自学教程：C++ CHECK_MPI_OK函数代码示例

/*** An attack against RSA CRT was described by Boneh, DeMillo, and Lipton in:** "On the Importance of Eliminating Errors in Cryptographic Computations",** http://theory.stanford.edu/~dabo/papers/faults.ps.gz**** As a defense against the attack, carry out the private key operation, ** followed up with a public key operation to invert the result.  ** Verify that result against the input.*/static SECStatus rsa_PrivateKeyOpCRTCheckedPubKey(RSAPrivateKey *key, mp_int *m, mp_int *c){    mp_int n, e, v;    mp_err   err = MP_OKAY;    SECStatus rv = SECSuccess;    MP_DIGITS(&n) = 0;    MP_DIGITS(&e) = 0;    MP_DIGITS(&v) = 0;    CHECK_MPI_OK( mp_init(&n) );    CHECK_MPI_OK( mp_init(&e) );    CHECK_MPI_OK( mp_init(&v) );    CHECK_SEC_OK( rsa_PrivateKeyOpCRTNoCheck(key, m, c) );    SECITEM_TO_MPINT(key->modulus,        &n);    SECITEM_TO_MPINT(key->publicExponent, &e);    /* Perform a public key operation v = m ** e mod n */    CHECK_MPI_OK( mp_exptmod(m, &e, &n, &v) );    if (mp_cmp(&v, c) != 0) {	rv = SECFailure;    }cleanup:    mp_clear(&n);    mp_clear(&e);    mp_clear(&v);    if (err) {	MP_TO_SEC_ERROR(err);	rv = SECFailure;    }    return rv;}

/* Generate a random private key using the algorithm A.4.1 of ANSI X9.62, * modified a la FIPS 186-2 Change Notice 1 to eliminate the bias in the * random number generator. * * Parameters * - order: a buffer that holds the curve's group order * - len: the length in octets of the order buffer * - random: a buffer of 2 * len random bytes * - randomlen: the length in octets of the random buffer * * Return Value * Returns a buffer of len octets that holds the private key. The caller * is responsible for freeing the buffer with PORT_ZFree. */static unsigned char *ec_GenerateRandomPrivateKey(const unsigned char *order, int len,    const unsigned char *random, int randomlen, int kmflag){    SECStatus rv = SECSuccess;    mp_err err;    unsigned char *privKeyBytes = NULL;    mp_int privKeyVal, order_1, one;    MP_DIGITS(&privKeyVal) = 0;    MP_DIGITS(&order_1) = 0;    MP_DIGITS(&one) = 0;    CHECK_MPI_OK( mp_init(&privKeyVal, kmflag) );    CHECK_MPI_OK( mp_init(&order_1, kmflag) );    CHECK_MPI_OK( mp_init(&one, kmflag) );    /*     * Reduces the 2*len buffer of random bytes modulo the group order.     */    if ((privKeyBytes = PORT_Alloc(2*len, kmflag)) == NULL) goto cleanup;    if (randomlen != 2 * len) {        randomlen = 2 * len;    }    /* No need to generate - random bytes are now supplied */    /* CHECK_SEC_OK( RNG_GenerateGlobalRandomBytes(privKeyBytes, 2*len) );*/    memcpy(privKeyBytes, random, randomlen);    CHECK_MPI_OK( mp_read_unsigned_octets(&privKeyVal, privKeyBytes, 2*len) );    CHECK_MPI_OK( mp_read_unsigned_octets(&order_1, order, len) );    CHECK_MPI_OK( mp_set_int(&one, 1) );    CHECK_MPI_OK( mp_sub(&order_1, &one, &order_1) );    CHECK_MPI_OK( mp_mod(&privKeyVal, &order_1, &privKeyVal) );    CHECK_MPI_OK( mp_add(&privKeyVal, &one, &privKeyVal) );    CHECK_MPI_OK( mp_to_fixlen_octets(&privKeyVal, privKeyBytes, len) );    memset(privKeyBytes+len, 0, len);cleanup:    mp_clear(&privKeyVal);    mp_clear(&order_1);    mp_clear(&one);    if (err < MP_OKAY) {        MP_TO_SEC_ERROR(err);        rv = SECFailure;    }    if (rv != SECSuccess && privKeyBytes) {#ifdef _KERNEL        kmem_free(privKeyBytes, 2*len);#else        free(privKeyBytes);#endif        privKeyBytes = NULL;    }    return privKeyBytes;}

static SECStatusgenerate_prime(mp_int *prime, int primeLen){    mp_err   err = MP_OKAY;    SECStatus rv = SECSuccess;    unsigned long counter = 0;    int piter;    unsigned char *pb = NULL;    pb = PORT_Alloc(primeLen);    if (!pb) {	PORT_SetError(SEC_ERROR_NO_MEMORY);	goto cleanup;    }    for (piter = 0; piter < MAX_PRIME_GEN_ATTEMPTS; piter++) {	CHECK_SEC_OK( RNG_GenerateGlobalRandomBytes(pb, primeLen) );	pb[0]          |= 0xC0; /* set two high-order bits */	pb[primeLen-1] |= 0x01; /* set low-order bit       */	CHECK_MPI_OK( mp_read_unsigned_octets(prime, pb, primeLen) );	err = mpp_make_prime(prime, primeLen * 8, PR_FALSE, &counter);	if (err != MP_NO)	    goto cleanup;	/* keep going while err == MP_NO */    }cleanup:    if (pb)	PORT_ZFree(pb, primeLen);    if (err) {	MP_TO_SEC_ERROR(err);	rv = SECFailure;    }    return rv;}

/* Generate a random private key using the algorithm A.4.1 of ANSI X9.62, * modified a la FIPS 186-2 Change Notice 1 to eliminate the bias in the * random number generator. * * Parameters * - order: a buffer that holds the curve's group order * - len: the length in octets of the order buffer * * Return Value * Returns a buffer of len octets that holds the private key. The caller * is responsible for freeing the buffer with PORT_ZFree. */static unsigned char *ec_GenerateRandomPrivateKey(const unsigned char *order, int len, int kmflag){    SECStatus rv = SECSuccess;    mp_err err;    unsigned char *privKeyBytes = NULL;    mp_int privKeyVal, order_1, one;    MP_DIGITS(&privKeyVal) = 0;    MP_DIGITS(&order_1) = 0;    MP_DIGITS(&one) = 0;    CHECK_MPI_OK( mp_init(&privKeyVal) );    CHECK_MPI_OK( mp_init(&order_1) );    CHECK_MPI_OK( mp_init(&one) );    /* Generates 2*len random bytes using the global random bit generator     * (which implements Algorithm 1 of FIPS 186-2 Change Notice 1) then     * reduces modulo the group order.     */    if ((privKeyBytes = PORT_Alloc(2*len, kmflag)) == NULL) goto cleanup;    CHECK_SEC_OK( RNG_GenerateGlobalRandomBytes(privKeyBytes, 2*len) );    CHECK_MPI_OK( mp_read_unsigned_octets(&privKeyVal, privKeyBytes, 2*len) );    CHECK_MPI_OK( mp_read_unsigned_octets(&order_1, order, len) );    CHECK_MPI_OK( mp_set_int(&one, 1) );    CHECK_MPI_OK( mp_sub(&order_1, &one, &order_1) );    CHECK_MPI_OK( mp_mod(&privKeyVal, &order_1, &privKeyVal) );    CHECK_MPI_OK( mp_add(&privKeyVal, &one, &privKeyVal) );    CHECK_MPI_OK( mp_to_fixlen_octets(&privKeyVal, privKeyBytes, len) );    memset(privKeyBytes+len, 0, len);cleanup:    mp_clear(&privKeyVal);    mp_clear(&order_1);    mp_clear(&one);    if (err < MP_OKAY) {	MP_TO_SEC_ERROR(err);	rv = SECFailure;    }    if (rv != SECSuccess && privKeyBytes) {#ifdef _KERNEL	kmem_free(privKeyBytes, 2*len);#else	free(privKeyBytes);#endif	privKeyBytes = NULL;    }    return privKeyBytes;}

/***  RSA Private key operation (no CRT).*/static SECStatus rsa_PrivateKeyOpNoCRT(RSAPrivateKey *key, mp_int *m, mp_int *c, mp_int *n,                      unsigned int modLen){    mp_int d;    mp_err   err = MP_OKAY;    SECStatus rv = SECSuccess;    MP_DIGITS(&d) = 0;    CHECK_MPI_OK( mp_init(&d) );    SECITEM_TO_MPINT(key->privateExponent, &d);    /* 1. m = c**d mod n */    CHECK_MPI_OK( mp_exptmod(c, &d, n, m) );cleanup:    mp_clear(&d);    if (err) {	MP_TO_SEC_ERROR(err);	rv = SECFailure;    }    return rv;}

static SECStatusinit_blinding_params(struct RSABlindingParamsStr *rsabp, RSAPrivateKey *key,                     mp_int *n, unsigned int modLen){    SECStatus rv = SECSuccess;    mp_err err = MP_OKAY;    MP_DIGITS(&rsabp->f) = 0;    MP_DIGITS(&rsabp->g) = 0;    /* initialize blinding parameters */    CHECK_MPI_OK( mp_init(&rsabp->f) );    CHECK_MPI_OK( mp_init(&rsabp->g) );    /* List elements are keyed using the modulus */    SECITEM_CopyItem(NULL, &rsabp->modulus, &key->modulus);    CHECK_SEC_OK( generate_blinding_params(rsabp, key, n, modLen) );    return SECSuccess;cleanup:    mp_clear(&rsabp->f);    mp_clear(&rsabp->g);    if (err) {	MP_TO_SEC_ERROR(err);	rv = SECFailure;    }    return rv;}

PRBool KEA_Verify(SECItem *Y, SECItem *prime, SECItem *subPrime){    mp_int p, q, y, r;    mp_err err;    int cmp = 1;  /* default is false */    if (!Y || !prime || !subPrime) {	PORT_SetError(SEC_ERROR_INVALID_ARGS);	return SECFailure;    }    MP_DIGITS(&p) = 0;    MP_DIGITS(&q) = 0;    MP_DIGITS(&y) = 0;    MP_DIGITS(&r) = 0;    CHECK_MPI_OK( mp_init(&p) );    CHECK_MPI_OK( mp_init(&q) );    CHECK_MPI_OK( mp_init(&y) );    CHECK_MPI_OK( mp_init(&r) );    SECITEM_TO_MPINT(*prime,    &p);    SECITEM_TO_MPINT(*subPrime, &q);    SECITEM_TO_MPINT(*Y,        &y);    /* compute r = y**q mod p */    CHECK_MPI_OK( mp_exptmod(&y, &q, &p, &r) );    /* compare to 1 */    cmp = mp_cmp_d(&r, 1);cleanup:    mp_clear(&p);    mp_clear(&q);    mp_clear(&y);    mp_clear(&r);    if (err) {	MP_TO_SEC_ERROR(err);	return PR_FALSE;    }    return (cmp == 0) ? PR_TRUE : PR_FALSE;}

/* * FIPS 186-2 requires result from random output to be reduced mod q when  * generating random numbers for DSA.  * * Input: w, 2*qLen bytes *        q, qLen bytes * Output: xj, qLen bytes */static SECStatusfips186Change_ReduceModQForDSA(const PRUint8 *w, const PRUint8 *q,                               unsigned int qLen, PRUint8 * xj){    mp_int W, Q, Xj;    mp_err err;    SECStatus rv = SECSuccess;    /* Initialize MPI integers. */    MP_DIGITS(&W) = 0;    MP_DIGITS(&Q) = 0;    MP_DIGITS(&Xj) = 0;    CHECK_MPI_OK( mp_init(&W) );    CHECK_MPI_OK( mp_init(&Q) );    CHECK_MPI_OK( mp_init(&Xj) );    /*     * Convert input arguments into MPI integers.     */    CHECK_MPI_OK( mp_read_unsigned_octets(&W, w, 2*qLen) );    CHECK_MPI_OK( mp_read_unsigned_octets(&Q, q, qLen) );    /*     * Algorithm 1 of FIPS 186-2 Change Notice 1, Step 3.3     *     * xj = (w0 || w1) mod q     */    CHECK_MPI_OK( mp_mod(&W, &Q, &Xj) );    CHECK_MPI_OK( mp_to_fixlen_octets(&Xj, xj, qLen) );cleanup:    mp_clear(&W);    mp_clear(&Q);    mp_clear(&Xj);    if (err) {	MP_TO_SEC_ERROR(err);	rv = SECFailure;    }    return rv;}

static SECStatusgenerate_blinding_params(struct RSABlindingParamsStr *rsabp,                          RSAPrivateKey *key, mp_int *n, unsigned int modLen){    SECStatus rv = SECSuccess;    mp_int e, k;    mp_err err = MP_OKAY;    unsigned char *kb = NULL;    MP_DIGITS(&e) = 0;    MP_DIGITS(&k) = 0;    CHECK_MPI_OK( mp_init(&e) );    CHECK_MPI_OK( mp_init(&k) );    SECITEM_TO_MPINT(key->publicExponent, &e);    /* generate random k < n */    kb = PORT_Alloc(modLen);    if (!kb) {	PORT_SetError(SEC_ERROR_NO_MEMORY);	goto cleanup;    }    CHECK_SEC_OK( RNG_GenerateGlobalRandomBytes(kb, modLen) );    CHECK_MPI_OK( mp_read_unsigned_octets(&k, kb, modLen) );    /* k < n */    CHECK_MPI_OK( mp_mod(&k, n, &k) );    /* f = k**e mod n */    CHECK_MPI_OK( mp_exptmod(&k, &e, n, &rsabp->f) );    /* g = k**-1 mod n */    CHECK_MPI_OK( mp_invmod(&k, n, &rsabp->g) );    /* Initialize the counter for this (f, g) */    rsabp->counter = RSA_BLINDING_PARAMS_MAX_REUSE;cleanup:    if (kb)	PORT_ZFree(kb, modLen);    mp_clear(&k);    mp_clear(&e);    if (err) {	MP_TO_SEC_ERROR(err);	rv = SECFailure;    }    return rv;}

static SECStatusgenerate_blinding_params(RSAPrivateKey *key, mp_int* f, mp_int* g, mp_int *n,                          unsigned int modLen){    SECStatus rv = SECSuccess;    mp_int e, k;    mp_err err = MP_OKAY;    unsigned char *kb = NULL;    MP_DIGITS(&e) = 0;    MP_DIGITS(&k) = 0;    CHECK_MPI_OK( mp_init(&e) );    CHECK_MPI_OK( mp_init(&k) );    SECITEM_TO_MPINT(key->publicExponent, &e);    /* generate random k < n */    kb = PORT_Alloc(modLen);    if (!kb) {	PORT_SetError(SEC_ERROR_NO_MEMORY);	goto cleanup;    }    CHECK_SEC_OK( RNG_GenerateGlobalRandomBytes(kb, modLen) );    CHECK_MPI_OK( mp_read_unsigned_octets(&k, kb, modLen) );    /* k < n */    CHECK_MPI_OK( mp_mod(&k, n, &k) );    /* f = k**e mod n */    CHECK_MPI_OK( mp_exptmod(&k, &e, n, f) );    /* g = k**-1 mod n */    CHECK_MPI_OK( mp_invmod(&k, n, g) );cleanup:    if (kb)	PORT_ZFree(kb, modLen);    mp_clear(&k);    mp_clear(&e);    if (err) {	MP_TO_SEC_ERROR(err);	rv = SECFailure;    }    return rv;}

SECStatus DH_GenParam(int primeLen, DHParams **params){    PLArenaPool *arena;    DHParams *dhparams;    unsigned char *pb = NULL;    unsigned char *ab = NULL;    unsigned long counter = 0;    mp_int p, q, a, h, psub1, test;    mp_err err = MP_OKAY;    SECStatus rv = SECSuccess;    if (!params || primeLen < 0) {	PORT_SetError(SEC_ERROR_INVALID_ARGS);	return SECFailure;    }    arena = PORT_NewArena(NSS_FREEBL_DEFAULT_CHUNKSIZE);    if (!arena) {	PORT_SetError(SEC_ERROR_NO_MEMORY);	return SECFailure;    }    dhparams = (DHParams *)PORT_ArenaZAlloc(arena, sizeof(DHParams));    if (!dhparams) {	PORT_SetError(SEC_ERROR_NO_MEMORY);	PORT_FreeArena(arena, PR_TRUE);	return SECFailure;    }    dhparams->arena = arena;    MP_DIGITS(&p) = 0;    MP_DIGITS(&q) = 0;    MP_DIGITS(&a) = 0;    MP_DIGITS(&h) = 0;    MP_DIGITS(&psub1) = 0;    MP_DIGITS(&test) = 0;    CHECK_MPI_OK( mp_init(&p) );    CHECK_MPI_OK( mp_init(&q) );    CHECK_MPI_OK( mp_init(&a) );    CHECK_MPI_OK( mp_init(&h) );    CHECK_MPI_OK( mp_init(&psub1) );    CHECK_MPI_OK( mp_init(&test) );    /* generate prime with MPI, uses Miller-Rabin to generate strong prime. */    pb = PORT_Alloc(primeLen);    CHECK_SEC_OK( RNG_GenerateGlobalRandomBytes(pb, primeLen) );    pb[0]          |= 0x80; /* set high-order bit */    pb[primeLen-1] |= 0x01; /* set low-order bit  */    CHECK_MPI_OK( mp_read_unsigned_octets(&p, pb, primeLen) );    CHECK_MPI_OK( mpp_make_prime(&p, primeLen * 8, PR_TRUE, &counter) );    /* construct Sophie-Germain prime q = (p-1)/2. */    CHECK_MPI_OK( mp_sub_d(&p, 1, &psub1) );    CHECK_MPI_OK( mp_div_2(&psub1, &q)    );    /* construct a generator from the prime. */    ab = PORT_Alloc(primeLen);    /* generate a candidate number a in p's field */    CHECK_SEC_OK( RNG_GenerateGlobalRandomBytes(ab, primeLen) );    CHECK_MPI_OK( mp_read_unsigned_octets(&a, ab, primeLen) );    /* force a < p (note that quot(a/p) <= 1) */    if ( mp_cmp(&a, &p) > 0 )	CHECK_MPI_OK( mp_sub(&a, &p, &a) );    do {	/* check that a is in the range [2..p-1] */	if ( mp_cmp_d(&a, 2) < 0 || mp_cmp(&a, &psub1) >= 0) {	    /* a is outside of the allowed range.  Set a=3 and keep going. */            mp_set(&a, 3);	}	/* if a**q mod p != 1 then a is a generator */	CHECK_MPI_OK( mp_exptmod(&a, &q, &p, &test) );	if ( mp_cmp_d(&test, 1) != 0 )	    break;	/* increment the candidate and try again. */	CHECK_MPI_OK( mp_add_d(&a, 1, &a) );    } while (PR_TRUE);    MPINT_TO_SECITEM(&p, &dhparams->prime, arena);    MPINT_TO_SECITEM(&a, &dhparams->base, arena);    *params = dhparams;cleanup:    mp_clear(&p);    mp_clear(&q);    mp_clear(&a);    mp_clear(&h);    mp_clear(&psub1);    mp_clear(&test);    if (pb) PORT_ZFree(pb, primeLen);    if (ab) PORT_ZFree(ab, primeLen);    if (err) {	MP_TO_SEC_ERROR(err);	rv = SECFailure;    }    if (rv)	PORT_FreeArena(arena, PR_TRUE);    return rv;}

/* signature is caller-supplied buffer of at least 20 bytes.** On input,  signature->len == size of buffer to hold signature.**            digest->len    == size of digest.*/SECStatus DSA_VerifyDigest(DSAPublicKey *key, const SECItem *signature,                  const SECItem *digest){    /* FIPS-compliance dictates that digest is a SHA hash. */    mp_int p, q, g;      /* PQG parameters */    mp_int r_, s_;       /* tuple (r', s') is received signature) */    mp_int u1, u2, v, w; /* intermediate values used in verification */    mp_int y;            /* public key */    mp_err err;    int dsa_subprime_len, dsa_signature_len, offset;    SECItem localDigest;    unsigned char localDigestData[DSA_MAX_SUBPRIME_LEN];    SECStatus verified = SECFailure;    /* Check args. */    if (!key || !signature || !digest ) {	PORT_SetError(SEC_ERROR_INVALID_ARGS);	return SECFailure;    }    dsa_subprime_len = PQG_GetLength(&key->params.subPrime);    dsa_signature_len = dsa_subprime_len*2;    if ((signature->len != dsa_signature_len) ||	(digest->len > HASH_LENGTH_MAX)  ||	(digest->len < SHA1_LENGTH)) {	PORT_SetError(SEC_ERROR_INVALID_ARGS);	return SECFailure;    }    /* DSA accepts digests not equal to dsa_subprime_len, if the      * digests are greater, than they are truncated to the size of      * dsa_subprime_len, using the left most bits. If they are less     * then they are padded on the left.*/    PORT_Memset(localDigestData, 0, dsa_subprime_len);    offset = (digest->len < dsa_subprime_len) ? 			(dsa_subprime_len - digest->len) : 0;    PORT_Memcpy(localDigestData+offset, digest->data, 		dsa_subprime_len - offset);    localDigest.data = localDigestData;    localDigest.len = dsa_subprime_len;    /* Initialize MPI integers. */    MP_DIGITS(&p)  = 0;    MP_DIGITS(&q)  = 0;    MP_DIGITS(&g)  = 0;    MP_DIGITS(&y)  = 0;    MP_DIGITS(&r_) = 0;    MP_DIGITS(&s_) = 0;    MP_DIGITS(&u1) = 0;    MP_DIGITS(&u2) = 0;    MP_DIGITS(&v)  = 0;    MP_DIGITS(&w)  = 0;    CHECK_MPI_OK( mp_init(&p)  );    CHECK_MPI_OK( mp_init(&q)  );    CHECK_MPI_OK( mp_init(&g)  );    CHECK_MPI_OK( mp_init(&y)  );    CHECK_MPI_OK( mp_init(&r_) );    CHECK_MPI_OK( mp_init(&s_) );    CHECK_MPI_OK( mp_init(&u1) );    CHECK_MPI_OK( mp_init(&u2) );    CHECK_MPI_OK( mp_init(&v)  );    CHECK_MPI_OK( mp_init(&w)  );    /*    ** Convert stored PQG and public key into MPI integers.    */    SECITEM_TO_MPINT(key->params.prime,    &p);    SECITEM_TO_MPINT(key->params.subPrime, &q);    SECITEM_TO_MPINT(key->params.base,     &g);    SECITEM_TO_MPINT(key->publicValue,     &y);    /*    ** Convert received signature (r', s') into MPI integers.    */    OCTETS_TO_MPINT(signature->data, &r_, dsa_subprime_len);    OCTETS_TO_MPINT(signature->data + dsa_subprime_len, &s_, dsa_subprime_len);    /*    ** Verify that 0 < r' < q and 0 < s' < q    */    if (mp_cmp_z(&r_) <= 0 || mp_cmp_z(&s_) <= 0 ||        mp_cmp(&r_, &q) >= 0 || mp_cmp(&s_, &q) >= 0) {	/* err is zero here. */	PORT_SetError(SEC_ERROR_BAD_SIGNATURE);	goto cleanup; /* will return verified == SECFailure */    }    /*    ** FIPS 186-1, Section 6, Step 1    **    ** w = (s')**-1 mod q    */    CHECK_MPI_OK( mp_invmod(&s_, &q, &w) );      /* w = (s')**-1 mod q */    /*    ** FIPS 186-1, Section 6, Step 2    **    ** u1 = ((Hash(M')) * w) mod q    */    SECITEM_TO_MPINT(localDigest, &u1);              /* u1 = HASH(M')     *///.........这里部分代码省略.........

SECStatus KEA_Derive(SECItem *prime,            SECItem *public1,            SECItem *public2,            SECItem *private1,            SECItem *private2,           SECItem *derivedSecret){    mp_int p, Y, R, r, x, t, u, w;    mp_err err;    unsigned char *secret = NULL;    unsigned int len = 0, offset;    if (!prime || !public1 || !public2 || !private1 || !private2 ||        !derivedSecret) {	PORT_SetError(SEC_ERROR_INVALID_ARGS);	return SECFailure;    }    memset(derivedSecret, 0, sizeof *derivedSecret);    MP_DIGITS(&p) = 0;    MP_DIGITS(&Y) = 0;    MP_DIGITS(&R) = 0;    MP_DIGITS(&r) = 0;    MP_DIGITS(&x) = 0;    MP_DIGITS(&t) = 0;    MP_DIGITS(&u) = 0;    MP_DIGITS(&w) = 0;    CHECK_MPI_OK( mp_init(&p) );    CHECK_MPI_OK( mp_init(&Y) );    CHECK_MPI_OK( mp_init(&R) );    CHECK_MPI_OK( mp_init(&r) );    CHECK_MPI_OK( mp_init(&x) );    CHECK_MPI_OK( mp_init(&t) );    CHECK_MPI_OK( mp_init(&u) );    CHECK_MPI_OK( mp_init(&w) );    SECITEM_TO_MPINT(*prime,    &p);    SECITEM_TO_MPINT(*public1,  &Y);    SECITEM_TO_MPINT(*public2,  &R);    SECITEM_TO_MPINT(*private1, &r);    SECITEM_TO_MPINT(*private2, &x);    /* t = DH(Y, r, p) = Y ** r mod p */    CHECK_MPI_OK( mp_exptmod(&Y, &r, &p, &t) );    /* u = DH(R, x, p) = R ** x mod p */    CHECK_MPI_OK( mp_exptmod(&R, &x, &p, &u) );    /* w = (t + u) mod p */    CHECK_MPI_OK( mp_addmod(&t, &u, &p, &w) );    /* allocate a buffer for the full derived secret */    len = mp_unsigned_octet_size(&w);    secret = PORT_Alloc(len);    if (secret == NULL) {	err = MP_MEM;	goto cleanup;    }    /* grab the secret */    err = mp_to_unsigned_octets(&w, secret, len);    if (err > 0) err = MP_OKAY;    /* allocate output buffer */    if (SECITEM_AllocItem(NULL, derivedSecret, KEA_DERIVED_SECRET_LEN)								  == NULL) {	err = MP_MEM;	goto cleanup;    }    memset(derivedSecret->data, 0, derivedSecret->len);    /* copy in the 128 lsb of the secret */    if (len >= KEA_DERIVED_SECRET_LEN) {	memcpy(derivedSecret->data, secret + (len - KEA_DERIVED_SECRET_LEN),	       KEA_DERIVED_SECRET_LEN);    } else {	offset = KEA_DERIVED_SECRET_LEN - len;	memcpy(derivedSecret->data + offset, secret, len);    }cleanup:    mp_clear(&p);    mp_clear(&Y);    mp_clear(&R);    mp_clear(&r);    mp_clear(&x);    mp_clear(&t);    mp_clear(&u);    mp_clear(&w);    if (secret)	PORT_ZFree(secret, len);    if (err) {	MP_TO_SEC_ERROR(err);	if (derivedSecret->data) 	    PORT_ZFree(derivedSecret->data, derivedSecret->len);	return SECFailure;    }    return SECSuccess;}

SECStatus DH_Derive(SECItem *publicValue,           SECItem *prime,           SECItem *privateValue,           SECItem *derivedSecret,           unsigned int outBytes){    mp_int p, Xa, Yb, ZZ, psub1;    mp_err err = MP_OKAY;    unsigned int len = 0;    unsigned int nb;    unsigned char *secret = NULL;    if (!publicValue || !prime || !privateValue || !derivedSecret) {	PORT_SetError(SEC_ERROR_INVALID_ARGS);	return SECFailure;    }    memset(derivedSecret, 0, sizeof *derivedSecret);    MP_DIGITS(&p)  = 0;    MP_DIGITS(&Xa) = 0;    MP_DIGITS(&Yb) = 0;    MP_DIGITS(&ZZ) = 0;    MP_DIGITS(&psub1) = 0;    CHECK_MPI_OK( mp_init(&p)  );    CHECK_MPI_OK( mp_init(&Xa) );    CHECK_MPI_OK( mp_init(&Yb) );    CHECK_MPI_OK( mp_init(&ZZ) );    CHECK_MPI_OK( mp_init(&psub1) );    SECITEM_TO_MPINT(*publicValue,  &Yb);    SECITEM_TO_MPINT(*privateValue, &Xa);    SECITEM_TO_MPINT(*prime,        &p);    CHECK_MPI_OK( mp_sub_d(&p, 1, &psub1) );    /* We assume that the modulus, p, is a safe prime. That is, p = 2q+1 where     * q is also a prime. Thus the orders of the subgroups are factors of 2q:     * namely 1, 2, q and 2q.     *     * We check that the peer's public value isn't zero (which isn't in the     * group), one (subgroup of order one) or p-1 (subgroup of order 2). We     * also check that the public value is less than p, to avoid being fooled     * by values like p+1 or 2*p-1.     *     * Thus we must be operating in the subgroup of size q or 2q. */    if (mp_cmp_d(&Yb, 1) <= 0 ||	mp_cmp(&Yb, &psub1) >= 0) {	err = MP_BADARG;	goto cleanup;    }    /* ZZ = (Yb)**Xa mod p */    CHECK_MPI_OK( mp_exptmod(&Yb, &Xa, &p, &ZZ) );    /* number of bytes in the derived secret */    len = mp_unsigned_octet_size(&ZZ);    if (len <= 0) {        err = MP_BADARG;        goto cleanup;    }    /*     * We check to make sure that ZZ is not equal to 1 or -1 mod p.     * This helps guard against small subgroup attacks, since an attacker     * using a subgroup of size N will produce 1 or -1 with probability 1/N.     * When the protocol is executed within a properly large subgroup, the     * probability of this result will be negligibly small.  For example,     * with a strong prime of the form 2p+1, the probability will be 1/p.     *     * We return MP_BADARG because this is probably the result of a bad     * public value or a bad prime having been provided.     */    if (mp_cmp_d(&ZZ, 1) == 0 ||        mp_cmp(&ZZ, &psub1) == 0) {        err = MP_BADARG;        goto cleanup;    }    /* allocate a buffer which can hold the entire derived secret. */    secret = PORT_Alloc(len);    if (secret == NULL) {	err = MP_MEM;	goto cleanup;    }    /* grab the derived secret */    err = mp_to_unsigned_octets(&ZZ, secret, len);    if (err >= 0) err = MP_OKAY;    /*     ** if outBytes is 0 take all of the bytes from the derived secret.    ** if outBytes is not 0 take exactly outBytes from the derived secret, zero    ** pad at the beginning if necessary, and truncate beginning bytes     ** if necessary.    */    if (outBytes > 0)	nb = outBytes;    else	nb = len;    if (SECITEM_AllocItem(NULL, derivedSecret, nb)  == NULL) {	err = MP_MEM;	goto cleanup;    }    if (len < nb) {	unsigned int offset = nb - len;	memset(derivedSecret->data, 0, offset);//.........这里部分代码省略.........

/*** Perform a raw private-key operation **	Length of input and output buffers are equal to key's modulus len.*/static SECStatus rsa_PrivateKeyOp(RSAPrivateKey *key,                  unsigned char *output,                  const unsigned char *input,                 PRBool check){    unsigned int modLen;    unsigned int offset;    SECStatus rv = SECSuccess;    mp_err err;    mp_int n, c, m;    mp_int f, g;    if (!key || !output || !input) {	PORT_SetError(SEC_ERROR_INVALID_ARGS);	return SECFailure;    }    /* check input out of range (needs to be in range [0..n-1]) */    modLen = rsa_modulusLen(&key->modulus);    offset = (key->modulus.data[0] == 0) ? 1 : 0; /* may be leading 0 */    if (memcmp(input, key->modulus.data + offset, modLen) >= 0) {	PORT_SetError(SEC_ERROR_INVALID_ARGS);	return SECFailure;    }    MP_DIGITS(&n) = 0;    MP_DIGITS(&c) = 0;    MP_DIGITS(&m) = 0;    MP_DIGITS(&f) = 0;    MP_DIGITS(&g) = 0;    CHECK_MPI_OK( mp_init(&n) );    CHECK_MPI_OK( mp_init(&c) );    CHECK_MPI_OK( mp_init(&m) );    CHECK_MPI_OK( mp_init(&f) );    CHECK_MPI_OK( mp_init(&g) );    SECITEM_TO_MPINT(key->modulus, &n);    OCTETS_TO_MPINT(input, &c, modLen);    /* If blinding, compute pre-image of ciphertext by multiplying by    ** blinding factor    */    if (nssRSAUseBlinding) {	CHECK_SEC_OK( get_blinding_params(key, &n, modLen, &f, &g) );	/* c' = c*f mod n */	CHECK_MPI_OK( mp_mulmod(&c, &f, &n, &c) );    }    /* Do the private key operation m = c**d mod n */    if ( key->prime1.len      == 0 ||         key->prime2.len      == 0 ||         key->exponent1.len   == 0 ||         key->exponent2.len   == 0 ||         key->coefficient.len == 0) {	CHECK_SEC_OK( rsa_PrivateKeyOpNoCRT(key, &m, &c, &n, modLen) );    } else if (check) {	CHECK_SEC_OK( rsa_PrivateKeyOpCRTCheckedPubKey(key, &m, &c) );    } else {	CHECK_SEC_OK( rsa_PrivateKeyOpCRTNoCheck(key, &m, &c) );    }    /* If blinding, compute post-image of plaintext by multiplying by    ** blinding factor    */    if (nssRSAUseBlinding) {	/* m = m'*g mod n */	CHECK_MPI_OK( mp_mulmod(&m, &g, &n, &m) );    }    err = mp_to_fixlen_octets(&m, output, modLen);    if (err >= 0) err = MP_OKAY;cleanup:    mp_clear(&n);    mp_clear(&c);    mp_clear(&m);    mp_clear(&f);    mp_clear(&g);    if (err) {	MP_TO_SEC_ERROR(err);	rv = SECFailure;    }    return rv;}

/* Computes the ECDSA signature (a concatenation of two values r and s) * on the digest using the given key and the random value kb (used in * computing s). */SECStatus ECDSA_SignDigestWithSeed(ECPrivateKey *key, SECItem *signature,     const SECItem *digest, const unsigned char *kb, const int kblen){    SECStatus rv = SECFailure;#ifndef NSS_DISABLE_ECC    mp_int x1;    mp_int d, k;     /* private key, random integer */    mp_int r, s;     /* tuple (r, s) is the signature */    mp_int n;    mp_err err = MP_OKAY;    ECParams *ecParams = NULL;    SECItem kGpoint = { siBuffer, NULL, 0};    int flen = 0;    /* length in bytes of the field size */    unsigned olen;   /* length in bytes of the base point order */    unsigned obits;  /* length in bits  of the base point order */#if EC_DEBUG    char mpstr[256];#endif    /* Initialize MPI integers. */    /* must happen before the first potential call to cleanup */    MP_DIGITS(&x1) = 0;    MP_DIGITS(&d) = 0;    MP_DIGITS(&k) = 0;    MP_DIGITS(&r) = 0;    MP_DIGITS(&s) = 0;    MP_DIGITS(&n) = 0;    /* Check args */    if (!key || !signature || !digest || !kb || (kblen < 0)) {	PORT_SetError(SEC_ERROR_INVALID_ARGS);	goto cleanup;    }    ecParams = &(key->ecParams);    flen = (ecParams->fieldID.size + 7) >> 3;    olen = ecParams->order.len;      if (signature->data == NULL) {	/* a call to get the signature length only */	goto finish;    }    if (signature->len < 2*olen) {	PORT_SetError(SEC_ERROR_OUTPUT_LEN);	goto cleanup;    }    CHECK_MPI_OK( mp_init(&x1) );    CHECK_MPI_OK( mp_init(&d) );    CHECK_MPI_OK( mp_init(&k) );    CHECK_MPI_OK( mp_init(&r) );    CHECK_MPI_OK( mp_init(&s) );    CHECK_MPI_OK( mp_init(&n) );    SECITEM_TO_MPINT( ecParams->order, &n );    SECITEM_TO_MPINT( key->privateValue, &d );    CHECK_MPI_OK( mp_read_unsigned_octets(&k, kb, kblen) );    /* Make sure k is in the interval [1, n-1] */    if ((mp_cmp_z(&k) <= 0) || (mp_cmp(&k, &n) >= 0)) {#if EC_DEBUG        printf("k is outside [1, n-1]/n");        mp_tohex(&k, mpstr);	printf("k : %s /n", mpstr);        mp_tohex(&n, mpstr);	printf("n : %s /n", mpstr);#endif	PORT_SetError(SEC_ERROR_NEED_RANDOM);	goto cleanup;    }    /*    ** We do not want timing information to leak the length of k,    ** so we compute k*G using an equivalent scalar of fixed    ** bit-length.    ** Fix based on patch for ECDSA timing attack in the paper    ** by Billy Bob Brumley and Nicola Tuveri at    **   http://eprint.iacr.org/2011/232    **    ** How do we convert k to a value of a fixed bit-length?    ** k starts off as an integer satisfying 0 <= k < n.  Hence,    ** n <= k+n < 2n, which means k+n has either the same number    ** of bits as n or one more bit than n.  If k+n has the same    ** number of bits as n, the second addition ensures that the    ** final value has exactly one more bit than n.  Thus, we    ** always end up with a value that exactly one more bit than n.    */    CHECK_MPI_OK( mp_add(&k, &n, &k) );    if (mpl_significant_bits(&k) <= mpl_significant_bits(&n)) {	CHECK_MPI_OK( mp_add(&k, &n, &k) );    }    /*     ** ANSI X9.62, Section 5.3.2, Step 2//.........这里部分代码省略.........

/* Validates an EC public key as described in Section 5.2.2 of * X9.62. The ECDH primitive when used without the cofactor does * not address small subgroup attacks, which may occur when the * public key is not valid. These attacks can be prevented by  * validating the public key before using ECDH. */SECStatus EC_ValidatePublicKey(ECParams *ecParams, SECItem *publicValue){#ifndef NSS_DISABLE_ECC    mp_int Px, Py;    ECGroup *group = NULL;    SECStatus rv = SECFailure;    mp_err err = MP_OKAY;    int len;    if (!ecParams || !publicValue) {	PORT_SetError(SEC_ERROR_INVALID_ARGS);	return SECFailure;    }	    /* NOTE: We only support uncompressed points for now */    len = (ecParams->fieldID.size + 7) >> 3;    if (publicValue->data[0] != EC_POINT_FORM_UNCOMPRESSED) {	PORT_SetError(SEC_ERROR_UNSUPPORTED_EC_POINT_FORM);	return SECFailure;    } else if (publicValue->len != (2 * len + 1)) {	PORT_SetError(SEC_ERROR_BAD_KEY);	return SECFailure;    }    MP_DIGITS(&Px) = 0;    MP_DIGITS(&Py) = 0;    CHECK_MPI_OK( mp_init(&Px) );    CHECK_MPI_OK( mp_init(&Py) );    /* Initialize Px and Py */    CHECK_MPI_OK( mp_read_unsigned_octets(&Px, publicValue->data + 1, (mp_size) len) );    CHECK_MPI_OK( mp_read_unsigned_octets(&Py, publicValue->data + 1 + len, (mp_size) len) );    /* construct from named params */    group = ECGroup_fromName(ecParams->name);    if (group == NULL) {	/*	 * ECGroup_fromName fails if ecParams->name is not a valid	 * ECCurveName value, or if we run out of memory, or perhaps	 * for other reasons.  Unfortunately if ecParams->name is a	 * valid ECCurveName value, we don't know what the right error	 * code should be because ECGroup_fromName doesn't return an	 * error code to the caller.  Set err to MP_UNDEF because	 * that's what ECGroup_fromName uses internally.	 */	if ((ecParams->name <= ECCurve_noName) ||	    (ecParams->name >= ECCurve_pastLastCurve)) {	    err = MP_BADARG;	} else {	    err = MP_UNDEF;	}	goto cleanup;    }    /* validate public point */    if ((err = ECPoint_validate(group, &Px, &Py)) < MP_YES) {	if (err == MP_NO) {	    PORT_SetError(SEC_ERROR_BAD_KEY);	    rv = SECFailure;	    err = MP_OKAY;  /* don't change the error code */	}	goto cleanup;    }    rv = SECSuccess;cleanup:    ECGroup_free(group);    mp_clear(&Px);    mp_clear(&Py);    if (err) {	MP_TO_SEC_ERROR(err);	rv = SECFailure;    }    return rv;#else    PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);    return SECFailure;#endif /* NSS_DISABLE_ECC */}

/***  RSA Private key operation using CRT.*/static SECStatus rsa_PrivateKeyOpCRTNoCheck(RSAPrivateKey *key, mp_int *m, mp_int *c){    mp_int p, q, d_p, d_q, qInv;    mp_int m1, m2, h, ctmp;    mp_err   err = MP_OKAY;    SECStatus rv = SECSuccess;    MP_DIGITS(&p)    = 0;    MP_DIGITS(&q)    = 0;    MP_DIGITS(&d_p)  = 0;    MP_DIGITS(&d_q)  = 0;    MP_DIGITS(&qInv) = 0;    MP_DIGITS(&m1)   = 0;    MP_DIGITS(&m2)   = 0;    MP_DIGITS(&h)    = 0;    MP_DIGITS(&ctmp) = 0;    CHECK_MPI_OK( mp_init(&p)    );    CHECK_MPI_OK( mp_init(&q)    );    CHECK_MPI_OK( mp_init(&d_p)  );    CHECK_MPI_OK( mp_init(&d_q)  );    CHECK_MPI_OK( mp_init(&qInv) );    CHECK_MPI_OK( mp_init(&m1)   );    CHECK_MPI_OK( mp_init(&m2)   );    CHECK_MPI_OK( mp_init(&h)    );    CHECK_MPI_OK( mp_init(&ctmp) );    /* copy private key parameters into mp integers */    SECITEM_TO_MPINT(key->prime1,      &p);    /* p */    SECITEM_TO_MPINT(key->prime2,      &q);    /* q */    SECITEM_TO_MPINT(key->exponent1,   &d_p);  /* d_p  = d mod (p-1) */    SECITEM_TO_MPINT(key->exponent2,   &d_q);  /* d_q  = d mod (q-1) */    SECITEM_TO_MPINT(key->coefficient, &qInv); /* qInv = q**-1 mod p */    /* 1. m1 = c**d_p mod p */    CHECK_MPI_OK( mp_mod(c, &p, &ctmp) );    CHECK_MPI_OK( mp_exptmod(&ctmp, &d_p, &p, &m1) );    /* 2. m2 = c**d_q mod q */    CHECK_MPI_OK( mp_mod(c, &q, &ctmp) );    CHECK_MPI_OK( mp_exptmod(&ctmp, &d_q, &q, &m2) );    /* 3.  h = (m1 - m2) * qInv mod p */    CHECK_MPI_OK( mp_submod(&m1, &m2, &p, &h) );    CHECK_MPI_OK( mp_mulmod(&h, &qInv, &p, &h)  );    /* 4.  m = m2 + h * q */    CHECK_MPI_OK( mp_mul(&h, &q, m) );    CHECK_MPI_OK( mp_add(m, &m2, m) );cleanup:    mp_clear(&p);    mp_clear(&q);    mp_clear(&d_p);    mp_clear(&d_q);    mp_clear(&qInv);    mp_clear(&m1);    mp_clear(&m2);    mp_clear(&h);    mp_clear(&ctmp);    if (err) {	MP_TO_SEC_ERROR(err);	rv = SECFailure;    }    return rv;}

static SECStatusget_blinding_params(RSAPrivateKey *key, mp_int *n, unsigned int modLen,                    mp_int *f, mp_int *g){    RSABlindingParams *rsabp           = NULL;    blindingParams    *bpUnlinked      = NULL;    blindingParams    *bp, *prevbp     = NULL;    PRCList           *el;    SECStatus          rv              = SECSuccess;    mp_err             err             = MP_OKAY;    int                cmp             = -1;    PRBool             holdingLock     = PR_FALSE;    do {	if (blindingParamsList.lock == NULL) {	    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);	    return SECFailure;	}	/* Acquire the list lock */	PZ_Lock(blindingParamsList.lock);	holdingLock = PR_TRUE;	/* Walk the list looking for the private key */	for (el = PR_NEXT_LINK(&blindingParamsList.head);	     el != &blindingParamsList.head;	     el = PR_NEXT_LINK(el)) {	    rsabp = (RSABlindingParams *)el;	    cmp = SECITEM_CompareItem(&rsabp->modulus, &key->modulus);	    if (cmp >= 0) {		/* The key is found or not in the list. */		break;	    }	}	if (cmp) {	    /* At this point, the key is not in the list.  el should point to 	    ** the list element before which this key should be inserted. 	    */	    rsabp = PORT_ZNew(RSABlindingParams);	    if (!rsabp) {		PORT_SetError(SEC_ERROR_NO_MEMORY);		goto cleanup;	    }	    rv = init_blinding_params(rsabp, key, n, modLen);	    if (rv != SECSuccess) {		PORT_ZFree(rsabp, sizeof(RSABlindingParams));		goto cleanup;	    }	    /* Insert the new element into the list	    ** If inserting in the middle of the list, el points to the link	    ** to insert before.  Otherwise, the link needs to be appended to	    ** the end of the list, which is the same as inserting before the	    ** head (since el would have looped back to the head).	    */	    PR_INSERT_BEFORE(&rsabp->link, el);	}	/* We've found (or created) the RSAblindingParams struct for this key.	 * Now, search its list of ready blinding params for a usable one.	 */	while (0 != (bp = rsabp->bp)) {	    if (--(bp->counter) > 0) {		/* Found a match and there are still remaining uses left */		/* Return the parameters */		CHECK_MPI_OK( mp_copy(&bp->f, f) );		CHECK_MPI_OK( mp_copy(&bp->g, g) );		PZ_Unlock(blindingParamsList.lock); 		return SECSuccess;	    }	    /* exhausted this one, give its values to caller, and	     * then retire it.	     */	    mp_exch(&bp->f, f);	    mp_exch(&bp->g, g);	    mp_clear( &bp->f );	    mp_clear( &bp->g );	    bp->counter = 0;	    /* Move to free list */	    rsabp->bp   = bp->next;	    bp->next    = rsabp->free;	    rsabp->free = bp;	    /* In case there're threads waiting for new blinding	     * value - notify 1 thread the value is ready	     */	    if (blindingParamsList.waitCount > 0) {		PR_NotifyCondVar( blindingParamsList.cVar );		blindingParamsList.waitCount--;	    }	    PZ_Unlock(blindingParamsList.lock); 	    return SECSuccess;	}	/* We did not find a usable set of blinding params.  Can we make one? */	/* Find a free bp struct. */	prevbp = NULL;	if ((bp = rsabp->free) != NULL) {	    /* unlink this bp */	    rsabp->free  = bp->next;//.........这里部分代码省略.........

/*** Perform a raw public-key operation **	Length of input and output buffers are equal to key's modulus len.*/SECStatus RSA_PublicKeyOp(RSAPublicKey  *key,                 unsigned char *output,                 const unsigned char *input){    unsigned int modLen, expLen, offset;    mp_int n, e, m, c;    mp_err err   = MP_OKAY;    SECStatus rv = SECSuccess;    if (!key || !output || !input) {	PORT_SetError(SEC_ERROR_INVALID_ARGS);	return SECFailure;    }    MP_DIGITS(&n) = 0;    MP_DIGITS(&e) = 0;    MP_DIGITS(&m) = 0;    MP_DIGITS(&c) = 0;    CHECK_MPI_OK( mp_init(&n) );    CHECK_MPI_OK( mp_init(&e) );    CHECK_MPI_OK( mp_init(&m) );    CHECK_MPI_OK( mp_init(&c) );    modLen = rsa_modulusLen(&key->modulus);    expLen = rsa_modulusLen(&key->publicExponent);    /* 1.  Obtain public key (n, e) */    if (BAD_RSA_KEY_SIZE(modLen, expLen)) {    	PORT_SetError(SEC_ERROR_INVALID_KEY);	rv = SECFailure;	goto cleanup;    }    SECITEM_TO_MPINT(key->modulus, &n);    SECITEM_TO_MPINT(key->publicExponent, &e);    if (e.used > n.used) {	/* exponent should not be greater than modulus */    	PORT_SetError(SEC_ERROR_INVALID_KEY);	rv = SECFailure;	goto cleanup;    }    /* 2. check input out of range (needs to be in range [0..n-1]) */    offset = (key->modulus.data[0] == 0) ? 1 : 0; /* may be leading 0 */    if (memcmp(input, key->modulus.data + offset, modLen) >= 0) {        PORT_SetError(SEC_ERROR_INPUT_LEN);        rv = SECFailure;        goto cleanup;    }    /* 2 bis.  Represent message as integer in range [0..n-1] */    CHECK_MPI_OK( mp_read_unsigned_octets(&m, input, modLen) );    /* 3.  Compute c = m**e mod n */#ifdef USE_MPI_EXPT_D    /* XXX see which is faster */    if (MP_USED(&e) == 1) {	CHECK_MPI_OK( mp_exptmod_d(&m, MP_DIGIT(&e, 0), &n, &c) );    } else#endif    CHECK_MPI_OK( mp_exptmod(&m, &e, &n, &c) );    /* 4.  result c is ciphertext */    err = mp_to_fixlen_octets(&c, output, modLen);    if (err >= 0) err = MP_OKAY;cleanup:    mp_clear(&n);    mp_clear(&e);    mp_clear(&m);    mp_clear(&c);    if (err) {	MP_TO_SEC_ERROR(err);	rv = SECFailure;    }    return rv;}

/* * take a private key with only a few elements and fill out the missing pieces. * * All the entries will be overwritten with data allocated out of the arena * If no arena is supplied, one will be created. * * The following fields must be supplied in order for this function * to succeed: *   one of either publicExponent or privateExponent *   two more of the following 5 parameters. *      modulus (n) *      prime1  (p) *      prime2  (q) *      publicExponent (e) *      privateExponent (d) * * NOTE: if only the publicExponent, privateExponent, and one prime is given, * then there may be more than one RSA key that matches that combination. * * All parameters will be replaced in the key structure with new parameters * Allocated out of the arena. There is no attempt to free the old structures. * Prime1 will always be greater than prime2 (even if the caller supplies the * smaller prime as prime1 or the larger prime as prime2). The parameters are * not overwritten on failure. * *  How it works: *     We can generate all the parameters from: *        one of the exponents, plus the two primes. (rsa_build_key_from_primes) * *     If we are given one of the exponents and both primes, we are done. *     If we are given one of the exponents, the modulus and one prime, we  *        caclulate the second prime by dividing the modulus by the given  *        prime, giving us and exponent and 2 primes. *     If we are given 2 exponents and either the modulus or one of the primes *        we calculate k*phi = d*e-1, where k is an integer less than d which  *        divides d*e-1. We find factor k so we can isolate phi. *            phi = (p-1)(q-1) *       If one of the primes are given, we can use phi to find the other prime *        as follows: q = (phi/(p-1)) + 1. We now have 2 primes and an  *        exponent. (NOTE: if more then one prime meets this condition, the *        operation will fail. See comments elsewhere in this file about this). *       If the modulus is given, then we can calculate the sum of the primes *        as follows: s := (p+q), phi = (p-1)(q-1) = pq -p - q +1, pq = n -> *        phi = n - s + 1, s = n - phi +1.  Now that we have s = p+q and n=pq, *	  we can solve our 2 equations and 2 unknowns as follows: q=s-p -> *        n=p*(s-p)= sp -p^2 -> p^2-sp+n = 0. Using the quadratic to solve for *        p, p=1/2*(s+ sqrt(s*s-4*n)) [q=1/2*(s-sqrt(s*s-4*n)]. We again have *        2 primes and an exponent. * */SECStatusRSA_PopulatePrivateKey(RSAPrivateKey *key){    PLArenaPool *arena = NULL;    PRBool needPublicExponent = PR_TRUE;    PRBool needPrivateExponent = PR_TRUE;    PRBool hasModulus = PR_FALSE;    unsigned int keySizeInBits = 0;    int prime_count = 0;    /* standard RSA nominclature */    mp_int p, q, e, d, n;    /* remainder */    mp_int r;    mp_err err = 0;    SECStatus rv = SECFailure;    MP_DIGITS(&p) = 0;    MP_DIGITS(&q) = 0;    MP_DIGITS(&e) = 0;    MP_DIGITS(&d) = 0;    MP_DIGITS(&n) = 0;    MP_DIGITS(&r) = 0;    CHECK_MPI_OK( mp_init(&p) );    CHECK_MPI_OK( mp_init(&q) );    CHECK_MPI_OK( mp_init(&e) );    CHECK_MPI_OK( mp_init(&d) );    CHECK_MPI_OK( mp_init(&n) );    CHECK_MPI_OK( mp_init(&r) );     /* if the key didn't already have an arena, create one. */    if (key->arena == NULL) {	arena = PORT_NewArena(NSS_FREEBL_DEFAULT_CHUNKSIZE);	if (!arena) {	    goto cleanup;	}	key->arena = arena;    }    /* load up the known exponents */    if (key->publicExponent.data) {        SECITEM_TO_MPINT(key->publicExponent, &e);	needPublicExponent = PR_FALSE;    }     if (key->privateExponent.data) {        SECITEM_TO_MPINT(key->privateExponent, &d);	needPrivateExponent = PR_FALSE;    }    if (needPrivateExponent && needPublicExponent) {	/* Not enough information, we need at least one exponent */	err = MP_BADARG;	goto cleanup;//.........这里部分代码省略.........

/* * Try to find the two primes based on 2 exponents plus either a prime *   or a modulus. * * In: e, d and either p or n (depending on the setting of hasModulus). * Out: p,q. *  * Step 1, Since d = e**-1 mod phi, we know that d*e == 1 mod phi, or *	d*e = 1+k*phi, or d*e-1 = k*phi. since d is less than phi and e is *	usually less than d, then k must be an integer between e-1 and 1  *	(probably on the order of e). * Step 1a, If we were passed just a prime, we can divide k*phi by that *      prime-1 and get k*(q-1). This will reduce the size of our division *      through the rest of the loop. * Step 2, Loop through the values k=e-1 to 1 looking for k. k should be on *	the order or e, and e is typically small. This may take a while for *	a large random e. We are looking for a k that divides kphi *	evenly. Once we find a k that divides kphi evenly, we assume it  *	is the true k. It's possible this k is not the 'true' k but has  *	swapped factors of p-1 and/or q-1. Because of this, we  *	tentatively continue Steps 3-6 inside this loop, and may return looking *	for another k on failure. * Step 3, Calculate are tentative phi=kphi/k. Note: real phi is (p-1)*(q-1). * Step 4a, if we have a prime, kphi is already k*(q-1), so phi is or tenative *      q-1. q = phi+1. If k is correct, q should be the right length and  *      prime. * Step 4b, It's possible q-1 and k could have swapped factors. We now have a * 	possible solution that meets our criteria. It may not be the only  *      solution, however, so we keep looking. If we find more than one,  *      we will fail since we cannot determine which is the correct *      solution, and returning the wrong modulus will compromise both *      moduli. If no other solution is found, we return the unique solution. * Step 5a, If we have the modulus (n=pq), then use the following formula to  * 	calculate  s=(p+q): , phi = (p-1)(q-1) = pq  -p-q +1 = n-s+1. so *	s=n-phi+1. * Step 5b, Use n=pq and s=p+q to solve for p and q as follows: *	since q=s-p, then n=p*(s-p)= sp - p^2, rearranging p^2-s*p+n = 0. *	from the quadratic equation we have p=1/2*(s+sqrt(s*s-4*n)) and *	q=1/2*(s-sqrt(s*s-4*n)) if s*s-4*n is a perfect square, we are DONE. *	If it is not, continue in our look looking for another k. NOTE: the *	code actually distributes the 1/2 and results in the equations: *	sqrt = sqrt(s/2*s/2-n), p=s/2+sqrt, q=s/2-sqrt. The algebra saves us *	and extra divide by 2 and a multiply by 4. *  * This will return p & q. q may be larger than p in the case that p was given * and it was the smaller prime. */static mp_errrsa_get_primes_from_exponents(mp_int *e, mp_int *d, mp_int *p, mp_int *q,			      mp_int *n, PRBool hasModulus, 			      unsigned int keySizeInBits){    mp_int kphi; /* k*phi */    mp_int k;    /* current guess at 'k' */    mp_int phi;  /* (p-1)(q-1) */    mp_int s;    /* p+q/2 (s/2 in the algebra) */    mp_int r;    /* remainder */    mp_int tmp; /* p-1 if p is given, n+1 is modulus is given */    mp_int sqrt; /* sqrt(s/2*s/2-n) */    mp_err err = MP_OKAY;    unsigned int order_k;    MP_DIGITS(&kphi) = 0;    MP_DIGITS(&phi) = 0;    MP_DIGITS(&s) = 0;    MP_DIGITS(&k) = 0;    MP_DIGITS(&r) = 0;    MP_DIGITS(&tmp) = 0;    MP_DIGITS(&sqrt) = 0;    CHECK_MPI_OK( mp_init(&kphi) );    CHECK_MPI_OK( mp_init(&phi) );    CHECK_MPI_OK( mp_init(&s) );    CHECK_MPI_OK( mp_init(&k) );    CHECK_MPI_OK( mp_init(&r) );    CHECK_MPI_OK( mp_init(&tmp) );    CHECK_MPI_OK( mp_init(&sqrt) );    /* our algorithm looks for a factor k whose maximum size is dependent     * on the size of our smallest exponent, which had better be the public     * exponent (if it's the private, the key is vulnerable to a brute force     * attack).     *      * since our factor search is linear, we need to limit the maximum     * size of the public key. this should not be a problem normally, since      * public keys are usually small.      *     * if we want to handle larger public key sizes, we should have     * a version which tries to 'completely' factor k*phi (where completely     * means 'factor into primes, or composites with which are products of     * large primes). Once we have all the factors, we can sort them out and     * try different combinations to form our phi. The risk is if (p-1)/2,     * (q-1)/2, and k are all large primes. In any case if the public key     * is small (order of 20 some bits), then a linear search for k is      * manageable.     */    if (mpl_significant_bits(e) > 23) {	err=MP_RANGE;	goto cleanup;    }//.........这里部分代码省略.........

/*** Generate and return a new RSA public and private key.**	Both keys are encoded in a single RSAPrivateKey structure.**	"cx" is the random number generator context**	"keySizeInBits" is the size of the key to be generated, in bits.**	   512, 1024, etc.**	"publicExponent" when not NULL is a pointer to some data that**	   represents the public exponent to use. The data is a byte**	   encoded integer, in "big endian" order.*/RSAPrivateKey *RSA_NewKey(int keySizeInBits, SECItem *publicExponent){    unsigned int primeLen;    mp_int p, q, e, d;    int kiter;    mp_err   err = MP_OKAY;    SECStatus rv = SECSuccess;    int prerr = 0;    RSAPrivateKey *key = NULL;    PLArenaPool *arena = NULL;    /* Require key size to be a multiple of 16 bits. */    if (!publicExponent || keySizeInBits % 16 != 0 ||	    BAD_RSA_KEY_SIZE(keySizeInBits/8, publicExponent->len)) {	PORT_SetError(SEC_ERROR_INVALID_ARGS);	return NULL;    }    /* 1. Allocate arena & key */    arena = PORT_NewArena(NSS_FREEBL_DEFAULT_CHUNKSIZE);    if (!arena) {	PORT_SetError(SEC_ERROR_NO_MEMORY);	return NULL;    }    key = PORT_ArenaZNew(arena, RSAPrivateKey);    if (!key) {	PORT_SetError(SEC_ERROR_NO_MEMORY);	PORT_FreeArena(arena, PR_TRUE);	return NULL;    }    key->arena = arena;    /* length of primes p and q (in bytes) */    primeLen = keySizeInBits / (2 * PR_BITS_PER_BYTE);    MP_DIGITS(&p) = 0;    MP_DIGITS(&q) = 0;    MP_DIGITS(&e) = 0;    MP_DIGITS(&d) = 0;    CHECK_MPI_OK( mp_init(&p) );    CHECK_MPI_OK( mp_init(&q) );    CHECK_MPI_OK( mp_init(&e) );    CHECK_MPI_OK( mp_init(&d) );    /* 2.  Set the version number (PKCS1 v1.5 says it should be zero) */    SECITEM_AllocItem(arena, &key->version, 1);    key->version.data[0] = 0;    /* 3.  Set the public exponent */    SECITEM_TO_MPINT(*publicExponent, &e);    kiter = 0;    do {	prerr = 0;	PORT_SetError(0);	CHECK_SEC_OK( generate_prime(&p, primeLen) );	CHECK_SEC_OK( generate_prime(&q, primeLen) );	/* Assure q < p */	if (mp_cmp(&p, &q) < 0)	    mp_exch(&p, &q);	/* Attempt to use these primes to generate a key */	rv = rsa_build_from_primes(&p, &q, 			&e, PR_FALSE,  /* needPublicExponent=false */			&d, PR_TRUE,   /* needPrivateExponent=true */			key, keySizeInBits);	if (rv == SECSuccess)	    break; /* generated two good primes */	prerr = PORT_GetError();	kiter++;	/* loop until have primes */    } while (prerr == SEC_ERROR_NEED_RANDOM && kiter < MAX_KEY_GEN_ATTEMPTS);    if (prerr)	goto cleanup;cleanup:    mp_clear(&p);    mp_clear(&q);    mp_clear(&e);    mp_clear(&d);    if (err) {	MP_TO_SEC_ERROR(err);	rv = SECFailure;    }    if (rv && arena) {	PORT_FreeArena(arena, PR_TRUE);	key = NULL;    }    return key;}

/* Generates a new EC key pair. The private key is a supplied * value and the public key is the result of performing a scalar  * point multiplication of that value with the curve's base point. */SECStatus ec_NewKey(ECParams *ecParams, ECPrivateKey **privKey,     const unsigned char *privKeyBytes, int privKeyLen){    SECStatus rv = SECFailure;#ifndef NSS_DISABLE_ECC    PLArenaPool *arena;    ECPrivateKey *key;    mp_int k;    mp_err err = MP_OKAY;    int len;#if EC_DEBUG    printf("ec_NewKey called/n");#endif    MP_DIGITS(&k) = 0;    if (!ecParams || !privKey || !privKeyBytes || (privKeyLen < 0)) {	PORT_SetError(SEC_ERROR_INVALID_ARGS);	return SECFailure;    }    /* Initialize an arena for the EC key. */    if (!(arena = PORT_NewArena(NSS_FREEBL_DEFAULT_CHUNKSIZE)))	return SECFailure;    key = (ECPrivateKey *)PORT_ArenaZAlloc(arena, sizeof(ECPrivateKey));    if (!key) {	PORT_FreeArena(arena, PR_TRUE);	return SECFailure;    }    /* Set the version number (SEC 1 section C.4 says it should be 1) */    SECITEM_AllocItem(arena, &key->version, 1);    key->version.data[0] = 1;    /* Copy all of the fields from the ECParams argument to the     * ECParams structure within the private key.     */    key->ecParams.arena = arena;    key->ecParams.type = ecParams->type;    key->ecParams.fieldID.size = ecParams->fieldID.size;    key->ecParams.fieldID.type = ecParams->fieldID.type;    if (ecParams->fieldID.type == ec_field_GFp) {	CHECK_SEC_OK(SECITEM_CopyItem(arena, &key->ecParams.fieldID.u.prime,	    &ecParams->fieldID.u.prime));    } else {	CHECK_SEC_OK(SECITEM_CopyItem(arena, &key->ecParams.fieldID.u.poly,	    &ecParams->fieldID.u.poly));    }    key->ecParams.fieldID.k1 = ecParams->fieldID.k1;    key->ecParams.fieldID.k2 = ecParams->fieldID.k2;    key->ecParams.fieldID.k3 = ecParams->fieldID.k3;    CHECK_SEC_OK(SECITEM_CopyItem(arena, &key->ecParams.curve.a,	&ecParams->curve.a));    CHECK_SEC_OK(SECITEM_CopyItem(arena, &key->ecParams.curve.b,	&ecParams->curve.b));    CHECK_SEC_OK(SECITEM_CopyItem(arena, &key->ecParams.curve.seed,	&ecParams->curve.seed));    CHECK_SEC_OK(SECITEM_CopyItem(arena, &key->ecParams.base,	&ecParams->base));    CHECK_SEC_OK(SECITEM_CopyItem(arena, &key->ecParams.order,	&ecParams->order));    key->ecParams.cofactor = ecParams->cofactor;    CHECK_SEC_OK(SECITEM_CopyItem(arena, &key->ecParams.DEREncoding,	&ecParams->DEREncoding));    key->ecParams.name = ecParams->name;    CHECK_SEC_OK(SECITEM_CopyItem(arena, &key->ecParams.curveOID,	&ecParams->curveOID));    len = (ecParams->fieldID.size + 7) >> 3;    SECITEM_AllocItem(arena, &key->publicValue, 2*len + 1);    len = ecParams->order.len;    SECITEM_AllocItem(arena, &key->privateValue, len);    /* Copy private key */    if (privKeyLen >= len) {	memcpy(key->privateValue.data, privKeyBytes, len);    } else {	memset(key->privateValue.data, 0, (len - privKeyLen));	memcpy(key->privateValue.data + (len - privKeyLen), privKeyBytes, privKeyLen);    }    /* Compute corresponding public key */    CHECK_MPI_OK( mp_init(&k) );    CHECK_MPI_OK( mp_read_unsigned_octets(&k, key->privateValue.data, 	(mp_size) len) );    rv = ec_points_mul(ecParams, &k, NULL, NULL, &(key->publicValue));    if (rv != SECSuccess) goto cleanup;    *privKey = key;cleanup:    mp_clear(&k);    if (rv)	PORT_FreeArena(arena, PR_TRUE);//.........这里部分代码省略.........

/*  * Computes scalar point multiplication pointQ = k1 * G + k2 * pointP for * the curve whose parameters are encoded in params with base point G. */SECStatus ec_points_mul(const ECParams *params, const mp_int *k1, const mp_int *k2,             const SECItem *pointP, SECItem *pointQ){    mp_int Px, Py, Qx, Qy;    mp_int Gx, Gy, order, irreducible, a, b;#if 0 /* currently don't support non-named curves */    unsigned int irr_arr[5];#endif    ECGroup *group = NULL;    SECStatus rv = SECFailure;    mp_err err = MP_OKAY;    int len;#if EC_DEBUG    int i;    char mpstr[256];    printf("ec_points_mul: params [len=%d]:", params->DEREncoding.len);    for (i = 0; i < params->DEREncoding.len; i++) 	    printf("%02x:", params->DEREncoding.data[i]);    printf("/n");	if (k1 != NULL) {		mp_tohex(k1, mpstr);		printf("ec_points_mul: scalar k1: %s/n", mpstr);		mp_todecimal(k1, mpstr);		printf("ec_points_mul: scalar k1: %s (dec)/n", mpstr);	}	if (k2 != NULL) {		mp_tohex(k2, mpstr);		printf("ec_points_mul: scalar k2: %s/n", mpstr);		mp_todecimal(k2, mpstr);		printf("ec_points_mul: scalar k2: %s (dec)/n", mpstr);	}	if (pointP != NULL) {		printf("ec_points_mul: pointP [len=%d]:", pointP->len);		for (i = 0; i < pointP->len; i++) 			printf("%02x:", pointP->data[i]);		printf("/n");	}#endif	/* NOTE: We only support uncompressed points for now */	len = (params->fieldID.size + 7) >> 3;	if (pointP != NULL) {		if ((pointP->data[0] != EC_POINT_FORM_UNCOMPRESSED) ||			(pointP->len != (2 * len + 1))) {			PORT_SetError(SEC_ERROR_UNSUPPORTED_EC_POINT_FORM);			return SECFailure;		};	}	MP_DIGITS(&Px) = 0;	MP_DIGITS(&Py) = 0;	MP_DIGITS(&Qx) = 0;	MP_DIGITS(&Qy) = 0;	MP_DIGITS(&Gx) = 0;	MP_DIGITS(&Gy) = 0;	MP_DIGITS(&order) = 0;	MP_DIGITS(&irreducible) = 0;	MP_DIGITS(&a) = 0;	MP_DIGITS(&b) = 0;	CHECK_MPI_OK( mp_init(&Px) );	CHECK_MPI_OK( mp_init(&Py) );	CHECK_MPI_OK( mp_init(&Qx) );	CHECK_MPI_OK( mp_init(&Qy) );	CHECK_MPI_OK( mp_init(&Gx) );	CHECK_MPI_OK( mp_init(&Gy) );	CHECK_MPI_OK( mp_init(&order) );	CHECK_MPI_OK( mp_init(&irreducible) );	CHECK_MPI_OK( mp_init(&a) );	CHECK_MPI_OK( mp_init(&b) );	if ((k2 != NULL) && (pointP != NULL)) {		/* Initialize Px and Py */		CHECK_MPI_OK( mp_read_unsigned_octets(&Px, pointP->data + 1, (mp_size) len) );		CHECK_MPI_OK( mp_read_unsigned_octets(&Py, pointP->data + 1 + len, (mp_size) len) );	}	/* construct from named params, if possible */	if (params->name != ECCurve_noName) {		group = ECGroup_fromName(params->name);	}#if 0 /* currently don't support non-named curves */	if (group == NULL) {		/* Set up mp_ints containing the curve coefficients */		CHECK_MPI_OK( mp_read_unsigned_octets(&Gx, params->base.data + 1, 										  (mp_size) len) );		CHECK_MPI_OK( mp_read_unsigned_octets(&Gy, params->base.data + 1 + len, 										  (mp_size) len) );		SECITEM_TO_MPINT( params->order, &order );		SECITEM_TO_MPINT( params->curve.a, &a );//.........这里部分代码省略.........

static SECStatusrsa_build_from_primes(mp_int *p, mp_int *q, 		mp_int *e, PRBool needPublicExponent, 		mp_int *d, PRBool needPrivateExponent,		RSAPrivateKey *key, unsigned int keySizeInBits){    mp_int n, phi;    mp_int psub1, qsub1, tmp;    mp_err   err = MP_OKAY;    SECStatus rv = SECSuccess;    MP_DIGITS(&n)     = 0;    MP_DIGITS(&phi)   = 0;    MP_DIGITS(&psub1) = 0;    MP_DIGITS(&qsub1) = 0;    MP_DIGITS(&tmp)   = 0;    CHECK_MPI_OK( mp_init(&n)     );    CHECK_MPI_OK( mp_init(&phi)   );    CHECK_MPI_OK( mp_init(&psub1) );    CHECK_MPI_OK( mp_init(&qsub1) );    CHECK_MPI_OK( mp_init(&tmp)   );    /* 1.  Compute n = p*q */    CHECK_MPI_OK( mp_mul(p, q, &n) );    /*     verify that the modulus has the desired number of bits */    if ((unsigned)mpl_significant_bits(&n) != keySizeInBits) {	PORT_SetError(SEC_ERROR_NEED_RANDOM);	rv = SECFailure;	goto cleanup;    }    /* at least one exponent must be given */    PORT_Assert(!(needPublicExponent && needPrivateExponent));    /* 2.  Compute phi = (p-1)*(q-1) */    CHECK_MPI_OK( mp_sub_d(p, 1, &psub1) );    CHECK_MPI_OK( mp_sub_d(q, 1, &qsub1) );    if (needPublicExponent || needPrivateExponent) {	CHECK_MPI_OK( mp_mul(&psub1, &qsub1, &phi) );	/* 3.  Compute d = e**-1 mod(phi) */	/*     or      e = d**-1 mod(phi) as necessary */	if (needPublicExponent) {	    err = mp_invmod(d, &phi, e);	} else {	    err = mp_invmod(e, &phi, d);	}    } else {	err = MP_OKAY;    }    /*     Verify that phi(n) and e have no common divisors */    if (err != MP_OKAY) {	if (err == MP_UNDEF) {	    PORT_SetError(SEC_ERROR_NEED_RANDOM);	    err = MP_OKAY; /* to keep PORT_SetError from being called again */	    rv = SECFailure;	}	goto cleanup;    }    /* 4.  Compute exponent1 = d mod (p-1) */    CHECK_MPI_OK( mp_mod(d, &psub1, &tmp) );    MPINT_TO_SECITEM(&tmp, &key->exponent1, key->arena);    /* 5.  Compute exponent2 = d mod (q-1) */    CHECK_MPI_OK( mp_mod(d, &qsub1, &tmp) );    MPINT_TO_SECITEM(&tmp, &key->exponent2, key->arena);    /* 6.  Compute coefficient = q**-1 mod p */    CHECK_MPI_OK( mp_invmod(q, p, &tmp) );    MPINT_TO_SECITEM(&tmp, &key->coefficient, key->arena);    /* copy our calculated results, overwrite what is there */    key->modulus.data = NULL;    MPINT_TO_SECITEM(&n, &key->modulus, key->arena);    key->privateExponent.data = NULL;    MPINT_TO_SECITEM(d, &key->privateExponent, key->arena);    key->publicExponent.data = NULL;    MPINT_TO_SECITEM(e, &key->publicExponent, key->arena);    key->prime1.data = NULL;    MPINT_TO_SECITEM(p, &key->prime1, key->arena);    key->prime2.data = NULL;    MPINT_TO_SECITEM(q, &key->prime2, key->arena);cleanup:    mp_clear(&n);    mp_clear(&phi);    mp_clear(&psub1);    mp_clear(&qsub1);    mp_clear(&tmp);    if (err) {	MP_TO_SEC_ERROR(err);	rv = SECFailure;    }    return rv;}

/* ** Performs an ECDH key derivation by computing the scalar point** multiplication of privateValue and publicValue (with or without the** cofactor) and returns the x-coordinate of the resulting elliptic** curve point in derived secret.  If successful, derivedSecret->data** is set to the address of the newly allocated buffer containing the** derived secret, and derivedSecret->len is the size of the secret** produced. It is the caller's responsibility to free the allocated** buffer containing the derived secret.*/SECStatus ECDH_Derive(SECItem  *publicValue,             ECParams *ecParams,            SECItem  *privateValue,            PRBool    withCofactor,            SECItem  *derivedSecret){    SECStatus rv = SECFailure;#ifndef NSS_DISABLE_ECC    unsigned int len = 0;    SECItem pointQ = {siBuffer, NULL, 0};    mp_int k; /* to hold the private value */    mp_int cofactor;    mp_err err = MP_OKAY;#if EC_DEBUG    int i;#endif    if (!publicValue || !ecParams || !privateValue || 	!derivedSecret) {	PORT_SetError(SEC_ERROR_INVALID_ARGS);	return SECFailure;    }    MP_DIGITS(&k) = 0;    memset(derivedSecret, 0, sizeof *derivedSecret);    len = (ecParams->fieldID.size + 7) >> 3;      pointQ.len = 2*len + 1;    if ((pointQ.data = PORT_Alloc(2*len + 1)) == NULL) goto cleanup;    CHECK_MPI_OK( mp_init(&k) );    CHECK_MPI_OK( mp_read_unsigned_octets(&k, privateValue->data, 	                                  (mp_size) privateValue->len) );    if (withCofactor && (ecParams->cofactor != 1)) {	    /* multiply k with the cofactor */	    MP_DIGITS(&cofactor) = 0;	    CHECK_MPI_OK( mp_init(&cofactor) );	    mp_set(&cofactor, ecParams->cofactor);	    CHECK_MPI_OK( mp_mul(&k, &cofactor, &k) );    }    /* Multiply our private key and peer's public point */    if (ec_points_mul(ecParams, NULL, &k, publicValue, &pointQ) != SECSuccess)	goto cleanup;    if (ec_point_at_infinity(&pointQ)) {	PORT_SetError(SEC_ERROR_BAD_KEY);  /* XXX better error code? */	goto cleanup;    }    /* Allocate memory for the derived secret and copy     * the x co-ordinate of pointQ into it.     */    SECITEM_AllocItem(NULL, derivedSecret, len);    memcpy(derivedSecret->data, pointQ.data + 1, len);    rv = SECSuccess;#if EC_DEBUG    printf("derived_secret:/n");    for (i = 0; i < derivedSecret->len; i++) 	printf("%02x:", derivedSecret->data[i]);    printf("/n");#endifcleanup:    mp_clear(&k);    if (err) {	MP_TO_SEC_ERROR(err);    }    if (pointQ.data) {	PORT_ZFree(pointQ.data, 2*len + 1);    }#else    PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);#endif /* NSS_DISABLE_ECC */    return rv;}

SECStatus DH_NewKey(DHParams *params, DHPrivateKey **privKey){    PLArenaPool *arena;    DHPrivateKey *key;    mp_int g, xa, p, Ya;    mp_err   err = MP_OKAY;    SECStatus rv = SECSuccess;    if (!params || !privKey) {	PORT_SetError(SEC_ERROR_INVALID_ARGS);	return SECFailure;    }    arena = PORT_NewArena(NSS_FREEBL_DEFAULT_CHUNKSIZE);    if (!arena) {	PORT_SetError(SEC_ERROR_NO_MEMORY);	return SECFailure;    }    key = (DHPrivateKey *)PORT_ArenaZAlloc(arena, sizeof(DHPrivateKey));    if (!key) {	PORT_SetError(SEC_ERROR_NO_MEMORY);	PORT_FreeArena(arena, PR_TRUE);	return SECFailure;    }    key->arena = arena;    MP_DIGITS(&g)  = 0;    MP_DIGITS(&xa) = 0;    MP_DIGITS(&p)  = 0;    MP_DIGITS(&Ya) = 0;    CHECK_MPI_OK( mp_init(&g)  );    CHECK_MPI_OK( mp_init(&xa) );    CHECK_MPI_OK( mp_init(&p)  );    CHECK_MPI_OK( mp_init(&Ya) );    /* Set private key's p */    CHECK_SEC_OK( SECITEM_CopyItem(arena, &key->prime, &params->prime) );    SECITEM_TO_MPINT(key->prime, &p);    /* Set private key's g */    CHECK_SEC_OK( SECITEM_CopyItem(arena, &key->base, &params->base) );    SECITEM_TO_MPINT(key->base, &g);    /* Generate private key xa */    SECITEM_AllocItem(arena, &key->privateValue,                      dh_GetSecretKeyLen(params->prime.len));    CHECK_SEC_OK(RNG_GenerateGlobalRandomBytes(key->privateValue.data,                                   key->privateValue.len));    SECITEM_TO_MPINT( key->privateValue, &xa );    /* xa < p */    CHECK_MPI_OK( mp_mod(&xa, &p, &xa) );    /* Compute public key Ya = g ** xa mod p */    CHECK_MPI_OK( mp_exptmod(&g, &xa, &p, &Ya) );    MPINT_TO_SECITEM(&Ya, &key->publicValue, key->arena);    *privKey = key;cleanup:    mp_clear(&g);    mp_clear(&xa);    mp_clear(&p);    mp_clear(&Ya);    if (err) {	MP_TO_SEC_ERROR(err);	rv = SECFailure;    }    if (rv) {	*privKey = NULL;	PORT_FreeArena(arena, PR_TRUE);    }    return rv;}

/*** Checks the signature on the given digest using the key provided.*/SECStatus ECDSA_VerifyDigest(ECPublicKey *key, const SECItem *signature,                  const SECItem *digest){    SECStatus rv = SECFailure;#ifndef NSS_DISABLE_ECC    mp_int r_, s_;           /* tuple (r', s') is received signature) */    mp_int c, u1, u2, v;     /* intermediate values used in verification */    mp_int x1;    mp_int n;    mp_err err = MP_OKAY;    ECParams *ecParams = NULL;    SECItem pointC = { siBuffer, NULL, 0 };    int slen;       /* length in bytes of a half signature (r or s) */    int flen;       /* length in bytes of the field size */    unsigned olen;  /* length in bytes of the base point order */    unsigned obits; /* length in bits  of the base point order */#if EC_DEBUG    char mpstr[256];    printf("ECDSA verification called/n");#endif    /* Initialize MPI integers. */    /* must happen before the first potential call to cleanup */    MP_DIGITS(&r_) = 0;    MP_DIGITS(&s_) = 0;    MP_DIGITS(&c) = 0;    MP_DIGITS(&u1) = 0;    MP_DIGITS(&u2) = 0;    MP_DIGITS(&x1) = 0;    MP_DIGITS(&v)  = 0;    MP_DIGITS(&n)  = 0;    /* Check args */    if (!key || !signature || !digest) {	PORT_SetError(SEC_ERROR_INVALID_ARGS);	goto cleanup;    }    ecParams = &(key->ecParams);    flen = (ecParams->fieldID.size + 7) >> 3;      olen = ecParams->order.len;      if (signature->len == 0 || signature->len%2 != 0 ||	signature->len > 2*olen) {	PORT_SetError(SEC_ERROR_INPUT_LEN);	goto cleanup;    }    slen = signature->len/2;    SECITEM_AllocItem(NULL, &pointC, 2*flen + 1);    if (pointC.data == NULL)	goto cleanup;    CHECK_MPI_OK( mp_init(&r_) );    CHECK_MPI_OK( mp_init(&s_) );    CHECK_MPI_OK( mp_init(&c)  );    CHECK_MPI_OK( mp_init(&u1) );    CHECK_MPI_OK( mp_init(&u2) );    CHECK_MPI_OK( mp_init(&x1)  );    CHECK_MPI_OK( mp_init(&v)  );    CHECK_MPI_OK( mp_init(&n)  );    /*    ** Convert received signature (r', s') into MPI integers.    */    CHECK_MPI_OK( mp_read_unsigned_octets(&r_, signature->data, slen) );    CHECK_MPI_OK( mp_read_unsigned_octets(&s_, signature->data + slen, slen) );                                              /*     ** ANSI X9.62, Section 5.4.2, Steps 1 and 2    **    ** Verify that 0 < r' < n and 0 < s' < n    */    SECITEM_TO_MPINT(ecParams->order, &n);    if (mp_cmp_z(&r_) <= 0 || mp_cmp_z(&s_) <= 0 ||        mp_cmp(&r_, &n) >= 0 || mp_cmp(&s_, &n) >= 0) {	PORT_SetError(SEC_ERROR_BAD_SIGNATURE);	goto cleanup; /* will return rv == SECFailure */    }    /*    ** ANSI X9.62, Section 5.4.2, Step 3    **    ** c = (s')**-1 mod n    */    CHECK_MPI_OK( mp_invmod(&s_, &n, &c) );      /* c = (s')**-1 mod n */    /*    ** ANSI X9.62, Section 5.4.2, Step 4    **    ** u1 = ((HASH(M')) * c) mod n    */    SECITEM_TO_MPINT(*digest, &u1);                  /* u1 = HASH(M)     */    /* In the definition of EC signing, digests are truncated     * to the length of n in bits. //.........这里部分代码省略.........

SECStatusRSA_PrivateKeyCheck(const RSAPrivateKey *key){    mp_int p, q, n, psub1, qsub1, e, d, d_p, d_q, qInv, res;    mp_err   err = MP_OKAY;    SECStatus rv = SECSuccess;    MP_DIGITS(&p)    = 0;    MP_DIGITS(&q)    = 0;    MP_DIGITS(&n)    = 0;    MP_DIGITS(&psub1)= 0;    MP_DIGITS(&qsub1)= 0;    MP_DIGITS(&e)    = 0;    MP_DIGITS(&d)    = 0;    MP_DIGITS(&d_p)  = 0;    MP_DIGITS(&d_q)  = 0;    MP_DIGITS(&qInv) = 0;    MP_DIGITS(&res)  = 0;    CHECK_MPI_OK( mp_init(&p)    );    CHECK_MPI_OK( mp_init(&q)    );    CHECK_MPI_OK( mp_init(&n)    );    CHECK_MPI_OK( mp_init(&psub1));    CHECK_MPI_OK( mp_init(&qsub1));    CHECK_MPI_OK( mp_init(&e)    );    CHECK_MPI_OK( mp_init(&d)    );    CHECK_MPI_OK( mp_init(&d_p)  );    CHECK_MPI_OK( mp_init(&d_q)  );    CHECK_MPI_OK( mp_init(&qInv) );    CHECK_MPI_OK( mp_init(&res)  );    if (!key->modulus.data || !key->prime1.data || !key->prime2.data ||        !key->publicExponent.data || !key->privateExponent.data ||        !key->exponent1.data || !key->exponent2.data ||        !key->coefficient.data) {        /*call RSA_PopulatePrivateKey first, if the application wishes to         * recover these parameters */        err = MP_BADARG;        goto cleanup;    }    SECITEM_TO_MPINT(key->modulus,         &n);    SECITEM_TO_MPINT(key->prime1,          &p);    SECITEM_TO_MPINT(key->prime2,          &q);    SECITEM_TO_MPINT(key->publicExponent,  &e);    SECITEM_TO_MPINT(key->privateExponent, &d);    SECITEM_TO_MPINT(key->exponent1,       &d_p);    SECITEM_TO_MPINT(key->exponent2,       &d_q);    SECITEM_TO_MPINT(key->coefficient,     &qInv);    /* p > q */    if (mp_cmp(&p, &q) <= 0) {	rv = SECFailure;	goto cleanup;    }#define VERIFY_MPI_EQUAL(m1, m2) /    if (mp_cmp(m1, m2) != 0) {   /	rv = SECFailure;         /	goto cleanup;            /    }#define VERIFY_MPI_EQUAL_1(m)    /    if (mp_cmp_d(m, 1) != 0) {   /	rv = SECFailure;         /	goto cleanup;            /    }    /*     * The following errors cannot be recovered from.     */    /* n == p * q */    CHECK_MPI_OK( mp_mul(&p, &q, &res) );    VERIFY_MPI_EQUAL(&res, &n);    /* gcd(e, p-1) == 1 */    CHECK_MPI_OK( mp_sub_d(&p, 1, &psub1) );    CHECK_MPI_OK( mp_gcd(&e, &psub1, &res) );    VERIFY_MPI_EQUAL_1(&res);    /* gcd(e, q-1) == 1 */    CHECK_MPI_OK( mp_sub_d(&q, 1, &qsub1) );    CHECK_MPI_OK( mp_gcd(&e, &qsub1, &res) );    VERIFY_MPI_EQUAL_1(&res);    /* d*e == 1 mod p-1 */    CHECK_MPI_OK( mp_mulmod(&d, &e, &psub1, &res) );    VERIFY_MPI_EQUAL_1(&res);    /* d*e == 1 mod q-1 */    CHECK_MPI_OK( mp_mulmod(&d, &e, &qsub1, &res) );    VERIFY_MPI_EQUAL_1(&res);    /*     * The following errors can be recovered from. However, the purpose of this     * function is to check consistency, so they are not.     */    /* d_p == d mod p-1 */    CHECK_MPI_OK( mp_mod(&d, &psub1, &res) );    VERIFY_MPI_EQUAL(&res, &d_p);    /* d_q == d mod q-1 */    CHECK_MPI_OK( mp_mod(&d, &qsub1, &res) );    VERIFY_MPI_EQUAL(&res, &d_q);    /* q * q**-1 == 1 mod p */    CHECK_MPI_OK( mp_mulmod(&q, &qInv, &p, &res) );    VERIFY_MPI_EQUAL_1(&res);cleanup:    mp_clear(&n);    mp_clear(&p);    mp_clear(&q);//.........这里部分代码省略.........