自学教程：C++ BN_cmp函数代码示例

RSA *RSA_generate_key(int bits, unsigned long e_value,	     void (*callback)(int,int,void *), void *cb_arg)	{	RSA *rsa=NULL;	BIGNUM *r0=NULL,*r1=NULL,*r2=NULL,*r3=NULL,*tmp;	int bitsp,bitsq,ok= -1,n=0;	unsigned i;	BN_CTX *ctx=NULL,*ctx2=NULL;	ctx=BN_CTX_new();	if (ctx == NULL) goto err;	ctx2=BN_CTX_new();	if (ctx2 == NULL) goto err;	BN_CTX_start(ctx);	r0 = BN_CTX_get(ctx);	r1 = BN_CTX_get(ctx);	r2 = BN_CTX_get(ctx);	r3 = BN_CTX_get(ctx);	if (r3 == NULL) goto err;	bitsp=(bits+1)/2;	bitsq=bits-bitsp;	rsa=RSA_new();	if (rsa == NULL) goto err;	/* set e */ 	rsa->e=BN_new();	if (rsa->e == NULL) goto err;#if 1	/* The problem is when building with 8, 16, or 32 BN_ULONG,	 * unsigned long can be larger */	for (i=0; i<sizeof(unsigned long)*8; i++)		{		if (e_value & (((unsigned long)1)<<i))			BN_set_bit(rsa->e,i);		}#else	if (!BN_set_word(rsa->e,e_value)) goto err;#endif	/* generate p and q */	for (;;)		{		rsa->p=BN_generate_prime(NULL,bitsp,0,NULL,NULL,callback,cb_arg);		if (rsa->p == NULL) goto err;		if (!BN_sub(r2,rsa->p,BN_value_one())) goto err;		if (!BN_gcd(r1,r2,rsa->e,ctx)) goto err;		if (BN_is_one(r1)) break;		if (callback != NULL) callback(2,n++,cb_arg);		BN_free(rsa->p);		}	if (callback != NULL) callback(3,0,cb_arg);	for (;;)		{		rsa->q=BN_generate_prime(NULL,bitsq,0,NULL,NULL,callback,cb_arg);		if (rsa->q == NULL) goto err;		if (!BN_sub(r2,rsa->q,BN_value_one())) goto err;		if (!BN_gcd(r1,r2,rsa->e,ctx)) goto err;		if (BN_is_one(r1) && (BN_cmp(rsa->p,rsa->q) != 0))			break;		if (callback != NULL) callback(2,n++,cb_arg);		BN_free(rsa->q);		}	if (callback != NULL) callback(3,1,cb_arg);	if (BN_cmp(rsa->p,rsa->q) < 0)		{		tmp=rsa->p;		rsa->p=rsa->q;		rsa->q=tmp;		}	/* calculate n */	rsa->n=BN_new();	if (rsa->n == NULL) goto err;	if (!BN_mul(rsa->n,rsa->p,rsa->q,ctx)) goto err;	/* calculate d */	if (!BN_sub(r1,rsa->p,BN_value_one())) goto err;	/* p-1 */	if (!BN_sub(r2,rsa->q,BN_value_one())) goto err;	/* q-1 */	if (!BN_mul(r0,r1,r2,ctx)) goto err;	/* (p-1)(q-1) *//* should not be needed, since gcd(p-1,e) == 1 and gcd(q-1,e) == 1 *//*	for (;;)		{		if (!BN_gcd(r3,r0,rsa->e,ctx)) goto err;		if (BN_is_one(r3)) break;		if (1)			{			if (!BN_add_word(rsa->e,2L)) goto err;			continue;			}		RSAerr(RSA_F_RSA_GENERATE_KEY,RSA_R_BAD_E_VALUE);		goto err;		}*/	rsa->d=BN_mod_inverse(NULL,rsa->e,r0,ctx2);	/* d */	if (rsa->d == NULL) goto err;//.........这里部分代码省略.........

int ec_GFp_simple_cmp(const EC_GROUP *group, const EC_POINT *a,                      const EC_POINT *b, BN_CTX *ctx) {  /* return values:   *  -1   error   *   0   equal (in affine coordinates)   *   1   not equal   */  int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *,                   BN_CTX *);  int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);  BN_CTX *new_ctx = NULL;  BIGNUM *tmp1, *tmp2, *Za23, *Zb23;  const BIGNUM *tmp1_, *tmp2_;  int ret = -1;  if (EC_POINT_is_at_infinity(group, a)) {    return EC_POINT_is_at_infinity(group, b) ? 0 : 1;  }  if (EC_POINT_is_at_infinity(group, b)) {    return 1;  }  int a_Z_is_one = BN_cmp(&a->Z, &group->one) == 0;  int b_Z_is_one = BN_cmp(&b->Z, &group->one) == 0;  if (a_Z_is_one && b_Z_is_one) {    return ((BN_cmp(&a->X, &b->X) == 0) && BN_cmp(&a->Y, &b->Y) == 0) ? 0 : 1;  }  field_mul = group->meth->field_mul;  field_sqr = group->meth->field_sqr;  if (ctx == NULL) {    ctx = new_ctx = BN_CTX_new();    if (ctx == NULL) {      return -1;    }  }  BN_CTX_start(ctx);  tmp1 = BN_CTX_get(ctx);  tmp2 = BN_CTX_get(ctx);  Za23 = BN_CTX_get(ctx);  Zb23 = BN_CTX_get(ctx);  if (Zb23 == NULL) {    goto end;  }  /* We have to decide whether   *     (X_a/Z_a^2, Y_a/Z_a^3) = (X_b/Z_b^2, Y_b/Z_b^3),   * or equivalently, whether   *     (X_a*Z_b^2, Y_a*Z_b^3) = (X_b*Z_a^2, Y_b*Z_a^3).   */  if (!b_Z_is_one) {    if (!field_sqr(group, Zb23, &b->Z, ctx) ||        !field_mul(group, tmp1, &a->X, Zb23, ctx)) {      goto end;    }    tmp1_ = tmp1;  } else {    tmp1_ = &a->X;  }  if (!a_Z_is_one) {    if (!field_sqr(group, Za23, &a->Z, ctx) ||        !field_mul(group, tmp2, &b->X, Za23, ctx)) {      goto end;    }    tmp2_ = tmp2;  } else {    tmp2_ = &b->X;  }  /* compare  X_a*Z_b^2  with  X_b*Z_a^2 */  if (BN_cmp(tmp1_, tmp2_) != 0) {    ret = 1; /* points differ */    goto end;  }  if (!b_Z_is_one) {    if (!field_mul(group, Zb23, Zb23, &b->Z, ctx) ||        !field_mul(group, tmp1, &a->Y, Zb23, ctx)) {      goto end;    }    /* tmp1_ = tmp1 */  } else {    tmp1_ = &a->Y;  }  if (!a_Z_is_one) {    if (!field_mul(group, Za23, Za23, &a->Z, ctx) ||        !field_mul(group, tmp2, &b->Y, Za23, ctx)) {      goto end;    }    /* tmp2_ = tmp2 */  } else {    tmp2_ = &b->Y;  }//.........这里部分代码省略.........

//.........这里部分代码省略.........			/* step 7 */			if (!BN_zero(W)) goto err;			/* now 'buf' contains "SEED + offset - 1" */			for (k=0; k<=n; k++)				{				/* obtain "SEED + offset + k" by incrementing: */				for (i=SHA_DIGEST_LENGTH-1; i >= 0; i--)					{					buf[i]++;					if (buf[i] != 0) break;					}				EVP_Digest(buf,SHA_DIGEST_LENGTH,md,NULL,HASH, NULL);				/* step 8 */				if (!BN_bin2bn(md,SHA_DIGEST_LENGTH,r0))					goto err;				if (!BN_lshift(r0,r0,160*k)) goto err;				if (!BN_add(W,W,r0)) goto err;				}			/* more of step 8 */			if (!BN_mask_bits(W,bits-1)) goto err;			if (!BN_copy(X,W)) goto err;			if (!BN_add(X,X,test)) goto err;			/* step 9 */			if (!BN_lshift1(r0,q)) goto err;			if (!BN_mod(c,X,r0,ctx)) goto err;			if (!BN_sub(r0,c,BN_value_one())) goto err;			if (!BN_sub(p,X,r0)) goto err;			/* step 10 */			if (BN_cmp(p,test) >= 0)				{				/* step 11 */				r = BN_is_prime_fasttest(p, DSS_prime_checks, callback, ctx3, cb_arg, 1);				if (r > 0)						goto end; /* found it */				if (r != 0)					goto err;				}			/* step 13 */			counter++;			/* "offset = offset + n + 1" */			/* step 14 */			if (counter >= 4096) break;			}		}end:	if (callback != NULL) callback(2,1,cb_arg);	/* We now need to generate g */	/* Set r0=(p-1)/q */	if (!BN_sub(test,p,BN_value_one())) goto err;	if (!BN_div(r0,NULL,test,q,ctx)) goto err;	if (!BN_set_word(test,h)) goto err;	if (!BN_MONT_CTX_set(mont,p,ctx)) goto err;	for (;;)		{		/* g=test^r0%p */		if (!BN_mod_exp_mont(g,test,r0,p,ctx,mont)) goto err;

int ec_GFp_simple_group_set_curve(EC_GROUP *group, const BIGNUM *p,                                  const BIGNUM *a, const BIGNUM *b,                                  BN_CTX *ctx) {  int ret = 0;  BN_CTX *new_ctx = NULL;  BIGNUM *tmp_a;  /* p must be a prime > 3 */  if (BN_num_bits(p) <= 2 || !BN_is_odd(p)) {    OPENSSL_PUT_ERROR(EC, EC_R_INVALID_FIELD);    return 0;  }  if (ctx == NULL) {    ctx = new_ctx = BN_CTX_new();    if (ctx == NULL) {      return 0;    }  }  BN_CTX_start(ctx);  tmp_a = BN_CTX_get(ctx);  if (tmp_a == NULL) {    goto err;  }  /* group->field */  if (!BN_copy(&group->field, p)) {    goto err;  }  BN_set_negative(&group->field, 0);  /* group->a */  if (!BN_nnmod(tmp_a, a, p, ctx)) {    goto err;  }  if (group->meth->field_encode) {    if (!group->meth->field_encode(group, &group->a, tmp_a, ctx)) {      goto err;    }  } else if (!BN_copy(&group->a, tmp_a)) {    goto err;  }  /* group->b */  if (!BN_nnmod(&group->b, b, p, ctx)) {    goto err;  }  if (group->meth->field_encode &&      !group->meth->field_encode(group, &group->b, &group->b, ctx)) {    goto err;  }  /* group->a_is_minus3 */  if (!BN_add_word(tmp_a, 3)) {    goto err;  }  group->a_is_minus3 = (0 == BN_cmp(tmp_a, &group->field));  if (group->meth->field_encode != NULL) {    if (!group->meth->field_encode(group, &group->one, BN_value_one(), ctx)) {      goto err;    }  } else if (!BN_copy(&group->one, BN_value_one())) {    goto err;  }  ret = 1;err:  BN_CTX_end(ctx);  BN_CTX_free(new_ctx);  return ret;}

int ec_GFp_simple_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,                      BN_CTX *ctx) {  int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *,                   BN_CTX *);  int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);  const BIGNUM *p;  BN_CTX *new_ctx = NULL;  BIGNUM *n0, *n1, *n2, *n3;  int ret = 0;  if (EC_POINT_is_at_infinity(group, a)) {    BN_zero(&r->Z);    return 1;  }  field_mul = group->meth->field_mul;  field_sqr = group->meth->field_sqr;  p = &group->field;  if (ctx == NULL) {    ctx = new_ctx = BN_CTX_new();    if (ctx == NULL) {      return 0;    }  }  BN_CTX_start(ctx);  n0 = BN_CTX_get(ctx);  n1 = BN_CTX_get(ctx);  n2 = BN_CTX_get(ctx);  n3 = BN_CTX_get(ctx);  if (n3 == NULL) {    goto err;  }  /* Note that in this function we must not read components of 'a'   * once we have written the corresponding components of 'r'.   * ('r' might the same as 'a'.)   */  /* n1 */  if (BN_cmp(&a->Z, &group->one) == 0) {    if (!field_sqr(group, n0, &a->X, ctx) ||        !BN_mod_lshift1_quick(n1, n0, p) ||        !BN_mod_add_quick(n0, n0, n1, p) ||        !BN_mod_add_quick(n1, n0, &group->a, p)) {      goto err;    }    /* n1 = 3 * X_a^2 + a_curve */  } else if (group->a_is_minus3) {    if (!field_sqr(group, n1, &a->Z, ctx) ||        !BN_mod_add_quick(n0, &a->X, n1, p) ||        !BN_mod_sub_quick(n2, &a->X, n1, p) ||        !field_mul(group, n1, n0, n2, ctx) ||        !BN_mod_lshift1_quick(n0, n1, p) ||        !BN_mod_add_quick(n1, n0, n1, p)) {      goto err;    }    /* n1 = 3 * (X_a + Z_a^2) * (X_a - Z_a^2)     *    = 3 * X_a^2 - 3 * Z_a^4 */  } else {    if (!field_sqr(group, n0, &a->X, ctx) ||        !BN_mod_lshift1_quick(n1, n0, p) ||        !BN_mod_add_quick(n0, n0, n1, p) ||        !field_sqr(group, n1, &a->Z, ctx) ||        !field_sqr(group, n1, n1, ctx) ||        !field_mul(group, n1, n1, &group->a, ctx) ||        !BN_mod_add_quick(n1, n1, n0, p)) {      goto err;    }    /* n1 = 3 * X_a^2 + a_curve * Z_a^4 */  }  /* Z_r */  if (BN_cmp(&a->Z, &group->one) == 0) {    if (!BN_copy(n0, &a->Y)) {      goto err;    }  } else if (!field_mul(group, n0, &a->Y, &a->Z, ctx)) {    goto err;  }  if (!BN_mod_lshift1_quick(&r->Z, n0, p)) {    goto err;  }  /* Z_r = 2 * Y_a * Z_a */  /* n2 */  if (!field_sqr(group, n3, &a->Y, ctx) ||      !field_mul(group, n2, &a->X, n3, ctx) ||      !BN_mod_lshift_quick(n2, n2, 2, p)) {    goto err;  }  /* n2 = 4 * X_a * Y_a^2 */  /* X_r */  if (!BN_mod_lshift1_quick(n0, n2, p) ||      !field_sqr(group, &r->X, n1, ctx) ||      !BN_mod_sub_quick(&r->X, &r->X, n0, p)) {    goto err;  }//.........这里部分代码省略.........

/* some tests from the X9.62 draft */int x9_62_test_internal(BIO *out, int nid, const char *r_in, const char *s_in){    int ret = 0;    const char message[] = "abc";    unsigned char digest[20];    unsigned int dgst_len = 0;    EVP_MD_CTX md_ctx;    EC_KEY *key = NULL;    ECDSA_SIG *signature = NULL;    BIGNUM *r = NULL, *s = NULL;    BIGNUM *kinv = NULL, *rp = NULL;    EVP_MD_CTX_init(&md_ctx);    /* get the message digest */    if (!EVP_DigestInit(&md_ctx, EVP_ecdsa())        || !EVP_DigestUpdate(&md_ctx, (const void *)message, 3)        || !EVP_DigestFinal(&md_ctx, digest, &dgst_len))        goto x962_int_err;    BIO_printf(out, "testing %s: ", OBJ_nid2sn(nid));    /* create the key */    if ((key = EC_KEY_new_by_curve_name(nid)) == NULL)        goto x962_int_err;    use_fake = 1;    if (!EC_KEY_generate_key(key))        goto x962_int_err;    BIO_printf(out, ".");    (void)BIO_flush(out);    /* create the signature */    use_fake = 1;    /* Use ECDSA_sign_setup to avoid use of ECDSA nonces */    if (!ECDSA_sign_setup(key, NULL, &kinv, &rp))        goto x962_int_err;    signature = ECDSA_do_sign_ex(digest, 20, kinv, rp, key);    if (signature == NULL)        goto x962_int_err;    BIO_printf(out, ".");    (void)BIO_flush(out);    /* compare the created signature with the expected signature */    if ((r = BN_new()) == NULL || (s = BN_new()) == NULL)        goto x962_int_err;    if (!BN_dec2bn(&r, r_in) || !BN_dec2bn(&s, s_in))        goto x962_int_err;    if (BN_cmp(signature->r, r) || BN_cmp(signature->s, s))        goto x962_int_err;    BIO_printf(out, ".");    (void)BIO_flush(out);    /* verify the signature */    if (ECDSA_do_verify(digest, 20, signature, key) != 1)        goto x962_int_err;    BIO_printf(out, ".");    (void)BIO_flush(out);    BIO_printf(out, " ok/n");    ret = 1; x962_int_err:    if (!ret)        BIO_printf(out, " failed/n");    EC_KEY_free(key);    ECDSA_SIG_free(signature);    BN_free(r);    BN_free(s);    EVP_MD_CTX_cleanup(&md_ctx);    BN_clear_free(kinv);    BN_clear_free(rp);    return ret;}

static int run_srp(const char *username, const char *client_pass,                   const char *server_pass){    int ret = -1;    BIGNUM *s = NULL;    BIGNUM *v = NULL;    BIGNUM *a = NULL;    BIGNUM *b = NULL;    BIGNUM *u = NULL;    BIGNUM *x = NULL;    BIGNUM *Apub = NULL;    BIGNUM *Bpub = NULL;    BIGNUM *Kclient = NULL;    BIGNUM *Kserver = NULL;    unsigned char rand_tmp[RANDOM_SIZE];    /* use builtin 1024-bit params */    const SRP_gN *GN = SRP_get_default_gN("1024");    if (GN == NULL) {        fprintf(stderr, "Failed to get SRP parameters/n");        return -1;    }    /* Set up server's password entry */    if (!SRP_create_verifier_BN(username, server_pass, &s, &v, GN->N, GN->g)) {        fprintf(stderr, "Failed to create SRP verifier/n");        return -1;    }    showbn("N", GN->N);    showbn("g", GN->g);    showbn("Salt", s);    showbn("Verifier", v);    /* Server random */    RAND_bytes(rand_tmp, sizeof(rand_tmp));    b = BN_bin2bn(rand_tmp, sizeof(rand_tmp), NULL);    /* TODO - check b != 0 */    showbn("b", b);    /* Server's first message */    Bpub = SRP_Calc_B(b, GN->N, GN->g, v);    showbn("B", Bpub);    if (!SRP_Verify_B_mod_N(Bpub, GN->N)) {        fprintf(stderr, "Invalid B/n");        return -1;    }    /* Client random */    RAND_bytes(rand_tmp, sizeof(rand_tmp));    a = BN_bin2bn(rand_tmp, sizeof(rand_tmp), NULL);    /* TODO - check a != 0 */    showbn("a", a);    /* Client's response */    Apub = SRP_Calc_A(a, GN->N, GN->g);    showbn("A", Apub);    if (!SRP_Verify_A_mod_N(Apub, GN->N)) {        fprintf(stderr, "Invalid A/n");        return -1;    }    /* Both sides calculate u */    u = SRP_Calc_u(Apub, Bpub, GN->N);    /* Client's key */    x = SRP_Calc_x(s, username, client_pass);    Kclient = SRP_Calc_client_key(GN->N, Bpub, GN->g, x, a, u);    showbn("Client's key", Kclient);    /* Server's key */    Kserver = SRP_Calc_server_key(Apub, v, u, b, GN->N);    showbn("Server's key", Kserver);    if (BN_cmp(Kclient, Kserver) == 0) {        ret = 0;    } else {        fprintf(stderr, "Keys mismatch/n");        ret = 1;    }    BN_clear_free(Kclient);    BN_clear_free(Kserver);    BN_clear_free(x);    BN_free(u);    BN_free(Apub);    BN_clear_free(a);    BN_free(Bpub);    BN_clear_free(b);    BN_free(s);    BN_clear_free(v);    return ret;}

int main(int argc, char *argv[]){    BN_CTX *ctx;    BIO *out = NULL;    int i, ret;    unsigned char c;    BIGNUM *r_mont, *r_mont_const, *r_recp, *r_simple, *a, *b, *m;    RAND_seed(rnd_seed, sizeof rnd_seed); /* or BN_rand may fail, and we                                           * don't even check its return                                           * value (which we should) */    ERR_load_BN_strings();    ctx = BN_CTX_new();    if (ctx == NULL)        EXIT(1);    r_mont = BN_new();    r_mont_const = BN_new();    r_recp = BN_new();    r_simple = BN_new();    a = BN_new();    b = BN_new();    m = BN_new();    if ((r_mont == NULL) || (r_recp == NULL) || (a == NULL) || (b == NULL))        goto err;    out = BIO_new(BIO_s_file());    if (out == NULL)        EXIT(1);    BIO_set_fp(out, stdout, BIO_NOCLOSE);    for (i = 0; i < 200; i++) {        RAND_bytes(&c, 1);        c = (c % BN_BITS) - BN_BITS2;        BN_rand(a, NUM_BITS + c, 0, 0);        RAND_bytes(&c, 1);        c = (c % BN_BITS) - BN_BITS2;        BN_rand(b, NUM_BITS + c, 0, 0);        RAND_bytes(&c, 1);        c = (c % BN_BITS) - BN_BITS2;        BN_rand(m, NUM_BITS + c, 0, 1);        BN_mod(a, a, m, ctx);        BN_mod(b, b, m, ctx);        ret = BN_mod_exp_mont(r_mont, a, b, m, ctx, NULL);        if (ret <= 0) {            printf("BN_mod_exp_mont() problems/n");            ERR_print_errors(out);            EXIT(1);        }        ret = BN_mod_exp_recp(r_recp, a, b, m, ctx);        if (ret <= 0) {            printf("BN_mod_exp_recp() problems/n");            ERR_print_errors(out);            EXIT(1);        }        ret = BN_mod_exp_simple(r_simple, a, b, m, ctx);        if (ret <= 0) {            printf("BN_mod_exp_simple() problems/n");            ERR_print_errors(out);            EXIT(1);        }        ret = BN_mod_exp_mont_consttime(r_mont_const, a, b, m, ctx, NULL);        if (ret <= 0) {            printf("BN_mod_exp_mont_consttime() problems/n");            ERR_print_errors(out);            EXIT(1);        }        if (BN_cmp(r_simple, r_mont) == 0            && BN_cmp(r_simple, r_recp) == 0            && BN_cmp(r_simple, r_mont_const) == 0) {            printf(".");            fflush(stdout);        } else {            if (BN_cmp(r_simple, r_mont) != 0)                printf("/nsimple and mont results differ/n");            if (BN_cmp(r_simple, r_mont_const) != 0)                printf("/nsimple and mont const time results differ/n");            if (BN_cmp(r_simple, r_recp) != 0)                printf("/nsimple and recp results differ/n");            printf("a (%3d) = ", BN_num_bits(a));            BN_print(out, a);            printf("/nb (%3d) = ", BN_num_bits(b));            BN_print(out, b);            printf("/nm (%3d) = ", BN_num_bits(m));            BN_print(out, m);            printf("/nsimple   =");            BN_print(out, r_simple);            printf("/nrecp     =");            BN_print(out, r_recp);//.........这里部分代码省略.........

/* * Generate Schnorr signature to prove knowledge of private value 'x' used * in public exponent g^x, under group defined by 'grp_p', 'grp_q' and 'grp_g' * using the hash function "hash_alg". * 'idlen' bytes from 'id' will be included in the signature hash as an anti- * replay salt. *  * On success, 0 is returned. The signature values are returned as *e_p * (g^v mod p) and *r_p (v - xh mod q). The caller must free these values. * On failure, -1 is returned. */intschnorr_sign(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g,    int hash_alg, const BIGNUM *x, const BIGNUM *g_x,    const u_char *id, u_int idlen, BIGNUM **r_p, BIGNUM **e_p){	int success = -1;	BIGNUM *h, *tmp, *v, *g_v, *r;	BN_CTX *bn_ctx;	SCHNORR_DEBUG_BN((x, "%s: x = ", __func__));	SCHNORR_DEBUG_BN((g_x, "%s: g_x = ", __func__));	/* Avoid degenerate cases: g^0 yields a spoofable signature */	if (BN_cmp(g_x, BN_value_one()) <= 0) {		error("%s: g_x < 1", __func__);		return -1;	}	if (BN_cmp(g_x, grp_p) >= 0) {		error("%s: g_x > g", __func__);		return -1;	}	h = g_v = r = tmp = v = NULL;	if ((bn_ctx = BN_CTX_new()) == NULL) {		error("%s: BN_CTX_new", __func__);		goto out;	}	if ((g_v = BN_new()) == NULL ||	    (r = BN_new()) == NULL ||	    (tmp = BN_new()) == NULL) {		error("%s: BN_new", __func__);		goto out;	}	/*	 * v must be a random element of Zq, so 1 <= v < q	 * we also exclude v = 1, since g^1 looks dangerous	 */	if ((v = bn_rand_range_gt_one(grp_p)) == NULL) {		error("%s: bn_rand_range2", __func__);		goto out;	}	SCHNORR_DEBUG_BN((v, "%s: v = ", __func__));	/* g_v = g^v mod p */	if (BN_mod_exp(g_v, grp_g, v, grp_p, bn_ctx) == -1) {		error("%s: BN_mod_exp (g^v mod p)", __func__);		goto out;	}	SCHNORR_DEBUG_BN((g_v, "%s: g_v = ", __func__));	/* h = H(g || g^v || g^x || id) */	if ((h = schnorr_hash(grp_p, grp_q, grp_g, hash_alg, g_v, g_x,	    id, idlen)) == NULL) {		error("%s: schnorr_hash failed", __func__);		goto out;	}	/* r = v - xh mod q */	if (BN_mod_mul(tmp, x, h, grp_q, bn_ctx) == -1) {		error("%s: BN_mod_mul (tmp = xv mod q)", __func__);		goto out;	}	if (BN_mod_sub(r, v, tmp, grp_q, bn_ctx) == -1) {		error("%s: BN_mod_mul (r = v - tmp)", __func__);		goto out;	}	SCHNORR_DEBUG_BN((g_v, "%s: e = ", __func__));	SCHNORR_DEBUG_BN((r, "%s: r = ", __func__));	*e_p = g_v;	*r_p = r;	success = 0; out:	BN_CTX_free(bn_ctx);	if (h != NULL)		BN_clear_free(h);	if (v != NULL)		BN_clear_free(v);	BN_clear_free(tmp);	return success;}

static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)	{	BIGNUM *kinv=NULL,*r=NULL,*s=NULL;	BIGNUM m;	BIGNUM xr;	BN_CTX *ctx=NULL;	int i,reason=ERR_R_BN_LIB;	DSA_SIG *ret=NULL;	BN_init(&m);	BN_init(&xr);	if (!dsa->p || !dsa->q || !dsa->g)		{		reason=DSA_R_MISSING_PARAMETERS;		goto err;		}	s=BN_new();	if (s == NULL) goto err;	i=BN_num_bytes(dsa->q); /* should be 20 */	if ((dlen > i) || (dlen > 50))		{		reason=DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE;		goto err;		}	ctx=BN_CTX_new();	if (ctx == NULL) goto err;	if ((dsa->kinv == NULL) || (dsa->r == NULL))		{		if (!DSA_sign_setup(dsa,ctx,&kinv,&r)) goto err;		}	else		{		kinv=dsa->kinv;		dsa->kinv=NULL;		r=dsa->r;		dsa->r=NULL;		}	if (BN_bin2bn(dgst,dlen,&m) == NULL) goto err;	/* Compute  s = inv(k) (m + xr) mod q */	if (!BN_mod_mul(&xr,dsa->priv_key,r,dsa->q,ctx)) goto err;/* s = xr */	if (!BN_add(s, &xr, &m)) goto err;		/* s = m + xr */	if (BN_cmp(s,dsa->q) > 0)		BN_sub(s,s,dsa->q);	if (!BN_mod_mul(s,s,kinv,dsa->q,ctx)) goto err;	ret=DSA_SIG_new();	if (ret == NULL) goto err;	ret->r = r;	ret->s = s;	err:	if (!ret)		{		DSAerr(DSA_F_DSA_DO_SIGN,reason);		BN_free(r);		BN_free(s);		}	if (ctx != NULL) BN_CTX_free(ctx);	BN_clear_free(&m);	BN_clear_free(&xr);	if (kinv != NULL) /* dsa->kinv is NULL now if we used it */	    BN_clear_free(kinv);	return(ret);	}

int DH_check(const DH *dh, int *ret)	{	int ok=0;	BN_CTX *ctx=NULL;	BN_ULONG l;	BIGNUM *t1=NULL, *t2 = NULL;	*ret=0;	ctx=BN_CTX_new();	if (ctx == NULL) goto err;	BN_CTX_start(ctx);	t1=BN_CTX_get(ctx);	if (t1 == NULL) goto err;	t2=BN_CTX_get(ctx);	if (t2 == NULL) goto err;	if (dh->q)		{		if (BN_cmp(dh->g, BN_value_one()) <= 0)			*ret|=DH_NOT_SUITABLE_GENERATOR;		else if (BN_cmp(dh->g, dh->p) >= 0)			*ret|=DH_NOT_SUITABLE_GENERATOR;		else			{			/* Check g^q == 1 mod p */			if (!BN_mod_exp(t1, dh->g, dh->q, dh->p, ctx))				goto err;			if (!BN_is_one(t1))				*ret|=DH_NOT_SUITABLE_GENERATOR;			}		if (!BN_is_prime_ex(dh->q,BN_prime_checks,ctx,NULL))			*ret|=DH_CHECK_Q_NOT_PRIME;		/* Check p == 1 mod q  i.e. q divides p - 1 */		if (!BN_div(t1, t2, dh->p, dh->q, ctx))			goto err;		if (!BN_is_one(t2))			*ret|=DH_CHECK_INVALID_Q_VALUE;		if (dh->j && BN_cmp(dh->j, t1))			*ret|=DH_CHECK_INVALID_J_VALUE;					}	else if (BN_is_word(dh->g,DH_GENERATOR_2))		{		l=BN_mod_word(dh->p,24);		if (l != 11) *ret|=DH_NOT_SUITABLE_GENERATOR;		}#if 0	else if (BN_is_word(dh->g,DH_GENERATOR_3))		{		l=BN_mod_word(dh->p,12);		if (l != 5) *ret|=DH_NOT_SUITABLE_GENERATOR;		}#endif	else if (BN_is_word(dh->g,DH_GENERATOR_5))		{		l=BN_mod_word(dh->p,10);		if ((l != 3) && (l != 7))			*ret|=DH_NOT_SUITABLE_GENERATOR;		}	else		*ret|=DH_UNABLE_TO_CHECK_GENERATOR;	if (!BN_is_prime_ex(dh->p,BN_prime_checks,ctx,NULL))		*ret|=DH_CHECK_P_NOT_PRIME;	else if (!dh->q)		{		if (!BN_rshift1(t1,dh->p)) goto err;		if (!BN_is_prime_ex(t1,BN_prime_checks,ctx,NULL))			*ret|=DH_CHECK_P_NOT_SAFE_PRIME;		}	ok=1;err:	if (ctx != NULL)		{		BN_CTX_end(ctx);		BN_CTX_free(ctx);		}	return(ok);	}

//.........这里部分代码省略.........			BN_zero(ret);			err = 0;			goto end;		} else if (!BN_one(x))			goto end;	} else {		if (!BN_mod_exp(x, A, t, p, ctx))			goto end;		if (BN_is_zero(x)) {			/* special case: a == 0  (mod p) */			BN_zero(ret);			err = 0;			goto end;		}	}	/* b := a*x^2  (= a^q) */	if (!BN_mod_sqr(b, x, p, ctx))		goto end;	if (!BN_mod_mul(b, b, A, p, ctx))		goto end;	/* x := a*x    (= a^((q+1)/2)) */	if (!BN_mod_mul(x, x, A, p, ctx))		goto end;	while (1) {		/* Now  b  is  a^q * y^k  for some even  k  (0 <= k < 2^E		 * where  E  refers to the original value of  e,  which we		 * don't keep in a variable),  and  x  is  a^((q+1)/2) * y^(k/2).		 *		 * We have  a*b = x^2,		 *    y^2^(e-1) = -1,		 *    b^2^(e-1) = 1.		 */		if (BN_is_one(b)) {			if (!BN_copy(ret, x))				goto end;			err = 0;			goto vrfy;		}		/* find smallest  i  such that  b^(2^i) = 1 */		i = 1;		if (!BN_mod_sqr(t, b, p, ctx))			goto end;		while (!BN_is_one(t)) {			i++;			if (i == e) {				BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);				goto end;			}			if (!BN_mod_mul(t, t, t, p, ctx))				goto end;		}		/* t := y^2^(e - i - 1) */		if (!BN_copy(t, y))			goto end;		for (j = e - i - 1; j > 0; j--) {			if (!BN_mod_sqr(t, t, p, ctx))				goto end;		}		if (!BN_mod_mul(y, t, t, p, ctx))			goto end;		if (!BN_mod_mul(x, x, t, p, ctx))			goto end;		if (!BN_mod_mul(b, b, y, p, ctx))			goto end;		e = i;	}vrfy:	if (!err) {		/* verify the result -- the input might have been not a square		 * (test added in 0.9.8) */		if (!BN_mod_sqr(x, ret, p, ctx))			err = 1;		if (!err && 0 != BN_cmp(x, A)) {			BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);			err = 1;		}	}end:	if (err) {		if (ret != NULL && ret != in) {			BN_clear_free(ret);		}		ret = NULL;	}	BN_CTX_end(ctx);	bn_check_top(ret);	return ret;}

//.........这里部分代码省略.........  } else {    if (!BN_mod_exp_mont(x, A, t, p, ctx, NULL)) {      goto end;    }    if (BN_is_zero(x)) {      // special case: a == 0  (mod p)      BN_zero(ret);      err = 0;      goto end;    }  }  // b := a*x^2  (= a^q)  if (!BN_mod_sqr(b, x, p, ctx) ||      !BN_mod_mul(b, b, A, p, ctx)) {    goto end;  }  // x := a*x    (= a^((q+1)/2))  if (!BN_mod_mul(x, x, A, p, ctx)) {    goto end;  }  while (1) {    // Now  b  is  a^q * y^k  for some even  k  (0 <= k < 2^E    // where  E  refers to the original value of  e,  which we    // don't keep in a variable),  and  x  is  a^((q+1)/2) * y^(k/2).    //    // We have  a*b = x^2,    //    y^2^(e-1) = -1,    //    b^2^(e-1) = 1.    if (BN_is_one(b)) {      if (!BN_copy(ret, x)) {        goto end;      }      err = 0;      goto vrfy;    }    // find smallest  i  such that  b^(2^i) = 1    i = 1;    if (!BN_mod_sqr(t, b, p, ctx)) {      goto end;    }    while (!BN_is_one(t)) {      i++;      if (i == e) {        OPENSSL_PUT_ERROR(BN, BN_R_NOT_A_SQUARE);        goto end;      }      if (!BN_mod_mul(t, t, t, p, ctx)) {        goto end;      }    }    // t := y^2^(e - i - 1)    if (!BN_copy(t, y)) {      goto end;    }    for (j = e - i - 1; j > 0; j--) {      if (!BN_mod_sqr(t, t, p, ctx)) {        goto end;      }    }    if (!BN_mod_mul(y, t, t, p, ctx) ||        !BN_mod_mul(x, x, t, p, ctx) ||        !BN_mod_mul(b, b, y, p, ctx)) {      goto end;    }    e = i;  }vrfy:  if (!err) {    // verify the result -- the input might have been not a square    // (test added in 0.9.8)    if (!BN_mod_sqr(x, ret, p, ctx)) {      err = 1;    }    if (!err && 0 != BN_cmp(x, A)) {      OPENSSL_PUT_ERROR(BN, BN_R_NOT_A_SQUARE);      err = 1;    }  }end:  if (err) {    if (ret != in) {      BN_clear_free(ret);    }    ret = NULL;  }  BN_CTX_end(ctx);  return ret;}

int BN_sqrt(BIGNUM *out_sqrt, const BIGNUM *in, BN_CTX *ctx) {  BIGNUM *estimate, *tmp, *delta, *last_delta, *tmp2;  int ok = 0, last_delta_valid = 0;  if (in->neg) {    OPENSSL_PUT_ERROR(BN, BN_R_NEGATIVE_NUMBER);    return 0;  }  if (BN_is_zero(in)) {    BN_zero(out_sqrt);    return 1;  }  BN_CTX_start(ctx);  if (out_sqrt == in) {    estimate = BN_CTX_get(ctx);  } else {    estimate = out_sqrt;  }  tmp = BN_CTX_get(ctx);  last_delta = BN_CTX_get(ctx);  delta = BN_CTX_get(ctx);  if (estimate == NULL || tmp == NULL || last_delta == NULL || delta == NULL) {    OPENSSL_PUT_ERROR(BN, ERR_R_MALLOC_FAILURE);    goto err;  }  // We estimate that the square root of an n-bit number is 2^{n/2}.  if (!BN_lshift(estimate, BN_value_one(), BN_num_bits(in)/2)) {    goto err;  }  // This is Newton's method for finding a root of the equation |estimate|^2 -  // |in| = 0.  for (;;) {    // |estimate| = 1/2 * (|estimate| + |in|/|estimate|)    if (!BN_div(tmp, NULL, in, estimate, ctx) ||        !BN_add(tmp, tmp, estimate) ||        !BN_rshift1(estimate, tmp) ||        // |tmp| = |estimate|^2        !BN_sqr(tmp, estimate, ctx) ||        // |delta| = |in| - |tmp|        !BN_sub(delta, in, tmp)) {      OPENSSL_PUT_ERROR(BN, ERR_R_BN_LIB);      goto err;    }    delta->neg = 0;    // The difference between |in| and |estimate| squared is required to always    // decrease. This ensures that the loop always terminates, but I don't have    // a proof that it always finds the square root for a given square.    if (last_delta_valid && BN_cmp(delta, last_delta) >= 0) {      break;    }    last_delta_valid = 1;    tmp2 = last_delta;    last_delta = delta;    delta = tmp2;  }  if (BN_cmp(tmp, in) != 0) {    OPENSSL_PUT_ERROR(BN, BN_R_NOT_A_SQUARE);    goto err;  }  ok = 1;err:  if (ok && out_sqrt == in && !BN_copy(out_sqrt, estimate)) {    ok = 0;  }  BN_CTX_end(ctx);  return ok;}

static DSA_SIG *dsa_do_sign(const unsigned char *dgst, FIPS_DSA_SIZE_T dlen, DSA *dsa)	{	BIGNUM *kinv=NULL,*r=NULL,*s=NULL;	BIGNUM m;	BIGNUM xr;	BN_CTX *ctx=NULL;	int i,reason=ERR_R_BN_LIB;	DSA_SIG *ret=NULL;	if(FIPS_selftest_failed())	    {	    FIPSerr(FIPS_F_DSA_DO_SIGN,FIPS_R_FIPS_SELFTEST_FAILED);	    return NULL;	    }	if (FIPS_mode() && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS))		{		DSAerr(DSA_F_DSA_DO_SIGN, DSA_R_KEY_SIZE_TOO_SMALL);		return NULL;		}	BN_init(&m);	BN_init(&xr);	if (!dsa->p || !dsa->q || !dsa->g)		{		reason=DSA_R_MISSING_PARAMETERS;		goto err;		}	s=BN_new();	if (s == NULL) goto err;	i=BN_num_bytes(dsa->q); /* should be 20 */	if ((dlen > i) || (dlen > 50))		{		reason=DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE;		goto err;		}	ctx=BN_CTX_new();	if (ctx == NULL) goto err;	if (!dsa->meth->dsa_sign_setup(dsa,ctx,&kinv,&r)) goto err;	if (BN_bin2bn(dgst,dlen,&m) == NULL) goto err;	/* Compute  s = inv(k) (m + xr) mod q */	if (!BN_mod_mul(&xr,dsa->priv_key,r,dsa->q,ctx)) goto err;/* s = xr */	if (!BN_add(s, &xr, &m)) goto err;		/* s = m + xr */	if (BN_cmp(s,dsa->q) > 0)		BN_sub(s,s,dsa->q);	if (!BN_mod_mul(s,s,kinv,dsa->q,ctx)) goto err;	ret= DSA_SIG_new();	if (ret == NULL) goto err;	ret->r = r;	ret->s = s;	err:	if (!ret)		{		DSAerr(DSA_F_DSA_DO_SIGN,reason);		BN_free(r);		BN_free(s);		}	if (ctx != NULL) BN_CTX_free(ctx);	BN_clear_free(&m);	BN_clear_free(&xr);	if (kinv != NULL) /* dsa->kinv is NULL now if we used it */	    BN_clear_free(kinv);	return(ret);	}

/* * Verify Schnorr signature { r (v - xh mod q), e (g^v mod p) } against * public exponent g_x (g^x) under group defined by 'grp_p', 'grp_q' and * 'grp_g' using hash "hash_alg". * Signature hash will be salted with 'idlen' bytes from 'id'. * Returns -1 on failure, 0 on incorrect signature or 1 on matching signature. */intschnorr_verify(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g,    int hash_alg, const BIGNUM *g_x, const u_char *id, u_int idlen,    const BIGNUM *r, const BIGNUM *e){	int success = -1;	BIGNUM *h = NULL, *g_xh = NULL, *g_r = NULL, *gx_q = NULL;	BIGNUM *expected = NULL;	BN_CTX *bn_ctx;	SCHNORR_DEBUG_BN((g_x, "%s: g_x = ", __func__));	/* Avoid degenerate cases: g^0 yields a spoofable signature */	if (BN_cmp(g_x, BN_value_one()) <= 0) {		error("%s: g_x <= 1", __func__);		return -1;	}	if (BN_cmp(g_x, grp_p) >= 0) {		error("%s: g_x >= p", __func__);		return -1;	}	h = g_xh = g_r = expected = NULL;	if ((bn_ctx = BN_CTX_new()) == NULL) {		error("%s: BN_CTX_new", __func__);		goto out;	}	if ((g_xh = BN_new()) == NULL ||	    (g_r = BN_new()) == NULL ||	    (gx_q = BN_new()) == NULL ||	    (expected = BN_new()) == NULL) {		error("%s: BN_new", __func__);		goto out;	}	SCHNORR_DEBUG_BN((e, "%s: e = ", __func__));	SCHNORR_DEBUG_BN((r, "%s: r = ", __func__));	/* gx_q = (g^x)^q must === 1 mod p */	if (BN_mod_exp(gx_q, g_x, grp_q, grp_p, bn_ctx) == -1) {		error("%s: BN_mod_exp (g_x^q mod p)", __func__);		goto out;	}	if (BN_cmp(gx_q, BN_value_one()) != 0) {		error("%s: Invalid signature (g^x)^q != 1 mod p", __func__);		goto out;	}	SCHNORR_DEBUG_BN((g_xh, "%s: g_xh = ", __func__));	/* h = H(g || g^v || g^x || id) */	if ((h = schnorr_hash(grp_p, grp_q, grp_g, hash_alg, e, g_x,	    id, idlen)) == NULL) {		error("%s: schnorr_hash failed", __func__);		goto out;	}	/* g_xh = (g^x)^h */	if (BN_mod_exp(g_xh, g_x, h, grp_p, bn_ctx) == -1) {		error("%s: BN_mod_exp (g_x^h mod p)", __func__);		goto out;	}	SCHNORR_DEBUG_BN((g_xh, "%s: g_xh = ", __func__));	/* g_r = g^r */	if (BN_mod_exp(g_r, grp_g, r, grp_p, bn_ctx) == -1) {		error("%s: BN_mod_exp (g_x^h mod p)", __func__);		goto out;	}	SCHNORR_DEBUG_BN((g_r, "%s: g_r = ", __func__));	/* expected = g^r * g_xh */	if (BN_mod_mul(expected, g_r, g_xh, grp_p, bn_ctx) == -1) {		error("%s: BN_mod_mul (expected = g_r mod p)", __func__);		goto out;	}	SCHNORR_DEBUG_BN((expected, "%s: expected = ", __func__));	/* Check e == expected */	success = BN_cmp(expected, e) == 0; out:	BN_CTX_free(bn_ctx);	if (h != NULL)		BN_clear_free(h);	if (gx_q != NULL)		BN_clear_free(gx_q);	if (g_xh != NULL)		BN_clear_free(g_xh);	if (g_r != NULL)		BN_clear_free(g_r);	if (expected != NULL)		BN_clear_free(expected);	return success;}

/* * Compare two keys for equality. Return RESULT_TRUE if equal, * RESULT_FALSE otherwise. */intkn_keycompare(void *key1, void *key2, int algorithm){    DSA *p1, *p2;    RSA *p3, *p4;    struct keynote_binary *bn1, *bn2;    if ((key1 == (void *) NULL) ||	(key2 == (void *) NULL))      return RESULT_FALSE;    switch (algorithm)    {	case KEYNOTE_ALGORITHM_NONE:	    if  (!strcmp((char *) key1, (char *) key2))	      return RESULT_TRUE;	    else	      return RESULT_FALSE;	    	case KEYNOTE_ALGORITHM_DSA:	    p1 = (DSA *) key1;	    p2 = (DSA *) key2;	    if (!BN_cmp(p1->p, p2->p) &&		!BN_cmp(p1->q, p2->q) &&		!BN_cmp(p1->g, p2->g) &&		!BN_cmp(p1->pub_key, p2->pub_key))	      return RESULT_TRUE;	    else	      return RESULT_FALSE;	case KEYNOTE_ALGORITHM_X509:            p3 = (RSA *) key1;            p4 = (RSA *) key2;            if (!BN_cmp(p3->n, p4->n) &&                !BN_cmp(p3->e, p4->e))              return RESULT_TRUE;            else	      return RESULT_FALSE;	case KEYNOTE_ALGORITHM_RSA:            p3 = (RSA *) key1;            p4 = (RSA *) key2;            if (!BN_cmp(p3->n, p4->n) &&                !BN_cmp(p3->e, p4->e))              return RESULT_TRUE;            else	      return RESULT_FALSE;	case KEYNOTE_ALGORITHM_ELGAMAL:	    /* Not supported yet */	    return RESULT_FALSE;	case KEYNOTE_ALGORITHM_PGP:	    /* Not supported yet */	    return RESULT_FALSE;	case KEYNOTE_ALGORITHM_BINARY:	    bn1 = (struct keynote_binary *) key1;	    bn2 = (struct keynote_binary *) key2;	    if ((bn1->bn_len == bn2->bn_len) &&		!memcmp(bn1->bn_key, bn2->bn_key, bn1->bn_len))	      return RESULT_TRUE;	    else	      return RESULT_FALSE;	default:	    return RESULT_FALSE;    }}

intauth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey){	char *file;	u_int i, allowed = 0; 	temporarily_use_uid(pw);#ifdef WITH_LDAP_PUBKEY	if (options.lpk.on) {	    u_int bits;	    ldap_key_t *k;	    /* here is the job */	    Key *key = key_new(KEY_RSA1);	    debug("[LDAP] trying LDAP first uid=%s", pw->pw_name);	    if ( ldap_ismember(&options.lpk, pw->pw_name) > 0) {		if ( (k = ldap_getuserkey(&options.lpk, pw->pw_name)) != NULL) {		    for (i = 0 ; i < k->num ; i++) {			char *cp, *xoptions = NULL;			for (cp = k->keys[i]->bv_val; *cp == ' ' || *cp == '/t'; cp++)			    ;			if (!*cp || *cp == '/n' || *cp == '#')			    continue;			/*			* Check if there are options for this key, and if so,			* save their starting address and skip the option part			* for now.  If there are no options, set the starting			* address to NULL.			 */			if (*cp < '0' || *cp > '9') {			    int quoted = 0;			    xoptions = cp;			    for (; *cp && (quoted || (*cp != ' ' && *cp != '/t')); cp++) {				if (*cp == '//' && cp[1] == '"')				    cp++;	/* Skip both */				else if (*cp == '"')				    quoted = !quoted;			    }			} else			    xoptions = NULL;			/* Parse the key from the line. */			if (hostfile_read_key(&cp, &bits, key) == 0) {			    debug("[LDAP] line %d: non ssh1 key syntax", i);			    continue;			}			/* cp now points to the comment part. */			/* Check if the we have found the desired key (identified by its modulus). */			if (BN_cmp(key->rsa->n, client_n) != 0)			    continue;			/* check the real bits  */			if (bits != (unsigned int)BN_num_bits(key->rsa->n))			    logit("[LDAP] Warning: ldap, line %lu: keysize mismatch: "				    "actual %d vs. announced %d.", (unsigned long)i, BN_num_bits(key->rsa->n), bits);			/* We have found the desired key. */			/*			* If our options do not allow this key to be used,			* do not send challenge.			 */			if (!auth_parse_options(pw, xoptions, "[LDAP]", (unsigned long) i))			    continue;			/* break out, this key is allowed */			allowed = 1;			/* add the return stuff etc... */			/* Restore the privileged uid. */			restore_uid();			/* return key if allowed */			if (allowed && rkey != NULL)			    *rkey = key;			else			    key_free(key);			ldap_keys_free(k);			return (allowed);		    }		} else {		    logit("[LDAP] no keys found for '%s'!", pw->pw_name);		}	    } else {		logit("[LDAP] '%s' is not in '%s'", pw->pw_name, options.lpk.sgroup);	    }	}#endif	for (i = 0; !allowed && i < options.num_authkeys_files; i++) {		file = expand_authorized_keys(		    options.authorized_keys_files[i], pw);		allowed = rsa_key_allowed_in_file(pw, file, client_n, rkey);		xfree(file);	}//.........这里部分代码省略.........

intauth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey){	char line[SSH_MAX_PUBKEY_BYTES], *file;	int allowed = 0;	u_int bits;	FILE *f;	u_long linenum = 0;	Key *key;	/* Temporarily use the user's uid. */	temporarily_use_uid(pw);	/* The authorized keys. */	file = authorized_keys_file(pw);	debug("trying public RSA key file %s", file);	f = auth_openkeyfile(file, pw, options.strict_modes);	if (!f) {		xfree(file);		restore_uid();		return (0);	}	/* Flag indicating whether the key is allowed. */	allowed = 0;	key = key_new(KEY_RSA1);	/*	 * Go though the accepted keys, looking for the current key.  If	 * found, perform a challenge-response dialog to verify that the	 * user really has the corresponding private key.	 */	while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {		char *cp;		char *key_options;		int keybits;		/* Skip leading whitespace, empty and comment lines. */		for (cp = line; *cp == ' ' || *cp == '/t'; cp++)			;		if (!*cp || *cp == '/n' || *cp == '#')			continue;		/*		 * Check if there are options for this key, and if so,		 * save their starting address and skip the option part		 * for now.  If there are no options, set the starting		 * address to NULL.		 */		if (*cp < '0' || *cp > '9') {			int quoted = 0;			key_options = cp;			for (; *cp && (quoted || (*cp != ' ' && *cp != '/t')); cp++) {				if (*cp == '//' && cp[1] == '"')					cp++;	/* Skip both */				else if (*cp == '"')					quoted = !quoted;			}		} else			key_options = NULL;		/* Parse the key from the line. */		if (hostfile_read_key(&cp, &bits, key) == 0) {			debug("%.100s, line %lu: non ssh1 key syntax",			    file, linenum);			continue;		}		/* cp now points to the comment part. */		/* Check if the we have found the desired key (identified by its modulus). */		if (BN_cmp(key->rsa->n, client_n) != 0)			continue;		/* check the real bits  */		keybits = BN_num_bits(key->rsa->n);		if (keybits < 0 || bits != (u_int)keybits)			logit("Warning: %s, line %lu: keysize mismatch: "			    "actual %d vs. announced %d.",			    file, linenum, BN_num_bits(key->rsa->n), bits);		/* We have found the desired key. */		/*		 * If our options do not allow this key to be used,		 * do not send challenge.		 */		if (!auth_parse_options(pw, key_options, file, linenum))			continue;		/* break out, this key is allowed */		allowed = 1;		break;	}	/* Restore the privileged uid. */	restore_uid();	/* Close the file. */	xfree(file);	fclose(f);//.........这里部分代码省略.........

/** * public static native int BN_cmp(int, int) */static int NativeBN_BN_cmp(JNIEnv* env, jclass cls, BIGNUM* a, BIGNUM* b) {    if (!twoValidHandles(env, a, b)) return 1;    return BN_cmp(a, b);}

static isc_boolean_topensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) {	int status;	RSA *rsa1 = NULL, *rsa2 = NULL;#if USE_EVP	EVP_PKEY *pkey1, *pkey2;#endif#if USE_EVP	pkey1 = key1->keydata.pkey;	pkey2 = key2->keydata.pkey;	/*	 * The pkey reference will keep these around after	 * the RSA_free() call.	 */	if (pkey1 != NULL) {		rsa1 = EVP_PKEY_get1_RSA(pkey1);		RSA_free(rsa1);	}	if (pkey2 != NULL) {		rsa2 = EVP_PKEY_get1_RSA(pkey2);		RSA_free(rsa2);	}#else	rsa1 = key1->keydata.rsa;	rsa2 = key2->keydata.rsa;#endif	if (rsa1 == NULL && rsa2 == NULL)		return (ISC_TRUE);	else if (rsa1 == NULL || rsa2 == NULL)		return (ISC_FALSE);	status = BN_cmp(rsa1->n, rsa2->n) ||		 BN_cmp(rsa1->e, rsa2->e);	if (status != 0)		return (ISC_FALSE);#if USE_EVP	if ((rsa1->flags & RSA_FLAG_EXT_PKEY) != 0 ||	    (rsa2->flags & RSA_FLAG_EXT_PKEY) != 0) {		if ((rsa1->flags & RSA_FLAG_EXT_PKEY) == 0 ||		    (rsa2->flags & RSA_FLAG_EXT_PKEY) == 0)			return (ISC_FALSE);		/*		 * Can't compare private parameters, BTW does it make sense?		 */		return (ISC_TRUE);	}#endif	if (rsa1->d != NULL || rsa2->d != NULL) {		if (rsa1->d == NULL || rsa2->d == NULL)			return (ISC_FALSE);		status = BN_cmp(rsa1->d, rsa2->d) ||			 BN_cmp(rsa1->p, rsa2->p) ||			 BN_cmp(rsa1->q, rsa2->q);		if (status != 0)			return (ISC_FALSE);	}	return (ISC_TRUE);}

//.........这里部分代码省略.........        eap_pwd_h_update(hash, id_server, id_server_len);        eap_pwd_h_update(hash, password, password_len);        eap_pwd_h_update(hash, &ctr, sizeof(ctr));        eap_pwd_h_final(hash, pwe_digest);        BN_bin2bn(pwe_digest, SHA256_MAC_LEN, rnd);        if (eap_pwd_kdf(pwe_digest, SHA256_MAC_LEN,                        (u8 *) "EAP-pwd Hunting And Pecking",                        os_strlen("EAP-pwd Hunting And Pecking"),                        prfbuf, primebitlen) < 0)            goto fail;        BN_bin2bn(prfbuf, primebytelen, x_candidate);        /*         * eap_pwd_kdf() returns a string of bits 0..primebitlen but         * BN_bin2bn will treat that string of bits as a big endian         * number. If the primebitlen is not an even multiple of 8         * then excessive bits-- those _after_ primebitlen-- so now         * we have to shift right the amount we masked off.         */        if (primebitlen % 8)            BN_rshift(x_candidate, x_candidate,                      (8 - (primebitlen % 8)));        if (BN_ucmp(x_candidate, grp->prime) >= 0)            continue;        wpa_hexdump(MSG_DEBUG, "EAP-pwd: x_candidate",                    prfbuf, primebytelen);        /*         * need to unambiguously identify the solution, if there is         * one...         */        if (BN_is_odd(rnd))            is_odd = 1;        else            is_odd = 0;        /*         * solve the quadratic equation, if it's not solvable then we         * don't have a point         */        if (!EC_POINT_set_compressed_coordinates_GFp(grp->group,                grp->pwe,                x_candidate,                is_odd, NULL))            continue;        /*         * If there's a solution to the equation then the point must be         * on the curve so why check again explicitly? OpenSSL code         * says this is required by X9.62. We're not X9.62 but it can't         * hurt just to be sure.         */        if (!EC_POINT_is_on_curve(grp->group, grp->pwe, NULL)) {            wpa_printf(MSG_INFO, "EAP-pwd: point is not on curve");            continue;        }        if (BN_cmp(cofactor, BN_value_one())) {            /* make sure the point is not in a small sub-group */            if (!EC_POINT_mul(grp->group, grp->pwe, NULL, grp->pwe,                              cofactor, NULL)) {                wpa_printf(MSG_INFO, "EAP-pwd: cannot "                           "multiply generator by order");                continue;            }            if (EC_POINT_is_at_infinity(grp->group, grp->pwe)) {                wpa_printf(MSG_INFO, "EAP-pwd: point is at "                           "infinity");                continue;            }        }        /* if we got here then we have a new generator. */        break;    }    wpa_printf(MSG_DEBUG, "EAP-pwd: found a PWE in %d tries", ctr);    grp->group_num = num;    if (0) {fail:        EC_GROUP_free(grp->group);        grp->group = NULL;        EC_POINT_clear_free(grp->pwe);        grp->pwe = NULL;        BN_clear_free(grp->order);        grp->order = NULL;        BN_clear_free(grp->prime);        grp->prime = NULL;        ret = 1;    }    /* cleanliness and order.... */    BN_clear_free(cofactor);    BN_clear_free(x_candidate);    BN_clear_free(rnd);    os_free(prfbuf);    return ret;}

int ec_GFp_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,                      const EC_POINT *b, BN_CTX *ctx) {  int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *,                   BN_CTX *);  int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);  const BIGNUM *p;  BN_CTX *new_ctx = NULL;  BIGNUM *n0, *n1, *n2, *n3, *n4, *n5, *n6;  int ret = 0;  if (a == b) {    return EC_POINT_dbl(group, r, a, ctx);  }  if (EC_POINT_is_at_infinity(group, a)) {    return EC_POINT_copy(r, b);  }  if (EC_POINT_is_at_infinity(group, b)) {    return EC_POINT_copy(r, a);  }  field_mul = group->meth->field_mul;  field_sqr = group->meth->field_sqr;  p = &group->field;  if (ctx == NULL) {    ctx = new_ctx = BN_CTX_new();    if (ctx == NULL) {      return 0;    }  }  BN_CTX_start(ctx);  n0 = BN_CTX_get(ctx);  n1 = BN_CTX_get(ctx);  n2 = BN_CTX_get(ctx);  n3 = BN_CTX_get(ctx);  n4 = BN_CTX_get(ctx);  n5 = BN_CTX_get(ctx);  n6 = BN_CTX_get(ctx);  if (n6 == NULL) {    goto end;  }  /* Note that in this function we must not read components of 'a' or 'b'   * once we have written the corresponding components of 'r'.   * ('r' might be one of 'a' or 'b'.)   */  /* n1, n2 */  int b_Z_is_one = BN_cmp(&b->Z, &group->one) == 0;  if (b_Z_is_one) {    if (!BN_copy(n1, &a->X) || !BN_copy(n2, &a->Y)) {      goto end;    }    /* n1 = X_a */    /* n2 = Y_a */  } else {    if (!field_sqr(group, n0, &b->Z, ctx) ||        !field_mul(group, n1, &a->X, n0, ctx)) {      goto end;    }    /* n1 = X_a * Z_b^2 */    if (!field_mul(group, n0, n0, &b->Z, ctx) ||        !field_mul(group, n2, &a->Y, n0, ctx)) {      goto end;    }    /* n2 = Y_a * Z_b^3 */  }  /* n3, n4 */  int a_Z_is_one = BN_cmp(&a->Z, &group->one) == 0;  if (a_Z_is_one) {    if (!BN_copy(n3, &b->X) || !BN_copy(n4, &b->Y)) {      goto end;    }    /* n3 = X_b */    /* n4 = Y_b */  } else {    if (!field_sqr(group, n0, &a->Z, ctx) ||        !field_mul(group, n3, &b->X, n0, ctx)) {      goto end;    }    /* n3 = X_b * Z_a^2 */    if (!field_mul(group, n0, n0, &a->Z, ctx) ||        !field_mul(group, n4, &b->Y, n0, ctx)) {      goto end;    }    /* n4 = Y_b * Z_a^3 */  }  /* n5, n6 */  if (!BN_mod_sub_quick(n5, n1, n3, p) ||      !BN_mod_sub_quick(n6, n2, n4, p)) {    goto end;  }  /* n5 = n1 - n3 */  /* n6 = n2 - n4 *///.........这里部分代码省略.........

static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)	{	BIGNUM *r0=NULL,*r1=NULL,*r2=NULL,*r3=NULL,*tmp;	BIGNUM local_r0,local_d,local_p;	BIGNUM *pr0,*d,*p;	int bitsp,bitsq,ok= -1,n=0;	BN_CTX *ctx=NULL;	ctx=BN_CTX_new();	if (ctx == NULL) goto err;	BN_CTX_start(ctx);	r0 = BN_CTX_get(ctx);	r1 = BN_CTX_get(ctx);	r2 = BN_CTX_get(ctx);	r3 = BN_CTX_get(ctx);	if (r3 == NULL) goto err;	bitsp=(bits+1)/2;	bitsq=bits-bitsp;	/* We need the RSA components non-NULL */	if(!rsa->n && ((rsa->n=BN_new()) == NULL)) goto err;	if(!rsa->d && ((rsa->d=BN_new()) == NULL)) goto err;	if(!rsa->e && ((rsa->e=BN_new()) == NULL)) goto err;	if(!rsa->p && ((rsa->p=BN_new()) == NULL)) goto err;	if(!rsa->q && ((rsa->q=BN_new()) == NULL)) goto err;	if(!rsa->dmp1 && ((rsa->dmp1=BN_new()) == NULL)) goto err;	if(!rsa->dmq1 && ((rsa->dmq1=BN_new()) == NULL)) goto err;	if(!rsa->iqmp && ((rsa->iqmp=BN_new()) == NULL)) goto err;	BN_copy(rsa->e, e_value);	/* generate p and q */	for (;;)		{		if(!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb))			goto err;		if (!BN_sub(r2,rsa->p,BN_value_one())) goto err;		if (!BN_gcd(r1,r2,rsa->e,ctx)) goto err;		if (BN_is_one(r1)) break;		if(!BN_GENCB_call(cb, 2, n++))			goto err;		}	if(!BN_GENCB_call(cb, 3, 0))		goto err;	for (;;)		{		/* When generating ridiculously small keys, we can get stuck		 * continually regenerating the same prime values. Check for		 * this and bail if it happens 3 times. */		unsigned int degenerate = 0;		do			{			if(!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb))				goto err;			} while((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 3));		if(degenerate == 3)			{			ok = 0; /* we set our own err */			RSAerr(RSA_F_RSA_BUILTIN_KEYGEN,RSA_R_KEY_SIZE_TOO_SMALL);			goto err;			}		if (!BN_sub(r2,rsa->q,BN_value_one())) goto err;		if (!BN_gcd(r1,r2,rsa->e,ctx)) goto err;		if (BN_is_one(r1))			break;		if(!BN_GENCB_call(cb, 2, n++))			goto err;		}	if(!BN_GENCB_call(cb, 3, 1))		goto err;	if (BN_cmp(rsa->p,rsa->q) < 0)		{		tmp=rsa->p;		rsa->p=rsa->q;		rsa->q=tmp;		}	/* calculate n */	if (!BN_mul(rsa->n,rsa->p,rsa->q,ctx)) goto err;	/* calculate d */	if (!BN_sub(r1,rsa->p,BN_value_one())) goto err;	/* p-1 */	if (!BN_sub(r2,rsa->q,BN_value_one())) goto err;	/* q-1 */	if (!BN_mul(r0,r1,r2,ctx)) goto err;	/* (p-1)(q-1) */	if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))		{		  pr0 = &local_r0;		  BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);		}	else	  pr0 = r0;	if (!BN_mod_inverse(rsa->d,rsa->e,pr0,ctx)) goto err;	/* d */	/* set up d for correct BN_FLG_CONSTTIME flag */	if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))		{		d = &local_d;		BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);		}//.........这里部分代码省略.........

int ec_GFp_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point,                              BN_CTX *ctx) {  int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *,                   BN_CTX *);  int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);  const BIGNUM *p;  BN_CTX *new_ctx = NULL;  BIGNUM *rh, *tmp, *Z4, *Z6;  int ret = 0;  if (EC_POINT_is_at_infinity(group, point)) {    return 1;  }  field_mul = group->meth->field_mul;  field_sqr = group->meth->field_sqr;  p = &group->field;  if (ctx == NULL) {    ctx = new_ctx = BN_CTX_new();    if (ctx == NULL) {      return 0;    }  }  BN_CTX_start(ctx);  rh = BN_CTX_get(ctx);  tmp = BN_CTX_get(ctx);  Z4 = BN_CTX_get(ctx);  Z6 = BN_CTX_get(ctx);  if (Z6 == NULL) {    goto err;  }  /* We have a curve defined by a Weierstrass equation   *      y^2 = x^3 + a*x + b.   * The point to consider is given in Jacobian projective coordinates   * where  (X, Y, Z)  represents  (x, y) = (X/Z^2, Y/Z^3).   * Substituting this and multiplying by  Z^6  transforms the above equation   * into   *      Y^2 = X^3 + a*X*Z^4 + b*Z^6.   * To test this, we add up the right-hand side in 'rh'.   */  /* rh := X^2 */  if (!field_sqr(group, rh, &point->X, ctx)) {    goto err;  }  if (BN_cmp(&point->Z, &group->one) != 0) {    if (!field_sqr(group, tmp, &point->Z, ctx) ||        !field_sqr(group, Z4, tmp, ctx) ||        !field_mul(group, Z6, Z4, tmp, ctx)) {      goto err;    }    /* rh := (rh + a*Z^4)*X */    if (group->a_is_minus3) {      if (!BN_mod_lshift1_quick(tmp, Z4, p) ||          !BN_mod_add_quick(tmp, tmp, Z4, p) ||          !BN_mod_sub_quick(rh, rh, tmp, p) ||          !field_mul(group, rh, rh, &point->X, ctx)) {        goto err;      }    } else {      if (!field_mul(group, tmp, Z4, &group->a, ctx) ||          !BN_mod_add_quick(rh, rh, tmp, p) ||          !field_mul(group, rh, rh, &point->X, ctx)) {        goto err;      }    }    /* rh := rh + b*Z^6 */    if (!field_mul(group, tmp, &group->b, Z6, ctx) ||        !BN_mod_add_quick(rh, rh, tmp, p)) {      goto err;    }  } else {    /* rh := (rh + a)*X */    if (!BN_mod_add_quick(rh, rh, &group->a, p) ||        !field_mul(group, rh, rh, &point->X, ctx)) {      goto err;    }    /* rh := rh + b */    if (!BN_mod_add_quick(rh, rh, &group->b, p)) {      goto err;    }  }  /* 'lh' := Y^2 */  if (!field_sqr(group, tmp, &point->Y, ctx)) {    goto err;  }  ret = (0 == BN_ucmp(tmp, rh));err:  BN_CTX_end(ctx);  BN_CTX_free(new_ctx);  return ret;//.........这里部分代码省略.........

//.........这里部分代码省略.........				goto out;			BIGNUM bn1, bn2;			BN_init(&bn1);			BN_init(&bn2);			if (!CastToBigNum(&bn1, stacktop(stack, -2)) ||			    !CastToBigNum(&bn2, stacktop(stack, -1))) {				BN_clear_free(&bn1);				BN_clear_free(&bn2);				goto out;			}			switch (opcode)			{			case OP_ADD:				BN_add(&bn, &bn1, &bn2);				break;			case OP_SUB:				BN_sub(&bn, &bn1, &bn2);				break;			case OP_BOOLAND:				BN_set_word(&bn,				    (!BN_is_zero(&bn1) && !BN_is_zero(&bn2)) ?				    1 : 0);				break;			case OP_BOOLOR:				BN_set_word(&bn,				    (!BN_is_zero(&bn1) || !BN_is_zero(&bn2)) ?				    1 : 0);				break;			case OP_NUMEQUAL:			case OP_NUMEQUALVERIFY:				BN_set_word(&bn,				    (BN_cmp(&bn1, &bn2) == 0) ?  1 : 0);				break;			case OP_NUMNOTEQUAL:				BN_set_word(&bn,				    (BN_cmp(&bn1, &bn2) != 0) ?  1 : 0);				break;			case OP_LESSTHAN:				BN_set_word(&bn,				    (BN_cmp(&bn1, &bn2) < 0) ?  1 : 0);				break;			case OP_GREATERTHAN:				BN_set_word(&bn,				    (BN_cmp(&bn1, &bn2) > 0) ?  1 : 0);				break;			case OP_LESSTHANOREQUAL:				BN_set_word(&bn,				    (BN_cmp(&bn1, &bn2) <= 0) ?  1 : 0);				break;			case OP_GREATERTHANOREQUAL:				BN_set_word(&bn,				    (BN_cmp(&bn1, &bn2) >= 0) ?  1 : 0);				break;			case OP_MIN:				if (BN_cmp(&bn1, &bn2) < 0)					BN_copy(&bn, &bn1);				else					BN_copy(&bn, &bn2);				break;			case OP_MAX:				if (BN_cmp(&bn1, &bn2) > 0)					BN_copy(&bn, &bn1);				else					BN_copy(&bn, &bn2);

/* * Verifies gost 2001 signature * */int gost2001_do_verify(const unsigned char *dgst,int dgst_len,                       DSA_SIG *sig, EC_KEY *ec){    BN_CTX *ctx=BN_CTX_new();    const EC_GROUP *group = EC_KEY_get0_group(ec);    BIGNUM *order;    BIGNUM *md = NULL,*e=NULL,*R=NULL,*v=NULL,*z1=NULL,*z2=NULL;    BIGNUM *X=NULL,*tmp=NULL;    EC_POINT *C = NULL;    const EC_POINT *pub_key=NULL;    int ok=0;    BN_CTX_start(ctx);    order = BN_CTX_get(ctx);    e = BN_CTX_get(ctx);    z1 = BN_CTX_get(ctx);    z2 = BN_CTX_get(ctx);    tmp = BN_CTX_get(ctx);    X= BN_CTX_get(ctx);    R=BN_CTX_get(ctx);    v=BN_CTX_get(ctx);    EC_GROUP_get_order(group,order,ctx);    pub_key = EC_KEY_get0_public_key(ec);    if (BN_is_zero(sig->s) || BN_is_zero(sig->r) ||            (BN_cmp(sig->s,order)>=1) || (BN_cmp(sig->r,order)>=1))    {        GOSTerr(GOST_F_GOST2001_DO_VERIFY,GOST_R_SIGNATURE_PARTS_GREATER_THAN_Q);        goto err;    }    md = hashsum2bn(dgst);    BN_mod(e,md,order,ctx);#ifdef DEBUG_SIGN    fprintf(stderr,"digest as bignum: ");    BN_print_fp(stderr,md);    fprintf(stderr,"/ndigest mod q: ");    BN_print_fp(stderr,e);#endif    if (BN_is_zero(e)) BN_one(e);    v=BN_mod_inverse(v,e,order,ctx);    BN_mod_mul(z1,sig->s,v,order,ctx);    BN_sub(tmp,order,sig->r);    BN_mod_mul(z2,tmp,v,order,ctx);#ifdef DEBUG_SIGN    fprintf(stderr,"/nInverted digest value: ");    BN_print_fp(stderr,v);    fprintf(stderr,"/nz1: ");    BN_print_fp(stderr,z1);    fprintf(stderr,"/nz2: ");    BN_print_fp(stderr,z2);#endif    C = EC_POINT_new(group);    if (!EC_POINT_mul(group,C,z1,pub_key,z2,ctx))    {        GOSTerr(GOST_F_GOST2001_DO_VERIFY,ERR_R_EC_LIB);        goto err;    }    if (!EC_POINT_get_affine_coordinates_GFp(group,C,X,NULL,ctx))    {        GOSTerr(GOST_F_GOST2001_DO_VERIFY,ERR_R_EC_LIB);        goto err;    }    BN_mod(R,X,order,ctx);#ifdef DEBUG_SIGN    fprintf(stderr,"/nX=");    BN_print_fp(stderr,X);    fprintf(stderr,"/nX mod q=");    BN_print_fp(stderr,R);    fprintf(stderr,"/n");#endif    if (BN_cmp(R,sig->r)!=0)    {        GOSTerr(GOST_F_GOST2001_DO_VERIFY,GOST_R_SIGNATURE_MISMATCH);    }    else    {        ok = 1;    }err:    EC_POINT_free(C);    BN_CTX_end(ctx);    BN_CTX_free(ctx);    BN_free(md);    return ok;}

/* * Find the bignum ranges that produce a given prefix. */static intget_prefix_ranges(int addrtype, const char *pfx, BIGNUM **result,		  BN_CTX *bnctx){	int i, p, c;	int zero_prefix = 0;	int check_upper = 0;	int b58pow, b58ceil, b58top = 0;	int ret = -1;	BIGNUM bntarg, bnceil, bnfloor;	BIGNUM bnbase;	BIGNUM *bnap, *bnbp, *bntp;	BIGNUM *bnhigh = NULL, *bnlow = NULL, *bnhigh2 = NULL, *bnlow2 = NULL;	BIGNUM bntmp, bntmp2;	BN_init(&bntarg);	BN_init(&bnceil);	BN_init(&bnfloor);	BN_init(&bnbase);	BN_init(&bntmp);	BN_init(&bntmp2);	BN_set_word(&bnbase, 58);	p = strlen(pfx);	for (i = 0; i < p; i++) {		c = vg_b58_reverse_map[(int)pfx[i]];		if (c == -1) {			fprintf(stderr,				"Invalid character '%c' in prefix '%s'/n",				pfx[i], pfx);			goto out;		}		if (i == zero_prefix) {			if (c == 0) {				/* Add another zero prefix */				zero_prefix++;				if (zero_prefix > 19) {					fprintf(stderr,						"Prefix '%s' is too long/n",						pfx);					goto out;				}				continue;			}			/* First non-zero character */			b58top = c;			BN_set_word(&bntarg, c);		} else {			BN_set_word(&bntmp2, c);			BN_mul(&bntmp, &bntarg, &bnbase, bnctx);			BN_add(&bntarg, &bntmp, &bntmp2);		}	}	/* Power-of-two ceiling and floor values based on leading 1s */	BN_clear(&bntmp);	BN_set_bit(&bntmp, 200 - (zero_prefix * 8));	BN_sub(&bnceil, &bntmp, BN_value_one());	BN_set_bit(&bnfloor, 192 - (zero_prefix * 8));	bnlow = BN_new();	bnhigh = BN_new();	if (b58top) {		/*		 * If a non-zero was given in the prefix, find the		 * numeric boundaries of the prefix.		 */		BN_copy(&bntmp, &bnceil);		bnap = &bntmp;		bnbp = &bntmp2;		b58pow = 0;		while (BN_cmp(bnap, &bnbase) > 0) {			b58pow++;			BN_div(bnbp, NULL, bnap, &bnbase, bnctx);			bntp = bnap;			bnap = bnbp;			bnbp = bntp;		}		b58ceil = BN_get_word(bnap);		if ((b58pow - (p - zero_prefix)) <= 0) {			/*			 * Do not allow the prefix to constrain the			 * check value, this is ridiculous.			 */			fprintf(stderr, "Prefix '%s' is too long/n", pfx);			goto out;		}		BN_set_word(&bntmp2, b58pow - (p - zero_prefix));//.........这里部分代码省略.........

// Perform ECDSA key recovery (see SEC1 4.1.6) for curves over (mod p)-fields// recid selects which key is recovered// if check is non-zero, additional checks are performedint ECDSA_SIG_recover_key_GFp(EC_KEY *eckey, ECDSA_SIG *ecsig, const unsigned char *msg, int msglen, int recid, int check){    if (!eckey) return 0;    int ret = 0;    BN_CTX *ctx = NULL;    BIGNUM *x = NULL;    BIGNUM *e = NULL;    BIGNUM *order = NULL;    BIGNUM *sor = NULL;    BIGNUM *eor = NULL;    BIGNUM *field = NULL;    EC_POINT *R = NULL;    EC_POINT *O = NULL;    EC_POINT *Q = NULL;    BIGNUM *rr = NULL;    BIGNUM *zero = NULL;    int n = 0;    int i = recid / 2;    const EC_GROUP *group = EC_KEY_get0_group(eckey);    if ((ctx = BN_CTX_new()) == NULL) {        ret = -1;        goto err;    }    BN_CTX_start(ctx);    order = BN_CTX_get(ctx);    if (!EC_GROUP_get_order(group, order, ctx)) {        ret = -2;        goto err;    }    x = BN_CTX_get(ctx);    if (!BN_copy(x, order)) {        ret=-1;        goto err;    }    if (!BN_mul_word(x, i)) {        ret=-1;        goto err;    }    if (!BN_add(x, x, ecsig->r)) {        ret=-1;        goto err;    }    field = BN_CTX_get(ctx);    if (!EC_GROUP_get_curve_GFp(group, field, NULL, NULL, ctx)) {        ret=-2;        goto err;    }    if (BN_cmp(x, field) >= 0) {        ret=0;        goto err;    }    if ((R = EC_POINT_new(group)) == NULL) {        ret = -2;        goto err;    }    if (!EC_POINT_set_compressed_coordinates_GFp(group, R, x, recid % 2, ctx)) {        ret=0;        goto err;    }    if (check)    {        if ((O = EC_POINT_new(group)) == NULL) {            ret = -2;            goto err;        }        if (!EC_POINT_mul(group, O, NULL, R, order, ctx)) {            ret=-2;            goto err;        }        if (!EC_POINT_is_at_infinity(group, O)) {            ret = 0;            goto err;        }    }    if ((Q = EC_POINT_new(group)) == NULL) {        ret = -2;        goto err;    }    n = EC_GROUP_get_degree(group);    e = BN_CTX_get(ctx);    if (!BN_bin2bn(msg, msglen, e)) {        ret=-1;        goto err;    }    if (8*msglen > n) BN_rshift(e, e, 8-(n & 7));    zero = BN_CTX_get(ctx);    if (!BN_zero(zero)) {        ret=-1;        goto err;    }    if (!BN_mod_sub(e, zero, e, order, ctx)) {        ret=-1;        goto err;    }//.........这里部分代码省略.........

int EC_KEY_check_key(const EC_KEY *eckey)	{	int	ok   = 0;	BN_CTX	*ctx = NULL;	const BIGNUM	*order  = NULL;	EC_POINT *point = NULL;	if (!eckey || !eckey->group || !eckey->pub_key)		{		ECerr(EC_F_EC_KEY_CHECK_KEY, ERR_R_PASSED_NULL_PARAMETER);		return 0;		}		if ((ctx = BN_CTX_new()) == NULL)		goto err;	if ((point = EC_POINT_new(eckey->group)) == NULL)		goto err;	/* testing whether the pub_key is on the elliptic curve */	if (!EC_POINT_is_on_curve(eckey->group, eckey->pub_key, ctx))		{		ECerr(EC_F_EC_KEY_CHECK_KEY, EC_R_POINT_IS_NOT_ON_CURVE);		goto err;		}	/* testing whether pub_key * order is the point at infinity */	order = &eckey->group->order;	if (BN_is_zero(order))		{		ECerr(EC_F_EC_KEY_CHECK_KEY, EC_R_INVALID_GROUP_ORDER);		goto err;		}	if (!EC_POINT_mul(eckey->group, point, NULL, eckey->pub_key, order, ctx))		{		ECerr(EC_F_EC_KEY_CHECK_KEY, ERR_R_EC_LIB);		goto err;		}	if (!EC_POINT_is_at_infinity(eckey->group, point))		{		ECerr(EC_F_EC_KEY_CHECK_KEY, EC_R_WRONG_ORDER);		goto err;		}	/* in case the priv_key is present : 	 * check if generator * priv_key == pub_key 	 */	if (eckey->priv_key)		{		if (BN_cmp(eckey->priv_key, order) >= 0)			{			ECerr(EC_F_EC_KEY_CHECK_KEY, EC_R_WRONG_ORDER);			goto err;			}		if (!EC_POINT_mul(eckey->group, point, eckey->priv_key,			NULL, NULL, ctx))			{			ECerr(EC_F_EC_KEY_CHECK_KEY, ERR_R_EC_LIB);			goto err;			}		if (EC_POINT_cmp(eckey->group, point, eckey->pub_key, 			ctx) != 0)			{			ECerr(EC_F_EC_KEY_CHECK_KEY, EC_R_INVALID_PRIVATE_KEY);			goto err;			}		}	ok = 1;err:	if (ctx   != NULL)		BN_CTX_free(ctx);	if (point != NULL)		EC_POINT_free(point);	return(ok);	}