diff options
| author | Brian Smith <brian@briansmith.org> | 2016-01-13 23:50:00 +0300 |
|---|---|---|
| committer | Adam Langley <agl@google.com> | 2016-02-27 02:38:18 +0300 |
| commit | b944882f26d64881161622b6c708568ff67483dd (patch) | |
| tree | 76490a73b25d572511159e781456328d5caeea0a /crypto/rsa | |
| parent | f4e447c16d24aa2f6a9336aa6dbba015380beb29 (diff) | |
Reduce maximum RSA public exponent size to 33 bits.
Reduce the maximum RSA exponent size to 33 bits, regardless of modulus
size, for public key operations.
Change-Id: I88502b1033d8854696841531031298e8ad96a467
Reviewed-on: https://boringssl-review.googlesource.com/6901
Reviewed-by: Adam Langley <agl@google.com>
Diffstat (limited to 'crypto/rsa')
| -rw-r--r-- | crypto/rsa/rsa_impl.c | 25 |
1 files changed, 21 insertions, 4 deletions
diff --git a/crypto/rsa/rsa_impl.c b/crypto/rsa/rsa_impl.c index ba310739..7eedf6f4 100644 --- a/crypto/rsa/rsa_impl.c +++ b/crypto/rsa/rsa_impl.c @@ -56,6 +56,7 @@ #include <openssl/rsa.h> +#include <assert.h> #include <string.h> #include <openssl/bn.h> @@ -69,21 +70,37 @@ static int check_modulus_and_exponent_sizes(const RSA *rsa) { unsigned rsa_bits = BN_num_bits(rsa->n); + if (rsa_bits > 16 * 1024) { OPENSSL_PUT_ERROR(RSA, RSA_R_MODULUS_TOO_LARGE); return 0; } - if (BN_ucmp(rsa->n, rsa->e) <= 0) { + /* Mitigate DoS attacks by limiting the exponent size. 33 bits was chosen as + * the limit based on the recommendations in [1] and [2]. Windows CryptoAPI + * doesn't support values larger than 32 bits [3], so it is unlikely that + * exponents larger than 32 bits are being used for anything Windows commonly + * does. + * + * [1] https://www.imperialviolet.org/2012/03/16/rsae.html + * [2] https://www.imperialviolet.org/2012/03/17/rsados.html + * [3] https://msdn.microsoft.com/en-us/library/aa387685(VS.85).aspx */ + static const unsigned kMaxExponentBits = 33; + + if (BN_num_bits(rsa->e) > kMaxExponentBits) { OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_E_VALUE); return 0; } - /* For large moduli only, enforce exponent limit. */ - if (rsa_bits > 3072 && BN_num_bits(rsa->e) > 64) { - OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_E_VALUE); + /* Verify |n > e|. Comparing |rsa_bits| to |kMaxExponentBits| is a small + * shortcut to comparing |n| and |e| directly. In reality, |kMaxExponentBits| + * is much smaller than the minimum RSA key size that any application should + * accept. */ + if (rsa_bits <= kMaxExponentBits) { + OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL); return 0; } + assert(BN_ucmp(rsa->n, rsa->e) > 0); return 1; } |