1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57 /* ====================================================================
58 * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
65 * notice, this list of conditions and the following disclaimer.
66 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
70 * distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 * acknowledgment:
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com). */
108
109 #include <openssl/bn.h>
110
111 #include <openssl/err.h>
112 #include <openssl/mem.h>
113
114 #include "internal.h"
115 #include "../../internal.h"
116
117
118 // The quick sieve algorithm approach to weeding out primes is Philip
119 // Zimmermann's, as implemented in PGP. I have had a read of his comments and
120 // implemented my own version.
121
122 // kPrimes contains the first 2048 primes.
123 static const uint16_t kPrimes[] = {
124 2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31,
125 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79,
126 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137,
127 139, 149, 151, 157, 163, 167, 173, 179, 181, 191, 193,
128 197, 199, 211, 223, 227, 229, 233, 239, 241, 251, 257,
129 263, 269, 271, 277, 281, 283, 293, 307, 311, 313, 317,
130 331, 337, 347, 349, 353, 359, 367, 373, 379, 383, 389,
131 397, 401, 409, 419, 421, 431, 433, 439, 443, 449, 457,
132 461, 463, 467, 479, 487, 491, 499, 503, 509, 521, 523,
133 541, 547, 557, 563, 569, 571, 577, 587, 593, 599, 601,
134 607, 613, 617, 619, 631, 641, 643, 647, 653, 659, 661,
135 673, 677, 683, 691, 701, 709, 719, 727, 733, 739, 743,
136 751, 757, 761, 769, 773, 787, 797, 809, 811, 821, 823,
137 827, 829, 839, 853, 857, 859, 863, 877, 881, 883, 887,
138 907, 911, 919, 929, 937, 941, 947, 953, 967, 971, 977,
139 983, 991, 997, 1009, 1013, 1019, 1021, 1031, 1033, 1039, 1049,
140 1051, 1061, 1063, 1069, 1087, 1091, 1093, 1097, 1103, 1109, 1117,
141 1123, 1129, 1151, 1153, 1163, 1171, 1181, 1187, 1193, 1201, 1213,
142 1217, 1223, 1229, 1231, 1237, 1249, 1259, 1277, 1279, 1283, 1289,
143 1291, 1297, 1301, 1303, 1307, 1319, 1321, 1327, 1361, 1367, 1373,
144 1381, 1399, 1409, 1423, 1427, 1429, 1433, 1439, 1447, 1451, 1453,
145 1459, 1471, 1481, 1483, 1487, 1489, 1493, 1499, 1511, 1523, 1531,
146 1543, 1549, 1553, 1559, 1567, 1571, 1579, 1583, 1597, 1601, 1607,
147 1609, 1613, 1619, 1621, 1627, 1637, 1657, 1663, 1667, 1669, 1693,
148 1697, 1699, 1709, 1721, 1723, 1733, 1741, 1747, 1753, 1759, 1777,
149 1783, 1787, 1789, 1801, 1811, 1823, 1831, 1847, 1861, 1867, 1871,
150 1873, 1877, 1879, 1889, 1901, 1907, 1913, 1931, 1933, 1949, 1951,
151 1973, 1979, 1987, 1993, 1997, 1999, 2003, 2011, 2017, 2027, 2029,
152 2039, 2053, 2063, 2069, 2081, 2083, 2087, 2089, 2099, 2111, 2113,
153 2129, 2131, 2137, 2141, 2143, 2153, 2161, 2179, 2203, 2207, 2213,
154 2221, 2237, 2239, 2243, 2251, 2267, 2269, 2273, 2281, 2287, 2293,
155 2297, 2309, 2311, 2333, 2339, 2341, 2347, 2351, 2357, 2371, 2377,
156 2381, 2383, 2389, 2393, 2399, 2411, 2417, 2423, 2437, 2441, 2447,
157 2459, 2467, 2473, 2477, 2503, 2521, 2531, 2539, 2543, 2549, 2551,
158 2557, 2579, 2591, 2593, 2609, 2617, 2621, 2633, 2647, 2657, 2659,
159 2663, 2671, 2677, 2683, 2687, 2689, 2693, 2699, 2707, 2711, 2713,
160 2719, 2729, 2731, 2741, 2749, 2753, 2767, 2777, 2789, 2791, 2797,
161 2801, 2803, 2819, 2833, 2837, 2843, 2851, 2857, 2861, 2879, 2887,
162 2897, 2903, 2909, 2917, 2927, 2939, 2953, 2957, 2963, 2969, 2971,
163 2999, 3001, 3011, 3019, 3023, 3037, 3041, 3049, 3061, 3067, 3079,
164 3083, 3089, 3109, 3119, 3121, 3137, 3163, 3167, 3169, 3181, 3187,
165 3191, 3203, 3209, 3217, 3221, 3229, 3251, 3253, 3257, 3259, 3271,
166 3299, 3301, 3307, 3313, 3319, 3323, 3329, 3331, 3343, 3347, 3359,
167 3361, 3371, 3373, 3389, 3391, 3407, 3413, 3433, 3449, 3457, 3461,
168 3463, 3467, 3469, 3491, 3499, 3511, 3517, 3527, 3529, 3533, 3539,
169 3541, 3547, 3557, 3559, 3571, 3581, 3583, 3593, 3607, 3613, 3617,
170 3623, 3631, 3637, 3643, 3659, 3671, 3673, 3677, 3691, 3697, 3701,
171 3709, 3719, 3727, 3733, 3739, 3761, 3767, 3769, 3779, 3793, 3797,
172 3803, 3821, 3823, 3833, 3847, 3851, 3853, 3863, 3877, 3881, 3889,
173 3907, 3911, 3917, 3919, 3923, 3929, 3931, 3943, 3947, 3967, 3989,
174 4001, 4003, 4007, 4013, 4019, 4021, 4027, 4049, 4051, 4057, 4073,
175 4079, 4091, 4093, 4099, 4111, 4127, 4129, 4133, 4139, 4153, 4157,
176 4159, 4177, 4201, 4211, 4217, 4219, 4229, 4231, 4241, 4243, 4253,
177 4259, 4261, 4271, 4273, 4283, 4289, 4297, 4327, 4337, 4339, 4349,
178 4357, 4363, 4373, 4391, 4397, 4409, 4421, 4423, 4441, 4447, 4451,
179 4457, 4463, 4481, 4483, 4493, 4507, 4513, 4517, 4519, 4523, 4547,
180 4549, 4561, 4567, 4583, 4591, 4597, 4603, 4621, 4637, 4639, 4643,
181 4649, 4651, 4657, 4663, 4673, 4679, 4691, 4703, 4721, 4723, 4729,
182 4733, 4751, 4759, 4783, 4787, 4789, 4793, 4799, 4801, 4813, 4817,
183 4831, 4861, 4871, 4877, 4889, 4903, 4909, 4919, 4931, 4933, 4937,
184 4943, 4951, 4957, 4967, 4969, 4973, 4987, 4993, 4999, 5003, 5009,
185 5011, 5021, 5023, 5039, 5051, 5059, 5077, 5081, 5087, 5099, 5101,
186 5107, 5113, 5119, 5147, 5153, 5167, 5171, 5179, 5189, 5197, 5209,
187 5227, 5231, 5233, 5237, 5261, 5273, 5279, 5281, 5297, 5303, 5309,
188 5323, 5333, 5347, 5351, 5381, 5387, 5393, 5399, 5407, 5413, 5417,
189 5419, 5431, 5437, 5441, 5443, 5449, 5471, 5477, 5479, 5483, 5501,
190 5503, 5507, 5519, 5521, 5527, 5531, 5557, 5563, 5569, 5573, 5581,
191 5591, 5623, 5639, 5641, 5647, 5651, 5653, 5657, 5659, 5669, 5683,
192 5689, 5693, 5701, 5711, 5717, 5737, 5741, 5743, 5749, 5779, 5783,
193 5791, 5801, 5807, 5813, 5821, 5827, 5839, 5843, 5849, 5851, 5857,
194 5861, 5867, 5869, 5879, 5881, 5897, 5903, 5923, 5927, 5939, 5953,
195 5981, 5987, 6007, 6011, 6029, 6037, 6043, 6047, 6053, 6067, 6073,
196 6079, 6089, 6091, 6101, 6113, 6121, 6131, 6133, 6143, 6151, 6163,
197 6173, 6197, 6199, 6203, 6211, 6217, 6221, 6229, 6247, 6257, 6263,
198 6269, 6271, 6277, 6287, 6299, 6301, 6311, 6317, 6323, 6329, 6337,
199 6343, 6353, 6359, 6361, 6367, 6373, 6379, 6389, 6397, 6421, 6427,
200 6449, 6451, 6469, 6473, 6481, 6491, 6521, 6529, 6547, 6551, 6553,
201 6563, 6569, 6571, 6577, 6581, 6599, 6607, 6619, 6637, 6653, 6659,
202 6661, 6673, 6679, 6689, 6691, 6701, 6703, 6709, 6719, 6733, 6737,
203 6761, 6763, 6779, 6781, 6791, 6793, 6803, 6823, 6827, 6829, 6833,
204 6841, 6857, 6863, 6869, 6871, 6883, 6899, 6907, 6911, 6917, 6947,
205 6949, 6959, 6961, 6967, 6971, 6977, 6983, 6991, 6997, 7001, 7013,
206 7019, 7027, 7039, 7043, 7057, 7069, 7079, 7103, 7109, 7121, 7127,
207 7129, 7151, 7159, 7177, 7187, 7193, 7207, 7211, 7213, 7219, 7229,
208 7237, 7243, 7247, 7253, 7283, 7297, 7307, 7309, 7321, 7331, 7333,
209 7349, 7351, 7369, 7393, 7411, 7417, 7433, 7451, 7457, 7459, 7477,
210 7481, 7487, 7489, 7499, 7507, 7517, 7523, 7529, 7537, 7541, 7547,
211 7549, 7559, 7561, 7573, 7577, 7583, 7589, 7591, 7603, 7607, 7621,
212 7639, 7643, 7649, 7669, 7673, 7681, 7687, 7691, 7699, 7703, 7717,
213 7723, 7727, 7741, 7753, 7757, 7759, 7789, 7793, 7817, 7823, 7829,
214 7841, 7853, 7867, 7873, 7877, 7879, 7883, 7901, 7907, 7919, 7927,
215 7933, 7937, 7949, 7951, 7963, 7993, 8009, 8011, 8017, 8039, 8053,
216 8059, 8069, 8081, 8087, 8089, 8093, 8101, 8111, 8117, 8123, 8147,
217 8161, 8167, 8171, 8179, 8191, 8209, 8219, 8221, 8231, 8233, 8237,
218 8243, 8263, 8269, 8273, 8287, 8291, 8293, 8297, 8311, 8317, 8329,
219 8353, 8363, 8369, 8377, 8387, 8389, 8419, 8423, 8429, 8431, 8443,
220 8447, 8461, 8467, 8501, 8513, 8521, 8527, 8537, 8539, 8543, 8563,
221 8573, 8581, 8597, 8599, 8609, 8623, 8627, 8629, 8641, 8647, 8663,
222 8669, 8677, 8681, 8689, 8693, 8699, 8707, 8713, 8719, 8731, 8737,
223 8741, 8747, 8753, 8761, 8779, 8783, 8803, 8807, 8819, 8821, 8831,
224 8837, 8839, 8849, 8861, 8863, 8867, 8887, 8893, 8923, 8929, 8933,
225 8941, 8951, 8963, 8969, 8971, 8999, 9001, 9007, 9011, 9013, 9029,
226 9041, 9043, 9049, 9059, 9067, 9091, 9103, 9109, 9127, 9133, 9137,
227 9151, 9157, 9161, 9173, 9181, 9187, 9199, 9203, 9209, 9221, 9227,
228 9239, 9241, 9257, 9277, 9281, 9283, 9293, 9311, 9319, 9323, 9337,
229 9341, 9343, 9349, 9371, 9377, 9391, 9397, 9403, 9413, 9419, 9421,
230 9431, 9433, 9437, 9439, 9461, 9463, 9467, 9473, 9479, 9491, 9497,
231 9511, 9521, 9533, 9539, 9547, 9551, 9587, 9601, 9613, 9619, 9623,
232 9629, 9631, 9643, 9649, 9661, 9677, 9679, 9689, 9697, 9719, 9721,
233 9733, 9739, 9743, 9749, 9767, 9769, 9781, 9787, 9791, 9803, 9811,
234 9817, 9829, 9833, 9839, 9851, 9857, 9859, 9871, 9883, 9887, 9901,
235 9907, 9923, 9929, 9931, 9941, 9949, 9967, 9973, 10007, 10009, 10037,
236 10039, 10061, 10067, 10069, 10079, 10091, 10093, 10099, 10103, 10111, 10133,
237 10139, 10141, 10151, 10159, 10163, 10169, 10177, 10181, 10193, 10211, 10223,
238 10243, 10247, 10253, 10259, 10267, 10271, 10273, 10289, 10301, 10303, 10313,
239 10321, 10331, 10333, 10337, 10343, 10357, 10369, 10391, 10399, 10427, 10429,
240 10433, 10453, 10457, 10459, 10463, 10477, 10487, 10499, 10501, 10513, 10529,
241 10531, 10559, 10567, 10589, 10597, 10601, 10607, 10613, 10627, 10631, 10639,
242 10651, 10657, 10663, 10667, 10687, 10691, 10709, 10711, 10723, 10729, 10733,
243 10739, 10753, 10771, 10781, 10789, 10799, 10831, 10837, 10847, 10853, 10859,
244 10861, 10867, 10883, 10889, 10891, 10903, 10909, 10937, 10939, 10949, 10957,
245 10973, 10979, 10987, 10993, 11003, 11027, 11047, 11057, 11059, 11069, 11071,
246 11083, 11087, 11093, 11113, 11117, 11119, 11131, 11149, 11159, 11161, 11171,
247 11173, 11177, 11197, 11213, 11239, 11243, 11251, 11257, 11261, 11273, 11279,
248 11287, 11299, 11311, 11317, 11321, 11329, 11351, 11353, 11369, 11383, 11393,
249 11399, 11411, 11423, 11437, 11443, 11447, 11467, 11471, 11483, 11489, 11491,
250 11497, 11503, 11519, 11527, 11549, 11551, 11579, 11587, 11593, 11597, 11617,
251 11621, 11633, 11657, 11677, 11681, 11689, 11699, 11701, 11717, 11719, 11731,
252 11743, 11777, 11779, 11783, 11789, 11801, 11807, 11813, 11821, 11827, 11831,
253 11833, 11839, 11863, 11867, 11887, 11897, 11903, 11909, 11923, 11927, 11933,
254 11939, 11941, 11953, 11959, 11969, 11971, 11981, 11987, 12007, 12011, 12037,
255 12041, 12043, 12049, 12071, 12073, 12097, 12101, 12107, 12109, 12113, 12119,
256 12143, 12149, 12157, 12161, 12163, 12197, 12203, 12211, 12227, 12239, 12241,
257 12251, 12253, 12263, 12269, 12277, 12281, 12289, 12301, 12323, 12329, 12343,
258 12347, 12373, 12377, 12379, 12391, 12401, 12409, 12413, 12421, 12433, 12437,
259 12451, 12457, 12473, 12479, 12487, 12491, 12497, 12503, 12511, 12517, 12527,
260 12539, 12541, 12547, 12553, 12569, 12577, 12583, 12589, 12601, 12611, 12613,
261 12619, 12637, 12641, 12647, 12653, 12659, 12671, 12689, 12697, 12703, 12713,
262 12721, 12739, 12743, 12757, 12763, 12781, 12791, 12799, 12809, 12821, 12823,
263 12829, 12841, 12853, 12889, 12893, 12899, 12907, 12911, 12917, 12919, 12923,
264 12941, 12953, 12959, 12967, 12973, 12979, 12983, 13001, 13003, 13007, 13009,
265 13033, 13037, 13043, 13049, 13063, 13093, 13099, 13103, 13109, 13121, 13127,
266 13147, 13151, 13159, 13163, 13171, 13177, 13183, 13187, 13217, 13219, 13229,
267 13241, 13249, 13259, 13267, 13291, 13297, 13309, 13313, 13327, 13331, 13337,
268 13339, 13367, 13381, 13397, 13399, 13411, 13417, 13421, 13441, 13451, 13457,
269 13463, 13469, 13477, 13487, 13499, 13513, 13523, 13537, 13553, 13567, 13577,
270 13591, 13597, 13613, 13619, 13627, 13633, 13649, 13669, 13679, 13681, 13687,
271 13691, 13693, 13697, 13709, 13711, 13721, 13723, 13729, 13751, 13757, 13759,
272 13763, 13781, 13789, 13799, 13807, 13829, 13831, 13841, 13859, 13873, 13877,
273 13879, 13883, 13901, 13903, 13907, 13913, 13921, 13931, 13933, 13963, 13967,
274 13997, 13999, 14009, 14011, 14029, 14033, 14051, 14057, 14071, 14081, 14083,
275 14087, 14107, 14143, 14149, 14153, 14159, 14173, 14177, 14197, 14207, 14221,
276 14243, 14249, 14251, 14281, 14293, 14303, 14321, 14323, 14327, 14341, 14347,
277 14369, 14387, 14389, 14401, 14407, 14411, 14419, 14423, 14431, 14437, 14447,
278 14449, 14461, 14479, 14489, 14503, 14519, 14533, 14537, 14543, 14549, 14551,
279 14557, 14561, 14563, 14591, 14593, 14621, 14627, 14629, 14633, 14639, 14653,
280 14657, 14669, 14683, 14699, 14713, 14717, 14723, 14731, 14737, 14741, 14747,
281 14753, 14759, 14767, 14771, 14779, 14783, 14797, 14813, 14821, 14827, 14831,
282 14843, 14851, 14867, 14869, 14879, 14887, 14891, 14897, 14923, 14929, 14939,
283 14947, 14951, 14957, 14969, 14983, 15013, 15017, 15031, 15053, 15061, 15073,
284 15077, 15083, 15091, 15101, 15107, 15121, 15131, 15137, 15139, 15149, 15161,
285 15173, 15187, 15193, 15199, 15217, 15227, 15233, 15241, 15259, 15263, 15269,
286 15271, 15277, 15287, 15289, 15299, 15307, 15313, 15319, 15329, 15331, 15349,
287 15359, 15361, 15373, 15377, 15383, 15391, 15401, 15413, 15427, 15439, 15443,
288 15451, 15461, 15467, 15473, 15493, 15497, 15511, 15527, 15541, 15551, 15559,
289 15569, 15581, 15583, 15601, 15607, 15619, 15629, 15641, 15643, 15647, 15649,
290 15661, 15667, 15671, 15679, 15683, 15727, 15731, 15733, 15737, 15739, 15749,
291 15761, 15767, 15773, 15787, 15791, 15797, 15803, 15809, 15817, 15823, 15859,
292 15877, 15881, 15887, 15889, 15901, 15907, 15913, 15919, 15923, 15937, 15959,
293 15971, 15973, 15991, 16001, 16007, 16033, 16057, 16061, 16063, 16067, 16069,
294 16073, 16087, 16091, 16097, 16103, 16111, 16127, 16139, 16141, 16183, 16187,
295 16189, 16193, 16217, 16223, 16229, 16231, 16249, 16253, 16267, 16273, 16301,
296 16319, 16333, 16339, 16349, 16361, 16363, 16369, 16381, 16411, 16417, 16421,
297 16427, 16433, 16447, 16451, 16453, 16477, 16481, 16487, 16493, 16519, 16529,
298 16547, 16553, 16561, 16567, 16573, 16603, 16607, 16619, 16631, 16633, 16649,
299 16651, 16657, 16661, 16673, 16691, 16693, 16699, 16703, 16729, 16741, 16747,
300 16759, 16763, 16787, 16811, 16823, 16829, 16831, 16843, 16871, 16879, 16883,
301 16889, 16901, 16903, 16921, 16927, 16931, 16937, 16943, 16963, 16979, 16981,
302 16987, 16993, 17011, 17021, 17027, 17029, 17033, 17041, 17047, 17053, 17077,
303 17093, 17099, 17107, 17117, 17123, 17137, 17159, 17167, 17183, 17189, 17191,
304 17203, 17207, 17209, 17231, 17239, 17257, 17291, 17293, 17299, 17317, 17321,
305 17327, 17333, 17341, 17351, 17359, 17377, 17383, 17387, 17389, 17393, 17401,
306 17417, 17419, 17431, 17443, 17449, 17467, 17471, 17477, 17483, 17489, 17491,
307 17497, 17509, 17519, 17539, 17551, 17569, 17573, 17579, 17581, 17597, 17599,
308 17609, 17623, 17627, 17657, 17659, 17669, 17681, 17683, 17707, 17713, 17729,
309 17737, 17747, 17749, 17761, 17783, 17789, 17791, 17807, 17827, 17837, 17839,
310 17851, 17863,
311 };
312
313 // BN_prime_checks_for_size returns the number of Miller-Rabin iterations
314 // necessary for a 'bits'-bit prime.
315 //
316 //
317 // This table is generated using the algorithm of FIPS PUB 186-4
318 // Digital Signature Standard (DSS), section F.1, page 117.
319 // (https://doi.org/10.6028/NIST.FIPS.186-4)
320 // The following magma script was used to generate the output:
321 // securitybits:=125;
322 // k:=1024;
323 // for t:=1 to 65 do
324 // for M:=3 to Floor(2*Sqrt(k-1)-1) do
325 // S:=0;
326 // // Sum over m
327 // for m:=3 to M do
328 // s:=0;
329 // // Sum over j
330 // for j:=2 to m do
331 // s+:=(RealField(32)!2)^-(j+(k-1)/j);
332 // end for;
333 // S+:=2^(m-(m-1)*t)*s;
334 // end for;
335 // A:=2^(k-2-M*t);
336 // B:=8*(Pi(RealField(32))^2-6)/3*2^(k-2)*S;
337 // pkt:=2.00743*Log(2)*k*2^-k*(A+B);
338 // seclevel:=Floor(-Log(2,pkt));
339 // if seclevel ge securitybits then
340 // printf "k: %5o, security: %o bits (t: %o, M: %o)\n",k,seclevel,t,M;
341 // break;
342 // end if;
343 // end for;
344 // if seclevel ge securitybits then break; end if;
345 // end for;
346 //
347 // It can be run online at: http://magma.maths.usyd.edu.au/calc
348 // And will output:
349 // k: 1024, security: 129 bits (t: 6, M: 23)
350 // k is the number of bits of the prime, securitybits is the level we want to
351 // reach.
352 // prime length | RSA key size | # MR tests | security level
353 // -------------+--------------|------------+---------------
354 // (b) >= 6394 | >= 12788 | 3 | 256 bit
355 // (b) >= 3747 | >= 7494 | 3 | 192 bit
356 // (b) >= 1345 | >= 2690 | 4 | 128 bit
357 // (b) >= 1080 | >= 2160 | 5 | 128 bit
358 // (b) >= 852 | >= 1704 | 5 | 112 bit
359 // (b) >= 476 | >= 952 | 5 | 80 bit
360 // (b) >= 400 | >= 800 | 6 | 80 bit
361 // (b) >= 347 | >= 694 | 7 | 80 bit
362 // (b) >= 308 | >= 616 | 8 | 80 bit
363 // (b) >= 55 | >= 110 | 27 | 64 bit
364 // (b) >= 6 | >= 12 | 34 | 64 bit
BN_prime_checks_for_size(int bits)365 static int BN_prime_checks_for_size(int bits) {
366 if (bits >= 3747) {
367 return 3;
368 }
369 if (bits >= 1345) {
370 return 4;
371 }
372 if (bits >= 476) {
373 return 5;
374 }
375 if (bits >= 400) {
376 return 6;
377 }
378 if (bits >= 347) {
379 return 7;
380 }
381 if (bits >= 308) {
382 return 8;
383 }
384 if (bits >= 55) {
385 return 27;
386 }
387 return 34;
388 }
389
390 // num_trial_division_primes returns the number of primes to try with trial
391 // division before using more expensive checks. For larger numbers, the value
392 // of excluding a candidate with trial division is larger.
num_trial_division_primes(const BIGNUM * n)393 static size_t num_trial_division_primes(const BIGNUM *n) {
394 if (n->width * BN_BITS2 > 1024) {
395 return OPENSSL_ARRAY_SIZE(kPrimes);
396 }
397 return OPENSSL_ARRAY_SIZE(kPrimes) / 4;
398 }
399
400 // BN_PRIME_CHECKS_BLINDED is the iteration count for blinding the constant-time
401 // primality test. See |BN_primality_test| for details. This number is selected
402 // so that, for a candidate N-bit RSA prime, picking |BN_PRIME_CHECKS_BLINDED|
403 // random N-bit numbers will have at least |BN_prime_checks_for_size(N)| values
404 // in range with high probability.
405 //
406 // The following Python script computes the blinding factor needed for the
407 // corresponding iteration count.
408 /*
409 import math
410
411 # We choose candidate RSA primes between sqrt(2)/2 * 2^N and 2^N and select
412 # witnesses by generating random N-bit numbers. Thus the probability of
413 # selecting one in range is at least sqrt(2)/2.
414 p = math.sqrt(2) / 2
415
416 # Target around 2^-8 probability of the blinding being insufficient given that
417 # key generation is a one-time, noisy operation.
418 epsilon = 2**-8
419
420 def choose(a, b):
421 r = 1
422 for i in xrange(b):
423 r *= a - i
424 r /= (i + 1)
425 return r
426
427 def failure_rate(min_uniform, iterations):
428 """ Returns the probability that, for |iterations| candidate witnesses, fewer
429 than |min_uniform| of them will be uniform. """
430 prob = 0.0
431 for i in xrange(min_uniform):
432 prob += (choose(iterations, i) *
433 p**i * (1-p)**(iterations - i))
434 return prob
435
436 for min_uniform in (3, 4, 5, 6, 8, 13, 19, 28):
437 # Find the smallest number of iterations under the target failure rate.
438 iterations = min_uniform
439 while True:
440 prob = failure_rate(min_uniform, iterations)
441 if prob < epsilon:
442 print min_uniform, iterations, prob
443 break
444 iterations += 1
445
446 Output:
447 3 9 0.00368894873911
448 4 11 0.00363319494662
449 5 13 0.00336215573898
450 6 15 0.00300145783158
451 8 19 0.00225214119331
452 13 27 0.00385610026955
453 19 38 0.0021410539126
454 28 52 0.00325405801769
455
456 16 iterations suffices for 400-bit primes and larger (6 uniform samples needed),
457 which is already well below the minimum acceptable key size for RSA.
458 */
459 #define BN_PRIME_CHECKS_BLINDED 16
460
461 static int probable_prime(BIGNUM *rnd, int bits);
462 static int probable_prime_dh(BIGNUM *rnd, int bits, const BIGNUM *add,
463 const BIGNUM *rem, BN_CTX *ctx);
464 static int probable_prime_dh_safe(BIGNUM *rnd, int bits, const BIGNUM *add,
465 const BIGNUM *rem, BN_CTX *ctx);
466
BN_GENCB_set(BN_GENCB * callback,int (* f)(int event,int n,struct bn_gencb_st *),void * arg)467 void BN_GENCB_set(BN_GENCB *callback,
468 int (*f)(int event, int n, struct bn_gencb_st *),
469 void *arg) {
470 callback->callback = f;
471 callback->arg = arg;
472 }
473
BN_GENCB_call(BN_GENCB * callback,int event,int n)474 int BN_GENCB_call(BN_GENCB *callback, int event, int n) {
475 if (!callback) {
476 return 1;
477 }
478
479 return callback->callback(event, n, callback);
480 }
481
BN_generate_prime_ex(BIGNUM * ret,int bits,int safe,const BIGNUM * add,const BIGNUM * rem,BN_GENCB * cb)482 int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe, const BIGNUM *add,
483 const BIGNUM *rem, BN_GENCB *cb) {
484 BIGNUM *t;
485 int found = 0;
486 int i, j, c1 = 0;
487 BN_CTX *ctx;
488 int checks = BN_prime_checks_for_size(bits);
489
490 if (bits < 2) {
491 // There are no prime numbers this small.
492 OPENSSL_PUT_ERROR(BN, BN_R_BITS_TOO_SMALL);
493 return 0;
494 } else if (bits == 2 && safe) {
495 // The smallest safe prime (7) is three bits.
496 OPENSSL_PUT_ERROR(BN, BN_R_BITS_TOO_SMALL);
497 return 0;
498 }
499
500 ctx = BN_CTX_new();
501 if (ctx == NULL) {
502 goto err;
503 }
504 BN_CTX_start(ctx);
505 t = BN_CTX_get(ctx);
506 if (!t) {
507 goto err;
508 }
509
510 loop:
511 // make a random number and set the top and bottom bits
512 if (add == NULL) {
513 if (!probable_prime(ret, bits)) {
514 goto err;
515 }
516 } else {
517 if (safe) {
518 if (!probable_prime_dh_safe(ret, bits, add, rem, ctx)) {
519 goto err;
520 }
521 } else {
522 if (!probable_prime_dh(ret, bits, add, rem, ctx)) {
523 goto err;
524 }
525 }
526 }
527
528 if (!BN_GENCB_call(cb, BN_GENCB_GENERATED, c1++)) {
529 // aborted
530 goto err;
531 }
532
533 if (!safe) {
534 i = BN_is_prime_fasttest_ex(ret, checks, ctx, 0, cb);
535 if (i == -1) {
536 goto err;
537 } else if (i == 0) {
538 goto loop;
539 }
540 } else {
541 // for "safe prime" generation, check that (p-1)/2 is prime. Since a prime
542 // is odd, We just need to divide by 2
543 if (!BN_rshift1(t, ret)) {
544 goto err;
545 }
546
547 for (i = 0; i < checks; i++) {
548 j = BN_is_prime_fasttest_ex(ret, 1, ctx, 0, NULL);
549 if (j == -1) {
550 goto err;
551 } else if (j == 0) {
552 goto loop;
553 }
554
555 j = BN_is_prime_fasttest_ex(t, 1, ctx, 0, NULL);
556 if (j == -1) {
557 goto err;
558 } else if (j == 0) {
559 goto loop;
560 }
561
562 if (!BN_GENCB_call(cb, i, c1 - 1)) {
563 goto err;
564 }
565 // We have a safe prime test pass
566 }
567 }
568
569 // we have a prime :-)
570 found = 1;
571
572 err:
573 if (ctx != NULL) {
574 BN_CTX_end(ctx);
575 BN_CTX_free(ctx);
576 }
577
578 return found;
579 }
580
bn_trial_division(uint16_t * out,const BIGNUM * bn)581 static int bn_trial_division(uint16_t *out, const BIGNUM *bn) {
582 const size_t num_primes = num_trial_division_primes(bn);
583 for (size_t i = 1; i < num_primes; i++) {
584 if (bn_mod_u16_consttime(bn, kPrimes[i]) == 0) {
585 *out = kPrimes[i];
586 return 1;
587 }
588 }
589 return 0;
590 }
591
bn_odd_number_is_obviously_composite(const BIGNUM * bn)592 int bn_odd_number_is_obviously_composite(const BIGNUM *bn) {
593 uint16_t prime;
594 return bn_trial_division(&prime, bn) && !BN_is_word(bn, prime);
595 }
596
BN_primality_test(int * is_probably_prime,const BIGNUM * w,int iterations,BN_CTX * ctx,int do_trial_division,BN_GENCB * cb)597 int BN_primality_test(int *is_probably_prime, const BIGNUM *w,
598 int iterations, BN_CTX *ctx, int do_trial_division,
599 BN_GENCB *cb) {
600 *is_probably_prime = 0;
601
602 // To support RSA key generation, this function should treat |w| as secret if
603 // it is a large prime. Composite numbers are discarded, so they may return
604 // early.
605
606 if (BN_cmp(w, BN_value_one()) <= 0) {
607 return 1;
608 }
609
610 if (!BN_is_odd(w)) {
611 // The only even prime is two.
612 *is_probably_prime = BN_is_word(w, 2);
613 return 1;
614 }
615
616 // Miller-Rabin does not work for three.
617 if (BN_is_word(w, 3)) {
618 *is_probably_prime = 1;
619 return 1;
620 }
621
622 if (do_trial_division) {
623 // Perform additional trial division checks to discard small primes.
624 uint16_t prime;
625 if (bn_trial_division(&prime, w)) {
626 *is_probably_prime = BN_is_word(w, prime);
627 return 1;
628 }
629 if (!BN_GENCB_call(cb, 1, -1)) {
630 return 0;
631 }
632 }
633
634 if (iterations == BN_prime_checks) {
635 iterations = BN_prime_checks_for_size(BN_num_bits(w));
636 }
637
638 BN_CTX *new_ctx = NULL;
639 if (ctx == NULL) {
640 new_ctx = BN_CTX_new();
641 if (new_ctx == NULL) {
642 return 0;
643 }
644 ctx = new_ctx;
645 }
646
647 // See C.3.1 from FIPS 186-4.
648 int ret = 0;
649 BN_MONT_CTX *mont = NULL;
650 BN_CTX_start(ctx);
651 BIGNUM *w1 = BN_CTX_get(ctx);
652 if (w1 == NULL ||
653 !bn_usub_consttime(w1, w, BN_value_one())) {
654 goto err;
655 }
656
657 // Write w1 as m * 2^a (Steps 1 and 2).
658 int w_len = BN_num_bits(w);
659 int a = BN_count_low_zero_bits(w1);
660 BIGNUM *m = BN_CTX_get(ctx);
661 if (m == NULL ||
662 !bn_rshift_secret_shift(m, w1, a, ctx)) {
663 goto err;
664 }
665
666 // Montgomery setup for computations mod w. Additionally, compute 1 and w - 1
667 // in the Montgomery domain for later comparisons.
668 BIGNUM *b = BN_CTX_get(ctx);
669 BIGNUM *z = BN_CTX_get(ctx);
670 BIGNUM *one_mont = BN_CTX_get(ctx);
671 BIGNUM *w1_mont = BN_CTX_get(ctx);
672 mont = BN_MONT_CTX_new_consttime(w, ctx);
673 if (b == NULL || z == NULL || one_mont == NULL || w1_mont == NULL ||
674 mont == NULL ||
675 !bn_one_to_montgomery(one_mont, mont, ctx) ||
676 // w - 1 is -1 mod w, so we can compute it in the Montgomery domain, -R,
677 // with a subtraction. (|one_mont| cannot be zero.)
678 !bn_usub_consttime(w1_mont, w, one_mont)) {
679 goto err;
680 }
681
682 // The following loop performs in inner iteration of the Miller-Rabin
683 // Primality test (Step 4).
684 //
685 // The algorithm as specified in FIPS 186-4 leaks information on |w|, the RSA
686 // private key. Instead, we run through each iteration unconditionally,
687 // performing modular multiplications, masking off any effects to behave
688 // equivalently to the specified algorithm.
689 //
690 // We also blind the number of values of |b| we try. Steps 4.1–4.2 say to
691 // discard out-of-range values. To avoid leaking information on |w|, we use
692 // |bn_rand_secret_range| which, rather than discarding bad values, adjusts
693 // them to be in range. Though not uniformly selected, these adjusted values
694 // are still usable as Rabin-Miller checks.
695 //
696 // Rabin-Miller is already probabilistic, so we could reach the desired
697 // confidence levels by just suitably increasing the iteration count. However,
698 // to align with FIPS 186-4, we use a more pessimal analysis: we do not count
699 // the non-uniform values towards the iteration count. As a result, this
700 // function is more complex and has more timing risk than necessary.
701 //
702 // We count both total iterations and uniform ones and iterate until we've
703 // reached at least |BN_PRIME_CHECKS_BLINDED| and |iterations|, respectively.
704 // If the latter is large enough, it will be the limiting factor with high
705 // probability and we won't leak information.
706 //
707 // Note this blinding does not impact most calls when picking primes because
708 // composites are rejected early. Only the two secret primes see extra work.
709
710 crypto_word_t uniform_iterations = 0;
711 // Using |constant_time_lt_w| seems to prevent the compiler from optimizing
712 // this into two jumps.
713 for (int i = 1; (i <= BN_PRIME_CHECKS_BLINDED) |
714 constant_time_lt_w(uniform_iterations, iterations);
715 i++) {
716 int is_uniform;
717 if (// Step 4.1-4.2
718 !bn_rand_secret_range(b, &is_uniform, 2, w1) ||
719 // Step 4.3
720 !BN_mod_exp_mont_consttime(z, b, m, w, ctx, mont)) {
721 goto err;
722 }
723 uniform_iterations += is_uniform;
724
725 // loop_done is all ones if the loop has completed and all zeros otherwise.
726 crypto_word_t loop_done = 0;
727 // next_iteration is all ones if we should continue to the next iteration
728 // (|b| is not a composite witness for |w|). This is equivalent to going to
729 // step 4.7 in the original algorithm.
730 crypto_word_t next_iteration = 0;
731
732 // Step 4.4. If z = 1 or z = w-1, mask off the loop and continue to the next
733 // iteration (go to step 4.7).
734 loop_done = BN_equal_consttime(z, BN_value_one()) |
735 BN_equal_consttime(z, w1);
736 loop_done = 0 - loop_done; // Make it all zeros or all ones.
737 next_iteration = loop_done; // Go to step 4.7 if |loop_done|.
738
739 // Step 4.5. We use Montgomery-encoding for better performance and to avoid
740 // timing leaks.
741 if (!BN_to_montgomery(z, z, mont, ctx)) {
742 goto err;
743 }
744
745 // To avoid leaking |a|, we run the loop to |w_len| and mask off all
746 // iterations once |j| = |a|.
747 for (int j = 1; j < w_len; j++) {
748 loop_done |= constant_time_eq_int(j, a);
749
750 // Step 4.5.1.
751 if (!BN_mod_mul_montgomery(z, z, z, mont, ctx)) {
752 goto err;
753 }
754
755 // Step 4.5.2. If z = w-1 and the loop is not done, run through the next
756 // iteration.
757 crypto_word_t z_is_w1_mont = BN_equal_consttime(z, w1_mont) & ~loop_done;
758 z_is_w1_mont = 0 - z_is_w1_mont; // Make it all zeros or all ones.
759 loop_done |= z_is_w1_mont;
760 next_iteration |= z_is_w1_mont; // Go to step 4.7 if |z_is_w1_mont|.
761
762 // Step 4.5.3. If z = 1 and the loop is not done, w is composite and we
763 // may exit in variable time.
764 if (BN_equal_consttime(z, one_mont) & ~loop_done) {
765 assert(!next_iteration);
766 break;
767 }
768 }
769
770 if (!next_iteration) {
771 // Step 4.6. We did not see z = w-1 before z = 1, so w must be composite.
772 // (For any prime, the value of z immediately preceding 1 must be -1.
773 // There are no non-trivial square roots of 1 modulo a prime.)
774 *is_probably_prime = 0;
775 ret = 1;
776 goto err;
777 }
778
779 // Step 4.7
780 if (!BN_GENCB_call(cb, 1, i)) {
781 goto err;
782 }
783 }
784
785 assert(uniform_iterations >= (crypto_word_t)iterations);
786 *is_probably_prime = 1;
787 ret = 1;
788
789 err:
790 BN_MONT_CTX_free(mont);
791 BN_CTX_end(ctx);
792 BN_CTX_free(new_ctx);
793 return ret;
794 }
795
BN_is_prime_ex(const BIGNUM * candidate,int checks,BN_CTX * ctx,BN_GENCB * cb)796 int BN_is_prime_ex(const BIGNUM *candidate, int checks, BN_CTX *ctx,
797 BN_GENCB *cb) {
798 return BN_is_prime_fasttest_ex(candidate, checks, ctx, 0, cb);
799 }
800
BN_is_prime_fasttest_ex(const BIGNUM * a,int checks,BN_CTX * ctx,int do_trial_division,BN_GENCB * cb)801 int BN_is_prime_fasttest_ex(const BIGNUM *a, int checks, BN_CTX *ctx,
802 int do_trial_division, BN_GENCB *cb) {
803 int is_probably_prime;
804 if (!BN_primality_test(&is_probably_prime, a, checks, ctx, do_trial_division,
805 cb)) {
806 return -1;
807 }
808 return is_probably_prime;
809 }
810
BN_enhanced_miller_rabin_primality_test(enum bn_primality_result_t * out_result,const BIGNUM * w,int iterations,BN_CTX * ctx,BN_GENCB * cb)811 int BN_enhanced_miller_rabin_primality_test(
812 enum bn_primality_result_t *out_result, const BIGNUM *w, int iterations,
813 BN_CTX *ctx, BN_GENCB *cb) {
814 // Enhanced Miller-Rabin is only valid on odd integers greater than 3.
815 if (!BN_is_odd(w) || BN_cmp_word(w, 3) <= 0) {
816 OPENSSL_PUT_ERROR(BN, BN_R_INVALID_INPUT);
817 return 0;
818 }
819
820 if (iterations == BN_prime_checks) {
821 iterations = BN_prime_checks_for_size(BN_num_bits(w));
822 }
823
824 int ret = 0;
825 BN_MONT_CTX *mont = NULL;
826
827 BN_CTX_start(ctx);
828
829 BIGNUM *w1 = BN_CTX_get(ctx);
830 if (w1 == NULL ||
831 !BN_copy(w1, w) ||
832 !BN_sub_word(w1, 1)) {
833 goto err;
834 }
835
836 // Write w1 as m*2^a (Steps 1 and 2).
837 int a = 0;
838 while (!BN_is_bit_set(w1, a)) {
839 a++;
840 }
841 BIGNUM *m = BN_CTX_get(ctx);
842 if (m == NULL ||
843 !BN_rshift(m, w1, a)) {
844 goto err;
845 }
846
847 BIGNUM *b = BN_CTX_get(ctx);
848 BIGNUM *g = BN_CTX_get(ctx);
849 BIGNUM *z = BN_CTX_get(ctx);
850 BIGNUM *x = BN_CTX_get(ctx);
851 BIGNUM *x1 = BN_CTX_get(ctx);
852 if (b == NULL ||
853 g == NULL ||
854 z == NULL ||
855 x == NULL ||
856 x1 == NULL) {
857 goto err;
858 }
859
860 // Montgomery setup for computations mod w
861 mont = BN_MONT_CTX_new_for_modulus(w, ctx);
862 if (mont == NULL) {
863 goto err;
864 }
865
866 // The following loop performs in inner iteration of the Enhanced Miller-Rabin
867 // Primality test (Step 4).
868 for (int i = 1; i <= iterations; i++) {
869 // Step 4.1-4.2
870 if (!BN_rand_range_ex(b, 2, w1)) {
871 goto err;
872 }
873
874 // Step 4.3-4.4
875 if (!BN_gcd(g, b, w, ctx)) {
876 goto err;
877 }
878 if (BN_cmp_word(g, 1) > 0) {
879 *out_result = bn_composite;
880 ret = 1;
881 goto err;
882 }
883
884 // Step 4.5
885 if (!BN_mod_exp_mont(z, b, m, w, ctx, mont)) {
886 goto err;
887 }
888
889 // Step 4.6
890 if (BN_is_one(z) || BN_cmp(z, w1) == 0) {
891 goto loop;
892 }
893
894 // Step 4.7
895 for (int j = 1; j < a; j++) {
896 if (!BN_copy(x, z) || !BN_mod_mul(z, x, x, w, ctx)) {
897 goto err;
898 }
899 if (BN_cmp(z, w1) == 0) {
900 goto loop;
901 }
902 if (BN_is_one(z)) {
903 goto composite;
904 }
905 }
906
907 // Step 4.8-4.9
908 if (!BN_copy(x, z) || !BN_mod_mul(z, x, x, w, ctx)) {
909 goto err;
910 }
911
912 // Step 4.10-4.11
913 if (!BN_is_one(z) && !BN_copy(x, z)) {
914 goto err;
915 }
916
917 composite:
918 // Step 4.12-4.14
919 if (!BN_copy(x1, x) ||
920 !BN_sub_word(x1, 1) ||
921 !BN_gcd(g, x1, w, ctx)) {
922 goto err;
923 }
924 if (BN_cmp_word(g, 1) > 0) {
925 *out_result = bn_composite;
926 } else {
927 *out_result = bn_non_prime_power_composite;
928 }
929
930 ret = 1;
931 goto err;
932
933 loop:
934 // Step 4.15
935 if (!BN_GENCB_call(cb, 1, i)) {
936 goto err;
937 }
938 }
939
940 *out_result = bn_probably_prime;
941 ret = 1;
942
943 err:
944 BN_MONT_CTX_free(mont);
945 BN_CTX_end(ctx);
946
947 return ret;
948 }
949
probable_prime(BIGNUM * rnd,int bits)950 static int probable_prime(BIGNUM *rnd, int bits) {
951 uint16_t mods[OPENSSL_ARRAY_SIZE(kPrimes)];
952 const size_t num_primes = num_trial_division_primes(rnd);
953 BN_ULONG delta;
954 BN_ULONG maxdelta = BN_MASK2 - kPrimes[num_primes - 1];
955 char is_single_word = bits <= BN_BITS2;
956
957 again:
958 if (!BN_rand(rnd, bits, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ODD)) {
959 return 0;
960 }
961
962 // we now have a random number 'rnd' to test.
963 for (size_t i = 1; i < num_primes; i++) {
964 mods[i] = bn_mod_u16_consttime(rnd, kPrimes[i]);
965 }
966 // If bits is so small that it fits into a single word then we
967 // additionally don't want to exceed that many bits.
968 if (is_single_word) {
969 BN_ULONG size_limit;
970 if (bits == BN_BITS2) {
971 // Avoid undefined behavior.
972 size_limit = ~((BN_ULONG)0) - BN_get_word(rnd);
973 } else {
974 size_limit = (((BN_ULONG)1) << bits) - BN_get_word(rnd) - 1;
975 }
976 if (size_limit < maxdelta) {
977 maxdelta = size_limit;
978 }
979 }
980 delta = 0;
981
982 loop:
983 if (is_single_word) {
984 BN_ULONG rnd_word = BN_get_word(rnd);
985
986 // In the case that the candidate prime is a single word then
987 // we check that:
988 // 1) It's greater than kPrimes[i] because we shouldn't reject
989 // 3 as being a prime number because it's a multiple of
990 // three.
991 // 2) That it's not a multiple of a known prime. We don't
992 // check that rnd-1 is also coprime to all the known
993 // primes because there aren't many small primes where
994 // that's true.
995 for (size_t i = 1; i < num_primes && kPrimes[i] < rnd_word; i++) {
996 if ((mods[i] + delta) % kPrimes[i] == 0) {
997 delta += 2;
998 if (delta > maxdelta) {
999 goto again;
1000 }
1001 goto loop;
1002 }
1003 }
1004 } else {
1005 for (size_t i = 1; i < num_primes; i++) {
1006 // check that rnd is not a prime and also
1007 // that gcd(rnd-1,primes) == 1 (except for 2)
1008 if (((mods[i] + delta) % kPrimes[i]) <= 1) {
1009 delta += 2;
1010 if (delta > maxdelta) {
1011 goto again;
1012 }
1013 goto loop;
1014 }
1015 }
1016 }
1017
1018 if (!BN_add_word(rnd, delta)) {
1019 return 0;
1020 }
1021 if (BN_num_bits(rnd) != (unsigned)bits) {
1022 goto again;
1023 }
1024
1025 return 1;
1026 }
1027
probable_prime_dh(BIGNUM * rnd,int bits,const BIGNUM * add,const BIGNUM * rem,BN_CTX * ctx)1028 static int probable_prime_dh(BIGNUM *rnd, int bits, const BIGNUM *add,
1029 const BIGNUM *rem, BN_CTX *ctx) {
1030 int ret = 0;
1031 BIGNUM *t1;
1032
1033 BN_CTX_start(ctx);
1034 if ((t1 = BN_CTX_get(ctx)) == NULL) {
1035 goto err;
1036 }
1037
1038 if (!BN_rand(rnd, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD)) {
1039 goto err;
1040 }
1041
1042 // we need ((rnd-rem) % add) == 0
1043
1044 if (!BN_mod(t1, rnd, add, ctx)) {
1045 goto err;
1046 }
1047 if (!BN_sub(rnd, rnd, t1)) {
1048 goto err;
1049 }
1050 if (rem == NULL) {
1051 if (!BN_add_word(rnd, 1)) {
1052 goto err;
1053 }
1054 } else {
1055 if (!BN_add(rnd, rnd, rem)) {
1056 goto err;
1057 }
1058 }
1059 // we now have a random number 'rand' to test.
1060
1061 const size_t num_primes = num_trial_division_primes(rnd);
1062 loop:
1063 for (size_t i = 1; i < num_primes; i++) {
1064 // check that rnd is a prime
1065 if (bn_mod_u16_consttime(rnd, kPrimes[i]) <= 1) {
1066 if (!BN_add(rnd, rnd, add)) {
1067 goto err;
1068 }
1069 goto loop;
1070 }
1071 }
1072
1073 ret = 1;
1074
1075 err:
1076 BN_CTX_end(ctx);
1077 return ret;
1078 }
1079
probable_prime_dh_safe(BIGNUM * p,int bits,const BIGNUM * padd,const BIGNUM * rem,BN_CTX * ctx)1080 static int probable_prime_dh_safe(BIGNUM *p, int bits, const BIGNUM *padd,
1081 const BIGNUM *rem, BN_CTX *ctx) {
1082 int ret = 0;
1083 BIGNUM *t1, *qadd, *q;
1084
1085 bits--;
1086 BN_CTX_start(ctx);
1087 t1 = BN_CTX_get(ctx);
1088 q = BN_CTX_get(ctx);
1089 qadd = BN_CTX_get(ctx);
1090 if (qadd == NULL) {
1091 goto err;
1092 }
1093
1094 if (!BN_rshift1(qadd, padd)) {
1095 goto err;
1096 }
1097
1098 if (!BN_rand(q, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD)) {
1099 goto err;
1100 }
1101
1102 // we need ((rnd-rem) % add) == 0
1103 if (!BN_mod(t1, q, qadd, ctx)) {
1104 goto err;
1105 }
1106
1107 if (!BN_sub(q, q, t1)) {
1108 goto err;
1109 }
1110
1111 if (rem == NULL) {
1112 if (!BN_add_word(q, 1)) {
1113 goto err;
1114 }
1115 } else {
1116 if (!BN_rshift1(t1, rem)) {
1117 goto err;
1118 }
1119 if (!BN_add(q, q, t1)) {
1120 goto err;
1121 }
1122 }
1123
1124 // we now have a random number 'rand' to test.
1125 if (!BN_lshift1(p, q)) {
1126 goto err;
1127 }
1128 if (!BN_add_word(p, 1)) {
1129 goto err;
1130 }
1131
1132 const size_t num_primes = num_trial_division_primes(p);
1133 loop:
1134 for (size_t i = 1; i < num_primes; i++) {
1135 // check that p and q are prime
1136 // check that for p and q
1137 // gcd(p-1,primes) == 1 (except for 2)
1138 if (bn_mod_u16_consttime(p, kPrimes[i]) == 0 ||
1139 bn_mod_u16_consttime(q, kPrimes[i]) == 0) {
1140 if (!BN_add(p, p, padd)) {
1141 goto err;
1142 }
1143 if (!BN_add(q, q, qadd)) {
1144 goto err;
1145 }
1146 goto loop;
1147 }
1148 }
1149
1150 ret = 1;
1151
1152 err:
1153 BN_CTX_end(ctx);
1154 return ret;
1155 }
1156