static BIGNUM *euclid(BIGNUM *a, BIGNUM *b)
{
BIGNUM *t;
int shifts=0;
bn_check_top(a);
bn_check_top(b);
/* 0 <= b <= a */
while (!BN_is_zero(b))
{
/* 0 < b <= a */
if (BN_is_odd(a))
{
if (BN_is_odd(b))
{
if (!BN_sub(a,a,b)) goto err;
if (!BN_rshift1(a,a)) goto err;
if (BN_cmp(a,b) < 0)
{ t=a; a=b; b=t; }
}
else /* a odd - b even */
{
if (!BN_rshift1(b,b)) goto err;
if (BN_cmp(a,b) < 0)
{ t=a; a=b; b=t; }
}
}
else /* a is even */
{
if (BN_is_odd(b))
{
if (!BN_rshift1(a,a)) goto err;
if (BN_cmp(a,b) < 0)
{ t=a; a=b; b=t; }
}
else /* a even - b even */
{
if (!BN_rshift1(a,a)) goto err;
if (!BN_rshift1(b,b)) goto err;
shifts++;
}
}
/* 0 <= b <= a */
}
if (shifts)
{
if (!BN_lshift(a,a,shifts)) goto err;
}
bn_check_top(a);
return(a);
err:
return(NULL);
}
static int probable_prime_dh_safe(BIGNUM *p, int bits, const BIGNUM *padd,
const BIGNUM *rem, BN_CTX *ctx)
{
int i,ret=0;
BIGNUM *t1,*qadd,*q;
bits--;
BN_CTX_start(ctx);
t1 = BN_CTX_get(ctx);
q = BN_CTX_get(ctx);
qadd = BN_CTX_get(ctx);
if (qadd == NULL) goto err;
if (!BN_rshift1(qadd,padd)) goto err;
if (!BN_rand(q,bits,0,1)) goto err;
/* we need ((rnd-rem) % add) == 0 */
if (!BN_mod(t1,q,qadd,ctx)) goto err;
if (!BN_sub(q,q,t1)) goto err;
if (rem == NULL)
{ if (!BN_add_word(q,1)) goto err; }
else
{
if (!BN_rshift1(t1,rem)) goto err;
if (!BN_add(q,q,t1)) goto err;
}
/* we now have a random number 'rand' to test. */
if (!BN_lshift1(p,q)) goto err;
if (!BN_add_word(p,1)) goto err;
loop:
for (i=1; i<NUMPRIMES; i++)
{
/* check that p and q are prime */
/* check that for p and q
* gcd(p-1,primes) == 1 (except for 2) */
if ((BN_mod_word(p,(BN_ULONG)primes[i]) == 0) ||
(BN_mod_word(q,(BN_ULONG)primes[i]) == 0))
{
if (!BN_add(p,p,padd)) goto err;
if (!BN_add(q,q,qadd)) goto err;
goto loop;
}
}
ret=1;
err:
BN_CTX_end(ctx);
bn_check_top(p);
return(ret);
}
// http://stackoverflow.com/questions/356090/how-to-compute-the-nth-root-of-a-very-big-integer
static BIGNUM *nearest_cuberoot(BIGNUM *in)
{
BN_CTX *ctx = BN_CTX_new();
BN_CTX_start(ctx);
BIGNUM *three = BN_CTX_get(ctx);
BIGNUM *high = BN_CTX_get(ctx);
BIGNUM *mid = BN_CTX_get(ctx);
BIGNUM *low = BN_CTX_get(ctx);
BIGNUM *tmp = BN_CTX_get(ctx);
BN_set_word(three, 3); // Create the constant 3
BN_set_word(high, 1); // high = 1
do
{
BN_lshift1(high, high); // high = high << 1 (high * 2)
BN_exp(tmp, high, three, ctx); // tmp = high^3
} while (BN_ucmp(tmp, in) <= -1); // while (tmp < in)
BN_rshift1(low, high); // low = high >> 1 (high / 2)
while (BN_ucmp(low, high) <= -1) // while (low < high)
{
BN_add(tmp, low, high); // tmp = low + high
BN_rshift1(mid, tmp); // mid = tmp >> 1 (tmp / 2)
BN_exp(tmp, mid, three, ctx); // tmp = mid^3
if (BN_ucmp(low, mid) <= -1 && BN_ucmp(tmp, in) <= -1) // if (low < mid && tmp < in)
BN_copy(low, mid); // low = mid
else if (BN_ucmp(high, mid) >= 1 && BN_ucmp(tmp, in) >= 1) // else if (high > mid && tmp > in)
BN_copy(high, mid); // high = mid
else
{
// subtract 1 from mid because 1 will be added after the loop
BN_sub_word(mid, 1); // mid -= 1
break;
}
}
BN_add_word(mid, 1); // mid += 1
BIGNUM *result = BN_dup(mid);
BN_CTX_end(ctx);
BN_CTX_free(ctx);
return result;
}
bool CKey::Sign(uint256 hash, std::vector<unsigned char>& vchSig)
{
vchSig.clear();
ECDSA_SIG *sig = ECDSA_do_sign((unsigned char*)&hash, sizeof(hash), pkey);
if (sig == NULL)
return false;
BN_CTX *ctx = BN_CTX_new();
BN_CTX_start(ctx);
const EC_GROUP *group = EC_KEY_get0_group(pkey);
BIGNUM *order = BN_CTX_get(ctx);
BIGNUM *halforder = BN_CTX_get(ctx);
EC_GROUP_get_order(group, order, ctx);
BN_rshift1(halforder, order);
if (BN_cmp(sig->s, halforder) > 0) {
// enforce low S values, by negating the value (modulo the order) if above order/2.
BN_sub(sig->s, order, sig->s);
}
BN_CTX_end(ctx);
BN_CTX_free(ctx);
unsigned int nSize = ECDSA_size(pkey);
vchSig.resize(nSize); // Make sure it is big enough
unsigned char *pos = &vchSig[0];
nSize = i2d_ECDSA_SIG(sig, &pos);
ECDSA_SIG_free(sig);
vchSig.resize(nSize); // Shrink to fit actual size
return true;
}
int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d,
BN_CTX *ctx)
{
int i,nm,nd;
int ret = 0;
BIGNUM *D;
bn_check_top(m);
bn_check_top(d);
if (BN_is_zero(d))
{
BNerr(BN_F_BN_DIV,BN_R_DIV_BY_ZERO);
return(0);
}
if (BN_ucmp(m,d) < 0)
{
if (rem != NULL)
{ if (BN_copy(rem,m) == NULL) return(0); }
if (dv != NULL) BN_zero(dv);
return(1);
}
BN_CTX_start(ctx);
D = BN_CTX_get(ctx);
if (dv == NULL) dv = BN_CTX_get(ctx);
if (rem == NULL) rem = BN_CTX_get(ctx);
if (D == NULL || dv == NULL || rem == NULL)
goto end;
nd=BN_num_bits(d);
nm=BN_num_bits(m);
if (BN_copy(D,d) == NULL) goto end;
if (BN_copy(rem,m) == NULL) goto end;
/* The next 2 are needed so we can do a dv->d[0]|=1 later
* since BN_lshift1 will only work once there is a value :-) */
BN_zero(dv);
if(bn_wexpand(dv,1) == NULL) goto end;
dv->top=1;
if (!BN_lshift(D,D,nm-nd)) goto end;
for (i=nm-nd; i>=0; i--)
{
if (!BN_lshift1(dv,dv)) goto end;
if (BN_ucmp(rem,D) >= 0)
{
dv->d[0]|=1;
if (!BN_usub(rem,rem,D)) goto end;
}
/* CAN IMPROVE (and have now :=) */
if (!BN_rshift1(D,D)) goto end;
}
rem->neg=BN_is_zero(rem)?0:m->neg;
dv->neg=m->neg^d->neg;
ret = 1;
end:
BN_CTX_end(ctx);
return(ret);
}
bool CKey::Sign(uint256 hash, std::vector<unsigned char>& vchSig)
{
vchSig.clear();
ECDSA_SIG *sig = ECDSA_do_sign((unsigned char*)&hash, sizeof(hash), pkey);
if (sig==NULL)
return false;
const EC_GROUP *group = EC_KEY_get0_group(pkey);
CBigNum order, halforder;
EC_GROUP_get_order(group, &order, NULL);
BN_rshift1(&halforder, &order);
// enforce low S values, by negating the value (modulo the order) if above order/2.
if (BN_cmp(sig->s, &halforder) > 0) {
BN_sub(sig->s, &order, sig->s);
}
unsigned int nSize = ECDSA_size(pkey);
vchSig.resize(nSize); // Make sure it is big enough
unsigned char *pos = &vchSig[0];
nSize = i2d_ECDSA_SIG(sig, &pos);
ECDSA_SIG_free(sig);
vchSig.resize(nSize); // Shrink to fit actual size
// Testing our new signature
if (ECDSA_verify(0, (unsigned char*)&hash, sizeof(hash), &vchSig[0], vchSig.size(), pkey) != 1) {
vchSig.clear();
return false;
}
return true;
}
/* The secret integers s0 and s1 must be in the range 0 < s < n for
some n, and must be relatively prime to that n. We know a priori
that n is of the form 2**k * p for some small integer k and prime
p. Therefore, it suffices to choose a random integer in the range
[0, n/2), multiply by two and add one (enforcing oddness), and then
reject values which are divisible by p. */
static BIGNUM *
random_s(const BIGNUM *n, const BIGNUM *p, BN_CTX *c)
{
BIGNUM h, m, *r;
BN_init(&h);
BN_init(&m);
FAILZ(r = BN_new());
FAILZ(BN_copy(&h, n));
FAILZ(BN_rshift1(&h, &h));
do {
FAILZ(BN_rand_range(r, &h));
FAILZ(BN_lshift1(r, r));
FAILZ(BN_add(r, r, BN_value_one()));
FAILZ(BN_nnmod(&m, r, p, c));
} while (BN_is_zero(&m));
BN_clear(&h);
BN_clear(&m);
return r;
fail:
BN_clear(&h);
BN_clear(&m);
if (r) BN_clear_free(r);
return 0;
}
/* rem != m */
int BN_mod(BIGNUM *rem, const BIGNUM *m, const BIGNUM *d, BN_CTX *ctx)
{
#if 0 /* The old slow way */
int i, nm, nd;
BIGNUM *dv;
if(BN_ucmp(m, d) < 0)
{ return ((BN_copy(rem, m) == NULL) ? 0 : 1); }
BN_CTX_start(ctx);
dv = BN_CTX_get(ctx);
if(!BN_copy(rem, m)) { goto err; }
nm = BN_num_bits(rem);
nd = BN_num_bits(d);
if(!BN_lshift(dv, d, nm - nd)) { goto err; }
for(i = nm - nd; i >= 0; i--)
{
if(BN_cmp(rem, dv) >= 0)
{
if(!BN_sub(rem, rem, dv)) { goto err; }
}
if(!BN_rshift1(dv, dv)) { goto err; }
}
BN_CTX_end(ctx);
return (1);
err:
BN_CTX_end(ctx);
return (0);
#else
return (BN_div(NULL, rem, m, d, ctx));
#endif
}
int DH_check(const DH *dh, int *ret)
{
int ok = 0;
BN_CTX *ctx = NULL;
BN_ULONG l;
BIGNUM *q = NULL;
*ret = 0;
ctx = BN_CTX_new();
if (ctx == NULL)
goto err;
q = BN_new();
if (q == NULL)
goto err;
if (BN_is_word(dh->g, DH_GENERATOR_2)) {
l = BN_mod_word(dh->p, 24);
if (l != 11)
*ret |= DH_NOT_SUITABLE_GENERATOR;
}
# if 0
else if (BN_is_word(dh->g, DH_GENERATOR_3)) {
l = BN_mod_word(dh->p, 12);
if (l != 5)
*ret |= DH_NOT_SUITABLE_GENERATOR;
}
# endif
else if (BN_is_word(dh->g, DH_GENERATOR_5)) {
l = BN_mod_word(dh->p, 10);
if ((l != 3) && (l != 7))
*ret |= DH_NOT_SUITABLE_GENERATOR;
} else
*ret |= DH_UNABLE_TO_CHECK_GENERATOR;
if (!BN_is_prime_ex(dh->p, BN_prime_checks, ctx, NULL))
*ret |= DH_CHECK_P_NOT_PRIME;
else {
if (!BN_rshift1(q, dh->p))
goto err;
if (!BN_is_prime_ex(q, BN_prime_checks, ctx, NULL))
*ret |= DH_CHECK_P_NOT_SAFE_PRIME;
}
ok = 1;
err:
if (ctx != NULL)
BN_CTX_free(ctx);
if (q != NULL)
BN_free(q);
return (ok);
}
// create a compact signature (65 bytes), which allows reconstructing the used public key
// The format is one header byte, followed by two times 32 bytes for the serialized r and s values.
// The header byte: 0x1B = first key with even y, 0x1C = first key with odd y,
// 0x1D = second key with even y, 0x1E = second key with odd y
bool CKey::SignCompact(uint256 hash, std::vector<unsigned char>& vchSig)
{
bool fOk = false;
ECDSA_SIG *sig = ECDSA_do_sign((unsigned char*)&hash, sizeof(hash), pkey);
if (sig==NULL)
return false;
const EC_GROUP *group = EC_KEY_get0_group(pkey);
CBigNum order, halforder;
EC_GROUP_get_order(group, &order, NULL);
BN_rshift1(&halforder, &order);
// enforce low S values, by negating the value (modulo the order) if above order/2.
if (BN_cmp(sig->s, &halforder) > 0) {
BN_sub(sig->s, &order, sig->s);
}
vchSig.clear();
vchSig.resize(65,0);
int nBitsR = BN_num_bits(sig->r);
int nBitsS = BN_num_bits(sig->s);
if (nBitsR <= 256 && nBitsS <= 256)
{
int nRecId = -1;
for (int i=0; i<4; i++)
{
CKey keyRec;
keyRec.fSet = true;
if (fCompressedPubKey)
keyRec.SetCompressedPubKey();
if (ECDSA_SIG_recover_key_GFp(keyRec.pkey, sig, (unsigned char*)&hash, sizeof(hash), i, 1) == 1)
if (keyRec.GetPubKey() == this->GetPubKey())
{
nRecId = i;
break;
}
}
if (nRecId == -1)
{
ECDSA_SIG_free(sig);
throw key_error("CKey::SignCompact() : unable to construct recoverable key");
}
vchSig[0] = nRecId+27+(fCompressedPubKey ? 4 : 0);
BN_bn2bin(sig->r,&vchSig[33-(nBitsR+7)/8]);
BN_bn2bin(sig->s,&vchSig[65-(nBitsS+7)/8]);
fOk = true;
}
ECDSA_SIG_free(sig);
return fOk;
}
static void
bsqrt(void)
{
struct number *n;
struct number *r;
BIGNUM *x, *y;
u_int scale, onecount;
BN_CTX *ctx;
onecount = 0;
n = pop_number();
if (n == NULL) {
return;
}
if (BN_is_zero(n->number)) {
r = new_number();
push_number(r);
} else if (BN_is_negative(n->number))
warnx("square root of negative number");
else {
scale = max(bmachine.scale, n->scale);
normalize(n, 2*scale);
x = BN_dup(n->number);
bn_checkp(x);
bn_check(BN_rshift(x, x, BN_num_bits(x)/2));
y = BN_new();
bn_checkp(y);
ctx = BN_CTX_new();
bn_checkp(ctx);
for (;;) {
bn_checkp(BN_copy(y, x));
bn_check(BN_div(x, NULL, n->number, x, ctx));
bn_check(BN_add(x, x, y));
bn_check(BN_rshift1(x, x));
if (bsqrt_stop(x, y, &onecount))
break;
}
r = bmalloc(sizeof(*r));
r->scale = scale;
r->number = y;
BN_free(x);
BN_CTX_free(ctx);
push_number(r);
}
free_number(n);
}
/*
* Construct a MODP group from hex strings p (which must be a safe
* prime) and g, automatically calculating subgroup q as (p / 2)
*/
struct modp_group *
modp_group_from_g_and_safe_p(const char *grp_g, const char *grp_p)
{
struct modp_group *ret;
ret = xcalloc(1, sizeof(*ret));
ret->p = ret->q = ret->g = NULL;
if (BN_hex2bn(&ret->p, grp_p) == 0 ||
BN_hex2bn(&ret->g, grp_g) == 0)
fatal("%s: BN_hex2bn", __func__);
/* Subgroup order is p/2 (p is a safe prime) */
if ((ret->q = BN_new()) == NULL)
fatal("%s: BN_new", __func__);
if (BN_rshift1(ret->q, ret->p) != 1)
fatal("%s: BN_rshift1", __func__);
return ret;
}
struct jpake_group *
jpake_default_group(void)
{
struct jpake_group *ret;
ret = xmalloc(sizeof(*ret));
ret->p = ret->q = ret->g = NULL;
if (BN_hex2bn(&ret->p, JPAKE_GROUP_P) == 0 ||
BN_hex2bn(&ret->g, JPAKE_GROUP_G) == 0)
fatal("%s: BN_hex2bn", __func__);
/* Subgroup order is p/2 (p is a safe prime) */
if ((ret->q = BN_new()) == NULL)
fatal("%s: BN_new", __func__);
if (BN_rshift1(ret->q, ret->p) != 1)
fatal("%s: BN_rshift1", __func__);
return ret;
}
BIGNUM *
DH_get_q(const DH *dh, BN_CTX *ctx)
{
BIGNUM *q_new = NULL, *bn = NULL;
int i;
const BIGNUM *p, *q;
check(dh, "Invalid arguments");
DH_get0_pqg(dh, &p, &q, NULL);
if (!q) {
q_new = BN_new();
bn = BN_dup(p);
/* DH primes should be strong, based on a Sophie Germain prime q
* p=(2*q)+1 or (p-1)/2=q */
if (!q_new || !bn ||
!BN_sub_word(bn, 1) ||
!BN_rshift1(q_new, bn)) {
goto err;
}
} else {
q_new = BN_dup(q);
}
/* q should always be prime */
i = BN_is_prime_ex(q_new, BN_prime_checks, ctx, NULL);
if (i <= 0) {
if (i == 0)
log_err("Unable to get Sophie Germain prime");
goto err;
}
return q_new;
err:
if (bn)
BN_clear_free(bn);
if (q_new)
BN_clear_free(q_new);
return NULL;
}
void setup()
{
mod = BN_bin2bn( mod_buffer, /*len*/192, NULL );
// modOrder = ( mod - 1 ) / 2
BIGNUM* postSubtract = BN_new();
BIGNUM* oneBN = BN_new();
int ret = BN_one( oneBN );
if ( ret != 1 )
{
printf( "setup: BN_one failed: %d", ret );
}
ret = BN_sub( postSubtract, mod, oneBN ); // r = a - b
if ( ret != 1 )
{
printf( "setup: BN_sub failed: %d", ret );
}
BN_clear_free( oneBN );
modOrder = BN_new();
ret = BN_rshift1( modOrder, postSubtract ); // r = a Ö 2
if ( ret != 1 )
{
printf( "setup: BN_rshift1 failed: %d", ret );
}
BN_clear_free( postSubtract );
g2 = BN_new();
g3 = BN_new();
c1 = BN_new();
c2 = BN_new();
d1 = BN_new();
d2 = BN_new();
g3a = BN_new();
// exponent used in step 1
gen = BN_new();
ret = BN_set_word( gen, 2 );
match = 0;
}
DH *tr_create_dh_params(unsigned char *priv_key,
size_t keylen) {
DH *dh = NULL;
int dh_err = 0;
if (NULL == (dh = DH_new()))
return NULL;
if ((NULL == (dh->g = BN_new())) ||
(NULL == (dh->p = BN_new())) ||
(NULL == (dh->q = BN_new()))) {
DH_free(dh);
return NULL;
}
BN_set_word(dh->g, 2);
dh->p = BN_bin2bn(tr_2048_dhprime, sizeof(tr_2048_dhprime), NULL);
BN_rshift1(dh->q, dh->p);
if ((priv_key) && (keylen > 0))
dh->priv_key = BN_bin2bn(priv_key, keylen, NULL);
DH_generate_key(dh); /* generates the public key */
DH_check(dh, &dh_err);
if (0 != dh_err) {
tr_warning("Warning: dh_check failed with %d", dh_err);
if (dh_err & DH_CHECK_P_NOT_PRIME)
tr_warning(": p value is not prime");
else if (dh_err & DH_CHECK_P_NOT_SAFE_PRIME)
tr_warning(": p value is not a safe prime");
else if (dh_err & DH_UNABLE_TO_CHECK_GENERATOR)
tr_warning(": unable to check the generator value");
else if (dh_err & DH_NOT_SUITABLE_GENERATOR)
tr_warning(": the g value is not a generator");
else
tr_warning("unhandled error %i", dh_err);
}
return(dh);
}
int test_rshift1(BIO *bp)
{
BIGNUM *a,*b,*c;
int i;
a=BN_new();
b=BN_new();
c=BN_new();
BN_bntest_rand(a,200,0,0); /**/
a->neg=rand_neg();
for (i=0; i<num0; i++)
{
BN_rshift1(b,a);
if (bp != NULL)
{
if (!results)
{
BN_print(bp,a);
BIO_puts(bp," / 2");
BIO_puts(bp," - ");
}
BN_print(bp,b);
BIO_puts(bp,"\n");
}
BN_sub(c,a,b);
BN_sub(c,c,b);
if(!BN_is_zero(c) && !BN_abs_is_word(c, 1))
{
fprintf(stderr,"Right shift one test failed!\n");
return 0;
}
BN_copy(a,b);
}
BN_free(a);
BN_free(b);
BN_free(c);
return(1);
}
static int test_check_public_key(void)
{
int ret = 0;
BIGNUM *n = NULL, *e = NULL;
RSA *key = NULL;
ret = TEST_ptr(key = RSA_new())
/* check NULL pointers fail */
&& TEST_false(rsa_sp800_56b_check_public(key))
/* load public key */
&& TEST_ptr(e = bn_load_new(cav_e, sizeof(cav_e)))
&& TEST_ptr(n = bn_load_new(cav_n, sizeof(cav_n)))
&& TEST_true(RSA_set0_key(key, n, e, NULL));
if (!ret) {
BN_free(e);
BN_free(n);
goto end;
}
/* check public key is valid */
ret = TEST_true(rsa_sp800_56b_check_public(key))
/* check fail if n is even */
&& TEST_true(BN_add_word(n, 1))
&& TEST_false(rsa_sp800_56b_check_public(key))
&& TEST_true(BN_sub_word(n, 1))
/* check fail if n is wrong number of bits */
&& TEST_true(BN_lshift1(n, n))
&& TEST_false(rsa_sp800_56b_check_public(key))
&& TEST_true(BN_rshift1(n, n))
/* test odd exponent fails */
&& TEST_true(BN_add_word(e, 1))
&& TEST_false(rsa_sp800_56b_check_public(key))
&& TEST_true(BN_sub_word(e, 1))
/* modulus fails composite check */
&& TEST_true(BN_add_word(n, 2))
&& TEST_false(rsa_sp800_56b_check_public(key));
end:
RSA_free(key);
return ret;
}
int DH_check(const DH *dh, int *ret) {
/* Check that p is a safe prime and if g is 2, 3 or 5, check that it is a
* suitable generator where:
* for 2, p mod 24 == 11
* for 3, p mod 12 == 5
* for 5, p mod 10 == 3 or 7
* should hold.
*/
int ok = 0, r;
BN_CTX *ctx = NULL;
BN_ULONG l;
BIGNUM *t1 = NULL, *t2 = NULL;
*ret = 0;
ctx = BN_CTX_new();
if (ctx == NULL) {
goto err;
}
BN_CTX_start(ctx);
t1 = BN_CTX_get(ctx);
if (t1 == NULL) {
goto err;
}
t2 = BN_CTX_get(ctx);
if (t2 == NULL) {
goto err;
}
if (dh->q) {
if (BN_cmp(dh->g, BN_value_one()) <= 0) {
*ret |= DH_CHECK_NOT_SUITABLE_GENERATOR;
} else if (BN_cmp(dh->g, dh->p) >= 0) {
*ret |= DH_CHECK_NOT_SUITABLE_GENERATOR;
} else {
/* Check g^q == 1 mod p */
if (!BN_mod_exp(t1, dh->g, dh->q, dh->p, ctx)) {
goto err;
}
if (!BN_is_one(t1)) {
*ret |= DH_CHECK_NOT_SUITABLE_GENERATOR;
}
}
r = BN_is_prime_ex(dh->q, BN_prime_checks, ctx, NULL);
if (r < 0) {
goto err;
}
if (!r) {
*ret |= DH_CHECK_Q_NOT_PRIME;
}
/* Check p == 1 mod q i.e. q divides p - 1 */
if (!BN_div(t1, t2, dh->p, dh->q, ctx)) {
goto err;
}
if (!BN_is_one(t2)) {
*ret |= DH_CHECK_INVALID_Q_VALUE;
}
if (dh->j && BN_cmp(dh->j, t1)) {
*ret |= DH_CHECK_INVALID_J_VALUE;
}
} else if (BN_is_word(dh->g, DH_GENERATOR_2)) {
l = BN_mod_word(dh->p, 24);
if (l == (BN_ULONG)-1) {
goto err;
}
if (l != 11) {
*ret |= DH_CHECK_NOT_SUITABLE_GENERATOR;
}
} else if (BN_is_word(dh->g, DH_GENERATOR_5)) {
l = BN_mod_word(dh->p, 10);
if (l == (BN_ULONG)-1) {
goto err;
}
if (l != 3 && l != 7) {
*ret |= DH_CHECK_NOT_SUITABLE_GENERATOR;
}
} else {
*ret |= DH_CHECK_UNABLE_TO_CHECK_GENERATOR;
}
r = BN_is_prime_ex(dh->p, BN_prime_checks, ctx, NULL);
if (r < 0) {
goto err;
}
if (!r) {
*ret |= DH_CHECK_P_NOT_PRIME;
} else if (!dh->q) {
if (!BN_rshift1(t1, dh->p)) {
goto err;
}
r = BN_is_prime_ex(t1, BN_prime_checks, ctx, NULL);
if (r < 0) {
goto err;
}
if (!r) {
*ret |= DH_CHECK_P_NOT_SAFE_PRIME;
}
}
ok = 1;
err:
if (ctx != NULL) {
BN_CTX_end(ctx);
BN_CTX_free(ctx);
}
return ok;
}
BIGNUM *BN_generate_prime(BIGNUM *ret, int bits, int safe,
const BIGNUM *add, const BIGNUM *rem,
void (*callback)(int,int,void *), void *cb_arg)
{
BIGNUM *rnd=NULL;
BIGNUM t;
int found=0;
int i,j,c1=0;
BN_CTX *ctx;
int checks = BN_prime_checks_for_size(bits);
ctx=BN_CTX_new();
if (ctx == NULL) goto err;
if (ret == NULL)
{
if ((rnd=BN_new()) == NULL) goto err;
}
else
rnd=ret;
BN_init(&t);
loop:
/* make a random number and set the top and bottom bits */
if (add == NULL)
{
if (!probable_prime(rnd,bits)) goto err;
}
else
{
if (safe)
{
if (!probable_prime_dh_safe(rnd,bits,add,rem,ctx))
goto err;
}
else
{
if (!probable_prime_dh(rnd,bits,add,rem,ctx))
goto err;
}
}
/* if (BN_mod_word(rnd,(BN_ULONG)3) == 1) goto loop; */
if (callback != NULL) callback(0,c1++,cb_arg);
if (!safe)
{
i=BN_is_prime_fasttest(rnd,checks,callback,ctx,cb_arg,0);
if (i == -1) goto err;
if (i == 0) goto loop;
}
else
{
/* for "safe prime" generation,
* check that (p-1)/2 is prime.
* Since a prime is odd, We just
* need to divide by 2 */
if (!BN_rshift1(&t,rnd)) goto err;
for (i=0; i<checks; i++)
{
j=BN_is_prime_fasttest(rnd,1,callback,ctx,cb_arg,0);
if (j == -1) goto err;
if (j == 0) goto loop;
j=BN_is_prime_fasttest(&t,1,callback,ctx,cb_arg,0);
if (j == -1) goto err;
if (j == 0) goto loop;
if (callback != NULL) callback(2,c1-1,cb_arg);
/* We have a safe prime test pass */
}
}
/* we have a prime :-) */
found = 1;
err:
if (!found && (ret == NULL) && (rnd != NULL)) BN_free(rnd);
BN_free(&t);
if (ctx != NULL) BN_CTX_free(ctx);
return(found ? rnd : NULL);
}
int main(int argc, char **argv)
{
JPAKE_CTX *alice;
JPAKE_CTX *bob;
BIGNUM *p = NULL;
BIGNUM *g = NULL;
BIGNUM *q = NULL;
BIGNUM *secret = BN_new();
BIO *bio_err;
bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
CRYPTO_malloc_debug_init();
CRYPTO_dbg_set_options(V_CRYPTO_MDEBUG_ALL);
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
ERR_load_crypto_strings();
/*
BN_hex2bn(&p, "fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f80b6512669455d402251fb593d8d58fabfc5f5ba30f6cb9b556cd7813b801d346ff26660b76b9950a5a49f9fe8047b1022c24fbba9d7feb7c61bf83b57e7c6a8a6150f04fb83f6d3c51ec3023554135a169132f675f3ae2b61d72aeff22203199dd14801c7");
BN_hex2bn(&g, "f7e1a085d69b3ddecbbcab5c36b857b97994afbbfa3aea82f9574c0b3d0782675159578ebad4594fe67107108180b449167123e84c281613b7cf09328cc8a6e13c167a8b547c8d28e0a3ae1e2bb3a675916ea37f0bfa213562f1fb627a01243bcca4f1bea8519089a883dfe15ae59f06928b665e807b552564014c3bfecf492a");
BN_hex2bn(&q, "9760508f15230bccb292b982a2eb840bf0581cf5");
*/
/*
p = BN_new();
BN_generate_prime(p, 1024, 1, NULL, NULL, NULL, NULL);
*/
/* Use a safe prime for p (that we found earlier) */
BN_hex2bn(&p, "F9E5B365665EA7A05A9C534502780FEE6F1AB5BD4F49947FD036DBD7E905269AF46EF28B0FC07487EE4F5D20FB3C0AF8E700F3A2FA3414970CBED44FEDFF80CE78D800F184BB82435D137AADA2C6C16523247930A63B85661D1FC817A51ACD96168E95898A1F83A79FFB529368AA7833ABD1B0C3AEDDB14D2E1A2F71D99F763F");
showbn("p", p);
g = BN_new();
BN_set_word(g, 2);
showbn("g", g);
q = BN_new();
BN_rshift1(q, p);
showbn("q", q);
BN_rand(secret, 32, -1, 0);
/* A normal run, expect this to work... */
alice = JPAKE_CTX_new("Alice", "Bob", p, g, q, secret);
bob = JPAKE_CTX_new("Bob", "Alice", p, g, q, secret);
if(run_jpake(alice, bob) != 0)
{
fprintf(stderr, "Plain JPAKE run failed\n");
return 1;
}
JPAKE_CTX_free(bob);
JPAKE_CTX_free(alice);
/* Now give Alice and Bob different secrets */
alice = JPAKE_CTX_new("Alice", "Bob", p, g, q, secret);
BN_add_word(secret, 1);
bob = JPAKE_CTX_new("Bob", "Alice", p, g, q, secret);
if(run_jpake(alice, bob) != 5)
{
fprintf(stderr, "Mismatched secret JPAKE run failed\n");
return 1;
}
JPAKE_CTX_free(bob);
JPAKE_CTX_free(alice);
BN_free(secret);
BN_free(q);
BN_free(g);
BN_free(p);
CRYPTO_cleanup_all_ex_data();
ERR_remove_state(0);
ERR_free_strings();
CRYPTO_mem_leaks(bio_err);
return 0;
}
static void
bexp(void)
{
struct number *a, *p;
struct number *r;
bool neg;
u_int scale;
p = pop_number();
if (p == NULL) {
return;
}
a = pop_number();
if (a == NULL) {
push_number(p);
return;
}
if (p->scale != 0)
warnx("Runtime warning: non-zero scale in exponent");
normalize(p, 0);
neg = false;
if (BN_cmp(p->number, &zero) < 0) {
neg = true;
negate(p);
scale = bmachine.scale;
} else {
/* Posix bc says min(a.scale * b, max(a.scale, scale) */
u_long b;
u_int m;
b = BN_get_word(p->number);
m = max(a->scale, bmachine.scale);
scale = a->scale * (u_int)b;
if (scale > m || (a->scale > 0 && (b == BN_MASK2 ||
b > UINT_MAX)))
scale = m;
}
if (BN_is_zero(p->number)) {
r = new_number();
bn_check(BN_one(r->number));
normalize(r, scale);
} else {
while (!BN_is_bit_set(p->number, 0)) {
bmul_number(a, a, a);
bn_check(BN_rshift1(p->number, p->number));
}
r = dup_number(a);
normalize(r, scale);
bn_check(BN_rshift1(p->number, p->number));
while (!BN_is_zero(p->number)) {
bmul_number(a, a, a);
if (BN_is_bit_set(p->number, 0))
bmul_number(r, r, a);
bn_check(BN_rshift1(p->number, p->number));
}
if (neg) {
BN_CTX *ctx;
BIGNUM *one;
one = BN_new();
bn_checkp(one);
bn_check(BN_one(one));
ctx = BN_CTX_new();
bn_checkp(ctx);
scale_number(one, r->scale + scale);
normalize(r, scale);
bn_check(BN_div(r->number, NULL, one, r->number, ctx));
BN_free(one);
BN_CTX_free(ctx);
} else
normalize(r, scale);
}
push_number(r);
free_number(a);
free_number(p);
}
BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
/* Returns 'ret' such that
* ret^2 == a (mod p),
* using the Tonelli/Shanks algorithm (cf. Henri Cohen, "A Course
* in Algebraic Computational Number Theory", algorithm 1.5.1).
* 'p' must be prime!
*/
{
BIGNUM *ret = in;
int err = 1;
int r;
BIGNUM *A, *b, *q, *t, *x, *y;
int e, i, j;
if (!BN_is_odd(p) || BN_abs_is_word(p, 1))
{
if (BN_abs_is_word(p, 2))
{
if (ret == NULL)
ret = BN_new();
if (ret == NULL)
goto end;
if (!BN_set_word(ret, BN_is_bit_set(a, 0)))
{
if (ret != in)
BN_free(ret);
return NULL;
}
bn_check_top(ret);
return ret;
}
BNerr(BN_F_BN_MOD_SQRT, BN_R_P_IS_NOT_PRIME);
return(NULL);
}
if (BN_is_zero(a) || BN_is_one(a))
{
if (ret == NULL)
ret = BN_new();
if (ret == NULL)
goto end;
if (!BN_set_word(ret, BN_is_one(a)))
{
if (ret != in)
BN_free(ret);
return NULL;
}
bn_check_top(ret);
return ret;
}
BN_CTX_start(ctx);
A = BN_CTX_get(ctx);
b = BN_CTX_get(ctx);
q = BN_CTX_get(ctx);
t = BN_CTX_get(ctx);
x = BN_CTX_get(ctx);
y = BN_CTX_get(ctx);
if (y == NULL) goto end;
if (ret == NULL)
ret = BN_new();
if (ret == NULL) goto end;
/* A = a mod p */
if (!BN_nnmod(A, a, p, ctx)) goto end;
/* now write |p| - 1 as 2^e*q where q is odd */
e = 1;
while (!BN_is_bit_set(p, e))
e++;
/* we'll set q later (if needed) */
if (e == 1)
{
/* The easy case: (|p|-1)/2 is odd, so 2 has an inverse
* modulo (|p|-1)/2, and square roots can be computed
* directly by modular exponentiation.
* We have
* 2 * (|p|+1)/4 == 1 (mod (|p|-1)/2),
* so we can use exponent (|p|+1)/4, i.e. (|p|-3)/4 + 1.
*/
if (!BN_rshift(q, p, 2)) goto end;
q->neg = 0;
if (!BN_add_word(q, 1)) goto end;
if (!BN_mod_exp(ret, A, q, p, ctx)) goto end;
err = 0;
goto vrfy;
}
if (e == 2)
{
/* |p| == 5 (mod 8)
*
* In this case 2 is always a non-square since
* Legendre(2,p) = (-1)^((p^2-1)/8) for any odd prime.
* So if a really is a square, then 2*a is a non-square.
* Thus for
* b := (2*a)^((|p|-5)/8),
* i := (2*a)*b^2
* we have
* i^2 = (2*a)^((1 + (|p|-5)/4)*2)
* = (2*a)^((p-1)/2)
* = -1;
* so if we set
* x := a*b*(i-1),
* then
* x^2 = a^2 * b^2 * (i^2 - 2*i + 1)
* = a^2 * b^2 * (-2*i)
* = a*(-i)*(2*a*b^2)
* = a*(-i)*i
* = a.
*
* (This is due to A.O.L. Atkin,
* <URL: http://listserv.nodak.edu/scripts/wa.exe?A2=ind9211&L=nmbrthry&O=T&P=562>,
* November 1992.)
*/
/* t := 2*a */
if (!BN_mod_lshift1_quick(t, A, p)) goto end;
/* b := (2*a)^((|p|-5)/8) */
if (!BN_rshift(q, p, 3)) goto end;
q->neg = 0;
if (!BN_mod_exp(b, t, q, p, ctx)) goto end;
/* y := b^2 */
if (!BN_mod_sqr(y, b, p, ctx)) goto end;
/* t := (2*a)*b^2 - 1*/
if (!BN_mod_mul(t, t, y, p, ctx)) goto end;
if (!BN_sub_word(t, 1)) goto end;
/* x = a*b*t */
if (!BN_mod_mul(x, A, b, p, ctx)) goto end;
if (!BN_mod_mul(x, x, t, p, ctx)) goto end;
if (!BN_copy(ret, x)) goto end;
err = 0;
goto vrfy;
}
/* e > 2, so we really have to use the Tonelli/Shanks algorithm.
* First, find some y that is not a square. */
if (!BN_copy(q, p)) goto end; /* use 'q' as temp */
q->neg = 0;
i = 2;
do
{
/* For efficiency, try small numbers first;
* if this fails, try random numbers.
*/
if (i < 22)
{
if (!BN_set_word(y, i)) goto end;
}
else
{
if (!BN_pseudo_rand(y, BN_num_bits(p), 0, 0)) goto end;
if (BN_ucmp(y, p) >= 0)
{
if (!(p->neg ? BN_add : BN_sub)(y, y, p)) goto end;
}
/* now 0 <= y < |p| */
if (BN_is_zero(y))
if (!BN_set_word(y, i)) goto end;
}
r = BN_kronecker(y, q, ctx); /* here 'q' is |p| */
if (r < -1) goto end;
if (r == 0)
{
/* m divides p */
BNerr(BN_F_BN_MOD_SQRT, BN_R_P_IS_NOT_PRIME);
goto end;
}
}
while (r == 1 && ++i < 82);
if (r != -1)
{
/* Many rounds and still no non-square -- this is more likely
* a bug than just bad luck.
* Even if p is not prime, we should have found some y
* such that r == -1.
*/
BNerr(BN_F_BN_MOD_SQRT, BN_R_TOO_MANY_ITERATIONS);
goto end;
}
/* Here's our actual 'q': */
if (!BN_rshift(q, q, e)) goto end;
/* Now that we have some non-square, we can find an element
* of order 2^e by computing its q'th power. */
if (!BN_mod_exp(y, y, q, p, ctx)) goto end;
if (BN_is_one(y))
{
BNerr(BN_F_BN_MOD_SQRT, BN_R_P_IS_NOT_PRIME);
goto end;
}
/* Now we know that (if p is indeed prime) there is an integer
* k, 0 <= k < 2^e, such that
*
* a^q * y^k == 1 (mod p).
*
* As a^q is a square and y is not, k must be even.
* q+1 is even, too, so there is an element
*
* X := a^((q+1)/2) * y^(k/2),
*
* and it satisfies
*
* X^2 = a^q * a * y^k
* = a,
*
* so it is the square root that we are looking for.
*/
/* t := (q-1)/2 (note that q is odd) */
if (!BN_rshift1(t, q)) goto end;
/* x := a^((q-1)/2) */
if (BN_is_zero(t)) /* special case: p = 2^e + 1 */
{
if (!BN_nnmod(t, A, p, ctx)) goto end;
if (BN_is_zero(t))
{
/* special case: a == 0 (mod p) */
BN_zero(ret);
err = 0;
goto end;
}
else
if (!BN_one(x)) goto end;
}
else
{
if (!BN_mod_exp(x, A, t, p, ctx)) goto end;
if (BN_is_zero(x))
{
/* special case: a == 0 (mod p) */
BN_zero(ret);
err = 0;
goto end;
}
}
/* b := a*x^2 (= a^q) */
if (!BN_mod_sqr(b, x, p, ctx)) goto end;
if (!BN_mod_mul(b, b, A, p, ctx)) goto end;
/* x := a*x (= a^((q+1)/2)) */
if (!BN_mod_mul(x, x, A, p, ctx)) goto end;
while (1)
{
/* Now b is a^q * y^k for some even k (0 <= k < 2^E
* where E refers to the original value of e, which we
* don't keep in a variable), and x is a^((q+1)/2) * y^(k/2).
*
* We have a*b = x^2,
* y^2^(e-1) = -1,
* b^2^(e-1) = 1.
*/
if (BN_is_one(b))
{
if (!BN_copy(ret, x)) goto end;
err = 0;
goto vrfy;
}
/* find smallest i such that b^(2^i) = 1 */
i = 1;
if (!BN_mod_sqr(t, b, p, ctx)) goto end;
while (!BN_is_one(t))
{
i++;
if (i == e)
{
BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
goto end;
}
if (!BN_mod_mul(t, t, t, p, ctx)) goto end;
}
/* t := y^2^(e - i - 1) */
if (!BN_copy(t, y)) goto end;
for (j = e - i - 1; j > 0; j--)
{
if (!BN_mod_sqr(t, t, p, ctx)) goto end;
}
if (!BN_mod_mul(y, t, t, p, ctx)) goto end;
if (!BN_mod_mul(x, x, t, p, ctx)) goto end;
if (!BN_mod_mul(b, b, y, p, ctx)) goto end;
e = i;
}
vrfy:
if (!err)
{
/* verify the result -- the input might have been not a square
* (test added in 0.9.8) */
if (!BN_mod_sqr(x, ret, p, ctx))
err = 1;
if (!err && 0 != BN_cmp(x, A))
{
BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
err = 1;
}
}
end:
if (err)
{
if (ret != NULL && ret != in)
{
BN_clear_free(ret);
}
ret = NULL;
}
BN_CTX_end(ctx);
bn_check_top(ret);
return ret;
}
int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe,
const BIGNUM *add, const BIGNUM *rem, BN_GENCB *cb)
{
BIGNUM *t;
int found=0;
int i,j,c1=0;
BN_CTX *ctx;
int checks = BN_prime_checks_for_size(bits);
if (bits < 2)
{
/* There are no prime numbers this small. */
BNerr(BN_F_BN_GENERATE_PRIME_EX, BN_R_BITS_TOO_SMALL);
return 0;
}
else if (bits == 2 && safe)
{
/* The smallest safe prime (7) is three bits. */
BNerr(BN_F_BN_GENERATE_PRIME_EX, BN_R_BITS_TOO_SMALL);
return 0;
}
ctx=BN_CTX_new();
if (ctx == NULL) goto err;
BN_CTX_start(ctx);
t = BN_CTX_get(ctx);
if(!t) goto err;
loop:
/* make a random number and set the top and bottom bits */
if (add == NULL)
{
if (!probable_prime(ret,bits)) goto err;
}
else
{
if (safe)
{
if (!probable_prime_dh_safe(ret,bits,add,rem,ctx))
goto err;
}
else
{
if (!bn_probable_prime_dh(ret,bits,add,rem,ctx))
goto err;
}
}
/* if (BN_mod_word(ret,(BN_ULONG)3) == 1) goto loop; */
if(!BN_GENCB_call(cb, 0, c1++))
/* aborted */
goto err;
if (!safe)
{
i=BN_is_prime_fasttest_ex(ret,checks,ctx,0,cb);
if (i == -1) goto err;
if (i == 0) goto loop;
}
else
{
/* for "safe prime" generation,
* check that (p-1)/2 is prime.
* Since a prime is odd, We just
* need to divide by 2 */
if (!BN_rshift1(t,ret)) goto err;
for (i=0; i<checks; i++)
{
j=BN_is_prime_fasttest_ex(ret,1,ctx,0,cb);
if (j == -1) goto err;
if (j == 0) goto loop;
j=BN_is_prime_fasttest_ex(t,1,ctx,0,cb);
if (j == -1) goto err;
if (j == 0) goto loop;
if(!BN_GENCB_call(cb, 2, c1-1))
goto err;
/* We have a safe prime test pass */
}
}
/* we have a prime :-) */
found = 1;
err:
if (ctx != NULL)
{
BN_CTX_end(ctx);
BN_CTX_free(ctx);
}
bn_check_top(ret);
return found;
}
static int probable_prime_dh_safe(BIGNUM *p, int bits, const BIGNUM *padd,
const BIGNUM *rem, BN_CTX *ctx) {
int i, ret = 0;
BIGNUM *t1, *qadd, *q;
bits--;
BN_CTX_start(ctx);
t1 = BN_CTX_get(ctx);
q = BN_CTX_get(ctx);
qadd = BN_CTX_get(ctx);
if (qadd == NULL) {
goto err;
}
if (!BN_rshift1(qadd, padd)) {
goto err;
}
if (!BN_rand(q, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD)) {
goto err;
}
/* we need ((rnd-rem) % add) == 0 */
if (!BN_mod(t1, q, qadd, ctx)) {
goto err;
}
if (!BN_sub(q, q, t1)) {
goto err;
}
if (rem == NULL) {
if (!BN_add_word(q, 1)) {
goto err;
}
} else {
if (!BN_rshift1(t1, rem)) {
goto err;
}
if (!BN_add(q, q, t1)) {
goto err;
}
}
/* we now have a random number 'rand' to test. */
if (!BN_lshift1(p, q)) {
goto err;
}
if (!BN_add_word(p, 1)) {
goto err;
}
loop:
for (i = 1; i < NUMPRIMES; i++) {
/* check that p and q are prime */
/* check that for p and q
* gcd(p-1,primes) == 1 (except for 2) */
BN_ULONG pmod = BN_mod_word(p, (BN_ULONG)primes[i]);
BN_ULONG qmod = BN_mod_word(q, (BN_ULONG)primes[i]);
if (pmod == (BN_ULONG)-1 || qmod == (BN_ULONG)-1) {
goto err;
}
if (pmod == 0 || qmod == 0) {
if (!BN_add(p, p, padd)) {
goto err;
}
if (!BN_add(q, q, qadd)) {
goto err;
}
goto loop;
}
}
ret = 1;
err:
BN_CTX_end(ctx);
return ret;
}
static void
bexp(void)
{
struct number *a, *p;
struct number *r;
bool neg;
u_int rscale;
p = pop_number();
if (p == NULL)
return;
a = pop_number();
if (a == NULL) {
push_number(p);
return;
}
if (p->scale != 0) {
BIGNUM *i, *f;
i = BN_new();
bn_checkp(i);
f = BN_new();
bn_checkp(f);
split_number(p, i, f);
if (!BN_is_zero(f))
warnx("Runtime warning: non-zero fractional part in exponent");
BN_free(i);
BN_free(f);
}
normalize(p, 0);
neg = false;
if (BN_is_negative(p->number)) {
neg = true;
negate(p);
rscale = bmachine.scale;
} else {
/* Posix bc says min(a.scale * b, max(a.scale, scale) */
u_long b;
u_int m;
b = BN_get_word(p->number);
m = max(a->scale, bmachine.scale);
rscale = a->scale * (u_int)b;
if (rscale > m || (a->scale > 0 && (b == ULONG_MAX ||
b > UINT_MAX)))
rscale = m;
}
if (BN_is_zero(p->number)) {
r = new_number();
bn_check(BN_one(r->number));
normalize(r, rscale);
} else {
u_int ascale, mscale;
ascale = a->scale;
while (!BN_is_bit_set(p->number, 0)) {
ascale *= 2;
bmul_number(a, a, a, ascale);
bn_check(BN_rshift1(p->number, p->number));
}
r = dup_number(a);
bn_check(BN_rshift1(p->number, p->number));
mscale = ascale;
while (!BN_is_zero(p->number)) {
ascale *= 2;
bmul_number(a, a, a, ascale);
if (BN_is_bit_set(p->number, 0)) {
mscale += ascale;
bmul_number(r, r, a, mscale);
}
bn_check(BN_rshift1(p->number, p->number));
}
if (neg) {
BN_CTX *ctx;
BIGNUM *one;
one = BN_new();
bn_checkp(one);
bn_check(BN_one(one));
ctx = BN_CTX_new();
bn_checkp(ctx);
scale_number(one, r->scale + rscale);
if (BN_is_zero(r->number))
warnx("divide by zero");
else
bn_check(BN_div(r->number, NULL, one,
r->number, ctx));
BN_free(one);
BN_CTX_free(ctx);
r->scale = rscale;
} else
normalize(r, rscale);
}
push_number(r);
free_number(a);
free_number(p);
}
int ec_GFp_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
const EC_POINT *b, BN_CTX *ctx)
{
int (*field_mul) (const EC_GROUP *, BIGNUM *, const BIGNUM *,
const BIGNUM *, BN_CTX *);
int (*field_sqr) (const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
const BIGNUM *p;
BN_CTX *new_ctx = NULL;
BIGNUM *n0, *n1, *n2, *n3, *n4, *n5, *n6;
int ret = 0;
if (a == b)
return EC_POINT_dbl(group, r, a, ctx);
if (EC_POINT_is_at_infinity(group, a))
return EC_POINT_copy(r, b);
if (EC_POINT_is_at_infinity(group, b))
return EC_POINT_copy(r, a);
field_mul = group->meth->field_mul;
field_sqr = group->meth->field_sqr;
p = group->field;
if (ctx == NULL) {
ctx = new_ctx = BN_CTX_new();
if (ctx == NULL)
return 0;
}
BN_CTX_start(ctx);
n0 = BN_CTX_get(ctx);
n1 = BN_CTX_get(ctx);
n2 = BN_CTX_get(ctx);
n3 = BN_CTX_get(ctx);
n4 = BN_CTX_get(ctx);
n5 = BN_CTX_get(ctx);
n6 = BN_CTX_get(ctx);
if (n6 == NULL)
goto end;
/*
* Note that in this function we must not read components of 'a' or 'b'
* once we have written the corresponding components of 'r'. ('r' might
* be one of 'a' or 'b'.)
*/
/* n1, n2 */
if (b->Z_is_one) {
if (!BN_copy(n1, a->X))
goto end;
if (!BN_copy(n2, a->Y))
goto end;
/* n1 = X_a */
/* n2 = Y_a */
} else {
if (!field_sqr(group, n0, b->Z, ctx))
goto end;
if (!field_mul(group, n1, a->X, n0, ctx))
goto end;
/* n1 = X_a * Z_b^2 */
if (!field_mul(group, n0, n0, b->Z, ctx))
goto end;
if (!field_mul(group, n2, a->Y, n0, ctx))
goto end;
/* n2 = Y_a * Z_b^3 */
}
/* n3, n4 */
if (a->Z_is_one) {
if (!BN_copy(n3, b->X))
goto end;
if (!BN_copy(n4, b->Y))
goto end;
/* n3 = X_b */
/* n4 = Y_b */
} else {
if (!field_sqr(group, n0, a->Z, ctx))
goto end;
if (!field_mul(group, n3, b->X, n0, ctx))
goto end;
/* n3 = X_b * Z_a^2 */
if (!field_mul(group, n0, n0, a->Z, ctx))
goto end;
if (!field_mul(group, n4, b->Y, n0, ctx))
goto end;
/* n4 = Y_b * Z_a^3 */
}
/* n5, n6 */
if (!BN_mod_sub_quick(n5, n1, n3, p))
goto end;
if (!BN_mod_sub_quick(n6, n2, n4, p))
goto end;
/* n5 = n1 - n3 */
/* n6 = n2 - n4 */
if (BN_is_zero(n5)) {
if (BN_is_zero(n6)) {
/* a is the same point as b */
BN_CTX_end(ctx);
ret = EC_POINT_dbl(group, r, a, ctx);
ctx = NULL;
goto end;
} else {
/* a is the inverse of b */
BN_zero(r->Z);
r->Z_is_one = 0;
ret = 1;
goto end;
}
}
/* 'n7', 'n8' */
if (!BN_mod_add_quick(n1, n1, n3, p))
goto end;
if (!BN_mod_add_quick(n2, n2, n4, p))
goto end;
/* 'n7' = n1 + n3 */
/* 'n8' = n2 + n4 */
/* Z_r */
if (a->Z_is_one && b->Z_is_one) {
if (!BN_copy(r->Z, n5))
goto end;
} else {
if (a->Z_is_one) {
if (!BN_copy(n0, b->Z))
goto end;
} else if (b->Z_is_one) {
if (!BN_copy(n0, a->Z))
goto end;
} else {
if (!field_mul(group, n0, a->Z, b->Z, ctx))
goto end;
}
if (!field_mul(group, r->Z, n0, n5, ctx))
goto end;
}
r->Z_is_one = 0;
/* Z_r = Z_a * Z_b * n5 */
/* X_r */
if (!field_sqr(group, n0, n6, ctx))
goto end;
if (!field_sqr(group, n4, n5, ctx))
goto end;
if (!field_mul(group, n3, n1, n4, ctx))
goto end;
if (!BN_mod_sub_quick(r->X, n0, n3, p))
goto end;
/* X_r = n6^2 - n5^2 * 'n7' */
/* 'n9' */
if (!BN_mod_lshift1_quick(n0, r->X, p))
goto end;
if (!BN_mod_sub_quick(n0, n3, n0, p))
goto end;
/* n9 = n5^2 * 'n7' - 2 * X_r */
/* Y_r */
if (!field_mul(group, n0, n0, n6, ctx))
goto end;
if (!field_mul(group, n5, n4, n5, ctx))
goto end; /* now n5 is n5^3 */
if (!field_mul(group, n1, n2, n5, ctx))
goto end;
if (!BN_mod_sub_quick(n0, n0, n1, p))
goto end;
if (BN_is_odd(n0))
if (!BN_add(n0, n0, p))
goto end;
/* now 0 <= n0 < 2*p, and n0 is even */
if (!BN_rshift1(r->Y, n0))
goto end;
/* Y_r = (n6 * 'n9' - 'n8' * 'n5^3') / 2 */
ret = 1;
end:
if (ctx) /* otherwise we already called BN_CTX_end */
BN_CTX_end(ctx);
BN_CTX_free(new_ctx);
return ret;
}
int RSA_recover_crt_params(RSA *rsa) {
BN_CTX *ctx;
BIGNUM *totient, *rem, *multiple, *p_plus_q, *p_minus_q;
int ok = 0;
if (rsa->n == NULL || rsa->e == NULL || rsa->d == NULL) {
OPENSSL_PUT_ERROR(RSA, RSA_recover_crt_params, RSA_R_EMPTY_PUBLIC_KEY);
return 0;
}
if (rsa->p || rsa->q || rsa->dmp1 || rsa->dmq1 || rsa->iqmp) {
OPENSSL_PUT_ERROR(RSA, RSA_recover_crt_params,
RSA_R_CRT_PARAMS_ALREADY_GIVEN);
return 0;
}
/* This uses the algorithm from section 9B of the RSA paper:
* http://people.csail.mit.edu/rivest/Rsapaper.pdf */
ctx = BN_CTX_new();
if (ctx == NULL) {
OPENSSL_PUT_ERROR(RSA, RSA_recover_crt_params, ERR_R_MALLOC_FAILURE);
return 0;
}
BN_CTX_start(ctx);
totient = BN_CTX_get(ctx);
rem = BN_CTX_get(ctx);
multiple = BN_CTX_get(ctx);
p_plus_q = BN_CTX_get(ctx);
p_minus_q = BN_CTX_get(ctx);
if (totient == NULL || rem == NULL || multiple == NULL || p_plus_q == NULL ||
p_minus_q == NULL) {
OPENSSL_PUT_ERROR(RSA, RSA_recover_crt_params, ERR_R_MALLOC_FAILURE);
goto err;
}
/* ed-1 is a small multiple of φ(n). */
if (!BN_mul(totient, rsa->e, rsa->d, ctx) ||
!BN_sub_word(totient, 1) ||
/* φ(n) =
* pq - p - q + 1 =
* n - (p + q) + 1
*
* Thus n is a reasonable estimate for φ(n). So, (ed-1)/n will be very
* close. But, when we calculate the quotient, we'll be truncating it
* because we discard the remainder. Thus (ed-1)/multiple will be >= n,
* which the totient cannot be. So we add one to the estimate.
*
* Consider ed-1 as:
*
* multiple * (n - (p+q) + 1) =
* multiple*n - multiple*(p+q) + multiple
*
* When we divide by n, the first term becomes multiple and, since
* multiple and p+q is tiny compared to n, the second and third terms can
* be ignored. Thus I claim that subtracting one from the estimate is
* sufficient. */
!BN_div(multiple, NULL, totient, rsa->n, ctx) ||
!BN_add_word(multiple, 1) ||
!BN_div(totient, rem, totient, multiple, ctx)) {
OPENSSL_PUT_ERROR(RSA, RSA_recover_crt_params, ERR_R_BN_LIB);
goto err;
}
if (!BN_is_zero(rem)) {
OPENSSL_PUT_ERROR(RSA, RSA_recover_crt_params, RSA_R_BAD_RSA_PARAMETERS);
goto err;
}
rsa->p = BN_new();
rsa->q = BN_new();
rsa->dmp1 = BN_new();
rsa->dmq1 = BN_new();
rsa->iqmp = BN_new();
if (rsa->p == NULL || rsa->q == NULL || rsa->dmp1 == NULL || rsa->dmq1 ==
NULL || rsa->iqmp == NULL) {
OPENSSL_PUT_ERROR(RSA, RSA_recover_crt_params, ERR_R_MALLOC_FAILURE);
goto err;
}
/* φ(n) = n - (p + q) + 1 =>
* n - totient + 1 = p + q */
if (!BN_sub(p_plus_q, rsa->n, totient) ||
!BN_add_word(p_plus_q, 1) ||
/* p - q = sqrt((p+q)^2 - 4n) */
!BN_sqr(rem, p_plus_q, ctx) ||
!BN_lshift(multiple, rsa->n, 2) ||
!BN_sub(rem, rem, multiple) ||
!BN_sqrt(p_minus_q, rem, ctx) ||
/* q is 1/2 (p+q)-(p-q) */
!BN_sub(rsa->q, p_plus_q, p_minus_q) ||
!BN_rshift1(rsa->q, rsa->q) ||
!BN_div(rsa->p, NULL, rsa->n, rsa->q, ctx) ||
!BN_mul(multiple, rsa->p, rsa->q, ctx)) {
OPENSSL_PUT_ERROR(RSA, RSA_recover_crt_params, ERR_R_BN_LIB);
goto err;
}
if (BN_cmp(multiple, rsa->n) != 0) {
OPENSSL_PUT_ERROR(RSA, RSA_recover_crt_params, RSA_R_INTERNAL_ERROR);
goto err;
}
if (!BN_sub(rem, rsa->p, BN_value_one()) ||
!BN_mod(rsa->dmp1, rsa->d, rem, ctx) ||
!BN_sub(rem, rsa->q, BN_value_one()) ||
!BN_mod(rsa->dmq1, rsa->d, rem, ctx) ||
!BN_mod_inverse(rsa->iqmp, rsa->q, rsa->p, ctx)) {
OPENSSL_PUT_ERROR(RSA, RSA_recover_crt_params, ERR_R_BN_LIB);
goto err;
}
ok = 1;
err:
BN_CTX_end(ctx);
BN_CTX_free(ctx);
if (!ok) {
bn_free_and_null(&rsa->p);
bn_free_and_null(&rsa->q);
bn_free_and_null(&rsa->dmp1);
bn_free_and_null(&rsa->dmq1);
bn_free_and_null(&rsa->iqmp);
}
return ok;
}
BIGNUM *BN_mod_inverse(BIGNUM *in,
const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx)
{
BIGNUM *A,*B,*X,*Y,*M,*D,*T,*R=NULL;
BIGNUM *ret=NULL;
int sign;
if ((BN_get_flags(a, BN_FLG_CONSTTIME) != 0) || (BN_get_flags(n, BN_FLG_CONSTTIME) != 0))
{
return BN_mod_inverse_no_branch(in, a, n, ctx);
}
bn_check_top(a);
bn_check_top(n);
BN_CTX_start(ctx);
A = BN_CTX_get(ctx);
B = BN_CTX_get(ctx);
X = BN_CTX_get(ctx);
D = BN_CTX_get(ctx);
M = BN_CTX_get(ctx);
Y = BN_CTX_get(ctx);
T = BN_CTX_get(ctx);
if (T == NULL) goto err;
if (in == NULL)
R=BN_new();
else
R=in;
if (R == NULL) goto err;
BN_one(X);
BN_zero(Y);
if (BN_copy(B,a) == NULL) goto err;
if (BN_copy(A,n) == NULL) goto err;
A->neg = 0;
if (B->neg || (BN_ucmp(B, A) >= 0))
{
if (!BN_nnmod(B, B, A, ctx)) goto err;
}
sign = -1;
/* From B = a mod |n|, A = |n| it follows that
*
* 0 <= B < A,
* -sign*X*a == B (mod |n|),
* sign*Y*a == A (mod |n|).
*/
if (BN_is_odd(n) && (BN_num_bits(n) <= (BN_BITS <= 32 ? 450 : 2048)))
{
/* Binary inversion algorithm; requires odd modulus.
* This is faster than the general algorithm if the modulus
* is sufficiently small (about 400 .. 500 bits on 32-bit
* sytems, but much more on 64-bit systems) */
int shift;
while (!BN_is_zero(B))
{
/*
* 0 < B < |n|,
* 0 < A <= |n|,
* (1) -sign*X*a == B (mod |n|),
* (2) sign*Y*a == A (mod |n|)
*/
/* Now divide B by the maximum possible power of two in the integers,
* and divide X by the same value mod |n|.
* When we're done, (1) still holds. */
shift = 0;
while (!BN_is_bit_set(B, shift)) /* note that 0 < B */
{
shift++;
if (BN_is_odd(X))
{
if (!BN_uadd(X, X, n)) goto err;
}
/* now X is even, so we can easily divide it by two */
if (!BN_rshift1(X, X)) goto err;
}
if (shift > 0)
{
if (!BN_rshift(B, B, shift)) goto err;
}
/* Same for A and Y. Afterwards, (2) still holds. */
shift = 0;
while (!BN_is_bit_set(A, shift)) /* note that 0 < A */
{
shift++;
if (BN_is_odd(Y))
{
if (!BN_uadd(Y, Y, n)) goto err;
}
/* now Y is even */
if (!BN_rshift1(Y, Y)) goto err;
}
if (shift > 0)
{
if (!BN_rshift(A, A, shift)) goto err;
}
/* We still have (1) and (2).
* Both A and B are odd.
* The following computations ensure that
*
* 0 <= B < |n|,
* 0 < A < |n|,
* (1) -sign*X*a == B (mod |n|),
* (2) sign*Y*a == A (mod |n|),
*
* and that either A or B is even in the next iteration.
*/
if (BN_ucmp(B, A) >= 0)
{
/* -sign*(X + Y)*a == B - A (mod |n|) */
if (!BN_uadd(X, X, Y)) goto err;
/* NB: we could use BN_mod_add_quick(X, X, Y, n), but that
* actually makes the algorithm slower */
if (!BN_usub(B, B, A)) goto err;
}
else
{
/* sign*(X + Y)*a == A - B (mod |n|) */
if (!BN_uadd(Y, Y, X)) goto err;
/* as above, BN_mod_add_quick(Y, Y, X, n) would slow things down */
if (!BN_usub(A, A, B)) goto err;
}
}
}
else
{
/* general inversion algorithm */
while (!BN_is_zero(B))
{
BIGNUM *tmp;
/*
* 0 < B < A,
* (*) -sign*X*a == B (mod |n|),
* sign*Y*a == A (mod |n|)
*/
/* (D, M) := (A/B, A%B) ... */
if (BN_num_bits(A) == BN_num_bits(B))
{
if (!BN_one(D)) goto err;
if (!BN_sub(M,A,B)) goto err;
}
else if (BN_num_bits(A) == BN_num_bits(B) + 1)
{
/* A/B is 1, 2, or 3 */
if (!BN_lshift1(T,B)) goto err;
if (BN_ucmp(A,T) < 0)
{
/* A < 2*B, so D=1 */
if (!BN_one(D)) goto err;
if (!BN_sub(M,A,B)) goto err;
}
else
{
/* A >= 2*B, so D=2 or D=3 */
if (!BN_sub(M,A,T)) goto err;
if (!BN_add(D,T,B)) goto err; /* use D (:= 3*B) as temp */
if (BN_ucmp(A,D) < 0)
{
/* A < 3*B, so D=2 */
if (!BN_set_word(D,2)) goto err;
/* M (= A - 2*B) already has the correct value */
}
else
{
/* only D=3 remains */
if (!BN_set_word(D,3)) goto err;
/* currently M = A - 2*B, but we need M = A - 3*B */
if (!BN_sub(M,M,B)) goto err;
}
}
}
else
{
if (!BN_div(D,M,A,B,ctx)) goto err;
}
/* Now
* A = D*B + M;
* thus we have
* (**) sign*Y*a == D*B + M (mod |n|).
*/
tmp=A; /* keep the BIGNUM object, the value does not matter */
/* (A, B) := (B, A mod B) ... */
A=B;
B=M;
/* ... so we have 0 <= B < A again */
/* Since the former M is now B and the former B is now A,
* (**) translates into
* sign*Y*a == D*A + B (mod |n|),
* i.e.
* sign*Y*a - D*A == B (mod |n|).
* Similarly, (*) translates into
* -sign*X*a == A (mod |n|).
*
* Thus,
* sign*Y*a + D*sign*X*a == B (mod |n|),
* i.e.
* sign*(Y + D*X)*a == B (mod |n|).
*
* So if we set (X, Y, sign) := (Y + D*X, X, -sign), we arrive back at
* -sign*X*a == B (mod |n|),
* sign*Y*a == A (mod |n|).
* Note that X and Y stay non-negative all the time.
*/
/* most of the time D is very small, so we can optimize tmp := D*X+Y */
if (BN_is_one(D))
{
if (!BN_add(tmp,X,Y)) goto err;
}
else
{
if (BN_is_word(D,2))
{
if (!BN_lshift1(tmp,X)) goto err;
}
else if (BN_is_word(D,4))
{
if (!BN_lshift(tmp,X,2)) goto err;
}
else if (D->top == 1)
{
if (!BN_copy(tmp,X)) goto err;
if (!BN_mul_word(tmp,D->d[0])) goto err;
}
else
{
if (!BN_mul(tmp,D,X,ctx)) goto err;
}
if (!BN_add(tmp,tmp,Y)) goto err;
}
M=Y; /* keep the BIGNUM object, the value does not matter */
Y=X;
X=tmp;
sign = -sign;
}
}
/*
* The while loop (Euclid's algorithm) ends when
* A == gcd(a,n);
* we have
* sign*Y*a == A (mod |n|),
* where Y is non-negative.
*/
if (sign < 0)
{
if (!BN_sub(Y,n,Y)) goto err;
}
/* Now Y*a == A (mod |n|). */
if (BN_is_one(A))
{
/* Y*a == 1 (mod |n|) */
if (!Y->neg && BN_ucmp(Y,n) < 0)
{
if (!BN_copy(R,Y)) goto err;
}
else
{
if (!BN_nnmod(R,Y,n,ctx)) goto err;
}
}
else
{
BNerr(BN_F_BN_MOD_INVERSE,BN_R_NO_INVERSE);
goto err;
}
ret=R;
err:
if ((ret == NULL) && (in == NULL)) BN_free(R);
BN_CTX_end(ctx);
bn_check_top(ret);
return(ret);
}
int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe, const BIGNUM *add,
const BIGNUM *rem, BN_GENCB *cb) {
BIGNUM *t;
int found = 0;
int i, j, c1 = 0;
BN_CTX *ctx;
int checks = BN_prime_checks_for_size(bits);
if (bits < 2) {
/* There are no prime numbers this small. */
OPENSSL_PUT_ERROR(BN, BN_R_BITS_TOO_SMALL);
return 0;
} else if (bits == 2 && safe) {
/* The smallest safe prime (7) is three bits. */
OPENSSL_PUT_ERROR(BN, BN_R_BITS_TOO_SMALL);
return 0;
}
ctx = BN_CTX_new();
if (ctx == NULL) {
goto err;
}
BN_CTX_start(ctx);
t = BN_CTX_get(ctx);
if (!t) {
goto err;
}
loop:
/* make a random number and set the top and bottom bits */
if (add == NULL) {
if (!probable_prime(ret, bits)) {
goto err;
}
} else {
if (safe) {
if (!probable_prime_dh_safe(ret, bits, add, rem, ctx)) {
goto err;
}
} else {
if (!probable_prime_dh(ret, bits, add, rem, ctx)) {
goto err;
}
}
}
if (!BN_GENCB_call(cb, BN_GENCB_GENERATED, c1++)) {
/* aborted */
goto err;
}
if (!safe) {
i = BN_is_prime_fasttest_ex(ret, checks, ctx, 0, cb);
if (i == -1) {
goto err;
} else if (i == 0) {
goto loop;
}
} else {
/* for "safe prime" generation, check that (p-1)/2 is prime. Since a prime
* is odd, We just need to divide by 2 */
if (!BN_rshift1(t, ret)) {
goto err;
}
for (i = 0; i < checks; i++) {
j = BN_is_prime_fasttest_ex(ret, 1, ctx, 0, NULL);
if (j == -1) {
goto err;
} else if (j == 0) {
goto loop;
}
j = BN_is_prime_fasttest_ex(t, 1, ctx, 0, NULL);
if (j == -1) {
goto err;
} else if (j == 0) {
goto loop;
}
if (!BN_GENCB_call(cb, i, c1 - 1)) {
goto err;
}
/* We have a safe prime test pass */
}
}
/* we have a prime :-) */
found = 1;
err:
if (ctx != NULL) {
BN_CTX_end(ctx);
BN_CTX_free(ctx);
}
return found;
}
