Fix lower bound in e in FIPS RSA checking.

SP 800-89 5.3.3 references FIPS 186 for the bounds on e. I /think/
that's section B.3.1 which says:

  (b) The exponent e shall be an odd positive integer such that 2¹⁶ < e < 2²⁵⁶.

But that means that e has to be at least 17 bits. The check for
BN_is_odd ensures that 2¹⁶ itself is rejected.

Change-Id: Ib39f9d43032cbfe33317651c7b6eceb41b123291
Reviewed-on: https://boringssl-review.googlesource.com/15324
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Adam Langley 2017-04-20 12:36:18 -07:00 committed by CQ bot account: commit-bot@chromium.org
parent 4b65693c7e
commit a54ebffa76

@ -669,7 +669,7 @@ int RSA_check_fips(RSA *key) {
/* Perform partial public key validation of RSA keys (SP 800-89 5.3.3). */
/* TODO(svaldez): Check that n is composite and not a power of a prime using
* extended Miller-Rabin. */
if (BN_num_bits(key->e) < 16 ||
if (BN_num_bits(key->e) <= 16 ||
BN_num_bits(key->e) > 256 ||
!BN_is_odd(key->n) ||
!BN_is_odd(key->e) ||
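Review bot: The new lower-bound term `BN_num_bits(key->e) <= 16` does not by itself exclude the 17-bit value 2¹⁶; only the later `!BN_is_odd(key->e)` term rejects it, and that dependency is explained in the commit message but nowhere in the code. A short comment above the condition stating that the bit-length terms and the oddness term together enforce 2¹⁶ < e < 2²⁵⁶, with the FIPS 186 section the bound comes from, would stop a later edit from changing the oddness check without noticing it also carries part of the bound. Boundary cases for e = 65535 (must fail this condition) and e = 65537 (must pass it) would pin the intended behaviour.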