]> git.ipfire.org Git - thirdparty/openssl.git/blame - crypto/rsa/rsa_ossl.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Fix Timing Oracle in RSA decryption
[thirdparty/openssl.git] / crypto / rsa / rsa_ossl.c
CommitLineData
2039c421 1/*
fecb3aae 2 * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
46a64376 3 *
2a7b6f39 4 * Licensed under the Apache License 2.0 (the "License"). You may not use
2039c421
RS		 5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
46a64376 8 */
58964a49 9
c5f87134
P		 10/*
11 * RSA low level APIs are deprecated for public use, but still ok for
12 * internal use.
13 */
14#include "internal/deprecated.h"
15
b39fc560 16#include "internal/cryptlib.h"
25f2138b 17#include "crypto/bn.h"
706457b7
DMSP		 18#include "rsa_local.h"
19#include "internal/constant_time.h"
7fc67e0a
HK		 20#include <openssl/evp.h>
21#include <openssl/sha.h>
22#include <openssl/hmac.h>
58964a49 23
bf160551 24static int rsa_ossl_public_encrypt(int flen, const unsigned char *from,
0f113f3e 25 unsigned char *to, RSA *rsa, int padding);
bf160551 26static int rsa_ossl_private_encrypt(int flen, const unsigned char *from,
0f113f3e 27 unsigned char *to, RSA *rsa, int padding);
bf160551 28static int rsa_ossl_public_decrypt(int flen, const unsigned char *from,
0f113f3e 29 unsigned char *to, RSA *rsa, int padding);
bf160551 30static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
0f113f3e 31 unsigned char *to, RSA *rsa, int padding);
bf160551 32static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa,
0f113f3e 33 BN_CTX *ctx);
bf160551
RS		 34static int rsa_ossl_init(RSA *rsa);
35static int rsa_ossl_finish(RSA *rsa);
36static RSA_METHOD rsa_pkcs1_ossl_meth = {
076fc555 37 "OpenSSL PKCS#1 RSA",
bf160551
RS		 38 rsa_ossl_public_encrypt,
39 rsa_ossl_public_decrypt, /* signature verification */
40 rsa_ossl_private_encrypt, /* signing */
41 rsa_ossl_private_decrypt,
42 rsa_ossl_mod_exp,
0f113f3e
MC		 43 BN_mod_exp_mont, /* XXX probably we should not use Montgomery
44 * if e == 3 */
bf160551
RS		 45 rsa_ossl_init,
46 rsa_ossl_finish,
0f113f3e
MC		 47 RSA_FLAG_FIPS_METHOD, /* flags */
48 NULL,
49 0, /* rsa_sign */
50 0, /* rsa_verify */
665d899f
PY		 51 NULL, /* rsa_keygen */
52 NULL /* rsa_multi_prime_keygen */
0f113f3e 53};
58964a49 54
076fc555
RS		 55static const RSA_METHOD *default_RSA_meth = &rsa_pkcs1_ossl_meth;
56
57void RSA_set_default_method(const RSA_METHOD *meth)
58{
59 default_RSA_meth = meth;
60}
61
62const RSA_METHOD *RSA_get_default_method(void)
63{
64 return default_RSA_meth;
65}
66
b0700d2c 67const RSA_METHOD *RSA_PKCS1_OpenSSL(void)
0f113f3e 68{
bf160551 69 return &rsa_pkcs1_ossl_meth;
0f113f3e 70}
58964a49 71
076fc555
RS		 72const RSA_METHOD *RSA_null_method(void)
73{
74 return NULL;
75}
76
bf160551 77static int rsa_ossl_public_encrypt(int flen, const unsigned char *from,
0f113f3e
MC		 78 unsigned char *to, RSA *rsa, int padding)
79{
80 BIGNUM *f, *ret;
582ad5d4 81 int i, num = 0, r = -1;
0f113f3e
MC		 82 unsigned char *buf = NULL;
83 BN_CTX *ctx = NULL;
84
85 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
9311d0c4 86 ERR_raise(ERR_LIB_RSA, RSA_R_MODULUS_TOO_LARGE);
0f113f3e
MC		 87 return -1;
88 }
89
90 if (BN_ucmp(rsa->n, rsa->e) <= 0) {
9311d0c4 91 ERR_raise(ERR_LIB_RSA, RSA_R_BAD_E_VALUE);
0f113f3e
MC		 92 return -1;
93 }
94
95 /* for large moduli, enforce exponent limit */
96 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) {
97 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) {
9311d0c4 98 ERR_raise(ERR_LIB_RSA, RSA_R_BAD_E_VALUE);
0f113f3e
MC		 99 return -1;
100 }
101 }
102
afb638f1 103 if ((ctx = BN_CTX_new_ex(rsa->libctx)) == NULL)
0f113f3e
MC		 104 goto err;
105 BN_CTX_start(ctx);
106 f = BN_CTX_get(ctx);
107 ret = BN_CTX_get(ctx);
108 num = BN_num_bytes(rsa->n);
109 buf = OPENSSL_malloc(num);
e077455e 110 if (ret == NULL || buf == NULL)
0f113f3e 111 goto err;
0f113f3e
MC		 112
113 switch (padding) {
114 case RSA_PKCS1_PADDING:
23b2fc0b
P		 115 i = ossl_rsa_padding_add_PKCS1_type_2_ex(rsa->libctx, buf, num,
116 from, flen);
0f113f3e 117 break;
0f113f3e 118 case RSA_PKCS1_OAEP_PADDING:
23b2fc0b
P		 119 i = ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(rsa->libctx, buf, num,
120 from, flen, NULL, 0,
121 NULL, NULL);
0f113f3e 122 break;
0f113f3e
MC		 123 case RSA_NO_PADDING:
124 i = RSA_padding_add_none(buf, num, from, flen);
125 break;
126 default:
9311d0c4 127 ERR_raise(ERR_LIB_RSA, RSA_R_UNKNOWN_PADDING_TYPE);
0f113f3e
MC		 128 goto err;
129 }
130 if (i <= 0)
131 goto err;
132
133 if (BN_bin2bn(buf, num, f) == NULL)
134 goto err;
135
136 if (BN_ucmp(f, rsa->n) >= 0) {
137 /* usually the padding functions would catch this */
9311d0c4 138 ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
0f113f3e
MC		 139 goto err;
140 }
141
142 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
41bfd5e7
AP		 143 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,
144 rsa->n, ctx))
0f113f3e
MC		 145 goto err;
146
147 if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx,
148 rsa->_method_mod_n))
149 goto err;
150
151 /*
582ad5d4
AP		 152 * BN_bn2binpad puts in leading 0 bytes if the number is less than
153 * the length of the modulus.
0f113f3e 154 */
582ad5d4 155 r = BN_bn2binpad(ret, to, num);
0f113f3e 156 err:
ce1415ed 157 BN_CTX_end(ctx);
23a1d5e9 158 BN_CTX_free(ctx);
4b45c6e5 159 OPENSSL_clear_free(buf, num);
8686c474 160 return r;
0f113f3e 161}
58964a49 162
675f605d 163static BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx)
800e400d 164{
0f113f3e 165 BN_BLINDING *ret;
0f113f3e 166
cd3f8c1b
RS		 167 if (!CRYPTO_THREAD_write_lock(rsa->lock))
168 return NULL;
0f113f3e
MC		 169
170 if (rsa->blinding == NULL) {
d188a536 171 rsa->blinding = RSA_setup_blinding(rsa, ctx);
0f113f3e
MC		 172 }
173
174 ret = rsa->blinding;
175 if (ret == NULL)
176 goto err;
177
0b1a07c8 178 if (BN_BLINDING_is_current_thread(ret)) {
0f113f3e
MC		 179 /* rsa->blinding is ours! */
180
181 *local = 1;
182 } else {
183 /* resort to rsa->mt_blinding instead */
184
185 /*
186 * instructs rsa_blinding_convert(), rsa_blinding_invert() that the
187 * BN_BLINDING is shared, meaning that accesses require locks, and
188 * that the blinding factor must be stored outside the BN_BLINDING
189 */
190 *local = 0;
191
192 if (rsa->mt_blinding == NULL) {
d188a536 193 rsa->mt_blinding = RSA_setup_blinding(rsa, ctx);
0f113f3e
MC		 194 }
195 ret = rsa->mt_blinding;
196 }
5679bcce 197
675f605d 198 err:
d188a536 199 CRYPTO_THREAD_unlock(rsa->lock);
0f113f3e 200 return ret;
800e400d 201}
5679bcce 202
e5641d7f 203static int rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,
0f113f3e
MC		 204 BN_CTX *ctx)
205{
90862ab4 206 if (unblind == NULL) {
0f113f3e
MC		 207 /*
208 * Local blinding: store the unblinding factor in BN_BLINDING.
209 */
210 return BN_BLINDING_convert_ex(f, NULL, b, ctx);
90862ab4 211 } else {
0f113f3e
MC		 212 /*
213 * Shared blinding: store the unblinding factor outside BN_BLINDING.
214 */
215 int ret;
0b1a07c8 216
aefbcde2
JJ		 217 if (!BN_BLINDING_lock(b))
218 return 0;
219
0f113f3e 220 ret = BN_BLINDING_convert_ex(f, unblind, b, ctx);
0b1a07c8
AG		 221 BN_BLINDING_unlock(b);
222
0f113f3e
MC		 223 return ret;
224 }
225}
e5641d7f
BM		 226
227static int rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,
0f113f3e
MC		 228 BN_CTX *ctx)
229{
230 /*
231 * For local blinding, unblind is set to NULL, and BN_BLINDING_invert_ex
232 * will use the unblinding factor stored in BN_BLINDING. If BN_BLINDING
233 * is shared between threads, unblind must be non-null:
234 * BN_BLINDING_invert_ex will then use the local unblinding factor, and
235 * will only read the modulus from BN_BLINDING. In both cases it's safe
236 * to access the blinding without a lock.
237 */
238 return BN_BLINDING_invert_ex(f, unblind, b, ctx);
239}
5679bcce 240
24cff6ce 241/* signing */
bf160551 242static int rsa_ossl_private_encrypt(int flen, const unsigned char *from,
0f113f3e
MC		 243 unsigned char *to, RSA *rsa, int padding)
244{
245 BIGNUM *f, *ret, *res;
582ad5d4 246 int i, num = 0, r = -1;
0f113f3e
MC		 247 unsigned char *buf = NULL;
248 BN_CTX *ctx = NULL;
249 int local_blinding = 0;
250 /*
251 * Used only if the blinding structure is shared. A non-NULL unblind
252 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
253 * the unblinding factor outside the blinding structure.
254 */
255 BIGNUM *unblind = NULL;
256 BN_BLINDING *blinding = NULL;
257
afb638f1 258 if ((ctx = BN_CTX_new_ex(rsa->libctx)) == NULL)
0f113f3e
MC		 259 goto err;
260 BN_CTX_start(ctx);
261 f = BN_CTX_get(ctx);
262 ret = BN_CTX_get(ctx);
263 num = BN_num_bytes(rsa->n);
264 buf = OPENSSL_malloc(num);
e077455e 265 if (ret == NULL || buf == NULL)
0f113f3e 266 goto err;
0f113f3e
MC		 267
268 switch (padding) {
269 case RSA_PKCS1_PADDING:
270 i = RSA_padding_add_PKCS1_type_1(buf, num, from, flen);
271 break;
272 case RSA_X931_PADDING:
273 i = RSA_padding_add_X931(buf, num, from, flen);
274 break;
275 case RSA_NO_PADDING:
276 i = RSA_padding_add_none(buf, num, from, flen);
277 break;
0f113f3e 278 default:
9311d0c4 279 ERR_raise(ERR_LIB_RSA, RSA_R_UNKNOWN_PADDING_TYPE);
0f113f3e
MC		 280 goto err;
281 }
282 if (i <= 0)
283 goto err;
284
285 if (BN_bin2bn(buf, num, f) == NULL)
286 goto err;
287
288 if (BN_ucmp(f, rsa->n) >= 0) {
289 /* usually the padding functions would catch this */
9311d0c4 290 ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
0f113f3e
MC		 291 goto err;
292 }
293
2cc3f68c
AP		 294 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
295 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,
296 rsa->n, ctx))
297 goto err;
298
0f113f3e
MC		 299 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
300 blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
301 if (blinding == NULL) {
9311d0c4 302 ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
0f113f3e
MC		 303 goto err;
304 }
305 }
306
307 if (blinding != NULL) {
308 if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) {
e077455e 309 ERR_raise(ERR_LIB_RSA, ERR_R_BN_LIB);
0f113f3e
MC		 310 goto err;
311 }
312 if (!rsa_blinding_convert(blinding, f, unblind, ctx))
313 goto err;
314 }
315
316 if ((rsa->flags & RSA_FLAG_EXT_PKEY) ||
665d899f 317 (rsa->version == RSA_ASN1_VERSION_MULTI) ||
0f113f3e
MC		 318 ((rsa->p != NULL) &&
319 (rsa->q != NULL) &&
320 (rsa->dmp1 != NULL) && (rsa->dmq1 != NULL) && (rsa->iqmp != NULL))) {
321 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
322 goto err;
323 } else {
5584f65a
MC		 324 BIGNUM *d = BN_new();
325 if (d == NULL) {
e077455e 326 ERR_raise(ERR_LIB_RSA, ERR_R_BN_LIB);
5584f65a 327 goto err;
fd7d2520 328 }
7408f675 329 if (rsa->d == NULL) {
9311d0c4 330 ERR_raise(ERR_LIB_RSA, RSA_R_MISSING_PRIVATE_KEY);
7408f675
DO		 331 BN_free(d);
332 goto err;
333 }
5584f65a 334 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
0f113f3e 335
0f113f3e
MC		 336 if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
337 rsa->_method_mod_n)) {
5584f65a 338 BN_free(d);
0f113f3e
MC		 339 goto err;
340 }
5584f65a
MC		 341 /* We MUST free d before any further use of rsa->d */
342 BN_free(d);
0f113f3e
MC		 343 }
344
345 if (blinding)
346 if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
347 goto err;
348
349 if (padding == RSA_X931_PADDING) {
3d3cbce5
P		 350 if (!BN_sub(f, rsa->n, ret))
351 goto err;
0f113f3e
MC		 352 if (BN_cmp(ret, f) > 0)
353 res = f;
354 else
355 res = ret;
90862ab4 356 } else {
0f113f3e 357 res = ret;
90862ab4 358 }
0f113f3e
MC		 359
360 /*
582ad5d4
AP		 361 * BN_bn2binpad puts in leading 0 bytes if the number is less than
362 * the length of the modulus.
0f113f3e 363 */
582ad5d4 364 r = BN_bn2binpad(res, to, num);
0f113f3e 365 err:
ce1415ed 366 BN_CTX_end(ctx);
23a1d5e9 367 BN_CTX_free(ctx);
4b45c6e5 368 OPENSSL_clear_free(buf, num);
8686c474 369 return r;
0f113f3e 370}
58964a49 371
b1892d21
DB		 372static int derive_kdk(int flen, const unsigned char *from, RSA *rsa,
373 unsigned char *buf, int num, unsigned char *kdk)
374{
375 int ret = 0;
376 HMAC_CTX *hmac = NULL;
377 EVP_MD *md = NULL;
378 unsigned int md_len = SHA256_DIGEST_LENGTH;
379 unsigned char d_hash[SHA256_DIGEST_LENGTH] = {0};
380 /*
381 * because we use d as a handle to rsa->d we need to keep it local and
382 * free before any further use of rsa->d
383 */
384 BIGNUM *d = BN_new();
385
386 if (d == NULL) {
387 ERR_raise(ERR_LIB_RSA, ERR_R_CRYPTO_LIB);
388 goto err;
389 }
390 if (rsa->d == NULL) {
391 ERR_raise(ERR_LIB_RSA, RSA_R_MISSING_PRIVATE_KEY);
392 BN_free(d);
393 goto err;
394 }
395 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
396 if (BN_bn2binpad(d, buf, num) < 0) {
397 ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
398 BN_free(d);
399 goto err;
400 }
401 BN_free(d);
402
403 /*
404 * we use hardcoded hash so that migrating between versions that use
405 * different hash doesn't provide a Bleichenbacher oracle:
406 * if the attacker can see that different versions return different
407 * messages for the same ciphertext, they'll know that the message is
408 * syntethically generated, which means that the padding check failed
409 */
410 md = EVP_MD_fetch(rsa->libctx, "sha256", NULL);
411 if (md == NULL) {
412 ERR_raise(ERR_LIB_RSA, ERR_R_FETCH_FAILED);
413 goto err;
414 }
415
416 if (EVP_Digest(buf, num, d_hash, NULL, md, NULL) <= 0) {
417 ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
418 goto err;
419 }
420
421 hmac = HMAC_CTX_new();
422 if (hmac == NULL) {
423 ERR_raise(ERR_LIB_RSA, ERR_R_CRYPTO_LIB);
424 goto err;
425 }
426
427 if (HMAC_Init_ex(hmac, d_hash, sizeof(d_hash), md, NULL) <= 0) {
428 ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
429 goto err;
430 }
431
432 if (flen < num) {
433 memset(buf, 0, num - flen);
434 if (HMAC_Update(hmac, buf, num - flen) <= 0) {
435 ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
436 goto err;
437 }
438 }
439 if (HMAC_Update(hmac, from, flen) <= 0) {
440 ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
441 goto err;
442 }
443
444 md_len = SHA256_DIGEST_LENGTH;
445 if (HMAC_Final(hmac, kdk, &md_len) <= 0) {
446 ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
447 goto err;
448 }
449 ret = 1;
450
451 err:
452 HMAC_CTX_free(hmac);
453 EVP_MD_free(md);
454 return ret;
455}
456
bf160551 457static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
0f113f3e
MC		 458 unsigned char *to, RSA *rsa, int padding)
459{
460 BIGNUM *f, *ret;
461 int j, num = 0, r = -1;
0f113f3e 462 unsigned char *buf = NULL;
7fc67e0a 463 unsigned char kdk[SHA256_DIGEST_LENGTH] = {0};
0f113f3e
MC		 464 BN_CTX *ctx = NULL;
465 int local_blinding = 0;
466 /*
467 * Used only if the blinding structure is shared. A non-NULL unblind
468 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
469 * the unblinding factor outside the blinding structure.
470 */
471 BIGNUM *unblind = NULL;
472 BN_BLINDING *blinding = NULL;
473
5ab3ec1b
HK		 474 /*
475 * we need the value of the private exponent to perform implicit rejection
476 */
477 if ((rsa->flags & RSA_FLAG_EXT_PKEY) && (padding == RSA_PKCS1_PADDING))
478 padding = RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING;
479
afb638f1 480 if ((ctx = BN_CTX_new_ex(rsa->libctx)) == NULL)
0f113f3e
MC		 481 goto err;
482 BN_CTX_start(ctx);
483 f = BN_CTX_get(ctx);
484 ret = BN_CTX_get(ctx);
e077455e
RL		 485 if (ret == NULL) {
486 ERR_raise(ERR_LIB_RSA, ERR_R_BN_LIB);
487 goto err;
488 }
0f113f3e
MC		 489 num = BN_num_bytes(rsa->n);
490 buf = OPENSSL_malloc(num);
e077455e 491 if (buf == NULL)
0f113f3e 492 goto err;
0f113f3e
MC		 493
494 /*
495 * This check was for equality but PGP does evil things and chops off the
496 * top '0' bytes
497 */
498 if (flen > num) {
9311d0c4 499 ERR_raise(ERR_LIB_RSA, RSA_R_DATA_GREATER_THAN_MOD_LEN);
0f113f3e
MC		 500 goto err;
501 }
502
7fc67e0a
HK		 503 if (flen < 1) {
504 ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_SMALL);
505 goto err;
506 }
507
0f113f3e
MC		 508 /* make data into a big number */
509 if (BN_bin2bn(from, (int)flen, f) == NULL)
510 goto err;
511
512 if (BN_ucmp(f, rsa->n) >= 0) {
9311d0c4 513 ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
0f113f3e
MC		 514 goto err;
515 }
516
517 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
518 blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
519 if (blinding == NULL) {
9311d0c4 520 ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
0f113f3e
MC		 521 goto err;
522 }
523 }
524
525 if (blinding != NULL) {
526 if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) {
e077455e 527 ERR_raise(ERR_LIB_RSA, ERR_R_BN_LIB);
0f113f3e
MC		 528 goto err;
529 }
530 if (!rsa_blinding_convert(blinding, f, unblind, ctx))
531 goto err;
532 }
533
534 /* do the decrypt */
535 if ((rsa->flags & RSA_FLAG_EXT_PKEY) ||
665d899f 536 (rsa->version == RSA_ASN1_VERSION_MULTI) ||
0f113f3e
MC		 537 ((rsa->p != NULL) &&
538 (rsa->q != NULL) &&
539 (rsa->dmp1 != NULL) && (rsa->dmq1 != NULL) && (rsa->iqmp != NULL))) {
540 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
541 goto err;
542 } else {
5584f65a
MC		 543 BIGNUM *d = BN_new();
544 if (d == NULL) {
e077455e 545 ERR_raise(ERR_LIB_RSA, ERR_R_BN_LIB);
5584f65a 546 goto err;
7408f675
DO		 547 }
548 if (rsa->d == NULL) {
9311d0c4 549 ERR_raise(ERR_LIB_RSA, RSA_R_MISSING_PRIVATE_KEY);
7408f675
DO		 550 BN_free(d);
551 goto err;
fd7d2520 552 }
5584f65a 553 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
0f113f3e
MC		 554
555 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
41bfd5e7
AP		 556 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,
557 rsa->n, ctx)) {
5584f65a 558 BN_free(d);
0f113f3e
MC		 559 goto err;
560 }
561 if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
562 rsa->_method_mod_n)) {
5584f65a 563 BN_free(d);
0f113f3e
MC		 564 goto err;
565 }
5584f65a
MC		 566 /* We MUST free d before any further use of rsa->d */
567 BN_free(d);
0f113f3e
MC		 568 }
569
7fc67e0a
HK		 570 /*
571 * derive the Key Derivation Key from private exponent and public
572 * ciphertext
573 */
5ab3ec1b 574 if (padding == RSA_PKCS1_PADDING) {
b1892d21 575 if (derive_kdk(flen, from, rsa, buf, num, kdk) == 0)
7fc67e0a 576 goto err;
b1892d21 577 }
7fc67e0a 578
b1892d21 579 if (blinding) {
7fc67e0a 580 /*
b1892d21
DB		 581 * ossl_bn_rsa_do_unblind() combines blinding inversion and
582 * 0-padded BN BE serialization
7fc67e0a 583 */
b1892d21
DB		 584 j = ossl_bn_rsa_do_unblind(ret, blinding, unblind, rsa->n, ctx,
585 buf, num);
586 if (j == 0)
7fc67e0a 587 goto err;
b1892d21
DB		 588 } else {
589 j = BN_bn2binpad(ret, buf, num);
590 if (j < 0)
7fc67e0a 591 goto err;
7fc67e0a
HK		 592 }
593
0f113f3e 594 switch (padding) {
5ab3ec1b
HK		 595 case RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING:
596 r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num);
597 break;
0f113f3e 598 case RSA_PKCS1_PADDING:
5ab3ec1b 599 r = ossl_rsa_padding_check_PKCS1_type_2(rsa->libctx, to, num, buf, j, num, kdk);
0f113f3e 600 break;
0f113f3e
MC		 601 case RSA_PKCS1_OAEP_PADDING:
602 r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0);
603 break;
0f113f3e 604 case RSA_NO_PADDING:
582ad5d4 605 memcpy(to, buf, (r = j));
0f113f3e
MC		 606 break;
607 default:
9311d0c4 608 ERR_raise(ERR_LIB_RSA, RSA_R_UNKNOWN_PADDING_TYPE);
0f113f3e
MC		 609 goto err;
610 }
f844f9eb 611#ifndef FIPS_MODULE
afb638f1
MC		 612 /*
613 * This trick doesn't work in the FIPS provider because libcrypto manages
614 * the error stack. Instead we opt not to put an error on the stack at all
615 * in case of padding failure in the FIPS provider.
616 */
9311d0c4 617 ERR_raise(ERR_LIB_RSA, RSA_R_PADDING_CHECK_FAILED);
94dc53a3 618 err_clear_last_constant_time(1 & ~constant_time_msb(r));
afb638f1 619#endif
0f113f3e
MC		 620
621 err:
ce1415ed 622 BN_CTX_end(ctx);
23a1d5e9 623 BN_CTX_free(ctx);
4b45c6e5 624 OPENSSL_clear_free(buf, num);
8686c474 625 return r;
0f113f3e 626}
58964a49 627
24cff6ce 628/* signature verification */
bf160551 629static int rsa_ossl_public_decrypt(int flen, const unsigned char *from,
0f113f3e
MC		 630 unsigned char *to, RSA *rsa, int padding)
631{
632 BIGNUM *f, *ret;
633 int i, num = 0, r = -1;
0f113f3e
MC		 634 unsigned char *buf = NULL;
635 BN_CTX *ctx = NULL;
636
637 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
9311d0c4 638 ERR_raise(ERR_LIB_RSA, RSA_R_MODULUS_TOO_LARGE);
0f113f3e
MC		 639 return -1;
640 }
641
642 if (BN_ucmp(rsa->n, rsa->e) <= 0) {
9311d0c4 643 ERR_raise(ERR_LIB_RSA, RSA_R_BAD_E_VALUE);
0f113f3e
MC		 644 return -1;
645 }
646
647 /* for large moduli, enforce exponent limit */
648 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) {
649 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) {
9311d0c4 650 ERR_raise(ERR_LIB_RSA, RSA_R_BAD_E_VALUE);
0f113f3e
MC		 651 return -1;
652 }
653 }
654
afb638f1 655 if ((ctx = BN_CTX_new_ex(rsa->libctx)) == NULL)
0f113f3e
MC		 656 goto err;
657 BN_CTX_start(ctx);
658 f = BN_CTX_get(ctx);
659 ret = BN_CTX_get(ctx);
e077455e
RL		 660 if (ret == NULL) {
661 ERR_raise(ERR_LIB_RSA, ERR_R_BN_LIB);
662 goto err;
663 }
0f113f3e
MC		 664 num = BN_num_bytes(rsa->n);
665 buf = OPENSSL_malloc(num);
e077455e 666 if (buf == NULL)
0f113f3e 667 goto err;
0f113f3e
MC		 668
669 /*
670 * This check was for equality but PGP does evil things and chops off the
671 * top '0' bytes
672 */
673 if (flen > num) {
9311d0c4 674 ERR_raise(ERR_LIB_RSA, RSA_R_DATA_GREATER_THAN_MOD_LEN);
0f113f3e
MC		 675 goto err;
676 }
677
678 if (BN_bin2bn(from, flen, f) == NULL)
679 goto err;
680
681 if (BN_ucmp(f, rsa->n) >= 0) {
9311d0c4 682 ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
0f113f3e
MC		 683 goto err;
684 }
685
686 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
41bfd5e7
AP		 687 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,
688 rsa->n, ctx))
0f113f3e
MC		 689 goto err;
690
691 if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx,
692 rsa->_method_mod_n))
693 goto err;
694
695 if ((padding == RSA_X931_PADDING) && ((bn_get_words(ret)[0] & 0xf) != 12))
696 if (!BN_sub(ret, rsa->n, ret))
697 goto err;
698
582ad5d4 699 i = BN_bn2binpad(ret, buf, num);
4a3dd629
P		 700 if (i < 0)
701 goto err;
0f113f3e
MC		 702
703 switch (padding) {
704 case RSA_PKCS1_PADDING:
705 r = RSA_padding_check_PKCS1_type_1(to, num, buf, i, num);
706 break;
707 case RSA_X931_PADDING:
708 r = RSA_padding_check_X931(to, num, buf, i, num);
709 break;
710 case RSA_NO_PADDING:
582ad5d4 711 memcpy(to, buf, (r = i));
0f113f3e
MC		 712 break;
713 default:
9311d0c4 714 ERR_raise(ERR_LIB_RSA, RSA_R_UNKNOWN_PADDING_TYPE);
0f113f3e
MC		 715 goto err;
716 }
717 if (r < 0)
9311d0c4 718 ERR_raise(ERR_LIB_RSA, RSA_R_PADDING_CHECK_FAILED);
0f113f3e
MC		 719
720 err:
ce1415ed 721 BN_CTX_end(ctx);
23a1d5e9 722 BN_CTX_free(ctx);
4b45c6e5 723 OPENSSL_clear_free(buf, num);
8686c474 724 return r;
0f113f3e 725}
58964a49 726
bf160551 727static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
0f113f3e 728{
afb638f1
MC		 729 BIGNUM *r1, *m1, *vrfy;
730 int ret = 0, smooth = 0;
f844f9eb 731#ifndef FIPS_MODULE
afb638f1
MC		 732 BIGNUM *r2, *m[RSA_MAX_PRIME_NUM - 2];
733 int i, ex_primes = 0;
665d899f 734 RSA_PRIME_INFO *pinfo;
afb638f1 735#endif
0f113f3e 736
c804d23d
PC		 737 BN_CTX_start(ctx);
738
0f113f3e 739 r1 = BN_CTX_get(ctx);
f844f9eb 740#ifndef FIPS_MODULE
665d899f 741 r2 = BN_CTX_get(ctx);
afb638f1 742#endif
0f113f3e
MC		 743 m1 = BN_CTX_get(ctx);
744 vrfy = BN_CTX_get(ctx);
5625567f
BE		 745 if (vrfy == NULL)
746 goto err;
0f113f3e 747
f844f9eb 748#ifndef FIPS_MODULE
665d899f 749 if (rsa->version == RSA_ASN1_VERSION_MULTI
a1471588
BE		 750 && ((ex_primes = sk_RSA_PRIME_INFO_num(rsa->prime_infos)) <= 0
751 || ex_primes > RSA_MAX_PRIME_NUM - 2))
665d899f 752 goto err;
afb638f1 753#endif
665d899f 754
41bfd5e7
AP		 755 if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) {
756 BIGNUM *factor = BN_new();
757
758 if (factor == NULL)
759 goto err;
0f113f3e
MC		 760
761 /*
0d4fb843 762 * Make sure BN_mod_inverse in Montgomery initialization uses the
5584f65a 763 * BN_FLG_CONSTTIME flag
0f113f3e 764 */
41bfd5e7
AP		 765 if (!(BN_with_flags(factor, rsa->p, BN_FLG_CONSTTIME),
766 BN_MONT_CTX_set_locked(&rsa->_method_mod_p, rsa->lock,
767 factor, ctx))
768 || !(BN_with_flags(factor, rsa->q, BN_FLG_CONSTTIME),
769 BN_MONT_CTX_set_locked(&rsa->_method_mod_q, rsa->lock,
770 factor, ctx))) {
771 BN_free(factor);
5584f65a 772 goto err;
0f113f3e 773 }
f844f9eb 774#ifndef FIPS_MODULE
41bfd5e7
AP		 775 for (i = 0; i < ex_primes; i++) {
776 pinfo = sk_RSA_PRIME_INFO_value(rsa->prime_infos, i);
777 BN_with_flags(factor, pinfo->r, BN_FLG_CONSTTIME);
778 if (!BN_MONT_CTX_set_locked(&pinfo->m, rsa->lock, factor, ctx)) {
779 BN_free(factor);
0f113f3e
MC		 780 goto err;
781 }
782 }
afb638f1 783#endif
fd7d2520 784 /*
41bfd5e7 785 * We MUST free |factor| before any further use of the prime factors
fd7d2520 786 */
41bfd5e7
AP		 787 BN_free(factor);
788
afb638f1 789 smooth = (rsa->meth->bn_mod_exp == BN_mod_exp_mont)
f844f9eb 790#ifndef FIPS_MODULE
afb638f1
MC		 791 && (ex_primes == 0)
792#endif
41bfd5e7 793 && (BN_num_bits(rsa->q) == BN_num_bits(rsa->p));
0f113f3e
MC		 794 }
795
796 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
41bfd5e7
AP		 797 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,
798 rsa->n, ctx))
799 goto err;
800
801 if (smooth) {
802 /*
803 * Conversion from Montgomery domain, a.k.a. Montgomery reduction,
804 * accepts values in [0-m*2^w) range. w is m's bit width rounded up
805 * to limb width. So that at the very least if |I| is fully reduced,
806 * i.e. less than p*q, we can count on from-to round to perform
807 * below modulo operations on |I|. Unlike BN_mod it's constant time.
808 */
809 if (/* m1 = I moq q */
810 !bn_from_mont_fixed_top(m1, I, rsa->_method_mod_q, ctx)
811 || !bn_to_mont_fixed_top(m1, m1, rsa->_method_mod_q, ctx)
41bfd5e7
AP		 812 /* r1 = I mod p */
813 || !bn_from_mont_fixed_top(r1, I, rsa->_method_mod_p, ctx)
814 || !bn_to_mont_fixed_top(r1, r1, rsa->_method_mod_p, ctx)
c781eb1c
AM		 815 /*
816 * Use parallel exponentiations optimization if possible,
817 * otherwise fallback to two sequential exponentiations:
818 * m1 = m1^dmq1 mod q
819 * r1 = r1^dmp1 mod p
820 */
821 || !BN_mod_exp_mont_consttime_x2(m1, m1, rsa->dmq1, rsa->q,
822 rsa->_method_mod_q,
823 r1, r1, rsa->dmp1, rsa->p,
824 rsa->_method_mod_p,
825 ctx)
41bfd5e7
AP		 826 /* r1 = (r1 - m1) mod p */
827 /*
828 * bn_mod_sub_fixed_top is not regular modular subtraction,
829 * it can tolerate subtrahend to be larger than modulus, but
830 * not bit-wise wider. This makes up for uncommon q>p case,
831 * when |m1| can be larger than |rsa->p|.
832 */
833 || !bn_mod_sub_fixed_top(r1, r1, m1, rsa->p)
834
d1c008f6 835 /* r1 = r1 * iqmp mod p */
41bfd5e7
AP		 836 || !bn_to_mont_fixed_top(r1, r1, rsa->_method_mod_p, ctx)
837 || !bn_mul_mont_fixed_top(r1, r1, rsa->iqmp, rsa->_method_mod_p,
838 ctx)
d1c008f6 839 /* r0 = r1 * q + m1 */
41bfd5e7
AP		 840 || !bn_mul_fixed_top(r0, r1, rsa->q, ctx)
841 || !bn_mod_add_fixed_top(r0, r0, m1, rsa->n))
0f113f3e
MC		 842 goto err;
843
41bfd5e7
AP		 844 goto tail;
845 }
846
0f113f3e 847 /* compute I mod q */
fd7d2520 848 {
5584f65a
MC		 849 BIGNUM *c = BN_new();
850 if (c == NULL)
851 goto err;
852 BN_with_flags(c, I, BN_FLG_CONSTTIME);
853
fd7d2520 854 if (!BN_mod(r1, c, rsa->q, ctx)) {
5584f65a 855 BN_free(c);
0f113f3e 856 goto err;
fd7d2520 857 }
0f113f3e 858
fd7d2520 859 {
5584f65a
MC		 860 BIGNUM *dmq1 = BN_new();
861 if (dmq1 == NULL) {
862 BN_free(c);
863 goto err;
fd7d2520 864 }
5584f65a
MC		 865 BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
866
867 /* compute r1^dmq1 mod q */
fd7d2520 868 if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx,
41bfd5e7 869 rsa->_method_mod_q)) {
5584f65a
MC		 870 BN_free(c);
871 BN_free(dmq1);
fd7d2520
MC		 872 goto err;
873 }
5584f65a
MC		 874 /* We MUST free dmq1 before any further use of rsa->dmq1 */
875 BN_free(dmq1);
fd7d2520 876 }
0f113f3e 877
fd7d2520
MC		 878 /* compute I mod p */
879 if (!BN_mod(r1, c, rsa->p, ctx)) {
5584f65a 880 BN_free(c);
0f113f3e 881 goto err;
fd7d2520 882 }
5584f65a
MC		 883 /* We MUST free c before any further use of I */
884 BN_free(c);
0f113f3e
MC		 885 }
886
fd7d2520 887 {
5584f65a
MC		 888 BIGNUM *dmp1 = BN_new();
889 if (dmp1 == NULL)
890 goto err;
891 BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
892
fd7d2520 893 /* compute r1^dmp1 mod p */
fd7d2520
MC		 894 if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p, ctx,
895 rsa->_method_mod_p)) {
5584f65a 896 BN_free(dmp1);
fd7d2520
MC		 897 goto err;
898 }
5584f65a
MC		 899 /* We MUST free dmp1 before any further use of rsa->dmp1 */
900 BN_free(dmp1);
fd7d2520 901 }
0f113f3e 902
f844f9eb 903#ifndef FIPS_MODULE
665d899f
PY		 904 if (ex_primes > 0) {
905 BIGNUM *di = BN_new(), *cc = BN_new();
906
907 if (cc == NULL || di == NULL) {
908 BN_free(cc);
909 BN_free(di);
910 goto err;
911 }
912
913 for (i = 0; i < ex_primes; i++) {
914 /* prepare m_i */
915 if ((m[i] = BN_CTX_get(ctx)) == NULL) {
916 BN_free(cc);
917 BN_free(di);
918 goto err;
919 }
920
921 pinfo = sk_RSA_PRIME_INFO_value(rsa->prime_infos, i);
922
923 /* prepare c and d_i */
924 BN_with_flags(cc, I, BN_FLG_CONSTTIME);
925 BN_with_flags(di, pinfo->d, BN_FLG_CONSTTIME);
926
927 if (!BN_mod(r1, cc, pinfo->r, ctx)) {
928 BN_free(cc);
929 BN_free(di);
930 goto err;
931 }
932 /* compute r1 ^ d_i mod r_i */
933 if (!rsa->meth->bn_mod_exp(m[i], r1, di, pinfo->r, ctx, pinfo->m)) {
934 BN_free(cc);
935 BN_free(di);
936 goto err;
937 }
938 }
939
940 BN_free(cc);
941 BN_free(di);
942 }
afb638f1 943#endif
665d899f 944
0f113f3e
MC		 945 if (!BN_sub(r0, r0, m1))
946 goto err;
947 /*
948 * This will help stop the size of r0 increasing, which does affect the
949 * multiply if it optimised for a power of 2 size
950 */
951 if (BN_is_negative(r0))
952 if (!BN_add(r0, r0, rsa->p))
953 goto err;
954
955 if (!BN_mul(r1, r0, rsa->iqmp, ctx))
956 goto err;
957
fd7d2520 958 {
5584f65a
MC		 959 BIGNUM *pr1 = BN_new();
960 if (pr1 == NULL)
961 goto err;
962 BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
963
fd7d2520 964 if (!BN_mod(r0, pr1, rsa->p, ctx)) {
5584f65a 965 BN_free(pr1);
fd7d2520
MC		 966 goto err;
967 }
5584f65a
MC		 968 /* We MUST free pr1 before any further use of r1 */
969 BN_free(pr1);
fd7d2520 970 }
0f113f3e
MC		 971
972 /*
973 * If p < q it is occasionally possible for the correction of adding 'p'
974 * if r0 is negative above to leave the result still negative. This can
975 * break the private key operations: the following second correction
976 * should *always* correct this rare occurrence. This will *never* happen
977 * with OpenSSL generated keys because they ensure p > q [steve]
978 */
979 if (BN_is_negative(r0))
980 if (!BN_add(r0, r0, rsa->p))
981 goto err;
982 if (!BN_mul(r1, r0, rsa->q, ctx))
983 goto err;
984 if (!BN_add(r0, r1, m1))
985 goto err;
986
f844f9eb 987#ifndef FIPS_MODULE
665d899f
PY		 988 /* add m_i to m in multi-prime case */
989 if (ex_primes > 0) {
990 BIGNUM *pr2 = BN_new();
991
992 if (pr2 == NULL)
993 goto err;
994
995 for (i = 0; i < ex_primes; i++) {
996 pinfo = sk_RSA_PRIME_INFO_value(rsa->prime_infos, i);
997 if (!BN_sub(r1, m[i], r0)) {
998 BN_free(pr2);
999 goto err;
1000 }
1001
1002 if (!BN_mul(r2, r1, pinfo->t, ctx)) {
1003 BN_free(pr2);
1004 goto err;
1005 }
1006
1007 BN_with_flags(pr2, r2, BN_FLG_CONSTTIME);
1008
1009 if (!BN_mod(r1, pr2, pinfo->r, ctx)) {
1010 BN_free(pr2);
1011 goto err;
1012 }
1013
1014 if (BN_is_negative(r1))
1015 if (!BN_add(r1, r1, pinfo->r)) {
1016 BN_free(pr2);
1017 goto err;
1018 }
1019 if (!BN_mul(r1, r1, pinfo->pp, ctx)) {
1020 BN_free(pr2);
1021 goto err;
1022 }
1023 if (!BN_add(r0, r0, r1)) {
1024 BN_free(pr2);
1025 goto err;
1026 }
1027 }
1028 BN_free(pr2);
1029 }
afb638f1 1030#endif
665d899f 1031
41bfd5e7 1032 tail:
0f113f3e 1033 if (rsa->e && rsa->n) {
41bfd5e7
AP		 1034 if (rsa->meth->bn_mod_exp == BN_mod_exp_mont) {
1035 if (!BN_mod_exp_mont(vrfy, r0, rsa->e, rsa->n, ctx,
1036 rsa->_method_mod_n))
1037 goto err;
1038 } else {
1039 bn_correct_top(r0);
1040 if (!rsa->meth->bn_mod_exp(vrfy, r0, rsa->e, rsa->n, ctx,
1041 rsa->_method_mod_n))
1042 goto err;
1043 }
0f113f3e
MC		 1044 /*
1045 * If 'I' was greater than (or equal to) rsa->n, the operation will
1046 * be equivalent to using 'I mod n'. However, the result of the
1047 * verify will *always* be less than 'n' so we don't check for
1048 * absolute equality, just congruency.
1049 */
1050 if (!BN_sub(vrfy, vrfy, I))
1051 goto err;
41bfd5e7
AP		 1052 if (BN_is_zero(vrfy)) {
1053 bn_correct_top(r0);
1054 ret = 1;
1055 goto err; /* not actually error */
1056 }
0f113f3e
MC		 1057 if (!BN_mod(vrfy, vrfy, rsa->n, ctx))
1058 goto err;
1059 if (BN_is_negative(vrfy))
1060 if (!BN_add(vrfy, vrfy, rsa->n))
1061 goto err;
1062 if (!BN_is_zero(vrfy)) {
1063 /*
1064 * 'I' and 'vrfy' aren't congruent mod n. Don't leak
1065 * miscalculated CRT output, just do a raw (slower) mod_exp and
1066 * return that instead.
1067 */
1068
5584f65a
MC		 1069 BIGNUM *d = BN_new();
1070 if (d == NULL)
1071 goto err;
1072 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
0f113f3e 1073
0f113f3e
MC		 1074 if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx,
1075 rsa->_method_mod_n)) {
5584f65a 1076 BN_free(d);
0f113f3e
MC		 1077 goto err;
1078 }
5584f65a
MC		 1079 /* We MUST free d before any further use of rsa->d */
1080 BN_free(d);
0f113f3e
MC		 1081 }
1082 }
41bfd5e7
AP		 1083 /*
1084 * It's unfortunate that we have to bn_correct_top(r0). What hopefully
1085 * saves the day is that correction is highly unlike, and private key
1086 * operations are customarily performed on blinded message. Which means
1087 * that attacker won't observe correlation with chosen plaintext.
1088 * Secondly, remaining code would still handle it in same computational
1089 * time and even conceal memory access pattern around corrected top.
1090 */
1091 bn_correct_top(r0);
0f113f3e
MC		 1092 ret = 1;
1093 err:
0f113f3e 1094 BN_CTX_end(ctx);
8686c474 1095 return ret;
0f113f3e 1096}
58964a49 1097
bf160551 1098static int rsa_ossl_init(RSA *rsa)
0f113f3e
MC		 1099{
1100 rsa->flags |= RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE;
8686c474 1101 return 1;
0f113f3e 1102}
58964a49 1103
bf160551 1104static int rsa_ossl_finish(RSA *rsa)
0f113f3e 1105{
f844f9eb 1106#ifndef FIPS_MODULE
665d899f
PY		 1107 int i;
1108 RSA_PRIME_INFO *pinfo;
1109
665d899f
PY		 1110 for (i = 0; i < sk_RSA_PRIME_INFO_num(rsa->prime_infos); i++) {
1111 pinfo = sk_RSA_PRIME_INFO_value(rsa->prime_infos, i);
1112 BN_MONT_CTX_free(pinfo->m);
1113 }
afb638f1
MC		 1114#endif
1115
1116 BN_MONT_CTX_free(rsa->_method_mod_n);
1117 BN_MONT_CTX_free(rsa->_method_mod_p);
1118 BN_MONT_CTX_free(rsa->_method_mod_q);
8686c474 1119 return 1;
0f113f3e 1120}
A mirror of the official openssl repository