X-Git-Url: https://git.openssl.org/?a=blobdiff_plain;f=crypto%2Fbn%2Fbn_prime.c;h=339dbec57051b2f751b1f9cde8caffe6d244662b;hb=3009244da47b989c4cc59ba02cf81a4e9d8f8431;hp=0f07c222fa0e1ae9c6cea35ead17295934af5fbe;hpb=7999c65c9bfd80ec0f07f6eb5be5ce2e36927298;p=openssl.git

diff --git a/crypto/bn/bn_prime.c b/crypto/bn/bn_prime.c
index 0f07c222fa..339dbec570 100644
--- a/crypto/bn/bn_prime.c
+++ b/crypto/bn/bn_prime.c
@@ -56,7 +56,7 @@
  * [including the GNU Public Licence.]
  */
 /* ====================================================================
- * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -115,6 +115,11 @@
 #include "bn_lcl.h"
 #include <openssl/rand.h>
 
+/* NB: these functions have been "upgraded", the deprecated versions (which are
+ * compatibility wrappers using these functions) are in bn_depr.c.
+ * - Geoff
+ */
+
 /* The quick sieve algorithm approach to weeding out primes is
  * Philip Zimmermann's, as implemented in PGP.  I have had a read of
  * his comments and implemented my own version.
@@ -125,54 +130,86 @@ static int witness(BIGNUM *w, const BIGNUM *a, const BIGNUM *a1,
 	const BIGNUM *a1_odd, int k, BN_CTX *ctx, BN_MONT_CTX *mont);
 static int probable_prime(BIGNUM *rnd, int bits);
 static int probable_prime_dh(BIGNUM *rnd, int bits,
-	BIGNUM *add, BIGNUM *rem, BN_CTX *ctx);
+	const BIGNUM *add, const BIGNUM *rem, BN_CTX *ctx);
 static int probable_prime_dh_safe(BIGNUM *rnd, int bits,
-	BIGNUM *add, BIGNUM *rem, BN_CTX *ctx);
+	const BIGNUM *add, const BIGNUM *rem, BN_CTX *ctx);
+
+int BN_GENCB_call(BN_GENCB *cb, int a, int b)
+	{
+	/* No callback means continue */
+	if(!cb) return 1;
+	switch(cb->ver)
+		{
+	case 1:
+		/* Deprecated-style callbacks */
+		if(!cb->cb.cb_1)
+			return 1;
+		cb->cb.cb_1(a, b, cb->arg);
+		return 1;
+	case 2:
+		/* New-style callbacks */
+		return cb->cb.cb_2(a, b, cb);
+	default:
+		break;
+		}
+	/* Unrecognised callback type */
+	return 0;
+	}
 
-BIGNUM *BN_generate_prime(BIGNUM *ret, int bits, int safe, BIGNUM *add,
-	     BIGNUM *rem, void (*callback)(int,int,void *), void *cb_arg)
+int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe,
+	const BIGNUM *add, const BIGNUM *rem, BN_GENCB *cb)
 	{
-	BIGNUM *rnd=NULL;
-	BIGNUM t;
+	BIGNUM *t;
 	int found=0;
 	int i,j,c1=0;
 	BN_CTX *ctx;
 	int checks = BN_prime_checks_for_size(bits);
 
-	ctx=BN_CTX_new();
-	if (ctx == NULL) goto err;
-	if (ret == NULL)
+	if (bits < 2)
 		{
-		if ((rnd=BN_new()) == NULL) goto err;
+		/* There are no prime numbers this small. */
+		BNerr(BN_F_BN_GENERATE_PRIME_EX, BN_R_BITS_TOO_SMALL);
+		return 0;
 		}
-	else
-		rnd=ret;
-	BN_init(&t);
+	else if (bits == 2 && safe)
+		{
+		/* The smallest safe prime (7) is three bits. */
+		BNerr(BN_F_BN_GENERATE_PRIME_EX, BN_R_BITS_TOO_SMALL);
+		return 0;
+		}
+
+	ctx=BN_CTX_new();
+	if (ctx == NULL) goto err;
+	BN_CTX_start(ctx);
+	t = BN_CTX_get(ctx);
+	if(!t) goto err;
 loop: 
 	/* make a random number and set the top and bottom bits */
 	if (add == NULL)
 		{
-		if (!probable_prime(rnd,bits)) goto err;
+		if (!probable_prime(ret,bits)) goto err;
 		}
 	else
 		{
 		if (safe)
 			{
-			if (!probable_prime_dh_safe(rnd,bits,add,rem,ctx))
+			if (!probable_prime_dh_safe(ret,bits,add,rem,ctx))
 				 goto err;
 			}
 		else
 			{
-			if (!probable_prime_dh(rnd,bits,add,rem,ctx))
+			if (!probable_prime_dh(ret,bits,add,rem,ctx))
 				goto err;
 			}
 		}
-	/* if (BN_mod_word(rnd,(BN_ULONG)3) == 1) goto loop; */
-	if (callback != NULL) callback(0,c1++,cb_arg);
+	/* if (BN_mod_word(ret,(BN_ULONG)3) == 1) goto loop; */
+	if(!BN_GENCB_call(cb, 0, c1++))
+		/* aborted */
+		goto err;
 
 	if (!safe)
 		{
-		i=BN_is_prime_fasttest(rnd,checks,callback,ctx,cb_arg,0);
+		i=BN_is_prime_fasttest_ex(ret,checks,ctx,0,cb);
 		if (i == -1) goto err;
 		if (i == 0) goto loop;
 		}
@@ -182,61 +219,67 @@ loop:
 		 * check that (p-1)/2 is prime.
 		 * Since a prime is odd, We just
 		 * need to divide by 2 */
-		if (!BN_rshift1(&t,rnd)) goto err;
+		if (!BN_rshift1(t,ret)) goto err;
 
 		for (i=0; i<checks; i++)
 			{
-			j=BN_is_prime_fasttest(rnd,1,callback,ctx,cb_arg,0);
+			j=BN_is_prime_fasttest_ex(ret,1,ctx,0,cb);
 			if (j == -1) goto err;
 			if (j == 0) goto loop;
 
-			j=BN_is_prime_fasttest(&t,1,callback,ctx,cb_arg,0);
+			j=BN_is_prime_fasttest_ex(t,1,ctx,0,cb);
 			if (j == -1) goto err;
 			if (j == 0) goto loop;
 
-			if (callback != NULL) callback(2,c1-1,cb_arg);
+			if(!BN_GENCB_call(cb, 2, c1-1))
+				goto err;
 			/* We have a safe prime test pass */
 			}
 		}
 	/* we have a prime :-) */
 	found = 1;
 err:
-	if (!found && (ret == NULL) && (rnd != NULL)) BN_free(rnd);
-	BN_free(&t);
-	if (ctx != NULL) BN_CTX_free(ctx);
-	return(found ? rnd : NULL);
+	if (ctx != NULL)
+		{
+		BN_CTX_end(ctx);
+		BN_CTX_free(ctx);
+		}
+	bn_check_top(ret);
+	return found;
 	}
 
-int BN_is_prime(const BIGNUM *a, int checks, void (*callback)(int,int,void *),
-	BN_CTX *ctx_passed, void *cb_arg)
+int BN_is_prime_ex(const BIGNUM *a, int checks, BN_CTX *ctx_passed, BN_GENCB *cb)
 	{
-	return BN_is_prime_fasttest(a, checks, callback, ctx_passed, cb_arg, 0);
+	return BN_is_prime_fasttest_ex(a, checks, ctx_passed, 0, cb);
 	}
 
-int BN_is_prime_fasttest(const BIGNUM *a, int checks,
-		void (*callback)(int,int,void *),
-		BN_CTX *ctx_passed, void *cb_arg,
-		int do_trial_division)
+int BN_is_prime_fasttest_ex(const BIGNUM *a, int checks, BN_CTX *ctx_passed,
+		int do_trial_division, BN_GENCB *cb)
 	{
 	int i, j, ret = -1;
 	int k;
 	BN_CTX *ctx = NULL;
 	BIGNUM *A1, *A1_odd, *check; /* taken from ctx */
 	BN_MONT_CTX *mont = NULL;
-	const BIGNUM *A;
+	const BIGNUM *A = NULL;
 
+	if (BN_cmp(a, BN_value_one()) <= 0)
+		return 0;
+	
 	if (checks == BN_prime_checks)
 		checks = BN_prime_checks_for_size(BN_num_bits(a));
 
 	/* first look for small factors */
 	if (!BN_is_odd(a))
-		return(0);
+		/* a is even => a is prime if and only if a == 2 */
+		return BN_is_word(a, 2);
 	if (do_trial_division)
 		{
 		for (i = 1; i < NUMPRIMES; i++)
 			if (BN_mod_word(a, primes[i]) == 0) 
 				return 0;
-		if (callback != NULL) callback(1, -1, cb_arg);
+		if(!BN_GENCB_call(cb, 1, -1))
+			goto err;
 		}
 
 	if (ctx_passed != NULL)
@@ -244,19 +287,23 @@ int BN_is_prime_fasttest(const BIGNUM *a, int checks,
 	else
 		if ((ctx=BN_CTX_new()) == NULL)
 			goto err;
+	BN_CTX_start(ctx);
+
 	/* A := abs(a) */
 	if (a->neg)
 		{
-		BIGNUM *t = &(ctx->bn[ctx->tos++]);
+		BIGNUM *t;
+		if ((t = BN_CTX_get(ctx)) == NULL) goto err;
 		BN_copy(t, a);
 		t->neg = 0;
 		A = t;
 		}
 	else
 		A = a;
-	A1 = &(ctx->bn[ctx->tos++]);
-	A1_odd = &(ctx->bn[ctx->tos++]);
-	check = &(ctx->bn[ctx->tos++]);;
+	A1 = BN_CTX_get(ctx);
+	A1_odd = BN_CTX_get(ctx);
+	check = BN_CTX_get(ctx);
+	if (check == NULL) goto err;
 
 	/* compute A1 := A - 1 */
 	if (!BN_copy(A1, A))
@@ -285,11 +332,8 @@ int BN_is_prime_fasttest(const BIGNUM *a, int checks,
 	
 	for (i = 0; i < checks; i++)
 		{
-		if (!BN_pseudo_rand(check, BN_num_bits(A1), 0, 0))
+		if (!BN_pseudo_rand_range(check, A1))
 			goto err;
-		if (BN_cmp(check, A1) >= 0)
-			if (!BN_sub(check, check, A1))
-				goto err;
 		if (!BN_add_word(check, 1))
 			goto err;
 		/* now 1 <= check < A */
@@ -301,18 +345,17 @@ int BN_is_prime_fasttest(const BIGNUM *a, int checks,
 			ret=0;
 			goto err;
 			}
-		if (callback != NULL) callback(1,i,cb_arg);
+		if(!BN_GENCB_call(cb, 1, i))
+			goto err;
 		}
 	ret=1;
 err:
-	if (ctx_passed != NULL)
+	if (ctx != NULL)
 		{
-		ctx_passed->tos -= 3; /* A1, A1_odd, check */
-		if (a != A)
-			--ctx_passed->tos; /* A */
+		BN_CTX_end(ctx);
+		if (ctx_passed == NULL)
+			BN_CTX_free(ctx);
 		}
-	else if (ctx != NULL)
-		BN_CTX_free(ctx);
 	if (mont != NULL)
 		BN_MONT_CTX_free(mont);
 
@@ -340,47 +383,85 @@ static int witness(BIGNUM *w, const BIGNUM *a, const BIGNUM *a1,
 		}
 	/* If we get here, 'w' is the (a-1)/2-th power of the original 'w',
 	 * and it is neither -1 nor +1 -- so 'a' cannot be prime */
+	bn_check_top(w);
 	return 1;
 	}
 
 static int probable_prime(BIGNUM *rnd, int bits)
 	{
 	int i;
-	BN_ULONG mods[NUMPRIMES];
-	BN_ULONG delta,d;
+	prime_t mods[NUMPRIMES];
+	BN_ULONG delta;
+	BN_ULONG maxdelta = BN_MASK2 - primes[NUMPRIMES-1];
+	char is_single_word = bits <= BN_BITS2;
 
 again:
 	if (!BN_rand(rnd,bits,1,1)) return(0);
-	/* we now have a random number 'rand' to test. */
+	/* we now have a random number 'rnd' to test. */
 	for (i=1; i<NUMPRIMES; i++)
-		mods[i]=BN_mod_word(rnd,(BN_ULONG)primes[i]);
+		mods[i]=(prime_t)BN_mod_word(rnd,(BN_ULONG)primes[i]);
+	/* If bits is so small that it fits into a single word then we
+	 * additionally don't want to exceed that many bits. */
+	if (is_single_word)
+		{
+		BN_ULONG size_limit = (((BN_ULONG) 1) << bits) - BN_get_word(rnd) - 1;
+		if (size_limit < maxdelta)
+			maxdelta = size_limit;
+		}
 	delta=0;
-	loop: for (i=1; i<NUMPRIMES; i++)
+	loop:
+	if (is_single_word)
 		{
-		/* check that rnd is not a prime and also
-		 * that gcd(rnd-1,primes) == 1 (except for 2) */
-		if (((mods[i]+delta)%primes[i]) <= 1)
+		BN_ULONG rnd_word = BN_get_word(rnd);
+
+		/* In the case that the candidate prime is a single word then
+		 * we check that:
+		 *   1) It's greater than primes[i] because we shouldn't reject
+		 *      3 as being a prime number because it's a multiple of
+		 *      three.
+		 *   2) That it's not a multiple of a known prime. We don't
+		 *      check that rnd-1 is also coprime to all the known
+		 *      primes because there aren't many small primes where
+		 *      that's true. */
+		for (i=1; i<NUMPRIMES && primes[i]<rnd_word; i++)
 			{
-			d=delta;
-			delta+=2;
-			/* perhaps need to check for overflow of
-			 * delta (but delta can be upto 2^32)
-			 * 21-May-98 eay - added overflow check */
-			if (delta < d) goto again;
-			goto loop;
+			if ((mods[i]+delta)%primes[i] == 0)
+				{
+				delta+=2;
+				if (delta > maxdelta) goto again;
+				goto loop;
+				}
+			}
+		}
+	else
+		{
+		for (i=1; i<NUMPRIMES; i++)
+			{
+			/* check that rnd is not a prime and also
+			 * that gcd(rnd-1,primes) == 1 (except for 2) */
+			if (((mods[i]+delta)%primes[i]) <= 1)
+				{
+				delta+=2;
+				if (delta > maxdelta) goto again;
+				goto loop;
+				}
 			}
 		}
 	if (!BN_add_word(rnd,delta)) return(0);
+	if (BN_num_bits(rnd) != bits)
+		goto again;
+	bn_check_top(rnd);
 	return(1);
 	}
 
-static int probable_prime_dh(BIGNUM *rnd, int bits, BIGNUM *add, BIGNUM *rem,
-	     BN_CTX *ctx)
+static int probable_prime_dh(BIGNUM *rnd, int bits,
+	const BIGNUM *add, const BIGNUM *rem, BN_CTX *ctx)
 	{
 	int i,ret=0;
 	BIGNUM *t1;
 
-	t1= &(ctx->bn[ctx->tos++]);
+	BN_CTX_start(ctx);
+	if ((t1 = BN_CTX_get(ctx)) == NULL) goto err;
 
 	if (!BN_rand(rnd,bits,0,1)) goto err;
 
@@ -406,20 +487,23 @@ static int probable_prime_dh(BIGNUM *rnd, int bits, BIGNUM *add, BIGNUM *rem,
 		}
 	ret=1;
 err:
-	ctx->tos--;
+	BN_CTX_end(ctx);
+	bn_check_top(rnd);
 	return(ret);
 	}
 
-static int probable_prime_dh_safe(BIGNUM *p, int bits, BIGNUM *padd,
-	     BIGNUM *rem, BN_CTX *ctx)
+static int probable_prime_dh_safe(BIGNUM *p, int bits, const BIGNUM *padd,
+	const BIGNUM *rem, BN_CTX *ctx)
 	{
 	int i,ret=0;
-	BIGNUM *t1,*qadd=NULL,*q=NULL;
+	BIGNUM *t1,*qadd,*q;
 
 	bits--;
-	t1= &(ctx->bn[ctx->tos++]);
-	q= &(ctx->bn[ctx->tos++]);
-	qadd= &(ctx->bn[ctx->tos++]);
+	BN_CTX_start(ctx);
+	t1 = BN_CTX_get(ctx);
+	q = BN_CTX_get(ctx);
+	qadd = BN_CTX_get(ctx);
+	if (qadd == NULL) goto err;
 
 	if (!BN_rshift1(qadd,padd)) goto err;
 		
@@ -455,6 +539,7 @@ static int probable_prime_dh_safe(BIGNUM *p, int bits, BIGNUM *padd,
 		}
 	ret=1;
 err:
-	ctx->tos-=3;
+	BN_CTX_end(ctx);
+	bn_check_top(p);
 	return(ret);
 	}