BN_generate_prime_ex, BN_is_prime_ex, BN_is_prime_fasttest_ex, BN_GENCB_call, BN_GENCB_new, BN_GENCB_free, BN_GENCB_set_old, BN_GENCB_set, BN_GENCB_get_arg, BN_generate_prime, BN_is_prime, BN_is_prime_fasttest − generate primes and test for primality

#include
<openssl/bn.h>

int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe,
const BIGNUM *add,

const BIGNUM *rem, BN_GENCB *cb);

int BN_is_prime_ex(const BIGNUM *p, int nchecks, BN_CTX
*ctx, BN_GENCB *cb);

int BN_is_prime_fasttest_ex(const BIGNUM *p, int nchecks,
BN_CTX *ctx,

int do_trial_division, BN_GENCB *cb);

int BN_GENCB_call(BN_GENCB *cb, int a, int b);

BN_GENCB *BN_GENCB_new(void);

void BN_GENCB_free(BN_GENCB *cb);

void BN_GENCB_set_old(BN_GENCB *gencb,

void (*callback)(int, int, void *), void *cb_arg);

void BN_GENCB_set(BN_GENCB *gencb,

int (*callback)(int, int, BN_GENCB *), void *cb_arg);

void *BN_GENCB_get_arg(BN_GENCB *cb);

Deprecated:

#if
OPENSSL_API_COMPAT < 0x00908000L

BIGNUM *BN_generate_prime(BIGNUM *ret, int num, int safe,
BIGNUM *add,

BIGNUM *rem, void (*callback)(int, int, void *),

void *cb_arg);

int BN_is_prime(const BIGNUM *a, int checks,

void (*callback)(int, int, void *), BN_CTX *ctx, void
*cb_arg);

int BN_is_prime_fasttest(const BIGNUM *a, int checks,

void (*callback)(int, int, void *), BN_CTX *ctx,

void *cb_arg, int do_trial_division);

#endif

**BN_generate_prime_ex()**
generates a pseudo-random prime number of at least bit
length **bits**. The returned number is probably prime
with a negligible error. If **add** is
**NULL** the returned prime number will
have exact bit length **bits** with the top most two bits
set.

If **ret**
is not **NULL** , it will be used to store
the number.

If **cb** is
not **NULL** , it is used as follows:

• |
| ||

• |
While the number is being tested for primality,
| ||

• |
When a prime has been found, | ||

• |
The callers of |

The prime may have to fulfill additional requirements for use in Diffie-Hellman key exchange:

If **add**
is not **NULL** , the prime will fulfill
the condition p % **add** == **rem** (p % **add**
== 1 if **rem** == **NULL** ) in order
to suit a given generator.

If **safe**
is true, it will be a safe prime (i.e. a prime p so that
(p−1)/2 is also prime). If **safe** is true, and
**rem** == **NULL** the condition will
be p % **add** == 3. It is recommended that **add** is
a multiple of 4.

The random
generator must be seeded prior to calling
**BN_generate_prime_ex()**. If the automatic seeding or
reseeding of the OpenSSL CSPRNG fails due to
external circumstances (see **RAND** (7)),
the operation will fail.

**BN_is_prime_ex()**
and **BN_is_prime_fasttest_ex()** test if the number
**p** is prime. The following tests are performed until
one of them shows that **p** is composite; if **p**
passes all these tests, it is considered prime.

**BN_is_prime_fasttest_ex()**,
when called with **do_trial_division == 1**, first
attempts trial division by a number of small primes; if no
divisors are found by this test and **cb** is not
**NULL** , **BN_GENCB_call(cb, 1,
−1)** is called. If **do_trial_division == 0**,
this test is skipped.

Both
**BN_is_prime_ex()** and **BN_is_prime_fasttest_ex()**
perform a Miller-Rabin probabilistic primality test with
**nchecks** iterations. If **nchecks ==
BN_prime_checks**, a number of iterations is used that
yields a false positive rate of at most 2^−64 for
random input. The error rate depends on the size of the
prime and goes down for bigger primes. The rate is
2^−80 starting at 308 bits, 2^−112 at 852 bits,
2^−128 at 1080 bits, 2^−192 at 3747 bits and
2^−256 at 6394 bits.

When the source
of the prime is not random or not trusted, the number of
checks needs to be much higher to reach the same level of
assurance: It should equal half of the targeted security
level in bits (rounded up to the next integer if necessary).
For instance, to reach the 128 bit security level,
**nchecks** should be set to 64.

If **cb** is
not **NULL** , **BN_GENCB_call(cb, 1,
j)** is called after the j−th iteration (j = 0, 1,
...). **ctx** is a preallocated
**BN_CTX** (to save the overhead of
allocating and freeing the structure in a loop), or
**NULL** .

**BN_GENCB_call()**
calls the callback function held in the
**BN_GENCB** structure and passes the ints
**a** and **b** as arguments. There are two types of
**BN_GENCB** structure that are supported:
"new" style and "old" style. New
programs should prefer the "new" style, whilst the
"old" style is provided for backwards
compatibility purposes.

A
**BN_GENCB** structure should be created
through a call to **BN_GENCB_new()**, and freed through a
call to **BN_GENCB_free()**.

For
"new" style callbacks a BN_GENCB
structure should be initialised with a call to
**BN_GENCB_set()**, where **gencb** is a
**BN_GENCB ***, **callback** is of type
**int (*callback)(int, int, BN_GENCB *)**
and **cb_arg** is a **void ***. "Old" style
callbacks are the same except they are initialised with a
call to **BN_GENCB_set_old()** and **callback** is of
type **void (*callback)(int, int, void *)**.

A callback is
invoked through a call to **BN_GENCB_call**. This will
check the type of the callback and will invoke
**callback(a, b, gencb)** for new style callbacks or
**callback(a, b, cb_arg)** for old style.

It is possible to obtain the argument associated with a BN_GENCB structure (set via a call to BN_GENCB_set or BN_GENCB_set_old) using BN_GENCB_get_arg.

**BN_generate_prime()**
(deprecated) works in the same way as
**BN_generate_prime_ex()** but expects an old-style
callback function directly in the **callback** parameter,
and an argument to pass to it in the **cb_arg**.
**BN_is_prime()** and **BN_is_prime_fasttest()** can
similarly be compared to **BN_is_prime_ex()** and
**BN_is_prime_fasttest_ex()**, respectively.

**BN_generate_prime_ex()**
return 1 on success or 0 on error.

**BN_is_prime_ex()**,
**BN_is_prime_fasttest_ex()**, **BN_is_prime()** and
**BN_is_prime_fasttest()** return 0 if the number is
composite, 1 if it is prime with an error probability of
less than 0.25^**nchecks**, and −1 on error.

**BN_generate_prime()**
returns the prime number on success,
**NULL** otherwise.

BN_GENCB_new
returns a pointer to a BN_GENCB structure on
success, or **NULL** otherwise.

BN_GENCB_get_arg returns the argument previously associated with a BN_GENCB structure.

Callback functions should return 1 on success or 0 on error.

The error codes
can be obtained by **ERR_get_error**(3).

As of OpenSSL 1.1.0 it is no longer possible to create a BN_GENCB structure directly, as in:

BN_GENCB callback;

Instead applications should create a BN_GENCB structure using BN_GENCB_new:

BN_GENCB
*callback;

callback = BN_GENCB_new();

if (!callback)

/* error */

...

BN_GENCB_free(callback);

**DH_generate_parameters**(3),
**DSA_generate_parameters**(3),
**RSA_generate_key**(3), **ERR_get_error**(3),
**RAND_bytes**(3), **RAND** (7)

The
**BN_GENCB_new()**, **BN_GENCB_free()**, and
**BN_GENCB_get_arg()** functions were added in OpenSSL
1.1.0.

Copyright 2000−2020 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <https://www.openssl.org/source/license.html>.