[thirdparty/openssl.git] / crypto / bn / bn_blind.c

/* crypto/bn/bn_blind.c */
/* ====================================================================
 * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    openssl-core@openssl.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 * 
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
 * 
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
 * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *    "This product includes cryptographic software written by
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
 * 4. If you include any Windows specific code (or a derivative thereof) from 
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
 * 
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 * 
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */

#define OPENSSL_FIPSAPI

#include <stdio.h>
#include "cryptlib.h"
#include "bn_lcl.h"

#define BN_BLINDING_COUNTER	32

struct bn_blinding_st
	{
	BIGNUM *A;
	BIGNUM *Ai;
	BIGNUM *e;
	BIGNUM *mod; /* just a reference */
#ifndef OPENSSL_NO_DEPRECATED
	unsigned long thread_id; /* added in OpenSSL 0.9.6j and 0.9.7b;
				  * used only by crypto/rsa/rsa_eay.c, rsa_lib.c */
#endif
	CRYPTO_THREADID tid;
	int counter;
	unsigned long flags;
	BN_MONT_CTX *m_ctx;
	int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
			  const BIGNUM *m, BN_CTX *ctx,
			  BN_MONT_CTX *m_ctx);
	};

BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod)
	{
	BN_BLINDING *ret=NULL;

	bn_check_top(mod);

	if ((ret=(BN_BLINDING *)OPENSSL_malloc(sizeof(BN_BLINDING))) == NULL)
		{
		BNerr(BN_F_BN_BLINDING_NEW,ERR_R_MALLOC_FAILURE);
		return(NULL);
		}
	memset(ret,0,sizeof(BN_BLINDING));
	if (A != NULL)
		{
		if ((ret->A  = BN_dup(A))  == NULL) goto err;
		}
	if (Ai != NULL)
		{
		if ((ret->Ai = BN_dup(Ai)) == NULL) goto err;
		}

	/* save a copy of mod in the BN_BLINDING structure */
	if ((ret->mod = BN_dup(mod)) == NULL) goto err;
	if (BN_get_flags(mod, BN_FLG_CONSTTIME) != 0)
		BN_set_flags(ret->mod, BN_FLG_CONSTTIME);

	/* Set the counter to the special value -1
	 * to indicate that this is never-used fresh blinding
	 * that does not need updating before first use. */
	ret->counter = -1;
	CRYPTO_THREADID_current(&ret->tid);
	return(ret);
err:
	if (ret != NULL) BN_BLINDING_free(ret);
	return(NULL);
	}

void BN_BLINDING_free(BN_BLINDING *r)
	{
	if(r == NULL)
	    return;

	if (r->A  != NULL) BN_free(r->A );
	if (r->Ai != NULL) BN_free(r->Ai);
	if (r->e  != NULL) BN_free(r->e );
	if (r->mod != NULL) BN_free(r->mod); 
	OPENSSL_free(r);
	}

int BN_BLINDING_update(BN_BLINDING *b, BN_CTX *ctx)
	{
	int ret=0;

	if ((b->A == NULL) || (b->Ai == NULL))
		{
		BNerr(BN_F_BN_BLINDING_UPDATE,BN_R_NOT_INITIALIZED);
		goto err;
		}

	if (b->counter == -1)
		b->counter = 0;

	if (++b->counter == BN_BLINDING_COUNTER && b->e != NULL &&
		!(b->flags & BN_BLINDING_NO_RECREATE))
		{
		/* re-create blinding parameters */
		if (!BN_BLINDING_create_param(b, NULL, NULL, ctx, NULL, NULL))
			goto err;
		}
	else if (!(b->flags & BN_BLINDING_NO_UPDATE))
		{
		if (!BN_mod_mul(b->A,b->A,b->A,b->mod,ctx)) goto err;
		if (!BN_mod_mul(b->Ai,b->Ai,b->Ai,b->mod,ctx)) goto err;
		}

	ret=1;
err:
	if (b->counter == BN_BLINDING_COUNTER)
		b->counter = 0;
	return(ret);
	}

int BN_BLINDING_convert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx)
	{
	return BN_BLINDING_convert_ex(n, NULL, b, ctx);
	}

int BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b, BN_CTX *ctx)
	{
	int ret = 1;

	bn_check_top(n);

	if ((b->A == NULL) || (b->Ai == NULL))
		{
		BNerr(BN_F_BN_BLINDING_CONVERT_EX,BN_R_NOT_INITIALIZED);
		return(0);
		}

	if (b->counter == -1)
		/* Fresh blinding, doesn't need updating. */
		b->counter = 0;
	else if (!BN_BLINDING_update(b,ctx))
		return(0);

	if (r != NULL)
		{
		if (!BN_copy(r, b->Ai)) ret=0;
		}

	if (!BN_mod_mul(n,n,b->A,b->mod,ctx)) ret=0;
	
	return ret;
	}

int BN_BLINDING_invert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx)
	{
	return BN_BLINDING_invert_ex(n, NULL, b, ctx);
	}

int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b, BN_CTX *ctx)
	{
	int ret;

	bn_check_top(n);

	if (r != NULL)
		ret = BN_mod_mul(n, n, r, b->mod, ctx);
	else
		{
		if (b->Ai == NULL)
			{
			BNerr(BN_F_BN_BLINDING_INVERT_EX,BN_R_NOT_INITIALIZED);
			return(0);
			}
		ret = BN_mod_mul(n, n, b->Ai, b->mod, ctx);
		}

	bn_check_top(n);
	return(ret);
	}

#ifndef OPENSSL_NO_DEPRECATED
unsigned long BN_BLINDING_get_thread_id(const BN_BLINDING *b)
	{
	return b->thread_id;
	}

void BN_BLINDING_set_thread_id(BN_BLINDING *b, unsigned long n)
	{
	b->thread_id = n;
	}
#endif

CRYPTO_THREADID *BN_BLINDING_thread_id(BN_BLINDING *b)
	{
	return &b->tid;
	}

unsigned long BN_BLINDING_get_flags(const BN_BLINDING *b)
	{
	return b->flags;
	}

void BN_BLINDING_set_flags(BN_BLINDING *b, unsigned long flags)
	{
	b->flags = flags;
	}

BN_BLINDING *BN_BLINDING_create_param(BN_BLINDING *b,
	const BIGNUM *e, BIGNUM *m, BN_CTX *ctx,
	int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
			  const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx),
	BN_MONT_CTX *m_ctx)
{
	int    retry_counter = 32;
	BN_BLINDING *ret = NULL;

	if (b == NULL)
		ret = BN_BLINDING_new(NULL, NULL, m);
	else
		ret = b;

	if (ret == NULL)
		goto err;

	if (ret->A  == NULL && (ret->A  = BN_new()) == NULL)
		goto err;
	if (ret->Ai == NULL && (ret->Ai	= BN_new()) == NULL)
		goto err;

	if (e != NULL)
		{
		if (ret->e != NULL)
			BN_free(ret->e);
		ret->e = BN_dup(e);
		}
	if (ret->e == NULL)
		goto err;

	if (bn_mod_exp != NULL)
		ret->bn_mod_exp = bn_mod_exp;
	if (m_ctx != NULL)
		ret->m_ctx = m_ctx;

	do {
		int rv;
		if (!BN_rand_range(ret->A, ret->mod)) goto err;
		if (!int_bn_mod_inverse(ret->Ai, ret->A, ret->mod, ctx, &rv))
			{
			/* this should almost never happen for good RSA keys */
			if (rv)
				{
				if (retry_counter-- == 0)
				{
					BNerr(BN_F_BN_BLINDING_CREATE_PARAM,
						BN_R_TOO_MANY_ITERATIONS);
					goto err;
				}
				}
			else
				goto err;
			}
		else
			break;
	} while (1);

	if (ret->bn_mod_exp != NULL && ret->m_ctx != NULL)
		{
		if (!ret->bn_mod_exp(ret->A, ret->A, ret->e, ret->mod, ctx, ret->m_ctx))
			goto err;
		}
	else
		{
		if (!BN_mod_exp(ret->A, ret->A, ret->e, ret->mod, ctx))
			goto err;
		}

	return ret;
err:
	if (b == NULL && ret != NULL)
		{
		BN_BLINDING_free(ret);
		ret = NULL;
		}

	return ret;
}
Commit	Line	Data
58964a49	1	/* crypto/bn/bn_blind.c */
800e400d	2	/* ====================================================================
48fc582f	3	* Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
800e400d NL	4	*
	5	* Redistribution and use in source and binary forms, with or without
	6	* modification, are permitted provided that the following conditions
	7	* are met:
	8	*
	9	* 1. Redistributions of source code must retain the above copyright
	10	* notice, this list of conditions and the following disclaimer.
	11	*
	12	* 2. Redistributions in binary form must reproduce the above copyright
	13	* notice, this list of conditions and the following disclaimer in
	14	* the documentation and/or other materials provided with the
	15	* distribution.
	16	*
	17	* 3. All advertising materials mentioning features or use of this
	18	* software must display the following acknowledgment:
	19	* "This product includes software developed by the OpenSSL Project
	20	* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
	21	*
	22	* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
	23	* endorse or promote products derived from this software without
	24	* prior written permission. For written permission, please contact
	25	* openssl-core@openssl.org.
	26	*
	27	* 5. Products derived from this software may not be called "OpenSSL"
	28	* nor may "OpenSSL" appear in their names without prior written
	29	* permission of the OpenSSL Project.
	30	*
	31	* 6. Redistributions of any form whatsoever must retain the following
	32	* acknowledgment:
	33	* "This product includes software developed by the OpenSSL Project
	34	* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
	35	*
	36	* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
	37	* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	38	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
	39	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
	40	* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
	41	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	42	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
	43	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	44	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
	45	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
	46	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
	47	* OF THE POSSIBILITY OF SUCH DAMAGE.
	48	* ====================================================================
	49	*
	50	* This product includes cryptographic software written by Eric Young
	51	* (eay@cryptsoft.com). This product includes software written by Tim
	52	* Hudson (tjh@cryptsoft.com).
	53	*
	54	*/
58964a49 RE	55	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
	56	* All rights reserved.
	57	*
	58	* This package is an SSL implementation written
	59	* by Eric Young (eay@cryptsoft.com).
	60	* The implementation was written so as to conform with Netscapes SSL.
	61	*
	62	* This library is free for commercial and non-commercial use as long as
	63	* the following conditions are aheared to. The following conditions
	64	* apply to all code found in this distribution, be it the RC4, RSA,
	65	* lhash, DES, etc., code; not just the SSL code. The SSL documentation
	66	* included with this distribution is covered by the same copyright terms
	67	* except that the holder is Tim Hudson (tjh@cryptsoft.com).
	68	*
	69	* Copyright remains Eric Young's, and as such any Copyright notices in
	70	* the code are not to be removed.
	71	* If this package is used in a product, Eric Young should be given attribution
	72	* as the author of the parts of the library used.
	73	* This can be in the form of a textual message at program startup or
	74	* in documentation (online or textual) provided with the package.
	75	*
	76	* Redistribution and use in source and binary forms, with or without
	77	* modification, are permitted provided that the following conditions
	78	* are met:
	79	* 1. Redistributions of source code must retain the copyright
	80	* notice, this list of conditions and the following disclaimer.
	81	* 2. Redistributions in binary form must reproduce the above copyright
	82	* notice, this list of conditions and the following disclaimer in the
	83	* documentation and/or other materials provided with the distribution.
	84	* 3. All advertising materials mentioning features or use of this software
	85	* must display the following acknowledgement:
	86	* "This product includes cryptographic software written by
	87	* Eric Young (eay@cryptsoft.com)"
	88	* The word 'cryptographic' can be left out if the rouines from the library
	89	* being used are not cryptographic related :-).
	90	* 4. If you include any Windows specific code (or a derivative thereof) from
	91	* the apps directory (application code) you must include an acknowledgement:
	92	* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
	93	*
	94	* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
	95	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	96	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	97	* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
	98	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	99	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
	100	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	101	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	102	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
	103	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
	104	* SUCH DAMAGE.
	105	*
	106	* The licence and distribution terms for any publically available version or
	107	* derivative of this code cannot be changed. i.e. this code cannot simply be
	108	* copied and put under another distribution licence
	109	* [including the GNU Public Licence.]
	110	*/
	111
7edfe674 DSH	112	#define OPENSSL_FIPSAPI
7edfe674 DSH	113
58964a49 RE	114	#include <stdio.h>
	115	#include "cryptlib.h"
	116	#include "bn_lcl.h"
	117
800e400d NL	118	#define BN_BLINDING_COUNTER 32
	119
	120	struct bn_blinding_st
	121	{
	122	BIGNUM *A;
	123	BIGNUM *Ai;
	124	BIGNUM *e;
	125	BIGNUM mod; / just a reference */
4c329696	126	#ifndef OPENSSL_NO_DEPRECATED
800e400d NL	127	unsigned long thread_id; /* added in OpenSSL 0.9.6j and 0.9.7b;
800e400d NL	128	* used only by crypto/rsa/rsa_eay.c, rsa_lib.c */
4c329696 GT	129	#endif
4c329696 GT	130	CRYPTO_THREADID tid;
e5641d7f	131	int counter;
800e400d NL	132	unsigned long flags;
	133	BN_MONT_CTX *m_ctx;
	134	int (bn_mod_exp)(BIGNUM r, const BIGNUM a, const BIGNUM p,
	135	const BIGNUM m, BN_CTX ctx,
	136	BN_MONT_CTX *m_ctx);
	137	};
	138
	139	BN_BLINDING BN_BLINDING_new(const BIGNUM A, const BIGNUM Ai, BIGNUM mod)
58964a49 RE	140	{
	141	BN_BLINDING *ret=NULL;
	142
dfeab068 RE	143	bn_check_top(mod);
dfeab068 RE	144
26a3a48d	145	if ((ret=(BN_BLINDING *)OPENSSL_malloc(sizeof(BN_BLINDING))) == NULL)
dfeab068	146	{
58964a49	147	BNerr(BN_F_BN_BLINDING_NEW,ERR_R_MALLOC_FAILURE);
dfeab068 RE	148	return(NULL);
dfeab068 RE	149	}
58964a49	150	memset(ret,0,sizeof(BN_BLINDING));
800e400d NL	151	if (A != NULL)
	152	{
	153	if ((ret->A = BN_dup(A)) == NULL) goto err;
	154	}
	155	if (Ai != NULL)
	156	{
	157	if ((ret->Ai = BN_dup(Ai)) == NULL) goto err;
	158	}
bd31fb21 BM	159
	160	/* save a copy of mod in the BN_BLINDING structure */
	161	if ((ret->mod = BN_dup(mod)) == NULL) goto err;
	162	if (BN_get_flags(mod, BN_FLG_CONSTTIME) != 0)
	163	BN_set_flags(ret->mod, BN_FLG_CONSTTIME);
	164
e5641d7f BM	165	/* Set the counter to the special value -1
	166	* to indicate that this is never-used fresh blinding
	167	* that does not need updating before first use. */
	168	ret->counter = -1;
4c329696	169	CRYPTO_THREADID_current(&ret->tid);
58964a49 RE	170	return(ret);
	171	err:
	172	if (ret != NULL) BN_BLINDING_free(ret);
dfeab068	173	return(NULL);
58964a49 RE	174	}
58964a49 RE	175
6b691a5c	176	void BN_BLINDING_free(BN_BLINDING *r)
58964a49	177	{
e03ddfae BL	178	if(r == NULL)
	179	return;
	180
58964a49 RE	181	if (r->A != NULL) BN_free(r->A );
58964a49 RE	182	if (r->Ai != NULL) BN_free(r->Ai);
800e400d	183	if (r->e != NULL) BN_free(r->e );
bd31fb21	184	if (r->mod != NULL) BN_free(r->mod);
26a3a48d	185	OPENSSL_free(r);
58964a49 RE	186	}
58964a49 RE	187
6b691a5c	188	int BN_BLINDING_update(BN_BLINDING b, BN_CTX ctx)
58964a49 RE	189	{
	190	int ret=0;
	191
	192	if ((b->A == NULL) \|\| (b->Ai == NULL))
	193	{
df82f5c8	194	BNerr(BN_F_BN_BLINDING_UPDATE,BN_R_NOT_INITIALIZED);
58964a49 RE	195	goto err;
58964a49 RE	196	}
800e400d	197
e5641d7f BM	198	if (b->counter == -1)
	199	b->counter = 0;
	200
	201	if (++b->counter == BN_BLINDING_COUNTER && b->e != NULL &&
800e400d NL	202	!(b->flags & BN_BLINDING_NO_RECREATE))
	203	{
	204	/* re-create blinding parameters */
	205	if (!BN_BLINDING_create_param(b, NULL, NULL, ctx, NULL, NULL))
	206	goto err;
	207	}
	208	else if (!(b->flags & BN_BLINDING_NO_UPDATE))
	209	{
	210	if (!BN_mod_mul(b->A,b->A,b->A,b->mod,ctx)) goto err;
	211	if (!BN_mod_mul(b->Ai,b->Ai,b->Ai,b->mod,ctx)) goto err;
	212	}
58964a49 RE	213
	214	ret=1;
	215	err:
e5641d7f BM	216	if (b->counter == BN_BLINDING_COUNTER)
e5641d7f BM	217	b->counter = 0;
58964a49 RE	218	return(ret);
	219	}
	220
6b691a5c	221	int BN_BLINDING_convert(BIGNUM n, BN_BLINDING b, BN_CTX *ctx)
800e400d NL	222	{
	223	return BN_BLINDING_convert_ex(n, NULL, b, ctx);
	224	}
	225
	226	int BN_BLINDING_convert_ex(BIGNUM n, BIGNUM r, BN_BLINDING b, BN_CTX ctx)
58964a49	227	{
c61f571c BM	228	int ret = 1;
c61f571c BM	229
dfeab068 RE	230	bn_check_top(n);
dfeab068 RE	231
58964a49 RE	232	if ((b->A == NULL) \|\| (b->Ai == NULL))
58964a49 RE	233	{
8afca8d9	234	BNerr(BN_F_BN_BLINDING_CONVERT_EX,BN_R_NOT_INITIALIZED);
58964a49 RE	235	return(0);
58964a49 RE	236	}
800e400d	237
e5641d7f BM	238	if (b->counter == -1)
	239	/* Fresh blinding, doesn't need updating. */
	240	b->counter = 0;
	241	else if (!BN_BLINDING_update(b,ctx))
	242	return(0);
	243
800e400d	244	if (r != NULL)
c61f571c BM	245	{
	246	if (!BN_copy(r, b->Ai)) ret=0;
	247	}
800e400d	248
c61f571c BM	249	if (!BN_mod_mul(n,n,b->A,b->mod,ctx)) ret=0;
	250
	251	return ret;
58964a49 RE	252	}
58964a49 RE	253
6b691a5c	254	int BN_BLINDING_invert(BIGNUM n, BN_BLINDING b, BN_CTX *ctx)
800e400d NL	255	{
	256	return BN_BLINDING_invert_ex(n, NULL, b, ctx);
	257	}
	258
	259	int BN_BLINDING_invert_ex(BIGNUM n, const BIGNUM r, BN_BLINDING b, BN_CTX ctx)
58964a49 RE	260	{
58964a49 RE	261	int ret;
dfeab068 RE	262
dfeab068 RE	263	bn_check_top(n);
800e400d NL	264
	265	if (r != NULL)
	266	ret = BN_mod_mul(n, n, r, b->mod, ctx);
	267	else
58964a49	268	{
e5641d7f BM	269	if (b->Ai == NULL)
	270	{
	271	BNerr(BN_F_BN_BLINDING_INVERT_EX,BN_R_NOT_INITIALIZED);
58964a49	272	return(0);
e5641d7f BM	273	}
e5641d7f BM	274	ret = BN_mod_mul(n, n, b->Ai, b->mod, ctx);
58964a49	275	}
e5641d7f	276
d870740c	277	bn_check_top(n);
58964a49 RE	278	return(ret);
	279	}
	280
4c329696	281	#ifndef OPENSSL_NO_DEPRECATED
800e400d NL	282	unsigned long BN_BLINDING_get_thread_id(const BN_BLINDING *b)
	283	{
	284	return b->thread_id;
	285	}
	286
	287	void BN_BLINDING_set_thread_id(BN_BLINDING *b, unsigned long n)
	288	{
	289	b->thread_id = n;
	290	}
4c329696	291	#endif
800e400d	292
4c329696	293	CRYPTO_THREADID BN_BLINDING_thread_id(BN_BLINDING b)
48fc582f	294	{
4c329696	295	return &b->tid;
48fc582f BM	296	}
48fc582f BM	297
800e400d NL	298	unsigned long BN_BLINDING_get_flags(const BN_BLINDING *b)
	299	{
	300	return b->flags;
	301	}
	302
	303	void BN_BLINDING_set_flags(BN_BLINDING *b, unsigned long flags)
	304	{
	305	b->flags = flags;
	306	}
	307
	308	BN_BLINDING BN_BLINDING_create_param(BN_BLINDING b,
	309	const BIGNUM e, BIGNUM m, BN_CTX *ctx,
	310	int (bn_mod_exp)(BIGNUM r, const BIGNUM a, const BIGNUM p,
	311	const BIGNUM m, BN_CTX ctx, BN_MONT_CTX *m_ctx),
	312	BN_MONT_CTX *m_ctx)
	313	{
	314	int retry_counter = 32;
800e400d NL	315	BN_BLINDING *ret = NULL;
	316
	317	if (b == NULL)
	318	ret = BN_BLINDING_new(NULL, NULL, m);
	319	else
	320	ret = b;
	321
	322	if (ret == NULL)
	323	goto err;
	324
	325	if (ret->A == NULL && (ret->A = BN_new()) == NULL)
	326	goto err;
	327	if (ret->Ai == NULL && (ret->Ai = BN_new()) == NULL)
	328	goto err;
	329
	330	if (e != NULL)
	331	{
	332	if (ret->e != NULL)
	333	BN_free(ret->e);
	334	ret->e = BN_dup(e);
	335	}
	336	if (ret->e == NULL)
	337	goto err;
	338
	339	if (bn_mod_exp != NULL)
	340	ret->bn_mod_exp = bn_mod_exp;
	341	if (m_ctx != NULL)
	342	ret->m_ctx = m_ctx;
	343
	344	do {
879bd6e3	345	int rv;
800e400d	346	if (!BN_rand_range(ret->A, ret->mod)) goto err;
879bd6e3	347	if (!int_bn_mod_inverse(ret->Ai, ret->A, ret->mod, ctx, &rv))
800e400d NL	348	{
800e400d NL	349	/* this should almost never happen for good RSA keys */
879bd6e3	350	if (rv)
800e400d NL	351	{
	352	if (retry_counter-- == 0)
	353	{
	354	BNerr(BN_F_BN_BLINDING_CREATE_PARAM,
	355	BN_R_TOO_MANY_ITERATIONS);
	356	goto err;
	357	}
800e400d NL	358	}
	359	else
	360	goto err;
	361	}
	362	else
	363	break;
	364	} while (1);
	365
	366	if (ret->bn_mod_exp != NULL && ret->m_ctx != NULL)
	367	{
	368	if (!ret->bn_mod_exp(ret->A, ret->A, ret->e, ret->mod, ctx, ret->m_ctx))
	369	goto err;
	370	}
	371	else
	372	{
	373	if (!BN_mod_exp(ret->A, ret->A, ret->e, ret->mod, ctx))
	374	goto err;
	375	}
	376
	377	return ret;
	378	err:
	379	if (b == NULL && ret != NULL)
	380	{
	381	BN_BLINDING_free(ret);
	382	ret = NULL;
	383	}
	384
	385	return ret;
	386	}