本文整理汇总了C++中MP_TO_SEC_ERROR函数的典型用法代码示例。如果您正苦于以下问题:C++ MP_TO_SEC_ERROR函数的具体用法?C++ MP_TO_SEC_ERROR怎么用?C++ MP_TO_SEC_ERROR使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。
在下文中一共展示了MP_TO_SEC_ERROR函数的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的C++代码示例。
示例1: rsa_PrivateKeyOpCRTCheckedPubKey
/*
** An attack against RSA CRT was described by Boneh, DeMillo, and Lipton in:
** "On the Importance of Eliminating Errors in Cryptographic Computations",
** http://theory.stanford.edu/~dabo/papers/faults.ps.gz
**
** As a defense against the attack, carry out the private key operation,
** followed up with a public key operation to invert the result.
** Verify that result against the input.
*/
static SECStatus
rsa_PrivateKeyOpCRTCheckedPubKey(RSAPrivateKey *key, mp_int *m, mp_int *c)
{
mp_int n, e, v;
mp_err err = MP_OKAY;
SECStatus rv = SECSuccess;
MP_DIGITS(&n) = 0;
MP_DIGITS(&e) = 0;
MP_DIGITS(&v) = 0;
CHECK_MPI_OK( mp_init(&n) );
CHECK_MPI_OK( mp_init(&e) );
CHECK_MPI_OK( mp_init(&v) );
CHECK_SEC_OK( rsa_PrivateKeyOpCRTNoCheck(key, m, c) );
SECITEM_TO_MPINT(key->modulus, &n);
SECITEM_TO_MPINT(key->publicExponent, &e);
/* Perform a public key operation v = m ** e mod n */
CHECK_MPI_OK( mp_exptmod(m, &e, &n, &v) );
if (mp_cmp(&v, c) != 0) {
rv = SECFailure;
}
cleanup:
mp_clear(&n);
mp_clear(&e);
mp_clear(&v);
if (err) {
MP_TO_SEC_ERROR(err);
rv = SECFailure;
}
return rv;
}示例2: generate_prime
static SECStatus
generate_prime(mp_int *prime, int primeLen)
{
mp_err err = MP_OKAY;
SECStatus rv = SECSuccess;
unsigned long counter = 0;
int piter;
unsigned char *pb = NULL;
pb = PORT_Alloc(primeLen);
if (!pb) {
PORT_SetError(SEC_ERROR_NO_MEMORY);
goto cleanup;
}
for (piter = 0; piter < MAX_PRIME_GEN_ATTEMPTS; piter++) {
CHECK_SEC_OK( RNG_GenerateGlobalRandomBytes(pb, primeLen) );
pb[0] |= 0xC0; /* set two high-order bits */
pb[primeLen-1] |= 0x01; /* set low-order bit */
CHECK_MPI_OK( mp_read_unsigned_octets(prime, pb, primeLen) );
err = mpp_make_prime(prime, primeLen * 8, PR_FALSE, &counter);
if (err != MP_NO)
goto cleanup;
/* keep going while err == MP_NO */
}
cleanup:
if (pb)
PORT_ZFree(pb, primeLen);
if (err) {
MP_TO_SEC_ERROR(err);
rv = SECFailure;
}
return rv;
}示例3: rsa_PrivateKeyOpCRTNoCheck
/*
** RSA Private key operation using CRT.
*/
static SECStatus
rsa_PrivateKeyOpCRTNoCheck(RSAPrivateKey *key, mp_int *m, mp_int *c)
{
mp_int p, q, d_p, d_q, qInv;
mp_int m1, m2, h, ctmp;
mp_err err = MP_OKAY;
SECStatus rv = SECSuccess;
MP_DIGITS(&p) = 0;
MP_DIGITS(&q) = 0;
MP_DIGITS(&d_p) = 0;
MP_DIGITS(&d_q) = 0;
MP_DIGITS(&qInv) = 0;
MP_DIGITS(&m1) = 0;
MP_DIGITS(&m2) = 0;
MP_DIGITS(&h) = 0;
MP_DIGITS(&ctmp) = 0;
CHECK_MPI_OK( mp_init(&p) );
CHECK_MPI_OK( mp_init(&q) );
CHECK_MPI_OK( mp_init(&d_p) );
CHECK_MPI_OK( mp_init(&d_q) );
CHECK_MPI_OK( mp_init(&qInv) );
CHECK_MPI_OK( mp_init(&m1) );
CHECK_MPI_OK( mp_init(&m2) );
CHECK_MPI_OK( mp_init(&h) );
CHECK_MPI_OK( mp_init(&ctmp) );
/* copy private key parameters into mp integers */
SECITEM_TO_MPINT(key->prime1, &p); /* p */
SECITEM_TO_MPINT(key->prime2, &q); /* q */
SECITEM_TO_MPINT(key->exponent1, &d_p); /* d_p = d mod (p-1) */
SECITEM_TO_MPINT(key->exponent2, &d_q); /* d_q = d mod (q-1) */
SECITEM_TO_MPINT(key->coefficient, &qInv); /* qInv = q**-1 mod p */
/* 1. m1 = c**d_p mod p */
CHECK_MPI_OK( mp_mod(c, &p, &ctmp) );
CHECK_MPI_OK( mp_exptmod(&ctmp, &d_p, &p, &m1) );
/* 2. m2 = c**d_q mod q */
CHECK_MPI_OK( mp_mod(c, &q, &ctmp) );
CHECK_MPI_OK( mp_exptmod(&ctmp, &d_q, &q, &m2) );
/* 3. h = (m1 - m2) * qInv mod p */
CHECK_MPI_OK( mp_submod(&m1, &m2, &p, &h) );
CHECK_MPI_OK( mp_mulmod(&h, &qInv, &p, &h) );
/* 4. m = m2 + h * q */
CHECK_MPI_OK( mp_mul(&h, &q, m) );
CHECK_MPI_OK( mp_add(m, &m2, m) );
cleanup:
mp_clear(&p);
mp_clear(&q);
mp_clear(&d_p);
mp_clear(&d_q);
mp_clear(&qInv);
mp_clear(&m1);
mp_clear(&m2);
mp_clear(&h);
mp_clear(&ctmp);
if (err) {
MP_TO_SEC_ERROR(err);
rv = SECFailure;
}
return rv;
}示例4: ec_GenerateRandomPrivateKey
/* Generate a random private key using the algorithm A.4.1 of ANSI X9.62,
* modified a la FIPS 186-2 Change Notice 1 to eliminate the bias in the
* random number generator.
*
* Parameters
* - order: a buffer that holds the curve's group order
* - len: the length in octets of the order buffer
* - random: a buffer of 2 * len random bytes
* - randomlen: the length in octets of the random buffer
*
* Return Value
* Returns a buffer of len octets that holds the private key. The caller
* is responsible for freeing the buffer with PORT_ZFree.
*/
static unsigned char *
ec_GenerateRandomPrivateKey(const unsigned char *order, int len,
const unsigned char *random, int randomlen, int kmflag)
{
SECStatus rv = SECSuccess;
mp_err err;
unsigned char *privKeyBytes = NULL;
mp_int privKeyVal, order_1, one;
MP_DIGITS(&privKeyVal) = 0;
MP_DIGITS(&order_1) = 0;
MP_DIGITS(&one) = 0;
CHECK_MPI_OK( mp_init(&privKeyVal, kmflag) );
CHECK_MPI_OK( mp_init(&order_1, kmflag) );
CHECK_MPI_OK( mp_init(&one, kmflag) );
/*
* Reduces the 2*len buffer of random bytes modulo the group order.
*/
if ((privKeyBytes = PORT_Alloc(2*len, kmflag)) == NULL) goto cleanup;
if (randomlen != 2 * len) {
randomlen = 2 * len;
}
/* No need to generate - random bytes are now supplied */
/* CHECK_SEC_OK( RNG_GenerateGlobalRandomBytes(privKeyBytes, 2*len) );*/
memcpy(privKeyBytes, random, randomlen);
CHECK_MPI_OK( mp_read_unsigned_octets(&privKeyVal, privKeyBytes, 2*len) );
CHECK_MPI_OK( mp_read_unsigned_octets(&order_1, order, len) );
CHECK_MPI_OK( mp_set_int(&one, 1) );
CHECK_MPI_OK( mp_sub(&order_1, &one, &order_1) );
CHECK_MPI_OK( mp_mod(&privKeyVal, &order_1, &privKeyVal) );
CHECK_MPI_OK( mp_add(&privKeyVal, &one, &privKeyVal) );
CHECK_MPI_OK( mp_to_fixlen_octets(&privKeyVal, privKeyBytes, len) );
memset(privKeyBytes+len, 0, len);
cleanup:
mp_clear(&privKeyVal);
mp_clear(&order_1);
mp_clear(&one);
if (err < MP_OKAY) {
MP_TO_SEC_ERROR(err);
rv = SECFailure;
}
if (rv != SECSuccess && privKeyBytes) {
#ifdef _KERNEL
kmem_free(privKeyBytes, 2*len);
#else
free(privKeyBytes);
#endif
privKeyBytes = NULL;
}
return privKeyBytes;
}示例5: ec_GenerateRandomPrivateKey
/* Generate a random private key using the algorithm A.4.1 of ANSI X9.62,
* modified a la FIPS 186-2 Change Notice 1 to eliminate the bias in the
* random number generator.
*
* Parameters
* - order: a buffer that holds the curve's group order
* - len: the length in octets of the order buffer
*
* Return Value
* Returns a buffer of len octets that holds the private key. The caller
* is responsible for freeing the buffer with PORT_ZFree.
*/
static unsigned char *
ec_GenerateRandomPrivateKey(const unsigned char *order, int len, int kmflag)
{
SECStatus rv = SECSuccess;
mp_err err;
unsigned char *privKeyBytes = NULL;
mp_int privKeyVal, order_1, one;
MP_DIGITS(&privKeyVal) = 0;
MP_DIGITS(&order_1) = 0;
MP_DIGITS(&one) = 0;
CHECK_MPI_OK( mp_init(&privKeyVal) );
CHECK_MPI_OK( mp_init(&order_1) );
CHECK_MPI_OK( mp_init(&one) );
/* Generates 2*len random bytes using the global random bit generator
* (which implements Algorithm 1 of FIPS 186-2 Change Notice 1) then
* reduces modulo the group order.
*/
if ((privKeyBytes = PORT_Alloc(2*len, kmflag)) == NULL) goto cleanup;
CHECK_SEC_OK( RNG_GenerateGlobalRandomBytes(privKeyBytes, 2*len) );
CHECK_MPI_OK( mp_read_unsigned_octets(&privKeyVal, privKeyBytes, 2*len) );
CHECK_MPI_OK( mp_read_unsigned_octets(&order_1, order, len) );
CHECK_MPI_OK( mp_set_int(&one, 1) );
CHECK_MPI_OK( mp_sub(&order_1, &one, &order_1) );
CHECK_MPI_OK( mp_mod(&privKeyVal, &order_1, &privKeyVal) );
CHECK_MPI_OK( mp_add(&privKeyVal, &one, &privKeyVal) );
CHECK_MPI_OK( mp_to_fixlen_octets(&privKeyVal, privKeyBytes, len) );
memset(privKeyBytes+len, 0, len);
cleanup:
mp_clear(&privKeyVal);
mp_clear(&order_1);
mp_clear(&one);
if (err < MP_OKAY) {
MP_TO_SEC_ERROR(err);
rv = SECFailure;
}
if (rv != SECSuccess && privKeyBytes) {
#ifdef _KERNEL
kmem_free(privKeyBytes, 2*len);
#else
free(privKeyBytes);
#endif
privKeyBytes = NULL;
}
return privKeyBytes;
}示例6: rsa_PrivateKeyOpNoCRT
/*
** RSA Private key operation (no CRT).
*/
static SECStatus
rsa_PrivateKeyOpNoCRT(RSAPrivateKey *key, mp_int *m, mp_int *c, mp_int *n,
unsigned int modLen)
{
mp_int d;
mp_err err = MP_OKAY;
SECStatus rv = SECSuccess;
MP_DIGITS(&d) = 0;
CHECK_MPI_OK( mp_init(&d) );
SECITEM_TO_MPINT(key->privateExponent, &d);
/* 1. m = c**d mod n */
CHECK_MPI_OK( mp_exptmod(c, &d, n, m) );
cleanup:
mp_clear(&d);
if (err) {
MP_TO_SEC_ERROR(err);
rv = SECFailure;
}
return rv;
}示例7: generate_blinding_params
static SECStatus
generate_blinding_params(struct RSABlindingParamsStr *rsabp,
RSAPrivateKey *key, mp_int *n, unsigned int modLen)
{
SECStatus rv = SECSuccess;
mp_int e, k;
mp_err err = MP_OKAY;
unsigned char *kb = NULL;
MP_DIGITS(&e) = 0;
MP_DIGITS(&k) = 0;
CHECK_MPI_OK( mp_init(&e) );
CHECK_MPI_OK( mp_init(&k) );
SECITEM_TO_MPINT(key->publicExponent, &e);
/* generate random k < n */
kb = PORT_Alloc(modLen);
if (!kb) {
PORT_SetError(SEC_ERROR_NO_MEMORY);
goto cleanup;
}
CHECK_SEC_OK( RNG_GenerateGlobalRandomBytes(kb, modLen) );
CHECK_MPI_OK( mp_read_unsigned_octets(&k, kb, modLen) );
/* k < n */
CHECK_MPI_OK( mp_mod(&k, n, &k) );
/* f = k**e mod n */
CHECK_MPI_OK( mp_exptmod(&k, &e, n, &rsabp->f) );
/* g = k**-1 mod n */
CHECK_MPI_OK( mp_invmod(&k, n, &rsabp->g) );
/* Initialize the counter for this (f, g) */
rsabp->counter = RSA_BLINDING_PARAMS_MAX_REUSE;
cleanup:
if (kb)
PORT_ZFree(kb, modLen);
mp_clear(&k);
mp_clear(&e);
if (err) {
MP_TO_SEC_ERROR(err);
rv = SECFailure;
}
return rv;
}示例8: generate_blinding_params
static SECStatus
generate_blinding_params(RSAPrivateKey *key, mp_int* f, mp_int* g, mp_int *n,
unsigned int modLen)
{
SECStatus rv = SECSuccess;
mp_int e, k;
mp_err err = MP_OKAY;
unsigned char *kb = NULL;
MP_DIGITS(&e) = 0;
MP_DIGITS(&k) = 0;
CHECK_MPI_OK( mp_init(&e) );
CHECK_MPI_OK( mp_init(&k) );
SECITEM_TO_MPINT(key->publicExponent, &e);
/* generate random k < n */
kb = PORT_Alloc(modLen);
if (!kb) {
PORT_SetError(SEC_ERROR_NO_MEMORY);
goto cleanup;
}
CHECK_SEC_OK( RNG_GenerateGlobalRandomBytes(kb, modLen) );
CHECK_MPI_OK( mp_read_unsigned_octets(&k, kb, modLen) );
/* k < n */
CHECK_MPI_OK( mp_mod(&k, n, &k) );
/* f = k**e mod n */
CHECK_MPI_OK( mp_exptmod(&k, &e, n, f) );
/* g = k**-1 mod n */
CHECK_MPI_OK( mp_invmod(&k, n, g) );
cleanup:
if (kb)
PORT_ZFree(kb, modLen);
mp_clear(&k);
mp_clear(&e);
if (err) {
MP_TO_SEC_ERROR(err);
rv = SECFailure;
}
return rv;
}示例9: fips186Change_ReduceModQForDSA
/*
* FIPS 186-2 requires result from random output to be reduced mod q when
* generating random numbers for DSA.
*
* Input: w, 2*qLen bytes
* q, qLen bytes
* Output: xj, qLen bytes
*/
static SECStatus
fips186Change_ReduceModQForDSA(const PRUint8 *w, const PRUint8 *q,
unsigned int qLen, PRUint8 * xj)
{
mp_int W, Q, Xj;
mp_err err;
SECStatus rv = SECSuccess;
/* Initialize MPI integers. */
MP_DIGITS(&W) = 0;
MP_DIGITS(&Q) = 0;
MP_DIGITS(&Xj) = 0;
CHECK_MPI_OK( mp_init(&W) );
CHECK_MPI_OK( mp_init(&Q) );
CHECK_MPI_OK( mp_init(&Xj) );
/*
* Convert input arguments into MPI integers.
*/
CHECK_MPI_OK( mp_read_unsigned_octets(&W, w, 2*qLen) );
CHECK_MPI_OK( mp_read_unsigned_octets(&Q, q, qLen) );
/*
* Algorithm 1 of FIPS 186-2 Change Notice 1, Step 3.3
*
* xj = (w0 || w1) mod q
*/
CHECK_MPI_OK( mp_mod(&W, &Q, &Xj) );
CHECK_MPI_OK( mp_to_fixlen_octets(&Xj, xj, qLen) );
cleanup:
mp_clear(&W);
mp_clear(&Q);
mp_clear(&Xj);
if (err) {
MP_TO_SEC_ERROR(err);
rv = SECFailure;
}
return rv;
}示例10: KEA_Verify
PRBool
KEA_Verify(SECItem *Y, SECItem *prime, SECItem *subPrime)
{
mp_int p, q, y, r;
mp_err err;
int cmp = 1; /* default is false */
if (!Y || !prime || !subPrime) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
MP_DIGITS(&p) = 0;
MP_DIGITS(&q) = 0;
MP_DIGITS(&y) = 0;
MP_DIGITS(&r) = 0;
CHECK_MPI_OK( mp_init(&p) );
CHECK_MPI_OK( mp_init(&q) );
CHECK_MPI_OK( mp_init(&y) );
CHECK_MPI_OK( mp_init(&r) );
SECITEM_TO_MPINT(*prime, &p);
SECITEM_TO_MPINT(*subPrime, &q);
SECITEM_TO_MPINT(*Y, &y);
/* compute r = y**q mod p */
CHECK_MPI_OK( mp_exptmod(&y, &q, &p, &r) );
/* compare to 1 */
cmp = mp_cmp_d(&r, 1);
cleanup:
mp_clear(&p);
mp_clear(&q);
mp_clear(&y);
mp_clear(&r);
if (err) {
MP_TO_SEC_ERROR(err);
return PR_FALSE;
}
return (cmp == 0) ? PR_TRUE : PR_FALSE;
}示例11: init_blinding_params
static SECStatus
init_blinding_params(struct RSABlindingParamsStr *rsabp, RSAPrivateKey *key,
mp_int *n, unsigned int modLen)
{
SECStatus rv = SECSuccess;
mp_err err = MP_OKAY;
MP_DIGITS(&rsabp->f) = 0;
MP_DIGITS(&rsabp->g) = 0;
/* initialize blinding parameters */
CHECK_MPI_OK( mp_init(&rsabp->f) );
CHECK_MPI_OK( mp_init(&rsabp->g) );
/* List elements are keyed using the modulus */
SECITEM_CopyItem(NULL, &rsabp->modulus, &key->modulus);
CHECK_SEC_OK( generate_blinding_params(rsabp, key, n, modLen) );
return SECSuccess;
cleanup:
mp_clear(&rsabp->f);
mp_clear(&rsabp->g);
if (err) {
MP_TO_SEC_ERROR(err);
rv = SECFailure;
}
return rv;
}示例12: DH_Derive
//.........这里部分代码省略.........
CHECK_MPI_OK( mp_init(&p) );
CHECK_MPI_OK( mp_init(&Xa) );
CHECK_MPI_OK( mp_init(&Yb) );
CHECK_MPI_OK( mp_init(&ZZ) );
CHECK_MPI_OK( mp_init(&psub1) );
SECITEM_TO_MPINT(*publicValue, &Yb);
SECITEM_TO_MPINT(*privateValue, &Xa);
SECITEM_TO_MPINT(*prime, &p);
CHECK_MPI_OK( mp_sub_d(&p, 1, &psub1) );
/* We assume that the modulus, p, is a safe prime. That is, p = 2q+1 where
* q is also a prime. Thus the orders of the subgroups are factors of 2q:
* namely 1, 2, q and 2q.
*
* We check that the peer's public value isn't zero (which isn't in the
* group), one (subgroup of order one) or p-1 (subgroup of order 2). We
* also check that the public value is less than p, to avoid being fooled
* by values like p+1 or 2*p-1.
*
* Thus we must be operating in the subgroup of size q or 2q. */
if (mp_cmp_d(&Yb, 1) <= 0 ||
mp_cmp(&Yb, &psub1) >= 0) {
err = MP_BADARG;
goto cleanup;
}
/* ZZ = (Yb)**Xa mod p */
CHECK_MPI_OK( mp_exptmod(&Yb, &Xa, &p, &ZZ) );
/* number of bytes in the derived secret */
len = mp_unsigned_octet_size(&ZZ);
if (len <= 0) {
err = MP_BADARG;
goto cleanup;
}
/*
* We check to make sure that ZZ is not equal to 1 or -1 mod p.
* This helps guard against small subgroup attacks, since an attacker
* using a subgroup of size N will produce 1 or -1 with probability 1/N.
* When the protocol is executed within a properly large subgroup, the
* probability of this result will be negligibly small. For example,
* with a strong prime of the form 2p+1, the probability will be 1/p.
*
* We return MP_BADARG because this is probably the result of a bad
* public value or a bad prime having been provided.
*/
if (mp_cmp_d(&ZZ, 1) == 0 ||
mp_cmp(&ZZ, &psub1) == 0) {
err = MP_BADARG;
goto cleanup;
}
/* allocate a buffer which can hold the entire derived secret. */
secret = PORT_Alloc(len);
if (secret == NULL) {
err = MP_MEM;
goto cleanup;
}
/* grab the derived secret */
err = mp_to_unsigned_octets(&ZZ, secret, len);
if (err >= 0) err = MP_OKAY;
/*
** if outBytes is 0 take all of the bytes from the derived secret.
** if outBytes is not 0 take exactly outBytes from the derived secret, zero
** pad at the beginning if necessary, and truncate beginning bytes
** if necessary.
*/
if (outBytes > 0)
nb = outBytes;
else
nb = len;
if (SECITEM_AllocItem(NULL, derivedSecret, nb) == NULL) {
err = MP_MEM;
goto cleanup;
}
if (len < nb) {
unsigned int offset = nb - len;
memset(derivedSecret->data, 0, offset);
memcpy(derivedSecret->data + offset, secret, len);
} else {
memcpy(derivedSecret->data, secret + len - nb, nb);
}
cleanup:
mp_clear(&p);
mp_clear(&Xa);
mp_clear(&Yb);
mp_clear(&ZZ);
mp_clear(&psub1);
if (secret) {
/* free the buffer allocated for the full secret. */
PORT_ZFree(secret, len);
}
if (err) {
MP_TO_SEC_ERROR(err);
if (derivedSecret->data)
PORT_ZFree(derivedSecret->data, derivedSecret->len);
return SECFailure;
}
return SECSuccess;
}示例13: KEA_Derive
SECStatus
KEA_Derive(SECItem *prime,
SECItem *public1,
SECItem *public2,
SECItem *private1,
SECItem *private2,
SECItem *derivedSecret)
{
mp_int p, Y, R, r, x, t, u, w;
mp_err err;
unsigned char *secret = NULL;
unsigned int len = 0, offset;
if (!prime || !public1 || !public2 || !private1 || !private2 ||
!derivedSecret) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
memset(derivedSecret, 0, sizeof *derivedSecret);
MP_DIGITS(&p) = 0;
MP_DIGITS(&Y) = 0;
MP_DIGITS(&R) = 0;
MP_DIGITS(&r) = 0;
MP_DIGITS(&x) = 0;
MP_DIGITS(&t) = 0;
MP_DIGITS(&u) = 0;
MP_DIGITS(&w) = 0;
CHECK_MPI_OK( mp_init(&p) );
CHECK_MPI_OK( mp_init(&Y) );
CHECK_MPI_OK( mp_init(&R) );
CHECK_MPI_OK( mp_init(&r) );
CHECK_MPI_OK( mp_init(&x) );
CHECK_MPI_OK( mp_init(&t) );
CHECK_MPI_OK( mp_init(&u) );
CHECK_MPI_OK( mp_init(&w) );
SECITEM_TO_MPINT(*prime, &p);
SECITEM_TO_MPINT(*public1, &Y);
SECITEM_TO_MPINT(*public2, &R);
SECITEM_TO_MPINT(*private1, &r);
SECITEM_TO_MPINT(*private2, &x);
/* t = DH(Y, r, p) = Y ** r mod p */
CHECK_MPI_OK( mp_exptmod(&Y, &r, &p, &t) );
/* u = DH(R, x, p) = R ** x mod p */
CHECK_MPI_OK( mp_exptmod(&R, &x, &p, &u) );
/* w = (t + u) mod p */
CHECK_MPI_OK( mp_addmod(&t, &u, &p, &w) );
/* allocate a buffer for the full derived secret */
len = mp_unsigned_octet_size(&w);
secret = PORT_Alloc(len);
if (secret == NULL) {
err = MP_MEM;
goto cleanup;
}
/* grab the secret */
err = mp_to_unsigned_octets(&w, secret, len);
if (err > 0) err = MP_OKAY;
/* allocate output buffer */
if (SECITEM_AllocItem(NULL, derivedSecret, KEA_DERIVED_SECRET_LEN)
== NULL) {
err = MP_MEM;
goto cleanup;
}
memset(derivedSecret->data, 0, derivedSecret->len);
/* copy in the 128 lsb of the secret */
if (len >= KEA_DERIVED_SECRET_LEN) {
memcpy(derivedSecret->data, secret + (len - KEA_DERIVED_SECRET_LEN),
KEA_DERIVED_SECRET_LEN);
} else {
offset = KEA_DERIVED_SECRET_LEN - len;
memcpy(derivedSecret->data + offset, secret, len);
}
cleanup:
mp_clear(&p);
mp_clear(&Y);
mp_clear(&R);
mp_clear(&r);
mp_clear(&x);
mp_clear(&t);
mp_clear(&u);
mp_clear(&w);
if (secret)
PORT_ZFree(secret, len);
if (err) {
MP_TO_SEC_ERROR(err);
if (derivedSecret->data)
PORT_ZFree(derivedSecret->data, derivedSecret->len);
return SECFailure;
}
return SECSuccess;
}示例14: rsa_build_from_primes
static SECStatus
rsa_build_from_primes(mp_int *p, mp_int *q,
mp_int *e, PRBool needPublicExponent,
mp_int *d, PRBool needPrivateExponent,
RSAPrivateKey *key, unsigned int keySizeInBits)
{
mp_int n, phi;
mp_int psub1, qsub1, tmp;
mp_err err = MP_OKAY;
SECStatus rv = SECSuccess;
MP_DIGITS(&n) = 0;
MP_DIGITS(&phi) = 0;
MP_DIGITS(&psub1) = 0;
MP_DIGITS(&qsub1) = 0;
MP_DIGITS(&tmp) = 0;
CHECK_MPI_OK( mp_init(&n) );
CHECK_MPI_OK( mp_init(&phi) );
CHECK_MPI_OK( mp_init(&psub1) );
CHECK_MPI_OK( mp_init(&qsub1) );
CHECK_MPI_OK( mp_init(&tmp) );
/* 1. Compute n = p*q */
CHECK_MPI_OK( mp_mul(p, q, &n) );
/* verify that the modulus has the desired number of bits */
if ((unsigned)mpl_significant_bits(&n) != keySizeInBits) {
PORT_SetError(SEC_ERROR_NEED_RANDOM);
rv = SECFailure;
goto cleanup;
}
/* at least one exponent must be given */
PORT_Assert(!(needPublicExponent && needPrivateExponent));
/* 2. Compute phi = (p-1)*(q-1) */
CHECK_MPI_OK( mp_sub_d(p, 1, &psub1) );
CHECK_MPI_OK( mp_sub_d(q, 1, &qsub1) );
if (needPublicExponent || needPrivateExponent) {
CHECK_MPI_OK( mp_mul(&psub1, &qsub1, &phi) );
/* 3. Compute d = e**-1 mod(phi) */
/* or e = d**-1 mod(phi) as necessary */
if (needPublicExponent) {
err = mp_invmod(d, &phi, e);
} else {
err = mp_invmod(e, &phi, d);
}
} else {
err = MP_OKAY;
}
/* Verify that phi(n) and e have no common divisors */
if (err != MP_OKAY) {
if (err == MP_UNDEF) {
PORT_SetError(SEC_ERROR_NEED_RANDOM);
err = MP_OKAY; /* to keep PORT_SetError from being called again */
rv = SECFailure;
}
goto cleanup;
}
/* 4. Compute exponent1 = d mod (p-1) */
CHECK_MPI_OK( mp_mod(d, &psub1, &tmp) );
MPINT_TO_SECITEM(&tmp, &key->exponent1, key->arena);
/* 5. Compute exponent2 = d mod (q-1) */
CHECK_MPI_OK( mp_mod(d, &qsub1, &tmp) );
MPINT_TO_SECITEM(&tmp, &key->exponent2, key->arena);
/* 6. Compute coefficient = q**-1 mod p */
CHECK_MPI_OK( mp_invmod(q, p, &tmp) );
MPINT_TO_SECITEM(&tmp, &key->coefficient, key->arena);
/* copy our calculated results, overwrite what is there */
key->modulus.data = NULL;
MPINT_TO_SECITEM(&n, &key->modulus, key->arena);
key->privateExponent.data = NULL;
MPINT_TO_SECITEM(d, &key->privateExponent, key->arena);
key->publicExponent.data = NULL;
MPINT_TO_SECITEM(e, &key->publicExponent, key->arena);
key->prime1.data = NULL;
MPINT_TO_SECITEM(p, &key->prime1, key->arena);
key->prime2.data = NULL;
MPINT_TO_SECITEM(q, &key->prime2, key->arena);
cleanup:
mp_clear(&n);
mp_clear(&phi);
mp_clear(&psub1);
mp_clear(&qsub1);
mp_clear(&tmp);
if (err) {
MP_TO_SEC_ERROR(err);
rv = SECFailure;
}
return rv;
}示例15: DH_NewKey
SECStatus
DH_NewKey(DHParams *params, DHPrivateKey **privKey)
{
PLArenaPool *arena;
DHPrivateKey *key;
mp_int g, xa, p, Ya;
mp_err err = MP_OKAY;
SECStatus rv = SECSuccess;
if (!params || !privKey) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
arena = PORT_NewArena(NSS_FREEBL_DEFAULT_CHUNKSIZE);
if (!arena) {
PORT_SetError(SEC_ERROR_NO_MEMORY);
return SECFailure;
}
key = (DHPrivateKey *)PORT_ArenaZAlloc(arena, sizeof(DHPrivateKey));
if (!key) {
PORT_SetError(SEC_ERROR_NO_MEMORY);
PORT_FreeArena(arena, PR_TRUE);
return SECFailure;
}
key->arena = arena;
MP_DIGITS(&g) = 0;
MP_DIGITS(&xa) = 0;
MP_DIGITS(&p) = 0;
MP_DIGITS(&Ya) = 0;
CHECK_MPI_OK( mp_init(&g) );
CHECK_MPI_OK( mp_init(&xa) );
CHECK_MPI_OK( mp_init(&p) );
CHECK_MPI_OK( mp_init(&Ya) );
/* Set private key's p */
CHECK_SEC_OK( SECITEM_CopyItem(arena, &key->prime, ¶ms->prime) );
SECITEM_TO_MPINT(key->prime, &p);
/* Set private key's g */
CHECK_SEC_OK( SECITEM_CopyItem(arena, &key->base, ¶ms->base) );
SECITEM_TO_MPINT(key->base, &g);
/* Generate private key xa */
SECITEM_AllocItem(arena, &key->privateValue,
dh_GetSecretKeyLen(params->prime.len));
CHECK_SEC_OK(RNG_GenerateGlobalRandomBytes(key->privateValue.data,
key->privateValue.len));
SECITEM_TO_MPINT( key->privateValue, &xa );
/* xa < p */
CHECK_MPI_OK( mp_mod(&xa, &p, &xa) );
/* Compute public key Ya = g ** xa mod p */
CHECK_MPI_OK( mp_exptmod(&g, &xa, &p, &Ya) );
MPINT_TO_SECITEM(&Ya, &key->publicValue, key->arena);
*privKey = key;
cleanup:
mp_clear(&g);
mp_clear(&xa);
mp_clear(&p);
mp_clear(&Ya);
if (err) {
MP_TO_SEC_ERROR(err);
rv = SECFailure;
}
if (rv) {
*privKey = NULL;
PORT_FreeArena(arena, PR_TRUE);
}
return rv;
}