int add_points_up(EC_GROUP *curveGroup, EC_POINT *resR[], EC_POINT *resS[], EC_POINT *src1R[], EC_POINT *src1S[],
EC_POINT *src2R[], EC_POINT *src2S[], int numPoints) {
int ind;
BN_CTX *ctx = BN_CTX_new();
for (ind = 0; ind < numPoints; ind++) {
EC_POINT_add(curveGroup, resR[ind], src1R[ind], src2R[ind], ctx);
EC_POINT_add(curveGroup, resS[ind], src1S[ind], src2S[ind], ctx);
}
BN_CTX_free(ctx);
}
pseudonym *polypseud_randomize(const polypseud_ctx *ctx, pseudonym *pseud) {
BIGNUM *l = BN_new();
if(BN_rand_range(l, ctx->p) == 0)
return NULL;
EC_POINT *t = EC_POINT_new(ctx->ec_group);
EC_POINT_mul(ctx->ec_group, t, NULL, ctx->g, l, ctx->bn_ctx);
EC_POINT_add(ctx->ec_group, pseud->a, pseud->a, t, ctx->bn_ctx);
EC_POINT_mul(ctx->ec_group, t, NULL, pseud->c, l, ctx->bn_ctx);
EC_POINT_add(ctx->ec_group, pseud->b, pseud->b, t, ctx->bn_ctx);
EC_POINT_free(t);
return pseud;
}
void
vg_exec_context_calc_address(vg_exec_context_t *vxcp)
{
EC_POINT *pubkey;
const EC_GROUP *pgroup;
unsigned char eckey_buf[96], hash1[32], hash2[20];
int len;
vg_exec_context_consolidate_key(vxcp);
pgroup = EC_KEY_get0_group(vxcp->vxc_key);
pubkey = EC_POINT_new(pgroup);
EC_POINT_copy(pubkey, EC_KEY_get0_public_key(vxcp->vxc_key));
if (vxcp->vxc_vc->vc_pubkey_base) {
EC_POINT_add(pgroup,
pubkey,
pubkey,
vxcp->vxc_vc->vc_pubkey_base,
vxcp->vxc_bnctx);
}
len = EC_POINT_point2oct(pgroup,
pubkey,
POINT_CONVERSION_UNCOMPRESSED,
eckey_buf,
sizeof(eckey_buf),
vxcp->vxc_bnctx);
SHA256(eckey_buf, len, hash1);
RIPEMD160(hash1, sizeof(hash1), hash2);
memcpy(&vxcp->vxc_binres[1],
hash2, 20);
EC_POINT_free(pubkey);
}
// BCPKI
CKey CKey::GetDerivedKey(std::vector<unsigned char> ticket) const
{
BIGNUM *bn = BN_bin2bn(&ticket[0],ticket.size(),BN_new());
BN_CTX *ctx = NULL;
if ((ctx = BN_CTX_new()) == NULL)
throw key_error("CKey::DeriveKey() : BN_CTX_new failed");
CKey key;
if (HasPrivKey())
{ // privkey = privkey + ticket
// snippet from ECDSA_SIG_recover_key_GFp
// TODO check this again
BIGNUM *order = NULL;
if ((order = BN_new()) == NULL)
throw key_error("CKey::DeriveKey() : BN_new failed");
// BN_CTX_start(ctx);
//order = BN_CTX_get(ctx);
if (!EC_GROUP_get_order(EC_KEY_get0_group(pkey), order, ctx))
throw key_error("CKey::DeriveKey() : EC_GROUP_get_order failed");
if (!BN_mod_add(bn, bn, EC_KEY_get0_private_key(pkey), order, ctx))
throw key_error("CKey::DeriveKey() : BN_mod_add failed");
if (!EC_KEY_regenerate_key(key.pkey,bn)) // sets private AND public key
throw key_error("CKey::DeriveKey() : EC_KEY_regenerate_key failed");
// if (!EC_KEY_set_private_key(key.pkey, bn))
// throw key_error("CKey::DeriveKey() : EC_KEY_set_private_key failed");
if (!EC_KEY_check_key(key.pkey))
throw key_error("CKey::DeriveKey() : EC_KEY_check_key failed");
}
else
{ // add to pub key
// begin snippet from EC_KEY_regenerate_key
EC_POINT *pub_key = NULL;
const EC_GROUP *group = EC_KEY_get0_group(pkey);
pub_key = EC_POINT_new(group);
if (pub_key == NULL)
throw key_error("CKey::DeriveKey() : EC_POINT_new failed");
if (!EC_POINT_mul(group, pub_key, bn, NULL, NULL, ctx))
throw key_error("CKey::DeriveKey() : EC_POINT_mul failed");
// end snippet from EC_KEY_regenerate_key
// now pub_key = ticket * basepoint
//const EC_POINT *EC_KEY_get0_public_key(const EC_KEY *);
//int EC_POINT_add(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, const EC_POINT *b, BN_CTX *);
if (!EC_POINT_add(group, pub_key, pub_key, EC_KEY_get0_public_key(pkey), ctx))
throw key_error("CKey::DeriveKey() : EC_POINT_add failed");
//int EC_KEY_set_public_key(EC_KEY *, const EC_POINT *);
if (!EC_KEY_set_public_key(key.pkey, pub_key))
throw key_error("CKey::DeriveKey() : EC_KEY_set_public_key failed");
};
key.fSet = true;
key.SetCompressedPubKey();
return key;
};
int xy_ecpoint_add_xy_ecpoint(xy_ecpoint *result, xy_ecpoint *a, xy_ecpoint *b
, ec_param *ecp)
{
EC_POINT_add(ecp->group, (result)->ec_point, a->ec_point, b->ec_point, ecp->ctx);
ecp->EC_POINT_get_affine_coordinates(ecp->group, (result)->ec_point
, (result)->x, (result)->y
, ecp->ctx);
return SUCCESS;
}
void add_to (EC_GROUP const* group,
ec_point const& a,
ec_point& b,
bn_ctx& ctx)
{
if (!EC_POINT_add (group, b.get(), a.get(), b.get(), ctx.get()))
{
throw std::runtime_error ("EC_POINT_add() failed");
}
}
// public_key public_key::mult( const fc::sha256& digest ) const
// {
// // get point from this public key
// const EC_POINT* master_pub = EC_KEY_get0_public_key( my->_key );
// ec_group group(EC_GROUP_new_by_curve_name(NID_secp256k1));
//
// ssl_bignum z;
// BN_bin2bn((unsigned char*)&digest, sizeof(digest), z);
//
// // multiply by digest
// ssl_bignum one;
// BN_one(one);
// bn_ctx ctx(BN_CTX_new());
//
// ec_point result(EC_POINT_new(group));
// EC_POINT_mul(group, result, z, master_pub, one, ctx);
//
// public_key rtn;
// rtn.my->_key = EC_KEY_new_by_curve_name( NID_secp256k1 );
// EC_KEY_set_public_key(rtn.my->_key,result);
//
// return rtn;
// }
public_key public_key::add( const fc::sha256& digest )const
{
try {
ec_group group(EC_GROUP_new_by_curve_name(NID_secp256k1));
bn_ctx ctx(BN_CTX_new());
fc::bigint digest_bi( (char*)&digest, sizeof(digest) );
ssl_bignum order;
EC_GROUP_get_order(group, order, ctx);
if( digest_bi > fc::bigint(order) )
{
FC_THROW_EXCEPTION( exception, "digest > group order" );
}
public_key digest_key = private_key::regenerate(digest).get_public_key();
const EC_POINT* digest_point = EC_KEY_get0_public_key( digest_key.my->_key );
// get point from this public key
const EC_POINT* master_pub = EC_KEY_get0_public_key( my->_key );
// ssl_bignum z;
// BN_bin2bn((unsigned char*)&digest, sizeof(digest), z);
// multiply by digest
// ssl_bignum one;
// BN_one(one);
ec_point result(EC_POINT_new(group));
EC_POINT_add(group, result, digest_point, master_pub, ctx);
if (EC_POINT_is_at_infinity(group, result))
{
FC_THROW_EXCEPTION( exception, "point at infinity" );
}
public_key rtn;
rtn.my->_key = EC_KEY_new_by_curve_name( NID_secp256k1 );
EC_KEY_set_public_key(rtn.my->_key,result);
return rtn;
} FC_RETHROW_EXCEPTIONS( debug, "digest: ${digest}", ("digest",digest) );
}
int main(int argc, char **argv)
{
unsigned char ecprot[128];
unsigned char pbuf[1024];
EC_KEY *pkey;
EC_POINT *ptnew, *ptmpk, *ptz;
BIGNUM z;
unsigned char *pend = (unsigned char *) pbuf, *px;
unsigned char hash1[32], hashz[32];
int n, zlen;
if(argc < 3) {
printf("Usage: %s <mpk> <seq>\n", argv[0]);
exit(1);
}
OpenSSL_add_all_algorithms();
strcpy(pbuf, argv[2]);
strcat(pbuf, ":0:");
zlen = strlen(pbuf);
px = pbuf + zlen;
for(n=0; n < 64; n++)
px[n] = hex(argv[1][n*2])*16 + hex(argv[1][n*2+1]);
SHA256(pbuf, zlen+64, hash1);
SHA256(hash1, sizeof(hash1), hashz);
BN_init(&z);
BN_bin2bn(hashz, 32, &z);
pkey = EC_KEY_new_by_curve_name(NID_secp256k1);
ptmpk = EC_POINT_new(EC_KEY_get0_group(pkey));
pbuf[zlen-1] = 0x04;
EC_POINT_oct2point(EC_KEY_get0_group(pkey), ptmpk, pbuf+zlen-1, 65, NULL);
ptz = EC_POINT_new(EC_KEY_get0_group(pkey));
EC_POINT_mul(EC_KEY_get0_group(pkey), ptz, NULL, EC_GROUP_get0_generator(EC_KEY_get0_group(pkey)), &z, NULL);
ptnew = EC_POINT_new(EC_KEY_get0_group(pkey));
EC_POINT_add(EC_KEY_get0_group(pkey), ptnew, ptmpk, ptz, NULL);
EC_KEY_set_public_key(pkey, ptnew);
i2o_ECPublicKey(pkey, &pend);
b58encode_address(EC_KEY_get0_public_key(pkey), EC_KEY_get0_group(pkey), 0, ecprot);
printf("%s\n", ecprot);
}
pseudonym *polypseud_encrypt(const polypseud_ctx *ctx, EC_POINT *yK, const char *uid) {
BIGNUM *k = BN_new();
if(BN_rand_range(k, ctx->p) == 0)
return NULL;
EC_POINT *point = embed(ctx, (unsigned char*)uid, strlen(uid));
pseudonym *pseud = (pseudonym*)malloc(sizeof(pseudonym));
pseud->a = EC_POINT_new(ctx->ec_group);
pseud->b = EC_POINT_new(ctx->ec_group);
pseud->c = EC_POINT_dup(yK, ctx->ec_group);
EC_POINT_mul(ctx->ec_group, pseud->a, NULL, ctx->g, k, ctx->bn_ctx);
EC_POINT_mul(ctx->ec_group, pseud->b, NULL, yK, k, ctx->bn_ctx);
EC_POINT_add(ctx->ec_group, pseud->b, pseud->b, point, ctx->bn_ctx);
EC_POINT_free(point);
BN_free(k);
return pseud;
}
size_t polypseud_decrypt(const polypseud_ctx *ctx, pseudonym *ep, const BIGNUM *privkey, const BIGNUM *closingkey, unsigned char **pp) {
if(EC_POINT_mul(ctx->ec_group, ep->a, NULL, ep->a, privkey, ctx->bn_ctx) == 0)
return 0;
if(EC_POINT_invert(ctx->ec_group, ep->a, ctx->bn_ctx) == 0)
return 0;
if(EC_POINT_add(ctx->ec_group, ep->a, ep->b, ep->a, ctx->bn_ctx) == 0)
return 0;
if(EC_POINT_mul(ctx->ec_group, ep->a, NULL, ep->a, closingkey, ctx->bn_ctx) == 0)
return 0;
unsigned char octstring[100];
size_t len = EC_POINT_point2oct(ctx->ec_group, ep->a, POINT_CONVERSION_UNCOMPRESSED, octstring, 100, ctx->bn_ctx);
return hash(octstring, len, pp);
}
void CBAddPoints(uint8_t * point1, uint8_t * point2){
// Get group
EC_GROUP * group = EC_GROUP_new_by_curve_name(NID_secp256k1);
// Get OpenSSL representations of points
EC_POINT * p1 = EC_POINT_new(group);
EC_POINT * p2 = EC_POINT_new(group);
BN_CTX * ctx = BN_CTX_new();
EC_POINT_oct2point(group, p1, point1, 33, ctx);
EC_POINT_oct2point(group, p2, point2, 33, ctx);
// Add points together
EC_POINT * result = EC_POINT_new(group);
EC_POINT_add(group, result, p1, p2, ctx);
// Free points
EC_POINT_free(p1);
EC_POINT_free(p2);
// Write result to point1
EC_POINT_point2oct(group, result, POINT_CONVERSION_COMPRESSED, point1, 33, ctx);
// Free result, group and ctx
EC_POINT_free(result);
EC_GROUP_free(group);
BN_CTX_free(ctx);
}
void *
vg_thread_loop(void *arg)
{
unsigned char hash_buf[128];
unsigned char *eckey_buf;
unsigned char hash1[32];
int i, c, len, output_interval;
int hash_len;
const BN_ULONG rekey_max = 10000000;
BN_ULONG npoints, rekey_at, nbatch;
vg_context_t *vcp = (vg_context_t *) arg;
EC_KEY *pkey = NULL;
const EC_GROUP *pgroup;
const EC_POINT *pgen;
const int ptarraysize = 256;
EC_POINT *ppnt[ptarraysize];
EC_POINT *pbatchinc;
vg_test_func_t test_func = vcp->vc_test;
vg_exec_context_t ctx;
vg_exec_context_t *vxcp;
struct timeval tvstart;
memset(&ctx, 0, sizeof(ctx));
vxcp = &ctx;
vg_exec_context_init(vcp, &ctx);
pkey = vxcp->vxc_key;
pgroup = EC_KEY_get0_group(pkey);
pgen = EC_GROUP_get0_generator(pgroup);
for (i = 0; i < ptarraysize; i++) {
ppnt[i] = EC_POINT_new(pgroup);
if (!ppnt[i]) {
fprintf(stderr, "ERROR: out of memory?\n");
exit(1);
}
}
pbatchinc = EC_POINT_new(pgroup);
if (!pbatchinc) {
fprintf(stderr, "ERROR: out of memory?\n");
exit(1);
}
BN_set_word(&vxcp->vxc_bntmp, ptarraysize);
EC_POINT_mul(pgroup, pbatchinc, &vxcp->vxc_bntmp, NULL, NULL,
vxcp->vxc_bnctx);
EC_POINT_make_affine(pgroup, pbatchinc, vxcp->vxc_bnctx);
npoints = 0;
rekey_at = 0;
nbatch = 0;
vxcp->vxc_key = pkey;
vxcp->vxc_binres[0] = vcp->vc_addrtype;
c = 0;
output_interval = 1000;
gettimeofday(&tvstart, NULL);
if (vcp->vc_format == VCF_SCRIPT) {
hash_buf[ 0] = 0x51; // OP_1
hash_buf[ 1] = 0x41; // pubkey length
// gap for pubkey
hash_buf[67] = 0x51; // OP_1
hash_buf[68] = 0xae; // OP_CHECKMULTISIG
eckey_buf = hash_buf + 2;
hash_len = 69;
} else {
eckey_buf = hash_buf;
hash_len = 65;
}
while (!vcp->vc_halt) {
if (++npoints >= rekey_at) {
vg_exec_context_upgrade_lock(vxcp);
/* Generate a new random private key */
EC_KEY_generate_key(pkey);
npoints = 0;
/* Determine rekey interval */
EC_GROUP_get_order(pgroup, &vxcp->vxc_bntmp,
vxcp->vxc_bnctx);
BN_sub(&vxcp->vxc_bntmp2,
&vxcp->vxc_bntmp,
EC_KEY_get0_private_key(pkey));
rekey_at = BN_get_word(&vxcp->vxc_bntmp2);
if ((rekey_at == BN_MASK2) || (rekey_at > rekey_max))
rekey_at = rekey_max;
assert(rekey_at > 0);
EC_POINT_copy(ppnt[0], EC_KEY_get0_public_key(pkey));
vg_exec_context_downgrade_lock(vxcp);
npoints++;
vxcp->vxc_delta = 0;
if (vcp->vc_pubkey_base)
EC_POINT_add(pgroup,
ppnt[0],
ppnt[0],
vcp->vc_pubkey_base,
vxcp->vxc_bnctx);
for (nbatch = 1;
(nbatch < ptarraysize) && (npoints < rekey_at);
nbatch++, npoints++) {
EC_POINT_add(pgroup,
ppnt[nbatch],
ppnt[nbatch-1],
pgen, vxcp->vxc_bnctx);
}
} else {
/*
* Common case
*
* EC_POINT_add() can skip a few multiplies if
* one or both inputs are affine (Z_is_one).
* This is the case for every point in ppnt, as
* well as pbatchinc.
*/
assert(nbatch == ptarraysize);
for (nbatch = 0;
(nbatch < ptarraysize) && (npoints < rekey_at);
nbatch++, npoints++) {
EC_POINT_add(pgroup,
ppnt[nbatch],
ppnt[nbatch],
pbatchinc,
vxcp->vxc_bnctx);
}
}
/*
* The single most expensive operation performed in this
* loop is modular inversion of ppnt->Z. There is an
* algorithm implemented in OpenSSL to do batched inversion
* that only does one actual BN_mod_inverse(), and saves
* a _lot_ of time.
*
* To take advantage of this, we batch up a few points,
* and feed them to EC_POINTs_make_affine() below.
*/
EC_POINTs_make_affine(pgroup, nbatch, ppnt, vxcp->vxc_bnctx);
for (i = 0; i < nbatch; i++, vxcp->vxc_delta++) {
/* Hash the public key */
len = EC_POINT_point2oct(pgroup, ppnt[i],
POINT_CONVERSION_UNCOMPRESSED,
eckey_buf,
65,
vxcp->vxc_bnctx);
assert(len == 65);
SHA256(hash_buf, hash_len, hash1);
RIPEMD160(hash1, sizeof(hash1), &vxcp->vxc_binres[1]);
switch (test_func(vxcp)) {
case 1:
npoints = 0;
rekey_at = 0;
i = nbatch;
break;
case 2:
goto out;
default:
break;
}
}
c += i;
if (c >= output_interval) {
output_interval = vg_output_timing(vcp, c, &tvstart);
if (output_interval > 250000)
output_interval = 250000;
c = 0;
}
vg_exec_context_yield(vxcp);
}
out:
vg_exec_context_del(&ctx);
vg_context_thread_exit(vcp);
for (i = 0; i < ptarraysize; i++)
if (ppnt[i])
EC_POINT_free(ppnt[i]);
if (pbatchinc)
EC_POINT_free(pbatchinc);
return NULL;
}
void
vg_output_match_console(vg_context_t *vcp, EC_KEY *pkey, const char *pattern)
{
unsigned char key_buf[512], *pend;
char addr_buf[64], addr2_buf[64];
char privkey_buf[VG_PROTKEY_MAX_B58];
const char *keytype = "Privkey";
int len;
int isscript = (vcp->vc_format == VCF_SCRIPT);
EC_POINT *ppnt;
int free_ppnt = 0;
if (vcp->vc_pubkey_base) {
ppnt = EC_POINT_new(EC_KEY_get0_group(pkey));
EC_POINT_copy(ppnt, EC_KEY_get0_public_key(pkey));
EC_POINT_add(EC_KEY_get0_group(pkey),
ppnt,
ppnt,
vcp->vc_pubkey_base,
NULL);
free_ppnt = 1;
keytype = "PrivkeyPart";
} else {
ppnt = (EC_POINT *) EC_KEY_get0_public_key(pkey);
}
assert(EC_KEY_check_key(pkey));
vg_encode_address(ppnt,
EC_KEY_get0_group(pkey),
vcp->vc_pubkeytype, addr_buf);
if (isscript)
vg_encode_script_address(ppnt,
EC_KEY_get0_group(pkey),
vcp->vc_addrtype, addr2_buf);
if (vcp->vc_key_protect_pass) {
len = vg_protect_encode_privkey(privkey_buf,
pkey, vcp->vc_privtype,
VG_PROTKEY_DEFAULT,
vcp->vc_key_protect_pass);
if (len) {
keytype = "Protkey";
} else {
fprintf(stderr,
"ERROR: could not password-protect key\n");
vcp->vc_key_protect_pass = NULL;
}
}
if (!vcp->vc_key_protect_pass) {
vg_encode_privkey(pkey, vcp->vc_privtype, privkey_buf);
}
if (!vcp->vc_result_file || (vcp->vc_verbose > 0)) {
printf("\r%79s\r\nPattern: %s\n", "", pattern);
}
if (vcp->vc_verbose > 0) {
if (vcp->vc_verbose > 1) {
pend = key_buf;
len = i2o_ECPublicKey(pkey, &pend);
printf("Pubkey (hex): ");
dumphex(key_buf, len);
printf("Privkey (hex): ");
dumpbn(EC_KEY_get0_private_key(pkey));
pend = key_buf;
len = i2d_ECPrivateKey(pkey, &pend);
printf("Privkey (ASN1): ");
dumphex(key_buf, len);
}
}
if (!vcp->vc_result_file || (vcp->vc_verbose > 0)) {
if (isscript)
printf("P2SHAddress: %s\n", addr2_buf);
printf("Address: %s\n"
"%s: %s\n",
addr_buf, keytype, privkey_buf);
}
if (vcp->vc_result_file) {
FILE *fp = fopen(vcp->vc_result_file, "a");
if (!fp) {
fprintf(stderr,
"ERROR: could not open result file: %s\n",
strerror(errno));
} else {
fprintf(fp,
"Pattern: %s\n"
, pattern);
if (isscript)
fprintf(fp, "P2SHAddress: %s\n", addr2_buf);
fprintf(fp,
"Address: %s\n"
"%s: %s\n",
addr_buf, keytype, privkey_buf);
fclose(fp);
}
}
if (free_ppnt)
EC_POINT_free(ppnt);
}
int verifyRingSignatureAB(data_chunk &keyImage, uint256 &txnHash, int nRingSize, const uint8_t *pPubkeys, const data_chunk &sigC, const uint8_t *pSigS)
{
// https://bitcointalk.org/index.php?topic=972541.msg10619684
// forall_{i=1..n} compute e_i=s_i*G+c_i*P_i and E_i=s_i*H(P_i)+c_i*I_j and c_{i+1}=h(P_1,...,P_n,e_i,E_i)
// check c_{n+1}=c_1
if (fDebugRingSig)
{
//LogPrintf("%s size %d\n", __func__, nRingSize); // happens often
};
if (sigC.size() != EC_SECRET_SIZE)
return errorN(1, "%s: sigC size != EC_SECRET_SIZE.", __func__);
if (keyImage.size() != EC_COMPRESSED_SIZE)
return errorN(1, "%s: keyImage size != EC_COMPRESSED_SIZE.", __func__);
int rv = 0;
uint256 tmpPkHash;
uint256 tmpHash;
uint8_t tempData[66]; // hold raw point data to hash
CHashWriter ssPkHash(SER_GETHASH, PROTOCOL_VERSION);
CHashWriter ssCjHash(SER_GETHASH, PROTOCOL_VERSION);
for (int i = 0; i < nRingSize; ++i)
{
ssPkHash.write((const char*)&pPubkeys[i * EC_COMPRESSED_SIZE], EC_COMPRESSED_SIZE);
};
tmpPkHash = ssPkHash.GetHash();
BN_CTX_start(bnCtx);
BIGNUM *bnC = BN_CTX_get(bnCtx);
BIGNUM *bnC1 = BN_CTX_get(bnCtx);
BIGNUM *bnT = BN_CTX_get(bnCtx);
BIGNUM *bnS = BN_CTX_get(bnCtx);
EC_POINT *ptKi = NULL;
EC_POINT *ptT1 = NULL;
EC_POINT *ptT2 = NULL;
EC_POINT *ptT3 = NULL;
EC_POINT *ptPk = NULL;
EC_POINT *ptSi = NULL;
if ( !(ptKi = EC_POINT_new(ecGrp))
|| !(ptT1 = EC_POINT_new(ecGrp))
|| !(ptT2 = EC_POINT_new(ecGrp))
|| !(ptT3 = EC_POINT_new(ecGrp))
|| !(ptPk = EC_POINT_new(ecGrp))
|| !(ptSi = EC_POINT_new(ecGrp)))
{
LogPrintf("%s: EC_POINT_new failed.\n", __func__);
rv = 1; goto End;
};
// get keyimage as point
if (!EC_POINT_oct2point(ecGrp, ptKi, &keyImage[0], EC_COMPRESSED_SIZE, bnCtx))
{
LogPrintf("%s: extract ptKi failed.\n", __func__);
rv = 1; goto End;
};
if (!bnC1 || !BN_bin2bn(&sigC[0], EC_SECRET_SIZE, bnC1))
{
LogPrintf("%s: BN_bin2bn failed.\n", __func__);
rv = 1; goto End;
};
if (!BN_copy(bnC, bnC1))
{
LogPrintf("%s: BN_copy failed.\n", __func__);
rv = 1; goto End;
};
for (int i = 0; i < nRingSize; ++i)
{
if (!bnS || !(BN_bin2bn(&pSigS[i * EC_SECRET_SIZE], EC_SECRET_SIZE, bnS)))
{
LogPrintf("%s: BN_bin2bn failed.\n", __func__);
rv = 1; goto End;
};
// ptT2 <- pk
if (!EC_POINT_oct2point(ecGrp, ptPk, &pPubkeys[i * EC_COMPRESSED_SIZE], EC_COMPRESSED_SIZE, bnCtx))
{
LogPrintf("%s: EC_POINT_oct2point failed.\n", __func__);
rv = 1; goto End;
};
// ptT1 = e_i=s_i*G+c_i*P_i
if (!EC_POINT_mul(ecGrp, ptT1, bnS, ptPk, bnC, bnCtx))
{
LogPrintf("%s: EC_POINT_mul failed.\n", __func__);
rv = 1; goto End;
};
if (!(EC_POINT_point2oct(ecGrp, ptT1, POINT_CONVERSION_COMPRESSED, &tempData[0], 33, bnCtx) == (int) EC_COMPRESSED_SIZE))
{
LogPrintf("%s: extract ptT1 failed.\n", __func__);
rv = 1; goto End;
};
// ptT2 =E_i=s_i*H(P_i)+c_i*I_j
// ptT2 =H(P_i)
if (hashToEC(&pPubkeys[i * EC_COMPRESSED_SIZE], EC_COMPRESSED_SIZE, bnT, ptT2) != 0)
{
LogPrintf("%s: hashToEC failed.\n", __func__);
rv = 1; goto End;
};
// DEBUGGING: ------- check if we can find the signer...
// ptSi = Pi * bnT
if ((!EC_POINT_mul(ecGrp, ptSi, NULL, ptPk, bnT, bnCtx)
|| false)
&& (rv = errorN(1, "%s: EC_POINT_mul failed.", __func__)))
goto End;
if (0 == EC_POINT_cmp(ecGrp, ptSi, ptKi, bnCtx) )
LogPrintf("signer is index %d\n", i);
// DEBUGGING: - End - check if we can find the signer...
// ptT3 = s_i*ptT2
if (!EC_POINT_mul(ecGrp, ptT3, NULL, ptT2, bnS, bnCtx))
{
LogPrintf("%s: EC_POINT_mul failed.\n", __func__);
rv = 1; goto End;
};
// ptT1 = c_i*I_j
if (!EC_POINT_mul(ecGrp, ptT1, NULL, ptKi, bnC, bnCtx))
{
LogPrintf("%s: EC_POINT_mul failed.\n", __func__);
rv = 1; goto End;
};
// ptT2 = ptT3 + ptT1
if (!EC_POINT_add(ecGrp, ptT2, ptT3, ptT1, bnCtx))
{
LogPrintf("%s: EC_POINT_add failed.\n", __func__);
rv = 1; goto End;
};
if (!(EC_POINT_point2oct(ecGrp, ptT2, POINT_CONVERSION_COMPRESSED, &tempData[33], 33, bnCtx) == (int) EC_COMPRESSED_SIZE))
{
LogPrintf("%s: extract ptT2 failed.\n", __func__);
rv = 1; goto End;
};
CHashWriter ssCHash(SER_GETHASH, PROTOCOL_VERSION);
ssCHash.write((const char*)tmpPkHash.begin(), 32);
ssCHash.write((const char*)&tempData[0], 66);
tmpHash = ssCHash.GetHash();
if (!bnC || !(BN_bin2bn(tmpHash.begin(), EC_SECRET_SIZE, bnC))
|| !BN_mod(bnC, bnC, bnOrder, bnCtx))
{
LogPrintf("%s: tmpHash -> bnC failed.\n", __func__);
rv = 1; goto End;
};
};
// bnT = (bnC - bnC1) % N
if (!BN_mod_sub(bnT, bnC, bnC1, bnOrder, bnCtx))
{
LogPrintf("%s: BN_mod_sub failed.\n", __func__);
rv = 1; goto End;
};
// test bnT == 0 (bnC == bnC1)
if (!BN_is_zero(bnT))
{
LogPrintf("%s: signature does not verify.\n", __func__);
rv = 2;
};
End:
BN_CTX_end(bnCtx);
EC_POINT_free(ptKi);
EC_POINT_free(ptT1);
EC_POINT_free(ptT2);
EC_POINT_free(ptT3);
EC_POINT_free(ptPk);
EC_POINT_free(ptSi);
return rv;
};
int generateRingSignature(data_chunk &keyImage, uint256 &txnHash, int nRingSize, int nSecretOffset, ec_secret secret, const uint8_t *pPubkeys, uint8_t *pSigc, uint8_t *pSigr)
{
if (fDebugRingSig)
LogPrintf("%s: Ring size %d.\n", __func__, nRingSize);
int rv = 0;
int nBytes;
BN_CTX_start(bnCtx);
BIGNUM *bnKS = BN_CTX_get(bnCtx);
BIGNUM *bnK1 = BN_CTX_get(bnCtx);
BIGNUM *bnK2 = BN_CTX_get(bnCtx);
BIGNUM *bnT = BN_CTX_get(bnCtx);
BIGNUM *bnH = BN_CTX_get(bnCtx);
BIGNUM *bnSum = BN_CTX_get(bnCtx);
EC_POINT *ptT1 = NULL;
EC_POINT *ptT2 = NULL;
EC_POINT *ptT3 = NULL;
EC_POINT *ptPk = NULL;
EC_POINT *ptKi = NULL;
EC_POINT *ptL = NULL;
EC_POINT *ptR = NULL;
uint8_t tempData[66]; // hold raw point data to hash
uint256 commitHash;
ec_secret scData1, scData2;
CHashWriter ssCommitHash(SER_GETHASH, PROTOCOL_VERSION);
ssCommitHash << txnHash;
// zero signature
memset(pSigc, 0, EC_SECRET_SIZE * nRingSize);
memset(pSigr, 0, EC_SECRET_SIZE * nRingSize);
// ks = random 256 bit int mod P
if (GenerateRandomSecret(scData1)
&& (rv = errorN(1, "%s: GenerateRandomSecret failed.", __func__)))
goto End;
if (!bnKS || !(BN_bin2bn(&scData1.e[0], EC_SECRET_SIZE, bnKS)))
{
LogPrintf("%s: BN_bin2bn failed.\n", __func__);
rv = 1; goto End;
};
// zero sum
if (!bnSum || !(BN_zero(bnSum)))
{
LogPrintf("%s: BN_zero failed.\n", __func__);
rv = 1; goto End;
};
if ( !(ptT1 = EC_POINT_new(ecGrp))
|| !(ptT2 = EC_POINT_new(ecGrp))
|| !(ptT3 = EC_POINT_new(ecGrp))
|| !(ptPk = EC_POINT_new(ecGrp))
|| !(ptKi = EC_POINT_new(ecGrp))
|| !(ptL = EC_POINT_new(ecGrp))
|| !(ptR = EC_POINT_new(ecGrp)))
{
LogPrintf("%s: EC_POINT_new failed.\n", __func__);
rv = 1; goto End;
};
// get keyimage as point
if (!(bnT = BN_bin2bn(&keyImage[0], EC_COMPRESSED_SIZE, bnT))
|| !(ptKi) || !(ptKi = EC_POINT_bn2point(ecGrp, bnT, ptKi, bnCtx)))
{
LogPrintf("%s: extract ptKi failed.\n", __func__);
rv = 1; goto End;
};
for (int i = 0; i < nRingSize; ++i)
{
if (i == nSecretOffset)
{
// k = random 256 bit int mod P
// L = k * G
// R = k * HashToEC(PKi)
if (!EC_POINT_mul(ecGrp, ptL, bnKS, NULL, NULL, bnCtx))
{
LogPrintf("%s: EC_POINT_mul failed.\n", __func__);
rv = 1; goto End;
};
if (hashToEC(&pPubkeys[i * EC_COMPRESSED_SIZE], EC_COMPRESSED_SIZE, bnT, ptT1) != 0)
{
LogPrintf("%s: hashToEC failed.\n", __func__);
rv = 1; goto End;
};
if (!EC_POINT_mul(ecGrp, ptR, NULL, ptT1, bnKS, bnCtx))
{
LogPrintf("%s: EC_POINT_mul failed.\n", __func__);
rv = 1; goto End;
};
} else
{
// k1 = random 256 bit int mod P
// k2 = random 256 bit int mod P
// Li = k1 * Pi + k2 * G
// Ri = k1 * I + k2 * Hp(Pi)
// ci = k1
// ri = k2
if (GenerateRandomSecret(scData1) != 0
|| !bnK1 || !(BN_bin2bn(&scData1.e[0], EC_SECRET_SIZE, bnK1))
|| GenerateRandomSecret(scData2) != 0
|| !bnK2 || !(BN_bin2bn(&scData2.e[0], EC_SECRET_SIZE, bnK2)))
{
LogPrintf("%s: k1 and k2 failed.\n", __func__);
rv = 1; goto End;
};
// get Pk i as point
if (!(bnT = BN_bin2bn(&pPubkeys[i * EC_COMPRESSED_SIZE], EC_COMPRESSED_SIZE, bnT))
|| !(ptPk) || !(ptPk = EC_POINT_bn2point(ecGrp, bnT, ptPk, bnCtx)))
{
LogPrintf("%s: extract ptPk failed.\n", __func__);
rv = 1; goto End;
};
// ptT1 = k1 * Pi
if (!EC_POINT_mul(ecGrp, ptT1, NULL, ptPk, bnK1, bnCtx))
{
LogPrintf("%s: EC_POINT_mul failed.\n", __func__);
rv = 1; goto End;
};
// ptT2 = k2 * G
if (!EC_POINT_mul(ecGrp, ptT2, bnK2, NULL, NULL, bnCtx))
{
LogPrintf("%s: EC_POINT_mul failed.\n", __func__);
rv = 1; goto End;
};
// ptL = ptT1 + ptT2
if (!EC_POINT_add(ecGrp, ptL, ptT1, ptT2, bnCtx))
{
LogPrintf("%s: EC_POINT_add failed.\n", __func__);
rv = 1; goto End;
};
// ptT3 = Hp(Pi)
if (hashToEC(&pPubkeys[i * EC_COMPRESSED_SIZE], EC_COMPRESSED_SIZE, bnT, ptT3) != 0)
{
LogPrintf("%s: hashToEC failed.\n", __func__);
rv = 1; goto End;
};
// ptT1 = k1 * I
if (!EC_POINT_mul(ecGrp, ptT1, NULL, ptKi, bnK1, bnCtx))
{
LogPrintf("%s: EC_POINT_mul failed.\n", __func__);
rv = 1; goto End;
};
// ptT2 = k2 * ptT3
if (!EC_POINT_mul(ecGrp, ptT2, NULL, ptT3, bnK2, bnCtx))
{
LogPrintf("%s: EC_POINT_mul failed.\n", __func__);
rv = 1; goto End;
};
// ptR = ptT1 + ptT2
if (!EC_POINT_add(ecGrp, ptR, ptT1, ptT2, bnCtx))
{
LogPrintf("%s: EC_POINT_add failed.\n", __func__);
rv = 1; goto End;
};
memcpy(&pSigc[i * EC_SECRET_SIZE], &scData1.e[0], EC_SECRET_SIZE);
memcpy(&pSigr[i * EC_SECRET_SIZE], &scData2.e[0], EC_SECRET_SIZE);
// sum = (sum + sigc) % N , sigc == bnK1
if (!BN_mod_add(bnSum, bnSum, bnK1, bnOrder, bnCtx))
{
LogPrintf("%s: BN_mod_add failed.\n", __func__);
rv = 1; goto End;
};
};
// -- add ptL and ptR to hash
if ( !(EC_POINT_point2oct(ecGrp, ptL, POINT_CONVERSION_COMPRESSED, &tempData[0], 33, bnCtx) == (int) EC_COMPRESSED_SIZE)
|| !(EC_POINT_point2oct(ecGrp, ptR, POINT_CONVERSION_COMPRESSED, &tempData[33], 33, bnCtx) == (int) EC_COMPRESSED_SIZE))
{
LogPrintf("%s: extract ptL and ptR failed.\n", __func__);
rv = 1; goto End;
};
ssCommitHash.write((const char*)&tempData[0], 66);
};
commitHash = ssCommitHash.GetHash();
if (!(bnH) || !(bnH = BN_bin2bn(commitHash.begin(), EC_SECRET_SIZE, bnH)))
{
LogPrintf("%s: commitHash -> bnH failed.\n", __func__);
rv = 1; goto End;
};
if (!BN_mod(bnH, bnH, bnOrder, bnCtx)) // this is necessary
{
LogPrintf("%s: BN_mod failed.\n", __func__);
rv = 1; goto End;
};
// sigc[nSecretOffset] = (bnH - bnSum) % N
if (!BN_mod_sub(bnT, bnH, bnSum, bnOrder, bnCtx))
{
LogPrintf("%s: BN_mod_sub failed.\n", __func__);
rv = 1; goto End;
};
if ((nBytes = BN_num_bytes(bnT)) > (int)EC_SECRET_SIZE
|| BN_bn2bin(bnT, &pSigc[nSecretOffset * EC_SECRET_SIZE + (EC_SECRET_SIZE-nBytes)]) != nBytes)
{
LogPrintf("%s: bnT -> pSigc failed.\n", __func__);
rv = 1; goto End;
};
// sigr[nSecretOffset] = (bnKS - sigc[nSecretOffset] * bnSecret) % N
// reuse bnH for bnSecret
if (!bnH || !(BN_bin2bn(&secret.e[0], EC_SECRET_SIZE, bnH)))
{
LogPrintf("%s: BN_bin2bn failed.\n", __func__);
rv = 1; goto End;
};
// bnT = sigc[nSecretOffset] * bnSecret , TODO: mod N ?
if (!BN_mul(bnT, bnT, bnH, bnCtx))
{
LogPrintf("%s: BN_mul failed.\n", __func__);
rv = 1; goto End;
};
if (!BN_mod_sub(bnT, bnKS, bnT, bnOrder, bnCtx))
{
LogPrintf("%s: BN_mod_sub failed.\n", __func__);
rv = 1; goto End;
};
if ((nBytes = BN_num_bytes(bnT)) > (int) EC_SECRET_SIZE
|| BN_bn2bin(bnT, &pSigr[nSecretOffset * EC_SECRET_SIZE + (EC_SECRET_SIZE-nBytes)]) != nBytes)
{
LogPrintf("%s: bnT -> pSigr failed.\n", __func__);
rv = 1; goto End;
};
End:
EC_POINT_free(ptT1);
EC_POINT_free(ptT2);
EC_POINT_free(ptT3);
EC_POINT_free(ptPk);
EC_POINT_free(ptKi);
EC_POINT_free(ptL);
EC_POINT_free(ptR);
BN_CTX_end(bnCtx);
return rv;
};
int generateRingSignatureAB(data_chunk &keyImage, uint256 &txnHash, int nRingSize, int nSecretOffset, ec_secret secret, const uint8_t *pPubkeys, data_chunk &sigC, uint8_t *pSigS)
{
// https://bitcointalk.org/index.php?topic=972541.msg10619684
if (fDebugRingSig)
LogPrintf("%s: Ring size %d.\n", __func__, nRingSize);
assert(nRingSize < 200);
RandAddSeedPerfmon();
memset(pSigS, 0, EC_SECRET_SIZE * nRingSize);
int rv = 0;
int nBytes;
uint256 tmpPkHash;
uint256 tmpHash;
uint8_t tempData[66]; // hold raw point data to hash
ec_secret sAlpha;
if (0 != GenerateRandomSecret(sAlpha))
return errorN(1, "%s: GenerateRandomSecret failed.", __func__);
CHashWriter ssPkHash(SER_GETHASH, PROTOCOL_VERSION);
CHashWriter ssCjHash(SER_GETHASH, PROTOCOL_VERSION);
uint256 test;
for (int i = 0; i < nRingSize; ++i)
{
ssPkHash.write((const char*)&pPubkeys[i * EC_COMPRESSED_SIZE], EC_COMPRESSED_SIZE);
if (i == nSecretOffset)
continue;
int k;
// NOTE: necessary to clamp?
for (k = 0; k < 32; ++k)
{
if (1 != RAND_bytes(&pSigS[i * EC_SECRET_SIZE], 32))
return errorN(1, "%s: RAND_bytes ERR_get_error %u.", __func__, ERR_get_error());
memcpy(test.begin(), &pSigS[i * EC_SECRET_SIZE], 32);
if (test > MIN_SECRET && test < MAX_SECRET)
break;
};
if (k > 31)
return errorN(1, "%s: Failed to generate a valid key.", __func__);
};
tmpPkHash = ssPkHash.GetHash();
BN_CTX_start(bnCtx);
BIGNUM *bnT = BN_CTX_get(bnCtx);
BIGNUM *bnT2 = BN_CTX_get(bnCtx);
BIGNUM *bnS = BN_CTX_get(bnCtx);
BIGNUM *bnC = BN_CTX_get(bnCtx);
BIGNUM *bnCj = BN_CTX_get(bnCtx);
BIGNUM *bnA = BN_CTX_get(bnCtx);
EC_POINT *ptKi = NULL;
EC_POINT *ptPk = NULL;
EC_POINT *ptT1 = NULL;
EC_POINT *ptT2 = NULL;
EC_POINT *ptT3 = NULL;
EC_POINT *ptT4 = NULL;
if ( !(ptKi = EC_POINT_new(ecGrp))
|| !(ptPk = EC_POINT_new(ecGrp))
|| !(ptT1 = EC_POINT_new(ecGrp))
|| !(ptT2 = EC_POINT_new(ecGrp))
|| !(ptT3 = EC_POINT_new(ecGrp))
|| !(ptT4 = EC_POINT_new(ecGrp)))
{
LogPrintf("%s: EC_POINT_new failed.\n", __func__);
rv = 1; goto End;
};
// get keyimage as point
if (!EC_POINT_oct2point(ecGrp, ptKi, &keyImage[0], EC_COMPRESSED_SIZE, bnCtx))
{
LogPrintf("%s: extract ptKi failed.\n", __func__);
rv = 1; goto End;
};
// c_{j+1} = h(P_1,...,P_n,alpha*G,alpha*H(P_j))
if (!bnA || !(BN_bin2bn(&sAlpha.e[0], EC_SECRET_SIZE, bnA)))
{
LogPrintf("%s: BN_bin2bn failed.\n", __func__);
rv = 1; goto End;
};
// ptT1 = alpha * G
if (!EC_POINT_mul(ecGrp, ptT1, bnA, NULL, NULL, bnCtx))
{
LogPrintf("%s: EC_POINT_mul failed.\n", __func__);
rv = 1; goto End;
};
// ptT3 = H(Pj)
if (hashToEC(&pPubkeys[nSecretOffset * EC_COMPRESSED_SIZE], EC_COMPRESSED_SIZE, bnT2, ptT3) != 0)
{
LogPrintf("%s: hashToEC failed.\n", __func__);
rv = 1; goto End;
};
ssCjHash.write((const char*)tmpPkHash.begin(), 32);
// ptT2 = alpha * H(P_j)
// ptT2 = alpha * ptT3
if (!EC_POINT_mul(ecGrp, ptT2, NULL, ptT3, bnA, bnCtx))
{
LogPrintf("%s: EC_POINT_mul failed.\n", __func__);
rv = 1; goto End;
};
if ( !(EC_POINT_point2oct(ecGrp, ptT1, POINT_CONVERSION_COMPRESSED, &tempData[0], 33, bnCtx) == (int) EC_COMPRESSED_SIZE)
|| !(EC_POINT_point2oct(ecGrp, ptT2, POINT_CONVERSION_COMPRESSED, &tempData[33], 33, bnCtx) == (int) EC_COMPRESSED_SIZE))
{
LogPrintf("%s: extract ptL and ptR failed.\n", __func__);
rv = 1; goto End;
};
ssCjHash.write((const char*)&tempData[0], 66);
tmpHash = ssCjHash.GetHash();
if (!bnC || !(BN_bin2bn(tmpHash.begin(), EC_SECRET_SIZE, bnC)) // bnC lags i by 1
|| !BN_mod(bnC, bnC, bnOrder, bnCtx))
{
LogPrintf("%s: hash -> bnC failed.\n", __func__);
rv = 1; goto End;
};
// c_{j+2} = h(P_1,...,P_n,s_{j+1}*G+c_{j+1}*P_{j+1},s_{j+1}*H(P_{j+1})+c_{j+1}*I_j)
for (int k = 0, ib = (nSecretOffset + 1) % nRingSize, i = (nSecretOffset + 2) % nRingSize;
k < nRingSize;
++k, ib=i, i=(i+1) % nRingSize)
{
if (k == nRingSize - 1)
{
// s_j = alpha - c_j*x_j mod n.
if (!bnT || !BN_bin2bn(&secret.e[0], EC_SECRET_SIZE, bnT))
{
LogPrintf("%s: BN_bin2bn failed.\n", __func__);
rv = 1; goto End;
};
if (!BN_mul(bnT2, bnCj, bnT, bnCtx))
{
LogPrintf("%s: BN_mul failed.\n", __func__);
rv = 1; goto End;
};
if (!BN_mod_sub(bnS, bnA, bnT2, bnOrder, bnCtx))
{
LogPrintf("%s: BN_mod_sub failed.\n", __func__);
rv = 1; goto End;
};
if (!bnS || (nBytes = BN_num_bytes(bnS)) > (int) EC_SECRET_SIZE
|| BN_bn2bin(bnS, &pSigS[nSecretOffset * EC_SECRET_SIZE + (EC_SECRET_SIZE-nBytes)]) != nBytes)
{
LogPrintf("%s: bnS -> pSigS failed.\n", __func__);
rv = 1; goto End;
};
if (nSecretOffset != nRingSize - 1)
break;
};
if (!bnS || !(BN_bin2bn(&pSigS[ib * EC_SECRET_SIZE], EC_SECRET_SIZE, bnS)))
{
LogPrintf("%s: BN_bin2bn failed.\n", __func__);
rv = 1; goto End;
};
// bnC is from last round (ib)
if (!EC_POINT_oct2point(ecGrp, ptPk, &pPubkeys[ib * EC_COMPRESSED_SIZE], EC_COMPRESSED_SIZE, bnCtx))
{
LogPrintf("%s: EC_POINT_oct2point failed.\n", __func__);
rv = 1; goto End;
};
// ptT1 = s_{j+1}*G+c_{j+1}*P_{j+1}
if (!EC_POINT_mul(ecGrp, ptT1, bnS, ptPk, bnC, bnCtx))
{
LogPrintf("%s: EC_POINT_mul failed.\n", __func__);
rv = 1; goto End;
};
//s_{j+1}*H(P_{j+1})+c_{j+1}*I_j
if (hashToEC(&pPubkeys[ib * EC_COMPRESSED_SIZE], EC_COMPRESSED_SIZE, bnT2, ptT2) != 0)
{
LogPrintf("%s: hashToEC failed.\n", __func__);
rv = 1; goto End;
};
// ptT3 = s_{j+1}*H(P_{j+1})
if (!EC_POINT_mul(ecGrp, ptT3, NULL, ptT2, bnS, bnCtx))
{
LogPrintf("%s: EC_POINT_mul failed.\n", __func__);
rv = 1; goto End;
};
// ptT4 = c_{j+1}*I_j
if (!EC_POINT_mul(ecGrp, ptT4, NULL, ptKi, bnC, bnCtx))
{
LogPrintf("%s: EC_POINT_mul failed.\n", __func__);
rv = 1; goto End;
};
// ptT2 = ptT3 + ptT4
if (!EC_POINT_add(ecGrp, ptT2, ptT3, ptT4, bnCtx))
{
LogPrintf("%s: EC_POINT_add failed.\n", __func__);
rv = 1; goto End;
};
if ( !(EC_POINT_point2oct(ecGrp, ptT1, POINT_CONVERSION_COMPRESSED, &tempData[0], 33, bnCtx) == (int) EC_COMPRESSED_SIZE)
|| !(EC_POINT_point2oct(ecGrp, ptT2, POINT_CONVERSION_COMPRESSED, &tempData[33], 33, bnCtx) == (int) EC_COMPRESSED_SIZE))
{
LogPrintf("%s: extract ptL and ptR failed.\n", __func__);
rv = 1; goto End;
};
CHashWriter ssCHash(SER_GETHASH, PROTOCOL_VERSION);
ssCHash.write((const char*)tmpPkHash.begin(), 32);
ssCHash.write((const char*)&tempData[0], 66);
tmpHash = ssCHash.GetHash();
if (!bnC || !(BN_bin2bn(tmpHash.begin(), EC_SECRET_SIZE, bnC)) // bnC lags i by 1
|| !BN_mod(bnC, bnC, bnOrder, bnCtx))
{
LogPrintf("%s: hash -> bnC failed.\n", __func__);
rv = 1; goto End;
};
if (i == nSecretOffset
&& !BN_copy(bnCj, bnC))
{
LogPrintf("%s: BN_copy failed.\n", __func__);
rv = 1; goto End;
};
if (i == 0)
{
memset(tempData, 0, EC_SECRET_SIZE);
if ((nBytes = BN_num_bytes(bnC)) > (int) EC_SECRET_SIZE
|| BN_bn2bin(bnC, &tempData[0 + (EC_SECRET_SIZE-nBytes)]) != nBytes)
{
LogPrintf("%s: bnC -> sigC failed.\n", __func__);
rv = 1; goto End;
};
try { sigC.resize(32); } catch (std::exception& e)
{
LogPrintf("%s: sigC.resize failed.\n", __func__);
rv = 1; goto End;
};
memcpy(&sigC[0], tempData, EC_SECRET_SIZE);
};
};
End:
EC_POINT_free(ptKi);
EC_POINT_free(ptPk);
EC_POINT_free(ptT1);
EC_POINT_free(ptT2);
EC_POINT_free(ptT3);
EC_POINT_free(ptT4);
BN_CTX_end(bnCtx);
return rv;
};
int verifyRingSignature(data_chunk &keyImage, uint256 &txnHash, int nRingSize, const uint8_t *pPubkeys, const uint8_t *pSigc, const uint8_t *pSigr)
{
if (fDebugRingSig)
{
// LogPrintf("%s size %d\n", __func__, nRingSize); // happens often
};
int rv = 0;
BN_CTX_start(bnCtx);
BIGNUM *bnT = BN_CTX_get(bnCtx);
BIGNUM *bnH = BN_CTX_get(bnCtx);
BIGNUM *bnC = BN_CTX_get(bnCtx);
BIGNUM *bnR = BN_CTX_get(bnCtx);
BIGNUM *bnSum = BN_CTX_get(bnCtx);
EC_POINT *ptT1 = NULL;
EC_POINT *ptT2 = NULL;
EC_POINT *ptT3 = NULL;
EC_POINT *ptPk = NULL;
EC_POINT *ptKi = NULL;
EC_POINT *ptL = NULL;
EC_POINT *ptR = NULL;
EC_POINT *ptSi = NULL;
uint8_t tempData[66]; // hold raw point data to hash
uint256 commitHash;
CHashWriter ssCommitHash(SER_GETHASH, PROTOCOL_VERSION);
ssCommitHash << txnHash;
// zero sum
if (!bnSum || !(BN_zero(bnSum)))
{
LogPrintf("%s: BN_zero failed.\n", __func__);
rv = 1; goto End;
};
if ( !(ptT1 = EC_POINT_new(ecGrp))
|| !(ptT2 = EC_POINT_new(ecGrp))
|| !(ptT3 = EC_POINT_new(ecGrp))
|| !(ptPk = EC_POINT_new(ecGrp))
|| !(ptKi = EC_POINT_new(ecGrp))
|| !(ptL = EC_POINT_new(ecGrp))
|| !(ptSi = EC_POINT_new(ecGrp))
|| !(ptR = EC_POINT_new(ecGrp)))
{
LogPrintf("%s: EC_POINT_new failed.\n", __func__);
rv = 1; goto End;
};
// get keyimage as point
if (!(bnT = BN_bin2bn(&keyImage[0], EC_COMPRESSED_SIZE, bnT))
|| !(ptKi) || !(ptKi = EC_POINT_bn2point(ecGrp, bnT, ptKi, bnCtx)))
{
LogPrintf("%s: extract ptKi failed.\n", __func__);
rv = 1; goto End;
};
for (int i = 0; i < nRingSize; ++i)
{
// Li = ci * Pi + ri * G
// Ri = ci * I + ri * Hp(Pi)
if ( !bnC || !(bnC = BN_bin2bn(&pSigc[i * EC_SECRET_SIZE], EC_SECRET_SIZE, bnC))
|| !bnR || !(bnR = BN_bin2bn(&pSigr[i * EC_SECRET_SIZE], EC_SECRET_SIZE, bnR)))
{
LogPrintf("%s: extract bnC and bnR failed.\n", __func__);
rv = 1; goto End;
};
// get Pk i as point
if (!(bnT = BN_bin2bn(&pPubkeys[i * EC_COMPRESSED_SIZE], EC_COMPRESSED_SIZE, bnT))
|| !(ptPk) || !(ptPk = EC_POINT_bn2point(ecGrp, bnT, ptPk, bnCtx)))
{
LogPrintf("%s: extract ptPk failed.\n", __func__);
rv = 1; goto End;
};
// ptT1 = ci * Pi
if (!EC_POINT_mul(ecGrp, ptT1, NULL, ptPk, bnC, bnCtx))
{
LogPrintf("%s: EC_POINT_mul failed.\n", __func__);
rv = 1; goto End;
};
// ptT2 = ri * G
if (!EC_POINT_mul(ecGrp, ptT2, bnR, NULL, NULL, bnCtx))
{
LogPrintf("%s: EC_POINT_mul failed.\n", __func__);
rv = 1; goto End;
};
// ptL = ptT1 + ptT2
if (!EC_POINT_add(ecGrp, ptL, ptT1, ptT2, bnCtx))
{
LogPrintf("%s: EC_POINT_add failed.\n", __func__);
rv = 1; goto End;
};
// ptT3 = Hp(Pi)
if (hashToEC(&pPubkeys[i * EC_COMPRESSED_SIZE], EC_COMPRESSED_SIZE, bnT, ptT3) != 0)
{
LogPrintf("%s: hashToEC failed.\n", __func__);
rv = 1; goto End;
};
// DEBUGGING: ------- check if we can find the signer...
// ptSi = Pi * bnT
if ((!EC_POINT_mul(ecGrp, ptSi, NULL, ptPk, bnT, bnCtx)
|| false)
&& (rv = errorN(1, "%s: EC_POINT_mul failed.1", __func__)))
goto End;
if (0 == EC_POINT_cmp(ecGrp, ptSi, ptKi, bnCtx) )
LogPrintf("signer is index %d\n", i);
// DEBUGGING: - End - check if we can find the signer...
// ptT1 = k1 * I
if (!EC_POINT_mul(ecGrp, ptT1, NULL, ptKi, bnC, bnCtx))
{
LogPrintf("%s: EC_POINT_mul failed.\n", __func__);
rv = 1; goto End;
};
// ptT2 = k2 * ptT3
if (!EC_POINT_mul(ecGrp, ptT2, NULL, ptT3, bnR, bnCtx))
{
LogPrintf("%s: EC_POINT_mul failed.\n", __func__);
rv = 1; goto End;
};
// ptR = ptT1 + ptT2
if (!EC_POINT_add(ecGrp, ptR, ptT1, ptT2, bnCtx))
{
LogPrintf("%s: EC_POINT_add failed.\n", __func__);
rv = 1; goto End;
};
// sum = (sum + ci) % N
if (!BN_mod_add(bnSum, bnSum, bnC, bnOrder, bnCtx))
{
LogPrintf("%s: BN_mod_add failed.\n", __func__);
rv = 1; goto End;
};
// -- add ptL and ptR to hash
if ( !(EC_POINT_point2oct(ecGrp, ptL, POINT_CONVERSION_COMPRESSED, &tempData[0], 33, bnCtx) == (int) EC_COMPRESSED_SIZE)
|| !(EC_POINT_point2oct(ecGrp, ptR, POINT_CONVERSION_COMPRESSED, &tempData[33], 33, bnCtx) == (int) EC_COMPRESSED_SIZE))
{
LogPrintf("%s: extract ptL and ptR failed.\n", __func__);
rv = 1; goto End;
};
ssCommitHash.write((const char*)&tempData[0], 66);
};
commitHash = ssCommitHash.GetHash();
if (!(bnH) || !(bnH = BN_bin2bn(commitHash.begin(), EC_SECRET_SIZE, bnH)))
{
LogPrintf("%s: commitHash -> bnH failed.\n", __func__);
rv = 1; goto End;
};
if (!BN_mod(bnH, bnH, bnOrder, bnCtx))
{
LogPrintf("%s: BN_mod failed.\n", __func__);
rv = 1; goto End;
};
// bnT = (bnH - bnSum) % N
if (!BN_mod_sub(bnT, bnH, bnSum, bnOrder, bnCtx))
{
LogPrintf("%s: BN_mod_sub failed.\n", __func__);
rv = 1; goto End;
};
// test bnT == 0 (bnSum == bnH)
if (!BN_is_zero(bnT))
{
LogPrintf("%s: signature does not verify.\n", __func__);
rv = 2;
};
End:
EC_POINT_free(ptT1);
EC_POINT_free(ptT2);
EC_POINT_free(ptT3);
EC_POINT_free(ptPk);
EC_POINT_free(ptKi);
EC_POINT_free(ptL);
EC_POINT_free(ptR);
EC_POINT_free(ptSi);
BN_CTX_end(bnCtx);
return rv;
};
int SM9_do_verify_type1curve(SM9PublicParameters *mpk,
const unsigned char *dgst, size_t dgstlen,
const SM9Signature *sig, const char *id, size_t idlen)
{
int ret = 0;
BN_CTX *bn_ctx = NULL;
EC_GROUP *group = NULL;
EC_POINT *point = NULL;
EC_POINT *pointS = NULL;
EC_POINT *Ppub = NULL;
BN_GFP2 *t = NULL;
BN_GFP2 *u = NULL;
BN_GFP2 *w = NULL;
unsigned char *buf = NULL;
BIGNUM *h1;
BIGNUM *h2;
size_t size;
const EVP_MD *md;
if (!mpk || !dgst || dgstlen <= 0 || !sig || !id || idlen <= 0) {
SM9err(SM9_F_SM9_DO_VERIFY_TYPE1CURVE, ERR_R_PASSED_NULL_PARAMETER);
return 0;
}
if (dgstlen > EVP_MAX_MD_SIZE) {
SM9err(SM9_F_SM9_DO_VERIFY_TYPE1CURVE, SM9_R_INVALID_DIGEST);
return 0;
}
if (idlen > SM9_MAX_ID_LENGTH) {
SM9err(SM9_F_SM9_DO_VERIFY_TYPE1CURVE, SM9_R_INVALID_ID);
return 0;
}
/* BN_CTX */
if (!(bn_ctx = BN_CTX_new())) {
SM9err(SM9_F_SM9_DO_VERIFY_TYPE1CURVE, ERR_R_MALLOC_FAILURE);
goto end;
}
BN_CTX_start(bn_ctx);
/* EC_GROUP */
if (!(group = EC_GROUP_new_type1curve_ex(mpk->p,
mpk->a, mpk->b, mpk->pointP1->data, mpk->pointP1->length,
mpk->order, mpk->cofactor, bn_ctx))) {
SM9err(SM9_F_SM9_DO_VERIFY_TYPE1CURVE, SM9_R_INVALID_TYPE1CURVE);
goto end;
}
/* malloc */
point = EC_POINT_new(group);
pointS = EC_POINT_new(group);
Ppub = EC_POINT_new(group);
t = BN_GFP2_new();
u = BN_GFP2_new();
w = BN_GFP2_new();
h1 = BN_CTX_get(bn_ctx);
h2 = BN_CTX_get(bn_ctx);
if (!point || !pointS || !Ppub || !t || !u || !w || !h1 || !h2) {
SM9err(SM9_F_SM9_DO_VERIFY_TYPE1CURVE, ERR_R_MALLOC_FAILURE);
goto end;
}
/* md = mpk->hashfcn */
if (!(md = EVP_get_digestbyobj(mpk->hashfcn))) {
SM9err(SM9_F_SM9_DO_VERIFY_TYPE1CURVE, SM9_R_INVALID_MD);
goto end;
}
/* check sig->h in [1, mpk->order - 1] */
//FIXME: do we need to check sig->h > 0 ?
if (BN_is_zero(sig->h) || BN_cmp(sig->h, mpk->order) >= 0) {
SM9err(SM9_F_SM9_DO_VERIFY_TYPE1CURVE, SM9_R_INVALID_SIGNATURE);
goto end;
}
/* pointS = sig->pointS */
if (!EC_POINT_oct2point(group, pointS,
sig->pointS->data, sig->pointS->length, bn_ctx)) {
SM9err(SM9_F_SM9_DO_VERIFY_TYPE1CURVE, SM9_R_INVALID_SIGNATURE);
goto end;
}
/* decode t from mpk->g in F_p^2 */
if (!BN_bn2gfp2(mpk->g1, t, mpk->p, bn_ctx)) {
SM9err(SM9_F_SM9_DO_VERIFY_TYPE1CURVE, ERR_R_BN_LIB);
goto end;
}
/* t = t^(sig->h) = (mpk->g)^(sig->h) in F_p^2 */
if (!BN_GFP2_exp(t, t, sig->h, mpk->p, bn_ctx)) {
SM9err(SM9_F_SM9_DO_VERIFY_TYPE1CURVE, ERR_R_BN_LIB);
goto end;
}
/* h1 = H1(ID||hid) to range [0, mpk->order) */
if (!SM9_hash1(md, &h1, id, idlen, SM9_HID, mpk->order, bn_ctx)) {
SM9err(SM9_F_SM9_DO_VERIFY_TYPE1CURVE, ERR_R_SM9_LIB);
goto end;
}
/* point = mpk->pointP2 * h1 + mpk->pointPpub */
if (!EC_POINT_mul(group, point, h1, NULL, NULL, bn_ctx)) {
SM9err(SM9_F_SM9_DO_VERIFY_TYPE1CURVE, ERR_R_EC_LIB);
goto end;
}
if (!EC_POINT_oct2point(group, Ppub,
mpk->pointPpub->data, mpk->pointPpub->length, bn_ctx)) {
SM9err(SM9_F_SM9_DO_VERIFY_TYPE1CURVE, SM9_R_INVALID_TYPE1CURVE);
goto end;
}
if (!EC_POINT_add(group, point, point, Ppub, bn_ctx)) {
SM9err(SM9_F_SM9_DO_VERIFY_TYPE1CURVE, ERR_R_EC_LIB);
goto end;
}
/* u = e(sig->pointS, point) in F_p^2 */
if (!EC_type1curve_tate(group, u, pointS, point, bn_ctx)) {
SM9err(SM9_F_SM9_DO_VERIFY_TYPE1CURVE, SM9_R_COMPUTE_PAIRING_FAILURE);
goto end;
}
/* w = u * t in F_p^2 */
if (!BN_GFP2_mul(w, u, t, mpk->p, bn_ctx)) {
SM9err(SM9_F_SM9_DO_VERIFY_TYPE1CURVE, ERR_R_BN_LIB);
goto end;
}
/* buf = canonical(w) */
if (!BN_GFP2_canonical(w, NULL, &size, 0, mpk->p, bn_ctx)) {
SM9err(SM9_F_SM9_DO_VERIFY_TYPE1CURVE, ERR_R_BN_LIB);
goto end;
}
if (!(buf = OPENSSL_malloc(size))) {
SM9err(SM9_F_SM9_DO_VERIFY_TYPE1CURVE, ERR_R_MALLOC_FAILURE);
goto end;
}
if (!BN_GFP2_canonical(w, buf, &size, 0, mpk->p, bn_ctx)) {
SM9err(SM9_F_SM9_DO_VERIFY_TYPE1CURVE, ERR_R_BN_LIB);
goto end;
}
/* h2 = H2(M||w) in [0, mpk->order - 1] */
if (!SM9_hash2(md, &h2, dgst, dgstlen, buf, size, mpk->order, bn_ctx)) {
SM9err(SM9_F_SM9_DO_VERIFY_TYPE1CURVE, SM9_R_HASH_FAILURE);
goto end;
}
/* check if h2 == sig->h */
if (BN_cmp(h2, sig->h) != 0) {
SM9err(SM9_F_SM9_DO_VERIFY_TYPE1CURVE, SM9_R_INVALID_SIGNATURE);
goto end;
}
//FIXME: return value of sig verify
ret = 1;
end:
if (bn_ctx) {
BN_CTX_end(bn_ctx);
}
BN_CTX_free(bn_ctx);
EC_GROUP_free(group);
EC_POINT_free(point);
EC_POINT_free(pointS);
EC_POINT_free(Ppub);
BN_GFP2_free(t);
BN_GFP2_free(u);
BN_GFP2_free(w);
OPENSSL_free(buf);
return ret;
}
static void
eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data,
const u8 *payload, size_t payload_len)
{
u8 *ptr;
BIGNUM *x = NULL, *y = NULL, *cofactor = NULL;
EC_POINT *K = NULL, *point = NULL;
int res = 0;
wpa_printf(MSG_DEBUG, "EAP-pwd: Received commit response");
if (((data->peer_scalar = BN_new()) == NULL) ||
((data->k = BN_new()) == NULL) ||
((cofactor = BN_new()) == NULL) ||
((x = BN_new()) == NULL) ||
((y = BN_new()) == NULL) ||
((point = EC_POINT_new(data->grp->group)) == NULL) ||
((K = EC_POINT_new(data->grp->group)) == NULL) ||
((data->peer_element = EC_POINT_new(data->grp->group)) == NULL)) {
wpa_printf(MSG_INFO, "EAP-PWD (server): peer data allocation "
"fail");
goto fin;
}
if (!EC_GROUP_get_cofactor(data->grp->group, cofactor, NULL)) {
wpa_printf(MSG_INFO, "EAP-PWD (server): unable to get "
"cofactor for curve");
goto fin;
}
/* element, x then y, followed by scalar */
ptr = (u8 *) payload;
BN_bin2bn(ptr, BN_num_bytes(data->grp->prime), x);
ptr += BN_num_bytes(data->grp->prime);
BN_bin2bn(ptr, BN_num_bytes(data->grp->prime), y);
ptr += BN_num_bytes(data->grp->prime);
BN_bin2bn(ptr, BN_num_bytes(data->grp->order), data->peer_scalar);
if (!EC_POINT_set_affine_coordinates_GFp(data->grp->group,
data->peer_element, x, y,
data->bnctx)) {
wpa_printf(MSG_INFO, "EAP-PWD (server): setting peer element "
"fail");
goto fin;
}
/* check to ensure peer's element is not in a small sub-group */
if (BN_cmp(cofactor, BN_value_one())) {
if (!EC_POINT_mul(data->grp->group, point, NULL,
data->peer_element, cofactor, NULL)) {
wpa_printf(MSG_INFO, "EAP-PWD (server): cannot "
"multiply peer element by order");
goto fin;
}
if (EC_POINT_is_at_infinity(data->grp->group, point)) {
wpa_printf(MSG_INFO, "EAP-PWD (server): peer element "
"is at infinity!\n");
goto fin;
}
}
/* compute the shared key, k */
if ((!EC_POINT_mul(data->grp->group, K, NULL, data->grp->pwe,
data->peer_scalar, data->bnctx)) ||
(!EC_POINT_add(data->grp->group, K, K, data->peer_element,
data->bnctx)) ||
(!EC_POINT_mul(data->grp->group, K, NULL, K, data->private_value,
data->bnctx))) {
wpa_printf(MSG_INFO, "EAP-PWD (server): computing shared key "
"fail");
goto fin;
}
/* ensure that the shared key isn't in a small sub-group */
if (BN_cmp(cofactor, BN_value_one())) {
if (!EC_POINT_mul(data->grp->group, K, NULL, K, cofactor,
NULL)) {
wpa_printf(MSG_INFO, "EAP-PWD (server): cannot "
"multiply shared key point by order!\n");
goto fin;
}
}
/*
* This check is strictly speaking just for the case above where
* co-factor > 1 but it was suggested that even though this is probably
* never going to happen it is a simple and safe check "just to be
* sure" so let's be safe.
*/
if (EC_POINT_is_at_infinity(data->grp->group, K)) {
wpa_printf(MSG_INFO, "EAP-PWD (server): shared key point is "
"at infinity");
goto fin;
}
if (!EC_POINT_get_affine_coordinates_GFp(data->grp->group, K, data->k,
NULL, data->bnctx)) {
wpa_printf(MSG_INFO, "EAP-PWD (server): unable to extract "
"shared secret from secret point");
goto fin;
}
res = 1;
fin:
EC_POINT_free(K);
EC_POINT_free(point);
BN_free(cofactor);
BN_free(x);
BN_free(y);
if (res)
eap_pwd_state(data, PWD_Confirm_Req);
else
eap_pwd_state(data, FAILURE);
}
static EC_KEY *extract_ec_pub_key(CPK_PUBLIC_PARAMS *param, const char *id)
{
int e = 1;
EC_KEY *ec_key = NULL;
const EC_GROUP *ec_group;
EC_POINT *pub_key = NULL;
EC_POINT *pt = NULL;
BIGNUM *order = BN_new();
BIGNUM *bn = BN_new();
BN_CTX *ctx = BN_CTX_new();
int *index = NULL;
int i, bn_size, pt_size, num_indexes, num_factors;
if (!(ec_key = X509_ALGOR_get1_EC_KEY(param->pkey_algor))) {
goto err;
}
ec_group = EC_KEY_get0_group(ec_key);
if (!(pub_key = EC_POINT_new(ec_group))) {
goto err;
}
if (!(pt = EC_POINT_new(ec_group))) {
goto err;
}
if (!EC_GROUP_get_order(ec_group, order, ctx)) {
goto err;
}
bn_size = BN_num_bytes(order);
pt_size = bn_size + 1;
if ((num_factors = CPK_MAP_num_factors(param->map_algor)) <= 0) {
goto err;
}
if (M_ASN1_STRING_length(param->public_factors) != pt_size * num_factors) {
goto err;
}
if ((num_indexes = CPK_MAP_num_indexes(param->map_algor)) <= 0) {
goto err;
}
if (!(index = OPENSSL_malloc(sizeof(int) * num_indexes))) {
goto err;
}
if (!CPK_MAP_str2index(param->map_algor, id, index)) {
goto err;
}
if (!EC_POINT_set_to_infinity(ec_group, pub_key)) {
goto err;
}
for (i = 0; i < num_indexes; i++) {
const unsigned char *p =
M_ASN1_STRING_data(param->public_factors) +
pt_size * index[i];
if (!EC_POINT_oct2point(ec_group, pt, p, pt_size, ctx)) {
goto err;
}
if (!EC_POINT_add(ec_group, pub_key, pub_key, pt, ctx)) {
goto err;
}
}
if (!EC_KEY_set_public_key(ec_key, pub_key)) {
goto err;
}
e = 0;
err:
if (e && ec_key) {
EC_KEY_free(ec_key);
ec_key = NULL;
}
if (pub_key) EC_POINT_free(pub_key);
if (order) BN_free(order);
if (bn) BN_free(bn);
if (ctx) BN_CTX_free(ctx);
if (index) OPENSSL_free(index);
return ec_key;
}
void char2_field_tests()
{
BN_CTX *ctx = NULL;
BIGNUM *p, *a, *b;
EC_GROUP *group;
EC_GROUP *C2_K163 = NULL, *C2_K233 = NULL, *C2_K283 = NULL, *C2_K409 = NULL, *C2_K571 = NULL;
EC_GROUP *C2_B163 = NULL, *C2_B233 = NULL, *C2_B283 = NULL, *C2_B409 = NULL, *C2_B571 = NULL;
EC_POINT *P, *Q, *R;
BIGNUM *x, *y, *z, *cof;
unsigned char buf[100];
size_t i, len;
int k;
#if 1 /* optional */
ctx = BN_CTX_new();
if (!ctx) ABORT;
#endif
p = BN_new();
a = BN_new();
b = BN_new();
if (!p || !a || !b) ABORT;
if (!BN_hex2bn(&p, "13")) ABORT;
if (!BN_hex2bn(&a, "3")) ABORT;
if (!BN_hex2bn(&b, "1")) ABORT;
group = EC_GROUP_new(EC_GF2m_simple_method()); /* applications should use EC_GROUP_new_curve_GF2m
* so that the library gets to choose the EC_METHOD */
if (!group) ABORT;
if (!EC_GROUP_set_curve_GF2m(group, p, a, b, ctx)) ABORT;
{
EC_GROUP *tmp;
tmp = EC_GROUP_new(EC_GROUP_method_of(group));
if (!tmp) ABORT;
if (!EC_GROUP_copy(tmp, group)) ABORT;
EC_GROUP_free(group);
group = tmp;
}
if (!EC_GROUP_get_curve_GF2m(group, p, a, b, ctx)) ABORT;
fprintf(stdout, "Curve defined by Weierstrass equation\n y^2 + x*y = x^3 + a*x^2 + b (mod 0x");
BN_print_fp(stdout, p);
fprintf(stdout, ")\n a = 0x");
BN_print_fp(stdout, a);
fprintf(stdout, "\n b = 0x");
BN_print_fp(stdout, b);
fprintf(stdout, "\n(0x... means binary polynomial)\n");
P = EC_POINT_new(group);
Q = EC_POINT_new(group);
R = EC_POINT_new(group);
if (!P || !Q || !R) ABORT;
if (!EC_POINT_set_to_infinity(group, P)) ABORT;
if (!EC_POINT_is_at_infinity(group, P)) ABORT;
buf[0] = 0;
if (!EC_POINT_oct2point(group, Q, buf, 1, ctx)) ABORT;
if (!EC_POINT_add(group, P, P, Q, ctx)) ABORT;
if (!EC_POINT_is_at_infinity(group, P)) ABORT;
x = BN_new();
y = BN_new();
z = BN_new();
cof = BN_new();
if (!x || !y || !z || !cof) ABORT;
if (!BN_hex2bn(&x, "6")) ABORT;
/* Change test based on whether binary point compression is enabled or not. */
#ifdef OPENSSL_EC_BIN_PT_COMP
if (!EC_POINT_set_compressed_coordinates_GF2m(group, Q, x, 1, ctx)) ABORT;
#else
if (!BN_hex2bn(&y, "8")) ABORT;
if (!EC_POINT_set_affine_coordinates_GF2m(group, Q, x, y, ctx)) ABORT;
#endif
if (!EC_POINT_is_on_curve(group, Q, ctx))
{
/* Change test based on whether binary point compression is enabled or not. */
#ifdef OPENSSL_EC_BIN_PT_COMP
if (!EC_POINT_get_affine_coordinates_GF2m(group, Q, x, y, ctx)) ABORT;
#endif
fprintf(stderr, "Point is not on curve: x = 0x");
BN_print_fp(stderr, x);
fprintf(stderr, ", y = 0x");
BN_print_fp(stderr, y);
fprintf(stderr, "\n");
ABORT;
}
fprintf(stdout, "A cyclic subgroup:\n");
k = 100;
do
{
if (k-- == 0) ABORT;
if (EC_POINT_is_at_infinity(group, P))
fprintf(stdout, " point at infinity\n");
else
{
if (!EC_POINT_get_affine_coordinates_GF2m(group, P, x, y, ctx)) ABORT;
fprintf(stdout, " x = 0x");
BN_print_fp(stdout, x);
fprintf(stdout, ", y = 0x");
BN_print_fp(stdout, y);
fprintf(stdout, "\n");
}
if (!EC_POINT_copy(R, P)) ABORT;
if (!EC_POINT_add(group, P, P, Q, ctx)) ABORT;
}
while (!EC_POINT_is_at_infinity(group, P));
if (!EC_POINT_add(group, P, Q, R, ctx)) ABORT;
if (!EC_POINT_is_at_infinity(group, P)) ABORT;
/* Change test based on whether binary point compression is enabled or not. */
#ifdef OPENSSL_EC_BIN_PT_COMP
len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_COMPRESSED, buf, sizeof buf, ctx);
if (len == 0) ABORT;
if (!EC_POINT_oct2point(group, P, buf, len, ctx)) ABORT;
if (0 != EC_POINT_cmp(group, P, Q, ctx)) ABORT;
fprintf(stdout, "Generator as octet string, compressed form:\n ");
for (i = 0; i < len; i++) fprintf(stdout, "%02X", buf[i]);
#endif
len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_UNCOMPRESSED, buf, sizeof buf, ctx);
if (len == 0) ABORT;
if (!EC_POINT_oct2point(group, P, buf, len, ctx)) ABORT;
if (0 != EC_POINT_cmp(group, P, Q, ctx)) ABORT;
fprintf(stdout, "\nGenerator as octet string, uncompressed form:\n ");
for (i = 0; i < len; i++) fprintf(stdout, "%02X", buf[i]);
/* Change test based on whether binary point compression is enabled or not. */
#ifdef OPENSSL_EC_BIN_PT_COMP
len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_HYBRID, buf, sizeof buf, ctx);
if (len == 0) ABORT;
if (!EC_POINT_oct2point(group, P, buf, len, ctx)) ABORT;
if (0 != EC_POINT_cmp(group, P, Q, ctx)) ABORT;
fprintf(stdout, "\nGenerator as octet string, hybrid form:\n ");
for (i = 0; i < len; i++) fprintf(stdout, "%02X", buf[i]);
#endif
fprintf(stdout, "\n");
if (!EC_POINT_invert(group, P, ctx)) ABORT;
if (0 != EC_POINT_cmp(group, P, R, ctx)) ABORT;
/* Curve K-163 (FIPS PUB 186-2, App. 6) */
CHAR2_CURVE_TEST
(
"NIST curve K-163",
"0800000000000000000000000000000000000000C9",
"1",
"1",
"02FE13C0537BBC11ACAA07D793DE4E6D5E5C94EEE8",
"0289070FB05D38FF58321F2E800536D538CCDAA3D9",
1,
"04000000000000000000020108A2E0CC0D99F8A5EF",
"2",
163,
C2_K163
);
/* Curve B-163 (FIPS PUB 186-2, App. 6) */
CHAR2_CURVE_TEST
(
"NIST curve B-163",
"0800000000000000000000000000000000000000C9",
"1",
"020A601907B8C953CA1481EB10512F78744A3205FD",
"03F0EBA16286A2D57EA0991168D4994637E8343E36",
"00D51FBC6C71A0094FA2CDD545B11C5C0C797324F1",
1,
"040000000000000000000292FE77E70C12A4234C33",
"2",
163,
C2_B163
);
/* Curve K-233 (FIPS PUB 186-2, App. 6) */
CHAR2_CURVE_TEST
(
"NIST curve K-233",
"020000000000000000000000000000000000000004000000000000000001",
"0",
"1",
"017232BA853A7E731AF129F22FF4149563A419C26BF50A4C9D6EEFAD6126",
"01DB537DECE819B7F70F555A67C427A8CD9BF18AEB9B56E0C11056FAE6A3",
0,
"008000000000000000000000000000069D5BB915BCD46EFB1AD5F173ABDF",
"4",
233,
C2_K233
);
/* Curve B-233 (FIPS PUB 186-2, App. 6) */
CHAR2_CURVE_TEST
(
"NIST curve B-233",
"020000000000000000000000000000000000000004000000000000000001",
"000000000000000000000000000000000000000000000000000000000001",
"0066647EDE6C332C7F8C0923BB58213B333B20E9CE4281FE115F7D8F90AD",
"00FAC9DFCBAC8313BB2139F1BB755FEF65BC391F8B36F8F8EB7371FD558B",
"01006A08A41903350678E58528BEBF8A0BEFF867A7CA36716F7E01F81052",
1,
"01000000000000000000000000000013E974E72F8A6922031D2603CFE0D7",
"2",
233,
C2_B233
);
/* Curve K-283 (FIPS PUB 186-2, App. 6) */
CHAR2_CURVE_TEST
(
"NIST curve K-283",
"0800000000000000000000000000000000000000000000000000000000000000000010A1",
"0",
"1",
"0503213F78CA44883F1A3B8162F188E553CD265F23C1567A16876913B0C2AC2458492836",
"01CCDA380F1C9E318D90F95D07E5426FE87E45C0E8184698E45962364E34116177DD2259",
0,
"01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE9AE2ED07577265DFF7F94451E061E163C61",
"4",
283,
C2_K283
);
/* Curve B-283 (FIPS PUB 186-2, App. 6) */
CHAR2_CURVE_TEST
(
"NIST curve B-283",
"0800000000000000000000000000000000000000000000000000000000000000000010A1",
"000000000000000000000000000000000000000000000000000000000000000000000001",
"027B680AC8B8596DA5A4AF8A19A0303FCA97FD7645309FA2A581485AF6263E313B79A2F5",
"05F939258DB7DD90E1934F8C70B0DFEC2EED25B8557EAC9C80E2E198F8CDBECD86B12053",
"03676854FE24141CB98FE6D4B20D02B4516FF702350EDDB0826779C813F0DF45BE8112F4",
1,
"03FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEF90399660FC938A90165B042A7CEFADB307",
"2",
283,
C2_B283
);
/* Curve K-409 (FIPS PUB 186-2, App. 6) */
CHAR2_CURVE_TEST
(
"NIST curve K-409",
"02000000000000000000000000000000000000000000000000000000000000000000000000000000008000000000000000000001",
"0",
"1",
"0060F05F658F49C1AD3AB1890F7184210EFD0987E307C84C27ACCFB8F9F67CC2C460189EB5AAAA62EE222EB1B35540CFE9023746",
"01E369050B7C4E42ACBA1DACBF04299C3460782F918EA427E6325165E9EA10E3DA5F6C42E9C55215AA9CA27A5863EC48D8E0286B",
1,
"007FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE5F83B2D4EA20400EC4557D5ED3E3E7CA5B4B5C83B8E01E5FCF",
"4",
409,
C2_K409
);
/* Curve B-409 (FIPS PUB 186-2, App. 6) */
CHAR2_CURVE_TEST
(
"NIST curve B-409",
"02000000000000000000000000000000000000000000000000000000000000000000000000000000008000000000000000000001",
"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001",
"0021A5C2C8EE9FEB5C4B9A753B7B476B7FD6422EF1F3DD674761FA99D6AC27C8A9A197B272822F6CD57A55AA4F50AE317B13545F",
"015D4860D088DDB3496B0C6064756260441CDE4AF1771D4DB01FFE5B34E59703DC255A868A1180515603AEAB60794E54BB7996A7",
"0061B1CFAB6BE5F32BBFA78324ED106A7636B9C5A7BD198D0158AA4F5488D08F38514F1FDF4B4F40D2181B3681C364BA0273C706",
1,
"010000000000000000000000000000000000000000000000000001E2AAD6A612F33307BE5FA47C3C9E052F838164CD37D9A21173",
"2",
409,
C2_B409
);
/* Curve K-571 (FIPS PUB 186-2, App. 6) */
CHAR2_CURVE_TEST
(
"NIST curve K-571",
"80000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000425",
"0",
"1",
"026EB7A859923FBC82189631F8103FE4AC9CA2970012D5D46024804801841CA44370958493B205E647DA304DB4CEB08CBBD1BA39494776FB988B47174DCA88C7E2945283A01C8972",
"0349DC807F4FBF374F4AEADE3BCA95314DD58CEC9F307A54FFC61EFC006D8A2C9D4979C0AC44AEA74FBEBBB9F772AEDCB620B01A7BA7AF1B320430C8591984F601CD4C143EF1C7A3",
0,
"020000000000000000000000000000000000000000000000000000000000000000000000131850E1F19A63E4B391A8DB917F4138B630D84BE5D639381E91DEB45CFE778F637C1001",
"4",
571,
C2_K571
);
/* Curve B-571 (FIPS PUB 186-2, App. 6) */
CHAR2_CURVE_TEST
(
"NIST curve B-571",
"80000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000425",
"000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001",
"02F40E7E2221F295DE297117B7F3D62F5C6A97FFCB8CEFF1CD6BA8CE4A9A18AD84FFABBD8EFA59332BE7AD6756A66E294AFD185A78FF12AA520E4DE739BACA0C7FFEFF7F2955727A",
"0303001D34B856296C16C0D40D3CD7750A93D1D2955FA80AA5F40FC8DB7B2ABDBDE53950F4C0D293CDD711A35B67FB1499AE60038614F1394ABFA3B4C850D927E1E7769C8EEC2D19",
"037BF27342DA639B6DCCFFFEB73D69D78C6C27A6009CBBCA1980F8533921E8A684423E43BAB08A576291AF8F461BB2A8B3531D2F0485C19B16E2F1516E23DD3C1A4827AF1B8AC15B",
1,
"03FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE661CE18FF55987308059B186823851EC7DD9CA1161DE93D5174D66E8382E9BB2FE84E47",
"2",
571,
C2_B571
);
/* more tests using the last curve */
if (!EC_POINT_copy(Q, P)) ABORT;
if (EC_POINT_is_at_infinity(group, Q)) ABORT;
if (!EC_POINT_dbl(group, P, P, ctx)) ABORT;
if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT;
if (!EC_POINT_invert(group, Q, ctx)) ABORT; /* P = -2Q */
if (!EC_POINT_add(group, R, P, Q, ctx)) ABORT;
if (!EC_POINT_add(group, R, R, Q, ctx)) ABORT;
if (!EC_POINT_is_at_infinity(group, R)) ABORT; /* R = P + 2Q */
{
const EC_POINT *points[3];
const BIGNUM *scalars[3];
if (EC_POINT_is_at_infinity(group, Q)) ABORT;
points[0] = Q;
points[1] = Q;
points[2] = Q;
if (!BN_add(y, z, BN_value_one())) ABORT;
if (BN_is_odd(y)) ABORT;
if (!BN_rshift1(y, y)) ABORT;
scalars[0] = y; /* (group order + 1)/2, so y*Q + y*Q = Q */
scalars[1] = y;
fprintf(stdout, "combined multiplication ...");
fflush(stdout);
/* z is still the group order */
if (!EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx)) ABORT;
if (!EC_POINTs_mul(group, R, z, 2, points, scalars, ctx)) ABORT;
if (0 != EC_POINT_cmp(group, P, R, ctx)) ABORT;
if (0 != EC_POINT_cmp(group, R, Q, ctx)) ABORT;
fprintf(stdout, ".");
fflush(stdout);
if (!BN_pseudo_rand(y, BN_num_bits(y), 0, 0)) ABORT;
if (!BN_add(z, z, y)) ABORT;
BN_set_negative(z, 1);
scalars[0] = y;
scalars[1] = z; /* z = -(order + y) */
if (!EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx)) ABORT;
if (!EC_POINT_is_at_infinity(group, P)) ABORT;
fprintf(stdout, ".");
fflush(stdout);
if (!BN_pseudo_rand(x, BN_num_bits(y) - 1, 0, 0)) ABORT;
if (!BN_add(z, x, y)) ABORT;
BN_set_negative(z, 1);
scalars[0] = x;
scalars[1] = y;
scalars[2] = z; /* z = -(x+y) */
if (!EC_POINTs_mul(group, P, NULL, 3, points, scalars, ctx)) ABORT;
if (!EC_POINT_is_at_infinity(group, P)) ABORT;
fprintf(stdout, " ok\n\n");
}
#if 0
timings(C2_K163, TIMING_BASE_PT, ctx);
timings(C2_K163, TIMING_RAND_PT, ctx);
timings(C2_K163, TIMING_SIMUL, ctx);
timings(C2_B163, TIMING_BASE_PT, ctx);
timings(C2_B163, TIMING_RAND_PT, ctx);
timings(C2_B163, TIMING_SIMUL, ctx);
timings(C2_K233, TIMING_BASE_PT, ctx);
timings(C2_K233, TIMING_RAND_PT, ctx);
timings(C2_K233, TIMING_SIMUL, ctx);
timings(C2_B233, TIMING_BASE_PT, ctx);
timings(C2_B233, TIMING_RAND_PT, ctx);
timings(C2_B233, TIMING_SIMUL, ctx);
timings(C2_K283, TIMING_BASE_PT, ctx);
timings(C2_K283, TIMING_RAND_PT, ctx);
timings(C2_K283, TIMING_SIMUL, ctx);
timings(C2_B283, TIMING_BASE_PT, ctx);
timings(C2_B283, TIMING_RAND_PT, ctx);
timings(C2_B283, TIMING_SIMUL, ctx);
timings(C2_K409, TIMING_BASE_PT, ctx);
timings(C2_K409, TIMING_RAND_PT, ctx);
timings(C2_K409, TIMING_SIMUL, ctx);
timings(C2_B409, TIMING_BASE_PT, ctx);
timings(C2_B409, TIMING_RAND_PT, ctx);
timings(C2_B409, TIMING_SIMUL, ctx);
timings(C2_K571, TIMING_BASE_PT, ctx);
timings(C2_K571, TIMING_RAND_PT, ctx);
timings(C2_K571, TIMING_SIMUL, ctx);
timings(C2_B571, TIMING_BASE_PT, ctx);
timings(C2_B571, TIMING_RAND_PT, ctx);
timings(C2_B571, TIMING_SIMUL, ctx);
#endif
if (ctx)
BN_CTX_free(ctx);
BN_free(p); BN_free(a); BN_free(b);
EC_GROUP_free(group);
EC_POINT_free(P);
EC_POINT_free(Q);
EC_POINT_free(R);
BN_free(x); BN_free(y); BN_free(z); BN_free(cof);
if (C2_K163) EC_GROUP_free(C2_K163);
if (C2_B163) EC_GROUP_free(C2_B163);
if (C2_K233) EC_GROUP_free(C2_K233);
if (C2_B233) EC_GROUP_free(C2_B233);
if (C2_K283) EC_GROUP_free(C2_K283);
if (C2_B283) EC_GROUP_free(C2_B283);
if (C2_K409) EC_GROUP_free(C2_K409);
if (C2_B409) EC_GROUP_free(C2_B409);
if (C2_K571) EC_GROUP_free(C2_K571);
if (C2_B571) EC_GROUP_free(C2_B571);
}
void prime_field_tests()
{
BN_CTX *ctx = NULL;
BIGNUM *p, *a, *b;
EC_GROUP *group;
EC_GROUP *P_160 = NULL, *P_192 = NULL, *P_224 = NULL, *P_256 = NULL, *P_384 = NULL, *P_521 = NULL;
EC_POINT *P, *Q, *R;
BIGNUM *x, *y, *z;
unsigned char buf[100];
size_t i, len;
int k;
#if 1 /* optional */
ctx = BN_CTX_new();
if (!ctx) ABORT;
#endif
p = BN_new();
a = BN_new();
b = BN_new();
if (!p || !a || !b) ABORT;
if (!BN_hex2bn(&p, "17")) ABORT;
if (!BN_hex2bn(&a, "1")) ABORT;
if (!BN_hex2bn(&b, "1")) ABORT;
group = EC_GROUP_new(EC_GFp_mont_method()); /* applications should use EC_GROUP_new_curve_GFp
* so that the library gets to choose the EC_METHOD */
if (!group) ABORT;
if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) ABORT;
{
EC_GROUP *tmp;
tmp = EC_GROUP_new(EC_GROUP_method_of(group));
if (!tmp) ABORT;
if (!EC_GROUP_copy(tmp, group)) ABORT;
EC_GROUP_free(group);
group = tmp;
}
if (!EC_GROUP_get_curve_GFp(group, p, a, b, ctx)) ABORT;
fprintf(stdout, "Curve defined by Weierstrass equation\n y^2 = x^3 + a*x + b (mod 0x");
BN_print_fp(stdout, p);
fprintf(stdout, ")\n a = 0x");
BN_print_fp(stdout, a);
fprintf(stdout, "\n b = 0x");
BN_print_fp(stdout, b);
fprintf(stdout, "\n");
P = EC_POINT_new(group);
Q = EC_POINT_new(group);
R = EC_POINT_new(group);
if (!P || !Q || !R) ABORT;
if (!EC_POINT_set_to_infinity(group, P)) ABORT;
if (!EC_POINT_is_at_infinity(group, P)) ABORT;
buf[0] = 0;
if (!EC_POINT_oct2point(group, Q, buf, 1, ctx)) ABORT;
if (!EC_POINT_add(group, P, P, Q, ctx)) ABORT;
if (!EC_POINT_is_at_infinity(group, P)) ABORT;
x = BN_new();
y = BN_new();
z = BN_new();
if (!x || !y || !z) ABORT;
if (!BN_hex2bn(&x, "D")) ABORT;
if (!EC_POINT_set_compressed_coordinates_GFp(group, Q, x, 1, ctx)) ABORT;
if (!EC_POINT_is_on_curve(group, Q, ctx))
{
if (!EC_POINT_get_affine_coordinates_GFp(group, Q, x, y, ctx)) ABORT;
fprintf(stderr, "Point is not on curve: x = 0x");
BN_print_fp(stderr, x);
fprintf(stderr, ", y = 0x");
BN_print_fp(stderr, y);
fprintf(stderr, "\n");
ABORT;
}
fprintf(stdout, "A cyclic subgroup:\n");
k = 100;
do
{
if (k-- == 0) ABORT;
if (EC_POINT_is_at_infinity(group, P))
fprintf(stdout, " point at infinity\n");
else
{
if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) ABORT;
fprintf(stdout, " x = 0x");
BN_print_fp(stdout, x);
fprintf(stdout, ", y = 0x");
BN_print_fp(stdout, y);
fprintf(stdout, "\n");
}
if (!EC_POINT_copy(R, P)) ABORT;
if (!EC_POINT_add(group, P, P, Q, ctx)) ABORT;
#if 0 /* optional */
{
EC_POINT *points[3];
points[0] = R;
points[1] = Q;
points[2] = P;
if (!EC_POINTs_make_affine(group, 2, points, ctx)) ABORT;
}
#endif
}
while (!EC_POINT_is_at_infinity(group, P));
if (!EC_POINT_add(group, P, Q, R, ctx)) ABORT;
if (!EC_POINT_is_at_infinity(group, P)) ABORT;
len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_COMPRESSED, buf, sizeof buf, ctx);
if (len == 0) ABORT;
if (!EC_POINT_oct2point(group, P, buf, len, ctx)) ABORT;
if (0 != EC_POINT_cmp(group, P, Q, ctx)) ABORT;
fprintf(stdout, "Generator as octect string, compressed form:\n ");
for (i = 0; i < len; i++) fprintf(stdout, "%02X", buf[i]);
len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_UNCOMPRESSED, buf, sizeof buf, ctx);
if (len == 0) ABORT;
if (!EC_POINT_oct2point(group, P, buf, len, ctx)) ABORT;
if (0 != EC_POINT_cmp(group, P, Q, ctx)) ABORT;
fprintf(stdout, "\nGenerator as octect string, uncompressed form:\n ");
for (i = 0; i < len; i++) fprintf(stdout, "%02X", buf[i]);
len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_HYBRID, buf, sizeof buf, ctx);
if (len == 0) ABORT;
if (!EC_POINT_oct2point(group, P, buf, len, ctx)) ABORT;
if (0 != EC_POINT_cmp(group, P, Q, ctx)) ABORT;
fprintf(stdout, "\nGenerator as octect string, hybrid form:\n ");
for (i = 0; i < len; i++) fprintf(stdout, "%02X", buf[i]);
if (!EC_POINT_get_Jprojective_coordinates_GFp(group, R, x, y, z, ctx)) ABORT;
fprintf(stdout, "\nA representation of the inverse of that generator in\nJacobian projective coordinates:\n X = 0x");
BN_print_fp(stdout, x);
fprintf(stdout, ", Y = 0x");
BN_print_fp(stdout, y);
fprintf(stdout, ", Z = 0x");
BN_print_fp(stdout, z);
fprintf(stdout, "\n");
if (!EC_POINT_invert(group, P, ctx)) ABORT;
if (0 != EC_POINT_cmp(group, P, R, ctx)) ABORT;
/* Curve secp160r1 (Certicom Research SEC 2 Version 1.0, section 2.4.2, 2000)
* -- not a NIST curve, but commonly used */
if (!BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFF")) ABORT;
if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) ABORT;
if (!BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFC")) ABORT;
if (!BN_hex2bn(&b, "1C97BEFC54BD7A8B65ACF89F81D4D4ADC565FA45")) ABORT;
if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) ABORT;
if (!BN_hex2bn(&x, "4A96B5688EF573284664698968C38BB913CBFC82")) ABORT;
if (!BN_hex2bn(&y, "23a628553168947d59dcc912042351377ac5fb32")) ABORT;
if (!EC_POINT_set_affine_coordinates_GFp(group, P, x, y, ctx)) ABORT;
if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT;
if (!BN_hex2bn(&z, "0100000000000000000001F4C8F927AED3CA752257")) ABORT;
if (!EC_GROUP_set_generator(group, P, z, BN_value_one())) ABORT;
if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) ABORT;
fprintf(stdout, "\nSEC2 curve secp160r1 -- Generator:\n x = 0x");
BN_print_fp(stdout, x);
fprintf(stdout, "\n y = 0x");
BN_print_fp(stdout, y);
fprintf(stdout, "\n");
/* G_y value taken from the standard: */
if (!BN_hex2bn(&z, "23a628553168947d59dcc912042351377ac5fb32")) ABORT;
if (0 != BN_cmp(y, z)) ABORT;
fprintf(stdout, "verify degree ...");
if (EC_GROUP_get_degree(group) != 160) ABORT;
fprintf(stdout, " ok\n");
fprintf(stdout, "verify group order ...");
fflush(stdout);
if (!EC_GROUP_get_order(group, z, ctx)) ABORT;
if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
fprintf(stdout, ".");
fflush(stdout);
if (!EC_GROUP_precompute_mult(group, ctx)) ABORT;
if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
fprintf(stdout, " ok\n");
if (!(P_160 = EC_GROUP_new(EC_GROUP_method_of(group)))) ABORT;
if (!EC_GROUP_copy(P_160, group)) ABORT;
/* Curve P-192 (FIPS PUB 186-2, App. 6) */
if (!BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF")) ABORT;
if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) ABORT;
if (!BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC")) ABORT;
if (!BN_hex2bn(&b, "64210519E59C80E70FA7E9AB72243049FEB8DEECC146B9B1")) ABORT;
if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) ABORT;
if (!BN_hex2bn(&x, "188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF1012")) ABORT;
if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, ctx)) ABORT;
if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT;
if (!BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831")) ABORT;
if (!EC_GROUP_set_generator(group, P, z, BN_value_one())) ABORT;
if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) ABORT;
fprintf(stdout, "\nNIST curve P-192 -- Generator:\n x = 0x");
BN_print_fp(stdout, x);
fprintf(stdout, "\n y = 0x");
BN_print_fp(stdout, y);
fprintf(stdout, "\n");
/* G_y value taken from the standard: */
if (!BN_hex2bn(&z, "07192B95FFC8DA78631011ED6B24CDD573F977A11E794811")) ABORT;
if (0 != BN_cmp(y, z)) ABORT;
fprintf(stdout, "verify degree ...");
if (EC_GROUP_get_degree(group) != 192) ABORT;
fprintf(stdout, " ok\n");
fprintf(stdout, "verify group order ...");
fflush(stdout);
if (!EC_GROUP_get_order(group, z, ctx)) ABORT;
if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
fprintf(stdout, ".");
fflush(stdout);
#if 0
if (!EC_GROUP_precompute_mult(group, ctx)) ABORT;
#endif
if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
fprintf(stdout, " ok\n");
if (!(P_192 = EC_GROUP_new(EC_GROUP_method_of(group)))) ABORT;
if (!EC_GROUP_copy(P_192, group)) ABORT;
/* Curve P-224 (FIPS PUB 186-2, App. 6) */
if (!BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001")) ABORT;
if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) ABORT;
if (!BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE")) ABORT;
if (!BN_hex2bn(&b, "B4050A850C04B3ABF54132565044B0B7D7BFD8BA270B39432355FFB4")) ABORT;
if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) ABORT;
if (!BN_hex2bn(&x, "B70E0CBD6BB4BF7F321390B94A03C1D356C21122343280D6115C1D21")) ABORT;
if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 0, ctx)) ABORT;
if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT;
if (!BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D")) ABORT;
if (!EC_GROUP_set_generator(group, P, z, BN_value_one())) ABORT;
if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) ABORT;
fprintf(stdout, "\nNIST curve P-224 -- Generator:\n x = 0x");
BN_print_fp(stdout, x);
fprintf(stdout, "\n y = 0x");
BN_print_fp(stdout, y);
fprintf(stdout, "\n");
/* G_y value taken from the standard: */
if (!BN_hex2bn(&z, "BD376388B5F723FB4C22DFE6CD4375A05A07476444D5819985007E34")) ABORT;
if (0 != BN_cmp(y, z)) ABORT;
fprintf(stdout, "verify degree ...");
if (EC_GROUP_get_degree(group) != 224) ABORT;
fprintf(stdout, " ok\n");
fprintf(stdout, "verify group order ...");
fflush(stdout);
if (!EC_GROUP_get_order(group, z, ctx)) ABORT;
if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
fprintf(stdout, ".");
fflush(stdout);
#if 0
if (!EC_GROUP_precompute_mult(group, ctx)) ABORT;
#endif
if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
fprintf(stdout, " ok\n");
if (!(P_224 = EC_GROUP_new(EC_GROUP_method_of(group)))) ABORT;
if (!EC_GROUP_copy(P_224, group)) ABORT;
/* Curve P-256 (FIPS PUB 186-2, App. 6) */
if (!BN_hex2bn(&p, "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF")) ABORT;
if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) ABORT;
if (!BN_hex2bn(&a, "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC")) ABORT;
if (!BN_hex2bn(&b, "5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B")) ABORT;
if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) ABORT;
if (!BN_hex2bn(&x, "6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296")) ABORT;
if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, ctx)) ABORT;
if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT;
if (!BN_hex2bn(&z, "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E"
"84F3B9CAC2FC632551")) ABORT;
if (!EC_GROUP_set_generator(group, P, z, BN_value_one())) ABORT;
if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) ABORT;
fprintf(stdout, "\nNIST curve P-256 -- Generator:\n x = 0x");
BN_print_fp(stdout, x);
fprintf(stdout, "\n y = 0x");
BN_print_fp(stdout, y);
fprintf(stdout, "\n");
/* G_y value taken from the standard: */
if (!BN_hex2bn(&z, "4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5")) ABORT;
if (0 != BN_cmp(y, z)) ABORT;
fprintf(stdout, "verify degree ...");
if (EC_GROUP_get_degree(group) != 256) ABORT;
fprintf(stdout, " ok\n");
fprintf(stdout, "verify group order ...");
fflush(stdout);
if (!EC_GROUP_get_order(group, z, ctx)) ABORT;
if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
fprintf(stdout, ".");
fflush(stdout);
#if 0
if (!EC_GROUP_precompute_mult(group, ctx)) ABORT;
#endif
if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
fprintf(stdout, " ok\n");
if (!(P_256 = EC_GROUP_new(EC_GROUP_method_of(group)))) ABORT;
if (!EC_GROUP_copy(P_256, group)) ABORT;
/* Curve P-384 (FIPS PUB 186-2, App. 6) */
if (!BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
"FFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFF")) ABORT;
if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) ABORT;
if (!BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
"FFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFC")) ABORT;
if (!BN_hex2bn(&b, "B3312FA7E23EE7E4988E056BE3F82D19181D9C6EFE8141"
"120314088F5013875AC656398D8A2ED19D2A85C8EDD3EC2AEF")) ABORT;
if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) ABORT;
if (!BN_hex2bn(&x, "AA87CA22BE8B05378EB1C71EF320AD746E1D3B628BA79B"
"9859F741E082542A385502F25DBF55296C3A545E3872760AB7")) ABORT;
if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, ctx)) ABORT;
if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT;
if (!BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
"FFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973")) ABORT;
if (!EC_GROUP_set_generator(group, P, z, BN_value_one())) ABORT;
if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) ABORT;
fprintf(stdout, "\nNIST curve P-384 -- Generator:\n x = 0x");
BN_print_fp(stdout, x);
fprintf(stdout, "\n y = 0x");
BN_print_fp(stdout, y);
fprintf(stdout, "\n");
/* G_y value taken from the standard: */
if (!BN_hex2bn(&z, "3617DE4A96262C6F5D9E98BF9292DC29F8F41DBD289A14"
"7CE9DA3113B5F0B8C00A60B1CE1D7E819D7A431D7C90EA0E5F")) ABORT;
if (0 != BN_cmp(y, z)) ABORT;
fprintf(stdout, "verify degree ...");
if (EC_GROUP_get_degree(group) != 384) ABORT;
fprintf(stdout, " ok\n");
fprintf(stdout, "verify group order ...");
fflush(stdout);
if (!EC_GROUP_get_order(group, z, ctx)) ABORT;
if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
fprintf(stdout, ".");
fflush(stdout);
#if 0
if (!EC_GROUP_precompute_mult(group, ctx)) ABORT;
#endif
if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
fprintf(stdout, " ok\n");
if (!(P_384 = EC_GROUP_new(EC_GROUP_method_of(group)))) ABORT;
if (!EC_GROUP_copy(P_384, group)) ABORT;
/* Curve P-521 (FIPS PUB 186-2, App. 6) */
if (!BN_hex2bn(&p, "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
"FFFFFFFFFFFFFFFFFFFFFFFFFFFF")) ABORT;
if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) ABORT;
if (!BN_hex2bn(&a, "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
"FFFFFFFFFFFFFFFFFFFFFFFFFFFC")) ABORT;
if (!BN_hex2bn(&b, "051953EB9618E1C9A1F929A21A0B68540EEA2DA725B99B"
"315F3B8B489918EF109E156193951EC7E937B1652C0BD3BB1BF073573"
"DF883D2C34F1EF451FD46B503F00")) ABORT;
if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) ABORT;
if (!BN_hex2bn(&x, "C6858E06B70404E9CD9E3ECB662395B4429C648139053F"
"B521F828AF606B4D3DBAA14B5E77EFE75928FE1DC127A2FFA8DE3348B"
"3C1856A429BF97E7E31C2E5BD66")) ABORT;
if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 0, ctx)) ABORT;
if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT;
if (!BN_hex2bn(&z, "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
"FFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5"
"C9B8899C47AEBB6FB71E91386409")) ABORT;
if (!EC_GROUP_set_generator(group, P, z, BN_value_one())) ABORT;
if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) ABORT;
fprintf(stdout, "\nNIST curve P-521 -- Generator:\n x = 0x");
BN_print_fp(stdout, x);
fprintf(stdout, "\n y = 0x");
BN_print_fp(stdout, y);
fprintf(stdout, "\n");
/* G_y value taken from the standard: */
if (!BN_hex2bn(&z, "11839296A789A3BC0045C8A5FB42C7D1BD998F54449579"
"B446817AFBD17273E662C97EE72995EF42640C550B9013FAD0761353C"
"7086A272C24088BE94769FD16650")) ABORT;
if (0 != BN_cmp(y, z)) ABORT;
fprintf(stdout, "verify degree ...");
if (EC_GROUP_get_degree(group) != 521) ABORT;
fprintf(stdout, " ok\n");
fprintf(stdout, "verify group order ...");
fflush(stdout);
if (!EC_GROUP_get_order(group, z, ctx)) ABORT;
if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
fprintf(stdout, ".");
fflush(stdout);
#if 0
if (!EC_GROUP_precompute_mult(group, ctx)) ABORT;
#endif
if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
fprintf(stdout, " ok\n");
if (!(P_521 = EC_GROUP_new(EC_GROUP_method_of(group)))) ABORT;
if (!EC_GROUP_copy(P_521, group)) ABORT;
/* more tests using the last curve */
if (!EC_POINT_copy(Q, P)) ABORT;
if (EC_POINT_is_at_infinity(group, Q)) ABORT;
if (!EC_POINT_dbl(group, P, P, ctx)) ABORT;
if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT;
if (!EC_POINT_invert(group, Q, ctx)) ABORT; /* P = -2Q */
if (!EC_POINT_add(group, R, P, Q, ctx)) ABORT;
if (!EC_POINT_add(group, R, R, Q, ctx)) ABORT;
if (!EC_POINT_is_at_infinity(group, R)) ABORT; /* R = P + 2Q */
{
const EC_POINT *points[3];
const BIGNUM *scalars[3];
if (EC_POINT_is_at_infinity(group, Q)) ABORT;
points[0] = Q;
points[1] = Q;
points[2] = Q;
if (!BN_add(y, z, BN_value_one())) ABORT;
if (BN_is_odd(y)) ABORT;
if (!BN_rshift1(y, y)) ABORT;
scalars[0] = y; /* (group order + 1)/2, so y*Q + y*Q = Q */
scalars[1] = y;
fprintf(stdout, "combined multiplication ...");
fflush(stdout);
/* z is still the group order */
if (!EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx)) ABORT;
if (!EC_POINTs_mul(group, R, z, 2, points, scalars, ctx)) ABORT;
if (0 != EC_POINT_cmp(group, P, R, ctx)) ABORT;
if (0 != EC_POINT_cmp(group, R, Q, ctx)) ABORT;
fprintf(stdout, ".");
fflush(stdout);
if (!BN_pseudo_rand(y, BN_num_bits(y), 0, 0)) ABORT;
if (!BN_add(z, z, y)) ABORT;
BN_set_negative(z, 1);
scalars[0] = y;
scalars[1] = z; /* z = -(order + y) */
if (!EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx)) ABORT;
if (!EC_POINT_is_at_infinity(group, P)) ABORT;
fprintf(stdout, ".");
fflush(stdout);
if (!BN_pseudo_rand(x, BN_num_bits(y) - 1, 0, 0)) ABORT;
if (!BN_add(z, x, y)) ABORT;
BN_set_negative(z, 1);
scalars[0] = x;
scalars[1] = y;
scalars[2] = z; /* z = -(x+y) */
if (!EC_POINTs_mul(group, P, NULL, 3, points, scalars, ctx)) ABORT;
if (!EC_POINT_is_at_infinity(group, P)) ABORT;
fprintf(stdout, " ok\n\n");
}
#if 0
timings(P_160, TIMING_BASE_PT, ctx);
timings(P_160, TIMING_RAND_PT, ctx);
timings(P_160, TIMING_SIMUL, ctx);
timings(P_192, TIMING_BASE_PT, ctx);
timings(P_192, TIMING_RAND_PT, ctx);
timings(P_192, TIMING_SIMUL, ctx);
timings(P_224, TIMING_BASE_PT, ctx);
timings(P_224, TIMING_RAND_PT, ctx);
timings(P_224, TIMING_SIMUL, ctx);
timings(P_256, TIMING_BASE_PT, ctx);
timings(P_256, TIMING_RAND_PT, ctx);
timings(P_256, TIMING_SIMUL, ctx);
timings(P_384, TIMING_BASE_PT, ctx);
timings(P_384, TIMING_RAND_PT, ctx);
timings(P_384, TIMING_SIMUL, ctx);
timings(P_521, TIMING_BASE_PT, ctx);
timings(P_521, TIMING_RAND_PT, ctx);
timings(P_521, TIMING_SIMUL, ctx);
#endif
if (ctx)
BN_CTX_free(ctx);
BN_free(p); BN_free(a); BN_free(b);
EC_GROUP_free(group);
EC_POINT_free(P);
EC_POINT_free(Q);
EC_POINT_free(R);
BN_free(x); BN_free(y); BN_free(z);
if (P_160) EC_GROUP_free(P_160);
if (P_192) EC_GROUP_free(P_192);
if (P_224) EC_GROUP_free(P_224);
if (P_256) EC_GROUP_free(P_256);
if (P_384) EC_GROUP_free(P_384);
if (P_521) EC_GROUP_free(P_521);
}
int StealthSecret(ec_secret& secret, ec_point& pubkey, const ec_point& pkSpend, ec_secret& sharedSOut, ec_point& pkOut)
{
/*
send:
secret = ephem_secret, pubkey = scan_pubkey
receive:
secret = scan_secret, pubkey = ephem_pubkey
c = H(dP)
Q = public scan key (EC point, 33 bytes)
d = private scan key (integer, 32 bytes)
R = public spend key
f = private spend key
Q = dG //单次使用的私钥
R = fG
Sender (has Q and R, not d or f):
P = eG
c = H(eQ) = H(dP)
R' = R + cG
Recipient gets R' and P
test 0 and infinity?
*/
int rv = 0;
std::vector<uint8_t> vchOutQ;
BN_CTX* bnCtx = NULL;
BIGNUM* bnEphem = NULL;
BIGNUM* bnQ = NULL;
EC_POINT* Q = NULL;
BIGNUM* bnOutQ = NULL;
BIGNUM* bnc = NULL;
EC_POINT* C = NULL;
BIGNUM* bnR = NULL;
EC_POINT* R = NULL;
EC_POINT* Rout = NULL;
BIGNUM* bnOutR = NULL;
EC_GROUP* ecgrp = EC_GROUP_new_by_curve_name(NID_secp256k1);
if (!ecgrp)
{
printf("StealthSecret(): EC_GROUP_new_by_curve_name failed.\n");
return 1;
};
if (!(bnCtx = BN_CTX_new()))
{
printf("StealthSecret(): BN_CTX_new failed.\n");
rv = 2;
goto End;
};
if (!(bnEphem = BN_bin2bn(&secret.e[0], ec_secret_size, BN_new())))
{
printf("StealthSecret(): bnEphem BN_bin2bn failed.\n");
rv = 3;
goto End;
};
if (!(bnQ = BN_bin2bn(&pubkey[0], pubkey.size(), BN_new())))
{
printf("StealthSecret(): bnQ BN_bin2bn failed\n");
rv = 4;
goto End;
};
if (!(Q = EC_POINT_bn2point(ecgrp, bnQ, NULL, bnCtx)))
{
printf("StealthSecret(): Q EC_POINT_bn2point failed\n");
rv = 5;
goto End;
};
// -- eQ
// EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *n, const EC_POINT *q, const BIGNUM *m, BN_CTX *ctx);
// EC_POINT_mul calculates the value generator * n + q * m and stores the result in r. The value n may be NULL in which case the result is just q * m.
if (!EC_POINT_mul(ecgrp, Q, NULL, Q, bnEphem, bnCtx))
{
printf("StealthSecret(): eQ EC_POINT_mul failed\n");
rv = 6;
goto End;
};
if (!(bnOutQ = EC_POINT_point2bn(ecgrp, Q, POINT_CONVERSION_COMPRESSED, BN_new(), bnCtx)))
{
printf("StealthSecret(): Q EC_POINT_bn2point failed\n");
rv = 7;
goto End;
};
vchOutQ.resize(ec_compressed_size);
if (BN_num_bytes(bnOutQ) != (int) ec_compressed_size
|| BN_bn2bin(bnOutQ, &vchOutQ[0]) != (int) ec_compressed_size)
{
printf("StealthSecret(): bnOutQ incorrect length.\n");
rv = 8;
goto End;
};
SHA256(&vchOutQ[0], vchOutQ.size(), &sharedSOut.e[0]);
if (!(bnc = BN_bin2bn(&sharedSOut.e[0], ec_secret_size, BN_new())))
{
printf("StealthSecret(): BN_bin2bn failed\n");
rv = 9;
goto End;
};
// -- cG
if (!(C = EC_POINT_new(ecgrp)))
{
printf("StealthSecret(): C EC_POINT_new failed\n");
rv = 10;
goto End;
};
if (!EC_POINT_mul(ecgrp, C, bnc, NULL, NULL, bnCtx))
{
printf("StealthSecret(): C EC_POINT_mul failed\n");
rv = 11;
goto End;
};
if (!(bnR = BN_bin2bn(&pkSpend[0], pkSpend.size(), BN_new())))
{
printf("StealthSecret(): bnR BN_bin2bn failed\n");
rv = 12;
goto End;
};
if (!(R = EC_POINT_bn2point(ecgrp, bnR, NULL, bnCtx)))
{
printf("StealthSecret(): R EC_POINT_bn2point failed\n");
rv = 13;
goto End;
};
if (!EC_POINT_mul(ecgrp, C, bnc, NULL, NULL, bnCtx))
{
printf("StealthSecret(): C EC_POINT_mul failed\n");
rv = 14;
goto End;
};
if (!(Rout = EC_POINT_new(ecgrp)))
{
printf("StealthSecret(): Rout EC_POINT_new failed\n");
rv = 15;
goto End;
};
if (!EC_POINT_add(ecgrp, Rout, R, C, bnCtx))
{
printf("StealthSecret(): Rout EC_POINT_add failed\n");
rv = 16;
goto End;
};
if (!(bnOutR = EC_POINT_point2bn(ecgrp, Rout, POINT_CONVERSION_COMPRESSED, BN_new(), bnCtx)))
{
printf("StealthSecret(): Rout EC_POINT_bn2point failed\n");
rv = 17;
goto End;
};
pkOut.resize(ec_compressed_size);
if (BN_num_bytes(bnOutR) != (int) ec_compressed_size
|| BN_bn2bin(bnOutR, &pkOut[0]) != (int) ec_compressed_size)
{
printf("StealthSecret(): pkOut incorrect length.\n");
rv = 18;
goto End;
};
End:
if (bnOutR) BN_free(bnOutR);
if (Rout) EC_POINT_free(Rout);
if (R) EC_POINT_free(R);
if (bnR) BN_free(bnR);
if (C) EC_POINT_free(C);
if (bnc) BN_free(bnc);
if (bnOutQ) BN_free(bnOutQ);
if (Q) EC_POINT_free(Q);
if (bnQ) BN_free(bnQ);
if (bnEphem) BN_free(bnEphem);
if (bnCtx) BN_CTX_free(bnCtx);
EC_GROUP_free(ecgrp);
return rv;
};
static void
eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
struct eap_method_ret *ret,
const struct wpabuf *reqData,
const u8 *payload, size_t payload_len)
{
EC_POINT *K = NULL, *point = NULL;
BIGNUM *mask = NULL, *x = NULL, *y = NULL, *cofactor = NULL;
u16 offset;
u8 *ptr, *scalar = NULL, *element = NULL;
if (((data->private_value = BN_new()) == NULL) ||
((data->my_element = EC_POINT_new(data->grp->group)) == NULL) ||
((cofactor = BN_new()) == NULL) ||
((data->my_scalar = BN_new()) == NULL) ||
((mask = BN_new()) == NULL)) {
wpa_printf(MSG_INFO, "EAP-PWD (peer): scalar allocation fail");
goto fin;
}
if (!EC_GROUP_get_cofactor(data->grp->group, cofactor, NULL)) {
wpa_printf(MSG_INFO, "EAP-pwd (peer): unable to get cofactor "
"for curve");
goto fin;
}
BN_rand_range(data->private_value, data->grp->order);
BN_rand_range(mask, data->grp->order);
BN_add(data->my_scalar, data->private_value, mask);
BN_mod(data->my_scalar, data->my_scalar, data->grp->order,
data->bnctx);
if (!EC_POINT_mul(data->grp->group, data->my_element, NULL,
data->grp->pwe, mask, data->bnctx)) {
wpa_printf(MSG_INFO, "EAP-PWD (peer): element allocation "
"fail");
eap_pwd_state(data, FAILURE);
goto fin;
}
if (!EC_POINT_invert(data->grp->group, data->my_element, data->bnctx))
{
wpa_printf(MSG_INFO, "EAP-PWD (peer): element inversion fail");
goto fin;
}
BN_free(mask);
if (((x = BN_new()) == NULL) ||
((y = BN_new()) == NULL)) {
wpa_printf(MSG_INFO, "EAP-PWD (peer): point allocation fail");
goto fin;
}
/* process the request */
if (((data->server_scalar = BN_new()) == NULL) ||
((data->k = BN_new()) == NULL) ||
((K = EC_POINT_new(data->grp->group)) == NULL) ||
((point = EC_POINT_new(data->grp->group)) == NULL) ||
((data->server_element = EC_POINT_new(data->grp->group)) == NULL))
{
wpa_printf(MSG_INFO, "EAP-PWD (peer): peer data allocation "
"fail");
goto fin;
}
/* element, x then y, followed by scalar */
ptr = (u8 *) payload;
BN_bin2bn(ptr, BN_num_bytes(data->grp->prime), x);
ptr += BN_num_bytes(data->grp->prime);
BN_bin2bn(ptr, BN_num_bytes(data->grp->prime), y);
ptr += BN_num_bytes(data->grp->prime);
BN_bin2bn(ptr, BN_num_bytes(data->grp->order), data->server_scalar);
if (!EC_POINT_set_affine_coordinates_GFp(data->grp->group,
data->server_element, x, y,
data->bnctx)) {
wpa_printf(MSG_INFO, "EAP-PWD (peer): setting peer element "
"fail");
goto fin;
}
/* check to ensure server's element is not in a small sub-group */
if (BN_cmp(cofactor, BN_value_one())) {
if (!EC_POINT_mul(data->grp->group, point, NULL,
data->server_element, cofactor, NULL)) {
wpa_printf(MSG_INFO, "EAP-PWD (peer): cannot multiply "
"server element by order!\n");
goto fin;
}
if (EC_POINT_is_at_infinity(data->grp->group, point)) {
wpa_printf(MSG_INFO, "EAP-PWD (peer): server element "
"is at infinity!\n");
goto fin;
}
}
/* compute the shared key, k */
if ((!EC_POINT_mul(data->grp->group, K, NULL, data->grp->pwe,
data->server_scalar, data->bnctx)) ||
(!EC_POINT_add(data->grp->group, K, K, data->server_element,
data->bnctx)) ||
(!EC_POINT_mul(data->grp->group, K, NULL, K, data->private_value,
data->bnctx))) {
wpa_printf(MSG_INFO, "EAP-PWD (peer): computing shared key "
"fail");
goto fin;
}
/* ensure that the shared key isn't in a small sub-group */
if (BN_cmp(cofactor, BN_value_one())) {
if (!EC_POINT_mul(data->grp->group, K, NULL, K, cofactor,
NULL)) {
wpa_printf(MSG_INFO, "EAP-PWD (peer): cannot multiply "
"shared key point by order");
goto fin;
}
}
/*
* This check is strictly speaking just for the case above where
* co-factor > 1 but it was suggested that even though this is probably
* never going to happen it is a simple and safe check "just to be
* sure" so let's be safe.
*/
if (EC_POINT_is_at_infinity(data->grp->group, K)) {
wpa_printf(MSG_INFO, "EAP-PWD (peer): shared key point is at "
"infinity!\n");
goto fin;
}
if (!EC_POINT_get_affine_coordinates_GFp(data->grp->group, K, data->k,
NULL, data->bnctx)) {
wpa_printf(MSG_INFO, "EAP-PWD (peer): unable to extract "
"shared secret from point");
goto fin;
}
/* now do the response */
if (!EC_POINT_get_affine_coordinates_GFp(data->grp->group,
data->my_element, x, y,
data->bnctx)) {
wpa_printf(MSG_INFO, "EAP-PWD (peer): point assignment fail");
goto fin;
}
if (((scalar = os_malloc(BN_num_bytes(data->grp->order))) == NULL) ||
((element = os_malloc(BN_num_bytes(data->grp->prime) * 2)) ==
NULL)) {
wpa_printf(MSG_INFO, "EAP-PWD (peer): data allocation fail");
goto fin;
}
/*
* bignums occupy as little memory as possible so one that is
* sufficiently smaller than the prime or order might need pre-pending
* with zeros.
*/
os_memset(scalar, 0, BN_num_bytes(data->grp->order));
os_memset(element, 0, BN_num_bytes(data->grp->prime) * 2);
offset = BN_num_bytes(data->grp->order) -
BN_num_bytes(data->my_scalar);
BN_bn2bin(data->my_scalar, scalar + offset);
offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(x);
BN_bn2bin(x, element + offset);
offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(y);
BN_bn2bin(y, element + BN_num_bytes(data->grp->prime) + offset);
data->outbuf = wpabuf_alloc(BN_num_bytes(data->grp->order) +
2 * BN_num_bytes(data->grp->prime));
if (data->outbuf == NULL)
goto fin;
/* we send the element as (x,y) follwed by the scalar */
wpabuf_put_data(data->outbuf, element,
2 * BN_num_bytes(data->grp->prime));
wpabuf_put_data(data->outbuf, scalar, BN_num_bytes(data->grp->order));
fin:
os_free(scalar);
os_free(element);
BN_free(x);
BN_free(y);
BN_free(cofactor);
EC_POINT_free(K);
EC_POINT_free(point);
if (data->outbuf == NULL)
eap_pwd_state(data, FAILURE);
else
eap_pwd_state(data, PWD_Confirm_Req);
}
int main(int argc, const char *argv[])
{
int r;
int ok = 0;
char *prog = "ecc";
// libpopt var
poptContext popt_ctx;
const char **rest;
int command = 0;
char *curve_name = "secp192k1";
int point_compressed = 0;
point_conversion_form_t point_form;
struct poptOption options[] = {
{"curve-name", 'c', POPT_ARG_STRING, &curve_name, 0, "elliptic curve name", "NAME"},
{"point-compressed", 'z', POPT_ARG_NONE, &point_compressed, 0, "point format, compress or uncompress", NULL},
{"print-curve", 'p', POPT_ARG_VAL, &command, ECC_PRINT, "print elliptic curve parameters", NULL},
{"random-private-key", 0, POPT_ARG_VAL, &command, ECC_RAND_SKEY, "random generate a private key\n", NULL},
{"random-keypair", 0, POPT_ARG_VAL, &command, ECC_RAND_KEYPAIR, "generate a random key pair\n", NULL},
{"check-point", 'e', POPT_ARG_VAL, &command, ECC_CHECK_POINT, "check if point is valid\n", NULL},
{"point-add", 'a', POPT_ARG_VAL, &command, ECC_ADD, "elliptic curve point addition", NULL},
{"point-double", 'b', POPT_ARG_VAL, &command, ECC_DOUBLE, "elliptic curve point double", NULL},
{"point-mul", 'x', POPT_ARG_VAL, &command, ECC_MUL, "k*G", NULL},
{"point-mul-generator", 'X', POPT_ARG_VAL, &command, ECC_MUL_G, "elliptic curve point scalar multiply", NULL},
{"point-invert", 'i', POPT_ARG_VAL, &command, ECC_INVERT, "elliptic curve point inverse", NULL},
{"ecdsa-sign", 's', POPT_ARG_VAL, &command, ECC_SIGN, "ecdsa sign", NULL},
{"ecdsa-verify", 'v', POPT_ARG_VAL, &command, ECC_VERIFY, "ecdsa verify", NULL},
POPT_AUTOHELP
POPT_TABLEEND
};
// openssl var
EC_GROUP *ec_group = NULL;
EC_POINT *P = NULL;
EC_POINT *Q = NULL;
EC_POINT *R = NULL;
BIGNUM *k = BN_new();
BN_CTX *bn_ctx = BN_CTX_new();
// argument parsing
popt_ctx = poptGetContext(argv[0], argc, argv, options, 0);
if ((r = poptGetNextOpt(popt_ctx)) < -1) {
fprintf(stderr, "%s: bad argument %s: %s\n", argv[0],
poptBadOption(popt_ctx, POPT_BADOPTION_NOALIAS),
poptStrerror(r));
goto exit;
}
rest = poptGetArgs(popt_ctx);
// check arguments
ec_group = EC_GROUP_new_by_curve_name(OBJ_txt2nid(curve_name));
if (ec_group == NULL) {
fprintf(stderr, "%s: unknown curve name\n", prog);
goto exit;
}
P = EC_POINT_new(ec_group);
Q = EC_POINT_new(ec_group);
R = EC_POINT_new(ec_group);
point_form = point_compressed ? POINT_CONVERSION_COMPRESSED : POINT_CONVERSION_UNCOMPRESSED;
switch (command) {
case ECC_PRINT:
{
BIGNUM *p = BN_new();
BIGNUM *a = BN_new();
BIGNUM *b = BN_new();
char *generator;
BIGNUM *order = BN_new();
BIGNUM *cofactor = BN_new();
EC_GROUP_get_curve_GFp(ec_group, p, a, b, bn_ctx);
generator = EC_POINT_point2hex(ec_group, EC_GROUP_get0_generator(ec_group), point_form, bn_ctx);
EC_GROUP_get_order(ec_group, order, bn_ctx);
EC_GROUP_get_cofactor(ec_group, cofactor, bn_ctx);
fprintf(stdout, "Name : %s\n", OBJ_nid2sn(EC_GROUP_get_curve_name(ec_group)));
fprintf(stdout, "FieldType : %s\n", "PrimeField");
fprintf(stdout, "Prime : %s\n", BN_bn2hex(p));
fprintf(stdout, "A : %s\n", BN_bn2hex(a));
fprintf(stdout, "B : %s\n", BN_bn2hex(b));
fprintf(stdout, "Generator : %s\n", generator);
fprintf(stdout, "Order : %s\n", BN_bn2hex(order));
fprintf(stdout, "Cofactor : %s\n", BN_bn2hex(cofactor));
BN_free(p);
BN_free(a);
BN_free(b);
BN_free(order);
BN_free(cofactor);
break;
}
case ECC_CHECK_POINT:
{
if (!rest) {
fprintf(stderr, "%s: short of point\n", prog);
goto exit;
}
if (!rest[0]) {
fprintf(stderr, "%s: short of point\n", prog);
goto exit;
}
if (EC_POINT_hex2point(ec_group, rest[0], P, bn_ctx))
fprintf(stdout, "ture\n");
else
fprintf(stdout, "false\n");
break;
}
case ECC_RAND_SKEY:
{
EC_KEY *ec_key = EC_KEY_new();
EC_KEY_set_group(ec_key, ec_group);
EC_KEY_generate_key(ec_key);
fprintf(stdout, "%s\n", BN_bn2hex(EC_KEY_get0_private_key(ec_key)));
EC_KEY_free(ec_key);
break;
}
case ECC_RAND_KEYPAIR:
{
EC_KEY *ec_key = EC_KEY_new();
EC_KEY_set_group(ec_key, ec_group);
EC_KEY_generate_key(ec_key);
fprintf(stdout, "%s\n", BN_bn2hex(EC_KEY_get0_private_key(ec_key)));
fprintf(stdout, "%s\n", EC_POINT_point2hex(ec_group, EC_KEY_get0_public_key(ec_key), point_form, bn_ctx));
EC_KEY_free(ec_key);
break;
}
case ECC_ADD:
{
if (!rest) {
fprintf(stderr, "%s: short of point\n", prog);
goto exit;
}
if (!rest[0] || !rest[1]) {
fprintf(stderr, "%s: short of point\n", prog);
goto exit;
}
if (!EC_POINT_hex2point(ec_group, rest[1], P, bn_ctx)) {
fprintf(stderr, "%s: first point invalid\n", prog);
goto exit;
}
if (!EC_POINT_hex2point(ec_group, rest[1], Q, bn_ctx)) {
fprintf(stderr, "%s: second point invalid\n", prog);
goto exit;
}
EC_POINT_add(ec_group, R, P, Q, bn_ctx);
fprintf(stdout, "%s\n", EC_POINT_point2hex(ec_group, R, point_form, bn_ctx));
break;
}
case ECC_DOUBLE:
{
EC_POINT_dbl(ec_group, R, P, bn_ctx);
fprintf(stdout, "%s\n", EC_POINT_point2hex(ec_group, R, point_form, bn_ctx));
break;
}
case ECC_MUL:
{
BIGNUM *order = NULL;
if (!BN_hex2bn(&k, rest[0])) {
fprintf(stderr, "%s: integer invalid\n", prog);
goto exit;
}
order = BN_new();
EC_GROUP_get_order(ec_group, order, bn_ctx);
if (BN_cmp(k, order) >= 0) {
fprintf(stderr, "%s: integer value invalid\n", prog);
BN_free(order);
goto exit;
}
BN_free(order);
if (!EC_POINT_hex2point(ec_group, rest[1], P, bn_ctx)) {
fprintf(stderr, "%s: point invalid\n", prog);
goto exit;
}
EC_POINT_mul(ec_group, R, k, P, NULL, bn_ctx);
fprintf(stdout, "%s\n", EC_POINT_point2hex(ec_group, R, point_form, bn_ctx));
break;
}
case ECC_MUL_G:
{
BIGNUM *order = NULL;
if (!BN_hex2bn(&k, rest[0])) {
fprintf(stderr, "%s: integer format invalid\n", prog);
goto exit;
}
order = BN_new();
EC_GROUP_get_order(ec_group, order, bn_ctx);
if (BN_cmp(k, order) >= 0) {
fprintf(stderr, "%s: integer value invalid\n", prog);
BN_free(order);
goto exit;
}
BN_free(order);
EC_POINT_mul(ec_group, R, k, EC_GROUP_get0_generator(ec_group), NULL, bn_ctx);
fprintf(stdout, "%s\n", EC_POINT_point2hex(ec_group, R, point_form, bn_ctx));
break;
}
default:
fprintf(stderr, "%s: command is required\n", prog);
break;
}
ok = 1;
exit:
if (ec_group) EC_GROUP_free(ec_group);
if (P) EC_POINT_free(P);
if (k) BN_free(k);
if (bn_ctx) BN_CTX_free(bn_ctx);
return ok ? 0 : -1;
}
int
process_peer_commit (pwd_session_t *sess, uint8_t *commit, BN_CTX *bnctx)
{
uint8_t *ptr;
BIGNUM *x = NULL, *y = NULL, *cofactor = NULL;
EC_POINT *K = NULL, *point = NULL;
int res = 1;
if (((sess->peer_scalar = BN_new()) == NULL) ||
((sess->k = BN_new()) == NULL) ||
((cofactor = BN_new()) == NULL) ||
((x = BN_new()) == NULL) ||
((y = BN_new()) == NULL) ||
((point = EC_POINT_new(sess->group)) == NULL) ||
((K = EC_POINT_new(sess->group)) == NULL) ||
((sess->peer_element = EC_POINT_new(sess->group)) == NULL)) {
DEBUG2("pwd: failed to allocate room to process peer's commit");
goto fin;
}
if (!EC_GROUP_get_cofactor(sess->group, cofactor, NULL)) {
DEBUG2("pwd: unable to get group co-factor");
goto fin;
}
/* element, x then y, followed by scalar */
ptr = (uint8_t *)commit;
BN_bin2bn(ptr, BN_num_bytes(sess->prime), x);
ptr += BN_num_bytes(sess->prime);
BN_bin2bn(ptr, BN_num_bytes(sess->prime), y);
ptr += BN_num_bytes(sess->prime);
BN_bin2bn(ptr, BN_num_bytes(sess->order), sess->peer_scalar);
if (!EC_POINT_set_affine_coordinates_GFp(sess->group,
sess->peer_element, x, y,
bnctx)) {
DEBUG2("pwd: unable to get coordinates of peer's element");
goto fin;
}
/* check to ensure peer's element is not in a small sub-group */
if (BN_cmp(cofactor, BN_value_one())) {
if (!EC_POINT_mul(sess->group, point, NULL,
sess->peer_element, cofactor, NULL)) {
DEBUG2("pwd: unable to multiply element by co-factor");
goto fin;
}
if (EC_POINT_is_at_infinity(sess->group, point)) {
DEBUG2("pwd: peer's element is in small sub-group");
goto fin;
}
}
/* compute the shared key, k */
if ((!EC_POINT_mul(sess->group, K, NULL, sess->pwe,
sess->peer_scalar, bnctx)) ||
(!EC_POINT_add(sess->group, K, K, sess->peer_element,
bnctx)) ||
(!EC_POINT_mul(sess->group, K, NULL, K, sess->private_value,
bnctx))) {
DEBUG2("pwd: unable to compute shared key, k");
goto fin;
}
/* ensure that the shared key isn't in a small sub-group */
if (BN_cmp(cofactor, BN_value_one())) {
if (!EC_POINT_mul(sess->group, K, NULL, K, cofactor,
NULL)) {
DEBUG2("pwd: unable to multiply k by co-factor");
goto fin;
}
}
/*
* This check is strictly speaking just for the case above where
* co-factor > 1 but it was suggested that even though this is probably
* never going to happen it is a simple and safe check "just to be
* sure" so let's be safe.
*/
if (EC_POINT_is_at_infinity(sess->group, K)) {
DEBUG2("pwd: k is point-at-infinity!");
goto fin;
}
if (!EC_POINT_get_affine_coordinates_GFp(sess->group, K, sess->k,
NULL, bnctx)) {
DEBUG2("pwd: unable to get shared secret from K");
goto fin;
}
res = 0;
fin:
EC_POINT_free(K);
EC_POINT_free(point);
BN_free(cofactor);
BN_free(x);
BN_free(y);
return res;
}
int process_peer_commit(REQUEST *request, pwd_session_t *session, uint8_t *in, size_t in_len, BN_CTX *bn_ctx)
{
uint8_t *ptr;
size_t data_len;
BIGNUM *x = NULL, *y = NULL, *cofactor = NULL;
EC_POINT *K = NULL, *point = NULL;
int ret = 1;
MEM(session->peer_scalar = BN_new());
MEM(session->k = BN_new());
MEM(session->peer_element = EC_POINT_new(session->group));
MEM(point = EC_POINT_new(session->group));
MEM(K = EC_POINT_new(session->group));
MEM(cofactor = BN_new());
MEM(x = BN_new());
MEM(y = BN_new());
if (!EC_GROUP_get_cofactor(session->group, cofactor, NULL)) {
REDEBUG("Unable to get group co-factor");
goto finish;
}
/* element, x then y, followed by scalar */
ptr = (uint8_t *)in;
data_len = BN_num_bytes(session->prime);
/*
* Did the peer send enough data?
*/
if (in_len < (2 * data_len + BN_num_bytes(session->order))) {
REDEBUG("Invalid commit packet");
goto finish;
}
BN_bin2bn(ptr, data_len, x);
ptr += data_len;
BN_bin2bn(ptr, data_len, y);
ptr += data_len;
data_len = BN_num_bytes(session->order);
BN_bin2bn(ptr, data_len, session->peer_scalar);
/* validate received scalar */
if (BN_is_zero(session->peer_scalar) ||
BN_is_one(session->peer_scalar) ||
BN_cmp(session->peer_scalar, session->order) >= 0) {
REDEBUG("Peer's scalar is not within the allowed range");
goto finish;
}
if (!EC_POINT_set_affine_coordinates_GFp(session->group, session->peer_element, x, y, bn_ctx)) {
REDEBUG("Unable to get coordinates of peer's element");
goto finish;
}
/* validate received element */
if (!EC_POINT_is_on_curve(session->group, session->peer_element, bn_ctx) ||
EC_POINT_is_at_infinity(session->group, session->peer_element)) {
REDEBUG("Peer's element is not a point on the elliptic curve");
goto finish;
}
/* check to ensure peer's element is not in a small sub-group */
if (BN_cmp(cofactor, BN_value_one())) {
if (!EC_POINT_mul(session->group, point, NULL, session->peer_element, cofactor, NULL)) {
REDEBUG("Unable to multiply element by co-factor");
goto finish;
}
if (EC_POINT_is_at_infinity(session->group, point)) {
REDEBUG("Peer's element is in small sub-group");
goto finish;
}
}
/* detect reflection attacks */
if (BN_cmp(session->peer_scalar, session->my_scalar) == 0 ||
EC_POINT_cmp(session->group, session->peer_element, session->my_element, bn_ctx) == 0) {
REDEBUG("Reflection attack detected");
goto finish;
}
/* compute the shared key, k */
if ((!EC_POINT_mul(session->group, K, NULL, session->pwe, session->peer_scalar, bn_ctx)) ||
(!EC_POINT_add(session->group, K, K, session->peer_element, bn_ctx)) ||
(!EC_POINT_mul(session->group, K, NULL, K, session->private_value, bn_ctx))) {
REDEBUG("Unable to compute shared key, k");
goto finish;
}
/* ensure that the shared key isn't in a small sub-group */
if (BN_cmp(cofactor, BN_value_one())) {
if (!EC_POINT_mul(session->group, K, NULL, K, cofactor, NULL)) {
REDEBUG("Unable to multiply k by co-factor");
goto finish;
}
}
/*
* This check is strictly speaking just for the case above where
* co-factor > 1 but it was suggested that even though this is probably
* never going to happen it is a simple and safe check "just to be
* sure" so let's be safe.
*/
if (EC_POINT_is_at_infinity(session->group, K)) {
REDEBUG("K is point-at-infinity");
goto finish;
}
if (!EC_POINT_get_affine_coordinates_GFp(session->group, K, session->k, NULL, bn_ctx)) {
REDEBUG("Unable to get shared secret from K");
goto finish;
}
ret = 0;
finish:
EC_POINT_clear_free(K);
EC_POINT_clear_free(point);
BN_clear_free(cofactor);
BN_clear_free(x);
BN_clear_free(y);
return ret;
}
