On Sun, 31 Jul 2016 10:44:01 +0200 nisse@lysator.liu.se (Niels Möller) wrote:
Done now (or rather, added to the shared helper function _rsa_check_size).
I think this is incomplete. Looking at the patch: https://git.lysator.liu.se/nettle/nettle/commit/5eb30d94f6f5f3f0cb9ba9ed24bc...
You're only checking n (for both private and public keys), I could probably still craft a private key that crashes by choosing one of p or q to be even.
Any other easy checks for bogus keys that should be added? I would expect that code parsing key formats, e.g., asn.1, would check sign and range of parameters and catch bogus values early (e.g., the code in nettle's der2rsa.c does that). It's possible to add additional sanity checks to the _key_prepare functions, if desired.
Depends on how far you want to go. Easy checks: * d, e must not be 0, 1, 2
More expensive checks: * Make sure n = p * q * p, q prime
It's not entirely obvious where that responsibility should be placed.
Yeah, I've been thinking a bit about it yesterday, I could still see problems with this approach. E.g. imagine someone does sanity checks with openssl and then assumes the key can be used with a nettle-based TLS stack. Even if we prevent it from crashing it may still prevent something from starting.
I ended up wishing that there'd be a defined standard set of key sanity checks shared among implementations... but I'm probably just dreaming here...