
Source code changes of the file "goodkey/good_key.go" between
boulder-release-2020-06-23.tar.gz and boulder-release-2020-06-29.tar.gz

About: Boulder is an ACME-based Certificate Authority (CA) used by Let’s Encrypt (written in Go).

good_key.go  (boulder-release-2020-06-23):good_key.go  (boulder-release-2020-06-29)
skipping to change at line 39 skipping to change at line 39
433, 439, 443, 449, 457, 461, 463, 467, 479, 487, 491, 433, 439, 443, 449, 457, 461, 463, 467, 479, 487, 491,
499, 503, 509, 521, 523, 541, 547, 557, 563, 569, 571, 499, 503, 509, 521, 523, 541, 547, 557, 563, 569, 571,
577, 587, 593, 599, 601, 607, 613, 617, 619, 631, 641, 577, 587, 593, 599, 601, 607, 613, 617, 619, 631, 641,
643, 647, 653, 659, 661, 673, 677, 683, 691, 701, 709, 643, 647, 653, 659, 661, 673, 677, 683, 691, 701, 709,
719, 727, 733, 739, 743, 751, 719, 727, 733, 739, 743, 751,
} }
// singleton defines the object of a Singleton pattern // singleton defines the object of a Singleton pattern
var ( var (
smallPrimesSingleton sync.Once smallPrimesSingleton sync.Once
smallPrimes []*big.Int smallPrimesProduct *big.Int
) )
// BlockedKeyCheckFunc is used to pass in the sa.BlockedKey method to KeyPolicy, // BlockedKeyCheckFunc is used to pass in the sa.BlockedKey method to KeyPolicy,
// rather than storing a full sa.SQLStorageAuthority. This makes testing // rather than storing a full sa.SQLStorageAuthority. This makes testing
// significantly simpler. // significantly simpler.
type BlockedKeyCheckFunc func(context.Context, *sapb.KeyBlockedRequest) (*sapb.E xists, error) type BlockedKeyCheckFunc func(context.Context, *sapb.KeyBlockedRequest) (*sapb.E xists, error)
// KeyPolicy determines which types of key may be used with various boulder // KeyPolicy determines which types of key may be used with various boulder
// operations. // operations.
type KeyPolicy struct { type KeyPolicy struct {
skipping to change at line 319 skipping to change at line 319
return berrors.MalformedError("key generated by vulnerable Infine on-based hardware") return berrors.MalformedError("key generated by vulnerable Infine on-based hardware")
} }
return nil return nil
} }
// Returns true iff integer i is divisible by any of the primes in smallPrimes. // Returns true iff integer i is divisible by any of the primes in smallPrimes.
// //
// Short circuits; execution time is dependent on i. Do not use this on secret // Short circuits; execution time is dependent on i. Do not use this on secret
// values. // values.
//
// Rather than checking each prime individually (invoking Mod on each),
// multiply the primes together and let GCD do our work for us: if the
// GCD between <key> and <product of primes> is not one, we know we have
// a bad key. This is substantially faster than checking each prime
// individually.
func checkSmallPrimes(i *big.Int) bool { func checkSmallPrimes(i *big.Int) bool {
smallPrimesSingleton.Do(func() { smallPrimesSingleton.Do(func() {
smallPrimesProduct = big.NewInt(1)
for _, prime := range smallPrimeInts { for _, prime := range smallPrimeInts {
smallPrimes = append(smallPrimes, big.NewInt(prime)) smallPrimesProduct.Mul(smallPrimesProduct, big.NewInt(pri me))
} }
}) })
for _, prime := range smallPrimes { // When the GCD is 1, i and smallPrimesProduct are coprime, meaning they
var result big.Int // share no common factors. When the GCD is not one, it is the product of
result.Mod(i, prime) // all common factors, meaning we've identified at least one small prime
if result.Sign() == 0 { // which invalidates i as a valid key.
return true
} var result big.Int
} result.GCD(nil, nil, i, smallPrimesProduct)
return result.Cmp(big.NewInt(1)) != 0
return false
} }
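Review bot: The doc comment kept above `checkSmallPrimes` is stale on the new side. It still names `smallPrimes`, which the first change block replaces with `smallPrimesProduct`, and it says "Short circuits", which described the removed per-prime `Mod` loop rather than the single `GCD` call. I would reword the opening to `// checkSmallPrimes returns true iff i is divisible by any of the primes in smallPrimeInts.` and the timing caveat to `// Not constant time: the running time of GCD depends on i. Do not use this on secret values.` so the warning against secret inputs stays accurate. The GCD form also changes how edge inputs are decided (i = 0, or i equal to one of the small primes); these are presumably unreachable for real RSA moduli, but a test case pinning them would confirm the rewrite matches the old loop.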
 End of changes. 5 change blocks. 
11 lines changed or deleted 17 lines changed or added
