
自学教程:C++ BN_CTX_new函数代码示例

这篇教程C++ BN_CTX_new函数代码示例写得很实用,希望能帮到您。

本文整理汇总了C++中BN_CTX_new函数的典型用法代码示例。如果您正苦于以下问题:C++ BN_CTX_new函数的具体用法?C++ BN_CTX_new怎么用?C++ BN_CTX_new使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。

在下文中一共展示了BN_CTX_new函数的30个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于我们的系统推荐出更棒的C++代码示例。

示例1: handshake

void Server::handshake(const char *_I, BIGNUM *A, BIGNUM **B, uint32_t *_salt) {  if (I && _I && strcmp(I, _I) == 0) {    BIGNUM *b = NULL;    BIGNUM *kv = NULL;    BIGNUM *u = NULL;    BIGNUM *vu = NULL;    BIGNUM *Avu = NULL;    BIGNUM *S = NULL;    unsigned char uH[SHA256_HASH_LEN];    unsigned char K[SHA256_HASH_LEN];    unsigned char *bn_bin1 = NULL;    unsigned char *bn_bin2 = NULL;    unsigned char *bn_bin3 = NULL;    BN_CTX *ctx = NULL;    SHA256_CTX sha_ctx;    uint32_t md_len = 0;    if (!N || !g || !k || !v || !P || !A)      goto err;    // S->C    // Send salt, B=kv + g**b % N    if (!(b = BN_new()))      goto err;      if (!BN_rand_range(b, N))      goto err;      if (!(*B = BN_new()))      goto err;    if (!(ctx = BN_CTX_new()))      goto err;      if (!BN_mod_exp(*B, g, b, N, ctx))      goto err;    if (!(kv = BN_new()))      goto err;    if (!BN_mul(kv, k, v, ctx))      goto err;    if (!BN_add(*B, kv, *B))      goto err;    // S, C    // Compute string uH = SHA256(A|B), u = integer of uH    bn_bin1 = new unsigned char[BN_num_bytes(A)];    BN_bn2bin(A, bn_bin1);      bn_bin2 = new unsigned char[BN_num_bytes(*B)];    BN_bn2bin(*B, bn_bin2);    if (!SHA256_Init(&sha_ctx))      goto err;    if (!SHA256_Update(&sha_ctx, bn_bin1, BN_num_bytes(A)))      goto err;      if (!SHA256_Update(&sha_ctx, bn_bin2, BN_num_bytes(*B)))      goto err;      if (!SHA256_Final(uH, &sha_ctx))      goto err;    if (!(u = BN_new()))      goto err;      if (!BN_bin2bn(uH, SHA256_HASH_LEN, u))      goto err;    // S    // Generate S = (A * v**u) ** b % N    // Generate K = SHA256(S)    if (!(vu = BN_new()))      goto err;        if (!BN_mod_exp(vu, v, u, N, ctx))      goto err;    if (!(Avu = BN_new()))      goto err;    if (!BN_mul(Avu, A, vu, ctx))      goto err;    if (!(S = BN_new()))      goto err;    if (!BN_mod_exp(S, Avu, b, N, ctx))      goto err;    bn_bin3 = new unsigned char[BN_num_bytes(S)];    BN_bn2bin(S, bn_bin3);    if (!SHA256_Init(&sha_ctx))      goto err;  
  if (!SHA256_Update(&sha_ctx, bn_bin3, BN_num_bytes(S)))//.........这里部分代码省略.........
开发者ID:imhotepisinvisible,项目名称:cryptopals,代码行数:101,


示例2: rsa_default_verify_raw

int rsa_default_verify_raw(RSA *rsa, size_t *out_len, uint8_t *out,                           size_t max_out, const uint8_t *in, size_t in_len,                           int padding) {  const unsigned rsa_size = RSA_size(rsa);  BIGNUM *f, *result;  int ret = 0;  int r = -1;  uint8_t *buf = NULL;  BN_CTX *ctx = NULL;  if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {    OPENSSL_PUT_ERROR(RSA, RSA_R_MODULUS_TOO_LARGE);    return 0;  }  if (BN_ucmp(rsa->n, rsa->e) <= 0) {    OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_E_VALUE);    return 0;  }  if (max_out < rsa_size) {    OPENSSL_PUT_ERROR(RSA, RSA_R_OUTPUT_BUFFER_TOO_SMALL);    return 0;  }  /* for large moduli, enforce exponent limit */  if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS &&      BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) {    OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_E_VALUE);    return 0;  }  ctx = BN_CTX_new();  if (ctx == NULL) {    goto err;  }  BN_CTX_start(ctx);  f = BN_CTX_get(ctx);  result = BN_CTX_get(ctx);  if (padding == RSA_NO_PADDING) {    buf = out;  } else {    /* Allocate a temporary buffer to hold the padded plaintext. 
*/    buf = OPENSSL_malloc(rsa_size);    if (buf == NULL) {      OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);      goto err;    }  }  if (!f || !result) {    OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);    goto err;  }  if (in_len != rsa_size) {    OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_LEN_NOT_EQUAL_TO_MOD_LEN);    goto err;  }  if (BN_bin2bn(in, in_len, f) == NULL) {    goto err;  }  if (BN_ucmp(f, rsa->n) >= 0) {    OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_MODULUS);    goto err;  }  if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) {    if (BN_MONT_CTX_set_locked(&rsa->mont_n, &rsa->lock, rsa->n, ctx) == NULL) {      goto err;    }  }  if (!rsa->meth->bn_mod_exp(result, f, rsa->e, rsa->n, ctx, rsa->mont_n)) {    goto err;  }  if (!BN_bn2bin_padded(buf, rsa_size, result)) {    OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);    goto err;  }  switch (padding) {    case RSA_PKCS1_PADDING:      r = RSA_padding_check_PKCS1_type_1(out, rsa_size, buf, rsa_size);      break;    case RSA_NO_PADDING:      r = rsa_size;      break;    default:      OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_PADDING_TYPE);      goto err;  }  if (r < 0) {    OPENSSL_PUT_ERROR(RSA, RSA_R_PADDING_CHECK_FAILED);  } else {    *out_len = r;//.........这里部分代码省略.........
开发者ID:aaapei,项目名称:libquic,代码行数:101,


示例3: rsa_default_encrypt

int rsa_default_encrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,                        const uint8_t *in, size_t in_len, int padding) {  const unsigned rsa_size = RSA_size(rsa);  BIGNUM *f, *result;  uint8_t *buf = NULL;  BN_CTX *ctx = NULL;  int i, ret = 0;  if (rsa_size > OPENSSL_RSA_MAX_MODULUS_BITS) {    OPENSSL_PUT_ERROR(RSA, RSA_R_MODULUS_TOO_LARGE);    return 0;  }  if (max_out < rsa_size) {    OPENSSL_PUT_ERROR(RSA, RSA_R_OUTPUT_BUFFER_TOO_SMALL);    return 0;  }  if (BN_ucmp(rsa->n, rsa->e) <= 0) {    OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_E_VALUE);    return 0;  }  /* for large moduli, enforce exponent limit */  if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS &&      BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) {    OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_E_VALUE);    return 0;  }  ctx = BN_CTX_new();  if (ctx == NULL) {    goto err;  }  BN_CTX_start(ctx);  f = BN_CTX_get(ctx);  result = BN_CTX_get(ctx);  buf = OPENSSL_malloc(rsa_size);  if (!f || !result || !buf) {    OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);    goto err;  }  switch (padding) {    case RSA_PKCS1_PADDING:      i = RSA_padding_add_PKCS1_type_2(buf, rsa_size, in, in_len);      break;    case RSA_PKCS1_OAEP_PADDING:      /* Use the default parameters: SHA-1 for both hashes and no label. 
*/      i = RSA_padding_add_PKCS1_OAEP_mgf1(buf, rsa_size, in, in_len,                                          NULL, 0, NULL, NULL);      break;    case RSA_NO_PADDING:      i = RSA_padding_add_none(buf, rsa_size, in, in_len);      break;    default:      OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_PADDING_TYPE);      goto err;  }  if (i <= 0) {    goto err;  }  if (BN_bin2bn(buf, rsa_size, f) == NULL) {    goto err;  }  if (BN_ucmp(f, rsa->n) >= 0) {    /* usually the padding functions would catch this */    OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_MODULUS);    goto err;  }  if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) {    if (BN_MONT_CTX_set_locked(&rsa->mont_n, &rsa->lock, rsa->n, ctx) == NULL) {      goto err;    }  }  if (!rsa->meth->bn_mod_exp(result, f, rsa->e, rsa->n, ctx, rsa->mont_n)) {    goto err;  }  /* put in leading 0 bytes if the number is less than the length of the   * modulus */  if (!BN_bn2bin_padded(out, rsa_size, result)) {    OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);    goto err;  }  *out_len = rsa_size;  ret = 1;err:  if (ctx != NULL) {    BN_CTX_end(ctx);    BN_CTX_free(ctx);  }//.........这里部分代码省略.........
开发者ID:aaapei,项目名称:libquic,代码行数:101,


示例4: schnorr_sign

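/*
 * Generate Schnorr signature to prove knowledge of private value 'x' used
 * in public exponent g^x, under group defined by 'grp_p', 'grp_q' and 'grp_g'
 * using the hash function "evp_md".
 * 'idlen' bytes from 'id' will be included in the signature hash as an anti-
 * replay salt.
 *
 * On success, 0 is returned. The signature values are returned as *e_p
 * (g^v mod p) and *r_p (v - xh mod q). The caller must free these values.
 * On failure, -1 is returned and *e_p / *r_p are left untouched.
 *
 * Review notes on this revision:
 *  - BN_mod_exp(), BN_mod_mul() and BN_mod_sub() return 1 on success and 0
 *    on failure; the previous "== -1" tests could never fire, so a failed
 *    bignum operation silently produced a bogus signature. Failures are now
 *    detected with "!= 1".
 *  - g_v and r were leaked on every error path after their allocation; they
 *    are now released unless ownership has passed to the caller.
 */
int
schnorr_sign(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g,
    const EVP_MD *evp_md, const BIGNUM *x, const BIGNUM *g_x,
    const u_char *id, u_int idlen, BIGNUM **r_p, BIGNUM **e_p)
{
	int success = -1;
	BIGNUM *h = NULL, *tmp = NULL, *v = NULL, *g_v = NULL, *r = NULL;
	BN_CTX *bn_ctx = NULL;

	SCHNORR_DEBUG_BN((x, "%s: x = ", __func__));
	SCHNORR_DEBUG_BN((g_x, "%s: g_x = ", __func__));

	/* Avoid degenerate cases: g^0 yields a spoofable signature */
	if (BN_cmp(g_x, BN_value_one()) <= 0) {
		error("%s: g_x < 1", __func__);
		return -1;
	}

	if ((bn_ctx = BN_CTX_new()) == NULL) {
		error("%s: BN_CTX_new", __func__);
		goto out;
	}
	if ((g_v = BN_new()) == NULL ||
	    (r = BN_new()) == NULL ||
	    (tmp = BN_new()) == NULL) {
		error("%s: BN_new", __func__);
		goto out;
	}

	/*
	 * v is the per-signature secret nonce: it must be uniformly random and
	 * never reused with the same x, or x is recoverable from two signatures.
	 * bn_rand_range_gt_one() excludes 0 and 1 (g^0 and g^1 are degenerate).
	 * Note that v is drawn from [2, p) rather than the textbook [2, q); this
	 * is harmless because r is reduced modulo q and g^v only depends on
	 * v mod q, but it is worth knowing when comparing against the spec.
	 */
	if ((v = bn_rand_range_gt_one(grp_p)) == NULL) {
		error("%s: bn_rand_range2", __func__);
		goto out;
	}
	SCHNORR_DEBUG_BN((v, "%s: v = ", __func__));

	/* g_v = g^v mod p */
	if (BN_mod_exp(g_v, grp_g, v, grp_p, bn_ctx) != 1) {
		error("%s: BN_mod_exp (g^v mod p)", __func__);
		goto out;
	}
	SCHNORR_DEBUG_BN((g_v, "%s: g_v = ", __func__));

	/* h = H(g || g^v || g^x || id) */
	if ((h = schnorr_hash(grp_p, grp_q, grp_g, evp_md, g_v, g_x,
	    id, idlen)) == NULL) {
		error("%s: schnorr_hash failed", __func__);
		goto out;
	}

	/* r = v - xh mod q */
	if (BN_mod_mul(tmp, x, h, grp_q, bn_ctx) != 1) {
		error("%s: BN_mod_mul (tmp = xh mod q)", __func__);
		goto out;
	}
	if (BN_mod_sub(r, v, tmp, grp_q, bn_ctx) != 1) {
		error("%s: BN_mod_sub (r = v - tmp)", __func__);
		goto out;
	}
	SCHNORR_DEBUG_BN((g_v, "%s: e = ", __func__));
	SCHNORR_DEBUG_BN((r, "%s: r = ", __func__));

	/* Ownership of e and r moves to the caller. */
	*e_p = g_v;
	*r_p = r;
	g_v = NULL;
	r = NULL;
	success = 0;
 out:
	BN_CTX_free(bn_ctx);
	/* h, v and tmp are derived from secret material: wipe before freeing. */
	if (h != NULL)
		BN_clear_free(h);
	if (v != NULL)
		BN_clear_free(v);
	if (tmp != NULL)
		BN_clear_free(tmp);
	/* Non-NULL here only if we failed after allocating them. */
	if (g_v != NULL)
		BN_clear_free(g_v);
	if (r != NULL)
		BN_clear_free(r);
	return success;
}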
开发者ID:911csj,项目名称:logswitch,代码行数:91,


示例5: main

int main(){    BIGNUM   *x, *y, *exp, *m, *order, *cof;    BIGNUM   t, store[30];    COMPLEX  *a, *b, *r;    EC_POINT *point, *Q;    int      i;    x = BN_new();    y = BN_new();    order = BN_new();    exp = BN_new();    m = BN_new();    a = COMP_new();    b = COMP_new();    r = COMP_new();    for( i = 0; i < 30; i++ )    	BN_init( &(store[i]) );    if ( Context == NULL )    	Context = BN_CTX_new();    bi_init( &malloc );    group = EC_GROUP_new( EC_GFp_simple_method() );    if ( group == NULL )    	goto err;    if(!BN_set_word(m, 43l))    	goto err;    BN_set_word(x, 1l);    BN_set_word(y, 0l);    if ( !EC_GROUP_set_curve_GFp( group, m, x, y, Context) )    	goto err;    BN_set_word(x, 23l);    BN_set_word(y, 8l);    BN_set_word(order, 11l);    point = EC_POINT_new( group );    EC_POINT_set_affine_coordinates_GFp( group, point, x, y, Context );    cof = BN_new();    BN_set_word( cof, 4 );    EC_GROUP_set_generator( group, point, order, cof );    if ( EC_GROUP_check( group, Context ) )    	printf(" group set is ok /n");    TSS_DAA_ISSUER_KEY   issuer_key;    TSS_DAA_ISSUER_PROOF issuer_proof;    TSS_DAA_JOIN_issuer_setup(&issuer_key, &issuer_proof);//    printf("/n");//    BN_set_word(x, 41l);//    BN_mod_inverse(x, x, m, Context);//    BN_print_fp(stdout, x);////    printf("/n");//    BN_set_word(x, 11l);//    BN_mod_inverse(x, x, m, Context);//    BN_print_fp(stdout, x);    char *str = "abcdefghijklmnop";    Q = map_to_point( str );    BN_set_word(x, 23l);    BN_set_word(y, 8l);    BN_set_word(order, 11l);    Q = EC_POINT_new( group );    EC_POINT_set_affine_coordinates_GFp( group, Q, x, y, Context );    Tate( point, Q, order, 0,  store, a );    printf("tate pair  t(p, Q) =:/n a.x: ");    BN_print_fp(stdout, &a->x);    printf("/na.y: ");    BN_print_fp(stdout, &a->y);    EC_POINT_dbl( group, point, point, Context);    EC_POINT_get_affine_coordinates_GFp( group, point, x, y, Context);    printf("2A.x =:/n");    BN_print_fp(stdout, x);    printf("2P.y= :/n");    
BN_print_fp(stdout, y);    Tate( point, Q, order, 0,  store, a );    printf("tate pair  t(2p, Q) =:/n a.x: ");    BN_print_fp(stdout, &a->x);    printf("/na.y: ");    BN_print_fp(stdout, &a->y);    BN_free( x );    BN_free( y );    BN_free( exp );    BN_free( m );    BN_free( order );//.........这里部分代码省略.........
开发者ID:aburan28,项目名称:daaproject,代码行数:101,


示例6: EC_KEY_check_key

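/*
 * Sanity-check an EC key: the public point must be a valid element of the
 * group (on the curve, not the point at infinity, and of order n) and, when
 * a private scalar is present, it must lie below the group order and
 * regenerate the public point.
 *
 * Returns 1 if every check passes, 0 otherwise (with a reason on the error
 * queue). A 0 result means the key must not be used: feeding a point of the
 * wrong order or the point at infinity into ECDH/ECDSA scalar multiplication
 * leaks information about the private key it is combined with.
 *
 * Review notes on this revision:
 *  - EC_POINT_is_on_curve() returns -1 on error; the old "!" test treated
 *    that as "on curve". Only a return of exactly 1 passes now.
 *  - The point at infinity passed both remaining tests (it is "on curve"
 *    and n*O == O); it is rejected explicitly.
 */
int EC_KEY_check_key(const EC_KEY *eckey)
{
	int ok = 0;
	BN_CTX *ctx = NULL;
	const BIGNUM *order = NULL;
	EC_POINT *point = NULL;

	if (!eckey || !eckey->group || !eckey->pub_key) {
		ECerr(EC_F_EC_KEY_CHECK_KEY, ERR_R_PASSED_NULL_PARAMETER);
		return 0;
	}

	if ((ctx = BN_CTX_new()) == NULL)
		goto err;
	if ((point = EC_POINT_new(eckey->group)) == NULL)
		goto err;

	/*
	 * The point at infinity has order 1, never n, so it can never be a
	 * valid public key; reject it before the order test below, which it
	 * would trivially satisfy.
	 */
	if (EC_POINT_is_at_infinity(eckey->group, eckey->pub_key)) {
		ECerr(EC_F_EC_KEY_CHECK_KEY, EC_R_WRONG_ORDER);
		goto err;
	}

	/* testing whether the pub_key is on the elliptic curve (1 = yes, 0 = no, -1 = error) */
	if (EC_POINT_is_on_curve(eckey->group, eckey->pub_key, ctx) <= 0) {
		ECerr(EC_F_EC_KEY_CHECK_KEY, EC_R_POINT_IS_NOT_ON_CURVE);
		goto err;
	}

	/* testing whether pub_key * order is the point at infinity */
	order = &eckey->group->order;
	if (BN_is_zero(order)) {
		ECerr(EC_F_EC_KEY_CHECK_KEY, EC_R_INVALID_GROUP_ORDER);
		goto err;
	}
	if (!EC_POINT_mul(eckey->group, point, NULL, eckey->pub_key, order, ctx)) {
		ECerr(EC_F_EC_KEY_CHECK_KEY, ERR_R_EC_LIB);
		goto err;
	}
	if (!EC_POINT_is_at_infinity(eckey->group, point)) {
		ECerr(EC_F_EC_KEY_CHECK_KEY, EC_R_WRONG_ORDER);
		goto err;
	}

	/*
	 * in case the priv_key is present:
	 * check that priv_key < order and generator * priv_key == pub_key
	 */
	if (eckey->priv_key) {
		if (BN_cmp(eckey->priv_key, order) >= 0) {
			ECerr(EC_F_EC_KEY_CHECK_KEY, EC_R_WRONG_ORDER);
			goto err;
		}
		if (!EC_POINT_mul(eckey->group, point, eckey->priv_key,
		    NULL, NULL, ctx)) {
			ECerr(EC_F_EC_KEY_CHECK_KEY, ERR_R_EC_LIB);
			goto err;
		}
		if (EC_POINT_cmp(eckey->group, point, eckey->pub_key, ctx) != 0) {
			ECerr(EC_F_EC_KEY_CHECK_KEY, EC_R_INVALID_PRIVATE_KEY);
			goto err;
		}
	}
	ok = 1;
err:
	if (ctx != NULL)
		BN_CTX_free(ctx);
	if (point != NULL)
		EC_POINT_free(point);
	return (ok);
}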
开发者ID:12019,项目名称:vendor_st-ericsson_u8500,代码行数:72,


示例7: bexp

/*
 * dc '^' operator: pop exponent p and base a, push a^p.
 *
 * Negative exponents are handled by computing a^|p| and then dividing 1
 * (scaled) by the result; a zero exponent yields 1. Exponentiation is done
 * by binary square-and-multiply over the bits of p, with bmul_number()
 * doing the scaled multiplications.
 *
 * Operand ownership: both popped numbers are consumed (freed) here, and the
 * result is a freshly allocated number pushed on the stack.
 */
static void
bexp(void)
{
	struct number	*a, *p;
	struct number	*r;
	bool		neg;
	u_int		scale;

	p = pop_number();
	if (p == NULL) {
		return;
	}
	a = pop_number();
	if (a == NULL) {
		/* stack underflow: put the exponent back and bail */
		push_number(p);
		return;
	}
	/* the exponent must be an integer; fractional digits are dropped */
	if (p->scale != 0)
		warnx("Runtime warning: non-zero scale in exponent");
	normalize(p, 0);

	neg = false;
	if (BN_cmp(p->number, &zero) < 0) {
		neg = true;
		negate(p);
		scale = bmachine.scale;
	} else {
		/* Posix bc says min(a.scale * b, max(a.scale, scale)) */
		u_long	b;
		u_int	m;

		b = BN_get_word(p->number);
		m = max(a->scale, bmachine.scale);
		/*
		 * NOTE(review): a->scale * b is computed in u_int and can wrap
		 * before the "scale > m" test; the b == BN_MASK2 / b > UINT_MAX
		 * guards only catch exponents that do not fit a word, not
		 * products that overflow. Result scale may be too small for
		 * very large exponents with a scaled base.
		 */
		scale = a->scale * (u_int)b;
		if (scale > m || (a->scale > 0 && (b == BN_MASK2 ||
		    b > UINT_MAX)))
			scale = m;
	}

	if (BN_is_zero(p->number)) {
		/* a^0 == 1 for any a (including 0, as in bc) */
		r = new_number();
		bn_check(BN_one(r->number));
		normalize(r, scale);
	} else {
		/* strip trailing zero bits of p by squaring a */
		while (!BN_is_bit_set(p->number, 0)) {
			bmul_number(a, a, a);
			bn_check(BN_rshift1(p->number, p->number));
		}
		/* lowest set bit consumed: r starts as a */
		r = dup_number(a);
		normalize(r, scale);
		bn_check(BN_rshift1(p->number, p->number));
		/* remaining bits: square a each step, multiply into r on set bits */
		while (!BN_is_zero(p->number)) {
			bmul_number(a, a, a);
			if (BN_is_bit_set(p->number, 0))
				bmul_number(r, r, a);
			bn_check(BN_rshift1(p->number, p->number));
		}
		if (neg) {
			/* negative exponent: r = 1 / r at the requested scale */
			BN_CTX	*ctx;
			BIGNUM	*one;

			one = BN_new();
			bn_checkp(one);
			bn_check(BN_one(one));
			ctx = BN_CTX_new();
			bn_checkp(ctx);
			/* scale the numerator so the integer division keeps 'scale' digits */
			scale_number(one, r->scale + scale);
			normalize(r, scale);
			bn_check(BN_div(r->number, NULL, one, r->number, ctx));
			BN_free(one);
			BN_CTX_free(ctx);
		} else
			normalize(r, scale);
	}
	push_number(r);
	free_number(a);
	free_number(p);
}
开发者ID:UNGLinux,项目名称:Obase,代码行数:82,


示例8: dsa_sign_setup

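/*
 * Precompute the per-signature values for DSA signing:
 *
 *   k    - random nonce with 0 < k < q
 *   r    = (g^k mod p) mod q
 *   kinv = k^-1 mod q
 *
 * On success *kinvp and *rp receive freshly allocated BIGNUMs (any previous
 * values are wiped and freed) and 1 is returned; on failure 0 is returned,
 * ERR_R_BN_LIB is queued and the outputs are untouched. ctx_in may be NULL,
 * in which case a temporary BN_CTX is used.
 *
 * k and everything derived from it are secret: leaking even a few bits of k
 * across a handful of signatures recovers the private key. Hence the fixed
 * length exponent trick, BN_FLG_CONSTTIME, and BN_clear_free() everywhere.
 *
 * Review notes on this revision:
 *  - BN_FLG_CONSTTIME is now set on kq as well as k. kq is the value that
 *    is actually exponentiated and BN_copy() does not propagate flags, so
 *    the modular exponentiation previously ran on the variable-time path.
 *  - The error path freed kinv twice (once in the !ret branch and once
 *    unconditionally); there is now a single release point.
 */
static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
{
	BN_CTX *ctx = NULL;
	BIGNUM k, kq, *K, *kinv = NULL, *r = NULL;
	int ret = 0;

	if (!dsa->p || !dsa->q || !dsa->g) {
		DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_MISSING_PARAMETERS);
		return 0;
	}

	BN_init(&k);
	BN_init(&kq);

	if (ctx_in == NULL) {
		if ((ctx = BN_CTX_new()) == NULL)
			goto err;
	} else
		ctx = ctx_in;

	if ((r = BN_new()) == NULL)
		goto err;

	/* Get random k; 0 is rejected because it has no inverse mod q. */
	do
		if (!BN_rand_range(&k, dsa->q))
			goto err;
	while (BN_is_zero(&k));

	if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
		/*
		 * Mark both the nonce and its padded copy as secret so that
		 * BN_mod_exp_mont() and BN_mod_inverse() take their
		 * constant-time code paths.
		 */
		BN_set_flags(&k, BN_FLG_CONSTTIME);
		BN_set_flags(&kq, BN_FLG_CONSTTIME);
	}

	if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
		if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
		    CRYPTO_LOCK_DSA, dsa->p, ctx))
			goto err;
	}

	/* Compute r = (g^k mod p) mod q */
	if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
		if (!BN_copy(&kq, &k))
			goto err;
		/*
		 * We do not want timing information to leak the length of k,
		 * so we exponentiate with k + q (or k + 2q), which always has
		 * one more bit than q. Since g has order q, g^(k+q) == g^k.
		 *
		 * (This is a kludge that we need because BN_mod_exp_mont()
		 * does not let us specify the desired timing behaviour.)
		 */
		if (!BN_add(&kq, &kq, dsa->q))
			goto err;
		if (BN_num_bits(&kq) <= BN_num_bits(dsa->q)) {
			if (!BN_add(&kq, &kq, dsa->q))
				goto err;
		}
		K = &kq;
	} else {
		K = &k;
	}
	DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx,
	    dsa->method_mont_p);
	if (!BN_mod(r, r, dsa->q, ctx))
		goto err;

	/* Compute part of 's = inv(k) (m + xr) mod q' */
	if ((kinv = BN_mod_inverse(NULL, &k, dsa->q, ctx)) == NULL)
		goto err;

	/* Hand the results to the caller, wiping whatever it held before. */
	if (*kinvp != NULL)
		BN_clear_free(*kinvp);
	*kinvp = kinv;
	kinv = NULL;

	if (*rp != NULL)
		BN_clear_free(*rp);
	*rp = r;
	r = NULL;
	ret = 1;
err:
	if (!ret)
		DSAerr(DSA_F_DSA_SIGN_SETUP, ERR_R_BN_LIB);
	/* kinv and r are non-NULL here only on failure (ownership moved above). */
	if (kinv != NULL)
		BN_clear_free(kinv);
	if (r != NULL)
		BN_clear_free(r);
	if (ctx_in == NULL)
		BN_CTX_free(ctx);
	BN_clear_free(&k);
	BN_clear_free(&kq);
	return (ret);
}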
开发者ID:siredblood,项目名称:tree-bumpkin-project,代码行数:91,


示例9: dsa_do_verify

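/*
 * Verify a DSA signature (r, s) over the digest dgst[0..dgst_len).
 *
 * Returns 1 for a valid signature, 0 for an invalid one and -1 on error
 * (missing parameters or key, q not 160 bits, p too large, or a bignum
 * failure). Callers must distinguish 0 from -1: only -1 is a library error.
 *
 * The 160-bit q restriction ties this implementation to SHA-1 sized digests;
 * it is a deliberate limit of this version. Digests longer than q are not
 * truncated here (dsa_do_sign() refuses to produce them), so such inputs
 * simply fail to verify.
 *
 * Review note: the old epilogue queued ERR_R_BN_LIB whenever ret != 1, i.e.
 * for every merely invalid signature as well as for real errors, as the
 * original "XXX" comment already suspected. Only ret < 0 is an error now.
 */
static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
		  DSA *dsa)
{
	BN_CTX *ctx;
	BIGNUM u1, u2, t1;
	BN_MONT_CTX *mont = NULL;
	int ret = -1;

	/* pub_key is dereferenced by DSA_MOD_EXP below; a parameters-only key must be rejected here */
	if (!dsa->p || !dsa->q || !dsa->g || !dsa->pub_key) {
		DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_MISSING_PARAMETERS);
		return -1;
	}
	if (BN_num_bits(dsa->q) != 160) {
		DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_BAD_Q_VALUE);
		return -1;
	}
	if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS) {
		DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_MODULUS_TOO_LARGE);
		return -1;
	}

	BN_init(&u1);
	BN_init(&u2);
	BN_init(&t1);

	if ((ctx = BN_CTX_new()) == NULL)
		goto err;

	/* r and s must both lie in [1, q-1]; anything else is not a signature */
	if (BN_is_zero(sig->r) || BN_is_negative(sig->r) ||
	    BN_ucmp(sig->r, dsa->q) >= 0 ||
	    BN_is_zero(sig->s) || BN_is_negative(sig->s) ||
	    BN_ucmp(sig->s, dsa->q) >= 0) {
		ret = 0;
		goto err;
	}

	/* Calculate W = inv(S) mod Q, saved in u2 */
	if ((BN_mod_inverse(&u2, sig->s, dsa->q, ctx)) == NULL)
		goto err;

	/* save M in u1 */
	if (BN_bin2bn(dgst, dgst_len, &u1) == NULL)
		goto err;

	/* u1 = M * w mod q */
	if (!BN_mod_mul(&u1, &u1, &u2, dsa->q, ctx))
		goto err;

	/* u2 = r * w mod q */
	if (!BN_mod_mul(&u2, sig->r, &u2, dsa->q, ctx))
		goto err;

	if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
		mont = BN_MONT_CTX_set_locked(&dsa->method_mont_p,
		    CRYPTO_LOCK_DSA, dsa->p, ctx);
		if (!mont)
			goto err;
	}

	/* t1 = g^u1 * y^u2 mod p */
	DSA_MOD_EXP(goto err, dsa, &t1, dsa->g, &u1, dsa->pub_key, &u2,
	    dsa->p, ctx, mont);

	/* v = t1 mod q, left in u1 */
	if (!BN_mod(&u1, &t1, dsa->q, ctx))
		goto err;

	/* the signature is valid iff v == r */
	ret = (BN_ucmp(&u1, sig->r) == 0);

err:
	/* ret == 0 is a bad signature, not a library error */
	if (ret < 0)
		DSAerr(DSA_F_DSA_DO_VERIFY, ERR_R_BN_LIB);
	if (ctx != NULL)
		BN_CTX_free(ctx);
	BN_free(&u1);
	BN_free(&u2);
	BN_free(&t1);
	return (ret);
}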
开发者ID:siredblood,项目名称:tree-bumpkin-project,代码行数:86,


示例10: ECDSA_SIG_recover_key_GFp

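/*
 * Perform ECDSA public key recovery (see SEC1 4.1.6) for curves over prime
 * fields. On success the recovered point is installed in eckey via
 * EC_KEY_set_public_key().
 *
 * ecsig  - the (r, s) signature; both values must lie in [1, n-1]
 * msg    - the hash the signature was made over, interpreted big-endian and
 *          reduced to the leftmost n bits when longer (as ECDSA specifies)
 * recid  - which candidate key to recover: bit 0 is the parity of R's y
 *          coordinate, recid / 2 selects x = r + (recid / 2) * n
 * check  - when nonzero, additionally verify that the candidate R has order n
 *
 * Returns 1 on success, 0 when no key can be recovered for these inputs
 * (invalid r/s or recid, x outside the field, R not decodable or of wrong
 * order), -1 on a BIGNUM error and -2 on an EC library error.
 *
 * Recovery authenticates nothing by itself: a key can be recovered from any
 * well-formed (r, s). The caller must compare the recovered key against the
 * expected one (or its hash).
 *
 * Review notes: recid, r and s are attacker-controlled and were previously
 * unvalidated (a negative recid became a huge unsigned multiplier in
 * BN_mul_word()); EC_KEY_get0_group() and BN_CTX_get() results are now
 * checked before use, and the BN_rshift() return value is no longer ignored.
 */
int ECDSA_SIG_recover_key_GFp(EC_KEY *eckey, ECDSA_SIG *ecsig, const unsigned char *msg, int msglen, int recid, int check)
{
    if (!eckey) return 0;

    int ret = 0;
    BN_CTX *ctx = NULL;

    BIGNUM *x = NULL;
    BIGNUM *e = NULL;
    BIGNUM *order = NULL;
    BIGNUM *sor = NULL;
    BIGNUM *eor = NULL;
    BIGNUM *field = NULL;
    EC_POINT *R = NULL;
    EC_POINT *O = NULL;
    EC_POINT *Q = NULL;
    BIGNUM *rr = NULL;
    BIGNUM *zero = NULL;
    int n = 0;
    int i;

    const EC_GROUP *group = EC_KEY_get0_group(eckey);
    if (group == NULL) return 0;

    /* negative recid is meaningless (and would be mis-converted below) */
    if (recid < 0) return 0;
    i = recid / 2;

    if ((ctx = BN_CTX_new()) == NULL) { ret = -1; goto err; }
    BN_CTX_start(ctx);
    if ((order = BN_CTX_get(ctx)) == NULL) { ret = -1; goto err; }
    if (!EC_GROUP_get_order(group, order, ctx)) { ret = -2; goto err; }

    /* r and s must both lie in [1, n-1]; anything else is not a signature */
    if (BN_is_zero(ecsig->r) || BN_cmp(ecsig->r, order) >= 0 ||
        BN_is_zero(ecsig->s) || BN_cmp(ecsig->s, order) >= 0) { ret = 0; goto err; }

    /* candidate x coordinate of R is r + i*n, which must be a field element */
    if ((x = BN_CTX_get(ctx)) == NULL) { ret = -1; goto err; }
    if (!BN_copy(x, order)) { ret=-1; goto err; }
    if (!BN_mul_word(x, i)) { ret=-1; goto err; }
    if (!BN_add(x, x, ecsig->r)) { ret=-1; goto err; }
    if ((field = BN_CTX_get(ctx)) == NULL) { ret = -1; goto err; }
    if (!EC_GROUP_get_curve_GFp(group, field, NULL, NULL, ctx)) { ret=-2; goto err; }
    if (BN_cmp(x, field) >= 0) { ret=0; goto err; }

    /* decompress R from x and the y parity carried in recid bit 0 */
    if ((R = EC_POINT_new(group)) == NULL) { ret = -2; goto err; }
    if (!EC_POINT_set_compressed_coordinates_GFp(group, R, x, recid % 2, ctx)) { ret=0; goto err; }

    if (check)
    {
        /* optional: confirm R lies in the prime-order subgroup (n*R == O) */
        if ((O = EC_POINT_new(group)) == NULL) { ret = -2; goto err; }
        if (!EC_POINT_mul(group, O, NULL, R, order, ctx)) { ret=-2; goto err; }
        if (!EC_POINT_is_at_infinity(group, O)) { ret = 0; goto err; }
    }

    if ((Q = EC_POINT_new(group)) == NULL) { ret = -2; goto err; }

    /*
     * e = leftmost n bits of the hash, as in ECDSA verification.
     * NOTE(review): the shift amount is only correct when msglen is exactly
     * one byte longer than n/8 (e.g. a 32-byte hash on a 255-bit curve, or
     * 33 bytes on a 256-bit one); longer inputs are not truncated correctly.
     * Pre-existing behaviour, left as is.
     */
    n = EC_GROUP_get_degree(group);
    if ((e = BN_CTX_get(ctx)) == NULL) { ret = -1; goto err; }
    if (!BN_bin2bn(msg, msglen, e)) { ret=-1; goto err; }
    if (8*msglen > n) {
        if (!BN_rshift(e, e, 8-(n & 7))) { ret=-1; goto err; }
    }

    /* e = -e mod n */
    if ((zero = BN_CTX_get(ctx)) == NULL) { ret = -1; goto err; }
    if (!BN_zero(zero)) { ret=-1; goto err; }
    if (!BN_mod_sub(e, zero, e, order, ctx)) { ret=-1; goto err; }

    /* Q = r^-1 * (s*R - e*G) */
    if ((rr = BN_CTX_get(ctx)) == NULL) { ret = -1; goto err; }
    if (!BN_mod_inverse(rr, ecsig->r, order, ctx)) { ret=-1; goto err; }
    if ((sor = BN_CTX_get(ctx)) == NULL) { ret = -1; goto err; }
    if (!BN_mod_mul(sor, ecsig->s, rr, order, ctx)) { ret=-1; goto err; }
    if ((eor = BN_CTX_get(ctx)) == NULL) { ret = -1; goto err; }
    if (!BN_mod_mul(eor, e, rr, order, ctx)) { ret=-1; goto err; }
    if (!EC_POINT_mul(group, Q, eor, R, sor, ctx)) { ret=-2; goto err; }
    if (!EC_KEY_set_public_key(eckey, Q)) { ret=-2; goto err; }

    ret = 1;

err:
    if (ctx) {
        BN_CTX_end(ctx);
        BN_CTX_free(ctx);
    }
    if (R != NULL) EC_POINT_free(R);
    if (O != NULL) EC_POINT_free(O);
    if (Q != NULL) EC_POINT_free(Q);
    return ret;
}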
开发者ID:blacksector,项目名称:procoin-watchonly,代码行数:73,


示例11: BN_init

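/*
 * Produce a DSA signature over dgst[0..dlen) with the private key in dsa:
 *
 *   s = k^-1 (m + x r) mod q
 *
 * where (k^-1, r) either come from a previous DSA_sign_setup() stashed in
 * dsa->kinv / dsa->r (consumed here, so each pair is used once) or are
 * generated on the fly.
 *
 * Returns a new DSA_SIG (caller frees) or NULL on error with a reason on the
 * error queue.
 *
 * Everything that touches k or x - kinv, xr and the partially built s - is
 * secret and is wiped with BN_clear_free() on every path. Review notes: the
 * old error path used plain BN_free() for s, leaving m + xr (from which x
 * follows, r being public) in freed heap memory; the BN_sub() result was
 * unchecked; and a NULL priv_key was dereferenced instead of reported.
 */
static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
{
	BIGNUM *kinv = NULL, *r = NULL, *s = NULL;
	BIGNUM m;
	BIGNUM xr;
	BN_CTX *ctx = NULL;
	int i, reason = ERR_R_BN_LIB;
	DSA_SIG *ret = NULL;

	BN_init(&m);
	BN_init(&xr);

	/* priv_key is dereferenced below; treat its absence like a missing parameter */
	if (!dsa->p || !dsa->q || !dsa->g || !dsa->priv_key) {
		reason = DSA_R_MISSING_PARAMETERS;
		goto err;
	}

	s = BN_new();
	if (s == NULL)
		goto err;

	/* the digest must not be longer than q (20 bytes for a 160-bit q) */
	i = BN_num_bytes(dsa->q);
	if ((dlen > i) || (dlen > 50)) {
		reason = DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE;
		goto err;
	}

	ctx = BN_CTX_new();
	if (ctx == NULL)
		goto err;

	if ((dsa->kinv == NULL) || (dsa->r == NULL)) {
		if (!DSA_sign_setup(dsa, ctx, &kinv, &r))
			goto err;
	} else {
		/* take ownership of the precomputed pair so it cannot be reused */
		kinv = dsa->kinv;
		dsa->kinv = NULL;
		r = dsa->r;
		dsa->r = NULL;
	}

	if (BN_bin2bn(dgst, dlen, &m) == NULL)
		goto err;

	/* Compute  s = inv(k) (m + xr) mod q */
	if (!BN_mod_mul(&xr, dsa->priv_key, r, dsa->q, ctx))	/* xr = x*r mod q */
		goto err;
	if (!BN_add(s, &xr, &m))				/* s = m + xr */
		goto err;
	/*
	 * Partial reduction only: BN_mod_mul() below reduces fully, this just
	 * keeps the operand small. Still check the result rather than ignore it.
	 */
	if (BN_cmp(s, dsa->q) > 0) {
		if (!BN_sub(s, s, dsa->q))
			goto err;
	}
	if (!BN_mod_mul(s, s, kinv, dsa->q, ctx))
		goto err;

	ret = DSA_SIG_new();
	if (ret == NULL)
		goto err;
	ret->r = r;
	ret->s = s;

err:
	if (!ret) {
		DSAerr(DSA_F_DSA_DO_SIGN, reason);
		BN_clear_free(r);
		BN_clear_free(s);
	}
	if (ctx != NULL)
		BN_CTX_free(ctx);
	BN_clear_free(&m);
	BN_clear_free(&xr);
	if (kinv != NULL)	/* dsa->kinv is NULL now if we used it */
		BN_clear_free(kinv);
	return (ret);
}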
开发者ID:siredblood,项目名称:tree-bumpkin-project,代码行数:71,


示例12: rsa_get_params

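/*
 * rsa_get_params(): - Get the important parameters of an RSA public key
 *
 * Extracts what the U-Boot verifier needs for Montgomery arithmetic:
 *
 *   *exponent   - the public exponent, via rsa_get_exponent()
 *   *n0_invp    - -1 / n[0] mod 2^32, the Montgomery inverse of the lowest
 *                 32-bit word of the modulus
 *   *modulusp   - a copy of n; the caller owns and frees it
 *   *r_squaredp - R^2 mod n with R = 2^(bit length of n); caller frees
 *
 * Returns 0 on success. On failure the outputs are left untouched and
 * -ENOMEM is returned (also for non-memory bignum failures - historical
 * behaviour, kept so callers that only test for non-zero are unaffected).
 *
 * Review notes: the previous version never freed its BN_CTX, leaked every
 * BIGNUM on the out-of-memory path, carried on computing after a failure,
 * and allocated a "big1" it never used. All temporaries are now released on
 * every path through a single exit.
 */
int rsa_get_params(RSA *key, uint64_t *exponent, uint32_t *n0_invp,
		   BIGNUM **modulusp, BIGNUM **r_squaredp)
{
	BIGNUM *big2, *big32, *big2_32;
	BIGNUM *n, *r, *r_squared, *tmp;
	BN_CTX *bn_ctx;
	uint32_t n0_inv;
	int ret = 0;

	/* Initialize BIGNUMs (BN_free/BN_CTX_free accept NULL, so one exit suffices) */
	bn_ctx = BN_CTX_new();
	big2 = BN_new();
	big32 = BN_new();
	r = BN_new();
	r_squared = BN_new();
	tmp = BN_new();
	big2_32 = BN_new();
	n = BN_new();
	if (!bn_ctx || !big2 || !big32 || !r || !r_squared || !tmp ||
	    !big2_32 || !n) {
		fprintf(stderr, "Out of memory (bignum)\n");
		ret = -ENOMEM;
		goto out;
	}

	if (0 != rsa_get_exponent(key, exponent))
		goto fail;

	if (!BN_copy(n, key->n) || !BN_set_word(big2, 2L) ||
	    !BN_set_word(big32, 32L))
		goto fail;

	/* big2_32 = 2^32 */
	if (!BN_exp(big2_32, big2, big32, bn_ctx))
		goto fail;

	/*
	 * n0_inv = -1 / n[0] mod 2^32. Only the low 32 bits of n matter to
	 * BN_mod_inverse() here; n must be odd for the inverse to exist, which
	 * holds for any well-formed RSA modulus and is reported as a failure
	 * otherwise.
	 */
	if (!BN_mod_inverse(tmp, n, big2_32, bn_ctx) ||
	    !BN_sub(tmp, big2_32, tmp))
		goto fail;
	n0_inv = (uint32_t)BN_get_word(tmp);

	/* R = 2^(# of key bits) */
	if (!BN_set_word(tmp, BN_num_bits(n)) ||
	    !BN_exp(r, big2, tmp, bn_ctx))
		goto fail;

	/* r_squared = R^2 mod n */
	if (!BN_copy(r_squared, r) ||
	    !BN_mul(tmp, r_squared, r, bn_ctx) ||
	    !BN_mod(r_squared, tmp, n, bn_ctx))
		goto fail;

	/* Success: publish the results and hand n / r_squared to the caller */
	*n0_invp = n0_inv;
	*modulusp = n;
	*r_squaredp = r_squared;
	n = NULL;
	r_squared = NULL;
	goto out;

fail:
	fprintf(stderr, "Bignum operations failed\n");
	ret = -ENOMEM;
out:
	BN_free(big2);
	BN_free(big32);
	BN_free(big2_32);
	BN_free(r);
	BN_free(tmp);
	BN_free(n);
	BN_free(r_squared);
	BN_CTX_free(bn_ctx);
	return ret;
}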
开发者ID:duanlv,项目名称:u-boot-1,代码行数:70,


示例13: rdssl_rsa_encrypt

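/*
 * Raw RSA encryption of the client random for the RDP security exchange.
 *
 * out          - receives modulus_size bytes of little-endian ciphertext
 * in, len      - the plaintext (the client random); len must be within
 *                SEC_MAX_MODULUS_SIZE
 * modulus_size, modulus, exponent
 *              - the server's public key, little-endian on input. Both byte
 *                arrays are reversed IN PLACE, so the caller's copies are
 *                big-endian when this returns (existing callers use them once).
 *
 * This is textbook RSA with no padding, exactly as the protocol dictates; it
 * must not be reused as a general-purpose RSA encryption routine.
 *
 * Review notes: len was copied into a fixed stack buffer without a bound
 * check (stack overflow for len > SEC_MAX_MODULUS_SIZE), allocation and
 * BN_mod_exp() failures were never checked, and the plaintext copy was left
 * on the stack. On any failure 'out' is now filled with zeros rather than
 * left holding whatever was there before, since there is no error return.
 */
void
rdssl_rsa_encrypt(uint8 * out, uint8 * in, int len, uint32 modulus_size, uint8 * modulus,
		  uint8 * exponent)
{
	uint8 inr[SEC_MAX_MODULUS_SIZE];
	int outlen;
	BN_CTX *ctx;
	BIGNUM *mod, *exp, *x, *y;
#if !(OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(LIBRESSL_VERSION_NUMBER))
	/* pre-1.1 OpenSSL / LibreSSL: BIGNUM is not opaque, use stack storage */
	BIGNUM mod_s, exp_s, x_s, y_s;
#endif

	/* len is caller-controlled; inr is a fixed buffer. Refuse rather than overflow. */
	if (len < 0 || (size_t) len > sizeof(inr))
	{
		memset(out, 0, modulus_size);
		return;
	}

	/* protocol byte order is little-endian; OpenSSL wants big-endian */
	reverse(modulus, modulus_size);
	reverse(exponent, SEC_EXPONENT_SIZE);

	memcpy(inr, in, len);
	reverse(inr, len);

	ctx = BN_CTX_new();
#if OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(LIBRESSL_VERSION_NUMBER)
	mod = BN_new();
	exp = BN_new();
	x = BN_new();
	y = BN_new();
#else
	BN_init(&mod_s);
	BN_init(&exp_s);
	BN_init(&x_s);
	BN_init(&y_s);
	mod = &mod_s;
	exp = &exp_s;
	x = &x_s;
	y = &y_s;
#endif

	if (ctx != NULL && mod != NULL && exp != NULL && x != NULL && y != NULL
	    && BN_bin2bn(modulus, modulus_size, mod) != NULL
	    && BN_bin2bn(exponent, SEC_EXPONENT_SIZE, exp) != NULL
	    && BN_bin2bn(inr, len, x) != NULL
	    && BN_mod_exp(y, x, exp, mod, ctx))
	{
		/* y < mod, so at most modulus_size bytes are written; zero-pad the rest */
		outlen = BN_bn2bin(y, out);
		reverse(out, outlen);
		if (outlen < (int) modulus_size)
			memset(out + outlen, 0, modulus_size - outlen);
	}
	else
	{
		/* allocation or bignum failure: emit a defined value, not stale memory */
		memset(out, 0, modulus_size);
	}

	/* the plaintext copy and x hold the client random: wipe them */
	OPENSSL_cleanse(inr, sizeof(inr));
	BN_free(y);
	BN_clear_free(x);
	BN_free(exp);
	BN_free(mod);
	BN_CTX_free(ctx);
}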
开发者ID:mdaniel,项目名称:virtualbox-org-svn-vbox-trunk,代码行数:68,


示例14: main

/*
 * ECDH self-test driver: runs test_ecdh_curve() against every built-in
 * curve (skipping X25519, which has no affine-coordinate API; its ECDH is
 * covered by evptests.txt) and then replays the known-answer vectors in
 * ecdh_kats[]. Exit status 0 means every test passed; any failure,
 * including a memory leak reported by CRYPTO_mem_leaks_fp(), exits 1.
 */
int main(int argc, char *argv[])
{
    int status = 1;
    BN_CTX *bn_ctx = NULL;
    EC_builtin_curve *curve_list = NULL;
    size_t curve_count = 0;
    size_t idx;
    BIO *out;

    CRYPTO_set_mem_debug(1);
    CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);

    /* test-only seeding with a fixed string; never do this in production code */
    RAND_seed(rnd_seed, sizeof rnd_seed);

    out = BIO_new(BIO_s_file());
    if (out == NULL)
        EXIT(1);
    BIO_set_fp(out, stdout, BIO_NOCLOSE | BIO_FP_TEXT);

    bn_ctx = BN_CTX_new();
    if (bn_ctx == NULL)
        goto err;

    /* get a list of all internal curves */
    curve_count = EC_get_builtin_curves(NULL, 0);
    curve_list = OPENSSL_malloc(sizeof(*curve_list) * curve_count);
    if (curve_list == NULL)
        goto err;
    if (!EC_get_builtin_curves(curve_list, curve_count))
        goto err;

    /* NAMED CURVES TESTS */
    for (idx = 0; idx < curve_count; idx++) {
        int nid = curve_list[idx].nid;

        if (nid == NID_X25519)
            continue;
        if (!test_ecdh_curve(nid, bn_ctx, out))
            goto err;
    }

    /* KATs */
    for (idx = 0; idx < sizeof(ecdh_kats) / sizeof(ecdh_kat_t); idx++) {
        if (!ecdh_kat(out, &ecdh_kats[idx]))
            goto err;
    }

    status = 0;
 err:
    ERR_print_errors_fp(stderr);
    OPENSSL_free(curve_list);
    BN_CTX_free(bn_ctx);
    BIO_free(out);
#ifndef OPENSSL_NO_CRYPTO_MDEBUG
    if (CRYPTO_mem_leaks_fp(stderr) <= 0)
        status = 1;
#endif
    EXIT(status);
}
开发者ID:DarovskikhAndrei,项目名称:openssl,代码行数:61,


示例15: dsa_priv_decode

static int dsa_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8){    const unsigned char *p, *pm;    int pklen, pmlen;    int ptype;    void *pval;    ASN1_STRING *pstr;    X509_ALGOR *palg;    ASN1_INTEGER *privkey = NULL;    BN_CTX *ctx = NULL;    STACK_OF(ASN1_TYPE) *ndsa = NULL;    DSA *dsa = NULL;    if (!PKCS8_pkey_get0(NULL, &p, &pklen, &palg, p8))        return 0;    X509_ALGOR_get0(NULL, &ptype, &pval, palg);    /* Check for broken DSA PKCS#8, UGH! */    if (*p == (V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED)) {        ASN1_TYPE *t1, *t2;        if ((ndsa = d2i_ASN1_SEQUENCE_ANY(NULL, &p, pklen)) == NULL)            goto decerr;        if (sk_ASN1_TYPE_num(ndsa) != 2)            goto decerr;        /*-         * Handle Two broken types:         * SEQUENCE {parameters, priv_key}         * SEQUENCE {pub_key, priv_key}         */        t1 = sk_ASN1_TYPE_value(ndsa, 0);        t2 = sk_ASN1_TYPE_value(ndsa, 1);        if (t1->type == V_ASN1_SEQUENCE) {            p8->broken = PKCS8_EMBEDDED_PARAM;            pval = t1->value.ptr;        } else if (ptype == V_ASN1_SEQUENCE)            p8->broken = PKCS8_NS_DB;        else            goto decerr;        if (t2->type != V_ASN1_INTEGER)            goto decerr;        privkey = t2->value.integer;    } else {        const unsigned char *q = p;        if ((privkey = d2i_ASN1_INTEGER(NULL, &p, pklen)) == NULL)            goto decerr;        if (privkey->type == V_ASN1_NEG_INTEGER) {            p8->broken = PKCS8_NEG_PRIVKEY;            ASN1_STRING_clear_free(privkey);            if ((privkey = d2i_ASN1_UINTEGER(NULL, &q, pklen)) == NULL)                goto decerr;        }        if (ptype != V_ASN1_SEQUENCE)            goto decerr;    }    pstr = pval;    pm = pstr->data;    pmlen = pstr->length;    if ((dsa = d2i_DSAparams(NULL, &pm, pmlen)) == NULL)        goto decerr;    /* We have parameters now set private key */    if ((dsa->priv_key = BN_secure_new()) == NULL        || !ASN1_INTEGER_to_BN(privkey, dsa->priv_key)) 
{        DSAerr(DSA_F_DSA_PRIV_DECODE, DSA_R_BN_ERROR);        goto dsaerr;    }    /* Calculate public key */    if ((dsa->pub_key = BN_new()) == NULL) {        DSAerr(DSA_F_DSA_PRIV_DECODE, ERR_R_MALLOC_FAILURE);        goto dsaerr;    }    if ((ctx = BN_CTX_new()) == NULL) {        DSAerr(DSA_F_DSA_PRIV_DECODE, ERR_R_MALLOC_FAILURE);        goto dsaerr;    }    if (!BN_mod_exp(dsa->pub_key, dsa->g, dsa->priv_key, dsa->p, ctx)) {        DSAerr(DSA_F_DSA_PRIV_DECODE, DSA_R_BN_ERROR);        goto dsaerr;    }    EVP_PKEY_assign_DSA(pkey, dsa);    BN_CTX_free(ctx);    if (ndsa)        sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free);    else        ASN1_STRING_clear_free(privkey);    return 1; decerr:    DSAerr(DSA_F_DSA_PRIV_DECODE, EVP_R_DECODE_ERROR); dsaerr:    BN_CTX_free(ctx);    ASN1_STRING_clear_free(privkey);    sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free);//.........这里部分代码省略.........
开发者ID:SpongeEdmund,项目名称:openssl,代码行数:101,


示例16: ec_GFp_simple_cmp

/*
 * ec_GFp_simple_cmp - compare two Jacobian-projective points for equality
 * in affine coordinates, without any modular inversion.
 *
 * (X, Y, Z) represents the affine point (X/Z^2, Y/Z^3).  Instead of
 * inverting Z, the function cross-multiplies: a == b iff
 *   X_a * Z_b^2 == X_b * Z_a^2  and  Y_a * Z_b^3 == Y_b * Z_a^3.
 * Both sides are computed with the group's field_mul/field_sqr, so the
 * comparison is valid whatever internal (e.g. Montgomery) representation
 * the method uses, as long as both points use the same one.
 *
 * Returns 0 if the points are equal, 1 if they differ, -1 on error
 * (allocation or field-arithmetic failure).  Two points at infinity are
 * equal; infinity never equals a finite point.
 *
 * Note: BN_cmp is not constant-time.  This is fine for public points;
 * do not use this function where the result depends on secret data.
 * Both points are assumed to belong to 'group' (not checked here).
 */
int ec_GFp_simple_cmp(const EC_GROUP * group, const EC_POINT * a, const EC_POINT * b, BN_CTX * ctx)
{
	int (*field_mul) (const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
	int (*field_sqr) (const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
	BN_CTX *new_ctx = NULL;
	BIGNUM *tmp1, *tmp2, *Za23, *Zb23;
	/* Point at whichever value is being compared: a scratch product, or
	 * the raw coordinate when that point's Z is already 1. */
	const BIGNUM *tmp1_, *tmp2_;
	int ret = -1;

	/* Infinity handling: equal only to infinity. */
	if (EC_POINT_is_at_infinity(group, a) > 0) {
		return EC_POINT_is_at_infinity(group, b) > 0 ? 0 : 1;
	}
	if (EC_POINT_is_at_infinity(group, b) > 0)
		return 1;

	/* Both already affine: compare coordinates directly, no arithmetic. */
	if (a->Z_is_one && b->Z_is_one) {
		return ((BN_cmp(&a->X, &b->X) == 0) && BN_cmp(&a->Y, &b->Y) == 0) ? 0 : 1;
	}
	field_mul = group->meth->field_mul;
	field_sqr = group->meth->field_sqr;

	/* Allocate a context only if the caller did not supply one. */
	if (ctx == NULL) {
		ctx = new_ctx = BN_CTX_new();
		if (ctx == NULL)
			return -1;
	}
	BN_CTX_start(ctx);
	if ((tmp1 = BN_CTX_get(ctx)) == NULL)
		goto end;
	if ((tmp2 = BN_CTX_get(ctx)) == NULL)
		goto end;
	if ((Za23 = BN_CTX_get(ctx)) == NULL)
		goto end;
	if ((Zb23 = BN_CTX_get(ctx)) == NULL)
		goto end;

	/*
	 * We have to decide whether (X_a/Z_a^2, Y_a/Z_a^3) = (X_b/Z_b^2,
	 * Y_b/Z_b^3), or equivalently, whether (X_a*Z_b^2, Y_a*Z_b^3) =
	 * (X_b*Z_a^2, Y_b*Z_a^3).
	 */
	/* tmp1_ := X_a * Z_b^2 (Zb23 keeps Z_b^2 for the Y step below) */
	if (!b->Z_is_one) {
		if (!field_sqr(group, Zb23, &b->Z, ctx))
			goto end;
		if (!field_mul(group, tmp1, &a->X, Zb23, ctx))
			goto end;
		tmp1_ = tmp1;
	} else
		tmp1_ = &a->X;
	/* tmp2_ := X_b * Z_a^2 (Za23 keeps Z_a^2) */
	if (!a->Z_is_one) {
		if (!field_sqr(group, Za23, &a->Z, ctx))
			goto end;
		if (!field_mul(group, tmp2, &b->X, Za23, ctx))
			goto end;
		tmp2_ = tmp2;
	} else
		tmp2_ = &b->X;

	/* compare  X_a*Z_b^2  with  X_b*Z_a^2 */
	if (BN_cmp(tmp1_, tmp2_) != 0) {
		ret = 1;	/* points differ */
		goto end;
	}
	/* Promote Z_b^2 -> Z_b^3 and form Y_a * Z_b^3 into tmp1 (tmp1_ still
	 * points at tmp1 from the X step, so no reassignment is needed). */
	if (!b->Z_is_one) {
		if (!field_mul(group, Zb23, Zb23, &b->Z, ctx))
			goto end;
		if (!field_mul(group, tmp1, &a->Y, Zb23, ctx))
			goto end;
		/* tmp1_ = tmp1 */
	} else
		tmp1_ = &a->Y;
	/* Likewise Z_a^2 -> Z_a^3 and Y_b * Z_a^3 into tmp2. */
	if (!a->Z_is_one) {
		if (!field_mul(group, Za23, Za23, &a->Z, ctx))
			goto end;
		if (!field_mul(group, tmp2, &b->Y, Za23, ctx))
			goto end;
		/* tmp2_ = tmp2 */
	} else
		tmp2_ = &b->Y;

	/* compare  Y_a*Z_b^3  with  Y_b*Z_a^3 */
	if (BN_cmp(tmp1_, tmp2_) != 0) {
		ret = 1;	/* points differ */
		goto end;
	}
	/* points are equal */
	ret = 0;

end:
	/* BN_CTX_start was called above, so end is always balanced here;
	 * new_ctx is NULL when the caller supplied ctx (free is a no-op). */
	BN_CTX_end(ctx);
	BN_CTX_free(new_ctx);
	return ret;
}


示例17: EC_KEY_generate_key

/*
 * EC_KEY_generate_key - generate a fresh private scalar and the matching
 * public point for eckey on its group.
 *
 * The private scalar is drawn from [1, order-1] by rejection sampling on
 * BN_rand_range (a zero draw is retried); the public point is
 * scalar * generator via EC_POINT_mul.  An existing eckey->priv_key or
 * eckey->pub_key object is reused in place and overwritten; a missing one
 * is allocated here.
 *
 * Returns 1 on success, 0 on failure (NULL key or group, allocation or
 * arithmetic error).  On failure any BIGNUM / EC_POINT allocated by this
 * call is released and eckey is left unchanged.
 *
 * Note: BN_rand_range draws from the library's default PRNG; it must be
 * seeded before this is called, otherwise the draw fails or is predictable.
 */
int EC_KEY_generate_key(EC_KEY *eckey)
	{
	int status = 0;
	BN_CTX *bn_ctx = NULL;
	BIGNUM *n = NULL;
	BIGNUM *scalar = NULL;
	EC_POINT *point = NULL;

	if (eckey == NULL || eckey->group == NULL)
		{
		ECerr(EC_F_EC_KEY_GENERATE_KEY, ERR_R_PASSED_NULL_PARAMETER);
		return 0;
		}

	n = BN_new();
	if (n == NULL)
		goto done;
	bn_ctx = BN_CTX_new();
	if (bn_ctx == NULL)
		goto done;

	/* Reuse the caller's BIGNUM when present, otherwise allocate one. */
	scalar = (eckey->priv_key != NULL) ? eckey->priv_key : BN_new();
	if (scalar == NULL)
		goto done;

	if (!EC_GROUP_get_order(eckey->group, n, bn_ctx))
		goto done;

	/* Rejection-sample a non-zero scalar strictly below the group order. */
	for (;;)
		{
		if (!BN_rand_range(scalar, n))
			goto done;
		if (!BN_is_zero(scalar))
			break;
		}

	point = (eckey->pub_key != NULL) ? eckey->pub_key : EC_POINT_new(eckey->group);
	if (point == NULL)
		goto done;

	/* point = scalar * G; no auxiliary points are passed to EC_POINT_mul. */
	if (!EC_POINT_mul(eckey->group, point, scalar, NULL, NULL, bn_ctx))
		goto done;

	eckey->priv_key = scalar;
	eckey->pub_key = point;
	status = 1;

done:
	BN_free(n);
	/* Anything we allocated is still unowned by eckey only on failure;
	 * on success the assignments above make these conditions false. */
	if (point != NULL && eckey->pub_key == NULL)
		EC_POINT_free(point);
	if (scalar != NULL && eckey->priv_key == NULL)
		BN_free(scalar);
	BN_CTX_free(bn_ctx);
	return status;
	}


示例18: ec_GFp_simple_points_make_affine

int ec_GFp_simple_points_make_affine(const EC_GROUP * group, size_t num, EC_POINT * points[], BN_CTX * ctx){	BN_CTX *new_ctx = NULL;	BIGNUM *tmp0, *tmp1;	size_t pow2 = 0;	BIGNUM **heap = NULL;	size_t i;	int ret = 0;	if (num == 0)		return 1;	if (ctx == NULL) {		ctx = new_ctx = BN_CTX_new();		if (ctx == NULL)			return 0;	}	BN_CTX_start(ctx);	if ((tmp0 = BN_CTX_get(ctx)) == NULL)		goto err;	if ((tmp1 = BN_CTX_get(ctx)) == NULL)		goto err;	/*	 * Before converting the individual points, compute inverses of all Z	 * values. Modular inversion is rather slow, but luckily we can do	 * with a single explicit inversion, plus about 3 multiplications per	 * input value.	 */	pow2 = 1;	while (num > pow2)		pow2 <<= 1;	/*	 * Now pow2 is the smallest power of 2 satifsying pow2 >= num. We	 * need twice that.	 */	pow2 <<= 1;	heap = reallocarray(NULL, pow2, sizeof heap[0]);	if (heap == NULL)		goto err;	/*	 * The array is used as a binary tree, exactly as in heapsort:	 * 	 * heap[1] heap[2]                     heap[3] heap[4]       heap[5]	 * heap[6]       heap[7] heap[8]heap[9] heap[10]heap[11]	 * heap[12]heap[13] heap[14] heap[15]	 * 	 * We put the Z's in the last line; then we set each other node to the	 * product of its two child-nodes (where empty or 0 entries are	 * treated as ones); then we invert heap[1]; then we invert each	 * other node by replacing it by the product of its parent (after	 * inversion) and its sibling (before inversion).	 
*/	heap[0] = NULL;	for (i = pow2 / 2 - 1; i > 0; i--)		heap[i] = NULL;	for (i = 0; i < num; i++)		heap[pow2 / 2 + i] = &points[i]->Z;	for (i = pow2 / 2 + num; i < pow2; i++)		heap[i] = NULL;	/* set each node to the product of its children */	for (i = pow2 / 2 - 1; i > 0; i--) {		heap[i] = BN_new();		if (heap[i] == NULL)			goto err;		if (heap[2 * i] != NULL) {			if ((heap[2 * i + 1] == NULL) || BN_is_zero(heap[2 * i + 1])) {				if (!BN_copy(heap[i], heap[2 * i]))					goto err;			} else {				if (BN_is_zero(heap[2 * i])) {					if (!BN_copy(heap[i], heap[2 * i + 1]))						goto err;				} else {					if (!group->meth->field_mul(group, heap[i],						heap[2 * i], heap[2 * i + 1], ctx))						goto err;				}			}		}	}	/* invert heap[1] */	if (!BN_is_zero(heap[1])) {		if (!BN_mod_inverse(heap[1], heap[1], &group->field, ctx)) {			ECerr(EC_F_EC_GFP_SIMPLE_POINTS_MAKE_AFFINE, ERR_R_BN_LIB);			goto err;		}	}	if (group->meth->field_encode != 0) {		/*		 * in the Montgomery case, we just turned  R*H  (representing		 * H) into  1/(R*H),  but we need  R*(1/H)  (representing		 * 1/H); i.e. we have need to multiply by the Montgomery//.........这里部分代码省略.........


示例19: generate_key

/*
 * generate_key - DH key generation for the default method.
 *
 * Produces the private exponent x only if dh->priv_key is NULL (an
 * existing private key is kept and reused), and always recomputes the
 * public value y = g^x mod p into dh->pub_key (allocating it if NULL).
 *
 * Returns 1 on success, 0 on failure.  On failure DHerr() is pushed with
 * ERR_R_BN_LIB (also for allocation failures) and any BIGNUM allocated
 * by this call is released, leaving dh unchanged.
 */
static int generate_key(DH *dh)
	{
	int ok=0;
	int generate_new_key=0;
	unsigned l;	/* bit length of a freshly generated private exponent */
	BN_CTX *ctx;
	BN_MONT_CTX *mont=NULL;
	BIGNUM *pub_key=NULL,*priv_key=NULL;

	ctx = BN_CTX_new();
	if (ctx == NULL) goto err;

	/* Reuse an existing private key; only generate when none is set. */
	if (dh->priv_key == NULL)
		{
		priv_key=BN_new();
		if (priv_key == NULL) goto err;
		generate_new_key=1;
		}
	else
		priv_key=dh->priv_key;

	if (dh->pub_key == NULL)
		{
		pub_key=BN_new();
		if (pub_key == NULL) goto err;
		}
	else
		pub_key=dh->pub_key;

	/* Lazily build and cache the Montgomery context for p under the DH lock. */
	if (dh->flags & DH_FLAG_CACHE_MONT_P)
		{
		mont = BN_MONT_CTX_set_locked(&dh->method_mont_p,
				CRYPTO_LOCK_DH, dh->p, ctx);
		if (!mont)
			goto err;
		}

	if (generate_new_key)
		{
		/*
		 * Exponent length: dh->length if the caller set one, otherwise
		 * one bit less than p.  Per BN_rand(3), top=0 forces the most
		 * significant bit on, so x has exactly l bits and is never zero.
		 *
		 * NOTE(review): x is not drawn uniformly below a subgroup order
		 * q; with non-safe-prime parameters or a short dh->length this
		 * is weaker than sampling in [1, q-1] — confirm how parameters
		 * reach this code before relying on it.
		 */
		l = dh->length ? dh->length : BN_num_bits(dh->p)-1; /* secret exponent length */
		if (!BN_rand(priv_key, l, 0, 0)) goto err;
		}

	{
		BIGNUM local_prk;
		BIGNUM *prk;

		/*
		 * Unless the caller opted out, exponentiate through a shallow
		 * alias of priv_key that carries BN_FLG_CONSTTIME, so the
		 * method's bn_mod_exp takes its constant-time path for the
		 * secret exponent.  local_prk only borrows priv_key's limbs via
		 * BN_with_flags and must not be freed.
		 */
		if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0)
			{
			BN_init(&local_prk);
			prk = &local_prk;
			BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
			}
		else
			prk = priv_key;

		/* pub_key = g^x mod p */
		if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, prk, dh->p, ctx, mont)) goto err;
	}
		
	dh->pub_key=pub_key;
	dh->priv_key=priv_key;
	ok=1;
err:
	if (ok != 1)
		DHerr(DH_F_GENERATE_KEY,ERR_R_BN_LIB);

	/* Free only what this call allocated and did not hand over to dh. */
	if ((pub_key != NULL)  && (dh->pub_key == NULL))  BN_free(pub_key);
	if ((priv_key != NULL) && (dh->priv_key == NULL)) BN_free(priv_key);
	BN_CTX_free(ctx);
	return(ok);
	}


示例20: ec_GFp_simple_group_check_discriminant

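/*
 * ec_GFp_simple_group_check_discriminant - verify that the parameters of
 * 'group' describe a non-singular curve over GF(p).
 *
 * For y^2 = x^3 + a*x + b the curve is non-singular iff the discriminant
 * 4*a^3 + 27*b^2 is non-zero mod p.  a and b are first brought back to
 * their plain (non-Montgomery) representation via field_decode when the
 * method provides one, so the arithmetic below uses the generic BN_mod_*
 * routines on standard-form values.
 *
 * Returns 1 if the discriminant is non-zero, 0 if it is zero or on any
 * allocation / arithmetic failure.  A zero discriminant pushes no error
 * reason here; the caller is expected to report it.
 *
 * NOTE(review): the shortcuts for a == 0 or b == 0 assume p divides
 * neither 4 nor 27, i.e. p > 3, which is what this GF(p) method is meant
 * for but is not verified here.
 */
int ec_GFp_simple_group_check_discriminant(const EC_GROUP * group, BN_CTX * ctx)
{
	BN_CTX *new_ctx = NULL;
	BIGNUM *a, *b, *t1, *t2;
	const BIGNUM *p = &group->field;
	int ret = 0;

	if (ctx == NULL) {
		ctx = new_ctx = BN_CTX_new();
		if (ctx == NULL) {
			ECerr(EC_F_EC_GFP_SIMPLE_GROUP_CHECK_DISCRIMINANT, ERR_R_MALLOC_FAILURE);
			goto err;
		}
	}
	BN_CTX_start(ctx);
	/* Four temporaries suffice: decoded a and b, and two scratch values. */
	if ((a = BN_CTX_get(ctx)) == NULL ||
	    (b = BN_CTX_get(ctx)) == NULL ||
	    (t1 = BN_CTX_get(ctx)) == NULL ||
	    (t2 = BN_CTX_get(ctx)) == NULL)
		goto err;

	/* Get a and b out of the method's internal representation. */
	if (group->meth->field_decode != NULL) {
		if (!group->meth->field_decode(group, a, &group->a, ctx))
			goto err;
		if (!group->meth->field_decode(group, b, &group->b, ctx))
			goto err;
	} else {
		if (!BN_copy(a, &group->a))
			goto err;
		if (!BN_copy(b, &group->b))
			goto err;
	}

	/*
	 * check the discriminant: y^2 = x^3 + a*x + b is an elliptic curve
	 * <=> 4*a^3 + 27*b^2 != 0 (mod p), with 0 <= a, b < p.
	 * If exactly one of a, b is zero the discriminant is trivially
	 * non-zero (for p > 3); if both are zero it is zero.
	 */
	if (BN_is_zero(a)) {
		if (BN_is_zero(b))
			goto err;
	} else if (!BN_is_zero(b)) {
		/* t1 = 4*a^3 (left unreduced; BN_mod_add reduces the sum) */
		if (!BN_mod_sqr(t1, a, p, ctx))
			goto err;
		if (!BN_mod_mul(t2, t1, a, p, ctx))
			goto err;
		if (!BN_lshift(t1, t2, 2))
			goto err;

		/* t2 = 27*b^2 (also unreduced) */
		if (!BN_mod_sqr(t2, b, p, ctx))
			goto err;
		if (!BN_mul_word(t2, 27))
			goto err;

		/* a = (4*a^3 + 27*b^2) mod p; zero means a singular curve */
		if (!BN_mod_add(a, t1, t2, p, ctx))
			goto err;
		if (BN_is_zero(a))
			goto err;
	}
	ret = 1;

err:
	/* ctx is NULL only when BN_CTX_new failed, i.e. before BN_CTX_start. */
	if (ctx != NULL)
		BN_CTX_end(ctx);
	BN_CTX_free(new_ctx);
	return ret;
}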


示例21: Init_ossl_bn

/* * INIT * (NOTE: ordering of methods is the same as in 'man bn') */voidInit_ossl_bn(){#if 0 /* let rdoc know about mOSSL */    mOSSL = rb_define_module("OpenSSL");#endif    if (!(ossl_bn_ctx = BN_CTX_new())) {	ossl_raise(rb_eRuntimeError, "Cannot init BN_CTX");    }    eBNError = rb_define_class_under(mOSSL, "BNError", eOSSLError);    cBN = rb_define_class_under(mOSSL, "BN", rb_cObject);    rb_define_alloc_func(cBN, ossl_bn_alloc);    rb_define_method(cBN, "initialize", ossl_bn_initialize, -1);	    rb_define_copy_func(cBN, ossl_bn_copy);    rb_define_method(cBN, "copy", ossl_bn_copy, 1);    /* swap (=coerce?) */    rb_define_method(cBN, "num_bytes", ossl_bn_num_bytes, 0);    rb_define_method(cBN, "num_bits", ossl_bn_num_bits, 0);    /* num_bits_word */    rb_define_method(cBN, "+", ossl_bn_add, 1);    rb_define_method(cBN, "-", ossl_bn_sub, 1);    rb_define_method(cBN, "*", ossl_bn_mul, 1);    rb_define_method(cBN, "sqr", ossl_bn_sqr, 0);    rb_define_method(cBN, "/", ossl_bn_div, 1);    rb_define_method(cBN, "%", ossl_bn_mod, 1);    /* nnmod */    rb_define_method(cBN, "mod_add", ossl_bn_mod_add, 2);    rb_define_method(cBN, "mod_sub", ossl_bn_mod_sub, 2);    rb_define_method(cBN, "mod_mul", ossl_bn_mod_mul, 2);    rb_define_method(cBN, "mod_sqr", ossl_bn_mod_sqr, 1);    rb_define_method(cBN, "**", ossl_bn_exp, 1);    rb_define_method(cBN, "mod_exp", ossl_bn_mod_exp, 2);    rb_define_method(cBN, "gcd", ossl_bn_gcd, 1);    /* add_word     * sub_word     * mul_word     * div_word     * mod_word */    rb_define_method(cBN, "cmp", ossl_bn_cmp, 1);    rb_define_alias(cBN, "<=>", "cmp");    rb_define_method(cBN, "ucmp", ossl_bn_ucmp, 1);    rb_define_method(cBN, "eql?", ossl_bn_eql, 1);    rb_define_alias(cBN, "==", "eql?");    rb_define_alias(cBN, "===", "eql?");    rb_define_method(cBN, "zero?", ossl_bn_is_zero, 0);    rb_define_method(cBN, "one?", ossl_bn_is_one, 0);    /* is_word */    rb_define_method(cBN, "odd?", ossl_bn_is_odd, 0);    /* zero     * one     * 
value_one - DON'T IMPL.     * set_word     * get_word */        rb_define_singleton_method(cBN, "rand", ossl_bn_s_rand, -1);    rb_define_singleton_method(cBN, "pseudo_rand", ossl_bn_s_pseudo_rand, -1);    rb_define_singleton_method(cBN, "rand_range", ossl_bn_s_rand_range, 1);    rb_define_singleton_method(cBN, "pseudo_rand_range", ossl_bn_s_pseudo_rand_range, 1);    rb_define_singleton_method(cBN, "generate_prime", ossl_bn_s_generate_prime, -1);    rb_define_method(cBN, "prime?", ossl_bn_is_prime, -1);    rb_define_method(cBN, "set_bit!", ossl_bn_set_bit, 1);    rb_define_method(cBN, "clear_bit!", ossl_bn_clear_bit, 1);    rb_define_method(cBN, "bit_set?", ossl_bn_is_bit_set, 1);    rb_define_method(cBN, "mask_bits!", ossl_bn_mask_bits, 1);    rb_define_method(cBN, "<<", ossl_bn_lshift, 1);    rb_define_method(cBN, ">>", ossl_bn_rshift, 1);    rb_define_method(cBN, "lshift!", ossl_bn_self_lshift, 1);    rb_define_method(cBN, "rshift!", ossl_bn_self_rshift, 1);    /* lshift1 - DON'T IMPL. */    /* rshift1 - DON'T IMPL. */    /*     * bn2bin     * bin2bn     * bn2hex     * bn2dec     * hex2bn     * dec2bn - all these are implemented in ossl_bn_initialize, and ossl_bn_to_s     * print - NOT IMPL.     * print_fp - NOT IMPL.     * bn2mpi     * mpi2bn//.........这里部分代码省略.........


示例22: ec_GFp_simple_point_get_affine_coordinates

int ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP * group, const EC_POINT * point,    BIGNUM * x, BIGNUM * y, BN_CTX * ctx){	BN_CTX *new_ctx = NULL;	BIGNUM *Z, *Z_1, *Z_2, *Z_3;	const BIGNUM *Z_;	int ret = 0;	if (EC_POINT_is_at_infinity(group, point) > 0) {		ECerr(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES, EC_R_POINT_AT_INFINITY);		return 0;	}	if (ctx == NULL) {		ctx = new_ctx = BN_CTX_new();		if (ctx == NULL)			return 0;	}	BN_CTX_start(ctx);	if ((Z = BN_CTX_get(ctx)) == NULL)		goto err;	if ((Z_1 = BN_CTX_get(ctx)) == NULL)		goto err;	if ((Z_2 = BN_CTX_get(ctx)) == NULL)		goto err;	if ((Z_3 = BN_CTX_get(ctx)) == NULL)		goto err;	/* transform  (X, Y, Z)  into  (x, y) := (X/Z^2, Y/Z^3) */	if (group->meth->field_decode) {		if (!group->meth->field_decode(group, Z, &point->Z, ctx))			goto err;		Z_ = Z;	} else {		Z_ = &point->Z;	}	if (BN_is_one(Z_)) {		if (group->meth->field_decode) {			if (x != NULL) {				if (!group->meth->field_decode(group, x, &point->X, ctx))					goto err;			}			if (y != NULL) {				if (!group->meth->field_decode(group, y, &point->Y, ctx))					goto err;			}		} else {			if (x != NULL) {				if (!BN_copy(x, &point->X))					goto err;			}			if (y != NULL) {				if (!BN_copy(y, &point->Y))					goto err;			}		}	} else {		if (!BN_mod_inverse(Z_1, Z_, &group->field, ctx)) {			ECerr(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES, ERR_R_BN_LIB);			goto err;		}		if (group->meth->field_encode == 0) {			/* field_sqr works on standard representation */			if (!group->meth->field_sqr(group, Z_2, Z_1, ctx))				goto err;		} else {			if (!BN_mod_sqr(Z_2, Z_1, &group->field, ctx))				goto err;		}		if (x != NULL) {			/*			 * in the Montgomery case, field_mul will cancel out			 * Montgomery factor in X:			 */			if (!group->meth->field_mul(group, x, &point->X, Z_2, ctx))				goto err;		}		if (y != NULL) {			if (group->meth->field_encode == 0) {				/* field_mul works on standard representation */				if (!group->meth->field_mul(group, Z_3, Z_2, Z_1, ctx))					
goto err;			} else {				if (!BN_mod_mul(Z_3, Z_2, Z_1, &group->field, ctx))					goto err;			}			/*			 * in the Montgomery case, field_mul will cancel out			 * Montgomery factor in Y:			 */			if (!group->meth->field_mul(group, y, &point->Y, Z_3, ctx))				goto err;		}	}	ret = 1;//.........这里部分代码省略.........


示例23: schnorr_verify

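/*
 * Verify Schnorr signature { r (v - xh mod q), e (g^v mod p) } against
 * public exponent g_x (g^x) under group defined by 'grp_p', 'grp_q' and
 * 'grp_g' using hash "evp_md".
 * Signature hash will be salted with 'idlen' bytes from 'id'.
 * Returns -1 on failure, 0 on incorrect signature or 1 on matching signature.
 *
 * The relation checked is  g^r * (g^x)^h == e (mod p)  with
 * h = H(g || e || g_x || id) as produced by schnorr_hash().  grp_q is only
 * passed through to schnorr_hash; r is neither reduced nor range-checked.
 *
 * BN_mod_exp() and BN_mod_mul() report failure by returning 0, never -1;
 * a "== -1" test on them would let a failed exponentiation fall through
 * to the final comparison with an unset intermediate, so the results are
 * tested with '!'.
 *
 * NOTE(review): only g_x <= 1 is rejected here.  Callers are expected to
 * have validated that g_x and e lie in (1, p) and r in [0, q) — confirm
 * at the call sites; this function does not enforce it.
 */
int
schnorr_verify(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g,
    const EVP_MD *evp_md, const BIGNUM *g_x, const u_char *id, u_int idlen,
    const BIGNUM *r, const BIGNUM *e)
{
	int success = -1;
	BIGNUM *h, *g_xh, *g_r, *expected;
	BN_CTX *bn_ctx;

	SCHNORR_DEBUG_BN((g_x, "%s: g_x = ", __func__));

	/* Avoid degenerate cases: g^0 yields a spoofable signature */
	if (BN_cmp(g_x, BN_value_one()) <= 0) {
		error("%s: g_x < 1", __func__);
		return -1;
	}

	/* All temporaries start NULL so the 'out' path can free unconditionally. */
	h = g_xh = g_r = expected = NULL;
	if ((bn_ctx = BN_CTX_new()) == NULL) {
		error("%s: BN_CTX_new", __func__);
		goto out;
	}
	if ((g_xh = BN_new()) == NULL ||
	    (g_r = BN_new()) == NULL ||
	    (expected = BN_new()) == NULL) {
		error("%s: BN_new", __func__);
		goto out;
	}

	SCHNORR_DEBUG_BN((e, "%s: e = ", __func__));
	SCHNORR_DEBUG_BN((r, "%s: r = ", __func__));

	/* h = H(g || g^v || g^x || id) */
	if ((h = schnorr_hash(grp_p, grp_q, grp_g, evp_md, e, g_x,
	    id, idlen)) == NULL) {
		error("%s: schnorr_hash failed", __func__);
		goto out;
	}

	/* g_xh = (g^x)^h */
	if (!BN_mod_exp(g_xh, g_x, h, grp_p, bn_ctx)) {
		error("%s: BN_mod_exp (g_x^h mod p)", __func__);
		goto out;
	}
	SCHNORR_DEBUG_BN((g_xh, "%s: g_xh = ", __func__));

	/* g_r = g^r */
	if (!BN_mod_exp(g_r, grp_g, r, grp_p, bn_ctx)) {
		error("%s: BN_mod_exp (g^r mod p)", __func__);
		goto out;
	}
	SCHNORR_DEBUG_BN((g_r, "%s: g_r = ", __func__));

	/* expected = g^r * g_xh */
	if (!BN_mod_mul(expected, g_r, g_xh, grp_p, bn_ctx)) {
		error("%s: BN_mod_mul (expected = g_r * g_xh mod p)", __func__);
		goto out;
	}
	SCHNORR_DEBUG_BN((expected, "%s: expected = ", __func__));

	/* Check e == expected; both are public so BN_cmp's timing is fine. */
	success = BN_cmp(expected, e) == 0;
 out:
	BN_CTX_free(bn_ctx);
	if (h != NULL)
		BN_clear_free(h);
	BN_clear_free(g_xh);
	BN_clear_free(g_r);
	BN_clear_free(expected);
	return success;
}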


示例24: ec_GFp_simple_add

int ec_GFp_simple_add(const EC_GROUP * group, EC_POINT * r, const EC_POINT * a, const EC_POINT * b, BN_CTX * ctx){	int (*field_mul) (const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);	int (*field_sqr) (const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);	const BIGNUM *p;	BN_CTX *new_ctx = NULL;	BIGNUM *n0, *n1, *n2, *n3, *n4, *n5, *n6;	int ret = 0;	if (a == b)		return EC_POINT_dbl(group, r, a, ctx);	if (EC_POINT_is_at_infinity(group, a) > 0)		return EC_POINT_copy(r, b);	if (EC_POINT_is_at_infinity(group, b) > 0)		return EC_POINT_copy(r, a);	field_mul = group->meth->field_mul;	field_sqr = group->meth->field_sqr;	p = &group->field;	if (ctx == NULL) {		ctx = new_ctx = BN_CTX_new();		if (ctx == NULL)			return 0;	}	BN_CTX_start(ctx);	if ((n0 = BN_CTX_get(ctx)) == NULL)		goto end;	if ((n1 = BN_CTX_get(ctx)) == NULL)		goto end;	if ((n2 = BN_CTX_get(ctx)) == NULL)		goto end;	if ((n3 = BN_CTX_get(ctx)) == NULL)		goto end;	if ((n4 = BN_CTX_get(ctx)) == NULL)		goto end;	if ((n5 = BN_CTX_get(ctx)) == NULL)		goto end;	if ((n6 = BN_CTX_get(ctx)) == NULL)		goto end;	/*	 * Note that in this function we must not read components of 'a' or	 * 'b' once we have written the corresponding components of 'r'. ('r'	 * might be one of 'a' or 'b'.)	 
*/	/* n1, n2 */	if (b->Z_is_one) {		if (!BN_copy(n1, &a->X))			goto end;		if (!BN_copy(n2, &a->Y))			goto end;		/* n1 = X_a */		/* n2 = Y_a */	} else {		if (!field_sqr(group, n0, &b->Z, ctx))			goto end;		if (!field_mul(group, n1, &a->X, n0, ctx))			goto end;		/* n1 = X_a * Z_b^2 */		if (!field_mul(group, n0, n0, &b->Z, ctx))			goto end;		if (!field_mul(group, n2, &a->Y, n0, ctx))			goto end;		/* n2 = Y_a * Z_b^3 */	}	/* n3, n4 */	if (a->Z_is_one) {		if (!BN_copy(n3, &b->X))			goto end;		if (!BN_copy(n4, &b->Y))			goto end;		/* n3 = X_b */		/* n4 = Y_b */	} else {		if (!field_sqr(group, n0, &a->Z, ctx))			goto end;		if (!field_mul(group, n3, &b->X, n0, ctx))			goto end;		/* n3 = X_b * Z_a^2 */		if (!field_mul(group, n0, n0, &a->Z, ctx))			goto end;		if (!field_mul(group, n4, &b->Y, n0, ctx))			goto end;		/* n4 = Y_b * Z_a^3 */	}	/* n5, n6 */	if (!BN_mod_sub_quick(n5, n1, n3, p))		goto end;	if (!BN_mod_sub_quick(n6, n2, n4, p))		goto end;	/* n5 = n1 - n3 */	/* n6 = n2 - n4 *///.........这里部分代码省略.........


示例25: hashbn

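/*
 * hashbn - feed the big-endian encoding of bn into the running SHA-1
 * state, preceded by its byte length (via hashlength) so that adjacent
 * fields of the transcript cannot be re-split by a different parse.
 *
 * Returns 1 on success, 0 if the scratch buffer could not be allocated;
 * on failure nothing has been fed into the hash.  Callers that ignore the
 * result still compile, but the failure then goes unnoticed, so check it.
 *
 * A zero BIGNUM encodes as zero bytes; OPENSSL_malloc(0) returns NULL, so
 * NULL is only treated as a failure when memory was actually requested.
 *
 * NOTE(review): SHA-1 is not collision resistant any more.  For a
 * Fiat-Shamir style challenge hash a SHA-2 family digest is the
 * conservative choice; left as-is because SHA_CTX is part of the callers'
 * interface.
 */
static int hashbn(SHA_CTX *sha, const BIGNUM *bn)
{
    size_t l = BN_num_bytes(bn);
    unsigned char *bin = NULL;
    int ok = 1;

    if (l > 0) {
        bin = OPENSSL_malloc(l);
        if (bin == NULL)
            return 0;
        BN_bn2bin(bn, bin);
    }

    hashlength(sha, l);
    if (l > 0)
        ok = SHA1_Update(sha, bin, l);
    OPENSSL_free(bin);
    return ok;
}

/*
 * hashpoint - feed the uncompressed SEC1 encoding of point into the SHA-1
 * state, length-prefixed exactly like hashbn (the encoding is routed
 * through a BIGNUM by EC_POINT_point2bn and then hashed with hashbn).
 *
 * Because an uncompressed encoding starts with the non-zero byte 0x04,
 * the BIGNUM round trip reproduces the octet string byte for byte for
 * any finite point.  The point at infinity encodes as a single 0x00 byte,
 * which becomes the zero BIGNUM and is therefore hashed as length 0.
 *
 * Returns 1 on success, 0 on allocation or conversion failure; on failure
 * nothing has been fed into the hash.  The BIGNUM and BN_CTX used for the
 * conversion are always released.
 */
static int hashpoint(const EC_GROUP *group, SHA_CTX *sha, const EC_POINT *point)
{
    BIGNUM *bn = NULL;
    BN_CTX *ctx = NULL;
    int ok = 0;

    bn = BN_new();
    ctx = BN_CTX_new();
    if (bn == NULL || ctx == NULL)
        goto out;

    /* Convert EC_POINT to a number (uncompressed encoding). */
    if (EC_POINT_point2bn(group, point, POINT_CONVERSION_UNCOMPRESSED, bn, ctx) == NULL)
        goto out;

    ok = hashbn(sha, bn);

out:
    BN_CTX_free(ctx);
    BN_free(bn);
    return ok;
}

/* h=hash(g, g^r, g^x, name) */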


示例26: ec_GFp_simple_dbl

int ec_GFp_simple_dbl(const EC_GROUP * group, EC_POINT * r, const EC_POINT * a, BN_CTX * ctx){	int (*field_mul) (const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);	int (*field_sqr) (const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);	const BIGNUM *p;	BN_CTX *new_ctx = NULL;	BIGNUM *n0, *n1, *n2, *n3;	int ret = 0;	if (EC_POINT_is_at_infinity(group, a) > 0) {		BN_zero(&r->Z);		r->Z_is_one = 0;		return 1;	}	field_mul = group->meth->field_mul;	field_sqr = group->meth->field_sqr;	p = &group->field;	if (ctx == NULL) {		ctx = new_ctx = BN_CTX_new();		if (ctx == NULL)			return 0;	}	BN_CTX_start(ctx);	if ((n0 = BN_CTX_get(ctx)) == NULL)		goto err;	if ((n1 = BN_CTX_get(ctx)) == NULL)		goto err;	if ((n2 = BN_CTX_get(ctx)) == NULL)		goto err;	if ((n3 = BN_CTX_get(ctx)) == NULL)		goto err;	/*	 * Note that in this function we must not read components of 'a' once	 * we have written the corresponding components of 'r'. ('r' might	 * the same as 'a'.)	 */	/* n1 */	if (a->Z_is_one) {		if (!field_sqr(group, n0, &a->X, ctx))			goto err;		if (!BN_mod_lshift1_quick(n1, n0, p))			goto err;		if (!BN_mod_add_quick(n0, n0, n1, p))			goto err;		if (!BN_mod_add_quick(n1, n0, &group->a, p))			goto err;		/* n1 = 3 * X_a^2 + a_curve */	} else if (group->a_is_minus3) {		if (!field_sqr(group, n1, &a->Z, ctx))			goto err;		if (!BN_mod_add_quick(n0, &a->X, n1, p))			goto err;		if (!BN_mod_sub_quick(n2, &a->X, n1, p))			goto err;		if (!field_mul(group, n1, n0, n2, ctx))			goto err;		if (!BN_mod_lshift1_quick(n0, n1, p))			goto err;		if (!BN_mod_add_quick(n1, n0, n1, p))			goto err;		/*		 * n1 = 3 * (X_a + Z_a^2) * (X_a - Z_a^2) = 3 * X_a^2 - 3 *		 * Z_a^4		 */	} else {		if (!field_sqr(group, n0, &a->X, ctx))			goto err;		if (!BN_mod_lshift1_quick(n1, n0, p))			goto err;		if (!BN_mod_add_quick(n0, n0, n1, p))			goto err;		if (!field_sqr(group, n1, &a->Z, ctx))			goto err;		if (!field_sqr(group, n1, n1, ctx))			goto err;		if (!field_mul(group, n1, n1, &group->a, ctx))			goto err;	
	if (!BN_mod_add_quick(n1, n1, n0, p))			goto err;		/* n1 = 3 * X_a^2 + a_curve * Z_a^4 */	}	/* Z_r */	if (a->Z_is_one) {		if (!BN_copy(n0, &a->Y))			goto err;	} else {		if (!field_mul(group, n0, &a->Y, &a->Z, ctx))			goto err;	}	if (!BN_mod_lshift1_quick(&r->Z, n0, p))		goto err;	r->Z_is_one = 0;	/* Z_r = 2 * Y_a * Z_a */	/* n2 *///.........这里部分代码省略.........


示例27: rsa_default_private_transform

/*
 * rsa_default_private_transform - the raw RSA private-key operation.
 *
 * Interprets |in| (|len| bytes, big-endian) as an integer f, requires
 * f < n, and writes f^d mod n into |out| zero-padded on the left to
 * exactly |len| bytes (BN_bn2bin_padded), so the output length does not
 * depend on the numeric size of the result.
 *
 * Side-channel posture visible in this function:
 *  - unless RSA_FLAG_NO_BLINDING is set, f is multiplicatively blinded
 *    before and unblinded after the exponentiation (BN_BLINDING_*), so
 *    the timing of the bn arithmetic is not a function of the input;
 *  - on the non-CRT path the exponent is wrapped with BN_FLG_CONSTTIME
 *    so bn_mod_exp selects its constant-time implementation.
 * The CRT path (rsa->meth->mod_exp) is taken when RSA_FLAG_EXT_PKEY is
 * set or all five CRT components (p, q, dmp1, dmq1, iqmp) are present.
 *
 * NOTE(review): the result is not verified against the public exponent
 * before being returned, so a fault during the CRT computation would
 * yield a faulty signature (Bellcore-style attack) — confirm whether the
 * caller or rsa->meth->mod_exp provides that check.
 *
 * Returns 1 on success, 0 on failure.  Some failure paths rely on the
 * error already pushed by the callee rather than pushing their own.
 */
int rsa_default_private_transform(RSA *rsa, uint8_t *out, const uint8_t *in,
                                  size_t len) {
  BIGNUM *f, *result;
  BN_CTX *ctx = NULL;
  unsigned blinding_index = 0;
  BN_BLINDING *blinding = NULL;
  int ret = 0;

  ctx = BN_CTX_new();
  if (ctx == NULL) {
    goto err;
  }
  BN_CTX_start(ctx);
  f = BN_CTX_get(ctx);
  result = BN_CTX_get(ctx);

  if (f == NULL || result == NULL) {
    OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
    goto err;
  }

  if (BN_bin2bn(in, len, f) == NULL) {
    goto err;
  }

  /* Reject inputs outside [0, n); the result is only meaningful mod n. */
  if (BN_ucmp(f, rsa->n) >= 0) {
    /* Usually the padding functions would catch this. */
    OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
    goto err;
  }

  /* Blind f (multiply by a random r^e) so the exponentiation below does
   * not operate on attacker-chosen values; |blinding| is released at err. */
  if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
    blinding = rsa_blinding_get(rsa, &blinding_index, ctx);
    if (blinding == NULL) {
      OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
      goto err;
    }
    if (!BN_BLINDING_convert_ex(f, NULL, blinding, ctx)) {
      goto err;
    }
  }

  /* CRT path when the method or the key supports it, else plain d. */
  if ((rsa->flags & RSA_FLAG_EXT_PKEY) ||
      ((rsa->p != NULL) && (rsa->q != NULL) && (rsa->dmp1 != NULL) &&
       (rsa->dmq1 != NULL) && (rsa->iqmp != NULL))) {
    if (!rsa->meth->mod_exp(result, f, rsa, ctx)) {
      goto err;
    }
  } else {
    BIGNUM local_d;
    BIGNUM *d = NULL;

    /* Shallow alias of rsa->d carrying BN_FLG_CONSTTIME; it borrows the
     * limbs of rsa->d and must not be freed. */
    BN_init(&local_d);
    d = &local_d;
    BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);

    /* Lazily build the cached Montgomery context for n under rsa->lock. */
    if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) {
      if (BN_MONT_CTX_set_locked(&rsa->mont_n, &rsa->lock, rsa->n, ctx) ==
          NULL) {
        goto err;
      }
    }

    if (!rsa->meth->bn_mod_exp(result, f, d, rsa->n, ctx, rsa->mont_n)) {
      goto err;
    }
  }

  /* Undo the blinding: multiply by r^-1 to recover f^d mod n. */
  if (blinding) {
    if (!BN_BLINDING_invert_ex(result, NULL, blinding, ctx)) {
      goto err;
    }
  }

  /* Fixed-width output: exactly |len| bytes, left-padded with zeros. */
  if (!BN_bn2bin_padded(out, len, result)) {
    OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
    goto err;
  }

  ret = 1;

err:
  /* BN_CTX_start follows allocation immediately, so end is balanced. */
  if (ctx != NULL) {
    BN_CTX_end(ctx);
    BN_CTX_free(ctx);
  }
  if (blinding != NULL) {
    rsa_blinding_release(rsa, blinding, blinding_index);
  }
  return ret;
}


示例28: ec_GFp_simple_is_on_curve

int ec_GFp_simple_is_on_curve(const EC_GROUP * group, const EC_POINT * point, BN_CTX * ctx){	int (*field_mul) (const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);	int (*field_sqr) (const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);	const BIGNUM *p;	BN_CTX *new_ctx = NULL;	BIGNUM *rh, *tmp, *Z4, *Z6;	int ret = -1;	if (EC_POINT_is_at_infinity(group, point) > 0)		return 1;	field_mul = group->meth->field_mul;	field_sqr = group->meth->field_sqr;	p = &group->field;	if (ctx == NULL) {		ctx = new_ctx = BN_CTX_new();		if (ctx == NULL)			return -1;	}	BN_CTX_start(ctx);	if ((rh = BN_CTX_get(ctx)) == NULL)		goto err;	if ((tmp = BN_CTX_get(ctx)) == NULL)		goto err;	if ((Z4 = BN_CTX_get(ctx)) == NULL)		goto err;	if ((Z6 = BN_CTX_get(ctx)) == NULL)		goto err;	/*	 * We have a curve defined by a Weierstrass equation y^2 = x^3 + a*x	 * + b. The point to consider is given in Jacobian projective	 * coordinates where  (X, Y, Z)  represents  (x, y) = (X/Z^2, Y/Z^3).	 * Substituting this and multiplying by  Z^6  transforms the above	 * equation into Y^2 = X^3 + a*X*Z^4 + b*Z^6. To test this, we add up	 * the right-hand side in 'rh'.	 
*/	/* rh := X^2 */	if (!field_sqr(group, rh, &point->X, ctx))		goto err;	if (!point->Z_is_one) {		if (!field_sqr(group, tmp, &point->Z, ctx))			goto err;		if (!field_sqr(group, Z4, tmp, ctx))			goto err;		if (!field_mul(group, Z6, Z4, tmp, ctx))			goto err;		/* rh := (rh + a*Z^4)*X */		if (group->a_is_minus3) {			if (!BN_mod_lshift1_quick(tmp, Z4, p))				goto err;			if (!BN_mod_add_quick(tmp, tmp, Z4, p))				goto err;			if (!BN_mod_sub_quick(rh, rh, tmp, p))				goto err;			if (!field_mul(group, rh, rh, &point->X, ctx))				goto err;		} else {			if (!field_mul(group, tmp, Z4, &group->a, ctx))				goto err;			if (!BN_mod_add_quick(rh, rh, tmp, p))				goto err;			if (!field_mul(group, rh, rh, &point->X, ctx))				goto err;		}		/* rh := rh + b*Z^6 */		if (!field_mul(group, tmp, &group->b, Z6, ctx))			goto err;		if (!BN_mod_add_quick(rh, rh, tmp, p))			goto err;	} else {		/* point->Z_is_one */		/* rh := (rh + a)*X */		if (!BN_mod_add_quick(rh, rh, &group->a, p))			goto err;		if (!field_mul(group, rh, rh, &point->X, ctx))			goto err;		/* rh := rh + b */		if (!BN_mod_add_quick(rh, rh, &group->b, p))			goto err;	}	/* 'lh' := Y^2 */	if (!field_sqr(group, tmp, &point->Y, ctx))		goto err;	ret = (0 == BN_ucmp(tmp, rh));err:	BN_CTX_end(ctx);	BN_CTX_free(new_ctx);	return ret;//.........这里部分代码省略.........


示例29: rsa_default_multi_prime_keygen

/*
 * Generate an RSA key of roughly 'bits' bits with 'num_primes' prime factors
 * into 'rsa', using 'e_value' as the public exponent and reporting progress
 * through 'cb'.
 *
 * Return convention (from the visible portion): 'ok' starts at -1 (error)
 * and is set to 0 for the num_primes < 2 rejection, which pushes its own
 * error code.  The 'err' label and the final return are in the part of the
 * listing omitted on the source page.
 *
 * NOTE(review): the visible code copies e_value into rsa->e without
 * checking it (e.g. that it is odd and > 1); the only guard is the
 * gcd(p - 1, e) == 1 loop below.  Confirm the omitted tail or the caller
 * validates e.
 */
int rsa_default_multi_prime_keygen(RSA *rsa, int bits, int num_primes,
                                   BIGNUM *e_value, BN_GENCB *cb) {
  BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp;
  /* local_*, pr0, d, p, r3, tmp and j are not used in the visible portion;
   * presumably they serve the CRT computations in the omitted tail. */
  BIGNUM local_r0, local_d, local_p;
  BIGNUM *pr0, *d, *p;
  int prime_bits, ok = -1, n = 0, i, j;
  BN_CTX *ctx = NULL;
  STACK_OF(RSA_additional_prime) *additional_primes = NULL;

  if (num_primes < 2) {
    ok = 0; /* we set our own err */
    OPENSSL_PUT_ERROR(RSA, RSA_R_MUST_HAVE_AT_LEAST_TWO_PRIMES);
    goto err;
  }

  /* Scratch bignums r0..r3 live in the ctx and are released at 'err'. */
  ctx = BN_CTX_new();
  if (ctx == NULL) {
    goto err;
  }
  BN_CTX_start(ctx);
  r0 = BN_CTX_get(ctx);
  r1 = BN_CTX_get(ctx);
  r2 = BN_CTX_get(ctx);
  r3 = BN_CTX_get(ctx);
  if (r0 == NULL || r1 == NULL || r2 == NULL || r3 == NULL) {
    goto err;
  }

  /* Primes beyond p and q are kept in a stack of RSA_additional_prime. */
  if (num_primes > 2) {
    additional_primes = sk_RSA_additional_prime_new_null();
    if (additional_primes == NULL) {
      goto err;
    }
  }

  for (i = 2; i < num_primes; i++) {
    RSA_additional_prime *ap = OPENSSL_malloc(sizeof(RSA_additional_prime));
    if (ap == NULL) {
      goto err;
    }
    /* Zero first so that RSA_additional_prime_free on a partially built
     * entry (some BN_new() failed) presumably sees NULL members. */
    memset(ap, 0, sizeof(RSA_additional_prime));
    ap->prime = BN_new();
    ap->exp = BN_new();
    ap->coeff = BN_new();
    ap->r = BN_new();
    if (ap->prime == NULL ||
        ap->exp == NULL ||
        ap->coeff == NULL ||
        ap->r == NULL ||
        !sk_RSA_additional_prime_push(additional_primes, ap)) {
      /* 'ap' is freed here because it is not (or not reliably) owned by the stack yet. */
      RSA_additional_prime_free(ap);
      goto err;
    }
  }

  /* We need the RSA components non-NULL */
  if (!rsa->n && ((rsa->n = BN_new()) == NULL)) {
    goto err;
  }
  if (!rsa->d && ((rsa->d = BN_new()) == NULL)) {
    goto err;
  }
  if (!rsa->e && ((rsa->e = BN_new()) == NULL)) {
    goto err;
  }
  if (!rsa->p && ((rsa->p = BN_new()) == NULL)) {
    goto err;
  }
  if (!rsa->q && ((rsa->q = BN_new()) == NULL)) {
    goto err;
  }
  if (!rsa->dmp1 && ((rsa->dmp1 = BN_new()) == NULL)) {
    goto err;
  }
  if (!rsa->dmq1 && ((rsa->dmq1 = BN_new()) == NULL)) {
    goto err;
  }
  if (!rsa->iqmp && ((rsa->iqmp = BN_new()) == NULL)) {
    goto err;
  }

  if (!BN_copy(rsa->e, e_value)) {
    goto err;
  }

  /* generate p and q */
  /* Each prime gets ceil(bits / num_primes) bits. */
  prime_bits = (bits + (num_primes - 1)) / num_primes;
  for (;;) {
    /*
     * Draw a candidate p (not a safe prime: safe=0, no add/rem
     * constraint) and keep it only if gcd(p - 1, e) == 1, so that e is
     * invertible modulo p - 1; otherwise report the retry via cb and
     * try again.
     */
    if (!BN_generate_prime_ex(rsa->p, prime_bits, 0, NULL, NULL, cb) ||
        !BN_sub(r2, rsa->p, BN_value_one()) ||
        !BN_gcd(r1, r2, rsa->e, ctx)) {
      goto err;
    }
    if (BN_is_one(r1)) {
      break;
    }
    if (!BN_GENCB_call(cb, 2, n++)) {
      goto err;
    }
  }
/* ......... remainder of the function (q, additional primes, CRT values, 'err' cleanup) omitted on the source page ......... */
开发者ID:aaapei,项目名称:libquic,代码行数:101,


示例30: RSA_eay_public_decrypt

/* signature verification */
/*
 * RSA public-key operation used for signature verification: recover the
 * padded message from a signature 'from' of 'flen' bytes, strip the
 * padding according to 'padding', and write the result to 'to'.
 *
 * Returns the number of recovered bytes, or -1 on error (bad key
 * parameters, allocation failure, input out of range, unknown or
 * failed padding check).  The 'err' cleanup shown here is only the
 * beginning of the epilogue; the source page omits the rest of the
 * function, including the release of 'buf' and the final return.
 */
static int
RSA_eay_public_decrypt(int flen, const unsigned char *from, unsigned char *to,
    RSA *rsa, int padding)
{
	BIGNUM *f, *ret;
	int i, num = 0, r = -1;	/* r is the result; -1 until a padding check succeeds */
	unsigned char *p;
	unsigned char *buf = NULL;
	BN_CTX *ctx = NULL;

	/*
	 * Sanity limits on the public key before any expensive arithmetic:
	 * a bounded modulus, e < n, and (for large moduli) a bounded public
	 * exponent.  These cap the work a supplied key can force here.
	 */
	if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE);
		return -1;
	}

	if (BN_ucmp(rsa->n, rsa->e) <= 0) {
		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
		return -1;
	}

	/* for large moduli, enforce exponent limit */
	if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) {
		if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) {
			RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
			return -1;
		}
	}

	if ((ctx = BN_CTX_new()) == NULL)
		goto err;
	BN_CTX_start(ctx);
	f = BN_CTX_get(ctx);
	ret = BN_CTX_get(ctx);
	/* 'buf' holds the big-endian encoding of the recovered value; sized to the modulus. */
	num = BN_num_bytes(rsa->n);
	buf = malloc(num);
	if (!f || !ret || !buf) {
		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, ERR_R_MALLOC_FAILURE);
		goto err;
	}

	/* This check was for equality but PGP does evil things
	 * and chops off the top '0' bytes */
	if (flen > num) {
		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,
		    RSA_R_DATA_GREATER_THAN_MOD_LEN);
		goto err;
	}

	if (BN_bin2bn(from, flen, f) == NULL)
		goto err;

	/* The input must be a residue modulo n. */
	if (BN_ucmp(f, rsa->n) >= 0) {
		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,
		    RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
		goto err;
	}

	/* Optionally cache the Montgomery context for n on the RSA object. */
	if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
		if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
		    CRYPTO_LOCK_RSA, rsa->n, ctx))
			goto err;

	/* ret := f^e mod n */
	if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx,
	    rsa->_method_mod_n))
		goto err;

	/*
	 * X9.31 allows the signer to emit the smaller of s and n - s; if
	 * the low nibble is not the 0xC trailer, take the other
	 * representative.  (Reads the bignum's limb array directly.)
	 */
	if (padding == RSA_X931_PADDING && (ret->d[0] & 0xf) != 12)
		if (!BN_sub(ret, rsa->n, ret))
			goto err;

	p = buf;
	i = BN_bn2bin(ret, p);	/* i = number of bytes written, without leading zeros */

	/* Each padding checker receives the recovered bytes and the modulus length. */
	switch (padding) {
	case RSA_PKCS1_PADDING:
		r = RSA_padding_check_PKCS1_type_1(to, num, buf, i, num);
		break;
	case RSA_X931_PADDING:
		r = RSA_padding_check_X931(to, num, buf, i, num);
		break;
	case RSA_NO_PADDING:
		r = RSA_padding_check_none(to, num, buf, i, num);
		break;
	default:
		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,
		    RSA_R_UNKNOWN_PADDING_TYPE);
		goto err;
	}
	if (r < 0)
		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,
		    RSA_R_PADDING_CHECK_FAILED);

err:
	/* ctx is NULL on the early-return paths above, so this guard is needed. */
	if (ctx != NULL) {
		BN_CTX_end(ctx);
		BN_CTX_free(ctx);
	}
	/* NOTE(review): 'buf' is still allocated at this point; its release belongs
	 * to the part of the epilogue omitted on the source page -- confirm there. */
/* ......... remainder of the function omitted on the source page ......... */
开发者ID:mosconi,项目名称:openbsd,代码行数:101,



注:本文中的BN_CTX_new函数示例整理自Github/MSDocs等源码及文档管理平台,相关代码片段筛选自各路编程大神贡献的开源项目,源码版权归原作者所有,传播和使用请参考对应项目的License;未经允许,请勿转载。

