projects / thirdparty / openssl.git / blame
| Commit | Line | Data |
|---|---|---|
| 58964a49 RE |
1 | /* crypto/rsa/rsa_eay.c */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | |
| 3 | * All rights reserved. | |
| 4 | * | |
| 5 | * This package is an SSL implementation written | |
| 6 | * by Eric Young (eay@cryptsoft.com). | |
| 7 | * The implementation was written so as to conform with Netscapes SSL. | |
| 8 | * | |
| 9 | * This library is free for commercial and non-commercial use as long as | |
| 10 | * the following conditions are aheared to. The following conditions | |
| 11 | * apply to all code found in this distribution, be it the RC4, RSA, | |
| 12 | * lhash, DES, etc., code; not just the SSL code. The SSL documentation | |
| 13 | * included with this distribution is covered by the same copyright terms | |
| 14 | * except that the holder is Tim Hudson (tjh@cryptsoft.com). | |
| 15 | * | |
| 16 | * Copyright remains Eric Young's, and as such any Copyright notices in | |
| 17 | * the code are not to be removed. | |
| 18 | * If this package is used in a product, Eric Young should be given attribution | |
| 19 | * as the author of the parts of the library used. | |
| 20 | * This can be in the form of a textual message at program startup or | |
| 21 | * in documentation (online or textual) provided with the package. | |
| 22 | * | |
| 23 | * Redistribution and use in source and binary forms, with or without | |
| 24 | * modification, are permitted provided that the following conditions | |
| 25 | * are met: | |
| 26 | * 1. Redistributions of source code must retain the copyright | |
| 27 | * notice, this list of conditions and the following disclaimer. | |
| 28 | * 2. Redistributions in binary form must reproduce the above copyright | |
| 29 | * notice, this list of conditions and the following disclaimer in the | |
| 30 | * documentation and/or other materials provided with the distribution. | |
| 31 | * 3. All advertising materials mentioning features or use of this software | |
| 32 | * must display the following acknowledgement: | |
| 33 | * "This product includes cryptographic software written by | |
| 34 | * Eric Young (eay@cryptsoft.com)" | |
| 35 | * The word 'cryptographic' can be left out if the rouines from the library | |
| 36 | * being used are not cryptographic related :-). | |
| 37 | * 4. If you include any Windows specific code (or a derivative thereof) from | |
| 38 | * the apps directory (application code) you must include an acknowledgement: | |
| 39 | * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" | |
| 40 | * | |
| 41 | * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND | |
| 42 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
| 43 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |
| 44 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE | |
| 45 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
| 46 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | |
| 47 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
| 48 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | |
| 49 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | |
| 50 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | |
| 51 | * SUCH DAMAGE. | |
| 52 | * | |
| 53 | * The licence and distribution terms for any publically available version or | |
| 54 | * derivative of this code cannot be changed. i.e. this code cannot simply be | |
| 55 | * copied and put under another distribution licence | |
| 56 | * [including the GNU Public Licence.] | |
| 57 | */ | |
| 58 | ||
| 59 | #include <stdio.h> | |
| 60 | #include "cryptlib.h" | |
| 61 | #include "bn.h" | |
| 62 | #include "rsa.h" | |
| 63 | #include "rand.h" | |
| 64 | ||
| 65 | #ifndef NOPROTO | |
| 66 | static int RSA_eay_public_encrypt(int flen, unsigned char *from, | |
| 67 | unsigned char *to, RSA *rsa,int padding); | |
| 68 | static int RSA_eay_private_encrypt(int flen, unsigned char *from, | |
| 69 | unsigned char *to, RSA *rsa,int padding); | |
| 70 | static int RSA_eay_public_decrypt(int flen, unsigned char *from, | |
| 71 | unsigned char *to, RSA *rsa,int padding); | |
| 72 | static int RSA_eay_private_decrypt(int flen, unsigned char *from, | |
| 73 | unsigned char *to, RSA *rsa,int padding); | |
| 74 | static int RSA_eay_mod_exp(BIGNUM *r0, BIGNUM *i, RSA *rsa); | |
| 75 | static int RSA_eay_init(RSA *rsa); | |
| 76 | static int RSA_eay_finish(RSA *rsa); | |
| 77 | #else | |
| 78 | static int RSA_eay_public_encrypt(); | |
| 79 | static int RSA_eay_private_encrypt(); | |
| 80 | static int RSA_eay_public_decrypt(); | |
| 81 | static int RSA_eay_private_decrypt(); | |
| 82 | static int RSA_eay_mod_exp(); | |
| 83 | static int RSA_eay_init(); | |
| 84 | static int RSA_eay_finish(); | |
| 85 | #endif | |
| 86 | ||
| 87 | static RSA_METHOD rsa_pkcs1_eay_meth={ | |
| 88 | "Eric Young's PKCS#1 RSA", | |
| 89 | RSA_eay_public_encrypt, | |
| 90 | RSA_eay_public_decrypt, | |
| 91 | RSA_eay_private_encrypt, | |
| 92 | RSA_eay_private_decrypt, | |
| 93 | RSA_eay_mod_exp, | |
| 94 | BN_mod_exp_mont, | |
| 95 | RSA_eay_init, | |
| 96 | RSA_eay_finish, | |
| 97 | 0, | |
| 98 | NULL, | |
| 99 | }; | |
| 100 | ||
| 6b691a5c | 101 | RSA_METHOD *RSA_PKCS1_SSLeay(void) |
| 58964a49 RE |
102 | { |
| 103 | return(&rsa_pkcs1_eay_meth); | |
| 104 | } | |
| 105 | ||
| 6b691a5c UM |
106 | static int RSA_eay_public_encrypt(int flen, unsigned char *from, |
| 107 | unsigned char *to, RSA *rsa, int padding) | |
| 58964a49 | 108 | { |
| dfeab068 | 109 | BIGNUM f,ret; |
| 58964a49 RE |
110 | int i,j,k,num=0,r= -1; |
| 111 | unsigned char *buf=NULL; | |
| 112 | BN_CTX *ctx=NULL; | |
| 113 | ||
| dfeab068 RE |
114 | BN_init(&f); |
| 115 | BN_init(&ret); | |
| 58964a49 RE |
116 | if ((ctx=BN_CTX_new()) == NULL) goto err; |
| 117 | num=BN_num_bytes(rsa->n); | |
| 118 | if ((buf=(unsigned char *)Malloc(num)) == NULL) | |
| 119 | { | |
| 120 | RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,ERR_R_MALLOC_FAILURE); | |
| 121 | goto err; | |
| 122 | } | |
| 123 | ||
| 124 | switch (padding) | |
| 125 | { | |
| 126 | case RSA_PKCS1_PADDING: | |
| 127 | i=RSA_padding_add_PKCS1_type_2(buf,num,from,flen); | |
| 128 | break; | |
| a4949896 BL |
129 | case RSA_PKCS1_OAEP_PADDING: |
| 130 | i=RSA_padding_add_PKCS1_OAEP(buf,num,from,flen,NULL,0); | |
| 131 | break; | |
| 58964a49 RE |
132 | case RSA_SSLV23_PADDING: |
| 133 | i=RSA_padding_add_SSLv23(buf,num,from,flen); | |
| 134 | break; | |
| 135 | case RSA_NO_PADDING: | |
| 136 | i=RSA_padding_add_none(buf,num,from,flen); | |
| 137 | break; | |
| 138 | default: | |
| 139 | RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE); | |
| 140 | goto err; | |
| 141 | } | |
| 142 | if (i <= 0) goto err; | |
| 143 | ||
| dfeab068 | 144 | if (BN_bin2bn(buf,num,&f) == NULL) goto err; |
| 58964a49 | 145 | |
| 03f8b042 | 146 | if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC)) |
| 58964a49 | 147 | { |
| 03f8b042 BL |
148 | if ((rsa->_method_mod_n=BN_MONT_CTX_new()) != NULL) |
| 149 | if (!BN_MONT_CTX_set(rsa->_method_mod_n,rsa->n,ctx)) | |
| 150 | goto err; | |
| 58964a49 RE |
151 | } |
| 152 | ||
| dfeab068 | 153 | if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx, |
| 03f8b042 | 154 | rsa->_method_mod_n)) goto err; |
| 58964a49 RE |
155 | |
| 156 | /* put in leading 0 bytes if the number is less than the | |
| 157 | * length of the modulus */ | |
| dfeab068 RE |
158 | j=BN_num_bytes(&ret); |
| 159 | i=BN_bn2bin(&ret,&(to[num-j])); | |
| 58964a49 RE |
160 | for (k=0; k<(num-i); k++) |
| 161 | to[k]=0; | |
| 162 | ||
| 163 | r=num; | |
| 164 | err: | |
| 165 | if (ctx != NULL) BN_CTX_free(ctx); | |
| dfeab068 RE |
166 | BN_clear_free(&f); |
| 167 | BN_clear_free(&ret); | |
| 58964a49 RE |
168 | if (buf != NULL) |
| 169 | { | |
| 170 | memset(buf,0,num); | |
| 171 | Free(buf); | |
| 172 | } | |
| 173 | return(r); | |
| 174 | } | |
| 175 | ||
| 6b691a5c UM |
176 | static int RSA_eay_private_encrypt(int flen, unsigned char *from, |
| 177 | unsigned char *to, RSA *rsa, int padding) | |
| 58964a49 | 178 | { |
| dfeab068 | 179 | BIGNUM f,ret; |
| 58964a49 RE |
180 | int i,j,k,num=0,r= -1; |
| 181 | unsigned char *buf=NULL; | |
| 182 | BN_CTX *ctx=NULL; | |
| 183 | ||
| dfeab068 RE |
184 | BN_init(&f); |
| 185 | BN_init(&ret); | |
| 186 | ||
| 58964a49 RE |
187 | if ((ctx=BN_CTX_new()) == NULL) goto err; |
| 188 | num=BN_num_bytes(rsa->n); | |
| 189 | if ((buf=(unsigned char *)Malloc(num)) == NULL) | |
| 190 | { | |
| 191 | RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE); | |
| 192 | goto err; | |
| 193 | } | |
| 194 | ||
| 195 | switch (padding) | |
| 196 | { | |
| 197 | case RSA_PKCS1_PADDING: | |
| 198 | i=RSA_padding_add_PKCS1_type_1(buf,num,from,flen); | |
| 199 | break; | |
| 200 | case RSA_NO_PADDING: | |
| 201 | i=RSA_padding_add_none(buf,num,from,flen); | |
| 202 | break; | |
| 203 | case RSA_SSLV23_PADDING: | |
| 204 | default: | |
| 205 | RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE); | |
| 206 | goto err; | |
| 207 | } | |
| 208 | if (i <= 0) goto err; | |
| 209 | ||
| dfeab068 | 210 | if (BN_bin2bn(buf,num,&f) == NULL) goto err; |
| 58964a49 RE |
211 | |
| 212 | if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL)) | |
| 213 | RSA_blinding_on(rsa,ctx); | |
| 214 | if (rsa->flags & RSA_FLAG_BLINDING) | |
| dfeab068 | 215 | if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err; |
| 58964a49 RE |
216 | |
| 217 | if ( (rsa->p != NULL) && | |
| 218 | (rsa->q != NULL) && | |
| 219 | (rsa->dmp1 != NULL) && | |
| 220 | (rsa->dmq1 != NULL) && | |
| 221 | (rsa->iqmp != NULL)) | |
| dfeab068 | 222 | { if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; } |
| 58964a49 RE |
223 | else |
| 224 | { | |
| dfeab068 | 225 | if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err; |
| 58964a49 RE |
226 | } |
| 227 | ||
| 228 | if (rsa->flags & RSA_FLAG_BLINDING) | |
| dfeab068 | 229 | if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err; |
| 58964a49 RE |
230 | |
| 231 | /* put in leading 0 bytes if the number is less than the | |
| 232 | * length of the modulus */ | |
| dfeab068 RE |
233 | j=BN_num_bytes(&ret); |
| 234 | i=BN_bn2bin(&ret,&(to[num-j])); | |
| 58964a49 RE |
235 | for (k=0; k<(num-i); k++) |
| 236 | to[k]=0; | |
| 237 | ||
| 238 | r=num; | |
| 239 | err: | |
| 240 | if (ctx != NULL) BN_CTX_free(ctx); | |
| dfeab068 RE |
241 | BN_clear_free(&ret); |
| 242 | BN_clear_free(&f); | |
| 58964a49 RE |
243 | if (buf != NULL) |
| 244 | { | |
| 245 | memset(buf,0,num); | |
| 246 | Free(buf); | |
| 247 | } | |
| 248 | return(r); | |
| 249 | } | |
| 250 | ||
| 6b691a5c UM |
251 | static int RSA_eay_private_decrypt(int flen, unsigned char *from, |
| 252 | unsigned char *to, RSA *rsa, int padding) | |
| 58964a49 | 253 | { |
| dfeab068 | 254 | BIGNUM f,ret; |
| 58964a49 RE |
255 | int j,num=0,r= -1; |
| 256 | unsigned char *p; | |
| 257 | unsigned char *buf=NULL; | |
| 258 | BN_CTX *ctx=NULL; | |
| 259 | ||
| dfeab068 RE |
260 | BN_init(&f); |
| 261 | BN_init(&ret); | |
| 58964a49 RE |
262 | ctx=BN_CTX_new(); |
| 263 | if (ctx == NULL) goto err; | |
| 264 | ||
| 265 | num=BN_num_bytes(rsa->n); | |
| 266 | ||
| 267 | if ((buf=(unsigned char *)Malloc(num)) == NULL) | |
| 268 | { | |
| 269 | RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE); | |
| 270 | goto err; | |
| 271 | } | |
| 272 | ||
| 273 | /* This check was for equallity but PGP does evil things | |
| 274 | * and chops off the top '0' bytes */ | |
| 275 | if (flen > num) | |
| 276 | { | |
| 277 | RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN); | |
| 278 | goto err; | |
| 279 | } | |
| 280 | ||
| 281 | /* make data into a big number */ | |
| dfeab068 | 282 | if (BN_bin2bn(from,(int)flen,&f) == NULL) goto err; |
| 58964a49 RE |
283 | |
| 284 | if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL)) | |
| 285 | RSA_blinding_on(rsa,ctx); | |
| 286 | if (rsa->flags & RSA_FLAG_BLINDING) | |
| dfeab068 | 287 | if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err; |
| 58964a49 RE |
288 | |
| 289 | /* do the decrypt */ | |
| 290 | if ( (rsa->p != NULL) && | |
| 291 | (rsa->q != NULL) && | |
| 292 | (rsa->dmp1 != NULL) && | |
| 293 | (rsa->dmq1 != NULL) && | |
| 294 | (rsa->iqmp != NULL)) | |
| dfeab068 | 295 | { if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; } |
| 58964a49 RE |
296 | else |
| 297 | { | |
| dfeab068 | 298 | if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) |
| 58964a49 RE |
299 | goto err; |
| 300 | } | |
| 301 | ||
| 302 | if (rsa->flags & RSA_FLAG_BLINDING) | |
| dfeab068 | 303 | if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err; |
| 58964a49 RE |
304 | |
| 305 | p=buf; | |
| dfeab068 | 306 | j=BN_bn2bin(&ret,p); /* j is only used with no-padding mode */ |
| 58964a49 RE |
307 | |
| 308 | switch (padding) | |
| 309 | { | |
| 310 | case RSA_PKCS1_PADDING: | |
| dfeab068 | 311 | r=RSA_padding_check_PKCS1_type_2(to,num,buf,j,num); |
| 58964a49 | 312 | break; |
| a4949896 BL |
313 | case RSA_PKCS1_OAEP_PADDING: |
| 314 | r=RSA_padding_check_PKCS1_OAEP(to,num,buf,j,num,NULL,0); | |
| 315 | break; | |
| 316 | case RSA_SSLV23_PADDING: | |
| dfeab068 | 317 | r=RSA_padding_check_SSLv23(to,num,buf,j,num); |
| 58964a49 RE |
318 | break; |
| 319 | case RSA_NO_PADDING: | |
| dfeab068 | 320 | r=RSA_padding_check_none(to,num,buf,j,num); |
| 58964a49 RE |
321 | break; |
| 322 | default: | |
| 323 | RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE); | |
| 324 | goto err; | |
| 325 | } | |
| 326 | if (r < 0) | |
| 327 | RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED); | |
| 328 | ||
| 329 | err: | |
| 330 | if (ctx != NULL) BN_CTX_free(ctx); | |
| dfeab068 RE |
331 | BN_clear_free(&f); |
| 332 | BN_clear_free(&ret); | |
| 58964a49 RE |
333 | if (buf != NULL) |
| 334 | { | |
| 335 | memset(buf,0,num); | |
| 336 | Free(buf); | |
| 337 | } | |
| 338 | return(r); | |
| 339 | } | |
| 340 | ||
| 6b691a5c UM |
341 | static int RSA_eay_public_decrypt(int flen, unsigned char *from, |
| 342 | unsigned char *to, RSA *rsa, int padding) | |
| 58964a49 | 343 | { |
| dfeab068 | 344 | BIGNUM f,ret; |
| 58964a49 RE |
345 | int i,num=0,r= -1; |
| 346 | unsigned char *p; | |
| 347 | unsigned char *buf=NULL; | |
| 348 | BN_CTX *ctx=NULL; | |
| 349 | ||
| dfeab068 RE |
350 | BN_init(&f); |
| 351 | BN_init(&ret); | |
| 58964a49 RE |
352 | ctx=BN_CTX_new(); |
| 353 | if (ctx == NULL) goto err; | |
| 354 | ||
| 355 | num=BN_num_bytes(rsa->n); | |
| 356 | buf=(unsigned char *)Malloc(num); | |
| 357 | if (buf == NULL) | |
| 358 | { | |
| 359 | RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE); | |
| 360 | goto err; | |
| 361 | } | |
| 362 | ||
| 363 | /* This check was for equallity but PGP does evil things | |
| 364 | * and chops off the top '0' bytes */ | |
| 365 | if (flen > num) | |
| 366 | { | |
| 367 | RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN); | |
| 368 | goto err; | |
| 369 | } | |
| 370 | ||
| dfeab068 | 371 | if (BN_bin2bn(from,flen,&f) == NULL) goto err; |
| 58964a49 | 372 | /* do the decrypt */ |
| 03f8b042 | 373 | if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC)) |
| 58964a49 | 374 | { |
| 03f8b042 BL |
375 | if ((rsa->_method_mod_n=BN_MONT_CTX_new()) != NULL) |
| 376 | if (!BN_MONT_CTX_set(rsa->_method_mod_n,rsa->n,ctx)) | |
| 377 | goto err; | |
| 58964a49 RE |
378 | } |
| 379 | ||
| dfeab068 | 380 | if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx, |
| 03f8b042 | 381 | rsa->_method_mod_n)) goto err; |
| 58964a49 RE |
382 | |
| 383 | p=buf; | |
| dfeab068 | 384 | i=BN_bn2bin(&ret,p); |
| 58964a49 RE |
385 | |
| 386 | switch (padding) | |
| 387 | { | |
| 388 | case RSA_PKCS1_PADDING: | |
| dfeab068 | 389 | r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num); |
| 58964a49 RE |
390 | break; |
| 391 | case RSA_NO_PADDING: | |
| dfeab068 | 392 | r=RSA_padding_check_none(to,num,buf,i,num); |
| 58964a49 RE |
393 | break; |
| 394 | default: | |
| 395 | RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE); | |
| 396 | goto err; | |
| 397 | } | |
| 398 | if (r < 0) | |
| 399 | RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED); | |
| 400 | ||
| 401 | err: | |
| 402 | if (ctx != NULL) BN_CTX_free(ctx); | |
| dfeab068 RE |
403 | BN_clear_free(&f); |
| 404 | BN_clear_free(&ret); | |
| 58964a49 RE |
405 | if (buf != NULL) |
| 406 | { | |
| 407 | memset(buf,0,num); | |
| 408 | Free(buf); | |
| 409 | } | |
| 410 | return(r); | |
| 411 | } | |
| 412 | ||
| 6b691a5c | 413 | static int RSA_eay_mod_exp(BIGNUM *r0, BIGNUM *I, RSA *rsa) |
| 58964a49 | 414 | { |
| dfeab068 | 415 | BIGNUM r1,m1; |
| 58964a49 RE |
416 | int ret=0; |
| 417 | BN_CTX *ctx; | |
| 418 | ||
| 419 | if ((ctx=BN_CTX_new()) == NULL) goto err; | |
| dfeab068 RE |
420 | BN_init(&m1); |
| 421 | BN_init(&r1); | |
| 58964a49 RE |
422 | |
| 423 | if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) | |
| 424 | { | |
| 03f8b042 | 425 | if (rsa->_method_mod_p == NULL) |
| 58964a49 | 426 | { |
| 03f8b042 BL |
427 | if ((rsa->_method_mod_p=BN_MONT_CTX_new()) != NULL) |
| 428 | if (!BN_MONT_CTX_set(rsa->_method_mod_p,rsa->p, | |
| 429 | ctx)) | |
| 58964a49 RE |
430 | goto err; |
| 431 | } | |
| 03f8b042 | 432 | if (rsa->_method_mod_q == NULL) |
| 58964a49 | 433 | { |
| 03f8b042 BL |
434 | if ((rsa->_method_mod_q=BN_MONT_CTX_new()) != NULL) |
| 435 | if (!BN_MONT_CTX_set(rsa->_method_mod_q,rsa->q, | |
| 436 | ctx)) | |
| 58964a49 RE |
437 | goto err; |
| 438 | } | |
| 439 | } | |
| 440 | ||
| dfeab068 RE |
441 | if (!BN_mod(&r1,I,rsa->q,ctx)) goto err; |
| 442 | if (!rsa->meth->bn_mod_exp(&m1,&r1,rsa->dmq1,rsa->q,ctx, | |
| 03f8b042 | 443 | rsa->_method_mod_q)) goto err; |
| 58964a49 | 444 | |
| dfeab068 RE |
445 | if (!BN_mod(&r1,I,rsa->p,ctx)) goto err; |
| 446 | if (!rsa->meth->bn_mod_exp(r0,&r1,rsa->dmp1,rsa->p,ctx, | |
| 03f8b042 | 447 | rsa->_method_mod_p)) goto err; |
| 58964a49 | 448 | |
| dfeab068 RE |
449 | if (!BN_sub(r0,r0,&m1)) goto err; |
| 450 | /* This will help stop the size of r0 increasing, which does | |
| 451 | * affect the multiply if it optimised for a power of 2 size */ | |
| 452 | if (r0->neg) | |
| 453 | if (!BN_add(r0,r0,rsa->p)) goto err; | |
| 58964a49 | 454 | |
| dfeab068 RE |
455 | if (!BN_mul(&r1,r0,rsa->iqmp,ctx)) goto err; |
| 456 | if (!BN_mod(r0,&r1,rsa->p,ctx)) goto err; | |
| abd4c915 DSH |
457 | /* If p < q it is occasionally possible for the correction of |
| 458 | * adding 'p' if r0 is negative above to leave the result still | |
| 459 | * negative. This can break the private key operations: the following | |
| 460 | * second correction should *always* correct this rare occurrence. | |
| 461 | * This will *never* happen with OpenSSL generated keys because | |
| 462 | * they ensure p > q [steve] | |
| 463 | */ | |
| 464 | if (r0->neg) | |
| 465 | if (!BN_add(r0,r0,rsa->p)) goto err; | |
| dfeab068 RE |
466 | if (!BN_mul(&r1,r0,rsa->q,ctx)) goto err; |
| 467 | if (!BN_add(r0,&r1,&m1)) goto err; | |
| 58964a49 RE |
468 | |
| 469 | ret=1; | |
| 470 | err: | |
| dfeab068 RE |
471 | BN_clear_free(&m1); |
| 472 | BN_clear_free(&r1); | |
| e03ddfae | 473 | BN_CTX_free(ctx); |
| 58964a49 RE |
474 | return(ret); |
| 475 | } | |
| 476 | ||
| 6b691a5c | 477 | static int RSA_eay_init(RSA *rsa) |
| 58964a49 RE |
478 | { |
| 479 | rsa->flags|=RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE; | |
| 480 | return(1); | |
| 481 | } | |
| 482 | ||
| 6b691a5c | 483 | static int RSA_eay_finish(RSA *rsa) |
| 58964a49 | 484 | { |
| 03f8b042 BL |
485 | if (rsa->_method_mod_n != NULL) |
| 486 | BN_MONT_CTX_free(rsa->_method_mod_n); | |
| 487 | if (rsa->_method_mod_p != NULL) | |
| 488 | BN_MONT_CTX_free(rsa->_method_mod_p); | |
| 489 | if (rsa->_method_mod_q != NULL) | |
| 490 | BN_MONT_CTX_free(rsa->_method_mod_q); | |
| 58964a49 RE |
491 | return(1); |
| 492 | } | |
| 493 | ||
| 494 |