author | jan <> | 2025-09-29 08:46:15 +0000 |
---|---|---|
committer | jan <> | 2025-09-29 08:46:15 +0000 |
commit | 46c56e258ad51543fa1d174ca9568ef545233a34 (patch) | |
tree | 3bf9e2e29e543ebeaa5c59e952488f696ecca0e3 /src | |
parent | 3d7417f2050e2c59d3bc34048d7ddf7f9335c1e0 (diff) | |
libcrypto: rsa gen: min. distance between p and q
This is required in NIST Special Publication 800-56B Revision 2
"Recommendation for Pair-Wise Key Establishment Using Integer
Factorization Cryptography":
6 RSA Key Pairs
6.2 Criteria for RSA Key Pairs for Key Establishment
6.2.1 Definition of a Key Pair
3. The prime factors p and q shall be generated using one of
the methods specified in Appendix B.3 of FIPS 186 such that:
c. |p – q| > 2^(nBits/2−100)
ok djm@, tb@
Diffstat (limited to '')
-rw-r--r-- | src/lib/libcrypto/rsa/rsa_gen.c | 22 |
1 files changed, 19 insertions, 3 deletions
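--- a/src/lib/libcrypto/rsa/rsa_gen.c
+++ b/src/lib/libcrypto/rsa/rsa_gen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_gen.c,v 1.31 2025/05/10 05:54:38 tb Exp $ */
+/* $OpenBSD: rsa_gen.c,v 1.32 2025/09/29 08:46:15 jan Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -84,6 +84,7 @@ rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
 BIGNUM pr0, d, p;
 int bitsp, bitsq, ok = -1, n = 0;
 BN_CTX *ctx = NULL;
+BIGNUM *diff, *mindiff;
 
 ctx = BN_CTX_new();
 if (ctx == NULL)
@@ -97,10 +98,24 @@ rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
 goto err;
 if ((r3 = BN_CTX_get(ctx)) == NULL)
 goto err;
+if ((diff = BN_CTX_get(ctx)) == NULL)
+goto err;
+if ((mindiff = BN_CTX_get(ctx)) == NULL)
+goto err;
 
 bitsp = (bits + 1) / 2;
 bitsq = bits - bitsp;
 
+/*
+* To guarantee a minimum distance of 2^(bits/2 - 100) between p and q.
+*
+* NIST SP 800-56B, section 6.2.1, 3.c
+*/
+if (bits < 200)
+goto err;
+if (!BN_set_bit(mindiff, bits/2 - 100))
+goto err;
+
 /* We need the RSA components non-NULL */
 if (!rsa->n && ((rsa->n = BN_new()) == NULL))
 goto err;
@@ -148,8 +163,9 @@ rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
 if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL,
 cb))
 goto err;
-} while (BN_cmp(rsa->p, rsa->q) == 0 &&
-++degenerate < 3);
+if (!BN_sub(diff, rsa->p, rsa->q))
+goto err;
+} while (BN_ucmp(diff, mindiff) <= 0 && ++degenerate < 3);
 if (degenerate == 3) {
 ok = 0; /* we set our own err */
 RSAerror(RSA_R_KEY_SIZE_TOO_SMALL);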
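Review bot: The new `if (bits < 200) goto err;` guard (new lines 114-115) jumps to `err` with `ok` still -1 and no RSA error recorded. The degenerate-prime path at new lines 169-171, by contrast, sets `ok = 0` and raises `RSA_R_KEY_SIZE_TOO_SMALL`. The `err:` label is outside the visible hunks, so the caller presumably sees a generic failure rather than a key-size one; I would make the rejection explicit with `if (bits < 200) { ok = 0; RSAerror(RSA_R_KEY_SIZE_TOO_SMALL); goto err; }`. The added comment could also say that the 200-bit floor keeps `bits/2 - 100` non-negative for `BN_set_bit`. It could note too that the loop retries while |p - q| <= 2^(bits/2 - 100), and that `BN_ucmp` is used because `diff` may be negative.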