On Thu, 2 Sep 2021, Hubert Kario wrote:

> I haven't looked into OpenSSH or libssh, but for TLS the clients generally
> _don't_ check if the p is a prime, let alone a safe prime, so it doesn't
> really matter if the isPrime() function is hardened or not as it's not used
> in the first place...

It doesn't matter in the context of a single connection, where the endpoints
have to trust each other not to divulge session contents or keys.

But we use BN_is_prime() in the moduli verification tools we ship for users to
verify that we're not shipping out composite numbers. This is an adversarial
use case.

Of course, having actual primality certificates is better.

-d

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
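The distinction drawn in the reply above (a probabilistic primality test is fine between endpoints that trust each other, but becomes an adversarial problem when it is used to screen numbers somebody else produced) can be seen concretely with a Miller-Rabin test. The following is an added example written for this page; it is not OpenSSH's or OpenSSL's code and says nothing about how BN_is_prime() selects its bases. It runs a strong probable-prime test against fixed bases and against CSPRNG-chosen bases, using a constructed test input: 3215031751 = 151 * 751 * 28351, a composite that is a known strong pseudoprime to bases 2, 3, 5 and 7. It also includes the p = 2q + 1 safe-prime check that a moduli entry is expected to satisfy. The function names and the round count are this example's own choices.

```python
import secrets

# Constructed test input: a composite that passes Miller-Rabin for the fixed
# bases 2, 3, 5 and 7 (3215031751 = 151 * 751 * 28351). An adversary who
# knows the bases in advance can hand you a number like this.
FIXED_BASE_LIAR = 3215031751


def miller_rabin(n: int, bases) -> bool:
    """Strong probable-prime test of n against each base in `bases`.

    Returns False as soon as one base witnesses that n is composite, and
    True otherwise. A True result is only as trustworthy as the bases:
    if the party who chose n also knows the bases, it proves nothing.
    """
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    # Write n - 1 = 2^r * d with d odd.
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        a %= n
        if a in (0, 1, n - 1):
            continue  # trivial base, tells us nothing
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue  # a is a strong liar or n is prime
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False  # a is a witness: n is definitely composite
    return True


def random_bases(n: int, rounds: int):
    """Bases drawn uniformly from [2, n-2] with a CSPRNG, so whoever
    produced n could not have tailored it to them."""
    if n < 5:
        return []
    return [2 + secrets.randbelow(n - 3) for _ in range(rounds)]


def is_probable_safe_prime(p: int, rounds: int = 64) -> bool:
    """p is a safe prime if both p and q = (p - 1) / 2 are prime.
    Both are tested with freshly drawn random bases."""
    if p < 5 or p % 2 == 0:
        return False
    q = (p - 1) // 2
    return (miller_rabin(q, random_bases(q, rounds))
            and miller_rabin(p, random_bases(p, rounds)))


def demo():
    """Returns (fixed-base verdict, verdict with base 11 added,
    random-base verdict) for the constructed composite."""
    fooled = miller_rabin(FIXED_BASE_LIAR, [2, 3, 5, 7])
    caught_by_11 = miller_rabin(FIXED_BASE_LIAR, [2, 3, 5, 7, 11])
    caught_random = miller_rabin(FIXED_BASE_LIAR,
                                 random_bases(FIXED_BASE_LIAR, 64))
    return fooled, caught_by_11, caught_random


if __name__ == "__main__":
    print("fixed bases 2,3,5,7 say prime:", demo()[0])
    print("adding base 11 says prime:   ", demo()[1])
    print("64 random bases say prime:   ", demo()[2])
    print("1019 is a safe prime:        ", is_probable_safe_prime(1019))
    print("1021 is a safe prime:        ", is_probable_safe_prime(1021))
```

With the fixed base set the composite is accepted; adding a fifth base or drawing the bases at random exposes it. That is the whole point of the adversarial setting: a screening tool that a third party can predict can be fed inputs built to pass it, which is why a primality certificate that can be independently checked is the stronger answer.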