I was looking at the internal functions in bn_prime.c:
probable_prime(), probable_prime_dh() and probable_prime_dh_safe().

Possibly I'm missing something, but... don't all of these functions
actually generate (probable) safe primes? This is particularly
bemusing for the DH ones.

Also, probable_prime() has some cunning optimisations which it seems
that the other two could also use. Anyone got any idea why not?

Finally, all of them have a bias: they're much more likely to pick a
prime with a long run of non-primes before it than one that hasn't (in
the case of the DH ones, the condition is slightly more subtle,
depending on parameters, but it's there nevertheless). Is this wise?
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
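
The bias raised in the last paragraph of the message, shown on a toy range as an added example (not OpenSSL's code and not part of the original post). It assumes a simplified model in which a candidate is found by taking a uniformly random odd starting point and stepping upward by 2 until a prime is hit; `LIMIT`, `incremental_search` and `starts_landing_on` are names made up for this sketch, and the range 101..199 is constructed.

```c
#include <stdio.h>
#include <string.h>

#define LIMIT 200   /* constructed toy bound; real candidates are hundreds of bits */

static unsigned char composite[LIMIT + 1];

/* Sieve of Eratosthenes over 0..LIMIT. */
static void sieve(void) {
    memset(composite, 0, sizeof composite);
    composite[0] = composite[1] = 1;
    for (int i = 2; i * i <= LIMIT; i++)
        if (!composite[i])
            for (int j = i * i; j <= LIMIT; j += i)
                composite[j] = 1;
}

/* Assumed model: from a starting point, step by 2 until a prime is found.
 * Returns 0 if the search runs past LIMIT. Call sieve() first. */
static int incremental_search(int start) {
    for (int n = start | 1; n <= LIMIT; n += 2)
        if (!composite[n])
            return n;
    return 0;
}

/* Count the odd starting points in [lo, hi] whose search ends on prime p.
 * With a uniform start, this count is proportional to p's selection odds. */
static int starts_landing_on(int p, int lo, int hi) {
    int count = 0;
    sieve();
    for (int s = lo | 1; s <= hi; s += 2)
        if (incremental_search(s) == p)
            count++;
    return count;
}

int main(void) {
    const int lo = 101, hi = 199;
    sieve();
    for (int p = lo; p <= hi; p += 2)
        if (!composite[p])
            printf("%3d is reached from %d odd start(s)\n",
                   p, starts_landing_on(p, lo, hi));
    return 0;
}
```

Under this model a prime's selection probability is proportional to the number of odd candidates between it and the previous prime, so 127 (preceded by six odd composites) is chosen seven times as often as 139 (immediately preceded by the prime 137).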
