openbsd/src/lib/libcrypto/bn, branch libressl-v3.0.1 A mirror of https://github.com/libressl/openbsd.git https://git.lua4.win/openbsd/atom?h=libressl-v3.0.1 2019-08-25T19:24:00+00:00 Change generating and checking of primes so that the error rate of 2019-08-25T19:24:00+00:00 schwarze 2019-08-25T19:24:00+00:00 urn:sha1:0fd355ae5ac95f1b4265d2c28d096b63de52a902 not being prime depends on the intended use based on the size of the input. For larger primes this will result in more rounds of Miller-Rabin. The maximal error rate for primes with more than 1080 bits is lowered to 2^-128. Patch from Kurt Roeckx <kurt@roeckx.be> and Annie Yousar via OpenSSL commit feac7a1c Jul 25 18:55:16 2018 +0200, still under a free license. OK tb@. make BN_CTX_end(NULL) a NOOP for compatibility with documented behaviour 2019-08-20T10:59:09+00:00 schwarze 2019-08-20T10:59:09+00:00 urn:sha1:4569778023d8d4ec0159e09baa48f5f397ff8847 in OpenSSL 1.1.1 even though in general, letting random functions accept NULL is not advisable because it can hide programming errors; "yes please" tb@ "unfortunately I suspect you're right" jsing@ "oh well" deraadt@ Make BN_num_bits_word() constant time. 2019-06-17T17:11:48+00:00 tb 2019-06-17T17:11:48+00:00 urn:sha1:aad713565aa006bc353dc31ecaa5e9f0aa3de235 Previously, this function would leak the most significant word of its argument due to branching and memory access pattern. This patch is enough to fix the use of BN_num_bits() on RSA prime factors in the library. The diff is a simplified and more readable (but perhaps less efficient) version of https://github.com/openssl/openssl/commit/972c87df by Andy Polyakov and David Benjamin (pre license change). Consult that commit message for details. Subsequent fixes to follow in the near future. Issue pointed out by David Schrammel and Samuel Weiser as part of a larger report. tests & ok inoguchi, ok jsing Add range checks to varios ASN1_INTEGER functions to ensure the 2019-03-23T18:48:15+00:00 beck 2019-03-23T18:48:15+00:00 urn:sha1:c7b9ffc836ad7a05586d7c83c368d784af9cacda sizes used remain a positive integer. Should address issue 13799 from oss-fuzz ok tb@ jsing@ Fix BN_is_prime_* calls in libcrypto, the API returns -1 on error. 2019-01-20T01:56:59+00:00 tb 2019-01-20T01:56:59+00:00 urn:sha1:4d359baaefb1597abf730cf3a09574e1e03d620b From BoringSSL's commit 53409ee3d7595ed37da472bc73b010cd2c8a5ffd by David Benjamin. ok djm, jsing Flip reversed test in bn_rand_interval(). 2018-11-06T06:49:45+00:00 tb 2018-11-06T06:49:45+00:00 urn:sha1:a8249222cfc2738a9d25e498cd781c3b188cb9e0 ok jsing Introduce bn_rand_interval() that allows specifying an interval [a, b) 2018-11-05T23:52:47+00:00 tb 2018-11-05T23:52:47+00:00 urn:sha1:180c3e4250e4e8ea8cdade42002a7fd6564d66c2 from which a a BIGNUM is chosen uniformly at random. ok beck jsing Use a size_t instead of an int for the byte count in BN_swap_ct(). 2018-07-23T18:14:32+00:00 tb 2018-07-23T18:14:32+00:00 urn:sha1:1b961cfb65c1f00f26f20454324577edec589a1b Since bignums use ints for the same purpose, this still uses an int internally after an overflow check. Suggested by and discussed with jsing. ok inoguchi, jsing Clean up our disgusting implementations of BN_{,u}{add,sub}(), following 2018-07-23T18:07:21+00:00 tb 2018-07-23T18:07:21+00:00 urn:sha1:49a35ed3e279b1c1d03fa757a539851339945e90 changes made in OpenSSL by Davide Galassi and others, so that one can actually follow what is going on. There is no performance impact from this change as the code still does essentially the same thing. There's a ton of work still to be done to make the BN code less terrible. ok jsing, kn Eliminate the weird condition in the BN_swap_ct() API that at most one bit 2018-07-13T08:43:31+00:00 tb 2018-07-13T08:43:31+00:00 urn:sha1:30d844db17bda4a9465f89832a192a4685d70d38 be set in condition. This makes the constant time bit-twiddling a bit trickier, but it's not too bad. Thanks to halex for an extensive rubber ducking session over a non-spicy spicy tabouleh falafel.. ok jsing, kn