From f4681b08645c61b9a9a1cb5d84fcdc2da154b563 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Bodo=20M=C3=B6ller?= Date: Mon, 3 Sep 2001 13:01:28 +0000 Subject: [PATCH] Use uniformly chosen witnesses for Miller-Rabin test (by using new BN_pseudo_rand_range function) --- CHANGES | 9 ++++++ crypto/bn/bn.h | 1 + crypto/bn/bn_prime.c | 10 +++--- crypto/bn/bn_rand.c | 71 ++++++++++++++++++++++++++++++++++++++++-- doc/crypto/BN_rand.pod | 5 +++ doc/crypto/bn.pod | 1 + 6 files changed, 89 insertions(+), 8 deletions(-) diff --git a/CHANGES b/CHANGES index 88574700f4..1fd2e2841a 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,15 @@ Changes between 0.9.6b and 0.9.6c [XX xxx XXXX] + *) Rabin-Miller test analyses assume uniformly distributed witnesses, + so use BN_pseudo_rand_range() instead of using BN_pseudo_rand() + followed by modular reduction. + [Bodo Moeller; pointed out by Adam Young ] + + *) Add BN_pseudo_rand_range() with obvious functionality: BN_rand_range() + requivalent based on BN_pseudo_rand() instead of BN_rand(). + [Bodo Moeller] + *) s3_srvr.c: allow sending of large client certificate lists (> 16 kB). This function was broken, as the check for a new client hello message to handle SGC did not allow these large messages. diff --git a/crypto/bn/bn.h b/crypto/bn/bn.h index b232c2ceae..6213142e02 100644 --- a/crypto/bn/bn.h +++ b/crypto/bn/bn.h @@ -329,6 +329,7 @@ void BN_CTX_end(BN_CTX *ctx); int BN_rand(BIGNUM *rnd, int bits, int top,int bottom); int BN_pseudo_rand(BIGNUM *rnd, int bits, int top,int bottom); int BN_rand_range(BIGNUM *rnd, BIGNUM *range); +int BN_pseudo_rand_range(BIGNUM *rnd, BIGNUM *range); int BN_num_bits(const BIGNUM *a); int BN_num_bits_word(BN_ULONG); BIGNUM *BN_new(void); diff --git a/crypto/bn/bn_prime.c b/crypto/bn/bn_prime.c index a5f01b92eb..8eda6c0755 100644 --- a/crypto/bn/bn_prime.c +++ b/crypto/bn/bn_prime.c @@ -225,12 +225,15 @@ int BN_is_prime_fasttest(const BIGNUM *a, int checks, BN_MONT_CTX *mont = NULL; const BIGNUM *A = NULL; + if (BN_cmp(a, BN_value_one) <= 0) + return 0; + if (checks == BN_prime_checks) checks = BN_prime_checks_for_size(BN_num_bits(a)); /* first look for small factors */ if (!BN_is_odd(a)) - return(0); + return 0; if (do_trial_division) { for (i = 1; i < NUMPRIMES; i++) @@ -289,11 +292,8 @@ int BN_is_prime_fasttest(const BIGNUM *a, int checks, for (i = 0; i < checks; i++) { - if (!BN_pseudo_rand(check, BN_num_bits(A1), 0, 0)) + if (!BN_pseudo_rand_range(check, A1)) goto err; - if (BN_cmp(check, A1) >= 0) - if (!BN_sub(check, check, A1)) - goto err; if (!BN_add_word(check, 1)) goto err; /* now 1 <= check < A */ diff --git a/crypto/bn/bn_rand.c b/crypto/bn/bn_rand.c index acd0619921..b368d12f80 100644 --- a/crypto/bn/bn_rand.c +++ b/crypto/bn/bn_rand.c @@ -55,6 +55,59 @@ * copied and put under another distribution licence * [including the GNU Public Licence.] */ +/* ==================================================================== + * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ #include #include @@ -172,8 +225,9 @@ int BN_bntest_rand(BIGNUM *rnd, int bits, int top, int bottom) #endif /* random number r: 0 <= r < range */ -int BN_rand_range(BIGNUM *r, BIGNUM *range) +static int bn_rand_range(int pseudo, BIGNUM *r, BIGNUM *range) { + int (*bn_rand)(BIGNUM *, int, int, int) = pseudo ? BN_pseudo_rand : BN_rand; int n; if (range->neg || BN_is_zero(range)) @@ -193,7 +247,7 @@ int BN_rand_range(BIGNUM *r, BIGNUM *range) do { /* range = 11..._2, so each iteration succeeds with probability >= .75 */ - if (!BN_rand(r, n, -1, 0)) return 0; + if (!bn_rand(r, n, -1, 0)) return 0; } while (BN_cmp(r, range) >= 0); } @@ -203,7 +257,7 @@ int BN_rand_range(BIGNUM *r, BIGNUM *range) * so 3*range (= 11..._2) is exactly one bit longer than range */ do { - if (!BN_rand(r, n + 1, -1, 0)) return 0; + if (!bn_rand(r, n + 1, -1, 0)) return 0; /* If r < 3*range, use r := r MOD range * (which is either r, r - range, or r - 2*range). * Otherwise, iterate once more. @@ -221,3 +275,14 @@ int BN_rand_range(BIGNUM *r, BIGNUM *range) return 1; } + + +int BN_rand_range(BIGNUM *r, BIGNUM *range) + { + return bn_rand_range(0, r, range); + } + +int BN_pseudo_rand_range(BIGNUM *r, BIGNUM *range) + { + return bn_rand_range(1, r, range); + } diff --git a/doc/crypto/BN_rand.pod b/doc/crypto/BN_rand.pod index cbae2fca97..ecd410f7f2 100644 --- a/doc/crypto/BN_rand.pod +++ b/doc/crypto/BN_rand.pod @@ -14,6 +14,8 @@ BN_rand, BN_pseudo_rand - generate pseudo-random number int BN_rand_range(BIGNUM *rnd, BIGNUM *range); + int BN_pseudo_rand_range(BIGNUM *rnd, int bits, int top, int bottom); + =head1 DESCRIPTION BN_rand() generates a cryptographically strong pseudo-random number of @@ -31,6 +33,8 @@ protocols, but usually not for key generation etc. BN_rand_range() generates a cryptographically strong pseudo-random number B in the range 0 = B E B. +BN_pseudo_rand_range() does the same, but is based on BN_pseudo_rand(), +and hence numbers generated by it are not necessarily unpredictable. The PRNG must be seeded prior to calling BN_rand() or BN_rand_range(). @@ -49,5 +53,6 @@ L, L BN_rand() is available in all versions of SSLeay and OpenSSL. BN_pseudo_rand() was added in OpenSSL 0.9.5. The B == -1 case and the function BN_rand_range() were added in OpenSSL 0.9.6a. +BN_pseudo_rand_range() was added in OpenSSL 0.9.6c. =cut diff --git a/doc/crypto/bn.pod b/doc/crypto/bn.pod index d183028d61..1524bc202d 100644 --- a/doc/crypto/bn.pod +++ b/doc/crypto/bn.pod @@ -61,6 +61,7 @@ bn - multiprecision integer arithmetics int BN_rand(BIGNUM *rnd, int bits, int top, int bottom); int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom); int BN_rand_range(BIGNUM *rnd, BIGNUM *range); + int BN_pseudo_rand_range(BIGNUM *rnd, BIGNUM *range); BIGNUM *BN_generate_prime(BIGNUM *ret, int bits,int safe, BIGNUM *add, BIGNUM *rem, void (*callback)(int, int, void *), void *cb_arg); -- 2.25.1