]> git.ipfire.org Git - thirdparty/openssl.git/blame - crypto/rsa/rsa_ossl.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
rsa: add implicit rejection in PKCS#1 v1.5
[thirdparty/openssl.git] / crypto / rsa / rsa_ossl.c
CommitLineData
2039c421 1/*
fecb3aae 2 * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
46a64376 3 *
2a7b6f39 4 * Licensed under the Apache License 2.0 (the "License"). You may not use
2039c421
RS		 5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
46a64376 8 */
58964a49 9
c5f87134
P		 10/*
11 * RSA low level APIs are deprecated for public use, but still ok for
12 * internal use.
13 */
14#include "internal/deprecated.h"
15
b39fc560 16#include "internal/cryptlib.h"
25f2138b 17#include "crypto/bn.h"
706457b7
DMSP		 18#include "rsa_local.h"
19#include "internal/constant_time.h"
7fc67e0a
HK		 20#include <openssl/evp.h>
21#include <openssl/sha.h>
22#include <openssl/hmac.h>
58964a49 23
bf160551 24static int rsa_ossl_public_encrypt(int flen, const unsigned char *from,
0f113f3e 25 unsigned char *to, RSA *rsa, int padding);
bf160551 26static int rsa_ossl_private_encrypt(int flen, const unsigned char *from,
0f113f3e 27 unsigned char *to, RSA *rsa, int padding);
bf160551 28static int rsa_ossl_public_decrypt(int flen, const unsigned char *from,
0f113f3e 29 unsigned char *to, RSA *rsa, int padding);
bf160551 30static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
0f113f3e 31 unsigned char *to, RSA *rsa, int padding);
bf160551 32static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa,
0f113f3e 33 BN_CTX *ctx);
bf160551
RS		 34static int rsa_ossl_init(RSA *rsa);
35static int rsa_ossl_finish(RSA *rsa);
36static RSA_METHOD rsa_pkcs1_ossl_meth = {
076fc555 37 "OpenSSL PKCS#1 RSA",
bf160551
RS		 38 rsa_ossl_public_encrypt,
39 rsa_ossl_public_decrypt, /* signature verification */
40 rsa_ossl_private_encrypt, /* signing */
41 rsa_ossl_private_decrypt,
42 rsa_ossl_mod_exp,
0f113f3e
MC		 43 BN_mod_exp_mont, /* XXX probably we should not use Montgomery
44 * if e == 3 */
bf160551
RS		 45 rsa_ossl_init,
46 rsa_ossl_finish,
0f113f3e
MC		 47 RSA_FLAG_FIPS_METHOD, /* flags */
48 NULL,
49 0, /* rsa_sign */
50 0, /* rsa_verify */
665d899f
PY		 51 NULL, /* rsa_keygen */
52 NULL /* rsa_multi_prime_keygen */
0f113f3e 53};
58964a49 54
076fc555
RS		 55static const RSA_METHOD *default_RSA_meth = &rsa_pkcs1_ossl_meth;
56
57void RSA_set_default_method(const RSA_METHOD *meth)
58{
59 default_RSA_meth = meth;
60}
61
62const RSA_METHOD *RSA_get_default_method(void)
63{
64 return default_RSA_meth;
65}
66
b0700d2c 67const RSA_METHOD *RSA_PKCS1_OpenSSL(void)
0f113f3e 68{
bf160551 69 return &rsa_pkcs1_ossl_meth;
0f113f3e 70}
58964a49 71
076fc555
RS		 72const RSA_METHOD *RSA_null_method(void)
73{
74 return NULL;
75}
76
bf160551 77static int rsa_ossl_public_encrypt(int flen, const unsigned char *from,
0f113f3e
MC		 78 unsigned char *to, RSA *rsa, int padding)
79{
80 BIGNUM *f, *ret;
582ad5d4 81 int i, num = 0, r = -1;
0f113f3e
MC		 82 unsigned char *buf = NULL;
83 BN_CTX *ctx = NULL;
84
85 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
9311d0c4 86 ERR_raise(ERR_LIB_RSA, RSA_R_MODULUS_TOO_LARGE);
0f113f3e
MC		 87 return -1;
88 }
89
90 if (BN_ucmp(rsa->n, rsa->e) <= 0) {
9311d0c4 91 ERR_raise(ERR_LIB_RSA, RSA_R_BAD_E_VALUE);
0f113f3e
MC		 92 return -1;
93 }
94
95 /* for large moduli, enforce exponent limit */
96 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) {
97 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) {
9311d0c4 98 ERR_raise(ERR_LIB_RSA, RSA_R_BAD_E_VALUE);
0f113f3e
MC		 99 return -1;
100 }
101 }
102
afb638f1 103 if ((ctx = BN_CTX_new_ex(rsa->libctx)) == NULL)
0f113f3e
MC		 104 goto err;
105 BN_CTX_start(ctx);
106 f = BN_CTX_get(ctx);
107 ret = BN_CTX_get(ctx);
108 num = BN_num_bytes(rsa->n);
109 buf = OPENSSL_malloc(num);
e077455e 110 if (ret == NULL || buf == NULL)
0f113f3e 111 goto err;
0f113f3e
MC		 112
113 switch (padding) {
114 case RSA_PKCS1_PADDING:
23b2fc0b
P		 115 i = ossl_rsa_padding_add_PKCS1_type_2_ex(rsa->libctx, buf, num,
116 from, flen);
0f113f3e 117 break;
0f113f3e 118 case RSA_PKCS1_OAEP_PADDING:
23b2fc0b
P		 119 i = ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(rsa->libctx, buf, num,
120 from, flen, NULL, 0,
121 NULL, NULL);
0f113f3e 122 break;
0f113f3e
MC		 123 case RSA_NO_PADDING:
124 i = RSA_padding_add_none(buf, num, from, flen);
125 break;
126 default:
9311d0c4 127 ERR_raise(ERR_LIB_RSA, RSA_R_UNKNOWN_PADDING_TYPE);
0f113f3e
MC		 128 goto err;
129 }
130 if (i <= 0)
131 goto err;
132
133 if (BN_bin2bn(buf, num, f) == NULL)
134 goto err;
135
136 if (BN_ucmp(f, rsa->n) >= 0) {
137 /* usually the padding functions would catch this */
9311d0c4 138 ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
0f113f3e
MC		 139 goto err;
140 }
141
142 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
41bfd5e7
AP		 143 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,
144 rsa->n, ctx))
0f113f3e
MC		 145 goto err;
146
147 if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx,
148 rsa->_method_mod_n))
149 goto err;
150
151 /*
582ad5d4
AP		 152 * BN_bn2binpad puts in leading 0 bytes if the number is less than
153 * the length of the modulus.
0f113f3e 154 */
582ad5d4 155 r = BN_bn2binpad(ret, to, num);
0f113f3e 156 err:
ce1415ed 157 BN_CTX_end(ctx);
23a1d5e9 158 BN_CTX_free(ctx);
4b45c6e5 159 OPENSSL_clear_free(buf, num);
8686c474 160 return r;
0f113f3e 161}
58964a49 162
675f605d 163static BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx)
800e400d 164{
0f113f3e 165 BN_BLINDING *ret;
0f113f3e 166
cd3f8c1b
RS		 167 if (!CRYPTO_THREAD_write_lock(rsa->lock))
168 return NULL;
0f113f3e
MC		 169
170 if (rsa->blinding == NULL) {
d188a536 171 rsa->blinding = RSA_setup_blinding(rsa, ctx);
0f113f3e
MC		 172 }
173
174 ret = rsa->blinding;
175 if (ret == NULL)
176 goto err;
177
0b1a07c8 178 if (BN_BLINDING_is_current_thread(ret)) {
0f113f3e
MC		 179 /* rsa->blinding is ours! */
180
181 *local = 1;
182 } else {
183 /* resort to rsa->mt_blinding instead */
184
185 /*
186 * instructs rsa_blinding_convert(), rsa_blinding_invert() that the
187 * BN_BLINDING is shared, meaning that accesses require locks, and
188 * that the blinding factor must be stored outside the BN_BLINDING
189 */
190 *local = 0;
191
192 if (rsa->mt_blinding == NULL) {
d188a536 193 rsa->mt_blinding = RSA_setup_blinding(rsa, ctx);
0f113f3e
MC		 194 }
195 ret = rsa->mt_blinding;
196 }
5679bcce 197
675f605d 198 err:
d188a536 199 CRYPTO_THREAD_unlock(rsa->lock);
0f113f3e 200 return ret;
800e400d 201}
5679bcce 202
e5641d7f 203static int rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,
0f113f3e
MC		 204 BN_CTX *ctx)
205{
90862ab4 206 if (unblind == NULL) {
0f113f3e
MC		 207 /*
208 * Local blinding: store the unblinding factor in BN_BLINDING.
209 */
210 return BN_BLINDING_convert_ex(f, NULL, b, ctx);
90862ab4 211 } else {
0f113f3e
MC		 212 /*
213 * Shared blinding: store the unblinding factor outside BN_BLINDING.
214 */
215 int ret;
0b1a07c8 216
aefbcde2
JJ		 217 if (!BN_BLINDING_lock(b))
218 return 0;
219
0f113f3e 220 ret = BN_BLINDING_convert_ex(f, unblind, b, ctx);
0b1a07c8
AG		 221 BN_BLINDING_unlock(b);
222
0f113f3e
MC		 223 return ret;
224 }
225}
e5641d7f
BM		 226
227static int rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,
0f113f3e
MC		 228 BN_CTX *ctx)
229{
230 /*
231 * For local blinding, unblind is set to NULL, and BN_BLINDING_invert_ex
232 * will use the unblinding factor stored in BN_BLINDING. If BN_BLINDING
233 * is shared between threads, unblind must be non-null:
234 * BN_BLINDING_invert_ex will then use the local unblinding factor, and
235 * will only read the modulus from BN_BLINDING. In both cases it's safe
236 * to access the blinding without a lock.
237 */
238 return BN_BLINDING_invert_ex(f, unblind, b, ctx);
239}
5679bcce 240
24cff6ce 241/* signing */
bf160551 242static int rsa_ossl_private_encrypt(int flen, const unsigned char *from,
0f113f3e
MC		 243 unsigned char *to, RSA *rsa, int padding)
244{
245 BIGNUM *f, *ret, *res;
582ad5d4 246 int i, num = 0, r = -1;
0f113f3e
MC		 247 unsigned char *buf = NULL;
248 BN_CTX *ctx = NULL;
249 int local_blinding = 0;
250 /*
251 * Used only if the blinding structure is shared. A non-NULL unblind
252 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
253 * the unblinding factor outside the blinding structure.
254 */
255 BIGNUM *unblind = NULL;
256 BN_BLINDING *blinding = NULL;
257
afb638f1 258 if ((ctx = BN_CTX_new_ex(rsa->libctx)) == NULL)
0f113f3e
MC		 259 goto err;
260 BN_CTX_start(ctx);
261 f = BN_CTX_get(ctx);
262 ret = BN_CTX_get(ctx);
263 num = BN_num_bytes(rsa->n);
264 buf = OPENSSL_malloc(num);
e077455e 265 if (ret == NULL || buf == NULL)
0f113f3e 266 goto err;
0f113f3e
MC		 267
268 switch (padding) {
269 case RSA_PKCS1_PADDING:
270 i = RSA_padding_add_PKCS1_type_1(buf, num, from, flen);
271 break;
272 case RSA_X931_PADDING:
273 i = RSA_padding_add_X931(buf, num, from, flen);
274 break;
275 case RSA_NO_PADDING:
276 i = RSA_padding_add_none(buf, num, from, flen);
277 break;
0f113f3e 278 default:
9311d0c4 279 ERR_raise(ERR_LIB_RSA, RSA_R_UNKNOWN_PADDING_TYPE);
0f113f3e
MC		 280 goto err;
281 }
282 if (i <= 0)
283 goto err;
284
285 if (BN_bin2bn(buf, num, f) == NULL)
286 goto err;
287
288 if (BN_ucmp(f, rsa->n) >= 0) {
289 /* usually the padding functions would catch this */
9311d0c4 290 ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
0f113f3e
MC		 291 goto err;
292 }
293
2cc3f68c
AP		 294 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
295 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,
296 rsa->n, ctx))
297 goto err;
298
0f113f3e
MC		 299 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
300 blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
301 if (blinding == NULL) {
9311d0c4 302 ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
0f113f3e
MC		 303 goto err;
304 }
305 }
306
307 if (blinding != NULL) {
308 if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) {
e077455e 309 ERR_raise(ERR_LIB_RSA, ERR_R_BN_LIB);
0f113f3e
MC		 310 goto err;
311 }
312 if (!rsa_blinding_convert(blinding, f, unblind, ctx))
313 goto err;
314 }
315
316 if ((rsa->flags & RSA_FLAG_EXT_PKEY) ||
665d899f 317 (rsa->version == RSA_ASN1_VERSION_MULTI) ||
0f113f3e
MC		 318 ((rsa->p != NULL) &&
319 (rsa->q != NULL) &&
320 (rsa->dmp1 != NULL) && (rsa->dmq1 != NULL) && (rsa->iqmp != NULL))) {
321 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
322 goto err;
323 } else {
5584f65a
MC		 324 BIGNUM *d = BN_new();
325 if (d == NULL) {
e077455e 326 ERR_raise(ERR_LIB_RSA, ERR_R_BN_LIB);
5584f65a 327 goto err;
fd7d2520 328 }
7408f675 329 if (rsa->d == NULL) {
9311d0c4 330 ERR_raise(ERR_LIB_RSA, RSA_R_MISSING_PRIVATE_KEY);
7408f675
DO		 331 BN_free(d);
332 goto err;
333 }
5584f65a 334 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
0f113f3e 335
0f113f3e
MC		 336 if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
337 rsa->_method_mod_n)) {
5584f65a 338 BN_free(d);
0f113f3e
MC		 339 goto err;
340 }
5584f65a
MC		 341 /* We MUST free d before any further use of rsa->d */
342 BN_free(d);
0f113f3e
MC		 343 }
344
345 if (blinding)
346 if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
347 goto err;
348
349 if (padding == RSA_X931_PADDING) {
3d3cbce5
P		 350 if (!BN_sub(f, rsa->n, ret))
351 goto err;
0f113f3e
MC		 352 if (BN_cmp(ret, f) > 0)
353 res = f;
354 else
355 res = ret;
90862ab4 356 } else {
0f113f3e 357 res = ret;
90862ab4 358 }
0f113f3e
MC		 359
360 /*
582ad5d4
AP		 361 * BN_bn2binpad puts in leading 0 bytes if the number is less than
362 * the length of the modulus.
0f113f3e 363 */
582ad5d4 364 r = BN_bn2binpad(res, to, num);
0f113f3e 365 err:
ce1415ed 366 BN_CTX_end(ctx);
23a1d5e9 367 BN_CTX_free(ctx);
4b45c6e5 368 OPENSSL_clear_free(buf, num);
8686c474 369 return r;
0f113f3e 370}
58964a49 371
bf160551 372static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
0f113f3e
MC		 373 unsigned char *to, RSA *rsa, int padding)
374{
375 BIGNUM *f, *ret;
376 int j, num = 0, r = -1;
0f113f3e 377 unsigned char *buf = NULL;
7fc67e0a
HK		 378 unsigned char d_hash[SHA256_DIGEST_LENGTH] = {0};
379 HMAC_CTX *hmac = NULL;
380 unsigned int md_len = SHA256_DIGEST_LENGTH;
381 unsigned char kdk[SHA256_DIGEST_LENGTH] = {0};
0f113f3e
MC		 382 BN_CTX *ctx = NULL;
383 int local_blinding = 0;
7fc67e0a 384 EVP_MD *md = NULL;
0f113f3e
MC		 385 /*
386 * Used only if the blinding structure is shared. A non-NULL unblind
387 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
388 * the unblinding factor outside the blinding structure.
389 */
390 BIGNUM *unblind = NULL;
391 BN_BLINDING *blinding = NULL;
392
afb638f1 393 if ((ctx = BN_CTX_new_ex(rsa->libctx)) == NULL)
0f113f3e
MC		 394 goto err;
395 BN_CTX_start(ctx);
396 f = BN_CTX_get(ctx);
397 ret = BN_CTX_get(ctx);
e077455e
RL		 398 if (ret == NULL) {
399 ERR_raise(ERR_LIB_RSA, ERR_R_BN_LIB);
400 goto err;
401 }
0f113f3e
MC		 402 num = BN_num_bytes(rsa->n);
403 buf = OPENSSL_malloc(num);
e077455e 404 if (buf == NULL)
0f113f3e 405 goto err;
0f113f3e
MC		 406
407 /*
408 * This check was for equality but PGP does evil things and chops off the
409 * top '0' bytes
410 */
411 if (flen > num) {
9311d0c4 412 ERR_raise(ERR_LIB_RSA, RSA_R_DATA_GREATER_THAN_MOD_LEN);
0f113f3e
MC		 413 goto err;
414 }
415
7fc67e0a
HK		 416 if (flen < 1) {
417 ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_SMALL);
418 goto err;
419 }
420
0f113f3e
MC		 421 /* make data into a big number */
422 if (BN_bin2bn(from, (int)flen, f) == NULL)
423 goto err;
424
425 if (BN_ucmp(f, rsa->n) >= 0) {
9311d0c4 426 ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
0f113f3e
MC		 427 goto err;
428 }
429
430 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
431 blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
432 if (blinding == NULL) {
9311d0c4 433 ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
0f113f3e
MC		 434 goto err;
435 }
436 }
437
438 if (blinding != NULL) {
439 if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) {
e077455e 440 ERR_raise(ERR_LIB_RSA, ERR_R_BN_LIB);
0f113f3e
MC		 441 goto err;
442 }
443 if (!rsa_blinding_convert(blinding, f, unblind, ctx))
444 goto err;
445 }
446
447 /* do the decrypt */
448 if ((rsa->flags & RSA_FLAG_EXT_PKEY) ||
665d899f 449 (rsa->version == RSA_ASN1_VERSION_MULTI) ||
0f113f3e
MC		 450 ((rsa->p != NULL) &&
451 (rsa->q != NULL) &&
452 (rsa->dmp1 != NULL) && (rsa->dmq1 != NULL) && (rsa->iqmp != NULL))) {
453 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
454 goto err;
455 } else {
5584f65a
MC		 456 BIGNUM *d = BN_new();
457 if (d == NULL) {
e077455e 458 ERR_raise(ERR_LIB_RSA, ERR_R_BN_LIB);
5584f65a 459 goto err;
7408f675
DO		 460 }
461 if (rsa->d == NULL) {
9311d0c4 462 ERR_raise(ERR_LIB_RSA, RSA_R_MISSING_PRIVATE_KEY);
7408f675
DO		 463 BN_free(d);
464 goto err;
fd7d2520 465 }
5584f65a 466 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
0f113f3e
MC		 467
468 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
41bfd5e7
AP		 469 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,
470 rsa->n, ctx)) {
5584f65a 471 BN_free(d);
0f113f3e
MC		 472 goto err;
473 }
474 if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
475 rsa->_method_mod_n)) {
5584f65a 476 BN_free(d);
0f113f3e
MC		 477 goto err;
478 }
5584f65a
MC		 479 /* We MUST free d before any further use of rsa->d */
480 BN_free(d);
0f113f3e
MC		 481 }
482
483 if (blinding)
484 if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
485 goto err;
486
7fc67e0a
HK		 487 /*
488 * derive the Key Derivation Key from private exponent and public
489 * ciphertext
490 */
491 if (!(rsa->flags & RSA_FLAG_EXT_PKEY)) {
492 /*
493 * because we use d as a handle to rsa->d we need to keep it local and
494 * free before any further use of rsa->d
495 */
496 BIGNUM *d = BN_new();
497 if (d == NULL) {
498 ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
499 goto err;
500 }
501 if (rsa->d == NULL) {
502 ERR_raise(ERR_LIB_RSA, RSA_R_MISSING_PRIVATE_KEY);
503 BN_free(d);
504 goto err;
505 }
506 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
507 if (BN_bn2binpad(d, buf, num) < 0) {
508 ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
509 BN_free(d);
510 goto err;
511 }
512 BN_free(d);
513
514 /*
515 * we use hardcoded hash so that migrating between versions that use
516 * different hash doesn't provide a Bleichenbacher oracle:
517 * if the attacker can see that different versions return different
518 * messages for the same ciphertext, they'll know that the message is
519 * syntethically generated, which means that the padding check failed
520 */
521 md = EVP_MD_fetch(rsa->libctx, "sha256", NULL);
522 if (md == NULL) {
523 ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
524 goto err;
525 }
526
527 if (EVP_Digest(buf, num, d_hash, NULL, md, NULL) <= 0) {
528 ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
529 goto err;
530 }
531
532 hmac = HMAC_CTX_new();
533 if (hmac == NULL) {
534 ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
535 goto err;
536 }
537
538 if (HMAC_Init_ex(hmac, d_hash, sizeof(d_hash), md, NULL) <= 0) {
539 ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
540 goto err;
541 }
542
543 if (flen < num) {
544 memset(buf, 0, num - flen);
545 if (HMAC_Update(hmac, buf, num - flen) <= 0) {
546 ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
547 goto err;
548 }
549 }
550 if (HMAC_Update(hmac, from, flen) <= 0) {
551 ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
552 goto err;
553 }
554
555 md_len = SHA256_DIGEST_LENGTH;
556 if (HMAC_Final(hmac, kdk, &md_len) <= 0) {
557 ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
558 goto err;
559 }
560 }
561
582ad5d4 562 j = BN_bn2binpad(ret, buf, num);
4a3dd629
P		 563 if (j < 0)
564 goto err;
0f113f3e
MC		 565
566 switch (padding) {
567 case RSA_PKCS1_PADDING:
7fc67e0a
HK		 568 if (rsa->flags & RSA_FLAG_EXT_PKEY)
569 r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num);
570 else
571 r = ossl_rsa_padding_check_PKCS1_type_2(rsa->libctx, to, num, buf, j, num, kdk);
0f113f3e 572 break;
0f113f3e
MC		 573 case RSA_PKCS1_OAEP_PADDING:
574 r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0);
575 break;
0f113f3e 576 case RSA_NO_PADDING:
582ad5d4 577 memcpy(to, buf, (r = j));
0f113f3e
MC		 578 break;
579 default:
9311d0c4 580 ERR_raise(ERR_LIB_RSA, RSA_R_UNKNOWN_PADDING_TYPE);
0f113f3e
MC		 581 goto err;
582 }
f844f9eb 583#ifndef FIPS_MODULE
afb638f1
MC		 584 /*
585 * This trick doesn't work in the FIPS provider because libcrypto manages
586 * the error stack. Instead we opt not to put an error on the stack at all
587 * in case of padding failure in the FIPS provider.
588 */
9311d0c4 589 ERR_raise(ERR_LIB_RSA, RSA_R_PADDING_CHECK_FAILED);
94dc53a3 590 err_clear_last_constant_time(1 & ~constant_time_msb(r));
afb638f1 591#endif
0f113f3e
MC		 592
593 err:
7fc67e0a
HK		 594 HMAC_CTX_free(hmac);
595 EVP_MD_free(md);
ce1415ed 596 BN_CTX_end(ctx);
23a1d5e9 597 BN_CTX_free(ctx);
4b45c6e5 598 OPENSSL_clear_free(buf, num);
8686c474 599 return r;
0f113f3e 600}
58964a49 601
24cff6ce 602/* signature verification */
bf160551 603static int rsa_ossl_public_decrypt(int flen, const unsigned char *from,
0f113f3e
MC		 604 unsigned char *to, RSA *rsa, int padding)
605{
606 BIGNUM *f, *ret;
607 int i, num = 0, r = -1;
0f113f3e
MC		 608 unsigned char *buf = NULL;
609 BN_CTX *ctx = NULL;
610
611 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
9311d0c4 612 ERR_raise(ERR_LIB_RSA, RSA_R_MODULUS_TOO_LARGE);
0f113f3e
MC		 613 return -1;
614 }
615
616 if (BN_ucmp(rsa->n, rsa->e) <= 0) {
9311d0c4 617 ERR_raise(ERR_LIB_RSA, RSA_R_BAD_E_VALUE);
0f113f3e
MC		 618 return -1;
619 }
620
621 /* for large moduli, enforce exponent limit */
622 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) {
623 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) {
9311d0c4 624 ERR_raise(ERR_LIB_RSA, RSA_R_BAD_E_VALUE);
0f113f3e
MC		 625 return -1;
626 }
627 }
628
afb638f1 629 if ((ctx = BN_CTX_new_ex(rsa->libctx)) == NULL)
0f113f3e
MC		 630 goto err;
631 BN_CTX_start(ctx);
632 f = BN_CTX_get(ctx);
633 ret = BN_CTX_get(ctx);
e077455e
RL		 634 if (ret == NULL) {
635 ERR_raise(ERR_LIB_RSA, ERR_R_BN_LIB);
636 goto err;
637 }
0f113f3e
MC		 638 num = BN_num_bytes(rsa->n);
639 buf = OPENSSL_malloc(num);
e077455e 640 if (buf == NULL)
0f113f3e 641 goto err;
0f113f3e
MC		 642
643 /*
644 * This check was for equality but PGP does evil things and chops off the
645 * top '0' bytes
646 */
647 if (flen > num) {
9311d0c4 648 ERR_raise(ERR_LIB_RSA, RSA_R_DATA_GREATER_THAN_MOD_LEN);
0f113f3e
MC		 649 goto err;
650 }
651
652 if (BN_bin2bn(from, flen, f) == NULL)
653 goto err;
654
655 if (BN_ucmp(f, rsa->n) >= 0) {
9311d0c4 656 ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
0f113f3e
MC		 657 goto err;
658 }
659
660 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
41bfd5e7
AP		 661 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,
662 rsa->n, ctx))
0f113f3e
MC		 663 goto err;
664
665 if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx,
666 rsa->_method_mod_n))
667 goto err;
668
669 if ((padding == RSA_X931_PADDING) && ((bn_get_words(ret)[0] & 0xf) != 12))
670 if (!BN_sub(ret, rsa->n, ret))
671 goto err;
672
582ad5d4 673 i = BN_bn2binpad(ret, buf, num);
4a3dd629
P		 674 if (i < 0)
675 goto err;
0f113f3e
MC		 676
677 switch (padding) {
678 case RSA_PKCS1_PADDING:
679 r = RSA_padding_check_PKCS1_type_1(to, num, buf, i, num);
680 break;
681 case RSA_X931_PADDING:
682 r = RSA_padding_check_X931(to, num, buf, i, num);
683 break;
684 case RSA_NO_PADDING:
582ad5d4 685 memcpy(to, buf, (r = i));
0f113f3e
MC		 686 break;
687 default:
9311d0c4 688 ERR_raise(ERR_LIB_RSA, RSA_R_UNKNOWN_PADDING_TYPE);
0f113f3e
MC		 689 goto err;
690 }
691 if (r < 0)
9311d0c4 692 ERR_raise(ERR_LIB_RSA, RSA_R_PADDING_CHECK_FAILED);
0f113f3e
MC		 693
694 err:
ce1415ed 695 BN_CTX_end(ctx);
23a1d5e9 696 BN_CTX_free(ctx);
4b45c6e5 697 OPENSSL_clear_free(buf, num);
8686c474 698 return r;
0f113f3e 699}
58964a49 700
bf160551 701static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
0f113f3e 702{
afb638f1
MC		 703 BIGNUM *r1, *m1, *vrfy;
704 int ret = 0, smooth = 0;
f844f9eb 705#ifndef FIPS_MODULE
afb638f1
MC		 706 BIGNUM *r2, *m[RSA_MAX_PRIME_NUM - 2];
707 int i, ex_primes = 0;
665d899f 708 RSA_PRIME_INFO *pinfo;
afb638f1 709#endif
0f113f3e 710
c804d23d
PC		 711 BN_CTX_start(ctx);
712
0f113f3e 713 r1 = BN_CTX_get(ctx);
f844f9eb 714#ifndef FIPS_MODULE
665d899f 715 r2 = BN_CTX_get(ctx);
afb638f1 716#endif
0f113f3e
MC		 717 m1 = BN_CTX_get(ctx);
718 vrfy = BN_CTX_get(ctx);
5625567f
BE		 719 if (vrfy == NULL)
720 goto err;
0f113f3e 721
f844f9eb 722#ifndef FIPS_MODULE
665d899f 723 if (rsa->version == RSA_ASN1_VERSION_MULTI
a1471588
BE		 724 && ((ex_primes = sk_RSA_PRIME_INFO_num(rsa->prime_infos)) <= 0
725 || ex_primes > RSA_MAX_PRIME_NUM - 2))
665d899f 726 goto err;
afb638f1 727#endif
665d899f 728
41bfd5e7
AP		 729 if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) {
730 BIGNUM *factor = BN_new();
731
732 if (factor == NULL)
733 goto err;
0f113f3e
MC		 734
735 /*
0d4fb843 736 * Make sure BN_mod_inverse in Montgomery initialization uses the
5584f65a 737 * BN_FLG_CONSTTIME flag
0f113f3e 738 */
41bfd5e7
AP		 739 if (!(BN_with_flags(factor, rsa->p, BN_FLG_CONSTTIME),
740 BN_MONT_CTX_set_locked(&rsa->_method_mod_p, rsa->lock,
741 factor, ctx))
742 || !(BN_with_flags(factor, rsa->q, BN_FLG_CONSTTIME),
743 BN_MONT_CTX_set_locked(&rsa->_method_mod_q, rsa->lock,
744 factor, ctx))) {
745 BN_free(factor);
5584f65a 746 goto err;
0f113f3e 747 }
f844f9eb 748#ifndef FIPS_MODULE
41bfd5e7
AP		 749 for (i = 0; i < ex_primes; i++) {
750 pinfo = sk_RSA_PRIME_INFO_value(rsa->prime_infos, i);
751 BN_with_flags(factor, pinfo->r, BN_FLG_CONSTTIME);
752 if (!BN_MONT_CTX_set_locked(&pinfo->m, rsa->lock, factor, ctx)) {
753 BN_free(factor);
0f113f3e
MC		 754 goto err;
755 }
756 }
afb638f1 757#endif
fd7d2520 758 /*
41bfd5e7 759 * We MUST free |factor| before any further use of the prime factors
fd7d2520 760 */
41bfd5e7
AP		 761 BN_free(factor);
762
afb638f1 763 smooth = (rsa->meth->bn_mod_exp == BN_mod_exp_mont)
f844f9eb 764#ifndef FIPS_MODULE
afb638f1
MC		 765 && (ex_primes == 0)
766#endif
41bfd5e7 767 && (BN_num_bits(rsa->q) == BN_num_bits(rsa->p));
0f113f3e
MC		 768 }
769
770 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
41bfd5e7
AP		 771 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,
772 rsa->n, ctx))
773 goto err;
774
775 if (smooth) {
776 /*
777 * Conversion from Montgomery domain, a.k.a. Montgomery reduction,
778 * accepts values in [0-m*2^w) range. w is m's bit width rounded up
779 * to limb width. So that at the very least if |I| is fully reduced,
780 * i.e. less than p*q, we can count on from-to round to perform
781 * below modulo operations on |I|. Unlike BN_mod it's constant time.
782 */
783 if (/* m1 = I moq q */
784 !bn_from_mont_fixed_top(m1, I, rsa->_method_mod_q, ctx)
785 || !bn_to_mont_fixed_top(m1, m1, rsa->_method_mod_q, ctx)
41bfd5e7
AP		 786 /* r1 = I mod p */
787 || !bn_from_mont_fixed_top(r1, I, rsa->_method_mod_p, ctx)
788 || !bn_to_mont_fixed_top(r1, r1, rsa->_method_mod_p, ctx)
c781eb1c
AM		 789 /*
790 * Use parallel exponentiations optimization if possible,
791 * otherwise fallback to two sequential exponentiations:
792 * m1 = m1^dmq1 mod q
793 * r1 = r1^dmp1 mod p
794 */
795 || !BN_mod_exp_mont_consttime_x2(m1, m1, rsa->dmq1, rsa->q,
796 rsa->_method_mod_q,
797 r1, r1, rsa->dmp1, rsa->p,
798 rsa->_method_mod_p,
799 ctx)
41bfd5e7
AP		 800 /* r1 = (r1 - m1) mod p */
801 /*
802 * bn_mod_sub_fixed_top is not regular modular subtraction,
803 * it can tolerate subtrahend to be larger than modulus, but
804 * not bit-wise wider. This makes up for uncommon q>p case,
805 * when |m1| can be larger than |rsa->p|.
806 */
807 || !bn_mod_sub_fixed_top(r1, r1, m1, rsa->p)
808
d1c008f6 809 /* r1 = r1 * iqmp mod p */
41bfd5e7
AP		 810 || !bn_to_mont_fixed_top(r1, r1, rsa->_method_mod_p, ctx)
811 || !bn_mul_mont_fixed_top(r1, r1, rsa->iqmp, rsa->_method_mod_p,
812 ctx)
d1c008f6 813 /* r0 = r1 * q + m1 */
41bfd5e7
AP		 814 || !bn_mul_fixed_top(r0, r1, rsa->q, ctx)
815 || !bn_mod_add_fixed_top(r0, r0, m1, rsa->n))
0f113f3e
MC		 816 goto err;
817
41bfd5e7
AP		 818 goto tail;
819 }
820
0f113f3e 821 /* compute I mod q */
fd7d2520 822 {
5584f65a
MC		 823 BIGNUM *c = BN_new();
824 if (c == NULL)
825 goto err;
826 BN_with_flags(c, I, BN_FLG_CONSTTIME);
827
fd7d2520 828 if (!BN_mod(r1, c, rsa->q, ctx)) {
5584f65a 829 BN_free(c);
0f113f3e 830 goto err;
fd7d2520 831 }
0f113f3e 832
fd7d2520 833 {
5584f65a
MC		 834 BIGNUM *dmq1 = BN_new();
835 if (dmq1 == NULL) {
836 BN_free(c);
837 goto err;
fd7d2520 838 }
5584f65a
MC		 839 BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
840
841 /* compute r1^dmq1 mod q */
fd7d2520 842 if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx,
41bfd5e7 843 rsa->_method_mod_q)) {
5584f65a
MC		 844 BN_free(c);
845 BN_free(dmq1);
fd7d2520
MC		 846 goto err;
847 }
5584f65a
MC		 848 /* We MUST free dmq1 before any further use of rsa->dmq1 */
849 BN_free(dmq1);
fd7d2520 850 }
0f113f3e 851
fd7d2520
MC		 852 /* compute I mod p */
853 if (!BN_mod(r1, c, rsa->p, ctx)) {
5584f65a 854 BN_free(c);
0f113f3e 855 goto err;
fd7d2520 856 }
5584f65a
MC		 857 /* We MUST free c before any further use of I */
858 BN_free(c);
0f113f3e
MC		 859 }
860
fd7d2520 861 {
5584f65a
MC		 862 BIGNUM *dmp1 = BN_new();
863 if (dmp1 == NULL)
864 goto err;
865 BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
866
fd7d2520 867 /* compute r1^dmp1 mod p */
fd7d2520
MC		 868 if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p, ctx,
869 rsa->_method_mod_p)) {
5584f65a 870 BN_free(dmp1);
fd7d2520
MC		 871 goto err;
872 }
5584f65a
MC		 873 /* We MUST free dmp1 before any further use of rsa->dmp1 */
874 BN_free(dmp1);
fd7d2520 875 }
0f113f3e 876
f844f9eb 877#ifndef FIPS_MODULE
665d899f
PY		 878 if (ex_primes > 0) {
879 BIGNUM *di = BN_new(), *cc = BN_new();
880
881 if (cc == NULL || di == NULL) {
882 BN_free(cc);
883 BN_free(di);
884 goto err;
885 }
886
887 for (i = 0; i < ex_primes; i++) {
888 /* prepare m_i */
889 if ((m[i] = BN_CTX_get(ctx)) == NULL) {
890 BN_free(cc);
891 BN_free(di);
892 goto err;
893 }
894
895 pinfo = sk_RSA_PRIME_INFO_value(rsa->prime_infos, i);
896
897 /* prepare c and d_i */
898 BN_with_flags(cc, I, BN_FLG_CONSTTIME);
899 BN_with_flags(di, pinfo->d, BN_FLG_CONSTTIME);
900
901 if (!BN_mod(r1, cc, pinfo->r, ctx)) {
902 BN_free(cc);
903 BN_free(di);
904 goto err;
905 }
906 /* compute r1 ^ d_i mod r_i */
907 if (!rsa->meth->bn_mod_exp(m[i], r1, di, pinfo->r, ctx, pinfo->m)) {
908 BN_free(cc);
909 BN_free(di);
910 goto err;
911 }
912 }
913
914 BN_free(cc);
915 BN_free(di);
916 }
afb638f1 917#endif
665d899f 918
0f113f3e
MC		 919 if (!BN_sub(r0, r0, m1))
920 goto err;
921 /*
922 * This will help stop the size of r0 increasing, which does affect the
923 * multiply if it optimised for a power of 2 size
924 */
925 if (BN_is_negative(r0))
926 if (!BN_add(r0, r0, rsa->p))
927 goto err;
928
929 if (!BN_mul(r1, r0, rsa->iqmp, ctx))
930 goto err;
931
fd7d2520 932 {
5584f65a
MC		 933 BIGNUM *pr1 = BN_new();
934 if (pr1 == NULL)
935 goto err;
936 BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
937
fd7d2520 938 if (!BN_mod(r0, pr1, rsa->p, ctx)) {
5584f65a 939 BN_free(pr1);
fd7d2520
MC		 940 goto err;
941 }
5584f65a
MC		 942 /* We MUST free pr1 before any further use of r1 */
943 BN_free(pr1);
fd7d2520 944 }
0f113f3e
MC		 945
946 /*
947 * If p < q it is occasionally possible for the correction of adding 'p'
948 * if r0 is negative above to leave the result still negative. This can
949 * break the private key operations: the following second correction
950 * should *always* correct this rare occurrence. This will *never* happen
951 * with OpenSSL generated keys because they ensure p > q [steve]
952 */
953 if (BN_is_negative(r0))
954 if (!BN_add(r0, r0, rsa->p))
955 goto err;
956 if (!BN_mul(r1, r0, rsa->q, ctx))
957 goto err;
958 if (!BN_add(r0, r1, m1))
959 goto err;
960
f844f9eb 961#ifndef FIPS_MODULE
665d899f
PY		 962 /* add m_i to m in multi-prime case */
963 if (ex_primes > 0) {
964 BIGNUM *pr2 = BN_new();
965
966 if (pr2 == NULL)
967 goto err;
968
969 for (i = 0; i < ex_primes; i++) {
970 pinfo = sk_RSA_PRIME_INFO_value(rsa->prime_infos, i);
971 if (!BN_sub(r1, m[i], r0)) {
972 BN_free(pr2);
973 goto err;
974 }
975
976 if (!BN_mul(r2, r1, pinfo->t, ctx)) {
977 BN_free(pr2);
978 goto err;
979 }
980
981 BN_with_flags(pr2, r2, BN_FLG_CONSTTIME);
982
983 if (!BN_mod(r1, pr2, pinfo->r, ctx)) {
984 BN_free(pr2);
985 goto err;
986 }
987
988 if (BN_is_negative(r1))
989 if (!BN_add(r1, r1, pinfo->r)) {
990 BN_free(pr2);
991 goto err;
992 }
993 if (!BN_mul(r1, r1, pinfo->pp, ctx)) {
994 BN_free(pr2);
995 goto err;
996 }
997 if (!BN_add(r0, r0, r1)) {
998 BN_free(pr2);
999 goto err;
1000 }
1001 }
1002 BN_free(pr2);
1003 }
afb638f1 1004#endif
665d899f 1005
41bfd5e7 1006 tail:
0f113f3e 1007 if (rsa->e && rsa->n) {
41bfd5e7
AP		 1008 if (rsa->meth->bn_mod_exp == BN_mod_exp_mont) {
1009 if (!BN_mod_exp_mont(vrfy, r0, rsa->e, rsa->n, ctx,
1010 rsa->_method_mod_n))
1011 goto err;
1012 } else {
1013 bn_correct_top(r0);
1014 if (!rsa->meth->bn_mod_exp(vrfy, r0, rsa->e, rsa->n, ctx,
1015 rsa->_method_mod_n))
1016 goto err;
1017 }
0f113f3e
MC		 1018 /*
1019 * If 'I' was greater than (or equal to) rsa->n, the operation will
1020 * be equivalent to using 'I mod n'. However, the result of the
1021 * verify will *always* be less than 'n' so we don't check for
1022 * absolute equality, just congruency.
1023 */
1024 if (!BN_sub(vrfy, vrfy, I))
1025 goto err;
41bfd5e7
AP		 1026 if (BN_is_zero(vrfy)) {
1027 bn_correct_top(r0);
1028 ret = 1;
1029 goto err; /* not actually error */
1030 }
0f113f3e
MC		 1031 if (!BN_mod(vrfy, vrfy, rsa->n, ctx))
1032 goto err;
1033 if (BN_is_negative(vrfy))
1034 if (!BN_add(vrfy, vrfy, rsa->n))
1035 goto err;
1036 if (!BN_is_zero(vrfy)) {
1037 /*
1038 * 'I' and 'vrfy' aren't congruent mod n. Don't leak
1039 * miscalculated CRT output, just do a raw (slower) mod_exp and
1040 * return that instead.
1041 */
1042
5584f65a
MC		 1043 BIGNUM *d = BN_new();
1044 if (d == NULL)
1045 goto err;
1046 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
0f113f3e 1047
0f113f3e
MC		 1048 if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx,
1049 rsa->_method_mod_n)) {
5584f65a 1050 BN_free(d);
0f113f3e
MC		 1051 goto err;
1052 }
5584f65a
MC		 1053 /* We MUST free d before any further use of rsa->d */
1054 BN_free(d);
0f113f3e
MC		 1055 }
1056 }
41bfd5e7
AP		 1057 /*
1058 * It's unfortunate that we have to bn_correct_top(r0). What hopefully
1059 * saves the day is that correction is highly unlike, and private key
1060 * operations are customarily performed on blinded message. Which means
1061 * that attacker won't observe correlation with chosen plaintext.
1062 * Secondly, remaining code would still handle it in same computational
1063 * time and even conceal memory access pattern around corrected top.
1064 */
1065 bn_correct_top(r0);
0f113f3e
MC		 1066 ret = 1;
1067 err:
0f113f3e 1068 BN_CTX_end(ctx);
8686c474 1069 return ret;
0f113f3e 1070}
58964a49 1071
bf160551 1072static int rsa_ossl_init(RSA *rsa)
0f113f3e
MC		 1073{
1074 rsa->flags |= RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE;
8686c474 1075 return 1;
0f113f3e 1076}
58964a49 1077
bf160551 1078static int rsa_ossl_finish(RSA *rsa)
0f113f3e 1079{
f844f9eb 1080#ifndef FIPS_MODULE
665d899f
PY		 1081 int i;
1082 RSA_PRIME_INFO *pinfo;
1083
665d899f
PY		 1084 for (i = 0; i < sk_RSA_PRIME_INFO_num(rsa->prime_infos); i++) {
1085 pinfo = sk_RSA_PRIME_INFO_value(rsa->prime_infos, i);
1086 BN_MONT_CTX_free(pinfo->m);
1087 }
afb638f1
MC		 1088#endif
1089
1090 BN_MONT_CTX_free(rsa->_method_mod_n);
1091 BN_MONT_CTX_free(rsa->_method_mod_p);
1092 BN_MONT_CTX_free(rsa->_method_mod_q);
8686c474 1093 return 1;
0f113f3e 1094}
A mirror of the official openssl repository