本文整理匯總了C++中EC_POINT_is_at_infinity函數的典型用法代碼示例。如果您正苦於以下問題:C++ EC_POINT_is_at_infinity函數的具體用法?C++ EC_POINT_is_at_infinity怎麽用?C++ EC_POINT_is_at_infinity使用的例子?那麽, 這裏精選的函數代碼示例或許可以為您提供幫助。
示例1: compute_password_element
//.........這裏部分代碼省略.........
if (!EC_GROUP_get_cofactor(session->group, cofactor, NULL)) {
REDEBUG("unable to get cofactor for curve");
goto error;
}
prime_bit_len = BN_num_bits(session->prime);
prime_byte_len = BN_num_bytes(session->prime);
MEM(prf_buf = talloc_zero_array(session, uint8_t, prime_byte_len));
MEM(hmac_ctx = HMAC_CTX_new());
ctr = 0;
for (;;) {
if (ctr > 10) {
REDEBUG("Unable to find random point on curve for group %d, something's fishy", grp_num);
goto error;
}
ctr++;
/*
* compute counter-mode password value and stretch to prime
* pwd-seed = H(token | peer-id | server-id | password |
* counter)
*/
HMAC_Init_ex(hmac_ctx, allzero, SHA256_DIGEST_LENGTH, EVP_sha256(), NULL);
HMAC_Update(hmac_ctx, (uint8_t *)token, sizeof(*token));
HMAC_Update(hmac_ctx, (uint8_t const *)id_peer, id_peer_len);
HMAC_Update(hmac_ctx, (uint8_t const *)id_server, id_server_len);
HMAC_Update(hmac_ctx, (uint8_t const *)password, password_len);
HMAC_Update(hmac_ctx, (uint8_t *)&ctr, sizeof(ctr));
pwd_hmac_final(hmac_ctx, pwe_digest);
BN_bin2bn(pwe_digest, SHA256_DIGEST_LENGTH, rnd);
eap_pwd_kdf(pwe_digest, SHA256_DIGEST_LENGTH, "EAP-pwd Hunting And Pecking",
strlen("EAP-pwd Hunting And Pecking"), prf_buf, prime_bit_len);
BN_bin2bn(prf_buf, prime_byte_len, x_candidate);
/*
* eap_pwd_kdf() returns a string of bits 0..prime_bit_len but
* BN_bin2bn will treat that string of bits as a big endian
* number. If the prime_bit_len is not an even multiple of 8
* then excessive bits-- those _after_ prime_bit_len-- so now
* we have to shift right the amount we masked off.
*/
if (prime_bit_len % 8) BN_rshift(x_candidate, x_candidate, (8 - (prime_bit_len % 8)));
if (BN_ucmp(x_candidate, session->prime) >= 0) continue;
/*
* need to unambiguously identify the solution, if there is
* one...
*/
is_odd = BN_is_odd(rnd) ? 1 : 0;
/*
* solve the quadratic equation, if it's not solvable then we
* don't have a point
*/
if (!EC_POINT_set_compressed_coordinates_GFp(session->group, session->pwe, x_candidate, is_odd, NULL)) {
continue;
}
/*
* If there's a solution to the equation then the point must be
* on the curve so why check again explicitly? OpenSSL code
* says this is required by X9.62. We're not X9.62 but it can't
* hurt just to be sure.
*/
if (!EC_POINT_is_on_curve(session->group, session->pwe, NULL)) {
REDEBUG("Point is not on curve");
continue;
}
if (BN_cmp(cofactor, BN_value_one())) {
/* make sure the point is not in a small sub-group */
if (!EC_POINT_mul(session->group, session->pwe, NULL, session->pwe,
cofactor, NULL)) {
RDEBUG("Cannot multiply generator by order");
continue;
}
if (EC_POINT_is_at_infinity(session->group, session->pwe)) {
REDEBUG("Point is at infinity");
continue;
}
}
/* if we got here then we have a new generator. */
break;
}
session->group_num = grp_num;
finish:
/* cleanliness and order.... */
HMAC_CTX_free(hmac_ctx);
BN_clear_free(cofactor);
BN_clear_free(x_candidate);
BN_clear_free(rnd);
talloc_free(prf_buf);
return ret;
}
示例2: eccDecrypt
// unsigned char *pM      output: recovered plaintext (the code below sizes it as Clen - 97)
// unsigned char *pPDKey  input: SM2 private key as 32 raw big-endian bytes
// unsigned char *pC      input: ciphertext laid out as C1 (65-byte uncompressed point) || C2 || C3 (32-byte SM3 digest)
// unsigned long Clen     input: total ciphertext length; must be >= 97, but no such check is visible below, so a shorter input makes Clen - 97 wrap around
unsigned char eccDecrypt(unsigned char *pM, unsigned char *pPDKey, unsigned char *pC, unsigned long Clen)
{
EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_sm2p256v1);
EC_GROUP *ec_group = EC_GROUP_new_by_curve_name(NID_sm2p256v1);
KDF_FUNC kdf = KDF_get_x9_63(EVP_sm3());
// 設置私鑰
BIGNUM *pri_key = BN_new();
BN_bin2bn(pPDKey, 32, pri_key);
EC_KEY_set_private_key(ec_key, pri_key);
int ret = 1;
EC_POINT *point = NULL;
BIGNUM *n = NULL;
BIGNUM *h = NULL;
BN_CTX *bn_ctx = NULL;
EVP_MD_CTX *md_ctx = NULL;
unsigned char buf[(OPENSSL_ECC_MAX_FIELD_BITS + 7)/4 + 1];
unsigned char mac[EVP_MAX_MD_SIZE];
unsigned int maclen;
int nbytes;
size_t size;
size_t i;
if (!ec_group || !pri_key) {
goto end;
}
if (!kdf) {
goto end;
}
EC_POINT *ephem_point = EC_POINT_new(ec_group);
EC_POINT_oct2point(ec_group, ephem_point, pC, 65, NULL);
/* init vars */
point = EC_POINT_new(ec_group);
n = BN_new();
h = BN_new();
bn_ctx = BN_CTX_new();
md_ctx = EVP_MD_CTX_create();
if (!point || !n || !h || !bn_ctx || !md_ctx) {
goto end;
}
/* init ec domain parameters */
if (!EC_GROUP_get_order(ec_group, n, bn_ctx)) {
goto end;
}
if (!EC_GROUP_get_cofactor(ec_group, h, bn_ctx)) {
goto end;
}
nbytes = (EC_GROUP_get_degree(ec_group) + 7) / 8;
/* B2: check [h]C1 != O */
if (!EC_POINT_mul(ec_group, point, NULL, ephem_point, h, bn_ctx)) {
goto end;
}
if (EC_POINT_is_at_infinity(ec_group, point)) {
goto end;
}
/* B3: compute ECDH [d]C1 = (x2, y2) */
if (!EC_POINT_mul(ec_group, point, NULL, ephem_point, pri_key, bn_ctx)) {
goto end;
}
if (!(size = EC_POINT_point2oct(ec_group, point,
POINT_CONVERSION_UNCOMPRESSED, buf, sizeof(buf), bn_ctx))) {
goto end;
}
OPENSSL_assert(size == 1 + nbytes * 2);
/* B4: compute t = KDF(x2 || y2, clen) */
size_t len = 0;
size_t *outlen = &len;
*outlen = Clen - 97; //FIXME: duplicated code
unsigned char *out = (unsigned char *)OPENSSL_malloc(*outlen);
kdf(buf + 1, size - 1, out, outlen);
unsigned char *ciphertext = pC + 65;
/* B5: compute M = C2 xor t */
for (i = 0; i < len; i++) {
out[i] ^= ciphertext[i];
}
*outlen = len;
if (1) {
/* B6: check Hash(x2 || M || y2) == C3 */
if (!EVP_DigestInit_ex(md_ctx, EVP_sm3(), NULL)) {
goto end;
}
if (!EVP_DigestUpdate(md_ctx, buf + 1, nbytes)) {
goto end;
//.........這裏部分代碼省略.........
示例3: process_peer_commit
int process_peer_commit(REQUEST *request, pwd_session_t *session, uint8_t *in, size_t in_len, BN_CTX *bn_ctx)
{
uint8_t *ptr;
size_t data_len;
BIGNUM *x = NULL, *y = NULL, *cofactor = NULL;
EC_POINT *K = NULL, *point = NULL;
int ret = 1;
MEM(session->peer_scalar = BN_new());
MEM(session->k = BN_new());
MEM(session->peer_element = EC_POINT_new(session->group));
MEM(point = EC_POINT_new(session->group));
MEM(K = EC_POINT_new(session->group));
MEM(cofactor = BN_new());
MEM(x = BN_new());
MEM(y = BN_new());
if (!EC_GROUP_get_cofactor(session->group, cofactor, NULL)) {
REDEBUG("Unable to get group co-factor");
goto finish;
}
/* element, x then y, followed by scalar */
ptr = (uint8_t *)in;
data_len = BN_num_bytes(session->prime);
/*
* Did the peer send enough data?
*/
if (in_len < (2 * data_len + BN_num_bytes(session->order))) {
REDEBUG("Invalid commit packet");
goto finish;
}
BN_bin2bn(ptr, data_len, x);
ptr += data_len;
BN_bin2bn(ptr, data_len, y);
ptr += data_len;
data_len = BN_num_bytes(session->order);
BN_bin2bn(ptr, data_len, session->peer_scalar);
/* validate received scalar */
if (BN_is_zero(session->peer_scalar) ||
BN_is_one(session->peer_scalar) ||
BN_cmp(session->peer_scalar, session->order) >= 0) {
REDEBUG("Peer's scalar is not within the allowed range");
goto finish;
}
if (!EC_POINT_set_affine_coordinates_GFp(session->group, session->peer_element, x, y, bn_ctx)) {
REDEBUG("Unable to get coordinates of peer's element");
goto finish;
}
/* validate received element */
if (!EC_POINT_is_on_curve(session->group, session->peer_element, bn_ctx) ||
EC_POINT_is_at_infinity(session->group, session->peer_element)) {
REDEBUG("Peer's element is not a point on the elliptic curve");
goto finish;
}
/* check to ensure peer's element is not in a small sub-group */
if (BN_cmp(cofactor, BN_value_one())) {
if (!EC_POINT_mul(session->group, point, NULL, session->peer_element, cofactor, NULL)) {
REDEBUG("Unable to multiply element by co-factor");
goto finish;
}
if (EC_POINT_is_at_infinity(session->group, point)) {
REDEBUG("Peer's element is in small sub-group");
goto finish;
}
}
/* detect reflection attacks */
if (BN_cmp(session->peer_scalar, session->my_scalar) == 0 ||
EC_POINT_cmp(session->group, session->peer_element, session->my_element, bn_ctx) == 0) {
REDEBUG("Reflection attack detected");
goto finish;
}
/* compute the shared key, k */
if ((!EC_POINT_mul(session->group, K, NULL, session->pwe, session->peer_scalar, bn_ctx)) ||
(!EC_POINT_add(session->group, K, K, session->peer_element, bn_ctx)) ||
(!EC_POINT_mul(session->group, K, NULL, K, session->private_value, bn_ctx))) {
REDEBUG("Unable to compute shared key, k");
goto finish;
}
/* ensure that the shared key isn't in a small sub-group */
if (BN_cmp(cofactor, BN_value_one())) {
if (!EC_POINT_mul(session->group, K, NULL, K, cofactor, NULL)) {
REDEBUG("Unable to multiply k by co-factor");
goto finish;
}
}
/*
//.........這裏部分代碼省略.........
示例4: ec_GFp_simple_dbl
int
ec_GFp_simple_dbl(const EC_GROUP * group, EC_POINT * r, const EC_POINT * a, BN_CTX * ctx)
{
int (*field_mul) (const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
int (*field_sqr) (const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
const BIGNUM *p;
BN_CTX *new_ctx = NULL;
BIGNUM *n0, *n1, *n2, *n3;
int ret = 0;
if (EC_POINT_is_at_infinity(group, a) > 0) {
BN_zero(&r->Z);
r->Z_is_one = 0;
return 1;
}
field_mul = group->meth->field_mul;
field_sqr = group->meth->field_sqr;
p = &group->field;
if (ctx == NULL) {
ctx = new_ctx = BN_CTX_new();
if (ctx == NULL)
return 0;
}
BN_CTX_start(ctx);
if ((n0 = BN_CTX_get(ctx)) == NULL)
goto err;
if ((n1 = BN_CTX_get(ctx)) == NULL)
goto err;
if ((n2 = BN_CTX_get(ctx)) == NULL)
goto err;
if ((n3 = BN_CTX_get(ctx)) == NULL)
goto err;
/*
* Note that in this function we must not read components of 'a' once
* we have written the corresponding components of 'r'. ('r' might
* the same as 'a'.)
*/
/* n1 */
if (a->Z_is_one) {
if (!field_sqr(group, n0, &a->X, ctx))
goto err;
if (!BN_mod_lshift1_quick(n1, n0, p))
goto err;
if (!BN_mod_add_quick(n0, n0, n1, p))
goto err;
if (!BN_mod_add_quick(n1, n0, &group->a, p))
goto err;
/* n1 = 3 * X_a^2 + a_curve */
} else if (group->a_is_minus3) {
if (!field_sqr(group, n1, &a->Z, ctx))
goto err;
if (!BN_mod_add_quick(n0, &a->X, n1, p))
goto err;
if (!BN_mod_sub_quick(n2, &a->X, n1, p))
goto err;
if (!field_mul(group, n1, n0, n2, ctx))
goto err;
if (!BN_mod_lshift1_quick(n0, n1, p))
goto err;
if (!BN_mod_add_quick(n1, n0, n1, p))
goto err;
/*
* n1 = 3 * (X_a + Z_a^2) * (X_a - Z_a^2) = 3 * X_a^2 - 3 *
* Z_a^4
*/
} else {
if (!field_sqr(group, n0, &a->X, ctx))
goto err;
if (!BN_mod_lshift1_quick(n1, n0, p))
goto err;
if (!BN_mod_add_quick(n0, n0, n1, p))
goto err;
if (!field_sqr(group, n1, &a->Z, ctx))
goto err;
if (!field_sqr(group, n1, n1, ctx))
goto err;
if (!field_mul(group, n1, n1, &group->a, ctx))
goto err;
if (!BN_mod_add_quick(n1, n1, n0, p))
goto err;
/* n1 = 3 * X_a^2 + a_curve * Z_a^4 */
}
/* Z_r */
if (a->Z_is_one) {
if (!BN_copy(n0, &a->Y))
goto err;
} else {
if (!field_mul(group, n0, &a->Y, &a->Z, ctx))
goto err;
}
if (!BN_mod_lshift1_quick(&r->Z, n0, p))
goto err;
r->Z_is_one = 0;
/* Z_r = 2 * Y_a * Z_a */
/* n2 */
//.........這裏部分代碼省略.........
示例5: eap_pwd_perform_commit_exchange
static struct wpabuf *
eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
struct eap_method_ret *ret,
const struct wpabuf *reqData,
const u8 *payload, size_t payload_len)
{
struct wpabuf *resp = NULL;
EC_POINT *K = NULL, *point = NULL;
BIGNUM *mask = NULL, *x = NULL, *y = NULL, *cofactor = NULL;
u16 offset;
u8 *ptr, *scalar = NULL, *element = NULL;
if (((data->private_value = BN_new()) == NULL) ||
((data->my_element = EC_POINT_new(data->grp->group)) == NULL) ||
((cofactor = BN_new()) == NULL) ||
((data->my_scalar = BN_new()) == NULL) ||
((mask = BN_new()) == NULL)) {
wpa_printf(MSG_INFO, "EAP-PWD (peer): scalar allocation fail");
goto fin;
}
if (!EC_GROUP_get_cofactor(data->grp->group, cofactor, NULL)) {
wpa_printf(MSG_INFO, "EAP-pwd (peer): unable to get cofactor "
"for curve");
goto fin;
}
BN_rand_range(data->private_value, data->grp->order);
BN_rand_range(mask, data->grp->order);
BN_add(data->my_scalar, data->private_value, mask);
BN_mod(data->my_scalar, data->my_scalar, data->grp->order,
data->bnctx);
if (!EC_POINT_mul(data->grp->group, data->my_element, NULL,
data->grp->pwe, mask, data->bnctx)) {
wpa_printf(MSG_INFO, "EAP-PWD (peer): element allocation "
"fail");
eap_pwd_state(data, FAILURE);
goto fin;
}
if (!EC_POINT_invert(data->grp->group, data->my_element, data->bnctx))
{
wpa_printf(MSG_INFO, "EAP-PWD (peer): element inversion fail");
goto fin;
}
BN_free(mask);
if (((x = BN_new()) == NULL) ||
((y = BN_new()) == NULL)) {
wpa_printf(MSG_INFO, "EAP-PWD (peer): point allocation fail");
goto fin;
}
/* process the request */
if (((data->server_scalar = BN_new()) == NULL) ||
((data->k = BN_new()) == NULL) ||
((K = EC_POINT_new(data->grp->group)) == NULL) ||
((point = EC_POINT_new(data->grp->group)) == NULL) ||
((data->server_element = EC_POINT_new(data->grp->group)) == NULL))
{
wpa_printf(MSG_INFO, "EAP-PWD (peer): peer data allocation "
"fail");
goto fin;
}
/* element, x then y, followed by scalar */
ptr = (u8 *) payload;
BN_bin2bn(ptr, BN_num_bytes(data->grp->prime), x);
ptr += BN_num_bytes(data->grp->prime);
BN_bin2bn(ptr, BN_num_bytes(data->grp->prime), y);
ptr += BN_num_bytes(data->grp->prime);
BN_bin2bn(ptr, BN_num_bytes(data->grp->order), data->server_scalar);
if (!EC_POINT_set_affine_coordinates_GFp(data->grp->group,
data->server_element, x, y,
data->bnctx)) {
wpa_printf(MSG_INFO, "EAP-PWD (peer): setting peer element "
"fail");
goto fin;
}
/* check to ensure server's element is not in a small sub-group */
if (BN_cmp(cofactor, BN_value_one())) {
if (!EC_POINT_mul(data->grp->group, point, NULL,
data->server_element, cofactor, NULL)) {
wpa_printf(MSG_INFO, "EAP-PWD (peer): cannot multiply "
"server element by order!\n");
goto fin;
}
if (EC_POINT_is_at_infinity(data->grp->group, point)) {
wpa_printf(MSG_INFO, "EAP-PWD (peer): server element "
"is at infinity!\n");
goto fin;
}
}
/* compute the shared key, k */
if ((!EC_POINT_mul(data->grp->group, K, NULL, data->grp->pwe,
data->server_scalar, data->bnctx)) ||
(!EC_POINT_add(data->grp->group, K, K, data->server_element,
//.........這裏部分代碼省略.........
示例6: ECDSA_SIG_recover_key_GFp
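// Perform ECDSA public-key recovery (SEC1 4.1.6) for curves over prime
// (mod p) fields.
//
//   eckey  - its group selects the curve; on success the recovered public
//            key is stored into it
//   ecsig  - the signature (r, s) the key is recovered from
//   msg    - the big-endian message digest that was signed (msglen bytes)
//   recid  - recovery id: recid & 1 is the parity of R's y coordinate,
//            recid / 2 is the multiple j of the order added to r to form
//            R's x coordinate
//   check  - when nonzero, additionally verify that n*R == O, i.e. that the
//            reconstructed R lies in the order-n subgroup
//
// Returns 1 on success; 0 when no key can be recovered for this
// (signature, recid) pair, including malformed input; -1 on a BIGNUM or
// allocation failure; -2 on an EC library failure.
int ECDSA_SIG_recover_key_GFp(EC_KEY *eckey, ECDSA_SIG *ecsig, const unsigned char *msg, int msglen, int recid, int check)
{
    if (!eckey || !ecsig || msglen < 0 || (!msg && msglen > 0)) return 0;
    // recid / 2 is handed to BN_mul_word as an unsigned multiplier, so a
    // negative recid would turn into a huge j; reject it up front.
    if (recid < 0) return 0;
    int ret = 0;
    BN_CTX *ctx = NULL;
    BIGNUM *x = NULL;
    BIGNUM *e = NULL;
    BIGNUM *order = NULL;
    BIGNUM *sor = NULL;
    BIGNUM *eor = NULL;
    BIGNUM *field = NULL;
    EC_POINT *R = NULL;
    EC_POINT *O = NULL;
    EC_POINT *Q = NULL;
    BIGNUM *rr = NULL;
    int n = 0;
    int i = recid / 2;
    const EC_GROUP *group = EC_KEY_get0_group(eckey);
    if (!group) return 0;
    if ((ctx = BN_CTX_new()) == NULL) { ret = -1; goto err; }
    BN_CTX_start(ctx);
    // Take every temporary now. Once one BN_CTX_get fails, all later calls
    // return NULL as well, so checking the last pointer covers all of them.
    order = BN_CTX_get(ctx);
    x = BN_CTX_get(ctx);
    field = BN_CTX_get(ctx);
    e = BN_CTX_get(ctx);
    rr = BN_CTX_get(ctx);
    sor = BN_CTX_get(ctx);
    eor = BN_CTX_get(ctx);
    if (eor == NULL) { ret = -1; goto err; }
    if (!EC_GROUP_get_order(group, order, ctx)) { ret = -2; goto err; }
    // A valid signature has 1 <= r, s <= n-1 (SEC1 4.1.4 step 1). Without
    // this, r == 0 surfaces as a BN_mod_inverse failure (-1) instead of
    // "not recoverable" (0), and an out-of-range r is silently reduced.
    if (BN_is_negative(ecsig->r) || BN_is_zero(ecsig->r) || BN_cmp(ecsig->r, order) >= 0 ||
        BN_is_negative(ecsig->s) || BN_is_zero(ecsig->s) || BN_cmp(ecsig->s, order) >= 0) {
        ret = 0; goto err;
    }
    // Candidate x coordinate of R: x = r + j*n with j = recid / 2.
    if (!BN_copy(x, order)) { ret=-1; goto err; }
    if (!BN_mul_word(x, i)) { ret=-1; goto err; }
    if (!BN_add(x, x, ecsig->r)) { ret=-1; goto err; }
    if (!EC_GROUP_get_curve_GFp(group, field, NULL, NULL, ctx)) { ret=-2; goto err; }
    // x must be a field element; a larger candidate means this recid is
    // impossible for the given r, not an error.
    if (BN_cmp(x, field) >= 0) { ret=0; goto err; }
    if ((R = EC_POINT_new(group)) == NULL) { ret = -2; goto err; }
    // Decompress (x, parity = recid & 1) into R. Failure means x is not the
    // x coordinate of any point on the curve, so no key exists for this recid.
    if (!EC_POINT_set_compressed_coordinates_GFp(group, R, x, recid % 2, ctx)) { ret=0; goto err; }
    if (check)
    {
        // n*R must be the point at infinity, i.e. R has order n.
        if ((O = EC_POINT_new(group)) == NULL) { ret = -2; goto err; }
        if (!EC_POINT_mul(group, O, NULL, R, order, ctx)) { ret=-2; goto err; }
        if (!EC_POINT_is_at_infinity(group, O)) { ret = 0; goto err; }
    }
    if ((Q = EC_POINT_new(group)) == NULL) { ret = -2; goto err; }
    // e = the leftmost bits of the digest, truncated to the bit length of the
    // order n exactly as the signer does (SEC1 4.1.3 step 5). Shifting by the
    // full excess also handles digests more than one byte longer than n,
    // which a fixed shift of 8 - (n & 7) does not.
    n = BN_num_bits(order);
    if (!BN_bin2bn(msg, msglen, e)) { ret=-1; goto err; }
    if (8*msglen > n && !BN_rshift(e, e, 8*msglen - n)) { ret=-1; goto err; }
    // e := -e mod n, computed as (n - e) mod n so no separate zero BIGNUM
    // (and no version-dependent BN_zero return value) is needed.
    if (!BN_mod_sub(e, order, e, order, ctx)) { ret=-1; goto err; }
    if (!BN_mod_inverse(rr, ecsig->r, order, ctx)) { ret=-1; goto err; }
    if (!BN_mod_mul(sor, ecsig->s, rr, order, ctx)) { ret=-1; goto err; }
    if (!BN_mod_mul(eor, e, rr, order, ctx)) { ret=-1; goto err; }
    // Q = r^-1 * (s*R - e*G), evaluated as eor*G + sor*R.
    if (!EC_POINT_mul(group, Q, eor, R, sor, ctx)) { ret=-2; goto err; }
    // Never hand back the point at infinity as a public key.
    if (EC_POINT_is_at_infinity(group, Q)) { ret = 0; goto err; }
    if (!EC_KEY_set_public_key(eckey, Q)) { ret=-2; goto err; }
    ret = 1;
err:
    if (ctx) {
        BN_CTX_end(ctx);
        BN_CTX_free(ctx);
    }
    // EC_POINT_free accepts NULL, so no guards are needed here.
    EC_POINT_free(R);
    EC_POINT_free(O);
    EC_POINT_free(Q);
    return ret;
}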
示例7: ec_GFp_simple_point_get_affine_coordinates
int
ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP * group, const EC_POINT * point,
BIGNUM * x, BIGNUM * y, BN_CTX * ctx)
{
BN_CTX *new_ctx = NULL;
BIGNUM *Z, *Z_1, *Z_2, *Z_3;
const BIGNUM *Z_;
int ret = 0;
if (EC_POINT_is_at_infinity(group, point) > 0) {
ECerr(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES, EC_R_POINT_AT_INFINITY);
return 0;
}
if (ctx == NULL) {
ctx = new_ctx = BN_CTX_new();
if (ctx == NULL)
return 0;
}
BN_CTX_start(ctx);
if ((Z = BN_CTX_get(ctx)) == NULL)
goto err;
if ((Z_1 = BN_CTX_get(ctx)) == NULL)
goto err;
if ((Z_2 = BN_CTX_get(ctx)) == NULL)
goto err;
if ((Z_3 = BN_CTX_get(ctx)) == NULL)
goto err;
/* transform (X, Y, Z) into (x, y) := (X/Z^2, Y/Z^3) */
if (group->meth->field_decode) {
if (!group->meth->field_decode(group, Z, &point->Z, ctx))
goto err;
Z_ = Z;
} else {
Z_ = &point->Z;
}
if (BN_is_one(Z_)) {
if (group->meth->field_decode) {
if (x != NULL) {
if (!group->meth->field_decode(group, x, &point->X, ctx))
goto err;
}
if (y != NULL) {
if (!group->meth->field_decode(group, y, &point->Y, ctx))
goto err;
}
} else {
if (x != NULL) {
if (!BN_copy(x, &point->X))
goto err;
}
if (y != NULL) {
if (!BN_copy(y, &point->Y))
goto err;
}
}
} else {
if (!BN_mod_inverse(Z_1, Z_, &group->field, ctx)) {
ECerr(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES, ERR_R_BN_LIB);
goto err;
}
if (group->meth->field_encode == 0) {
/* field_sqr works on standard representation */
if (!group->meth->field_sqr(group, Z_2, Z_1, ctx))
goto err;
} else {
if (!BN_mod_sqr(Z_2, Z_1, &group->field, ctx))
goto err;
}
if (x != NULL) {
/*
* in the Montgomery case, field_mul will cancel out
* Montgomery factor in X:
*/
if (!group->meth->field_mul(group, x, &point->X, Z_2, ctx))
goto err;
}
if (y != NULL) {
if (group->meth->field_encode == 0) {
/* field_mul works on standard representation */
if (!group->meth->field_mul(group, Z_3, Z_2, Z_1, ctx))
goto err;
} else {
if (!BN_mod_mul(Z_3, Z_2, Z_1, &group->field, ctx))
goto err;
}
/*
* in the Montgomery case, field_mul will cancel out
* Montgomery factor in Y:
*/
if (!group->meth->field_mul(group, y, &point->Y, Z_3, ctx))
goto err;
}
}
ret = 1;
//.........這裏部分代碼省略.........
示例8: SM2_do_decrypt
int SM2_do_decrypt(const EVP_MD *kdf_md, const EVP_MD *mac_md,
const SM2_CIPHERTEXT_VALUE *cv, unsigned char *out, size_t *outlen,
EC_KEY *ec_key)
{
int ret = 0;
const EC_GROUP *ec_group = EC_KEY_get0_group(ec_key);
const BIGNUM *pri_key = EC_KEY_get0_private_key(ec_key);
KDF_FUNC kdf = KDF_get_x9_63(kdf_md);
EC_POINT *point = NULL;
BIGNUM *n = NULL;
BIGNUM *h = NULL;
BN_CTX *bn_ctx = NULL;
EVP_MD_CTX *md_ctx = NULL;
unsigned char buf[(OPENSSL_ECC_MAX_FIELD_BITS + 7)/4 + 1];
unsigned char mac[EVP_MAX_MD_SIZE];
unsigned int maclen;
int nbytes;
size_t size;
int i;
OPENSSL_assert(kdf_md && mac_md && cv && ec_key);
OPENSSL_assert(cv->ephem_point && cv->ciphertext);
if (!ec_group || !pri_key) {
goto end;
}
if (!kdf) {
goto end;
}
if (!out) {
*outlen = cv->ciphertext_size;
return 1;
}
if (*outlen < cv->ciphertext_size) {
goto end;
}
/* init vars */
point = EC_POINT_new(ec_group);
n = BN_new();
h = BN_new();
bn_ctx = BN_CTX_new();
md_ctx = EVP_MD_CTX_create();
if (!point || !n || !h || !bn_ctx || !md_ctx) {
goto end;
}
/* init ec domain parameters */
if (!EC_GROUP_get_order(ec_group, n, bn_ctx)) {
goto end;
}
if (!EC_GROUP_get_cofactor(ec_group, h, bn_ctx)) {
goto end;
}
nbytes = (EC_GROUP_get_degree(ec_group) + 7) / 8;
//OPENSSL_assert(nbytes == BN_num_bytes(n));
#if 0
/* check sm2 curve and md is 256 bits */
OPENSSL_assert(nbytes == 32);
OPENSSL_assert(EVP_MD_size(kdf_md) == 32);
OPENSSL_assert(EVP_MD_size(mac_md) == 32);
#endif
/* B2: check [h]C1 != O */
if (!EC_POINT_mul(ec_group, point, NULL, cv->ephem_point, h, bn_ctx)) {
goto end;
}
if (EC_POINT_is_at_infinity(ec_group, point)) {
goto end;
}
/* B3: compute ECDH [d]C1 = (x2, y2) */
if (!EC_POINT_mul(ec_group, point, NULL, cv->ephem_point, pri_key, bn_ctx)) {
goto end;
}
if (!(size = EC_POINT_point2oct(ec_group, point,
POINT_CONVERSION_UNCOMPRESSED, buf, sizeof(buf), bn_ctx))) {
goto end;
}
OPENSSL_assert(size == 1 + nbytes * 2);
/* B4: compute t = KDF(x2 || y2, clen) */
*outlen = cv->ciphertext_size; //FIXME: duplicated code
kdf(buf + 1, size - 1, out, outlen);
/* B5: compute M = C2 xor t */
for (i = 0; i < cv->ciphertext_size; i++) {
out[i] ^= cv->ciphertext[i];
}
*outlen = cv->ciphertext_size;
/* B6: check Hash(x2 || M || y2) == C3 */
if (!EVP_DigestInit_ex(md_ctx, mac_md, NULL)) {
goto end;
}
if (!EVP_DigestUpdate(md_ctx, buf + 1, nbytes)) {
//.........這裏部分代碼省略.........
示例9: prime_field_tests
void prime_field_tests()
{
BN_CTX *ctx = NULL;
BIGNUM *p, *a, *b;
EC_GROUP *group;
EC_GROUP *P_160 = NULL, *P_192 = NULL, *P_224 = NULL, *P_256 = NULL, *P_384 = NULL, *P_521 = NULL;
EC_POINT *P, *Q, *R;
BIGNUM *x, *y, *z;
unsigned char buf[100];
size_t i, len;
int k;
#if 1 /* optional */
ctx = BN_CTX_new();
if (!ctx) ABORT;
#endif
p = BN_new();
a = BN_new();
b = BN_new();
if (!p || !a || !b) ABORT;
if (!BN_hex2bn(&p, "17")) ABORT;
if (!BN_hex2bn(&a, "1")) ABORT;
if (!BN_hex2bn(&b, "1")) ABORT;
group = EC_GROUP_new(EC_GFp_mont_method()); /* applications should use EC_GROUP_new_curve_GFp
* so that the library gets to choose the EC_METHOD */
if (!group) ABORT;
if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) ABORT;
{
EC_GROUP *tmp;
tmp = EC_GROUP_new(EC_GROUP_method_of(group));
if (!tmp) ABORT;
if (!EC_GROUP_copy(tmp, group)) ABORT;
EC_GROUP_free(group);
group = tmp;
}
if (!EC_GROUP_get_curve_GFp(group, p, a, b, ctx)) ABORT;
fprintf(stdout, "Curve defined by Weierstrass equation\n y^2 = x^3 + a*x + b (mod 0x");
BN_print_fp(stdout, p);
fprintf(stdout, ")\n a = 0x");
BN_print_fp(stdout, a);
fprintf(stdout, "\n b = 0x");
BN_print_fp(stdout, b);
fprintf(stdout, "\n");
P = EC_POINT_new(group);
Q = EC_POINT_new(group);
R = EC_POINT_new(group);
if (!P || !Q || !R) ABORT;
if (!EC_POINT_set_to_infinity(group, P)) ABORT;
if (!EC_POINT_is_at_infinity(group, P)) ABORT;
buf[0] = 0;
if (!EC_POINT_oct2point(group, Q, buf, 1, ctx)) ABORT;
if (!EC_POINT_add(group, P, P, Q, ctx)) ABORT;
if (!EC_POINT_is_at_infinity(group, P)) ABORT;
x = BN_new();
y = BN_new();
z = BN_new();
if (!x || !y || !z) ABORT;
if (!BN_hex2bn(&x, "D")) ABORT;
if (!EC_POINT_set_compressed_coordinates_GFp(group, Q, x, 1, ctx)) ABORT;
if (!EC_POINT_is_on_curve(group, Q, ctx))
{
if (!EC_POINT_get_affine_coordinates_GFp(group, Q, x, y, ctx)) ABORT;
fprintf(stderr, "Point is not on curve: x = 0x");
BN_print_fp(stderr, x);
fprintf(stderr, ", y = 0x");
BN_print_fp(stderr, y);
fprintf(stderr, "\n");
ABORT;
}
fprintf(stdout, "A cyclic subgroup:\n");
k = 100;
do
{
if (k-- == 0) ABORT;
if (EC_POINT_is_at_infinity(group, P))
fprintf(stdout, " point at infinity\n");
else
{
if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) ABORT;
fprintf(stdout, " x = 0x");
BN_print_fp(stdout, x);
fprintf(stdout, ", y = 0x");
BN_print_fp(stdout, y);
fprintf(stdout, "\n");
//.........這裏部分代碼省略.........
示例10: ec_GFp_mont_point_get_affine_coordinates
/* Convert |point|, held in Jacobian coordinates (X, Y, Z) with each coordinate
 * in Montgomery form, to affine (x, y) = (X/Z^2, Y/Z^3) in plain
 * (non-Montgomery) representation.  |x| and/or |y| may be NULL to skip that
 * output.  |ctx| may be NULL, in which case a temporary BN_CTX is created and
 * freed here.
 *
 * Returns 1 on success, 0 on failure.  The point at infinity has no affine
 * representation and is rejected with EC_R_POINT_AT_INFINITY.
 *
 * The sequence of Montgomery reductions below is chosen to minimise the number
 * of reductions, and |Z_1| is overwritten in place at each step, so the
 * statements must be kept in this order. */
static int ec_GFp_mont_point_get_affine_coordinates(const EC_GROUP *group,
                                                    const EC_POINT *point,
                                                    BIGNUM *x, BIGNUM *y,
                                                    BN_CTX *ctx) {
  /* Reject O first: there is no (x, y) to return for it. */
  if (EC_POINT_is_at_infinity(group, point)) {
    OPENSSL_PUT_ERROR(EC, EC_R_POINT_AT_INFINITY);
    return 0;
  }

  BN_CTX *new_ctx = NULL;
  if (ctx == NULL) {
    ctx = new_ctx = BN_CTX_new();
    if (ctx == NULL) {
      return 0;
    }
  }

  int ret = 0;
  BN_CTX_start(ctx);

  if (BN_cmp(&point->Z, &group->one) == 0) {
    /* |point| is already affine (Z equals the group's representation of 1):
     * only the Montgomery factor has to be stripped from X and Y. */
    if (x != NULL && !BN_from_montgomery(x, &point->X, &group->mont, ctx)) {
      goto err;
    }
    if (y != NULL && !BN_from_montgomery(y, &point->Y, &group->mont, ctx)) {
      goto err;
    }
  } else {
    /* transform (X, Y, Z) into (x, y) := (X/Z^2, Y/Z^3) */
    BIGNUM *Z_1 = BN_CTX_get(ctx);
    BIGNUM *Z_2 = BN_CTX_get(ctx);
    BIGNUM *Z_3 = BN_CTX_get(ctx);
    if (Z_1 == NULL ||
        Z_2 == NULL ||
        Z_3 == NULL) {
      goto err;
    }

    /* The straightforward way to calculate the inverse of a Montgomery-encoded
     * value where the result is Montgomery-encoded is:
     *
     *    |BN_from_montgomery| + |BN_mod_inverse| + |BN_to_montgomery|.
     *
     * This is equivalent, but more efficient, because |BN_from_montgomery|
     * is more efficient (at least in theory) than |BN_to_montgomery|, since it
     * doesn't have to do the multiplication before the reduction.
     *
     * Two |BN_from_montgomery| calls leave Z * R^-1 in |Z_1|; inverting that
     * yields Z^-1 * R, i.e. Z^-1 already in Montgomery form. */
    if (!BN_from_montgomery(Z_1, &point->Z, &group->mont, ctx) ||
        !BN_from_montgomery(Z_1, Z_1, &group->mont, ctx) ||
        !BN_mod_inverse(Z_1, Z_1, &group->field, ctx)) {
      goto err;
    }

    /* |Z_2| = Z^-2 in Montgomery form. */
    if (!BN_mod_mul_montgomery(Z_2, Z_1, Z_1, &group->mont, ctx)) {
      goto err;
    }

    /* Instead of using |BN_from_montgomery| to convert the |x| coordinate
     * and then calling |BN_from_montgomery| again to convert the |y|
     * coordinate below, convert the common factor |Z_2| once now, saving one
     * reduction.  After this |Z_2| is Z^-2 in plain form. */
    if (!BN_from_montgomery(Z_2, Z_2, &group->mont, ctx)) {
      goto err;
    }

    if (x != NULL) {
      /* Montgomery-multiplying X*R by the plain Z^-2 cancels R, leaving the
       * plain affine x. */
      if (!BN_mod_mul_montgomery(x, &point->X, Z_2, &group->mont, ctx)) {
        goto err;
      }
    }

    if (y != NULL) {
      /* |Z_3| = (plain Z^-2) * (Z^-1 * R) * R^-1 = plain Z^-3; multiplying
       * Y*R by it again cancels R, leaving the plain affine y. */
      if (!BN_mod_mul_montgomery(Z_3, Z_2, Z_1, &group->mont, ctx) ||
          !BN_mod_mul_montgomery(y, &point->Y, Z_3, &group->mont, ctx)) {
        goto err;
      }
    }
  }

  ret = 1;

err:
  BN_CTX_end(ctx);
  /* |new_ctx| is NULL when the caller supplied |ctx|; this relies on
   * BN_CTX_free(NULL) being a no-op. */
  BN_CTX_free(new_ctx);
  return ret;
}
示例11: EC_KEY_get0_group
SM2_CIPHERTEXT_VALUE *SM2_do_encrypt(const EVP_MD *kdf_md, const EVP_MD *mac_md,
const unsigned char *in, size_t inlen, EC_KEY *ec_key)
{
int ok = 0;
SM2_CIPHERTEXT_VALUE *cv = NULL;
const EC_GROUP *ec_group = EC_KEY_get0_group(ec_key);
const EC_POINT *pub_key = EC_KEY_get0_public_key(ec_key);
KDF_FUNC kdf = KDF_get_x9_63(kdf_md);
EC_POINT *point = NULL;
BIGNUM *n = NULL;
BIGNUM *h = NULL;
BIGNUM *k = NULL;
BN_CTX *bn_ctx = NULL;
EVP_MD_CTX *md_ctx = NULL;
unsigned char buf[(OPENSSL_ECC_MAX_FIELD_BITS + 7)/4 + 1];
int nbytes;
size_t len;
int i;
if (!ec_group || !pub_key) {
goto end;
}
if (!kdf) {
goto end;
}
/* init ciphertext_value */
if (!(cv = OPENSSL_malloc(sizeof(SM2_CIPHERTEXT_VALUE)))) {
goto end;
}
bzero(cv, sizeof(SM2_CIPHERTEXT_VALUE));
cv->ephem_point = EC_POINT_new(ec_group);
cv->ciphertext = OPENSSL_malloc(inlen);
cv->ciphertext_size = inlen;
if (!cv->ephem_point || !cv->ciphertext) {
goto end;
}
point = EC_POINT_new(ec_group);
n = BN_new();
h = BN_new();
k = BN_new();
bn_ctx = BN_CTX_new();
md_ctx = EVP_MD_CTX_create();
if (!point || !n || !h || !k || !bn_ctx || !md_ctx) {
goto end;
}
/* init ec domain parameters */
if (!EC_GROUP_get_order(ec_group, n, bn_ctx)) {
goto end;
}
if (!EC_GROUP_get_cofactor(ec_group, h, bn_ctx)) {
goto end;
}
nbytes = (EC_GROUP_get_degree(ec_group) + 7) / 8;
//OPENSSL_assert(nbytes == BN_num_bytes(n));
#if 0
/* check sm2 curve and md is 256 bits */
OPENSSL_assert(nbytes == 32);
OPENSSL_assert(EVP_MD_size(kdf_md) == 32);
OPENSSL_assert(EVP_MD_size(mac_md) == 32);
#endif
do
{
/* A1: rand k in [1, n-1] */
do {
BN_rand_range(k, n);
} while (BN_is_zero(k));
/* A2: C1 = [k]G = (x1, y1) */
if (!EC_POINT_mul(ec_group, cv->ephem_point, k, NULL, NULL, bn_ctx)) {
goto end;
}
/* A3: check [h]P_B != O */
if (!EC_POINT_mul(ec_group, point, NULL, pub_key, h, bn_ctx)) {
goto end;
}
if (EC_POINT_is_at_infinity(ec_group, point)) {
goto end;
}
/* A4: compute ECDH [k]P_B = (x2, y2) */
if (!EC_POINT_mul(ec_group, point, NULL, pub_key, k, bn_ctx)) {
goto end;
}
if (!(len = EC_POINT_point2oct(ec_group, point,
POINT_CONVERSION_UNCOMPRESSED, buf, sizeof(buf), bn_ctx))) {
goto end;
}
OPENSSL_assert(len == nbytes * 2 + 1);
/* A5: t = KDF(x2 || y2, klen) */
kdf(buf + 1, len - 1, cv->ciphertext, &cv->ciphertext_size);
//.........這裏部分代碼省略.........
示例12: process_peer_commit
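/*
 * Parse and validate the peer's EAP-pwd Commit payload and derive the
 * shared secret k.
 *
 * sess   - session state.  Must already hold group, prime, order, pwe,
 *          private_value and the server's own commit (my_scalar,
 *          my_element).  On success sess->peer_scalar, sess->peer_element
 *          and sess->k are filled in; on failure they may be left
 *          allocated but hold nothing meaningful.
 * commit - the peer's commit: element as x then y, BN_num_bytes(prime)
 *          bytes each, followed by the scalar, BN_num_bytes(order) bytes.
 *          There is no length argument, so the caller must already have
 *          verified the payload is at least that long.
 * bnctx  - BN_CTX used for the point arithmetic.
 *
 * Returns 0 on success and 1 on any failure; each rejection is logged
 * with DEBUG2.
 */
int
process_peer_commit (pwd_session_t *sess, uint8_t *commit, BN_CTX *bnctx)
{
	uint8_t *ptr;
	BIGNUM *x = NULL, *y = NULL, *cofactor = NULL;
	EC_POINT *K = NULL, *point = NULL;
	int res = 1;
	int prime_len, order_len;

	if (((sess->peer_scalar = BN_new()) == NULL) ||
	    ((sess->k = BN_new()) == NULL) ||
	    ((cofactor = BN_new()) == NULL) ||
	    ((x = BN_new()) == NULL) ||
	    ((y = BN_new()) == NULL) ||
	    ((point = EC_POINT_new(sess->group)) == NULL) ||
	    ((K = EC_POINT_new(sess->group)) == NULL) ||
	    ((sess->peer_element = EC_POINT_new(sess->group)) == NULL)) {
		DEBUG2("pwd: failed to allocate room to process peer's commit");
		goto fin;
	}

	if (!EC_GROUP_get_cofactor(sess->group, cofactor, NULL)) {
		DEBUG2("pwd: unable to get group co-factor");
		goto fin;
	}

	/* element, x then y, followed by scalar */
	prime_len = BN_num_bytes(sess->prime);
	order_len = BN_num_bytes(sess->order);
	ptr = (uint8_t *)commit;
	if (!BN_bin2bn(ptr, prime_len, x) ||
	    !BN_bin2bn(ptr + prime_len, prime_len, y) ||
	    !BN_bin2bn(ptr + 2 * prime_len, order_len, sess->peer_scalar)) {
		DEBUG2("pwd: unable to parse peer's commit");
		goto fin;
	}

	/*
	 * Validate the scalar before it touches any arithmetic: a sane value
	 * lies in [2, order-1].  0, 1 and anything >= order are rejected so
	 * the peer cannot choose a degenerate scalar/element pair for the
	 * key computation below.
	 */
	if (BN_is_zero(sess->peer_scalar) ||
	    BN_is_one(sess->peer_scalar) ||
	    BN_cmp(sess->peer_scalar, sess->order) >= 0) {
		DEBUG2("pwd: peer's scalar is not within the allowed range");
		goto fin;
	}

	if (!EC_POINT_set_affine_coordinates_GFp(sess->group,
						 sess->peer_element, x, y,
						 bnctx)) {
		DEBUG2("pwd: unable to get coordinates of peer's element");
		goto fin;
	}

	/*
	 * Validate the element: it must be a finite point on *our* curve.
	 * Not every OpenSSL version verifies the curve equation inside
	 * EC_POINT_set_affine_coordinates_GFp, so check it explicitly; an
	 * off-curve point multiplied by our private value below is the
	 * classic invalid-curve attack.  EC_POINT_is_on_curve returns -1 on
	 * error, hence the comparison against 1 rather than a plain negation.
	 */
	if (EC_POINT_is_on_curve(sess->group, sess->peer_element, bnctx) != 1 ||
	    EC_POINT_is_at_infinity(sess->group, sess->peer_element)) {
		DEBUG2("pwd: peer's element is not a point on the elliptic curve");
		goto fin;
	}

	/* check to ensure peer's element is not in a small sub-group */
	if (BN_cmp(cofactor, BN_value_one())) {
		if (!EC_POINT_mul(sess->group, point, NULL,
				  sess->peer_element, cofactor, NULL)) {
			DEBUG2("pwd: unable to multiply element by co-factor");
			goto fin;
		}
		if (EC_POINT_is_at_infinity(sess->group, point)) {
			DEBUG2("pwd: peer's element is in small sub-group");
			goto fin;
		}
	}

	/*
	 * Reflection: if the peer simply echoes our own scalar and element
	 * back, both sides derive identical values and the Confirm we send
	 * could be echoed back too.  Refuse to run the exchange against
	 * ourselves.
	 */
	if (BN_cmp(sess->peer_scalar, sess->my_scalar) == 0 ||
	    EC_POINT_cmp(sess->group, sess->peer_element, sess->my_element, bnctx) == 0) {
		DEBUG2("pwd: reflection attack detected");
		goto fin;
	}

	/* compute the shared key, K = (pwe * peer_scalar + peer_element) * private_value */
	if ((!EC_POINT_mul(sess->group, K, NULL, sess->pwe,
			   sess->peer_scalar, bnctx)) ||
	    (!EC_POINT_add(sess->group, K, K, sess->peer_element,
			   bnctx)) ||
	    (!EC_POINT_mul(sess->group, K, NULL, K, sess->private_value,
			   bnctx))) {
		DEBUG2("pwd: unable to compute shared key, k");
		goto fin;
	}

	/* ensure that the shared key isn't in a small sub-group */
	if (BN_cmp(cofactor, BN_value_one())) {
		if (!EC_POINT_mul(sess->group, K, NULL, K, cofactor,
				  NULL)) {
			DEBUG2("pwd: unable to multiply k by co-factor");
			goto fin;
		}
	}

	/*
	 * Strictly only reachable when the co-factor multiplication above
	 * ran, but it is cheap and guarantees the affine-coordinate
	 * extraction below never sees the point at infinity.
	 */
	if (EC_POINT_is_at_infinity(sess->group, K)) {
		DEBUG2("pwd: k is point-at-infinity!");
		goto fin;
	}

	/* k is the x coordinate of K */
	if (!EC_POINT_get_affine_coordinates_GFp(sess->group, K, sess->k,
						 NULL, bnctx)) {
		DEBUG2("pwd: unable to get shared secret from K");
		goto fin;
	}

	res = 0;
fin:
	EC_POINT_free(K);
	EC_POINT_free(point);
	BN_free(cofactor);
	BN_free(x);
	BN_free(y);
	return res;
}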
示例13: SM2err
SM2CiphertextValue *SM2_do_encrypt(const EVP_MD *md,
const unsigned char *in, size_t inlen, EC_KEY *ec_key)
{
SM2CiphertextValue *ret = NULL;
SM2CiphertextValue *cv = NULL;
const EC_GROUP *group;
const EC_POINT *pub_key;
KDF_FUNC kdf;
EC_POINT *ephem_point = NULL;
EC_POINT *share_point = NULL;
BIGNUM *n = NULL;
BIGNUM *h = NULL;
BIGNUM *k = NULL;
BN_CTX *bn_ctx = NULL;
EVP_MD_CTX *md_ctx = NULL;
unsigned char buf[(OPENSSL_ECC_MAX_FIELD_BITS + 7)/4 + 1];
int nbytes;
size_t len;
size_t i;
unsigned int hashlen;
/* check arguments */
if (!md || !in || !ec_key) {
SM2err(SM2_F_SM2_DO_ENCRYPT, ERR_R_PASSED_NULL_PARAMETER);
return 0;
}
if (inlen < SM2_MIN_PLAINTEXT_LENGTH || inlen > SM2_MAX_PLAINTEXT_LENGTH) {
SM2err(SM2_F_SM2_DO_ENCRYPT, SM2_R_INVALID_PLAINTEXT_LENGTH);
return 0;
}
if (!(kdf = KDF_get_x9_63(md))) {
SM2err(SM2_F_SM2_DO_ENCRYPT, SM2_R_INVALID_DIGEST_ALGOR);
return 0;
}
if (!(group = EC_KEY_get0_group(ec_key))
|| !(pub_key = EC_KEY_get0_public_key(ec_key))) {
SM2err(SM2_F_SM2_DO_ENCRYPT, SM2_R_INVALID_EC_KEY);
return 0;
}
/* malloc */
if (!(cv = SM2CiphertextValue_new())
|| !(ephem_point = EC_POINT_new(group))
|| !(share_point = EC_POINT_new(group))
|| !(n = BN_new())
|| !(h = BN_new())
|| !(k = BN_new())
|| !(bn_ctx = BN_CTX_new())
|| !(md_ctx = EVP_MD_CTX_new())) {
SM2err(SM2_F_SM2_DO_ENCRYPT, ERR_R_MALLOC_FAILURE);
goto end;
}
if (!ASN1_OCTET_STRING_set(cv->ciphertext, NULL, (int)inlen)
|| !ASN1_OCTET_STRING_set(cv->hash, NULL, EVP_MD_size(md))) {
SM2err(SM2_F_SM2_DO_ENCRYPT, ERR_R_ASN1_LIB);
goto end;
}
/* init ec domain parameters */
if (!EC_GROUP_get_order(group, n, bn_ctx)) {
ECerr(EC_F_SM2_DO_ENCRYPT, EC_R_ERROR);
goto end;
}
if (!EC_GROUP_get_cofactor(group, h, bn_ctx)) {
ECerr(EC_F_SM2_DO_ENCRYPT, EC_R_ERROR);
goto end;
}
nbytes = (EC_GROUP_get_degree(group) + 7) / 8;
/* check [h]P_B != O */
if (!EC_POINT_mul(group, share_point, NULL, pub_key, h, bn_ctx)) {
SM2err(SM2_F_SM2_DO_ENCRYPT, ERR_R_EC_LIB);
goto end;
}
if (EC_POINT_is_at_infinity(group, share_point)) {
SM2err(SM2_F_SM2_DO_ENCRYPT, SM2_R_INVALID_PUBLIC_KEY);
goto end;
}
do
{
size_t size;
/* rand k in [1, n-1] */
do {
BN_rand_range(k, n);
} while (BN_is_zero(k));
/* compute ephem_point [k]G = (x1, y1) */
if (!EC_POINT_mul(group, ephem_point, k, NULL, NULL, bn_ctx)) {
SM2err(SM2_F_SM2_DO_ENCRYPT, ERR_R_EC_LIB);
goto end;
//......... remainder of SM2_do_encrypt omitted by the listing (the do { ... } loop opened above is not closed here) .........
Example 14: SM2_do_decrypt
//......... beginning of SM2_do_decrypt (signature, argument checks) omitted by the listing .........
}
/* malloc */
point = EC_POINT_new(group);
tmp_point = EC_POINT_new(group);
n = BN_new();
h = BN_new();
bn_ctx = BN_CTX_new();
md_ctx = EVP_MD_CTX_new();
if (!point || !n || !h || !bn_ctx || !md_ctx) {
SM2err(SM2_F_SM2_DO_DECRYPT, ERR_R_MALLOC_FAILURE);
goto end;
}
/* init ec domain parameters */
if (!EC_GROUP_get_order(group, n, bn_ctx)) {
SM2err(SM2_F_SM2_DO_DECRYPT, ERR_R_EC_LIB);
goto end;
}
if (!EC_GROUP_get_cofactor(group, h, bn_ctx)) {
SM2err(SM2_F_SM2_DO_DECRYPT, ERR_R_EC_LIB);
goto end;
}
nbytes = (EC_GROUP_get_degree(group) + 7) / 8;
/* get x/yCoordinates as C1 = (x1, y1) */
if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) == NID_X9_62_prime_field) {
if (!EC_POINT_set_affine_coordinates_GFp(group, point,
cv->xCoordinate, cv->yCoordinate, bn_ctx)) {
SM2err(SM2_F_SM2_DO_DECRYPT, SM2_R_INVALID_CIPHERTEXT);
goto end;
}
} else {
if (!EC_POINT_set_affine_coordinates_GF2m(group, point,
cv->xCoordinate, cv->yCoordinate, bn_ctx)) {
SM2err(SM2_F_SM2_DO_DECRYPT, SM2_R_INVALID_CIPHERTEXT);
goto end;
}
}
/* check [h]C1 != O */
if (!EC_POINT_mul(group, tmp_point, NULL, point, h, bn_ctx)) {
SM2err(SM2_F_SM2_DO_DECRYPT, ERR_R_EC_LIB);
goto end;
}
if (EC_POINT_is_at_infinity(group, tmp_point)) {
SM2err(SM2_F_SM2_DO_DECRYPT, SM2_R_INVALID_CIPHERTEXT);
goto end;
}
/* compute ECDH [d]C1 = (x2, y2) */
if (!EC_POINT_mul(group, point, NULL, point, pri_key, bn_ctx)) {
SM2err(SM2_F_SM2_DO_DECRYPT, ERR_R_EC_LIB);
goto end;
}
if (!(len = EC_POINT_point2oct(group, point,
POINT_CONVERSION_UNCOMPRESSED, buf, sizeof(buf), bn_ctx))) {
SM2err(SM2_F_SM2_DO_DECRYPT, ERR_R_EC_LIB);
goto end;
}
/* compute t = KDF(x2 || y2, clen) */
*outlen = cv->ciphertext->length;
kdf(buf + 1, len - 1, out, outlen);
/* compute M = C2 xor t */
for (i = 0; i < cv->ciphertext->length; i++) {
out[i] ^= cv->ciphertext->data[i];
}
/* check hash == Hash(x2 || M || y2) */
if (!EVP_DigestInit_ex(md_ctx, md, NULL)
|| !EVP_DigestUpdate(md_ctx, buf + 1, nbytes)
|| !EVP_DigestUpdate(md_ctx, out, *outlen)
|| !EVP_DigestUpdate(md_ctx, buf + 1 + nbytes, nbytes)
|| !EVP_DigestFinal_ex(md_ctx, mac, &maclen)) {
SM2err(SM2_F_SM2_DO_DECRYPT, ERR_R_EVP_LIB);
goto end;
}
if (OPENSSL_memcmp(cv->hash->data, mac, maclen) != 0) {
SM2err(SM2_F_SM2_DO_DECRYPT, SM2_R_INVALID_CIPHERTEXT);
goto end;
}
ret = 1;
end:
EC_POINT_free(point);
EC_POINT_free(tmp_point);
BN_free(n);
BN_free(h);
BN_CTX_free(bn_ctx);
EVP_MD_CTX_free(md_ctx);
return ret;
}
Example 15: compute_password_element
//......... beginning of compute_password_element (setup and start of the hunting-and-pecking loop) omitted by the listing .........
eap_pwd_h_update(hash, id_server, id_server_len);
eap_pwd_h_update(hash, password, password_len);
eap_pwd_h_update(hash, &ctr, sizeof(ctr));
eap_pwd_h_final(hash, pwe_digest);
BN_bin2bn(pwe_digest, SHA256_MAC_LEN, rnd);
if (eap_pwd_kdf(pwe_digest, SHA256_MAC_LEN,
(u8 *) "EAP-pwd Hunting And Pecking",
os_strlen("EAP-pwd Hunting And Pecking"),
prfbuf, primebitlen) < 0)
goto fail;
BN_bin2bn(prfbuf, primebytelen, x_candidate);
/*
* eap_pwd_kdf() returns a string of bits 0..primebitlen but
* BN_bin2bn will treat that string of bits as a big endian
* number. If the primebitlen is not an even multiple of 8
* then excessive bits-- those _after_ primebitlen-- so now
* we have to shift right the amount we masked off.
*/
if (primebitlen % 8)
BN_rshift(x_candidate, x_candidate,
(8 - (primebitlen % 8)));
if (BN_ucmp(x_candidate, grp->prime) >= 0)
continue;
wpa_hexdump(MSG_DEBUG, "EAP-pwd: x_candidate",
prfbuf, primebytelen);
/*
* need to unambiguously identify the solution, if there is
* one...
*/
if (BN_is_odd(rnd))
is_odd = 1;
else
is_odd = 0;
/*
* solve the quadratic equation, if it's not solvable then we
* don't have a point
*/
if (!EC_POINT_set_compressed_coordinates_GFp(grp->group,
grp->pwe,
x_candidate,
is_odd, NULL))
continue;
/*
* If there's a solution to the equation then the point must be
* on the curve so why check again explicitly? OpenSSL code
* says this is required by X9.62. We're not X9.62 but it can't
* hurt just to be sure.
*/
if (!EC_POINT_is_on_curve(grp->group, grp->pwe, NULL)) {
wpa_printf(MSG_INFO, "EAP-pwd: point is not on curve");
continue;
}
if (BN_cmp(cofactor, BN_value_one())) {
/* make sure the point is not in a small sub-group */
if (!EC_POINT_mul(grp->group, grp->pwe, NULL, grp->pwe,
cofactor, NULL)) {
wpa_printf(MSG_INFO, "EAP-pwd: cannot "
"multiply generator by order");
continue;
}
if (EC_POINT_is_at_infinity(grp->group, grp->pwe)) {
wpa_printf(MSG_INFO, "EAP-pwd: point is at "
"infinity");
continue;
}
}
/* if we got here then we have a new generator. */
break;
}
wpa_printf(MSG_DEBUG, "EAP-pwd: found a PWE in %d tries", ctr);
grp->group_num = num;
if (0) {
fail:
EC_GROUP_free(grp->group);
grp->group = NULL;
EC_POINT_free(grp->pwe);
grp->pwe = NULL;
BN_free(grp->order);
grp->order = NULL;
BN_free(grp->prime);
grp->prime = NULL;
ret = 1;
}
/* cleanliness and order.... */
BN_free(cofactor);
BN_free(x_candidate);
BN_free(rnd);
os_free(prfbuf);
return ret;
}