/*
 * Prepare |mont| for Montgomery arithmetic modulo |mod|.
 *
 * On return mont->N holds |mod| with its sign cleared, mont->n0 holds the low
 * word(s) of Ni, where N*Ni == R*Ri - 1 (equivalently Ni == -N^-1 mod R, with
 * R = 2^BN_BITS2 or 2^(2*BN_BITS2) depending on the platform branch below),
 * and mont->RR = 2^(2*ri) mod N, ri being the bit length of |mod| rounded up
 * to a whole number of words.
 *
 * Returns 1 on success and 0 on failure.  A zero modulus is rejected with
 * BN_R_DIV_BY_ZERO.  Other failures (allocation, or BN_mod_inverse() finding
 * no inverse, which is what happens for an even modulus since R is a power
 * of two) leave whatever error the BN routines pushed.
 */
int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx) {
  int ret = 0;
  BIGNUM *Ri, *R;
  BIGNUM tmod;
  BN_ULONG buf[2];

  if (BN_is_zero(mod)) {
    OPENSSL_PUT_ERROR(BN, BN_R_DIV_BY_ZERO);
    return 0;
  }

  BN_CTX_start(ctx);
  Ri = BN_CTX_get(ctx);
  if (Ri == NULL) {
    goto err;
  }
  R = &mont->RR; /* grab RR as a temp */
  if (!BN_copy(&mont->N, mod)) {
    goto err; /* Set N */
  }
  /* NOTE(review): a negative |mod| is silently treated as |mod|, not rejected. */
  mont->N.neg = 0;

  /* tmod is a stack BIGNUM whose limbs alias buf[].  It will hold N mod R so
   * that the inverse below is computed on one or two words rather than all
   * of N. */
  BN_init(&tmod);
  tmod.d = buf;
  tmod.dmax = 2;
  tmod.neg = 0;

#if defined(OPENSSL_BN_ASM_MONT) && (BN_BITS2 <= 32)
  /* Only certain BN_BITS2<=32 platforms actually make use of
   * n0[1], and we could use the #else case (with a shorter R
   * value) for the others. However, currently only the assembler
   * files do know which is which. */

  /* R = 2^(2*BN_BITS2): a two-word radix. */
  BN_zero(R);
  if (!BN_set_bit(R, 2 * BN_BITS2)) {
    goto err;
  }

  /* tmod = the low two words of N (top adjusted to skip zero limbs). */
  tmod.top = 0;
  if ((buf[0] = mod->d[0])) {
    tmod.top = 1;
  }
  if ((buf[1] = mod->top > 1 ? mod->d[1] : 0)) {
    tmod.top = 2;
  }

  /* Ri = R^-1 mod tmod */
  if (BN_mod_inverse(Ri, R, &tmod, ctx) == NULL) {
    goto err;
  }
  if (!BN_lshift(Ri, Ri, 2 * BN_BITS2)) {
    goto err; /* R*Ri */
  }
  if (!BN_is_zero(Ri)) {
    if (!BN_sub_word(Ri, 1)) {
      goto err;
    }
  } else {
    /* if N mod word size == 1 */
    /* Here Ri == 0, so R*Ri - 1 == -1; reduced modulo 2^(2*BN_BITS2) that is
     * the two-word all-ones value, which is written straight into the
     * limbs. */
    if (bn_expand(Ri, (int)sizeof(BN_ULONG) * 2) == NULL) {
      goto err;
    }
    /* Ri-- (mod double word size) */
    Ri->neg = 0;
    Ri->d[0] = BN_MASK2;
    Ri->d[1] = BN_MASK2;
    Ri->top = 2;
  }
  if (!BN_div(Ri, NULL, Ri, &tmod, ctx)) {
    goto err;
  }
  /* Ni = (R*Ri-1)/N,
   * keep only couple of least significant words: */
  mont->n0[0] = (Ri->top > 0) ? Ri->d[0] : 0;
  mont->n0[1] = (Ri->top > 1) ? Ri->d[1] : 0;
#else
  /* R = 2^BN_BITS2: a one-word radix. */
  BN_zero(R);
  if (!BN_set_bit(R, BN_BITS2)) {
    goto err; /* R */
  }
  buf[0] = mod->d[0]; /* tmod = N mod word size */
  buf[1] = 0;
  tmod.top = buf[0] != 0 ? 1 : 0;
  /* Ri = R^-1 mod N*/
  if (BN_mod_inverse(Ri, R, &tmod, ctx) == NULL) {
    goto err;
  }
  if (!BN_lshift(Ri, Ri, BN_BITS2)) {
    goto err; /* R*Ri */
  }
  if (!BN_is_zero(Ri)) {
    if (!BN_sub_word(Ri, 1)) {
      goto err;
    }
  } else {
    /* if N mod word size == 1 */
    /* Ri == 0, so R*Ri - 1 == -1 == BN_MASK2 modulo the word size. */
    if (!BN_set_word(Ri, BN_MASK2)) {
      goto err; /* Ri-- (mod word size) */
    }
  }
  if (!BN_div(Ri, NULL, Ri, &tmod, ctx)) {
    goto err;
  }
  /* Ni = (R*Ri-1)/N,
   * keep only least significant word: */
  mont->n0[0] = (Ri->top > 0) ? Ri->d[0] : 0;
  mont->n0[1] = 0;
#endif

  /* RR = (2^ri)^2 == 2^(ri*2) == 1 << (ri*2), which has its (ri*2)th bit set. */
  int ri = (BN_num_bits(mod) + (BN_BITS2 - 1)) / BN_BITS2 * BN_BITS2;
  BN_zero(&(mont->RR));
  if (!BN_set_bit(&(mont->RR), ri * 2)) {
    goto err;
  }
  if (!BN_mod(&(mont->RR), &(mont->RR), &(mont->N), ctx)) {
    goto err;
  }

  ret = 1;

err:
  BN_CTX_end(ctx);
  return ret;
}
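/*
 * Set up |mont| for Montgomery arithmetic modulo |mod|.
 *
 * Stores |mod| (sign cleared) in mont->N, records mont->ri = the bit length
 * of the modulus rounded up to a word (or the exact bit length in the
 * bignum build), computes the Montgomery constant and RR = 2^(2*ri) mod N.
 * Under MONT_WORD the constant is the low one or two words of
 * Ni = (R*Ri - 1)/N (i.e. -N^-1 mod R) stored in mont->n0[]; otherwise the
 * whole Ni is kept in mont->Ni.
 *
 * Returns 1 on success, 0 on failure.  A zero modulus is refused up front:
 * besides having no Montgomery form, it would make the MONT_WORD branch read
 * mod->d[0] of a BIGNUM that may have no limbs allocated at all.  (No BN
 * error code is pushed for that case.)  An even modulus fails inside
 * BN_mod_inverse(), since R is a power of two.
 */
int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
{
    int ret = 0;
    BIGNUM *Ri, *R;

    if (BN_is_zero(mod))
        return 0;

    BN_CTX_start(ctx);
    if ((Ri = BN_CTX_get(ctx)) == NULL)
        goto err;
    R = &(mont->RR);            /* grab RR as a temp */
    if (!BN_copy(&(mont->N), mod))
        goto err;               /* Set N */
    mont->N.neg = 0;

#ifdef MONT_WORD
    {
        BIGNUM tmod;
        BN_ULONG buf[2];

        /* tmod is a stack BIGNUM aliasing buf[]; it will hold N mod R. */
        BN_init(&tmod);
        tmod.d = buf;
        tmod.dmax = 2;
        tmod.neg = 0;

        mont->ri = (BN_num_bits(mod) + (BN_BITS2 - 1)) / BN_BITS2 * BN_BITS2;

#if defined(OPENSSL_BN_ASM_MONT) && (BN_BITS2<=32)
        /*
         * Only certain BN_BITS2<=32 platforms actually make use of
         * n0[1], and we could use the #else case (with a shorter R
         * value) for the others. However, currently only the assembler
         * files do know which is which.
         */

        /* R = 2^(2*BN_BITS2), a two-word radix */
        BN_zero(R);
        if (!(BN_set_bit(R, 2 * BN_BITS2)))
            goto err;

        /* tmod = the low two words of N */
        tmod.top = 0;
        if ((buf[0] = mod->d[0]))
            tmod.top = 1;
        if ((buf[1] = mod->top > 1 ? mod->d[1] : 0))
            tmod.top = 2;

        /* Ri = R^-1 mod tmod */
        if ((BN_mod_inverse(Ri, R, &tmod, ctx)) == NULL)
            goto err;
        if (!BN_lshift(Ri, Ri, 2 * BN_BITS2))
            goto err;           /* R*Ri */
        if (!BN_is_zero(Ri)) {
            if (!BN_sub_word(Ri, 1))
                goto err;
        } else {                /* if N mod word size == 1 */
            /* R*Ri == 0 here, so R*Ri - 1 is -1 modulo the double word,
             * i.e. two all-ones limbs written directly. */
            if (bn_expand(Ri, (int)sizeof(BN_ULONG) * 2) == NULL)
                goto err;
            /* Ri-- (mod double word size) */
            Ri->neg = 0;
            Ri->d[0] = BN_MASK2;
            Ri->d[1] = BN_MASK2;
            Ri->top = 2;
        }
        if (!BN_div(Ri, NULL, Ri, &tmod, ctx))
            goto err;
        /*
         * Ni = (R*Ri-1)/N,
         * keep only couple of least significant words:
         */
        mont->n0[0] = (Ri->top > 0) ? Ri->d[0] : 0;
        mont->n0[1] = (Ri->top > 1) ? Ri->d[1] : 0;
#else
        /* R = 2^BN_BITS2, a one-word radix */
        BN_zero(R);
        if (!(BN_set_bit(R, BN_BITS2)))
            goto err;           /* R */

        buf[0] = mod->d[0];     /* tmod = N mod word size */
        buf[1] = 0;
        tmod.top = buf[0] != 0 ? 1 : 0;
        /* Ri = R^-1 mod N */
        if ((BN_mod_inverse(Ri, R, &tmod, ctx)) == NULL)
            goto err;
        if (!BN_lshift(Ri, Ri, BN_BITS2))
            goto err;           /* R*Ri */
        if (!BN_is_zero(Ri)) {
            if (!BN_sub_word(Ri, 1))
                goto err;
        } else {                /* if N mod word size == 1 */
            if (!BN_set_word(Ri, BN_MASK2))
                goto err;       /* Ri-- (mod word size) */
        }
        if (!BN_div(Ri, NULL, Ri, &tmod, ctx))
            goto err;
        /*
         * Ni = (R*Ri-1)/N,
         * keep only least significant word:
         */
        mont->n0[0] = (Ri->top > 0) ? Ri->d[0] : 0;
        mont->n0[1] = 0;
#endif
    }
#else                           /* !MONT_WORD */
    {                           /* bignum version */
        mont->ri = BN_num_bits(&mont->N);
        BN_zero(R);
        if (!BN_set_bit(R, mont->ri))
            goto err;           /* R = 2^ri */
        /* Ri = R^-1 mod N */
        if ((BN_mod_inverse(Ri, R, &mont->N, ctx)) == NULL)
            goto err;
        if (!BN_lshift(Ri, Ri, mont->ri))
            goto err;           /* R*Ri */
        if (!BN_sub_word(Ri, 1))
            goto err;
        /* Ni = (R*Ri-1) / N */
        if (!BN_div(&(mont->Ni), NULL, Ri, &mont->N, ctx))
            goto err;
    }
#endif

    /* setup RR for conversions: RR = 2^(2*ri) mod N */
    BN_zero(&(mont->RR));
    if (!BN_set_bit(&(mont->RR), mont->ri * 2))
        goto err;
    if (!BN_mod(&(mont->RR), &(mont->RR), &(mont->N), ctx))
        goto err;

    ret = 1;
 err:
    BN_CTX_end(ctx);
    return ret;
}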
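/*
 * Find the bignum ranges that produce a given prefix.
 *
 * |pfx| is a Base58 address prefix.  Each leading '1' (Base58 zero) stands
 * for one leading zero byte of the 25-byte address payload, which the code
 * treats as a 200-bit number with the address-type byte at bit 192.  The
 * remaining digits are accumulated into a number whose Base58 expansion
 * starts with them, and the result is the inclusive range of payload values
 * [bnlow, bnhigh] that encode with the prefix.  Because the first non-'1'
 * digit can be reached at two Base58 lengths, a second range
 * [bnlow2, bnhigh2] is sometimes produced too.  Both ranges are then clipped
 * to the floor/ceiling implied by the number of leading '1's and to the
 * address-type window [addrtype << 192, (addrtype + 1) << 192].
 *
 * On success result[0..3] = {bnlow, bnhigh, bnlow2, bnhigh2}; the last two
 * are NULL when there is no second range.  All four are freshly allocated
 * and owned by the caller.  Returns 0 on success, -2 when no address of
 * this type can carry the prefix, and -1 for an invalid or over-long prefix
 * or an allocation failure.  |bnctx| is scratch space for BN_mul/BN_div.
 */
static int
get_prefix_ranges(int addrtype, const char *pfx, BIGNUM **result,
		  BN_CTX *bnctx)
{
	int i, p, c;
	int zero_prefix = 0;
	int check_upper = 0;
	int b58pow, b58ceil, b58top = 0;
	int ret = -1;

	BIGNUM bntarg, bnceil, bnfloor;
	BIGNUM bnbase;
	BIGNUM *bnap, *bnbp, *bntp;
	BIGNUM *bnhigh = NULL, *bnlow = NULL, *bnhigh2 = NULL, *bnlow2 = NULL;
	BIGNUM bntmp, bntmp2;

	BN_init(&bntarg);
	BN_init(&bnceil);
	BN_init(&bnfloor);
	BN_init(&bnbase);
	BN_init(&bntmp);
	BN_init(&bntmp2);

	BN_set_word(&bnbase, 58);

	p = strlen(pfx);

	for (i = 0; i < p; i++) {
		/*
		 * Index the reverse map with the byte value, not a possibly
		 * signed char: a high-bit byte would otherwise become a
		 * negative index.  Assumes the table covers all 256 byte
		 * values -- confirm against its definition.
		 */
		c = vg_b58_reverse_map[(unsigned char)pfx[i]];
		if (c == -1) {
			fprintf(stderr,
				"Invalid character '%c' in prefix '%s'\n",
				pfx[i], pfx);
			goto out;
		}
		if (i == zero_prefix) {
			if (c == 0) {
				/* Add another zero prefix */
				zero_prefix++;
				if (zero_prefix > 19) {
					fprintf(stderr,
						"Prefix '%s' is too long\n",
						pfx);
					goto out;
				}
				continue;
			}

			/* First non-zero character */
			b58top = c;
			BN_set_word(&bntarg, c);

		} else {
			/* bntarg = bntarg * 58 + c */
			BN_set_word(&bntmp2, c);
			BN_mul(&bntmp, &bntarg, &bnbase, bnctx);
			BN_add(&bntarg, &bntmp, &bntmp2);
		}
	}

	/* Power-of-two ceiling and floor values based on leading 1s */
	BN_clear(&bntmp);
	BN_set_bit(&bntmp, 200 - (zero_prefix * 8));
	BN_sub(&bnceil, &bntmp, BN_value_one());
	BN_set_bit(&bnfloor, 192 - (zero_prefix * 8));

	bnlow = BN_new();
	bnhigh = BN_new();
	if (bnlow == NULL || bnhigh == NULL)
		goto out;

	if (b58top) {
		/*
		 * If a non-zero was given in the prefix, find the
		 * numeric boundaries of the prefix.
		 */

		/*
		 * b58pow counts how many times the ceiling can be divided by
		 * 58 before dropping to at most 58; b58ceil is what remains
		 * (roughly the ceiling's leading Base58 digit).
		 */
		BN_copy(&bntmp, &bnceil);
		bnap = &bntmp;
		bnbp = &bntmp2;
		b58pow = 0;
		while (BN_cmp(bnap, &bnbase) > 0) {
			b58pow++;
			BN_div(bnbp, NULL, bnap, &bnbase, bnctx);
			bntp = bnap;
			bnap = bnbp;
			bnbp = bntp;
		}
		b58ceil = BN_get_word(bnap);

		if ((b58pow - (p - zero_prefix)) <= 0) {
			/*
			 * Do not allow the prefix to constrain the
			 * check value, this is ridiculous.
			 */
			fprintf(stderr, "Prefix '%s' is too long\n", pfx);
			goto out;
		}

		/*
		 * bnlow  = bntarg * 58^k for the k digits left unconstrained,
		 * bnhigh = bnlow + 58^k - 1
		 */
		BN_set_word(&bntmp2, b58pow - (p - zero_prefix));
		BN_exp(&bntmp, &bnbase, &bntmp2, bnctx);
		BN_mul(bnlow, &bntmp, &bntarg, bnctx);
		BN_sub(&bntmp2, &bntmp, BN_value_one());
		BN_add(bnhigh, bnlow, &bntmp2);

		if (b58top <= b58ceil) {
			/* Fill out the upper range too */
			check_upper = 1;
			bnlow2 = BN_new();
			bnhigh2 = BN_new();
			if (bnlow2 == NULL || bnhigh2 == NULL)
				goto out;
			/* one more Base58 digit: [bnlow*58, bnhigh*58 + 57] */
			BN_mul(bnlow2, bnlow, &bnbase, bnctx);
			BN_mul(&bntmp2, bnhigh, &bnbase, bnctx);
			BN_set_word(&bntmp, 57);
			BN_add(bnhigh2, &bntmp2, &bntmp);

			/*
			 * Addresses above the ceiling will have one
			 * fewer "1" prefix in front than we require.
			 */
			if (BN_cmp(&bnceil, bnlow2) < 0) {
				/* High prefix is above the ceiling */
				check_upper = 0;
				BN_free(bnhigh2);
				bnhigh2 = NULL;
				BN_free(bnlow2);
				bnlow2 = NULL;
			}
			else if (BN_cmp(&bnceil, bnhigh2) < 0)
				/* High prefix is partly above the ceiling */
				BN_copy(bnhigh2, &bnceil);

			/*
			 * Addresses below the floor will have another
			 * "1" prefix in front instead of our target.
			 */
			if (BN_cmp(&bnfloor, bnhigh) >= 0) {
				/* Low prefix is completely below the floor */
				assert(check_upper);
				check_upper = 0;
				BN_free(bnhigh);
				bnhigh = bnhigh2;
				bnhigh2 = NULL;
				BN_free(bnlow);
				bnlow = bnlow2;
				bnlow2 = NULL;
			}
			else if (BN_cmp(&bnfloor, bnlow) > 0) {
				/* Low prefix is partly below the floor */
				BN_copy(bnlow, &bnfloor);
			}
		}

	} else {
		/* Only '1's: everything with that many leading zero bytes. */
		BN_copy(bnhigh, &bnceil);
		BN_clear(bnlow);
	}

	/* Limit the prefix to the address type */
	BN_clear(&bntmp);
	BN_set_word(&bntmp, addrtype);
	BN_lshift(&bntmp2, &bntmp, 192);

	/* Lower bound of the address-type window: addrtype << 192 */
	if (check_upper) {
		if (BN_cmp(&bntmp2, bnhigh2) > 0) {
			check_upper = 0;
			BN_free(bnhigh2);
			bnhigh2 = NULL;
			BN_free(bnlow2);
			bnlow2 = NULL;
		}
		else if (BN_cmp(&bntmp2, bnlow2) > 0)
			BN_copy(bnlow2, &bntmp2);
	}

	if (BN_cmp(&bntmp2, bnhigh) > 0) {
		if (!check_upper)
			goto not_possible;
		check_upper = 0;
		BN_free(bnhigh);
		bnhigh = bnhigh2;
		bnhigh2 = NULL;
		BN_free(bnlow);
		bnlow = bnlow2;
		bnlow2 = NULL;
	}
	else if (BN_cmp(&bntmp2, bnlow) > 0) {
		BN_copy(bnlow, &bntmp2);
	}

	/* Upper bound of the address-type window: (addrtype + 1) << 192 */
	BN_set_word(&bntmp, addrtype + 1);
	BN_lshift(&bntmp2, &bntmp, 192);

	if (check_upper) {
		if (BN_cmp(&bntmp2, bnlow2) < 0) {
			check_upper = 0;
			BN_free(bnhigh2);
			bnhigh2 = NULL;
			BN_free(bnlow2);
			bnlow2 = NULL;
		}
		else if (BN_cmp(&bntmp2, bnhigh2) < 0)
			/*
			 * The bound cuts into the second range, so clip
			 * its HIGH end.  (This used to copy into bnlow2,
			 * which left bnlow2 > bnhigh2 -- compare the
			 * matching branch for bnhigh just below.)
			 */
			BN_copy(bnhigh2, &bntmp2);
	}

	if (BN_cmp(&bntmp2, bnlow) < 0) {
		if (!check_upper)
			goto not_possible;
		check_upper = 0;
		BN_free(bnhigh);
		bnhigh = bnhigh2;
		bnhigh2 = NULL;
		BN_free(bnlow);
		bnlow = bnlow2;
		bnlow2 = NULL;
	}
	else if (BN_cmp(&bntmp2, bnhigh) < 0) {
		BN_copy(bnhigh, &bntmp2);
	}

	/* Address ranges are complete */
	assert(check_upper || ((bnlow2 == NULL) && (bnhigh2 == NULL)));
	result[0] = bnlow;
	result[1] = bnhigh;
	result[2] = bnlow2;
	result[3] = bnhigh2;
	/* ownership has passed to the caller; do not free below */
	bnlow = NULL;
	bnhigh = NULL;
	bnlow2 = NULL;
	bnhigh2 = NULL;
	ret = 0;
	goto out;

not_possible:
	ret = -2;

out:
	BN_clear_free(&bntarg);
	BN_clear_free(&bnceil);
	BN_clear_free(&bnfloor);
	BN_clear_free(&bnbase);
	BN_clear_free(&bntmp);
	BN_clear_free(&bntmp2);
	if (bnhigh)
		BN_free(bnhigh);
	if (bnlow)
		BN_free(bnlow);
	if (bnhigh2)
		BN_free(bnhigh2);
	if (bnlow2)
		BN_free(bnlow2);
	return ret;
}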
/*
 * Generate an RSA key of key->key_size bits into |key|.
 *
 * |exp| selects the public exponent: 0 means RSA_F4 (0x10001); any other
 * value selects F5 (0x100000001) on the RSA_generate_key_ex() path, or
 * 0x40000003 on the legacy RSA_generate_key() path, whose exponent is an
 * unsigned long (presumably why a different constant is used there --
 * confirm).  |callback| is only honoured on the modern path, where it is
 * relayed through progress_cb; the union exists because BN_GENCB carries a
 * void * and a function pointer cannot portably be cast to one directly.
 *
 * Returns ISC_R_SUCCESS, ISC_R_NOMEMORY (legacy path, EVP only) or the
 * OpenSSL failure mapped by dst__openssl_toresult().
 */
static isc_result_t
opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
#if OPENSSL_VERSION_NUMBER > 0x00908000L
	BN_GENCB cb;
	union {
		void *dptr;
		void (*fptr)(int);
	} u;
	RSA *rsa = RSA_new();
	BIGNUM *e = BN_new();
#if USE_EVP
	EVP_PKEY *pkey = EVP_PKEY_new();
#endif

	if (rsa == NULL || e == NULL)
		goto err;
#if USE_EVP
	if (pkey == NULL)
		goto err;
	/*
	 * pkey evidently takes its own reference to rsa (our reference is
	 * dropped with RSA_free() on success below); the key material is
	 * filled into the shared object by RSA_generate_key_ex().
	 */
	if (!EVP_PKEY_set1_RSA(pkey, rsa))
		goto err;
#endif

	/* NOTE(review): the BN_set_bit() results are not checked. */
	if (exp == 0) {
		/* RSA_F4 0x10001 */
		BN_set_bit(e, 0);
		BN_set_bit(e, 16);
	} else {
		/* F5 0x100000001 */
		BN_set_bit(e, 0);
		BN_set_bit(e, 32);
	}

	if (callback == NULL) {
		BN_GENCB_set_old(&cb, NULL, NULL);
	} else {
		u.fptr = callback;
		BN_GENCB_set(&cb, &progress_cb, u.dptr);
	}

	if (RSA_generate_key_ex(rsa, key->key_size, e, &cb)) {
		BN_free(e);
		SET_FLAGS(rsa);
#if USE_EVP
		key->keydata.pkey = pkey;
		RSA_free(rsa);
#else
		key->keydata.rsa = rsa;
#endif
		return (ISC_R_SUCCESS);
	}
	/* fall through: generation failed, release everything */
 err:
#if USE_EVP
	if (pkey != NULL)
		EVP_PKEY_free(pkey);
#endif
	if (e != NULL)
		BN_free(e);
	if (rsa != NULL)
		RSA_free(rsa);
	return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
#else
	/* Legacy OpenSSL: RSA_generate_key() with an unsigned long exponent. */
	RSA *rsa;
	unsigned long e;
#if USE_EVP
	EVP_PKEY *pkey = EVP_PKEY_new();

	UNUSED(callback);

	if (pkey == NULL)
		return (ISC_R_NOMEMORY);
#else
	UNUSED(callback);
#endif

	if (exp == 0)
		e = RSA_F4;
	else
		e = 0x40000003;
	rsa = RSA_generate_key(key->key_size, e, NULL, NULL);
	if (rsa == NULL) {
#if USE_EVP
		EVP_PKEY_free(pkey);
#endif
		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
	}
	SET_FLAGS(rsa);
#if USE_EVP
	if (!EVP_PKEY_set1_RSA(pkey, rsa)) {
		EVP_PKEY_free(pkey);
		RSA_free(rsa);
		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
	}
	key->keydata.pkey = pkey;
	RSA_free(rsa);
#else
	key->keydata.rsa = rsa;
#endif

	return (ISC_R_SUCCESS);
#endif
}
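/*
 * Supplemental function returning a BIGNUM holding n = RndOddNum(k): the
 * k-bit odd integer formed from the raw bytes in |temp|.
 *
 * @param k       number of bits the result must have; must be >= 1.
 * @param temp    raw random bytes read from the rndfile (the original
 *                header says x = ceil(k/8) of them are read).
 * @param x_byte  number of bytes in |temp|; must be >= 0.
 * @return a new BIGNUM with bit 0 and bit k-1 set and every bit at or above
 *         k cleared, so 2^(k-1) <= n < 2^k and n is odd; NULL on a bad
 *         argument, allocation failure or BN failure (a message is printed
 *         to stderr).  The caller owns the result and must BN_free() it.
 */
BIGNUM *RndOddNum(int k, char *temp, int x_byte)
{
	BIGNUM *result;
	int total_num_bits;
	int bit;

	/*
	 * A non-positive k would feed a negative bit index to BN_set_bit(),
	 * and BN_bin2bn() cannot take a NULL buffer or a negative length.
	 */
	if (k <= 0 || temp == NULL || x_byte < 0) {
		fprintf(stderr,
			"ERROR: invalid arguments to RndOddNum (k=%d, x_byte=%d)\n",
			k, x_byte);
		return NULL;
	}

	result = BN_new();
	if (result == NULL) {
		fprintf(stderr, "Can't allocate space to hold returned result for RndOddNum function\n");
		return NULL;
	}

	if (BN_bin2bn((unsigned char *)temp, x_byte, result) == NULL) {
		fprintf(stderr, "ERROR: can't convert binary read from rndfile to bn\n");
		BN_free(result);
		return NULL;
	}

	/* Force the number odd ... */
	if (!BN_set_bit(result, 0)) {
		fprintf(stderr, "ERROR: can't set bit 0\n");
		BN_free(result);
		return NULL;
	}
	/* ... and at least k bits wide. */
	if (!BN_set_bit(result, k - 1)) {
		fprintf(stderr, "ERROR: can't set bit k-1\n");
		BN_free(result);
		return NULL;
	}

	/*
	 * Clear every bit at or above position k so the value is < 2^k.
	 * Bits are cleared in ascending order, so the bignum's top limb
	 * only shrinks after its highest set bit (the last index visited)
	 * goes, and BN_clear_bit() never sees an index beyond the top.
	 */
	total_num_bits = BN_num_bits(result);
	for (bit = k; bit < total_num_bits; bit++) {
		if (BN_clear_bit(result, bit) == 0) {
			fprintf(stderr, "ERROR: can't clear bit %dth\n", bit);
			BN_free(result);
			return NULL;
		}
	}

	return result;	/* the calling function is responsible for freeing it */
}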
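/*
 * Parse |npatterns| Base58 address prefixes and add each to the prefix
 * context's AVL tree of numeric ranges, accumulating vcp_difficulty.
 * Case-insensitive contexts enumerate every case variant of a pattern and
 * add all of them under the original pattern string.
 *
 * Returns 1 if at least one pattern was added, 0 otherwise (also when the
 * scratch BN_CTX cannot be allocated).  Invalid, over-long and impossible
 * patterns are reported on stderr and skipped; when nothing was added and
 * some pattern was impossible, a hint about the expected leading character
 * for the address type is printed.
 */
static int
vg_prefix_context_add_patterns(vg_context_t *vcp,
			       const char ** const patterns, int npatterns)
{
	vg_prefix_context_t *vcpp = (vg_prefix_context_t *) vcp;
	prefix_case_iter_t caseiter;
	vg_prefix_t *vp, *vp2;
	BN_CTX *bnctx;
	BIGNUM bntmp, bntmp2, bntmp3;
	BIGNUM *ranges[4];
	int ret = 0;
	int i, impossible = 0;
	int case_impossible;
	unsigned long npfx;
	char *dbuf;

	bnctx = BN_CTX_new();
	if (bnctx == NULL) {
		fprintf(stderr, "Could not allocate bignum context\n");
		return 0;
	}
	BN_init(&bntmp);
	BN_init(&bntmp2);
	BN_init(&bntmp3);

	npfx = 0;
	for (i = 0; i < npatterns; i++) {
		if (!vcpp->vcp_caseinsensitive) {
			vp = NULL;
			ret = get_prefix_ranges(vcpp->base.vc_addrtype,
						patterns[i],
						ranges, bnctx);
			if (!ret) {
				vp = vg_prefix_add_ranges(&vcpp->vcp_avlroot,
							  patterns[i],
							  ranges, NULL);
			}

		} else {
			/* Case-enumerate the prefix */
			if (!prefix_case_iter_init(&caseiter, patterns[i])) {
				fprintf(stderr,
					"Prefix '%s' is too long\n",
					patterns[i]);
				continue;
			}

			if (caseiter.ci_nbits > 16) {
				fprintf(stderr,
					"WARNING: Prefix '%s' has "
					"2^%d case-varied derivatives\n",
					patterns[i], caseiter.ci_nbits);
			}

			case_impossible = 0;
			vp = NULL;
			do {
				ret = get_prefix_ranges(vcpp->base.vc_addrtype,
							caseiter.ci_prefix,
							ranges, bnctx);
				if (ret == -2) {
					/* this case variant cannot occur; try the next */
					case_impossible++;
					ret = 0;
					continue;
				}
				if (ret)
					break;
				/* all variants hang off the first one (vp) */
				vp2 = vg_prefix_add_ranges(&vcpp->vcp_avlroot,
							   patterns[i],
							   ranges,
							   vp);
				if (!vp2) {
					ret = -1;
					break;
				}
				if (!vp)
					vp = vp2;

			} while (prefix_case_iter_next(&caseiter));

			if (!vp && case_impossible)
				ret = -2;

			if (ret && vp) {
				vg_prefix_delete(&vcpp->vcp_avlroot, vp);
				vp = NULL;
			}
		}

		if (ret == -2) {
			fprintf(stderr,
				"Prefix '%s' not possible\n", patterns[i]);
			impossible++;
		}

		if (!vp)
			continue;

		npfx++;

		/* Determine the probability of finding a match */
		vg_prefix_range_sum(vp, &bntmp, &bntmp2);
		BN_add(&bntmp2, &vcpp->vcp_difficulty, &bntmp);
		BN_copy(&vcpp->vcp_difficulty, &bntmp2);

		if (vcp->vc_verbose > 1) {
			/* difficulty = 2^192 / (range size) */
			BN_clear(&bntmp2);
			BN_set_bit(&bntmp2, 192);
			BN_div(&bntmp3, NULL, &bntmp2, &bntmp, bnctx);

			/* BN_bn2dec() allocates and may fail; never hand a
			 * NULL to printf. */
			dbuf = BN_bn2dec(&bntmp3);
			if (dbuf != NULL) {
				fprintf(stderr,
					"Prefix difficulty: %20s %s\n",
					dbuf, patterns[i]);
				OPENSSL_free(dbuf);
			}
		}
	}

	vcpp->base.vc_npatterns += npfx;
	vcpp->base.vc_npatterns_start += npfx;

	if (!npfx && impossible) {
		const char *ats = "bitcoin", *bw = "\"1\"";
		switch (vcpp->base.vc_addrtype) {
		case 5:
			ats = "bitcoin script";
			bw = "\"3\"";
			break;
		case 111:
			ats = "testnet";
			bw = "\"m\" or \"n\"";
			break;
		case 52:
			ats = "namecoin";
			bw = "\"M\" or \"N\"";
			break;
		case 48:
			ats = "litecoin";
			bw = "\"L\"";
			break;
		default:
			break;
		}
		fprintf(stderr,
			"Hint: valid %s addresses begin with %s\n",
			ats, bw);
	}

	if (npfx)
		vg_prefix_context_next_difficulty(vcpp, &bntmp, &bntmp2, bnctx);

	ret = (npfx != 0);

	BN_clear_free(&bntmp);
	BN_clear_free(&bntmp2);
	BN_clear_free(&bntmp3);
	BN_CTX_free(bnctx);
	return ret;
}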
/*
 * Precompute the per-signature ECDSA values for |eckey|: a nonce k and
 * r = (x-coordinate of k*G) mod order.  On success *kinvp = k^-1 mod order
 * and *rp = r, with any previous *kinvp/*rp freed first.
 *
 * With |dgst| non-NULL the nonce comes from BN_generate_dsa_nonce(), fed
 * the order, the private key and the digest; otherwise it is a uniform
 * random value below the order.  Both k and r are retried until non-zero.
 * |ctx_in| may be NULL, in which case a temporary BN_CTX is created.
 *
 * Returns 1 on success, 0 on failure with an EC error pushed.
 */
static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in,
                            BIGNUM **kinvp, BIGNUM **rp,
                            const unsigned char *dgst, int dlen)
{
    BN_CTX *ctx = NULL;
    BIGNUM *k = NULL, *r = NULL, *X = NULL;
    const BIGNUM *order;
    EC_POINT *tmp_point = NULL;
    const EC_GROUP *group;
    int ret = 0;
    int order_bits;

    if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL) {
        ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_PASSED_NULL_PARAMETER);
        return 0;
    }
    if (!EC_KEY_can_sign(eckey)) {
        ECerr(EC_F_ECDSA_SIGN_SETUP, EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING);
        return 0;
    }

    if (ctx_in == NULL) {
        if ((ctx = BN_CTX_new()) == NULL) {
            ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_MALLOC_FAILURE);
            return 0;
        }
    } else
        ctx = ctx_in;

    k = BN_new();               /* this value is later returned in *kinvp */
    r = BN_new();               /* this value is later returned in *rp */
    X = BN_new();
    if (k == NULL || r == NULL || X == NULL) {
        ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_MALLOC_FAILURE);
        goto err;
    }
    if ((tmp_point = EC_POINT_new(group)) == NULL) {
        ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
        goto err;
    }
    order = EC_GROUP_get0_order(group);
    if (order == NULL) {
        ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
        goto err;
    }

    /* Preallocate space */
    /*
     * Setting bit order_bits grows each BIGNUM to one bit beyond the order
     * up front -- presumably so the loop below never has to reallocate as
     * the values change; TODO confirm the intent.  Note that a failure here
     * jumps to err without pushing an EC error.
     */
    order_bits = BN_num_bits(order);
    if (!BN_set_bit(k, order_bits)
        || !BN_set_bit(r, order_bits)
        || !BN_set_bit(X, order_bits))
        goto err;

    do {
        /* get random k */
        /*
         * NOTE(review): EC_KEY_get0_private_key() is passed straight to
         * BN_generate_dsa_nonce() with no NULL check; this relies on the
         * caller having verified the key has a private part -- confirm.
         */
        do
            if (dgst != NULL) {
                if (!BN_generate_dsa_nonce
                    (k, order, EC_KEY_get0_private_key(eckey), dgst, dlen,
                     ctx)) {
                    ECerr(EC_F_ECDSA_SIGN_SETUP,
                          EC_R_RANDOM_NUMBER_GENERATION_FAILED);
                    goto err;
                }
            } else {
                if (!BN_priv_rand_range(k, order)) {
                    ECerr(EC_F_ECDSA_SIGN_SETUP,
                          EC_R_RANDOM_NUMBER_GENERATION_FAILED);
                    goto err;
                }
            }
        while (BN_is_zero(k));

        /* compute r the x-coordinate of generator * k */
        if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) {
            ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
            goto err;
        }
        if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) ==
            NID_X9_62_prime_field) {
            if (!EC_POINT_get_affine_coordinates_GFp
                (group, tmp_point, X, NULL, ctx)) {
                ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
                goto err;
            }
        }
#ifndef OPENSSL_NO_EC2M
        else {                  /* NID_X9_62_characteristic_two_field */
            if (!EC_POINT_get_affine_coordinates_GF2m(group,
                                                      tmp_point, X, NULL,
                                                      ctx)) {
                ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
                goto err;
            }
        }
#endif
        /* r = X mod order, non-negative */
        if (!BN_nnmod(r, X, order, ctx)) {
            ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
            goto err;
        }
    }
    while (BN_is_zero(r));

    /* Check if optimized inverse is implemented */
    if (EC_GROUP_do_inverse_ord(group, k, k, ctx) == 0) {
        /* compute the inverse of k */
        if (group->mont_data != NULL) {
            /*
             * We want inverse in constant time, therefore we utilize the fact
             * order must be prime and use Fermats Little Theorem instead.
             */
            /* X = order - 2, so that k^X == k^-1 mod order */
            if (!BN_set_word(X, 2)) {
                ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
                goto err;
            }
            if (!BN_mod_sub(X, order, X, order, ctx)) {
                ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
                goto err;
            }
            BN_set_flags(X, BN_FLG_CONSTTIME);
            if (!BN_mod_exp_mont_consttime(k, k, X, order, ctx,
                                           group->mont_data)) {
                ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
                goto err;
            }
        } else {
            /* no Montgomery data for this group: generic (not constant-time) path */
            if (!BN_mod_inverse(k, k, order, ctx)) {
                ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
                goto err;
            }
        }
    }

    /* clear old values if necessary */
    BN_clear_free(*rp);
    BN_clear_free(*kinvp);
    /* save the pre-computed values  */
    *rp = r;
    *kinvp = k;
    ret = 1;
 err:
    if (!ret) {
        /* k and r are secrets on the failure path; wipe rather than just free */
        BN_clear_free(k);
        BN_clear_free(r);
    }
    if (ctx != ctx_in)
        BN_CTX_free(ctx);
    EC_POINT_free(tmp_point);
    BN_clear_free(X);
    return ret;
}
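/*
 * Generate an RSA key pair of |bits| bits with public exponent |e_value|.
 *
 * p gets (bits+1)/2 bits and q the remainder.  Each prime is regenerated
 * until gcd(p-1, e) == 1 (and, for q, q != p); p and q are then ordered so
 * that p > q and n = p*q, d = e^-1 mod (p-1)(q-1), dmp1 = d mod (p-1),
 * dmq1 = d mod (q-1) and iqmp = q^-1 mod p are computed.  |callback| (if
 * non-NULL) is forwarded to BN_generate_prime() and is also called with
 * (2, n) for every rejected prime and with (3, 0) / (3, 1) once p and q are
 * accepted; |cb_arg| is passed through to it.
 *
 * Returns the new RSA structure, or NULL with an error on the OpenSSL error
 * queue.  An even |e_value| (including 0) is rejected with
 * RSA_R_BAD_E_VALUE: p-1 is always even, so gcd(p-1, e) could never be 1
 * and the prime-search loops below would never terminate.
 */
RSA *RSA_generate_key(int bits, unsigned long e_value,
	     void (*callback)(int,int,void *), void *cb_arg)
	{
	RSA *rsa=NULL;
	BIGNUM *r0=NULL,*r1=NULL,*r2=NULL,*r3=NULL,*tmp;
	int bitsp,bitsq,ok= -1,n=0;
	unsigned i;
	BN_CTX *ctx=NULL,*ctx2=NULL;

	if ((e_value & 1) == 0)
		{
		RSAerr(RSA_F_RSA_GENERATE_KEY,RSA_R_BAD_E_VALUE);
		ok=0;	/* already reported; skip the generic ERR_LIB_BN below */
		goto err;
		}

	ctx=BN_CTX_new();
	if (ctx == NULL) goto err;
	/* Open the temp-variable frame before anything else can fail, so that
	 * err: can pair every non-NULL ctx with exactly one BN_CTX_end(). */
	BN_CTX_start(ctx);
	ctx2=BN_CTX_new();
	if (ctx2 == NULL) goto err;
	r0 = BN_CTX_get(ctx);
	r1 = BN_CTX_get(ctx);
	r2 = BN_CTX_get(ctx);
	r3 = BN_CTX_get(ctx);
	if (r3 == NULL) goto err;

	bitsp=(bits+1)/2;
	bitsq=bits-bitsp;
	rsa=RSA_new();
	if (rsa == NULL) goto err;

	/* set e */ 
	rsa->e=BN_new();
	if (rsa->e == NULL) goto err;

#if 1
	/* The problem is when building with 8, 16, or 32 BN_ULONG,
	 * unsigned long can be larger */
	for (i=0; i<sizeof(unsigned long)*8; i++)
		{
		if (e_value & (((unsigned long)1)<<i))
			BN_set_bit(rsa->e,i);
		}
#else
	if (!BN_set_word(rsa->e,e_value)) goto err;
#endif

	/* generate p and q */
	for (;;)
		{
		rsa->p=BN_generate_prime(NULL,bitsp,0,NULL,NULL,callback,cb_arg);
		if (rsa->p == NULL) goto err;
		if (!BN_sub(r2,rsa->p,BN_value_one())) goto err;
		if (!BN_gcd(r1,r2,rsa->e,ctx)) goto err;
		if (BN_is_one(r1)) break;	/* gcd(p-1, e) == 1 */
		if (callback != NULL) callback(2,n++,cb_arg);
		BN_free(rsa->p);
		}
	if (callback != NULL) callback(3,0,cb_arg);
	for (;;)
		{
		rsa->q=BN_generate_prime(NULL,bitsq,0,NULL,NULL,callback,cb_arg);
		if (rsa->q == NULL) goto err;
		if (!BN_sub(r2,rsa->q,BN_value_one())) goto err;
		if (!BN_gcd(r1,r2,rsa->e,ctx)) goto err;
		if (BN_is_one(r1) && (BN_cmp(rsa->p,rsa->q) != 0))
			break;	/* gcd(q-1, e) == 1 and q != p */
		if (callback != NULL) callback(2,n++,cb_arg);
		BN_free(rsa->q);
		}
	if (callback != NULL) callback(3,1,cb_arg);
	/* keep p as the larger prime */
	if (BN_cmp(rsa->p,rsa->q) < 0)
		{
		tmp=rsa->p;
		rsa->p=rsa->q;
		rsa->q=tmp;
		}

	/* calculate n */
	rsa->n=BN_new();
	if (rsa->n == NULL) goto err;
	if (!BN_mul(rsa->n,rsa->p,rsa->q,ctx)) goto err;

	/* calculate d */
	if (!BN_sub(r1,rsa->p,BN_value_one())) goto err;	/* p-1 */
	if (!BN_sub(r2,rsa->q,BN_value_one())) goto err;	/* q-1 */
	if (!BN_mul(r0,r1,r2,ctx)) goto err;	/* (p-1)(q-1) */

	/* gcd((p-1)(q-1), e) == 1 follows from the two loops above, so the
	 * inverse always exists and no retry on e is needed here. */
	rsa->d=BN_mod_inverse(NULL,rsa->e,r0,ctx2);	/* d */
	if (rsa->d == NULL) goto err;

	/* calculate d mod (p-1) */
	rsa->dmp1=BN_new();
	if (rsa->dmp1 == NULL) goto err;
	if (!BN_mod(rsa->dmp1,rsa->d,r1,ctx)) goto err;

	/* calculate d mod (q-1) */
	rsa->dmq1=BN_new();
	if (rsa->dmq1 == NULL) goto err;
	if (!BN_mod(rsa->dmq1,rsa->d,r2,ctx)) goto err;

	/* calculate inverse of q mod p */
	rsa->iqmp=BN_mod_inverse(NULL,rsa->q,rsa->p,ctx2);
	if (rsa->iqmp == NULL) goto err;

	ok=1;
err:
	if (ok == -1)
		{
		RSAerr(RSA_F_RSA_GENERATE_KEY,ERR_LIB_BN);
		ok=0;
		}
	if (ctx != NULL) BN_CTX_end(ctx);
	BN_CTX_free(ctx);
	BN_CTX_free(ctx2);
	
	if (!ok)
		{
		if (rsa != NULL) RSA_free(rsa);
		return(NULL);
		}
	else
		return(rsa);
	}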
/*
 * Set up |mont| for Montgomery arithmetic modulo |mod|: copy the modulus
 * into mont->N (sign cleared), derive the BN_MONT_CTX_N0_LIMBS-word
 * constant n0 = -N^-1 mod 2^(limbs*BN_BITS2) into mont->n0[], and compute
 * RR = 2^(2*ri) mod N (ri = bit length of |mod| rounded up to a word) for
 * converting values into Montgomery form.  Returns 1 on success, 0 on
 * failure; a zero modulus fails with BN_R_DIV_BY_ZERO.
 */
int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx) {
  int ret = 0;
  const int n0_bits = BN_MONT_CTX_N0_LIMBS * BN_BITS2;
  BIGNUM *r_inv, *radix;
  const BIGNUM *numerator;
  BIGNUM low_n;           /* N reduced mod 2^n0_bits; limbs alias low_limbs[] */
  BN_ULONG low_limbs[2];
  int ri;

  if (BN_is_zero(mod)) {
    OPENSSL_PUT_ERROR(BN, BN_R_DIV_BY_ZERO);
    return 0;
  }

  BN_CTX_start(ctx);
  r_inv = BN_CTX_get(ctx);
  if (r_inv == NULL) {
    goto err;
  }
  radix = &mont->RR; /* RR is not needed until the end, so borrow it as scratch */

  if (!BN_copy(&mont->N, mod)) {
    goto err;
  }
  mont->N.neg = 0;

  /* radix = 2^n0_bits */
  BN_zero(radix);
  if (!BN_set_bit(radix, n0_bits)) {
    goto err;
  }

  /* low_n = the bottom one or two limbs of N. */
  BN_init(&low_n);
  low_n.d = low_limbs;
  low_n.dmax = 2;
  low_n.neg = 0;
  low_limbs[0] = mod->d[0];
  low_limbs[1] = 0;
  low_n.top = (low_limbs[0] != 0) ? 1 : 0;
  if (BN_MONT_CTX_N0_LIMBS == 2 && mod->top > 1 && mod->d[1] != 0) {
    low_limbs[1] = mod->d[1];
    low_n.top = 2;
  }

  /* r_inv = radix^-1 mod low_n, then multiplied back by radix. */
  if (BN_mod_inverse(r_inv, radix, &low_n, ctx) == NULL ||
      !BN_lshift(r_inv, r_inv, n0_bits)) {
    goto err;
  }

  if (BN_is_zero(r_inv)) {
    /* radix * r_inv == 0, so subtracting one gives -1, which reduced modulo
     * 2^n0_bits is the all-ones limb pattern. */
    static const BN_ULONG kMinusOneLimbs[BN_MONT_CTX_N0_LIMBS] = {
        BN_MASK2,
#if BN_MONT_CTX_N0_LIMBS == 2
        BN_MASK2
#endif
    };
    STATIC_BIGNUM_DIAGNOSTIC_PUSH
    static const BIGNUM kMinusOne = STATIC_BIGNUM(kMinusOneLimbs);
    STATIC_BIGNUM_DIAGNOSTIC_POP
    numerator = &kMinusOne;
  } else {
    if (!BN_sub_word(r_inv, 1)) {
      goto err;
    }
    numerator = r_inv;
  }

  /* n0 = (radix * r_inv - 1) / low_n, keeping only the limbs we use. */
  if (!BN_div(r_inv, NULL, numerator, &low_n, ctx)) {
    goto err;
  }
  mont->n0[0] = (r_inv->top > 0) ? r_inv->d[0] : 0;
  mont->n0[1] =
      (BN_MONT_CTX_N0_LIMBS == 2 && r_inv->top > 1) ? r_inv->d[1] : 0;

  /* RR = (2^ri)^2 mod N; 2^(2*ri) is simply bit 2*ri set. */
  ri = (BN_num_bits(mod) + (BN_BITS2 - 1)) / BN_BITS2 * BN_BITS2;
  BN_zero(&mont->RR);
  if (!BN_set_bit(&mont->RR, ri * 2) ||
      !BN_mod(&mont->RR, &mont->RR, &mont->N, ctx)) {
    goto err;
  }

  ret = 1;

err:
  BN_CTX_end(ctx);
  return ret;
}
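/*
 * Exercise BN_set_word/BN_is_bit_set, BN_set_bit/BN_clear_bit and the bit
 * and byte counting functions on a single BIGNUM.
 *
 * Returns 0 when every check passes.  A bit-probe mismatch adds one to the
 * returned count; a BN operation that fails outright (or an allocation
 * failure) returns 1.  The BIGNUM is freed on every path.
 */
static int
test_BN_bit(void)
{
	BIGNUM *bn;
	int ret = 0;

	bn = BN_new();
	if (bn == NULL)
		return 1;

	/* test setting and getting of "word" */
	if (!BN_set_word(bn, 1))
		goto fail;
	if (!BN_is_bit_set(bn, 0))
		ret += 1;
	if (!BN_set_word(bn, 2))
		goto fail;
	if (!BN_is_bit_set(bn, 1))
		ret += 1;
	if (!BN_set_word(bn, 3))
		goto fail;
	if (!BN_is_bit_set(bn, 0))
		ret += 1;
	if (!BN_is_bit_set(bn, 1))
		ret += 1;
	if (!BN_set_word(bn, 0x100))
		goto fail;
	if (!BN_is_bit_set(bn, 8))
		ret += 1;
	if (!BN_set_word(bn, 0x1000))
		goto fail;
	if (!BN_is_bit_set(bn, 12))
		ret += 1;

	/* test bitsetting */
	if (!BN_set_word(bn, 1))
		goto fail;
	if (!BN_set_bit(bn, 1))
		goto fail;
	if (BN_get_word(bn) != 3)
		goto fail;
	if (!BN_clear_bit(bn, 0))
		goto fail;
	if (BN_get_word(bn) != 2)
		goto fail;

	/* test bitsetting past end of current end */
	BN_clear(bn);
	if (!BN_set_bit(bn, 12))
		goto fail;
	if (BN_get_word(bn) != 0x1000)
		goto fail;

	/* test bit and byte counting functions */
	if (BN_num_bits(bn) != 13)
		goto fail;
	if (BN_num_bytes(bn) != 2)
		goto fail;

	BN_free(bn);
	return ret;

fail:
	/* an operation failed outright; do not leak bn on the way out */
	BN_free(bn);
	return 1;
}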
CHECK_RETVAL_BOOL \
static BOOLEAN selfTestGeneralOps2( void )
	{
	BIGNUM bn;
	int status;

	/* More complex tests that need higher-level routines like 
	   importBignum(), run after the tests of components of importBignum() 
	   have concluded.  Both values used here are one word plus one byte 
	   wide: 2^BN_BITS2 (even) and 2^BN_BITS2 + 1 (odd).  Returns TRUE if 
	   every check passes, FALSE at the first one that doesn't */
	BN_init( &bn );

	/* Import 2^BN_BITS2: a single one byte followed by BN_BITS2 / 8 
	   zero bytes */
#if BN_BITS2 == 64
	status = importBignum( &bn, "\x01\x00\x00\x00\x00\x00\x00\x00\x00", 9, 
						   1, 128, NULL, KEYSIZE_CHECK_NONE );
#else
	status = importBignum( &bn, "\x01\x00\x00\x00\x00", 5, 
						   1, 128, NULL, KEYSIZE_CHECK_NONE );
#endif /* 64- vs 32-bit */
	if( cryptStatusError( status ) )
		return( FALSE );

	/* It must be neither zero nor one, even, and too wide for a word */
	if( BN_is_zero( &bn ) || BN_is_one( &bn ) || \
		BN_is_word( &bn, 0 ) || BN_is_word( &bn, 1 ) || \
		BN_is_odd( &bn ) )
		return( FALSE );
	if( BN_get_word( &bn ) != BN_NAN || \
		BN_num_bytes( &bn ) != ( BN_BITS2 / 8 ) + 1 || \
		BN_num_bits( &bn ) != BN_BITS2 + 1 || \
		!BN_is_bit_set( &bn, BN_BITS2 ) )
		return( FALSE );

	/* Setting a bit inside the existing width must be visible */
	if( BN_is_bit_set( &bn, 17 ) || !BN_set_bit( &bn, 17 ) || \
		!BN_is_bit_set( &bn, 17 ) )
		return( FALSE );

	/* Import 2^BN_BITS2 + 1, the same shape with the low bit set */
#if BN_BITS2 == 64
	status = importBignum( &bn, "\x01\x00\x00\x00\x00\x00\x00\x00\x01", 9, 
						   1, 128, NULL, KEYSIZE_CHECK_NONE );
#else
	status = importBignum( &bn, "\x01\x00\x00\x00\x01", 5, 
						   1, 128, NULL, KEYSIZE_CHECK_NONE );
#endif /* 64- vs 32-bit */
	if( cryptStatusError( status ) )
		return( FALSE );

	/* As before, but now it must be odd */
	if( BN_is_zero( &bn ) || BN_is_one( &bn ) || \
		BN_is_word( &bn, 0 ) || BN_is_word( &bn, 1 ) || \
		!BN_is_odd( &bn ) )
		return( FALSE );
	if( BN_num_bytes( &bn ) != ( BN_BITS2 / 8 ) + 1 || \
		BN_get_word( &bn ) != BN_NAN || \
		BN_num_bits( &bn ) != BN_BITS2 + 1 || \
		!BN_is_bit_set( &bn, BN_BITS2 ) )
		return( FALSE );

	/* Setting a bit off the end of a bignum extends its size... */
	if( BN_is_bit_set( &bn, BN_BITS2 + 27 ) || \
		!BN_set_bit( &bn, BN_BITS2 + 27 ) || \
		!BN_is_bit_set( &bn, BN_BITS2 + 27 ) )
		return( FALSE );

	/* ...which is why the byte count no longer matches the one checked a 
	   few lines earlier */
	if( BN_num_bytes( &bn ) != ( BN_BITS2 / 8 ) + 4 )
		return( FALSE );

	/* The bit index for indexing bits is zero-based (since 1 == 1 << 0) 
	   but for counting bits is one-based, so a top bit at BN_BITS2 + 27 
	   gives a count of BN_BITS2 + 28.  Yet another one of OpenSSL's many 
	   booby-traps */
	if( BN_num_bits( &bn ) != BN_BITS2 + 28 )
		return( FALSE );

	BN_clear( &bn );

	return( TRUE );
	}
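/*
 * Generate a fresh RSA key of key->key_size bits into |key|.
 *
 * |exp| selects the public exponent: 0 gives RSA_F4 (0x10001); anything
 * else gives the phased-out F5 (0x100000001) on the RSA_generate_key_ex()
 * path and 0x40000003 on the legacy RSA_generate_key() path, whose exponent
 * is an unsigned long.  |callback|, when non-NULL, receives progress
 * indications via progress_cb on the modern path only; the union exists
 * because BN_GENCB carries a void * and a function pointer cannot portably
 * be cast to one directly.
 *
 * Key sizes outside the RFC 3110 / RFC 5702 limits for key->key_alg are
 * rejected (reported, like every other failure here, through
 * dst__openssl_toresult(DST_R_OPENSSLFAILURE)).  Returns ISC_R_SUCCESS on
 * success, ISC_R_NOMEMORY (legacy EVP path) or the mapped OpenSSL failure.
 */
static isc_result_t
opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
#if OPENSSL_VERSION_NUMBER > 0x00908000L
	isc_result_t ret = DST_R_OPENSSLFAILURE;
	union {
		void *dptr;
		void (*fptr)(int);
	} u;
	RSA *rsa = RSA_new();
	BIGNUM *e = BN_new();
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
	/*
	 * Pre-1.1 OpenSSL has no BN_GENCB_new(); this is presumably the
	 * storage a compatibility macro hands back -- confirm against the
	 * compat header.
	 */
	BN_GENCB _cb;
#endif
	BN_GENCB *cb = BN_GENCB_new();
#if USE_EVP
	EVP_PKEY *pkey = EVP_PKEY_new();
#endif

	/*
	 * Reject incorrect RSA key lengths.
	 */
	switch (key->key_alg) {
	case DST_ALG_RSAMD5:
	case DST_ALG_RSASHA1:
	case DST_ALG_NSEC3RSASHA1:
		/* From RFC 3110 */
		if (key->key_size > 4096)
			goto err;
		break;
	case DST_ALG_RSASHA256:
		/* From RFC 5702 */
		if ((key->key_size < 512) ||
		    (key->key_size > 4096))
			goto err;
		break;
	case DST_ALG_RSASHA512:
		/* From RFC 5702 */
		if ((key->key_size < 1024) ||
		    (key->key_size > 4096))
			goto err;
		break;
	default:
		INSIST(0);
	}

	if (rsa == NULL || e == NULL || cb == NULL)
		goto err;
#if USE_EVP
	if (pkey == NULL)
		goto err;
	/*
	 * pkey takes its own reference to rsa; the key material is filled
	 * into the shared object by RSA_generate_key_ex() and our reference
	 * is dropped on success below.
	 */
	if (!EVP_PKEY_set1_RSA(pkey, rsa))
		goto err;
#endif

	if (exp == 0) {
		/* RSA_F4 0x10001 */
		BN_set_bit(e, 0);
		BN_set_bit(e, 16);
	} else {
		/* (phased-out) F5 0x100000001 */
		BN_set_bit(e, 0);
		BN_set_bit(e, 32);
	}

	if (callback == NULL) {
		BN_GENCB_set_old(cb, NULL, NULL);
	} else {
		u.fptr = callback;
		BN_GENCB_set(cb, &progress_cb, u.dptr);
	}

	if (RSA_generate_key_ex(rsa, key->key_size, e, cb)) {
		BN_free(e);
		BN_GENCB_free(cb);
		SET_FLAGS(rsa);
#if USE_EVP
		key->keydata.pkey = pkey;
		RSA_free(rsa);
#else
		key->keydata.rsa = rsa;
#endif
		return (ISC_R_SUCCESS);
	}
	/*
	 * Generation failed.  cb is released exactly once, by the err: path
	 * below; it used to be freed here as well, which double-freed it
	 * whenever BN_GENCB_free() actually releases memory.
	 */
	ret = dst__openssl_toresult2("RSA_generate_key_ex",
				     DST_R_OPENSSLFAILURE);

 err:
#if USE_EVP
	if (pkey != NULL)
		EVP_PKEY_free(pkey);
#endif
	if (e != NULL)
		BN_free(e);
	if (rsa != NULL)
		RSA_free(rsa);
	if (cb != NULL)
		BN_GENCB_free(cb);
	return (dst__openssl_toresult(ret));
#else
	/* Legacy OpenSSL: RSA_generate_key() with an unsigned long exponent. */
	RSA *rsa;
	unsigned long e;
#if USE_EVP
	EVP_PKEY *pkey = EVP_PKEY_new();

	UNUSED(callback);

	if (pkey == NULL)
		return (ISC_R_NOMEMORY);
#else
	UNUSED(callback);
#endif

	if (exp == 0)
		e = RSA_F4;
	else
		e = 0x40000003;
	rsa = RSA_generate_key(key->key_size, e, NULL, NULL);
	if (rsa == NULL) {
#if USE_EVP
		EVP_PKEY_free(pkey);
#endif
		return (dst__openssl_toresult2("RSA_generate_key",
					       DST_R_OPENSSLFAILURE));
	}
	SET_FLAGS(rsa);
#if USE_EVP
	if (!EVP_PKEY_set1_RSA(pkey, rsa)) {
		EVP_PKEY_free(pkey);
		RSA_free(rsa);
		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
	}
	key->keydata.pkey = pkey;
	RSA_free(rsa);
#else
	key->keydata.rsa = rsa;
#endif

	return (ISC_R_SUCCESS);
#endif
}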
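/*
 * Set up |mont| for Montgomery arithmetic modulo |mod|.
 *
 * Stores |mod| (sign cleared) in mont->N and records mont->ri, the bit
 * length of the modulus rounded up to a word (exact bit length in the
 * bignum build).  Under MONT_WORD, mont->n0 receives the low word of
 * Ni = (R*Ri - 1)/N, i.e. -N^-1 mod 2^BN_BITS2; otherwise the whole Ni
 * goes in mont->Ni.  Finally RR = 2^(2*ri) mod N is computed for
 * converting values into Montgomery form.
 *
 * Returns 1 on success, 0 on failure.  A zero modulus is refused up front:
 * it has no Montgomery form and, under MONT_WORD, would make us read
 * mod->d[0] of a BIGNUM that may have no limbs allocated (no BN error code
 * is pushed for that case).  An even modulus fails in BN_mod_inverse().
 */
int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
	{
	int ret = 0;
	BIGNUM *Ri,*R;

	if (BN_is_zero(mod))
		return 0;

	BN_CTX_start(ctx);
	if((Ri = BN_CTX_get(ctx)) == NULL) goto err;
	R= &(mont->RR);					/* grab RR as a temp */
	if (!BN_copy(&(mont->N),mod)) goto err;		/* Set N */
	mont->N.neg = 0;

#ifdef MONT_WORD
		{
		BIGNUM tmod;
		BN_ULONG buf[2];

		mont->ri=(BN_num_bits(mod)+(BN_BITS2-1))/BN_BITS2*BN_BITS2;
		BN_zero(R);
		if (!(BN_set_bit(R,BN_BITS2))) goto err;	/* R */

		/* Fully initialise the stack BIGNUM before aliasing buf[]
		 * into it.  Previously only d/top/dmax/neg were assigned,
		 * leaving any other field of the struct (flags, in versions
		 * that have it) indeterminate when tmod was handed to
		 * BN_mod_inverse() and BN_div(). */
		BN_init(&tmod);
		buf[0]=mod->d[0];	/* tmod = N mod word size */
		buf[1]=0;
		tmod.d=buf;
		tmod.top = buf[0] != 0 ? 1 : 0;
		tmod.dmax=2;
		tmod.neg=0;
							/* Ri = R^-1 mod N*/
		if ((BN_mod_inverse(Ri,R,&tmod,ctx)) == NULL)
			goto err;
		if (!BN_lshift(Ri,Ri,BN_BITS2)) goto err; /* R*Ri */
		if (!BN_is_zero(Ri))
			{
			if (!BN_sub_word(Ri,1)) goto err;
			}
		else /* if N mod word size == 1 */
			{
			/* R*Ri == 0, so R*Ri - 1 == -1 == BN_MASK2 mod the word size */
			if (!BN_set_word(Ri,BN_MASK2)) goto err;  /* Ri-- (mod word size) */
			}
		if (!BN_div(Ri,NULL,Ri,&tmod,ctx)) goto err;
		/* Ni = (R*Ri-1)/N,
		 * keep only least significant word: */
		mont->n0 = (Ri->top > 0) ? Ri->d[0] : 0;
		}
#else /* !MONT_WORD */
		{ /* bignum version */
		mont->ri=BN_num_bits(&mont->N);
		BN_zero(R);
		if (!BN_set_bit(R,mont->ri)) goto err;  /* R = 2^ri */
		                                        /* Ri = R^-1 mod N*/
		if ((BN_mod_inverse(Ri,R,&mont->N,ctx)) == NULL)
			goto err;
		if (!BN_lshift(Ri,Ri,mont->ri)) goto err; /* R*Ri */
		if (!BN_sub_word(Ri,1)) goto err;
							/* Ni = (R*Ri-1) / N */
		if (!BN_div(&(mont->Ni),NULL,Ri,&mont->N,ctx)) goto err;
		}
#endif

	/* setup RR for conversions: RR = 2^(2*ri) mod N */
	BN_zero(&(mont->RR));
	if (!BN_set_bit(&(mont->RR),mont->ri*2)) goto err;
	if (!BN_mod(&(mont->RR),&(mont->RR),&(mont->N),ctx)) goto err;

	ret = 1;
err:
	BN_CTX_end(ctx);
	return ret;
	}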