crypto/rsa: RSA keys newly rejected in Go 1.24 #70643
Comments
rsc
added
NeedsInvestigation
|
I am seeing a similar failure in golang.org/x/crypto/openpgp/clearsign when running locally, but oddly I am not seeing it on the dashboard. |
|
Ah, I see it, go/src/crypto/internal/fips140/rsa/rsa.go Lines 251 to 255 in e5489a3 assumes |
|
Is there something in the code that makes p > q generally true? The openpgp test is generating its own keys which then fail to validate. It is doing so with a terrible random number generator, and if I make the generator less terrible, the error goes away, but a bad RNG should not trigger invalid keys. |
|
Change https://go.dev/cl/632955 mentions this issue: |
|
Looking at the openpgp/clearsign failure, it looks like something bad happened before the "keep the CRT values" change. Note the failure beginning at "move key generation": |
|
Yeah I think there's two different issues. The key in the initial issue has ⌈log₂(p)⌉ < ⌈log₂(q)⌉ which can't happen with our keygen (because for even sized moduli we produce primes of nlen/2 with the top two bits set, while for odd moduli we make p longer, while this key... has a 512 bit modulus with a 256 bit p and a 257 bit q, which I honestly wonder how you'd non-intentionally generate such a key). That tickled the bug CL 632955 is fixing. The openpgp/clearsign failure is different I think, and I am looking into it now. |
|
This diff in openpgp, improving the entropy returned by the random reader, "fixes" the errors, but we should understand why we are mishandling the current reader. |
|
Hah, found it. The rng is so bad that it causes p = q, and then we compute q⁻¹ = q^(p-2) mod p which for p = q is 0. I remember thinking "huh, why is this here" and deciding to remove it because a random source that bad kind of ought to explode. (Looking at the history, it actually looks like it's always been there, so it's not clear if it was because Adam stepped into the same problem.) Lines 402 to 409 in c390a1c We could fix the openpgp/clearsign test by retrying when p = q because this RNG is bad but not so bad that the primes keep coming out equal every time (which I think used to infinite loop), but I kinda prefer erroring out with a clear error rather than hide the brokenness of the random source. |
|
+1 for the error case. |
|
Returning an error in this case is great. We've had to improve these bad RNGs in the past as well. |
|
Change https://go.dev/cl/632896 mentions this issue: |
Updates #70643 Change-Id: I4aee8373dbddf774564902b3957c6eba11d15fc9 Reviewed-on: https://go-review.googlesource.com/c/go/+/632955 Reviewed-by: Roland Shoemaker <roland@golang.org> Auto-Submit: Filippo Valsorda <filippo@golang.org> Reviewed-by: Russ Cox <rsc@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
The old one complains about invalid modulus with new Go. Related to golang/go#70643 maybe?
The old one complains about invalid modulus with new Go. Related to golang/go#70643 maybe?
The old one complains about invalid modulus with new Go. Related to golang/go#70643 maybe?
Since the release of [Go v1.24.0](https://tip.golang.org/doc/go1.24), Go 1.22 is no longer supported. ~~We might go for 1.24 for the various performance improvements and the significant changes to the crypto packages but that's up to collective consensus.~~ We can't upgrade to `v1.23.x` because of significant performance regression and instead we need to upgrade all the way to Go `v1.24.0`. - `private/trust`: Change RSA key generation in `TestSignerGenGenerate` to use 1024-bit keys instead of 512-bit because the latter is no longer accepted, see golang/go#70643 - **test:** slightly lower router benchmark expectations as there seems to be a general performance regression since the Go upgrade to v1.24 (not as much as v1.23.6 though). - **ci:** remove linter `exportloopref` due to deprecation, see [golangci-lint/CHANGELOG](https://github.com/golangci/golangci-lint/blob/312fdf7a8d0516ced651630c6196da9d6053c2d7/CHANGELOG.md?plain=1#L251) - **ci:** disable Go linker's new automatic build id setting which causes rpmbuild to fail due to all binaries having the same build id. - **ci:** temporarily remove `nogo` due to incompatibility with Go 1.24 until further investigation. - **ci:** upgrade golangci-lint to v1.64.5
This program works in Go 1.23 but fails in Go 1.24 with "invalid CRT coefficient".
The specific key is taken from a larger test that is now failing, because the key is rejected.
openssl rsa -in dummy.key -check -noouthas no complaints about the key./cc @rolandshoemaker @FiloSottile
The text was updated successfully, but these errors were encountered: