From: Mark Wooding Date: Sun, 14 May 2017 03:11:09 +0000 (+0100) Subject: Merge branch '2.3.x' X-Git-Tag: 2.4.0~37 X-Git-Url: https://git.distorted.org.uk/~mdw/catacomb/commitdiff_plain/373641eaacc86b56715a2ebf0b603fce25c16051?hp=9c1437f372e62f0b3b3a7162aabee73bdc96ce4b Merge branch '2.3.x' * 2.3.x: Release 2.3.1. pub/bbs-gen.c, pub/rsa-gen.c: Remove the lower-bounding on q. math/strongprime.c: Clamp the starting point. math/strongprime.c: Reduce failures by adding some more slop bits. progs/catcrypt.c, progs/cc-sig.c: Compare MAC tags in constant time. progs/cc-sig.c: Initialize hash context properly for RSA-PSS. progs/cc-sig.c: Don't destroy an RSA context just after building it. math/g-bin.c, math/g-prime.c: Fix type incompatibility. math/g-*.c: Group implementations include `group.h' via `group-guts.h'. key/key-io.c: Produce valid key lines for empty keys. key/key-io.c: Fix segfault opening `KOPEN_READ | KOPEN_NOFILE' key files. Conflicts: math/group-guts.h (trivial) progs/catcrypt.c (already picked up)
---
diff --git a/debian/changelog b/debian/changelog
index e71266dd..91d36353 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,23 @@
+catacomb (2.3.1) experimental; urgency=low
+
+ * catacomb2: Fix memory corruption when allocating `salsa20' and
+ `chacha'-based RNGs.
+ * catacomb2: Fix segfault when opening read-only keyring with no
+ associated file.
+ * catacomb2: Return the correct stream offset in `chacha_tell*'.
+ * catacomb2: Produce correct keyring files when they contain empty
+ keys.
+ * catacomb2: Fix cross-compilation-unit type incompatibility in prime
+ and binary group implementations.
+ * catacomb-dev: Add missing licence notices to `salsa20.h'.
+ * catacomb-bin: Fix assertion failure in RSA-PSS signing.
+ * catacomb-bin: Fix uninitialized structure slot in RSA-PSS signing and
+ verifying.
+ * catacomb-bin: Compare MAC tags in constant time.
+ * catacomb2: Fix a (minor) source of bias in BBS and RSA key generation.
+
+ -- Mark Wooding Sun, 14 May 2017 04:05:00 +0100
+
 catacomb (2.3.0.1) experimental; urgency=low
 * catacomb2: Actually make the stack non-executable rather than just
diff --git a/key/key-io.c b/key/key-io.c
index 843f81d8..c79c8e06 100644
--- a/key/key-io.c
+++ b/key/key-io.c
@@ -439,7 +439,7 @@ int key_open(key_file *f, const char *file, unsigned how,
 if ((how & KOPEN_MASK) == KOPEN_READ) {
 f->f &= ~KF_WRITE;
- fclose(f->fp);
+ if (f->fp) fclose(f->fp);
 f->fp = 0;
 }
diff --git a/math/group-guts.h b/math/group-guts.h
index 1bc2e94c..c9f28c49 100644
--- a/math/group-guts.h
+++ b/math/group-guts.h
@@ -50,6 +50,7 @@
 # include "gfreduce.h"
 #endif
+#define GROUP_GUTS_MPSTRUCT
 typedef struct { mp *x; } ge_prime;
 typedef struct { mp *x; } ge_bin;
diff --git a/math/strongprime.c b/math/strongprime.c
index fc20bfea..9eab8b20 100644
--- a/math/strongprime.c
+++ b/math/strongprime.c
@@ -55,7 +55,14 @@
 * Use: Sets up for a strong prime search, so that primes with
 * particular properties can be found. It's probably important
 * to note that the number left in the filter context @f@ is
- * congruent to 2 (mod 4).
+ * congruent to 2 (mod 4); that the jump value is twice the
+ * product of two large primes; and that the starting point is
+ * at least %$3 \cdot 2^{N-2}$%. (Hence, if you multiply two
+ * such numbers, the product is at least
+ *
+ * %$9 \cdot 2^{2N-4} > 2^{2N-1}$%
+ *
+ * i.e., it will be (at least) a %$2 N$%-bit value.
 */
 mp *strongprime_setup(const char *name, mp *d, pfilt *f, unsigned nbits,
@@ -87,11 +94,11 @@ mp *strongprime_setup(const char *name, mp *d, pfilt *f, unsigned nbits,
 * i.e., if %$J \le N - (k + \log_2 N)$%.
 *
 * Experimentation shows that taking %$k + \log_2 N = 12$% works well for
- * %$N = 1024$%, so %$k = 2$%.
+ * %$N = 1024$%, so %$k = 2$%. Add a few extra bits for luck.
 */
 for (i = 1; i && nbits >> i; i <<= 1); assert(i);
- for (slop = 2, nb = nbits; nb > 1; i >>= 1) {
+ for (slop = 6, nb = nbits; nb > 1; i >>= 1) {
 u = nb >> i;
 if (u) { slop += i; nb = u; }
 }
@@ -128,7 +135,7 @@ mp *strongprime_setup(const char *name, mp *d, pfilt *f, unsigned nbits,
 if (!q) goto fail_r;
- /* --- Select a suitable starting-point for finding %$p$% --- *
+ /* --- Select a suitable congruence class for %$p$% --- *
 *
 * This computes %$p_0 = 2 s (s^{r - 2} \bmod r) - 1$%.
 */
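Review bot: In the second hunk, `Add a few extra bits for luck` leaves the new constant 6 unexplained, directly after a paragraph that derives k = 2 from experiment, so a reader cannot tell whether 6 is tuned or arbitrary. The merge message says the extra slop was added to reduce search failures, and that is what the comment should record, e.g. `* %$N = 1024$%, so %$k = 2$%.  We use %$k = 6$%: the extra slop cuts the rate of failed searches.` Since slop presumably trims the bit-lengths of the subsidiary primes (the code that consumes it is outside this hunk), a clause on what the larger value costs would help a reader judging the trade-off. strongprime_setup starts before and ends after this hunk.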
@@ -145,14 +152,19 @@ mp *strongprime_setup(const char *name, mp *d, pfilt *f, unsigned nbits,
 rr = mp_sub(rr, rr, MP_ONE);
 }
- /* --- Now find %$p = p_0 + 2jrs$% for some %$j$% --- */
+ /* --- Pick a starting point for the search --- *
+ *
+ * Select %$3 \cdot 2^{N-2} < p_1 < 2^N$% at random, only with
+ * %$p_1 \equiv p_0 \pmod{2 r s}$.
+ */
 {
 mp *x, *y;
 x = mp_mul(MP_NEW, q, s);
 x = mp_lsl(x, x, 1);
- pfilt_create(f, x);
- y = mp_lsl(MP_NEW, MP_ONE, nbits - 1);
+ pfilt_create(f, x); /* %$2 r s$% */
+ y = mprand(MP_NEW, nbits, r, 0);
+ y = mp_setbit(y, y, nbits - 2);
 rr = mp_leastcongruent(rr, y, rr, x);
 mp_drop(x); mp_drop(y);
 }
diff --git a/math/strongprime.h b/math/strongprime.h
index 90102362..14ad39e4 100644
--- a/math/strongprime.h
+++ b/math/strongprime.h
@@ -60,7 +60,14 @@
 * Use: Sets up for a strong prime search, so that primes with
 * particular properties can be found. It's probably important
 * to note that the number left in the filter context @f@ is
- * congruent to 2 (mod 4).
+ * congruent to 2 (mod 4); that the jump value is twice the
+ * product of two large primes; and that the starting point is
+ * at least %$3 \cdot 2^{N-2}$%. (Hence, if you multiply two
+ * such numbers, the product is at least
+ *
+ * %$9 \cdot 2^{2N-4} > 2^{2N-1}$%
+ *
+ * i.e., it will be (at least) a %$2 N$%-bit value.
 */
 extern mp *strongprime_setup(const char */*name*/, mp */*d*/, pfilt */*f*/,
diff --git a/pub/bbs-gen.c b/pub/bbs-gen.c
index fcba8288..6ec65e2d 100644
--- a/pub/bbs-gen.c
+++ b/pub/bbs-gen.c
@@ -65,7 +65,7 @@ int bbs_gen(bbs_priv *bp, unsigned nbits, grand *r, unsigned n,
 pgen_jumpctx j;
 pgen_gcdstepctx g;
 unsigned nb = nbits/2;
- mp *x = MP_NEWSEC, *t = MP_NEW;
+ mp *x = MP_NEWSEC;
 /* --- Generate @p@ --- */
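Review bot: The new comment's upper bound `p_1 < 2^N` is not established by the code below it: y may lie anywhere below 2^N, and `mp_leastcongruent(rr, y, rr, x)` then moves the start up from y by as much as x - 1 (x = 2rs), so p_1 can already exceed 2^N, and the search that follows only moves upward from there. Unless the caller rejects a result of the wrong bit length (not visible from this hunk), either clamp or weaken the comment, e.g. `* Select %$p_1 \ge 3 \cdot 2^{N-2}$% at random, with %$p_1 \equiv p_0 \pmod{2 r s}$%;` and note that the upper end is only approximate. The lower bound also relies on `mprand(MP_NEW, nbits, r, 0)` returning a full nbits-bit value with its top bit set, since `mp_setbit` only pins bit N-2; presumably it does, but the comment should say so. The trailing `$.` on the `\pmod{2 r s}` line should be `$%.` to close the %$...$% markup used everywhere else in this comment. strongprime_setup starts and ends outside this hunk.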
@@ -88,15 +88,11 @@ int bbs_gen(bbs_priv *bp, unsigned nbits, grand *r, unsigned n,
 g.r = mp_lsr(MP_NEW, bp->p, 1);
 g.g = MP_NEW;
 g.max = MP_ONE;
- t = mp_lsl(t, MP_ONE, nbits - 1);
- mp_div(&t, 0, t, bp->p);
- if (MP_CMP(x, <, t)) x = mp_leastcongruent(x, t, x, g.jp.m);
 bp->q = pgen("q", MP_NEWSEC, x, event, ectx, n, pgen_gcdstep, &g, rabin_iters(nb), pgen_test, &rb);
 pfilt_destroy(&g.jp);
 mp_drop(g.r);
 mp_drop(g.g);
- mp_drop(t);
 if (!bp->q) goto fail_q;
 /* --- Compute @n@ --- */
diff --git a/pub/rsa-gen.c b/pub/rsa-gen.c
index de97644c..3b5334b8 100644
--- a/pub/rsa-gen.c
+++ b/pub/rsa-gen.c
@@ -84,17 +84,11 @@ int rsa_gen(rsa_priv *rp, unsigned nbits, grand *r, unsigned n,
 {
 mp *q;
- mp *t = MP_NEW, *u = MP_NEW;
 rabin rb;
 if ((q = strongprime_setup("q", MP_NEWSEC, &g.jp, nbits / 2, r, n, event, ectx)) == 0) goto fail_q;
- t = mp_lsl(t, MP_ONE, nbits - 1);
- mp_div(&t, &u, t, rp->p);
- if (!MP_ZEROP(u)) t = mp_add(t, t, MP_ONE);
- if (MP_CMP(q, <, t)) q = mp_leastcongruent(q, t, q, g.jp.m);
- mp_drop(t);
 g.r = mp_lsr(MP_NEW, rp->p, 1);
 g.g = MP_NEW;
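Review bot: With the explicit bound on x gone, the bit length of n = p*q now rests entirely on the starting-point invariant of strongprime_setup (x >= 3*2^(nb-2), per the strongprime.c change in this merge), and that invariant is expressed in nb = nbits/2 rather than in nbits, so for odd nbits it only gives p*q >= 2^(2nb-1) = 2^(nbits-2) and n can come out one bit short; the removed bound was derived from nbits directly. If bbs_gen does not already reject odd sizes earlier (its start is outside this hunk), add `assert(!(nbits & 1));` next to `unsigned nb = nbits/2;` in the first hunk, or document the constraint. The dependency is also now invisible at the call site; a comment such as `/* x >= 3*2^(nb-2) (see strongprime_setup), so p*q fills nbits bits */` before the `pgen("q", ...)` call would record why no bound is needed here. I am assuming x was produced by strongprime_setup("q", ..., nb, ...) above this hunk, as the use of g.jp.m as the jump suggests.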