xref: /openbsd-src/lib/libcrypto/man/BN_generate_prime.3 (revision aa997e528a848ca5596493c2a801bdd6fb26ae61)

.\" $OpenBSD: BN_generate_prime.3,v 1.14 2018/03/27 17:35:50 schwarze Exp $
.\" full merge up to: OpenSSL b3696a55 Sep 2 09:35:50 2017 -0400
.\"
.\" This file was written by Ulf Moeller <ulf@openssl.org>
.\" Bodo Moeller <bodo@openssl.org>, and Matt Caswell <matt@openssl.org>.
.\" Copyright (c) 2000, 2003, 2013, 2014 The OpenSSL Project.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in
.\"    the documentation and/or other materials provided with the
.\"    distribution.
.\"
.\" 3. All advertising materials mentioning features or use of this
.\"    software must display the following acknowledgment:
.\"    "This product includes software developed by the OpenSSL Project
.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
.\"
.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
.\"    endorse or promote products derived from this software without
.\"    prior written permission. For written permission, please contact
.\"    openssl-core@openssl.org.
.\"
.\" 5. Products derived from this software may not be called "OpenSSL"
.\"    nor may "OpenSSL" appear in their names without prior written
.\"    permission of the OpenSSL Project.
.\"
.\" 6. Redistributions of any form whatsoever must retain the following
.\"    acknowledgment:
.\"    "This product includes software developed by the OpenSSL Project
.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: March 27 2018 $
.Dt BN_GENERATE_PRIME 3
.Os
.Sh NAME
.Nm BN_generate_prime_ex ,
.Nm BN_is_prime_ex ,
.Nm BN_is_prime_fasttest_ex ,
.Nm BN_GENCB_call ,
.Nm BN_GENCB_new ,
.Nm BN_GENCB_free ,
.Nm BN_GENCB_set_old ,
.Nm BN_GENCB_set ,
.Nm BN_GENCB_get_arg ,
.Nm BN_generate_prime ,
.Nm BN_is_prime ,
.Nm BN_is_prime_fasttest
.Nd generate primes and test for primality
.Sh SYNOPSIS
.In openssl/bn.h
.Ft int
.Fo BN_generate_prime_ex
.Fa "BIGNUM *ret"
.Fa "int bits"
.Fa "int safe"
.Fa "const BIGNUM *add"
.Fa "const BIGNUM *rem"
.Fa "BN_GENCB *cb"
.Fc
.Ft int
.Fo BN_is_prime_ex
.Fa "const BIGNUM *p"
.Fa "int nchecks"
.Fa "BN_CTX *ctx"
.Fa "BN_GENCB *cb"
.Fc
.Ft int
.Fo BN_is_prime_fasttest_ex
.Fa "const BIGNUM *p"
.Fa "int nchecks"
.Fa "BN_CTX *ctx"
.Fa "int do_trial_division"
.Fa "BN_GENCB *cb"
.Fc
.Ft int
.Fo BN_GENCB_call
.Fa "BN_GENCB *cb"
.Fa "int a"
.Fa "int b"
.Fc
.Ft BN_GENCB *
.Fn BN_GENCB_new void
.Ft void
.Fo BN_GENCB_free
.Fa "BN_GENCB *cb"
.Fc
.Ft void
.Fo BN_GENCB_set_old
.Fa "BN_GENCB *gencb"
.Fa "void (*callback)(int, int, void *)"
.Fa "void *cb_arg"
.Fc
.Ft void
.Fo BN_GENCB_set
.Fa "BN_GENCB *gencb"
.Fa "int (*callback)(int, int, BN_GENCB *)"
.Fa "void *cb_arg"
.Fc
.Ft void *
.Fo BN_GENCB_get_arg
.Fa "BN_GENCB *cb"
.Fc
.Pp
Deprecated:
.Pp
.Ft BIGNUM *
.Fo BN_generate_prime
.Fa "BIGNUM *ret"
.Fa "int num"
.Fa "int safe"
.Fa "BIGNUM *add"
.Fa "BIGNUM *rem"
.Fa "void (*callback)(int, int, void *)"
.Fa "void *cb_arg"
.Fc
.Ft int
.Fo BN_is_prime
.Fa "const BIGNUM *a"
.Fa "int checks"
.Fa "void (*callback)(int, int, void *)"
.Fa "BN_CTX *ctx"
.Fa "void *cb_arg"
.Fc
.Ft int
.Fo BN_is_prime_fasttest
.Fa "const BIGNUM *a"
.Fa "int checks"
.Fa "void (*callback)(int, int, void *)"
.Fa "BN_CTX *ctx"
.Fa "void *cb_arg"
.Fa "int do_trial_division"
.Fc
.Sh DESCRIPTION
.Fn BN_generate_prime_ex
generates a pseudo-random prime number of at least bit length
.Fa bits .
If
.Fa ret
is not
.Dv NULL ,
it will be used to store the number.
.Pp
If
.Fa cb
is not
.Dv NULL ,
it is used as follows:
.Bl -bullet
.It
.Fn BN_GENCB_call cb 0 i
is called after generating the i-th potential prime number.
.It
While the number is being tested for primality,
.Fn BN_GENCB_call cb 1 j
is called as described below.
.It
When a prime has been found,
.Fn BN_GENCB_call cb 2 i
is called.
.El
.Pp
The prime may have to fulfill additional requirements for use in
Diffie-Hellman key exchange:
.Pp
If
.Fa add
is not
.Dv NULL ,
the prime will fulfill the condition p %
.Fa add
==
.Fa rem
(p %
.Fa add
== 1 if
.Fa rem
==
.Dv NULL )
in order to suit a given generator.
.Pp
If
.Fa safe
is true, it will be a safe prime (i.e. a prime p so that (p-1)/2
is also prime).
.Pp
The prime number generation has a negligible error probability.
.Pp
.Fn BN_is_prime_ex
and
.Fn BN_is_prime_fasttest_ex
test if the number
.Fa p
is prime.
The following tests are performed until one of them shows that
.Fa p
is composite; if
.Fa p
passes all these tests, it is considered prime.
.Pp
.Fn BN_is_prime_fasttest_ex ,
when called with
.Fa do_trial_division
== 1, first attempts trial division by a number of small primes;
if no divisors are found by this test and
.Fa cb
is not
.Dv NULL ,
.Sy BN_GENCB_call(cb, 1, -1)
is called.
If
.Fa do_trial_division
== 0, this test is skipped.
.Pp
Both
.Fn BN_is_prime_ex
and
.Fn BN_is_prime_fasttest_ex
perform a Miller-Rabin probabilistic primality test with
.Fa nchecks
iterations.
If
.Fa nchecks
==
.Dv BN_prime_checks ,
a number of iterations is used that yields a false positive rate of at
most 2^-80 for random input.
.Pp
If
.Fa cb
is not
.Dv NULL ,
.Fa BN_GENCB_call cb 1 j
is called after the j-th iteration (j = 0, 1, ...).
.Fa ctx
is a pre-allocated
.Vt BN_CTX
(to save the overhead of allocating and freeing the structure in a
loop), or
.Dv NULL .
.Pp
.Fn BN_GENCB_call
calls the callback function held in the
.Vt BN_GENCB
structure and passes the ints
.Fa a
and
.Fa b
as arguments.
There are two types of
.Vt BN_GENCB
structures that are supported: "new" style and "old" style.
New programs should prefer the "new" style, whilst the "old" style is
provided for backwards compatibility purposes.
.Pp
A
.Vt BN_GENCB
structure should be created through a call to
.Fn BN_GENCB_new
and freed through a call to
.Fn BN_GENCB_free .
.Pp
For "new" style callbacks a
.Vt BN_GENCB
structure should be initialised with a call to
.Fn BN_GENCB_set ,
where
.Fa gencb
is a
.Vt BN_GENCB * ,
.Fa callback
is of type
.Vt int (*callback)(int, int, BN_GENCB *)
and
.Fa cb_arg
is a
.Vt void * .
"Old" style callbacks are the same except they are initialised with a
call to
.Fn BN_GENCB_set_old
and
.Fa callback
is of type
.Vt void (*callback)(int, int, void *) .
.Pp
A callback is invoked through a call to
.Fn BN_GENCB_call .
This will check the type of the callback and will invoke
.Fn callback a b gencb
for new style callbacks or
.Fn callback a b cb_arg
for old style.
.Pp
It is possible to obtain the argument associated with a
.Vt BN_GENCB
structure (set via a call to
.Fn BN_GENCB_set
or
.Fn BN_GENCB_set_old )
using
.Fn BN_GENCB_get_arg .
.Pp
.Fn BN_generate_prime
(deprecated) works in the same way as
.Fn BN_generate_prime_ex
but expects an old style callback function directly in the
.Fa callback
parameter, and an argument to pass to it in the
.Fa cb_arg .
Similarly
.Fn BN_is_prime
and
.Fn BN_is_prime_fasttest
are deprecated and can be compared to
.Fn BN_is_prime_ex
and
.Fn BN_is_prime_fasttest_ex
respectively.
.Sh RETURN VALUES
.Fn BN_generate_prime_ex
returns 1 on success or 0 on error.
.Pp
.Fn BN_is_prime_ex ,
.Fn BN_is_prime_fasttest_ex ,
.Fn BN_is_prime ,
and
.Fn BN_is_prime_fasttest
return 0 if the number is composite, 1 if it is prime with an error
probability of less than
.Pf 0.25^ Fa nchecks ,
and -1 on error.
.Pp
.Fn BN_generate_prime
returns the prime number on success,
.Dv NULL
otherwise.
.Pp
.Fn BN_GENCB_new
returns a pointer to a
.Vt BN_GENCB
structure on success, or
.Dv NULL
otherwise.
.Pp
.Fn BN_GENCB_get_arg
returns the argument previously associated with a
.Vt BN_GENCB
structure.
.Pp
Callback functions should return 1 on success or 0 on error.
.Pp
The error codes can be obtained by
.Xr ERR_get_error 3 .
.Sh SEE ALSO
.Xr BN_new 3 ,
.Xr ERR_get_error 3 ,
.Xr RAND_bytes 3
.Sh HISTORY
.Fn BN_generate_prime
and
.Fn BN_is_prime
first appeared in SSLeay 0.5.1 and had their
.Fa cb_arg
argument added in SSLeay 0.9.0.
These two functions have been available since
.Ox 2.4 .
.Pp
The
.Fa ret
argument to
.Fn BN_generate_prime
was added in SSLeay 0.9.1 and
.Ox 2.6 .
.Pp
.Fn BN_is_prime_fasttest
first appeared in OpenSSL 0.9.5 and has been available since
.Ox 2.7 .
.Pp
.Fn BN_generate_prime_ex ,
.Fn BN_is_prime_ex ,
.Fn BN_is_prime_fasttest_ex ,
.Fn BN_GENCB_call ,
.Fn BN_GENCB_set_old ,
and
.Fn BN_GENCB_set
first appeared in OpenSSL 0.9.8 and have been available since
.Ox 4.5 .
.Pp
.Fn BN_GENCB_new ,
.Fn BN_GENCB_free ,
and
.Fn BN_GENCB_get_arg
first appeared in OpenSSL 1.1.0 and have been available since
.Ox 6.3 .