void rsaEXP(BIGNUM *message , rsaKey * key){

	BN_CTX * t = BN_CTX_new();

	BN_mod_exp(message , message, key->exponent , key->modulo , t);
	
	BN_CTX_free(t);

}
Esempio n. 2
0
void Person::set_keys() {
  a = BN_new();
  BN_rand_range(a, p);
  A = BN_new();
  BN_CTX *ctx = BN_CTX_new();
  BN_mod_exp(A, g, a, p, ctx);

  if (ctx) BN_CTX_free(ctx);
}
Esempio n. 3
0
static int dsa_builtin_keygen(DSA *dsa)
{
    int ok = 0;
    BN_CTX *ctx = NULL;
    BIGNUM *pub_key = NULL, *priv_key = NULL;

    if ((ctx = BN_CTX_new()) == NULL)
        goto err;

    if (dsa->priv_key == NULL) {
        if ((priv_key = BN_secure_new()) == NULL)
            goto err;
    } else
        priv_key = dsa->priv_key;

    do
        if (!BN_rand_range(priv_key, dsa->q))
            goto err;
    while (BN_is_zero(priv_key)) ;

    if (dsa->pub_key == NULL) {
        if ((pub_key = BN_new()) == NULL)
            goto err;
    } else
        pub_key = dsa->pub_key;

    {
        BIGNUM *local_prk = NULL;
        BIGNUM *prk;

        if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
            local_prk = prk = BN_new();
            if (!local_prk)
                goto err;
            BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
        } else
            prk = priv_key;

        if (!BN_mod_exp(pub_key, dsa->g, prk, dsa->p, ctx)) {
            BN_free(local_prk);
            goto err;
        }
        BN_free(local_prk);
    }

    dsa->priv_key = priv_key;
    dsa->pub_key = pub_key;
    ok = 1;

 err:
    if (pub_key != dsa->pub_key)
        BN_free(pub_key);
    if (priv_key != dsa->priv_key)
        BN_free(priv_key);
    BN_CTX_free(ctx);
    return (ok);
}
Esempio n. 4
0
static int ubsec_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
                         const BIGNUM *m, BN_CTX *ctx)
{
    int y_len = 0;
    int fd;

    if (ubsec_dso == NULL) {
        UBSECerr(UBSEC_F_UBSEC_MOD_EXP, UBSEC_R_NOT_LOADED);
        return 0;
    }

    /* Check if hardware can't handle this argument. */
    y_len = BN_num_bits(m);
    if (y_len > max_key_len) {
        UBSECerr(UBSEC_F_UBSEC_MOD_EXP, UBSEC_R_SIZE_TOO_LARGE_OR_TOO_SMALL);
        return BN_mod_exp(r, a, p, m, ctx);
    }

    if (!bn_wexpand(r, m->top)) {
        UBSECerr(UBSEC_F_UBSEC_MOD_EXP, UBSEC_R_BN_EXPAND_FAIL);
        return 0;
    }

    if ((fd = p_UBSEC_ubsec_open(UBSEC_KEY_DEVICE_NAME)) <= 0) {
        fd = 0;
        UBSECerr(UBSEC_F_UBSEC_MOD_EXP, UBSEC_R_UNIT_FAILURE);
        return BN_mod_exp(r, a, p, m, ctx);
    }

    if (p_UBSEC_rsa_mod_exp_ioctl(fd, (unsigned char *)a->d, BN_num_bits(a),
                                  (unsigned char *)m->d, BN_num_bits(m),
                                  (unsigned char *)p->d, BN_num_bits(p),
                                  (unsigned char *)r->d, &y_len) != 0) {
        UBSECerr(UBSEC_F_UBSEC_MOD_EXP, UBSEC_R_REQUEST_FAILED);
        p_UBSEC_ubsec_close(fd);

        return BN_mod_exp(r, a, p, m, ctx);
    }

    p_UBSEC_ubsec_close(fd);

    r->top = (BN_num_bits(m) + BN_BITS2 - 1) / BN_BITS2;
    return 1;
}
Esempio n. 5
0
int AO_vrfy(void *inner)
{
    assert(inner!=NULL);
    AOInner *self = (AOInner*)inner;
    
    int ret;
    BIGNUM *rbn;
    
    /* e_bytes~ := H(n) */
    VHash(self->n, self->bytelen_rec+self->bytelen_red, self->v_e_bytes, self->bytelen_q);

    /* e~ := int(e_bytes) */
    rbn = BN_bin2bn(self->v_e_bytes, self->bytelen_q, self->v_e);
    assert(rbn!=NULL);

    /* a~ := g^z * h^e~ */
    ret = BN_mod_exp(self->gz, self->g, self->z, self->p, self->bnctx);
    assert(ret==1);
    ret = BN_mod_exp(self->he, self->h, self->v_e, self->p, self->bnctx);
    assert(ret==1);
    ret = BN_mod_mul(self->v_a, self->gz, self->he, self->p, self->bnctx);
    assert(ret==1);

    /* a_bytes~ := bytes(a~) */
    BN2LenBin(self->v_a, self->v_am_bytes, self->bytelen_p);

    /* h2m~ := H2(a_bytes~ || h1~) */
    memcpy(&self->v_am_bytes[self->bytelen_p], self->n, self->bytelen_red);
    VHash(self->v_am_bytes, self->bytelen_p+self->bytelen_red, self->v_mh2, self->bytelen_rec);
    
    /* msg~ := mh2~ xor h2 */
    BinXor(self->v_mh2, &self->n[self->bytelen_red], self->v_mh2, self->bytelen_rec);

    /* h1~ := H1(a_bytes~||msg~) */
    memcpy(&self->v_am_bytes[self->bytelen_p], self->v_mh2, self->bytelen_rec);
    VHash(self->v_am_bytes, self->bytelen_p+self->bytelen_rec, self->v_h1, self->bytelen_red);

    /* Check if h1~ == h1 */
    ret = memcmp(self->v_h1, self->n, self->bytelen_red);
    assert(ret==0);

    return 0;
}
Esempio n. 6
0
/*const*/ BIGNUM *Bank::SignRequest(PublicCoinRequest &req)
    {
    InitCTX();

    BIGNUM *BtoA=BN_new();
    BN_mod_exp(BtoA,req.Request(),priv_key(),p(),m_ctx);
    DumpNumber("B->A=     ",BtoA);

    return BtoA;
    }
Esempio n. 7
0
/* key = (y_ * (h^(-1))^secret) ^ r */
void PSPAKE_compute_key(PSPAKE_CTX *ctx)
{
    BIGNUM *t1 = BN_new();
    BIGNUM *t2 = BN_new();
    BIGNUM *inv_h = BN_new();

    /* inv_h = h ^ (-1) */
    BN_mod_inverse(inv_h, ctx->h, ctx->q, ctx->ctx);

    /* t1 = inv_h ^ secret */
    BN_mod_exp(t1, inv_h, ctx->secret, ctx->q, ctx->ctx);

    /* t2 = y_ * t1 */
    BN_mod_mul(t2, ctx->y_, t1, ctx->q, ctx->ctx);

    /* key = t2 ^ r */
    ctx->key = BN_new();
    BN_mod_exp(ctx->key, t2, ctx->r, ctx->q, ctx->ctx);
}
Esempio n. 8
0
int APP_CC
ssl_mod_exp(char* out, int out_len, char* in, int in_len,
            char* mod, int mod_len, char* exp, int exp_len)
{
  BN_CTX* ctx;
  BIGNUM lmod;
  BIGNUM lexp;
  BIGNUM lin;
  BIGNUM lout;
  int rv;
  char* l_out;
  char* l_in;
  char* l_mod;
  char* l_exp;

  l_out = (char*)g_malloc(out_len, 1);
  l_in = (char*)g_malloc(in_len, 1);
  l_mod = (char*)g_malloc(mod_len, 1);
  l_exp = (char*)g_malloc(exp_len, 1);
  g_memcpy(l_in, in, in_len);
  g_memcpy(l_mod, mod, mod_len);
  g_memcpy(l_exp, exp, exp_len);
  ssl_reverse_it(l_in, in_len);
  ssl_reverse_it(l_mod, mod_len);
  ssl_reverse_it(l_exp, exp_len);
  ctx = BN_CTX_new();
  BN_init(&lmod);
  BN_init(&lexp);
  BN_init(&lin);
  BN_init(&lout);
  BN_bin2bn((tui8*)l_mod, mod_len, &lmod);
  BN_bin2bn((tui8*)l_exp, exp_len, &lexp);
  BN_bin2bn((tui8*)l_in, in_len, &lin);
  BN_mod_exp(&lout, &lin, &lexp, &lmod, ctx);
  rv = BN_bn2bin(&lout, (tui8*)l_out);
  if (rv <= out_len)
  {
    ssl_reverse_it(l_out, rv);
    g_memcpy(out, l_out, out_len);
  }
  else
  {
    rv = 0;
  }
  BN_free(&lin);
  BN_free(&lout);
  BN_free(&lexp);
  BN_free(&lmod);
  BN_CTX_free(ctx);
  g_free(l_out);
  g_free(l_in);
  g_free(l_mod);
  g_free(l_exp);
  return rv;
}
Esempio n. 9
0
static void sendstep1_substep(JPakeStep1 * s1, const BIGNUM *x,
                              const JPakeUser * us,
                              const JPakeParameters * params, int n)
{
    s1->gx = BN_new();
    BN_mod_exp(s1->gx, params->g, x, params->p, params->ctx);
    printf("  g^{x%d}", n);
    showbn("", s1->gx);

    CreateZKP(&s1->zkpx, x, us, params->g, params, n, "");
}
Esempio n. 10
0
BigNumber BigNumber::modExp(const BigNumber &bn1, const BigNumber &bn2)
{
	BigNumber ret;
	BN_CTX *bnctx;

	bnctx = BN_CTX_new();
	BN_mod_exp(ret.m_bn, m_bn, bn1.m_bn, bn2.m_bn, bnctx);
	BN_CTX_free(bnctx);

	return ret;
}
Esempio n. 11
0
static int VerifyZKP(const JPakeZKP * zkp, BIGNUM *gx,
                     const JPakeUserPublic * them, const BIGNUM *zkpg,
                     const JPakeParameters * params, int n,
                     const char *suffix)
{
    BIGNUM *h = BN_new();
    BIGNUM *t1 = BN_new();
    BIGNUM *t2 = BN_new();
    BIGNUM *t3 = BN_new();
    int ret = 0;

    zkpHash(h, zkp, gx, them, params);

    // t1 = g^b
    BN_mod_exp(t1, zkpg, zkp->b, params->p, params->ctx);
    // t2 = (g^x)^h = g^{hx}
    BN_mod_exp(t2, gx, h, params->p, params->ctx);
    // t3 = t1 * t2 = g^{hx} * g^b = g^{hx+b} = g^r (allegedly)
    BN_mod_mul(t3, t1, t2, params->p, params->ctx);

    printf("  ZKP(x%d%s)\n", n, suffix);
    showbn("    zkpg", zkpg);
    showbn("    g^r'", t3);

    // verify t3 == g^r
    if (BN_cmp(t3, zkp->gr) == 0)
        ret = 1;

    // cleanup
    BN_free(t3);
    BN_free(t2);
    BN_free(t1);
    BN_free(h);

    if (ret)
        puts("    OK");
    else
        puts("    FAIL");

    return ret;
}
Esempio n. 12
0
// Check Fermat probable primality test (2-PRP): 2 ** (n-1) = 1 (mod n)
// true: n is probable prime
// false: n is composite; set fractional length in the nLength output
static bool FermatProbablePrimalityTest(const CBigNum& n, unsigned int& nLength) {
   //CBigNum a = 2; // base; Fermat witness
   CBigNum e = n - 1;CBigNum r;
   BN_mod_exp(&r, &bnTwo, &e, &n, pctx);
   if (r == 1) { return true; }
   // Failed Fermat test, calculate fractional length
   unsigned int nFractionalLength = (((n-r) << nFractionalBits) / n).getuint();
   if (nFractionalLength >= (1 << nFractionalBits))
      return error("FermatProbablePrimalityTest() : fractional assert");
   nLength = (nLength & TARGET_LENGTH_MASK) | nFractionalLength;
   return false;
}
Esempio n. 13
0
bool ProductEvidence_Verify(const_ProductEvidence ev, const_ProductStatement st)
{
  const BIGNUM* g = IntegerGroup_GetG(st->group);
  const BIGNUM* h = IntegerGroup_GetH(st->group);
  const BIGNUM* p = IntegerGroup_GetP(st->group);
  BN_CTX* ctx = IntegerGroup_GetCtx(st->group);
  BIGNUM *tmp = BN_new();

  // Recompute commitments
  // m1' = (g^z h^w1) / A^c
  BIGNUM* m1 = IntegerGroup_CascadeExponentiate(st->group, g, ev->z, h, ev->w1);
  CHECK_CALL(m1);
  CHECK_CALL(BN_copy(tmp, st->commit_a));
  CHECK_CALL(BN_mod_exp(tmp, tmp, ev->c, p, ctx));
  CHECK_CALL(BN_mod_inverse(tmp, tmp, p, ctx));
  CHECK_CALL(BN_mod_mul(m1, m1, tmp, p, ctx));

  // m2' = (B^z h^w2) / C^c
  BIGNUM* m2 = IntegerGroup_CascadeExponentiate(st->group, st->commit_b, ev->z, h, ev->w2);
  CHECK_CALL(m2);
  CHECK_CALL(BN_copy(tmp, st->commit_c));
  CHECK_CALL(BN_mod_exp(tmp, tmp, ev->c, p, ctx));
  CHECK_CALL(BN_mod_inverse(tmp, tmp, p, ctx));
  CHECK_CALL(BN_mod_mul(m2, m2, tmp, p, ctx));

  BN_clear_free(tmp);

  // Check challenge 
  // c =? H(g, h, q, p, A, B, C, m1', m2')
  BIGNUM *c_prime = Commit(st, m1, m2);

  BN_free(m1);
  BN_free(m2);

  bool retval = !BN_cmp(ev->c, c_prime);

  BN_clear_free(c_prime);

  return retval;
}
Esempio n. 14
0
/*
 * Computes signature and returns it as DSA_SIG structure
 */
DSA_SIG *gost_do_sign (const unsigned char *dgst, int dlen, DSA * dsa)
{
    BIGNUM *k = NULL, *tmp = NULL, *tmp2 = NULL;

    DSA_SIG *newsig = DSA_SIG_new ();

    BIGNUM *md = hashsum2bn (dgst);

    /* check if H(M) mod q is zero */
    BN_CTX *ctx = BN_CTX_new ();

    BN_CTX_start (ctx);
    if (!newsig)
    {
        GOSTerr (GOST_F_GOST_DO_SIGN, GOST_R_NO_MEMORY);
        goto err;
    }
    tmp = BN_CTX_get (ctx);
    k = BN_CTX_get (ctx);
    tmp2 = BN_CTX_get (ctx);
    BN_mod (tmp, md, dsa->q, ctx);
    if (BN_is_zero (tmp))
    {
        BN_one (md);
    }
    do
    {
        do
        {
            /*Generate random number k less than q */
            BN_rand_range (k, dsa->q);
            /* generate r = (a^x mod p) mod q */
            BN_mod_exp (tmp, dsa->g, k, dsa->p, ctx);
            if (!(newsig->r))
                newsig->r = BN_new ();
            BN_mod (newsig->r, tmp, dsa->q, ctx);
        }
        while (BN_is_zero (newsig->r));
        /* generate s = (xr + k(Hm)) mod q */
        BN_mod_mul (tmp, dsa->priv_key, newsig->r, dsa->q, ctx);
        BN_mod_mul (tmp2, k, md, dsa->q, ctx);
        if (!newsig->s)
            newsig->s = BN_new ();
        BN_mod_add (newsig->s, tmp, tmp2, dsa->q, ctx);
    }
    while (BN_is_zero (newsig->s));
  err:
    BN_free (md);
    BN_CTX_end (ctx);
    BN_CTX_free (ctx);
    return newsig;
}
Esempio n. 15
0
static int crypto_rsa_common(const BYTE* input, int length, UINT32 key_length, const BYTE* modulus, const BYTE* exponent, int exponent_size, BYTE* output)
{
	BN_CTX* ctx;
	int output_length = -1;
	BYTE* input_reverse;
	BYTE* modulus_reverse;
	BYTE* exponent_reverse;
	BIGNUM mod, exp, x, y;

	input_reverse = (BYTE*) malloc(2 * key_length + exponent_size);
	if (!input_reverse)
		return -1;
	modulus_reverse = input_reverse + key_length;
	exponent_reverse = modulus_reverse + key_length;

	memcpy(modulus_reverse, modulus, key_length);
	crypto_reverse(modulus_reverse, key_length);
	memcpy(exponent_reverse, exponent, exponent_size);
	crypto_reverse(exponent_reverse, exponent_size);
	memcpy(input_reverse, input, length);
	crypto_reverse(input_reverse, length);

	ctx = BN_CTX_new();
	if (!ctx)
		goto out_free_input_reverse;
	BN_init(&mod);
	BN_init(&exp);
	BN_init(&x);
	BN_init(&y);

	BN_bin2bn(modulus_reverse, key_length, &mod);
	BN_bin2bn(exponent_reverse, exponent_size, &exp);
	BN_bin2bn(input_reverse, length, &x);
	BN_mod_exp(&y, &x, &exp, &mod, ctx);

	output_length = BN_bn2bin(&y, output);
	crypto_reverse(output, output_length);

	if (output_length < (int) key_length)
		memset(output + output_length, 0, key_length - output_length);

	BN_free(&y);
	BN_clear_free(&x);
	BN_free(&exp);
	BN_free(&mod);
	BN_CTX_free(ctx);

out_free_input_reverse:
	free(input_reverse);

	return output_length;
}
Esempio n. 16
0
// Prove knowledge of x
// Note that we don't send g^x because, as it happens, we've always
// sent it elsewhere. Also note that because of that, we could avoid
// calculating it here, but we don't, for clarity...
static void CreateZKP(JPakeZKP * zkp, const BIGNUM *x, const JPakeUser * us,
                      const BIGNUM *zkpg, const JPakeParameters * params,
                      int n, const char *suffix)
{
    BIGNUM *r = BN_new();
    BIGNUM *gx = BN_new();
    BIGNUM *h = BN_new();
    BIGNUM *t = BN_new();

    // r in [0,q)
    // XXX: Java chooses r in [0, 2^160) - i.e. distribution not uniform
    BN_rand_range(r, params->q);
    // g^r
    zkp->gr = BN_new();
    BN_mod_exp(zkp->gr, zkpg, r, params->p, params->ctx);
    // g^x
    BN_mod_exp(gx, zkpg, x, params->p, params->ctx);

    // h=hash...
    zkpHash(h, zkp, gx, &us->p, params);

    // b = r - x*h
    BN_mod_mul(t, x, h, params->q, params->ctx);
    zkp->b = BN_new();
    BN_mod_sub(zkp->b, r, t, params->q, params->ctx);

    // show
    printf("  ZKP(x%d%s)\n", n, suffix);
    showbn("   zkpg", zkpg);
    showbn("    g^x", gx);
    showbn("    g^r", zkp->gr);
    showbn("      b", zkp->b);

    // cleanup
    BN_free(t);
    BN_free(h);
    BN_free(gx);
    BN_free(r);
}
Esempio n. 17
0
BIGNUM *SRP_Calc_client_key(BIGNUM *N, BIGNUM *B, BIGNUM *g, BIGNUM *x,
                            BIGNUM *a, BIGNUM *u)
{
    BIGNUM *tmp = NULL, *tmp2 = NULL, *tmp3 = NULL, *k = NULL, *K = NULL;
    BN_CTX *bn_ctx;

    if (u == NULL || B == NULL || N == NULL || g == NULL || x == NULL
        || a == NULL || (bn_ctx = BN_CTX_new()) == NULL)
        return NULL;

    if ((tmp = BN_new()) == NULL ||
        (tmp2 = BN_new()) == NULL ||
        (tmp3 = BN_new()) == NULL ||
        (K = BN_new()) == NULL)
        goto err;

    if (!BN_mod_exp(tmp, g, x, N, bn_ctx))
        goto err;
    if ((k = srp_Calc_k(N, g)) == NULL)
        goto err;
    if (!BN_mod_mul(tmp2, tmp, k, N, bn_ctx))
        goto err;
    if (!BN_mod_sub(tmp, B, tmp2, N, bn_ctx))
        goto err;
    if (!BN_mod_mul(tmp3, u, x, N, bn_ctx))
        goto err;
    if (!BN_mod_add(tmp2, a, tmp3, N, bn_ctx))
        goto err;
    if (!BN_mod_exp(K, tmp, tmp2, N, bn_ctx))
        goto err;

 err:
    BN_CTX_free(bn_ctx);
    BN_clear_free(tmp);
    BN_clear_free(tmp2);
    BN_clear_free(tmp3);
    BN_free(k);
    return K;
}
Esempio n. 18
0
void meteor_user_generate_kgx(SRPUser *usr,
                              BN_CTX *ctx,
                              BIGNUM *x,
                              BIGNUM *k,
                              BIGNUM **kgx) {
    BN_CTX *lctx = BN_CTX_new();
    BIGNUM *inner_kgx = BN_new();
    BN_mod_exp(inner_kgx, usr->ng->g, x, usr->ng->N, lctx);
    BN_mul(*kgx, inner_kgx, k, lctx);
    
    BN_free(inner_kgx);
    BN_CTX_free(lctx);
}
Esempio n. 19
0
/* pollard p-1, algorithm from Jim Gillogly, May 2000 */
static void
pollard_pminus1(BIGNUM *val)
{
	BIGNUM *base, *rbase, *num, *i, *x;

	base = BN_new();
	rbase = BN_new();
	num = BN_new();
	i = BN_new();
	x = BN_new();

	BN_set_word(rbase, 1);
newbase:
	if (!BN_add_word(rbase, 1))
		errx(1, "error in BN_add_word()");
	BN_set_word(i, 2);
	BN_copy(base, rbase);

	for (;;) {
		BN_mod_exp(base, base, i, val, ctx);
		if (BN_is_one(base))
			goto newbase;

		BN_copy(x, base);
		BN_sub_word(x, 1);
		if (!BN_gcd(x, x, val, ctx))
			errx(1, "error in BN_gcd()");

		if (!BN_is_one(x)) {
			if (BN_is_prime(x, PRIME_CHECKS, NULL, NULL,
			    NULL) == 1)
				pr_print(x);
			else
				pollard_pminus1(x);
			fflush(stdout);

			BN_div(num, NULL, val, x, ctx);
			if (BN_is_one(num))
				return;
			if (BN_is_prime(num, PRIME_CHECKS, NULL, NULL,
			    NULL) == 1) {
				pr_print(num);
				fflush(stdout);
				return;
			}
			BN_copy(val, num);
		}
		if (!BN_add_word(i, 1))
			errx(1, "error in BN_add_word()");
	}
}
Esempio n. 20
0
BIGNUM *
DH_get_order(const DH *dh, BN_CTX *ctx)
{
    BIGNUM *order = NULL, *bn = NULL;
    const BIGNUM *p, *g;

    check(dh && ctx, "Invalid argument");

    BN_CTX_start(ctx);

    DH_get0_pqg(dh, &p, NULL, &g);

    /* suppose the order of g is q-1 */
    order = DH_get_q(dh, ctx);
    bn = BN_CTX_get(ctx);
    if (!bn || !order || !BN_sub_word(order, 1)
          || !BN_mod_exp(bn, g, order, p, ctx))
        goto err;

    if (BN_cmp(bn, BN_value_one()) != 0) {
        /* if bn != 1, then q-1 is not the order of g, but p-1 should be */
        if (!BN_sub(order, p, BN_value_one()) ||
              !BN_mod_exp(bn, g, order, p, ctx))
           goto err;
        check(BN_cmp(bn, BN_value_one()) == 0, "Unable to get order");
    }

    BN_CTX_end(ctx);

    return order;

err:
    if (order)
        BN_clear_free(order);
    BN_CTX_end(ctx);

    return NULL;
}
Esempio n. 21
0
static void sendstep2(const JPakeUser * us, JPakeUserPublic * them,
                      const JPakeParameters * params)
{
    BIGNUM *t1 = BN_new();
    BIGNUM *t2 = BN_new();

    printf("\n%s sends %s:\n\n", us->p.name, them->name);

    // X = g^{(xa + xc + xd) * xb * s}
    // t1 = g^xa
    BN_mod_exp(t1, params->g, us->xa, params->p, params->ctx);
    // t2 = t1 * g^{xc} = g^{xa} * g^{xc} = g^{xa + xc}
    BN_mod_mul(t2, t1, us->p.s1c.gx, params->p, params->ctx);
    // t1 = t2 * g^{xd} = g^{xa + xc + xd}
    BN_mod_mul(t1, t2, us->p.s1d.gx, params->p, params->ctx);
    // t2 = xb * s
    BN_mod_mul(t2, us->xb, us->secret, params->q, params->ctx);
    // X = t1^{t2} = t1^{xb * s} = g^{(xa + xc + xd) * xb * s}
    them->s2.X = BN_new();
    BN_mod_exp(them->s2.X, t1, t2, params->p, params->ctx);

    // Show
    printf("  g^{(x%d + x%d + x%d) * x%d * s)", us->p.base, them->base,
           them->base + 1, us->p.base + 1);
    showbn("", them->s2.X);

    // ZKP(xb * s)
    // XXX: this is kinda funky, because we're using
    //
    // g' = g^{xa + xc + xd}
    //
    // as the generator, which means X is g'^{xb * s}
    CreateZKP(&them->s2.zkpxbs, t2, us, t1, params, us->p.base + 1, " * s");

    // cleanup
    BN_free(t1);
    BN_free(t2);
}
Esempio n. 22
0
int
pgp_elgamal_decrypt(PGP_PubKey * pk, PGP_MPI * _c1, PGP_MPI * _c2,
					PGP_MPI ** msg_p)
{
	int			res = PXE_PGP_MATH_FAILED;
	BIGNUM	   *c1 = mpi_to_bn(_c1);
	BIGNUM	   *c2 = mpi_to_bn(_c2);
	BIGNUM	   *p = mpi_to_bn(pk->pub.elg.p);
	BIGNUM	   *x = mpi_to_bn(pk->sec.elg.x);
	BIGNUM	   *c1x = BN_new();
	BIGNUM	   *div = BN_new();
	BIGNUM	   *m = BN_new();
	BN_CTX	   *tmp = BN_CTX_new();

	if (!c1 || !c2 || !p || !x || !c1x || !div || !m || !tmp)
		goto err;

	/*
	 * m = c2 / (c1^x)
	 */
	if (!BN_mod_exp(c1x, c1, x, p, tmp))
		goto err;
	if (!BN_mod_inverse(div, c1x, p, tmp))
		goto err;
	if (!BN_mod_mul(m, c2, div, p, tmp))
		goto err;

	/* result */
	*msg_p = bn_to_mpi(m);
	if (*msg_p)
		res = 0;
err:
	if (tmp)
		BN_CTX_free(tmp);
	if (m)
		BN_clear_free(m);
	if (div)
		BN_clear_free(div);
	if (c1x)
		BN_clear_free(c1x);
	if (x)
		BN_clear_free(x);
	if (p)
		BN_clear_free(p);
	if (c2)
		BN_clear_free(c2);
	if (c1)
		BN_clear_free(c1);
	return res;
}
Esempio n. 23
0
int test_mod_exp(BIO *bp, BN_CTX *ctx)
	{
	BIGNUM *a,*b,*c,*d,*e;
	int i;

	a=BN_new();
	b=BN_new();
	c=BN_new();
	d=BN_new();
	e=BN_new();

	BN_bntest_rand(c,30,0,1); /* must be odd for montgomery */
	for (i=0; i<num2; i++)
		{
		BN_bntest_rand(a,20+i*5,0,0); /**/
		BN_bntest_rand(b,2+i,0,0); /**/

		if (!BN_mod_exp(d,a,b,c,ctx))
			return(00);

		if (bp != NULL)
			{
			if (!results)
				{
				BN_print(bp,a);
				BIO_puts(bp," ^ ");
				BN_print(bp,b);
				BIO_puts(bp," % ");
				BN_print(bp,c);
				BIO_puts(bp," - ");
				}
			BN_print(bp,d);
			BIO_puts(bp,"\n");
			}
		BN_exp(e,a,b,ctx);
		BN_sub(e,e,d);
		BN_div(a,b,e,c,ctx);
		if(!BN_is_zero(b))
		    {
		    fprintf(stderr,"Modulo exponentiation test failed!\n");
		    return 0;
		    }
		}
	BN_free(a);
	BN_free(b);
	BN_free(c);
	BN_free(d);
	BN_free(e);
	return(1);
	}
Esempio n. 24
0
int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret) {
  *ret = 0;

  BN_CTX *ctx = BN_CTX_new();
  if (ctx == NULL) {
    return 0;
  }
  BN_CTX_start(ctx);

  int ok = 0;

  /* Check |pub_key| is greater than 1. */
  BIGNUM *tmp = BN_CTX_get(ctx);
  if (tmp == NULL ||
      !BN_set_word(tmp, 1)) {
    goto err;
  }
  if (BN_cmp(pub_key, tmp) <= 0) {
    *ret |= DH_CHECK_PUBKEY_TOO_SMALL;
  }

  /* Check |pub_key| is less than |dh->p| - 1. */
  if (!BN_copy(tmp, dh->p) ||
      !BN_sub_word(tmp, 1)) {
    goto err;
  }
  if (BN_cmp(pub_key, tmp) >= 0) {
    *ret |= DH_CHECK_PUBKEY_TOO_LARGE;
  }

  if (dh->q != NULL) {
    /* Check |pub_key|^|dh->q| is 1 mod |dh->p|. This is necessary for RFC 5114
     * groups which are not safe primes but pick a generator on a prime-order
     * subgroup of size |dh->q|. */
    if (!BN_mod_exp(tmp, pub_key, dh->q, dh->p, ctx)) {
      goto err;
    }
    if (!BN_is_one(tmp)) {
      *ret |= DH_CHECK_PUBKEY_INVALID;
    }
  }

  ok = 1;

err:
  BN_CTX_end(ctx);
  BN_CTX_free(ctx);
  return ok;
}
Esempio n. 25
0
/*
  Operates in-place, the result is stored over m
 */
void rsa_encrypt(BIGNUM* m, const BIGNUM* e, const BIGNUM* n) {
  BIGNUM* tmp;
  BN_CTX *ctx;

  assert(BN_cmp(m, n) < 0); /* assert m < n */

  ctx = BN_CTX_new();
  tmp = BN_new();
  BN_copy(tmp, m);  /* tmp = m */

  BN_mod_exp(m, tmp, e, n, ctx); /* m = tmp ^ e (mod n) */

  BN_free(tmp);
  BN_CTX_free(ctx);
}
Esempio n. 26
0
/* g^x is a legal value */
static int is_legal(const BIGNUM *gx, const JPAKE_CTX *ctx)
    {
    BIGNUM *t;
    int res;
    
    if(BN_is_negative(gx) || BN_is_zero(gx) || BN_cmp(gx, ctx->p.p) >= 0)
	return 0;

    t = BN_new();
    BN_mod_exp(t, gx, ctx->p.q, ctx->p.p, ctx->ctx);
    res = BN_is_one(t);
    BN_free(t);

    return res;
    }
/*
 * Computes public keys for GOST R 34.10-94 algorithm
 *
 */
int gost94_compute_public(DSA *dsa)
	{
	/* Now fill algorithm parameters with correct values */
	BN_CTX *ctx = BN_CTX_new();
	if (!dsa->g)
		{
		GOSTerr(GOST_F_GOST94_COMPUTE_PUBLIC,GOST_R_KEY_IS_NOT_INITALIZED);
		return 0;
		}	
	/* Compute public key  y = a^x mod p */
	dsa->pub_key=BN_new();
	BN_mod_exp(dsa->pub_key, dsa->g,dsa->priv_key,dsa->p,ctx);
	BN_CTX_free(ctx);
	return 1;
	}
Esempio n. 28
0
BIGNUM *SRP_Calc_A(BIGNUM *a, BIGNUM *N, BIGNUM *g)
{
    BN_CTX *bn_ctx;
    BIGNUM *A = NULL;

    if (a == NULL || N == NULL || g == NULL || (bn_ctx = BN_CTX_new()) == NULL)
        return NULL;

    if ((A = BN_new()) != NULL && !BN_mod_exp(A, g, a, N, bn_ctx)) {
        BN_free(A);
        A = NULL;
    }
    BN_CTX_free(bn_ctx);
    return A;
}
Esempio n. 29
0
/* encrypts (or decrypts) with private key, not sensitive to
   timing attacks (blind encryption)
*/
void rsa_encrypt_secure(BIGNUM* m, const BIGNUM* d,
                        const BIGNUM* e, const BIGNUM* n,
                        const unsigned char * r_bin, int r_len) {
  BN_CTX *ctx;
  BIGNUM *tmp = BN_new();
  BIGNUM *r = BN_new();
  BIGNUM *r_inv = BN_new();

  ctx = BN_CTX_new();
  BN_bin2bn(r_bin, r_len, r);
  BN_mod(r, r, n, ctx); /* r = r % n */

  /*
  printf(" r input: ");BN_print_fp(stdout, r);
  printf(" n: ");BN_print_fp(stdout, n);
  printf("\n");
  */

  BN_mod(tmp, n, r, ctx);
  /*printf("r=");BN_print_fp(stdout, r); printf("; tmp=");BN_print_fp(stdout, tmp);*/
  while (BN_is_zero(tmp)) { /*  */
    BN_mod_add(r, r, BN_value_one(), n, ctx);
    BN_mod(tmp, n, r, ctx);
    /*printf("r=");BN_print_fp(stdout, r); printf("; tmp=");BN_print_fp(stdout, tmp);*/
  }
  /*printf("\n");*/

  BN_mod_inverse(r_inv, r, n, ctx);

  /*
  printf(" r = ");BN_print_fp(stdout, r);
  printf(" r_inv = ");BN_print_fp(stdout, r_inv);
  printf(" n = ");BN_print_fp(stdout, n);
  printf("\n");
  */

  BN_mod_exp(r, r, e, n, ctx);  /* r = r^e % n */
  BN_mod_mul(m, m, r, n, ctx);  /* m = m * r % n */

  rsa_encrypt(m, d, n);

  BN_mod_mul(m, m, r_inv, n, ctx);

  BN_free(r);
  BN_free(r_inv);
  BN_free(tmp);
  BN_CTX_free(ctx);
}
static EVP_PKEY *b2i_dss(const unsigned char **in, unsigned int length,
						unsigned int bitlen, int ispub)
	{
	const unsigned char *p = *in;
	EVP_PKEY *ret = NULL;
	DSA *dsa = NULL;
	BN_CTX *ctx = NULL;
	unsigned int nbyte;
	nbyte = (bitlen + 7) >> 3;

	dsa = DSA_new();
	ret = EVP_PKEY_new();
	if (!dsa || !ret)
		goto memerr;
	if (!read_lebn(&p, nbyte, &dsa->p))
		goto memerr;
	if (!read_lebn(&p, 20, &dsa->q))
		goto memerr;
	if (!read_lebn(&p, nbyte, &dsa->g))
		goto memerr;
	if (ispub)
		{
		if (!read_lebn(&p, nbyte, &dsa->pub_key))
			goto memerr;
		}
	else
		{
		if (!read_lebn(&p, 20, &dsa->priv_key))
			goto memerr;
		/* Calculate public key */
		if (!(dsa->pub_key = BN_new()))
			goto memerr;
		if (!(ctx = BN_CTX_new()))
			goto memerr;
			
		if (!BN_mod_exp(dsa->pub_key, dsa->g,
						 dsa->priv_key, dsa->p, ctx))
			
			goto memerr;
		BN_CTX_free(ctx);
		}

	EVP_PKEY_set1_DSA(ret, dsa);
	DSA_free(dsa);
	*in = p;
	return ret;

	memerr:
	PEMerr(PEM_F_B2I_DSS, ERR_R_MALLOC_FAILURE);
	if (dsa)
		DSA_free(dsa);
	if (ret)
		EVP_PKEY_free(ret);
	if (ctx)
		BN_CTX_free(ctx);
	return NULL;
	}