From 36525cc0039b54ceed393df47158c5cacb4a42f6 Mon Sep 17 00:00:00 2001 From: Simon Tatham Date: Wed, 17 Apr 2019 18:15:23 +0100 Subject: [PATCH] Fix RSA key gen at awkward sizes mod BIGNUM_INT_BITS. If you try to generate (say) a 2049-bit RSA key, then primegen will try to generate a 1025-bit prime. It will do it by making a random 1024-bit mp_int (that is, one strictly _less_ than 2^1024), and then trying to set bit 1024. But that will fail an assertion in mp_set_bit, because the number of random bits is a multiple of BIGNUM_INT_BITS, so an mp_int of the minimum size that can hold the random bits is not quite big enough to hold the extra bit at the top. Fix: change the strategy in primegen so that we allocate the mp_int large enough to hold even the top bit, and copy in the random numbers via mp_or_into. There's a second bug hiding behind that one. If the key has odd size, then the two primes are generated with different bit lengths. If the overall key size is congruent to 1 mod (2*BIGNUM_INT_BITS), then the two primes will be allocated as mp_ints with different numbers of words, leading to another assertion failure in the mp_cond_swap that sorts the primes into a consistent order. Fix for that one: if the primes are being generated different bit lengths, then we arrange those lengths to be already in the right order, and replace the mp_cond_swap with an assert() that checks the ordering is already correct. Combined effect: now you should be able to successfully generate a 2049-bit key without assertion failures. --- sshprime.c | 8 +++++--- sshrsag.c | 21 ++++++++++++++++----- 2 files changed, 21 insertions(+), 8 deletions(-) diff --git a/sshprime.c b/sshprime.c index 45081ed3..44ab386e 100644 --- a/sshprime.c +++ b/sshprime.c @@ -194,10 +194,12 @@ mp_int *primegen( * random number with the top bit set and the bottom bit clear, * multiply it by `factor', and add one. */ - mp_int *p = mp_random_bits(bits - 1); + mp_int *p = mp_power_2(bits - 1); /* ensure top bit is 1 */ + mp_int *r = mp_random_bits(bits - 1); + mp_or_into(p, p, r); + mp_free(r); + mp_set_bit(p, 0, factor ? 0 : 1); /* set bottom bit appropriately */ - mp_set_bit(p, 0, factor ? 0 : 1); /* bottom bit */ - mp_set_bit(p, bits-1, 1); /* top bit */ for (size_t i = 0; i < fbsize; i++) mp_set_bit(p, bits-fbsize + i, 1 & (firstbits >> i)); diff --git a/sshrsag.c b/sshrsag.c index d70ac6b4..2d88fef9 100644 --- a/sshrsag.c +++ b/sshrsag.c @@ -71,15 +71,26 @@ int rsa_generate(RSAKey *key, int bits, progfn_t pfn, * but it doesn't cost much to make sure.) */ invent_firstbits(&pfirst, &qfirst, 2); - mp_int *p = primegen(bits / 2, RSA_EXPONENT, 1, NULL, - 1, pfn, pfnparam, pfirst); - mp_int *q = primegen(bits - bits / 2, RSA_EXPONENT, 1, NULL, - 2, pfn, pfnparam, qfirst); + int qbits = bits / 2; + int pbits = bits - qbits; + assert(pbits >= qbits); + mp_int *p = primegen(pbits, RSA_EXPONENT, 1, NULL, + 1, pfn, pfnparam, pfirst); + mp_int *q = primegen(qbits, RSA_EXPONENT, 1, NULL, + 2, pfn, pfnparam, qfirst); /* * Ensure p > q, by swapping them if not. + * + * We only need to do this if the two primes were generated with + * the same number of bits (i.e. if the requested key size is + * even) - otherwise it's already guaranteed! */ - mp_cond_swap(p, q, mp_cmp_hs(q, p)); + if (pbits == qbits) { + mp_cond_swap(p, q, mp_cmp_hs(q, p)); + } else { + assert(mp_cmp_hs(p, q)); + } /* * Now we have p, q and e. All we need to do now is work out