author | slontis <shane.lontis@oracle.com> | 2022-05-30 17:56:53 +1000 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2022-06-13 10:56:03 +0200 |
commit | ad7e0fd550a9eb2946edf38003ebc6d5b988dac7 (patch) | |
tree | 0d2e39bd4488c848c8c90cf92b2eff411842bf62 /crypto/bn | |
parent | a644cb7c1c19c78e2ca393c8ca36989e7ca61715 (diff) |
RSA keygen fixes
Fixes #18321
Increase the iteration factor used when 'Computing a Probable Prime Factor Based on Auxiliary Primes' from 5 to 20.
This matches the algorithm update made in FIPS 186-5.
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18429)
Diffstat (limited to 'crypto/bn')
-rw-r--r-- | crypto/bn/bn_rsa_fips186_4.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/crypto/bn/bn_rsa_fips186_4.c b/crypto/bn/bn_rsa_fips186_4.c index 8faaaefe99..a451576bf9 100644 --- a/crypto/bn/bn_rsa_fips186_4.c +++ b/crypto/bn/bn_rsa_fips186_4.c @@ -303,7 +303,14 @@ int ossl_bn_rsa_fips186_4_derive_prime(BIGNUM *Y, BIGNUM *X, const BIGNUM *Xin, if (BN_is_negative(R) && !BN_add(R, R, r1r2x2)) goto err; - imax = 5 * bits; /* max = 5/2 * nbits */ + /* + * In FIPS 186-4 imax was set to 5 * nlen/2. + * Analysis by Allen Roginsky (See https://csrc.nist.gov/CSRC/media/Publications/fips/186/4/final/documents/comments-received-fips186-4-december-2015.pdf + * page 68) indicates this has a 1 in 2 million chance of failure. + * The number has been updated to 20 * nlen/2 as used in + * FIPS186-5 Appendix B.9 Step 9. + */ + imax = 20 * bits; /* max = 20/2 * nbits */ for (;;) { if (Xin == NULL) { /* |
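Review bot: The new comment above `imax = 20 * bits;` names the bound three different ways: the block comment says "nlen/2", the trailing comment says "nbits", and the code multiplies `bits`. A reader of this hunk cannot tell whether `bits` is already nlen/2 or whether the trailing "20/2 * nbits" is the authoritative form. Suggest using one name throughout and stating the relationship once, for example by saying in the block comment that `bits` is nlen/2 here and then dropping the trailing comment. Two smaller style points in the same comment: the line carrying the NIST comments URL runs far past the usual line length and would read better with the URL on its own line, and "FIPS186-5" should be spelled "FIPS 186-5" to match "FIPS 186-4" two lines earlier. Since the factor 20 is tied to a specific step of the standard, a named constant next to the reference would also make a later change of the factor easier to audit than a bare literal.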