自学教程：C++ BN_mod_add_quick函数代码示例

/*- * Set s := p, r := 2p. * * For doubling we use Formula 3 from Izu-Takagi "A fast parallel elliptic curve * multiplication resistant against side channel attacks" appendix, as described * at * https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#doubling-dbl-2002-it-2 * * The input point p will be in randomized Jacobian projective coords: *      x = X/Z**2, y=Y/Z**3 * * The output points p, s, and r are converted to standard (homogeneous) * projective coords: *      x = X/Z, y=Y/Z */int ec_GFp_simple_ladder_pre(const EC_GROUP *group,                             EC_POINT *r, EC_POINT *s,                             EC_POINT *p, BN_CTX *ctx){    BIGNUM *t1, *t2, *t3, *t4, *t5, *t6 = NULL;    t1 = r->Z;    t2 = r->Y;    t3 = s->X;    t4 = r->X;    t5 = s->Y;    t6 = s->Z;    /* convert p: (X,Y,Z) -> (XZ,Y,Z**3) */    if (!group->meth->field_mul(group, p->X, p->X, p->Z, ctx)        || !group->meth->field_sqr(group, t1, p->Z, ctx)        || !group->meth->field_mul(group, p->Z, p->Z, t1, ctx)        /* r := 2p */        || !group->meth->field_sqr(group, t2, p->X, ctx)        || !group->meth->field_sqr(group, t3, p->Z, ctx)        || !group->meth->field_mul(group, t4, t3, group->a, ctx)        || !BN_mod_sub_quick(t5, t2, t4, group->field)        || !BN_mod_add_quick(t2, t2, t4, group->field)        || !group->meth->field_sqr(group, t5, t5, ctx)        || !group->meth->field_mul(group, t6, t3, group->b, ctx)        || !group->meth->field_mul(group, t1, p->X, p->Z, ctx)        || !group->meth->field_mul(group, t4, t1, t6, ctx)        || !BN_mod_lshift_quick(t4, t4, 3, group->field)        /* r->X coord output */        || !BN_mod_sub_quick(r->X, t5, t4, group->field)        || !group->meth->field_mul(group, t1, t1, t2, ctx)        || !group->meth->field_mul(group, t2, t3, t6, ctx)        || !BN_mod_add_quick(t1, t1, t2, group->field)        /* r->Z coord output */        || !BN_mod_lshift_quick(r->Z, t1, 2, group->field)        || !EC_POINT_copy(s, p))        return 0;    r->Z_is_one = 0;    s->Z_is_one = 0;    p->Z_is_one = 0;    return 1;}

void CSignerECDSA::SignFast(const uint256 &hash, unsigned char Signature[65]){    CBigNum m;    BN_bin2bn((uint8_t*)&hash, 256/8, &m);    // Spread-FIXME: replace with fixed-size arithmetic.    CBigNum s;    BN_mod_add_quick(&s, &pmr, &m, &order);    BN_mod_mul(&s, &s, &kinv, &order, ctx);    int nBitsS = BN_num_bits(&s);    memset(Signature + 33, 0, 32);    BN_bn2bin(&s, &Signature[65-(nBitsS+7)/8]);}

int ec_GFp_simple_set_compressed_coordinates(const EC_GROUP *group,                                             EC_POINT *point, const BIGNUM *x_,                                             int y_bit, BN_CTX *ctx) {  BN_CTX *new_ctx = NULL;  BIGNUM *tmp1, *tmp2, *x, *y;  int ret = 0;  ERR_clear_error();  if (ctx == NULL) {    ctx = new_ctx = BN_CTX_new();    if (ctx == NULL) {      return 0;    }  }  y_bit = (y_bit != 0);  BN_CTX_start(ctx);  tmp1 = BN_CTX_get(ctx);  tmp2 = BN_CTX_get(ctx);  x = BN_CTX_get(ctx);  y = BN_CTX_get(ctx);  if (y == NULL) {    goto err;  }  /* Recover y.  We have a Weierstrass equation   *     y^2 = x^3 + a*x + b,   * so  y  is one of the square roots of  x^3 + a*x + b. */  /* tmp1 := x^3 */  if (!BN_nnmod(x, x_, &group->field, ctx)) {    goto err;  }  if (group->meth->field_decode == 0) {    /* field_{sqr,mul} work on standard representation */    if (!group->meth->field_sqr(group, tmp2, x_, ctx) ||        !group->meth->field_mul(group, tmp1, tmp2, x_, ctx)) {      goto err;    }  } else {    if (!BN_mod_sqr(tmp2, x_, &group->field, ctx) ||        !BN_mod_mul(tmp1, tmp2, x_, &group->field, ctx)) {      goto err;    }  }  /* tmp1 := tmp1 + a*x */  if (group->a_is_minus3) {    if (!BN_mod_lshift1_quick(tmp2, x, &group->field) ||        !BN_mod_add_quick(tmp2, tmp2, x, &group->field) ||        !BN_mod_sub_quick(tmp1, tmp1, tmp2, &group->field)) {      goto err;    }  } else {    if (group->meth->field_decode) {      if (!group->meth->field_decode(group, tmp2, &group->a, ctx) ||          !BN_mod_mul(tmp2, tmp2, x, &group->field, ctx)) {        goto err;      }    } else {      /* field_mul works on standard representation */      if (!group->meth->field_mul(group, tmp2, &group->a, x, ctx)) {        goto err;      }    }    if (!BN_mod_add_quick(tmp1, tmp1, tmp2, &group->field)) {      goto err;    }  }  /* tmp1 := tmp1 + b */  if (group->meth->field_decode) {    if (!group->meth->field_decode(group, tmp2, &group->b, ctx) ||        !BN_mod_add_quick(tmp1, tmp1, tmp2, &group->field)) {      goto err;    }  } else {    if (!BN_mod_add_quick(tmp1, tmp1, &group->b, &group->field)) {      goto err;    }  }  if (!BN_mod_sqrt(y, tmp1, &group->field, ctx)) {    unsigned long err = ERR_peek_last_error();    if (ERR_GET_LIB(err) == ERR_LIB_BN &&        ERR_GET_REASON(err) == BN_R_NOT_A_SQUARE) {      ERR_clear_error();      OPENSSL_PUT_ERROR(EC, ec_GFp_simple_set_compressed_coordinates, EC_R_INVALID_COMPRESSED_POINT);    } else {      OPENSSL_PUT_ERROR(EC, ec_GFp_simple_set_compressed_coordinates, ERR_R_BN_LIB);    }    goto err;  }  if (y_bit != BN_is_odd(y)) {//.........这里部分代码省略.........

static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len, 		const BIGNUM *in_kinv, const BIGNUM *in_r, EC_KEY *eckey){	int     ok = 0, i;	BIGNUM *kinv=NULL, *s, *m=NULL,*tmp=NULL,*order=NULL;	const BIGNUM *ckinv;	BN_CTX     *ctx = NULL;	const EC_GROUP   *group;	ECDSA_SIG  *ret;	ECDSA_DATA *ecdsa;	const BIGNUM *priv_key;	ecdsa    = ecdsa_check(eckey);	group    = EC_KEY_get0_group(eckey);	priv_key = EC_KEY_get0_private_key(eckey);		if (group == NULL || priv_key == NULL || ecdsa == NULL)	{		ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_PASSED_NULL_PARAMETER);		return NULL;	}#ifdef OPENSSL_FIPS	if (!fips_check_ec_prng(eckey))		return NULL;#endif	ret = ECDSA_SIG_new();	if (!ret)	{		ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE);		return NULL;	}	s = ret->s;	if ((ctx = BN_CTX_new()) == NULL || (order = BN_new()) == NULL ||		(tmp = BN_new()) == NULL || (m = BN_new()) == NULL)	{		ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE);		goto err;	}	if (!EC_GROUP_get_order(group, order, ctx))	{		ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_EC_LIB);		goto err;	}	i = BN_num_bits(order);	/* Need to truncate digest if it is too long: first truncate whole	 * bytes.	 */	if (8 * dgst_len > i)		dgst_len = (i + 7)/8;	if (!BN_bin2bn(dgst, dgst_len, m))	{		ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);		goto err;	}	/* If still too long truncate remaining bits with a shift */	if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7)))	{		ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);		goto err;	}	do	{		if (in_kinv == NULL || in_r == NULL)		{			if (!ecdsa->meth->ecdsa_sign_setup(eckey, ctx,								&kinv, &ret->r))			{				ECDSAerr(ECDSA_F_ECDSA_DO_SIGN,ERR_R_ECDSA_LIB);				goto err;			}			ckinv = kinv;		}		else		{			ckinv  = in_kinv;			if (BN_copy(ret->r, in_r) == NULL)			{				ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE);				goto err;			}		}		if (!BN_mod_mul(tmp, priv_key, ret->r, order, ctx))		{			ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);			goto err;		}		if (!BN_mod_add_quick(s, tmp, m, order))		{			ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);			goto err;		}		if (!BN_mod_mul(s, s, ckinv, order, ctx))		{			ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);			goto err;//.........这里部分代码省略.........

static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len, 		const BIGNUM *in_kinv, const BIGNUM *in_r, EC_KEY *eckey){	int     ok = 0;	BIGNUM *kinv=NULL, *s, *m=NULL,*tmp=NULL,*order=NULL;	const BIGNUM *ckinv;	BN_CTX     *ctx = NULL;	const EC_GROUP   *group;	ECDSA_SIG  *ret;	ECDSA_DATA *ecdsa;	const BIGNUM *priv_key;	ecdsa    = ecdsa_check(eckey);	group    = EC_KEY_get0_group(eckey);	priv_key = EC_KEY_get0_private_key(eckey);		if (group == NULL || priv_key == NULL || ecdsa == NULL)	{		ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_PASSED_NULL_PARAMETER);		return NULL;	}	ret = ECDSA_SIG_new();	if (!ret)	{		ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE);		return NULL;	}	s = ret->s;	if ((ctx = BN_CTX_new()) == NULL || (order = BN_new()) == NULL ||		(tmp = BN_new()) == NULL || (m = BN_new()) == NULL)	{		ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE);		goto err;	}	if (!EC_GROUP_get_order(group, order, ctx))	{		ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_EC_LIB);		goto err;	}	if (8 * dgst_len > BN_num_bits(order))	{		/* XXX		 * 		 * Should provide for optional hash truncation:		 * Keep the BN_num_bits(order) leftmost bits of dgst		 * (see March 2006 FIPS 186-3 draft, which has a few		 * confusing errors in this part though)		 */		ECDSAerr(ECDSA_F_ECDSA_DO_SIGN,			ECDSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);		goto err;	}	if (!BN_bin2bn(dgst, dgst_len, m))	{		ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);		goto err;	}	do	{		if (in_kinv == NULL || in_r == NULL)		{			if (!ECDSA_sign_setup(eckey, ctx, &kinv, &ret->r))			{				ECDSAerr(ECDSA_F_ECDSA_DO_SIGN,ERR_R_ECDSA_LIB);				goto err;			}			ckinv = kinv;		}		else		{			ckinv  = in_kinv;			if (BN_copy(ret->r, in_r) == NULL)			{				ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE);				goto err;			}		}		if (!BN_mod_mul(tmp, priv_key, ret->r, order, ctx))		{			ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);			goto err;		}		if (!BN_mod_add_quick(s, tmp, m, order))		{			ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);			goto err;		}		if (!BN_mod_mul(s, s, ckinv, order, ctx))		{			ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);			goto err;		}		if (BN_is_zero(s))		{//.........这里部分代码省略.........

int ec_GFp_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point,                              BN_CTX *ctx){    int (*field_mul) (const EC_GROUP *, BIGNUM *, const BIGNUM *,                      const BIGNUM *, BN_CTX *);    int (*field_sqr) (const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);    const BIGNUM *p;    BN_CTX *new_ctx = NULL;    BIGNUM *rh, *tmp, *Z4, *Z6;    int ret = -1;    if (EC_POINT_is_at_infinity(group, point))        return 1;    field_mul = group->meth->field_mul;    field_sqr = group->meth->field_sqr;    p = group->field;    if (ctx == NULL) {        ctx = new_ctx = BN_CTX_new();        if (ctx == NULL)            return -1;    }    BN_CTX_start(ctx);    rh = BN_CTX_get(ctx);    tmp = BN_CTX_get(ctx);    Z4 = BN_CTX_get(ctx);    Z6 = BN_CTX_get(ctx);    if (Z6 == NULL)        goto err;    /*-     * We have a curve defined by a Weierstrass equation     *      y^2 = x^3 + a*x + b.     * The point to consider is given in Jacobian projective coordinates     * where  (X, Y, Z)  represents  (x, y) = (X/Z^2, Y/Z^3).     * Substituting this and multiplying by  Z^6  transforms the above equation into     *      Y^2 = X^3 + a*X*Z^4 + b*Z^6.     * To test this, we add up the right-hand side in 'rh'.     */    /* rh := X^2 */    if (!field_sqr(group, rh, point->X, ctx))        goto err;    if (!point->Z_is_one) {        if (!field_sqr(group, tmp, point->Z, ctx))            goto err;        if (!field_sqr(group, Z4, tmp, ctx))            goto err;        if (!field_mul(group, Z6, Z4, tmp, ctx))            goto err;        /* rh := (rh + a*Z^4)*X */        if (group->a_is_minus3) {            if (!BN_mod_lshift1_quick(tmp, Z4, p))                goto err;            if (!BN_mod_add_quick(tmp, tmp, Z4, p))                goto err;            if (!BN_mod_sub_quick(rh, rh, tmp, p))                goto err;            if (!field_mul(group, rh, rh, point->X, ctx))                goto err;        } else {            if (!field_mul(group, tmp, Z4, group->a, ctx))                goto err;            if (!BN_mod_add_quick(rh, rh, tmp, p))                goto err;            if (!field_mul(group, rh, rh, point->X, ctx))                goto err;        }        /* rh := rh + b*Z^6 */        if (!field_mul(group, tmp, group->b, Z6, ctx))            goto err;        if (!BN_mod_add_quick(rh, rh, tmp, p))            goto err;    } else {        /* point->Z_is_one */        /* rh := (rh + a)*X */        if (!BN_mod_add_quick(rh, rh, group->a, p))            goto err;        if (!field_mul(group, rh, rh, point->X, ctx))            goto err;        /* rh := rh + b */        if (!BN_mod_add_quick(rh, rh, group->b, p))            goto err;    }    /* 'lh' := Y^2 */    if (!field_sqr(group, tmp, point->Y, ctx))        goto err;    ret = (0 == BN_ucmp(tmp, rh)); err:    BN_CTX_end(ctx);    BN_CTX_free(new_ctx);//.........这里部分代码省略.........

int ec_GFp_simple_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,                      BN_CTX *ctx){    int (*field_mul) (const EC_GROUP *, BIGNUM *, const BIGNUM *,                      const BIGNUM *, BN_CTX *);    int (*field_sqr) (const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);    const BIGNUM *p;    BN_CTX *new_ctx = NULL;    BIGNUM *n0, *n1, *n2, *n3;    int ret = 0;    if (EC_POINT_is_at_infinity(group, a)) {        BN_zero(r->Z);        r->Z_is_one = 0;        return 1;    }    field_mul = group->meth->field_mul;    field_sqr = group->meth->field_sqr;    p = group->field;    if (ctx == NULL) {        ctx = new_ctx = BN_CTX_new();        if (ctx == NULL)            return 0;    }    BN_CTX_start(ctx);    n0 = BN_CTX_get(ctx);    n1 = BN_CTX_get(ctx);    n2 = BN_CTX_get(ctx);    n3 = BN_CTX_get(ctx);    if (n3 == NULL)        goto err;    /*     * Note that in this function we must not read components of 'a' once we     * have written the corresponding components of 'r'. ('r' might the same     * as 'a'.)     */    /* n1 */    if (a->Z_is_one) {        if (!field_sqr(group, n0, a->X, ctx))            goto err;        if (!BN_mod_lshift1_quick(n1, n0, p))            goto err;        if (!BN_mod_add_quick(n0, n0, n1, p))            goto err;        if (!BN_mod_add_quick(n1, n0, group->a, p))            goto err;        /* n1 = 3 * X_a^2 + a_curve */    } else if (group->a_is_minus3) {        if (!field_sqr(group, n1, a->Z, ctx))            goto err;        if (!BN_mod_add_quick(n0, a->X, n1, p))            goto err;        if (!BN_mod_sub_quick(n2, a->X, n1, p))            goto err;        if (!field_mul(group, n1, n0, n2, ctx))            goto err;        if (!BN_mod_lshift1_quick(n0, n1, p))            goto err;        if (!BN_mod_add_quick(n1, n0, n1, p))            goto err;        /*-         * n1 = 3 * (X_a + Z_a^2) * (X_a - Z_a^2)         *    = 3 * X_a^2 - 3 * Z_a^4         */    } else {        if (!field_sqr(group, n0, a->X, ctx))            goto err;        if (!BN_mod_lshift1_quick(n1, n0, p))            goto err;        if (!BN_mod_add_quick(n0, n0, n1, p))            goto err;        if (!field_sqr(group, n1, a->Z, ctx))            goto err;        if (!field_sqr(group, n1, n1, ctx))            goto err;        if (!field_mul(group, n1, n1, group->a, ctx))            goto err;        if (!BN_mod_add_quick(n1, n1, n0, p))            goto err;        /* n1 = 3 * X_a^2 + a_curve * Z_a^4 */    }    /* Z_r */    if (a->Z_is_one) {        if (!BN_copy(n0, a->Y))            goto err;    } else {        if (!field_mul(group, n0, a->Y, a->Z, ctx))            goto err;    }    if (!BN_mod_lshift1_quick(r->Z, n0, p))        goto err;    r->Z_is_one = 0;    /* Z_r = 2 * Y_a * Z_a *///.........这里部分代码省略.........

//.........这里部分代码省略.........        if (!field_mul(group, n0, n0, a->Z, ctx))            goto end;        if (!field_mul(group, n4, b->Y, n0, ctx))            goto end;        /* n4 = Y_b * Z_a^3 */    }    /* n5, n6 */    if (!BN_mod_sub_quick(n5, n1, n3, p))        goto end;    if (!BN_mod_sub_quick(n6, n2, n4, p))        goto end;    /* n5 = n1 - n3 */    /* n6 = n2 - n4 */    if (BN_is_zero(n5)) {        if (BN_is_zero(n6)) {            /* a is the same point as b */            BN_CTX_end(ctx);            ret = EC_POINT_dbl(group, r, a, ctx);            ctx = NULL;            goto end;        } else {            /* a is the inverse of b */            BN_zero(r->Z);            r->Z_is_one = 0;            ret = 1;            goto end;        }    }    /* 'n7', 'n8' */    if (!BN_mod_add_quick(n1, n1, n3, p))        goto end;    if (!BN_mod_add_quick(n2, n2, n4, p))        goto end;    /* 'n7' = n1 + n3 */    /* 'n8' = n2 + n4 */    /* Z_r */    if (a->Z_is_one && b->Z_is_one) {        if (!BN_copy(r->Z, n5))            goto end;    } else {        if (a->Z_is_one) {            if (!BN_copy(n0, b->Z))                goto end;        } else if (b->Z_is_one) {            if (!BN_copy(n0, a->Z))                goto end;        } else {            if (!field_mul(group, n0, a->Z, b->Z, ctx))                goto end;        }        if (!field_mul(group, r->Z, n0, n5, ctx))            goto end;    }    r->Z_is_one = 0;    /* Z_r = Z_a * Z_b * n5 */    /* X_r */    if (!field_sqr(group, n0, n6, ctx))        goto end;    if (!field_sqr(group, n4, n5, ctx))        goto end;

/*- * Recovers the y-coordinate of r using Eq. (8) from Brier-Joye, "Weierstrass * Elliptic Curves and Side-Channel Attacks", modified to work in projective * coordinates and return r in Jacobian projective coordinates. * * X4 = two*Y1*X2*Z3*Z2*Z1; * Y4 = two*b*Z3*SQR(Z2*Z1) + Z3*(a*Z2*Z1+X1*X2)*(X1*Z2+X2*Z1) - X3*SQR(X1*Z2-X2*Z1); * Z4 = two*Y1*Z3*SQR(Z2)*Z1; * * Z4 != 0 because: *  - Z1==0 implies p is at infinity, which would have caused an early exit in *    the caller; *  - Z2==0 implies r is at infinity (handled by the BN_is_zero(r->Z) branch); *  - Z3==0 implies s is at infinity (handled by the BN_is_zero(s->Z) branch); *  - Y1==0 implies p has order 2, so either r or s are infinity and handled by *    one of the BN_is_zero(...) branches. */int ec_GFp_simple_ladder_post(const EC_GROUP *group,                              EC_POINT *r, EC_POINT *s,                              EC_POINT *p, BN_CTX *ctx){    int ret = 0;    BIGNUM *t0, *t1, *t2, *t3, *t4, *t5, *t6 = NULL;    if (BN_is_zero(r->Z))        return EC_POINT_set_to_infinity(group, r);    if (BN_is_zero(s->Z)) {        /* (X,Y,Z) -> (XZ,YZ**2,Z) */        if (!group->meth->field_mul(group, r->X, p->X, p->Z, ctx)            || !group->meth->field_sqr(group, r->Z, p->Z, ctx)            || !group->meth->field_mul(group, r->Y, p->Y, r->Z, ctx)            || !BN_copy(r->Z, p->Z)            || !EC_POINT_invert(group, r, ctx))            return 0;        return 1;    }    BN_CTX_start(ctx);    t0 = BN_CTX_get(ctx);    t1 = BN_CTX_get(ctx);    t2 = BN_CTX_get(ctx);    t3 = BN_CTX_get(ctx);    t4 = BN_CTX_get(ctx);    t5 = BN_CTX_get(ctx);    t6 = BN_CTX_get(ctx);    if (t6 == NULL        || !BN_mod_lshift1_quick(t0, p->Y, group->field)        || !group->meth->field_mul(group, t1, r->X, p->Z, ctx)        || !group->meth->field_mul(group, t2, r->Z, s->Z, ctx)        || !group->meth->field_mul(group, t2, t1, t2, ctx)        || !group->meth->field_mul(group, t3, t2, t0, ctx)        || !group->meth->field_mul(group, t2, r->Z, p->Z, ctx)        || !group->meth->field_sqr(group, t4, t2, ctx)        || !BN_mod_lshift1_quick(t5, group->b, group->field)        || !group->meth->field_mul(group, t4, t4, t5, ctx)        || !group->meth->field_mul(group, t6, t2, group->a, ctx)        || !group->meth->field_mul(group, t5, r->X, p->X, ctx)        || !BN_mod_add_quick(t5, t6, t5, group->field)        || !group->meth->field_mul(group, t6, r->Z, p->X, ctx)        || !BN_mod_add_quick(t2, t6, t1, group->field)        || !group->meth->field_mul(group, t5, t5, t2, ctx)        || !BN_mod_sub_quick(t6, t6, t1, group->field)        || !group->meth->field_sqr(group, t6, t6, ctx)        || !group->meth->field_mul(group, t6, t6, s->X, ctx)        || !BN_mod_add_quick(t4, t5, t4, group->field)        || !group->meth->field_mul(group, t4, t4, s->Z, ctx)        || !BN_mod_sub_quick(t4, t4, t6, group->field)        || !group->meth->field_sqr(group, t5, r->Z, ctx)        || !group->meth->field_mul(group, r->Z, p->Z, s->Z, ctx)        || !group->meth->field_mul(group, r->Z, t5, r->Z, ctx)        || !group->meth->field_mul(group, r->Z, r->Z, t0, ctx)        /* t3 := X, t4 := Y */        /* (X,Y,Z) -> (XZ,YZ**2,Z) */        || !group->meth->field_mul(group, r->X, t3, r->Z, ctx)        || !group->meth->field_sqr(group, t3, r->Z, ctx)        || !group->meth->field_mul(group, r->Y, t4, t3, ctx))        goto err;    ret = 1; err:    BN_CTX_end(ctx);    return ret;}

/*- * Differential addition-and-doubling using  Eq. (9) and (10) from Izu-Takagi * "A fast parallel elliptic curve multiplication resistant against side channel * attacks", as described at * https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#ladder-ladd-2002-it-4 */int ec_GFp_simple_ladder_step(const EC_GROUP *group,                              EC_POINT *r, EC_POINT *s,                              EC_POINT *p, BN_CTX *ctx){    int ret = 0;    BIGNUM *t0, *t1, *t2, *t3, *t4, *t5, *t6, *t7 = NULL;    BN_CTX_start(ctx);    t0 = BN_CTX_get(ctx);    t1 = BN_CTX_get(ctx);    t2 = BN_CTX_get(ctx);    t3 = BN_CTX_get(ctx);    t4 = BN_CTX_get(ctx);    t5 = BN_CTX_get(ctx);    t6 = BN_CTX_get(ctx);    t7 = BN_CTX_get(ctx);    if (t7 == NULL        || !group->meth->field_mul(group, t0, r->X, s->X, ctx)        || !group->meth->field_mul(group, t1, r->Z, s->Z, ctx)        || !group->meth->field_mul(group, t2, r->X, s->Z, ctx)        || !group->meth->field_mul(group, t3, r->Z, s->X, ctx)        || !group->meth->field_mul(group, t4, group->a, t1, ctx)        || !BN_mod_add_quick(t0, t0, t4, group->field)        || !BN_mod_add_quick(t4, t3, t2, group->field)        || !group->meth->field_mul(group, t0, t4, t0, ctx)        || !group->meth->field_sqr(group, t1, t1, ctx)        || !BN_mod_lshift_quick(t7, group->b, 2, group->field)        || !group->meth->field_mul(group, t1, t7, t1, ctx)        || !BN_mod_lshift1_quick(t0, t0, group->field)        || !BN_mod_add_quick(t0, t1, t0, group->field)        || !BN_mod_sub_quick(t1, t2, t3, group->field)        || !group->meth->field_sqr(group, t1, t1, ctx)        || !group->meth->field_mul(group, t3, t1, p->X, ctx)        || !group->meth->field_mul(group, t0, p->Z, t0, ctx)        /* s->X coord output */        || !BN_mod_sub_quick(s->X, t0, t3, group->field)        /* s->Z coord output */        || !group->meth->field_mul(group, s->Z, p->Z, t1, ctx)        || !group->meth->field_sqr(group, t3, r->X, ctx)        || !group->meth->field_sqr(group, t2, r->Z, ctx)        || !group->meth->field_mul(group, t4, t2, group->a, ctx)        || !BN_mod_add_quick(t5, r->X, r->Z, group->field)        || !group->meth->field_sqr(group, t5, t5, ctx)        || !BN_mod_sub_quick(t5, t5, t3, group->field)        || !BN_mod_sub_quick(t5, t5, t2, group->field)        || !BN_mod_sub_quick(t6, t3, t4, group->field)        || !group->meth->field_sqr(group, t6, t6, ctx)        || !group->meth->field_mul(group, t0, t2, t5, ctx)        || !group->meth->field_mul(group, t0, t7, t0, ctx)        /* r->X coord output */        || !BN_mod_sub_quick(r->X, t6, t0, group->field)        || !BN_mod_add_quick(t6, t3, t4, group->field)        || !group->meth->field_sqr(group, t3, t2, ctx)        || !group->meth->field_mul(group, t7, t3, t7, ctx)        || !group->meth->field_mul(group, t5, t5, t6, ctx)        || !BN_mod_lshift1_quick(t5, t5, group->field)        /* r->Z coord output */        || !BN_mod_add_quick(r->Z, t7, t5, group->field))        goto err;    ret = 1; err:    BN_CTX_end(ctx);    return ret;}

ECDSA_SIG *ECDSA_do_sign_ex(const uint8_t *digest, size_t digest_len,                            const BIGNUM *in_kinv, const BIGNUM *in_r,                            const EC_KEY *eckey) {  int ok = 0;  BIGNUM *kinv = NULL, *s, *m = NULL, *tmp = NULL;  const BIGNUM *ckinv;  BN_CTX *ctx = NULL;  const EC_GROUP *group;  ECDSA_SIG *ret;  const BIGNUM *priv_key;  if (eckey->ecdsa_meth && eckey->ecdsa_meth->sign) {    OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_NOT_IMPLEMENTED);    return NULL;  }  group = EC_KEY_get0_group(eckey);  priv_key = EC_KEY_get0_private_key(eckey);  if (group == NULL || priv_key == NULL) {    OPENSSL_PUT_ERROR(ECDSA, ERR_R_PASSED_NULL_PARAMETER);    return NULL;  }  ret = ECDSA_SIG_new();  if (!ret) {    OPENSSL_PUT_ERROR(ECDSA, ERR_R_MALLOC_FAILURE);    return NULL;  }  s = ret->s;  if ((ctx = BN_CTX_new()) == NULL ||      (tmp = BN_new()) == NULL ||      (m = BN_new()) == NULL) {    OPENSSL_PUT_ERROR(ECDSA, ERR_R_MALLOC_FAILURE);    goto err;  }  const BIGNUM *order = EC_GROUP_get0_order(group);  if (!digest_to_bn(m, digest, digest_len, order)) {    goto err;  }  for (;;) {    if (in_kinv == NULL || in_r == NULL) {      if (!ecdsa_sign_setup(eckey, ctx, &kinv, &ret->r, digest, digest_len)) {        OPENSSL_PUT_ERROR(ECDSA, ERR_R_ECDSA_LIB);        goto err;      }      ckinv = kinv;    } else {      ckinv = in_kinv;      if (BN_copy(ret->r, in_r) == NULL) {        OPENSSL_PUT_ERROR(ECDSA, ERR_R_MALLOC_FAILURE);        goto err;      }    }    if (!BN_mod_mul(tmp, priv_key, ret->r, order, ctx)) {      OPENSSL_PUT_ERROR(ECDSA, ERR_R_BN_LIB);      goto err;    }    if (!BN_mod_add_quick(s, tmp, m, order)) {      OPENSSL_PUT_ERROR(ECDSA, ERR_R_BN_LIB);      goto err;    }    if (!BN_mod_mul(s, s, ckinv, order, ctx)) {      OPENSSL_PUT_ERROR(ECDSA, ERR_R_BN_LIB);      goto err;    }    if (BN_is_zero(s)) {      // if kinv and r have been supplied by the caller      // don't to generate new kinv and r values      if (in_kinv != NULL && in_r != NULL) {        OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_NEED_NEW_SETUP_VALUES);        goto err;      }    } else {      // s != 0 => we have a valid signature      break;    }  }  ok = 1;err:  if (!ok) {    ECDSA_SIG_free(ret);    ret = NULL;  }  BN_CTX_free(ctx);  BN_clear_free(m);  BN_clear_free(tmp);  BN_clear_free(kinv);  return ret;}

static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len,                                const BIGNUM *in_kinv, const BIGNUM *in_r, EC_KEY *eckey){    int     ok = 0;    BIGNUM *kinv=NULL, *s, *m=NULL,*tmp=NULL,*order=NULL;    const BIGNUM *ckinv;    BN_CTX     *ctx = NULL;    const EC_GROUP   *group;    ECDSA_SIG  *ret;    ECDSA_DATA *ecdsa;    const BIGNUM *priv_key;    ecdsa    = ecdsa_check(eckey);    group    = EC_KEY_get0_group(eckey);    priv_key = EC_KEY_get0_private_key(eckey);    if (group == NULL || priv_key == NULL || ecdsa == NULL)    {        ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_PASSED_NULL_PARAMETER);        return NULL;    }    ret = ECDSA_SIG_new();    if (!ret)    {        ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE);        return NULL;    }    s = ret->s;    if ((ctx = BN_CTX_new()) == NULL || (order = BN_new()) == NULL ||            (tmp = BN_new()) == NULL || (m = BN_new()) == NULL)    {        ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE);        goto err;    }    if (!EC_GROUP_get_order(group, order, ctx))    {        ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_EC_LIB);        goto err;    }    if (dgst_len > BN_num_bytes(order))    {        ECDSAerr(ECDSA_F_ECDSA_DO_SIGN,                 ECDSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);        goto err;    }    if (!BN_bin2bn(dgst, dgst_len, m))    {        ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);        goto err;    }    do    {        if (in_kinv == NULL || in_r == NULL)        {            if (!ECDSA_sign_setup(eckey, ctx, &kinv, &ret->r))            {                ECDSAerr(ECDSA_F_ECDSA_DO_SIGN,ERR_R_ECDSA_LIB);                goto err;            }            ckinv = kinv;        }        else        {            ckinv  = in_kinv;            if (BN_copy(ret->r, in_r) == NULL)            {                ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE);                goto err;            }        }        if (!BN_mod_mul(tmp, priv_key, ret->r, order, ctx))        {            ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);            goto err;        }        if (!BN_mod_add_quick(s, tmp, m, order))        {            ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);            goto err;        }        if (!BN_mod_mul(s, s, ckinv, order, ctx))        {            ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);            goto err;        }    }    while (BN_is_zero(s));    ok = 1;err:    if (!ok)    {        ECDSA_SIG_free(ret);        ret = NULL;    }//.........这里部分代码省略.........

int ec_GFp_simple_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,                      BN_CTX *ctx) {  int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *,                   BN_CTX *);  int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);  const BIGNUM *p;  BN_CTX *new_ctx = NULL;  BIGNUM *n0, *n1, *n2, *n3;  int ret = 0;  if (EC_POINT_is_at_infinity(group, a)) {    BN_zero(&r->Z);    return 1;  }  field_mul = group->meth->field_mul;  field_sqr = group->meth->field_sqr;  p = &group->field;  if (ctx == NULL) {    ctx = new_ctx = BN_CTX_new();    if (ctx == NULL) {      return 0;    }  }  BN_CTX_start(ctx);  n0 = BN_CTX_get(ctx);  n1 = BN_CTX_get(ctx);  n2 = BN_CTX_get(ctx);  n3 = BN_CTX_get(ctx);  if (n3 == NULL) {    goto err;  }  /* Note that in this function we must not read components of 'a'   * once we have written the corresponding components of 'r'.   * ('r' might the same as 'a'.)   */  /* n1 */  if (BN_cmp(&a->Z, &group->one) == 0) {    if (!field_sqr(group, n0, &a->X, ctx) ||        !BN_mod_lshift1_quick(n1, n0, p) ||        !BN_mod_add_quick(n0, n0, n1, p) ||        !BN_mod_add_quick(n1, n0, &group->a, p)) {      goto err;    }    /* n1 = 3 * X_a^2 + a_curve */  } else {    /* ring: This assumes a == -3. */    if (!field_sqr(group, n1, &a->Z, ctx) ||        !BN_mod_add_quick(n0, &a->X, n1, p) ||        !BN_mod_sub_quick(n2, &a->X, n1, p) ||        !field_mul(group, n1, n0, n2, ctx) ||        !BN_mod_lshift1_quick(n0, n1, p) ||        !BN_mod_add_quick(n1, n0, n1, p)) {      goto err;    }    /* n1 = 3 * (X_a + Z_a^2) * (X_a - Z_a^2)     *    = 3 * X_a^2 - 3 * Z_a^4 */  }  /* Z_r */  if (BN_cmp(&a->Z, &group->one) == 0) {    if (!BN_copy(n0, &a->Y)) {      goto err;    }  } else if (!field_mul(group, n0, &a->Y, &a->Z, ctx)) {    goto err;  }  if (!BN_mod_lshift1_quick(&r->Z, n0, p)) {    goto err;  }  /* Z_r = 2 * Y_a * Z_a */  /* n2 */  if (!field_sqr(group, n3, &a->Y, ctx) ||      !field_mul(group, n2, &a->X, n3, ctx) ||      !BN_mod_lshift_quick(n2, n2, 2, p)) {    goto err;  }  /* n2 = 4 * X_a * Y_a^2 */  /* X_r */  if (!BN_mod_lshift1_quick(n0, n2, p) ||      !field_sqr(group, &r->X, n1, ctx) ||      !BN_mod_sub_quick(&r->X, &r->X, n0, p)) {    goto err;  }  /* X_r = n1^2 - 2 * n2 */  /* n3 */  if (!field_sqr(group, n0, n3, ctx) ||      !BN_mod_lshift_quick(n3, n0, 3, p)) {    goto err;  }  /* n3 = 8 * Y_a^4 */  /* Y_r *///.........这里部分代码省略.........

ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,                               const BIGNUM *in_kinv, const BIGNUM *in_r,                               EC_KEY *eckey){    int ok = 0, i;    BIGNUM *kinv = NULL, *s, *m = NULL, *tmp = NULL;    const BIGNUM *order, *ckinv;    BN_CTX *ctx = NULL;    const EC_GROUP *group;    ECDSA_SIG *ret;    const BIGNUM *priv_key;    group = EC_KEY_get0_group(eckey);    priv_key = EC_KEY_get0_private_key(eckey);    if (group == NULL || priv_key == NULL) {        ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_PASSED_NULL_PARAMETER);        return NULL;    }    if (!EC_KEY_can_sign(eckey)) {        ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING);        return NULL;    }    ret = ECDSA_SIG_new();    if (ret == NULL) {        ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_MALLOC_FAILURE);        return NULL;    }    ret->r = BN_new();    ret->s = BN_new();    if (ret->r == NULL || ret->s == NULL) {        ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_MALLOC_FAILURE);        goto err;    }    s = ret->s;    if ((ctx = BN_CTX_new()) == NULL ||        (tmp = BN_new()) == NULL || (m = BN_new()) == NULL) {        ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_MALLOC_FAILURE);        goto err;    }    order = EC_GROUP_get0_order(group);    if (order == NULL) {        ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_EC_LIB);        goto err;    }    i = BN_num_bits(order);    /*     * Need to truncate digest if it is too long: first truncate whole bytes.     */    if (8 * dgst_len > i)        dgst_len = (i + 7) / 8;    if (!BN_bin2bn(dgst, dgst_len, m)) {        ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);        goto err;    }    /* If still too long truncate remaining bits with a shift */    if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7))) {        ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);        goto err;    }    do {        if (in_kinv == NULL || in_r == NULL) {            if (!ecdsa_sign_setup(eckey, ctx, &kinv, &ret->r, dgst, dgst_len)) {                ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_ECDSA_LIB);                goto err;            }            ckinv = kinv;        } else {            ckinv = in_kinv;            if (BN_copy(ret->r, in_r) == NULL) {                ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_MALLOC_FAILURE);                goto err;            }        }        if (!BN_mod_mul(tmp, priv_key, ret->r, order, ctx)) {            ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);            goto err;        }        if (!BN_mod_add_quick(s, tmp, m, order)) {            ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);            goto err;        }        if (!BN_mod_mul(s, s, ckinv, order, ctx)) {            ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);            goto err;        }        if (BN_is_zero(s)) {            /*             * if kinv and r have been supplied by the caller don't to             * generate new kinv and r values             */            if (in_kinv != NULL && in_r != NULL) {                ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, EC_R_NEED_NEW_SETUP_VALUES);                goto err;            }//.........这里部分代码省略.........