Loading CHANGES +35 −8 Original line number Diff line number Diff line Loading @@ -4,6 +4,35 @@ Changes between 0.9.4 and 0.9.5 [xx XXX 2000] *) Bugfix: ssl3_send_server_key_exchange was not restartable (the state was not changed to SSL3_ST_SW_KEY_EXCH_B, and because of this the server could overwrite ephemeral keys that the client has already seen). [Bodo Moeller] *) Turn DSA_is_prime into a macro that calls BN_is_prime, using 50 iterations of the Rabin-Miller test. DSA_generate_parameters now uses BN_is_prime_fasttest (with 50 iterations of the Rabin-Miller test as required by the appendix to FIPS PUB 186[-1]) instead of DSA_is_prime. As BN_is_prime_fasttest includes trial division, DSA parameter generation becomes much faster. This implies a change for the callback functions in DSA_is_prime and DSA_generate_parameters: They are now called once for each positive witness in the Rabin-Miller test, not just occasionally in the inner loop; and the parameters to the callback function now provide an iteration count for the outer loop rather than for the current invocation of the inner loop. [Bodo Moeller] *) New functions BN_is_prime_fasttest that optionally does trial division before starting the Rabin-Miller test and has an additional BN_CTX * argument (whereas BN_is_prime always has to allocate at least one BN_CTX). [Bodo Moeller] *) Fix for bug in CRL encoding. The validity dates weren't being handled as ASN1_TIME. [Steve Henson] Loading @@ -11,10 +40,6 @@ *) New -pkcs12 option to CA.pl script to write out a PKCS#12 file. [Steve Henson] *) Use BN_prime_checks_size(BN_num_bits(w)) rounds of Miller-Rabin when generating DSA primes. [Ulf Möller] *) New function BN_pseudo_rand(). [Ulf Möller] Loading 
@@ -41,7 +66,10 @@ *) Make BN_generate_prime() return NULL on error if ret!=NULL. [Ulf Möller] *) Retain source code compatibility for BN_prime_checks macro. *) Retain source code compatibility for BN_prime_checks macro: BN_is_prime(..., BN_prime_checks, ...) now uses BN_prime_checks_for_size to determine the appropriate number of Rabin-Miller iterations. [Ulf Möller] *) Diffie-Hellman uses "safe" primes: DH_check() return code renamed to Loading Loading @@ -114,10 +142,9 @@ *) Do more iterations of Rabin-Miller probable prime test (specifically, 3 for 1024-bit primes, 6 for 512-bit primes, 12 for 256-bit primes instead of only 2 for all lengths; see BN_prime_checks_size definition instead of only 2 for all lengths; see BN_prime_checks_for_size definition in crypto/bn/bn_prime.c for the complete table). This guarantees a false-positive rate of at most 2^-80 (actually less because we are additionally doing trial division) for random input. false-positive rate of at most 2^-80 for random input. [Bodo Moeller] *) Rewrite ssl3_read_n (ssl/s3_pkt.c) avoiding a couple of bugs. Loading TABLE +17 −0 Original line number Diff line number Diff line Loading @@ -663,6 +663,23 @@ $rc4_obj = asm/rx86-elf.o $rmd160_obj = asm/rm86-elf.o $rc5_obj = asm/r586-elf.o *** debug-levitte-linux-elf $cc = gcc $cflags = -DRL_DEBUG -DREF_CHECK -DCRYPTO_MDEBUG -DNO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -ggdb -g3 -m486 -pedantic -ansi -Wall -Wshadow -Wid-clash-31 -pipe $unistd = $thread_cflag = -D_REENTRANT $lflags = $bn_ops = $bn_obj = $des_obj = $bf_obj = $md5_obj = $sha1_obj = $cast_obj = $rc4_obj = $rmd160_obj = $rc5_obj = *** debug-linux-elf $cc = gcc $cflags = -DREF_CHECK -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall Loading crypto/bn/bn.h +5 −1 Original line number Diff line number Diff line Loading 
@@ -292,7 +292,7 @@ typedef struct bn_recp_ctx_st * of Applied Cryptography [Menezes, van Oorschot, Vanstone; CRC Press 1996]; * original paper: Damgaard, Landrock, Pomerance: Average case error estimates * for the strong probable prime test. -- Math. Comp. 61 (1993) 177-194) */ #define BN_prime_checks_size(b) ((b) >= 1300 ? 2 : \ #define BN_prime_checks_for_size(b) ((b) >= 1300 ? 2 : \ (b) >= 850 ? 3 : \ (b) >= 650 ? 4 : \ (b) >= 550 ? 5 : \ Loading Loading @@ -406,6 +406,10 @@ BIGNUM *BN_generate_prime(BIGNUM *ret,int bits,int safe,BIGNUM *add, BIGNUM *rem,void (*callback)(int,int,void *),void *cb_arg); int BN_is_prime(BIGNUM *p,int nchecks,void (*callback)(int,int,void *), BN_CTX *ctx,void *cb_arg); int BN_is_prime_fasttest(BIGNUM *p,int nchecks, void (*callback)(int,int,void *), BN_CTX *ctx,BN_CTX *ctx2,void *cb_arg, int do_trial_division); void ERR_load_BN_strings(void ); BN_ULONG bn_mul_add_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w); Loading crypto/bn/bn_prime.c +28 −10 Original line number Diff line number Diff line Loading @@ -84,7 +84,7 @@ BIGNUM *BN_generate_prime(BIGNUM *ret, int bits, int safe, BIGNUM *add, int found=0; int i,j,c1=0; BN_CTX *ctx; int checks = BN_prime_checks_size(bits); int checks = BN_prime_checks_for_size(bits); ctx=BN_CTX_new(); if (ctx == NULL) goto err; Loading Loading @@ -154,10 +154,12 @@ err: return(found ? rnd : NULL); } int BN_is_prime(BIGNUM *a, int checks, void (*callback)(int,int,void *), BN_CTX *ctx_passed, void *cb_arg) int BN_is_prime_fasttest(BIGNUM *a, int checks, void (*callback)(int,int,void *), BN_CTX *ctx_passed, BN_CTX *ctx2_passed, void *cb_arg, int do_trial_division) { int i,j,c2=0,ret= -1; int i,j,ret= -1; BIGNUM *check; BN_CTX *ctx=NULL,*ctx2=NULL; BN_MONT_CTX *mont=NULL; Loading 
@@ -165,17 +167,25 @@ int BN_is_prime(BIGNUM *a, int checks, void (*callback)(int,int,void *), if (checks == BN_prime_checks) { int bits = BN_num_bits(a); checks = BN_prime_checks_size(bits); checks = BN_prime_checks_for_size(bits); } if (!BN_is_odd(a)) return(0); if (do_trial_division) for (i = 1; i < NUMPRIMES; i++) if (BN_mod_word(a, primes[i]) == 0) return 0; if (ctx_passed != NULL) ctx=ctx_passed; else if ((ctx=BN_CTX_new()) == NULL) goto err; if (ctx2_passed != NULL) ctx2=ctx2_passed; else if ((ctx2=BN_CTX_new()) == NULL) goto err; if ((mont=BN_MONT_CTX_new()) == NULL) goto err; check= &(ctx->bn[ctx->tos++]); Loading @@ -185,7 +195,9 @@ int BN_is_prime(BIGNUM *a, int checks, void (*callback)(int,int,void *), for (i=0; i<checks; i++) { if (!BN_pseudo_rand(check,BN_num_bits(a)-1,0,0)) goto err; if (!BN_pseudo_rand(check,BN_num_bits(a),0,0)) goto err; if (BN_cmp(check, a) >= 0) BN_sub(check, check, a); j=witness(check,a,ctx,ctx2,mont); if (j == -1) goto err; if (j) Loading @@ -193,20 +205,26 @@ int BN_is_prime(BIGNUM *a, int checks, void (*callback)(int,int,void *), ret=0; goto err; } if (callback != NULL) callback(1,c2++,cb_arg); if (callback != NULL) callback(1,i,cb_arg); } ret=1; err: ctx->tos--; if ((ctx_passed == NULL) && (ctx != NULL)) BN_CTX_free(ctx); if (ctx2 != NULL) if ((ctx2_passed == NULL) && (ctx2 != NULL)) BN_CTX_free(ctx2); if (mont != NULL) BN_MONT_CTX_free(mont); return(ret); } int BN_is_prime(BIGNUM *a, int checks, void (*callback)(int,int,void *), BN_CTX *ctx_passed, void *cb_arg) { return BN_is_prime_fasttest(a, checks, callback, ctx_passed, NULL, cb_arg, 0); } static int witness(BIGNUM *a, BIGNUM *n, BN_CTX *ctx, BN_CTX *ctx2, BN_MONT_CTX *mont) { Loading Loading @@ -274,7 +292,7 @@ err: static int probable_prime(BIGNUM *rnd, int bits) { int i; MS_STATIC BN_ULONG mods[NUMPRIMES]; BN_ULONG mods[NUMPRIMES]; BN_ULONG delta,d; again: Loading crypto/dsa/dsa.h +5 −2 Original line number Diff line number Diff line Loading 
@@ -197,7 +197,11 @@ int DSAparams_print_fp(FILE *fp, DSA *x); int DSA_print_fp(FILE *bp, DSA *x, int off); #endif int DSA_is_prime(BIGNUM *q,void (*callback)(),void *cb_arg); #define DSS_prime_checks 50 /* Primality test according to FIPS PUB 186[-1], Appendix 2.1: * 50 rounds of Rabin-Miller */ #define DSA_is_prime(n, callback, cb_arg) \ BN_is_prime(n, DSS_prime_checks, callback, NULL, cb_arg) #ifndef NO_DH /* Convert DSA structure (key or just parameters) into DH structure Loading @@ -218,7 +222,6 @@ DH *DSA_dup_DH(DSA *r); #define DSA_F_DSAPARAMS_PRINT_FP 101 #define DSA_F_DSA_DO_SIGN 112 #define DSA_F_DSA_DO_VERIFY 113 #define DSA_F_DSA_IS_PRIME 102 #define DSA_F_DSA_NEW 103 #define DSA_F_DSA_PRINT 104 #define DSA_F_DSA_PRINT_FP 105 Loading Loading
CHANGES +35 −8 Original line number Diff line number Diff line Loading @@ -4,6 +4,35 @@ Changes between 0.9.4 and 0.9.5 [xx XXX 2000] *) Bugfix: ssl3_send_server_key_exchange was not restartable (the state was not changed to SSL3_ST_SW_KEY_EXCH_B, and because of this the server could overwrite ephemeral keys that the client has already seen). [Bodo Moeller] *) Turn DSA_is_prime into a macro that calls BN_is_prime, using 50 iterations of the Rabin-Miller test. DSA_generate_parameters now uses BN_is_prime_fasttest (with 50 iterations of the Rabin-Miller test as required by the appendix to FIPS PUB 186[-1]) instead of DSA_is_prime. As BN_is_prime_fasttest includes trial division, DSA parameter generation becomes much faster. This implies a change for the callback functions in DSA_is_prime and DSA_generate_parameters: They are now called once for each positive witness in the Rabin-Miller test, not just occasionally in the inner loop; and the parameters to the callback function now provide an iteration count for the outer loop rather than for the current invocation of the inner loop. [Bodo Moeller] *) New functions BN_is_prime_fasttest that optionally does trial division before starting the Rabin-Miller test and has an additional BN_CTX * argument (whereas BN_is_prime always has to allocate at least one BN_CTX). [Bodo Moeller] *) Fix for bug in CRL encoding. The validity dates weren't being handled as ASN1_TIME. [Steve Henson] Loading @@ -11,10 +40,6 @@ *) New -pkcs12 option to CA.pl script to write out a PKCS#12 file. [Steve Henson] *) Use BN_prime_checks_size(BN_num_bits(w)) rounds of Miller-Rabin when generating DSA primes. [Ulf Möller] *) New function BN_pseudo_rand(). [Ulf Möller] Loading 
@@ -41,7 +66,10 @@ *) Make BN_generate_prime() return NULL on error if ret!=NULL. [Ulf Möller] *) Retain source code compatibility for BN_prime_checks macro. *) Retain source code compatibility for BN_prime_checks macro: BN_is_prime(..., BN_prime_checks, ...) now uses BN_prime_checks_for_size to determine the appropriate number of Rabin-Miller iterations. [Ulf Möller] *) Diffie-Hellman uses "safe" primes: DH_check() return code renamed to Loading Loading @@ -114,10 +142,9 @@ *) Do more iterations of Rabin-Miller probable prime test (specifically, 3 for 1024-bit primes, 6 for 512-bit primes, 12 for 256-bit primes instead of only 2 for all lengths; see BN_prime_checks_size definition instead of only 2 for all lengths; see BN_prime_checks_for_size definition in crypto/bn/bn_prime.c for the complete table). This guarantees a false-positive rate of at most 2^-80 (actually less because we are additionally doing trial division) for random input. false-positive rate of at most 2^-80 for random input. [Bodo Moeller] *) Rewrite ssl3_read_n (ssl/s3_pkt.c) avoiding a couple of bugs. Loading
TABLE +17 −0 Original line number Diff line number Diff line Loading @@ -663,6 +663,23 @@ $rc4_obj = asm/rx86-elf.o $rmd160_obj = asm/rm86-elf.o $rc5_obj = asm/r586-elf.o *** debug-levitte-linux-elf $cc = gcc $cflags = -DRL_DEBUG -DREF_CHECK -DCRYPTO_MDEBUG -DNO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -ggdb -g3 -m486 -pedantic -ansi -Wall -Wshadow -Wid-clash-31 -pipe $unistd = $thread_cflag = -D_REENTRANT $lflags = $bn_ops = $bn_obj = $des_obj = $bf_obj = $md5_obj = $sha1_obj = $cast_obj = $rc4_obj = $rmd160_obj = $rc5_obj = *** debug-linux-elf $cc = gcc $cflags = -DREF_CHECK -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall Loading
crypto/bn/bn.h +5 −1 Original line number Diff line number Diff line Loading @@ -292,7 +292,7 @@ typedef struct bn_recp_ctx_st * of Applied Cryptography [Menezes, van Oorschot, Vanstone; CRC Press 1996]; * original paper: Damgaard, Landrock, Pomerance: Average case error estimates * for the strong probable prime test. -- Math. Comp. 61 (1993) 177-194) */ #define BN_prime_checks_size(b) ((b) >= 1300 ? 2 : \ #define BN_prime_checks_for_size(b) ((b) >= 1300 ? 2 : \ (b) >= 850 ? 3 : \ (b) >= 650 ? 4 : \ (b) >= 550 ? 5 : \ Loading Loading @@ -406,6 +406,10 @@ BIGNUM *BN_generate_prime(BIGNUM *ret,int bits,int safe,BIGNUM *add, BIGNUM *rem,void (*callback)(int,int,void *),void *cb_arg); int BN_is_prime(BIGNUM *p,int nchecks,void (*callback)(int,int,void *), BN_CTX *ctx,void *cb_arg); int BN_is_prime_fasttest(BIGNUM *p,int nchecks, void (*callback)(int,int,void *), BN_CTX *ctx,BN_CTX *ctx2,void *cb_arg, int do_trial_division); void ERR_load_BN_strings(void ); BN_ULONG bn_mul_add_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w); Loading
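Review bot: The new BN_is_prime_fasttest prototype in the @@ -406 hunk carries no comment on its contract, although the implementation in crypto/bn/bn_prime.c (same commit) allocates a BN_CTX for whichever of ctx/ctx2 is NULL, returns -1 on error, 0 for composite and 1 for probable prime, and only runs the small-prime trial division when do_trial_division is non-zero. I would document that above the declaration, e.g. `/* Returns 1 if p is probably prime, 0 if composite, -1 on error. ctx and ctx2 may be NULL (allocated internally); do_trial_division != 0 first divides p by the small-prime table in bn_prime.c. */`. The rename of BN_prime_checks_size to BN_prime_checks_for_size in the @@ -292 hunk leaves no compatibility alias; if the old name has ever shipped in a release, a `#define BN_prime_checks_size BN_prime_checks_for_size` would keep existing callers compiling.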
crypto/bn/bn_prime.c +28 −10 Original line number Diff line number Diff line Loading @@ -84,7 +84,7 @@ BIGNUM *BN_generate_prime(BIGNUM *ret, int bits, int safe, BIGNUM *add, int found=0; int i,j,c1=0; BN_CTX *ctx; int checks = BN_prime_checks_size(bits); int checks = BN_prime_checks_for_size(bits); ctx=BN_CTX_new(); if (ctx == NULL) goto err; Loading Loading @@ -154,10 +154,12 @@ err: return(found ? rnd : NULL); } int BN_is_prime(BIGNUM *a, int checks, void (*callback)(int,int,void *), BN_CTX *ctx_passed, void *cb_arg) int BN_is_prime_fasttest(BIGNUM *a, int checks, void (*callback)(int,int,void *), BN_CTX *ctx_passed, BN_CTX *ctx2_passed, void *cb_arg, int do_trial_division) { int i,j,c2=0,ret= -1; int i,j,ret= -1; BIGNUM *check; BN_CTX *ctx=NULL,*ctx2=NULL; BN_MONT_CTX *mont=NULL; Loading @@ -165,17 +167,25 @@ int BN_is_prime(BIGNUM *a, int checks, void (*callback)(int,int,void *), if (checks == BN_prime_checks) { int bits = BN_num_bits(a); checks = BN_prime_checks_size(bits); checks = BN_prime_checks_for_size(bits); } if (!BN_is_odd(a)) return(0); if (do_trial_division) for (i = 1; i < NUMPRIMES; i++) if (BN_mod_word(a, primes[i]) == 0) return 0; if (ctx_passed != NULL) ctx=ctx_passed; else if ((ctx=BN_CTX_new()) == NULL) goto err; if (ctx2_passed != NULL) ctx2=ctx2_passed; else if ((ctx2=BN_CTX_new()) == NULL) goto err; if ((mont=BN_MONT_CTX_new()) == NULL) goto err; check= &(ctx->bn[ctx->tos++]); Loading @@ -185,7 +195,9 @@ int BN_is_prime(BIGNUM *a, int checks, void (*callback)(int,int,void *), for (i=0; i<checks; i++) { if (!BN_pseudo_rand(check,BN_num_bits(a)-1,0,0)) goto err; if (!BN_pseudo_rand(check,BN_num_bits(a),0,0)) goto err; if (BN_cmp(check, a) >= 0) BN_sub(check, check, a); j=witness(check,a,ctx,ctx2,mont); if (j == -1) goto err; if (j) Loading 
@@ -193,20 +205,26 @@ int BN_is_prime(BIGNUM *a, int checks, void (*callback)(int,int,void *), ret=0; goto err; } if (callback != NULL) callback(1,c2++,cb_arg); if (callback != NULL) callback(1,i,cb_arg); } ret=1; err: ctx->tos--; if ((ctx_passed == NULL) && (ctx != NULL)) BN_CTX_free(ctx); if (ctx2 != NULL) if ((ctx2_passed == NULL) && (ctx2 != NULL)) BN_CTX_free(ctx2); if (mont != NULL) BN_MONT_CTX_free(mont); return(ret); } int BN_is_prime(BIGNUM *a, int checks, void (*callback)(int,int,void *), BN_CTX *ctx_passed, void *cb_arg) { return BN_is_prime_fasttest(a, checks, callback, ctx_passed, NULL, cb_arg, 0); } static int witness(BIGNUM *a, BIGNUM *n, BN_CTX *ctx, BN_CTX *ctx2, BN_MONT_CTX *mont) { Loading Loading @@ -274,7 +292,7 @@ err: static int probable_prime(BIGNUM *rnd, int bits) { int i; MS_STATIC BN_ULONG mods[NUMPRIMES]; BN_ULONG mods[NUMPRIMES]; BN_ULONG delta,d; again: Loading
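Review bot: The trial-division loop added in the @@ -165 hunk returns 0 whenever a is divisible by an entry of primes[], so a small prime that is itself in the table is reported composite, and the adjacent unchanged `if (!BN_is_odd(a)) return(0);` does the same for a == 2; both should yield the exact answer instead, e.g. `if (!BN_is_odd(a)) return BN_is_word(a, 2);` and `if (BN_mod_word(a, primes[i]) == 0) return BN_is_word(a, primes[i]);` (or an equivalent single-word comparison). In the @@ -185 hunk the witness is now drawn with BN_num_bits(a) bits and reduced by one unchecked BN_sub, which allows check == 0 (rand == 0 or rand == a) and makes the distribution on [0, a) non-uniform; a zero base presumably fails witness() and would declare a genuine prime composite, so drawing check in [1, a-1] and checking BN_sub's return value is safer. The new `else if ((ctx2=BN_CTX_new()) == NULL) goto err;` runs before `check= &(ctx->bn[ctx->tos++]);`, yet `err:` unconditionally executes `ctx->tos--`, so this failure path hands a caller-supplied ctx back with an unbalanced stack pointer (the pre-existing mont path has the same issue, and ctx may even be NULL on the first goto). A second label placed after the `ctx->tos--` for failures that precede the push would fix all of these paths at once. BN_is_prime_fasttest's body spans several hunks and parts of it are outside this view.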
crypto/dsa/dsa.h +5 −2 Original line number Diff line number Diff line Loading @@ -197,7 +197,11 @@ int DSAparams_print_fp(FILE *fp, DSA *x); int DSA_print_fp(FILE *bp, DSA *x, int off); #endif int DSA_is_prime(BIGNUM *q,void (*callback)(),void *cb_arg); #define DSS_prime_checks 50 /* Primality test according to FIPS PUB 186[-1], Appendix 2.1: * 50 rounds of Rabin-Miller */ #define DSA_is_prime(n, callback, cb_arg) \ BN_is_prime(n, DSS_prime_checks, callback, NULL, cb_arg) #ifndef NO_DH /* Convert DSA structure (key or just parameters) into DH structure Loading @@ -218,7 +222,6 @@ DH *DSA_dup_DH(DSA *r); #define DSA_F_DSAPARAMS_PRINT_FP 101 #define DSA_F_DSA_DO_SIGN 112 #define DSA_F_DSA_DO_VERIFY 113 #define DSA_F_DSA_IS_PRIME 102 #define DSA_F_DSA_NEW 103 #define DSA_F_DSA_PRINT 104 #define DSA_F_DSA_PRINT_FP 105 Loading
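Review bot: The DSA_is_prime macro added in the @@ -197 hunk changes the function's contract silently: it expands to BN_is_prime, whose callback parameter has type `void (*)(int,int,void *)` rather than the removed prototype's `void (*callback)()`, and whose result is -1 on error, 0 for composite and 1 for probable prime (visible from the `ret= -1` initialisation in bn_prime.c). The comment above it documents only the 50-round FIPS requirement; I would extend it with `/* Expands to BN_is_prime(): 1 = probably prime, 0 = composite, -1 = error. callback must have type void (*)(int,int,void *). */` so callers that previously ignored a negative return or passed an old-style callback can be found. Dropping `#define DSA_F_DSA_IS_PRIME 102` from the public header in the @@ -218 hunk breaks any code that still references the symbol; keeping the define with a comment that it is no longer raised is the conservative choice.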