/src/openssl/crypto/bn/bn_prime.c

Source (jump to first uncovered line)
/*
 * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <stdio.h>
#include <time.h>
#include "internal/cryptlib.h"
#include "bn_lcl.h"

/*
 * The quick sieve algorithm approach to weeding out primes is Philip
 * Zimmermann's, as implemented in PGP.  I have had a read of his comments
 * and implemented my own version.
 */
#include "bn_prime.h"

static int witness(BIGNUM *w, const BIGNUM *a, const BIGNUM *a1,
                   const BIGNUM *a1_odd, int k, BN_CTX *ctx,
                   BN_MONT_CTX *mont);
static int probable_prime(BIGNUM *rnd, int bits, prime_t *mods);
static int probable_prime_dh_safe(BIGNUM *rnd, int bits,
                                  const BIGNUM *add, const BIGNUM *rem,
                                  BN_CTX *ctx);

int BN_GENCB_call(BN_GENCB *cb, int a, int b)
{
    /* No callback means continue */
    if (!cb)
        return 1;
    switch (cb->ver) {
    case 1:
        /* Deprecated-style callbacks */
        if (!cb->cb.cb_1)
            return 1;
        cb->cb.cb_1(a, b, cb->arg);
        return 1;
    case 2:
        /* New-style callbacks */
        return cb->cb.cb_2(a, b, cb);
    default:
        break;
    }
    /* Unrecognised callback type */
    return 0;
}

int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe,
                         const BIGNUM *add, const BIGNUM *rem, BN_GENCB *cb)
{
    BIGNUM *t;
    int found = 0;
    int i, j, c1 = 0;
    BN_CTX *ctx = NULL;
    prime_t *mods = NULL;
    int checks = BN_prime_checks_for_size(bits);

    if (bits < 2) {
        /* There are no prime numbers this small. */
        BNerr(BN_F_BN_GENERATE_PRIME_EX, BN_R_BITS_TOO_SMALL);
        return 0;
    } else if (bits == 2 && safe) {
        /* The smallest safe prime (7) is three bits. */
        BNerr(BN_F_BN_GENERATE_PRIME_EX, BN_R_BITS_TOO_SMALL);
        return 0;
    }

    mods = OPENSSL_zalloc(sizeof(*mods) * NUMPRIMES);
    if (mods == NULL)
        goto err;

    ctx = BN_CTX_new();
    if (ctx == NULL)
        goto err;
    BN_CTX_start(ctx);
    t = BN_CTX_get(ctx);
    if (t == NULL)
        goto err;
 loop:
    /* make a random number and set the top and bottom bits */
    if (add == NULL) {
        if (!probable_prime(ret, bits, mods))
            goto err;
    } else {
        if (safe) {
            if (!probable_prime_dh_safe(ret, bits, add, rem, ctx))
                goto err;
        } else {
            if (!bn_probable_prime_dh(ret, bits, add, rem, ctx))
                goto err;
        }
    }

    if (!BN_GENCB_call(cb, 0, c1++))
        /* aborted */
        goto err;

    if (!safe) {
        i = BN_is_prime_fasttest_ex(ret, checks, ctx, 0, cb);
        if (i == -1)
            goto err;
        if (i == 0)
            goto loop;
    } else {
        /*
         * for "safe prime" generation, check that (p-1)/2 is prime. Since a
         * prime is odd, We just need to divide by 2
         */
        if (!BN_rshift1(t, ret))
            goto err;

        for (i = 0; i < checks; i++) {
            j = BN_is_prime_fasttest_ex(ret, 1, ctx, 0, cb);
            if (j == -1)
                goto err;
            if (j == 0)
                goto loop;

            j = BN_is_prime_fasttest_ex(t, 1, ctx, 0, cb);
            if (j == -1)
                goto err;
            if (j == 0)
                goto loop;

            if (!BN_GENCB_call(cb, 2, c1 - 1))
                goto err;
            /* We have a safe prime test pass */
        }
    }
    /* we have a prime :-) */
    found = 1;
 err:
    OPENSSL_free(mods);
    if (ctx != NULL)
        BN_CTX_end(ctx);
    BN_CTX_free(ctx);
    bn_check_top(ret);
    return found;
}

int BN_is_prime_ex(const BIGNUM *a, int checks, BN_CTX *ctx_passed,
                   BN_GENCB *cb)
{
    return BN_is_prime_fasttest_ex(a, checks, ctx_passed, 0, cb);
}

int BN_is_prime_fasttest_ex(const BIGNUM *a, int checks, BN_CTX *ctx_passed,
                            int do_trial_division, BN_GENCB *cb)
{
    int i, j, ret = -1;
    int k;
    BN_CTX *ctx = NULL;
    BIGNUM *A1, *A1_odd, *A3, *check; /* taken from ctx */
    BN_MONT_CTX *mont = NULL;

    /* Take care of the really small primes 2 & 3 */
    if (BN_is_word(a, 2) || BN_is_word(a, 3))
        return 1;

    /* Check odd and bigger than 1 */
    if (!BN_is_odd(a) || BN_cmp(a, BN_value_one()) <= 0)
        return 0;

    if (checks == BN_prime_checks)
        checks = BN_prime_checks_for_size(BN_num_bits(a));

    /* first look for small factors */
    if (do_trial_division) {
        for (i = 1; i < NUMPRIMES; i++) {
            BN_ULONG mod = BN_mod_word(a, primes[i]);
            if (mod == (BN_ULONG)-1)
                goto err;
            if (mod == 0)
                return BN_is_word(a, primes[i]);
        }
        if (!BN_GENCB_call(cb, 1, -1))
            goto err;
    }

    if (ctx_passed != NULL)
        ctx = ctx_passed;
    else if ((ctx = BN_CTX_new()) == NULL)
        goto err;
    BN_CTX_start(ctx);

    A1 = BN_CTX_get(ctx);
    A3 = BN_CTX_get(ctx);
    A1_odd = BN_CTX_get(ctx);
    check = BN_CTX_get(ctx);
    if (check == NULL)
        goto err;

    /* compute A1 := a - 1 */
    if (!BN_copy(A1, a) || !BN_sub_word(A1, 1))
        goto err;
    /* compute A3 := a - 3 */
    if (!BN_copy(A3, a) || !BN_sub_word(A3, 3))
        goto err;

    /* write  A1  as  A1_odd * 2^k */
    k = 1;
    while (!BN_is_bit_set(A1, k))
        k++;
    if (!BN_rshift(A1_odd, A1, k))
        goto err;

    /* Montgomery setup for computations mod a */
    mont = BN_MONT_CTX_new();
    if (mont == NULL)
        goto err;
    if (!BN_MONT_CTX_set(mont, a, ctx))
        goto err;

    for (i = 0; i < checks; i++) {
        /* 1 < check < a-1 */
        if (!BN_priv_rand_range(check, A3) || !BN_add_word(check, 2))
            goto err;

        j = witness(check, a, A1, A1_odd, k, ctx, mont);
        if (j == -1)
            goto err;
        if (j) {
            ret = 0;
            goto err;
        }
        if (!BN_GENCB_call(cb, 1, i))
            goto err;
    }
    ret = 1;
 err:
    if (ctx != NULL) {
        BN_CTX_end(ctx);
        if (ctx_passed == NULL)
            BN_CTX_free(ctx);
    }
    BN_MONT_CTX_free(mont);

    return ret;
}

static int witness(BIGNUM *w, const BIGNUM *a, const BIGNUM *a1,
                   const BIGNUM *a1_odd, int k, BN_CTX *ctx,
                   BN_MONT_CTX *mont)
{
    if (!BN_mod_exp_mont(w, w, a1_odd, a, ctx, mont)) /* w := w^a1_odd mod a */
        return -1;
    if (BN_is_one(w))
        return 0;               /* probably prime */
    if (BN_cmp(w, a1) == 0)
        return 0;               /* w == -1 (mod a), 'a' is probably prime */
    while (--k) {
        if (!BN_mod_mul(w, w, w, a, ctx)) /* w := w^2 mod a */
            return -1;
        if (BN_is_one(w))
            return 1;           /* 'a' is composite, otherwise a previous 'w'
                                 * would have been == -1 (mod 'a') */
        if (BN_cmp(w, a1) == 0)
            return 0;           /* w == -1 (mod a), 'a' is probably prime */
    }
    /*
     * If we get here, 'w' is the (a-1)/2-th power of the original 'w', and
     * it is neither -1 nor +1 -- so 'a' cannot be prime
     */
    bn_check_top(w);
    return 1;
}

static int probable_prime(BIGNUM *rnd, int bits, prime_t *mods)
{
    int i;
    BN_ULONG delta;
    BN_ULONG maxdelta = BN_MASK2 - primes[NUMPRIMES - 1];
    char is_single_word = bits <= BN_BITS2;

 again:
    /* TODO: Not all primes are private */
    if (!BN_priv_rand(rnd, bits, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ODD))
        return 0;
    /* we now have a random number 'rnd' to test. */
    for (i = 1; i < NUMPRIMES; i++) {
        BN_ULONG mod = BN_mod_word(rnd, (BN_ULONG)primes[i]);
        if (mod == (BN_ULONG)-1)
            return 0;
        mods[i] = (prime_t) mod;
    }
    /*
     * If bits is so small that it fits into a single word then we
     * additionally don't want to exceed that many bits.
     */
    if (is_single_word) {
        BN_ULONG size_limit;

        if (bits == BN_BITS2) {
            /*
             * Shifting by this much has undefined behaviour so we do it a
             * different way
             */
            size_limit = ~((BN_ULONG)0) - BN_get_word(rnd);
        } else {
            size_limit = (((BN_ULONG)1) << bits) - BN_get_word(rnd) - 1;
        }
        if (size_limit < maxdelta)
            maxdelta = size_limit;
    }
    delta = 0;
 loop:
    if (is_single_word) {
        BN_ULONG rnd_word = BN_get_word(rnd);

        /*-
         * In the case that the candidate prime is a single word then
         * we check that:
         *   1) It's greater than primes[i] because we shouldn't reject
         *      3 as being a prime number because it's a multiple of
         *      three.
         *   2) That it's not a multiple of a known prime. We don't
         *      check that rnd-1 is also coprime to all the known
         *      primes because there aren't many small primes where
         *      that's true.
         */
        for (i = 1; i < NUMPRIMES && primes[i] < rnd_word; i++) {
            if ((mods[i] + delta) % primes[i] == 0) {
                delta += 2;
                if (delta > maxdelta)
                    goto again;
                goto loop;
            }
        }
    } else {
        for (i = 1; i < NUMPRIMES; i++) {
            /*
             * check that rnd is not a prime and also that gcd(rnd-1,primes)
             * == 1 (except for 2)
             */
            if (((mods[i] + delta) % primes[i]) <= 1) {
                delta += 2;
                if (delta > maxdelta)
                    goto again;
                goto loop;
            }
        }
    }
    if (!BN_add_word(rnd, delta))
        return 0;
    if (BN_num_bits(rnd) != bits)
        goto again;
    bn_check_top(rnd);
    return 1;
}

int bn_probable_prime_dh(BIGNUM *rnd, int bits,
                         const BIGNUM *add, const BIGNUM *rem, BN_CTX *ctx)
{
    int i, ret = 0;
    BIGNUM *t1;

    BN_CTX_start(ctx);
    if ((t1 = BN_CTX_get(ctx)) == NULL)
        goto err;

    if (!BN_rand(rnd, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD))
        goto err;

    /* we need ((rnd-rem) % add) == 0 */

    if (!BN_mod(t1, rnd, add, ctx))
        goto err;
    if (!BN_sub(rnd, rnd, t1))
        goto err;
    if (rem == NULL) {
        if (!BN_add_word(rnd, 1))
            goto err;
    } else {
        if (!BN_add(rnd, rnd, rem))
            goto err;
    }

    /* we now have a random number 'rand' to test. */

 loop:
    for (i = 1; i < NUMPRIMES; i++) {
        /* check that rnd is a prime */
        BN_ULONG mod = BN_mod_word(rnd, (BN_ULONG)primes[i]);
        if (mod == (BN_ULONG)-1)
            goto err;
        if (mod <= 1) {
            if (!BN_add(rnd, rnd, add))
                goto err;
            goto loop;
        }
    }
    ret = 1;

 err:
    BN_CTX_end(ctx);
    bn_check_top(rnd);
    return ret;
}

static int probable_prime_dh_safe(BIGNUM *p, int bits, const BIGNUM *padd,
                                  const BIGNUM *rem, BN_CTX *ctx)
{
    int i, ret = 0;
    BIGNUM *t1, *qadd, *q;

    bits--;
    BN_CTX_start(ctx);
    t1 = BN_CTX_get(ctx);
    q = BN_CTX_get(ctx);
    qadd = BN_CTX_get(ctx);
    if (qadd == NULL)
        goto err;

    if (!BN_rshift1(qadd, padd))
        goto err;

    if (!BN_rand(q, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD))
        goto err;

    /* we need ((rnd-rem) % add) == 0 */
    if (!BN_mod(t1, q, qadd, ctx))
        goto err;
    if (!BN_sub(q, q, t1))
        goto err;
    if (rem == NULL) {
        if (!BN_add_word(q, 1))
            goto err;
    } else {
        if (!BN_rshift1(t1, rem))
            goto err;
        if (!BN_add(q, q, t1))
            goto err;
    }

    /* we now have a random number 'rand' to test. */
    if (!BN_lshift1(p, q))
        goto err;
    if (!BN_add_word(p, 1))
        goto err;

 loop:
    for (i = 1; i < NUMPRIMES; i++) {
        /* check that p and q are prime */
        /*
         * check that for p and q gcd(p-1,primes) == 1 (except for 2)
         */
        BN_ULONG pmod = BN_mod_word(p, (BN_ULONG)primes[i]);
        BN_ULONG qmod = BN_mod_word(q, (BN_ULONG)primes[i]);
        if (pmod == (BN_ULONG)-1 || qmod == (BN_ULONG)-1)
            goto err;
        if (pmod == 0 || qmod == 0) {
            if (!BN_add(p, p, padd))
                goto err;
            if (!BN_add(q, q, qadd))
                goto err;
            goto loop;
        }
    }
    ret = 1;

 err:
    BN_CTX_end(ctx);
    bn_check_top(p);
    return ret;
}

Coverage Report

Created: 2018-08-29 13:53

Line	Count	Source (jump to first uncovered line)
1		/*
2		* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the OpenSSL license (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9
10		#include <stdio.h>
11		#include <time.h>
12		#include "internal/cryptlib.h"
13		#include "bn_lcl.h"
14
15		/*
16		* The quick sieve algorithm approach to weeding out primes is Philip
17		* Zimmermann's, as implemented in PGP. I have had a read of his comments
18		* and implemented my own version.
19		*/
20		#include "bn_prime.h"
21
22		static int witness(BIGNUM w, const BIGNUM a, const BIGNUM *a1,
23		const BIGNUM a1_odd, int k, BN_CTX ctx,
24		BN_MONT_CTX *mont);
25		static int probable_prime(BIGNUM rnd, int bits, prime_t mods);
26		static int probable_prime_dh_safe(BIGNUM *rnd, int bits,
27		const BIGNUM add, const BIGNUM rem,
28		BN_CTX *ctx);
29
30		int BN_GENCB_call(BN_GENCB *cb, int a, int b)
31	0	{
32	0	/* No callback means continue */
33	0	if (!cb)
34	0	return 1;
35	0	switch (cb->ver) {
36	0	case 1:
37	0	/* Deprecated-style callbacks */
38	0	if (!cb->cb.cb_1)
39	0	return 1;
40	0	cb->cb.cb_1(a, b, cb->arg);
41	0	return 1;
42	0	case 2:
43	0	/* New-style callbacks */
44	0	return cb->cb.cb_2(a, b, cb);
45	0	default:
46	0	break;
47	0	}
48	0	/* Unrecognised callback type */
49	0	return 0;
50	0	}
51
52		int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe,
53		const BIGNUM add, const BIGNUM rem, BN_GENCB *cb)
54	0	{
55	0	BIGNUM *t;
56	0	int found = 0;
57	0	int i, j, c1 = 0;
58	0	BN_CTX *ctx = NULL;
59	0	prime_t *mods = NULL;
60	0	int checks = BN_prime_checks_for_size(bits);
61	0
62	0	if (bits < 2) {
63	0	/* There are no prime numbers this small. */
64	0	BNerr(BN_F_BN_GENERATE_PRIME_EX, BN_R_BITS_TOO_SMALL);
65	0	return 0;
66	0	} else if (bits == 2 && safe) {
67	0	/* The smallest safe prime (7) is three bits. */
68	0	BNerr(BN_F_BN_GENERATE_PRIME_EX, BN_R_BITS_TOO_SMALL);
69	0	return 0;
70	0	}
71	0
72	0	mods = OPENSSL_zalloc(sizeof(mods) NUMPRIMES);
73	0	if (mods == NULL)
74	0	goto err;
75	0
76	0	ctx = BN_CTX_new();
77	0	if (ctx == NULL)
78	0	goto err;
79	0	BN_CTX_start(ctx);
80	0	t = BN_CTX_get(ctx);
81	0	if (t == NULL)
82	0	goto err;
83	0	loop:
84	0	/* make a random number and set the top and bottom bits */
85	0	if (add == NULL) {
86	0	if (!probable_prime(ret, bits, mods))
87	0	goto err;
88	0	} else {
89	0	if (safe) {
90	0	if (!probable_prime_dh_safe(ret, bits, add, rem, ctx))
91	0	goto err;
92	0	} else {
93	0	if (!bn_probable_prime_dh(ret, bits, add, rem, ctx))
94	0	goto err;
95	0	}
96	0	}
97	0
98	0	if (!BN_GENCB_call(cb, 0, c1++))
99	0	/* aborted */
100	0	goto err;
101	0
102	0	if (!safe) {
103	0	i = BN_is_prime_fasttest_ex(ret, checks, ctx, 0, cb);
104	0	if (i == -1)
105	0	goto err;
106	0	if (i == 0)
107	0	goto loop;
108	0	} else {
109	0	/*
110	0	* for "safe prime" generation, check that (p-1)/2 is prime. Since a
111	0	* prime is odd, We just need to divide by 2
112	0	*/
113	0	if (!BN_rshift1(t, ret))
114	0	goto err;
115	0
116	0	for (i = 0; i < checks; i++) {
117	0	j = BN_is_prime_fasttest_ex(ret, 1, ctx, 0, cb);
118	0	if (j == -1)
119	0	goto err;
120	0	if (j == 0)
121	0	goto loop;
122	0
123	0	j = BN_is_prime_fasttest_ex(t, 1, ctx, 0, cb);
124	0	if (j == -1)
125	0	goto err;
126	0	if (j == 0)
127	0	goto loop;
128	0
129	0	if (!BN_GENCB_call(cb, 2, c1 - 1))
130	0	goto err;
131	0	/* We have a safe prime test pass */
132	0	}
133	0	}
134	0	/* we have a prime :-) */
135	0	found = 1;
136	0	err:
137	0	OPENSSL_free(mods);
138	0	if (ctx != NULL)
139	0	BN_CTX_end(ctx);
140	0	BN_CTX_free(ctx);
141	0	bn_check_top(ret);
142	0	return found;
143	0	}
144
145		int BN_is_prime_ex(const BIGNUM a, int checks, BN_CTX ctx_passed,
146		BN_GENCB *cb)
147	0	{
148	0	return BN_is_prime_fasttest_ex(a, checks, ctx_passed, 0, cb);
149	0	}
150
151		int BN_is_prime_fasttest_ex(const BIGNUM a, int checks, BN_CTX ctx_passed,
152		int do_trial_division, BN_GENCB *cb)
153	0	{
154	0	int i, j, ret = -1;
155	0	int k;
156	0	BN_CTX *ctx = NULL;
157	0	BIGNUM A1, A1_odd, A3, check; /* taken from ctx */
158	0	BN_MONT_CTX *mont = NULL;
159	0
160	0	/* Take care of the really small primes 2 & 3 */
161	0	if (BN_is_word(a, 2) \|\| BN_is_word(a, 3))
162	0	return 1;
163	0
164	0	/* Check odd and bigger than 1 */
165	0	if (!BN_is_odd(a) \|\| BN_cmp(a, BN_value_one()) <= 0)
166	0	return 0;
167	0
168	0	if (checks == BN_prime_checks)
169	0	checks = BN_prime_checks_for_size(BN_num_bits(a));
170	0
171	0	/* first look for small factors */
172	0	if (do_trial_division) {
173	0	for (i = 1; i < NUMPRIMES; i++) {
174	0	BN_ULONG mod = BN_mod_word(a, primes[i]);
175	0	if (mod == (BN_ULONG)-1)
176	0	goto err;
177	0	if (mod == 0)
178	0	return BN_is_word(a, primes[i]);
179	0	}
180	0	if (!BN_GENCB_call(cb, 1, -1))
181	0	goto err;
182	0	}
183	0
184	0	if (ctx_passed != NULL)
185	0	ctx = ctx_passed;
186	0	else if ((ctx = BN_CTX_new()) == NULL)
187	0	goto err;
188	0	BN_CTX_start(ctx);
189	0
190	0	A1 = BN_CTX_get(ctx);
191	0	A3 = BN_CTX_get(ctx);
192	0	A1_odd = BN_CTX_get(ctx);
193	0	check = BN_CTX_get(ctx);
194	0	if (check == NULL)
195	0	goto err;
196	0
197	0	/* compute A1 := a - 1 */
198	0	if (!BN_copy(A1, a) \|\| !BN_sub_word(A1, 1))
199	0	goto err;
200	0	/* compute A3 := a - 3 */
201	0	if (!BN_copy(A3, a) \|\| !BN_sub_word(A3, 3))
202	0	goto err;
203	0
204	0	/* write A1 as A1_odd * 2^k */
205	0	k = 1;
206	0	while (!BN_is_bit_set(A1, k))
207	0	k++;
208	0	if (!BN_rshift(A1_odd, A1, k))
209	0	goto err;
210	0
211	0	/* Montgomery setup for computations mod a */
212	0	mont = BN_MONT_CTX_new();
213	0	if (mont == NULL)
214	0	goto err;
215	0	if (!BN_MONT_CTX_set(mont, a, ctx))
216	0	goto err;
217	0
218	0	for (i = 0; i < checks; i++) {
219	0	/* 1 < check < a-1 */
220	0	if (!BN_priv_rand_range(check, A3) \|\| !BN_add_word(check, 2))
221	0	goto err;
222	0
223	0	j = witness(check, a, A1, A1_odd, k, ctx, mont);
224	0	if (j == -1)
225	0	goto err;
226	0	if (j) {
227	0	ret = 0;
228	0	goto err;
229	0	}
230	0	if (!BN_GENCB_call(cb, 1, i))
231	0	goto err;
232	0	}
233	0	ret = 1;
234	0	err:
235	0	if (ctx != NULL) {
236	0	BN_CTX_end(ctx);
237	0	if (ctx_passed == NULL)
238	0	BN_CTX_free(ctx);
239	0	}
240	0	BN_MONT_CTX_free(mont);
241	0
242	0	return ret;
243	0	}
244
245		static int witness(BIGNUM w, const BIGNUM a, const BIGNUM *a1,
246		const BIGNUM a1_odd, int k, BN_CTX ctx,
247		BN_MONT_CTX *mont)
248	0	{
249	0	if (!BN_mod_exp_mont(w, w, a1_odd, a, ctx, mont)) /* w := w^a1_odd mod a */
250	0	return -1;
251	0	if (BN_is_one(w))
252	0	return 0; /* probably prime */
253	0	if (BN_cmp(w, a1) == 0)
254	0	return 0; /* w == -1 (mod a), 'a' is probably prime */
255	0	while (--k) {
256	0	if (!BN_mod_mul(w, w, w, a, ctx)) /* w := w^2 mod a */
257	0	return -1;
258	0	if (BN_is_one(w))
259	0	return 1; /* 'a' is composite, otherwise a previous 'w'
260	0	* would have been == -1 (mod 'a') */
261	0	if (BN_cmp(w, a1) == 0)
262	0	return 0; /* w == -1 (mod a), 'a' is probably prime */
263	0	}
264	0	/*
265	0	* If we get here, 'w' is the (a-1)/2-th power of the original 'w', and
266	0	* it is neither -1 nor +1 -- so 'a' cannot be prime
267	0	*/
268	0	bn_check_top(w);
269	0	return 1;
270	0	}
271
272		static int probable_prime(BIGNUM rnd, int bits, prime_t mods)
273	0	{
274	0	int i;
275	0	BN_ULONG delta;
276	0	BN_ULONG maxdelta = BN_MASK2 - primes[NUMPRIMES - 1];
277	0	char is_single_word = bits <= BN_BITS2;
278	0
279	0	again:
280	0	/* TODO: Not all primes are private */
281	0	if (!BN_priv_rand(rnd, bits, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ODD))
282	0	return 0;
283	0	/* we now have a random number 'rnd' to test. */
284	0	for (i = 1; i < NUMPRIMES; i++) {
285	0	BN_ULONG mod = BN_mod_word(rnd, (BN_ULONG)primes[i]);
286	0	if (mod == (BN_ULONG)-1)
287	0	return 0;
288	0	mods[i] = (prime_t) mod;
289	0	}
290	0	/*
291	0	* If bits is so small that it fits into a single word then we
292	0	* additionally don't want to exceed that many bits.
293	0	*/
294	0	if (is_single_word) {
295	0	BN_ULONG size_limit;
296	0
297	0	if (bits == BN_BITS2) {
298	0	/*
299	0	* Shifting by this much has undefined behaviour so we do it a
300	0	* different way
301	0	*/
302	0	size_limit = ~((BN_ULONG)0) - BN_get_word(rnd);
303	0	} else {
304	0	size_limit = (((BN_ULONG)1) << bits) - BN_get_word(rnd) - 1;
305	0	}
306	0	if (size_limit < maxdelta)
307	0	maxdelta = size_limit;
308	0	}
309	0	delta = 0;
310	0	loop:
311	0	if (is_single_word) {
312	0	BN_ULONG rnd_word = BN_get_word(rnd);
313	0
314	0	/*-
315	0	* In the case that the candidate prime is a single word then
316	0	* we check that:
317	0	* 1) It's greater than primes[i] because we shouldn't reject
318	0	* 3 as being a prime number because it's a multiple of
319	0	* three.
320	0	* 2) That it's not a multiple of a known prime. We don't
321	0	* check that rnd-1 is also coprime to all the known
322	0	* primes because there aren't many small primes where
323	0	* that's true.
324	0	*/
325	0	for (i = 1; i < NUMPRIMES && primes[i] < rnd_word; i++) {
326	0	if ((mods[i] + delta) % primes[i] == 0) {
327	0	delta += 2;
328	0	if (delta > maxdelta)
329	0	goto again;
330	0	goto loop;
331	0	}
332	0	}
333	0	} else {
334	0	for (i = 1; i < NUMPRIMES; i++) {
335	0	/*
336	0	* check that rnd is not a prime and also that gcd(rnd-1,primes)
337	0	* == 1 (except for 2)
338	0	*/
339	0	if (((mods[i] + delta) % primes[i]) <= 1) {
340	0	delta += 2;
341	0	if (delta > maxdelta)
342	0	goto again;
343	0	goto loop;
344	0	}
345	0	}
346	0	}
347	0	if (!BN_add_word(rnd, delta))
348	0	return 0;
349	0	if (BN_num_bits(rnd) != bits)
350	0	goto again;
351	0	bn_check_top(rnd);
352	0	return 1;
353	0	}
354
355		int bn_probable_prime_dh(BIGNUM *rnd, int bits,
356		const BIGNUM add, const BIGNUM rem, BN_CTX *ctx)
357	0	{
358	0	int i, ret = 0;
359	0	BIGNUM *t1;
360	0
361	0	BN_CTX_start(ctx);
362	0	if ((t1 = BN_CTX_get(ctx)) == NULL)
363	0	goto err;
364	0
365	0	if (!BN_rand(rnd, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD))
366	0	goto err;
367	0
368	0	/* we need ((rnd-rem) % add) == 0 */
369	0
370	0	if (!BN_mod(t1, rnd, add, ctx))
371	0	goto err;
372	0	if (!BN_sub(rnd, rnd, t1))
373	0	goto err;
374	0	if (rem == NULL) {
375	0	if (!BN_add_word(rnd, 1))
376	0	goto err;
377	0	} else {
378	0	if (!BN_add(rnd, rnd, rem))
379	0	goto err;
380	0	}
381	0
382	0	/* we now have a random number 'rand' to test. */
383	0
384	0	loop:
385	0	for (i = 1; i < NUMPRIMES; i++) {
386	0	/* check that rnd is a prime */
387	0	BN_ULONG mod = BN_mod_word(rnd, (BN_ULONG)primes[i]);
388	0	if (mod == (BN_ULONG)-1)
389	0	goto err;
390	0	if (mod <= 1) {
391	0	if (!BN_add(rnd, rnd, add))
392	0	goto err;
393	0	goto loop;
394	0	}
395	0	}
396	0	ret = 1;
397	0
398	0	err:
399	0	BN_CTX_end(ctx);
400	0	bn_check_top(rnd);
401	0	return ret;
402	0	}
403
404		static int probable_prime_dh_safe(BIGNUM p, int bits, const BIGNUM padd,
405		const BIGNUM rem, BN_CTX ctx)
406	0	{
407	0	int i, ret = 0;
408	0	BIGNUM t1, qadd, *q;
409	0
410	0	bits--;
411	0	BN_CTX_start(ctx);
412	0	t1 = BN_CTX_get(ctx);
413	0	q = BN_CTX_get(ctx);
414	0	qadd = BN_CTX_get(ctx);
415	0	if (qadd == NULL)
416	0	goto err;
417	0
418	0	if (!BN_rshift1(qadd, padd))
419	0	goto err;
420	0
421	0	if (!BN_rand(q, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD))
422	0	goto err;
423	0
424	0	/* we need ((rnd-rem) % add) == 0 */
425	0	if (!BN_mod(t1, q, qadd, ctx))
426	0	goto err;
427	0	if (!BN_sub(q, q, t1))
428	0	goto err;
429	0	if (rem == NULL) {
430	0	if (!BN_add_word(q, 1))
431	0	goto err;
432	0	} else {
433	0	if (!BN_rshift1(t1, rem))
434	0	goto err;
435	0	if (!BN_add(q, q, t1))
436	0	goto err;
437	0	}
438	0
439	0	/* we now have a random number 'rand' to test. */
440	0	if (!BN_lshift1(p, q))
441	0	goto err;
442	0	if (!BN_add_word(p, 1))
443	0	goto err;
444	0
445	0	loop:
446	0	for (i = 1; i < NUMPRIMES; i++) {
447	0	/* check that p and q are prime */
448	0	/*
449	0	* check that for p and q gcd(p-1,primes) == 1 (except for 2)
450	0	*/
451	0	BN_ULONG pmod = BN_mod_word(p, (BN_ULONG)primes[i]);
452	0	BN_ULONG qmod = BN_mod_word(q, (BN_ULONG)primes[i]);
453	0	if (pmod == (BN_ULONG)-1 \|\| qmod == (BN_ULONG)-1)
454	0	goto err;
455	0	if (pmod == 0 \|\| qmod == 0) {
456	0	if (!BN_add(p, p, padd))
457	0	goto err;
458	0	if (!BN_add(q, q, qadd))
459	0	goto err;
460	0	goto loop;
461	0	}
462	0	}
463	0	ret = 1;
464	0
465	0	err:
466	0	BN_CTX_end(ctx);
467	0	bn_check_top(p);
468	0	return ret;
469	0	}