/src/openssl/crypto/dsa/dsa_ossl.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved. |
3 | | * |
4 | | * Licensed under the Apache License 2.0 (the "License"). You may not use |
5 | | * this file except in compliance with the License. You can obtain a copy |
6 | | * in the file LICENSE in the source distribution or at |
7 | | * https://www.openssl.org/source/license.html |
8 | | */ |
9 | | |
10 | | /* |
11 | | * DSA low level APIs are deprecated for public use, but still ok for |
12 | | * internal use. |
13 | | */ |
14 | | #include "internal/deprecated.h" |
15 | | |
16 | | #include <stdio.h> |
17 | | #include "internal/cryptlib.h" |
18 | | #include "crypto/bn.h" |
19 | | #include <openssl/bn.h> |
20 | | #include <openssl/sha.h> |
21 | | #include "dsa_local.h" |
22 | | #include <openssl/asn1.h> |
23 | | #include "internal/deterministic_nonce.h" |
24 | | |
25 | 0 | #define MIN_DSA_SIGN_QBITS 128 |
26 | 0 | #define MAX_DSA_SIGN_RETRIES 8 |
27 | | |
28 | | static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa); |
29 | | static int dsa_sign_setup_no_digest(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, |
30 | | BIGNUM **rp); |
31 | | static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, |
32 | | BIGNUM **rp, const unsigned char *dgst, int dlen, |
33 | | unsigned int nonce_type, const char *digestname, |
34 | | OSSL_LIB_CTX *libctx, const char *propq); |
35 | | static int dsa_do_verify(const unsigned char *dgst, int dgst_len, |
36 | | DSA_SIG *sig, DSA *dsa); |
37 | | static int dsa_init(DSA *dsa); |
38 | | static int dsa_finish(DSA *dsa); |
39 | | static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q, |
40 | | BN_CTX *ctx); |
41 | | |
42 | | static DSA_METHOD openssl_dsa_meth = { |
43 | | "OpenSSL DSA method", |
44 | | dsa_do_sign, |
45 | | dsa_sign_setup_no_digest, |
46 | | dsa_do_verify, |
47 | | NULL, /* dsa_mod_exp, */ |
48 | | NULL, /* dsa_bn_mod_exp, */ |
49 | | dsa_init, |
50 | | dsa_finish, |
51 | | DSA_FLAG_FIPS_METHOD, |
52 | | NULL, |
53 | | NULL, |
54 | | NULL |
55 | | }; |
56 | | |
57 | | static const DSA_METHOD *default_DSA_method = &openssl_dsa_meth; |
58 | | |
59 | | #ifndef FIPS_MODULE |
60 | | void DSA_set_default_method(const DSA_METHOD *meth) |
61 | 0 | { |
62 | 0 | default_DSA_method = meth; |
63 | 0 | } |
64 | | #endif /* FIPS_MODULE */ |
65 | | |
66 | | const DSA_METHOD *DSA_get_default_method(void) |
67 | 0 | { |
68 | 0 | return default_DSA_method; |
69 | 0 | } |
70 | | |
71 | | const DSA_METHOD *DSA_OpenSSL(void) |
72 | 0 | { |
73 | 0 | return &openssl_dsa_meth; |
74 | 0 | } |
75 | | |
76 | | DSA_SIG *ossl_dsa_do_sign_int(const unsigned char *dgst, int dlen, DSA *dsa, |
77 | | unsigned int nonce_type, const char *digestname, |
78 | | OSSL_LIB_CTX *libctx, const char *propq) |
79 | 0 | { |
80 | 0 | BIGNUM *kinv = NULL; |
81 | 0 | BIGNUM *m, *blind, *blindm, *tmp; |
82 | 0 | BN_CTX *ctx = NULL; |
83 | 0 | int reason = ERR_R_BN_LIB; |
84 | 0 | DSA_SIG *ret = NULL; |
85 | 0 | int rv = 0; |
86 | 0 | int retries = 0; |
87 | |
|
88 | 0 | if (dsa->params.p == NULL |
89 | 0 | || dsa->params.q == NULL |
90 | 0 | || dsa->params.g == NULL) { |
91 | 0 | reason = DSA_R_MISSING_PARAMETERS; |
92 | 0 | goto err; |
93 | 0 | } |
94 | 0 | if (dsa->priv_key == NULL) { |
95 | 0 | reason = DSA_R_MISSING_PRIVATE_KEY; |
96 | 0 | goto err; |
97 | 0 | } |
98 | | |
99 | 0 | ret = DSA_SIG_new(); |
100 | 0 | if (ret == NULL) |
101 | 0 | goto err; |
102 | 0 | ret->r = BN_new(); |
103 | 0 | ret->s = BN_new(); |
104 | 0 | if (ret->r == NULL || ret->s == NULL) |
105 | 0 | goto err; |
106 | | |
107 | 0 | ctx = BN_CTX_new_ex(dsa->libctx); |
108 | 0 | if (ctx == NULL) |
109 | 0 | goto err; |
110 | 0 | m = BN_CTX_get(ctx); |
111 | 0 | blind = BN_CTX_get(ctx); |
112 | 0 | blindm = BN_CTX_get(ctx); |
113 | 0 | tmp = BN_CTX_get(ctx); |
114 | 0 | if (tmp == NULL) |
115 | 0 | goto err; |
116 | | |
117 | 0 | redo: |
118 | 0 | if (!dsa_sign_setup(dsa, ctx, &kinv, &ret->r, dgst, dlen, |
119 | 0 | nonce_type, digestname, libctx, propq)) |
120 | 0 | goto err; |
121 | | |
122 | 0 | if (dlen > BN_num_bytes(dsa->params.q)) |
123 | | /* |
124 | | * if the digest length is greater than the size of q use the |
125 | | * BN_num_bits(dsa->q) leftmost bits of the digest, see fips 186-3, |
126 | | * 4.2 |
127 | | */ |
128 | 0 | dlen = BN_num_bytes(dsa->params.q); |
129 | 0 | if (BN_bin2bn(dgst, dlen, m) == NULL) |
130 | 0 | goto err; |
131 | | |
132 | | /* |
133 | | * The normal signature calculation is: |
134 | | * |
135 | | * s := k^-1 * (m + r * priv_key) mod q |
136 | | * |
137 | | * We will blind this to protect against side channel attacks |
138 | | * |
139 | | * s := blind^-1 * k^-1 * (blind * m + blind * r * priv_key) mod q |
140 | | */ |
141 | | |
142 | | /* |
143 | | * Generate a blinding value |
144 | | * The size of q is tested in dsa_sign_setup() so there should not be an infinite loop here. |
145 | | */ |
146 | 0 | do { |
147 | 0 | if (!BN_priv_rand_ex(blind, BN_num_bits(dsa->params.q) - 1, |
148 | 0 | BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY, 0, ctx)) |
149 | 0 | goto err; |
150 | 0 | } while (BN_is_zero(blind)); |
151 | 0 | BN_set_flags(blind, BN_FLG_CONSTTIME); |
152 | 0 | BN_set_flags(blindm, BN_FLG_CONSTTIME); |
153 | 0 | BN_set_flags(tmp, BN_FLG_CONSTTIME); |
154 | | |
155 | | /* tmp := blind * priv_key * r mod q */ |
156 | 0 | if (!BN_mod_mul(tmp, blind, dsa->priv_key, dsa->params.q, ctx)) |
157 | 0 | goto err; |
158 | 0 | if (!BN_mod_mul(tmp, tmp, ret->r, dsa->params.q, ctx)) |
159 | 0 | goto err; |
160 | | |
161 | | /* blindm := blind * m mod q */ |
162 | 0 | if (!BN_mod_mul(blindm, blind, m, dsa->params.q, ctx)) |
163 | 0 | goto err; |
164 | | |
165 | | /* s : = (blind * priv_key * r) + (blind * m) mod q */ |
166 | 0 | if (!BN_mod_add_quick(ret->s, tmp, blindm, dsa->params.q)) |
167 | 0 | goto err; |
168 | | |
169 | | /* s := s * k^-1 mod q */ |
170 | 0 | if (!BN_mod_mul(ret->s, ret->s, kinv, dsa->params.q, ctx)) |
171 | 0 | goto err; |
172 | | |
173 | | /* s:= s * blind^-1 mod q */ |
174 | 0 | if (BN_mod_inverse(blind, blind, dsa->params.q, ctx) == NULL) |
175 | 0 | goto err; |
176 | 0 | if (!BN_mod_mul(ret->s, ret->s, blind, dsa->params.q, ctx)) |
177 | 0 | goto err; |
178 | | |
179 | | /* |
180 | | * Redo if r or s is zero as required by FIPS 186-4: Section 4.6 |
181 | | * This is very unlikely. |
182 | | * Limit the retries so there is no possibility of an infinite |
183 | | * loop for bad domain parameter values. |
184 | | */ |
185 | 0 | if (BN_is_zero(ret->r) || BN_is_zero(ret->s)) { |
186 | 0 | if (retries++ > MAX_DSA_SIGN_RETRIES) { |
187 | 0 | reason = DSA_R_TOO_MANY_RETRIES; |
188 | 0 | goto err; |
189 | 0 | } |
190 | 0 | goto redo; |
191 | 0 | } |
192 | 0 | rv = 1; |
193 | 0 | err: |
194 | 0 | if (rv == 0) { |
195 | 0 | ERR_raise(ERR_LIB_DSA, reason); |
196 | 0 | DSA_SIG_free(ret); |
197 | 0 | ret = NULL; |
198 | 0 | } |
199 | 0 | BN_CTX_free(ctx); |
200 | 0 | BN_clear_free(kinv); |
201 | 0 | return ret; |
202 | 0 | } |
203 | | |
204 | | static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) |
205 | 0 | { |
206 | 0 | return ossl_dsa_do_sign_int(dgst, dlen, dsa, |
207 | 0 | 0, NULL, NULL, NULL); |
208 | 0 | } |
209 | | |
210 | | static int dsa_sign_setup_no_digest(DSA *dsa, BN_CTX *ctx_in, |
211 | | BIGNUM **kinvp, BIGNUM **rp) |
212 | 0 | { |
213 | 0 | return dsa_sign_setup(dsa, ctx_in, kinvp, rp, NULL, 0, |
214 | 0 | 0, NULL, NULL, NULL); |
215 | 0 | } |
216 | | |
217 | | static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, |
218 | | BIGNUM **kinvp, BIGNUM **rp, |
219 | | const unsigned char *dgst, int dlen, |
220 | | unsigned int nonce_type, const char *digestname, |
221 | | OSSL_LIB_CTX *libctx, const char *propq) |
222 | 0 | { |
223 | 0 | BN_CTX *ctx = NULL; |
224 | 0 | BIGNUM *k, *kinv = NULL, *r = *rp; |
225 | 0 | BIGNUM *l; |
226 | 0 | int ret = 0; |
227 | 0 | int q_bits, q_words; |
228 | |
|
229 | 0 | if (!dsa->params.p || !dsa->params.q || !dsa->params.g) { |
230 | 0 | ERR_raise(ERR_LIB_DSA, DSA_R_MISSING_PARAMETERS); |
231 | 0 | return 0; |
232 | 0 | } |
233 | | |
234 | | /* Reject obviously invalid parameters */ |
235 | 0 | if (BN_is_zero(dsa->params.p) |
236 | 0 | || BN_is_zero(dsa->params.q) |
237 | 0 | || BN_is_zero(dsa->params.g) |
238 | 0 | || BN_is_negative(dsa->params.p) |
239 | 0 | || BN_is_negative(dsa->params.q) |
240 | 0 | || BN_is_negative(dsa->params.g)) { |
241 | 0 | ERR_raise(ERR_LIB_DSA, DSA_R_INVALID_PARAMETERS); |
242 | 0 | return 0; |
243 | 0 | } |
244 | 0 | if (dsa->priv_key == NULL) { |
245 | 0 | ERR_raise(ERR_LIB_DSA, DSA_R_MISSING_PRIVATE_KEY); |
246 | 0 | return 0; |
247 | 0 | } |
248 | 0 | k = BN_new(); |
249 | 0 | l = BN_new(); |
250 | 0 | if (k == NULL || l == NULL) |
251 | 0 | goto err; |
252 | | |
253 | 0 | if (ctx_in == NULL) { |
254 | | /* if you don't pass in ctx_in you get a default libctx */ |
255 | 0 | if ((ctx = BN_CTX_new_ex(NULL)) == NULL) |
256 | 0 | goto err; |
257 | 0 | } else |
258 | 0 | ctx = ctx_in; |
259 | | |
260 | | /* Preallocate space */ |
261 | 0 | q_bits = BN_num_bits(dsa->params.q); |
262 | 0 | q_words = bn_get_top(dsa->params.q); |
263 | 0 | if (q_bits < MIN_DSA_SIGN_QBITS |
264 | 0 | || !bn_wexpand(k, q_words + 2) |
265 | 0 | || !bn_wexpand(l, q_words + 2)) |
266 | 0 | goto err; |
267 | | |
268 | | /* Get random k */ |
269 | 0 | do { |
270 | 0 | if (dgst != NULL) { |
271 | 0 | if (nonce_type == 1) { |
272 | 0 | #ifndef FIPS_MODULE |
273 | 0 | if (!ossl_gen_deterministic_nonce_rfc6979(k, dsa->params.q, |
274 | 0 | dsa->priv_key, |
275 | 0 | dgst, dlen, |
276 | 0 | digestname, |
277 | 0 | libctx, propq)) |
278 | 0 | #endif |
279 | 0 | goto err; |
280 | 0 | } else { |
281 | | /* |
282 | | * We calculate k from SHA512(private_key + H(message) + random). |
283 | | * This protects the private key from a weak PRNG. |
284 | | */ |
285 | 0 | if (!ossl_bn_gen_dsa_nonce_fixed_top(k, dsa->params.q, |
286 | 0 | dsa->priv_key, dgst, |
287 | 0 | dlen, ctx)) |
288 | 0 | goto err; |
289 | 0 | } |
290 | 0 | } else if (!ossl_bn_priv_rand_range_fixed_top(k, dsa->params.q, 0, ctx)) |
291 | 0 | goto err; |
292 | 0 | } while (ossl_bn_is_word_fixed_top(k, 0)); |
293 | | |
294 | 0 | BN_set_flags(k, BN_FLG_CONSTTIME); |
295 | 0 | BN_set_flags(l, BN_FLG_CONSTTIME); |
296 | |
|
297 | 0 | if (dsa->flags & DSA_FLAG_CACHE_MONT_P) { |
298 | 0 | if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p, |
299 | 0 | dsa->lock, dsa->params.p, ctx)) |
300 | 0 | goto err; |
301 | 0 | } |
302 | | |
303 | | /* Compute r = (g^k mod p) mod q */ |
304 | | |
305 | | /* |
306 | | * We do not want timing information to leak the length of k, so we |
307 | | * compute G^k using an equivalent scalar of fixed bit-length. |
308 | | * |
309 | | * We unconditionally perform both of these additions to prevent a |
310 | | * small timing information leakage. We then choose the sum that is |
311 | | * one bit longer than the modulus. |
312 | | * |
313 | | * There are some concerns about the efficacy of doing this. More |
314 | | * specifically refer to the discussion starting with: |
315 | | * https://github.com/openssl/openssl/pull/7486#discussion_r228323705 |
316 | | * The fix is to rework BN so these gymnastics aren't required. |
317 | | */ |
318 | 0 | if (!BN_add(l, k, dsa->params.q) |
319 | 0 | || !BN_add(k, l, dsa->params.q)) |
320 | 0 | goto err; |
321 | | |
322 | 0 | BN_consttime_swap(BN_is_bit_set(l, q_bits), k, l, q_words + 2); |
323 | |
|
324 | 0 | if ((dsa)->meth->bn_mod_exp != NULL) { |
325 | 0 | if (!dsa->meth->bn_mod_exp(dsa, r, dsa->params.g, k, dsa->params.p, |
326 | 0 | ctx, dsa->method_mont_p)) |
327 | 0 | goto err; |
328 | 0 | } else { |
329 | 0 | if (!BN_mod_exp_mont(r, dsa->params.g, k, dsa->params.p, ctx, |
330 | 0 | dsa->method_mont_p)) |
331 | 0 | goto err; |
332 | 0 | } |
333 | | |
334 | 0 | if (!BN_mod(r, r, dsa->params.q, ctx)) |
335 | 0 | goto err; |
336 | | |
337 | | /* Compute part of 's = inv(k) (m + xr) mod q' */ |
338 | 0 | if ((kinv = dsa_mod_inverse_fermat(k, dsa->params.q, ctx)) == NULL) |
339 | 0 | goto err; |
340 | | |
341 | 0 | BN_clear_free(*kinvp); |
342 | 0 | *kinvp = kinv; |
343 | 0 | kinv = NULL; |
344 | 0 | ret = 1; |
345 | 0 | err: |
346 | 0 | if (!ret) |
347 | 0 | ERR_raise(ERR_LIB_DSA, ERR_R_BN_LIB); |
348 | 0 | if (ctx != ctx_in) |
349 | 0 | BN_CTX_free(ctx); |
350 | 0 | BN_clear_free(k); |
351 | 0 | BN_clear_free(l); |
352 | 0 | return ret; |
353 | 0 | } |
354 | | |
355 | | static int dsa_do_verify(const unsigned char *dgst, int dgst_len, |
356 | | DSA_SIG *sig, DSA *dsa) |
357 | 0 | { |
358 | 0 | BN_CTX *ctx; |
359 | 0 | BIGNUM *u1, *u2, *t1; |
360 | 0 | BN_MONT_CTX *mont = NULL; |
361 | 0 | const BIGNUM *r, *s; |
362 | 0 | int ret = -1, i; |
363 | |
|
364 | 0 | if (dsa->params.p == NULL |
365 | 0 | || dsa->params.q == NULL |
366 | 0 | || dsa->params.g == NULL) { |
367 | 0 | ERR_raise(ERR_LIB_DSA, DSA_R_MISSING_PARAMETERS); |
368 | 0 | return -1; |
369 | 0 | } |
370 | | |
371 | 0 | i = BN_num_bits(dsa->params.q); |
372 | | /* fips 186-3 allows only different sizes for q */ |
373 | 0 | if (i != 160 && i != 224 && i != 256) { |
374 | 0 | ERR_raise(ERR_LIB_DSA, DSA_R_BAD_Q_VALUE); |
375 | 0 | return -1; |
376 | 0 | } |
377 | | |
378 | 0 | if (BN_num_bits(dsa->params.p) > OPENSSL_DSA_MAX_MODULUS_BITS) { |
379 | 0 | ERR_raise(ERR_LIB_DSA, DSA_R_MODULUS_TOO_LARGE); |
380 | 0 | return -1; |
381 | 0 | } |
382 | 0 | u1 = BN_new(); |
383 | 0 | u2 = BN_new(); |
384 | 0 | t1 = BN_new(); |
385 | 0 | ctx = BN_CTX_new_ex(NULL); /* verify does not need a libctx */ |
386 | 0 | if (u1 == NULL || u2 == NULL || t1 == NULL || ctx == NULL) |
387 | 0 | goto err; |
388 | | |
389 | 0 | DSA_SIG_get0(sig, &r, &s); |
390 | |
|
391 | 0 | if (BN_is_zero(r) || BN_is_negative(r) || |
392 | 0 | BN_ucmp(r, dsa->params.q) >= 0) { |
393 | 0 | ret = 0; |
394 | 0 | goto err; |
395 | 0 | } |
396 | 0 | if (BN_is_zero(s) || BN_is_negative(s) || |
397 | 0 | BN_ucmp(s, dsa->params.q) >= 0) { |
398 | 0 | ret = 0; |
399 | 0 | goto err; |
400 | 0 | } |
401 | | |
402 | | /* |
403 | | * Calculate W = inv(S) mod Q save W in u2 |
404 | | */ |
405 | 0 | if ((BN_mod_inverse(u2, s, dsa->params.q, ctx)) == NULL) |
406 | 0 | goto err; |
407 | | |
408 | | /* save M in u1 */ |
409 | 0 | if (dgst_len > (i >> 3)) |
410 | | /* |
411 | | * if the digest length is greater than the size of q use the |
412 | | * BN_num_bits(dsa->q) leftmost bits of the digest, see fips 186-3, |
413 | | * 4.2 |
414 | | */ |
415 | 0 | dgst_len = (i >> 3); |
416 | 0 | if (BN_bin2bn(dgst, dgst_len, u1) == NULL) |
417 | 0 | goto err; |
418 | | |
419 | | /* u1 = M * w mod q */ |
420 | 0 | if (!BN_mod_mul(u1, u1, u2, dsa->params.q, ctx)) |
421 | 0 | goto err; |
422 | | |
423 | | /* u2 = r * w mod q */ |
424 | 0 | if (!BN_mod_mul(u2, r, u2, dsa->params.q, ctx)) |
425 | 0 | goto err; |
426 | | |
427 | 0 | if (dsa->flags & DSA_FLAG_CACHE_MONT_P) { |
428 | 0 | mont = BN_MONT_CTX_set_locked(&dsa->method_mont_p, |
429 | 0 | dsa->lock, dsa->params.p, ctx); |
430 | 0 | if (!mont) |
431 | 0 | goto err; |
432 | 0 | } |
433 | | |
434 | 0 | if (dsa->meth->dsa_mod_exp != NULL) { |
435 | 0 | if (!dsa->meth->dsa_mod_exp(dsa, t1, dsa->params.g, u1, dsa->pub_key, u2, |
436 | 0 | dsa->params.p, ctx, mont)) |
437 | 0 | goto err; |
438 | 0 | } else { |
439 | 0 | if (!BN_mod_exp2_mont(t1, dsa->params.g, u1, dsa->pub_key, u2, |
440 | 0 | dsa->params.p, ctx, mont)) |
441 | 0 | goto err; |
442 | 0 | } |
443 | | |
444 | | /* let u1 = u1 mod q */ |
445 | 0 | if (!BN_mod(u1, t1, dsa->params.q, ctx)) |
446 | 0 | goto err; |
447 | | |
448 | | /* |
449 | | * V is now in u1. If the signature is correct, it will be equal to R. |
450 | | */ |
451 | 0 | ret = (BN_ucmp(u1, r) == 0); |
452 | |
|
453 | 0 | err: |
454 | 0 | if (ret < 0) |
455 | 0 | ERR_raise(ERR_LIB_DSA, ERR_R_BN_LIB); |
456 | 0 | BN_CTX_free(ctx); |
457 | 0 | BN_free(u1); |
458 | 0 | BN_free(u2); |
459 | 0 | BN_free(t1); |
460 | 0 | return ret; |
461 | 0 | } |
462 | | |
463 | | static int dsa_init(DSA *dsa) |
464 | 0 | { |
465 | 0 | dsa->flags |= DSA_FLAG_CACHE_MONT_P; |
466 | 0 | dsa->dirty_cnt++; |
467 | 0 | return 1; |
468 | 0 | } |
469 | | |
470 | | static int dsa_finish(DSA *dsa) |
471 | 0 | { |
472 | 0 | BN_MONT_CTX_free(dsa->method_mont_p); |
473 | 0 | return 1; |
474 | 0 | } |
475 | | |
476 | | /* |
477 | | * Compute the inverse of k modulo q. |
478 | | * Since q is prime, Fermat's Little Theorem applies, which reduces this to |
479 | | * mod-exp operation. Both the exponent and modulus are public information |
480 | | * so a mod-exp that doesn't leak the base is sufficient. A newly allocated |
481 | | * BIGNUM is returned which the caller must free. |
482 | | */ |
483 | | static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q, |
484 | | BN_CTX *ctx) |
485 | 0 | { |
486 | 0 | BIGNUM *res = NULL; |
487 | 0 | BIGNUM *r, *e; |
488 | |
|
489 | 0 | if ((r = BN_new()) == NULL) |
490 | 0 | return NULL; |
491 | | |
492 | 0 | BN_CTX_start(ctx); |
493 | 0 | if ((e = BN_CTX_get(ctx)) != NULL |
494 | 0 | && BN_set_word(r, 2) |
495 | 0 | && BN_sub(e, q, r) |
496 | 0 | && BN_mod_exp_mont(r, k, e, q, ctx, NULL)) |
497 | 0 | res = r; |
498 | 0 | else |
499 | 0 | BN_free(r); |
500 | 0 | BN_CTX_end(ctx); |
501 | 0 | return res; |
502 | 0 | } |