Merge OpenSSL 1.1.1g.

[FreeBSD/FreeBSD.git] / secure / lib / libcrypto / man / man3 / BN_generate_prime.3

.\" Automatically generated by Pod::Man 4.11 (Pod::Simple 3.40)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings.  \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
.    ds -- \(*W-
.    ds PI pi
.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
.    ds L" ""
.    ds R" ""
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds -- \|\(em\|
.    ds PI \(*p
.    ds L" ``
.    ds R" ''
.    ds C`
.    ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD.  Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
.    if \nF \{\
.        de IX
.        tm Index:\\$1\t\\n%\t"\\$2"
..
.        if !\nF==2 \{\
.            nr % 0
.            nr F 2
.        \}
.    \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
.    \" fudge factors for nroff and troff
.if n \{\
.    ds #H 0
.    ds #V .8m
.    ds #F .3m
.    ds #[ \f1
.    ds #] \fP
.\}
.if t \{\
.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
.    ds #V .6m
.    ds #F 0
.    ds #[ \&
.    ds #] \&
.\}
.    \" simple accents for nroff and troff
.if n \{\
.    ds ' \&
.    ds ` \&
.    ds ^ \&
.    ds , \&
.    ds ~ ~
.    ds /
.\}
.if t \{\
.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
.    \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
.    \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
.    \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
.    ds : e
.    ds 8 ss
.    ds o a
.    ds d- d\h'-1'\(ga
.    ds D- D\h'-1'\(hy
.    ds th \o'bp'
.    ds Th \o'LP'
.    ds ae ae
.    ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BN_GENERATE_PRIME 3"
.TH BN_GENERATE_PRIME 3 "2020-04-21" "1.1.1g" "OpenSSL"
.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
BN_generate_prime_ex, BN_is_prime_ex, BN_is_prime_fasttest_ex, BN_GENCB_call, BN_GENCB_new, BN_GENCB_free, BN_GENCB_set_old, BN_GENCB_set, BN_GENCB_get_arg, BN_generate_prime, BN_is_prime, BN_is_prime_fasttest \- generate primes and test for primality
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bn.h>
\&
\& int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe, const BIGNUM *add,
\&                          const BIGNUM *rem, BN_GENCB *cb);
\&
\& int BN_is_prime_ex(const BIGNUM *p, int nchecks, BN_CTX *ctx, BN_GENCB *cb);
\&
\& int BN_is_prime_fasttest_ex(const BIGNUM *p, int nchecks, BN_CTX *ctx,
\&                             int do_trial_division, BN_GENCB *cb);
\&
\& int BN_GENCB_call(BN_GENCB *cb, int a, int b);
\&
\& BN_GENCB *BN_GENCB_new(void);
\&
\& void BN_GENCB_free(BN_GENCB *cb);
\&
\& void BN_GENCB_set_old(BN_GENCB *gencb,
\&                       void (*callback)(int, int, void *), void *cb_arg);
\&
\& void BN_GENCB_set(BN_GENCB *gencb,
\&                   int (*callback)(int, int, BN_GENCB *), void *cb_arg);
\&
\& void *BN_GENCB_get_arg(BN_GENCB *cb);
.Ve
.PP
Deprecated:
.PP
.Vb 4
\& #if OPENSSL_API_COMPAT < 0x00908000L
\& BIGNUM *BN_generate_prime(BIGNUM *ret, int num, int safe, BIGNUM *add,
\&                           BIGNUM *rem, void (*callback)(int, int, void *),
\&                           void *cb_arg);
\&
\& int BN_is_prime(const BIGNUM *a, int checks,
\&                 void (*callback)(int, int, void *), BN_CTX *ctx, void *cb_arg);
\&
\& int BN_is_prime_fasttest(const BIGNUM *a, int checks,
\&                          void (*callback)(int, int, void *), BN_CTX *ctx,
\&                          void *cb_arg, int do_trial_division);
\& #endif
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBBN_generate_prime_ex()\fR generates a pseudo-random prime number of
at least bit length \fBbits\fR. The returned number is probably prime
with a negligible error. If \fBadd\fR is \fB\s-1NULL\s0\fR the returned prime
number will have exact bit length \fBbits\fR with the top most two
bits set.
.PP
If \fBret\fR is not \fB\s-1NULL\s0\fR, it will be used to store the number.
.PP
If \fBcb\fR is not \fB\s-1NULL\s0\fR, it is used as follows:
.IP "\(bu" 2
\&\fBBN_GENCB_call(cb, 0, i)\fR is called after generating the i\-th
potential prime number.
.IP "\(bu" 2
While the number is being tested for primality,
\&\fBBN_GENCB_call(cb, 1, j)\fR is called as described below.
.IP "\(bu" 2
When a prime has been found, \fBBN_GENCB_call(cb, 2, i)\fR is called.
.IP "\(bu" 2
The callers of \fBBN_generate_prime_ex()\fR may call \fBBN_GENCB_call(cb, i, j)\fR with
other values as described in their respective man pages; see \*(L"\s-1SEE ALSO\*(R"\s0.
.PP
The prime may have to fulfill additional requirements for use in
Diffie-Hellman key exchange:
.PP
If \fBadd\fR is not \fB\s-1NULL\s0\fR, the prime will fulfill the condition p % \fBadd\fR
== \fBrem\fR (p % \fBadd\fR == 1 if \fBrem\fR == \fB\s-1NULL\s0\fR) in order to suit a given
generator.
.PP
If \fBsafe\fR is true, it will be a safe prime (i.e. a prime p so
that (p\-1)/2 is also prime). If \fBsafe\fR is true, and \fBrem\fR == \fB\s-1NULL\s0\fR
the condition will be p % \fBadd\fR == 3.
It is recommended that \fBadd\fR is a multiple of 4.
.PP
The random generator must be seeded prior to calling \fBBN_generate_prime_ex()\fR.
If the automatic seeding or reseeding of the OpenSSL \s-1CSPRNG\s0 fails due to
external circumstances (see \s-1\fBRAND\s0\fR\|(7)), the operation will fail.
.PP
\&\fBBN_is_prime_ex()\fR and \fBBN_is_prime_fasttest_ex()\fR test if the number \fBp\fR is
prime.  The following tests are performed until one of them shows that
\&\fBp\fR is composite; if \fBp\fR passes all these tests, it is considered
prime.
.PP
\&\fBBN_is_prime_fasttest_ex()\fR, when called with \fBdo_trial_division == 1\fR,
first attempts trial division by a number of small primes;
if no divisors are found by this test and \fBcb\fR is not \fB\s-1NULL\s0\fR,
\&\fBBN_GENCB_call(cb, 1, \-1)\fR is called.
If \fBdo_trial_division == 0\fR, this test is skipped.
.PP
Both \fBBN_is_prime_ex()\fR and \fBBN_is_prime_fasttest_ex()\fR perform a Miller-Rabin
probabilistic primality test with \fBnchecks\fR iterations. If
\&\fBnchecks == BN_prime_checks\fR, a number of iterations is used that
yields a false positive rate of at most 2^\-64 for random input.
The error rate depends on the size of the prime and goes down for bigger primes.
The rate is 2^\-80 starting at 308 bits, 2^\-112 at 852 bits, 2^\-128 at 1080 bits,
2^\-192 at 3747 bits and 2^\-256 at 6394 bits.
.PP
When the source of the prime is not random or not trusted, the number
of checks needs to be much higher to reach the same level of assurance:
It should equal half of the targeted security level in bits (rounded up to the
next integer if necessary).
For instance, to reach the 128 bit security level, \fBnchecks\fR should be set to
64.
.PP
If \fBcb\fR is not \fB\s-1NULL\s0\fR, \fBBN_GENCB_call(cb, 1, j)\fR is called
after the j\-th iteration (j = 0, 1, ...). \fBctx\fR is a
pre-allocated \fB\s-1BN_CTX\s0\fR (to save the overhead of allocating and
freeing the structure in a loop), or \fB\s-1NULL\s0\fR.
.PP
\&\fBBN_GENCB_call()\fR calls the callback function held in the \fB\s-1BN_GENCB\s0\fR structure
and passes the ints \fBa\fR and \fBb\fR as arguments. There are two types of
\&\fB\s-1BN_GENCB\s0\fR structure that are supported: \*(L"new\*(R" style and \*(L"old\*(R" style. New
programs should prefer the \*(L"new\*(R" style, whilst the \*(L"old\*(R" style is provided
for backwards compatibility purposes.
.PP
A \fB\s-1BN_GENCB\s0\fR structure should be created through a call to \fBBN_GENCB_new()\fR,
and freed through a call to \fBBN_GENCB_free()\fR.
.PP
For \*(L"new\*(R" style callbacks a \s-1BN_GENCB\s0 structure should be initialised with a
call to \fBBN_GENCB_set()\fR, where \fBgencb\fR is a \fB\s-1BN_GENCB\s0 *\fR, \fBcallback\fR is of
type \fBint (*callback)(int, int, \s-1BN_GENCB\s0 *)\fR and \fBcb_arg\fR is a \fBvoid *\fR.
\&\*(L"Old\*(R" style callbacks are the same except they are initialised with a call
to \fBBN_GENCB_set_old()\fR and \fBcallback\fR is of type
\&\fBvoid (*callback)(int, int, void *)\fR.
.PP
A callback is invoked through a call to \fBBN_GENCB_call\fR. This will check
the type of the callback and will invoke \fBcallback(a, b, gencb)\fR for new
style callbacks or \fBcallback(a, b, cb_arg)\fR for old style.
.PP
It is possible to obtain the argument associated with a \s-1BN_GENCB\s0 structure
(set via a call to BN_GENCB_set or BN_GENCB_set_old) using BN_GENCB_get_arg.
.PP
\&\fBBN_generate_prime()\fR (deprecated) works in the same way as
\&\fBBN_generate_prime_ex()\fR but expects an old-style callback function
directly in the \fBcallback\fR parameter, and an argument to pass to it in
the \fBcb_arg\fR. \fBBN_is_prime()\fR and \fBBN_is_prime_fasttest()\fR
can similarly be compared to \fBBN_is_prime_ex()\fR and
\&\fBBN_is_prime_fasttest_ex()\fR, respectively.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBBN_generate_prime_ex()\fR return 1 on success or 0 on error.
.PP
\&\fBBN_is_prime_ex()\fR, \fBBN_is_prime_fasttest_ex()\fR, \fBBN_is_prime()\fR and
\&\fBBN_is_prime_fasttest()\fR return 0 if the number is composite, 1 if it is
prime with an error probability of less than 0.25^\fBnchecks\fR, and
\&\-1 on error.
.PP
\&\fBBN_generate_prime()\fR returns the prime number on success, \fB\s-1NULL\s0\fR otherwise.
.PP
BN_GENCB_new returns a pointer to a \s-1BN_GENCB\s0 structure on success, or \fB\s-1NULL\s0\fR
otherwise.
.PP
BN_GENCB_get_arg returns the argument previously associated with a \s-1BN_GENCB\s0
structure.
.PP
Callback functions should return 1 on success or 0 on error.
.PP
The error codes can be obtained by \fBERR_get_error\fR\|(3).
.SH "REMOVED FUNCTIONALITY"
.IX Header "REMOVED FUNCTIONALITY"
As of OpenSSL 1.1.0 it is no longer possible to create a \s-1BN_GENCB\s0 structure
directly, as in:
.PP
.Vb 1
\& BN_GENCB callback;
.Ve
.PP
Instead applications should create a \s-1BN_GENCB\s0 structure using BN_GENCB_new:
.PP
.Vb 6
\& BN_GENCB *callback;
\& callback = BN_GENCB_new();
\& if (!callback)
\&     /* error */
\& ...
\& BN_GENCB_free(callback);
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBDH_generate_parameters\fR\|(3), \fBDSA_generate_parameters\fR\|(3),
\&\fBRSA_generate_key\fR\|(3), \fBERR_get_error\fR\|(3), \fBRAND_bytes\fR\|(3),
\&\s-1\fBRAND\s0\fR\|(7)
.SH "HISTORY"
.IX Header "HISTORY"
The \fBBN_GENCB_new()\fR, \fBBN_GENCB_free()\fR,
and \fBBN_GENCB_get_arg()\fR functions were added in OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.