int compute_scalar_element (pwd_session_t *sess, BN_CTX *bnctx) {
BIGNUM *mask = NULL;
int ret = -1;
if (((sess->private_value = BN_new()) == NULL) ||
((sess->my_element = EC_POINT_new(sess->group)) == NULL) ||
((sess->my_scalar = BN_new()) == NULL) ||
((mask = BN_new()) == NULL)) {
DEBUG2("server scalar allocation failed");
goto fail;
}
BN_rand_range(sess->private_value, sess->order);
BN_rand_range(mask, sess->order);
BN_add(sess->my_scalar, sess->private_value, mask);
BN_mod(sess->my_scalar, sess->my_scalar, sess->order, bnctx);
if (!EC_POINT_mul(sess->group, sess->my_element, NULL, sess->pwe, mask, bnctx)) {
DEBUG2("server element allocation failed");
goto fail;
}
if (!EC_POINT_invert(sess->group, sess->my_element, bnctx)) {
DEBUG2("server element inversion failed");
goto fail;
}
ret = 0;
fail:
BN_free(mask);
return ret;
}
// Generate each party's random numbers. xa is in [0, q), xb is in [1, q).
static void genrand(JPakeUser * user, const JPakeParameters * params)
{
BIGNUM *qm1;
// xa in [0, q)
user->xa = BN_new();
BN_rand_range(user->xa, params->q);
// q-1
qm1 = BN_new();
BN_copy(qm1, params->q);
BN_sub_word(qm1, 1);
// ... and xb in [0, q-1)
user->xb = BN_new();
BN_rand_range(user->xb, qm1);
// [1, q)
BN_add_word(user->xb, 1);
// cleanup
BN_free(qm1);
// Show
printf("x%d", user->p.base);
showbn("", user->xa);
printf("x%d", user->p.base + 1);
showbn("", user->xb);
}
static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
{
BN_CTX *ctx;
BIGNUM k,*kinv=NULL,*r=NULL;
int ret=0;
if (!dsa->p || !dsa->q || !dsa->g)
{
DSAerr(DSA_F_DSA_SIGN_SETUP,DSA_R_MISSING_PARAMETERS);
return 0;
}
if (ctx_in == NULL)
{
if ((ctx=BN_CTX_new()) == NULL) goto err;
}
else
ctx=ctx_in;
BN_init(&k);
if ((r=BN_new()) == NULL) goto err;
kinv=NULL;
/* Get random k */
do
if (!BN_rand_range(&k, dsa->q)) goto err;
while (BN_is_zero(&k));
if ((dsa->method_mont_p == NULL) && (dsa->flags & DSA_FLAG_CACHE_MONT_P))
{
if ((dsa->method_mont_p=(char *)BN_MONT_CTX_new()) != NULL)
if (!BN_MONT_CTX_set((BN_MONT_CTX *)dsa->method_mont_p,
dsa->p,ctx)) goto err;
}
/* Compute r = (g^k mod p) mod q */
if (!dsa->meth->bn_mod_exp(dsa, r,dsa->g,&k,dsa->p,ctx,
(BN_MONT_CTX *)dsa->method_mont_p)) goto err;
if (!BN_mod(r,r,dsa->q,ctx)) goto err;
/* Compute part of 's = inv(k) (m + xr) mod q' */
if ((kinv=BN_mod_inverse(NULL,&k,dsa->q,ctx)) == NULL) goto err;
if (*kinvp != NULL) BN_clear_free(*kinvp);
*kinvp=kinv;
kinv=NULL;
if (*rp != NULL) BN_clear_free(*rp);
*rp=r;
ret=1;
err:
if (!ret)
{
DSAerr(DSA_F_DSA_SIGN_SETUP,ERR_R_BN_LIB);
if (kinv != NULL) BN_clear_free(kinv);
if (r != NULL) BN_clear_free(r);
}
if (ctx_in == NULL) BN_CTX_free(ctx);
if (kinv != NULL) BN_clear_free(kinv);
BN_clear_free(&k);
return(ret);
}
int
gost2001_keygen(GOST_KEY *ec)
{
BIGNUM *order = BN_new(), *d = BN_new();
const EC_GROUP *group = GOST_KEY_get0_group(ec);
int rc = 0;
if (order == NULL || d == NULL)
goto err;
if (EC_GROUP_get_order(group, order, NULL) == 0)
goto err;
do {
if (BN_rand_range(d, order) == 0) {
GOSTerr(GOST_F_GOST2001_KEYGEN,
GOST_R_RANDOM_NUMBER_GENERATOR_FAILED);
goto err;
}
} while (BN_is_zero(d));
if (GOST_KEY_set_private_key(ec, d) == 0)
goto err;
rc = gost2001_compute_public(ec);
err:
BN_free(d);
BN_free(order);
return rc;
}
void PSPAKE_Message_generate(PSPAKE_Message *message, PSPAKE_CTX *ctx)
{
BIGNUM *t1 = BN_new();
BIGNUM *t2 = BN_new();
/* just for debugging */
static int cnt = 0;
cnt++;
/* r belongs to [0, q) */
BN_rand_range(ctx->r, ctx->q);
/* t1 = g^r mod q */
BN_mod_exp(t1, ctx->g, ctx->r, ctx->q, ctx->ctx);
/* t2 = h^secret mod q */
BN_mod_exp(t2, ctx->h, ctx->secret, ctx->q, ctx->ctx);
/* ctx->y = t1 * t2 mod q */
BN_mod_mul(ctx->y, t1, t2, ctx->q, ctx->ctx);
/* message->y = ctx->y */
message->y = BN_dup(ctx->y);
/* print the random number r generated (just for debugging) */
if (cnt == 1)
{
print_bn("alice's r", ctx->r);
}
else
{
print_bn("bob's r", ctx->r);
}
}
static int bn_blinding_create_param(BN_BLINDING *b, BN_CTX *ctx,
const BN_MONT_CTX *mont_ctx) {
int retry_counter = 32;
do {
if (!BN_rand_range(b->A, b->mod)) {
OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
return 0;
}
int no_inverse;
if (BN_mod_inverse_ex(b->Ai, &no_inverse, b->A, b->mod, ctx) == NULL) {
/* this should almost never happen for good RSA keys */
if (no_inverse) {
if (retry_counter-- == 0) {
OPENSSL_PUT_ERROR(RSA, RSA_R_TOO_MANY_ITERATIONS);
return 0;
}
ERR_clear_error();
} else {
OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
return 0;
}
} else {
break;
}
} while (1);
if (!BN_mod_exp_mont(b->A, b->A, b->e, b->mod, ctx, mont_ctx)) {
OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
return 0;
}
return 1;
}
EC_KEY *EC_KEY_generate_key_ex(const EC_GROUP *group) {
EC_KEY *eckey = ec_key_new_ex(group);
if (!eckey) {
return NULL;
}
assert(eckey->priv_key == NULL);
eckey->priv_key = BN_new();
if (eckey->priv_key == NULL) {
goto err;
}
do {
if (!BN_rand_range(eckey->priv_key, &eckey->group->order)) {
goto err;
}
} while (BN_is_zero(eckey->priv_key));
assert(eckey->pub_key == NULL);
eckey->pub_key = EC_POINT_new(eckey->group);
if (eckey->pub_key == NULL) {
goto err;
}
if (!eckey->group->meth->mul_private(eckey->group, eckey->pub_key,
eckey->priv_key, NULL, NULL, NULL)) {
goto err;
}
return eckey;
err:
EC_KEY_free(eckey);
return NULL;
}
/* The secret integers s0 and s1 must be in the range 0 < s < n for
some n, and must be relatively prime to that n. We know a priori
that n is of the form 2**k * p for some small integer k and prime
p. Therefore, it suffices to choose a random integer in the range
[0, n/2), multiply by two and add one (enforcing oddness), and then
reject values which are divisible by p. */
static BIGNUM *
random_s(const BIGNUM *n, const BIGNUM *p, BN_CTX *c)
{
BIGNUM h, m, *r;
BN_init(&h);
BN_init(&m);
FAILZ(r = BN_new());
FAILZ(BN_copy(&h, n));
FAILZ(BN_rshift1(&h, &h));
do {
FAILZ(BN_rand_range(r, &h));
FAILZ(BN_lshift1(r, r));
FAILZ(BN_add(r, r, BN_value_one()));
FAILZ(BN_nnmod(&m, r, p, c));
} while (BN_is_zero(&m));
BN_clear(&h);
BN_clear(&m);
return r;
fail:
BN_clear(&h);
BN_clear(&m);
if (r) BN_clear_free(r);
return 0;
}
static BN_BLINDING *setup_blinding(RSA *rsa, BN_CTX *ctx)
{
const RSA_METHOD *meth;
BIGNUM *A, *Ai;
BN_BLINDING *ret = NULL;
/* added in OpenSSL 0.9.6j and 0.9.7b */
/* NB: similar code appears in RSA_blinding_on (rsa_lib.c);
* this should be placed in a new function of its own, but for reasons
* of binary compatibility can't */
meth = rsa->meth;
BN_CTX_start(ctx);
A = BN_CTX_get(ctx);
if (rsa->d != NULL && rsa->d->d != NULL)
{
/* if PRNG is not properly seeded, resort to secret exponent as unpredictable seed */
if (!BN_pseudo_rand_range(A,rsa->n)) goto err;
}
else
{
if (!BN_rand_range(A,rsa->n)) goto err;
}
if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err;
if (!meth->bn_mod_exp(A,A,rsa->e,rsa->n,ctx,rsa->_method_mod_n))
goto err;
ret = BN_BLINDING_new(A,Ai,rsa->n);
BN_free(Ai);
err:
BN_CTX_end(ctx);
return ret;
}
/*
* Prove knowledge of x
* Note that p->gx has already been calculated
*/
static void generate_zkp(JPAKE_STEP_PART *p, const BIGNUM *x,
const BIGNUM *zkpg, JPAKE_CTX *ctx)
{
BIGNUM *r = BN_new();
BIGNUM *h = BN_new();
BIGNUM *t = BN_new();
/*
* r in [0,q)
* XXX: Java chooses r in [0, 2^160) - i.e. distribution not uniform
*/
BN_rand_range(r, ctx->p.q);
/* g^r */
BN_mod_exp(p->zkpx.gr, zkpg, r, ctx->p.p, ctx->ctx);
/* h=hash... */
zkp_hash(h, zkpg, p, ctx->p.name);
/* b = r - x*h */
BN_mod_mul(t, x, h, ctx->p.q, ctx->ctx);
BN_mod_sub(p->zkpx.b, r, t, ctx->p.q, ctx->ctx);
/* cleanup */
BN_free(t);
BN_free(h);
BN_free(r);
}
/*
*
* Generates GOST R 34.10-2001 keypair
*
*
*/
int gost2001_keygen(EC_KEY *ec)
{
BIGNUM *order = BN_new(), *d = BN_new();
const EC_GROUP *group = EC_KEY_get0_group(ec);
if (!group || !EC_GROUP_get_order(group, order, NULL)) {
GOSTerr(GOST_F_GOST2001_KEYGEN, ERR_R_INTERNAL_ERROR);
BN_free(d);
BN_free(order);
return 0;
}
do {
if (!BN_rand_range(d, order)) {
GOSTerr(GOST_F_GOST2001_KEYGEN,
GOST_R_RANDOM_NUMBER_GENERATOR_FAILED);
BN_free(d);
BN_free(order);
return 0;
}
}
while (BN_is_zero(d));
if (!EC_KEY_set_private_key(ec, d)) {
GOSTerr(GOST_F_GOST2001_KEYGEN, ERR_R_INTERNAL_ERROR);
BN_free(d);
BN_free(order);
return 0;
}
BN_free(d);
BN_free(order);
return gost2001_compute_public(ec);
}
int EC_KEY_generate_key(EC_KEY *eckey)
{
int ok = 0;
BN_CTX *ctx = NULL;
BIGNUM *priv_key = NULL, *order = NULL;
EC_POINT *pub_key = NULL;
if (!eckey || !eckey->group) {
ECerr(EC_F_EC_KEY_GENERATE_KEY, ERR_R_PASSED_NULL_PARAMETER);
return 0;
}
if ((order = BN_new()) == NULL)
goto err;
if ((ctx = BN_CTX_new()) == NULL)
goto err;
if (eckey->priv_key == NULL) {
priv_key = BN_new();
if (priv_key == NULL)
goto err;
} else
priv_key = eckey->priv_key;
if (!EC_GROUP_get_order(eckey->group, order, ctx))
goto err;
do
if (!BN_rand_range(priv_key, order))
goto err;
while (BN_is_zero(priv_key)) ;
if (eckey->pub_key == NULL) {
pub_key = EC_POINT_new(eckey->group);
if (pub_key == NULL)
goto err;
} else
pub_key = eckey->pub_key;
if (!EC_POINT_mul(eckey->group, pub_key, priv_key, NULL, NULL, ctx))
goto err;
eckey->priv_key = priv_key;
eckey->pub_key = pub_key;
ok = 1;
err:
if (order)
BN_free(order);
if (pub_key != NULL && eckey->pub_key == NULL)
EC_POINT_free(pub_key);
if (priv_key != NULL && eckey->priv_key == NULL)
BN_free(priv_key);
if (ctx != NULL)
BN_CTX_free(ctx);
return (ok);
}
void Person::set_keys() {
a = BN_new();
BN_rand_range(a, p);
A = BN_new();
BN_CTX *ctx = BN_CTX_new();
BN_mod_exp(A, g, a, p, ctx);
if (ctx) BN_CTX_free(ctx);
}
static int dsa_builtin_keygen(DSA *dsa)
{
int ok = 0;
BN_CTX *ctx = NULL;
BIGNUM *pub_key = NULL, *priv_key = NULL;
if ((ctx = BN_CTX_new()) == NULL)
goto err;
if (dsa->priv_key == NULL) {
if ((priv_key = BN_secure_new()) == NULL)
goto err;
} else
priv_key = dsa->priv_key;
do
if (!BN_rand_range(priv_key, dsa->q))
goto err;
while (BN_is_zero(priv_key)) ;
if (dsa->pub_key == NULL) {
if ((pub_key = BN_new()) == NULL)
goto err;
} else
pub_key = dsa->pub_key;
{
BIGNUM *local_prk = NULL;
BIGNUM *prk;
if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
local_prk = prk = BN_new();
if (!local_prk)
goto err;
BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
} else
prk = priv_key;
if (!BN_mod_exp(pub_key, dsa->g, prk, dsa->p, ctx)) {
BN_free(local_prk);
goto err;
}
BN_free(local_prk);
}
dsa->priv_key = priv_key;
dsa->pub_key = pub_key;
ok = 1;
err:
if (pub_key != dsa->pub_key)
BN_free(pub_key);
if (priv_key != dsa->priv_key)
BN_free(priv_key);
BN_CTX_free(ctx);
return (ok);
}
CSignerECDSA::CSignerECDSA(const uint8_t PrivData[32], unsigned char Signature[65])
{
order.setuint256(g_Order);
EC_KEY* pkey = EC_KEY_new_by_curve_name(NID_secp256k1);
const EC_GROUP *group = EC_KEY_get0_group(pkey);
CBigNum privkey;
BN_bin2bn(PrivData, 32, &privkey);
EC_KEY_regenerate_key(pkey, &privkey);
EC_POINT *tmp_point = EC_POINT_new(group);
EC_POINT *test_point = EC_POINT_new(group);
CBigNum r, X, Y;
bool which = false;
do
{
// get random k
do
BN_rand_range(&kinv, &order);
while (!kinv);
/* We do not want timing information to leak the length of k,
* so we compute G*k using an equivalent scalar of fixed
* bit-length. */
kinv += order;
if (BN_num_bits(&kinv) <= 256)
kinv += order;
// compute r the x-coordinate of generator * k
EC_POINT_mul(group, tmp_point, &kinv, NULL, NULL, ctx);
EC_POINT_get_affine_coordinates_GFp(group, tmp_point, &X, &Y, ctx);
EC_POINT_set_compressed_coordinates_GFp(group, test_point, &X, 0, ctx);
which = !!EC_POINT_cmp(group, tmp_point, test_point, ctx);
BN_nnmod(&r, &X, &order, ctx);
}
while (!r);
// compute the inverse of k
BN_mod_inverse(&kinv, &kinv, &order, ctx);
BN_mod_mul(&pmr, &privkey, &r, &order, ctx);
BN_mod_mul(&prk, &pmr, &kinv, &order, ctx);
memset(Signature, 0, 65);
int nBitsR = BN_num_bits(&r);
BN_bn2bin(&r, &Signature[33-(nBitsR+7)/8]);
Signature[0] = 27 + which;
EC_POINT_free(tmp_point);
EC_POINT_free(test_point);
EC_KEY_free(pkey);
}
/* Generate each party's random numbers. xa is in [0, q), xb is in [1, q). */
static void genrand(JPAKE_CTX *ctx)
{
BIGNUM *qm1;
/* xa in [0, q) */
BN_rand_range(ctx->xa, ctx->p.q);
/* q-1 */
qm1 = BN_new();
BN_copy(qm1, ctx->p.q);
BN_sub_word(qm1, 1);
/* ... and xb in [0, q-1) */
BN_rand_range(ctx->xb, qm1);
/* [1, q) */
BN_add_word(ctx->xb, 1);
/* cleanup */
BN_free(qm1);
}
/**
* eccx08_generate_key()
*
* \brief Generates a 32-byte private key then replaces it with token
* data using the eccx08_eckey_encode_in_privkey() call
*
* \param[out] p_eckey Pointer to EC_KEY with Public Key on success
* \param[in] serial_number 9 bytes of ATECCX08 serial number
* \param[in] serial_len Size of the ATECCX08 serial number buffer
* \return 1 on success, 0 on error
*/
int eccx08_generate_key(EC_KEY *eckey, uint8_t *serial_number, int serial_len)
{
int ok = 0;
int ret = 0;
BN_CTX *ctx = NULL;
BIGNUM *priv_key = NULL, *order = NULL;
EC_POINT *pub_key = NULL;
uint8_t slotid = TLS_SLOT_AUTH_PRIV;
if (!eckey || !eckey->group) {
ECerr(EC_F_EC_KEY_GENERATE_KEY, ERR_R_PASSED_NULL_PARAMETER);
return 0;
}
if ((order = BN_new()) == NULL) goto err;
if ((ctx = BN_CTX_new()) == NULL) goto err;
if (eckey->priv_key == NULL) {
priv_key = BN_new();
if (priv_key == NULL) goto err;
} else {
priv_key = eckey->priv_key;
}
eckey->priv_key = priv_key;
if (!EC_GROUP_get_order(eckey->group, order, ctx)) goto err;
do if (!BN_rand_range(priv_key, order)) goto err;
while (BN_is_zero(priv_key));
ret = eccx08_eckey_encode_in_privkey(eckey, slotid, serial_number, ATCA_SERIAL_NUM_SIZE);
if (!ret) goto err;
if (eckey->pub_key == NULL) {
pub_key = EC_POINT_new(eckey->group);
if (pub_key == NULL) goto err;
} else pub_key = eckey->pub_key;
if (!EC_POINT_mul(eckey->group, pub_key, priv_key, NULL, NULL, ctx)) goto err;
eckey->pub_key = pub_key;
ok = 1;
err:
if (order) BN_free(order);
if (pub_key != NULL && eckey->pub_key == NULL) EC_POINT_free(pub_key);
if (priv_key != NULL && eckey->priv_key == NULL) BN_free(priv_key);
if (ctx != NULL) BN_CTX_free(ctx);
return (ok);
}
int CREDLIB_rand_range( BIGNUM* rnd, int Zps, BIGNUM* p ) {
EXCEPTION;
if ( !p || !rnd ) { THROW( CREDLIB_NULL_PTR ); }
again:
if ( !BN_rand_range( rnd, p ) ) { THROW( CREDLIB_RND_NOT_SEEDED ); }
if ( Zps && BN_is_zero( rnd ) ) { goto again; } /* Zp* */
/* Zp* means must not be 0 */
cleanup:
return ret;
}
/*
* Computes signature and returns it as DSA_SIG structure
*/
DSA_SIG *gost_do_sign (const unsigned char *dgst, int dlen, DSA * dsa)
{
BIGNUM *k = NULL, *tmp = NULL, *tmp2 = NULL;
DSA_SIG *newsig = DSA_SIG_new ();
BIGNUM *md = hashsum2bn (dgst);
/* check if H(M) mod q is zero */
BN_CTX *ctx = BN_CTX_new ();
BN_CTX_start (ctx);
if (!newsig)
{
GOSTerr (GOST_F_GOST_DO_SIGN, GOST_R_NO_MEMORY);
goto err;
}
tmp = BN_CTX_get (ctx);
k = BN_CTX_get (ctx);
tmp2 = BN_CTX_get (ctx);
BN_mod (tmp, md, dsa->q, ctx);
if (BN_is_zero (tmp))
{
BN_one (md);
}
do
{
do
{
/*Generate random number k less than q */
BN_rand_range (k, dsa->q);
/* generate r = (a^x mod p) mod q */
BN_mod_exp (tmp, dsa->g, k, dsa->p, ctx);
if (!(newsig->r))
newsig->r = BN_new ();
BN_mod (newsig->r, tmp, dsa->q, ctx);
}
while (BN_is_zero (newsig->r));
/* generate s = (xr + k(Hm)) mod q */
BN_mod_mul (tmp, dsa->priv_key, newsig->r, dsa->q, ctx);
BN_mod_mul (tmp2, k, md, dsa->q, ctx);
if (!newsig->s)
newsig->s = BN_new ();
BN_mod_add (newsig->s, tmp, tmp2, dsa->q, ctx);
}
while (BN_is_zero (newsig->s));
err:
BN_free (md);
BN_CTX_end (ctx);
BN_CTX_free (ctx);
return newsig;
}
int compute_scalar_element(REQUEST *request, pwd_session_t *session, BN_CTX *bn_ctx)
{
BIGNUM *mask = NULL;
int ret = -1;
MEM(session->private_value = BN_new());
MEM(session->my_element = EC_POINT_new(session->group));
MEM(session->my_scalar = BN_new());
MEM(mask = BN_new());
if (BN_rand_range(session->private_value, session->order) != 1) {
REDEBUG("Unable to get randomness for private_value");
goto error;
}
if (BN_rand_range(mask, session->order) != 1) {
REDEBUG("Unable to get randomness for mask");
goto error;
}
BN_add(session->my_scalar, session->private_value, mask);
BN_mod(session->my_scalar, session->my_scalar, session->order, bn_ctx);
if (!EC_POINT_mul(session->group, session->my_element, NULL, session->pwe, mask, bn_ctx)) {
REDEBUG("Server element allocation failed");
goto error;
}
if (!EC_POINT_invert(session->group, session->my_element, bn_ctx)) {
REDEBUG("Server element inversion failed");
goto error;
}
ret = 0;
error:
BN_clear_free(mask);
return ret;
}
static int generate_key(DH *dh)
{
int ok=0;
BN_CTX ctx;
BN_MONT_CTX *mont;
BIGNUM *pub_key=NULL,*priv_key=NULL;
BN_CTX_init(&ctx);
if (dh->priv_key == NULL)
{
priv_key=BN_new();
if (priv_key == NULL) goto err;
do
if (!BN_rand_range(priv_key, dh->p)) goto err;
while (BN_is_zero(priv_key));
}
else
priv_key=dh->priv_key;
if (dh->pub_key == NULL)
{
pub_key=BN_new();
if (pub_key == NULL) goto err;
}
else
pub_key=dh->pub_key;
if ((dh->method_mont_p == NULL) && (dh->flags & DH_FLAG_CACHE_MONT_P))
{
if ((dh->method_mont_p=(char *)BN_MONT_CTX_new()) != NULL)
if (!BN_MONT_CTX_set((BN_MONT_CTX *)dh->method_mont_p,
dh->p,&ctx)) goto err;
}
mont=(BN_MONT_CTX *)dh->method_mont_p;
if (!dh->meth->bn_mod_exp(dh, pub_key,dh->g,priv_key,dh->p,&ctx,mont))
goto err;
dh->pub_key=pub_key;
dh->priv_key=priv_key;
ok=1;
err:
if (ok != 1)
DHerr(DH_F_DH_GENERATE_KEY,ERR_R_BN_LIB);
if ((pub_key != NULL) && (dh->pub_key == NULL)) BN_free(pub_key);
if ((priv_key != NULL) && (dh->priv_key == NULL)) BN_free(priv_key);
BN_CTX_free(&ctx);
return(ok);
}
int ossl_ec_key_gen(EC_KEY *eckey)
{
int ok = 0;
BN_CTX *ctx = NULL;
BIGNUM *priv_key = NULL, *order = NULL;
EC_POINT *pub_key = NULL;
if ((order = BN_new()) == NULL)
goto err;
if ((ctx = BN_CTX_new()) == NULL)
goto err;
if (eckey->priv_key == NULL) {
priv_key = BN_new();
if (priv_key == NULL)
goto err;
} else
priv_key = eckey->priv_key;
if (!EC_GROUP_get_order(eckey->group, order, ctx))
goto err;
do
if (!BN_rand_range(priv_key, order))
goto err;
while (BN_is_zero(priv_key)) ;
if (eckey->pub_key == NULL) {
pub_key = EC_POINT_new(eckey->group);
if (pub_key == NULL)
goto err;
} else
pub_key = eckey->pub_key;
if (!EC_POINT_mul(eckey->group, pub_key, priv_key, NULL, NULL, ctx))
goto err;
eckey->priv_key = priv_key;
eckey->pub_key = pub_key;
ok = 1;
err:
BN_free(order);
if (eckey->pub_key == NULL)
EC_POINT_free(pub_key);
if (eckey->priv_key != priv_key)
BN_free(priv_key);
BN_CTX_free(ctx);
return (ok);
}
static void
schnorr_selftest(void)
{
BIGNUM *x;
struct modp_group *grp;
u_int i;
char *hh;
grp = jpake_default_group();
if ((x = BN_new()) == NULL)
fatal("%s: BN_new", __func__);
SCHNORR_DEBUG_BN((grp->p, "%s: grp->p = ", __func__));
SCHNORR_DEBUG_BN((grp->q, "%s: grp->q = ", __func__));
SCHNORR_DEBUG_BN((grp->g, "%s: grp->g = ", __func__));
/* [1, 20) */
for (i = 1; i < 20; i++) {
printf("x = %u\n", i);
fflush(stdout);
if (BN_set_word(x, i) != 1)
fatal("%s: set x word", __func__);
schnorr_selftest_one(grp->p, grp->q, grp->g, x);
}
/* 100 x random [0, p) */
for (i = 0; i < 100; i++) {
if (BN_rand_range(x, grp->p) != 1)
fatal("%s: BN_rand_range", __func__);
hh = BN_bn2hex(x);
printf("x = (random) 0x%s\n", hh);
free(hh);
fflush(stdout);
schnorr_selftest_one(grp->p, grp->q, grp->g, x);
}
/* [q-20, q) */
if (BN_set_word(x, 20) != 1)
fatal("%s: BN_set_word (x = 20)", __func__);
if (BN_sub(x, grp->q, x) != 1)
fatal("%s: BN_sub (q - x)", __func__);
for (i = 0; i < 19; i++) {
hh = BN_bn2hex(x);
printf("x = (q - %d) 0x%s\n", 20 - i, hh);
free(hh);
fflush(stdout);
schnorr_selftest_one(grp->p, grp->q, grp->g, x);
if (BN_add(x, x, BN_value_one()) != 1)
fatal("%s: BN_add (x + 1)", __func__);
}
BN_free(x);
}
int RSA_blinding_on(RSA *rsa, BN_CTX *p_ctx)
{
BIGNUM *A,*Ai = NULL;
BN_CTX *ctx;
int ret=0;
if (p_ctx == NULL)
{
if ((ctx=BN_CTX_new()) == NULL) goto err;
}
else
ctx=p_ctx;
/* XXXXX: Shouldn't this be RSA_blinding_off(rsa)? */
if (rsa->blinding != NULL)
{
BN_BLINDING_free(rsa->blinding);
rsa->blinding = NULL;
}
/* NB: similar code appears in setup_blinding (rsa_eay.c);
* this should be placed in a new function of its own, but for reasons
* of binary compatibility can't */
BN_CTX_start(ctx);
A = BN_CTX_get(ctx);
if (rsa->d != NULL && rsa->d->d != NULL)
{
if (!BN_pseudo_rand_range(A,rsa->n)) goto err;
}
else
{
if (!BN_rand_range(A,rsa->n)) goto err;
}
if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err;
if (!rsa->meth->bn_mod_exp(A,A,
rsa->e,rsa->n,ctx,rsa->_method_mod_n))
goto err;
if ((rsa->blinding=BN_BLINDING_new(A,Ai,rsa->n)) == NULL) goto err;
/* to make things thread-safe without excessive locking,
* rsa->blinding will be used just by the current thread: */
rsa->flags |= RSA_FLAG_BLINDING;
rsa->flags &= ~RSA_FLAG_NO_BLINDING;
ret=1;
err:
if (Ai != NULL) BN_free(Ai);
BN_CTX_end(ctx);
if (ctx != p_ctx) BN_CTX_free(ctx);
return(ret);
}
int ec_key_simple_generate_key(EC_KEY *eckey)
{
int ok = 0;
BN_CTX *ctx = NULL;
BIGNUM *priv_key = NULL;
const BIGNUM *order = NULL;
EC_POINT *pub_key = NULL;
if ((ctx = BN_CTX_new()) == NULL)
goto err;
if (eckey->priv_key == NULL) {
priv_key = BN_new();
if (priv_key == NULL)
goto err;
} else
priv_key = eckey->priv_key;
order = EC_GROUP_get0_order(eckey->group);
if (order == NULL)
goto err;
do
if (!BN_rand_range(priv_key, order))
goto err;
while (BN_is_zero(priv_key)) ;
if (eckey->pub_key == NULL) {
pub_key = EC_POINT_new(eckey->group);
if (pub_key == NULL)
goto err;
} else
pub_key = eckey->pub_key;
if (!EC_POINT_mul(eckey->group, pub_key, priv_key, NULL, NULL, ctx))
goto err;
eckey->priv_key = priv_key;
eckey->pub_key = pub_key;
ok = 1;
err:
if (eckey->pub_key == NULL)
EC_POINT_free(pub_key);
if (eckey->priv_key != priv_key)
BN_free(priv_key);
BN_CTX_free(ctx);
return ok;
}
pseudonym *polypseud_randomize(const polypseud_ctx *ctx, pseudonym *pseud) {
BIGNUM *l = BN_new();
if(BN_rand_range(l, ctx->p) == 0)
return NULL;
EC_POINT *t = EC_POINT_new(ctx->ec_group);
EC_POINT_mul(ctx->ec_group, t, NULL, ctx->g, l, ctx->bn_ctx);
EC_POINT_add(ctx->ec_group, pseud->a, pseud->a, t, ctx->bn_ctx);
EC_POINT_mul(ctx->ec_group, t, NULL, pseud->c, l, ctx->bn_ctx);
EC_POINT_add(ctx->ec_group, pseud->b, pseud->b, t, ctx->bn_ctx);
EC_POINT_free(t);
return pseud;
}
int bn_probable_prime_dh_coprime(BIGNUM *rnd, int bits, BN_CTX *ctx)
{
int i;
BIGNUM *offset_index;
BIGNUM *offset_count;
int ret = 0;
OPENSSL_assert(bits > prime_multiplier_bits);
BN_CTX_start(ctx);
if ((offset_index = BN_CTX_get(ctx)) == NULL)
goto err;
if ((offset_count = BN_CTX_get(ctx)) == NULL)
goto err;
if (!BN_add_word(offset_count, prime_offset_count))
goto err;
loop:
if (!BN_rand(rnd, bits - prime_multiplier_bits,
BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD))
goto err;
if (BN_is_bit_set(rnd, bits))
goto loop;
if (!BN_rand_range(offset_index, offset_count))
goto err;
if (!BN_mul_word(rnd, prime_multiplier)
|| !BN_add_word(rnd, prime_offsets[BN_get_word(offset_index)]))
goto err;
/* we now have a random number 'rand' to test. */
/* skip coprimes */
for (i = first_prime_index; i < NUMPRIMES; i++) {
/* check that rnd is a prime */
BN_ULONG mod = BN_mod_word(rnd, (BN_ULONG)primes[i]);
if (mod == (BN_ULONG)-1)
goto err;
if (mod <= 1)
goto loop;
}
ret = 1;
err:
BN_CTX_end(ctx);
bn_check_top(rnd);
return ret;
}
static int ssl_ec_point_offer(SSL_ECDH_CTX *ctx, CBB *out) {
assert(ctx->data == NULL);
BIGNUM *private_key = BN_new();
if (private_key == NULL) {
return 0;
}
ctx->data = private_key;
/* Set up a shared |BN_CTX| for all operations. */
BN_CTX *bn_ctx = BN_CTX_new();
if (bn_ctx == NULL) {
return 0;
}
BN_CTX_start(bn_ctx);
int ret = 0;
EC_POINT *public_key = NULL;
EC_GROUP *group = EC_GROUP_new_by_curve_name(ctx->method->nid);
if (group == NULL) {
goto err;
}
/* Generate a private key. */
const BIGNUM *order = EC_GROUP_get0_order(group);
do {
if (!BN_rand_range(private_key, order)) {
goto err;
}
} while (BN_is_zero(private_key));
/* Compute the corresponding public key and serialize it. */
public_key = EC_POINT_new(group);
if (public_key == NULL ||
!EC_POINT_mul(group, public_key, private_key, NULL, NULL, bn_ctx) ||
!EC_POINT_point2cbb(out, group, public_key, POINT_CONVERSION_UNCOMPRESSED,
bn_ctx)) {
goto err;
}
ret = 1;
err:
EC_GROUP_free(group);
EC_POINT_free(public_key);
BN_CTX_end(bn_ctx);
BN_CTX_free(bn_ctx);
return ret;
}
int
MKEM_generate_message(const MKEM *kp, uint8_t *secret, uint8_t *message)
{
BIGNUM u;
uint8_t pad;
int rv = -1;
BN_init(&u);
if (BN_rand_range(&u, kp->params->maxu) &&
BN_add(&u, &u, BN_value_one()) &&
RAND_bytes(&pad, 1) &&
!MKEM_generate_message_u(kp, &u, pad, secret, message))
rv = 0;
BN_clear(&u);
return rv;
}
static int bn_blinding_create_param(BN_BLINDING *b, const RSA *rsa, BN_CTX *ctx) {
int retry_counter = 32;
do {
if (!BN_rand_range(b->A, rsa->n)) {
OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
return 0;
}
/* `BN_from_montgomery` + `BN_mod_inverse_no_branch` is equivalent to, but
* more efficient than, `BN_mod_inverse_no_branch` + `BN_to_montgomery`. */
if (!BN_from_montgomery(b->Ai, b->A, rsa->mont_n, ctx)) {
return 0;
}
assert(BN_get_flags(b->A, BN_FLG_CONSTTIME));
int no_inverse;
if (BN_mod_inverse_no_branch(b->Ai, &no_inverse, b->Ai, rsa->n, ctx) ==
NULL) {
/* this should almost never happen for good RSA keys */
if (no_inverse) {
if (retry_counter-- == 0) {
OPENSSL_PUT_ERROR(RSA, RSA_R_TOO_MANY_ITERATIONS);
return 0;
}
ERR_clear_error();
} else {
OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
return 0;
}
} else {
break;
}
} while (1);
if (!BN_mod_exp_mont(b->A, b->A, rsa->e, rsa->n, ctx, rsa->mont_n)) {
OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
return 0;
}
if (!BN_to_montgomery(b->A, b->A, rsa->mont_n, ctx)) {
OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
return 0;
}
return 1;
}
