diff options
author | tb <> | 2023-08-03 18:53:56 +0000 |
---|---|---|
committer | tb <> | 2023-08-03 18:53:56 +0000 |
commit | e680fe5b2098d1406fab3bb3994254f026651090 (patch) | |
tree | 3779d2c9bdc12cd8a0d0eb7981bf515d6e27b344 /src/lib/libcrypto/dh | |
parent | 9110c93cd11bc18d800c645352c10a57e2ceea4b (diff) | |
download | openbsd-e680fe5b2098d1406fab3bb3994254f026651090.tar.gz openbsd-e680fe5b2098d1406fab3bb3994254f026651090.tar.bz2 openbsd-e680fe5b2098d1406fab3bb3994254f026651090.zip |
Make the bn_rand_interval() API a bit more ergonomic
Provide bn_rand_in_range() which is a slightly tweaked version of what was
previously called bn_rand_range().
The way bn_rand_range() is called in libcrypto, the lower bound is always
expressible as a word. In fact, most of the time it is 1, the DH code uses
a 2, the MR tests in BPSW use 3 and an exceptinally high number appears in
the Tonelli-Shanks implementation where we use 32. Converting these lower
bounds to BIGNUMs on the call site is annoying so let bn_rand_interval()
do that internally and route that through bn_rand_in_range(). This way we
can avoid using BN_sub_word().
Adjust the bn_isqrt() test to use bn_rand_in_range() since that's the
only caller that uses actual BIGNUMs as lower bounds.
ok jsing
Diffstat (limited to 'src/lib/libcrypto/dh')
-rw-r--r-- | src/lib/libcrypto/dh/dh_key.c | 12 |
1 files changed, 4 insertions, 8 deletions
diff --git a/src/lib/libcrypto/dh/dh_key.c b/src/lib/libcrypto/dh/dh_key.c index a4bd689483..050d1143f8 100644 --- a/src/lib/libcrypto/dh/dh_key.c +++ b/src/lib/libcrypto/dh/dh_key.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: dh_key.c,v 1.39 2023/07/08 15:29:03 beck Exp $ */ | 1 | /* $OpenBSD: dh_key.c,v 1.40 2023/08/03 18:53:55 tb Exp $ */ |
2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
3 | * All rights reserved. | 3 | * All rights reserved. |
4 | * | 4 | * |
@@ -109,7 +109,7 @@ generate_key(DH *dh) | |||
109 | unsigned l; | 109 | unsigned l; |
110 | BN_CTX *ctx; | 110 | BN_CTX *ctx; |
111 | BN_MONT_CTX *mont = NULL; | 111 | BN_MONT_CTX *mont = NULL; |
112 | BIGNUM *pub_key = NULL, *priv_key = NULL, *two = NULL; | 112 | BIGNUM *pub_key = NULL, *priv_key = NULL; |
113 | 113 | ||
114 | if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) { | 114 | if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) { |
115 | DHerror(DH_R_MODULUS_TOO_LARGE); | 115 | DHerror(DH_R_MODULUS_TOO_LARGE); |
@@ -139,11 +139,7 @@ generate_key(DH *dh) | |||
139 | 139 | ||
140 | if (dh->priv_key == NULL) { | 140 | if (dh->priv_key == NULL) { |
141 | if (dh->q) { | 141 | if (dh->q) { |
142 | if ((two = BN_new()) == NULL) | 142 | if (!bn_rand_interval(priv_key, 2, dh->q)) |
143 | goto err; | ||
144 | if (!BN_add(two, BN_value_one(), BN_value_one())) | ||
145 | goto err; | ||
146 | if (!bn_rand_interval(priv_key, two, dh->q)) | ||
147 | goto err; | 143 | goto err; |
148 | } else { | 144 | } else { |
149 | /* secret exponent length */ | 145 | /* secret exponent length */ |
@@ -169,7 +165,7 @@ generate_key(DH *dh) | |||
169 | if (dh->priv_key == NULL) | 165 | if (dh->priv_key == NULL) |
170 | BN_free(priv_key); | 166 | BN_free(priv_key); |
171 | BN_CTX_free(ctx); | 167 | BN_CTX_free(ctx); |
172 | BN_free(two); | 168 | |
173 | return ok; | 169 | return ok; |
174 | } | 170 | } |
175 | 171 | ||