|  | Commit message (Collapse) | Author | Files | Lines | 
|---|
|  |  | 
|  |  | 
|  | ok jsing | 
|  | ok jsing | 
|  | ok jsing | 
|  | It has long been known that pure Miller-Rabin primality tests are
insufficient. "Prime and Prejudice: Primality Testing Under Adversarial
Conditions" https://eprint.iacr.org/2018/749 points out severe flaws
in many widely used libraries. In particular, they exhibited a method to
generate 2048-bit composites that bypass the default OpenSSL (and hence
LibreSSL) primality test with a probability of 1/16 (!).
As a remedy, the authors recommend switching to using BPSW wherever
possible. This possibility has always been there, but someone had to
sit down and actually implement a properly licensed piece of code.
Fortunately, espie suggested to Martin Grenouilloux to do precisely this
after asking us whether we would be interested. Of course we were!
After a good first implementation from Martin and a lot of back and
forth, we came up with the present version.
This implementation is ~50% slower than the current default Miller-Rabin
test, but that is a small price to pay given the improvements.
Thanks to Martin Grenouilloux <martin.grenouilloux () lse ! epita ! fr>
for this awesome work, to espie without whom it wouldn't have happened,
and to djm for pointing us at this problem a long time back.
ok jsing | 
|  | ok jsing | 
|  | This adds an implementation of the integer square root using a variant
of Newton's method with adaptive precision. The implementation is based
on a pure Python description of cpython's math.isqrt(). This algorithm
is proven to be correct with a tricky but very neat loop invariant:
https://github.com/mdickinson/snippets/blob/master/proofs/isqrt/src/isqrt.lean
Using this algorithm instead of Newton method, implement Algorithm 1.7.3
(square test) from H. Cohen, "A course in computational algebraic number
theory" to detect perfect squares.
ok jsing | 
|  |  | 
|  | ok jsing | 
|  | This script is not used at all and files are edited by hand instead.
Thus remove misleading comments incl. the obsolete script/config.
Feedback OK jsing tb | 
|  |  | 
|  | remove (expired):
/O=Cybertrust, Inc/CN=Cybertrust Global Root
/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
remove:
/C=ES/O=Agencia Catalana de Certificacio (NIF Q-0801176-I)/OU=Serveis Publics de Certificacio/OU=Vegeu https://www.catcert.net/verarrel (c)03/OU=Jerarquia Entitats de Certificacio Catalanes/CN=EC-ACC
/C=GB/O=Trustis Limited/OU=Trustis FPS Root CA
add new root (existing CAs):
/C=TW/O=Chunghwa Telecom Co., Ltd./CN=HiPKI Root CA - G1
/C=DE/O=D-Trust GmbH/CN=D-TRUST BR Root CA 1 2020
/C=DE/O=D-Trust GmbH/CN=D-TRUST EV Root CA 1 2020
/C=GR/O=Hellenic Academic and Research Institutions CA/CN=HARICA TLS ECC Root CA 2021
/C=GR/O=Hellenic Academic and Research Institutions CA/CN=HARICA TLS RSA Root CA 2021
/C=US/O=Internet Security Research Group/CN=ISRG Root X2
/C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA 2
add (new CAs):
/C=TN/O=Agence Nationale de Certification Electronique/CN=TunTrust Root CA
/serialNumber=G63287510/C=ES/O=ANF Autoridad de Certificacion/OU=ANF CA Raiz/CN=ANF Secure Server Root CA
/C=PL/O=Asseco Data Systems S.A./OU=Certum Certification Authority/CN=Certum EC-384 CA
/C=PL/O=Asseco Data Systems S.A./OU=Certum Certification Authority/CN=Certum Trusted Root CA
/C=AT/O=e-commerce monitoring GmbH/CN=GLOBALTRUST 2020
/C=CN/O=iTrusChina Co.,Ltd./CN=vTrus ECC Root CA
/C=CN/O=iTrusChina Co.,Ltd./CN=vTrus Root CA
/C=FI/O=Telia Finland Oyj/CN=Telia Root CA v2
replace with another cert with same CN (SHA1 vs SHA256):
/C=ES/CN=Autoridad de Certificacion Firmaprofesional CIF A62634068 | 
|  | ok tb@ | 
|  | not exposed in the public API. | 
|  | and DSA_meth_set1_name(3).
Merge the documentation from the OpenSSL 1.1.1 branch, which
is still under a free license, significantly tweaked by me. | 
|  |  | 
|  | This is the documented behavior which got lost in the recent rewrite.
Mismatch of documentation and reality pointed out by schwarze
ok jsing | 
|  | ASN1_INTEGER_set_uint64(3), ASN1_INTEGER_set_int64(3),
ASN1_ENUMERATED_get_int64(3), and ASN1_ENUMERATED_set_int64(3)
recently provided by tb@.
Even though Dr. Steven Henson also documented these functions in OpenSSL,
the text over there is excessively verbose, repetitive, very badly ordered,
and incomplete, so i chose to instead write this patch from scratch,
also adding some precision in a few places. | 
|  |  | 
|  |  | 
|  | Project Wycheproof's primality_tests.json contain a set of 280 numbers
that trigger edge cases in Miller-Rabin and related checks. libcrypto's
Miller-Rabin test is known to be rather poor, hopefully we will soon see
a diff on tech that improves on this.
This extends the Go test in the usual way and also adds a perl script
that allows testing on non-Go architectures.
Deliberately not yet linked to regress since the tests are flaky with
the current BN_is_prime_ex() implementatation. | 
|  |  | 
|  | ok jsing | 
|  | Contrary to CBS_stow(), CBB_finish() will leak, so ensure we fail if
*out_data is populated.
Discussed with & ok jsing | 
|  | Needed for an upcoming diff adding a NULL check to CBB_finish().
ok jsing | 
|  | calls.
ok jsing | 
|  | from beck | 
|  |  | 
|  | From beck | 
|  | From beck | 
|  |  | 
|  | that are no longer needed now that libcrypto exposes the necessary
security-bits API.
ok jsing | 
|  |  | 
|  | ok jsing | 
|  | ok jsing | 
|  |  | 
|  | These are mostly security-level related, but there are also ASN1_TIME
and ASN_INTEGER functions here, as well as some missing accessors.
ok jsing | 
|  | of SHA-1. This helps the switch to security-level aware ssltest.
From jsing | 
|  | The well-known masters of consistency of course use strings that don't
match the names of the errors.
ok jsing | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  | pointed out by jsing | 
|  | Also follow OpenSSL by making the name non-const to avoid ugly casting.
Used by OpenSC's pkcs11-helper, as reported by Fabrice Fontaine in
https://github.com/libressl-portable/openbsd/issues/130
ok jsing sthen | 
|  | ok jsing sthen | 
|  |  | 
|  |  |