自学教程：C++ BN_mod_exp函数代码示例

static EVP_PKEY *b2i_dss(const unsigned char **in, unsigned int length,						unsigned int bitlen, int ispub)	{	const unsigned char *p = *in;	EVP_PKEY *ret = NULL;	DSA *dsa = NULL;	BN_CTX *ctx = NULL;	unsigned int nbyte;	nbyte = (bitlen + 7) >> 3;	dsa = DSA_new();	ret = EVP_PKEY_new();	if (!dsa || !ret)		goto memerr;	if (!read_lebn(&p, nbyte, &dsa->p))		goto memerr;	if (!read_lebn(&p, 20, &dsa->q))		goto memerr;	if (!read_lebn(&p, nbyte, &dsa->g))		goto memerr;	if (ispub)		{		if (!read_lebn(&p, nbyte, &dsa->pub_key))			goto memerr;		}	else		{		if (!read_lebn(&p, 20, &dsa->priv_key))			goto memerr;		/* Calculate public key */		if (!(dsa->pub_key = BN_new()))			goto memerr;		if (!(ctx = BN_CTX_new()))			goto memerr;					if (!BN_mod_exp(dsa->pub_key, dsa->g,						 dsa->priv_key, dsa->p, ctx))						goto memerr;		BN_CTX_free(ctx);		}	EVP_PKEY_set1_DSA(ret, dsa);	DSA_free(dsa);	*in = p;	return ret;	memerr:	PEMerr(PEM_F_B2I_DSS, ERR_R_MALLOC_FAILURE);	if (dsa)		DSA_free(dsa);	if (ret)		EVP_PKEY_free(ret);	if (ctx)		BN_CTX_free(ctx);	return NULL;	}

void rsaEXP(BIGNUM *message , rsaKey * key){	BN_CTX * t = BN_CTX_new();	BN_mod_exp(message , message, key->exponent , key->modulo , t);		BN_CTX_free(t);}

void Person::set_keys() {  a = BN_new();  BN_rand_range(a, p);  A = BN_new();  BN_CTX *ctx = BN_CTX_new();  BN_mod_exp(A, g, a, p, ctx);  if (ctx) BN_CTX_free(ctx);}

static int dsa_builtin_keygen(DSA *dsa){    int ok = 0;    BN_CTX *ctx = NULL;    BIGNUM *pub_key = NULL, *priv_key = NULL;    if ((ctx = BN_CTX_new()) == NULL)        goto err;    if (dsa->priv_key == NULL) {        if ((priv_key = BN_secure_new()) == NULL)            goto err;    } else        priv_key = dsa->priv_key;    do        if (!BN_rand_range(priv_key, dsa->q))            goto err;    while (BN_is_zero(priv_key)) ;    if (dsa->pub_key == NULL) {        if ((pub_key = BN_new()) == NULL)            goto err;    } else        pub_key = dsa->pub_key;    {        BIGNUM *local_prk = NULL;        BIGNUM *prk;        if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {            local_prk = prk = BN_new();            if (!local_prk)                goto err;            BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);        } else            prk = priv_key;        if (!BN_mod_exp(pub_key, dsa->g, prk, dsa->p, ctx)) {            BN_free(local_prk);            goto err;        }        BN_free(local_prk);    }    dsa->priv_key = priv_key;    dsa->pub_key = pub_key;    ok = 1; err:    if (pub_key != dsa->pub_key)        BN_free(pub_key);    if (priv_key != dsa->priv_key)        BN_free(priv_key);    BN_CTX_free(ctx);    return (ok);}

static int ubsec_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,                         const BIGNUM *m, BN_CTX *ctx){    int y_len = 0;    int fd;    if (ubsec_dso == NULL) {        UBSECerr(UBSEC_F_UBSEC_MOD_EXP, UBSEC_R_NOT_LOADED);        return 0;    }    /* Check if hardware can't handle this argument. */    y_len = BN_num_bits(m);    if (y_len > max_key_len) {        UBSECerr(UBSEC_F_UBSEC_MOD_EXP, UBSEC_R_SIZE_TOO_LARGE_OR_TOO_SMALL);        return BN_mod_exp(r, a, p, m, ctx);    }    if (!bn_wexpand(r, m->top)) {        UBSECerr(UBSEC_F_UBSEC_MOD_EXP, UBSEC_R_BN_EXPAND_FAIL);        return 0;    }    if ((fd = p_UBSEC_ubsec_open(UBSEC_KEY_DEVICE_NAME)) <= 0) {        fd = 0;        UBSECerr(UBSEC_F_UBSEC_MOD_EXP, UBSEC_R_UNIT_FAILURE);        return BN_mod_exp(r, a, p, m, ctx);    }    if (p_UBSEC_rsa_mod_exp_ioctl(fd, (unsigned char *)a->d, BN_num_bits(a),                                  (unsigned char *)m->d, BN_num_bits(m),                                  (unsigned char *)p->d, BN_num_bits(p),                                  (unsigned char *)r->d, &y_len) != 0) {        UBSECerr(UBSEC_F_UBSEC_MOD_EXP, UBSEC_R_REQUEST_FAILED);        p_UBSEC_ubsec_close(fd);        return BN_mod_exp(r, a, p, m, ctx);    }    p_UBSEC_ubsec_close(fd);    r->top = (BN_num_bits(m) + BN_BITS2 - 1) / BN_BITS2;    return 1;}

int AO_vrfy(void *inner){    assert(inner!=NULL);    AOInner *self = (AOInner*)inner;        int ret;    BIGNUM *rbn;        /* e_bytes~ := H(n) */    VHash(self->n, self->bytelen_rec+self->bytelen_red, self->v_e_bytes, self->bytelen_q);    /* e~ := int(e_bytes) */    rbn = BN_bin2bn(self->v_e_bytes, self->bytelen_q, self->v_e);    assert(rbn!=NULL);    /* a~ := g^z * h^e~ */    ret = BN_mod_exp(self->gz, self->g, self->z, self->p, self->bnctx);    assert(ret==1);    ret = BN_mod_exp(self->he, self->h, self->v_e, self->p, self->bnctx);    assert(ret==1);    ret = BN_mod_mul(self->v_a, self->gz, self->he, self->p, self->bnctx);    assert(ret==1);    /* a_bytes~ := bytes(a~) */    BN2LenBin(self->v_a, self->v_am_bytes, self->bytelen_p);    /* h2m~ := H2(a_bytes~ || h1~) */    memcpy(&self->v_am_bytes[self->bytelen_p], self->n, self->bytelen_red);    VHash(self->v_am_bytes, self->bytelen_p+self->bytelen_red, self->v_mh2, self->bytelen_rec);        /* msg~ := mh2~ xor h2 */    BinXor(self->v_mh2, &self->n[self->bytelen_red], self->v_mh2, self->bytelen_rec);    /* h1~ := H1(a_bytes~||msg~) */    memcpy(&self->v_am_bytes[self->bytelen_p], self->v_mh2, self->bytelen_rec);    VHash(self->v_am_bytes, self->bytelen_p+self->bytelen_rec, self->v_h1, self->bytelen_red);    /* Check if h1~ == h1 */    ret = memcmp(self->v_h1, self->n, self->bytelen_red);    assert(ret==0);    return 0;}

/* key = (y_ * (h^(-1))^secret) ^ r */void PSPAKE_compute_key(PSPAKE_CTX *ctx){    BIGNUM *t1 = BN_new();    BIGNUM *t2 = BN_new();    BIGNUM *inv_h = BN_new();    /* inv_h = h ^ (-1) */    BN_mod_inverse(inv_h, ctx->h, ctx->q, ctx->ctx);    /* t1 = inv_h ^ secret */    BN_mod_exp(t1, inv_h, ctx->secret, ctx->q, ctx->ctx);    /* t2 = y_ * t1 */    BN_mod_mul(t2, ctx->y_, t1, ctx->q, ctx->ctx);    /* key = t2 ^ r */    ctx->key = BN_new();    BN_mod_exp(ctx->key, t2, ctx->r, ctx->q, ctx->ctx);}

/*const*/ BIGNUM *Bank::SignRequest(PublicCoinRequest &req)    {    InitCTX();    BIGNUM *BtoA=BN_new();    BN_mod_exp(BtoA,req.Request(),priv_key(),p(),m_ctx);    DumpNumber("B->A=     ",BtoA);    return BtoA;    }

int APP_CCssl_mod_exp(char* out, int out_len, char* in, int in_len,            char* mod, int mod_len, char* exp, int exp_len){  BN_CTX* ctx;  BIGNUM lmod;  BIGNUM lexp;  BIGNUM lin;  BIGNUM lout;  int rv;  char* l_out;  char* l_in;  char* l_mod;  char* l_exp;  l_out = (char*)g_malloc(out_len, 1);  l_in = (char*)g_malloc(in_len, 1);  l_mod = (char*)g_malloc(mod_len, 1);  l_exp = (char*)g_malloc(exp_len, 1);  g_memcpy(l_in, in, in_len);  g_memcpy(l_mod, mod, mod_len);  g_memcpy(l_exp, exp, exp_len);  ssl_reverse_it(l_in, in_len);  ssl_reverse_it(l_mod, mod_len);  ssl_reverse_it(l_exp, exp_len);  ctx = BN_CTX_new();  BN_init(&lmod);  BN_init(&lexp);  BN_init(&lin);  BN_init(&lout);  BN_bin2bn((tui8*)l_mod, mod_len, &lmod);  BN_bin2bn((tui8*)l_exp, exp_len, &lexp);  BN_bin2bn((tui8*)l_in, in_len, &lin);  BN_mod_exp(&lout, &lin, &lexp, &lmod, ctx);  rv = BN_bn2bin(&lout, (tui8*)l_out);  if (rv <= out_len)  {    ssl_reverse_it(l_out, rv);    g_memcpy(out, l_out, out_len);  }  else  {    rv = 0;  }  BN_free(&lin);  BN_free(&lout);  BN_free(&lexp);  BN_free(&lmod);  BN_CTX_free(ctx);  g_free(l_out);  g_free(l_in);  g_free(l_mod);  g_free(l_exp);  return rv;}

static void sendstep1_substep(JPakeStep1 * s1, const BIGNUM *x,                              const JPakeUser * us,                              const JPakeParameters * params, int n){    s1->gx = BN_new();    BN_mod_exp(s1->gx, params->g, x, params->p, params->ctx);    printf("  g^{x%d}", n);    showbn("", s1->gx);    CreateZKP(&s1->zkpx, x, us, params->g, params, n, "");}

BigNumber BigNumber::modExp(const BigNumber &bn1, const BigNumber &bn2){	BigNumber ret;	BN_CTX *bnctx;	bnctx = BN_CTX_new();	BN_mod_exp(ret.m_bn, m_bn, bn1.m_bn, bn2.m_bn, bnctx);	BN_CTX_free(bnctx);	return ret;}

static int VerifyZKP(const JPakeZKP * zkp, BIGNUM *gx,                     const JPakeUserPublic * them, const BIGNUM *zkpg,                     const JPakeParameters * params, int n,                     const char *suffix){    BIGNUM *h = BN_new();    BIGNUM *t1 = BN_new();    BIGNUM *t2 = BN_new();    BIGNUM *t3 = BN_new();    int ret = 0;    zkpHash(h, zkp, gx, them, params);    // t1 = g^b    BN_mod_exp(t1, zkpg, zkp->b, params->p, params->ctx);    // t2 = (g^x)^h = g^{hx}    BN_mod_exp(t2, gx, h, params->p, params->ctx);    // t3 = t1 * t2 = g^{hx} * g^b = g^{hx+b} = g^r (allegedly)    BN_mod_mul(t3, t1, t2, params->p, params->ctx);    printf("  ZKP(x%d%s)/n", n, suffix);    showbn("    zkpg", zkpg);    showbn("    g^r'", t3);    // verify t3 == g^r    if (BN_cmp(t3, zkp->gr) == 0)        ret = 1;    // cleanup    BN_free(t3);    BN_free(t2);    BN_free(t1);    BN_free(h);    if (ret)        puts("    OK");    else        puts("    FAIL");    return ret;}

// Check Fermat probable primality test (2-PRP): 2 ** (n-1) = 1 (mod n)// true: n is probable prime// false: n is composite; set fractional length in the nLength outputstatic bool FermatProbablePrimalityTest(const CBigNum& n, unsigned int& nLength) {   //CBigNum a = 2; // base; Fermat witness   CBigNum e = n - 1;CBigNum r;   BN_mod_exp(&r, &bnTwo, &e, &n, pctx);   if (r == 1) { return true; }   // Failed Fermat test, calculate fractional length   unsigned int nFractionalLength = (((n-r) << nFractionalBits) / n).getuint();   if (nFractionalLength >= (1 << nFractionalBits))      return error("FermatProbablePrimalityTest() : fractional assert");   nLength = (nLength & TARGET_LENGTH_MASK) | nFractionalLength;   return false;}

bool ProductEvidence_Verify(const_ProductEvidence ev, const_ProductStatement st){  const BIGNUM* g = IntegerGroup_GetG(st->group);  const BIGNUM* h = IntegerGroup_GetH(st->group);  const BIGNUM* p = IntegerGroup_GetP(st->group);  BN_CTX* ctx = IntegerGroup_GetCtx(st->group);  BIGNUM *tmp = BN_new();  // Recompute commitments  // m1' = (g^z h^w1) / A^c  BIGNUM* m1 = IntegerGroup_CascadeExponentiate(st->group, g, ev->z, h, ev->w1);  CHECK_CALL(m1);  CHECK_CALL(BN_copy(tmp, st->commit_a));  CHECK_CALL(BN_mod_exp(tmp, tmp, ev->c, p, ctx));  CHECK_CALL(BN_mod_inverse(tmp, tmp, p, ctx));  CHECK_CALL(BN_mod_mul(m1, m1, tmp, p, ctx));  // m2' = (B^z h^w2) / C^c  BIGNUM* m2 = IntegerGroup_CascadeExponentiate(st->group, st->commit_b, ev->z, h, ev->w2);  CHECK_CALL(m2);  CHECK_CALL(BN_copy(tmp, st->commit_c));  CHECK_CALL(BN_mod_exp(tmp, tmp, ev->c, p, ctx));  CHECK_CALL(BN_mod_inverse(tmp, tmp, p, ctx));  CHECK_CALL(BN_mod_mul(m2, m2, tmp, p, ctx));  BN_clear_free(tmp);  // Check challenge   // c =? H(g, h, q, p, A, B, C, m1', m2')  BIGNUM *c_prime = Commit(st, m1, m2);  BN_free(m1);  BN_free(m2);  bool retval = !BN_cmp(ev->c, c_prime);  BN_clear_free(c_prime);  return retval;}

static int crypto_rsa_common(const BYTE* input, int length, UINT32 key_length, const BYTE* modulus, const BYTE* exponent, int exponent_size, BYTE* output){	BN_CTX* ctx;	int output_length = -1;	BYTE* input_reverse;	BYTE* modulus_reverse;	BYTE* exponent_reverse;	BIGNUM mod, exp, x, y;	input_reverse = (BYTE*) malloc(2 * key_length + exponent_size);	if (!input_reverse)		return -1;	modulus_reverse = input_reverse + key_length;	exponent_reverse = modulus_reverse + key_length;	memcpy(modulus_reverse, modulus, key_length);	crypto_reverse(modulus_reverse, key_length);	memcpy(exponent_reverse, exponent, exponent_size);	crypto_reverse(exponent_reverse, exponent_size);	memcpy(input_reverse, input, length);	crypto_reverse(input_reverse, length);	ctx = BN_CTX_new();	if (!ctx)		goto out_free_input_reverse;	BN_init(&mod);	BN_init(&exp);	BN_init(&x);	BN_init(&y);	BN_bin2bn(modulus_reverse, key_length, &mod);	BN_bin2bn(exponent_reverse, exponent_size, &exp);	BN_bin2bn(input_reverse, length, &x);	BN_mod_exp(&y, &x, &exp, &mod, ctx);	output_length = BN_bn2bin(&y, output);	crypto_reverse(output, output_length);	if (output_length < (int) key_length)		memset(output + output_length, 0, key_length - output_length);	BN_free(&y);	BN_clear_free(&x);	BN_free(&exp);	BN_free(&mod);	BN_CTX_free(ctx);out_free_input_reverse:	free(input_reverse);	return output_length;}

/* * Computes signature and returns it as DSA_SIG structure */DSA_SIG *gost_do_sign (const unsigned char *dgst, int dlen, DSA * dsa){    BIGNUM *k = NULL, *tmp = NULL, *tmp2 = NULL;    DSA_SIG *newsig = DSA_SIG_new ();    BIGNUM *md = hashsum2bn (dgst);    /* check if H(M) mod q is zero */    BN_CTX *ctx = BN_CTX_new ();    BN_CTX_start (ctx);    if (!newsig)    {        GOSTerr (GOST_F_GOST_DO_SIGN, GOST_R_NO_MEMORY);        goto err;    }    tmp = BN_CTX_get (ctx);    k = BN_CTX_get (ctx);    tmp2 = BN_CTX_get (ctx);    BN_mod (tmp, md, dsa->q, ctx);    if (BN_is_zero (tmp))    {        BN_one (md);    }    do    {        do        {            /*Generate random number k less than q */            BN_rand_range (k, dsa->q);            /* generate r = (a^x mod p) mod q */            BN_mod_exp (tmp, dsa->g, k, dsa->p, ctx);            if (!(newsig->r))                newsig->r = BN_new ();            BN_mod (newsig->r, tmp, dsa->q, ctx);        }        while (BN_is_zero (newsig->r));        /* generate s = (xr + k(Hm)) mod q */        BN_mod_mul (tmp, dsa->priv_key, newsig->r, dsa->q, ctx);        BN_mod_mul (tmp2, k, md, dsa->q, ctx);        if (!newsig->s)            newsig->s = BN_new ();        BN_mod_add (newsig->s, tmp, tmp2, dsa->q, ctx);    }    while (BN_is_zero (newsig->s));  err:    BN_free (md);    BN_CTX_end (ctx);    BN_CTX_free (ctx);    return newsig;}

// Prove knowledge of x// Note that we don't send g^x because, as it happens, we've always// sent it elsewhere. Also note that because of that, we could avoid// calculating it here, but we don't, for clarity...static void CreateZKP(JPakeZKP * zkp, const BIGNUM *x, const JPakeUser * us,                      const BIGNUM *zkpg, const JPakeParameters * params,                      int n, const char *suffix){    BIGNUM *r = BN_new();    BIGNUM *gx = BN_new();    BIGNUM *h = BN_new();    BIGNUM *t = BN_new();    // r in [0,q)    // XXX: Java chooses r in [0, 2^160) - i.e. distribution not uniform    BN_rand_range(r, params->q);    // g^r    zkp->gr = BN_new();    BN_mod_exp(zkp->gr, zkpg, r, params->p, params->ctx);    // g^x    BN_mod_exp(gx, zkpg, x, params->p, params->ctx);    // h=hash...    zkpHash(h, zkp, gx, &us->p, params);    // b = r - x*h    BN_mod_mul(t, x, h, params->q, params->ctx);    zkp->b = BN_new();    BN_mod_sub(zkp->b, r, t, params->q, params->ctx);    // show    printf("  ZKP(x%d%s)/n", n, suffix);    showbn("   zkpg", zkpg);    showbn("    g^x", gx);    showbn("    g^r", zkp->gr);    showbn("      b", zkp->b);    // cleanup    BN_free(t);    BN_free(h);    BN_free(gx);    BN_free(r);}

void meteor_user_generate_kgx(SRPUser *usr,                              BN_CTX *ctx,                              BIGNUM *x,                              BIGNUM *k,                              BIGNUM **kgx) {    BN_CTX *lctx = BN_CTX_new();    BIGNUM *inner_kgx = BN_new();    BN_mod_exp(inner_kgx, usr->ng->g, x, usr->ng->N, lctx);    BN_mul(*kgx, inner_kgx, k, lctx);        BN_free(inner_kgx);    BN_CTX_free(lctx);}

BIGNUM *SRP_Calc_client_key(BIGNUM *N, BIGNUM *B, BIGNUM *g, BIGNUM *x,                            BIGNUM *a, BIGNUM *u){    BIGNUM *tmp = NULL, *tmp2 = NULL, *tmp3 = NULL, *k = NULL, *K = NULL;    BN_CTX *bn_ctx;    if (u == NULL || B == NULL || N == NULL || g == NULL || x == NULL        || a == NULL || (bn_ctx = BN_CTX_new()) == NULL)        return NULL;    if ((tmp = BN_new()) == NULL ||        (tmp2 = BN_new()) == NULL ||        (tmp3 = BN_new()) == NULL ||        (K = BN_new()) == NULL)        goto err;    if (!BN_mod_exp(tmp, g, x, N, bn_ctx))        goto err;    if ((k = srp_Calc_k(N, g)) == NULL)        goto err;    if (!BN_mod_mul(tmp2, tmp, k, N, bn_ctx))        goto err;    if (!BN_mod_sub(tmp, B, tmp2, N, bn_ctx))        goto err;    if (!BN_mod_mul(tmp3, u, x, N, bn_ctx))        goto err;    if (!BN_mod_add(tmp2, a, tmp3, N, bn_ctx))        goto err;    if (!BN_mod_exp(K, tmp, tmp2, N, bn_ctx))        goto err; err:    BN_CTX_free(bn_ctx);    BN_clear_free(tmp);    BN_clear_free(tmp2);    BN_clear_free(tmp3);    BN_free(k);    return K;}

/* pollard p-1, algorithm from Jim Gillogly, May 2000 */static voidpollard_pminus1(BIGNUM *val){	BIGNUM *base, *rbase, *num, *i, *x;	base = BN_new();	rbase = BN_new();	num = BN_new();	i = BN_new();	x = BN_new();	BN_set_word(rbase, 1);newbase:	if (!BN_add_word(rbase, 1))		errx(1, "error in BN_add_word()");	BN_set_word(i, 2);	BN_copy(base, rbase);	for (;;) {		BN_mod_exp(base, base, i, val, ctx);		if (BN_is_one(base))			goto newbase;		BN_copy(x, base);		BN_sub_word(x, 1);		if (!BN_gcd(x, x, val, ctx))			errx(1, "error in BN_gcd()");		if (!BN_is_one(x)) {			if (BN_is_prime(x, PRIME_CHECKS, NULL, NULL,			    NULL) == 1)				pr_print(x);			else				pollard_pminus1(x);			fflush(stdout);			BN_div(num, NULL, val, x, ctx);			if (BN_is_one(num))				return;			if (BN_is_prime(num, PRIME_CHECKS, NULL, NULL,			    NULL) == 1) {				pr_print(num);				fflush(stdout);				return;			}			BN_copy(val, num);		}		if (!BN_add_word(i, 1))			errx(1, "error in BN_add_word()");	}}

static void sendstep2(const JPakeUser * us, JPakeUserPublic * them,                      const JPakeParameters * params){    BIGNUM *t1 = BN_new();    BIGNUM *t2 = BN_new();    printf("/n%s sends %s:/n/n", us->p.name, them->name);    // X = g^{(xa + xc + xd) * xb * s}    // t1 = g^xa    BN_mod_exp(t1, params->g, us->xa, params->p, params->ctx);    // t2 = t1 * g^{xc} = g^{xa} * g^{xc} = g^{xa + xc}    BN_mod_mul(t2, t1, us->p.s1c.gx, params->p, params->ctx);    // t1 = t2 * g^{xd} = g^{xa + xc + xd}    BN_mod_mul(t1, t2, us->p.s1d.gx, params->p, params->ctx);    // t2 = xb * s    BN_mod_mul(t2, us->xb, us->secret, params->q, params->ctx);    // X = t1^{t2} = t1^{xb * s} = g^{(xa + xc + xd) * xb * s}    them->s2.X = BN_new();    BN_mod_exp(them->s2.X, t1, t2, params->p, params->ctx);    // Show    printf("  g^{(x%d + x%d + x%d) * x%d * s)", us->p.base, them->base,           them->base + 1, us->p.base + 1);    showbn("", them->s2.X);    // ZKP(xb * s)    // XXX: this is kinda funky, because we're using    //    // g' = g^{xa + xc + xd}    //    // as the generator, which means X is g'^{xb * s}    CreateZKP(&them->s2.zkpxbs, t2, us, t1, params, us->p.base + 1, " * s");    // cleanup    BN_free(t1);    BN_free(t2);}

intpgp_elgamal_decrypt(PGP_PubKey * pk, PGP_MPI * _c1, PGP_MPI * _c2,					PGP_MPI ** msg_p){	int			res = PXE_PGP_MATH_FAILED;	BIGNUM	   *c1 = mpi_to_bn(_c1);	BIGNUM	   *c2 = mpi_to_bn(_c2);	BIGNUM	   *p = mpi_to_bn(pk->pub.elg.p);	BIGNUM	   *x = mpi_to_bn(pk->sec.elg.x);	BIGNUM	   *c1x = BN_new();	BIGNUM	   *div = BN_new();	BIGNUM	   *m = BN_new();	BN_CTX	   *tmp = BN_CTX_new();	if (!c1 || !c2 || !p || !x || !c1x || !div || !m || !tmp)		goto err;	/*	 * m = c2 / (c1^x)	 */	if (!BN_mod_exp(c1x, c1, x, p, tmp))		goto err;	if (!BN_mod_inverse(div, c1x, p, tmp))		goto err;	if (!BN_mod_mul(m, c2, div, p, tmp))		goto err;	/* result */	*msg_p = bn_to_mpi(m);	if (*msg_p)		res = 0;err:	if (tmp)		BN_CTX_free(tmp);	if (m)		BN_clear_free(m);	if (div)		BN_clear_free(div);	if (c1x)		BN_clear_free(c1x);	if (x)		BN_clear_free(x);	if (p)		BN_clear_free(p);	if (c2)		BN_clear_free(c2);	if (c1)		BN_clear_free(c1);	return res;}

int test_mod_exp(BIO *bp, BN_CTX *ctx)	{	BIGNUM *a,*b,*c,*d,*e;	int i;	a=BN_new();	b=BN_new();	c=BN_new();	d=BN_new();	e=BN_new();	BN_bntest_rand(c,30,0,1); /* must be odd for montgomery */	for (i=0; i<num2; i++)		{		BN_bntest_rand(a,20+i*5,0,0); /**/		BN_bntest_rand(b,2+i,0,0); /**/		if (!BN_mod_exp(d,a,b,c,ctx))			return(00);		if (bp != NULL)			{			if (!results)				{				BN_print(bp,a);				BIO_puts(bp," ^ ");				BN_print(bp,b);				BIO_puts(bp," % ");				BN_print(bp,c);				BIO_puts(bp," - ");				}			BN_print(bp,d);			BIO_puts(bp,"/n");			}		BN_exp(e,a,b,ctx);		BN_sub(e,e,d);		BN_div(a,b,e,c,ctx);		if(!BN_is_zero(b))		    {		    fprintf(stderr,"Modulo exponentiation test failed!/n");		    return 0;		    }		}	BN_free(a);	BN_free(b);	BN_free(c);	BN_free(d);	BN_free(e);	return(1);	}

int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret) {  *ret = 0;  BN_CTX *ctx = BN_CTX_new();  if (ctx == NULL) {    return 0;  }  BN_CTX_start(ctx);  int ok = 0;  /* Check |pub_key| is greater than 1. */  BIGNUM *tmp = BN_CTX_get(ctx);  if (tmp == NULL ||      !BN_set_word(tmp, 1)) {    goto err;  }  if (BN_cmp(pub_key, tmp) <= 0) {    *ret |= DH_CHECK_PUBKEY_TOO_SMALL;  }  /* Check |pub_key| is less than |dh->p| - 1. */  if (!BN_copy(tmp, dh->p) ||      !BN_sub_word(tmp, 1)) {    goto err;  }  if (BN_cmp(pub_key, tmp) >= 0) {    *ret |= DH_CHECK_PUBKEY_TOO_LARGE;  }  if (dh->q != NULL) {    /* Check |pub_key|^|dh->q| is 1 mod |dh->p|. This is necessary for RFC 5114     * groups which are not safe primes but pick a generator on a prime-order     * subgroup of size |dh->q|. */    if (!BN_mod_exp(tmp, pub_key, dh->q, dh->p, ctx)) {      goto err;    }    if (!BN_is_one(tmp)) {      *ret |= DH_CHECK_PUBKEY_INVALID;    }  }  ok = 1;err:  BN_CTX_end(ctx);  BN_CTX_free(ctx);  return ok;}

/* g^x is a legal value */static int is_legal(const BIGNUM *gx, const JPAKE_CTX *ctx)    {    BIGNUM *t;    int res;        if(BN_is_negative(gx) || BN_is_zero(gx) || BN_cmp(gx, ctx->p.p) >= 0)	return 0;    t = BN_new();    BN_mod_exp(t, gx, ctx->p.q, ctx->p.p, ctx->ctx);    res = BN_is_one(t);    BN_free(t);    return res;    }

/* * Computes public keys for GOST R 34.10-94 algorithm * */int gost94_compute_public(DSA *dsa)	{	/* Now fill algorithm parameters with correct values */	BN_CTX *ctx = BN_CTX_new();	if (!dsa->g)		{		GOSTerr(GOST_F_GOST94_COMPUTE_PUBLIC,GOST_R_KEY_IS_NOT_INITALIZED);		return 0;		}		/* Compute public key  y = a^x mod p */	dsa->pub_key=BN_new();	BN_mod_exp(dsa->pub_key, dsa->g,dsa->priv_key,dsa->p,ctx);	BN_CTX_free(ctx);	return 1;	}

BIGNUM *SRP_Calc_A(BIGNUM *a, BIGNUM *N, BIGNUM *g){    BN_CTX *bn_ctx;    BIGNUM *A = NULL;    if (a == NULL || N == NULL || g == NULL || (bn_ctx = BN_CTX_new()) == NULL)        return NULL;    if ((A = BN_new()) != NULL && !BN_mod_exp(A, g, a, N, bn_ctx)) {        BN_free(A);        A = NULL;    }    BN_CTX_free(bn_ctx);    return A;}

/*  Operates in-place, the result is stored over m */void rsa_encrypt(BIGNUM* m, const BIGNUM* e, const BIGNUM* n) {  BIGNUM* tmp;  BN_CTX *ctx;  assert(BN_cmp(m, n) < 0); /* assert m < n */  ctx = BN_CTX_new();  tmp = BN_new();  BN_copy(tmp, m);  /* tmp = m */  BN_mod_exp(m, tmp, e, n, ctx); /* m = tmp ^ e (mod n) */  BN_free(tmp);  BN_CTX_free(ctx);}

/* encrypts (or decrypts) with private key, not sensitive to   timing attacks (blind encryption)*/void rsa_encrypt_secure(BIGNUM* m, const BIGNUM* d,                        const BIGNUM* e, const BIGNUM* n,                        const unsigned char * r_bin, int r_len) {  BN_CTX *ctx;  BIGNUM *tmp = BN_new();  BIGNUM *r = BN_new();  BIGNUM *r_inv = BN_new();  ctx = BN_CTX_new();  BN_bin2bn(r_bin, r_len, r);  BN_mod(r, r, n, ctx); /* r = r % n */  /*  printf(" r input: ");BN_print_fp(stdout, r);  printf(" n: ");BN_print_fp(stdout, n);  printf("/n");  */  BN_mod(tmp, n, r, ctx);  /*printf("r=");BN_print_fp(stdout, r); printf("; tmp=");BN_print_fp(stdout, tmp);*/  while (BN_is_zero(tmp)) { /*  */    BN_mod_add(r, r, BN_value_one(), n, ctx);    BN_mod(tmp, n, r, ctx);    /*printf("r=");BN_print_fp(stdout, r); printf("; tmp=");BN_print_fp(stdout, tmp);*/  }  /*printf("/n");*/  BN_mod_inverse(r_inv, r, n, ctx);  /*  printf(" r = ");BN_print_fp(stdout, r);  printf(" r_inv = ");BN_print_fp(stdout, r_inv);  printf(" n = ");BN_print_fp(stdout, n);  printf("/n");  */  BN_mod_exp(r, r, e, n, ctx);  /* r = r^e % n */  BN_mod_mul(m, m, r, n, ctx);  /* m = m * r % n */  rsa_encrypt(m, d, n);  BN_mod_mul(m, m, r_inv, n, ctx);  BN_free(r);  BN_free(r_inv);  BN_free(tmp);  BN_CTX_free(ctx);}