Don't corrupt RSA private keys during loading. #1055
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Fifteen years ago, Twisted landed [a change](twisted@3cf1ed6) which enforced that the RSA primes were ordered p <= q, but then serialised them backwards, so that actually p >= q, and it always recreated the CRT values. This was because of [this bug](https://twistedmatrix.com/trac/ticket/259), which is something to do with testing key serialisation round-tripping. 2003-era PyCrypto [did something](https://github.com/dlitz/pycrypto/blob/bb6a94896433587a7a819efde503337e4b9ab3a5/PublicKey/RSA.py#L74) very similar, so they were probably copying that in order to avoid PyCrypto changing their keys and triggering round-trip failures. As time has gone by, much of the Twisted code has changed, but the initial condition to swap p & q if p > q has remained. However, the CRT values are no longer recomputed, so this just corrupts the key. (For example, `dmp1` stands for "d mod p-1" so clearly if p & q are swapped, that value has to be updated in order to be correct. The values `dmq1` and `iqmp` (inverse of q mod p) are likewise.) OpenSSL has anti-glitch checking in its RSA implementation that is designed to stop power-glitching attacks. (An arithmetic error during CRT computation has a high chance of leaking the private key.) That anti-glitch code detects the error caused by swapping p and q and triggers a slow-path re-computation of signatures without the CRT. Thus OpenSSL is silently correcting this, but spending much more CPU to do so. https://twistedmatrix.com/trac/ticket/9518
|
There are failing tests that look relevant; I suspect they need to be un-swapped |
glyph
previously requested changes
Aug 31, 2018
There was a problem hiding this comment.
See comment on Trac: https://twistedmatrix.com/trac/ticket/9518#comment:3
|
(Also it looks like you're using an email address that isn't associated with your github account here - is that intentional? If not maybe rebase...) |
Codecov Report
@@ Coverage Diff @@
## trunk #1055 +/- ##
==========================================
+ Coverage 91.56% 91.91% +0.35%
==========================================
Files 844 844
Lines 150840 150838 -2
Branches 13155 13154 -1
==========================================
+ Hits 138117 138647 +530
+ Misses 10609 10102 -507
+ Partials 2114 2089 -25 |
alex
approved these changes
Sep 1, 2018
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fifteen years ago, Twisted landed a change which enforced that the RSA primes were ordered p ⩽ q, but then serialised them backwards, so that actually p ⩾ q, and it always recreated the CRT values. This was because of this bug, which is something to do with testing key serialisation round-tripping. 2003-era PyCrypto did something very similar, so they were probably copying that in order to avoid PyCrypto changing their keys and triggering round-trip failures.
As time has gone by, much of the Twisted code has changed, but the initial condition to swap p & q if p > q has remained. However, the CRT values are no longer recomputed, so this just corrupts the key. (For example,
dmp1stands for “d mod p-1” so clearly if p & q are swapped, that value has to be updated in order to be correct. The valuesdmq1andiqmp(inverse of q mod p) are likewise.)OpenSSL has anti-glitch checking in its RSA implementation that is designed to stop power-glitching attacks. (An arithmetic error during CRT computation has a high chance of leaking the private key.) That anti-glitch code detects the error caused by swapping p and q and triggers a slow-path re-computation of signatures without the CRT. Thus OpenSSL is silently correcting this, but spending much more CPU to do so.
https://twistedmatrix.com/trac/ticket/9518
Contributor Checklist: