+catacomb (2.3.1) experimental; urgency=low
+
+ * catacomb2: Fix memory corruption when allocating `salsa20' and
+ `chacha'-based RNGs.
+ * catacomb2: Fix segfault when opening read-only keyring with no
+ associated file.
+ * catacomb2: Return the correct stream offset in `chacha_tell*'.
+ * catacomb2: Produce correct keyring files when they contain empty
+ keys.
+ * catacomb2: Fix cross-compilation-unit type incompatibility in prime
+ and binary group implementations.
+ * catacomb-dev: Add missing licence notices to `salsa20.h'.
+ * catacomb-bin: Fix assertion failure in RSA-PSS signing.
+ * catacomb-bin: Fix uninitialized structure slot in RSA-PSS signing and
+ verifying.
+ * catacomb-bin: Compare MAC tags in constant time.
+ * catacomb2: Fix a (minor) source of bias in BBS and RSA key generation.
+
+ -- Mark Wooding <mdw@distorted.org.uk> Sun, 14 May 2017 04:05:00 +0100
+
catacomb (2.3.0.1) experimental; urgency=low
* catacomb2: Actually make the stack non-executable rather than just
if ((how & KOPEN_MASK) == KOPEN_READ) {
f->f &= ~KF_WRITE;
- fclose(f->fp);
+ if (f->fp) fclose(f->fp);
f->fp = 0;
}
# include "gfreduce.h"
#endif
+#define GROUP_GUTS_MPSTRUCT
typedef struct { mp *x; } ge_prime;
typedef struct { mp *x; } ge_bin;
* Use: Sets up for a strong prime search, so that primes with
* particular properties can be found. It's probably important
* to note that the number left in the filter context @f@ is
- * congruent to 2 (mod 4).
+ * congruent to 2 (mod 4); that the jump value is twice the
+ * product of two large primes; and that the starting point is
+ * at least %$3 \cdot 2^{N-2}$%. (Hence, if you multiply two
+ * such numbers, the product is at least
+ *
+ * %$9 \cdot 2^{2N-4} > 2^{2N-1}$%
+ *
+ * i.e., it will be (at least) a %$2 N$%-bit value.
*/
mp *strongprime_setup(const char *name, mp *d, pfilt *f, unsigned nbits,
* i.e., if %$J \le N - (k + \log_2 N)$%.
*
* Experimentation shows that taking %$k + \log_2 N = 12$% works well for
- * %$N = 1024$%, so %$k = 2$%.
+ * %$N = 1024$%, so %$k = 2$%. Add a few extra bits for luck.
*/
for (i = 1; i && nbits >> i; i <<= 1); assert(i);
- for (slop = 2, nb = nbits; nb > 1; i >>= 1) {
+ for (slop = 6, nb = nbits; nb > 1; i >>= 1) {
u = nb >> i;
if (u) { slop += i; nb = u; }
}
if (!q)
goto fail_r;
- /* --- Select a suitable starting-point for finding %$p$% --- *
+ /* --- Select a suitable congruence class for %$p$% --- *
*
* This computes %$p_0 = 2 s (s^{r - 2} \bmod r) - 1$%.
*/
rr = mp_sub(rr, rr, MP_ONE);
}
- /* --- Now find %$p = p_0 + 2jrs$% for some %$j$% --- */
+ /* --- Pick a starting point for the search --- *
+ *
+ * Select %$3 \cdot 2^{N-2} < p_1 < 2^N$% at random, only with
+ * %$p_1 \equiv p_0 \pmod{2 r s}$.
+ */
{
mp *x, *y;
x = mp_mul(MP_NEW, q, s);
x = mp_lsl(x, x, 1);
- pfilt_create(f, x);
- y = mp_lsl(MP_NEW, MP_ONE, nbits - 1);
+ pfilt_create(f, x); /* %$2 r s$% */
+ y = mprand(MP_NEW, nbits, r, 0);
+ y = mp_setbit(y, y, nbits - 2);
rr = mp_leastcongruent(rr, y, rr, x);
mp_drop(x); mp_drop(y);
}
* Use: Sets up for a strong prime search, so that primes with
* particular properties can be found. It's probably important
* to note that the number left in the filter context @f@ is
- * congruent to 2 (mod 4).
+ * congruent to 2 (mod 4); that the jump value is twice the
+ * product of two large primes; and that the starting point is
+ * at least %$3 \cdot 2^{N-2}$%. (Hence, if you multiply two
+ * such numbers, the product is at least
+ *
+ * %$9 \cdot 2^{2N-4} > 2^{2N-1}$%
+ *
+ * i.e., it will be (at least) a %$2 N$%-bit value.
*/
extern mp *strongprime_setup(const char */*name*/, mp */*d*/, pfilt */*f*/,
pgen_jumpctx j;
pgen_gcdstepctx g;
unsigned nb = nbits/2;
- mp *x = MP_NEWSEC, *t = MP_NEW;
+ mp *x = MP_NEWSEC;
/* --- Generate @p@ --- */
g.r = mp_lsr(MP_NEW, bp->p, 1);
g.g = MP_NEW;
g.max = MP_ONE;
- t = mp_lsl(t, MP_ONE, nbits - 1);
- mp_div(&t, 0, t, bp->p);
- if (MP_CMP(x, <, t)) x = mp_leastcongruent(x, t, x, g.jp.m);
bp->q = pgen("q", MP_NEWSEC, x, event, ectx, n, pgen_gcdstep, &g,
rabin_iters(nb), pgen_test, &rb);
pfilt_destroy(&g.jp);
mp_drop(g.r);
mp_drop(g.g);
- mp_drop(t);
if (!bp->q) goto fail_q;
/* --- Compute @n@ --- */
{
mp *q;
- mp *t = MP_NEW, *u = MP_NEW;
rabin rb;
if ((q = strongprime_setup("q", MP_NEWSEC, &g.jp, nbits / 2,
r, n, event, ectx)) == 0)
goto fail_q;
- t = mp_lsl(t, MP_ONE, nbits - 1);
- mp_div(&t, &u, t, rp->p);
- if (!MP_ZEROP(u)) t = mp_add(t, t, MP_ONE);
- if (MP_CMP(q, <, t)) q = mp_leastcongruent(q, t, q, g.jp.m);
- mp_drop(t);
g.r = mp_lsr(MP_NEW, rp->p, 1);
g.g = MP_NEW;
~mdw / catacomb / commitdiff