rsa/rsa_gen.c: harmonize keygen's ability with RSA_security_bits.

Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4791)

crypto/rsa/rsa_chk.c

@@ -30,10 +30,13 @@ int RSA_check_key_ex(const RSA *key, BN_GENCB *cb)
     }
 
     /* multi-prime? */
-    if (key->version == RSA_ASN1_VERSION_MULTI
-        && (ex_primes = sk_RSA_PRIME_INFO_num(key->prime_infos)) <= 0) {
-        RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_INVALID_MULTI_PRIME_KEY);
-        return 0;
+    if (key->version == RSA_ASN1_VERSION_MULTI) {
+        ex_primes = sk_RSA_PRIME_INFO_num(key->prime_infos);
+        if (ex_primes <= 0
+                || (ex_primes + 2) > rsa_multip_cap(BN_num_bits(key->n))) {
+            RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_INVALID_MULTI_PRIME_KEY);
+            return 0;
+        }
     }
 
     i = BN_new();

crypto/rsa/rsa_gen.c

@@ -72,16 +72,6 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, int primes, BIGNUM *e_value,
     BN_CTX *ctx = NULL;
     BN_ULONG bitst = 0;
 
-    /*
-     * From Github pull request #4241:
-     *
-     * We are in disagreement on how to handle security trade-off, in other
-     * words:
-     *
-     * mechanical-check-for-maximum-of-16-prime-factors vs.
-     * limiting-number-depending-on-length-less-factors-for-shorter-keys.
-     */
-
     /*
      * When generating ridiculously small keys, we can get stuck
      * continually regenerating the same prime values.
@@ -92,8 +82,8 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, int primes, BIGNUM *e_value,
         goto err;
     }
 
-    if (primes < RSA_DEFAULT_PRIME_NUM
-        || primes > RSA_MAX_PRIME_NUM || bits <= primes) {
+    if (primes < RSA_DEFAULT_PRIME_NUM || primes > rsa_multip_cap(bits)) {
+        ok = 0;             /* we set our own err */
         RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_PRIME_NUM_INVALID);
         goto err;
     }
@@ -112,20 +102,6 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, int primes, BIGNUM *e_value,
     quo = bits / primes;
     rmd = bits % primes;
 
-    if (primes > RSA_DEFAULT_PRIME_NUM && quo < RSA_MIN_PRIME_SIZE) {
-        /*
-         * this means primes are too many for the key bits.
-         *
-         * This only affects multi-prime keys. For normal RSA,
-         * it's limited above (bits >= 16, hence each prime >= 8).
-         *
-         * This is done in this way because the original normal
-         * RSA's behavior should not alter at least in OpenSSL 1.1.1.
-         */
-        RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_PRIME_NUM_INVALID);
-        goto err;
-    }
-
     for (i = 0; i < primes; i++)
         bitsr[i] = (i < rmd) ? quo + 1 : quo;
 

doc/man3/RSA_generate_key.pod

@@ -35,6 +35,13 @@ modulus will be B<primes>, and the public exponent will be B<e>. Key sizes
 with B<num> E<lt> 1024 should be considered insecure. The exponent is an odd
 number, typically 3, 17 or 65537.
 
+In order to maintain adequate security level, the maximum number of permitted
+B<primes> depends on modulus bit length:
+
+   <1024 | >=1024 | >=4096 | >=8192
+   ------+--------+--------+-------
+     2   |   3    |   4    |   5
+
 A callback function may be used to provide feedback about the
 progress of the key generation. If B<cb> is not B<NULL>, it
 will be called as follows using the BN_GENCB_call() function
@@ -81,8 +88,7 @@ B<BN_GENCB_call(cb, 2, x)> is used with two different meanings.
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)>, L<RAND_bytes(3)>,
-L<RSA_generate_key_ex(3)>, L<BN_generate_prime(3)>
+L<ERR_get_error(3)>, L<RAND_bytes(3)>, L<BN_generate_prime(3)>
 
 =head1 HISTORY
 

test/recipes/15-test_mp_rsa.t

@@ -17,7 +17,7 @@ use OpenSSL::Test::Utils;
 
 setup("test_mp_rsa");
 
-plan tests => 61;
+plan tests => 31;
 
 ok(run(test(["rsa_mp_test"])), "running rsa multi prime test");
 
@@ -29,30 +29,15 @@ my @test_param = (
         primes => '3',
         bits => '2048',
     },
-    # 4 primes, 2048-bit
+    # 4 primes, 4096-bit
     {
         primes => '4',
-        bits => '2048',
-    },
-    # 8 primes, 2048-bit
-    {
-        primes => '8',
-        bits => '2048',
-    },
-    # 15 primes, 2048-bit
-    {
-        primes => '15',
-        bits => '2048',
-    },
-    # 8 primes, 15360-bit (3 & 4 primes for 15360 bit is too long to gen a key)
-    {
-        primes => '8',
-        bits => '15360',
+        bits => '4096',
     },
-    # 15 primes, 15360-bit
+    # 5 primes, 8192-bit
     {
-        primes => '15',
-        bits => '15360',
+        primes => '5',
+        bits => '8192',
     },
 );