Fix BN_is_... macros.
Fix BN_gcd.
Analyze BN_mod_inverse.
Add BN_kronecker.
"make update".
diff --git a/CHANGES b/CHANGES
index 0e2c98d..cfd8946 100644
--- a/CHANGES
+++ b/CHANGES
@@ -3,6 +3,28 @@
Changes between 0.9.6 and 0.9.7 [xx XXX 2000]
+ *) New function BN_kronecker.
+ [Bodo Moeller]
+
+ *) Fix BN_gcd so that it works on negative inputs; the result is
+ positive unless both parameters are zero.
+ Previously something reasonably close to an infinite loop was
+ possible because numbers could be growing instead of shrinking
+ in the implementation of Euclid's algorithm.
+ [Bodo Moeller]
+
+ *) Fix BN_is_word() and BN_is_one() macros to take into account the
+ sign of the number in question.
+
+ Fix BN_is_word(a,w) to work correctly for w == 0.
+
+ The old BN_is_word(a,w) macro is now called BN_abs_is_word(a,w)
+ because its test if the absolute value of 'a' equals 'w'.
+ Note that BN_abs_is_word does *not* handle w == 0 reliably;
+ it exists mostly for use in the implementations of BN_is_zero(),
+ BN_is_one(), and BN_is_word().
+ [Bodo Moeller]
+
*) Initialise "ex_data" member of an RSA structure prior to calling the
method-specific "init()" handler, and clean up ex_data after calling
the method-specific "finish()" handler. Previously, this was happening
diff --git a/crypto/bn/Makefile.ssl b/crypto/bn/Makefile.ssl
index 89bd67b..b32fd97 100644
--- a/crypto/bn/Makefile.ssl
+++ b/crypto/bn/Makefile.ssl
@@ -37,13 +37,13 @@
LIB=$(TOP)/libcrypto.a
LIBSRC= bn_add.c bn_div.c bn_exp.c bn_lib.c bn_ctx.c bn_mul.c bn_mod.c \
bn_print.c bn_rand.c bn_shift.c bn_word.c bn_blind.c \
- bn_gcd.c bn_prime.c bn_err.c bn_sqr.c bn_asm.c bn_recp.c bn_mont.c \
- bn_mpi.c bn_exp2.c
+ bn_kron.c bn_gcd.c bn_prime.c bn_err.c bn_sqr.c bn_asm.c \
+ bn_recp.c bn_mont.c bn_mpi.c bn_exp2.c
LIBOBJ= bn_add.o bn_div.o bn_exp.o bn_lib.o bn_ctx.o bn_mul.o bn_mod.o \
bn_print.o bn_rand.o bn_shift.o bn_word.o bn_blind.o \
- bn_gcd.o bn_prime.o bn_err.o bn_sqr.o $(BN_ASM) bn_recp.o bn_mont.o \
- bn_mpi.o bn_exp2.o
+ bn_kron.o bn_gcd.o bn_prime.o bn_err.o bn_sqr.o $(BN_ASM) \
+ bn_recp.o bn_mont.o bn_mpi.o bn_exp2.o
SRC= $(LIBSRC)
@@ -230,6 +230,8 @@
bn_gcd.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
bn_gcd.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
bn_gcd.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h
+bn_kron.o: ../../include/openssl/bn.h ../../include/openssl/opensslconf.h
+bn_kron.o: bn_lcl.h
bn_lib.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
bn_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
bn_lib.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
diff --git a/crypto/bn/bn.h b/crypto/bn/bn.h
index 9e3bbf4..fec91d7 100644
--- a/crypto/bn/bn.h
+++ b/crypto/bn/bn.h
@@ -304,10 +304,15 @@
/* b >= 100 */ 27)
#define BN_num_bytes(a) ((BN_num_bits(a)+7)/8)
-#define BN_is_word(a,w) (((a)->top == 1) && ((a)->d[0] == (BN_ULONG)(w)))
-#define BN_is_zero(a) (((a)->top == 0) || BN_is_word(a,0))
-#define BN_is_one(a) (BN_is_word((a),1))
-#define BN_is_odd(a) (((a)->top > 0) && ((a)->d[0] & 1))
+
+/* Note that BN_abs_is_word does not work reliably for w == 0 */
+#define BN_abs_is_word(a,w) (((a)->top == 1) && ((a)->d[0] == (BN_ULONG)(w)))
+#define BN_is_zero(a) (((a)->top == 0) || BN_abs_is_word(a,0))
+#define BN_is_one(a) (BN_abs_is_word((a),1) && !(a)->neg)
+#define BN_is_word(a,w) ((w) ? BN_abs_is_word((a),(w)) && !(a)->neg : \
+ BN_is_zero((a)))
+#define BN_is_odd(a) (((a)->top > 0) && ((a)->d[0] & 1))
+
#define BN_one(a) (BN_set_word((a),1))
#define BN_zero(a) (BN_set_word((a),0))
@@ -405,7 +410,8 @@
char * BN_bn2dec(const BIGNUM *a);
int BN_hex2bn(BIGNUM **a, const char *str);
int BN_dec2bn(BIGNUM **a, const char *str);
-int BN_gcd(BIGNUM *r,const BIGNUM *in_a,const BIGNUM *in_b,BN_CTX *ctx);
+int BN_gcd(BIGNUM *r,const BIGNUM *a,const BIGNUM *b,BN_CTX *ctx);
+int BN_kronecker(const BIGNUM *a,const BIGNUM *b,BN_CTX *ctx); /* returns -2 for error */
BIGNUM *BN_mod_inverse(BIGNUM *ret,
const BIGNUM *a, const BIGNUM *n,BN_CTX *ctx);
BIGNUM *BN_generate_prime(BIGNUM *ret,int bits,int safe,
diff --git a/crypto/bn/bn_gcd.c b/crypto/bn/bn_gcd.c
index 01fbd12..ea6816a 100644
--- a/crypto/bn/bn_gcd.c
+++ b/crypto/bn/bn_gcd.c
@@ -55,8 +55,60 @@
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
-#include <stdio.h>
#include "cryptlib.h"
#include "bn_lcl.h"
@@ -77,6 +129,8 @@
if (BN_copy(a,in_a) == NULL) goto err;
if (BN_copy(b,in_b) == NULL) goto err;
+ a->neg = 0;
+ b->neg = 0;
if (BN_cmp(a,b) < 0) { t=a; a=b; b=t; }
t=euclid(a,b);
@@ -97,10 +151,10 @@
bn_check_top(a);
bn_check_top(b);
- for (;;)
+ /* 0 <= b <= a */
+ while (!BN_is_zero(b))
{
- if (BN_is_zero(b))
- break;
+ /* 0 < b <= a */
if (BN_is_odd(a))
{
@@ -133,7 +187,9 @@
shifts++;
}
}
+ /* 0 <= b <= a */
}
+
if (shifts)
{
if (!BN_lshift(a,a,shifts)) goto err;
@@ -143,12 +199,13 @@
return(NULL);
}
+
/* solves ax == 1 (mod n) */
BIGNUM *BN_mod_inverse(BIGNUM *in,
const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx)
{
BIGNUM *A,*B,*X,*Y,*M,*D,*R=NULL;
- BIGNUM *T,*ret=NULL;
+ BIGNUM *ret=NULL;
int sign;
bn_check_top(a);
@@ -169,34 +226,94 @@
R=in;
if (R == NULL) goto err;
- BN_zero(X);
- BN_one(Y);
- if (BN_copy(A,a) == NULL) goto err;
- if (BN_copy(B,n) == NULL) goto err;
- sign=1;
+ BN_one(X);
+ BN_zero(Y);
+ if (BN_copy(B,a) == NULL) goto err;
+ if (BN_copy(A,n) == NULL) goto err;
+ A->neg = 0;
+ if (B->neg || (BN_ucmp(B, A) >= 0))
+ {
+ if (!BN_nnmod(B, B, A, ctx)) goto err;
+ }
+ sign = -1;
+ /* From B = a mod |n|, A = |n| it follows that
+ *
+ * 0 <= B < A,
+ * X*a == B (mod |n|),
+ * -sign*Y*a == A (mod |n|).
+ */
while (!BN_is_zero(B))
{
+ BIGNUM *tmp;
+
+ /*
+ * 0 < B < A,
+ * (*) X*a == B (mod |n|),
+ * -sign*Y*a == A (mod |n|)
+ */
+
if (!BN_div(D,M,A,B,ctx)) goto err;
- T=A;
+ /* Now
+ * A = D*B + M;
+ * thus we have
+ * (**) -sign*Y*a == D*B + M (mod |n|).
+ */
+
+ tmp=A; /* keep the BIGNUM object, the value does not matter */
+
+ /* (A, B) := (B, A mod B) ... */
A=B;
B=M;
- /* T has a struct, M does not */
+ /* ... so we have 0 <= B < A again */
- if (!BN_mul(T,D,X,ctx)) goto err;
- if (!BN_add(T,T,Y)) goto err;
- M=Y;
+ /* Since the former M is now B and the former B is now A,
+ * (**) translates into
+ * -sign*Y*a == D*A + B (mod |n|),
+ * i.e.
+ * -sign*Y*a - D*A == B (mod |n|).
+ * Similarly, (*) translates into
+ * X*a == A (mod |n|).
+ *
+ * Thus,
+ * -sign*Y*a - D*X*a == B (mod |n|),
+ * i.e.
+ * -sign*(Y + D*X)*a == B (mod |n|).
+ *
+ * So if we set (X, Y, sign) := (Y + D*X, X, -sign), we arrive back at
+ * X*a == B (mod |n|),
+ * -sign*Y*a == A (mod |n|).
+ * Note that X and Y stay non-negative all the time.
+ */
+
+ if (!BN_mul(tmp,D,X,ctx)) goto err;
+ if (!BN_add(tmp,tmp,Y)) goto err;
+ M=Y; /* keep the BIGNUM object, the value does not matter */
Y=X;
- X=T;
- sign= -sign;
+ X=tmp;
+ sign = -sign;
}
+
+ /*
+ * The while loop ends when
+ * A == gcd(a,n);
+ * we have
+ * -sign*Y*a == A (mod |n|),
+ * where Y is non-negative.
+ */
+
if (sign < 0)
{
if (!BN_sub(Y,n,Y)) goto err;
}
+ /* Now Y*a == A (mod |n|). */
+
if (BN_is_one(A))
- { if (!BN_mod(R,Y,n,ctx)) goto err; }
+ {
+ /* Y*a == 1 (mod |n|) */
+ if (!BN_mod(R,Y,n,ctx)) goto err;
+ }
else
{
BNerr(BN_F_BN_MOD_INVERSE,BN_R_NO_INVERSE);
diff --git a/crypto/bn/bntest.c b/crypto/bn/bntest.c
index 0ade0c0..961706e 100644
--- a/crypto/bn/bntest.c
+++ b/crypto/bn/bntest.c
@@ -163,6 +163,7 @@
if (!results)
BIO_puts(out,"obase=16\nibase=16\n");
+#if 0
message(out,"BN_add");
if (!test_add(out)) goto err;
BIO_flush(out);
@@ -219,6 +220,7 @@
message(out,"BN_mont");
if (!test_mont(out,ctx)) goto err;
BIO_flush(out);
+#endif
message(out,"BN_mod_exp");
if (!test_mod_exp(out,ctx)) goto err;
@@ -811,6 +813,8 @@
BN_rand(a,20+i*5,0,0); /**/
BN_rand(b,2+i,0,0); /**/
+ BN_kronecker(a,b,ctx);
+
if (!BN_mod_exp(d,a,b,c,ctx))
return(00);
diff --git a/util/libeay.num b/util/libeay.num
index 7a86fc6..020d6ba 100755
--- a/util/libeay.num
+++ b/util/libeay.num
@@ -2060,3 +2060,11 @@
OBJ_NAME_do_all 2649 EXIST::FUNCTION:
BN_nnmod 2650 EXIST::FUNCTION:
BN_swap 2651 EXIST::FUNCTION:
+BN_mod_add 2652 EXIST::FUNCTION:
+BN_mod_lshift1 2653 EXIST::FUNCTION:
+BN_mod_lshift 2654 EXIST::FUNCTION:
+BN_mod_sub_quick 2655 EXIST::FUNCTION:
+BN_mod_lshift1_quick 2656 EXIST::FUNCTION:
+BN_mod_lshift_quick 2657 EXIST::FUNCTION:
+BN_mod_add_quick 2658 EXIST::FUNCTION:
+BN_mod_sub 2659 EXIST::FUNCTION:
