void rsaEXP(BIGNUM *message , rsaKey * key){
BN_CTX * t = BN_CTX_new();
BN_mod_exp(message , message, key->exponent , key->modulo , t);
BN_CTX_free(t);
}
void Person::set_keys() {
a = BN_new();
BN_rand_range(a, p);
A = BN_new();
BN_CTX *ctx = BN_CTX_new();
BN_mod_exp(A, g, a, p, ctx);
if (ctx) BN_CTX_free(ctx);
}
static int dsa_builtin_keygen(DSA *dsa)
{
int ok = 0;
BN_CTX *ctx = NULL;
BIGNUM *pub_key = NULL, *priv_key = NULL;
if ((ctx = BN_CTX_new()) == NULL)
goto err;
if (dsa->priv_key == NULL) {
if ((priv_key = BN_secure_new()) == NULL)
goto err;
} else
priv_key = dsa->priv_key;
do
if (!BN_rand_range(priv_key, dsa->q))
goto err;
while (BN_is_zero(priv_key)) ;
if (dsa->pub_key == NULL) {
if ((pub_key = BN_new()) == NULL)
goto err;
} else
pub_key = dsa->pub_key;
{
BIGNUM *local_prk = NULL;
BIGNUM *prk;
if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
local_prk = prk = BN_new();
if (!local_prk)
goto err;
BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
} else
prk = priv_key;
if (!BN_mod_exp(pub_key, dsa->g, prk, dsa->p, ctx)) {
BN_free(local_prk);
goto err;
}
BN_free(local_prk);
}
dsa->priv_key = priv_key;
dsa->pub_key = pub_key;
ok = 1;
err:
if (pub_key != dsa->pub_key)
BN_free(pub_key);
if (priv_key != dsa->priv_key)
BN_free(priv_key);
BN_CTX_free(ctx);
return (ok);
}
static int ubsec_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
const BIGNUM *m, BN_CTX *ctx)
{
int y_len = 0;
int fd;
if (ubsec_dso == NULL) {
UBSECerr(UBSEC_F_UBSEC_MOD_EXP, UBSEC_R_NOT_LOADED);
return 0;
}
/* Check if hardware can't handle this argument. */
y_len = BN_num_bits(m);
if (y_len > max_key_len) {
UBSECerr(UBSEC_F_UBSEC_MOD_EXP, UBSEC_R_SIZE_TOO_LARGE_OR_TOO_SMALL);
return BN_mod_exp(r, a, p, m, ctx);
}
if (!bn_wexpand(r, m->top)) {
UBSECerr(UBSEC_F_UBSEC_MOD_EXP, UBSEC_R_BN_EXPAND_FAIL);
return 0;
}
if ((fd = p_UBSEC_ubsec_open(UBSEC_KEY_DEVICE_NAME)) <= 0) {
fd = 0;
UBSECerr(UBSEC_F_UBSEC_MOD_EXP, UBSEC_R_UNIT_FAILURE);
return BN_mod_exp(r, a, p, m, ctx);
}
if (p_UBSEC_rsa_mod_exp_ioctl(fd, (unsigned char *)a->d, BN_num_bits(a),
(unsigned char *)m->d, BN_num_bits(m),
(unsigned char *)p->d, BN_num_bits(p),
(unsigned char *)r->d, &y_len) != 0) {
UBSECerr(UBSEC_F_UBSEC_MOD_EXP, UBSEC_R_REQUEST_FAILED);
p_UBSEC_ubsec_close(fd);
return BN_mod_exp(r, a, p, m, ctx);
}
p_UBSEC_ubsec_close(fd);
r->top = (BN_num_bits(m) + BN_BITS2 - 1) / BN_BITS2;
return 1;
}
int AO_vrfy(void *inner)
{
assert(inner!=NULL);
AOInner *self = (AOInner*)inner;
int ret;
BIGNUM *rbn;
/* e_bytes~ := H(n) */
VHash(self->n, self->bytelen_rec+self->bytelen_red, self->v_e_bytes, self->bytelen_q);
/* e~ := int(e_bytes) */
rbn = BN_bin2bn(self->v_e_bytes, self->bytelen_q, self->v_e);
assert(rbn!=NULL);
/* a~ := g^z * h^e~ */
ret = BN_mod_exp(self->gz, self->g, self->z, self->p, self->bnctx);
assert(ret==1);
ret = BN_mod_exp(self->he, self->h, self->v_e, self->p, self->bnctx);
assert(ret==1);
ret = BN_mod_mul(self->v_a, self->gz, self->he, self->p, self->bnctx);
assert(ret==1);
/* a_bytes~ := bytes(a~) */
BN2LenBin(self->v_a, self->v_am_bytes, self->bytelen_p);
/* h2m~ := H2(a_bytes~ || h1~) */
memcpy(&self->v_am_bytes[self->bytelen_p], self->n, self->bytelen_red);
VHash(self->v_am_bytes, self->bytelen_p+self->bytelen_red, self->v_mh2, self->bytelen_rec);
/* msg~ := mh2~ xor h2 */
BinXor(self->v_mh2, &self->n[self->bytelen_red], self->v_mh2, self->bytelen_rec);
/* h1~ := H1(a_bytes~||msg~) */
memcpy(&self->v_am_bytes[self->bytelen_p], self->v_mh2, self->bytelen_rec);
VHash(self->v_am_bytes, self->bytelen_p+self->bytelen_rec, self->v_h1, self->bytelen_red);
/* Check if h1~ == h1 */
ret = memcmp(self->v_h1, self->n, self->bytelen_red);
assert(ret==0);
return 0;
}
/*const*/ BIGNUM *Bank::SignRequest(PublicCoinRequest &req)
{
InitCTX();
BIGNUM *BtoA=BN_new();
BN_mod_exp(BtoA,req.Request(),priv_key(),p(),m_ctx);
DumpNumber("B->A= ",BtoA);
return BtoA;
}
/* key = (y_ * (h^(-1))^secret) ^ r */
void PSPAKE_compute_key(PSPAKE_CTX *ctx)
{
BIGNUM *t1 = BN_new();
BIGNUM *t2 = BN_new();
BIGNUM *inv_h = BN_new();
/* inv_h = h ^ (-1) */
BN_mod_inverse(inv_h, ctx->h, ctx->q, ctx->ctx);
/* t1 = inv_h ^ secret */
BN_mod_exp(t1, inv_h, ctx->secret, ctx->q, ctx->ctx);
/* t2 = y_ * t1 */
BN_mod_mul(t2, ctx->y_, t1, ctx->q, ctx->ctx);
/* key = t2 ^ r */
ctx->key = BN_new();
BN_mod_exp(ctx->key, t2, ctx->r, ctx->q, ctx->ctx);
}
int APP_CC
ssl_mod_exp(char* out, int out_len, char* in, int in_len,
char* mod, int mod_len, char* exp, int exp_len)
{
BN_CTX* ctx;
BIGNUM lmod;
BIGNUM lexp;
BIGNUM lin;
BIGNUM lout;
int rv;
char* l_out;
char* l_in;
char* l_mod;
char* l_exp;
l_out = (char*)g_malloc(out_len, 1);
l_in = (char*)g_malloc(in_len, 1);
l_mod = (char*)g_malloc(mod_len, 1);
l_exp = (char*)g_malloc(exp_len, 1);
g_memcpy(l_in, in, in_len);
g_memcpy(l_mod, mod, mod_len);
g_memcpy(l_exp, exp, exp_len);
ssl_reverse_it(l_in, in_len);
ssl_reverse_it(l_mod, mod_len);
ssl_reverse_it(l_exp, exp_len);
ctx = BN_CTX_new();
BN_init(&lmod);
BN_init(&lexp);
BN_init(&lin);
BN_init(&lout);
BN_bin2bn((tui8*)l_mod, mod_len, &lmod);
BN_bin2bn((tui8*)l_exp, exp_len, &lexp);
BN_bin2bn((tui8*)l_in, in_len, &lin);
BN_mod_exp(&lout, &lin, &lexp, &lmod, ctx);
rv = BN_bn2bin(&lout, (tui8*)l_out);
if (rv <= out_len)
{
ssl_reverse_it(l_out, rv);
g_memcpy(out, l_out, out_len);
}
else
{
rv = 0;
}
BN_free(&lin);
BN_free(&lout);
BN_free(&lexp);
BN_free(&lmod);
BN_CTX_free(ctx);
g_free(l_out);
g_free(l_in);
g_free(l_mod);
g_free(l_exp);
return rv;
}
static void sendstep1_substep(JPakeStep1 * s1, const BIGNUM *x,
const JPakeUser * us,
const JPakeParameters * params, int n)
{
s1->gx = BN_new();
BN_mod_exp(s1->gx, params->g, x, params->p, params->ctx);
printf(" g^{x%d}", n);
showbn("", s1->gx);
CreateZKP(&s1->zkpx, x, us, params->g, params, n, "");
}
BigNumber BigNumber::modExp(const BigNumber &bn1, const BigNumber &bn2)
{
BigNumber ret;
BN_CTX *bnctx;
bnctx = BN_CTX_new();
BN_mod_exp(ret.m_bn, m_bn, bn1.m_bn, bn2.m_bn, bnctx);
BN_CTX_free(bnctx);
return ret;
}
static int VerifyZKP(const JPakeZKP * zkp, BIGNUM *gx,
const JPakeUserPublic * them, const BIGNUM *zkpg,
const JPakeParameters * params, int n,
const char *suffix)
{
BIGNUM *h = BN_new();
BIGNUM *t1 = BN_new();
BIGNUM *t2 = BN_new();
BIGNUM *t3 = BN_new();
int ret = 0;
zkpHash(h, zkp, gx, them, params);
// t1 = g^b
BN_mod_exp(t1, zkpg, zkp->b, params->p, params->ctx);
// t2 = (g^x)^h = g^{hx}
BN_mod_exp(t2, gx, h, params->p, params->ctx);
// t3 = t1 * t2 = g^{hx} * g^b = g^{hx+b} = g^r (allegedly)
BN_mod_mul(t3, t1, t2, params->p, params->ctx);
printf(" ZKP(x%d%s)\n", n, suffix);
showbn(" zkpg", zkpg);
showbn(" g^r'", t3);
// verify t3 == g^r
if (BN_cmp(t3, zkp->gr) == 0)
ret = 1;
// cleanup
BN_free(t3);
BN_free(t2);
BN_free(t1);
BN_free(h);
if (ret)
puts(" OK");
else
puts(" FAIL");
return ret;
}
// Check Fermat probable primality test (2-PRP): 2 ** (n-1) = 1 (mod n)
// true: n is probable prime
// false: n is composite; set fractional length in the nLength output
static bool FermatProbablePrimalityTest(const CBigNum& n, unsigned int& nLength) {
//CBigNum a = 2; // base; Fermat witness
CBigNum e = n - 1;CBigNum r;
BN_mod_exp(&r, &bnTwo, &e, &n, pctx);
if (r == 1) { return true; }
// Failed Fermat test, calculate fractional length
unsigned int nFractionalLength = (((n-r) << nFractionalBits) / n).getuint();
if (nFractionalLength >= (1 << nFractionalBits))
return error("FermatProbablePrimalityTest() : fractional assert");
nLength = (nLength & TARGET_LENGTH_MASK) | nFractionalLength;
return false;
}
bool ProductEvidence_Verify(const_ProductEvidence ev, const_ProductStatement st)
{
const BIGNUM* g = IntegerGroup_GetG(st->group);
const BIGNUM* h = IntegerGroup_GetH(st->group);
const BIGNUM* p = IntegerGroup_GetP(st->group);
BN_CTX* ctx = IntegerGroup_GetCtx(st->group);
BIGNUM *tmp = BN_new();
// Recompute commitments
// m1' = (g^z h^w1) / A^c
BIGNUM* m1 = IntegerGroup_CascadeExponentiate(st->group, g, ev->z, h, ev->w1);
CHECK_CALL(m1);
CHECK_CALL(BN_copy(tmp, st->commit_a));
CHECK_CALL(BN_mod_exp(tmp, tmp, ev->c, p, ctx));
CHECK_CALL(BN_mod_inverse(tmp, tmp, p, ctx));
CHECK_CALL(BN_mod_mul(m1, m1, tmp, p, ctx));
// m2' = (B^z h^w2) / C^c
BIGNUM* m2 = IntegerGroup_CascadeExponentiate(st->group, st->commit_b, ev->z, h, ev->w2);
CHECK_CALL(m2);
CHECK_CALL(BN_copy(tmp, st->commit_c));
CHECK_CALL(BN_mod_exp(tmp, tmp, ev->c, p, ctx));
CHECK_CALL(BN_mod_inverse(tmp, tmp, p, ctx));
CHECK_CALL(BN_mod_mul(m2, m2, tmp, p, ctx));
BN_clear_free(tmp);
// Check challenge
// c =? H(g, h, q, p, A, B, C, m1', m2')
BIGNUM *c_prime = Commit(st, m1, m2);
BN_free(m1);
BN_free(m2);
bool retval = !BN_cmp(ev->c, c_prime);
BN_clear_free(c_prime);
return retval;
}
/*
* Computes signature and returns it as DSA_SIG structure
*/
DSA_SIG *gost_do_sign (const unsigned char *dgst, int dlen, DSA * dsa)
{
BIGNUM *k = NULL, *tmp = NULL, *tmp2 = NULL;
DSA_SIG *newsig = DSA_SIG_new ();
BIGNUM *md = hashsum2bn (dgst);
/* check if H(M) mod q is zero */
BN_CTX *ctx = BN_CTX_new ();
BN_CTX_start (ctx);
if (!newsig)
{
GOSTerr (GOST_F_GOST_DO_SIGN, GOST_R_NO_MEMORY);
goto err;
}
tmp = BN_CTX_get (ctx);
k = BN_CTX_get (ctx);
tmp2 = BN_CTX_get (ctx);
BN_mod (tmp, md, dsa->q, ctx);
if (BN_is_zero (tmp))
{
BN_one (md);
}
do
{
do
{
/*Generate random number k less than q */
BN_rand_range (k, dsa->q);
/* generate r = (a^x mod p) mod q */
BN_mod_exp (tmp, dsa->g, k, dsa->p, ctx);
if (!(newsig->r))
newsig->r = BN_new ();
BN_mod (newsig->r, tmp, dsa->q, ctx);
}
while (BN_is_zero (newsig->r));
/* generate s = (xr + k(Hm)) mod q */
BN_mod_mul (tmp, dsa->priv_key, newsig->r, dsa->q, ctx);
BN_mod_mul (tmp2, k, md, dsa->q, ctx);
if (!newsig->s)
newsig->s = BN_new ();
BN_mod_add (newsig->s, tmp, tmp2, dsa->q, ctx);
}
while (BN_is_zero (newsig->s));
err:
BN_free (md);
BN_CTX_end (ctx);
BN_CTX_free (ctx);
return newsig;
}
static int crypto_rsa_common(const BYTE* input, int length, UINT32 key_length, const BYTE* modulus, const BYTE* exponent, int exponent_size, BYTE* output)
{
BN_CTX* ctx;
int output_length = -1;
BYTE* input_reverse;
BYTE* modulus_reverse;
BYTE* exponent_reverse;
BIGNUM mod, exp, x, y;
input_reverse = (BYTE*) malloc(2 * key_length + exponent_size);
if (!input_reverse)
return -1;
modulus_reverse = input_reverse + key_length;
exponent_reverse = modulus_reverse + key_length;
memcpy(modulus_reverse, modulus, key_length);
crypto_reverse(modulus_reverse, key_length);
memcpy(exponent_reverse, exponent, exponent_size);
crypto_reverse(exponent_reverse, exponent_size);
memcpy(input_reverse, input, length);
crypto_reverse(input_reverse, length);
ctx = BN_CTX_new();
if (!ctx)
goto out_free_input_reverse;
BN_init(&mod);
BN_init(&exp);
BN_init(&x);
BN_init(&y);
BN_bin2bn(modulus_reverse, key_length, &mod);
BN_bin2bn(exponent_reverse, exponent_size, &exp);
BN_bin2bn(input_reverse, length, &x);
BN_mod_exp(&y, &x, &exp, &mod, ctx);
output_length = BN_bn2bin(&y, output);
crypto_reverse(output, output_length);
if (output_length < (int) key_length)
memset(output + output_length, 0, key_length - output_length);
BN_free(&y);
BN_clear_free(&x);
BN_free(&exp);
BN_free(&mod);
BN_CTX_free(ctx);
out_free_input_reverse:
free(input_reverse);
return output_length;
}
// Prove knowledge of x
// Note that we don't send g^x because, as it happens, we've always
// sent it elsewhere. Also note that because of that, we could avoid
// calculating it here, but we don't, for clarity...
static void CreateZKP(JPakeZKP * zkp, const BIGNUM *x, const JPakeUser * us,
const BIGNUM *zkpg, const JPakeParameters * params,
int n, const char *suffix)
{
BIGNUM *r = BN_new();
BIGNUM *gx = BN_new();
BIGNUM *h = BN_new();
BIGNUM *t = BN_new();
// r in [0,q)
// XXX: Java chooses r in [0, 2^160) - i.e. distribution not uniform
BN_rand_range(r, params->q);
// g^r
zkp->gr = BN_new();
BN_mod_exp(zkp->gr, zkpg, r, params->p, params->ctx);
// g^x
BN_mod_exp(gx, zkpg, x, params->p, params->ctx);
// h=hash...
zkpHash(h, zkp, gx, &us->p, params);
// b = r - x*h
BN_mod_mul(t, x, h, params->q, params->ctx);
zkp->b = BN_new();
BN_mod_sub(zkp->b, r, t, params->q, params->ctx);
// show
printf(" ZKP(x%d%s)\n", n, suffix);
showbn(" zkpg", zkpg);
showbn(" g^x", gx);
showbn(" g^r", zkp->gr);
showbn(" b", zkp->b);
// cleanup
BN_free(t);
BN_free(h);
BN_free(gx);
BN_free(r);
}
BIGNUM *SRP_Calc_client_key(BIGNUM *N, BIGNUM *B, BIGNUM *g, BIGNUM *x,
BIGNUM *a, BIGNUM *u)
{
BIGNUM *tmp = NULL, *tmp2 = NULL, *tmp3 = NULL, *k = NULL, *K = NULL;
BN_CTX *bn_ctx;
if (u == NULL || B == NULL || N == NULL || g == NULL || x == NULL
|| a == NULL || (bn_ctx = BN_CTX_new()) == NULL)
return NULL;
if ((tmp = BN_new()) == NULL ||
(tmp2 = BN_new()) == NULL ||
(tmp3 = BN_new()) == NULL ||
(K = BN_new()) == NULL)
goto err;
if (!BN_mod_exp(tmp, g, x, N, bn_ctx))
goto err;
if ((k = srp_Calc_k(N, g)) == NULL)
goto err;
if (!BN_mod_mul(tmp2, tmp, k, N, bn_ctx))
goto err;
if (!BN_mod_sub(tmp, B, tmp2, N, bn_ctx))
goto err;
if (!BN_mod_mul(tmp3, u, x, N, bn_ctx))
goto err;
if (!BN_mod_add(tmp2, a, tmp3, N, bn_ctx))
goto err;
if (!BN_mod_exp(K, tmp, tmp2, N, bn_ctx))
goto err;
err:
BN_CTX_free(bn_ctx);
BN_clear_free(tmp);
BN_clear_free(tmp2);
BN_clear_free(tmp3);
BN_free(k);
return K;
}
void meteor_user_generate_kgx(SRPUser *usr,
BN_CTX *ctx,
BIGNUM *x,
BIGNUM *k,
BIGNUM **kgx) {
BN_CTX *lctx = BN_CTX_new();
BIGNUM *inner_kgx = BN_new();
BN_mod_exp(inner_kgx, usr->ng->g, x, usr->ng->N, lctx);
BN_mul(*kgx, inner_kgx, k, lctx);
BN_free(inner_kgx);
BN_CTX_free(lctx);
}
/* pollard p-1, algorithm from Jim Gillogly, May 2000 */
static void
pollard_pminus1(BIGNUM *val)
{
BIGNUM *base, *rbase, *num, *i, *x;
base = BN_new();
rbase = BN_new();
num = BN_new();
i = BN_new();
x = BN_new();
BN_set_word(rbase, 1);
newbase:
if (!BN_add_word(rbase, 1))
errx(1, "error in BN_add_word()");
BN_set_word(i, 2);
BN_copy(base, rbase);
for (;;) {
BN_mod_exp(base, base, i, val, ctx);
if (BN_is_one(base))
goto newbase;
BN_copy(x, base);
BN_sub_word(x, 1);
if (!BN_gcd(x, x, val, ctx))
errx(1, "error in BN_gcd()");
if (!BN_is_one(x)) {
if (BN_is_prime(x, PRIME_CHECKS, NULL, NULL,
NULL) == 1)
pr_print(x);
else
pollard_pminus1(x);
fflush(stdout);
BN_div(num, NULL, val, x, ctx);
if (BN_is_one(num))
return;
if (BN_is_prime(num, PRIME_CHECKS, NULL, NULL,
NULL) == 1) {
pr_print(num);
fflush(stdout);
return;
}
BN_copy(val, num);
}
if (!BN_add_word(i, 1))
errx(1, "error in BN_add_word()");
}
}
BIGNUM *
DH_get_order(const DH *dh, BN_CTX *ctx)
{
BIGNUM *order = NULL, *bn = NULL;
const BIGNUM *p, *g;
check(dh && ctx, "Invalid argument");
BN_CTX_start(ctx);
DH_get0_pqg(dh, &p, NULL, &g);
/* suppose the order of g is q-1 */
order = DH_get_q(dh, ctx);
bn = BN_CTX_get(ctx);
if (!bn || !order || !BN_sub_word(order, 1)
|| !BN_mod_exp(bn, g, order, p, ctx))
goto err;
if (BN_cmp(bn, BN_value_one()) != 0) {
/* if bn != 1, then q-1 is not the order of g, but p-1 should be */
if (!BN_sub(order, p, BN_value_one()) ||
!BN_mod_exp(bn, g, order, p, ctx))
goto err;
check(BN_cmp(bn, BN_value_one()) == 0, "Unable to get order");
}
BN_CTX_end(ctx);
return order;
err:
if (order)
BN_clear_free(order);
BN_CTX_end(ctx);
return NULL;
}
static void sendstep2(const JPakeUser * us, JPakeUserPublic * them,
const JPakeParameters * params)
{
BIGNUM *t1 = BN_new();
BIGNUM *t2 = BN_new();
printf("\n%s sends %s:\n\n", us->p.name, them->name);
// X = g^{(xa + xc + xd) * xb * s}
// t1 = g^xa
BN_mod_exp(t1, params->g, us->xa, params->p, params->ctx);
// t2 = t1 * g^{xc} = g^{xa} * g^{xc} = g^{xa + xc}
BN_mod_mul(t2, t1, us->p.s1c.gx, params->p, params->ctx);
// t1 = t2 * g^{xd} = g^{xa + xc + xd}
BN_mod_mul(t1, t2, us->p.s1d.gx, params->p, params->ctx);
// t2 = xb * s
BN_mod_mul(t2, us->xb, us->secret, params->q, params->ctx);
// X = t1^{t2} = t1^{xb * s} = g^{(xa + xc + xd) * xb * s}
them->s2.X = BN_new();
BN_mod_exp(them->s2.X, t1, t2, params->p, params->ctx);
// Show
printf(" g^{(x%d + x%d + x%d) * x%d * s)", us->p.base, them->base,
them->base + 1, us->p.base + 1);
showbn("", them->s2.X);
// ZKP(xb * s)
// XXX: this is kinda funky, because we're using
//
// g' = g^{xa + xc + xd}
//
// as the generator, which means X is g'^{xb * s}
CreateZKP(&them->s2.zkpxbs, t2, us, t1, params, us->p.base + 1, " * s");
// cleanup
BN_free(t1);
BN_free(t2);
}
int
pgp_elgamal_decrypt(PGP_PubKey * pk, PGP_MPI * _c1, PGP_MPI * _c2,
PGP_MPI ** msg_p)
{
int res = PXE_PGP_MATH_FAILED;
BIGNUM *c1 = mpi_to_bn(_c1);
BIGNUM *c2 = mpi_to_bn(_c2);
BIGNUM *p = mpi_to_bn(pk->pub.elg.p);
BIGNUM *x = mpi_to_bn(pk->sec.elg.x);
BIGNUM *c1x = BN_new();
BIGNUM *div = BN_new();
BIGNUM *m = BN_new();
BN_CTX *tmp = BN_CTX_new();
if (!c1 || !c2 || !p || !x || !c1x || !div || !m || !tmp)
goto err;
/*
* m = c2 / (c1^x)
*/
if (!BN_mod_exp(c1x, c1, x, p, tmp))
goto err;
if (!BN_mod_inverse(div, c1x, p, tmp))
goto err;
if (!BN_mod_mul(m, c2, div, p, tmp))
goto err;
/* result */
*msg_p = bn_to_mpi(m);
if (*msg_p)
res = 0;
err:
if (tmp)
BN_CTX_free(tmp);
if (m)
BN_clear_free(m);
if (div)
BN_clear_free(div);
if (c1x)
BN_clear_free(c1x);
if (x)
BN_clear_free(x);
if (p)
BN_clear_free(p);
if (c2)
BN_clear_free(c2);
if (c1)
BN_clear_free(c1);
return res;
}
int test_mod_exp(BIO *bp, BN_CTX *ctx)
{
BIGNUM *a,*b,*c,*d,*e;
int i;
a=BN_new();
b=BN_new();
c=BN_new();
d=BN_new();
e=BN_new();
BN_bntest_rand(c,30,0,1); /* must be odd for montgomery */
for (i=0; i<num2; i++)
{
BN_bntest_rand(a,20+i*5,0,0); /**/
BN_bntest_rand(b,2+i,0,0); /**/
if (!BN_mod_exp(d,a,b,c,ctx))
return(00);
if (bp != NULL)
{
if (!results)
{
BN_print(bp,a);
BIO_puts(bp," ^ ");
BN_print(bp,b);
BIO_puts(bp," % ");
BN_print(bp,c);
BIO_puts(bp," - ");
}
BN_print(bp,d);
BIO_puts(bp,"\n");
}
BN_exp(e,a,b,ctx);
BN_sub(e,e,d);
BN_div(a,b,e,c,ctx);
if(!BN_is_zero(b))
{
fprintf(stderr,"Modulo exponentiation test failed!\n");
return 0;
}
}
BN_free(a);
BN_free(b);
BN_free(c);
BN_free(d);
BN_free(e);
return(1);
}
int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret) {
*ret = 0;
BN_CTX *ctx = BN_CTX_new();
if (ctx == NULL) {
return 0;
}
BN_CTX_start(ctx);
int ok = 0;
/* Check |pub_key| is greater than 1. */
BIGNUM *tmp = BN_CTX_get(ctx);
if (tmp == NULL ||
!BN_set_word(tmp, 1)) {
goto err;
}
if (BN_cmp(pub_key, tmp) <= 0) {
*ret |= DH_CHECK_PUBKEY_TOO_SMALL;
}
/* Check |pub_key| is less than |dh->p| - 1. */
if (!BN_copy(tmp, dh->p) ||
!BN_sub_word(tmp, 1)) {
goto err;
}
if (BN_cmp(pub_key, tmp) >= 0) {
*ret |= DH_CHECK_PUBKEY_TOO_LARGE;
}
if (dh->q != NULL) {
/* Check |pub_key|^|dh->q| is 1 mod |dh->p|. This is necessary for RFC 5114
* groups which are not safe primes but pick a generator on a prime-order
* subgroup of size |dh->q|. */
if (!BN_mod_exp(tmp, pub_key, dh->q, dh->p, ctx)) {
goto err;
}
if (!BN_is_one(tmp)) {
*ret |= DH_CHECK_PUBKEY_INVALID;
}
}
ok = 1;
err:
BN_CTX_end(ctx);
BN_CTX_free(ctx);
return ok;
}
/*
Operates in-place, the result is stored over m
*/
void rsa_encrypt(BIGNUM* m, const BIGNUM* e, const BIGNUM* n) {
BIGNUM* tmp;
BN_CTX *ctx;
assert(BN_cmp(m, n) < 0); /* assert m < n */
ctx = BN_CTX_new();
tmp = BN_new();
BN_copy(tmp, m); /* tmp = m */
BN_mod_exp(m, tmp, e, n, ctx); /* m = tmp ^ e (mod n) */
BN_free(tmp);
BN_CTX_free(ctx);
}
/* g^x is a legal value */
static int is_legal(const BIGNUM *gx, const JPAKE_CTX *ctx)
{
BIGNUM *t;
int res;
if(BN_is_negative(gx) || BN_is_zero(gx) || BN_cmp(gx, ctx->p.p) >= 0)
return 0;
t = BN_new();
BN_mod_exp(t, gx, ctx->p.q, ctx->p.p, ctx->ctx);
res = BN_is_one(t);
BN_free(t);
return res;
}
/*
* Computes public keys for GOST R 34.10-94 algorithm
*
*/
int gost94_compute_public(DSA *dsa)
{
/* Now fill algorithm parameters with correct values */
BN_CTX *ctx = BN_CTX_new();
if (!dsa->g)
{
GOSTerr(GOST_F_GOST94_COMPUTE_PUBLIC,GOST_R_KEY_IS_NOT_INITALIZED);
return 0;
}
/* Compute public key y = a^x mod p */
dsa->pub_key=BN_new();
BN_mod_exp(dsa->pub_key, dsa->g,dsa->priv_key,dsa->p,ctx);
BN_CTX_free(ctx);
return 1;
}
BIGNUM *SRP_Calc_A(BIGNUM *a, BIGNUM *N, BIGNUM *g)
{
BN_CTX *bn_ctx;
BIGNUM *A = NULL;
if (a == NULL || N == NULL || g == NULL || (bn_ctx = BN_CTX_new()) == NULL)
return NULL;
if ((A = BN_new()) != NULL && !BN_mod_exp(A, g, a, N, bn_ctx)) {
BN_free(A);
A = NULL;
}
BN_CTX_free(bn_ctx);
return A;
}
/* encrypts (or decrypts) with private key, not sensitive to
timing attacks (blind encryption)
*/
void rsa_encrypt_secure(BIGNUM* m, const BIGNUM* d,
const BIGNUM* e, const BIGNUM* n,
const unsigned char * r_bin, int r_len) {
BN_CTX *ctx;
BIGNUM *tmp = BN_new();
BIGNUM *r = BN_new();
BIGNUM *r_inv = BN_new();
ctx = BN_CTX_new();
BN_bin2bn(r_bin, r_len, r);
BN_mod(r, r, n, ctx); /* r = r % n */
/*
printf(" r input: ");BN_print_fp(stdout, r);
printf(" n: ");BN_print_fp(stdout, n);
printf("\n");
*/
BN_mod(tmp, n, r, ctx);
/*printf("r=");BN_print_fp(stdout, r); printf("; tmp=");BN_print_fp(stdout, tmp);*/
while (BN_is_zero(tmp)) { /* */
BN_mod_add(r, r, BN_value_one(), n, ctx);
BN_mod(tmp, n, r, ctx);
/*printf("r=");BN_print_fp(stdout, r); printf("; tmp=");BN_print_fp(stdout, tmp);*/
}
/*printf("\n");*/
BN_mod_inverse(r_inv, r, n, ctx);
/*
printf(" r = ");BN_print_fp(stdout, r);
printf(" r_inv = ");BN_print_fp(stdout, r_inv);
printf(" n = ");BN_print_fp(stdout, n);
printf("\n");
*/
BN_mod_exp(r, r, e, n, ctx); /* r = r^e % n */
BN_mod_mul(m, m, r, n, ctx); /* m = m * r % n */
rsa_encrypt(m, d, n);
BN_mod_mul(m, m, r_inv, n, ctx);
BN_free(r);
BN_free(r_inv);
BN_free(tmp);
BN_CTX_free(ctx);
}
static EVP_PKEY *b2i_dss(const unsigned char **in, unsigned int length,
unsigned int bitlen, int ispub)
{
const unsigned char *p = *in;
EVP_PKEY *ret = NULL;
DSA *dsa = NULL;
BN_CTX *ctx = NULL;
unsigned int nbyte;
nbyte = (bitlen + 7) >> 3;
dsa = DSA_new();
ret = EVP_PKEY_new();
if (!dsa || !ret)
goto memerr;
if (!read_lebn(&p, nbyte, &dsa->p))
goto memerr;
if (!read_lebn(&p, 20, &dsa->q))
goto memerr;
if (!read_lebn(&p, nbyte, &dsa->g))
goto memerr;
if (ispub)
{
if (!read_lebn(&p, nbyte, &dsa->pub_key))
goto memerr;
}
else
{
if (!read_lebn(&p, 20, &dsa->priv_key))
goto memerr;
/* Calculate public key */
if (!(dsa->pub_key = BN_new()))
goto memerr;
if (!(ctx = BN_CTX_new()))
goto memerr;
if (!BN_mod_exp(dsa->pub_key, dsa->g,
dsa->priv_key, dsa->p, ctx))
goto memerr;
BN_CTX_free(ctx);
}
EVP_PKEY_set1_DSA(ret, dsa);
DSA_free(dsa);
*in = p;
return ret;
memerr:
PEMerr(PEM_F_B2I_DSS, ERR_R_MALLOC_FAILURE);
if (dsa)
DSA_free(dsa);
if (ret)
EVP_PKEY_free(ret);
if (ctx)
BN_CTX_free(ctx);
return NULL;
}