int ec_GFp_simple_set_Jprojective_coordinates_GFp(const EC_GROUP *group,
EC_POINT *point,
const BIGNUM *x,
const BIGNUM *y,
const BIGNUM *z,
BN_CTX *ctx)
{
BN_CTX *new_ctx = NULL;
int ret = 0;
if (ctx == NULL) {
ctx = new_ctx = BN_CTX_new();
if (ctx == NULL)
return 0;
}
if (x != NULL) {
if (!BN_nnmod(&point->X, x, &group->field, ctx))
goto err;
if (group->meth->field_encode) {
if (!group->meth->field_encode(group, &point->X, &point->X, ctx))
goto err;
}
}
if (y != NULL) {
if (!BN_nnmod(&point->Y, y, &group->field, ctx))
goto err;
if (group->meth->field_encode) {
if (!group->meth->field_encode(group, &point->Y, &point->Y, ctx))
goto err;
}
}
if (z != NULL) {
int Z_is_one;
if (!BN_nnmod(&point->Z, z, &group->field, ctx))
goto err;
Z_is_one = BN_is_one(&point->Z);
if (group->meth->field_encode) {
if (Z_is_one && (group->meth->field_set_to_one != 0)) {
if (!group->meth->field_set_to_one(group, &point->Z, ctx))
goto err;
} else {
if (!group->
meth->field_encode(group, &point->Z, &point->Z, ctx))
goto err;
}
}
point->Z_is_one = Z_is_one;
}
ret = 1;
err:
if (new_ctx != NULL)
BN_CTX_free(new_ctx);
return ret;
}
int ec_GFp_simple_group_set_curve(EC_GROUP *group,
const BIGNUM *p, const BIGNUM *a,
const BIGNUM *b, BN_CTX *ctx)
{
int ret = 0;
BN_CTX *new_ctx = NULL;
BIGNUM *tmp_a;
/* p must be a prime > 3 */
if (BN_num_bits(p) <= 2 || !BN_is_odd(p)) {
ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE, EC_R_INVALID_FIELD);
return 0;
}
if (ctx == NULL) {
ctx = new_ctx = BN_CTX_new();
if (ctx == NULL)
return 0;
}
BN_CTX_start(ctx);
tmp_a = BN_CTX_get(ctx);
if (tmp_a == NULL)
goto err;
/* group->field */
if (!BN_copy(&group->field, p))
goto err;
BN_set_negative(&group->field, 0);
/* group->a */
if (!BN_nnmod(tmp_a, a, p, ctx))
goto err;
if (group->meth->field_encode) {
if (!group->meth->field_encode(group, &group->a, tmp_a, ctx))
goto err;
} else if (!BN_copy(&group->a, tmp_a))
goto err;
/* group->b */
if (!BN_nnmod(&group->b, b, p, ctx))
goto err;
if (group->meth->field_encode)
if (!group->meth->field_encode(group, &group->b, &group->b, ctx))
goto err;
/* group->a_is_minus3 */
if (!BN_add_word(tmp_a, 3))
goto err;
group->a_is_minus3 = (0 == BN_cmp(tmp_a, &group->field));
ret = 1;
err:
BN_CTX_end(ctx);
if (new_ctx != NULL)
BN_CTX_free(new_ctx);
return ret;
}
/* slow but works */
int
BN_mod_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m,
BN_CTX *ctx)
{
BIGNUM *t;
int ret = 0;
bn_check_top(a);
bn_check_top(b);
bn_check_top(m);
BN_CTX_start(ctx);
if ((t = BN_CTX_get(ctx)) == NULL)
goto err;
if (a == b) {
if (!BN_sqr(t, a, ctx))
goto err;
} else {
if (!BN_mul(t, a,b, ctx))
goto err;
}
if (!BN_nnmod(r, t,m, ctx))
goto err;
bn_check_top(r);
ret = 1;
err:
BN_CTX_end(ctx);
return (ret);
}
int BN_mod_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m,
BN_CTX *ctx)
{
if (!BN_sub(r, a, b))
return 0;
return BN_nnmod(r, r, m, ctx);
}
int BN_mod_lshift1(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx)
{
if (!BN_lshift1(r, a))
return 0;
bn_check_top(r);
return BN_nnmod(r, r, m, ctx);
}
/* The secret integers s0 and s1 must be in the range 0 < s < n for
some n, and must be relatively prime to that n. We know a priori
that n is of the form 2**k * p for some small integer k and prime
p. Therefore, it suffices to choose a random integer in the range
[0, n/2), multiply by two and add one (enforcing oddness), and then
reject values which are divisible by p. */
static BIGNUM *
random_s(const BIGNUM *n, const BIGNUM *p, BN_CTX *c)
{
BIGNUM h, m, *r;
BN_init(&h);
BN_init(&m);
FAILZ(r = BN_new());
FAILZ(BN_copy(&h, n));
FAILZ(BN_rshift1(&h, &h));
do {
FAILZ(BN_rand_range(r, &h));
FAILZ(BN_lshift1(r, r));
FAILZ(BN_add(r, r, BN_value_one()));
FAILZ(BN_nnmod(&m, r, p, c));
} while (BN_is_zero(&m));
BN_clear(&h);
BN_clear(&m);
return r;
fail:
BN_clear(&h);
BN_clear(&m);
if (r) BN_clear_free(r);
return 0;
}
bool CECKey::TweakSecret(unsigned char vchSecretOut[32], const unsigned char vchSecretIn[32], const unsigned char vchTweak[32])
{
bool ret = true;
BN_CTX *ctx = BN_CTX_new();
BN_CTX_start(ctx);
BIGNUM *bnSecret = BN_CTX_get(ctx);
BIGNUM *bnTweak = BN_CTX_get(ctx);
BIGNUM *bnOrder = BN_CTX_get(ctx);
EC_GROUP *group = EC_GROUP_new_by_curve_name(NID_secp256k1);
EC_GROUP_get_order(group, bnOrder, ctx); // what a grossly inefficient way to get the (constant) group order...
BN_bin2bn(vchTweak, 32, bnTweak);
if (BN_cmp(bnTweak, bnOrder) >= 0)
ret = false; // extremely unlikely
BN_bin2bn(vchSecretIn, 32, bnSecret);
BN_add(bnSecret, bnSecret, bnTweak);
BN_nnmod(bnSecret, bnSecret, bnOrder, ctx);
if (BN_is_zero(bnSecret))
ret = false; // ridiculously unlikely
int nBits = BN_num_bits(bnSecret);
memset(vchSecretOut, 0, 32);
BN_bn2bin(bnSecret, &vchSecretOut[32-(nBits+7)/8]);
EC_GROUP_free(group);
BN_CTX_end(ctx);
BN_CTX_free(ctx);
return ret;
}
CSignerECDSA::CSignerECDSA(const uint8_t PrivData[32], unsigned char Signature[65])
{
order.setuint256(g_Order);
EC_KEY* pkey = EC_KEY_new_by_curve_name(NID_secp256k1);
const EC_GROUP *group = EC_KEY_get0_group(pkey);
CBigNum privkey;
BN_bin2bn(PrivData, 32, &privkey);
EC_KEY_regenerate_key(pkey, &privkey);
EC_POINT *tmp_point = EC_POINT_new(group);
EC_POINT *test_point = EC_POINT_new(group);
CBigNum r, X, Y;
bool which = false;
do
{
// get random k
do
BN_rand_range(&kinv, &order);
while (!kinv);
/* We do not want timing information to leak the length of k,
* so we compute G*k using an equivalent scalar of fixed
* bit-length. */
kinv += order;
if (BN_num_bits(&kinv) <= 256)
kinv += order;
// compute r the x-coordinate of generator * k
EC_POINT_mul(group, tmp_point, &kinv, NULL, NULL, ctx);
EC_POINT_get_affine_coordinates_GFp(group, tmp_point, &X, &Y, ctx);
EC_POINT_set_compressed_coordinates_GFp(group, test_point, &X, 0, ctx);
which = !!EC_POINT_cmp(group, tmp_point, test_point, ctx);
BN_nnmod(&r, &X, &order, ctx);
}
while (!r);
// compute the inverse of k
BN_mod_inverse(&kinv, &kinv, &order, ctx);
BN_mod_mul(&pmr, &privkey, &r, &order, ctx);
BN_mod_mul(&prk, &pmr, &kinv, &order, ctx);
memset(Signature, 0, 65);
int nBitsR = BN_num_bits(&r);
BN_bn2bin(&r, &Signature[33-(nBitsR+7)/8]);
Signature[0] = 27 + which;
EC_POINT_free(tmp_point);
EC_POINT_free(test_point);
EC_KEY_free(pkey);
}
int BN_mod_lshift(BIGNUM *r, const BIGNUM *a, int n, const BIGNUM *m, BN_CTX *ctx)
{
BIGNUM *abs_m = NULL;
int ret;
if (!BN_nnmod(r, a, m, ctx)) return 0;
if (m->neg)
{
abs_m = BN_dup(m);
if (abs_m == NULL) return 0;
abs_m->neg = 0;
}
ret = BN_mod_lshift_quick(r, r, n, (abs_m ? abs_m : m));
if (abs_m)
BN_free(abs_m);
return ret;
}
int SRP_Verify_B_mod_N(BIGNUM *B, BIGNUM *N)
{
BIGNUM *r;
BN_CTX *bn_ctx;
int ret = 0;
if (B == NULL || N == NULL || (bn_ctx = BN_CTX_new()) == NULL)
return 0;
if ((r = BN_new()) == NULL)
goto err;
/* Checks if B % N == 0 */
if (!BN_nnmod(r, B, N, bn_ctx))
goto err;
ret = !BN_is_zero(r);
err:
BN_CTX_free(bn_ctx);
BN_free(r);
return ret;
}
int test_mont(BIO *bp, BN_CTX *ctx)
{
BIGNUM a,b,c,d,A,B;
BIGNUM n;
int i;
BN_MONT_CTX *mont;
BN_init(&a);
BN_init(&b);
BN_init(&c);
BN_init(&d);
BN_init(&A);
BN_init(&B);
BN_init(&n);
mont=BN_MONT_CTX_new();
BN_bntest_rand(&a,100,0,0); /**/
BN_bntest_rand(&b,100,0,0); /**/
for (i=0; i<num2; i++)
{
int bits = (200*(i+1))/num2;
if (bits == 0)
continue;
BN_bntest_rand(&n,bits,0,1);
BN_MONT_CTX_set(mont,&n,ctx);
BN_nnmod(&a,&a,&n,ctx);
BN_nnmod(&b,&b,&n,ctx);
BN_to_montgomery(&A,&a,mont,ctx);
BN_to_montgomery(&B,&b,mont,ctx);
BN_mod_mul_montgomery(&c,&A,&B,mont,ctx);/**/
BN_from_montgomery(&A,&c,mont,ctx);/**/
if (bp != NULL)
{
if (!results)
{
#ifdef undef
fprintf(stderr,"%d * %d %% %d\n",
BN_num_bits(&a),
BN_num_bits(&b),
BN_num_bits(mont->N));
#endif
BN_print(bp,&a);
BIO_puts(bp," * ");
BN_print(bp,&b);
BIO_puts(bp," % ");
BN_print(bp,&(mont->N));
BIO_puts(bp," - ");
}
BN_print(bp,&A);
BIO_puts(bp,"\n");
}
BN_mod_mul(&d,&a,&b,&n,ctx);
BN_sub(&d,&d,&A);
if(!BN_is_zero(&d))
{
fprintf(stderr,"Montgomery multiplication test failed!\n");
return 0;
}
}
BN_MONT_CTX_free(mont);
BN_free(&a);
BN_free(&b);
BN_free(&c);
BN_free(&d);
BN_free(&A);
BN_free(&B);
BN_free(&n);
return(1);
}
static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in,
BIGNUM **kinvp, BIGNUM **rp,
const unsigned char *dgst, int dlen)
{
BN_CTX *ctx = NULL;
BIGNUM *k = NULL, *r = NULL, *order = NULL, *X = NULL;
EC_POINT *tmp_point = NULL;
const EC_GROUP *group;
int ret = 0;
if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL) {
ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_PASSED_NULL_PARAMETER);
return 0;
}
if (ctx_in == NULL) {
if ((ctx = BN_CTX_new()) == NULL) {
ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_MALLOC_FAILURE);
return 0;
}
} else
ctx = ctx_in;
k = BN_new(); /* this value is later returned in *kinvp */
r = BN_new(); /* this value is later returned in *rp */
order = BN_new();
X = BN_new();
if (k == NULL || r == NULL || order == NULL || X == NULL) {
ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_MALLOC_FAILURE);
goto err;
}
if ((tmp_point = EC_POINT_new(group)) == NULL) {
ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
goto err;
}
if (!EC_GROUP_get_order(group, order, ctx)) {
ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
goto err;
}
do {
/* get random k */
do
if (dgst != NULL) {
if (!BN_generate_dsa_nonce
(k, order, EC_KEY_get0_private_key(eckey), dgst, dlen,
ctx)) {
ECerr(EC_F_ECDSA_SIGN_SETUP,
EC_R_RANDOM_NUMBER_GENERATION_FAILED);
goto err;
}
} else {
if (!BN_rand_range(k, order)) {
ECerr(EC_F_ECDSA_SIGN_SETUP,
EC_R_RANDOM_NUMBER_GENERATION_FAILED);
goto err;
}
}
while (BN_is_zero(k));
/*
* We do not want timing information to leak the length of k, so we
* compute G*k using an equivalent scalar of fixed bit-length.
*/
if (!BN_add(k, k, order))
goto err;
if (BN_num_bits(k) <= BN_num_bits(order))
if (!BN_add(k, k, order))
goto err;
/* compute r the x-coordinate of generator * k */
if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) {
ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
goto err;
}
if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) ==
NID_X9_62_prime_field) {
if (!EC_POINT_get_affine_coordinates_GFp
(group, tmp_point, X, NULL, ctx)) {
ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
goto err;
}
}
#ifndef OPENSSL_NO_EC2M
else { /* NID_X9_62_characteristic_two_field */
if (!EC_POINT_get_affine_coordinates_GF2m(group,
tmp_point, X, NULL,
ctx)) {
ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
goto err;
}
}
#endif
if (!BN_nnmod(r, X, order, ctx)) {
ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
goto err;
}
}
while (BN_is_zero(r));
/* compute the inverse of k */
if (EC_GROUP_get_mont_data(group) != NULL) {
/*
* We want inverse in constant time, therefore we utilize the fact
* order must be prime and use Fermats Little Theorem instead.
*/
if (!BN_set_word(X, 2)) {
ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
goto err;
}
if (!BN_mod_sub(X, order, X, order, ctx)) {
ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
goto err;
}
BN_set_flags(X, BN_FLG_CONSTTIME);
if (!BN_mod_exp_mont_consttime
(k, k, X, order, ctx, EC_GROUP_get_mont_data(group))) {
ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
goto err;
}
} else {
if (!BN_mod_inverse(k, k, order, ctx)) {
ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
goto err;
}
}
/* clear old values if necessary */
BN_clear_free(*rp);
BN_clear_free(*kinvp);
/* save the pre-computed values */
*rp = r;
*kinvp = k;
ret = 1;
err:
if (!ret) {
BN_clear_free(k);
BN_clear_free(r);
}
if (ctx != ctx_in)
BN_CTX_free(ctx);
BN_free(order);
EC_POINT_free(tmp_point);
BN_clear_free(X);
return (ret);
}
/* Returns -2 for errors because both -1 and 0 are valid results. */
int BN_kronecker (const BIGNUM * a, const BIGNUM * b, BN_CTX * ctx)
{
int i;
int ret = -2; /* avoid 'uninitialized' warning */
int err = 0;
BIGNUM *A, *B, *tmp;
/* In 'tab', only odd-indexed entries are relevant:
* For any odd BIGNUM n,
* tab[BN_lsw(n) & 7]
* is $(-1)^{(n^2-1)/8}$ (using TeX notation).
* Note that the sign of n does not matter.
*/
static const int tab[8] = { 0, 1, 0, -1, 0, -1, 0, 1 };
bn_check_top (a);
bn_check_top (b);
BN_CTX_start (ctx);
A = BN_CTX_get (ctx);
B = BN_CTX_get (ctx);
if (B == NULL)
goto end;
err = !BN_copy (A, a);
if (err)
goto end;
err = !BN_copy (B, b);
if (err)
goto end;
/*
* Kronecker symbol, imlemented according to Henri Cohen,
* "A Course in Computational Algebraic Number Theory"
* (algorithm 1.4.10).
*/
/* Cohen's step 1: */
if (BN_is_zero (B))
{
ret = BN_abs_is_word (A, 1);
goto end;
}
/* Cohen's step 2: */
if (!BN_is_odd (A) && !BN_is_odd (B))
{
ret = 0;
goto end;
}
/* now B is non-zero */
i = 0;
while (!BN_is_bit_set (B, i))
i++;
err = !BN_rshift (B, B, i);
if (err)
goto end;
if (i & 1)
{
/* i is odd */
/* (thus B was even, thus A must be odd!) */
/* set 'ret' to $(-1)^{(A^2-1)/8}$ */
ret = tab[BN_lsw (A) & 7];
}
else
{
/* i is even */
ret = 1;
}
if (B->neg)
{
B->neg = 0;
if (A->neg)
ret = -ret;
}
/* now B is positive and odd, so what remains to be done is
* to compute the Jacobi symbol (A/B) and multiply it by 'ret' */
while (1)
{
/* Cohen's step 3: */
/* B is positive and odd */
if (BN_is_zero (A))
{
ret = BN_is_one (B) ? ret : 0;
goto end;
}
/* now A is non-zero */
i = 0;
while (!BN_is_bit_set (A, i))
i++;
err = !BN_rshift (A, A, i);
if (err)
goto end;
if (i & 1)
{
/* i is odd */
/* multiply 'ret' by $(-1)^{(B^2-1)/8}$ */
ret = ret * tab[BN_lsw (B) & 7];
}
/* Cohen's step 4: */
/* multiply 'ret' by $(-1)^{(A-1)(B-1)/4}$ */
if ((A->neg ? ~BN_lsw (A) : BN_lsw (A)) & BN_lsw (B) & 2)
ret = -ret;
/* (A, B) := (B mod |A|, |A|) */
err = !BN_nnmod (B, B, A, ctx);
if (err)
goto end;
tmp = A;
A = B;
B = tmp;
tmp->neg = 0;
}
end:
BN_CTX_end (ctx);
if (err)
return -2;
else
return ret;
}
static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
BIGNUM **rp)
{
BN_CTX *ctx = NULL;
BIGNUM *k = NULL, *r = NULL, *order = NULL, *X = NULL;
EC_POINT *tmp_point = NULL;
const EC_GROUP *group;
int ret = 0;
int order_bits;
if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL) {
ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_PASSED_NULL_PARAMETER);
return 0;
}
if (ctx_in == NULL) {
if ((ctx = BN_CTX_new()) == NULL) {
ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_MALLOC_FAILURE);
return 0;
}
} else
ctx = ctx_in;
k = BN_new(); /* this value is later returned in *kinvp */
r = BN_new(); /* this value is later returned in *rp */
order = BN_new();
X = BN_new();
if (!k || !r || !order || !X) {
ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_MALLOC_FAILURE);
goto err;
}
if ((tmp_point = EC_POINT_new(group)) == NULL) {
ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
goto err;
}
if (!EC_GROUP_get_order(group, order, ctx)) {
ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
goto err;
}
/* Preallocate space */
order_bits = BN_num_bits(order);
if (!BN_set_bit(k, order_bits)
|| !BN_set_bit(r, order_bits)
|| !BN_set_bit(X, order_bits))
goto err;
do {
/* get random k */
do
if (!BN_rand_range(k, order)) {
ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,
ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED);
goto err;
}
while (BN_is_zero(k)) ;
/*
* We do not want timing information to leak the length of k, so we
* compute G*k using an equivalent scalar of fixed bit-length.
*
* We unconditionally perform both of these additions to prevent a
* small timing information leakage. We then choose the sum that is
* one bit longer than the order. This guarantees the code
* path used in the constant time implementations elsewhere.
*
* TODO: revisit the BN_copy aiming for a memory access agnostic
* conditional copy.
*/
if (!BN_add(r, k, order)
|| !BN_add(X, r, order)
|| !BN_copy(k, BN_num_bits(r) > order_bits ? r : X))
goto err;
/* compute r the x-coordinate of generator * k */
if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) {
ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
goto err;
}
if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) ==
NID_X9_62_prime_field) {
if (!EC_POINT_get_affine_coordinates_GFp
(group, tmp_point, X, NULL, ctx)) {
ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
goto err;
}
}
#ifndef OPENSSL_NO_EC2M
else { /* NID_X9_62_characteristic_two_field */
if (!EC_POINT_get_affine_coordinates_GF2m(group,
tmp_point, X, NULL,
ctx)) {
ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
goto err;
}
}
#endif
if (!BN_nnmod(r, X, order, ctx)) {
ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
goto err;
}
}
while (BN_is_zero(r));
/* compute the inverse of k */
if (EC_GROUP_get_mont_data(group) != NULL) {
/*
* We want inverse in constant time, therefore we utilize the fact
* order must be prime and use Fermats Little Theorem instead.
*/
if (!BN_set_word(X, 2)) {
ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
goto err;
}
if (!BN_mod_sub(X, order, X, order, ctx)) {
ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
goto err;
}
BN_set_flags(X, BN_FLG_CONSTTIME);
if (!BN_mod_exp_mont_consttime
(k, k, X, order, ctx, EC_GROUP_get_mont_data(group))) {
ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
goto err;
}
} else {
if (!BN_mod_inverse(k, k, order, ctx)) {
ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
goto err;
}
}
/* clear old values if necessary */
if (*rp != NULL)
BN_clear_free(*rp);
if (*kinvp != NULL)
BN_clear_free(*kinvp);
/* save the pre-computed values */
*rp = r;
*kinvp = k;
ret = 1;
err:
if (!ret) {
if (k != NULL)
BN_clear_free(k);
if (r != NULL)
BN_clear_free(r);
}
if (ctx_in == NULL)
BN_CTX_free(ctx);
if (order != NULL)
BN_free(order);
if (tmp_point != NULL)
EC_POINT_free(tmp_point);
if (X)
BN_clear_free(X);
return (ret);
}
static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
BIGNUM **rp)
{
BN_CTX *ctx = NULL;
BIGNUM *k = NULL, *r = NULL, *order = NULL, *X = NULL;
EC_POINT *tmp_point=NULL;
const EC_GROUP *group;
int ret = 0;
if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL)
{
ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_PASSED_NULL_PARAMETER);
return 0;
}
if (ctx_in == NULL)
{
if ((ctx = BN_CTX_new()) == NULL)
{
ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,ERR_R_MALLOC_FAILURE);
return 0;
}
}
else
ctx = ctx_in;
k = BN_new(); /* this value is later returned in *kinvp */
r = BN_new(); /* this value is later returned in *rp */
order = BN_new();
X = BN_new();
if (!k || !r || !order || !X)
{
ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_MALLOC_FAILURE);
goto err;
}
if ((tmp_point = EC_POINT_new(group)) == NULL)
{
ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
goto err;
}
if (!EC_GROUP_get_order(group, order, ctx))
{
ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
goto err;
}
#ifdef OPENSSL_FIPS
if (!fips_check_ec_prng(eckey))
goto err;
#endif
do
{
/* get random k */
do
if (!BN_rand_range(k, order))
{
ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,
ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED);
goto err;
}
while (BN_is_zero(k));
#ifdef ECDSA_POINT_MUL_NO_CONSTTIME
/* We do not want timing information to leak the length of k,
* so we compute G*k using an equivalent scalar of fixed
* bit-length. */
if (!BN_add(k, k, order)) goto err;
if (BN_num_bits(k) <= BN_num_bits(order))
if (!BN_add(k, k, order)) goto err;
#endif /* def(ECDSA_POINT_MUL_NO_CONSTTIME) */
/* compute r the x-coordinate of generator * k */
if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx))
{
ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
goto err;
}
if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) == NID_X9_62_prime_field)
{
if (!EC_POINT_get_affine_coordinates_GFp(group,
tmp_point, X, NULL, ctx))
{
ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,ERR_R_EC_LIB);
goto err;
}
}
#ifndef OPENSSL_NO_EC2M
else /* NID_X9_62_characteristic_two_field */
{
if (!EC_POINT_get_affine_coordinates_GF2m(group,
tmp_point, X, NULL, ctx))
{
ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,ERR_R_EC_LIB);
goto err;
}
}
#endif
if (!BN_nnmod(r, X, order, ctx))
{
ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
goto err;
}
}
while (BN_is_zero(r));
/* compute the inverse of k */
if (!BN_mod_inverse(k, k, order, ctx))
{
ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
goto err;
}
/* clear old values if necessary */
if (*rp != NULL)
BN_clear_free(*rp);
if (*kinvp != NULL)
BN_clear_free(*kinvp);
/* save the pre-computed values */
*rp = r;
*kinvp = k;
ret = 1;
err:
if (!ret)
{
if (k != NULL) BN_clear_free(k);
if (r != NULL) BN_clear_free(r);
}
if (ctx_in == NULL)
BN_CTX_free(ctx);
if (order != NULL)
BN_free(order);
if (tmp_point != NULL)
EC_POINT_free(tmp_point);
if (X)
BN_clear_free(X);
return(ret);
}
/* BN_mod_inverse_no_branch is a special version of BN_mod_inverse.
* It does not contain branches that may leak sensitive information.
*/
static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *in,
const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx)
{
BIGNUM *A,*B,*X,*Y,*M,*D,*T,*R=NULL;
BIGNUM local_A, local_B;
BIGNUM *pA, *pB;
BIGNUM *ret=NULL;
int sign;
bn_check_top(a);
bn_check_top(n);
BN_CTX_start(ctx);
A = BN_CTX_get(ctx);
B = BN_CTX_get(ctx);
X = BN_CTX_get(ctx);
D = BN_CTX_get(ctx);
M = BN_CTX_get(ctx);
Y = BN_CTX_get(ctx);
T = BN_CTX_get(ctx);
if (T == NULL) goto err;
if (in == NULL)
R=BN_new();
else
R=in;
if (R == NULL) goto err;
BN_one(X);
BN_zero(Y);
if (BN_copy(B,a) == NULL) goto err;
if (BN_copy(A,n) == NULL) goto err;
A->neg = 0;
if (B->neg || (BN_ucmp(B, A) >= 0))
{
/* Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked,
* BN_div_no_branch will be called eventually.
*/
pB = &local_B;
BN_with_flags(pB, B, BN_FLG_CONSTTIME);
if (!BN_nnmod(B, pB, A, ctx)) goto err;
}
sign = -1;
/* From B = a mod |n|, A = |n| it follows that
*
* 0 <= B < A,
* -sign*X*a == B (mod |n|),
* sign*Y*a == A (mod |n|).
*/
while (!BN_is_zero(B))
{
BIGNUM *tmp;
/*
* 0 < B < A,
* (*) -sign*X*a == B (mod |n|),
* sign*Y*a == A (mod |n|)
*/
/* Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked,
* BN_div_no_branch will be called eventually.
*/
pA = &local_A;
BN_with_flags(pA, A, BN_FLG_CONSTTIME);
/* (D, M) := (A/B, A%B) ... */
if (!BN_div(D,M,pA,B,ctx)) goto err;
/* Now
* A = D*B + M;
* thus we have
* (**) sign*Y*a == D*B + M (mod |n|).
*/
tmp=A; /* keep the BIGNUM object, the value does not matter */
/* (A, B) := (B, A mod B) ... */
A=B;
B=M;
/* ... so we have 0 <= B < A again */
/* Since the former M is now B and the former B is now A,
* (**) translates into
* sign*Y*a == D*A + B (mod |n|),
* i.e.
* sign*Y*a - D*A == B (mod |n|).
* Similarly, (*) translates into
* -sign*X*a == A (mod |n|).
*
* Thus,
* sign*Y*a + D*sign*X*a == B (mod |n|),
* i.e.
* sign*(Y + D*X)*a == B (mod |n|).
*
* So if we set (X, Y, sign) := (Y + D*X, X, -sign), we arrive back at
* -sign*X*a == B (mod |n|),
* sign*Y*a == A (mod |n|).
* Note that X and Y stay non-negative all the time.
*/
if (!BN_mul(tmp,D,X,ctx)) goto err;
if (!BN_add(tmp,tmp,Y)) goto err;
M=Y; /* keep the BIGNUM object, the value does not matter */
Y=X;
X=tmp;
sign = -sign;
}
/*
* The while loop (Euclid's algorithm) ends when
* A == gcd(a,n);
* we have
* sign*Y*a == A (mod |n|),
* where Y is non-negative.
*/
if (sign < 0)
{
if (!BN_sub(Y,n,Y)) goto err;
}
/* Now Y*a == A (mod |n|). */
if (BN_is_one(A))
{
/* Y*a == 1 (mod |n|) */
if (!Y->neg && BN_ucmp(Y,n) < 0)
{
if (!BN_copy(R,Y)) goto err;
}
else
{
if (!BN_nnmod(R,Y,n,ctx)) goto err;
}
}
else
{
BNerr(BN_F_BN_MOD_INVERSE_NO_BRANCH,BN_R_NO_INVERSE);
goto err;
}
ret=R;
err:
if ((ret == NULL) && (in == NULL)) BN_free(R);
BN_CTX_end(ctx);
bn_check_top(ret);
return(ret);
}
static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len,
const ECDSA_SIG *sig, EC_KEY *eckey)
{
int ret = -1;
BN_CTX *ctx;
BIGNUM *order, *u1, *u2, *m, *X;
EC_POINT *point = NULL;
const EC_GROUP *group;
const EC_POINT *pub_key;
/* check input values */
if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL ||
(pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL)
{
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ECDSA_R_MISSING_PARAMETERS);
return -1;
}
ctx = BN_CTX_new();
if (!ctx)
{
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_MALLOC_FAILURE);
return -1;
}
BN_CTX_start(ctx);
order = BN_CTX_get(ctx);
u1 = BN_CTX_get(ctx);
u2 = BN_CTX_get(ctx);
m = BN_CTX_get(ctx);
X = BN_CTX_get(ctx);
if (!X)
{
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
goto err;
}
if (!EC_GROUP_get_order(group, order, ctx))
{
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);
goto err;
}
if (8 * dgst_len > BN_num_bits(order))
{
/* XXX
*
* Should provide for optional hash truncation:
* Keep the BN_num_bits(order) leftmost bits of dgst
* (see March 2006 FIPS 186-3 draft, which has a few
* confusing errors in this part though)
*/
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY,
ECDSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
ret = 0;
goto err;
}
if (BN_is_zero(sig->r) || BN_is_negative(sig->r) ||
BN_ucmp(sig->r, order) >= 0 || BN_is_zero(sig->s) ||
BN_is_negative(sig->s) || BN_ucmp(sig->s, order) >= 0)
{
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ECDSA_R_BAD_SIGNATURE);
ret = 0; /* signature is invalid */
goto err;
}
/* calculate tmp1 = inv(S) mod order */
if (!BN_mod_inverse(u2, sig->s, order, ctx))
{
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
goto err;
}
/* digest -> m */
if (!BN_bin2bn(dgst, dgst_len, m))
{
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
goto err;
}
/* u1 = m * tmp mod order */
if (!BN_mod_mul(u1, m, u2, order, ctx))
{
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
goto err;
}
/* u2 = r * w mod q */
if (!BN_mod_mul(u2, sig->r, u2, order, ctx))
{
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
goto err;
}
if ((point = EC_POINT_new(group)) == NULL)
{
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_MALLOC_FAILURE);
goto err;
}
if (!EC_POINT_mul(group, point, u1, pub_key, u2, ctx))
{
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);
goto err;
}
if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) == NID_X9_62_prime_field)
{
if (!EC_POINT_get_affine_coordinates_GFp(group,
point, X, NULL, ctx))
{
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);
goto err;
}
}
else /* NID_X9_62_characteristic_two_field */
{
if (!EC_POINT_get_affine_coordinates_GF2m(group,
point, X, NULL, ctx))
{
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);
goto err;
}
}
if (!BN_nnmod(u1, X, order, ctx))
{
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
goto err;
}
/* if the signature is correct u1 is equal to sig->r */
ret = (BN_ucmp(u1, sig->r) == 0);
err:
BN_CTX_end(ctx);
BN_CTX_free(ctx);
if (point)
EC_POINT_free(point);
return ret;
}
/**
* Reconstruct secret using the provided shares
*
* @param shares Shares used to reconstruct secret (should contain t entries)
* @param t Threshold used to reconstruct the secret
* @param prime Prime for finite field arithmetic
* @param s Pointer for storage of calculated secred
*/
static int reconstructSecret(secret_share_t *shares, unsigned char t, const BIGNUM prime, BIGNUM *s) {
unsigned char i;
unsigned char j;
// Array representing the polynomial a(x) = s + a_1 * x + ... + a_n-1 * x^n-1 mod p
BIGNUM **bValue = malloc(t * sizeof(BIGNUM *));
BIGNUM **pbValue;
BIGNUM numerator;
BIGNUM denominator;
BIGNUM temp;
secret_share_t *sp_i;
secret_share_t *sp_j;
BN_CTX *ctx;
// Initialize
pbValue = bValue;
for (i = 0; i < t; i++) {
*pbValue = BN_new();
BN_init(*pbValue);
pbValue++;
}
BN_init(&numerator);
BN_init(&denominator);
BN_init(&temp);
// Create context for temporary variables of engine
ctx = BN_CTX_new();
BN_CTX_init(ctx);
pbValue = bValue;
sp_i = shares;
for (i = 0; i < t; i++) {
BN_one(&numerator);
BN_one(&denominator);
sp_j = shares;
for (j = 0; j < t; j++) {
if (i == j) {
sp_j++;
continue;
}
BN_mul(&numerator, &numerator, &(sp_j->x), ctx);
BN_sub(&temp, &(sp_j->x), &(sp_i->x));
BN_mul(&denominator, &denominator, &temp, ctx);
sp_j++;
}
/*
* Use the modular inverse value of the denominator for the
* multiplication
*/
if (BN_mod_inverse(&denominator, &denominator, &prime, ctx) == NULL ) {
return -1;
}
BN_mod_mul(*pbValue, &numerator, &denominator, &prime, ctx);
pbValue++;
sp_i++;
}
/*
* Calculate the secret by multiplying all y-values with their
* corresponding intermediate values
*/
pbValue = bValue;
sp_i = shares;
BN_zero(s);
for (i = 0; i < t; i++) {
BN_mul(&temp, &(sp_i->y), *pbValue, ctx);
BN_add(s, s, &temp);
pbValue++;
sp_i++;
}
// Perform modulo operation and copy result
BN_nnmod(&temp, s, &prime, ctx);
BN_copy(s, &temp);
BN_clear_free(&numerator);
BN_clear_free(&denominator);
BN_clear_free(&temp);
BN_CTX_free(ctx);
// Deallocate the resource of the polynomial
pbValue = bValue;
for (i = 0; i < t; i++) {
BN_clear_free(*pbValue);
pbValue++;
}
free(bValue);
return 0;
}
int ec_GFp_simple_group_set_curve(EC_GROUP *group, const BIGNUM *p,
const BIGNUM *a, const BIGNUM *b,
BN_CTX *ctx) {
int ret = 0;
BN_CTX *new_ctx = NULL;
BIGNUM *tmp_a;
/* p must be a prime > 3 */
if (BN_num_bits(p) <= 2 || !BN_is_odd(p)) {
OPENSSL_PUT_ERROR(EC, EC_R_INVALID_FIELD);
return 0;
}
if (ctx == NULL) {
ctx = new_ctx = BN_CTX_new();
if (ctx == NULL) {
return 0;
}
}
BN_CTX_start(ctx);
tmp_a = BN_CTX_get(ctx);
if (tmp_a == NULL) {
goto err;
}
/* group->field */
if (!BN_copy(&group->field, p)) {
goto err;
}
BN_set_negative(&group->field, 0);
/* group->a */
if (!BN_nnmod(tmp_a, a, p, ctx)) {
goto err;
}
if (group->meth->field_encode) {
if (!group->meth->field_encode(group, &group->a, tmp_a, ctx)) {
goto err;
}
} else if (!BN_copy(&group->a, tmp_a)) {
goto err;
}
/* group->b */
if (!BN_nnmod(&group->b, b, p, ctx)) {
goto err;
}
if (group->meth->field_encode &&
!group->meth->field_encode(group, &group->b, &group->b, ctx)) {
goto err;
}
#if !defined(NDEBUG)
/* ring: assert a == -3. */
if (!BN_add_word(tmp_a, 3)) {
goto err;
}
assert(0 == BN_cmp(tmp_a, &group->field));
#endif
ret = 1;
err:
BN_CTX_end(ctx);
BN_CTX_free(new_ctx);
return ret;
}
int ec_GFp_simple_group_set_curve(EC_GROUP *group, const BIGNUM *p,
const BIGNUM *a, const BIGNUM *b,
BN_CTX *ctx) {
int ret = 0;
BN_CTX *new_ctx = NULL;
BIGNUM *tmp_a;
// p must be a prime > 3
if (BN_num_bits(p) <= 2 || !BN_is_odd(p)) {
OPENSSL_PUT_ERROR(EC, EC_R_INVALID_FIELD);
return 0;
}
if (ctx == NULL) {
ctx = new_ctx = BN_CTX_new();
if (ctx == NULL) {
return 0;
}
}
BN_CTX_start(ctx);
tmp_a = BN_CTX_get(ctx);
if (tmp_a == NULL) {
goto err;
}
// group->field
if (!BN_copy(&group->field, p)) {
goto err;
}
BN_set_negative(&group->field, 0);
// Store the field in minimal form, so it can be used with |BN_ULONG| arrays.
bn_set_minimal_width(&group->field);
// group->a
if (!BN_nnmod(tmp_a, a, &group->field, ctx)) {
goto err;
}
if (group->meth->field_encode) {
if (!group->meth->field_encode(group, &group->a, tmp_a, ctx)) {
goto err;
}
} else if (!BN_copy(&group->a, tmp_a)) {
goto err;
}
// group->b
if (!BN_nnmod(&group->b, b, &group->field, ctx)) {
goto err;
}
if (group->meth->field_encode &&
!group->meth->field_encode(group, &group->b, &group->b, ctx)) {
goto err;
}
// group->a_is_minus3
if (!BN_add_word(tmp_a, 3)) {
goto err;
}
group->a_is_minus3 = (0 == BN_cmp(tmp_a, &group->field));
if (group->meth->field_encode != NULL) {
if (!group->meth->field_encode(group, &group->one, BN_value_one(), ctx)) {
goto err;
}
} else if (!BN_copy(&group->one, BN_value_one())) {
goto err;
}
ret = 1;
err:
BN_CTX_end(ctx);
BN_CTX_free(new_ctx);
return ret;
}
BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
/* Returns 'ret' such that
* ret^2 == a (mod p),
* using the Tonelli/Shanks algorithm (cf. Henri Cohen, "A Course
* in Algebraic Computational Number Theory", algorithm 1.5.1).
* 'p' must be prime!
*/
{
BIGNUM *ret = in;
int err = 1;
int r;
BIGNUM *A, *b, *q, *t, *x, *y;
int e, i, j;
if (!BN_is_odd(p) || BN_abs_is_word(p, 1))
{
if (BN_abs_is_word(p, 2))
{
if (ret == NULL)
ret = BN_new();
if (ret == NULL)
goto end;
if (!BN_set_word(ret, BN_is_bit_set(a, 0)))
{
if (ret != in)
BN_free(ret);
return NULL;
}
bn_check_top(ret);
return ret;
}
BNerr(BN_F_BN_MOD_SQRT, BN_R_P_IS_NOT_PRIME);
return(NULL);
}
if (BN_is_zero(a) || BN_is_one(a))
{
if (ret == NULL)
ret = BN_new();
if (ret == NULL)
goto end;
if (!BN_set_word(ret, BN_is_one(a)))
{
if (ret != in)
BN_free(ret);
return NULL;
}
bn_check_top(ret);
return ret;
}
BN_CTX_start(ctx);
A = BN_CTX_get(ctx);
b = BN_CTX_get(ctx);
q = BN_CTX_get(ctx);
t = BN_CTX_get(ctx);
x = BN_CTX_get(ctx);
y = BN_CTX_get(ctx);
if (y == NULL) goto end;
if (ret == NULL)
ret = BN_new();
if (ret == NULL) goto end;
/* A = a mod p */
if (!BN_nnmod(A, a, p, ctx)) goto end;
/* now write |p| - 1 as 2^e*q where q is odd */
e = 1;
while (!BN_is_bit_set(p, e))
e++;
/* we'll set q later (if needed) */
if (e == 1)
{
/* The easy case: (|p|-1)/2 is odd, so 2 has an inverse
* modulo (|p|-1)/2, and square roots can be computed
* directly by modular exponentiation.
* We have
* 2 * (|p|+1)/4 == 1 (mod (|p|-1)/2),
* so we can use exponent (|p|+1)/4, i.e. (|p|-3)/4 + 1.
*/
if (!BN_rshift(q, p, 2)) goto end;
q->neg = 0;
if (!BN_add_word(q, 1)) goto end;
if (!BN_mod_exp(ret, A, q, p, ctx)) goto end;
err = 0;
goto vrfy;
}
if (e == 2)
{
/* |p| == 5 (mod 8)
*
* In this case 2 is always a non-square since
* Legendre(2,p) = (-1)^((p^2-1)/8) for any odd prime.
* So if a really is a square, then 2*a is a non-square.
* Thus for
* b := (2*a)^((|p|-5)/8),
* i := (2*a)*b^2
* we have
* i^2 = (2*a)^((1 + (|p|-5)/4)*2)
* = (2*a)^((p-1)/2)
* = -1;
* so if we set
* x := a*b*(i-1),
* then
* x^2 = a^2 * b^2 * (i^2 - 2*i + 1)
* = a^2 * b^2 * (-2*i)
* = a*(-i)*(2*a*b^2)
* = a*(-i)*i
* = a.
*
* (This is due to A.O.L. Atkin,
* <URL: http://listserv.nodak.edu/scripts/wa.exe?A2=ind9211&L=nmbrthry&O=T&P=562>,
* November 1992.)
*/
/* t := 2*a */
if (!BN_mod_lshift1_quick(t, A, p)) goto end;
/* b := (2*a)^((|p|-5)/8) */
if (!BN_rshift(q, p, 3)) goto end;
q->neg = 0;
if (!BN_mod_exp(b, t, q, p, ctx)) goto end;
/* y := b^2 */
if (!BN_mod_sqr(y, b, p, ctx)) goto end;
/* t := (2*a)*b^2 - 1*/
if (!BN_mod_mul(t, t, y, p, ctx)) goto end;
if (!BN_sub_word(t, 1)) goto end;
/* x = a*b*t */
if (!BN_mod_mul(x, A, b, p, ctx)) goto end;
if (!BN_mod_mul(x, x, t, p, ctx)) goto end;
if (!BN_copy(ret, x)) goto end;
err = 0;
goto vrfy;
}
/* e > 2, so we really have to use the Tonelli/Shanks algorithm.
* First, find some y that is not a square. */
if (!BN_copy(q, p)) goto end; /* use 'q' as temp */
q->neg = 0;
i = 2;
do
{
/* For efficiency, try small numbers first;
* if this fails, try random numbers.
*/
if (i < 22)
{
if (!BN_set_word(y, i)) goto end;
}
else
{
if (!BN_pseudo_rand(y, BN_num_bits(p), 0, 0)) goto end;
if (BN_ucmp(y, p) >= 0)
{
if (!(p->neg ? BN_add : BN_sub)(y, y, p)) goto end;
}
/* now 0 <= y < |p| */
if (BN_is_zero(y))
if (!BN_set_word(y, i)) goto end;
}
r = BN_kronecker(y, q, ctx); /* here 'q' is |p| */
if (r < -1) goto end;
if (r == 0)
{
/* m divides p */
BNerr(BN_F_BN_MOD_SQRT, BN_R_P_IS_NOT_PRIME);
goto end;
}
}
while (r == 1 && ++i < 82);
if (r != -1)
{
/* Many rounds and still no non-square -- this is more likely
* a bug than just bad luck.
* Even if p is not prime, we should have found some y
* such that r == -1.
*/
BNerr(BN_F_BN_MOD_SQRT, BN_R_TOO_MANY_ITERATIONS);
goto end;
}
/* Here's our actual 'q': */
if (!BN_rshift(q, q, e)) goto end;
/* Now that we have some non-square, we can find an element
* of order 2^e by computing its q'th power. */
if (!BN_mod_exp(y, y, q, p, ctx)) goto end;
if (BN_is_one(y))
{
BNerr(BN_F_BN_MOD_SQRT, BN_R_P_IS_NOT_PRIME);
goto end;
}
/* Now we know that (if p is indeed prime) there is an integer
* k, 0 <= k < 2^e, such that
*
* a^q * y^k == 1 (mod p).
*
* As a^q is a square and y is not, k must be even.
* q+1 is even, too, so there is an element
*
* X := a^((q+1)/2) * y^(k/2),
*
* and it satisfies
*
* X^2 = a^q * a * y^k
* = a,
*
* so it is the square root that we are looking for.
*/
/* t := (q-1)/2 (note that q is odd) */
if (!BN_rshift1(t, q)) goto end;
/* x := a^((q-1)/2) */
if (BN_is_zero(t)) /* special case: p = 2^e + 1 */
{
if (!BN_nnmod(t, A, p, ctx)) goto end;
if (BN_is_zero(t))
{
/* special case: a == 0 (mod p) */
BN_zero(ret);
err = 0;
goto end;
}
else
if (!BN_one(x)) goto end;
}
else
{
if (!BN_mod_exp(x, A, t, p, ctx)) goto end;
if (BN_is_zero(x))
{
/* special case: a == 0 (mod p) */
BN_zero(ret);
err = 0;
goto end;
}
}
/* b := a*x^2 (= a^q) */
if (!BN_mod_sqr(b, x, p, ctx)) goto end;
if (!BN_mod_mul(b, b, A, p, ctx)) goto end;
/* x := a*x (= a^((q+1)/2)) */
if (!BN_mod_mul(x, x, A, p, ctx)) goto end;
while (1)
{
/* Now b is a^q * y^k for some even k (0 <= k < 2^E
* where E refers to the original value of e, which we
* don't keep in a variable), and x is a^((q+1)/2) * y^(k/2).
*
* We have a*b = x^2,
* y^2^(e-1) = -1,
* b^2^(e-1) = 1.
*/
if (BN_is_one(b))
{
if (!BN_copy(ret, x)) goto end;
err = 0;
goto vrfy;
}
/* find smallest i such that b^(2^i) = 1 */
i = 1;
if (!BN_mod_sqr(t, b, p, ctx)) goto end;
while (!BN_is_one(t))
{
i++;
if (i == e)
{
BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
goto end;
}
if (!BN_mod_mul(t, t, t, p, ctx)) goto end;
}
/* t := y^2^(e - i - 1) */
if (!BN_copy(t, y)) goto end;
for (j = e - i - 1; j > 0; j--)
{
if (!BN_mod_sqr(t, t, p, ctx)) goto end;
}
if (!BN_mod_mul(y, t, t, p, ctx)) goto end;
if (!BN_mod_mul(x, x, t, p, ctx)) goto end;
if (!BN_mod_mul(b, b, y, p, ctx)) goto end;
e = i;
}
vrfy:
if (!err)
{
/* verify the result -- the input might have been not a square
* (test added in 0.9.8) */
if (!BN_mod_sqr(x, ret, p, ctx))
err = 1;
if (!err && 0 != BN_cmp(x, A))
{
BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
err = 1;
}
}
end:
if (err)
{
if (ret != NULL && ret != in)
{
BN_clear_free(ret);
}
ret = NULL;
}
BN_CTX_end(ctx);
bn_check_top(ret);
return ret;
}
int test_sqrt(BIO *bp, BN_CTX *ctx)
{
BIGNUM *a,*p,*r;
int i, j;
int ret = 0;
a = BN_new();
p = BN_new();
r = BN_new();
if (a == NULL || p == NULL || r == NULL) goto err;
for (i = 0; i < 16; i++)
{
if (i < 8)
{
unsigned primes[8] = { 2, 3, 5, 7, 11, 13, 17, 19 };
if (!BN_set_word(p, primes[i])) goto err;
}
else
{
if (!BN_set_word(a, 32)) goto err;
if (!BN_set_word(r, 2*i + 1)) goto err;
if (!BN_generate_prime(p, 256, 0, a, r, genprime_cb, NULL)) goto err;
putc('\n', stderr);
}
p->neg = rand_neg();
for (j = 0; j < num2; j++)
{
/* construct 'a' such that it is a square modulo p,
* but in general not a proper square and not reduced modulo p */
if (!BN_bntest_rand(r, 256, 0, 3)) goto err;
if (!BN_nnmod(r, r, p, ctx)) goto err;
if (!BN_mod_sqr(r, r, p, ctx)) goto err;
if (!BN_bntest_rand(a, 256, 0, 3)) goto err;
if (!BN_nnmod(a, a, p, ctx)) goto err;
if (!BN_mod_sqr(a, a, p, ctx)) goto err;
if (!BN_mul(a, a, r, ctx)) goto err;
if (rand_neg())
if (!BN_sub(a, a, p)) goto err;
if (!BN_mod_sqrt(r, a, p, ctx)) goto err;
if (!BN_mod_sqr(r, r, p, ctx)) goto err;
if (!BN_nnmod(a, a, p, ctx)) goto err;
if (BN_cmp(a, r) != 0)
{
fprintf(stderr, "BN_mod_sqrt failed: a = ");
BN_print_fp(stderr, a);
fprintf(stderr, ", r = ");
BN_print_fp(stderr, r);
fprintf(stderr, ", p = ");
BN_print_fp(stderr, p);
fprintf(stderr, "\n");
goto err;
}
putc('.', stderr);
fflush(stderr);
}
putc('\n', stderr);
fflush(stderr);
}
ret = 1;
err:
if (a != NULL) BN_free(a);
if (p != NULL) BN_free(p);
if (r != NULL) BN_free(r);
return ret;
}
static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
BIGNUM **rp)
{
BN_CTX *ctx = NULL;
BIGNUM *k = NULL, *r = NULL, *order = NULL, *X = NULL;
EC_POINT *tmp_point=NULL;
const EC_GROUP *group;
int ret = 0;
if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL)
{
ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_PASSED_NULL_PARAMETER);
return 0;
}
if (ctx_in == NULL)
{
if ((ctx = BN_CTX_new()) == NULL)
{
ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,ERR_R_MALLOC_FAILURE);
return 0;
}
}
else
ctx = ctx_in;
k = BN_new(); /* this value is later returned in *kinvp */
r = BN_new(); /* this value is later returned in *rp */
order = BN_new();
X = BN_new();
if (!k || !r || !order || !X)
{
ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_MALLOC_FAILURE);
goto err;
}
if ((tmp_point = EC_POINT_new(group)) == NULL)
{
ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
goto err;
}
if (!EC_GROUP_get_order(group, order, ctx))
{
ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
goto err;
}
do
{
/* get random k */
do
if (!BN_rand_range(k, order))
{
ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,
ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED);
goto err;
}
while (BN_is_zero(k));
/* compute r the x-coordinate of generator * k */
if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx))
{
ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
goto err;
}
if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) == NID_X9_62_prime_field)
{
if (!EC_POINT_get_affine_coordinates_GFp(group,
tmp_point, X, NULL, ctx))
{
ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,ERR_R_EC_LIB);
goto err;
}
}
else /* NID_X9_62_characteristic_two_field */
{
if (!EC_POINT_get_affine_coordinates_GF2m(group,
tmp_point, X, NULL, ctx))
{
ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,ERR_R_EC_LIB);
goto err;
}
}
if (!BN_nnmod(r, X, order, ctx))
{
ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
goto err;
}
}
while (BN_is_zero(r));
/* compute the inverse of k */
if (!BN_mod_inverse(k, k, order, ctx))
{
ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
goto err;
}
/* clear old values if necessary */
if (*rp != NULL)
BN_clear_free(*rp);
if (*kinvp != NULL)
BN_clear_free(*kinvp);
/* save the pre-computed values */
*rp = r;
*kinvp = k;
ret = 1;
err:
if (!ret)
{
if (k != NULL) BN_clear_free(k);
if (r != NULL) BN_clear_free(r);
}
if (ctx_in == NULL)
BN_CTX_free(ctx);
if (order != NULL)
BN_free(order);
if (tmp_point != NULL)
EC_POINT_free(tmp_point);
if (X)
BN_clear_free(X);
return(ret);
}
/*
* Computes gost2001 signature as DSA_SIG structure
*
*
*/
DSA_SIG *gost2001_do_sign(const unsigned char *dgst,int dlen, EC_KEY *eckey)
{
DSA_SIG *newsig = NULL;
BIGNUM *md = hashsum2bn(dgst);
BIGNUM *order = NULL;
const EC_GROUP *group;
const BIGNUM *priv_key;
BIGNUM *r=NULL,*s=NULL,*X=NULL,*tmp=NULL,*tmp2=NULL, *k=NULL,*e=NULL;
EC_POINT *C=NULL;
BN_CTX *ctx = BN_CTX_new();
BN_CTX_start(ctx);
OPENSSL_assert(dlen==32);
newsig=DSA_SIG_new();
if (!newsig)
{
GOSTerr(GOST_F_GOST2001_DO_SIGN,GOST_R_NO_MEMORY);
goto err;
}
group = EC_KEY_get0_group(eckey);
order=BN_CTX_get(ctx);
EC_GROUP_get_order(group,order,ctx);
priv_key = EC_KEY_get0_private_key(eckey);
e = BN_CTX_get(ctx);
BN_mod(e,md,order,ctx);
#ifdef DEBUG_SIGN
fprintf(stderr,"digest as bignum=");
BN_print_fp(stderr,md);
fprintf(stderr,"\ndigest mod q=");
BN_print_fp(stderr,e);
fprintf(stderr,"\n");
#endif
if (BN_is_zero(e))
{
BN_one(e);
}
k =BN_CTX_get(ctx);
C=EC_POINT_new(group);
do
{
do
{
if (!BN_rand_range(k,order))
{
GOSTerr(GOST_F_GOST2001_DO_SIGN,GOST_R_RANDOM_NUMBER_GENERATOR_FAILED);
DSA_SIG_free(newsig);
goto err;
}
if (!EC_POINT_mul(group,C,k,NULL,NULL,ctx))
{
GOSTerr(GOST_F_GOST2001_DO_SIGN,ERR_R_EC_LIB);
DSA_SIG_free(newsig);
goto err;
}
if (!X) X=BN_CTX_get(ctx);
if (!EC_POINT_get_affine_coordinates_GFp(group,C,X,NULL,ctx))
{
GOSTerr(GOST_F_GOST2001_DO_SIGN,ERR_R_EC_LIB);
DSA_SIG_free(newsig);
goto err;
}
if (!r) r=BN_CTX_get(ctx);
BN_nnmod(r,X,order,ctx);
}
while (BN_is_zero(r));
/* s = (r*priv_key+k*e) mod order */
if (!tmp) tmp = BN_CTX_get(ctx);
BN_mod_mul(tmp,priv_key,r,order,ctx);
if (!tmp2) tmp2 = BN_CTX_get(ctx);
BN_mod_mul(tmp2,k,e,order,ctx);
if (!s) s=BN_CTX_get(ctx);
BN_mod_add(s,tmp,tmp2,order,ctx);
}
while (BN_is_zero(s));
newsig->s=BN_dup(s);
newsig->r=BN_dup(r);
err:
BN_CTX_end(ctx);
BN_CTX_free(ctx);
EC_POINT_free(C);
BN_free(md);
return newsig;
}
BIGNUM *BN_mod_inverse(BIGNUM *in,
const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx)
{
BIGNUM *A,*B,*X,*Y,*M,*D,*T,*R=NULL;
BIGNUM *ret=NULL;
int sign;
if ((BN_get_flags(a, BN_FLG_CONSTTIME) != 0) || (BN_get_flags(n, BN_FLG_CONSTTIME) != 0))
{
return BN_mod_inverse_no_branch(in, a, n, ctx);
}
bn_check_top(a);
bn_check_top(n);
BN_CTX_start(ctx);
A = BN_CTX_get(ctx);
B = BN_CTX_get(ctx);
X = BN_CTX_get(ctx);
D = BN_CTX_get(ctx);
M = BN_CTX_get(ctx);
Y = BN_CTX_get(ctx);
T = BN_CTX_get(ctx);
if (T == NULL) goto err;
if (in == NULL)
R=BN_new();
else
R=in;
if (R == NULL) goto err;
BN_one(X);
BN_zero(Y);
if (BN_copy(B,a) == NULL) goto err;
if (BN_copy(A,n) == NULL) goto err;
A->neg = 0;
if (B->neg || (BN_ucmp(B, A) >= 0))
{
if (!BN_nnmod(B, B, A, ctx)) goto err;
}
sign = -1;
/* From B = a mod |n|, A = |n| it follows that
*
* 0 <= B < A,
* -sign*X*a == B (mod |n|),
* sign*Y*a == A (mod |n|).
*/
if (BN_is_odd(n) && (BN_num_bits(n) <= (BN_BITS <= 32 ? 450 : 2048)))
{
/* Binary inversion algorithm; requires odd modulus.
* This is faster than the general algorithm if the modulus
* is sufficiently small (about 400 .. 500 bits on 32-bit
* sytems, but much more on 64-bit systems) */
int shift;
while (!BN_is_zero(B))
{
/*
* 0 < B < |n|,
* 0 < A <= |n|,
* (1) -sign*X*a == B (mod |n|),
* (2) sign*Y*a == A (mod |n|)
*/
/* Now divide B by the maximum possible power of two in the integers,
* and divide X by the same value mod |n|.
* When we're done, (1) still holds. */
shift = 0;
while (!BN_is_bit_set(B, shift)) /* note that 0 < B */
{
shift++;
if (BN_is_odd(X))
{
if (!BN_uadd(X, X, n)) goto err;
}
/* now X is even, so we can easily divide it by two */
if (!BN_rshift1(X, X)) goto err;
}
if (shift > 0)
{
if (!BN_rshift(B, B, shift)) goto err;
}
/* Same for A and Y. Afterwards, (2) still holds. */
shift = 0;
while (!BN_is_bit_set(A, shift)) /* note that 0 < A */
{
shift++;
if (BN_is_odd(Y))
{
if (!BN_uadd(Y, Y, n)) goto err;
}
/* now Y is even */
if (!BN_rshift1(Y, Y)) goto err;
}
if (shift > 0)
{
if (!BN_rshift(A, A, shift)) goto err;
}
/* We still have (1) and (2).
* Both A and B are odd.
* The following computations ensure that
*
* 0 <= B < |n|,
* 0 < A < |n|,
* (1) -sign*X*a == B (mod |n|),
* (2) sign*Y*a == A (mod |n|),
*
* and that either A or B is even in the next iteration.
*/
if (BN_ucmp(B, A) >= 0)
{
/* -sign*(X + Y)*a == B - A (mod |n|) */
if (!BN_uadd(X, X, Y)) goto err;
/* NB: we could use BN_mod_add_quick(X, X, Y, n), but that
* actually makes the algorithm slower */
if (!BN_usub(B, B, A)) goto err;
}
else
{
/* sign*(X + Y)*a == A - B (mod |n|) */
if (!BN_uadd(Y, Y, X)) goto err;
/* as above, BN_mod_add_quick(Y, Y, X, n) would slow things down */
if (!BN_usub(A, A, B)) goto err;
}
}
}
else
{
/* general inversion algorithm */
while (!BN_is_zero(B))
{
BIGNUM *tmp;
/*
* 0 < B < A,
* (*) -sign*X*a == B (mod |n|),
* sign*Y*a == A (mod |n|)
*/
/* (D, M) := (A/B, A%B) ... */
if (BN_num_bits(A) == BN_num_bits(B))
{
if (!BN_one(D)) goto err;
if (!BN_sub(M,A,B)) goto err;
}
else if (BN_num_bits(A) == BN_num_bits(B) + 1)
{
/* A/B is 1, 2, or 3 */
if (!BN_lshift1(T,B)) goto err;
if (BN_ucmp(A,T) < 0)
{
/* A < 2*B, so D=1 */
if (!BN_one(D)) goto err;
if (!BN_sub(M,A,B)) goto err;
}
else
{
/* A >= 2*B, so D=2 or D=3 */
if (!BN_sub(M,A,T)) goto err;
if (!BN_add(D,T,B)) goto err; /* use D (:= 3*B) as temp */
if (BN_ucmp(A,D) < 0)
{
/* A < 3*B, so D=2 */
if (!BN_set_word(D,2)) goto err;
/* M (= A - 2*B) already has the correct value */
}
else
{
/* only D=3 remains */
if (!BN_set_word(D,3)) goto err;
/* currently M = A - 2*B, but we need M = A - 3*B */
if (!BN_sub(M,M,B)) goto err;
}
}
}
else
{
if (!BN_div(D,M,A,B,ctx)) goto err;
}
/* Now
* A = D*B + M;
* thus we have
* (**) sign*Y*a == D*B + M (mod |n|).
*/
tmp=A; /* keep the BIGNUM object, the value does not matter */
/* (A, B) := (B, A mod B) ... */
A=B;
B=M;
/* ... so we have 0 <= B < A again */
/* Since the former M is now B and the former B is now A,
* (**) translates into
* sign*Y*a == D*A + B (mod |n|),
* i.e.
* sign*Y*a - D*A == B (mod |n|).
* Similarly, (*) translates into
* -sign*X*a == A (mod |n|).
*
* Thus,
* sign*Y*a + D*sign*X*a == B (mod |n|),
* i.e.
* sign*(Y + D*X)*a == B (mod |n|).
*
* So if we set (X, Y, sign) := (Y + D*X, X, -sign), we arrive back at
* -sign*X*a == B (mod |n|),
* sign*Y*a == A (mod |n|).
* Note that X and Y stay non-negative all the time.
*/
/* most of the time D is very small, so we can optimize tmp := D*X+Y */
if (BN_is_one(D))
{
if (!BN_add(tmp,X,Y)) goto err;
}
else
{
if (BN_is_word(D,2))
{
if (!BN_lshift1(tmp,X)) goto err;
}
else if (BN_is_word(D,4))
{
if (!BN_lshift(tmp,X,2)) goto err;
}
else if (D->top == 1)
{
if (!BN_copy(tmp,X)) goto err;
if (!BN_mul_word(tmp,D->d[0])) goto err;
}
else
{
if (!BN_mul(tmp,D,X,ctx)) goto err;
}
if (!BN_add(tmp,tmp,Y)) goto err;
}
M=Y; /* keep the BIGNUM object, the value does not matter */
Y=X;
X=tmp;
sign = -sign;
}
}
/*
* The while loop (Euclid's algorithm) ends when
* A == gcd(a,n);
* we have
* sign*Y*a == A (mod |n|),
* where Y is non-negative.
*/
if (sign < 0)
{
if (!BN_sub(Y,n,Y)) goto err;
}
/* Now Y*a == A (mod |n|). */
if (BN_is_one(A))
{
/* Y*a == 1 (mod |n|) */
if (!Y->neg && BN_ucmp(Y,n) < 0)
{
if (!BN_copy(R,Y)) goto err;
}
else
{
if (!BN_nnmod(R,Y,n,ctx)) goto err;
}
}
else
{
BNerr(BN_F_BN_MOD_INVERSE,BN_R_NO_INVERSE);
goto err;
}
ret=R;
err:
if ((ret == NULL) && (in == NULL)) BN_free(R);
BN_CTX_end(ctx);
bn_check_top(ret);
return(ret);
}
/*
* Computes gost_ec signature as DSA_SIG structure
*
*/
DSA_SIG *gost_ec_sign(const unsigned char *dgst, int dlen, EC_KEY *eckey)
{
DSA_SIG *newsig = NULL, *ret = NULL;
BIGNUM *md = NULL;
BIGNUM *order = NULL;
const EC_GROUP *group;
const BIGNUM *priv_key;
BIGNUM *r = NULL, *s = NULL, *X = NULL, *tmp = NULL, *tmp2 = NULL,
*k = NULL, *e = NULL;
EC_POINT *C = NULL;
BN_CTX *ctx;
OPENSSL_assert(dgst != NULL && eckey != NULL);
if (!(ctx = BN_CTX_new())) {
GOSTerr(GOST_F_GOST_EC_SIGN, ERR_R_MALLOC_FAILURE);
return NULL;
}
BN_CTX_start(ctx);
OPENSSL_assert(dlen == 32 || dlen == 64);
md = hashsum2bn(dgst, dlen);
newsig = DSA_SIG_new();
if (!newsig || !md) {
GOSTerr(GOST_F_GOST_EC_SIGN, ERR_R_MALLOC_FAILURE);
goto err;
}
group = EC_KEY_get0_group(eckey);
if (!group) {
GOSTerr(GOST_F_GOST_EC_SIGN, ERR_R_INTERNAL_ERROR);
goto err;
}
order = BN_CTX_get(ctx);
if (!order || !EC_GROUP_get_order(group, order, ctx)) {
GOSTerr(GOST_F_GOST_EC_SIGN, ERR_R_INTERNAL_ERROR);
goto err;
}
priv_key = EC_KEY_get0_private_key(eckey);
if (!priv_key) {
GOSTerr(GOST_F_GOST_EC_SIGN, ERR_R_INTERNAL_ERROR);
goto err;
}
e = BN_CTX_get(ctx);
if (!e || !BN_mod(e, md, order, ctx)) {
GOSTerr(GOST_F_GOST_EC_SIGN, ERR_R_INTERNAL_ERROR);
goto err;
}
#ifdef DEBUG_SIGN
fprintf(stderr, "digest as bignum=");
BN_print_fp(stderr, md);
fprintf(stderr, "\ndigest mod q=");
BN_print_fp(stderr, e);
fprintf(stderr, "\n");
#endif
if (BN_is_zero(e)) {
BN_one(e);
}
k = BN_CTX_get(ctx);
C = EC_POINT_new(group);
if (!k || !C) {
GOSTerr(GOST_F_GOST_EC_SIGN, ERR_R_MALLOC_FAILURE);
goto err;
}
do {
do {
if (!BN_rand_range(k, order)) {
GOSTerr(GOST_F_GOST_EC_SIGN, GOST_R_RNG_ERROR);
goto err;
}
/*
* To avoid timing information leaking the length of k,
* compute C*k using an equivalent scalar of fixed bit-length */
if (!BN_add(k, k, order)
|| (BN_num_bits(k) <= BN_num_bits(order)
&& !BN_add(k, k, order))) {
goto err;
}
if (!EC_POINT_mul(group, C, k, NULL, NULL, ctx)) {
GOSTerr(GOST_F_GOST_EC_SIGN, ERR_R_EC_LIB);
goto err;
}
if (!X)
X = BN_CTX_get(ctx);
if (!r)
r = BN_CTX_get(ctx);
if (!X || !r) {
GOSTerr(GOST_F_GOST_EC_SIGN, ERR_R_MALLOC_FAILURE);
goto err;
}
if (!EC_POINT_get_affine_coordinates_GFp(group, C, X, NULL, ctx)) {
GOSTerr(GOST_F_GOST_EC_SIGN, ERR_R_EC_LIB);
goto err;
}
if (!BN_nnmod(r, X, order, ctx)) {
GOSTerr(GOST_F_GOST_EC_SIGN, ERR_R_INTERNAL_ERROR);
goto err;
}
}
while (BN_is_zero(r));
/* s = (r*priv_key+k*e) mod order */
if (!tmp)
tmp = BN_CTX_get(ctx);
if (!tmp2)
tmp2 = BN_CTX_get(ctx);
if (!s)
s = BN_CTX_get(ctx);
if (!tmp || !tmp2 || !s) {
GOSTerr(GOST_F_GOST_EC_SIGN, ERR_R_MALLOC_FAILURE);
goto err;
}
if (!BN_mod_mul(tmp, priv_key, r, order, ctx)
|| !BN_mod_mul(tmp2, k, e, order, ctx)
|| !BN_mod_add(s, tmp, tmp2, order, ctx)) {
GOSTerr(GOST_F_GOST_EC_SIGN, ERR_R_INTERNAL_ERROR);
goto err;
}
}
while (BN_is_zero(s));
newsig->s = BN_dup(s);
newsig->r = BN_dup(r);
if (!newsig->s || !newsig->r) {
GOSTerr(GOST_F_GOST_EC_SIGN, ERR_R_MALLOC_FAILURE);
goto err;
}
ret = newsig;
err:
BN_CTX_end(ctx);
BN_CTX_free(ctx);
if (C)
EC_POINT_free(C);
if (md)
BN_free(md);
if (!ret && newsig) {
DSA_SIG_free(newsig);
}
return ret;
}
static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len,
const ECDSA_SIG *sig, EC_KEY *eckey)
{
int ret = -1, i;
BN_CTX *ctx;
BIGNUM *order, *u1, *u2, *m, *X;
EC_POINT *point = NULL;
const EC_GROUP *group;
const EC_POINT *pub_key;
/* check input values */
if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL ||
(pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL)
{
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ECDSA_R_MISSING_PARAMETERS);
return -1;
}
ctx = BN_CTX_new();
if (!ctx)
{
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_MALLOC_FAILURE);
return -1;
}
BN_CTX_start(ctx);
order = BN_CTX_get(ctx);
u1 = BN_CTX_get(ctx);
u2 = BN_CTX_get(ctx);
m = BN_CTX_get(ctx);
X = BN_CTX_get(ctx);
if (!X)
{
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
goto err;
}
if (!EC_GROUP_get_order(group, order, ctx))
{
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);
goto err;
}
if (BN_is_zero(sig->r) || BN_is_negative(sig->r) ||
BN_ucmp(sig->r, order) >= 0 || BN_is_zero(sig->s) ||
BN_is_negative(sig->s) || BN_ucmp(sig->s, order) >= 0)
{
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ECDSA_R_BAD_SIGNATURE);
ret = 0; /* signature is invalid */
goto err;
}
/* calculate tmp1 = inv(S) mod order */
if (!BN_mod_inverse(u2, sig->s, order, ctx))
{
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
goto err;
}
/* digest -> m */
i = BN_num_bits(order);
/* Need to truncate digest if it is too long: first truncate whole
* bytes.
*/
if (8 * dgst_len > i)
dgst_len = (i + 7)/8;
if (!BN_bin2bn(dgst, dgst_len, m))
{
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
goto err;
}
/* If still too long truncate remaining bits with a shift */
if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7)))
{
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
goto err;
}
/* u1 = m * tmp mod order */
if (!BN_mod_mul(u1, m, u2, order, ctx))
{
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
goto err;
}
/* u2 = r * w mod q */
if (!BN_mod_mul(u2, sig->r, u2, order, ctx))
{
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
goto err;
}
if ((point = EC_POINT_new(group)) == NULL)
{
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_MALLOC_FAILURE);
goto err;
}
if (!EC_POINT_mul(group, point, u1, pub_key, u2, ctx))
{
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);
goto err;
}
if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) == NID_X9_62_prime_field)
{
if (!EC_POINT_get_affine_coordinates_GFp(group,
point, X, NULL, ctx))
{
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);
goto err;
}
}
#ifndef OPENSSL_NO_EC2M
else /* NID_X9_62_characteristic_two_field */
{
if (!EC_POINT_get_affine_coordinates_GF2m(group,
point, X, NULL, ctx))
{
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);
goto err;
}
}
#endif
if (!BN_nnmod(u1, X, order, ctx))
{
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
goto err;
}
/* if the signature is correct u1 is equal to sig->r */
ret = (BN_ucmp(u1, sig->r) == 0);
err:
BN_CTX_end(ctx);
BN_CTX_free(ctx);
if (point)
EC_POINT_free(point);
return ret;
}
int ECDSA_do_verify(const uint8_t *digest, size_t digest_len,
const ECDSA_SIG *sig, const EC_KEY *eckey) {
int ret = 0;
BN_CTX *ctx;
BIGNUM *u1, *u2, *m, *X;
EC_POINT *point = NULL;
const EC_GROUP *group;
const EC_POINT *pub_key;
// check input values
if ((group = EC_KEY_get0_group(eckey)) == NULL ||
(pub_key = EC_KEY_get0_public_key(eckey)) == NULL ||
sig == NULL) {
OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_MISSING_PARAMETERS);
return 0;
}
ctx = BN_CTX_new();
if (!ctx) {
OPENSSL_PUT_ERROR(ECDSA, ERR_R_MALLOC_FAILURE);
return 0;
}
BN_CTX_start(ctx);
u1 = BN_CTX_get(ctx);
u2 = BN_CTX_get(ctx);
m = BN_CTX_get(ctx);
X = BN_CTX_get(ctx);
if (u1 == NULL || u2 == NULL || m == NULL || X == NULL) {
OPENSSL_PUT_ERROR(ECDSA, ERR_R_BN_LIB);
goto err;
}
const BIGNUM *order = EC_GROUP_get0_order(group);
if (BN_is_zero(sig->r) || BN_is_negative(sig->r) ||
BN_ucmp(sig->r, order) >= 0 || BN_is_zero(sig->s) ||
BN_is_negative(sig->s) || BN_ucmp(sig->s, order) >= 0) {
OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_BAD_SIGNATURE);
goto err;
}
// calculate tmp1 = inv(S) mod order
int no_inverse;
if (!BN_mod_inverse_odd(u2, &no_inverse, sig->s, order, ctx)) {
OPENSSL_PUT_ERROR(ECDSA, ERR_R_BN_LIB);
goto err;
}
if (!digest_to_bn(m, digest, digest_len, order)) {
goto err;
}
// u1 = m * tmp mod order
if (!BN_mod_mul(u1, m, u2, order, ctx)) {
OPENSSL_PUT_ERROR(ECDSA, ERR_R_BN_LIB);
goto err;
}
// u2 = r * w mod q
if (!BN_mod_mul(u2, sig->r, u2, order, ctx)) {
OPENSSL_PUT_ERROR(ECDSA, ERR_R_BN_LIB);
goto err;
}
point = EC_POINT_new(group);
if (point == NULL) {
OPENSSL_PUT_ERROR(ECDSA, ERR_R_MALLOC_FAILURE);
goto err;
}
if (!EC_POINT_mul(group, point, u1, pub_key, u2, ctx)) {
OPENSSL_PUT_ERROR(ECDSA, ERR_R_EC_LIB);
goto err;
}
if (!EC_POINT_get_affine_coordinates_GFp(group, point, X, NULL, ctx)) {
OPENSSL_PUT_ERROR(ECDSA, ERR_R_EC_LIB);
goto err;
}
if (!BN_nnmod(u1, X, order, ctx)) {
OPENSSL_PUT_ERROR(ECDSA, ERR_R_BN_LIB);
goto err;
}
// if the signature is correct u1 is equal to sig->r
if (BN_ucmp(u1, sig->r) != 0) {
OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_BAD_SIGNATURE);
goto err;
}
ret = 1;
err:
BN_CTX_end(ctx);
BN_CTX_free(ctx);
EC_POINT_free(point);
return ret;
}
int ec_GFp_simple_set_compressed_coordinates(const EC_GROUP *group,
EC_POINT *point, const BIGNUM *x_,
int y_bit, BN_CTX *ctx) {
BN_CTX *new_ctx = NULL;
BIGNUM *tmp1, *tmp2, *x, *y;
int ret = 0;
ERR_clear_error();
if (ctx == NULL) {
ctx = new_ctx = BN_CTX_new();
if (ctx == NULL) {
return 0;
}
}
y_bit = (y_bit != 0);
BN_CTX_start(ctx);
tmp1 = BN_CTX_get(ctx);
tmp2 = BN_CTX_get(ctx);
x = BN_CTX_get(ctx);
y = BN_CTX_get(ctx);
if (y == NULL) {
goto err;
}
/* Recover y. We have a Weierstrass equation
* y^2 = x^3 + a*x + b,
* so y is one of the square roots of x^3 + a*x + b. */
/* tmp1 := x^3 */
if (!BN_nnmod(x, x_, &group->field, ctx)) {
goto err;
}
if (group->meth->field_decode == 0) {
/* field_{sqr,mul} work on standard representation */
if (!group->meth->field_sqr(group, tmp2, x_, ctx) ||
!group->meth->field_mul(group, tmp1, tmp2, x_, ctx)) {
goto err;
}
} else {
if (!BN_mod_sqr(tmp2, x_, &group->field, ctx) ||
!BN_mod_mul(tmp1, tmp2, x_, &group->field, ctx)) {
goto err;
}
}
/* tmp1 := tmp1 + a*x */
if (group->a_is_minus3) {
if (!BN_mod_lshift1_quick(tmp2, x, &group->field) ||
!BN_mod_add_quick(tmp2, tmp2, x, &group->field) ||
!BN_mod_sub_quick(tmp1, tmp1, tmp2, &group->field)) {
goto err;
}
} else {
if (group->meth->field_decode) {
if (!group->meth->field_decode(group, tmp2, &group->a, ctx) ||
!BN_mod_mul(tmp2, tmp2, x, &group->field, ctx)) {
goto err;
}
} else {
/* field_mul works on standard representation */
if (!group->meth->field_mul(group, tmp2, &group->a, x, ctx)) {
goto err;
}
}
if (!BN_mod_add_quick(tmp1, tmp1, tmp2, &group->field)) {
goto err;
}
}
/* tmp1 := tmp1 + b */
if (group->meth->field_decode) {
if (!group->meth->field_decode(group, tmp2, &group->b, ctx) ||
!BN_mod_add_quick(tmp1, tmp1, tmp2, &group->field)) {
goto err;
}
} else {
if (!BN_mod_add_quick(tmp1, tmp1, &group->b, &group->field)) {
goto err;
}
}
if (!BN_mod_sqrt(y, tmp1, &group->field, ctx)) {
unsigned long err = ERR_peek_last_error();
if (ERR_GET_LIB(err) == ERR_LIB_BN &&
ERR_GET_REASON(err) == BN_R_NOT_A_SQUARE) {
ERR_clear_error();
OPENSSL_PUT_ERROR(EC, ec_GFp_simple_set_compressed_coordinates, EC_R_INVALID_COMPRESSED_POINT);
} else {
OPENSSL_PUT_ERROR(EC, ec_GFp_simple_set_compressed_coordinates, ERR_R_BN_LIB);
}
goto err;
}
if (y_bit != BN_is_odd(y)) {
if (BN_is_zero(y)) {
int kron;
kron = BN_kronecker(x, &group->field, ctx);
if (kron == -2) {
goto err;
}
if (kron == 1) {
OPENSSL_PUT_ERROR(EC, ec_GFp_simple_set_compressed_coordinates,
EC_R_INVALID_COMPRESSION_BIT);
} else {
/* BN_mod_sqrt() should have cought this error (not a square) */
OPENSSL_PUT_ERROR(EC, ec_GFp_simple_set_compressed_coordinates,
EC_R_INVALID_COMPRESSED_POINT);
}
goto err;
}
if (!BN_usub(y, &group->field, y)) {
goto err;
}
}
if (y_bit != BN_is_odd(y)) {
OPENSSL_PUT_ERROR(EC, ec_GFp_simple_set_compressed_coordinates,
ERR_R_INTERNAL_ERROR);
goto err;
}
if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx))
goto err;
ret = 1;
err:
BN_CTX_end(ctx);
if (new_ctx != NULL)
BN_CTX_free(new_ctx);
return ret;
}
static int ecdsa_sign_setup(const EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
BIGNUM **rp, const uint8_t *digest,
size_t digest_len) {
BN_CTX *ctx = NULL;
BIGNUM *k = NULL, *kinv = NULL, *r = NULL, *tmp = NULL;
EC_POINT *tmp_point = NULL;
const EC_GROUP *group;
int ret = 0;
if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL) {
OPENSSL_PUT_ERROR(ECDSA, ERR_R_PASSED_NULL_PARAMETER);
return 0;
}
if (ctx_in == NULL) {
if ((ctx = BN_CTX_new()) == NULL) {
OPENSSL_PUT_ERROR(ECDSA, ERR_R_MALLOC_FAILURE);
return 0;
}
} else {
ctx = ctx_in;
}
k = BN_new();
kinv = BN_new(); // this value is later returned in *kinvp
r = BN_new(); // this value is later returned in *rp
tmp = BN_new();
if (k == NULL || kinv == NULL || r == NULL || tmp == NULL) {
OPENSSL_PUT_ERROR(ECDSA, ERR_R_MALLOC_FAILURE);
goto err;
}
tmp_point = EC_POINT_new(group);
if (tmp_point == NULL) {
OPENSSL_PUT_ERROR(ECDSA, ERR_R_EC_LIB);
goto err;
}
const BIGNUM *order = EC_GROUP_get0_order(group);
// Check that the size of the group order is FIPS compliant (FIPS 186-4
// B.5.2).
if (BN_num_bits(order) < 160) {
OPENSSL_PUT_ERROR(ECDSA, EC_R_INVALID_GROUP_ORDER);
goto err;
}
do {
// If possible, we'll include the private key and message digest in the k
// generation. The |digest| argument is only empty if |ECDSA_sign_setup| is
// being used.
if (eckey->fixed_k != NULL) {
if (!BN_copy(k, eckey->fixed_k)) {
goto err;
}
} else if (digest_len > 0) {
do {
if (!BN_generate_dsa_nonce(k, order, EC_KEY_get0_private_key(eckey),
digest, digest_len, ctx)) {
OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED);
goto err;
}
} while (BN_is_zero(k));
} else if (!BN_rand_range_ex(k, 1, order)) {
OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED);
goto err;
}
// Compute the inverse of k. The order is a prime, so use Fermat's Little
// Theorem. Note |ec_group_get_order_mont| may return NULL but
// |bn_mod_inverse_prime| allows this.
if (!bn_mod_inverse_prime(kinv, k, order, ctx,
ec_group_get_order_mont(group))) {
OPENSSL_PUT_ERROR(ECDSA, ERR_R_BN_LIB);
goto err;
}
// We do not want timing information to leak the length of k,
// so we compute G*k using an equivalent scalar of fixed
// bit-length.
if (!BN_add(k, k, order)) {
goto err;
}
if (BN_num_bits(k) <= BN_num_bits(order)) {
if (!BN_add(k, k, order)) {
goto err;
}
}
// compute r the x-coordinate of generator * k
if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) {
OPENSSL_PUT_ERROR(ECDSA, ERR_R_EC_LIB);
goto err;
}
if (!EC_POINT_get_affine_coordinates_GFp(group, tmp_point, tmp, NULL,
ctx)) {
OPENSSL_PUT_ERROR(ECDSA, ERR_R_EC_LIB);
goto err;
}
if (!BN_nnmod(r, tmp, order, ctx)) {
OPENSSL_PUT_ERROR(ECDSA, ERR_R_BN_LIB);
goto err;
}
} while (BN_is_zero(r));
// clear old values if necessary
BN_clear_free(*rp);
BN_clear_free(*kinvp);
// save the pre-computed values
*rp = r;
*kinvp = kinv;
ret = 1;
err:
BN_clear_free(k);
if (!ret) {
BN_clear_free(kinv);
BN_clear_free(r);
}
if (ctx_in == NULL) {
BN_CTX_free(ctx);
}
EC_POINT_free(tmp_point);
BN_clear_free(tmp);
return ret;
}
