1 files changed, 23 insertions, 8 deletions
diff --git a/src/lib/libcrypto/man/BN_generate_prime.3 b/src/lib/libcrypto/man/BN_generate_prime.3
index 268bc02a03..85c7349b1b 100644
--- a/src/lib/libcrypto/man/BN_generate_prime.3
+++ b/src/lib/libcrypto/man/BN_generate_prime.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BN_generate_prime.3,v 1.22 2023/04/30 20:17:59 tb Exp $
+.\" $OpenBSD: BN_generate_prime.3,v 1.23 2023/05/11 05:45:33 tb Exp $
 .\" full merge up to: OpenSSL f987a4dd Jun 27 10:12:08 2019 +0200
 .\"
 .\" This file is a derived work.
@@ -67,7 +67,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 30 2023 $
+.Dd $Mdocdate: May 11 2023 $
 .Dt BN_GENERATE_PRIME 3
 .Os
 .Sh NAME
@@ -81,7 +81,7 @@
 .Nm BN_GENCB_get_arg ,
 .Nm BN_GENCB_set_old
 .\" Nm BN_prime_checks_for_size is intentionally undocumented
-.\" because it is no longer used by LibreSSL.
+.\" because it should not be used outside of libcrypto.
 .Nd generate primes and test for primality
 .Sh SYNOPSIS
 .In openssl/bn.h
@@ -147,13 +147,14 @@ and
 test whether the number
 .Fa a
 is prime.
-In LibreSSL, both functions behave identically,
+In LibreSSL, both functions behave identically
-use the Baillie-Pomerance-Selfridge-Wagstaff algorithm,
+and use the Baillie-Pomerance-Selfridge-Wagstaff algorithm
-and ignore the
+combined with
 .Fa checks
-and
+Miller-Rabin rounds.
+The
 .Fa do_trial_division
-arguments.
+argument is ignored.
 .Pp
 It is unknown whether any composite number exists that the
 Baillie-PSW algorithm misclassifies as a prime.
@@ -161,6 +162,20 @@ Some suspect that there may be infinitely many such numbers,
 but not a single one is currently known.
 It is known that no such number exists below 2\(ha64.
 .Pp
+In order to reduce the likelihood of a composite number
+passing the primility tests
+.Fn BN_is_prime_fasttest_ex
+and
+.Fn BN_is_prime_ex ,
+a number of rounds of the probabilistic Miller-Rabin test is performed.
+If
+.Fa checks
+is positive, it is used as the number of rounds;
+if it is zero or the special value
+.Dv BN_prime_checks ,
+a suitable number of rounds is calculated from the bit length of
+.Fa a .
+.Pp
 If
 .Dv NULL
 is passed for the

diff --git a/src/lib/libcrypto/man/BN_generate_prime.3 b/src/lib/libcrypto/man/BN_generate_prime.3 index 268bc02a03..85c7349b1b 100644 --- a/src/lib/libcrypto/man/BN_generate_prime.3 +++ b/src/lib/libcrypto/man/BN_generate_prime.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: BN_generate_prime.3,v 1.22 2023/04/30 20:17:59 tb Exp $	1	.\" $OpenBSD: BN_generate_prime.3,v 1.23 2023/05/11 05:45:33 tb Exp $
2	.\" full merge up to: OpenSSL f987a4dd Jun 27 10:12:08 2019 +0200	2	.\" full merge up to: OpenSSL f987a4dd Jun 27 10:12:08 2019 +0200
3	.\"	3	.\"
4	.\" This file is a derived work.	4	.\" This file is a derived work.
@@ -67,7 +67,7 @@
67	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED	67	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
68	.\" OF THE POSSIBILITY OF SUCH DAMAGE.	68	.\" OF THE POSSIBILITY OF SUCH DAMAGE.
69	.\"	69	.\"
70	.Dd $Mdocdate: April 30 2023 $	70	.Dd $Mdocdate: May 11 2023 $
71	.Dt BN_GENERATE_PRIME 3	71	.Dt BN_GENERATE_PRIME 3
72	.Os	72	.Os
73	.Sh NAME	73	.Sh NAME
@@ -81,7 +81,7 @@
81	.Nm BN_GENCB_get_arg ,	81	.Nm BN_GENCB_get_arg ,
82	.Nm BN_GENCB_set_old	82	.Nm BN_GENCB_set_old
83	.\" Nm BN_prime_checks_for_size is intentionally undocumented	83	.\" Nm BN_prime_checks_for_size is intentionally undocumented
84	.\" because it is no longer used by LibreSSL.	84	.\" because it should not be used outside of libcrypto.
85	.Nd generate primes and test for primality	85	.Nd generate primes and test for primality
86	.Sh SYNOPSIS	86	.Sh SYNOPSIS
87	.In openssl/bn.h	87	.In openssl/bn.h
@@ -147,13 +147,14 @@ and
147	test whether the number	147	test whether the number
148	.Fa a	148	.Fa a
149	is prime.	149	is prime.
150	In LibreSSL, both functions behave identically,	150	In LibreSSL, both functions behave identically
151	use the Baillie-Pomerance-Selfridge-Wagstaff algorithm,	151	and use the Baillie-Pomerance-Selfridge-Wagstaff algorithm
152	and ignore the	152	combined with
153	.Fa checks	153	.Fa checks
154	and	154	Miller-Rabin rounds.
		155	The
155	.Fa do_trial_division	156	.Fa do_trial_division
156	arguments.	157	argument is ignored.
157	.Pp	158	.Pp
158	It is unknown whether any composite number exists that the	159	It is unknown whether any composite number exists that the
159	Baillie-PSW algorithm misclassifies as a prime.	160	Baillie-PSW algorithm misclassifies as a prime.
@@ -161,6 +162,20 @@ Some suspect that there may be infinitely many such numbers,
161	but not a single one is currently known.	162	but not a single one is currently known.
162	It is known that no such number exists below 2\(ha64.	163	It is known that no such number exists below 2\(ha64.
163	.Pp	164	.Pp
		165	In order to reduce the likelihood of a composite number
		166	passing the primility tests
		167	.Fn BN_is_prime_fasttest_ex
		168	and
		169	.Fn BN_is_prime_ex ,
		170	a number of rounds of the probabilistic Miller-Rabin test is performed.
		171	If
		172	.Fa checks
		173	is positive, it is used as the number of rounds;
		174	if it is zero or the special value
		175	.Dv BN_prime_checks ,
		176	a suitable number of rounds is calculated from the bit length of
		177	.Fa a .
		178	.Pp
164	If	179	If
165	.Dv NULL	180	.Dv NULL
166	is passed for the	181	is passed for the