1e1051a39Sopenharmony_ci/* 2e1051a39Sopenharmony_ci * Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved. 3e1051a39Sopenharmony_ci * Copyright (c) 2018-2019, Oracle and/or its affiliates. All rights reserved. 4e1051a39Sopenharmony_ci * 5e1051a39Sopenharmony_ci * Licensed under the Apache License 2.0 (the "License"). You may not use 6e1051a39Sopenharmony_ci * this file except in compliance with the License. You can obtain a copy 7e1051a39Sopenharmony_ci * in the file LICENSE in the source distribution or at 8e1051a39Sopenharmony_ci * https://www.openssl.org/source/license.html 9e1051a39Sopenharmony_ci */ 10e1051a39Sopenharmony_ci 11e1051a39Sopenharmony_ci/* 12e1051a39Sopenharmony_ci * According to NIST SP800-131A "Transitioning the use of cryptographic 13e1051a39Sopenharmony_ci * algorithms and key lengths" Generation of 1024 bit RSA keys are no longer 14e1051a39Sopenharmony_ci * allowed for signatures (Table 2) or key transport (Table 5). In the code 15e1051a39Sopenharmony_ci * below any attempt to generate 1024 bit RSA keys will result in an error (Note 16e1051a39Sopenharmony_ci * that digital signature verification can still use deprecated 1024 bit keys). 17e1051a39Sopenharmony_ci * 18e1051a39Sopenharmony_ci * FIPS 186-4 relies on the use of the auxiliary primes p1, p2, q1 and q2 that 19e1051a39Sopenharmony_ci * must be generated before the module generates the RSA primes p and q. 20e1051a39Sopenharmony_ci * Table B.1 in FIPS 186-4 specifies RSA modulus lengths of 2048 and 21e1051a39Sopenharmony_ci * 3072 bits only, the min/max total length of the auxiliary primes. 22e1051a39Sopenharmony_ci * FIPS 186-5 Table A.1 includes an additional entry for 4096 which has been 23e1051a39Sopenharmony_ci * included here. 24e1051a39Sopenharmony_ci */ 25e1051a39Sopenharmony_ci#include <stdio.h> 26e1051a39Sopenharmony_ci#include <openssl/bn.h> 27e1051a39Sopenharmony_ci#include "bn_local.h" 28e1051a39Sopenharmony_ci#include "crypto/bn.h" 29e1051a39Sopenharmony_ci#include "internal/nelem.h" 30e1051a39Sopenharmony_ci 31e1051a39Sopenharmony_ci#if BN_BITS2 == 64 32e1051a39Sopenharmony_ci# define BN_DEF(lo, hi) (BN_ULONG)hi<<32|lo 33e1051a39Sopenharmony_ci#else 34e1051a39Sopenharmony_ci# define BN_DEF(lo, hi) lo, hi 35e1051a39Sopenharmony_ci#endif 36e1051a39Sopenharmony_ci 37e1051a39Sopenharmony_ci/* 1 / sqrt(2) * 2^256, rounded up */ 38e1051a39Sopenharmony_cistatic const BN_ULONG inv_sqrt_2_val[] = { 39e1051a39Sopenharmony_ci BN_DEF(0x83339916UL, 0xED17AC85UL), BN_DEF(0x893BA84CUL, 0x1D6F60BAUL), 40e1051a39Sopenharmony_ci BN_DEF(0x754ABE9FUL, 0x597D89B3UL), BN_DEF(0xF9DE6484UL, 0xB504F333UL) 41e1051a39Sopenharmony_ci}; 42e1051a39Sopenharmony_ci 43e1051a39Sopenharmony_ciconst BIGNUM ossl_bn_inv_sqrt_2 = { 44e1051a39Sopenharmony_ci (BN_ULONG *)inv_sqrt_2_val, 45e1051a39Sopenharmony_ci OSSL_NELEM(inv_sqrt_2_val), 46e1051a39Sopenharmony_ci OSSL_NELEM(inv_sqrt_2_val), 47e1051a39Sopenharmony_ci 0, 48e1051a39Sopenharmony_ci BN_FLG_STATIC_DATA 49e1051a39Sopenharmony_ci}; 50e1051a39Sopenharmony_ci 51e1051a39Sopenharmony_ci/* 52e1051a39Sopenharmony_ci * FIPS 186-5 Table A.1. "Min length of auxiliary primes p1, p2, q1, q2". 53e1051a39Sopenharmony_ci * (FIPS 186-5 has an entry for >= 4096 bits). 54e1051a39Sopenharmony_ci * 55e1051a39Sopenharmony_ci * Params: 56e1051a39Sopenharmony_ci * nbits The key size in bits. 57e1051a39Sopenharmony_ci * Returns: 58e1051a39Sopenharmony_ci * The minimum size of the auxiliary primes or 0 if nbits is invalid. 59e1051a39Sopenharmony_ci */ 60e1051a39Sopenharmony_cistatic int bn_rsa_fips186_5_aux_prime_min_size(int nbits) 61e1051a39Sopenharmony_ci{ 62e1051a39Sopenharmony_ci if (nbits >= 4096) 63e1051a39Sopenharmony_ci return 201; 64e1051a39Sopenharmony_ci if (nbits >= 3072) 65e1051a39Sopenharmony_ci return 171; 66e1051a39Sopenharmony_ci if (nbits >= 2048) 67e1051a39Sopenharmony_ci return 141; 68e1051a39Sopenharmony_ci return 0; 69e1051a39Sopenharmony_ci} 70e1051a39Sopenharmony_ci 71e1051a39Sopenharmony_ci/* 72e1051a39Sopenharmony_ci * FIPS 186-5 Table A.1 "Max of len(p1) + len(p2) and 73e1051a39Sopenharmony_ci * len(q1) + len(q2) for p,q Probable Primes". 74e1051a39Sopenharmony_ci * (FIPS 186-5 has an entry for >= 4096 bits). 75e1051a39Sopenharmony_ci * Params: 76e1051a39Sopenharmony_ci * nbits The key size in bits. 77e1051a39Sopenharmony_ci * Returns: 78e1051a39Sopenharmony_ci * The maximum length or 0 if nbits is invalid. 79e1051a39Sopenharmony_ci */ 80e1051a39Sopenharmony_cistatic int bn_rsa_fips186_5_aux_prime_max_sum_size_for_prob_primes(int nbits) 81e1051a39Sopenharmony_ci{ 82e1051a39Sopenharmony_ci if (nbits >= 4096) 83e1051a39Sopenharmony_ci return 2030; 84e1051a39Sopenharmony_ci if (nbits >= 3072) 85e1051a39Sopenharmony_ci return 1518; 86e1051a39Sopenharmony_ci if (nbits >= 2048) 87e1051a39Sopenharmony_ci return 1007; 88e1051a39Sopenharmony_ci return 0; 89e1051a39Sopenharmony_ci} 90e1051a39Sopenharmony_ci 91e1051a39Sopenharmony_ci/* 92e1051a39Sopenharmony_ci * Find the first odd integer that is a probable prime. 93e1051a39Sopenharmony_ci * 94e1051a39Sopenharmony_ci * See section FIPS 186-4 B.3.6 (Steps 4.2/5.2). 95e1051a39Sopenharmony_ci * 96e1051a39Sopenharmony_ci * Params: 97e1051a39Sopenharmony_ci * Xp1 The passed in starting point to find a probably prime. 98e1051a39Sopenharmony_ci * p1 The returned probable prime (first odd integer >= Xp1) 99e1051a39Sopenharmony_ci * ctx A BN_CTX object. 100e1051a39Sopenharmony_ci * cb An optional BIGNUM callback. 101e1051a39Sopenharmony_ci * Returns: 1 on success otherwise it returns 0. 102e1051a39Sopenharmony_ci */ 103e1051a39Sopenharmony_cistatic int bn_rsa_fips186_4_find_aux_prob_prime(const BIGNUM *Xp1, 104e1051a39Sopenharmony_ci BIGNUM *p1, BN_CTX *ctx, 105e1051a39Sopenharmony_ci BN_GENCB *cb) 106e1051a39Sopenharmony_ci{ 107e1051a39Sopenharmony_ci int ret = 0; 108e1051a39Sopenharmony_ci int i = 0; 109e1051a39Sopenharmony_ci int tmp = 0; 110e1051a39Sopenharmony_ci 111e1051a39Sopenharmony_ci if (BN_copy(p1, Xp1) == NULL) 112e1051a39Sopenharmony_ci return 0; 113e1051a39Sopenharmony_ci BN_set_flags(p1, BN_FLG_CONSTTIME); 114e1051a39Sopenharmony_ci 115e1051a39Sopenharmony_ci /* Find the first odd number >= Xp1 that is probably prime */ 116e1051a39Sopenharmony_ci for(;;) { 117e1051a39Sopenharmony_ci i++; 118e1051a39Sopenharmony_ci BN_GENCB_call(cb, 0, i); 119e1051a39Sopenharmony_ci /* MR test with trial division */ 120e1051a39Sopenharmony_ci tmp = BN_check_prime(p1, ctx, cb); 121e1051a39Sopenharmony_ci if (tmp > 0) 122e1051a39Sopenharmony_ci break; 123e1051a39Sopenharmony_ci if (tmp < 0) 124e1051a39Sopenharmony_ci goto err; 125e1051a39Sopenharmony_ci /* Get next odd number */ 126e1051a39Sopenharmony_ci if (!BN_add_word(p1, 2)) 127e1051a39Sopenharmony_ci goto err; 128e1051a39Sopenharmony_ci } 129e1051a39Sopenharmony_ci BN_GENCB_call(cb, 2, i); 130e1051a39Sopenharmony_ci ret = 1; 131e1051a39Sopenharmony_cierr: 132e1051a39Sopenharmony_ci return ret; 133e1051a39Sopenharmony_ci} 134e1051a39Sopenharmony_ci 135e1051a39Sopenharmony_ci/* 136e1051a39Sopenharmony_ci * Generate a probable prime (p or q). 137e1051a39Sopenharmony_ci * 138e1051a39Sopenharmony_ci * See FIPS 186-4 B.3.6 (Steps 4 & 5) 139e1051a39Sopenharmony_ci * 140e1051a39Sopenharmony_ci * Params: 141e1051a39Sopenharmony_ci * p The returned probable prime. 142e1051a39Sopenharmony_ci * Xpout An optionally returned random number used during generation of p. 143e1051a39Sopenharmony_ci * p1, p2 The returned auxiliary primes. If NULL they are not returned. 144e1051a39Sopenharmony_ci * Xp An optional passed in value (that is random number used during 145e1051a39Sopenharmony_ci * generation of p). 146e1051a39Sopenharmony_ci * Xp1, Xp2 Optional passed in values that are normally generated 147e1051a39Sopenharmony_ci * internally. Used to find p1, p2. 148e1051a39Sopenharmony_ci * nlen The bit length of the modulus (the key size). 149e1051a39Sopenharmony_ci * e The public exponent. 150e1051a39Sopenharmony_ci * ctx A BN_CTX object. 151e1051a39Sopenharmony_ci * cb An optional BIGNUM callback. 152e1051a39Sopenharmony_ci * Returns: 1 on success otherwise it returns 0. 153e1051a39Sopenharmony_ci */ 154e1051a39Sopenharmony_ciint ossl_bn_rsa_fips186_4_gen_prob_primes(BIGNUM *p, BIGNUM *Xpout, 155e1051a39Sopenharmony_ci BIGNUM *p1, BIGNUM *p2, 156e1051a39Sopenharmony_ci const BIGNUM *Xp, const BIGNUM *Xp1, 157e1051a39Sopenharmony_ci const BIGNUM *Xp2, int nlen, 158e1051a39Sopenharmony_ci const BIGNUM *e, BN_CTX *ctx, 159e1051a39Sopenharmony_ci BN_GENCB *cb) 160e1051a39Sopenharmony_ci{ 161e1051a39Sopenharmony_ci int ret = 0; 162e1051a39Sopenharmony_ci BIGNUM *p1i = NULL, *p2i = NULL, *Xp1i = NULL, *Xp2i = NULL; 163e1051a39Sopenharmony_ci int bitlen; 164e1051a39Sopenharmony_ci 165e1051a39Sopenharmony_ci if (p == NULL || Xpout == NULL) 166e1051a39Sopenharmony_ci return 0; 167e1051a39Sopenharmony_ci 168e1051a39Sopenharmony_ci BN_CTX_start(ctx); 169e1051a39Sopenharmony_ci 170e1051a39Sopenharmony_ci p1i = (p1 != NULL) ? p1 : BN_CTX_get(ctx); 171e1051a39Sopenharmony_ci p2i = (p2 != NULL) ? p2 : BN_CTX_get(ctx); 172e1051a39Sopenharmony_ci Xp1i = (Xp1 != NULL) ? (BIGNUM *)Xp1 : BN_CTX_get(ctx); 173e1051a39Sopenharmony_ci Xp2i = (Xp2 != NULL) ? (BIGNUM *)Xp2 : BN_CTX_get(ctx); 174e1051a39Sopenharmony_ci if (p1i == NULL || p2i == NULL || Xp1i == NULL || Xp2i == NULL) 175e1051a39Sopenharmony_ci goto err; 176e1051a39Sopenharmony_ci 177e1051a39Sopenharmony_ci bitlen = bn_rsa_fips186_5_aux_prime_min_size(nlen); 178e1051a39Sopenharmony_ci if (bitlen == 0) 179e1051a39Sopenharmony_ci goto err; 180e1051a39Sopenharmony_ci 181e1051a39Sopenharmony_ci /* (Steps 4.1/5.1): Randomly generate Xp1 if it is not passed in */ 182e1051a39Sopenharmony_ci if (Xp1 == NULL) { 183e1051a39Sopenharmony_ci /* Set the top and bottom bits to make it odd and the correct size */ 184e1051a39Sopenharmony_ci if (!BN_priv_rand_ex(Xp1i, bitlen, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD, 185e1051a39Sopenharmony_ci 0, ctx)) 186e1051a39Sopenharmony_ci goto err; 187e1051a39Sopenharmony_ci } 188e1051a39Sopenharmony_ci /* (Steps 4.1/5.1): Randomly generate Xp2 if it is not passed in */ 189e1051a39Sopenharmony_ci if (Xp2 == NULL) { 190e1051a39Sopenharmony_ci /* Set the top and bottom bits to make it odd and the correct size */ 191e1051a39Sopenharmony_ci if (!BN_priv_rand_ex(Xp2i, bitlen, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD, 192e1051a39Sopenharmony_ci 0, ctx)) 193e1051a39Sopenharmony_ci goto err; 194e1051a39Sopenharmony_ci } 195e1051a39Sopenharmony_ci 196e1051a39Sopenharmony_ci /* (Steps 4.2/5.2) - find first auxiliary probable primes */ 197e1051a39Sopenharmony_ci if (!bn_rsa_fips186_4_find_aux_prob_prime(Xp1i, p1i, ctx, cb) 198e1051a39Sopenharmony_ci || !bn_rsa_fips186_4_find_aux_prob_prime(Xp2i, p2i, ctx, cb)) 199e1051a39Sopenharmony_ci goto err; 200e1051a39Sopenharmony_ci /* (Table B.1) auxiliary prime Max length check */ 201e1051a39Sopenharmony_ci if ((BN_num_bits(p1i) + BN_num_bits(p2i)) >= 202e1051a39Sopenharmony_ci bn_rsa_fips186_5_aux_prime_max_sum_size_for_prob_primes(nlen)) 203e1051a39Sopenharmony_ci goto err; 204e1051a39Sopenharmony_ci /* (Steps 4.3/5.3) - generate prime */ 205e1051a39Sopenharmony_ci if (!ossl_bn_rsa_fips186_4_derive_prime(p, Xpout, Xp, p1i, p2i, nlen, e, 206e1051a39Sopenharmony_ci ctx, cb)) 207e1051a39Sopenharmony_ci goto err; 208e1051a39Sopenharmony_ci ret = 1; 209e1051a39Sopenharmony_cierr: 210e1051a39Sopenharmony_ci /* Zeroize any internally generated values that are not returned */ 211e1051a39Sopenharmony_ci if (p1 == NULL) 212e1051a39Sopenharmony_ci BN_clear(p1i); 213e1051a39Sopenharmony_ci if (p2 == NULL) 214e1051a39Sopenharmony_ci BN_clear(p2i); 215e1051a39Sopenharmony_ci if (Xp1 == NULL) 216e1051a39Sopenharmony_ci BN_clear(Xp1i); 217e1051a39Sopenharmony_ci if (Xp2 == NULL) 218e1051a39Sopenharmony_ci BN_clear(Xp2i); 219e1051a39Sopenharmony_ci BN_CTX_end(ctx); 220e1051a39Sopenharmony_ci return ret; 221e1051a39Sopenharmony_ci} 222e1051a39Sopenharmony_ci 223e1051a39Sopenharmony_ci/* 224e1051a39Sopenharmony_ci * Constructs a probable prime (a candidate for p or q) using 2 auxiliary 225e1051a39Sopenharmony_ci * prime numbers and the Chinese Remainder Theorem. 226e1051a39Sopenharmony_ci * 227e1051a39Sopenharmony_ci * See FIPS 186-4 C.9 "Compute a Probable Prime Factor Based on Auxiliary 228e1051a39Sopenharmony_ci * Primes". Used by FIPS 186-4 B.3.6 Section (4.3) for p and Section (5.3) for q. 229e1051a39Sopenharmony_ci * 230e1051a39Sopenharmony_ci * Params: 231e1051a39Sopenharmony_ci * Y The returned prime factor (private_prime_factor) of the modulus n. 232e1051a39Sopenharmony_ci * X The returned random number used during generation of the prime factor. 233e1051a39Sopenharmony_ci * Xin An optional passed in value for X used for testing purposes. 234e1051a39Sopenharmony_ci * r1 An auxiliary prime. 235e1051a39Sopenharmony_ci * r2 An auxiliary prime. 236e1051a39Sopenharmony_ci * nlen The desired length of n (the RSA modulus). 237e1051a39Sopenharmony_ci * e The public exponent. 238e1051a39Sopenharmony_ci * ctx A BN_CTX object. 239e1051a39Sopenharmony_ci * cb An optional BIGNUM callback object. 240e1051a39Sopenharmony_ci * Returns: 1 on success otherwise it returns 0. 241e1051a39Sopenharmony_ci * Assumptions: 242e1051a39Sopenharmony_ci * Y, X, r1, r2, e are not NULL. 243e1051a39Sopenharmony_ci */ 244e1051a39Sopenharmony_ciint ossl_bn_rsa_fips186_4_derive_prime(BIGNUM *Y, BIGNUM *X, const BIGNUM *Xin, 245e1051a39Sopenharmony_ci const BIGNUM *r1, const BIGNUM *r2, 246e1051a39Sopenharmony_ci int nlen, const BIGNUM *e, BN_CTX *ctx, 247e1051a39Sopenharmony_ci BN_GENCB *cb) 248e1051a39Sopenharmony_ci{ 249e1051a39Sopenharmony_ci int ret = 0; 250e1051a39Sopenharmony_ci int i, imax; 251e1051a39Sopenharmony_ci int bits = nlen >> 1; 252e1051a39Sopenharmony_ci BIGNUM *tmp, *R, *r1r2x2, *y1, *r1x2; 253e1051a39Sopenharmony_ci BIGNUM *base, *range; 254e1051a39Sopenharmony_ci 255e1051a39Sopenharmony_ci BN_CTX_start(ctx); 256e1051a39Sopenharmony_ci 257e1051a39Sopenharmony_ci base = BN_CTX_get(ctx); 258e1051a39Sopenharmony_ci range = BN_CTX_get(ctx); 259e1051a39Sopenharmony_ci R = BN_CTX_get(ctx); 260e1051a39Sopenharmony_ci tmp = BN_CTX_get(ctx); 261e1051a39Sopenharmony_ci r1r2x2 = BN_CTX_get(ctx); 262e1051a39Sopenharmony_ci y1 = BN_CTX_get(ctx); 263e1051a39Sopenharmony_ci r1x2 = BN_CTX_get(ctx); 264e1051a39Sopenharmony_ci if (r1x2 == NULL) 265e1051a39Sopenharmony_ci goto err; 266e1051a39Sopenharmony_ci 267e1051a39Sopenharmony_ci if (Xin != NULL && BN_copy(X, Xin) == NULL) 268e1051a39Sopenharmony_ci goto err; 269e1051a39Sopenharmony_ci 270e1051a39Sopenharmony_ci /* 271e1051a39Sopenharmony_ci * We need to generate a random number X in the range 272e1051a39Sopenharmony_ci * 1/sqrt(2) * 2^(nlen/2) <= X < 2^(nlen/2). 273e1051a39Sopenharmony_ci * We can rewrite that as: 274e1051a39Sopenharmony_ci * base = 1/sqrt(2) * 2^(nlen/2) 275e1051a39Sopenharmony_ci * range = ((2^(nlen/2))) - (1/sqrt(2) * 2^(nlen/2)) 276e1051a39Sopenharmony_ci * X = base + random(range) 277e1051a39Sopenharmony_ci * We only have the first 256 bit of 1/sqrt(2) 278e1051a39Sopenharmony_ci */ 279e1051a39Sopenharmony_ci if (Xin == NULL) { 280e1051a39Sopenharmony_ci if (bits < BN_num_bits(&ossl_bn_inv_sqrt_2)) 281e1051a39Sopenharmony_ci goto err; 282e1051a39Sopenharmony_ci if (!BN_lshift(base, &ossl_bn_inv_sqrt_2, 283e1051a39Sopenharmony_ci bits - BN_num_bits(&ossl_bn_inv_sqrt_2)) 284e1051a39Sopenharmony_ci || !BN_lshift(range, BN_value_one(), bits) 285e1051a39Sopenharmony_ci || !BN_sub(range, range, base)) 286e1051a39Sopenharmony_ci goto err; 287e1051a39Sopenharmony_ci } 288e1051a39Sopenharmony_ci 289e1051a39Sopenharmony_ci if (!(BN_lshift1(r1x2, r1) 290e1051a39Sopenharmony_ci /* (Step 1) GCD(2r1, r2) = 1 */ 291e1051a39Sopenharmony_ci && BN_gcd(tmp, r1x2, r2, ctx) 292e1051a39Sopenharmony_ci && BN_is_one(tmp) 293e1051a39Sopenharmony_ci /* (Step 2) R = ((r2^-1 mod 2r1) * r2) - ((2r1^-1 mod r2)*2r1) */ 294e1051a39Sopenharmony_ci && BN_mod_inverse(R, r2, r1x2, ctx) 295e1051a39Sopenharmony_ci && BN_mul(R, R, r2, ctx) /* R = (r2^-1 mod 2r1) * r2 */ 296e1051a39Sopenharmony_ci && BN_mod_inverse(tmp, r1x2, r2, ctx) 297e1051a39Sopenharmony_ci && BN_mul(tmp, tmp, r1x2, ctx) /* tmp = (2r1^-1 mod r2)*2r1 */ 298e1051a39Sopenharmony_ci && BN_sub(R, R, tmp) 299e1051a39Sopenharmony_ci /* Calculate 2r1r2 */ 300e1051a39Sopenharmony_ci && BN_mul(r1r2x2, r1x2, r2, ctx))) 301e1051a39Sopenharmony_ci goto err; 302e1051a39Sopenharmony_ci /* Make positive by adding the modulus */ 303e1051a39Sopenharmony_ci if (BN_is_negative(R) && !BN_add(R, R, r1r2x2)) 304e1051a39Sopenharmony_ci goto err; 305e1051a39Sopenharmony_ci 306e1051a39Sopenharmony_ci /* 307e1051a39Sopenharmony_ci * In FIPS 186-4 imax was set to 5 * nlen/2. 308e1051a39Sopenharmony_ci * Analysis by Allen Roginsky (See https://csrc.nist.gov/CSRC/media/Publications/fips/186/4/final/documents/comments-received-fips186-4-december-2015.pdf 309e1051a39Sopenharmony_ci * page 68) indicates this has a 1 in 2 million chance of failure. 310e1051a39Sopenharmony_ci * The number has been updated to 20 * nlen/2 as used in 311e1051a39Sopenharmony_ci * FIPS186-5 Appendix B.9 Step 9. 312e1051a39Sopenharmony_ci */ 313e1051a39Sopenharmony_ci imax = 20 * bits; /* max = 20/2 * nbits */ 314e1051a39Sopenharmony_ci for (;;) { 315e1051a39Sopenharmony_ci if (Xin == NULL) { 316e1051a39Sopenharmony_ci /* 317e1051a39Sopenharmony_ci * (Step 3) Choose Random X such that 318e1051a39Sopenharmony_ci * sqrt(2) * 2^(nlen/2-1) <= Random X <= (2^(nlen/2)) - 1. 319e1051a39Sopenharmony_ci */ 320e1051a39Sopenharmony_ci if (!BN_priv_rand_range_ex(X, range, 0, ctx) || !BN_add(X, X, base)) 321e1051a39Sopenharmony_ci goto err; 322e1051a39Sopenharmony_ci } 323e1051a39Sopenharmony_ci /* (Step 4) Y = X + ((R - X) mod 2r1r2) */ 324e1051a39Sopenharmony_ci if (!BN_mod_sub(Y, R, X, r1r2x2, ctx) || !BN_add(Y, Y, X)) 325e1051a39Sopenharmony_ci goto err; 326e1051a39Sopenharmony_ci /* (Step 5) */ 327e1051a39Sopenharmony_ci i = 0; 328e1051a39Sopenharmony_ci for (;;) { 329e1051a39Sopenharmony_ci /* (Step 6) */ 330e1051a39Sopenharmony_ci if (BN_num_bits(Y) > bits) { 331e1051a39Sopenharmony_ci if (Xin == NULL) 332e1051a39Sopenharmony_ci break; /* Randomly Generated X so Go back to Step 3 */ 333e1051a39Sopenharmony_ci else 334e1051a39Sopenharmony_ci goto err; /* X is not random so it will always fail */ 335e1051a39Sopenharmony_ci } 336e1051a39Sopenharmony_ci BN_GENCB_call(cb, 0, 2); 337e1051a39Sopenharmony_ci 338e1051a39Sopenharmony_ci /* (Step 7) If GCD(Y-1) == 1 & Y is probably prime then return Y */ 339e1051a39Sopenharmony_ci if (BN_copy(y1, Y) == NULL 340e1051a39Sopenharmony_ci || !BN_sub_word(y1, 1) 341e1051a39Sopenharmony_ci || !BN_gcd(tmp, y1, e, ctx)) 342e1051a39Sopenharmony_ci goto err; 343e1051a39Sopenharmony_ci if (BN_is_one(tmp)) { 344e1051a39Sopenharmony_ci int rv = BN_check_prime(Y, ctx, cb); 345e1051a39Sopenharmony_ci 346e1051a39Sopenharmony_ci if (rv > 0) 347e1051a39Sopenharmony_ci goto end; 348e1051a39Sopenharmony_ci if (rv < 0) 349e1051a39Sopenharmony_ci goto err; 350e1051a39Sopenharmony_ci } 351e1051a39Sopenharmony_ci /* (Step 8-10) */ 352e1051a39Sopenharmony_ci if (++i >= imax) { 353e1051a39Sopenharmony_ci ERR_raise(ERR_LIB_BN, BN_R_NO_PRIME_CANDIDATE); 354e1051a39Sopenharmony_ci goto err; 355e1051a39Sopenharmony_ci } 356e1051a39Sopenharmony_ci if (!BN_add(Y, Y, r1r2x2)) 357e1051a39Sopenharmony_ci goto err; 358e1051a39Sopenharmony_ci } 359e1051a39Sopenharmony_ci } 360e1051a39Sopenharmony_ciend: 361e1051a39Sopenharmony_ci ret = 1; 362e1051a39Sopenharmony_ci BN_GENCB_call(cb, 3, 0); 363e1051a39Sopenharmony_cierr: 364e1051a39Sopenharmony_ci BN_clear(y1); 365e1051a39Sopenharmony_ci BN_CTX_end(ctx); 366e1051a39Sopenharmony_ci return ret; 367e1051a39Sopenharmony_ci} 368