[thirdparty/openssl.git] / crypto / bn / bn_prime.c

/*
 * WARNING: do not edit!
 * Generated by crypto/bn/bn_prime.pl
 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <stdio.h>
#include <time.h>
#include "internal/cryptlib.h"
#include "bn_lcl.h"
#include <openssl/rand.h>

/*
 * The quick sieve algorithm approach to weeding out primes is Philip
 * Zimmermann's, as implemented in PGP.  I have had a read of his comments
 * and implemented my own version.
 */
#include "bn_prime.h"

static int witness(BIGNUM *w, const BIGNUM *a, const BIGNUM *a1,
                   const BIGNUM *a1_odd, int k, BN_CTX *ctx,
                   BN_MONT_CTX *mont);
static int probable_prime(BIGNUM *rnd, int bits, prime_t *mods);
static int probable_prime_dh_safe(BIGNUM *rnd, int bits,
                                  const BIGNUM *add, const BIGNUM *rem,
                                  BN_CTX *ctx);

static const int prime_offsets[480] = {
    13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83,
    89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139, 149, 151, 157, 163,
    167, 169, 173, 179, 181, 191, 193, 197, 199, 211, 221, 223, 227, 229,
    233, 239, 241, 247, 251, 257, 263, 269, 271, 277, 281, 283, 289, 293,
    299, 307, 311, 313, 317, 323, 331, 337, 347, 349, 353, 359, 361, 367,
    373, 377, 379, 383, 389, 391, 397, 401, 403, 409, 419, 421, 431, 433,
    437, 439, 443, 449, 457, 461, 463, 467, 479, 481, 487, 491, 493, 499,
    503, 509, 521, 523, 527, 529, 533, 541, 547, 551, 557, 559, 563, 569,
    571, 577, 587, 589, 593, 599, 601, 607, 611, 613, 617, 619, 629, 631,
    641, 643, 647, 653, 659, 661, 667, 673, 677, 683, 689, 691, 697, 701,
    703, 709, 713, 719, 727, 731, 733, 739, 743, 751, 757, 761, 767, 769,
    773, 779, 787, 793, 797, 799, 809, 811, 817, 821, 823, 827, 829, 839,
    841, 851, 853, 857, 859, 863, 871, 877, 881, 883, 887, 893, 899, 901,
    907, 911, 919, 923, 929, 937, 941, 943, 947, 949, 953, 961, 967, 971,
    977, 983, 989, 991, 997, 1003, 1007, 1009, 1013, 1019, 1021, 1027, 1031,
    1033, 1037, 1039, 1049, 1051, 1061, 1063, 1069, 1073, 1079, 1081, 1087,
    1091, 1093, 1097, 1103, 1109, 1117, 1121, 1123, 1129, 1139, 1147, 1151,
    1153, 1157, 1159, 1163, 1171, 1181, 1187, 1189, 1193, 1201, 1207, 1213,
    1217, 1219, 1223, 1229, 1231, 1237, 1241, 1247, 1249, 1259, 1261, 1271,
    1273, 1277, 1279, 1283, 1289, 1291, 1297, 1301, 1303, 1307, 1313, 1319,
    1321, 1327, 1333, 1339, 1343, 1349, 1357, 1361, 1363, 1367, 1369, 1373,
    1381, 1387, 1391, 1399, 1403, 1409, 1411, 1417, 1423, 1427, 1429, 1433,
    1439, 1447, 1451, 1453, 1457, 1459, 1469, 1471, 1481, 1483, 1487, 1489,
    1493, 1499, 1501, 1511, 1513, 1517, 1523, 1531, 1537, 1541, 1543, 1549,
    1553, 1559, 1567, 1571, 1577, 1579, 1583, 1591, 1597, 1601, 1607, 1609,
    1613, 1619, 1621, 1627, 1633, 1637, 1643, 1649, 1651, 1657, 1663, 1667,
    1669, 1679, 1681, 1691, 1693, 1697, 1699, 1703, 1709, 1711, 1717, 1721,
    1723, 1733, 1739, 1741, 1747, 1751, 1753, 1759, 1763, 1769, 1777, 1781,
    1783, 1787, 1789, 1801, 1807, 1811, 1817, 1819, 1823, 1829, 1831, 1843,
    1847, 1849, 1853, 1861, 1867, 1871, 1873, 1877, 1879, 1889, 1891, 1901,
    1907, 1909, 1913, 1919, 1921, 1927, 1931, 1933, 1937, 1943, 1949, 1951,
    1957, 1961, 1963, 1973, 1979, 1987, 1993, 1997, 1999, 2003, 2011, 2017,
    2021, 2027, 2029, 2033, 2039, 2041, 2047, 2053, 2059, 2063, 2069, 2071,
    2077, 2081, 2083, 2087, 2089, 2099, 2111, 2113, 2117, 2119, 2129, 2131,
    2137, 2141, 2143, 2147, 2153, 2159, 2161, 2171, 2173, 2179, 2183, 2197,
    2201, 2203, 2207, 2209, 2213, 2221, 2227, 2231, 2237, 2239, 2243, 2249,
    2251, 2257, 2263, 2267, 2269, 2273, 2279, 2281, 2287, 2291, 2293, 2297,
    2309, 2311
};

static const int prime_offset_count = 480;
static const int prime_multiplier = 2310;
static const int prime_multiplier_bits = 11; /* 2^|prime_multiplier_bits| <=
                                              * |prime_multiplier| */
static const int first_prime_index = 5;

int BN_GENCB_call(BN_GENCB *cb, int a, int b)
{
    /* No callback means continue */
    if (!cb)
        return 1;
    switch (cb->ver) {
    case 1:
        /* Deprecated-style callbacks */
        if (!cb->cb.cb_1)
            return 1;
        cb->cb.cb_1(a, b, cb->arg);
        return 1;
    case 2:
        /* New-style callbacks */
        return cb->cb.cb_2(a, b, cb);
    default:
        break;
    }
    /* Unrecognised callback type */
    return 0;
}

int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe,
                         const BIGNUM *add, const BIGNUM *rem, BN_GENCB *cb)
{
    BIGNUM *t;
    int found = 0;
    int i, j, c1 = 0;
    BN_CTX *ctx = NULL;
    prime_t *mods = NULL;
    int checks = BN_prime_checks_for_size(bits);

    if (bits < 2) {
        /* There are no prime numbers this small. */
        BNerr(BN_F_BN_GENERATE_PRIME_EX, BN_R_BITS_TOO_SMALL);
        return 0;
    } else if (bits == 2 && safe) {
        /* The smallest safe prime (7) is three bits. */
        BNerr(BN_F_BN_GENERATE_PRIME_EX, BN_R_BITS_TOO_SMALL);
        return 0;
    }

    mods = OPENSSL_zalloc(sizeof(*mods) * NUMPRIMES);
    if (mods == NULL)
        goto err;

    ctx = BN_CTX_new();
    if (ctx == NULL)
        goto err;
    BN_CTX_start(ctx);
    t = BN_CTX_get(ctx);
    if (!t)
        goto err;
 loop:
    /* make a random number and set the top and bottom bits */
    if (add == NULL) {
        if (!probable_prime(ret, bits, mods))
            goto err;
    } else {
        if (safe) {
            if (!probable_prime_dh_safe(ret, bits, add, rem, ctx))
                goto err;
        } else {
            if (!bn_probable_prime_dh(ret, bits, add, rem, ctx))
                goto err;
        }
    }
    /* if (BN_mod_word(ret,(BN_ULONG)3) == 1) goto loop; */
    if (!BN_GENCB_call(cb, 0, c1++))
        /* aborted */
        goto err;

    if (!safe) {
        i = BN_is_prime_fasttest_ex(ret, checks, ctx, 0, cb);
        if (i == -1)
            goto err;
        if (i == 0)
            goto loop;
    } else {
        /*
         * for "safe prime" generation, check that (p-1)/2 is prime. Since a
         * prime is odd, We just need to divide by 2
         */
        if (!BN_rshift1(t, ret))
            goto err;

        for (i = 0; i < checks; i++) {
            j = BN_is_prime_fasttest_ex(ret, 1, ctx, 0, cb);
            if (j == -1)
                goto err;
            if (j == 0)
                goto loop;

            j = BN_is_prime_fasttest_ex(t, 1, ctx, 0, cb);
            if (j == -1)
                goto err;
            if (j == 0)
                goto loop;

            if (!BN_GENCB_call(cb, 2, c1 - 1))
                goto err;
            /* We have a safe prime test pass */
        }
    }
    /* we have a prime :-) */
    found = 1;
 err:
    OPENSSL_free(mods);
    if (ctx != NULL)
        BN_CTX_end(ctx);
    BN_CTX_free(ctx);
    bn_check_top(ret);
    return found;
}

int BN_is_prime_ex(const BIGNUM *a, int checks, BN_CTX *ctx_passed,
                   BN_GENCB *cb)
{
    return BN_is_prime_fasttest_ex(a, checks, ctx_passed, 0, cb);
}

int BN_is_prime_fasttest_ex(const BIGNUM *a, int checks, BN_CTX *ctx_passed,
                            int do_trial_division, BN_GENCB *cb)
{
    int i, j, ret = -1;
    int k;
    BN_CTX *ctx = NULL;
    BIGNUM *A1, *A1_odd, *check; /* taken from ctx */
    BN_MONT_CTX *mont = NULL;
    const BIGNUM *A = NULL;

    if (BN_cmp(a, BN_value_one()) <= 0)
        return 0;

    if (checks == BN_prime_checks)
        checks = BN_prime_checks_for_size(BN_num_bits(a));

    /* first look for small factors */
    if (!BN_is_odd(a))
        /* a is even => a is prime if and only if a == 2 */
        return BN_is_word(a, 2);
    if (do_trial_division) {
        for (i = 1; i < NUMPRIMES; i++)
            if (BN_mod_word(a, primes[i]) == 0)
                return 0;
        if (!BN_GENCB_call(cb, 1, -1))
            goto err;
    }

    if (ctx_passed != NULL)
        ctx = ctx_passed;
    else if ((ctx = BN_CTX_new()) == NULL)
        goto err;
    BN_CTX_start(ctx);

    /* A := abs(a) */
    if (a->neg) {
        BIGNUM *t;
        if ((t = BN_CTX_get(ctx)) == NULL)
            goto err;
        BN_copy(t, a);
        t->neg = 0;
        A = t;
    } else
        A = a;
    A1 = BN_CTX_get(ctx);
    A1_odd = BN_CTX_get(ctx);
    check = BN_CTX_get(ctx);
    if (check == NULL)
        goto err;

    /* compute A1 := A - 1 */
    if (!BN_copy(A1, A))
        goto err;
    if (!BN_sub_word(A1, 1))
        goto err;
    if (BN_is_zero(A1)) {
        ret = 0;
        goto err;
    }

    /* write  A1  as  A1_odd * 2^k */
    k = 1;
    while (!BN_is_bit_set(A1, k))
        k++;
    if (!BN_rshift(A1_odd, A1, k))
        goto err;

    /* Montgomery setup for computations mod A */
    mont = BN_MONT_CTX_new();
    if (mont == NULL)
        goto err;
    if (!BN_MONT_CTX_set(mont, A, ctx))
        goto err;

    for (i = 0; i < checks; i++) {
        if (!BN_pseudo_rand_range(check, A1))
            goto err;
        if (!BN_add_word(check, 1))
            goto err;
        /* now 1 <= check < A */

        j = witness(check, A, A1, A1_odd, k, ctx, mont);
        if (j == -1)
            goto err;
        if (j) {
            ret = 0;
            goto err;
        }
        if (!BN_GENCB_call(cb, 1, i))
            goto err;
    }
    ret = 1;
 err:
    if (ctx != NULL) {
        BN_CTX_end(ctx);
        if (ctx_passed == NULL)
            BN_CTX_free(ctx);
    }
    BN_MONT_CTX_free(mont);

    return (ret);
}

int bn_probable_prime_dh_retry(BIGNUM *rnd, int bits, BN_CTX *ctx)
{
    int i;
    int ret = 0;

 loop:
    if (!BN_rand(rnd, bits, 0, 1))
        goto err;

    /* we now have a random number 'rand' to test. */

    for (i = 1; i < NUMPRIMES; i++) {
        /* check that rnd is a prime */
        if (BN_mod_word(rnd, (BN_ULONG)primes[i]) <= 1) {
            goto loop;
        }
    }
    ret = 1;

 err:
    bn_check_top(rnd);
    return (ret);
}

int bn_probable_prime_dh_coprime(BIGNUM *rnd, int bits, BN_CTX *ctx)
{
    int i;
    BIGNUM *offset_index;
    BIGNUM *offset_count;
    int ret = 0;

    OPENSSL_assert(bits > prime_multiplier_bits);

    BN_CTX_start(ctx);
    if ((offset_index = BN_CTX_get(ctx)) == NULL)
        goto err;
    if ((offset_count = BN_CTX_get(ctx)) == NULL)
        goto err;

    BN_add_word(offset_count, prime_offset_count);

 loop:
    if (!BN_rand(rnd, bits - prime_multiplier_bits, 0, 1))
        goto err;
    if (BN_is_bit_set(rnd, bits))
        goto loop;
    if (!BN_rand_range(offset_index, offset_count))
        goto err;

    BN_mul_word(rnd, prime_multiplier);
    BN_add_word(rnd, prime_offsets[BN_get_word(offset_index)]);

    /* we now have a random number 'rand' to test. */

    /* skip coprimes */
    for (i = first_prime_index; i < NUMPRIMES; i++) {
        /* check that rnd is a prime */
        if (BN_mod_word(rnd, (BN_ULONG)primes[i]) <= 1) {
            goto loop;
        }
    }
    ret = 1;

 err:
    BN_CTX_end(ctx);
    bn_check_top(rnd);
    return ret;
}

static int witness(BIGNUM *w, const BIGNUM *a, const BIGNUM *a1,
                   const BIGNUM *a1_odd, int k, BN_CTX *ctx,
                   BN_MONT_CTX *mont)
{
    if (!BN_mod_exp_mont(w, w, a1_odd, a, ctx, mont)) /* w := w^a1_odd mod a */
        return -1;
    if (BN_is_one(w))
        return 0;               /* probably prime */
    if (BN_cmp(w, a1) == 0)
        return 0;               /* w == -1 (mod a), 'a' is probably prime */
    while (--k) {
        if (!BN_mod_mul(w, w, w, a, ctx)) /* w := w^2 mod a */
            return -1;
        if (BN_is_one(w))
            return 1;           /* 'a' is composite, otherwise a previous 'w'
                                 * would have been == -1 (mod 'a') */
        if (BN_cmp(w, a1) == 0)
            return 0;           /* w == -1 (mod a), 'a' is probably prime */
    }
    /*
     * If we get here, 'w' is the (a-1)/2-th power of the original 'w', and
     * it is neither -1 nor +1 -- so 'a' cannot be prime
     */
    bn_check_top(w);
    return 1;
}

static int probable_prime(BIGNUM *rnd, int bits, prime_t *mods)
{
    int i;
    BN_ULONG delta;
    BN_ULONG maxdelta = BN_MASK2 - primes[NUMPRIMES - 1];
    char is_single_word = bits <= BN_BITS2;

 again:
    if (!BN_rand(rnd, bits, 1, 1))
        return (0);
    /* we now have a random number 'rnd' to test. */
    for (i = 1; i < NUMPRIMES; i++)
        mods[i] = (prime_t) BN_mod_word(rnd, (BN_ULONG)primes[i]);
    /*
     * If bits is so small that it fits into a single word then we
     * additionally don't want to exceed that many bits.
     */
    if (is_single_word) {
        BN_ULONG size_limit;
        
        if (bits == BN_BITS2) {
            /*
             * Shifting by this much has undefined behaviour so we do it a
             * different way
             */
            size_limit = ~((BN_ULONG)0) - BN_get_word(rnd);
        } else {
            size_limit = (((BN_ULONG)1) << bits) - BN_get_word(rnd) - 1;
        }
        if (size_limit < maxdelta)
            maxdelta = size_limit;
    }
    delta = 0;
 loop:
    if (is_single_word) {
        BN_ULONG rnd_word = BN_get_word(rnd);

        /*-
         * In the case that the candidate prime is a single word then
         * we check that:
         *   1) It's greater than primes[i] because we shouldn't reject
         *      3 as being a prime number because it's a multiple of
         *      three.
         *   2) That it's not a multiple of a known prime. We don't
         *      check that rnd-1 is also coprime to all the known
         *      primes because there aren't many small primes where
         *      that's true.
         */
        for (i = 1; i < NUMPRIMES && primes[i] < rnd_word; i++) {
            if ((mods[i] + delta) % primes[i] == 0) {
                delta += 2;
                if (delta > maxdelta)
                    goto again;
                goto loop;
            }
        }
    } else {
        for (i = 1; i < NUMPRIMES; i++) {
            /*
             * check that rnd is not a prime and also that gcd(rnd-1,primes)
             * == 1 (except for 2)
             */
            if (((mods[i] + delta) % primes[i]) <= 1) {
                delta += 2;
                if (delta > maxdelta)
                    goto again;
                goto loop;
            }
        }
    }
    if (!BN_add_word(rnd, delta))
        return (0);
    if (BN_num_bits(rnd) != bits)
        goto again;
    bn_check_top(rnd);
    return (1);
}

int bn_probable_prime_dh(BIGNUM *rnd, int bits,
                         const BIGNUM *add, const BIGNUM *rem, BN_CTX *ctx)
{
    int i, ret = 0;
    BIGNUM *t1;

    BN_CTX_start(ctx);
    if ((t1 = BN_CTX_get(ctx)) == NULL)
        goto err;

    if (!BN_rand(rnd, bits, 0, 1))
        goto err;

    /* we need ((rnd-rem) % add) == 0 */

    if (!BN_mod(t1, rnd, add, ctx))
        goto err;
    if (!BN_sub(rnd, rnd, t1))
        goto err;
    if (rem == NULL) {
        if (!BN_add_word(rnd, 1))
            goto err;
    } else {
        if (!BN_add(rnd, rnd, rem))
            goto err;
    }

    /* we now have a random number 'rand' to test. */

 loop:
    for (i = 1; i < NUMPRIMES; i++) {
        /* check that rnd is a prime */
        if (BN_mod_word(rnd, (BN_ULONG)primes[i]) <= 1) {
            if (!BN_add(rnd, rnd, add))
                goto err;
            goto loop;
        }
    }
    ret = 1;

 err:
    BN_CTX_end(ctx);
    bn_check_top(rnd);
    return (ret);
}

static int probable_prime_dh_safe(BIGNUM *p, int bits, const BIGNUM *padd,
                                  const BIGNUM *rem, BN_CTX *ctx)
{
    int i, ret = 0;
    BIGNUM *t1, *qadd, *q;

    bits--;
    BN_CTX_start(ctx);
    t1 = BN_CTX_get(ctx);
    q = BN_CTX_get(ctx);
    qadd = BN_CTX_get(ctx);
    if (qadd == NULL)
        goto err;

    if (!BN_rshift1(qadd, padd))
        goto err;

    if (!BN_rand(q, bits, 0, 1))
        goto err;

    /* we need ((rnd-rem) % add) == 0 */
    if (!BN_mod(t1, q, qadd, ctx))
        goto err;
    if (!BN_sub(q, q, t1))
        goto err;
    if (rem == NULL) {
        if (!BN_add_word(q, 1))
            goto err;
    } else {
        if (!BN_rshift1(t1, rem))
            goto err;
        if (!BN_add(q, q, t1))
            goto err;
    }

    /* we now have a random number 'rand' to test. */
    if (!BN_lshift1(p, q))
        goto err;
    if (!BN_add_word(p, 1))
        goto err;

 loop:
    for (i = 1; i < NUMPRIMES; i++) {
        /* check that p and q are prime */
        /*
         * check that for p and q gcd(p-1,primes) == 1 (except for 2)
         */
        if ((BN_mod_word(p, (BN_ULONG)primes[i]) == 0) ||
            (BN_mod_word(q, (BN_ULONG)primes[i]) == 0)) {
            if (!BN_add(p, p, padd))
                goto err;
            if (!BN_add(q, q, qadd))
                goto err;
            goto loop;
        }
    }
    ret = 1;

 err:
    BN_CTX_end(ctx);
    bn_check_top(p);
    return (ret);
}
Commit	Line	Data
4f22f405 RS	1	/*
	2	* WARNING: do not edit!
	3	* Generated by crypto/bn/bn_prime.pl
	4	* Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
	5	*
	6	* Licensed under the OpenSSL license (the "License"). You may not use
	7	* this file except in compliance with the License. You can obtain a copy
	8	* in the file LICENSE in the source distribution or at
	9	* https://www.openssl.org/source/license.html
bfe30e4d	10	*/
d02b48c6 RE	11
	12	#include <stdio.h>
	13	#include <time.h>
b39fc560	14	#include "internal/cryptlib.h"
d02b48c6	15	#include "bn_lcl.h"
ec577822	16	#include <openssl/rand.h>
d02b48c6	17
0f113f3e MC	18	/*
	19	* The quick sieve algorithm approach to weeding out primes is Philip
	20	* Zimmermann's, as implemented in PGP. I have had a read of his comments
	21	* and implemented my own version.
d02b48c6 RE	22	*/
	23	#include "bn_prime.h"
	24
7999c65c	25	static int witness(BIGNUM w, const BIGNUM a, const BIGNUM *a1,
0f113f3e MC	26	const BIGNUM a1_odd, int k, BN_CTX ctx,
0f113f3e MC	27	BN_MONT_CTX *mont);
8e704858	28	static int probable_prime(BIGNUM rnd, int bits, prime_t mods);
76aa0ddc	29	static int probable_prime_dh_safe(BIGNUM *rnd, int bits,
0f113f3e MC	30	const BIGNUM add, const BIGNUM rem,
0f113f3e MC	31	BN_CTX *ctx);
eb952088	32
46838817	33	static const int prime_offsets[480] = {
0f113f3e MC	34	13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83,
	35	89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139, 149, 151, 157, 163,
	36	167, 169, 173, 179, 181, 191, 193, 197, 199, 211, 221, 223, 227, 229,
	37	233, 239, 241, 247, 251, 257, 263, 269, 271, 277, 281, 283, 289, 293,
	38	299, 307, 311, 313, 317, 323, 331, 337, 347, 349, 353, 359, 361, 367,
	39	373, 377, 379, 383, 389, 391, 397, 401, 403, 409, 419, 421, 431, 433,
	40	437, 439, 443, 449, 457, 461, 463, 467, 479, 481, 487, 491, 493, 499,
	41	503, 509, 521, 523, 527, 529, 533, 541, 547, 551, 557, 559, 563, 569,
	42	571, 577, 587, 589, 593, 599, 601, 607, 611, 613, 617, 619, 629, 631,
	43	641, 643, 647, 653, 659, 661, 667, 673, 677, 683, 689, 691, 697, 701,
	44	703, 709, 713, 719, 727, 731, 733, 739, 743, 751, 757, 761, 767, 769,
	45	773, 779, 787, 793, 797, 799, 809, 811, 817, 821, 823, 827, 829, 839,
	46	841, 851, 853, 857, 859, 863, 871, 877, 881, 883, 887, 893, 899, 901,
	47	907, 911, 919, 923, 929, 937, 941, 943, 947, 949, 953, 961, 967, 971,
	48	977, 983, 989, 991, 997, 1003, 1007, 1009, 1013, 1019, 1021, 1027, 1031,
	49	1033, 1037, 1039, 1049, 1051, 1061, 1063, 1069, 1073, 1079, 1081, 1087,
	50	1091, 1093, 1097, 1103, 1109, 1117, 1121, 1123, 1129, 1139, 1147, 1151,
	51	1153, 1157, 1159, 1163, 1171, 1181, 1187, 1189, 1193, 1201, 1207, 1213,
	52	1217, 1219, 1223, 1229, 1231, 1237, 1241, 1247, 1249, 1259, 1261, 1271,
	53	1273, 1277, 1279, 1283, 1289, 1291, 1297, 1301, 1303, 1307, 1313, 1319,
	54	1321, 1327, 1333, 1339, 1343, 1349, 1357, 1361, 1363, 1367, 1369, 1373,
	55	1381, 1387, 1391, 1399, 1403, 1409, 1411, 1417, 1423, 1427, 1429, 1433,
	56	1439, 1447, 1451, 1453, 1457, 1459, 1469, 1471, 1481, 1483, 1487, 1489,
	57	1493, 1499, 1501, 1511, 1513, 1517, 1523, 1531, 1537, 1541, 1543, 1549,
	58	1553, 1559, 1567, 1571, 1577, 1579, 1583, 1591, 1597, 1601, 1607, 1609,
	59	1613, 1619, 1621, 1627, 1633, 1637, 1643, 1649, 1651, 1657, 1663, 1667,
	60	1669, 1679, 1681, 1691, 1693, 1697, 1699, 1703, 1709, 1711, 1717, 1721,
	61	1723, 1733, 1739, 1741, 1747, 1751, 1753, 1759, 1763, 1769, 1777, 1781,
	62	1783, 1787, 1789, 1801, 1807, 1811, 1817, 1819, 1823, 1829, 1831, 1843,
	63	1847, 1849, 1853, 1861, 1867, 1871, 1873, 1877, 1879, 1889, 1891, 1901,
	64	1907, 1909, 1913, 1919, 1921, 1927, 1931, 1933, 1937, 1943, 1949, 1951,
	65	1957, 1961, 1963, 1973, 1979, 1987, 1993, 1997, 1999, 2003, 2011, 2017,
	66	2021, 2027, 2029, 2033, 2039, 2041, 2047, 2053, 2059, 2063, 2069, 2071,
	67	2077, 2081, 2083, 2087, 2089, 2099, 2111, 2113, 2117, 2119, 2129, 2131,
	68	2137, 2141, 2143, 2147, 2153, 2159, 2161, 2171, 2173, 2179, 2183, 2197,
	69	2201, 2203, 2207, 2209, 2213, 2221, 2227, 2231, 2237, 2239, 2243, 2249,
	70	2251, 2257, 2263, 2267, 2269, 2273, 2279, 2281, 2287, 2291, 2293, 2297,
	71	2309, 2311
	72	};
	73
46838817 BL	74	static const int prime_offset_count = 480;
46838817 BL	75	static const int prime_multiplier = 2310;
0f113f3e MC	76	static const int prime_multiplier_bits = 11; /* 2^\|prime_multiplier_bits\| <=
0f113f3e MC	77	* \|prime_multiplier\| */
46838817	78	static const int first_prime_index = 5;
b0513819	79
e9224c71	80	int BN_GENCB_call(BN_GENCB *cb, int a, int b)
0f113f3e MC	81	{
	82	/* No callback means continue */
	83	if (!cb)
	84	return 1;
	85	switch (cb->ver) {
	86	case 1:
	87	/* Deprecated-style callbacks */
	88	if (!cb->cb.cb_1)
	89	return 1;
	90	cb->cb.cb_1(a, b, cb->arg);
	91	return 1;
	92	case 2:
	93	/* New-style callbacks */
	94	return cb->cb.cb_2(a, b, cb);
	95	default:
	96	break;
	97	}
	98	/* Unrecognised callback type */
	99	return 0;
	100	}
e9224c71 GT	101
e9224c71 GT	102	int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe,
0f113f3e MC	103	const BIGNUM add, const BIGNUM rem, BN_GENCB *cb)
	104	{
	105	BIGNUM *t;
	106	int found = 0;
	107	int i, j, c1 = 0;
8e704858 RS	108	BN_CTX *ctx = NULL;
8e704858 RS	109	prime_t *mods = NULL;
0f113f3e MC	110	int checks = BN_prime_checks_for_size(bits);
	111
	112	if (bits < 2) {
	113	/* There are no prime numbers this small. */
	114	BNerr(BN_F_BN_GENERATE_PRIME_EX, BN_R_BITS_TOO_SMALL);
	115	return 0;
	116	} else if (bits == 2 && safe) {
	117	/* The smallest safe prime (7) is three bits. */
	118	BNerr(BN_F_BN_GENERATE_PRIME_EX, BN_R_BITS_TOO_SMALL);
	119	return 0;
	120	}
	121
d71eb667 MC	122	mods = OPENSSL_zalloc(sizeof(mods) NUMPRIMES);
	123	if (mods == NULL)
	124	goto err;
	125
0f113f3e MC	126	ctx = BN_CTX_new();
	127	if (ctx == NULL)
	128	goto err;
	129	BN_CTX_start(ctx);
	130	t = BN_CTX_get(ctx);
	131	if (!t)
	132	goto err;
	133	loop:
	134	/* make a random number and set the top and bottom bits */
	135	if (add == NULL) {
8e704858	136	if (!probable_prime(ret, bits, mods))
0f113f3e MC	137	goto err;
	138	} else {
	139	if (safe) {
	140	if (!probable_prime_dh_safe(ret, bits, add, rem, ctx))
	141	goto err;
	142	} else {
	143	if (!bn_probable_prime_dh(ret, bits, add, rem, ctx))
	144	goto err;
	145	}
	146	}
	147	/* if (BN_mod_word(ret,(BN_ULONG)3) == 1) goto loop; */
	148	if (!BN_GENCB_call(cb, 0, c1++))
	149	/* aborted */
	150	goto err;
	151
	152	if (!safe) {
	153	i = BN_is_prime_fasttest_ex(ret, checks, ctx, 0, cb);
	154	if (i == -1)
	155	goto err;
	156	if (i == 0)
	157	goto loop;
	158	} else {
	159	/*
	160	* for "safe prime" generation, check that (p-1)/2 is prime. Since a
	161	* prime is odd, We just need to divide by 2
	162	*/
	163	if (!BN_rshift1(t, ret))
	164	goto err;
	165
	166	for (i = 0; i < checks; i++) {
	167	j = BN_is_prime_fasttest_ex(ret, 1, ctx, 0, cb);
	168	if (j == -1)
	169	goto err;
	170	if (j == 0)
	171	goto loop;
	172
	173	j = BN_is_prime_fasttest_ex(t, 1, ctx, 0, cb);
	174	if (j == -1)
	175	goto err;
	176	if (j == 0)
	177	goto loop;
	178
	179	if (!BN_GENCB_call(cb, 2, c1 - 1))
	180	goto err;
	181	/* We have a safe prime test pass */
	182	}
	183	}
	184	/* we have a prime :-) */
	185	found = 1;
	186	err:
8e704858	187	OPENSSL_free(mods);
23a1d5e9	188	if (ctx != NULL)
0f113f3e	189	BN_CTX_end(ctx);
23a1d5e9	190	BN_CTX_free(ctx);
0f113f3e MC	191	bn_check_top(ret);
	192	return found;
	193	}
	194
	195	int BN_is_prime_ex(const BIGNUM a, int checks, BN_CTX ctx_passed,
	196	BN_GENCB *cb)
	197	{
	198	return BN_is_prime_fasttest_ex(a, checks, ctx_passed, 0, cb);
	199	}
e74231ed	200
e9224c71	201	int BN_is_prime_fasttest_ex(const BIGNUM a, int checks, BN_CTX ctx_passed,
0f113f3e MC	202	int do_trial_division, BN_GENCB *cb)
	203	{
	204	int i, j, ret = -1;
	205	int k;
	206	BN_CTX *ctx = NULL;
	207	BIGNUM A1, A1_odd, check; / taken from ctx */
	208	BN_MONT_CTX *mont = NULL;
	209	const BIGNUM *A = NULL;
	210
	211	if (BN_cmp(a, BN_value_one()) <= 0)
	212	return 0;
	213
	214	if (checks == BN_prime_checks)
	215	checks = BN_prime_checks_for_size(BN_num_bits(a));
	216
	217	/* first look for small factors */
	218	if (!BN_is_odd(a))
	219	/* a is even => a is prime if and only if a == 2 */
	220	return BN_is_word(a, 2);
	221	if (do_trial_division) {
	222	for (i = 1; i < NUMPRIMES; i++)
	223	if (BN_mod_word(a, primes[i]) == 0)
	224	return 0;
	225	if (!BN_GENCB_call(cb, 1, -1))
	226	goto err;
	227	}
	228
	229	if (ctx_passed != NULL)
	230	ctx = ctx_passed;
	231	else if ((ctx = BN_CTX_new()) == NULL)
	232	goto err;
	233	BN_CTX_start(ctx);
	234
	235	/* A := abs(a) */
	236	if (a->neg) {
	237	BIGNUM *t;
	238	if ((t = BN_CTX_get(ctx)) == NULL)
	239	goto err;
	240	BN_copy(t, a);
	241	t->neg = 0;
	242	A = t;
	243	} else
	244	A = a;
	245	A1 = BN_CTX_get(ctx);
	246	A1_odd = BN_CTX_get(ctx);
	247	check = BN_CTX_get(ctx);
	248	if (check == NULL)
	249	goto err;
	250
	251	/* compute A1 := A - 1 */
	252	if (!BN_copy(A1, A))
	253	goto err;
	254	if (!BN_sub_word(A1, 1))
	255	goto err;
	256	if (BN_is_zero(A1)) {
	257	ret = 0;
	258	goto err;
	259	}
	260
	261	/* write A1 as A1_odd * 2^k */
	262	k = 1;
	263	while (!BN_is_bit_set(A1, k))
	264	k++;
	265	if (!BN_rshift(A1_odd, A1, k))
266	goto err;
267
268	/* Montgomery setup for computations mod A */
269	mont = BN_MONT_CTX_new();
270	if (mont == NULL)
271	goto err;
272	if (!BN_MONT_CTX_set(mont, A, ctx))
273	goto err;
274
275	for (i = 0; i < checks; i++) {
276	if (!BN_pseudo_rand_range(check, A1))
277	goto err;
278	if (!BN_add_word(check, 1))
279	goto err;
280	/* now 1 <= check < A */
281
282	j = witness(check, A, A1, A1_odd, k, ctx, mont);
283	if (j == -1)
284	goto err;
285	if (j) {
286	ret = 0;
287	goto err;
288	}
289	if (!BN_GENCB_call(cb, 1, i))
290	goto err;
291	}
292	ret = 1;
293	err:
294	if (ctx != NULL) {
295	BN_CTX_end(ctx);
296	if (ctx_passed == NULL)
297	BN_CTX_free(ctx);
298	}
23a1d5e9	299	BN_MONT_CTX_free(mont);
0f113f3e MC	300
	301	return (ret);
	302	}
a87030a1	303
982c42cb	304	int bn_probable_prime_dh_retry(BIGNUM rnd, int bits, BN_CTX ctx)
0f113f3e MC	305	{
	306	int i;
	307	int ret = 0;
	308
	309	loop:
	310	if (!BN_rand(rnd, bits, 0, 1))
	311	goto err;
	312
	313	/* we now have a random number 'rand' to test. */
	314
	315	for (i = 1; i < NUMPRIMES; i++) {
	316	/* check that rnd is a prime */
	317	if (BN_mod_word(rnd, (BN_ULONG)primes[i]) <= 1) {
	318	goto loop;
	319	}
	320	}
	321	ret = 1;
	322
	323	err:
	324	bn_check_top(rnd);
	325	return (ret);
	326	}
982c42cb FLM	327
982c42cb FLM	328	int bn_probable_prime_dh_coprime(BIGNUM rnd, int bits, BN_CTX ctx)
0f113f3e MC	329	{
	330	int i;
	331	BIGNUM *offset_index;
	332	BIGNUM *offset_count;
	333	int ret = 0;
	334
	335	OPENSSL_assert(bits > prime_multiplier_bits);
	336
	337	BN_CTX_start(ctx);
	338	if ((offset_index = BN_CTX_get(ctx)) == NULL)
	339	goto err;
	340	if ((offset_count = BN_CTX_get(ctx)) == NULL)
	341	goto err;
	342
	343	BN_add_word(offset_count, prime_offset_count);
	344
	345	loop:
	346	if (!BN_rand(rnd, bits - prime_multiplier_bits, 0, 1))
	347	goto err;
	348	if (BN_is_bit_set(rnd, bits))
	349	goto loop;
	350	if (!BN_rand_range(offset_index, offset_count))
	351	goto err;
	352
	353	BN_mul_word(rnd, prime_multiplier);
	354	BN_add_word(rnd, prime_offsets[BN_get_word(offset_index)]);
	355
	356	/* we now have a random number 'rand' to test. */
	357
	358	/* skip coprimes */
	359	for (i = first_prime_index; i < NUMPRIMES; i++) {
	360	/* check that rnd is a prime */
	361	if (BN_mod_word(rnd, (BN_ULONG)primes[i]) <= 1) {
	362	goto loop;
	363	}
	364	}
	365	ret = 1;
	366
	367	err:
	368	BN_CTX_end(ctx);
	369	bn_check_top(rnd);
	370	return ret;
	371	}
e46a059e	372
7999c65c	373	static int witness(BIGNUM w, const BIGNUM a, const BIGNUM *a1,
0f113f3e MC	374	const BIGNUM a1_odd, int k, BN_CTX ctx,
	375	BN_MONT_CTX *mont)
	376	{
	377	if (!BN_mod_exp_mont(w, w, a1_odd, a, ctx, mont)) /* w := w^a1_odd mod a */
	378	return -1;
	379	if (BN_is_one(w))
	380	return 0; /* probably prime */
	381	if (BN_cmp(w, a1) == 0)
	382	return 0; /* w == -1 (mod a), 'a' is probably prime */
	383	while (--k) {
	384	if (!BN_mod_mul(w, w, w, a, ctx)) /* w := w^2 mod a */
	385	return -1;
	386	if (BN_is_one(w))
	387	return 1; /* 'a' is composite, otherwise a previous 'w'
	388	* would have been == -1 (mod 'a') */
	389	if (BN_cmp(w, a1) == 0)
	390	return 0; /* w == -1 (mod a), 'a' is probably prime */
	391	}
	392	/*
	393	* If we get here, 'w' is the (a-1)/2-th power of the original 'w', and
	394	* it is neither -1 nor +1 -- so 'a' cannot be prime
	395	*/
	396	bn_check_top(w);
	397	return 1;
	398	}
d02b48c6	399
8e704858	400	static int probable_prime(BIGNUM rnd, int bits, prime_t mods)
0f113f3e MC	401	{
0f113f3e MC	402	int i;
0f113f3e MC	403	BN_ULONG delta;
	404	BN_ULONG maxdelta = BN_MASK2 - primes[NUMPRIMES - 1];
	405	char is_single_word = bits <= BN_BITS2;
	406
	407	again:
	408	if (!BN_rand(rnd, bits, 1, 1))
	409	return (0);
	410	/* we now have a random number 'rnd' to test. */
	411	for (i = 1; i < NUMPRIMES; i++)
	412	mods[i] = (prime_t) BN_mod_word(rnd, (BN_ULONG)primes[i]);
	413	/*
	414	* If bits is so small that it fits into a single word then we
	415	* additionally don't want to exceed that many bits.
	416	*/
	417	if (is_single_word) {
e4676e90 MC	418	BN_ULONG size_limit;
	419
	420	if (bits == BN_BITS2) {
	421	/*
	422	* Shifting by this much has undefined behaviour so we do it a
	423	* different way
	424	*/
	425	size_limit = ~((BN_ULONG)0) - BN_get_word(rnd);
	426	} else {
	427	size_limit = (((BN_ULONG)1) << bits) - BN_get_word(rnd) - 1;
	428	}
0f113f3e MC	429	if (size_limit < maxdelta)
	430	maxdelta = size_limit;
	431	}
	432	delta = 0;
	433	loop:
	434	if (is_single_word) {
	435	BN_ULONG rnd_word = BN_get_word(rnd);
	436
50e735f9 MC	437	/*-
	438	* In the case that the candidate prime is a single word then
	439	* we check that:
	440	* 1) It's greater than primes[i] because we shouldn't reject
	441	* 3 as being a prime number because it's a multiple of
	442	* three.
	443	* 2) That it's not a multiple of a known prime. We don't
	444	* check that rnd-1 is also coprime to all the known
	445	* primes because there aren't many small primes where
	446	* that's true.
	447	*/
0f113f3e MC	448	for (i = 1; i < NUMPRIMES && primes[i] < rnd_word; i++) {
	449	if ((mods[i] + delta) % primes[i] == 0) {
	450	delta += 2;
	451	if (delta > maxdelta)
	452	goto again;
	453	goto loop;
	454	}
	455	}
	456	} else {
	457	for (i = 1; i < NUMPRIMES; i++) {
	458	/*
	459	* check that rnd is not a prime and also that gcd(rnd-1,primes)
	460	* == 1 (except for 2)
	461	*/
	462	if (((mods[i] + delta) % primes[i]) <= 1) {
	463	delta += 2;
	464	if (delta > maxdelta)
	465	goto again;
	466	goto loop;
	467	}
	468	}
	469	}
	470	if (!BN_add_word(rnd, delta))
	471	return (0);
	472	if (BN_num_bits(rnd) != bits)
	473	goto again;
	474	bn_check_top(rnd);
	475	return (1);
	476	}
d02b48c6	477
982c42cb	478	int bn_probable_prime_dh(BIGNUM *rnd, int bits,
0f113f3e MC	479	const BIGNUM add, const BIGNUM rem, BN_CTX *ctx)
	480	{
	481	int i, ret = 0;
	482	BIGNUM *t1;
	483
	484	BN_CTX_start(ctx);
	485	if ((t1 = BN_CTX_get(ctx)) == NULL)
	486	goto err;
	487
	488	if (!BN_rand(rnd, bits, 0, 1))
	489	goto err;
	490
	491	/* we need ((rnd-rem) % add) == 0 */
	492
	493	if (!BN_mod(t1, rnd, add, ctx))
	494	goto err;
	495	if (!BN_sub(rnd, rnd, t1))
	496	goto err;
	497	if (rem == NULL) {
	498	if (!BN_add_word(rnd, 1))
	499	goto err;
	500	} else {
	501	if (!BN_add(rnd, rnd, rem))
	502	goto err;
	503	}
	504
	505	/* we now have a random number 'rand' to test. */
	506
	507	loop:
	508	for (i = 1; i < NUMPRIMES; i++) {
	509	/* check that rnd is a prime */
	510	if (BN_mod_word(rnd, (BN_ULONG)primes[i]) <= 1) {
	511	if (!BN_add(rnd, rnd, add))
	512	goto err;
	513	goto loop;
	514	}
	515	}
	516	ret = 1;
	517
	518	err:
	519	BN_CTX_end(ctx);
	520	bn_check_top(rnd);
	521	return (ret);
	522	}
b0513819	523
020fc820	524	static int probable_prime_dh_safe(BIGNUM p, int bits, const BIGNUM padd,
0f113f3e MC	525	const BIGNUM rem, BN_CTX ctx)
	526	{
	527	int i, ret = 0;
	528	BIGNUM t1, qadd, *q;
	529
	530	bits--;
	531	BN_CTX_start(ctx);
	532	t1 = BN_CTX_get(ctx);
	533	q = BN_CTX_get(ctx);
	534	qadd = BN_CTX_get(ctx);
	535	if (qadd == NULL)
	536	goto err;
	537
	538	if (!BN_rshift1(qadd, padd))
	539	goto err;
	540
	541	if (!BN_rand(q, bits, 0, 1))
	542	goto err;
	543
	544	/* we need ((rnd-rem) % add) == 0 */
	545	if (!BN_mod(t1, q, qadd, ctx))
	546	goto err;
	547	if (!BN_sub(q, q, t1))
	548	goto err;
	549	if (rem == NULL) {
	550	if (!BN_add_word(q, 1))
	551	goto err;
	552	} else {
	553	if (!BN_rshift1(t1, rem))
	554	goto err;
	555	if (!BN_add(q, q, t1))
	556	goto err;
	557	}
	558
	559	/* we now have a random number 'rand' to test. */
	560	if (!BN_lshift1(p, q))
	561	goto err;
	562	if (!BN_add_word(p, 1))
	563	goto err;
	564
	565	loop:
	566	for (i = 1; i < NUMPRIMES; i++) {
	567	/* check that p and q are prime */
	568	/*
	569	* check that for p and q gcd(p-1,primes) == 1 (except for 2)
	570	*/
	571	if ((BN_mod_word(p, (BN_ULONG)primes[i]) == 0) \|\|
	572	(BN_mod_word(q, (BN_ULONG)primes[i]) == 0)) {
	573	if (!BN_add(p, p, padd))
	574	goto err;
	575	if (!BN_add(q, q, qadd))
	576	goto err;
	577	goto loop;
	578	}
	579	}
	580	ret = 1;
	581
	582	err:
	583	BN_CTX_end(ctx);
	584	bn_check_top(p);
	585	return (ret);
	586	}