Small prime generation.

Ensure that, when generating small primes, the result is actually of the
requested size. Fixes OpenSSL #2701.

This change does not address the cases of generating safe primes, or
where the |add| parameter is non-NULL.
This commit is contained in:
Adam Langley 2014-06-20 12:00:00 -07:00
parent 61bb3ddfab
commit 27ae9ed774
4 changed files with 93 additions and 11 deletions

View File

@ -780,6 +780,7 @@ unsigned BN_num_bits_word(BN_ULONG l);
#define BN_F_BN_CTX_new 120
#define BN_F_BN_mod_inverse_no_branch 121
#define BN_F_BN_generate_dsa_nonce 122
#define BN_F_BN_generate_prime_ex 123
#define BN_R_NOT_A_SQUARE 100
#define BN_R_TOO_MANY_ITERATIONS 101
#define BN_R_INPUT_NOT_REDUCED 102
@ -795,5 +796,6 @@ unsigned BN_num_bits_word(BN_ULONG l);
#define BN_R_ARG2_LT_ARG3 112
#define BN_R_BIGNUM_TOO_LONG 113
#define BN_R_PRIVATE_KEY_TOO_LARGE 114
#define BN_R_BITS_TOO_SMALL 115
#endif /* OPENSSL_HEADER_BN_H */

View File

@ -26,6 +26,7 @@ const ERR_STRING_DATA BN_error_string_data[] = {
{ERR_PACK(ERR_LIB_BN, BN_F_BN_div_recp, 0), "BN_div_recp"},
{ERR_PACK(ERR_LIB_BN, BN_F_BN_exp, 0), "BN_exp"},
{ERR_PACK(ERR_LIB_BN, BN_F_BN_generate_dsa_nonce, 0), "BN_generate_dsa_nonce"},
{ERR_PACK(ERR_LIB_BN, BN_F_BN_generate_prime_ex, 0), "BN_generate_prime_ex"},
{ERR_PACK(ERR_LIB_BN, BN_F_BN_mod_exp2_mont, 0), "BN_mod_exp2_mont"},
{ERR_PACK(ERR_LIB_BN, BN_F_BN_mod_exp_mont, 0), "BN_mod_exp_mont"},
{ERR_PACK(ERR_LIB_BN, BN_F_BN_mod_exp_mont_consttime, 0), "BN_mod_exp_mont_consttime"},
@ -43,6 +44,7 @@ const ERR_STRING_DATA BN_error_string_data[] = {
{ERR_PACK(ERR_LIB_BN, 0, BN_R_ARG2_LT_ARG3), "ARG2_LT_ARG3"},
{ERR_PACK(ERR_LIB_BN, 0, BN_R_BAD_RECIPROCAL), "BAD_RECIPROCAL"},
{ERR_PACK(ERR_LIB_BN, 0, BN_R_BIGNUM_TOO_LONG), "BIGNUM_TOO_LONG"},
{ERR_PACK(ERR_LIB_BN, 0, BN_R_BITS_TOO_SMALL), "BITS_TOO_SMALL"},
{ERR_PACK(ERR_LIB_BN, 0, BN_R_CALLED_WITH_EVEN_MODULUS), "CALLED_WITH_EVEN_MODULUS"},
{ERR_PACK(ERR_LIB_BN, 0, BN_R_DIV_BY_ZERO), "DIV_BY_ZERO"},
{ERR_PACK(ERR_LIB_BN, 0, BN_R_EXPAND_ON_STATIC_BIGNUM_DATA), "EXPAND_ON_STATIC_BIGNUM_DATA"},

View File

@ -99,6 +99,7 @@ int test_mod_exp_mont_consttime(BIO *bp, BN_CTX *ctx);
int test_exp(BIO *bp, BN_CTX *ctx);
int test_mod_sqrt(BIO *bp, BN_CTX *ctx);
static int test_exp_mod_zero();
int test_small_prime(BIO *bp,BN_CTX *ctx);
int test_mod_exp_mont5(BIO *bp, BN_CTX *ctx);
#if 0
int test_gf2m_add(BIO *bp);
@ -263,6 +264,11 @@ int main(int argc, char *argv[]) {
goto err;
(void)BIO_flush(out);
message(out, "Small prime generation");
if (!test_small_prime(out, ctx))
goto err;
(void)BIO_flush(out);
BN_CTX_free(ctx);
BIO_free(out);
@ -1261,3 +1267,25 @@ err:
BN_free(r);
return ret;
}
int test_small_prime(BIO *bp, BN_CTX *ctx) {
static const int bits = 10;
int ret = 0;
BIGNUM r;
BN_init(&r);
if (!BN_generate_prime_ex(&r, bits, 0, NULL, NULL, NULL)) {
goto err;
}
if (BN_num_bits(&r) != bits) {
BIO_printf(bp, "Expected %d bit prime, got %d bit number\n", bits,
BN_num_bits(&r));
goto err;
}
ret = 1;
err:
BN_free(&r);
return ret;
}

View File

@ -173,6 +173,16 @@ int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe, const BIGNUM *add,
BN_CTX *ctx;
int checks = BN_prime_checks_for_size(bits);
if (bits < 2) {
/* There are no prime numbers this small. */
OPENSSL_PUT_ERROR(BN, BN_generate_prime_ex, BN_R_BITS_TOO_SMALL);
return 0;
} else if (bits == 2 && safe) {
/* The smallest safe prime (7) is three bits. */
OPENSSL_PUT_ERROR(BN, BN_generate_prime_ex, BN_R_BITS_TOO_SMALL);
return 0;
}
ctx = BN_CTX_new();
if (ctx == NULL) {
goto err;
@ -436,39 +446,79 @@ static int witness(BIGNUM *w, const BIGNUM *a, const BIGNUM *a1,
return 1;
}
static BN_ULONG get_word(const BIGNUM *bn) {
if (bn->top == 1) {
return bn->d[0];
}
return 0;
}
static int probable_prime(BIGNUM *rnd, int bits) {
int i;
uint16_t mods[NUMPRIMES];
BN_ULONG delta, maxdelta;
BN_ULONG delta;
BN_ULONG maxdelta = BN_MASK2 - primes[NUMPRIMES - 1];
char is_single_word = bits <= BN_BITS2;
again:
if (!BN_rand(rnd, bits, 1, 1)) {
return 0;
}
/* we now have a random number 'rand' to test. */
/* we now have a random number 'rnd' to test. */
for (i = 1; i < NUMPRIMES; i++) {
mods[i] = (uint16_t)BN_mod_word(rnd, (BN_ULONG)primes[i]);
}
maxdelta = BN_MASK2 - primes[NUMPRIMES - 1];
/* If bits is so small that it fits into a single word then we
* additionally don't want to exceed that many bits. */
if (is_single_word) {
BN_ULONG size_limit = (((BN_ULONG)1) << bits) - get_word(rnd) - 1;
if (size_limit < maxdelta) {
maxdelta = size_limit;
}
}
delta = 0;
loop:
if (is_single_word) {
BN_ULONG rnd_word = get_word(rnd);
/* In the case that the candidate prime is a single word then
* we check that:
* 1) It's greater than primes[i] because we shouldn't reject
* 3 as being a prime number because it's a multiple of
* three.
* 2) That it's not a multiple of a known prime. We don't
* check that rnd-1 is also coprime to all the known
* primes because there aren't many small primes where
* that's true. */
for (i = 1; i < NUMPRIMES && primes[i] < rnd_word; i++) {
if ((mods[i] + delta) % primes[i] == 0) {
delta += 2;
if (delta > maxdelta)
goto again;
goto loop;
}
}
} else {
for (i = 1; i < NUMPRIMES; i++) {
/* check that rnd is not a prime and also
* that gcd(rnd-1,primes) == 1 (except for 2) */
if (((mods[i] + delta) % primes[i]) <= 1) {
delta += 2;
if (delta > maxdelta) {
if (delta > maxdelta)
goto again;
}
goto loop;
}
}
}
if (!BN_add_word(rnd, delta)) {
return 0;
}
if (BN_num_bits(rnd) != bits) {
goto again;
}
return 1;
}