rsa: Add SP800-56Br2 6.4.1.2.1 (3.c) check

The code did not yet check that the length of the RSA key is positive
and even.

Signed-off-by: Clemens Lang <cllang@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/22403)

diff --git a/crypto/rsa/rsa_sp800_56b_check.c b/crypto/rsa/rsa_sp800_56b_check.c
index fc8f19b48770b1084b7a6e202d1fc5cc9bc3b53a..e6b79e953dda16347753e1ec5beb49e19f174fa2 100644 (file)
--- a/crypto/rsa/rsa_sp800_56b_check.c
+++ b/crypto/rsa/rsa_sp800_56b_check.c
@@ -403,6 +403,11 @@ int ossl_rsa_sp800_56b_check_keypair(const RSA *rsa, const BIGNUM *efixed,
         ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_KEYPAIR);
         return 0;
     }
+    /* (Step 3.c): check that the modulus length is a positive even integer */
+    if (nbits <= 0 || (nbits & 0x1)) {
+        ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_KEYPAIR);
+        return 0;
+    }
 
     ctx = BN_CTX_new_ex(rsa->libctx);
     if (ctx == NULL)

diff --git a/test/rsa_sp800_56b_test.c b/test/rsa_sp800_56b_test.c
index 7660019f4739f1d11f0d2d35162eed91a29713a9..aa58bbbe6c50f33fea6108fb03d958c972ec1a56 100644 (file)
--- a/test/rsa_sp800_56b_test.c
+++ b/test/rsa_sp800_56b_test.c
@@ -458,6 +458,10 @@ static int test_invalid_keypair(void)
           && TEST_true(BN_add_word(n, 1))
           && TEST_false(ossl_rsa_sp800_56b_check_keypair(key, NULL, -1, 2048))
           && TEST_true(BN_sub_word(n, 1))
+          /* check that validation fails if len(n) is not even */
+          && TEST_true(BN_lshift1(n, n))
+          && TEST_false(ossl_rsa_sp800_56b_check_keypair(key, NULL, -1, 2049))
+          && TEST_true(BN_rshift1(n, n))
           /* check p  */
           && TEST_true(BN_sub_word(p, 2))
           && TEST_true(BN_mul(n, p, q, ctx))