[thirdparty/openssl.git] / crypto / bn / bn_blind.c

/* crypto/bn/bn_blind.c */
/* ====================================================================
 * Copyright (c) 1998-2005 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    openssl-core@openssl.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 * 
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
 * 
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
 * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *    "This product includes cryptographic software written by
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
 * 4. If you include any Windows specific code (or a derivative thereof) from 
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
 * 
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 * 
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */

#include <stdio.h>
#include "cryptlib.h"
#include "bn_lcl.h"

#define BN_BLINDING_COUNTER	32

struct bn_blinding_st
	{
	BIGNUM *A;
	BIGNUM *Ai;
	BIGNUM *e;
	BIGNUM *mod; /* just a reference */
	unsigned long thread_id; /* added in OpenSSL 0.9.6j and 0.9.7b;
				  * used only by crypto/rsa/rsa_eay.c, rsa_lib.c */
	unsigned int  counter;
	unsigned long flags;
	BN_MONT_CTX *m_ctx;
	int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
			  const BIGNUM *m, BN_CTX *ctx,
			  BN_MONT_CTX *m_ctx);
	};

BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod)
	{
	BN_BLINDING *ret=NULL;

	bn_check_top(mod);

	if ((ret=(BN_BLINDING *)OPENSSL_malloc(sizeof(BN_BLINDING))) == NULL)
		{
		BNerr(BN_F_BN_BLINDING_NEW,ERR_R_MALLOC_FAILURE);
		return(NULL);
		}
	memset(ret,0,sizeof(BN_BLINDING));
	if (A != NULL)
		{
		if ((ret->A  = BN_dup(A))  == NULL) goto err;
		}
	if (Ai != NULL)
		{
		if ((ret->Ai = BN_dup(Ai)) == NULL) goto err;
		}
	ret->mod = mod;
	ret->counter = BN_BLINDING_COUNTER;
	return(ret);
err:
	if (ret != NULL) BN_BLINDING_free(ret);
	return(NULL);
	}

void BN_BLINDING_free(BN_BLINDING *r)
	{
	if(r == NULL)
	    return;

	if (r->A  != NULL) BN_free(r->A );
	if (r->Ai != NULL) BN_free(r->Ai);
	if (r->e  != NULL) BN_free(r->e );
	OPENSSL_free(r);
	}

int BN_BLINDING_update(BN_BLINDING *b, BN_CTX *ctx)
	{
	int ret=0;

	if ((b->A == NULL) || (b->Ai == NULL))
		{
		BNerr(BN_F_BN_BLINDING_UPDATE,BN_R_NOT_INITIALIZED);
		goto err;
		}

	if (--(b->counter) == 0 && b->e != NULL &&
		!(b->flags & BN_BLINDING_NO_RECREATE))
		{
		/* re-create blinding parameters */
		if (!BN_BLINDING_create_param(b, NULL, NULL, ctx, NULL, NULL))
			goto err;
		}
	else if (!(b->flags & BN_BLINDING_NO_UPDATE))
		{
		if (!BN_mod_mul(b->A,b->A,b->A,b->mod,ctx)) goto err;
		if (!BN_mod_mul(b->Ai,b->Ai,b->Ai,b->mod,ctx)) goto err;
		}

	ret=1;
err:
	if (b->counter == 0)
		b->counter = BN_BLINDING_COUNTER;
	return(ret);
	}

int BN_BLINDING_convert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx)
	{
	return BN_BLINDING_convert_ex(n, NULL, b, ctx);
	}

int BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b, BN_CTX *ctx)
	{
	bn_check_top(n);

	if ((b->A == NULL) || (b->Ai == NULL))
		{
		BNerr(BN_F_BN_BLINDING_CONVERT_EX,BN_R_NOT_INITIALIZED);
		return(0);
		}

	if (r != NULL)
		BN_copy(r, b->Ai);

	return BN_mod_mul(n,n,b->A,b->mod,ctx);
	}

int BN_BLINDING_invert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx)
	{
	return BN_BLINDING_invert_ex(n, NULL, b, ctx);
	}

int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b, BN_CTX *ctx)
	{
	int ret;

	bn_check_top(n);
	if ((b->A == NULL) || (b->Ai == NULL))
		{
		BNerr(BN_F_BN_BLINDING_INVERT_EX,BN_R_NOT_INITIALIZED);
		return(0);
		}

	if (r != NULL)
		ret = BN_mod_mul(n, n, r, b->mod, ctx);
	else
		ret = BN_mod_mul(n, n, b->Ai, b->mod, ctx);

	if (ret >= 0)
		{
		if (!BN_BLINDING_update(b,ctx))
			return(0);
		}
	bn_check_top(n);
	return(ret);
	}

unsigned long BN_BLINDING_get_thread_id(const BN_BLINDING *b)
	{
	return b->thread_id;
	}

void BN_BLINDING_set_thread_id(BN_BLINDING *b, unsigned long n)
	{
	b->thread_id = n;
	}

unsigned long BN_BLINDING_get_flags(const BN_BLINDING *b)
	{
	return b->flags;
	}

void BN_BLINDING_set_flags(BN_BLINDING *b, unsigned long flags)
	{
	b->flags = flags;
	}

BN_BLINDING *BN_BLINDING_create_param(BN_BLINDING *b,
	const BIGNUM *e, BIGNUM *m, BN_CTX *ctx,
	int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
			  const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx),
	BN_MONT_CTX *m_ctx)
{
	int    retry_counter = 32;
	BN_BLINDING *ret = NULL;

	if (b == NULL)
		ret = BN_BLINDING_new(NULL, NULL, m);
	else
		ret = b;

	if (ret == NULL)
		goto err;

	if (ret->A  == NULL && (ret->A  = BN_new()) == NULL)
		goto err;
	if (ret->Ai == NULL && (ret->Ai	= BN_new()) == NULL)
		goto err;

	if (e != NULL)
		{
		if (ret->e != NULL)
			BN_free(ret->e);
		ret->e = BN_dup(e);
		}
	if (ret->e == NULL)
		goto err;

	if (bn_mod_exp != NULL)
		ret->bn_mod_exp = bn_mod_exp;
	if (m_ctx != NULL)
		ret->m_ctx = m_ctx;

	do {
		if (!BN_rand_range(ret->A, ret->mod)) goto err;
		if (BN_mod_inverse(ret->Ai, ret->A, ret->mod, ctx) == NULL)
			{
			/* this should almost never happen for good RSA keys */
			unsigned long error = ERR_peek_last_error();
			if (ERR_GET_REASON(error) == BN_R_NO_INVERSE)
				{
				if (retry_counter-- == 0)
				{
					BNerr(BN_F_BN_BLINDING_CREATE_PARAM,
						BN_R_TOO_MANY_ITERATIONS);
					goto err;
				}
				ERR_clear_error();
				}
			else
				goto err;
			}
		else
			break;
	} while (1);

	if (ret->bn_mod_exp != NULL && ret->m_ctx != NULL)
		{
		if (!ret->bn_mod_exp(ret->A, ret->A, ret->e, ret->mod, ctx, ret->m_ctx))
			goto err;
		}
	else
		{
		if (!BN_mod_exp(ret->A, ret->A, ret->e, ret->mod, ctx))
			goto err;
		}

	return ret;
err:
	if (b == NULL && ret != NULL)
		{
		BN_BLINDING_free(ret);
		ret = NULL;
		}

	return ret;
}
Commit	Line	Data
58964a49	1	/* crypto/bn/bn_blind.c */
800e400d NL	2	/* ====================================================================
	3	* Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
	4	*
	5	* Redistribution and use in source and binary forms, with or without
	6	* modification, are permitted provided that the following conditions
	7	* are met:
	8	*
	9	* 1. Redistributions of source code must retain the above copyright
	10	* notice, this list of conditions and the following disclaimer.
	11	*
	12	* 2. Redistributions in binary form must reproduce the above copyright
	13	* notice, this list of conditions and the following disclaimer in
	14	* the documentation and/or other materials provided with the
	15	* distribution.
	16	*
	17	* 3. All advertising materials mentioning features or use of this
	18	* software must display the following acknowledgment:
	19	* "This product includes software developed by the OpenSSL Project
	20	* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
	21	*
	22	* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
	23	* endorse or promote products derived from this software without
	24	* prior written permission. For written permission, please contact
	25	* openssl-core@openssl.org.
	26	*
	27	* 5. Products derived from this software may not be called "OpenSSL"
	28	* nor may "OpenSSL" appear in their names without prior written
	29	* permission of the OpenSSL Project.
	30	*
	31	* 6. Redistributions of any form whatsoever must retain the following
	32	* acknowledgment:
	33	* "This product includes software developed by the OpenSSL Project
	34	* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
	35	*
	36	* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
	37	* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	38	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
	39	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
	40	* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
	41	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	42	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
	43	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	44	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
	45	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
	46	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
	47	* OF THE POSSIBILITY OF SUCH DAMAGE.
	48	* ====================================================================
	49	*
	50	* This product includes cryptographic software written by Eric Young
	51	* (eay@cryptsoft.com). This product includes software written by Tim
	52	* Hudson (tjh@cryptsoft.com).
	53	*
	54	*/
58964a49 RE	55	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
	56	* All rights reserved.
	57	*
	58	* This package is an SSL implementation written
	59	* by Eric Young (eay@cryptsoft.com).
	60	* The implementation was written so as to conform with Netscapes SSL.
	61	*
	62	* This library is free for commercial and non-commercial use as long as
	63	* the following conditions are aheared to. The following conditions
	64	* apply to all code found in this distribution, be it the RC4, RSA,
	65	* lhash, DES, etc., code; not just the SSL code. The SSL documentation
	66	* included with this distribution is covered by the same copyright terms
	67	* except that the holder is Tim Hudson (tjh@cryptsoft.com).
	68	*
	69	* Copyright remains Eric Young's, and as such any Copyright notices in
	70	* the code are not to be removed.
	71	* If this package is used in a product, Eric Young should be given attribution
	72	* as the author of the parts of the library used.
	73	* This can be in the form of a textual message at program startup or
	74	* in documentation (online or textual) provided with the package.
	75	*
	76	* Redistribution and use in source and binary forms, with or without
	77	* modification, are permitted provided that the following conditions
	78	* are met:
	79	* 1. Redistributions of source code must retain the copyright
	80	* notice, this list of conditions and the following disclaimer.
	81	* 2. Redistributions in binary form must reproduce the above copyright
	82	* notice, this list of conditions and the following disclaimer in the
	83	* documentation and/or other materials provided with the distribution.
	84	* 3. All advertising materials mentioning features or use of this software
	85	* must display the following acknowledgement:
	86	* "This product includes cryptographic software written by
	87	* Eric Young (eay@cryptsoft.com)"
	88	* The word 'cryptographic' can be left out if the rouines from the library
	89	* being used are not cryptographic related :-).
	90	* 4. If you include any Windows specific code (or a derivative thereof) from
	91	* the apps directory (application code) you must include an acknowledgement:
	92	* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
	93	*
	94	* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
	95	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	96	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	97	* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
	98	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	99	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
	100	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	101	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	102	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
	103	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
	104	* SUCH DAMAGE.
	105	*
	106	* The licence and distribution terms for any publically available version or
	107	* derivative of this code cannot be changed. i.e. this code cannot simply be
	108	* copied and put under another distribution licence
	109	* [including the GNU Public Licence.]
	110	*/
	111
	112	#include <stdio.h>
	113	#include "cryptlib.h"
	114	#include "bn_lcl.h"
	115
800e400d NL	116	#define BN_BLINDING_COUNTER 32
	117
	118	struct bn_blinding_st
	119	{
	120	BIGNUM *A;
	121	BIGNUM *Ai;
	122	BIGNUM *e;
	123	BIGNUM mod; / just a reference */
	124	unsigned long thread_id; /* added in OpenSSL 0.9.6j and 0.9.7b;
	125	* used only by crypto/rsa/rsa_eay.c, rsa_lib.c */
	126	unsigned int counter;
	127	unsigned long flags;
	128	BN_MONT_CTX *m_ctx;
	129	int (bn_mod_exp)(BIGNUM r, const BIGNUM a, const BIGNUM p,
	130	const BIGNUM m, BN_CTX ctx,
	131	BN_MONT_CTX *m_ctx);
	132	};
	133
	134	BN_BLINDING BN_BLINDING_new(const BIGNUM A, const BIGNUM Ai, BIGNUM mod)
58964a49 RE	135	{
	136	BN_BLINDING *ret=NULL;
	137
dfeab068 RE	138	bn_check_top(mod);
dfeab068 RE	139
26a3a48d	140	if ((ret=(BN_BLINDING *)OPENSSL_malloc(sizeof(BN_BLINDING))) == NULL)
dfeab068	141	{
58964a49	142	BNerr(BN_F_BN_BLINDING_NEW,ERR_R_MALLOC_FAILURE);
dfeab068 RE	143	return(NULL);
dfeab068 RE	144	}
58964a49	145	memset(ret,0,sizeof(BN_BLINDING));
800e400d NL	146	if (A != NULL)
	147	{
	148	if ((ret->A = BN_dup(A)) == NULL) goto err;
	149	}
	150	if (Ai != NULL)
	151	{
	152	if ((ret->Ai = BN_dup(Ai)) == NULL) goto err;
	153	}
	154	ret->mod = mod;
	155	ret->counter = BN_BLINDING_COUNTER;
58964a49 RE	156	return(ret);
	157	err:
	158	if (ret != NULL) BN_BLINDING_free(ret);
dfeab068	159	return(NULL);
58964a49 RE	160	}
58964a49 RE	161
6b691a5c	162	void BN_BLINDING_free(BN_BLINDING *r)
58964a49	163	{
e03ddfae BL	164	if(r == NULL)
	165	return;
	166
58964a49 RE	167	if (r->A != NULL) BN_free(r->A );
58964a49 RE	168	if (r->Ai != NULL) BN_free(r->Ai);
800e400d	169	if (r->e != NULL) BN_free(r->e );
26a3a48d	170	OPENSSL_free(r);
58964a49 RE	171	}
58964a49 RE	172
6b691a5c	173	int BN_BLINDING_update(BN_BLINDING b, BN_CTX ctx)
58964a49 RE	174	{
	175	int ret=0;
	176
	177	if ((b->A == NULL) \|\| (b->Ai == NULL))
	178	{
df82f5c8	179	BNerr(BN_F_BN_BLINDING_UPDATE,BN_R_NOT_INITIALIZED);
58964a49 RE	180	goto err;
58964a49 RE	181	}
800e400d NL	182
	183	if (--(b->counter) == 0 && b->e != NULL &&
	184	!(b->flags & BN_BLINDING_NO_RECREATE))
	185	{
	186	/* re-create blinding parameters */
	187	if (!BN_BLINDING_create_param(b, NULL, NULL, ctx, NULL, NULL))
	188	goto err;
	189	}
	190	else if (!(b->flags & BN_BLINDING_NO_UPDATE))
	191	{
	192	if (!BN_mod_mul(b->A,b->A,b->A,b->mod,ctx)) goto err;
	193	if (!BN_mod_mul(b->Ai,b->Ai,b->Ai,b->mod,ctx)) goto err;
	194	}
58964a49 RE	195
	196	ret=1;
	197	err:
800e400d NL	198	if (b->counter == 0)
800e400d NL	199	b->counter = BN_BLINDING_COUNTER;
58964a49 RE	200	return(ret);
	201	}
	202
6b691a5c	203	int BN_BLINDING_convert(BIGNUM n, BN_BLINDING b, BN_CTX *ctx)
800e400d NL	204	{
	205	return BN_BLINDING_convert_ex(n, NULL, b, ctx);
	206	}
	207
	208	int BN_BLINDING_convert_ex(BIGNUM n, BIGNUM r, BN_BLINDING b, BN_CTX ctx)
58964a49	209	{
dfeab068 RE	210	bn_check_top(n);
dfeab068 RE	211
58964a49 RE	212	if ((b->A == NULL) \|\| (b->Ai == NULL))
58964a49 RE	213	{
8afca8d9	214	BNerr(BN_F_BN_BLINDING_CONVERT_EX,BN_R_NOT_INITIALIZED);
58964a49 RE	215	return(0);
58964a49 RE	216	}
800e400d NL	217
	218	if (r != NULL)
	219	BN_copy(r, b->Ai);
	220
	221	return BN_mod_mul(n,n,b->A,b->mod,ctx);
58964a49 RE	222	}
58964a49 RE	223
6b691a5c	224	int BN_BLINDING_invert(BIGNUM n, BN_BLINDING b, BN_CTX *ctx)
800e400d NL	225	{
	226	return BN_BLINDING_invert_ex(n, NULL, b, ctx);
	227	}
	228
	229	int BN_BLINDING_invert_ex(BIGNUM n, const BIGNUM r, BN_BLINDING b, BN_CTX ctx)
58964a49 RE	230	{
58964a49 RE	231	int ret;
dfeab068 RE	232
dfeab068 RE	233	bn_check_top(n);
58964a49 RE	234	if ((b->A == NULL) \|\| (b->Ai == NULL))
58964a49 RE	235	{
8afca8d9	236	BNerr(BN_F_BN_BLINDING_INVERT_EX,BN_R_NOT_INITIALIZED);
58964a49 RE	237	return(0);
58964a49 RE	238	}
800e400d NL	239
	240	if (r != NULL)
	241	ret = BN_mod_mul(n, n, r, b->mod, ctx);
	242	else
	243	ret = BN_mod_mul(n, n, b->Ai, b->mod, ctx);
	244
	245	if (ret >= 0)
58964a49 RE	246	{
	247	if (!BN_BLINDING_update(b,ctx))
	248	return(0);
	249	}
d870740c	250	bn_check_top(n);
58964a49 RE	251	return(ret);
	252	}
	253
800e400d NL	254	unsigned long BN_BLINDING_get_thread_id(const BN_BLINDING *b)
	255	{
	256	return b->thread_id;
	257	}
	258
	259	void BN_BLINDING_set_thread_id(BN_BLINDING *b, unsigned long n)
	260	{
	261	b->thread_id = n;
	262	}
	263
	264	unsigned long BN_BLINDING_get_flags(const BN_BLINDING *b)
	265	{
	266	return b->flags;
	267	}
	268
	269	void BN_BLINDING_set_flags(BN_BLINDING *b, unsigned long flags)
	270	{
	271	b->flags = flags;
	272	}
	273
	274	BN_BLINDING BN_BLINDING_create_param(BN_BLINDING b,
	275	const BIGNUM e, BIGNUM m, BN_CTX *ctx,
	276	int (bn_mod_exp)(BIGNUM r, const BIGNUM a, const BIGNUM p,
	277	const BIGNUM m, BN_CTX ctx, BN_MONT_CTX *m_ctx),
	278	BN_MONT_CTX *m_ctx)
	279	{
	280	int retry_counter = 32;
800e400d NL	281	BN_BLINDING *ret = NULL;
	282
	283	if (b == NULL)
	284	ret = BN_BLINDING_new(NULL, NULL, m);
	285	else
	286	ret = b;
	287
	288	if (ret == NULL)
	289	goto err;
	290
	291	if (ret->A == NULL && (ret->A = BN_new()) == NULL)
	292	goto err;
	293	if (ret->Ai == NULL && (ret->Ai = BN_new()) == NULL)
	294	goto err;
	295
	296	if (e != NULL)
	297	{
	298	if (ret->e != NULL)
	299	BN_free(ret->e);
	300	ret->e = BN_dup(e);
	301	}
	302	if (ret->e == NULL)
	303	goto err;
	304
	305	if (bn_mod_exp != NULL)
	306	ret->bn_mod_exp = bn_mod_exp;
	307	if (m_ctx != NULL)
	308	ret->m_ctx = m_ctx;
	309
	310	do {
	311	if (!BN_rand_range(ret->A, ret->mod)) goto err;
	312	if (BN_mod_inverse(ret->Ai, ret->A, ret->mod, ctx) == NULL)
	313	{
	314	/* this should almost never happen for good RSA keys */
	315	unsigned long error = ERR_peek_last_error();
	316	if (ERR_GET_REASON(error) == BN_R_NO_INVERSE)
	317	{
	318	if (retry_counter-- == 0)
	319	{
	320	BNerr(BN_F_BN_BLINDING_CREATE_PARAM,
	321	BN_R_TOO_MANY_ITERATIONS);
	322	goto err;
	323	}
	324	ERR_clear_error();
	325	}
	326	else
	327	goto err;
	328	}
	329	else
	330	break;
	331	} while (1);
	332
	333	if (ret->bn_mod_exp != NULL && ret->m_ctx != NULL)
	334	{
	335	if (!ret->bn_mod_exp(ret->A, ret->A, ret->e, ret->mod, ctx, ret->m_ctx))
	336	goto err;
	337	}
	338	else
	339	{
	340	if (!BN_mod_exp(ret->A, ret->A, ret->e, ret->mod, ctx))
	341	goto err;
	342	}
	343
	344	return ret;
345	err:
346	if (b == NULL && ret != NULL)
347	{
348	BN_BLINDING_free(ret);
349	ret = NULL;
350	}
351
352	return ret;
353	}
354