|BN_GENERATE_PRIME(3)||Library Functions Manual||BN_GENERATE_PRIME(3)|
generate primes and test for primality
*ret, int bits, int safe,
const BIGNUM *add, const BIGNUM
*rem, BN_GENCB *cb);
BN_is_prime_ex(const BIGNUM *p,
int nchecks, BN_CTX *ctx,
*p, int nchecks, BN_CTX
*ctx, int do_trial_division,
int a, int b);
*gencb, void (*callback)(int, int, void *),
int (*callback)(int, int, BN_GENCB *),
int num, int safe,
BIGNUM *add, BIGNUM *rem,
void (*callback)(int, int, void *),
BN_is_prime(const BIGNUM *a,
int checks, void (*callback)(int, int,
void *), BN_CTX *ctx, void
*a, int checks, void
(*callback)(int, int, void *), BN_CTX *ctx,
void *cb_arg, int
generates a pseudo-random prime number of at least bit length
bits. The returned number is probably prime, but there
is a very small probability of returning a non-prime number. If
ret is not
NULL, it will be
used to store the number.
If cb is not
it is used as follows:
BN_GENCB_call(cb, 0, i) is called after generating the i-th potential prime number.
BN_GENCB_call(cb, 1, j) is called as described below.
BN_GENCB_call(cb, 2, i) is called.
BN_generate_prime_ex() may call
BN_GENCB_call() with other values as described in their respective manual pages; see SEE ALSO.
The prime may have to fulfill additional requirements for use in Diffie-Hellman key exchange:
If add is not
the prime will fulfill the condition p % add ==
rem (p % add == 1 if
NULL) in order to suit
a given generator.
If safe is true, it will be a safe prime (i.e. a prime p so that (p-1)/2 is also prime).
BN_is_prime_fasttest_ex() test if the number
p is prime. The following tests are performed until
one of them shows that p is composite; if
p passes all these tests, it is considered prime.
when called with do_trial_division == 1, first
attempts trial division by a number of small primes; if no divisors are
found by this test and cb is not
1, -1) is called. If do_trial_division == 0,
this test is skipped.
BN_is_prime_fasttest_ex() perform a Miller-Rabin
probabilistic primality test with nchecks iterations.
If nchecks ==
a number of iterations is used that yields a false positive rate of at most
2^-64 for random input. The error rate depends on the size of the prime and
goes down for bigger primes. The rate is 2^-80 starting at 308 bits, 2^-112
at 852 bits, 2^-128 at 1080 bits, 2^-192 at 3747 bits and 2^-256 at 6394
When the source of the prime is not random or not trusted, the number of checks needs to be much higher to reach the same level of assurance: It should equal half of the targeted security level in bits (rounded up to the next integer if necessary). For instance, to reach the 128-bit security level, nchecks should be set to 64.
If cb is not
BN_GENCB_call cb 1 j is called after the j-th
iteration (j = 0, 1, ...). ctx is a pre-allocated
BN_CTX (to save the overhead of allocating and freeing
the structure in a loop), or
calls the callback function held in the BN_GENCB
structure and passes the ints a and
b as arguments. There are two types of
BN_GENCB structures that are supported:
"new" style and "old" style. New programs should prefer
the "new" style, whilst the "old" style is provided for
backwards compatibility purposes.
For "new" style callbacks a
BN_GENCB structure should be initialised with a call
where gencb is a BN_GENCB *,
callback is of type int
(*callback)(int, int, BN_GENCB *) and cb_arg is
a void *. "Old" style callbacks are the same
except they are initialised with a call to
and callback is of type void
(*callback)(int, int, void *).
A callback is invoked through a call to
This will check the type of the callback and will invoke
b, gencb) for new style
b, cb_arg) for old style.
(deprecated) works in the same way as
BN_generate_prime_ex() but expects an old style
callback function directly in the callback parameter,
and an argument to pass to it in the cb_arg. Similarly
are deprecated and can be compared to
BN_generate_prime_ex() returns 1 on
success or 0 on error.
BN_is_prime_fasttest() return 0 if the number is
composite, 1 if it is prime with an error probability of less than
0.25^nchecks, and -1 on error.
BN_generate_prime() returns the prime
number on success,
BN_GENCB_new() returns a pointer to a
BN_GENCB structure on success, or
BN_GENCB_get_arg() returns the argument
previously associated with a BN_GENCB structure.
Callback functions should return 1 on success or 0 on error.
The error codes can be obtained by ERR_get_error(3).
BN_is_prime() first appeared in SSLeay 0.5.1 and had
their cb_arg argument added in SSLeay 0.9.0. These two
functions have been available since OpenBSD 2.4.
The ret argument to
BN_generate_prime() was added in SSLeay 0.9.1 and
BN_is_prime_fasttest() first appeared in
OpenSSL 0.9.5 and has been available since OpenBSD
BN_GENCB_set() first appeared in OpenSSL 0.9.8 and
have been available since OpenBSD 4.5.
BN_GENCB_get_arg() first appeared in OpenSSL 1.1.0
and have been available since OpenBSD 6.3.
|June 24, 2020||OpenBSD-current|