
自学教程:C++ EC_POINT_mul函数代码示例

51自学网 2021-06-01 20:31:25

本文整理汇总了C++中EC_POINT_mul函数的典型用法代码示例。如果您正苦于以下问题:C++ EC_POINT_mul函数的具体用法?C++ EC_POINT_mul怎么用?C++ EC_POINT_mul使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。


示例1: verifyRingSignatureAB

int verifyRingSignatureAB(data_chunk &keyImage, uint256 &txnHash, int nRingSize, const uint8_t *pPubkeys, const data_chunk &sigC, const uint8_t *pSigS){    // https://bitcointalk.org/index.php?topic=972541.msg10619684    // forall_{i=1..n} compute e_i=s_i*G+c_i*P_i and E_i=s_i*H(P_i)+c_i*I_j and c_{i+1}=h(P_1,...,P_n,e_i,E_i)    // check c_{n+1}=c_1    if (fDebugRingSig)    {        //LogPrintf("%s size %d/n", __func__, nRingSize); // happens often    };    if (sigC.size() != EC_SECRET_SIZE)        return errorN(1, "%s: sigC size !=  EC_SECRET_SIZE.", __func__);    if (keyImage.size() != EC_COMPRESSED_SIZE)        return errorN(1, "%s: keyImage size !=  EC_COMPRESSED_SIZE.", __func__);    int rv = 0;    uint256 tmpPkHash;    uint256 tmpHash;    uint8_t tempData[66]; // hold raw point data to hash    CHashWriter ssPkHash(SER_GETHASH, PROTOCOL_VERSION);    CHashWriter ssCjHash(SER_GETHASH, PROTOCOL_VERSION);    for (int i = 0; i < nRingSize; ++i)    {        ssPkHash.write((const char*)&pPubkeys[i * EC_COMPRESSED_SIZE], EC_COMPRESSED_SIZE);    };    tmpPkHash = ssPkHash.GetHash();    BN_CTX_start(bnCtx);    BIGNUM   *bnC  = BN_CTX_get(bnCtx);    BIGNUM   *bnC1 = BN_CTX_get(bnCtx);    BIGNUM   *bnT  = BN_CTX_get(bnCtx);    BIGNUM   *bnS  = BN_CTX_get(bnCtx);    EC_POINT *ptKi = NULL;    EC_POINT *ptT1 = NULL;    EC_POINT *ptT2 = NULL;    EC_POINT *ptT3 = NULL;    EC_POINT *ptPk = NULL;    EC_POINT *ptSi = NULL;    if (   !(ptKi = EC_POINT_new(ecGrp))        || !(ptT1 = EC_POINT_new(ecGrp))        || !(ptT2 = EC_POINT_new(ecGrp))        || !(ptT3 = EC_POINT_new(ecGrp))        || !(ptPk = EC_POINT_new(ecGrp))        || !(ptSi = EC_POINT_new(ecGrp)))    {        LogPrintf("%s: EC_POINT_new failed./n", __func__);        rv = 1; goto End;    };    // get keyimage as point    if (!EC_POINT_oct2point(ecGrp, ptKi, &keyImage[0], EC_COMPRESSED_SIZE, bnCtx))    {        LogPrintf("%s: extract ptKi failed./n", __func__);        rv = 1; goto End;    };    if (!bnC1 || 
!BN_bin2bn(&sigC[0], EC_SECRET_SIZE, bnC1))    {        LogPrintf("%s: BN_bin2bn failed./n", __func__);        rv = 1; goto End;    };    if (!BN_copy(bnC, bnC1))    {        LogPrintf("%s: BN_copy failed./n", __func__);        rv = 1; goto End;    };    for (int i = 0; i < nRingSize; ++i)    {        if (!bnS || !(BN_bin2bn(&pSigS[i * EC_SECRET_SIZE], EC_SECRET_SIZE, bnS)))        {            LogPrintf("%s: BN_bin2bn failed./n", __func__);            rv = 1; goto End;        };        // ptT2 <- pk        if (!EC_POINT_oct2point(ecGrp, ptPk, &pPubkeys[i * EC_COMPRESSED_SIZE], EC_COMPRESSED_SIZE, bnCtx))        {            LogPrintf("%s: EC_POINT_oct2point failed./n", __func__);            rv = 1; goto End;        };        // ptT1 = e_i=s_i*G+c_i*P_i        if (!EC_POINT_mul(ecGrp, ptT1, bnS, ptPk, bnC, bnCtx))        {            LogPrintf("%s: EC_POINT_mul failed./n", __func__);            rv = 1; goto End;        };        if (!(EC_POINT_point2oct(ecGrp, ptT1, POINT_CONVERSION_COMPRESSED, &tempData[0],  33, bnCtx) == (int) EC_COMPRESSED_SIZE))        {//.........这里部分代码省略.........
开发者ID:kewde,项目名称:shadowproject,代码行数:101,


示例2: compute_password_element

//.........这里部分代码省略.........        eap_pwd_h_update(hash, id_server, id_server_len);        eap_pwd_h_update(hash, password, password_len);        eap_pwd_h_update(hash, &ctr, sizeof(ctr));        eap_pwd_h_final(hash, pwe_digest);        BN_bin2bn(pwe_digest, SHA256_MAC_LEN, rnd);        if (eap_pwd_kdf(pwe_digest, SHA256_MAC_LEN,                        (u8 *) "EAP-pwd Hunting And Pecking",                        os_strlen("EAP-pwd Hunting And Pecking"),                        prfbuf, primebitlen) < 0)            goto fail;        BN_bin2bn(prfbuf, primebytelen, x_candidate);        /*         * eap_pwd_kdf() returns a string of bits 0..primebitlen but         * BN_bin2bn will treat that string of bits as a big endian         * number. If the primebitlen is not an even multiple of 8         * then excessive bits-- those _after_ primebitlen-- so now         * we have to shift right the amount we masked off.         */        if (primebitlen % 8)            BN_rshift(x_candidate, x_candidate,                      (8 - (primebitlen % 8)));        if (BN_ucmp(x_candidate, grp->prime) >= 0)            continue;        wpa_hexdump(MSG_DEBUG, "EAP-pwd: x_candidate",                    prfbuf, primebytelen);        /*         * need to unambiguously identify the solution, if there is         * one...         */        if (BN_is_odd(rnd))            is_odd = 1;        else            is_odd = 0;        /*         * solve the quadratic equation, if it's not solvable then we         * don't have a point         */        if (!EC_POINT_set_compressed_coordinates_GFp(grp->group,                grp->pwe,                x_candidate,                is_odd, NULL))            continue;        /*         * If there's a solution to the equation then the point must be         * on the curve so why check again explicitly? OpenSSL code         * says this is required by X9.62. We're not X9.62 but it can't         * hurt just to be sure.         
*/        if (!EC_POINT_is_on_curve(grp->group, grp->pwe, NULL)) {            wpa_printf(MSG_INFO, "EAP-pwd: point is not on curve");            continue;        }        if (BN_cmp(cofactor, BN_value_one())) {            /* make sure the point is not in a small sub-group */            if (!EC_POINT_mul(grp->group, grp->pwe, NULL, grp->pwe,                              cofactor, NULL)) {                wpa_printf(MSG_INFO, "EAP-pwd: cannot "                           "multiply generator by order");                continue;            }            if (EC_POINT_is_at_infinity(grp->group, grp->pwe)) {                wpa_printf(MSG_INFO, "EAP-pwd: point is at "                           "infinity");                continue;            }        }        /* if we got here then we have a new generator. */        break;    }    wpa_printf(MSG_DEBUG, "EAP-pwd: found a PWE in %d tries", ctr);    grp->group_num = num;    if (0) {fail:        EC_GROUP_free(grp->group);        grp->group = NULL;        EC_POINT_clear_free(grp->pwe);        grp->pwe = NULL;        BN_clear_free(grp->order);        grp->order = NULL;        BN_clear_free(grp->prime);        grp->prime = NULL;        ret = 1;    }    /* cleanliness and order.... */    BN_clear_free(cofactor);    BN_clear_free(x_candidate);    BN_clear_free(rnd);    os_free(prfbuf);    return ret;}
开发者ID:XianliangJ,项目名称:Mininet-WiFi,代码行数:101,


示例3: StealthSecret

int StealthSecret(ec_secret& secret, ec_point& pubkey, const ec_point& pkSpend, ec_secret& sharedSOut, ec_point& pkOut){    /*        send:        secret = ephem_secret, pubkey = scan_pubkey        receive:        secret = scan_secret, pubkey = ephem_pubkey        c = H(dP)        Q = public scan key (EC point, 33 bytes)    d = private scan key (integer, 32 bytes)    R = public spend key    f = private spend key    Q = dG    R = fG        Sender (has Q and R, not d or f):        P = eG    c = H(eQ) = H(dP)    R' = R + cG            Recipient gets R' and P        test 0 and infinity?    */        int rv = 0;    std::vector<uint8_t> vchOutQ;        BN_CTX* bnCtx   = NULL;    BIGNUM* bnEphem = NULL;    BIGNUM* bnQ     = NULL;    EC_POINT* Q     = NULL;    BIGNUM* bnOutQ  = NULL;    BIGNUM* bnc     = NULL;    EC_POINT* C     = NULL;    BIGNUM* bnR     = NULL;    EC_POINT* R     = NULL;    EC_POINT* Rout  = NULL;    BIGNUM* bnOutR  = NULL;        EC_GROUP* ecgrp = EC_GROUP_new_by_curve_name(NID_secp256k1);        if (!ecgrp)    {        printf("StealthSecret(): EC_GROUP_new_by_curve_name failed./n");        return 1;    };        if (!(bnCtx = BN_CTX_new()))    {        printf("StealthSecret(): BN_CTX_new failed./n");        rv = 1;        goto End;    };        if (!(bnEphem = BN_bin2bn(&secret.e[0], ec_secret_size, BN_new())))    {        printf("StealthSecret(): bnEphem BN_bin2bn failed./n");        rv = 1;        goto End;    };        if (!(bnQ = BN_bin2bn(&pubkey[0], pubkey.size(), BN_new())))    {        printf("StealthSecret(): bnQ BN_bin2bn failed/n");        rv = 1;        goto End;    };        if (!(Q = EC_POINT_bn2point(ecgrp, bnQ, NULL, bnCtx)))    {        printf("StealthSecret(): Q EC_POINT_bn2point failed/n");        rv = 1;        goto End;    };        // -- eQ    // EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *n, const EC_POINT *q, const BIGNUM *m, BN_CTX *ctx);    // EC_POINT_mul calculates the value generator * n + q * m and 
stores the result in r. The value n may be NULL in which case the result is just q * m.     if (!EC_POINT_mul(ecgrp, Q, NULL, Q, bnEphem, bnCtx))    {        printf("StealthSecret(): eQ EC_POINT_mul failed/n");        rv = 1;        goto End;    };        if (!(bnOutQ = EC_POINT_point2bn(ecgrp, Q, POINT_CONVERSION_COMPRESSED, BN_new(), bnCtx)))    {        printf("StealthSecret(): Q EC_POINT_bn2point failed/n");        rv = 1;        goto End;    };    //.........这里部分代码省略.........
开发者ID:Infernoman,项目名称:DarkSilk-Release-Candidate,代码行数:101,


示例4: ossl_ecdh_compute_key

/*- * This implementation is based on the following primitives in the IEEE 1363 standard: *  - ECKAS-DH1 *  - ECSVDP-DH * Finally an optional KDF is applied. */int ossl_ecdh_compute_key(void *out, size_t outlen, const EC_POINT *pub_key,                          const EC_KEY *ecdh,                          void *(*KDF) (const void *in, size_t inlen,                                        void *out, size_t *outlen)){    BN_CTX *ctx;    EC_POINT *tmp = NULL;    BIGNUM *x = NULL, *y = NULL;    const BIGNUM *priv_key;    const EC_GROUP *group;    int ret = -1;    size_t buflen, len;    unsigned char *buf = NULL;    if (outlen > INT_MAX) {        ECerr(EC_F_OSSL_ECDH_COMPUTE_KEY, ERR_R_MALLOC_FAILURE); /* sort of,                                                                 * anyway */        return -1;    }    if (ecdh->group->meth->ecdh_compute_key != 0)        return ecdh->group->meth->ecdh_compute_key(out, outlen, pub_key, ecdh,                                                   KDF);    if ((ctx = BN_CTX_new()) == NULL)        goto err;    BN_CTX_start(ctx);    x = BN_CTX_get(ctx);    y = BN_CTX_get(ctx);    priv_key = EC_KEY_get0_private_key(ecdh);    if (priv_key == NULL) {        ECerr(EC_F_OSSL_ECDH_COMPUTE_KEY, EC_R_NO_PRIVATE_VALUE);        goto err;    }    group = EC_KEY_get0_group(ecdh);    if (EC_KEY_get_flags(ecdh) & EC_FLAG_COFACTOR_ECDH) {        if (!EC_GROUP_get_cofactor(group, x, NULL) ||            !BN_mul(x, x, priv_key, ctx)) {            ECerr(EC_F_OSSL_ECDH_COMPUTE_KEY, ERR_R_MALLOC_FAILURE);            goto err;        }        priv_key = x;    }    if ((tmp = EC_POINT_new(group)) == NULL) {        ECerr(EC_F_OSSL_ECDH_COMPUTE_KEY, ERR_R_MALLOC_FAILURE);        goto err;    }    if (!EC_POINT_mul(group, tmp, NULL, pub_key, priv_key, ctx)) {        ECerr(EC_F_OSSL_ECDH_COMPUTE_KEY, EC_R_POINT_ARITHMETIC_FAILURE);        goto err;    }    if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) ==        NID_X9_62_prime_field) {        if 
(!EC_POINT_get_affine_coordinates_GFp(group, tmp, x, y, ctx)) {            ECerr(EC_F_OSSL_ECDH_COMPUTE_KEY, EC_R_POINT_ARITHMETIC_FAILURE);            goto err;        }    }#ifndef OPENSSL_NO_EC2M    else {        if (!EC_POINT_get_affine_coordinates_GF2m(group, tmp, x, y, ctx)) {            ECerr(EC_F_OSSL_ECDH_COMPUTE_KEY, EC_R_POINT_ARITHMETIC_FAILURE);            goto err;        }    }#endif    buflen = (EC_GROUP_get_degree(group) + 7) / 8;    len = BN_num_bytes(x);    if (len > buflen) {        ECerr(EC_F_OSSL_ECDH_COMPUTE_KEY, ERR_R_INTERNAL_ERROR);        goto err;    }    if ((buf = OPENSSL_malloc(buflen)) == NULL) {        ECerr(EC_F_OSSL_ECDH_COMPUTE_KEY, ERR_R_MALLOC_FAILURE);        goto err;    }    memset(buf, 0, buflen - len);    if (len != (size_t)BN_bn2bin(x, buf + buflen - len)) {        ECerr(EC_F_OSSL_ECDH_COMPUTE_KEY, ERR_R_BN_LIB);        goto err;    }    if (KDF != 0) {        if (KDF(buf, buflen, out, &outlen) == NULL) {            ECerr(EC_F_OSSL_ECDH_COMPUTE_KEY, EC_R_KDF_FAILED);            goto err;//.........这里部分代码省略.........
开发者ID:DeqiangSun,项目名称:openssl,代码行数:101,


示例5: ecdsa_sign_setup

static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in,                            BIGNUM **kinvp, BIGNUM **rp,                            const unsigned char *dgst, int dlen){    BN_CTX *ctx = NULL;    BIGNUM *k = NULL, *r = NULL, *order = NULL, *X = NULL;    EC_POINT *tmp_point = NULL;    const EC_GROUP *group;    int ret = 0;    if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL) {        ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_PASSED_NULL_PARAMETER);        return 0;    }    if (ctx_in == NULL) {        if ((ctx = BN_CTX_new()) == NULL) {            ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_MALLOC_FAILURE);            return 0;        }    } else        ctx = ctx_in;    k = BN_new();               /* this value is later returned in *kinvp */    r = BN_new();               /* this value is later returned in *rp */    order = BN_new();    X = BN_new();    if (!k || !r || !order || !X) {        ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_MALLOC_FAILURE);        goto err;    }    if ((tmp_point = EC_POINT_new(group)) == NULL) {        ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);        goto err;    }    if (!EC_GROUP_get_order(group, order, ctx)) {        ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);        goto err;    }    do {        /* get random k */        do            if (dgst != NULL) {                if (!BN_generate_dsa_nonce                    (k, order, EC_KEY_get0_private_key(eckey), dgst, dlen,                     ctx)) {                    ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,                             ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED);                    goto err;                }            } else {                if (!BN_rand_range(k, order)) {                    ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,                             ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED);                    goto err;                }            }        while (BN_is_zero(k));        /*         * We do not want timing information to leak the 
length of k, so we         * compute G*k using an equivalent scalar of fixed bit-length.         */        if (!BN_add(k, k, order))            goto err;        if (BN_num_bits(k) <= BN_num_bits(order))            if (!BN_add(k, k, order))                goto err;        /* compute r the x-coordinate of generator * k */        if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) {            ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);            goto err;        }        if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) ==            NID_X9_62_prime_field) {            if (!EC_POINT_get_affine_coordinates_GFp                (group, tmp_point, X, NULL, ctx)) {                ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);                goto err;            }        }#ifndef OPENSSL_NO_EC2M        else {                  /* NID_X9_62_characteristic_two_field */            if (!EC_POINT_get_affine_coordinates_GF2m(group,                                                      tmp_point, X, NULL,                                                      ctx)) {                ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);                goto err;            }        }#endif        if (!BN_nnmod(r, X, order, ctx)) {            ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);            goto err;        }    }//.........这里部分代码省略.........
开发者ID:Adallom,项目名称:openssl,代码行数:101,


示例6: ssl_ec_point_finish

/*
 * Finish an ECDHE exchange on a named prime curve: derive the shared secret
 * from the peer's encoded public point and our private scalar.
 *
 * ctx->data holds our private scalar (a BIGNUM); ctx->method->nid names the
 * curve. On success *out_secret receives a newly allocated buffer holding
 * the x-coordinate of peer_key * private_key, left-padded with zeros to the
 * field size (so the length is fixed per curve), *out_secret_len its length,
 * and 1 is returned. On failure 0 is returned and *out_alert is set to
 * SSL_AD_DECODE_ERROR when peer_key did not decode as a point, and to
 * SSL_AD_INTERNAL_ERROR for every other failure.
 *
 * Note that EC_POINT_oct2point is the only validation the peer's point gets
 * in this function; nothing else here checks it.
 */
static int ssl_ec_point_finish(SSL_ECDH_CTX *ctx, uint8_t **out_secret,
                               size_t *out_secret_len, uint8_t *out_alert,
                               const uint8_t *peer_key, size_t peer_key_len) {
  BIGNUM *priv = (BIGNUM *)ctx->data;
  BN_CTX *bn_ctx;
  EC_GROUP *curve = NULL;
  EC_POINT *their_point = NULL;
  EC_POINT *shared_point = NULL;
  BIGNUM *shared_x;
  uint8_t *buf = NULL;
  size_t buf_len;
  int ok = 0;

  assert(priv != NULL);

  /* Default alert; narrowed to DECODE_ERROR only for a bad peer encoding. */
  *out_alert = SSL_AD_INTERNAL_ERROR;

  /* One BN_CTX is shared by every big-number operation below. */
  bn_ctx = BN_CTX_new();
  if (bn_ctx == NULL) {
    return 0;
  }
  BN_CTX_start(bn_ctx);

  curve = EC_GROUP_new_by_curve_name(ctx->method->nid);
  if (curve == NULL) {
    goto out;
  }

  their_point = EC_POINT_new(curve);
  shared_point = EC_POINT_new(curve);
  if (their_point == NULL || shared_point == NULL) {
    goto out;
  }

  shared_x = BN_CTX_get(bn_ctx);
  if (shared_x == NULL) {
    goto out;
  }

  /* Decode the peer's point. A failure here is the peer's fault, not ours. */
  if (!EC_POINT_oct2point(curve, their_point, peer_key, peer_key_len, bn_ctx)) {
    *out_alert = SSL_AD_DECODE_ERROR;
    goto out;
  }

  /* shared_point = priv * their_point; only its x-coordinate is the secret. */
  if (!EC_POINT_mul(curve, shared_point, NULL, their_point, priv, bn_ctx)) {
    goto out;
  }
  if (!EC_POINT_get_affine_coordinates_GFp(curve, shared_point, shared_x, NULL,
                                           bn_ctx)) {
    goto out;
  }

  /* Fixed-width, zero-padded encoding of x: ceil(degree / 8) bytes. */
  buf_len = (EC_GROUP_get_degree(curve) + 7) / 8;
  buf = OPENSSL_malloc(buf_len);
  if (buf == NULL) {
    goto out;
  }
  if (!BN_bn2bin_padded(buf, buf_len, shared_x)) {
    goto out;
  }

  /* Hand ownership of buf to the caller. */
  *out_secret = buf;
  *out_secret_len = buf_len;
  buf = NULL;
  ok = 1;

out:
  EC_GROUP_free(curve);
  EC_POINT_free(their_point);
  EC_POINT_free(shared_point);
  BN_CTX_end(bn_ctx);
  BN_CTX_free(bn_ctx);
  OPENSSL_free(buf); /* NULL on success, so the returned secret survives. */
  return ok;
}
开发者ID:chjp2046,项目名称:boringssl,代码行数:62,


示例7: EC_KEY_generate_key

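/*
 * Generate a fresh EC key pair for eckey on its already-set group.
 *
 * The private scalar is drawn with BN_rand_range over [0, order-1] and a
 * zero result is redrawn, so the final scalar is in [1, order-1]; the
 * public point is priv * G. A BIGNUM / EC_POINT already hung off eckey is
 * reused in place; otherwise fresh objects are allocated and attached to
 * eckey only on success.
 *
 * Returns 1 on success, 0 on failure. ECerr is raised only for a NULL eckey
 * or group; other failures propagate from the BN/EC layer. On failure a
 * scalar this function allocated is wiped before it is freed, so key
 * material does not linger in released heap memory. If the caller's own
 * priv_key was reused it is left as is, which means it may hold a
 * partially generated value after a failed call.
 */
int EC_KEY_generate_key(EC_KEY *eckey)
	{
	int	ok = 0;
	BN_CTX	*ctx = NULL;
	BIGNUM	*priv_key = NULL, *order = NULL;
	EC_POINT *pub_key = NULL;

	if (!eckey || !eckey->group)
		{
		ECerr(EC_F_EC_KEY_GENERATE_KEY, ERR_R_PASSED_NULL_PARAMETER);
		return 0;
		}

	if ((order = BN_new()) == NULL) goto err;
	if ((ctx = BN_CTX_new()) == NULL) goto err;

	/* Reuse the caller's BIGNUM if present, else allocate one. */
	if (eckey->priv_key == NULL)
		{
		priv_key = BN_new();
		if (priv_key == NULL)
			goto err;
		}
	else
		priv_key = eckey->priv_key;

	if (!EC_GROUP_get_order(eckey->group, order, ctx))
		goto err;

	/* Uniform in [1, order-1]: redraw on the (negligible) zero case. */
	do
		if (!BN_rand_range(priv_key, order))
			goto err;
	while (BN_is_zero(priv_key));

	if (eckey->pub_key == NULL)
		{
		pub_key = EC_POINT_new(eckey->group);
		if (pub_key == NULL)
			goto err;
		}
	else
		pub_key = eckey->pub_key;

	/* pub = priv * G: generator-only form of EC_POINT_mul. */
	if (!EC_POINT_mul(eckey->group, pub_key, priv_key, NULL, NULL, ctx))
		goto err;

	eckey->priv_key = priv_key;
	eckey->pub_key  = pub_key;

	ok = 1;

err:
	if (order)
		BN_free(order);
	if (pub_key  != NULL && eckey->pub_key  == NULL)
		EC_POINT_free(pub_key);
	/*
	 * A scalar we allocated but did not attach is secret material (it
	 * may already hold a full random value); zero it before release
	 * rather than leaving it in freed memory.
	 */
	if (priv_key != NULL && eckey->priv_key == NULL)
		BN_clear_free(priv_key);
	if (ctx != NULL)
		BN_CTX_free(ctx);
	return(ok);
	}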
开发者ID:futuretekinc,项目名称:u-boot-1.22,代码行数:61,


示例8: main

//.........这里部分代码省略.........		{		EC_KEY *ec_key = EC_KEY_new();		EC_KEY_set_group(ec_key, ec_group);		EC_KEY_generate_key(ec_key);		fprintf(stdout, "%s/n", BN_bn2hex(EC_KEY_get0_private_key(ec_key)));		fprintf(stdout, "%s/n", EC_POINT_point2hex(ec_group, EC_KEY_get0_public_key(ec_key), point_form, bn_ctx));		EC_KEY_free(ec_key);		break;		}	case ECC_ADD:		{		if (!rest) {			fprintf(stderr, "%s: short of point/n", prog);			goto exit;		}		if (!rest[0] || !rest[1]) {			fprintf(stderr, "%s: short of point/n", prog);			goto exit;		}					if (!EC_POINT_hex2point(ec_group, rest[1], P, bn_ctx)) {			fprintf(stderr, "%s: first point invalid/n", prog);			goto exit;		}		if (!EC_POINT_hex2point(ec_group, rest[1], Q, bn_ctx)) {			fprintf(stderr, "%s: second point invalid/n", prog);			goto exit;		}		EC_POINT_add(ec_group, R, P, Q, bn_ctx);		fprintf(stdout, "%s/n", EC_POINT_point2hex(ec_group, R, point_form, bn_ctx));		break;		}	case ECC_DOUBLE:		{		EC_POINT_dbl(ec_group, R, P, bn_ctx);		fprintf(stdout, "%s/n", EC_POINT_point2hex(ec_group, R, point_form, bn_ctx));		break;		}	case ECC_MUL:		{		BIGNUM *order = NULL;		if (!BN_hex2bn(&k, rest[0])) {			fprintf(stderr, "%s: integer invalid/n", prog);			goto exit;		}				order = BN_new();		EC_GROUP_get_order(ec_group, order, bn_ctx);		if (BN_cmp(k, order) >= 0) {			fprintf(stderr, "%s: integer value invalid/n", prog);			BN_free(order);			goto exit;		}		BN_free(order);		if (!EC_POINT_hex2point(ec_group, rest[1], P, bn_ctx)) {			fprintf(stderr, "%s: point invalid/n", prog);			goto exit;		}		EC_POINT_mul(ec_group, R, k, P, NULL, bn_ctx);		fprintf(stdout, "%s/n", EC_POINT_point2hex(ec_group, R, point_form, bn_ctx));		break;		}	case ECC_MUL_G:		{		BIGNUM *order = NULL;		if (!BN_hex2bn(&k, rest[0])) {			fprintf(stderr, "%s: integer format invalid/n", prog);			goto exit;		}				order = BN_new();		EC_GROUP_get_order(ec_group, order, bn_ctx);		if (BN_cmp(k, order) >= 0) {			fprintf(stderr, "%s: integer value invalid/n", prog);			BN_free(order);			goto 
exit;		}		BN_free(order);				EC_POINT_mul(ec_group, R, k, EC_GROUP_get0_generator(ec_group), NULL, bn_ctx);		fprintf(stdout, "%s/n", EC_POINT_point2hex(ec_group, R, point_form, bn_ctx));		break;		}	default:		fprintf(stderr, "%s: command is required/n", prog);		break;	}	ok = 1;exit:	if (ec_group) EC_GROUP_free(ec_group);	if (P) EC_POINT_free(P);	if (k) BN_free(k);	if (bn_ctx) BN_CTX_free(bn_ctx);	return ok ? 0 : -1;}
开发者ID:LiTianjue,项目名称:GmSSL,代码行数:101,


示例9: EC_KEY_get0_group

SM2_CIPHERTEXT_VALUE *SM2_do_encrypt(const EVP_MD *kdf_md, const EVP_MD *mac_md,	const unsigned char *in, size_t inlen, EC_KEY *ec_key){	int ok = 0;	SM2_CIPHERTEXT_VALUE *cv = NULL;	const EC_GROUP *ec_group = EC_KEY_get0_group(ec_key);	const EC_POINT *pub_key = EC_KEY_get0_public_key(ec_key);	KDF_FUNC kdf = KDF_get_x9_63(kdf_md);	EC_POINT *point = NULL;	BIGNUM *n = NULL;	BIGNUM *h = NULL;	BIGNUM *k = NULL;	BN_CTX *bn_ctx = NULL;	EVP_MD_CTX *md_ctx = NULL;	unsigned char buf[(OPENSSL_ECC_MAX_FIELD_BITS + 7)/4 + 1];	int nbytes;	size_t len;	int i;	if (!ec_group || !pub_key) {		goto end;	}	if (!kdf) {		goto end;	}	/* init ciphertext_value */	if (!(cv = OPENSSL_malloc(sizeof(SM2_CIPHERTEXT_VALUE)))) {		goto end;	}	bzero(cv, sizeof(SM2_CIPHERTEXT_VALUE));	cv->ephem_point = EC_POINT_new(ec_group);	cv->ciphertext = OPENSSL_malloc(inlen);	cv->ciphertext_size = inlen;	if (!cv->ephem_point || !cv->ciphertext) {		goto end;	}	point = EC_POINT_new(ec_group);	n = BN_new();	h = BN_new();	k = BN_new();	bn_ctx = BN_CTX_new();	md_ctx = EVP_MD_CTX_create();	if (!point || !n || !h || !k || !bn_ctx || !md_ctx) {		goto end;	}	/* init ec domain parameters */	if (!EC_GROUP_get_order(ec_group, n, bn_ctx)) {		goto end;	}	if (!EC_GROUP_get_cofactor(ec_group, h, bn_ctx)) {		goto end;	}	nbytes = (EC_GROUP_get_degree(ec_group) + 7) / 8;	//OPENSSL_assert(nbytes == BN_num_bytes(n));#if 0	/* check sm2 curve and md is 256 bits */	OPENSSL_assert(nbytes == 32);	OPENSSL_assert(EVP_MD_size(kdf_md) == 32);	OPENSSL_assert(EVP_MD_size(mac_md) == 32);#endif	do	{		/* A1: rand k in [1, n-1] */		do {			BN_rand_range(k, n);		} while (BN_is_zero(k));			/* A2: C1 = [k]G = (x1, y1) */		if (!EC_POINT_mul(ec_group, cv->ephem_point, k, NULL, NULL, bn_ctx)) {			goto end;		}				/* A3: check [h]P_B != O */		if (!EC_POINT_mul(ec_group, point, NULL, pub_key, h, bn_ctx)) {			goto end;		}		if (EC_POINT_is_at_infinity(ec_group, point)) {			goto end;		}		/* A4: compute ECDH [k]P_B = (x2, y2) */		if (!EC_POINT_mul(ec_group, 
point, NULL, pub_key, k, bn_ctx)) {			goto end;		}		if (!(len = EC_POINT_point2oct(ec_group, point,			POINT_CONVERSION_UNCOMPRESSED, buf, sizeof(buf), bn_ctx))) {			goto end;		}		OPENSSL_assert(len == nbytes * 2 + 1);				/* A5: t = KDF(x2 || y2, klen) */		kdf(buf + 1, len - 1, cv->ciphertext, &cv->ciphertext_size);//.........这里部分代码省略.........
开发者ID:Mumblebo,项目名称:GmSSL,代码行数:101,


示例10: compute_password_element

//.........这里部分代码省略.........    }    ctr = 0;    while (1) {	if (ctr > 10) {	    DEBUG("unable to find random point on curve for group %d, something's fishy", grp_num);	    goto fail;	}	ctr++;	/*	 * compute counter-mode password value and stretch to prime	 *    pwd-seed = H(token | peer-id | server-id | password |	 *		   counter)	 */	H_Init(&ctx);	H_Update(&ctx, (uint8_t *)token, sizeof(*token));	H_Update(&ctx, (uint8_t *)id_peer, id_peer_len);	H_Update(&ctx, (uint8_t *)id_server, id_server_len);	H_Update(&ctx, (uint8_t *)password, password_len);	H_Update(&ctx, (uint8_t *)&ctr, sizeof(ctr));	H_Final(&ctx, pwe_digest);	BN_bin2bn(pwe_digest, SHA256_DIGEST_LENGTH, rnd);	eap_pwd_kdf(pwe_digest, SHA256_DIGEST_LENGTH,		    "EAP-pwd Hunting And Pecking",		    strlen("EAP-pwd Hunting And Pecking"),		    prfbuf, primebitlen);	BN_bin2bn(prfbuf, primebytelen, x_candidate);	/*	 * eap_pwd_kdf() returns a string of bits 0..primebitlen but	 * BN_bin2bn will treat that string of bits as a big endian	 * number. If the primebitlen is not an even multiple of 8	 * then excessive bits-- those _after_ primebitlen-- so now	 * we have to shift right the amount we masked off.	 */	if (primebitlen % 8) {	    BN_rshift(x_candidate, x_candidate, (8 - (primebitlen % 8)));	}	if (BN_ucmp(x_candidate, sess->prime) >= 0) {	    continue;	}	/*	 * need to unambiguously identify the solution, if there is	 * one...	 */	if (BN_is_odd(rnd)) {	    is_odd = 1;	} else {	    is_odd = 0;	}	/*	 * solve the quadratic equation, if it's not solvable then we	 * don't have a point	 */	if (!EC_POINT_set_compressed_coordinates_GFp(sess->group,						     sess->pwe,						     x_candidate,						     is_odd, NULL)) {	    continue;	}	/*	 * If there's a solution to the equation then the point must be	 * on the curve so why check again explicitly? OpenSSL code	 * says this is required by X9.62. We're not X9.62 but it can't	 * hurt just to be sure.	 
*/	if (!EC_POINT_is_on_curve(sess->group, sess->pwe, NULL)) {	    DEBUG("EAP-pwd: point is not on curve");	    continue;	}	if (BN_cmp(cofactor, BN_value_one())) {	    /* make sure the point is not in a small sub-group */	    if (!EC_POINT_mul(sess->group, sess->pwe, NULL, sess->pwe,			      cofactor, NULL)) {		DEBUG("EAP-pwd: cannot multiply generator by order");		continue;	    }	    if (EC_POINT_is_at_infinity(sess->group, sess->pwe)) {		DEBUG("EAP-pwd: point is at infinity");		continue;	    }	}	/* if we got here then we have a new generator. */	break;    }    sess->group_num = grp_num;    if (0) {fail:				/* DON'T free sess, it's in handler->opaque */	ret = -1;    }    /* cleanliness and order.... */    BN_free(cofactor);    BN_free(x_candidate);    BN_free(rnd);    talloc_free(prfbuf);    return ret;}
开发者ID:jcartermeru,项目名称:freeradius-server,代码行数:101,


示例11: process_peer_commit

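/*
 * Parse and validate the peer's EAP-pwd Commit and derive the shared secret.
 *
 * commit is the raw Commit payload: the peer's element as affine x then y
 * (each BN_num_bytes(sess->prime) bytes) followed by the peer's scalar
 * (BN_num_bytes(sess->order) bytes). No length is passed in, so the caller
 * must already have verified that commit holds at least that many bytes.
 *
 * On success sess->peer_element and sess->peer_scalar hold the decoded
 * values, sess->k holds the x-coordinate of
 *     K = private_value * (peer_scalar * PWE + peer_element)
 * and 0 is returned. Any failure returns 1. Objects attached to sess
 * (peer_scalar, k, peer_element) are not freed here on failure; as before,
 * that is left to the session teardown.
 *
 * Checks applied to the peer's values before they are used:
 *   - x and y must be reduced field elements (< prime);
 *   - the element must lie on the curve and, when the cofactor is not 1,
 *     must not be in a small subgroup;
 *   - the scalar must be in [1, order-1];
 *   - K must not be the point at infinity.
 * NOTE(review): the peer's element and scalar are not compared against the
 * values this side sent (a reflected Commit). That check needs the server's
 * own element/scalar, which are not visible from this function; add it
 * where they are reachable from sess.
 */
int
process_peer_commit (pwd_session_t *sess, uint8_t *commit, BN_CTX *bnctx)
{
    uint8_t *ptr;
    int prime_len, order_len;
    BIGNUM *x = NULL, *y = NULL, *cofactor = NULL;
    EC_POINT *K = NULL, *point = NULL;
    int res = 1;

    if (((sess->peer_scalar = BN_new()) == NULL) ||
	((sess->k = BN_new()) == NULL) ||
	((cofactor = BN_new()) == NULL) ||
	((x = BN_new()) == NULL) ||
	((y = BN_new()) == NULL) ||
	((point = EC_POINT_new(sess->group)) == NULL) ||
	((K = EC_POINT_new(sess->group)) == NULL) ||
	((sess->peer_element = EC_POINT_new(sess->group)) == NULL)) {
	DEBUG2("pwd: failed to allocate room to process peer's commit");
	goto fin;
    }

    if (!EC_GROUP_get_cofactor(sess->group, cofactor, NULL)) {
	DEBUG2("pwd: unable to get group co-factor");
	goto fin;
    }

    /* element, x then y, followed by scalar */
    prime_len = BN_num_bytes(sess->prime);
    order_len = BN_num_bytes(sess->order);
    ptr = (uint8_t *)commit;
    if (BN_bin2bn(ptr, prime_len, x) == NULL ||
	BN_bin2bn(ptr + prime_len, prime_len, y) == NULL ||
	BN_bin2bn(ptr + 2 * prime_len, order_len, sess->peer_scalar) == NULL) {
	DEBUG2("pwd: unable to decode peer's commit");
	goto fin;
    }

    /*
     * Coordinates must already be reduced field elements; do not rely on
     * the EC layer to reduce or reject an over-sized encoding.
     */
    if (BN_ucmp(x, sess->prime) >= 0 || BN_ucmp(y, sess->prime) >= 0) {
	DEBUG2("pwd: peer's element coordinates are not in the field");
	goto fin;
    }

    /* The scalar must be in [1, order-1]; zero or >= order is not a valid commit. */
    if (BN_is_zero(sess->peer_scalar) ||
	BN_ucmp(sess->peer_scalar, sess->order) >= 0) {
	DEBUG2("pwd: peer's scalar is out of range");
	goto fin;
    }

    if (!EC_POINT_set_affine_coordinates_GFp(sess->group,
					     sess->peer_element, x, y,
					     bnctx)) {
	DEBUG2("pwd: unable to get coordinates of peer's element");
	goto fin;
    }

    /*
     * Explicit on-curve check. Whether set_affine_coordinates already does
     * this depends on the OpenSSL version, and a point off the curve would
     * make the scalar multiplications below operate on a curve of the
     * peer's choosing.
     */
    if (EC_POINT_is_on_curve(sess->group, sess->peer_element, bnctx) != 1) {
	DEBUG2("pwd: peer's element is not on the curve");
	goto fin;
    }

    /* check to ensure peer's element is not in a small sub-group */
    if (BN_cmp(cofactor, BN_value_one())) {
	if (!EC_POINT_mul(sess->group, point, NULL,
			  sess->peer_element, cofactor, NULL)) {
	    DEBUG2("pwd: unable to multiply element by co-factor");
	    goto fin;
	}
	if (EC_POINT_is_at_infinity(sess->group, point)) {
	    DEBUG2("pwd: peer's element is in small sub-group");
	    goto fin;
	}
    }

    /* compute the shared key, k: K = private_value * (peer_scalar*PWE + peer_element) */
    if ((!EC_POINT_mul(sess->group, K, NULL, sess->pwe,
		       sess->peer_scalar, bnctx)) ||
	(!EC_POINT_add(sess->group, K, K, sess->peer_element,
		       bnctx)) ||
	(!EC_POINT_mul(sess->group, K, NULL, K, sess->private_value,
		       bnctx))) {
	DEBUG2("pwd: unable to compute shared key, k");
	goto fin;
    }

    /* ensure that the shared key isn't in a small sub-group */
    if (BN_cmp(cofactor, BN_value_one())) {
	if (!EC_POINT_mul(sess->group, K, NULL, K, cofactor,
			  NULL)) {
	    DEBUG2("pwd: unable to multiply k by co-factor");
	    goto fin;
	}
    }

    /*
     * Strictly only needed when the co-factor is > 1, but a point at
     * infinity has no affine x-coordinate, so reject it unconditionally
     * rather than hand a degenerate value to get_affine_coordinates.
     */
    if (EC_POINT_is_at_infinity(sess->group, K)) {
	DEBUG2("pwd: k is point-at-infinity!");
	goto fin;
    }

    /* Only the x-coordinate of K is the shared secret. */
    if (!EC_POINT_get_affine_coordinates_GFp(sess->group, K, sess->k,
					     NULL, bnctx)) {
	DEBUG2("pwd: unable to get shared secret from K");
	goto fin;
    }

    res = 0;
  fin:
    EC_POINT_free(K);
    EC_POINT_free(point);
    BN_free(cofactor);
    BN_free(x);
    BN_free(y);
    return res;
}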
开发者ID:jcartermeru,项目名称:freeradius-server,代码行数:98,


示例12: generateRingSignatureAB

int generateRingSignatureAB(data_chunk &keyImage, uint256 &txnHash, int nRingSize, int nSecretOffset, ec_secret secret, const uint8_t *pPubkeys, data_chunk &sigC, uint8_t *pSigS){    // https://bitcointalk.org/index.php?topic=972541.msg10619684    if (fDebugRingSig)        LogPrintf("%s: Ring size %d./n", __func__, nRingSize);    assert(nRingSize < 200);    RandAddSeedPerfmon();    memset(pSigS, 0, EC_SECRET_SIZE * nRingSize);    int rv = 0;    int nBytes;    uint256 tmpPkHash;    uint256 tmpHash;    uint8_t tempData[66]; // hold raw point data to hash    ec_secret sAlpha;    if (0 != GenerateRandomSecret(sAlpha))        return errorN(1, "%s: GenerateRandomSecret failed.", __func__);    CHashWriter ssPkHash(SER_GETHASH, PROTOCOL_VERSION);    CHashWriter ssCjHash(SER_GETHASH, PROTOCOL_VERSION);    uint256 test;    for (int i = 0; i < nRingSize; ++i)    {        ssPkHash.write((const char*)&pPubkeys[i * EC_COMPRESSED_SIZE], EC_COMPRESSED_SIZE);        if (i == nSecretOffset)            continue;        int k;        // NOTE: necessary to clamp?        
for (k = 0; k < 32; ++k)        {            if (1 != RAND_bytes(&pSigS[i * EC_SECRET_SIZE], 32))                return errorN(1, "%s: RAND_bytes ERR_get_error %u.", __func__, ERR_get_error());            memcpy(test.begin(), &pSigS[i * EC_SECRET_SIZE], 32);            if (test > MIN_SECRET && test < MAX_SECRET)                break;        };        if (k > 31)            return errorN(1, "%s: Failed to generate a valid key.", __func__);    };    tmpPkHash = ssPkHash.GetHash();    BN_CTX_start(bnCtx);    BIGNUM   *bnT  = BN_CTX_get(bnCtx);    BIGNUM   *bnT2 = BN_CTX_get(bnCtx);    BIGNUM   *bnS  = BN_CTX_get(bnCtx);    BIGNUM   *bnC  = BN_CTX_get(bnCtx);    BIGNUM   *bnCj = BN_CTX_get(bnCtx);    BIGNUM   *bnA  = BN_CTX_get(bnCtx);    EC_POINT *ptKi = NULL;    EC_POINT *ptPk = NULL;    EC_POINT *ptT1 = NULL;    EC_POINT *ptT2 = NULL;    EC_POINT *ptT3 = NULL;    EC_POINT *ptT4 = NULL;    if (   !(ptKi = EC_POINT_new(ecGrp))        || !(ptPk = EC_POINT_new(ecGrp))        || !(ptT1 = EC_POINT_new(ecGrp))        || !(ptT2 = EC_POINT_new(ecGrp))        || !(ptT3 = EC_POINT_new(ecGrp))        || !(ptT4 = EC_POINT_new(ecGrp)))    {        LogPrintf("%s: EC_POINT_new failed./n", __func__);        rv = 1; goto End;    };    // get keyimage as point    if (!EC_POINT_oct2point(ecGrp, ptKi, &keyImage[0], EC_COMPRESSED_SIZE, bnCtx))    {        LogPrintf("%s: extract ptKi failed./n", __func__);        rv = 1; goto End;    };    // c_{j+1} = h(P_1,...,P_n,alpha*G,alpha*H(P_j))    if (!bnA || !(BN_bin2bn(&sAlpha.e[0], EC_SECRET_SIZE, bnA)))    {        LogPrintf("%s: BN_bin2bn failed./n", __func__);        rv = 1; goto End;    };    // ptT1 = alpha * G    if (!EC_POINT_mul(ecGrp, ptT1, bnA, NULL, NULL, bnCtx))    {        LogPrintf("%s: EC_POINT_mul failed./n", __func__);        rv = 1; goto End;    };//.........这里部分代码省略.........
开发者ID:kewde,项目名称:shadowproject,代码行数:101,


示例13: verifyRingSignature

int verifyRingSignature(data_chunk &keyImage, uint256 &txnHash, int nRingSize, const uint8_t *pPubkeys, const uint8_t *pSigc, const uint8_t *pSigr){    if (fDebugRingSig)    {        // LogPrintf("%s size %d/n", __func__, nRingSize); // happens often    };    int rv = 0;    BN_CTX_start(bnCtx);    BIGNUM   *bnT   = BN_CTX_get(bnCtx);    BIGNUM   *bnH   = BN_CTX_get(bnCtx);    BIGNUM   *bnC   = BN_CTX_get(bnCtx);    BIGNUM   *bnR   = BN_CTX_get(bnCtx);    BIGNUM   *bnSum = BN_CTX_get(bnCtx);    EC_POINT *ptT1  = NULL;    EC_POINT *ptT2  = NULL;    EC_POINT *ptT3  = NULL;    EC_POINT *ptPk  = NULL;    EC_POINT *ptKi  = NULL;    EC_POINT *ptL   = NULL;    EC_POINT *ptR   = NULL;    EC_POINT *ptSi  = NULL;    uint8_t tempData[66]; // hold raw point data to hash    uint256 commitHash;    CHashWriter ssCommitHash(SER_GETHASH, PROTOCOL_VERSION);    ssCommitHash << txnHash;    // zero sum    if (!bnSum || !(BN_zero(bnSum)))    {        LogPrintf("%s: BN_zero failed./n", __func__);        rv = 1; goto End;    };    if (   !(ptT1 = EC_POINT_new(ecGrp))        || !(ptT2 = EC_POINT_new(ecGrp))        || !(ptT3 = EC_POINT_new(ecGrp))        || !(ptPk = EC_POINT_new(ecGrp))        || !(ptKi = EC_POINT_new(ecGrp))        || !(ptL  = EC_POINT_new(ecGrp))        || !(ptSi = EC_POINT_new(ecGrp))        || !(ptR  = EC_POINT_new(ecGrp)))    {        LogPrintf("%s: EC_POINT_new failed./n", __func__);        rv = 1; goto End;    };    // get keyimage as point    if (!(bnT = BN_bin2bn(&keyImage[0], EC_COMPRESSED_SIZE, bnT))        || !(ptKi) || !(ptKi = EC_POINT_bn2point(ecGrp, bnT, ptKi, bnCtx)))    {        LogPrintf("%s: extract ptKi failed./n", __func__);        rv = 1; goto End;    };    for (int i = 0; i < nRingSize; ++i)    {        // Li = ci * Pi + ri * G        // Ri = ci * I + ri * Hp(Pi)        if (   !bnC || !(bnC = BN_bin2bn(&pSigc[i * EC_SECRET_SIZE], EC_SECRET_SIZE, bnC))            || !bnR || !(bnR = BN_bin2bn(&pSigr[i * EC_SECRET_SIZE], EC_SECRET_SIZE, bnR)))        {   
         LogPrintf("%s: extract bnC and bnR failed./n", __func__);            rv = 1; goto End;        };        // get Pk i as point        if (!(bnT = BN_bin2bn(&pPubkeys[i * EC_COMPRESSED_SIZE], EC_COMPRESSED_SIZE, bnT))            || !(ptPk) || !(ptPk = EC_POINT_bn2point(ecGrp, bnT, ptPk, bnCtx)))        {            LogPrintf("%s: extract ptPk failed./n", __func__);            rv = 1; goto End;        };        // ptT1 = ci * Pi        if (!EC_POINT_mul(ecGrp, ptT1, NULL, ptPk, bnC, bnCtx))        {            LogPrintf("%s: EC_POINT_mul failed./n", __func__);            rv = 1; goto End;        };        // ptT2 = ri * G        if (!EC_POINT_mul(ecGrp, ptT2, bnR, NULL, NULL, bnCtx))        {            LogPrintf("%s: EC_POINT_mul failed./n", __func__);            rv = 1; goto End;        };        // ptL = ptT1 + ptT2        if (!EC_POINT_add(ecGrp, ptL, ptT1, ptT2, bnCtx))        {            LogPrintf("%s: EC_POINT_add failed./n", __func__);            rv = 1; goto End;        };//.........这里部分代码省略.........
开发者ID:kewde,项目名称:shadowproject,代码行数:101,


示例14: generateRingSignature

int generateRingSignature(data_chunk &keyImage, uint256 &txnHash, int nRingSize, int nSecretOffset, ec_secret secret, const uint8_t *pPubkeys, uint8_t *pSigc, uint8_t *pSigr){    if (fDebugRingSig)        LogPrintf("%s: Ring size %d./n", __func__, nRingSize);    int rv = 0;    int nBytes;    BN_CTX_start(bnCtx);    BIGNUM   *bnKS  = BN_CTX_get(bnCtx);    BIGNUM   *bnK1  = BN_CTX_get(bnCtx);    BIGNUM   *bnK2  = BN_CTX_get(bnCtx);    BIGNUM   *bnT   = BN_CTX_get(bnCtx);    BIGNUM   *bnH   = BN_CTX_get(bnCtx);    BIGNUM   *bnSum = BN_CTX_get(bnCtx);    EC_POINT *ptT1  = NULL;    EC_POINT *ptT2  = NULL;    EC_POINT *ptT3  = NULL;    EC_POINT *ptPk  = NULL;    EC_POINT *ptKi  = NULL;    EC_POINT *ptL   = NULL;    EC_POINT *ptR   = NULL;    uint8_t tempData[66]; // hold raw point data to hash    uint256 commitHash;    ec_secret scData1, scData2;    CHashWriter ssCommitHash(SER_GETHASH, PROTOCOL_VERSION);    ssCommitHash << txnHash;    // zero signature    memset(pSigc, 0, EC_SECRET_SIZE * nRingSize);    memset(pSigr, 0, EC_SECRET_SIZE * nRingSize);    // ks = random 256 bit int mod P    if (GenerateRandomSecret(scData1)    && (rv = errorN(1, "%s: GenerateRandomSecret failed.", __func__)))        goto End;    if (!bnKS || !(BN_bin2bn(&scData1.e[0], EC_SECRET_SIZE, bnKS)))    {        LogPrintf("%s: BN_bin2bn failed./n", __func__);        rv = 1; goto End;    };    // zero sum    if (!bnSum || !(BN_zero(bnSum)))    {        LogPrintf("%s: BN_zero failed./n", __func__);        rv = 1; goto End;    };    if (   !(ptT1 = EC_POINT_new(ecGrp))        || !(ptT2 = EC_POINT_new(ecGrp))        || !(ptT3 = EC_POINT_new(ecGrp))        || !(ptPk = EC_POINT_new(ecGrp))        || !(ptKi = EC_POINT_new(ecGrp))        || !(ptL  = EC_POINT_new(ecGrp))        || !(ptR  = EC_POINT_new(ecGrp)))    {        LogPrintf("%s: EC_POINT_new failed./n", __func__);        rv = 1; goto End;    };    // get keyimage as point    if (!(bnT = BN_bin2bn(&keyImage[0], EC_COMPRESSED_SIZE, bnT))        || 
!(ptKi) || !(ptKi = EC_POINT_bn2point(ecGrp, bnT, ptKi, bnCtx)))    {        LogPrintf("%s: extract ptKi failed./n", __func__);        rv = 1; goto End;    };    for (int i = 0; i < nRingSize; ++i)    {        if (i == nSecretOffset)        {            // k = random 256 bit int mod P            // L = k * G            // R = k * HashToEC(PKi)            if (!EC_POINT_mul(ecGrp, ptL, bnKS, NULL, NULL, bnCtx))            {                LogPrintf("%s: EC_POINT_mul failed./n", __func__);                rv = 1; goto End;            };            if (hashToEC(&pPubkeys[i * EC_COMPRESSED_SIZE], EC_COMPRESSED_SIZE, bnT, ptT1) != 0)            {                LogPrintf("%s: hashToEC failed./n", __func__);                rv = 1; goto End;            };            if (!EC_POINT_mul(ecGrp, ptR, NULL, ptT1, bnKS, bnCtx))            {                LogPrintf("%s: EC_POINT_mul failed./n", __func__);                rv = 1; goto End;            };//.........这里部分代码省略.........
开发者ID:kewde,项目名称:shadowproject,代码行数:101,


示例15: ecdsa_sign_setup

static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in,                            BIGNUM **kinvp, BIGNUM **rp,                            const unsigned char *dgst, int dlen){    BN_CTX *ctx = NULL;    BIGNUM *k = NULL, *r = NULL, *X = NULL;    const BIGNUM *order;    EC_POINT *tmp_point = NULL;    const EC_GROUP *group;    int ret = 0;    int order_bits;    if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL) {        ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_PASSED_NULL_PARAMETER);        return 0;    }    if (!EC_KEY_can_sign(eckey)) {        ECerr(EC_F_ECDSA_SIGN_SETUP, EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING);        return 0;    }    if (ctx_in == NULL) {        if ((ctx = BN_CTX_new()) == NULL) {            ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_MALLOC_FAILURE);            return 0;        }    } else        ctx = ctx_in;    k = BN_new();               /* this value is later returned in *kinvp */    r = BN_new();               /* this value is later returned in *rp */    X = BN_new();    if (k == NULL || r == NULL || X == NULL) {        ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_MALLOC_FAILURE);        goto err;    }    if ((tmp_point = EC_POINT_new(group)) == NULL) {        ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);        goto err;    }    order = EC_GROUP_get0_order(group);    if (order == NULL) {        ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);        goto err;    }    /* Preallocate space */    order_bits = BN_num_bits(order);    if (!BN_set_bit(k, order_bits)        || !BN_set_bit(r, order_bits)        || !BN_set_bit(X, order_bits))        goto err;    do {        /* get random k */        do            if (dgst != NULL) {                if (!BN_generate_dsa_nonce                    (k, order, EC_KEY_get0_private_key(eckey), dgst, dlen,                     ctx)) {                    ECerr(EC_F_ECDSA_SIGN_SETUP,                             EC_R_RANDOM_NUMBER_GENERATION_FAILED);                    goto err;                }            } else {                
if (!BN_priv_rand_range(k, order)) {                    ECerr(EC_F_ECDSA_SIGN_SETUP,                             EC_R_RANDOM_NUMBER_GENERATION_FAILED);                    goto err;                }            }        while (BN_is_zero(k));        /* compute r the x-coordinate of generator * k */        if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) {            ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);            goto err;        }        if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) ==            NID_X9_62_prime_field) {            if (!EC_POINT_get_affine_coordinates_GFp                (group, tmp_point, X, NULL, ctx)) {                ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);                goto err;            }        }#ifndef OPENSSL_NO_EC2M        else {                  /* NID_X9_62_characteristic_two_field */            if (!EC_POINT_get_affine_coordinates_GF2m(group,                                                      tmp_point, X, NULL,                                                      ctx)) {                ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);                goto err;            }        }#endif        if (!BN_nnmod(r, X, order, ctx)) {            ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);//.........这里部分代码省略.........
开发者ID:tcmx,项目名称:openssl,代码行数:101,


示例16: SM2_do_decrypt

int SM2_do_decrypt(const EVP_MD *kdf_md, const EVP_MD *mac_md,	const SM2_CIPHERTEXT_VALUE *cv, unsigned char *out, size_t *outlen,	EC_KEY *ec_key){	int ret = 0;	const EC_GROUP *ec_group = EC_KEY_get0_group(ec_key);	const BIGNUM *pri_key = EC_KEY_get0_private_key(ec_key);	KDF_FUNC kdf = KDF_get_x9_63(kdf_md);	EC_POINT *point = NULL;	BIGNUM *n = NULL;	BIGNUM *h = NULL;	BN_CTX *bn_ctx = NULL;	EVP_MD_CTX *md_ctx = NULL;	unsigned char buf[(OPENSSL_ECC_MAX_FIELD_BITS + 7)/4 + 1];	unsigned char mac[EVP_MAX_MD_SIZE];	unsigned int maclen;	int nbytes;	size_t size;	int i;	OPENSSL_assert(kdf_md && mac_md && cv && ec_key);	OPENSSL_assert(cv->ephem_point && cv->ciphertext);	if (!ec_group || !pri_key) {		goto end;	}	if (!kdf) {		goto end;	}	if (!out) {		*outlen = cv->ciphertext_size;		return 1;	}	if (*outlen < cv->ciphertext_size) {		goto end;	}	/* init vars */	point = EC_POINT_new(ec_group);	n = BN_new();	h = BN_new();	bn_ctx = BN_CTX_new();	md_ctx = EVP_MD_CTX_create();	if (!point || !n || !h || !bn_ctx || !md_ctx) {		goto end;	}		/* init ec domain parameters */	if (!EC_GROUP_get_order(ec_group, n, bn_ctx)) {		goto end;	}	if (!EC_GROUP_get_cofactor(ec_group, h, bn_ctx)) {		goto end;	}	nbytes = (EC_GROUP_get_degree(ec_group) + 7) / 8;	//OPENSSL_assert(nbytes == BN_num_bytes(n));#if 0	/* check sm2 curve and md is 256 bits */	OPENSSL_assert(nbytes == 32);	OPENSSL_assert(EVP_MD_size(kdf_md) == 32);	OPENSSL_assert(EVP_MD_size(mac_md) == 32);#endif	/* B2: check [h]C1 != O */	if (!EC_POINT_mul(ec_group, point, NULL, cv->ephem_point, h, bn_ctx)) {		goto end;	}	if (EC_POINT_is_at_infinity(ec_group, point)) {		goto end;	}	/* B3: compute ECDH [d]C1 = (x2, y2) */		if (!EC_POINT_mul(ec_group, point, NULL, cv->ephem_point, pri_key, bn_ctx)) {		goto end;	}	if (!(size = EC_POINT_point2oct(ec_group, point,		POINT_CONVERSION_UNCOMPRESSED, buf, sizeof(buf), bn_ctx))) {		goto end;	}	OPENSSL_assert(size == 1 + nbytes * 2);	/* B4: compute t = KDF(x2 || y2, clen) */	*outlen = cv->ciphertext_size; 
//FIXME: duplicated code	kdf(buf + 1, size - 1, out, outlen);	/* B5: compute M = C2 xor t */	for (i = 0; i < cv->ciphertext_size; i++) {		out[i] ^= cv->ciphertext[i];	}	*outlen = cv->ciphertext_size;	/* B6: check Hash(x2 || M || y2) == C3 */	if (!EVP_DigestInit_ex(md_ctx, mac_md, NULL)) {		goto end;	}	if (!EVP_DigestUpdate(md_ctx, buf + 1, nbytes)) {//.........这里部分代码省略.........
开发者ID:Mumblebo,项目名称:GmSSL,代码行数:101,


示例17: GOST_KEY_check_key

/*
 * Validate a GOST EC key pair: the public point must be on the curve, must
 * not be the point at infinity and must have the group's order; when a
 * private scalar is present it must be below the order and must reproduce
 * the public point.
 *
 * Returns 1 when every check passes and 0 otherwise.  A failed check queues
 * a GOSTerr reason; a failed allocation returns 0 silently.
 */
int GOST_KEY_check_key(const GOST_KEY *key)
{
    int rv = 0;
    BN_CTX *bnctx = NULL;
    BIGNUM *n = NULL;
    EC_POINT *tmp = NULL;

    if (key == NULL || key->group == NULL || key->pub_key == NULL) {
        GOSTerr(GOST_F_GOST_KEY_CHECK_KEY, ERR_R_PASSED_NULL_PARAMETER);
        return 0;
    }

    do {
        const EC_GROUP *grp = key->group;

        if (EC_POINT_is_at_infinity(grp, key->pub_key)) {
            GOSTerr(GOST_F_GOST_KEY_CHECK_KEY, EC_R_POINT_AT_INFINITY);
            break;
        }

        bnctx = BN_CTX_new();
        if (bnctx == NULL)
            break;
        tmp = EC_POINT_new(grp);
        if (tmp == NULL)
            break;

        /* pub_key has to satisfy the curve equation (<= 0 also catches -1 = error) */
        if (EC_POINT_is_on_curve(grp, key->pub_key, bnctx) <= 0) {
            GOSTerr(GOST_F_GOST_KEY_CHECK_KEY, EC_R_POINT_IS_NOT_ON_CURVE);
            break;
        }

        n = BN_new();
        if (n == NULL)
            break;
        if (!EC_GROUP_get_order(grp, n, bnctx)) {
            GOSTerr(GOST_F_GOST_KEY_CHECK_KEY, EC_R_INVALID_GROUP_ORDER);
            break;
        }

        /* [n]pub_key must be the identity, i.e. pub_key lies in the order-n subgroup */
        if (!EC_POINT_mul(grp, tmp, NULL, key->pub_key, n, bnctx)) {
            GOSTerr(GOST_F_GOST_KEY_CHECK_KEY, ERR_R_EC_LIB);
            break;
        }
        if (!EC_POINT_is_at_infinity(grp, tmp)) {
            GOSTerr(GOST_F_GOST_KEY_CHECK_KEY, EC_R_WRONG_ORDER);
            break;
        }

        /* optional private part: priv_key < n and [priv_key]G == pub_key */
        if (key->priv_key != NULL) {
            if (BN_cmp(key->priv_key, n) >= 0) {
                GOSTerr(GOST_F_GOST_KEY_CHECK_KEY, EC_R_WRONG_ORDER);
                break;
            }
            if (!EC_POINT_mul(grp, tmp, key->priv_key, NULL, NULL, bnctx)) {
                GOSTerr(GOST_F_GOST_KEY_CHECK_KEY, ERR_R_EC_LIB);
                break;
            }
            if (EC_POINT_cmp(grp, tmp, key->pub_key, bnctx) != 0) {
                GOSTerr(GOST_F_GOST_KEY_CHECK_KEY, EC_R_INVALID_PRIVATE_KEY);
                break;
            }
        }

        rv = 1;
    } while (0);

    BN_free(n);
    BN_CTX_free(bnctx);
    EC_POINT_free(tmp);
    return rv;
}
开发者ID:vigortls,项目名称:vigortls,代码行数:65,


示例18: ecdh_gm_compute_key

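/*
 * PACE generic mapping, ECDH variant: derive the ephemeral domain
 * parameters from the static key.  The nonce s and the peer's mapping key
 * in are combined into h = ECDH(static_key, in) and a new generator
 * g' = s*g + h; the key installed in ctx->ka_ctx->key is a copy of the
 * static key whose group has been switched to (g', order, cofactor).
 *
 * ctx     PACE context; requires ctx->static_key and ctx->ka_ctx
 * s       nonce as big-endian bytes
 * in      peer's mapping public key, in whatever form ecdh_compute_key()
 *         accepts
 * bn_ctx  BN_CTX; one frame is started and ended inside this function
 *
 * Returns 1 on success, 0 on failure.  The check() macro presumably logs
 * its message and jumps to err on a failed argument check -- TODO confirm.
 */
int
ecdh_gm_compute_key(PACE_CTX * ctx, const BUF_MEM * s, const BUF_MEM * in,
        BN_CTX *bn_ctx)
{
    int ret = 0;
    BUF_MEM * mem_h = NULL;
    BIGNUM * bn_s = NULL, *order = NULL, *cofactor = NULL;
    EC_POINT * ecp_h = NULL, *ecp_g = NULL;
    const ECDH_METHOD *default_method;
    EC_GROUP *group = NULL;
    EC_KEY *static_key = NULL, *ephemeral_key = NULL;

    BN_CTX_start(bn_ctx);

    check((ctx && ctx->static_key && s && ctx->ka_ctx), "Invalid arguments");

    static_key = EVP_PKEY_get1_EC_KEY(ctx->static_key);
    check(static_key, "could not get key object");

    /* Extract group parameters into a private copy (its generator is replaced below) */
    group = EC_GROUP_dup(EC_KEY_get0_group(static_key));
    order = BN_CTX_get(bn_ctx);
    cofactor = BN_CTX_get(bn_ctx);
    /* once BN_CTX_get has failed it keeps failing, so testing cofactor covers order too */
    check(group && cofactor, "internal error");
    if (!EC_GROUP_get_order(group, order, bn_ctx)
            || !EC_GROUP_get_cofactor(group, cofactor, bn_ctx))
        goto err;

    /* Convert nonce to BIGNUM */
    bn_s = BN_bin2bn((unsigned char *) s->data, s->length, NULL);
    if (!bn_s)
        goto err;

    /*
     * complete the ECDH and get the resulting point h.  The process-wide
     * default ECDH method is swapped for the duration of the call
     * (ECDH_OpenSSL_Point presumably hands back the raw point rather than
     * a KDF output); this is global state, so the function is not safe to
     * run concurrently with other ECDH users in the same process.
     */
    default_method = ECDH_get_default_method();
    ECDH_set_default_method(ECDH_OpenSSL_Point());
    mem_h = ecdh_compute_key(ctx->static_key, in, bn_ctx);
    ECDH_set_default_method(default_method);
    ecp_h = EC_POINT_new(group);
    if (!mem_h || !ecp_h || !EC_POINT_oct2point(group, ecp_h,
            (unsigned char *) mem_h->data, mem_h->length, bn_ctx))
        goto err;

    /* map to new generator: g' = g*s + h*1 */
    ecp_g = EC_POINT_new(group);
    if (!ecp_g
            || !EC_POINT_mul(group, ecp_g, bn_s, ecp_h, BN_value_one(), bn_ctx))
        goto err;

    /*
     * Build and verify the new domain parameters before publishing the
     * ephemeral key, so that a failure here leaves ctx->ka_ctx->key untouched.
     */
    if (!EC_GROUP_set_generator(group, ecp_g, order, cofactor)
            || !EC_GROUP_check(group, bn_ctx))
        goto err;

    /* Initialize ephemeral parameters with parameters from the static key */
    ephemeral_key = EC_KEY_dup(static_key);
    if (!ephemeral_key
            || !EC_KEY_set_group(ephemeral_key, group)
            || !EVP_PKEY_set1_EC_KEY(ctx->ka_ctx->key, ephemeral_key))
        goto err;

    ret = 1;

err:
    /* all OpenSSL *_free routines accept NULL; the points and nonce are wiped */
    EC_POINT_clear_free(ecp_g);
    EC_POINT_clear_free(ecp_h);
    BUF_MEM_free(mem_h);
    BN_clear_free(bn_s);
    BN_CTX_end(bn_ctx);
    /* Decrement reference count, keys are still available via PACE_CTX */
    EC_KEY_free(static_key);
    EC_KEY_free(ephemeral_key);
    EC_GROUP_clear_free(group);

    return ret;
}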
开发者ID:RushOnline,项目名称:openpace,代码行数:83,


示例19: ECDSA_SIG_recover_key_GFp

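/*
 * Perform ECDSA public-key recovery (SEC1 4.1.6) for curves over GF(p).
 *
 * Rebuilds the ephemeral point R from the signature's r and the recovery
 * id, computes Q = r^-1 * (s*R - e*G) and installs Q as eckey's public key.
 *
 * eckey   supplies the group; receives the recovered public key on success
 * ecsig   signature (r, s); both must lie in [1, order-1]
 * msg     message digest of msglen bytes; bits beyond the group's bit
 *         length are discarded the same way ECDSA verification does
 * recid   recovery id 0..3: bit 0 is the parity of R's y coordinate,
 *         bit 1 selects x = r + order instead of x = r
 * check   non-zero to additionally verify that R has the group's order
 *         (only matters on curves with a cofactor > 1)
 *
 * Returns 1 on success, 0 when no key can be recovered from these inputs
 * (malformed recid or signature, x not in the field, no point with that x,
 * or R of the wrong order), -1 on a BN error and -2 on an EC error.
 */
int ECDSA_SIG_recover_key_GFp(EC_KEY *eckey, ECDSA_SIG *ecsig, const unsigned char *msg, int msglen, int recid, int check)
{
    int ret = 0;
    BN_CTX *ctx = NULL;
    BIGNUM *x = NULL, *e = NULL, *order = NULL, *sor = NULL, *eor = NULL;
    BIGNUM *field = NULL, *rr = NULL, *zero = NULL;
    EC_POINT *R = NULL, *O = NULL, *Q = NULL;
    const EC_GROUP *group;
    int n = 0;
    int i;

    if (!eckey || !ecsig || !ecsig->r || !ecsig->s) return 0;
    if (msglen < 0 || (msglen > 0 && !msg)) return 0;
    /*
     * recid carries exactly two bits; anything else is malformed input and
     * would otherwise feed a negative value into BN_mul_word and the y bit.
     */
    if (recid < 0 || recid > 3) return 0;
    i = recid / 2;
    if ((group = EC_KEY_get0_group(eckey)) == NULL) return -2;

    if ((ctx = BN_CTX_new()) == NULL) { ret = -1; goto err; }
    BN_CTX_start(ctx);
    order = BN_CTX_get(ctx);
    if (!order || !EC_GROUP_get_order(group, order, ctx)) { ret = -2; goto err; }

    /* r and s outside [1, order-1] cannot belong to a valid signature */
    if (BN_is_zero(ecsig->r) || BN_is_negative(ecsig->r) || BN_cmp(ecsig->r, order) >= 0 ||
        BN_is_zero(ecsig->s) || BN_is_negative(ecsig->s) || BN_cmp(ecsig->s, order) >= 0) {
        ret = 0; goto err;
    }

    /* x = r + i*order is the candidate x coordinate of R */
    x = BN_CTX_get(ctx);
    if (!x || !BN_copy(x, order)) { ret = -1; goto err; }
    if (!BN_mul_word(x, i)) { ret = -1; goto err; }
    if (!BN_add(x, x, ecsig->r)) { ret = -1; goto err; }
    field = BN_CTX_get(ctx);
    if (!field || !EC_GROUP_get_curve_GFp(group, field, NULL, NULL, ctx)) { ret = -2; goto err; }
    /* x must be a field element; otherwise this recid has no solution */
    if (BN_cmp(x, field) >= 0) { ret = 0; goto err; }

    if ((R = EC_POINT_new(group)) == NULL) { ret = -2; goto err; }
    if (!EC_POINT_set_compressed_coordinates_GFp(group, R, x, recid % 2, ctx)) { ret = 0; goto err; }
    if (check) {
        /* [order]R must be the identity, i.e. R lies in the prime-order subgroup */
        if ((O = EC_POINT_new(group)) == NULL) { ret = -2; goto err; }
        if (!EC_POINT_mul(group, O, NULL, R, order, ctx)) { ret = -2; goto err; }
        if (!EC_POINT_is_at_infinity(group, O)) { ret = 0; goto err; }
    }
    if ((Q = EC_POINT_new(group)) == NULL) { ret = -2; goto err; }

    /*
     * e = leftmost n bits of the digest: first drop whole surplus bytes,
     * then shift out the remaining surplus bits.  The original only shifted,
     * which is wrong once the digest is more than one byte longer than n.
     */
    n = EC_GROUP_get_degree(group);
    if (8 * msglen > n) msglen = (n + 7) / 8;
    e = BN_CTX_get(ctx);
    if (!e || !BN_bin2bn(msg, msglen, e)) { ret = -1; goto err; }
    if (8 * msglen > n && !BN_rshift(e, e, 8 - (n & 7))) { ret = -1; goto err; }

    /* e = -e mod order */
    zero = BN_CTX_get(ctx);
    if (!zero || !BN_zero(zero)) { ret = -1; goto err; }
    if (!BN_mod_sub(e, zero, e, order, ctx)) { ret = -1; goto err; }

    /* sor = s/r, eor = -e/r  (mod order) */
    rr = BN_CTX_get(ctx);
    if (!rr || !BN_mod_inverse(rr, ecsig->r, order, ctx)) { ret = -1; goto err; }
    sor = BN_CTX_get(ctx);
    if (!sor || !BN_mod_mul(sor, ecsig->s, rr, order, ctx)) { ret = -1; goto err; }
    eor = BN_CTX_get(ctx);
    if (!eor || !BN_mod_mul(eor, e, rr, order, ctx)) { ret = -1; goto err; }

    /* Q = eor*G + sor*R */
    if (!EC_POINT_mul(group, Q, eor, R, sor, ctx)) { ret = -2; goto err; }
    if (!EC_KEY_set_public_key(eckey, Q)) { ret = -2; goto err; }

    ret = 1;

err:
    if (ctx) {
        BN_CTX_end(ctx);
        BN_CTX_free(ctx);
    }
    /* EC_POINT_free accepts NULL */
    EC_POINT_free(R);
    EC_POINT_free(O);
    EC_POINT_free(Q);
    return ret;
}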
开发者ID:siriuscoin,项目名称:cryptoleu,代码行数:73,


示例20: timings

/*
 * Benchmark EC_POINT_mul on group: 10 random scalars times 10 repetitions
 * of a fixed-base, random-point or simultaneous (s*P + t*Q) multiplication,
 * selected by type, timed with clock() and reported on stdout.
 * Any failure aborts through ABORT.  The scalars come from BN_pseudo_rand,
 * which is fine for a timing harness but not for key material.
 */
static void timings(EC_GROUP *group, int type, BN_CTX *ctx)
{
	enum { NSCALARS = 10, NREPS = 10 };
	clock_t elapsed;
	int a, b;
	BIGNUM *order;
	BIGNUM *scal[NSCALARS], *scal2[NSCALARS];
	EC_POINT *P;
	const char *what = NULL;
	/* which operands the multiplication gets, derived once from type */
	int with_gen_scalar = (type != TIMING_RAND_PT);
	int with_point = (type != TIMING_BASE_PT);

	if ((order = BN_new()) == NULL) ABORT;

	fprintf(stdout, "Timings for %d-bit field, ", EC_GROUP_get_degree(group));
	if (!EC_GROUP_get_order(group, order, ctx)) ABORT;
	fprintf(stdout, "%d-bit scalars ", (int)BN_num_bits(order));
	fflush(stdout);

	if ((P = EC_POINT_new(group)) == NULL) ABORT;
	EC_POINT_copy(P, EC_GROUP_get0_generator(group));

	/* one scalar per outer iteration; a second one only when P is multiplied too */
	for (a = 0; a < NSCALARS; a++) {
		if ((scal[a] = BN_new()) == NULL) ABORT;
		if (!BN_pseudo_rand(scal[a], BN_num_bits(order), 0, 0)) ABORT;
		if (!with_point)
			continue;
		if ((scal2[a] = BN_new()) == NULL) ABORT;
		if (!BN_pseudo_rand(scal2[a], BN_num_bits(order), 0, 0)) ABORT;
	}

	/* P is overwritten by each product, so successive rounds chain on it */
	elapsed = clock();
	for (a = 0; a < NSCALARS; a++) {
		for (b = 0; b < NREPS; b++) {
			if (!EC_POINT_mul(group, P,
					with_gen_scalar ? scal[a] : NULL,
					with_point ? P : NULL,
					with_point ? scal2[a] : NULL, ctx)) ABORT;
		}
	}
	elapsed = clock() - elapsed;

	fprintf(stdout, "/n");

#ifdef CLOCKS_PER_SEC
	/* "To determine the time in seconds, the value returned
	 * by the clock function should be divided by the value
	 * of the macro CLOCKS_PER_SEC."
	 *                                       -- ISO/IEC 9899 */
#	define UNIT "s"
#else
	/* "`CLOCKS_PER_SEC' undeclared (first use this function)"
	 *                            -- cc on NeXTstep/OpenStep */
#	define UNIT "units"
#	define CLOCKS_PER_SEC 1
#endif

	if (type == TIMING_BASE_PT)
		what = "base point multiplications";
	else if (type == TIMING_RAND_PT)
		what = "random point multiplications";
	else if (type == TIMING_SIMUL)
		what = "s*P+t*Q operations";
	if (what != NULL) {
		fprintf(stdout, "%i %s in %.2f " UNIT "/n", NSCALARS * NREPS,
			what, (double)elapsed/CLOCKS_PER_SEC);
	}
	fprintf(stdout, "average: %.4f " UNIT "/n", (double)elapsed/(CLOCKS_PER_SEC*NSCALARS*NREPS));

	EC_POINT_free(P);
	BN_free(order);
	for (a = 0; a < NSCALARS; a++) {
		BN_free(scal[a]);
		if (with_point) BN_free(scal2[a]);
	}
}
开发者ID:174high,项目名称:openssl-0.9.8e_linux_porting,代码行数:77,


示例21: EC_KEY_check_key

int EC_KEY_check_key(const EC_KEY *eckey)	{	int	ok   = 0;	BN_CTX	*ctx = NULL;	const BIGNUM	*order  = NULL;	EC_POINT *point = NULL;	if (!eckey || !eckey->group || !eckey->pub_key)		{		ECerr(EC_F_EC_KEY_CHECK_KEY, ERR_R_PASSED_NULL_PARAMETER);		return 0;		}		if ((ctx = BN_CTX_new()) == NULL)		goto err;	if ((point = EC_POINT_new(eckey->group)) == NULL)		goto err;	/* testing whether the pub_key is on the elliptic curve */	if (!EC_POINT_is_on_curve(eckey->group, eckey->pub_key, ctx))		{		ECerr(EC_F_EC_KEY_CHECK_KEY, EC_R_POINT_IS_NOT_ON_CURVE);		goto err;		}	/* testing whether pub_key * order is the point at infinity */	order = &eckey->group->order;	if (BN_is_zero(order))		{		ECerr(EC_F_EC_KEY_CHECK_KEY, EC_R_INVALID_GROUP_ORDER);		goto err;		}	if (!EC_POINT_mul(eckey->group, point, NULL, eckey->pub_key, order, ctx))		{		ECerr(EC_F_EC_KEY_CHECK_KEY, ERR_R_EC_LIB);		goto err;		}	if (!EC_POINT_is_at_infinity(eckey->group, point))		{		ECerr(EC_F_EC_KEY_CHECK_KEY, EC_R_WRONG_ORDER);		goto err;		}	/* in case the priv_key is present : 	 * check if generator * priv_key == pub_key 	 */	if (eckey->priv_key)		{		if (BN_cmp(eckey->priv_key, order) >= 0)			{			ECerr(EC_F_EC_KEY_CHECK_KEY, EC_R_WRONG_ORDER);			goto err;			}		if (!EC_POINT_mul(eckey->group, point, eckey->priv_key,			NULL, NULL, ctx))			{			ECerr(EC_F_EC_KEY_CHECK_KEY, ERR_R_EC_LIB);			goto err;			}		if (EC_POINT_cmp(eckey->group, point, eckey->pub_key, 			ctx) != 0)			{			ECerr(EC_F_EC_KEY_CHECK_KEY, EC_R_INVALID_PRIVATE_KEY);			goto err;			}		}	ok = 1;err:	if (ctx   != NULL)		BN_CTX_free(ctx);	if (point != NULL)		EC_POINT_free(point);	return(ok);	}
开发者ID:futuretekinc,项目名称:u-boot-1.22,代码行数:72,


示例22: prime_field_tests

//.........这里部分代码省略.........	/* Curve secp160r1 (Certicom Research SEC 2 Version 1.0, section 2.4.2, 2000)	 * -- not a NIST curve, but commonly used */		if (!BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFF")) ABORT;	if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) ABORT;	if (!BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFC")) ABORT;	if (!BN_hex2bn(&b, "1C97BEFC54BD7A8B65ACF89F81D4D4ADC565FA45")) ABORT;	if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) ABORT;	if (!BN_hex2bn(&x, "4A96B5688EF573284664698968C38BB913CBFC82")) ABORT;	if (!BN_hex2bn(&y, "23a628553168947d59dcc912042351377ac5fb32")) ABORT;	if (!EC_POINT_set_affine_coordinates_GFp(group, P, x, y, ctx)) ABORT;	if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT;	if (!BN_hex2bn(&z, "0100000000000000000001F4C8F927AED3CA752257")) ABORT;	if (!EC_GROUP_set_generator(group, P, z, BN_value_one())) ABORT;	if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) ABORT;	fprintf(stdout, "/nSEC2 curve secp160r1 -- Generator:/n     x = 0x");	BN_print_fp(stdout, x);	fprintf(stdout, "/n     y = 0x");	BN_print_fp(stdout, y);	fprintf(stdout, "/n");	/* G_y value taken from the standard: */	if (!BN_hex2bn(&z, "23a628553168947d59dcc912042351377ac5fb32")) ABORT;	if (0 != BN_cmp(y, z)) ABORT;	fprintf(stdout, "verify degree ...");	if (EC_GROUP_get_degree(group) != 160) ABORT;	fprintf(stdout, " ok/n");		fprintf(stdout, "verify group order ...");	fflush(stdout);	if (!EC_GROUP_get_order(group, z, ctx)) ABORT;	if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;	if (!EC_POINT_is_at_infinity(group, Q)) ABORT;	fprintf(stdout, ".");	fflush(stdout);	if (!EC_GROUP_precompute_mult(group, ctx)) ABORT;	if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;	if (!EC_POINT_is_at_infinity(group, Q)) ABORT;	fprintf(stdout, " ok/n");	if (!(P_160 = EC_GROUP_new(EC_GROUP_method_of(group)))) ABORT;	if (!EC_GROUP_copy(P_160, group)) ABORT;	/* Curve P-192 (FIPS PUB 186-2, App. 
6) */		if (!BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF")) ABORT;	if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) ABORT;	if (!BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC")) ABORT;	if (!BN_hex2bn(&b, "64210519E59C80E70FA7E9AB72243049FEB8DEECC146B9B1")) ABORT;	if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) ABORT;	if (!BN_hex2bn(&x, "188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF1012")) ABORT;	if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, ctx)) ABORT;	if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT;	if (!BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831")) ABORT;	if (!EC_GROUP_set_generator(group, P, z, BN_value_one())) ABORT;	if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) ABORT;	fprintf(stdout, "/nNIST curve P-192 -- Generator:/n     x = 0x");	BN_print_fp(stdout, x);	fprintf(stdout, "/n     y = 0x");	BN_print_fp(stdout, y);	fprintf(stdout, "/n");
开发者ID:174high,项目名称:openssl-0.9.8e_linux_porting,代码行数:67,


示例23: ecdsa_do_verify

static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len,                           const ECDSA_SIG *sig, EC_KEY *eckey){    int ret = -1, i;    BN_CTX *ctx;    BIGNUM *order, *u1, *u2, *m, *X;    EC_POINT *point = NULL;    const EC_GROUP *group;    const EC_POINT *pub_key;    /* check input values */    if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL ||        (pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL) {        ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ECDSA_R_MISSING_PARAMETERS);        return -1;    }    ctx = BN_CTX_new();    if (!ctx) {        ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_MALLOC_FAILURE);        return -1;    }    BN_CTX_start(ctx);    order = BN_CTX_get(ctx);    u1 = BN_CTX_get(ctx);    u2 = BN_CTX_get(ctx);    m = BN_CTX_get(ctx);    X = BN_CTX_get(ctx);    if (!X) {        ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);        goto err;    }    if (!EC_GROUP_get_order(group, order, ctx)) {        ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);        goto err;    }    if (BN_is_zero(sig->r) || BN_is_negative(sig->r) ||        BN_ucmp(sig->r, order) >= 0 || BN_is_zero(sig->s) ||        BN_is_negative(sig->s) || BN_ucmp(sig->s, order) >= 0) {        ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ECDSA_R_BAD_SIGNATURE);        ret = 0;                /* signature is invalid */        goto err;    }    /* calculate tmp1 = inv(S) mod order */    if (!BN_mod_inverse(u2, sig->s, order, ctx)) {        ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);        goto err;    }    /* digest -> m */    i = BN_num_bits(order);    /*     * Need to truncate digest if it is too long: first truncate whole bytes.     
*/    if (8 * dgst_len > i)        dgst_len = (i + 7) / 8;    if (!BN_bin2bn(dgst, dgst_len, m)) {        ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);        goto err;    }    /* If still too long truncate remaining bits with a shift */    if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7))) {        ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);        goto err;    }    /* u1 = m * tmp mod order */    if (!BN_mod_mul(u1, m, u2, order, ctx)) {        ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);        goto err;    }    /* u2 = r * w mod q */    if (!BN_mod_mul(u2, sig->r, u2, order, ctx)) {        ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);        goto err;    }    if ((point = EC_POINT_new(group)) == NULL) {        ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_MALLOC_FAILURE);        goto err;    }    if (!EC_POINT_mul(group, point, u1, pub_key, u2, ctx)) {        ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);        goto err;    }    if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) ==        NID_X9_62_prime_field) {        if (!EC_POINT_get_affine_coordinates_GFp(group, point, X, NULL, ctx)) {            ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);            goto err;        }    }#ifndef OPENSSL_NO_EC2M    else {                      /* NID_X9_62_characteristic_two_field */        if (!EC_POINT_get_affine_coordinates_GF2m(group, point, X, NULL, ctx)) {            ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);            goto err;        }    }//.........这里部分代码省略.........
开发者ID:Adallom,项目名称:openssl,代码行数:101,


示例24: extract_ec_params

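/*
 * Derive the public factors of a CPK public-parameter set from the secret
 * factors held in the master secret.
 *
 * Every secret factor s_i is a big-endian scalar of bn_size bytes taken from
 * master->secret_factors; its public factor s_i*G is computed on the curve
 * named by master->pkey_algor and written, compressed, into
 * param->public_factors.  A compressed point takes pt_size = bn_size + 1
 * bytes, so the output string holds pt_size * num_factors bytes.
 *
 * @param master  master secret providing the curve (pkey_algor), the mapping
 *                (map_algor) and the secret factors.
 * @param param   public-parameter object whose public_factors string is
 *                overwritten.
 * @return 1 on success, 0 on any failure: NULL arguments, allocation failure,
 *         a secret_factors string whose length does not match the map, or a
 *         secret factor that is zero or not below the group order.
 *
 * The scalar `bn` carries every secret factor through the loop, so it is
 * released with BN_clear_free() rather than BN_free() to zeroize its limbs.
 */
static int extract_ec_params(CPK_MASTER_SECRET *master, CPK_PUBLIC_PARAMS *param)
{
	int ret = 0;
	EC_KEY *ec_key = NULL;
	const EC_GROUP *ec_group;
	BIGNUM *bn = NULL;
	BIGNUM *order = NULL;
	BN_CTX *ctx = NULL;
	EC_POINT *pt = NULL;
	int i, bn_size, pt_size, num_factors;
	const unsigned char *bn_ptr;
	unsigned char *pt_ptr;

	if (!master || !param) {
		return 0;
	}

	bn = BN_new();
	order = BN_new();
	ctx = BN_CTX_new();
	if (!bn || !order || !ctx) {
		goto err;
	}

	if (!(ec_key = X509_ALGOR_get1_EC_KEY(master->pkey_algor))) {
		goto err;
	}
	ec_group = EC_KEY_get0_group(ec_key);
	if (!EC_GROUP_get_order(ec_group, order, ctx)) {
		goto err;
	}
	bn_size = BN_num_bytes(order);
	if (bn_size <= 0) {
		goto err;
	}
	/* One compressed point = one leading format byte + the x coordinate. */
	pt_size = bn_size + 1;

	if ((num_factors = CPK_MAP_num_factors(master->map_algor)) <= 0) {
		goto err;
	}
	/* The secret string must hold exactly one scalar per factor. */
	if (M_ASN1_STRING_length(master->secret_factors) != bn_size * num_factors) {
		goto err;
	}
	if (!ASN1_STRING_set(param->public_factors, NULL, pt_size * num_factors)) {
		goto err;
	}

	bn_ptr = M_ASN1_STRING_data(master->secret_factors);
	pt_ptr = M_ASN1_STRING_data(param->public_factors);
	memset(pt_ptr, 0, M_ASN1_STRING_length(param->public_factors));

	if (!(pt = EC_POINT_new(ec_group))) {
		goto err;
	}

	for (i = 0; i < num_factors; i++) {
		if (!BN_bin2bn(bn_ptr, bn_size, bn)) {
			goto err;
		}
		/* A factor outside [1, order) is corrupt master data. */
		if (BN_is_zero(bn) || BN_cmp(bn, order) >= 0) {
			goto err;
		}
		/* pt = s_i * G */
		if (!EC_POINT_mul(ec_group, pt, bn, NULL, NULL, ctx)) {
			goto err;
		}
		if (!EC_POINT_point2oct(ec_group, pt,
			POINT_CONVERSION_COMPRESSED, pt_ptr, pt_size, ctx)) {
			goto err;
		}
		bn_ptr += bn_size;
		pt_ptr += pt_size;
	}

	ret = 1;
err:
	EC_KEY_free(ec_key);
	BN_clear_free(bn);      /* held secret scalars */
	BN_free(order);
	BN_CTX_free(ctx);
	EC_POINT_free(pt);
	return ret;
}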
开发者ID:LiTianjue,项目名称:GmSSL,代码行数:72,


示例25: create_address_from_string

/* creates a bitcoin address+private key from the SHA256 *  hash of string. converts to base58 if base58 is 'true' *  returns 1 if successful, 0 if not*/int create_address_from_string(const unsigned char *string,		unsigned char *address,		unsigned char *priv_key,		EC_GROUP *precompgroup,		bool base58,		bool debug) {    u_int8_t * hash = malloc(SHA256_DIGEST_LENGTH);    BIGNUM * n = BN_new();    //first we hash the string    SHA256 (string, strlen(string), hash);	//then we convert the hash to the BIGNUM n    n = BN_bin2bn(hash, SHA256_DIGEST_LENGTH, n);    BIGNUM * order = BN_new();    BIGNUM * nmodorder = BN_new();	BN_CTX *bnctx;	bnctx = BN_CTX_new();    //then we create a new EC group with the curve secp256k1	EC_GROUP * pgroup;	pgroup = EC_GROUP_new_by_curve_name(NID_secp256k1);    if (!pgroup) {    	printf("ERROR: Couldn't get new group/n");    	return 0;    }    //now we need to get the order of the group, and make sure that    //the number we use for the private key is less than or equal to    //the group order by using "nmodorder = n % order"    EC_GROUP_get_order(pgroup, order, NULL);    BN_mod(nmodorder, n, order, bnctx);    if (BN_is_zero(nmodorder)) {    	printf("ERROR: SHA256(string) % order == 0. Pick another string./n");    	return 0;    }    if (debug)    	printf ("Secret number: %s/n", BN_bn2dec(nmodorder));    //now we create a new EC point, ecpoint, and place in it the secp256k1    //generator point multiplied by nmodorder. 
this newly created    //point is the public key    EC_POINT * ecpoint = EC_POINT_new(pgroup);	if (!EC_POINT_mul(pgroup, ecpoint, nmodorder, NULL, NULL, NULL))	{    	printf("ERROR: Couldn't multiply the generator point with n/n");    	return 0;    }    if (debug) {        BIGNUM *x=NULL, *y=NULL;        x=BN_new();        y=BN_new();        if (!EC_POINT_get_affine_coordinates_GFp(pgroup, ecpoint, x, y, NULL)) {        	printf("ERROR: Failed getting coordinates.");        	//don't fail on debug fail        	//return 0;        }    	printf ("Public key coordinates. x: %s, y: %s/n", BN_bn2dec(x), BN_bn2dec(y));        BN_free(x);        BN_free(y);    }    //then we need to convert the public key point to data    //first we get the required size of the buffer in which the data is placed    //by passing NULL as the buffer argument to EC_POINT_point2oct    unsigned int bufsize = EC_POINT_point2oct (pgroup, ecpoint, POINT_CONVERSION_UNCOMPRESSED, NULL, 0, NULL);    u_int8_t * buffer = malloc(bufsize);    //then we place the data in the buffer    int len = EC_POINT_point2oct (pgroup, ecpoint, POINT_CONVERSION_UNCOMPRESSED, buffer, bufsize, NULL);    if (len == 0) {    	printf("ERROR: Couldn't convert point to octet string.");    	return 0;    }    if (debug) {    	printf("DER encoded public key: ");    	print_hex(buffer, len);    }    //next we need to hash the public key data. first with SHA256, then with RIPEMD160    SHA256(buffer, len, hash);    if (debug) {    	printf("SHA256 hash of public key: ");    	print_hex(hash, SHA256_DIGEST_LENGTH);    }//.........这里部分代码省略.........
开发者ID:runeksvendsen,项目名称:sbag,代码行数:101,


示例26: BN_new

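/*
 * Reconstruct the EC private key that the CPK master secret assigns to the
 * identity string `id`.
 *
 * CPK_MAP_str2index() maps `id` to num_indexes positions; the private key is
 * the sum, modulo the group order, of the secret factors found at those
 * positions in master->secret_factors (each factor is bn_size big-endian
 * bytes).  The matching public key priv*G is computed and stored in the
 * returned EC_KEY as well.
 *
 * @param master  master secret providing the curve (pkey_algor), the mapping
 *                (map_algor) and the secret factors.
 * @param id      identity string to derive the key for.
 * @return a newly allocated EC_KEY owned by the caller (free with
 *         EC_KEY_free()), or NULL on any failure: NULL arguments, allocation
 *         failure, an unmappable id, an index outside the secret_factors
 *         string, a secret factor that is zero or not below the order, or a
 *         derived private key that reduces to zero.
 *
 * Both scalars that hold secret material (priv_key and bn) are released with
 * BN_clear_free() so their limbs are zeroized before the memory is returned.
 */
static EC_KEY *extract_ec_priv_key(CPK_MASTER_SECRET *master, const char *id)
{
	int e = 1;
	EC_KEY *ec_key = NULL;
	const EC_GROUP *ec_group;
	EC_POINT *pub_key = NULL;
	BIGNUM *priv_key = NULL;
	BIGNUM *order = NULL;
	BIGNUM *bn = NULL;
	BN_CTX *ctx = NULL;
	int *index = NULL;
	int i, num_indexes, bn_size, sf_len;

	if (!master || !id) {
		return NULL;
	}

	priv_key = BN_new();
	order = BN_new();
	bn = BN_new();
	ctx = BN_CTX_new();
	if (!priv_key || !bn || !order || !ctx) {
		goto err;
	}

	if (!(ec_key = X509_ALGOR_get1_EC_KEY(master->pkey_algor))) {
		goto err;
	}
	ec_group = EC_KEY_get0_group(ec_key);
	if (!(pub_key = EC_POINT_new(ec_group))) {
		goto err;
	}

	if ((num_indexes = CPK_MAP_num_indexes(master->map_algor)) <= 0) {
		goto err;
	}
	if (!(index = OPENSSL_malloc(sizeof(int) * num_indexes))) {
		goto err;
	}
	if (!CPK_MAP_str2index(master->map_algor, id, index)) {
		goto err;
	}

	BN_zero(priv_key);
	if (!EC_GROUP_get_order(ec_group, order, ctx)) {
		goto err;
	}
	bn_size = BN_num_bytes(order);
	if (bn_size <= 0) {
		goto err;
	}
	sf_len = M_ASN1_STRING_length(master->secret_factors);

	for (i = 0; i < num_indexes; i++) {
		const unsigned char *p;

		/* Reject an index that would read past the secret_factors string. */
		if (index[i] < 0 || index[i] >= sf_len / bn_size) {
			goto err;
		}
		p = M_ASN1_STRING_data(master->secret_factors) + bn_size * index[i];

		if (!BN_bin2bn(p, bn_size, bn)) {
			goto err;
		}
		/* A factor outside [1, order) is corrupt master data. */
		if (BN_is_zero(bn) || BN_cmp(bn, order) >= 0) {
			goto err;
		}
		if (!BN_mod_add(priv_key, priv_key, bn, order, ctx)) {
			goto err;
		}
	}

	/* The modular sum can wrap to zero; zero is not a usable private key
	 * (its public point is the point at infinity). */
	if (BN_is_zero(priv_key)) {
		goto err;
	}

	if (!EC_KEY_set_private_key(ec_key, priv_key)) {
		goto err;
	}
	if (!EC_POINT_mul(ec_group, pub_key, priv_key, NULL, NULL, ctx)) {
		goto err;
	}
	if (!EC_KEY_set_public_key(ec_key, pub_key)) {
		goto err;
	}
	e = 0;

err:
	if (e) {
		EC_KEY_free(ec_key);
		ec_key = NULL;
	}
	BN_clear_free(priv_key);   /* secret */
	EC_POINT_free(pub_key);
	BN_free(order);
	BN_clear_free(bn);         /* held secret factors */
	BN_CTX_free(ctx);
	if (index) OPENSSL_free(index);
	return ec_key;
}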
开发者ID:LiTianjue,项目名称:GmSSL,代码行数:82,


示例27: vg_thread_loop

void *vg_thread_loop(void *arg){	unsigned char hash_buf[128];	unsigned char *eckey_buf;	unsigned char hash1[32];	int i, c, len, output_interval;	int hash_len;	const BN_ULONG rekey_max = 10000000;	BN_ULONG npoints, rekey_at, nbatch;	vg_context_t *vcp = (vg_context_t *) arg;	EC_KEY *pkey = NULL;	const EC_GROUP *pgroup;	const EC_POINT *pgen;	const int ptarraysize = 256;	EC_POINT *ppnt[ptarraysize];	EC_POINT *pbatchinc;	vg_test_func_t test_func = vcp->vc_test;	vg_exec_context_t ctx;	vg_exec_context_t *vxcp;	struct timeval tvstart;	memset(&ctx, 0, sizeof(ctx));	vxcp = &ctx;	vg_exec_context_init(vcp, &ctx);	pkey = vxcp->vxc_key;	pgroup = EC_KEY_get0_group(pkey);	pgen = EC_GROUP_get0_generator(pgroup);	for (i = 0; i < ptarraysize; i++) {		ppnt[i] = EC_POINT_new(pgroup);		if (!ppnt[i]) {			fprintf(stderr, "ERROR: out of memory?/n");			exit(1);		}	}	pbatchinc = EC_POINT_new(pgroup);	if (!pbatchinc) {		fprintf(stderr, "ERROR: out of memory?/n");		exit(1);	}	BN_set_word(&vxcp->vxc_bntmp, ptarraysize);	EC_POINT_mul(pgroup, pbatchinc, &vxcp->vxc_bntmp, NULL, NULL,		     vxcp->vxc_bnctx);	EC_POINT_make_affine(pgroup, pbatchinc, vxcp->vxc_bnctx);	npoints = 0;	rekey_at = 0;	nbatch = 0;	vxcp->vxc_key = pkey;	vxcp->vxc_binres[0] = vcp->vc_addrtype;	c = 0;	output_interval = 1000;	gettimeofday(&tvstart, NULL);	if (vcp->vc_format == VCF_SCRIPT) {		hash_buf[ 0] = 0x51;  // OP_1		hash_buf[ 1] = 0x41;  // pubkey length		// gap for pubkey		hash_buf[67] = 0x51;  // OP_1		hash_buf[68] = 0xae;  // OP_CHECKMULTISIG		eckey_buf = hash_buf + 2;		hash_len = 69;	} else {		eckey_buf = hash_buf;		hash_len = 65;	}	while (!vcp->vc_halt) {		if (++npoints >= rekey_at) {			vg_exec_context_upgrade_lock(vxcp);			/* Generate a new random private key */			EC_KEY_generate_key(pkey);			npoints = 0;			/* Determine rekey interval */			EC_GROUP_get_order(pgroup, &vxcp->vxc_bntmp,					   vxcp->vxc_bnctx);			BN_sub(&vxcp->vxc_bntmp2,			       &vxcp->vxc_bntmp,			       EC_KEY_get0_private_key(pkey));			rekey_at = 
BN_get_word(&vxcp->vxc_bntmp2);			if ((rekey_at == BN_MASK2) || (rekey_at > rekey_max))				rekey_at = rekey_max;			assert(rekey_at > 0);			EC_POINT_copy(ppnt[0], EC_KEY_get0_public_key(pkey));			vg_exec_context_downgrade_lock(vxcp);			npoints++;//.........这里部分代码省略.........
开发者ID:299669,项目名称:vanitygen,代码行数:101,


示例28: StealthSecretSpend

int StealthSecretSpend(ec_secret& scanSecret, ec_point& ephemPubkey, ec_secret& spendSecret, ec_secret& secretOut){    /*        c  = H(dP)    R' = R + cG     [without decrypting wallet]       = (f + c)G   [after decryption of wallet]         Remember: mod curve.order, pad with 0x00s where necessary?    */        int rv = 0;    std::vector<uint8_t> vchOutP;        BN_CTX* bnCtx           = NULL;    BIGNUM* bnScanSecret    = NULL;    BIGNUM* bnP             = NULL;    EC_POINT* P             = NULL;    BIGNUM* bnOutP          = NULL;    BIGNUM* bnc             = NULL;    BIGNUM* bnOrder         = NULL;    BIGNUM* bnSpend         = NULL;        EC_GROUP* ecgrp = EC_GROUP_new_by_curve_name(NID_secp256k1);        if (!ecgrp)    {        printf("StealthSecretSpend(): EC_GROUP_new_by_curve_name failed./n");        return 1;    };        if (!(bnCtx = BN_CTX_new()))    {        printf("StealthSecretSpend(): BN_CTX_new failed./n");        rv = 1;        goto End;    };        if (!(bnScanSecret = BN_bin2bn(&scanSecret.e[0], ec_secret_size, BN_new())))    {        printf("StealthSecretSpend(): bnScanSecret BN_bin2bn failed./n");        rv = 1;        goto End;    };        if (!(bnP = BN_bin2bn(&ephemPubkey[0], ephemPubkey.size(), BN_new())))    {        printf("StealthSecretSpend(): bnP BN_bin2bn failed/n");        rv = 1;        goto End;    };        if (!(P = EC_POINT_bn2point(ecgrp, bnP, NULL, bnCtx)))    {        printf("StealthSecretSpend(): P EC_POINT_bn2point failed/n");        rv = 1;        goto End;    };        // -- dP    if (!EC_POINT_mul(ecgrp, P, NULL, P, bnScanSecret, bnCtx))    {        printf("StealthSecretSpend(): dP EC_POINT_mul failed/n");        rv = 1;        goto End;    };        if (!(bnOutP = EC_POINT_point2bn(ecgrp, P, POINT_CONVERSION_COMPRESSED, BN_new(), bnCtx)))    {        printf("StealthSecretSpend(): P EC_POINT_bn2point failed/n");        rv = 1;        goto End;    };            vchOutP.resize(ec_compressed_size);    if 
(BN_num_bytes(bnOutP) != (int) ec_compressed_size        || BN_bn2bin(bnOutP, &vchOutP[0]) != (int) ec_compressed_size)    {        printf("StealthSecretSpend(): bnOutP incorrect length./n");        rv = 1;        goto End;    };        uint8_t hash1[32];    SHA256(&vchOutP[0], vchOutP.size(), (uint8_t*)hash1);            if (!(bnc = BN_bin2bn(&hash1[0], 32, BN_new())))    {        printf("StealthSecretSpend(): BN_bin2bn failed/n");        rv = 1;        goto End;    };        if (!(bnOrder = BN_new())        || !EC_GROUP_get_order(ecgrp, bnOrder, bnCtx))    {        printf("StealthSecretSpend(): EC_GROUP_get_order failed/n");        rv = 1;        goto End;//.........这里部分代码省略.........
开发者ID:Infernoman,项目名称:DarkSilk-Release-Candidate,代码行数:101,


示例29: MKEM_generate_message_u

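/*
 * Encapsulation step of the Möller KEM: derive a shared secret and the
 * message that transports it to the holder of key pair kp.
 *
 * The scalar uraw selects the curve: values below params->n0 use curve 0
 * (c0/g0/p0) with u = uraw; larger values use curve 1 (c1/g1/p1) with
 * u = uraw - n0 + 1.  Then q = u*g and r = u*p are computed; the x coordinate
 * of q becomes the message and the first msgsize bytes of the secret, and the
 * x coordinate of r becomes the second msgsize bytes of the secret.  The
 * curve choice and `pad` are folded into the top bits of message[0]; the
 * comment below explains why that is acceptable.
 *
 * @param kp       key pair and parameters (curves, generators, public points,
 *                 n0, msgsize, pad_mask, curve_bit, ctx).
 * @param uraw     caller-supplied random scalar; its range is not validated
 *                 here.
 * @param pad      random bits used to fill the unused high bits of message[0].
 * @param secret   out: 2 * msgsize bytes of shared secret.
 * @param message  out: msgsize bytes to send to the recipient.
 * @return 0 on success, -1 on failure; on failure both output buffers are
 *         zero-filled.
 *
 * The stack BIGNUMs are released with BN_clear_free(), which zeroizes and
 * frees the limb arrays that BN_init()-ed values acquire during arithmetic;
 * BN_clear() alone leaves those arrays allocated and leaks them on every call.
 */
int
MKEM_generate_message_u(const MKEM *kp, const BIGNUM *uraw, uint8_t pad,
                        uint8_t *secret, uint8_t *message)
{
  BIGNUM u, x, y;
  int use_curve0;
  const EC_GROUP *ca;
  const EC_POINT *ga;
  const EC_POINT *pa;
  EC_POINT *q = NULL, *r = NULL;
  size_t mlen;
  int rv = -1;

  if (!kp || !kp->params || !uraw || !secret || !message)
    return -1;

  mlen = kp->params->msgsize;
  use_curve0 = (BN_cmp(uraw, kp->params->n0) < 0);

  BN_init(&u);
  BN_init(&x);
  BN_init(&y);

  if (use_curve0) {
    ca = kp->params->c0;
    ga = kp->params->g0;
    pa = kp->p0;
    FAILZ(BN_copy(&u, uraw));
  } else {
    ca = kp->params->c1;
    ga = kp->params->g1;
    pa = kp->p1;
    /* Shift the scalar into curve 1's range: u = uraw - n0 + 1. */
    FAILZ(BN_sub(&u, uraw, kp->params->n0));
    FAILZ(BN_add(&u, &u, BN_value_one()));
  }

  FAILZ(q = EC_POINT_new(ca));
  FAILZ(r = EC_POINT_new(ca));
  FAILZ(EC_POINT_mul(ca, q, NULL, ga, &u, kp->params->ctx));
  FAILZ(EC_POINT_mul(ca, r, NULL, pa, &u, kp->params->ctx));

  /* message = x(q), left-padded to mlen bytes; y is fetched but unused. */
  FAILZ(EC_POINT_get_affine_coordinates_GF2m(ca, q, &x, &y, kp->params->ctx));
  if (bn2bin_padhi(&x, message, mlen) != mlen)
    goto fail;
  /* The bits reserved for the pad and the curve marker must be free. */
  if (message[0] & (kp->params->pad_mask | kp->params->curve_bit))
    goto fail;
  memcpy(secret, message, mlen);

  /* secret[mlen .. 2*mlen) = x(r). */
  FAILZ(EC_POINT_get_affine_coordinates_GF2m(ca, r, &x, &y, kp->params->ctx));
  if (bn2bin_padhi(&x, secret + mlen, mlen) != mlen)
    goto fail;

  /* K high bits of the message will be zero.  Fill in the high K-1
     of them with random bits from the pad, and use the lowest bit
     to identify the curve in use.  That bit will have a bias on the
     order of 2^{-d/2} where d is the bit-degree of the curve; 2^{-81}
     for the only curve presently implemented.  This is acceptably
     small since an elliptic curve of d bits gives only about d/2 bits
     of security anyway, and is much better than allowing a timing
     attack via the recipient having to attempt point decompression
     twice for curve 1 but only once for curve 0 (or, alternatively,
     doubling the time required for all decryptions).  */
  pad &= kp->params->pad_mask;
  pad |= (use_curve0 ? 0 : kp->params->curve_bit);
  message[0] |= pad;

  rv = 0;
 done:
  /* Zeroize and release the limb arrays; the BIGNUM structs themselves live
     on the stack and are not freed (BN_FLG_MALLOCED is unset after BN_init). */
  BN_clear_free(&u);
  BN_clear_free(&x);
  BN_clear_free(&y);
  EC_POINT_clear_free(q);
  EC_POINT_clear_free(r);
  return rv;
 fail:
  /* Never hand back partial secret material. */
  memset(message, 0, mlen);
  memset(secret, 0, mlen * 2);
  rv = -1;
  goto done;
}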
开发者ID:zackw,项目名称:moeller-ref,代码行数:76,



注:本文中的EC_POINT_mul函数示例整理自Github/MSDocs等源码及文档管理平台,相关代码片段筛选自各路编程大神贡献的开源项目,源码版权归原作者所有,传播和使用请参考对应项目的License;未经允许,请勿转载。

