OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2 if you are using the ssl26 packages for ssh and other things to work you will need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs
author: beck <> 2000-03-19 11:13:58 +0000
committer: beck <> 2000-03-19 11:13:58 +0000
commit: 796d609550df3a33fc11468741c5d2f6d3df4c11 (patch)
tree: 6c6d539061caa20372dad0ac4ddb1dfae2fbe7fe /src/lib/libcrypto/dsa/dsa_gen.c
parent: 5be3114c1fd7e0dfea1e38d3abb4cbba75244419 (diff)
download: openbsd-796d609550df3a33fc11468741c5d2f6d3df4c11.tar.gz
openbsd-796d609550df3a33fc11468741c5d2f6d3df4c11.tar.bz2
openbsd-796d609550df3a33fc11468741c5d2f6d3df4c11.zip
1 files changed, 66 insertions, 105 deletions
diff --git a/src/lib/libcrypto/dsa/dsa_gen.c b/src/lib/libcrypto/dsa/dsa_gen.c
index b5e5ec06e5..2294a362d9 100644
--- a/src/lib/libcrypto/dsa/dsa_gen.c
+++ b/src/lib/libcrypto/dsa/dsa_gen.c
@@ -59,12 +59,18 @@
 #undef GENUINE_DSA
 #ifdef GENUINE_DSA
+/* Parameter generation follows the original release of FIPS PUB 186,
+ * Appendix 2.2 (i.e. use SHA as defined in FIPS PUB 180) */
 #define HASH    SHA
 #else
+/* Parameter generation follows the updated Appendix 2.2 for FIPS PUB 186,
+ * also Appendix 2.2 of FIPS PUB 186-1 (i.e. use SHA as defined in
+ * FIPS PUB 180-1) */
 #define HASH    SHA1
 #endif 
 #ifndef NO_SHA
 #include <stdio.h>
 #include <time.h>
 #include "cryptlib.h"
@@ -74,8 +80,9 @@
 #include <openssl/rand.h>
 DSA *DSA_generate_parameters(int bits, unsigned char *seed_in, int seed_len,
-             int *counter_ret, unsigned long *h_ret, void (*callback)(),
+                int *counter_ret, unsigned long *h_ret,
-             char *cb_arg)
+                void (*callback)(int, int, void *),
+                void *cb_arg)
        {
        int ok=0;
        unsigned char seed[SHA_DIGEST_LENGTH];
@@ -86,47 +93,63 @@ DSA *DSA_generate_parameters(int bits, unsigned char *seed_in, int seed_len,
        BN_MONT_CTX *mont=NULL;
        int k,n=0,i,b,m=0;
        int counter=0;
-        BN_CTX *ctx=NULL,*ctx2=NULL;
+        int r=0;
+        BN_CTX *ctx=NULL,*ctx2=NULL,*ctx3=NULL;
        unsigned int h=2;
        DSA *ret=NULL;
        if (bits < 512) bits=512;
        bits=(bits+63)/64*64;
+        if (seed_len < 20)
+                seed_in = NULL; /* seed buffer too small -- ignore */
+        if (seed_len > 20) 
+                seed_len = 20; /* App. 2.2 of FIPS PUB 186 allows larger SEED,
+                                * but our internal buffers are restricted to 160 bits*/
        if ((seed_in != NULL) && (seed_len == 20))
                memcpy(seed,seed_in,seed_len);
        if ((ctx=BN_CTX_new()) == NULL) goto err;
        if ((ctx2=BN_CTX_new()) == NULL) goto err;
+        if ((ctx3=BN_CTX_new()) == NULL) goto err;
        if ((ret=DSA_new()) == NULL) goto err;
        if ((mont=BN_MONT_CTX_new()) == NULL) goto err;
-        r0= &(ctx2->bn[0]);
+        BN_CTX_start(ctx2);
-        g= &(ctx2->bn[1]);
+        r0 = BN_CTX_get(ctx2);
-        W= &(ctx2->bn[2]);
+        g = BN_CTX_get(ctx2);
-        q= &(ctx2->bn[3]);
+        W = BN_CTX_get(ctx2);
-        X= &(ctx2->bn[4]);
+        q = BN_CTX_get(ctx2);
-        c= &(ctx2->bn[5]);
+        X = BN_CTX_get(ctx2);
-        p= &(ctx2->bn[6]);
+        c = BN_CTX_get(ctx2);
-        test= &(ctx2->bn[7]);
+        p = BN_CTX_get(ctx2);
+        test = BN_CTX_get(ctx2);
        BN_lshift(test,BN_value_one(),bits-1);
        for (;;)
                {
-                for (;;)
+                for (;;) /* find q */
                        {
+                        int seed_is_random;
                        /* step 1 */
                        if (callback != NULL) callback(0,m++,cb_arg);
                        if (!seed_len)
-                                RAND_bytes(seed,SHA_DIGEST_LENGTH);
+                                {
+                                RAND_pseudo_bytes(seed,SHA_DIGEST_LENGTH);
+                                seed_is_random = 1;
+                                }
                        else
-                                seed_len=0;
+                                {
+                                seed_is_random = 0;
+                                seed_len=0; /* use random seed if 'seed_in' turns out to be bad*/
+                                }
                        memcpy(buf,seed,SHA_DIGEST_LENGTH);
                        memcpy(buf2,seed,SHA_DIGEST_LENGTH);
+                        /* precompute "SEED + 1" for step 7: */
                        for (i=SHA_DIGEST_LENGTH-1; i >= 0; i--)
                                {
                                buf[i]++;
@@ -142,10 +165,15 @@ DSA *DSA_generate_parameters(int bits, unsigned char *seed_in, int seed_len,
                        /* step 3 */
                        md[0]|=0x80;
                        md[SHA_DIGEST_LENGTH-1]|=0x01;
-                        if (!BN_bin2bn(md,SHA_DIGEST_LENGTH,q)) abort();
+                        if (!BN_bin2bn(md,SHA_DIGEST_LENGTH,q)) goto err;
                        /* step 4 */
-                        if (DSA_is_prime(q,callback,cb_arg) > 0) break;
+                        r = BN_is_prime_fasttest(q, DSS_prime_checks, callback, ctx3, cb_arg, seed_is_random);
+                        if (r > 0)
+                                break;
+                        if (r != 0)
+                                goto err;
                        /* do a callback call */
                        /* step 5 */
                        }
@@ -155,16 +183,22 @@ DSA *DSA_generate_parameters(int bits, unsigned char *seed_in, int seed_len,
                /* step 6 */
                counter=0;
+                /* "offset = 2" */
                n=(bits-1)/160;
                b=(bits-1)-n*160;
                for (;;)
                        {
+                        if (callback != NULL && counter != 0)
+                                callback(0,counter,cb_arg);
                        /* step 7 */
                        BN_zero(W);
+                        /* now 'buf' contains "SEED + offset - 1" */
                        for (k=0; k<=n; k++)
                                {
+                                /* obtain "SEED + offset + k" by incrementing: */
                                for (i=SHA_DIGEST_LENGTH-1; i >= 0; i--)
                                        {
                                        buf[i]++;
@@ -174,7 +208,8 @@ DSA *DSA_generate_parameters(int bits, unsigned char *seed_in, int seed_len,
                                HASH(buf,SHA_DIGEST_LENGTH,md);
                                /* step 8 */
-                                if (!BN_bin2bn(md,SHA_DIGEST_LENGTH,r0)) abort();
+                                if (!BN_bin2bn(md,SHA_DIGEST_LENGTH,r0))
+                                        goto err;
                                BN_lshift(r0,r0,160*k);
                                BN_add(W,W,r0);
                                }
@@ -194,23 +229,25 @@ DSA *DSA_generate_parameters(int bits, unsigned char *seed_in, int seed_len,
                        if (BN_cmp(p,test) >= 0)
                                {
                                /* step 11 */
-                                if (DSA_is_prime(p,callback,cb_arg) > 0)
+                                r = BN_is_prime_fasttest(p, DSS_prime_checks, callback, ctx3, cb_arg, 1);
-                                        goto end;
+                                if (r > 0)
+                                                goto end; /* found it */
+                                if (r != 0)
+                                        goto err;
                                }
                        /* step 13 */
                        counter++;
+                        /* "offset = offset + n + 1" */
                        /* step 14 */
                        if (counter >= 4096) break;
-                        if (callback != NULL) callback(0,counter,cb_arg);
                        }
                }
 end:
        if (callback != NULL) callback(2,1,cb_arg);
-        /* We now need to gernerate g */
+        /* We now need to generate g */
        /* Set r0=(p-1)/q */
        BN_sub(test,p,BN_value_one());
        BN_div(r0,NULL,test,q,ctx);
@@ -245,89 +282,13 @@ err:
                if (h_ret != NULL) *h_ret=h;
                }
        if (ctx != NULL) BN_CTX_free(ctx);
-        if (ctx != NULL) BN_CTX_free(ctx2);
+        if (ctx2 != NULL)
-        if (mont != NULL) BN_MONT_CTX_free(mont);
-        return(ok?ret:NULL);
-        }
-int DSA_is_prime(BIGNUM *w, void (*callback)(), char *cb_arg)
-        {
-        int ok= -1,j,i,n;
-        BN_CTX *ctx=NULL,*ctx2=NULL;
-        BIGNUM *w_1,*b,*m,*z,*tmp,*mont_1;
-        int a;
-        BN_MONT_CTX *mont=NULL;
-        if (!BN_is_bit_set(w,0)) return(0);
-        if ((ctx=BN_CTX_new()) == NULL) goto err;
-        if ((ctx2=BN_CTX_new()) == NULL) goto err;
-        if ((mont=BN_MONT_CTX_new()) == NULL) goto err;
-        m=   &(ctx2->bn[2]);
-        b=   &(ctx2->bn[3]);
-        z=   &(ctx2->bn[4]);
-        w_1= &(ctx2->bn[5]);
-        tmp= &(ctx2->bn[6]);
-        mont_1= &(ctx2->bn[7]);
-        /* step 1 */
-        n=50;
-        /* step 2 */
-        if (!BN_sub(w_1,w,BN_value_one())) goto err;
-        for (a=1; !BN_is_bit_set(w_1,a); a++)
-                ;
-        if (!BN_rshift(m,w_1,a)) goto err;
-        BN_MONT_CTX_set(mont,w,ctx);
-        BN_to_montgomery(mont_1,BN_value_one(),mont,ctx);
-        BN_to_montgomery(w_1,w_1,mont,ctx);
-        for (i=1; i < n; i++)
                {
-                /* step 3 */
+                BN_CTX_end(ctx2);
-                BN_rand(b,BN_num_bits(w)-2/*-1*/,0,0);
+                BN_CTX_free(ctx2);
-                /* BN_set_word(b,0x10001L); */
-                /* step 4 */
-                j=0;
-                if (!BN_mod_exp_mont(z,b,m,w,ctx,mont)) goto err;
-                if (!BN_to_montgomery(z,z,mont,ctx)) goto err;
-                /* step 5 */
-                for (;;)
-                        {
-                        if (((j == 0) && (BN_cmp(z,mont_1) == 0)) ||
-                                (BN_cmp(z,w_1) == 0))
-                                break;
-                        /* step 6 */
-                        if ((j > 0) && (BN_cmp(z,mont_1) == 0))
-                                {
-                                ok=0;
-                                goto err;
-                                }
-                        j++;
-                        if (j >= a)
-                                {
-                                ok=0;
-                                goto err;
-                                }
-                        if (!BN_mod_mul_montgomery(z,z,z,mont,ctx)) goto err;
-                        if (callback != NULL) callback(1,j,cb_arg);
-                        }
                }
+        if (ctx3 != NULL) BN_CTX_free(ctx3);
-        ok=1;
+        if (mont != NULL) BN_MONT_CTX_free(mont);
-err:
+        return(ok?ret:NULL);
-        if (ok == -1) DSAerr(DSA_F_DSA_IS_PRIME,ERR_R_BN_LIB);
-        BN_CTX_free(ctx);
-        BN_CTX_free(ctx2);
-        BN_MONT_CTX_free(mont);
-        
-        return(ok);
        }
 #endif
author	beck <>	2000-03-19 11:13:58 +0000
committer	beck <>	2000-03-19 11:13:58 +0000
commit	796d609550df3a33fc11468741c5d2f6d3df4c11 (patch)
tree	6c6d539061caa20372dad0ac4ddb1dfae2fbe7fe /src/lib/libcrypto/dsa/dsa_gen.c
parent	5be3114c1fd7e0dfea1e38d3abb4cbba75244419 (diff)
download	openbsd-796d609550df3a33fc11468741c5d2f6d3df4c11.tar.gz openbsd-796d609550df3a33fc11468741c5d2f6d3df4c11.tar.bz2 openbsd-796d609550df3a33fc11468741c5d2f6d3df4c11.zip

diff --git a/src/lib/libcrypto/dsa/dsa_gen.c b/src/lib/libcrypto/dsa/dsa_gen.c index b5e5ec06e5..2294a362d9 100644 --- a/src/lib/libcrypto/dsa/dsa_gen.c +++ b/src/lib/libcrypto/dsa/dsa_gen.c
@@ -59,12 +59,18 @@
59	#undef GENUINE_DSA	59	#undef GENUINE_DSA
60		60
61	#ifdef GENUINE_DSA	61	#ifdef GENUINE_DSA
		62	/* Parameter generation follows the original release of FIPS PUB 186,
		63	* Appendix 2.2 (i.e. use SHA as defined in FIPS PUB 180) */
62	#define HASH SHA	64	#define HASH SHA
63	#else	65	#else
		66	/* Parameter generation follows the updated Appendix 2.2 for FIPS PUB 186,
		67	* also Appendix 2.2 of FIPS PUB 186-1 (i.e. use SHA as defined in
		68	* FIPS PUB 180-1) */
64	#define HASH SHA1	69	#define HASH SHA1
65	#endif	70	#endif
66		71
67	#ifndef NO_SHA	72	#ifndef NO_SHA
		73
68	#include <stdio.h>	74	#include <stdio.h>
69	#include <time.h>	75	#include <time.h>
70	#include "cryptlib.h"	76	#include "cryptlib.h"
@@ -74,8 +80,9 @@
74	#include <openssl/rand.h>	80	#include <openssl/rand.h>
75		81
76	DSA DSA_generate_parameters(int bits, unsigned char seed_in, int seed_len,	82	DSA DSA_generate_parameters(int bits, unsigned char seed_in, int seed_len,
77	int counter_ret, unsigned long h_ret, void (*callback)(),	83	int counter_ret, unsigned long h_ret,
78	char *cb_arg)	84	void (callback)(int, int, void ),
		85	void *cb_arg)
79	{	86	{
80	int ok=0;	87	int ok=0;
81	unsigned char seed[SHA_DIGEST_LENGTH];	88	unsigned char seed[SHA_DIGEST_LENGTH];
@@ -86,47 +93,63 @@ DSA DSA_generate_parameters(int bits, unsigned char seed_in, int seed_len,
86	BN_MONT_CTX *mont=NULL;	93	BN_MONT_CTX *mont=NULL;
87	int k,n=0,i,b,m=0;	94	int k,n=0,i,b,m=0;
88	int counter=0;	95	int counter=0;
89	BN_CTX ctx=NULL,ctx2=NULL;	96	int r=0;
		97	BN_CTX ctx=NULL,ctx2=NULL,*ctx3=NULL;
90	unsigned int h=2;	98	unsigned int h=2;
91	DSA *ret=NULL;	99	DSA *ret=NULL;
92		100
93	if (bits < 512) bits=512;	101	if (bits < 512) bits=512;
94	bits=(bits+63)/64*64;	102	bits=(bits+63)/64*64;
95		103
		104	if (seed_len < 20)
		105	seed_in = NULL; /* seed buffer too small -- ignore */
		106	if (seed_len > 20)
		107	seed_len = 20; /* App. 2.2 of FIPS PUB 186 allows larger SEED,
		108	* but our internal buffers are restricted to 160 bits*/
96	if ((seed_in != NULL) && (seed_len == 20))	109	if ((seed_in != NULL) && (seed_len == 20))
97	memcpy(seed,seed_in,seed_len);	110	memcpy(seed,seed_in,seed_len);
98		111
99	if ((ctx=BN_CTX_new()) == NULL) goto err;	112	if ((ctx=BN_CTX_new()) == NULL) goto err;
100	if ((ctx2=BN_CTX_new()) == NULL) goto err;	113	if ((ctx2=BN_CTX_new()) == NULL) goto err;
		114	if ((ctx3=BN_CTX_new()) == NULL) goto err;
101	if ((ret=DSA_new()) == NULL) goto err;	115	if ((ret=DSA_new()) == NULL) goto err;
102		116
103	if ((mont=BN_MONT_CTX_new()) == NULL) goto err;	117	if ((mont=BN_MONT_CTX_new()) == NULL) goto err;
104		118
105	r0= &(ctx2->bn[0]);	119	BN_CTX_start(ctx2);
106	g= &(ctx2->bn[1]);	120	r0 = BN_CTX_get(ctx2);
107	W= &(ctx2->bn[2]);	121	g = BN_CTX_get(ctx2);
108	q= &(ctx2->bn[3]);	122	W = BN_CTX_get(ctx2);
109	X= &(ctx2->bn[4]);	123	q = BN_CTX_get(ctx2);
110	c= &(ctx2->bn[5]);	124	X = BN_CTX_get(ctx2);
111	p= &(ctx2->bn[6]);	125	c = BN_CTX_get(ctx2);
112	test= &(ctx2->bn[7]);	126	p = BN_CTX_get(ctx2);
		127	test = BN_CTX_get(ctx2);
113		128
114	BN_lshift(test,BN_value_one(),bits-1);	129	BN_lshift(test,BN_value_one(),bits-1);
115		130
116	for (;;)	131	for (;;)
117	{	132	{
118	for (;;)	133	for (;;) /* find q */
119	{	134	{
		135	int seed_is_random;
		136
120	/* step 1 */	137	/* step 1 */
121	if (callback != NULL) callback(0,m++,cb_arg);	138	if (callback != NULL) callback(0,m++,cb_arg);
122		139
123	if (!seed_len)	140	if (!seed_len)
124	RAND_bytes(seed,SHA_DIGEST_LENGTH);	141	{
		142	RAND_pseudo_bytes(seed,SHA_DIGEST_LENGTH);
		143	seed_is_random = 1;
		144	}
125	else	145	else
126	seed_len=0;	146	{
127		147	seed_is_random = 0;
		148	seed_len=0; /* use random seed if 'seed_in' turns out to be bad*/
		149	}
128	memcpy(buf,seed,SHA_DIGEST_LENGTH);	150	memcpy(buf,seed,SHA_DIGEST_LENGTH);
129	memcpy(buf2,seed,SHA_DIGEST_LENGTH);	151	memcpy(buf2,seed,SHA_DIGEST_LENGTH);
		152	/* precompute "SEED + 1" for step 7: */
130	for (i=SHA_DIGEST_LENGTH-1; i >= 0; i--)	153	for (i=SHA_DIGEST_LENGTH-1; i >= 0; i--)
131	{	154	{
132	buf[i]++;	155	buf[i]++;
@@ -142,10 +165,15 @@ DSA DSA_generate_parameters(int bits, unsigned char seed_in, int seed_len,
142	/* step 3 */	165	/* step 3 */
143	md[0]\|=0x80;	166	md[0]\|=0x80;
144	md[SHA_DIGEST_LENGTH-1]\|=0x01;	167	md[SHA_DIGEST_LENGTH-1]\|=0x01;
145	if (!BN_bin2bn(md,SHA_DIGEST_LENGTH,q)) abort();	168	if (!BN_bin2bn(md,SHA_DIGEST_LENGTH,q)) goto err;
146		169
147	/* step 4 */	170	/* step 4 */
148	if (DSA_is_prime(q,callback,cb_arg) > 0) break;	171	r = BN_is_prime_fasttest(q, DSS_prime_checks, callback, ctx3, cb_arg, seed_is_random);
		172	if (r > 0)
		173	break;
		174	if (r != 0)
		175	goto err;
		176
149	/* do a callback call */	177	/* do a callback call */
150	/* step 5 */	178	/* step 5 */
151	}	179	}
@@ -155,16 +183,22 @@ DSA DSA_generate_parameters(int bits, unsigned char seed_in, int seed_len,
155		183
156	/* step 6 */	184	/* step 6 */
157	counter=0;	185	counter=0;
		186	/* "offset = 2" */
158		187
159	n=(bits-1)/160;	188	n=(bits-1)/160;
160	b=(bits-1)-n*160;	189	b=(bits-1)-n*160;
161		190
162	for (;;)	191	for (;;)
163	{	192	{
		193	if (callback != NULL && counter != 0)
		194	callback(0,counter,cb_arg);
		195
164	/* step 7 */	196	/* step 7 */
165	BN_zero(W);	197	BN_zero(W);
		198	/* now 'buf' contains "SEED + offset - 1" */
166	for (k=0; k<=n; k++)	199	for (k=0; k<=n; k++)
167	{	200	{
		201	/* obtain "SEED + offset + k" by incrementing: */
168	for (i=SHA_DIGEST_LENGTH-1; i >= 0; i--)	202	for (i=SHA_DIGEST_LENGTH-1; i >= 0; i--)
169	{	203	{
170	buf[i]++;	204	buf[i]++;
@@ -174,7 +208,8 @@ DSA DSA_generate_parameters(int bits, unsigned char seed_in, int seed_len,
174	HASH(buf,SHA_DIGEST_LENGTH,md);	208	HASH(buf,SHA_DIGEST_LENGTH,md);
175		209
176	/* step 8 */	210	/* step 8 */
177	if (!BN_bin2bn(md,SHA_DIGEST_LENGTH,r0)) abort();	211	if (!BN_bin2bn(md,SHA_DIGEST_LENGTH,r0))
		212	goto err;
178	BN_lshift(r0,r0,160*k);	213	BN_lshift(r0,r0,160*k);
179	BN_add(W,W,r0);	214	BN_add(W,W,r0);
180	}	215	}
@@ -194,23 +229,25 @@ DSA DSA_generate_parameters(int bits, unsigned char seed_in, int seed_len,
194	if (BN_cmp(p,test) >= 0)	229	if (BN_cmp(p,test) >= 0)
195	{	230	{
196	/* step 11 */	231	/* step 11 */
197	if (DSA_is_prime(p,callback,cb_arg) > 0)	232	r = BN_is_prime_fasttest(p, DSS_prime_checks, callback, ctx3, cb_arg, 1);
198	goto end;	233	if (r > 0)
		234	goto end; /* found it */
		235	if (r != 0)
		236	goto err;
199	}	237	}
200		238
201	/* step 13 */	239	/* step 13 */
202	counter++;	240	counter++;
		241	/* "offset = offset + n + 1" */
203		242
204	/* step 14 */	243	/* step 14 */
205	if (counter >= 4096) break;	244	if (counter >= 4096) break;
206
207	if (callback != NULL) callback(0,counter,cb_arg);
208	}	245	}
209	}	246	}
210	end:	247	end:
211	if (callback != NULL) callback(2,1,cb_arg);	248	if (callback != NULL) callback(2,1,cb_arg);
212		249
213	/* We now need to gernerate g */	250	/* We now need to generate g */
214	/* Set r0=(p-1)/q */	251	/* Set r0=(p-1)/q */
215	BN_sub(test,p,BN_value_one());	252	BN_sub(test,p,BN_value_one());
216	BN_div(r0,NULL,test,q,ctx);	253	BN_div(r0,NULL,test,q,ctx);
@@ -245,89 +282,13 @@ err:
245	if (h_ret != NULL) *h_ret=h;	282	if (h_ret != NULL) *h_ret=h;
246	}	283	}
247	if (ctx != NULL) BN_CTX_free(ctx);	284	if (ctx != NULL) BN_CTX_free(ctx);
248	if (ctx != NULL) BN_CTX_free(ctx2);	285	if (ctx2 != NULL)
249	if (mont != NULL) BN_MONT_CTX_free(mont);
250	return(ok?ret:NULL);
251	}
252
253	int DSA_is_prime(BIGNUM w, void (callback)(), char *cb_arg)
254	{
255	int ok= -1,j,i,n;
256	BN_CTX ctx=NULL,ctx2=NULL;
257	BIGNUM w_1,b,m,z,tmp,mont_1;
258	int a;
259	BN_MONT_CTX *mont=NULL;
260
261	if (!BN_is_bit_set(w,0)) return(0);
262
263	if ((ctx=BN_CTX_new()) == NULL) goto err;
264	if ((ctx2=BN_CTX_new()) == NULL) goto err;
265	if ((mont=BN_MONT_CTX_new()) == NULL) goto err;
266
267	m= &(ctx2->bn[2]);
268	b= &(ctx2->bn[3]);
269	z= &(ctx2->bn[4]);
270	w_1= &(ctx2->bn[5]);
271	tmp= &(ctx2->bn[6]);
272	mont_1= &(ctx2->bn[7]);
273
274	/* step 1 */
275	n=50;
276
277	/* step 2 */
278	if (!BN_sub(w_1,w,BN_value_one())) goto err;
279	for (a=1; !BN_is_bit_set(w_1,a); a++)
280	;
281	if (!BN_rshift(m,w_1,a)) goto err;
282
283	BN_MONT_CTX_set(mont,w,ctx);
284	BN_to_montgomery(mont_1,BN_value_one(),mont,ctx);
285	BN_to_montgomery(w_1,w_1,mont,ctx);
286	for (i=1; i < n; i++)
287	{	286	{
288	/* step 3 */	287	BN_CTX_end(ctx2);
289	BN_rand(b,BN_num_bits(w)-2/-1/,0,0);	288	BN_CTX_free(ctx2);
290	/* BN_set_word(b,0x10001L); */
291
292	/* step 4 */
293	j=0;
294	if (!BN_mod_exp_mont(z,b,m,w,ctx,mont)) goto err;
295
296	if (!BN_to_montgomery(z,z,mont,ctx)) goto err;
297
298	/* step 5 */
299	for (;;)
300	{
301	if (((j == 0) && (BN_cmp(z,mont_1) == 0)) \|\|
302	(BN_cmp(z,w_1) == 0))
303	break;
304
305	/* step 6 */
306	if ((j > 0) && (BN_cmp(z,mont_1) == 0))
307	{
308	ok=0;
309	goto err;
310	}
311
312	j++;
313	if (j >= a)
314	{
315	ok=0;
316	goto err;
317	}
318
319	if (!BN_mod_mul_montgomery(z,z,z,mont,ctx)) goto err;
320	if (callback != NULL) callback(1,j,cb_arg);
321	}
322	}	289	}
323		290	if (ctx3 != NULL) BN_CTX_free(ctx3);
324	ok=1;	291	if (mont != NULL) BN_MONT_CTX_free(mont);
325	err:	292	return(ok?ret:NULL);
326	if (ok == -1) DSAerr(DSA_F_DSA_IS_PRIME,ERR_R_BN_LIB);
327	BN_CTX_free(ctx);
328	BN_CTX_free(ctx2);
329	BN_MONT_CTX_free(mont);
330
331	return(ok);
332	}	293	}
333	#endif	294	#endif