BIGNUM *SRP_Calc_B(BIGNUM *b, BIGNUM *N, BIGNUM *g, BIGNUM *v)
{
BIGNUM *kv = NULL, *gb = NULL;
BIGNUM *B = NULL, *k = NULL;
BN_CTX *bn_ctx;
if (b == NULL || N == NULL || g == NULL || v == NULL ||
(bn_ctx = BN_CTX_new()) == NULL)
return NULL;
if ((kv = BN_new()) == NULL ||
(gb = BN_new()) == NULL || (B = BN_new()) == NULL)
goto err;
/* B = g**b + k*v */
if (!BN_mod_exp(gb, g, b, N, bn_ctx)
|| (k = srp_Calc_k(N, g)) == NULL
|| !BN_mod_mul(kv, v, k, N, bn_ctx)
|| !BN_mod_add(B, gb, kv, N, bn_ctx)) {
BN_free(B);
B = NULL;
}
err:
BN_CTX_free(bn_ctx);
BN_clear_free(kv);
BN_clear_free(gb);
BN_free(k);
return B;
}
BIGNUM *ClientSide::Calc_S(BIGNUM *B,BIGNUM *k,BIGNUM *g,BIGNUM *a,BIGNUM *u,BIGNUM *x,BIGNUM *N)
{
//S = (B - kg^x) ^ (a + ux) (computes session key)
BIGNUM *tmp = NULL, *tmp2 = NULL, *tmp3 = NULL, *S = NULL;
BN_CTX *bn_ctx;
if (u == NULL || B == NULL || N == NULL || g == NULL || x == NULL
|| a == NULL || (bn_ctx = BN_CTX_new()) == NULL || k == NULL)
return NULL;
if ((tmp = BN_new()) == NULL ||
(tmp2 = BN_new()) == NULL ||
(tmp3 = BN_new()) == NULL || (S = BN_new()) == NULL)
{
BN_CTX_free(bn_ctx);
BN_clear_free(tmp);
BN_clear_free(tmp2);
BN_clear_free(tmp3);
BN_free(S);
return NULL;
}
if(BN_mod_exp(tmp, g, x, N, bn_ctx))
if(BN_mod_mul(tmp2, tmp, k, N, bn_ctx))
if(BN_mod_sub(tmp, B, tmp2, N, bn_ctx))
if(BN_mod_mul(tmp3, u, x, N, bn_ctx))
if(BN_mod_add(tmp2, a, tmp3, N, bn_ctx))
if(BN_mod_exp(S, tmp, tmp2, N, bn_ctx))
;
BN_CTX_free(bn_ctx);
BN_clear_free(tmp);
BN_clear_free(tmp2);
BN_clear_free(tmp3);
return S;
}
static int verifystep2(const JPakeUser * us, const JPakeUserPublic * them,
const JPakeParameters * params)
{
BIGNUM *t1 = BN_new();
BIGNUM *t2 = BN_new();
int ret = 0;
printf("\n%s verifies %s:\n\n", us->p.name, them->name);
// g' = g^{xc + xa + xb} [from our POV]
// t1 = xa + xb
BN_mod_add(t1, us->xa, us->xb, params->q, params->ctx);
// t2 = g^{t1} = g^{xa+xb}
BN_mod_exp(t2, params->g, t1, params->p, params->ctx);
// t1 = g^{xc} * t2 = g^{xc + xa + xb}
BN_mod_mul(t1, us->p.s1c.gx, t2, params->p, params->ctx);
if (VerifyZKP
(&us->p.s2.zkpxbs, us->p.s2.X, them, t1, params, them->base + 1,
" * s"))
ret = 1;
// cleanup
BN_free(t2);
BN_free(t1);
return ret;
}
int Omega_vrfy(void *inner)
{
assert(inner!=NULL);
OmegaInner *self = (OmegaInner*)inner;
int ret;
BIGNUM *rbn;
/* Derive e0~,e1~ from d0, d1 */
rbn = BN_bin2bn(self->h0, self->bytelen_q, self->v_e0);
assert(rbn!=NULL);
rbn = BN_bin2bn(self->d1, self->bytelen_q, self->v_e1);
assert(rbn!=NULL);
assert(BN_cmp(self->v_e0, self->e0)==0);
assert(BN_cmp(self->v_e1, self->e1)==0);
/* Compute a~=g^z*h^(e0+e1) */
ret = BN_mod_exp(self->gz, self->g, self->z, self->p, self->bnctx);
assert(ret==1);
ret = BN_mod_add(self->e0e1, self->e0, self->e1, self->q, self->bnctx);
assert(ret==1);
ret = BN_mod_exp(self->he0e1, self->h, self->e0e1, self->p, self->bnctx);
assert(ret==1);
ret = BN_mod_mul(self->v_a, self->gz, self->he0e1, self->p, self->bnctx);
assert(ret==1);
assert(BN_cmp(self->v_a, self->a)==0);
/* Convert a~ to a~_bytes */
BN2LenBin(self->v_a, self->v_a_bytes, self->bytelen_p);
{
int i;
for (i=0; i<self->bytelen_p; i++)
assert(self->v_a_bytes[i]==self->a_bytes[i]);
}
/* Compute h0~=H(a~bytes||00) */
self->v_a_bytes[self->bytelen_p] = 0x00;
VHash(self->v_a_bytes, self->bytelen_p+1, self->v_h0, self->bytelen_red);
/* Check h0~==h0 */
int i;
int flag = 0;
for (i=0; i<self->bytelen_red; i++)
flag |= (self->h0[i] != self->v_h0[i]);
assert(flag == 0);
/* Compute h1~=H(a~bytes||01) */
self->v_a_bytes[self->bytelen_p] = 0x01;
VHash(self->v_a_bytes, self->bytelen_p+1, self->v_h1, self->bytelen_rec);
/* Copmute m = h1~ xor d1*/
for (i=0; i<self->bytelen_rec; i++)
self->v_m[i] = self->v_h1[i]^self->d1[i];
return 0;
}
int JPAKE_STEP2_process(JPAKE_CTX *ctx, const JPAKE_STEP2 *received)
{
BIGNUM *t1 = BN_new();
BIGNUM *t2 = BN_new();
int ret = 0;
/*
* g' = g^{xc + xa + xb} [from our POV]
* t1 = xa + xb
*/
BN_mod_add(t1, ctx->xa, ctx->xb, ctx->p.q, ctx->ctx);
/* t2 = g^{t1} = g^{xa+xb} */
BN_mod_exp(t2, ctx->p.g, t1, ctx->p.p, ctx->ctx);
/* t1 = g^{xc} * t2 = g^{xc + xa + xb} */
BN_mod_mul(t1, ctx->p.gxc, t2, ctx->p.p, ctx->ctx);
if(verify_zkp(received, t1, ctx))
ret = 1;
else
JPAKEerr(JPAKE_F_JPAKE_STEP2_PROCESS, JPAKE_R_VERIFY_B_FAILED);
compute_key(ctx, received->gx);
/* cleanup */
BN_free(t2);
BN_free(t1);
return ret;
}
static DSA *extract_dsa_pub_key(CPK_PUBLIC_PARAMS *param, const char *id)
{
int e = 1;
DSA *dsa = NULL;
BIGNUM *bn = BN_new();
BN_CTX *ctx = BN_CTX_new();
const unsigned char *p;
int *index = NULL;
int i, num_indexes, bn_size;
if (!bn || !ctx) {
goto err;
}
if (!(dsa = X509_ALGOR_get1_DSA(param->pkey_algor))) {
goto err;
}
if ((num_indexes = CPK_MAP_num_indexes(param->map_algor)) <= 0) {
goto err;
}
if (!(index = OPENSSL_malloc(sizeof(int) * num_indexes))) {
goto err;
}
if (!CPK_MAP_str2index(param->map_algor, id, index)) {
goto err;
}
if (!dsa->pub_key) {
if (!(dsa->pub_key = BN_new())) {
goto err;
}
}
BN_zero(dsa->pub_key);
bn_size = BN_num_bytes(dsa->p);
for (i = 0; i < num_indexes; i++) {
p = M_ASN1_STRING_data(param->public_factors) + bn_size * index[i];
if (!BN_bin2bn(p, bn_size, bn)) {
goto err;
}
if (BN_is_zero(bn) || BN_cmp(bn, dsa->p) >= 0) {
goto err;
}
if (!BN_mod_add(dsa->pub_key, dsa->pub_key, bn, dsa->p, ctx)) {
goto err;
}
}
e = 0;
err:
if (e && dsa) {
DSA_free(dsa);
dsa = NULL;
}
if (bn) BN_free(bn);
if (ctx) BN_CTX_free(ctx);
if (index) OPENSSL_free(index);
return dsa;
}
// BCPKI
CKey CKey::GetDerivedKey(std::vector<unsigned char> ticket) const
{
BIGNUM *bn = BN_bin2bn(&ticket[0],ticket.size(),BN_new());
BN_CTX *ctx = NULL;
if ((ctx = BN_CTX_new()) == NULL)
throw key_error("CKey::DeriveKey() : BN_CTX_new failed");
CKey key;
if (HasPrivKey())
{ // privkey = privkey + ticket
// snippet from ECDSA_SIG_recover_key_GFp
// TODO check this again
BIGNUM *order = NULL;
if ((order = BN_new()) == NULL)
throw key_error("CKey::DeriveKey() : BN_new failed");
// BN_CTX_start(ctx);
//order = BN_CTX_get(ctx);
if (!EC_GROUP_get_order(EC_KEY_get0_group(pkey), order, ctx))
throw key_error("CKey::DeriveKey() : EC_GROUP_get_order failed");
if (!BN_mod_add(bn, bn, EC_KEY_get0_private_key(pkey), order, ctx))
throw key_error("CKey::DeriveKey() : BN_mod_add failed");
if (!EC_KEY_regenerate_key(key.pkey,bn)) // sets private AND public key
throw key_error("CKey::DeriveKey() : EC_KEY_regenerate_key failed");
// if (!EC_KEY_set_private_key(key.pkey, bn))
// throw key_error("CKey::DeriveKey() : EC_KEY_set_private_key failed");
if (!EC_KEY_check_key(key.pkey))
throw key_error("CKey::DeriveKey() : EC_KEY_check_key failed");
}
else
{ // add to pub key
// begin snippet from EC_KEY_regenerate_key
EC_POINT *pub_key = NULL;
const EC_GROUP *group = EC_KEY_get0_group(pkey);
pub_key = EC_POINT_new(group);
if (pub_key == NULL)
throw key_error("CKey::DeriveKey() : EC_POINT_new failed");
if (!EC_POINT_mul(group, pub_key, bn, NULL, NULL, ctx))
throw key_error("CKey::DeriveKey() : EC_POINT_mul failed");
// end snippet from EC_KEY_regenerate_key
// now pub_key = ticket * basepoint
//const EC_POINT *EC_KEY_get0_public_key(const EC_KEY *);
//int EC_POINT_add(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, const EC_POINT *b, BN_CTX *);
if (!EC_POINT_add(group, pub_key, pub_key, EC_KEY_get0_public_key(pkey), ctx))
throw key_error("CKey::DeriveKey() : EC_POINT_add failed");
//int EC_KEY_set_public_key(EC_KEY *, const EC_POINT *);
if (!EC_KEY_set_public_key(key.pkey, pub_key))
throw key_error("CKey::DeriveKey() : EC_KEY_set_public_key failed");
};
key.fSet = true;
key.SetCompressedPubKey();
return key;
};
/*
* Computes signature and returns it as DSA_SIG structure
*/
DSA_SIG *gost_do_sign (const unsigned char *dgst, int dlen, DSA * dsa)
{
BIGNUM *k = NULL, *tmp = NULL, *tmp2 = NULL;
DSA_SIG *newsig = DSA_SIG_new ();
BIGNUM *md = hashsum2bn (dgst);
/* check if H(M) mod q is zero */
BN_CTX *ctx = BN_CTX_new ();
BN_CTX_start (ctx);
if (!newsig)
{
GOSTerr (GOST_F_GOST_DO_SIGN, GOST_R_NO_MEMORY);
goto err;
}
tmp = BN_CTX_get (ctx);
k = BN_CTX_get (ctx);
tmp2 = BN_CTX_get (ctx);
BN_mod (tmp, md, dsa->q, ctx);
if (BN_is_zero (tmp))
{
BN_one (md);
}
do
{
do
{
/*Generate random number k less than q */
BN_rand_range (k, dsa->q);
/* generate r = (a^x mod p) mod q */
BN_mod_exp (tmp, dsa->g, k, dsa->p, ctx);
if (!(newsig->r))
newsig->r = BN_new ();
BN_mod (newsig->r, tmp, dsa->q, ctx);
}
while (BN_is_zero (newsig->r));
/* generate s = (xr + k(Hm)) mod q */
BN_mod_mul (tmp, dsa->priv_key, newsig->r, dsa->q, ctx);
BN_mod_mul (tmp2, k, md, dsa->q, ctx);
if (!newsig->s)
newsig->s = BN_new ();
BN_mod_add (newsig->s, tmp, tmp2, dsa->q, ctx);
}
while (BN_is_zero (newsig->s));
err:
BN_free (md);
BN_CTX_end (ctx);
BN_CTX_free (ctx);
return newsig;
}
/* encrypts (or decrypts) with private key, not sensitive to
timing attacks (blind encryption)
*/
void rsa_encrypt_secure(BIGNUM* m, const BIGNUM* d,
const BIGNUM* e, const BIGNUM* n,
const unsigned char * r_bin, int r_len) {
BN_CTX *ctx;
BIGNUM *tmp = BN_new();
BIGNUM *r = BN_new();
BIGNUM *r_inv = BN_new();
ctx = BN_CTX_new();
BN_bin2bn(r_bin, r_len, r);
BN_mod(r, r, n, ctx); /* r = r % n */
/*
printf(" r input: ");BN_print_fp(stdout, r);
printf(" n: ");BN_print_fp(stdout, n);
printf("\n");
*/
BN_mod(tmp, n, r, ctx);
/*printf("r=");BN_print_fp(stdout, r); printf("; tmp=");BN_print_fp(stdout, tmp);*/
while (BN_is_zero(tmp)) { /* */
BN_mod_add(r, r, BN_value_one(), n, ctx);
BN_mod(tmp, n, r, ctx);
/*printf("r=");BN_print_fp(stdout, r); printf("; tmp=");BN_print_fp(stdout, tmp);*/
}
/*printf("\n");*/
BN_mod_inverse(r_inv, r, n, ctx);
/*
printf(" r = ");BN_print_fp(stdout, r);
printf(" r_inv = ");BN_print_fp(stdout, r_inv);
printf(" n = ");BN_print_fp(stdout, n);
printf("\n");
*/
BN_mod_exp(r, r, e, n, ctx); /* r = r^e % n */
BN_mod_mul(m, m, r, n, ctx); /* m = m * r % n */
rsa_encrypt(m, d, n);
BN_mod_mul(m, m, r_inv, n, ctx);
BN_free(r);
BN_free(r_inv);
BN_free(tmp);
BN_CTX_free(ctx);
}
/**
* Helper method to calculate the y-value
* for a given x-value and a polynomial
*
* @param x X-value
* @param polynomial The underlying polynomial
* @param t Threshold (determines the degree of the polynomial)
* @param prime Prime for finite field arithmetic
* @param y Pointer for storage of calculated y-value
*/
static void calculatePolynomialValue(const BIGNUM x, BIGNUM **polynomial, const unsigned char t, const BIGNUM prime, BIGNUM *y) {
BIGNUM **pp;
BIGNUM temp;
BIGNUM exponent;
unsigned long exp;
BN_CTX *ctx;
// Create context for temporary variables of OpenSSL engine
ctx = BN_CTX_new();
BN_CTX_init(ctx);
BN_init(&temp);
BN_init(&exponent);
// Set y to ZERO
BN_zero(y);
/* Initialize the result using the secret value at position 0 of the polynomial */
pp = polynomial;
BN_copy(y, *pp);
pp++;
for (exp = 1; exp < t; exp++) {
BN_copy(&temp, &x);
BN_set_word(&exponent, exp);
// temp = x^exponent mod prime
BN_mod_exp(&temp, &x, &exponent, &prime, ctx);
// exponent = temp * a = a * x^exponent mod prime
BN_mod_mul(&exponent, &temp, *pp, &prime, ctx);
// add the temp value from exponent to y
BN_copy(&temp, y);
BN_mod_add(y, &temp, &exponent, &prime, ctx);
pp++;
}
BN_clear_free(&temp);
BN_clear_free(&exponent);
BN_CTX_free(ctx);
}
BIGNUM *SRP_Calc_client_key(BIGNUM *N, BIGNUM *B, BIGNUM *g, BIGNUM *x,
BIGNUM *a, BIGNUM *u)
{
BIGNUM *tmp = NULL, *tmp2 = NULL, *tmp3 = NULL, *k = NULL, *K = NULL;
BN_CTX *bn_ctx;
if (u == NULL || B == NULL || N == NULL || g == NULL || x == NULL
|| a == NULL || (bn_ctx = BN_CTX_new()) == NULL)
return NULL;
if ((tmp = BN_new()) == NULL ||
(tmp2 = BN_new()) == NULL ||
(tmp3 = BN_new()) == NULL ||
(K = BN_new()) == NULL)
goto err;
if (!BN_mod_exp(tmp, g, x, N, bn_ctx))
goto err;
if ((k = srp_Calc_k(N, g)) == NULL)
goto err;
if (!BN_mod_mul(tmp2, tmp, k, N, bn_ctx))
goto err;
if (!BN_mod_sub(tmp, B, tmp2, N, bn_ctx))
goto err;
if (!BN_mod_mul(tmp3, u, x, N, bn_ctx))
goto err;
if (!BN_mod_add(tmp2, a, tmp3, N, bn_ctx))
goto err;
if (!BN_mod_exp(K, tmp, tmp2, N, bn_ctx))
goto err;
err:
BN_CTX_free(bn_ctx);
BN_clear_free(tmp);
BN_clear_free(tmp2);
BN_clear_free(tmp3);
BN_free(k);
return K;
}
BIGNUM * Polynomial::GetFunctionValue(BIGNUM *x)
{
BN_CTX *ctx = BN_CTX_new();
BIGNUM * value = BN_new() ;
BN_copy(value,*(coefficients->begin()));
BIGNUM * tmp = BN_new();
BIGNUM * tmpx = BN_new();
BN_one(tmpx);
vector<BIGNUM *>::iterator iter;
for (iter=coefficients->begin()+1;iter!= coefficients->end();iter++)
{
BN_mod_mul(tmpx,tmpx,x,p,ctx);
BN_mod_mul(tmp,tmpx,*iter,p,ctx);
BN_mod_add(value,tmp,value,p,ctx);
}
BN_free(tmp);
BN_free(tmpx);
BN_CTX_free(ctx);
return value;
}
// unsigned char *rgbHashData, 哈希
// unsigned char *rgbKeyDb, 私钥
// unsigned char *rs 签名
void eccHashSign(unsigned char *rgbHashData, unsigned char *rgbKeyDb, unsigned char *rs)
{
int ok = 0;
const EC_GROUP *ec_group;
BIGNUM *priv_key;
const BIGNUM *ck;
BIGNUM *k = NULL;
BN_CTX *ctx = NULL;
BIGNUM *order = NULL;
BIGNUM *e = NULL;
BIGNUM *bn = NULL;
int i;
BIGNUM *r= BN_new(), *s = BN_new();
EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_sm2p256v1);
ec_group = EC_KEY_get0_group(ec_key);
priv_key = BN_new();
BN_bin2bn(rgbKeyDb, 32, priv_key);
EC_KEY_set_private_key(ec_key, priv_key);
if (!ec_group || !priv_key) {
}
ctx = BN_CTX_new();
order = BN_new();
e = BN_new();
bn = BN_new();
if (!ctx || !order || !e || !bn) {
ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE);
goto err;
}
if (!EC_GROUP_get_order(ec_group, order, ctx)) {
ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_EC_LIB);
goto err;
}
/* convert dgst to e */
i = BN_num_bits(order);
#if 0
if (8 * dgst_len > i) {
dgst_len = (i + 7)/8;
}
#endif
if (!BN_bin2bn(rgbHashData, 32, e)) {
ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
goto err;
}
#if 0
if ((8 * dgst_len > i) && !BN_rshift(e, e, 8 - (i & 0x7))) {
ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
goto err;
}
#endif
do {
/* use or compute k and (kG).x */
if (!sm2_sign_setup(ec_key, ctx, &k, &r)) {
ECDSAerr(ECDSA_F_ECDSA_DO_SIGN,ERR_R_ECDSA_LIB);
goto err;
}
ck = k;
/* r = e + x (mod n) */
if (!BN_mod_add(r, r, e, order, ctx)) {
ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
goto err;
}
if (!BN_mod_add(bn, r, ck, order, ctx)) {
ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
goto err;
}
/* check r != 0 && r + k != n */
if (BN_is_zero(r) || BN_is_zero(bn)) {
continue;
}
/* s = ((1 + d)^-1 * (k - rd)) mod n */
if (!BN_one(bn)) {
ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
goto err;
}
if (!BN_mod_add(s, priv_key, bn, order, ctx)) {
ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
goto err;
}
if (!BN_mod_inverse(s, s, order, ctx)) {
ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
goto err;
}
if (!BN_mod_mul(bn, r, priv_key, order, ctx)) {
ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
goto err;
}
if (!BN_mod_sub(bn, ck, bn, order, ctx)) {
ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
goto err;
}
if (!BN_mod_mul(s, s, bn, order, ctx)) {
ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
goto err;
}
/* check s != 0 */
if (!BN_is_zero(s))
break;
} while (1);
ok = 1;
BN_bn2bin(r, rs);
BN_bn2bin(s, rs + 32);
err:
if (k) BN_free(k);
if (ctx) BN_CTX_free(ctx);
if (order) BN_free(order);
if (e) BN_free(e);
if (bn) BN_free(bn);
}
int StealthSecretSpend(ec_secret& scanSecret, ec_point& ephemPubkey, ec_secret& spendSecret, ec_secret& secretOut)
{
/*
c = H(dP)
R' = R + cG [without decrypting wallet]
= (f + c)G [after decryption of wallet]
Remember: mod curve.order, pad with 0x00s where necessary?
*/
int rv = 0;
std::vector<uint8_t> vchOutP;
BN_CTX* bnCtx = NULL;
BIGNUM* bnScanSecret = NULL;
BIGNUM* bnP = NULL;
EC_POINT* P = NULL;
BIGNUM* bnOutP = NULL;
BIGNUM* bnc = NULL;
BIGNUM* bnOrder = NULL;
BIGNUM* bnSpend = NULL;
EC_GROUP* ecgrp = EC_GROUP_new_by_curve_name(NID_secp256k1);
if (!ecgrp)
{
printf("StealthSecretSpend(): EC_GROUP_new_by_curve_name failed.\n");
return 1;
};
if (!(bnCtx = BN_CTX_new()))
{
printf("StealthSecretSpend(): BN_CTX_new failed.\n");
rv = 1;
goto End;
};
if (!(bnScanSecret = BN_bin2bn(&scanSecret.e[0], ec_secret_size, BN_new())))
{
printf("StealthSecretSpend(): bnScanSecret BN_bin2bn failed.\n");
rv = 1;
goto End;
};
if (!(bnP = BN_bin2bn(&ephemPubkey[0], ephemPubkey.size(), BN_new())))
{
printf("StealthSecretSpend(): bnP BN_bin2bn failed\n");
rv = 1;
goto End;
};
if (!(P = EC_POINT_bn2point(ecgrp, bnP, NULL, bnCtx)))
{
printf("StealthSecretSpend(): P EC_POINT_bn2point failed\n");
rv = 1;
goto End;
};
// -- dP
if (!EC_POINT_mul(ecgrp, P, NULL, P, bnScanSecret, bnCtx))
{
printf("StealthSecretSpend(): dP EC_POINT_mul failed\n");
rv = 1;
goto End;
};
if (!(bnOutP = EC_POINT_point2bn(ecgrp, P, POINT_CONVERSION_COMPRESSED, BN_new(), bnCtx)))
{
printf("StealthSecretSpend(): P EC_POINT_bn2point failed\n");
rv = 1;
goto End;
};
vchOutP.resize(ec_compressed_size);
if (BN_num_bytes(bnOutP) != (int) ec_compressed_size
|| BN_bn2bin(bnOutP, &vchOutP[0]) != (int) ec_compressed_size)
{
printf("StealthSecretSpend(): bnOutP incorrect length.\n");
rv = 1;
goto End;
};
uint8_t hash1[32];
SHA256(&vchOutP[0], vchOutP.size(), (uint8_t*)hash1);
if (!(bnc = BN_bin2bn(&hash1[0], 32, BN_new())))
{
printf("StealthSecretSpend(): BN_bin2bn failed\n");
rv = 1;
goto End;
};
if (!(bnOrder = BN_new())
|| !EC_GROUP_get_order(ecgrp, bnOrder, bnCtx))
{
printf("StealthSecretSpend(): EC_GROUP_get_order failed\n");
rv = 1;
goto End;
};
if (!(bnSpend = BN_bin2bn(&spendSecret.e[0], ec_secret_size, BN_new())))
{
printf("StealthSecretSpend(): bnSpend BN_bin2bn failed.\n");
rv = 1;
goto End;
};
//if (!BN_add(r, a, b)) return 0;
//return BN_nnmod(r, r, m, ctx);
if (!BN_mod_add(bnSpend, bnSpend, bnc, bnOrder, bnCtx))
{
printf("StealthSecretSpend(): bnSpend BN_mod_add failed.\n");
rv = 1;
goto End;
};
if (BN_is_zero(bnSpend)) // possible?
{
printf("StealthSecretSpend(): bnSpend is zero.\n");
rv = 1;
goto End;
};
if (BN_num_bytes(bnSpend) != (int) ec_secret_size
|| BN_bn2bin(bnSpend, &secretOut.e[0]) != (int) ec_secret_size)
{
printf("StealthSecretSpend(): bnSpend incorrect length.\n");
rv = 1;
goto End;
};
End:
if (bnSpend) BN_free(bnSpend);
if (bnOrder) BN_free(bnOrder);
if (bnc) BN_free(bnc);
if (bnOutP) BN_free(bnOutP);
if (P) EC_POINT_free(P);
if (bnP) BN_free(bnP);
if (bnScanSecret) BN_free(bnScanSecret);
if (bnCtx) BN_CTX_free(bnCtx);
EC_GROUP_free(ecgrp);
return rv;
};
int StealthSharedToSecretSpend(ec_secret& sharedS, ec_secret& spendSecret, ec_secret& secretOut)
{
int rv = 0;
std::vector<uint8_t> vchOutP;
BN_CTX* bnCtx = NULL;
BIGNUM* bnc = NULL;
BIGNUM* bnOrder = NULL;
BIGNUM* bnSpend = NULL;
EC_GROUP* ecgrp = EC_GROUP_new_by_curve_name(NID_secp256k1);
if (!ecgrp)
{
printf("StealthSecretSpend(): EC_GROUP_new_by_curve_name failed.\n");
return 1;
};
if (!(bnCtx = BN_CTX_new()))
{
printf("StealthSecretSpend(): BN_CTX_new failed.\n");
rv = 1;
goto End;
};
if (!(bnc = BN_bin2bn(&sharedS.e[0], ec_secret_size, BN_new())))
{
printf("StealthSecretSpend(): BN_bin2bn failed\n");
rv = 1;
goto End;
};
if (!(bnOrder = BN_new())
|| !EC_GROUP_get_order(ecgrp, bnOrder, bnCtx))
{
printf("StealthSecretSpend(): EC_GROUP_get_order failed\n");
rv = 1;
goto End;
};
if (!(bnSpend = BN_bin2bn(&spendSecret.e[0], ec_secret_size, BN_new())))
{
printf("StealthSecretSpend(): bnSpend BN_bin2bn failed.\n");
rv = 1;
goto End;
};
//if (!BN_add(r, a, b)) return 0;
//return BN_nnmod(r, r, m, ctx);
if (!BN_mod_add(bnSpend, bnSpend, bnc, bnOrder, bnCtx))
{
printf("StealthSecretSpend(): bnSpend BN_mod_add failed.\n");
rv = 1;
goto End;
};
if (BN_is_zero(bnSpend)) // possible?
{
printf("StealthSecretSpend(): bnSpend is zero.\n");
rv = 1;
goto End;
};
if (BN_num_bytes(bnSpend) != (int) ec_secret_size
|| BN_bn2bin(bnSpend, &secretOut.e[0]) != (int) ec_secret_size)
{
printf("StealthSecretSpend(): bnSpend incorrect length.\n");
rv = 1;
goto End;
};
End:
if (bnSpend) BN_free(bnSpend);
if (bnOrder) BN_free(bnOrder);
if (bnc) BN_free(bnc);
if (bnCtx) BN_CTX_free(bnCtx);
EC_GROUP_free(ecgrp);
return rv;
};
ProductEvidence ProductEvidence_New(ProductStatement st,
const BIGNUM *a, const BIGNUM *r_a, const BIGNUM *r_b, const BIGNUM *r_c)
{
ProductEvidence ev = safe_malloc(sizeof(*ev));
const BIGNUM* g = IntegerGroup_GetG(st->group);
const BIGNUM* h = IntegerGroup_GetH(st->group);
const BIGNUM* q = IntegerGroup_GetQ(st->group);
BN_CTX* ctx = IntegerGroup_GetCtx(st->group);
// A = g^a h^{r_a}
// B = g^b h^{r_b}
// C = g^{ab} h^{r_c}
// r_prod = r_c - a*r_b
BIGNUM* r_prod;
CHECK_CALL(r_prod = BN_dup(a));
CHECK_CALL(BN_mod_mul(r_prod, r_prod, r_b, q, ctx));
CHECK_CALL(BN_mod_sub(r_prod, r_c, r_prod, q, ctx));
// == Commitment ==
// x, s1, s2 in [0, q)
BIGNUM *x = IntegerGroup_RandomExponent(st->group);
BIGNUM *s1 = IntegerGroup_RandomExponent(st->group);
BIGNUM *s2 = IntegerGroup_RandomExponent(st->group);
CHECK_CALL(x);
CHECK_CALL(s1);
CHECK_CALL(s2);
// m1 = g^x h^s1
BIGNUM* m1 = IntegerGroup_CascadeExponentiate(st->group, g, x, h, s1);
CHECK_CALL(m1);
// m2 = B^x h^s2
BIGNUM* m2 = IntegerGroup_CascadeExponentiate(st->group, st->commit_b, x, h, s2);
CHECK_CALL(m2);
// == Challenge ==
// c = H(g, h, q, p, A, B, C, m1, m2)
ev->c = Commit(st, m1, m2);
// == Response ==
// z = x + ca mod q
ev->z = BN_dup(ev->c);
CHECK_CALL(ev->z);
CHECK_CALL(BN_mod_mul(ev->z, ev->z, a, q, ctx));
CHECK_CALL(BN_mod_add(ev->z, ev->z, x, q, ctx));
// w1 = s1 + (c r_a) mod q
ev->w1 = BN_dup(r_a);
CHECK_CALL(ev->w1);
CHECK_CALL(BN_mod_mul(ev->w1, ev->w1, ev->c, q, ctx));
CHECK_CALL(BN_mod_add(ev->w1, ev->w1, s1, q, ctx));
// w2 = s2 + (c r_prod) mod q
ev->w2 = BN_dup(r_prod);
CHECK_CALL(ev->w2);
CHECK_CALL(BN_mod_mul(ev->w2, ev->w2, ev->c, q, ctx));
CHECK_CALL(BN_mod_add(ev->w2, ev->w2, s2, q, ctx));
// proof is (c, z, w1, w2)
BN_free(m1);
BN_free(m2);
BN_clear_free(x);
BN_clear_free(s1);
BN_clear_free(s2);
BN_clear_free(r_prod);
return ev;
}
ECDSA_SIG *
gost2001_do_sign(BIGNUM *md, GOST_KEY *eckey)
{
ECDSA_SIG *newsig = NULL;
BIGNUM *order = NULL;
const EC_GROUP *group;
const BIGNUM *priv_key;
BIGNUM *r = NULL, *s = NULL, *X = NULL, *tmp = NULL, *tmp2 = NULL, *k =
NULL, *e = NULL;
EC_POINT *C = NULL;
BN_CTX *ctx = BN_CTX_new();
int ok = 0;
if (ctx == NULL) {
GOSTerr(GOST_F_GOST2001_DO_SIGN, ERR_R_MALLOC_FAILURE);
return NULL;
}
BN_CTX_start(ctx);
newsig = ECDSA_SIG_new();
if (newsig == NULL) {
GOSTerr(GOST_F_GOST2001_DO_SIGN, ERR_R_MALLOC_FAILURE);
goto err;
}
s = newsig->s;
r = newsig->r;
group = GOST_KEY_get0_group(eckey);
if ((order = BN_CTX_get(ctx)) == NULL)
goto err;
if (EC_GROUP_get_order(group, order, ctx) == 0)
goto err;
priv_key = GOST_KEY_get0_private_key(eckey);
if ((e = BN_CTX_get(ctx)) == NULL)
goto err;
if (BN_mod(e, md, order, ctx) == 0)
goto err;
if (BN_is_zero(e))
BN_one(e);
if ((k = BN_CTX_get(ctx)) == NULL)
goto err;
if ((X = BN_CTX_get(ctx)) == NULL)
goto err;
if ((C = EC_POINT_new(group)) == NULL)
goto err;
do {
do {
if (!BN_rand_range(k, order)) {
GOSTerr(GOST_F_GOST2001_DO_SIGN,
GOST_R_RANDOM_NUMBER_GENERATOR_FAILED);
goto err;
}
/*
* We do not want timing information to leak the length
* of k, so we compute G*k using an equivalent scalar
* of fixed bit-length.
*/
if (BN_add(k, k, order) == 0)
goto err;
if (BN_num_bits(k) <= BN_num_bits(order))
if (BN_add(k, k, order) == 0)
goto err;
if (EC_POINT_mul(group, C, k, NULL, NULL, ctx) == 0) {
GOSTerr(GOST_F_GOST2001_DO_SIGN, ERR_R_EC_LIB);
goto err;
}
if (EC_POINT_get_affine_coordinates_GFp(group, C, X,
NULL, ctx) == 0) {
GOSTerr(GOST_F_GOST2001_DO_SIGN, ERR_R_EC_LIB);
goto err;
}
if (BN_nnmod(r, X, order, ctx) == 0)
goto err;
} while (BN_is_zero(r));
/* s = (r*priv_key+k*e) mod order */
if (tmp == NULL) {
if ((tmp = BN_CTX_get(ctx)) == NULL)
goto err;
}
if (BN_mod_mul(tmp, priv_key, r, order, ctx) == 0)
goto err;
if (tmp2 == NULL) {
if ((tmp2 = BN_CTX_get(ctx)) == NULL)
goto err;
}
if (BN_mod_mul(tmp2, k, e, order, ctx) == 0)
goto err;
if (BN_mod_add(s, tmp, tmp2, order, ctx) == 0)
goto err;
} while (BN_is_zero(s));
ok = 1;
err:
EC_POINT_free(C);
if (ctx != NULL) {
BN_CTX_end(ctx);
BN_CTX_free(ctx);
}
if (ok == 0) {
ECDSA_SIG_free(newsig);
newsig = NULL;
}
return newsig;
}
int generateRingSignature(data_chunk &keyImage, uint256 &txnHash, int nRingSize, int nSecretOffset, ec_secret secret, const uint8_t *pPubkeys, uint8_t *pSigc, uint8_t *pSigr)
{
if (fDebugRingSig)
LogPrintf("%s: Ring size %d.\n", __func__, nRingSize);
int rv = 0;
int nBytes;
BN_CTX_start(bnCtx);
BIGNUM *bnKS = BN_CTX_get(bnCtx);
BIGNUM *bnK1 = BN_CTX_get(bnCtx);
BIGNUM *bnK2 = BN_CTX_get(bnCtx);
BIGNUM *bnT = BN_CTX_get(bnCtx);
BIGNUM *bnH = BN_CTX_get(bnCtx);
BIGNUM *bnSum = BN_CTX_get(bnCtx);
EC_POINT *ptT1 = NULL;
EC_POINT *ptT2 = NULL;
EC_POINT *ptT3 = NULL;
EC_POINT *ptPk = NULL;
EC_POINT *ptKi = NULL;
EC_POINT *ptL = NULL;
EC_POINT *ptR = NULL;
uint8_t tempData[66]; // hold raw point data to hash
uint256 commitHash;
ec_secret scData1, scData2;
CHashWriter ssCommitHash(SER_GETHASH, PROTOCOL_VERSION);
ssCommitHash << txnHash;
// zero signature
memset(pSigc, 0, EC_SECRET_SIZE * nRingSize);
memset(pSigr, 0, EC_SECRET_SIZE * nRingSize);
// ks = random 256 bit int mod P
if (GenerateRandomSecret(scData1)
&& (rv = errorN(1, "%s: GenerateRandomSecret failed.", __func__)))
goto End;
if (!bnKS || !(BN_bin2bn(&scData1.e[0], EC_SECRET_SIZE, bnKS)))
{
LogPrintf("%s: BN_bin2bn failed.\n", __func__);
rv = 1; goto End;
};
// zero sum
if (!bnSum || !(BN_zero(bnSum)))
{
LogPrintf("%s: BN_zero failed.\n", __func__);
rv = 1; goto End;
};
if ( !(ptT1 = EC_POINT_new(ecGrp))
|| !(ptT2 = EC_POINT_new(ecGrp))
|| !(ptT3 = EC_POINT_new(ecGrp))
|| !(ptPk = EC_POINT_new(ecGrp))
|| !(ptKi = EC_POINT_new(ecGrp))
|| !(ptL = EC_POINT_new(ecGrp))
|| !(ptR = EC_POINT_new(ecGrp)))
{
LogPrintf("%s: EC_POINT_new failed.\n", __func__);
rv = 1; goto End;
};
// get keyimage as point
if (!(bnT = BN_bin2bn(&keyImage[0], EC_COMPRESSED_SIZE, bnT))
|| !(ptKi) || !(ptKi = EC_POINT_bn2point(ecGrp, bnT, ptKi, bnCtx)))
{
LogPrintf("%s: extract ptKi failed.\n", __func__);
rv = 1; goto End;
};
for (int i = 0; i < nRingSize; ++i)
{
if (i == nSecretOffset)
{
// k = random 256 bit int mod P
// L = k * G
// R = k * HashToEC(PKi)
if (!EC_POINT_mul(ecGrp, ptL, bnKS, NULL, NULL, bnCtx))
{
LogPrintf("%s: EC_POINT_mul failed.\n", __func__);
rv = 1; goto End;
};
if (hashToEC(&pPubkeys[i * EC_COMPRESSED_SIZE], EC_COMPRESSED_SIZE, bnT, ptT1) != 0)
{
LogPrintf("%s: hashToEC failed.\n", __func__);
rv = 1; goto End;
};
if (!EC_POINT_mul(ecGrp, ptR, NULL, ptT1, bnKS, bnCtx))
{
LogPrintf("%s: EC_POINT_mul failed.\n", __func__);
rv = 1; goto End;
};
} else
{
// k1 = random 256 bit int mod P
// k2 = random 256 bit int mod P
// Li = k1 * Pi + k2 * G
// Ri = k1 * I + k2 * Hp(Pi)
// ci = k1
// ri = k2
if (GenerateRandomSecret(scData1) != 0
|| !bnK1 || !(BN_bin2bn(&scData1.e[0], EC_SECRET_SIZE, bnK1))
|| GenerateRandomSecret(scData2) != 0
|| !bnK2 || !(BN_bin2bn(&scData2.e[0], EC_SECRET_SIZE, bnK2)))
{
LogPrintf("%s: k1 and k2 failed.\n", __func__);
rv = 1; goto End;
};
// get Pk i as point
if (!(bnT = BN_bin2bn(&pPubkeys[i * EC_COMPRESSED_SIZE], EC_COMPRESSED_SIZE, bnT))
|| !(ptPk) || !(ptPk = EC_POINT_bn2point(ecGrp, bnT, ptPk, bnCtx)))
{
LogPrintf("%s: extract ptPk failed.\n", __func__);
rv = 1; goto End;
};
// ptT1 = k1 * Pi
if (!EC_POINT_mul(ecGrp, ptT1, NULL, ptPk, bnK1, bnCtx))
{
LogPrintf("%s: EC_POINT_mul failed.\n", __func__);
rv = 1; goto End;
};
// ptT2 = k2 * G
if (!EC_POINT_mul(ecGrp, ptT2, bnK2, NULL, NULL, bnCtx))
{
LogPrintf("%s: EC_POINT_mul failed.\n", __func__);
rv = 1; goto End;
};
// ptL = ptT1 + ptT2
if (!EC_POINT_add(ecGrp, ptL, ptT1, ptT2, bnCtx))
{
LogPrintf("%s: EC_POINT_add failed.\n", __func__);
rv = 1; goto End;
};
// ptT3 = Hp(Pi)
if (hashToEC(&pPubkeys[i * EC_COMPRESSED_SIZE], EC_COMPRESSED_SIZE, bnT, ptT3) != 0)
{
LogPrintf("%s: hashToEC failed.\n", __func__);
rv = 1; goto End;
};
// ptT1 = k1 * I
if (!EC_POINT_mul(ecGrp, ptT1, NULL, ptKi, bnK1, bnCtx))
{
LogPrintf("%s: EC_POINT_mul failed.\n", __func__);
rv = 1; goto End;
};
// ptT2 = k2 * ptT3
if (!EC_POINT_mul(ecGrp, ptT2, NULL, ptT3, bnK2, bnCtx))
{
LogPrintf("%s: EC_POINT_mul failed.\n", __func__);
rv = 1; goto End;
};
// ptR = ptT1 + ptT2
if (!EC_POINT_add(ecGrp, ptR, ptT1, ptT2, bnCtx))
{
LogPrintf("%s: EC_POINT_add failed.\n", __func__);
rv = 1; goto End;
};
memcpy(&pSigc[i * EC_SECRET_SIZE], &scData1.e[0], EC_SECRET_SIZE);
memcpy(&pSigr[i * EC_SECRET_SIZE], &scData2.e[0], EC_SECRET_SIZE);
// sum = (sum + sigc) % N , sigc == bnK1
if (!BN_mod_add(bnSum, bnSum, bnK1, bnOrder, bnCtx))
{
LogPrintf("%s: BN_mod_add failed.\n", __func__);
rv = 1; goto End;
};
};
// -- add ptL and ptR to hash
if ( !(EC_POINT_point2oct(ecGrp, ptL, POINT_CONVERSION_COMPRESSED, &tempData[0], 33, bnCtx) == (int) EC_COMPRESSED_SIZE)
|| !(EC_POINT_point2oct(ecGrp, ptR, POINT_CONVERSION_COMPRESSED, &tempData[33], 33, bnCtx) == (int) EC_COMPRESSED_SIZE))
{
LogPrintf("%s: extract ptL and ptR failed.\n", __func__);
rv = 1; goto End;
};
ssCommitHash.write((const char*)&tempData[0], 66);
};
commitHash = ssCommitHash.GetHash();
if (!(bnH) || !(bnH = BN_bin2bn(commitHash.begin(), EC_SECRET_SIZE, bnH)))
{
LogPrintf("%s: commitHash -> bnH failed.\n", __func__);
rv = 1; goto End;
};
if (!BN_mod(bnH, bnH, bnOrder, bnCtx)) // this is necessary
{
LogPrintf("%s: BN_mod failed.\n", __func__);
rv = 1; goto End;
};
// sigc[nSecretOffset] = (bnH - bnSum) % N
if (!BN_mod_sub(bnT, bnH, bnSum, bnOrder, bnCtx))
{
LogPrintf("%s: BN_mod_sub failed.\n", __func__);
rv = 1; goto End;
};
if ((nBytes = BN_num_bytes(bnT)) > (int)EC_SECRET_SIZE
|| BN_bn2bin(bnT, &pSigc[nSecretOffset * EC_SECRET_SIZE + (EC_SECRET_SIZE-nBytes)]) != nBytes)
{
LogPrintf("%s: bnT -> pSigc failed.\n", __func__);
rv = 1; goto End;
};
// sigr[nSecretOffset] = (bnKS - sigc[nSecretOffset] * bnSecret) % N
// reuse bnH for bnSecret
if (!bnH || !(BN_bin2bn(&secret.e[0], EC_SECRET_SIZE, bnH)))
{
LogPrintf("%s: BN_bin2bn failed.\n", __func__);
rv = 1; goto End;
};
// bnT = sigc[nSecretOffset] * bnSecret , TODO: mod N ?
if (!BN_mul(bnT, bnT, bnH, bnCtx))
{
LogPrintf("%s: BN_mul failed.\n", __func__);
rv = 1; goto End;
};
if (!BN_mod_sub(bnT, bnKS, bnT, bnOrder, bnCtx))
{
LogPrintf("%s: BN_mod_sub failed.\n", __func__);
rv = 1; goto End;
};
if ((nBytes = BN_num_bytes(bnT)) > (int) EC_SECRET_SIZE
|| BN_bn2bin(bnT, &pSigr[nSecretOffset * EC_SECRET_SIZE + (EC_SECRET_SIZE-nBytes)]) != nBytes)
{
LogPrintf("%s: bnT -> pSigr failed.\n", __func__);
rv = 1; goto End;
};
End:
EC_POINT_free(ptT1);
EC_POINT_free(ptT2);
EC_POINT_free(ptT3);
EC_POINT_free(ptPk);
EC_POINT_free(ptKi);
EC_POINT_free(ptL);
EC_POINT_free(ptR);
BN_CTX_end(bnCtx);
return rv;
};
void f( BIGNUM * x, BIGNUM * m ) {
BN_mod_mul( x, x, x, m, bnctx ) ;
BN_mod_add( x, x, bn_one, m, bnctx ) ;
}
int ec_GFp_simple_group_check_discriminant(const EC_GROUP *group, BN_CTX *ctx)
{
int ret = 0;
BIGNUM *a, *b, *order, *tmp_1, *tmp_2;
const BIGNUM *p = group->field;
BN_CTX *new_ctx = NULL;
if (ctx == NULL) {
ctx = new_ctx = BN_CTX_new();
if (ctx == NULL) {
ECerr(EC_F_EC_GFP_SIMPLE_GROUP_CHECK_DISCRIMINANT,
ERR_R_MALLOC_FAILURE);
goto err;
}
}
BN_CTX_start(ctx);
a = BN_CTX_get(ctx);
b = BN_CTX_get(ctx);
tmp_1 = BN_CTX_get(ctx);
tmp_2 = BN_CTX_get(ctx);
order = BN_CTX_get(ctx);
if (order == NULL)
goto err;
if (group->meth->field_decode) {
if (!group->meth->field_decode(group, a, group->a, ctx))
goto err;
if (!group->meth->field_decode(group, b, group->b, ctx))
goto err;
} else {
if (!BN_copy(a, group->a))
goto err;
if (!BN_copy(b, group->b))
goto err;
}
/*-
* check the discriminant:
* y^2 = x^3 + a*x + b is an elliptic curve <=> 4*a^3 + 27*b^2 != 0 (mod p)
* 0 =< a, b < p
*/
if (BN_is_zero(a)) {
if (BN_is_zero(b))
goto err;
} else if (!BN_is_zero(b)) {
if (!BN_mod_sqr(tmp_1, a, p, ctx))
goto err;
if (!BN_mod_mul(tmp_2, tmp_1, a, p, ctx))
goto err;
if (!BN_lshift(tmp_1, tmp_2, 2))
goto err;
/* tmp_1 = 4*a^3 */
if (!BN_mod_sqr(tmp_2, b, p, ctx))
goto err;
if (!BN_mul_word(tmp_2, 27))
goto err;
/* tmp_2 = 27*b^2 */
if (!BN_mod_add(a, tmp_1, tmp_2, p, ctx))
goto err;
if (BN_is_zero(a))
goto err;
}
ret = 1;
err:
if (ctx != NULL)
BN_CTX_end(ctx);
BN_CTX_free(new_ctx);
return ret;
}
int main() {
clock_t begin, end;
double time_spent;
printf("====================================================================\n");
BIGNUM *a, *b, *c, *d, *gen, *prime_mod;
char *c_str;
BN_CTX *ctx; /* used internally by the bignum lib */
//DH *dhparms;
int csize;
ctx = BN_CTX_new();
a = BN_new();
b = BN_new();
c = BN_new();
d = BN_new();
prime_mod = BN_new();
BN_set_word(a, 6);
BN_set_word(b, 7);
BN_mul(c, a, b, ctx);
BN_generate_prime(prime_mod,1024,0,0,0,0,0);
//char * primeMOD= "D3BAAE3CE4015583027B1D822109B874CDC6A805BEFEB3DA4B6AD9C3DC1D90B1CF04D70906A1897AF231A03041D6456E7113C573E038DE0EDCF7CAE1B237AC2328110681C83AE86CC5E3268B5808551575E066858684448336E32A9BBCDDAA248BC2685C94142E88C6A68B021941B1C60744E137122A20A7D2CB1641B01E0117";
//BN_hex2bn(&prime_mod, primeMOD);
c_str = BN_bn2hex(prime_mod); /* there's also a BN_d ec2bn() */
csize = BN_num_bits(prime_mod);
//printf("prime_mod = %s size = %d\n", c_str, csize);
// BN_rand(c, 1024, 0, 0);
// c_str = BN_bn2hex(c); //there's also a BN_d ec2bn()
// csize = BN_num_bits(c);
// printf("C = %s size = %d\n", c_str, csize);
//char * BN_T= "DFB9E8DC1BA16AD6EB2ABE6C02E5A9C7B279EEB52DEEBFD550172FC59CAF08534DFEC64BDDE9BD1BE6F9FBDA376C917E615C1F639FE81B8A594812D3E64B3AE4D7BB3F735106845571E16C348CB5100B71B805B70D0CF293727FEAF48F3FFD2A88B09D14AD9D6E314E35BB72238DFAD2549FCF7554F3E1645B118AADACCA35FA";
// BN_hex2bn(&d, BN_T);
// c_str = BN_bn2hex(d);
// csize = BN_num_bits(d);
// printf("D = %s size = %d\n", c_str, csize);
// BN_sqr(c, d, ctx); // c = d^2
// c_str = BN_bn2hex(c);
// csize = BN_num_bits(c);
// printf("c sq = %s size = %d\n", c_str, csize);
// BN_mod_add(b, b, c, prime_mod, ctx); //b = b+c mod p
// BN_mod(d, c, prime_mod, ctx); // d = c mod p
// c_str = BN_bn2hex(d);
// csize = BN_num_bits(d);
// printf("c mod d = %s size = %d\n", c_str, csize);
// BN_mod_exp(b, c, d, prime_mod, ctx); // b = c^d mod p
// c_str = BN_bn2hex(b);
// csize = BN_num_bits(b);
// printf("c exp d = %s size = %d\n", c_str, csize);
int i, j, _ITERATION_NOR, _ITERATION_EXP;
_ITERATION_NOR = 1000000;
_ITERATION_EXP = 1000;
time_t now;
time(&now);
struct tm* now_tm;
now_tm = localtime(&now);
char out[80];
char fileNameT[80];
strftime (out, 80, "%Y-%m-%d %H:%M:%S", now_tm);
strftime (fileNameT, 80, "%Y.%m.%d.%H.%M.%S", now_tm);
char filename[20];
strcpy (filename,"Bignumber_");
strcat (filename,fileNameT);
strcat (filename,".txt");
FILE *f = fopen(filename, "a+");
//setbuf(f, NULL);
if (f == NULL)
{
printf("Error opening file!\n");
exit(1);
}
fprintf(f, "\nTested started on %s\n", out);
fprintf(f, "Normal iteration = %d\n", _ITERATION_NOR);
fprintf(f, "Exp iteration = %d\n", _ITERATION_EXP);
fprintf(f, "MOD iteration = %d\n", _ITERATION_NOR*10);
fprintf(f, "===================================\n");
for(j=0;j<100;j++){
printf("Iteration\t#%d\n", j+1);
fprintf(f, "Iteration #%d\n", j+1);
fflush(f);
BN_rand(a, 1024, 0, 0);
BN_rand(d, 1024, 0, 0);
// d^2
begin = clock();
for(i=0;i<_ITERATION_NOR;i++){
BN_sqr(c, d, ctx);
}
end = clock();
time_spent = (double)(end - begin) / CLOCKS_PER_SEC;
printf("Square %f\n", time_spent);
fprintf(f, "Square\t%f\n", time_spent);
fflush(f);
BN_rand(b, 1024, 0, 0);
BN_rand(c, 1024, 0, 0);
// b+c
begin = clock();
for(i=0;i<_ITERATION_NOR;i++){
BN_mod_add(b, b, c, prime_mod, ctx);
}
end = clock();
time_spent = (double)(end - begin) / CLOCKS_PER_SEC;
printf("Addition %f\n", time_spent);
fprintf(f, "Addition\t%f\n", time_spent);
fflush(f);
BN_rand(b, 1024, 0, 0);
// b mod p
begin = clock();
for(i=0;i<_ITERATION_NOR*10;i++){
BN_mod(d, b, prime_mod, ctx);
}
end = clock();
time_spent = (double)(end - begin) / CLOCKS_PER_SEC;
printf("Modulus %f\n", time_spent);
fprintf(f, "Modulus\t%f\n", time_spent);
fflush(f);
BN_rand(c, 1024, 0, 0);
BN_rand(d, 1024, 0, 0);
// c ^ d mod p
begin = clock();
for(i=0;i<_ITERATION_EXP;i++){
BN_mod_exp(b, c, d, prime_mod, ctx); // b = c^d mod p
}
end = clock();
time_spent = (double)(end - begin) / CLOCKS_PER_SEC;
printf("exponetial %f\n", time_spent);
fprintf(f, "exponetial\t%f\n", time_spent);
fflush(f);
}
time(&now);
now_tm = localtime(&now);
strftime (out, 80, "%Y-%m-%d %H:%M:%S", now_tm);
fprintf(f, "\nTested ended on %s\n", out);
BN_CTX_free(ctx);
printf("====================================================================\n");
fclose(f);
return 0;
}
/* Out: bytes_B, len_B.
*
* On failure, bytes_B will be set to NULL and len_B will be set to 0
*/
struct SRPVerifier * srp_verifier_new( SRP_HashAlgorithm alg, SRP_NGType ng_type, const char * username,
const unsigned char * bytes_s, int len_s,
const unsigned char * bytes_v, int len_v,
const unsigned char * bytes_A, int len_A,
const unsigned char ** bytes_B, int * len_B,
const char * n_hex, const char * g_hex,
int rfc5054_compat )
{
BIGNUM *s = BN_bin2bn(bytes_s, len_s, NULL);
BIGNUM *v = BN_bin2bn(bytes_v, len_v, NULL);
BIGNUM *A = BN_bin2bn(bytes_A, len_A, NULL);
BIGNUM *u = 0;
BIGNUM *B = BN_new();
BIGNUM *S = BN_new();
BIGNUM *b = BN_new();
BIGNUM *k = 0;
BIGNUM *tmp1 = BN_new();
BIGNUM *tmp2 = BN_new();
BN_CTX *ctx = BN_CTX_new();
int ulen = strlen(username) + 1;
NGConstant *ng = new_ng( ng_type, n_hex, g_hex );
struct SRPVerifier *ver = 0;
*len_B = 0;
*bytes_B = 0;
if( !s || !v || !A || !B || !S || !b || !tmp1 || !tmp2 || !ctx || !ng )
goto cleanup_and_exit;
ver = (struct SRPVerifier *) malloc( sizeof(struct SRPVerifier) );
if (!ver)
goto cleanup_and_exit;
init_random(); /* Only happens once */
ver->username = (char *) malloc( ulen );
ver->hash_alg = alg;
ver->ng = ng;
if (!ver->username)
{
free(ver);
ver = 0;
goto cleanup_and_exit;
}
memcpy( (char*)ver->username, username, ulen );
ver->authenticated = 0;
ver->rfc5054 = rfc5054_compat;
/* SRP-6a safety check */
BN_mod(tmp1, A, ng->N, ctx);
if ( !BN_is_zero(tmp1) )
{
BN_rand(b, 256, -1, 0);
if (rfc5054_compat)
k = H_nn_rfc5054(alg, ng->N, ng->N, ng->g);
else
k = H_nn_orig(alg, ng->N, ng->g);
/* B = kv + g^b */
if (rfc5054_compat)
{
BN_mod_mul(tmp1, k, v, ng->N, ctx);
BN_mod_exp(tmp2, ng->g, b, ng->N, ctx);
BN_mod_add(B, tmp1, tmp2, ng->N, ctx);
}
else
{
BN_mul(tmp1, k, v, ctx);
BN_mod_exp(tmp2, ng->g, b, ng->N, ctx);
BN_add(B, tmp1, tmp2);
}
if (rfc5054_compat)
u = H_nn_rfc5054(alg, ng->N, A, B);
else
u = H_nn_orig(alg, A, B);
/* S = (A *(v^u)) ^ b */
BN_mod_exp(tmp1, v, u, ng->N, ctx);
BN_mul(tmp2, A, tmp1, ctx);
BN_mod_exp(S, tmp2, b, ng->N, ctx);
hash_num(alg, S, ver->session_key);
calculate_M( alg, ng, ver->M, username, s, A, B, ver->session_key );
calculate_H_AMK( alg, ver->H_AMK, A, ver->M, ver->session_key );
*len_B = BN_num_bytes(B);
*bytes_B = (const unsigned char *)malloc( *len_B );
if( !((const unsigned char *)*bytes_B) )
{
free( (void*) ver->username );
free( ver );
ver = 0;
*len_B = 0;
goto cleanup_and_exit;
}
BN_bn2bin( B, (unsigned char *) *bytes_B );
ver->bytes_B = *bytes_B;
}
cleanup_and_exit:
BN_free(s);
BN_free(v);
BN_free(A);
if (u) BN_free(u);
if (k) BN_free(k);
BN_free(B);
BN_free(S);
BN_free(b);
BN_free(tmp1);
BN_free(tmp2);
BN_CTX_free(ctx);
return ver;
}
int verifyRingSignature(data_chunk &keyImage, uint256 &txnHash, int nRingSize, const uint8_t *pPubkeys, const uint8_t *pSigc, const uint8_t *pSigr)
{
if (fDebugRingSig)
{
// LogPrintf("%s size %d\n", __func__, nRingSize); // happens often
};
int rv = 0;
BN_CTX_start(bnCtx);
BIGNUM *bnT = BN_CTX_get(bnCtx);
BIGNUM *bnH = BN_CTX_get(bnCtx);
BIGNUM *bnC = BN_CTX_get(bnCtx);
BIGNUM *bnR = BN_CTX_get(bnCtx);
BIGNUM *bnSum = BN_CTX_get(bnCtx);
EC_POINT *ptT1 = NULL;
EC_POINT *ptT2 = NULL;
EC_POINT *ptT3 = NULL;
EC_POINT *ptPk = NULL;
EC_POINT *ptKi = NULL;
EC_POINT *ptL = NULL;
EC_POINT *ptR = NULL;
EC_POINT *ptSi = NULL;
uint8_t tempData[66]; // hold raw point data to hash
uint256 commitHash;
CHashWriter ssCommitHash(SER_GETHASH, PROTOCOL_VERSION);
ssCommitHash << txnHash;
// zero sum
if (!bnSum || !(BN_zero(bnSum)))
{
LogPrintf("%s: BN_zero failed.\n", __func__);
rv = 1; goto End;
};
if ( !(ptT1 = EC_POINT_new(ecGrp))
|| !(ptT2 = EC_POINT_new(ecGrp))
|| !(ptT3 = EC_POINT_new(ecGrp))
|| !(ptPk = EC_POINT_new(ecGrp))
|| !(ptKi = EC_POINT_new(ecGrp))
|| !(ptL = EC_POINT_new(ecGrp))
|| !(ptSi = EC_POINT_new(ecGrp))
|| !(ptR = EC_POINT_new(ecGrp)))
{
LogPrintf("%s: EC_POINT_new failed.\n", __func__);
rv = 1; goto End;
};
// get keyimage as point
if (!(bnT = BN_bin2bn(&keyImage[0], EC_COMPRESSED_SIZE, bnT))
|| !(ptKi) || !(ptKi = EC_POINT_bn2point(ecGrp, bnT, ptKi, bnCtx)))
{
LogPrintf("%s: extract ptKi failed.\n", __func__);
rv = 1; goto End;
};
for (int i = 0; i < nRingSize; ++i)
{
// Li = ci * Pi + ri * G
// Ri = ci * I + ri * Hp(Pi)
if ( !bnC || !(bnC = BN_bin2bn(&pSigc[i * EC_SECRET_SIZE], EC_SECRET_SIZE, bnC))
|| !bnR || !(bnR = BN_bin2bn(&pSigr[i * EC_SECRET_SIZE], EC_SECRET_SIZE, bnR)))
{
LogPrintf("%s: extract bnC and bnR failed.\n", __func__);
rv = 1; goto End;
};
// get Pk i as point
if (!(bnT = BN_bin2bn(&pPubkeys[i * EC_COMPRESSED_SIZE], EC_COMPRESSED_SIZE, bnT))
|| !(ptPk) || !(ptPk = EC_POINT_bn2point(ecGrp, bnT, ptPk, bnCtx)))
{
LogPrintf("%s: extract ptPk failed.\n", __func__);
rv = 1; goto End;
};
// ptT1 = ci * Pi
if (!EC_POINT_mul(ecGrp, ptT1, NULL, ptPk, bnC, bnCtx))
{
LogPrintf("%s: EC_POINT_mul failed.\n", __func__);
rv = 1; goto End;
};
// ptT2 = ri * G
if (!EC_POINT_mul(ecGrp, ptT2, bnR, NULL, NULL, bnCtx))
{
LogPrintf("%s: EC_POINT_mul failed.\n", __func__);
rv = 1; goto End;
};
// ptL = ptT1 + ptT2
if (!EC_POINT_add(ecGrp, ptL, ptT1, ptT2, bnCtx))
{
LogPrintf("%s: EC_POINT_add failed.\n", __func__);
rv = 1; goto End;
};
// ptT3 = Hp(Pi)
if (hashToEC(&pPubkeys[i * EC_COMPRESSED_SIZE], EC_COMPRESSED_SIZE, bnT, ptT3) != 0)
{
LogPrintf("%s: hashToEC failed.\n", __func__);
rv = 1; goto End;
};
// DEBUGGING: ------- check if we can find the signer...
// ptSi = Pi * bnT
if ((!EC_POINT_mul(ecGrp, ptSi, NULL, ptPk, bnT, bnCtx)
|| false)
&& (rv = errorN(1, "%s: EC_POINT_mul failed.1", __func__)))
goto End;
if (0 == EC_POINT_cmp(ecGrp, ptSi, ptKi, bnCtx) )
LogPrintf("signer is index %d\n", i);
// DEBUGGING: - End - check if we can find the signer...
// ptT1 = k1 * I
if (!EC_POINT_mul(ecGrp, ptT1, NULL, ptKi, bnC, bnCtx))
{
LogPrintf("%s: EC_POINT_mul failed.\n", __func__);
rv = 1; goto End;
};
// ptT2 = k2 * ptT3
if (!EC_POINT_mul(ecGrp, ptT2, NULL, ptT3, bnR, bnCtx))
{
LogPrintf("%s: EC_POINT_mul failed.\n", __func__);
rv = 1; goto End;
};
// ptR = ptT1 + ptT2
if (!EC_POINT_add(ecGrp, ptR, ptT1, ptT2, bnCtx))
{
LogPrintf("%s: EC_POINT_add failed.\n", __func__);
rv = 1; goto End;
};
// sum = (sum + ci) % N
if (!BN_mod_add(bnSum, bnSum, bnC, bnOrder, bnCtx))
{
LogPrintf("%s: BN_mod_add failed.\n", __func__);
rv = 1; goto End;
};
// -- add ptL and ptR to hash
if ( !(EC_POINT_point2oct(ecGrp, ptL, POINT_CONVERSION_COMPRESSED, &tempData[0], 33, bnCtx) == (int) EC_COMPRESSED_SIZE)
|| !(EC_POINT_point2oct(ecGrp, ptR, POINT_CONVERSION_COMPRESSED, &tempData[33], 33, bnCtx) == (int) EC_COMPRESSED_SIZE))
{
LogPrintf("%s: extract ptL and ptR failed.\n", __func__);
rv = 1; goto End;
};
ssCommitHash.write((const char*)&tempData[0], 66);
};
commitHash = ssCommitHash.GetHash();
if (!(bnH) || !(bnH = BN_bin2bn(commitHash.begin(), EC_SECRET_SIZE, bnH)))
{
LogPrintf("%s: commitHash -> bnH failed.\n", __func__);
rv = 1; goto End;
};
if (!BN_mod(bnH, bnH, bnOrder, bnCtx))
{
LogPrintf("%s: BN_mod failed.\n", __func__);
rv = 1; goto End;
};
// bnT = (bnH - bnSum) % N
if (!BN_mod_sub(bnT, bnH, bnSum, bnOrder, bnCtx))
{
LogPrintf("%s: BN_mod_sub failed.\n", __func__);
rv = 1; goto End;
};
// test bnT == 0 (bnSum == bnH)
if (!BN_is_zero(bnT))
{
LogPrintf("%s: signature does not verify.\n", __func__);
rv = 2;
};
End:
EC_POINT_free(ptT1);
EC_POINT_free(ptT2);
EC_POINT_free(ptT3);
EC_POINT_free(ptPk);
EC_POINT_free(ptKi);
EC_POINT_free(ptL);
EC_POINT_free(ptR);
EC_POINT_free(ptSi);
BN_CTX_end(bnCtx);
return rv;
};
int
ecdh_im_compute_key(PACE_CTX * ctx, const BUF_MEM * s, const BUF_MEM * in,
BN_CTX *bn_ctx)
{
int ret = 0;
BUF_MEM * x_mem = NULL;
BIGNUM * a = NULL, *b = NULL, *p = NULL;
BIGNUM * x = NULL, *y = NULL, *v = NULL, *u = NULL;
BIGNUM * tmp = NULL, *tmp2 = NULL, *bn_inv = NULL;
BIGNUM * two = NULL, *three = NULL, *four = NULL, *six = NULL;
BIGNUM * twentyseven = NULL;
EC_KEY *static_key = NULL, *ephemeral_key = NULL;
EC_POINT *g = NULL;
BN_CTX_start(bn_ctx);
check((ctx && ctx->static_key && s && ctx->ka_ctx), "Invalid arguments");
static_key = EVP_PKEY_get1_EC_KEY(ctx->static_key);
if (!static_key)
goto err;
/* Setup all the variables*/
a = BN_CTX_get(bn_ctx);
b = BN_CTX_get(bn_ctx);
p = BN_CTX_get(bn_ctx);
x = BN_CTX_get(bn_ctx);
y = BN_CTX_get(bn_ctx);
v = BN_CTX_get(bn_ctx);
two = BN_CTX_get(bn_ctx);
three = BN_CTX_get(bn_ctx);
four = BN_CTX_get(bn_ctx);
six = BN_CTX_get(bn_ctx);
twentyseven = BN_CTX_get(bn_ctx);
tmp = BN_CTX_get(bn_ctx);
tmp2 = BN_CTX_get(bn_ctx);
bn_inv = BN_CTX_get(bn_ctx);
if (!bn_inv)
goto err;
/* Encrypt the Nonce using the symmetric key in */
x_mem = cipher_no_pad(ctx->ka_ctx, NULL, in, s, 1);
if (!x_mem)
goto err;
/* Fetch the curve parameters */
if (!EC_GROUP_get_curve_GFp(EC_KEY_get0_group(static_key), p, a, b, bn_ctx))
goto err;
/* Assign constants */
if ( !BN_set_word(two,2)||
!BN_set_word(three,3)||
!BN_set_word(four,4)||
!BN_set_word(six,6)||
!BN_set_word(twentyseven,27)
) goto err;
/* Check prerequisites for curve parameters */
check(
/* p > 3;*/
(BN_cmp(p, three) == 1) &&
/* p mod 3 = 2; (p has the form p=q^n, q prime) */
BN_nnmod(tmp, p, three, bn_ctx) &&
(BN_cmp(tmp, two) == 0),
"Unsuited curve");
/* Convert encrypted nonce to BIGNUM */
u = BN_bin2bn((unsigned char *) x_mem->data, x_mem->length, u);
if (!u)
goto err;
if ( /* v = (3a - u^4) / 6u mod p */
!BN_mod_mul(tmp, three, a, p, bn_ctx) ||
!BN_mod_exp(tmp2, u, four, p, bn_ctx) ||
!BN_mod_sub(v, tmp, tmp2, p, bn_ctx) ||
!BN_mod_mul(tmp, u, six, p, bn_ctx) ||
/* For division within a galois field we need to compute
* the multiplicative inverse of a number */
!BN_mod_inverse(bn_inv, tmp, p, bn_ctx) ||
!BN_mod_mul(v, v, bn_inv, p, bn_ctx) ||
/* x = (v^2 - b - ((u^6)/27)) */
!BN_mod_sqr(tmp, v, p, bn_ctx) ||
!BN_mod_sub(tmp2, tmp, b, p, bn_ctx) ||
!BN_mod_exp(tmp, u, six, p, bn_ctx) ||
!BN_mod_inverse(bn_inv, twentyseven, p, bn_ctx) ||
!BN_mod_mul(tmp, tmp, bn_inv, p, bn_ctx) ||
!BN_mod_sub(x, tmp2, tmp, p, bn_ctx) ||
/* x -> x^(1/3) = x^((2p^n -1)/3) */
!BN_mul(tmp, two, p, bn_ctx) ||
!BN_sub(tmp, tmp, BN_value_one()) ||
/* Division is defined, because p^n = 2 mod 3 */
!BN_div(tmp, y, tmp, three, bn_ctx) ||
!BN_mod_exp(tmp2, x, tmp, p, bn_ctx) ||
!BN_copy(x, tmp2) ||
/* x += (u^2)/3 */
!BN_mod_sqr(tmp, u, p, bn_ctx) ||
!BN_mod_inverse(bn_inv, three, p, bn_ctx) ||
!BN_mod_mul(tmp2, tmp, bn_inv, p, bn_ctx) ||
!BN_mod_add(tmp, x, tmp2, p, bn_ctx) ||
!BN_copy(x, tmp) ||
/* y = ux + v */
!BN_mod_mul(y, u, x, p, bn_ctx) ||
!BN_mod_add(tmp, y, v, p, bn_ctx) ||
!BN_copy(y, tmp)
)
goto err;
/* Initialize ephemeral parameters with parameters from the static key */
ephemeral_key = EC_KEY_dup(static_key);
if (!ephemeral_key)
goto err;
EVP_PKEY_set1_EC_KEY(ctx->ka_ctx->key, ephemeral_key);
/* configure the new EC_KEY */
g = EC_POINT_new(EC_KEY_get0_group(ephemeral_key));
if (!g)
goto err;
if (!EC_POINT_set_affine_coordinates_GFp(EC_KEY_get0_group(ephemeral_key), g,
x, y, bn_ctx))
goto err;
ret = 1;
err:
if (x_mem)
BUF_MEM_free(x_mem);
if (u)
BN_free(u);
BN_CTX_end(bn_ctx);
if (g)
EC_POINT_clear_free(g);
/* Decrement reference count, keys are still available via PACE_CTX */
if (static_key)
EC_KEY_free(static_key);
if (ephemeral_key)
EC_KEY_free(ephemeral_key);
return ret;
}
static EC_KEY *extract_ec_priv_key(CPK_MASTER_SECRET *master, const char *id)
{
int e = 1;
EC_KEY *ec_key = NULL;
const EC_GROUP *ec_group;
EC_POINT *pub_key = NULL;
BIGNUM *priv_key = BN_new();
BIGNUM *order = BN_new();
BIGNUM *bn = BN_new();
BN_CTX *ctx = BN_CTX_new();
int *index = NULL;
int i, num_indexes, bn_size;
if (!priv_key || !bn || !order || !ctx) {
goto err;
}
if (!(ec_key = X509_ALGOR_get1_EC_KEY(master->pkey_algor))) {
goto err;
}
ec_group = EC_KEY_get0_group(ec_key);
if (!(pub_key = EC_POINT_new(ec_group))) {
goto err;
}
if ((num_indexes = CPK_MAP_num_indexes(master->map_algor)) <= 0) {
goto err;
}
if (!(index = OPENSSL_malloc(sizeof(int) * num_indexes))) {
goto err;
}
if (!CPK_MAP_str2index(master->map_algor, id, index)) {
goto err;
}
BN_zero(priv_key);
if (!(EC_GROUP_get_order(EC_KEY_get0_group(ec_key), order, ctx))) {
goto err;
}
bn_size = BN_num_bytes(order);
for (i = 0; i < num_indexes; i++) {
const unsigned char *p =
M_ASN1_STRING_data(master->secret_factors) +
bn_size * index[i];
if (!BN_bin2bn(p, bn_size, bn)) {
goto err;
}
if (BN_is_zero(bn) || BN_cmp(bn, order) >= 0) {
goto err;
}
if (!BN_mod_add(priv_key, priv_key, bn, order, ctx)) {
goto err;
}
}
if (!EC_KEY_set_private_key(ec_key, priv_key)) {
goto err;
}
if (!EC_POINT_mul(ec_group, pub_key, priv_key, NULL, NULL, ctx)) {
goto err;
}
if (!EC_KEY_set_public_key(ec_key, pub_key)) {
goto err;
}
e = 0;
err:
if (e && ec_key) {
EC_KEY_free(ec_key);
ec_key = NULL;
}
if (priv_key) BN_free(priv_key);
if (pub_key) EC_POINT_free(pub_key);
if (order) BN_free(order);
if (bn) BN_free(bn);
if (ctx) BN_CTX_free(ctx);
if (index) OPENSSL_free(index);
return ec_key;
}
// unsigned char *rgbHashData, 哈希数值
// unsigned char *rgbKeyPb, SM2公钥数据,Px Py 不含标志位 point_conversion_form_t
// unsigned char *rs 待验证的签名数据
unsigned char eccVerifySignature(unsigned char *rgbHashData, unsigned char *rgbKeyPb, unsigned char *rs)
{
int ret = SM2_VERIFY_INNER_ERROR;
EC_POINT *point = NULL;
BN_CTX *ctx = NULL;
BIGNUM *order = NULL;
BIGNUM *e = NULL;
BIGNUM *t = NULL;
int i;
EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_sm2p256v1);
BIGNUM *x = BN_new();;
BIGNUM *y = BN_new();;
if (!BN_bin2bn(rgbKeyPb, 32, x)) {
goto err;
}
if (!BN_bin2bn(rgbKeyPb + 32, 32, y)) {
goto err;
}
if (!EC_KEY_set_public_key_affine_coordinates(ec_key, x, y)) {
goto err;
}
const EC_POINT *pub_key = EC_KEY_get0_public_key(ec_key);
BIGNUM *r= BN_new(), *s = BN_new();
BN_bin2bn(rs, 32, r);
BN_bin2bn(rs + 32, 32, s);
//// 相当于
//EC_KEY *ret = EC_KEY_new();
EC_GROUP *ec_group = EC_GROUP_new_by_curve_name(NID_sm2p256v1);
ctx = BN_CTX_new();
order = BN_new();
e = BN_new();
t = BN_new();
if (!ctx || !order || !e || !t) {
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_MALLOC_FAILURE);
goto err;
}
if (!EC_GROUP_get_order(ec_group, order, ctx)) {
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);
goto err;
}
/* check r, s in [1, n-1] and r + s != 0 (mod n) */
if (BN_is_zero(r) ||
BN_is_negative(r) ||
BN_ucmp(r, order) >= 0 ||
BN_is_zero(s) ||
BN_is_negative(s) ||
BN_ucmp(s, order) >= 0) {
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ECDSA_R_BAD_SIGNATURE);
ret = 0;
goto err;
}
/* check t = r + s != 0 */
if (!BN_mod_add(t, r, s, order, ctx)) {
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
goto err;
}
if (BN_is_zero(t)) {
ret = 0;
goto err;
}
/* convert digest to e */
i = BN_num_bits(order);
#if 0
if (8 * dgstlen > i) {
dgstlen = (i + 7)/8;
}
#endif
if (!BN_bin2bn(rgbHashData, 32, e)) {
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
goto err;
}
#if 0
if ((8 * dgstlen > i) && !BN_rshift(e, e, 8 - (i & 0x7))) {
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
goto err;
}
#endif
/* compute (x, y) = sG + tP, P is pub_key */
if (!(point = EC_POINT_new(ec_group))) {
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_MALLOC_FAILURE);
goto err;
}
if (!EC_POINT_mul(ec_group, point, s, pub_key, t, ctx)) {
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);
goto err;
}
if (EC_METHOD_get_field_type(EC_GROUP_method_of(ec_group)) == NID_X9_62_prime_field) {
if (!EC_POINT_get_affine_coordinates_GFp(ec_group, point, t, NULL, ctx)) {
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);
goto err;
}
} else /* NID_X9_62_characteristic_two_field */ {
if (!EC_POINT_get_affine_coordinates_GF2m(ec_group, point, t, NULL, ctx)) {
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);
goto err;
}
}
if (!BN_nnmod(t, t, order, ctx)) {
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
goto err;
}
/* check (sG + tP).x + e == sig.r */
if (!BN_mod_add(t, t, e, order, ctx)) {
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
goto err;
}
if (BN_ucmp(t, r) == 0) {
ret = SM2_VERIFY_SUCCESS;
} else {
ret = SM2_VERIFY_FAILED;
}
err:
if (point) EC_POINT_free(point);
if (order) BN_free(order);
if (e) BN_free(e);
if (t) BN_free(t);
if (ctx) BN_CTX_free(ctx);
return 0;
}
/*
* Computes gost_ec signature as DSA_SIG structure
*
*/
DSA_SIG *gost_ec_sign(const unsigned char *dgst, int dlen, EC_KEY *eckey)
{
DSA_SIG *newsig = NULL, *ret = NULL;
BIGNUM *md = NULL;
BIGNUM *order = NULL;
const EC_GROUP *group;
const BIGNUM *priv_key;
BIGNUM *r = NULL, *s = NULL, *X = NULL, *tmp = NULL, *tmp2 = NULL,
*k = NULL, *e = NULL;
EC_POINT *C = NULL;
BN_CTX *ctx;
OPENSSL_assert(dgst != NULL && eckey != NULL);
if (!(ctx = BN_CTX_new())) {
GOSTerr(GOST_F_GOST_EC_SIGN, ERR_R_MALLOC_FAILURE);
return NULL;
}
BN_CTX_start(ctx);
OPENSSL_assert(dlen == 32 || dlen == 64);
md = hashsum2bn(dgst, dlen);
newsig = DSA_SIG_new();
if (!newsig || !md) {
GOSTerr(GOST_F_GOST_EC_SIGN, ERR_R_MALLOC_FAILURE);
goto err;
}
group = EC_KEY_get0_group(eckey);
if (!group) {
GOSTerr(GOST_F_GOST_EC_SIGN, ERR_R_INTERNAL_ERROR);
goto err;
}
order = BN_CTX_get(ctx);
if (!order || !EC_GROUP_get_order(group, order, ctx)) {
GOSTerr(GOST_F_GOST_EC_SIGN, ERR_R_INTERNAL_ERROR);
goto err;
}
priv_key = EC_KEY_get0_private_key(eckey);
if (!priv_key) {
GOSTerr(GOST_F_GOST_EC_SIGN, ERR_R_INTERNAL_ERROR);
goto err;
}
e = BN_CTX_get(ctx);
if (!e || !BN_mod(e, md, order, ctx)) {
GOSTerr(GOST_F_GOST_EC_SIGN, ERR_R_INTERNAL_ERROR);
goto err;
}
#ifdef DEBUG_SIGN
fprintf(stderr, "digest as bignum=");
BN_print_fp(stderr, md);
fprintf(stderr, "\ndigest mod q=");
BN_print_fp(stderr, e);
fprintf(stderr, "\n");
#endif
if (BN_is_zero(e)) {
BN_one(e);
}
k = BN_CTX_get(ctx);
C = EC_POINT_new(group);
if (!k || !C) {
GOSTerr(GOST_F_GOST_EC_SIGN, ERR_R_MALLOC_FAILURE);
goto err;
}
do {
do {
if (!BN_rand_range(k, order)) {
GOSTerr(GOST_F_GOST_EC_SIGN, GOST_R_RNG_ERROR);
goto err;
}
/*
* To avoid timing information leaking the length of k,
* compute C*k using an equivalent scalar of fixed bit-length */
if (!BN_add(k, k, order)
|| (BN_num_bits(k) <= BN_num_bits(order)
&& !BN_add(k, k, order))) {
goto err;
}
if (!EC_POINT_mul(group, C, k, NULL, NULL, ctx)) {
GOSTerr(GOST_F_GOST_EC_SIGN, ERR_R_EC_LIB);
goto err;
}
if (!X)
X = BN_CTX_get(ctx);
if (!r)
r = BN_CTX_get(ctx);
if (!X || !r) {
GOSTerr(GOST_F_GOST_EC_SIGN, ERR_R_MALLOC_FAILURE);
goto err;
}
if (!EC_POINT_get_affine_coordinates_GFp(group, C, X, NULL, ctx)) {
GOSTerr(GOST_F_GOST_EC_SIGN, ERR_R_EC_LIB);
goto err;
}
if (!BN_nnmod(r, X, order, ctx)) {
GOSTerr(GOST_F_GOST_EC_SIGN, ERR_R_INTERNAL_ERROR);
goto err;
}
}
while (BN_is_zero(r));
/* s = (r*priv_key+k*e) mod order */
if (!tmp)
tmp = BN_CTX_get(ctx);
if (!tmp2)
tmp2 = BN_CTX_get(ctx);
if (!s)
s = BN_CTX_get(ctx);
if (!tmp || !tmp2 || !s) {
GOSTerr(GOST_F_GOST_EC_SIGN, ERR_R_MALLOC_FAILURE);
goto err;
}
if (!BN_mod_mul(tmp, priv_key, r, order, ctx)
|| !BN_mod_mul(tmp2, k, e, order, ctx)
|| !BN_mod_add(s, tmp, tmp2, order, ctx)) {
GOSTerr(GOST_F_GOST_EC_SIGN, ERR_R_INTERNAL_ERROR);
goto err;
}
}
while (BN_is_zero(s));
newsig->s = BN_dup(s);
newsig->r = BN_dup(r);
if (!newsig->s || !newsig->r) {
GOSTerr(GOST_F_GOST_EC_SIGN, ERR_R_MALLOC_FAILURE);
goto err;
}
ret = newsig;
err:
BN_CTX_end(ctx);
BN_CTX_free(ctx);
if (C)
EC_POINT_free(C);
if (md)
BN_free(md);
if (!ret && newsig) {
DSA_SIG_free(newsig);
}
return ret;
}
/*
* Computes gost2001 signature as DSA_SIG structure
*
*
*/
DSA_SIG *gost2001_do_sign(const unsigned char *dgst,int dlen, EC_KEY *eckey)
{
DSA_SIG *newsig = NULL;
BIGNUM *md = hashsum2bn(dgst);
BIGNUM *order = NULL;
const EC_GROUP *group;
const BIGNUM *priv_key;
BIGNUM *r=NULL,*s=NULL,*X=NULL,*tmp=NULL,*tmp2=NULL, *k=NULL,*e=NULL;
EC_POINT *C=NULL;
BN_CTX *ctx = BN_CTX_new();
BN_CTX_start(ctx);
OPENSSL_assert(dlen==32);
newsig=DSA_SIG_new();
if (!newsig)
{
GOSTerr(GOST_F_GOST2001_DO_SIGN,GOST_R_NO_MEMORY);
goto err;
}
group = EC_KEY_get0_group(eckey);
order=BN_CTX_get(ctx);
EC_GROUP_get_order(group,order,ctx);
priv_key = EC_KEY_get0_private_key(eckey);
e = BN_CTX_get(ctx);
BN_mod(e,md,order,ctx);
#ifdef DEBUG_SIGN
fprintf(stderr,"digest as bignum=");
BN_print_fp(stderr,md);
fprintf(stderr,"\ndigest mod q=");
BN_print_fp(stderr,e);
fprintf(stderr,"\n");
#endif
if (BN_is_zero(e))
{
BN_one(e);
}
k =BN_CTX_get(ctx);
C=EC_POINT_new(group);
do
{
do
{
if (!BN_rand_range(k,order))
{
GOSTerr(GOST_F_GOST2001_DO_SIGN,GOST_R_RANDOM_NUMBER_GENERATOR_FAILED);
DSA_SIG_free(newsig);
goto err;
}
if (!EC_POINT_mul(group,C,k,NULL,NULL,ctx))
{
GOSTerr(GOST_F_GOST2001_DO_SIGN,ERR_R_EC_LIB);
DSA_SIG_free(newsig);
goto err;
}
if (!X) X=BN_CTX_get(ctx);
if (!EC_POINT_get_affine_coordinates_GFp(group,C,X,NULL,ctx))
{
GOSTerr(GOST_F_GOST2001_DO_SIGN,ERR_R_EC_LIB);
DSA_SIG_free(newsig);
goto err;
}
if (!r) r=BN_CTX_get(ctx);
BN_nnmod(r,X,order,ctx);
}
while (BN_is_zero(r));
/* s = (r*priv_key+k*e) mod order */
if (!tmp) tmp = BN_CTX_get(ctx);
BN_mod_mul(tmp,priv_key,r,order,ctx);
if (!tmp2) tmp2 = BN_CTX_get(ctx);
BN_mod_mul(tmp2,k,e,order,ctx);
if (!s) s=BN_CTX_get(ctx);
BN_mod_add(s,tmp,tmp2,order,ctx);
}
while (BN_is_zero(s));
newsig->s=BN_dup(s);
newsig->r=BN_dup(r);
err:
BN_CTX_end(ctx);
BN_CTX_free(ctx);
EC_POINT_free(C);
BN_free(md);
return newsig;
}
