/**
* Computes c = a ^ b mod m.
*
* @param c - the result.
* @param a - the basis.
* @param b - the exponent.
* @param m - the modulus.
*/
static void bn_exp(bn_t c, const bn_t a, const bn_t b, const bn_t m) {
int i, l;
bn_t t;
bn_null(t);
TRY {
bn_new(t);
l = bn_bits(b);
bn_copy(t, a);
for (i = l - 2; i >= 0; i--) {
bn_sqr(t, t);
bn_mod(t, t, m);
if (bn_get_bit(b, i)) {
bn_mul(t, t, a);
bn_mod(t, t, m);
}
}
bn_copy(c, t);
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
bn_free(t);
}
}
int cp_ecss_sig(bn_t e, bn_t s, uint8_t *msg, int len, bn_t d) {
bn_t n, k, x, r;
ec_t p;
uint8_t hash[MD_LEN];
uint8_t m[len + FC_BYTES];
int result = STS_OK;
bn_null(n);
bn_null(k);
bn_null(x);
bn_null(r);
ec_null(p);
TRY {
bn_new(n);
bn_new(k);
bn_new(x);
bn_new(r);
ec_new(p);
ec_curve_get_ord(n);
do {
bn_rand_mod(k, n);
ec_mul_gen(p, k);
ec_get_x(x, p);
bn_mod(r, x, n);
} while (bn_is_zero(r));
memcpy(m, msg, len);
bn_write_bin(m + len, FC_BYTES, r);
md_map(hash, m, len + FC_BYTES);
if (8 * MD_LEN > bn_bits(n)) {
len = CEIL(bn_bits(n), 8);
bn_read_bin(e, hash, len);
bn_rsh(e, e, 8 * MD_LEN - bn_bits(n));
} else {
bn_read_bin(e, hash, MD_LEN);
}
bn_mod(e, e, n);
bn_mul(s, d, e);
bn_mod(s, s, n);
bn_sub(s, n, s);
bn_add(s, s, k);
bn_mod(s, s, n);
}
CATCH_ANY {
result = STS_ERR;
}
FINALLY {
bn_free(n);
bn_free(k);
bn_free(x);
bn_free(r);
ec_free(p);
}
return result;
}
int cp_pss_sig(g1_t a, g1_t b, uint8_t *msg, int len, bn_t r, bn_t s) {
bn_t m, n;
int result = RLC_OK;
bn_null(m);
bn_null(n);
TRY {
bn_new(m);
bn_new(n);
g1_get_ord(n);
bn_read_bin(m, msg, len);
bn_mul(m, m, s);
bn_mod(m, m, n);
bn_add(m, m, r);
bn_mod(m, m, n);
g1_rand(a);
g1_mul(b, a, m);
}
CATCH_ANY {
result = RLC_ERR;
}
FINALLY {
bn_free(m);
bn_free(n);
}
return result;
}
void bn_mxp_monty(bn_t c, const bn_t a, const bn_t b, const bn_t m) {
bn_t tab[2], u;
dig_t mask;
int t;
bn_null(tab[0]);
bn_null(tab[1]);
bn_null(u);
TRY {
bn_new(u);
bn_mod_pre(u, m);
bn_new(tab[0]);
bn_new(tab[1]);
#if BN_MOD == MONTY
bn_set_dig(tab[0], 1);
bn_mod_monty_conv(tab[0], tab[0], m);
bn_mod_monty_conv(tab[1], a, m);
#else
bn_set_dig(tab[0], 1);
bn_copy(tab[1], a);
#endif
for (int i = bn_bits(b) - 1; i >= 0; i--) {
int j = bn_get_bit(b, i);
dv_swap_cond(tab[0]->dp, tab[1]->dp, BN_DIGS, j ^ 1);
mask = -(j ^ 1);
t = (tab[0]->used ^ tab[1]->used) & mask;
tab[0]->used ^= t;
tab[1]->used ^= t;
bn_mul(tab[0], tab[0], tab[1]);
bn_mod(tab[0], tab[0], m, u);
bn_sqr(tab[1], tab[1]);
bn_mod(tab[1], tab[1], m, u);
dv_swap_cond(tab[0]->dp, tab[1]->dp, BN_DIGS, j ^ 1);
mask = -(j ^ 1);
t = (tab[0]->used ^ tab[1]->used) & mask;
tab[0]->used ^= t;
tab[1]->used ^= t;
}
#if BN_MOD == MONTY
bn_mod_monty_back(c, tab[0], m);
#else
bn_copy(c, tab[0]);
#endif
} CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
bn_free(tab[1]);
bn_free(tab[0]);
bn_free(u);
}
}
void bn_mxp_basic(bn_t c, const bn_t a, const bn_t b, const bn_t m) {
int i, l;
bn_t t, u, r;
if (bn_is_zero(b)) {
bn_set_dig(c, 1);
return;
}
bn_null(t);
bn_null(u);
bn_null(r);
TRY {
bn_new(t);
bn_new(u);
bn_new(r);
bn_mod_pre(u, m);
l = bn_bits(b);
#if BN_MOD == MONTY
bn_mod_monty_conv(t, a, m);
#else
bn_copy(t, a);
#endif
bn_copy(r, t);
for (i = l - 2; i >= 0; i--) {
bn_sqr(r, r);
bn_mod(r, r, m, u);
if (bn_get_bit(b, i)) {
bn_mul(r, r, t);
bn_mod(r, r, m, u);
}
}
#if BN_MOD == MONTY
bn_mod_monty_back(c, r, m);
#else
bn_copy(c, r);
#endif
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
bn_free(t);
bn_free(u);
bn_free(r);
}
}
status_t element_mul_int(element_t c, element_t a, integer_t b)
{
GroupType type = a->type;
// TODO: c (type) = a (type) * b (ZR)
LEAVE_IF(a->isInitialized != TRUE, "invalid argument.");
LEAVE_IF(c->isInitialized != TRUE || c->type != type, "result not initialized or invalid type.");
if(type == ZR) {
bn_mul(c->bn, a->bn, b);
bn_mod(c->bn, c->bn, c->order);
}
else if(type == G1) {
g1_mul(c->g1, a->g1, b);
}
else if(type == G2) {
g2_mul(c->g2, a->g2, b);
}
else if(type == GT) {
gt_exp(c->gt, a->gt, b);
}
else {
return ELEMENT_INVALID_TYPES;
}
return ELEMENT_OK;
}
status_t element_mul(element_t c, element_t a, element_t b)
{
GroupType type = a->type;
EXIT_IF_NOT_SAME(a, b);
LEAVE_IF(a->isInitialized != TRUE || b->isInitialized != TRUE || c->isInitialized != TRUE, "uninitialized arguments.");
LEAVE_IF( c->type != type, "result initialized but invalid type.");
if(type == ZR) {
bn_mul(c->bn, a->bn, b->bn);
bn_mod(c->bn, c->bn, c->order);
}
else if(type == G1) {
g1_add(c->g1, a->g1, b->g1);
g1_norm(c->g1, c->g1);
}
else if(type == G2) {
g2_add(c->g2, a->g2, b->g2);
g2_norm(c->g2, c->g2);
}
else if(type == GT) {
gt_mul(c->gt, a->gt, b->gt);
}
else {
return ELEMENT_INVALID_TYPES;
}
return ELEMENT_OK;
}
status_t element_random(element_t e)
{
if(e->isInitialized == TRUE) {
if(e->type == ZR) {
bn_t n;
bn_inits(n);
g1_get_ord(n);
bn_t t = e->bn;
bn_rand(t, BN_POS, bn_bits(n));
bn_mod(t, t, n);
bn_free(n);
}
else if(e->type == G1) {
g1_rand(e->g1);
}
else if(e->type == G2) {
g2_rand(e->g2);
}
else if(e->type == GT) {
gt_rand(e->gt);
}
return ELEMENT_OK;
}
return ELEMENT_UNINITIALIZED;
}
status_t element_from_hash(element_t e, unsigned char *data, int len)
{
LEAVE_IF(e->isInitialized == FALSE, "uninitialized argument.");
GroupType type = e->type;
status_t result = ELEMENT_OK;
int digest_len = SHA_LEN;
unsigned char digest[digest_len + 1];
memset(digest, 0, digest_len);
SHA_FUNC(digest, data, len);
#ifdef DEBUG
printf("%s: digest: ", __FUNCTION__);
print_as_hex(digest, digest_len);
#endif
switch(type) {
case ZR: bn_read_bin(e->bn, digest, digest_len);
if(bn_cmp(e->bn, e->order) == CMP_GT) bn_mod(e->bn, e->bn, e->order);
// bn_print(e->bn);
break;
case G1: g1_map(e->g1, digest, digest_len);
break;
case G2: g2_map(e->g2, digest, digest_len);
break;
default:
result = ELEMENT_INVALID_TYPES;
break;
}
return result;
}
int cp_ecss_gen(bn_t d, ec_t q) {
bn_t n;
int result = STS_OK;
bn_null(n);
TRY {
bn_new(n);
ec_curve_get_ord(n);
do {
bn_rand(d, BN_POS, bn_bits(n));
bn_mod(d, d, n);
} while (bn_is_zero(d));
ec_mul_gen(q, d);
}
CATCH_ANY {
result = STS_ERR;
}
FINALLY {
bn_free(n);
}
return result;
}
int cp_bdpe_enc(uint8_t *out, int *out_len, dig_t in, bdpe_t pub) {
bn_t m, u;
int size, result = STS_OK;
bn_null(m);
bn_null(u);
size = bn_size_bin(pub->n);
if (in > pub->t) {
return STS_ERR;
}
TRY {
bn_new(m);
bn_new(u);
bn_set_dig(m, in);
do {
bn_rand(u, BN_POS, bn_bits(pub->n));
bn_mod(u, u, pub->n);
} while (bn_is_zero(u));
bn_mxp(m, pub->y, m, pub->n);
bn_mxp_dig(u, u, pub->t, pub->n);
bn_mul(m, m, u);
bn_mod(m, m, pub->n);
if (size <= *out_len) {
*out_len = size;
memset(out, 0, *out_len);
bn_write_bin(out, size, m);
} else {
result = STS_ERR;
}
}
CATCH_ANY {
result = STS_ERR;
}
FINALLY {
bn_free(m);
bn_free(u);
}
return result;
}
int cp_pss_ver(g1_t a, g1_t b, uint8_t *msg, int len, g2_t g, g2_t x, g2_t y) {
g1_t p[2];
g2_t r[2];
gt_t e;
bn_t m, n;
int result = 1;
g1_null(p[0]);
g1_null(p[1]);
g2_null(r[0]);
g2_null(r[1]);
gt_null(e);
bn_null(m);
bn_null(n);
TRY {
g1_new(p[0]);
g1_new(p[1]);
g2_new(r[0]);
g2_new(r[1]);
gt_new(e);
bn_new(m);
bn_new(n);
if (g1_is_infty(a)) {
result = 0;
}
g1_copy(p[0], a);
g1_copy(p[1], b);
g2_copy(r[1], g);
g2_neg(r[1], r[1]);
g1_get_ord(n);
bn_read_bin(m, msg, len);
bn_mod(m, m, n);
g2_mul(r[0], y, m);
g2_add(r[0], r[0], x);
g2_norm(r[0], r[0]);
pc_map_sim(e, p, r, 2);
if (!gt_is_unity(e)) {
result = 0;
}
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
g1_free(p[0]);
g1_free(p[1]);
g2_free(r[0]);
g2_free(r[1]);
gt_free(e);
bn_free(m);
bn_free(n);
}
return result;
}
int cp_bgn_dec2(dig_t *out, g2_t in[2], bgn_t prv) {
bn_t r, n;
g2_t s, t, u;
int i, result = STS_ERR;
bn_null(n);
bn_null(r);
g2_null(s);
g2_null(t);
g2_null(u);
TRY {
bn_new(n);
bn_new(r);
g2_new(s);
g2_new(t);
g2_new(u);
g2_get_ord(n);
/* Compute T = x(ym + r)G - (zm + xr)G = m(xy - z)G. */
g2_mul(t, in[0], prv->x);
g2_sub(t, t, in[1]);
g2_norm(t, t);
/* Compute U = (xy - z)G and find m. */
bn_mul(r, prv->x, prv->y);
bn_sub(r, r, prv->z);
bn_mod(r, r, n);
g2_mul_gen(s, r);
g2_copy(u, s);
if (g2_is_infty(t) == 1) {
*out = 0;
result = STS_OK;
} else {
for (i = 0; i < INT_MAX; i++) {
if (g2_cmp(t, u) == CMP_EQ) {
*out = i + 1;
result = STS_OK;
break;
}
g2_add(u, u, s);
g2_norm(u, u);
}
}
} CATCH_ANY {
result = STS_ERR;
}
FINALLY {
bn_free(n);
bn_free(r);
g2_free(s);
g2_free(t);
g2_free(u);
}
return result;
}
int cp_phpe_enc(uint8_t *out, int *out_len, uint8_t *in, int in_len, bn_t n) {
bn_t g, m, r, s;
int size, result = STS_OK;
bn_null(g);
bn_null(m);
bn_null(r);
bn_null(s);
size = bn_size_bin(n);
if (n == NULL || in_len <= 0 || in_len > size) {
return STS_ERR;
}
TRY {
bn_new(g);
bn_new(m);
bn_new(r);
bn_new(s);
/* Represent m as a padded element of Z_n. */
bn_read_bin(m, in, in_len);
/* Generate r in Z_n^*. */
bn_rand_mod(r, n);
/* Compute c = (g^m)(r^n) mod n^2. */
bn_add_dig(g, n, 1);
bn_sqr(s, n);
bn_mxp(m, g, m, s);
bn_mxp(r, r, n, s);
bn_mul(m, m, r);
bn_mod(m, m, s);
if (2 * size <= *out_len) {
*out_len = 2 * size;
memset(out, 0, *out_len);
bn_write_bin(out, *out_len, m);
} else {
result = STS_ERR;
}
}
CATCH_ANY {
result = STS_ERR;
}
FINALLY {
bn_free(g);
bn_free(m);
bn_free(r);
bn_free(s);
}
return result;
}
void fp_prime_conv(fp_t c, const bn_t a) {
bn_t t;
bn_null(t);
TRY {
bn_new(t);
#if FP_RDC == MONTY
bn_mod(t, a, &(core_get()->prime));
bn_lsh(t, t, FP_DIGS * FP_DIGIT);
bn_mod(t, t, &(core_get()->prime));
dv_copy(c, t->dp, FP_DIGS);
#else
if (a->used > FP_DIGS) {
THROW(ERR_NO_PRECI);
}
bn_mod(t, a, &(core_get()->prime));
if (bn_is_zero(t)) {
fp_zero(c);
} else {
int i;
for (i = 0; i < t->used; i++) {
c[i] = t->dp[i];
}
for (; i < FP_DIGS; i++) {
c[i] = 0;
}
}
(void)t;
#endif
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
bn_free(t);
}
}
int cp_psb_sig(g1_t a, g1_t b, uint8_t *msgs[], int lens[], bn_t r, bn_t s[],
int l) {
bn_t m, n, t;
int i, result = RLC_OK;
bn_null(m);
bn_null(n);
bn_null(t);
TRY {
bn_new(m);
bn_new(n);
bn_new(t);
/* Choose random a in G1. */
g1_rand(a);
/* Compute b = a^x+\sum y_im_i. */
g1_get_ord(n);
bn_copy(t, r);
for (i = 0; i < l; i++) {
bn_read_bin(m, msgs[i], lens[i]);
bn_mod(m, m, n);
bn_mul(m, m, s[i]);
bn_mod(m, m, n);
bn_add(t, t, m);
bn_mod(t, t, n);
}
g1_mul(b, a, t);
}
CATCH_ANY {
result = RLC_ERR;
}
FINALLY {
bn_free(m);
bn_free(n);
bn_free(t);
}
return result;
}
int cp_phpe_dec(uint8_t *out, int out_len, uint8_t *in, int in_len, bn_t n,
bn_t l) {
bn_t c, u, s;
int size, result = STS_OK;
size = bn_size_bin(n);
if (in_len < 0 || in_len != 2 * size) {
return STS_ERR;
}
bn_null(c);
bn_null(u);
bn_null(s);
TRY {
bn_new(c);
bn_new(u);
bn_new(s);
/* Compute (c^l mod n^2) * u mod n. */
bn_sqr(s, n);
bn_read_bin(c, in, in_len);
bn_mxp(c, c, l, s);
bn_sub_dig(c, c, 1);
bn_div(c, c, n);
bn_gcd_ext(s, u, NULL, l, n);
if (bn_sign(u) == BN_NEG) {
bn_add(u, u, n);
}
bn_mul(c, c, u);
bn_mod(c, c, n);
size = bn_size_bin(c);
if (size <= out_len) {
memset(out, 0, out_len);
bn_write_bin(out + (out_len - size), size, c);
} else {
result = STS_ERR;
}
} CATCH_ANY {
result = STS_ERR;
}
FINALLY {
bn_free(c);
bn_free(u);
bn_free(s);
}
return result;
}
int cp_bbs_ver(g1_t s, uint8_t *msg, int len, int hash, g2_t q, gt_t z) {
bn_t m, n;
g2_t g;
gt_t e;
uint8_t h[MD_LEN];
int result = 0;
bn_null(m);
bn_null(n);
g2_null(g);
gt_null(e);
TRY {
bn_new(m);
bn_new(n);
g2_new(g);
gt_new(e);
g2_get_ord(n);
/* m = H(msg). */
if (hash) {
bn_read_bin(m, msg, len);
} else {
md_map(h, msg, len);
bn_read_bin(m, h, MD_LEN);
}
bn_mod(m, m, n);
g2_mul_gen(g, m);
g2_add(g, g, q);
g2_norm(g, g);
pc_map(e, s, g);
if (gt_cmp(e, z) == CMP_EQ) {
result = 1;
}
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
bn_free(m);
bn_free(n);
g2_free(g);
gt_free(e);
}
return result;
}
int cp_bbs_sig(g1_t s, uint8_t *msg, int len, int hash, bn_t d) {
bn_t m, n, r;
uint8_t h[MD_LEN];
int result = STS_OK;
bn_null(m);
bn_null(n);
bn_null(r);
TRY {
bn_new(m);
bn_new(n);
bn_new(r);
g1_get_ord(n);
/* m = H(msg). */
if (hash) {
bn_read_bin(m, msg, len);
} else {
md_map(h, msg, len);
bn_read_bin(m, h, MD_LEN);
}
bn_mod(m, m, n);
/* m = 1/(m + d) mod n. */
bn_add(m, m, d);
bn_gcd_ext(r, m, NULL, m, n);
if (bn_sign(m) == BN_NEG) {
bn_add(m, m, n);
}
/* s = 1/(m+d) * g1. */
g1_mul_gen(s, m);
}
CATCH_ANY {
result = STS_ERR;
}
FINALLY {
bn_free(m);
bn_free(n);
bn_free(r);
}
return result;
}
int bn_is_factor(bn_t c, const bn_t a) {
bn_t t;
int result;
bn_null(t);
result = 1;
TRY {
bn_new(t);
bn_mod(t, a, c);
if (!bn_is_zero(t)) {
result = 0;
}
} CATCH_ANY {
THROW(ERR_CAUGHT);
} FINALLY {
bn_free(t);
}
return result;
}
int cp_bbs_gen(bn_t d, g2_t q, gt_t z) {
bn_t n;
g1_t g;
int result = STS_OK;
bn_null(n);
g1_null(g);
TRY {
bn_new(n);
g1_new(g);
g1_get_gen(g);
g2_get_gen(q);
/* z = e(g1, g2). */
pc_map(z, g, q);
g2_get_ord(n);
do {
bn_rand(d, BN_POS, 2 * pc_param_level());
bn_mod(d, d, n);
} while (bn_is_zero(d));
/* q = d * g2. */
g2_mul_gen(q, d);
g2_norm(q, q);
}
CATCH_ANY {
result = STS_ERR;
}
FINALLY {
bn_free(n);
g1_free(g);
}
return result;
}
void eb_rand(eb_t p) {
bn_t n, k;
bn_null(n);
bn_null(k);
TRY {
bn_new(k);
bn_new(n);
eb_curve_get_ord(n);
bn_rand(k, BN_POS, bn_bits(n));
bn_mod(k, k, n);
eb_mul_gen(p, k);
} CATCH_ANY {
THROW(ERR_CAUGHT);
} FINALLY {
bn_free(k);
bn_free(n);
}
}
void cp_ecss_gen(bn_t d, ec_t q) {
bn_t n;
bn_null(n);
TRY {
bn_new(n);
ec_curve_get_ord(n);
do {
bn_rand(d, BN_POS, bn_bits(n));
bn_mod(d, d, n);
} while (bn_is_zero(d));
ec_mul_gen(q, d);
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
bn_free(n);
}
}
void bn_mxp_slide(bn_t c, const bn_t a, const bn_t b, const bn_t m) {
bn_t tab[TABLE_SIZE], t, u, r;
int i, j, l, w = 1;
uint8_t win[BN_BITS];
bn_null(t);
bn_null(u);
bn_null(r);
/* Initialize table. */
for (i = 0; i < TABLE_SIZE; i++) {
bn_null(tab[i]);
}
TRY {
/* Find window size. */
i = bn_bits(b);
if (i <= 21) {
w = 2;
} else if (i <= 32) {
w = 3;
} else if (i <= 128) {
w = 4;
} else if (i <= 256) {
w = 5;
} else {
w = 6;
}
for (i = 1; i < (1 << w); i += 2) {
bn_new(tab[i]);
}
bn_new(t);
bn_new(u);
bn_new(r);
bn_mod_pre(u, m);
#if BN_MOD == MONTY
bn_set_dig(r, 1);
bn_mod_monty_conv(r, r, m);
bn_mod_monty_conv(t, a, m);
#else /* BN_MOD == BARRT || BN_MOD == RADIX */
bn_set_dig(r, 1);
bn_copy(t, a);
#endif
bn_copy(tab[1], t);
bn_sqr(t, tab[1]);
bn_mod(t, t, m, u);
/* Create table. */
for (i = 1; i < 1 << (w - 1); i++) {
bn_mul(tab[2 * i + 1], tab[2 * i - 1], t);
bn_mod(tab[2 * i + 1], tab[2 * i + 1], m, u);
}
l = BN_BITS + 1;
bn_rec_slw(win, &l, b, w);
for (i = 0; i < l; i++) {
if (win[i] == 0) {
bn_sqr(r, r);
bn_mod(r, r, m, u);
} else {
for (j = 0; j < util_bits_dig(win[i]); j++) {
bn_sqr(r, r);
bn_mod(r, r, m, u);
}
bn_mul(r, r, tab[win[i]]);
bn_mod(r, r, m, u);
}
}
bn_trim(r);
#if BN_MOD == MONTY
bn_mod_monty_back(c, r, m);
#else
bn_copy(c, r);
#endif
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
for (i = 1; i < (1 << w); i++) {
bn_free(tab[i]);
}
bn_free(u);
bn_free(t);
bn_free(r);
}
}
int cp_rsa_enc(uint8_t *out, int *out_len, uint8_t *in, int in_len, rsa_t pub) {
bn_t m, eb;
int size, pad_len, result = STS_OK;
bn_null(m);
bn_null(eb);
size = bn_size_bin(pub->n);
if (pub == NULL || in_len <= 0 || in_len > (size - RSA_PAD_LEN)) {
return STS_ERR;
}
TRY {
bn_new(m);
bn_new(eb);
bn_zero(m);
bn_zero(eb);
#if CP_RSAPD == BASIC
if (pad_basic(eb, &pad_len, in_len, size, RSA_ENC) == STS_OK) {
#elif CP_RSAPD == PKCS1
if (pad_pkcs1(eb, &pad_len, in_len, size, RSA_ENC) == STS_OK) {
#elif CP_RSAPD == PKCS2
if (pad_pkcs2(eb, &pad_len, in_len, size, RSA_ENC) == STS_OK) {
#endif
bn_read_bin(m, in, in_len);
bn_add(eb, eb, m);
#if CP_RSAPD == PKCS2
pad_pkcs2(eb, &pad_len, in_len, size, RSA_ENC_FIN);
#endif
bn_mxp(eb, eb, pub->e, pub->n);
if (size <= *out_len) {
*out_len = size;
memset(out, 0, *out_len);
bn_write_bin(out, size, eb);
} else {
result = STS_ERR;
}
} else {
result = STS_ERR;
}
}
CATCH_ANY {
result = STS_ERR;
}
FINALLY {
bn_free(m);
bn_free(eb);
}
return result;
}
#if CP_RSA == BASIC || !defined(STRIP)
int cp_rsa_dec_basic(uint8_t *out, int *out_len, uint8_t *in, int in_len, rsa_t prv) {
bn_t m, eb;
int size, pad_len, result = STS_OK;
size = bn_size_bin(prv->n);
if (prv == NULL || in_len != size || in_len < RSA_PAD_LEN) {
return STS_ERR;
}
bn_null(m);
bn_null(eb);
TRY {
bn_new(m);
bn_new(eb);
bn_read_bin(eb, in, in_len);
bn_mxp(eb, eb, prv->d, prv->n);
if (bn_cmp(eb, prv->n) != CMP_LT) {
result = STS_ERR;
}
#if CP_RSAPD == BASIC
if (pad_basic(eb, &pad_len, in_len, size, RSA_DEC) == STS_OK) {
#elif CP_RSAPD == PKCS1
if (pad_pkcs1(eb, &pad_len, in_len, size, RSA_DEC) == STS_OK) {
#elif CP_RSAPD == PKCS2
if (pad_pkcs2(eb, &pad_len, in_len, size, RSA_DEC) == STS_OK) {
#endif
size = size - pad_len;
if (size <= *out_len) {
memset(out, 0, size);
bn_write_bin(out, size, eb);
*out_len = size;
} else {
result = STS_ERR;
}
} else {
result = STS_ERR;
}
}
CATCH_ANY {
result = STS_ERR;
}
FINALLY {
bn_free(m);
bn_free(eb);
}
return result;
}
#endif
#if CP_RSA == QUICK || !defined(STRIP)
int cp_rsa_dec_quick(uint8_t *out, int *out_len, uint8_t *in, int in_len, rsa_t prv) {
bn_t m, eb;
int size, pad_len, result = STS_OK;
bn_null(m);
bn_null(eb);
size = bn_size_bin(prv->n);
if (prv == NULL || in_len != size || in_len < RSA_PAD_LEN) {
return STS_ERR;
}
TRY {
bn_new(m);
bn_new(eb);
bn_read_bin(eb, in, in_len);
bn_copy(m, eb);
/* m1 = c^dP mod p. */
bn_mxp(eb, eb, prv->dp, prv->p);
/* m2 = c^dQ mod q. */
bn_mxp(m, m, prv->dq, prv->q);
/* m1 = m1 - m2 mod p. */
bn_sub(eb, eb, m);
while (bn_sign(eb) == BN_NEG) {
bn_add(eb, eb, prv->p);
}
bn_mod(eb, eb, prv->p);
/* m1 = qInv(m1 - m2) mod p. */
bn_mul(eb, eb, prv->qi);
bn_mod(eb, eb, prv->p);
/* m = m2 + m1 * q. */
bn_mul(eb, eb, prv->q);
bn_add(eb, eb, m);
if (bn_cmp(eb, prv->n) != CMP_LT) {
result = STS_ERR;
}
#if CP_RSAPD == BASIC
if (pad_basic(eb, &pad_len, in_len, size, RSA_DEC) == STS_OK) {
#elif CP_RSAPD == PKCS1
if (pad_pkcs1(eb, &pad_len, in_len, size, RSA_DEC) == STS_OK) {
#elif CP_RSAPD == PKCS2
if (pad_pkcs2(eb, &pad_len, in_len, size, RSA_DEC) == STS_OK) {
#endif
size = size - pad_len;
if (size <= *out_len) {
memset(out, 0, size);
bn_write_bin(out, size, eb);
*out_len = size;
} else {
result = STS_ERR;
}
} else {
result = STS_ERR;
}
}
CATCH_ANY {
result = STS_ERR;
}
FINALLY {
bn_free(m);
bn_free(eb);
}
return result;
}
#endif
#if CP_RSA == BASIC || !defined(STRIP)
int cp_rsa_sig_basic(uint8_t *sig, int *sig_len, uint8_t *msg, int msg_len, int hash, rsa_t prv) {
bn_t m, eb;
int size, pad_len, result = STS_OK;
uint8_t h[MD_LEN];
if (prv == NULL || msg_len < 0) {
return STS_ERR;
}
pad_len = (!hash ? MD_LEN : msg_len);
#if CP_RSAPD == PKCS2
size = bn_bits(prv->n) - 1;
size = (size / 8) + (size % 8 > 0);
if (pad_len > (size - 2)) {
return STS_ERR;
}
#else
size = bn_size_bin(prv->n);
if (pad_len > (size - RSA_PAD_LEN)) {
return STS_ERR;
}
#endif
bn_null(m);
bn_null(eb);
TRY {
bn_new(m);
bn_new(eb);
bn_zero(m);
bn_zero(eb);
int operation = (!hash ? RSA_SIG : RSA_SIG_HASH);
#if CP_RSAPD == BASIC
if (pad_basic(eb, &pad_len, pad_len, size, operation) == STS_OK) {
#elif CP_RSAPD == PKCS1
if (pad_pkcs1(eb, &pad_len, pad_len, size, operation) == STS_OK) {
#elif CP_RSAPD == PKCS2
if (pad_pkcs2(eb, &pad_len, pad_len, size, operation) == STS_OK) {
#endif
if (!hash) {
md_map(h, msg, msg_len);
bn_read_bin(m, h, MD_LEN);
bn_add(eb, eb, m);
} else {
bn_read_bin(m, msg, msg_len);
bn_add(eb, eb, m);
}
#if CP_RSAPD == PKCS2
pad_pkcs2(eb, &pad_len, bn_bits(prv->n), size, RSA_SIG_FIN);
#endif
bn_mxp(eb, eb, prv->d, prv->n);
size = bn_size_bin(prv->n);
if (size <= *sig_len) {
memset(sig, 0, size);
bn_write_bin(sig, size, eb);
*sig_len = size;
} else {
result = STS_ERR;
}
} else {
result = STS_ERR;
}
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
bn_free(m);
bn_free(eb);
}
return result;
}
#endif
#if CP_RSA == QUICK || !defined(STRIP)
int cp_rsa_sig_quick(uint8_t *sig, int *sig_len, uint8_t *msg, int msg_len, int hash, rsa_t prv) {
bn_t m, eb;
int pad_len, size, result = STS_OK;
uint8_t h[MD_LEN];
if (prv == NULL || msg_len < 0) {
return STS_ERR;
}
pad_len = (!hash ? MD_LEN : msg_len);
#if CP_RSAPD == PKCS2
size = bn_bits(prv->n) - 1;
size = (size / 8) + (size % 8 > 0);
if (pad_len > (size - 2)) {
return STS_ERR;
}
#else
size = bn_size_bin(prv->n);
if (pad_len > (size - RSA_PAD_LEN)) {
return STS_ERR;
}
#endif
bn_null(m);
bn_null(eb);
TRY {
bn_new(m);
bn_new(eb);
bn_zero(m);
bn_zero(eb);
int operation = (!hash ? RSA_SIG : RSA_SIG_HASH);
#if CP_RSAPD == BASIC
if (pad_basic(eb, &pad_len, pad_len, size, operation) == STS_OK) {
#elif CP_RSAPD == PKCS1
if (pad_pkcs1(eb, &pad_len, pad_len, size, operation) == STS_OK) {
#elif CP_RSAPD == PKCS2
if (pad_pkcs2(eb, &pad_len, pad_len, size, operation) == STS_OK) {
#endif
if (!hash) {
md_map(h, msg, msg_len);
bn_read_bin(m, h, MD_LEN);
bn_add(eb, eb, m);
} else {
bn_read_bin(m, msg, msg_len);
bn_add(eb, eb, m);
}
#if CP_RSAPD == PKCS2
pad_pkcs2(eb, &pad_len, bn_bits(prv->n), size, RSA_SIG_FIN);
#endif
bn_copy(m, eb);
/* m1 = c^dP mod p. */
bn_mxp(eb, eb, prv->dp, prv->p);
/* m2 = c^dQ mod q. */
bn_mxp(m, m, prv->dq, prv->q);
/* m1 = m1 - m2 mod p. */
bn_sub(eb, eb, m);
while (bn_sign(eb) == BN_NEG) {
bn_add(eb, eb, prv->p);
}
bn_mod(eb, eb, prv->p);
/* m1 = qInv(m1 - m2) mod p. */
bn_mul(eb, eb, prv->qi);
bn_mod(eb, eb, prv->p);
/* m = m2 + m1 * q. */
bn_mul(eb, eb, prv->q);
bn_add(eb, eb, m);
bn_mod(eb, eb, prv->n);
size = bn_size_bin(prv->n);
if (size <= *sig_len) {
memset(sig, 0, size);
bn_write_bin(sig, size, eb);
*sig_len = size;
} else {
result = STS_ERR;
}
} else {
result = STS_ERR;
}
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
bn_free(m);
bn_free(eb);
}
return result;
}
#endif
int cp_rsa_ver(uint8_t *sig, int sig_len, uint8_t *msg, int msg_len, int hash, rsa_t pub) {
bn_t m, eb;
int size, pad_len, result;
uint8_t h1[MAX(msg_len, MD_LEN) + 8], h2[MAX(msg_len, MD_LEN)];
/* We suppose that the signature is invalid. */
result = 0;
if (pub == NULL || msg_len < 0) {
return 0;
}
pad_len = (!hash ? MD_LEN : msg_len);
#if CP_RSAPD == PKCS2
size = bn_bits(pub->n) - 1;
if (size % 8 == 0) {
size = size / 8 - 1;
} else {
size = bn_size_bin(pub->n);
}
if (pad_len > (size - 2)) {
return 0;
}
#else
size = bn_size_bin(pub->n);
if (pad_len > (size - RSA_PAD_LEN)) {
return 0;
}
#endif
bn_null(m);
bn_null(eb);
TRY {
bn_new(m);
bn_new(eb);
bn_read_bin(eb, sig, sig_len);
bn_mxp(eb, eb, pub->e, pub->n);
int operation = (!hash ? RSA_VER : RSA_VER_HASH);
#if CP_RSAPD == BASIC
if (pad_basic(eb, &pad_len, MD_LEN, size, operation) == STS_OK) {
#elif CP_RSAPD == PKCS1
if (pad_pkcs1(eb, &pad_len, MD_LEN, size, operation) == STS_OK) {
#elif CP_RSAPD == PKCS2
if (pad_pkcs2(eb, &pad_len, bn_bits(pub->n), size, operation) == STS_OK) {
#endif
#if CP_RSAPD == PKCS2
memset(h1, 0, 8);
if (!hash) {
md_map(h1 + 8, msg, msg_len);
md_map(h2, h1, MD_LEN + 8);
memset(h1, 0, MD_LEN);
bn_write_bin(h1, size - pad_len, eb);
/* Everything went ok, so signature status is changed. */
result = util_cmp_const(h1, h2, MD_LEN);
} else {
memcpy(h1 + 8, msg, msg_len);
md_map(h2, h1, MD_LEN + 8);
memset(h1, 0, msg_len);
bn_write_bin(h1, size - pad_len, eb);
/* Everything went ok, so signature status is changed. */
result = util_cmp_const(h1, h2, msg_len);
}
#else
memset(h1, 0, MAX(msg_len, MD_LEN));
bn_write_bin(h1, size - pad_len, eb);
if (!hash) {
md_map(h2, msg, msg_len);
/* Everything went ok, so signature status is changed. */
result = util_cmp_const(h1, h2, MD_LEN);
} else {
/* Everything went ok, so signature status is changed. */
result = util_cmp_const(h1, msg, msg_len);
}
#endif
result = (result == CMP_EQ ? 1 : 0);
} else {
result = 0;
}
}
CATCH_ANY {
result = 0;
}
FINALLY {
bn_free(m);
bn_free(eb);
}
return result;
}
int cp_rsa_gen_quick(rsa_t pub, rsa_t prv, int bits) {
bn_t t, r;
int result = STS_OK;
if (pub == NULL || prv == NULL || bits == 0) {
return STS_ERR;
}
bn_null(t);
bn_null(r);
TRY {
bn_new(t);
bn_new(r);
/* Generate different primes p and q. */
do {
bn_gen_prime(prv->p, bits / 2);
bn_gen_prime(prv->q, bits / 2);
} while (bn_cmp(prv->p, prv->q) == CMP_EQ);
/* Swap p and q so that p is smaller. */
if (bn_cmp(prv->p, prv->q) == CMP_LT) {
bn_copy(t, prv->p);
bn_copy(prv->p, prv->q);
bn_copy(prv->q, t);
}
/* n = pq. */
bn_mul(pub->n, prv->p, prv->q);
bn_copy(prv->n, pub->n);
bn_sub_dig(prv->p, prv->p, 1);
bn_sub_dig(prv->q, prv->q, 1);
/* phi(n) = (p - 1)(q - 1). */
bn_mul(t, prv->p, prv->q);
bn_set_2b(pub->e, 16);
bn_add_dig(pub->e, pub->e, 1);
/* d = e^(-1) mod phi(n). */
bn_gcd_ext(r, prv->d, NULL, pub->e, t);
if (bn_sign(prv->d) == BN_NEG) {
bn_add(prv->d, prv->d, t);
}
if (bn_cmp_dig(r, 1) == CMP_EQ) {
/* dP = d mod (p - 1). */
bn_mod(prv->dp, prv->d, prv->p);
/* dQ = d mod (q - 1). */
bn_mod(prv->dq, prv->d, prv->q);
bn_add_dig(prv->p, prv->p, 1);
bn_add_dig(prv->q, prv->q, 1);
/* qInv = q^(-1) mod p. */
bn_gcd_ext(r, prv->qi, NULL, prv->q, prv->p);
if (bn_sign(prv->qi) == BN_NEG) {
bn_add(prv->qi, prv->qi, prv->p);
}
result = STS_OK;
}
}
CATCH_ANY {
result = STS_ERR;
}
FINALLY {
bn_free(t);
bn_free(r);
}
return result;
}
int cp_ecss_ver(bn_t e, bn_t s, uint8_t *msg, int len, ec_t q) {
bn_t n, ev, rv;
ec_t p;
uint8_t hash[MD_LEN];
uint8_t m[len + FC_BYTES];
int result = 0;
bn_null(n);
bn_null(ev);
bn_null(rv);
ec_null(p);
TRY {
bn_new(n);
bn_new(ev);
bn_new(rv);
ec_new(p);
ec_curve_get_ord(n);
if (bn_sign(e) == BN_POS && bn_sign(s) == BN_POS && !bn_is_zero(s)) {
if (bn_cmp(e, n) == CMP_LT && bn_cmp(s, n) == CMP_LT) {
ec_mul_sim_gen(p, s, q, e);
ec_get_x(rv, p);
bn_mod(rv, rv, n);
memcpy(m, msg, len);
bn_write_bin(m + len, FC_BYTES, rv);
md_map(hash, m, len + FC_BYTES);
if (8 * MD_LEN > bn_bits(n)) {
len = CEIL(bn_bits(n), 8);
bn_read_bin(ev, hash, len);
bn_rsh(ev, ev, 8 * MD_LEN - bn_bits(n));
} else {
bn_read_bin(ev, hash, MD_LEN);
}
bn_mod(ev, ev, n);
result = dv_cmp_const(ev->dp, e->dp, MIN(ev->used, e->used));
result = (result == CMP_NE ? 0 : 1);
if (ev->used != e->used) {
result = 0;
}
}
}
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
bn_free(n);
bn_free(ev);
bn_free(rv);
ec_free(p);
}
return result;
}
int bn_is_prime_rabin(const bn_t a) {
bn_t t, n1, y, r;
int i, s, j, result, b, tests = 0;
tests = 0;
result = 1;
bn_null(t);
bn_null(n1);
bn_null(y);
bn_null(r);
if (bn_cmp_dig(a, 1) == CMP_EQ) {
return 0;
}
TRY {
/*
* These values are taken from Table 4.4 inside Handbook of Applied
* Cryptography.
*/
b = bn_bits(a);
if (b >= 1300) {
tests = 2;
} else if (b >= 850) {
tests = 3;
} else if (b >= 650) {
tests = 4;
} else if (b >= 550) {
tests = 5;
} else if (b >= 450) {
tests = 6;
} else if (b >= 400) {
tests = 7;
} else if (b >= 350) {
tests = 8;
} else if (b >= 300) {
tests = 9;
} else if (b >= 250) {
tests = 12;
} else if (b >= 200) {
tests = 15;
} else if (b >= 150) {
tests = 18;
} else {
tests = 27;
}
bn_new(t);
bn_new(n1);
bn_new(y);
bn_new(r);
/* r = (n - 1)/2^s. */
bn_sub_dig(n1, a, 1);
s = 0;
while (bn_is_even(n1)) {
s++;
bn_rsh(n1, n1, 1);
}
bn_lsh(r, n1, s);
for (i = 0; i < tests; i++) {
/* Fix the basis as the first few primes. */
bn_set_dig(t, primes[i]);
/* y = b^r mod a. */
#if BN_MOD != PMERS
bn_mxp(y, t, r, a);
#else
bn_exp(y, t, r, a);
#endif
if (bn_cmp_dig(y, 1) != CMP_EQ && bn_cmp(y, n1) != CMP_EQ) {
j = 1;
while ((j <= (s - 1)) && bn_cmp(y, n1) != CMP_EQ) {
bn_sqr(y, y);
bn_mod(y, y, a);
/* If y == 1 then composite. */
if (bn_cmp_dig(y, 1) == CMP_EQ) {
result = 0;
break;
}
++j;
}
/* If y != n1 then composite. */
if (bn_cmp(y, n1) != CMP_EQ) {
result = 0;
break;
}
}
}
}
CATCH_ANY {
result = 0;
THROW(ERR_CAUGHT);
}
FINALLY {
bn_free(r);
bn_free(y);
bn_free(n1);
bn_free(t);
}
return result;
}
int bn_is_prime_solov(const bn_t a) {
bn_t t0, t1, t2;
int i, result;
bn_null(t0);
bn_null(t1);
bn_null(t2);
result = 1;
TRY {
bn_new(t0);
bn_new(t1);
bn_new(t2);
for (i = 0; i < 100; i++) {
/* Generate t0, 2 <= t0, <= a - 2. */
do {
bn_rand(t0, BN_POS, bn_bits(a));
bn_mod(t0, t0, a);
} while (bn_cmp_dig(t0, 2) == CMP_LT);
/* t2 = a - 1. */
bn_copy(t2, a);
bn_sub_dig(t2, t2, 1);
/* t1 = (a - 1)/2. */
bn_rsh(t1, t2, 1);
/* t1 = t0^(a - 1)/2 mod a. */
#if BN_MOD != PMERS
bn_mxp(t1, t0, t1, a);
#else
bn_exp(t1, t0, t1, a);
#endif
/* If t1 != 1 and t1 != n - 1 return 0 */
if (bn_cmp_dig(t1, 1) != CMP_EQ && bn_cmp(t1, t2) != CMP_EQ) {
result = 0;
break;
}
/* t2 = (t0|a). */
bn_smb_jac(t2, t0, a);
if (bn_sign(t2) == BN_NEG) {
bn_add(t2, t2, a);
}
/* If t1 != t2 (mod a) return 0. */
bn_mod(t1, t1, a);
bn_mod(t2, t2, a);
if (bn_cmp(t1, t2) != CMP_EQ) {
result = 0;
break;
}
}
}
CATCH_ANY {
result = 0;
THROW(ERR_CAUGHT);
}
FINALLY {
bn_free(t0);
bn_free(t1);
bn_free(t2);
}
return result;
}
int cp_psb_ver(g1_t a, g1_t b, uint8_t *msgs[], int lens[], g2_t g, g2_t x,
g2_t y[], int l) {
g1_t p[2];
g2_t q[2];
gt_t e;
bn_t m, n;
int i, result = 1;
g1_null(p[0]);
g1_null(p[1]);
g2_null(q[0]);
g2_null(q[1]);
gt_null(e);
bn_null(m);
bn_null(n);
TRY {
g1_new(p[0]);
g1_new(p[1]);
g2_new(q[0]);
g2_new(q[1]);
gt_new(e);
bn_new(m);
bn_new(n);
if (g1_is_infty(a)) {
result = 0;
}
/* Check that e(a, x \prod y_i^m_i) = e(b, g). */
g1_copy(p[0], a);
g1_copy(p[1], b);
g2_copy(q[0], x);
g1_get_ord(n);
for (i = 0; i < l; i++) {
bn_read_bin(m, msgs[i], lens[i]);
bn_mod(m, m, n);
g2_mul(q[1], y[i], m);
g2_add(q[0], q[0], q[1]);
}
g2_norm(q[0], q[0]);
g2_copy(q[1], g);
g2_neg(q[1], q[1]);
pc_map_sim(e, p, q, 2);
if (!gt_is_unity(e)) {
result = 0;
}
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
g1_free(p[0]);
g1_free(p[1]);
g2_free(q[0]);
g2_free(q[1]);
gt_free(e);
bn_free(m);
bn_free(n);
}
return result;
}
