int compute_scalar_element (pwd_session_t *sess, BN_CTX *bnctx) { BIGNUM *mask = NULL; int ret = -1; if (((sess->private_value = BN_new()) == NULL) || ((sess->my_element = EC_POINT_new(sess->group)) == NULL) || ((sess->my_scalar = BN_new()) == NULL) || ((mask = BN_new()) == NULL)) { DEBUG2("server scalar allocation failed"); goto fail; } BN_rand_range(sess->private_value, sess->order); BN_rand_range(mask, sess->order); BN_add(sess->my_scalar, sess->private_value, mask); BN_mod(sess->my_scalar, sess->my_scalar, sess->order, bnctx); if (!EC_POINT_mul(sess->group, sess->my_element, NULL, sess->pwe, mask, bnctx)) { DEBUG2("server element allocation failed"); goto fail; } if (!EC_POINT_invert(sess->group, sess->my_element, bnctx)) { DEBUG2("server element inversion failed"); goto fail; } ret = 0; fail: BN_free(mask); return ret; }
// Generate each party's random numbers. xa is in [0, q), xb is in [1, q). static void genrand(JPakeUser * user, const JPakeParameters * params) { BIGNUM *qm1; // xa in [0, q) user->xa = BN_new(); BN_rand_range(user->xa, params->q); // q-1 qm1 = BN_new(); BN_copy(qm1, params->q); BN_sub_word(qm1, 1); // ... and xb in [0, q-1) user->xb = BN_new(); BN_rand_range(user->xb, qm1); // [1, q) BN_add_word(user->xb, 1); // cleanup BN_free(qm1); // Show printf("x%d", user->p.base); showbn("", user->xa); printf("x%d", user->p.base + 1); showbn("", user->xb); }
static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) { BN_CTX *ctx; BIGNUM k,*kinv=NULL,*r=NULL; int ret=0; if (!dsa->p || !dsa->q || !dsa->g) { DSAerr(DSA_F_DSA_SIGN_SETUP,DSA_R_MISSING_PARAMETERS); return 0; } if (ctx_in == NULL) { if ((ctx=BN_CTX_new()) == NULL) goto err; } else ctx=ctx_in; BN_init(&k); if ((r=BN_new()) == NULL) goto err; kinv=NULL; /* Get random k */ do if (!BN_rand_range(&k, dsa->q)) goto err; while (BN_is_zero(&k)); if ((dsa->method_mont_p == NULL) && (dsa->flags & DSA_FLAG_CACHE_MONT_P)) { if ((dsa->method_mont_p=(char *)BN_MONT_CTX_new()) != NULL) if (!BN_MONT_CTX_set((BN_MONT_CTX *)dsa->method_mont_p, dsa->p,ctx)) goto err; } /* Compute r = (g^k mod p) mod q */ if (!dsa->meth->bn_mod_exp(dsa, r,dsa->g,&k,dsa->p,ctx, (BN_MONT_CTX *)dsa->method_mont_p)) goto err; if (!BN_mod(r,r,dsa->q,ctx)) goto err; /* Compute part of 's = inv(k) (m + xr) mod q' */ if ((kinv=BN_mod_inverse(NULL,&k,dsa->q,ctx)) == NULL) goto err; if (*kinvp != NULL) BN_clear_free(*kinvp); *kinvp=kinv; kinv=NULL; if (*rp != NULL) BN_clear_free(*rp); *rp=r; ret=1; err: if (!ret) { DSAerr(DSA_F_DSA_SIGN_SETUP,ERR_R_BN_LIB); if (kinv != NULL) BN_clear_free(kinv); if (r != NULL) BN_clear_free(r); } if (ctx_in == NULL) BN_CTX_free(ctx); if (kinv != NULL) BN_clear_free(kinv); BN_clear_free(&k); return(ret); }
int gost2001_keygen(GOST_KEY *ec) { BIGNUM *order = BN_new(), *d = BN_new(); const EC_GROUP *group = GOST_KEY_get0_group(ec); int rc = 0; if (order == NULL || d == NULL) goto err; if (EC_GROUP_get_order(group, order, NULL) == 0) goto err; do { if (BN_rand_range(d, order) == 0) { GOSTerr(GOST_F_GOST2001_KEYGEN, GOST_R_RANDOM_NUMBER_GENERATOR_FAILED); goto err; } } while (BN_is_zero(d)); if (GOST_KEY_set_private_key(ec, d) == 0) goto err; rc = gost2001_compute_public(ec); err: BN_free(d); BN_free(order); return rc; }
void PSPAKE_Message_generate(PSPAKE_Message *message, PSPAKE_CTX *ctx) { BIGNUM *t1 = BN_new(); BIGNUM *t2 = BN_new(); /* just for debugging */ static int cnt = 0; cnt++; /* r belongs to [0, q) */ BN_rand_range(ctx->r, ctx->q); /* t1 = g^r mod q */ BN_mod_exp(t1, ctx->g, ctx->r, ctx->q, ctx->ctx); /* t2 = h^secret mod q */ BN_mod_exp(t2, ctx->h, ctx->secret, ctx->q, ctx->ctx); /* ctx->y = t1 * t2 mod q */ BN_mod_mul(ctx->y, t1, t2, ctx->q, ctx->ctx); /* message->y = ctx->y */ message->y = BN_dup(ctx->y); /* print the random number r generated (just for debugging) */ if (cnt == 1) { print_bn("alice's r", ctx->r); } else { print_bn("bob's r", ctx->r); } }
static int bn_blinding_create_param(BN_BLINDING *b, BN_CTX *ctx, const BN_MONT_CTX *mont_ctx) { int retry_counter = 32; do { if (!BN_rand_range(b->A, b->mod)) { OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR); return 0; } int no_inverse; if (BN_mod_inverse_ex(b->Ai, &no_inverse, b->A, b->mod, ctx) == NULL) { /* this should almost never happen for good RSA keys */ if (no_inverse) { if (retry_counter-- == 0) { OPENSSL_PUT_ERROR(RSA, RSA_R_TOO_MANY_ITERATIONS); return 0; } ERR_clear_error(); } else { OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR); return 0; } } else { break; } } while (1); if (!BN_mod_exp_mont(b->A, b->A, b->e, b->mod, ctx, mont_ctx)) { OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR); return 0; } return 1; }
EC_KEY *EC_KEY_generate_key_ex(const EC_GROUP *group) { EC_KEY *eckey = ec_key_new_ex(group); if (!eckey) { return NULL; } assert(eckey->priv_key == NULL); eckey->priv_key = BN_new(); if (eckey->priv_key == NULL) { goto err; } do { if (!BN_rand_range(eckey->priv_key, &eckey->group->order)) { goto err; } } while (BN_is_zero(eckey->priv_key)); assert(eckey->pub_key == NULL); eckey->pub_key = EC_POINT_new(eckey->group); if (eckey->pub_key == NULL) { goto err; } if (!eckey->group->meth->mul_private(eckey->group, eckey->pub_key, eckey->priv_key, NULL, NULL, NULL)) { goto err; } return eckey; err: EC_KEY_free(eckey); return NULL; }
/* The secret integers s0 and s1 must be in the range 0 < s < n for some n, and must be relatively prime to that n. We know a priori that n is of the form 2**k * p for some small integer k and prime p. Therefore, it suffices to choose a random integer in the range [0, n/2), multiply by two and add one (enforcing oddness), and then reject values which are divisible by p. */ static BIGNUM * random_s(const BIGNUM *n, const BIGNUM *p, BN_CTX *c) { BIGNUM h, m, *r; BN_init(&h); BN_init(&m); FAILZ(r = BN_new()); FAILZ(BN_copy(&h, n)); FAILZ(BN_rshift1(&h, &h)); do { FAILZ(BN_rand_range(r, &h)); FAILZ(BN_lshift1(r, r)); FAILZ(BN_add(r, r, BN_value_one())); FAILZ(BN_nnmod(&m, r, p, c)); } while (BN_is_zero(&m)); BN_clear(&h); BN_clear(&m); return r; fail: BN_clear(&h); BN_clear(&m); if (r) BN_clear_free(r); return 0; }
static BN_BLINDING *setup_blinding(RSA *rsa, BN_CTX *ctx) { const RSA_METHOD *meth; BIGNUM *A, *Ai; BN_BLINDING *ret = NULL; /* added in OpenSSL 0.9.6j and 0.9.7b */ /* NB: similar code appears in RSA_blinding_on (rsa_lib.c); * this should be placed in a new function of its own, but for reasons * of binary compatibility can't */ meth = rsa->meth; BN_CTX_start(ctx); A = BN_CTX_get(ctx); if (rsa->d != NULL && rsa->d->d != NULL) { /* if PRNG is not properly seeded, resort to secret exponent as unpredictable seed */ if (!BN_pseudo_rand_range(A,rsa->n)) goto err; } else { if (!BN_rand_range(A,rsa->n)) goto err; } if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err; if (!meth->bn_mod_exp(A,A,rsa->e,rsa->n,ctx,rsa->_method_mod_n)) goto err; ret = BN_BLINDING_new(A,Ai,rsa->n); BN_free(Ai); err: BN_CTX_end(ctx); return ret; }
/* * Prove knowledge of x * Note that p->gx has already been calculated */ static void generate_zkp(JPAKE_STEP_PART *p, const BIGNUM *x, const BIGNUM *zkpg, JPAKE_CTX *ctx) { BIGNUM *r = BN_new(); BIGNUM *h = BN_new(); BIGNUM *t = BN_new(); /* * r in [0,q) * XXX: Java chooses r in [0, 2^160) - i.e. distribution not uniform */ BN_rand_range(r, ctx->p.q); /* g^r */ BN_mod_exp(p->zkpx.gr, zkpg, r, ctx->p.p, ctx->ctx); /* h=hash... */ zkp_hash(h, zkpg, p, ctx->p.name); /* b = r - x*h */ BN_mod_mul(t, x, h, ctx->p.q, ctx->ctx); BN_mod_sub(p->zkpx.b, r, t, ctx->p.q, ctx->ctx); /* cleanup */ BN_free(t); BN_free(h); BN_free(r); }
/* * * Generates GOST R 34.10-2001 keypair * * */ int gost2001_keygen(EC_KEY *ec) { BIGNUM *order = BN_new(), *d = BN_new(); const EC_GROUP *group = EC_KEY_get0_group(ec); if (!group || !EC_GROUP_get_order(group, order, NULL)) { GOSTerr(GOST_F_GOST2001_KEYGEN, ERR_R_INTERNAL_ERROR); BN_free(d); BN_free(order); return 0; } do { if (!BN_rand_range(d, order)) { GOSTerr(GOST_F_GOST2001_KEYGEN, GOST_R_RANDOM_NUMBER_GENERATOR_FAILED); BN_free(d); BN_free(order); return 0; } } while (BN_is_zero(d)); if (!EC_KEY_set_private_key(ec, d)) { GOSTerr(GOST_F_GOST2001_KEYGEN, ERR_R_INTERNAL_ERROR); BN_free(d); BN_free(order); return 0; } BN_free(d); BN_free(order); return gost2001_compute_public(ec); }
int EC_KEY_generate_key(EC_KEY *eckey) { int ok = 0; BN_CTX *ctx = NULL; BIGNUM *priv_key = NULL, *order = NULL; EC_POINT *pub_key = NULL; if (!eckey || !eckey->group) { ECerr(EC_F_EC_KEY_GENERATE_KEY, ERR_R_PASSED_NULL_PARAMETER); return 0; } if ((order = BN_new()) == NULL) goto err; if ((ctx = BN_CTX_new()) == NULL) goto err; if (eckey->priv_key == NULL) { priv_key = BN_new(); if (priv_key == NULL) goto err; } else priv_key = eckey->priv_key; if (!EC_GROUP_get_order(eckey->group, order, ctx)) goto err; do if (!BN_rand_range(priv_key, order)) goto err; while (BN_is_zero(priv_key)) ; if (eckey->pub_key == NULL) { pub_key = EC_POINT_new(eckey->group); if (pub_key == NULL) goto err; } else pub_key = eckey->pub_key; if (!EC_POINT_mul(eckey->group, pub_key, priv_key, NULL, NULL, ctx)) goto err; eckey->priv_key = priv_key; eckey->pub_key = pub_key; ok = 1; err: if (order) BN_free(order); if (pub_key != NULL && eckey->pub_key == NULL) EC_POINT_free(pub_key); if (priv_key != NULL && eckey->priv_key == NULL) BN_free(priv_key); if (ctx != NULL) BN_CTX_free(ctx); return (ok); }
void Person::set_keys() { a = BN_new(); BN_rand_range(a, p); A = BN_new(); BN_CTX *ctx = BN_CTX_new(); BN_mod_exp(A, g, a, p, ctx); if (ctx) BN_CTX_free(ctx); }
static int dsa_builtin_keygen(DSA *dsa) { int ok = 0; BN_CTX *ctx = NULL; BIGNUM *pub_key = NULL, *priv_key = NULL; if ((ctx = BN_CTX_new()) == NULL) goto err; if (dsa->priv_key == NULL) { if ((priv_key = BN_secure_new()) == NULL) goto err; } else priv_key = dsa->priv_key; do if (!BN_rand_range(priv_key, dsa->q)) goto err; while (BN_is_zero(priv_key)) ; if (dsa->pub_key == NULL) { if ((pub_key = BN_new()) == NULL) goto err; } else pub_key = dsa->pub_key; { BIGNUM *local_prk = NULL; BIGNUM *prk; if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) { local_prk = prk = BN_new(); if (!local_prk) goto err; BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME); } else prk = priv_key; if (!BN_mod_exp(pub_key, dsa->g, prk, dsa->p, ctx)) { BN_free(local_prk); goto err; } BN_free(local_prk); } dsa->priv_key = priv_key; dsa->pub_key = pub_key; ok = 1; err: if (pub_key != dsa->pub_key) BN_free(pub_key); if (priv_key != dsa->priv_key) BN_free(priv_key); BN_CTX_free(ctx); return (ok); }
CSignerECDSA::CSignerECDSA(const uint8_t PrivData[32], unsigned char Signature[65]) { order.setuint256(g_Order); EC_KEY* pkey = EC_KEY_new_by_curve_name(NID_secp256k1); const EC_GROUP *group = EC_KEY_get0_group(pkey); CBigNum privkey; BN_bin2bn(PrivData, 32, &privkey); EC_KEY_regenerate_key(pkey, &privkey); EC_POINT *tmp_point = EC_POINT_new(group); EC_POINT *test_point = EC_POINT_new(group); CBigNum r, X, Y; bool which = false; do { // get random k do BN_rand_range(&kinv, &order); while (!kinv); /* We do not want timing information to leak the length of k, * so we compute G*k using an equivalent scalar of fixed * bit-length. */ kinv += order; if (BN_num_bits(&kinv) <= 256) kinv += order; // compute r the x-coordinate of generator * k EC_POINT_mul(group, tmp_point, &kinv, NULL, NULL, ctx); EC_POINT_get_affine_coordinates_GFp(group, tmp_point, &X, &Y, ctx); EC_POINT_set_compressed_coordinates_GFp(group, test_point, &X, 0, ctx); which = !!EC_POINT_cmp(group, tmp_point, test_point, ctx); BN_nnmod(&r, &X, &order, ctx); } while (!r); // compute the inverse of k BN_mod_inverse(&kinv, &kinv, &order, ctx); BN_mod_mul(&pmr, &privkey, &r, &order, ctx); BN_mod_mul(&prk, &pmr, &kinv, &order, ctx); memset(Signature, 0, 65); int nBitsR = BN_num_bits(&r); BN_bn2bin(&r, &Signature[33-(nBitsR+7)/8]); Signature[0] = 27 + which; EC_POINT_free(tmp_point); EC_POINT_free(test_point); EC_KEY_free(pkey); }
/* Generate each party's random numbers. xa is in [0, q), xb is in [1, q). */ static void genrand(JPAKE_CTX *ctx) { BIGNUM *qm1; /* xa in [0, q) */ BN_rand_range(ctx->xa, ctx->p.q); /* q-1 */ qm1 = BN_new(); BN_copy(qm1, ctx->p.q); BN_sub_word(qm1, 1); /* ... and xb in [0, q-1) */ BN_rand_range(ctx->xb, qm1); /* [1, q) */ BN_add_word(ctx->xb, 1); /* cleanup */ BN_free(qm1); }
/** * eccx08_generate_key() * * \brief Generates a 32-byte private key then replaces it with token * data using the eccx08_eckey_encode_in_privkey() call * * \param[out] p_eckey Pointer to EC_KEY with Public Key on success * \param[in] serial_number 9 bytes of ATECCX08 serial number * \param[in] serial_len Size of the ATECCX08 serial number buffer * \return 1 on success, 0 on error */ int eccx08_generate_key(EC_KEY *eckey, uint8_t *serial_number, int serial_len) { int ok = 0; int ret = 0; BN_CTX *ctx = NULL; BIGNUM *priv_key = NULL, *order = NULL; EC_POINT *pub_key = NULL; uint8_t slotid = TLS_SLOT_AUTH_PRIV; if (!eckey || !eckey->group) { ECerr(EC_F_EC_KEY_GENERATE_KEY, ERR_R_PASSED_NULL_PARAMETER); return 0; } if ((order = BN_new()) == NULL) goto err; if ((ctx = BN_CTX_new()) == NULL) goto err; if (eckey->priv_key == NULL) { priv_key = BN_new(); if (priv_key == NULL) goto err; } else { priv_key = eckey->priv_key; } eckey->priv_key = priv_key; if (!EC_GROUP_get_order(eckey->group, order, ctx)) goto err; do if (!BN_rand_range(priv_key, order)) goto err; while (BN_is_zero(priv_key)); ret = eccx08_eckey_encode_in_privkey(eckey, slotid, serial_number, ATCA_SERIAL_NUM_SIZE); if (!ret) goto err; if (eckey->pub_key == NULL) { pub_key = EC_POINT_new(eckey->group); if (pub_key == NULL) goto err; } else pub_key = eckey->pub_key; if (!EC_POINT_mul(eckey->group, pub_key, priv_key, NULL, NULL, ctx)) goto err; eckey->pub_key = pub_key; ok = 1; err: if (order) BN_free(order); if (pub_key != NULL && eckey->pub_key == NULL) EC_POINT_free(pub_key); if (priv_key != NULL && eckey->priv_key == NULL) BN_free(priv_key); if (ctx != NULL) BN_CTX_free(ctx); return (ok); }
int CREDLIB_rand_range( BIGNUM* rnd, int Zps, BIGNUM* p ) { EXCEPTION; if ( !p || !rnd ) { THROW( CREDLIB_NULL_PTR ); } again: if ( !BN_rand_range( rnd, p ) ) { THROW( CREDLIB_RND_NOT_SEEDED ); } if ( Zps && BN_is_zero( rnd ) ) { goto again; } /* Zp* */ /* Zp* means must not be 0 */ cleanup: return ret; }
/* * Computes signature and returns it as DSA_SIG structure */ DSA_SIG *gost_do_sign (const unsigned char *dgst, int dlen, DSA * dsa) { BIGNUM *k = NULL, *tmp = NULL, *tmp2 = NULL; DSA_SIG *newsig = DSA_SIG_new (); BIGNUM *md = hashsum2bn (dgst); /* check if H(M) mod q is zero */ BN_CTX *ctx = BN_CTX_new (); BN_CTX_start (ctx); if (!newsig) { GOSTerr (GOST_F_GOST_DO_SIGN, GOST_R_NO_MEMORY); goto err; } tmp = BN_CTX_get (ctx); k = BN_CTX_get (ctx); tmp2 = BN_CTX_get (ctx); BN_mod (tmp, md, dsa->q, ctx); if (BN_is_zero (tmp)) { BN_one (md); } do { do { /*Generate random number k less than q */ BN_rand_range (k, dsa->q); /* generate r = (a^x mod p) mod q */ BN_mod_exp (tmp, dsa->g, k, dsa->p, ctx); if (!(newsig->r)) newsig->r = BN_new (); BN_mod (newsig->r, tmp, dsa->q, ctx); } while (BN_is_zero (newsig->r)); /* generate s = (xr + k(Hm)) mod q */ BN_mod_mul (tmp, dsa->priv_key, newsig->r, dsa->q, ctx); BN_mod_mul (tmp2, k, md, dsa->q, ctx); if (!newsig->s) newsig->s = BN_new (); BN_mod_add (newsig->s, tmp, tmp2, dsa->q, ctx); } while (BN_is_zero (newsig->s)); err: BN_free (md); BN_CTX_end (ctx); BN_CTX_free (ctx); return newsig; }
int compute_scalar_element(REQUEST *request, pwd_session_t *session, BN_CTX *bn_ctx) { BIGNUM *mask = NULL; int ret = -1; MEM(session->private_value = BN_new()); MEM(session->my_element = EC_POINT_new(session->group)); MEM(session->my_scalar = BN_new()); MEM(mask = BN_new()); if (BN_rand_range(session->private_value, session->order) != 1) { REDEBUG("Unable to get randomness for private_value"); goto error; } if (BN_rand_range(mask, session->order) != 1) { REDEBUG("Unable to get randomness for mask"); goto error; } BN_add(session->my_scalar, session->private_value, mask); BN_mod(session->my_scalar, session->my_scalar, session->order, bn_ctx); if (!EC_POINT_mul(session->group, session->my_element, NULL, session->pwe, mask, bn_ctx)) { REDEBUG("Server element allocation failed"); goto error; } if (!EC_POINT_invert(session->group, session->my_element, bn_ctx)) { REDEBUG("Server element inversion failed"); goto error; } ret = 0; error: BN_clear_free(mask); return ret; }
static int generate_key(DH *dh) { int ok=0; BN_CTX ctx; BN_MONT_CTX *mont; BIGNUM *pub_key=NULL,*priv_key=NULL; BN_CTX_init(&ctx); if (dh->priv_key == NULL) { priv_key=BN_new(); if (priv_key == NULL) goto err; do if (!BN_rand_range(priv_key, dh->p)) goto err; while (BN_is_zero(priv_key)); } else priv_key=dh->priv_key; if (dh->pub_key == NULL) { pub_key=BN_new(); if (pub_key == NULL) goto err; } else pub_key=dh->pub_key; if ((dh->method_mont_p == NULL) && (dh->flags & DH_FLAG_CACHE_MONT_P)) { if ((dh->method_mont_p=(char *)BN_MONT_CTX_new()) != NULL) if (!BN_MONT_CTX_set((BN_MONT_CTX *)dh->method_mont_p, dh->p,&ctx)) goto err; } mont=(BN_MONT_CTX *)dh->method_mont_p; if (!dh->meth->bn_mod_exp(dh, pub_key,dh->g,priv_key,dh->p,&ctx,mont)) goto err; dh->pub_key=pub_key; dh->priv_key=priv_key; ok=1; err: if (ok != 1) DHerr(DH_F_DH_GENERATE_KEY,ERR_R_BN_LIB); if ((pub_key != NULL) && (dh->pub_key == NULL)) BN_free(pub_key); if ((priv_key != NULL) && (dh->priv_key == NULL)) BN_free(priv_key); BN_CTX_free(&ctx); return(ok); }
int ossl_ec_key_gen(EC_KEY *eckey) { int ok = 0; BN_CTX *ctx = NULL; BIGNUM *priv_key = NULL, *order = NULL; EC_POINT *pub_key = NULL; if ((order = BN_new()) == NULL) goto err; if ((ctx = BN_CTX_new()) == NULL) goto err; if (eckey->priv_key == NULL) { priv_key = BN_new(); if (priv_key == NULL) goto err; } else priv_key = eckey->priv_key; if (!EC_GROUP_get_order(eckey->group, order, ctx)) goto err; do if (!BN_rand_range(priv_key, order)) goto err; while (BN_is_zero(priv_key)) ; if (eckey->pub_key == NULL) { pub_key = EC_POINT_new(eckey->group); if (pub_key == NULL) goto err; } else pub_key = eckey->pub_key; if (!EC_POINT_mul(eckey->group, pub_key, priv_key, NULL, NULL, ctx)) goto err; eckey->priv_key = priv_key; eckey->pub_key = pub_key; ok = 1; err: BN_free(order); if (eckey->pub_key == NULL) EC_POINT_free(pub_key); if (eckey->priv_key != priv_key) BN_free(priv_key); BN_CTX_free(ctx); return (ok); }
static void schnorr_selftest(void) { BIGNUM *x; struct modp_group *grp; u_int i; char *hh; grp = jpake_default_group(); if ((x = BN_new()) == NULL) fatal("%s: BN_new", __func__); SCHNORR_DEBUG_BN((grp->p, "%s: grp->p = ", __func__)); SCHNORR_DEBUG_BN((grp->q, "%s: grp->q = ", __func__)); SCHNORR_DEBUG_BN((grp->g, "%s: grp->g = ", __func__)); /* [1, 20) */ for (i = 1; i < 20; i++) { printf("x = %u\n", i); fflush(stdout); if (BN_set_word(x, i) != 1) fatal("%s: set x word", __func__); schnorr_selftest_one(grp->p, grp->q, grp->g, x); } /* 100 x random [0, p) */ for (i = 0; i < 100; i++) { if (BN_rand_range(x, grp->p) != 1) fatal("%s: BN_rand_range", __func__); hh = BN_bn2hex(x); printf("x = (random) 0x%s\n", hh); free(hh); fflush(stdout); schnorr_selftest_one(grp->p, grp->q, grp->g, x); } /* [q-20, q) */ if (BN_set_word(x, 20) != 1) fatal("%s: BN_set_word (x = 20)", __func__); if (BN_sub(x, grp->q, x) != 1) fatal("%s: BN_sub (q - x)", __func__); for (i = 0; i < 19; i++) { hh = BN_bn2hex(x); printf("x = (q - %d) 0x%s\n", 20 - i, hh); free(hh); fflush(stdout); schnorr_selftest_one(grp->p, grp->q, grp->g, x); if (BN_add(x, x, BN_value_one()) != 1) fatal("%s: BN_add (x + 1)", __func__); } BN_free(x); }
int RSA_blinding_on(RSA *rsa, BN_CTX *p_ctx) { BIGNUM *A,*Ai = NULL; BN_CTX *ctx; int ret=0; if (p_ctx == NULL) { if ((ctx=BN_CTX_new()) == NULL) goto err; } else ctx=p_ctx; /* XXXXX: Shouldn't this be RSA_blinding_off(rsa)? */ if (rsa->blinding != NULL) { BN_BLINDING_free(rsa->blinding); rsa->blinding = NULL; } /* NB: similar code appears in setup_blinding (rsa_eay.c); * this should be placed in a new function of its own, but for reasons * of binary compatibility can't */ BN_CTX_start(ctx); A = BN_CTX_get(ctx); if (rsa->d != NULL && rsa->d->d != NULL) { if (!BN_pseudo_rand_range(A,rsa->n)) goto err; } else { if (!BN_rand_range(A,rsa->n)) goto err; } if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err; if (!rsa->meth->bn_mod_exp(A,A, rsa->e,rsa->n,ctx,rsa->_method_mod_n)) goto err; if ((rsa->blinding=BN_BLINDING_new(A,Ai,rsa->n)) == NULL) goto err; /* to make things thread-safe without excessive locking, * rsa->blinding will be used just by the current thread: */ rsa->flags |= RSA_FLAG_BLINDING; rsa->flags &= ~RSA_FLAG_NO_BLINDING; ret=1; err: if (Ai != NULL) BN_free(Ai); BN_CTX_end(ctx); if (ctx != p_ctx) BN_CTX_free(ctx); return(ret); }
int ec_key_simple_generate_key(EC_KEY *eckey) { int ok = 0; BN_CTX *ctx = NULL; BIGNUM *priv_key = NULL; const BIGNUM *order = NULL; EC_POINT *pub_key = NULL; if ((ctx = BN_CTX_new()) == NULL) goto err; if (eckey->priv_key == NULL) { priv_key = BN_new(); if (priv_key == NULL) goto err; } else priv_key = eckey->priv_key; order = EC_GROUP_get0_order(eckey->group); if (order == NULL) goto err; do if (!BN_rand_range(priv_key, order)) goto err; while (BN_is_zero(priv_key)) ; if (eckey->pub_key == NULL) { pub_key = EC_POINT_new(eckey->group); if (pub_key == NULL) goto err; } else pub_key = eckey->pub_key; if (!EC_POINT_mul(eckey->group, pub_key, priv_key, NULL, NULL, ctx)) goto err; eckey->priv_key = priv_key; eckey->pub_key = pub_key; ok = 1; err: if (eckey->pub_key == NULL) EC_POINT_free(pub_key); if (eckey->priv_key != priv_key) BN_free(priv_key); BN_CTX_free(ctx); return ok; }
pseudonym *polypseud_randomize(const polypseud_ctx *ctx, pseudonym *pseud) { BIGNUM *l = BN_new(); if(BN_rand_range(l, ctx->p) == 0) return NULL; EC_POINT *t = EC_POINT_new(ctx->ec_group); EC_POINT_mul(ctx->ec_group, t, NULL, ctx->g, l, ctx->bn_ctx); EC_POINT_add(ctx->ec_group, pseud->a, pseud->a, t, ctx->bn_ctx); EC_POINT_mul(ctx->ec_group, t, NULL, pseud->c, l, ctx->bn_ctx); EC_POINT_add(ctx->ec_group, pseud->b, pseud->b, t, ctx->bn_ctx); EC_POINT_free(t); return pseud; }
int bn_probable_prime_dh_coprime(BIGNUM *rnd, int bits, BN_CTX *ctx) { int i; BIGNUM *offset_index; BIGNUM *offset_count; int ret = 0; OPENSSL_assert(bits > prime_multiplier_bits); BN_CTX_start(ctx); if ((offset_index = BN_CTX_get(ctx)) == NULL) goto err; if ((offset_count = BN_CTX_get(ctx)) == NULL) goto err; if (!BN_add_word(offset_count, prime_offset_count)) goto err; loop: if (!BN_rand(rnd, bits - prime_multiplier_bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD)) goto err; if (BN_is_bit_set(rnd, bits)) goto loop; if (!BN_rand_range(offset_index, offset_count)) goto err; if (!BN_mul_word(rnd, prime_multiplier) || !BN_add_word(rnd, prime_offsets[BN_get_word(offset_index)])) goto err; /* we now have a random number 'rand' to test. */ /* skip coprimes */ for (i = first_prime_index; i < NUMPRIMES; i++) { /* check that rnd is a prime */ BN_ULONG mod = BN_mod_word(rnd, (BN_ULONG)primes[i]); if (mod == (BN_ULONG)-1) goto err; if (mod <= 1) goto loop; } ret = 1; err: BN_CTX_end(ctx); bn_check_top(rnd); return ret; }
static int ssl_ec_point_offer(SSL_ECDH_CTX *ctx, CBB *out) { assert(ctx->data == NULL); BIGNUM *private_key = BN_new(); if (private_key == NULL) { return 0; } ctx->data = private_key; /* Set up a shared |BN_CTX| for all operations. */ BN_CTX *bn_ctx = BN_CTX_new(); if (bn_ctx == NULL) { return 0; } BN_CTX_start(bn_ctx); int ret = 0; EC_POINT *public_key = NULL; EC_GROUP *group = EC_GROUP_new_by_curve_name(ctx->method->nid); if (group == NULL) { goto err; } /* Generate a private key. */ const BIGNUM *order = EC_GROUP_get0_order(group); do { if (!BN_rand_range(private_key, order)) { goto err; } } while (BN_is_zero(private_key)); /* Compute the corresponding public key and serialize it. */ public_key = EC_POINT_new(group); if (public_key == NULL || !EC_POINT_mul(group, public_key, private_key, NULL, NULL, bn_ctx) || !EC_POINT_point2cbb(out, group, public_key, POINT_CONVERSION_UNCOMPRESSED, bn_ctx)) { goto err; } ret = 1; err: EC_GROUP_free(group); EC_POINT_free(public_key); BN_CTX_end(bn_ctx); BN_CTX_free(bn_ctx); return ret; }
int MKEM_generate_message(const MKEM *kp, uint8_t *secret, uint8_t *message) { BIGNUM u; uint8_t pad; int rv = -1; BN_init(&u); if (BN_rand_range(&u, kp->params->maxu) && BN_add(&u, &u, BN_value_one()) && RAND_bytes(&pad, 1) && !MKEM_generate_message_u(kp, &u, pad, secret, message)) rv = 0; BN_clear(&u); return rv; }
static int bn_blinding_create_param(BN_BLINDING *b, const RSA *rsa, BN_CTX *ctx) { int retry_counter = 32; do { if (!BN_rand_range(b->A, rsa->n)) { OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR); return 0; } /* `BN_from_montgomery` + `BN_mod_inverse_no_branch` is equivalent to, but * more efficient than, `BN_mod_inverse_no_branch` + `BN_to_montgomery`. */ if (!BN_from_montgomery(b->Ai, b->A, rsa->mont_n, ctx)) { return 0; } assert(BN_get_flags(b->A, BN_FLG_CONSTTIME)); int no_inverse; if (BN_mod_inverse_no_branch(b->Ai, &no_inverse, b->Ai, rsa->n, ctx) == NULL) { /* this should almost never happen for good RSA keys */ if (no_inverse) { if (retry_counter-- == 0) { OPENSSL_PUT_ERROR(RSA, RSA_R_TOO_MANY_ITERATIONS); return 0; } ERR_clear_error(); } else { OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR); return 0; } } else { break; } } while (1); if (!BN_mod_exp_mont(b->A, b->A, rsa->e, rsa->n, ctx, rsa->mont_n)) { OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR); return 0; } if (!BN_to_montgomery(b->A, b->A, rsa->mont_n, ctx)) { OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR); return 0; } return 1; }