1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57 /* ====================================================================
58 * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
65 * notice, this list of conditions and the following disclaimer.
66 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
70 * distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 * acknowledgment:
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com). */
108
109 #include <openssl/bn.h>
110
111 #include <openssl/err.h>
112 #include <openssl/mem.h>
113
114 #include "internal.h"
115 #include "../../internal.h"
116
117
118 // kPrimes contains the first 1024 primes.
119 static const uint16_t kPrimes[] = {
120 2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37,
121 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89,
122 97, 101, 103, 107, 109, 113, 127, 131, 137, 139, 149, 151,
123 157, 163, 167, 173, 179, 181, 191, 193, 197, 199, 211, 223,
124 227, 229, 233, 239, 241, 251, 257, 263, 269, 271, 277, 281,
125 283, 293, 307, 311, 313, 317, 331, 337, 347, 349, 353, 359,
126 367, 373, 379, 383, 389, 397, 401, 409, 419, 421, 431, 433,
127 439, 443, 449, 457, 461, 463, 467, 479, 487, 491, 499, 503,
128 509, 521, 523, 541, 547, 557, 563, 569, 571, 577, 587, 593,
129 599, 601, 607, 613, 617, 619, 631, 641, 643, 647, 653, 659,
130 661, 673, 677, 683, 691, 701, 709, 719, 727, 733, 739, 743,
131 751, 757, 761, 769, 773, 787, 797, 809, 811, 821, 823, 827,
132 829, 839, 853, 857, 859, 863, 877, 881, 883, 887, 907, 911,
133 919, 929, 937, 941, 947, 953, 967, 971, 977, 983, 991, 997,
134 1009, 1013, 1019, 1021, 1031, 1033, 1039, 1049, 1051, 1061, 1063, 1069,
135 1087, 1091, 1093, 1097, 1103, 1109, 1117, 1123, 1129, 1151, 1153, 1163,
136 1171, 1181, 1187, 1193, 1201, 1213, 1217, 1223, 1229, 1231, 1237, 1249,
137 1259, 1277, 1279, 1283, 1289, 1291, 1297, 1301, 1303, 1307, 1319, 1321,
138 1327, 1361, 1367, 1373, 1381, 1399, 1409, 1423, 1427, 1429, 1433, 1439,
139 1447, 1451, 1453, 1459, 1471, 1481, 1483, 1487, 1489, 1493, 1499, 1511,
140 1523, 1531, 1543, 1549, 1553, 1559, 1567, 1571, 1579, 1583, 1597, 1601,
141 1607, 1609, 1613, 1619, 1621, 1627, 1637, 1657, 1663, 1667, 1669, 1693,
142 1697, 1699, 1709, 1721, 1723, 1733, 1741, 1747, 1753, 1759, 1777, 1783,
143 1787, 1789, 1801, 1811, 1823, 1831, 1847, 1861, 1867, 1871, 1873, 1877,
144 1879, 1889, 1901, 1907, 1913, 1931, 1933, 1949, 1951, 1973, 1979, 1987,
145 1993, 1997, 1999, 2003, 2011, 2017, 2027, 2029, 2039, 2053, 2063, 2069,
146 2081, 2083, 2087, 2089, 2099, 2111, 2113, 2129, 2131, 2137, 2141, 2143,
147 2153, 2161, 2179, 2203, 2207, 2213, 2221, 2237, 2239, 2243, 2251, 2267,
148 2269, 2273, 2281, 2287, 2293, 2297, 2309, 2311, 2333, 2339, 2341, 2347,
149 2351, 2357, 2371, 2377, 2381, 2383, 2389, 2393, 2399, 2411, 2417, 2423,
150 2437, 2441, 2447, 2459, 2467, 2473, 2477, 2503, 2521, 2531, 2539, 2543,
151 2549, 2551, 2557, 2579, 2591, 2593, 2609, 2617, 2621, 2633, 2647, 2657,
152 2659, 2663, 2671, 2677, 2683, 2687, 2689, 2693, 2699, 2707, 2711, 2713,
153 2719, 2729, 2731, 2741, 2749, 2753, 2767, 2777, 2789, 2791, 2797, 2801,
154 2803, 2819, 2833, 2837, 2843, 2851, 2857, 2861, 2879, 2887, 2897, 2903,
155 2909, 2917, 2927, 2939, 2953, 2957, 2963, 2969, 2971, 2999, 3001, 3011,
156 3019, 3023, 3037, 3041, 3049, 3061, 3067, 3079, 3083, 3089, 3109, 3119,
157 3121, 3137, 3163, 3167, 3169, 3181, 3187, 3191, 3203, 3209, 3217, 3221,
158 3229, 3251, 3253, 3257, 3259, 3271, 3299, 3301, 3307, 3313, 3319, 3323,
159 3329, 3331, 3343, 3347, 3359, 3361, 3371, 3373, 3389, 3391, 3407, 3413,
160 3433, 3449, 3457, 3461, 3463, 3467, 3469, 3491, 3499, 3511, 3517, 3527,
161 3529, 3533, 3539, 3541, 3547, 3557, 3559, 3571, 3581, 3583, 3593, 3607,
162 3613, 3617, 3623, 3631, 3637, 3643, 3659, 3671, 3673, 3677, 3691, 3697,
163 3701, 3709, 3719, 3727, 3733, 3739, 3761, 3767, 3769, 3779, 3793, 3797,
164 3803, 3821, 3823, 3833, 3847, 3851, 3853, 3863, 3877, 3881, 3889, 3907,
165 3911, 3917, 3919, 3923, 3929, 3931, 3943, 3947, 3967, 3989, 4001, 4003,
166 4007, 4013, 4019, 4021, 4027, 4049, 4051, 4057, 4073, 4079, 4091, 4093,
167 4099, 4111, 4127, 4129, 4133, 4139, 4153, 4157, 4159, 4177, 4201, 4211,
168 4217, 4219, 4229, 4231, 4241, 4243, 4253, 4259, 4261, 4271, 4273, 4283,
169 4289, 4297, 4327, 4337, 4339, 4349, 4357, 4363, 4373, 4391, 4397, 4409,
170 4421, 4423, 4441, 4447, 4451, 4457, 4463, 4481, 4483, 4493, 4507, 4513,
171 4517, 4519, 4523, 4547, 4549, 4561, 4567, 4583, 4591, 4597, 4603, 4621,
172 4637, 4639, 4643, 4649, 4651, 4657, 4663, 4673, 4679, 4691, 4703, 4721,
173 4723, 4729, 4733, 4751, 4759, 4783, 4787, 4789, 4793, 4799, 4801, 4813,
174 4817, 4831, 4861, 4871, 4877, 4889, 4903, 4909, 4919, 4931, 4933, 4937,
175 4943, 4951, 4957, 4967, 4969, 4973, 4987, 4993, 4999, 5003, 5009, 5011,
176 5021, 5023, 5039, 5051, 5059, 5077, 5081, 5087, 5099, 5101, 5107, 5113,
177 5119, 5147, 5153, 5167, 5171, 5179, 5189, 5197, 5209, 5227, 5231, 5233,
178 5237, 5261, 5273, 5279, 5281, 5297, 5303, 5309, 5323, 5333, 5347, 5351,
179 5381, 5387, 5393, 5399, 5407, 5413, 5417, 5419, 5431, 5437, 5441, 5443,
180 5449, 5471, 5477, 5479, 5483, 5501, 5503, 5507, 5519, 5521, 5527, 5531,
181 5557, 5563, 5569, 5573, 5581, 5591, 5623, 5639, 5641, 5647, 5651, 5653,
182 5657, 5659, 5669, 5683, 5689, 5693, 5701, 5711, 5717, 5737, 5741, 5743,
183 5749, 5779, 5783, 5791, 5801, 5807, 5813, 5821, 5827, 5839, 5843, 5849,
184 5851, 5857, 5861, 5867, 5869, 5879, 5881, 5897, 5903, 5923, 5927, 5939,
185 5953, 5981, 5987, 6007, 6011, 6029, 6037, 6043, 6047, 6053, 6067, 6073,
186 6079, 6089, 6091, 6101, 6113, 6121, 6131, 6133, 6143, 6151, 6163, 6173,
187 6197, 6199, 6203, 6211, 6217, 6221, 6229, 6247, 6257, 6263, 6269, 6271,
188 6277, 6287, 6299, 6301, 6311, 6317, 6323, 6329, 6337, 6343, 6353, 6359,
189 6361, 6367, 6373, 6379, 6389, 6397, 6421, 6427, 6449, 6451, 6469, 6473,
190 6481, 6491, 6521, 6529, 6547, 6551, 6553, 6563, 6569, 6571, 6577, 6581,
191 6599, 6607, 6619, 6637, 6653, 6659, 6661, 6673, 6679, 6689, 6691, 6701,
192 6703, 6709, 6719, 6733, 6737, 6761, 6763, 6779, 6781, 6791, 6793, 6803,
193 6823, 6827, 6829, 6833, 6841, 6857, 6863, 6869, 6871, 6883, 6899, 6907,
194 6911, 6917, 6947, 6949, 6959, 6961, 6967, 6971, 6977, 6983, 6991, 6997,
195 7001, 7013, 7019, 7027, 7039, 7043, 7057, 7069, 7079, 7103, 7109, 7121,
196 7127, 7129, 7151, 7159, 7177, 7187, 7193, 7207, 7211, 7213, 7219, 7229,
197 7237, 7243, 7247, 7253, 7283, 7297, 7307, 7309, 7321, 7331, 7333, 7349,
198 7351, 7369, 7393, 7411, 7417, 7433, 7451, 7457, 7459, 7477, 7481, 7487,
199 7489, 7499, 7507, 7517, 7523, 7529, 7537, 7541, 7547, 7549, 7559, 7561,
200 7573, 7577, 7583, 7589, 7591, 7603, 7607, 7621, 7639, 7643, 7649, 7669,
201 7673, 7681, 7687, 7691, 7699, 7703, 7717, 7723, 7727, 7741, 7753, 7757,
202 7759, 7789, 7793, 7817, 7823, 7829, 7841, 7853, 7867, 7873, 7877, 7879,
203 7883, 7901, 7907, 7919, 7927, 7933, 7937, 7949, 7951, 7963, 7993, 8009,
204 8011, 8017, 8039, 8053, 8059, 8069, 8081, 8087, 8089, 8093, 8101, 8111,
205 8117, 8123, 8147, 8161,
206 };
207
208 // BN_prime_checks_for_size returns the number of Miller-Rabin iterations
209 // necessary for generating a 'bits'-bit candidate prime.
210 //
211 //
212 // This table is generated using the algorithm of FIPS PUB 186-4
213 // Digital Signature Standard (DSS), section F.1, page 117.
214 // (https://doi.org/10.6028/NIST.FIPS.186-4)
215 // The following magma script was used to generate the output:
216 // securitybits:=125;
217 // k:=1024;
218 // for t:=1 to 65 do
219 // for M:=3 to Floor(2*Sqrt(k-1)-1) do
220 // S:=0;
221 // // Sum over m
222 // for m:=3 to M do
223 // s:=0;
224 // // Sum over j
225 // for j:=2 to m do
226 // s+:=(RealField(32)!2)^-(j+(k-1)/j);
227 // end for;
228 // S+:=2^(m-(m-1)*t)*s;
229 // end for;
230 // A:=2^(k-2-M*t);
231 // B:=8*(Pi(RealField(32))^2-6)/3*2^(k-2)*S;
232 // pkt:=2.00743*Log(2)*k*2^-k*(A+B);
233 // seclevel:=Floor(-Log(2,pkt));
234 // if seclevel ge securitybits then
235 // printf "k: %5o, security: %o bits (t: %o, M: %o)\n",k,seclevel,t,M;
236 // break;
237 // end if;
238 // end for;
239 // if seclevel ge securitybits then break; end if;
240 // end for;
241 //
242 // It can be run online at: http://magma.maths.usyd.edu.au/calc
243 // And will output:
244 // k: 1024, security: 129 bits (t: 6, M: 23)
245 // k is the number of bits of the prime, securitybits is the level we want to
246 // reach.
247 // prime length | RSA key size | # MR tests | security level
248 // -------------+--------------|------------+---------------
249 // (b) >= 6394 | >= 12788 | 3 | 256 bit
250 // (b) >= 3747 | >= 7494 | 3 | 192 bit
251 // (b) >= 1345 | >= 2690 | 4 | 128 bit
252 // (b) >= 1080 | >= 2160 | 5 | 128 bit
253 // (b) >= 852 | >= 1704 | 5 | 112 bit
254 // (b) >= 476 | >= 952 | 5 | 80 bit
255 // (b) >= 400 | >= 800 | 6 | 80 bit
256 // (b) >= 347 | >= 694 | 7 | 80 bit
257 // (b) >= 308 | >= 616 | 8 | 80 bit
258 // (b) >= 55 | >= 110 | 27 | 64 bit
259 // (b) >= 6 | >= 12 | 34 | 64 bit
BN_prime_checks_for_size(int bits)260 static int BN_prime_checks_for_size(int bits) {
261 if (bits >= 3747) {
262 return 3;
263 }
264 if (bits >= 1345) {
265 return 4;
266 }
267 if (bits >= 476) {
268 return 5;
269 }
270 if (bits >= 400) {
271 return 6;
272 }
273 if (bits >= 347) {
274 return 7;
275 }
276 if (bits >= 308) {
277 return 8;
278 }
279 if (bits >= 55) {
280 return 27;
281 }
282 return 34;
283 }
284
285 // num_trial_division_primes returns the number of primes to try with trial
286 // division before using more expensive checks. For larger numbers, the value
287 // of excluding a candidate with trial division is larger.
num_trial_division_primes(const BIGNUM * n)288 static size_t num_trial_division_primes(const BIGNUM *n) {
289 if (n->width * BN_BITS2 > 1024) {
290 return OPENSSL_ARRAY_SIZE(kPrimes);
291 }
292 return OPENSSL_ARRAY_SIZE(kPrimes) / 2;
293 }
294
295 // BN_PRIME_CHECKS_BLINDED is the iteration count for blinding the constant-time
296 // primality test. See |BN_primality_test| for details. This number is selected
297 // so that, for a candidate N-bit RSA prime, picking |BN_PRIME_CHECKS_BLINDED|
298 // random N-bit numbers will have at least |BN_prime_checks_for_size(N)| values
299 // in range with high probability.
300 //
301 // The following Python script computes the blinding factor needed for the
302 // corresponding iteration count.
303 /*
304 import math
305
306 # We choose candidate RSA primes between sqrt(2)/2 * 2^N and 2^N and select
307 # witnesses by generating random N-bit numbers. Thus the probability of
308 # selecting one in range is at least sqrt(2)/2.
309 p = math.sqrt(2) / 2
310
311 # Target around 2^-8 probability of the blinding being insufficient given that
312 # key generation is a one-time, noisy operation.
313 epsilon = 2**-8
314
315 def choose(a, b):
316 r = 1
317 for i in xrange(b):
318 r *= a - i
319 r /= (i + 1)
320 return r
321
322 def failure_rate(min_uniform, iterations):
323 """ Returns the probability that, for |iterations| candidate witnesses, fewer
324 than |min_uniform| of them will be uniform. """
325 prob = 0.0
326 for i in xrange(min_uniform):
327 prob += (choose(iterations, i) *
328 p**i * (1-p)**(iterations - i))
329 return prob
330
331 for min_uniform in (3, 4, 5, 6, 8, 13, 19, 28):
332 # Find the smallest number of iterations under the target failure rate.
333 iterations = min_uniform
334 while True:
335 prob = failure_rate(min_uniform, iterations)
336 if prob < epsilon:
337 print min_uniform, iterations, prob
338 break
339 iterations += 1
340
341 Output:
342 3 9 0.00368894873911
343 4 11 0.00363319494662
344 5 13 0.00336215573898
345 6 15 0.00300145783158
346 8 19 0.00225214119331
347 13 27 0.00385610026955
348 19 38 0.0021410539126
349 28 52 0.00325405801769
350
351 16 iterations suffices for 400-bit primes and larger (6 uniform samples needed),
352 which is already well below the minimum acceptable key size for RSA.
353 */
354 #define BN_PRIME_CHECKS_BLINDED 16
355
356 static int probable_prime(BIGNUM *rnd, int bits);
357 static int probable_prime_dh(BIGNUM *rnd, int bits, const BIGNUM *add,
358 const BIGNUM *rem, BN_CTX *ctx);
359 static int probable_prime_dh_safe(BIGNUM *rnd, int bits, const BIGNUM *add,
360 const BIGNUM *rem, BN_CTX *ctx);
361
BN_GENCB_new(void)362 BN_GENCB *BN_GENCB_new(void) { return OPENSSL_zalloc(sizeof(BN_GENCB)); }
363
BN_GENCB_free(BN_GENCB * callback)364 void BN_GENCB_free(BN_GENCB *callback) { OPENSSL_free(callback); }
365
BN_GENCB_set(BN_GENCB * callback,int (* f)(int event,int n,struct bn_gencb_st *),void * arg)366 void BN_GENCB_set(BN_GENCB *callback,
367 int (*f)(int event, int n, struct bn_gencb_st *),
368 void *arg) {
369 callback->callback = f;
370 callback->arg = arg;
371 }
372
BN_GENCB_call(BN_GENCB * callback,int event,int n)373 int BN_GENCB_call(BN_GENCB *callback, int event, int n) {
374 if (!callback) {
375 return 1;
376 }
377
378 return callback->callback(event, n, callback);
379 }
380
BN_GENCB_get_arg(const BN_GENCB * callback)381 void *BN_GENCB_get_arg(const BN_GENCB *callback) { return callback->arg; }
382
BN_generate_prime_ex(BIGNUM * ret,int bits,int safe,const BIGNUM * add,const BIGNUM * rem,BN_GENCB * cb)383 int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe, const BIGNUM *add,
384 const BIGNUM *rem, BN_GENCB *cb) {
385 BIGNUM *t;
386 int found = 0;
387 int i, j, c1 = 0;
388 BN_CTX *ctx;
389 int checks = BN_prime_checks_for_size(bits);
390
391 if (bits < 2) {
392 // There are no prime numbers this small.
393 OPENSSL_PUT_ERROR(BN, BN_R_BITS_TOO_SMALL);
394 return 0;
395 } else if (bits == 2 && safe) {
396 // The smallest safe prime (7) is three bits.
397 OPENSSL_PUT_ERROR(BN, BN_R_BITS_TOO_SMALL);
398 return 0;
399 }
400
401 ctx = BN_CTX_new();
402 if (ctx == NULL) {
403 goto err;
404 }
405 BN_CTX_start(ctx);
406 t = BN_CTX_get(ctx);
407 if (!t) {
408 goto err;
409 }
410
411 loop:
412 // make a random number and set the top and bottom bits
413 if (add == NULL) {
414 if (!probable_prime(ret, bits)) {
415 goto err;
416 }
417 } else {
418 if (safe) {
419 if (!probable_prime_dh_safe(ret, bits, add, rem, ctx)) {
420 goto err;
421 }
422 } else {
423 if (!probable_prime_dh(ret, bits, add, rem, ctx)) {
424 goto err;
425 }
426 }
427 }
428
429 if (!BN_GENCB_call(cb, BN_GENCB_GENERATED, c1++)) {
430 // aborted
431 goto err;
432 }
433
434 if (!safe) {
435 i = BN_is_prime_fasttest_ex(ret, checks, ctx, 0, cb);
436 if (i == -1) {
437 goto err;
438 } else if (i == 0) {
439 goto loop;
440 }
441 } else {
442 // for "safe prime" generation, check that (p-1)/2 is prime. Since a prime
443 // is odd, We just need to divide by 2
444 if (!BN_rshift1(t, ret)) {
445 goto err;
446 }
447
448 // Interleave |ret| and |t|'s primality tests to avoid paying the full
449 // iteration count on |ret| only to quickly discover |t| is composite.
450 //
451 // TODO(davidben): This doesn't quite work because an iteration count of 1
452 // still runs the blinding mechanism.
453 for (i = 0; i < checks; i++) {
454 j = BN_is_prime_fasttest_ex(ret, 1, ctx, 0, NULL);
455 if (j == -1) {
456 goto err;
457 } else if (j == 0) {
458 goto loop;
459 }
460
461 j = BN_is_prime_fasttest_ex(t, 1, ctx, 0, NULL);
462 if (j == -1) {
463 goto err;
464 } else if (j == 0) {
465 goto loop;
466 }
467
468 if (!BN_GENCB_call(cb, BN_GENCB_PRIME_TEST, i)) {
469 goto err;
470 }
471 // We have a safe prime test pass
472 }
473 }
474
475 // we have a prime :-)
476 found = 1;
477
478 err:
479 if (ctx != NULL) {
480 BN_CTX_end(ctx);
481 BN_CTX_free(ctx);
482 }
483
484 return found;
485 }
486
bn_trial_division(uint16_t * out,const BIGNUM * bn)487 static int bn_trial_division(uint16_t *out, const BIGNUM *bn) {
488 const size_t num_primes = num_trial_division_primes(bn);
489 for (size_t i = 1; i < num_primes; i++) {
490 if (bn_mod_u16_consttime(bn, kPrimes[i]) == 0) {
491 *out = kPrimes[i];
492 return 1;
493 }
494 }
495 return 0;
496 }
497
bn_odd_number_is_obviously_composite(const BIGNUM * bn)498 int bn_odd_number_is_obviously_composite(const BIGNUM *bn) {
499 uint16_t prime;
500 return bn_trial_division(&prime, bn) && !BN_is_word(bn, prime);
501 }
502
bn_miller_rabin_init(BN_MILLER_RABIN * miller_rabin,const BN_MONT_CTX * mont,BN_CTX * ctx)503 int bn_miller_rabin_init(BN_MILLER_RABIN *miller_rabin, const BN_MONT_CTX *mont,
504 BN_CTX *ctx) {
505 // This function corresponds to steps 1 through 3 of FIPS 186-4, C.3.1.
506 const BIGNUM *w = &mont->N;
507 // Note we do not call |BN_CTX_start| in this function. We intentionally
508 // allocate values in the containing scope so they outlive this function.
509 miller_rabin->w1 = BN_CTX_get(ctx);
510 miller_rabin->m = BN_CTX_get(ctx);
511 miller_rabin->one_mont = BN_CTX_get(ctx);
512 miller_rabin->w1_mont = BN_CTX_get(ctx);
513 if (miller_rabin->w1 == NULL ||
514 miller_rabin->m == NULL ||
515 miller_rabin->one_mont == NULL ||
516 miller_rabin->w1_mont == NULL) {
517 return 0;
518 }
519
520 // See FIPS 186-4, C.3.1, steps 1 through 3.
521 if (!bn_usub_consttime(miller_rabin->w1, w, BN_value_one())) {
522 return 0;
523 }
524 miller_rabin->a = BN_count_low_zero_bits(miller_rabin->w1);
525 if (!bn_rshift_secret_shift(miller_rabin->m, miller_rabin->w1,
526 miller_rabin->a, ctx)) {
527 return 0;
528 }
529 miller_rabin->w_bits = BN_num_bits(w);
530
531 // Precompute some values in Montgomery form.
532 if (!bn_one_to_montgomery(miller_rabin->one_mont, mont, ctx) ||
533 // w - 1 is -1 mod w, so we can compute it in the Montgomery domain, -R,
534 // with a subtraction. (|one_mont| cannot be zero.)
535 !bn_usub_consttime(miller_rabin->w1_mont, w, miller_rabin->one_mont)) {
536 return 0;
537 }
538
539 return 1;
540 }
541
bn_miller_rabin_iteration(const BN_MILLER_RABIN * miller_rabin,int * out_is_possibly_prime,const BIGNUM * b,const BN_MONT_CTX * mont,BN_CTX * ctx)542 int bn_miller_rabin_iteration(const BN_MILLER_RABIN *miller_rabin,
543 int *out_is_possibly_prime, const BIGNUM *b,
544 const BN_MONT_CTX *mont, BN_CTX *ctx) {
545 // This function corresponds to steps 4.3 through 4.5 of FIPS 186-4, C.3.1.
546 int ret = 0;
547 BN_CTX_start(ctx);
548
549 // Step 4.3. We use Montgomery-encoding for better performance and to avoid
550 // timing leaks.
551 const BIGNUM *w = &mont->N;
552 BIGNUM *z = BN_CTX_get(ctx);
553 if (z == NULL ||
554 !BN_mod_exp_mont_consttime(z, b, miller_rabin->m, w, ctx, mont) ||
555 !BN_to_montgomery(z, z, mont, ctx)) {
556 goto err;
557 }
558
559 // is_possibly_prime is all ones if we have determined |b| is not a composite
560 // witness for |w|. This is equivalent to going to step 4.7 in the original
561 // algorithm. To avoid timing leaks, we run the algorithm to the end for prime
562 // inputs.
563 crypto_word_t is_possibly_prime = 0;
564
565 // Step 4.4. If z = 1 or z = w-1, b is not a composite witness and w is still
566 // possibly prime.
567 is_possibly_prime = BN_equal_consttime(z, miller_rabin->one_mont) |
568 BN_equal_consttime(z, miller_rabin->w1_mont);
569 is_possibly_prime = 0 - is_possibly_prime; // Make it all zeros or all ones.
570
571 // Step 4.5.
572 //
573 // To avoid leaking |a|, we run the loop to |w_bits| and mask off all
574 // iterations once |j| = |a|.
575 for (int j = 1; j < miller_rabin->w_bits; j++) {
576 if (constant_time_eq_int(j, miller_rabin->a) & ~is_possibly_prime) {
577 // If the loop is done and we haven't seen z = 1 or z = w-1 yet, the
578 // value is composite and we can break in variable time.
579 break;
580 }
581
582 // Step 4.5.1.
583 if (!BN_mod_mul_montgomery(z, z, z, mont, ctx)) {
584 goto err;
585 }
586
587 // Step 4.5.2. If z = w-1 and the loop is not done, this is not a composite
588 // witness.
589 crypto_word_t z_is_w1_mont = BN_equal_consttime(z, miller_rabin->w1_mont);
590 z_is_w1_mont = 0 - z_is_w1_mont; // Make it all zeros or all ones.
591 is_possibly_prime |= z_is_w1_mont; // Go to step 4.7 if |z_is_w1_mont|.
592
593 // Step 4.5.3. If z = 1 and the loop is not done, the previous value of z
594 // was not -1. There are no non-trivial square roots of 1 modulo a prime, so
595 // w is composite and we may exit in variable time.
596 if (BN_equal_consttime(z, miller_rabin->one_mont) & ~is_possibly_prime) {
597 break;
598 }
599 }
600
601 *out_is_possibly_prime = is_possibly_prime & 1;
602 ret = 1;
603
604 err:
605 BN_CTX_end(ctx);
606 return ret;
607 }
608
BN_primality_test(int * out_is_probably_prime,const BIGNUM * w,int checks,BN_CTX * ctx,int do_trial_division,BN_GENCB * cb)609 int BN_primality_test(int *out_is_probably_prime, const BIGNUM *w, int checks,
610 BN_CTX *ctx, int do_trial_division, BN_GENCB *cb) {
611 // This function's secrecy and performance requirements come from RSA key
612 // generation. We generate RSA keys by selecting two large, secret primes with
613 // rejection sampling.
614 //
615 // We thus treat |w| as secret if turns out to be a large prime. However, if
616 // |w| is composite, we treat this and |w| itself as public. (Conversely, if
617 // |w| is prime, that it is prime is public. Only the value is secret.) This
618 // is fine for RSA key generation, but note it is important that we use
619 // rejection sampling, with each candidate prime chosen independently. This
620 // would not work for, e.g., an algorithm which looked for primes in
621 // consecutive integers. These assumptions allow us to discard composites
622 // quickly. We additionally treat |w| as public when it is a small prime to
623 // simplify trial decryption and some edge cases.
624 //
625 // One RSA key generation will call this function on exactly two primes and
626 // many more composites. The overall cost is a combination of several factors:
627 //
628 // 1. Checking if |w| is divisible by a small prime is much faster than
629 // learning it is composite by Miller-Rabin (see below for details on that
630 // cost). Trial division by p saves 1/p of Miller-Rabin calls, so this is
631 // worthwhile until p exceeds the ratio of the two costs.
632 //
633 // 2. For a random (i.e. non-adversarial) candidate large prime and candidate
634 // witness, the probability of false witness is very low. (This is why FIPS
635 // 186-4 only requires a few iterations.) Thus composites not discarded by
636 // trial decryption, in practice, cost one Miller-Rabin iteration. Only the
637 // two actual primes cost the full iteration count.
638 //
639 // 3. A Miller-Rabin iteration is a modular exponentiation plus |a| additional
640 // modular squares, where |a| is the number of factors of two in |w-1|. |a|
641 // is likely small (the distribution falls exponentially), but it is also
642 // potentially secret, so we loop up to its log(w) upper bound when |w| is
643 // prime. When |w| is composite, we break early, so only two calls pay this
644 // cost. (Note that all calls pay the modular exponentiation which is,
645 // itself, log(w) modular multiplications and squares.)
646 //
647 // 4. While there are only two prime calls, they multiplicatively pay the full
648 // costs of (2) and (3).
649 //
650 // 5. After the primes are chosen, RSA keys derive some values from the
651 // primes, but this cost is negligible in comparison.
652
653 *out_is_probably_prime = 0;
654
655 if (BN_cmp(w, BN_value_one()) <= 0) {
656 return 1;
657 }
658
659 if (!BN_is_odd(w)) {
660 // The only even prime is two.
661 *out_is_probably_prime = BN_is_word(w, 2);
662 return 1;
663 }
664
665 // Miller-Rabin does not work for three.
666 if (BN_is_word(w, 3)) {
667 *out_is_probably_prime = 1;
668 return 1;
669 }
670
671 if (do_trial_division) {
672 // Perform additional trial division checks to discard small primes.
673 uint16_t prime;
674 if (bn_trial_division(&prime, w)) {
675 *out_is_probably_prime = BN_is_word(w, prime);
676 return 1;
677 }
678 if (!BN_GENCB_call(cb, BN_GENCB_PRIME_TEST, -1)) {
679 return 0;
680 }
681 }
682
683 if (checks == BN_prime_checks_for_generation) {
684 checks = BN_prime_checks_for_size(BN_num_bits(w));
685 }
686
687 BN_CTX *new_ctx = NULL;
688 if (ctx == NULL) {
689 new_ctx = BN_CTX_new();
690 if (new_ctx == NULL) {
691 return 0;
692 }
693 ctx = new_ctx;
694 }
695
696 // See C.3.1 from FIPS 186-4.
697 int ret = 0;
698 BN_CTX_start(ctx);
699 BIGNUM *b = BN_CTX_get(ctx);
700 BN_MONT_CTX *mont = BN_MONT_CTX_new_consttime(w, ctx);
701 BN_MILLER_RABIN miller_rabin;
702 if (b == NULL || mont == NULL ||
703 // Steps 1-3.
704 !bn_miller_rabin_init(&miller_rabin, mont, ctx)) {
705 goto err;
706 }
707
708 // The following loop performs in inner iteration of the Miller-Rabin
709 // Primality test (Step 4).
710 //
711 // The algorithm as specified in FIPS 186-4 leaks information on |w|, the RSA
712 // private key. Instead, we run through each iteration unconditionally,
713 // performing modular multiplications, masking off any effects to behave
714 // equivalently to the specified algorithm.
715 //
716 // We also blind the number of values of |b| we try. Steps 4.1–4.2 say to
717 // discard out-of-range values. To avoid leaking information on |w|, we use
718 // |bn_rand_secret_range| which, rather than discarding bad values, adjusts
719 // them to be in range. Though not uniformly selected, these adjusted values
720 // are still usable as Miller-Rabin checks.
721 //
722 // Miller-Rabin is already probabilistic, so we could reach the desired
723 // confidence levels by just suitably increasing the iteration count. However,
724 // to align with FIPS 186-4, we use a more pessimal analysis: we do not count
725 // the non-uniform values towards the iteration count. As a result, this
726 // function is more complex and has more timing risk than necessary.
727 //
728 // We count both total iterations and uniform ones and iterate until we've
729 // reached at least |BN_PRIME_CHECKS_BLINDED| and |iterations|, respectively.
730 // If the latter is large enough, it will be the limiting factor with high
731 // probability and we won't leak information.
732 //
733 // Note this blinding does not impact most calls when picking primes because
734 // composites are rejected early. Only the two secret primes see extra work.
735
736 crypto_word_t uniform_iterations = 0;
737 // Using |constant_time_lt_w| seems to prevent the compiler from optimizing
738 // this into two jumps.
739 for (int i = 1; (i <= BN_PRIME_CHECKS_BLINDED) |
740 constant_time_lt_w(uniform_iterations, checks);
741 i++) {
742 // Step 4.1-4.2
743 int is_uniform;
744 if (!bn_rand_secret_range(b, &is_uniform, 2, miller_rabin.w1)) {
745 goto err;
746 }
747 uniform_iterations += is_uniform;
748
749 // Steps 4.3-4.5
750 int is_possibly_prime = 0;
751 if (!bn_miller_rabin_iteration(&miller_rabin, &is_possibly_prime, b, mont,
752 ctx)) {
753 goto err;
754 }
755
756 if (!is_possibly_prime) {
757 // Step 4.6. We did not see z = w-1 before z = 1, so w must be composite.
758 *out_is_probably_prime = 0;
759 ret = 1;
760 goto err;
761 }
762
763 // Step 4.7
764 if (!BN_GENCB_call(cb, BN_GENCB_PRIME_TEST, i - 1)) {
765 goto err;
766 }
767 }
768
769 assert(uniform_iterations >= (crypto_word_t)checks);
770 *out_is_probably_prime = 1;
771 ret = 1;
772
773 err:
774 BN_MONT_CTX_free(mont);
775 BN_CTX_end(ctx);
776 BN_CTX_free(new_ctx);
777 return ret;
778 }
779
BN_is_prime_ex(const BIGNUM * candidate,int checks,BN_CTX * ctx,BN_GENCB * cb)780 int BN_is_prime_ex(const BIGNUM *candidate, int checks, BN_CTX *ctx,
781 BN_GENCB *cb) {
782 return BN_is_prime_fasttest_ex(candidate, checks, ctx, 0, cb);
783 }
784
BN_is_prime_fasttest_ex(const BIGNUM * a,int checks,BN_CTX * ctx,int do_trial_division,BN_GENCB * cb)785 int BN_is_prime_fasttest_ex(const BIGNUM *a, int checks, BN_CTX *ctx,
786 int do_trial_division, BN_GENCB *cb) {
787 int is_probably_prime;
788 if (!BN_primality_test(&is_probably_prime, a, checks, ctx, do_trial_division,
789 cb)) {
790 return -1;
791 }
792 return is_probably_prime;
793 }
794
BN_enhanced_miller_rabin_primality_test(enum bn_primality_result_t * out_result,const BIGNUM * w,int checks,BN_CTX * ctx,BN_GENCB * cb)795 int BN_enhanced_miller_rabin_primality_test(
796 enum bn_primality_result_t *out_result, const BIGNUM *w, int checks,
797 BN_CTX *ctx, BN_GENCB *cb) {
798 // Enhanced Miller-Rabin is only valid on odd integers greater than 3.
799 if (!BN_is_odd(w) || BN_cmp_word(w, 3) <= 0) {
800 OPENSSL_PUT_ERROR(BN, BN_R_INVALID_INPUT);
801 return 0;
802 }
803
804 if (checks == BN_prime_checks_for_generation) {
805 checks = BN_prime_checks_for_size(BN_num_bits(w));
806 }
807
808 int ret = 0;
809 BN_MONT_CTX *mont = NULL;
810
811 BN_CTX_start(ctx);
812
813 BIGNUM *w1 = BN_CTX_get(ctx);
814 if (w1 == NULL ||
815 !BN_copy(w1, w) ||
816 !BN_sub_word(w1, 1)) {
817 goto err;
818 }
819
820 // Write w1 as m*2^a (Steps 1 and 2).
821 int a = 0;
822 while (!BN_is_bit_set(w1, a)) {
823 a++;
824 }
825 BIGNUM *m = BN_CTX_get(ctx);
826 if (m == NULL ||
827 !BN_rshift(m, w1, a)) {
828 goto err;
829 }
830
831 BIGNUM *b = BN_CTX_get(ctx);
832 BIGNUM *g = BN_CTX_get(ctx);
833 BIGNUM *z = BN_CTX_get(ctx);
834 BIGNUM *x = BN_CTX_get(ctx);
835 BIGNUM *x1 = BN_CTX_get(ctx);
836 if (b == NULL ||
837 g == NULL ||
838 z == NULL ||
839 x == NULL ||
840 x1 == NULL) {
841 goto err;
842 }
843
844 // Montgomery setup for computations mod w
845 mont = BN_MONT_CTX_new_for_modulus(w, ctx);
846 if (mont == NULL) {
847 goto err;
848 }
849
850 // The following loop performs in inner iteration of the Enhanced Miller-Rabin
851 // Primality test (Step 4).
852 for (int i = 1; i <= checks; i++) {
853 // Step 4.1-4.2
854 if (!BN_rand_range_ex(b, 2, w1)) {
855 goto err;
856 }
857
858 // Step 4.3-4.4
859 if (!BN_gcd(g, b, w, ctx)) {
860 goto err;
861 }
862 if (BN_cmp_word(g, 1) > 0) {
863 *out_result = bn_composite;
864 ret = 1;
865 goto err;
866 }
867
868 // Step 4.5
869 if (!BN_mod_exp_mont(z, b, m, w, ctx, mont)) {
870 goto err;
871 }
872
873 // Step 4.6
874 if (BN_is_one(z) || BN_cmp(z, w1) == 0) {
875 goto loop;
876 }
877
878 // Step 4.7
879 for (int j = 1; j < a; j++) {
880 if (!BN_copy(x, z) || !BN_mod_mul(z, x, x, w, ctx)) {
881 goto err;
882 }
883 if (BN_cmp(z, w1) == 0) {
884 goto loop;
885 }
886 if (BN_is_one(z)) {
887 goto composite;
888 }
889 }
890
891 // Step 4.8-4.9
892 if (!BN_copy(x, z) || !BN_mod_mul(z, x, x, w, ctx)) {
893 goto err;
894 }
895
896 // Step 4.10-4.11
897 if (!BN_is_one(z) && !BN_copy(x, z)) {
898 goto err;
899 }
900
901 composite:
902 // Step 4.12-4.14
903 if (!BN_copy(x1, x) ||
904 !BN_sub_word(x1, 1) ||
905 !BN_gcd(g, x1, w, ctx)) {
906 goto err;
907 }
908 if (BN_cmp_word(g, 1) > 0) {
909 *out_result = bn_composite;
910 } else {
911 *out_result = bn_non_prime_power_composite;
912 }
913
914 ret = 1;
915 goto err;
916
917 loop:
918 // Step 4.15
919 if (!BN_GENCB_call(cb, BN_GENCB_PRIME_TEST, i - 1)) {
920 goto err;
921 }
922 }
923
924 *out_result = bn_probably_prime;
925 ret = 1;
926
927 err:
928 BN_MONT_CTX_free(mont);
929 BN_CTX_end(ctx);
930
931 return ret;
932 }
933
probable_prime(BIGNUM * rnd,int bits)934 static int probable_prime(BIGNUM *rnd, int bits) {
935 do {
936 if (!BN_rand(rnd, bits, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ODD)) {
937 return 0;
938 }
939 } while (bn_odd_number_is_obviously_composite(rnd));
940 return 1;
941 }
942
probable_prime_dh(BIGNUM * rnd,int bits,const BIGNUM * add,const BIGNUM * rem,BN_CTX * ctx)943 static int probable_prime_dh(BIGNUM *rnd, int bits, const BIGNUM *add,
944 const BIGNUM *rem, BN_CTX *ctx) {
945 int ret = 0;
946 BIGNUM *t1;
947
948 BN_CTX_start(ctx);
949 if ((t1 = BN_CTX_get(ctx)) == NULL) {
950 goto err;
951 }
952
953 if (!BN_rand(rnd, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD)) {
954 goto err;
955 }
956
957 // we need ((rnd-rem) % add) == 0
958
959 if (!BN_mod(t1, rnd, add, ctx)) {
960 goto err;
961 }
962 if (!BN_sub(rnd, rnd, t1)) {
963 goto err;
964 }
965 if (rem == NULL) {
966 if (!BN_add_word(rnd, 1)) {
967 goto err;
968 }
969 } else {
970 if (!BN_add(rnd, rnd, rem)) {
971 goto err;
972 }
973 }
974 // we now have a random number 'rand' to test.
975
976 const size_t num_primes = num_trial_division_primes(rnd);
977 loop:
978 for (size_t i = 1; i < num_primes; i++) {
979 // check that rnd is a prime
980 if (bn_mod_u16_consttime(rnd, kPrimes[i]) <= 1) {
981 if (!BN_add(rnd, rnd, add)) {
982 goto err;
983 }
984 goto loop;
985 }
986 }
987
988 ret = 1;
989
990 err:
991 BN_CTX_end(ctx);
992 return ret;
993 }
994
probable_prime_dh_safe(BIGNUM * p,int bits,const BIGNUM * padd,const BIGNUM * rem,BN_CTX * ctx)995 static int probable_prime_dh_safe(BIGNUM *p, int bits, const BIGNUM *padd,
996 const BIGNUM *rem, BN_CTX *ctx) {
997 int ret = 0;
998 BIGNUM *t1, *qadd, *q;
999
1000 bits--;
1001 BN_CTX_start(ctx);
1002 t1 = BN_CTX_get(ctx);
1003 q = BN_CTX_get(ctx);
1004 qadd = BN_CTX_get(ctx);
1005 if (qadd == NULL) {
1006 goto err;
1007 }
1008
1009 if (!BN_rshift1(qadd, padd)) {
1010 goto err;
1011 }
1012
1013 if (!BN_rand(q, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD)) {
1014 goto err;
1015 }
1016
1017 // we need ((rnd-rem) % add) == 0
1018 if (!BN_mod(t1, q, qadd, ctx)) {
1019 goto err;
1020 }
1021
1022 if (!BN_sub(q, q, t1)) {
1023 goto err;
1024 }
1025
1026 if (rem == NULL) {
1027 if (!BN_add_word(q, 1)) {
1028 goto err;
1029 }
1030 } else {
1031 if (!BN_rshift1(t1, rem)) {
1032 goto err;
1033 }
1034 if (!BN_add(q, q, t1)) {
1035 goto err;
1036 }
1037 }
1038
1039 // we now have a random number 'rand' to test.
1040 if (!BN_lshift1(p, q)) {
1041 goto err;
1042 }
1043 if (!BN_add_word(p, 1)) {
1044 goto err;
1045 }
1046
1047 const size_t num_primes = num_trial_division_primes(p);
1048 loop:
1049 for (size_t i = 1; i < num_primes; i++) {
1050 // check that p and q are prime
1051 // check that for p and q
1052 // gcd(p-1,primes) == 1 (except for 2)
1053 if (bn_mod_u16_consttime(p, kPrimes[i]) == 0 ||
1054 bn_mod_u16_consttime(q, kPrimes[i]) == 0) {
1055 if (!BN_add(p, p, padd)) {
1056 goto err;
1057 }
1058 if (!BN_add(q, q, qadd)) {
1059 goto err;
1060 }
1061 goto loop;
1062 }
1063 }
1064
1065 ret = 1;
1066
1067 err:
1068 BN_CTX_end(ctx);
1069 return ret;
1070 }
1071