D17678.diff
Index: head/sbin/dumpon/dumpon.8
===================================================================
--- head/sbin/dumpon/dumpon.8
+++ head/sbin/dumpon/dumpon.8
@@ -28,7 +28,7 @@
.\" From: @(#)swapon.8 8.1 (Berkeley) 6/5/93
.\" $FreeBSD$
.\"
-.Dd June 13, 2018
+.Dd October 26, 2018
.Dt DUMPON 8
.Os
.Sh NAME
@@ -348,3 +348,15 @@
It is currently not possible to configure both compression and encryption.
The encrypted dump format assumes that the kernel dump size is a multiple
of the cipher block size, which may not be true when the dump is compressed.
+.Sh SECURITY CONSIDERATIONS
+RSA keys smaller than 1024 bits are practical to factor and therefore weak.
+Even 1024 bit keys may not be large enough to ensure privacy for many
+years, so NIST recommends a minimum of 2048 bit RSA keys.
+As a seatbelt,
+.Nm
+prevents users from configuring encrypted kernel dumps with weak RSA keys.
+If you do not care for cryptographic privacy guarantees, just use
+.Nm
+without specifying a
+.Fl k Ar pubkey
+option.
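Review bot: the new SECURITY CONSIDERATIONS text never states the minimum key size that dumpon actually enforces. It says keys under 1024 bits are weak and that NIST recommends 2048, then only that dumpon rejects "weak RSA keys", so a reader cannot tell whether a 1024-bit key is accepted. The dumpon.c change in this diff rejects anything below 112 security bits (a 2048-bit RSA key), so suggest stating that limit directly, for example "refuses RSA keys smaller than 2048 bits".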
Index: head/sbin/dumpon/dumpon.c
===================================================================
--- head/sbin/dumpon/dumpon.c
+++ head/sbin/dumpon/dumpon.c
@@ -243,6 +243,30 @@
if (pubkey == NULL)
errx(1, "Unable to read data from %s.", pubkeyfile);
+ /*
+ * RSA keys under ~1024 bits are trivially factorable (2018). OpenSSL
+ * provides an API for RSA keys to estimate the symmetric-cipher
+ * "equivalent" bits of security (defined in NIST SP800-57), which as
+ * of this writing equates a 2048-bit RSA key to 112 symmetric cipher
+ * bits.
+ *
+ * Use this API as a seatbelt to avoid suggesting to users that their
+ * privacy is protected by encryption when the key size is insufficient
+ * to prevent compromise via factoring.
+ *
+ * Future work: Sanity check for weak 'e', and sanity check for absence
+ * of 'd' (i.e., the supplied key is a public key rather than a full
+ * keypair).
+ */
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ if (RSA_security_bits(pubkey) < 112)
+#else
+ if (RSA_size(pubkey) * 8 < 2048)
+#endif
+ errx(1, "Small RSA keys (you provided: %db) can be "
+ "factored cheaply. Please generate a larger key.",
+ RSA_size(pubkey) * 8);
+
kdap->kda_encryptedkeysize = RSA_size(pubkey);
if (kdap->kda_encryptedkeysize > KERNELDUMP_ENCKEY_MAX_SIZE) {
errx(1, "Public key has to be at most %db long.",
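Review bot: in the new errx() call the reported size is RSA_size(pubkey) * 8, which is the modulus length rounded up to whole bytes, so a 2047-bit key rejected by the RSA_security_bits() branch is reported as "2048b". The same rounding lets such a key pass the #else branch's "RSA_size(pubkey) * 8 < 2048" test. Suggest using the exact modulus bit length (RSA_bits() on OpenSSL 1.1.0 and later) for both the fallback check and the message, and naming the 2048-bit minimum in the message so the user knows what size to generate. The first line of the comment also cites ~1024 bits while the enforced limit is 2048, which is worth reconciling.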
D17678: dumpon(8): Provide seatbelt against weak RSA keys