Add primality checking for RSA_check_fips.

This also fixes the comments regarding BN_prime_checks to match the security level guarantees provided by BN_prime_checks. Change-Id: I8032e88680bf51e8876e134b4253ed26c2072617 Reviewed-on: https://boringssl-review.googlesource.com/15304 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com>
2017-04-20 10:45:25 -04:00 · 2017-04-20 10:45:25 -04:00 · b1ffe0b36a
commit b1ffe0b36a
parent 7ce349ef26
1 changed files with 5 additions and 3 deletions
--- a/crypto/rsa/rsa.c
+++ b/crypto/rsa/rsa.c
@ -667,14 +667,16 @@ int RSA_check_fips(RSA *key) {
  int ret = 1;

  /* Perform partial public key validation of RSA keys (SP 800-89 5.3.3). */
-  /* TODO(svaldez): Check that n is composite and not a power of a prime using
-   * extended Miller-Rabin. */
+  enum bn_primality_result_t primality_result;
  if (BN_num_bits(key->e) <= 16 ||
      BN_num_bits(key->e) > 256 ||
      !BN_is_odd(key->n) ||
      !BN_is_odd(key->e) ||
      !BN_gcd(&small_gcd, key->n, &kSmallFactors, ctx) ||
-      !BN_is_one(&small_gcd)) {
+      !BN_is_one(&small_gcd) ||
+      !BN_enhanced_miller_rabin_primality_test(&primality_result, key->n,
+                                               BN_prime_checks, ctx, NULL) ||
+      primality_result != bn_non_prime_power_composite) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_PUBLIC_KEY_VALIDATION_FAILED);
    ret = 0;
  }