| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It has long been known that pure Miller-Rabin primality tests are
insufficient. "Prime and Prejudice: Primality Testing Under Adversarial
Conditions" https://eprint.iacr.org/2018/749 points out severe flaws
in many widely used libraries. In particular, they exhibited a method to
generate 2048-bit composites that bypass the default OpenSSL (and hence
LibreSSL) primality test with a probability of 1/16 (!).
As a remedy, the authors recommend switching to using BPSW wherever
possible. This possibility has always been there, but someone had to
sit down and actually implement a properly licensed piece of code.
Fortunately, espie suggested to Martin Grenouilloux to do precisely this
after asking us whether we would be interested. Of course we were!
After a good first implementation from Martin and a lot of back and
forth, we came up with the present version.
This implementation is ~50% slower than the current default Miller-Rabin
test, but that is a small price to pay given the improvements.
Thanks to Martin Grenouilloux <martin.grenouilloux () lse ! epita ! fr>
for this awesome work, to espie without whom it wouldn't have happened,
and to djm for pointing us at this problem a long time back.
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds an implementation of the integer square root using a variant
of Newton's method with adaptive precision. The implementation is based
on a pure Python description of cpython's math.isqrt(). This algorithm
is proven to be correct with a tricky but very neat loop invariant:
https://github.com/mdickinson/snippets/blob/master/proofs/isqrt/src/isqrt.lean
Using this algorithm instead of Newton method, implement Algorithm 1.7.3
(square test) from H. Cohen, "A course in computational algebraic number
theory" to detect perfect squares.
ok jsing
|
| | |
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
| |
This script is not used at all and files are edited by hand instead.
Thus remove misleading comments incl. the obsolete script/config.
Feedback OK jsing tb
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
remove (expired):
/O=Cybertrust, Inc/CN=Cybertrust Global Root
/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
remove:
/C=ES/O=Agencia Catalana de Certificacio (NIF Q-0801176-I)/OU=Serveis Publics de Certificacio/OU=Vegeu https://www.catcert.net/verarrel (c)03/OU=Jerarquia Entitats de Certificacio Catalanes/CN=EC-ACC
/C=GB/O=Trustis Limited/OU=Trustis FPS Root CA
add new root (existing CAs):
/C=TW/O=Chunghwa Telecom Co., Ltd./CN=HiPKI Root CA - G1
/C=DE/O=D-Trust GmbH/CN=D-TRUST BR Root CA 1 2020
/C=DE/O=D-Trust GmbH/CN=D-TRUST EV Root CA 1 2020
/C=GR/O=Hellenic Academic and Research Institutions CA/CN=HARICA TLS ECC Root CA 2021
/C=GR/O=Hellenic Academic and Research Institutions CA/CN=HARICA TLS RSA Root CA 2021
/C=US/O=Internet Security Research Group/CN=ISRG Root X2
/C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA 2
add (new CAs):
/C=TN/O=Agence Nationale de Certification Electronique/CN=TunTrust Root CA
/serialNumber=G63287510/C=ES/O=ANF Autoridad de Certificacion/OU=ANF CA Raiz/CN=ANF Secure Server Root CA
/C=PL/O=Asseco Data Systems S.A./OU=Certum Certification Authority/CN=Certum EC-384 CA
/C=PL/O=Asseco Data Systems S.A./OU=Certum Certification Authority/CN=Certum Trusted Root CA
/C=AT/O=e-commerce monitoring GmbH/CN=GLOBALTRUST 2020
/C=CN/O=iTrusChina Co.,Ltd./CN=vTrus ECC Root CA
/C=CN/O=iTrusChina Co.,Ltd./CN=vTrus Root CA
/C=FI/O=Telia Finland Oyj/CN=Telia Root CA v2
replace with another cert with same CN (SHA1 vs SHA256):
/C=ES/CN=Autoridad de Certificacion Firmaprofesional CIF A62634068
|
| |
|
|
| |
ok tb@
|
| |
|
|
| |
not exposed in the public API.
|
| |
|
|
|
|
| |
and DSA_meth_set1_name(3).
Merge the documentation from the OpenSSL 1.1.1 branch, which
is still under a free license, significantly tweaked by me.
|
| | |
|
| |
|
|
|
|
|
|
| |
This is the documented behavior which got lost in the recent rewrite.
Mismatch of documentation and reality pointed out by schwarze
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
| |
ASN1_INTEGER_set_uint64(3), ASN1_INTEGER_set_int64(3),
ASN1_ENUMERATED_get_int64(3), and ASN1_ENUMERATED_set_int64(3)
recently provided by tb@.
Even though Dr. Steven Henson also documented these functions in OpenSSL,
the text over there is excessively verbose, repetitive, very badly ordered,
and incomplete, so i chose to instead write this patch from scratch,
also adding some precision in a few places.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Project Wycheproof's primality_tests.json contain a set of 280 numbers
that trigger edge cases in Miller-Rabin and related checks. libcrypto's
Miller-Rabin test is known to be rather poor, hopefully we will soon see
a diff on tech that improves on this.
This extends the Go test in the usual way and also adds a perl script
that allows testing on non-Go architectures.
Deliberately not yet linked to regress since the tests are flaky with
the current BN_is_prime_ex() implementatation.
|
| | |
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
| |
Contrary to CBS_stow(), CBB_finish() will leak, so ensure we fail if
*out_data is populated.
Discussed with & ok jsing
|
| |
|
|
|
|
| |
Needed for an upcoming diff adding a NULL check to CBB_finish().
ok jsing
|
| |
|
|
|
|
| |
calls.
ok jsing
|
| |
|
|
| |
from beck
|
| | |
|
| |
|
|
| |
From beck
|
| |
|
|
| |
From beck
|
| | |
|
| |
|
|
|
|
|
| |
that are no longer needed now that libcrypto exposes the necessary
security-bits API.
ok jsing
|
| | |
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
ok jsing
|
| | |
|
| |
|
|
|
|
|
| |
These are mostly security-level related, but there are also ASN1_TIME
and ASN_INTEGER functions here, as well as some missing accessors.
ok jsing
|
| |
|
|
|
|
| |
of SHA-1. This helps the switch to security-level aware ssltest.
From jsing
|
| |
|
|
|
|
|
| |
The well-known masters of consistency of course use strings that don't
match the names of the errors.
ok jsing
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
pointed out by jsing
|
| |
|
|
|
|
|
|
| |
Also follow OpenSSL by making the name non-const to avoid ugly casting.
Used by OpenSC's pkcs11-helper, as reported by Fabrice Fontaine in
https://github.com/libressl-portable/openbsd/issues/130
ok jsing sthen
|
| |
|
|
| |
ok jsing sthen
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
A client is required to send an empty list if it does not have a suitable
certificate - handle this case up front, rather than going through the
normal code path and ending up with an empty certificate list. This matches
what we do in the TLSv1.3 stack and will allow for ruther clean up (in
addition to making the code more readable).
Also tidy up the CBS code and remove some unnecessary length checks. Use
'cert' and 'certs' for certificates, rather than 'x' and 'sk'.
ok tb@
|
| |
|
|
|
|
|
| |
Tidy up CBS code and remove some unnecessary length checks. Use 'cert' and
'certs' for certificates, rather than 'x' and 'sk'.
ok tb@
|
| |
|
|
|
|
|
| |
Replace long switch statement duplicating data from nid_list[] with a
linear scan.
requested by and ok jsing
|
| |
|
|
|
|
|
| |
Instead of a nonsensical NULL check, check nid_list[group_id].{bits,nid}
is not 0. This way we can drop the group_id < 1 check.
ok jsing
|
