rsa_eay.c revision 238405
155099Skris/* crypto/rsa/rsa_eay.c */ 255099Skris/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 355099Skris * All rights reserved. 455099Skris * 555099Skris * This package is an SSL implementation written 655099Skris * by Eric Young (eay@cryptsoft.com). 755099Skris * The implementation was written so as to conform with Netscapes SSL. 855099Skris * 955099Skris * This library is free for commercial and non-commercial use as long as 1055099Skris * the following conditions are aheared to. The following conditions 1155099Skris * apply to all code found in this distribution, be it the RC4, RSA, 1255099Skris * lhash, DES, etc., code; not just the SSL code. The SSL documentation 1355099Skris * included with this distribution is covered by the same copyright terms 1455099Skris * except that the holder is Tim Hudson (tjh@cryptsoft.com). 1555099Skris * 1655099Skris * Copyright remains Eric Young's, and as such any Copyright notices in 1755099Skris * the code are not to be removed. 1855099Skris * If this package is used in a product, Eric Young should be given attribution 1955099Skris * as the author of the parts of the library used. 2055099Skris * This can be in the form of a textual message at program startup or 2155099Skris * in documentation (online or textual) provided with the package. 2255099Skris * 2355099Skris * Redistribution and use in source and binary forms, with or without 2455099Skris * modification, are permitted provided that the following conditions 2555099Skris * are met: 2655099Skris * 1. Redistributions of source code must retain the copyright 2755099Skris * notice, this list of conditions and the following disclaimer. 2855099Skris * 2. Redistributions in binary form must reproduce the above copyright 2955099Skris * notice, this list of conditions and the following disclaimer in the 3055099Skris * documentation and/or other materials provided with the distribution. 3155099Skris * 3. All advertising materials mentioning features or use of this software 3255099Skris * must display the following acknowledgement: 3355099Skris * "This product includes cryptographic software written by 3455099Skris * Eric Young (eay@cryptsoft.com)" 3555099Skris * The word 'cryptographic' can be left out if the rouines from the library 3655099Skris * being used are not cryptographic related :-). 3755099Skris * 4. If you include any Windows specific code (or a derivative thereof) from 3855099Skris * the apps directory (application code) you must include an acknowledgement: 3955099Skris * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 4055099Skris * 4155099Skris * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 4255099Skris * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 4355099Skris * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 4455099Skris * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 4555099Skris * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 4655099Skris * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 4755099Skris * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 4855099Skris * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 4955099Skris * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 5055099Skris * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 5155099Skris * SUCH DAMAGE. 5255099Skris * 5355099Skris * The licence and distribution terms for any publically available version or 5455099Skris * derivative of this code cannot be changed. i.e. this code cannot simply be 5555099Skris * copied and put under another distribution licence 5655099Skris * [including the GNU Public Licence.] 5755099Skris */ 58160817Ssimon/* ==================================================================== 59162914Ssimon * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. 60160817Ssimon * 61160817Ssimon * Redistribution and use in source and binary forms, with or without 62160817Ssimon * modification, are permitted provided that the following conditions 63160817Ssimon * are met: 64160817Ssimon * 65160817Ssimon * 1. Redistributions of source code must retain the above copyright 66160817Ssimon * notice, this list of conditions and the following disclaimer. 67160817Ssimon * 68160817Ssimon * 2. Redistributions in binary form must reproduce the above copyright 69160817Ssimon * notice, this list of conditions and the following disclaimer in 70160817Ssimon * the documentation and/or other materials provided with the 71160817Ssimon * distribution. 72160817Ssimon * 73160817Ssimon * 3. All advertising materials mentioning features or use of this 74160817Ssimon * software must display the following acknowledgment: 75160817Ssimon * "This product includes software developed by the OpenSSL Project 76160817Ssimon * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77160817Ssimon * 78160817Ssimon * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79160817Ssimon * endorse or promote products derived from this software without 80160817Ssimon * prior written permission. For written permission, please contact 81160817Ssimon * openssl-core@openssl.org. 82160817Ssimon * 83160817Ssimon * 5. Products derived from this software may not be called "OpenSSL" 84160817Ssimon * nor may "OpenSSL" appear in their names without prior written 85160817Ssimon * permission of the OpenSSL Project. 86160817Ssimon * 87160817Ssimon * 6. Redistributions of any form whatsoever must retain the following 88160817Ssimon * acknowledgment: 89160817Ssimon * "This product includes software developed by the OpenSSL Project 90160817Ssimon * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91160817Ssimon * 92160817Ssimon * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93160817Ssimon * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94160817Ssimon * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95160817Ssimon * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96160817Ssimon * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97160817Ssimon * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98160817Ssimon * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99160817Ssimon * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100160817Ssimon * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101160817Ssimon * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102160817Ssimon * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103160817Ssimon * OF THE POSSIBILITY OF SUCH DAMAGE. 104160817Ssimon * ==================================================================== 105160817Ssimon * 106160817Ssimon * This product includes cryptographic software written by Eric Young 107160817Ssimon * (eay@cryptsoft.com). This product includes software written by Tim 108160817Ssimon * Hudson (tjh@cryptsoft.com). 109160817Ssimon * 110160817Ssimon */ 11155099Skris 11255099Skris#include <stdio.h> 11355099Skris#include "cryptlib.h" 11455099Skris#include <openssl/bn.h> 11555099Skris#include <openssl/rsa.h> 11655099Skris#include <openssl/rand.h> 11755099Skris 118238405Sjkim#ifndef RSA_NULL 11968654Skris 120110007Smarkmstatic int RSA_eay_public_encrypt(int flen, const unsigned char *from, 12155099Skris unsigned char *to, RSA *rsa,int padding); 122110007Smarkmstatic int RSA_eay_private_encrypt(int flen, const unsigned char *from, 12355099Skris unsigned char *to, RSA *rsa,int padding); 124110007Smarkmstatic int RSA_eay_public_decrypt(int flen, const unsigned char *from, 12555099Skris unsigned char *to, RSA *rsa,int padding); 126110007Smarkmstatic int RSA_eay_private_decrypt(int flen, const unsigned char *from, 12755099Skris unsigned char *to, RSA *rsa,int padding); 128160817Ssimonstatic int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa, BN_CTX *ctx); 12955099Skrisstatic int RSA_eay_init(RSA *rsa); 13055099Skrisstatic int RSA_eay_finish(RSA *rsa); 13155099Skrisstatic RSA_METHOD rsa_pkcs1_eay_meth={ 13255099Skris "Eric Young's PKCS#1 RSA", 13355099Skris RSA_eay_public_encrypt, 13489840Skris RSA_eay_public_decrypt, /* signature verification */ 13589840Skris RSA_eay_private_encrypt, /* signing */ 13655099Skris RSA_eay_private_decrypt, 13755099Skris RSA_eay_mod_exp, 138110007Smarkm BN_mod_exp_mont, /* XXX probably we should not use Montgomery if e == 3 */ 13955099Skris RSA_eay_init, 14055099Skris RSA_eay_finish, 141110007Smarkm 0, /* flags */ 14255099Skris NULL, 143110007Smarkm 0, /* rsa_sign */ 144160817Ssimon 0, /* rsa_verify */ 145160817Ssimon NULL /* rsa_keygen */ 14655099Skris }; 14755099Skris 148110007Smarkmconst RSA_METHOD *RSA_PKCS1_SSLeay(void) 14955099Skris { 15055099Skris return(&rsa_pkcs1_eay_meth); 15155099Skris } 15255099Skris 153110007Smarkmstatic int RSA_eay_public_encrypt(int flen, const unsigned char *from, 15455099Skris unsigned char *to, RSA *rsa, int padding) 15555099Skris { 156160817Ssimon BIGNUM *f,*ret; 15755099Skris int i,j,k,num=0,r= -1; 15855099Skris unsigned char *buf=NULL; 15955099Skris BN_CTX *ctx=NULL; 16055099Skris 161162914Ssimon if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) 162162914Ssimon { 163162914Ssimon RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE); 164162914Ssimon return -1; 165162914Ssimon } 166162914Ssimon 167162914Ssimon if (BN_ucmp(rsa->n, rsa->e) <= 0) 168162914Ssimon { 169162914Ssimon RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE); 170162914Ssimon return -1; 171162914Ssimon } 172162914Ssimon 173162914Ssimon /* for large moduli, enforce exponent limit */ 174162914Ssimon if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) 175162914Ssimon { 176162914Ssimon if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) 177162914Ssimon { 178162914Ssimon RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE); 179162914Ssimon return -1; 180162914Ssimon } 181162914Ssimon } 182162914Ssimon 18355099Skris if ((ctx=BN_CTX_new()) == NULL) goto err; 184160817Ssimon BN_CTX_start(ctx); 185160817Ssimon f = BN_CTX_get(ctx); 186160817Ssimon ret = BN_CTX_get(ctx); 18755099Skris num=BN_num_bytes(rsa->n); 188160817Ssimon buf = OPENSSL_malloc(num); 189160817Ssimon if (!f || !ret || !buf) 19055099Skris { 19155099Skris RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,ERR_R_MALLOC_FAILURE); 19255099Skris goto err; 19355099Skris } 19455099Skris 19555099Skris switch (padding) 19655099Skris { 19755099Skris case RSA_PKCS1_PADDING: 19855099Skris i=RSA_padding_add_PKCS1_type_2(buf,num,from,flen); 19955099Skris break; 200110007Smarkm#ifndef OPENSSL_NO_SHA 20155099Skris case RSA_PKCS1_OAEP_PADDING: 20255099Skris i=RSA_padding_add_PKCS1_OAEP(buf,num,from,flen,NULL,0); 20355099Skris break; 20455099Skris#endif 20555099Skris case RSA_SSLV23_PADDING: 20655099Skris i=RSA_padding_add_SSLv23(buf,num,from,flen); 20755099Skris break; 20855099Skris case RSA_NO_PADDING: 20955099Skris i=RSA_padding_add_none(buf,num,from,flen); 21055099Skris break; 21155099Skris default: 21255099Skris RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE); 21355099Skris goto err; 21455099Skris } 21555099Skris if (i <= 0) goto err; 21655099Skris 217160817Ssimon if (BN_bin2bn(buf,num,f) == NULL) goto err; 21855099Skris 219160817Ssimon if (BN_ucmp(f, rsa->n) >= 0) 220194206Ssimon { 22189840Skris /* usually the padding functions would catch this */ 22289840Skris RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 22389840Skris goto err; 22489840Skris } 22589840Skris 226194206Ssimon if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 227194206Ssimon if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) 228194206Ssimon goto err; 229160817Ssimon 230160817Ssimon if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx, 23155099Skris rsa->_method_mod_n)) goto err; 23255099Skris 23355099Skris /* put in leading 0 bytes if the number is less than the 23455099Skris * length of the modulus */ 235160817Ssimon j=BN_num_bytes(ret); 236160817Ssimon i=BN_bn2bin(ret,&(to[num-j])); 23755099Skris for (k=0; k<(num-i); k++) 23855099Skris to[k]=0; 23955099Skris 24055099Skris r=num; 24155099Skriserr: 242160817Ssimon if (ctx != NULL) 243160817Ssimon { 244160817Ssimon BN_CTX_end(ctx); 245160817Ssimon BN_CTX_free(ctx); 246160817Ssimon } 24755099Skris if (buf != NULL) 24855099Skris { 249110007Smarkm OPENSSL_cleanse(buf,num); 25068654Skris OPENSSL_free(buf); 25155099Skris } 25255099Skris return(r); 25355099Skris } 25455099Skris 255162914Ssimonstatic BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx) 256160817Ssimon{ 257160817Ssimon BN_BLINDING *ret; 258162914Ssimon int got_write_lock = 0; 259238405Sjkim CRYPTO_THREADID cur; 260112446Sjedgar 261162914Ssimon CRYPTO_r_lock(CRYPTO_LOCK_RSA); 262162914Ssimon 263160817Ssimon if (rsa->blinding == NULL) 264160817Ssimon { 265162914Ssimon CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 266162914Ssimon CRYPTO_w_lock(CRYPTO_LOCK_RSA); 267162914Ssimon got_write_lock = 1; 268162914Ssimon 269160817Ssimon if (rsa->blinding == NULL) 270162914Ssimon rsa->blinding = RSA_setup_blinding(rsa, ctx); 271160817Ssimon } 272112446Sjedgar 273160817Ssimon ret = rsa->blinding; 274160817Ssimon if (ret == NULL) 275162914Ssimon goto err; 276120635Snectar 277238405Sjkim CRYPTO_THREADID_current(&cur); 278238405Sjkim if (!CRYPTO_THREADID_cmp(&cur, BN_BLINDING_thread_id(ret))) 279160817Ssimon { 280162914Ssimon /* rsa->blinding is ours! */ 281162914Ssimon 282162914Ssimon *local = 1; 283162914Ssimon } 284162914Ssimon else 285162914Ssimon { 286162914Ssimon /* resort to rsa->mt_blinding instead */ 287162914Ssimon 288162914Ssimon *local = 0; /* instructs rsa_blinding_convert(), rsa_blinding_invert() 289162914Ssimon * that the BN_BLINDING is shared, meaning that accesses 290162914Ssimon * require locks, and that the blinding factor must be 291162914Ssimon * stored outside the BN_BLINDING 292162914Ssimon */ 293162914Ssimon 294160817Ssimon if (rsa->mt_blinding == NULL) 295160817Ssimon { 296162914Ssimon if (!got_write_lock) 297162914Ssimon { 298162914Ssimon CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 299162914Ssimon CRYPTO_w_lock(CRYPTO_LOCK_RSA); 300162914Ssimon got_write_lock = 1; 301162914Ssimon } 302162914Ssimon 303160817Ssimon if (rsa->mt_blinding == NULL) 304160817Ssimon rsa->mt_blinding = RSA_setup_blinding(rsa, ctx); 305160817Ssimon } 306160817Ssimon ret = rsa->mt_blinding; 307160817Ssimon } 308162914Ssimon 309162914Ssimon err: 310162914Ssimon if (got_write_lock) 311162914Ssimon CRYPTO_w_unlock(CRYPTO_LOCK_RSA); 312160817Ssimon else 313162914Ssimon CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 314160817Ssimon return ret; 315160817Ssimon} 316120635Snectar 317237657Sjkimstatic int rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, 318237657Sjkim BN_CTX *ctx) 319237657Sjkim { 320237657Sjkim if (unblind == NULL) 321237657Sjkim /* Local blinding: store the unblinding factor 322237657Sjkim * in BN_BLINDING. */ 323160817Ssimon return BN_BLINDING_convert_ex(f, NULL, b, ctx); 324160817Ssimon else 325120635Snectar { 326237657Sjkim /* Shared blinding: store the unblinding factor 327237657Sjkim * outside BN_BLINDING. */ 328160817Ssimon int ret; 329160817Ssimon CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING); 330237657Sjkim ret = BN_BLINDING_convert_ex(f, unblind, b, ctx); 331160817Ssimon CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING); 332160817Ssimon return ret; 333120635Snectar } 334237657Sjkim } 335120635Snectar 336237657Sjkimstatic int rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, 337237657Sjkim BN_CTX *ctx) 338237657Sjkim { 339237657Sjkim /* For local blinding, unblind is set to NULL, and BN_BLINDING_invert_ex 340237657Sjkim * will use the unblinding factor stored in BN_BLINDING. 341237657Sjkim * If BN_BLINDING is shared between threads, unblind must be non-null: 342237657Sjkim * BN_BLINDING_invert_ex will then use the local unblinding factor, 343237657Sjkim * and will only read the modulus from BN_BLINDING. 344237657Sjkim * In both cases it's safe to access the blinding without a lock. 345237657Sjkim */ 346237657Sjkim return BN_BLINDING_invert_ex(f, unblind, b, ctx); 347237657Sjkim } 348237657Sjkim 34989840Skris/* signing */ 350110007Smarkmstatic int RSA_eay_private_encrypt(int flen, const unsigned char *from, 35155099Skris unsigned char *to, RSA *rsa, int padding) 35255099Skris { 353237657Sjkim BIGNUM *f, *ret, *res; 35455099Skris int i,j,k,num=0,r= -1; 35555099Skris unsigned char *buf=NULL; 35655099Skris BN_CTX *ctx=NULL; 357120635Snectar int local_blinding = 0; 358237657Sjkim /* Used only if the blinding structure is shared. A non-NULL unblind 359237657Sjkim * instructs rsa_blinding_convert() and rsa_blinding_invert() to store 360237657Sjkim * the unblinding factor outside the blinding structure. */ 361237657Sjkim BIGNUM *unblind = NULL; 362120635Snectar BN_BLINDING *blinding = NULL; 36355099Skris 36455099Skris if ((ctx=BN_CTX_new()) == NULL) goto err; 365160817Ssimon BN_CTX_start(ctx); 366160817Ssimon f = BN_CTX_get(ctx); 367160817Ssimon ret = BN_CTX_get(ctx); 368160817Ssimon num = BN_num_bytes(rsa->n); 369160817Ssimon buf = OPENSSL_malloc(num); 370160817Ssimon if(!f || !ret || !buf) 37155099Skris { 37255099Skris RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE); 37355099Skris goto err; 37455099Skris } 37555099Skris 37655099Skris switch (padding) 37755099Skris { 37855099Skris case RSA_PKCS1_PADDING: 37955099Skris i=RSA_padding_add_PKCS1_type_1(buf,num,from,flen); 38055099Skris break; 381160817Ssimon case RSA_X931_PADDING: 382160817Ssimon i=RSA_padding_add_X931(buf,num,from,flen); 383160817Ssimon break; 38455099Skris case RSA_NO_PADDING: 38555099Skris i=RSA_padding_add_none(buf,num,from,flen); 38655099Skris break; 38755099Skris case RSA_SSLV23_PADDING: 38855099Skris default: 38955099Skris RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE); 39055099Skris goto err; 39155099Skris } 39255099Skris if (i <= 0) goto err; 39355099Skris 394160817Ssimon if (BN_bin2bn(buf,num,f) == NULL) goto err; 39589840Skris 396160817Ssimon if (BN_ucmp(f, rsa->n) >= 0) 39789840Skris { 39889840Skris /* usually the padding functions would catch this */ 39989840Skris RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 40089840Skris goto err; 40189840Skris } 40255099Skris 403120635Snectar if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) 404120635Snectar { 405162914Ssimon blinding = rsa_get_blinding(rsa, &local_blinding, ctx); 406120635Snectar if (blinding == NULL) 407120635Snectar { 408120635Snectar RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR); 409120635Snectar goto err; 410120635Snectar } 411120635Snectar } 412120635Snectar 413120635Snectar if (blinding != NULL) 414237657Sjkim { 415237657Sjkim if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) 416237657Sjkim { 417237657Sjkim RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE); 418160817Ssimon goto err; 419237657Sjkim } 420237657Sjkim if (!rsa_blinding_convert(blinding, f, unblind, ctx)) 421237657Sjkim goto err; 422237657Sjkim } 423112446Sjedgar 42455099Skris if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || 42555099Skris ((rsa->p != NULL) && 42655099Skris (rsa->q != NULL) && 42755099Skris (rsa->dmp1 != NULL) && 42855099Skris (rsa->dmq1 != NULL) && 42955099Skris (rsa->iqmp != NULL)) ) 430160817Ssimon { 431160817Ssimon if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) goto err; 432160817Ssimon } 43355099Skris else 43455099Skris { 435160817Ssimon BIGNUM local_d; 436160817Ssimon BIGNUM *d = NULL; 437160817Ssimon 438194206Ssimon if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 439160817Ssimon { 440160817Ssimon BN_init(&local_d); 441160817Ssimon d = &local_d; 442194206Ssimon BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); 443160817Ssimon } 444160817Ssimon else 445194206Ssimon d= rsa->d; 446160817Ssimon 447194206Ssimon if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 448194206Ssimon if(!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) 449194206Ssimon goto err; 450160817Ssimon 451160817Ssimon if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx, 452160817Ssimon rsa->_method_mod_n)) goto err; 45355099Skris } 45455099Skris 455120635Snectar if (blinding) 456237657Sjkim if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) 457160817Ssimon goto err; 45855099Skris 459160817Ssimon if (padding == RSA_X931_PADDING) 460160817Ssimon { 461160817Ssimon BN_sub(f, rsa->n, ret); 462160817Ssimon if (BN_cmp(ret, f)) 463160817Ssimon res = f; 464160817Ssimon else 465160817Ssimon res = ret; 466160817Ssimon } 467160817Ssimon else 468160817Ssimon res = ret; 469160817Ssimon 47055099Skris /* put in leading 0 bytes if the number is less than the 47155099Skris * length of the modulus */ 472160817Ssimon j=BN_num_bytes(res); 473160817Ssimon i=BN_bn2bin(res,&(to[num-j])); 47455099Skris for (k=0; k<(num-i); k++) 47555099Skris to[k]=0; 47655099Skris 47755099Skris r=num; 47855099Skriserr: 479160817Ssimon if (ctx != NULL) 480160817Ssimon { 481160817Ssimon BN_CTX_end(ctx); 482160817Ssimon BN_CTX_free(ctx); 483160817Ssimon } 48455099Skris if (buf != NULL) 48555099Skris { 486110007Smarkm OPENSSL_cleanse(buf,num); 48768654Skris OPENSSL_free(buf); 48855099Skris } 48955099Skris return(r); 49055099Skris } 49155099Skris 492110007Smarkmstatic int RSA_eay_private_decrypt(int flen, const unsigned char *from, 49355099Skris unsigned char *to, RSA *rsa, int padding) 49455099Skris { 495237657Sjkim BIGNUM *f, *ret; 49655099Skris int j,num=0,r= -1; 49755099Skris unsigned char *p; 49855099Skris unsigned char *buf=NULL; 49955099Skris BN_CTX *ctx=NULL; 500120635Snectar int local_blinding = 0; 501237657Sjkim /* Used only if the blinding structure is shared. A non-NULL unblind 502237657Sjkim * instructs rsa_blinding_convert() and rsa_blinding_invert() to store 503237657Sjkim * the unblinding factor outside the blinding structure. */ 504237657Sjkim BIGNUM *unblind = NULL; 505120635Snectar BN_BLINDING *blinding = NULL; 50655099Skris 507160817Ssimon if((ctx = BN_CTX_new()) == NULL) goto err; 508160817Ssimon BN_CTX_start(ctx); 509160817Ssimon f = BN_CTX_get(ctx); 510160817Ssimon ret = BN_CTX_get(ctx); 511160817Ssimon num = BN_num_bytes(rsa->n); 512160817Ssimon buf = OPENSSL_malloc(num); 513160817Ssimon if(!f || !ret || !buf) 51455099Skris { 51555099Skris RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE); 51655099Skris goto err; 51755099Skris } 51855099Skris 51968654Skris /* This check was for equality but PGP does evil things 52055099Skris * and chops off the top '0' bytes */ 52155099Skris if (flen > num) 52255099Skris { 52355099Skris RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN); 52455099Skris goto err; 52555099Skris } 52655099Skris 52755099Skris /* make data into a big number */ 528160817Ssimon if (BN_bin2bn(from,(int)flen,f) == NULL) goto err; 52955099Skris 530160817Ssimon if (BN_ucmp(f, rsa->n) >= 0) 53189840Skris { 53289840Skris RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 53389840Skris goto err; 53489840Skris } 53589840Skris 536120635Snectar if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) 537120635Snectar { 538162914Ssimon blinding = rsa_get_blinding(rsa, &local_blinding, ctx); 539120635Snectar if (blinding == NULL) 540120635Snectar { 541120635Snectar RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR); 542120635Snectar goto err; 543120635Snectar } 544120635Snectar } 545120635Snectar 546120635Snectar if (blinding != NULL) 547237657Sjkim { 548237657Sjkim if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) 549237657Sjkim { 550237657Sjkim RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE); 551160817Ssimon goto err; 552237657Sjkim } 553237657Sjkim if (!rsa_blinding_convert(blinding, f, unblind, ctx)) 554237657Sjkim goto err; 555237657Sjkim } 556112446Sjedgar 55755099Skris /* do the decrypt */ 55855099Skris if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || 55955099Skris ((rsa->p != NULL) && 56055099Skris (rsa->q != NULL) && 56155099Skris (rsa->dmp1 != NULL) && 56255099Skris (rsa->dmq1 != NULL) && 56355099Skris (rsa->iqmp != NULL)) ) 564160817Ssimon { 565160817Ssimon if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) goto err; 566160817Ssimon } 56755099Skris else 56855099Skris { 569160817Ssimon BIGNUM local_d; 570160817Ssimon BIGNUM *d = NULL; 571160817Ssimon 572194206Ssimon if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 573160817Ssimon { 574160817Ssimon d = &local_d; 575194206Ssimon BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); 576160817Ssimon } 577160817Ssimon else 578160817Ssimon d = rsa->d; 579160817Ssimon 580194206Ssimon if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 581194206Ssimon if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) 582194206Ssimon goto err; 583160817Ssimon if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx, 584160817Ssimon rsa->_method_mod_n)) 585160817Ssimon goto err; 58655099Skris } 58755099Skris 588120635Snectar if (blinding) 589237657Sjkim if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) 590160817Ssimon goto err; 59155099Skris 59255099Skris p=buf; 593160817Ssimon j=BN_bn2bin(ret,p); /* j is only used with no-padding mode */ 59455099Skris 59555099Skris switch (padding) 59655099Skris { 59755099Skris case RSA_PKCS1_PADDING: 59855099Skris r=RSA_padding_check_PKCS1_type_2(to,num,buf,j,num); 59955099Skris break; 600110007Smarkm#ifndef OPENSSL_NO_SHA 60155099Skris case RSA_PKCS1_OAEP_PADDING: 60255099Skris r=RSA_padding_check_PKCS1_OAEP(to,num,buf,j,num,NULL,0); 60355099Skris break; 60455099Skris#endif 60555099Skris case RSA_SSLV23_PADDING: 60655099Skris r=RSA_padding_check_SSLv23(to,num,buf,j,num); 60755099Skris break; 60855099Skris case RSA_NO_PADDING: 60955099Skris r=RSA_padding_check_none(to,num,buf,j,num); 61055099Skris break; 61155099Skris default: 61255099Skris RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE); 61355099Skris goto err; 61455099Skris } 61555099Skris if (r < 0) 61655099Skris RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED); 61755099Skris 61855099Skriserr: 619160817Ssimon if (ctx != NULL) 620160817Ssimon { 621160817Ssimon BN_CTX_end(ctx); 622160817Ssimon BN_CTX_free(ctx); 623160817Ssimon } 62455099Skris if (buf != NULL) 62555099Skris { 626110007Smarkm OPENSSL_cleanse(buf,num); 62768654Skris OPENSSL_free(buf); 62855099Skris } 62955099Skris return(r); 63055099Skris } 63155099Skris 63289840Skris/* signature verification */ 633110007Smarkmstatic int RSA_eay_public_decrypt(int flen, const unsigned char *from, 63455099Skris unsigned char *to, RSA *rsa, int padding) 63555099Skris { 636160817Ssimon BIGNUM *f,*ret; 63755099Skris int i,num=0,r= -1; 63855099Skris unsigned char *p; 63955099Skris unsigned char *buf=NULL; 64055099Skris BN_CTX *ctx=NULL; 64155099Skris 642162914Ssimon if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) 643162914Ssimon { 644162914Ssimon RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE); 645162914Ssimon return -1; 646162914Ssimon } 647162914Ssimon 648162914Ssimon if (BN_ucmp(rsa->n, rsa->e) <= 0) 649162914Ssimon { 650162914Ssimon RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE); 651162914Ssimon return -1; 652162914Ssimon } 653162914Ssimon 654162914Ssimon /* for large moduli, enforce exponent limit */ 655162914Ssimon if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) 656162914Ssimon { 657162914Ssimon if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) 658162914Ssimon { 659162914Ssimon RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE); 660162914Ssimon return -1; 661162914Ssimon } 662162914Ssimon } 663162914Ssimon 664160817Ssimon if((ctx = BN_CTX_new()) == NULL) goto err; 665160817Ssimon BN_CTX_start(ctx); 666160817Ssimon f = BN_CTX_get(ctx); 667160817Ssimon ret = BN_CTX_get(ctx); 66855099Skris num=BN_num_bytes(rsa->n); 669160817Ssimon buf = OPENSSL_malloc(num); 670160817Ssimon if(!f || !ret || !buf) 67155099Skris { 67255099Skris RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE); 67355099Skris goto err; 67455099Skris } 67555099Skris 67668654Skris /* This check was for equality but PGP does evil things 67755099Skris * and chops off the top '0' bytes */ 67855099Skris if (flen > num) 67955099Skris { 68055099Skris RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN); 68155099Skris goto err; 68255099Skris } 68355099Skris 684160817Ssimon if (BN_bin2bn(from,flen,f) == NULL) goto err; 68589840Skris 686160817Ssimon if (BN_ucmp(f, rsa->n) >= 0) 68789840Skris { 68889840Skris RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 68989840Skris goto err; 69089840Skris } 69189840Skris 692194206Ssimon if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 693194206Ssimon if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) 694194206Ssimon goto err; 695160817Ssimon 696160817Ssimon if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx, 69755099Skris rsa->_method_mod_n)) goto err; 69855099Skris 699160817Ssimon if ((padding == RSA_X931_PADDING) && ((ret->d[0] & 0xf) != 12)) 700215697Ssimon if (!BN_sub(ret, rsa->n, ret)) goto err; 701160817Ssimon 70255099Skris p=buf; 703160817Ssimon i=BN_bn2bin(ret,p); 70455099Skris 70555099Skris switch (padding) 70655099Skris { 70755099Skris case RSA_PKCS1_PADDING: 70855099Skris r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num); 70955099Skris break; 710160817Ssimon case RSA_X931_PADDING: 711160817Ssimon r=RSA_padding_check_X931(to,num,buf,i,num); 712160817Ssimon break; 71355099Skris case RSA_NO_PADDING: 71455099Skris r=RSA_padding_check_none(to,num,buf,i,num); 71555099Skris break; 71655099Skris default: 71755099Skris RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE); 71855099Skris goto err; 71955099Skris } 72055099Skris if (r < 0) 72155099Skris RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED); 72255099Skris 72355099Skriserr: 724160817Ssimon if (ctx != NULL) 725160817Ssimon { 726160817Ssimon BN_CTX_end(ctx); 727160817Ssimon BN_CTX_free(ctx); 728160817Ssimon } 72955099Skris if (buf != NULL) 73055099Skris { 731110007Smarkm OPENSSL_cleanse(buf,num); 73268654Skris OPENSSL_free(buf); 73355099Skris } 73455099Skris return(r); 73555099Skris } 73655099Skris 737160817Ssimonstatic int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) 73855099Skris { 739160817Ssimon BIGNUM *r1,*m1,*vrfy; 740194206Ssimon BIGNUM local_dmp1,local_dmq1,local_c,local_r1; 741194206Ssimon BIGNUM *dmp1,*dmq1,*c,*pr1; 74255099Skris int ret=0; 74355099Skris 744160817Ssimon BN_CTX_start(ctx); 745160817Ssimon r1 = BN_CTX_get(ctx); 746160817Ssimon m1 = BN_CTX_get(ctx); 747160817Ssimon vrfy = BN_CTX_get(ctx); 74855099Skris 749194206Ssimon { 750194206Ssimon BIGNUM local_p, local_q; 751194206Ssimon BIGNUM *p = NULL, *q = NULL; 752160817Ssimon 753194206Ssimon /* Make sure BN_mod_inverse in Montgomery intialization uses the 754194206Ssimon * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set) 755194206Ssimon */ 756194206Ssimon if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 757194206Ssimon { 758194206Ssimon BN_init(&local_p); 759194206Ssimon p = &local_p; 760194206Ssimon BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME); 761194206Ssimon 762194206Ssimon BN_init(&local_q); 763194206Ssimon q = &local_q; 764194206Ssimon BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME); 765194206Ssimon } 766194206Ssimon else 767194206Ssimon { 768194206Ssimon p = rsa->p; 769194206Ssimon q = rsa->q; 770194206Ssimon } 771194206Ssimon 772194206Ssimon if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) 773194206Ssimon { 774194206Ssimon if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, CRYPTO_LOCK_RSA, p, ctx)) 775194206Ssimon goto err; 776194206Ssimon if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q, CRYPTO_LOCK_RSA, q, ctx)) 777194206Ssimon goto err; 778194206Ssimon } 779194206Ssimon } 780194206Ssimon 781194206Ssimon if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 782194206Ssimon if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) 783194206Ssimon goto err; 784194206Ssimon 785194206Ssimon /* compute I mod q */ 786194206Ssimon if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 78755099Skris { 788194206Ssimon c = &local_c; 789194206Ssimon BN_with_flags(c, I, BN_FLG_CONSTTIME); 790194206Ssimon if (!BN_mod(r1,c,rsa->q,ctx)) goto err; 791194206Ssimon } 792194206Ssimon else 793194206Ssimon { 794194206Ssimon if (!BN_mod(r1,I,rsa->q,ctx)) goto err; 795194206Ssimon } 796194206Ssimon 797194206Ssimon /* compute r1^dmq1 mod q */ 798194206Ssimon if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 799194206Ssimon { 800160817Ssimon dmq1 = &local_dmq1; 801194206Ssimon BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME); 80255099Skris } 803160817Ssimon else 804160817Ssimon dmq1 = rsa->dmq1; 805160817Ssimon if (!rsa->meth->bn_mod_exp(m1,r1,dmq1,rsa->q,ctx, 80655099Skris rsa->_method_mod_q)) goto err; 80755099Skris 808194206Ssimon /* compute I mod p */ 809194206Ssimon if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 810160817Ssimon { 811194206Ssimon c = &local_c; 812194206Ssimon BN_with_flags(c, I, BN_FLG_CONSTTIME); 813194206Ssimon if (!BN_mod(r1,c,rsa->p,ctx)) goto err; 814194206Ssimon } 815194206Ssimon else 816194206Ssimon { 817194206Ssimon if (!BN_mod(r1,I,rsa->p,ctx)) goto err; 818194206Ssimon } 819194206Ssimon 820194206Ssimon /* compute r1^dmp1 mod p */ 821194206Ssimon if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 822194206Ssimon { 823160817Ssimon dmp1 = &local_dmp1; 824194206Ssimon BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME); 825160817Ssimon } 826160817Ssimon else 827160817Ssimon dmp1 = rsa->dmp1; 828160817Ssimon if (!rsa->meth->bn_mod_exp(r0,r1,dmp1,rsa->p,ctx, 82955099Skris rsa->_method_mod_p)) goto err; 83055099Skris 831160817Ssimon if (!BN_sub(r0,r0,m1)) goto err; 83255099Skris /* This will help stop the size of r0 increasing, which does 83355099Skris * affect the multiply if it optimised for a power of 2 size */ 834160817Ssimon if (BN_is_negative(r0)) 83555099Skris if (!BN_add(r0,r0,rsa->p)) goto err; 83655099Skris 837160817Ssimon if (!BN_mul(r1,r0,rsa->iqmp,ctx)) goto err; 838194206Ssimon 839194206Ssimon /* Turn BN_FLG_CONSTTIME flag on before division operation */ 840194206Ssimon if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 841194206Ssimon { 842194206Ssimon pr1 = &local_r1; 843194206Ssimon BN_with_flags(pr1, r1, BN_FLG_CONSTTIME); 844194206Ssimon } 845194206Ssimon else 846194206Ssimon pr1 = r1; 847194206Ssimon if (!BN_mod(r0,pr1,rsa->p,ctx)) goto err; 848194206Ssimon 84955099Skris /* If p < q it is occasionally possible for the correction of 85055099Skris * adding 'p' if r0 is negative above to leave the result still 85155099Skris * negative. This can break the private key operations: the following 85255099Skris * second correction should *always* correct this rare occurrence. 85355099Skris * This will *never* happen with OpenSSL generated keys because 85455099Skris * they ensure p > q [steve] 85555099Skris */ 856160817Ssimon if (BN_is_negative(r0)) 85755099Skris if (!BN_add(r0,r0,rsa->p)) goto err; 858160817Ssimon if (!BN_mul(r1,r0,rsa->q,ctx)) goto err; 859160817Ssimon if (!BN_add(r0,r1,m1)) goto err; 86055099Skris 86176870Skris if (rsa->e && rsa->n) 86276870Skris { 863160817Ssimon if (!rsa->meth->bn_mod_exp(vrfy,r0,rsa->e,rsa->n,ctx,rsa->_method_mod_n)) goto err; 864110007Smarkm /* If 'I' was greater than (or equal to) rsa->n, the operation 865110007Smarkm * will be equivalent to using 'I mod n'. However, the result of 866110007Smarkm * the verify will *always* be less than 'n' so we don't check 867110007Smarkm * for absolute equality, just congruency. */ 868160817Ssimon if (!BN_sub(vrfy, vrfy, I)) goto err; 869160817Ssimon if (!BN_mod(vrfy, vrfy, rsa->n, ctx)) goto err; 870160817Ssimon if (BN_is_negative(vrfy)) 871160817Ssimon if (!BN_add(vrfy, vrfy, rsa->n)) goto err; 872160817Ssimon if (!BN_is_zero(vrfy)) 873160817Ssimon { 874110007Smarkm /* 'I' and 'vrfy' aren't congruent mod n. Don't leak 875110007Smarkm * miscalculated CRT output, just do a raw (slower) 876110007Smarkm * mod_exp and return that instead. */ 877160817Ssimon 878160817Ssimon BIGNUM local_d; 879160817Ssimon BIGNUM *d = NULL; 880160817Ssimon 881194206Ssimon if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 882160817Ssimon { 883160817Ssimon d = &local_d; 884194206Ssimon BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); 885160817Ssimon } 886160817Ssimon else 887160817Ssimon d = rsa->d; 888160817Ssimon if (!rsa->meth->bn_mod_exp(r0,I,d,rsa->n,ctx, 889160817Ssimon rsa->_method_mod_n)) goto err; 890160817Ssimon } 89176870Skris } 89255099Skris ret=1; 89355099Skriserr: 894160817Ssimon BN_CTX_end(ctx); 89555099Skris return(ret); 89655099Skris } 89755099Skris 89855099Skrisstatic int RSA_eay_init(RSA *rsa) 89955099Skris { 90055099Skris rsa->flags|=RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE; 90155099Skris return(1); 90255099Skris } 90355099Skris 90455099Skrisstatic int RSA_eay_finish(RSA *rsa) 90555099Skris { 90655099Skris if (rsa->_method_mod_n != NULL) 90755099Skris BN_MONT_CTX_free(rsa->_method_mod_n); 90855099Skris if (rsa->_method_mod_p != NULL) 90955099Skris BN_MONT_CTX_free(rsa->_method_mod_p); 91055099Skris if (rsa->_method_mod_q != NULL) 91155099Skris BN_MONT_CTX_free(rsa->_method_mod_q); 91255099Skris return(1); 91355099Skris } 91455099Skris 91568654Skris#endif 916