Commit 0122add6 authored Nov 24, 2017 by Andy Polyakov

rsa/rsa_lib.c: make RSA_security_bits multi-prime aware.



Multi-prime RSA security is not determined by modulus length alone, but
depends even on number of primes. Too many primes render security
inadequate, but there is no common amount of primes or common factors'
length that provide equivalent secuity promise as two-prime for given
modulus length. Maximum amount of permitted primes is determined
according to following table.

   <1024 | >=1024 | >=4096 | >=8192
   ------+--------+--------+-------
     2   |   3    |   4    |   5

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4791)

parent 83ccead4

crypto/rsa/rsa_lib.c

+10 −1

Original line number	Diff line number	Diff line
		@@ -165,7 +165,16 @@ void RSA_get_ex_data(const RSA r, int idx)

		int RSA_security_bits(const RSA *rsa)
		{
		return BN_security_bits(BN_num_bits(rsa->n), -1);
		int bits = BN_num_bits(rsa->n);

		if (rsa->version == RSA_ASN1_VERSION_MULTI) {
		/* This ought to mean that we have private key at hand. */
		int ex_primes = sk_RSA_PRIME_INFO_num(rsa->prime_infos);

		if (ex_primes <= 0 \|\| (ex_primes + 2) > rsa_multip_cap(bits))
		return 0;
		}
		return BN_security_bits(bits, -1);
		}

		int RSA_set0_key(RSA r, BIGNUM n, BIGNUM e, BIGNUM d)

crypto/rsa/rsa_locl.h

+1 −0

Original line number	Diff line number	Diff line
		@@ -129,3 +129,4 @@ void rsa_multip_info_free_ex(RSA_PRIME_INFO *pinfo);
		void rsa_multip_info_free(RSA_PRIME_INFO *pinfo);
		RSA_PRIME_INFO *rsa_multip_info_new(void);
		int rsa_multip_calc_product(RSA *rsa);
		int rsa_multip_cap(int bits);

crypto/rsa/rsa_mp.c

+14 −0

Original line number	Diff line number	Diff line
		@@ -93,3 +93,17 @@ int rsa_multip_calc_product(RSA *rsa)
		BN_CTX_free(ctx);
		return rv;
		}

		int rsa_multip_cap(int bits)
		{
		int cap = 5;

		if (bits < 1024)
		cap = 2;
		else if (bits < 4096)
		cap = 3;
		else if (bits < 8192)
		cap = 4;

		return cap;
		}