/* reduce */
static int montgomery_reduce(void *a, void *b, void *c)
{
LTC_ARGCHK(a != NULL);
LTC_ARGCHK(b != NULL);
LTC_ARGCHK(c != NULL);
return mpi_to_ltc_error(mp_montgomery_reduce(a, b, *((mp_digit *)c)));
}
/* sub */
static int sub(void *a, void *b, void *c)
{
LTC_ARGCHK(a != NULL);
LTC_ARGCHK(b != NULL);
LTC_ARGCHK(c != NULL);
return mpi_to_ltc_error(mp_sub(a, b, c));
}
static int rand_prime(mp_int *N, long len)
{
int type;
/* get type */
if (len < 0) {
type = LTM_PRIME_BBS;
len = -len;
} else {
/* This seems to be what MS CSP's do: */
type = LTM_PRIME_2MSB_ON;
/* Original LibTomCrypt: type = 0; */
}
/* allow sizes between 2 and 256 bytes for a prime size */
if (len < 16 || len > 8192) {
printf("Invalid prime size!\n");
return CRYPT_INVALID_PRIME_SIZE;
}
/* New prime generation makes the code even more cryptoish-insane. Do you know what this means!!!
-- Gir: Yeah, oh wait, er, no.
*/
return mpi_to_ltc_error(mp_prime_random_ex(N, mp_prime_rabin_miller_trials(len), len, type, rand_prime_helper, NULL));
}
static int exptmod(void *a, void *b, void *c, void *d)
{
LTC_ARGCHK(a != NULL);
LTC_ARGCHK(b != NULL);
LTC_ARGCHK(c != NULL);
LTC_ARGCHK(d != NULL);
return mpi_to_ltc_error(mp_exptmod(a,b,c,d));
}
/**
Read a binary string into an mp_int
@param n [out] The mp_int destination
@param in The binary string to read
@param inlen The length of the binary string
@return CRYPT_OK if successful
*/
int pkcs_1_os2ip(mp_int *n, unsigned char *in, unsigned long inlen)
{
int err;
/* read it */
if ((err = mp_read_unsigned_bin(n, in, inlen)) != MP_OKAY) {
return mpi_to_ltc_error(err);
}
return CRYPT_OK;
}
static int isprime(void *a, int *b)
{
int err;
LTC_ARGCHK(a != NULL);
LTC_ARGCHK(b != NULL);
err = mpi_to_ltc_error(mp_prime_is_prime(a, 8, b));
*b = (*b == MP_YES) ? LTC_MP_YES : LTC_MP_NO;
return err;
}
static int der_choice_test(void)
{
ltc_asn1_list types[7], host[1];
unsigned char bitbuf[10], octetbuf[10], ia5buf[10], printbuf[10], outbuf[256];
unsigned long integer, oidbuf[10], outlen, inlen, x, y;
mp_int mpinteger;
ltc_utctime utctime = { 91, 5, 6, 16, 45, 40, 1, 7, 0 };
/* setup variables */
for (x = 0; x < sizeof(bitbuf); x++) { bitbuf[x] = x & 1; }
for (x = 0; x < sizeof(octetbuf); x++) { octetbuf[x] = x; }
for (x = 0; x < sizeof(ia5buf); x++) { ia5buf[x] = 'a'; }
for (x = 0; x < sizeof(printbuf); x++) { printbuf[x] = 'a'; }
integer = 1;
for (x = 0; x < sizeof(oidbuf)/sizeof(oidbuf[0]); x++) { oidbuf[x] = x + 1; }
DO(mpi_to_ltc_error(mp_init(&mpinteger)));
for (x = 0; x < 14; x++) {
/* setup list */
LTC_SET_ASN1(types, 0, LTC_ASN1_PRINTABLE_STRING, printbuf, sizeof(printbuf));
LTC_SET_ASN1(types, 1, LTC_ASN1_BIT_STRING, bitbuf, sizeof(bitbuf));
LTC_SET_ASN1(types, 2, LTC_ASN1_OCTET_STRING, octetbuf, sizeof(octetbuf));
LTC_SET_ASN1(types, 3, LTC_ASN1_IA5_STRING, ia5buf, sizeof(ia5buf));
if (x > 7) {
LTC_SET_ASN1(types, 4, LTC_ASN1_SHORT_INTEGER, &integer, 1);
} else {
LTC_SET_ASN1(types, 4, LTC_ASN1_INTEGER, &mpinteger, 1);
}
LTC_SET_ASN1(types, 5, LTC_ASN1_OBJECT_IDENTIFIER, oidbuf, sizeof(oidbuf)/sizeof(oidbuf[0]));
LTC_SET_ASN1(types, 6, LTC_ASN1_UTCTIME, &utctime, 1);
LTC_SET_ASN1(host, 0, LTC_ASN1_CHOICE, types, 7);
/* encode */
outlen = sizeof(outbuf);
DO(der_encode_sequence(&types[x>6?x-7:x], 1, outbuf, &outlen));
/* decode it */
inlen = outlen;
DO(der_decode_sequence(outbuf, inlen, &host, 1));
for (y = 0; y < 7; y++) {
if (types[y].used && y != (x>6?x-7:x)) {
fprintf(stderr, "CHOICE, flag %lu in trial %lu was incorrectly set to one\n", y, x);
return 1;
}
if (!types[y].used && y == (x>6?x-7:x)) {
fprintf(stderr, "CHOICE, flag %lu in trial %lu was incorrectly set to zero\n", y, x);
return 1;
}
}
}
mp_clear(&mpinteger);
return 0;
}
/**
Import an RSAPublicKey or RSAPrivateKey [two-prime only, defined in PKCS #1 v2.1]
@param in The packet to import from
@param inlen It's length (octets)
@param key [out] Destination for newly imported key
@return CRYPT_OK if successful, upon error allocated memory is freed
*/
int rsa_import(const unsigned char *in, unsigned long inlen, rsa_key *key)
{
unsigned long x;
int err;
LTC_ARGCHK(in != NULL);
LTC_ARGCHK(key != NULL);
/* init key */
if ((err = mp_init_multi(&key->e, &key->d, &key->N, &key->dQ, &key->dP, &key->qP,
&key->p, &key->q, NULL)) != MP_OKAY) {
return mpi_to_ltc_error(err);
}
/* read first number, it's either N or 0 [0 == private key] */
x = inlen;
if ((err = der_get_multi_integer(in, &x, &key->N, NULL)) != CRYPT_OK) {
goto LBL_ERR;
}
/* advance */
inlen -= x;
in += x;
if (mp_cmp_d(&key->N, 0) == MP_EQ) {
/* it's a private key */
if ((err = der_get_multi_integer(in, &inlen, &key->N, &key->e,
&key->d, &key->p, &key->q, &key->dP,
&key->dQ, &key->qP, NULL)) != CRYPT_OK) {
goto LBL_ERR;
}
key->type = PK_PRIVATE;
} else if (mp_cmp_d(&key->N, 1) == MP_EQ) {
/* we don't support multi-prime RSA */
err = CRYPT_PK_INVALID_TYPE;
goto LBL_ERR;
} else {
/* it's a public key and we lack e */
if ((err = der_get_multi_integer(in, &inlen, &key->e, NULL)) != CRYPT_OK) {
goto LBL_ERR;
}
/* free up some ram */
mp_clear_multi(&key->p, &key->q, &key->qP, &key->dP, &key->dQ, NULL);
key->type = PK_PUBLIC;
}
return CRYPT_OK;
LBL_ERR:
mp_clear_multi(&key->d, &key->e, &key->N, &key->dQ, &key->dP,
&key->qP, &key->p, &key->q, NULL);
return err;
}
/* modi */
static int modi(void *a, unsigned long b, unsigned long *c)
{
mp_digit tmp;
int err;
LTC_ARGCHK(a != NULL);
LTC_ARGCHK(c != NULL);
if ((err = mpi_to_ltc_error(mp_mod_d(a, b, &tmp))) != CRYPT_OK) {
return err;
}
*c = tmp;
return CRYPT_OK;
}
/* setup */
static int montgomery_setup(void *a, void **b)
{
int err;
LTC_ARGCHK(a != NULL);
LTC_ARGCHK(b != NULL);
*b = XCALLOC(1, sizeof(mp_digit));
if (*b == NULL) {
return CRYPT_MEM;
}
if ((err = mpi_to_ltc_error(mp_montgomery_setup(a, (mp_digit *)*b))) != CRYPT_OK) {
XFREE(*b);
}
return err;
}
static int init(void **a)
{
int err;
LTC_ARGCHK(a != NULL);
*a = XCALLOC(1, sizeof(mp_int));
if (*a == NULL) {
return CRYPT_MEM;
}
if ((err = mpi_to_ltc_error(mp_init(*a))) != CRYPT_OK) {
XFREE(*a);
}
return err;
}
/* always stores the same # of bytes, pads with leading zero bytes
as required
*/
int pkcs_1_i2osp(mp_int *n, unsigned long modulus_len, unsigned char *out)
{
int err;
unsigned long size;
size = mp_unsigned_bin_size(n);
if (size > modulus_len) {
return CRYPT_BUFFER_OVERFLOW;
}
/* store it */
zeromem(out, modulus_len);
if ((err = mp_to_unsigned_bin(n, out+(modulus_len-size))) != MP_OKAY) {
return mpi_to_ltc_error(err);
}
return CRYPT_OK;
}
/**
Read a mp_int integer
@param in The DER encoded data
@param inlen Size of DER encoded data
@param num The first mp_int to decode
@return CRYPT_OK if successful
*/
int der_decode_integer(const unsigned char *in, unsigned long inlen, mp_int *num)
{
unsigned long x, y, z;
int err;
LTC_ARGCHK(num != NULL);
LTC_ARGCHK(in != NULL);
/* min DER INTEGER is 0x02 01 00 == 0 */
if (inlen < (1 + 1 + 1)) {
return CRYPT_INVALID_PACKET;
}
/* ok expect 0x02 when we AND with 0001 1111 [1F] */
x = 0;
if ((in[x++] & 0x1F) != 0x02) {
return CRYPT_INVALID_PACKET;
}
/* now decode the len stuff */
z = in[x++];
if ((z & 0x80) == 0x00) {
/* short form */
/* will it overflow? */
if (x + z > inlen) {
return CRYPT_INVALID_PACKET;
}
/* no so read it */
if ((err = mpi_to_ltc_error(mp_read_unsigned_bin(num, (unsigned char *)in + x, z))) != CRYPT_OK) {
return err;
}
} else {
/* long form */
z &= 0x7F;
/* will number of length bytes overflow? (or > 4) */
if (((x + z) > inlen) || (z > 4) || (z == 0)) {
return CRYPT_INVALID_PACKET;
}
/* now read it in */
y = 0;
while (z--) {
y = ((unsigned long)(in[x++])) | (y << 8);
}
/* now will reading y bytes overrun? */
if ((x + y) > inlen) {
return CRYPT_INVALID_PACKET;
}
/* no so read it */
if ((err = mpi_to_ltc_error(mp_read_unsigned_bin(num, (unsigned char *)in + x, y))) != CRYPT_OK) {
return err;
}
}
/* see if it's negative */
if (in[x] & 0x80) {
mp_int tmp;
if (mp_init(&tmp) != MP_OKAY) {
return CRYPT_MEM;
}
if (mp_2expt(&tmp, mp_count_bits(num)) != MP_OKAY || mp_sub(num, &tmp, num) != MP_OKAY) {
mp_clear(&tmp);
return CRYPT_MEM;
}
mp_clear(&tmp);
}
return CRYPT_OK;
}
/**
Create an RSA key
@param prng An active PRNG state
@param wprng The index of the PRNG desired
@param size The size of the modulus (key size) desired (octets)
@param e The "e" value (public key). e==65537 is a good choice
@param key [out] Destination of a newly created private key pair
@return CRYPT_OK if successful, upon error all allocated ram is freed
*/
int rsa_make_key(prng_state *prng, int wprng, int size, long e, rsa_key *key)
{
mp_int p, q, tmp1, tmp2, tmp3;
int err;
LTC_ARGCHK(key != NULL);
if ((size < (MIN_RSA_SIZE/8)) || (size > (MAX_RSA_SIZE/8))) {
return CRYPT_INVALID_KEYSIZE;
}
if ((e < 3) || ((e & 1) == 0)) {
return CRYPT_INVALID_ARG;
}
if ((err = prng_is_valid(wprng)) != CRYPT_OK) {
return err;
}
if ((err = mp_init_multi(&p, &q, &tmp1, &tmp2, &tmp3, NULL)) != MP_OKAY) {
return mpi_to_ltc_error(err);
}
/* make primes p and q (optimization provided by Wayne Scott) */
if ((err = mp_set_int(&tmp3, e)) != MP_OKAY) { goto error; } /* tmp3 = e */
/* make prime "p" */
do {
if ((err = rand_prime(&p, size*4, prng, wprng)) != CRYPT_OK) { goto done; }
if ((err = mp_sub_d(&p, 1, &tmp1)) != MP_OKAY) { goto error; } /* tmp1 = p-1 */
if ((err = mp_gcd(&tmp1, &tmp3, &tmp2)) != MP_OKAY) { goto error; } /* tmp2 = gcd(p-1, e) */
} while (mp_cmp_d(&tmp2, 1) != 0); /* while e divides p-1 */
/* make prime "q" */
do {
if ((err = rand_prime(&q, size*4, prng, wprng)) != CRYPT_OK) { goto done; }
if ((err = mp_sub_d(&q, 1, &tmp1)) != MP_OKAY) { goto error; } /* tmp1 = q-1 */
if ((err = mp_gcd(&tmp1, &tmp3, &tmp2)) != MP_OKAY) { goto error; } /* tmp2 = gcd(q-1, e) */
} while (mp_cmp_d(&tmp2, 1) != 0); /* while e divides q-1 */
/* tmp1 = lcm(p-1, q-1) */
if ((err = mp_sub_d(&p, 1, &tmp2)) != MP_OKAY) { goto error; } /* tmp2 = p-1 */
/* tmp1 = q-1 (previous do/while loop) */
if ((err = mp_lcm(&tmp1, &tmp2, &tmp1)) != MP_OKAY) { goto error; } /* tmp1 = lcm(p-1, q-1) */
/* make key */
if ((err = mp_init_multi(&key->e, &key->d, &key->N, &key->dQ, &key->dP,
&key->qP, &key->p, &key->q, NULL)) != MP_OKAY) {
goto error;
}
if ((err = mp_set_int(&key->e, e)) != MP_OKAY) { goto error2; } /* key->e = e */
if ((err = mp_invmod(&key->e, &tmp1, &key->d)) != MP_OKAY) { goto error2; } /* key->d = 1/e mod lcm(p-1,q-1) */
if ((err = mp_mul(&p, &q, &key->N)) != MP_OKAY) { goto error2; } /* key->N = pq */
/* optimize for CRT now */
/* find d mod q-1 and d mod p-1 */
if ((err = mp_sub_d(&p, 1, &tmp1)) != MP_OKAY) { goto error2; } /* tmp1 = q-1 */
if ((err = mp_sub_d(&q, 1, &tmp2)) != MP_OKAY) { goto error2; } /* tmp2 = p-1 */
if ((err = mp_mod(&key->d, &tmp1, &key->dP)) != MP_OKAY) { goto error2; } /* dP = d mod p-1 */
if ((err = mp_mod(&key->d, &tmp2, &key->dQ)) != MP_OKAY) { goto error2; } /* dQ = d mod q-1 */
if ((err = mp_invmod(&q, &p, &key->qP)) != MP_OKAY) { goto error2; } /* qP = 1/q mod p */
if ((err = mp_copy(&p, &key->p)) != MP_OKAY) { goto error2; }
if ((err = mp_copy(&q, &key->q)) != MP_OKAY) { goto error2; }
/* shrink ram required */
if ((err = mp_shrink(&key->e)) != MP_OKAY) { goto error2; }
if ((err = mp_shrink(&key->d)) != MP_OKAY) { goto error2; }
if ((err = mp_shrink(&key->N)) != MP_OKAY) { goto error2; }
if ((err = mp_shrink(&key->dQ)) != MP_OKAY) { goto error2; }
if ((err = mp_shrink(&key->dP)) != MP_OKAY) { goto error2; }
if ((err = mp_shrink(&key->qP)) != MP_OKAY) { goto error2; }
if ((err = mp_shrink(&key->p)) != MP_OKAY) { goto error2; }
if ((err = mp_shrink(&key->q)) != MP_OKAY) { goto error2; }
/* set key type (in this case it's CRT optimized) */
key->type = PK_PRIVATE;
/* return ok and free temps */
err = CRYPT_OK;
goto done;
error2:
mp_clear_multi(&key->d, &key->e, &key->N, &key->dQ, &key->dP,
&key->qP, &key->p, &key->q, NULL);
error:
err = mpi_to_ltc_error(err);
done:
mp_clear_multi(&tmp3, &tmp2, &tmp1, &p, &q, NULL);
return err;
}
/* get normalization value */
static int montgomery_normalization(void *a, void *b)
{
LTC_ARGCHK(a != NULL);
LTC_ARGCHK(b != NULL);
return mpi_to_ltc_error(mp_montgomery_calc_normalization(a, b));
}
static int div_2(void *a, void *b)
{
LTC_ARGCHK(a != NULL);
LTC_ARGCHK(b != NULL);
return mpi_to_ltc_error(mp_div_2(a, b));
}
/**
Sign a hash with DSA
@param in The hash to sign
@param inlen The length of the hash to sign
@param r The "r" integer of the signature (caller must initialize with mp_init() first)
@param s The "s" integer of the signature (caller must initialize with mp_init() first)
@param prng An active PRNG state
@param wprng The index of the PRNG desired
@param key A private DSA key
@return CRYPT_OK if successful
*/
int dsa_sign_hash_raw(const unsigned char *in, unsigned long inlen,
mp_int *r, mp_int *s,
prng_state *prng, int wprng, dsa_key *key)
{
mp_int k, kinv, tmp;
unsigned char *buf;
int err;
LTC_ARGCHK(in != NULL);
LTC_ARGCHK(r != NULL);
LTC_ARGCHK(s != NULL);
LTC_ARGCHK(key != NULL);
if ((err = prng_is_valid(wprng)) != CRYPT_OK) {
return err;
}
if (key->type != PK_PRIVATE) {
return CRYPT_PK_NOT_PRIVATE;
}
/* check group order size */
if (key->qord >= MDSA_MAX_GROUP) {
return CRYPT_INVALID_ARG;
}
buf = XMALLOC(MDSA_MAX_GROUP);
if (buf == NULL) {
return CRYPT_MEM;
}
/* Init our temps */
if ((err = mp_init_multi(&k, &kinv, &tmp, NULL)) != MP_OKAY) { goto error; }
retry:
do {
/* gen random k */
if (prng_descriptor[wprng].read(buf, key->qord, prng) != (unsigned long)key->qord) {
err = CRYPT_ERROR_READPRNG;
goto LBL_ERR;
}
/* read k */
if ((err = mp_read_unsigned_bin(&k, buf, key->qord)) != MP_OKAY) { goto error; }
/* k > 1 ? */
if (mp_cmp_d(&k, 1) != MP_GT) { goto retry; }
/* test gcd */
if ((err = mp_gcd(&k, &key->q, &tmp)) != MP_OKAY) { goto error; }
} while (mp_cmp_d(&tmp, 1) != MP_EQ);
/* now find 1/k mod q */
if ((err = mp_invmod(&k, &key->q, &kinv)) != MP_OKAY) { goto error; }
/* now find r = g^k mod p mod q */
if ((err = mp_exptmod(&key->g, &k, &key->p, r)) != MP_OKAY) { goto error; }
if ((err = mp_mod(r, &key->q, r)) != MP_OKAY) { goto error; }
if (mp_iszero(r) == MP_YES) { goto retry; }
/* now find s = (in + xr)/k mod q */
if ((err = mp_read_unsigned_bin(&tmp, (unsigned char *)in, inlen)) != MP_OKAY) { goto error; }
if ((err = mp_mul(&key->x, r, s)) != MP_OKAY) { goto error; }
if ((err = mp_add(s, &tmp, s)) != MP_OKAY) { goto error; }
if ((err = mp_mulmod(s, &kinv, &key->q, s)) != MP_OKAY) { goto error; }
if (mp_iszero(s) == MP_YES) { goto retry; }
err = CRYPT_OK;
goto LBL_ERR;
error:
err = mpi_to_ltc_error(err);
LBL_ERR:
mp_clear_multi(&k, &kinv, &tmp, NULL);
#ifdef LTC_CLEAN_STACK
zeromem(buf, MDSA_MAX_GROUP);
#endif
XFREE(buf);
return err;
}
static int muli(void *a, unsigned long b, void *c)
{
LTC_ARGCHK(a != NULL);
LTC_ARGCHK(c != NULL);
return mpi_to_ltc_error(mp_mul_d(a, b, c));
}
/**
Verify an ECC signature
@param sig The signature to verify
@param siglen The length of the signature (octets)
@param hash The hash (message digest) that was signed
@param hashlen The length of the hash (octets)
@param stat Result of signature, 1==valid, 0==invalid
@param key The corresponding public ECC key
@return CRYPT_OK if successful (even if the signature is not valid)
*/
int ecc_verify_hash(const unsigned char *sig, unsigned long siglen,
const unsigned char *hash, unsigned long hashlen,
int *stat, ecc_key *key)
{
ecc_point *mG, *mQ;
mp_int r, s, v, w, u1, u2, e, p, m;
mp_digit mp;
int err;
LTC_ARGCHK(sig != NULL);
LTC_ARGCHK(hash != NULL);
LTC_ARGCHK(stat != NULL);
LTC_ARGCHK(key != NULL);
/* default to invalid signature */
*stat = 0;
/* is the IDX valid ? */
if (is_valid_idx(key->idx) != 1) {
return CRYPT_PK_INVALID_TYPE;
}
/* allocate ints */
if ((err = mp_init_multi(&r, &s, &v, &w, &u1, &u2, &p, &e, &m, NULL)) != MP_OKAY) {
return CRYPT_MEM;
}
/* allocate points */
mG = new_point();
mQ = new_point();
if (mQ == NULL || mG == NULL) {
err = CRYPT_MEM;
goto done;
}
/* parse header */
if ((err = der_decode_sequence_multi(sig, siglen,
LTC_ASN1_INTEGER, 1UL, &r,
LTC_ASN1_INTEGER, 1UL, &s,
LTC_ASN1_EOL, 0UL, NULL)) != CRYPT_OK) {
goto done;
}
/* get the order */
if ((err = mp_read_radix(&p, (char *)sets[key->idx].order, 64)) != MP_OKAY) { goto error; }
/* get the modulus */
if ((err = mp_read_radix(&m, (char *)sets[key->idx].prime, 64)) != MP_OKAY) { goto error; }
/* check for zero */
if (mp_iszero(&r) || mp_iszero(&s) || mp_cmp(&r, &p) != MP_LT || mp_cmp(&s, &p) != MP_LT) {
err = CRYPT_INVALID_PACKET;
goto done;
}
/* read hash */
if ((err = mp_read_unsigned_bin(&e, (unsigned char *)hash, (int)hashlen)) != MP_OKAY) { goto error; }
/* w = s^-1 mod n */
if ((err = mp_invmod(&s, &p, &w)) != MP_OKAY) { goto error; }
/* u1 = ew */
if ((err = mp_mulmod(&e, &w, &p, &u1)) != MP_OKAY) { goto error; }
/* u2 = rw */
if ((err = mp_mulmod(&r, &w, &p, &u2)) != MP_OKAY) { goto error; }
/* find mG = u1*G */
if ((err = mp_read_radix(&mG->x, (char *)sets[key->idx].Gx, 64)) != MP_OKAY) { goto error; }
if ((err = mp_read_radix(&mG->y, (char *)sets[key->idx].Gy, 64)) != MP_OKAY) { goto error; }
mp_set(&mG->z, 1);
if ((err = ecc_mulmod(&u1, mG, mG, &m, 0)) != CRYPT_OK) { goto done; }
/* find mQ = u2*Q */
if ((err = mp_copy(&key->pubkey.x, &mQ->x)) != MP_OKAY) { goto error; }
if ((err = mp_copy(&key->pubkey.y, &mQ->y)) != MP_OKAY) { goto error; }
if ((err = mp_copy(&key->pubkey.z, &mQ->z)) != MP_OKAY) { goto error; }
if ((err = ecc_mulmod(&u2, mQ, mQ, &m, 0)) != CRYPT_OK) { goto done; }
/* find the montgomery mp */
if ((err = mp_montgomery_setup(&m, &mp)) != MP_OKAY) { goto error; }
/* add them */
if ((err = add_point(mQ, mG, mG, &m, mp)) != CRYPT_OK) { goto done; }
/* reduce */
if ((err = ecc_map(mG, &m, mp)) != CRYPT_OK) { goto done; }
/* v = X_x1 mod n */
if ((err = mp_mod(&mG->x, &p, &v)) != CRYPT_OK) { goto done; }
/* does v == r */
if (mp_cmp(&v, &r) == MP_EQ) {
*stat = 1;
}
/* clear up and return */
err = CRYPT_OK;
goto done;
error:
err = mpi_to_ltc_error(err);
done:
del_point(mG);
del_point(mQ);
mp_clear_multi(&r, &s, &v, &w, &u1, &u2, &p, &e, &m, NULL);
return err;
}
/* store */
static int unsigned_write(void *a, unsigned char *b)
{
LTC_ARGCHK(a != NULL);
LTC_ARGCHK(b != NULL);
return mpi_to_ltc_error(mp_to_unsigned_bin(a, b));
}
/* read */
static int unsigned_read(void *a, unsigned char *b, unsigned long len)
{
LTC_ARGCHK(a != NULL);
LTC_ARGCHK(b != NULL);
return mpi_to_ltc_error(mp_read_unsigned_bin(a, b, len));
}
/**
Sign a message digest
@param in The message digest to sign
@param inlen The length of the digest
@param out [out] The destination for the signature
@param outlen [in/out] The max size and resulting size of the signature
@param prng An active PRNG state
@param wprng The index of the PRNG you wish to use
@param key A private ECC key
@return CRYPT_OK if successful
*/
int ecc_sign_hash(const unsigned char *in, unsigned long inlen,
unsigned char *out, unsigned long *outlen,
prng_state *prng, int wprng, ecc_key *key)
{
ecc_key pubkey;
mp_int r, s, e, p;
int err;
LTC_ARGCHK(in != NULL);
LTC_ARGCHK(out != NULL);
LTC_ARGCHK(outlen != NULL);
LTC_ARGCHK(key != NULL);
/* is this a private key? */
if (key->type != PK_PRIVATE) {
return CRYPT_PK_NOT_PRIVATE;
}
/* is the IDX valid ? */
if (is_valid_idx(key->idx) != 1) {
return CRYPT_PK_INVALID_TYPE;
}
if ((err = prng_is_valid(wprng)) != CRYPT_OK) {
return err;
}
/* get the hash and load it as a bignum into 'e' */
/* init the bignums */
if ((err = mp_init_multi(&r, &s, &p, &e, NULL)) != MP_OKAY) {
ecc_free(&pubkey);
err = mpi_to_ltc_error(err);
goto LBL_ERR;
}
if ((err = mp_read_radix(&p, (char *)sets[key->idx].order, 64)) != MP_OKAY) { goto error; }
if ((err = mp_read_unsigned_bin(&e, (unsigned char *)in, (int)inlen)) != MP_OKAY) { goto error; }
/* make up a key and export the public copy */
for (;;) {
if ((err = ecc_make_key(prng, wprng, ecc_get_size(key), &pubkey)) != CRYPT_OK) {
return err;
}
/* find r = x1 mod n */
if ((err = mp_mod(&pubkey.pubkey.x, &p, &r)) != MP_OKAY) { goto error; }
if (mp_iszero(&r)) {
ecc_free(&pubkey);
} else {
/* find s = (e + xr)/k */
if ((err = mp_invmod(&pubkey.k, &p, &pubkey.k)) != MP_OKAY) { goto error; } /* k = 1/k */
if ((err = mp_mulmod(&key->k, &r, &p, &s)) != MP_OKAY) { goto error; } /* s = xr */
if ((err = mp_addmod(&e, &s, &p, &s)) != MP_OKAY) { goto error; } /* s = e + xr */
if ((err = mp_mulmod(&s, &pubkey.k, &p, &s)) != MP_OKAY) { goto error; } /* s = (e + xr)/k */
if (mp_iszero(&s)) {
ecc_free(&pubkey);
} else {
break;
}
}
}
/* store as SEQUENCE { r, s -- integer } */
err = der_encode_sequence_multi(out, outlen,
LTC_ASN1_INTEGER, 1UL, &r,
LTC_ASN1_INTEGER, 1UL, &s,
LTC_ASN1_EOL, 0UL, NULL);
goto LBL_ERR;
error:
err = mpi_to_ltc_error(err);
LBL_ERR:
mp_clear_multi(&r, &s, &p, &e, NULL);
ecc_free(&pubkey);
return err;
}
static int copy(void *a, void *b)
{
LTC_ARGCHK(a != NULL);
LTC_ARGCHK(b != NULL);
return mpi_to_ltc_error(mp_copy(a, b));
}
static int twoexpt(void *a, int n)
{
LTC_ARGCHK(a != NULL);
return mpi_to_ltc_error(mp_2expt(a, n));
}
static int set_rand(void *a, int size)
{
LTC_ARGCHK(a != NULL);
return mpi_to_ltc_error(mp_rand(a, size));
}
/* div */
static int divide(void *a, void *b, void *c, void *d)
{
LTC_ARGCHK(a != NULL);
LTC_ARGCHK(b != NULL);
return mpi_to_ltc_error(mp_div(a, b, c, d));
}
/* read ascii string */
static int read_radix(void *a, const char *b, int radix)
{
LTC_ARGCHK(a != NULL);
LTC_ARGCHK(b != NULL);
return mpi_to_ltc_error(mp_read_radix(a, b, radix));
}
int der_tests(void)
{
unsigned long x, y, z, zz, oid[2][32];
unsigned char buf[3][2048];
mp_int a, b, c, d, e, f, g;
static const unsigned char rsa_oid_der[] = { 0x06, 0x06, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d };
static const unsigned long rsa_oid[] = { 1, 2, 840, 113549 };
static const unsigned char rsa_ia5[] = "*****@*****.**";
static const unsigned char rsa_ia5_der[] = { 0x16, 0x0d, 0x74, 0x65, 0x73, 0x74, 0x31,
0x40, 0x72, 0x73, 0x61, 0x2e, 0x63, 0x6f, 0x6d };
static const unsigned char rsa_printable[] = "Test User 1";
static const unsigned char rsa_printable_der[] = { 0x13, 0x0b, 0x54, 0x65, 0x73, 0x74, 0x20, 0x55,
0x73, 0x65, 0x72, 0x20, 0x31 };
static const ltc_utctime rsa_time1 = { 91, 5, 6, 16, 45, 40, 1, 7, 0 };
static const ltc_utctime rsa_time2 = { 91, 5, 6, 23, 45, 40, 0, 0, 0 };
ltc_utctime tmp_time;
static const unsigned char rsa_time1_der[] = { 0x17, 0x11, 0x39, 0x31, 0x30, 0x35, 0x30, 0x36, 0x31, 0x36, 0x34, 0x35, 0x34, 0x30, 0x2D, 0x30, 0x37, 0x30, 0x30 };
static const unsigned char rsa_time2_der[] = { 0x17, 0x0d, 0x39, 0x31, 0x30, 0x35, 0x30, 0x36, 0x32, 0x33, 0x34, 0x35, 0x34, 0x30, 0x5a };
DO(mpi_to_ltc_error(mp_init_multi(&a, &b, &c, &d, &e, &f, &g, NULL)));
for (zz = 0; zz < 16; zz++) {
for (z = 0; z < 1024; z++) {
if (yarrow_read(buf[0], z, &yarrow_prng) != z) {
fprintf(stderr, "Failed to read %lu bytes from yarrow\n", z);
return 1;
}
DO(mpi_to_ltc_error(mp_read_unsigned_bin(&a, buf[0], z)));
if (mp_iszero(&a) == MP_NO) { a.sign = buf[0][0] & 1 ? MP_ZPOS : MP_NEG; }
x = sizeof(buf[0]);
DO(der_encode_integer(&a, buf[0], &x));
DO(der_length_integer(&a, &y));
if (y != x) { fprintf(stderr, "DER INTEGER size mismatch\n"); return 1; }
mp_zero(&b);
DO(der_decode_integer(buf[0], y, &b));
if (y != x || mp_cmp(&a, &b) != MP_EQ) {
fprintf(stderr, "%lu: %lu vs %lu\n", z, x, y);
#ifdef BN_MP_TORADIX_C
mp_todecimal(&a, buf[0]);
mp_todecimal(&b, buf[1]);
fprintf(stderr, "a == %s\nb == %s\n", buf[0], buf[1]);
#endif
mp_clear_multi(&a, &b, &c, &d, &e, &f, &g, NULL);
return 1;
}
}
}
/* test short integer */
for (zz = 0; zz < 256; zz++) {
for (z = 1; z < 4; z++) {
if (yarrow_read(buf[0], z, &yarrow_prng) != z) {
fprintf(stderr, "Failed to read %lu bytes from yarrow\n", z);
return 1;
}
/* encode with normal */
DO(mpi_to_ltc_error(mp_read_unsigned_bin(&a, buf[0], z)));
x = sizeof(buf[0]);
DO(der_encode_integer(&a, buf[0], &x));
/* encode with short */
y = sizeof(buf[1]);
DO(der_encode_short_integer(mp_get_int(&a), buf[1], &y));
if (x != y || memcmp(buf[0], buf[1], x)) {
fprintf(stderr, "DER INTEGER short encoding failed, %lu, %lu\n", x, y);
for (z = 0; z < x; z++) fprintf(stderr, "%02x ", buf[0][z]); fprintf(stderr, "\n");
for (z = 0; z < y; z++) fprintf(stderr, "%02x ", buf[1][z]); fprintf(stderr, "\n");
mp_clear_multi(&a, &b, &c, &d, &e, &f, &g, NULL);
return 1;
}
/* decode it */
x = 0;
DO(der_decode_short_integer(buf[1], y, &x));
if (x != mp_get_int(&a)) {
fprintf(stderr, "DER INTEGER short decoding failed, %lu, %lu\n", x, mp_get_int(&a));
mp_clear_multi(&a, &b, &c, &d, &e, &f, &g, NULL);
return 1;
}
}
}
mp_clear_multi(&a, &b, &c, &d, &e, &f, &g, NULL);
/* Test bit string */
for (zz = 1; zz < 1536; zz++) {
yarrow_read(buf[0], zz, &yarrow_prng);
for (z = 0; z < zz; z++) {
buf[0][z] &= 0x01;
}
x = sizeof(buf[1]);
DO(der_encode_bit_string(buf[0], zz, buf[1], &x));
DO(der_length_bit_string(zz, &y));
if (y != x) {
fprintf(stderr, "\nDER BIT STRING length of encoded not match expected : %lu, %lu, %lu\n", z, x, y);
return 1;
}
y = sizeof(buf[2]);
DO(der_decode_bit_string(buf[1], x, buf[2], &y));
if (y != zz || memcmp(buf[0], buf[2], zz)) {
fprintf(stderr, "%lu, %lu, %d\n", y, zz, memcmp(buf[0], buf[2], zz));
return 1;
}
}
/* Test octet string */
for (zz = 1; zz < 1536; zz++) {
yarrow_read(buf[0], zz, &yarrow_prng);
x = sizeof(buf[1]);
DO(der_encode_octet_string(buf[0], zz, buf[1], &x));
DO(der_length_octet_string(zz, &y));
if (y != x) {
fprintf(stderr, "\nDER OCTET STRING length of encoded not match expected : %lu, %lu, %lu\n", z, x, y);
return 1;
}
y = sizeof(buf[2]);
DO(der_decode_octet_string(buf[1], x, buf[2], &y));
if (y != zz || memcmp(buf[0], buf[2], zz)) {
fprintf(stderr, "%lu, %lu, %d\n", y, zz, memcmp(buf[0], buf[2], zz));
return 1;
}
}
/* test OID */
x = sizeof(buf[0]);
DO(der_encode_object_identifier(rsa_oid, sizeof(rsa_oid)/sizeof(rsa_oid[0]), buf[0], &x));
if (x != sizeof(rsa_oid_der) || memcmp(rsa_oid_der, buf[0], x)) {
fprintf(stderr, "rsa_oid_der encode failed to match, %lu, ", x);
for (y = 0; y < x; y++) fprintf(stderr, "%02x ", buf[0][y]);
fprintf(stderr, "\n");
return 1;
}
y = sizeof(oid[0])/sizeof(oid[0][0]);
DO(der_decode_object_identifier(buf[0], x, oid[0], &y));
if (y != sizeof(rsa_oid)/sizeof(rsa_oid[0]) || memcmp(rsa_oid, oid[0], sizeof(rsa_oid))) {
fprintf(stderr, "rsa_oid_der decode failed to match, %lu, ", y);
for (z = 0; z < y; z++) fprintf(stderr, "%lu ", oid[0][z]);
fprintf(stderr, "\n");
return 1;
}
/* do random strings */
for (zz = 0; zz < 5000; zz++) {
/* pick a random number of words */
yarrow_read(buf[0], 4, &yarrow_prng);
LOAD32L(z, buf[0]);
z = 2 + (z % ((sizeof(oid[0])/sizeof(oid[0][0])) - 2));
/* fill them in */
oid[0][0] = buf[0][0] % 3;
oid[0][1] = buf[0][1] % 40;
for (y = 2; y < z; y++) {
yarrow_read(buf[0], 4, &yarrow_prng);
LOAD32L(oid[0][y], buf[0]);
}
/* encode it */
x = sizeof(buf[0]);
DO(der_encode_object_identifier(oid[0], z, buf[0], &x));
DO(der_length_object_identifier(oid[0], z, &y));
if (x != y) {
fprintf(stderr, "Random OID %lu test failed, length mismatch: %lu, %lu\n", z, x, y);
for (x = 0; x < z; x++) fprintf(stderr, "%lu\n", oid[0][x]);
return 1;
}
/* decode it */
y = sizeof(oid[0])/sizeof(oid[0][0]);
DO(der_decode_object_identifier(buf[0], x, oid[1], &y));
if (y != z) {
fprintf(stderr, "Random OID %lu test failed, decode length mismatch: %lu, %lu\n", z, x, y);
return 1;
}
if (memcmp(oid[0], oid[1], sizeof(oid[0][0]) * z)) {
fprintf(stderr, "Random OID %lu test failed, decoded values wrong\n", z);
for (x = 0; x < z; x++) fprintf(stderr, "%lu\n", oid[0][x]); fprintf(stderr, "\n\n Got \n\n");
for (x = 0; x < z; x++) fprintf(stderr, "%lu\n", oid[1][x]);
return 1;
}
}
/* IA5 string */
x = sizeof(buf[0]);
DO(der_encode_ia5_string(rsa_ia5, strlen(rsa_ia5), buf[0], &x));
if (x != sizeof(rsa_ia5_der) || memcmp(buf[0], rsa_ia5_der, x)) {
fprintf(stderr, "IA5 encode failed: %lu, %lu\n", x, (unsigned long)sizeof(rsa_ia5_der));
return 1;
}
DO(der_length_ia5_string(rsa_ia5, strlen(rsa_ia5), &y));
if (y != x) {
fprintf(stderr, "IA5 length failed to match: %lu, %lu\n", x, y);
return 1;
}
y = sizeof(buf[1]);
DO(der_decode_ia5_string(buf[0], x, buf[1], &y));
if (y != strlen(rsa_ia5) || memcmp(buf[1], rsa_ia5, strlen(rsa_ia5))) {
fprintf(stderr, "DER IA5 failed test vector\n");
return 1;
}
/* Printable string */
x = sizeof(buf[0]);
DO(der_encode_printable_string(rsa_printable, strlen(rsa_printable), buf[0], &x));
if (x != sizeof(rsa_printable_der) || memcmp(buf[0], rsa_printable_der, x)) {
fprintf(stderr, "PRINTABLE encode failed: %lu, %lu\n", x, (unsigned long)sizeof(rsa_printable_der));
return 1;
}
DO(der_length_printable_string(rsa_printable, strlen(rsa_printable), &y));
if (y != x) {
fprintf(stderr, "printable length failed to match: %lu, %lu\n", x, y);
return 1;
}
y = sizeof(buf[1]);
DO(der_decode_printable_string(buf[0], x, buf[1], &y));
if (y != strlen(rsa_printable) || memcmp(buf[1], rsa_printable, strlen(rsa_printable))) {
fprintf(stderr, "DER printable failed test vector\n");
return 1;
}
/* Test UTC time */
x = sizeof(buf[0]);
DO(der_encode_utctime(&rsa_time1, buf[0], &x));
if (x != sizeof(rsa_time1_der) || memcmp(buf[0], rsa_time1_der, x)) {
fprintf(stderr, "UTCTIME encode of rsa_time1 failed: %lu, %lu\n", x, (unsigned long)sizeof(rsa_time1_der));
fprintf(stderr, "\n\n");
for (y = 0; y < x; y++) fprintf(stderr, "%02x ", buf[0][y]); printf("\n");
return 1;
}
DO(der_length_utctime(&rsa_time1, &y));
if (y != x) {
fprintf(stderr, "UTCTIME length failed to match for rsa_time1: %lu, %lu\n", x, y);
return 1;
}
DO(der_decode_utctime(buf[0], &y, &tmp_time));
if (y != x || memcmp(&rsa_time1, &tmp_time, sizeof(ltc_utctime))) {
fprintf(stderr, "UTCTIME decode failed for rsa_time1: %lu %lu\n", x, y);
fprintf(stderr, "\n\n%u %u %u %u %u %u %u %u %u\n\n",
tmp_time.YY,
tmp_time.MM,
tmp_time.DD,
tmp_time.hh,
tmp_time.mm,
tmp_time.ss,
tmp_time.off_dir,
tmp_time.off_mm,
tmp_time.off_hh);
return 1;
}
x = sizeof(buf[0]);
DO(der_encode_utctime(&rsa_time2, buf[0], &x));
if (x != sizeof(rsa_time2_der) || memcmp(buf[0], rsa_time2_der, x)) {
fprintf(stderr, "UTCTIME encode of rsa_time2 failed: %lu, %lu\n", x, (unsigned long)sizeof(rsa_time1_der));
fprintf(stderr, "\n\n");
for (y = 0; y < x; y++) fprintf(stderr, "%02x ", buf[0][y]); printf("\n");
return 1;
}
DO(der_length_utctime(&rsa_time2, &y));
if (y != x) {
fprintf(stderr, "UTCTIME length failed to match for rsa_time2: %lu, %lu\n", x, y);
return 1;
}
DO(der_decode_utctime(buf[0], &y, &tmp_time));
if (y != x || memcmp(&rsa_time2, &tmp_time, sizeof(ltc_utctime))) {
fprintf(stderr, "UTCTIME decode failed for rsa_time2: %lu %lu\n", x, y);
fprintf(stderr, "\n\n%u %u %u %u %u %u %u %u %u\n\n",
tmp_time.YY,
tmp_time.MM,
tmp_time.DD,
tmp_time.hh,
tmp_time.mm,
tmp_time.ss,
tmp_time.off_dir,
tmp_time.off_mm,
tmp_time.off_hh);
return 1;
}
return der_choice_test();
}
/* ---- trivial ---- */
static int set_int(void *a, unsigned long b)
{
LTC_ARGCHK(a != NULL);
return mpi_to_ltc_error(mp_set_int(a, b));
}
/* write one */
static int write_radix(void *a, char *b, int radix)
{
LTC_ARGCHK(a != NULL);
LTC_ARGCHK(b != NULL);
return mpi_to_ltc_error(mp_toradix(a, b, radix));
}
