ret->_method_mod_p=NULL;
ret->_method_mod_q=NULL;
ret->blinding=NULL;
+ ret->mt_blinding=NULL;
ret->bignum_data=NULL;
ret->flags=ret->meth->flags;
CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data);
if (r->dmq1 != NULL) BN_clear_free(r->dmq1);
if (r->iqmp != NULL) BN_clear_free(r->iqmp);
if (r->blinding != NULL) BN_BLINDING_free(r->blinding);
+ if (r->mt_blinding != NULL) BN_BLINDING_free(r->mt_blinding);
if (r->bignum_data != NULL) OPENSSL_free_locked(r->bignum_data);
OPENSSL_free(r);
}
rsa->flags |= RSA_FLAG_NO_BLINDING;
}
-int RSA_blinding_on(RSA *rsa, BN_CTX *p_ctx)
+int RSA_blinding_on(RSA *rsa, BN_CTX *ctx)
{
- BIGNUM *A,*Ai = NULL;
- BN_CTX *ctx;
int ret=0;
- if (p_ctx == NULL)
+ if (rsa->blinding != NULL)
+ RSA_blinding_off(rsa);
+
+ rsa->blinding = RSA_setup_blinding(rsa, ctx);
+ if (rsa->blinding == NULL)
+ goto err;
+
+ rsa->flags |= RSA_FLAG_BLINDING;
+ rsa->flags &= ~RSA_FLAG_NO_BLINDING;
+ ret=1;
+err:
+ return(ret);
+ }
+
+static BIGNUM *rsa_get_public_exp(const BIGNUM *d, const BIGNUM *p,
+ const BIGNUM *q, BN_CTX *ctx)
+{
+ BIGNUM *ret = NULL, *r0, *r1, *r2;
+
+ if (d == NULL || p == NULL || q == NULL)
+ return NULL;
+
+ BN_CTX_start(ctx);
+ r0 = BN_CTX_get(ctx);
+ r1 = BN_CTX_get(ctx);
+ r2 = BN_CTX_get(ctx);
+ if (r2 == NULL)
+ goto err;
+
+ if (!BN_sub(r1, p, BN_value_one())) goto err;
+ if (!BN_sub(r2, q, BN_value_one())) goto err;
+ if (!BN_mul(r0, r1, r2, ctx)) goto err;
+
+ ret = BN_mod_inverse(NULL, d, r0, ctx);
+err:
+ BN_CTX_end(ctx);
+ return ret;
+}
+
+BN_BLINDING *RSA_setup_blinding(RSA *rsa, BN_CTX *in_ctx)
+{
+ BIGNUM *e;
+ BN_CTX *ctx;
+ BN_BLINDING *ret = NULL;
+
+ if (in_ctx == NULL)
{
- if ((ctx=BN_CTX_new()) == NULL) goto err;
+ if ((ctx = BN_CTX_new()) == NULL) return 0;
}
else
- ctx=p_ctx;
+ ctx = in_ctx;
- /* XXXXX: Shouldn't this be RSA_blinding_off(rsa)? */
- if (rsa->blinding != NULL)
+ BN_CTX_start(ctx);
+ e = BN_CTX_get(ctx);
+ if (e == NULL)
{
- BN_BLINDING_free(rsa->blinding);
- rsa->blinding = NULL;
+ RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_MALLOC_FAILURE);
+ goto err;
}
- /* NB: similar code appears in setup_blinding (rsa_eay.c);
- * this should be placed in a new function of its own, but for reasons
- * of binary compatibility can't */
-
- BN_CTX_start(ctx);
- A = BN_CTX_get(ctx);
- if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL)
+ if (rsa->e == NULL)
{
- /* if PRNG is not properly seeded, resort to secret exponent as unpredictable seed */
- RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0.0);
- if (!BN_pseudo_rand_range(A,rsa->n)) goto err;
+ e = rsa_get_public_exp(rsa->d, rsa->p, rsa->q, ctx);
+ if (e == NULL)
+ {
+ RSAerr(RSA_F_RSA_SETUP_BLINDING, RSA_R_NO_PUBLIC_EXPONENT);
+ goto err;
+ }
}
else
+ e = rsa->e;
+
+
+ if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL)
{
- if (!BN_rand_range(A,rsa->n)) goto err;
+ /* if PRNG is not properly seeded, resort to secret
+ * exponent as unpredictable seed */
+ RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0.0);
}
- if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err;
- if (!rsa->meth->bn_mod_exp(A,A,rsa->e,rsa->n,ctx,rsa->_method_mod_n))
- goto err;
- if ((rsa->blinding=BN_BLINDING_new(A,Ai,rsa->n)) == NULL) goto err;
- /* to make things thread-safe without excessive locking,
- * rsa->blinding will be used just by the current thread: */
- rsa->blinding->thread_id = CRYPTO_thread_id();
- rsa->flags |= RSA_FLAG_BLINDING;
- rsa->flags &= ~RSA_FLAG_NO_BLINDING;
- ret=1;
+ ret = BN_BLINDING_create_param(NULL, e, rsa->n, ctx,
+ rsa->meth->bn_mod_exp, rsa->_method_mod_n);
+ BN_BLINDING_set_thread_id(ret, CRYPTO_thread_id());
err:
- if (Ai != NULL) BN_free(Ai);
BN_CTX_end(ctx);
- if (ctx != p_ctx) BN_CTX_free(ctx);
- return(ret);
- }
+ if (in_ctx == NULL)
+ BN_CTX_free(ctx);
+
+ return ret;
+}
int RSA_memory_lock(RSA *r)
{