本文整理汇总了C++中EC_POINT_mul函数的典型用法代码示例。如果您正苦于以下问题:C++ EC_POINT_mul函数的具体用法?C++ EC_POINT_mul怎么用?C++ EC_POINT_mul使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。
在下文中一共展示了EC_POINT_mul函数的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的C++代码示例。
示例1: verifyRingSignatureAB
int verifyRingSignatureAB(data_chunk &keyImage, uint256 &txnHash, int nRingSize, const uint8_t *pPubkeys, const data_chunk &sigC, const uint8_t *pSigS)
{
// https://bitcointalk.org/index.php?topic=972541.msg10619684
// forall_{i=1..n} compute e_i=s_i*G+c_i*P_i and E_i=s_i*H(P_i)+c_i*I_j and c_{i+1}=h(P_1,...,P_n,e_i,E_i)
// check c_{n+1}=c_1
if (fDebugRingSig)
{
//LogPrintf("%s size %d\n", __func__, nRingSize); // happens often
};
if (sigC.size() != EC_SECRET_SIZE)
return errorN(1, "%s: sigC size != EC_SECRET_SIZE.", __func__);
if (keyImage.size() != EC_COMPRESSED_SIZE)
return errorN(1, "%s: keyImage size != EC_COMPRESSED_SIZE.", __func__);
int rv = 0;
uint256 tmpPkHash;
uint256 tmpHash;
uint8_t tempData[66]; // hold raw point data to hash
CHashWriter ssPkHash(SER_GETHASH, PROTOCOL_VERSION);
CHashWriter ssCjHash(SER_GETHASH, PROTOCOL_VERSION);
for (int i = 0; i < nRingSize; ++i)
{
ssPkHash.write((const char*)&pPubkeys[i * EC_COMPRESSED_SIZE], EC_COMPRESSED_SIZE);
};
tmpPkHash = ssPkHash.GetHash();
BN_CTX_start(bnCtx);
BIGNUM *bnC = BN_CTX_get(bnCtx);
BIGNUM *bnC1 = BN_CTX_get(bnCtx);
BIGNUM *bnT = BN_CTX_get(bnCtx);
BIGNUM *bnS = BN_CTX_get(bnCtx);
EC_POINT *ptKi = NULL;
EC_POINT *ptT1 = NULL;
EC_POINT *ptT2 = NULL;
EC_POINT *ptT3 = NULL;
EC_POINT *ptPk = NULL;
EC_POINT *ptSi = NULL;
if ( !(ptKi = EC_POINT_new(ecGrp))
|| !(ptT1 = EC_POINT_new(ecGrp))
|| !(ptT2 = EC_POINT_new(ecGrp))
|| !(ptT3 = EC_POINT_new(ecGrp))
|| !(ptPk = EC_POINT_new(ecGrp))
|| !(ptSi = EC_POINT_new(ecGrp)))
{
LogPrintf("%s: EC_POINT_new failed.\n", __func__);
rv = 1; goto End;
};
// get keyimage as point
if (!EC_POINT_oct2point(ecGrp, ptKi, &keyImage[0], EC_COMPRESSED_SIZE, bnCtx))
{
LogPrintf("%s: extract ptKi failed.\n", __func__);
rv = 1; goto End;
};
if (!bnC1 || !BN_bin2bn(&sigC[0], EC_SECRET_SIZE, bnC1))
{
LogPrintf("%s: BN_bin2bn failed.\n", __func__);
rv = 1; goto End;
};
if (!BN_copy(bnC, bnC1))
{
LogPrintf("%s: BN_copy failed.\n", __func__);
rv = 1; goto End;
};
for (int i = 0; i < nRingSize; ++i)
{
if (!bnS || !(BN_bin2bn(&pSigS[i * EC_SECRET_SIZE], EC_SECRET_SIZE, bnS)))
{
LogPrintf("%s: BN_bin2bn failed.\n", __func__);
rv = 1; goto End;
};
// ptT2 <- pk
if (!EC_POINT_oct2point(ecGrp, ptPk, &pPubkeys[i * EC_COMPRESSED_SIZE], EC_COMPRESSED_SIZE, bnCtx))
{
LogPrintf("%s: EC_POINT_oct2point failed.\n", __func__);
rv = 1; goto End;
};
// ptT1 = e_i=s_i*G+c_i*P_i
if (!EC_POINT_mul(ecGrp, ptT1, bnS, ptPk, bnC, bnCtx))
{
LogPrintf("%s: EC_POINT_mul failed.\n", __func__);
rv = 1; goto End;
};
if (!(EC_POINT_point2oct(ecGrp, ptT1, POINT_CONVERSION_COMPRESSED, &tempData[0], 33, bnCtx) == (int) EC_COMPRESSED_SIZE))
{
//.........这里部分代码省略.........
示例2: compute_password_element
//.........这里部分代码省略.........
eap_pwd_h_update(hash, id_server, id_server_len);
eap_pwd_h_update(hash, password, password_len);
eap_pwd_h_update(hash, &ctr, sizeof(ctr));
eap_pwd_h_final(hash, pwe_digest);
BN_bin2bn(pwe_digest, SHA256_MAC_LEN, rnd);
if (eap_pwd_kdf(pwe_digest, SHA256_MAC_LEN,
(u8 *) "EAP-pwd Hunting And Pecking",
os_strlen("EAP-pwd Hunting And Pecking"),
prfbuf, primebitlen) < 0)
goto fail;
BN_bin2bn(prfbuf, primebytelen, x_candidate);
/*
* eap_pwd_kdf() returns a string of bits 0..primebitlen but
* BN_bin2bn will treat that string of bits as a big endian
* number. If the primebitlen is not an even multiple of 8
* then excessive bits-- those _after_ primebitlen-- so now
* we have to shift right the amount we masked off.
*/
if (primebitlen % 8)
BN_rshift(x_candidate, x_candidate,
(8 - (primebitlen % 8)));
if (BN_ucmp(x_candidate, grp->prime) >= 0)
continue;
wpa_hexdump(MSG_DEBUG, "EAP-pwd: x_candidate",
prfbuf, primebytelen);
/*
* need to unambiguously identify the solution, if there is
* one...
*/
if (BN_is_odd(rnd))
is_odd = 1;
else
is_odd = 0;
/*
* solve the quadratic equation, if it's not solvable then we
* don't have a point
*/
if (!EC_POINT_set_compressed_coordinates_GFp(grp->group,
grp->pwe,
x_candidate,
is_odd, NULL))
continue;
/*
* If there's a solution to the equation then the point must be
* on the curve so why check again explicitly? OpenSSL code
* says this is required by X9.62. We're not X9.62 but it can't
* hurt just to be sure.
*/
if (!EC_POINT_is_on_curve(grp->group, grp->pwe, NULL)) {
wpa_printf(MSG_INFO, "EAP-pwd: point is not on curve");
continue;
}
if (BN_cmp(cofactor, BN_value_one())) {
/* make sure the point is not in a small sub-group */
if (!EC_POINT_mul(grp->group, grp->pwe, NULL, grp->pwe,
cofactor, NULL)) {
wpa_printf(MSG_INFO, "EAP-pwd: cannot "
"multiply generator by order");
continue;
}
if (EC_POINT_is_at_infinity(grp->group, grp->pwe)) {
wpa_printf(MSG_INFO, "EAP-pwd: point is at "
"infinity");
continue;
}
}
/* if we got here then we have a new generator. */
break;
}
wpa_printf(MSG_DEBUG, "EAP-pwd: found a PWE in %d tries", ctr);
grp->group_num = num;
if (0) {
fail:
EC_GROUP_free(grp->group);
grp->group = NULL;
EC_POINT_clear_free(grp->pwe);
grp->pwe = NULL;
BN_clear_free(grp->order);
grp->order = NULL;
BN_clear_free(grp->prime);
grp->prime = NULL;
ret = 1;
}
/* cleanliness and order.... */
BN_clear_free(cofactor);
BN_clear_free(x_candidate);
BN_clear_free(rnd);
os_free(prfbuf);
return ret;
}示例3: StealthSecret
int StealthSecret(ec_secret& secret, ec_point& pubkey, const ec_point& pkSpend, ec_secret& sharedSOut, ec_point& pkOut)
{
/*
send:
secret = ephem_secret, pubkey = scan_pubkey
receive:
secret = scan_secret, pubkey = ephem_pubkey
c = H(dP)
Q = public scan key (EC point, 33 bytes)
d = private scan key (integer, 32 bytes)
R = public spend key
f = private spend key
Q = dG
R = fG
Sender (has Q and R, not d or f):
P = eG
c = H(eQ) = H(dP)
R' = R + cG
Recipient gets R' and P
test 0 and infinity?
*/
int rv = 0;
std::vector<uint8_t> vchOutQ;
BN_CTX* bnCtx = NULL;
BIGNUM* bnEphem = NULL;
BIGNUM* bnQ = NULL;
EC_POINT* Q = NULL;
BIGNUM* bnOutQ = NULL;
BIGNUM* bnc = NULL;
EC_POINT* C = NULL;
BIGNUM* bnR = NULL;
EC_POINT* R = NULL;
EC_POINT* Rout = NULL;
BIGNUM* bnOutR = NULL;
EC_GROUP* ecgrp = EC_GROUP_new_by_curve_name(NID_secp256k1);
if (!ecgrp)
{
printf("StealthSecret(): EC_GROUP_new_by_curve_name failed.\n");
return 1;
};
if (!(bnCtx = BN_CTX_new()))
{
printf("StealthSecret(): BN_CTX_new failed.\n");
rv = 1;
goto End;
};
if (!(bnEphem = BN_bin2bn(&secret.e[0], ec_secret_size, BN_new())))
{
printf("StealthSecret(): bnEphem BN_bin2bn failed.\n");
rv = 1;
goto End;
};
if (!(bnQ = BN_bin2bn(&pubkey[0], pubkey.size(), BN_new())))
{
printf("StealthSecret(): bnQ BN_bin2bn failed\n");
rv = 1;
goto End;
};
if (!(Q = EC_POINT_bn2point(ecgrp, bnQ, NULL, bnCtx)))
{
printf("StealthSecret(): Q EC_POINT_bn2point failed\n");
rv = 1;
goto End;
};
// -- eQ
// EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *n, const EC_POINT *q, const BIGNUM *m, BN_CTX *ctx);
// EC_POINT_mul calculates the value generator * n + q * m and stores the result in r. The value n may be NULL in which case the result is just q * m.
if (!EC_POINT_mul(ecgrp, Q, NULL, Q, bnEphem, bnCtx))
{
printf("StealthSecret(): eQ EC_POINT_mul failed\n");
rv = 1;
goto End;
};
if (!(bnOutQ = EC_POINT_point2bn(ecgrp, Q, POINT_CONVERSION_COMPRESSED, BN_new(), bnCtx)))
{
printf("StealthSecret(): Q EC_POINT_bn2point failed\n");
rv = 1;
goto End;
};
//.........这里部分代码省略.........
示例4: ossl_ecdh_compute_key
/*-
* This implementation is based on the following primitives in the IEEE 1363 standard:
* - ECKAS-DH1
* - ECSVDP-DH
* Finally an optional KDF is applied.
*/
int ossl_ecdh_compute_key(void *out, size_t outlen, const EC_POINT *pub_key,
const EC_KEY *ecdh,
void *(*KDF) (const void *in, size_t inlen,
void *out, size_t *outlen))
{
BN_CTX *ctx;
EC_POINT *tmp = NULL;
BIGNUM *x = NULL, *y = NULL;
const BIGNUM *priv_key;
const EC_GROUP *group;
int ret = -1;
size_t buflen, len;
unsigned char *buf = NULL;
if (outlen > INT_MAX) {
ECerr(EC_F_OSSL_ECDH_COMPUTE_KEY, ERR_R_MALLOC_FAILURE); /* sort of,
* anyway */
return -1;
}
if (ecdh->group->meth->ecdh_compute_key != 0)
return ecdh->group->meth->ecdh_compute_key(out, outlen, pub_key, ecdh,
KDF);
if ((ctx = BN_CTX_new()) == NULL)
goto err;
BN_CTX_start(ctx);
x = BN_CTX_get(ctx);
y = BN_CTX_get(ctx);
priv_key = EC_KEY_get0_private_key(ecdh);
if (priv_key == NULL) {
ECerr(EC_F_OSSL_ECDH_COMPUTE_KEY, EC_R_NO_PRIVATE_VALUE);
goto err;
}
group = EC_KEY_get0_group(ecdh);
if (EC_KEY_get_flags(ecdh) & EC_FLAG_COFACTOR_ECDH) {
if (!EC_GROUP_get_cofactor(group, x, NULL) ||
!BN_mul(x, x, priv_key, ctx)) {
ECerr(EC_F_OSSL_ECDH_COMPUTE_KEY, ERR_R_MALLOC_FAILURE);
goto err;
}
priv_key = x;
}
if ((tmp = EC_POINT_new(group)) == NULL) {
ECerr(EC_F_OSSL_ECDH_COMPUTE_KEY, ERR_R_MALLOC_FAILURE);
goto err;
}
if (!EC_POINT_mul(group, tmp, NULL, pub_key, priv_key, ctx)) {
ECerr(EC_F_OSSL_ECDH_COMPUTE_KEY, EC_R_POINT_ARITHMETIC_FAILURE);
goto err;
}
if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) ==
NID_X9_62_prime_field) {
if (!EC_POINT_get_affine_coordinates_GFp(group, tmp, x, y, ctx)) {
ECerr(EC_F_OSSL_ECDH_COMPUTE_KEY, EC_R_POINT_ARITHMETIC_FAILURE);
goto err;
}
}
#ifndef OPENSSL_NO_EC2M
else {
if (!EC_POINT_get_affine_coordinates_GF2m(group, tmp, x, y, ctx)) {
ECerr(EC_F_OSSL_ECDH_COMPUTE_KEY, EC_R_POINT_ARITHMETIC_FAILURE);
goto err;
}
}
#endif
buflen = (EC_GROUP_get_degree(group) + 7) / 8;
len = BN_num_bytes(x);
if (len > buflen) {
ECerr(EC_F_OSSL_ECDH_COMPUTE_KEY, ERR_R_INTERNAL_ERROR);
goto err;
}
if ((buf = OPENSSL_malloc(buflen)) == NULL) {
ECerr(EC_F_OSSL_ECDH_COMPUTE_KEY, ERR_R_MALLOC_FAILURE);
goto err;
}
memset(buf, 0, buflen - len);
if (len != (size_t)BN_bn2bin(x, buf + buflen - len)) {
ECerr(EC_F_OSSL_ECDH_COMPUTE_KEY, ERR_R_BN_LIB);
goto err;
}
if (KDF != 0) {
if (KDF(buf, buflen, out, &outlen) == NULL) {
ECerr(EC_F_OSSL_ECDH_COMPUTE_KEY, EC_R_KDF_FAILED);
goto err;
//.........这里部分代码省略.........
示例5: ecdsa_sign_setup
static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in,
BIGNUM **kinvp, BIGNUM **rp,
const unsigned char *dgst, int dlen)
{
BN_CTX *ctx = NULL;
BIGNUM *k = NULL, *r = NULL, *order = NULL, *X = NULL;
EC_POINT *tmp_point = NULL;
const EC_GROUP *group;
int ret = 0;
if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL) {
ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_PASSED_NULL_PARAMETER);
return 0;
}
if (ctx_in == NULL) {
if ((ctx = BN_CTX_new()) == NULL) {
ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_MALLOC_FAILURE);
return 0;
}
} else
ctx = ctx_in;
k = BN_new(); /* this value is later returned in *kinvp */
r = BN_new(); /* this value is later returned in *rp */
order = BN_new();
X = BN_new();
if (!k || !r || !order || !X) {
ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_MALLOC_FAILURE);
goto err;
}
if ((tmp_point = EC_POINT_new(group)) == NULL) {
ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
goto err;
}
if (!EC_GROUP_get_order(group, order, ctx)) {
ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
goto err;
}
do {
/* get random k */
do
if (dgst != NULL) {
if (!BN_generate_dsa_nonce
(k, order, EC_KEY_get0_private_key(eckey), dgst, dlen,
ctx)) {
ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,
ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED);
goto err;
}
} else {
if (!BN_rand_range(k, order)) {
ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,
ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED);
goto err;
}
}
while (BN_is_zero(k));
/*
* We do not want timing information to leak the length of k, so we
* compute G*k using an equivalent scalar of fixed bit-length.
*/
if (!BN_add(k, k, order))
goto err;
if (BN_num_bits(k) <= BN_num_bits(order))
if (!BN_add(k, k, order))
goto err;
/* compute r the x-coordinate of generator * k */
if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) {
ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
goto err;
}
if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) ==
NID_X9_62_prime_field) {
if (!EC_POINT_get_affine_coordinates_GFp
(group, tmp_point, X, NULL, ctx)) {
ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
goto err;
}
}
#ifndef OPENSSL_NO_EC2M
else { /* NID_X9_62_characteristic_two_field */
if (!EC_POINT_get_affine_coordinates_GF2m(group,
tmp_point, X, NULL,
ctx)) {
ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
goto err;
}
}
#endif
if (!BN_nnmod(r, X, order, ctx)) {
ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
goto err;
}
}
//.........这里部分代码省略.........
示例6: ssl_ec_point_finish
static int ssl_ec_point_finish(SSL_ECDH_CTX *ctx, uint8_t **out_secret,
size_t *out_secret_len, uint8_t *out_alert,
const uint8_t *peer_key, size_t peer_key_len) {
BIGNUM *private_key = (BIGNUM *)ctx->data;
assert(private_key != NULL);
*out_alert = SSL_AD_INTERNAL_ERROR;
/* Set up a shared |BN_CTX| for all operations. */
BN_CTX *bn_ctx = BN_CTX_new();
if (bn_ctx == NULL) {
return 0;
}
BN_CTX_start(bn_ctx);
int ret = 0;
EC_GROUP *group = EC_GROUP_new_by_curve_name(ctx->method->nid);
EC_POINT *peer_point = NULL, *result = NULL;
uint8_t *secret = NULL;
if (group == NULL) {
goto err;
}
/* Compute the x-coordinate of |peer_key| * |private_key|. */
peer_point = EC_POINT_new(group);
result = EC_POINT_new(group);
if (peer_point == NULL || result == NULL) {
goto err;
}
BIGNUM *x = BN_CTX_get(bn_ctx);
if (x == NULL) {
goto err;
}
if (!EC_POINT_oct2point(group, peer_point, peer_key, peer_key_len, bn_ctx)) {
*out_alert = SSL_AD_DECODE_ERROR;
goto err;
}
if (!EC_POINT_mul(group, result, NULL, peer_point, private_key, bn_ctx) ||
!EC_POINT_get_affine_coordinates_GFp(group, result, x, NULL, bn_ctx)) {
goto err;
}
/* Encode the x-coordinate left-padded with zeros. */
size_t secret_len = (EC_GROUP_get_degree(group) + 7) / 8;
secret = OPENSSL_malloc(secret_len);
if (secret == NULL || !BN_bn2bin_padded(secret, secret_len, x)) {
goto err;
}
*out_secret = secret;
*out_secret_len = secret_len;
secret = NULL;
ret = 1;
err:
EC_GROUP_free(group);
EC_POINT_free(peer_point);
EC_POINT_free(result);
BN_CTX_end(bn_ctx);
BN_CTX_free(bn_ctx);
OPENSSL_free(secret);
return ret;
}示例7: EC_KEY_generate_key
int EC_KEY_generate_key(EC_KEY *eckey)
{
int ok = 0;
BN_CTX *ctx = NULL;
BIGNUM *priv_key = NULL, *order = NULL;
EC_POINT *pub_key = NULL;
if (!eckey || !eckey->group)
{
ECerr(EC_F_EC_KEY_GENERATE_KEY, ERR_R_PASSED_NULL_PARAMETER);
return 0;
}
if ((order = BN_new()) == NULL) goto err;
if ((ctx = BN_CTX_new()) == NULL) goto err;
if (eckey->priv_key == NULL)
{
priv_key = BN_new();
if (priv_key == NULL)
goto err;
}
else
priv_key = eckey->priv_key;
if (!EC_GROUP_get_order(eckey->group, order, ctx))
goto err;
do
if (!BN_rand_range(priv_key, order))
goto err;
while (BN_is_zero(priv_key));
if (eckey->pub_key == NULL)
{
pub_key = EC_POINT_new(eckey->group);
if (pub_key == NULL)
goto err;
}
else
pub_key = eckey->pub_key;
if (!EC_POINT_mul(eckey->group, pub_key, priv_key, NULL, NULL, ctx))
goto err;
eckey->priv_key = priv_key;
eckey->pub_key = pub_key;
ok=1;
err:
if (order)
BN_free(order);
if (pub_key != NULL && eckey->pub_key == NULL)
EC_POINT_free(pub_key);
if (priv_key != NULL && eckey->priv_key == NULL)
BN_free(priv_key);
if (ctx != NULL)
BN_CTX_free(ctx);
return(ok);
}示例8: main
//.........这里部分代码省略.........
{
EC_KEY *ec_key = EC_KEY_new();
EC_KEY_set_group(ec_key, ec_group);
EC_KEY_generate_key(ec_key);
fprintf(stdout, "%s\n", BN_bn2hex(EC_KEY_get0_private_key(ec_key)));
fprintf(stdout, "%s\n", EC_POINT_point2hex(ec_group, EC_KEY_get0_public_key(ec_key), point_form, bn_ctx));
EC_KEY_free(ec_key);
break;
}
case ECC_ADD:
{
if (!rest) {
fprintf(stderr, "%s: short of point\n", prog);
goto exit;
}
if (!rest[0] || !rest[1]) {
fprintf(stderr, "%s: short of point\n", prog);
goto exit;
}
if (!EC_POINT_hex2point(ec_group, rest[1], P, bn_ctx)) {
fprintf(stderr, "%s: first point invalid\n", prog);
goto exit;
}
if (!EC_POINT_hex2point(ec_group, rest[1], Q, bn_ctx)) {
fprintf(stderr, "%s: second point invalid\n", prog);
goto exit;
}
EC_POINT_add(ec_group, R, P, Q, bn_ctx);
fprintf(stdout, "%s\n", EC_POINT_point2hex(ec_group, R, point_form, bn_ctx));
break;
}
case ECC_DOUBLE:
{
EC_POINT_dbl(ec_group, R, P, bn_ctx);
fprintf(stdout, "%s\n", EC_POINT_point2hex(ec_group, R, point_form, bn_ctx));
break;
}
case ECC_MUL:
{
BIGNUM *order = NULL;
if (!BN_hex2bn(&k, rest[0])) {
fprintf(stderr, "%s: integer invalid\n", prog);
goto exit;
}
order = BN_new();
EC_GROUP_get_order(ec_group, order, bn_ctx);
if (BN_cmp(k, order) >= 0) {
fprintf(stderr, "%s: integer value invalid\n", prog);
BN_free(order);
goto exit;
}
BN_free(order);
if (!EC_POINT_hex2point(ec_group, rest[1], P, bn_ctx)) {
fprintf(stderr, "%s: point invalid\n", prog);
goto exit;
}
EC_POINT_mul(ec_group, R, k, P, NULL, bn_ctx);
fprintf(stdout, "%s\n", EC_POINT_point2hex(ec_group, R, point_form, bn_ctx));
break;
}
case ECC_MUL_G:
{
BIGNUM *order = NULL;
if (!BN_hex2bn(&k, rest[0])) {
fprintf(stderr, "%s: integer format invalid\n", prog);
goto exit;
}
order = BN_new();
EC_GROUP_get_order(ec_group, order, bn_ctx);
if (BN_cmp(k, order) >= 0) {
fprintf(stderr, "%s: integer value invalid\n", prog);
BN_free(order);
goto exit;
}
BN_free(order);
EC_POINT_mul(ec_group, R, k, EC_GROUP_get0_generator(ec_group), NULL, bn_ctx);
fprintf(stdout, "%s\n", EC_POINT_point2hex(ec_group, R, point_form, bn_ctx));
break;
}
default:
fprintf(stderr, "%s: command is required\n", prog);
break;
}
ok = 1;
exit:
if (ec_group) EC_GROUP_free(ec_group);
if (P) EC_POINT_free(P);
if (k) BN_free(k);
if (bn_ctx) BN_CTX_free(bn_ctx);
return ok ? 0 : -1;
}示例9: EC_KEY_get0_group
SM2_CIPHERTEXT_VALUE *SM2_do_encrypt(const EVP_MD *kdf_md, const EVP_MD *mac_md,
const unsigned char *in, size_t inlen, EC_KEY *ec_key)
{
int ok = 0;
SM2_CIPHERTEXT_VALUE *cv = NULL;
const EC_GROUP *ec_group = EC_KEY_get0_group(ec_key);
const EC_POINT *pub_key = EC_KEY_get0_public_key(ec_key);
KDF_FUNC kdf = KDF_get_x9_63(kdf_md);
EC_POINT *point = NULL;
BIGNUM *n = NULL;
BIGNUM *h = NULL;
BIGNUM *k = NULL;
BN_CTX *bn_ctx = NULL;
EVP_MD_CTX *md_ctx = NULL;
unsigned char buf[(OPENSSL_ECC_MAX_FIELD_BITS + 7)/4 + 1];
int nbytes;
size_t len;
int i;
if (!ec_group || !pub_key) {
goto end;
}
if (!kdf) {
goto end;
}
/* init ciphertext_value */
if (!(cv = OPENSSL_malloc(sizeof(SM2_CIPHERTEXT_VALUE)))) {
goto end;
}
bzero(cv, sizeof(SM2_CIPHERTEXT_VALUE));
cv->ephem_point = EC_POINT_new(ec_group);
cv->ciphertext = OPENSSL_malloc(inlen);
cv->ciphertext_size = inlen;
if (!cv->ephem_point || !cv->ciphertext) {
goto end;
}
point = EC_POINT_new(ec_group);
n = BN_new();
h = BN_new();
k = BN_new();
bn_ctx = BN_CTX_new();
md_ctx = EVP_MD_CTX_create();
if (!point || !n || !h || !k || !bn_ctx || !md_ctx) {
goto end;
}
/* init ec domain parameters */
if (!EC_GROUP_get_order(ec_group, n, bn_ctx)) {
goto end;
}
if (!EC_GROUP_get_cofactor(ec_group, h, bn_ctx)) {
goto end;
}
nbytes = (EC_GROUP_get_degree(ec_group) + 7) / 8;
//OPENSSL_assert(nbytes == BN_num_bytes(n));
#if 0
/* check sm2 curve and md is 256 bits */
OPENSSL_assert(nbytes == 32);
OPENSSL_assert(EVP_MD_size(kdf_md) == 32);
OPENSSL_assert(EVP_MD_size(mac_md) == 32);
#endif
do
{
/* A1: rand k in [1, n-1] */
do {
BN_rand_range(k, n);
} while (BN_is_zero(k));
/* A2: C1 = [k]G = (x1, y1) */
if (!EC_POINT_mul(ec_group, cv->ephem_point, k, NULL, NULL, bn_ctx)) {
goto end;
}
/* A3: check [h]P_B != O */
if (!EC_POINT_mul(ec_group, point, NULL, pub_key, h, bn_ctx)) {
goto end;
}
if (EC_POINT_is_at_infinity(ec_group, point)) {
goto end;
}
/* A4: compute ECDH [k]P_B = (x2, y2) */
if (!EC_POINT_mul(ec_group, point, NULL, pub_key, k, bn_ctx)) {
goto end;
}
if (!(len = EC_POINT_point2oct(ec_group, point,
POINT_CONVERSION_UNCOMPRESSED, buf, sizeof(buf), bn_ctx))) {
goto end;
}
OPENSSL_assert(len == nbytes * 2 + 1);
/* A5: t = KDF(x2 || y2, klen) */
kdf(buf + 1, len - 1, cv->ciphertext, &cv->ciphertext_size);
//.........这里部分代码省略.........
示例10: compute_password_element
//.........这里部分代码省略.........
}
ctr = 0;
while (1) {
if (ctr > 10) {
DEBUG("unable to find random point on curve for group %d, something's fishy", grp_num);
goto fail;
}
ctr++;
/*
* compute counter-mode password value and stretch to prime
* pwd-seed = H(token | peer-id | server-id | password |
* counter)
*/
H_Init(&ctx);
H_Update(&ctx, (uint8_t *)token, sizeof(*token));
H_Update(&ctx, (uint8_t *)id_peer, id_peer_len);
H_Update(&ctx, (uint8_t *)id_server, id_server_len);
H_Update(&ctx, (uint8_t *)password, password_len);
H_Update(&ctx, (uint8_t *)&ctr, sizeof(ctr));
H_Final(&ctx, pwe_digest);
BN_bin2bn(pwe_digest, SHA256_DIGEST_LENGTH, rnd);
eap_pwd_kdf(pwe_digest, SHA256_DIGEST_LENGTH,
"EAP-pwd Hunting And Pecking",
strlen("EAP-pwd Hunting And Pecking"),
prfbuf, primebitlen);
BN_bin2bn(prfbuf, primebytelen, x_candidate);
/*
* eap_pwd_kdf() returns a string of bits 0..primebitlen but
* BN_bin2bn will treat that string of bits as a big endian
* number. If the primebitlen is not an even multiple of 8
* then excessive bits-- those _after_ primebitlen-- so now
* we have to shift right the amount we masked off.
*/
if (primebitlen % 8) {
BN_rshift(x_candidate, x_candidate, (8 - (primebitlen % 8)));
}
if (BN_ucmp(x_candidate, sess->prime) >= 0) {
continue;
}
/*
* need to unambiguously identify the solution, if there is
* one...
*/
if (BN_is_odd(rnd)) {
is_odd = 1;
} else {
is_odd = 0;
}
/*
* solve the quadratic equation, if it's not solvable then we
* don't have a point
*/
if (!EC_POINT_set_compressed_coordinates_GFp(sess->group,
sess->pwe,
x_candidate,
is_odd, NULL)) {
continue;
}
/*
* If there's a solution to the equation then the point must be
* on the curve so why check again explicitly? OpenSSL code
* says this is required by X9.62. We're not X9.62 but it can't
* hurt just to be sure.
*/
if (!EC_POINT_is_on_curve(sess->group, sess->pwe, NULL)) {
DEBUG("EAP-pwd: point is not on curve");
continue;
}
if (BN_cmp(cofactor, BN_value_one())) {
/* make sure the point is not in a small sub-group */
if (!EC_POINT_mul(sess->group, sess->pwe, NULL, sess->pwe,
cofactor, NULL)) {
DEBUG("EAP-pwd: cannot multiply generator by order");
continue;
}
if (EC_POINT_is_at_infinity(sess->group, sess->pwe)) {
DEBUG("EAP-pwd: point is at infinity");
continue;
}
}
/* if we got here then we have a new generator. */
break;
}
sess->group_num = grp_num;
if (0) {
fail: /* DON'T free sess, it's in handler->opaque */
ret = -1;
}
/* cleanliness and order.... */
BN_free(cofactor);
BN_free(x_candidate);
BN_free(rnd);
talloc_free(prfbuf);
return ret;
}示例11: process_peer_commit
int
process_peer_commit (pwd_session_t *sess, uint8_t *commit, BN_CTX *bnctx)
{
uint8_t *ptr;
BIGNUM *x = NULL, *y = NULL, *cofactor = NULL;
EC_POINT *K = NULL, *point = NULL;
int res = 1;
if (((sess->peer_scalar = BN_new()) == NULL) ||
((sess->k = BN_new()) == NULL) ||
((cofactor = BN_new()) == NULL) ||
((x = BN_new()) == NULL) ||
((y = BN_new()) == NULL) ||
((point = EC_POINT_new(sess->group)) == NULL) ||
((K = EC_POINT_new(sess->group)) == NULL) ||
((sess->peer_element = EC_POINT_new(sess->group)) == NULL)) {
DEBUG2("pwd: failed to allocate room to process peer's commit");
goto fin;
}
if (!EC_GROUP_get_cofactor(sess->group, cofactor, NULL)) {
DEBUG2("pwd: unable to get group co-factor");
goto fin;
}
/* element, x then y, followed by scalar */
ptr = (uint8_t *)commit;
BN_bin2bn(ptr, BN_num_bytes(sess->prime), x);
ptr += BN_num_bytes(sess->prime);
BN_bin2bn(ptr, BN_num_bytes(sess->prime), y);
ptr += BN_num_bytes(sess->prime);
BN_bin2bn(ptr, BN_num_bytes(sess->order), sess->peer_scalar);
if (!EC_POINT_set_affine_coordinates_GFp(sess->group,
sess->peer_element, x, y,
bnctx)) {
DEBUG2("pwd: unable to get coordinates of peer's element");
goto fin;
}
/* check to ensure peer's element is not in a small sub-group */
if (BN_cmp(cofactor, BN_value_one())) {
if (!EC_POINT_mul(sess->group, point, NULL,
sess->peer_element, cofactor, NULL)) {
DEBUG2("pwd: unable to multiply element by co-factor");
goto fin;
}
if (EC_POINT_is_at_infinity(sess->group, point)) {
DEBUG2("pwd: peer's element is in small sub-group");
goto fin;
}
}
/* compute the shared key, k */
if ((!EC_POINT_mul(sess->group, K, NULL, sess->pwe,
sess->peer_scalar, bnctx)) ||
(!EC_POINT_add(sess->group, K, K, sess->peer_element,
bnctx)) ||
(!EC_POINT_mul(sess->group, K, NULL, K, sess->private_value,
bnctx))) {
DEBUG2("pwd: unable to compute shared key, k");
goto fin;
}
/* ensure that the shared key isn't in a small sub-group */
if (BN_cmp(cofactor, BN_value_one())) {
if (!EC_POINT_mul(sess->group, K, NULL, K, cofactor,
NULL)) {
DEBUG2("pwd: unable to multiply k by co-factor");
goto fin;
}
}
/*
* This check is strictly speaking just for the case above where
* co-factor > 1 but it was suggested that even though this is probably
* never going to happen it is a simple and safe check "just to be
* sure" so let's be safe.
*/
if (EC_POINT_is_at_infinity(sess->group, K)) {
DEBUG2("pwd: k is point-at-infinity!");
goto fin;
}
if (!EC_POINT_get_affine_coordinates_GFp(sess->group, K, sess->k,
NULL, bnctx)) {
DEBUG2("pwd: unable to get shared secret from K");
goto fin;
}
res = 0;
fin:
EC_POINT_free(K);
EC_POINT_free(point);
BN_free(cofactor);
BN_free(x);
BN_free(y);
return res;
}示例12: generateRingSignatureAB
int generateRingSignatureAB(data_chunk &keyImage, uint256 &txnHash, int nRingSize, int nSecretOffset, ec_secret secret, const uint8_t *pPubkeys, data_chunk &sigC, uint8_t *pSigS)
{
// https://bitcointalk.org/index.php?topic=972541.msg10619684
if (fDebugRingSig)
LogPrintf("%s: Ring size %d.\n", __func__, nRingSize);
assert(nRingSize < 200);
RandAddSeedPerfmon();
memset(pSigS, 0, EC_SECRET_SIZE * nRingSize);
int rv = 0;
int nBytes;
uint256 tmpPkHash;
uint256 tmpHash;
uint8_t tempData[66]; // hold raw point data to hash
ec_secret sAlpha;
if (0 != GenerateRandomSecret(sAlpha))
return errorN(1, "%s: GenerateRandomSecret failed.", __func__);
CHashWriter ssPkHash(SER_GETHASH, PROTOCOL_VERSION);
CHashWriter ssCjHash(SER_GETHASH, PROTOCOL_VERSION);
uint256 test;
for (int i = 0; i < nRingSize; ++i)
{
ssPkHash.write((const char*)&pPubkeys[i * EC_COMPRESSED_SIZE], EC_COMPRESSED_SIZE);
if (i == nSecretOffset)
continue;
int k;
// NOTE: necessary to clamp?
for (k = 0; k < 32; ++k)
{
if (1 != RAND_bytes(&pSigS[i * EC_SECRET_SIZE], 32))
return errorN(1, "%s: RAND_bytes ERR_get_error %u.", __func__, ERR_get_error());
memcpy(test.begin(), &pSigS[i * EC_SECRET_SIZE], 32);
if (test > MIN_SECRET && test < MAX_SECRET)
break;
};
if (k > 31)
return errorN(1, "%s: Failed to generate a valid key.", __func__);
};
tmpPkHash = ssPkHash.GetHash();
BN_CTX_start(bnCtx);
BIGNUM *bnT = BN_CTX_get(bnCtx);
BIGNUM *bnT2 = BN_CTX_get(bnCtx);
BIGNUM *bnS = BN_CTX_get(bnCtx);
BIGNUM *bnC = BN_CTX_get(bnCtx);
BIGNUM *bnCj = BN_CTX_get(bnCtx);
BIGNUM *bnA = BN_CTX_get(bnCtx);
EC_POINT *ptKi = NULL;
EC_POINT *ptPk = NULL;
EC_POINT *ptT1 = NULL;
EC_POINT *ptT2 = NULL;
EC_POINT *ptT3 = NULL;
EC_POINT *ptT4 = NULL;
if ( !(ptKi = EC_POINT_new(ecGrp))
|| !(ptPk = EC_POINT_new(ecGrp))
|| !(ptT1 = EC_POINT_new(ecGrp))
|| !(ptT2 = EC_POINT_new(ecGrp))
|| !(ptT3 = EC_POINT_new(ecGrp))
|| !(ptT4 = EC_POINT_new(ecGrp)))
{
LogPrintf("%s: EC_POINT_new failed.\n", __func__);
rv = 1; goto End;
};
// get keyimage as point
if (!EC_POINT_oct2point(ecGrp, ptKi, &keyImage[0], EC_COMPRESSED_SIZE, bnCtx))
{
LogPrintf("%s: extract ptKi failed.\n", __func__);
rv = 1; goto End;
};
// c_{j+1} = h(P_1,...,P_n,alpha*G,alpha*H(P_j))
if (!bnA || !(BN_bin2bn(&sAlpha.e[0], EC_SECRET_SIZE, bnA)))
{
LogPrintf("%s: BN_bin2bn failed.\n", __func__);
rv = 1; goto End;
};
// ptT1 = alpha * G
if (!EC_POINT_mul(ecGrp, ptT1, bnA, NULL, NULL, bnCtx))
{
LogPrintf("%s: EC_POINT_mul failed.\n", __func__);
rv = 1; goto End;
};
//.........这里部分代码省略.........
示例13: verifyRingSignature
int verifyRingSignature(data_chunk &keyImage, uint256 &txnHash, int nRingSize, const uint8_t *pPubkeys, const uint8_t *pSigc, const uint8_t *pSigr)
{
if (fDebugRingSig)
{
// LogPrintf("%s size %d\n", __func__, nRingSize); // happens often
};
int rv = 0;
BN_CTX_start(bnCtx);
BIGNUM *bnT = BN_CTX_get(bnCtx);
BIGNUM *bnH = BN_CTX_get(bnCtx);
BIGNUM *bnC = BN_CTX_get(bnCtx);
BIGNUM *bnR = BN_CTX_get(bnCtx);
BIGNUM *bnSum = BN_CTX_get(bnCtx);
EC_POINT *ptT1 = NULL;
EC_POINT *ptT2 = NULL;
EC_POINT *ptT3 = NULL;
EC_POINT *ptPk = NULL;
EC_POINT *ptKi = NULL;
EC_POINT *ptL = NULL;
EC_POINT *ptR = NULL;
EC_POINT *ptSi = NULL;
uint8_t tempData[66]; // hold raw point data to hash
uint256 commitHash;
CHashWriter ssCommitHash(SER_GETHASH, PROTOCOL_VERSION);
ssCommitHash << txnHash;
// zero sum
if (!bnSum || !(BN_zero(bnSum)))
{
LogPrintf("%s: BN_zero failed.\n", __func__);
rv = 1; goto End;
};
if ( !(ptT1 = EC_POINT_new(ecGrp))
|| !(ptT2 = EC_POINT_new(ecGrp))
|| !(ptT3 = EC_POINT_new(ecGrp))
|| !(ptPk = EC_POINT_new(ecGrp))
|| !(ptKi = EC_POINT_new(ecGrp))
|| !(ptL = EC_POINT_new(ecGrp))
|| !(ptSi = EC_POINT_new(ecGrp))
|| !(ptR = EC_POINT_new(ecGrp)))
{
LogPrintf("%s: EC_POINT_new failed.\n", __func__);
rv = 1; goto End;
};
// get keyimage as point
if (!(bnT = BN_bin2bn(&keyImage[0], EC_COMPRESSED_SIZE, bnT))
|| !(ptKi) || !(ptKi = EC_POINT_bn2point(ecGrp, bnT, ptKi, bnCtx)))
{
LogPrintf("%s: extract ptKi failed.\n", __func__);
rv = 1; goto End;
};
for (int i = 0; i < nRingSize; ++i)
{
// Li = ci * Pi + ri * G
// Ri = ci * I + ri * Hp(Pi)
if ( !bnC || !(bnC = BN_bin2bn(&pSigc[i * EC_SECRET_SIZE], EC_SECRET_SIZE, bnC))
|| !bnR || !(bnR = BN_bin2bn(&pSigr[i * EC_SECRET_SIZE], EC_SECRET_SIZE, bnR)))
{
LogPrintf("%s: extract bnC and bnR failed.\n", __func__);
rv = 1; goto End;
};
// get Pk i as point
if (!(bnT = BN_bin2bn(&pPubkeys[i * EC_COMPRESSED_SIZE], EC_COMPRESSED_SIZE, bnT))
|| !(ptPk) || !(ptPk = EC_POINT_bn2point(ecGrp, bnT, ptPk, bnCtx)))
{
LogPrintf("%s: extract ptPk failed.\n", __func__);
rv = 1; goto End;
};
// ptT1 = ci * Pi
if (!EC_POINT_mul(ecGrp, ptT1, NULL, ptPk, bnC, bnCtx))
{
LogPrintf("%s: EC_POINT_mul failed.\n", __func__);
rv = 1; goto End;
};
// ptT2 = ri * G
if (!EC_POINT_mul(ecGrp, ptT2, bnR, NULL, NULL, bnCtx))
{
LogPrintf("%s: EC_POINT_mul failed.\n", __func__);
rv = 1; goto End;
};
// ptL = ptT1 + ptT2
if (!EC_POINT_add(ecGrp, ptL, ptT1, ptT2, bnCtx))
{
LogPrintf("%s: EC_POINT_add failed.\n", __func__);
rv = 1; goto End;
};
//.........这里部分代码省略.........
示例14: generateRingSignature
int generateRingSignature(data_chunk &keyImage, uint256 &txnHash, int nRingSize, int nSecretOffset, ec_secret secret, const uint8_t *pPubkeys, uint8_t *pSigc, uint8_t *pSigr)
{
if (fDebugRingSig)
LogPrintf("%s: Ring size %d.\n", __func__, nRingSize);
int rv = 0;
int nBytes;
BN_CTX_start(bnCtx);
BIGNUM *bnKS = BN_CTX_get(bnCtx);
BIGNUM *bnK1 = BN_CTX_get(bnCtx);
BIGNUM *bnK2 = BN_CTX_get(bnCtx);
BIGNUM *bnT = BN_CTX_get(bnCtx);
BIGNUM *bnH = BN_CTX_get(bnCtx);
BIGNUM *bnSum = BN_CTX_get(bnCtx);
EC_POINT *ptT1 = NULL;
EC_POINT *ptT2 = NULL;
EC_POINT *ptT3 = NULL;
EC_POINT *ptPk = NULL;
EC_POINT *ptKi = NULL;
EC_POINT *ptL = NULL;
EC_POINT *ptR = NULL;
uint8_t tempData[66]; // hold raw point data to hash
uint256 commitHash;
ec_secret scData1, scData2;
CHashWriter ssCommitHash(SER_GETHASH, PROTOCOL_VERSION);
ssCommitHash << txnHash;
// zero signature
memset(pSigc, 0, EC_SECRET_SIZE * nRingSize);
memset(pSigr, 0, EC_SECRET_SIZE * nRingSize);
// ks = random 256 bit int mod P
if (GenerateRandomSecret(scData1)
&& (rv = errorN(1, "%s: GenerateRandomSecret failed.", __func__)))
goto End;
if (!bnKS || !(BN_bin2bn(&scData1.e[0], EC_SECRET_SIZE, bnKS)))
{
LogPrintf("%s: BN_bin2bn failed.\n", __func__);
rv = 1; goto End;
};
// zero sum
if (!bnSum || !(BN_zero(bnSum)))
{
LogPrintf("%s: BN_zero failed.\n", __func__);
rv = 1; goto End;
};
if ( !(ptT1 = EC_POINT_new(ecGrp))
|| !(ptT2 = EC_POINT_new(ecGrp))
|| !(ptT3 = EC_POINT_new(ecGrp))
|| !(ptPk = EC_POINT_new(ecGrp))
|| !(ptKi = EC_POINT_new(ecGrp))
|| !(ptL = EC_POINT_new(ecGrp))
|| !(ptR = EC_POINT_new(ecGrp)))
{
LogPrintf("%s: EC_POINT_new failed.\n", __func__);
rv = 1; goto End;
};
// get keyimage as point
if (!(bnT = BN_bin2bn(&keyImage[0], EC_COMPRESSED_SIZE, bnT))
|| !(ptKi) || !(ptKi = EC_POINT_bn2point(ecGrp, bnT, ptKi, bnCtx)))
{
LogPrintf("%s: extract ptKi failed.\n", __func__);
rv = 1; goto End;
};
for (int i = 0; i < nRingSize; ++i)
{
if (i == nSecretOffset)
{
// k = random 256 bit int mod P
// L = k * G
// R = k * HashToEC(PKi)
if (!EC_POINT_mul(ecGrp, ptL, bnKS, NULL, NULL, bnCtx))
{
LogPrintf("%s: EC_POINT_mul failed.\n", __func__);
rv = 1; goto End;
};
if (hashToEC(&pPubkeys[i * EC_COMPRESSED_SIZE], EC_COMPRESSED_SIZE, bnT, ptT1) != 0)
{
LogPrintf("%s: hashToEC failed.\n", __func__);
rv = 1; goto End;
};
if (!EC_POINT_mul(ecGrp, ptR, NULL, ptT1, bnKS, bnCtx))
{
LogPrintf("%s: EC_POINT_mul failed.\n", __func__);
rv = 1; goto End;
};
//.........这里部分代码省略.........
示例15: ecdsa_sign_setup
static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in,
BIGNUM **kinvp, BIGNUM **rp,
const unsigned char *dgst, int dlen)
{
BN_CTX *ctx = NULL;
BIGNUM *k = NULL, *r = NULL, *X = NULL;
const BIGNUM *order;
EC_POINT *tmp_point = NULL;
const EC_GROUP *group;
int ret = 0;
int order_bits;
if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL) {
ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_PASSED_NULL_PARAMETER);
return 0;
}
if (!EC_KEY_can_sign(eckey)) {
ECerr(EC_F_ECDSA_SIGN_SETUP, EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING);
return 0;
}
if (ctx_in == NULL) {
if ((ctx = BN_CTX_new()) == NULL) {
ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_MALLOC_FAILURE);
return 0;
}
} else
ctx = ctx_in;
k = BN_new(); /* this value is later returned in *kinvp */
r = BN_new(); /* this value is later returned in *rp */
X = BN_new();
if (k == NULL || r == NULL || X == NULL) {
ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_MALLOC_FAILURE);
goto err;
}
if ((tmp_point = EC_POINT_new(group)) == NULL) {
ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
goto err;
}
order = EC_GROUP_get0_order(group);
if (order == NULL) {
ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
goto err;
}
/* Preallocate space */
order_bits = BN_num_bits(order);
if (!BN_set_bit(k, order_bits)
|| !BN_set_bit(r, order_bits)
|| !BN_set_bit(X, order_bits))
goto err;
do {
/* get random k */
do
if (dgst != NULL) {
if (!BN_generate_dsa_nonce
(k, order, EC_KEY_get0_private_key(eckey), dgst, dlen,
ctx)) {
ECerr(EC_F_ECDSA_SIGN_SETUP,
EC_R_RANDOM_NUMBER_GENERATION_FAILED);
goto err;
}
} else {
if (!BN_priv_rand_range(k, order)) {
ECerr(EC_F_ECDSA_SIGN_SETUP,
EC_R_RANDOM_NUMBER_GENERATION_FAILED);
goto err;
}
}
while (BN_is_zero(k));
/* compute r the x-coordinate of generator * k */
if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) {
ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
goto err;
}
if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) ==
NID_X9_62_prime_field) {
if (!EC_POINT_get_affine_coordinates_GFp
(group, tmp_point, X, NULL, ctx)) {
ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
goto err;
}
}
#ifndef OPENSSL_NO_EC2M
else { /* NID_X9_62_characteristic_two_field */
if (!EC_POINT_get_affine_coordinates_GF2m(group,
tmp_point, X, NULL,
ctx)) {
ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
goto err;
}
}
#endif
if (!BN_nnmod(r, X, order, ctx)) {
ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
//.........这里部分代码省略.........