author | tb <> | 2023-07-20 06:26:27 +0000 |
---|---|---|
committer | tb <> | 2023-07-20 06:26:27 +0000 |
commit | 02b32b9db0a60f8a55706e1f30f429f143a59432 (patch) | |
tree | 55cccc1b683393b47b9d3306e4fd44c422e35238 /src/lib/libcrypto/man | |
parent | 54c50b85497b7c540a373873d75748084937f062 (diff) | |
download | openbsd-02b32b9db0a60f8a55706e1f30f429f143a59432.tar.gz openbsd-02b32b9db0a60f8a55706e1f30f429f143a59432.tar.bz2 openbsd-02b32b9db0a60f8a55706e1f30f429f143a59432.zip |

Cap the size of numbers we check for primality

We refuse to generate RSA keys larger than 16k and DH keys larger than 10k.
Primality checking with adversarial input is a DoS vector, so simply don't
do this. Introduce a cap of 32k for numbers we try to test for primality,
which should be more than large enough for use within a non-toolkit crypto
library. This is one way of mitigating the DH_check()/EVP_PKEY_param_check()
issue.

ok jsing miod

Diffstat (limited to 'src/lib/libcrypto/man')
0 files changed, 0 insertions, 0 deletions