From 019cc625bd5ea80174a5ab7b2528e8953563dd0d Mon Sep 17 00:00:00 2001
From: jakemas
Date: Mon, 13 Sep 2021 14:45:13 +0100
Subject: [PATCH] Fix BN_prime_checks_for_validation to align with false-positive rate.

This doesn't affect RSA key generation, which uses BN_prime_checks_for_generation.

Change-Id: Ibf32c0c4bc9fed369e8f8a1efea72c5bd39185a9
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/49426
Reviewed-by: David Benjamin
Commit-Queue: David Benjamin
---
 include/openssl/bn.h | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/include/openssl/bn.h b/include/openssl/bn.h
index 295ca6298..5ca8b8552 100644
--- a/include/openssl/bn.h
+++ b/include/openssl/bn.h
@@ -687,9 +687,9 @@ OPENSSL_EXPORT int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe,
 // BN_prime_checks_for_validation can be used as the |checks| argument to the
 // primarily testing functions when validating an externally-supplied candidate
 // prime. It gives a false positive rate of at most 2^{-128}. (The worst case
-// false positive rate for a single iteration is 1/4, so we perform 32
-// iterations.)
-#define BN_prime_checks_for_validation 32
+// false positive rate for a single iteration is 1/4 per
+// https://eprint.iacr.org/2018/749. (1/4)^64 = 2^{-128}.)
+#define BN_prime_checks_for_validation 64
 
 // BN_prime_checks_for_generation can be used as the |checks| argument to the
 // primality testing functions when generating random primes. It gives a false
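Review bot: The rewritten comment above `BN_prime_checks_for_validation` states the 2^{-128} bound without the condition it depends on. The 1/4 per-iteration figure is the worst case over candidates only when each Miller-Rabin base is drawn at random, independently of the candidate. Whether the primality functions do this is not visible in this hunk, so I would add a line such as `// This bound assumes every iteration uses an independently chosen random base.` The second context line of the same comment still reads "primarily testing functions", where the neighbouring `BN_prime_checks_for_generation` comment says "primality"; that typo could be fixed in the same change. Callers that pass a literal `32` as |checks| instead of the macro, if any exist, would not pick up the stronger setting and are worth a search.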