static int extract_dsa_params(CPK_MASTER_SECRET *master, CPK_PUBLIC_PARAMS *param) { int ret = 0; DSA *dsa = NULL; BIGNUM *pri = BN_new(); BIGNUM *pub = BN_new(); BN_CTX *ctx = BN_CTX_new(); int i, pri_size, pub_size, num_factors; const unsigned char *pri_ptr; unsigned char *pub_ptr; if (!pri || !pub || !ctx) { goto err; } if (!(dsa = (DSA *)X509_ALGOR_get1_DSA(master->pkey_algor))) { goto err; } pri_size = BN_num_bytes(dsa->q); pub_size = BN_num_bytes(dsa->p); if ((num_factors = CPK_MAP_num_factors(master->map_algor)) <= 0) { goto err; } if (M_ASN1_STRING_length(master->secret_factors) != pri_size * num_factors) { goto err; } ASN1_STRING_free(param->public_factors); if (!ASN1_STRING_set(param->public_factors, NULL, pub_size * num_factors)) { goto err; } pri_ptr = M_ASN1_STRING_data(master->secret_factors); pub_ptr = M_ASN1_STRING_data(param->public_factors); memset(pub_ptr, 0, M_ASN1_STRING_length(param->public_factors)); for (i = 0; i < num_factors; i++) { if (!BN_bin2bn(pri_ptr, pri_size, pri)) { goto err; } if (BN_is_zero(pri) || BN_cmp(pri, dsa->q) >= 0) { goto err; } if (!BN_mod_exp(pub, dsa->g, pri, dsa->p, ctx)) { goto err; } if (!BN_bn2bin(pub, pub_ptr + pub_size - BN_num_bytes(pub))) { goto err; } pri_ptr += pri_size; pub_ptr += pub_size; } ret = 1; err: if (dsa) DSA_free(dsa); if (pri) BN_free(pri); if (pub) BN_free(pub); if (ctx) BN_CTX_free(ctx); return ret; }
static EVP_PKEY* sureware_load_public(ENGINE *e,const char *key_id,char *hptr,unsigned long el,char keytype) { EVP_PKEY *res = NULL; #ifndef OPENSSL_NO_RSA RSA *rsatmp = NULL; #endif #ifndef OPENSSL_NO_DSA DSA *dsatmp=NULL; #endif char msg[64]="sureware_load_public"; int ret=0; if(!p_surewarehk_Load_Rsa_Pubkey || !p_surewarehk_Load_Dsa_Pubkey) { SUREWAREerr(SUREWARE_F_SUREWARE_LOAD_PUBLIC,ENGINE_R_NOT_INITIALISED); goto err; } switch (keytype) { #ifndef OPENSSL_NO_RSA case 1: /*RSA*/ /* set private external reference */ rsatmp = RSA_new_method(e); RSA_set_ex_data(rsatmp,rsaHndidx,hptr); rsatmp->flags |= RSA_FLAG_EXT_PKEY; /* set public big nums*/ rsatmp->e = BN_new(); rsatmp->n = BN_new(); bn_expand2(rsatmp->e, el/sizeof(BN_ULONG)); bn_expand2(rsatmp->n, el/sizeof(BN_ULONG)); if (!rsatmp->e || rsatmp->e->dmax!=(int)(el/sizeof(BN_ULONG))|| !rsatmp->n || rsatmp->n->dmax!=(int)(el/sizeof(BN_ULONG))) goto err; ret=p_surewarehk_Load_Rsa_Pubkey(msg,key_id,el, (unsigned long *)rsatmp->n->d, (unsigned long *)rsatmp->e->d); surewarehk_error_handling(msg,SUREWARE_F_SUREWARE_LOAD_PUBLIC,ret); if (ret!=1) { SUREWAREerr(SUREWARE_F_SUREWARE_LOAD_PUBLIC,ENGINE_R_FAILED_LOADING_PUBLIC_KEY); goto err; } /* normalise pub e and pub n */ rsatmp->e->top=el/sizeof(BN_ULONG); bn_fix_top(rsatmp->e); rsatmp->n->top=el/sizeof(BN_ULONG); bn_fix_top(rsatmp->n); /* create an EVP object: engine + rsa key */ res = EVP_PKEY_new(); EVP_PKEY_assign_RSA(res, rsatmp); break; #endif #ifndef OPENSSL_NO_DSA case 2:/*DSA*/ /* set private/public external reference */ dsatmp = DSA_new_method(e); DSA_set_ex_data(dsatmp,dsaHndidx,hptr); /*dsatmp->flags |= DSA_FLAG_EXT_PKEY;*/ /* set public key*/ dsatmp->pub_key = BN_new(); dsatmp->p = BN_new(); dsatmp->q = BN_new(); dsatmp->g = BN_new(); bn_expand2(dsatmp->pub_key, el/sizeof(BN_ULONG)); bn_expand2(dsatmp->p, el/sizeof(BN_ULONG)); bn_expand2(dsatmp->q, 20/sizeof(BN_ULONG)); bn_expand2(dsatmp->g, el/sizeof(BN_ULONG)); if (!dsatmp->pub_key || dsatmp->pub_key->dmax!=(int)(el/sizeof(BN_ULONG))|| !dsatmp->p || dsatmp->p->dmax!=(int)(el/sizeof(BN_ULONG)) || !dsatmp->q || dsatmp->q->dmax!=20/sizeof(BN_ULONG) || !dsatmp->g || dsatmp->g->dmax!=(int)(el/sizeof(BN_ULONG))) goto err; ret=p_surewarehk_Load_Dsa_Pubkey(msg,key_id,el, (unsigned long *)dsatmp->pub_key->d, (unsigned long *)dsatmp->p->d, (unsigned long *)dsatmp->q->d, (unsigned long *)dsatmp->g->d); surewarehk_error_handling(msg,SUREWARE_F_SUREWARE_LOAD_PUBLIC,ret); if (ret!=1) { SUREWAREerr(SUREWARE_F_SUREWARE_LOAD_PUBLIC,ENGINE_R_FAILED_LOADING_PUBLIC_KEY); goto err; } /* set parameters */ /* normalise pubkey and parameters in case of */ dsatmp->pub_key->top=el/sizeof(BN_ULONG); bn_fix_top(dsatmp->pub_key); dsatmp->p->top=el/sizeof(BN_ULONG); bn_fix_top(dsatmp->p); dsatmp->q->top=20/sizeof(BN_ULONG); bn_fix_top(dsatmp->q); dsatmp->g->top=el/sizeof(BN_ULONG); bn_fix_top(dsatmp->g); /* create an EVP object: engine + rsa key */ res = EVP_PKEY_new(); EVP_PKEY_assign_DSA(res, dsatmp); break; #endif default: SUREWAREerr(SUREWARE_F_SUREWARE_LOAD_PUBLIC,ENGINE_R_FAILED_LOADING_PRIVATE_KEY); goto err; } return res; err: #ifndef OPENSSL_NO_RSA if (rsatmp) RSA_free(rsatmp); #endif #ifndef OPENSSL_NO_DSA if (dsatmp) DSA_free(dsatmp); #endif return NULL; }
int __ops_elgamal_public_encrypt(uint8_t *g_to_k, uint8_t *encm, const uint8_t *in, size_t size, const __ops_elgamal_pubkey_t *pubkey) { int ret = 0; int k_bits; BIGNUM *m; BIGNUM *p; BIGNUM *g; BIGNUM *y; BIGNUM *k; BIGNUM *yk; BIGNUM *c1; BIGNUM *c2; BN_CTX *tmp; m = BN_bin2bn(in, (int)size, NULL); p = pubkey->p; g = pubkey->g; y = pubkey->y; k = BN_new(); yk = BN_new(); c1 = BN_new(); c2 = BN_new(); tmp = BN_CTX_new(); if (!m || !p || !g || !y || !k || !yk || !c1 || !c2 || !tmp) { goto done; } /* * generate k */ k_bits = decide_k_bits(BN_num_bits(p)); if (!BN_rand(k, k_bits, 0, 0)) { goto done; } /* * c1 = g^k c2 = m * y^k */ if (!BN_mod_exp(c1, g, k, p, tmp)) { goto done; } if (!BN_mod_exp(yk, y, k, p, tmp)) { goto done; } if (!BN_mod_mul(c2, m, yk, p, tmp)) { goto done; } /* result */ BN_bn2bin(c1, g_to_k); ret = BN_num_bytes(c1); /* c1 = g^k */ BN_bn2bin(c2, encm); ret += BN_num_bytes(c2); /* c2 = m * y^k */ done: if (tmp) { BN_CTX_free(tmp); } if (c2) { BN_clear_free(c2); } if (c1) { BN_clear_free(c1); } if (yk) { BN_clear_free(yk); } if (k) { BN_clear_free(k); } if (g) { BN_clear_free(g); } return ret; }
static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp, const unsigned char *dgst, int dlen) { BN_CTX *ctx = NULL; BIGNUM *k = NULL, *r = NULL, *X = NULL; const BIGNUM *order; EC_POINT *tmp_point = NULL; const EC_GROUP *group; int ret = 0; int order_bits; if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL) { ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_PASSED_NULL_PARAMETER); return 0; } if (!EC_KEY_can_sign(eckey)) { ECerr(EC_F_ECDSA_SIGN_SETUP, EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING); return 0; } if (ctx_in == NULL) { if ((ctx = BN_CTX_new()) == NULL) { ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_MALLOC_FAILURE); return 0; } } else ctx = ctx_in; k = BN_new(); /* this value is later returned in *kinvp */ r = BN_new(); /* this value is later returned in *rp */ X = BN_new(); if (k == NULL || r == NULL || X == NULL) { ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_MALLOC_FAILURE); goto err; } if ((tmp_point = EC_POINT_new(group)) == NULL) { ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB); goto err; } order = EC_GROUP_get0_order(group); if (order == NULL) { ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB); goto err; } /* Preallocate space */ order_bits = BN_num_bits(order); if (!BN_set_bit(k, order_bits) || !BN_set_bit(r, order_bits) || !BN_set_bit(X, order_bits)) goto err; do { /* get random k */ do if (dgst != NULL) { if (!BN_generate_dsa_nonce (k, order, EC_KEY_get0_private_key(eckey), dgst, dlen, ctx)) { ECerr(EC_F_ECDSA_SIGN_SETUP, EC_R_RANDOM_NUMBER_GENERATION_FAILED); goto err; } } else { if (!BN_priv_rand_range(k, order)) { ECerr(EC_F_ECDSA_SIGN_SETUP, EC_R_RANDOM_NUMBER_GENERATION_FAILED); goto err; } } while (BN_is_zero(k)); /* compute r the x-coordinate of generator * k */ if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) { ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB); goto err; } if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) == NID_X9_62_prime_field) { if (!EC_POINT_get_affine_coordinates_GFp (group, tmp_point, X, NULL, ctx)) { ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB); goto err; } } #ifndef OPENSSL_NO_EC2M else { /* NID_X9_62_characteristic_two_field */ if (!EC_POINT_get_affine_coordinates_GF2m(group, tmp_point, X, NULL, ctx)) { ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB); goto err; } } #endif if (!BN_nnmod(r, X, order, ctx)) { ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB); goto err; } } while (BN_is_zero(r)); /* Check if optimized inverse is implemented */ if (EC_GROUP_do_inverse_ord(group, k, k, ctx) == 0) { /* compute the inverse of k */ if (group->mont_data != NULL) { /* * We want inverse in constant time, therefore we utilize the fact * order must be prime and use Fermats Little Theorem instead. */ if (!BN_set_word(X, 2)) { ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB); goto err; } if (!BN_mod_sub(X, order, X, order, ctx)) { ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB); goto err; } BN_set_flags(X, BN_FLG_CONSTTIME); if (!BN_mod_exp_mont_consttime(k, k, X, order, ctx, group->mont_data)) { ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB); goto err; } } else { if (!BN_mod_inverse(k, k, order, ctx)) { ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB); goto err; } } } /* clear old values if necessary */ BN_clear_free(*rp); BN_clear_free(*kinvp); /* save the pre-computed values */ *rp = r; *kinvp = k; ret = 1; err: if (!ret) { BN_clear_free(k); BN_clear_free(r); } if (ctx != ctx_in) BN_CTX_free(ctx); EC_POINT_free(tmp_point); BN_clear_free(X); return ret; }
/* solves ax == 1 (mod n) */ BIGNUM *BN_mod_inverse(BIGNUM *in, const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx) { BIGNUM *A,*B,*X,*Y,*M,*D,*T,*R=NULL; BIGNUM *ret=NULL; int sign; bn_check_top(a); bn_check_top(n); BN_CTX_start(ctx); A = BN_CTX_get(ctx); B = BN_CTX_get(ctx); X = BN_CTX_get(ctx); D = BN_CTX_get(ctx); M = BN_CTX_get(ctx); Y = BN_CTX_get(ctx); T = BN_CTX_get(ctx); if (T == NULL) goto err; if (in == NULL) R=BN_new(); else R=in; if (R == NULL) goto err; BN_one(X); BN_zero(Y); if (BN_copy(B,a) == NULL) goto err; if (BN_copy(A,n) == NULL) goto err; A->neg = 0; if (B->neg || (BN_ucmp(B, A) >= 0)) { if (!BN_nnmod(B, B, A, ctx)) goto err; } sign = -1; /* From B = a mod |n|, A = |n| it follows that * * 0 <= B < A, * -sign*X*a == B (mod |n|), * sign*Y*a == A (mod |n|). */ if (BN_is_odd(n) && (BN_num_bits(n) <= (BN_BITS <= 32 ? 450 : 2048))) { /* Binary inversion algorithm; requires odd modulus. * This is faster than the general algorithm if the modulus * is sufficiently small (about 400 .. 500 bits on 32-bit * sytems, but much more on 64-bit systems) */ int shift; while (!BN_is_zero(B)) { /* * 0 < B < |n|, * 0 < A <= |n|, * (1) -sign*X*a == B (mod |n|), * (2) sign*Y*a == A (mod |n|) */ /* Now divide B by the maximum possible power of two in the integers, * and divide X by the same value mod |n|. * When we're done, (1) still holds. */ shift = 0; while (!BN_is_bit_set(B, shift)) /* note that 0 < B */ { shift++; if (BN_is_odd(X)) { if (!BN_uadd(X, X, n)) goto err; } /* now X is even, so we can easily divide it by two */ if (!BN_rshift1(X, X)) goto err; } if (shift > 0) { if (!BN_rshift(B, B, shift)) goto err; } /* Same for A and Y. Afterwards, (2) still holds. */ shift = 0; while (!BN_is_bit_set(A, shift)) /* note that 0 < A */ { shift++; if (BN_is_odd(Y)) { if (!BN_uadd(Y, Y, n)) goto err; } /* now Y is even */ if (!BN_rshift1(Y, Y)) goto err; } if (shift > 0) { if (!BN_rshift(A, A, shift)) goto err; } /* We still have (1) and (2). * Both A and B are odd. * The following computations ensure that * * 0 <= B < |n|, * 0 < A < |n|, * (1) -sign*X*a == B (mod |n|), * (2) sign*Y*a == A (mod |n|), * * and that either A or B is even in the next iteration. */ if (BN_ucmp(B, A) >= 0) { /* -sign*(X + Y)*a == B - A (mod |n|) */ if (!BN_uadd(X, X, Y)) goto err; /* NB: we could use BN_mod_add_quick(X, X, Y, n), but that * actually makes the algorithm slower */ if (!BN_usub(B, B, A)) goto err; } else { /* sign*(X + Y)*a == A - B (mod |n|) */ if (!BN_uadd(Y, Y, X)) goto err; /* as above, BN_mod_add_quick(Y, Y, X, n) would slow things down */ if (!BN_usub(A, A, B)) goto err; } } } else { /* general inversion algorithm */ while (!BN_is_zero(B)) { BIGNUM *tmp; /* * 0 < B < A, * (*) -sign*X*a == B (mod |n|), * sign*Y*a == A (mod |n|) */ /* (D, M) := (A/B, A%B) ... */ if (BN_num_bits(A) == BN_num_bits(B)) { if (!BN_one(D)) goto err; if (!BN_sub(M,A,B)) goto err; } else if (BN_num_bits(A) == BN_num_bits(B) + 1) { /* A/B is 1, 2, or 3 */ if (!BN_lshift1(T,B)) goto err; if (BN_ucmp(A,T) < 0) { /* A < 2*B, so D=1 */ if (!BN_one(D)) goto err; if (!BN_sub(M,A,B)) goto err; } else { /* A >= 2*B, so D=2 or D=3 */ if (!BN_sub(M,A,T)) goto err; if (!BN_add(D,T,B)) goto err; /* use D (:= 3*B) as temp */ if (BN_ucmp(A,D) < 0) { /* A < 3*B, so D=2 */ if (!BN_set_word(D,2)) goto err; /* M (= A - 2*B) already has the correct value */ } else { /* only D=3 remains */ if (!BN_set_word(D,3)) goto err; /* currently M = A - 2*B, but we need M = A - 3*B */ if (!BN_sub(M,M,B)) goto err; } } } else { if (!BN_div(D,M,A,B,ctx)) goto err; } /* Now * A = D*B + M; * thus we have * (**) sign*Y*a == D*B + M (mod |n|). */ tmp=A; /* keep the BIGNUM object, the value does not matter */ /* (A, B) := (B, A mod B) ... */ A=B; B=M; /* ... so we have 0 <= B < A again */ /* Since the former M is now B and the former B is now A, * (**) translates into * sign*Y*a == D*A + B (mod |n|), * i.e. * sign*Y*a - D*A == B (mod |n|). * Similarly, (*) translates into * -sign*X*a == A (mod |n|). * * Thus, * sign*Y*a + D*sign*X*a == B (mod |n|), * i.e. * sign*(Y + D*X)*a == B (mod |n|). * * So if we set (X, Y, sign) := (Y + D*X, X, -sign), we arrive back at * -sign*X*a == B (mod |n|), * sign*Y*a == A (mod |n|). * Note that X and Y stay non-negative all the time. */ /* most of the time D is very small, so we can optimize tmp := D*X+Y */ if (BN_is_one(D)) { if (!BN_add(tmp,X,Y)) goto err; } else { if (BN_is_word(D,2)) { if (!BN_lshift1(tmp,X)) goto err; } else if (BN_is_word(D,4)) { if (!BN_lshift(tmp,X,2)) goto err; } else if (D->top == 1) { if (!BN_copy(tmp,X)) goto err; if (!BN_mul_word(tmp,D->d[0])) goto err; } else { if (!BN_mul(tmp,D,X,ctx)) goto err; } if (!BN_add(tmp,tmp,Y)) goto err; } M=Y; /* keep the BIGNUM object, the value does not matter */ Y=X; X=tmp; sign = -sign; } } /* * The while loop (Euclid's algorithm) ends when * A == gcd(a,n); * we have * sign*Y*a == A (mod |n|), * where Y is non-negative. */ if (sign < 0) { if (!BN_sub(Y,n,Y)) goto err; } /* Now Y*a == A (mod |n|). */ if (BN_is_one(A)) { /* Y*a == 1 (mod |n|) */ if (!Y->neg && BN_ucmp(Y,n) < 0) { if (!BN_copy(R,Y)) goto err; } else { if (!BN_nnmod(R,Y,n,ctx)) goto err; } } else { BNerr(BN_F_BN_MOD_INVERSE,BN_R_NO_INVERSE); goto err; } ret=R; err: if ((ret == NULL) && (in == NULL)) BN_free(R); BN_CTX_end(ctx); return(ret); }
/* * compute a "random" secret point on an elliptic curve based * on the password and identities. */ int compute_password_element(EAP_PWD_group *grp, u16 num, u8 *password, int password_len, u8 *id_server, int id_server_len, u8 *id_peer, int id_peer_len, u8 *token) { BIGNUM *x_candidate = NULL, *rnd = NULL, *cofactor = NULL; HMAC_CTX ctx; unsigned char pwe_digest[SHA256_DIGEST_LENGTH], *prfbuf = NULL, ctr; int nid, is_odd, primebitlen, primebytelen, ret = 0; switch (num) { /* from IANA registry for IKE D-H groups */ case 19: nid = NID_X9_62_prime256v1; break; case 20: nid = NID_secp384r1; break; case 21: nid = NID_secp521r1; break; case 25: nid = NID_X9_62_prime192v1; break; case 26: nid = NID_secp224r1; break; default: wpa_printf(MSG_INFO, "EAP-pwd: unsupported group %d", num); return -1; } grp->pwe = NULL; grp->order = NULL; grp->prime = NULL; if ((grp->group = EC_GROUP_new_by_curve_name(nid)) == NULL) { wpa_printf(MSG_INFO, "EAP-pwd: unable to create EC_GROUP"); goto fail; } if (((rnd = BN_new()) == NULL) || ((cofactor = BN_new()) == NULL) || ((grp->pwe = EC_POINT_new(grp->group)) == NULL) || ((grp->order = BN_new()) == NULL) || ((grp->prime = BN_new()) == NULL) || ((x_candidate = BN_new()) == NULL)) { wpa_printf(MSG_INFO, "EAP-pwd: unable to create bignums"); goto fail; } if (!EC_GROUP_get_curve_GFp(grp->group, grp->prime, NULL, NULL, NULL)) { wpa_printf(MSG_INFO, "EAP-pwd: unable to get prime for GFp " "curve"); goto fail; } if (!EC_GROUP_get_order(grp->group, grp->order, NULL)) { wpa_printf(MSG_INFO, "EAP-pwd: unable to get order for curve"); goto fail; } if (!EC_GROUP_get_cofactor(grp->group, cofactor, NULL)) { wpa_printf(MSG_INFO, "EAP-pwd: unable to get cofactor for " "curve"); goto fail; } primebitlen = BN_num_bits(grp->prime); primebytelen = BN_num_bytes(grp->prime); if ((prfbuf = os_malloc(primebytelen)) == NULL) { wpa_printf(MSG_INFO, "EAP-pwd: unable to malloc space for prf " "buffer"); goto fail; } os_memset(prfbuf, 0, primebytelen); ctr = 0; while (1) { if (ctr > 30) { wpa_printf(MSG_INFO, "EAP-pwd: unable to find random " "point on curve for group %d, something's " "fishy", num); goto fail; } ctr++; /* * compute counter-mode password value and stretch to prime * pwd-seed = H(token | peer-id | server-id | password | * counter) */ H_Init(&ctx); H_Update(&ctx, token, sizeof(u32)); H_Update(&ctx, id_peer, id_peer_len); H_Update(&ctx, id_server, id_server_len); H_Update(&ctx, password, password_len); H_Update(&ctx, &ctr, sizeof(ctr)); H_Final(&ctx, pwe_digest); BN_bin2bn(pwe_digest, SHA256_DIGEST_LENGTH, rnd); eap_pwd_kdf(pwe_digest, SHA256_DIGEST_LENGTH, (unsigned char *) "EAP-pwd Hunting And Pecking", os_strlen("EAP-pwd Hunting And Pecking"), prfbuf, primebitlen); BN_bin2bn(prfbuf, primebytelen, x_candidate); /* * eap_pwd_kdf() returns a string of bits 0..primebitlen but * BN_bin2bn will treat that string of bits as a big endian * number. If the primebitlen is not an even multiple of 8 * then excessive bits-- those _after_ primebitlen-- so now * we have to shift right the amount we masked off. */ if (primebitlen % 8) BN_rshift(x_candidate, x_candidate, (8 - (primebitlen % 8))); if (BN_ucmp(x_candidate, grp->prime) >= 0) continue; wpa_hexdump(MSG_DEBUG, "EAP-pwd: x_candidate", prfbuf, primebytelen); /* * need to unambiguously identify the solution, if there is * one... */ if (BN_is_odd(rnd)) is_odd = 1; else is_odd = 0; /* * solve the quadratic equation, if it's not solvable then we * don't have a point */ if (!EC_POINT_set_compressed_coordinates_GFp(grp->group, grp->pwe, x_candidate, is_odd, NULL)) continue; /* * If there's a solution to the equation then the point must be * on the curve so why check again explicitly? OpenSSL code * says this is required by X9.62. We're not X9.62 but it can't * hurt just to be sure. */ if (!EC_POINT_is_on_curve(grp->group, grp->pwe, NULL)) { wpa_printf(MSG_INFO, "EAP-pwd: point is not on curve"); continue; } if (BN_cmp(cofactor, BN_value_one())) { /* make sure the point is not in a small sub-group */ if (!EC_POINT_mul(grp->group, grp->pwe, NULL, grp->pwe, cofactor, NULL)) { wpa_printf(MSG_INFO, "EAP-pwd: cannot " "multiply generator by order"); continue; } if (EC_POINT_is_at_infinity(grp->group, grp->pwe)) { wpa_printf(MSG_INFO, "EAP-pwd: point is at " "infinity"); continue; } } /* if we got here then we have a new generator. */ break; } wpa_printf(MSG_DEBUG, "EAP-pwd: found a PWE in %d tries", ctr); grp->group_num = num; if (0) { fail: EC_GROUP_free(grp->group); EC_POINT_free(grp->pwe); BN_free(grp->order); BN_free(grp->prime); os_free(grp); grp = NULL; ret = 1; } /* cleanliness and order.... */ BN_free(cofactor); BN_free(x_candidate); BN_free(rnd); os_free(prfbuf); return ret; }
int RSA_check_key(const RSA *key) { BIGNUM *i, *j, *k, *l, *m; BN_CTX *ctx; int r; int ret=1; if (!key->p || !key->q || !key->n || !key->e || !key->d) { RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_VALUE_MISSING); return 0; } i = BN_new(); j = BN_new(); k = BN_new(); l = BN_new(); m = BN_new(); ctx = BN_CTX_new(); if (i == NULL || j == NULL || k == NULL || l == NULL || m == NULL || ctx == NULL) { ret = -1; RSAerr(RSA_F_RSA_CHECK_KEY, ERR_R_MALLOC_FAILURE); goto err; } /* p prime? */ r = BN_is_prime_ex(key->p, BN_prime_checks, NULL, NULL); if (r != 1) { ret = r; if (r != 0) goto err; RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_P_NOT_PRIME); } /* q prime? */ r = BN_is_prime_ex(key->q, BN_prime_checks, NULL, NULL); if (r != 1) { ret = r; if (r != 0) goto err; RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_Q_NOT_PRIME); } /* n = p*q? */ r = BN_mul(i, key->p, key->q, ctx); if (!r) { ret = -1; goto err; } if (BN_cmp(i, key->n) != 0) { ret = 0; RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_N_DOES_NOT_EQUAL_P_Q); } /* d*e = 1 mod lcm(p-1,q-1)? */ r = BN_sub(i, key->p, BN_value_one()); if (!r) { ret = -1; goto err; } r = BN_sub(j, key->q, BN_value_one()); if (!r) { ret = -1; goto err; } /* now compute k = lcm(i,j) */ r = BN_mul(l, i, j, ctx); if (!r) { ret = -1; goto err; } r = BN_gcd(m, i, j, ctx); if (!r) { ret = -1; goto err; } r = BN_div(k, NULL, l, m, ctx); /* remainder is 0 */ if (!r) { ret = -1; goto err; } r = BN_mod_mul(i, key->d, key->e, k, ctx); if (!r) { ret = -1; goto err; } if (!BN_is_one(i)) { ret = 0; RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_D_E_NOT_CONGRUENT_TO_1); } if (key->dmp1 != NULL && key->dmq1 != NULL && key->iqmp != NULL) { /* dmp1 = d mod (p-1)? */ r = BN_sub(i, key->p, BN_value_one()); if (!r) { ret = -1; goto err; } r = BN_mod(j, key->d, i, ctx); if (!r) { ret = -1; goto err; } if (BN_cmp(j, key->dmp1) != 0) { ret = 0; RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_DMP1_NOT_CONGRUENT_TO_D); } /* dmq1 = d mod (q-1)? */ r = BN_sub(i, key->q, BN_value_one()); if (!r) { ret = -1; goto err; } r = BN_mod(j, key->d, i, ctx); if (!r) { ret = -1; goto err; } if (BN_cmp(j, key->dmq1) != 0) { ret = 0; RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_DMQ1_NOT_CONGRUENT_TO_D); } /* iqmp = q^-1 mod p? */ if(!BN_mod_inverse(i, key->q, key->p, ctx)) { ret = -1; goto err; } if (BN_cmp(i, key->iqmp) != 0) { ret = 0; RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_IQMP_NOT_INVERSE_OF_Q); } } err: if (i != NULL) BN_free(i); if (j != NULL) BN_free(j); if (k != NULL) BN_free(k); if (l != NULL) BN_free(l); if (m != NULL) BN_free(m); if (ctx != NULL) BN_CTX_free(ctx); return (ret); }
RSA* readRSA() { nfc_device *device = NULL; MifareTag *tag = NULL; MifareDESFireAID aid; RSA *rsa = NULL; uint8_t key_data_null[8] = { 0,0,0,0,0,0,0,0}; MifareDESFireKey defaultKey = mifare_desfire_des_key_new_with_version (key_data_null); device = getRfidDevice(); if (!device) return NULL; tag = freefare_get_tags(device); mifare_desfire_connect (tag[0]); aid = mifare_desfire_aid_new(AID_NUMBER); mifare_desfire_select_application (tag[0], aid); if (authApplication(tag[0], defaultKeyNumber) < 0) { fprintf(stderr,"Falscher Key\n"); nfc_close(device); return NULL; } if (!rsa) rsa = RSA_new(); if (!rsa->n) rsa->n = BN_new(); if (!rsa->d) rsa->d = BN_new(); if (!rsa->e) rsa->e = BN_new(); if (readBignum(tag[0],aid,rsa->n,0) < 0) { fprintf(stderr,"readBignum %d failed\n",0); nfc_close(device); return NULL; } if (readBignum(tag[0],aid,rsa->d,5) < 0) { fprintf(stderr,"readBignum %d failed\n",0); nfc_close(device); return NULL; } if (readBignum(tag[0],aid,rsa->e,10) < 0) { fprintf(stderr,"readBignum %d failed\n",0); nfc_close(device); return NULL; } nfc_close(device); return rsa; }
BigNumber::BigNumber() { _bn = BN_new(); _array = NULL; }
static EC_KEY *extract_ec_priv_key(CPK_MASTER_SECRET *master, const char *id) { int e = 1; EC_KEY *ec_key = NULL; const EC_GROUP *ec_group; EC_POINT *pub_key = NULL; BIGNUM *priv_key = BN_new(); BIGNUM *order = BN_new(); BIGNUM *bn = BN_new(); BN_CTX *ctx = BN_CTX_new(); int *index = NULL; int i, num_indexes, bn_size; if (!priv_key || !bn || !order || !ctx) { goto err; } if (!(ec_key = X509_ALGOR_get1_EC_KEY(master->pkey_algor))) { goto err; } ec_group = EC_KEY_get0_group(ec_key); if (!(pub_key = EC_POINT_new(ec_group))) { goto err; } if ((num_indexes = CPK_MAP_num_indexes(master->map_algor)) <= 0) { goto err; } if (!(index = OPENSSL_malloc(sizeof(int) * num_indexes))) { goto err; } if (!CPK_MAP_str2index(master->map_algor, id, index)) { goto err; } BN_zero(priv_key); if (!(EC_GROUP_get_order(EC_KEY_get0_group(ec_key), order, ctx))) { goto err; } bn_size = BN_num_bytes(order); for (i = 0; i < num_indexes; i++) { const unsigned char *p = M_ASN1_STRING_data(master->secret_factors) + bn_size * index[i]; if (!BN_bin2bn(p, bn_size, bn)) { goto err; } if (BN_is_zero(bn) || BN_cmp(bn, order) >= 0) { goto err; } if (!BN_mod_add(priv_key, priv_key, bn, order, ctx)) { goto err; } } if (!EC_KEY_set_private_key(ec_key, priv_key)) { goto err; } if (!EC_POINT_mul(ec_group, pub_key, priv_key, NULL, NULL, ctx)) { goto err; } if (!EC_KEY_set_public_key(ec_key, pub_key)) { goto err; } e = 0; err: if (e && ec_key) { EC_KEY_free(ec_key); ec_key = NULL; } if (priv_key) BN_free(priv_key); if (pub_key) EC_POINT_free(pub_key); if (order) BN_free(order); if (bn) BN_free(bn); if (ctx) BN_CTX_free(ctx); if (index) OPENSSL_free(index); return ec_key; }
static EC_KEY *extract_ec_pub_key(CPK_PUBLIC_PARAMS *param, const char *id) { int e = 1; EC_KEY *ec_key = NULL; const EC_GROUP *ec_group; EC_POINT *pub_key = NULL; EC_POINT *pt = NULL; BIGNUM *order = BN_new(); BIGNUM *bn = BN_new(); BN_CTX *ctx = BN_CTX_new(); int *index = NULL; int i, bn_size, pt_size, num_indexes, num_factors; if (!(ec_key = X509_ALGOR_get1_EC_KEY(param->pkey_algor))) { goto err; } ec_group = EC_KEY_get0_group(ec_key); if (!(pub_key = EC_POINT_new(ec_group))) { goto err; } if (!(pt = EC_POINT_new(ec_group))) { goto err; } if (!EC_GROUP_get_order(ec_group, order, ctx)) { goto err; } bn_size = BN_num_bytes(order); pt_size = bn_size + 1; if ((num_factors = CPK_MAP_num_factors(param->map_algor)) <= 0) { goto err; } if (M_ASN1_STRING_length(param->public_factors) != pt_size * num_factors) { goto err; } if ((num_indexes = CPK_MAP_num_indexes(param->map_algor)) <= 0) { goto err; } if (!(index = OPENSSL_malloc(sizeof(int) * num_indexes))) { goto err; } if (!CPK_MAP_str2index(param->map_algor, id, index)) { goto err; } if (!EC_POINT_set_to_infinity(ec_group, pub_key)) { goto err; } for (i = 0; i < num_indexes; i++) { const unsigned char *p = M_ASN1_STRING_data(param->public_factors) + pt_size * index[i]; if (!EC_POINT_oct2point(ec_group, pt, p, pt_size, ctx)) { goto err; } if (!EC_POINT_add(ec_group, pub_key, pub_key, pt, ctx)) { goto err; } } if (!EC_KEY_set_public_key(ec_key, pub_key)) { goto err; } e = 0; err: if (e && ec_key) { EC_KEY_free(ec_key); ec_key = NULL; } if (pub_key) EC_POINT_free(pub_key); if (order) BN_free(order); if (bn) BN_free(bn); if (ctx) BN_CTX_free(ctx); if (index) OPENSSL_free(index); return ec_key; }
static int extract_ec_params(CPK_MASTER_SECRET *master, CPK_PUBLIC_PARAMS *param) { int ret = 0; EC_KEY *ec_key = NULL; const EC_GROUP *ec_group; BIGNUM *bn = BN_new(); BIGNUM *order = BN_new(); BN_CTX *ctx = BN_CTX_new(); EC_POINT *pt = NULL; int i, bn_size, pt_size, num_factors; const unsigned char *bn_ptr; unsigned char *pt_ptr; if (!bn || !order || !ctx) { goto err; } if (!(ec_key = X509_ALGOR_get1_EC_KEY(master->pkey_algor))) { goto err; } ec_group = EC_KEY_get0_group(ec_key); if (!(EC_GROUP_get_order(ec_group, order, ctx))) { goto err; } bn_size = BN_num_bytes(order); pt_size = bn_size + 1; if ((num_factors = CPK_MAP_num_factors(master->map_algor)) <= 0) { goto err; } if (M_ASN1_STRING_length(master->secret_factors) != bn_size * num_factors) { goto err; } if (!ASN1_STRING_set(param->public_factors, NULL, pt_size * num_factors)) { goto err; } bn_ptr = M_ASN1_STRING_data(master->secret_factors); pt_ptr = M_ASN1_STRING_data(param->public_factors); memset(pt_ptr, 0, M_ASN1_STRING_length(param->public_factors)); if (!(pt = EC_POINT_new(ec_group))) { goto err; } for (i = 0; i < num_factors; i++) { if (!BN_bin2bn(bn_ptr, bn_size, bn)) { goto err; } if (BN_is_zero(bn) || BN_cmp(bn, order) >= 0) { goto err; } if (!EC_POINT_mul(ec_group, pt, bn, NULL, NULL, ctx)) { goto err; } if (!EC_POINT_point2oct(ec_group, pt, POINT_CONVERSION_COMPRESSED, pt_ptr, pt_size, ctx)) { goto err; } bn_ptr += bn_size; pt_ptr += pt_size; } ret = 1; err: if (ec_key) EC_KEY_free(ec_key); if (bn) BN_free(bn); if (order) BN_free(order); if (ctx) BN_CTX_free(ctx); if (pt) EC_POINT_free(pt); return ret; }
CPK_MASTER_SECRET *CPK_MASTER_SECRET_create(const char *domain_id, EVP_PKEY *pkey, X509_ALGOR *map_algor) { int e = 1; CPK_MASTER_SECRET *master = NULL; BIGNUM *bn = NULL, *order = NULL; X509_PUBKEY *pubkey = NULL; int pkey_type; int i, bn_size, num_factors; unsigned char *bn_ptr; if (strlen(domain_id) <= 0 || strlen(domain_id) > CPK_MAX_ID_LENGTH) { CPKerr(CPK_F_CPK_MASTER_SECRET_CREATE, CPK_R_INVALID_ID_LENGTH); goto err; } pkey_type = EVP_PKEY_id(pkey); if (pkey_type == EVP_PKEY_DSA) { if (!(order = ((DSA *)EVP_PKEY_get0(pkey))->q)) { CPKerr(CPK_F_CPK_MASTER_SECRET_CREATE, CPK_R_BAD_ARGUMENT); goto err; } } else if (pkey_type == EVP_PKEY_EC) { const EC_GROUP *ec_group; if (!(order = BN_new())) { CPKerr(CPK_F_CPK_MASTER_SECRET_CREATE, ERR_R_MALLOC_FAILURE); goto err; } ec_group = EC_KEY_get0_group((EC_KEY *)EVP_PKEY_get0(pkey)); if (!EC_GROUP_get_order(ec_group, order, NULL)) { CPKerr(CPK_F_CPK_MASTER_SECRET_CREATE, ERR_R_X509_LIB); goto err; } //FIXME OPENSSL_assert assert(EC_KEY_get0_public_key((EC_KEY *)EVP_PKEY_get0(pkey)) != NULL); } else { CPKerr(CPK_F_CPK_MASTER_SECRET_CREATE, CPK_R_INVALID_PKEY_TYPE); goto err; } if (!(master = CPK_MASTER_SECRET_new())) { CPKerr(CPK_F_CPK_MASTER_SECRET_CREATE, ERR_R_MALLOC_FAILURE); goto err; } master->version = 1; if (!X509_NAME_add_entry_by_NID(master->id, NID_organizationName, MBSTRING_UTF8, (unsigned char *)domain_id, -1, -1, 0)) { CPKerr(CPK_F_CPK_MASTER_SECRET_CREATE, ERR_R_X509_LIB); goto err; } /* * convert EVP_PKEY to X509_ALGOR through X509_PUBKEY_set * X509_ALGOR_set0() is another choice but require more code */ // FIXME: X509_PUBKEY require pkey has a public key if (!X509_PUBKEY_set(&pubkey, pkey)) { CPKerr(CPK_F_CPK_MASTER_SECRET_CREATE, ERR_R_X509_LIB); goto err; } X509_ALGOR_free(master->pkey_algor); if (!(master->pkey_algor = X509_ALGOR_dup(pubkey->algor))) { CPKerr(CPK_F_CPK_MASTER_SECRET_CREATE, ERR_R_X509_LIB); goto err; } //FIXME: check the validity of CPK_MAP X509_ALGOR_free(master->map_algor); if (!(master->map_algor = X509_ALGOR_dup(map_algor))) { CPKerr(CPK_F_CPK_MASTER_SECRET_CREATE, ERR_R_MALLOC_FAILURE); goto err; } if ((num_factors = CPK_MAP_num_factors(map_algor)) <= 0) { CPKerr(CPK_F_CPK_MASTER_SECRET_CREATE, CPK_R_INVALID_MAP_ALGOR); goto err; } /* * create secret factors, for both DSA and EC, * the private keys are both big integers, */ bn_size = BN_num_bytes(order); if (!ASN1_STRING_set(master->secret_factors, NULL, bn_size * num_factors)) { CPKerr(CPK_F_CPK_MASTER_SECRET_CREATE, ERR_R_ASN1_LIB); goto err; } bn_ptr = M_ASN1_STRING_data(master->secret_factors); memset(bn_ptr, 0, M_ASN1_STRING_length(master->secret_factors)); if (!(bn = BN_new())) { CPKerr(CPK_F_CPK_MASTER_SECRET_CREATE, ERR_R_MALLOC_FAILURE); goto err; } for (i = 0; i < num_factors; i++) { do { if (!BN_rand_range(bn, order)) { CPKerr(CPK_F_CPK_MASTER_SECRET_CREATE, ERR_R_RAND_LIB); goto err; } } while (BN_is_zero(bn)); if (!BN_bn2bin(bn, bn_ptr + bn_size - BN_num_bytes(bn))) { CPKerr(CPK_F_CPK_MASTER_SECRET_CREATE, ERR_R_BN_LIB); goto err; } bn_ptr += bn_size; } e = 0; err: if (e && master) { CPK_MASTER_SECRET_free(master); master = NULL; } if (pubkey) X509_PUBKEY_free(pubkey); if (order && pkey_type == EVP_PKEY_EC) BN_free(order); if (bn) BN_free(bn); return master; }
static DSA *extract_dsa_priv_key(CPK_MASTER_SECRET *master, const char *id) { int e = 1; DSA *dsa = NULL; BIGNUM *bn = BN_new(); BN_CTX *ctx = BN_CTX_new(); const unsigned char *p; int *index = NULL; int i, num_indexes, bn_size; if (!bn || !ctx) { goto err; } if (!(dsa = X509_ALGOR_get1_DSA(master->pkey_algor))) { goto err; } if ((num_indexes = CPK_MAP_num_indexes(master->map_algor)) <= 0) { goto err; } if (!(index = OPENSSL_malloc(sizeof(int) * num_indexes))) { goto err; } if (!CPK_MAP_str2index(master->map_algor, id, index)) { goto err; } if (!dsa->priv_key) { if (!(dsa->priv_key = BN_new())) { goto err; } } BN_zero(dsa->priv_key); bn_size = BN_num_bytes(dsa->q); for (i = 0; i < num_indexes; i++) { p = M_ASN1_STRING_data(master->secret_factors) + bn_size * index[i]; if (!BN_bin2bn(p, bn_size, bn)) { goto err; } if (BN_is_zero(bn) || BN_cmp(bn, dsa->q) >= 0) { goto err; } if (!BN_mod_add(dsa->priv_key, dsa->priv_key, bn, dsa->q, ctx)) { goto err; } } if (!(dsa->pub_key)) if (!(dsa->pub_key = BN_new())) { goto err; } if (!BN_mod_exp(dsa->pub_key, dsa->g, dsa->priv_key, dsa->p, ctx)) { goto err; } e = 0; err: if (e && dsa) { DSA_free(dsa); dsa = NULL; } if (bn) BN_free(bn); if (ctx) BN_CTX_free(ctx); if (index) OPENSSL_free(index); return dsa; }
BigNumber::BigNumber() : _bn(BN_new()) , _array(NULL) { }
BigNumber::BigNumber(uint32 val) { _bn = BN_new(); BN_set_word(_bn, val); _array = NULL; }
BigNumber::BigNumber(uint32 val) : _bn(BN_new()) , _array(NULL) { BN_set_word(_bn, val); }
static void JPAKE_ZKP_init(JPAKE_ZKP *zkp) { zkp->gr = BN_new(); zkp->b = BN_new(); }
static BIGNUM* NativeBN_BN_new(JNIEnv*, jclass) { return BN_new(); }
void JPAKE_STEP_PART_init(JPAKE_STEP_PART *p) { p->gx = BN_new(); JPAKE_ZKP_init(&p->zkpx); }
ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len, const BIGNUM *in_kinv, const BIGNUM *in_r, EC_KEY *eckey) { int ok = 0, i; BIGNUM *kinv = NULL, *s, *m = NULL, *tmp = NULL; const BIGNUM *order, *ckinv; BN_CTX *ctx = NULL; const EC_GROUP *group; ECDSA_SIG *ret; const BIGNUM *priv_key; group = EC_KEY_get0_group(eckey); priv_key = EC_KEY_get0_private_key(eckey); if (group == NULL || priv_key == NULL) { ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_PASSED_NULL_PARAMETER); return NULL; } if (!EC_KEY_can_sign(eckey)) { ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING); return NULL; } ret = ECDSA_SIG_new(); if (ret == NULL) { ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_MALLOC_FAILURE); return NULL; } ret->r = BN_new(); ret->s = BN_new(); if (ret->r == NULL || ret->s == NULL) { ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_MALLOC_FAILURE); goto err; } s = ret->s; if ((ctx = BN_CTX_new()) == NULL || (tmp = BN_new()) == NULL || (m = BN_new()) == NULL) { ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_MALLOC_FAILURE); goto err; } order = EC_GROUP_get0_order(group); if (order == NULL) { ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_EC_LIB); goto err; } i = BN_num_bits(order); /* * Need to truncate digest if it is too long: first truncate whole bytes. */ if (8 * dgst_len > i) dgst_len = (i + 7) / 8; if (!BN_bin2bn(dgst, dgst_len, m)) { ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); goto err; } /* If still too long truncate remaining bits with a shift */ if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7))) { ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); goto err; } do { if (in_kinv == NULL || in_r == NULL) { if (!ecdsa_sign_setup(eckey, ctx, &kinv, &ret->r, dgst, dgst_len)) { ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_ECDSA_LIB); goto err; } ckinv = kinv; } else { ckinv = in_kinv; if (BN_copy(ret->r, in_r) == NULL) { ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_MALLOC_FAILURE); goto err; } } if (!BN_mod_mul(tmp, priv_key, ret->r, order, ctx)) { ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); goto err; } if (!BN_mod_add_quick(s, tmp, m, order)) { ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); goto err; } if (!BN_mod_mul(s, s, ckinv, order, ctx)) { ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); goto err; } if (BN_is_zero(s)) { /* * if kinv and r have been supplied by the caller, don't * generate new kinv and r values */ if (in_kinv != NULL && in_r != NULL) { ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, EC_R_NEED_NEW_SETUP_VALUES); goto err; } } else /* s != 0 => we have a valid signature */ break; } while (1); ok = 1; err: if (!ok) { ECDSA_SIG_free(ret); ret = NULL; } BN_CTX_free(ctx); BN_clear_free(m); BN_clear_free(tmp); BN_clear_free(kinv); return ret; }
extern_socket = -1; ret = -1; return ret; } fail = 0; return ret; } return ret; } #ifdef LIBOPENSSL RSA *ssl_temp_rsa_cb(SSL * ssl, int export, int keylength) { if (rsa == NULL) { #ifdef NO_RSA_LEGACY RSA *private = RSA_new(); BIGNUM *f4 = BN_new(); BN_set_word(f4, RSA_F4); RSA_generate_key_ex(rsa, 1024, f4, NULL); #else rsa = RSA_generate_key(1024, RSA_F4, NULL, NULL); #endif } return rsa; } int internal__hydra_connect_to_ssl(int socket) { int err; if (ssl_first) {
static int test_ecdh_curve(int nid, const char *text, BN_CTX *ctx, BIO *out) { printf("in ecdh test\n"); EC_KEY *a = NULL; //EC_KEY is a structure EC_KEY *b = NULL; BIGNUM *x_a = NULL, *y_a = NULL, *x_b = NULL, *y_b = NULL; char buf[12]; unsigned char *abuf = NULL, *bbuf = NULL; int i, alen, blen, aout, bout, ret = 0; const EC_GROUP *group; a = EC_KEY_new_by_curve_name(nid); // creates a new key according to the curve specified //it fills in the EC_KEY structure // use function called EC_KEY *EC_KEY_new(void) //also use a function called EC_GROUP_new_by_curve_name() creates a EC_GROUP structure specified by a curve name (in form of a NID) */ // the group returned is set in the EC_KEY structure. b = EC_KEY_new_by_curve_name(nid); if (a == NULL || b == NULL) goto err; group = EC_KEY_get0_group(a); //returns the EC_GROUP structure created by the EC_KEY structure //EC_GROUP structure is present in the EC_KEY structure. if ((x_a = BN_new()) == NULL) goto err; //BN_new returns a pointer to the bignum if ((y_a = BN_new()) == NULL) goto err; if ((x_b = BN_new()) == NULL) goto err; if ((y_b = BN_new()) == NULL) goto err; BIO_puts(out, "Testing key generation with "); BIO_puts(out, text); #ifdef NOISY printf ("noisy"); BIO_puts(out,"\n"); BIO_puts(out,"\n"); BIO_puts(out,"\n"); #else BIO_flush(out); #endif //public key number one is created here if (!EC_KEY_generate_key(a)) goto err; //pass the filled EC_KEY structure and it will create a public or private ec key. //it places the key in a->priv_key a->pub_key /// PUBLIC AND PVT KEYS ARE GENERATED BY THE SCALAR MULTIPLICATION printf("\n1 ) generating keys\n"); if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) == NID_X9_62_prime_field) { if (!EC_POINT_get_affine_coordinates_GFp(group, EC_KEY_get0_public_key(a), x_a, y_a, ctx)) goto err; } //returns the public key else { if (!EC_POINT_get_affine_coordinates_GF2m(group, EC_KEY_get0_public_key(a), x_a, y_a, ctx)) goto err; } //BN_print_fp(stdout, a->pub_key); printf("private key is : "); BN_print_fp(stdout, EC_KEY_get0_private_key(a)); printf("\nAffine cordinates x:"); BN_print_fp(stdout, x_a); printf("\nAffine cordinates y:"); BN_print_fp(stdout, y_a); printf( "\n2 ) generated keys , generated affine points x and y , and also determided the primse brinary case\n"); #ifdef NOISY printf("no generation"); BIO_puts(out," pri 1="); BN_print(out,a->priv_key); BIO_puts(out,"\n pub 1="); BN_print(out,x_a); BIO_puts(out,","); BN_print(out,y_a); BIO_puts(out,"\n"); #else BIO_printf(out, " ."); BIO_flush(out); #endif //public key number two is created here if (!EC_KEY_generate_key(b)) goto err; if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) == NID_X9_62_prime_field) { if (!EC_POINT_get_affine_coordinates_GFp(group, EC_KEY_get0_public_key(b), x_b, y_b, ctx)) goto err; // not well } else { if (!EC_POINT_get_affine_coordinates_GF2m(group, EC_KEY_get0_public_key(b), x_b, y_b, ctx)) goto err; } // printf("public key is : "); // BN_print_fp(stdout, EC_KEY_get0_private_key(b)); // for public key they will exchange the whole EC_POINT structure printf("private key is : "); BN_print_fp(stdout, EC_KEY_get0_private_key(b)); printf("\nAffine cordinates x"); BN_print_fp(stdout, x_b); printf("\nAffine cordinates y"); BN_print_fp(stdout, y_b); #ifdef NOISY BIO_puts(out," pri 2="); BN_print(out,b->priv_key); BIO_puts(out,"\n pub 2="); BN_print(out,x_b); BIO_puts(out,","); BN_print(out,y_b); BIO_puts(out,"\n"); #else BIO_printf(out, "."); BIO_flush(out); #endif alen = KDF1_SHA1_len; ///it is a static constant integer. abuf = (unsigned char *) OPENSSL_malloc(alen); aout = ECDH_compute_key(abuf, alen, EC_KEY_get0_public_key(b), a, KDF1_SHA1); //generating session key // BN_print(out, abuf); //BIO_puts(out,"\n"); #ifdef NOISY BIO_puts(out," key1 ="); for (i=0; i<aout; i++) { sprintf(buf,"%02X",abuf[i]); BIO_puts(out,buf); } BIO_puts(out,"\n"); #else BIO_printf(out, "."); BIO_flush(out); #endif blen = KDF1_SHA1_len; bbuf = (unsigned char *) OPENSSL_malloc(blen); bout = ECDH_compute_key(bbuf, blen, EC_KEY_get0_public_key(a), b, KDF1_SHA1); // BN_print(out, bbuf); // BIO_puts(out,"\n"); #ifdef NOISY BIO_puts(out," key2 ="); for (i=0; i<bout; i++) { sprintf(buf,"%02X",bbuf[i]); BIO_puts(out,buf); } BIO_puts(out,"\n"); #else BIO_printf(out, "."); BIO_flush(out); #endif if ((aout < 4) || (bout != aout) || (memcmp(abuf, bbuf, aout) != 0)) { #ifndef NOISY BIO_printf(out, " failed\n\n"); BIO_printf(out, "key a:\n"); BIO_printf(out, "private key: "); BN_print(out, EC_KEY_get0_private_key(a)); BIO_printf(out, "\n"); BIO_printf(out, "public key (x,y): "); BN_print(out, x_a); BIO_printf(out, ","); BN_print(out, y_a); BIO_printf(out, "\nkey b:\n"); BIO_printf(out, "private key: "); BN_print(out, EC_KEY_get0_private_key(b)); BIO_printf(out, "\n"); BIO_printf(out, "public key (x,y): "); BN_print(out, x_b); BIO_printf(out, ","); BN_print(out, y_b); BIO_printf(out, "\n"); BIO_printf(out, "generated key a: "); for (i = 0; i < bout; i++) { sprintf(buf, "%02X", bbuf[i]); BIO_puts(out, buf); } BIO_printf(out, "\n"); BIO_printf(out, "generated key b: "); for (i = 0; i < aout; i++) { sprintf(buf, "%02X", abuf[i]); BIO_puts(out, buf); } BIO_printf(out, "\n"); #endif fprintf(stderr, "Error in ECDH routines\n"); ret = 0; } else { #ifndef NOISY BIO_printf(out, " ok\n"); #endif ret = 1; } err: ERR_print_errors_fp(stderr); if (abuf != NULL) OPENSSL_free(abuf); if (bbuf != NULL) OPENSSL_free(bbuf); if (x_a) BN_free(x_a); if (y_a) BN_free(y_a); if (x_b) BN_free(x_b); if (y_b) BN_free(y_b); if (b) EC_KEY_free(b); if (a) EC_KEY_free(a); return (ret); }
int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt, int saltlen, int id, int iter, int n, unsigned char *out, const EVP_MD *md_type) { unsigned char *B, *D, *I, *p, *Ai; int Slen, Plen, Ilen, Ijlen; int i, j, u, v; BIGNUM *Ij, *Bpl1; /* These hold Ij and B + 1 */ EVP_MD_CTX ctx; #ifdef DEBUG_KEYGEN unsigned char *tmpout = out; int tmpn = n; #endif #if 0 if (!pass) { PKCS12err(PKCS12_F_PKCS12_KEY_GEN_UNI,ERR_R_PASSED_NULL_PARAMETER); return 0; } #endif EVP_MD_CTX_init(&ctx); #ifdef DEBUG_KEYGEN TINYCLR_SSL_FPRINTF(OPENSSL_TYPE__FILE_STDERR, "KEYGEN DEBUG\n"); TINYCLR_SSL_FPRINTF(OPENSSL_TYPE__FILE_STDERR, "ID %d, ITER %d\n", id, iter); TINYCLR_SSL_FPRINTF(OPENSSL_TYPE__FILE_STDERR, "Password (length %d):\n", passlen); h__dump(pass, passlen); TINYCLR_SSL_FPRINTF(OPENSSL_TYPE__FILE_STDERR, "Salt (length %d):\n", saltlen); h__dump(salt, saltlen); #endif v = EVP_MD_block_size (md_type); u = EVP_MD_size (md_type); if (u < 0) return 0; D = (unsigned char*)OPENSSL_malloc (v); Ai = (unsigned char*)OPENSSL_malloc (u); B = (unsigned char*)OPENSSL_malloc (v + 1); Slen = v * ((saltlen+v-1)/v); if(passlen) Plen = v * ((passlen+v-1)/v); else Plen = 0; Ilen = Slen + Plen; I = (unsigned char*)OPENSSL_malloc (Ilen); Ij = BN_new(); Bpl1 = BN_new(); if (!D || !Ai || !B || !I || !Ij || !Bpl1) { PKCS12err(PKCS12_F_PKCS12_KEY_GEN_UNI,ERR_R_MALLOC_FAILURE); return 0; } for (i = 0; i < v; i++) D[i] = id; p = I; for (i = 0; i < Slen; i++) *p++ = salt[i % saltlen]; for (i = 0; i < Plen; i++) *p++ = pass[i % passlen]; for (;;) { EVP_DigestInit_ex(&ctx, md_type, NULL); EVP_DigestUpdate(&ctx, D, v); EVP_DigestUpdate(&ctx, I, Ilen); EVP_DigestFinal_ex(&ctx, Ai, NULL); for (j = 1; j < iter; j++) { EVP_DigestInit_ex(&ctx, md_type, NULL); EVP_DigestUpdate(&ctx, Ai, u); EVP_DigestFinal_ex(&ctx, Ai, NULL); } TINYCLR_SSL_MEMCPY (out, Ai, min (n, u)); if (u >= n) { OPENSSL_free (Ai); OPENSSL_free (B); OPENSSL_free (D); OPENSSL_free (I); BN_free (Ij); BN_free (Bpl1); EVP_MD_CTX_cleanup(&ctx); #ifdef DEBUG_KEYGEN TINYCLR_SSL_FPRINTF(OPENSSL_TYPE__FILE_STDERR, "Output KEY (length %d)\n", tmpn); h__dump(tmpout, tmpn); #endif return 1; } n -= u; out += u; for (j = 0; j < v; j++) B[j] = Ai[j % u]; /* Work out B + 1 first then can use B as tmp space */ BN_bin2bn (B, v, Bpl1); BN_add_word (Bpl1, 1); for (j = 0; j < Ilen ; j+=v) { BN_bin2bn (I + j, v, Ij); BN_add (Ij, Ij, Bpl1); BN_bn2bin (Ij, B); Ijlen = BN_num_bytes (Ij); /* If more than 2^(v*8) - 1 cut off MSB */ if (Ijlen > v) { BN_bn2bin (Ij, B); TINYCLR_SSL_MEMCPY (I + j, B + 1, v); #ifndef PKCS12_BROKEN_KEYGEN /* If less than v bytes pad with zeroes */ } else if (Ijlen < v) { TINYCLR_SSL_MEMSET(I + j, 0, v - Ijlen); BN_bn2bin(Ij, I + j + v - Ijlen); #endif } else BN_bn2bin (Ij, I + j); } } }
int GOST_KEY_check_key(const GOST_KEY *key) { int ok = 0; BN_CTX *ctx = NULL; BIGNUM *order = NULL; EC_POINT *point = NULL; if (!key || !key->group || !key->pub_key) { GOSTerr(GOST_F_GOST_KEY_CHECK_KEY, ERR_R_PASSED_NULL_PARAMETER); return 0; } if (EC_POINT_is_at_infinity(key->group, key->pub_key)) { GOSTerr(GOST_F_GOST_KEY_CHECK_KEY, EC_R_POINT_AT_INFINITY); goto err; } if ((ctx = BN_CTX_new()) == NULL) goto err; if ((point = EC_POINT_new(key->group)) == NULL) goto err; /* testing whether the pub_key is on the elliptic curve */ if (EC_POINT_is_on_curve(key->group, key->pub_key, ctx) <= 0) { GOSTerr(GOST_F_GOST_KEY_CHECK_KEY, EC_R_POINT_IS_NOT_ON_CURVE); goto err; } /* testing whether pub_key * order is the point at infinity */ if ((order = BN_new()) == NULL) goto err; if (!EC_GROUP_get_order(key->group, order, ctx)) { GOSTerr(GOST_F_GOST_KEY_CHECK_KEY, EC_R_INVALID_GROUP_ORDER); goto err; } if (!EC_POINT_mul(key->group, point, NULL, key->pub_key, order, ctx)) { GOSTerr(GOST_F_GOST_KEY_CHECK_KEY, ERR_R_EC_LIB); goto err; } if (!EC_POINT_is_at_infinity(key->group, point)) { GOSTerr(GOST_F_GOST_KEY_CHECK_KEY, EC_R_WRONG_ORDER); goto err; } /* * in case the priv_key is present : check if generator * priv_key == * pub_key */ if (key->priv_key) { if (BN_cmp(key->priv_key, order) >= 0) { GOSTerr(GOST_F_GOST_KEY_CHECK_KEY, EC_R_WRONG_ORDER); goto err; } if (!EC_POINT_mul(key->group, point, key->priv_key, NULL, NULL, ctx)) { GOSTerr(GOST_F_GOST_KEY_CHECK_KEY, ERR_R_EC_LIB); goto err; } if (EC_POINT_cmp(key->group, point, key->pub_key, ctx) != 0) { GOSTerr(GOST_F_GOST_KEY_CHECK_KEY, EC_R_INVALID_PRIVATE_KEY); goto err; } } ok = 1; err: BN_free(order); BN_CTX_free(ctx); EC_POINT_free(point); return (ok); }
static int do_EC_KEY_print(BIO *bp, const EC_KEY *x, int off, int ktype) { unsigned char *buffer=NULL; const char *ecstr; size_t buf_len=0, i; int ret=0, reason=ERR_R_BIO_LIB; BIGNUM *pub_key=NULL, *order=NULL; BN_CTX *ctx=NULL; const EC_GROUP *group; const EC_POINT *public_key; const BIGNUM *priv_key; if (x == NULL || (group = EC_KEY_get0_group(x)) == NULL) { reason = ERR_R_PASSED_NULL_PARAMETER; goto err; } ctx = BN_CTX_new(); if (ctx == NULL) { reason = ERR_R_MALLOC_FAILURE; goto err; } if (ktype > 0) { public_key = EC_KEY_get0_public_key(x); if ((pub_key = EC_POINT_point2bn(group, public_key, EC_KEY_get_conv_form(x), NULL, ctx)) == NULL) { reason = ERR_R_EC_LIB; goto err; } if (pub_key) buf_len = (size_t)BN_num_bytes(pub_key); } if (ktype == 2) { priv_key = EC_KEY_get0_private_key(x); if (priv_key && (i = (size_t)BN_num_bytes(priv_key)) > buf_len) buf_len = i; } else priv_key = NULL; if (ktype > 0) { buf_len += 10; if ((buffer = OPENSSL_malloc(buf_len)) == NULL) { reason = ERR_R_MALLOC_FAILURE; goto err; } } if (ktype == 2) ecstr = "Private-Key"; else if (ktype == 1) ecstr = "Public-Key"; else ecstr = "ECDSA-Parameters"; if (!BIO_indent(bp, off, 128)) goto err; if ((order = BN_new()) == NULL) goto err; if (!EC_GROUP_get_order(group, order, NULL)) goto err; if (BIO_printf(bp, "%s: (%d bit)\n", ecstr, BN_num_bits(order)) <= 0) goto err; if ((priv_key != NULL) && !ASN1_bn_print(bp, "priv:", priv_key, buffer, off)) goto err; if ((pub_key != NULL) && !ASN1_bn_print(bp, "pub: ", pub_key, buffer, off)) goto err; if (!ECPKParameters_print(bp, group, off)) goto err; ret=1; err: if (!ret) ECerr(EC_F_DO_EC_KEY_PRINT, reason); if (pub_key) BN_free(pub_key); if (order) BN_free(order); if (ctx) BN_CTX_free(ctx); if (buffer != NULL) OPENSSL_free(buffer); return(ret); }
int ssl_test_exp(int argc, char *argv[]) { BN_CTX *ctx; BIO *out=NULL; int i,ret; unsigned char c; BIGNUM *r_mont,*r_mont_const,*r_recp,*r_simple,*a,*b,*m; RAND_seed(rnd_seed, sizeof rnd_seed); /* or BN_rand may fail, and we don't * even check its return value * (which we should) */ ERR_load_BN_strings(); ctx=BN_CTX_new(); if (ctx == NULL) return(1); r_mont=BN_new(); r_mont_const=BN_new(); r_recp=BN_new(); r_simple=BN_new(); a=BN_new(); b=BN_new(); m=BN_new(); if ( (r_mont == NULL) || (r_recp == NULL) || (a == NULL) || (b == NULL)) goto err; #ifndef OPENSSL_SYS_WINDOWS out = BIO_new(BIO_s_mem()); if (out == NULL) return(1); #else out=BIO_new(BIO_s_file()); if (out == NULL) return(1); BIO_set_fp(out,OPENSSL_TYPE__FILE_STDOUT,BIO_NOCLOSE); #endif for (i=0; i<200; i++) { RAND_bytes(&c,1); c=(c%BN_BITS)-BN_BITS2; BN_rand(a,NUM_BITS+c,0,0); RAND_bytes(&c,1); c=(c%BN_BITS)-BN_BITS2; BN_rand(b,NUM_BITS+c,0,0); RAND_bytes(&c,1); c=(c%BN_BITS)-BN_BITS2; BN_rand(m,NUM_BITS+c,0,1); BN_mod(a,a,m,ctx); BN_mod(b,b,m,ctx); ret=BN_mod_exp_mont(r_mont,a,b,m,ctx,NULL); if (ret <= 0) { TINYCLR_SSL_PRINTF("BN_mod_exp_mont() problems\n"); ERR_print_errors(out); return(1); } ret=BN_mod_exp_recp(r_recp,a,b,m,ctx); if (ret <= 0) { TINYCLR_SSL_PRINTF("BN_mod_exp_recp() problems\n"); ERR_print_errors(out); return(1); } ret=BN_mod_exp_simple(r_simple,a,b,m,ctx); if (ret <= 0) { TINYCLR_SSL_PRINTF("BN_mod_exp_simple() problems\n"); ERR_print_errors(out); return(1); } ret=BN_mod_exp_mont_consttime(r_mont_const,a,b,m,ctx,NULL); if (ret <= 0) { TINYCLR_SSL_PRINTF("BN_mod_exp_mont_consttime() problems\n"); ERR_print_errors(out); return(1); } if (BN_cmp(r_simple, r_mont) == 0 && BN_cmp(r_simple,r_recp) == 0 && BN_cmp(r_simple,r_mont_const) == 0) { TINYCLR_SSL_PRINTF("."); } else { if (BN_cmp(r_simple,r_mont) != 0) TINYCLR_SSL_PRINTF("\nsimple and mont results differ\n"); if (BN_cmp(r_simple,r_mont_const) != 0) TINYCLR_SSL_PRINTF("\nsimple and mont const time results differ\n"); if (BN_cmp(r_simple,r_recp) != 0) TINYCLR_SSL_PRINTF("\nsimple and recp results differ\n"); TINYCLR_SSL_PRINTF("a (%3d) = ",BN_num_bits(a)); BN_print(out,a); TINYCLR_SSL_PRINTF("\nb (%3d) = ",BN_num_bits(b)); BN_print(out,b); TINYCLR_SSL_PRINTF("\nm (%3d) = ",BN_num_bits(m)); BN_print(out,m); TINYCLR_SSL_PRINTF("\nsimple ="); BN_print(out,r_simple); TINYCLR_SSL_PRINTF("\nrecp ="); BN_print(out,r_recp); TINYCLR_SSL_PRINTF("\nmont ="); BN_print(out,r_mont); TINYCLR_SSL_PRINTF("\nmont_ct ="); BN_print(out,r_mont_const); TINYCLR_SSL_PRINTF("\n"); return(1); } } BN_free(r_mont); BN_free(r_mont_const); BN_free(r_recp); BN_free(r_simple); BN_free(a); BN_free(b); BN_free(m); BN_CTX_free(ctx); ERR_remove_thread_state(NULL); CRYPTO_mem_leaks(out); BIO_free(out); TINYCLR_SSL_PRINTF(" done\n"); return(0); err: ERR_load_crypto_strings(); ERR_print_errors(out); #ifdef OPENSSL_SYS_NETWARE TINYCLR_SSL_PRINTF("ERROR\n"); #endif return(1); }
void Decode_RSA(unsigned char *encData, int fd ,char *getData) { RSA *r; BIGNUM *bne,*bnn,*bnd; int bits = 1024, ret, len, flen, padding, i; unsigned char *key, *p; BIO *b; /*unsigned char *encData;*/ unsigned char *decData,*tmpData;//加密后的数据/解密后的数据/临时指针 /* Key data */ unsigned long e = 75011; /* 构建RSA数据结构 */ bne = BN_new(); bnd = BN_new(); bnn = BN_new(); ret = BN_set_word(bne, e); BN_hex2bn(&bnd, PRIVATE); BN_hex2bn(&bnn, MODULUS); r = RSA_new(); r->e=bne; r->d=bnd; r->n=bnn; /* output key */ /*RSA_print_fp(stdout, r, 5);*/ flen = RSA_size(r);// - 11; /*encData = (unsigned char *)malloc(flen); */ /*bzero(encData, flen);//memset(encData, 0, flen); */ //JCG("Begin RSA_private_decrypt \n"); if(ret < 0){ JCG("Encrypt failed!\n"); return; } #if 0 tmpData=encData; for (i=0; i<ret; i++) { JDG("0x%02x, ", *tmpData); if(i%16 == 7) JDG("\t"); else if(i%16 == 15) JDG("\n"); tmpData++; } JDG("\n"); #endif flen = RSA_size(r);// - 11; decData = (unsigned char *)malloc(flen); bzero(decData, flen);//memset(encData, 0, flen); ret = RSA_public_decrypt(flen, encData, decData, r, RSA_NO_PADDING); if(ret < 0){ JCG("RSA_public_decrypt failed!"); return; } sprintf(getData,"%s",decData); free(decData); RSA_free(r); }
int __ops_elgamal_private_decrypt(uint8_t *out, const uint8_t *g_to_k, const uint8_t *in, size_t length, const __ops_elgamal_seckey_t *seckey, const __ops_elgamal_pubkey_t *pubkey) { BIGNUM *bndiv; BIGNUM *c1x; BN_CTX *tmp; BIGNUM *c1; BIGNUM *c2; BIGNUM *p; BIGNUM *x; BIGNUM *m; int ret; ret = 0; /* c1 and c2 are in g_to_k and in, respectively*/ c1 = BN_bin2bn(g_to_k, (int)length, NULL); c2 = BN_bin2bn(in, (int)length, NULL); /* other bits */ p = pubkey->p; x = seckey->x; c1x = BN_new(); bndiv = BN_new(); m = BN_new(); tmp = BN_CTX_new(); if (!c1 || !c2 || !p || !x || !c1x || !bndiv || !m || !tmp) { goto done; } /* * m = c2 / (c1^x) */ if (!BN_mod_exp(c1x, c1, x, p, tmp)) { goto done; } if (!BN_mod_inverse(bndiv, c1x, p, tmp)) { goto done; } if (!BN_mod_mul(m, c2, bndiv, p, tmp)) { goto done; } /* result */ ret = BN_bn2bin(m, out); done: if (tmp) { BN_CTX_free(tmp); } if (m) { BN_clear_free(m); } if (bndiv) { BN_clear_free(bndiv); } if (c1x) { BN_clear_free(c1x); } if (x) { BN_clear_free(x); } if (p) { BN_clear_free(p); } if (c1) { BN_clear_free(c1); } if (c2) { BN_clear_free(c2); } return ret; }
int ssh_dss_verify(const Key *key, const u_char *signature, u_int signaturelen, const u_char *data, u_int datalen) { DSA_SIG *sig; const EVP_MD *evp_md = EVP_sha1(); EVP_MD_CTX md; u_char digest[EVP_MAX_MD_SIZE], *sigblob; u_int len, dlen; int rlen, ret; Buffer b; if (key == NULL || key->dsa == NULL || (key->type != KEY_DSA && key->type != KEY_DSA_CERT && key->type != KEY_DSA_CERT_V00)) { error("ssh_dss_verify: no DSA key"); return -1; } /* fetch signature */ if (datafellows & SSH_BUG_SIGBLOB) { sigblob = xmalloc(signaturelen); memcpy(sigblob, signature, signaturelen); len = signaturelen; } else { /* ietf-drafts */ char *ktype; buffer_init(&b); buffer_append(&b, signature, signaturelen); ktype = buffer_get_cstring(&b, NULL); if (strcmp("ssh-dss", ktype) != 0) { error("ssh_dss_verify: cannot handle type %s", ktype); buffer_free(&b); free(ktype); return -1; } free(ktype); sigblob = buffer_get_string(&b, &len); rlen = buffer_len(&b); buffer_free(&b); if (rlen != 0) { error("ssh_dss_verify: " "remaining bytes in signature %d", rlen); free(sigblob); return -1; } } if (len != SIGBLOB_LEN) { fatal("bad sigbloblen %u != SIGBLOB_LEN", len); } /* parse signature */ if ((sig = DSA_SIG_new()) == NULL) fatal("ssh_dss_verify: DSA_SIG_new failed"); if ((sig->r = BN_new()) == NULL) fatal("ssh_dss_verify: BN_new failed"); if ((sig->s = BN_new()) == NULL) fatal("ssh_dss_verify: BN_new failed"); if ((BN_bin2bn(sigblob, INTBLOB_LEN, sig->r) == NULL) || (BN_bin2bn(sigblob+ INTBLOB_LEN, INTBLOB_LEN, sig->s) == NULL)) fatal("ssh_dss_verify: BN_bin2bn failed"); /* clean up */ memset(sigblob, 0, len); free(sigblob); /* sha1 the data */ EVP_DigestInit(&md, evp_md); EVP_DigestUpdate(&md, data, datalen); EVP_DigestFinal(&md, digest, &dlen); ret = DSA_do_verify(digest, dlen, sig, key->dsa); memset(digest, 'd', sizeof(digest)); DSA_SIG_free(sig); debug("ssh_dss_verify: signature %s", ret == 1 ? "correct" : ret == 0 ? "incorrect" : "error"); return ret; }