[thirdparty/openssl.git] / crypto / rsa / rsa_eay.c

/* crypto/rsa/rsa_eay.c */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 * 
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
 * 
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
 * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *    "This product includes cryptographic software written by
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
 * 4. If you include any Windows specific code (or a derivative thereof) from 
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
 * 
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 * 
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */

#include <stdio.h>
#include "cryptlib.h"
#include <openssl/bn.h>
#include <openssl/rsa.h>
#include <openssl/rand.h>
#ifndef OPENSSL_NO_ENGINE
#include <openssl/engine.h>
#endif

#ifndef RSA_NULL

static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
		unsigned char *to, RSA *rsa,int padding);
static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
		unsigned char *to, RSA *rsa,int padding);
static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
		unsigned char *to, RSA *rsa,int padding);
static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
		unsigned char *to, RSA *rsa,int padding);
static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa);
static int RSA_eay_init(RSA *rsa);
static int RSA_eay_finish(RSA *rsa);
static RSA_METHOD rsa_pkcs1_eay_meth={
	"Eric Young's PKCS#1 RSA",
	RSA_eay_public_encrypt,
	RSA_eay_public_decrypt, /* signature verification */
	RSA_eay_private_encrypt, /* signing */
	RSA_eay_private_decrypt,
	RSA_eay_mod_exp,
	BN_mod_exp_mont, /* XXX probably we should not use Montgomery if  e == 3 */
	RSA_eay_init,
	RSA_eay_finish,
	0, /* flags */
	NULL,
	0, /* rsa_sign */
	0, /* rsa_verify */
	NULL /* rsa_keygen */
	};

const RSA_METHOD *RSA_PKCS1_SSLeay(void)
	{
	return(&rsa_pkcs1_eay_meth);
	}

/* Static helper to reduce oodles of code duplication. As a slight
 * optimisation, the "MONT_HELPER() macro must be used as front-end to this
 * function, to prevent unnecessary function calls - there is an initial test
 * that is performed by the macro-generated code. */
static int rsa_eay_mont_helper(BN_MONT_CTX **ptr, const BIGNUM *modulus, BN_CTX *ctx)
	{
	BN_MONT_CTX *bn_mont_ctx;
	if((bn_mont_ctx = BN_MONT_CTX_new()) == NULL)
		return 0;
	if(!BN_MONT_CTX_set(bn_mont_ctx, modulus, ctx))
		{
		BN_MONT_CTX_free(bn_mont_ctx);
		return 0;
		}
	if (*ptr == NULL) /* other thread may have finished first */
		{
		CRYPTO_w_lock(CRYPTO_LOCK_RSA);
		if (*ptr == NULL) /* check again in the lock to stop races */
			{
			*ptr = bn_mont_ctx;
			bn_mont_ctx = NULL;
			}
		CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
		}
	if (bn_mont_ctx)
		BN_MONT_CTX_free(bn_mont_ctx);
	return 1;
	}
/* Usage example;
 *    MONT_HELPER(rsa, bn_ctx, p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
 */
#define MONT_HELPER(rsa, ctx, m, pre_cond, err_instr) \
	if((pre_cond) && ((rsa)->_method_mod_##m == NULL) && \
			!rsa_eay_mont_helper(&((rsa)->_method_mod_##m), \
				(rsa)->m, (ctx))) \
		err_instr

static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
	     unsigned char *to, RSA *rsa, int padding)
	{
	BIGNUM f,ret;
	int i,j,k,num=0,r= -1;
	unsigned char *buf=NULL;
	BN_CTX *ctx=NULL;

	BN_init(&f);
	BN_init(&ret);
	if ((ctx=BN_CTX_new()) == NULL) goto err;
	num=BN_num_bytes(rsa->n);
	if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL)
		{
		RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,ERR_R_MALLOC_FAILURE);
		goto err;
		}

	switch (padding)
		{
	case RSA_PKCS1_PADDING:
		i=RSA_padding_add_PKCS1_type_2(buf,num,from,flen);
		break;
#ifndef OPENSSL_NO_SHA
	case RSA_PKCS1_OAEP_PADDING:
	        i=RSA_padding_add_PKCS1_OAEP(buf,num,from,flen,NULL,0);
		break;
#endif
	case RSA_SSLV23_PADDING:
		i=RSA_padding_add_SSLv23(buf,num,from,flen);
		break;
	case RSA_NO_PADDING:
		i=RSA_padding_add_none(buf,num,from,flen);
		break;
	default:
		RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
		goto err;
		}
	if (i <= 0) goto err;

	if (BN_bin2bn(buf,num,&f) == NULL) goto err;
	
	if (BN_ucmp(&f, rsa->n) >= 0)
		{	
		/* usually the padding functions would catch this */
		RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
		goto err;
		}

	MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);

	if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
		rsa->_method_mod_n)) goto err;

	/* put in leading 0 bytes if the number is less than the
	 * length of the modulus */
	j=BN_num_bytes(&ret);
	i=BN_bn2bin(&ret,&(to[num-j]));
	for (k=0; k<(num-i); k++)
		to[k]=0;

	r=num;
err:
	if (ctx != NULL) BN_CTX_free(ctx);
	BN_clear_free(&f);
	BN_clear_free(&ret);
	if (buf != NULL) 
		{
		OPENSSL_cleanse(buf,num);
		OPENSSL_free(buf);
		}
	return(r);
	}

/* signing */
static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
	     unsigned char *to, RSA *rsa, int padding)
	{
	BIGNUM f,ret;
	int i,j,k,num=0,r= -1;
	unsigned char *buf=NULL;
	BN_CTX *ctx=NULL;

	BN_init(&f);
	BN_init(&ret);

	if ((ctx=BN_CTX_new()) == NULL) goto err;
	num=BN_num_bytes(rsa->n);
	if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL)
		{
		RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE);
		goto err;
		}

	switch (padding)
		{
	case RSA_PKCS1_PADDING:
		i=RSA_padding_add_PKCS1_type_1(buf,num,from,flen);
		break;
	case RSA_NO_PADDING:
		i=RSA_padding_add_none(buf,num,from,flen);
		break;
	case RSA_SSLV23_PADDING:
	default:
		RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
		goto err;
		}
	if (i <= 0) goto err;

	if (BN_bin2bn(buf,num,&f) == NULL) goto err;
	
	if (BN_ucmp(&f, rsa->n) >= 0)
		{	
		/* usually the padding functions would catch this */
		RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
		goto err;
		}

	if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
		RSA_blinding_on(rsa,ctx);
	if (rsa->flags & RSA_FLAG_BLINDING)
		if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;

	if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
		((rsa->p != NULL) &&
		(rsa->q != NULL) &&
		(rsa->dmp1 != NULL) &&
		(rsa->dmq1 != NULL) &&
		(rsa->iqmp != NULL)) )
		{ if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
	else
		{
		MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
		if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,
				rsa->_method_mod_n)) goto err;
		}

	if (rsa->flags & RSA_FLAG_BLINDING)
		if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;

	/* put in leading 0 bytes if the number is less than the
	 * length of the modulus */
	j=BN_num_bytes(&ret);
	i=BN_bn2bin(&ret,&(to[num-j]));
	for (k=0; k<(num-i); k++)
		to[k]=0;

	r=num;
err:
	if (ctx != NULL) BN_CTX_free(ctx);
	BN_clear_free(&ret);
	BN_clear_free(&f);
	if (buf != NULL)
		{
		OPENSSL_cleanse(buf,num);
		OPENSSL_free(buf);
		}
	return(r);
	}

static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
	     unsigned char *to, RSA *rsa, int padding)
	{
	BIGNUM f,ret;
	int j,num=0,r= -1;
	unsigned char *p;
	unsigned char *buf=NULL;
	BN_CTX *ctx=NULL;

	BN_init(&f);
	BN_init(&ret);
	ctx=BN_CTX_new();
	if (ctx == NULL) goto err;

	num=BN_num_bytes(rsa->n);

	if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL)
		{
		RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE);
		goto err;
		}

	/* This check was for equality but PGP does evil things
	 * and chops off the top '0' bytes */
	if (flen > num)
		{
		RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
		goto err;
		}

	/* make data into a big number */
	if (BN_bin2bn(from,(int)flen,&f) == NULL) goto err;

	if (BN_ucmp(&f, rsa->n) >= 0)
		{
		RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
		goto err;
		}

	if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
		RSA_blinding_on(rsa,ctx);
	if (rsa->flags & RSA_FLAG_BLINDING)
		if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;

	/* do the decrypt */
	if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
		((rsa->p != NULL) &&
		(rsa->q != NULL) &&
		(rsa->dmp1 != NULL) &&
		(rsa->dmq1 != NULL) &&
		(rsa->iqmp != NULL)) )
		{ if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
	else
		{
		MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
		if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,
				rsa->_method_mod_n))
			goto err;
		}

	if (rsa->flags & RSA_FLAG_BLINDING)
		if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;

	p=buf;
	j=BN_bn2bin(&ret,p); /* j is only used with no-padding mode */

	switch (padding)
		{
	case RSA_PKCS1_PADDING:
		r=RSA_padding_check_PKCS1_type_2(to,num,buf,j,num);
		break;
#ifndef OPENSSL_NO_SHA
        case RSA_PKCS1_OAEP_PADDING:
	        r=RSA_padding_check_PKCS1_OAEP(to,num,buf,j,num,NULL,0);
                break;
#endif
 	case RSA_SSLV23_PADDING:
		r=RSA_padding_check_SSLv23(to,num,buf,j,num);
		break;
	case RSA_NO_PADDING:
		r=RSA_padding_check_none(to,num,buf,j,num);
		break;
	default:
		RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
		goto err;
		}
	if (r < 0)
		RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED);

err:
	if (ctx != NULL) BN_CTX_free(ctx);
	BN_clear_free(&f);
	BN_clear_free(&ret);
	if (buf != NULL)
		{
		OPENSSL_cleanse(buf,num);
		OPENSSL_free(buf);
		}
	return(r);
	}

/* signature verification */
static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
	     unsigned char *to, RSA *rsa, int padding)
	{
	BIGNUM f,ret;
	int i,num=0,r= -1;
	unsigned char *p;
	unsigned char *buf=NULL;
	BN_CTX *ctx=NULL;

	BN_init(&f);
	BN_init(&ret);
	ctx=BN_CTX_new();
	if (ctx == NULL) goto err;

	num=BN_num_bytes(rsa->n);
	buf=(unsigned char *)OPENSSL_malloc(num);
	if (buf == NULL)
		{
		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE);
		goto err;
		}

	/* This check was for equality but PGP does evil things
	 * and chops off the top '0' bytes */
	if (flen > num)
		{
		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
		goto err;
		}

	if (BN_bin2bn(from,flen,&f) == NULL) goto err;

	if (BN_ucmp(&f, rsa->n) >= 0)
		{
		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
		goto err;
		}

	MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);

	if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
		rsa->_method_mod_n)) goto err;

	p=buf;
	i=BN_bn2bin(&ret,p);

	switch (padding)
		{
	case RSA_PKCS1_PADDING:
		r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num);
		break;
	case RSA_NO_PADDING:
		r=RSA_padding_check_none(to,num,buf,i,num);
		break;
	default:
		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
		goto err;
		}
	if (r < 0)
		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED);

err:
	if (ctx != NULL) BN_CTX_free(ctx);
	BN_clear_free(&f);
	BN_clear_free(&ret);
	if (buf != NULL)
		{
		OPENSSL_cleanse(buf,num);
		OPENSSL_free(buf);
		}
	return(r);
	}

static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
	{
	BIGNUM r1,m1,vrfy;
	int ret=0;
	BN_CTX *ctx;

	BN_init(&m1);
	BN_init(&r1);
	BN_init(&vrfy);
	if ((ctx=BN_CTX_new()) == NULL) goto err;

	MONT_HELPER(rsa, ctx, p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
	MONT_HELPER(rsa, ctx, q, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
	MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);

	if (!BN_mod(&r1,I,rsa->q,ctx)) goto err;
	if (!rsa->meth->bn_mod_exp(&m1,&r1,rsa->dmq1,rsa->q,ctx,
		rsa->_method_mod_q)) goto err;

	if (!BN_mod(&r1,I,rsa->p,ctx)) goto err;
	if (!rsa->meth->bn_mod_exp(r0,&r1,rsa->dmp1,rsa->p,ctx,
		rsa->_method_mod_p)) goto err;

	if (!BN_sub(r0,r0,&m1)) goto err;
	/* This will help stop the size of r0 increasing, which does
	 * affect the multiply if it optimised for a power of 2 size */
	if (BN_get_sign(r0))
		if (!BN_add(r0,r0,rsa->p)) goto err;

	if (!BN_mul(&r1,r0,rsa->iqmp,ctx)) goto err;
	if (!BN_mod(r0,&r1,rsa->p,ctx)) goto err;
	/* If p < q it is occasionally possible for the correction of
         * adding 'p' if r0 is negative above to leave the result still
	 * negative. This can break the private key operations: the following
	 * second correction should *always* correct this rare occurrence.
	 * This will *never* happen with OpenSSL generated keys because
         * they ensure p > q [steve]
         */
	if (BN_get_sign(r0))
		if (!BN_add(r0,r0,rsa->p)) goto err;
	if (!BN_mul(&r1,r0,rsa->q,ctx)) goto err;
	if (!BN_add(r0,&r1,&m1)) goto err;

	if (rsa->e && rsa->n)
		{
		if (!rsa->meth->bn_mod_exp(&vrfy,r0,rsa->e,rsa->n,ctx,rsa->_method_mod_n)) goto err;
		/* If 'I' was greater than (or equal to) rsa->n, the operation
		 * will be equivalent to using 'I mod n'. However, the result of
		 * the verify will *always* be less than 'n' so we don't check
		 * for absolute equality, just congruency. */
		if (!BN_sub(&vrfy, &vrfy, I)) goto err;
		if (!BN_mod(&vrfy, &vrfy, rsa->n, ctx)) goto err;
		if (BN_get_sign(&vrfy))
			if (!BN_add(&vrfy, &vrfy, rsa->n)) goto err;
		if (!BN_is_zero(&vrfy))
			/* 'I' and 'vrfy' aren't congruent mod n. Don't leak
			 * miscalculated CRT output, just do a raw (slower)
			 * mod_exp and return that instead. */
			if (!rsa->meth->bn_mod_exp(r0,I,rsa->d,rsa->n,ctx,
					rsa->_method_mod_n)) goto err;
		}
	ret=1;
err:
	BN_clear_free(&m1);
	BN_clear_free(&r1);
	BN_clear_free(&vrfy);
	BN_CTX_free(ctx);
	return(ret);
	}

static int RSA_eay_init(RSA *rsa)
	{
	rsa->flags|=RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE;
	return(1);
	}

static int RSA_eay_finish(RSA *rsa)
	{
	if (rsa->_method_mod_n != NULL)
		BN_MONT_CTX_free(rsa->_method_mod_n);
	if (rsa->_method_mod_p != NULL)
		BN_MONT_CTX_free(rsa->_method_mod_p);
	if (rsa->_method_mod_q != NULL)
		BN_MONT_CTX_free(rsa->_method_mod_q);
	return(1);
	}

#endif
Commit	Line	Data
58964a49 RE	1	/* crypto/rsa/rsa_eay.c */
	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
	3	* All rights reserved.
	4	*
	5	* This package is an SSL implementation written
	6	* by Eric Young (eay@cryptsoft.com).
	7	* The implementation was written so as to conform with Netscapes SSL.
	8	*
	9	* This library is free for commercial and non-commercial use as long as
	10	* the following conditions are aheared to. The following conditions
	11	* apply to all code found in this distribution, be it the RC4, RSA,
	12	* lhash, DES, etc., code; not just the SSL code. The SSL documentation
	13	* included with this distribution is covered by the same copyright terms
	14	* except that the holder is Tim Hudson (tjh@cryptsoft.com).
	15	*
	16	* Copyright remains Eric Young's, and as such any Copyright notices in
	17	* the code are not to be removed.
	18	* If this package is used in a product, Eric Young should be given attribution
	19	* as the author of the parts of the library used.
	20	* This can be in the form of a textual message at program startup or
	21	* in documentation (online or textual) provided with the package.
	22	*
	23	* Redistribution and use in source and binary forms, with or without
	24	* modification, are permitted provided that the following conditions
	25	* are met:
	26	* 1. Redistributions of source code must retain the copyright
	27	* notice, this list of conditions and the following disclaimer.
	28	* 2. Redistributions in binary form must reproduce the above copyright
	29	* notice, this list of conditions and the following disclaimer in the
	30	* documentation and/or other materials provided with the distribution.
	31	* 3. All advertising materials mentioning features or use of this software
	32	* must display the following acknowledgement:
	33	* "This product includes cryptographic software written by
	34	* Eric Young (eay@cryptsoft.com)"
	35	* The word 'cryptographic' can be left out if the rouines from the library
	36	* being used are not cryptographic related :-).
	37	* 4. If you include any Windows specific code (or a derivative thereof) from
	38	* the apps directory (application code) you must include an acknowledgement:
	39	* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
	40	*
	41	* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
	42	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	43	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	44	* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
	45	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	46	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
	47	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	48	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	49	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
	50	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
	51	* SUCH DAMAGE.
	52	*
	53	* The licence and distribution terms for any publically available version or
	54	* derivative of this code cannot be changed. i.e. this code cannot simply be
	55	* copied and put under another distribution licence
	56	* [including the GNU Public Licence.]
	57	*/
	58
	59	#include <stdio.h>
	60	#include "cryptlib.h"
ec577822 BM	61	#include <openssl/bn.h>
	62	#include <openssl/rsa.h>
	63	#include <openssl/rand.h>
0b13e9f0	64	#ifndef OPENSSL_NO_ENGINE
5270e702	65	#include <openssl/engine.h>
0b13e9f0	66	#endif
58964a49	67
c1cd88a0 DSH	68	#ifndef RSA_NULL
c1cd88a0 DSH	69
29c1f061	70	static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
58964a49	71	unsigned char to, RSA rsa,int padding);
29c1f061	72	static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
58964a49	73	unsigned char to, RSA rsa,int padding);
29c1f061	74	static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
58964a49	75	unsigned char to, RSA rsa,int padding);
29c1f061	76	static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
58964a49	77	unsigned char to, RSA rsa,int padding);
29c1f061	78	static int RSA_eay_mod_exp(BIGNUM r0, const BIGNUM i, RSA *rsa);
58964a49 RE	79	static int RSA_eay_init(RSA *rsa);
58964a49 RE	80	static int RSA_eay_finish(RSA *rsa);
58964a49 RE	81	static RSA_METHOD rsa_pkcs1_eay_meth={
	82	"Eric Young's PKCS#1 RSA",
	83	RSA_eay_public_encrypt,
24cff6ce BM	84	RSA_eay_public_decrypt, /* signature verification */
24cff6ce BM	85	RSA_eay_private_encrypt, /* signing */
58964a49 RE	86	RSA_eay_private_decrypt,
58964a49 RE	87	RSA_eay_mod_exp,
123d24d6	88	BN_mod_exp_mont, /* XXX probably we should not use Montgomery if e == 3 */
58964a49 RE	89	RSA_eay_init,
58964a49 RE	90	RSA_eay_finish,
be6d7700	91	0, /* flags */
58964a49	92	NULL,
be6d7700	93	0, /* rsa_sign */
2814c629 GT	94	0, /* rsa_verify */
2814c629 GT	95	NULL /* rsa_keygen */
58964a49 RE	96	};
58964a49 RE	97
7be7c2ed	98	const RSA_METHOD *RSA_PKCS1_SSLeay(void)
58964a49 RE	99	{
	100	return(&rsa_pkcs1_eay_meth);
	101	}
	102
79221bc2 GT	103	/* Static helper to reduce oodles of code duplication. As a slight
	104	* optimisation, the "MONT_HELPER() macro must be used as front-end to this
	105	* function, to prevent unnecessary function calls - there is an initial test
	106	* that is performed by the macro-generated code. */
	107	static int rsa_eay_mont_helper(BN_MONT_CTX *ptr, const BIGNUM modulus, BN_CTX *ctx)
	108	{
	109	BN_MONT_CTX *bn_mont_ctx;
	110	if((bn_mont_ctx = BN_MONT_CTX_new()) == NULL)
	111	return 0;
	112	if(!BN_MONT_CTX_set(bn_mont_ctx, modulus, ctx))
	113	{
	114	BN_MONT_CTX_free(bn_mont_ctx);
	115	return 0;
	116	}
	117	if (ptr == NULL) / other thread may have finished first */
	118	{
	119	CRYPTO_w_lock(CRYPTO_LOCK_RSA);
	120	if (ptr == NULL) / check again in the lock to stop races */
	121	{
	122	*ptr = bn_mont_ctx;
	123	bn_mont_ctx = NULL;
	124	}
	125	CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
	126	}
	127	if (bn_mont_ctx)
	128	BN_MONT_CTX_free(bn_mont_ctx);
	129	return 1;
	130	}
	131	/* Usage example;
	132	* MONT_HELPER(rsa, bn_ctx, p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
	133	*/
	134	#define MONT_HELPER(rsa, ctx, m, pre_cond, err_instr) \
	135	if((pre_cond) && ((rsa)->_method_mod_##m == NULL) && \
	136	!rsa_eay_mont_helper(&((rsa)->_method_mod_##m), \
	137	(rsa)->m, (ctx))) \
	138	err_instr
	139
29c1f061	140	static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
6b691a5c	141	unsigned char to, RSA rsa, int padding)
58964a49	142	{
dfeab068	143	BIGNUM f,ret;
58964a49 RE	144	int i,j,k,num=0,r= -1;
	145	unsigned char *buf=NULL;
	146	BN_CTX *ctx=NULL;
	147
dfeab068 RE	148	BN_init(&f);
dfeab068 RE	149	BN_init(&ret);
58964a49 RE	150	if ((ctx=BN_CTX_new()) == NULL) goto err;
58964a49 RE	151	num=BN_num_bytes(rsa->n);
26a3a48d	152	if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL)
58964a49 RE	153	{
	154	RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,ERR_R_MALLOC_FAILURE);
	155	goto err;
	156	}
	157
	158	switch (padding)
	159	{
	160	case RSA_PKCS1_PADDING:
	161	i=RSA_padding_add_PKCS1_type_2(buf,num,from,flen);
	162	break;
cf1b7d96	163	#ifndef OPENSSL_NO_SHA
a4949896 BL	164	case RSA_PKCS1_OAEP_PADDING:
	165	i=RSA_padding_add_PKCS1_OAEP(buf,num,from,flen,NULL,0);
	166	break;
79df9d62	167	#endif
58964a49 RE	168	case RSA_SSLV23_PADDING:
	169	i=RSA_padding_add_SSLv23(buf,num,from,flen);
	170	break;
	171	case RSA_NO_PADDING:
	172	i=RSA_padding_add_none(buf,num,from,flen);
	173	break;
	174	default:
	175	RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
	176	goto err;
	177	}
	178	if (i <= 0) goto err;
	179
dfeab068	180	if (BN_bin2bn(buf,num,&f) == NULL) goto err;
58964a49	181
24cff6ce BM	182	if (BN_ucmp(&f, rsa->n) >= 0)
	183	{
	184	/* usually the padding functions would catch this */
	185	RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
	186	goto err;
	187	}
	188
79221bc2 GT	189	MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
79221bc2 GT	190
cb78486d	191	if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
03f8b042	192	rsa->_method_mod_n)) goto err;
58964a49 RE	193
	194	/* put in leading 0 bytes if the number is less than the
	195	* length of the modulus */
dfeab068 RE	196	j=BN_num_bytes(&ret);
dfeab068 RE	197	i=BN_bn2bin(&ret,&(to[num-j]));
58964a49 RE	198	for (k=0; k<(num-i); k++)
	199	to[k]=0;
	200
	201	r=num;
	202	err:
	203	if (ctx != NULL) BN_CTX_free(ctx);
dfeab068 RE	204	BN_clear_free(&f);
dfeab068 RE	205	BN_clear_free(&ret);
58964a49 RE	206	if (buf != NULL)
58964a49 RE	207	{
4579924b	208	OPENSSL_cleanse(buf,num);
26a3a48d	209	OPENSSL_free(buf);
58964a49 RE	210	}
	211	return(r);
	212	}
	213
24cff6ce	214	/* signing */
29c1f061	215	static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
6b691a5c	216	unsigned char to, RSA rsa, int padding)
58964a49	217	{
dfeab068	218	BIGNUM f,ret;
58964a49 RE	219	int i,j,k,num=0,r= -1;
	220	unsigned char *buf=NULL;
	221	BN_CTX *ctx=NULL;
	222
dfeab068 RE	223	BN_init(&f);
	224	BN_init(&ret);
	225
58964a49 RE	226	if ((ctx=BN_CTX_new()) == NULL) goto err;
58964a49 RE	227	num=BN_num_bytes(rsa->n);
26a3a48d	228	if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL)
58964a49 RE	229	{
	230	RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE);
	231	goto err;
	232	}
	233
	234	switch (padding)
	235	{
	236	case RSA_PKCS1_PADDING:
	237	i=RSA_padding_add_PKCS1_type_1(buf,num,from,flen);
	238	break;
	239	case RSA_NO_PADDING:
	240	i=RSA_padding_add_none(buf,num,from,flen);
	241	break;
	242	case RSA_SSLV23_PADDING:
	243	default:
	244	RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
	245	goto err;
	246	}
	247	if (i <= 0) goto err;
	248
dfeab068	249	if (BN_bin2bn(buf,num,&f) == NULL) goto err;
24cff6ce BM	250
	251	if (BN_ucmp(&f, rsa->n) >= 0)
	252	{
	253	/* usually the padding functions would catch this */
	254	RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
	255	goto err;
	256	}
58964a49 RE	257
	258	if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
	259	RSA_blinding_on(rsa,ctx);
	260	if (rsa->flags & RSA_FLAG_BLINDING)
dfeab068	261	if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
58964a49	262
770d19b8 DSH	263	if ( (rsa->flags & RSA_FLAG_EXT_PKEY) \|\|
770d19b8 DSH	264	((rsa->p != NULL) &&
58964a49 RE	265	(rsa->q != NULL) &&
	266	(rsa->dmp1 != NULL) &&
	267	(rsa->dmq1 != NULL) &&
770d19b8	268	(rsa->iqmp != NULL)) )
cb78486d	269	{ if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
58964a49 RE	270	else
58964a49 RE	271	{
b12753df GT	272	MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
	273	if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,
	274	rsa->_method_mod_n)) goto err;
58964a49 RE	275	}
	276
	277	if (rsa->flags & RSA_FLAG_BLINDING)
dfeab068	278	if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;
58964a49 RE	279
	280	/* put in leading 0 bytes if the number is less than the
	281	* length of the modulus */
dfeab068 RE	282	j=BN_num_bytes(&ret);
dfeab068 RE	283	i=BN_bn2bin(&ret,&(to[num-j]));
58964a49 RE	284	for (k=0; k<(num-i); k++)
	285	to[k]=0;
	286
	287	r=num;
	288	err:
	289	if (ctx != NULL) BN_CTX_free(ctx);
dfeab068 RE	290	BN_clear_free(&ret);
dfeab068 RE	291	BN_clear_free(&f);
58964a49 RE	292	if (buf != NULL)
58964a49 RE	293	{
4579924b	294	OPENSSL_cleanse(buf,num);
26a3a48d	295	OPENSSL_free(buf);
58964a49 RE	296	}
	297	return(r);
	298	}
	299
29c1f061	300	static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
6b691a5c	301	unsigned char to, RSA rsa, int padding)
58964a49	302	{
dfeab068	303	BIGNUM f,ret;
58964a49 RE	304	int j,num=0,r= -1;
	305	unsigned char *p;
	306	unsigned char *buf=NULL;
	307	BN_CTX *ctx=NULL;
	308
dfeab068 RE	309	BN_init(&f);
dfeab068 RE	310	BN_init(&ret);
58964a49 RE	311	ctx=BN_CTX_new();
	312	if (ctx == NULL) goto err;
	313
	314	num=BN_num_bytes(rsa->n);
	315
26a3a48d	316	if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL)
58964a49 RE	317	{
	318	RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE);
	319	goto err;
	320	}
	321
657e60fa	322	/* This check was for equality but PGP does evil things
58964a49 RE	323	* and chops off the top '0' bytes */
	324	if (flen > num)
	325	{
	326	RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
	327	goto err;
	328	}
	329
	330	/* make data into a big number */
dfeab068	331	if (BN_bin2bn(from,(int)flen,&f) == NULL) goto err;
58964a49	332
24cff6ce BM	333	if (BN_ucmp(&f, rsa->n) >= 0)
	334	{
	335	RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
	336	goto err;
	337	}
	338
58964a49 RE	339	if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
	340	RSA_blinding_on(rsa,ctx);
	341	if (rsa->flags & RSA_FLAG_BLINDING)
dfeab068	342	if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
58964a49 RE	343
58964a49 RE	344	/* do the decrypt */
770d19b8 DSH	345	if ( (rsa->flags & RSA_FLAG_EXT_PKEY) \|\|
770d19b8 DSH	346	((rsa->p != NULL) &&
58964a49 RE	347	(rsa->q != NULL) &&
	348	(rsa->dmp1 != NULL) &&
	349	(rsa->dmq1 != NULL) &&
770d19b8	350	(rsa->iqmp != NULL)) )
cb78486d	351	{ if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
58964a49 RE	352	else
58964a49 RE	353	{
b12753df GT	354	MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
	355	if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,
	356	rsa->_method_mod_n))
58964a49 RE	357	goto err;
	358	}
	359
	360	if (rsa->flags & RSA_FLAG_BLINDING)
dfeab068	361	if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;
58964a49 RE	362
58964a49 RE	363	p=buf;
dfeab068	364	j=BN_bn2bin(&ret,p); /* j is only used with no-padding mode */
58964a49 RE	365
	366	switch (padding)
	367	{
	368	case RSA_PKCS1_PADDING:
dfeab068	369	r=RSA_padding_check_PKCS1_type_2(to,num,buf,j,num);
58964a49	370	break;
cf1b7d96	371	#ifndef OPENSSL_NO_SHA
a4949896 BL	372	case RSA_PKCS1_OAEP_PADDING:
	373	r=RSA_padding_check_PKCS1_OAEP(to,num,buf,j,num,NULL,0);
	374	break;
79df9d62	375	#endif
a4949896	376	case RSA_SSLV23_PADDING:
dfeab068	377	r=RSA_padding_check_SSLv23(to,num,buf,j,num);
58964a49 RE	378	break;
58964a49 RE	379	case RSA_NO_PADDING:
dfeab068	380	r=RSA_padding_check_none(to,num,buf,j,num);
58964a49 RE	381	break;
	382	default:
	383	RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
	384	goto err;
	385	}
	386	if (r < 0)
	387	RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
	388
	389	err:
	390	if (ctx != NULL) BN_CTX_free(ctx);
dfeab068 RE	391	BN_clear_free(&f);
dfeab068 RE	392	BN_clear_free(&ret);
58964a49 RE	393	if (buf != NULL)
58964a49 RE	394	{
4579924b	395	OPENSSL_cleanse(buf,num);
26a3a48d	396	OPENSSL_free(buf);
58964a49 RE	397	}
	398	return(r);
	399	}
	400
24cff6ce	401	/* signature verification */
29c1f061	402	static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
6b691a5c	403	unsigned char to, RSA rsa, int padding)
58964a49	404	{
dfeab068	405	BIGNUM f,ret;
58964a49 RE	406	int i,num=0,r= -1;
	407	unsigned char *p;
	408	unsigned char *buf=NULL;
	409	BN_CTX *ctx=NULL;
	410
dfeab068 RE	411	BN_init(&f);
dfeab068 RE	412	BN_init(&ret);
58964a49 RE	413	ctx=BN_CTX_new();
	414	if (ctx == NULL) goto err;
	415
	416	num=BN_num_bytes(rsa->n);
26a3a48d	417	buf=(unsigned char *)OPENSSL_malloc(num);
58964a49 RE	418	if (buf == NULL)
	419	{
	420	RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE);
	421	goto err;
	422	}
	423
657e60fa	424	/* This check was for equality but PGP does evil things
58964a49 RE	425	* and chops off the top '0' bytes */
	426	if (flen > num)
	427	{
	428	RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
	429	goto err;
	430	}
	431
dfeab068	432	if (BN_bin2bn(from,flen,&f) == NULL) goto err;
24cff6ce BM	433
	434	if (BN_ucmp(&f, rsa->n) >= 0)
	435	{
	436	RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
	437	goto err;
	438	}
	439
79221bc2 GT	440	MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
79221bc2 GT	441
cb78486d	442	if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
03f8b042	443	rsa->_method_mod_n)) goto err;
58964a49 RE	444
58964a49 RE	445	p=buf;
dfeab068	446	i=BN_bn2bin(&ret,p);
58964a49 RE	447
	448	switch (padding)
	449	{
	450	case RSA_PKCS1_PADDING:
dfeab068	451	r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num);
58964a49 RE	452	break;
58964a49 RE	453	case RSA_NO_PADDING:
dfeab068	454	r=RSA_padding_check_none(to,num,buf,i,num);
58964a49 RE	455	break;
	456	default:
	457	RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
	458	goto err;
	459	}
	460	if (r < 0)
	461	RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
	462
	463	err:
	464	if (ctx != NULL) BN_CTX_free(ctx);
dfeab068 RE	465	BN_clear_free(&f);
dfeab068 RE	466	BN_clear_free(&ret);
58964a49 RE	467	if (buf != NULL)
58964a49 RE	468	{
4579924b	469	OPENSSL_cleanse(buf,num);
26a3a48d	470	OPENSSL_free(buf);
58964a49 RE	471	}
	472	return(r);
	473	}
	474
29c1f061	475	static int RSA_eay_mod_exp(BIGNUM r0, const BIGNUM I, RSA *rsa)
58964a49	476	{
6a5b52ef	477	BIGNUM r1,m1,vrfy;
58964a49 RE	478	int ret=0;
	479	BN_CTX *ctx;
	480
dfeab068 RE	481	BN_init(&m1);
dfeab068 RE	482	BN_init(&r1);
6a5b52ef	483	BN_init(&vrfy);
9cdf87f1	484	if ((ctx=BN_CTX_new()) == NULL) goto err;
58964a49	485
79221bc2 GT	486	MONT_HELPER(rsa, ctx, p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
79221bc2 GT	487	MONT_HELPER(rsa, ctx, q, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
b12753df	488	MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
126fe085	489
dfeab068	490	if (!BN_mod(&r1,I,rsa->q,ctx)) goto err;
cb78486d	491	if (!rsa->meth->bn_mod_exp(&m1,&r1,rsa->dmq1,rsa->q,ctx,
03f8b042	492	rsa->_method_mod_q)) goto err;
58964a49	493
dfeab068	494	if (!BN_mod(&r1,I,rsa->p,ctx)) goto err;
cb78486d	495	if (!rsa->meth->bn_mod_exp(r0,&r1,rsa->dmp1,rsa->p,ctx,
03f8b042	496	rsa->_method_mod_p)) goto err;
58964a49	497
dfeab068 RE	498	if (!BN_sub(r0,r0,&m1)) goto err;
	499	/* This will help stop the size of r0 increasing, which does
	500	* affect the multiply if it optimised for a power of 2 size */
b53e44e5	501	if (BN_get_sign(r0))
dfeab068	502	if (!BN_add(r0,r0,rsa->p)) goto err;
58964a49	503
dfeab068 RE	504	if (!BN_mul(&r1,r0,rsa->iqmp,ctx)) goto err;
dfeab068 RE	505	if (!BN_mod(r0,&r1,rsa->p,ctx)) goto err;
abd4c915 DSH	506	/* If p < q it is occasionally possible for the correction of
	507	* adding 'p' if r0 is negative above to leave the result still
	508	* negative. This can break the private key operations: the following
	509	* second correction should always correct this rare occurrence.
	510	* This will never happen with OpenSSL generated keys because
	511	* they ensure p > q [steve]
	512	*/
b53e44e5	513	if (BN_get_sign(r0))
abd4c915	514	if (!BN_add(r0,r0,rsa->p)) goto err;
dfeab068 RE	515	if (!BN_mul(&r1,r0,rsa->q,ctx)) goto err;
dfeab068 RE	516	if (!BN_add(r0,&r1,&m1)) goto err;
58964a49	517
6a5b52ef UM	518	if (rsa->e && rsa->n)
6a5b52ef UM	519	{
79221bc2	520	if (!rsa->meth->bn_mod_exp(&vrfy,r0,rsa->e,rsa->n,ctx,rsa->_method_mod_n)) goto err;
81d1998e GT	521	/* If 'I' was greater than (or equal to) rsa->n, the operation
	522	* will be equivalent to using 'I mod n'. However, the result of
	523	* the verify will always be less than 'n' so we don't check
	524	* for absolute equality, just congruency. */
	525	if (!BN_sub(&vrfy, &vrfy, I)) goto err;
	526	if (!BN_mod(&vrfy, &vrfy, rsa->n, ctx)) goto err;
b53e44e5	527	if (BN_get_sign(&vrfy))
81d1998e GT	528	if (!BN_add(&vrfy, &vrfy, rsa->n)) goto err;
	529	if (!BN_is_zero(&vrfy))
	530	/* 'I' and 'vrfy' aren't congruent mod n. Don't leak
	531	* miscalculated CRT output, just do a raw (slower)
	532	* mod_exp and return that instead. */
b12753df GT	533	if (!rsa->meth->bn_mod_exp(r0,I,rsa->d,rsa->n,ctx,
b12753df GT	534	rsa->_method_mod_n)) goto err;
6a5b52ef	535	}
58964a49 RE	536	ret=1;
58964a49 RE	537	err:
dfeab068 RE	538	BN_clear_free(&m1);
dfeab068 RE	539	BN_clear_free(&r1);
6a5b52ef	540	BN_clear_free(&vrfy);
e03ddfae	541	BN_CTX_free(ctx);
58964a49 RE	542	return(ret);
	543	}
	544
6b691a5c	545	static int RSA_eay_init(RSA *rsa)
58964a49 RE	546	{
	547	rsa->flags\|=RSA_FLAG_CACHE_PUBLIC\|RSA_FLAG_CACHE_PRIVATE;
	548	return(1);
	549	}
	550
6b691a5c	551	static int RSA_eay_finish(RSA *rsa)
58964a49	552	{
03f8b042 BL	553	if (rsa->_method_mod_n != NULL)
	554	BN_MONT_CTX_free(rsa->_method_mod_n);
	555	if (rsa->_method_mod_p != NULL)
	556	BN_MONT_CTX_free(rsa->_method_mod_p);
	557	if (rsa->_method_mod_q != NULL)
	558	BN_MONT_CTX_free(rsa->_method_mod_q);
58964a49 RE	559	return(1);
	560	}
	561
c1cd88a0	562	#endif