rsa/rsa_gen.c: harmonize keygen's ability with RSA_security_bits.

    }

    /* multi-prime? */

    if (key->version == RSA_ASN1_VERSION_MULTI

        && (ex_primes = sk_RSA_PRIME_INFO_num(key->prime_infos)) <= 0) {

    if (key->version == RSA_ASN1_VERSION_MULTI) {

        ex_primes = sk_RSA_PRIME_INFO_num(key->prime_infos);

        if (ex_primes <= 0

                || (ex_primes + 2) > rsa_multip_cap(BN_num_bits(key->n))) {

            RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_INVALID_MULTI_PRIME_KEY);

            return 0;

        }

    }

    i = BN_new();

    j = BN_new();

    BN_CTX *ctx = NULL;

    BN_ULONG bitst = 0;

    /*

     * From Github pull request #4241:

     *

     * We are in disagreement on how to handle security trade-off, in other

     * words:

     *

     * mechanical-check-for-maximum-of-16-prime-factors vs.

     * limiting-number-depending-on-length-less-factors-for-shorter-keys.

     */

    /*

     * When generating ridiculously small keys, we can get stuck

     * continually regenerating the same prime values.

        goto err;

    }

    if (primes < RSA_DEFAULT_PRIME_NUM

        || primes > RSA_MAX_PRIME_NUM || bits <= primes) {

    if (primes < RSA_DEFAULT_PRIME_NUM || primes > rsa_multip_cap(bits)) {

        ok = 0;             /* we set our own err */

        RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_PRIME_NUM_INVALID);

        goto err;

    }

    quo = bits / primes;

    rmd = bits % primes;

    if (primes > RSA_DEFAULT_PRIME_NUM && quo < RSA_MIN_PRIME_SIZE) {

        /*

         * this means primes are too many for the key bits.

         *

         * This only affects multi-prime keys. For normal RSA,

         * it's limited above (bits >= 16, hence each prime >= 8).

         *

         * This is done in this way because the original normal

         * RSA's behavior should not alter at least in OpenSSL 1.1.1.

         */

        RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_PRIME_NUM_INVALID);

        goto err;

    }

    for (i = 0; i < primes; i++)

        bitsr[i] = (i < rmd) ? quo + 1 : quo;

with B<num> E<lt> 1024 should be considered insecure. The exponent is an odd

number, typically 3, 17 or 65537.

In order to maintain adequate security level, the maximum number of permitted

B<primes> depends on modulus bit length:

   <1024 | >=1024 | >=4096 | >=8192

   ------+--------+--------+-------

     2   |   3    |   4    |   5

A callback function may be used to provide feedback about the

progress of the key generation. If B<cb> is not B<NULL>, it

will be called as follows using the BN_GENCB_call() function

=head1 SEE ALSO

L<ERR_get_error(3)>, L<RAND_bytes(3)>,

L<RSA_generate_key_ex(3)>, L<BN_generate_prime(3)>

L<ERR_get_error(3)>, L<RAND_bytes(3)>, L<BN_generate_prime(3)>

=head1 HISTORY

setup("test_mp_rsa");

plan tests => 61;

plan tests => 31;

ok(run(test(["rsa_mp_test"])), "running rsa multi prime test");

        primes => '3',

        bits => '2048',

    },

    # 4 primes, 2048-bit

    # 4 primes, 4096-bit

    {

        primes => '4',

        bits => '2048',

    },

    # 8 primes, 2048-bit

    {

        primes => '8',

        bits => '2048',

    },

    # 15 primes, 2048-bit

    {

        primes => '15',

        bits => '2048',

    },

    # 8 primes, 15360-bit (3 & 4 primes for 15360 bit is too long to gen a key)

    {

        primes => '8',

        bits => '15360',

        bits => '4096',

    },

    # 15 primes, 15360-bit

    # 5 primes, 8192-bit

    {

        primes => '15',

        bits => '15360',

        primes => '5',

        bits => '8192',

    },

);