int BN_solinas2bn(const BN_SOLINAS *solinas, BIGNUM *bn)
{
int ret = 0;
BIGNUM *tmp = NULL;
if (!solinas || !bn) {
BNerr(BN_F_BN_SOLINAS2BN, ERR_R_MALLOC_FAILURE);
return 0;
}
if (solinas->b <= 0 || solinas->a <= solinas->b
|| (solinas->s != 1 && solinas->s != -1)
|| (solinas->c != 1 && solinas->c != -1)) {
BNerr(BN_F_BN_SOLINAS2BN, BN_R_INVALID_SOLINAS_PARAMETERS);
return 0;
}
if (!(tmp = BN_new())) {
BNerr(BN_F_BN_SOLINAS2BN, ERR_R_MALLOC_FAILURE);
goto end;
}
BN_one(tmp);
if (!BN_lshift(bn, tmp, solinas->a)) {
BNerr(BN_F_BN_SOLINAS2BN, ERR_R_BN_LIB);
goto end;
}
if (!BN_lshift(tmp, tmp, solinas->b)) {
BNerr(BN_F_BN_SOLINAS2BN, ERR_R_BN_LIB);
goto end;
}
if (!BN_add_word(tmp, solinas->c)) {
BNerr(BN_F_BN_SOLINAS2BN, ERR_R_BN_LIB);
goto end;
}
if (solinas->s > 0) {
if (!BN_add(bn, bn, tmp)) {
BNerr(BN_F_BN_SOLINAS2BN, ERR_R_BN_LIB);
goto end;
}
} else {
if (!BN_sub(bn, bn, tmp)) {
BNerr(BN_F_BN_SOLINAS2BN, ERR_R_BN_LIB);
goto end;
}
}
/* check if it is a prime */
ret = 1;
end:
BN_free(tmp);
return ret;
}
/* rem != m */
int BN_mod(BIGNUM *rem, const BIGNUM *m, const BIGNUM *d, BN_CTX *ctx)
{
#if 0 /* The old slow way */
int i, nm, nd;
BIGNUM *dv;
if(BN_ucmp(m, d) < 0)
{ return ((BN_copy(rem, m) == NULL) ? 0 : 1); }
BN_CTX_start(ctx);
dv = BN_CTX_get(ctx);
if(!BN_copy(rem, m)) { goto err; }
nm = BN_num_bits(rem);
nd = BN_num_bits(d);
if(!BN_lshift(dv, d, nm - nd)) { goto err; }
for(i = nm - nd; i >= 0; i--)
{
if(BN_cmp(rem, dv) >= 0)
{
if(!BN_sub(rem, rem, dv)) { goto err; }
}
if(!BN_rshift1(dv, dv)) { goto err; }
}
BN_CTX_end(ctx);
return (1);
err:
BN_CTX_end(ctx);
return (0);
#else
return (BN_div(NULL, rem, m, d, ctx));
#endif
}
BN_ULONG BN_div_word(BIGNUM *a, BN_ULONG w)
{
BN_ULONG ret = 0;
int i, j;
bn_check_top(a);
w &= BN_MASK2;
if (!w)
/* actually this an error (division by zero) */
return (BN_ULONG)-1;
if (a->top == 0)
return 0;
/* normalize input (so bn_div_words doesn't complain) */
j = BN_BITS2 - BN_num_bits_word(w);
w <<= j;
if (!BN_lshift(a, a, j))
return (BN_ULONG)-1;
for (i=a->top-1; i>=0; i--)
{
BN_ULONG l,d;
l=a->d[i];
d=bn_div_words(ret,l,w);
ret=(l-((d*w)&BN_MASK2))&BN_MASK2;
a->d[i]=d;
}
if ((a->top > 0) && (a->d[a->top-1] == 0))
a->top--;
ret >>= j;
bn_check_top(a);
return(ret);
}
int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d,
BN_CTX *ctx)
{
int i,nm,nd;
int ret = 0;
BIGNUM *D;
bn_check_top(m);
bn_check_top(d);
if (BN_is_zero(d))
{
BNerr(BN_F_BN_DIV,BN_R_DIV_BY_ZERO);
return(0);
}
if (BN_ucmp(m,d) < 0)
{
if (rem != NULL)
{ if (BN_copy(rem,m) == NULL) return(0); }
if (dv != NULL) BN_zero(dv);
return(1);
}
BN_CTX_start(ctx);
D = BN_CTX_get(ctx);
if (dv == NULL) dv = BN_CTX_get(ctx);
if (rem == NULL) rem = BN_CTX_get(ctx);
if (D == NULL || dv == NULL || rem == NULL)
goto end;
nd=BN_num_bits(d);
nm=BN_num_bits(m);
if (BN_copy(D,d) == NULL) goto end;
if (BN_copy(rem,m) == NULL) goto end;
/* The next 2 are needed so we can do a dv->d[0]|=1 later
* since BN_lshift1 will only work once there is a value :-) */
BN_zero(dv);
if(bn_wexpand(dv,1) == NULL) goto end;
dv->top=1;
if (!BN_lshift(D,D,nm-nd)) goto end;
for (i=nm-nd; i>=0; i--)
{
if (!BN_lshift1(dv,dv)) goto end;
if (BN_ucmp(rem,D) >= 0)
{
dv->d[0]|=1;
if (!BN_usub(rem,rem,D)) goto end;
}
/* CAN IMPROVE (and have now :=) */
if (!BN_rshift1(D,D)) goto end;
}
rem->neg=BN_is_zero(rem)?0:m->neg;
dv->neg=m->neg^d->neg;
ret = 1;
end:
BN_CTX_end(ctx);
return(ret);
}
int
test_div(BIO *bp, BN_CTX *ctx)
{
BIGNUM a, b,c, d, e;
int i;
int rc = 1;
BN_init(&a);
BN_init(&b);
BN_init(&c);
BN_init(&d);
BN_init(&e);
for (i = 0; i < num0 + num1; i++) {
if (i < num1) {
BN_bntest_rand(&a, 400, 0, 0);
BN_copy(&b, &a);
BN_lshift(&a, &a, i);
BN_add_word(&a, i);
} else
BN_bntest_rand(&b, 50 + 3*(i - num1), 0, 0);
a.neg = rand_neg();
b.neg = rand_neg();
BN_div(&d, &c, &a, &b, ctx);
if (bp != NULL) {
if (!results) {
BN_print(bp, &a);
BIO_puts(bp, " / ");
BN_print(bp, &b);
BIO_puts(bp, " - ");
}
BN_print(bp, &d);
BIO_puts(bp, "\n");
if (!results) {
BN_print(bp, &a);
BIO_puts(bp, " % ");
BN_print(bp, &b);
BIO_puts(bp, " - ");
}
BN_print(bp, &c);
BIO_puts(bp, "\n");
}
BN_mul(&e, &d, &b, ctx);
BN_add(&d, &e, &c);
BN_sub(&d, &d, &a);
if (!BN_is_zero(&d)) {
fprintf(stderr, "Division test failed!\n");
rc = 0;
break;
}
}
BN_free(&a);
BN_free(&b);
BN_free(&c);
BN_free(&d);
BN_free(&e);
return (rc);
}
/*
* \fn hit2hit_key
*
* \param hit 128-bit Host Identity Tag
* \param hit_key buffer for storing HIT_KEY; should be DHT_VAL_SIZE long
*
* \brief Create a HIT_KEY from a HIT by taking the middle 100 bits and adding
* padding.
*/
void hit2hit_key(hip_hit *hit, __u8 *hit_key)
{
BIGNUM *hk = BN_bin2bn((const unsigned char *)hit, HIT_SIZE, NULL);
BN_lshift(hk, hk, 28); /* truncate to 100-bit number */
memset(hit_key, 0, DHT_KEY_SIZE);
bn2bin_safe(hk, hit_key, 16); /* lower 28-bits now zeroes */
BN_free(hk);
}
int test_lshift(BIO *bp,BN_CTX *ctx,BIGNUM *a_)
{
BIGNUM *a,*b,*c,*d;
int i;
b=BN_new();
c=BN_new();
d=BN_new();
BN_one(c);
if(a_)
a=a_;
else
{
a=BN_new();
BN_bntest_rand(a,200,0,0); /**/
a->neg=rand_neg();
}
for (i=0; i<num0; i++)
{
BN_lshift(b,a,i+1);
BN_add(c,c,c);
if (bp != NULL)
{
if (!results)
{
BN_print(bp,a);
BIO_puts(bp," * ");
BN_print(bp,c);
BIO_puts(bp," - ");
}
BN_print(bp,b);
BIO_puts(bp,"\n");
}
BN_mul(d,a,c,ctx);
BN_sub(d,d,b);
if(!BN_is_zero(d))
{
fprintf(stderr,"Left shift test failed!\n");
fprintf(stderr,"a=");
BN_print_fp(stderr,a);
fprintf(stderr,"\nb=");
BN_print_fp(stderr,b);
fprintf(stderr,"\nc=");
BN_print_fp(stderr,c);
fprintf(stderr,"\nd=");
BN_print_fp(stderr,d);
fprintf(stderr,"\n");
return 0;
}
}
BN_free(a);
BN_free(b);
BN_free(c);
BN_free(d);
return(1);
}
extern "C" void Java_java_math_NativeBN_BN_1shift(JNIEnv* env, jclass, jlong r, jlong a, int n) {
if (!twoValidHandles(env, r, a)) return;
if (n >= 0) {
BN_lshift(toBigNum(r), toBigNum(a), n);
} else {
BN_rshift(toBigNum(r), toBigNum(a), -n);
}
throwExceptionIfNecessary(env);
}
static BIGNUM *euclid(BIGNUM *a, BIGNUM *b)
{
BIGNUM *t;
int shifts=0;
bn_check_top(a);
bn_check_top(b);
/* 0 <= b <= a */
while (!BN_is_zero(b))
{
/* 0 < b <= a */
if (BN_is_odd(a))
{
if (BN_is_odd(b))
{
if (!BN_sub(a,a,b)) goto err;
if (!BN_rshift1(a,a)) goto err;
if (BN_cmp(a,b) < 0)
{ t=a; a=b; b=t; }
}
else /* a odd - b even */
{
if (!BN_rshift1(b,b)) goto err;
if (BN_cmp(a,b) < 0)
{ t=a; a=b; b=t; }
}
}
else /* a is even */
{
if (BN_is_odd(b))
{
if (!BN_rshift1(a,a)) goto err;
if (BN_cmp(a,b) < 0)
{ t=a; a=b; b=t; }
}
else /* a even - b even */
{
if (!BN_rshift1(a,a)) goto err;
if (!BN_rshift1(b,b)) goto err;
shifts++;
}
}
/* 0 <= b <= a */
}
if (shifts)
{
if (!BN_lshift(a,a,shifts)) goto err;
}
bn_check_top(a);
return(a);
err:
return(NULL);
}
int test_div(BIO *bp, BN_CTX *ctx)
{
BIGNUM *a, *b, *c, *d, *e;
int i;
a = BN_new();
b = BN_new();
c = BN_new();
d = BN_new();
e = BN_new();
for (i = 0; i < num0 + num1; i++) {
if (i < num1) {
BN_bntest_rand(a, 400, 0, 0);
BN_copy(b, a);
BN_lshift(a, a, i);
BN_add_word(a, i);
} else
BN_bntest_rand(b, 50 + 3 * (i - num1), 0, 0);
a->neg = rand_neg();
b->neg = rand_neg();
BN_div(d, c, a, b, ctx);
if (bp != NULL) {
if (!results) {
BN_print(bp, a);
BIO_puts(bp, " / ");
BN_print(bp, b);
BIO_puts(bp, " - ");
}
BN_print(bp, d);
BIO_puts(bp, "\n");
if (!results) {
BN_print(bp, a);
BIO_puts(bp, " % ");
BN_print(bp, b);
BIO_puts(bp, " - ");
}
BN_print(bp, c);
BIO_puts(bp, "\n");
}
BN_mul(e, d, b, ctx);
BN_add(d, e, c);
BN_sub(d, d, a);
if (!BN_is_zero(d)) {
fprintf(stderr, "Division test failed!\n");
return 0;
}
}
BN_free(a);
BN_free(b);
BN_free(c);
BN_free(d);
BN_free(e);
return (1);
}
static RSA *
fermat_question_ask(const RSA *rsa)
{
BIGNUM
*a = BN_new(),
*b = BN_new(),
*a2 = BN_new(),
*b2 = BN_new();
BIGNUM *n = rsa->n;
BIGNUM
*tmp = BN_new(),
*rem = BN_new(),
*dssdelta = BN_new();
BN_CTX *ctx = BN_CTX_new();
RSA *ret = NULL;
BN_sqrtmod(tmp, rem, n, ctx);
/* Δ = |p - q| = |a + b - a + b| = |2b| > √N 2⁻¹⁰⁰ */
/* BN_rshift(dssdelta, tmp, 101); */
BN_one(dssdelta);
BN_lshift(dssdelta, dssdelta, BN_num_bits(n) / 4 + 10);
BN_copy(a, tmp);
BN_sqr(a2, a, ctx);
do {
/* a² += 2a + 1 */
BN_lshift1(tmp, a);
BN_uiadd1(tmp);
BN_add(a2, a2, tmp);
/* a += 1 */
BN_uiadd1(a);
/* b² = a² - N */
BN_usub(b2, a2, n);
/* b */
BN_sqrtmod(b, rem, b2, ctx);
} while (!BN_is_zero(rem) && BN_cmp(b, dssdelta) < 1);
if (BN_is_zero(rem)) {
BN_uadd(a, a, b);
ret = qa_RSA_recover(rsa, a, ctx);
}
BN_CTX_free(ctx);
BN_free(a);
BN_free(b);
BN_free(a2);
BN_free(b2);
BN_free(dssdelta);
BN_free(tmp);
BN_free(rem);
return ret;
}
int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
{
BIGNUM Ri,*R;
BN_init(&Ri);
R= &(mont->RR); /* grab RR as a temp */
BN_copy(&(mont->N),mod); /* Set N */
{
BIGNUM tmod;
BN_ULONG buf[2];
mont->ri=(BN_num_bits(mod)+(BN_BITS2-1))/BN_BITS2*BN_BITS2;
if (!(BN_zero(R))) goto err;
if (!(BN_set_bit(R,BN_BITS2))) goto err; /* R */
buf[0]=mod->d[0]; /* tmod = N mod word size */
buf[1]=0;
tmod.d=buf;
tmod.top=1;
tmod.dmax=2;
tmod.neg=mod->neg;
/* Ri = R^-1 mod N*/
if ((BN_mod_inverse(&Ri,R,&tmod,ctx)) == NULL)
goto err;
/* R*Ri */
if (!(BN_lshift(&Ri,&Ri,BN_BITS2))) goto err;
if (!BN_is_zero(&Ri))
{
if (!BN_sub_word(&Ri,1)) goto err;
}
else /* if N mod word size == 1 */
/* Ri-- (mod word size) */
{
if (!BN_set_word(&Ri,BN_MASK2)) goto err;
}
/* Ni = (R*Ri-1)/N, keep only least significant word: */
if (!(BN_div(&Ri,NULL,&Ri,&tmod,ctx))) goto err;
mont->n0=Ri.d[0];
BN_free(&Ri);
}
/* setup RR for conversions */
if (!(BN_zero(&(mont->RR)))) goto err;
if (!(BN_set_bit(&(mont->RR),mont->ri*2))) goto err;
if (!(BN_mod(&(mont->RR),&(mont->RR),&(mont->N),ctx))) goto err;
return(1);
err:
return(0);
}
/* BN_mod_lshift variant that may be used if a is non-negative
* and less than m */
int BN_mod_lshift_quick(BIGNUM *r, const BIGNUM *a, int n, const BIGNUM *m)
{
if (r != a)
{
if (BN_copy(r, a) == NULL) return 0;
}
while (n > 0)
{
int max_shift;
/* 0 < r < m */
max_shift = BN_num_bits(m) - BN_num_bits(r);
/* max_shift >= 0 */
if (max_shift < 0)
{
BNerr(BN_F_BN_MOD_LSHIFT_QUICK, BN_R_INPUT_NOT_REDUCED);
return 0;
}
if (max_shift > n)
max_shift = n;
if (max_shift)
{
if (!BN_lshift(r, r, max_shift)) return 0;
n -= max_shift;
}
else
{
if (!BN_lshift1(r, r)) return 0;
--n;
}
/* BN_num_bits(r) <= BN_num_bits(m) */
if (BN_cmp(r, m) >= 0)
{
if (!BN_sub(r, r, m)) return 0;
}
}
bn_check_top(r);
return 1;
}
void bu256_bn(BIGNUM *vo, const bu256_t *vi)
{
BN_zero(vo);
BIGNUM tmp;
BN_init(&tmp);
unsigned int i;
for (i = 0; i < 8; i++) {
BN_set_word(&tmp, GUINT32_FROM_LE(vi->dword[i]));
BN_lshift(&tmp, &tmp, (i * 32));
BN_add(vo, vo, &tmp);
}
BN_free(&tmp);
}
EC_POINT *embed(const polypseud_ctx *ctx, const unsigned char *data, const size_t len) {
BIGNUM *t1 = BN_bin2bn(data, len, NULL);
BIGNUM *x = BN_new();
BN_mod(x, t1, ctx->p, ctx->bn_ctx);
EC_POINT *point = EC_POINT_new(ctx->ec_group);
unsigned char counter = 0;
int success = 0;
while(!success) {
success = EC_POINT_set_compressed_coordinates_GFp(ctx->ec_group, point, x, 1, ctx->bn_ctx);
if(!success) {
if(counter == 0) {
BN_lshift(x, x, 8);
}
BN_add(x, x, BN_value_one());
}
}
BN_free(x);
BN_free(t1);
return point;
}
static ssize_t
get_size(const uint8_t *buf, size_t len, BIGNUM *out)
{
int sz = -1;
if (len == 0)
return 1;
if (BN_set_word(out, 0) <= 0)
return -ENOMEM;
for (size_t i = 0; i < len; i++) {
if (sz > 0) {
if (BN_lshift(out, out, 8) <= 0)
return -ENOMEM;
if (BN_add_word(out, buf[i]) <= 0)
return -ENOMEM;
} else if (sz < 0) {
if (i == 0) {
if (IS_ID_SHORT(buf[i]))
sz++;
} else if (IS_ID_LAST(buf[i]))
sz++;
} else if (sz == 0) {
sz = buf[i] & ~BIT8;
if (IS_LEN_SHORT(buf[i]))
return BN_set_word(out, sz) > 0 ? 0 : -ENOMEM;
if (i + 1 == len)
return sz;
}
}
return sz <= 0 ? 1 : 0;
}
static int test_check_public_exponent(void)
{
int ret = 0;
BIGNUM *e = NULL;
ret = TEST_ptr(e = BN_new())
/* e is too small */
&& TEST_true(BN_set_word(e, 65535))
&& TEST_false(rsa_check_public_exponent(e))
/* e is even will fail */
&& TEST_true(BN_set_word(e, 65536))
&& TEST_false(rsa_check_public_exponent(e))
/* e is ok */
&& TEST_true(BN_set_word(e, 65537))
&& TEST_true(rsa_check_public_exponent(e))
/* e = 2^256 is too big */
&& TEST_true(BN_lshift(e, BN_value_one(), 256))
&& TEST_false(rsa_check_public_exponent(e))
/* e = 2^256-1 is odd and in range */
&& TEST_true(BN_sub(e, e, BN_value_one()))
&& TEST_true(rsa_check_public_exponent(e));
BN_free(e);
return ret;
}
/* BN_div_no_branch is a special version of BN_div. It does not contain
* branches that may leak sensitive information.
*/
static int BN_div_no_branch(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num,
const BIGNUM *divisor, BN_CTX *ctx)
{
int norm_shift,i,loop;
BIGNUM *tmp,wnum,*snum,*sdiv,*res;
BN_ULONG *resp,*wnump;
BN_ULONG d0,d1;
int num_n,div_n;
bn_check_top(dv);
bn_check_top(rm);
/* bn_check_top(num); */ /* 'num' has been checked in BN_div() */
bn_check_top(divisor);
if (BN_is_zero(divisor))
{
BNerr(BN_F_BN_DIV_NO_BRANCH,BN_R_DIV_BY_ZERO);
return(0);
}
BN_CTX_start(ctx);
tmp=BN_CTX_get(ctx);
snum=BN_CTX_get(ctx);
sdiv=BN_CTX_get(ctx);
if (dv == NULL)
res=BN_CTX_get(ctx);
else res=dv;
if (sdiv == NULL || res == NULL) goto err;
/* First we normalise the numbers */
norm_shift=BN_BITS2-((BN_num_bits(divisor))%BN_BITS2);
if (!(BN_lshift(sdiv,divisor,norm_shift))) goto err;
sdiv->neg=0;
norm_shift+=BN_BITS2;
if (!(BN_lshift(snum,num,norm_shift))) goto err;
snum->neg=0;
/* Since we don't know whether snum is larger than sdiv,
* we pad snum with enough zeroes without changing its
* value.
*/
if (snum->top <= sdiv->top+1)
{
if (bn_wexpand(snum, sdiv->top + 2) == NULL) goto err;
for (i = snum->top; i < sdiv->top + 2; i++) snum->d[i] = 0;
snum->top = sdiv->top + 2;
}
else
{
if (bn_wexpand(snum, snum->top + 1) == NULL) goto err;
snum->d[snum->top] = 0;
snum->top ++;
}
div_n=sdiv->top;
num_n=snum->top;
loop=num_n-div_n;
/* Lets setup a 'window' into snum
* This is the part that corresponds to the current
* 'area' being divided */
wnum.neg = 0;
wnum.d = &(snum->d[loop]);
wnum.top = div_n;
/* only needed when BN_ucmp messes up the values between top and max */
wnum.dmax = snum->dmax - loop; /* so we don't step out of bounds */
/* Get the top 2 words of sdiv */
/* div_n=sdiv->top; */
d0=sdiv->d[div_n-1];
d1=(div_n == 1)?0:sdiv->d[div_n-2];
/* pointer to the 'top' of snum */
wnump= &(snum->d[num_n-1]);
/* Setup to 'res' */
res->neg= (num->neg^divisor->neg);
if (!bn_wexpand(res,(loop+1))) goto err;
res->top=loop-1;
resp= &(res->d[loop-1]);
/* space for temp */
if (!bn_wexpand(tmp,(div_n+1))) goto err;
/* if res->top == 0 then clear the neg value otherwise decrease
* the resp pointer */
if (res->top == 0)
res->neg = 0;
else
resp--;
for (i=0; i<loop-1; i++, wnump--, resp--)
{
BN_ULONG q,l0;
/* the first part of the loop uses the top two words of
* snum and sdiv to calculate a BN_ULONG q such that
* | wnum - sdiv * q | < sdiv */
#if defined(BN_DIV3W) && !defined(OPENSSL_NO_ASM)
BN_ULONG bn_div_3_words(BN_ULONG*,BN_ULONG,BN_ULONG);
q=bn_div_3_words(wnump,d1,d0);
#else
BN_ULONG n0,n1,rem=0;
n0=wnump[0];
n1=wnump[-1];
if (n0 == d0)
q=BN_MASK2;
else /* n0 < d0 */
{
#ifdef BN_LLONG
BN_ULLONG t2;
#if defined(BN_LLONG) && defined(BN_DIV2W) && !defined(bn_div_words)
q=(BN_ULONG)(((((BN_ULLONG)n0)<<BN_BITS2)|n1)/d0);
#else
q=bn_div_words(n0,n1,d0);
#ifdef BN_DEBUG_LEVITTE
TINYCLR_SSL_FPRINTF(OPENSSL_TYPE__FILE_STDERR,"DEBUG: bn_div_words(0x%08X,0x%08X,0x%08\
X) -> 0x%08X\n",
n0, n1, d0, q);
#endif
#endif
#ifndef REMAINDER_IS_ALREADY_CALCULATED
/*
* rem doesn't have to be BN_ULLONG. The least we
* know it's less that d0, isn't it?
*/
rem=(n1-q*d0)&BN_MASK2;
#endif
t2=(BN_ULLONG)d1*q;
for (;;)
{
if (t2 <= ((((BN_ULLONG)rem)<<BN_BITS2)|wnump[-2]))
break;
q--;
rem += d0;
if (rem < d0) break; /* don't let rem overflow */
t2 -= d1;
}
#else /* !BN_LLONG */
BN_ULONG t2l,t2h;
q=bn_div_words(n0,n1,d0);
#ifdef BN_DEBUG_LEVITTE
TINYCLR_SSL_FPRINTF(OPENSSL_TYPE__FILE_STDERR,"DEBUG: bn_div_words(0x%08X,0x%08X,0x%08\
X) -> 0x%08X\n",
n0, n1, d0, q);
#endif
#ifndef REMAINDER_IS_ALREADY_CALCULATED
rem=(n1-q*d0)&BN_MASK2;
#endif
#if defined(BN_UMULT_LOHI)
BN_UMULT_LOHI(t2l,t2h,d1,q);
#elif defined(BN_UMULT_HIGH)
t2l = d1 * q;
t2h = BN_UMULT_HIGH(d1,q);
#else
{
BN_ULONG ql, qh;
t2l=LBITS(d1); t2h=HBITS(d1);
ql =LBITS(q); qh =HBITS(q);
mul64(t2l,t2h,ql,qh); /* t2=(BN_ULLONG)d1*q; */
}
#endif
for (;;)
{
if ((t2h < rem) ||
((t2h == rem) && (t2l <= wnump[-2])))
break;
q--;
rem += d0;
if (rem < d0) break; /* don't let rem overflow */
if (t2l < d1) t2h--; t2l -= d1;
}
#endif /* !BN_LLONG */
}
#endif /* !BN_DIV3W */
l0=bn_mul_words(tmp->d,sdiv->d,div_n,q);
tmp->d[div_n]=l0;
wnum.d--;
/* ingore top values of the bignums just sub the two
* BN_ULONG arrays with bn_sub_words */
if (bn_sub_words(wnum.d, wnum.d, tmp->d, div_n+1))
{
/* Note: As we have considered only the leading
* two BN_ULONGs in the calculation of q, sdiv * q
* might be greater than wnum (but then (q-1) * sdiv
* is less or equal than wnum)
*/
q--;
if (bn_add_words(wnum.d, wnum.d, sdiv->d, div_n))
/* we can't have an overflow here (assuming
* that q != 0, but if q == 0 then tmp is
* zero anyway) */
(*wnump)++;
}
/* store part of the result */
*resp = q;
}
bn_correct_top(snum);
if (rm != NULL)
{
/* Keep a copy of the neg flag in num because if rm==num
* BN_rshift() will overwrite it.
*/
int neg = num->neg;
BN_rshift(rm,snum,norm_shift);
if (!BN_is_zero(rm))
rm->neg = neg;
bn_check_top(rm);
}
bn_correct_top(res);
BN_CTX_end(ctx);
return(1);
err:
bn_check_top(rm);
BN_CTX_end(ctx);
return(0);
}
int RSA_recover_crt_params(RSA *rsa) {
BN_CTX *ctx;
BIGNUM *totient, *rem, *multiple, *p_plus_q, *p_minus_q;
int ok = 0;
if (rsa->n == NULL || rsa->e == NULL || rsa->d == NULL) {
OPENSSL_PUT_ERROR(RSA, RSA_recover_crt_params, RSA_R_EMPTY_PUBLIC_KEY);
return 0;
}
if (rsa->p || rsa->q || rsa->dmp1 || rsa->dmq1 || rsa->iqmp) {
OPENSSL_PUT_ERROR(RSA, RSA_recover_crt_params,
RSA_R_CRT_PARAMS_ALREADY_GIVEN);
return 0;
}
/* This uses the algorithm from section 9B of the RSA paper:
* http://people.csail.mit.edu/rivest/Rsapaper.pdf */
ctx = BN_CTX_new();
if (ctx == NULL) {
OPENSSL_PUT_ERROR(RSA, RSA_recover_crt_params, ERR_R_MALLOC_FAILURE);
return 0;
}
BN_CTX_start(ctx);
totient = BN_CTX_get(ctx);
rem = BN_CTX_get(ctx);
multiple = BN_CTX_get(ctx);
p_plus_q = BN_CTX_get(ctx);
p_minus_q = BN_CTX_get(ctx);
if (totient == NULL || rem == NULL || multiple == NULL || p_plus_q == NULL ||
p_minus_q == NULL) {
OPENSSL_PUT_ERROR(RSA, RSA_recover_crt_params, ERR_R_MALLOC_FAILURE);
goto err;
}
/* ed-1 is a small multiple of φ(n). */
if (!BN_mul(totient, rsa->e, rsa->d, ctx) ||
!BN_sub_word(totient, 1) ||
/* φ(n) =
* pq - p - q + 1 =
* n - (p + q) + 1
*
* Thus n is a reasonable estimate for φ(n). So, (ed-1)/n will be very
* close. But, when we calculate the quotient, we'll be truncating it
* because we discard the remainder. Thus (ed-1)/multiple will be >= n,
* which the totient cannot be. So we add one to the estimate.
*
* Consider ed-1 as:
*
* multiple * (n - (p+q) + 1) =
* multiple*n - multiple*(p+q) + multiple
*
* When we divide by n, the first term becomes multiple and, since
* multiple and p+q is tiny compared to n, the second and third terms can
* be ignored. Thus I claim that subtracting one from the estimate is
* sufficient. */
!BN_div(multiple, NULL, totient, rsa->n, ctx) ||
!BN_add_word(multiple, 1) ||
!BN_div(totient, rem, totient, multiple, ctx)) {
OPENSSL_PUT_ERROR(RSA, RSA_recover_crt_params, ERR_R_BN_LIB);
goto err;
}
if (!BN_is_zero(rem)) {
OPENSSL_PUT_ERROR(RSA, RSA_recover_crt_params, RSA_R_BAD_RSA_PARAMETERS);
goto err;
}
rsa->p = BN_new();
rsa->q = BN_new();
rsa->dmp1 = BN_new();
rsa->dmq1 = BN_new();
rsa->iqmp = BN_new();
if (rsa->p == NULL || rsa->q == NULL || rsa->dmp1 == NULL || rsa->dmq1 ==
NULL || rsa->iqmp == NULL) {
OPENSSL_PUT_ERROR(RSA, RSA_recover_crt_params, ERR_R_MALLOC_FAILURE);
goto err;
}
/* φ(n) = n - (p + q) + 1 =>
* n - totient + 1 = p + q */
if (!BN_sub(p_plus_q, rsa->n, totient) ||
!BN_add_word(p_plus_q, 1) ||
/* p - q = sqrt((p+q)^2 - 4n) */
!BN_sqr(rem, p_plus_q, ctx) ||
!BN_lshift(multiple, rsa->n, 2) ||
!BN_sub(rem, rem, multiple) ||
!BN_sqrt(p_minus_q, rem, ctx) ||
/* q is 1/2 (p+q)-(p-q) */
!BN_sub(rsa->q, p_plus_q, p_minus_q) ||
!BN_rshift1(rsa->q, rsa->q) ||
!BN_div(rsa->p, NULL, rsa->n, rsa->q, ctx) ||
!BN_mul(multiple, rsa->p, rsa->q, ctx)) {
OPENSSL_PUT_ERROR(RSA, RSA_recover_crt_params, ERR_R_BN_LIB);
goto err;
}
if (BN_cmp(multiple, rsa->n) != 0) {
OPENSSL_PUT_ERROR(RSA, RSA_recover_crt_params, RSA_R_INTERNAL_ERROR);
goto err;
}
if (!BN_sub(rem, rsa->p, BN_value_one()) ||
!BN_mod(rsa->dmp1, rsa->d, rem, ctx) ||
!BN_sub(rem, rsa->q, BN_value_one()) ||
!BN_mod(rsa->dmq1, rsa->d, rem, ctx) ||
!BN_mod_inverse(rsa->iqmp, rsa->q, rsa->p, ctx)) {
OPENSSL_PUT_ERROR(RSA, RSA_recover_crt_params, ERR_R_BN_LIB);
goto err;
}
ok = 1;
err:
BN_CTX_end(ctx);
BN_CTX_free(ctx);
if (!ok) {
bn_free_and_null(&rsa->p);
bn_free_and_null(&rsa->q);
bn_free_and_null(&rsa->dmp1);
bn_free_and_null(&rsa->dmq1);
bn_free_and_null(&rsa->iqmp);
}
return ok;
}
int
BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
{
int ret = 0;
BIGNUM *Ri, *R;
BN_CTX_start(ctx);
if ((Ri = BN_CTX_get(ctx)) == NULL)
goto err;
R = &(mont->RR); /* grab RR as a temp */
if (!BN_copy(&(mont->N), mod))
goto err; /* Set N */
mont->N.neg = 0;
#ifdef MONT_WORD
{
BIGNUM tmod;
BN_ULONG buf[2];
BN_init(&tmod);
tmod.d = buf;
tmod.dmax = 2;
tmod.neg = 0;
mont->ri = (BN_num_bits(mod) +
(BN_BITS2 - 1)) / BN_BITS2 * BN_BITS2;
#if defined(OPENSSL_BN_ASM_MONT) && (BN_BITS2<=32)
/* Only certain BN_BITS2<=32 platforms actually make use of
* n0[1], and we could use the #else case (with a shorter R
* value) for the others. However, currently only the assembler
* files do know which is which. */
BN_zero(R);
if (!(BN_set_bit(R, 2 * BN_BITS2)))
goto err;
tmod.top = 0;
if ((buf[0] = mod->d[0]))
tmod.top = 1;
if ((buf[1] = mod->top > 1 ? mod->d[1] : 0))
tmod.top = 2;
if ((BN_mod_inverse_ct(Ri, R, &tmod, ctx)) == NULL)
goto err;
if (!BN_lshift(Ri, Ri, 2 * BN_BITS2))
goto err; /* R*Ri */
if (!BN_is_zero(Ri)) {
if (!BN_sub_word(Ri, 1))
goto err;
}
else /* if N mod word size == 1 */
{
if (bn_expand(Ri, (int)sizeof(BN_ULONG) * 2) == NULL)
goto err;
/* Ri-- (mod double word size) */
Ri->neg = 0;
Ri->d[0] = BN_MASK2;
Ri->d[1] = BN_MASK2;
Ri->top = 2;
}
if (!BN_div_ct(Ri, NULL, Ri, &tmod, ctx))
goto err;
/* Ni = (R*Ri-1)/N,
* keep only couple of least significant words: */
mont->n0[0] = (Ri->top > 0) ? Ri->d[0] : 0;
mont->n0[1] = (Ri->top > 1) ? Ri->d[1] : 0;
#else
BN_zero(R);
if (!(BN_set_bit(R, BN_BITS2)))
goto err; /* R */
buf[0] = mod->d[0]; /* tmod = N mod word size */
buf[1] = 0;
tmod.top = buf[0] != 0 ? 1 : 0;
/* Ri = R^-1 mod N*/
if ((BN_mod_inverse_ct(Ri, R, &tmod, ctx)) == NULL)
goto err;
if (!BN_lshift(Ri, Ri, BN_BITS2))
goto err; /* R*Ri */
if (!BN_is_zero(Ri)) {
if (!BN_sub_word(Ri, 1))
goto err;
}
else /* if N mod word size == 1 */
{
if (!BN_set_word(Ri, BN_MASK2))
goto err; /* Ri-- (mod word size) */
}
if (!BN_div_ct(Ri, NULL, Ri, &tmod, ctx))
goto err;
/* Ni = (R*Ri-1)/N,
* keep only least significant word: */
mont->n0[0] = (Ri->top > 0) ? Ri->d[0] : 0;
mont->n0[1] = 0;
#endif
}
#else /* !MONT_WORD */
{ /* bignum version */
mont->ri = BN_num_bits(&mont->N);
BN_zero(R);
if (!BN_set_bit(R, mont->ri))
goto err; /* R = 2^ri */
/* Ri = R^-1 mod N*/
if ((BN_mod_inverse_ct(Ri, R, &mont->N, ctx)) == NULL)
goto err;
if (!BN_lshift(Ri, Ri, mont->ri))
goto err; /* R*Ri */
if (!BN_sub_word(Ri, 1))
goto err;
/* Ni = (R*Ri-1) / N */
if (!BN_div_ct(&(mont->Ni), NULL, Ri, &mont->N, ctx))
goto err;
}
#endif
/* setup RR for conversions */
BN_zero(&(mont->RR));
if (!BN_set_bit(&(mont->RR), mont->ri*2))
goto err;
if (!BN_mod_ct(&(mont->RR), &(mont->RR), &(mont->N), ctx))
goto err;
ret = 1;
err:
BN_CTX_end(ctx);
return ret;
}
static void runtest(const char *json_base_fn, const char *ser_in_fn,
const char *block_in_hash, const char *tx_in_hash)
{
/* read wallet data */
char *json_fn = test_filename(json_base_fn);
json_t *wallet = read_json(json_fn);
assert(wallet != NULL);
/* read block data containing incoming payment */
char *fn = test_filename(ser_in_fn);
void *data;
size_t data_len;
assert(bu_read_file(fn, &data, &data_len, 1 * 1024 * 1024) == true);
struct bp_block block_in;
bp_block_init(&block_in);
struct const_buffer buf = { data, data_len };
assert(deser_bp_block(&block_in, &buf) == true);
bp_block_calc_sha256(&block_in);
/* verify block-in data matches expected block-in hash */
bu256_t check_hash;
assert(hex_bu256(&check_hash, block_in_hash) == true);
assert(bu256_equal(&block_in.sha256, &check_hash) == true);
/* load key that has received an incoming payment */
struct bp_key key;
assert(bp_key_init(&key) == true);
load_json_key(wallet, &key);
/* load key into keyset */
struct bp_keyset ks;
bpks_init(&ks);
assert(bpks_add(&ks, &key) == true);
/* find key matches in block */
parr *matches;
matches = bp_block_match(&block_in, &ks);
assert(matches != NULL);
assert(matches->len == 1);
struct bp_block_match *match = parr_idx(matches, 0);
assert(match->n == 1); /* match 2nd tx, index 1 */
/* get matching transaction */
struct bp_tx *tx = parr_idx(block_in.vtx, match->n);
bp_tx_calc_sha256(tx);
/* verify txid matches expected */
char tx_hexstr[BU256_STRSZ];
bu256_hex(tx_hexstr, &tx->sha256);
assert(strcmp(tx_hexstr, tx_in_hash) == 0);
/* verify mask matches 2nd txout (1 << 1) */
BIGNUM tmp_mask;
BN_init(&tmp_mask);
BN_one(&tmp_mask);
BN_lshift(&tmp_mask, &tmp_mask, 1);
assert(BN_cmp(&tmp_mask, &match->mask) == 0);
/* build merkle tree, tx's branch */
parr *mtree = bp_block_merkle_tree(&block_in);
assert(mtree != NULL);
parr *mbranch = bp_block_merkle_branch(&block_in, mtree, match->n);
assert(mbranch != NULL);
/* verify merkle branch for tx matches expected */
bu256_t mrk_check;
bp_check_merkle_branch(&mrk_check, &tx->sha256, mbranch, match->n);
assert(bu256_equal(&mrk_check, &block_in.hashMerkleRoot) == true);
/* release resources */
parr_free(mtree, true);
parr_free(mbranch, true);
BN_clear_free(&tmp_mask);
parr_free(matches, true);
bpks_free(&ks);
bp_key_free(&key);
bp_block_free(&block_in);
json_decref(wallet);
free(data);
free(fn);
free(json_fn);
}
/*
* Find the bignum ranges that produce a given prefix.
*/
static int
get_prefix_ranges(int addrtype, const char *pfx, BIGNUM **result,
BN_CTX *bnctx)
{
int i, p, c;
int zero_prefix = 0;
int check_upper = 0;
int b58pow, b58ceil, b58top = 0;
int ret = -1;
BIGNUM bntarg, bnceil, bnfloor;
BIGNUM bnbase;
BIGNUM *bnap, *bnbp, *bntp;
BIGNUM *bnhigh = NULL, *bnlow = NULL, *bnhigh2 = NULL, *bnlow2 = NULL;
BIGNUM bntmp, bntmp2;
BN_init(&bntarg);
BN_init(&bnceil);
BN_init(&bnfloor);
BN_init(&bnbase);
BN_init(&bntmp);
BN_init(&bntmp2);
BN_set_word(&bnbase, 58);
p = strlen(pfx);
for (i = 0; i < p; i++) {
c = vg_b58_reverse_map[(int)pfx[i]];
if (c == -1) {
fprintf(stderr,
"Invalid character '%c' in prefix '%s'\n",
pfx[i], pfx);
goto out;
}
if (i == zero_prefix) {
if (c == 0) {
/* Add another zero prefix */
zero_prefix++;
if (zero_prefix > 19) {
fprintf(stderr,
"Prefix '%s' is too long\n",
pfx);
goto out;
}
continue;
}
/* First non-zero character */
b58top = c;
BN_set_word(&bntarg, c);
} else {
BN_set_word(&bntmp2, c);
BN_mul(&bntmp, &bntarg, &bnbase, bnctx);
BN_add(&bntarg, &bntmp, &bntmp2);
}
}
/* Power-of-two ceiling and floor values based on leading 1s */
BN_clear(&bntmp);
BN_set_bit(&bntmp, 200 - (zero_prefix * 8));
BN_sub(&bnceil, &bntmp, BN_value_one());
BN_set_bit(&bnfloor, 192 - (zero_prefix * 8));
bnlow = BN_new();
bnhigh = BN_new();
if (b58top) {
/*
* If a non-zero was given in the prefix, find the
* numeric boundaries of the prefix.
*/
BN_copy(&bntmp, &bnceil);
bnap = &bntmp;
bnbp = &bntmp2;
b58pow = 0;
while (BN_cmp(bnap, &bnbase) > 0) {
b58pow++;
BN_div(bnbp, NULL, bnap, &bnbase, bnctx);
bntp = bnap;
bnap = bnbp;
bnbp = bntp;
}
b58ceil = BN_get_word(bnap);
if ((b58pow - (p - zero_prefix)) < 6) {
/*
* Do not allow the prefix to constrain the
* check value, this is ridiculous.
*/
fprintf(stderr, "Prefix '%s' is too long\n", pfx);
goto out;
}
BN_set_word(&bntmp2, b58pow - (p - zero_prefix));
BN_exp(&bntmp, &bnbase, &bntmp2, bnctx);
BN_mul(bnlow, &bntmp, &bntarg, bnctx);
BN_sub(&bntmp2, &bntmp, BN_value_one());
BN_add(bnhigh, bnlow, &bntmp2);
if (b58top <= b58ceil) {
/* Fill out the upper range too */
check_upper = 1;
bnlow2 = BN_new();
bnhigh2 = BN_new();
BN_mul(bnlow2, bnlow, &bnbase, bnctx);
BN_mul(&bntmp2, bnhigh, &bnbase, bnctx);
BN_set_word(&bntmp, 57);
BN_add(bnhigh2, &bntmp2, &bntmp);
/*
* Addresses above the ceiling will have one
* fewer "1" prefix in front than we require.
*/
if (BN_cmp(&bnceil, bnlow2) < 0) {
/* High prefix is above the ceiling */
check_upper = 0;
BN_free(bnhigh2);
bnhigh2 = NULL;
BN_free(bnlow2);
bnlow2 = NULL;
}
else if (BN_cmp(&bnceil, bnhigh2) < 0)
/* High prefix is partly above the ceiling */
BN_copy(bnhigh2, &bnceil);
/*
* Addresses below the floor will have another
* "1" prefix in front instead of our target.
*/
if (BN_cmp(&bnfloor, bnhigh) >= 0) {
/* Low prefix is completely below the floor */
assert(check_upper);
check_upper = 0;
BN_free(bnhigh);
bnhigh = bnhigh2;
bnhigh2 = NULL;
BN_free(bnlow);
bnlow = bnlow2;
bnlow2 = NULL;
}
else if (BN_cmp(&bnfloor, bnlow) > 0) {
/* Low prefix is partly below the floor */
BN_copy(bnlow, &bnfloor);
}
}
} else {
BN_copy(bnhigh, &bnceil);
BN_clear(bnlow);
}
/* Limit the prefix to the address type */
BN_clear(&bntmp);
BN_set_word(&bntmp, addrtype);
BN_lshift(&bntmp2, &bntmp, 192);
if (check_upper) {
if (BN_cmp(&bntmp2, bnhigh2) > 0) {
check_upper = 0;
BN_free(bnhigh2);
bnhigh2 = NULL;
BN_free(bnlow2);
bnlow2 = NULL;
}
else if (BN_cmp(&bntmp2, bnlow2) > 0)
BN_copy(bnlow2, &bntmp2);
}
if (BN_cmp(&bntmp2, bnhigh) > 0) {
if (!check_upper)
goto not_possible;
check_upper = 0;
BN_free(bnhigh);
bnhigh = bnhigh2;
bnhigh2 = NULL;
BN_free(bnlow);
bnlow = bnlow2;
bnlow2 = NULL;
}
else if (BN_cmp(&bntmp2, bnlow) > 0) {
BN_copy(bnlow, &bntmp2);
}
BN_set_word(&bntmp, addrtype + 1);
BN_lshift(&bntmp2, &bntmp, 192);
if (check_upper) {
if (BN_cmp(&bntmp2, bnlow2) < 0) {
check_upper = 0;
BN_free(bnhigh2);
bnhigh2 = NULL;
BN_free(bnlow2);
bnlow2 = NULL;
}
else if (BN_cmp(&bntmp2, bnhigh2) < 0)
BN_copy(bnlow2, &bntmp2);
}
if (BN_cmp(&bntmp2, bnlow) < 0) {
if (!check_upper)
goto not_possible;
check_upper = 0;
BN_free(bnhigh);
bnhigh = bnhigh2;
bnhigh2 = NULL;
BN_free(bnlow);
bnlow = bnlow2;
bnlow2 = NULL;
}
else if (BN_cmp(&bntmp2, bnhigh) < 0) {
BN_copy(bnhigh, &bntmp2);
}
/* Address ranges are complete */
assert(check_upper || ((bnlow2 == NULL) && (bnhigh2 == NULL)));
result[0] = bnlow;
result[1] = bnhigh;
result[2] = bnlow2;
result[3] = bnhigh2;
bnlow = NULL;
bnhigh = NULL;
bnlow2 = NULL;
bnhigh2 = NULL;
ret = 0;
if (0) {
not_possible:
ret = -2;
}
out:
BN_clear_free(&bntarg);
BN_clear_free(&bnceil);
BN_clear_free(&bnfloor);
BN_clear_free(&bnbase);
BN_clear_free(&bntmp);
BN_clear_free(&bntmp2);
if (bnhigh)
BN_free(bnhigh);
if (bnlow)
BN_free(bnlow);
if (bnhigh2)
BN_free(bnhigh2);
if (bnlow2)
BN_free(bnlow2);
return ret;
}
int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
{
int ret = 0;
BIGNUM *Ri,*R;
BN_CTX_start(ctx);
if((Ri = BN_CTX_get(ctx)) == NULL) goto err;
R= &(mont->RR); /* grab RR as a temp */
if (!BN_copy(&(mont->N),mod)) goto err; /* Set N */
mont->N.neg = 0;
#ifdef MONT_WORD
{
BIGNUM tmod;
BN_ULONG buf[2];
mont->ri=(BN_num_bits(mod)+(BN_BITS2-1))/BN_BITS2*BN_BITS2;
BN_zero(R);
if (!(BN_set_bit(R,BN_BITS2))) goto err; /* R */
buf[0]=mod->d[0]; /* tmod = N mod word size */
buf[1]=0;
tmod.d=buf;
tmod.top = buf[0] != 0 ? 1 : 0;
tmod.dmax=2;
tmod.neg=0;
/* Ri = R^-1 mod N*/
if ((BN_mod_inverse(Ri,R,&tmod,ctx)) == NULL)
goto err;
if (!BN_lshift(Ri,Ri,BN_BITS2)) goto err; /* R*Ri */
if (!BN_is_zero(Ri))
{
if (!BN_sub_word(Ri,1)) goto err;
}
else /* if N mod word size == 1 */
{
if (!BN_set_word(Ri,BN_MASK2)) goto err; /* Ri-- (mod word size) */
}
if (!BN_div(Ri,NULL,Ri,&tmod,ctx)) goto err;
/* Ni = (R*Ri-1)/N,
* keep only least significant word: */
mont->n0 = (Ri->top > 0) ? Ri->d[0] : 0;
}
#else /* !MONT_WORD */
{ /* bignum version */
mont->ri=BN_num_bits(&mont->N);
BN_zero(R);
if (!BN_set_bit(R,mont->ri)) goto err; /* R = 2^ri */
/* Ri = R^-1 mod N*/
if ((BN_mod_inverse(Ri,R,&mont->N,ctx)) == NULL)
goto err;
if (!BN_lshift(Ri,Ri,mont->ri)) goto err; /* R*Ri */
if (!BN_sub_word(Ri,1)) goto err;
/* Ni = (R*Ri-1) / N */
if (!BN_div(&(mont->Ni),NULL,Ri,&mont->N,ctx)) goto err;
}
#endif
/* setup RR for conversions */
BN_zero(&(mont->RR));
if (!BN_set_bit(&(mont->RR),mont->ri*2)) goto err;
if (!BN_mod(&(mont->RR),&(mont->RR),&(mont->N),ctx)) goto err;
ret = 1;
err:
BN_CTX_end(ctx);
return ret;
}
int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) {
// See FIPS 186-4 appendix B.3. This function implements a generalized version
// of the FIPS algorithm. |RSA_generate_key_fips| performs additional checks
// for FIPS-compliant key generation.
// Always generate RSA keys which are a multiple of 128 bits. Round |bits|
// down as needed.
bits &= ~127;
// Reject excessively small keys.
if (bits < 256) {
OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);
return 0;
}
// Reject excessively large public exponents. Windows CryptoAPI and Go don't
// support values larger than 32 bits, so match their limits for generating
// keys. (|check_modulus_and_exponent_sizes| uses a slightly more conservative
// value, but we don't need to support generating such keys.)
// https://github.com/golang/go/issues/3161
// https://msdn.microsoft.com/en-us/library/aa387685(VS.85).aspx
if (BN_num_bits(e_value) > 32) {
OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_E_VALUE);
return 0;
}
int ret = 0;
int prime_bits = bits / 2;
BN_CTX *ctx = BN_CTX_new();
if (ctx == NULL) {
goto bn_err;
}
BN_CTX_start(ctx);
BIGNUM *totient = BN_CTX_get(ctx);
BIGNUM *pm1 = BN_CTX_get(ctx);
BIGNUM *qm1 = BN_CTX_get(ctx);
BIGNUM *sqrt2 = BN_CTX_get(ctx);
BIGNUM *pow2_prime_bits_100 = BN_CTX_get(ctx);
BIGNUM *pow2_prime_bits = BN_CTX_get(ctx);
if (totient == NULL || pm1 == NULL || qm1 == NULL || sqrt2 == NULL ||
pow2_prime_bits_100 == NULL || pow2_prime_bits == NULL ||
!BN_set_bit(pow2_prime_bits_100, prime_bits - 100) ||
!BN_set_bit(pow2_prime_bits, prime_bits)) {
goto bn_err;
}
// We need the RSA components non-NULL.
if (!ensure_bignum(&rsa->n) ||
!ensure_bignum(&rsa->d) ||
!ensure_bignum(&rsa->e) ||
!ensure_bignum(&rsa->p) ||
!ensure_bignum(&rsa->q) ||
!ensure_bignum(&rsa->dmp1) ||
!ensure_bignum(&rsa->dmq1)) {
goto bn_err;
}
if (!BN_copy(rsa->e, e_value)) {
goto bn_err;
}
// Compute sqrt2 >= ⌊2^(prime_bits-1)×√2⌋.
if (!bn_set_words(sqrt2, kBoringSSLRSASqrtTwo, kBoringSSLRSASqrtTwoLen)) {
goto bn_err;
}
int sqrt2_bits = kBoringSSLRSASqrtTwoLen * BN_BITS2;
assert(sqrt2_bits == (int)BN_num_bits(sqrt2));
if (sqrt2_bits > prime_bits) {
// For key sizes up to 3072 (prime_bits = 1536), this is exactly
// ⌊2^(prime_bits-1)×√2⌋.
if (!BN_rshift(sqrt2, sqrt2, sqrt2_bits - prime_bits)) {
goto bn_err;
}
} else if (prime_bits > sqrt2_bits) {
// For key sizes beyond 3072, this is approximate. We err towards retrying
// to ensure our key is the right size and round up.
if (!BN_add_word(sqrt2, 1) ||
!BN_lshift(sqrt2, sqrt2, prime_bits - sqrt2_bits)) {
goto bn_err;
}
}
assert(prime_bits == (int)BN_num_bits(sqrt2));
do {
// Generate p and q, each of size |prime_bits|, using the steps outlined in
// appendix FIPS 186-4 appendix B.3.3.
if (!generate_prime(rsa->p, prime_bits, rsa->e, NULL, sqrt2,
pow2_prime_bits_100, ctx, cb) ||
!BN_GENCB_call(cb, 3, 0) ||
!generate_prime(rsa->q, prime_bits, rsa->e, rsa->p, sqrt2,
pow2_prime_bits_100, ctx, cb) ||
!BN_GENCB_call(cb, 3, 1)) {
goto bn_err;
}
if (BN_cmp(rsa->p, rsa->q) < 0) {
BIGNUM *tmp = rsa->p;
rsa->p = rsa->q;
rsa->q = tmp;
}
// Calculate d = e^(-1) (mod lcm(p-1, q-1)), per FIPS 186-4. This differs
// from typical RSA implementations which use (p-1)*(q-1).
//
// Note this means the size of d might reveal information about p-1 and
// q-1. However, we do operations with Chinese Remainder Theorem, so we only
// use d (mod p-1) and d (mod q-1) as exponents. Using a minimal totient
// does not affect those two values.
int no_inverse;
if (!bn_usub_consttime(pm1, rsa->p, BN_value_one()) ||
!bn_usub_consttime(qm1, rsa->q, BN_value_one()) ||
!bn_lcm_consttime(totient, pm1, qm1, ctx) ||
!bn_mod_inverse_consttime(rsa->d, &no_inverse, rsa->e, totient, ctx)) {
goto bn_err;
}
// Retry if |rsa->d| <= 2^|prime_bits|. See appendix B.3.1's guidance on
// values for d.
} while (BN_cmp(rsa->d, pow2_prime_bits) <= 0);
if (// Calculate n.
!bn_mul_consttime(rsa->n, rsa->p, rsa->q, ctx) ||
// Calculate d mod (p-1).
!bn_div_consttime(NULL, rsa->dmp1, rsa->d, pm1, ctx) ||
// Calculate d mod (q-1)
!bn_div_consttime(NULL, rsa->dmq1, rsa->d, qm1, ctx)) {
goto bn_err;
}
bn_set_minimal_width(rsa->n);
// Sanity-check that |rsa->n| has the specified size. This is implied by
// |generate_prime|'s bounds.
if (BN_num_bits(rsa->n) != (unsigned)bits) {
OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
goto err;
}
// Call |freeze_private_key| to compute the inverse of q mod p, by way of
// |rsa->mont_p|.
if (!freeze_private_key(rsa, ctx)) {
goto bn_err;
}
// The key generation process is complex and thus error-prone. It could be
// disastrous to generate and then use a bad key so double-check that the key
// makes sense.
if (!RSA_check_key(rsa)) {
OPENSSL_PUT_ERROR(RSA, RSA_R_INTERNAL_ERROR);
goto err;
}
ret = 1;
bn_err:
if (!ret) {
OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
}
err:
if (ctx != NULL) {
BN_CTX_end(ctx);
BN_CTX_free(ctx);
}
return ret;
}
BIGNUM *BN_mod_inverse(BIGNUM *in,
const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx)
{
BIGNUM *A,*B,*X,*Y,*M,*D,*T,*R=NULL;
BIGNUM *ret=NULL;
int sign;
if ((BN_get_flags(a, BN_FLG_CONSTTIME) != 0) || (BN_get_flags(n, BN_FLG_CONSTTIME) != 0))
{
return BN_mod_inverse_no_branch(in, a, n, ctx);
}
bn_check_top(a);
bn_check_top(n);
BN_CTX_start(ctx);
A = BN_CTX_get(ctx);
B = BN_CTX_get(ctx);
X = BN_CTX_get(ctx);
D = BN_CTX_get(ctx);
M = BN_CTX_get(ctx);
Y = BN_CTX_get(ctx);
T = BN_CTX_get(ctx);
if (T == NULL) goto err;
if (in == NULL)
R=BN_new();
else
R=in;
if (R == NULL) goto err;
BN_one(X);
BN_zero(Y);
if (BN_copy(B,a) == NULL) goto err;
if (BN_copy(A,n) == NULL) goto err;
A->neg = 0;
if (B->neg || (BN_ucmp(B, A) >= 0))
{
if (!BN_nnmod(B, B, A, ctx)) goto err;
}
sign = -1;
/* From B = a mod |n|, A = |n| it follows that
*
* 0 <= B < A,
* -sign*X*a == B (mod |n|),
* sign*Y*a == A (mod |n|).
*/
if (BN_is_odd(n) && (BN_num_bits(n) <= (BN_BITS <= 32 ? 450 : 2048)))
{
/* Binary inversion algorithm; requires odd modulus.
* This is faster than the general algorithm if the modulus
* is sufficiently small (about 400 .. 500 bits on 32-bit
* sytems, but much more on 64-bit systems) */
int shift;
while (!BN_is_zero(B))
{
/*
* 0 < B < |n|,
* 0 < A <= |n|,
* (1) -sign*X*a == B (mod |n|),
* (2) sign*Y*a == A (mod |n|)
*/
/* Now divide B by the maximum possible power of two in the integers,
* and divide X by the same value mod |n|.
* When we're done, (1) still holds. */
shift = 0;
while (!BN_is_bit_set(B, shift)) /* note that 0 < B */
{
shift++;
if (BN_is_odd(X))
{
if (!BN_uadd(X, X, n)) goto err;
}
/* now X is even, so we can easily divide it by two */
if (!BN_rshift1(X, X)) goto err;
}
if (shift > 0)
{
if (!BN_rshift(B, B, shift)) goto err;
}
/* Same for A and Y. Afterwards, (2) still holds. */
shift = 0;
while (!BN_is_bit_set(A, shift)) /* note that 0 < A */
{
shift++;
if (BN_is_odd(Y))
{
if (!BN_uadd(Y, Y, n)) goto err;
}
/* now Y is even */
if (!BN_rshift1(Y, Y)) goto err;
}
if (shift > 0)
{
if (!BN_rshift(A, A, shift)) goto err;
}
/* We still have (1) and (2).
* Both A and B are odd.
* The following computations ensure that
*
* 0 <= B < |n|,
* 0 < A < |n|,
* (1) -sign*X*a == B (mod |n|),
* (2) sign*Y*a == A (mod |n|),
*
* and that either A or B is even in the next iteration.
*/
if (BN_ucmp(B, A) >= 0)
{
/* -sign*(X + Y)*a == B - A (mod |n|) */
if (!BN_uadd(X, X, Y)) goto err;
/* NB: we could use BN_mod_add_quick(X, X, Y, n), but that
* actually makes the algorithm slower */
if (!BN_usub(B, B, A)) goto err;
}
else
{
/* sign*(X + Y)*a == A - B (mod |n|) */
if (!BN_uadd(Y, Y, X)) goto err;
/* as above, BN_mod_add_quick(Y, Y, X, n) would slow things down */
if (!BN_usub(A, A, B)) goto err;
}
}
}
else
{
/* general inversion algorithm */
while (!BN_is_zero(B))
{
BIGNUM *tmp;
/*
* 0 < B < A,
* (*) -sign*X*a == B (mod |n|),
* sign*Y*a == A (mod |n|)
*/
/* (D, M) := (A/B, A%B) ... */
if (BN_num_bits(A) == BN_num_bits(B))
{
if (!BN_one(D)) goto err;
if (!BN_sub(M,A,B)) goto err;
}
else if (BN_num_bits(A) == BN_num_bits(B) + 1)
{
/* A/B is 1, 2, or 3 */
if (!BN_lshift1(T,B)) goto err;
if (BN_ucmp(A,T) < 0)
{
/* A < 2*B, so D=1 */
if (!BN_one(D)) goto err;
if (!BN_sub(M,A,B)) goto err;
}
else
{
/* A >= 2*B, so D=2 or D=3 */
if (!BN_sub(M,A,T)) goto err;
if (!BN_add(D,T,B)) goto err; /* use D (:= 3*B) as temp */
if (BN_ucmp(A,D) < 0)
{
/* A < 3*B, so D=2 */
if (!BN_set_word(D,2)) goto err;
/* M (= A - 2*B) already has the correct value */
}
else
{
/* only D=3 remains */
if (!BN_set_word(D,3)) goto err;
/* currently M = A - 2*B, but we need M = A - 3*B */
if (!BN_sub(M,M,B)) goto err;
}
}
}
else
{
if (!BN_div(D,M,A,B,ctx)) goto err;
}
/* Now
* A = D*B + M;
* thus we have
* (**) sign*Y*a == D*B + M (mod |n|).
*/
tmp=A; /* keep the BIGNUM object, the value does not matter */
/* (A, B) := (B, A mod B) ... */
A=B;
B=M;
/* ... so we have 0 <= B < A again */
/* Since the former M is now B and the former B is now A,
* (**) translates into
* sign*Y*a == D*A + B (mod |n|),
* i.e.
* sign*Y*a - D*A == B (mod |n|).
* Similarly, (*) translates into
* -sign*X*a == A (mod |n|).
*
* Thus,
* sign*Y*a + D*sign*X*a == B (mod |n|),
* i.e.
* sign*(Y + D*X)*a == B (mod |n|).
*
* So if we set (X, Y, sign) := (Y + D*X, X, -sign), we arrive back at
* -sign*X*a == B (mod |n|),
* sign*Y*a == A (mod |n|).
* Note that X and Y stay non-negative all the time.
*/
/* most of the time D is very small, so we can optimize tmp := D*X+Y */
if (BN_is_one(D))
{
if (!BN_add(tmp,X,Y)) goto err;
}
else
{
if (BN_is_word(D,2))
{
if (!BN_lshift1(tmp,X)) goto err;
}
else if (BN_is_word(D,4))
{
if (!BN_lshift(tmp,X,2)) goto err;
}
else if (D->top == 1)
{
if (!BN_copy(tmp,X)) goto err;
if (!BN_mul_word(tmp,D->d[0])) goto err;
}
else
{
if (!BN_mul(tmp,D,X,ctx)) goto err;
}
if (!BN_add(tmp,tmp,Y)) goto err;
}
M=Y; /* keep the BIGNUM object, the value does not matter */
Y=X;
X=tmp;
sign = -sign;
}
}
/*
* The while loop (Euclid's algorithm) ends when
* A == gcd(a,n);
* we have
* sign*Y*a == A (mod |n|),
* where Y is non-negative.
*/
if (sign < 0)
{
if (!BN_sub(Y,n,Y)) goto err;
}
/* Now Y*a == A (mod |n|). */
if (BN_is_one(A))
{
/* Y*a == 1 (mod |n|) */
if (!Y->neg && BN_ucmp(Y,n) < 0)
{
if (!BN_copy(R,Y)) goto err;
}
else
{
if (!BN_nnmod(R,Y,n,ctx)) goto err;
}
}
else
{
BNerr(BN_F_BN_MOD_INVERSE,BN_R_NO_INVERSE);
goto err;
}
ret=R;
err:
if ((ret == NULL) && (in == NULL)) BN_free(R);
BN_CTX_end(ctx);
bn_check_top(ret);
return(ret);
}
int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
BN_CTX *ctx)
{
int norm_shift, i, j, loop;
BIGNUM *tmp, wnum, *snum, *sdiv, *res;
BN_ULONG *resp, *wnump;
BN_ULONG d0, d1;
int num_n, div_n;
bn_check_top(num);
bn_check_top(divisor);
if(BN_is_zero(divisor))
{
return (0);
}
if(BN_ucmp(num, divisor) < 0)
{
if(rm != NULL)
{
if(BN_copy(rm, num) == NULL) { return (0); }
}
if(dv != NULL) { BN_zero(dv); }
return (1);
}
BN_CTX_start(ctx);
tmp = BN_CTX_get(ctx);
snum = BN_CTX_get(ctx);
sdiv = BN_CTX_get(ctx);
if(dv == NULL)
{ res = BN_CTX_get(ctx); }
else { res = dv; }
if(sdiv == NULL || res == NULL) { goto err; }
tmp->neg = 0;
/* First we normalise the numbers */
norm_shift = BN_BITS2 - ((BN_num_bits(divisor)) % BN_BITS2);
BN_lshift(sdiv, divisor, norm_shift);
sdiv->neg = 0;
norm_shift += BN_BITS2;
BN_lshift(snum, num, norm_shift);
snum->neg = 0;
div_n = sdiv->top;
num_n = snum->top;
loop = num_n - div_n;
/* Lets setup a 'window' into snum
* This is the part that corresponds to the current
* 'area' being divided */
BN_init(&wnum);
wnum.d = &(snum->d[loop]);
wnum.top = div_n;
wnum.dmax = snum->dmax + 1; /* a bit of a lie */
/* Get the top 2 words of sdiv */
/* i=sdiv->top; */
d0 = sdiv->d[div_n - 1];
d1 = (div_n == 1) ? 0 : sdiv->d[div_n - 2];
/* pointer to the 'top' of snum */
wnump = &(snum->d[num_n - 1]);
/* Setup to 'res' */
res->neg = (num->neg ^ divisor->neg);
if(!bn_wexpand(res, (loop + 1))) { goto err; }
res->top = loop;
resp = &(res->d[loop - 1]);
/* space for temp */
if(!bn_wexpand(tmp, (div_n + 1))) { goto err; }
if(BN_ucmp(&wnum, sdiv) >= 0)
{
if(!BN_usub(&wnum, &wnum, sdiv)) { goto err; }
*resp = 1;
res->d[res->top - 1] = 1;
}
else
{ res->top--; }
resp--;
for(i = 0; i < loop - 1; i++)
{
BN_ULONG q, l0;
#if defined(BN_DIV3W) && !defined(NO_ASM)
BN_ULONG bn_div_3_words(BN_ULONG *, BN_ULONG, BN_ULONG);
q = bn_div_3_words(wnump, d1, d0);
#else
BN_ULONG n0, n1, rem = 0;
n0 = wnump[0];
n1 = wnump[-1];
if(n0 == d0)
{ q = BN_MASK2; }
else /* n0 < d0 */
{
#ifdef BN_LLONG
BN_ULLONG t2;
#if defined(BN_LLONG) && defined(BN_DIV2W) && !defined(bn_div_words)
q = (BN_ULONG)(((((BN_ULLONG)n0) << BN_BITS2) | n1) / d0);
#else
q = bn_div_words(n0, n1, d0);
#endif
#ifndef REMAINDER_IS_ALREADY_CALCULATED
/*
* rem doesn't have to be BN_ULLONG. The least we
* know it's less that d0, isn't it?
*/
rem = (n1 - q * d0)&BN_MASK2;
#endif
t2 = (BN_ULLONG)d1 * q;
for(;;)
{
if(t2 <= ((((BN_ULLONG)rem) << BN_BITS2) | wnump[-2]))
{ break; }
q--;
rem += d0;
if(rem < d0) { break; } /* don't let rem overflow */
t2 -= d1;
}
#else /* !BN_LLONG */
BN_ULONG t2l, t2h, ql, qh;
q = bn_div_words(n0, n1, d0);
#ifndef REMAINDER_IS_ALREADY_CALCULATED
rem = (n1 - q * d0)&BN_MASK2;
#endif
#ifdef BN_UMULT_HIGH
t2l = d1 * q;
t2h = BN_UMULT_HIGH(d1, q);
#else
t2l = LBITS(d1);
t2h = HBITS(d1);
ql = LBITS(q);
qh = HBITS(q);
mul64(t2l, t2h, ql, qh); /* t2=(BN_ULLONG)d1*q; */
#endif
for(;;)
{
if((t2h < rem) ||
((t2h == rem) && (t2l <= wnump[-2])))
{ break; }
q--;
rem += d0;
if(rem < d0) { break; } /* don't let rem overflow */
if(t2l < d1) { t2h--; }
t2l -= d1;
}
#endif /* !BN_LLONG */
}
#endif /* !BN_DIV3W */
l0 = bn_mul_words(tmp->d, sdiv->d, div_n, q);
wnum.d--;
wnum.top++;
tmp->d[div_n] = l0;
for(j = div_n + 1; j > 0; j--)
if(tmp->d[j - 1]) { break; }
tmp->top = j;
j = wnum.top;
BN_sub(&wnum, &wnum, tmp);
snum->top = snum->top + wnum.top - j;
if(wnum.neg)
{
q--;
j = wnum.top;
BN_add(&wnum, &wnum, sdiv);
snum->top += wnum.top - j;
}
*(resp--) = q;
wnump--;
}
if(rm != NULL)
{
BN_rshift(rm, snum, norm_shift);
rm->neg = num->neg;
}
BN_CTX_end(ctx);
return (1);
err:
BN_CTX_end(ctx);
return (0);
}
int ec_GFp_simple_group_check_discriminant(const EC_GROUP *group, BN_CTX *ctx)
{
int ret = 0;
BIGNUM *a, *b, *order, *tmp_1, *tmp_2;
const BIGNUM *p = group->field;
BN_CTX *new_ctx = NULL;
if (ctx == NULL) {
ctx = new_ctx = BN_CTX_new();
if (ctx == NULL) {
ECerr(EC_F_EC_GFP_SIMPLE_GROUP_CHECK_DISCRIMINANT,
ERR_R_MALLOC_FAILURE);
goto err;
}
}
BN_CTX_start(ctx);
a = BN_CTX_get(ctx);
b = BN_CTX_get(ctx);
tmp_1 = BN_CTX_get(ctx);
tmp_2 = BN_CTX_get(ctx);
order = BN_CTX_get(ctx);
if (order == NULL)
goto err;
if (group->meth->field_decode) {
if (!group->meth->field_decode(group, a, group->a, ctx))
goto err;
if (!group->meth->field_decode(group, b, group->b, ctx))
goto err;
} else {
if (!BN_copy(a, group->a))
goto err;
if (!BN_copy(b, group->b))
goto err;
}
/*-
* check the discriminant:
* y^2 = x^3 + a*x + b is an elliptic curve <=> 4*a^3 + 27*b^2 != 0 (mod p)
* 0 =< a, b < p
*/
if (BN_is_zero(a)) {
if (BN_is_zero(b))
goto err;
} else if (!BN_is_zero(b)) {
if (!BN_mod_sqr(tmp_1, a, p, ctx))
goto err;
if (!BN_mod_mul(tmp_2, tmp_1, a, p, ctx))
goto err;
if (!BN_lshift(tmp_1, tmp_2, 2))
goto err;
/* tmp_1 = 4*a^3 */
if (!BN_mod_sqr(tmp_2, b, p, ctx))
goto err;
if (!BN_mul_word(tmp_2, 27))
goto err;
/* tmp_2 = 27*b^2 */
if (!BN_mod_add(a, tmp_1, tmp_2, p, ctx))
goto err;
if (BN_is_zero(a))
goto err;
}
ret = 1;
err:
if (ctx != NULL)
BN_CTX_end(ctx);
BN_CTX_free(new_ctx);
return ret;
}
int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
BN_CTX *ctx)
{
int norm_shift,i,loop;
BIGNUM *tmp,*snum,*sdiv,*res;
#ifdef BN_ALLOC /* pcg */
BIGNUM wnum;
#else
BN_ULONG *wnum_d;
#endif /* !BN_ALLOC */
BN_ULONG *resp,*wnump;
BN_ULONG d0,d1;
int num_n,div_n;
/* Invalid zero-padding would have particularly bad consequences
* in the case of 'num', so don't just rely on bn_check_top() for this one
* (bn_check_top() works only for BN_DEBUG builds) */
if (num->top > 0 && num->d[num->top - 1] == 0)
{
BNerr(BN_F_BN_DIV,BN_R_NOT_INITIALIZED);
return 0;
}
bn_check_top(num);
if ((BN_get_flags(num, BN_FLG_CONSTTIME) != 0) || (BN_get_flags(divisor, BN_FLG_CONSTTIME) != 0))
{
return BN_div_no_branch(dv, rm, num, divisor, ctx);
}
bn_check_top(dv);
bn_check_top(rm);
/* bn_check_top(num); */ /* 'num' has been checked already */
bn_check_top(divisor);
if (BN_is_zero(divisor))
{
BNerr(BN_F_BN_DIV,BN_R_DIV_BY_ZERO);
return(0);
}
if (BN_ucmp(num,divisor) < 0)
{
if (rm != NULL)
{ if (BN_copy(rm,num) == NULL) return(0); }
if (dv != NULL) BN_zero(dv);
return(1);
}
BN_CTX_start(ctx);
tmp=BN_CTX_get(ctx);
snum=BN_CTX_get_ext( ctx, BIGNUM_EXT_MUL1 ); /* pcg */
sdiv=BN_CTX_get(ctx);
if (dv == NULL)
res=BN_CTX_get(ctx);
else res=dv;
if (sdiv == NULL || res == NULL || tmp == NULL || snum == NULL)
goto err;
/* First we normalise the numbers */
norm_shift=BN_BITS2-((BN_num_bits(divisor))%BN_BITS2);
if (!(BN_lshift(sdiv,divisor,norm_shift))) goto err;
sdiv->neg=0;
norm_shift+=BN_BITS2;
if (!(BN_lshift(snum,num,norm_shift))) goto err;
snum->neg=0;
div_n=sdiv->top;
num_n=snum->top;
loop=num_n-div_n;
/* Lets setup a 'window' into snum
* This is the part that corresponds to the current
* 'area' being divided */
#ifdef BN_ALLOC /* pcg */
wnum.neg = 0;
wnum.d = &(snum->d[loop]);
wnum.top = div_n;
/* only needed when BN_ucmp messes up the values between top and max */
wnum.dmax = snum->dmax - loop; /* so we don't step out of bounds */
#else
wnum_d = &(snum->d[loop]);
#endif /* BN_ALLOC */
/* Get the top 2 words of sdiv */
/* div_n=sdiv->top; */
d0=sdiv->d[div_n-1];
d1=(div_n == 1)?0:sdiv->d[div_n-2];
/* pointer to the 'top' of snum */
wnump= &(snum->d[num_n-1]);
/* Setup to 'res' */
res->neg= (num->neg^divisor->neg);
if (!bn_wexpand(res,(loop+1))) goto err;
res->top=loop;
resp= &(res->d[loop-1]);
/* space for temp */
if( div_n+1 > BIGNUM_ALLOC_WORDS ) { assert( 0 ); goto err; }
if (BN_ucmp_word(wnum_d,div_n,sdiv) >= 0)
{
/* If BN_DEBUG_RAND is defined BN_ucmp changes (via
* bn_pollute) the const bignum arguments =>
* clean the values between top and max again */
bn_clear_top2max(&wnum);
bn_sub_words(wnum_d, wnum_d, sdiv->d, div_n);
*resp=1;
}
else
res->top--;
/* if res->top == 0 then clear the neg value otherwise decrease
* the resp pointer */
if (res->top == 0)
res->neg = 0;
else
resp--;
for (i=0; i<loop-1; i++, wnump--, resp--)
{
BN_ULONG q,l0;
/* the first part of the loop uses the top two words of
* snum and sdiv to calculate a BN_ULONG q such that
* | wnum - sdiv * q | < sdiv */
#if defined(BN_DIV3W) && !defined(OPENSSL_NO_ASM)
BN_ULONG bn_div_3_words(BN_ULONG*,BN_ULONG,BN_ULONG);
q=bn_div_3_words(wnump,d1,d0);
#else
BN_ULONG n0,n1,rem=0;
n0=wnump[0];
n1=wnump[-1];
if (n0 == d0)
q=BN_MASK2;
else /* n0 < d0 */
{
#ifdef BN_LLONG
BN_ULLONG t2;
#if defined(BN_LLONG) && defined(BN_DIV2W) && !defined(bn_div_words)
q=(BN_ULONG)(((((BN_ULLONG)n0)<<BN_BITS2)|n1)/d0);
#else
q=bn_div_words(n0,n1,d0);
#ifdef BN_DEBUG_LEVITTE
fprintf(stderr,"DEBUG: bn_div_words(0x%08X,0x%08X,0x%08\
X) -> 0x%08X\n",
n0, n1, d0, q);
#endif
#endif
#ifndef REMAINDER_IS_ALREADY_CALCULATED
/*
* rem doesn't have to be BN_ULLONG. The least we
* know it's less that d0, isn't it?
*/
rem=(n1-q*d0)&BN_MASK2;
#endif
t2=(BN_ULLONG)d1*q;
for (;;)
{
if (t2 <= ((((BN_ULLONG)rem)<<BN_BITS2)|wnump[-2]))
break;
q--;
rem += d0;
if (rem < d0) break; /* don't let rem overflow */
t2 -= d1;
}
#else /* !BN_LLONG */
BN_ULONG t2l,t2h;
#if !defined( BN_UMULT_LOHI ) && !defined( BN_UMULT_HIGH ) /* pcg */
BN_ULONG ql,qh;
#endif
q=bn_div_words(n0,n1,d0);
#ifdef BN_DEBUG_LEVITTE
fprintf(stderr,"DEBUG: bn_div_words(0x%08X,0x%08X,0x%08\
X) -> 0x%08X\n",
n0, n1, d0, q);
#endif
#ifndef REMAINDER_IS_ALREADY_CALCULATED
rem=(n1-q*d0)&BN_MASK2;
#endif
#if defined(BN_UMULT_LOHI)
BN_UMULT_LOHI(t2l,t2h,d1,q);
#elif defined(BN_UMULT_HIGH)
t2l = d1 * q;
t2h = BN_UMULT_HIGH(d1,q);
#else
{
BN_ULONG ql, qh;
t2l=LBITS(d1); t2h=HBITS(d1);
ql =LBITS(q); qh =HBITS(q);
mul64(t2l,t2h,ql,qh); /* t2=(BN_ULLONG)d1*q; */
}
#endif
for (;;)
{
if ((t2h < rem) ||
((t2h == rem) && (t2l <= wnump[-2])))
break;
q--;
rem += d0;
if (rem < d0) break; /* don't let rem overflow */
if (t2l < d1) t2h--; t2l -= d1;
}
#endif /* !BN_LLONG */
}
#endif /* !BN_DIV3W */
l0=bn_mul_words(tmp->d,sdiv->d,div_n,q);
tmp->d[div_n]=l0;
wnum_d--;
/* ingore top values of the bignums just sub the two
* BN_ULONG arrays with bn_sub_words */
if (bn_sub_words(wnum_d, wnum_d, tmp->d, div_n+1))
{
/* Note: As we have considered only the leading
* two BN_ULONGs in the calculation of q, sdiv * q
* might be greater than wnum (but then (q-1) * sdiv
* is less or equal than wnum)
*/
q--;
if (bn_add_words(wnum_d, wnum_d, sdiv->d, div_n))
/* we can't have an overflow here (assuming
* that q != 0, but if q == 0 then tmp is
* zero anyway) */
(*wnump)++;
}
/* store part of the result */
*resp = q;
}
bn_correct_top(snum);
if (rm != NULL)
{
/* Keep a copy of the neg flag in num because if rm==num
* BN_rshift() will overwrite it.
*/
int neg = num->neg;
BN_rshift(rm,snum,norm_shift);
if (!BN_is_zero(rm))
rm->neg = neg;
bn_check_top(rm);
}
BN_CTX_end_ext( ctx, BIGNUM_EXT_MUL1 ); /* pcg */
return(1);
err:
bn_check_top(rm);
BN_CTX_end_ext( ctx, BIGNUM_EXT_MUL1 ); /* pcg */
return(0);
}
int
dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, const EVP_MD *evpmd,
const unsigned char *seed_in, size_t seed_len, unsigned char *seed_out,
int *counter_ret, unsigned long *h_ret, BN_GENCB *cb)
{
int ok = 0;
unsigned char seed[SHA256_DIGEST_LENGTH];
unsigned char md[SHA256_DIGEST_LENGTH];
unsigned char buf[SHA256_DIGEST_LENGTH], buf2[SHA256_DIGEST_LENGTH];
BIGNUM *r0, *W, *X, *c, *test;
BIGNUM *g = NULL, *q = NULL, *p = NULL;
BN_MONT_CTX *mont = NULL;
int i, k, n = 0, m = 0, qsize = qbits >> 3;
int counter = 0;
int r = 0;
BN_CTX *ctx = NULL;
unsigned int h = 2;
if (qsize != SHA_DIGEST_LENGTH && qsize != SHA224_DIGEST_LENGTH &&
qsize != SHA256_DIGEST_LENGTH)
/* invalid q size */
return 0;
if (evpmd == NULL)
/* use SHA1 as default */
evpmd = EVP_sha1();
if (bits < 512)
bits = 512;
bits = (bits + 63) / 64 * 64;
/*
* NB: seed_len == 0 is special case: copy generated seed to
* seed_in if it is not NULL.
*/
if (seed_len && seed_len < (size_t)qsize)
seed_in = NULL; /* seed buffer too small -- ignore */
/*
* App. 2.2 of FIPS PUB 186 allows larger SEED,
* but our internal buffers are restricted to 160 bits
*/
if (seed_len > (size_t)qsize)
seed_len = qsize;
if (seed_in != NULL)
memcpy(seed, seed_in, seed_len);
if ((ctx=BN_CTX_new()) == NULL)
goto err;
if ((mont=BN_MONT_CTX_new()) == NULL)
goto err;
BN_CTX_start(ctx);
r0 = BN_CTX_get(ctx);
g = BN_CTX_get(ctx);
W = BN_CTX_get(ctx);
q = BN_CTX_get(ctx);
X = BN_CTX_get(ctx);
c = BN_CTX_get(ctx);
p = BN_CTX_get(ctx);
test = BN_CTX_get(ctx);
if (!BN_lshift(test, BN_value_one(), bits - 1))
goto err;
for (;;) {
for (;;) { /* find q */
int seed_is_random;
/* step 1 */
if (!BN_GENCB_call(cb, 0, m++))
goto err;
if (!seed_len) {
RAND_pseudo_bytes(seed, qsize);
seed_is_random = 1;
} else {
seed_is_random = 0;
/* use random seed if 'seed_in' turns out
to be bad */
seed_len = 0;
}
memcpy(buf, seed, qsize);
memcpy(buf2, seed, qsize);
/* precompute "SEED + 1" for step 7: */
for (i = qsize - 1; i >= 0; i--) {
buf[i]++;
if (buf[i] != 0)
break;
}
/* step 2 */
if (!EVP_Digest(seed, qsize, md, NULL, evpmd, NULL))
goto err;
if (!EVP_Digest(buf, qsize, buf2, NULL, evpmd, NULL))
goto err;
for (i = 0; i < qsize; i++)
md[i] ^= buf2[i];
/* step 3 */
md[0] |= 0x80;
md[qsize - 1] |= 0x01;
if (!BN_bin2bn(md, qsize, q))
goto err;
/* step 4 */
r = BN_is_prime_fasttest_ex(q, DSS_prime_checks, ctx,
seed_is_random, cb);
if (r > 0)
break;
if (r != 0)
goto err;
/* do a callback call */
/* step 5 */
}
if (!BN_GENCB_call(cb, 2, 0))
goto err;
if (!BN_GENCB_call(cb, 3, 0))
goto err;
/* step 6 */
counter = 0;
/* "offset = 2" */
n = (bits - 1) / 160;
for (;;) {
if (counter != 0 && !BN_GENCB_call(cb, 0, counter))
goto err;
/* step 7 */
BN_zero(W);
/* now 'buf' contains "SEED + offset - 1" */
for (k = 0; k <= n; k++) {
/* obtain "SEED + offset + k" by incrementing: */
for (i = qsize - 1; i >= 0; i--) {
buf[i]++;
if (buf[i] != 0)
break;
}
if (!EVP_Digest(buf, qsize, md ,NULL, evpmd,
NULL))
goto err;
/* step 8 */
if (!BN_bin2bn(md, qsize, r0))
goto err;
if (!BN_lshift(r0, r0, (qsize << 3) * k))
goto err;
if (!BN_add(W, W, r0))
goto err;
}
/* more of step 8 */
if (!BN_mask_bits(W, bits - 1))
goto err;
if (!BN_copy(X, W))
goto err;
if (!BN_add(X, X, test))
goto err;
/* step 9 */
if (!BN_lshift1(r0, q))
goto err;
if (!BN_mod(c, X, r0, ctx))
goto err;
if (!BN_sub(r0, c, BN_value_one()))
goto err;
if (!BN_sub(p, X, r0))
goto err;
/* step 10 */
if (BN_cmp(p, test) >= 0) {
/* step 11 */
r = BN_is_prime_fasttest_ex(p, DSS_prime_checks,
ctx, 1, cb);
if (r > 0)
goto end; /* found it */
if (r != 0)
goto err;
}
/* step 13 */
counter++;
/* "offset = offset + n + 1" */
/* step 14 */
if (counter >= 4096)
break;
}
}
end:
if (!BN_GENCB_call(cb, 2, 1))
goto err;
/* We now need to generate g */
/* Set r0=(p-1)/q */
if (!BN_sub(test, p, BN_value_one()))
goto err;
if (!BN_div(r0, NULL, test, q, ctx))
goto err;
if (!BN_set_word(test, h))
goto err;
if (!BN_MONT_CTX_set(mont, p, ctx))
goto err;
for (;;) {
/* g=test^r0%p */
if (!BN_mod_exp_mont(g, test, r0, p, ctx, mont))
goto err;
if (!BN_is_one(g))
break;
if (!BN_add(test, test, BN_value_one()))
goto err;
h++;
}
if (!BN_GENCB_call(cb, 3, 1))
goto err;
ok = 1;
err:
if (ok) {
if (ret->p)
BN_free(ret->p);
if (ret->q)
BN_free(ret->q);
if (ret->g)
BN_free(ret->g);
ret->p = BN_dup(p);
ret->q = BN_dup(q);
ret->g = BN_dup(g);
if (ret->p == NULL || ret->q == NULL || ret->g == NULL) {
ok = 0;
goto err;
}
if (counter_ret != NULL)
*counter_ret = counter;
if (h_ret != NULL)
*h_ret = h;
if (seed_out)
memcpy(seed_out, seed, qsize);
}
if (ctx) {
BN_CTX_end(ctx);
BN_CTX_free(ctx);
}
if (mont != NULL)
BN_MONT_CTX_free(mont);
return ok;
}
int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx) {
int ret = 0;
BIGNUM *Ri, *R;
BIGNUM tmod;
BN_ULONG buf[2];
if (BN_is_zero(mod)) {
OPENSSL_PUT_ERROR(BN, BN_R_DIV_BY_ZERO);
return 0;
}
BN_CTX_start(ctx);
Ri = BN_CTX_get(ctx);
if (Ri == NULL) {
goto err;
}
R = &mont->RR; /* grab RR as a temp */
if (!BN_copy(&mont->N, mod)) {
goto err; /* Set N */
}
mont->N.neg = 0;
BN_init(&tmod);
tmod.d = buf;
tmod.dmax = 2;
tmod.neg = 0;
#if defined(OPENSSL_BN_ASM_MONT) && (BN_BITS2 <= 32)
/* Only certain BN_BITS2<=32 platforms actually make use of
* n0[1], and we could use the #else case (with a shorter R
* value) for the others. However, currently only the assembler
* files do know which is which. */
BN_zero(R);
if (!BN_set_bit(R, 2 * BN_BITS2)) {
goto err;
}
tmod.top = 0;
if ((buf[0] = mod->d[0])) {
tmod.top = 1;
}
if ((buf[1] = mod->top > 1 ? mod->d[1] : 0)) {
tmod.top = 2;
}
if (BN_mod_inverse(Ri, R, &tmod, ctx) == NULL) {
goto err;
}
if (!BN_lshift(Ri, Ri, 2 * BN_BITS2)) {
goto err; /* R*Ri */
}
if (!BN_is_zero(Ri)) {
if (!BN_sub_word(Ri, 1)) {
goto err;
}
} else {
/* if N mod word size == 1 */
if (bn_expand(Ri, (int)sizeof(BN_ULONG) * 2) == NULL) {
goto err;
}
/* Ri-- (mod double word size) */
Ri->neg = 0;
Ri->d[0] = BN_MASK2;
Ri->d[1] = BN_MASK2;
Ri->top = 2;
}
if (!BN_div(Ri, NULL, Ri, &tmod, ctx)) {
goto err;
}
/* Ni = (R*Ri-1)/N,
* keep only couple of least significant words: */
mont->n0[0] = (Ri->top > 0) ? Ri->d[0] : 0;
mont->n0[1] = (Ri->top > 1) ? Ri->d[1] : 0;
#else
BN_zero(R);
if (!BN_set_bit(R, BN_BITS2)) {
goto err; /* R */
}
buf[0] = mod->d[0]; /* tmod = N mod word size */
buf[1] = 0;
tmod.top = buf[0] != 0 ? 1 : 0;
/* Ri = R^-1 mod N*/
if (BN_mod_inverse(Ri, R, &tmod, ctx) == NULL) {
goto err;
}
if (!BN_lshift(Ri, Ri, BN_BITS2)) {
goto err; /* R*Ri */
}
if (!BN_is_zero(Ri)) {
if (!BN_sub_word(Ri, 1)) {
goto err;
}
} else {
/* if N mod word size == 1 */
if (!BN_set_word(Ri, BN_MASK2)) {
goto err; /* Ri-- (mod word size) */
}
}
if (!BN_div(Ri, NULL, Ri, &tmod, ctx)) {
goto err;
}
/* Ni = (R*Ri-1)/N,
* keep only least significant word: */
mont->n0[0] = (Ri->top > 0) ? Ri->d[0] : 0;
mont->n0[1] = 0;
#endif
/* RR = (2^ri)^2 == 2^(ri*2) == 1 << (ri*2), which has its (ri*2)th bit set. */
int ri = (BN_num_bits(mod) + (BN_BITS2 - 1)) / BN_BITS2 * BN_BITS2;
BN_zero(&(mont->RR));
if (!BN_set_bit(&(mont->RR), ri * 2)) {
goto err;
}
if (!BN_mod(&(mont->RR), &(mont->RR), &(mont->N), ctx)) {
goto err;
}
ret = 1;
err:
BN_CTX_end(ctx);
return ret;
}
