| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the last argument, the size of the output array, is too small to
contain all degrees present in the input polynomial plus one for the
terminating -1, the function is documented to return the size of the
output array that would be needed (in comments in the source code, in
the new manual page, and by the way how the function is used by other
functions in the same file). However, in case of overflow, the existing
code failed to include the element needed for the terminating -1 in the
return value, wrongly indicating success if everything but the -1 did
fit and reporting failure with a size that was still too small otherwise.
According to tb@, this is very unlikely to cause vulnerabilities in
practical applications because there is no real reason to pick a
reducing polynomial longer than a pentanomial, because all known
callers use either fixed size arrays of size 6 or dynamic allocation,
because use of GF(2^m) is rare in practice, and GF(2^m) with custom
reducing polynomials even more so.
OK tb@
|
| |
|
|
|
| |
It was placed and formatted weirdly. Fix the title of the book referenced
and complete the reference's information.
|
| |
|
|
|
|
| |
It's entirely trivial.
ok beck
|
| |
|
|
|
|
|
| |
This way we deduplicate two inclusions of the same big table and eliminate
lots of stupid casts.
input and ok many
|
| |
|
|
|
|
|
|
|
| |
Instead of using the BN_is_prime_fasttime_ex() API, use a direct call to
bn_is_prime_bpsw(). This increases readability and simplifies error
handling. Also put a division by two to the natural place now that we no
longer need to do Miller-Rabin rounds.
ok beck jsing
|
| |
|
|
|
|
|
| |
Garbage collect a few pointless variables and remove a loop that wasn't
really a loop. Simplify BN_CTX handling and drop some stupid comments.
ok jsing miod
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
| |
found with CodeChecker
feedback from millert@
ok tb@
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
Shuffle variables around for consistency, also ensuring appropriate and
consistent initialisation.
ok tb@
|
| |
|
|
|
|
|
| |
Also move the _bignum_nist_p_.*_sqr static BIGNUMs out of individual
functions.
ok tb@
|
| |
|
|
|
| |
a shortcut bypassing expensive computation, so change goto err to
goto done. Bug introduced in last refactoring before commit.
|
| | |
|
| |
|
|
|
|
|
|
|
| |
Since there is nothing randomized in bn_is_prime_bpsw(), the concept
of rounds makes no sense. Apply a minimal change for now that avoids
expensive loops that won't change the outcome in case we found a
probable prime.
ok jsing
|
| | |
|
| | |
|
| |
|
|
| |
the code in bn_isqrt.c.
|
| | |
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It has long been known that pure Miller-Rabin primality tests are
insufficient. "Prime and Prejudice: Primality Testing Under Adversarial
Conditions" https://eprint.iacr.org/2018/749 points out severe flaws
in many widely used libraries. In particular, they exhibited a method to
generate 2048-bit composites that bypass the default OpenSSL (and hence
LibreSSL) primality test with a probability of 1/16 (!).
As a remedy, the authors recommend switching to using BPSW wherever
possible. This possibility has always been there, but someone had to
sit down and actually implement a properly licensed piece of code.
Fortunately, espie suggested to Martin Grenouilloux to do precisely this
after asking us whether we would be interested. Of course we were!
After a good first implementation from Martin and a lot of back and
forth, we came up with the present version.
This implementation is ~50% slower than the current default Miller-Rabin
test, but that is a small price to pay given the improvements.
Thanks to Martin Grenouilloux <martin.grenouilloux () lse ! epita ! fr>
for this awesome work, to espie without whom it wouldn't have happened,
and to djm for pointing us at this problem a long time back.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds an implementation of the integer square root using a variant
of Newton's method with adaptive precision. The implementation is based
on a pure Python description of cpython's math.isqrt(). This algorithm
is proven to be correct with a tricky but very neat loop invariant:
https://github.com/mdickinson/snippets/blob/master/proofs/isqrt/src/isqrt.lean
Using this algorithm instead of Newton method, implement Algorithm 1.7.3
(square test) from H. Cohen, "A course in computational algebraic number
theory" to detect perfect squares.
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
| |
This script is not used at all and files are edited by hand instead.
Thus remove misleading comments incl. the obsolete script/config.
Feedback OK jsing tb
|
| |
|
|
|
|
|
| |
These are mostly security-level related, but there are also ASN1_TIME
and ASN_INTEGER functions here, as well as some missing accessors.
ok jsing
|
| |
|
|
| |
ok beck jsing
|
| |
|
|
|
|
|
|
|
|
| |
Without these checks in both functions nw = n / BN_BITS2 will be negative
and this leads to out-of-bounds accesses via negative array indices and
memset with a negative size.
Pointed out by cheloha
ok jsing
|
| | |
|
| |
|
|
|
|
|
| |
This matches Cohen's text better and makes the entire thing easier to
read.
suggested by jsing
|
| |
|
|
|
|
|
|
|
|
| |
Instead of "Cohen's step N" explain in words what is being done. Things
such as (A & B & 2) != 0 being equivalent to (-1)^((A-1)(B-1)/4) being
negative are not entirely obvious... Remove the strange error dance and
adjust variable names to what Cohen's book uses. Simplify various curly
bits.
ok jsing
|
| | |
|
| |
|
|
|
|
|
|
|
| |
If gcd(a, primes[i]) == 0 then a could still be a prime, namely in the
case that a == primes[i], so check for that case as well.
Problem noted by Martin Grenouilloux
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The optimised code path switches from processing data via unsigned long to
processing data via unsigned int, which requires type punning. This is
currently attempted via a union (for one case), however this fails since
a pointer to a union member is passed to another function (these unions
were added to "fix strict-aliasing compiler warning" - it would seem the
warnings stopped but the undefined behaviour remained). The second case
does not use a union and simply casts from one type to another.
Undefined behaviour is currently triggered when compiling with clang 14
using -03 and -fstrict-aliasing, while disabling assembly (in order to use
this C code). The resulting binary produces incorrect results.
Avoid strict aliasing violations by copying from an unsigned long array to
an unsigned int array, then copying back the result. Any sensible compiler
will omit the copies, while avoiding undefined behaviour that would result
from unsafe type punning via pointer type casting.
Thanks to Guido Vranken for reporting the issue and testing the fix.
ok tb@
|
| |
|
|
|
|
|
|
|
|
| |
If either of the two initial BN_CTX_get() fails, we will call
BN_RECP_CTX_free() on the uninitialized recp, which won't end
well, so hoist the BN_RECP_CTX_init() call a few lines up.
From Pauli, OpenSSL ad249412
ok inoguchi jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A bug in the implementation of the Tonelli-Shanks algorithm can lead to
an infinite loop. This loop can be hit in various ways, in particular on
decompressing an elliptic curve public key via EC_POINT_oct2point() - to
do this, one must solve y^2 = x^3 + ax + b for y, given x.
If a certificate uses explicit encoding for elliptic curve parameters,
this operation needs to be done during certificate verification, leading
to a DoS. In particular, everything dealing with untrusted certificates
is affected, notably TLS servers explicitly configured to request
client certificates (httpd, smtpd, various VPN implementations, ...).
Ordinary TLS servers do not consume untrusted certificates.
The problem is that we cannot assume that x^3 + ax + b is actually a
square on untrusted input and neither can we assume that the modulus
p is a prime. Ensuring that p is a prime is too expensive (it would
likely itself lead to a DoS). To avoid the infinite loop, fix the logic
to be more resilient and explicitly limit the number of iterations that
can be done. The bug is such that the infinite loop can also be hit for
primes = 3 (mod 4) but fortunately that case is optimized earlier.
It's also worth noting that there is a size bound on the field size
enforced via OPENSSL_ECC_MAX_FIELD_BITS (= 661), which help mitigate
further DoS vectors in presence of this fix.
Reported by Tavis Ormandy and David Benjamin, Google
Patch based on the fixes by David Benjamin and Tomas Mraz, OpenSSL
ok beck inoguchi
|
| |
|
|
|
|
|
|
|
|
| |
This is a very rarely used function and the crash is hard to reach in
practice. Instead of implementing BN_is_odd() badly by hand, just call
the real thing.
Reported by Guido Vranken
ok beck jsing
|
| |
|
|
|
|
| |
From OpenSSL 6a009812, prompted by a report by Guido Vranken
ok beck jsing
|
| |
|
|
| |
ok jsing@ millert@ tb@
|
| |
|
|
|
|
|
| |
CID 21665 24835
comment from jsing@ and tb@
ok jsing@ millert@ tb@
|
| |
|
|
|
|
| |
This makes all structs in bn.h opaque that are also opaque in OpenSSL.
ok inoguchi jsing
|
| |
|
|
|
| |
This marks the start of major surgery in libcrypto. Do not attempt to
build the tree for a while (~50 commits).
|
| |
|
|
| |
Discussed with tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
BN_with_flags() preserves the BN_FLG_MALLOCED flag of the destination
which results in a potential use of an uninitialized bit. In practice
this doesn't matter since we don't free the cloned BIGNUMs anyway.
As jsing points out, these are mostly pointless noise and should be
garbage collected. I'll leave that for another rainy day.
Coverity flagged one instance BN_gcd_no_branch(), the rest was found by
the ever so helpful grep(1).
CID 345122
ok jsing
|
| |
|
|
| |
ok inoguchi jsing
|
| | |
|
| |
|
|
| |
ok inoguchi jsing
|
| |
|
|
| |
ok inoguchi jsing
|
| |
|
|
|
|
|
|
| |
BN_abs_is_word, BN_is_{zero,one,word,odd}, BN_one, BN_zero_ex are
now implemented as functions for internal use. They will be exposed
publicly to replace the macros reaching into BIGNUM in the next bump.
ok inoguchi jsing
|
