1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57 /* ====================================================================
58 * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
65 * notice, this list of conditions and the following disclaimer.
66 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
70 * distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 * acknowledgment:
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com). */
108
109 #include <openssl/bn.h>
110
111 #include <openssl/err.h>
112 #include <openssl/mem.h>
113
114 #include "internal.h"
115
116 /* number of Miller-Rabin iterations for an error rate of less than 2^-80
117 * for random 'b'-bit input, b >= 100 (taken from table 4.4 in the Handbook
118 * of Applied Cryptography [Menezes, van Oorschot, Vanstone; CRC Press 1996];
119 * original paper: Damgaard, Landrock, Pomerance: Average case error estimates
120 * for the strong probable prime test. -- Math. Comp. 61 (1993) 177-194) */
121 #define BN_prime_checks_for_size(b) ((b) >= 1300 ? 2 : \
122 (b) >= 850 ? 3 : \
123 (b) >= 650 ? 4 : \
124 (b) >= 550 ? 5 : \
125 (b) >= 450 ? 6 : \
126 (b) >= 400 ? 7 : \
127 (b) >= 350 ? 8 : \
128 (b) >= 300 ? 9 : \
129 (b) >= 250 ? 12 : \
130 (b) >= 200 ? 15 : \
131 (b) >= 150 ? 18 : \
132 /* b >= 100 */ 27)
133
134 /* The quick sieve algorithm approach to weeding out primes is Philip
135 * Zimmermann's, as implemented in PGP. I have had a read of his comments and
136 * implemented my own version. */
137
138 /* NUMPRIMES is the number of primes that fit into a uint16_t. */
139 #define NUMPRIMES 2048
140
141 /* primes contains all the primes that fit into a uint16_t. */
142 static const uint16_t primes[NUMPRIMES] = {
143 2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31,
144 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79,
145 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137,
146 139, 149, 151, 157, 163, 167, 173, 179, 181, 191, 193,
147 197, 199, 211, 223, 227, 229, 233, 239, 241, 251, 257,
148 263, 269, 271, 277, 281, 283, 293, 307, 311, 313, 317,
149 331, 337, 347, 349, 353, 359, 367, 373, 379, 383, 389,
150 397, 401, 409, 419, 421, 431, 433, 439, 443, 449, 457,
151 461, 463, 467, 479, 487, 491, 499, 503, 509, 521, 523,
152 541, 547, 557, 563, 569, 571, 577, 587, 593, 599, 601,
153 607, 613, 617, 619, 631, 641, 643, 647, 653, 659, 661,
154 673, 677, 683, 691, 701, 709, 719, 727, 733, 739, 743,
155 751, 757, 761, 769, 773, 787, 797, 809, 811, 821, 823,
156 827, 829, 839, 853, 857, 859, 863, 877, 881, 883, 887,
157 907, 911, 919, 929, 937, 941, 947, 953, 967, 971, 977,
158 983, 991, 997, 1009, 1013, 1019, 1021, 1031, 1033, 1039, 1049,
159 1051, 1061, 1063, 1069, 1087, 1091, 1093, 1097, 1103, 1109, 1117,
160 1123, 1129, 1151, 1153, 1163, 1171, 1181, 1187, 1193, 1201, 1213,
161 1217, 1223, 1229, 1231, 1237, 1249, 1259, 1277, 1279, 1283, 1289,
162 1291, 1297, 1301, 1303, 1307, 1319, 1321, 1327, 1361, 1367, 1373,
163 1381, 1399, 1409, 1423, 1427, 1429, 1433, 1439, 1447, 1451, 1453,
164 1459, 1471, 1481, 1483, 1487, 1489, 1493, 1499, 1511, 1523, 1531,
165 1543, 1549, 1553, 1559, 1567, 1571, 1579, 1583, 1597, 1601, 1607,
166 1609, 1613, 1619, 1621, 1627, 1637, 1657, 1663, 1667, 1669, 1693,
167 1697, 1699, 1709, 1721, 1723, 1733, 1741, 1747, 1753, 1759, 1777,
168 1783, 1787, 1789, 1801, 1811, 1823, 1831, 1847, 1861, 1867, 1871,
169 1873, 1877, 1879, 1889, 1901, 1907, 1913, 1931, 1933, 1949, 1951,
170 1973, 1979, 1987, 1993, 1997, 1999, 2003, 2011, 2017, 2027, 2029,
171 2039, 2053, 2063, 2069, 2081, 2083, 2087, 2089, 2099, 2111, 2113,
172 2129, 2131, 2137, 2141, 2143, 2153, 2161, 2179, 2203, 2207, 2213,
173 2221, 2237, 2239, 2243, 2251, 2267, 2269, 2273, 2281, 2287, 2293,
174 2297, 2309, 2311, 2333, 2339, 2341, 2347, 2351, 2357, 2371, 2377,
175 2381, 2383, 2389, 2393, 2399, 2411, 2417, 2423, 2437, 2441, 2447,
176 2459, 2467, 2473, 2477, 2503, 2521, 2531, 2539, 2543, 2549, 2551,
177 2557, 2579, 2591, 2593, 2609, 2617, 2621, 2633, 2647, 2657, 2659,
178 2663, 2671, 2677, 2683, 2687, 2689, 2693, 2699, 2707, 2711, 2713,
179 2719, 2729, 2731, 2741, 2749, 2753, 2767, 2777, 2789, 2791, 2797,
180 2801, 2803, 2819, 2833, 2837, 2843, 2851, 2857, 2861, 2879, 2887,
181 2897, 2903, 2909, 2917, 2927, 2939, 2953, 2957, 2963, 2969, 2971,
182 2999, 3001, 3011, 3019, 3023, 3037, 3041, 3049, 3061, 3067, 3079,
183 3083, 3089, 3109, 3119, 3121, 3137, 3163, 3167, 3169, 3181, 3187,
184 3191, 3203, 3209, 3217, 3221, 3229, 3251, 3253, 3257, 3259, 3271,
185 3299, 3301, 3307, 3313, 3319, 3323, 3329, 3331, 3343, 3347, 3359,
186 3361, 3371, 3373, 3389, 3391, 3407, 3413, 3433, 3449, 3457, 3461,
187 3463, 3467, 3469, 3491, 3499, 3511, 3517, 3527, 3529, 3533, 3539,
188 3541, 3547, 3557, 3559, 3571, 3581, 3583, 3593, 3607, 3613, 3617,
189 3623, 3631, 3637, 3643, 3659, 3671, 3673, 3677, 3691, 3697, 3701,
190 3709, 3719, 3727, 3733, 3739, 3761, 3767, 3769, 3779, 3793, 3797,
191 3803, 3821, 3823, 3833, 3847, 3851, 3853, 3863, 3877, 3881, 3889,
192 3907, 3911, 3917, 3919, 3923, 3929, 3931, 3943, 3947, 3967, 3989,
193 4001, 4003, 4007, 4013, 4019, 4021, 4027, 4049, 4051, 4057, 4073,
194 4079, 4091, 4093, 4099, 4111, 4127, 4129, 4133, 4139, 4153, 4157,
195 4159, 4177, 4201, 4211, 4217, 4219, 4229, 4231, 4241, 4243, 4253,
196 4259, 4261, 4271, 4273, 4283, 4289, 4297, 4327, 4337, 4339, 4349,
197 4357, 4363, 4373, 4391, 4397, 4409, 4421, 4423, 4441, 4447, 4451,
198 4457, 4463, 4481, 4483, 4493, 4507, 4513, 4517, 4519, 4523, 4547,
199 4549, 4561, 4567, 4583, 4591, 4597, 4603, 4621, 4637, 4639, 4643,
200 4649, 4651, 4657, 4663, 4673, 4679, 4691, 4703, 4721, 4723, 4729,
201 4733, 4751, 4759, 4783, 4787, 4789, 4793, 4799, 4801, 4813, 4817,
202 4831, 4861, 4871, 4877, 4889, 4903, 4909, 4919, 4931, 4933, 4937,
203 4943, 4951, 4957, 4967, 4969, 4973, 4987, 4993, 4999, 5003, 5009,
204 5011, 5021, 5023, 5039, 5051, 5059, 5077, 5081, 5087, 5099, 5101,
205 5107, 5113, 5119, 5147, 5153, 5167, 5171, 5179, 5189, 5197, 5209,
206 5227, 5231, 5233, 5237, 5261, 5273, 5279, 5281, 5297, 5303, 5309,
207 5323, 5333, 5347, 5351, 5381, 5387, 5393, 5399, 5407, 5413, 5417,
208 5419, 5431, 5437, 5441, 5443, 5449, 5471, 5477, 5479, 5483, 5501,
209 5503, 5507, 5519, 5521, 5527, 5531, 5557, 5563, 5569, 5573, 5581,
210 5591, 5623, 5639, 5641, 5647, 5651, 5653, 5657, 5659, 5669, 5683,
211 5689, 5693, 5701, 5711, 5717, 5737, 5741, 5743, 5749, 5779, 5783,
212 5791, 5801, 5807, 5813, 5821, 5827, 5839, 5843, 5849, 5851, 5857,
213 5861, 5867, 5869, 5879, 5881, 5897, 5903, 5923, 5927, 5939, 5953,
214 5981, 5987, 6007, 6011, 6029, 6037, 6043, 6047, 6053, 6067, 6073,
215 6079, 6089, 6091, 6101, 6113, 6121, 6131, 6133, 6143, 6151, 6163,
216 6173, 6197, 6199, 6203, 6211, 6217, 6221, 6229, 6247, 6257, 6263,
217 6269, 6271, 6277, 6287, 6299, 6301, 6311, 6317, 6323, 6329, 6337,
218 6343, 6353, 6359, 6361, 6367, 6373, 6379, 6389, 6397, 6421, 6427,
219 6449, 6451, 6469, 6473, 6481, 6491, 6521, 6529, 6547, 6551, 6553,
220 6563, 6569, 6571, 6577, 6581, 6599, 6607, 6619, 6637, 6653, 6659,
221 6661, 6673, 6679, 6689, 6691, 6701, 6703, 6709, 6719, 6733, 6737,
222 6761, 6763, 6779, 6781, 6791, 6793, 6803, 6823, 6827, 6829, 6833,
223 6841, 6857, 6863, 6869, 6871, 6883, 6899, 6907, 6911, 6917, 6947,
224 6949, 6959, 6961, 6967, 6971, 6977, 6983, 6991, 6997, 7001, 7013,
225 7019, 7027, 7039, 7043, 7057, 7069, 7079, 7103, 7109, 7121, 7127,
226 7129, 7151, 7159, 7177, 7187, 7193, 7207, 7211, 7213, 7219, 7229,
227 7237, 7243, 7247, 7253, 7283, 7297, 7307, 7309, 7321, 7331, 7333,
228 7349, 7351, 7369, 7393, 7411, 7417, 7433, 7451, 7457, 7459, 7477,
229 7481, 7487, 7489, 7499, 7507, 7517, 7523, 7529, 7537, 7541, 7547,
230 7549, 7559, 7561, 7573, 7577, 7583, 7589, 7591, 7603, 7607, 7621,
231 7639, 7643, 7649, 7669, 7673, 7681, 7687, 7691, 7699, 7703, 7717,
232 7723, 7727, 7741, 7753, 7757, 7759, 7789, 7793, 7817, 7823, 7829,
233 7841, 7853, 7867, 7873, 7877, 7879, 7883, 7901, 7907, 7919, 7927,
234 7933, 7937, 7949, 7951, 7963, 7993, 8009, 8011, 8017, 8039, 8053,
235 8059, 8069, 8081, 8087, 8089, 8093, 8101, 8111, 8117, 8123, 8147,
236 8161, 8167, 8171, 8179, 8191, 8209, 8219, 8221, 8231, 8233, 8237,
237 8243, 8263, 8269, 8273, 8287, 8291, 8293, 8297, 8311, 8317, 8329,
238 8353, 8363, 8369, 8377, 8387, 8389, 8419, 8423, 8429, 8431, 8443,
239 8447, 8461, 8467, 8501, 8513, 8521, 8527, 8537, 8539, 8543, 8563,
240 8573, 8581, 8597, 8599, 8609, 8623, 8627, 8629, 8641, 8647, 8663,
241 8669, 8677, 8681, 8689, 8693, 8699, 8707, 8713, 8719, 8731, 8737,
242 8741, 8747, 8753, 8761, 8779, 8783, 8803, 8807, 8819, 8821, 8831,
243 8837, 8839, 8849, 8861, 8863, 8867, 8887, 8893, 8923, 8929, 8933,
244 8941, 8951, 8963, 8969, 8971, 8999, 9001, 9007, 9011, 9013, 9029,
245 9041, 9043, 9049, 9059, 9067, 9091, 9103, 9109, 9127, 9133, 9137,
246 9151, 9157, 9161, 9173, 9181, 9187, 9199, 9203, 9209, 9221, 9227,
247 9239, 9241, 9257, 9277, 9281, 9283, 9293, 9311, 9319, 9323, 9337,
248 9341, 9343, 9349, 9371, 9377, 9391, 9397, 9403, 9413, 9419, 9421,
249 9431, 9433, 9437, 9439, 9461, 9463, 9467, 9473, 9479, 9491, 9497,
250 9511, 9521, 9533, 9539, 9547, 9551, 9587, 9601, 9613, 9619, 9623,
251 9629, 9631, 9643, 9649, 9661, 9677, 9679, 9689, 9697, 9719, 9721,
252 9733, 9739, 9743, 9749, 9767, 9769, 9781, 9787, 9791, 9803, 9811,
253 9817, 9829, 9833, 9839, 9851, 9857, 9859, 9871, 9883, 9887, 9901,
254 9907, 9923, 9929, 9931, 9941, 9949, 9967, 9973, 10007, 10009, 10037,
255 10039, 10061, 10067, 10069, 10079, 10091, 10093, 10099, 10103, 10111, 10133,
256 10139, 10141, 10151, 10159, 10163, 10169, 10177, 10181, 10193, 10211, 10223,
257 10243, 10247, 10253, 10259, 10267, 10271, 10273, 10289, 10301, 10303, 10313,
258 10321, 10331, 10333, 10337, 10343, 10357, 10369, 10391, 10399, 10427, 10429,
259 10433, 10453, 10457, 10459, 10463, 10477, 10487, 10499, 10501, 10513, 10529,
260 10531, 10559, 10567, 10589, 10597, 10601, 10607, 10613, 10627, 10631, 10639,
261 10651, 10657, 10663, 10667, 10687, 10691, 10709, 10711, 10723, 10729, 10733,
262 10739, 10753, 10771, 10781, 10789, 10799, 10831, 10837, 10847, 10853, 10859,
263 10861, 10867, 10883, 10889, 10891, 10903, 10909, 10937, 10939, 10949, 10957,
264 10973, 10979, 10987, 10993, 11003, 11027, 11047, 11057, 11059, 11069, 11071,
265 11083, 11087, 11093, 11113, 11117, 11119, 11131, 11149, 11159, 11161, 11171,
266 11173, 11177, 11197, 11213, 11239, 11243, 11251, 11257, 11261, 11273, 11279,
267 11287, 11299, 11311, 11317, 11321, 11329, 11351, 11353, 11369, 11383, 11393,
268 11399, 11411, 11423, 11437, 11443, 11447, 11467, 11471, 11483, 11489, 11491,
269 11497, 11503, 11519, 11527, 11549, 11551, 11579, 11587, 11593, 11597, 11617,
270 11621, 11633, 11657, 11677, 11681, 11689, 11699, 11701, 11717, 11719, 11731,
271 11743, 11777, 11779, 11783, 11789, 11801, 11807, 11813, 11821, 11827, 11831,
272 11833, 11839, 11863, 11867, 11887, 11897, 11903, 11909, 11923, 11927, 11933,
273 11939, 11941, 11953, 11959, 11969, 11971, 11981, 11987, 12007, 12011, 12037,
274 12041, 12043, 12049, 12071, 12073, 12097, 12101, 12107, 12109, 12113, 12119,
275 12143, 12149, 12157, 12161, 12163, 12197, 12203, 12211, 12227, 12239, 12241,
276 12251, 12253, 12263, 12269, 12277, 12281, 12289, 12301, 12323, 12329, 12343,
277 12347, 12373, 12377, 12379, 12391, 12401, 12409, 12413, 12421, 12433, 12437,
278 12451, 12457, 12473, 12479, 12487, 12491, 12497, 12503, 12511, 12517, 12527,
279 12539, 12541, 12547, 12553, 12569, 12577, 12583, 12589, 12601, 12611, 12613,
280 12619, 12637, 12641, 12647, 12653, 12659, 12671, 12689, 12697, 12703, 12713,
281 12721, 12739, 12743, 12757, 12763, 12781, 12791, 12799, 12809, 12821, 12823,
282 12829, 12841, 12853, 12889, 12893, 12899, 12907, 12911, 12917, 12919, 12923,
283 12941, 12953, 12959, 12967, 12973, 12979, 12983, 13001, 13003, 13007, 13009,
284 13033, 13037, 13043, 13049, 13063, 13093, 13099, 13103, 13109, 13121, 13127,
285 13147, 13151, 13159, 13163, 13171, 13177, 13183, 13187, 13217, 13219, 13229,
286 13241, 13249, 13259, 13267, 13291, 13297, 13309, 13313, 13327, 13331, 13337,
287 13339, 13367, 13381, 13397, 13399, 13411, 13417, 13421, 13441, 13451, 13457,
288 13463, 13469, 13477, 13487, 13499, 13513, 13523, 13537, 13553, 13567, 13577,
289 13591, 13597, 13613, 13619, 13627, 13633, 13649, 13669, 13679, 13681, 13687,
290 13691, 13693, 13697, 13709, 13711, 13721, 13723, 13729, 13751, 13757, 13759,
291 13763, 13781, 13789, 13799, 13807, 13829, 13831, 13841, 13859, 13873, 13877,
292 13879, 13883, 13901, 13903, 13907, 13913, 13921, 13931, 13933, 13963, 13967,
293 13997, 13999, 14009, 14011, 14029, 14033, 14051, 14057, 14071, 14081, 14083,
294 14087, 14107, 14143, 14149, 14153, 14159, 14173, 14177, 14197, 14207, 14221,
295 14243, 14249, 14251, 14281, 14293, 14303, 14321, 14323, 14327, 14341, 14347,
296 14369, 14387, 14389, 14401, 14407, 14411, 14419, 14423, 14431, 14437, 14447,
297 14449, 14461, 14479, 14489, 14503, 14519, 14533, 14537, 14543, 14549, 14551,
298 14557, 14561, 14563, 14591, 14593, 14621, 14627, 14629, 14633, 14639, 14653,
299 14657, 14669, 14683, 14699, 14713, 14717, 14723, 14731, 14737, 14741, 14747,
300 14753, 14759, 14767, 14771, 14779, 14783, 14797, 14813, 14821, 14827, 14831,
301 14843, 14851, 14867, 14869, 14879, 14887, 14891, 14897, 14923, 14929, 14939,
302 14947, 14951, 14957, 14969, 14983, 15013, 15017, 15031, 15053, 15061, 15073,
303 15077, 15083, 15091, 15101, 15107, 15121, 15131, 15137, 15139, 15149, 15161,
304 15173, 15187, 15193, 15199, 15217, 15227, 15233, 15241, 15259, 15263, 15269,
305 15271, 15277, 15287, 15289, 15299, 15307, 15313, 15319, 15329, 15331, 15349,
306 15359, 15361, 15373, 15377, 15383, 15391, 15401, 15413, 15427, 15439, 15443,
307 15451, 15461, 15467, 15473, 15493, 15497, 15511, 15527, 15541, 15551, 15559,
308 15569, 15581, 15583, 15601, 15607, 15619, 15629, 15641, 15643, 15647, 15649,
309 15661, 15667, 15671, 15679, 15683, 15727, 15731, 15733, 15737, 15739, 15749,
310 15761, 15767, 15773, 15787, 15791, 15797, 15803, 15809, 15817, 15823, 15859,
311 15877, 15881, 15887, 15889, 15901, 15907, 15913, 15919, 15923, 15937, 15959,
312 15971, 15973, 15991, 16001, 16007, 16033, 16057, 16061, 16063, 16067, 16069,
313 16073, 16087, 16091, 16097, 16103, 16111, 16127, 16139, 16141, 16183, 16187,
314 16189, 16193, 16217, 16223, 16229, 16231, 16249, 16253, 16267, 16273, 16301,
315 16319, 16333, 16339, 16349, 16361, 16363, 16369, 16381, 16411, 16417, 16421,
316 16427, 16433, 16447, 16451, 16453, 16477, 16481, 16487, 16493, 16519, 16529,
317 16547, 16553, 16561, 16567, 16573, 16603, 16607, 16619, 16631, 16633, 16649,
318 16651, 16657, 16661, 16673, 16691, 16693, 16699, 16703, 16729, 16741, 16747,
319 16759, 16763, 16787, 16811, 16823, 16829, 16831, 16843, 16871, 16879, 16883,
320 16889, 16901, 16903, 16921, 16927, 16931, 16937, 16943, 16963, 16979, 16981,
321 16987, 16993, 17011, 17021, 17027, 17029, 17033, 17041, 17047, 17053, 17077,
322 17093, 17099, 17107, 17117, 17123, 17137, 17159, 17167, 17183, 17189, 17191,
323 17203, 17207, 17209, 17231, 17239, 17257, 17291, 17293, 17299, 17317, 17321,
324 17327, 17333, 17341, 17351, 17359, 17377, 17383, 17387, 17389, 17393, 17401,
325 17417, 17419, 17431, 17443, 17449, 17467, 17471, 17477, 17483, 17489, 17491,
326 17497, 17509, 17519, 17539, 17551, 17569, 17573, 17579, 17581, 17597, 17599,
327 17609, 17623, 17627, 17657, 17659, 17669, 17681, 17683, 17707, 17713, 17729,
328 17737, 17747, 17749, 17761, 17783, 17789, 17791, 17807, 17827, 17837, 17839,
329 17851, 17863,
330 };
331
332 static int witness(BIGNUM *w, const BIGNUM *a, const BIGNUM *a1,
333 const BIGNUM *a1_odd, int k, BN_CTX *ctx, BN_MONT_CTX *mont);
334 static int probable_prime(BIGNUM *rnd, int bits);
335 static int probable_prime_dh(BIGNUM *rnd, int bits, const BIGNUM *add,
336 const BIGNUM *rem, BN_CTX *ctx);
337 static int probable_prime_dh_safe(BIGNUM *rnd, int bits, const BIGNUM *add,
338 const BIGNUM *rem, BN_CTX *ctx);
339
BN_GENCB_set(BN_GENCB * callback,int (* f)(int event,int n,struct bn_gencb_st *),void * arg)340 void BN_GENCB_set(BN_GENCB *callback,
341 int (*f)(int event, int n, struct bn_gencb_st *),
342 void *arg) {
343 callback->callback = f;
344 callback->arg = arg;
345 }
346
BN_GENCB_call(BN_GENCB * callback,int event,int n)347 int BN_GENCB_call(BN_GENCB *callback, int event, int n) {
348 if (!callback) {
349 return 1;
350 }
351
352 return callback->callback(event, n, callback);
353 }
354
BN_generate_prime_ex(BIGNUM * ret,int bits,int safe,const BIGNUM * add,const BIGNUM * rem,BN_GENCB * cb)355 int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe, const BIGNUM *add,
356 const BIGNUM *rem, BN_GENCB *cb) {
357 BIGNUM *t;
358 int found = 0;
359 int i, j, c1 = 0;
360 BN_CTX *ctx;
361 int checks = BN_prime_checks_for_size(bits);
362
363 if (bits < 2) {
364 /* There are no prime numbers this small. */
365 OPENSSL_PUT_ERROR(BN, BN_R_BITS_TOO_SMALL);
366 return 0;
367 } else if (bits == 2 && safe) {
368 /* The smallest safe prime (7) is three bits. */
369 OPENSSL_PUT_ERROR(BN, BN_R_BITS_TOO_SMALL);
370 return 0;
371 }
372
373 ctx = BN_CTX_new();
374 if (ctx == NULL) {
375 goto err;
376 }
377 BN_CTX_start(ctx);
378 t = BN_CTX_get(ctx);
379 if (!t) {
380 goto err;
381 }
382
383 loop:
384 /* make a random number and set the top and bottom bits */
385 if (add == NULL) {
386 if (!probable_prime(ret, bits)) {
387 goto err;
388 }
389 } else {
390 if (safe) {
391 if (!probable_prime_dh_safe(ret, bits, add, rem, ctx)) {
392 goto err;
393 }
394 } else {
395 if (!probable_prime_dh(ret, bits, add, rem, ctx)) {
396 goto err;
397 }
398 }
399 }
400
401 if (!BN_GENCB_call(cb, BN_GENCB_GENERATED, c1++)) {
402 /* aborted */
403 goto err;
404 }
405
406 if (!safe) {
407 i = BN_is_prime_fasttest_ex(ret, checks, ctx, 0, cb);
408 if (i == -1) {
409 goto err;
410 } else if (i == 0) {
411 goto loop;
412 }
413 } else {
414 /* for "safe prime" generation, check that (p-1)/2 is prime. Since a prime
415 * is odd, We just need to divide by 2 */
416 if (!BN_rshift1(t, ret)) {
417 goto err;
418 }
419
420 for (i = 0; i < checks; i++) {
421 j = BN_is_prime_fasttest_ex(ret, 1, ctx, 0, NULL);
422 if (j == -1) {
423 goto err;
424 } else if (j == 0) {
425 goto loop;
426 }
427
428 j = BN_is_prime_fasttest_ex(t, 1, ctx, 0, NULL);
429 if (j == -1) {
430 goto err;
431 } else if (j == 0) {
432 goto loop;
433 }
434
435 if (!BN_GENCB_call(cb, i, c1 - 1)) {
436 goto err;
437 }
438 /* We have a safe prime test pass */
439 }
440 }
441
442 /* we have a prime :-) */
443 found = 1;
444
445 err:
446 if (ctx != NULL) {
447 BN_CTX_end(ctx);
448 BN_CTX_free(ctx);
449 }
450
451 return found;
452 }
453
BN_primality_test(int * is_probably_prime,const BIGNUM * candidate,int checks,BN_CTX * ctx,int do_trial_division,BN_GENCB * cb)454 int BN_primality_test(int *is_probably_prime, const BIGNUM *candidate,
455 int checks, BN_CTX *ctx, int do_trial_division,
456 BN_GENCB *cb) {
457 switch (BN_is_prime_fasttest_ex(candidate, checks, ctx, do_trial_division, cb)) {
458 case 1:
459 *is_probably_prime = 1;
460 return 1;
461 case 0:
462 *is_probably_prime = 0;
463 return 1;
464 default:
465 *is_probably_prime = 0;
466 return 0;
467 }
468 }
469
BN_is_prime_ex(const BIGNUM * candidate,int checks,BN_CTX * ctx,BN_GENCB * cb)470 int BN_is_prime_ex(const BIGNUM *candidate, int checks, BN_CTX *ctx, BN_GENCB *cb) {
471 return BN_is_prime_fasttest_ex(candidate, checks, ctx, 0, cb);
472 }
473
BN_is_prime_fasttest_ex(const BIGNUM * a,int checks,BN_CTX * ctx_passed,int do_trial_division,BN_GENCB * cb)474 int BN_is_prime_fasttest_ex(const BIGNUM *a, int checks, BN_CTX *ctx_passed,
475 int do_trial_division, BN_GENCB *cb) {
476 int i, j, ret = -1;
477 int k;
478 BN_CTX *ctx = NULL;
479 BIGNUM *A1, *A1_odd, *check; /* taken from ctx */
480 BN_MONT_CTX *mont = NULL;
481 const BIGNUM *A = NULL;
482
483 if (BN_cmp(a, BN_value_one()) <= 0) {
484 return 0;
485 }
486
487 if (checks == BN_prime_checks) {
488 checks = BN_prime_checks_for_size(BN_num_bits(a));
489 }
490
491 /* first look for small factors */
492 if (!BN_is_odd(a)) {
493 /* a is even => a is prime if and only if a == 2 */
494 return BN_is_word(a, 2);
495 }
496
497 if (do_trial_division) {
498 for (i = 1; i < NUMPRIMES; i++) {
499 if (BN_mod_word(a, primes[i]) == 0) {
500 return 0;
501 }
502 }
503
504 if (!BN_GENCB_call(cb, 1, -1)) {
505 goto err;
506 }
507 }
508
509 if (ctx_passed != NULL) {
510 ctx = ctx_passed;
511 } else if ((ctx = BN_CTX_new()) == NULL) {
512 goto err;
513 }
514 BN_CTX_start(ctx);
515
516 /* A := abs(a) */
517 if (a->neg) {
518 BIGNUM *t = BN_CTX_get(ctx);
519 if (t == NULL || !BN_copy(t, a)) {
520 goto err;
521 }
522 t->neg = 0;
523 A = t;
524 } else {
525 A = a;
526 }
527
528 A1 = BN_CTX_get(ctx);
529 A1_odd = BN_CTX_get(ctx);
530 check = BN_CTX_get(ctx);
531 if (check == NULL) {
532 goto err;
533 }
534
535 /* compute A1 := A - 1 */
536 if (!BN_copy(A1, A)) {
537 goto err;
538 }
539 if (!BN_sub_word(A1, 1)) {
540 goto err;
541 }
542 if (BN_is_zero(A1)) {
543 ret = 0;
544 goto err;
545 }
546
547 /* write A1 as A1_odd * 2^k */
548 k = 1;
549 while (!BN_is_bit_set(A1, k)) {
550 k++;
551 }
552 if (!BN_rshift(A1_odd, A1, k)) {
553 goto err;
554 }
555
556 /* Montgomery setup for computations mod A */
557 mont = BN_MONT_CTX_new();
558 if (mont == NULL) {
559 goto err;
560 }
561 if (!BN_MONT_CTX_set(mont, A, ctx)) {
562 goto err;
563 }
564
565 for (i = 0; i < checks; i++) {
566 if (!BN_pseudo_rand_range(check, A1)) {
567 goto err;
568 }
569 if (!BN_add_word(check, 1)) {
570 goto err;
571 }
572 /* now 1 <= check < A */
573
574 j = witness(check, A, A1, A1_odd, k, ctx, mont);
575 if (j == -1) {
576 goto err;
577 }
578 if (j) {
579 ret = 0;
580 goto err;
581 }
582 if (!BN_GENCB_call(cb, 1, i)) {
583 goto err;
584 }
585 }
586 ret = 1;
587
588 err:
589 if (ctx != NULL) {
590 BN_CTX_end(ctx);
591 if (ctx_passed == NULL) {
592 BN_CTX_free(ctx);
593 }
594 }
595 if (mont != NULL) {
596 BN_MONT_CTX_free(mont);
597 }
598
599 return ret;
600 }
601
witness(BIGNUM * w,const BIGNUM * a,const BIGNUM * a1,const BIGNUM * a1_odd,int k,BN_CTX * ctx,BN_MONT_CTX * mont)602 static int witness(BIGNUM *w, const BIGNUM *a, const BIGNUM *a1,
603 const BIGNUM *a1_odd, int k, BN_CTX *ctx,
604 BN_MONT_CTX *mont) {
605 if (!BN_mod_exp_mont(w, w, a1_odd, a, ctx, mont)) { /* w := w^a1_odd mod a */
606 return -1;
607 }
608 if (BN_is_one(w)) {
609 return 0; /* probably prime */
610 }
611 if (BN_cmp(w, a1) == 0) {
612 return 0; /* w == -1 (mod a), 'a' is probably prime */
613 }
614
615 while (--k) {
616 if (!BN_mod_mul(w, w, w, a, ctx)) { /* w := w^2 mod a */
617 return -1;
618 }
619
620 if (BN_is_one(w)) {
621 return 1; /* 'a' is composite, otherwise a previous 'w' would
622 * have been == -1 (mod 'a') */
623 }
624
625 if (BN_cmp(w, a1) == 0) {
626 return 0; /* w == -1 (mod a), 'a' is probably prime */
627 }
628 }
629
630 /* If we get here, 'w' is the (a-1)/2-th power of the original 'w',
631 * and it is neither -1 nor +1 -- so 'a' cannot be prime */
632 return 1;
633 }
634
get_word(const BIGNUM * bn)635 static BN_ULONG get_word(const BIGNUM *bn) {
636 if (bn->top == 1) {
637 return bn->d[0];
638 }
639 return 0;
640 }
641
probable_prime(BIGNUM * rnd,int bits)642 static int probable_prime(BIGNUM *rnd, int bits) {
643 int i;
644 uint16_t mods[NUMPRIMES];
645 BN_ULONG delta;
646 BN_ULONG maxdelta = BN_MASK2 - primes[NUMPRIMES - 1];
647 char is_single_word = bits <= BN_BITS2;
648
649 again:
650 if (!BN_rand(rnd, bits, 1, 1)) {
651 return 0;
652 }
653
654 /* we now have a random number 'rnd' to test. */
655 for (i = 1; i < NUMPRIMES; i++) {
656 mods[i] = (uint16_t)BN_mod_word(rnd, (BN_ULONG)primes[i]);
657 }
658 /* If bits is so small that it fits into a single word then we
659 * additionally don't want to exceed that many bits. */
660 if (is_single_word) {
661 BN_ULONG size_limit;
662 if (bits == BN_BITS2) {
663 /* Avoid undefined behavior. */
664 size_limit = ~((BN_ULONG)0) - get_word(rnd);
665 } else {
666 size_limit = (((BN_ULONG)1) << bits) - get_word(rnd) - 1;
667 }
668 if (size_limit < maxdelta) {
669 maxdelta = size_limit;
670 }
671 }
672 delta = 0;
673
674 loop:
675 if (is_single_word) {
676 BN_ULONG rnd_word = get_word(rnd);
677
678 /* In the case that the candidate prime is a single word then
679 * we check that:
680 * 1) It's greater than primes[i] because we shouldn't reject
681 * 3 as being a prime number because it's a multiple of
682 * three.
683 * 2) That it's not a multiple of a known prime. We don't
684 * check that rnd-1 is also coprime to all the known
685 * primes because there aren't many small primes where
686 * that's true. */
687 for (i = 1; i < NUMPRIMES && primes[i] < rnd_word; i++) {
688 if ((mods[i] + delta) % primes[i] == 0) {
689 delta += 2;
690 if (delta > maxdelta) {
691 goto again;
692 }
693 goto loop;
694 }
695 }
696 } else {
697 for (i = 1; i < NUMPRIMES; i++) {
698 /* check that rnd is not a prime and also
699 * that gcd(rnd-1,primes) == 1 (except for 2) */
700 if (((mods[i] + delta) % primes[i]) <= 1) {
701 delta += 2;
702 if (delta > maxdelta) {
703 goto again;
704 }
705 goto loop;
706 }
707 }
708 }
709
710 if (!BN_add_word(rnd, delta)) {
711 return 0;
712 }
713 if (BN_num_bits(rnd) != (unsigned)bits) {
714 goto again;
715 }
716
717 return 1;
718 }
719
probable_prime_dh(BIGNUM * rnd,int bits,const BIGNUM * add,const BIGNUM * rem,BN_CTX * ctx)720 static int probable_prime_dh(BIGNUM *rnd, int bits, const BIGNUM *add,
721 const BIGNUM *rem, BN_CTX *ctx) {
722 int i, ret = 0;
723 BIGNUM *t1;
724
725 BN_CTX_start(ctx);
726 if ((t1 = BN_CTX_get(ctx)) == NULL) {
727 goto err;
728 }
729
730 if (!BN_rand(rnd, bits, 0, 1)) {
731 goto err;
732 }
733
734 /* we need ((rnd-rem) % add) == 0 */
735
736 if (!BN_mod(t1, rnd, add, ctx)) {
737 goto err;
738 }
739 if (!BN_sub(rnd, rnd, t1)) {
740 goto err;
741 }
742 if (rem == NULL) {
743 if (!BN_add_word(rnd, 1)) {
744 goto err;
745 }
746 } else {
747 if (!BN_add(rnd, rnd, rem)) {
748 goto err;
749 }
750 }
751 /* we now have a random number 'rand' to test. */
752
753 loop:
754 for (i = 1; i < NUMPRIMES; i++) {
755 /* check that rnd is a prime */
756 if (BN_mod_word(rnd, (BN_ULONG)primes[i]) <= 1) {
757 if (!BN_add(rnd, rnd, add)) {
758 goto err;
759 }
760 goto loop;
761 }
762 }
763
764 ret = 1;
765
766 err:
767 BN_CTX_end(ctx);
768 return ret;
769 }
770
probable_prime_dh_safe(BIGNUM * p,int bits,const BIGNUM * padd,const BIGNUM * rem,BN_CTX * ctx)771 static int probable_prime_dh_safe(BIGNUM *p, int bits, const BIGNUM *padd,
772 const BIGNUM *rem, BN_CTX *ctx) {
773 int i, ret = 0;
774 BIGNUM *t1, *qadd, *q;
775
776 bits--;
777 BN_CTX_start(ctx);
778 t1 = BN_CTX_get(ctx);
779 q = BN_CTX_get(ctx);
780 qadd = BN_CTX_get(ctx);
781 if (qadd == NULL) {
782 goto err;
783 }
784
785 if (!BN_rshift1(qadd, padd)) {
786 goto err;
787 }
788
789 if (!BN_rand(q, bits, 0, 1)) {
790 goto err;
791 }
792
793 /* we need ((rnd-rem) % add) == 0 */
794 if (!BN_mod(t1, q, qadd, ctx)) {
795 goto err;
796 }
797
798 if (!BN_sub(q, q, t1)) {
799 goto err;
800 }
801
802 if (rem == NULL) {
803 if (!BN_add_word(q, 1)) {
804 goto err;
805 }
806 } else {
807 if (!BN_rshift1(t1, rem)) {
808 goto err;
809 }
810 if (!BN_add(q, q, t1)) {
811 goto err;
812 }
813 }
814
815 /* we now have a random number 'rand' to test. */
816 if (!BN_lshift1(p, q)) {
817 goto err;
818 }
819 if (!BN_add_word(p, 1)) {
820 goto err;
821 }
822
823 loop:
824 for (i = 1; i < NUMPRIMES; i++) {
825 /* check that p and q are prime */
826 /* check that for p and q
827 * gcd(p-1,primes) == 1 (except for 2) */
828 if ((BN_mod_word(p, (BN_ULONG)primes[i]) == 0) ||
829 (BN_mod_word(q, (BN_ULONG)primes[i]) == 0)) {
830 if (!BN_add(p, p, padd)) {
831 goto err;
832 }
833 if (!BN_add(q, q, qadd)) {
834 goto err;
835 }
836 goto loop;
837 }
838 }
839
840 ret = 1;
841
842 err:
843 BN_CTX_end(ctx);
844 return ret;
845 }
846