2 * Copyright 1998-2016 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/opensslconf.h>
11 #include "internal/cryptlib.h"
14 #define BN_BLINDING_COUNTER 32
16 struct bn_blinding_st
{
20 BIGNUM
*mod
; /* just a reference */
25 int (*bn_mod_exp
) (BIGNUM
*r
, const BIGNUM
*a
, const BIGNUM
*p
,
26 const BIGNUM
*m
, BN_CTX
*ctx
, BN_MONT_CTX
*m_ctx
);
30 BN_BLINDING
*BN_BLINDING_new(const BIGNUM
*A
, const BIGNUM
*Ai
, BIGNUM
*mod
)
32 BN_BLINDING
*ret
= NULL
;
36 if ((ret
= OPENSSL_zalloc(sizeof(*ret
))) == NULL
) {
37 BNerr(BN_F_BN_BLINDING_NEW
, ERR_R_MALLOC_FAILURE
);
41 ret
->lock
= CRYPTO_THREAD_lock_new();
42 if (ret
->lock
== NULL
) {
43 BNerr(BN_F_BN_BLINDING_NEW
, ERR_R_MALLOC_FAILURE
);
48 BN_BLINDING_set_current_thread(ret
);
51 if ((ret
->A
= BN_dup(A
)) == NULL
)
56 if ((ret
->Ai
= BN_dup(Ai
)) == NULL
)
60 /* save a copy of mod in the BN_BLINDING structure */
61 if ((ret
->mod
= BN_dup(mod
)) == NULL
)
64 if (BN_get_flags(mod
, BN_FLG_CONSTTIME
) != 0)
65 BN_set_flags(ret
->mod
, BN_FLG_CONSTTIME
);
68 * Set the counter to the special value -1 to indicate that this is
69 * never-used fresh blinding that does not need updating before first
77 BN_BLINDING_free(ret
);
81 void BN_BLINDING_free(BN_BLINDING
*r
)
90 CRYPTO_THREAD_lock_free(r
->lock
);
94 int BN_BLINDING_update(BN_BLINDING
*b
, BN_CTX
*ctx
)
98 if ((b
->A
== NULL
) || (b
->Ai
== NULL
)) {
99 BNerr(BN_F_BN_BLINDING_UPDATE
, BN_R_NOT_INITIALIZED
);
103 if (b
->counter
== -1)
106 if (++b
->counter
== BN_BLINDING_COUNTER
&& b
->e
!= NULL
&&
107 !(b
->flags
& BN_BLINDING_NO_RECREATE
)) {
108 /* re-create blinding parameters */
109 if (!BN_BLINDING_create_param(b
, NULL
, NULL
, ctx
, NULL
, NULL
))
111 } else if (!(b
->flags
& BN_BLINDING_NO_UPDATE
)) {
112 if (!BN_mod_mul(b
->A
, b
->A
, b
->A
, b
->mod
, ctx
))
114 if (!BN_mod_mul(b
->Ai
, b
->Ai
, b
->Ai
, b
->mod
, ctx
))
120 if (b
->counter
== BN_BLINDING_COUNTER
)
125 int BN_BLINDING_convert(BIGNUM
*n
, BN_BLINDING
*b
, BN_CTX
*ctx
)
127 return BN_BLINDING_convert_ex(n
, NULL
, b
, ctx
);
130 int BN_BLINDING_convert_ex(BIGNUM
*n
, BIGNUM
*r
, BN_BLINDING
*b
, BN_CTX
*ctx
)
136 if ((b
->A
== NULL
) || (b
->Ai
== NULL
)) {
137 BNerr(BN_F_BN_BLINDING_CONVERT_EX
, BN_R_NOT_INITIALIZED
);
141 if (b
->counter
== -1)
142 /* Fresh blinding, doesn't need updating. */
144 else if (!BN_BLINDING_update(b
, ctx
))
148 if (!BN_copy(r
, b
->Ai
))
152 if (!BN_mod_mul(n
, n
, b
->A
, b
->mod
, ctx
))
158 int BN_BLINDING_invert(BIGNUM
*n
, BN_BLINDING
*b
, BN_CTX
*ctx
)
160 return BN_BLINDING_invert_ex(n
, NULL
, b
, ctx
);
163 int BN_BLINDING_invert_ex(BIGNUM
*n
, const BIGNUM
*r
, BN_BLINDING
*b
,
171 ret
= BN_mod_mul(n
, n
, r
, b
->mod
, ctx
);
174 BNerr(BN_F_BN_BLINDING_INVERT_EX
, BN_R_NOT_INITIALIZED
);
177 ret
= BN_mod_mul(n
, n
, b
->Ai
, b
->mod
, ctx
);
184 int BN_BLINDING_is_current_thread(BN_BLINDING
*b
)
186 return CRYPTO_THREAD_compare_id(CRYPTO_THREAD_get_current_id(), b
->tid
);
189 void BN_BLINDING_set_current_thread(BN_BLINDING
*b
)
191 b
->tid
= CRYPTO_THREAD_get_current_id();
194 int BN_BLINDING_lock(BN_BLINDING
*b
)
196 return CRYPTO_THREAD_write_lock(b
->lock
);
199 int BN_BLINDING_unlock(BN_BLINDING
*b
)
201 return CRYPTO_THREAD_unlock(b
->lock
);
204 unsigned long BN_BLINDING_get_flags(const BN_BLINDING
*b
)
209 void BN_BLINDING_set_flags(BN_BLINDING
*b
, unsigned long flags
)
214 BN_BLINDING
*BN_BLINDING_create_param(BN_BLINDING
*b
,
215 const BIGNUM
*e
, BIGNUM
*m
, BN_CTX
*ctx
,
216 int (*bn_mod_exp
) (BIGNUM
*r
,
224 int retry_counter
= 32;
225 BN_BLINDING
*ret
= NULL
;
228 ret
= BN_BLINDING_new(NULL
, NULL
, m
);
235 if (ret
->A
== NULL
&& (ret
->A
= BN_new()) == NULL
)
237 if (ret
->Ai
== NULL
&& (ret
->Ai
= BN_new()) == NULL
)
247 if (bn_mod_exp
!= NULL
)
248 ret
->bn_mod_exp
= bn_mod_exp
;
254 if (!BN_rand_range(ret
->A
, ret
->mod
))
256 if (!int_bn_mod_inverse(ret
->Ai
, ret
->A
, ret
->mod
, ctx
, &rv
)) {
258 * this should almost never happen for good RSA keys
261 if (retry_counter
-- == 0) {
262 BNerr(BN_F_BN_BLINDING_CREATE_PARAM
,
263 BN_R_TOO_MANY_ITERATIONS
);
272 if (ret
->bn_mod_exp
!= NULL
&& ret
->m_ctx
!= NULL
) {
274 (ret
->A
, ret
->A
, ret
->e
, ret
->mod
, ctx
, ret
->m_ctx
))
277 if (!BN_mod_exp(ret
->A
, ret
->A
, ret
->e
, ret
->mod
, ctx
))
284 BN_BLINDING_free(ret
);