rsa_eay.c revision 280297
155099Skris/* crypto/rsa/rsa_eay.c */ 255099Skris/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 355099Skris * All rights reserved. 455099Skris * 555099Skris * This package is an SSL implementation written 655099Skris * by Eric Young (eay@cryptsoft.com). 755099Skris * The implementation was written so as to conform with Netscapes SSL. 8280297Sjkim * 955099Skris * This library is free for commercial and non-commercial use as long as 1055099Skris * the following conditions are aheared to. The following conditions 1155099Skris * apply to all code found in this distribution, be it the RC4, RSA, 1255099Skris * lhash, DES, etc., code; not just the SSL code. The SSL documentation 1355099Skris * included with this distribution is covered by the same copyright terms 1455099Skris * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15280297Sjkim * 1655099Skris * Copyright remains Eric Young's, and as such any Copyright notices in 1755099Skris * the code are not to be removed. 1855099Skris * If this package is used in a product, Eric Young should be given attribution 1955099Skris * as the author of the parts of the library used. 2055099Skris * This can be in the form of a textual message at program startup or 2155099Skris * in documentation (online or textual) provided with the package. 22280297Sjkim * 2355099Skris * Redistribution and use in source and binary forms, with or without 2455099Skris * modification, are permitted provided that the following conditions 2555099Skris * are met: 2655099Skris * 1. Redistributions of source code must retain the copyright 2755099Skris * notice, this list of conditions and the following disclaimer. 2855099Skris * 2. Redistributions in binary form must reproduce the above copyright 2955099Skris * notice, this list of conditions and the following disclaimer in the 3055099Skris * documentation and/or other materials provided with the distribution. 3155099Skris * 3. All advertising materials mentioning features or use of this software 3255099Skris * must display the following acknowledgement: 3355099Skris * "This product includes cryptographic software written by 3455099Skris * Eric Young (eay@cryptsoft.com)" 3555099Skris * The word 'cryptographic' can be left out if the rouines from the library 3655099Skris * being used are not cryptographic related :-). 37280297Sjkim * 4. If you include any Windows specific code (or a derivative thereof) from 3855099Skris * the apps directory (application code) you must include an acknowledgement: 3955099Skris * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40280297Sjkim * 4155099Skris * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 4255099Skris * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 4355099Skris * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 4455099Skris * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 4555099Skris * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 4655099Skris * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 4755099Skris * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 4855099Skris * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 4955099Skris * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 5055099Skris * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 5155099Skris * SUCH DAMAGE. 52280297Sjkim * 5355099Skris * The licence and distribution terms for any publically available version or 5455099Skris * derivative of this code cannot be changed. i.e. this code cannot simply be 5555099Skris * copied and put under another distribution licence 5655099Skris * [including the GNU Public Licence.] 5755099Skris */ 58160817Ssimon/* ==================================================================== 59162914Ssimon * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. 60160817Ssimon * 61160817Ssimon * Redistribution and use in source and binary forms, with or without 62160817Ssimon * modification, are permitted provided that the following conditions 63160817Ssimon * are met: 64160817Ssimon * 65160817Ssimon * 1. Redistributions of source code must retain the above copyright 66280297Sjkim * notice, this list of conditions and the following disclaimer. 67160817Ssimon * 68160817Ssimon * 2. Redistributions in binary form must reproduce the above copyright 69160817Ssimon * notice, this list of conditions and the following disclaimer in 70160817Ssimon * the documentation and/or other materials provided with the 71160817Ssimon * distribution. 72160817Ssimon * 73160817Ssimon * 3. All advertising materials mentioning features or use of this 74160817Ssimon * software must display the following acknowledgment: 75160817Ssimon * "This product includes software developed by the OpenSSL Project 76160817Ssimon * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77160817Ssimon * 78160817Ssimon * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79160817Ssimon * endorse or promote products derived from this software without 80160817Ssimon * prior written permission. For written permission, please contact 81160817Ssimon * openssl-core@openssl.org. 82160817Ssimon * 83160817Ssimon * 5. Products derived from this software may not be called "OpenSSL" 84160817Ssimon * nor may "OpenSSL" appear in their names without prior written 85160817Ssimon * permission of the OpenSSL Project. 86160817Ssimon * 87160817Ssimon * 6. Redistributions of any form whatsoever must retain the following 88160817Ssimon * acknowledgment: 89160817Ssimon * "This product includes software developed by the OpenSSL Project 90160817Ssimon * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91160817Ssimon * 92160817Ssimon * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93160817Ssimon * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94160817Ssimon * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95160817Ssimon * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96160817Ssimon * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97160817Ssimon * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98160817Ssimon * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99160817Ssimon * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100160817Ssimon * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101160817Ssimon * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102160817Ssimon * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103160817Ssimon * OF THE POSSIBILITY OF SUCH DAMAGE. 104160817Ssimon * ==================================================================== 105160817Ssimon * 106160817Ssimon * This product includes cryptographic software written by Eric Young 107160817Ssimon * (eay@cryptsoft.com). This product includes software written by Tim 108160817Ssimon * Hudson (tjh@cryptsoft.com). 109160817Ssimon * 110160817Ssimon */ 11155099Skris 11255099Skris#include <stdio.h> 11355099Skris#include "cryptlib.h" 11455099Skris#include <openssl/bn.h> 11555099Skris#include <openssl/rsa.h> 11655099Skris#include <openssl/rand.h> 11755099Skris 118238405Sjkim#ifndef RSA_NULL 11968654Skris 120110007Smarkmstatic int RSA_eay_public_encrypt(int flen, const unsigned char *from, 121280297Sjkim unsigned char *to, RSA *rsa, int padding); 122110007Smarkmstatic int RSA_eay_private_encrypt(int flen, const unsigned char *from, 123280297Sjkim unsigned char *to, RSA *rsa, int padding); 124110007Smarkmstatic int RSA_eay_public_decrypt(int flen, const unsigned char *from, 125280297Sjkim unsigned char *to, RSA *rsa, int padding); 126110007Smarkmstatic int RSA_eay_private_decrypt(int flen, const unsigned char *from, 127280297Sjkim unsigned char *to, RSA *rsa, int padding); 128280297Sjkimstatic int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa, 129280297Sjkim BN_CTX *ctx); 13055099Skrisstatic int RSA_eay_init(RSA *rsa); 13155099Skrisstatic int RSA_eay_finish(RSA *rsa); 132280297Sjkimstatic RSA_METHOD rsa_pkcs1_eay_meth = { 133280297Sjkim "Eric Young's PKCS#1 RSA", 134280297Sjkim RSA_eay_public_encrypt, 135280297Sjkim RSA_eay_public_decrypt, /* signature verification */ 136280297Sjkim RSA_eay_private_encrypt, /* signing */ 137280297Sjkim RSA_eay_private_decrypt, 138280297Sjkim RSA_eay_mod_exp, 139280297Sjkim BN_mod_exp_mont, /* XXX probably we should not use Montgomery 140280297Sjkim * if e == 3 */ 141280297Sjkim RSA_eay_init, 142280297Sjkim RSA_eay_finish, 143280297Sjkim 0, /* flags */ 144280297Sjkim NULL, 145280297Sjkim 0, /* rsa_sign */ 146280297Sjkim 0, /* rsa_verify */ 147280297Sjkim NULL /* rsa_keygen */ 148280297Sjkim}; 14955099Skris 150110007Smarkmconst RSA_METHOD *RSA_PKCS1_SSLeay(void) 151280297Sjkim{ 152280297Sjkim return (&rsa_pkcs1_eay_meth); 153280297Sjkim} 15455099Skris 155110007Smarkmstatic int RSA_eay_public_encrypt(int flen, const unsigned char *from, 156280297Sjkim unsigned char *to, RSA *rsa, int padding) 157280297Sjkim{ 158280297Sjkim BIGNUM *f, *ret; 159280297Sjkim int i, j, k, num = 0, r = -1; 160280297Sjkim unsigned char *buf = NULL; 161280297Sjkim BN_CTX *ctx = NULL; 16255099Skris 163280297Sjkim if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { 164280297Sjkim RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE); 165280297Sjkim return -1; 166280297Sjkim } 167162914Ssimon 168280297Sjkim if (BN_ucmp(rsa->n, rsa->e) <= 0) { 169280297Sjkim RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE); 170280297Sjkim return -1; 171280297Sjkim } 172162914Ssimon 173280297Sjkim /* for large moduli, enforce exponent limit */ 174280297Sjkim if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) { 175280297Sjkim if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) { 176280297Sjkim RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE); 177280297Sjkim return -1; 178280297Sjkim } 179280297Sjkim } 18055099Skris 181280297Sjkim if ((ctx = BN_CTX_new()) == NULL) 182280297Sjkim goto err; 183280297Sjkim BN_CTX_start(ctx); 184280297Sjkim f = BN_CTX_get(ctx); 185280297Sjkim ret = BN_CTX_get(ctx); 186280297Sjkim num = BN_num_bytes(rsa->n); 187280297Sjkim buf = OPENSSL_malloc(num); 188280297Sjkim if (!f || !ret || !buf) { 189280297Sjkim RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, ERR_R_MALLOC_FAILURE); 190280297Sjkim goto err; 191280297Sjkim } 19255099Skris 193280297Sjkim switch (padding) { 194280297Sjkim case RSA_PKCS1_PADDING: 195280297Sjkim i = RSA_padding_add_PKCS1_type_2(buf, num, from, flen); 196280297Sjkim break; 197280297Sjkim# ifndef OPENSSL_NO_SHA 198280297Sjkim case RSA_PKCS1_OAEP_PADDING: 199280297Sjkim i = RSA_padding_add_PKCS1_OAEP(buf, num, from, flen, NULL, 0); 200280297Sjkim break; 201280297Sjkim# endif 202280297Sjkim case RSA_SSLV23_PADDING: 203280297Sjkim i = RSA_padding_add_SSLv23(buf, num, from, flen); 204280297Sjkim break; 205280297Sjkim case RSA_NO_PADDING: 206280297Sjkim i = RSA_padding_add_none(buf, num, from, flen); 207280297Sjkim break; 208280297Sjkim default: 209280297Sjkim RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE); 210280297Sjkim goto err; 211280297Sjkim } 212280297Sjkim if (i <= 0) 213280297Sjkim goto err; 21489840Skris 215280297Sjkim if (BN_bin2bn(buf, num, f) == NULL) 216280297Sjkim goto err; 217160817Ssimon 218280297Sjkim if (BN_ucmp(f, rsa->n) >= 0) { 219280297Sjkim /* usually the padding functions would catch this */ 220280297Sjkim RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, 221280297Sjkim RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 222280297Sjkim goto err; 223280297Sjkim } 22455099Skris 225280297Sjkim if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 226280297Sjkim if (!BN_MONT_CTX_set_locked 227280297Sjkim (&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) 228280297Sjkim goto err; 22955099Skris 230280297Sjkim if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx, 231280297Sjkim rsa->_method_mod_n)) 232280297Sjkim goto err; 23355099Skris 234280297Sjkim /* 235280297Sjkim * put in leading 0 bytes if the number is less than the length of the 236280297Sjkim * modulus 237280297Sjkim */ 238280297Sjkim j = BN_num_bytes(ret); 239280297Sjkim i = BN_bn2bin(ret, &(to[num - j])); 240280297Sjkim for (k = 0; k < (num - i); k++) 241280297Sjkim to[k] = 0; 242280297Sjkim 243280297Sjkim r = num; 244280297Sjkim err: 245280297Sjkim if (ctx != NULL) { 246280297Sjkim BN_CTX_end(ctx); 247280297Sjkim BN_CTX_free(ctx); 248280297Sjkim } 249280297Sjkim if (buf != NULL) { 250280297Sjkim OPENSSL_cleanse(buf, num); 251280297Sjkim OPENSSL_free(buf); 252280297Sjkim } 253280297Sjkim return (r); 254280297Sjkim} 255280297Sjkim 256162914Ssimonstatic BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx) 257160817Ssimon{ 258280297Sjkim BN_BLINDING *ret; 259280297Sjkim int got_write_lock = 0; 260280297Sjkim CRYPTO_THREADID cur; 261112446Sjedgar 262280297Sjkim CRYPTO_r_lock(CRYPTO_LOCK_RSA); 263162914Ssimon 264280297Sjkim if (rsa->blinding == NULL) { 265280297Sjkim CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 266280297Sjkim CRYPTO_w_lock(CRYPTO_LOCK_RSA); 267280297Sjkim got_write_lock = 1; 268162914Ssimon 269280297Sjkim if (rsa->blinding == NULL) 270280297Sjkim rsa->blinding = RSA_setup_blinding(rsa, ctx); 271280297Sjkim } 272112446Sjedgar 273280297Sjkim ret = rsa->blinding; 274280297Sjkim if (ret == NULL) 275280297Sjkim goto err; 276120635Snectar 277280297Sjkim CRYPTO_THREADID_current(&cur); 278280297Sjkim if (!CRYPTO_THREADID_cmp(&cur, BN_BLINDING_thread_id(ret))) { 279280297Sjkim /* rsa->blinding is ours! */ 280162914Ssimon 281280297Sjkim *local = 1; 282280297Sjkim } else { 283280297Sjkim /* resort to rsa->mt_blinding instead */ 284162914Ssimon 285280297Sjkim /* 286280297Sjkim * instructs rsa_blinding_convert(), rsa_blinding_invert() that the 287280297Sjkim * BN_BLINDING is shared, meaning that accesses require locks, and 288280297Sjkim * that the blinding factor must be stored outside the BN_BLINDING 289280297Sjkim */ 290280297Sjkim *local = 0; 291162914Ssimon 292280297Sjkim if (rsa->mt_blinding == NULL) { 293280297Sjkim if (!got_write_lock) { 294280297Sjkim CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 295280297Sjkim CRYPTO_w_lock(CRYPTO_LOCK_RSA); 296280297Sjkim got_write_lock = 1; 297280297Sjkim } 298162914Ssimon 299280297Sjkim if (rsa->mt_blinding == NULL) 300280297Sjkim rsa->mt_blinding = RSA_setup_blinding(rsa, ctx); 301280297Sjkim } 302280297Sjkim ret = rsa->mt_blinding; 303280297Sjkim } 304280297Sjkim 305162914Ssimon err: 306280297Sjkim if (got_write_lock) 307280297Sjkim CRYPTO_w_unlock(CRYPTO_LOCK_RSA); 308280297Sjkim else 309280297Sjkim CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 310280297Sjkim return ret; 311160817Ssimon} 312120635Snectar 313237657Sjkimstatic int rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, 314280297Sjkim BN_CTX *ctx) 315280297Sjkim{ 316280297Sjkim if (unblind == NULL) 317280297Sjkim /* 318280297Sjkim * Local blinding: store the unblinding factor in BN_BLINDING. 319280297Sjkim */ 320280297Sjkim return BN_BLINDING_convert_ex(f, NULL, b, ctx); 321280297Sjkim else { 322280297Sjkim /* 323280297Sjkim * Shared blinding: store the unblinding factor outside BN_BLINDING. 324280297Sjkim */ 325280297Sjkim int ret; 326280297Sjkim CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING); 327280297Sjkim ret = BN_BLINDING_convert_ex(f, unblind, b, ctx); 328280297Sjkim CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING); 329280297Sjkim return ret; 330280297Sjkim } 331280297Sjkim} 332120635Snectar 333237657Sjkimstatic int rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, 334280297Sjkim BN_CTX *ctx) 335280297Sjkim{ 336280297Sjkim /* 337280297Sjkim * For local blinding, unblind is set to NULL, and BN_BLINDING_invert_ex 338280297Sjkim * will use the unblinding factor stored in BN_BLINDING. If BN_BLINDING 339280297Sjkim * is shared between threads, unblind must be non-null: 340280297Sjkim * BN_BLINDING_invert_ex will then use the local unblinding factor, and 341280297Sjkim * will only read the modulus from BN_BLINDING. In both cases it's safe 342280297Sjkim * to access the blinding without a lock. 343280297Sjkim */ 344280297Sjkim return BN_BLINDING_invert_ex(f, unblind, b, ctx); 345280297Sjkim} 346237657Sjkim 34789840Skris/* signing */ 348110007Smarkmstatic int RSA_eay_private_encrypt(int flen, const unsigned char *from, 349280297Sjkim unsigned char *to, RSA *rsa, int padding) 350280297Sjkim{ 351280297Sjkim BIGNUM *f, *ret, *res; 352280297Sjkim int i, j, k, num = 0, r = -1; 353280297Sjkim unsigned char *buf = NULL; 354280297Sjkim BN_CTX *ctx = NULL; 355280297Sjkim int local_blinding = 0; 356280297Sjkim /* 357280297Sjkim * Used only if the blinding structure is shared. A non-NULL unblind 358280297Sjkim * instructs rsa_blinding_convert() and rsa_blinding_invert() to store 359280297Sjkim * the unblinding factor outside the blinding structure. 360280297Sjkim */ 361280297Sjkim BIGNUM *unblind = NULL; 362280297Sjkim BN_BLINDING *blinding = NULL; 36355099Skris 364280297Sjkim if ((ctx = BN_CTX_new()) == NULL) 365280297Sjkim goto err; 366280297Sjkim BN_CTX_start(ctx); 367280297Sjkim f = BN_CTX_get(ctx); 368280297Sjkim ret = BN_CTX_get(ctx); 369280297Sjkim num = BN_num_bytes(rsa->n); 370280297Sjkim buf = OPENSSL_malloc(num); 371280297Sjkim if (!f || !ret || !buf) { 372280297Sjkim RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE); 373280297Sjkim goto err; 374280297Sjkim } 37555099Skris 376280297Sjkim switch (padding) { 377280297Sjkim case RSA_PKCS1_PADDING: 378280297Sjkim i = RSA_padding_add_PKCS1_type_1(buf, num, from, flen); 379280297Sjkim break; 380280297Sjkim case RSA_X931_PADDING: 381280297Sjkim i = RSA_padding_add_X931(buf, num, from, flen); 382280297Sjkim break; 383280297Sjkim case RSA_NO_PADDING: 384280297Sjkim i = RSA_padding_add_none(buf, num, from, flen); 385280297Sjkim break; 386280297Sjkim case RSA_SSLV23_PADDING: 387280297Sjkim default: 388280297Sjkim RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE); 389280297Sjkim goto err; 390280297Sjkim } 391280297Sjkim if (i <= 0) 392280297Sjkim goto err; 39355099Skris 394280297Sjkim if (BN_bin2bn(buf, num, f) == NULL) 395280297Sjkim goto err; 39655099Skris 397280297Sjkim if (BN_ucmp(f, rsa->n) >= 0) { 398280297Sjkim /* usually the padding functions would catch this */ 399280297Sjkim RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, 400280297Sjkim RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 401280297Sjkim goto err; 402280297Sjkim } 403112446Sjedgar 404280297Sjkim if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) { 405280297Sjkim blinding = rsa_get_blinding(rsa, &local_blinding, ctx); 406280297Sjkim if (blinding == NULL) { 407280297Sjkim RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR); 408280297Sjkim goto err; 409280297Sjkim } 410280297Sjkim } 411160817Ssimon 412280297Sjkim if (blinding != NULL) { 413280297Sjkim if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) { 414280297Sjkim RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE); 415280297Sjkim goto err; 416280297Sjkim } 417280297Sjkim if (!rsa_blinding_convert(blinding, f, unblind, ctx)) 418280297Sjkim goto err; 419280297Sjkim } 420160817Ssimon 421280297Sjkim if ((rsa->flags & RSA_FLAG_EXT_PKEY) || 422280297Sjkim ((rsa->p != NULL) && 423280297Sjkim (rsa->q != NULL) && 424280297Sjkim (rsa->dmp1 != NULL) && (rsa->dmq1 != NULL) && (rsa->iqmp != NULL))) { 425280297Sjkim if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) 426280297Sjkim goto err; 427280297Sjkim } else { 428280297Sjkim BIGNUM local_d; 429280297Sjkim BIGNUM *d = NULL; 43055099Skris 431280297Sjkim if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 432280297Sjkim BN_init(&local_d); 433280297Sjkim d = &local_d; 434280297Sjkim BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); 435280297Sjkim } else 436280297Sjkim d = rsa->d; 43755099Skris 438280297Sjkim if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 439280297Sjkim if (!BN_MONT_CTX_set_locked 440280297Sjkim (&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) 441280297Sjkim goto err; 442160817Ssimon 443280297Sjkim if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx, 444280297Sjkim rsa->_method_mod_n)) 445280297Sjkim goto err; 446280297Sjkim } 44755099Skris 448280297Sjkim if (blinding) 449280297Sjkim if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) 450280297Sjkim goto err; 45155099Skris 452280297Sjkim if (padding == RSA_X931_PADDING) { 453280297Sjkim BN_sub(f, rsa->n, ret); 454280297Sjkim if (BN_cmp(ret, f) > 0) 455280297Sjkim res = f; 456280297Sjkim else 457280297Sjkim res = ret; 458280297Sjkim } else 459280297Sjkim res = ret; 460280297Sjkim 461280297Sjkim /* 462280297Sjkim * put in leading 0 bytes if the number is less than the length of the 463280297Sjkim * modulus 464280297Sjkim */ 465280297Sjkim j = BN_num_bytes(res); 466280297Sjkim i = BN_bn2bin(res, &(to[num - j])); 467280297Sjkim for (k = 0; k < (num - i); k++) 468280297Sjkim to[k] = 0; 469280297Sjkim 470280297Sjkim r = num; 471280297Sjkim err: 472280297Sjkim if (ctx != NULL) { 473280297Sjkim BN_CTX_end(ctx); 474280297Sjkim BN_CTX_free(ctx); 475280297Sjkim } 476280297Sjkim if (buf != NULL) { 477280297Sjkim OPENSSL_cleanse(buf, num); 478280297Sjkim OPENSSL_free(buf); 479280297Sjkim } 480280297Sjkim return (r); 481280297Sjkim} 482280297Sjkim 483110007Smarkmstatic int RSA_eay_private_decrypt(int flen, const unsigned char *from, 484280297Sjkim unsigned char *to, RSA *rsa, int padding) 485280297Sjkim{ 486280297Sjkim BIGNUM *f, *ret; 487280297Sjkim int j, num = 0, r = -1; 488280297Sjkim unsigned char *p; 489280297Sjkim unsigned char *buf = NULL; 490280297Sjkim BN_CTX *ctx = NULL; 491280297Sjkim int local_blinding = 0; 492280297Sjkim /* 493280297Sjkim * Used only if the blinding structure is shared. A non-NULL unblind 494280297Sjkim * instructs rsa_blinding_convert() and rsa_blinding_invert() to store 495280297Sjkim * the unblinding factor outside the blinding structure. 496280297Sjkim */ 497280297Sjkim BIGNUM *unblind = NULL; 498280297Sjkim BN_BLINDING *blinding = NULL; 49955099Skris 500280297Sjkim if ((ctx = BN_CTX_new()) == NULL) 501280297Sjkim goto err; 502280297Sjkim BN_CTX_start(ctx); 503280297Sjkim f = BN_CTX_get(ctx); 504280297Sjkim ret = BN_CTX_get(ctx); 505280297Sjkim num = BN_num_bytes(rsa->n); 506280297Sjkim buf = OPENSSL_malloc(num); 507280297Sjkim if (!f || !ret || !buf) { 508280297Sjkim RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE); 509280297Sjkim goto err; 510280297Sjkim } 51155099Skris 512280297Sjkim /* 513280297Sjkim * This check was for equality but PGP does evil things and chops off the 514280297Sjkim * top '0' bytes 515280297Sjkim */ 516280297Sjkim if (flen > num) { 517280297Sjkim RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, 518280297Sjkim RSA_R_DATA_GREATER_THAN_MOD_LEN); 519280297Sjkim goto err; 520280297Sjkim } 52155099Skris 522280297Sjkim /* make data into a big number */ 523280297Sjkim if (BN_bin2bn(from, (int)flen, f) == NULL) 524280297Sjkim goto err; 52555099Skris 526280297Sjkim if (BN_ucmp(f, rsa->n) >= 0) { 527280297Sjkim RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, 528280297Sjkim RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 529280297Sjkim goto err; 530280297Sjkim } 53189840Skris 532280297Sjkim if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) { 533280297Sjkim blinding = rsa_get_blinding(rsa, &local_blinding, ctx); 534280297Sjkim if (blinding == NULL) { 535280297Sjkim RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR); 536280297Sjkim goto err; 537280297Sjkim } 538280297Sjkim } 539112446Sjedgar 540280297Sjkim if (blinding != NULL) { 541280297Sjkim if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) { 542280297Sjkim RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE); 543280297Sjkim goto err; 544280297Sjkim } 545280297Sjkim if (!rsa_blinding_convert(blinding, f, unblind, ctx)) 546280297Sjkim goto err; 547280297Sjkim } 548160817Ssimon 549280297Sjkim /* do the decrypt */ 550280297Sjkim if ((rsa->flags & RSA_FLAG_EXT_PKEY) || 551280297Sjkim ((rsa->p != NULL) && 552280297Sjkim (rsa->q != NULL) && 553280297Sjkim (rsa->dmp1 != NULL) && (rsa->dmq1 != NULL) && (rsa->iqmp != NULL))) { 554280297Sjkim if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) 555280297Sjkim goto err; 556280297Sjkim } else { 557280297Sjkim BIGNUM local_d; 558280297Sjkim BIGNUM *d = NULL; 55955099Skris 560280297Sjkim if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 561280297Sjkim d = &local_d; 562280297Sjkim BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); 563280297Sjkim } else 564280297Sjkim d = rsa->d; 56555099Skris 566280297Sjkim if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 567280297Sjkim if (!BN_MONT_CTX_set_locked 568280297Sjkim (&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) 569280297Sjkim goto err; 570280297Sjkim if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx, 571280297Sjkim rsa->_method_mod_n)) 572280297Sjkim goto err; 573280297Sjkim } 57455099Skris 575280297Sjkim if (blinding) 576280297Sjkim if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) 577280297Sjkim goto err; 57855099Skris 579280297Sjkim p = buf; 580280297Sjkim j = BN_bn2bin(ret, p); /* j is only used with no-padding mode */ 58155099Skris 582280297Sjkim switch (padding) { 583280297Sjkim case RSA_PKCS1_PADDING: 584280297Sjkim r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num); 585280297Sjkim break; 586280297Sjkim# ifndef OPENSSL_NO_SHA 587280297Sjkim case RSA_PKCS1_OAEP_PADDING: 588280297Sjkim r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0); 589280297Sjkim break; 590280297Sjkim# endif 591280297Sjkim case RSA_SSLV23_PADDING: 592280297Sjkim r = RSA_padding_check_SSLv23(to, num, buf, j, num); 593280297Sjkim break; 594280297Sjkim case RSA_NO_PADDING: 595280297Sjkim r = RSA_padding_check_none(to, num, buf, j, num); 596280297Sjkim break; 597280297Sjkim default: 598280297Sjkim RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE); 599280297Sjkim goto err; 600280297Sjkim } 601280297Sjkim if (r < 0) 602280297Sjkim RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_PADDING_CHECK_FAILED); 603280297Sjkim 604280297Sjkim err: 605280297Sjkim if (ctx != NULL) { 606280297Sjkim BN_CTX_end(ctx); 607280297Sjkim BN_CTX_free(ctx); 608280297Sjkim } 609280297Sjkim if (buf != NULL) { 610280297Sjkim OPENSSL_cleanse(buf, num); 611280297Sjkim OPENSSL_free(buf); 612280297Sjkim } 613280297Sjkim return (r); 614280297Sjkim} 615280297Sjkim 61689840Skris/* signature verification */ 617110007Smarkmstatic int RSA_eay_public_decrypt(int flen, const unsigned char *from, 618280297Sjkim unsigned char *to, RSA *rsa, int padding) 619280297Sjkim{ 620280297Sjkim BIGNUM *f, *ret; 621280297Sjkim int i, num = 0, r = -1; 622280297Sjkim unsigned char *p; 623280297Sjkim unsigned char *buf = NULL; 624280297Sjkim BN_CTX *ctx = NULL; 62555099Skris 626280297Sjkim if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { 627280297Sjkim RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE); 628280297Sjkim return -1; 629280297Sjkim } 630162914Ssimon 631280297Sjkim if (BN_ucmp(rsa->n, rsa->e) <= 0) { 632280297Sjkim RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE); 633280297Sjkim return -1; 634280297Sjkim } 635162914Ssimon 636280297Sjkim /* for large moduli, enforce exponent limit */ 637280297Sjkim if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) { 638280297Sjkim if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) { 639280297Sjkim RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE); 640280297Sjkim return -1; 641280297Sjkim } 642280297Sjkim } 64355099Skris 644280297Sjkim if ((ctx = BN_CTX_new()) == NULL) 645280297Sjkim goto err; 646280297Sjkim BN_CTX_start(ctx); 647280297Sjkim f = BN_CTX_get(ctx); 648280297Sjkim ret = BN_CTX_get(ctx); 649280297Sjkim num = BN_num_bytes(rsa->n); 650280297Sjkim buf = OPENSSL_malloc(num); 651280297Sjkim if (!f || !ret || !buf) { 652280297Sjkim RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, ERR_R_MALLOC_FAILURE); 653280297Sjkim goto err; 654280297Sjkim } 65555099Skris 656280297Sjkim /* 657280297Sjkim * This check was for equality but PGP does evil things and chops off the 658280297Sjkim * top '0' bytes 659280297Sjkim */ 660280297Sjkim if (flen > num) { 661280297Sjkim RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_DATA_GREATER_THAN_MOD_LEN); 662280297Sjkim goto err; 663280297Sjkim } 66489840Skris 665280297Sjkim if (BN_bin2bn(from, flen, f) == NULL) 666280297Sjkim goto err; 66789840Skris 668280297Sjkim if (BN_ucmp(f, rsa->n) >= 0) { 669280297Sjkim RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, 670280297Sjkim RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 671280297Sjkim goto err; 672280297Sjkim } 673160817Ssimon 674280297Sjkim if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 675280297Sjkim if (!BN_MONT_CTX_set_locked 676280297Sjkim (&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) 677280297Sjkim goto err; 67855099Skris 679280297Sjkim if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx, 680280297Sjkim rsa->_method_mod_n)) 681280297Sjkim goto err; 682160817Ssimon 683280297Sjkim if ((padding == RSA_X931_PADDING) && ((ret->d[0] & 0xf) != 12)) 684280297Sjkim if (!BN_sub(ret, rsa->n, ret)) 685280297Sjkim goto err; 68655099Skris 687280297Sjkim p = buf; 688280297Sjkim i = BN_bn2bin(ret, p); 68955099Skris 690280297Sjkim switch (padding) { 691280297Sjkim case RSA_PKCS1_PADDING: 692280297Sjkim r = RSA_padding_check_PKCS1_type_1(to, num, buf, i, num); 693280297Sjkim break; 694280297Sjkim case RSA_X931_PADDING: 695280297Sjkim r = RSA_padding_check_X931(to, num, buf, i, num); 696280297Sjkim break; 697280297Sjkim case RSA_NO_PADDING: 698280297Sjkim r = RSA_padding_check_none(to, num, buf, i, num); 699280297Sjkim break; 700280297Sjkim default: 701280297Sjkim RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE); 702280297Sjkim goto err; 703280297Sjkim } 704280297Sjkim if (r < 0) 705280297Sjkim RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_PADDING_CHECK_FAILED); 70655099Skris 707280297Sjkim err: 708280297Sjkim if (ctx != NULL) { 709280297Sjkim BN_CTX_end(ctx); 710280297Sjkim BN_CTX_free(ctx); 711280297Sjkim } 712280297Sjkim if (buf != NULL) { 713280297Sjkim OPENSSL_cleanse(buf, num); 714280297Sjkim OPENSSL_free(buf); 715280297Sjkim } 716280297Sjkim return (r); 717280297Sjkim} 718280297Sjkim 719160817Ssimonstatic int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) 720280297Sjkim{ 721280297Sjkim BIGNUM *r1, *m1, *vrfy; 722280297Sjkim BIGNUM local_dmp1, local_dmq1, local_c, local_r1; 723280297Sjkim BIGNUM *dmp1, *dmq1, *c, *pr1; 724280297Sjkim int ret = 0; 72555099Skris 726280297Sjkim BN_CTX_start(ctx); 727280297Sjkim r1 = BN_CTX_get(ctx); 728280297Sjkim m1 = BN_CTX_get(ctx); 729280297Sjkim vrfy = BN_CTX_get(ctx); 73055099Skris 731280297Sjkim { 732280297Sjkim BIGNUM local_p, local_q; 733280297Sjkim BIGNUM *p = NULL, *q = NULL; 734160817Ssimon 735280297Sjkim /* 736280297Sjkim * Make sure BN_mod_inverse in Montgomery intialization uses the 737280297Sjkim * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set) 738280297Sjkim */ 739280297Sjkim if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 740280297Sjkim BN_init(&local_p); 741280297Sjkim p = &local_p; 742280297Sjkim BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME); 743194206Ssimon 744280297Sjkim BN_init(&local_q); 745280297Sjkim q = &local_q; 746280297Sjkim BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME); 747280297Sjkim } else { 748280297Sjkim p = rsa->p; 749280297Sjkim q = rsa->q; 750280297Sjkim } 751194206Ssimon 752280297Sjkim if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) { 753280297Sjkim if (!BN_MONT_CTX_set_locked 754280297Sjkim (&rsa->_method_mod_p, CRYPTO_LOCK_RSA, p, ctx)) 755280297Sjkim goto err; 756280297Sjkim if (!BN_MONT_CTX_set_locked 757280297Sjkim (&rsa->_method_mod_q, CRYPTO_LOCK_RSA, q, ctx)) 758280297Sjkim goto err; 759280297Sjkim } 760280297Sjkim } 761194206Ssimon 762280297Sjkim if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 763280297Sjkim if (!BN_MONT_CTX_set_locked 764280297Sjkim (&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) 765280297Sjkim goto err; 766194206Ssimon 767280297Sjkim /* compute I mod q */ 768280297Sjkim if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 769280297Sjkim c = &local_c; 770280297Sjkim BN_with_flags(c, I, BN_FLG_CONSTTIME); 771280297Sjkim if (!BN_mod(r1, c, rsa->q, ctx)) 772280297Sjkim goto err; 773280297Sjkim } else { 774280297Sjkim if (!BN_mod(r1, I, rsa->q, ctx)) 775280297Sjkim goto err; 776280297Sjkim } 777194206Ssimon 778280297Sjkim /* compute r1^dmq1 mod q */ 779280297Sjkim if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 780280297Sjkim dmq1 = &local_dmq1; 781280297Sjkim BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME); 782280297Sjkim } else 783280297Sjkim dmq1 = rsa->dmq1; 784280297Sjkim if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx, rsa->_method_mod_q)) 785280297Sjkim goto err; 78655099Skris 787280297Sjkim /* compute I mod p */ 788280297Sjkim if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 789280297Sjkim c = &local_c; 790280297Sjkim BN_with_flags(c, I, BN_FLG_CONSTTIME); 791280297Sjkim if (!BN_mod(r1, c, rsa->p, ctx)) 792280297Sjkim goto err; 793280297Sjkim } else { 794280297Sjkim if (!BN_mod(r1, I, rsa->p, ctx)) 795280297Sjkim goto err; 796280297Sjkim } 797194206Ssimon 798280297Sjkim /* compute r1^dmp1 mod p */ 799280297Sjkim if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 800280297Sjkim dmp1 = &local_dmp1; 801280297Sjkim BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME); 802280297Sjkim } else 803280297Sjkim dmp1 = rsa->dmp1; 804280297Sjkim if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p, ctx, rsa->_method_mod_p)) 805280297Sjkim goto err; 80655099Skris 807280297Sjkim if (!BN_sub(r0, r0, m1)) 808280297Sjkim goto err; 809280297Sjkim /* 810280297Sjkim * This will help stop the size of r0 increasing, which does affect the 811280297Sjkim * multiply if it optimised for a power of 2 size 812280297Sjkim */ 813280297Sjkim if (BN_is_negative(r0)) 814280297Sjkim if (!BN_add(r0, r0, rsa->p)) 815280297Sjkim goto err; 81655099Skris 817280297Sjkim if (!BN_mul(r1, r0, rsa->iqmp, ctx)) 818280297Sjkim goto err; 819194206Ssimon 820280297Sjkim /* Turn BN_FLG_CONSTTIME flag on before division operation */ 821280297Sjkim if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 822280297Sjkim pr1 = &local_r1; 823280297Sjkim BN_with_flags(pr1, r1, BN_FLG_CONSTTIME); 824280297Sjkim } else 825280297Sjkim pr1 = r1; 826280297Sjkim if (!BN_mod(r0, pr1, rsa->p, ctx)) 827280297Sjkim goto err; 828194206Ssimon 829280297Sjkim /* 830280297Sjkim * If p < q it is occasionally possible for the correction of adding 'p' 831280297Sjkim * if r0 is negative above to leave the result still negative. This can 832280297Sjkim * break the private key operations: the following second correction 833280297Sjkim * should *always* correct this rare occurrence. This will *never* happen 834280297Sjkim * with OpenSSL generated keys because they ensure p > q [steve] 835280297Sjkim */ 836280297Sjkim if (BN_is_negative(r0)) 837280297Sjkim if (!BN_add(r0, r0, rsa->p)) 838280297Sjkim goto err; 839280297Sjkim if (!BN_mul(r1, r0, rsa->q, ctx)) 840280297Sjkim goto err; 841280297Sjkim if (!BN_add(r0, r1, m1)) 842280297Sjkim goto err; 84355099Skris 844280297Sjkim if (rsa->e && rsa->n) { 845280297Sjkim if (!rsa->meth->bn_mod_exp(vrfy, r0, rsa->e, rsa->n, ctx, 846280297Sjkim rsa->_method_mod_n)) 847280297Sjkim goto err; 848280297Sjkim /* 849280297Sjkim * If 'I' was greater than (or equal to) rsa->n, the operation will 850280297Sjkim * be equivalent to using 'I mod n'. However, the result of the 851280297Sjkim * verify will *always* be less than 'n' so we don't check for 852280297Sjkim * absolute equality, just congruency. 853280297Sjkim */ 854280297Sjkim if (!BN_sub(vrfy, vrfy, I)) 855280297Sjkim goto err; 856280297Sjkim if (!BN_mod(vrfy, vrfy, rsa->n, ctx)) 857280297Sjkim goto err; 858280297Sjkim if (BN_is_negative(vrfy)) 859280297Sjkim if (!BN_add(vrfy, vrfy, rsa->n)) 860280297Sjkim goto err; 861280297Sjkim if (!BN_is_zero(vrfy)) { 862280297Sjkim /* 863280297Sjkim * 'I' and 'vrfy' aren't congruent mod n. Don't leak 864280297Sjkim * miscalculated CRT output, just do a raw (slower) mod_exp and 865280297Sjkim * return that instead. 866280297Sjkim */ 867160817Ssimon 868280297Sjkim BIGNUM local_d; 869280297Sjkim BIGNUM *d = NULL; 87055099Skris 871280297Sjkim if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 872280297Sjkim d = &local_d; 873280297Sjkim BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); 874280297Sjkim } else 875280297Sjkim d = rsa->d; 876280297Sjkim if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx, 877280297Sjkim rsa->_method_mod_n)) 878280297Sjkim goto err; 879280297Sjkim } 880280297Sjkim } 881280297Sjkim ret = 1; 882280297Sjkim err: 883280297Sjkim BN_CTX_end(ctx); 884280297Sjkim return (ret); 885280297Sjkim} 886280297Sjkim 88755099Skrisstatic int RSA_eay_init(RSA *rsa) 888280297Sjkim{ 889280297Sjkim rsa->flags |= RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE; 890280297Sjkim return (1); 891280297Sjkim} 89255099Skris 89355099Skrisstatic int RSA_eay_finish(RSA *rsa) 894280297Sjkim{ 895280297Sjkim if (rsa->_method_mod_n != NULL) 896280297Sjkim BN_MONT_CTX_free(rsa->_method_mod_n); 897280297Sjkim if (rsa->_method_mod_p != NULL) 898280297Sjkim BN_MONT_CTX_free(rsa->_method_mod_p); 899280297Sjkim if (rsa->_method_mod_q != NULL) 900280297Sjkim BN_MONT_CTX_free(rsa->_method_mod_q); 901280297Sjkim return (1); 902280297Sjkim} 90355099Skris 90468654Skris#endif 905