rsa: Add SP800-56Br2 6.4.1.2.1 (3.c) check

The code did not yet check that the length of the RSA key is positive and even. Signed-off-by: Clemens Lang <cllang@redhat.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from #22403)
openssl · Oct 25, 2023 · 8b26854 · 8b26854
1 parent df5f419
commit 8b26854
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 0 deletions.
diff --git a/crypto/rsa/rsa_sp800_56b_check.c b/crypto/rsa/rsa_sp800_56b_check.c
@@ -403,6 +403,11 @@ int ossl_rsa_sp800_56b_check_keypair(const RSA *rsa, const BIGNUM *efixed,
         ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_KEYPAIR);
         return 0;
     }
+    /* (Step 3.c): check that the modulus length is a positive even integer */
+    if (nbits <= 0 || (nbits & 0x1)) {
+        ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_KEYPAIR);
+        return 0;
+    }
 
     ctx = BN_CTX_new_ex(rsa->libctx);
     if (ctx == NULL)

diff --git a/test/rsa_sp800_56b_test.c b/test/rsa_sp800_56b_test.c
@@ -458,6 +458,10 @@ static int test_invalid_keypair(void)
           && TEST_true(BN_add_word(n, 1))
           && TEST_false(ossl_rsa_sp800_56b_check_keypair(key, NULL, -1, 2048))
           && TEST_true(BN_sub_word(n, 1))
+          /* check that validation fails if len(n) is not even */
+          && TEST_true(BN_lshift1(n, n))
+          && TEST_false(ossl_rsa_sp800_56b_check_keypair(key, NULL, -1, 2049))
+          && TEST_true(BN_rshift1(n, n))
           /* check p  */
           && TEST_true(BN_sub_word(p, 2))
           && TEST_true(BN_mul(n, p, q, ctx))