gnutls_dh_params_generate2 generates short primes

Bug #1463147 reported by LaMont Jones
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
gnutls28 (Ubuntu)
New
Undecided
Unassigned

Bug Description

I have several hosts (running inspircd) that call gnutls_dh_params_generate2 to generate their dh params.

The key lengths that openssl s_client reports are not always the correct length.

It seems that gnutls is not following the crypto-community standard of forcing the high bit on before throwing the random number into primality testing.

Looking at gen_group() in lib/nettle/mpi.c in the gnutls sources may be useful.

dh_bits == 2048
Server Temp Key: DH, 2046 bits
Server Temp Key: DH, 2048 bits
Server Temp Key: DH, 2047 bits
Server Temp Key: DH, 2046 bits
Server Temp Key: DH, 2049 bits

dh_bits == 3072
Server Temp Key: DH, 3072 bits
Server Temp Key: DH, 3069 bits

Seen in trusty's libgnutls28=3.2.11-2ubuntu1

Revision history for this message
LaMont Jones (lamont) wrote :

This shows up as weechat failing to connect because the key length is less than 2048 bits (weechat's default behavior). Needless to say, if I ask for 2048 bits of temp key, I should get (at least) 2048 bits of temp key.

Revision history for this message
Andreas Metzler (k-launchpad-downhill-at-eu-org) wrote :

This was discussed upstream in <http://article.gmane.org/gmane.network.gnutls.general/3667> and according to <http://article.gmane.org/gmane.network.gnutls.general/3669> should not be an issue in 3.3.x:

Quoting Nikos Mavrogiannopoulos:
|| On Mon, 2014-11-10 at 11:48 -1000, Daniel Kahn Gillmor wrote:
| >> After some debugging it turns out that the failing criteria is that
| >> multiple of 64 bits requirement[1]. For some reason I've gotten a 1023
| >> bit prime, even though I called gnutls_dh_params_generate2() with 1024
| >> as the argument.
| > ugh. Java is at fault here -- there's no sense in this particular
| > severe limitation. if they're willing to use 512-bit DHE parameters and
| > 1024-bit DHE parameters, they should be willing to use 1023-bit DHE
| > parameters.
|
| That's indeed quite some arbitrary limitation.
|
| > That said, i suppose it's possible that gnutls could always ensure that
| > the high bit is set when generating a prime of a given size.
|
| That should be the case in gnutls 3.3.x. That version delegates to
| nettle the DH parameter generation and nettle seems to be more precise.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.