/* MatrixSSL miscalculation bug
 * demonstrating incomplete fix for Use CVE-2016-6887
 *
 * by Hanno Böck, license: CC0 / public domain
 */

#include <stdio.h>
#include <stdlib.h>
#include <openssl/bn.h>
#include <crypto/cryptoApi.h>

unsigned char a1[] = {
  0xe7, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00,
  0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0xff,
  0xff, 0xff, 0xe1, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x14, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x74, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0xb7, 0xcc, 0x03, 0x00, 0x00
};

unsigned int a1_len = 197;

unsigned char b1[] = {
  0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00
};

unsigned int b1_len = 50;

unsigned char m1[] = {
  0xe7, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xcc, 0xb9, 0x6c, 0x00,
  0x00, 0x00, 0x00, 0xff
};

unsigned int m1_len = 64;

/* test bn functions from openssl/libcrypto */
char *bntest(unsigned char *a_raw, int a_len, unsigned char *b_raw, int b_len,
	     unsigned char *m_raw, int m_len)
{
	BN_CTX *bctx = BN_CTX_new();
	BIGNUM *a = BN_new();
	BIGNUM *b = BN_new();
	BIGNUM *m = BN_new();
	BIGNUM *res1 = BN_new();
	char *result;

	BN_bin2bn(a_raw, a_len, a);
	BN_bin2bn(b_raw, b_len, b);
	BN_bin2bn(m_raw, m_len, m);

	BN_mod_exp(res1, a, b, m, bctx);
	result = BN_bn2hex(res1);
	printf("openssl:\n%s\n", result);

	BN_free(a);
	BN_free(b);
	BN_free(m);
	BN_free(res1);
	BN_CTX_free(bctx);

	return result;
}

char *matrixtest(unsigned char *a_raw, int a_len, unsigned char *b_raw,
		 int b_len, unsigned char *m_raw, int m_len)
{
	unsigned char *rr = malloc(4096);
	char *buf, *buf_ptr;
	int i, s;
	pstm_int a, b, m, r;

	if (pstm_init_for_read_unsigned_bin(NULL, &a, a_len) < 0) {
		printf("pstm_init_for_read_unsigned_bin a error\n");
		return 0;
	}
	if (pstm_read_unsigned_bin(&a, a_raw, a_len) != 0) {
		printf("pstm_read_unsigned_bin a error\n");
		return 0;
	}
	if (pstm_init_for_read_unsigned_bin(NULL, &b, b_len) < 0) {
		printf("pstm_init_for_read_unsigned_bin b error\n");
		return 0;
	}
	if (pstm_read_unsigned_bin(&b, b_raw, b_len) != 0) {
		printf("pstm_read_unsigned_bin b error\n");
		return 0;
	}
	if (pstm_init_for_read_unsigned_bin(NULL, &m, m_len) < 0) {
		printf("pstm_init_for_read_unsigned_bin c error\n");
		return 0;
	}
	if (pstm_read_unsigned_bin(&m, m_raw, m_len) != 0) {
		printf("pstm_read_unsigned_bin c error\n");
		return 0;
	}

	if (pstm_init(NULL, &r) != 0) {
		printf("pstm_init r error\n");
		return 0;
	}

	if (pstm_exptmod(NULL, &a, &b, &m, &r) != 0) {
		printf("pstm_exptmod error\n");
		return 0;
	}

	if (pstm_to_unsigned_bin(0, &r, rr) < 0) {
		printf("pstm_to_unsigned_bin error\n");
		return 0;
	}
	s = pstm_unsigned_bin_size(&r);
	buf = buf_ptr = malloc(s * 2 + 1);
	for (i = 0; i < s; i++) {
		buf_ptr += sprintf(buf_ptr, "%02X", rr[i]);
	}

	printf("matrixssl:\n%s\n", buf);
	return buf;
}

int main(int argc, char *argv[])
{
	char *r1, *r2;

	r1 = matrixtest(a1, a1_len, b1, b1_len, m1, m1_len);

	r2 = bntest(a1, a1_len, b1, b1_len, m1, m1_len);

	if (strcmp(r1, r2) != 0)
		printf("Results differ!\n");

	return 0;
}