diff options
| author | David Benjamin <davidben@google.com> | 2016-03-09 02:03:31 +0300 |
|---|---|---|
| committer | David Benjamin <davidben@google.com> | 2016-03-09 02:10:50 +0300 |
| commit | ba70118d8ea7bb0232554bbd70606703bde5bde3 (patch) | |
| tree | 628ae8bf6b7f6da11031facd2f370d95413d4918 /crypto/rsa | |
| parent | 617804adc5cd6760a3febcd9d4408fbfc6ebcd0c (diff) | |
Revert "Reduce maximum RSA public exponent size to 33 bits."
This reverts commit b944882f26d64881161622b6c708568ff67483dd.
Recent Chrome canaries show a visible jump in ERR_SSL_PROTOCOL_ERROR which
coincided with a DEPS roll that included this change. Speculatively revert it
to see if they go back down afterwards.
Change-Id: I067798db144c348d666985986dfb9720d1153b7a
Reviewed-on: https://boringssl-review.googlesource.com/7391
Reviewed-by: David Benjamin <davidben@google.com>
Diffstat (limited to 'crypto/rsa')
| -rw-r--r-- | crypto/rsa/rsa_impl.c | 25 |
1 files changed, 4 insertions, 21 deletions
diff --git a/crypto/rsa/rsa_impl.c b/crypto/rsa/rsa_impl.c index 8dd59dc4..8e1b0eb4 100644 --- a/crypto/rsa/rsa_impl.c +++ b/crypto/rsa/rsa_impl.c @@ -56,7 +56,6 @@ #include <openssl/rsa.h> -#include <assert.h> #include <string.h> #include <openssl/bn.h> @@ -70,37 +69,21 @@ static int check_modulus_and_exponent_sizes(const RSA *rsa) { unsigned rsa_bits = BN_num_bits(rsa->n); - if (rsa_bits > 16 * 1024) { OPENSSL_PUT_ERROR(RSA, RSA_R_MODULUS_TOO_LARGE); return 0; } - /* Mitigate DoS attacks by limiting the exponent size. 33 bits was chosen as - * the limit based on the recommendations in [1] and [2]. Windows CryptoAPI - * doesn't support values larger than 32 bits [3], so it is unlikely that - * exponents larger than 32 bits are being used for anything Windows commonly - * does. - * - * [1] https://www.imperialviolet.org/2012/03/16/rsae.html - * [2] https://www.imperialviolet.org/2012/03/17/rsados.html - * [3] https://msdn.microsoft.com/en-us/library/aa387685(VS.85).aspx */ - static const unsigned kMaxExponentBits = 33; - - if (BN_num_bits(rsa->e) > kMaxExponentBits) { + if (BN_ucmp(rsa->n, rsa->e) <= 0) { OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_E_VALUE); return 0; } - /* Verify |n > e|. Comparing |rsa_bits| to |kMaxExponentBits| is a small - * shortcut to comparing |n| and |e| directly. In reality, |kMaxExponentBits| - * is much smaller than the minimum RSA key size that any application should - * accept. */ - if (rsa_bits <= kMaxExponentBits) { - OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL); + /* For large moduli only, enforce exponent limit. */ + if (rsa_bits > 3072 && BN_num_bits(rsa->e) > 64) { + OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_E_VALUE); return 0; } - assert(BN_ucmp(rsa->n, rsa->e) > 0); return 1; } |