155099Skris/* crypto/rsa/rsa_eay.c */ 255099Skris/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 355099Skris * All rights reserved. 455099Skris * 555099Skris * This package is an SSL implementation written 655099Skris * by Eric Young (eay@cryptsoft.com). 755099Skris * The implementation was written so as to conform with Netscapes SSL. 8280304Sjkim * 955099Skris * This library is free for commercial and non-commercial use as long as 1055099Skris * the following conditions are aheared to. The following conditions 1155099Skris * apply to all code found in this distribution, be it the RC4, RSA, 1255099Skris * lhash, DES, etc., code; not just the SSL code. The SSL documentation 1355099Skris * included with this distribution is covered by the same copyright terms 1455099Skris * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15280304Sjkim * 1655099Skris * Copyright remains Eric Young's, and as such any Copyright notices in 1755099Skris * the code are not to be removed. 1855099Skris * If this package is used in a product, Eric Young should be given attribution 1955099Skris * as the author of the parts of the library used. 2055099Skris * This can be in the form of a textual message at program startup or 2155099Skris * in documentation (online or textual) provided with the package. 22280304Sjkim * 2355099Skris * Redistribution and use in source and binary forms, with or without 2455099Skris * modification, are permitted provided that the following conditions 2555099Skris * are met: 2655099Skris * 1. Redistributions of source code must retain the copyright 2755099Skris * notice, this list of conditions and the following disclaimer. 2855099Skris * 2. Redistributions in binary form must reproduce the above copyright 2955099Skris * notice, this list of conditions and the following disclaimer in the 3055099Skris * documentation and/or other materials provided with the distribution. 3155099Skris * 3. All advertising materials mentioning features or use of this software 3255099Skris * must display the following acknowledgement: 3355099Skris * "This product includes cryptographic software written by 3455099Skris * Eric Young (eay@cryptsoft.com)" 3555099Skris * The word 'cryptographic' can be left out if the rouines from the library 3655099Skris * being used are not cryptographic related :-). 37280304Sjkim * 4. If you include any Windows specific code (or a derivative thereof) from 3855099Skris * the apps directory (application code) you must include an acknowledgement: 3955099Skris * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40280304Sjkim * 4155099Skris * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 4255099Skris * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 4355099Skris * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 4455099Skris * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 4555099Skris * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 4655099Skris * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 4755099Skris * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 4855099Skris * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 4955099Skris * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 5055099Skris * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 5155099Skris * SUCH DAMAGE. 52280304Sjkim * 5355099Skris * The licence and distribution terms for any publically available version or 5455099Skris * derivative of this code cannot be changed. i.e. this code cannot simply be 5555099Skris * copied and put under another distribution licence 5655099Skris * [including the GNU Public Licence.] 5755099Skris */ 58160817Ssimon/* ==================================================================== 59162914Ssimon * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. 60160817Ssimon * 61160817Ssimon * Redistribution and use in source and binary forms, with or without 62160817Ssimon * modification, are permitted provided that the following conditions 63160817Ssimon * are met: 64160817Ssimon * 65160817Ssimon * 1. Redistributions of source code must retain the above copyright 66280304Sjkim * notice, this list of conditions and the following disclaimer. 67160817Ssimon * 68160817Ssimon * 2. Redistributions in binary form must reproduce the above copyright 69160817Ssimon * notice, this list of conditions and the following disclaimer in 70160817Ssimon * the documentation and/or other materials provided with the 71160817Ssimon * distribution. 72160817Ssimon * 73160817Ssimon * 3. All advertising materials mentioning features or use of this 74160817Ssimon * software must display the following acknowledgment: 75160817Ssimon * "This product includes software developed by the OpenSSL Project 76160817Ssimon * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77160817Ssimon * 78160817Ssimon * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79160817Ssimon * endorse or promote products derived from this software without 80160817Ssimon * prior written permission. For written permission, please contact 81160817Ssimon * openssl-core@openssl.org. 82160817Ssimon * 83160817Ssimon * 5. Products derived from this software may not be called "OpenSSL" 84160817Ssimon * nor may "OpenSSL" appear in their names without prior written 85160817Ssimon * permission of the OpenSSL Project. 86160817Ssimon * 87160817Ssimon * 6. Redistributions of any form whatsoever must retain the following 88160817Ssimon * acknowledgment: 89160817Ssimon * "This product includes software developed by the OpenSSL Project 90160817Ssimon * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91160817Ssimon * 92160817Ssimon * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93160817Ssimon * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94160817Ssimon * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95160817Ssimon * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96160817Ssimon * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97160817Ssimon * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98160817Ssimon * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99160817Ssimon * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100160817Ssimon * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101160817Ssimon * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102160817Ssimon * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103160817Ssimon * OF THE POSSIBILITY OF SUCH DAMAGE. 104160817Ssimon * ==================================================================== 105160817Ssimon * 106160817Ssimon * This product includes cryptographic software written by Eric Young 107160817Ssimon * (eay@cryptsoft.com). This product includes software written by Tim 108160817Ssimon * Hudson (tjh@cryptsoft.com). 109160817Ssimon * 110160817Ssimon */ 11155099Skris 11255099Skris#include <stdio.h> 11355099Skris#include "cryptlib.h" 11455099Skris#include <openssl/bn.h> 11555099Skris#include <openssl/rsa.h> 11655099Skris#include <openssl/rand.h> 11755099Skris 118238405Sjkim#ifndef RSA_NULL 11968654Skris 120110007Smarkmstatic int RSA_eay_public_encrypt(int flen, const unsigned char *from, 121280304Sjkim unsigned char *to, RSA *rsa, int padding); 122110007Smarkmstatic int RSA_eay_private_encrypt(int flen, const unsigned char *from, 123280304Sjkim unsigned char *to, RSA *rsa, int padding); 124110007Smarkmstatic int RSA_eay_public_decrypt(int flen, const unsigned char *from, 125280304Sjkim unsigned char *to, RSA *rsa, int padding); 126110007Smarkmstatic int RSA_eay_private_decrypt(int flen, const unsigned char *from, 127280304Sjkim unsigned char *to, RSA *rsa, int padding); 128280304Sjkimstatic int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa, 129280304Sjkim BN_CTX *ctx); 13055099Skrisstatic int RSA_eay_init(RSA *rsa); 13155099Skrisstatic int RSA_eay_finish(RSA *rsa); 132280304Sjkimstatic RSA_METHOD rsa_pkcs1_eay_meth = { 133280304Sjkim "Eric Young's PKCS#1 RSA", 134280304Sjkim RSA_eay_public_encrypt, 135280304Sjkim RSA_eay_public_decrypt, /* signature verification */ 136280304Sjkim RSA_eay_private_encrypt, /* signing */ 137280304Sjkim RSA_eay_private_decrypt, 138280304Sjkim RSA_eay_mod_exp, 139280304Sjkim BN_mod_exp_mont, /* XXX probably we should not use Montgomery 140280304Sjkim * if e == 3 */ 141280304Sjkim RSA_eay_init, 142280304Sjkim RSA_eay_finish, 143280304Sjkim 0, /* flags */ 144280304Sjkim NULL, 145280304Sjkim 0, /* rsa_sign */ 146280304Sjkim 0, /* rsa_verify */ 147280304Sjkim NULL /* rsa_keygen */ 148280304Sjkim}; 14955099Skris 150110007Smarkmconst RSA_METHOD *RSA_PKCS1_SSLeay(void) 151280304Sjkim{ 152280304Sjkim return (&rsa_pkcs1_eay_meth); 153280304Sjkim} 15455099Skris 155110007Smarkmstatic int RSA_eay_public_encrypt(int flen, const unsigned char *from, 156280304Sjkim unsigned char *to, RSA *rsa, int padding) 157280304Sjkim{ 158280304Sjkim BIGNUM *f, *ret; 159280304Sjkim int i, j, k, num = 0, r = -1; 160280304Sjkim unsigned char *buf = NULL; 161280304Sjkim BN_CTX *ctx = NULL; 16255099Skris 163280304Sjkim if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { 164280304Sjkim RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE); 165280304Sjkim return -1; 166280304Sjkim } 167162914Ssimon 168280304Sjkim if (BN_ucmp(rsa->n, rsa->e) <= 0) { 169280304Sjkim RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE); 170280304Sjkim return -1; 171280304Sjkim } 172162914Ssimon 173280304Sjkim /* for large moduli, enforce exponent limit */ 174280304Sjkim if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) { 175280304Sjkim if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) { 176280304Sjkim RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE); 177280304Sjkim return -1; 178280304Sjkim } 179280304Sjkim } 18055099Skris 181280304Sjkim if ((ctx = BN_CTX_new()) == NULL) 182280304Sjkim goto err; 183280304Sjkim BN_CTX_start(ctx); 184280304Sjkim f = BN_CTX_get(ctx); 185280304Sjkim ret = BN_CTX_get(ctx); 186280304Sjkim num = BN_num_bytes(rsa->n); 187280304Sjkim buf = OPENSSL_malloc(num); 188280304Sjkim if (!f || !ret || !buf) { 189280304Sjkim RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, ERR_R_MALLOC_FAILURE); 190280304Sjkim goto err; 191280304Sjkim } 19255099Skris 193280304Sjkim switch (padding) { 194280304Sjkim case RSA_PKCS1_PADDING: 195280304Sjkim i = RSA_padding_add_PKCS1_type_2(buf, num, from, flen); 196280304Sjkim break; 197280304Sjkim# ifndef OPENSSL_NO_SHA 198280304Sjkim case RSA_PKCS1_OAEP_PADDING: 199280304Sjkim i = RSA_padding_add_PKCS1_OAEP(buf, num, from, flen, NULL, 0); 200280304Sjkim break; 201280304Sjkim# endif 202280304Sjkim case RSA_SSLV23_PADDING: 203280304Sjkim i = RSA_padding_add_SSLv23(buf, num, from, flen); 204280304Sjkim break; 205280304Sjkim case RSA_NO_PADDING: 206280304Sjkim i = RSA_padding_add_none(buf, num, from, flen); 207280304Sjkim break; 208280304Sjkim default: 209280304Sjkim RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE); 210280304Sjkim goto err; 211280304Sjkim } 212280304Sjkim if (i <= 0) 213280304Sjkim goto err; 21489840Skris 215280304Sjkim if (BN_bin2bn(buf, num, f) == NULL) 216280304Sjkim goto err; 217160817Ssimon 218280304Sjkim if (BN_ucmp(f, rsa->n) >= 0) { 219280304Sjkim /* usually the padding functions would catch this */ 220280304Sjkim RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, 221280304Sjkim RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 222280304Sjkim goto err; 223280304Sjkim } 22455099Skris 225280304Sjkim if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 226280304Sjkim if (!BN_MONT_CTX_set_locked 227280304Sjkim (&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) 228280304Sjkim goto err; 22955099Skris 230280304Sjkim if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx, 231280304Sjkim rsa->_method_mod_n)) 232280304Sjkim goto err; 23355099Skris 234280304Sjkim /* 235280304Sjkim * put in leading 0 bytes if the number is less than the length of the 236280304Sjkim * modulus 237280304Sjkim */ 238280304Sjkim j = BN_num_bytes(ret); 239280304Sjkim i = BN_bn2bin(ret, &(to[num - j])); 240280304Sjkim for (k = 0; k < (num - i); k++) 241280304Sjkim to[k] = 0; 242280304Sjkim 243280304Sjkim r = num; 244280304Sjkim err: 245280304Sjkim if (ctx != NULL) { 246280304Sjkim BN_CTX_end(ctx); 247280304Sjkim BN_CTX_free(ctx); 248280304Sjkim } 249280304Sjkim if (buf != NULL) { 250280304Sjkim OPENSSL_cleanse(buf, num); 251280304Sjkim OPENSSL_free(buf); 252280304Sjkim } 253280304Sjkim return (r); 254280304Sjkim} 255280304Sjkim 256162914Ssimonstatic BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx) 257160817Ssimon{ 258280304Sjkim BN_BLINDING *ret; 259280304Sjkim int got_write_lock = 0; 260280304Sjkim CRYPTO_THREADID cur; 261112446Sjedgar 262280304Sjkim CRYPTO_r_lock(CRYPTO_LOCK_RSA); 263162914Ssimon 264280304Sjkim if (rsa->blinding == NULL) { 265280304Sjkim CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 266280304Sjkim CRYPTO_w_lock(CRYPTO_LOCK_RSA); 267280304Sjkim got_write_lock = 1; 268162914Ssimon 269280304Sjkim if (rsa->blinding == NULL) 270280304Sjkim rsa->blinding = RSA_setup_blinding(rsa, ctx); 271280304Sjkim } 272112446Sjedgar 273280304Sjkim ret = rsa->blinding; 274280304Sjkim if (ret == NULL) 275280304Sjkim goto err; 276120635Snectar 277280304Sjkim CRYPTO_THREADID_current(&cur); 278280304Sjkim if (!CRYPTO_THREADID_cmp(&cur, BN_BLINDING_thread_id(ret))) { 279280304Sjkim /* rsa->blinding is ours! */ 280162914Ssimon 281280304Sjkim *local = 1; 282280304Sjkim } else { 283280304Sjkim /* resort to rsa->mt_blinding instead */ 284162914Ssimon 285280304Sjkim /* 286280304Sjkim * instructs rsa_blinding_convert(), rsa_blinding_invert() that the 287280304Sjkim * BN_BLINDING is shared, meaning that accesses require locks, and 288280304Sjkim * that the blinding factor must be stored outside the BN_BLINDING 289280304Sjkim */ 290280304Sjkim *local = 0; 291162914Ssimon 292280304Sjkim if (rsa->mt_blinding == NULL) { 293280304Sjkim if (!got_write_lock) { 294280304Sjkim CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 295280304Sjkim CRYPTO_w_lock(CRYPTO_LOCK_RSA); 296280304Sjkim got_write_lock = 1; 297280304Sjkim } 298162914Ssimon 299280304Sjkim if (rsa->mt_blinding == NULL) 300280304Sjkim rsa->mt_blinding = RSA_setup_blinding(rsa, ctx); 301280304Sjkim } 302280304Sjkim ret = rsa->mt_blinding; 303280304Sjkim } 304280304Sjkim 305162914Ssimon err: 306280304Sjkim if (got_write_lock) 307280304Sjkim CRYPTO_w_unlock(CRYPTO_LOCK_RSA); 308280304Sjkim else 309280304Sjkim CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 310280304Sjkim return ret; 311160817Ssimon} 312120635Snectar 313237657Sjkimstatic int rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, 314280304Sjkim BN_CTX *ctx) 315280304Sjkim{ 316280304Sjkim if (unblind == NULL) 317280304Sjkim /* 318280304Sjkim * Local blinding: store the unblinding factor in BN_BLINDING. 319280304Sjkim */ 320280304Sjkim return BN_BLINDING_convert_ex(f, NULL, b, ctx); 321280304Sjkim else { 322280304Sjkim /* 323280304Sjkim * Shared blinding: store the unblinding factor outside BN_BLINDING. 324280304Sjkim */ 325280304Sjkim int ret; 326280304Sjkim CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING); 327280304Sjkim ret = BN_BLINDING_convert_ex(f, unblind, b, ctx); 328280304Sjkim CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING); 329280304Sjkim return ret; 330280304Sjkim } 331280304Sjkim} 332120635Snectar 333237657Sjkimstatic int rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, 334280304Sjkim BN_CTX *ctx) 335280304Sjkim{ 336280304Sjkim /* 337280304Sjkim * For local blinding, unblind is set to NULL, and BN_BLINDING_invert_ex 338280304Sjkim * will use the unblinding factor stored in BN_BLINDING. If BN_BLINDING 339280304Sjkim * is shared between threads, unblind must be non-null: 340280304Sjkim * BN_BLINDING_invert_ex will then use the local unblinding factor, and 341280304Sjkim * will only read the modulus from BN_BLINDING. In both cases it's safe 342280304Sjkim * to access the blinding without a lock. 343280304Sjkim */ 344280304Sjkim return BN_BLINDING_invert_ex(f, unblind, b, ctx); 345280304Sjkim} 346237657Sjkim 34789840Skris/* signing */ 348110007Smarkmstatic int RSA_eay_private_encrypt(int flen, const unsigned char *from, 349280304Sjkim unsigned char *to, RSA *rsa, int padding) 350280304Sjkim{ 351280304Sjkim BIGNUM *f, *ret, *res; 352280304Sjkim int i, j, k, num = 0, r = -1; 353280304Sjkim unsigned char *buf = NULL; 354280304Sjkim BN_CTX *ctx = NULL; 355280304Sjkim int local_blinding = 0; 356280304Sjkim /* 357280304Sjkim * Used only if the blinding structure is shared. A non-NULL unblind 358280304Sjkim * instructs rsa_blinding_convert() and rsa_blinding_invert() to store 359280304Sjkim * the unblinding factor outside the blinding structure. 360280304Sjkim */ 361280304Sjkim BIGNUM *unblind = NULL; 362280304Sjkim BN_BLINDING *blinding = NULL; 36355099Skris 364280304Sjkim if ((ctx = BN_CTX_new()) == NULL) 365280304Sjkim goto err; 366280304Sjkim BN_CTX_start(ctx); 367280304Sjkim f = BN_CTX_get(ctx); 368280304Sjkim ret = BN_CTX_get(ctx); 369280304Sjkim num = BN_num_bytes(rsa->n); 370280304Sjkim buf = OPENSSL_malloc(num); 371280304Sjkim if (!f || !ret || !buf) { 372280304Sjkim RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE); 373280304Sjkim goto err; 374280304Sjkim } 37555099Skris 376280304Sjkim switch (padding) { 377280304Sjkim case RSA_PKCS1_PADDING: 378280304Sjkim i = RSA_padding_add_PKCS1_type_1(buf, num, from, flen); 379280304Sjkim break; 380280304Sjkim case RSA_X931_PADDING: 381280304Sjkim i = RSA_padding_add_X931(buf, num, from, flen); 382280304Sjkim break; 383280304Sjkim case RSA_NO_PADDING: 384280304Sjkim i = RSA_padding_add_none(buf, num, from, flen); 385280304Sjkim break; 386280304Sjkim case RSA_SSLV23_PADDING: 387280304Sjkim default: 388280304Sjkim RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE); 389280304Sjkim goto err; 390280304Sjkim } 391280304Sjkim if (i <= 0) 392280304Sjkim goto err; 39355099Skris 394280304Sjkim if (BN_bin2bn(buf, num, f) == NULL) 395280304Sjkim goto err; 39655099Skris 397280304Sjkim if (BN_ucmp(f, rsa->n) >= 0) { 398280304Sjkim /* usually the padding functions would catch this */ 399280304Sjkim RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, 400280304Sjkim RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 401280304Sjkim goto err; 402280304Sjkim } 403112446Sjedgar 404280304Sjkim if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) { 405280304Sjkim blinding = rsa_get_blinding(rsa, &local_blinding, ctx); 406280304Sjkim if (blinding == NULL) { 407280304Sjkim RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR); 408280304Sjkim goto err; 409280304Sjkim } 410280304Sjkim } 411160817Ssimon 412280304Sjkim if (blinding != NULL) { 413280304Sjkim if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) { 414280304Sjkim RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE); 415280304Sjkim goto err; 416280304Sjkim } 417280304Sjkim if (!rsa_blinding_convert(blinding, f, unblind, ctx)) 418280304Sjkim goto err; 419280304Sjkim } 420160817Ssimon 421280304Sjkim if ((rsa->flags & RSA_FLAG_EXT_PKEY) || 422280304Sjkim ((rsa->p != NULL) && 423280304Sjkim (rsa->q != NULL) && 424280304Sjkim (rsa->dmp1 != NULL) && (rsa->dmq1 != NULL) && (rsa->iqmp != NULL))) { 425280304Sjkim if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) 426280304Sjkim goto err; 427280304Sjkim } else { 428280304Sjkim BIGNUM local_d; 429280304Sjkim BIGNUM *d = NULL; 43055099Skris 431280304Sjkim if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 432280304Sjkim BN_init(&local_d); 433280304Sjkim d = &local_d; 434280304Sjkim BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); 435280304Sjkim } else 436280304Sjkim d = rsa->d; 43755099Skris 438280304Sjkim if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 439280304Sjkim if (!BN_MONT_CTX_set_locked 440280304Sjkim (&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) 441280304Sjkim goto err; 442160817Ssimon 443280304Sjkim if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx, 444280304Sjkim rsa->_method_mod_n)) 445280304Sjkim goto err; 446280304Sjkim } 44755099Skris 448280304Sjkim if (blinding) 449280304Sjkim if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) 450280304Sjkim goto err; 45155099Skris 452280304Sjkim if (padding == RSA_X931_PADDING) { 453280304Sjkim BN_sub(f, rsa->n, ret); 454280304Sjkim if (BN_cmp(ret, f) > 0) 455280304Sjkim res = f; 456280304Sjkim else 457280304Sjkim res = ret; 458280304Sjkim } else 459280304Sjkim res = ret; 460280304Sjkim 461280304Sjkim /* 462280304Sjkim * put in leading 0 bytes if the number is less than the length of the 463280304Sjkim * modulus 464280304Sjkim */ 465280304Sjkim j = BN_num_bytes(res); 466280304Sjkim i = BN_bn2bin(res, &(to[num - j])); 467280304Sjkim for (k = 0; k < (num - i); k++) 468280304Sjkim to[k] = 0; 469280304Sjkim 470280304Sjkim r = num; 471280304Sjkim err: 472280304Sjkim if (ctx != NULL) { 473280304Sjkim BN_CTX_end(ctx); 474280304Sjkim BN_CTX_free(ctx); 475280304Sjkim } 476280304Sjkim if (buf != NULL) { 477280304Sjkim OPENSSL_cleanse(buf, num); 478280304Sjkim OPENSSL_free(buf); 479280304Sjkim } 480280304Sjkim return (r); 481280304Sjkim} 482280304Sjkim 483110007Smarkmstatic int RSA_eay_private_decrypt(int flen, const unsigned char *from, 484280304Sjkim unsigned char *to, RSA *rsa, int padding) 485280304Sjkim{ 486280304Sjkim BIGNUM *f, *ret; 487280304Sjkim int j, num = 0, r = -1; 488280304Sjkim unsigned char *p; 489280304Sjkim unsigned char *buf = NULL; 490280304Sjkim BN_CTX *ctx = NULL; 491280304Sjkim int local_blinding = 0; 492280304Sjkim /* 493280304Sjkim * Used only if the blinding structure is shared. A non-NULL unblind 494280304Sjkim * instructs rsa_blinding_convert() and rsa_blinding_invert() to store 495280304Sjkim * the unblinding factor outside the blinding structure. 496280304Sjkim */ 497280304Sjkim BIGNUM *unblind = NULL; 498280304Sjkim BN_BLINDING *blinding = NULL; 49955099Skris 500280304Sjkim if ((ctx = BN_CTX_new()) == NULL) 501280304Sjkim goto err; 502280304Sjkim BN_CTX_start(ctx); 503280304Sjkim f = BN_CTX_get(ctx); 504280304Sjkim ret = BN_CTX_get(ctx); 505280304Sjkim num = BN_num_bytes(rsa->n); 506280304Sjkim buf = OPENSSL_malloc(num); 507280304Sjkim if (!f || !ret || !buf) { 508280304Sjkim RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE); 509280304Sjkim goto err; 510280304Sjkim } 51155099Skris 512280304Sjkim /* 513280304Sjkim * This check was for equality but PGP does evil things and chops off the 514280304Sjkim * top '0' bytes 515280304Sjkim */ 516280304Sjkim if (flen > num) { 517280304Sjkim RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, 518280304Sjkim RSA_R_DATA_GREATER_THAN_MOD_LEN); 519280304Sjkim goto err; 520280304Sjkim } 52155099Skris 522280304Sjkim /* make data into a big number */ 523280304Sjkim if (BN_bin2bn(from, (int)flen, f) == NULL) 524280304Sjkim goto err; 52555099Skris 526280304Sjkim if (BN_ucmp(f, rsa->n) >= 0) { 527280304Sjkim RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, 528280304Sjkim RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 529280304Sjkim goto err; 530280304Sjkim } 53189840Skris 532280304Sjkim if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) { 533280304Sjkim blinding = rsa_get_blinding(rsa, &local_blinding, ctx); 534280304Sjkim if (blinding == NULL) { 535280304Sjkim RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR); 536280304Sjkim goto err; 537280304Sjkim } 538280304Sjkim } 539112446Sjedgar 540280304Sjkim if (blinding != NULL) { 541280304Sjkim if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) { 542280304Sjkim RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE); 543280304Sjkim goto err; 544280304Sjkim } 545280304Sjkim if (!rsa_blinding_convert(blinding, f, unblind, ctx)) 546280304Sjkim goto err; 547280304Sjkim } 548160817Ssimon 549280304Sjkim /* do the decrypt */ 550280304Sjkim if ((rsa->flags & RSA_FLAG_EXT_PKEY) || 551280304Sjkim ((rsa->p != NULL) && 552280304Sjkim (rsa->q != NULL) && 553280304Sjkim (rsa->dmp1 != NULL) && (rsa->dmq1 != NULL) && (rsa->iqmp != NULL))) { 554280304Sjkim if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) 555280304Sjkim goto err; 556280304Sjkim } else { 557280304Sjkim BIGNUM local_d; 558280304Sjkim BIGNUM *d = NULL; 55955099Skris 560280304Sjkim if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 561280304Sjkim d = &local_d; 562280304Sjkim BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); 563280304Sjkim } else 564280304Sjkim d = rsa->d; 56555099Skris 566280304Sjkim if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 567280304Sjkim if (!BN_MONT_CTX_set_locked 568280304Sjkim (&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) 569280304Sjkim goto err; 570280304Sjkim if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx, 571280304Sjkim rsa->_method_mod_n)) 572280304Sjkim goto err; 573280304Sjkim } 57455099Skris 575280304Sjkim if (blinding) 576280304Sjkim if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) 577280304Sjkim goto err; 57855099Skris 579280304Sjkim p = buf; 580280304Sjkim j = BN_bn2bin(ret, p); /* j is only used with no-padding mode */ 58155099Skris 582280304Sjkim switch (padding) { 583280304Sjkim case RSA_PKCS1_PADDING: 584280304Sjkim r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num); 585280304Sjkim break; 586280304Sjkim# ifndef OPENSSL_NO_SHA 587280304Sjkim case RSA_PKCS1_OAEP_PADDING: 588280304Sjkim r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0); 589280304Sjkim break; 590280304Sjkim# endif 591280304Sjkim case RSA_SSLV23_PADDING: 592280304Sjkim r = RSA_padding_check_SSLv23(to, num, buf, j, num); 593280304Sjkim break; 594280304Sjkim case RSA_NO_PADDING: 595280304Sjkim r = RSA_padding_check_none(to, num, buf, j, num); 596280304Sjkim break; 597280304Sjkim default: 598280304Sjkim RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE); 599280304Sjkim goto err; 600280304Sjkim } 601280304Sjkim if (r < 0) 602280304Sjkim RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_PADDING_CHECK_FAILED); 603280304Sjkim 604280304Sjkim err: 605280304Sjkim if (ctx != NULL) { 606280304Sjkim BN_CTX_end(ctx); 607280304Sjkim BN_CTX_free(ctx); 608280304Sjkim } 609280304Sjkim if (buf != NULL) { 610280304Sjkim OPENSSL_cleanse(buf, num); 611280304Sjkim OPENSSL_free(buf); 612280304Sjkim } 613280304Sjkim return (r); 614280304Sjkim} 615280304Sjkim 61689840Skris/* signature verification */ 617110007Smarkmstatic int RSA_eay_public_decrypt(int flen, const unsigned char *from, 618280304Sjkim unsigned char *to, RSA *rsa, int padding) 619280304Sjkim{ 620280304Sjkim BIGNUM *f, *ret; 621280304Sjkim int i, num = 0, r = -1; 622280304Sjkim unsigned char *p; 623280304Sjkim unsigned char *buf = NULL; 624280304Sjkim BN_CTX *ctx = NULL; 62555099Skris 626280304Sjkim if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { 627280304Sjkim RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE); 628280304Sjkim return -1; 629280304Sjkim } 630162914Ssimon 631280304Sjkim if (BN_ucmp(rsa->n, rsa->e) <= 0) { 632280304Sjkim RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE); 633280304Sjkim return -1; 634280304Sjkim } 635162914Ssimon 636280304Sjkim /* for large moduli, enforce exponent limit */ 637280304Sjkim if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) { 638280304Sjkim if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) { 639280304Sjkim RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE); 640280304Sjkim return -1; 641280304Sjkim } 642280304Sjkim } 64355099Skris 644280304Sjkim if ((ctx = BN_CTX_new()) == NULL) 645280304Sjkim goto err; 646280304Sjkim BN_CTX_start(ctx); 647280304Sjkim f = BN_CTX_get(ctx); 648280304Sjkim ret = BN_CTX_get(ctx); 649280304Sjkim num = BN_num_bytes(rsa->n); 650280304Sjkim buf = OPENSSL_malloc(num); 651280304Sjkim if (!f || !ret || !buf) { 652280304Sjkim RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, ERR_R_MALLOC_FAILURE); 653280304Sjkim goto err; 654280304Sjkim } 65555099Skris 656280304Sjkim /* 657280304Sjkim * This check was for equality but PGP does evil things and chops off the 658280304Sjkim * top '0' bytes 659280304Sjkim */ 660280304Sjkim if (flen > num) { 661280304Sjkim RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_DATA_GREATER_THAN_MOD_LEN); 662280304Sjkim goto err; 663280304Sjkim } 66489840Skris 665280304Sjkim if (BN_bin2bn(from, flen, f) == NULL) 666280304Sjkim goto err; 66789840Skris 668280304Sjkim if (BN_ucmp(f, rsa->n) >= 0) { 669280304Sjkim RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, 670280304Sjkim RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 671280304Sjkim goto err; 672280304Sjkim } 673160817Ssimon 674280304Sjkim if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 675280304Sjkim if (!BN_MONT_CTX_set_locked 676280304Sjkim (&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) 677280304Sjkim goto err; 67855099Skris 679280304Sjkim if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx, 680280304Sjkim rsa->_method_mod_n)) 681280304Sjkim goto err; 682160817Ssimon 683280304Sjkim if ((padding == RSA_X931_PADDING) && ((ret->d[0] & 0xf) != 12)) 684280304Sjkim if (!BN_sub(ret, rsa->n, ret)) 685280304Sjkim goto err; 68655099Skris 687280304Sjkim p = buf; 688280304Sjkim i = BN_bn2bin(ret, p); 68955099Skris 690280304Sjkim switch (padding) { 691280304Sjkim case RSA_PKCS1_PADDING: 692280304Sjkim r = RSA_padding_check_PKCS1_type_1(to, num, buf, i, num); 693280304Sjkim break; 694280304Sjkim case RSA_X931_PADDING: 695280304Sjkim r = RSA_padding_check_X931(to, num, buf, i, num); 696280304Sjkim break; 697280304Sjkim case RSA_NO_PADDING: 698280304Sjkim r = RSA_padding_check_none(to, num, buf, i, num); 699280304Sjkim break; 700280304Sjkim default: 701280304Sjkim RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE); 702280304Sjkim goto err; 703280304Sjkim } 704280304Sjkim if (r < 0) 705280304Sjkim RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_PADDING_CHECK_FAILED); 70655099Skris 707280304Sjkim err: 708280304Sjkim if (ctx != NULL) { 709280304Sjkim BN_CTX_end(ctx); 710280304Sjkim BN_CTX_free(ctx); 711280304Sjkim } 712280304Sjkim if (buf != NULL) { 713280304Sjkim OPENSSL_cleanse(buf, num); 714280304Sjkim OPENSSL_free(buf); 715280304Sjkim } 716280304Sjkim return (r); 717280304Sjkim} 718280304Sjkim 719160817Ssimonstatic int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) 720280304Sjkim{ 721280304Sjkim BIGNUM *r1, *m1, *vrfy; 722280304Sjkim BIGNUM local_dmp1, local_dmq1, local_c, local_r1; 723280304Sjkim BIGNUM *dmp1, *dmq1, *c, *pr1; 724280304Sjkim int ret = 0; 72555099Skris 726280304Sjkim BN_CTX_start(ctx); 727280304Sjkim r1 = BN_CTX_get(ctx); 728280304Sjkim m1 = BN_CTX_get(ctx); 729280304Sjkim vrfy = BN_CTX_get(ctx); 73055099Skris 731280304Sjkim { 732280304Sjkim BIGNUM local_p, local_q; 733280304Sjkim BIGNUM *p = NULL, *q = NULL; 734160817Ssimon 735280304Sjkim /* 736280304Sjkim * Make sure BN_mod_inverse in Montgomery intialization uses the 737280304Sjkim * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set) 738280304Sjkim */ 739280304Sjkim if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 740280304Sjkim BN_init(&local_p); 741280304Sjkim p = &local_p; 742280304Sjkim BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME); 743194206Ssimon 744280304Sjkim BN_init(&local_q); 745280304Sjkim q = &local_q; 746280304Sjkim BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME); 747280304Sjkim } else { 748280304Sjkim p = rsa->p; 749280304Sjkim q = rsa->q; 750280304Sjkim } 751194206Ssimon 752280304Sjkim if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) { 753280304Sjkim if (!BN_MONT_CTX_set_locked 754280304Sjkim (&rsa->_method_mod_p, CRYPTO_LOCK_RSA, p, ctx)) 755280304Sjkim goto err; 756280304Sjkim if (!BN_MONT_CTX_set_locked 757280304Sjkim (&rsa->_method_mod_q, CRYPTO_LOCK_RSA, q, ctx)) 758280304Sjkim goto err; 759280304Sjkim } 760280304Sjkim } 761194206Ssimon 762280304Sjkim if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 763280304Sjkim if (!BN_MONT_CTX_set_locked 764280304Sjkim (&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) 765280304Sjkim goto err; 766194206Ssimon 767280304Sjkim /* compute I mod q */ 768280304Sjkim if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 769280304Sjkim c = &local_c; 770280304Sjkim BN_with_flags(c, I, BN_FLG_CONSTTIME); 771280304Sjkim if (!BN_mod(r1, c, rsa->q, ctx)) 772280304Sjkim goto err; 773280304Sjkim } else { 774280304Sjkim if (!BN_mod(r1, I, rsa->q, ctx)) 775280304Sjkim goto err; 776280304Sjkim } 777194206Ssimon 778280304Sjkim /* compute r1^dmq1 mod q */ 779280304Sjkim if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 780280304Sjkim dmq1 = &local_dmq1; 781280304Sjkim BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME); 782280304Sjkim } else 783280304Sjkim dmq1 = rsa->dmq1; 784280304Sjkim if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx, rsa->_method_mod_q)) 785280304Sjkim goto err; 78655099Skris 787280304Sjkim /* compute I mod p */ 788280304Sjkim if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 789280304Sjkim c = &local_c; 790280304Sjkim BN_with_flags(c, I, BN_FLG_CONSTTIME); 791280304Sjkim if (!BN_mod(r1, c, rsa->p, ctx)) 792280304Sjkim goto err; 793280304Sjkim } else { 794280304Sjkim if (!BN_mod(r1, I, rsa->p, ctx)) 795280304Sjkim goto err; 796280304Sjkim } 797194206Ssimon 798280304Sjkim /* compute r1^dmp1 mod p */ 799280304Sjkim if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 800280304Sjkim dmp1 = &local_dmp1; 801280304Sjkim BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME); 802280304Sjkim } else 803280304Sjkim dmp1 = rsa->dmp1; 804280304Sjkim if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p, ctx, rsa->_method_mod_p)) 805280304Sjkim goto err; 80655099Skris 807280304Sjkim if (!BN_sub(r0, r0, m1)) 808280304Sjkim goto err; 809280304Sjkim /* 810280304Sjkim * This will help stop the size of r0 increasing, which does affect the 811280304Sjkim * multiply if it optimised for a power of 2 size 812280304Sjkim */ 813280304Sjkim if (BN_is_negative(r0)) 814280304Sjkim if (!BN_add(r0, r0, rsa->p)) 815280304Sjkim goto err; 81655099Skris 817280304Sjkim if (!BN_mul(r1, r0, rsa->iqmp, ctx)) 818280304Sjkim goto err; 819194206Ssimon 820280304Sjkim /* Turn BN_FLG_CONSTTIME flag on before division operation */ 821280304Sjkim if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 822280304Sjkim pr1 = &local_r1; 823280304Sjkim BN_with_flags(pr1, r1, BN_FLG_CONSTTIME); 824280304Sjkim } else 825280304Sjkim pr1 = r1; 826280304Sjkim if (!BN_mod(r0, pr1, rsa->p, ctx)) 827280304Sjkim goto err; 828194206Ssimon 829280304Sjkim /* 830280304Sjkim * If p < q it is occasionally possible for the correction of adding 'p' 831280304Sjkim * if r0 is negative above to leave the result still negative. This can 832280304Sjkim * break the private key operations: the following second correction 833280304Sjkim * should *always* correct this rare occurrence. This will *never* happen 834280304Sjkim * with OpenSSL generated keys because they ensure p > q [steve] 835280304Sjkim */ 836280304Sjkim if (BN_is_negative(r0)) 837280304Sjkim if (!BN_add(r0, r0, rsa->p)) 838280304Sjkim goto err; 839280304Sjkim if (!BN_mul(r1, r0, rsa->q, ctx)) 840280304Sjkim goto err; 841280304Sjkim if (!BN_add(r0, r1, m1)) 842280304Sjkim goto err; 84355099Skris 844280304Sjkim if (rsa->e && rsa->n) { 845280304Sjkim if (!rsa->meth->bn_mod_exp(vrfy, r0, rsa->e, rsa->n, ctx, 846280304Sjkim rsa->_method_mod_n)) 847280304Sjkim goto err; 848280304Sjkim /* 849280304Sjkim * If 'I' was greater than (or equal to) rsa->n, the operation will 850280304Sjkim * be equivalent to using 'I mod n'. However, the result of the 851280304Sjkim * verify will *always* be less than 'n' so we don't check for 852280304Sjkim * absolute equality, just congruency. 853280304Sjkim */ 854280304Sjkim if (!BN_sub(vrfy, vrfy, I)) 855280304Sjkim goto err; 856280304Sjkim if (!BN_mod(vrfy, vrfy, rsa->n, ctx)) 857280304Sjkim goto err; 858280304Sjkim if (BN_is_negative(vrfy)) 859280304Sjkim if (!BN_add(vrfy, vrfy, rsa->n)) 860280304Sjkim goto err; 861280304Sjkim if (!BN_is_zero(vrfy)) { 862280304Sjkim /* 863280304Sjkim * 'I' and 'vrfy' aren't congruent mod n. Don't leak 864280304Sjkim * miscalculated CRT output, just do a raw (slower) mod_exp and 865280304Sjkim * return that instead. 866280304Sjkim */ 867160817Ssimon 868280304Sjkim BIGNUM local_d; 869280304Sjkim BIGNUM *d = NULL; 87055099Skris 871280304Sjkim if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 872280304Sjkim d = &local_d; 873280304Sjkim BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); 874280304Sjkim } else 875280304Sjkim d = rsa->d; 876280304Sjkim if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx, 877280304Sjkim rsa->_method_mod_n)) 878280304Sjkim goto err; 879280304Sjkim } 880280304Sjkim } 881280304Sjkim ret = 1; 882280304Sjkim err: 883280304Sjkim BN_CTX_end(ctx); 884280304Sjkim return (ret); 885280304Sjkim} 886280304Sjkim 88755099Skrisstatic int RSA_eay_init(RSA *rsa) 888280304Sjkim{ 889280304Sjkim rsa->flags |= RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE; 890280304Sjkim return (1); 891280304Sjkim} 89255099Skris 89355099Skrisstatic int RSA_eay_finish(RSA *rsa) 894280304Sjkim{ 895280304Sjkim if (rsa->_method_mod_n != NULL) 896280304Sjkim BN_MONT_CTX_free(rsa->_method_mod_n); 897280304Sjkim if (rsa->_method_mod_p != NULL) 898280304Sjkim BN_MONT_CTX_free(rsa->_method_mod_p); 899280304Sjkim if (rsa->_method_mod_q != NULL) 900280304Sjkim BN_MONT_CTX_free(rsa->_method_mod_q); 901280304Sjkim return (1); 902280304Sjkim} 90355099Skris 90468654Skris#endif 905