int rsa_ENCRYPTPRIVATE(RSA_CTX *ctx,unsigned char *data,unsigned long
int *datLen){
int t;
struct BigNum enc,m;
/* encrypt (sign) data with private key */
/* datLen must be == to bitsize/8 */
if(*datLen!=ctx->bits/8)
return BADDATALEN;
bnBegin(&enc);
bnBegin(&m);
t=bnInsertLittleBytes(&m,(void*)data,0,ctx->bits/8);
if(t<0){
bnEnd(&enc);
bnEnd(&m);
return BADTHINGS;
}
t=bnExpMod(&enc,&m,&ctx->d,&ctx->n);
if(t<0){
bnEnd(&enc);
bnEnd(&m);
return BADMOD;
}
bnExtractLittleBytes(&enc,(void*)data,0,ctx->bits/8);
bnEnd(&enc);
bnEnd(&m);
return OK;
}
int rsa_DECRYPTPUBLIC(RSA_CTX *ctx,unsigned char *data,unsigned long
int *datLen){
int t;
struct BigNum enc,m;
/* decrypt (verify) data encrypted with private key (verfied by public key) */
/* datLen must be == to bitsize/8 */
if(*datLen!=ctx->bits/8)
return BADDATALEN;
bnBegin(&enc);
bnBegin(&m);
t=bnInsertLittleBytes(&m,(void*)data,0,ctx->bits/8);
if(t<0){
bnEnd(&enc);
bnEnd(&m);
return BADTHINGS;
}
t=bnExpMod(&enc,&m,&ctx->e,&ctx->n);
if(t<0){
bnEnd(&enc);
bnEnd(&m);
return BADMOD;
}
bnExtractLittleBytes(&enc,(void*)data,0,ctx->bits/8);
bnEnd(&enc);
bnEnd(&m);
return OK;
}
static zrtp_status_t zrtp_dh_initialize( zrtp_pk_scheme_t *self,
zrtp_dh_crypto_context_t *dh_cc)
{
unsigned char* buffer = zrtp_sys_alloc(sizeof(zrtp_uchar128_t));
struct BigNum* p = _zrtp_get_p(self);
zrtp_time_t start_ts = zrtp_time_now();
ZRTP_LOG(1,(_ZTU_,"\tDH TEST: %.4s zrtp_dh_initialize() START. now=%llums.\n", self->base.type, start_ts));
if (!buffer) {
return zrtp_status_alloc_fail;
}
if (!p) {
zrtp_sys_free(buffer);
return zrtp_status_bad_param;
}
if (64 != zrtp_randstr(self->base.zrtp, buffer, 64)) {
zrtp_sys_free(buffer);
return zrtp_status_rng_fail;
}
bnBegin(&dh_cc->sv);
bnInsertBigBytes(&dh_cc->sv, (const unsigned char *)buffer, 0, self->sv_length);
bnBegin(&dh_cc->pv);
bnExpMod(&dh_cc->pv, &self->base.zrtp->G, &dh_cc->sv, p);
zrtp_sys_free(buffer);
ZRTP_LOG(1,(_ZTU_,"\tDH TEST: zrtp_dh_initialize() for %.4s was executed ts=%llums d=%llums.\n", self->base.type, zrtp_time_now(), zrtp_time_now()-start_ts));
return zrtp_status_ok;
}
int rsa_ENCRYPTPUBLIC(RSA_CTX *ctx,unsigned char *data,unsigned long int
*datLen){
int t;
struct BigNum enc,m;
/* encrypt data using public key */
/* datLen must be == to bitsize/8 */
if(*datLen!=ctx->bits/8)
return BADDATALEN;
bnBegin(&enc);
bnBegin(&m);
t=bnInsertLittleBytes(&m,(void*)data,0,ctx->bits/8);
if(t<0){
bnEnd(&enc);
bnEnd(&m);
return BADTHINGS;
}
t=bnExpMod(&enc,&m,&ctx->e,&ctx->n);
if(t<0){
bnEnd(&enc);
bnEnd(&m);
return BADTHINGS;
}
bnExtractLittleBytes(&enc,(void*)data,0,(ctx->bits/8));
bnEnd(&enc);
bnEnd(&m);
return OK;
}
int
rsaPublicEncrypt(BigNum *bn, PGPByte const *in, unsigned len,
RSApub const *pub, PGPRandomContext const *rc)
{
unsigned bytes = (bnBits(&pub->n)+7)/8;
pgpPKCSPack(bn, in, len, PKCS_PAD_ENCRYPTED, bytes, rc);
bndPrintf("RSA encrypting.\n");
bndPut("plaintext = ", bn);
return bnExpMod(bn, bn, &pub->e, &pub->n);
}
/*
* Decrypt a message with a public key.
* These destroy (actually, replace with a decrypted version) the
* input bignum bn.
*
* It recongizes the PGP 2.2 format, but not in all its generality;
* only the one case (framing byte = 1, length = 16) which was ever
* generated. It fakes the DER prefix in that case.
*
* Performs an RSA signature check. Returns a prefix of the unwrapped
* data in the given buf. Returns the length of the untruncated
* data, which may exceed "len". Returns <0 on error.
*/
int
rsaPublicDecrypt(PGPByte *buf, unsigned len, BigNum *bn,
RSApub const *pub)
{
unsigned bytes;
bndPrintf("RSA signature checking.\n");
if (bnExpMod(bn, bn, &pub->e, &pub->n) < 0)
return kPGPError_OutOfMemory;
bndPut("decrypted = ", bn);
bytes = (bnBits(&pub->n)+7)/8;
return pgpPKCSUnpack(buf, len, bn, PKCS_PAD_SIGNED, bytes);
}
int32_t ZrtpDH::generatePublicKey()
{
dhCtx* tmpCtx = static_cast<dhCtx*>(ctx);
bnBegin(&tmpCtx->pubKey);
switch (pkType) {
case DH2K:
bnExpMod(&tmpCtx->pubKey, &two, &tmpCtx->privKey, &bnP2048);
break;
case DH3K:
bnExpMod(&tmpCtx->pubKey, &two, &tmpCtx->privKey, &bnP3072);
break;
case EC25:
case EC38:
case E255:
case E414:
while (!ecdhGeneratePublic(&tmpCtx->curve, &tmpCtx->pubPoint, &tmpCtx->privKey))
ecGenerateRandomNumber(&tmpCtx->curve, &tmpCtx->privKey);
}
return 0;
}
/*----------------------------------------------------------------------------*/
static zrtp_status_t zrtp_dh_compute( zrtp_pk_scheme_t *self,
zrtp_dh_crypto_context_t *dh_cc,
struct BigNum *dhresult,
struct BigNum *pv)
{
struct BigNum* p = _zrtp_get_p(self);
zrtp_time_t start_ts = zrtp_time_now();
if (!p) {
return zrtp_status_bad_param;
}
ZRTP_LOG(1,(_ZTU_,"\tDH TEST: %.4s zrtp_dh_compute() START. now=%llums.\n", self->base.type, start_ts));
bnExpMod(dhresult, pv, &dh_cc->sv, p);
ZRTP_LOG(1,(_ZTU_,"\tDH TEST: zrtp_dh_compute() for %.4s was executed ts=%llums d=%llums.\n", self->base.type, zrtp_time_now(), zrtp_time_now()-start_ts));
return zrtp_status_ok;
}
/* n = n^exp, modulo "mod" "mod" *must* be odd */
PGPError
PGPBigNumExpMod(
PGPBigNumRef n,
PGPBigNumRef exponent,
PGPBigNumRef mod,
PGPBigNumRef dest )
{
PGPError err = kPGPError_NoErr;
pgpValidateBigNum( n );
pgpValidateBigNum( exponent );
pgpValidateBigNum( mod );
pgpValidateBigNum( dest );
PGPValidateParam( dest != n && dest != exponent && dest != mod );
if ( IsBNError( bnExpMod( &dest->bn,
&n->bn, &exponent->bn, &mod->bn ) ) )
{
err = kPGPError_OutOfMemory;
}
return( err );
}
static int
dsaSign(PGPSecKey *seckey, PGPHashVTBL const *h, PGPByte const *hash,
PGPByte *sig, size_t *siglen, PGPRandomContext const *rc,
PGPPublicKeyMessageFormat format)
{
#if PGP_SIGN_DISABLE /* [ */
(void)seckey;
(void)h;
(void)hash;
(void)sig;
(void)siglen;
(void)rc;
(void)format;
return kPGPError_FeatureNotAvailable;
#else /* PGP_SIGN_DISABLE */ /* ] [ */
DSAsecPlus *sec = (DSAsecPlus *)seckey->priv;
BigNum r, s, bn, k;
unsigned t;
unsigned qbits;
unsigned qbytes;
int i;
PGPRandomContext *rc2;
PGPMemoryMgrRef mgr = NULL;
mgr = PGPGetContextMemoryMgr( seckey->context );
(void)h;
/* We don't need this argument, although other algorithms may... */
(void)format;
ASSERTDSA(seckey->pkAlg);
/* Allow generalizations of SHA as long as they are big enough */
#if 0
pgpAssert(h->algorithm == kPGPHashAlgorithm_SHA);
#else
pgpAssert(h->hashsize*8 >= bnBits(&sec->s.q));
/* Make sure that q is the right size of we are using regular SHA hash */
pgpAssert( ! (h->algorithm == kPGPHashAlgorithm_SHA
&& bnBits(&sec->s.q) != h->hashsize*8) );
#endif
if (sec->locked)
return kPGPError_KeyIsLocked;
/*
* DSA requires a secret k. This k is *very* important
* to keep secret. Consider, the DSA signing equations are:
* r = (g^k mod p) mod q, and
* s = k^-1 * (H(m) + x*r) mod q,
* so if you know k (and, the signature r, s and H), then
* x = r^-1 * (k*s - H(m))
* If we ever pick two k values the same, then
* r = (g^k mod p) mod q is the same for both signatures, and
* s1 = k^-1 * (H1 + x * r)
* s2 = k^-1 * (H2 + x * r)
* k = (H1-H2) / (s1-s2)
* and proceed from there.
*
* So we need to make *very* sure there's no problem. To make
* sure, we add a layer on top of the passed-in RNG. We assume
* the passed-in RNG is good enough to never repeat (not a
* difficult task), and apply an additional X9.17 generator on
* top of that, seeded with the secret x, which is destroyed
* before leaving this function.
*
* In addition, we add entropy from the hash to the original RNG.
* This will prevent us from using the same k value twice if the
* messages are different.
*/
pgpRandomAddBytes(rc, hash, bnBytes(&sec->s.q));
rc2 = pgpRandomCreateX9_17( rc->context, kPGPCipherAlgorithm_CAST5, rc);
if (!rc2)
return kPGPError_OutOfMemory;
pgpRandomBnSeed(rc2, &sec->s.x);
/*
* Of these values, only k is inherently sensitive, but others may
* hold some intermediate results we would prefer not to have leaked.
* So mark all as sensitive.
*/
bnBegin(&r, mgr, TRUE );
bnBegin(&s, mgr, TRUE );
bnBegin(&bn, mgr, TRUE );
bnBegin(&k, mgr, TRUE );
/*
* Choose the random k value to be used for this signature.
* Make it a bit bigger than q so it is fairly uniform mod q.
*/
qbits = bnBits(&sec->s.q);
qbytes = bnBytes(&sec->s.q);
if (pgpBnGenRand(&k, rc2, qbits+8, 0, 1, qbits) < 0 ||
bnMod(&k, &k, &sec->s.q) < 0)
goto nomem;
/* Raise g to k power mod p then mod q to get r */
if (bnExpMod(&r, &sec->s.g, &k, &sec->s.p) < 0 ||
bnMod(&r, &r, &sec->s.q) < 0)
goto nomem;
/* r*x mod q into s */
if (bnMul(&s, &r, &sec->s.x) < 0 ||
bnMod(&s, &s, &sec->s.q) < 0)
goto nomem;
/* Pack message hash M into buffer bn */
if (bnInsertBigBytes(&bn, hash, 0, bnBytes(&sec->s.q)) < 0)
goto nomem;
if (bnMod(&bn, &bn, &sec->s.q) < 0)
goto nomem;
/* Add into s */
if (bnAdd(&s, &bn) < 0 ||
bnMod(&s, &s, &sec->s.q) < 0)
goto nomem;
/* Divide by k, mod q (k inverse held in bn) */
if (bnInv(&bn, &k, &sec->s.q) < 0 ||
bnMul(&s, &s, &bn) < 0 ||
bnMod(&s, &s, &sec->s.q) < 0)
goto nomem;
/* That's it, now to pack r and then s into the buffer */
t = 0;
if (format == kPGPPublicKeyMessageFormat_X509) {
/* Put in SEQUENCE header for 509 sig data */
PGPUInt32 len_seq, lenlen_seq;
/* Count size of sequence, counting a 0 byte if hi bit is set */
if (8*qbytes == bnBits(&r))
len_seq = pgpBnX509LenLen(qbytes+1) + 1 + qbytes+1;
else
len_seq = pgpBnX509LenLen(qbytes) + 1 + qbytes;
if (8*qbytes == bnBits(&s))
len_seq += pgpBnX509LenLen(qbytes+1) + 1 + qbytes+1;
else
len_seq += pgpBnX509LenLen(qbytes) + 1 + qbytes;
lenlen_seq = pgpBnX509LenLen(len_seq);
sig[t++] = X509_TAG_SEQUENCE | X509_TAG_CONSTRUCTED;
if (--lenlen_seq == 0) {
sig[t++] = len_seq;
} else {
sig[t++] = 0x80 | lenlen_seq;
len_seq <<= 8 * (4-lenlen_seq);
while (lenlen_seq--) {
sig[t++] = (PGPByte)(len_seq >> 24);
len_seq <<= 8;
}
}
}
/*
* This performs a modular exponentiation using the Chinese Remainder
* Algorithm when the modulus is known to have two relatively prime
* factors n = p * q, and u = p^-1 (mod q) has been precomputed.
*
* The chinese remainder algorithm lets a computation mod n be performed
* mod p and mod q, and the results combined. Since it takes
* (considerably) more than twice as long to perform modular exponentiation
* mod n as it does to perform it mod p and mod q, time is saved.
*
* If x is the desired result, let xp and xq be the values of x mod p
* and mod q, respectively. Obviously, x = xp + p * k for some k.
* Taking this mod q, xq == xp + p*k (mod q), so p*k == xq-xp (mod q)
* and k == p^-1 * (xq-xp) (mod q), so k = u * (xq-xp mod q) mod q.
* After that, x = xp + p * k.
*
* Another savings comes from reducing the exponent d modulo phi(p)
* and phi(q). Here, we assume that p and q are prime, so phi(p) = p-1
* and phi(q) = q-1.
*/
static int
bnExpModCRA(BigNum *x, BigNum const *d,
BigNum const *p, BigNum const *q, BigNum const *u)
{
BigNum xp, xq, k;
int i;
PGPMemoryMgrRef mgr = x->mgr;
bndPrintf("Performing Chinese Remainder Algorithm\n");
bndPut("x = ", x);
bndPut("p = ", p);
bndPut("q = ", q);
bndPut("d = ", d);
bndPut("u = ", u);
bnBegin(&xp, mgr, TRUE);
bnBegin(&xq, mgr, TRUE);
bnBegin(&k, mgr, TRUE);
/* Compute xp = (x mod p) ^ (d mod p-1) mod p */
if (bnCopy(&xp, p) < 0) /* First, use xp to hold p-1 */
goto fail;
(void)bnSubQ(&xp, 1); /* p > 1, so subtracting is safe. */
if (bnMod(&k, d, &xp) < 0) /* k = d mod (p-1) */
goto fail;
bndPut("d mod p-1 = ", &k);
if (bnMod(&xp, x, p) < 0) /* Now xp = (x mod p) */
goto fail;
bndPut("x mod p = ", &xp);
if (bnExpMod(&xp, &xp, &k, p) < 0) /* xp = (x mod p)^k mod p */
goto fail;
bndPut("xp = x^d mod p = ", &xp);
/* Compute xq = (x mod q) ^ (d mod q-1) mod q */
if (bnCopy(&xq, q) < 0) /* First, use xq to hold q-1 */
goto fail;
(void)bnSubQ(&xq, 1); /* q > 1, so subtracting is safe. */
if (bnMod(&k, d, &xq) < 0) /* k = d mod (q-1) */
goto fail;
bndPut("d mod q-1 = ", &k);
if (bnMod(&xq, x, q) < 0) /* Now xq = (x mod q) */
goto fail;
bndPut("x mod q = ", &xq);
if (bnExpMod(&xq, &xq, &k, q) < 0) /* xq = (x mod q)^k mod q */
goto fail;
bndPut("xq = x^d mod q = ", &xq);
/* xp < p and PGP has p < q, so this is a no-op, but just in case */
if (bnMod(&k, &xp, q) < 0)
goto fail;
bndPut("xp mod q = ", &k);
i = bnSub(&xq, &k);
bndPut("xq - xp = ", &xq);
bndPrintf("With sign %d\n", i);
if (i < 0)
goto fail;
if (i) {
/*
* Borrow out - xq-xp is negative, so bnSub returned
* xp-xq instead, the negative of the true answer.
* Add q back (which is subtracting from the negative)
* so the sign flips again.
*/
i = bnSub(&xq, q);
if (i < 0)
goto fail;
bndPut("xq - xp mod q = ", &xq);
bndPrintf("With sign %d\n", i); /* Must be 1 */
}
/* Compute k = xq * u mod q */
if (bnMul(&k, u, &xq) < 0)
goto fail;
bndPut("(xq-xp) * u = ", &k);
if (bnMod(&k, &k, q) < 0)
goto fail;
bndPut("k = (xq-xp)*u % q = ", &k);
/* Now x = k * p + xp is the final answer */
if (bnMul(x, &k, p) < 0)
goto fail;
bndPut("k * p = ", x);
if (bnAdd(x, &xp) < 0)
goto fail;
bndPut("k*p + xp = ", x);
#if BNDEBUG /* @@@ DEBUG - do it the slow way for comparison */
if (bnMul(&xq, p, q) < 0)
goto fail;
bndPut("n = p*q = ", &xq);
if (bnExpMod(&xp, x, d, &xq) < 0)
goto fail;
bndPut("x^d mod n = ", &xp);
if (bnCmp(x, &xp) != 0) {
bndPrintf("Nasty!!!\n");
goto fail;
}
bnSetQ(&k, 17);
bnExpMod(&xp, &xp, &k, &xq);
bndPut("x^17 mod n = ", &xp);
#endif
bnEnd(&xp);
bnEnd(&xq);
bnEnd(&k);
return 0;
fail:
bnEnd(&xp);
bnEnd(&xq);
bnEnd(&k);
return kPGPError_OutOfMemory;
}
/*
* Modifies the bignum to return a nearby (slightly larger) number which
* is a probable prime. Returns >=0 on success or -1 on failure (out of
* memory). The return value is the number of unsuccessful modular
* exponentiations performed. This never gives up searching.
*
* All other arguments are optional. They may be NULL. They are:
*
* unsigned (*randfunc)(unsigned limit)
* For better distributed numbers, supply a non-null pointer to a
* function which returns a random x, 0 <= x < limit. (It may make it
* simpler to know that 0 < limit <= SHUFFLE, so you need at most a byte.)
* The program generates a large window of sieve data and then does
* pseudoprimality tests on the data. If a randfunc function is supplied,
* the candidates which survive sieving are shuffled with a window of
* size SHUFFLE before testing to increase the uniformity of the prime
* selection. This isn't perfect, but it reduces the correlation between
* the size of the prime-free gap before a prime and the probability
* that that prime will be found by a sequential search.
*
* If randfunc is NULL, sequential search is used. If you want sequential
* search, note that the search begins with the given number; if you're
* trying to generate consecutive primes, you must increment the previous
* one by two before calling this again.
*
* int (*f)(void *arg, int c), void *arg
* The function f argument, if non-NULL, is called with progress indicator
* characters for printing. A dot (.) is written every time a primality test
* is failed, a star (*) every time one is passed, and a slash (/) in the
* (very rare) case that the sieve was emptied without finding a prime
* and is being refilled. f is also passed the void *arg argument for
* private context storage. If f returns < 0, the test aborts and returns
* that value immediately. (bn is set to the last value tested, so you
* can increment bn and continue.)
*
* The "exponent" argument, and following unsigned numbers, are exponents
* for which an inverse is desired, modulo p. For a d to exist such that
* (x^e)^d == x (mod p), then d*e == 1 (mod p-1), so gcd(e,p-1) must be 1.
* The prime returned is constrained to not be congruent to 1 modulo
* any of the zero-terminated list of 16-bit numbers. Note that this list
* should contain all the small prime factors of e. (You'll have to test
* for large prime factors of e elsewhere, but the chances of needing to
* generate another prime are low.)
*
* The list is terminated by a 0, and may be empty.
*/
int
bnPrimeGen(BigNum *bn, unsigned (*randfunc)(unsigned),
int (*f)(void *arg, int c), void *arg, unsigned exponent, ...)
{
int retval;
int modexps = 0;
unsigned short offsets[SHUFFLE];
unsigned i, j;
unsigned p, q, prev;
BigNum a, e;
#ifdef MSDOS
unsigned char *sieve;
#else
unsigned char sieve[SIEVE];
#endif
#ifdef MSDOS
sieve = bniMemAlloc(SIEVE);
if (!sieve)
return -1;
#endif
PGPBoolean isSecure = TRUE;
PGPMemoryMgrRef mgr = bn->mgr;
bnBegin(&a, mgr, isSecure);
bnBegin(&e, mgr, isSecure);
#if 0 /* Self-test (not used for production) */
{
BigNum t;
static unsigned char const prime1[] = {5};
static unsigned char const prime2[] = {7};
static unsigned char const prime3[] = {11};
static unsigned char const prime4[] = {1, 1}; /* 257 */
static unsigned char const prime5[] = {0xFF, 0xF1}; /* 65521 */
static unsigned char const prime6[] = {1, 0, 1}; /* 65537 */
static unsigned char const prime7[] = {1, 0, 3}; /* 65539 */
/* A small prime: 1234567891 */
static unsigned char const prime8[] = {0x49, 0x96, 0x02, 0xD3};
/* A slightly larger prime: 12345678901234567891 */
static unsigned char const prime9[] = {
0xAB, 0x54, 0xA9, 0x8C, 0xEB, 0x1F, 0x0A, 0xD3 };
/*
* No, 123456789012345678901234567891 isn't prime; it's just a
* lucky, easy-to-remember conicidence. (You have to go to
* ...4567907 for a prime.)
*/
static struct {
unsigned char const *prime;
unsigned size;
} const primelist[] = {
{ prime1, sizeof(prime1) },
{ prime2, sizeof(prime2) },
{ prime3, sizeof(prime3) },
{ prime4, sizeof(prime4) },
{ prime5, sizeof(prime5) },
{ prime6, sizeof(prime6) },
{ prime7, sizeof(prime7) },
{ prime8, sizeof(prime8) },
{ prime9, sizeof(prime9) } };
bnBegin(&t);
for (i = 0; i < sizeof(primelist)/sizeof(primelist[0]); i++) {
bnInsertBytes(&t, primelist[i].prime, 0,
primelist[i].size);
bnCopy(&e, &t);
(void)bnSubQ(&e, 1);
bnTwoExpMod(&a, &e, &t);
p = bnBits(&a);
if (p != 1) {
printf(
"Bug: Fermat(2) %u-bit output (1 expected)\n", p);
fputs("Prime = 0x", stdout);
for (j = 0; j < primelist[i].size; j++)
printf("%02X", primelist[i].prime[j]);
putchar('\n');
}
bnSetQ(&a, 3);
bnExpMod(&a, &a, &e, &t);
p = bnBits(&a);
if (p != 1) {
printf(
"Bug: Fermat(3) %u-bit output (1 expected)\n", p);
fputs("Prime = 0x", stdout);
for (j = 0; j < primelist[i].size; j++)
printf("%02X", primelist[i].prime[j]);
putchar('\n');
}
}
bnEnd(&t);
}
#endif
/* First, make sure that bn is odd. */
if ((bnLSWord(bn) & 1) == 0)
(void)bnAddQ(bn, 1);
retry:
/* Then build a sieve starting at bn. */
sieveBuild(sieve, SIEVE, bn, 2, 0);
/* Do the extra exponent sieving */
if (exponent) {
va_list ap;
unsigned t = exponent;
va_start(ap, exponent);
do {
/* The exponent had better be odd! */
pgpAssert(t & 1);
i = bnModQ(bn, t);
/* Find 1-i */
if (i == 0)
i = 1;
else if (--i)
i = t - i;
/* Divide by 2, modulo the exponent */
i = (i & 1) ? i/2 + t/2 + 1 : i/2;
/* Remove all following multiples from the sieve. */
sieveSingle(sieve, SIEVE, i, t);
/* Get the next exponent value */
t = va_arg(ap, unsigned);
} while (t);
va_end(ap);
}
/* Fill up the offsets array with the first SHUFFLE candidates */
i = p = 0;
/* Get first prime */
if (sieve[0] & 1 || (p = sieveSearch(sieve, SIEVE, p)) != 0) {
offsets[i++] = p;
p = sieveSearch(sieve, SIEVE, p);
}
/*
* Okay, from this point onwards, p is always the next entry
* from the sieve, that has not been added to the shuffle table,
* and is 0 iff the sieve has been exhausted.
*
* If we want to shuffle, then fill the shuffle table until the
* sieve is exhausted or the table is full.
*/
if (randfunc && p) {
do {
offsets[i++] = p;
p = sieveSearch(sieve, SIEVE, p);
} while (p && i < SHUFFLE);
}
/* Choose a random candidate for experimentation */
prev = 0;
while (i) {
/* Pick a random entry from the shuffle table */
j = randfunc ? randfunc(i) : 0;
q = offsets[j]; /* The entry to use */
/* Replace the entry with some more data, if possible */
if (p) {
offsets[j] = p;
p = sieveSearch(sieve, SIEVE, p);
} else {
offsets[j] = offsets[--i];
offsets[i] = 0;
}
/* Adjust bn to have the right value */
if ((q > prev ? bnAddMult(bn, q-prev, 2)
: bnSubMult(bn, prev-q, 2)) < 0)
goto failed;
prev = q;
/* Now do the Fermat tests */
retval = primeTest(bn, &e, &a, f, arg);
if (retval <= 0)
goto done; /* Success or error */
modexps += retval;
if (f && (retval = f(arg, '.')) < 0)
goto done;
}
/* Ran out of sieve space - increase bn and keep trying. */
if (bnAddMult(bn, SIEVE*8-prev, 2) < 0)
goto failed;
if (f && (retval = f(arg, '/')) < 0)
goto done;
goto retry;
failed:
retval = -1;
done:
bnEnd(&e);
bnEnd(&a);
bniMemWipe(offsets, sizeof(offsets));
#ifdef MSDOS
bniMemFree(sieve, SIEVE);
#else
bniMemWipe(sieve, sizeof(sieve));
#endif
return retval < 0 ? retval : modexps + CONFIRMTESTS;
}
/*
* Helper function that does the slow primality test.
* bn is the input bignum; a and e are temporary buffers that are
* allocated by the caller to save overhead.
*
* Returns 0 if prime, >0 if not prime, and -1 on error (out of memory).
* If not prime, returns the number of modular exponentiations performed.
* Calls the given progress function with a '*' for each primality test
* that is passed.
*
* The testing consists of strong pseudoprimality tests, to the bases given
* in the confirm[] array above. (Also called Miller-Rabin, although that's
* not technically correct if we're using fixed bases.) Some people worry
* that this might not be enough. Number theorists may wish to generate
* primality proofs, but for random inputs, this returns non-primes with
* a probability which is quite negligible, which is good enough.
*
* It has been proved (see Carl Pomerance, "On the Distribution of
* Pseudoprimes", Math. Comp. v.37 (1981) pp. 587-593) that the number of
* pseudoprimes (composite numbers that pass a Fermat test to the base 2)
* less than x is bounded by:
* exp(ln(x)^(5/14)) <= P_2(x) ### CHECK THIS FORMULA - it looks wrong! ###
* P_2(x) <= x * exp(-1/2 * ln(x) * ln(ln(ln(x))) / ln(ln(x))).
* Thus, the local density of Pseudoprimes near x is at most
* exp(-1/2 * ln(x) * ln(ln(ln(x))) / ln(ln(x))), and at least
* exp(ln(x)^(5/14) - ln(x)). Here are some values of this function
* for various k-bit numbers x = 2^k:
* Bits Density <= Bit equivalent Density >= Bit equivalent
* 128 3.577869e-07 21.414396 4.202213e-37 120.840190
* 192 4.175629e-10 31.157288 4.936250e-56 183.724558
* 256 5.804314e-13 40.647940 4.977813e-75 246.829095
* 384 1.578039e-18 59.136573 3.938861e-113 373.400096
* 512 5.858255e-24 77.175803 2.563353e-151 500.253110
* 768 1.489276e-34 112.370944 7.872825e-228 754.422724
* 1024 6.633188e-45 146.757062 1.882404e-304 1008.953565
*
* As you can see, there's quite a bit of slop between these estimates.
* In fact, the density of pseudoprimes is conjectured to be closer to the
* square of that upper bound. E.g. the density of pseudoprimes of size
* 256 is around 3 * 10^-27. The density of primes is very high, from
* 0.005636 at 256 bits to 0.001409 at 1024 bits, i.e. more than 10^-3.
*
* For those people used to cryptographic levels of security where the
* 56 bits of DES key space is too small because it's exhaustible with
* custom hardware searching engines, note that you are not generating
* 50,000,000 primes per second on each of 56,000 custom hardware chips
* for several hours. The chances that another Dinosaur Killer asteroid
* will land today is about 10^-11 or 2^-36, so it would be better to
* spend your time worrying about *that*. Well, okay, there should be
* some derating for the chance that astronomers haven't seen it yet,
* but I think you get the idea. For a good feel about the probability
* of various events, I have heard that a good book is by E'mile Borel,
* "Les Probabilite's et la vie". (The 's are accents, not apostrophes.)
*
* For more on the subject, try "Finding Four Million Large Random Primes",
* by Ronald Rivest, in Advancess in Cryptology: Proceedings of Crypto
* '90. He used a small-divisor test, then a Fermat test to the base 2,
* and then 8 iterations of a Miller-Rabin test. About 718 million random
* 256-bit integers were generated, 43,741,404 passed the small divisor
* test, 4,058,000 passed the Fermat test, and all 4,058,000 passed all
* 8 iterations of the Miller-Rabin test, proving their primality beyond
* most reasonable doubts.
*
* If the probability of getting a pseudoprime is some small p, then the
* probability of not getting it in t trials is (1-p)^t. Remember that,
* for small p, (1-p)^(1/p) ~ 1/e, the base of natural logarithms.
* (This is more commonly expressed as e = lim_{x\to\infty} (1+1/x)^x.)
* Thus, (1-p)^t ~ e^(-p*t) = exp(-p*t). So the odds of being able to
* do this many tests without seeing a pseudoprime if you assume that
* p = 10^-6 (one in a million) is one in 57.86. If you assume that
* p = 2*10^-6, it's one in 3347.6. So it's implausible that the density
* of pseudoprimes is much more than one millionth the density of primes.
*
* He also gives a theoretical argument that the chance of finding a
* 256-bit non-prime which satisfies one Fermat test to the base 2 is
* less than 10^-22. The small divisor test improves this number, and
* if the numbers are 512 bits (as needed for a 1024-bit key) the odds
* of failure shrink to about 10^-44. Thus, he concludes, for practical
* purposes *one* Fermat test to the base 2 is sufficient.
*/
static int
primeTest(BigNum const *bn, BigNum *e, BigNum *a,
int (*f)(void *arg, int c), void *arg)
{
unsigned i, j;
unsigned k, l;
int err;
#if BNDEBUG /* Debugging */
/*
* This is debugging code to test the sieving stage.
* If the sieving is wrong, it will let past numbers with
* small divisors. The prime test here will still work, and
* weed them out, but you'll be doing a lot more slow tests,
* and presumably excluding from consideration some other numbers
* which might be prime. This check just verifies that none
* of the candidates have any small divisors. If this
* code is enabled and never triggers, you can feel quite
* confident that the sieving is doing its job.
*/
i = bnLSWord(bn);
if (!(i % 2)) printf("bn div by 2!");
i = bnModQ(bn, 51051); /* 51051 = 3 * 7 * 11 * 13 * 17 */
if (!(i % 3)) printf("bn div by 3!");
if (!(i % 7)) printf("bn div by 7!");
if (!(i % 11)) printf("bn div by 11!");
if (!(i % 13)) printf("bn div by 13!");
if (!(i % 17)) printf("bn div by 17!");
i = bnModQ(bn, 63365); /* 63365 = 5 * 19 * 23 * 29 */
if (!(i % 5)) printf("bn div by 5!");
if (!(i % 19)) printf("bn div by 19!");
if (!(i % 23)) printf("bn div by 23!");
if (!(i % 29)) printf("bn div by 29!");
i = bnModQ(bn, 47027); /* 47027 = 31 * 37 * 41 */
if (!(i % 31)) printf("bn div by 31!");
if (!(i % 37)) printf("bn div by 37!");
if (!(i % 41)) printf("bn div by 41!");
#endif
/*
* Now, check that bn is prime. If it passes to the base 2,
* it's prime beyond all reasonable doubt, and everything else
* is just gravy, but it gives people warm fuzzies to do it.
*
* This starts with verifying Euler's criterion for a base of 2.
* This is the fastest pseudoprimality test that I know of,
* saving a modular squaring over a Fermat test, as well as
* being stronger. 7/8 of the time, it's as strong as a strong
* pseudoprimality test, too. (The exception being when bn ==
* 1 mod 8 and 2 is a quartic residue, i.e. bn is of the form
* a^2 + (8*b)^2.) The precise series of tricks used here is
* not documented anywhere, so here's an explanation.
* Euler's criterion states that if p is prime then a^((p-1)/2)
* is congruent to Jacobi(a,p), modulo p. Jacobi(a,p) is
* a function which is +1 if a is a square modulo p, and -1 if
* it is not. For a = 2, this is particularly simple. It's
* +1 if p == +/-1 (mod 8), and -1 if m == +/-3 (mod 8).
* If p == 3 mod 4, then all a strong test does is compute
* 2^((p-1)/2). and see if it's +1 or -1. (Euler's criterion
* says *which* it should be.) If p == 5 (mod 8), then
* 2^((p-1)/2) is -1, so the initial step in a strong test,
* looking at 2^((p-1)/4), is wasted - you're not going to
* find a +/-1 before then if it *is* prime, and it shouldn't
* have either of those values if it isn't. So don't bother.
*
* The remaining case is p == 1 (mod 8). In this case, we
* expect 2^((p-1)/2) == 1 (mod p), so we expect that the
* square root of this, 2^((p-1)/4), will be +/-1 (mod p).
* Evaluating this saves us a modular squaring 1/4 of the time.
* If it's -1, a strong pseudoprimality test would call p
* prime as well. Only if the result is +1, indicating that
* 2 is not only a quadratic residue, but a quartic one as well,
* does a strong pseudoprimality test verify more things than
* this test does. Good enough.
*
* We could back that down another step, looking at 2^((p-1)/8)
* if there was a cheap way to determine if 2 were expected to
* be a quartic residue or not. Dirichlet proved that 2 is
* a quartic residue iff p is of the form a^2 + (8*b^2).
* All primes == 1 (mod 4) can be expressed as a^2 + (2*b)^2,
* but I see no cheap way to evaluate this condition.
*/
if (bnCopy(e, bn) < 0)
return -1;
(void)bnSubQ(e, 1);
l = bnLSWord(e);
j = 1; /* Where to start in prime array for strong prime tests */
if (l & 7) {
bnRShift(e, 1);
if (bnTwoExpMod(a, e, bn) < 0)
return -1;
if ((l & 7) == 6) {
/* bn == 7 mod 8, expect +1 */
if (bnBits(a) != 1)
return 1; /* Not prime */
k = 1;
} else {
/* bn == 3 or 5 mod 8, expect -1 == bn-1 */
if (bnAddQ(a, 1) < 0)
return -1;
if (bnCmp(a, bn) != 0)
return 1; /* Not prime */
k = 1;
if (l & 4) {
/* bn == 5 mod 8, make odd for strong tests */
bnRShift(e, 1);
k = 2;
}
}
} else {
/* bn == 1 mod 8, expect 2^((bn-1)/4) == +/-1 mod bn */
bnRShift(e, 2);
if (bnTwoExpMod(a, e, bn) < 0)
return -1;
if (bnBits(a) == 1) {
j = 0; /* Re-do strong prime test to base 2 */
} else {
if (bnAddQ(a, 1) < 0)
return -1;
if (bnCmp(a, bn) != 0)
return 1; /* Not prime */
}
k = 2 + bnMakeOdd(e);
}
/* It's prime! Now go on to confirmation tests */
/*
* Now, e = (bn-1)/2^k is odd. k >= 1, and has a given value
* with probability 2^-k, so its expected value is 2.
* j = 1 in the usual case when the previous test was as good as
* a strong prime test, but 1/8 of the time, j = 0 because
* the strong prime test to the base 2 needs to be re-done.
*/
for (i = j; i < CONFIRMTESTS; i++) {
if (f && (err = f(arg, '*')) < 0)
return err;
(void)bnSetQ(a, confirm[i]);
if (bnExpMod(a, a, e, bn) < 0)
return -1;
if (bnBits(a) == 1)
continue; /* Passed this test */
l = k;
for (;;) {
if (bnAddQ(a, 1) < 0)
return -1;
if (bnCmp(a, bn) == 0) /* Was result bn-1? */
break; /* Prime */
if (!--l) /* Reached end, not -1? luck? */
return i+2-j; /* Failed, not prime */
/* This portion is executed, on average, once. */
(void)bnSubQ(a, 1); /* Put a back where it was. */
if (bnSquare(a, a) < 0 || bnMod(a, a, bn) < 0)
return -1;
if (bnBits(a) == 1)
return i+2-j; /* Failed, not prime */
}
/* It worked (to the base confirm[i]) */
}
/* Yes, we've decided that it's prime. */
if (f && (err = f(arg, '*')) < 0)
return err;
return 0; /* Prime! */
}
int32_t ZrtpDH::computeSecretKey(uint8_t *pubKeyBytes, uint8_t *secret) {
dhCtx* tmpCtx = static_cast<dhCtx*>(ctx);
int32_t length = getDhSize();
BigNum sec;
if (pkType == DH2K || pkType == DH3K) {
BigNum pubKeyOther;
bnBegin(&pubKeyOther);
bnBegin(&sec);
bnInsertBigBytes(&pubKeyOther, pubKeyBytes, 0, length);
if (pkType == DH2K) {
bnExpMod(&sec, &pubKeyOther, &tmpCtx->privKey, &bnP2048);
}
else if (pkType == DH3K) {
bnExpMod(&sec, &pubKeyOther, &tmpCtx->privKey, &bnP3072);
}
else {
return 0;
}
bnEnd(&pubKeyOther);
bnExtractBigBytes(&sec, secret, 0, length);
bnEnd(&sec);
return length;
}
if (pkType == EC25 || pkType == EC38 || pkType == E414) {
int32_t len = getPubKeySize() / 2;
EcPoint pub;
bnBegin(&sec);
INIT_EC_POINT(&pub);
bnSetQ(pub.z, 1); // initialze Z to one, these are affine coords
bnInsertBigBytes(pub.x, pubKeyBytes, 0, len);
bnInsertBigBytes(pub.y, pubKeyBytes+len, 0, len);
/* Generate agreement for responder: sec = pub * privKey */
ecdhComputeAgreement(&tmpCtx->curve, &sec, &pub, &tmpCtx->privKey);
bnExtractBigBytes(&sec, secret, 0, length);
bnEnd(&sec);
FREE_EC_POINT(&pub);
return length;
}
if (pkType == E255) {
int32_t len = getPubKeySize();
EcPoint pub;
bnBegin(&sec);
INIT_EC_POINT(&pub);
bnInsertLittleBytes(pub.x, pubKeyBytes, 0, len);
/* Generate agreement for responder: sec = pub * privKey */
ecdhComputeAgreement(&tmpCtx->curve, &sec, &pub, &tmpCtx->privKey);
bnExtractLittleBytes(&sec, secret, 0, length);
bnEnd(&sec);
FREE_EC_POINT(&pub);
return length;
}
return -1;
}
static int
testDH(struct BigNum *bn)
{
struct BigNum pub1, pub2, sec1, sec2;
unsigned bits;
int i = 0;
char buf[4];
bnBegin(&pub1);
bnBegin(&pub2);
bnBegin(&sec1);
bnBegin(&sec2);
/* Bits of secret - add a few to ensure an even distribution */
bits = bnBits(bn)+4;
/* Temporarily decrement bn for some operations */
(void)bnSubQ(bn, 1);
strcpy(buf, "foo");
i = genRandBn(&sec1, bits, 0, 0, (unsigned char *)buf, 4);
if (i < 0)
goto done;
/* Reduce sec1 to the correct range */
i = bnMod(&sec1, &sec1, bn);
if (i < 0)
goto done;
strcpy(buf, "bar");
i = genRandBn(&sec2, bits, 0, 0, (unsigned char *)buf, 4);
if (i < 0)
goto done;
/* Reduce sec2 to the correct range */
i = bnMod(&sec2, &sec2, bn);
if (i < 0)
goto done;
/* Re-increment bn */
(void)bnAddQ(bn, 1);
puts("Doing first half for party 1");
i = bnTwoExpMod(&pub1, &sec1, bn);
if (i < 0)
goto done;
puts("Doing first half for party 2");
i = bnTwoExpMod(&pub2, &sec2, bn);
if (i < 0)
goto done;
/* In a real protocol, pub1 and pub2 are now exchanged */
puts("Doing second half for party 1");
i = bnExpMod(&pub2, &pub2, &sec1, bn);
if (i < 0)
goto done;
bndPut("shared = ", &pub2);
puts("Doing second half for party 2");
i = bnExpMod(&pub1, &pub1, &sec2, bn);
if (i < 0)
goto done;
bndPut("shared = ", &pub1);
if (bnCmp(&pub1, &pub2) != 0) {
puts("Diffie-Hellman failed!");
i = -1;
} else {
puts("Test successful.");
}
done:
bnEnd(&sec2);
bnEnd(&sec1);
bnEnd(&pub2);
bnEnd(&pub1);
return i;
}
