|
|
118cf7 |
From 9f5a60c1fe576f82bcd5c7998b2ca2b0d60e8e4f Mon Sep 17 00:00:00 2001
|
|
|
118cf7 |
From: Daiki Ueno <ueno@gnu.org>
|
|
|
118cf7 |
Date: Thu, 27 Jan 2022 18:17:43 +0100
|
|
|
118cf7 |
Subject: [PATCH 1/2] rsa_generate_fips186_4_keypair: accept a few more modulus
|
|
|
118cf7 |
sizes
|
|
|
118cf7 |
|
|
|
118cf7 |
While _rsa_generate_fips186_4_keypair was modified to accept modulus
|
|
|
118cf7 |
sizes other than 2048 and 3076, rsa_generate_fips186_4_keypair, which
|
|
|
118cf7 |
calls that function, was not updated to accept such modulus sizes.
|
|
|
118cf7 |
|
|
|
118cf7 |
Spotted by Alexander Sosedkin.
|
|
|
118cf7 |
|
|
|
118cf7 |
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
|
118cf7 |
---
|
|
|
118cf7 |
lib/nettle/int/rsa-keygen-fips186.c | 67 ++++++++++++++++-------------
|
|
|
118cf7 |
1 file changed, 36 insertions(+), 31 deletions(-)
|
|
|
118cf7 |
|
|
|
118cf7 |
diff --git a/lib/nettle/int/rsa-keygen-fips186.c b/lib/nettle/int/rsa-keygen-fips186.c
|
|
|
118cf7 |
index 5b221a030a..c6f7e675af 100644
|
|
|
118cf7 |
--- a/lib/nettle/int/rsa-keygen-fips186.c
|
|
|
118cf7 |
+++ b/lib/nettle/int/rsa-keygen-fips186.c
|
|
|
118cf7 |
@@ -27,6 +27,7 @@
|
|
|
118cf7 |
#include "config.h"
|
|
|
118cf7 |
#endif
|
|
|
118cf7 |
|
|
|
118cf7 |
+#include <assert.h>
|
|
|
118cf7 |
#include <stdlib.h>
|
|
|
118cf7 |
#include <stdio.h>
|
|
|
118cf7 |
#include <string.h>
|
|
|
118cf7 |
@@ -248,6 +249,33 @@ cleanup:
|
|
|
118cf7 |
return ret;
|
|
|
118cf7 |
}
|
|
|
118cf7 |
|
|
|
118cf7 |
+/* Return the pre-defined seed length for modulus size, or 0 when the
|
|
|
118cf7 |
+ * modulus size is unsupported.
|
|
|
118cf7 |
+ */
|
|
|
118cf7 |
+static inline unsigned
|
|
|
118cf7 |
+seed_length_for_modulus_size(unsigned modulus_size)
|
|
|
118cf7 |
+{
|
|
|
118cf7 |
+ switch (modulus_size) {
|
|
|
118cf7 |
+ case 2048: /* SP 800-56B rev 2 Appendix D and FIPS 140-2 IG 7.5 */
|
|
|
118cf7 |
+ return 14 * 2;
|
|
|
118cf7 |
+ case 3072: /* SP 800-56B rev 2 Appendix D and FIPS 140-2 IG 7.5 */
|
|
|
118cf7 |
+ return 16 * 2;
|
|
|
118cf7 |
+ case 4096: /* SP 800-56B rev 2 Appendix D */
|
|
|
118cf7 |
+ return 19 * 2;
|
|
|
118cf7 |
+ case 6144: /* SP 800-56B rev 2 Appendix D */
|
|
|
118cf7 |
+ return 22 * 2;
|
|
|
118cf7 |
+ case 7680: /* FIPS 140-2 IG 7.5 */
|
|
|
118cf7 |
+ return 24 * 2;
|
|
|
118cf7 |
+ case 8192: /* SP 800-56B rev 2 Appendix D */
|
|
|
118cf7 |
+ return 25 * 2;
|
|
|
118cf7 |
+ case 15360: /* FIPS 140-2 IG 7.5 */
|
|
|
118cf7 |
+ return 32 * 2;
|
|
|
118cf7 |
+ default:
|
|
|
118cf7 |
+ return 0;
|
|
|
118cf7 |
+ }
|
|
|
118cf7 |
+
|
|
|
118cf7 |
+}
|
|
|
118cf7 |
+
|
|
|
118cf7 |
/* This generates p,q params using the B.3.2.2 algorithm in FIPS 186-4.
|
|
|
118cf7 |
*
|
|
|
118cf7 |
* The hash function used is SHA384.
|
|
|
118cf7 |
@@ -266,33 +294,15 @@ _rsa_generate_fips186_4_keypair(struct rsa_public_key *pub,
|
|
|
118cf7 |
int ret;
|
|
|
118cf7 |
struct dss_params_validation_seeds cert;
|
|
|
118cf7 |
unsigned l = n_size / 2;
|
|
|
118cf7 |
+ unsigned s = seed_length_for_modulus_size(n_size);
|
|
|
118cf7 |
|
|
|
118cf7 |
- switch (n_size) {
|
|
|
118cf7 |
- case 2048: /* SP 800-56B rev 2 Appendix D and FIPS 140-2 IG 7.5 */
|
|
|
118cf7 |
- FIPS_RULE(seed_length != 14 * 2, 0, "seed length other than 28 bytes\n");
|
|
|
118cf7 |
- break;
|
|
|
118cf7 |
- case 3072: /* SP 800-56B rev 2 Appendix D and FIPS 140-2 IG 7.5 */
|
|
|
118cf7 |
- FIPS_RULE(seed_length != 16 * 2, 0, "seed length other than 32 bytes\n");
|
|
|
118cf7 |
- break;
|
|
|
118cf7 |
- case 4096: /* SP 800-56B rev 2 Appendix D */
|
|
|
118cf7 |
- FIPS_RULE(seed_length != 19 * 2, 0, "seed length other than 38 bytes\n");
|
|
|
118cf7 |
- break;
|
|
|
118cf7 |
- case 6144: /* SP 800-56B rev 2 Appendix D */
|
|
|
118cf7 |
- FIPS_RULE(seed_length != 22 * 2, 0, "seed length other than 44 bytes\n");
|
|
|
118cf7 |
- break;
|
|
|
118cf7 |
- case 7680: /* FIPS 140-2 IG 7.5 */
|
|
|
118cf7 |
- FIPS_RULE(seed_length != 24 * 2, 0, "seed length other than 48 bytes\n");
|
|
|
118cf7 |
- break;
|
|
|
118cf7 |
- case 8192: /* SP 800-56B rev 2 Appendix D */
|
|
|
118cf7 |
- FIPS_RULE(seed_length != 25 * 2, 0, "seed length other than 50 bytes\n");
|
|
|
118cf7 |
- break;
|
|
|
118cf7 |
- case 15360: /* FIPS 140-2 IG 7.5 */
|
|
|
118cf7 |
- FIPS_RULE(seed_length != 32 * 2, 0, "seed length other than 64 bytes\n");
|
|
|
118cf7 |
- break;
|
|
|
118cf7 |
- default:
|
|
|
118cf7 |
+ if (!s) {
|
|
|
118cf7 |
FIPS_RULE(false, 0, "unsupported modulus size\n");
|
|
|
118cf7 |
}
|
|
|
118cf7 |
|
|
|
118cf7 |
+ FIPS_RULE(seed_length != s, 0,
|
|
|
118cf7 |
+ "seed length other than %u bytes\n", s);
|
|
|
118cf7 |
+
|
|
|
118cf7 |
if (!mpz_tstbit(pub->e, 0)) {
|
|
|
118cf7 |
_gnutls_debug_log("Unacceptable e (it is even)\n");
|
|
|
118cf7 |
return 0;
|
|
|
118cf7 |
@@ -405,10 +415,6 @@ _rsa_generate_fips186_4_keypair(struct rsa_public_key *pub,
|
|
|
118cf7 |
return ret;
|
|
|
118cf7 |
}
|
|
|
118cf7 |
|
|
|
118cf7 |
-/* Not entirely accurate but a good precision
|
|
|
118cf7 |
- */
|
|
|
118cf7 |
-#define SEED_LENGTH(bits) (_gnutls_pk_bits_to_subgroup_bits(bits)/8)
|
|
|
118cf7 |
-
|
|
|
118cf7 |
/* This generates p,q params using the B.3.2.2 algorithm in FIPS 186-4.
|
|
|
118cf7 |
*
|
|
|
118cf7 |
* The hash function used is SHA384.
|
|
|
118cf7 |
@@ -429,11 +435,10 @@ rsa_generate_fips186_4_keypair(struct rsa_public_key *pub,
|
|
|
118cf7 |
unsigned seed_length;
|
|
|
118cf7 |
int ret;
|
|
|
118cf7 |
|
|
|
118cf7 |
- FIPS_RULE(n_size != 2048 && n_size != 3072, 0, "size of prime of other than 2048 or 3072\n");
|
|
|
118cf7 |
+ seed_length = seed_length_for_modulus_size(n_size);
|
|
|
118cf7 |
+ FIPS_RULE(!seed_length, 0, "unsupported modulus size\n");
|
|
|
118cf7 |
|
|
|
118cf7 |
- seed_length = SEED_LENGTH(n_size);
|
|
|
118cf7 |
- if (seed_length > sizeof(seed))
|
|
|
118cf7 |
- return 0;
|
|
|
118cf7 |
+ assert(seed_length <= sizeof(seed));
|
|
|
118cf7 |
|
|
|
118cf7 |
random(random_ctx, seed_length, seed);
|
|
|
118cf7 |
|
|
|
118cf7 |
--
|
|
|
118cf7 |
2.34.1
|
|
|
118cf7 |
|
|
|
118cf7 |
|
|
|
118cf7 |
From 46ae6160489151034bca19aa6c40ba0df6b53bcc Mon Sep 17 00:00:00 2001
|
|
|
118cf7 |
From: Daiki Ueno <ueno@gnu.org>
|
|
|
118cf7 |
Date: Tue, 1 Feb 2022 15:19:52 +0100
|
|
|
118cf7 |
Subject: [PATCH 2/2] certtool --generate-privkey: update warnings on RSA key
|
|
|
118cf7 |
sizes
|
|
|
118cf7 |
|
|
|
118cf7 |
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
|
118cf7 |
---
|
|
|
118cf7 |
src/certtool.c | 18 +++++++++++++++---
|
|
|
118cf7 |
1 file changed, 15 insertions(+), 3 deletions(-)
|
|
|
118cf7 |
|
|
|
118cf7 |
diff --git a/src/certtool.c b/src/certtool.c
|
|
|
118cf7 |
index c128500614..71d4aff13e 100644
|
|
|
118cf7 |
--- a/src/certtool.c
|
|
|
118cf7 |
+++ b/src/certtool.c
|
|
|
118cf7 |
@@ -206,8 +206,12 @@ generate_private_key_int(common_info_st * cinfo)
|
|
|
118cf7 |
"Note that DSA keys with size over 1024 may cause incompatibility problems when used with earlier than TLS 1.2 versions.\n\n");
|
|
|
118cf7 |
|
|
|
118cf7 |
if ((HAVE_OPT(SEED) || provable) && GNUTLS_PK_IS_RSA(key_type)) {
|
|
|
118cf7 |
- if (bits != 2048 && bits != 3072) {
|
|
|
118cf7 |
- fprintf(stderr, "Note that the FIPS 186-4 key generation restricts keys to 2048 and 3072 bits\n");
|
|
|
118cf7 |
+ /* Keep in sync with seed_length_for_modulus_size in
|
|
|
118cf7 |
+ * lib/nettle/int/rsa-keygen-fips186.c. */
|
|
|
118cf7 |
+ if (bits != 2048 && bits != 3072 && bits != 4096 &&
|
|
|
118cf7 |
+ bits != 6144 && bits != 7680 && bits != 8192 &&
|
|
|
118cf7 |
+ bits != 15360) {
|
|
|
118cf7 |
+ fprintf(stderr, "Note that the FIPS 186-4 key generation restricts keys to be of known lengths (2048, 3072, etc)\n");
|
|
|
118cf7 |
}
|
|
|
118cf7 |
}
|
|
|
118cf7 |
|
|
|
118cf7 |
@@ -225,7 +229,15 @@ generate_private_key_int(common_info_st * cinfo)
|
|
|
118cf7 |
kdata[kdata_size++].size = cinfo->seed_size;
|
|
|
118cf7 |
|
|
|
118cf7 |
if (GNUTLS_PK_IS_RSA(key_type)) {
|
|
|
118cf7 |
- if ((bits == 3072 && cinfo->seed_size != 32) || (bits == 2048 && cinfo->seed_size != 28)) {
|
|
|
118cf7 |
+ /* Keep in sync with seed_length_for_modulus_size in
|
|
|
118cf7 |
+ * lib/nettle/int/rsa-keygen-fips186.c. */
|
|
|
118cf7 |
+ if ((bits == 2048 && cinfo->seed_size != 28) ||
|
|
|
118cf7 |
+ (bits == 3072 && cinfo->seed_size != 32) ||
|
|
|
118cf7 |
+ (bits == 4096 && cinfo->seed_size != 38) ||
|
|
|
118cf7 |
+ (bits == 6144 && cinfo->seed_size != 44) ||
|
|
|
118cf7 |
+ (bits == 7680 && cinfo->seed_size != 48) ||
|
|
|
118cf7 |
+ (bits == 8192 && cinfo->seed_size != 50) ||
|
|
|
118cf7 |
+ (bits == 15360 && cinfo->seed_size != 64)) {
|
|
|
118cf7 |
fprintf(stderr, "The seed size (%d) doesn't match the size of the request security level; use -d 2 for more information.\n", (int)cinfo->seed_size);
|
|
|
118cf7 |
}
|
|
|
118cf7 |
} else if (key_type == GNUTLS_PK_DSA) {
|
|
|
118cf7 |
--
|
|
|
118cf7 |
2.34.1
|
|
|
118cf7 |
|