From 6abc01095702bccf1b966eb26085d6d6fdfb50be Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Mon, 24 Apr 2017 14:16:24 +0200
Subject: Added explicit check for the bounds of the generated 'd'.

This is according to FIPS186-4 sec. B.3.1.

Signed-off-by: Nikos Mavrogiannopoulos
---
 lib/nettle/int/rsa-keygen-fips186.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/lib/nettle/int/rsa-keygen-fips186.c b/lib/nettle/int/rsa-keygen-fips186.c
index 9bafc10186..506f758dd1 100644
--- a/lib/nettle/int/rsa-keygen-fips186.c
+++ b/lib/nettle/int/rsa-keygen-fips186.c
@@ -365,6 +365,12 @@ _rsa_generate_fips186_4_keypair(struct rsa_public_key *pub,
 		goto cleanup;
 	}
 
+	/* check whether d > 2^(nlen/2) -- FIPS186-4 5.3.1 */
+	if (mpz_sizeinbase(key->d, 2) < n_size/2) {
+		ret = 0;
+		goto cleanup;
+	}
+
 	/* Done! Almost, we must compute the auxillary private values. */
 	/* a = d % (p-1) */
 	mpz_fdiv_r(key->a, key->d, p1);
-- 
cgit v1.2.1
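Review bot: The bound check in the added `if` is off by one against the comment it carries: a `d` with exactly `n_size/2` bits has `mpz_sizeinbase(key->d, 2) == n_size/2`, is not rejected by `<`, yet lies in `[2^(n_size/2 - 1), 2^(n_size/2))` and so does not satisfy `d > 2^(nlen/2)`; assuming `n_size` is the modulus bit length nlen, the rejection should be `if (mpz_sizeinbase(key->d, 2) <= n_size/2) {` (an exact test would compare against a temporary set to `2^(n_size/2)` with `mpz_cmp`, which also rejects equality). The comment cites "FIPS186-4 5.3.1" while the commit message cites B.3.1, which is where the `2^(nlen/2) < d < LCM(p-1, q-1)` criterion lives; the comment would be clearer as `/* FIPS 186-4 B.3.1 step 3: require d > 2^(nlen/2); d with <= nlen/2 bits fails */`. B.3.1 also says a too-small `d` calls for generating new `p` and `q` rather than aborting, so unless the caller retries on `ret = 0` (not visible here) this turns a rare retry case into a hard generation failure. The enclosing `_rsa_generate_fips186_4_keypair` starts and ends outside the hunk.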