diff options
| author | tb <> | 2021-11-29 19:54:07 +0000 |
|---|---|---|
| committer | tb <> | 2021-11-29 19:54:07 +0000 |
| commit | 33c4b670470691ed907e24ba05f290f1e366bd59 (patch) | |
| tree | 611b1e72915a879263d2b76d2c8334dc0df91b46 | |
| parent | b753fe631ca17cfd52a93a2e4d1cd2b5bccebcc9 (diff) | |
| download | openbsd-33c4b670470691ed907e24ba05f290f1e366bd59.tar.gz openbsd-33c4b670470691ed907e24ba05f290f1e366bd59.tar.bz2 openbsd-33c4b670470691ed907e24ba05f290f1e366bd59.zip | |
Increase number of iterations in Miller-Rabin checks for DH.
BN_prime_checks is only to be used for random input. Here, the
input isn't random, so increase the number of checks. According
to https://eprint.iacr.org/2019/032, 64 rounds is suitable.
From Jake Massimo, OpenSSL 1.1.1, af6ce3b4
ok inoguchi jsing
| -rw-r--r-- | src/lib/libcrypto/dh/dh_check.c | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/src/lib/libcrypto/dh/dh_check.c b/src/lib/libcrypto/dh/dh_check.c index 258cc8d916..b06e971235 100644 --- a/src/lib/libcrypto/dh/dh_check.c +++ b/src/lib/libcrypto/dh/dh_check.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: dh_check.c,v 1.19 2021/11/29 19:47:47 tb Exp $ */ | 1 | /* $OpenBSD: dh_check.c,v 1.20 2021/11/29 19:54:07 tb Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -63,6 +63,8 @@ | |||
| 63 | 63 | ||
| 64 | #include "bn_lcl.h" | 64 | #include "bn_lcl.h" |
| 65 | 65 | ||
| 66 | #define DH_NUMBER_ITERATIONS_FOR_PRIME 64 | ||
| 67 | |||
| 66 | int | 68 | int |
| 67 | DH_check_params(const DH *dh, int *flags) | 69 | DH_check_params(const DH *dh, int *flags) |
| 68 | { | 70 | { |
| @@ -140,7 +142,8 @@ DH_check(const DH *dh, int *flags) | |||
| 140 | if (!BN_is_one(residue)) | 142 | if (!BN_is_one(residue)) |
| 141 | *flags |= DH_NOT_SUITABLE_GENERATOR; | 143 | *flags |= DH_NOT_SUITABLE_GENERATOR; |
| 142 | } | 144 | } |
| 143 | is_prime = BN_is_prime_ex(dh->q, BN_prime_checks, ctx, NULL); | 145 | is_prime = BN_is_prime_ex(dh->q, DH_NUMBER_ITERATIONS_FOR_PRIME, |
| 146 | ctx, NULL); | ||
| 144 | if (is_prime < 0) | 147 | if (is_prime < 0) |
| 145 | goto err; | 148 | goto err; |
| 146 | if (is_prime == 0) | 149 | if (is_prime == 0) |
| @@ -154,7 +157,8 @@ DH_check(const DH *dh, int *flags) | |||
| 154 | *flags |= DH_CHECK_INVALID_J_VALUE; | 157 | *flags |= DH_CHECK_INVALID_J_VALUE; |
| 155 | } | 158 | } |
| 156 | 159 | ||
| 157 | is_prime = BN_is_prime_ex(dh->p, BN_prime_checks, ctx, NULL); | 160 | is_prime = BN_is_prime_ex(dh->p, DH_NUMBER_ITERATIONS_FOR_PRIME, |
| 161 | ctx, NULL); | ||
| 158 | if (is_prime < 0) | 162 | if (is_prime < 0) |
| 159 | goto err; | 163 | goto err; |
| 160 | if (is_prime == 0) | 164 | if (is_prime == 0) |
| @@ -166,7 +170,8 @@ DH_check(const DH *dh, int *flags) | |||
| 166 | goto err; | 170 | goto err; |
| 167 | if (!BN_rshift1(q, dh->p)) | 171 | if (!BN_rshift1(q, dh->p)) |
| 168 | goto err; | 172 | goto err; |
| 169 | is_prime = BN_is_prime_ex(q, BN_prime_checks, ctx, NULL); | 173 | is_prime = BN_is_prime_ex(q, DH_NUMBER_ITERATIONS_FOR_PRIME, |
| 174 | ctx, NULL); | ||
| 170 | if (is_prime < 0) | 175 | if (is_prime < 0) |
| 171 | goto err; | 176 | goto err; |
| 172 | if (is_prime == 0) | 177 | if (is_prime == 0) |