/* crypto/rsa/rsa_lib.c */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 *
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
 *
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *    "This product includes cryptographic software written by
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
 * 4. If you include any Windows specific code (or a derivative thereof) from
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
 *
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */

59392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#include <stdio.h>
60392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#include <openssl/crypto.h>
61392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#include "cryptlib.h"
62392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#include <openssl/lhash.h>
63392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#include <openssl/bn.h>
64392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#include <openssl/rsa.h>
65392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#include <openssl/rand.h>
66392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#ifndef OPENSSL_NO_ENGINE
67392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#include <openssl/engine.h>
68392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#endif
69392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom
/*
 * RSA_size - size in bytes of the RSA modulus r->n.
 *
 * Both r and r->n are dereferenced without a check, so the caller must pass
 * a key that actually carries a modulus.
 */
int RSA_size(const RSA *r)
{
    const BIGNUM *modulus = r->n;

    return BN_num_bytes(modulus);
}

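#ifdef OPENSSL_FIPS
/*
 * rsa_fips_method_allowed - the FIPS gate shared by the four RSA operation
 * entry points below (previously copied verbatim into each of them).
 *
 * While FIPS_mode() is on, an RSA_METHOD lacking RSA_FLAG_FIPS_METHOD is
 * refused unless the key itself opts out with RSA_FLAG_NON_FIPS_ALLOW.
 *
 * func: the RSA_F_* code of the calling entry point, used for the error
 *       record.  Note that the file/line stored in that record now points
 *       at this helper rather than at the caller; the function code still
 *       identifies the entry point.
 *
 * Returns 1 when the operation may proceed, 0 after pushing
 * RSA_R_NON_FIPS_RSA_METHOD.
 */
static int rsa_fips_method_allowed(const RSA *rsa, int func)
{
    if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
        && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
        RSAerr(func, RSA_R_NON_FIPS_RSA_METHOD);
        return 0;
    }
    return 1;
}
#endif

/*
 * RSA_public_encrypt - entry point for the public-key encrypt operation.
 *
 * flen bytes of from are processed into to with the padding mode given by
 * padding; the computation itself lives in rsa->meth->rsa_pub_enc, whose
 * return value is passed through unchanged.  Under OPENSSL_FIPS the call is
 * first checked by rsa_fips_method_allowed() and returns -1 when refused.
 */
int RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to,
                       RSA *rsa, int padding)
{
#ifdef OPENSSL_FIPS
    if (!rsa_fips_method_allowed(rsa, RSA_F_RSA_PUBLIC_ENCRYPT))
        return -1;
#endif
    return rsa->meth->rsa_pub_enc(flen, from, to, rsa, padding);
}

/*
 * RSA_private_encrypt - entry point for the private-key encrypt operation.
 *
 * Same contract as RSA_public_encrypt(), delegating to
 * rsa->meth->rsa_priv_enc; -1 when the FIPS gate refuses the method.
 */
int RSA_private_encrypt(int flen, const unsigned char *from, unsigned char *to,
                        RSA *rsa, int padding)
{
#ifdef OPENSSL_FIPS
    if (!rsa_fips_method_allowed(rsa, RSA_F_RSA_PRIVATE_ENCRYPT))
        return -1;
#endif
    return rsa->meth->rsa_priv_enc(flen, from, to, rsa, padding);
}

/*
 * RSA_private_decrypt - entry point for the private-key decrypt operation.
 *
 * Same contract as RSA_public_encrypt(), delegating to
 * rsa->meth->rsa_priv_dec; -1 when the FIPS gate refuses the method.
 */
int RSA_private_decrypt(int flen, const unsigned char *from, unsigned char *to,
                        RSA *rsa, int padding)
{
#ifdef OPENSSL_FIPS
    if (!rsa_fips_method_allowed(rsa, RSA_F_RSA_PRIVATE_DECRYPT))
        return -1;
#endif
    return rsa->meth->rsa_priv_dec(flen, from, to, rsa, padding);
}

/*
 * RSA_public_decrypt - entry point for the public-key decrypt operation.
 *
 * Same contract as RSA_public_encrypt(), delegating to
 * rsa->meth->rsa_pub_dec; -1 when the FIPS gate refuses the method.
 */
int RSA_public_decrypt(int flen, const unsigned char *from, unsigned char *to,
                       RSA *rsa, int padding)
{
#ifdef OPENSSL_FIPS
    if (!rsa_fips_method_allowed(rsa, RSA_F_RSA_PUBLIC_DECRYPT))
        return -1;
#endif
    return rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding);
}
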
/*
 * RSA_flags - the flag word of the RSA_METHOD attached to r.
 *
 * A NULL key yields 0.  Otherwise r->meth is dereferenced unconditionally,
 * so a key without a method attached is not tolerated.
 */
int RSA_flags(const RSA *r)
{
    if (r == NULL)
        return 0;

    return r->meth->flags;
}

/*
 * RSA_blinding_off - release any blinding state held by rsa and mark the
 * key as not using blinding.
 *
 * The BN_BLINDING (if any) is freed and the pointer cleared; then
 * RSA_FLAG_BLINDING is cleared and RSA_FLAG_NO_BLINDING set.  The flag
 * update happens whether or not a BN_BLINDING was present.
 */
void RSA_blinding_off(RSA *rsa)
{
    BN_BLINDING *old = rsa->blinding;

    if (old != NULL) {
        rsa->blinding = NULL;
        BN_BLINDING_free(old);
    }

    rsa->flags = (rsa->flags & ~RSA_FLAG_BLINDING) | RSA_FLAG_NO_BLINDING;
}

/*
 * RSA_blinding_on - (re)create the blinding state for rsa.
 *
 * Any existing BN_BLINDING is torn down through RSA_blinding_off() first,
 * then a fresh one is built with RSA_setup_blinding() using ctx (which may
 * be NULL; see RSA_setup_blinding()).
 *
 * Returns 1 on success, with RSA_FLAG_BLINDING set and RSA_FLAG_NO_BLINDING
 * cleared.  Returns 0 when RSA_setup_blinding() fails; rsa->blinding is then
 * NULL and the flags are left as they were after the optional
 * RSA_blinding_off() call.
 */
int RSA_blinding_on(RSA *rsa, BN_CTX *ctx)
{
    if (rsa->blinding != NULL)
        RSA_blinding_off(rsa);

    rsa->blinding = RSA_setup_blinding(rsa, ctx);
    if (rsa->blinding == NULL)
        return 0;

    rsa->flags = (rsa->flags | RSA_FLAG_BLINDING) & ~RSA_FLAG_NO_BLINDING;
    return 1;
}

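/*
 * rsa_get_public_exp - recover the public exponent e from the private key.
 *
 * Computes e = d^-1 mod (p-1)(q-1) for a key stored without e.
 *
 * d, p, q: private exponent and the two prime factors; any NULL gives NULL.
 * ctx:     scratch BN_CTX, must not be NULL (BN_CTX_start() is applied to it
 *          unconditionally); it is left as found.
 *
 * Returns a newly allocated BIGNUM the caller must BN_free(), or NULL on
 * allocation failure or when d has no inverse modulo (p-1)(q-1).
 *
 * d is private-key material, so the inverse is taken on a BN_FLG_CONSTTIME
 * view of it: BN_mod_inverse() selects its branch-free variant when either
 * operand carries that flag, the same way RSA_setup_blinding() flags the
 * modulus.  The (p-1)(q-1) product is left on the ordinary multiply.
 */
static BIGNUM *rsa_get_public_exp(const BIGNUM *d, const BIGNUM *p,
                                  const BIGNUM *q, BN_CTX *ctx)
{
    BIGNUM local_d;
    BIGNUM *ret = NULL, *phi, *pm1, *qm1;

    if (d == NULL || p == NULL || q == NULL)
        return NULL;

    BN_CTX_start(ctx);
    phi = BN_CTX_get(ctx);
    pm1 = BN_CTX_get(ctx);
    qm1 = BN_CTX_get(ctx);
    /*
     * BN_CTX_get() returns NULL for every call after a failed one, so
     * checking the last of the three covers all of them.
     */
    if (qm1 == NULL)
        goto err;

    if (!BN_sub(pm1, p, BN_value_one()))
        goto err;
    if (!BN_sub(qm1, q, BN_value_one()))
        goto err;
    if (!BN_mul(phi, pm1, qm1, ctx))
        goto err;

    /*
     * local_d aliases d's limbs with the constant-time flag added.  It must
     * be BN_init()ed first, and it is never freed: BN_with_flags() marks it
     * BN_FLG_STATIC_DATA.
     */
    BN_init(&local_d);
    BN_with_flags(&local_d, d, BN_FLG_CONSTTIME);

    ret = BN_mod_inverse(NULL, &local_d, phi, ctx);
 err:
    BN_CTX_end(ctx);
    return ret;
}
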
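/*
 * RSA_setup_blinding - build a BN_BLINDING for rsa.
 *
 * in_ctx: optional BN_CTX.  When NULL a temporary one is created here and
 *         freed before returning.
 *
 * The blinding parameters are derived from the public exponent.  When
 * rsa->e is absent it is reconstructed from d, p and q with
 * rsa_get_public_exp(), and that temporary BIGNUM is released on every exit
 * path.  Unless the key carries RSA_FLAG_NO_CONSTTIME, a BN_FLG_CONSTTIME
 * alias of the modulus is handed to BN_BLINDING_create_param() so the bn
 * layer uses its constant-time code paths.  The current thread id is
 * recorded on the result.
 *
 * Returns a new BN_BLINDING (caller frees with BN_BLINDING_free()) or NULL.
 * Every failure pushes an RSA error except the BN_CTX_new() failure, which
 * pushes nothing.
 */
BN_BLINDING *RSA_setup_blinding(RSA *rsa, BN_CTX *in_ctx)
{
    BIGNUM local_n;
    BIGNUM *e, *n;
    BIGNUM *owned_e = NULL;     /* e we allocated and must free; else NULL */
    BN_CTX *ctx;
    BN_BLINDING *ret = NULL;

    if (in_ctx == NULL) {
        /* The result is a pointer, so fail with NULL rather than 0. */
        if ((ctx = BN_CTX_new()) == NULL)
            return NULL;
    } else {
        ctx = in_ctx;
    }

    /*
     * Frame the scratch usage below.  (The former BN_CTX_get() here produced
     * a BIGNUM that was immediately overwritten, so it has been dropped.)
     */
    BN_CTX_start(ctx);

    if (rsa->e != NULL) {
        e = rsa->e;
    } else {
        owned_e = rsa_get_public_exp(rsa->d, rsa->p, rsa->q, ctx);
        if (owned_e == NULL) {
            RSAerr(RSA_F_RSA_SETUP_BLINDING, RSA_R_NO_PUBLIC_EXPONENT);
            goto err;
        }
        e = owned_e;
    }

    if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL) {
        /*
         * If the PRNG is not properly seeded, resort to the secret exponent
         * as an unpredictable seed.  The 0.0 entropy estimate means this
         * adds no credit, so RAND_status() stays as it was.
         */
        RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0.0);
    }

    if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
        /*
         * Alias the modulus with BN_FLG_CONSTTIME set.  local_n has to be
         * initialised first: BN_with_flags() merges dest's existing
         * BN_FLG_MALLOCED bit into the new flag word, which on an
         * uninitialised stack object reads garbage.
         */
        BN_init(&local_n);
        n = &local_n;
        BN_with_flags(n, rsa->n, BN_FLG_CONSTTIME);
    } else {
        n = rsa->n;
    }

    ret = BN_BLINDING_create_param(NULL, e, n, ctx,
                                   rsa->meth->bn_mod_exp, rsa->_method_mod_n);
    if (ret == NULL) {
        RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_BN_LIB);
        goto err;
    }
    CRYPTO_THREADID_current(BN_BLINDING_thread_id(ret));

 err:
    BN_CTX_end(ctx);
    if (in_ctx == NULL)
        BN_CTX_free(ctx);
    BN_free(owned_e);           /* NULL when e came from rsa->e */

    return ret;
}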