authormiod <>2014-07-09 08:20:08 +0000
committermiod <>2014-07-09 08:20:08 +0000
commit8cbe58f0d357b14b0ce292d336469d0554a567bc (patch)
tree07872a7ef59da8cea3b3b4a101fa3580e4d658c0 /src/lib/libcrypto/rsa/rsa_gen.c
parentbc1209e388500a20f5e75cab35d1b543ce0bbe74 (diff)
KNF
Diffstat (limited to 'src/lib/libcrypto/rsa/rsa_gen.c')
-rw-r--r--src/lib/libcrypto/rsa/rsa_gen.c204
1 files changed, 111 insertions, 93 deletions
diff --git a/src/lib/libcrypto/rsa/rsa_gen.c b/src/lib/libcrypto/rsa/rsa_gen.c
index 9745b6d6ed..3a6aa1ca7a 100644
--- a/src/lib/libcrypto/rsa/rsa_gen.c
+++ b/src/lib/libcrypto/rsa/rsa_gen.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: rsa_gen.c,v 1.13 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: rsa_gen.c,v 1.14 2014/07/09 08:20:08 miod Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -70,150 +70,168 @@
70 70
71static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb); 71static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb);
72 72
73/* NB: this wrapper would normally be placed in rsa_lib.c and the static 73/*
74 * NB: this wrapper would normally be placed in rsa_lib.c and the static
74 * implementation would probably be in rsa_eay.c. Nonetheless, is kept here so 75 * implementation would probably be in rsa_eay.c. Nonetheless, is kept here so
75 * that we don't introduce a new linker dependency. Eg. any application that 76 * that we don't introduce a new linker dependency. Eg. any application that
76 * wasn't previously linking object code related to key-generation won't have to 77 * wasn't previously linking object code related to key-generation won't have to
77 * now just because key-generation is part of RSA_METHOD. */ 78 * now just because key-generation is part of RSA_METHOD.
78int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) 79 */
79 { 80int
80 if(rsa->meth->rsa_keygen) 81RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
82{
83 if (rsa->meth->rsa_keygen)
81 return rsa->meth->rsa_keygen(rsa, bits, e_value, cb); 84 return rsa->meth->rsa_keygen(rsa, bits, e_value, cb);
82 return rsa_builtin_keygen(rsa, bits, e_value, cb); 85 return rsa_builtin_keygen(rsa, bits, e_value, cb);
83 } 86}
84 87
85static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) 88static int
86 { 89rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
87 BIGNUM *r0=NULL,*r1=NULL,*r2=NULL,*r3=NULL,*tmp; 90{
88 BIGNUM local_r0,local_d,local_p; 91 BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp;
89 BIGNUM *pr0,*d,*p; 92 BIGNUM local_r0, local_d, local_p;
90 int bitsp,bitsq,ok= -1,n=0; 93 BIGNUM *pr0, *d, *p;
91 BN_CTX *ctx=NULL; 94 int bitsp, bitsq, ok = -1, n = 0;
92 95 BN_CTX *ctx = NULL;
93 ctx=BN_CTX_new(); 96
94 if (ctx == NULL) goto err; 97 ctx = BN_CTX_new();
98 if (ctx == NULL)
99 goto err;
95 BN_CTX_start(ctx); 100 BN_CTX_start(ctx);
96 r0 = BN_CTX_get(ctx); 101 r0 = BN_CTX_get(ctx);
97 r1 = BN_CTX_get(ctx); 102 r1 = BN_CTX_get(ctx);
98 r2 = BN_CTX_get(ctx); 103 r2 = BN_CTX_get(ctx);
99 r3 = BN_CTX_get(ctx); 104 r3 = BN_CTX_get(ctx);
100 if (r3 == NULL) goto err; 105 if (r3 == NULL)
106 goto err;
101 107
102 bitsp=(bits+1)/2; 108 bitsp = (bits + 1) / 2;
103 bitsq=bits-bitsp; 109 bitsq = bits - bitsp;
104 110
105 /* We need the RSA components non-NULL */ 111 /* We need the RSA components non-NULL */
106 if(!rsa->n && ((rsa->n=BN_new()) == NULL)) goto err; 112 if (!rsa->n && ((rsa->n = BN_new()) == NULL))
107 if(!rsa->d && ((rsa->d=BN_new()) == NULL)) goto err; 113 goto err;
108 if(!rsa->e && ((rsa->e=BN_new()) == NULL)) goto err; 114 if (!rsa->d && ((rsa->d = BN_new()) == NULL))
109 if(!rsa->p && ((rsa->p=BN_new()) == NULL)) goto err; 115 goto err;
110 if(!rsa->q && ((rsa->q=BN_new()) == NULL)) goto err; 116 if (!rsa->e && ((rsa->e = BN_new()) == NULL))
111 if(!rsa->dmp1 && ((rsa->dmp1=BN_new()) == NULL)) goto err; 117 goto err;
112 if(!rsa->dmq1 && ((rsa->dmq1=BN_new()) == NULL)) goto err; 118 if (!rsa->p && ((rsa->p = BN_new()) == NULL))
113 if(!rsa->iqmp && ((rsa->iqmp=BN_new()) == NULL)) goto err; 119 goto err;
120 if (!rsa->q && ((rsa->q = BN_new()) == NULL))
121 goto err;
122 if (!rsa->dmp1 && ((rsa->dmp1 = BN_new()) == NULL))
123 goto err;
124 if (!rsa->dmq1 && ((rsa->dmq1 = BN_new()) == NULL))
125 goto err;
126 if (!rsa->iqmp && ((rsa->iqmp = BN_new()) == NULL))
127 goto err;
114 128
115 BN_copy(rsa->e, e_value); 129 BN_copy(rsa->e, e_value);
116 130
117 /* generate p and q */ 131 /* generate p and q */
118 for (;;) 132 for (;;) {
119 { 133 if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb))
120 if(!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb))
121 goto err; 134 goto err;
122 if (!BN_sub(r2,rsa->p,BN_value_one())) goto err; 135 if (!BN_sub(r2, rsa->p, BN_value_one()))
123 if (!BN_gcd(r1,r2,rsa->e,ctx)) goto err;
124 if (BN_is_one(r1)) break;
125 if(!BN_GENCB_call(cb, 2, n++))
126 goto err; 136 goto err;
127 } 137 if (!BN_gcd(r1, r2, rsa->e, ctx))
128 if(!BN_GENCB_call(cb, 3, 0)) 138 goto err;
139 if (BN_is_one(r1))
140 break;
141 if (!BN_GENCB_call(cb, 2, n++))
142 goto err;
143 }
144 if (!BN_GENCB_call(cb, 3, 0))
129 goto err; 145 goto err;
130 for (;;) 146 for (;;) {
131 { 147 /*
132 /* When generating ridiculously small keys, we can get stuck 148 * When generating ridiculously small keys, we can get stuck
133 * continually regenerating the same prime values. Check for 149 * continually regenerating the same prime values. Check for
134 * this and bail if it happens 3 times. */ 150 * this and bail if it happens 3 times.
151 */
135 unsigned int degenerate = 0; 152 unsigned int degenerate = 0;
136 do 153 do {
137 { 154 if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL,
138 if(!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb)) 155 cb))
139 goto err; 156 goto err;
140 } while((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 3)); 157 } while (BN_cmp(rsa->p, rsa->q) == 0 &&
141 if(degenerate == 3) 158 ++degenerate < 3);
142 { 159 if (degenerate == 3) {
143 ok = 0; /* we set our own err */ 160 ok = 0; /* we set our own err */
144 RSAerr(RSA_F_RSA_BUILTIN_KEYGEN,RSA_R_KEY_SIZE_TOO_SMALL); 161 RSAerr(RSA_F_RSA_BUILTIN_KEYGEN,
162 RSA_R_KEY_SIZE_TOO_SMALL);
163 goto err;
164 }
165 if (!BN_sub(r2, rsa->q, BN_value_one()))
166 goto err;
167 if (!BN_gcd(r1, r2, rsa->e, ctx))
145 goto err; 168 goto err;
146 }
147 if (!BN_sub(r2,rsa->q,BN_value_one())) goto err;
148 if (!BN_gcd(r1,r2,rsa->e,ctx)) goto err;
149 if (BN_is_one(r1)) 169 if (BN_is_one(r1))
150 break; 170 break;
151 if(!BN_GENCB_call(cb, 2, n++)) 171 if (!BN_GENCB_call(cb, 2, n++))
152 goto err; 172 goto err;
153 } 173 }
154 if(!BN_GENCB_call(cb, 3, 1)) 174 if (!BN_GENCB_call(cb, 3, 1))
155 goto err; 175 goto err;
156 if (BN_cmp(rsa->p,rsa->q) < 0) 176 if (BN_cmp(rsa->p,rsa->q) < 0) {
157 { 177 tmp = rsa->p;
158 tmp=rsa->p; 178 rsa->p = rsa->q;
159 rsa->p=rsa->q; 179 rsa->q = tmp;
160 rsa->q=tmp; 180 }
161 }
162 181
163 /* calculate n */ 182 /* calculate n */
164 if (!BN_mul(rsa->n,rsa->p,rsa->q,ctx)) goto err; 183 if (!BN_mul(rsa->n, rsa->p, rsa->q, ctx))
184 goto err;
165 185
166 /* calculate d */ 186 /* calculate d */
167 if (!BN_sub(r1,rsa->p,BN_value_one())) goto err; /* p-1 */ 187 if (!BN_sub(r1, rsa->p, BN_value_one())) /* p-1 */
168 if (!BN_sub(r2,rsa->q,BN_value_one())) goto err; /* q-1 */ 188 goto err;
169 if (!BN_mul(r0,r1,r2,ctx)) goto err; /* (p-1)(q-1) */ 189 if (!BN_sub(r2, rsa->q, BN_value_one())) /* q-1 */
170 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 190 goto err;
171 { 191 if (!BN_mul(r0, r1, r2, ctx)) /* (p-1)(q-1) */
192 goto err;
193 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
172 pr0 = &local_r0; 194 pr0 = &local_r0;
173 BN_with_flags(pr0, r0, BN_FLG_CONSTTIME); 195 BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
174 } 196 } else
175 else 197 pr0 = r0;
176 pr0 = r0; 198 if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx)) /* d */
177 if (!BN_mod_inverse(rsa->d,rsa->e,pr0,ctx)) goto err; /* d */ 199 goto err;
178 200
179 /* set up d for correct BN_FLG_CONSTTIME flag */ 201 /* set up d for correct BN_FLG_CONSTTIME flag */
180 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 202 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
181 {
182 d = &local_d; 203 d = &local_d;
183 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); 204 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
184 } 205 } else
185 else
186 d = rsa->d; 206 d = rsa->d;
187 207
188 /* calculate d mod (p-1) */ 208 /* calculate d mod (p-1) */
189 if (!BN_mod(rsa->dmp1,d,r1,ctx)) goto err; 209 if (!BN_mod(rsa->dmp1, d, r1, ctx))
210 goto err;
190 211
191 /* calculate d mod (q-1) */ 212 /* calculate d mod (q-1) */
192 if (!BN_mod(rsa->dmq1,d,r2,ctx)) goto err; 213 if (!BN_mod(rsa->dmq1, d, r2, ctx))
214 goto err;
193 215
194 /* calculate inverse of q mod p */ 216 /* calculate inverse of q mod p */
195 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 217 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
196 {
197 p = &local_p; 218 p = &local_p;
198 BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME); 219 BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
199 } 220 } else
200 else
201 p = rsa->p; 221 p = rsa->p;
202 if (!BN_mod_inverse(rsa->iqmp,rsa->q,p,ctx)) goto err; 222 if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx))
223 goto err;
203 224
204 ok=1; 225 ok = 1;
205err: 226err:
206 if (ok == -1) 227 if (ok == -1) {
207 { 228 RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, ERR_LIB_BN);
208 RSAerr(RSA_F_RSA_BUILTIN_KEYGEN,ERR_LIB_BN); 229 ok = 0;
209 ok=0; 230 }
210 } 231 if (ctx != NULL) {
211 if (ctx != NULL)
212 {
213 BN_CTX_end(ctx); 232 BN_CTX_end(ctx);
214 BN_CTX_free(ctx); 233 BN_CTX_free(ctx);
215 }
216
217 return ok;
218 } 234 }
219 235
236 return ok;
237}
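Review bot: `BN_copy(rsa->e, e_value);` at new line 129 of rsa_builtin_keygen is the only BIGNUM call in this function whose result is ignored. If the copy fails, generation carries on with whatever rsa->e already held, and the `BN_gcd(r1, r2, rsa->e, ctx)` coprimality tests and the `BN_mod_inverse` for d are then computed against the wrong exponent instead of failing cleanly. Every other call here uses the `goto err` pattern, so `if (BN_copy(rsa->e, e_value) == NULL)` followed by `goto err;` would match and would report ERR_LIB_BN through the existing `ok == -1` path. Separately, the KNF pass missed `BN_cmp(rsa->p,rsa->q)` at new line 176, which still lacks the space after the comma; it should read `BN_cmp(rsa->p, rsa->q)`.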