path: root/src/lib/libcrypto/rsa/rsa_eay.c
Diffstat (limited to 'src/lib/libcrypto/rsa/rsa_eay.c')
-rw-r--r--src/lib/libcrypto/rsa/rsa_eay.c247
1 files changed, 100 insertions, 147 deletions
diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c
index be4ac96ce3..d4caab3f95 100644
--- a/src/lib/libcrypto/rsa/rsa_eay.c
+++ b/src/lib/libcrypto/rsa/rsa_eay.c
@@ -55,59 +55,6 @@
55 * copied and put under another distribution licence 55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.] 56 * [including the GNU Public Licence.]
57 */ 57 */
58/* ====================================================================
59 * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111 58
112#include <stdio.h> 59#include <stdio.h>
113#include "cryptlib.h" 60#include "cryptlib.h"
@@ -198,13 +145,30 @@ static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
198 goto err; 145 goto err;
199 } 146 }
200 147
201 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 148 if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
202 { 149 {
203 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, 150 BN_MONT_CTX* bn_mont_ctx;
204 CRYPTO_LOCK_RSA, rsa->n, ctx)) 151 if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)
152 goto err;
153 if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->n,ctx))
154 {
155 BN_MONT_CTX_free(bn_mont_ctx);
205 goto err; 156 goto err;
157 }
158 if (rsa->_method_mod_n == NULL) /* other thread may have finished first */
159 {
160 CRYPTO_w_lock(CRYPTO_LOCK_RSA);
161 if (rsa->_method_mod_n == NULL)
162 {
163 rsa->_method_mod_n = bn_mont_ctx;
164 bn_mont_ctx = NULL;
165 }
166 CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
167 }
168 if (bn_mont_ctx)
169 BN_MONT_CTX_free(bn_mont_ctx);
206 } 170 }
207 171
208 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx, 172 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
209 rsa->_method_mod_n)) goto err; 173 rsa->_method_mod_n)) goto err;
210 174
@@ -285,7 +249,7 @@ err:
285static int RSA_eay_private_encrypt(int flen, const unsigned char *from, 249static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
286 unsigned char *to, RSA *rsa, int padding) 250 unsigned char *to, RSA *rsa, int padding)
287 { 251 {
288 BIGNUM f,ret, *res; 252 BIGNUM f,ret;
289 int i,j,k,num=0,r= -1; 253 int i,j,k,num=0,r= -1;
290 unsigned char *buf=NULL; 254 unsigned char *buf=NULL;
291 BN_CTX *ctx=NULL; 255 BN_CTX *ctx=NULL;
@@ -367,43 +331,19 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
367 (rsa->dmp1 != NULL) && 331 (rsa->dmp1 != NULL) &&
368 (rsa->dmq1 != NULL) && 332 (rsa->dmq1 != NULL) &&
369 (rsa->iqmp != NULL)) ) 333 (rsa->iqmp != NULL)) )
370 { 334 { if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
371 if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err;
372 }
373 else 335 else
374 { 336 {
375 BIGNUM local_d; 337 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err;
376 BIGNUM *d = NULL;
377
378 if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME))
379 {
380 BN_init(&local_d);
381 d = &local_d;
382 BN_with_flags(d, rsa->d, BN_FLG_EXP_CONSTTIME);
383 }
384 else
385 d = rsa->d;
386 if (!rsa->meth->bn_mod_exp(&ret,&f,d,rsa->n,ctx,NULL)) goto err;
387 } 338 }
388 339
389 if (blinding) 340 if (blinding)
390 if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err; 341 if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err;
391 342
392 if (padding == RSA_X931_PADDING)
393 {
394 BN_sub(&f, rsa->n, &ret);
395 if (BN_cmp(&ret, &f))
396 res = &f;
397 else
398 res = &ret;
399 }
400 else
401 res = &ret;
402
403 /* put in leading 0 bytes if the number is less than the 343 /* put in leading 0 bytes if the number is less than the
404 * length of the modulus */ 344 * length of the modulus */
405 j=BN_num_bytes(res); 345 j=BN_num_bytes(&ret);
406 i=BN_bn2bin(res,&(to[num-j])); 346 i=BN_bn2bin(&ret,&(to[num-j]));
407 for (k=0; k<(num-i); k++) 347 for (k=0; k<(num-i); k++)
408 to[k]=0; 348 to[k]=0;
409 349
@@ -504,22 +444,10 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
504 (rsa->dmp1 != NULL) && 444 (rsa->dmp1 != NULL) &&
505 (rsa->dmq1 != NULL) && 445 (rsa->dmq1 != NULL) &&
506 (rsa->iqmp != NULL)) ) 446 (rsa->iqmp != NULL)) )
507 { 447 { if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
508 if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err;
509 }
510 else 448 else
511 { 449 {
512 BIGNUM local_d; 450 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL))
513 BIGNUM *d = NULL;
514
515 if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME))
516 {
517 d = &local_d;
518 BN_with_flags(d, rsa->d, BN_FLG_EXP_CONSTTIME);
519 }
520 else
521 d = rsa->d;
522 if (!rsa->meth->bn_mod_exp(&ret,&f,d,rsa->n,ctx,NULL))
523 goto err; 451 goto err;
524 } 452 }
525 453
@@ -606,20 +534,33 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
606 } 534 }
607 535
608 /* do the decrypt */ 536 /* do the decrypt */
609 537 if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
610 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
611 { 538 {
612 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, 539 BN_MONT_CTX* bn_mont_ctx;
613 CRYPTO_LOCK_RSA, rsa->n, ctx)) 540 if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)
541 goto err;
542 if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->n,ctx))
543 {
544 BN_MONT_CTX_free(bn_mont_ctx);
614 goto err; 545 goto err;
546 }
547 if (rsa->_method_mod_n == NULL) /* other thread may have finished first */
548 {
549 CRYPTO_w_lock(CRYPTO_LOCK_RSA);
550 if (rsa->_method_mod_n == NULL)
551 {
552 rsa->_method_mod_n = bn_mont_ctx;
553 bn_mont_ctx = NULL;
554 }
555 CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
556 }
557 if (bn_mont_ctx)
558 BN_MONT_CTX_free(bn_mont_ctx);
615 } 559 }
616 560
617 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx, 561 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
618 rsa->_method_mod_n)) goto err; 562 rsa->_method_mod_n)) goto err;
619 563
620 if ((padding == RSA_X931_PADDING) && ((ret.d[0] & 0xf) != 12))
621 BN_sub(&ret, rsa->n, &ret);
622
623 p=buf; 564 p=buf;
624 i=BN_bn2bin(&ret,p); 565 i=BN_bn2bin(&ret,p);
625 566
@@ -653,8 +594,6 @@ err:
653static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa) 594static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
654 { 595 {
655 BIGNUM r1,m1,vrfy; 596 BIGNUM r1,m1,vrfy;
656 BIGNUM local_dmp1, local_dmq1;
657 BIGNUM *dmp1, *dmq1;
658 int ret=0; 597 int ret=0;
659 BN_CTX *ctx; 598 BN_CTX *ctx;
660 599
@@ -665,34 +604,61 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
665 604
666 if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) 605 if (rsa->flags & RSA_FLAG_CACHE_PRIVATE)
667 { 606 {
668 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, 607 if (rsa->_method_mod_p == NULL)
669 CRYPTO_LOCK_RSA, rsa->p, ctx)) 608 {
670 goto err; 609 BN_MONT_CTX* bn_mont_ctx;
671 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q, 610 if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)
672 CRYPTO_LOCK_RSA, rsa->q, ctx)) 611 goto err;
673 goto err; 612 if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->p,ctx))
674 } 613 {
614 BN_MONT_CTX_free(bn_mont_ctx);
615 goto err;
616 }
617 if (rsa->_method_mod_p == NULL) /* other thread may have finished first */
618 {
619 CRYPTO_w_lock(CRYPTO_LOCK_RSA);
620 if (rsa->_method_mod_p == NULL)
621 {
622 rsa->_method_mod_p = bn_mont_ctx;
623 bn_mont_ctx = NULL;
624 }
625 CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
626 }
627 if (bn_mont_ctx)
628 BN_MONT_CTX_free(bn_mont_ctx);
629 }
675 630
676 if (!BN_mod(&r1,I,rsa->q,ctx)) goto err; 631 if (rsa->_method_mod_q == NULL)
677 if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME)) 632 {
678 { 633 BN_MONT_CTX* bn_mont_ctx;
679 dmq1 = &local_dmq1; 634 if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)
680 BN_with_flags(dmq1, rsa->dmq1, BN_FLG_EXP_CONSTTIME); 635 goto err;
636 if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->q,ctx))
637 {
638 BN_MONT_CTX_free(bn_mont_ctx);
639 goto err;
640 }
641 if (rsa->_method_mod_q == NULL) /* other thread may have finished first */
642 {
643 CRYPTO_w_lock(CRYPTO_LOCK_RSA);
644 if (rsa->_method_mod_q == NULL)
645 {
646 rsa->_method_mod_q = bn_mont_ctx;
647 bn_mont_ctx = NULL;
648 }
649 CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
650 }
651 if (bn_mont_ctx)
652 BN_MONT_CTX_free(bn_mont_ctx);
653 }
681 } 654 }
682 else 655
683 dmq1 = rsa->dmq1; 656 if (!BN_mod(&r1,I,rsa->q,ctx)) goto err;
684 if (!rsa->meth->bn_mod_exp(&m1,&r1,dmq1,rsa->q,ctx, 657 if (!rsa->meth->bn_mod_exp(&m1,&r1,rsa->dmq1,rsa->q,ctx,
685 rsa->_method_mod_q)) goto err; 658 rsa->_method_mod_q)) goto err;
686 659
687 if (!BN_mod(&r1,I,rsa->p,ctx)) goto err; 660 if (!BN_mod(&r1,I,rsa->p,ctx)) goto err;
688 if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME)) 661 if (!rsa->meth->bn_mod_exp(r0,&r1,rsa->dmp1,rsa->p,ctx,
689 {
690 dmp1 = &local_dmp1;
691 BN_with_flags(dmp1, rsa->dmp1, BN_FLG_EXP_CONSTTIME);
692 }
693 else
694 dmp1 = rsa->dmp1;
695 if (!rsa->meth->bn_mod_exp(r0,&r1,dmp1,rsa->p,ctx,
696 rsa->_method_mod_p)) goto err; 662 rsa->_method_mod_p)) goto err;
697 663
698 if (!BN_sub(r0,r0,&m1)) goto err; 664 if (!BN_sub(r0,r0,&m1)) goto err;
@@ -727,23 +693,10 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
727 if (vrfy.neg) 693 if (vrfy.neg)
728 if (!BN_add(&vrfy, &vrfy, rsa->n)) goto err; 694 if (!BN_add(&vrfy, &vrfy, rsa->n)) goto err;
729 if (!BN_is_zero(&vrfy)) 695 if (!BN_is_zero(&vrfy))
730 {
731 /* 'I' and 'vrfy' aren't congruent mod n. Don't leak 696 /* 'I' and 'vrfy' aren't congruent mod n. Don't leak
732 * miscalculated CRT output, just do a raw (slower) 697 * miscalculated CRT output, just do a raw (slower)
733 * mod_exp and return that instead. */ 698 * mod_exp and return that instead. */
734 699 if (!rsa->meth->bn_mod_exp(r0,I,rsa->d,rsa->n,ctx,NULL)) goto err;
735 BIGNUM local_d;
736 BIGNUM *d = NULL;
737
738 if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME))
739 {
740 d = &local_d;
741 BN_with_flags(d, rsa->d, BN_FLG_EXP_CONSTTIME);
742 }
743 else
744 d = rsa->d;
745 if (!rsa->meth->bn_mod_exp(r0,I,d,rsa->n,ctx,NULL)) goto err;
746 }
747 } 700 }
748 ret=1; 701 ret=1;
749err: 702err:
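Review bot: The new else branch at new line 337 (L122) passes `rsa->d` straight to `bn_mod_exp`, dropping the `BN_FLG_EXP_CONSTTIME` wrapper that the old side applied whenever `RSA_FLAG_NO_EXP_CONSTTIME` was not set, so the private exponent is now used through the default, data-dependent modular exponentiation and the running time of a private-key operation depends on the key bits. The same removal appears in RSA_eay_private_decrypt (new line 450, L166), in both CRT exponentiations of RSA_eay_mod_exp (new lines 657 and 661, L281 and L285) and in its non-CRT fallback (new line 699, L304); the public-key paths are unaffected because e is not secret. Unless constant-time exponentiation is guaranteed by the `bn_mod_exp` method itself, the guarded `BN_with_flags` wrapper should be kept on every private-exponent call, as sketched below for the private_encrypt branch. Separately, the hand-rolled double-checked initialisation of `rsa->_method_mod_n` (new lines 148–170 and 537–559) tests the pointer outside `CRYPTO_w_lock` before the locked re-check, which is the racy unlocked read that `BN_MONT_CTX_set_locked` had encapsulated; it is not a leak but is repeated four times and is harder to audit than the single helper call. All of the enclosing functions start and end outside their hunks.
```c
	else
		{
		BIGNUM local_d;
		BIGNUM *d = rsa->d;

		/* Exponentiate with the constant-time flag unless the caller opted out. */
		if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME))
			{
			BN_init(&local_d);
			d = &local_d;
			BN_with_flags(d, rsa->d, BN_FLG_EXP_CONSTTIME);
			}
		if (!rsa->meth->bn_mod_exp(&ret,&f,d,rsa->n,ctx,NULL)) goto err;
		}
	/* … unchanged: blinding inversion and output formatting … */
```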