> Hi, Yair Elharrar!
>
> For me it looks bad. :-/ Because, BN_sub doesn't handle this situation (r =
> b):
> 1) BN_sub call BN_uadd(r,a,b), but r = b, then
> 2) BN_sub change r->neg, but r = b, then
> 3) BN_sub call BN_expand(r), then
> 4) BN_sub call BN_ucmp(a,b), but b here is not that b that was at the
> begin of BN_sub, then
> 5) BN_sub call BN_usub(r,a,b) or BN_usub(r,b,a), but ...
>
> May be I've used wrong words, but my thought was that calling
> BN_sub(Y,n,Y) from BN_mod_inverse leads to unpredictable behavior. And
> this is not subject of standard of C rather using it.

AFAICS, the code never does all 4 of these steps. It either does 1 and 2 then returns or it does 3 and 4 and also sets r->neg before returning.

I think you'll need to post a repeatable test case, with the values of the args to BN_mod_inverse that fail, preferably what is returned by BN_num_bytes and bytes from BN_bn2bin for each one.

__Martin
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
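
Added example, not part of the original thread and not OpenSSL's code: a fixed-width toy subtraction (`tnum`, `t_sub`, `alias_matches` and the other `t_*` helpers are hypothetical names) that follows the two paths described in the reply and compares the `BN_sub(Y,n,Y)` call shape, where r is the same object as b, against a call with a separate result. It has no expand step, so it shows how a limb loop that reads before it writes tolerates aliasing, not what BN_sub itself does.

```c
#include <stdint.h>
#include <string.h>
#define LIMBS 4
typedef struct { uint32_t d[LIMBS]; int neg; } tnum; /* toy sign-magnitude number */
/* r = |a| + |b|; carry out of the top limb is dropped in this fixed-width toy */
static void t_uadd(tnum *r, const tnum *a, const tnum *b) {
    uint64_t carry = 0;
    for (int i = 0; i < LIMBS; i++) {
        uint64_t s = (uint64_t)a->d[i] + b->d[i] + carry; /* read both limbs first */
        r->d[i] = (uint32_t)s;                            /* then write r (may be a or b) */
        carry = s >> 32;
    }
}
/* compare magnitudes: -1, 0 or 1 */
static int t_ucmp(const tnum *a, const tnum *b) {
    for (int i = LIMBS - 1; i >= 0; i--)
        if (a->d[i] != b->d[i]) return a->d[i] > b->d[i] ? 1 : -1;
    return 0;
}
/* r = |a| - |b|; caller guarantees |a| >= |b| */
static void t_usub(tnum *r, const tnum *a, const tnum *b) {
    uint32_t borrow = 0;
    for (int i = 0; i < LIMBS; i++) {
        uint32_t x = a->d[i], y = b->d[i];      /* snapshot before r is touched */
        r->d[i] = x - y - borrow;
        borrow = (x < y) || (x == y && borrow);
    }
}
/* r = a - b; signs are snapshotted up front because r may alias a or b */
int t_sub(tnum *r, const tnum *a, const tnum *b) {
    static const tnum zero;
    int aneg = a->neg, bneg = b->neg;
    if (aneg != bneg) { t_uadd(r, a, b); r->neg = aneg; return 1; } /* add, set sign, return */
    if (t_ucmp(a, b) < 0) { t_usub(r, b, a); r->neg = !aneg; }      /* compare, then subtract */
    else                  { t_usub(r, a, b); r->neg = aneg; }
    if (t_ucmp(r, &zero) == 0) r->neg = 0;                          /* no negative zero */
    return 1;
}
/* 1 when the aliased call (r == b) gives the same result as a call with a separate r */
int alias_matches(tnum n, tnum y) {
    tnum out, yy = y;
    t_sub(&out, &n, &y);   /* separate result object */
    t_sub(&yy, &n, &yy);   /* r aliases b, the BN_sub(Y,n,Y) call shape */
    return memcmp(out.d, yy.d, sizeof out.d) == 0 && out.neg == yy.neg;
}
int main(void) {
    tnum n = {{5, 0, 0, 0}, 0}, y = {{7, 0, 0, 0}, 0}; /* constructed sample values */
    return alias_matches(n, y) ? 0 : 1;
}
```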