/* crypto/rsa/rsa_lib.c */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 *
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
 *
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *    "This product includes cryptographic software written by
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
 * 4. If you include any Windows specific code (or a derivative thereof) from
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
 *
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
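 */

#include <stdio.h>
#include <openssl/crypto.h>
#include "cryptlib.h"
#include <openssl/lhash.h>
#include <openssl/bn.h>
#include <openssl/rsa.h>
#include <openssl/rand.h>
#ifndef OPENSSL_NO_ENGINE
#include <openssl/engine.h>
#endif

/* Size of the RSA modulus in bytes, i.e. the buffer size the
 * encrypt/decrypt entry points below need for |to|.  |r| and |r->n| must
 * be non-NULL: this dereferences both without checking. */
int RSA_size(const RSA *r)
	{
	return(BN_num_bytes(r->n));
	}

/* The four RSA_*_encrypt/decrypt entry points below dispatch to the
 * RSA_METHOD installed on |rsa|.  In an OPENSSL_FIPS build, a method that
 * is not flagged RSA_FLAG_FIPS_METHOD is refused while FIPS mode is on,
 * unless the key itself carries RSA_FLAG_NON_FIPS_ALLOW; the refusal is
 * queued with RSAerr and reported as -1.  Everything else (padding checks,
 * blinding, the actual arithmetic) lives in the method. */
int RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to,
	     RSA *rsa, int padding)
	{
#ifdef OPENSSL_FIPS
	if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
			&& !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
		{
		RSAerr(RSA_F_RSA_PUBLIC_ENCRYPT, RSA_R_NON_FIPS_RSA_METHOD);
		return -1;
		}
#endif
	return(rsa->meth->rsa_pub_enc(flen, from, to, rsa, padding));
	}

/* Private-key "encrypt" (raw signature primitive); see the note above
 * RSA_public_encrypt for the FIPS gate. */
int RSA_private_encrypt(int flen, const unsigned char *from, unsigned char *to,
	     RSA *rsa, int padding)
	{
#ifdef OPENSSL_FIPS
	if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
			&& !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
		{
		RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT, RSA_R_NON_FIPS_RSA_METHOD);
		return -1;
		}
#endif
	return(rsa->meth->rsa_priv_enc(flen, from, to, rsa, padding));
	}

/* Private-key decrypt; see the note above RSA_public_encrypt for the
 * FIPS gate. */
int RSA_private_decrypt(int flen, const unsigned char *from, unsigned char *to,
	     RSA *rsa, int padding)
	{
#ifdef OPENSSL_FIPS
	if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
			&& !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
		{
		RSAerr(RSA_F_RSA_PRIVATE_DECRYPT, RSA_R_NON_FIPS_RSA_METHOD);
		return -1;
		}
#endif
	return(rsa->meth->rsa_priv_dec(flen, from, to, rsa, padding));
	}

/* Public-key "decrypt" (raw signature verification primitive); see the
 * note above RSA_public_encrypt for the FIPS gate. */
int RSA_public_decrypt(int flen, const unsigned char *from, unsigned char *to,
	     RSA *rsa, int padding)
	{
#ifdef OPENSSL_FIPS
	if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
			&& !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
		{
		RSAerr(RSA_F_RSA_PUBLIC_DECRYPT, RSA_R_NON_FIPS_RSA_METHOD);
		return -1;
		}
#endif
	return(rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding));
	}

/* Flags of the RSA_METHOD attached to |r| -- note: the method's flags,
 * not |r->flags|.  Returns 0 for a NULL key. */
int RSA_flags(const RSA *r)
	{
	return((r == NULL)?0:r->meth->flags);
	}

/* Release any blinding state held by |rsa| and mark the key as not
 * blinded: RSA_FLAG_BLINDING is cleared and RSA_FLAG_NO_BLINDING set.
 * Safe to call when no blinding is present. */
void RSA_blinding_off(RSA *rsa)
	{
	if (rsa->blinding != NULL)
		{
		BN_BLINDING_free(rsa->blinding);
		rsa->blinding=NULL;
		}
	rsa->flags &= ~RSA_FLAG_BLINDING;
	rsa->flags |= RSA_FLAG_NO_BLINDING;
	}

/* (Re)create the blinding state for |rsa|.  |ctx| may be NULL, in which
 * case RSA_setup_blinding allocates its own.  Any existing blinding is
 * released first via RSA_blinding_off.  Returns 1 on success, with
 * RSA_FLAG_BLINDING set and RSA_FLAG_NO_BLINDING cleared; returns 0 if
 * RSA_setup_blinding failed, leaving rsa->blinding NULL. */
int RSA_blinding_on(RSA *rsa, BN_CTX *ctx)
	{
	int ret=0;

	if (rsa->blinding != NULL)
		RSA_blinding_off(rsa);

	rsa->blinding = RSA_setup_blinding(rsa, ctx);
	if (rsa->blinding == NULL)
		goto err;

	rsa->flags |= RSA_FLAG_BLINDING;
	rsa->flags &= ~RSA_FLAG_NO_BLINDING;
	ret=1;
err:
	return(ret);
	}

/* Recover the public exponent from the private key:
 * e = d^-1 mod ((p-1)(q-1)).  Returns NULL if any input is NULL, if the
 * BN_CTX cannot supply temporaries, or if the arithmetic fails.  The
 * returned BIGNUM is freshly allocated by BN_mod_inverse and is owned by
 * the caller. */
static BIGNUM *rsa_get_public_exp(const BIGNUM *d, const BIGNUM *p,
	const BIGNUM *q, BN_CTX *ctx)
{
	BIGNUM *ret = NULL, *r0, *r1, *r2;

	if (d == NULL || p == NULL || q == NULL)
		return NULL;

	BN_CTX_start(ctx);
	r0 = BN_CTX_get(ctx);
	r1 = BN_CTX_get(ctx);
	r2 = BN_CTX_get(ctx);
	/* BN_CTX_get keeps returning NULL once it has failed, so checking
	 * the last temporary covers all three. */
	if (r2 == NULL)
		goto err;

	if (!BN_sub(r1, p, BN_value_one())) goto err;	/* r1 = p - 1 */
	if (!BN_sub(r2, q, BN_value_one())) goto err;	/* r2 = q - 1 */
	if (!BN_mul(r0, r1, r2, ctx)) goto err;		/* r0 = (p-1)(q-1) */

	ret = BN_mod_inverse(NULL, d, r0, ctx);
err:
	BN_CTX_end(ctx);
	return ret;
}

/* Build a BN_BLINDING for |rsa| -- the blinding factor the private-key
 * operations use as a countermeasure against timing side channels.
 * |in_ctx| may be NULL; a temporary BN_CTX is then allocated and freed
 * here.  The public exponent is taken from rsa->e when present and
 * otherwise derived from d, p and q with rsa_get_public_exp.  Unless the
 * key has RSA_FLAG_NO_CONSTTIME, the modulus is handed to the bignum
 * code with BN_FLG_CONSTTIME set.  Returns the new BN_BLINDING (owned by
 * the caller) or NULL with an RSAerr queued. */
BN_BLINDING *RSA_setup_blinding(RSA *rsa, BN_CTX *in_ctx)
{
	BIGNUM local_n;
	BIGNUM *e,*n;
	BN_CTX *ctx;
	BN_BLINDING *ret = NULL;

	if (in_ctx == NULL)
		{
		/* Pointer-returning function: fail with NULL, consistent with
		 * every other failure path below (was a bare 0). */
		if ((ctx = BN_CTX_new()) == NULL) return NULL;
		}
	else
		ctx = in_ctx;

	BN_CTX_start(ctx);
	/* |e| is overwritten in both branches of the next if/else; this
	 * BN_CTX_get only probes that the context can still hand out a
	 * BIGNUM, turning an exhausted context into ERR_R_MALLOC_FAILURE
	 * before any arithmetic starts. */
	e = BN_CTX_get(ctx);
	if (e == NULL)
		{
		RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_MALLOC_FAILURE);
		goto err;
		}

	if (rsa->e == NULL)
		{
		/* No public exponent stored: recover it from the private key.
		 * This yields a heap BIGNUM that the err: path below frees. */
		e = rsa_get_public_exp(rsa->d, rsa->p, rsa->q, ctx);
		if (e == NULL)
			{
			RSAerr(RSA_F_RSA_SETUP_BLINDING, RSA_R_NO_PUBLIC_EXPONENT);
			goto err;
			}
		}
	else
		e = rsa->e;


	if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL)
		{
		/* if PRNG is not properly seeded, resort to secret
		 * exponent as unpredictable seed */
		/* NOTE(review): this mixes private-key material into the PRNG
		 * pool as a last resort.  The entropy estimate passed is 0.0,
		 * so it is not credited as seed entropy; the blinding factor
		 * generated below is only as unpredictable as the PRNG state
		 * actually is. */
		RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0.0);
		}

	if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
		{
		/* Set BN_FLG_CONSTTIME flag: use a local BIGNUM header
		 * (local_n) aliasing rsa->n with the flag set, so rsa->n
		 * itself is not modified. */
		n = &local_n;
		BN_with_flags(n, rsa->n, BN_FLG_CONSTTIME);
		}
	else
		n = rsa->n;

	ret = BN_BLINDING_create_param(NULL, e, n, ctx,
			rsa->meth->bn_mod_exp, rsa->_method_mod_n);
	if (ret == NULL)
		{
		RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_BN_LIB);
		goto err;
		}
	/* Record the current thread id in the blinding. */
	CRYPTO_THREADID_current(BN_BLINDING_thread_id(ret));
err:
	BN_CTX_end(ctx);
	if (in_ctx == NULL)
		BN_CTX_free(ctx);
	/* |e| is heap-owned only when it came from rsa_get_public_exp; on the
	 * earlier failure paths it is NULL and BN_free(NULL) is a no-op. */
	if(rsa->e == NULL)
		BN_free(e);

	return ret;
}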