int point_decompress(struct affine_point *p, const gcry_mpi_t x, int yflag,
const struct domain_params *dp)
{
gcry_mpi_t h, y;
int res;
h = gcry_mpi_snew(0);
y = gcry_mpi_snew(0);
gcry_mpi_mulm(h, x, x, dp->m);
gcry_mpi_addm(h, h, dp->a, dp->m);
gcry_mpi_mulm(h, h, x, dp->m);
gcry_mpi_addm(h, h, dp->b, dp->m);
if ((res = mod_root(y, h, dp->m)))
if ((res = (gcry_mpi_cmp_ui(y, 0) || ! yflag))) {
p->x = gcry_mpi_snew(0);
p->y = gcry_mpi_snew(0);
gcry_mpi_set(p->x, x);
if (gcry_mpi_test_bit(y, 0) == yflag)
gcry_mpi_set(p->y, y);
else
gcry_mpi_sub(p->y, dp->m, y);
assert(point_on_curve(p, dp));
}
gcry_mpi_release(h);
gcry_mpi_release(y);
return res;
}
void jacobian_load_affine(struct jacobian_point *p1,
const struct affine_point *p2)
{
if (! point_is_zero(p2)) {
gcry_mpi_set(p1->x, p2->x);
gcry_mpi_set(p1->y, p2->y);
gcry_mpi_set_ui(p1->z, 1);
}
else
gcry_mpi_set_ui(p1->z, 0);
}
void point_double(struct affine_point *p, const struct domain_params *dp)
{
if (gcry_mpi_cmp_ui(p->y, 0)) {
gcry_mpi_t t1, t2;
t1 = gcry_mpi_snew(0);
t2 = gcry_mpi_snew(0);
gcry_mpi_mulm(t2, p->x, p->x, dp->m);
gcry_mpi_addm(t1, t2, t2, dp->m);
gcry_mpi_addm(t1, t1, t2, dp->m);
gcry_mpi_addm(t1, t1, dp->a, dp->m);
gcry_mpi_addm(t2, p->y, p->y, dp->m);
gcry_mpi_invm(t2, t2, dp->m);
gcry_mpi_mulm(t1, t1, t2, dp->m);
gcry_mpi_mulm(t2, t1, t1, dp->m);
gcry_mpi_subm(t2, t2, p->x, dp->m);
gcry_mpi_subm(t2, t2, p->x, dp->m);
gcry_mpi_subm(p->x, p->x, t2, dp->m);
gcry_mpi_mulm(t1, t1, p->x, dp->m);
gcry_mpi_subm(p->y, t1, p->y, dp->m);
gcry_mpi_set(p->x, t2);
gcry_mpi_release(t1);
gcry_mpi_release(t2);
}
else
gcry_mpi_set_ui(p->x, 0);
}
nuts_mpi_t nuts_mpi_copy(const nuts_mpi_t mpi) {
if (mpi != NULL) {
gcry_check();
gcry_mpi_t mpi2 = gcry_mpi_set(NULL, mpi->mpi);
return nuts_mpi_alloc(mpi2);
} else {
return NULL;
}
}
/**
* Return true if n is probably a prime
*/
static int
is_prime (gcry_mpi_t n, int steps, struct GNUNET_HashCode * hc)
{
gcry_mpi_t x;
gcry_mpi_t y;
gcry_mpi_t z;
gcry_mpi_t nminus1;
gcry_mpi_t a2;
gcry_mpi_t q;
unsigned int i, j, k;
int rc = 0;
unsigned int nbits;
x = gcry_mpi_new (0);
y = gcry_mpi_new (0);
z = gcry_mpi_new (0);
nminus1 = gcry_mpi_new (0);
a2 = gcry_mpi_set_ui (NULL, 2);
nbits = gcry_mpi_get_nbits (n);
gcry_mpi_sub_ui (nminus1, n, 1);
/* Find q and k, so that n = 1 + 2^k * q . */
q = gcry_mpi_set (NULL, nminus1);
k = mpz_trailing_zeroes (q);
mpz_tdiv_q_2exp (q, q, k);
for (i = 0; i < steps; i++)
{
if (!i)
{
gcry_mpi_set_ui (x, 2);
}
else
{
mpz_randomize (x, nbits - 1, hc);
GNUNET_assert (gcry_mpi_cmp (x, nminus1) < 0);
GNUNET_assert (gcry_mpi_cmp_ui (x, 1) > 0);
}
gcry_mpi_powm (y, x, q, n);
if (gcry_mpi_cmp_ui (y, 1) && gcry_mpi_cmp (y, nminus1))
{
for (j = 1; j < k && gcry_mpi_cmp (y, nminus1); j++)
{
gcry_mpi_powm (y, y, a2, n);
if (!gcry_mpi_cmp_ui (y, 1))
goto leave; /* Not a prime. */
}
if (gcry_mpi_cmp (y, nminus1))
goto leave; /* Not a prime. */
}
}
rc = 1; /* May be a prime. */
leave:
gcry_mpi_release (x);
gcry_mpi_release (y);
gcry_mpi_release (z);
gcry_mpi_release (nminus1);
gcry_mpi_release (q);
gcry_mpi_release (a2);
return rc;
}
static int
test_const_and_immutable (void)
{
gcry_mpi_t one, second_one;
one = gcry_mpi_set_ui (NULL, 1);
if (gcry_mpi_get_flag (one, GCRYMPI_FLAG_IMMUTABLE)
|| gcry_mpi_get_flag (one, GCRYMPI_FLAG_CONST))
die ("immutable or const flag initially set\n");
second_one = gcry_mpi_copy (one);
if (gcry_mpi_get_flag (second_one, GCRYMPI_FLAG_IMMUTABLE))
die ("immutable flag set after copy\n");
if (gcry_mpi_get_flag (second_one, GCRYMPI_FLAG_CONST))
die ("const flag set after copy\n");
gcry_mpi_release (second_one);
gcry_mpi_set_flag (one, GCRYMPI_FLAG_IMMUTABLE);
if (!gcry_mpi_get_flag (one, GCRYMPI_FLAG_IMMUTABLE))
die ("failed to set immutable flag\n");
if (gcry_mpi_get_flag (one, GCRYMPI_FLAG_CONST))
die ("const flag unexpectly set\n");
second_one = gcry_mpi_copy (one);
if (gcry_mpi_get_flag (second_one, GCRYMPI_FLAG_IMMUTABLE))
die ("immutable flag not cleared after copy\n");
if (gcry_mpi_get_flag (second_one, GCRYMPI_FLAG_CONST))
die ("const flag unexpectly set after copy\n");
gcry_mpi_release (second_one);
gcry_mpi_clear_flag (one, GCRYMPI_FLAG_IMMUTABLE);
if (gcry_mpi_get_flag (one, GCRYMPI_FLAG_IMMUTABLE))
die ("failed to clear immutable flag\n");
if (gcry_mpi_get_flag (one, GCRYMPI_FLAG_CONST))
die ("const flag unexpectly set\n");
gcry_mpi_set_flag (one, GCRYMPI_FLAG_CONST);
if (!gcry_mpi_get_flag (one, GCRYMPI_FLAG_CONST))
die ("failed to set const flag\n");
if (!gcry_mpi_get_flag (one, GCRYMPI_FLAG_IMMUTABLE))
die ("failed to set immutable flag with const flag\n");
second_one = gcry_mpi_copy (one);
if (gcry_mpi_get_flag (second_one, GCRYMPI_FLAG_IMMUTABLE))
die ("immutable flag not cleared after copy\n");
if (gcry_mpi_get_flag (second_one, GCRYMPI_FLAG_CONST))
die ("const flag not cleared after copy\n");
gcry_mpi_release (second_one);
gcry_mpi_clear_flag (one, GCRYMPI_FLAG_IMMUTABLE);
if (!gcry_mpi_get_flag (one, GCRYMPI_FLAG_IMMUTABLE))
die ("clearing immutable flag not ignored for a constant MPI\n");
if (!gcry_mpi_get_flag (one, GCRYMPI_FLAG_CONST))
die ("const flag unexpectly cleared\n");
second_one = gcry_mpi_set (NULL, GCRYMPI_CONST_ONE);
if (gcry_mpi_get_flag (second_one, GCRYMPI_FLAG_IMMUTABLE))
die ("immutable flag not cleared by mpi_set (NULL,x)\n");
if (gcry_mpi_get_flag (second_one, GCRYMPI_FLAG_CONST))
die ("const flag not cleared by mpi_set (NULL,x)\n");
gcry_mpi_release (second_one);
second_one = gcry_mpi_set_ui (NULL, 42);
gcry_mpi_set (second_one, GCRYMPI_CONST_ONE);
if (gcry_mpi_get_flag (second_one, GCRYMPI_FLAG_IMMUTABLE))
die ("immutable flag not cleared after mpi_set (a,x)\n");
if (gcry_mpi_get_flag (second_one, GCRYMPI_FLAG_CONST))
die ("const flag not cleared mpi_set (a,x)\n");
gcry_mpi_release (second_one);
/* Due to the the constant flag the release below should be a NOP
and will leak memory. */
gcry_mpi_release (one);
return 1;
}
void point_set(struct affine_point *p1, const struct affine_point *p2)
{
gcry_mpi_set(p1->x, p2->x);
gcry_mpi_set(p1->y, p2->y);
}
/* Check that the RSA secret key SKEY is valid. Swap parameters to
the libgcrypt standard. */
static gpg_error_t
rsa_key_check (struct rsa_secret_key_s *skey)
{
int err = 0;
gcry_mpi_t t = gcry_mpi_snew (0);
gcry_mpi_t t1 = gcry_mpi_snew (0);
gcry_mpi_t t2 = gcry_mpi_snew (0);
gcry_mpi_t phi = gcry_mpi_snew (0);
/* Check that n == p * q. */
gcry_mpi_mul (t, skey->p, skey->q);
if (gcry_mpi_cmp( t, skey->n) )
{
log_error ("RSA oops: n != p * q\n");
err++;
}
/* Check that p is less than q. */
if (gcry_mpi_cmp (skey->p, skey->q) > 0)
{
gcry_mpi_t tmp;
log_info ("swapping secret primes\n");
tmp = gcry_mpi_copy (skey->p);
gcry_mpi_set (skey->p, skey->q);
gcry_mpi_set (skey->q, tmp);
gcry_mpi_release (tmp);
/* Recompute u. */
gcry_mpi_invm (skey->u, skey->p, skey->q);
}
/* Check that e divides neither p-1 nor q-1. */
gcry_mpi_sub_ui (t, skey->p, 1 );
gcry_mpi_div (NULL, t, t, skey->e, 0);
if (!gcry_mpi_cmp_ui( t, 0) )
{
log_error ("RSA oops: e divides p-1\n");
err++;
}
gcry_mpi_sub_ui (t, skey->q, 1);
gcry_mpi_div (NULL, t, t, skey->e, 0);
if (!gcry_mpi_cmp_ui( t, 0))
{
log_info ("RSA oops: e divides q-1\n" );
err++;
}
/* Check that d is correct. */
gcry_mpi_sub_ui (t1, skey->p, 1);
gcry_mpi_sub_ui (t2, skey->q, 1);
gcry_mpi_mul (phi, t1, t2);
gcry_mpi_invm (t, skey->e, phi);
if (gcry_mpi_cmp (t, skey->d))
{
/* No: try universal exponent. */
gcry_mpi_gcd (t, t1, t2);
gcry_mpi_div (t, NULL, phi, t, 0);
gcry_mpi_invm (t, skey->e, t);
if (gcry_mpi_cmp (t, skey->d))
{
log_error ("RSA oops: bad secret exponent\n");
err++;
}
}
/* Check for correctness of u. */
gcry_mpi_invm (t, skey->p, skey->q);
if (gcry_mpi_cmp (t, skey->u))
{
log_info ("RSA oops: bad u parameter\n");
err++;
}
if (err)
log_info ("RSA secret key check failed\n");
gcry_mpi_release (t);
gcry_mpi_release (t1);
gcry_mpi_release (t2);
gcry_mpi_release (phi);
return err? gpg_error (GPG_ERR_BAD_SECKEY):0;
}
static bigint_t
wrap_gcry_mpi_set (bigint_t w, const bigint_t u)
{
return gcry_mpi_set (w, u);
}
/*
* Test iterative X25519 computation through lower layer MPI routines.
*
* Input: K (as hex string), ITER, R (as hex string)
*
* where R is expected result of iterating X25519 by ITER times.
*
*/
static void
test_it (int testno, const char *k_str, int iter, const char *result_str)
{
gcry_ctx_t ctx;
gpg_error_t err;
void *buffer = NULL;
size_t buflen;
gcry_mpi_t mpi_k = NULL;
gcry_mpi_t mpi_x = NULL;
gcry_mpi_point_t P = NULL;
gcry_mpi_point_t Q;
int i;
gcry_mpi_t mpi_kk = NULL;
if (verbose > 1)
info ("Running test %d: iteration=%d\n", testno, iter);
gcry_mpi_ec_new (&ctx, NULL, "Curve25519");
Q = gcry_mpi_point_new (0);
if (!(buffer = hex2buffer (k_str, &buflen)) || buflen != 32)
{
fail ("error scanning MPI for test %d, %s: %s",
testno, "k", "invalid hex string");
goto leave;
}
reverse_buffer (buffer, buflen);
if ((err = gcry_mpi_scan (&mpi_x, GCRYMPI_FMT_USG, buffer, buflen, NULL)))
{
fail ("error scanning MPI for test %d, %s: %s",
testno, "x", gpg_strerror (err));
goto leave;
}
xfree (buffer);
buffer = NULL;
P = gcry_mpi_point_set (NULL, mpi_x, NULL, GCRYMPI_CONST_ONE);
mpi_k = gcry_mpi_copy (mpi_x);
if (debug)
print_mpi ("k", mpi_k);
for (i = 0; i < iter; i++)
{
/*
* Another variant of decodeScalar25519 thing.
*/
mpi_kk = gcry_mpi_set (mpi_kk, mpi_k);
gcry_mpi_set_bit (mpi_kk, 254);
gcry_mpi_clear_bit (mpi_kk, 255);
gcry_mpi_clear_bit (mpi_kk, 0);
gcry_mpi_clear_bit (mpi_kk, 1);
gcry_mpi_clear_bit (mpi_kk, 2);
gcry_mpi_ec_mul (Q, mpi_kk, P, ctx);
P = gcry_mpi_point_set (P, mpi_k, NULL, GCRYMPI_CONST_ONE);
gcry_mpi_ec_get_affine (mpi_k, NULL, Q, ctx);
if (debug)
print_mpi ("k", mpi_k);
}
{
unsigned char res[32];
char *r, *r0;
gcry_mpi_print (GCRYMPI_FMT_USG, res, 32, NULL, mpi_k);
reverse_buffer (res, 32);
r0 = r = xmalloc (65);
if (!r0)
{
fail ("memory allocation for test %d", testno);
goto leave;
}
for (i=0; i < 32; i++, r += 2)
snprintf (r, 3, "%02x", res[i]);
if (strcmp (result_str, r0))
{
fail ("curv25519 failed for test %d: %s",
testno, "wrong value returned");
info (" expected: '%s'", result_str);
info (" got: '%s'", r0);
}
xfree (r0);
}
leave:
gcry_mpi_release (mpi_kk);
gcry_mpi_release (mpi_k);
gcry_mpi_point_release (P);
gcry_mpi_release (mpi_x);
xfree (buffer);
gcry_mpi_point_release (Q);
gcry_ctx_release (ctx);
}
