Primes p where (p-1)/2 is prime too are called "safe", not "strong".
Changes between 0.9.4 and 0.9.5 [xx XXX 1999]
+ *) Do more iterations of Rabin-Miller probable prime test (specifically,
+ 3 for 1024-bit primes, 6 for 512-bit primes, 12 for 256-bit primes
+ instead of only 2 for all lengths; see BN_prime_checks definition
+ in crypto/bn/bn.h for the complete table). This guarantees a
+ false-positive rate of at most 2^-80 (actually less because we are
+ additionally doing trial division) for random input.
+ [Bodo Moeller]
+
*) Rewrite ssl3_read_n (ssl/s3_pkt.c) avoiding a couple of bugs.
[Bodo Moeller]
#define BN_to_montgomery(r,a,mont,ctx) BN_mod_mul_montgomery(\
r,a,&((mont)->RR),(mont),ctx)
-#define BN_prime_checks (5)
+/* number of Miller-Rabin iterations for an error rate of less than 2^-80
+ * for random 'b'-bit input, b >= 100 (taken from table 4.4 in the Handbook
+ * of Applied Cryptography [Menezes, van Oorschot, Vanstone; CRC Press 1996];
+ * original paper: Damgaard, Landrock, Pomerance: Average case error estimates
+ * for the strong probable prime test. -- Math. Comp. 61 (1993) 177-194) */
+#define BN_prime_checks(b) ((b) >= 1300 ? 2 : \
+ (b) >= 850 ? 3 : \
+ (b) >= 650 ? 4 : \
+ (b) >= 550 ? 5 : \
+ (b) >= 450 ? 6 : \
+ (b) >= 400 ? 7 : \
+ (b) >= 350 ? 8 : \
+ (b) >= 300 ? 9 : \
+ (b) >= 250 ? 12 : \
+ (b) >= 200 ? 15 : \
+ (b) >= 150 ? 18 : \
+ /* b >= 100 */ 27)
#define BN_num_bytes(a) ((BN_num_bits(a)+7)/8)
#define BN_is_word(a,w) (((a)->top == 1) && ((a)->d[0] == (BN_ULONG)(w)))
int BN_dec2bn(BIGNUM **a, const char *str);
int BN_gcd(BIGNUM *r,BIGNUM *in_a,BIGNUM *in_b,BN_CTX *ctx);
BIGNUM *BN_mod_inverse(BIGNUM *ret,BIGNUM *a, const BIGNUM *n,BN_CTX *ctx);
-BIGNUM *BN_generate_prime(BIGNUM *ret,int bits,int strong,BIGNUM *add,
+BIGNUM *BN_generate_prime(BIGNUM *ret,int bits,int safe,BIGNUM *add,
BIGNUM *rem,void (*callback)(int,int,void *),void *cb_arg);
int BN_is_prime(BIGNUM *p,int nchecks,void (*callback)(int,int,void *),
BN_CTX *ctx,void *cb_arg);
static int probable_prime(BIGNUM *rnd, int bits);
static int probable_prime_dh(BIGNUM *rnd, int bits,
BIGNUM *add, BIGNUM *rem, BN_CTX *ctx);
-static int probable_prime_dh_strong(BIGNUM *rnd, int bits,
+static int probable_prime_dh_safe(BIGNUM *rnd, int bits,
BIGNUM *add, BIGNUM *rem, BN_CTX *ctx);
-BIGNUM *BN_generate_prime(BIGNUM *ret, int bits, int strong, BIGNUM *add,
+BIGNUM *BN_generate_prime(BIGNUM *ret, int bits, int safe, BIGNUM *add,
BIGNUM *rem, void (*callback)(int,int,void *), void *cb_arg)
{
BIGNUM *rnd=NULL;
BIGNUM t;
int i,j,c1=0;
BN_CTX *ctx;
+ int checks = BN_prime_checks(bits);
ctx=BN_CTX_new();
if (ctx == NULL) goto err;
}
else
{
- if (strong)
+ if (safe)
{
- if (!probable_prime_dh_strong(rnd,bits,add,rem,ctx))
+ if (!probable_prime_dh_safe(rnd,bits,add,rem,ctx))
goto err;
}
else
/* if (BN_mod_word(rnd,(BN_ULONG)3) == 1) goto loop; */
if (callback != NULL) callback(0,c1++,cb_arg);
- if (!strong)
+ if (!safe)
{
- i=BN_is_prime(rnd,BN_prime_checks,callback,ctx,cb_arg);
+ i=BN_is_prime(rnd,checks,callback,ctx,cb_arg);
if (i == -1) goto err;
if (i == 0) goto loop;
}
else
{
- /* for a strong prime generation,
+ /* for "safe prime" generation,
* check that (p-1)/2 is prime.
* Since a prime is odd, We just
* need to divide by 2 */
if (!BN_rshift1(&t,rnd)) goto err;
- for (i=0; i<BN_prime_checks; i++)
+ for (i=0; i<checks; i++)
{
j=BN_is_prime(rnd,1,callback,ctx,cb_arg);
if (j == -1) goto err;
if (j == 0) goto loop;
if (callback != NULL) callback(2,c1-1,cb_arg);
- /* We have a strong prime test pass */
+ /* We have a safe prime test pass */
}
}
/* we have a prime :-) */
return(ret);
}
-static int probable_prime_dh_strong(BIGNUM *p, int bits, BIGNUM *padd,
+static int probable_prime_dh_safe(BIGNUM *p, int bits, BIGNUM *padd,
BIGNUM *rem, BN_CTX *ctx)
{
int i,ret=0;
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
+
#ifndef EIGHT_BIT
#define NUMPRIMES 2048
#else
else
*ret|=DH_UNABLE_TO_CHECK_GENERATOR;
- if (!BN_is_prime(dh->p,BN_prime_checks,NULL,ctx,NULL))
+ if (!BN_is_prime(dh->p,BN_prime_checks(BN_num_bits(dh->p)),NULL,ctx,NULL))
*ret|=DH_CHECK_P_NOT_PRIME;
else
{
if (!BN_rshift1(q,dh->p)) goto err;
- if (!BN_is_prime(q,BN_prime_checks,NULL,ctx,NULL))
+ if (!BN_is_prime(q,BN_prime_checks(BN_num_bits(q)),NULL,ctx,NULL))
*ret|=DH_CHECK_P_NOT_STRONG_PRIME;
}
ok=1;
}
/* p prime? */
- r = BN_is_prime(key->p, BN_prime_checks, NULL, NULL, NULL);
+ r = BN_is_prime(key->p, BN_prime_checks(BN_num_bits(key->p)), NULL, NULL, NULL);
if (r != 1)
{
ret = r;
}
/* q prime? */
- r = BN_is_prime(key->q, BN_prime_checks, NULL, NULL, NULL);
+ r = BN_is_prime(key->q, BN_prime_checks(BN_num_bits(key->q)), NULL, NULL, NULL);
if (r != 1)
{
ret = r;
projects / openssl.git / commitdiff