1 files changed, 668 insertions, 0 deletions
diff --git a/src/lib/libcrypto/engine/eng_rsax.c b/src/lib/libcrypto/engine/eng_rsax.c
new file mode 100644
index 0000000000..96e63477ee
--- /dev/null
+++ b/src/lib/libcrypto/engine/eng_rsax.c
@@ -0,0 +1,668 @@
+/* crypto/engine/eng_rsax.c */
+/* Copyright (c) 2010-2010 Intel Corp.
+ *   Author: Vinodh.Gopal@intel.com
+ *           Jim Guilford
+ *           Erdinc.Ozturk@intel.com
+ *           Maxim.Perminov@intel.com
+ *           Ying.Huang@intel.com
+ *
+ * More information about algorithm used can be found at:
+ *   http://www.cse.buffalo.edu/srds2009/escs2009_submission_Gopal.pdf
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ */
+#include <openssl/opensslconf.h>
+#include <stdio.h>
+#include <string.h>
+#include <openssl/crypto.h>
+#include <openssl/buffer.h>
+#include <openssl/engine.h>
+#ifndef OPENSSL_NO_RSA
+#include <openssl/rsa.h>
+#endif
+#include <openssl/bn.h>
+#include <openssl/err.h>
+/* RSAX is available **ONLY* on x86_64 CPUs */
+#undef COMPILE_RSAX
+#if (defined(__x86_64) || defined(__x86_64__) || \
+     defined(_M_AMD64) || defined (_M_X64)) && !defined(OPENSSL_NO_ASM)
+#define COMPILE_RSAX
+static ENGINE *ENGINE_rsax (void);
+#endif
+void ENGINE_load_rsax (void)
+        {
+/* On non-x86 CPUs it just returns. */
+#ifdef COMPILE_RSAX
+        ENGINE *toadd = ENGINE_rsax();
+        if(!toadd) return;
+        ENGINE_add(toadd);
+        ENGINE_free(toadd);
+        ERR_clear_error();
+#endif
+        }
+#ifdef COMPILE_RSAX
+#define E_RSAX_LIB_NAME "rsax engine"
+static int e_rsax_destroy(ENGINE *e);
+static int e_rsax_init(ENGINE *e);
+static int e_rsax_finish(ENGINE *e);
+static int e_rsax_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void));
+#ifndef OPENSSL_NO_RSA
+/* RSA stuff */
+static int e_rsax_rsa_mod_exp(BIGNUM *r, const BIGNUM *I, RSA *rsa, BN_CTX *ctx);
+static int e_rsax_rsa_finish(RSA *r);
+#endif
+static const ENGINE_CMD_DEFN e_rsax_cmd_defns[] = {
+        {0, NULL, NULL, 0}
+        };
+#ifndef OPENSSL_NO_RSA
+/* Our internal RSA_METHOD that we provide pointers to */
+static RSA_METHOD e_rsax_rsa =
+        {
+        "Intel RSA-X method",
+        NULL,
+        NULL,
+        NULL,
+        NULL,
+        e_rsax_rsa_mod_exp,
+        NULL,
+        NULL,
+        e_rsax_rsa_finish,
+        RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE,
+        NULL,
+        NULL,
+        NULL
+        };
+#endif
+/* Constants used when creating the ENGINE */
+static const char *engine_e_rsax_id = "rsax";
+static const char *engine_e_rsax_name = "RSAX engine support";
+/* This internal function is used by ENGINE_rsax() */
+static int bind_helper(ENGINE *e)
+        {
+#ifndef OPENSSL_NO_RSA
+        const RSA_METHOD *meth1;
+#endif
+        if(!ENGINE_set_id(e, engine_e_rsax_id) ||
+                        !ENGINE_set_name(e, engine_e_rsax_name) ||
+#ifndef OPENSSL_NO_RSA
+                        !ENGINE_set_RSA(e, &e_rsax_rsa) ||
+#endif
+                        !ENGINE_set_destroy_function(e, e_rsax_destroy) ||
+                        !ENGINE_set_init_function(e, e_rsax_init) ||
+                        !ENGINE_set_finish_function(e, e_rsax_finish) ||
+                        !ENGINE_set_ctrl_function(e, e_rsax_ctrl) ||
+                        !ENGINE_set_cmd_defns(e, e_rsax_cmd_defns))
+                return 0;
+#ifndef OPENSSL_NO_RSA
+        meth1 = RSA_PKCS1_SSLeay();
+        e_rsax_rsa.rsa_pub_enc = meth1->rsa_pub_enc;
+        e_rsax_rsa.rsa_pub_dec = meth1->rsa_pub_dec;
+        e_rsax_rsa.rsa_priv_enc = meth1->rsa_priv_enc;
+        e_rsax_rsa.rsa_priv_dec = meth1->rsa_priv_dec;
+        e_rsax_rsa.bn_mod_exp = meth1->bn_mod_exp;
+#endif
+        return 1;
+        }
+static ENGINE *ENGINE_rsax(void)
+        {
+        ENGINE *ret = ENGINE_new();
+        if(!ret)
+                return NULL;
+        if(!bind_helper(ret))
+                {
+                ENGINE_free(ret);
+                return NULL;
+                }
+        return ret;
+        }
+#ifndef OPENSSL_NO_RSA
+/* Used to attach our own key-data to an RSA structure */
+static int rsax_ex_data_idx = -1;
+#endif
+static int e_rsax_destroy(ENGINE *e)
+        {
+        return 1;
+        }
+/* (de)initialisation functions. */
+static int e_rsax_init(ENGINE *e)
+        {
+#ifndef OPENSSL_NO_RSA
+        if (rsax_ex_data_idx == -1)
+                rsax_ex_data_idx = RSA_get_ex_new_index(0,
+                        NULL,
+                        NULL, NULL, NULL);
+#endif
+        if (rsax_ex_data_idx  == -1)
+                return 0;
+        return 1;
+        }
+static int e_rsax_finish(ENGINE *e)
+        {
+        return 1;
+        }
+static int e_rsax_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void))
+        {
+        int to_return = 1;
+        switch(cmd)
+                {
+        /* The command isn't understood by this engine */
+        default:
+                to_return = 0;
+                break;
+                }
+        return to_return;
+        }
+#ifndef OPENSSL_NO_RSA
+#ifdef _WIN32
+typedef unsigned __int64 UINT64;
+#else
+typedef unsigned long long UINT64;
+#endif
+typedef unsigned short UINT16;
+/* Table t is interleaved in the following manner:
+ * The order in memory is t[0][0], t[0][1], ..., t[0][7], t[1][0], ...
+ * A particular 512-bit value is stored in t[][index] rather than the more
+ * normal t[index][]; i.e. the qwords of a particular entry in t are not
+ * adjacent in memory
+ */
+/* Init BIGNUM b from the interleaved UINT64 array */
+static int interleaved_array_to_bn_512(BIGNUM* b, UINT64 *array);
+/* Extract array elements from BIGNUM b
+ * To set the whole array from b, call with n=8
+ */
+static int bn_extract_to_array_512(const BIGNUM* b, unsigned int n, UINT64 *array);
+struct mod_ctx_512 {
+    UINT64 t[8][8];
+    UINT64 m[8];
+    UINT64 m1[8]; /* 2^278 % m */
+    UINT64 m2[8]; /* 2^640 % m */
+    UINT64 k1[2]; /* (- 1/m) % 2^128 */
+};
+static int mod_exp_pre_compute_data_512(UINT64 *m, struct mod_ctx_512 *data);
+void mod_exp_512(UINT64 *result, /* 512 bits, 8 qwords */
+                 UINT64 *g,      /* 512 bits, 8 qwords */
+                 UINT64 *exp,    /* 512 bits, 8 qwords */
+                 struct mod_ctx_512 *data);
+typedef struct st_e_rsax_mod_ctx
+{
+  UINT64 type;
+  union {
+    struct mod_ctx_512 b512;
+  } ctx;
+} E_RSAX_MOD_CTX;
+static E_RSAX_MOD_CTX *e_rsax_get_ctx(RSA *rsa, int idx, BIGNUM* m)
+{
+        E_RSAX_MOD_CTX *hptr;
+        if (idx < 0 || idx > 2)
+           return NULL;
+        hptr = RSA_get_ex_data(rsa, rsax_ex_data_idx);
+        if (!hptr) {
+            hptr = OPENSSL_malloc(3*sizeof(E_RSAX_MOD_CTX));
+            if (!hptr) return NULL;
+            hptr[2].type = hptr[1].type= hptr[0].type = 0;
+            RSA_set_ex_data(rsa, rsax_ex_data_idx, hptr);
+        }
+        if (hptr[idx].type == (UINT64)BN_num_bits(m))
+            return hptr+idx;
+        if (BN_num_bits(m) == 512) {
+            UINT64 _m[8];
+            bn_extract_to_array_512(m, 8, _m);
+            memset( &hptr[idx].ctx.b512, 0, sizeof(struct mod_ctx_512));
+            mod_exp_pre_compute_data_512(_m, &hptr[idx].ctx.b512);
+        }
+        hptr[idx].type = BN_num_bits(m);
+        return hptr+idx;
+}
+static int e_rsax_rsa_finish(RSA *rsa)
+        {
+        E_RSAX_MOD_CTX *hptr = RSA_get_ex_data(rsa, rsax_ex_data_idx);
+        if(hptr)
+                {
+                OPENSSL_free(hptr);
+                RSA_set_ex_data(rsa, rsax_ex_data_idx, NULL);
+                }
+        if (rsa->_method_mod_n)
+                BN_MONT_CTX_free(rsa->_method_mod_n);
+        if (rsa->_method_mod_p)
+                BN_MONT_CTX_free(rsa->_method_mod_p);
+        if (rsa->_method_mod_q)
+                BN_MONT_CTX_free(rsa->_method_mod_q);
+        return 1;
+        }
+static int e_rsax_bn_mod_exp(BIGNUM *r, const BIGNUM *g, const BIGNUM *e,
+                    const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont, E_RSAX_MOD_CTX* rsax_mod_ctx )
+{
+        if (rsax_mod_ctx && BN_get_flags(e, BN_FLG_CONSTTIME) != 0) {
+           if (BN_num_bits(m) == 512) {
+                UINT64 _r[8];
+                UINT64 _g[8];
+                UINT64 _e[8];
+                /* Init the arrays from the BIGNUMs */
+                bn_extract_to_array_512(g, 8, _g);
+                bn_extract_to_array_512(e, 8, _e);
+                mod_exp_512(_r, _g, _e, &rsax_mod_ctx->ctx.b512);
+                /* Return the result in the BIGNUM */
+                interleaved_array_to_bn_512(r, _r);
+                return 1;
+           }
+        }
+        return BN_mod_exp_mont(r, g, e, m, ctx, in_mont);
+}
+/* Declares for the Intel CIAP 512-bit / CRT / 1024 bit RSA modular
+ * exponentiation routine precalculations and a structure to hold the
+ * necessary values.  These files are meant to live in crypto/rsa/ in
+ * the target openssl.
+ */
+/*
+ * Local method: extracts a piece from a BIGNUM, to fit it into
+ * an array. Call with n=8 to extract an entire 512-bit BIGNUM
+ */
+static int bn_extract_to_array_512(const BIGNUM* b, unsigned int n, UINT64 *array)
+{
+        int i;
+        UINT64 tmp;
+        unsigned char bn_buff[64];
+        memset(bn_buff, 0, 64);
+        if (BN_num_bytes(b) > 64) {
+                printf ("Can't support this byte size\n");
+                return 0; }
+        if (BN_num_bytes(b)!=0) {
+                if (!BN_bn2bin(b, bn_buff+(64-BN_num_bytes(b)))) {
+                        printf ("Error's in bn2bin\n");
+                        /* We have to error, here */
+                        return 0; } }
+        while (n-- > 0) {
+                array[n] = 0;
+                for (i=7; i>=0; i--) {
+                        tmp = bn_buff[63-(n*8+i)];
+                        array[n] |= tmp << (8*i); } }
+        return 1;
+}
+/* Init a 512-bit BIGNUM from the UINT64*_ (8 * 64) interleaved array */
+static int interleaved_array_to_bn_512(BIGNUM* b, UINT64 *array)
+{
+        unsigned char tmp[64];
+        int n=8;
+        int i;
+        while (n-- > 0) {
+                for (i = 7; i>=0; i--) {
+                        tmp[63-(n*8+i)] = (unsigned char)(array[n]>>(8*i)); } }
+        BN_bin2bn(tmp, 64, b);
+        return 0;
+}
+/* The main 512bit precompute call */
+static int mod_exp_pre_compute_data_512(UINT64 *m, struct mod_ctx_512 *data)
+ {
+    BIGNUM two_768, two_640, two_128, two_512, tmp, _m, tmp2;
+    /* We need a BN_CTX for the modulo functions */
+    BN_CTX* ctx;
+    /* Some tmps */
+    UINT64 _t[8];
+    int i, j, ret = 0;
+    /* Init _m with m */
+    BN_init(&_m);
+    interleaved_array_to_bn_512(&_m, m);
+    memset(_t, 0, 64);
+    /* Inits */
+    BN_init(&two_768);
+    BN_init(&two_640);
+    BN_init(&two_128);
+    BN_init(&two_512);
+    BN_init(&tmp);
+    BN_init(&tmp2);
+    /* Create our context */
+    if ((ctx=BN_CTX_new()) == NULL) { goto err; }
+        BN_CTX_start(ctx);
+    /*
+     * For production, if you care, these only need to be set once,
+     * and may be made constants.
+     */
+    BN_lshift(&two_768, BN_value_one(), 768);
+    BN_lshift(&two_640, BN_value_one(), 640);
+    BN_lshift(&two_128, BN_value_one(), 128);
+    BN_lshift(&two_512, BN_value_one(), 512);
+    if (0 == (m[7] & 0x8000000000000000)) {
+        exit(1);
+    }
+    if (0 == (m[0] & 0x1)) { /* Odd modulus required for Mont */
+        exit(1);
+    }
+    /* Precompute m1 */
+    BN_mod(&tmp, &two_768, &_m, ctx);
+    if (!bn_extract_to_array_512(&tmp, 8, &data->m1[0])) {
+            goto err; }
+    /* Precompute m2 */
+    BN_mod(&tmp, &two_640, &_m, ctx);
+    if (!bn_extract_to_array_512(&tmp, 8, &data->m2[0])) {
+            goto err;
+    }
+    /*
+     * Precompute k1, a 128b number = ((-1)* m-1 ) mod 2128; k1 should
+     * be non-negative.
+     */
+    BN_mod_inverse(&tmp, &_m, &two_128, ctx);
+    if (!BN_is_zero(&tmp)) { BN_sub(&tmp, &two_128, &tmp); }
+    if (!bn_extract_to_array_512(&tmp, 2, &data->k1[0])) {
+            goto err; }
+    /* Precompute t */
+    for (i=0; i<8; i++) {
+        BN_zero(&tmp);
+        if (i & 1) { BN_add(&tmp, &two_512, &tmp); }
+        if (i & 2) { BN_add(&tmp, &two_512, &tmp); }
+        if (i & 4) { BN_add(&tmp, &two_640, &tmp); }
+        BN_nnmod(&tmp2, &tmp, &_m, ctx);
+        if (!bn_extract_to_array_512(&tmp2, 8, _t)) {
+                goto err; }
+        for (j=0; j<8; j++) data->t[j][i] = _t[j]; }
+    /* Precompute m */
+    for (i=0; i<8; i++) {
+        data->m[i] = m[i]; }
+    ret = 1;
+err:
+    /* Cleanup */
+        if (ctx != NULL) {
+                BN_CTX_end(ctx); BN_CTX_free(ctx); }
+    BN_free(&two_768);
+    BN_free(&two_640);
+    BN_free(&two_128);
+    BN_free(&two_512);
+    BN_free(&tmp);
+    BN_free(&tmp2);
+    BN_free(&_m);
+    return ret;
+}
+static int e_rsax_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
+        {
+        BIGNUM *r1,*m1,*vrfy;
+        BIGNUM local_dmp1,local_dmq1,local_c,local_r1;
+        BIGNUM *dmp1,*dmq1,*c,*pr1;
+        int ret=0;
+        BN_CTX_start(ctx);
+        r1 = BN_CTX_get(ctx);
+        m1 = BN_CTX_get(ctx);
+        vrfy = BN_CTX_get(ctx);
+        {
+                BIGNUM local_p, local_q;
+                BIGNUM *p = NULL, *q = NULL;
+                int error = 0;
+                /* Make sure BN_mod_inverse in Montgomery
+                 * intialization uses the BN_FLG_CONSTTIME flag
+                 * (unless RSA_FLAG_NO_CONSTTIME is set)
+                 */
+                if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
+                        {
+                        BN_init(&local_p);
+                        p = &local_p;
+                        BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
+                        BN_init(&local_q);
+                        q = &local_q;
+                        BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
+                        }
+                else
+                        {
+                        p = rsa->p;
+                        q = rsa->q;
+                        }
+                if (rsa->flags & RSA_FLAG_CACHE_PRIVATE)
+                        {
+                        if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, CRYPTO_LOCK_RSA, p, ctx))
+                                error = 1;
+                        if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q, CRYPTO_LOCK_RSA, q, ctx))
+                                error = 1;
+                        }
+                /* clean up */
+                if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
+                        {
+                        BN_free(&local_p);
+                        BN_free(&local_q);
+                        }
+                if ( error )
+                        goto err;
+        }
+        if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
+                if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
+                        goto err;
+        /* compute I mod q */
+        if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
+                {
+                c = &local_c;
+                BN_with_flags(c, I, BN_FLG_CONSTTIME);
+                if (!BN_mod(r1,c,rsa->q,ctx)) goto err;
+                }
+        else
+                {
+                if (!BN_mod(r1,I,rsa->q,ctx)) goto err;
+                }
+        /* compute r1^dmq1 mod q */
+        if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
+                {
+                dmq1 = &local_dmq1;
+                BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
+                }
+        else
+                dmq1 = rsa->dmq1;
+        if (!e_rsax_bn_mod_exp(m1,r1,dmq1,rsa->q,ctx,
+                rsa->_method_mod_q, e_rsax_get_ctx(rsa, 0, rsa->q) )) goto err;
+        /* compute I mod p */
+        if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
+                {
+                c = &local_c;
+                BN_with_flags(c, I, BN_FLG_CONSTTIME);
+                if (!BN_mod(r1,c,rsa->p,ctx)) goto err;
+                }
+        else
+                {
+                if (!BN_mod(r1,I,rsa->p,ctx)) goto err;
+                }
+        /* compute r1^dmp1 mod p */
+        if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
+                {
+                dmp1 = &local_dmp1;
+                BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
+                }
+        else
+                dmp1 = rsa->dmp1;
+        if (!e_rsax_bn_mod_exp(r0,r1,dmp1,rsa->p,ctx,
+                rsa->_method_mod_p, e_rsax_get_ctx(rsa, 1, rsa->p) )) goto err;
+        if (!BN_sub(r0,r0,m1)) goto err;
+        /* This will help stop the size of r0 increasing, which does
+         * affect the multiply if it optimised for a power of 2 size */
+        if (BN_is_negative(r0))
+                if (!BN_add(r0,r0,rsa->p)) goto err;
+        if (!BN_mul(r1,r0,rsa->iqmp,ctx)) goto err;
+        /* Turn BN_FLG_CONSTTIME flag on before division operation */
+        if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
+                {
+                pr1 = &local_r1;
+                BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
+                }
+        else
+                pr1 = r1;
+        if (!BN_mod(r0,pr1,rsa->p,ctx)) goto err;
+        /* If p < q it is occasionally possible for the correction of
+         * adding 'p' if r0 is negative above to leave the result still
+         * negative. This can break the private key operations: the following
+         * second correction should *always* correct this rare occurrence.
+         * This will *never* happen with OpenSSL generated keys because
+         * they ensure p > q [steve]
+         */
+        if (BN_is_negative(r0))
+                if (!BN_add(r0,r0,rsa->p)) goto err;
+        if (!BN_mul(r1,r0,rsa->q,ctx)) goto err;
+        if (!BN_add(r0,r1,m1)) goto err;
+        if (rsa->e && rsa->n)
+                {
+                if (!e_rsax_bn_mod_exp(vrfy,r0,rsa->e,rsa->n,ctx,rsa->_method_mod_n, e_rsax_get_ctx(rsa, 2, rsa->n) ))
+                    goto err;
+                /* If 'I' was greater than (or equal to) rsa->n, the operation
+                 * will be equivalent to using 'I mod n'. However, the result of
+                 * the verify will *always* be less than 'n' so we don't check
+                 * for absolute equality, just congruency. */
+                if (!BN_sub(vrfy, vrfy, I)) goto err;
+                if (!BN_mod(vrfy, vrfy, rsa->n, ctx)) goto err;
+                if (BN_is_negative(vrfy))
+                        if (!BN_add(vrfy, vrfy, rsa->n)) goto err;
+                if (!BN_is_zero(vrfy))
+                        {
+                        /* 'I' and 'vrfy' aren't congruent mod n. Don't leak
+                         * miscalculated CRT output, just do a raw (slower)
+                         * mod_exp and return that instead. */
+                        BIGNUM local_d;
+                        BIGNUM *d = NULL;
+                        if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
+                                {
+                                d = &local_d;
+                                BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
+                                }
+                        else
+                                d = rsa->d;
+                        if (!e_rsax_bn_mod_exp(r0,I,d,rsa->n,ctx,
+                                                   rsa->_method_mod_n, e_rsax_get_ctx(rsa, 2, rsa->n) )) goto err;
+                        }
+                }
+        ret=1;
+err:
+        BN_CTX_end(ctx);
+        return ret;
+        }
+#endif /* !OPENSSL_NO_RSA */
+#endif /* !COMPILE_RSAX */

diff --git a/src/lib/libcrypto/engine/eng_rsax.c b/src/lib/libcrypto/engine/eng_rsax.c new file mode 100644 index 0000000000..96e63477ee --- /dev/null +++ b/src/lib/libcrypto/engine/eng_rsax.c
@@ -0,0 +1,668 @@
	1	/* crypto/engine/eng_rsax.c */
	2	/* Copyright (c) 2010-2010 Intel Corp.
	3	* Author: Vinodh.Gopal@intel.com
	4	* Jim Guilford
	5	* Erdinc.Ozturk@intel.com
	6	* Maxim.Perminov@intel.com
	7	* Ying.Huang@intel.com
	8	*
	9	* More information about algorithm used can be found at:
	10	* http://www.cse.buffalo.edu/srds2009/escs2009_submission_Gopal.pdf
	11	*/
	12	/* ====================================================================
	13	* Copyright (c) 1999-2001 The OpenSSL Project. All rights reserved.
	14	*
	15	* Redistribution and use in source and binary forms, with or without
	16	* modification, are permitted provided that the following conditions
	17	* are met:
	18	*
	19	* 1. Redistributions of source code must retain the above copyright
	20	* notice, this list of conditions and the following disclaimer.
	21	*
	22	* 2. Redistributions in binary form must reproduce the above copyright
	23	* notice, this list of conditions and the following disclaimer in
	24	* the documentation and/or other materials provided with the
	25	* distribution.
	26	*
	27	* 3. All advertising materials mentioning features or use of this
	28	* software must display the following acknowledgment:
	29	* "This product includes software developed by the OpenSSL Project
	30	* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
	31	*
	32	* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
	33	* endorse or promote products derived from this software without
	34	* prior written permission. For written permission, please contact
	35	* licensing@OpenSSL.org.
	36	*
	37	* 5. Products derived from this software may not be called "OpenSSL"
	38	* nor may "OpenSSL" appear in their names without prior written
	39	* permission of the OpenSSL Project.
	40	*
	41	* 6. Redistributions of any form whatsoever must retain the following
	42	* acknowledgment:
	43	* "This product includes software developed by the OpenSSL Project
	44	* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
	45	*
	46	* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
	47	* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	48	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
	49	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
	50	* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
	51	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	52	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
	53	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	54	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
	55	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
	56	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
	57	* OF THE POSSIBILITY OF SUCH DAMAGE.
	58	* ====================================================================
	59	*
	60	* This product includes cryptographic software written by Eric Young
	61	* (eay@cryptsoft.com). This product includes software written by Tim
	62	* Hudson (tjh@cryptsoft.com).
	63	*/
	64
	65	#include <openssl/opensslconf.h>
	66
	67	#include <stdio.h>
	68	#include <string.h>
	69	#include <openssl/crypto.h>
	70	#include <openssl/buffer.h>
	71	#include <openssl/engine.h>
	72	#ifndef OPENSSL_NO_RSA
	73	#include <openssl/rsa.h>
	74	#endif
	75	#include <openssl/bn.h>
	76	#include <openssl/err.h>
	77
	78	/* RSAX is available *ONLY on x86_64 CPUs */
	79	#undef COMPILE_RSAX
	80
	81	#if (defined(__x86_64) \|\| defined(__x86_64__) \|\| \
	82	defined(_M_AMD64) \|\| defined (_M_X64)) && !defined(OPENSSL_NO_ASM)
	83	#define COMPILE_RSAX
	84	static ENGINE *ENGINE_rsax (void);
	85	#endif
	86
	87	void ENGINE_load_rsax (void)
	88	{
	89	/* On non-x86 CPUs it just returns. */
	90	#ifdef COMPILE_RSAX
	91	ENGINE *toadd = ENGINE_rsax();
	92	if(!toadd) return;
	93	ENGINE_add(toadd);
	94	ENGINE_free(toadd);
	95	ERR_clear_error();
	96	#endif
	97	}
	98
	99	#ifdef COMPILE_RSAX
	100	#define E_RSAX_LIB_NAME "rsax engine"
	101
	102	static int e_rsax_destroy(ENGINE *e);
	103	static int e_rsax_init(ENGINE *e);
	104	static int e_rsax_finish(ENGINE *e);
	105	static int e_rsax_ctrl(ENGINE e, int cmd, long i, void p, void (*f)(void));
	106
	107	#ifndef OPENSSL_NO_RSA
	108	/* RSA stuff */
	109	static int e_rsax_rsa_mod_exp(BIGNUM r, const BIGNUM I, RSA rsa, BN_CTX ctx);
	110	static int e_rsax_rsa_finish(RSA *r);
	111	#endif
	112
	113	static const ENGINE_CMD_DEFN e_rsax_cmd_defns[] = {
	114	{0, NULL, NULL, 0}
	115	};
	116
	117	#ifndef OPENSSL_NO_RSA
	118	/* Our internal RSA_METHOD that we provide pointers to */
	119	static RSA_METHOD e_rsax_rsa =
	120	{
	121	"Intel RSA-X method",
	122	NULL,
	123	NULL,
	124	NULL,
	125	NULL,
	126	e_rsax_rsa_mod_exp,
	127	NULL,
	128	NULL,
	129	e_rsax_rsa_finish,
	130	RSA_FLAG_CACHE_PUBLIC\|RSA_FLAG_CACHE_PRIVATE,
	131	NULL,
	132	NULL,
	133	NULL
	134	};
	135	#endif
	136
	137	/* Constants used when creating the ENGINE */
	138	static const char *engine_e_rsax_id = "rsax";
	139	static const char *engine_e_rsax_name = "RSAX engine support";
	140
	141	/* This internal function is used by ENGINE_rsax() */
	142	static int bind_helper(ENGINE *e)
	143	{
	144	#ifndef OPENSSL_NO_RSA
	145	const RSA_METHOD *meth1;
	146	#endif
	147	if(!ENGINE_set_id(e, engine_e_rsax_id) \|\|
	148	!ENGINE_set_name(e, engine_e_rsax_name) \|\|
	149	#ifndef OPENSSL_NO_RSA
	150	!ENGINE_set_RSA(e, &e_rsax_rsa) \|\|
	151	#endif
	152	!ENGINE_set_destroy_function(e, e_rsax_destroy) \|\|
	153	!ENGINE_set_init_function(e, e_rsax_init) \|\|
	154	!ENGINE_set_finish_function(e, e_rsax_finish) \|\|
	155	!ENGINE_set_ctrl_function(e, e_rsax_ctrl) \|\|
	156	!ENGINE_set_cmd_defns(e, e_rsax_cmd_defns))
	157	return 0;
	158
	159	#ifndef OPENSSL_NO_RSA
	160	meth1 = RSA_PKCS1_SSLeay();
	161	e_rsax_rsa.rsa_pub_enc = meth1->rsa_pub_enc;
	162	e_rsax_rsa.rsa_pub_dec = meth1->rsa_pub_dec;
	163	e_rsax_rsa.rsa_priv_enc = meth1->rsa_priv_enc;
	164	e_rsax_rsa.rsa_priv_dec = meth1->rsa_priv_dec;
	165	e_rsax_rsa.bn_mod_exp = meth1->bn_mod_exp;
	166	#endif
	167	return 1;
	168	}
	169
	170	static ENGINE *ENGINE_rsax(void)
	171	{
	172	ENGINE *ret = ENGINE_new();
	173	if(!ret)
	174	return NULL;
	175	if(!bind_helper(ret))
	176	{
	177	ENGINE_free(ret);
	178	return NULL;
	179	}
	180	return ret;
	181	}
	182
	183	#ifndef OPENSSL_NO_RSA
	184	/* Used to attach our own key-data to an RSA structure */
	185	static int rsax_ex_data_idx = -1;
	186	#endif
	187
	188	static int e_rsax_destroy(ENGINE *e)
	189	{
	190	return 1;
	191	}
	192
	193	/* (de)initialisation functions. */
	194	static int e_rsax_init(ENGINE *e)
	195	{
	196	#ifndef OPENSSL_NO_RSA
	197	if (rsax_ex_data_idx == -1)
	198	rsax_ex_data_idx = RSA_get_ex_new_index(0,
	199	NULL,
	200	NULL, NULL, NULL);
	201	#endif
	202	if (rsax_ex_data_idx == -1)
	203	return 0;
	204	return 1;
	205	}
	206
	207	static int e_rsax_finish(ENGINE *e)
	208	{
	209	return 1;
	210	}
	211
	212	static int e_rsax_ctrl(ENGINE e, int cmd, long i, void p, void (*f)(void))
	213	{
	214	int to_return = 1;
	215
	216	switch(cmd)
	217	{
	218	/* The command isn't understood by this engine */
	219	default:
	220	to_return = 0;
	221	break;
	222	}
	223
	224	return to_return;
	225	}
	226
	227
	228	#ifndef OPENSSL_NO_RSA
	229
	230	#ifdef _WIN32
	231	typedef unsigned __int64 UINT64;
	232	#else
	233	typedef unsigned long long UINT64;
	234	#endif
	235	typedef unsigned short UINT16;
	236
	237	/* Table t is interleaved in the following manner:
	238	* The order in memory is t[0][0], t[0][1], ..., t[0][7], t[1][0], ...
	239	* A particular 512-bit value is stored in t[][index] rather than the more
	240	* normal t[index][]; i.e. the qwords of a particular entry in t are not
	241	* adjacent in memory
	242	*/
	243
	244	/* Init BIGNUM b from the interleaved UINT64 array */
	245	static int interleaved_array_to_bn_512(BIGNUM* b, UINT64 *array);
	246
	247	/* Extract array elements from BIGNUM b
	248	* To set the whole array from b, call with n=8
	249	*/
	250	static int bn_extract_to_array_512(const BIGNUM* b, unsigned int n, UINT64 *array);
	251
	252	struct mod_ctx_512 {
	253	UINT64 t[8][8];
	254	UINT64 m[8];
	255	UINT64 m1[8]; /* 2^278 % m */
	256	UINT64 m2[8]; /* 2^640 % m */
	257	UINT64 k1[2]; /* (- 1/m) % 2^128 */
	258	};
	259
	260	static int mod_exp_pre_compute_data_512(UINT64 m, struct mod_ctx_512 data);
	261
	262	void mod_exp_512(UINT64 result, / 512 bits, 8 qwords */
	263	UINT64 g, / 512 bits, 8 qwords */
	264	UINT64 exp, / 512 bits, 8 qwords */
	265	struct mod_ctx_512 *data);
	266
	267	typedef struct st_e_rsax_mod_ctx
	268	{
	269	UINT64 type;
	270	union {
	271	struct mod_ctx_512 b512;
	272	} ctx;
	273
	274	} E_RSAX_MOD_CTX;
	275
	276	static E_RSAX_MOD_CTX e_rsax_get_ctx(RSA rsa, int idx, BIGNUM* m)
	277	{
	278	E_RSAX_MOD_CTX *hptr;
	279
	280	if (idx < 0 \|\| idx > 2)
	281	return NULL;
	282
	283	hptr = RSA_get_ex_data(rsa, rsax_ex_data_idx);
	284	if (!hptr) {
	285	hptr = OPENSSL_malloc(3*sizeof(E_RSAX_MOD_CTX));
	286	if (!hptr) return NULL;
	287	hptr[2].type = hptr[1].type= hptr[0].type = 0;
	288	RSA_set_ex_data(rsa, rsax_ex_data_idx, hptr);
	289	}
	290
	291	if (hptr[idx].type == (UINT64)BN_num_bits(m))
	292	return hptr+idx;
	293
	294	if (BN_num_bits(m) == 512) {
	295	UINT64 _m[8];
	296	bn_extract_to_array_512(m, 8, _m);
	297	memset( &hptr[idx].ctx.b512, 0, sizeof(struct mod_ctx_512));
	298	mod_exp_pre_compute_data_512(_m, &hptr[idx].ctx.b512);
	299	}
	300
	301	hptr[idx].type = BN_num_bits(m);
	302	return hptr+idx;
	303	}
	304
	305	static int e_rsax_rsa_finish(RSA *rsa)
	306	{
	307	E_RSAX_MOD_CTX *hptr = RSA_get_ex_data(rsa, rsax_ex_data_idx);
	308	if(hptr)
	309	{
	310	OPENSSL_free(hptr);
	311	RSA_set_ex_data(rsa, rsax_ex_data_idx, NULL);
	312	}
	313	if (rsa->_method_mod_n)
	314	BN_MONT_CTX_free(rsa->_method_mod_n);
	315	if (rsa->_method_mod_p)
	316	BN_MONT_CTX_free(rsa->_method_mod_p);
	317	if (rsa->_method_mod_q)
	318	BN_MONT_CTX_free(rsa->_method_mod_q);
	319	return 1;
	320	}
	321
	322
	323	static int e_rsax_bn_mod_exp(BIGNUM r, const BIGNUM g, const BIGNUM *e,
	324	const BIGNUM m, BN_CTX ctx, BN_MONT_CTX in_mont, E_RSAX_MOD_CTX rsax_mod_ctx )
	325	{
	326	if (rsax_mod_ctx && BN_get_flags(e, BN_FLG_CONSTTIME) != 0) {
	327	if (BN_num_bits(m) == 512) {
	328	UINT64 _r[8];
	329	UINT64 _g[8];
	330	UINT64 _e[8];
	331
	332	/* Init the arrays from the BIGNUMs */
	333	bn_extract_to_array_512(g, 8, _g);
	334	bn_extract_to_array_512(e, 8, _e);
	335
	336	mod_exp_512(_r, _g, _e, &rsax_mod_ctx->ctx.b512);
	337	/* Return the result in the BIGNUM */
	338	interleaved_array_to_bn_512(r, _r);
	339	return 1;
	340	}
	341	}
	342
	343	return BN_mod_exp_mont(r, g, e, m, ctx, in_mont);
	344	}
	345
	346	/* Declares for the Intel CIAP 512-bit / CRT / 1024 bit RSA modular
	347	* exponentiation routine precalculations and a structure to hold the
	348	* necessary values. These files are meant to live in crypto/rsa/ in
	349	* the target openssl.
	350	*/
	351
	352	/*
	353	* Local method: extracts a piece from a BIGNUM, to fit it into
	354	* an array. Call with n=8 to extract an entire 512-bit BIGNUM
	355	*/
	356	static int bn_extract_to_array_512(const BIGNUM* b, unsigned int n, UINT64 *array)
	357	{
	358	int i;
	359	UINT64 tmp;
	360	unsigned char bn_buff[64];
	361	memset(bn_buff, 0, 64);
	362	if (BN_num_bytes(b) > 64) {
	363	printf ("Can't support this byte size\n");
	364	return 0; }
	365	if (BN_num_bytes(b)!=0) {
	366	if (!BN_bn2bin(b, bn_buff+(64-BN_num_bytes(b)))) {
	367	printf ("Error's in bn2bin\n");
	368	/* We have to error, here */
	369	return 0; } }
	370	while (n-- > 0) {
	371	array[n] = 0;
	372	for (i=7; i>=0; i--) {
	373	tmp = bn_buff[63-(n*8+i)];
	374	array[n] \|= tmp << (8*i); } }
	375	return 1;
	376	}
	377
	378	/* Init a 512-bit BIGNUM from the UINT64_ (8 64) interleaved array */
	379	static int interleaved_array_to_bn_512(BIGNUM* b, UINT64 *array)
	380	{
	381	unsigned char tmp[64];
	382	int n=8;
	383	int i;
	384	while (n-- > 0) {
	385	for (i = 7; i>=0; i--) {
	386	tmp[63-(n8+i)] = (unsigned char)(array[n]>>(8i)); } }
	387	BN_bin2bn(tmp, 64, b);
	388	return 0;
	389	}
	390
	391
	392	/* The main 512bit precompute call */
	393	static int mod_exp_pre_compute_data_512(UINT64 m, struct mod_ctx_512 data)
	394	{
	395	BIGNUM two_768, two_640, two_128, two_512, tmp, _m, tmp2;
	396
	397	/* We need a BN_CTX for the modulo functions */
	398	BN_CTX* ctx;
	399	/* Some tmps */
	400	UINT64 _t[8];
	401	int i, j, ret = 0;
	402
	403	/* Init _m with m */
	404	BN_init(&_m);
	405	interleaved_array_to_bn_512(&_m, m);
	406	memset(_t, 0, 64);
	407
	408	/* Inits */
	409	BN_init(&two_768);
	410	BN_init(&two_640);
	411	BN_init(&two_128);
	412	BN_init(&two_512);
	413	BN_init(&tmp);
	414	BN_init(&tmp2);
	415
	416	/* Create our context */
	417	if ((ctx=BN_CTX_new()) == NULL) { goto err; }
	418	BN_CTX_start(ctx);
	419
	420	/*
	421	* For production, if you care, these only need to be set once,
	422	* and may be made constants.
	423	*/
	424	BN_lshift(&two_768, BN_value_one(), 768);
	425	BN_lshift(&two_640, BN_value_one(), 640);
	426	BN_lshift(&two_128, BN_value_one(), 128);
	427	BN_lshift(&two_512, BN_value_one(), 512);
	428
	429	if (0 == (m[7] & 0x8000000000000000)) {
	430	exit(1);
	431	}
	432	if (0 == (m[0] & 0x1)) { /* Odd modulus required for Mont */
	433	exit(1);
	434	}
	435
	436	/* Precompute m1 */
	437	BN_mod(&tmp, &two_768, &_m, ctx);
	438	if (!bn_extract_to_array_512(&tmp, 8, &data->m1[0])) {
	439	goto err; }
	440
	441	/* Precompute m2 */
	442	BN_mod(&tmp, &two_640, &_m, ctx);
	443	if (!bn_extract_to_array_512(&tmp, 8, &data->m2[0])) {
	444	goto err;
	445	}
	446
	447	/*
	448	* Precompute k1, a 128b number = ((-1)* m-1 ) mod 2128; k1 should
	449	* be non-negative.
	450	*/
	451	BN_mod_inverse(&tmp, &_m, &two_128, ctx);
	452	if (!BN_is_zero(&tmp)) { BN_sub(&tmp, &two_128, &tmp); }
	453	if (!bn_extract_to_array_512(&tmp, 2, &data->k1[0])) {
	454	goto err; }
	455
	456	/* Precompute t */
	457	for (i=0; i<8; i++) {
	458	BN_zero(&tmp);
	459	if (i & 1) { BN_add(&tmp, &two_512, &tmp); }
	460	if (i & 2) { BN_add(&tmp, &two_512, &tmp); }
	461	if (i & 4) { BN_add(&tmp, &two_640, &tmp); }
	462
	463	BN_nnmod(&tmp2, &tmp, &_m, ctx);
	464	if (!bn_extract_to_array_512(&tmp2, 8, _t)) {
	465	goto err; }
	466	for (j=0; j<8; j++) data->t[j][i] = _t[j]; }
	467
	468	/* Precompute m */
	469	for (i=0; i<8; i++) {
	470	data->m[i] = m[i]; }
	471
	472	ret = 1;
	473
	474	err:
	475	/* Cleanup */
	476	if (ctx != NULL) {
	477	BN_CTX_end(ctx); BN_CTX_free(ctx); }
	478	BN_free(&two_768);
	479	BN_free(&two_640);
	480	BN_free(&two_128);
	481	BN_free(&two_512);
	482	BN_free(&tmp);
	483	BN_free(&tmp2);
	484	BN_free(&_m);
	485
	486	return ret;
	487	}
	488
	489
	490	static int e_rsax_rsa_mod_exp(BIGNUM r0, const BIGNUM I, RSA rsa, BN_CTX ctx)
	491	{
	492	BIGNUM r1,m1,*vrfy;
	493	BIGNUM local_dmp1,local_dmq1,local_c,local_r1;
	494	BIGNUM dmp1,dmq1,c,pr1;
	495	int ret=0;
	496
	497	BN_CTX_start(ctx);
	498	r1 = BN_CTX_get(ctx);
	499	m1 = BN_CTX_get(ctx);
	500	vrfy = BN_CTX_get(ctx);
	501
	502	{
	503	BIGNUM local_p, local_q;
	504	BIGNUM p = NULL, q = NULL;
	505	int error = 0;
	506
	507	/* Make sure BN_mod_inverse in Montgomery
	508	* intialization uses the BN_FLG_CONSTTIME flag
	509	* (unless RSA_FLAG_NO_CONSTTIME is set)
	510	*/
	511	if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
	512	{
	513	BN_init(&local_p);
	514	p = &local_p;
	515	BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
	516
	517	BN_init(&local_q);
	518	q = &local_q;
	519	BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
	520	}
	521	else
	522	{
	523	p = rsa->p;
	524	q = rsa->q;
	525	}
	526
	527	if (rsa->flags & RSA_FLAG_CACHE_PRIVATE)
	528	{
	529	if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, CRYPTO_LOCK_RSA, p, ctx))
	530	error = 1;
	531	if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q, CRYPTO_LOCK_RSA, q, ctx))
	532	error = 1;
	533	}
	534
	535	/* clean up */
	536	if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
	537	{
	538	BN_free(&local_p);
	539	BN_free(&local_q);
	540	}
	541	if ( error )
	542	goto err;
	543	}
	544
	545	if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
	546	if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
	547	goto err;
	548
	549	/* compute I mod q */
	550	if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
	551	{
	552	c = &local_c;
	553	BN_with_flags(c, I, BN_FLG_CONSTTIME);
	554	if (!BN_mod(r1,c,rsa->q,ctx)) goto err;
	555	}
	556	else
	557	{
	558	if (!BN_mod(r1,I,rsa->q,ctx)) goto err;
	559	}
	560
	561	/* compute r1^dmq1 mod q */
	562	if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
	563	{
	564	dmq1 = &local_dmq1;
	565	BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
	566	}
	567	else
	568	dmq1 = rsa->dmq1;
	569
	570	if (!e_rsax_bn_mod_exp(m1,r1,dmq1,rsa->q,ctx,
	571	rsa->_method_mod_q, e_rsax_get_ctx(rsa, 0, rsa->q) )) goto err;
	572
	573	/* compute I mod p */
	574	if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
	575	{
	576	c = &local_c;
	577	BN_with_flags(c, I, BN_FLG_CONSTTIME);
	578	if (!BN_mod(r1,c,rsa->p,ctx)) goto err;
	579	}
	580	else
	581	{
	582	if (!BN_mod(r1,I,rsa->p,ctx)) goto err;
	583	}
	584
	585	/* compute r1^dmp1 mod p */
	586	if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
	587	{
	588	dmp1 = &local_dmp1;
	589	BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
	590	}
	591	else
	592	dmp1 = rsa->dmp1;
	593
	594	if (!e_rsax_bn_mod_exp(r0,r1,dmp1,rsa->p,ctx,
	595	rsa->_method_mod_p, e_rsax_get_ctx(rsa, 1, rsa->p) )) goto err;
	596
	597	if (!BN_sub(r0,r0,m1)) goto err;
	598	/* This will help stop the size of r0 increasing, which does
	599	* affect the multiply if it optimised for a power of 2 size */
	600	if (BN_is_negative(r0))
	601	if (!BN_add(r0,r0,rsa->p)) goto err;
	602
	603	if (!BN_mul(r1,r0,rsa->iqmp,ctx)) goto err;
	604
	605	/* Turn BN_FLG_CONSTTIME flag on before division operation */
	606	if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
	607	{
	608	pr1 = &local_r1;
	609	BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
	610	}
	611	else
	612	pr1 = r1;
	613	if (!BN_mod(r0,pr1,rsa->p,ctx)) goto err;
	614
	615	/* If p < q it is occasionally possible for the correction of
	616	* adding 'p' if r0 is negative above to leave the result still
	617	* negative. This can break the private key operations: the following
	618	* second correction should always correct this rare occurrence.
	619	* This will never happen with OpenSSL generated keys because
	620	* they ensure p > q [steve]
	621	*/
	622	if (BN_is_negative(r0))
	623	if (!BN_add(r0,r0,rsa->p)) goto err;
	624	if (!BN_mul(r1,r0,rsa->q,ctx)) goto err;
	625	if (!BN_add(r0,r1,m1)) goto err;
	626
	627	if (rsa->e && rsa->n)
	628	{
	629	if (!e_rsax_bn_mod_exp(vrfy,r0,rsa->e,rsa->n,ctx,rsa->_method_mod_n, e_rsax_get_ctx(rsa, 2, rsa->n) ))
	630	goto err;
	631
	632	/* If 'I' was greater than (or equal to) rsa->n, the operation
	633	* will be equivalent to using 'I mod n'. However, the result of
	634	* the verify will always be less than 'n' so we don't check
	635	* for absolute equality, just congruency. */
	636	if (!BN_sub(vrfy, vrfy, I)) goto err;
	637	if (!BN_mod(vrfy, vrfy, rsa->n, ctx)) goto err;
	638	if (BN_is_negative(vrfy))
	639	if (!BN_add(vrfy, vrfy, rsa->n)) goto err;
	640	if (!BN_is_zero(vrfy))
	641	{
	642	/* 'I' and 'vrfy' aren't congruent mod n. Don't leak
	643	* miscalculated CRT output, just do a raw (slower)
	644	* mod_exp and return that instead. */
	645
	646	BIGNUM local_d;
	647	BIGNUM *d = NULL;
	648
	649	if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
	650	{
	651	d = &local_d;
	652	BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
	653	}
	654	else
	655	d = rsa->d;
	656	if (!e_rsax_bn_mod_exp(r0,I,d,rsa->n,ctx,
	657	rsa->_method_mod_n, e_rsax_get_ctx(rsa, 2, rsa->n) )) goto err;
	658	}
	659	}
	660	ret=1;
	661
	662	err:
	663	BN_CTX_end(ctx);
	664
	665	return ret;
	666	}
	667	#endif /* !OPENSSL_NO_RSA */
	668	#endif /* !COMPILE_RSAX */