Merge pull request #7923 from embhorn/rsa2048_min

Set RSA_MIN_SIZE default to 2048 bits

Author: SparkiDev

.github/workflows/no-malloc.yml

@@ -18,7 +18,7 @@ jobs:
       matrix:
         config: [
           # Add new configs here
-          '--enable-rsa --enable-keygen --disable-dh CFLAGS="-DWOLFSSL_NO_MALLOC"',
+          '--enable-rsa --enable-keygen --disable-dh CFLAGS="-DWOLFSSL_NO_MALLOC -DRSA_MIN_SIZE=1024"',
         ]
     name: make check
     runs-on: ubuntu-latest

.github/workflows/openssh.yml

@@ -26,7 +26,7 @@ jobs:
           path: wolfssl
           configure: >-
             --enable-openssh --enable-dsa --with-max-rsa-bits=8192
-            --enable-intelasm --enable-sp-asm
+            --enable-intelasm --enable-sp-asm CFLAGS="-DRSA_MIN_SIZE=1024"
           install: true
 
       - name: tar build-dir

tests/api.c

@@ -565,13 +565,16 @@ int tmpDirNameSet = 0;
 #define TEST_STRING    "Everyone gets Friday off."
 #define TEST_STRING_SZ 25
 
+#ifndef NO_RSA
 #if (!defined(WOLFSSL_SP_MATH) || defined(WOLFSSL_SP_MATH_ALL)) && \
-    (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 4))
+    (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 4)) && \
+    (defined(RSA_MIN_SIZE) && (RSA_MIN_SIZE <= 1024))
 #define TEST_RSA_BITS 1024
 #else
 #define TEST_RSA_BITS 2048
 #endif
 #define TEST_RSA_BYTES (TEST_RSA_BITS/8)
+#endif /* !NO_RSA */
 
 #if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \
     (!defined(NO_WOLFSSL_SERVER) || !defined(NO_WOLFSSL_CLIENT))
@@ -20564,7 +20567,8 @@ static int test_wc_MakeRsaKey(void)
     RsaKey genKey;
     WC_RNG rng;
 #if (!defined(WOLFSSL_SP_MATH) || defined(WOLFSSL_SP_MATH_ALL)) && \
-    (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 4))
+    (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 4)) && \
+    (defined(RSA_MIN_SIZE) && (RSA_MIN_SIZE <= 1024))
     int bits = 1024;
 #else
     int bits = 2048;
@@ -20965,7 +20969,8 @@ static int test_wc_RsaKeyToDer(void)
     WC_RNG rng;
     byte*  der = NULL;
 #if (!defined(WOLFSSL_SP_MATH) || defined(WOLFSSL_SP_MATH_ALL)) && \
-    (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 4))
+    (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 4)) && \
+    (defined(RSA_MIN_SIZE) && (RSA_MIN_SIZE <= 1024))
     int     bits = 1024;
     word32  derSz = 611;
     /* (2 x 128) + 2 (possible leading 00) + (5 x 64) + 5 (possible leading 00)
@@ -21019,7 +21024,8 @@ static int test_wc_RsaKeyToPublicDer(void)
     WC_RNG rng;
     byte*  der = NULL;
 #if (!defined(WOLFSSL_SP_MATH) || defined(WOLFSSL_SP_MATH_ALL)) && \
-    (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 4))
+    (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 4)) && \
+    (defined(RSA_MIN_SIZE) && (RSA_MIN_SIZE <= 1024))
     int    bits = 1024;
     word32 derLen = 162;
 #else
@@ -21283,7 +21289,8 @@ static int test_wc_RsaEncryptSize(void)
     ExpectIntEQ(wc_InitRng(&rng), 0);
 
 #if (!defined(WOLFSSL_SP_MATH) || defined(WOLFSSL_SP_MATH_ALL)) && \
-    (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 4))
+    (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 4)) && \
+    (defined(RSA_MIN_SIZE) && (RSA_MIN_SIZE <= 1024))
     ExpectIntEQ(MAKE_RSA_KEY(&key, 1024, WC_RSA_EXPONENT, &rng), 0);
 
     ExpectIntEQ(wc_RsaEncryptSize(&key), 128);
@@ -21317,7 +21324,8 @@ static int test_wc_RsaFlattenPublicKey(void)
     word32 eSz = sizeof(e);
     word32 nSz = sizeof(n);
     #if (!defined(WOLFSSL_SP_MATH) || defined(WOLFSSL_SP_MATH_ALL)) && \
-        (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 4))
+        (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 4)) && \
+        (defined(RSA_MIN_SIZE) && (RSA_MIN_SIZE <= 1024))
     int    bits = 1024;
     #else
     int    bits = 2048;

wolfcrypt/benchmark/benchmark.c

@@ -8433,7 +8433,8 @@ static void bench_rsaKeyGen_helper(int useDeviceID, word32 keySz)
 void bench_rsaKeyGen(int useDeviceID)
 {
     int    k;
-#if !defined(WOLFSSL_SP_MATH) || defined(WOLFSSL_SP_MATH_ALL)
+#if !defined(WOLFSSL_SP_MATH) || defined(WOLFSSL_SP_MATH_ALL) && \
+    (RSA_MIN_SIZE <= 1024)
     static const word32  keySizes[2] = {1024, 2048};
 #else
     static const word32  keySizes[1] = {2048};

wolfcrypt/test/test.c

@@ -21000,7 +21000,8 @@ static wc_test_ret_t rsa_keygen_test(WC_RNG* rng)
     word32 idx = 0;
 #endif
     int    derSz = 0;
-#if !defined(WOLFSSL_SP_MATH) && !defined(HAVE_FIPS)
+#if !defined(WOLFSSL_SP_MATH) && !defined(HAVE_FIPS) && \
+    (defined(RSA_MIN_SIZE) && (RSA_MIN_SIZE <= 1024))
     int    keySz = 1024;
 #else
     int    keySz = 2048;

wolfssl/wolfcrypt/rsa.h

@@ -103,7 +103,7 @@ RSA keys can be used to encrypt, decrypt, sign and verify data.
 #endif
 
 #ifndef RSA_MIN_SIZE
-#define RSA_MIN_SIZE 1024
+#define RSA_MIN_SIZE 2048
 #endif
 
 #ifndef RSA_MAX_SIZE