1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57 /* ====================================================================
58 * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
65 * notice, this list of conditions and the following disclaimer.
66 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
70 * distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 * acknowledgment:
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com). */
108
109 #include <openssl/bn.h>
110
111 #include <openssl/err.h>
112 #include <openssl/mem.h>
113
114 #include "internal.h"
115
116 // The quick sieve algorithm approach to weeding out primes is Philip
117 // Zimmermann's, as implemented in PGP. I have had a read of his comments and
118 // implemented my own version.
119
120 #define NUMPRIMES 2048
121
122 // primes contains all the primes that fit into a uint16_t.
123 static const uint16_t primes[NUMPRIMES] = {
124 2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31,
125 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79,
126 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137,
127 139, 149, 151, 157, 163, 167, 173, 179, 181, 191, 193,
128 197, 199, 211, 223, 227, 229, 233, 239, 241, 251, 257,
129 263, 269, 271, 277, 281, 283, 293, 307, 311, 313, 317,
130 331, 337, 347, 349, 353, 359, 367, 373, 379, 383, 389,
131 397, 401, 409, 419, 421, 431, 433, 439, 443, 449, 457,
132 461, 463, 467, 479, 487, 491, 499, 503, 509, 521, 523,
133 541, 547, 557, 563, 569, 571, 577, 587, 593, 599, 601,
134 607, 613, 617, 619, 631, 641, 643, 647, 653, 659, 661,
135 673, 677, 683, 691, 701, 709, 719, 727, 733, 739, 743,
136 751, 757, 761, 769, 773, 787, 797, 809, 811, 821, 823,
137 827, 829, 839, 853, 857, 859, 863, 877, 881, 883, 887,
138 907, 911, 919, 929, 937, 941, 947, 953, 967, 971, 977,
139 983, 991, 997, 1009, 1013, 1019, 1021, 1031, 1033, 1039, 1049,
140 1051, 1061, 1063, 1069, 1087, 1091, 1093, 1097, 1103, 1109, 1117,
141 1123, 1129, 1151, 1153, 1163, 1171, 1181, 1187, 1193, 1201, 1213,
142 1217, 1223, 1229, 1231, 1237, 1249, 1259, 1277, 1279, 1283, 1289,
143 1291, 1297, 1301, 1303, 1307, 1319, 1321, 1327, 1361, 1367, 1373,
144 1381, 1399, 1409, 1423, 1427, 1429, 1433, 1439, 1447, 1451, 1453,
145 1459, 1471, 1481, 1483, 1487, 1489, 1493, 1499, 1511, 1523, 1531,
146 1543, 1549, 1553, 1559, 1567, 1571, 1579, 1583, 1597, 1601, 1607,
147 1609, 1613, 1619, 1621, 1627, 1637, 1657, 1663, 1667, 1669, 1693,
148 1697, 1699, 1709, 1721, 1723, 1733, 1741, 1747, 1753, 1759, 1777,
149 1783, 1787, 1789, 1801, 1811, 1823, 1831, 1847, 1861, 1867, 1871,
150 1873, 1877, 1879, 1889, 1901, 1907, 1913, 1931, 1933, 1949, 1951,
151 1973, 1979, 1987, 1993, 1997, 1999, 2003, 2011, 2017, 2027, 2029,
152 2039, 2053, 2063, 2069, 2081, 2083, 2087, 2089, 2099, 2111, 2113,
153 2129, 2131, 2137, 2141, 2143, 2153, 2161, 2179, 2203, 2207, 2213,
154 2221, 2237, 2239, 2243, 2251, 2267, 2269, 2273, 2281, 2287, 2293,
155 2297, 2309, 2311, 2333, 2339, 2341, 2347, 2351, 2357, 2371, 2377,
156 2381, 2383, 2389, 2393, 2399, 2411, 2417, 2423, 2437, 2441, 2447,
157 2459, 2467, 2473, 2477, 2503, 2521, 2531, 2539, 2543, 2549, 2551,
158 2557, 2579, 2591, 2593, 2609, 2617, 2621, 2633, 2647, 2657, 2659,
159 2663, 2671, 2677, 2683, 2687, 2689, 2693, 2699, 2707, 2711, 2713,
160 2719, 2729, 2731, 2741, 2749, 2753, 2767, 2777, 2789, 2791, 2797,
161 2801, 2803, 2819, 2833, 2837, 2843, 2851, 2857, 2861, 2879, 2887,
162 2897, 2903, 2909, 2917, 2927, 2939, 2953, 2957, 2963, 2969, 2971,
163 2999, 3001, 3011, 3019, 3023, 3037, 3041, 3049, 3061, 3067, 3079,
164 3083, 3089, 3109, 3119, 3121, 3137, 3163, 3167, 3169, 3181, 3187,
165 3191, 3203, 3209, 3217, 3221, 3229, 3251, 3253, 3257, 3259, 3271,
166 3299, 3301, 3307, 3313, 3319, 3323, 3329, 3331, 3343, 3347, 3359,
167 3361, 3371, 3373, 3389, 3391, 3407, 3413, 3433, 3449, 3457, 3461,
168 3463, 3467, 3469, 3491, 3499, 3511, 3517, 3527, 3529, 3533, 3539,
169 3541, 3547, 3557, 3559, 3571, 3581, 3583, 3593, 3607, 3613, 3617,
170 3623, 3631, 3637, 3643, 3659, 3671, 3673, 3677, 3691, 3697, 3701,
171 3709, 3719, 3727, 3733, 3739, 3761, 3767, 3769, 3779, 3793, 3797,
172 3803, 3821, 3823, 3833, 3847, 3851, 3853, 3863, 3877, 3881, 3889,
173 3907, 3911, 3917, 3919, 3923, 3929, 3931, 3943, 3947, 3967, 3989,
174 4001, 4003, 4007, 4013, 4019, 4021, 4027, 4049, 4051, 4057, 4073,
175 4079, 4091, 4093, 4099, 4111, 4127, 4129, 4133, 4139, 4153, 4157,
176 4159, 4177, 4201, 4211, 4217, 4219, 4229, 4231, 4241, 4243, 4253,
177 4259, 4261, 4271, 4273, 4283, 4289, 4297, 4327, 4337, 4339, 4349,
178 4357, 4363, 4373, 4391, 4397, 4409, 4421, 4423, 4441, 4447, 4451,
179 4457, 4463, 4481, 4483, 4493, 4507, 4513, 4517, 4519, 4523, 4547,
180 4549, 4561, 4567, 4583, 4591, 4597, 4603, 4621, 4637, 4639, 4643,
181 4649, 4651, 4657, 4663, 4673, 4679, 4691, 4703, 4721, 4723, 4729,
182 4733, 4751, 4759, 4783, 4787, 4789, 4793, 4799, 4801, 4813, 4817,
183 4831, 4861, 4871, 4877, 4889, 4903, 4909, 4919, 4931, 4933, 4937,
184 4943, 4951, 4957, 4967, 4969, 4973, 4987, 4993, 4999, 5003, 5009,
185 5011, 5021, 5023, 5039, 5051, 5059, 5077, 5081, 5087, 5099, 5101,
186 5107, 5113, 5119, 5147, 5153, 5167, 5171, 5179, 5189, 5197, 5209,
187 5227, 5231, 5233, 5237, 5261, 5273, 5279, 5281, 5297, 5303, 5309,
188 5323, 5333, 5347, 5351, 5381, 5387, 5393, 5399, 5407, 5413, 5417,
189 5419, 5431, 5437, 5441, 5443, 5449, 5471, 5477, 5479, 5483, 5501,
190 5503, 5507, 5519, 5521, 5527, 5531, 5557, 5563, 5569, 5573, 5581,
191 5591, 5623, 5639, 5641, 5647, 5651, 5653, 5657, 5659, 5669, 5683,
192 5689, 5693, 5701, 5711, 5717, 5737, 5741, 5743, 5749, 5779, 5783,
193 5791, 5801, 5807, 5813, 5821, 5827, 5839, 5843, 5849, 5851, 5857,
194 5861, 5867, 5869, 5879, 5881, 5897, 5903, 5923, 5927, 5939, 5953,
195 5981, 5987, 6007, 6011, 6029, 6037, 6043, 6047, 6053, 6067, 6073,
196 6079, 6089, 6091, 6101, 6113, 6121, 6131, 6133, 6143, 6151, 6163,
197 6173, 6197, 6199, 6203, 6211, 6217, 6221, 6229, 6247, 6257, 6263,
198 6269, 6271, 6277, 6287, 6299, 6301, 6311, 6317, 6323, 6329, 6337,
199 6343, 6353, 6359, 6361, 6367, 6373, 6379, 6389, 6397, 6421, 6427,
200 6449, 6451, 6469, 6473, 6481, 6491, 6521, 6529, 6547, 6551, 6553,
201 6563, 6569, 6571, 6577, 6581, 6599, 6607, 6619, 6637, 6653, 6659,
202 6661, 6673, 6679, 6689, 6691, 6701, 6703, 6709, 6719, 6733, 6737,
203 6761, 6763, 6779, 6781, 6791, 6793, 6803, 6823, 6827, 6829, 6833,
204 6841, 6857, 6863, 6869, 6871, 6883, 6899, 6907, 6911, 6917, 6947,
205 6949, 6959, 6961, 6967, 6971, 6977, 6983, 6991, 6997, 7001, 7013,
206 7019, 7027, 7039, 7043, 7057, 7069, 7079, 7103, 7109, 7121, 7127,
207 7129, 7151, 7159, 7177, 7187, 7193, 7207, 7211, 7213, 7219, 7229,
208 7237, 7243, 7247, 7253, 7283, 7297, 7307, 7309, 7321, 7331, 7333,
209 7349, 7351, 7369, 7393, 7411, 7417, 7433, 7451, 7457, 7459, 7477,
210 7481, 7487, 7489, 7499, 7507, 7517, 7523, 7529, 7537, 7541, 7547,
211 7549, 7559, 7561, 7573, 7577, 7583, 7589, 7591, 7603, 7607, 7621,
212 7639, 7643, 7649, 7669, 7673, 7681, 7687, 7691, 7699, 7703, 7717,
213 7723, 7727, 7741, 7753, 7757, 7759, 7789, 7793, 7817, 7823, 7829,
214 7841, 7853, 7867, 7873, 7877, 7879, 7883, 7901, 7907, 7919, 7927,
215 7933, 7937, 7949, 7951, 7963, 7993, 8009, 8011, 8017, 8039, 8053,
216 8059, 8069, 8081, 8087, 8089, 8093, 8101, 8111, 8117, 8123, 8147,
217 8161, 8167, 8171, 8179, 8191, 8209, 8219, 8221, 8231, 8233, 8237,
218 8243, 8263, 8269, 8273, 8287, 8291, 8293, 8297, 8311, 8317, 8329,
219 8353, 8363, 8369, 8377, 8387, 8389, 8419, 8423, 8429, 8431, 8443,
220 8447, 8461, 8467, 8501, 8513, 8521, 8527, 8537, 8539, 8543, 8563,
221 8573, 8581, 8597, 8599, 8609, 8623, 8627, 8629, 8641, 8647, 8663,
222 8669, 8677, 8681, 8689, 8693, 8699, 8707, 8713, 8719, 8731, 8737,
223 8741, 8747, 8753, 8761, 8779, 8783, 8803, 8807, 8819, 8821, 8831,
224 8837, 8839, 8849, 8861, 8863, 8867, 8887, 8893, 8923, 8929, 8933,
225 8941, 8951, 8963, 8969, 8971, 8999, 9001, 9007, 9011, 9013, 9029,
226 9041, 9043, 9049, 9059, 9067, 9091, 9103, 9109, 9127, 9133, 9137,
227 9151, 9157, 9161, 9173, 9181, 9187, 9199, 9203, 9209, 9221, 9227,
228 9239, 9241, 9257, 9277, 9281, 9283, 9293, 9311, 9319, 9323, 9337,
229 9341, 9343, 9349, 9371, 9377, 9391, 9397, 9403, 9413, 9419, 9421,
230 9431, 9433, 9437, 9439, 9461, 9463, 9467, 9473, 9479, 9491, 9497,
231 9511, 9521, 9533, 9539, 9547, 9551, 9587, 9601, 9613, 9619, 9623,
232 9629, 9631, 9643, 9649, 9661, 9677, 9679, 9689, 9697, 9719, 9721,
233 9733, 9739, 9743, 9749, 9767, 9769, 9781, 9787, 9791, 9803, 9811,
234 9817, 9829, 9833, 9839, 9851, 9857, 9859, 9871, 9883, 9887, 9901,
235 9907, 9923, 9929, 9931, 9941, 9949, 9967, 9973, 10007, 10009, 10037,
236 10039, 10061, 10067, 10069, 10079, 10091, 10093, 10099, 10103, 10111, 10133,
237 10139, 10141, 10151, 10159, 10163, 10169, 10177, 10181, 10193, 10211, 10223,
238 10243, 10247, 10253, 10259, 10267, 10271, 10273, 10289, 10301, 10303, 10313,
239 10321, 10331, 10333, 10337, 10343, 10357, 10369, 10391, 10399, 10427, 10429,
240 10433, 10453, 10457, 10459, 10463, 10477, 10487, 10499, 10501, 10513, 10529,
241 10531, 10559, 10567, 10589, 10597, 10601, 10607, 10613, 10627, 10631, 10639,
242 10651, 10657, 10663, 10667, 10687, 10691, 10709, 10711, 10723, 10729, 10733,
243 10739, 10753, 10771, 10781, 10789, 10799, 10831, 10837, 10847, 10853, 10859,
244 10861, 10867, 10883, 10889, 10891, 10903, 10909, 10937, 10939, 10949, 10957,
245 10973, 10979, 10987, 10993, 11003, 11027, 11047, 11057, 11059, 11069, 11071,
246 11083, 11087, 11093, 11113, 11117, 11119, 11131, 11149, 11159, 11161, 11171,
247 11173, 11177, 11197, 11213, 11239, 11243, 11251, 11257, 11261, 11273, 11279,
248 11287, 11299, 11311, 11317, 11321, 11329, 11351, 11353, 11369, 11383, 11393,
249 11399, 11411, 11423, 11437, 11443, 11447, 11467, 11471, 11483, 11489, 11491,
250 11497, 11503, 11519, 11527, 11549, 11551, 11579, 11587, 11593, 11597, 11617,
251 11621, 11633, 11657, 11677, 11681, 11689, 11699, 11701, 11717, 11719, 11731,
252 11743, 11777, 11779, 11783, 11789, 11801, 11807, 11813, 11821, 11827, 11831,
253 11833, 11839, 11863, 11867, 11887, 11897, 11903, 11909, 11923, 11927, 11933,
254 11939, 11941, 11953, 11959, 11969, 11971, 11981, 11987, 12007, 12011, 12037,
255 12041, 12043, 12049, 12071, 12073, 12097, 12101, 12107, 12109, 12113, 12119,
256 12143, 12149, 12157, 12161, 12163, 12197, 12203, 12211, 12227, 12239, 12241,
257 12251, 12253, 12263, 12269, 12277, 12281, 12289, 12301, 12323, 12329, 12343,
258 12347, 12373, 12377, 12379, 12391, 12401, 12409, 12413, 12421, 12433, 12437,
259 12451, 12457, 12473, 12479, 12487, 12491, 12497, 12503, 12511, 12517, 12527,
260 12539, 12541, 12547, 12553, 12569, 12577, 12583, 12589, 12601, 12611, 12613,
261 12619, 12637, 12641, 12647, 12653, 12659, 12671, 12689, 12697, 12703, 12713,
262 12721, 12739, 12743, 12757, 12763, 12781, 12791, 12799, 12809, 12821, 12823,
263 12829, 12841, 12853, 12889, 12893, 12899, 12907, 12911, 12917, 12919, 12923,
264 12941, 12953, 12959, 12967, 12973, 12979, 12983, 13001, 13003, 13007, 13009,
265 13033, 13037, 13043, 13049, 13063, 13093, 13099, 13103, 13109, 13121, 13127,
266 13147, 13151, 13159, 13163, 13171, 13177, 13183, 13187, 13217, 13219, 13229,
267 13241, 13249, 13259, 13267, 13291, 13297, 13309, 13313, 13327, 13331, 13337,
268 13339, 13367, 13381, 13397, 13399, 13411, 13417, 13421, 13441, 13451, 13457,
269 13463, 13469, 13477, 13487, 13499, 13513, 13523, 13537, 13553, 13567, 13577,
270 13591, 13597, 13613, 13619, 13627, 13633, 13649, 13669, 13679, 13681, 13687,
271 13691, 13693, 13697, 13709, 13711, 13721, 13723, 13729, 13751, 13757, 13759,
272 13763, 13781, 13789, 13799, 13807, 13829, 13831, 13841, 13859, 13873, 13877,
273 13879, 13883, 13901, 13903, 13907, 13913, 13921, 13931, 13933, 13963, 13967,
274 13997, 13999, 14009, 14011, 14029, 14033, 14051, 14057, 14071, 14081, 14083,
275 14087, 14107, 14143, 14149, 14153, 14159, 14173, 14177, 14197, 14207, 14221,
276 14243, 14249, 14251, 14281, 14293, 14303, 14321, 14323, 14327, 14341, 14347,
277 14369, 14387, 14389, 14401, 14407, 14411, 14419, 14423, 14431, 14437, 14447,
278 14449, 14461, 14479, 14489, 14503, 14519, 14533, 14537, 14543, 14549, 14551,
279 14557, 14561, 14563, 14591, 14593, 14621, 14627, 14629, 14633, 14639, 14653,
280 14657, 14669, 14683, 14699, 14713, 14717, 14723, 14731, 14737, 14741, 14747,
281 14753, 14759, 14767, 14771, 14779, 14783, 14797, 14813, 14821, 14827, 14831,
282 14843, 14851, 14867, 14869, 14879, 14887, 14891, 14897, 14923, 14929, 14939,
283 14947, 14951, 14957, 14969, 14983, 15013, 15017, 15031, 15053, 15061, 15073,
284 15077, 15083, 15091, 15101, 15107, 15121, 15131, 15137, 15139, 15149, 15161,
285 15173, 15187, 15193, 15199, 15217, 15227, 15233, 15241, 15259, 15263, 15269,
286 15271, 15277, 15287, 15289, 15299, 15307, 15313, 15319, 15329, 15331, 15349,
287 15359, 15361, 15373, 15377, 15383, 15391, 15401, 15413, 15427, 15439, 15443,
288 15451, 15461, 15467, 15473, 15493, 15497, 15511, 15527, 15541, 15551, 15559,
289 15569, 15581, 15583, 15601, 15607, 15619, 15629, 15641, 15643, 15647, 15649,
290 15661, 15667, 15671, 15679, 15683, 15727, 15731, 15733, 15737, 15739, 15749,
291 15761, 15767, 15773, 15787, 15791, 15797, 15803, 15809, 15817, 15823, 15859,
292 15877, 15881, 15887, 15889, 15901, 15907, 15913, 15919, 15923, 15937, 15959,
293 15971, 15973, 15991, 16001, 16007, 16033, 16057, 16061, 16063, 16067, 16069,
294 16073, 16087, 16091, 16097, 16103, 16111, 16127, 16139, 16141, 16183, 16187,
295 16189, 16193, 16217, 16223, 16229, 16231, 16249, 16253, 16267, 16273, 16301,
296 16319, 16333, 16339, 16349, 16361, 16363, 16369, 16381, 16411, 16417, 16421,
297 16427, 16433, 16447, 16451, 16453, 16477, 16481, 16487, 16493, 16519, 16529,
298 16547, 16553, 16561, 16567, 16573, 16603, 16607, 16619, 16631, 16633, 16649,
299 16651, 16657, 16661, 16673, 16691, 16693, 16699, 16703, 16729, 16741, 16747,
300 16759, 16763, 16787, 16811, 16823, 16829, 16831, 16843, 16871, 16879, 16883,
301 16889, 16901, 16903, 16921, 16927, 16931, 16937, 16943, 16963, 16979, 16981,
302 16987, 16993, 17011, 17021, 17027, 17029, 17033, 17041, 17047, 17053, 17077,
303 17093, 17099, 17107, 17117, 17123, 17137, 17159, 17167, 17183, 17189, 17191,
304 17203, 17207, 17209, 17231, 17239, 17257, 17291, 17293, 17299, 17317, 17321,
305 17327, 17333, 17341, 17351, 17359, 17377, 17383, 17387, 17389, 17393, 17401,
306 17417, 17419, 17431, 17443, 17449, 17467, 17471, 17477, 17483, 17489, 17491,
307 17497, 17509, 17519, 17539, 17551, 17569, 17573, 17579, 17581, 17597, 17599,
308 17609, 17623, 17627, 17657, 17659, 17669, 17681, 17683, 17707, 17713, 17729,
309 17737, 17747, 17749, 17761, 17783, 17789, 17791, 17807, 17827, 17837, 17839,
310 17851, 17863,
311 };
312
313 // BN_prime_checks_for_size returns the number of Miller-Rabin iterations
314 // necessary for a 'bits'-bit prime, in order to maintain an error rate greater
315 // than the security level for an RSA prime of that many bits (calculated using
316 // the FIPS SP 800-57 security level and 186-4 Section F.1; original paper:
317 // Damgaard, Landrock, Pomerance: Average case error estimates for the strong
318 // probable prime test. -- Math. Comp. 61 (1993) 177-194)
BN_prime_checks_for_size(int bits)319 static int BN_prime_checks_for_size(int bits) {
320 if (bits >= 3747) {
321 return 3;
322 }
323 if (bits >= 1345) {
324 return 4;
325 }
326 if (bits >= 476) {
327 return 5;
328 }
329 if (bits >= 400) {
330 return 6;
331 }
332 if (bits >= 308) {
333 return 8;
334 }
335 if (bits >= 205) {
336 return 13;
337 }
338 if (bits >= 155) {
339 return 19;
340 }
341 return 28;
342 }
343
344 static int probable_prime(BIGNUM *rnd, int bits);
345 static int probable_prime_dh(BIGNUM *rnd, int bits, const BIGNUM *add,
346 const BIGNUM *rem, BN_CTX *ctx);
347 static int probable_prime_dh_safe(BIGNUM *rnd, int bits, const BIGNUM *add,
348 const BIGNUM *rem, BN_CTX *ctx);
349
BN_GENCB_set(BN_GENCB * callback,int (* f)(int event,int n,struct bn_gencb_st *),void * arg)350 void BN_GENCB_set(BN_GENCB *callback,
351 int (*f)(int event, int n, struct bn_gencb_st *),
352 void *arg) {
353 callback->callback = f;
354 callback->arg = arg;
355 }
356
BN_GENCB_call(BN_GENCB * callback,int event,int n)357 int BN_GENCB_call(BN_GENCB *callback, int event, int n) {
358 if (!callback) {
359 return 1;
360 }
361
362 return callback->callback(event, n, callback);
363 }
364
BN_generate_prime_ex(BIGNUM * ret,int bits,int safe,const BIGNUM * add,const BIGNUM * rem,BN_GENCB * cb)365 int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe, const BIGNUM *add,
366 const BIGNUM *rem, BN_GENCB *cb) {
367 BIGNUM *t;
368 int found = 0;
369 int i, j, c1 = 0;
370 BN_CTX *ctx;
371 int checks = BN_prime_checks_for_size(bits);
372
373 if (bits < 2) {
374 // There are no prime numbers this small.
375 OPENSSL_PUT_ERROR(BN, BN_R_BITS_TOO_SMALL);
376 return 0;
377 } else if (bits == 2 && safe) {
378 // The smallest safe prime (7) is three bits.
379 OPENSSL_PUT_ERROR(BN, BN_R_BITS_TOO_SMALL);
380 return 0;
381 }
382
383 ctx = BN_CTX_new();
384 if (ctx == NULL) {
385 goto err;
386 }
387 BN_CTX_start(ctx);
388 t = BN_CTX_get(ctx);
389 if (!t) {
390 goto err;
391 }
392
393 loop:
394 // make a random number and set the top and bottom bits
395 if (add == NULL) {
396 if (!probable_prime(ret, bits)) {
397 goto err;
398 }
399 } else {
400 if (safe) {
401 if (!probable_prime_dh_safe(ret, bits, add, rem, ctx)) {
402 goto err;
403 }
404 } else {
405 if (!probable_prime_dh(ret, bits, add, rem, ctx)) {
406 goto err;
407 }
408 }
409 }
410
411 if (!BN_GENCB_call(cb, BN_GENCB_GENERATED, c1++)) {
412 // aborted
413 goto err;
414 }
415
416 if (!safe) {
417 i = BN_is_prime_fasttest_ex(ret, checks, ctx, 0, cb);
418 if (i == -1) {
419 goto err;
420 } else if (i == 0) {
421 goto loop;
422 }
423 } else {
424 // for "safe prime" generation, check that (p-1)/2 is prime. Since a prime
425 // is odd, We just need to divide by 2
426 if (!BN_rshift1(t, ret)) {
427 goto err;
428 }
429
430 for (i = 0; i < checks; i++) {
431 j = BN_is_prime_fasttest_ex(ret, 1, ctx, 0, NULL);
432 if (j == -1) {
433 goto err;
434 } else if (j == 0) {
435 goto loop;
436 }
437
438 j = BN_is_prime_fasttest_ex(t, 1, ctx, 0, NULL);
439 if (j == -1) {
440 goto err;
441 } else if (j == 0) {
442 goto loop;
443 }
444
445 if (!BN_GENCB_call(cb, i, c1 - 1)) {
446 goto err;
447 }
448 // We have a safe prime test pass
449 }
450 }
451
452 // we have a prime :-)
453 found = 1;
454
455 err:
456 if (ctx != NULL) {
457 BN_CTX_end(ctx);
458 BN_CTX_free(ctx);
459 }
460
461 return found;
462 }
463
BN_primality_test(int * is_probably_prime,const BIGNUM * candidate,int checks,BN_CTX * ctx,int do_trial_division,BN_GENCB * cb)464 int BN_primality_test(int *is_probably_prime, const BIGNUM *candidate,
465 int checks, BN_CTX *ctx, int do_trial_division,
466 BN_GENCB *cb) {
467 switch (BN_is_prime_fasttest_ex(candidate, checks, ctx, do_trial_division, cb)) {
468 case 1:
469 *is_probably_prime = 1;
470 return 1;
471 case 0:
472 *is_probably_prime = 0;
473 return 1;
474 default:
475 *is_probably_prime = 0;
476 return 0;
477 }
478 }
479
BN_is_prime_ex(const BIGNUM * candidate,int checks,BN_CTX * ctx,BN_GENCB * cb)480 int BN_is_prime_ex(const BIGNUM *candidate, int checks, BN_CTX *ctx, BN_GENCB *cb) {
481 return BN_is_prime_fasttest_ex(candidate, checks, ctx, 0, cb);
482 }
483
BN_is_prime_fasttest_ex(const BIGNUM * a,int checks,BN_CTX * ctx,int do_trial_division,BN_GENCB * cb)484 int BN_is_prime_fasttest_ex(const BIGNUM *a, int checks, BN_CTX *ctx,
485 int do_trial_division, BN_GENCB *cb) {
486 if (BN_cmp(a, BN_value_one()) <= 0) {
487 return 0;
488 }
489
490 // first look for small factors
491 if (!BN_is_odd(a)) {
492 // a is even => a is prime if and only if a == 2
493 return BN_is_word(a, 2);
494 }
495
496 // Enhanced Miller-Rabin does not work for three.
497 if (BN_is_word(a, 3)) {
498 return 1;
499 }
500
501 if (do_trial_division) {
502 for (int i = 1; i < NUMPRIMES; i++) {
503 BN_ULONG mod = BN_mod_word(a, primes[i]);
504 if (mod == (BN_ULONG)-1) {
505 return -1;
506 }
507 if (mod == 0) {
508 return BN_is_word(a, primes[i]);
509 }
510 }
511
512 if (!BN_GENCB_call(cb, 1, -1)) {
513 return -1;
514 }
515 }
516
517 int ret = -1;
518 BN_CTX *ctx_allocated = NULL;
519 if (ctx == NULL) {
520 ctx_allocated = BN_CTX_new();
521 if (ctx_allocated == NULL) {
522 return -1;
523 }
524 ctx = ctx_allocated;
525 }
526
527 enum bn_primality_result_t result;
528 if (!BN_enhanced_miller_rabin_primality_test(&result, a, checks, ctx, cb)) {
529 goto err;
530 }
531
532 ret = (result == bn_probably_prime);
533
534 err:
535 BN_CTX_free(ctx_allocated);
536 return ret;
537 }
538
BN_enhanced_miller_rabin_primality_test(enum bn_primality_result_t * out_result,const BIGNUM * w,int iterations,BN_CTX * ctx,BN_GENCB * cb)539 int BN_enhanced_miller_rabin_primality_test(
540 enum bn_primality_result_t *out_result, const BIGNUM *w, int iterations,
541 BN_CTX *ctx, BN_GENCB *cb) {
542 // Enhanced Miller-Rabin is only valid on odd integers greater than 3.
543 if (!BN_is_odd(w) || BN_cmp_word(w, 3) <= 0) {
544 OPENSSL_PUT_ERROR(BN, BN_R_INVALID_INPUT);
545 return 0;
546 }
547
548 if (iterations == BN_prime_checks) {
549 iterations = BN_prime_checks_for_size(BN_num_bits(w));
550 }
551
552 int ret = 0;
553 BN_MONT_CTX *mont = NULL;
554
555 BN_CTX_start(ctx);
556
557 BIGNUM *w1 = BN_CTX_get(ctx);
558 if (w1 == NULL ||
559 !BN_copy(w1, w) ||
560 !BN_sub_word(w1, 1)) {
561 goto err;
562 }
563
564 // Write w1 as m*2^a (Steps 1 and 2).
565 int a = 0;
566 while (!BN_is_bit_set(w1, a)) {
567 a++;
568 }
569 BIGNUM *m = BN_CTX_get(ctx);
570 if (m == NULL ||
571 !BN_rshift(m, w1, a)) {
572 goto err;
573 }
574
575 BIGNUM *b = BN_CTX_get(ctx);
576 BIGNUM *g = BN_CTX_get(ctx);
577 BIGNUM *z = BN_CTX_get(ctx);
578 BIGNUM *x = BN_CTX_get(ctx);
579 BIGNUM *x1 = BN_CTX_get(ctx);
580 if (b == NULL ||
581 g == NULL ||
582 z == NULL ||
583 x == NULL ||
584 x1 == NULL) {
585 goto err;
586 }
587
588 // Montgomery setup for computations mod A
589 mont = BN_MONT_CTX_new_for_modulus(w, ctx);
590 if (mont == NULL) {
591 goto err;
592 }
593
594 // The following loop performs in inner iteration of the Enhanced Miller-Rabin
595 // Primality test (Step 4).
596 for (int i = 1; i <= iterations; i++) {
597 // Step 4.1-4.2
598 if (!BN_rand_range_ex(b, 2, w1)) {
599 goto err;
600 }
601
602 // Step 4.3-4.4
603 if (!BN_gcd(g, b, w, ctx)) {
604 goto err;
605 }
606 if (BN_cmp_word(g, 1) > 0) {
607 *out_result = bn_composite;
608 ret = 1;
609 goto err;
610 }
611
612 // Step 4.5
613 if (!BN_mod_exp_mont(z, b, m, w, ctx, mont)) {
614 goto err;
615 }
616
617 // Step 4.6
618 if (BN_is_one(z) || BN_cmp(z, w1) == 0) {
619 goto loop;
620 }
621
622 // Step 4.7
623 for (int j = 1; j < a; j++) {
624 if (!BN_copy(x, z) || !BN_mod_mul(z, x, x, w, ctx)) {
625 goto err;
626 }
627 if (BN_cmp(z, w1) == 0) {
628 goto loop;
629 }
630 if (BN_is_one(z)) {
631 goto composite;
632 }
633 }
634
635 // Step 4.8-4.9
636 if (!BN_copy(x, z) || !BN_mod_mul(z, x, x, w, ctx)) {
637 goto err;
638 }
639
640 // Step 4.10-4.11
641 if (!BN_is_one(z) && !BN_copy(x, z)) {
642 goto err;
643 }
644
645 composite:
646 // Step 4.12-4.14
647 if (!BN_copy(x1, x) ||
648 !BN_sub_word(x1, 1) ||
649 !BN_gcd(g, x1, w, ctx)) {
650 goto err;
651 }
652 if (BN_cmp_word(g, 1) > 0) {
653 *out_result = bn_composite;
654 } else {
655 *out_result = bn_non_prime_power_composite;
656 }
657
658 ret = 1;
659 goto err;
660
661 loop:
662 // Step 4.15
663 if (!BN_GENCB_call(cb, 1, i)) {
664 goto err;
665 }
666 }
667
668 *out_result = bn_probably_prime;
669 ret = 1;
670
671 err:
672 BN_MONT_CTX_free(mont);
673 BN_CTX_end(ctx);
674
675 return ret;
676 }
677
probable_prime(BIGNUM * rnd,int bits)678 static int probable_prime(BIGNUM *rnd, int bits) {
679 int i;
680 uint16_t mods[NUMPRIMES];
681 BN_ULONG delta;
682 BN_ULONG maxdelta = BN_MASK2 - primes[NUMPRIMES - 1];
683 char is_single_word = bits <= BN_BITS2;
684
685 again:
686 if (!BN_rand(rnd, bits, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ODD)) {
687 return 0;
688 }
689
690 // we now have a random number 'rnd' to test.
691 for (i = 1; i < NUMPRIMES; i++) {
692 BN_ULONG mod = BN_mod_word(rnd, (BN_ULONG)primes[i]);
693 if (mod == (BN_ULONG)-1) {
694 return 0;
695 }
696 mods[i] = (uint16_t)mod;
697 }
698 // If bits is so small that it fits into a single word then we
699 // additionally don't want to exceed that many bits.
700 if (is_single_word) {
701 BN_ULONG size_limit;
702 if (bits == BN_BITS2) {
703 // Avoid undefined behavior.
704 size_limit = ~((BN_ULONG)0) - BN_get_word(rnd);
705 } else {
706 size_limit = (((BN_ULONG)1) << bits) - BN_get_word(rnd) - 1;
707 }
708 if (size_limit < maxdelta) {
709 maxdelta = size_limit;
710 }
711 }
712 delta = 0;
713
714 loop:
715 if (is_single_word) {
716 BN_ULONG rnd_word = BN_get_word(rnd);
717
718 // In the case that the candidate prime is a single word then
719 // we check that:
720 // 1) It's greater than primes[i] because we shouldn't reject
721 // 3 as being a prime number because it's a multiple of
722 // three.
723 // 2) That it's not a multiple of a known prime. We don't
724 // check that rnd-1 is also coprime to all the known
725 // primes because there aren't many small primes where
726 // that's true.
727 for (i = 1; i < NUMPRIMES && primes[i] < rnd_word; i++) {
728 if ((mods[i] + delta) % primes[i] == 0) {
729 delta += 2;
730 if (delta > maxdelta) {
731 goto again;
732 }
733 goto loop;
734 }
735 }
736 } else {
737 for (i = 1; i < NUMPRIMES; i++) {
738 // check that rnd is not a prime and also
739 // that gcd(rnd-1,primes) == 1 (except for 2)
740 if (((mods[i] + delta) % primes[i]) <= 1) {
741 delta += 2;
742 if (delta > maxdelta) {
743 goto again;
744 }
745 goto loop;
746 }
747 }
748 }
749
750 if (!BN_add_word(rnd, delta)) {
751 return 0;
752 }
753 if (BN_num_bits(rnd) != (unsigned)bits) {
754 goto again;
755 }
756
757 return 1;
758 }
759
probable_prime_dh(BIGNUM * rnd,int bits,const BIGNUM * add,const BIGNUM * rem,BN_CTX * ctx)760 static int probable_prime_dh(BIGNUM *rnd, int bits, const BIGNUM *add,
761 const BIGNUM *rem, BN_CTX *ctx) {
762 int i, ret = 0;
763 BIGNUM *t1;
764
765 BN_CTX_start(ctx);
766 if ((t1 = BN_CTX_get(ctx)) == NULL) {
767 goto err;
768 }
769
770 if (!BN_rand(rnd, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD)) {
771 goto err;
772 }
773
774 // we need ((rnd-rem) % add) == 0
775
776 if (!BN_mod(t1, rnd, add, ctx)) {
777 goto err;
778 }
779 if (!BN_sub(rnd, rnd, t1)) {
780 goto err;
781 }
782 if (rem == NULL) {
783 if (!BN_add_word(rnd, 1)) {
784 goto err;
785 }
786 } else {
787 if (!BN_add(rnd, rnd, rem)) {
788 goto err;
789 }
790 }
791 // we now have a random number 'rand' to test.
792
793 loop:
794 for (i = 1; i < NUMPRIMES; i++) {
795 // check that rnd is a prime
796 BN_ULONG mod = BN_mod_word(rnd, (BN_ULONG)primes[i]);
797 if (mod == (BN_ULONG)-1) {
798 goto err;
799 }
800 if (mod <= 1) {
801 if (!BN_add(rnd, rnd, add)) {
802 goto err;
803 }
804 goto loop;
805 }
806 }
807
808 ret = 1;
809
810 err:
811 BN_CTX_end(ctx);
812 return ret;
813 }
814
probable_prime_dh_safe(BIGNUM * p,int bits,const BIGNUM * padd,const BIGNUM * rem,BN_CTX * ctx)815 static int probable_prime_dh_safe(BIGNUM *p, int bits, const BIGNUM *padd,
816 const BIGNUM *rem, BN_CTX *ctx) {
817 int i, ret = 0;
818 BIGNUM *t1, *qadd, *q;
819
820 bits--;
821 BN_CTX_start(ctx);
822 t1 = BN_CTX_get(ctx);
823 q = BN_CTX_get(ctx);
824 qadd = BN_CTX_get(ctx);
825 if (qadd == NULL) {
826 goto err;
827 }
828
829 if (!BN_rshift1(qadd, padd)) {
830 goto err;
831 }
832
833 if (!BN_rand(q, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD)) {
834 goto err;
835 }
836
837 // we need ((rnd-rem) % add) == 0
838 if (!BN_mod(t1, q, qadd, ctx)) {
839 goto err;
840 }
841
842 if (!BN_sub(q, q, t1)) {
843 goto err;
844 }
845
846 if (rem == NULL) {
847 if (!BN_add_word(q, 1)) {
848 goto err;
849 }
850 } else {
851 if (!BN_rshift1(t1, rem)) {
852 goto err;
853 }
854 if (!BN_add(q, q, t1)) {
855 goto err;
856 }
857 }
858
859 // we now have a random number 'rand' to test.
860 if (!BN_lshift1(p, q)) {
861 goto err;
862 }
863 if (!BN_add_word(p, 1)) {
864 goto err;
865 }
866
867 loop:
868 for (i = 1; i < NUMPRIMES; i++) {
869 // check that p and q are prime
870 // check that for p and q
871 // gcd(p-1,primes) == 1 (except for 2)
872 BN_ULONG pmod = BN_mod_word(p, (BN_ULONG)primes[i]);
873 BN_ULONG qmod = BN_mod_word(q, (BN_ULONG)primes[i]);
874 if (pmod == (BN_ULONG)-1 || qmod == (BN_ULONG)-1) {
875 goto err;
876 }
877 if (pmod == 0 || qmod == 0) {
878 if (!BN_add(p, p, padd)) {
879 goto err;
880 }
881 if (!BN_add(q, q, qadd)) {
882 goto err;
883 }
884 goto loop;
885 }
886 }
887
888 ret = 1;
889
890 err:
891 BN_CTX_end(ctx);
892 return ret;
893 }
894