summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/dh
diff options
context:
space:
mode:
authortb <>2023-08-03 18:53:56 +0000
committertb <>2023-08-03 18:53:56 +0000
commite680fe5b2098d1406fab3bb3994254f026651090 (patch)
tree3779d2c9bdc12cd8a0d0eb7981bf515d6e27b344 /src/lib/libcrypto/dh
parent9110c93cd11bc18d800c645352c10a57e2ceea4b (diff)
downloadopenbsd-e680fe5b2098d1406fab3bb3994254f026651090.tar.gz
openbsd-e680fe5b2098d1406fab3bb3994254f026651090.tar.bz2
openbsd-e680fe5b2098d1406fab3bb3994254f026651090.zip
Make the bn_rand_interval() API a bit more ergonomic
Provide bn_rand_in_range() which is a slightly tweaked version of what was previously called bn_rand_range(). The way bn_rand_range() is called in libcrypto, the lower bound is always expressible as a word. In fact, most of the time it is 1, the DH code uses a 2, the MR tests in BPSW use 3 and an exceptinally high number appears in the Tonelli-Shanks implementation where we use 32. Converting these lower bounds to BIGNUMs on the call site is annoying so let bn_rand_interval() do that internally and route that through bn_rand_in_range(). This way we can avoid using BN_sub_word(). Adjust the bn_isqrt() test to use bn_rand_in_range() since that's the only caller that uses actual BIGNUMs as lower bounds. ok jsing
Diffstat (limited to 'src/lib/libcrypto/dh')
-rw-r--r--src/lib/libcrypto/dh/dh_key.c12
1 files changed, 4 insertions, 8 deletions
diff --git a/src/lib/libcrypto/dh/dh_key.c b/src/lib/libcrypto/dh/dh_key.c
index a4bd689483..050d1143f8 100644
--- a/src/lib/libcrypto/dh/dh_key.c
+++ b/src/lib/libcrypto/dh/dh_key.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: dh_key.c,v 1.39 2023/07/08 15:29:03 beck Exp $ */ 1/* $OpenBSD: dh_key.c,v 1.40 2023/08/03 18:53:55 tb Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -109,7 +109,7 @@ generate_key(DH *dh)
109 unsigned l; 109 unsigned l;
110 BN_CTX *ctx; 110 BN_CTX *ctx;
111 BN_MONT_CTX *mont = NULL; 111 BN_MONT_CTX *mont = NULL;
112 BIGNUM *pub_key = NULL, *priv_key = NULL, *two = NULL; 112 BIGNUM *pub_key = NULL, *priv_key = NULL;
113 113
114 if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) { 114 if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
115 DHerror(DH_R_MODULUS_TOO_LARGE); 115 DHerror(DH_R_MODULUS_TOO_LARGE);
@@ -139,11 +139,7 @@ generate_key(DH *dh)
139 139
140 if (dh->priv_key == NULL) { 140 if (dh->priv_key == NULL) {
141 if (dh->q) { 141 if (dh->q) {
142 if ((two = BN_new()) == NULL) 142 if (!bn_rand_interval(priv_key, 2, dh->q))
143 goto err;
144 if (!BN_add(two, BN_value_one(), BN_value_one()))
145 goto err;
146 if (!bn_rand_interval(priv_key, two, dh->q))
147 goto err; 143 goto err;
148 } else { 144 } else {
149 /* secret exponent length */ 145 /* secret exponent length */
@@ -169,7 +165,7 @@ generate_key(DH *dh)
169 if (dh->priv_key == NULL) 165 if (dh->priv_key == NULL)
170 BN_free(priv_key); 166 BN_free(priv_key);
171 BN_CTX_free(ctx); 167 BN_CTX_free(ctx);
172 BN_free(two); 168
173 return ok; 169 return ok;
174} 170}
175 171