static BIGNUM *euclid(BIGNUM *a, BIGNUM *b) { BIGNUM *t; int shifts=0; bn_check_top(a); bn_check_top(b); /* 0 <= b <= a */ while (!BN_is_zero(b)) { /* 0 < b <= a */ if (BN_is_odd(a)) { if (BN_is_odd(b)) { if (!BN_sub(a,a,b)) goto err; if (!BN_rshift1(a,a)) goto err; if (BN_cmp(a,b) < 0) { t=a; a=b; b=t; } } else /* a odd - b even */ { if (!BN_rshift1(b,b)) goto err; if (BN_cmp(a,b) < 0) { t=a; a=b; b=t; } } } else /* a is even */ { if (BN_is_odd(b)) { if (!BN_rshift1(a,a)) goto err; if (BN_cmp(a,b) < 0) { t=a; a=b; b=t; } } else /* a even - b even */ { if (!BN_rshift1(a,a)) goto err; if (!BN_rshift1(b,b)) goto err; shifts++; } } /* 0 <= b <= a */ } if (shifts) { if (!BN_lshift(a,a,shifts)) goto err; } bn_check_top(a); return(a); err: return(NULL); }
static int probable_prime_dh_safe(BIGNUM *p, int bits, const BIGNUM *padd, const BIGNUM *rem, BN_CTX *ctx) { int i,ret=0; BIGNUM *t1,*qadd,*q; bits--; BN_CTX_start(ctx); t1 = BN_CTX_get(ctx); q = BN_CTX_get(ctx); qadd = BN_CTX_get(ctx); if (qadd == NULL) goto err; if (!BN_rshift1(qadd,padd)) goto err; if (!BN_rand(q,bits,0,1)) goto err; /* we need ((rnd-rem) % add) == 0 */ if (!BN_mod(t1,q,qadd,ctx)) goto err; if (!BN_sub(q,q,t1)) goto err; if (rem == NULL) { if (!BN_add_word(q,1)) goto err; } else { if (!BN_rshift1(t1,rem)) goto err; if (!BN_add(q,q,t1)) goto err; } /* we now have a random number 'rand' to test. */ if (!BN_lshift1(p,q)) goto err; if (!BN_add_word(p,1)) goto err; loop: for (i=1; i<NUMPRIMES; i++) { /* check that p and q are prime */ /* check that for p and q * gcd(p-1,primes) == 1 (except for 2) */ if ((BN_mod_word(p,(BN_ULONG)primes[i]) == 0) || (BN_mod_word(q,(BN_ULONG)primes[i]) == 0)) { if (!BN_add(p,p,padd)) goto err; if (!BN_add(q,q,qadd)) goto err; goto loop; } } ret=1; err: BN_CTX_end(ctx); bn_check_top(p); return(ret); }
// http://stackoverflow.com/questions/356090/how-to-compute-the-nth-root-of-a-very-big-integer static BIGNUM *nearest_cuberoot(BIGNUM *in) { BN_CTX *ctx = BN_CTX_new(); BN_CTX_start(ctx); BIGNUM *three = BN_CTX_get(ctx); BIGNUM *high = BN_CTX_get(ctx); BIGNUM *mid = BN_CTX_get(ctx); BIGNUM *low = BN_CTX_get(ctx); BIGNUM *tmp = BN_CTX_get(ctx); BN_set_word(three, 3); // Create the constant 3 BN_set_word(high, 1); // high = 1 do { BN_lshift1(high, high); // high = high << 1 (high * 2) BN_exp(tmp, high, three, ctx); // tmp = high^3 } while (BN_ucmp(tmp, in) <= -1); // while (tmp < in) BN_rshift1(low, high); // low = high >> 1 (high / 2) while (BN_ucmp(low, high) <= -1) // while (low < high) { BN_add(tmp, low, high); // tmp = low + high BN_rshift1(mid, tmp); // mid = tmp >> 1 (tmp / 2) BN_exp(tmp, mid, three, ctx); // tmp = mid^3 if (BN_ucmp(low, mid) <= -1 && BN_ucmp(tmp, in) <= -1) // if (low < mid && tmp < in) BN_copy(low, mid); // low = mid else if (BN_ucmp(high, mid) >= 1 && BN_ucmp(tmp, in) >= 1) // else if (high > mid && tmp > in) BN_copy(high, mid); // high = mid else { // subtract 1 from mid because 1 will be added after the loop BN_sub_word(mid, 1); // mid -= 1 break; } } BN_add_word(mid, 1); // mid += 1 BIGNUM *result = BN_dup(mid); BN_CTX_end(ctx); BN_CTX_free(ctx); return result; }
bool CKey::Sign(uint256 hash, std::vector<unsigned char>& vchSig) { vchSig.clear(); ECDSA_SIG *sig = ECDSA_do_sign((unsigned char*)&hash, sizeof(hash), pkey); if (sig == NULL) return false; BN_CTX *ctx = BN_CTX_new(); BN_CTX_start(ctx); const EC_GROUP *group = EC_KEY_get0_group(pkey); BIGNUM *order = BN_CTX_get(ctx); BIGNUM *halforder = BN_CTX_get(ctx); EC_GROUP_get_order(group, order, ctx); BN_rshift1(halforder, order); if (BN_cmp(sig->s, halforder) > 0) { // enforce low S values, by negating the value (modulo the order) if above order/2. BN_sub(sig->s, order, sig->s); } BN_CTX_end(ctx); BN_CTX_free(ctx); unsigned int nSize = ECDSA_size(pkey); vchSig.resize(nSize); // Make sure it is big enough unsigned char *pos = &vchSig[0]; nSize = i2d_ECDSA_SIG(sig, &pos); ECDSA_SIG_free(sig); vchSig.resize(nSize); // Shrink to fit actual size return true; }
int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d, BN_CTX *ctx) { int i,nm,nd; int ret = 0; BIGNUM *D; bn_check_top(m); bn_check_top(d); if (BN_is_zero(d)) { BNerr(BN_F_BN_DIV,BN_R_DIV_BY_ZERO); return(0); } if (BN_ucmp(m,d) < 0) { if (rem != NULL) { if (BN_copy(rem,m) == NULL) return(0); } if (dv != NULL) BN_zero(dv); return(1); } BN_CTX_start(ctx); D = BN_CTX_get(ctx); if (dv == NULL) dv = BN_CTX_get(ctx); if (rem == NULL) rem = BN_CTX_get(ctx); if (D == NULL || dv == NULL || rem == NULL) goto end; nd=BN_num_bits(d); nm=BN_num_bits(m); if (BN_copy(D,d) == NULL) goto end; if (BN_copy(rem,m) == NULL) goto end; /* The next 2 are needed so we can do a dv->d[0]|=1 later * since BN_lshift1 will only work once there is a value :-) */ BN_zero(dv); if(bn_wexpand(dv,1) == NULL) goto end; dv->top=1; if (!BN_lshift(D,D,nm-nd)) goto end; for (i=nm-nd; i>=0; i--) { if (!BN_lshift1(dv,dv)) goto end; if (BN_ucmp(rem,D) >= 0) { dv->d[0]|=1; if (!BN_usub(rem,rem,D)) goto end; } /* CAN IMPROVE (and have now :=) */ if (!BN_rshift1(D,D)) goto end; } rem->neg=BN_is_zero(rem)?0:m->neg; dv->neg=m->neg^d->neg; ret = 1; end: BN_CTX_end(ctx); return(ret); }
bool CKey::Sign(uint256 hash, std::vector<unsigned char>& vchSig) { vchSig.clear(); ECDSA_SIG *sig = ECDSA_do_sign((unsigned char*)&hash, sizeof(hash), pkey); if (sig==NULL) return false; const EC_GROUP *group = EC_KEY_get0_group(pkey); CBigNum order, halforder; EC_GROUP_get_order(group, &order, NULL); BN_rshift1(&halforder, &order); // enforce low S values, by negating the value (modulo the order) if above order/2. if (BN_cmp(sig->s, &halforder) > 0) { BN_sub(sig->s, &order, sig->s); } unsigned int nSize = ECDSA_size(pkey); vchSig.resize(nSize); // Make sure it is big enough unsigned char *pos = &vchSig[0]; nSize = i2d_ECDSA_SIG(sig, &pos); ECDSA_SIG_free(sig); vchSig.resize(nSize); // Shrink to fit actual size // Testing our new signature if (ECDSA_verify(0, (unsigned char*)&hash, sizeof(hash), &vchSig[0], vchSig.size(), pkey) != 1) { vchSig.clear(); return false; } return true; }
/* The secret integers s0 and s1 must be in the range 0 < s < n for some n, and must be relatively prime to that n. We know a priori that n is of the form 2**k * p for some small integer k and prime p. Therefore, it suffices to choose a random integer in the range [0, n/2), multiply by two and add one (enforcing oddness), and then reject values which are divisible by p. */ static BIGNUM * random_s(const BIGNUM *n, const BIGNUM *p, BN_CTX *c) { BIGNUM h, m, *r; BN_init(&h); BN_init(&m); FAILZ(r = BN_new()); FAILZ(BN_copy(&h, n)); FAILZ(BN_rshift1(&h, &h)); do { FAILZ(BN_rand_range(r, &h)); FAILZ(BN_lshift1(r, r)); FAILZ(BN_add(r, r, BN_value_one())); FAILZ(BN_nnmod(&m, r, p, c)); } while (BN_is_zero(&m)); BN_clear(&h); BN_clear(&m); return r; fail: BN_clear(&h); BN_clear(&m); if (r) BN_clear_free(r); return 0; }
/* rem != m */ int BN_mod(BIGNUM *rem, const BIGNUM *m, const BIGNUM *d, BN_CTX *ctx) { #if 0 /* The old slow way */ int i, nm, nd; BIGNUM *dv; if(BN_ucmp(m, d) < 0) { return ((BN_copy(rem, m) == NULL) ? 0 : 1); } BN_CTX_start(ctx); dv = BN_CTX_get(ctx); if(!BN_copy(rem, m)) { goto err; } nm = BN_num_bits(rem); nd = BN_num_bits(d); if(!BN_lshift(dv, d, nm - nd)) { goto err; } for(i = nm - nd; i >= 0; i--) { if(BN_cmp(rem, dv) >= 0) { if(!BN_sub(rem, rem, dv)) { goto err; } } if(!BN_rshift1(dv, dv)) { goto err; } } BN_CTX_end(ctx); return (1); err: BN_CTX_end(ctx); return (0); #else return (BN_div(NULL, rem, m, d, ctx)); #endif }
int DH_check(const DH *dh, int *ret) { int ok = 0; BN_CTX *ctx = NULL; BN_ULONG l; BIGNUM *q = NULL; *ret = 0; ctx = BN_CTX_new(); if (ctx == NULL) goto err; q = BN_new(); if (q == NULL) goto err; if (BN_is_word(dh->g, DH_GENERATOR_2)) { l = BN_mod_word(dh->p, 24); if (l != 11) *ret |= DH_NOT_SUITABLE_GENERATOR; } # if 0 else if (BN_is_word(dh->g, DH_GENERATOR_3)) { l = BN_mod_word(dh->p, 12); if (l != 5) *ret |= DH_NOT_SUITABLE_GENERATOR; } # endif else if (BN_is_word(dh->g, DH_GENERATOR_5)) { l = BN_mod_word(dh->p, 10); if ((l != 3) && (l != 7)) *ret |= DH_NOT_SUITABLE_GENERATOR; } else *ret |= DH_UNABLE_TO_CHECK_GENERATOR; if (!BN_is_prime_ex(dh->p, BN_prime_checks, ctx, NULL)) *ret |= DH_CHECK_P_NOT_PRIME; else { if (!BN_rshift1(q, dh->p)) goto err; if (!BN_is_prime_ex(q, BN_prime_checks, ctx, NULL)) *ret |= DH_CHECK_P_NOT_SAFE_PRIME; } ok = 1; err: if (ctx != NULL) BN_CTX_free(ctx); if (q != NULL) BN_free(q); return (ok); }
// create a compact signature (65 bytes), which allows reconstructing the used public key // The format is one header byte, followed by two times 32 bytes for the serialized r and s values. // The header byte: 0x1B = first key with even y, 0x1C = first key with odd y, // 0x1D = second key with even y, 0x1E = second key with odd y bool CKey::SignCompact(uint256 hash, std::vector<unsigned char>& vchSig) { bool fOk = false; ECDSA_SIG *sig = ECDSA_do_sign((unsigned char*)&hash, sizeof(hash), pkey); if (sig==NULL) return false; const EC_GROUP *group = EC_KEY_get0_group(pkey); CBigNum order, halforder; EC_GROUP_get_order(group, &order, NULL); BN_rshift1(&halforder, &order); // enforce low S values, by negating the value (modulo the order) if above order/2. if (BN_cmp(sig->s, &halforder) > 0) { BN_sub(sig->s, &order, sig->s); } vchSig.clear(); vchSig.resize(65,0); int nBitsR = BN_num_bits(sig->r); int nBitsS = BN_num_bits(sig->s); if (nBitsR <= 256 && nBitsS <= 256) { int nRecId = -1; for (int i=0; i<4; i++) { CKey keyRec; keyRec.fSet = true; if (fCompressedPubKey) keyRec.SetCompressedPubKey(); if (ECDSA_SIG_recover_key_GFp(keyRec.pkey, sig, (unsigned char*)&hash, sizeof(hash), i, 1) == 1) if (keyRec.GetPubKey() == this->GetPubKey()) { nRecId = i; break; } } if (nRecId == -1) { ECDSA_SIG_free(sig); throw key_error("CKey::SignCompact() : unable to construct recoverable key"); } vchSig[0] = nRecId+27+(fCompressedPubKey ? 4 : 0); BN_bn2bin(sig->r,&vchSig[33-(nBitsR+7)/8]); BN_bn2bin(sig->s,&vchSig[65-(nBitsS+7)/8]); fOk = true; } ECDSA_SIG_free(sig); return fOk; }
static void bsqrt(void) { struct number *n; struct number *r; BIGNUM *x, *y; u_int scale, onecount; BN_CTX *ctx; onecount = 0; n = pop_number(); if (n == NULL) { return; } if (BN_is_zero(n->number)) { r = new_number(); push_number(r); } else if (BN_is_negative(n->number)) warnx("square root of negative number"); else { scale = max(bmachine.scale, n->scale); normalize(n, 2*scale); x = BN_dup(n->number); bn_checkp(x); bn_check(BN_rshift(x, x, BN_num_bits(x)/2)); y = BN_new(); bn_checkp(y); ctx = BN_CTX_new(); bn_checkp(ctx); for (;;) { bn_checkp(BN_copy(y, x)); bn_check(BN_div(x, NULL, n->number, x, ctx)); bn_check(BN_add(x, x, y)); bn_check(BN_rshift1(x, x)); if (bsqrt_stop(x, y, &onecount)) break; } r = bmalloc(sizeof(*r)); r->scale = scale; r->number = y; BN_free(x); BN_CTX_free(ctx); push_number(r); } free_number(n); }
/* * Construct a MODP group from hex strings p (which must be a safe * prime) and g, automatically calculating subgroup q as (p / 2) */ struct modp_group * modp_group_from_g_and_safe_p(const char *grp_g, const char *grp_p) { struct modp_group *ret; ret = xcalloc(1, sizeof(*ret)); ret->p = ret->q = ret->g = NULL; if (BN_hex2bn(&ret->p, grp_p) == 0 || BN_hex2bn(&ret->g, grp_g) == 0) fatal("%s: BN_hex2bn", __func__); /* Subgroup order is p/2 (p is a safe prime) */ if ((ret->q = BN_new()) == NULL) fatal("%s: BN_new", __func__); if (BN_rshift1(ret->q, ret->p) != 1) fatal("%s: BN_rshift1", __func__); return ret; }
struct jpake_group * jpake_default_group(void) { struct jpake_group *ret; ret = xmalloc(sizeof(*ret)); ret->p = ret->q = ret->g = NULL; if (BN_hex2bn(&ret->p, JPAKE_GROUP_P) == 0 || BN_hex2bn(&ret->g, JPAKE_GROUP_G) == 0) fatal("%s: BN_hex2bn", __func__); /* Subgroup order is p/2 (p is a safe prime) */ if ((ret->q = BN_new()) == NULL) fatal("%s: BN_new", __func__); if (BN_rshift1(ret->q, ret->p) != 1) fatal("%s: BN_rshift1", __func__); return ret; }
BIGNUM * DH_get_q(const DH *dh, BN_CTX *ctx) { BIGNUM *q_new = NULL, *bn = NULL; int i; const BIGNUM *p, *q; check(dh, "Invalid arguments"); DH_get0_pqg(dh, &p, &q, NULL); if (!q) { q_new = BN_new(); bn = BN_dup(p); /* DH primes should be strong, based on a Sophie Germain prime q * p=(2*q)+1 or (p-1)/2=q */ if (!q_new || !bn || !BN_sub_word(bn, 1) || !BN_rshift1(q_new, bn)) { goto err; } } else { q_new = BN_dup(q); } /* q should always be prime */ i = BN_is_prime_ex(q_new, BN_prime_checks, ctx, NULL); if (i <= 0) { if (i == 0) log_err("Unable to get Sophie Germain prime"); goto err; } return q_new; err: if (bn) BN_clear_free(bn); if (q_new) BN_clear_free(q_new); return NULL; }
void setup() { mod = BN_bin2bn( mod_buffer, /*len*/192, NULL ); // modOrder = ( mod - 1 ) / 2 BIGNUM* postSubtract = BN_new(); BIGNUM* oneBN = BN_new(); int ret = BN_one( oneBN ); if ( ret != 1 ) { printf( "setup: BN_one failed: %d", ret ); } ret = BN_sub( postSubtract, mod, oneBN ); // r = a - b if ( ret != 1 ) { printf( "setup: BN_sub failed: %d", ret ); } BN_clear_free( oneBN ); modOrder = BN_new(); ret = BN_rshift1( modOrder, postSubtract ); // r = a Ö 2 if ( ret != 1 ) { printf( "setup: BN_rshift1 failed: %d", ret ); } BN_clear_free( postSubtract ); g2 = BN_new(); g3 = BN_new(); c1 = BN_new(); c2 = BN_new(); d1 = BN_new(); d2 = BN_new(); g3a = BN_new(); // exponent used in step 1 gen = BN_new(); ret = BN_set_word( gen, 2 ); match = 0; }
DH *tr_create_dh_params(unsigned char *priv_key, size_t keylen) { DH *dh = NULL; int dh_err = 0; if (NULL == (dh = DH_new())) return NULL; if ((NULL == (dh->g = BN_new())) || (NULL == (dh->p = BN_new())) || (NULL == (dh->q = BN_new()))) { DH_free(dh); return NULL; } BN_set_word(dh->g, 2); dh->p = BN_bin2bn(tr_2048_dhprime, sizeof(tr_2048_dhprime), NULL); BN_rshift1(dh->q, dh->p); if ((priv_key) && (keylen > 0)) dh->priv_key = BN_bin2bn(priv_key, keylen, NULL); DH_generate_key(dh); /* generates the public key */ DH_check(dh, &dh_err); if (0 != dh_err) { tr_warning("Warning: dh_check failed with %d", dh_err); if (dh_err & DH_CHECK_P_NOT_PRIME) tr_warning(": p value is not prime"); else if (dh_err & DH_CHECK_P_NOT_SAFE_PRIME) tr_warning(": p value is not a safe prime"); else if (dh_err & DH_UNABLE_TO_CHECK_GENERATOR) tr_warning(": unable to check the generator value"); else if (dh_err & DH_NOT_SUITABLE_GENERATOR) tr_warning(": the g value is not a generator"); else tr_warning("unhandled error %i", dh_err); } return(dh); }
int test_rshift1(BIO *bp) { BIGNUM *a,*b,*c; int i; a=BN_new(); b=BN_new(); c=BN_new(); BN_bntest_rand(a,200,0,0); /**/ a->neg=rand_neg(); for (i=0; i<num0; i++) { BN_rshift1(b,a); if (bp != NULL) { if (!results) { BN_print(bp,a); BIO_puts(bp," / 2"); BIO_puts(bp," - "); } BN_print(bp,b); BIO_puts(bp,"\n"); } BN_sub(c,a,b); BN_sub(c,c,b); if(!BN_is_zero(c) && !BN_abs_is_word(c, 1)) { fprintf(stderr,"Right shift one test failed!\n"); return 0; } BN_copy(a,b); } BN_free(a); BN_free(b); BN_free(c); return(1); }
static int test_check_public_key(void) { int ret = 0; BIGNUM *n = NULL, *e = NULL; RSA *key = NULL; ret = TEST_ptr(key = RSA_new()) /* check NULL pointers fail */ && TEST_false(rsa_sp800_56b_check_public(key)) /* load public key */ && TEST_ptr(e = bn_load_new(cav_e, sizeof(cav_e))) && TEST_ptr(n = bn_load_new(cav_n, sizeof(cav_n))) && TEST_true(RSA_set0_key(key, n, e, NULL)); if (!ret) { BN_free(e); BN_free(n); goto end; } /* check public key is valid */ ret = TEST_true(rsa_sp800_56b_check_public(key)) /* check fail if n is even */ && TEST_true(BN_add_word(n, 1)) && TEST_false(rsa_sp800_56b_check_public(key)) && TEST_true(BN_sub_word(n, 1)) /* check fail if n is wrong number of bits */ && TEST_true(BN_lshift1(n, n)) && TEST_false(rsa_sp800_56b_check_public(key)) && TEST_true(BN_rshift1(n, n)) /* test odd exponent fails */ && TEST_true(BN_add_word(e, 1)) && TEST_false(rsa_sp800_56b_check_public(key)) && TEST_true(BN_sub_word(e, 1)) /* modulus fails composite check */ && TEST_true(BN_add_word(n, 2)) && TEST_false(rsa_sp800_56b_check_public(key)); end: RSA_free(key); return ret; }
int DH_check(const DH *dh, int *ret) { /* Check that p is a safe prime and if g is 2, 3 or 5, check that it is a * suitable generator where: * for 2, p mod 24 == 11 * for 3, p mod 12 == 5 * for 5, p mod 10 == 3 or 7 * should hold. */ int ok = 0, r; BN_CTX *ctx = NULL; BN_ULONG l; BIGNUM *t1 = NULL, *t2 = NULL; *ret = 0; ctx = BN_CTX_new(); if (ctx == NULL) { goto err; } BN_CTX_start(ctx); t1 = BN_CTX_get(ctx); if (t1 == NULL) { goto err; } t2 = BN_CTX_get(ctx); if (t2 == NULL) { goto err; } if (dh->q) { if (BN_cmp(dh->g, BN_value_one()) <= 0) { *ret |= DH_CHECK_NOT_SUITABLE_GENERATOR; } else if (BN_cmp(dh->g, dh->p) >= 0) { *ret |= DH_CHECK_NOT_SUITABLE_GENERATOR; } else { /* Check g^q == 1 mod p */ if (!BN_mod_exp(t1, dh->g, dh->q, dh->p, ctx)) { goto err; } if (!BN_is_one(t1)) { *ret |= DH_CHECK_NOT_SUITABLE_GENERATOR; } } r = BN_is_prime_ex(dh->q, BN_prime_checks, ctx, NULL); if (r < 0) { goto err; } if (!r) { *ret |= DH_CHECK_Q_NOT_PRIME; } /* Check p == 1 mod q i.e. q divides p - 1 */ if (!BN_div(t1, t2, dh->p, dh->q, ctx)) { goto err; } if (!BN_is_one(t2)) { *ret |= DH_CHECK_INVALID_Q_VALUE; } if (dh->j && BN_cmp(dh->j, t1)) { *ret |= DH_CHECK_INVALID_J_VALUE; } } else if (BN_is_word(dh->g, DH_GENERATOR_2)) { l = BN_mod_word(dh->p, 24); if (l == (BN_ULONG)-1) { goto err; } if (l != 11) { *ret |= DH_CHECK_NOT_SUITABLE_GENERATOR; } } else if (BN_is_word(dh->g, DH_GENERATOR_5)) { l = BN_mod_word(dh->p, 10); if (l == (BN_ULONG)-1) { goto err; } if (l != 3 && l != 7) { *ret |= DH_CHECK_NOT_SUITABLE_GENERATOR; } } else { *ret |= DH_CHECK_UNABLE_TO_CHECK_GENERATOR; } r = BN_is_prime_ex(dh->p, BN_prime_checks, ctx, NULL); if (r < 0) { goto err; } if (!r) { *ret |= DH_CHECK_P_NOT_PRIME; } else if (!dh->q) { if (!BN_rshift1(t1, dh->p)) { goto err; } r = BN_is_prime_ex(t1, BN_prime_checks, ctx, NULL); if (r < 0) { goto err; } if (!r) { *ret |= DH_CHECK_P_NOT_SAFE_PRIME; } } ok = 1; err: if (ctx != NULL) { BN_CTX_end(ctx); BN_CTX_free(ctx); } return ok; }
BIGNUM *BN_generate_prime(BIGNUM *ret, int bits, int safe, const BIGNUM *add, const BIGNUM *rem, void (*callback)(int,int,void *), void *cb_arg) { BIGNUM *rnd=NULL; BIGNUM t; int found=0; int i,j,c1=0; BN_CTX *ctx; int checks = BN_prime_checks_for_size(bits); ctx=BN_CTX_new(); if (ctx == NULL) goto err; if (ret == NULL) { if ((rnd=BN_new()) == NULL) goto err; } else rnd=ret; BN_init(&t); loop: /* make a random number and set the top and bottom bits */ if (add == NULL) { if (!probable_prime(rnd,bits)) goto err; } else { if (safe) { if (!probable_prime_dh_safe(rnd,bits,add,rem,ctx)) goto err; } else { if (!probable_prime_dh(rnd,bits,add,rem,ctx)) goto err; } } /* if (BN_mod_word(rnd,(BN_ULONG)3) == 1) goto loop; */ if (callback != NULL) callback(0,c1++,cb_arg); if (!safe) { i=BN_is_prime_fasttest(rnd,checks,callback,ctx,cb_arg,0); if (i == -1) goto err; if (i == 0) goto loop; } else { /* for "safe prime" generation, * check that (p-1)/2 is prime. * Since a prime is odd, We just * need to divide by 2 */ if (!BN_rshift1(&t,rnd)) goto err; for (i=0; i<checks; i++) { j=BN_is_prime_fasttest(rnd,1,callback,ctx,cb_arg,0); if (j == -1) goto err; if (j == 0) goto loop; j=BN_is_prime_fasttest(&t,1,callback,ctx,cb_arg,0); if (j == -1) goto err; if (j == 0) goto loop; if (callback != NULL) callback(2,c1-1,cb_arg); /* We have a safe prime test pass */ } } /* we have a prime :-) */ found = 1; err: if (!found && (ret == NULL) && (rnd != NULL)) BN_free(rnd); BN_free(&t); if (ctx != NULL) BN_CTX_free(ctx); return(found ? rnd : NULL); }
int main(int argc, char **argv) { JPAKE_CTX *alice; JPAKE_CTX *bob; BIGNUM *p = NULL; BIGNUM *g = NULL; BIGNUM *q = NULL; BIGNUM *secret = BN_new(); BIO *bio_err; bio_err = BIO_new_fp(stderr, BIO_NOCLOSE); CRYPTO_malloc_debug_init(); CRYPTO_dbg_set_options(V_CRYPTO_MDEBUG_ALL); CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); ERR_load_crypto_strings(); /* BN_hex2bn(&p, "fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f80b6512669455d402251fb593d8d58fabfc5f5ba30f6cb9b556cd7813b801d346ff26660b76b9950a5a49f9fe8047b1022c24fbba9d7feb7c61bf83b57e7c6a8a6150f04fb83f6d3c51ec3023554135a169132f675f3ae2b61d72aeff22203199dd14801c7"); BN_hex2bn(&g, "f7e1a085d69b3ddecbbcab5c36b857b97994afbbfa3aea82f9574c0b3d0782675159578ebad4594fe67107108180b449167123e84c281613b7cf09328cc8a6e13c167a8b547c8d28e0a3ae1e2bb3a675916ea37f0bfa213562f1fb627a01243bcca4f1bea8519089a883dfe15ae59f06928b665e807b552564014c3bfecf492a"); BN_hex2bn(&q, "9760508f15230bccb292b982a2eb840bf0581cf5"); */ /* p = BN_new(); BN_generate_prime(p, 1024, 1, NULL, NULL, NULL, NULL); */ /* Use a safe prime for p (that we found earlier) */ BN_hex2bn(&p, "F9E5B365665EA7A05A9C534502780FEE6F1AB5BD4F49947FD036DBD7E905269AF46EF28B0FC07487EE4F5D20FB3C0AF8E700F3A2FA3414970CBED44FEDFF80CE78D800F184BB82435D137AADA2C6C16523247930A63B85661D1FC817A51ACD96168E95898A1F83A79FFB529368AA7833ABD1B0C3AEDDB14D2E1A2F71D99F763F"); showbn("p", p); g = BN_new(); BN_set_word(g, 2); showbn("g", g); q = BN_new(); BN_rshift1(q, p); showbn("q", q); BN_rand(secret, 32, -1, 0); /* A normal run, expect this to work... */ alice = JPAKE_CTX_new("Alice", "Bob", p, g, q, secret); bob = JPAKE_CTX_new("Bob", "Alice", p, g, q, secret); if(run_jpake(alice, bob) != 0) { fprintf(stderr, "Plain JPAKE run failed\n"); return 1; } JPAKE_CTX_free(bob); JPAKE_CTX_free(alice); /* Now give Alice and Bob different secrets */ alice = JPAKE_CTX_new("Alice", "Bob", p, g, q, secret); BN_add_word(secret, 1); bob = JPAKE_CTX_new("Bob", "Alice", p, g, q, secret); if(run_jpake(alice, bob) != 5) { fprintf(stderr, "Mismatched secret JPAKE run failed\n"); return 1; } JPAKE_CTX_free(bob); JPAKE_CTX_free(alice); BN_free(secret); BN_free(q); BN_free(g); BN_free(p); CRYPTO_cleanup_all_ex_data(); ERR_remove_state(0); ERR_free_strings(); CRYPTO_mem_leaks(bio_err); return 0; }
static void bexp(void) { struct number *a, *p; struct number *r; bool neg; u_int scale; p = pop_number(); if (p == NULL) { return; } a = pop_number(); if (a == NULL) { push_number(p); return; } if (p->scale != 0) warnx("Runtime warning: non-zero scale in exponent"); normalize(p, 0); neg = false; if (BN_cmp(p->number, &zero) < 0) { neg = true; negate(p); scale = bmachine.scale; } else { /* Posix bc says min(a.scale * b, max(a.scale, scale) */ u_long b; u_int m; b = BN_get_word(p->number); m = max(a->scale, bmachine.scale); scale = a->scale * (u_int)b; if (scale > m || (a->scale > 0 && (b == BN_MASK2 || b > UINT_MAX))) scale = m; } if (BN_is_zero(p->number)) { r = new_number(); bn_check(BN_one(r->number)); normalize(r, scale); } else { while (!BN_is_bit_set(p->number, 0)) { bmul_number(a, a, a); bn_check(BN_rshift1(p->number, p->number)); } r = dup_number(a); normalize(r, scale); bn_check(BN_rshift1(p->number, p->number)); while (!BN_is_zero(p->number)) { bmul_number(a, a, a); if (BN_is_bit_set(p->number, 0)) bmul_number(r, r, a); bn_check(BN_rshift1(p->number, p->number)); } if (neg) { BN_CTX *ctx; BIGNUM *one; one = BN_new(); bn_checkp(one); bn_check(BN_one(one)); ctx = BN_CTX_new(); bn_checkp(ctx); scale_number(one, r->scale + scale); normalize(r, scale); bn_check(BN_div(r->number, NULL, one, r->number, ctx)); BN_free(one); BN_CTX_free(ctx); } else normalize(r, scale); } push_number(r); free_number(a); free_number(p); }
BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) /* Returns 'ret' such that * ret^2 == a (mod p), * using the Tonelli/Shanks algorithm (cf. Henri Cohen, "A Course * in Algebraic Computational Number Theory", algorithm 1.5.1). * 'p' must be prime! */ { BIGNUM *ret = in; int err = 1; int r; BIGNUM *A, *b, *q, *t, *x, *y; int e, i, j; if (!BN_is_odd(p) || BN_abs_is_word(p, 1)) { if (BN_abs_is_word(p, 2)) { if (ret == NULL) ret = BN_new(); if (ret == NULL) goto end; if (!BN_set_word(ret, BN_is_bit_set(a, 0))) { if (ret != in) BN_free(ret); return NULL; } bn_check_top(ret); return ret; } BNerr(BN_F_BN_MOD_SQRT, BN_R_P_IS_NOT_PRIME); return(NULL); } if (BN_is_zero(a) || BN_is_one(a)) { if (ret == NULL) ret = BN_new(); if (ret == NULL) goto end; if (!BN_set_word(ret, BN_is_one(a))) { if (ret != in) BN_free(ret); return NULL; } bn_check_top(ret); return ret; } BN_CTX_start(ctx); A = BN_CTX_get(ctx); b = BN_CTX_get(ctx); q = BN_CTX_get(ctx); t = BN_CTX_get(ctx); x = BN_CTX_get(ctx); y = BN_CTX_get(ctx); if (y == NULL) goto end; if (ret == NULL) ret = BN_new(); if (ret == NULL) goto end; /* A = a mod p */ if (!BN_nnmod(A, a, p, ctx)) goto end; /* now write |p| - 1 as 2^e*q where q is odd */ e = 1; while (!BN_is_bit_set(p, e)) e++; /* we'll set q later (if needed) */ if (e == 1) { /* The easy case: (|p|-1)/2 is odd, so 2 has an inverse * modulo (|p|-1)/2, and square roots can be computed * directly by modular exponentiation. * We have * 2 * (|p|+1)/4 == 1 (mod (|p|-1)/2), * so we can use exponent (|p|+1)/4, i.e. (|p|-3)/4 + 1. */ if (!BN_rshift(q, p, 2)) goto end; q->neg = 0; if (!BN_add_word(q, 1)) goto end; if (!BN_mod_exp(ret, A, q, p, ctx)) goto end; err = 0; goto vrfy; } if (e == 2) { /* |p| == 5 (mod 8) * * In this case 2 is always a non-square since * Legendre(2,p) = (-1)^((p^2-1)/8) for any odd prime. * So if a really is a square, then 2*a is a non-square. * Thus for * b := (2*a)^((|p|-5)/8), * i := (2*a)*b^2 * we have * i^2 = (2*a)^((1 + (|p|-5)/4)*2) * = (2*a)^((p-1)/2) * = -1; * so if we set * x := a*b*(i-1), * then * x^2 = a^2 * b^2 * (i^2 - 2*i + 1) * = a^2 * b^2 * (-2*i) * = a*(-i)*(2*a*b^2) * = a*(-i)*i * = a. * * (This is due to A.O.L. Atkin, * <URL: http://listserv.nodak.edu/scripts/wa.exe?A2=ind9211&L=nmbrthry&O=T&P=562>, * November 1992.) */ /* t := 2*a */ if (!BN_mod_lshift1_quick(t, A, p)) goto end; /* b := (2*a)^((|p|-5)/8) */ if (!BN_rshift(q, p, 3)) goto end; q->neg = 0; if (!BN_mod_exp(b, t, q, p, ctx)) goto end; /* y := b^2 */ if (!BN_mod_sqr(y, b, p, ctx)) goto end; /* t := (2*a)*b^2 - 1*/ if (!BN_mod_mul(t, t, y, p, ctx)) goto end; if (!BN_sub_word(t, 1)) goto end; /* x = a*b*t */ if (!BN_mod_mul(x, A, b, p, ctx)) goto end; if (!BN_mod_mul(x, x, t, p, ctx)) goto end; if (!BN_copy(ret, x)) goto end; err = 0; goto vrfy; } /* e > 2, so we really have to use the Tonelli/Shanks algorithm. * First, find some y that is not a square. */ if (!BN_copy(q, p)) goto end; /* use 'q' as temp */ q->neg = 0; i = 2; do { /* For efficiency, try small numbers first; * if this fails, try random numbers. */ if (i < 22) { if (!BN_set_word(y, i)) goto end; } else { if (!BN_pseudo_rand(y, BN_num_bits(p), 0, 0)) goto end; if (BN_ucmp(y, p) >= 0) { if (!(p->neg ? BN_add : BN_sub)(y, y, p)) goto end; } /* now 0 <= y < |p| */ if (BN_is_zero(y)) if (!BN_set_word(y, i)) goto end; } r = BN_kronecker(y, q, ctx); /* here 'q' is |p| */ if (r < -1) goto end; if (r == 0) { /* m divides p */ BNerr(BN_F_BN_MOD_SQRT, BN_R_P_IS_NOT_PRIME); goto end; } } while (r == 1 && ++i < 82); if (r != -1) { /* Many rounds and still no non-square -- this is more likely * a bug than just bad luck. * Even if p is not prime, we should have found some y * such that r == -1. */ BNerr(BN_F_BN_MOD_SQRT, BN_R_TOO_MANY_ITERATIONS); goto end; } /* Here's our actual 'q': */ if (!BN_rshift(q, q, e)) goto end; /* Now that we have some non-square, we can find an element * of order 2^e by computing its q'th power. */ if (!BN_mod_exp(y, y, q, p, ctx)) goto end; if (BN_is_one(y)) { BNerr(BN_F_BN_MOD_SQRT, BN_R_P_IS_NOT_PRIME); goto end; } /* Now we know that (if p is indeed prime) there is an integer * k, 0 <= k < 2^e, such that * * a^q * y^k == 1 (mod p). * * As a^q is a square and y is not, k must be even. * q+1 is even, too, so there is an element * * X := a^((q+1)/2) * y^(k/2), * * and it satisfies * * X^2 = a^q * a * y^k * = a, * * so it is the square root that we are looking for. */ /* t := (q-1)/2 (note that q is odd) */ if (!BN_rshift1(t, q)) goto end; /* x := a^((q-1)/2) */ if (BN_is_zero(t)) /* special case: p = 2^e + 1 */ { if (!BN_nnmod(t, A, p, ctx)) goto end; if (BN_is_zero(t)) { /* special case: a == 0 (mod p) */ BN_zero(ret); err = 0; goto end; } else if (!BN_one(x)) goto end; } else { if (!BN_mod_exp(x, A, t, p, ctx)) goto end; if (BN_is_zero(x)) { /* special case: a == 0 (mod p) */ BN_zero(ret); err = 0; goto end; } } /* b := a*x^2 (= a^q) */ if (!BN_mod_sqr(b, x, p, ctx)) goto end; if (!BN_mod_mul(b, b, A, p, ctx)) goto end; /* x := a*x (= a^((q+1)/2)) */ if (!BN_mod_mul(x, x, A, p, ctx)) goto end; while (1) { /* Now b is a^q * y^k for some even k (0 <= k < 2^E * where E refers to the original value of e, which we * don't keep in a variable), and x is a^((q+1)/2) * y^(k/2). * * We have a*b = x^2, * y^2^(e-1) = -1, * b^2^(e-1) = 1. */ if (BN_is_one(b)) { if (!BN_copy(ret, x)) goto end; err = 0; goto vrfy; } /* find smallest i such that b^(2^i) = 1 */ i = 1; if (!BN_mod_sqr(t, b, p, ctx)) goto end; while (!BN_is_one(t)) { i++; if (i == e) { BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE); goto end; } if (!BN_mod_mul(t, t, t, p, ctx)) goto end; } /* t := y^2^(e - i - 1) */ if (!BN_copy(t, y)) goto end; for (j = e - i - 1; j > 0; j--) { if (!BN_mod_sqr(t, t, p, ctx)) goto end; } if (!BN_mod_mul(y, t, t, p, ctx)) goto end; if (!BN_mod_mul(x, x, t, p, ctx)) goto end; if (!BN_mod_mul(b, b, y, p, ctx)) goto end; e = i; } vrfy: if (!err) { /* verify the result -- the input might have been not a square * (test added in 0.9.8) */ if (!BN_mod_sqr(x, ret, p, ctx)) err = 1; if (!err && 0 != BN_cmp(x, A)) { BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE); err = 1; } } end: if (err) { if (ret != NULL && ret != in) { BN_clear_free(ret); } ret = NULL; } BN_CTX_end(ctx); bn_check_top(ret); return ret; }
int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe, const BIGNUM *add, const BIGNUM *rem, BN_GENCB *cb) { BIGNUM *t; int found=0; int i,j,c1=0; BN_CTX *ctx; int checks = BN_prime_checks_for_size(bits); if (bits < 2) { /* There are no prime numbers this small. */ BNerr(BN_F_BN_GENERATE_PRIME_EX, BN_R_BITS_TOO_SMALL); return 0; } else if (bits == 2 && safe) { /* The smallest safe prime (7) is three bits. */ BNerr(BN_F_BN_GENERATE_PRIME_EX, BN_R_BITS_TOO_SMALL); return 0; } ctx=BN_CTX_new(); if (ctx == NULL) goto err; BN_CTX_start(ctx); t = BN_CTX_get(ctx); if(!t) goto err; loop: /* make a random number and set the top and bottom bits */ if (add == NULL) { if (!probable_prime(ret,bits)) goto err; } else { if (safe) { if (!probable_prime_dh_safe(ret,bits,add,rem,ctx)) goto err; } else { if (!bn_probable_prime_dh(ret,bits,add,rem,ctx)) goto err; } } /* if (BN_mod_word(ret,(BN_ULONG)3) == 1) goto loop; */ if(!BN_GENCB_call(cb, 0, c1++)) /* aborted */ goto err; if (!safe) { i=BN_is_prime_fasttest_ex(ret,checks,ctx,0,cb); if (i == -1) goto err; if (i == 0) goto loop; } else { /* for "safe prime" generation, * check that (p-1)/2 is prime. * Since a prime is odd, We just * need to divide by 2 */ if (!BN_rshift1(t,ret)) goto err; for (i=0; i<checks; i++) { j=BN_is_prime_fasttest_ex(ret,1,ctx,0,cb); if (j == -1) goto err; if (j == 0) goto loop; j=BN_is_prime_fasttest_ex(t,1,ctx,0,cb); if (j == -1) goto err; if (j == 0) goto loop; if(!BN_GENCB_call(cb, 2, c1-1)) goto err; /* We have a safe prime test pass */ } } /* we have a prime :-) */ found = 1; err: if (ctx != NULL) { BN_CTX_end(ctx); BN_CTX_free(ctx); } bn_check_top(ret); return found; }
static int probable_prime_dh_safe(BIGNUM *p, int bits, const BIGNUM *padd, const BIGNUM *rem, BN_CTX *ctx) { int i, ret = 0; BIGNUM *t1, *qadd, *q; bits--; BN_CTX_start(ctx); t1 = BN_CTX_get(ctx); q = BN_CTX_get(ctx); qadd = BN_CTX_get(ctx); if (qadd == NULL) { goto err; } if (!BN_rshift1(qadd, padd)) { goto err; } if (!BN_rand(q, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD)) { goto err; } /* we need ((rnd-rem) % add) == 0 */ if (!BN_mod(t1, q, qadd, ctx)) { goto err; } if (!BN_sub(q, q, t1)) { goto err; } if (rem == NULL) { if (!BN_add_word(q, 1)) { goto err; } } else { if (!BN_rshift1(t1, rem)) { goto err; } if (!BN_add(q, q, t1)) { goto err; } } /* we now have a random number 'rand' to test. */ if (!BN_lshift1(p, q)) { goto err; } if (!BN_add_word(p, 1)) { goto err; } loop: for (i = 1; i < NUMPRIMES; i++) { /* check that p and q are prime */ /* check that for p and q * gcd(p-1,primes) == 1 (except for 2) */ BN_ULONG pmod = BN_mod_word(p, (BN_ULONG)primes[i]); BN_ULONG qmod = BN_mod_word(q, (BN_ULONG)primes[i]); if (pmod == (BN_ULONG)-1 || qmod == (BN_ULONG)-1) { goto err; } if (pmod == 0 || qmod == 0) { if (!BN_add(p, p, padd)) { goto err; } if (!BN_add(q, q, qadd)) { goto err; } goto loop; } } ret = 1; err: BN_CTX_end(ctx); return ret; }
static void bexp(void) { struct number *a, *p; struct number *r; bool neg; u_int rscale; p = pop_number(); if (p == NULL) return; a = pop_number(); if (a == NULL) { push_number(p); return; } if (p->scale != 0) { BIGNUM *i, *f; i = BN_new(); bn_checkp(i); f = BN_new(); bn_checkp(f); split_number(p, i, f); if (!BN_is_zero(f)) warnx("Runtime warning: non-zero fractional part in exponent"); BN_free(i); BN_free(f); } normalize(p, 0); neg = false; if (BN_is_negative(p->number)) { neg = true; negate(p); rscale = bmachine.scale; } else { /* Posix bc says min(a.scale * b, max(a.scale, scale) */ u_long b; u_int m; b = BN_get_word(p->number); m = max(a->scale, bmachine.scale); rscale = a->scale * (u_int)b; if (rscale > m || (a->scale > 0 && (b == ULONG_MAX || b > UINT_MAX))) rscale = m; } if (BN_is_zero(p->number)) { r = new_number(); bn_check(BN_one(r->number)); normalize(r, rscale); } else { u_int ascale, mscale; ascale = a->scale; while (!BN_is_bit_set(p->number, 0)) { ascale *= 2; bmul_number(a, a, a, ascale); bn_check(BN_rshift1(p->number, p->number)); } r = dup_number(a); bn_check(BN_rshift1(p->number, p->number)); mscale = ascale; while (!BN_is_zero(p->number)) { ascale *= 2; bmul_number(a, a, a, ascale); if (BN_is_bit_set(p->number, 0)) { mscale += ascale; bmul_number(r, r, a, mscale); } bn_check(BN_rshift1(p->number, p->number)); } if (neg) { BN_CTX *ctx; BIGNUM *one; one = BN_new(); bn_checkp(one); bn_check(BN_one(one)); ctx = BN_CTX_new(); bn_checkp(ctx); scale_number(one, r->scale + rscale); if (BN_is_zero(r->number)) warnx("divide by zero"); else bn_check(BN_div(r->number, NULL, one, r->number, ctx)); BN_free(one); BN_CTX_free(ctx); r->scale = rscale; } else normalize(r, rscale); } push_number(r); free_number(a); free_number(p); }
int ec_GFp_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx) { int (*field_mul) (const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *); int (*field_sqr) (const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *); const BIGNUM *p; BN_CTX *new_ctx = NULL; BIGNUM *n0, *n1, *n2, *n3, *n4, *n5, *n6; int ret = 0; if (a == b) return EC_POINT_dbl(group, r, a, ctx); if (EC_POINT_is_at_infinity(group, a)) return EC_POINT_copy(r, b); if (EC_POINT_is_at_infinity(group, b)) return EC_POINT_copy(r, a); field_mul = group->meth->field_mul; field_sqr = group->meth->field_sqr; p = group->field; if (ctx == NULL) { ctx = new_ctx = BN_CTX_new(); if (ctx == NULL) return 0; } BN_CTX_start(ctx); n0 = BN_CTX_get(ctx); n1 = BN_CTX_get(ctx); n2 = BN_CTX_get(ctx); n3 = BN_CTX_get(ctx); n4 = BN_CTX_get(ctx); n5 = BN_CTX_get(ctx); n6 = BN_CTX_get(ctx); if (n6 == NULL) goto end; /* * Note that in this function we must not read components of 'a' or 'b' * once we have written the corresponding components of 'r'. ('r' might * be one of 'a' or 'b'.) */ /* n1, n2 */ if (b->Z_is_one) { if (!BN_copy(n1, a->X)) goto end; if (!BN_copy(n2, a->Y)) goto end; /* n1 = X_a */ /* n2 = Y_a */ } else { if (!field_sqr(group, n0, b->Z, ctx)) goto end; if (!field_mul(group, n1, a->X, n0, ctx)) goto end; /* n1 = X_a * Z_b^2 */ if (!field_mul(group, n0, n0, b->Z, ctx)) goto end; if (!field_mul(group, n2, a->Y, n0, ctx)) goto end; /* n2 = Y_a * Z_b^3 */ } /* n3, n4 */ if (a->Z_is_one) { if (!BN_copy(n3, b->X)) goto end; if (!BN_copy(n4, b->Y)) goto end; /* n3 = X_b */ /* n4 = Y_b */ } else { if (!field_sqr(group, n0, a->Z, ctx)) goto end; if (!field_mul(group, n3, b->X, n0, ctx)) goto end; /* n3 = X_b * Z_a^2 */ if (!field_mul(group, n0, n0, a->Z, ctx)) goto end; if (!field_mul(group, n4, b->Y, n0, ctx)) goto end; /* n4 = Y_b * Z_a^3 */ } /* n5, n6 */ if (!BN_mod_sub_quick(n5, n1, n3, p)) goto end; if (!BN_mod_sub_quick(n6, n2, n4, p)) goto end; /* n5 = n1 - n3 */ /* n6 = n2 - n4 */ if (BN_is_zero(n5)) { if (BN_is_zero(n6)) { /* a is the same point as b */ BN_CTX_end(ctx); ret = EC_POINT_dbl(group, r, a, ctx); ctx = NULL; goto end; } else { /* a is the inverse of b */ BN_zero(r->Z); r->Z_is_one = 0; ret = 1; goto end; } } /* 'n7', 'n8' */ if (!BN_mod_add_quick(n1, n1, n3, p)) goto end; if (!BN_mod_add_quick(n2, n2, n4, p)) goto end; /* 'n7' = n1 + n3 */ /* 'n8' = n2 + n4 */ /* Z_r */ if (a->Z_is_one && b->Z_is_one) { if (!BN_copy(r->Z, n5)) goto end; } else { if (a->Z_is_one) { if (!BN_copy(n0, b->Z)) goto end; } else if (b->Z_is_one) { if (!BN_copy(n0, a->Z)) goto end; } else { if (!field_mul(group, n0, a->Z, b->Z, ctx)) goto end; } if (!field_mul(group, r->Z, n0, n5, ctx)) goto end; } r->Z_is_one = 0; /* Z_r = Z_a * Z_b * n5 */ /* X_r */ if (!field_sqr(group, n0, n6, ctx)) goto end; if (!field_sqr(group, n4, n5, ctx)) goto end; if (!field_mul(group, n3, n1, n4, ctx)) goto end; if (!BN_mod_sub_quick(r->X, n0, n3, p)) goto end; /* X_r = n6^2 - n5^2 * 'n7' */ /* 'n9' */ if (!BN_mod_lshift1_quick(n0, r->X, p)) goto end; if (!BN_mod_sub_quick(n0, n3, n0, p)) goto end; /* n9 = n5^2 * 'n7' - 2 * X_r */ /* Y_r */ if (!field_mul(group, n0, n0, n6, ctx)) goto end; if (!field_mul(group, n5, n4, n5, ctx)) goto end; /* now n5 is n5^3 */ if (!field_mul(group, n1, n2, n5, ctx)) goto end; if (!BN_mod_sub_quick(n0, n0, n1, p)) goto end; if (BN_is_odd(n0)) if (!BN_add(n0, n0, p)) goto end; /* now 0 <= n0 < 2*p, and n0 is even */ if (!BN_rshift1(r->Y, n0)) goto end; /* Y_r = (n6 * 'n9' - 'n8' * 'n5^3') / 2 */ ret = 1; end: if (ctx) /* otherwise we already called BN_CTX_end */ BN_CTX_end(ctx); BN_CTX_free(new_ctx); return ret; }
int RSA_recover_crt_params(RSA *rsa) { BN_CTX *ctx; BIGNUM *totient, *rem, *multiple, *p_plus_q, *p_minus_q; int ok = 0; if (rsa->n == NULL || rsa->e == NULL || rsa->d == NULL) { OPENSSL_PUT_ERROR(RSA, RSA_recover_crt_params, RSA_R_EMPTY_PUBLIC_KEY); return 0; } if (rsa->p || rsa->q || rsa->dmp1 || rsa->dmq1 || rsa->iqmp) { OPENSSL_PUT_ERROR(RSA, RSA_recover_crt_params, RSA_R_CRT_PARAMS_ALREADY_GIVEN); return 0; } /* This uses the algorithm from section 9B of the RSA paper: * http://people.csail.mit.edu/rivest/Rsapaper.pdf */ ctx = BN_CTX_new(); if (ctx == NULL) { OPENSSL_PUT_ERROR(RSA, RSA_recover_crt_params, ERR_R_MALLOC_FAILURE); return 0; } BN_CTX_start(ctx); totient = BN_CTX_get(ctx); rem = BN_CTX_get(ctx); multiple = BN_CTX_get(ctx); p_plus_q = BN_CTX_get(ctx); p_minus_q = BN_CTX_get(ctx); if (totient == NULL || rem == NULL || multiple == NULL || p_plus_q == NULL || p_minus_q == NULL) { OPENSSL_PUT_ERROR(RSA, RSA_recover_crt_params, ERR_R_MALLOC_FAILURE); goto err; } /* ed-1 is a small multiple of φ(n). */ if (!BN_mul(totient, rsa->e, rsa->d, ctx) || !BN_sub_word(totient, 1) || /* φ(n) = * pq - p - q + 1 = * n - (p + q) + 1 * * Thus n is a reasonable estimate for φ(n). So, (ed-1)/n will be very * close. But, when we calculate the quotient, we'll be truncating it * because we discard the remainder. Thus (ed-1)/multiple will be >= n, * which the totient cannot be. So we add one to the estimate. * * Consider ed-1 as: * * multiple * (n - (p+q) + 1) = * multiple*n - multiple*(p+q) + multiple * * When we divide by n, the first term becomes multiple and, since * multiple and p+q is tiny compared to n, the second and third terms can * be ignored. Thus I claim that subtracting one from the estimate is * sufficient. */ !BN_div(multiple, NULL, totient, rsa->n, ctx) || !BN_add_word(multiple, 1) || !BN_div(totient, rem, totient, multiple, ctx)) { OPENSSL_PUT_ERROR(RSA, RSA_recover_crt_params, ERR_R_BN_LIB); goto err; } if (!BN_is_zero(rem)) { OPENSSL_PUT_ERROR(RSA, RSA_recover_crt_params, RSA_R_BAD_RSA_PARAMETERS); goto err; } rsa->p = BN_new(); rsa->q = BN_new(); rsa->dmp1 = BN_new(); rsa->dmq1 = BN_new(); rsa->iqmp = BN_new(); if (rsa->p == NULL || rsa->q == NULL || rsa->dmp1 == NULL || rsa->dmq1 == NULL || rsa->iqmp == NULL) { OPENSSL_PUT_ERROR(RSA, RSA_recover_crt_params, ERR_R_MALLOC_FAILURE); goto err; } /* φ(n) = n - (p + q) + 1 => * n - totient + 1 = p + q */ if (!BN_sub(p_plus_q, rsa->n, totient) || !BN_add_word(p_plus_q, 1) || /* p - q = sqrt((p+q)^2 - 4n) */ !BN_sqr(rem, p_plus_q, ctx) || !BN_lshift(multiple, rsa->n, 2) || !BN_sub(rem, rem, multiple) || !BN_sqrt(p_minus_q, rem, ctx) || /* q is 1/2 (p+q)-(p-q) */ !BN_sub(rsa->q, p_plus_q, p_minus_q) || !BN_rshift1(rsa->q, rsa->q) || !BN_div(rsa->p, NULL, rsa->n, rsa->q, ctx) || !BN_mul(multiple, rsa->p, rsa->q, ctx)) { OPENSSL_PUT_ERROR(RSA, RSA_recover_crt_params, ERR_R_BN_LIB); goto err; } if (BN_cmp(multiple, rsa->n) != 0) { OPENSSL_PUT_ERROR(RSA, RSA_recover_crt_params, RSA_R_INTERNAL_ERROR); goto err; } if (!BN_sub(rem, rsa->p, BN_value_one()) || !BN_mod(rsa->dmp1, rsa->d, rem, ctx) || !BN_sub(rem, rsa->q, BN_value_one()) || !BN_mod(rsa->dmq1, rsa->d, rem, ctx) || !BN_mod_inverse(rsa->iqmp, rsa->q, rsa->p, ctx)) { OPENSSL_PUT_ERROR(RSA, RSA_recover_crt_params, ERR_R_BN_LIB); goto err; } ok = 1; err: BN_CTX_end(ctx); BN_CTX_free(ctx); if (!ok) { bn_free_and_null(&rsa->p); bn_free_and_null(&rsa->q); bn_free_and_null(&rsa->dmp1); bn_free_and_null(&rsa->dmq1); bn_free_and_null(&rsa->iqmp); } return ok; }
BIGNUM *BN_mod_inverse(BIGNUM *in, const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx) { BIGNUM *A,*B,*X,*Y,*M,*D,*T,*R=NULL; BIGNUM *ret=NULL; int sign; if ((BN_get_flags(a, BN_FLG_CONSTTIME) != 0) || (BN_get_flags(n, BN_FLG_CONSTTIME) != 0)) { return BN_mod_inverse_no_branch(in, a, n, ctx); } bn_check_top(a); bn_check_top(n); BN_CTX_start(ctx); A = BN_CTX_get(ctx); B = BN_CTX_get(ctx); X = BN_CTX_get(ctx); D = BN_CTX_get(ctx); M = BN_CTX_get(ctx); Y = BN_CTX_get(ctx); T = BN_CTX_get(ctx); if (T == NULL) goto err; if (in == NULL) R=BN_new(); else R=in; if (R == NULL) goto err; BN_one(X); BN_zero(Y); if (BN_copy(B,a) == NULL) goto err; if (BN_copy(A,n) == NULL) goto err; A->neg = 0; if (B->neg || (BN_ucmp(B, A) >= 0)) { if (!BN_nnmod(B, B, A, ctx)) goto err; } sign = -1; /* From B = a mod |n|, A = |n| it follows that * * 0 <= B < A, * -sign*X*a == B (mod |n|), * sign*Y*a == A (mod |n|). */ if (BN_is_odd(n) && (BN_num_bits(n) <= (BN_BITS <= 32 ? 450 : 2048))) { /* Binary inversion algorithm; requires odd modulus. * This is faster than the general algorithm if the modulus * is sufficiently small (about 400 .. 500 bits on 32-bit * sytems, but much more on 64-bit systems) */ int shift; while (!BN_is_zero(B)) { /* * 0 < B < |n|, * 0 < A <= |n|, * (1) -sign*X*a == B (mod |n|), * (2) sign*Y*a == A (mod |n|) */ /* Now divide B by the maximum possible power of two in the integers, * and divide X by the same value mod |n|. * When we're done, (1) still holds. */ shift = 0; while (!BN_is_bit_set(B, shift)) /* note that 0 < B */ { shift++; if (BN_is_odd(X)) { if (!BN_uadd(X, X, n)) goto err; } /* now X is even, so we can easily divide it by two */ if (!BN_rshift1(X, X)) goto err; } if (shift > 0) { if (!BN_rshift(B, B, shift)) goto err; } /* Same for A and Y. Afterwards, (2) still holds. */ shift = 0; while (!BN_is_bit_set(A, shift)) /* note that 0 < A */ { shift++; if (BN_is_odd(Y)) { if (!BN_uadd(Y, Y, n)) goto err; } /* now Y is even */ if (!BN_rshift1(Y, Y)) goto err; } if (shift > 0) { if (!BN_rshift(A, A, shift)) goto err; } /* We still have (1) and (2). * Both A and B are odd. * The following computations ensure that * * 0 <= B < |n|, * 0 < A < |n|, * (1) -sign*X*a == B (mod |n|), * (2) sign*Y*a == A (mod |n|), * * and that either A or B is even in the next iteration. */ if (BN_ucmp(B, A) >= 0) { /* -sign*(X + Y)*a == B - A (mod |n|) */ if (!BN_uadd(X, X, Y)) goto err; /* NB: we could use BN_mod_add_quick(X, X, Y, n), but that * actually makes the algorithm slower */ if (!BN_usub(B, B, A)) goto err; } else { /* sign*(X + Y)*a == A - B (mod |n|) */ if (!BN_uadd(Y, Y, X)) goto err; /* as above, BN_mod_add_quick(Y, Y, X, n) would slow things down */ if (!BN_usub(A, A, B)) goto err; } } } else { /* general inversion algorithm */ while (!BN_is_zero(B)) { BIGNUM *tmp; /* * 0 < B < A, * (*) -sign*X*a == B (mod |n|), * sign*Y*a == A (mod |n|) */ /* (D, M) := (A/B, A%B) ... */ if (BN_num_bits(A) == BN_num_bits(B)) { if (!BN_one(D)) goto err; if (!BN_sub(M,A,B)) goto err; } else if (BN_num_bits(A) == BN_num_bits(B) + 1) { /* A/B is 1, 2, or 3 */ if (!BN_lshift1(T,B)) goto err; if (BN_ucmp(A,T) < 0) { /* A < 2*B, so D=1 */ if (!BN_one(D)) goto err; if (!BN_sub(M,A,B)) goto err; } else { /* A >= 2*B, so D=2 or D=3 */ if (!BN_sub(M,A,T)) goto err; if (!BN_add(D,T,B)) goto err; /* use D (:= 3*B) as temp */ if (BN_ucmp(A,D) < 0) { /* A < 3*B, so D=2 */ if (!BN_set_word(D,2)) goto err; /* M (= A - 2*B) already has the correct value */ } else { /* only D=3 remains */ if (!BN_set_word(D,3)) goto err; /* currently M = A - 2*B, but we need M = A - 3*B */ if (!BN_sub(M,M,B)) goto err; } } } else { if (!BN_div(D,M,A,B,ctx)) goto err; } /* Now * A = D*B + M; * thus we have * (**) sign*Y*a == D*B + M (mod |n|). */ tmp=A; /* keep the BIGNUM object, the value does not matter */ /* (A, B) := (B, A mod B) ... */ A=B; B=M; /* ... so we have 0 <= B < A again */ /* Since the former M is now B and the former B is now A, * (**) translates into * sign*Y*a == D*A + B (mod |n|), * i.e. * sign*Y*a - D*A == B (mod |n|). * Similarly, (*) translates into * -sign*X*a == A (mod |n|). * * Thus, * sign*Y*a + D*sign*X*a == B (mod |n|), * i.e. * sign*(Y + D*X)*a == B (mod |n|). * * So if we set (X, Y, sign) := (Y + D*X, X, -sign), we arrive back at * -sign*X*a == B (mod |n|), * sign*Y*a == A (mod |n|). * Note that X and Y stay non-negative all the time. */ /* most of the time D is very small, so we can optimize tmp := D*X+Y */ if (BN_is_one(D)) { if (!BN_add(tmp,X,Y)) goto err; } else { if (BN_is_word(D,2)) { if (!BN_lshift1(tmp,X)) goto err; } else if (BN_is_word(D,4)) { if (!BN_lshift(tmp,X,2)) goto err; } else if (D->top == 1) { if (!BN_copy(tmp,X)) goto err; if (!BN_mul_word(tmp,D->d[0])) goto err; } else { if (!BN_mul(tmp,D,X,ctx)) goto err; } if (!BN_add(tmp,tmp,Y)) goto err; } M=Y; /* keep the BIGNUM object, the value does not matter */ Y=X; X=tmp; sign = -sign; } } /* * The while loop (Euclid's algorithm) ends when * A == gcd(a,n); * we have * sign*Y*a == A (mod |n|), * where Y is non-negative. */ if (sign < 0) { if (!BN_sub(Y,n,Y)) goto err; } /* Now Y*a == A (mod |n|). */ if (BN_is_one(A)) { /* Y*a == 1 (mod |n|) */ if (!Y->neg && BN_ucmp(Y,n) < 0) { if (!BN_copy(R,Y)) goto err; } else { if (!BN_nnmod(R,Y,n,ctx)) goto err; } } else { BNerr(BN_F_BN_MOD_INVERSE,BN_R_NO_INVERSE); goto err; } ret=R; err: if ((ret == NULL) && (in == NULL)) BN_free(R); BN_CTX_end(ctx); bn_check_top(ret); return(ret); }
int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe, const BIGNUM *add, const BIGNUM *rem, BN_GENCB *cb) { BIGNUM *t; int found = 0; int i, j, c1 = 0; BN_CTX *ctx; int checks = BN_prime_checks_for_size(bits); if (bits < 2) { /* There are no prime numbers this small. */ OPENSSL_PUT_ERROR(BN, BN_R_BITS_TOO_SMALL); return 0; } else if (bits == 2 && safe) { /* The smallest safe prime (7) is three bits. */ OPENSSL_PUT_ERROR(BN, BN_R_BITS_TOO_SMALL); return 0; } ctx = BN_CTX_new(); if (ctx == NULL) { goto err; } BN_CTX_start(ctx); t = BN_CTX_get(ctx); if (!t) { goto err; } loop: /* make a random number and set the top and bottom bits */ if (add == NULL) { if (!probable_prime(ret, bits)) { goto err; } } else { if (safe) { if (!probable_prime_dh_safe(ret, bits, add, rem, ctx)) { goto err; } } else { if (!probable_prime_dh(ret, bits, add, rem, ctx)) { goto err; } } } if (!BN_GENCB_call(cb, BN_GENCB_GENERATED, c1++)) { /* aborted */ goto err; } if (!safe) { i = BN_is_prime_fasttest_ex(ret, checks, ctx, 0, cb); if (i == -1) { goto err; } else if (i == 0) { goto loop; } } else { /* for "safe prime" generation, check that (p-1)/2 is prime. Since a prime * is odd, We just need to divide by 2 */ if (!BN_rshift1(t, ret)) { goto err; } for (i = 0; i < checks; i++) { j = BN_is_prime_fasttest_ex(ret, 1, ctx, 0, NULL); if (j == -1) { goto err; } else if (j == 0) { goto loop; } j = BN_is_prime_fasttest_ex(t, 1, ctx, 0, NULL); if (j == -1) { goto err; } else if (j == 0) { goto loop; } if (!BN_GENCB_call(cb, i, c1 - 1)) { goto err; } /* We have a safe prime test pass */ } } /* we have a prime :-) */ found = 1; err: if (ctx != NULL) { BN_CTX_end(ctx); BN_CTX_free(ctx); } return found; }