diff options
| author | tb <> | 2023-08-03 18:53:56 +0000 |
|---|---|---|
| committer | tb <> | 2023-08-03 18:53:56 +0000 |
| commit | 44ff07e01874ea8be0c72bf9d20cb7f13b76cca8 (patch) | |
| tree | 3779d2c9bdc12cd8a0d0eb7981bf515d6e27b344 /src/lib/libcrypto/dh | |
| parent | 6ce6cf23a77a446252150319206f0075eb6267cf (diff) | |
| download | openbsd-44ff07e01874ea8be0c72bf9d20cb7f13b76cca8.tar.gz openbsd-44ff07e01874ea8be0c72bf9d20cb7f13b76cca8.tar.bz2 openbsd-44ff07e01874ea8be0c72bf9d20cb7f13b76cca8.zip | |
Make the bn_rand_interval() API a bit more ergonomic
Provide bn_rand_in_range() which is a slightly tweaked version of what was
previously called bn_rand_range().
The way bn_rand_range() is called in libcrypto, the lower bound is always
expressible as a word. In fact, most of the time it is 1, the DH code uses
a 2, the MR tests in BPSW use 3 and an exceptinally high number appears in
the Tonelli-Shanks implementation where we use 32. Converting these lower
bounds to BIGNUMs on the call site is annoying so let bn_rand_interval()
do that internally and route that through bn_rand_in_range(). This way we
can avoid using BN_sub_word().
Adjust the bn_isqrt() test to use bn_rand_in_range() since that's the
only caller that uses actual BIGNUMs as lower bounds.
ok jsing
Diffstat (limited to 'src/lib/libcrypto/dh')
| -rw-r--r-- | src/lib/libcrypto/dh/dh_key.c | 12 |
1 files changed, 4 insertions, 8 deletions
diff --git a/src/lib/libcrypto/dh/dh_key.c b/src/lib/libcrypto/dh/dh_key.c index a4bd689483..050d1143f8 100644 --- a/src/lib/libcrypto/dh/dh_key.c +++ b/src/lib/libcrypto/dh/dh_key.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: dh_key.c,v 1.39 2023/07/08 15:29:03 beck Exp $ */ | 1 | /* $OpenBSD: dh_key.c,v 1.40 2023/08/03 18:53:55 tb Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -109,7 +109,7 @@ generate_key(DH *dh) | |||
| 109 | unsigned l; | 109 | unsigned l; |
| 110 | BN_CTX *ctx; | 110 | BN_CTX *ctx; |
| 111 | BN_MONT_CTX *mont = NULL; | 111 | BN_MONT_CTX *mont = NULL; |
| 112 | BIGNUM *pub_key = NULL, *priv_key = NULL, *two = NULL; | 112 | BIGNUM *pub_key = NULL, *priv_key = NULL; |
| 113 | 113 | ||
| 114 | if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) { | 114 | if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) { |
| 115 | DHerror(DH_R_MODULUS_TOO_LARGE); | 115 | DHerror(DH_R_MODULUS_TOO_LARGE); |
| @@ -139,11 +139,7 @@ generate_key(DH *dh) | |||
| 139 | 139 | ||
| 140 | if (dh->priv_key == NULL) { | 140 | if (dh->priv_key == NULL) { |
| 141 | if (dh->q) { | 141 | if (dh->q) { |
| 142 | if ((two = BN_new()) == NULL) | 142 | if (!bn_rand_interval(priv_key, 2, dh->q)) |
| 143 | goto err; | ||
| 144 | if (!BN_add(two, BN_value_one(), BN_value_one())) | ||
| 145 | goto err; | ||
| 146 | if (!bn_rand_interval(priv_key, two, dh->q)) | ||
| 147 | goto err; | 143 | goto err; |
| 148 | } else { | 144 | } else { |
| 149 | /* secret exponent length */ | 145 | /* secret exponent length */ |
| @@ -169,7 +165,7 @@ generate_key(DH *dh) | |||
| 169 | if (dh->priv_key == NULL) | 165 | if (dh->priv_key == NULL) |
| 170 | BN_free(priv_key); | 166 | BN_free(priv_key); |
| 171 | BN_CTX_free(ctx); | 167 | BN_CTX_free(ctx); |
| 172 | BN_free(two); | 168 | |
| 173 | return ok; | 169 | return ok; |
| 174 | } | 170 | } |
| 175 | 171 | ||