Prime Number Testing

1. Fixed variable name typo in DH for the FFDHE 8192-bit q value. 2. Updated some error strings in wolfSSL_BN_is_prime_ex(). 3. Changed the calls to mp_prime_is_prime_ex() in fp_randprime() and mp_randprime() so they go back to the 8 rounds of MR, which is more than adequate in this situation.
2025-07-29 18:27:29 +02:00 · 2018-07-11 16:24:41 -07:00
parent 0e06f6413d
commit 5908230d20
4 changed files with 13 additions and 9 deletions
--- a/src/ssl.c
+++ b/src/ssl.c
@ -22566,7 +22566,7 @@ int wolfSSL_BN_is_prime_ex(const WOLFSSL_BIGNUM *bn, int nbchecks,
    if (rng) {
        if (mp_prime_is_prime_ex((mp_int*)bn->internal,
                                 nbchecks, &res, rng) != MP_OKAY) {
-            WOLFSSL_MSG("mp_prime_is_prime error");
+            WOLFSSL_MSG("mp_prime_is_prime_ex error");
            res = MP_NO;
        }
    }
@ -22579,7 +22579,7 @@ int wolfSSL_BN_is_prime_ex(const WOLFSSL_BIGNUM *bn, int nbchecks,
 #endif

    if (res != MP_YES) {
-        WOLFSSL_MSG("mp_prime_is_prime not prime");
+        WOLFSSL_MSG("mp_prime_is_prime_ex not prime");
        return WOLFSSL_FAILURE;
    }

--- a/wolfcrypt/src/dh.c
+++ b/wolfcrypt/src/dh.c
@ -765,7 +765,7 @@ static const byte dh_ffdhe8192_p[] = {
 };
 static const byte dh_ffdhe8192_g[] = { 0x02 };
 #ifdef HAVE_FFDHE_Q
-static const byte dh_ffdhe8192_g[] = {
+static const byte dh_ffdhe8192_q[] = {
    0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
    0xD6, 0xFC, 0x2A, 0x2C, 0x51, 0x5D, 0xA5, 0x4D,
    0x57, 0xEE, 0x2B, 0x10, 0x13, 0x9E, 0x9E, 0x78,
--- a/wolfcrypt/src/integer.c
+++ b/wolfcrypt/src/integer.c
@ -4529,9 +4529,11 @@ int mp_rand_prime(mp_int* N, int len, WC_RNG* rng, void* heap)
        }

        /* test */
-        /* Running Miller-Rabin up to 40 times gives us a 2^{-80} chance
-         * of a candidate being a false positive. */
-        if ((err = mp_prime_is_prime_ex(N, 40, &res, rng)) != MP_OKAY) {
+        /* Running Miller-Rabin up to 3 times gives us a 2^{-80} chance
+         * of a 1024-bit candidate being a false positive, when it is our
+         * prime candidate. (Note 4.49 of Handbook of Applied Cryptography.)
+         * Using 8 because we've always used 8. */
+        if ((err = mp_prime_is_prime_ex(N, 8, &res, rng)) != MP_OKAY) {
            XFREE(buf, heap, DYNAMIC_TYPE_RSA);
            return err;
        }
--- a/wolfcrypt/src/tfm.c
+++ b/wolfcrypt/src/tfm.c
@ -3067,9 +3067,11 @@ int fp_randprime(fp_int* N, int len, WC_RNG* rng, void* heap)
        fp_read_unsigned_bin(N, buf, len);

        /* test */
-        /* Running Miller-Rabin up to 40 times gives us a 2^{-80} chance
-         * of a candidate being a false positive. */
-        mp_prime_is_prime_ex(N, 40, &isPrime, rng);
+        /* Running Miller-Rabin up to 3 times gives us a 2^{-80} chance
+         * of a 1024-bit candidate being a false positive, when it is our
+         * prime candidate. (Note 4.49 of Handbook of Applied Cryptography.)
+         * Using 8 because we've always used 8 */
+        mp_prime_is_prime_ex(N, 8, &isPrime, rng);
    } while (isPrime == FP_NO);

    XMEMSET(buf, 0, len);