{"schema":"libjg2-1", "vpath":"/git/", "avatar":"/git/avatar/", "alang":"", "gen_ut":1752726667, "reponame":"openssl", "desc":"OpenSSL", "owner": { "name": "Andy Green", "email": "andy@warmcat.com", "md5": "c50933ca2aa61e0fe2c43d46bb6b59cb" },"url":"https://warmcat.com/repo/openssl", "f":3, "items": [ {"schema":"libjg2-1", "cid":"b1965253ee7d2764a0ff35fbcd020c38", "commit": {"type":"commit", "time": 1553699035, "time_ofs": 0, "oid_tree": { "oid": "ea4852face20119eb5f42b2295a3a3e0bff7290e", "alias": []}, "oid":{ "oid": "af6ce3b46cd0fba2235c9ec488973c90c56d92a1", "alias": []}, "msg": "Increase rounds of Miller-Rabin testing DH_check", "sig_commit": { "git_time": { "time": 1553699035, "offset": 0 }, "name": "Matt Caswell", "email": "matt@openssl.org", "md5": "10f7b441a32d5790efad9fc68cae4af2" }, "sig_author": { "git_time": { "time": 1553659988, "offset": 0 }, "name": "Jake Massimo", "email": "pcai002@live.rhul.ac.uk", "md5": "beb74cd47fe060c2801ee07b5d1e373f" }}, "body": "Increase rounds of Miller-Rabin testing DH_check\n\nDH_check is used to test the validity of Diffie-Hellman parameter sets (p, q, g). Among the tests performed are primality tests on p and q, for this BN_is_prime_ex is called with the rounds of Miller-Rabin set as default. This will therefore use the average case error estimates derived from the function BN_prime_checks_for_size based on the bit size of the number tested.\n\nHowever, these bounds are only accurate on testing random input. Within this testing scenario, where we are checking the validity of a DH parameter set, we can not assert that these parameters are randomly generated. 
Thus we must treat them as if they are adversarial in nature and increase the rounds of Miller-Rabin performed.\n\nGenerally, each round of Miller-Rabin can declare a composite number prime with probability at most (1/4), thus 64 rounds is sufficient in thwarting known generation techniques (even in safe prime settings - see https://eprint.iacr.org/2019/032 for full analysis). The choice of 64 rounds is also consistent with SRP_NUMBER_ITERATIONS_FOR_PRIME 64 as used in srp_Verify_N_and_g in openssl/apps/s_client.c.\n\nReviewed-by: Paul Dale \u003cpaul.dale@oracle.com\u003e\nReviewed-by: Matt Caswell \u003cmatt@openssl.org\u003e\n(Merged from https://github.com/openssl/openssl/pull/8593)\n\n(cherry picked from commit 2500c093aa1e9c90c11c415053c0a27a00661d0d)\n" , "diff": "diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c\nindex 52cc0eb..67b4cec 100644\n--- a/crypto/dh/dh_check.c\n+++ b/crypto/dh/dh_check.c\n@@ -12,6 +12,8 @@\n #include \u003copenssl/bn.h\u003e\n #include \u0022dh_locl.h\u0022\n \n+# define DH_NUMBER_ITERATIONS_FOR_PRIME 64\n+\n /*-\n * Check that p and g are suitable enough\n *\n@@ -125,7 +127,7 @@ int DH_check(const DH *dh, int *ret)\n if (!BN_is_one(t1))\n *ret |\u003d DH_NOT_SUITABLE_GENERATOR;\n }\n- r \u003d BN_is_prime_ex(dh-\u003eq, BN_prime_checks, ctx, NULL);\n+ r \u003d BN_is_prime_ex(dh-\u003eq, DH_NUMBER_ITERATIONS_FOR_PRIME, ctx, NULL);\n if (r \u003c 0)\n goto err;\n if (!r)\n@@ -153,7 +155,7 @@ int DH_check(const DH *dh, int *ret)\n } else\n *ret |\u003d DH_UNABLE_TO_CHECK_GENERATOR;\n \n- r \u003d BN_is_prime_ex(dh-\u003ep, BN_prime_checks, ctx, NULL);\n+ r \u003d BN_is_prime_ex(dh-\u003ep, DH_NUMBER_ITERATIONS_FOR_PRIME, ctx, NULL);\n if (r \u003c 0)\n goto err;\n if (!r)\n@@ -161,7 +163,7 @@ int DH_check(const DH *dh, int *ret)\n else if (!dh-\u003eq) {\n if (!BN_rshift1(t1, dh-\u003ep))\n goto err;\n- r \u003d BN_is_prime_ex(t1, BN_prime_checks, ctx, NULL);\n+ r \u003d BN_is_prime_ex(t1, DH_NUMBER_ITERATIONS_FOR_PRIME, ctx, 
NULL);\n if (r \u003c 0)\n goto err;\n if (!r)\n","s":{"c":1752726667,"u": 38650}} ],"g": 39431,"chitpc": 0,"ehitpc": 0,"indexed":0 , "ab": 0, "si": 0, "db":0, "di":0, "sat":0, "lfc": "0000"}
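Review bot: in the first hunk (@@ -12,6 +12,8 @@) the new constant is written as `# define DH_NUMBER_ITERATIONS_FOR_PRIME 64` at file scope; the indented `# define` form is the OpenSSL convention for definitions nested inside an `#if` block, so this should be a plain `#define`. It also deserves a one-line comment above it giving the reason recorded in the commit message (the (p, q, g) set being checked is untrusted, so the size-based average-case error bound behind the `BN_prime_checks` default does not apply and a fixed 64 rounds is used instead); without it a reader of dh_check.c cannot tell why this file deviates from the library default. Since the commit message notes the value deliberately matches `SRP_NUMBER_ITERATIONS_FOR_PRIME 64` in apps/s_client.c, consider whether the two should share one definition rather than being kept in sync by hand.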
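Review bot: the fourth hunk (@@ -161,7 +163,7 @@) raises the round count for the `t1 = (p-1)/2` test in the safe-prime path, so after this change a single `DH_check` call can run up to three 64-round `BN_is_prime_ex` passes (on q, on p, and on (p-1)/2) instead of the size-scaled default. For large peer-supplied p this is a real cost increase over the previous behaviour, which is the right trade for adversarial input but is not visible to callers; the DH_check documentation should mention that primality is now tested at a fixed 64 rounds regardless of size, so callers validating untrusted parameter sets can budget for it. The `if (r < 0) goto err;` / `if (!r)` handling after each call is unchanged and still correct for the new argument.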