/* flatten RsaKey structure into individual elements (e, n) */
int wc_RsaFlattenPublicKey(RsaKey* key, byte* e, word32* eSz, byte* n,
word32* nSz)
{
int sz, ret;
if (key == NULL || e == NULL || eSz == NULL || n == NULL || nSz == NULL)
return BAD_FUNC_ARG;
sz = mp_unsigned_bin_size(&key->e);
if ((word32)sz > *nSz)
return RSA_BUFFER_E;
ret = mp_to_unsigned_bin(&key->e, e);
if (ret != MP_OKAY)
return ret;
*eSz = (word32)sz;
sz = mp_unsigned_bin_size(&key->n);
if ((word32)sz > *nSz)
return RSA_BUFFER_E;
ret = mp_to_unsigned_bin(&key->n, n);
if (ret != MP_OKAY)
return ret;
*nSz = (word32)sz;
return 0;
}
uint8_t *rsa_serialize_pair(rsa_keypair_t *pair, size_t *len) {
uint32_t bytes_m, bytes_e, bytes_d;
uint32_t bytes_p, bytes_q, bytes_dp, bytes_dq, bytes_qi;
size_t offs = 0;
uint8_t *out;
if(pair == NULL) return NULL;
if((pair->public == NULL) || (pair->secret == NULL) || (pair->modulus == NULL))
return NULL;
bytes_m = mp_unsigned_bin_size(pair->modulus);
bytes_e = mp_unsigned_bin_size(pair->public);
bytes_d = mp_unsigned_bin_size(pair->secret);
*len = bytes_e + bytes_d + bytes_m + 3 * INT_SIZE;
if((pair->p == NULL) || (pair->q == NULL) || (pair->dp == NULL) || (pair->dq == NULL) || (pair->qi == NULL)) {
if((out = malloc(*len)) == NULL)
return NULL;
memcpy(out + offs, &bytes_m, INT_SIZE); offs += INT_SIZE;
mp_to_unsigned_bin(pair->modulus, out + offs); offs += bytes_m;
memcpy(out + offs, &bytes_e, INT_SIZE); offs += INT_SIZE;
mp_to_unsigned_bin(pair->public, out + offs); offs += bytes_e;
memcpy(out + offs, &bytes_d, INT_SIZE); offs += INT_SIZE;
mp_to_unsigned_bin(pair->secret, out + offs); offs += bytes_d;
} else {
/** ECC X9.63 (Sec. 4.3.6) uncompressed export
@param key Key to export
@param out [out] destination of export
@param outlen [in/out] Length of destination and final output size
Return CRYPT_OK on success
*/
int ecc_ansi_x963_export(ecc_key *key, unsigned char *out, unsigned long *outlen) {
unsigned char buf[ECC_BUF_SIZE];
unsigned long numlen;
LTC_ARGCHK(key != NULL);
LTC_ARGCHK(out != NULL);
LTC_ARGCHK(outlen != NULL);
if (ltc_ecc_is_valid_idx(key->idx) == 0) {
return CRYPT_INVALID_ARG;
}
numlen = key->dp->size;
if (*outlen < (1 + 2 * numlen)) {
*outlen = 1 + 2 * numlen;
return CRYPT_BUFFER_OVERFLOW;
}
/* store byte 0x04 */
out[0] = 0x04;
/* pad and store x */
zeromem(buf, sizeof(buf));
mp_to_unsigned_bin(key->pubkey.x, buf + (numlen - mp_unsigned_bin_size(key->pubkey.x)));
XMEMCPY(out + 1, buf, numlen);
/* pad and store y */
zeromem(buf, sizeof(buf));
mp_to_unsigned_bin(key->pubkey.y, buf + (numlen - mp_unsigned_bin_size(key->pubkey.y)));
XMEMCPY(out + 1 + numlen, buf, numlen);
*outlen = 1 + 2 * numlen;
return CRYPT_OK;
}
uint8_t *rsa_serialize_public(rsa_keypair_t *pair, size_t *len) {
uint32_t bytes_m, bytes_e;
size_t offs = 0;
uint8_t *out;
if(pair == NULL)
return NULL;
if((pair->public == NULL) || (pair->modulus == NULL))
return NULL;
bytes_m = mp_unsigned_bin_size(pair->modulus);
bytes_e = mp_unsigned_bin_size(pair->public);
*len = bytes_m + bytes_e + 2 * INT_SIZE;
if((out = malloc(*len)) == NULL)
return NULL;
memcpy(out + offs, &bytes_m, INT_SIZE); offs += INT_SIZE;
mp_to_unsigned_bin(pair->modulus, out + offs); offs += bytes_m;
memcpy(out + offs, &bytes_e, INT_SIZE); offs += INT_SIZE;
mp_to_unsigned_bin(pair->public, out + offs); offs += bytes_e;
return out;
}
/**
Convert data from a specific radix to binary
The default MPI descriptors #ltm_desc, #tfm_desc and #gmp_desc
have the following restrictions on parameters:
\p in - NUL-terminated char buffer
\p radix - 2..64
@param in The input
@param radix The radix of the input
@param out The output buffer
@param len [in/out] The length of the output buffer
@return CRYPT_OK on success.
*/
int radix_to_bin(const void *in, int radix, void *out, unsigned long *len)
{
unsigned long l;
void* mpi;
int err;
LTC_ARGCHK(in != NULL);
LTC_ARGCHK(len != NULL);
if ((err = mp_init(&mpi)) != CRYPT_OK) return err;
if ((err = mp_read_radix(mpi, in, radix)) != CRYPT_OK) goto LBL_ERR;
if ((l = mp_unsigned_bin_size(mpi)) > *len) {
*len = l;
err = CRYPT_BUFFER_OVERFLOW;
goto LBL_ERR;
}
*len = l;
if ((err = mp_to_unsigned_bin(mpi, out)) != CRYPT_OK) goto LBL_ERR;
LBL_ERR:
mp_clear(mpi);
return err;
}
int DhAgree(DhKey* key, byte* agree, word32* agreeSz, const byte* priv,
word32 privSz, const byte* otherPub, word32 pubSz)
{
int ret = 0;
mp_int x;
mp_int y;
mp_int z;
if (mp_init_multi(&x, &y, &z, 0, 0, 0) != MP_OKAY)
return MP_INIT_E;
if (mp_read_unsigned_bin(&x, priv, privSz) != MP_OKAY)
ret = MP_READ_E;
if (ret == 0 && mp_read_unsigned_bin(&y, otherPub, pubSz) != MP_OKAY)
ret = MP_READ_E;
if (ret == 0 && mp_exptmod(&y, &x, &key->p, &z) != MP_OKAY)
ret = MP_EXPTMOD_E;
if (ret == 0 && mp_to_unsigned_bin(&z, agree) != MP_OKAY)
ret = MP_TO_E;
if (ret == 0)
*agreeSz = mp_unsigned_bin_size(&z);
mp_clear(&z);
mp_clear(&y);
mp_clear(&x);
return ret;
}
static int GeneratePublic(DhKey* key, const byte* priv, word32 privSz,
byte* pub, word32* pubSz)
{
int ret = 0;
mp_int x;
mp_int y;
if (mp_init_multi(&x, &y, 0, 0, 0, 0) != MP_OKAY)
return MP_INIT_E;
if (mp_read_unsigned_bin(&x, priv, privSz) != MP_OKAY)
ret = MP_READ_E;
if (ret == 0 && mp_exptmod(&key->g, &x, &key->p, &y) != MP_OKAY)
ret = MP_EXPTMOD_E;
if (ret == 0 && mp_to_unsigned_bin(&y, pub) != MP_OKAY)
ret = MP_TO_E;
if (ret == 0)
*pubSz = mp_unsigned_bin_size(&y);
mp_clear(&y);
mp_clear(&x);
return ret;
}
int wc_SrpGetVerifier(Srp* srp, byte* verifier, word32* size)
{
mp_int v;
int r;
if (!srp || !verifier || !size || srp->side != SRP_CLIENT_SIDE)
return BAD_FUNC_ARG;
if (mp_iszero(&srp->auth) == MP_YES)
return SRP_CALL_ORDER_E;
r = mp_init(&v);
if (r != MP_OKAY)
return MP_INIT_E;
/* v = g ^ x % N */
if (!r) r = mp_exptmod(&srp->g, &srp->auth, &srp->N, &v);
if (!r) r = *size < (word32)mp_unsigned_bin_size(&v) ? BUFFER_E : MP_OKAY;
if (!r) r = mp_to_unsigned_bin(&v, verifier);
if (!r) *size = mp_unsigned_bin_size(&v);
mp_clear(&v);
return r;
}
/* store in unsigned [big endian] format */
int mp_to_unsigned_bin_n (mp_int * a, unsigned char *b, unsigned long *outlen)
{
if (*outlen < (unsigned long)mp_unsigned_bin_size(a)) {
return MP_VAL;
}
*outlen = mp_unsigned_bin_size(a);
return mp_to_unsigned_bin(a, b);
}
/**
Create an ECC shared secret between two keys
@param private_key The private ECC key
@param public_key The public key
@param out [out] Destination of the shared secret (Conforms to EC-DH from ANSI X9.63)
@param outlen [in/out] The max size and resulting size of the shared secret
@return CRYPT_OK if successful
*/
int ecc_shared_secret(ecc_key *private_key, ecc_key *public_key,
unsigned char *out, unsigned long *outlen)
{
unsigned long x;
ecc_point *result;
void *prime;
int err;
LTC_ARGCHK(private_key != NULL);
LTC_ARGCHK(public_key != NULL);
LTC_ARGCHK(out != NULL);
LTC_ARGCHK(outlen != NULL);
/* type valid? */
if (private_key->type != PK_PRIVATE) {
return CRYPT_PK_NOT_PRIVATE;
}
if (ltc_ecc_is_valid_idx(private_key->idx) == 0 || ltc_ecc_is_valid_idx(public_key->idx) == 0) {
return CRYPT_INVALID_ARG;
}
if (XSTRCMP(private_key->dp->name, public_key->dp->name) != 0) {
return CRYPT_PK_TYPE_MISMATCH;
}
/* make new point */
result = ltc_ecc_new_point();
if (result == NULL) {
return CRYPT_MEM;
}
if ((err = mp_init(&prime)) != CRYPT_OK) {
ltc_ecc_del_point(result);
return err;
}
if ((err = mp_read_radix(prime, (char *)private_key->dp->prime, 16)) != CRYPT_OK) { goto done; }
if ((err = ltc_mp.ecc_ptmul(private_key->k, &public_key->pubkey, result, prime, 1)) != CRYPT_OK) { goto done; }
x = (unsigned long)mp_unsigned_bin_size(prime);
if (*outlen < x) {
*outlen = x;
err = CRYPT_BUFFER_OVERFLOW;
goto done;
}
zeromem(out, x);
if ((err = mp_to_unsigned_bin(result->x, out + (x - mp_unsigned_bin_size(result->x)))) != CRYPT_OK) { goto done; }
err = CRYPT_OK;
*outlen = x;
done:
mp_clear(prime);
ltc_ecc_del_point(result);
return err;
}
/* store in signed [big endian] format */
int mp_to_signed_bin(const mp_int *a, unsigned char *b)
{
int res;
if ((res = mp_to_unsigned_bin(a, b + 1)) != MP_OKAY) {
return res;
}
b[0] = (a->sign == MP_ZPOS) ? (unsigned char)0 : (unsigned char)1;
return MP_OKAY;
}
/* store in signed [big endian] format */
int mp_to_signed_bin (mp_int * a, unsigned char *b)
{
int res;
if ((res = mp_to_unsigned_bin (a, b + 1)) != MP_OKAY) {
return res;
}
b[0] = (unsigned char) ((a->sign == MP_ZPOS) ? 0 : 1);
return MP_OKAY;
}
/**
LTC_PKCS #1 Integer to binary
@param n The integer to store
@param modulus_len The length of the RSA modulus
@param out [out] The destination for the integer
@return CRYPT_OK if successful
*/
int pkcs_1_i2osp(void *n, unsigned long modulus_len, unsigned char *out) {
unsigned long size;
size = mp_unsigned_bin_size(n);
if (size > modulus_len) {
return CRYPT_BUFFER_OVERFLOW;
}
/* store it */
zeromem(out, modulus_len);
return mp_to_unsigned_bin(n, out + (modulus_len - size));
}
/**
* bignum_get_unsigned_bin - Set binary buffer to unsigned bignum
* @n: Bignum from bignum_init()
* @buf: Buffer for the binary number
* @len: Length of the buffer, can be %NULL if buffer is known to be long
* enough. Set to used buffer length on success if not %NULL.
* Returns: 0 on success, -1 on failure
*/
int bignum_get_unsigned_bin(const struct bignum *n, u8 *buf, size_t *len) {
size_t need = mp_unsigned_bin_size((mp_int *) n);
if (len && need > *len) {
*len = need;
return -1;
}
if (mp_to_unsigned_bin((mp_int *) n, buf) != MP_OKAY) {
wpa_printf(MSG_DEBUG, "BIGNUM: %s failed", __func__);
return -1;
}
if (len)
*len = need;
return 0;
}
int wc_mp_to_bigint(mp_int* src, WC_BIGINT* dst)
{
int err;
word32 sz;
if (src == NULL || dst == NULL)
return BAD_FUNC_ARG;
sz = mp_unsigned_bin_size(src);
err = wc_bigint_alloc(dst, sz);
if (err == MP_OKAY)
err = mp_to_unsigned_bin(src, dst->buf);
return err;
}
static BIGNUM *
mpz2BN(mp_int *s)
{
size_t size;
BIGNUM *bn;
void *p;
size = mp_unsigned_bin_size(s);
p = malloc(size);
if (p == NULL && size != 0)
return NULL;
mp_to_unsigned_bin(s, p);
bn = BN_bin2bn(p, size, NULL);
free(p);
return bn;
}
/* always stores the same # of bytes, pads with leading zero bytes
as required
*/
int pkcs_1_i2osp(mp_int *n, unsigned long modulus_len, unsigned char *out)
{
int err;
unsigned long size;
size = mp_unsigned_bin_size(n);
if (size > modulus_len) {
return CRYPT_BUFFER_OVERFLOW;
}
/* store it */
zeromem(out, modulus_len);
if ((err = mp_to_unsigned_bin(n, out+(modulus_len-size))) != MP_OKAY) {
return mpi_to_ltc_error(err);
}
return CRYPT_OK;
}
mp_err mp_i2osp(mp_int *x, char *out, int len)
{
int xlen;
ARGCHK(x != NULL && out != NULL && len > 0, MP_BADARG);
if((xlen = mp_unsigned_bin_size(x)) > len) {
return MP_RANGE;
}
xlen -= len;
if(xlen > 0)
memset(out, 0, xlen);
mp_to_unsigned_bin(x, (unsigned char *)out + xlen);
return MP_OKAY;
} /* end mp_i2osp() */
/* for our purposes we only need positive (or 0) numbers, so will
* fail if we get negative numbers */
void buf_putmpint(buffer* buf, mp_int * mp) {
unsigned int len, pad = 0;
TRACE2(("enter buf_putmpint"))
dropbear_assert(mp != NULL);
if (SIGN(mp) == MP_NEG) {
dropbear_exit("negative bignum");
}
/* zero check */
if (USED(mp) == 1 && DIGIT(mp, 0) == 0) {
len = 0;
} else {
/* SSH spec requires padding for mpints with the MSB set, this code
* implements it */
len = mp_count_bits(mp);
/* if the top bit of MSB is set, we need to pad */
pad = (len%8 == 0) ? 1 : 0;
len = len / 8 + 1; /* don't worry about rounding, we need it for
padding anyway when len%8 == 0 */
}
/* store the length */
buf_putint(buf, len);
/* store the actual value */
if (len > 0) {
if (pad) {
buf_putbyte(buf, 0x00);
}
if (mp_to_unsigned_bin(mp, buf_getwriteptr(buf, len-pad)) != MP_OKAY) {
dropbear_exit("mpint error");
}
buf_incrwritepos(buf, len-pad);
}
TRACE2(("leave buf_putmpint"))
}
static int
ltm_dh_compute_key(unsigned char *shared, const BIGNUM * pub, DH *dh)
{
mp_int s, priv_key, p, peer_pub;
int ret;
if (dh->pub_key == NULL || dh->g == NULL || dh->priv_key == NULL)
return -1;
mp_init_multi(&s, &priv_key, &p, &peer_pub, NULL);
BN2mpz(&p, dh->p);
BN2mpz(&peer_pub, pub);
/* check if peers pubkey is reasonable */
if (mp_isneg(&peer_pub)
|| mp_cmp(&peer_pub, &p) >= 0
|| mp_cmp_d(&peer_pub, 1) <= 0)
{
ret = -1;
goto out;
}
BN2mpz(&priv_key, dh->priv_key);
ret = mp_exptmod(&peer_pub, &priv_key, &p, &s);
if (ret != 0) {
ret = -1;
goto out;
}
ret = mp_unsigned_bin_size(&s);
mp_to_unsigned_bin(&s, shared);
out:
mp_clear_multi(&s, &priv_key, &p, &peer_pub, NULL);
return ret;
}
/**
Create a DSA shared secret between two keys
@param private_key The private DSA key (the exponent)
@param base The base of the exponentiation (allows this to be used for both encrypt and decrypt)
@param public_key The public key
@param out [out] Destination of the shared secret
@param outlen [in/out] The max size and resulting size of the shared secret
@return CRYPT_OK if successful
*/
int dsa_shared_secret(void *private_key, void *base,
dsa_key *public_key,
unsigned char *out, unsigned long *outlen)
{
unsigned long x;
void *res;
int err;
LTC_ARGCHK(private_key != NULL);
LTC_ARGCHK(public_key != NULL);
LTC_ARGCHK(out != NULL);
LTC_ARGCHK(outlen != NULL);
/* make new point */
if ((err = mp_init(&res)) != CRYPT_OK) {
return err;
}
if ((err = mp_exptmod(base, private_key, public_key->p, res)) != CRYPT_OK) {
mp_clear(res);
return err;
}
x = (unsigned long)mp_unsigned_bin_size(res);
if (*outlen < x) {
*outlen = x;
err = CRYPT_BUFFER_OVERFLOW;
goto done;
}
zeromem(out, x);
if ((err = mp_to_unsigned_bin(res, out + (x - mp_unsigned_bin_size(res)))) != CRYPT_OK) { goto done; }
err = CRYPT_OK;
*outlen = x;
done:
mp_clear(res);
return err;
}
int wc_DhAgree(DhKey* key, byte* agree, word32* agreeSz, const byte* priv,
word32 privSz, const byte* otherPub, word32 pubSz)
{
int ret = 0;
mp_int x;
mp_int y;
mp_int z;
if (wc_DhCheckPubKey(key, otherPub, pubSz) != 0) {
WOLFSSL_MSG("wc_DhAgree wc_DhCheckPubKey failed");
return DH_CHECK_PUB_E;
}
if (mp_init_multi(&x, &y, &z, 0, 0, 0) != MP_OKAY)
return MP_INIT_E;
if (mp_read_unsigned_bin(&x, priv, privSz) != MP_OKAY)
ret = MP_READ_E;
if (ret == 0 && mp_read_unsigned_bin(&y, otherPub, pubSz) != MP_OKAY)
ret = MP_READ_E;
if (ret == 0 && mp_exptmod(&y, &x, &key->p, &z) != MP_OKAY)
ret = MP_EXPTMOD_E;
if (ret == 0 && mp_to_unsigned_bin(&z, agree) != MP_OKAY)
ret = MP_TO_E;
if (ret == 0)
*agreeSz = mp_unsigned_bin_size(&z);
mp_clear(&z);
mp_clear(&y);
mp_clear(&x);
return ret;
}
void BigInteger::getBytes(Firebird::UCharBuffer& bytes) const
{
CHECK_MP(mp_to_unsigned_bin(const_cast<mp_int*>(&t), bytes.getBuffer(length())));
}
int ecc_export_full(unsigned char *out, unsigned long *outlen, int type, ecc_key *key)
{
int err;
void *prime, *order, *a, *b, *gx, *gy;
unsigned char bin_a[256], bin_b[256], bin_k[256], bin_g[512], bin_xy[512];
unsigned long len_a, len_b, len_k, len_g, len_xy;
unsigned long cofactor, one = 1;
oid_st oid;
ltc_asn1_list seq_fieldid[2], seq_curve[2], seq_ecparams[6], seq_priv[4];
LTC_ARGCHK(out != NULL);
LTC_ARGCHK(outlen != NULL);
LTC_ARGCHK(key != NULL);
if (key->type != PK_PRIVATE && type == PK_PRIVATE) return CRYPT_PK_TYPE_MISMATCH;
if (ltc_ecc_is_valid_idx(key->idx) == 0) return CRYPT_INVALID_ARG;
if ((err = mp_init_multi(&prime, &order, &a, &b, &gx, &gy, NULL)) != CRYPT_OK) return err;
if ((err = mp_read_radix(prime, key->dp->prime, 16)) != CRYPT_OK) goto error;
if ((err = mp_read_radix(order, key->dp->order, 16)) != CRYPT_OK) goto error;
if ((err = mp_read_radix(b, key->dp->B, 16)) != CRYPT_OK) goto error;
if ((err = mp_read_radix(a, key->dp->A, 16)) != CRYPT_OK) goto error;
if ((err = mp_read_radix(gx, key->dp->Gx, 16)) != CRYPT_OK) goto error;
if ((err = mp_read_radix(gy, key->dp->Gy, 16)) != CRYPT_OK) goto error;
/* curve param a */
len_a = mp_unsigned_bin_size(a);
if (len_a > sizeof(bin_a)) { err = CRYPT_BUFFER_OVERFLOW; goto error; }
if ((err = mp_to_unsigned_bin(a, bin_a)) != CRYPT_OK) goto error;
if (len_a == 0) { len_a = 1; bin_a[0] = 0; } /* XXX-TODO hack to handle case a == 0 */
/* curve param b */
len_b = mp_unsigned_bin_size(b);
if (len_b > sizeof(bin_b)) { err = CRYPT_BUFFER_OVERFLOW; goto error; }
if ((err = mp_to_unsigned_bin(b, bin_b)) != CRYPT_OK) goto error;
if (len_b == 0) { len_b = 1; bin_b[0] = 0; } /* XXX-TODO hack to handle case b == 0 */
/* base point - we export uncompressed form */
len_g = sizeof(bin_g);
if ((err = ecc_export_point(bin_g, &len_g, gx, gy, key->dp->size, 0)) != CRYPT_OK) goto error;
/* public key */
len_xy = sizeof(bin_xy);
if ((err = ecc_export_point(bin_xy, &len_xy, key->pubkey.x, key->pubkey.y, key->dp->size, 0)) != CRYPT_OK) goto error;
/* co-factor */
cofactor = key->dp->cofactor;
/* we support only prime-field EC */
if ((err = pk_get_oid(EC_PRIME_FIELD, &oid)) != CRYPT_OK) goto error;
/* FieldID SEQUENCE */
LTC_SET_ASN1(seq_fieldid, 0, LTC_ASN1_OBJECT_IDENTIFIER, oid.OID, oid.OIDlen);
LTC_SET_ASN1(seq_fieldid, 1, LTC_ASN1_INTEGER, prime, 1UL);
/* Curve SEQUENCE */
LTC_SET_ASN1(seq_curve, 0, LTC_ASN1_OCTET_STRING, bin_a, len_a);
LTC_SET_ASN1(seq_curve, 1, LTC_ASN1_OCTET_STRING, bin_b, len_b);
/* ECParameters SEQUENCE */
LTC_SET_ASN1(seq_ecparams, 0, LTC_ASN1_SHORT_INTEGER, &one, 1UL);
LTC_SET_ASN1(seq_ecparams, 1, LTC_ASN1_SEQUENCE, seq_fieldid, 2UL);
LTC_SET_ASN1(seq_ecparams, 2, LTC_ASN1_SEQUENCE, seq_curve, 2UL);
LTC_SET_ASN1(seq_ecparams, 3, LTC_ASN1_OCTET_STRING, bin_g, len_g);
LTC_SET_ASN1(seq_ecparams, 4, LTC_ASN1_INTEGER, order, 1UL);
LTC_SET_ASN1(seq_ecparams, 5, LTC_ASN1_SHORT_INTEGER, &cofactor, 1UL);
if (type == PK_PRIVATE) {
/* private key format: http://tools.ietf.org/html/rfc5915
ECPrivateKey ::= SEQUENCE { # SEQUENCE
version INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1), # INTEGER :01
privateKey OCTET STRING, # OCTET STRING
[0] ECParameters ::= SEQUENCE { # SEQUENCE
version INTEGER { ecpVer1(1) } (ecpVer1), # INTEGER :01
FieldID ::= SEQUENCE { # SEQUENCE
fieldType FIELD-ID.&id({IOSet}), # OBJECT :prime-field
parameters FIELD-ID.&Type({IOSet}{@fieldType}) # INTEGER
}
Curve ::= SEQUENCE { # SEQUENCE
a FieldElement ::= OCTET STRING # OCTET STRING
b FieldElement ::= OCTET STRING # OCTET STRING
seed BIT STRING OPTIONAL
}
base ECPoint ::= OCTET STRING # OCTET STRING
order INTEGER, # INTEGER
cofactor INTEGER OPTIONAL # INTEGER
}
[1] publicKey # BIT STRING
}
*/
/* private key */
len_k = mp_unsigned_bin_size(key->k);
if (len_k > sizeof(bin_k)) { err = CRYPT_BUFFER_OVERFLOW; goto error; }
if ((err = mp_to_unsigned_bin(key->k, bin_k)) != CRYPT_OK) goto error;
LTC_SET_ASN1(seq_priv, 0, LTC_ASN1_SHORT_INTEGER, &one, 1UL);
LTC_SET_ASN1(seq_priv, 1, LTC_ASN1_OCTET_STRING, bin_k, len_k);
LTC_SET_ASN1(seq_priv, 2, LTC_ASN1_SEQUENCE, seq_ecparams, 6UL);
LTC_SET_ASN1(seq_priv, 3, LTC_ASN1_RAW_BIT_STRING, bin_xy, 8*len_xy);
seq_priv[2].tag = 0xA0;
seq_priv[3].tag = 0xA1;
err = der_encode_sequence(seq_priv, 4, out, outlen);
}
else {
/* public key format: http://tools.ietf.org/html/rfc5480
SubjectPublicKeyInfo ::= SEQUENCE { # SEQUENCE
AlgorithmIdentifier ::= SEQUENCE { # SEQUENCE
algorithm OBJECT IDENTIFIER # OBJECT :id-ecPublicKey
ECParameters ::= SEQUENCE { # SEQUENCE
version INTEGER { ecpVer1(1) } (ecpVer1), # INTEGER :01
FieldID ::= SEQUENCE { # SEQUENCE
fieldType FIELD-ID.&id({IOSet}), # OBJECT :prime-field
parameters FIELD-ID.&Type({IOSet}{@fieldType}) # INTEGER
}
Curve ::= SEQUENCE { # SEQUENCE
a FieldElement ::= OCTET STRING # OCTET STRING
b FieldElement ::= OCTET STRING # OCTET STRING
seed BIT STRING OPTIONAL
}
base ECPoint ::= OCTET STRING # OCTET STRING
order INTEGER, # INTEGER
cofactor INTEGER OPTIONAL # INTEGER
}
}
subjectPublicKey BIT STRING # BIT STRING
}
*/
err = der_encode_subject_public_key_info( out, outlen,
PKA_EC, bin_xy, len_xy,
LTC_ASN1_SEQUENCE, seq_ecparams, 6 );
}
error:
mp_clear_multi(prime, order, a, b, gx, gy, NULL);
return err;
}
/**
Create DSA parameters (INTERNAL ONLY, not part of public API)
@param prng An active PRNG state
@param wprng The index of the PRNG desired
@param group_size Size of the multiplicative group (octets)
@param modulus_size Size of the modulus (octets)
@param p [out] bignum where generated 'p' is stored (must be initialized by caller)
@param q [out] bignum where generated 'q' is stored (must be initialized by caller)
@param g [out] bignum where generated 'g' is stored (must be initialized by caller)
@return CRYPT_OK if successful, upon error this function will free all allocated memory
*/
static int _dsa_make_params(prng_state *prng, int wprng, int group_size, int modulus_size, void *p, void *q, void *g)
{
unsigned long L, N, n, outbytes, seedbytes, counter, j, i;
int err, res, mr_tests_q, mr_tests_p, found_p, found_q, hash;
unsigned char *wbuf, *sbuf, digest[MAXBLOCKSIZE];
void *t2L1, *t2N1, *t2q, *t2seedlen, *U, *W, *X, *c, *h, *e, *seedinc;
/* check size */
if (group_size >= LTC_MDSA_MAX_GROUP || group_size < 1 || group_size >= modulus_size) {
return CRYPT_INVALID_ARG;
}
/* FIPS-186-4 A.1.1.2 Generation of the Probable Primes p and q Using an Approved Hash Function
*
* L = The desired length of the prime p (in bits e.g. L = 1024)
* N = The desired length of the prime q (in bits e.g. N = 160)
* seedlen = The desired bit length of the domain parameter seed; seedlen shallbe equal to or greater than N
* outlen = The bit length of Hash function
*
* 1. Check that the (L, N)
* 2. If (seedlen <N), then return INVALID.
* 3. n = ceil(L / outlen) - 1
* 4. b = L- 1 - (n * outlen)
* 5. domain_parameter_seed = an arbitrary sequence of seedlen bits
* 6. U = Hash (domain_parameter_seed) mod 2^(N-1)
* 7. q = 2^(N-1) + U + 1 - (U mod 2)
* 8. Test whether or not q is prime as specified in Appendix C.3
* 9. If qis not a prime, then go to step 5.
* 10. offset = 1
* 11. For counter = 0 to (4L- 1) do {
* For j=0 to n do {
* Vj = Hash ((domain_parameter_seed+ offset + j) mod 2^seedlen
* }
* W = V0 + (V1 *2^outlen) + ... + (Vn-1 * 2^((n-1) * outlen)) + ((Vn mod 2^b) * 2^(n * outlen))
* X = W + 2^(L-1) Comment: 0 <= W < 2^(L-1); hence 2^(L-1) <= X < 2^L
* c = X mod 2*q
* p = X - (c - 1) Comment: p ~ 1 (mod 2*q)
* If (p >= 2^(L-1)) {
* Test whether or not p is prime as specified in Appendix C.3.
* If p is determined to be prime, then return VALID and the values of p, qand (optionally) the values of domain_parameter_seed and counter
* }
* offset = offset + n + 1 Comment: Increment offset
* }
*/
seedbytes = group_size;
L = (unsigned long)modulus_size * 8;
N = (unsigned long)group_size * 8;
/* XXX-TODO no Lucas test */
#ifdef LTC_MPI_HAS_LUCAS_TEST
/* M-R tests (when followed by one Lucas test) according FIPS-186-4 - Appendix C.3 - table C.1 */
mr_tests_p = (L <= 2048) ? 3 : 2;
if (N <= 160) { mr_tests_q = 19; }
else if (N <= 224) { mr_tests_q = 24; }
else { mr_tests_q = 27; }
#else
/* M-R tests (without Lucas test) according FIPS-186-4 - Appendix C.3 - table C.1 */
if (L <= 1024) { mr_tests_p = 40; }
else if (L <= 2048) { mr_tests_p = 56; }
else { mr_tests_p = 64; }
if (N <= 160) { mr_tests_q = 40; }
else if (N <= 224) { mr_tests_q = 56; }
else { mr_tests_q = 64; }
#endif
if (N <= 256) {
hash = register_hash(&sha256_desc);
}
else if (N <= 384) {
hash = register_hash(&sha384_desc);
}
else if (N <= 512) {
hash = register_hash(&sha512_desc);
}
else {
return CRYPT_INVALID_ARG; /* group_size too big */
}
if ((err = hash_is_valid(hash)) != CRYPT_OK) { return err; }
outbytes = hash_descriptor[hash].hashsize;
n = ((L + outbytes*8 - 1) / (outbytes*8)) - 1;
if ((wbuf = XMALLOC((n+1)*outbytes)) == NULL) { err = CRYPT_MEM; goto cleanup3; }
if ((sbuf = XMALLOC(seedbytes)) == NULL) { err = CRYPT_MEM; goto cleanup2; }
err = mp_init_multi(&t2L1, &t2N1, &t2q, &t2seedlen, &U, &W, &X, &c, &h, &e, &seedinc, NULL);
if (err != CRYPT_OK) { goto cleanup1; }
if ((err = mp_2expt(t2L1, L-1)) != CRYPT_OK) { goto cleanup; }
/* t2L1 = 2^(L-1) */
if ((err = mp_2expt(t2N1, N-1)) != CRYPT_OK) { goto cleanup; }
/* t2N1 = 2^(N-1) */
if ((err = mp_2expt(t2seedlen, seedbytes*8)) != CRYPT_OK) { goto cleanup; }
/* t2seedlen = 2^seedlen */
for(found_p=0; !found_p;) {
/* q */
for(found_q=0; !found_q;) {
if (prng_descriptor[wprng].read(sbuf, seedbytes, prng) != seedbytes) { err = CRYPT_ERROR_READPRNG; goto cleanup; }
i = outbytes;
if ((err = hash_memory(hash, sbuf, seedbytes, digest, &i)) != CRYPT_OK) { goto cleanup; }
if ((err = mp_read_unsigned_bin(U, digest, outbytes)) != CRYPT_OK) { goto cleanup; }
if ((err = mp_mod(U, t2N1, U)) != CRYPT_OK) { goto cleanup; }
if ((err = mp_add(t2N1, U, q)) != CRYPT_OK) { goto cleanup; }
if (!mp_isodd(q)) mp_add_d(q, 1, q);
if ((err = mp_prime_is_prime(q, mr_tests_q, &res)) != CRYPT_OK) { goto cleanup; }
if (res == LTC_MP_YES) found_q = 1;
}
/* p */
if ((err = mp_read_unsigned_bin(seedinc, sbuf, seedbytes)) != CRYPT_OK) { goto cleanup; }
if ((err = mp_add(q, q, t2q)) != CRYPT_OK) { goto cleanup; }
for(counter=0; counter < 4*L && !found_p; counter++) {
for(j=0; j<=n; j++) {
if ((err = mp_add_d(seedinc, 1, seedinc)) != CRYPT_OK) { goto cleanup; }
if ((err = mp_mod(seedinc, t2seedlen, seedinc)) != CRYPT_OK) { goto cleanup; }
/* seedinc = (seedinc+1) % 2^seed_bitlen */
if ((i = mp_unsigned_bin_size(seedinc)) > seedbytes) { err = CRYPT_INVALID_ARG; goto cleanup; }
zeromem(sbuf, seedbytes);
if ((err = mp_to_unsigned_bin(seedinc, sbuf + seedbytes-i)) != CRYPT_OK) { goto cleanup; }
i = outbytes;
err = hash_memory(hash, sbuf, seedbytes, wbuf+(n-j)*outbytes, &i);
if (err != CRYPT_OK) { goto cleanup; }
}
if ((err = mp_read_unsigned_bin(W, wbuf, (n+1)*outbytes)) != CRYPT_OK) { goto cleanup; }
if ((err = mp_mod(W, t2L1, W)) != CRYPT_OK) { goto cleanup; }
if ((err = mp_add(W, t2L1, X)) != CRYPT_OK) { goto cleanup; }
if ((err = mp_mod(X, t2q, c)) != CRYPT_OK) { goto cleanup; }
if ((err = mp_sub_d(c, 1, p)) != CRYPT_OK) { goto cleanup; }
if ((err = mp_sub(X, p, p)) != CRYPT_OK) { goto cleanup; }
if (mp_cmp(p, t2L1) != LTC_MP_LT) {
/* p >= 2^(L-1) */
if ((err = mp_prime_is_prime(p, mr_tests_p, &res)) != CRYPT_OK) { goto cleanup; }
if (res == LTC_MP_YES) {
found_p = 1;
}
}
}
}
/* FIPS-186-4 A.2.1 Unverifiable Generation of the Generator g
* 1. e = (p - 1)/q
* 2. h = any integer satisfying: 1 < h < (p - 1)
* h could be obtained from a random number generator or from a counter that changes after each use
* 3. g = h^e mod p
* 4. if (g == 1), then go to step 2.
*
*/
if ((err = mp_sub_d(p, 1, e)) != CRYPT_OK) { goto cleanup; }
if ((err = mp_div(e, q, e, c)) != CRYPT_OK) { goto cleanup; }
/* e = (p - 1)/q */
i = mp_count_bits(p);
do {
do {
if ((err = rand_bn_bits(h, i, prng, wprng)) != CRYPT_OK) { goto cleanup; }
} while (mp_cmp(h, p) != LTC_MP_LT || mp_cmp_d(h, 2) != LTC_MP_GT);
if ((err = mp_sub_d(h, 1, h)) != CRYPT_OK) { goto cleanup; }
/* h is randon and 1 < h < (p-1) */
if ((err = mp_exptmod(h, e, p, g)) != CRYPT_OK) { goto cleanup; }
} while (mp_cmp_d(g, 1) == LTC_MP_EQ);
err = CRYPT_OK;
cleanup:
mp_clear_multi(t2L1, t2N1, t2q, t2seedlen, U, W, X, c, h, e, seedinc, NULL);
cleanup1:
XFREE(sbuf);
cleanup2:
XFREE(wbuf);
cleanup3:
return err;
}
static int _set_test(void)
{
dh_key k1, k2, k3;
unsigned char buf[4096];
unsigned long len;
int i;
unsigned char gbin[] = { 0x02 };
unsigned char pbin[] = {
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34,
0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74,
0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD,
0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37,
0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6,
0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B, 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED,
0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, 0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6,
0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05,
0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A, 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F,
0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, 0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB,
0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04,
0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C, 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B,
0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, 0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F,
0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18,
0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5, 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10,
0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAC, 0xAA, 0x68, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
};
unsigned char xbin[] = {
0xA6, 0x68, 0x1A, 0xDC, 0x38, 0x6C, 0xE9, 0x44, 0xC3, 0xDE, 0xD9, 0xA7, 0x30, 0x1D, 0xCC, 0x9C,
0x51, 0x82, 0x50, 0xE3, 0xED, 0xB6, 0x2F, 0x95, 0x91, 0x98, 0xF8, 0xDC, 0x00, 0x57, 0xDD, 0x6F,
0xB5, 0x7A, 0xBA, 0xFD, 0x78, 0x81, 0x98, 0xB1
};
unsigned char ybin[] = {
0x39, 0x04, 0x66, 0x32, 0xC8, 0x34, 0x41, 0x8D, 0xFA, 0x07, 0xB3, 0x09, 0x15, 0x38, 0xB6, 0x14,
0xD1, 0xFB, 0x5D, 0xBB, 0x78, 0x5C, 0x0F, 0xBE, 0xA3, 0xB9, 0x8B, 0x29, 0x5B, 0xC0, 0xCD, 0x07,
0x6A, 0x88, 0xD9, 0x45, 0x21, 0x41, 0xA2, 0x69, 0xE8, 0xBA, 0xEB, 0x1D, 0xD6, 0x54, 0xEB, 0xA0,
0x3A, 0x57, 0x05, 0x31, 0x8D, 0x12, 0x97, 0x54, 0xCD, 0xF4, 0x00, 0x3A, 0x8C, 0x39, 0x92, 0x40,
0xFB, 0xB8, 0xF1, 0x62, 0x49, 0x0F, 0x6F, 0x0D, 0xC7, 0x0E, 0x41, 0x4B, 0x6F, 0xEE, 0x88, 0x08,
0x6A, 0xFA, 0xA4, 0x8E, 0x9F, 0x3A, 0x24, 0x8E, 0xDC, 0x09, 0x34, 0x52, 0x66, 0x3D, 0x34, 0xE0,
0xE8, 0x09, 0xD4, 0xF6, 0xBA, 0xDB, 0xB3, 0x6F, 0x80, 0xB6, 0x81, 0x3E, 0xBF, 0x7C, 0x32, 0x81,
0xB8, 0x62, 0x20, 0x9E, 0x56, 0x04, 0xBD, 0xEA, 0x8B, 0x8F, 0x5F, 0x7B, 0xFD, 0xC3, 0xEE, 0xB7,
0xAD, 0xB7, 0x30, 0x48, 0x28, 0x9B, 0xCE, 0xA0, 0xF5, 0xA5, 0xCD, 0xEE, 0x7D, 0xF9, 0x1C, 0xD1,
0xF0, 0xBA, 0x63, 0x2F, 0x06, 0xDB, 0xE9, 0xBA, 0x7E, 0xF0, 0x14, 0xB8, 0x4B, 0x02, 0xD4, 0x97,
0xCA, 0x7D, 0x0C, 0x60, 0xF7, 0x34, 0x75, 0x2A, 0x64, 0x9D, 0xA4, 0x96, 0x94, 0x6B, 0x4E, 0x53,
0x1B, 0x30, 0xD9, 0xF8, 0x2E, 0xDD, 0x85, 0x56, 0x36, 0xC0, 0xB0, 0xF2, 0xAE, 0x23, 0x2E, 0x41,
0x86, 0x45, 0x4E, 0x88, 0x87, 0xBB, 0x42, 0x3E, 0x32, 0xA5, 0xA2, 0x49, 0x5E, 0xAC, 0xBA, 0x99,
0x62, 0x0A, 0xCD, 0x03, 0xA3, 0x83, 0x45, 0xEB, 0xB6, 0x73, 0x5E, 0x62, 0x33, 0x0A, 0x8E, 0xE9,
0xAA, 0x6C, 0x83, 0x70, 0x41, 0x0F, 0x5C, 0xD4, 0x5A, 0xF3, 0x7E, 0xE9, 0x0A, 0x0D, 0xA9, 0x5B,
0xE9, 0x6F, 0xC9, 0x39, 0xE8, 0x8F, 0xE0, 0xBD, 0x2C, 0xD0, 0x9F, 0xC8, 0xF5, 0x24, 0x20, 0x8C
};
struct {
int radix;
void* g; int glen;
void* p; int plen;
void* x; int xlen;
void* y; int ylen;
} test[1] = {
{ 256, gbin, sizeof(gbin), pbin, sizeof(pbin), xbin, sizeof(xbin), ybin, sizeof(ybin) }
};
unsigned char export_private[] = {
0x30, 0x82, 0x01, 0x3A, 0x02, 0x01, 0x00, 0x03, 0x02, 0x07, 0x80, 0x02, 0x82, 0x01, 0x01, 0x00,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34,
0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74,
0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD,
0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37,
0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6,
0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B, 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED,
0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, 0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6,
0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05,
0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A, 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F,
0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, 0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB,
0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04,
0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C, 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B,
0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, 0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F,
0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18,
0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5, 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10,
0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAC, 0xAA, 0x68, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0x02, 0x01, 0x02, 0x02, 0x29, 0x00, 0xA6, 0x68, 0x1A, 0xDC, 0x38, 0x6C, 0xE9, 0x44, 0xC3, 0xDE,
0xD9, 0xA7, 0x30, 0x1D, 0xCC, 0x9C, 0x51, 0x82, 0x50, 0xE3, 0xED, 0xB6, 0x2F, 0x95, 0x91, 0x98,
0xF8, 0xDC, 0x00, 0x57, 0xDD, 0x6F, 0xB5, 0x7A, 0xBA, 0xFD, 0x78, 0x81, 0x98, 0xB1
};
unsigned char export_public[] = {
0x30, 0x82, 0x02, 0x13, 0x02, 0x01, 0x00, 0x03, 0x02, 0x07, 0x00, 0x02, 0x82, 0x01, 0x01, 0x00,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34,
0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74,
0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD,
0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37,
0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6,
0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B, 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED,
0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, 0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6,
0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05,
0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A, 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F,
0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, 0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB,
0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04,
0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C, 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B,
0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, 0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F,
0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18,
0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5, 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10,
0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAC, 0xAA, 0x68, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0x02, 0x01, 0x02, 0x02, 0x82, 0x01, 0x00, 0x39, 0x04, 0x66, 0x32, 0xC8, 0x34, 0x41, 0x8D, 0xFA,
0x07, 0xB3, 0x09, 0x15, 0x38, 0xB6, 0x14, 0xD1, 0xFB, 0x5D, 0xBB, 0x78, 0x5C, 0x0F, 0xBE, 0xA3,
0xB9, 0x8B, 0x29, 0x5B, 0xC0, 0xCD, 0x07, 0x6A, 0x88, 0xD9, 0x45, 0x21, 0x41, 0xA2, 0x69, 0xE8,
0xBA, 0xEB, 0x1D, 0xD6, 0x54, 0xEB, 0xA0, 0x3A, 0x57, 0x05, 0x31, 0x8D, 0x12, 0x97, 0x54, 0xCD,
0xF4, 0x00, 0x3A, 0x8C, 0x39, 0x92, 0x40, 0xFB, 0xB8, 0xF1, 0x62, 0x49, 0x0F, 0x6F, 0x0D, 0xC7,
0x0E, 0x41, 0x4B, 0x6F, 0xEE, 0x88, 0x08, 0x6A, 0xFA, 0xA4, 0x8E, 0x9F, 0x3A, 0x24, 0x8E, 0xDC,
0x09, 0x34, 0x52, 0x66, 0x3D, 0x34, 0xE0, 0xE8, 0x09, 0xD4, 0xF6, 0xBA, 0xDB, 0xB3, 0x6F, 0x80,
0xB6, 0x81, 0x3E, 0xBF, 0x7C, 0x32, 0x81, 0xB8, 0x62, 0x20, 0x9E, 0x56, 0x04, 0xBD, 0xEA, 0x8B,
0x8F, 0x5F, 0x7B, 0xFD, 0xC3, 0xEE, 0xB7, 0xAD, 0xB7, 0x30, 0x48, 0x28, 0x9B, 0xCE, 0xA0, 0xF5,
0xA5, 0xCD, 0xEE, 0x7D, 0xF9, 0x1C, 0xD1, 0xF0, 0xBA, 0x63, 0x2F, 0x06, 0xDB, 0xE9, 0xBA, 0x7E,
0xF0, 0x14, 0xB8, 0x4B, 0x02, 0xD4, 0x97, 0xCA, 0x7D, 0x0C, 0x60, 0xF7, 0x34, 0x75, 0x2A, 0x64,
0x9D, 0xA4, 0x96, 0x94, 0x6B, 0x4E, 0x53, 0x1B, 0x30, 0xD9, 0xF8, 0x2E, 0xDD, 0x85, 0x56, 0x36,
0xC0, 0xB0, 0xF2, 0xAE, 0x23, 0x2E, 0x41, 0x86, 0x45, 0x4E, 0x88, 0x87, 0xBB, 0x42, 0x3E, 0x32,
0xA5, 0xA2, 0x49, 0x5E, 0xAC, 0xBA, 0x99, 0x62, 0x0A, 0xCD, 0x03, 0xA3, 0x83, 0x45, 0xEB, 0xB6,
0x73, 0x5E, 0x62, 0x33, 0x0A, 0x8E, 0xE9, 0xAA, 0x6C, 0x83, 0x70, 0x41, 0x0F, 0x5C, 0xD4, 0x5A,
0xF3, 0x7E, 0xE9, 0x0A, 0x0D, 0xA9, 0x5B, 0xE9, 0x6F, 0xC9, 0x39, 0xE8, 0x8F, 0xE0, 0xBD, 0x2C,
0xD0, 0x9F, 0xC8, 0xF5, 0x24, 0x20, 0x8C
};
for (i = 0; i < 1; i++) {
DO(dh_set_pg(test[i].p, test[i].plen, test[i].g, test[i].glen, &k1));
DO(dh_set_key(test[i].x, test[i].xlen, PK_PRIVATE, &k1));
len = sizeof(buf);
DO(dh_export(buf, &len, PK_PRIVATE, &k1));
if (compare_testvector(buf, len, export_private, sizeof(export_private), "radix_test", i*10 + 0)) {
printf("radix_test: dh_export+PK_PRIVATE mismatch\n");
dh_free(&k1);
return CRYPT_ERROR;
}
len = sizeof(buf);
DO(dh_export(buf, &len, PK_PUBLIC, &k1));
if (compare_testvector(buf, len, export_public, sizeof(export_public), "radix_test", i*10 + 1)) {
printf("radix_test: dh_export+PK_PUBLIC mismatch\n");
dh_free(&k1);
return CRYPT_ERROR;
}
len = sizeof(buf);
DO(dh_export_key(buf, &len, PK_PRIVATE, &k1));
if (compare_testvector(buf, len, xbin, sizeof(xbin), "radix_test", i*10 + 2)) {
printf("radix_test: dh_export+PK_PRIVATE mismatch\n");
dh_free(&k1);
return CRYPT_ERROR;
}
len = sizeof(buf);
DO(dh_export_key(buf, &len, PK_PUBLIC, &k1));
if (compare_testvector(buf, len, ybin, sizeof(ybin), "radix_test", i*10 + 3)) {
printf("radix_test: dh_export+PK_PUBLIC mismatch\n");
dh_free(&k1);
return CRYPT_ERROR;
}
dh_free(&k1);
DO(dh_set_pg(test[i].p, test[i].plen, test[i].g, test[i].glen, &k1));
DO(dh_set_key(test[i].x, test[i].xlen, PK_PRIVATE, &k1));
len = sizeof(buf);
DO(dh_export(buf, &len, PK_PRIVATE, &k1));
if (compare_testvector(buf, len, export_private, sizeof(export_private), "radix_test", i*10 + 4)) {
printf("radix_test: dh_export+PK_PRIVATE mismatch\n");
dh_free(&k1);
return CRYPT_ERROR;
}
len = sizeof(buf);
DO(dh_export(buf, &len, PK_PUBLIC, &k1));
if (compare_testvector(buf, len, export_public, sizeof(export_public), "radix_test", i*10 + 5)) {
printf("radix_test: dh_export+PK_PUBLIC mismatch\n");
dh_free(&k1);
return CRYPT_ERROR;
}
dh_free(&k1);
DO(dh_set_pg(test[i].p, test[i].plen, test[i].g, test[i].glen, &k2));
DO(dh_set_key(test[i].y, test[i].ylen, PK_PUBLIC, &k2));
len = sizeof(buf);
DO(dh_export(buf, &len, PK_PUBLIC, &k2));
if (compare_testvector(buf, len, export_public, sizeof(export_public), "radix_test", i*10 + 6)) {
printf("radix_test: dh_export+PK_PUBLIC mismatch\n");
dh_free(&k2);
return CRYPT_ERROR;
}
len = sizeof(buf);
DO(dh_export_key(buf, &len, PK_PUBLIC, &k2));
if (compare_testvector(buf, len, ybin, sizeof(ybin), "radix_test", i*10 + 7)) {
printf("radix_test: dh_export+PK_PUBLIC mismatch\n");
dh_free(&k2);
return CRYPT_ERROR;
}
dh_free(&k2);
DO(dh_set_pg(test[i].p, test[i].plen, test[i].g, test[i].glen, &k3));
DO(dh_generate_key(&yarrow_prng, find_prng("yarrow"), &k3));
len = mp_unsigned_bin_size(k3.prime);
DO(mp_to_unsigned_bin(k3.prime, buf));
if (compare_testvector(buf, len, pbin, sizeof(pbin), "radix_test", i*10 + 8)) {
printf("radix_test: dh_make_key_ex prime mismatch\n");
dh_free(&k3);
return CRYPT_ERROR;
}
len = mp_unsigned_bin_size(k3.base);
DO(mp_to_unsigned_bin(k3.base, buf));
if (compare_testvector(buf, len, gbin, sizeof(gbin), "radix_test", i*10 + 9)) {
printf("radix_test: dh_make_key_ex base mismatch\n");
dh_free(&k3);
return CRYPT_ERROR;
}
dh_free(&k3);
}
return CRYPT_OK;
}
/**
Compute an RSA modular exponentiation
@param in The input data to send into RSA
@param inlen The length of the input (octets)
@param out [out] The destination
@param outlen [in/out] The max size and resulting size of the output
@param which Which exponent to use, e.g. PK_PRIVATE or PK_PUBLIC
@param key The RSA key to use
@return CRYPT_OK if successful
*/
int rsa_exptmod(const unsigned char *in, unsigned long inlen,
unsigned char *out, unsigned long *outlen, int which,
rsa_key *key)
{
void *tmp, *tmpa, *tmpb;
unsigned long x;
int err;
LTC_ARGCHK(in != NULL);
LTC_ARGCHK(out != NULL);
LTC_ARGCHK(outlen != NULL);
LTC_ARGCHK(key != NULL);
/* is the key of the right type for the operation? */
if (which == PK_PRIVATE && (key->type != PK_PRIVATE)) {
return CRYPT_PK_NOT_PRIVATE;
}
/* must be a private or public operation */
if (which != PK_PRIVATE && which != PK_PUBLIC) {
return CRYPT_PK_INVALID_TYPE;
}
/* init and copy into tmp */
if ((err = mp_init_multi(&tmp, &tmpa, &tmpb, NULL)) != CRYPT_OK) {
return err;
}
if ((err = mp_read_unsigned_bin(tmp, (unsigned char *)in, (int)inlen)) != CRYPT_OK) {
goto error;
}
/* sanity check on the input */
if (mp_cmp(key->N, tmp) == LTC_MP_LT) {
err = CRYPT_PK_INVALID_SIZE;
goto error;
}
/* are we using the private exponent and is the key optimized? */
if (which == PK_PRIVATE) {
/* tmpa = tmp^dP mod p */
if ((err = mp_exptmod(tmp, key->dP, key->p, tmpa)) != CRYPT_OK) {
goto error;
}
/* tmpb = tmp^dQ mod q */
if ((err = mp_exptmod(tmp, key->dQ, key->q, tmpb)) != CRYPT_OK) {
goto error;
}
/* tmp = (tmpa - tmpb) * qInv (mod p) */
if ((err = mp_sub(tmpa, tmpb, tmp)) != CRYPT_OK) {
goto error;
}
if ((err = mp_mulmod(tmp, key->qP, key->p, tmp)) != CRYPT_OK) {
goto error;
}
/* tmp = tmpb + q * tmp */
if ((err = mp_mul(tmp, key->q, tmp)) != CRYPT_OK) {
goto error;
}
if ((err = mp_add(tmp, tmpb, tmp)) != CRYPT_OK) {
goto error;
}
} else {
/* exptmod it */
if ((err = mp_exptmod(tmp, key->e, key->N, tmp)) != CRYPT_OK) {
goto error;
}
}
/* read it back */
x = (unsigned long)mp_unsigned_bin_size(key->N);
if (x > *outlen) {
*outlen = x;
err = CRYPT_BUFFER_OVERFLOW;
goto error;
}
/* this should never happen ... */
if (mp_unsigned_bin_size(tmp) > mp_unsigned_bin_size(key->N)) {
err = CRYPT_ERROR;
goto error;
}
*outlen = x;
/* convert it */
zeromem(out, x);
if ((err = mp_to_unsigned_bin(tmp, out+(x-mp_unsigned_bin_size(tmp)))) != CRYPT_OK) {
goto error;
}
/* clean up and return */
err = CRYPT_OK;
error:
mp_clear_multi(tmp, tmpa, tmpb, NULL);
return err;
}
/* store */
static int unsigned_write(void *a, unsigned char *b)
{
LTC_ARGCHK(a != NULL);
LTC_ARGCHK(b != NULL);
return mpi_to_ltc_error(mp_to_unsigned_bin(a, b));
}
static int RsaFunction(const byte* in, word32 inLen, byte* out, word32* outLen,
int type, RsaKey* key)
{
#define ERROR_OUT(x) { ret = x; goto done;}
mp_int tmp;
int ret = 0;
word32 keyLen, len;
if (mp_init(&tmp) != MP_OKAY)
return MP_INIT_E;
if (mp_read_unsigned_bin(&tmp, (byte*)in, inLen) != MP_OKAY)
ERROR_OUT(MP_READ_E);
if (type == RSA_PRIVATE_DECRYPT || type == RSA_PRIVATE_ENCRYPT) {
#ifdef RSA_LOW_MEM /* half as much memory but twice as slow */
if (mp_exptmod(&tmp, &key->d, &key->n, &tmp) != MP_OKAY)
ERROR_OUT(MP_EXPTMOD_E);
#else
#define INNER_ERROR_OUT(x) { ret = x; goto inner_done; }
mp_int tmpa, tmpb;
if (mp_init(&tmpa) != MP_OKAY)
ERROR_OUT(MP_INIT_E);
if (mp_init(&tmpb) != MP_OKAY) {
mp_clear(&tmpa);
ERROR_OUT(MP_INIT_E);
}
/* tmpa = tmp^dP mod p */
if (mp_exptmod(&tmp, &key->dP, &key->p, &tmpa) != MP_OKAY)
INNER_ERROR_OUT(MP_EXPTMOD_E);
/* tmpb = tmp^dQ mod q */
if (mp_exptmod(&tmp, &key->dQ, &key->q, &tmpb) != MP_OKAY)
INNER_ERROR_OUT(MP_EXPTMOD_E);
/* tmp = (tmpa - tmpb) * qInv (mod p) */
if (mp_sub(&tmpa, &tmpb, &tmp) != MP_OKAY)
INNER_ERROR_OUT(MP_SUB_E);
if (mp_mulmod(&tmp, &key->u, &key->p, &tmp) != MP_OKAY)
INNER_ERROR_OUT(MP_MULMOD_E);
/* tmp = tmpb + q * tmp */
if (mp_mul(&tmp, &key->q, &tmp) != MP_OKAY)
INNER_ERROR_OUT(MP_MUL_E);
if (mp_add(&tmp, &tmpb, &tmp) != MP_OKAY)
INNER_ERROR_OUT(MP_ADD_E);
inner_done:
mp_clear(&tmpa);
mp_clear(&tmpb);
if (ret != 0) return ret;
#endif /* RSA_LOW_MEM */
}
else if (type == RSA_PUBLIC_ENCRYPT || type == RSA_PUBLIC_DECRYPT) {
if (mp_exptmod(&tmp, &key->e, &key->n, &tmp) != MP_OKAY)
ERROR_OUT(MP_EXPTMOD_E);
}
else
ERROR_OUT(RSA_WRONG_TYPE_E);
keyLen = mp_unsigned_bin_size(&key->n);
if (keyLen > *outLen)
ERROR_OUT(RSA_BUFFER_E);
len = mp_unsigned_bin_size(&tmp);
/* pad front w/ zeros to match key length */
while (len < keyLen) {
*out++ = 0x00;
len++;
}
*outLen = keyLen;
/* convert */
if (mp_to_unsigned_bin(&tmp, out) != MP_OKAY)
ERROR_OUT(MP_TO_E);
done:
mp_clear(&tmp);
return ret;
}
static int _dhparam_test(void)
{
dh_key k;
unsigned char buf[1024];
/* generated by: openssl dhparam -outform der -out dhparam.der 2048 */
unsigned char dhparam_der[] = {
0x30, 0x82, 0x01, 0x08, 0x02, 0x82, 0x01, 0x01, 0x00, 0xae, 0xfe, 0x78, 0xce, 0x80, 0xd5, 0xd7,
0x8e, 0xcc, 0x4f, 0x0c, 0x1b, 0xb0, 0x95, 0x10, 0xe1, 0x41, 0x15, 0x53, 0x4d, 0x0e, 0x68, 0xb0,
0xf8, 0x5a, 0x41, 0x0e, 0x65, 0x2f, 0x9f, 0xac, 0x9c, 0x30, 0xb0, 0x76, 0xec, 0x02, 0xe9, 0x43,
0x55, 0x08, 0xb4, 0x20, 0x60, 0xd9, 0x52, 0xda, 0x2d, 0xab, 0x9a, 0xba, 0xe6, 0xcf, 0x11, 0xa7,
0x00, 0x44, 0xc2, 0x5e, 0xd1, 0xba, 0x9b, 0xaa, 0xfe, 0x03, 0xdd, 0xdc, 0xef, 0x41, 0x89, 0x9c,
0xac, 0x64, 0x13, 0xd9, 0x6a, 0x8a, 0x55, 0xa0, 0x5b, 0xff, 0x12, 0x92, 0x37, 0x52, 0x6a, 0x91,
0xa4, 0x6e, 0x9e, 0x61, 0xb7, 0xfe, 0xb0, 0x17, 0x8e, 0x67, 0x0f, 0x88, 0x46, 0xa7, 0x9e, 0xb1,
0xdb, 0x68, 0x77, 0x70, 0xb5, 0x77, 0xf2, 0x7e, 0x33, 0xb1, 0x3e, 0x10, 0xc4, 0x63, 0x36, 0xd0,
0x13, 0x27, 0xd3, 0x29, 0xc3, 0xb6, 0x5d, 0xf6, 0x5d, 0xa7, 0xd8, 0x25, 0x5c, 0x0b, 0x65, 0x99,
0xfa, 0xf9, 0x5f, 0x1d, 0xee, 0xd1, 0x86, 0x64, 0x7c, 0x44, 0xcb, 0xa0, 0x12, 0x52, 0x4c, 0xd4,
0x46, 0x81, 0xae, 0x07, 0xdb, 0xc7, 0x13, 0x29, 0xce, 0x9b, 0xcf, 0x1c, 0x06, 0xd2, 0x0f, 0x2d,
0xbb, 0x12, 0x33, 0xb9, 0xb1, 0x0f, 0x67, 0x5d, 0x3f, 0x0c, 0xe4, 0xfa, 0x67, 0x26, 0xe2, 0x89,
0xa2, 0xd5, 0x66, 0x29, 0x1c, 0xe2, 0x8e, 0xbb, 0x7b, 0xcb, 0xcc, 0x70, 0x7e, 0x4f, 0x0e, 0xd3,
0x5d, 0x64, 0x64, 0x1b, 0x27, 0xbb, 0xda, 0xa9, 0x08, 0x2b, 0x62, 0xd4, 0xca, 0xc3, 0x3a, 0x23,
0x39, 0x58, 0x57, 0xaf, 0x7b, 0x8b, 0x0c, 0x5b, 0x2e, 0xfc, 0x42, 0x57, 0x59, 0x39, 0x2e, 0x6d,
0x39, 0x97, 0xdb, 0x5b, 0x5c, 0xb9, 0x59, 0x71, 0x42, 0xf3, 0xcd, 0xea, 0xda, 0x86, 0x54, 0x86,
0x61, 0x8d, 0x93, 0x66, 0xc7, 0x65, 0xd1, 0x98, 0xcb, 0x02, 0x01, 0x02
};
/* text dump: openssl dh -inform DER -in dhparam.der -text
DH Parameters: (2048 bit)
prime:
00:ae:fe:78:ce:80:d5:d7:8e:cc:4f:0c:1b:b0:95:
10:e1:41:15:53:4d:0e:68:b0:f8:5a:41:0e:65:2f:
9f:ac:9c:30:b0:76:ec:02:e9:43:55:08:b4:20:60:
d9:52:da:2d:ab:9a:ba:e6:cf:11:a7:00:44:c2:5e:
d1:ba:9b:aa:fe:03:dd:dc:ef:41:89:9c:ac:64:13:
d9:6a:8a:55:a0:5b:ff:12:92:37:52:6a:91:a4:6e:
9e:61:b7:fe:b0:17:8e:67:0f:88:46:a7:9e:b1:db:
68:77:70:b5:77:f2:7e:33:b1:3e:10:c4:63:36:d0:
13:27:d3:29:c3:b6:5d:f6:5d:a7:d8:25:5c:0b:65:
99:fa:f9:5f:1d:ee:d1:86:64:7c:44:cb:a0:12:52:
4c:d4:46:81:ae:07:db:c7:13:29:ce:9b:cf:1c:06:
d2:0f:2d:bb:12:33:b9:b1:0f:67:5d:3f:0c:e4:fa:
67:26:e2:89:a2:d5:66:29:1c:e2:8e:bb:7b:cb:cc:
70:7e:4f:0e:d3:5d:64:64:1b:27:bb:da:a9:08:2b:
62:d4:ca:c3:3a:23:39:58:57:af:7b:8b:0c:5b:2e:
fc:42:57:59:39:2e:6d:39:97:db:5b:5c:b9:59:71:
42:f3:cd:ea:da:86:54:86:61:8d:93:66:c7:65:d1:
98:cb
generator: 2 (0x2)
*/
unsigned char prime[] = {
0xae, 0xfe, 0x78, 0xce, 0x80, 0xd5, 0xd7, 0x8e, 0xcc, 0x4f, 0x0c, 0x1b, 0xb0, 0x95,
0x10, 0xe1, 0x41, 0x15, 0x53, 0x4d, 0x0e, 0x68, 0xb0, 0xf8, 0x5a, 0x41, 0x0e, 0x65, 0x2f,
0x9f, 0xac, 0x9c, 0x30, 0xb0, 0x76, 0xec, 0x02, 0xe9, 0x43, 0x55, 0x08, 0xb4, 0x20, 0x60,
0xd9, 0x52, 0xda, 0x2d, 0xab, 0x9a, 0xba, 0xe6, 0xcf, 0x11, 0xa7, 0x00, 0x44, 0xc2, 0x5e,
0xd1, 0xba, 0x9b, 0xaa, 0xfe, 0x03, 0xdd, 0xdc, 0xef, 0x41, 0x89, 0x9c, 0xac, 0x64, 0x13,
0xd9, 0x6a, 0x8a, 0x55, 0xa0, 0x5b, 0xff, 0x12, 0x92, 0x37, 0x52, 0x6a, 0x91, 0xa4, 0x6e,
0x9e, 0x61, 0xb7, 0xfe, 0xb0, 0x17, 0x8e, 0x67, 0x0f, 0x88, 0x46, 0xa7, 0x9e, 0xb1, 0xdb,
0x68, 0x77, 0x70, 0xb5, 0x77, 0xf2, 0x7e, 0x33, 0xb1, 0x3e, 0x10, 0xc4, 0x63, 0x36, 0xd0,
0x13, 0x27, 0xd3, 0x29, 0xc3, 0xb6, 0x5d, 0xf6, 0x5d, 0xa7, 0xd8, 0x25, 0x5c, 0x0b, 0x65,
0x99, 0xfa, 0xf9, 0x5f, 0x1d, 0xee, 0xd1, 0x86, 0x64, 0x7c, 0x44, 0xcb, 0xa0, 0x12, 0x52,
0x4c, 0xd4, 0x46, 0x81, 0xae, 0x07, 0xdb, 0xc7, 0x13, 0x29, 0xce, 0x9b, 0xcf, 0x1c, 0x06,
0xd2, 0x0f, 0x2d, 0xbb, 0x12, 0x33, 0xb9, 0xb1, 0x0f, 0x67, 0x5d, 0x3f, 0x0c, 0xe4, 0xfa,
0x67, 0x26, 0xe2, 0x89, 0xa2, 0xd5, 0x66, 0x29, 0x1c, 0xe2, 0x8e, 0xbb, 0x7b, 0xcb, 0xcc,
0x70, 0x7e, 0x4f, 0x0e, 0xd3, 0x5d, 0x64, 0x64, 0x1b, 0x27, 0xbb, 0xda, 0xa9, 0x08, 0x2b,
0x62, 0xd4, 0xca, 0xc3, 0x3a, 0x23, 0x39, 0x58, 0x57, 0xaf, 0x7b, 0x8b, 0x0c, 0x5b, 0x2e,
0xfc, 0x42, 0x57, 0x59, 0x39, 0x2e, 0x6d, 0x39, 0x97, 0xdb, 0x5b, 0x5c, 0xb9, 0x59, 0x71,
0x42, 0xf3, 0xcd, 0xea, 0xda, 0x86, 0x54, 0x86, 0x61, 0x8d, 0x93, 0x66, 0xc7, 0x65, 0xd1,
0x98, 0xcb
};
DO(dh_set_pg_dhparam(dhparam_der, sizeof(dhparam_der), &k));
DO(dh_generate_key(&yarrow_prng, find_prng ("yarrow"), &k));
if (mp_unsigned_bin_size(k.prime) > sizeof(buf)) {
printf("dhparam_test: short buf\n");
dh_free(&k);
return CRYPT_ERROR;
}
DO(mp_to_unsigned_bin(k.prime, buf));
if (compare_testvector(buf, sizeof(prime), prime, sizeof(prime), "dhparam_test", 1)) {
printf("dhparam_test: prime mismatch\n");
dh_free(&k);
return CRYPT_ERROR;
}
if (mp_cmp_d(k.base, 2) != LTC_MP_EQ) {
printf("dhparam_test: base mismatch\n");
dh_free(&k);
return CRYPT_ERROR;
}
dh_free(&k);
return CRYPT_OK;
}
