Fix lower bound in e in FIPS RSA checking.
SP 800-89 5.3.3 references FIPS 186 for the bounds on e. I /think/
that's section B.3.1 which says:
(b) The exponent e shall be an odd positive integer such that 2¹⁶ < e < 2²⁵⁶.
But that means that e has to be at least 17 bits. The check for
BN_is_odd ensures that 2¹⁶ itself is rejected.
Change-Id: Ib39f9d43032cbfe33317651c7b6eceb41b123291
Reviewed-on: https://boringssl-review.googlesource.com/15324
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/crypto/rsa/rsa.c b/crypto/rsa/rsa.c
index 1b62d03..cc4aa75 100644
--- a/crypto/rsa/rsa.c
+++ b/crypto/rsa/rsa.c
@@ -669,7 +669,7 @@
/* Perform partial public key validation of RSA keys (SP 800-89 5.3.3). */
/* TODO(svaldez): Check that n is composite and not a power of a prime using
* extended Miller-Rabin. */
- if (BN_num_bits(key->e) < 16 ||
+ if (BN_num_bits(key->e) <= 16 ||
BN_num_bits(key->e) > 256 ||
!BN_is_odd(key->n) ||
!BN_is_odd(key->e) ||