/* pollard p-1, algorithm from Jim Gillogly, May 2000 */
static void
pollard_pminus1(BIGNUM *val)
{
BIGNUM *base, *rbase, *num, *i, *x;
base = BN_new();
rbase = BN_new();
num = BN_new();
i = BN_new();
x = BN_new();
BN_set_word(rbase, 1);
newbase:
if (!BN_add_word(rbase, 1))
errx(1, "error in BN_add_word()");
BN_set_word(i, 2);
BN_copy(base, rbase);
for (;;) {
BN_mod_exp(base, base, i, val, ctx);
if (BN_is_one(base))
goto newbase;
BN_copy(x, base);
BN_sub_word(x, 1);
if (!BN_gcd(x, x, val, ctx))
errx(1, "error in BN_gcd()");
if (!BN_is_one(x)) {
if (BN_is_prime(x, PRIME_CHECKS, NULL, NULL,
NULL) == 1)
pr_print(x);
else
pollard_pminus1(x);
fflush(stdout);
BN_div(num, NULL, val, x, ctx);
if (BN_is_one(num))
return;
if (BN_is_prime(num, PRIME_CHECKS, NULL, NULL,
NULL) == 1) {
pr_print(num);
fflush(stdout);
return;
}
BN_copy(val, num);
}
if (!BN_add_word(i, 1))
errx(1, "error in BN_add_word()");
}
}
int DH_check(const DH *dh, int *ret)
{
int ok=0;
BN_CTX *ctx=NULL;
BN_ULONG l;
BIGNUM *q=NULL;
*ret=0;
ctx=BN_CTX_new();
if (ctx == NULL) goto err;
q=BN_new();
if (q == NULL) goto err;
if (BN_is_word(dh->g,DH_GENERATOR_2))
{
l=BN_mod_word(dh->p,24);
if (l != 11) *ret|=DH_NOT_SUITABLE_GENERATOR;
}
#if 0
else if (BN_is_word(dh->g,DH_GENERATOR_3))
{
l=BN_mod_word(dh->p,12);
if (l != 5) *ret|=DH_NOT_SUITABLE_GENERATOR;
}
#endif
else if (BN_is_word(dh->g,DH_GENERATOR_5))
{
l=BN_mod_word(dh->p,10);
if ((l != 3) && (l != 7))
*ret|=DH_NOT_SUITABLE_GENERATOR;
}
else
*ret|=DH_UNABLE_TO_CHECK_GENERATOR;
if (!BN_is_prime(dh->p,BN_prime_checks,NULL,ctx,NULL))
*ret|=DH_CHECK_P_NOT_PRIME;
else
{
if (!BN_rshift1(q,dh->p)) goto err;
if (!BN_is_prime(q,BN_prime_checks,NULL,ctx,NULL))
*ret|=DH_CHECK_P_NOT_SAFE_PRIME;
}
ok=1;
err:
if (ctx != NULL) BN_CTX_free(ctx);
if (q != NULL) BN_free(q);
return(ok);
}
/* Return the next prime number after its arg */
unsigned int
next_prime_after(unsigned int val)
{
/* Calculate primes on the fly using OpenSSL. Takes up less space
than using a table, deals better with pathologically large tables. */
static BIGNUM *p = NULL;
static BN_CTX *ctx = NULL;
if (!ctx)
ctx = BN_CTX_new();
if (!p)
p = BN_new();
/* Make sure we only try odd numbers; evens can't be primes. */
if (val & 0x1)
val += 2;
else
val += 1;
while (1) {
BN_set_word(p, val);
if (BN_is_prime(p, BN_prime_checks, NULL, ctx, NULL) > 0)
break;
val += 2;
}
return val;
}
/*
* pr_fact - print the factors of a number
*
* Print the factors of the number, from the lowest to the highest.
* A factor will be printed multiple times if it divides the value
* multiple times.
*
* Factors are printed with leading tabs.
*/
static void
pr_fact(BIGNUM *val)
{
const ubig *fact; /* The factor found. */
/* Firewall - catch 0 and 1. */
if (BN_is_zero(val)) /* Historical practice; 0 just exits. */
exit(0);
if (BN_is_one(val)) {
printf("1: 1\n");
return;
}
/* Factor value. */
if (hflag) {
fputs("0x", stdout);
BN_print_fp(stdout, val);
} else
BN_print_dec_fp(stdout, val);
putchar(':');
for (fact = &prime[0]; !BN_is_one(val); ++fact) {
/* Look for the smallest factor. */
do {
if (BN_mod_word(val, (BN_ULONG)*fact) == 0)
break;
} while (++fact <= pr_limit);
/* Watch for primes larger than the table. */
if (fact > pr_limit) {
#ifdef HAVE_OPENSSL
BIGNUM *bnfact;
bnfact = BN_new();
BN_set_word(bnfact, *(fact - 1));
if (!BN_sqr(bnfact, bnfact, ctx))
errx(1, "error in BN_sqr()");
if (BN_cmp(bnfact, val) > 0 ||
BN_is_prime(val, PRIME_CHECKS,
NULL, NULL, NULL) == 1)
pr_print(val);
else
pollard_pminus1(val);
#else
pr_print(val);
#endif
break;
}
/* Divide factor out until none are left. */
do {
printf(hflag ? " 0x%lx" : " %lu", *fact);
BN_div_word(val, (BN_ULONG)*fact);
} while (BN_mod_word(val, (BN_ULONG)*fact) == 0);
/* Let the user know we're doing something. */
fflush(stdout);
}
putchar('\n');
}
/*
* pr_fact - print the factors of a number
*
* If the number is 0 or 1, then print the number and return.
* If the number is < 0, print -1, negate the number and continue
* processing.
*
* Print the factors of the number, from the lowest to the highest.
* A factor will be printed numtiple times if it divides the value
* multiple times.
*
* Factors are printed with leading tabs.
*/
static void
pr_fact(BIGNUM *val)
{
const ubig *fact; /* The factor found. */
/* Firewall - catch 0 and 1. */
if (BN_is_zero(val) || BN_is_one(val))
errx(1, "numbers <= 1 aren't permitted.");
/* Factor value. */
BN_print_dec_fp(stdout, val);
putchar(':');
for (fact = &prime[0]; !BN_is_one(val); ++fact) {
/* Look for the smallest factor. */
while (fact <= pr_limit) {
if (BN_mod_word(val, (BN_ULONG)*fact) == 0)
break;
fact++;
}
/* Watch for primes larger than the table. */
if (fact > pr_limit) {
#ifdef HAVE_OPENSSL
BIGNUM *bnfact;
bnfact = BN_new();
BN_set_word(bnfact, (BN_ULONG)*(fact - 1));
BN_sqr(bnfact, bnfact, ctx);
if (BN_cmp(bnfact, val) > 0
|| BN_is_prime(val, PRIME_CHECKS, NULL, NULL,
NULL) == 1) {
putchar(' ');
BN_print_dec_fp(stdout, val);
} else
pollard_rho(val);
#else
printf(" %s", BN_bn2dec(val));
#endif
break;
}
/* Divide factor out until none are left. */
do {
printf(" %lu", *fact);
BN_div_word(val, (BN_ULONG)*fact);
} while (BN_mod_word(val, (BN_ULONG)*fact) == 0);
/* Let the user know we're doing something. */
fflush(stdout);
}
putchar('\n');
}
void primes()
{
char buf[10240];
while(fgets(buf,sizeof buf,stdin) != NULL)
{
fputs(buf,stdout);
if(!strncmp(buf,"Prime= ",7))
{
BIGNUM *pp;
pp=BN_new();
BN_hex2bn(&pp,buf+7);
printf("result= %c\n",
BN_is_prime(pp,20,NULL,NULL,NULL) ? 'P' : 'F');
}
}
}
/*
* call-seq:
* bn.prime? => true | false
* bn.prime?(checks) => true | false
*
* === Parameters
* * +checks+ - integer
*/
static VALUE
ossl_bn_is_prime(int argc, VALUE *argv, VALUE self)
{
BIGNUM *bn;
VALUE vchecks;
int checks = BN_prime_checks;
if (rb_scan_args(argc, argv, "01", &vchecks) == 0) {
checks = NUM2INT(vchecks);
}
GetBN(self, bn);
switch (BN_is_prime(bn, checks, NULL, ossl_bn_ctx, NULL)) {
case 1:
return Qtrue;
case 0:
return Qfalse;
default:
ossl_raise(eBNError, NULL);
}
/* not reachable */
return Qnil;
}
static DH * _dh_init(const uint8 * g, size_t glen,
const uint8 * p, size_t plen,
const uint8 * x, size_t xlen)
{
DH * dh;
x4_assert(p && plen && g && glen && x && xlen);
/* */
dh = DH_new();
x4_assert(dh);
/* set p */
dh->p=BN_bin2bn(p, plen, 0);
x4_assert(BN_is_prime(dh->p, 0,0,0,0));
/* set g */
dh->g=BN_bin2bn(g, glen, 0);
/* set private part if given */
dh->priv_key = BN_bin2bn(x, xlen, 0);
return dh;
}
int RSA_check_key(RSA *key)
{
BIGNUM *i, *j, *k, *l, *m;
BN_CTX *ctx;
int r;
int ret=1;
i = BN_new();
j = BN_new();
k = BN_new();
l = BN_new();
m = BN_new();
ctx = BN_CTX_new();
if (i == NULL || j == NULL || k == NULL || l == NULL ||
m == NULL || ctx == NULL)
{
ret = -1;
RSAerr(RSA_F_RSA_CHECK_KEY, ERR_R_MALLOC_FAILURE);
goto err;
}
/* p prime? */
r = BN_is_prime(key->p, BN_prime_checks, NULL, NULL, NULL);
if (r != 1)
{
ret = r;
if (r != 0)
goto err;
RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_P_NOT_PRIME);
}
/* q prime? */
r = BN_is_prime(key->q, BN_prime_checks, NULL, NULL, NULL);
if (r != 1)
{
ret = r;
if (r != 0)
goto err;
RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_Q_NOT_PRIME);
}
/* n = p*q? */
r = BN_mul(i, key->p, key->q, ctx);
if (!r) { ret = -1; goto err; }
if (BN_cmp(i, key->n) != 0)
{
ret = 0;
RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_N_DOES_NOT_EQUAL_P_Q);
}
/* d*e = 1 mod lcm(p-1,q-1)? */
r = BN_sub(i, key->p, BN_value_one());
if (!r) { ret = -1; goto err; }
r = BN_sub(j, key->q, BN_value_one());
if (!r) { ret = -1; goto err; }
/* now compute k = lcm(i,j) */
r = BN_mul(l, i, j, ctx);
if (!r) { ret = -1; goto err; }
r = BN_gcd(m, i, j, ctx);
if (!r) { ret = -1; goto err; }
r = BN_div(k, NULL, l, m, ctx); /* remainder is 0 */
if (!r) { ret = -1; goto err; }
r = BN_mod_mul(i, key->d, key->e, k, ctx);
if (!r) { ret = -1; goto err; }
if (!BN_is_one(i))
{
ret = 0;
RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_D_E_NOT_CONGRUENT_TO_1);
}
if (key->dmp1 != NULL && key->dmq1 != NULL && key->iqmp != NULL)
{
/* dmp1 = d mod (p-1)? */
r = BN_sub(i, key->p, BN_value_one());
if (!r) { ret = -1; goto err; }
r = BN_mod(j, key->d, i, ctx);
if (!r) { ret = -1; goto err; }
if (BN_cmp(j, key->dmp1) != 0)
{
ret = 0;
RSAerr(RSA_F_RSA_CHECK_KEY,
RSA_R_DMP1_NOT_CONGRUENT_TO_D);
}
/* dmq1 = d mod (q-1)? */
r = BN_sub(i, key->q, BN_value_one());
if (!r) { ret = -1; goto err; }
r = BN_mod(j, key->d, i, ctx);
if (!r) { ret = -1; goto err; }
if (BN_cmp(j, key->dmq1) != 0)
{
ret = 0;
RSAerr(RSA_F_RSA_CHECK_KEY,
RSA_R_DMQ1_NOT_CONGRUENT_TO_D);
}
/* iqmp = q^-1 mod p? */
if(!BN_mod_inverse(i, key->q, key->p, ctx))
{
ret = -1;
goto err;
}
if (BN_cmp(i, key->iqmp) != 0)
{
ret = 0;
RSAerr(RSA_F_RSA_CHECK_KEY,
RSA_R_IQMP_NOT_INVERSE_OF_Q);
}
}
err:
if (i != NULL) BN_free(i);
if (j != NULL) BN_free(j);
if (k != NULL) BN_free(k);
if (l != NULL) BN_free(l);
if (m != NULL) BN_free(m);
if (ctx != NULL) BN_CTX_free(ctx);
return (ret);
}
qint32 CryptoUtils::checkPrime (BIGNUM *p) {
qint32 r = BN_is_prime (p, BN_prime_checks, 0, BN_ctx, 0);
Utils::ensure (r >= 0);
return r;
}
int main(int argc, char *argv[])
{
BN_CTX *ctx = NULL;
BIGNUM *p, *a, *b;
EC_GROUP *group;
EC_GROUP *P_192 = NULL, *P_224 = NULL, *P_256 = NULL, *P_384 = NULL, *P_521 = NULL;
EC_POINT *P, *Q, *R;
BIGNUM *x, *y, *z;
unsigned char buf[100];
size_t i, len;
int k;
/* enable memory leak checking unless explicitly disabled */
if (!((getenv("OPENSSL_DEBUG_MEMORY") != NULL) && (0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off"))))
{
CRYPTO_malloc_debug_init();
CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
}
else
{
/* OPENSSL_DEBUG_MEMORY=off */
CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0);
}
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
ERR_load_crypto_strings();
#if 1 /* optional */
ctx = BN_CTX_new();
if (!ctx) ABORT;
#endif
p = BN_new();
a = BN_new();
b = BN_new();
if (!p || !a || !b) ABORT;
if (!BN_hex2bn(&p, "17")) ABORT;
if (!BN_hex2bn(&a, "1")) ABORT;
if (!BN_hex2bn(&b, "1")) ABORT;
group = EC_GROUP_new(EC_GFp_mont_method()); /* applications should use EC_GROUP_new_curve_GFp
* so that the library gets to choose the EC_METHOD */
if (!group) ABORT;
if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) ABORT;
{
EC_GROUP *tmp;
tmp = EC_GROUP_new(EC_GROUP_method_of(group));
if (!tmp) ABORT;
if (!EC_GROUP_copy(tmp, group));
EC_GROUP_free(group);
group = tmp;
}
if (!EC_GROUP_get_curve_GFp(group, p, a, b, ctx)) ABORT;
fprintf(stdout, "Curve defined by Weierstrass equation\n y^2 = x^3 + a*x + b (mod 0x");
BN_print_fp(stdout, p);
fprintf(stdout, ")\n a = 0x");
BN_print_fp(stdout, a);
fprintf(stdout, "\n b = 0x");
BN_print_fp(stdout, b);
fprintf(stdout, "\n");
P = EC_POINT_new(group);
Q = EC_POINT_new(group);
R = EC_POINT_new(group);
if (!P || !Q || !R) ABORT;
if (!EC_POINT_set_to_infinity(group, P)) ABORT;
if (!EC_POINT_is_at_infinity(group, P)) ABORT;
buf[0] = 0;
if (!EC_POINT_oct2point(group, Q, buf, 1, ctx)) ABORT;
if (!EC_POINT_add(group, P, P, Q, ctx)) ABORT;
if (!EC_POINT_is_at_infinity(group, P)) ABORT;
x = BN_new();
y = BN_new();
z = BN_new();
if (!x || !y || !z) ABORT;
if (!BN_hex2bn(&x, "D")) ABORT;
if (!EC_POINT_set_compressed_coordinates_GFp(group, Q, x, 1, ctx)) ABORT;
if (!EC_POINT_is_on_curve(group, Q, ctx))
{
if (!EC_POINT_get_affine_coordinates_GFp(group, Q, x, y, ctx)) ABORT;
fprintf(stderr, "Point is not on curve: x = 0x");
BN_print_fp(stderr, x);
fprintf(stderr, ", y = 0x");
BN_print_fp(stderr, y);
fprintf(stderr, "\n");
ABORT;
}
fprintf(stdout, "A cyclic subgroup:\n");
k = 100;
do
{
if (k-- == 0) ABORT;
if (EC_POINT_is_at_infinity(group, P))
fprintf(stdout, " point at infinity\n");
else
{
if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) ABORT;
fprintf(stdout, " x = 0x");
BN_print_fp(stdout, x);
fprintf(stdout, ", y = 0x");
BN_print_fp(stdout, y);
fprintf(stdout, "\n");
}
if (!EC_POINT_copy(R, P)) ABORT;
if (!EC_POINT_add(group, P, P, Q, ctx)) ABORT;
#if 0 /* optional */
{
EC_POINT *points[3];
points[0] = R;
points[1] = Q;
points[2] = P;
if (!EC_POINTs_make_affine(group, 2, points, ctx)) ABORT;
}
#endif
}
while (!EC_POINT_is_at_infinity(group, P));
if (!EC_POINT_add(group, P, Q, R, ctx)) ABORT;
if (!EC_POINT_is_at_infinity(group, P)) ABORT;
len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_COMPRESSED, buf, sizeof buf, ctx);
if (len == 0) ABORT;
if (!EC_POINT_oct2point(group, P, buf, len, ctx)) ABORT;
if (0 != EC_POINT_cmp(group, P, Q, ctx)) ABORT;
fprintf(stdout, "Generator as octect string, compressed form:\n ");
for (i = 0; i < len; i++) fprintf(stdout, "%02X", buf[i]);
len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_UNCOMPRESSED, buf, sizeof buf, ctx);
if (len == 0) ABORT;
if (!EC_POINT_oct2point(group, P, buf, len, ctx)) ABORT;
if (0 != EC_POINT_cmp(group, P, Q, ctx)) ABORT;
fprintf(stdout, "\nGenerator as octect string, uncompressed form:\n ");
for (i = 0; i < len; i++) fprintf(stdout, "%02X", buf[i]);
len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_HYBRID, buf, sizeof buf, ctx);
if (len == 0) ABORT;
if (!EC_POINT_oct2point(group, P, buf, len, ctx)) ABORT;
if (0 != EC_POINT_cmp(group, P, Q, ctx)) ABORT;
fprintf(stdout, "\nGenerator as octect string, hybrid form:\n ");
for (i = 0; i < len; i++) fprintf(stdout, "%02X", buf[i]);
if (!EC_POINT_get_Jprojective_coordinates_GFp(group, R, x, y, z, ctx)) ABORT;
fprintf(stdout, "\nA representation of the inverse of that generator in\nJacobian projective coordinates:\n X = 0x");
BN_print_fp(stdout, x);
fprintf(stdout, ", Y = 0x");
BN_print_fp(stdout, y);
fprintf(stdout, ", Z = 0x");
BN_print_fp(stdout, z);
fprintf(stdout, "\n");
if (!EC_POINT_invert(group, P, ctx)) ABORT;
if (0 != EC_POINT_cmp(group, P, R, ctx)) ABORT;
/* Curve P-192 (FIPS PUB 186-2, App. 6) */
if (!BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF")) ABORT;
if (1 != BN_is_prime(p, BN_prime_checks, 0, ctx, NULL)) ABORT;
if (!BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC")) ABORT;
if (!BN_hex2bn(&b, "64210519E59C80E70FA7E9AB72243049FEB8DEECC146B9B1")) ABORT;
if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) ABORT;
if (!BN_hex2bn(&x, "188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF1012")) ABORT;
if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, ctx)) ABORT;
if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT;
if (!BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831")) ABORT;
if (!EC_GROUP_set_generator(group, P, z, BN_value_one())) ABORT;
if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) ABORT;
fprintf(stdout, "\nNIST curve P-192 -- Generator:\n x = 0x");
BN_print_fp(stdout, x);
fprintf(stdout, "\n y = 0x");
BN_print_fp(stdout, y);
fprintf(stdout, "\n");
/* G_y value taken from the standard: */
if (!BN_hex2bn(&z, "07192B95FFC8DA78631011ED6B24CDD573F977A11E794811")) ABORT;
if (0 != BN_cmp(y, z)) ABORT;
fprintf(stdout, "verify group order ...");
fflush(stdout);
if (!EC_GROUP_get_order(group, z, ctx)) ABORT;
if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
fprintf(stdout, ".");
fflush(stdout);
if (!EC_GROUP_precompute_mult(group, ctx)) ABORT;
if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
fprintf(stdout, " ok\n");
if (!(P_192 = EC_GROUP_new(EC_GROUP_method_of(group)))) ABORT;
if (!EC_GROUP_copy(P_192, group)) ABORT;
/* Curve P-224 (FIPS PUB 186-2, App. 6) */
if (!BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001")) ABORT;
if (1 != BN_is_prime(p, BN_prime_checks, 0, ctx, NULL)) ABORT;
if (!BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE")) ABORT;
if (!BN_hex2bn(&b, "B4050A850C04B3ABF54132565044B0B7D7BFD8BA270B39432355FFB4")) ABORT;
if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) ABORT;
if (!BN_hex2bn(&x, "B70E0CBD6BB4BF7F321390B94A03C1D356C21122343280D6115C1D21")) ABORT;
if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 0, ctx)) ABORT;
if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT;
if (!BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D")) ABORT;
if (!EC_GROUP_set_generator(group, P, z, BN_value_one())) ABORT;
if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) ABORT;
fprintf(stdout, "\nNIST curve P-224 -- Generator:\n x = 0x");
BN_print_fp(stdout, x);
fprintf(stdout, "\n y = 0x");
BN_print_fp(stdout, y);
fprintf(stdout, "\n");
/* G_y value taken from the standard: */
if (!BN_hex2bn(&z, "BD376388B5F723FB4C22DFE6CD4375A05A07476444D5819985007E34")) ABORT;
if (0 != BN_cmp(y, z)) ABORT;
fprintf(stdout, "verify group order ...");
fflush(stdout);
if (!EC_GROUP_get_order(group, z, ctx)) ABORT;
if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
fprintf(stdout, ".");
fflush(stdout);
if (!EC_GROUP_precompute_mult(group, ctx)) ABORT;
if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
fprintf(stdout, " ok\n");
if (!(P_224 = EC_GROUP_new(EC_GROUP_method_of(group)))) ABORT;
if (!EC_GROUP_copy(P_224, group)) ABORT;
/* Curve P-256 (FIPS PUB 186-2, App. 6) */
if (!BN_hex2bn(&p, "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF")) ABORT;
if (1 != BN_is_prime(p, BN_prime_checks, 0, ctx, NULL)) ABORT;
if (!BN_hex2bn(&a, "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC")) ABORT;
if (!BN_hex2bn(&b, "5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B")) ABORT;
if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) ABORT;
if (!BN_hex2bn(&x, "6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296")) ABORT;
if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, ctx)) ABORT;
if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT;
if (!BN_hex2bn(&z, "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E"
"84F3B9CAC2FC632551")) ABORT;
if (!EC_GROUP_set_generator(group, P, z, BN_value_one())) ABORT;
if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) ABORT;
fprintf(stdout, "\nNIST curve P-256 -- Generator:\n x = 0x");
BN_print_fp(stdout, x);
fprintf(stdout, "\n y = 0x");
BN_print_fp(stdout, y);
fprintf(stdout, "\n");
/* G_y value taken from the standard: */
if (!BN_hex2bn(&z, "4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5")) ABORT;
if (0 != BN_cmp(y, z)) ABORT;
fprintf(stdout, "verify group order ...");
fflush(stdout);
if (!EC_GROUP_get_order(group, z, ctx)) ABORT;
if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
fprintf(stdout, ".");
fflush(stdout);
if (!EC_GROUP_precompute_mult(group, ctx)) ABORT;
if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
fprintf(stdout, " ok\n");
if (!(P_256 = EC_GROUP_new(EC_GROUP_method_of(group)))) ABORT;
if (!EC_GROUP_copy(P_256, group)) ABORT;
/* Curve P-384 (FIPS PUB 186-2, App. 6) */
if (!BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
"FFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFF")) ABORT;
if (1 != BN_is_prime(p, BN_prime_checks, 0, ctx, NULL)) ABORT;
if (!BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
"FFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFC")) ABORT;
if (!BN_hex2bn(&b, "B3312FA7E23EE7E4988E056BE3F82D19181D9C6EFE8141"
"120314088F5013875AC656398D8A2ED19D2A85C8EDD3EC2AEF")) ABORT;
if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) ABORT;
if (!BN_hex2bn(&x, "AA87CA22BE8B05378EB1C71EF320AD746E1D3B628BA79B"
"9859F741E082542A385502F25DBF55296C3A545E3872760AB7")) ABORT;
if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, ctx)) ABORT;
if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT;
if (!BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
"FFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973")) ABORT;
if (!EC_GROUP_set_generator(group, P, z, BN_value_one())) ABORT;
if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) ABORT;
fprintf(stdout, "\nNIST curve P-384 -- Generator:\n x = 0x");
BN_print_fp(stdout, x);
fprintf(stdout, "\n y = 0x");
BN_print_fp(stdout, y);
fprintf(stdout, "\n");
/* G_y value taken from the standard: */
if (!BN_hex2bn(&z, "3617DE4A96262C6F5D9E98BF9292DC29F8F41DBD289A14"
"7CE9DA3113B5F0B8C00A60B1CE1D7E819D7A431D7C90EA0E5F")) ABORT;
if (0 != BN_cmp(y, z)) ABORT;
fprintf(stdout, "verify group order ...");
fflush(stdout);
if (!EC_GROUP_get_order(group, z, ctx)) ABORT;
if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
fprintf(stdout, ".");
fflush(stdout);
if (!EC_GROUP_precompute_mult(group, ctx)) ABORT;
if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
fprintf(stdout, " ok\n");
if (!(P_384 = EC_GROUP_new(EC_GROUP_method_of(group)))) ABORT;
if (!EC_GROUP_copy(P_384, group)) ABORT;
/* Curve P-521 (FIPS PUB 186-2, App. 6) */
if (!BN_hex2bn(&p, "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
"FFFFFFFFFFFFFFFFFFFFFFFFFFFF")) ABORT;
if (1 != BN_is_prime(p, BN_prime_checks, 0, ctx, NULL)) ABORT;
if (!BN_hex2bn(&a, "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
"FFFFFFFFFFFFFFFFFFFFFFFFFFFC")) ABORT;
if (!BN_hex2bn(&b, "051953EB9618E1C9A1F929A21A0B68540EEA2DA725B99B"
"315F3B8B489918EF109E156193951EC7E937B1652C0BD3BB1BF073573"
"DF883D2C34F1EF451FD46B503F00")) ABORT;
if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) ABORT;
if (!BN_hex2bn(&x, "C6858E06B70404E9CD9E3ECB662395B4429C648139053F"
"B521F828AF606B4D3DBAA14B5E77EFE75928FE1DC127A2FFA8DE3348B"
"3C1856A429BF97E7E31C2E5BD66")) ABORT;
if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 0, ctx)) ABORT;
if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT;
if (!BN_hex2bn(&z, "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
"FFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5"
"C9B8899C47AEBB6FB71E91386409")) ABORT;
if (!EC_GROUP_set_generator(group, P, z, BN_value_one())) ABORT;
if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) ABORT;
fprintf(stdout, "\nNIST curve P-521 -- Generator:\n x = 0x");
BN_print_fp(stdout, x);
fprintf(stdout, "\n y = 0x");
BN_print_fp(stdout, y);
fprintf(stdout, "\n");
/* G_y value taken from the standard: */
if (!BN_hex2bn(&z, "11839296A789A3BC0045C8A5FB42C7D1BD998F54449579"
"B446817AFBD17273E662C97EE72995EF42640C550B9013FAD0761353C"
"7086A272C24088BE94769FD16650")) ABORT;
if (0 != BN_cmp(y, z)) ABORT;
fprintf(stdout, "verify group order ...");
fflush(stdout);
if (!EC_GROUP_get_order(group, z, ctx)) ABORT;
if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
fprintf(stdout, ".");
fflush(stdout);
if (!EC_GROUP_precompute_mult(group, ctx)) ABORT;
if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
fprintf(stdout, " ok\n");
if (!(P_521 = EC_GROUP_new(EC_GROUP_method_of(group)))) ABORT;
if (!EC_GROUP_copy(P_521, group)) ABORT;
/* more tests using the last curve */
if (!EC_POINT_copy(Q, P)) ABORT;
if (EC_POINT_is_at_infinity(group, Q)) ABORT;
if (!EC_POINT_dbl(group, P, P, ctx)) ABORT;
if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT;
if (!EC_POINT_invert(group, Q, ctx)) ABORT; /* P = -2Q */
if (!EC_POINT_add(group, R, P, Q, ctx)) ABORT;
if (!EC_POINT_add(group, R, R, Q, ctx)) ABORT;
if (!EC_POINT_is_at_infinity(group, R)) ABORT; /* R = P + 2Q */
{
const EC_POINT *points[3];
const BIGNUM *scalars[3];
if (EC_POINT_is_at_infinity(group, Q)) ABORT;
points[0] = Q;
points[1] = Q;
points[2] = Q;
if (!BN_add(y, z, BN_value_one())) ABORT;
if (BN_is_odd(y)) ABORT;
if (!BN_rshift1(y, y)) ABORT;
scalars[0] = y; /* (group order + 1)/2, so y*Q + y*Q = Q */
scalars[1] = y;
fprintf(stdout, "combined multiplication ...");
fflush(stdout);
/* z is still the group order */
if (!EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx)) ABORT;
if (!EC_POINTs_mul(group, R, z, 2, points, scalars, ctx)) ABORT;
if (0 != EC_POINT_cmp(group, P, R, ctx)) ABORT;
if (0 != EC_POINT_cmp(group, R, Q, ctx)) ABORT;
fprintf(stdout, ".");
fflush(stdout);
if (!BN_pseudo_rand(y, BN_num_bits(y), 0, 0)) ABORT;
if (!BN_add(z, z, y)) ABORT;
z->neg = 1;
scalars[0] = y;
scalars[1] = z; /* z = -(order + y) */
if (!EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx)) ABORT;
if (!EC_POINT_is_at_infinity(group, P)) ABORT;
fprintf(stdout, ".");
fflush(stdout);
if (!BN_pseudo_rand(x, BN_num_bits(y) - 1, 0, 0)) ABORT;
if (!BN_add(z, x, y)) ABORT;
z->neg = 1;
scalars[0] = x;
scalars[1] = y;
scalars[2] = z; /* z = -(x+y) */
if (!EC_POINTs_mul(group, P, NULL, 3, points, scalars, ctx)) ABORT;
if (!EC_POINT_is_at_infinity(group, P)) ABORT;
fprintf(stdout, " ok\n\n");
}
#if 0
timings(P_192, 0, ctx);
timings(P_192, 1, ctx);
timings(P_224, 0, ctx);
timings(P_224, 1, ctx);
timings(P_256, 0, ctx);
timings(P_256, 1, ctx);
timings(P_384, 0, ctx);
timings(P_384, 1, ctx);
timings(P_521, 0, ctx);
timings(P_521, 1, ctx);
#endif
if (ctx)
BN_CTX_free(ctx);
BN_free(p); BN_free(a); BN_free(b);
EC_GROUP_free(group);
EC_POINT_free(P);
EC_POINT_free(Q);
EC_POINT_free(R);
BN_free(x); BN_free(y); BN_free(z);
if (P_192) EC_GROUP_free(P_192);
if (P_224) EC_GROUP_free(P_224);
if (P_256) EC_GROUP_free(P_256);
if (P_384) EC_GROUP_free(P_384);
if (P_521) EC_GROUP_free(P_521);
ENGINE_cleanup();
CRYPTO_cleanup_all_ex_data();
ERR_free_strings();
ERR_remove_state(0);
CRYPTO_mem_leaks_fp(stderr);
return 0;
}
static void
pollard_rho(BIGNUM *val)
{
BIGNUM *x, *y, *tmp, *num;
BN_ULONG a;
unsigned int steps_taken, steps_limit;
x = BN_new();
y = BN_new();
tmp = BN_new();
num = BN_new();
a = 1;
restart:
steps_taken = 0;
steps_limit = 2;
BN_set_word(x, 1);
BN_copy(y, x);
for (;;) {
BN_sqr(tmp, x, ctx);
BN_add_word(tmp, a);
BN_mod(x, tmp, val, ctx);
BN_sub(tmp, x, y);
if (BN_is_zero(tmp)) {
#ifdef DEBUG
printf(" (loop)");
#endif
a++;
goto restart;
}
BN_gcd(tmp, tmp, val, ctx);
if (!BN_is_one(tmp)) {
if (BN_is_prime(tmp, PRIME_CHECKS, NULL, NULL,
NULL) == 1) {
putchar(' ');
BN_print_dec_fp(stdout, tmp);
} else {
#ifdef DEBUG
printf(" (recurse for ");
BN_print_dec_fp(stdout, tmp);
putchar(')');
#endif
pollard_rho(BN_dup(tmp));
#ifdef DEBUG
printf(" (back)");
#endif
}
fflush(stdout);
BN_div(num, NULL, val, tmp, ctx);
if (BN_is_one(num))
return;
if (BN_is_prime(num, PRIME_CHECKS, NULL, NULL,
NULL) == 1) {
putchar(' ');
BN_print_dec_fp(stdout, num);
fflush(stdout);
return;
}
BN_copy(val, num);
goto restart;
}
steps_taken++;
if (steps_taken == steps_limit) {
BN_copy(y, x); /* teleport the turtle */
steps_taken = 0;
steps_limit *= 2;
if (steps_limit == 0) {
#ifdef DEBUG
printf(" (overflow)");
#endif
a++;
goto restart;
}
}
}
}