/src/openssl30/crypto/bn/bn_prime.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. |
3 | | * |
4 | | * Licensed under the Apache License 2.0 (the "License"). You may not use |
5 | | * this file except in compliance with the License. You can obtain a copy |
6 | | * in the file LICENSE in the source distribution or at |
7 | | * https://www.openssl.org/source/license.html |
8 | | */ |
9 | | |
10 | | #include <stdio.h> |
11 | | #include <time.h> |
12 | | #include "internal/cryptlib.h" |
13 | | #include "bn_local.h" |
14 | | |
15 | | /* |
16 | | * The quick sieve algorithm approach to weeding out primes is Philip |
17 | | * Zimmermann's, as implemented in PGP. I have had a read of his comments |
18 | | * and implemented my own version. |
19 | | */ |
20 | | #include "bn_prime.h" |
21 | | |
22 | | static int probable_prime(BIGNUM *rnd, int bits, int safe, prime_t *mods, |
23 | | BN_CTX *ctx); |
24 | | static int probable_prime_dh(BIGNUM *rnd, int bits, int safe, prime_t *mods, |
25 | | const BIGNUM *add, const BIGNUM *rem, |
26 | | BN_CTX *ctx); |
27 | | static int bn_is_prime_int(const BIGNUM *w, int checks, BN_CTX *ctx, |
28 | | int do_trial_division, BN_GENCB *cb); |
29 | | |
30 | 0 | #define square(x) ((BN_ULONG)(x) * (BN_ULONG)(x)) |
31 | | |
32 | | #if BN_BITS2 == 64 |
33 | | # define BN_DEF(lo, hi) (BN_ULONG)hi<<32|lo |
34 | | #else |
35 | | # define BN_DEF(lo, hi) lo, hi |
36 | | #endif |
37 | | |
38 | | /* |
39 | | * See SP800 89 5.3.3 (Step f) |
40 | | * The product of the set of primes ranging from 3 to 751 |
41 | | * Generated using process in test/bn_internal_test.c test_bn_small_factors(). |
42 | | * This includes 751 (which is not currently included in SP 800-89). |
43 | | */ |
44 | | static const BN_ULONG small_prime_factors[] = { |
45 | | BN_DEF(0x3ef4e3e1, 0xc4309333), BN_DEF(0xcd2d655f, 0x71161eb6), |
46 | | BN_DEF(0x0bf94862, 0x95e2238c), BN_DEF(0x24f7912b, 0x3eb233d3), |
47 | | BN_DEF(0xbf26c483, 0x6b55514b), BN_DEF(0x5a144871, 0x0a84d817), |
48 | | BN_DEF(0x9b82210a, 0x77d12fee), BN_DEF(0x97f050b3, 0xdb5b93c2), |
49 | | BN_DEF(0x4d6c026b, 0x4acad6b9), BN_DEF(0x54aec893, 0xeb7751f3), |
50 | | BN_DEF(0x36bc85c4, 0xdba53368), BN_DEF(0x7f5ec78e, 0xd85a1b28), |
51 | | BN_DEF(0x6b322244, 0x2eb072d8), BN_DEF(0x5e2b3aea, 0xbba51112), |
52 | | BN_DEF(0x0e2486bf, 0x36ed1a6c), BN_DEF(0xec0c5727, 0x5f270460), |
53 | | (BN_ULONG)0x000017b1 |
54 | | }; |
55 | | |
56 | | #define BN_SMALL_PRIME_FACTORS_TOP OSSL_NELEM(small_prime_factors) |
57 | | static const BIGNUM _bignum_small_prime_factors = { |
58 | | (BN_ULONG *)small_prime_factors, |
59 | | BN_SMALL_PRIME_FACTORS_TOP, |
60 | | BN_SMALL_PRIME_FACTORS_TOP, |
61 | | 0, |
62 | | BN_FLG_STATIC_DATA |
63 | | }; |
64 | | |
65 | | const BIGNUM *ossl_bn_get0_small_factors(void) |
66 | 600 | { |
67 | 600 | return &_bignum_small_prime_factors; |
68 | 600 | } |
69 | | |
70 | | /* |
71 | | * Calculate the number of trial divisions that gives the best speed in |
72 | | * combination with Miller-Rabin prime test, based on the sized of the prime. |
73 | | */ |
74 | | static int calc_trial_divisions(int bits) |
75 | 3.58k | { |
76 | 3.58k | if (bits <= 512) |
77 | 3.08k | return 64; |
78 | 505 | else if (bits <= 1024) |
79 | 292 | return 128; |
80 | 213 | else if (bits <= 2048) |
81 | 160 | return 384; |
82 | 53 | else if (bits <= 4096) |
83 | 31 | return 1024; |
84 | 22 | return NUMPRIMES; |
85 | 3.58k | } |
86 | | |
87 | | /* |
88 | | * Use a minimum of 64 rounds of Miller-Rabin, which should give a false |
89 | | * positive rate of 2^-128. If the size of the prime is larger than 2048 |
90 | | * the user probably wants a higher security level than 128, so switch |
91 | | * to 128 rounds giving a false positive rate of 2^-256. |
92 | | * Returns the number of rounds. |
93 | | */ |
94 | | static int bn_mr_min_checks(int bits) |
95 | 8.38k | { |
96 | 8.38k | if (bits > 2048) |
97 | 73 | return 128; |
98 | 8.31k | return 64; |
99 | 8.38k | } |
100 | | |
101 | | int BN_GENCB_call(BN_GENCB *cb, int a, int b) |
102 | 61.9k | { |
103 | | /* No callback means continue */ |
104 | 61.9k | if (!cb) |
105 | 61.9k | return 1; |
106 | 0 | switch (cb->ver) { |
107 | 0 | case 1: |
108 | | /* Deprecated-style callbacks */ |
109 | 0 | if (!cb->cb.cb_1) |
110 | 0 | return 1; |
111 | 0 | cb->cb.cb_1(a, b, cb->arg); |
112 | 0 | return 1; |
113 | 0 | case 2: |
114 | | /* New-style callbacks */ |
115 | 0 | return cb->cb.cb_2(a, b, cb); |
116 | 0 | default: |
117 | 0 | break; |
118 | 0 | } |
119 | | /* Unrecognised callback type */ |
120 | 0 | return 0; |
121 | 0 | } |
122 | | |
123 | | int BN_generate_prime_ex2(BIGNUM *ret, int bits, int safe, |
124 | | const BIGNUM *add, const BIGNUM *rem, BN_GENCB *cb, |
125 | | BN_CTX *ctx) |
126 | 0 | { |
127 | 0 | BIGNUM *t; |
128 | 0 | int found = 0; |
129 | 0 | int i, j, c1 = 0; |
130 | 0 | prime_t *mods = NULL; |
131 | 0 | int checks = bn_mr_min_checks(bits); |
132 | |
|
133 | 0 | if (bits < 2) { |
134 | | /* There are no prime numbers this small. */ |
135 | 0 | ERR_raise(ERR_LIB_BN, BN_R_BITS_TOO_SMALL); |
136 | 0 | return 0; |
137 | 0 | } else if (add == NULL && safe && bits < 6 && bits != 3) { |
138 | | /* |
139 | | * The smallest safe prime (7) is three bits. |
140 | | * But the following two safe primes with less than 6 bits (11, 23) |
141 | | * are unreachable for BN_rand with BN_RAND_TOP_TWO. |
142 | | */ |
143 | 0 | ERR_raise(ERR_LIB_BN, BN_R_BITS_TOO_SMALL); |
144 | 0 | return 0; |
145 | 0 | } |
146 | | |
147 | 0 | mods = OPENSSL_zalloc(sizeof(*mods) * NUMPRIMES); |
148 | 0 | if (mods == NULL) { |
149 | 0 | ERR_raise(ERR_LIB_BN, ERR_R_MALLOC_FAILURE); |
150 | 0 | return 0; |
151 | 0 | } |
152 | | |
153 | 0 | BN_CTX_start(ctx); |
154 | 0 | t = BN_CTX_get(ctx); |
155 | 0 | if (t == NULL) |
156 | 0 | goto err; |
157 | 0 | loop: |
158 | | /* make a random number and set the top and bottom bits */ |
159 | 0 | if (add == NULL) { |
160 | 0 | if (!probable_prime(ret, bits, safe, mods, ctx)) |
161 | 0 | goto err; |
162 | 0 | } else { |
163 | 0 | if (!probable_prime_dh(ret, bits, safe, mods, add, rem, ctx)) |
164 | 0 | goto err; |
165 | 0 | } |
166 | | |
167 | 0 | if (!BN_GENCB_call(cb, 0, c1++)) |
168 | | /* aborted */ |
169 | 0 | goto err; |
170 | | |
171 | 0 | if (!safe) { |
172 | 0 | i = bn_is_prime_int(ret, checks, ctx, 0, cb); |
173 | 0 | if (i == -1) |
174 | 0 | goto err; |
175 | 0 | if (i == 0) |
176 | 0 | goto loop; |
177 | 0 | } else { |
178 | | /* |
179 | | * for "safe prime" generation, check that (p-1)/2 is prime. Since a |
180 | | * prime is odd, We just need to divide by 2 |
181 | | */ |
182 | 0 | if (!BN_rshift1(t, ret)) |
183 | 0 | goto err; |
184 | | |
185 | 0 | for (i = 0; i < checks; i++) { |
186 | 0 | j = bn_is_prime_int(ret, 1, ctx, 0, cb); |
187 | 0 | if (j == -1) |
188 | 0 | goto err; |
189 | 0 | if (j == 0) |
190 | 0 | goto loop; |
191 | | |
192 | 0 | j = bn_is_prime_int(t, 1, ctx, 0, cb); |
193 | 0 | if (j == -1) |
194 | 0 | goto err; |
195 | 0 | if (j == 0) |
196 | 0 | goto loop; |
197 | | |
198 | 0 | if (!BN_GENCB_call(cb, 2, c1 - 1)) |
199 | 0 | goto err; |
200 | | /* We have a safe prime test pass */ |
201 | 0 | } |
202 | 0 | } |
203 | | /* we have a prime :-) */ |
204 | 0 | found = 1; |
205 | 0 | err: |
206 | 0 | OPENSSL_free(mods); |
207 | 0 | BN_CTX_end(ctx); |
208 | 0 | bn_check_top(ret); |
209 | 0 | return found; |
210 | 0 | } |
211 | | |
212 | | #ifndef FIPS_MODULE |
213 | | int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe, |
214 | | const BIGNUM *add, const BIGNUM *rem, BN_GENCB *cb) |
215 | 0 | { |
216 | 0 | BN_CTX *ctx = BN_CTX_new(); |
217 | 0 | int retval; |
218 | |
|
219 | 0 | if (ctx == NULL) |
220 | 0 | return 0; |
221 | | |
222 | 0 | retval = BN_generate_prime_ex2(ret, bits, safe, add, rem, cb, ctx); |
223 | |
|
224 | 0 | BN_CTX_free(ctx); |
225 | 0 | return retval; |
226 | 0 | } |
227 | | #endif |
228 | | |
229 | | #ifndef OPENSSL_NO_DEPRECATED_3_0 |
230 | | int BN_is_prime_ex(const BIGNUM *a, int checks, BN_CTX *ctx_passed, |
231 | | BN_GENCB *cb) |
232 | 0 | { |
233 | 0 | return ossl_bn_check_prime(a, checks, ctx_passed, 0, cb); |
234 | 0 | } |
235 | | |
236 | | int BN_is_prime_fasttest_ex(const BIGNUM *w, int checks, BN_CTX *ctx, |
237 | | int do_trial_division, BN_GENCB *cb) |
238 | 0 | { |
239 | 0 | return ossl_bn_check_prime(w, checks, ctx, do_trial_division, cb); |
240 | 0 | } |
241 | | #endif |
242 | | |
243 | | /* Wrapper around bn_is_prime_int that sets the minimum number of checks */ |
244 | | int ossl_bn_check_prime(const BIGNUM *w, int checks, BN_CTX *ctx, |
245 | | int do_trial_division, BN_GENCB *cb) |
246 | 8.38k | { |
247 | 8.38k | int min_checks = bn_mr_min_checks(BN_num_bits(w)); |
248 | | |
249 | 8.38k | if (checks < min_checks) |
250 | 8.38k | checks = min_checks; |
251 | | |
252 | 8.38k | return bn_is_prime_int(w, checks, ctx, do_trial_division, cb); |
253 | 8.38k | } |
254 | | |
255 | | int BN_check_prime(const BIGNUM *p, BN_CTX *ctx, BN_GENCB *cb) |
256 | 8.38k | { |
257 | 8.38k | return ossl_bn_check_prime(p, 0, ctx, 1, cb); |
258 | 8.38k | } |
259 | | |
260 | | /* |
261 | | * Tests that |w| is probably prime |
262 | | * See FIPS 186-4 C.3.1 Miller Rabin Probabilistic Primality Test. |
263 | | * |
264 | | * Returns 0 when composite, 1 when probable prime, -1 on error. |
265 | | */ |
266 | | static int bn_is_prime_int(const BIGNUM *w, int checks, BN_CTX *ctx, |
267 | | int do_trial_division, BN_GENCB *cb) |
268 | 8.38k | { |
269 | 8.38k | int i, status, ret = -1; |
270 | 8.38k | #ifndef FIPS_MODULE |
271 | 8.38k | BN_CTX *ctxlocal = NULL; |
272 | | #else |
273 | | |
274 | | if (ctx == NULL) |
275 | | return -1; |
276 | | #endif |
277 | | |
278 | | /* w must be bigger than 1 */ |
279 | 8.38k | if (BN_cmp(w, BN_value_one()) <= 0) |
280 | 737 | return 0; |
281 | | |
282 | | /* w must be odd */ |
283 | 7.65k | if (BN_is_odd(w)) { |
284 | | /* Take care of the really small prime 3 */ |
285 | 3.61k | if (BN_is_word(w, 3)) |
286 | 21 | return 1; |
287 | 4.04k | } else { |
288 | | /* 2 is the only even prime */ |
289 | 4.04k | return BN_is_word(w, 2); |
290 | 4.04k | } |
291 | | |
292 | | /* first look for small factors */ |
293 | 3.58k | if (do_trial_division) { |
294 | 3.58k | int trial_divisions = calc_trial_divisions(BN_num_bits(w)); |
295 | | |
296 | 243k | for (i = 1; i < trial_divisions; i++) { |
297 | 241k | BN_ULONG mod = BN_mod_word(w, primes[i]); |
298 | 241k | if (mod == (BN_ULONG)-1) |
299 | 0 | return -1; |
300 | 241k | if (mod == 0) |
301 | 1.63k | return BN_is_word(w, primes[i]); |
302 | 241k | } |
303 | 1.95k | if (!BN_GENCB_call(cb, 1, -1)) |
304 | 0 | return -1; |
305 | 1.95k | } |
306 | 1.95k | #ifndef FIPS_MODULE |
307 | 1.95k | if (ctx == NULL && (ctxlocal = ctx = BN_CTX_new()) == NULL) |
308 | 0 | goto err; |
309 | 1.95k | #endif |
310 | | |
311 | 1.95k | if (!ossl_bn_miller_rabin_is_prime(w, checks, ctx, cb, 0, &status)) { |
312 | 0 | ret = -1; |
313 | 0 | goto err; |
314 | 0 | } |
315 | 1.95k | ret = (status == BN_PRIMETEST_PROBABLY_PRIME); |
316 | 1.95k | err: |
317 | 1.95k | #ifndef FIPS_MODULE |
318 | 1.95k | BN_CTX_free(ctxlocal); |
319 | 1.95k | #endif |
320 | 1.95k | return ret; |
321 | 1.95k | } |
322 | | |
323 | | /* |
324 | | * Refer to FIPS 186-4 C.3.2 Enhanced Miller-Rabin Probabilistic Primality Test. |
325 | | * OR C.3.1 Miller-Rabin Probabilistic Primality Test (if enhanced is zero). |
326 | | * The Step numbers listed in the code refer to the enhanced case. |
327 | | * |
328 | | * if enhanced is set, then status returns one of the following: |
329 | | * BN_PRIMETEST_PROBABLY_PRIME |
330 | | * BN_PRIMETEST_COMPOSITE_WITH_FACTOR |
331 | | * BN_PRIMETEST_COMPOSITE_NOT_POWER_OF_PRIME |
332 | | * if enhanced is zero, then status returns either |
333 | | * BN_PRIMETEST_PROBABLY_PRIME or |
334 | | * BN_PRIMETEST_COMPOSITE |
335 | | * |
336 | | * returns 0 if there was an error, otherwise it returns 1. |
337 | | */ |
338 | | int ossl_bn_miller_rabin_is_prime(const BIGNUM *w, int iterations, BN_CTX *ctx, |
339 | | BN_GENCB *cb, int enhanced, int *status) |
340 | 2.35k | { |
341 | 2.35k | int i, j, a, ret = 0; |
342 | 2.35k | BIGNUM *g, *w1, *w3, *x, *m, *z, *b; |
343 | 2.35k | BN_MONT_CTX *mont = NULL; |
344 | | |
345 | | /* w must be odd */ |
346 | 2.35k | if (!BN_is_odd(w)) |
347 | 0 | return 0; |
348 | | |
349 | 2.35k | BN_CTX_start(ctx); |
350 | 2.35k | g = BN_CTX_get(ctx); |
351 | 2.35k | w1 = BN_CTX_get(ctx); |
352 | 2.35k | w3 = BN_CTX_get(ctx); |
353 | 2.35k | x = BN_CTX_get(ctx); |
354 | 2.35k | m = BN_CTX_get(ctx); |
355 | 2.35k | z = BN_CTX_get(ctx); |
356 | 2.35k | b = BN_CTX_get(ctx); |
357 | | |
358 | 2.35k | if (!(b != NULL |
359 | | /* w1 := w - 1 */ |
360 | 2.35k | && BN_copy(w1, w) |
361 | 2.35k | && BN_sub_word(w1, 1) |
362 | | /* w3 := w - 3 */ |
363 | 2.35k | && BN_copy(w3, w) |
364 | 2.35k | && BN_sub_word(w3, 3))) |
365 | 0 | goto err; |
366 | | |
367 | | /* check w is larger than 3, otherwise the random b will be too small */ |
368 | 2.35k | if (BN_is_zero(w3) || BN_is_negative(w3)) |
369 | 4 | goto err; |
370 | | |
371 | | /* (Step 1) Calculate largest integer 'a' such that 2^a divides w-1 */ |
372 | 2.35k | a = 1; |
373 | 25.0k | while (!BN_is_bit_set(w1, a)) |
374 | 22.6k | a++; |
375 | | /* (Step 2) m = (w-1) / 2^a */ |
376 | 2.35k | if (!BN_rshift(m, w1, a)) |
377 | 0 | goto err; |
378 | | |
379 | | /* Montgomery setup for computations mod a */ |
380 | 2.35k | mont = BN_MONT_CTX_new(); |
381 | 2.35k | if (mont == NULL || !BN_MONT_CTX_set(mont, w, ctx)) |
382 | 0 | goto err; |
383 | | |
384 | 2.35k | if (iterations == 0) |
385 | 0 | iterations = bn_mr_min_checks(BN_num_bits(w)); |
386 | | |
387 | | /* (Step 4) */ |
388 | 62.3k | for (i = 0; i < iterations; ++i) { |
389 | | /* (Step 4.1) obtain a Random string of bits b where 1 < b < w-1 */ |
390 | 61.2k | if (!BN_priv_rand_range_ex(b, w3, 0, ctx) |
391 | 61.2k | || !BN_add_word(b, 2)) /* 1 < b < w-1 */ |
392 | 0 | goto err; |
393 | | |
394 | 61.2k | if (enhanced) { |
395 | | /* (Step 4.3) */ |
396 | 788 | if (!BN_gcd(g, b, w, ctx)) |
397 | 0 | goto err; |
398 | | /* (Step 4.4) */ |
399 | 788 | if (!BN_is_one(g)) { |
400 | 6 | *status = BN_PRIMETEST_COMPOSITE_WITH_FACTOR; |
401 | 6 | ret = 1; |
402 | 6 | goto err; |
403 | 6 | } |
404 | 788 | } |
405 | | /* (Step 4.5) z = b^m mod w */ |
406 | 61.2k | if (!BN_mod_exp_mont(z, b, m, w, ctx, mont)) |
407 | 0 | goto err; |
408 | | /* (Step 4.6) if (z = 1 or z = w-1) */ |
409 | 61.2k | if (BN_is_one(z) || BN_cmp(z, w1) == 0) |
410 | 34.2k | goto outer_loop; |
411 | | /* (Step 4.7) for j = 1 to a-1 */ |
412 | 271k | for (j = 1; j < a ; ++j) { |
413 | | /* (Step 4.7.1 - 4.7.2) x = z. z = x^2 mod w */ |
414 | 269k | if (!BN_copy(x, z) || !BN_mod_mul(z, x, x, w, ctx)) |
415 | 0 | goto err; |
416 | | /* (Step 4.7.3) */ |
417 | 269k | if (BN_cmp(z, w1) == 0) |
418 | 25.7k | goto outer_loop; |
419 | | /* (Step 4.7.4) */ |
420 | 244k | if (BN_is_one(z)) |
421 | 7 | goto composite; |
422 | 244k | } |
423 | | /* At this point z = b^((w-1)/2) mod w */ |
424 | | /* (Steps 4.8 - 4.9) x = z, z = x^2 mod w */ |
425 | 1.31k | if (!BN_copy(x, z) || !BN_mod_mul(z, x, x, w, ctx)) |
426 | 0 | goto err; |
427 | | /* (Step 4.10) */ |
428 | 1.31k | if (BN_is_one(z)) |
429 | 6 | goto composite; |
430 | | /* (Step 4.11) x = b^(w-1) mod w */ |
431 | 1.30k | if (!BN_copy(x, z)) |
432 | 0 | goto err; |
433 | 1.32k | composite: |
434 | 1.32k | if (enhanced) { |
435 | | /* (Step 4.1.2) g = GCD(x-1, w) */ |
436 | 287 | if (!BN_sub_word(x, 1) || !BN_gcd(g, x, w, ctx)) |
437 | 0 | goto err; |
438 | | /* (Steps 4.1.3 - 4.1.4) */ |
439 | 287 | if (BN_is_one(g)) |
440 | 280 | *status = BN_PRIMETEST_COMPOSITE_NOT_POWER_OF_PRIME; |
441 | 7 | else |
442 | 7 | *status = BN_PRIMETEST_COMPOSITE_WITH_FACTOR; |
443 | 1.03k | } else { |
444 | 1.03k | *status = BN_PRIMETEST_COMPOSITE; |
445 | 1.03k | } |
446 | 1.32k | ret = 1; |
447 | 1.32k | goto err; |
448 | 59.9k | outer_loop: ; |
449 | | /* (Step 4.1.5) */ |
450 | 59.9k | if (!BN_GENCB_call(cb, 1, i)) |
451 | 0 | goto err; |
452 | 59.9k | } |
453 | | /* (Step 5) */ |
454 | 1.02k | *status = BN_PRIMETEST_PROBABLY_PRIME; |
455 | 1.02k | ret = 1; |
456 | 2.35k | err: |
457 | 2.35k | BN_clear(g); |
458 | 2.35k | BN_clear(w1); |
459 | 2.35k | BN_clear(w3); |
460 | 2.35k | BN_clear(x); |
461 | 2.35k | BN_clear(m); |
462 | 2.35k | BN_clear(z); |
463 | 2.35k | BN_clear(b); |
464 | 2.35k | BN_CTX_end(ctx); |
465 | 2.35k | BN_MONT_CTX_free(mont); |
466 | 2.35k | return ret; |
467 | 1.02k | } |
468 | | |
469 | | /* |
470 | | * Generate a random number of |bits| bits that is probably prime by sieving. |
471 | | * If |safe| != 0, it generates a safe prime. |
472 | | * |mods| is a preallocated array that gets reused when called again. |
473 | | * |
474 | | * The probably prime is saved in |rnd|. |
475 | | * |
476 | | * Returns 1 on success and 0 on error. |
477 | | */ |
478 | | static int probable_prime(BIGNUM *rnd, int bits, int safe, prime_t *mods, |
479 | | BN_CTX *ctx) |
480 | 0 | { |
481 | 0 | int i; |
482 | 0 | BN_ULONG delta; |
483 | 0 | int trial_divisions = calc_trial_divisions(bits); |
484 | 0 | BN_ULONG maxdelta = BN_MASK2 - primes[trial_divisions - 1]; |
485 | |
|
486 | 0 | again: |
487 | 0 | if (!BN_priv_rand_ex(rnd, bits, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ODD, 0, |
488 | 0 | ctx)) |
489 | 0 | return 0; |
490 | 0 | if (safe && !BN_set_bit(rnd, 1)) |
491 | 0 | return 0; |
492 | | /* we now have a random number 'rnd' to test. */ |
493 | 0 | for (i = 1; i < trial_divisions; i++) { |
494 | 0 | BN_ULONG mod = BN_mod_word(rnd, (BN_ULONG)primes[i]); |
495 | 0 | if (mod == (BN_ULONG)-1) |
496 | 0 | return 0; |
497 | 0 | mods[i] = (prime_t) mod; |
498 | 0 | } |
499 | 0 | delta = 0; |
500 | 0 | loop: |
501 | 0 | for (i = 1; i < trial_divisions; i++) { |
502 | | /* |
503 | | * check that rnd is a prime and also that |
504 | | * gcd(rnd-1,primes) == 1 (except for 2) |
505 | | * do the second check only if we are interested in safe primes |
506 | | * in the case that the candidate prime is a single word then |
507 | | * we check only the primes up to sqrt(rnd) |
508 | | */ |
509 | 0 | if (bits <= 31 && delta <= 0x7fffffff |
510 | 0 | && square(primes[i]) > BN_get_word(rnd) + delta) |
511 | 0 | break; |
512 | 0 | if (safe ? (mods[i] + delta) % primes[i] <= 1 |
513 | 0 | : (mods[i] + delta) % primes[i] == 0) { |
514 | 0 | delta += safe ? 4 : 2; |
515 | 0 | if (delta > maxdelta) |
516 | 0 | goto again; |
517 | 0 | goto loop; |
518 | 0 | } |
519 | 0 | } |
520 | 0 | if (!BN_add_word(rnd, delta)) |
521 | 0 | return 0; |
522 | 0 | if (BN_num_bits(rnd) != bits) |
523 | 0 | goto again; |
524 | 0 | bn_check_top(rnd); |
525 | 0 | return 1; |
526 | 0 | } |
527 | | |
528 | | /* |
529 | | * Generate a random number |rnd| of |bits| bits that is probably prime |
530 | | * and satisfies |rnd| % |add| == |rem| by sieving. |
531 | | * If |safe| != 0, it generates a safe prime. |
532 | | * |mods| is a preallocated array that gets reused when called again. |
533 | | * |
534 | | * Returns 1 on success and 0 on error. |
535 | | */ |
536 | | static int probable_prime_dh(BIGNUM *rnd, int bits, int safe, prime_t *mods, |
537 | | const BIGNUM *add, const BIGNUM *rem, |
538 | | BN_CTX *ctx) |
539 | 0 | { |
540 | 0 | int i, ret = 0; |
541 | 0 | BIGNUM *t1; |
542 | 0 | BN_ULONG delta; |
543 | 0 | int trial_divisions = calc_trial_divisions(bits); |
544 | 0 | BN_ULONG maxdelta = BN_MASK2 - primes[trial_divisions - 1]; |
545 | |
|
546 | 0 | BN_CTX_start(ctx); |
547 | 0 | if ((t1 = BN_CTX_get(ctx)) == NULL) |
548 | 0 | goto err; |
549 | | |
550 | 0 | if (maxdelta > BN_MASK2 - BN_get_word(add)) |
551 | 0 | maxdelta = BN_MASK2 - BN_get_word(add); |
552 | |
|
553 | 0 | again: |
554 | 0 | if (!BN_rand_ex(rnd, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD, 0, ctx)) |
555 | 0 | goto err; |
556 | | |
557 | | /* we need ((rnd-rem) % add) == 0 */ |
558 | | |
559 | 0 | if (!BN_mod(t1, rnd, add, ctx)) |
560 | 0 | goto err; |
561 | 0 | if (!BN_sub(rnd, rnd, t1)) |
562 | 0 | goto err; |
563 | 0 | if (rem == NULL) { |
564 | 0 | if (!BN_add_word(rnd, safe ? 3u : 1u)) |
565 | 0 | goto err; |
566 | 0 | } else { |
567 | 0 | if (!BN_add(rnd, rnd, rem)) |
568 | 0 | goto err; |
569 | 0 | } |
570 | | |
571 | 0 | if (BN_num_bits(rnd) < bits |
572 | 0 | || BN_get_word(rnd) < (safe ? 5u : 3u)) { |
573 | 0 | if (!BN_add(rnd, rnd, add)) |
574 | 0 | goto err; |
575 | 0 | } |
576 | | |
577 | | /* we now have a random number 'rnd' to test. */ |
578 | 0 | for (i = 1; i < trial_divisions; i++) { |
579 | 0 | BN_ULONG mod = BN_mod_word(rnd, (BN_ULONG)primes[i]); |
580 | 0 | if (mod == (BN_ULONG)-1) |
581 | 0 | goto err; |
582 | 0 | mods[i] = (prime_t) mod; |
583 | 0 | } |
584 | 0 | delta = 0; |
585 | 0 | loop: |
586 | 0 | for (i = 1; i < trial_divisions; i++) { |
587 | | /* check that rnd is a prime */ |
588 | 0 | if (bits <= 31 && delta <= 0x7fffffff |
589 | 0 | && square(primes[i]) > BN_get_word(rnd) + delta) |
590 | 0 | break; |
591 | | /* rnd mod p == 1 implies q = (rnd-1)/2 is divisible by p */ |
592 | 0 | if (safe ? (mods[i] + delta) % primes[i] <= 1 |
593 | 0 | : (mods[i] + delta) % primes[i] == 0) { |
594 | 0 | delta += BN_get_word(add); |
595 | 0 | if (delta > maxdelta) |
596 | 0 | goto again; |
597 | 0 | goto loop; |
598 | 0 | } |
599 | 0 | } |
600 | 0 | if (!BN_add_word(rnd, delta)) |
601 | 0 | goto err; |
602 | 0 | ret = 1; |
603 | |
|
604 | 0 | err: |
605 | 0 | BN_CTX_end(ctx); |
606 | 0 | bn_check_top(rnd); |
607 | 0 | return ret; |
608 | 0 | } |