openssl/crypto/dh
Jake Massimo 2500c093aa Increase rounds of Miller-Rabin testing DH_check
DH_check is used to test the validity of Diffie-Hellman parameter sets (p, q, g). Among the tests performed are primality tests on p and q, for this BN_is_prime_ex is called with the rounds of Miller-Rabin set as default. This will therefore use the average case error estimates derived from the function BN_prime_checks_for_size based on the bit size of the number tested.

However, these bounds are only accurate on testing random input. Within this testing scenario, where we are checking the validity of a DH parameter set, we can not assert that these parameters are randomly generated. Thus we must treat them as if they are adversarial in nature and increase the rounds of Miller-Rabin performed.

Generally, each round of Miller-Rabin can declare a composite number prime with probability at most (1/4), thus 64 rounds is sufficient in thwarting known generation techniques (even in safe prime settings - see https://eprint.iacr.org/2019/032 for full analysis). The choice of 64 rounds is also consistent with SRP_NUMBER_ITERATIONS_FOR_PRIME 64 as used in srp_Verify_N_and_g in openssl/apps/s_client.c.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8593)
2019-03-27 14:59:25 +00:00
..
build.info DH named parameter support 2017-10-12 02:40:30 +01:00
dh192.pem Import of old SSLeay release: SSLeay 0.8.1b 1998-12-21 10:52:47 +00:00
dh512.pem Import of old SSLeay release: SSLeay 0.8.1b 1998-12-21 10:52:47 +00:00
dh1024.pem Import of old SSLeay release: SSLeay 0.8.1b 1998-12-21 10:52:47 +00:00
dh2048.pem Import of old SSLeay release: SSLeay 0.8.1b 1998-12-21 10:52:47 +00:00
dh4096.pem Import of old SSLeay release: SSLeay 0.8.1b 1998-12-21 10:52:47 +00:00
dh_ameth.c constify *_dup() and *i2d_*() and related functions as far as possible, introducing DECLARE_ASN1_DUP_FUNCTION 2019-03-06 16:10:09 +00:00
dh_asn1.c constify *_dup() and *i2d_*() and related functions as far as possible, introducing DECLARE_ASN1_DUP_FUNCTION 2019-03-06 16:10:09 +00:00
dh_check.c Increase rounds of Miller-Rabin testing DH_check 2019-03-27 14:59:25 +00:00
dh_depr.c Following the license change, modify the boilerplates in crypto/dh/ 2018-12-06 14:47:24 +01:00
dh_err.c Following the license change, modify the boilerplates in crypto/dh/ 2018-12-06 14:47:24 +01:00
dh_gen.c Added NULL check to BN_clear() & BN_CTX_end() 2019-03-19 07:25:48 +01:00
dh_kdf.c Following the license change, modify the boilerplates in crypto/dh/ 2018-12-06 14:47:24 +01:00
dh_key.c Added NULL check to BN_clear() & BN_CTX_end() 2019-03-19 07:25:48 +01:00
dh_lib.c Following the license change, modify the boilerplates in crypto/dh/ 2018-12-06 14:47:24 +01:00
dh_locl.h Following the license change, modify the boilerplates in crypto/dh/ 2018-12-06 14:47:24 +01:00
dh_meth.c Following the license change, modify the boilerplates in crypto/dh/ 2018-12-06 14:47:24 +01:00
dh_pmeth.c constify *_dup() and *i2d_*() and related functions as far as possible, introducing DECLARE_ASN1_DUP_FUNCTION 2019-03-06 16:10:09 +00:00
dh_prn.c Following the license change, modify the boilerplates in crypto/dh/ 2018-12-06 14:47:24 +01:00
dh_rfc5114.c Following the license change, modify the boilerplates in crypto/dh/ 2018-12-06 14:47:24 +01:00
dh_rfc7919.c Following the license change, modify the boilerplates in crypto/dh/ 2018-12-06 14:47:24 +01:00