simon-git: putty (master): Simon Tatham

Commits to Tartarus hosted VCS tartarus-commits at lists.tartarus.org
Wed Apr 17 18:17:34 BST 2019


TL;DR:
  36525cc0 Fix RSA key gen at awkward sizes mod BIGNUM_INT_BITS.

Repository:     https://git.tartarus.org/simon/putty.git
On the web:     https://git.tartarus.org/?p=simon/putty.git
Branch updated: master
Committer:      Simon Tatham <anakin at pobox.com>
Date:           2019-04-17 18:17:34

commit 36525cc0039b54ceed393df47158c5cacb4a42f6
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=36525cc0039b54ceed393df47158c5cacb4a42f6;hp=ca6d278c102a733d38c891ca60cf6c535d1502d4
Author: Simon Tatham <anakin at pobox.com>
Date:   Wed Apr 17 18:15:23 2019 +0100

    Fix RSA key gen at awkward sizes mod BIGNUM_INT_BITS.
    
    If you try to generate (say) a 2049-bit RSA key, then primegen will
    try to generate a 1025-bit prime. It will do it by making a random
    1024-bit mp_int (that is, one strictly _less_ than 2^1024), and then
    trying to set bit 1024. But that will fail an assertion in mp_set_bit,
    because the number of random bits is a multiple of BIGNUM_INT_BITS, so
    an mp_int of the minimum size that can hold the random bits is not
    quite big enough to hold the extra bit at the top.
    
    Fix: change the strategy in primegen so that we allocate the mp_int
    large enough to hold even the top bit, and copy in the random numbers
    via mp_or_into.
    
    There's a second bug hiding behind that one. If the key has odd size,
    then the two primes are generated with different bit lengths. If the
    overall key size is congruent to 1 mod (2*BIGNUM_INT_BITS), then the
    two primes will be allocated as mp_ints with different numbers of
    words, leading to another assertion failure in the mp_cond_swap that
    sorts the primes into a consistent order.
    
    Fix for that one: if the primes are being generated with different bit
    lengths, then we arrange those lengths to be already in the right
    order, and replace the mp_cond_swap with an assert() that checks the
    ordering is already correct.
    
    Combined effect: now you should be able to successfully generate a
    2049-bit key without assertion failures.

 sshprime.c |  8 +++++---
 sshrsag.c  | 21 ++++++++++++++++-----
 2 files changed, 21 insertions(+), 8 deletions(-)
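
The word-count arithmetic behind both assertion failures described in the commit message, as an added example (not PuTTY's code and not part of the original message). It assumes BIGNUM_INT_BITS is 64 and that the two primes get ceil(n/2) and floor(n/2) bits; all function names here are hypothetical helpers.

```c
#include <stdio.h>

/* Assumption: 64-bit bignum words; the page does not give the value. */
#define BIGNUM_INT_BITS 64u

/* Words in the smallest mp_int that can hold `bits` bits. */
static unsigned words_for(unsigned bits)
{
    return (bits + BIGNUM_INT_BITS - 1) / BIGNUM_INT_BITS;
}

/* First bug: pbits-1 random bits go into a minimum-size mp_int, then bit
 * index pbits-1 is set; out of range if the random bits fill the words. */
static int top_bit_out_of_range(unsigned pbits)
{
    return pbits - 1 >= words_for(pbits - 1) * BIGNUM_INT_BITS;
}

/* Assumed split of the key size: primes of ceil(n/2) and floor(n/2) bits. */
static int keygen_hits_first_bug(unsigned keybits)
{
    unsigned qbits = keybits / 2, pbits = keybits - qbits;
    return top_bit_out_of_range(pbits) || top_bit_out_of_range(qbits);
}

/* Second bug: once each prime is allocated with room for its own top
 * bit, primes of unequal bit length can occupy unequal word counts. */
static int prime_words_differ(unsigned keybits)
{
    unsigned qbits = keybits / 2, pbits = keybits - qbits;
    return words_for(pbits) != words_for(qbits);
}

/* Sizes in [lo, hi] that disagree with the "1 mod (2*BIGNUM_INT_BITS)" rule. */
static unsigned congruence_rule_mismatches(unsigned lo, unsigned hi)
{
    unsigned bad = 0;
    for (unsigned n = lo; n <= hi; n++)
        bad += prime_words_differ(n) != (n % (2 * BIGNUM_INT_BITS) == 1);
    return bad;
}

int main(void)
{
    for (unsigned n = 2047; n <= 2052; n++)
        printf("%u-bit key: top-bit bug %d, word-count bug %d\n", n,
               keygen_hits_first_bug(n), prime_words_differ(n));
    printf("mismatches: %u\n", congruence_rule_mismatches(256, 8192));
    return 0;
}
```

In this model the top-bit failure is also reached at key sizes congruent to 2 or 3 mod 2*BIGNUM_INT_BITS, while the word-count mismatch occurs only at sizes congruent to 1.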


