1 files changed, 147 insertions, 100 deletions
diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c
index d4caab3f95..be4ac96ce3 100644
--- a/src/lib/libcrypto/rsa/rsa_eay.c
+++ b/src/lib/libcrypto/rsa/rsa_eay.c
@@ -55,6 +55,59 @@
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */
+/* ====================================================================
+ * Copyright (c) 1998-2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
 #include <stdio.h>
 #include "cryptlib.h"
@@ -145,30 +198,13 @@ static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
                goto err;
                }
-        if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
+        if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
                {
-                BN_MONT_CTX* bn_mont_ctx;
+                if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
-                if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)
+                                        CRYPTO_LOCK_RSA, rsa->n, ctx))
-                        goto err;
-                if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->n,ctx))
-                        {
-                        BN_MONT_CTX_free(bn_mont_ctx);
                        goto err;
-                        }
-                if (rsa->_method_mod_n == NULL) /* other thread may have finished first */
-                        {
-                        CRYPTO_w_lock(CRYPTO_LOCK_RSA);
-                        if (rsa->_method_mod_n == NULL)
-                                {
-                                rsa->_method_mod_n = bn_mont_ctx;
-                                bn_mont_ctx = NULL;
-                                }
-                        CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
-                        }
-                if (bn_mont_ctx)
-                        BN_MONT_CTX_free(bn_mont_ctx);
                }
-                
        if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
                rsa->_method_mod_n)) goto err;
@@ -249,7 +285,7 @@ err:
 static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
             unsigned char *to, RSA *rsa, int padding)
        {
-        BIGNUM f,ret;
+        BIGNUM f,ret, *res;
        int i,j,k,num=0,r= -1;
        unsigned char *buf=NULL;
        BN_CTX *ctx=NULL;
@@ -331,19 +367,43 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
                (rsa->dmp1 != NULL) &&
                (rsa->dmq1 != NULL) &&
                (rsa->iqmp != NULL)) )
-                { if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
+                { 
+                if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err;
+                }
        else
                {
-                if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err;
+                BIGNUM local_d;
+                BIGNUM *d = NULL;
+                
+                if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME))
+                        {
+                        BN_init(&local_d);
+                        d = &local_d;
+                        BN_with_flags(d, rsa->d, BN_FLG_EXP_CONSTTIME);
+                        }
+                else
+                        d = rsa->d;
+                if (!rsa->meth->bn_mod_exp(&ret,&f,d,rsa->n,ctx,NULL)) goto err;
                }
        if (blinding)
                if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err;
+        if (padding == RSA_X931_PADDING)
+                {
+                BN_sub(&f, rsa->n, &ret);
+                if (BN_cmp(&ret, &f))
+                        res = &f;
+                else
+                        res = &ret;
+                }
+        else
+                res = &ret;
        /* put in leading 0 bytes if the number is less than the
         * length of the modulus */
-        j=BN_num_bytes(&ret);
+        j=BN_num_bytes(res);
-        i=BN_bn2bin(&ret,&(to[num-j]));
+        i=BN_bn2bin(res,&(to[num-j]));
        for (k=0; k<(num-i); k++)
                to[k]=0;
@@ -444,10 +504,22 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
                (rsa->dmp1 != NULL) &&
                (rsa->dmq1 != NULL) &&
                (rsa->iqmp != NULL)) )
-                { if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
+                {
+                if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err;
+                }
        else
                {
-                if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL))
+                BIGNUM local_d;
+                BIGNUM *d = NULL;
+                
+                if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME))
+                        {
+                        d = &local_d;
+                        BN_with_flags(d, rsa->d, BN_FLG_EXP_CONSTTIME);
+                        }
+                else
+                        d = rsa->d;
+                if (!rsa->meth->bn_mod_exp(&ret,&f,d,rsa->n,ctx,NULL))
                        goto err;
                }
@@ -534,33 +606,20 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
                }
        /* do the decrypt */
-        if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
+        if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
                {
-                BN_MONT_CTX* bn_mont_ctx;
+                if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
-                if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)
+                                        CRYPTO_LOCK_RSA, rsa->n, ctx))
-                        goto err;
-                if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->n,ctx))
-                        {
-                        BN_MONT_CTX_free(bn_mont_ctx);
                        goto err;
-                        }
-                if (rsa->_method_mod_n == NULL) /* other thread may have finished first */
-                        {
-                        CRYPTO_w_lock(CRYPTO_LOCK_RSA);
-                        if (rsa->_method_mod_n == NULL)
-                                {
-                                rsa->_method_mod_n = bn_mont_ctx;
-                                bn_mont_ctx = NULL;
-                                }
-                        CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
-                        }
-                if (bn_mont_ctx)
-                        BN_MONT_CTX_free(bn_mont_ctx);
                }
-                
        if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
                rsa->_method_mod_n)) goto err;
+        if ((padding == RSA_X931_PADDING) && ((ret.d[0] & 0xf) != 12))
+                BN_sub(&ret, rsa->n, &ret);
        p=buf;
        i=BN_bn2bin(&ret,p);
@@ -594,6 +653,8 @@ err:
 static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
        {
        BIGNUM r1,m1,vrfy;
+        BIGNUM local_dmp1, local_dmq1;
+        BIGNUM *dmp1, *dmq1;
        int ret=0;
        BN_CTX *ctx;
@@ -604,61 +665,34 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
        if (rsa->flags & RSA_FLAG_CACHE_PRIVATE)
                {
-                if (rsa->_method_mod_p == NULL)
+                if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p,
-                        {
+                                        CRYPTO_LOCK_RSA, rsa->p, ctx))
-                        BN_MONT_CTX* bn_mont_ctx;
+                        goto err;
-                        if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)
+                if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q,
-                                goto err;
+                                        CRYPTO_LOCK_RSA, rsa->q, ctx))
-                        if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->p,ctx))
+                        goto err;
-                                {
-                                BN_MONT_CTX_free(bn_mont_ctx);
-                                goto err;
-                                }
-                        if (rsa->_method_mod_p == NULL) /* other thread may have finished first */
-                                {
-                                CRYPTO_w_lock(CRYPTO_LOCK_RSA);
-                                if (rsa->_method_mod_p == NULL)
-                                        {
-                                        rsa->_method_mod_p = bn_mont_ctx;
-                                        bn_mont_ctx = NULL;
-                                        }
-                                CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
-                                }
-                        if (bn_mont_ctx)
-                                BN_MONT_CTX_free(bn_mont_ctx);
-                        }
-                if (rsa->_method_mod_q == NULL)
-                        {
-                        BN_MONT_CTX* bn_mont_ctx;
-                        if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)
-                                goto err;
-                        if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->q,ctx))
-                                {
-                                BN_MONT_CTX_free(bn_mont_ctx);
-                                goto err;
-                                }
-                        if (rsa->_method_mod_q == NULL) /* other thread may have finished first */
-                                {
-                                CRYPTO_w_lock(CRYPTO_LOCK_RSA);
-                                if (rsa->_method_mod_q == NULL)
-                                        {
-                                        rsa->_method_mod_q = bn_mont_ctx;
-                                        bn_mont_ctx = NULL;
-                                        }
-                                CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
-                                }
-                        if (bn_mont_ctx)
-                                BN_MONT_CTX_free(bn_mont_ctx);
-                        }
                }
-                
        if (!BN_mod(&r1,I,rsa->q,ctx)) goto err;
-        if (!rsa->meth->bn_mod_exp(&m1,&r1,rsa->dmq1,rsa->q,ctx,
+        if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME))
+                {
+                dmq1 = &local_dmq1;
+                BN_with_flags(dmq1, rsa->dmq1, BN_FLG_EXP_CONSTTIME);
+                }
+        else
+                dmq1 = rsa->dmq1;
+        if (!rsa->meth->bn_mod_exp(&m1,&r1,dmq1,rsa->q,ctx,
                rsa->_method_mod_q)) goto err;
        if (!BN_mod(&r1,I,rsa->p,ctx)) goto err;
-        if (!rsa->meth->bn_mod_exp(r0,&r1,rsa->dmp1,rsa->p,ctx,
+        if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME))
+                {
+                dmp1 = &local_dmp1;
+                BN_with_flags(dmp1, rsa->dmp1, BN_FLG_EXP_CONSTTIME);
+                }
+        else
+                dmp1 = rsa->dmp1;
+        if (!rsa->meth->bn_mod_exp(r0,&r1,dmp1,rsa->p,ctx,
                rsa->_method_mod_p)) goto err;
        if (!BN_sub(r0,r0,&m1)) goto err;
@@ -693,10 +727,23 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
                if (vrfy.neg)
                        if (!BN_add(&vrfy, &vrfy, rsa->n)) goto err;
                if (!BN_is_zero(&vrfy))
+                        {
                        /* 'I' and 'vrfy' aren't congruent mod n. Don't leak
                         * miscalculated CRT output, just do a raw (slower)
                         * mod_exp and return that instead. */
-                        if (!rsa->meth->bn_mod_exp(r0,I,rsa->d,rsa->n,ctx,NULL)) goto err;
+                        BIGNUM local_d;
+                        BIGNUM *d = NULL;
+                
+                        if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME))
+                                {
+                                d = &local_d;
+                                BN_with_flags(d, rsa->d, BN_FLG_EXP_CONSTTIME);
+                                }
+                        else
+                                d = rsa->d;
+                        if (!rsa->meth->bn_mod_exp(r0,I,d,rsa->n,ctx,NULL)) goto err;
+                        }
                }
        ret=1;
 err:

diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c index d4caab3f95..be4ac96ce3 100644 --- a/src/lib/libcrypto/rsa/rsa_eay.c +++ b/src/lib/libcrypto/rsa/rsa_eay.c
@@ -55,6 +55,59 @@
55	* copied and put under another distribution licence	55	* copied and put under another distribution licence
56	* [including the GNU Public Licence.]	56	* [including the GNU Public Licence.]
57	*/	57	*/
		58	/* ====================================================================
		59	* Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
		60	*
		61	* Redistribution and use in source and binary forms, with or without
		62	* modification, are permitted provided that the following conditions
		63	* are met:
		64	*
		65	* 1. Redistributions of source code must retain the above copyright
		66	* notice, this list of conditions and the following disclaimer.
		67	*
		68	* 2. Redistributions in binary form must reproduce the above copyright
		69	* notice, this list of conditions and the following disclaimer in
		70	* the documentation and/or other materials provided with the
		71	* distribution.
		72	*
		73	* 3. All advertising materials mentioning features or use of this
		74	* software must display the following acknowledgment:
		75	* "This product includes software developed by the OpenSSL Project
		76	* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
		77	*
		78	* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
		79	* endorse or promote products derived from this software without
		80	* prior written permission. For written permission, please contact
		81	* openssl-core@openssl.org.
		82	*
		83	* 5. Products derived from this software may not be called "OpenSSL"
		84	* nor may "OpenSSL" appear in their names without prior written
		85	* permission of the OpenSSL Project.
		86	*
		87	* 6. Redistributions of any form whatsoever must retain the following
		88	* acknowledgment:
		89	* "This product includes software developed by the OpenSSL Project
		90	* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
		91	*
		92	* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
		93	* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
		94	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
		95	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
		96	* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
		97	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
		98	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
		99	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
		100	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
		101	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
		102	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
		103	* OF THE POSSIBILITY OF SUCH DAMAGE.
		104	* ====================================================================
		105	*
		106	* This product includes cryptographic software written by Eric Young
		107	* (eay@cryptsoft.com). This product includes software written by Tim
		108	* Hudson (tjh@cryptsoft.com).
		109	*
		110	*/
58		111
59	#include <stdio.h>	112	#include <stdio.h>
60	#include "cryptlib.h"	113	#include "cryptlib.h"
@@ -145,30 +198,13 @@ static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
145	goto err;	198	goto err;
146	}	199	}
147		200
148	if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))	201	if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
149	{	202	{
150	BN_MONT_CTX* bn_mont_ctx;	203	if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
151	if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)	204	CRYPTO_LOCK_RSA, rsa->n, ctx))
152	goto err;
153	if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->n,ctx))
154	{
155	BN_MONT_CTX_free(bn_mont_ctx);
156	goto err;	205	goto err;
157	}
158	if (rsa->_method_mod_n == NULL) /* other thread may have finished first */
159	{
160	CRYPTO_w_lock(CRYPTO_LOCK_RSA);
161	if (rsa->_method_mod_n == NULL)
162	{
163	rsa->_method_mod_n = bn_mont_ctx;
164	bn_mont_ctx = NULL;
165	}
166	CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
167	}
168	if (bn_mont_ctx)
169	BN_MONT_CTX_free(bn_mont_ctx);
170	}	206	}
171		207
172	if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,	208	if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
173	rsa->_method_mod_n)) goto err;	209	rsa->_method_mod_n)) goto err;
174		210
@@ -249,7 +285,7 @@ err:
249	static int RSA_eay_private_encrypt(int flen, const unsigned char *from,	285	static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
250	unsigned char to, RSA rsa, int padding)	286	unsigned char to, RSA rsa, int padding)
251	{	287	{
252	BIGNUM f,ret;	288	BIGNUM f,ret, *res;
253	int i,j,k,num=0,r= -1;	289	int i,j,k,num=0,r= -1;
254	unsigned char *buf=NULL;	290	unsigned char *buf=NULL;
255	BN_CTX *ctx=NULL;	291	BN_CTX *ctx=NULL;
@@ -331,19 +367,43 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
331	(rsa->dmp1 != NULL) &&	367	(rsa->dmp1 != NULL) &&
332	(rsa->dmq1 != NULL) &&	368	(rsa->dmq1 != NULL) &&
333	(rsa->iqmp != NULL)) )	369	(rsa->iqmp != NULL)) )
334	{ if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }	370	{
		371	if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err;
		372	}
335	else	373	else
336	{	374	{
337	if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err;	375	BIGNUM local_d;
		376	BIGNUM *d = NULL;
		377
		378	if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME))
		379	{
		380	BN_init(&local_d);
		381	d = &local_d;
		382	BN_with_flags(d, rsa->d, BN_FLG_EXP_CONSTTIME);
		383	}
		384	else
		385	d = rsa->d;
		386	if (!rsa->meth->bn_mod_exp(&ret,&f,d,rsa->n,ctx,NULL)) goto err;
338	}	387	}
339		388
340	if (blinding)	389	if (blinding)
341	if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err;	390	if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err;
342		391
		392	if (padding == RSA_X931_PADDING)
		393	{
		394	BN_sub(&f, rsa->n, &ret);
		395	if (BN_cmp(&ret, &f))
		396	res = &f;
		397	else
		398	res = &ret;
		399	}
		400	else
		401	res = &ret;
		402
343	/* put in leading 0 bytes if the number is less than the	403	/* put in leading 0 bytes if the number is less than the
344	* length of the modulus */	404	* length of the modulus */
345	j=BN_num_bytes(&ret);	405	j=BN_num_bytes(res);
346	i=BN_bn2bin(&ret,&(to[num-j]));	406	i=BN_bn2bin(res,&(to[num-j]));
347	for (k=0; k<(num-i); k++)	407	for (k=0; k<(num-i); k++)
348	to[k]=0;	408	to[k]=0;
349		409
@@ -444,10 +504,22 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
444	(rsa->dmp1 != NULL) &&	504	(rsa->dmp1 != NULL) &&
445	(rsa->dmq1 != NULL) &&	505	(rsa->dmq1 != NULL) &&
446	(rsa->iqmp != NULL)) )	506	(rsa->iqmp != NULL)) )
447	{ if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }	507	{
		508	if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err;
		509	}
448	else	510	else
449	{	511	{
450	if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL))	512	BIGNUM local_d;
		513	BIGNUM *d = NULL;
		514
		515	if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME))
		516	{
		517	d = &local_d;
		518	BN_with_flags(d, rsa->d, BN_FLG_EXP_CONSTTIME);
		519	}
		520	else
		521	d = rsa->d;
		522	if (!rsa->meth->bn_mod_exp(&ret,&f,d,rsa->n,ctx,NULL))
451	goto err;	523	goto err;
452	}	524	}
453		525
@@ -534,33 +606,20 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
534	}	606	}
535		607
536	/* do the decrypt */	608	/* do the decrypt */
537	if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))	609
		610	if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
538	{	611	{
539	BN_MONT_CTX* bn_mont_ctx;	612	if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
540	if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)	613	CRYPTO_LOCK_RSA, rsa->n, ctx))
541	goto err;
542	if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->n,ctx))
543	{
544	BN_MONT_CTX_free(bn_mont_ctx);
545	goto err;	614	goto err;
546	}
547	if (rsa->_method_mod_n == NULL) /* other thread may have finished first */
548	{
549	CRYPTO_w_lock(CRYPTO_LOCK_RSA);
550	if (rsa->_method_mod_n == NULL)
551	{
552	rsa->_method_mod_n = bn_mont_ctx;
553	bn_mont_ctx = NULL;
554	}
555	CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
556	}
557	if (bn_mont_ctx)
558	BN_MONT_CTX_free(bn_mont_ctx);
559	}	615	}
560		616
561	if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,	617	if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
562	rsa->_method_mod_n)) goto err;	618	rsa->_method_mod_n)) goto err;
563		619
		620	if ((padding == RSA_X931_PADDING) && ((ret.d[0] & 0xf) != 12))
		621	BN_sub(&ret, rsa->n, &ret);
		622
564	p=buf;	623	p=buf;
565	i=BN_bn2bin(&ret,p);	624	i=BN_bn2bin(&ret,p);
566		625
@@ -594,6 +653,8 @@ err:
594	static int RSA_eay_mod_exp(BIGNUM r0, const BIGNUM I, RSA *rsa)	653	static int RSA_eay_mod_exp(BIGNUM r0, const BIGNUM I, RSA *rsa)
595	{	654	{
596	BIGNUM r1,m1,vrfy;	655	BIGNUM r1,m1,vrfy;
		656	BIGNUM local_dmp1, local_dmq1;
		657	BIGNUM dmp1, dmq1;
597	int ret=0;	658	int ret=0;
598	BN_CTX *ctx;	659	BN_CTX *ctx;
599		660
@@ -604,61 +665,34 @@ static int RSA_eay_mod_exp(BIGNUM r0, const BIGNUM I, RSA *rsa)
604		665
605	if (rsa->flags & RSA_FLAG_CACHE_PRIVATE)	666	if (rsa->flags & RSA_FLAG_CACHE_PRIVATE)
606	{	667	{
607	if (rsa->_method_mod_p == NULL)	668	if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p,
608	{	669	CRYPTO_LOCK_RSA, rsa->p, ctx))
609	BN_MONT_CTX* bn_mont_ctx;	670	goto err;
610	if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)	671	if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q,
611	goto err;	672	CRYPTO_LOCK_RSA, rsa->q, ctx))
612	if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->p,ctx))	673	goto err;
613	{
614	BN_MONT_CTX_free(bn_mont_ctx);
615	goto err;
616	}
617	if (rsa->_method_mod_p == NULL) /* other thread may have finished first */
618	{
619	CRYPTO_w_lock(CRYPTO_LOCK_RSA);
620	if (rsa->_method_mod_p == NULL)
621	{
622	rsa->_method_mod_p = bn_mont_ctx;
623	bn_mont_ctx = NULL;
624	}
625	CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
626	}
627	if (bn_mont_ctx)
628	BN_MONT_CTX_free(bn_mont_ctx);
629	}
630
631	if (rsa->_method_mod_q == NULL)
632	{
633	BN_MONT_CTX* bn_mont_ctx;
634	if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)
635	goto err;
636	if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->q,ctx))
637	{
638	BN_MONT_CTX_free(bn_mont_ctx);
639	goto err;
640	}
641	if (rsa->_method_mod_q == NULL) /* other thread may have finished first */
642	{
643	CRYPTO_w_lock(CRYPTO_LOCK_RSA);
644	if (rsa->_method_mod_q == NULL)
645	{
646	rsa->_method_mod_q = bn_mont_ctx;
647	bn_mont_ctx = NULL;
648	}
649	CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
650	}
651	if (bn_mont_ctx)
652	BN_MONT_CTX_free(bn_mont_ctx);
653	}
654	}	674	}
655		675
656	if (!BN_mod(&r1,I,rsa->q,ctx)) goto err;	676	if (!BN_mod(&r1,I,rsa->q,ctx)) goto err;
657	if (!rsa->meth->bn_mod_exp(&m1,&r1,rsa->dmq1,rsa->q,ctx,	677	if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME))
		678	{
		679	dmq1 = &local_dmq1;
		680	BN_with_flags(dmq1, rsa->dmq1, BN_FLG_EXP_CONSTTIME);
		681	}
		682	else
		683	dmq1 = rsa->dmq1;
		684	if (!rsa->meth->bn_mod_exp(&m1,&r1,dmq1,rsa->q,ctx,
658	rsa->_method_mod_q)) goto err;	685	rsa->_method_mod_q)) goto err;
659		686
660	if (!BN_mod(&r1,I,rsa->p,ctx)) goto err;	687	if (!BN_mod(&r1,I,rsa->p,ctx)) goto err;
661	if (!rsa->meth->bn_mod_exp(r0,&r1,rsa->dmp1,rsa->p,ctx,	688	if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME))
		689	{
		690	dmp1 = &local_dmp1;
		691	BN_with_flags(dmp1, rsa->dmp1, BN_FLG_EXP_CONSTTIME);
		692	}
		693	else
		694	dmp1 = rsa->dmp1;
		695	if (!rsa->meth->bn_mod_exp(r0,&r1,dmp1,rsa->p,ctx,
662	rsa->_method_mod_p)) goto err;	696	rsa->_method_mod_p)) goto err;
663		697
664	if (!BN_sub(r0,r0,&m1)) goto err;	698	if (!BN_sub(r0,r0,&m1)) goto err;
@@ -693,10 +727,23 @@ static int RSA_eay_mod_exp(BIGNUM r0, const BIGNUM I, RSA *rsa)
693	if (vrfy.neg)	727	if (vrfy.neg)
694	if (!BN_add(&vrfy, &vrfy, rsa->n)) goto err;	728	if (!BN_add(&vrfy, &vrfy, rsa->n)) goto err;
695	if (!BN_is_zero(&vrfy))	729	if (!BN_is_zero(&vrfy))
		730	{
696	/* 'I' and 'vrfy' aren't congruent mod n. Don't leak	731	/* 'I' and 'vrfy' aren't congruent mod n. Don't leak
697	* miscalculated CRT output, just do a raw (slower)	732	* miscalculated CRT output, just do a raw (slower)
698	* mod_exp and return that instead. */	733	* mod_exp and return that instead. */
699	if (!rsa->meth->bn_mod_exp(r0,I,rsa->d,rsa->n,ctx,NULL)) goto err;	734
		735	BIGNUM local_d;
		736	BIGNUM *d = NULL;
		737
		738	if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME))
		739	{
		740	d = &local_d;
		741	BN_with_flags(d, rsa->d, BN_FLG_EXP_CONSTTIME);
		742	}
		743	else
		744	d = rsa->d;
		745	if (!rsa->meth->bn_mod_exp(r0,I,d,rsa->n,ctx,NULL)) goto err;
		746	}
700	}	747	}
701	ret=1;	748	ret=1;
702	err:	749	err: