You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
182 lines
6.3 KiB
182 lines
6.3 KiB
From 9f5a60c1fe576f82bcd5c7998b2ca2b0d60e8e4f Mon Sep 17 00:00:00 2001 |
|
From: Daiki Ueno <ueno@gnu.org> |
|
Date: Thu, 27 Jan 2022 18:17:43 +0100 |
|
Subject: [PATCH 1/2] rsa_generate_fips186_4_keypair: accept a few more modulus |
|
sizes |
|
|
|
While _rsa_generate_fips186_4_keypair was modified to accept modulus |
|
sizes other than 2048 and 3076, rsa_generate_fips186_4_keypair, which |
|
calls that function, was not updated to accept such modulus sizes. |
|
|
|
Spotted by Alexander Sosedkin. |
|
|
|
Signed-off-by: Daiki Ueno <ueno@gnu.org> |
|
--- |
|
lib/nettle/int/rsa-keygen-fips186.c | 67 ++++++++++++++++------------- |
|
1 file changed, 36 insertions(+), 31 deletions(-) |
|
|
|
diff --git a/lib/nettle/int/rsa-keygen-fips186.c b/lib/nettle/int/rsa-keygen-fips186.c |
|
index 5b221a030a..c6f7e675af 100644 |
|
--- a/lib/nettle/int/rsa-keygen-fips186.c |
|
+++ b/lib/nettle/int/rsa-keygen-fips186.c |
|
@@ -27,6 +27,7 @@ |
|
#include "config.h" |
|
#endif |
|
|
|
+#include <assert.h> |
|
#include <stdlib.h> |
|
#include <stdio.h> |
|
#include <string.h> |
|
@@ -248,6 +249,33 @@ cleanup: |
|
return ret; |
|
} |
|
|
|
+/* Return the pre-defined seed length for modulus size, or 0 when the |
|
+ * modulus size is unsupported. |
|
+ */ |
|
+static inline unsigned |
|
+seed_length_for_modulus_size(unsigned modulus_size) |
|
+{ |
|
+ switch (modulus_size) { |
|
+ case 2048: /* SP 800-56B rev 2 Appendix D and FIPS 140-2 IG 7.5 */ |
|
+ return 14 * 2; |
|
+ case 3072: /* SP 800-56B rev 2 Appendix D and FIPS 140-2 IG 7.5 */ |
|
+ return 16 * 2; |
|
+ case 4096: /* SP 800-56B rev 2 Appendix D */ |
|
+ return 19 * 2; |
|
+ case 6144: /* SP 800-56B rev 2 Appendix D */ |
|
+ return 22 * 2; |
|
+ case 7680: /* FIPS 140-2 IG 7.5 */ |
|
+ return 24 * 2; |
|
+ case 8192: /* SP 800-56B rev 2 Appendix D */ |
|
+ return 25 * 2; |
|
+ case 15360: /* FIPS 140-2 IG 7.5 */ |
|
+ return 32 * 2; |
|
+ default: |
|
+ return 0; |
|
+ } |
|
+ |
|
+} |
|
+ |
|
/* This generates p,q params using the B.3.2.2 algorithm in FIPS 186-4. |
|
* |
|
* The hash function used is SHA384. |
|
@@ -266,33 +294,15 @@ _rsa_generate_fips186_4_keypair(struct rsa_public_key *pub, |
|
int ret; |
|
struct dss_params_validation_seeds cert; |
|
unsigned l = n_size / 2; |
|
+ unsigned s = seed_length_for_modulus_size(n_size); |
|
|
|
- switch (n_size) { |
|
- case 2048: /* SP 800-56B rev 2 Appendix D and FIPS 140-2 IG 7.5 */ |
|
- FIPS_RULE(seed_length != 14 * 2, 0, "seed length other than 28 bytes\n"); |
|
- break; |
|
- case 3072: /* SP 800-56B rev 2 Appendix D and FIPS 140-2 IG 7.5 */ |
|
- FIPS_RULE(seed_length != 16 * 2, 0, "seed length other than 32 bytes\n"); |
|
- break; |
|
- case 4096: /* SP 800-56B rev 2 Appendix D */ |
|
- FIPS_RULE(seed_length != 19 * 2, 0, "seed length other than 38 bytes\n"); |
|
- break; |
|
- case 6144: /* SP 800-56B rev 2 Appendix D */ |
|
- FIPS_RULE(seed_length != 22 * 2, 0, "seed length other than 44 bytes\n"); |
|
- break; |
|
- case 7680: /* FIPS 140-2 IG 7.5 */ |
|
- FIPS_RULE(seed_length != 24 * 2, 0, "seed length other than 48 bytes\n"); |
|
- break; |
|
- case 8192: /* SP 800-56B rev 2 Appendix D */ |
|
- FIPS_RULE(seed_length != 25 * 2, 0, "seed length other than 50 bytes\n"); |
|
- break; |
|
- case 15360: /* FIPS 140-2 IG 7.5 */ |
|
- FIPS_RULE(seed_length != 32 * 2, 0, "seed length other than 64 bytes\n"); |
|
- break; |
|
- default: |
|
+ if (!s) { |
|
FIPS_RULE(false, 0, "unsupported modulus size\n"); |
|
} |
|
|
|
+ FIPS_RULE(seed_length != s, 0, |
|
+ "seed length other than %u bytes\n", s); |
|
+ |
|
if (!mpz_tstbit(pub->e, 0)) { |
|
_gnutls_debug_log("Unacceptable e (it is even)\n"); |
|
return 0; |
|
@@ -405,10 +415,6 @@ _rsa_generate_fips186_4_keypair(struct rsa_public_key *pub, |
|
return ret; |
|
} |
|
|
|
-/* Not entirely accurate but a good precision |
|
- */ |
|
-#define SEED_LENGTH(bits) (_gnutls_pk_bits_to_subgroup_bits(bits)/8) |
|
- |
|
/* This generates p,q params using the B.3.2.2 algorithm in FIPS 186-4. |
|
* |
|
* The hash function used is SHA384. |
|
@@ -429,11 +435,10 @@ rsa_generate_fips186_4_keypair(struct rsa_public_key *pub, |
|
unsigned seed_length; |
|
int ret; |
|
|
|
- FIPS_RULE(n_size != 2048 && n_size != 3072, 0, "size of prime of other than 2048 or 3072\n"); |
|
+ seed_length = seed_length_for_modulus_size(n_size); |
|
+ FIPS_RULE(!seed_length, 0, "unsupported modulus size\n"); |
|
|
|
- seed_length = SEED_LENGTH(n_size); |
|
- if (seed_length > sizeof(seed)) |
|
- return 0; |
|
+ assert(seed_length <= sizeof(seed)); |
|
|
|
random(random_ctx, seed_length, seed); |
|
|
|
-- |
|
2.34.1 |
|
|
|
|
|
From 46ae6160489151034bca19aa6c40ba0df6b53bcc Mon Sep 17 00:00:00 2001 |
|
From: Daiki Ueno <ueno@gnu.org> |
|
Date: Tue, 1 Feb 2022 15:19:52 +0100 |
|
Subject: [PATCH 2/2] certtool --generate-privkey: update warnings on RSA key |
|
sizes |
|
|
|
Signed-off-by: Daiki Ueno <ueno@gnu.org> |
|
--- |
|
src/certtool.c | 18 +++++++++++++++--- |
|
1 file changed, 15 insertions(+), 3 deletions(-) |
|
|
|
diff --git a/src/certtool.c b/src/certtool.c |
|
index c128500614..71d4aff13e 100644 |
|
--- a/src/certtool.c |
|
+++ b/src/certtool.c |
|
@@ -206,8 +206,12 @@ generate_private_key_int(common_info_st * cinfo) |
|
"Note that DSA keys with size over 1024 may cause incompatibility problems when used with earlier than TLS 1.2 versions.\n\n"); |
|
|
|
if ((HAVE_OPT(SEED) || provable) && GNUTLS_PK_IS_RSA(key_type)) { |
|
- if (bits != 2048 && bits != 3072) { |
|
- fprintf(stderr, "Note that the FIPS 186-4 key generation restricts keys to 2048 and 3072 bits\n"); |
|
+ /* Keep in sync with seed_length_for_modulus_size in |
|
+ * lib/nettle/int/rsa-keygen-fips186.c. */ |
|
+ if (bits != 2048 && bits != 3072 && bits != 4096 && |
|
+ bits != 6144 && bits != 7680 && bits != 8192 && |
|
+ bits != 15360) { |
|
+ fprintf(stderr, "Note that the FIPS 186-4 key generation restricts keys to be of known lengths (2048, 3072, etc)\n"); |
|
} |
|
} |
|
|
|
@@ -225,7 +229,15 @@ generate_private_key_int(common_info_st * cinfo) |
|
kdata[kdata_size++].size = cinfo->seed_size; |
|
|
|
if (GNUTLS_PK_IS_RSA(key_type)) { |
|
- if ((bits == 3072 && cinfo->seed_size != 32) || (bits == 2048 && cinfo->seed_size != 28)) { |
|
+ /* Keep in sync with seed_length_for_modulus_size in |
|
+ * lib/nettle/int/rsa-keygen-fips186.c. */ |
|
+ if ((bits == 2048 && cinfo->seed_size != 28) || |
|
+ (bits == 3072 && cinfo->seed_size != 32) || |
|
+ (bits == 4096 && cinfo->seed_size != 38) || |
|
+ (bits == 6144 && cinfo->seed_size != 44) || |
|
+ (bits == 7680 && cinfo->seed_size != 48) || |
|
+ (bits == 8192 && cinfo->seed_size != 50) || |
|
+ (bits == 15360 && cinfo->seed_size != 64)) { |
|
fprintf(stderr, "The seed size (%d) doesn't match the size of the request security level; use -d 2 for more information.\n", (int)cinfo->seed_size); |
|
} |
|
} else if (key_type == GNUTLS_PK_DSA) { |
|
-- |
|
2.34.1 |
|
|
|
|