authorUlf Möller <ulf@openssl.org>2000-01-27 19:31:26 +0000
committerUlf Möller <ulf@openssl.org>2000-01-27 19:31:26 +0000
commit38e33cef15e7965ad9fd9db4b08fb2f5dc1bc573 (patch)
tree27216af3df8adcdc381475ca7011f43fcf34e7fe /crypto
parent0c23524963064a3bf8206b28c97f88e157d29fa7 (diff)
Document DSA and SHA.
New function BN_pseudo_rand(). Use BN_prime_checks_size(BN_num_bits(w)) rounds of Miller-Rabin when generating DSA primes (why not use BN_is_prime()?)
Diffstat (limited to 'crypto')
-rw-r--r--crypto/bn/bn.h19
-rw-r--r--crypto/bn/bn_prime.c20
-rw-r--r--crypto/bn/bn_rand.c24
-rw-r--r--crypto/dsa/dsa.h4
-rw-r--r--crypto/dsa/dsa_gen.c23
-rw-r--r--crypto/dsa/dsatest.c2
-rw-r--r--crypto/sha/sha1dgst.c2
-rw-r--r--crypto/sha/sha_dgst.c2
8 files changed, 61 insertions, 35 deletions
diff --git a/crypto/bn/bn.h b/crypto/bn/bn.h
index 9c92d76b41..aade57988c 100644
--- a/crypto/bn/bn.h
+++ b/crypto/bn/bn.h
@@ -286,6 +286,25 @@ typedef struct bn_recp_ctx_st
#define BN_prime_checks 0 /* default: select number of iterations
based on the size of the number */
+
+/* number of Miller-Rabin iterations for an error rate of less than 2^-80
+ * for random 'b'-bit input, b >= 100 (taken from table 4.4 in the Handbook
+ * of Applied Cryptography [Menezes, van Oorschot, Vanstone; CRC Press 1996];
+ * original paper: Damgaard, Landrock, Pomerance: Average case error estimates
+ * for the strong probable prime test. -- Math. Comp. 61 (1993) 177-194) */
+#define BN_prime_checks_size(b) ((b) >= 1300 ? 2 : \
+ (b) >= 850 ? 3 : \
+ (b) >= 650 ? 4 : \
+ (b) >= 550 ? 5 : \
+ (b) >= 450 ? 6 : \
+ (b) >= 400 ? 7 : \
+ (b) >= 350 ? 8 : \
+ (b) >= 300 ? 9 : \
+ (b) >= 250 ? 12 : \
+ (b) >= 200 ? 15 : \
+ (b) >= 150 ? 18 : \
+ /* b >= 100 */ 27)
+
#define BN_num_bytes(a) ((BN_num_bits(a)+7)/8)
#define BN_is_word(a,w) (((a)->top == 1) && ((a)->d[0] == (BN_ULONG)(w)))
#define BN_is_zero(a) (((a)->top == 0) || BN_is_word(a,0))
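Review bot: The comment above BN_prime_checks_size should state the limit of the bound it cites: the 2^-80 figure is an average-case estimate for a uniformly random b-bit candidate, and it does not hold for a candidate chosen by someone who wants it to pass, so callers validating externally supplied numbers need more rounds than this table gives. I would add `* NOTE: the bound is for random candidates only; do not rely on it for input supplied by a third party.` to the block comment, since this header is now the public home of the macro. A smaller point of style: the macro expands `b` up to eleven times, which is harmless for `BN_num_bits(x)` but would be a trap for a side-effecting argument; a `static inline` function or a one-line note would make that explicit.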
diff --git a/crypto/bn/bn_prime.c b/crypto/bn/bn_prime.c
index e22851ddf4..84f0699b9b 100644
--- a/crypto/bn/bn_prime.c
+++ b/crypto/bn/bn_prime.c
@@ -68,24 +68,6 @@
*/
#include "bn_prime.h"
-/* number of Miller-Rabin iterations for an error rate of less than 2^-80
- * for random 'b'-bit input, b >= 100 (taken from table 4.4 in the Handbook
- * of Applied Cryptography [Menezes, van Oorschot, Vanstone; CRC Press 1996];
- * original paper: Damgaard, Landrock, Pomerance: Average case error estimates
- * for the strong probable prime test. -- Math. Comp. 61 (1993) 177-194) */
-#define BN_prime_checks_size(b) ((b) >= 1300 ? 2 : \
- (b) >= 850 ? 3 : \
- (b) >= 650 ? 4 : \
- (b) >= 550 ? 5 : \
- (b) >= 450 ? 6 : \
- (b) >= 400 ? 7 : \
- (b) >= 350 ? 8 : \
- (b) >= 300 ? 9 : \
- (b) >= 250 ? 12 : \
- (b) >= 200 ? 15 : \
- (b) >= 150 ? 18 : \
- /* b >= 100 */ 27)
-
static int witness(BIGNUM *a, BIGNUM *n, BN_CTX *ctx,BN_CTX *ctx2,
BN_MONT_CTX *mont);
static int probable_prime(BIGNUM *rnd, int bits);
@@ -203,7 +185,7 @@ int BN_is_prime(BIGNUM *a, int checks, void (*callback)(int,int,void *),
for (i=0; i<checks; i++)
{
- if (!BN_rand(check,BN_num_bits(a)-1,0,0)) goto err;
+ if (!BN_pseudo_rand(check,BN_num_bits(a)-1,0,0)) goto err;
j=witness(check,a,ctx,ctx2,mont);
if (j == -1) goto err;
if (j)
diff --git a/crypto/bn/bn_rand.c b/crypto/bn/bn_rand.c
index b567b43a6f..dd6f6c9e44 100644
--- a/crypto/bn/bn_rand.c
+++ b/crypto/bn/bn_rand.c
@@ -62,7 +62,7 @@
#include "bn_lcl.h"
#include <openssl/rand.h>
-int BN_rand(BIGNUM *rnd, int bits, int top, int bottom)
+static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom)
{
unsigned char *buf=NULL;
int ret=0,bit,bytes,mask;
@@ -83,8 +83,17 @@ int BN_rand(BIGNUM *rnd, int bits, int top, int bottom)
time(&tim);
RAND_add(&tim,sizeof(tim),0);
- if (RAND_bytes(buf,(int)bytes) <= 0)
- goto err;
+ if (pseudorand)
+ {
+ if (RAND_pseudo_bytes(buf, bytes) == -1)
+ goto err;
+ }
+ else
+ {
+ if (RAND_bytes(buf, bytes) <= 0)
+ goto err;
+ }
+
if (top)
{
if (bit == 0)
@@ -116,3 +125,12 @@ err:
return(ret);
}
+int BN_rand(BIGNUM *rnd, int bits, int top, int bottom)
+ {
+ return bnrand(1, rnd, bits, top, bottom);
+ }
+
+int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom)
+ {
+ return bnrand(0, rnd, bits, top, bottom);
+ }
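Review bot: The two wrappers are inverted with respect to the flag bnrand consumes: `BN_rand` passes `pseudorand=1`, which in the previous hunk selects `RAND_pseudo_bytes`, while `BN_pseudo_rand` passes 0 and ends up in the `RAND_bytes` branch. The result is that the generator callers rely on for secrets is the one that tolerates a non-strong PRNG, and the pseudo variant is the one that drains the strong pool; every caller switched to BN_pseudo_rand in this commit (BN_is_prime witnesses, DSA_is_prime) behaves the opposite of what the names promise. Swap the arguments so BN_rand reads `return bnrand(0, rnd, bits, top, bottom);` and BN_pseudo_rand reads `return bnrand(1, rnd, bits, top, bottom);`, and consider a short comment on bnrand's first parameter naming which branch `1` selects so the next reader does not repeat the mistake.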
diff --git a/crypto/dsa/dsa.h b/crypto/dsa/dsa.h
index a68d3f6681..3da104b6dd 100644
--- a/crypto/dsa/dsa.h
+++ b/crypto/dsa/dsa.h
@@ -182,7 +182,7 @@ DSA * d2i_DSAPrivateKey(DSA **a, unsigned char **pp, long length);
DSA * d2i_DSAparams(DSA **a, unsigned char **pp, long length);
DSA * DSA_generate_parameters(int bits, unsigned char *seed,int seed_len,
int *counter_ret, unsigned long *h_ret,void
- (*callback)(),char *cb_arg);
+ (*callback)(),void *cb_arg);
int DSA_generate_key(DSA *a);
int i2d_DSAPublicKey(DSA *a, unsigned char **pp);
int i2d_DSAPrivateKey(DSA *a, unsigned char **pp);
@@ -197,7 +197,7 @@ int DSAparams_print_fp(FILE *fp, DSA *x);
int DSA_print_fp(FILE *bp, DSA *x, int off);
#endif
-int DSA_is_prime(BIGNUM *q,void (*callback)(),char *cb_arg);
+int DSA_is_prime(BIGNUM *q,void (*callback)(),void *cb_arg);
#ifndef NO_DH
/* Convert DSA structure (key or just parameters) into DH structure
diff --git a/crypto/dsa/dsa_gen.c b/crypto/dsa/dsa_gen.c
index 57435a9be2..5df9132dd8 100644
--- a/crypto/dsa/dsa_gen.c
+++ b/crypto/dsa/dsa_gen.c
@@ -75,7 +75,7 @@
DSA *DSA_generate_parameters(int bits, unsigned char *seed_in, int seed_len,
int *counter_ret, unsigned long *h_ret, void (*callback)(),
- char *cb_arg)
+ void *cb_arg)
{
int ok=0;
unsigned char seed[SHA_DIGEST_LENGTH];
@@ -93,6 +93,7 @@ DSA *DSA_generate_parameters(int bits, unsigned char *seed_in, int seed_len,
if (bits < 512) bits=512;
bits=(bits+63)/64*64;
+ if (seed_len < 20) seed_in = NULL;
if ((seed_in != NULL) && (seed_len == 20))
memcpy(seed,seed_in,seed_len);
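Review bot: `if (seed_len < 20) seed_in = NULL;` silently drops a caller-supplied seed that is too short, so a caller asking for parameters derived from a specific seed gets some other seed with no error indication (presumably a freshly generated one further down, outside this hunk). A seed longer than 20 bytes is not normalized either: seed_in stays non-NULL but the `seed_len == 20` test on the next line fails, so it is likewise not copied. If the intent is to only accept an exact 160-bit seed, make that explicit and reportable, e.g. `if (seed_in != NULL && seed_len != SHA_DIGEST_LENGTH) goto err;`, which also replaces the literal 20 with the constant that sizes `seed[]`. DSA_generate_parameters continues well past this hunk.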
@@ -142,10 +143,10 @@ DSA *DSA_generate_parameters(int bits, unsigned char *seed_in, int seed_len,
/* step 3 */
md[0]|=0x80;
md[SHA_DIGEST_LENGTH-1]|=0x01;
- if (!BN_bin2bn(md,SHA_DIGEST_LENGTH,q)) abort();
+ if (!BN_bin2bn(md,SHA_DIGEST_LENGTH,q)) goto err;
/* step 4 */
- if (DSA_is_prime(q,callback,cb_arg) > 0) break;
+ if (BN_is_prime(q,BN_prime_checks,callback,NULL,cb_arg) > 0) break;
/* do a callback call */
/* step 5 */
}
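Review bot: `if (BN_is_prime(q,BN_prime_checks,callback,NULL,cb_arg) > 0) break;` does not distinguish "composite" from "error": BN_is_prime signals failure with a negative return, and here that case just continues the candidate loop, so an allocation or context failure becomes a silent retry instead of reaching `err`. Capture the result and test it twice, e.g. `j=BN_is_prime(q,BN_prime_checks,callback,NULL,cb_arg); if (j < 0) goto err; if (j > 0) break;` (with an `int j` declared in the function). The same pattern appears in the step 11 hunk below (`if (BN_is_prime(p,...) > 0) goto end;`) and should get the same treatment. The enclosing function starts and ends outside this hunk.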
@@ -174,7 +175,8 @@ DSA *DSA_generate_parameters(int bits, unsigned char *seed_in, int seed_len,
HASH(buf,SHA_DIGEST_LENGTH,md);
/* step 8 */
- if (!BN_bin2bn(md,SHA_DIGEST_LENGTH,r0)) abort();
+ if (!BN_bin2bn(md,SHA_DIGEST_LENGTH,r0))
+ goto err;
BN_lshift(r0,r0,160*k);
BN_add(W,W,r0);
}
@@ -194,7 +196,7 @@ DSA *DSA_generate_parameters(int bits, unsigned char *seed_in, int seed_len,
if (BN_cmp(p,test) >= 0)
{
/* step 11 */
- if (DSA_is_prime(p,callback,cb_arg) > 0)
+ if (BN_is_prime(p,BN_prime_checks,callback,NULL,cb_arg) > 0)
goto end;
}
@@ -210,7 +212,7 @@ DSA *DSA_generate_parameters(int bits, unsigned char *seed_in, int seed_len,
end:
if (callback != NULL) callback(2,1,cb_arg);
- /* We now need to gernerate g */
+ /* We now need to generate g */
/* Set r0=(p-1)/q */
BN_sub(test,p,BN_value_one());
BN_div(r0,NULL,test,q,ctx);
@@ -250,7 +252,7 @@ err:
return(ok?ret:NULL);
}
-int DSA_is_prime(BIGNUM *w, void (*callback)(), char *cb_arg)
+int DSA_is_prime(BIGNUM *w, void (*callback)(), void *cb_arg)
{
int ok= -1,j,i,n;
BN_CTX *ctx=NULL,*ctx2=NULL;
@@ -258,7 +260,7 @@ int DSA_is_prime(BIGNUM *w, void (*callback)(), char *cb_arg)
int a;
BN_MONT_CTX *mont=NULL;
- if (!BN_is_bit_set(w,0)) return(0);
+ if (!BN_is_odd(w)) return(0);
if ((ctx=BN_CTX_new()) == NULL) goto err;
if ((ctx2=BN_CTX_new()) == NULL) goto err;
@@ -272,7 +274,7 @@ int DSA_is_prime(BIGNUM *w, void (*callback)(), char *cb_arg)
mont_1= &(ctx2->bn[7]);
/* step 1 */
- n=50;
+ n=BN_prime_checks_size(BN_num_bits(w));
/* step 2 */
if (!BN_sub(w_1,w,BN_value_one())) goto err;
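Review bot: `n=BN_prime_checks_size(BN_num_bits(w));` is consumed by the loop `for (i=1; i < n; i++)` in the next hunk, which executes only n-1 iterations, so the table's 2^-80 bound (stated for n rounds) is not met and a candidate of 1300 bits or more gets a single Miller-Rabin round. Either start the loop at 0 or set `n=BN_prime_checks_size(BN_num_bits(w))+1;` so the round count matches the table. Separately, DSA_is_prime is a public function in dsa.h, and the table only bounds the error for random candidates; if it is ever called on p or q supplied from outside rather than derived from the SEED, this round count is too low, which is worth a comment at this line. The old value `n=50` had no such dependency, which the commit message does not mention.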
@@ -286,7 +288,8 @@ int DSA_is_prime(BIGNUM *w, void (*callback)(), char *cb_arg)
for (i=1; i < n; i++)
{
/* step 3 */
- BN_rand(b,BN_num_bits(w)-2/*-1*/,0,0);
+ if (!BN_pseudo_rand(b,BN_num_bits(w)-2/*-1*/,0,0))
+ goto err;
/* BN_set_word(b,0x10001L); */
/* step 4 */
diff --git a/crypto/dsa/dsatest.c b/crypto/dsa/dsatest.c
index 220f71c260..a30dae6b72 100644
--- a/crypto/dsa/dsatest.c
+++ b/crypto/dsa/dsatest.c
@@ -141,7 +141,7 @@ int main(int argc, char **argv)
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
BIO_printf(bio_err,"test generation of DSA parameters\n");
- BIO_printf(bio_err,"expect '.*' followed by 5 lines of '.'s and '+'s\n");
+ BIO_printf(bio_err,"expect '.*' followed by 3 lines of '.'s and '+'s\n");
dsa=DSA_generate_parameters(512,seed,20,&counter,&h,dsa_cb,
(char *)bio_err);
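Review bot: The `(char *)bio_err` cast is now redundant and slightly misleading, since this commit changes `cb_arg` to `void *` in dsa.h; any object pointer converts implicitly, so the argument can be passed as plain `bio_err);`. The dsa_cb callback that receives it is defined outside this hunk, so its parameter type should be checked against the new `void *` at the same time.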
diff --git a/crypto/sha/sha1dgst.c b/crypto/sha/sha1dgst.c
index 141daf0846..dc008124e2 100644
--- a/crypto/sha/sha1dgst.c
+++ b/crypto/sha/sha1dgst.c
@@ -65,6 +65,8 @@
char *SHA1_version="SHA1" OPENSSL_VERSION_PTEXT;
+/* The implementation is in ../md32_common.h */
+
#include "sha_locl.h"
#endif
diff --git a/crypto/sha/sha_dgst.c b/crypto/sha/sha_dgst.c
index 81bce0c150..1aade357d1 100644
--- a/crypto/sha/sha_dgst.c
+++ b/crypto/sha/sha_dgst.c
@@ -65,6 +65,8 @@
char *SHA_version="SHA" OPENSSL_VERSION_PTEXT;
+/* The implementation is in ../md32_common.h */
+
#include "sha_locl.h"
#endif