/src/openssl111/crypto/bn/bn_prime.c

Source (jump to first uncovered line)
/*
 * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <stdio.h>
#include <time.h>
#include "internal/cryptlib.h"
#include "bn_local.h"

/*
 * The quick sieve algorithm approach to weeding out primes is Philip
 * Zimmermann's, as implemented in PGP.  I have had a read of his comments
 * and implemented my own version.
 */
#include "bn_prime.h"

static int witness(BIGNUM *w, const BIGNUM *a, const BIGNUM *a1,
                   const BIGNUM *a1_odd, int k, BN_CTX *ctx,
                   BN_MONT_CTX *mont);
static int probable_prime(BIGNUM *rnd, int bits, int safe, prime_t *mods);
static int probable_prime_dh(BIGNUM *rnd, int bits, int safe, prime_t *mods,
                             const BIGNUM *add, const BIGNUM *rem,
                             BN_CTX *ctx);

#define square(x) ((BN_ULONG)(x) * (BN_ULONG)(x))

int BN_GENCB_call(BN_GENCB *cb, int a, int b)
{
    /* No callback means continue */
    if (!cb)
        return 1;
    switch (cb->ver) {
    case 1:
        /* Deprecated-style callbacks */
        if (!cb->cb.cb_1)
            return 1;
        cb->cb.cb_1(a, b, cb->arg);
        return 1;
    case 2:
        /* New-style callbacks */
        return cb->cb.cb_2(a, b, cb);
    default:
        break;
    }
    /* Unrecognised callback type */
    return 0;
}

int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe,
                         const BIGNUM *add, const BIGNUM *rem, BN_GENCB *cb)
{
    BIGNUM *t;
    int found = 0;
    int i, j, c1 = 0;
    BN_CTX *ctx = NULL;
    prime_t *mods = NULL;
    int checks = BN_prime_checks_for_size(bits);

    if (bits < 2) {
        /* There are no prime numbers this small. */
        BNerr(BN_F_BN_GENERATE_PRIME_EX, BN_R_BITS_TOO_SMALL);
        return 0;
    } else if (add == NULL && safe && bits < 6 && bits != 3) {
        /*
         * The smallest safe prime (7) is three bits.
         * But the following two safe primes with less than 6 bits (11, 23)
         * are unreachable for BN_rand with BN_RAND_TOP_TWO.
         */
        BNerr(BN_F_BN_GENERATE_PRIME_EX, BN_R_BITS_TOO_SMALL);
        return 0;
    }

    mods = OPENSSL_zalloc(sizeof(*mods) * NUMPRIMES);
    if (mods == NULL)
        goto err;

    ctx = BN_CTX_new();
    if (ctx == NULL)
        goto err;
    BN_CTX_start(ctx);
    t = BN_CTX_get(ctx);
    if (t == NULL)
        goto err;
 loop:
    /* make a random number and set the top and bottom bits */
    if (add == NULL) {
        if (!probable_prime(ret, bits, safe, mods))
            goto err;
    } else {
        if (!probable_prime_dh(ret, bits, safe, mods, add, rem, ctx))
            goto err;
    }

    if (!BN_GENCB_call(cb, 0, c1++))
        /* aborted */
        goto err;

    if (!safe) {
        i = BN_is_prime_fasttest_ex(ret, checks, ctx, 0, cb);
        if (i == -1)
            goto err;
        if (i == 0)
            goto loop;
    } else {
        /*
         * for "safe prime" generation, check that (p-1)/2 is prime. Since a
         * prime is odd, We just need to divide by 2
         */
        if (!BN_rshift1(t, ret))
            goto err;

        for (i = 0; i < checks; i++) {
            j = BN_is_prime_fasttest_ex(ret, 1, ctx, 0, cb);
            if (j == -1)
                goto err;
            if (j == 0)
                goto loop;

            j = BN_is_prime_fasttest_ex(t, 1, ctx, 0, cb);
            if (j == -1)
                goto err;
            if (j == 0)
                goto loop;

            if (!BN_GENCB_call(cb, 2, c1 - 1))
                goto err;
            /* We have a safe prime test pass */
        }
    }
    /* we have a prime :-) */
    found = 1;
 err:
    OPENSSL_free(mods);
    BN_CTX_end(ctx);
    BN_CTX_free(ctx);
    bn_check_top(ret);
    return found;
}

int BN_is_prime_ex(const BIGNUM *a, int checks, BN_CTX *ctx_passed,
                   BN_GENCB *cb)
{
    return BN_is_prime_fasttest_ex(a, checks, ctx_passed, 0, cb);
}

int BN_is_prime_fasttest_ex(const BIGNUM *a, int checks, BN_CTX *ctx_passed,
                            int do_trial_division, BN_GENCB *cb)
{
    int i, j, ret = -1;
    int k;
    BN_CTX *ctx = NULL;
    BIGNUM *A1, *A1_odd, *A3, *check; /* taken from ctx */
    BN_MONT_CTX *mont = NULL;

    /* Take care of the really small primes 2 & 3 */
    if (BN_is_word(a, 2) || BN_is_word(a, 3))
        return 1;

    /* Check odd and bigger than 1 */
    if (!BN_is_odd(a) || BN_cmp(a, BN_value_one()) <= 0)
        return 0;

    if (checks == BN_prime_checks)
        checks = BN_prime_checks_for_size(BN_num_bits(a));

    /* first look for small factors */
    if (do_trial_division) {
        for (i = 1; i < NUMPRIMES; i++) {
            BN_ULONG mod = BN_mod_word(a, primes[i]);
            if (mod == (BN_ULONG)-1)
                goto err;
            if (mod == 0)
                return BN_is_word(a, primes[i]);
        }
        if (!BN_GENCB_call(cb, 1, -1))
            goto err;
    }

    if (ctx_passed != NULL)
        ctx = ctx_passed;
    else if ((ctx = BN_CTX_new()) == NULL)
        goto err;
    BN_CTX_start(ctx);

    A1 = BN_CTX_get(ctx);
    A3 = BN_CTX_get(ctx);
    A1_odd = BN_CTX_get(ctx);
    check = BN_CTX_get(ctx);
    if (check == NULL)
        goto err;

    /* compute A1 := a - 1 */
    if (!BN_copy(A1, a) || !BN_sub_word(A1, 1))
        goto err;
    /* compute A3 := a - 3 */
    if (!BN_copy(A3, a) || !BN_sub_word(A3, 3))
        goto err;

    /* write  A1  as  A1_odd * 2^k */
    k = 1;
    while (!BN_is_bit_set(A1, k))
        k++;
    if (!BN_rshift(A1_odd, A1, k))
        goto err;

    /* Montgomery setup for computations mod a */
    mont = BN_MONT_CTX_new();
    if (mont == NULL)
        goto err;
    if (!BN_MONT_CTX_set(mont, a, ctx))
        goto err;

    for (i = 0; i < checks; i++) {
        /* 1 < check < a-1 */
        if (!BN_priv_rand_range(check, A3) || !BN_add_word(check, 2))
            goto err;

        j = witness(check, a, A1, A1_odd, k, ctx, mont);
        if (j == -1)
            goto err;
        if (j) {
            ret = 0;
            goto err;
        }
        if (!BN_GENCB_call(cb, 1, i))
            goto err;
    }
    ret = 1;
 err:
    if (ctx != NULL) {
        BN_CTX_end(ctx);
        if (ctx_passed == NULL)
            BN_CTX_free(ctx);
    }
    BN_MONT_CTX_free(mont);

    return ret;
}

static int witness(BIGNUM *w, const BIGNUM *a, const BIGNUM *a1,
                   const BIGNUM *a1_odd, int k, BN_CTX *ctx,
                   BN_MONT_CTX *mont)
{
    if (!BN_mod_exp_mont(w, w, a1_odd, a, ctx, mont)) /* w := w^a1_odd mod a */
        return -1;
    if (BN_is_one(w))
        return 0;               /* probably prime */
    if (BN_cmp(w, a1) == 0)
        return 0;               /* w == -1 (mod a), 'a' is probably prime */
    while (--k) {
        if (!BN_mod_mul(w, w, w, a, ctx)) /* w := w^2 mod a */
            return -1;
        if (BN_is_one(w))
            return 1;           /* 'a' is composite, otherwise a previous 'w'
                                 * would have been == -1 (mod 'a') */
        if (BN_cmp(w, a1) == 0)
            return 0;           /* w == -1 (mod a), 'a' is probably prime */
    }
    /*
     * If we get here, 'w' is the (a-1)/2-th power of the original 'w', and
     * it is neither -1 nor +1 -- so 'a' cannot be prime
     */
    bn_check_top(w);
    return 1;
}

static int probable_prime(BIGNUM *rnd, int bits, int safe, prime_t *mods)
{
    int i;
    BN_ULONG delta;
    BN_ULONG maxdelta = BN_MASK2 - primes[NUMPRIMES - 1];

 again:
    /* TODO: Not all primes are private */
    if (!BN_priv_rand(rnd, bits, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ODD))
        return 0;
    if (safe && !BN_set_bit(rnd, 1))
        return 0;
    /* we now have a random number 'rnd' to test. */
    for (i = 1; i < NUMPRIMES; i++) {
        BN_ULONG mod = BN_mod_word(rnd, (BN_ULONG)primes[i]);
        if (mod == (BN_ULONG)-1)
            return 0;
        mods[i] = (prime_t) mod;
    }
    delta = 0;
 loop:
    for (i = 1; i < NUMPRIMES; i++) {
        /*
         * check that rnd is a prime and also that
         * gcd(rnd-1,primes) == 1 (except for 2)
         * do the second check only if we are interested in safe primes
         * in the case that the candidate prime is a single word then
         * we check only the primes up to sqrt(rnd)
         */
        if (bits <= 31 && delta <= 0x7fffffff
                && square(primes[i]) > BN_get_word(rnd) + delta)
            break;
        if (safe ? (mods[i] + delta) % primes[i] <= 1
                 : (mods[i] + delta) % primes[i] == 0) {
            delta += safe ? 4 : 2;
            if (delta > maxdelta)
                goto again;
            goto loop;
        }
    }
    if (!BN_add_word(rnd, delta))
        return 0;
    if (BN_num_bits(rnd) != bits)
        goto again;
    bn_check_top(rnd);
    return 1;
}

static int probable_prime_dh(BIGNUM *rnd, int bits, int safe, prime_t *mods,
                             const BIGNUM *add, const BIGNUM *rem,
                             BN_CTX *ctx)
{
    int i, ret = 0;
    BIGNUM *t1;
    BN_ULONG delta;
    BN_ULONG maxdelta = BN_MASK2 - primes[NUMPRIMES - 1];

    BN_CTX_start(ctx);
    if ((t1 = BN_CTX_get(ctx)) == NULL)
        goto err;

    if (maxdelta > BN_MASK2 - BN_get_word(add))
        maxdelta = BN_MASK2 - BN_get_word(add);

 again:
    if (!BN_rand(rnd, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD))
        goto err;

    /* we need ((rnd-rem) % add) == 0 */

    if (!BN_mod(t1, rnd, add, ctx))
        goto err;
    if (!BN_sub(rnd, rnd, t1))
        goto err;
    if (rem == NULL) {
        if (!BN_add_word(rnd, safe ? 3u : 1u))
            goto err;
    } else {
        if (!BN_add(rnd, rnd, rem))
            goto err;
    }

    if (BN_num_bits(rnd) < bits
            || BN_get_word(rnd) < (safe ? 5u : 3u)) {
        if (!BN_add(rnd, rnd, add))
            goto err;
    }

    /* we now have a random number 'rnd' to test. */
    for (i = 1; i < NUMPRIMES; i++) {
        BN_ULONG mod = BN_mod_word(rnd, (BN_ULONG)primes[i]);
        if (mod == (BN_ULONG)-1)
            goto err;
        mods[i] = (prime_t) mod;
    }
    delta = 0;
 loop:
    for (i = 1; i < NUMPRIMES; i++) {
        /* check that rnd is a prime */
        if (bits <= 31 && delta <= 0x7fffffff
                && square(primes[i]) > BN_get_word(rnd) + delta)
            break;
        /* rnd mod p == 1 implies q = (rnd-1)/2 is divisible by p */
        if (safe ? (mods[i] + delta) % primes[i] <= 1
                 : (mods[i] + delta) % primes[i] == 0) {
            delta += BN_get_word(add);
            if (delta > maxdelta)
                goto again;
            goto loop;
        }
    }
    if (!BN_add_word(rnd, delta))
        goto err;
    ret = 1;

 err:
    BN_CTX_end(ctx);
    bn_check_top(rnd);
    return ret;
}

Coverage Report

Created: 2023-06-08 06:41

Line	Count	Source (jump to first uncovered line)
1		/*
2		* Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the OpenSSL license (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9
10		#include <stdio.h>
11		#include <time.h>
12		#include "internal/cryptlib.h"
13		#include "bn_local.h"
14
15		/*
16		* The quick sieve algorithm approach to weeding out primes is Philip
17		* Zimmermann's, as implemented in PGP. I have had a read of his comments
18		* and implemented my own version.
19		*/
20		#include "bn_prime.h"
21
22		static int witness(BIGNUM w, const BIGNUM a, const BIGNUM *a1,
23		const BIGNUM a1_odd, int k, BN_CTX ctx,
24		BN_MONT_CTX *mont);
25		static int probable_prime(BIGNUM rnd, int bits, int safe, prime_t mods);
26		static int probable_prime_dh(BIGNUM rnd, int bits, int safe, prime_t mods,
27		const BIGNUM add, const BIGNUM rem,
28		BN_CTX *ctx);
29
30	0	#define square(x) ((BN_ULONG)(x) * (BN_ULONG)(x))
31
32		int BN_GENCB_call(BN_GENCB *cb, int a, int b)
33	0	{
34		/* No callback means continue */
35	0	if (!cb)
36	0	return 1;
37	0	switch (cb->ver) {
38	0	case 1:
39		/* Deprecated-style callbacks */
40	0	if (!cb->cb.cb_1)
41	0	return 1;
42	0	cb->cb.cb_1(a, b, cb->arg);
43	0	return 1;
44	0	case 2:
45		/* New-style callbacks */
46	0	return cb->cb.cb_2(a, b, cb);
47	0	default:
48	0	break;
49	0	}
50		/* Unrecognised callback type */
51	0	return 0;
52	0	}
53
54		int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe,
55		const BIGNUM add, const BIGNUM rem, BN_GENCB *cb)
56	0	{
57	0	BIGNUM *t;
58	0	int found = 0;
59	0	int i, j, c1 = 0;
60	0	BN_CTX *ctx = NULL;
61	0	prime_t *mods = NULL;
62	0	int checks = BN_prime_checks_for_size(bits);
63
64	0	if (bits < 2) {
65		/* There are no prime numbers this small. */
66	0	BNerr(BN_F_BN_GENERATE_PRIME_EX, BN_R_BITS_TOO_SMALL);
67	0	return 0;
68	0	} else if (add == NULL && safe && bits < 6 && bits != 3) {
69		/*
70		* The smallest safe prime (7) is three bits.
71		* But the following two safe primes with less than 6 bits (11, 23)
72		* are unreachable for BN_rand with BN_RAND_TOP_TWO.
73		*/
74	0	BNerr(BN_F_BN_GENERATE_PRIME_EX, BN_R_BITS_TOO_SMALL);
75	0	return 0;
76	0	}
77
78	0	mods = OPENSSL_zalloc(sizeof(mods) NUMPRIMES);
79	0	if (mods == NULL)
80	0	goto err;
81
82	0	ctx = BN_CTX_new();
83	0	if (ctx == NULL)
84	0	goto err;
85	0	BN_CTX_start(ctx);
86	0	t = BN_CTX_get(ctx);
87	0	if (t == NULL)
88	0	goto err;
89	0	loop:
90		/* make a random number and set the top and bottom bits */
91	0	if (add == NULL) {
92	0	if (!probable_prime(ret, bits, safe, mods))
93	0	goto err;
94	0	} else {
95	0	if (!probable_prime_dh(ret, bits, safe, mods, add, rem, ctx))
96	0	goto err;
97	0	}
98
99	0	if (!BN_GENCB_call(cb, 0, c1++))
100		/* aborted */
101	0	goto err;
102
103	0	if (!safe) {
104	0	i = BN_is_prime_fasttest_ex(ret, checks, ctx, 0, cb);
105	0	if (i == -1)
106	0	goto err;
107	0	if (i == 0)
108	0	goto loop;
109	0	} else {
110		/*
111		* for "safe prime" generation, check that (p-1)/2 is prime. Since a
112		* prime is odd, We just need to divide by 2
113		*/
114	0	if (!BN_rshift1(t, ret))
115	0	goto err;
116
117	0	for (i = 0; i < checks; i++) {
118	0	j = BN_is_prime_fasttest_ex(ret, 1, ctx, 0, cb);
119	0	if (j == -1)
120	0	goto err;
121	0	if (j == 0)
122	0	goto loop;
123
124	0	j = BN_is_prime_fasttest_ex(t, 1, ctx, 0, cb);
125	0	if (j == -1)
126	0	goto err;
127	0	if (j == 0)
128	0	goto loop;
129
130	0	if (!BN_GENCB_call(cb, 2, c1 - 1))
131	0	goto err;
132		/* We have a safe prime test pass */
133	0	}
134	0	}
135		/* we have a prime :-) */
136	0	found = 1;
137	0	err:
138	0	OPENSSL_free(mods);
139	0	BN_CTX_end(ctx);
140	0	BN_CTX_free(ctx);
141	0	bn_check_top(ret);
142	0	return found;
143	0	}
144
145		int BN_is_prime_ex(const BIGNUM a, int checks, BN_CTX ctx_passed,
146		BN_GENCB *cb)
147	0	{
148	0	return BN_is_prime_fasttest_ex(a, checks, ctx_passed, 0, cb);
149	0	}
150
151		int BN_is_prime_fasttest_ex(const BIGNUM a, int checks, BN_CTX ctx_passed,
152		int do_trial_division, BN_GENCB *cb)
153	0	{
154	0	int i, j, ret = -1;
155	0	int k;
156	0	BN_CTX *ctx = NULL;
157	0	BIGNUM A1, A1_odd, A3, check; /* taken from ctx */
158	0	BN_MONT_CTX *mont = NULL;
159
160		/* Take care of the really small primes 2 & 3 */
161	0	if (BN_is_word(a, 2) \|\| BN_is_word(a, 3))
162	0	return 1;
163
164		/* Check odd and bigger than 1 */
165	0	if (!BN_is_odd(a) \|\| BN_cmp(a, BN_value_one()) <= 0)
166	0	return 0;
167
168	0	if (checks == BN_prime_checks)
169	0	checks = BN_prime_checks_for_size(BN_num_bits(a));
170
171		/* first look for small factors */
172	0	if (do_trial_division) {
173	0	for (i = 1; i < NUMPRIMES; i++) {
174	0	BN_ULONG mod = BN_mod_word(a, primes[i]);
175	0	if (mod == (BN_ULONG)-1)
176	0	goto err;
177	0	if (mod == 0)
178	0	return BN_is_word(a, primes[i]);
179	0	}
180	0	if (!BN_GENCB_call(cb, 1, -1))
181	0	goto err;
182	0	}
183
184	0	if (ctx_passed != NULL)
185	0	ctx = ctx_passed;
186	0	else if ((ctx = BN_CTX_new()) == NULL)
187	0	goto err;
188	0	BN_CTX_start(ctx);
189
190	0	A1 = BN_CTX_get(ctx);
191	0	A3 = BN_CTX_get(ctx);
192	0	A1_odd = BN_CTX_get(ctx);
193	0	check = BN_CTX_get(ctx);
194	0	if (check == NULL)
195	0	goto err;
196
197		/* compute A1 := a - 1 */
198	0	if (!BN_copy(A1, a) \|\| !BN_sub_word(A1, 1))
199	0	goto err;
200		/* compute A3 := a - 3 */
201	0	if (!BN_copy(A3, a) \|\| !BN_sub_word(A3, 3))
202	0	goto err;
203
204		/* write A1 as A1_odd * 2^k */
205	0	k = 1;
206	0	while (!BN_is_bit_set(A1, k))
207	0	k++;
208	0	if (!BN_rshift(A1_odd, A1, k))
209	0	goto err;
210
211		/* Montgomery setup for computations mod a */
212	0	mont = BN_MONT_CTX_new();
213	0	if (mont == NULL)
214	0	goto err;
215	0	if (!BN_MONT_CTX_set(mont, a, ctx))
216	0	goto err;
217
218	0	for (i = 0; i < checks; i++) {
219		/* 1 < check < a-1 */
220	0	if (!BN_priv_rand_range(check, A3) \|\| !BN_add_word(check, 2))
221	0	goto err;
222
223	0	j = witness(check, a, A1, A1_odd, k, ctx, mont);
224	0	if (j == -1)
225	0	goto err;
226	0	if (j) {
227	0	ret = 0;
228	0	goto err;
229	0	}
230	0	if (!BN_GENCB_call(cb, 1, i))
231	0	goto err;
232	0	}
233	0	ret = 1;
234	0	err:
235	0	if (ctx != NULL) {
236	0	BN_CTX_end(ctx);
237	0	if (ctx_passed == NULL)
238	0	BN_CTX_free(ctx);
239	0	}
240	0	BN_MONT_CTX_free(mont);
241
242	0	return ret;
243	0	}
244
245		static int witness(BIGNUM w, const BIGNUM a, const BIGNUM *a1,
246		const BIGNUM a1_odd, int k, BN_CTX ctx,
247		BN_MONT_CTX *mont)
248	0	{
249	0	if (!BN_mod_exp_mont(w, w, a1_odd, a, ctx, mont)) /* w := w^a1_odd mod a */
250	0	return -1;
251	0	if (BN_is_one(w))
252	0	return 0; /* probably prime */
253	0	if (BN_cmp(w, a1) == 0)
254	0	return 0; /* w == -1 (mod a), 'a' is probably prime */
255	0	while (--k) {
256	0	if (!BN_mod_mul(w, w, w, a, ctx)) /* w := w^2 mod a */
257	0	return -1;
258	0	if (BN_is_one(w))
259	0	return 1; /* 'a' is composite, otherwise a previous 'w'
260		* would have been == -1 (mod 'a') */
261	0	if (BN_cmp(w, a1) == 0)
262	0	return 0; /* w == -1 (mod a), 'a' is probably prime */
263	0	}
264		/*
265		* If we get here, 'w' is the (a-1)/2-th power of the original 'w', and
266		* it is neither -1 nor +1 -- so 'a' cannot be prime
267		*/
268	0	bn_check_top(w);
269	0	return 1;
270	0	}
271
272		static int probable_prime(BIGNUM rnd, int bits, int safe, prime_t mods)
273	0	{
274	0	int i;
275	0	BN_ULONG delta;
276	0	BN_ULONG maxdelta = BN_MASK2 - primes[NUMPRIMES - 1];
277
278	0	again:
279		/* TODO: Not all primes are private */
280	0	if (!BN_priv_rand(rnd, bits, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ODD))
281	0	return 0;
282	0	if (safe && !BN_set_bit(rnd, 1))
283	0	return 0;
284		/* we now have a random number 'rnd' to test. */
285	0	for (i = 1; i < NUMPRIMES; i++) {
286	0	BN_ULONG mod = BN_mod_word(rnd, (BN_ULONG)primes[i]);
287	0	if (mod == (BN_ULONG)-1)
288	0	return 0;
289	0	mods[i] = (prime_t) mod;
290	0	}
291	0	delta = 0;
292	0	loop:
293	0	for (i = 1; i < NUMPRIMES; i++) {
294		/*
295		* check that rnd is a prime and also that
296		* gcd(rnd-1,primes) == 1 (except for 2)
297		* do the second check only if we are interested in safe primes
298		* in the case that the candidate prime is a single word then
299		* we check only the primes up to sqrt(rnd)
300		*/
301	0	if (bits <= 31 && delta <= 0x7fffffff
302	0	&& square(primes[i]) > BN_get_word(rnd) + delta)
303	0	break;
304	0	if (safe ? (mods[i] + delta) % primes[i] <= 1
305	0	: (mods[i] + delta) % primes[i] == 0) {
306	0	delta += safe ? 4 : 2;
307	0	if (delta > maxdelta)
308	0	goto again;
309	0	goto loop;
310	0	}
311	0	}
312	0	if (!BN_add_word(rnd, delta))
313	0	return 0;
314	0	if (BN_num_bits(rnd) != bits)
315	0	goto again;
316	0	bn_check_top(rnd);
317	0	return 1;
318	0	}
319
320		static int probable_prime_dh(BIGNUM rnd, int bits, int safe, prime_t mods,
321		const BIGNUM add, const BIGNUM rem,
322		BN_CTX *ctx)
323	0	{
324	0	int i, ret = 0;
325	0	BIGNUM *t1;
326	0	BN_ULONG delta;
327	0	BN_ULONG maxdelta = BN_MASK2 - primes[NUMPRIMES - 1];
328
329	0	BN_CTX_start(ctx);
330	0	if ((t1 = BN_CTX_get(ctx)) == NULL)
331	0	goto err;
332
333	0	if (maxdelta > BN_MASK2 - BN_get_word(add))
334	0	maxdelta = BN_MASK2 - BN_get_word(add);
335
336	0	again:
337	0	if (!BN_rand(rnd, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD))
338	0	goto err;
339
340		/* we need ((rnd-rem) % add) == 0 */
341
342	0	if (!BN_mod(t1, rnd, add, ctx))
343	0	goto err;
344	0	if (!BN_sub(rnd, rnd, t1))
345	0	goto err;
346	0	if (rem == NULL) {
347	0	if (!BN_add_word(rnd, safe ? 3u : 1u))
348	0	goto err;
349	0	} else {
350	0	if (!BN_add(rnd, rnd, rem))
351	0	goto err;
352	0	}
353
354	0	if (BN_num_bits(rnd) < bits
355	0	\|\| BN_get_word(rnd) < (safe ? 5u : 3u)) {
356	0	if (!BN_add(rnd, rnd, add))
357	0	goto err;
358	0	}
359
360		/* we now have a random number 'rnd' to test. */
361	0	for (i = 1; i < NUMPRIMES; i++) {
362	0	BN_ULONG mod = BN_mod_word(rnd, (BN_ULONG)primes[i]);
363	0	if (mod == (BN_ULONG)-1)
364	0	goto err;
365	0	mods[i] = (prime_t) mod;
366	0	}
367	0	delta = 0;
368	0	loop:
369	0	for (i = 1; i < NUMPRIMES; i++) {
370		/* check that rnd is a prime */
371	0	if (bits <= 31 && delta <= 0x7fffffff
372	0	&& square(primes[i]) > BN_get_word(rnd) + delta)
373	0	break;
374		/* rnd mod p == 1 implies q = (rnd-1)/2 is divisible by p */
375	0	if (safe ? (mods[i] + delta) % primes[i] <= 1
376	0	: (mods[i] + delta) % primes[i] == 0) {
377	0	delta += BN_get_word(add);
378	0	if (delta > maxdelta)
379	0	goto again;
380	0	goto loop;
381	0	}
382	0	}
383	0	if (!BN_add_word(rnd, delta))
384	0	goto err;
385	0	ret = 1;
386
387	0	err:
388	0	BN_CTX_end(ctx);
389	0	bn_check_top(rnd);
390	0	return ret;
391	0	}