[thirdparty/openssl.git] / crypto / rsa / rsa_eay.c

/* crypto/rsa/rsa_eay.c */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 * 
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
 * 
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
 * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *    "This product includes cryptographic software written by
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
 * 4. If you include any Windows specific code (or a derivative thereof) from 
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
 * 
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 * 
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */

#include <stdio.h>
#include "cryptlib.h"
#include <openssl/bn.h>
#include <openssl/rsa.h>
#include <openssl/rand.h>
#include <openssl/engine.h>

#ifndef RSA_NULL

static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
		unsigned char *to, RSA *rsa,int padding);
static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
		unsigned char *to, RSA *rsa,int padding);
static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
		unsigned char *to, RSA *rsa,int padding);
static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
		unsigned char *to, RSA *rsa,int padding);
static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa);
static int RSA_eay_init(RSA *rsa);
static int RSA_eay_finish(RSA *rsa);
static RSA_METHOD rsa_pkcs1_eay_meth={
	"Eric Young's PKCS#1 RSA",
	RSA_eay_public_encrypt,
	RSA_eay_public_decrypt,
	RSA_eay_private_encrypt,
	RSA_eay_private_decrypt,
	RSA_eay_mod_exp,
	BN_mod_exp_mont,
	RSA_eay_init,
	RSA_eay_finish,
	0,
	NULL,
	};

const RSA_METHOD *RSA_PKCS1_SSLeay(void)
	{
	return(&rsa_pkcs1_eay_meth);
	}

static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
	     unsigned char *to, RSA *rsa, int padding)
	{
	const RSA_METHOD *meth;
	BIGNUM f,ret;
	int i,j,k,num=0,r= -1;
	unsigned char *buf=NULL;
	BN_CTX *ctx=NULL;

	meth = ENGINE_get_RSA(rsa->engine);
	BN_init(&f);
	BN_init(&ret);
	if ((ctx=BN_CTX_new()) == NULL) goto err;
	num=BN_num_bytes(rsa->n);
	if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL)
		{
		RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,ERR_R_MALLOC_FAILURE);
		goto err;
		}

	switch (padding)
		{
	case RSA_PKCS1_PADDING:
		i=RSA_padding_add_PKCS1_type_2(buf,num,from,flen);
		break;
#ifndef NO_SHA
	case RSA_PKCS1_OAEP_PADDING:
	        i=RSA_padding_add_PKCS1_OAEP(buf,num,from,flen,NULL,0);
		break;
#endif
	case RSA_SSLV23_PADDING:
		i=RSA_padding_add_SSLv23(buf,num,from,flen);
		break;
	case RSA_NO_PADDING:
		i=RSA_padding_add_none(buf,num,from,flen);
		break;
	default:
		RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
		goto err;
		}
	if (i <= 0) goto err;

	if (BN_bin2bn(buf,num,&f) == NULL) goto err;
	
	if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
		{
		CRYPTO_w_lock(CRYPTO_LOCK_RSA);
		if (rsa->_method_mod_n == NULL)
			{
			BN_MONT_CTX* bn_mont_ctx;
			if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)
				{
				CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
				goto err;
				}
			if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->n,ctx))
				{
				BN_MONT_CTX_free(bn_mont_ctx);
				CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
				goto err;
				}
			rsa->_method_mod_n = bn_mont_ctx;
			}
		CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
		}

	if (!meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
		rsa->_method_mod_n)) goto err;

	/* put in leading 0 bytes if the number is less than the
	 * length of the modulus */
	j=BN_num_bytes(&ret);
	i=BN_bn2bin(&ret,&(to[num-j]));
	for (k=0; k<(num-i); k++)
		to[k]=0;

	r=num;
err:
	if (ctx != NULL) BN_CTX_free(ctx);
	BN_clear_free(&f);
	BN_clear_free(&ret);
	if (buf != NULL) 
		{
		memset(buf,0,num);
		OPENSSL_free(buf);
		}
	return(r);
	}

static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
	     unsigned char *to, RSA *rsa, int padding)
	{
	const RSA_METHOD *meth;
	BIGNUM f,ret;
	int i,j,k,num=0,r= -1;
	unsigned char *buf=NULL;
	BN_CTX *ctx=NULL;

	meth = ENGINE_get_RSA(rsa->engine);
	BN_init(&f);
	BN_init(&ret);

	if ((ctx=BN_CTX_new()) == NULL) goto err;
	num=BN_num_bytes(rsa->n);
	if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL)
		{
		RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE);
		goto err;
		}

	switch (padding)
		{
	case RSA_PKCS1_PADDING:
		i=RSA_padding_add_PKCS1_type_1(buf,num,from,flen);
		break;
	case RSA_NO_PADDING:
		i=RSA_padding_add_none(buf,num,from,flen);
		break;
	case RSA_SSLV23_PADDING:
	default:
		RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
		goto err;
		}
	if (i <= 0) goto err;

	if (BN_bin2bn(buf,num,&f) == NULL) goto err;

	if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
		RSA_blinding_on(rsa,ctx);
	if (rsa->flags & RSA_FLAG_BLINDING)
		if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;

	if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
		((rsa->p != NULL) &&
		(rsa->q != NULL) &&
		(rsa->dmp1 != NULL) &&
		(rsa->dmq1 != NULL) &&
		(rsa->iqmp != NULL)) )
		{ if (!meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
	else
		{
		if (!meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err;
		}

	if (rsa->flags & RSA_FLAG_BLINDING)
		if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;

	/* put in leading 0 bytes if the number is less than the
	 * length of the modulus */
	j=BN_num_bytes(&ret);
	i=BN_bn2bin(&ret,&(to[num-j]));
	for (k=0; k<(num-i); k++)
		to[k]=0;

	r=num;
err:
	if (ctx != NULL) BN_CTX_free(ctx);
	BN_clear_free(&ret);
	BN_clear_free(&f);
	if (buf != NULL)
		{
		memset(buf,0,num);
		OPENSSL_free(buf);
		}
	return(r);
	}

static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
	     unsigned char *to, RSA *rsa, int padding)
	{
	const RSA_METHOD *meth;
	BIGNUM f,ret;
	int j,num=0,r= -1;
	unsigned char *p;
	unsigned char *buf=NULL;
	BN_CTX *ctx=NULL;

	meth = ENGINE_get_RSA(rsa->engine);
	BN_init(&f);
	BN_init(&ret);
	ctx=BN_CTX_new();
	if (ctx == NULL) goto err;

	num=BN_num_bytes(rsa->n);

	if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL)
		{
		RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE);
		goto err;
		}

	/* This check was for equality but PGP does evil things
	 * and chops off the top '0' bytes */
	if (flen > num)
		{
		RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
		goto err;
		}

	/* make data into a big number */
	if (BN_bin2bn(from,(int)flen,&f) == NULL) goto err;

	if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
		RSA_blinding_on(rsa,ctx);
	if (rsa->flags & RSA_FLAG_BLINDING)
		if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;

	/* do the decrypt */
	if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
		((rsa->p != NULL) &&
		(rsa->q != NULL) &&
		(rsa->dmp1 != NULL) &&
		(rsa->dmq1 != NULL) &&
		(rsa->iqmp != NULL)) )
		{ if (!meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
	else
		{
		if (!meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL))
			goto err;
		}

	if (rsa->flags & RSA_FLAG_BLINDING)
		if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;

	p=buf;
	j=BN_bn2bin(&ret,p); /* j is only used with no-padding mode */

	switch (padding)
		{
	case RSA_PKCS1_PADDING:
		r=RSA_padding_check_PKCS1_type_2(to,num,buf,j,num);
		break;
#ifndef NO_SHA
        case RSA_PKCS1_OAEP_PADDING:
	        r=RSA_padding_check_PKCS1_OAEP(to,num,buf,j,num,NULL,0);
                break;
#endif
 	case RSA_SSLV23_PADDING:
		r=RSA_padding_check_SSLv23(to,num,buf,j,num);
		break;
	case RSA_NO_PADDING:
		r=RSA_padding_check_none(to,num,buf,j,num);
		break;
	default:
		RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
		goto err;
		}
	if (r < 0)
		RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED);

err:
	if (ctx != NULL) BN_CTX_free(ctx);
	BN_clear_free(&f);
	BN_clear_free(&ret);
	if (buf != NULL)
		{
		memset(buf,0,num);
		OPENSSL_free(buf);
		}
	return(r);
	}

static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
	     unsigned char *to, RSA *rsa, int padding)
	{
	const RSA_METHOD *meth;
	BIGNUM f,ret;
	int i,num=0,r= -1;
	unsigned char *p;
	unsigned char *buf=NULL;
	BN_CTX *ctx=NULL;

	meth = ENGINE_get_RSA(rsa->engine);
	BN_init(&f);
	BN_init(&ret);
	ctx=BN_CTX_new();
	if (ctx == NULL) goto err;

	num=BN_num_bytes(rsa->n);
	buf=(unsigned char *)OPENSSL_malloc(num);
	if (buf == NULL)
		{
		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE);
		goto err;
		}

	/* This check was for equality but PGP does evil things
	 * and chops off the top '0' bytes */
	if (flen > num)
		{
		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
		goto err;
		}

	if (BN_bin2bn(from,flen,&f) == NULL) goto err;
	/* do the decrypt */
	if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
		{
		CRYPTO_w_lock(CRYPTO_LOCK_RSA);
		if (rsa->_method_mod_n == NULL)
			{
			BN_MONT_CTX* bn_mont_ctx;
			if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)
				{
				CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
				goto err;
				}
			if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->n,ctx))
				{
				BN_MONT_CTX_free(bn_mont_ctx);
				CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
				goto err;
				}
			rsa->_method_mod_n = bn_mont_ctx;
			}
		CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
		}

	if (!meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
		rsa->_method_mod_n)) goto err;

	p=buf;
	i=BN_bn2bin(&ret,p);

	switch (padding)
		{
	case RSA_PKCS1_PADDING:
		r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num);
		break;
	case RSA_NO_PADDING:
		r=RSA_padding_check_none(to,num,buf,i,num);
		break;
	default:
		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
		goto err;
		}
	if (r < 0)
		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED);

err:
	if (ctx != NULL) BN_CTX_free(ctx);
	BN_clear_free(&f);
	BN_clear_free(&ret);
	if (buf != NULL)
		{
		memset(buf,0,num);
		OPENSSL_free(buf);
		}
	return(r);
	}

static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
	{
	const RSA_METHOD *meth;
	BIGNUM r1,m1;
	int ret=0;
	BN_CTX *ctx;

	meth = ENGINE_get_RSA(rsa->engine);
	if ((ctx=BN_CTX_new()) == NULL) goto err;
	BN_init(&m1);
	BN_init(&r1);

	if (rsa->flags & RSA_FLAG_CACHE_PRIVATE)
		{
		if (rsa->_method_mod_p == NULL)
			{
			CRYPTO_w_lock(CRYPTO_LOCK_RSA);
			if (rsa->_method_mod_p == NULL)
				{
				BN_MONT_CTX* bn_mont_ctx;
				if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)
					{
					CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
					goto err;
					}
				if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->p,ctx))
					{
					BN_MONT_CTX_free(bn_mont_ctx);
					CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
					goto err;
					}
				rsa->_method_mod_p = bn_mont_ctx;
				}
				CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
			}
		if (rsa->_method_mod_q == NULL)
			{
			CRYPTO_w_lock(CRYPTO_LOCK_RSA);
			if (rsa->_method_mod_q == NULL)
				{
				BN_MONT_CTX* bn_mont_ctx;
				if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)
					{
					CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
					goto err;
					}
				if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->q,ctx))
					{
					BN_MONT_CTX_free(bn_mont_ctx);
					CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
					goto err;
					}
				rsa->_method_mod_q = bn_mont_ctx;
				}
			CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
			}
		}

	if (!BN_mod(&r1,I,rsa->q,ctx)) goto err;
	if (!meth->bn_mod_exp(&m1,&r1,rsa->dmq1,rsa->q,ctx,
		rsa->_method_mod_q)) goto err;

	if (!BN_mod(&r1,I,rsa->p,ctx)) goto err;
	if (!meth->bn_mod_exp(r0,&r1,rsa->dmp1,rsa->p,ctx,
		rsa->_method_mod_p)) goto err;

	if (!BN_sub(r0,r0,&m1)) goto err;
	/* This will help stop the size of r0 increasing, which does
	 * affect the multiply if it optimised for a power of 2 size */
	if (r0->neg)
		if (!BN_add(r0,r0,rsa->p)) goto err;

	if (!BN_mul(&r1,r0,rsa->iqmp,ctx)) goto err;
	if (!BN_mod(r0,&r1,rsa->p,ctx)) goto err;
	/* If p < q it is occasionally possible for the correction of
         * adding 'p' if r0 is negative above to leave the result still
	 * negative. This can break the private key operations: the following
	 * second correction should *always* correct this rare occurrence.
	 * This will *never* happen with OpenSSL generated keys because
         * they ensure p > q [steve]
         */
	if (r0->neg)
		if (!BN_add(r0,r0,rsa->p)) goto err;
	if (!BN_mul(&r1,r0,rsa->q,ctx)) goto err;
	if (!BN_add(r0,&r1,&m1)) goto err;

	ret=1;
err:
	BN_clear_free(&m1);
	BN_clear_free(&r1);
	BN_CTX_free(ctx);
	return(ret);
	}

static int RSA_eay_init(RSA *rsa)
	{
	rsa->flags|=RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE;
	return(1);
	}

static int RSA_eay_finish(RSA *rsa)
	{
	if (rsa->_method_mod_n != NULL)
		BN_MONT_CTX_free(rsa->_method_mod_n);
	if (rsa->_method_mod_p != NULL)
		BN_MONT_CTX_free(rsa->_method_mod_p);
	if (rsa->_method_mod_q != NULL)
		BN_MONT_CTX_free(rsa->_method_mod_q);
	return(1);
	}

#endif
Commit	Line	Data
58964a49 RE	1	/* crypto/rsa/rsa_eay.c */
	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
	3	* All rights reserved.
	4	*
	5	* This package is an SSL implementation written
	6	* by Eric Young (eay@cryptsoft.com).
	7	* The implementation was written so as to conform with Netscapes SSL.
	8	*
	9	* This library is free for commercial and non-commercial use as long as
	10	* the following conditions are aheared to. The following conditions
	11	* apply to all code found in this distribution, be it the RC4, RSA,
	12	* lhash, DES, etc., code; not just the SSL code. The SSL documentation
	13	* included with this distribution is covered by the same copyright terms
	14	* except that the holder is Tim Hudson (tjh@cryptsoft.com).
	15	*
	16	* Copyright remains Eric Young's, and as such any Copyright notices in
	17	* the code are not to be removed.
	18	* If this package is used in a product, Eric Young should be given attribution
	19	* as the author of the parts of the library used.
	20	* This can be in the form of a textual message at program startup or
	21	* in documentation (online or textual) provided with the package.
	22	*
	23	* Redistribution and use in source and binary forms, with or without
	24	* modification, are permitted provided that the following conditions
	25	* are met:
	26	* 1. Redistributions of source code must retain the copyright
	27	* notice, this list of conditions and the following disclaimer.
	28	* 2. Redistributions in binary form must reproduce the above copyright
	29	* notice, this list of conditions and the following disclaimer in the
	30	* documentation and/or other materials provided with the distribution.
	31	* 3. All advertising materials mentioning features or use of this software
	32	* must display the following acknowledgement:
	33	* "This product includes cryptographic software written by
	34	* Eric Young (eay@cryptsoft.com)"
	35	* The word 'cryptographic' can be left out if the rouines from the library
	36	* being used are not cryptographic related :-).
	37	* 4. If you include any Windows specific code (or a derivative thereof) from
	38	* the apps directory (application code) you must include an acknowledgement:
	39	* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
	40	*
	41	* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
	42	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	43	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	44	* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
	45	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	46	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
	47	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	48	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	49	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
	50	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
	51	* SUCH DAMAGE.
	52	*
	53	* The licence and distribution terms for any publically available version or
	54	* derivative of this code cannot be changed. i.e. this code cannot simply be
	55	* copied and put under another distribution licence
	56	* [including the GNU Public Licence.]
	57	*/
	58
	59	#include <stdio.h>
	60	#include "cryptlib.h"
ec577822 BM	61	#include <openssl/bn.h>
	62	#include <openssl/rsa.h>
	63	#include <openssl/rand.h>
5270e702	64	#include <openssl/engine.h>
58964a49	65
c1cd88a0 DSH	66	#ifndef RSA_NULL
c1cd88a0 DSH	67
29c1f061	68	static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
58964a49	69	unsigned char to, RSA rsa,int padding);
29c1f061	70	static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
58964a49	71	unsigned char to, RSA rsa,int padding);
29c1f061	72	static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
58964a49	73	unsigned char to, RSA rsa,int padding);
29c1f061	74	static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
58964a49	75	unsigned char to, RSA rsa,int padding);
29c1f061	76	static int RSA_eay_mod_exp(BIGNUM r0, const BIGNUM i, RSA *rsa);
58964a49 RE	77	static int RSA_eay_init(RSA *rsa);
58964a49 RE	78	static int RSA_eay_finish(RSA *rsa);
58964a49 RE	79	static RSA_METHOD rsa_pkcs1_eay_meth={
	80	"Eric Young's PKCS#1 RSA",
	81	RSA_eay_public_encrypt,
	82	RSA_eay_public_decrypt,
	83	RSA_eay_private_encrypt,
	84	RSA_eay_private_decrypt,
	85	RSA_eay_mod_exp,
	86	BN_mod_exp_mont,
	87	RSA_eay_init,
	88	RSA_eay_finish,
	89	0,
	90	NULL,
	91	};
	92
7be7c2ed	93	const RSA_METHOD *RSA_PKCS1_SSLeay(void)
58964a49 RE	94	{
	95	return(&rsa_pkcs1_eay_meth);
	96	}
	97
29c1f061	98	static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
6b691a5c	99	unsigned char to, RSA rsa, int padding)
58964a49	100	{
5270e702	101	const RSA_METHOD *meth;
dfeab068	102	BIGNUM f,ret;
58964a49 RE	103	int i,j,k,num=0,r= -1;
	104	unsigned char *buf=NULL;
	105	BN_CTX *ctx=NULL;
	106
5270e702	107	meth = ENGINE_get_RSA(rsa->engine);
dfeab068 RE	108	BN_init(&f);
dfeab068 RE	109	BN_init(&ret);
58964a49 RE	110	if ((ctx=BN_CTX_new()) == NULL) goto err;
58964a49 RE	111	num=BN_num_bytes(rsa->n);
26a3a48d	112	if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL)
58964a49 RE	113	{
	114	RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,ERR_R_MALLOC_FAILURE);
	115	goto err;
	116	}
	117
	118	switch (padding)
	119	{
	120	case RSA_PKCS1_PADDING:
	121	i=RSA_padding_add_PKCS1_type_2(buf,num,from,flen);
	122	break;
79df9d62	123	#ifndef NO_SHA
a4949896 BL	124	case RSA_PKCS1_OAEP_PADDING:
	125	i=RSA_padding_add_PKCS1_OAEP(buf,num,from,flen,NULL,0);
	126	break;
79df9d62	127	#endif
58964a49 RE	128	case RSA_SSLV23_PADDING:
	129	i=RSA_padding_add_SSLv23(buf,num,from,flen);
	130	break;
	131	case RSA_NO_PADDING:
	132	i=RSA_padding_add_none(buf,num,from,flen);
	133	break;
	134	default:
	135	RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
	136	goto err;
	137	}
	138	if (i <= 0) goto err;
	139
dfeab068	140	if (BN_bin2bn(buf,num,&f) == NULL) goto err;
58964a49	141
03f8b042	142	if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
58964a49	143	{
f640ee90 BM	144	CRYPTO_w_lock(CRYPTO_LOCK_RSA);
	145	if (rsa->_method_mod_n == NULL)
	146	{
	147	BN_MONT_CTX* bn_mont_ctx;
	148	if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)
	149	{
	150	CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
	151	goto err;
	152	}
	153	if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->n,ctx))
	154	{
	155	BN_MONT_CTX_free(bn_mont_ctx);
	156	CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
	157	goto err;
	158	}
	159	rsa->_method_mod_n = bn_mont_ctx;
	160	}
	161	CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
58964a49 RE	162	}
58964a49 RE	163
5270e702	164	if (!meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
03f8b042	165	rsa->_method_mod_n)) goto err;
58964a49 RE	166
	167	/* put in leading 0 bytes if the number is less than the
	168	* length of the modulus */
dfeab068 RE	169	j=BN_num_bytes(&ret);
dfeab068 RE	170	i=BN_bn2bin(&ret,&(to[num-j]));
58964a49 RE	171	for (k=0; k<(num-i); k++)
	172	to[k]=0;
	173
	174	r=num;
	175	err:
	176	if (ctx != NULL) BN_CTX_free(ctx);
dfeab068 RE	177	BN_clear_free(&f);
dfeab068 RE	178	BN_clear_free(&ret);
58964a49 RE	179	if (buf != NULL)
	180	{
	181	memset(buf,0,num);
26a3a48d	182	OPENSSL_free(buf);
58964a49 RE	183	}
	184	return(r);
	185	}
	186
29c1f061	187	static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
6b691a5c	188	unsigned char to, RSA rsa, int padding)
58964a49	189	{
5270e702	190	const RSA_METHOD *meth;
dfeab068	191	BIGNUM f,ret;
58964a49 RE	192	int i,j,k,num=0,r= -1;
	193	unsigned char *buf=NULL;
	194	BN_CTX *ctx=NULL;
	195
5270e702	196	meth = ENGINE_get_RSA(rsa->engine);
dfeab068 RE	197	BN_init(&f);
	198	BN_init(&ret);
	199
58964a49 RE	200	if ((ctx=BN_CTX_new()) == NULL) goto err;
58964a49 RE	201	num=BN_num_bytes(rsa->n);
26a3a48d	202	if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL)
58964a49 RE	203	{
	204	RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE);
	205	goto err;
	206	}
	207
	208	switch (padding)
	209	{
	210	case RSA_PKCS1_PADDING:
	211	i=RSA_padding_add_PKCS1_type_1(buf,num,from,flen);
	212	break;
	213	case RSA_NO_PADDING:
	214	i=RSA_padding_add_none(buf,num,from,flen);
	215	break;
	216	case RSA_SSLV23_PADDING:
	217	default:
	218	RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
	219	goto err;
	220	}
	221	if (i <= 0) goto err;
	222
dfeab068	223	if (BN_bin2bn(buf,num,&f) == NULL) goto err;
58964a49 RE	224
	225	if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
	226	RSA_blinding_on(rsa,ctx);
	227	if (rsa->flags & RSA_FLAG_BLINDING)
dfeab068	228	if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
58964a49	229
770d19b8 DSH	230	if ( (rsa->flags & RSA_FLAG_EXT_PKEY) \|\|
770d19b8 DSH	231	((rsa->p != NULL) &&
58964a49 RE	232	(rsa->q != NULL) &&
	233	(rsa->dmp1 != NULL) &&
	234	(rsa->dmq1 != NULL) &&
770d19b8	235	(rsa->iqmp != NULL)) )
5270e702	236	{ if (!meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
58964a49 RE	237	else
58964a49 RE	238	{
5270e702	239	if (!meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err;
58964a49 RE	240	}
	241
	242	if (rsa->flags & RSA_FLAG_BLINDING)
dfeab068	243	if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;
58964a49 RE	244
	245	/* put in leading 0 bytes if the number is less than the
	246	* length of the modulus */
dfeab068 RE	247	j=BN_num_bytes(&ret);
dfeab068 RE	248	i=BN_bn2bin(&ret,&(to[num-j]));
58964a49 RE	249	for (k=0; k<(num-i); k++)
	250	to[k]=0;
	251
	252	r=num;
	253	err:
	254	if (ctx != NULL) BN_CTX_free(ctx);
dfeab068 RE	255	BN_clear_free(&ret);
dfeab068 RE	256	BN_clear_free(&f);
58964a49 RE	257	if (buf != NULL)
	258	{
	259	memset(buf,0,num);
26a3a48d	260	OPENSSL_free(buf);
58964a49 RE	261	}
	262	return(r);
	263	}
	264
29c1f061	265	static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
6b691a5c	266	unsigned char to, RSA rsa, int padding)
58964a49	267	{
5270e702	268	const RSA_METHOD *meth;
dfeab068	269	BIGNUM f,ret;
58964a49 RE	270	int j,num=0,r= -1;
	271	unsigned char *p;
	272	unsigned char *buf=NULL;
	273	BN_CTX *ctx=NULL;
	274
5270e702	275	meth = ENGINE_get_RSA(rsa->engine);
dfeab068 RE	276	BN_init(&f);
dfeab068 RE	277	BN_init(&ret);
58964a49 RE	278	ctx=BN_CTX_new();
	279	if (ctx == NULL) goto err;
	280
	281	num=BN_num_bytes(rsa->n);
	282
26a3a48d	283	if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL)
58964a49 RE	284	{
	285	RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE);
	286	goto err;
	287	}
	288
657e60fa	289	/* This check was for equality but PGP does evil things
58964a49 RE	290	* and chops off the top '0' bytes */
	291	if (flen > num)
	292	{
	293	RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
	294	goto err;
	295	}
	296
	297	/* make data into a big number */
dfeab068	298	if (BN_bin2bn(from,(int)flen,&f) == NULL) goto err;
58964a49 RE	299
	300	if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
	301	RSA_blinding_on(rsa,ctx);
	302	if (rsa->flags & RSA_FLAG_BLINDING)
dfeab068	303	if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
58964a49 RE	304
58964a49 RE	305	/* do the decrypt */
770d19b8 DSH	306	if ( (rsa->flags & RSA_FLAG_EXT_PKEY) \|\|
770d19b8 DSH	307	((rsa->p != NULL) &&
58964a49 RE	308	(rsa->q != NULL) &&
	309	(rsa->dmp1 != NULL) &&
	310	(rsa->dmq1 != NULL) &&
770d19b8	311	(rsa->iqmp != NULL)) )
5270e702	312	{ if (!meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
58964a49 RE	313	else
58964a49 RE	314	{
5270e702	315	if (!meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL))
58964a49 RE	316	goto err;
	317	}
	318
	319	if (rsa->flags & RSA_FLAG_BLINDING)
dfeab068	320	if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;
58964a49 RE	321
58964a49 RE	322	p=buf;
dfeab068	323	j=BN_bn2bin(&ret,p); /* j is only used with no-padding mode */
58964a49 RE	324
	325	switch (padding)
	326	{
	327	case RSA_PKCS1_PADDING:
dfeab068	328	r=RSA_padding_check_PKCS1_type_2(to,num,buf,j,num);
58964a49	329	break;
79df9d62	330	#ifndef NO_SHA
a4949896 BL	331	case RSA_PKCS1_OAEP_PADDING:
	332	r=RSA_padding_check_PKCS1_OAEP(to,num,buf,j,num,NULL,0);
	333	break;
79df9d62	334	#endif
a4949896	335	case RSA_SSLV23_PADDING:
dfeab068	336	r=RSA_padding_check_SSLv23(to,num,buf,j,num);
58964a49 RE	337	break;
58964a49 RE	338	case RSA_NO_PADDING:
dfeab068	339	r=RSA_padding_check_none(to,num,buf,j,num);
58964a49 RE	340	break;
	341	default:
	342	RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
	343	goto err;
	344	}
	345	if (r < 0)
	346	RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
	347
	348	err:
	349	if (ctx != NULL) BN_CTX_free(ctx);
dfeab068 RE	350	BN_clear_free(&f);
dfeab068 RE	351	BN_clear_free(&ret);
58964a49 RE	352	if (buf != NULL)
	353	{
	354	memset(buf,0,num);
26a3a48d	355	OPENSSL_free(buf);
58964a49 RE	356	}
	357	return(r);
	358	}
	359
29c1f061	360	static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
6b691a5c	361	unsigned char to, RSA rsa, int padding)
58964a49	362	{
5270e702	363	const RSA_METHOD *meth;
dfeab068	364	BIGNUM f,ret;
58964a49 RE	365	int i,num=0,r= -1;
	366	unsigned char *p;
	367	unsigned char *buf=NULL;
	368	BN_CTX *ctx=NULL;
	369
5270e702	370	meth = ENGINE_get_RSA(rsa->engine);
dfeab068 RE	371	BN_init(&f);
dfeab068 RE	372	BN_init(&ret);
58964a49 RE	373	ctx=BN_CTX_new();
	374	if (ctx == NULL) goto err;
	375
	376	num=BN_num_bytes(rsa->n);
26a3a48d	377	buf=(unsigned char *)OPENSSL_malloc(num);
58964a49 RE	378	if (buf == NULL)
	379	{
	380	RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE);
	381	goto err;
	382	}
	383
657e60fa	384	/* This check was for equality but PGP does evil things
58964a49 RE	385	* and chops off the top '0' bytes */
	386	if (flen > num)
	387	{
	388	RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
	389	goto err;
	390	}
	391
dfeab068	392	if (BN_bin2bn(from,flen,&f) == NULL) goto err;
58964a49	393	/* do the decrypt */
03f8b042	394	if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
58964a49	395	{
f640ee90 BM	396	CRYPTO_w_lock(CRYPTO_LOCK_RSA);
	397	if (rsa->_method_mod_n == NULL)
	398	{
	399	BN_MONT_CTX* bn_mont_ctx;
	400	if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)
	401	{
	402	CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
	403	goto err;
	404	}
	405	if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->n,ctx))
	406	{
	407	BN_MONT_CTX_free(bn_mont_ctx);
	408	CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
	409	goto err;
	410	}
	411	rsa->_method_mod_n = bn_mont_ctx;
	412	}
	413	CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
58964a49 RE	414	}
58964a49 RE	415
5270e702	416	if (!meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
03f8b042	417	rsa->_method_mod_n)) goto err;
58964a49 RE	418
58964a49 RE	419	p=buf;
dfeab068	420	i=BN_bn2bin(&ret,p);
58964a49 RE	421
	422	switch (padding)
	423	{
	424	case RSA_PKCS1_PADDING:
dfeab068	425	r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num);
58964a49 RE	426	break;
58964a49 RE	427	case RSA_NO_PADDING:
dfeab068	428	r=RSA_padding_check_none(to,num,buf,i,num);
58964a49 RE	429	break;
	430	default:
	431	RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
	432	goto err;
	433	}
	434	if (r < 0)
	435	RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
	436
	437	err:
	438	if (ctx != NULL) BN_CTX_free(ctx);
dfeab068 RE	439	BN_clear_free(&f);
dfeab068 RE	440	BN_clear_free(&ret);
58964a49 RE	441	if (buf != NULL)
	442	{
	443	memset(buf,0,num);
26a3a48d	444	OPENSSL_free(buf);
58964a49 RE	445	}
	446	return(r);
	447	}
	448
29c1f061	449	static int RSA_eay_mod_exp(BIGNUM r0, const BIGNUM I, RSA *rsa)
58964a49	450	{
5270e702	451	const RSA_METHOD *meth;
dfeab068	452	BIGNUM r1,m1;
58964a49 RE	453	int ret=0;
	454	BN_CTX *ctx;
	455
5270e702	456	meth = ENGINE_get_RSA(rsa->engine);
58964a49	457	if ((ctx=BN_CTX_new()) == NULL) goto err;
dfeab068 RE	458	BN_init(&m1);
dfeab068 RE	459	BN_init(&r1);
58964a49 RE	460
	461	if (rsa->flags & RSA_FLAG_CACHE_PRIVATE)
	462	{
03f8b042	463	if (rsa->_method_mod_p == NULL)
58964a49	464	{
f640ee90 BM	465	CRYPTO_w_lock(CRYPTO_LOCK_RSA);
	466	if (rsa->_method_mod_p == NULL)
	467	{
	468	BN_MONT_CTX* bn_mont_ctx;
	469	if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)
	470	{
	471	CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
	472	goto err;
	473	}
	474	if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->p,ctx))
	475	{
	476	BN_MONT_CTX_free(bn_mont_ctx);
	477	CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
58964a49	478	goto err;
f640ee90 BM	479	}
	480	rsa->_method_mod_p = bn_mont_ctx;
	481	}
	482	CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
58964a49	483	}
03f8b042	484	if (rsa->_method_mod_q == NULL)
58964a49	485	{
f640ee90 BM	486	CRYPTO_w_lock(CRYPTO_LOCK_RSA);
	487	if (rsa->_method_mod_q == NULL)
	488	{
	489	BN_MONT_CTX* bn_mont_ctx;
	490	if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)
	491	{
	492	CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
	493	goto err;
	494	}
	495	if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->q,ctx))
	496	{
	497	BN_MONT_CTX_free(bn_mont_ctx);
	498	CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
58964a49	499	goto err;
f640ee90 BM	500	}
	501	rsa->_method_mod_q = bn_mont_ctx;
	502	}
	503	CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
58964a49 RE	504	}
	505	}
	506
dfeab068	507	if (!BN_mod(&r1,I,rsa->q,ctx)) goto err;
5270e702	508	if (!meth->bn_mod_exp(&m1,&r1,rsa->dmq1,rsa->q,ctx,
03f8b042	509	rsa->_method_mod_q)) goto err;
58964a49	510
dfeab068	511	if (!BN_mod(&r1,I,rsa->p,ctx)) goto err;
5270e702	512	if (!meth->bn_mod_exp(r0,&r1,rsa->dmp1,rsa->p,ctx,
03f8b042	513	rsa->_method_mod_p)) goto err;
58964a49	514
dfeab068 RE	515	if (!BN_sub(r0,r0,&m1)) goto err;
	516	/* This will help stop the size of r0 increasing, which does
	517	* affect the multiply if it optimised for a power of 2 size */
	518	if (r0->neg)
	519	if (!BN_add(r0,r0,rsa->p)) goto err;
58964a49	520
dfeab068 RE	521	if (!BN_mul(&r1,r0,rsa->iqmp,ctx)) goto err;
dfeab068 RE	522	if (!BN_mod(r0,&r1,rsa->p,ctx)) goto err;
abd4c915 DSH	523	/* If p < q it is occasionally possible for the correction of
	524	* adding 'p' if r0 is negative above to leave the result still
	525	* negative. This can break the private key operations: the following
	526	* second correction should always correct this rare occurrence.
	527	* This will never happen with OpenSSL generated keys because
	528	* they ensure p > q [steve]
	529	*/
	530	if (r0->neg)
	531	if (!BN_add(r0,r0,rsa->p)) goto err;
dfeab068 RE	532	if (!BN_mul(&r1,r0,rsa->q,ctx)) goto err;
dfeab068 RE	533	if (!BN_add(r0,&r1,&m1)) goto err;
58964a49 RE	534
	535	ret=1;
	536	err:
dfeab068 RE	537	BN_clear_free(&m1);
dfeab068 RE	538	BN_clear_free(&r1);
e03ddfae	539	BN_CTX_free(ctx);
58964a49 RE	540	return(ret);
	541	}
	542
6b691a5c	543	static int RSA_eay_init(RSA *rsa)
58964a49 RE	544	{
	545	rsa->flags\|=RSA_FLAG_CACHE_PUBLIC\|RSA_FLAG_CACHE_PRIVATE;
	546	return(1);
	547	}
	548
6b691a5c	549	static int RSA_eay_finish(RSA *rsa)
58964a49	550	{
03f8b042 BL	551	if (rsa->_method_mod_n != NULL)
	552	BN_MONT_CTX_free(rsa->_method_mod_n);
	553	if (rsa->_method_mod_p != NULL)
	554	BN_MONT_CTX_free(rsa->_method_mod_p);
	555	if (rsa->_method_mod_q != NULL)
	556	BN_MONT_CTX_free(rsa->_method_mod_q);
58964a49 RE	557	return(1);
	558	}
	559
c1cd88a0	560	#endif