diff options
| author | jan <> | 2025-09-29 08:46:15 +0000 |
|---|---|---|
| committer | jan <> | 2025-09-29 08:46:15 +0000 |
| commit | 46c56e258ad51543fa1d174ca9568ef545233a34 (patch) | |
| tree | 3bf9e2e29e543ebeaa5c59e952488f696ecca0e3 /src | |
| parent | 3d7417f2050e2c59d3bc34048d7ddf7f9335c1e0 (diff) | |
| download | openbsd-46c56e258ad51543fa1d174ca9568ef545233a34.tar.gz openbsd-46c56e258ad51543fa1d174ca9568ef545233a34.tar.bz2 openbsd-46c56e258ad51543fa1d174ca9568ef545233a34.zip | |
libcrypto: rsa gen: min. distance between p and q
This is required in NIST Special Publication 800-56B Revision 2
"Recommendation for Pair-Wise Key Establishment Using Integer
Factorization Cryptography":
6 RSA Key Pairs
6.2 Criteria for RSA Key Pairs for Key Establishment
6.2.1 Definition of a Key Pair
3. The prime factors p and q shall be generated using one of
the methods specified in Appendix B.3 of FIPS 186 such that:
c. |p – q| > 2nBits/2−100
ok djm@, tb@
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libcrypto/rsa/rsa_gen.c | 22 |
1 files changed, 19 insertions, 3 deletions
diff --git a/src/lib/libcrypto/rsa/rsa_gen.c b/src/lib/libcrypto/rsa/rsa_gen.c index ebd0aeffd5..6a8bd08160 100644 --- a/src/lib/libcrypto/rsa/rsa_gen.c +++ b/src/lib/libcrypto/rsa/rsa_gen.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: rsa_gen.c,v 1.31 2025/05/10 05:54:38 tb Exp $ */ | 1 | /* $OpenBSD: rsa_gen.c,v 1.32 2025/09/29 08:46:15 jan Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -84,6 +84,7 @@ rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) | |||
| 84 | BIGNUM pr0, d, p; | 84 | BIGNUM pr0, d, p; |
| 85 | int bitsp, bitsq, ok = -1, n = 0; | 85 | int bitsp, bitsq, ok = -1, n = 0; |
| 86 | BN_CTX *ctx = NULL; | 86 | BN_CTX *ctx = NULL; |
| 87 | BIGNUM *diff, *mindiff; | ||
| 87 | 88 | ||
| 88 | ctx = BN_CTX_new(); | 89 | ctx = BN_CTX_new(); |
| 89 | if (ctx == NULL) | 90 | if (ctx == NULL) |
| @@ -97,10 +98,24 @@ rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) | |||
| 97 | goto err; | 98 | goto err; |
| 98 | if ((r3 = BN_CTX_get(ctx)) == NULL) | 99 | if ((r3 = BN_CTX_get(ctx)) == NULL) |
| 99 | goto err; | 100 | goto err; |
| 101 | if ((diff = BN_CTX_get(ctx)) == NULL) | ||
| 102 | goto err; | ||
| 103 | if ((mindiff = BN_CTX_get(ctx)) == NULL) | ||
| 104 | goto err; | ||
| 100 | 105 | ||
| 101 | bitsp = (bits + 1) / 2; | 106 | bitsp = (bits + 1) / 2; |
| 102 | bitsq = bits - bitsp; | 107 | bitsq = bits - bitsp; |
| 103 | 108 | ||
| 109 | /* | ||
| 110 | * To guarantee a minimum distance of 2^(bits/2 - 100) between p and q. | ||
| 111 | * | ||
| 112 | * NIST SP 800-56B, section 6.2.1, 3.c | ||
| 113 | */ | ||
| 114 | if (bits < 200) | ||
| 115 | goto err; | ||
| 116 | if (!BN_set_bit(mindiff, bits/2 - 100)) | ||
| 117 | goto err; | ||
| 118 | |||
| 104 | /* We need the RSA components non-NULL */ | 119 | /* We need the RSA components non-NULL */ |
| 105 | if (!rsa->n && ((rsa->n = BN_new()) == NULL)) | 120 | if (!rsa->n && ((rsa->n = BN_new()) == NULL)) |
| 106 | goto err; | 121 | goto err; |
| @@ -148,8 +163,9 @@ rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) | |||
| 148 | if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, | 163 | if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, |
| 149 | cb)) | 164 | cb)) |
| 150 | goto err; | 165 | goto err; |
| 151 | } while (BN_cmp(rsa->p, rsa->q) == 0 && | 166 | if (!BN_sub(diff, rsa->p, rsa->q)) |
| 152 | ++degenerate < 3); | 167 | goto err; |
| 168 | } while (BN_ucmp(diff, mindiff) <= 0 && ++degenerate < 3); | ||
| 153 | if (degenerate == 3) { | 169 | if (degenerate == 3) { |
| 154 | ok = 0; /* we set our own err */ | 170 | ok = 0; /* we set our own err */ |
| 155 | RSAerror(RSA_R_KEY_SIZE_TOO_SMALL); | 171 | RSAerror(RSA_R_KEY_SIZE_TOO_SMALL); |