From 3072458ec31604b5986b6ff36b9628ebe247925a Mon Sep 17 00:00:00 2001
From: Janos Follath
Date: Wed, 21 Sep 2016 13:18:12 +0100
Subject: [PATCH] Restore P>Q in RSA key generation (#558)
The PKCS#1 standard says nothing about the relation between P and Q but many libraries guarantee P>Q and mbed TLS did so too in earlier versions. This commit restores this behaviour.
---
 ChangeLog | 1 +
 library/rsa.c | 16 +++++++---------
 tests/suites/test_suite_rsa.data | 2 +-
 tests/suites/test_suite_rsa.function | 7 +++++--
 4 files changed, 14 insertions(+), 12 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 49fdbccb7..ecd92d569 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -19,6 +19,7 @@ Bugfix
 by inestlerode. #559.
 * Fix documentation and implementation missmatch for function arguments of mbedtls_gcm_finish(). Found by cmiatpaar. #602
+ * Guarantee that P>Q at RSA key generation. #558
 = mbed TLS 1.3.17 branch 2016-06-28
diff --git a/library/rsa.c b/library/rsa.c
index 26d69c522..bf77cb5b9 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -97,6 +97,9 @@ int rsa_gen_key( rsa_context *ctx,
 if( f_rng == NULL || nbits < 128 || exponent < 3 )
 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
+ if( nbits % 2 )
+ return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
+
 mpi_init( &P1 ); mpi_init( &Q1 ); mpi_init( &H ); mpi_init( &G );
@@ -111,16 +114,8 @@ int rsa_gen_key( rsa_context *ctx,
 MPI_CHK( mpi_gen_prime( &ctx->P, nbits >> 1, 0,
 f_rng, p_rng ) );
- if( nbits % 2 )
- {
- MPI_CHK( mpi_gen_prime( &ctx->Q, ( nbits >> 1 ) + 1, 0,
+ MPI_CHK( mpi_gen_prime( &ctx->Q, nbits >> 1, 0,
 f_rng, p_rng ) );
- }
- else
- {
- MPI_CHK( mpi_gen_prime( &ctx->Q, nbits >> 1, 0,
- f_rng, p_rng ) );
- }
 if( mpi_cmp_mpi( &ctx->P, &ctx->Q ) == 0 )
 continue;
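Review bot: The new `if( nbits % 2 )` guard turns every odd key size into POLARSSL_ERR_RSA_BAD_INPUT_DATA, which is an API change that neither the ChangeLog line in this patch nor, as far as this hunk shows, the rsa_gen_key doc comment in rsa.h mentions; callers that generated 1025-bit keys before will now get a bad-input error at runtime. Document the constraint where the function is declared, e.g. `\param nbits size of the public key in bits; must be even and at least 128`, and add a ChangeLog line stating that odd sizes are now rejected. As a point of style the check could be folded into the existing guard two lines above, `if( f_rng == NULL || nbits < 128 || ( nbits & 1 ) || exponent < 3 )`, so the function has a single input-validation statement. rsa_gen_key's body continues outside this hunk.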
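Review bot: The comment that heads this generation loop is outside the hunk; if it still explains the removed odd-nbits branch (Q one bit longer than P) it is now stale and should say instead that both primes are generated at `nbits / 2` bits and that P > Q is enforced after generation. With the `if`/`else` gone, the equality test on the surviving `continue` is the only filter left on the pair, and its purpose is no longer obvious to a reader, so a one-line comment such as `/* P == Q would make N a square; draw again */` above `if( mpi_cmp_mpi( &ctx->P, &ctx->Q ) == 0 )` would help. Whether that equality test is sufficient on its own is a separate question that belongs with the ordering code later in the loop. The loop starts before this hunk and rsa_gen_key continues after it.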
@@ -129,6 +124,9 @@ int rsa_gen_key( rsa_context *ctx,
 if( mpi_msb( &ctx->N ) != nbits )
 continue;
+ if( mpi_cmp_mpi( &ctx->P, &ctx->Q ) < 0 )
+ mpi_swap( &ctx->P, &ctx->Q );
+
 MPI_CHK( mpi_sub_int( &P1, &ctx->P, 1 ) );
 MPI_CHK( mpi_sub_int( &Q1, &ctx->Q, 1 ) );
 MPI_CHK( mpi_mul_mpi( &H, &P1, &Q1 ) );
diff --git a/tests/suites/test_suite_rsa.data b/tests/suites/test_suite_rsa.data
index 720a5dd01..e4bc89eec 100644
--- a/tests/suites/test_suite_rsa.data
+++ b/tests/suites/test_suite_rsa.data
@@ -361,7 +361,7 @@ RSA Generate Key - 2048 bit key
 rsa_gen_key:2048:3:0
 RSA Generate Key - 1025 bit key
-rsa_gen_key:1025:3:0
+rsa_gen_key:1025:3:POLARSSL_ERR_RSA_BAD_INPUT_DATA
 RSA PKCS1 Encrypt Bad RNG
 depends_on:POLARSSL_PKCS1_V15
diff --git a/tests/suites/test_suite_rsa.function b/tests/suites/test_suite_rsa.function
index 45d572330..d4f330805 100644
--- a/tests/suites/test_suite_rsa.function
+++ b/tests/suites/test_suite_rsa.function
@@ -668,14 +668,17 @@ void rsa_gen_key( int nrbits, int exponent, int result)
 entropy_init( &entropy );
 TEST_ASSERT( ctr_drbg_init( &ctr_drbg, entropy_func, &entropy,
- (const unsigned char *) pers, strlen( pers ) ) == 0 );
+ (const unsigned char *) pers,
+ strlen( pers ) ) == 0 );
 rsa_init( &ctx, 0, 0 );
- TEST_ASSERT( rsa_gen_key( &ctx, ctr_drbg_random, &ctr_drbg, nrbits, exponent ) == result );
+ TEST_ASSERT( rsa_gen_key( &ctx, ctr_drbg_random, &ctr_drbg, nrbits,
+ exponent ) == result );
 if( result == 0 )
 {
 TEST_ASSERT( rsa_check_privkey( &ctx ) == 0 );
+ TEST_ASSERT( mpi_cmp_mpi( &ctx.P, &ctx.Q ) > 0 );
 }
 exit:
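Review bot: The added `if( mpi_cmp_mpi( &ctx->P, &ctx->Q ) < 0 ) mpi_swap( &ctx->P, &ctx->Q );` restores the ordering, but nothing in the loop rejects primes that are unequal yet close together; now that both primes have the same bit length, a pair with a small |P-Q| makes N cheap to factor with Fermat's method, and FIPS 186-4 B.3.3 requires |p - q| > 2^(nlen/2 - 100). Computing the difference once into H gives both the sign for the swap and the magnitude for the gap test, and H is overwritten by `mpi_mul_mpi( &H, &P1, &Q1 )` two lines below, so no new variable is needed. The threshold expression below keeps the unsigned subtraction from wrapping for sizes under 200 bits, where it degrades to the existing P == Q rejection. The generation loop begins before this hunk and rsa_gen_key continues after it.
```c
        /* Order the primes (P > Q) and reject pairs that are too close:
         * FIPS 186-4 B.3.3 wants |P-Q| > 2^(nbits/2 - 100), otherwise N
         * yields to Fermat factoring. H is scratch here; it is recomputed
         * as (P-1)(Q-1) just below. */
        MPI_CHK( mpi_sub_mpi( &H, &ctx->P, &ctx->Q ) );
        if( H.s < 0 )
            mpi_swap( &ctx->P, &ctx->Q );
        if( mpi_msb( &H ) <= ( ( nbits >= 200 ) ? ( ( nbits >> 1 ) - 99 ) : 0 ) )
            continue;
        /* … unchanged: P1 = P-1, Q1 = Q-1, H = P1*Q1 … */
```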
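Review bot: The test name `RSA Generate Key - 1025 bit key` now labels a case whose only purpose is to confirm that an odd size is refused, which a reader scanning the suite will not guess from the name; rename it to something like `RSA Generate Key - 1025 bit key (odd size rejected)`. Changing the expected value also removes the suite's only odd-size generation, so the even lower bound of the new check is no longer exercised anywhere visible in this hunk; a companion `rsa_gen_key:128:3:0` case would pin that 128 is still accepted and that the parity check sits behind the minimum-size check rather than in front of it.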
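Review bot: The new `TEST_ASSERT( mpi_cmp_mpi( &ctx.P, &ctx.Q ) > 0 );` pins the ordering but the success branch still does not check the one property the generator loops on, that N has exactly the requested bit length, and `rsa_check_privkey` cannot know what `nrbits` was. Adding `TEST_ASSERT( mpi_msb( &ctx.N ) == (size_t) nrbits );` next to the new line would catch a regression in the size loop that the P > Q assertion would pass straight through. The `exit:` cleanup and the rest of this test function lie outside the hunk.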