/src/libressl/crypto/bn/bn_bpsw.c

Source (jump to first uncovered line)
/*  $OpenBSD: bn_bpsw.c,v 1.5 2022/07/29 08:37:33 tb Exp $ */
/*
 * Copyright (c) 2022 Martin Grenouilloux <martin.grenouilloux@lse.epita.fr>
 * Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#include <openssl/bn.h>

#include "bn_lcl.h"
#include "bn_prime.h"

/*
 * For an odd n compute a / 2 (mod n). If a is even, we can do a plain
 * division, otherwise calculate (a + n) / 2. Then reduce (mod n).
 */

static int
bn_div_by_two_mod_odd_n(BIGNUM *a, const BIGNUM *n, BN_CTX *ctx)
{
  if (!BN_is_odd(n))
    return 0;

  if (BN_is_odd(a)) {
    if (!BN_add(a, a, n))
      return 0;
  }
  if (!BN_rshift1(a, a))
    return 0;
  if (!BN_mod_ct(a, a, n, ctx))
    return 0;

  return 1;
}

/*
 * Given the next binary digit of k and the current Lucas terms U and V, this
 * helper computes the next terms in the Lucas sequence defined as follows:
 *
 *   U' = U * V                  (mod n)
 *   V' = (V^2 + D * U^2) / 2    (mod n)
 *
 * If digit == 0, bn_lucas_step() returns U' and V'. If digit == 1, it returns
 *
 *   U'' = (U' + V') / 2         (mod n)
 *   V'' = (V' + D * U') / 2     (mod n)
 *
 * Compare with FIPS 186-4, Appendix C.3.3, step 6.
 */

static int
bn_lucas_step(BIGNUM *U, BIGNUM *V, int digit, const BIGNUM *D,
    const BIGNUM *n, BN_CTX *ctx)
{
  BIGNUM *tmp;
  int ret = 0;

  BN_CTX_start(ctx);

  if ((tmp = BN_CTX_get(ctx)) == NULL)
    goto err;

  /* Calculate D * U^2 before computing U'. */
  if (!BN_sqr(tmp, U, ctx))
    goto err;
  if (!BN_mul(tmp, D, tmp, ctx))
    goto err;

  /* U' = U * V (mod n). */
  if (!BN_mod_mul(U, U, V, n, ctx))
    goto err;

  /* V' = (V^2 + D * U^2) / 2 (mod n). */
  if (!BN_sqr(V, V, ctx))
    goto err;
  if (!BN_add(V, V, tmp))
    goto err;
  if (!bn_div_by_two_mod_odd_n(V, n, ctx))
    goto err;

  if (digit == 1) {
    /* Calculate D * U' before computing U''. */
    if (!BN_mul(tmp, D, U, ctx))
      goto err;

    /* U'' = (U' + V') / 2 (mod n). */
    if (!BN_add(U, U, V))
      goto err;
    if (!bn_div_by_two_mod_odd_n(U, n, ctx))
      goto err;

    /* V'' = (V' + D * U') / 2 (mod n). */
    if (!BN_add(V, V, tmp))
      goto err;
    if (!bn_div_by_two_mod_odd_n(V, n, ctx))
      goto err;
  }

  ret = 1;

 err:
  BN_CTX_end(ctx);

  return ret;
}

/*
 * Compute the Lucas terms U_k, V_k, see FIPS 186-4, Appendix C.3.3, steps 4-6.
 */

static int
bn_lucas(BIGNUM *U, BIGNUM *V, const BIGNUM *k, const BIGNUM *D,
    const BIGNUM *n, BN_CTX *ctx)
{
  int digit, i;
  int ret = 0;

  if (!BN_one(U))
    goto err;
  if (!BN_one(V))
    goto err;

  /*
   * Iterate over the digits of k from MSB to LSB. Start at digit 2
   * since the first digit is dealt with by setting U = 1 and V = 1.
   */

  for (i = BN_num_bits(k) - 2; i >= 0; i--) {
    digit = BN_is_bit_set(k, i);

    if (!bn_lucas_step(U, V, digit, D, n, ctx))
      goto err;
  }

  ret = 1;

 err:
  return ret;
}

/*
 * This is a stronger variant of the Lucas test in FIPS 186-4, Appendix C.3.3.
 * Every strong Lucas pseudoprime n is also a Lucas pseudoprime since
 * U_{n+1} == 0 follows from U_k == 0 or V_{k * 2^r} == 0 for 0 <= r < s.
 */

static int
bn_strong_lucas_test(int *is_prime, const BIGNUM *n, const BIGNUM *D,
    BN_CTX *ctx)
{
  BIGNUM *k, *U, *V;
  int r, s;
  int ret = 0;

  BN_CTX_start(ctx);

  if ((k = BN_CTX_get(ctx)) == NULL)
    goto err;
  if ((U = BN_CTX_get(ctx)) == NULL)
    goto err;
  if ((V = BN_CTX_get(ctx)) == NULL)
    goto err;

  /*
   * Factorize n + 1 = k * 2^s with odd k: shift away the s trailing ones
   * of n and set the lowest bit of the resulting number k.
   */

  s = 0;
  while (BN_is_bit_set(n, s))
    s++;
  if (!BN_rshift(k, n, s))
    goto err;
  if (!BN_set_bit(k, 0))
    goto err;

  /*
   * Calculate the Lucas terms U_k and V_k. If either of them is zero,
   * then n is a strong Lucas pseudoprime.
   */

  if (!bn_lucas(U, V, k, D, n, ctx))
    goto err;

  if (BN_is_zero(U) || BN_is_zero(V)) {
    *is_prime = 1;
    goto done;
  }

  /*
   * Calculate the Lucas terms U_{k * 2^r}, V_{k * 2^r} for 1 <= r < s.
   * If any V_{k * 2^r} is zero then n is a strong Lucas pseudoprime.
   */

  for (r = 1; r < s; r++) {
    if (!bn_lucas_step(U, V, 0, D, n, ctx))
      goto err;

    if (BN_is_zero(V)) {
      *is_prime = 1;
      goto done;
    }
  }

  /*
   * If we got here, n is definitely composite.
   */

  *is_prime = 0;

 done:
  ret = 1;

 err:
  BN_CTX_end(ctx);

  return ret;
}

/*
 * Test n for primality using the strong Lucas test with Selfridge's Method A.
 * Returns 1 if n is prime or a strong Lucas-Selfridge pseudoprime.
 * If it returns 0 then n is definitely composite.
 */

static int
bn_strong_lucas_selfridge(int *is_prime, const BIGNUM *n, BN_CTX *ctx)
{
  BIGNUM *D, *two;
  int is_perfect_square, jacobi_symbol, sign;
  int ret = 0;

  BN_CTX_start(ctx);

  /* If n is a perfect square, it is composite. */
  if (!bn_is_perfect_square(&is_perfect_square, n, ctx))
    goto err;
  if (is_perfect_square) {
    *is_prime = 0;
    goto done;
  }

  /*
   * Find the first D in the Selfridge sequence 5, -7, 9, -11, 13, ...
   * such that the Jacobi symbol (D/n) is -1.
   */

  if ((D = BN_CTX_get(ctx)) == NULL)
    goto err;
  if ((two = BN_CTX_get(ctx)) == NULL)
    goto err;

  sign = 1;
  if (!BN_set_word(D, 5))
    goto err;
  if (!BN_set_word(two, 2))
    goto err;

  while (1) {
    /* For odd n the Kronecker symbol computes the Jacobi symbol. */
    if ((jacobi_symbol = BN_kronecker(D, n, ctx)) == -2)
      goto err;

    /* We found the value for D. */
    if (jacobi_symbol == -1)
      break;

    /* n and D have prime factors in common. */
    if (jacobi_symbol == 0) {
      *is_prime = 0;
      goto done;
    }

    sign = -sign;
    if (!BN_uadd(D, D, two))
      goto err;
    BN_set_negative(D, sign == -1);
  }

  if (!bn_strong_lucas_test(is_prime, n, D, ctx))
    goto err;

 done:
  ret = 1;

 err:
  BN_CTX_end(ctx);

  return ret;
}

/*
 * Miller-Rabin primality test for base 2.
 */
static int
bn_miller_rabin_base_2(int *is_prime, const BIGNUM *n, BN_CTX *ctx)
{
  BIGNUM *n_minus_one, *k, *x;
  int i, s;
  int ret = 0;

  BN_CTX_start(ctx);

  if ((n_minus_one = BN_CTX_get(ctx)) == NULL)
    goto err;
  if ((k = BN_CTX_get(ctx)) == NULL)
    goto err;
  if ((x = BN_CTX_get(ctx)) == NULL)
    goto err;

  if (BN_is_word(n, 2) || BN_is_word(n, 3)) {
    *is_prime = 1;
    goto done;
  }

  if (BN_cmp(n, BN_value_one()) <= 0 || !BN_is_odd(n)) {
    *is_prime = 0;
    goto done;
  }

  if (!BN_sub(n_minus_one, n, BN_value_one()))
    goto err;

  /*
   * Factorize n - 1 = k * 2^s.
   */

  s = 0;
  while (!BN_is_bit_set(n_minus_one, s))
    s++;
  if (!BN_rshift(k, n_minus_one, s))
    goto err;

  /*
   * If 2^k is 1 or -1 (mod n) then n is a 2-pseudoprime.
   */

  if (!BN_set_word(x, 2))
    goto err;
  if (!BN_mod_exp_ct(x, x, k, n, ctx))
    goto err;

  if (BN_is_one(x) || BN_cmp(x, n_minus_one) == 0) {
    *is_prime = 1;
    goto done;
  }

  /*
   * If 2^{2^i k} == -1 (mod n) for some 1 <= i < s, then n is a
   * 2-pseudoprime
   */

  for (i = 1; i < s; i++) {
    if (!BN_mod_sqr(x, x, n, ctx))
      goto err;
    if (BN_cmp(x, n_minus_one) == 0) {
      *is_prime = 1;
      goto done;
    }
  }

  /*
   * If we got here, n is definitely composite.
   */

  *is_prime = 0;

 done:
  ret = 1;

 err:
  BN_CTX_end(ctx);

  return ret;
}

/*
 * The Baillie-Pomerance-Selfridge-Wagstaff algorithm combines a Miller-Rabin
 * test for base 2 with a Strong Lucas pseudoprime test.
 */

int
bn_is_prime_bpsw(int *is_prime, const BIGNUM *n, BN_CTX *in_ctx)
{
  BN_CTX *ctx = NULL;
  BN_ULONG mod;
  int i;
  int ret = 0;

  if (BN_is_word(n, 2)) {
    *is_prime = 1;
    goto done;
  }

  if (BN_cmp(n, BN_value_one()) <= 0 || !BN_is_odd(n)) {
    *is_prime = 0;
    goto done;
  }

  /* Trial divisions with the first 2048 primes. */
  for (i = 0; i < NUMPRIMES; i++) {
    if ((mod = BN_mod_word(n, primes[i])) == (BN_ULONG)-1)
      goto err;
    if (mod == 0) {
      *is_prime = BN_is_word(n, primes[i]);
      goto done;
    }
  }

  if ((ctx = in_ctx) == NULL)
    ctx = BN_CTX_new();
  if (ctx == NULL)
    goto err;

  if (!bn_miller_rabin_base_2(is_prime, n, ctx))
    goto err;
  if (!*is_prime)
    goto done;

  /* XXX - Miller-Rabin for random bases? See FIPS 186-4, Table C.1. */

  if (!bn_strong_lucas_selfridge(is_prime, n, ctx))
    goto err;

 done:
  ret = 1;

 err:
  if (ctx != in_ctx)
    BN_CTX_free(ctx);

  return ret;
}

Coverage Report

Created: 2022-08-24 06:30

Line	Count	Source (jump to first uncovered line)
1		/* $OpenBSD: bn_bpsw.c,v 1.5 2022/07/29 08:37:33 tb Exp $ */
2		/*
3		* Copyright (c) 2022 Martin Grenouilloux <martin.grenouilloux@lse.epita.fr>
4		* Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
5		*
6		* Permission to use, copy, modify, and distribute this software for any
7		* purpose with or without fee is hereby granted, provided that the above
8		* copyright notice and this permission notice appear in all copies.
9		*
10		* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11		* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12		* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13		* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14		* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15		* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16		* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17		*/
18
19		#include <openssl/bn.h>
20
21		#include "bn_lcl.h"
22		#include "bn_prime.h"
23
24		/*
25		* For an odd n compute a / 2 (mod n). If a is even, we can do a plain
26		* division, otherwise calculate (a + n) / 2. Then reduce (mod n).
27		*/
28
29		static int
30		bn_div_by_two_mod_odd_n(BIGNUM a, const BIGNUM n, BN_CTX *ctx)
31	0	{
32	0	if (!BN_is_odd(n))
33	0	return 0;
34
35	0	if (BN_is_odd(a)) {
36	0	if (!BN_add(a, a, n))
37	0	return 0;
38	0	}
39	0	if (!BN_rshift1(a, a))
40	0	return 0;
41	0	if (!BN_mod_ct(a, a, n, ctx))
42	0	return 0;
43
44	0	return 1;
45	0	}
46
47		/*
48		* Given the next binary digit of k and the current Lucas terms U and V, this
49		* helper computes the next terms in the Lucas sequence defined as follows:
50		*
51		* U' = U * V (mod n)
52		* V' = (V^2 + D * U^2) / 2 (mod n)
53		*
54		* If digit == 0, bn_lucas_step() returns U' and V'. If digit == 1, it returns
55		*
56		* U'' = (U' + V') / 2 (mod n)
57		* V'' = (V' + D * U') / 2 (mod n)
58		*
59		* Compare with FIPS 186-4, Appendix C.3.3, step 6.
60		*/
61
62		static int
63		bn_lucas_step(BIGNUM U, BIGNUM V, int digit, const BIGNUM *D,
64		const BIGNUM n, BN_CTX ctx)
65	0	{
66	0	BIGNUM *tmp;
67	0	int ret = 0;
68
69	0	BN_CTX_start(ctx);
70
71	0	if ((tmp = BN_CTX_get(ctx)) == NULL)
72	0	goto err;
73
74		/* Calculate D * U^2 before computing U'. */
75	0	if (!BN_sqr(tmp, U, ctx))
76	0	goto err;
77	0	if (!BN_mul(tmp, D, tmp, ctx))
78	0	goto err;
79
80		/* U' = U * V (mod n). */
81	0	if (!BN_mod_mul(U, U, V, n, ctx))
82	0	goto err;
83
84		/* V' = (V^2 + D * U^2) / 2 (mod n). */
85	0	if (!BN_sqr(V, V, ctx))
86	0	goto err;
87	0	if (!BN_add(V, V, tmp))
88	0	goto err;
89	0	if (!bn_div_by_two_mod_odd_n(V, n, ctx))
90	0	goto err;
91
92	0	if (digit == 1) {
93		/* Calculate D * U' before computing U''. */
94	0	if (!BN_mul(tmp, D, U, ctx))
95	0	goto err;
96
97		/* U'' = (U' + V') / 2 (mod n). */
98	0	if (!BN_add(U, U, V))
99	0	goto err;
100	0	if (!bn_div_by_two_mod_odd_n(U, n, ctx))
101	0	goto err;
102
103		/* V'' = (V' + D * U') / 2 (mod n). */
104	0	if (!BN_add(V, V, tmp))
105	0	goto err;
106	0	if (!bn_div_by_two_mod_odd_n(V, n, ctx))
107	0	goto err;
108	0	}
109
110	0	ret = 1;
111
112	0	err:
113	0	BN_CTX_end(ctx);
114
115	0	return ret;
116	0	}
117
118		/*
119		* Compute the Lucas terms U_k, V_k, see FIPS 186-4, Appendix C.3.3, steps 4-6.
120		*/
121
122		static int
123		bn_lucas(BIGNUM U, BIGNUM V, const BIGNUM k, const BIGNUM D,
124		const BIGNUM n, BN_CTX ctx)
125	0	{
126	0	int digit, i;
127	0	int ret = 0;
128
129	0	if (!BN_one(U))
130	0	goto err;
131	0	if (!BN_one(V))
132	0	goto err;
133
134		/*
135		* Iterate over the digits of k from MSB to LSB. Start at digit 2
136		* since the first digit is dealt with by setting U = 1 and V = 1.
137		*/
138
139	0	for (i = BN_num_bits(k) - 2; i >= 0; i--) {
140	0	digit = BN_is_bit_set(k, i);
141
142	0	if (!bn_lucas_step(U, V, digit, D, n, ctx))
143	0	goto err;
144	0	}
145
146	0	ret = 1;
147
148	0	err:
149	0	return ret;
150	0	}
151
152		/*
153		* This is a stronger variant of the Lucas test in FIPS 186-4, Appendix C.3.3.
154		* Every strong Lucas pseudoprime n is also a Lucas pseudoprime since
155		* U_{n+1} == 0 follows from U_k == 0 or V_{k * 2^r} == 0 for 0 <= r < s.
156		*/
157
158		static int
159		bn_strong_lucas_test(int is_prime, const BIGNUM n, const BIGNUM *D,
160		BN_CTX *ctx)
161	0	{
162	0	BIGNUM k, U, *V;
163	0	int r, s;
164	0	int ret = 0;
165
166	0	BN_CTX_start(ctx);
167
168	0	if ((k = BN_CTX_get(ctx)) == NULL)
169	0	goto err;
170	0	if ((U = BN_CTX_get(ctx)) == NULL)
171	0	goto err;
172	0	if ((V = BN_CTX_get(ctx)) == NULL)
173	0	goto err;
174
175		/*
176		* Factorize n + 1 = k * 2^s with odd k: shift away the s trailing ones
177		* of n and set the lowest bit of the resulting number k.
178		*/
179
180	0	s = 0;
181	0	while (BN_is_bit_set(n, s))
182	0	s++;
183	0	if (!BN_rshift(k, n, s))
184	0	goto err;
185	0	if (!BN_set_bit(k, 0))
186	0	goto err;
187
188		/*
189		* Calculate the Lucas terms U_k and V_k. If either of them is zero,
190		* then n is a strong Lucas pseudoprime.
191		*/
192
193	0	if (!bn_lucas(U, V, k, D, n, ctx))
194	0	goto err;
195
196	0	if (BN_is_zero(U) \|\| BN_is_zero(V)) {
197	0	*is_prime = 1;
198	0	goto done;
199	0	}
200
201		/*
202		* Calculate the Lucas terms U_{k * 2^r}, V_{k * 2^r} for 1 <= r < s.
203		* If any V_{k * 2^r} is zero then n is a strong Lucas pseudoprime.
204		*/
205
206	0	for (r = 1; r < s; r++) {
207	0	if (!bn_lucas_step(U, V, 0, D, n, ctx))
208	0	goto err;
209
210	0	if (BN_is_zero(V)) {
211	0	*is_prime = 1;
212	0	goto done;
213	0	}
214	0	}
215
216		/*
217		* If we got here, n is definitely composite.
218		*/
219
220	0	*is_prime = 0;
221
222	0	done:
223	0	ret = 1;
224
225	0	err:
226	0	BN_CTX_end(ctx);
227
228	0	return ret;
229	0	}
230
231		/*
232		* Test n for primality using the strong Lucas test with Selfridge's Method A.
233		* Returns 1 if n is prime or a strong Lucas-Selfridge pseudoprime.
234		* If it returns 0 then n is definitely composite.
235		*/
236
237		static int
238		bn_strong_lucas_selfridge(int is_prime, const BIGNUM n, BN_CTX *ctx)
239	0	{
240	0	BIGNUM D, two;
241	0	int is_perfect_square, jacobi_symbol, sign;
242	0	int ret = 0;
243
244	0	BN_CTX_start(ctx);
245
246		/* If n is a perfect square, it is composite. */
247	0	if (!bn_is_perfect_square(&is_perfect_square, n, ctx))
248	0	goto err;
249	0	if (is_perfect_square) {
250	0	*is_prime = 0;
251	0	goto done;
252	0	}
253
254		/*
255		* Find the first D in the Selfridge sequence 5, -7, 9, -11, 13, ...
256		* such that the Jacobi symbol (D/n) is -1.
257		*/
258
259	0	if ((D = BN_CTX_get(ctx)) == NULL)
260	0	goto err;
261	0	if ((two = BN_CTX_get(ctx)) == NULL)
262	0	goto err;
263
264	0	sign = 1;
265	0	if (!BN_set_word(D, 5))
266	0	goto err;
267	0	if (!BN_set_word(two, 2))
268	0	goto err;
269
270	0	while (1) {
271		/* For odd n the Kronecker symbol computes the Jacobi symbol. */
272	0	if ((jacobi_symbol = BN_kronecker(D, n, ctx)) == -2)
273	0	goto err;
274
275		/* We found the value for D. */
276	0	if (jacobi_symbol == -1)
277	0	break;
278
279		/* n and D have prime factors in common. */
280	0	if (jacobi_symbol == 0) {
281	0	*is_prime = 0;
282	0	goto done;
283	0	}
284
285	0	sign = -sign;
286	0	if (!BN_uadd(D, D, two))
287	0	goto err;
288	0	BN_set_negative(D, sign == -1);
289	0	}
290
291	0	if (!bn_strong_lucas_test(is_prime, n, D, ctx))
292	0	goto err;
293
294	0	done:
295	0	ret = 1;
296
297	0	err:
298	0	BN_CTX_end(ctx);
299
300	0	return ret;
301	0	}
302
303		/*
304		* Miller-Rabin primality test for base 2.
305		*/
306		static int
307		bn_miller_rabin_base_2(int is_prime, const BIGNUM n, BN_CTX *ctx)
308	0	{
309	0	BIGNUM n_minus_one, k, *x;
310	0	int i, s;
311	0	int ret = 0;
312
313	0	BN_CTX_start(ctx);
314
315	0	if ((n_minus_one = BN_CTX_get(ctx)) == NULL)
316	0	goto err;
317	0	if ((k = BN_CTX_get(ctx)) == NULL)
318	0	goto err;
319	0	if ((x = BN_CTX_get(ctx)) == NULL)
320	0	goto err;
321
322	0	if (BN_is_word(n, 2) \|\| BN_is_word(n, 3)) {
323	0	*is_prime = 1;
324	0	goto done;
325	0	}
326
327	0	if (BN_cmp(n, BN_value_one()) <= 0 \|\| !BN_is_odd(n)) {
328	0	*is_prime = 0;
329	0	goto done;
330	0	}
331
332	0	if (!BN_sub(n_minus_one, n, BN_value_one()))
333	0	goto err;
334
335		/*
336		* Factorize n - 1 = k * 2^s.
337		*/
338
339	0	s = 0;
340	0	while (!BN_is_bit_set(n_minus_one, s))
341	0	s++;
342	0	if (!BN_rshift(k, n_minus_one, s))
343	0	goto err;
344
345		/*
346		* If 2^k is 1 or -1 (mod n) then n is a 2-pseudoprime.
347		*/
348
349	0	if (!BN_set_word(x, 2))
350	0	goto err;
351	0	if (!BN_mod_exp_ct(x, x, k, n, ctx))
352	0	goto err;
353
354	0	if (BN_is_one(x) \|\| BN_cmp(x, n_minus_one) == 0) {
355	0	*is_prime = 1;
356	0	goto done;
357	0	}
358
359		/*
360		* If 2^{2^i k} == -1 (mod n) for some 1 <= i < s, then n is a
361		* 2-pseudoprime
362		*/
363
364	0	for (i = 1; i < s; i++) {
365	0	if (!BN_mod_sqr(x, x, n, ctx))
366	0	goto err;
367	0	if (BN_cmp(x, n_minus_one) == 0) {
368	0	*is_prime = 1;
369	0	goto done;
370	0	}
371	0	}
372
373		/*
374		* If we got here, n is definitely composite.
375		*/
376
377	0	*is_prime = 0;
378
379	0	done:
380	0	ret = 1;
381
382	0	err:
383	0	BN_CTX_end(ctx);
384
385	0	return ret;
386	0	}
387
388		/*
389		* The Baillie-Pomerance-Selfridge-Wagstaff algorithm combines a Miller-Rabin
390		* test for base 2 with a Strong Lucas pseudoprime test.
391		*/
392
393		int
394		bn_is_prime_bpsw(int is_prime, const BIGNUM n, BN_CTX *in_ctx)
395	0	{
396	0	BN_CTX *ctx = NULL;
397	0	BN_ULONG mod;
398	0	int i;
399	0	int ret = 0;
400
401	0	if (BN_is_word(n, 2)) {
402	0	*is_prime = 1;
403	0	goto done;
404	0	}
405
406	0	if (BN_cmp(n, BN_value_one()) <= 0 \|\| !BN_is_odd(n)) {
407	0	*is_prime = 0;
408	0	goto done;
409	0	}
410
411		/* Trial divisions with the first 2048 primes. */
412	0	for (i = 0; i < NUMPRIMES; i++) {
413	0	if ((mod = BN_mod_word(n, primes[i])) == (BN_ULONG)-1)
414	0	goto err;
415	0	if (mod == 0) {
416	0	*is_prime = BN_is_word(n, primes[i]);
417	0	goto done;
418	0	}
419	0	}
420
421	0	if ((ctx = in_ctx) == NULL)
422	0	ctx = BN_CTX_new();
423	0	if (ctx == NULL)
424	0	goto err;
425
426	0	if (!bn_miller_rabin_base_2(is_prime, n, ctx))
427	0	goto err;
428	0	if (!*is_prime)
429	0	goto done;
430
431		/* XXX - Miller-Rabin for random bases? See FIPS 186-4, Table C.1. */
432
433	0	if (!bn_strong_lucas_selfridge(is_prime, n, ctx))
434	0	goto err;
435
436	0	done:
437	0	ret = 1;
438
439	0	err:
440	0	if (ctx != in_ctx)
441	0	BN_CTX_free(ctx);
442
443	0	return ret;
444	0	}