summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/rsa/rsa_eay.c
diff options
context:
space:
mode:
authormarkus <>2002-09-05 12:51:50 +0000
committermarkus <>2002-09-05 12:51:50 +0000
commit15b5d84f9da2ce4bfae8580e56e34a859f74ad71 (patch)
treebf939e82d7fd73cc8a01cf6959002209972091bc /src/lib/libcrypto/rsa/rsa_eay.c
parent027351f729b9e837200dae6e1520cda6577ab930 (diff)
downloadopenbsd-15b5d84f9da2ce4bfae8580e56e34a859f74ad71.tar.gz
openbsd-15b5d84f9da2ce4bfae8580e56e34a859f74ad71.tar.bz2
openbsd-15b5d84f9da2ce4bfae8580e56e34a859f74ad71.zip
import openssl-0.9.7-beta1
Diffstat (limited to 'src/lib/libcrypto/rsa/rsa_eay.c')
-rw-r--r--src/lib/libcrypto/rsa/rsa_eay.c555
1 files changed, 445 insertions, 110 deletions
diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c
index 42a77f11cd..0eda816081 100644
--- a/src/lib/libcrypto/rsa/rsa_eay.c
+++ b/src/lib/libcrypto/rsa/rsa_eay.c
@@ -1,13 +1,3 @@
1
2/* This file has been explicitly broken by ryker for OpenBSD, July
3 * 1, 1998. In spite of the title, there is no implementation of the
4 * RSA algorithm left in this file. All these routines will return an
5 * error and fail when called. They exist as stubs and can be
6 * ressurected from the bit bucket by someone in the free world once
7 * the RSA algorithm is no longer subject to patent problems. Eric
8 * Young's original copyright is below.
9 */
10
11/* crypto/rsa/rsa_eay.c */ 1/* crypto/rsa/rsa_eay.c */
12/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
13 * All rights reserved. 3 * All rights reserved.
@@ -68,207 +58,552 @@
68 58
69#include <stdio.h> 59#include <stdio.h>
70#include "cryptlib.h" 60#include "cryptlib.h"
71#include "bn.h" 61#include <openssl/bn.h>
72#include "rsa.h" 62#include <openssl/rsa.h>
73#include "rand.h" 63#include <openssl/rand.h>
64#include <openssl/engine.h>
74 65
75#ifndef NOPROTO 66#ifndef RSA_NULL
76static int RSA_eay_public_encrypt(int flen, unsigned char *from, 67
68static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
77 unsigned char *to, RSA *rsa,int padding); 69 unsigned char *to, RSA *rsa,int padding);
78static int RSA_eay_private_encrypt(int flen, unsigned char *from, 70static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
79 unsigned char *to, RSA *rsa,int padding); 71 unsigned char *to, RSA *rsa,int padding);
80static int RSA_eay_public_decrypt(int flen, unsigned char *from, 72static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
81 unsigned char *to, RSA *rsa,int padding); 73 unsigned char *to, RSA *rsa,int padding);
82static int RSA_eay_private_decrypt(int flen, unsigned char *from, 74static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
83 unsigned char *to, RSA *rsa,int padding); 75 unsigned char *to, RSA *rsa,int padding);
84static int RSA_eay_mod_exp(BIGNUM *r0, BIGNUM *i, RSA *rsa); 76static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa);
85static int RSA_eay_init(RSA *rsa); 77static int RSA_eay_init(RSA *rsa);
86static int RSA_eay_finish(RSA *rsa); 78static int RSA_eay_finish(RSA *rsa);
87#else
88static int RSA_eay_public_encrypt();
89static int RSA_eay_private_encrypt();
90static int RSA_eay_public_decrypt();
91static int RSA_eay_private_decrypt();
92static int RSA_eay_mod_exp();
93static int RSA_eay_init();
94static int RSA_eay_finish();
95#endif
96
97static RSA_METHOD rsa_pkcs1_eay_meth={ 79static RSA_METHOD rsa_pkcs1_eay_meth={
98 "Eric Young's PKCS#1 RSA", 80 "Eric Young's PKCS#1 RSA",
99 RSA_eay_public_encrypt, 81 RSA_eay_public_encrypt,
100 RSA_eay_public_decrypt, 82 RSA_eay_public_decrypt, /* signature verification */
101 RSA_eay_private_encrypt, 83 RSA_eay_private_encrypt, /* signing */
102 RSA_eay_private_decrypt, 84 RSA_eay_private_decrypt,
103 RSA_eay_mod_exp, 85 RSA_eay_mod_exp,
104 BN_mod_exp_mont, 86 BN_mod_exp_mont, /* XXX probably we should not use Montgomery if e == 3 */
105 RSA_eay_init, 87 RSA_eay_init,
106 RSA_eay_finish, 88 RSA_eay_finish,
107 0, 89 0, /* flags */
108 NULL, 90 NULL,
91 0, /* rsa_sign */
92 0 /* rsa_verify */
109 }; 93 };
110 94
111RSA_METHOD *RSA_PKCS1_SSLeay() 95const RSA_METHOD *RSA_PKCS1_SSLeay(void)
112 { 96 {
113 return(&rsa_pkcs1_eay_meth); 97 return(&rsa_pkcs1_eay_meth);
114 } 98 }
115 99
116static int RSA_eay_public_encrypt(flen, from, to, rsa, padding) 100static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
117int flen; 101 unsigned char *to, RSA *rsa, int padding)
118unsigned char *from;
119unsigned char *to;
120RSA *rsa;
121int padding;
122 { 102 {
123 BIGNUM *f=NULL,*ret=NULL; 103 BIGNUM f,ret;
124 int i,j,k,num=0,r= -1; 104 int i,j,k,num=0,r= -1;
125 unsigned char *buf=NULL; 105 unsigned char *buf=NULL;
126 BN_CTX *ctx=NULL; 106 BN_CTX *ctx=NULL;
127 107
128 /* Body of this routine removed for OpenBSD - will return 108 BN_init(&f);
129 * when the RSA patent expires 109 BN_init(&ret);
130 */ 110 if ((ctx=BN_CTX_new()) == NULL) goto err;
111 num=BN_num_bytes(rsa->n);
112 if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL)
113 {
114 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,ERR_R_MALLOC_FAILURE);
115 goto err;
116 }
131 117
118 switch (padding)
119 {
120 case RSA_PKCS1_PADDING:
121 i=RSA_padding_add_PKCS1_type_2(buf,num,from,flen);
122 break;
123#ifndef OPENSSL_NO_SHA
124 case RSA_PKCS1_OAEP_PADDING:
125 i=RSA_padding_add_PKCS1_OAEP(buf,num,from,flen,NULL,0);
126 break;
127#endif
128 case RSA_SSLV23_PADDING:
129 i=RSA_padding_add_SSLv23(buf,num,from,flen);
130 break;
131 case RSA_NO_PADDING:
132 i=RSA_padding_add_none(buf,num,from,flen);
133 break;
134 default:
135 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
136 goto err;
137 }
138 if (i <= 0) goto err;
139
140 if (BN_bin2bn(buf,num,&f) == NULL) goto err;
141
142 if (BN_ucmp(&f, rsa->n) >= 0)
143 {
144 /* usually the padding functions would catch this */
145 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
146 goto err;
147 }
148
149 if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
150 {
151 BN_MONT_CTX* bn_mont_ctx;
152 if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)
153 goto err;
154 if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->n,ctx))
155 {
156 BN_MONT_CTX_free(bn_mont_ctx);
157 goto err;
158 }
159 if (rsa->_method_mod_n == NULL) /* other thread may have finished first */
160 {
161 CRYPTO_w_lock(CRYPTO_LOCK_RSA);
162 if (rsa->_method_mod_n == NULL)
163 {
164 rsa->_method_mod_n = bn_mont_ctx;
165 bn_mont_ctx = NULL;
166 }
167 CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
168 }
169 if (bn_mont_ctx)
170 BN_MONT_CTX_free(bn_mont_ctx);
171 }
172
173 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
174 rsa->_method_mod_n)) goto err;
175
176 /* put in leading 0 bytes if the number is less than the
177 * length of the modulus */
178 j=BN_num_bytes(&ret);
179 i=BN_bn2bin(&ret,&(to[num-j]));
180 for (k=0; k<(num-i); k++)
181 to[k]=0;
182
183 r=num;
132err: 184err:
133 if (ctx != NULL) BN_CTX_free(ctx); 185 if (ctx != NULL) BN_CTX_free(ctx);
134 if (f != NULL) BN_free(f); 186 BN_clear_free(&f);
135 if (ret != NULL) BN_free(ret); 187 BN_clear_free(&ret);
136 if (buf != NULL) 188 if (buf != NULL)
137 { 189 {
138 memset(buf,0,num); 190 memset(buf,0,num);
139 Free(buf); 191 OPENSSL_free(buf);
140 } 192 }
141 return(r); 193 return(r);
142 } 194 }
143 195
144static int RSA_eay_private_encrypt(flen, from, to, rsa, padding) 196/* signing */
145int flen; 197static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
146unsigned char *from; 198 unsigned char *to, RSA *rsa, int padding)
147unsigned char *to;
148RSA *rsa;
149int padding;
150 { 199 {
151 BIGNUM *f=NULL,*ret=NULL; 200 BIGNUM f,ret;
152 int i,j,k,num=0,r= -1; 201 int i,j,k,num=0,r= -1;
153 unsigned char *buf=NULL; 202 unsigned char *buf=NULL;
154 BN_CTX *ctx=NULL; 203 BN_CTX *ctx=NULL;
155 204
156 /* Body of this routine removed for OpenBSD - will return 205 BN_init(&f);
157 * when the RSA patent expires 206 BN_init(&ret);
158 */
159 207
208 if ((ctx=BN_CTX_new()) == NULL) goto err;
209 num=BN_num_bytes(rsa->n);
210 if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL)
211 {
212 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE);
213 goto err;
214 }
215
216 switch (padding)
217 {
218 case RSA_PKCS1_PADDING:
219 i=RSA_padding_add_PKCS1_type_1(buf,num,from,flen);
220 break;
221 case RSA_NO_PADDING:
222 i=RSA_padding_add_none(buf,num,from,flen);
223 break;
224 case RSA_SSLV23_PADDING:
225 default:
226 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
227 goto err;
228 }
229 if (i <= 0) goto err;
230
231 if (BN_bin2bn(buf,num,&f) == NULL) goto err;
232
233 if (BN_ucmp(&f, rsa->n) >= 0)
234 {
235 /* usually the padding functions would catch this */
236 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
237 goto err;
238 }
239
240 if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
241 RSA_blinding_on(rsa,ctx);
242 if (rsa->flags & RSA_FLAG_BLINDING)
243 if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
244
245 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
246 ((rsa->p != NULL) &&
247 (rsa->q != NULL) &&
248 (rsa->dmp1 != NULL) &&
249 (rsa->dmq1 != NULL) &&
250 (rsa->iqmp != NULL)) )
251 { if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
252 else
253 {
254 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err;
255 }
256
257 if (rsa->flags & RSA_FLAG_BLINDING)
258 if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;
259
260 /* put in leading 0 bytes if the number is less than the
261 * length of the modulus */
262 j=BN_num_bytes(&ret);
263 i=BN_bn2bin(&ret,&(to[num-j]));
264 for (k=0; k<(num-i); k++)
265 to[k]=0;
266
267 r=num;
160err: 268err:
161 if (ctx != NULL) BN_CTX_free(ctx); 269 if (ctx != NULL) BN_CTX_free(ctx);
162 if (ret != NULL) BN_free(ret); 270 BN_clear_free(&ret);
163 if (f != NULL) BN_free(f); 271 BN_clear_free(&f);
164 if (buf != NULL) 272 if (buf != NULL)
165 { 273 {
166 memset(buf,0,num); 274 memset(buf,0,num);
167 Free(buf); 275 OPENSSL_free(buf);
168 } 276 }
169 return(r); 277 return(r);
170 } 278 }
171 279
172static int RSA_eay_private_decrypt(flen, from, to, rsa,padding) 280static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
173int flen; 281 unsigned char *to, RSA *rsa, int padding)
174unsigned char *from;
175unsigned char *to;
176RSA *rsa;
177int padding;
178 { 282 {
179 BIGNUM *f=NULL,*ret=NULL; 283 BIGNUM f,ret;
180 int j,num=0,r= -1; 284 int j,num=0,r= -1;
181 unsigned char *p; 285 unsigned char *p;
182 unsigned char *buf=NULL; 286 unsigned char *buf=NULL;
183 BN_CTX *ctx=NULL; 287 BN_CTX *ctx=NULL;
184 288
185 /* Body of this routine removed for OpenBSD - will return 289 BN_init(&f);
186 * when the RSA patent expires 290 BN_init(&ret);
187 */ 291 ctx=BN_CTX_new();
292 if (ctx == NULL) goto err;
293
294 num=BN_num_bytes(rsa->n);
295
296 if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL)
297 {
298 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE);
299 goto err;
300 }
301
302 /* This check was for equality but PGP does evil things
303 * and chops off the top '0' bytes */
304 if (flen > num)
305 {
306 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
307 goto err;
308 }
309
310 /* make data into a big number */
311 if (BN_bin2bn(from,(int)flen,&f) == NULL) goto err;
312
313 if (BN_ucmp(&f, rsa->n) >= 0)
314 {
315 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
316 goto err;
317 }
318
319 if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
320 RSA_blinding_on(rsa,ctx);
321 if (rsa->flags & RSA_FLAG_BLINDING)
322 if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
323
324 /* do the decrypt */
325 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
326 ((rsa->p != NULL) &&
327 (rsa->q != NULL) &&
328 (rsa->dmp1 != NULL) &&
329 (rsa->dmq1 != NULL) &&
330 (rsa->iqmp != NULL)) )
331 { if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
332 else
333 {
334 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL))
335 goto err;
336 }
337
338 if (rsa->flags & RSA_FLAG_BLINDING)
339 if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;
340
341 p=buf;
342 j=BN_bn2bin(&ret,p); /* j is only used with no-padding mode */
343
344 switch (padding)
345 {
346 case RSA_PKCS1_PADDING:
347 r=RSA_padding_check_PKCS1_type_2(to,num,buf,j,num);
348 break;
349#ifndef OPENSSL_NO_SHA
350 case RSA_PKCS1_OAEP_PADDING:
351 r=RSA_padding_check_PKCS1_OAEP(to,num,buf,j,num,NULL,0);
352 break;
353#endif
354 case RSA_SSLV23_PADDING:
355 r=RSA_padding_check_SSLv23(to,num,buf,j,num);
356 break;
357 case RSA_NO_PADDING:
358 r=RSA_padding_check_none(to,num,buf,j,num);
359 break;
360 default:
361 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
362 goto err;
363 }
364 if (r < 0)
365 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
188 366
189err: 367err:
190 if (ctx != NULL) BN_CTX_free(ctx); 368 if (ctx != NULL) BN_CTX_free(ctx);
191 if (f != NULL) BN_free(f); 369 BN_clear_free(&f);
192 if (ret != NULL) BN_free(ret); 370 BN_clear_free(&ret);
193 if (buf != NULL) 371 if (buf != NULL)
194 { 372 {
195 memset(buf,0,num); 373 memset(buf,0,num);
196 Free(buf); 374 OPENSSL_free(buf);
197 } 375 }
198 return(r); 376 return(r);
199 } 377 }
200 378
201static int RSA_eay_public_decrypt(flen, from, to, rsa, padding) 379/* signature verification */
202int flen; 380static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
203unsigned char *from; 381 unsigned char *to, RSA *rsa, int padding)
204unsigned char *to;
205RSA *rsa;
206int padding;
207 { 382 {
208 BIGNUM *f=NULL,*ret=NULL; 383 BIGNUM f,ret;
209 int i,num=0,r= -1; 384 int i,num=0,r= -1;
210 unsigned char *p; 385 unsigned char *p;
211 unsigned char *buf=NULL; 386 unsigned char *buf=NULL;
212 BN_CTX *ctx=NULL; 387 BN_CTX *ctx=NULL;
213 388
389 BN_init(&f);
390 BN_init(&ret);
391 ctx=BN_CTX_new();
392 if (ctx == NULL) goto err;
393
394 num=BN_num_bytes(rsa->n);
395 buf=(unsigned char *)OPENSSL_malloc(num);
396 if (buf == NULL)
397 {
398 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE);
399 goto err;
400 }
401
402 /* This check was for equality but PGP does evil things
403 * and chops off the top '0' bytes */
404 if (flen > num)
405 {
406 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
407 goto err;
408 }
214 409
215 /* Body of this routine removed for OpenBSD - will return 410 if (BN_bin2bn(from,flen,&f) == NULL) goto err;
216 * when the RSA patent expires 411
217 */ 412 if (BN_ucmp(&f, rsa->n) >= 0)
413 {
414 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
415 goto err;
416 }
417
418 /* do the decrypt */
419 if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
420 {
421 BN_MONT_CTX* bn_mont_ctx;
422 if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)
423 goto err;
424 if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->n,ctx))
425 {
426 BN_MONT_CTX_free(bn_mont_ctx);
427 goto err;
428 }
429 if (rsa->_method_mod_n == NULL) /* other thread may have finished first */
430 {
431 CRYPTO_w_lock(CRYPTO_LOCK_RSA);
432 if (rsa->_method_mod_n == NULL)
433 {
434 rsa->_method_mod_n = bn_mont_ctx;
435 bn_mont_ctx = NULL;
436 }
437 CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
438 }
439 if (bn_mont_ctx)
440 BN_MONT_CTX_free(bn_mont_ctx);
441 }
442
443 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
444 rsa->_method_mod_n)) goto err;
445
446 p=buf;
447 i=BN_bn2bin(&ret,p);
448
449 switch (padding)
450 {
451 case RSA_PKCS1_PADDING:
452 r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num);
453 break;
454 case RSA_NO_PADDING:
455 r=RSA_padding_check_none(to,num,buf,i,num);
456 break;
457 default:
458 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
459 goto err;
460 }
461 if (r < 0)
462 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
218 463
219err: 464err:
220 if (ctx != NULL) BN_CTX_free(ctx); 465 if (ctx != NULL) BN_CTX_free(ctx);
221 if (f != NULL) BN_free(f); 466 BN_clear_free(&f);
222 if (ret != NULL) BN_free(ret); 467 BN_clear_free(&ret);
223 if (buf != NULL) 468 if (buf != NULL)
224 { 469 {
225 memset(buf,0,num); 470 memset(buf,0,num);
226 Free(buf); 471 OPENSSL_free(buf);
227 } 472 }
228 return(r); 473 return(r);
229 } 474 }
230 475
231static int RSA_eay_mod_exp(r0, I, rsa) 476static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
232BIGNUM *r0;
233BIGNUM *I;
234RSA *rsa;
235 { 477 {
236 BIGNUM *r1=NULL,*m1=NULL; 478 BIGNUM r1,m1,vrfy;
237 int ret=0; 479 int ret=0;
238 BN_CTX *ctx; 480 BN_CTX *ctx;
239 481
482 BN_init(&m1);
483 BN_init(&r1);
484 BN_init(&vrfy);
240 if ((ctx=BN_CTX_new()) == NULL) goto err; 485 if ((ctx=BN_CTX_new()) == NULL) goto err;
241 m1=BN_new();
242 r1=BN_new();
243 if ((m1 == NULL) || (r1 == NULL)) goto err;
244 486
245 /* Body of this routine removed for OpenBSD - will return 487 if (rsa->flags & RSA_FLAG_CACHE_PRIVATE)
246 * when the RSA patent expires 488 {
247 */ 489 if (rsa->_method_mod_p == NULL)
490 {
491 BN_MONT_CTX* bn_mont_ctx;
492 if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)
493 goto err;
494 if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->p,ctx))
495 {
496 BN_MONT_CTX_free(bn_mont_ctx);
497 goto err;
498 }
499 if (rsa->_method_mod_p == NULL) /* other thread may have finished first */
500 {
501 CRYPTO_w_lock(CRYPTO_LOCK_RSA);
502 if (rsa->_method_mod_p == NULL)
503 {
504 rsa->_method_mod_p = bn_mont_ctx;
505 bn_mont_ctx = NULL;
506 }
507 CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
508 }
509 if (bn_mont_ctx)
510 BN_MONT_CTX_free(bn_mont_ctx);
511 }
512
513 if (rsa->_method_mod_q == NULL)
514 {
515 BN_MONT_CTX* bn_mont_ctx;
516 if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)
517 goto err;
518 if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->q,ctx))
519 {
520 BN_MONT_CTX_free(bn_mont_ctx);
521 goto err;
522 }
523 if (rsa->_method_mod_q == NULL) /* other thread may have finished first */
524 {
525 CRYPTO_w_lock(CRYPTO_LOCK_RSA);
526 if (rsa->_method_mod_q == NULL)
527 {
528 rsa->_method_mod_q = bn_mont_ctx;
529 bn_mont_ctx = NULL;
530 }
531 CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
532 }
533 if (bn_mont_ctx)
534 BN_MONT_CTX_free(bn_mont_ctx);
535 }
536 }
537
538 if (!BN_mod(&r1,I,rsa->q,ctx)) goto err;
539 if (!rsa->meth->bn_mod_exp(&m1,&r1,rsa->dmq1,rsa->q,ctx,
540 rsa->_method_mod_q)) goto err;
541
542 if (!BN_mod(&r1,I,rsa->p,ctx)) goto err;
543 if (!rsa->meth->bn_mod_exp(r0,&r1,rsa->dmp1,rsa->p,ctx,
544 rsa->_method_mod_p)) goto err;
545
546 if (!BN_sub(r0,r0,&m1)) goto err;
547 /* This will help stop the size of r0 increasing, which does
548 * affect the multiply if it optimised for a power of 2 size */
549 if (r0->neg)
550 if (!BN_add(r0,r0,rsa->p)) goto err;
551
552 if (!BN_mul(&r1,r0,rsa->iqmp,ctx)) goto err;
553 if (!BN_mod(r0,&r1,rsa->p,ctx)) goto err;
554 /* If p < q it is occasionally possible for the correction of
555 * adding 'p' if r0 is negative above to leave the result still
556 * negative. This can break the private key operations: the following
557 * second correction should *always* correct this rare occurrence.
558 * This will *never* happen with OpenSSL generated keys because
559 * they ensure p > q [steve]
560 */
561 if (r0->neg)
562 if (!BN_add(r0,r0,rsa->p)) goto err;
563 if (!BN_mul(&r1,r0,rsa->q,ctx)) goto err;
564 if (!BN_add(r0,&r1,&m1)) goto err;
565
566 if (rsa->e && rsa->n)
567 {
568 if (!rsa->meth->bn_mod_exp(&vrfy,r0,rsa->e,rsa->n,ctx,NULL)) goto err;
569 /* If 'I' was greater than (or equal to) rsa->n, the operation
570 * will be equivalent to using 'I mod n'. However, the result of
571 * the verify will *always* be less than 'n' so we don't check
572 * for absolute equality, just congruency. */
573 if (!BN_sub(&vrfy, &vrfy, I)) goto err;
574 if (!BN_mod(&vrfy, &vrfy, rsa->n, ctx)) goto err;
575 if (vrfy.neg)
576 if (!BN_add(&vrfy, &vrfy, rsa->n)) goto err;
577 if (!BN_is_zero(&vrfy))
578 /* 'I' and 'vrfy' aren't congruent mod n. Don't leak
579 * miscalculated CRT output, just do a raw (slower)
580 * mod_exp and return that instead. */
581 if (!rsa->meth->bn_mod_exp(r0,I,rsa->d,rsa->n,ctx,NULL)) goto err;
582 }
583 ret=1;
248err: 584err:
249 if (m1 != NULL) BN_free(m1); 585 BN_clear_free(&m1);
250 if (r1 != NULL) BN_free(r1); 586 BN_clear_free(&r1);
587 BN_clear_free(&vrfy);
251 BN_CTX_free(ctx); 588 BN_CTX_free(ctx);
252 return(ret); 589 return(ret);
253 } 590 }
254 591
255static int RSA_eay_init(rsa) 592static int RSA_eay_init(RSA *rsa)
256RSA *rsa;
257 { 593 {
258 rsa->flags|=RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE; 594 rsa->flags|=RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE;
259 return(1); 595 return(1);
260 } 596 }
261 597
262static int RSA_eay_finish(rsa) 598static int RSA_eay_finish(RSA *rsa)
263RSA *rsa;
264 { 599 {
265 if (rsa->method_mod_n != NULL) 600 if (rsa->_method_mod_n != NULL)
266 BN_MONT_CTX_free((BN_MONT_CTX *)rsa->method_mod_n); 601 BN_MONT_CTX_free(rsa->_method_mod_n);
267 if (rsa->method_mod_p != NULL) 602 if (rsa->_method_mod_p != NULL)
268 BN_MONT_CTX_free((BN_MONT_CTX *)rsa->method_mod_p); 603 BN_MONT_CTX_free(rsa->_method_mod_p);
269 if (rsa->method_mod_q != NULL) 604 if (rsa->_method_mod_q != NULL)
270 BN_MONT_CTX_free((BN_MONT_CTX *)rsa->method_mod_q); 605 BN_MONT_CTX_free(rsa->_method_mod_q);
271 return(1); 606 return(1);
272 } 607 }
273 608
274 609#endif
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-10-30 20:11:25 +0000