summaryrefslogtreecommitdiffstats
path: root/crypto
diff options
context:
space:
mode:
authorSebastian Andrzej Siewior <sebastian@breakpoint.cc>2017-10-18 13:30:23 +0200
committerRichard Levitte <levitte@openssl.org>2017-12-11 12:53:07 +0100
commitcac19d19e7d6f252ff9aea60d85e0c0fd71a117f (patch)
treec99c44c5a70e11d5662f4e187e1fa34bf67f923d /crypto
parentFix no-chacha (diff)
downloadopenssl-cac19d19e7d6f252ff9aea60d85e0c0fd71a117f.tar.xz
openssl-cac19d19e7d6f252ff9aea60d85e0c0fd71a117f.zip
rsa: Do not allow less than 512 bit RSA keys
As per documentation, the RSA keys should not be smaller than 64bit (the documentation mentions something about a quirk in the prime generation algorithm). I am adding check into the code which used to be 16 for some reason. My primary motivation is to get rid of the last sentence in the documentation which suggest that typical keys have 1024 bits (instead updating it to the now default 2048). I *assume* that keys less than the 2048 bits (say 512) are used for education purposes. The 512 bits as the minimum have been suggested by Bernd Edlinger. Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4547)
Diffstat (limited to 'crypto')
-rw-r--r--crypto/rsa/rsa_gen.c6
-rw-r--r--crypto/rsa/rsa_locl.h1
-rw-r--r--crypto/rsa/rsa_pmeth.c2
3 files changed, 3 insertions, 6 deletions
diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c
index eda23b5481..4b9296e46c 100644
--- a/crypto/rsa/rsa_gen.c
+++ b/crypto/rsa/rsa_gen.c
@@ -72,11 +72,7 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, int primes, BIGNUM *e_value,
BN_CTX *ctx = NULL;
BN_ULONG bitst = 0;
- /*
- * When generating ridiculously small keys, we can get stuck
- * continually regenerating the same prime values.
- */
- if (bits < 16) {
+ if (bits < RSA_MIN_MODULUS_BITS) {
ok = 0; /* we set our own err */
RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_SIZE_TOO_SMALL);
goto err;
diff --git a/crypto/rsa/rsa_locl.h b/crypto/rsa/rsa_locl.h
index 52d839d73a..9bd53bec5a 100644
--- a/crypto/rsa/rsa_locl.h
+++ b/crypto/rsa/rsa_locl.h
@@ -12,6 +12,7 @@
#define RSA_MAX_PRIME_NUM 16
#define RSA_MIN_PRIME_SIZE 64
+#define RSA_MIN_MODULUS_BITS 512
typedef struct rsa_prime_info_st {
BIGNUM *r;
diff --git a/crypto/rsa/rsa_pmeth.c b/crypto/rsa/rsa_pmeth.c
index 8a114cff89..e11ed1f034 100644
--- a/crypto/rsa/rsa_pmeth.c
+++ b/crypto/rsa/rsa_pmeth.c
@@ -459,7 +459,7 @@ static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
return 1;
case EVP_PKEY_CTRL_RSA_KEYGEN_BITS:
- if (p1 < 512) {
+ if (p1 < RSA_MIN_MODULUS_BITS) {
RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_KEY_SIZE_TOO_SMALL);
return -2;
}