Prime Number Testing

1. Fixed variable name typo in DH for the FFDHE 8192-bit q value.
2. Updated some error strings in wolfSSL_BN_is_prime_ex().
3. Changed the calls to mp_prime_is_prime_ex() in fp_randprime() and
mp_randprime() so they go back to the 8 rounds of MR, which is more than
adequate in this situation.

src/ssl.c

@@ -22566,7 +22566,7 @@ int wolfSSL_BN_is_prime_ex(const WOLFSSL_BIGNUM *bn, int nbchecks,
     if (rng) {
         if (mp_prime_is_prime_ex((mp_int*)bn->internal,
                                  nbchecks, &res, rng) != MP_OKAY) {
-            WOLFSSL_MSG("mp_prime_is_prime error");
+            WOLFSSL_MSG("mp_prime_is_prime_ex error");
             res = MP_NO;
         }
     }
@@ -22579,7 +22579,7 @@ int wolfSSL_BN_is_prime_ex(const WOLFSSL_BIGNUM *bn, int nbchecks,
 #endif
 
     if (res != MP_YES) {
-        WOLFSSL_MSG("mp_prime_is_prime not prime");
+        WOLFSSL_MSG("mp_prime_is_prime_ex not prime");
         return WOLFSSL_FAILURE;
     }
 

wolfcrypt/src/dh.c

@@ -765,7 +765,7 @@ static const byte dh_ffdhe8192_p[] = {
 };
 static const byte dh_ffdhe8192_g[] = { 0x02 };
 #ifdef HAVE_FFDHE_Q
-static const byte dh_ffdhe8192_g[] = {
+static const byte dh_ffdhe8192_q[] = {
     0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
     0xD6, 0xFC, 0x2A, 0x2C, 0x51, 0x5D, 0xA5, 0x4D,
     0x57, 0xEE, 0x2B, 0x10, 0x13, 0x9E, 0x9E, 0x78,

wolfcrypt/src/integer.c

@@ -4529,9 +4529,11 @@ int mp_rand_prime(mp_int* N, int len, WC_RNG* rng, void* heap)
         }
 
         /* test */
-        /* Running Miller-Rabin up to 40 times gives us a 2^{-80} chance
-         * of a candidate being a false positive. */
-        if ((err = mp_prime_is_prime_ex(N, 40, &res, rng)) != MP_OKAY) {
+        /* Running Miller-Rabin up to 3 times gives us a 2^{-80} chance
+         * of a 1024-bit candidate being a false positive, when it is our
+         * prime candidate. (Note 4.49 of Handbook of Applied Cryptography.)
+         * Using 8 because we've always used 8. */
+        if ((err = mp_prime_is_prime_ex(N, 8, &res, rng)) != MP_OKAY) {
             XFREE(buf, heap, DYNAMIC_TYPE_RSA);
             return err;
         }

wolfcrypt/src/tfm.c

@@ -3067,9 +3067,11 @@ int fp_randprime(fp_int* N, int len, WC_RNG* rng, void* heap)
         fp_read_unsigned_bin(N, buf, len);
 
         /* test */
-        /* Running Miller-Rabin up to 40 times gives us a 2^{-80} chance
-         * of a candidate being a false positive. */
-        mp_prime_is_prime_ex(N, 40, &isPrime, rng);
+        /* Running Miller-Rabin up to 3 times gives us a 2^{-80} chance
+         * of a 1024-bit candidate being a false positive, when it is our
+         * prime candidate. (Note 4.49 of Handbook of Applied Cryptography.)
+         * Using 8 because we've always used 8 */
+        mp_prime_is_prime_ex(N, 8, &isPrime, rng);
     } while (isPrime == FP_NO);
 
     XMEMSET(buf, 0, len);