1 files changed, 222 insertions, 30 deletions
diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c
index f835be8afc..b7d2460754 100644
--- a/src/lib/libcrypto/rsa/rsa_eay.c
+++ b/src/lib/libcrypto/rsa/rsa_eay.c
@@ -1,13 +1,3 @@
-/* This file has been explicitly broken by ryker for OpenBSD, July
- * 1, 1998. In spite of the title, there is no implementation of the
- * RSA algorithm left in this file. All these routines will return an
- * error and fail when called. They exist as stubs and can be
- * ressurected from the bit bucket by someone in the free world once
- * the RSA algorithm is no longer subject to patent problems. Eric
- * Young's original copyright is below. 
- */
 /* crypto/rsa/rsa_eay.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
@@ -184,13 +174,62 @@ static int RSA_eay_private_encrypt(int flen, unsigned char *from,
        unsigned char *buf=NULL;
        BN_CTX *ctx=NULL;
-        BN_init(&f);
+        BN_init(&f);
-        BN_init(&ret);
+        BN_init(&ret);
+        if ((ctx=BN_CTX_new()) == NULL) goto err;
+        num=BN_num_bytes(rsa->n);
+        if ((buf=(unsigned char *)Malloc(num)) == NULL)
+                {
+                RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE);
+                goto err;
+                }
+        switch (padding)
+                {
+        case RSA_PKCS1_PADDING:
+                i=RSA_padding_add_PKCS1_type_1(buf,num,from,flen);
+                break;
+        case RSA_NO_PADDING:
+                i=RSA_padding_add_none(buf,num,from,flen);
+                break;
+        case RSA_SSLV23_PADDING:
+        default:
+                RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
+                goto err;
+                }
+        if (i <= 0) goto err;
+        if (BN_bin2bn(buf,num,&f) == NULL) goto err;
+        if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
+                RSA_blinding_on(rsa,ctx);
+        if (rsa->flags & RSA_FLAG_BLINDING)
+                if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
-        /* Body of this routine removed for OpenBSD - will return
+        if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
-         * when the RSA patent expires
+                ((rsa->p != NULL) &&
-         */
+                (rsa->q != NULL) &&
+                (rsa->dmp1 != NULL) &&
+                (rsa->dmq1 != NULL) &&
+                (rsa->iqmp != NULL)) )
+                { if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
+        else
+                {
+                if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err;
+                }
+        if (rsa->flags & RSA_FLAG_BLINDING)
+                if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;
+        /* put in leading 0 bytes if the number is less than the
+         * length of the modulus */
+        j=BN_num_bytes(&ret);
+        i=BN_bn2bin(&ret,&(to[num-j]));
+        for (k=0; k<(num-i); k++)
+                to[k]=0;
+        r=num;
 err:
        if (ctx != NULL) BN_CTX_free(ctx);
        BN_clear_free(&ret);
@@ -212,12 +251,77 @@ static int RSA_eay_private_decrypt(int flen, unsigned char *from,
        unsigned char *buf=NULL;
        BN_CTX *ctx=NULL;
-        BN_init(&f);
+        BN_init(&f);
-        BN_init(&ret);
+        BN_init(&ret);
+        ctx=BN_CTX_new();
+        if (ctx == NULL) goto err;
+        num=BN_num_bytes(rsa->n);
+        if ((buf=(unsigned char *)Malloc(num)) == NULL)
+                {
+                RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE);
+                goto err;
+                }
+        /* This check was for equality but PGP does evil things
+         * and chops off the top '0' bytes */
+        if (flen > num)
+                {
+                RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
+                goto err;
+                }
+        /* make data into a big number */
+        if (BN_bin2bn(from,(int)flen,&f) == NULL) goto err;
-        /* Body of this routine removed for OpenBSD - will return
+        if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
-         * when the RSA patent expires
+                RSA_blinding_on(rsa,ctx);
-         */
+        if (rsa->flags & RSA_FLAG_BLINDING)
+                if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
+        /* do the decrypt */
+        if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
+                ((rsa->p != NULL) &&
+                (rsa->q != NULL) &&
+                (rsa->dmp1 != NULL) &&
+                (rsa->dmq1 != NULL) &&
+                (rsa->iqmp != NULL)) )
+                { if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
+        else
+                {
+                if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL))
+                        goto err;
+                }
+        if (rsa->flags & RSA_FLAG_BLINDING)
+                if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;
+        p=buf;
+        j=BN_bn2bin(&ret,p); /* j is only used with no-padding mode */
+        switch (padding)
+                {
+        case RSA_PKCS1_PADDING:
+                r=RSA_padding_check_PKCS1_type_2(to,num,buf,j,num);
+                break;
+#ifndef NO_SHA
+        case RSA_PKCS1_OAEP_PADDING:
+                r=RSA_padding_check_PKCS1_OAEP(to,num,buf,j,num,NULL,0);
+                break;
+#endif
+        case RSA_SSLV23_PADDING:
+                r=RSA_padding_check_SSLv23(to,num,buf,j,num);
+                break;
+        case RSA_NO_PADDING:
+                r=RSA_padding_check_none(to,num,buf,j,num);
+                break;
+        default:
+                RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
+                goto err;
+                }
+        if (r < 0)
+                RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
 err:
        if (ctx != NULL) BN_CTX_free(ctx);
@@ -240,12 +344,56 @@ static int RSA_eay_public_decrypt(int flen, unsigned char *from,
        unsigned char *buf=NULL;
        BN_CTX *ctx=NULL;
-        BN_init(&f);
+        BN_init(&f);
-        BN_init(&ret);
+        BN_init(&ret);
+        ctx=BN_CTX_new();
+        if (ctx == NULL) goto err;
+        num=BN_num_bytes(rsa->n);
+        buf=(unsigned char *)Malloc(num);
+        if (buf == NULL)
+                {
+                RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE);
+                goto err;
+                }
-        /* Body of this routine removed for OpenBSD - will return
+        /* This check was for equality but PGP does evil things
-         * when the RSA patent expires
+         * and chops off the top '0' bytes */
-         */
+        if (flen > num)
+                {
+                RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
+                goto err;
+                }
+        if (BN_bin2bn(from,flen,&f) == NULL) goto err;
+        /* do the decrypt */
+        if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
+                {
+                if ((rsa->_method_mod_n=BN_MONT_CTX_new()) != NULL)
+                        if (!BN_MONT_CTX_set(rsa->_method_mod_n,rsa->n,ctx))
+                            goto err;
+                }
+        if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
+                rsa->_method_mod_n)) goto err;
+        p=buf;
+        i=BN_bn2bin(&ret,p);
+        switch (padding)
+                {
+        case RSA_PKCS1_PADDING:
+                r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num);
+                break;
+        case RSA_NO_PADDING:
+                r=RSA_padding_check_none(to,num,buf,i,num);
+                break;
+        default:
+                RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
+                goto err;
+                }
+        if (r < 0)
+                RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
 err:
        if (ctx != NULL) BN_CTX_free(ctx);
@@ -263,15 +411,59 @@ static int RSA_eay_mod_exp(BIGNUM *r0, BIGNUM *I, RSA *rsa)
        {
        BIGNUM r1,m1;
        int ret=0;
-        BN_CTX *ctx = NULL;
+        BN_CTX *ctx;
+        if ((ctx=BN_CTX_new()) == NULL) goto err;
        BN_init(&m1);
        BN_init(&r1);
-        if ((ctx=BN_CTX_new()) == NULL) goto err;
-        /* Body of this routine removed for OpenBSD - will return
+        if (rsa->flags & RSA_FLAG_CACHE_PRIVATE)
-         * when the RSA patent expires
+                {
-         */
+                if (rsa->_method_mod_p == NULL)
+                        {
+                        if ((rsa->_method_mod_p=BN_MONT_CTX_new()) != NULL)
+                                if (!BN_MONT_CTX_set(rsa->_method_mod_p,rsa->p,
+                                                     ctx))
+                                        goto err;
+                        }
+                if (rsa->_method_mod_q == NULL)
+                        {
+                        if ((rsa->_method_mod_q=BN_MONT_CTX_new()) != NULL)
+                                if (!BN_MONT_CTX_set(rsa->_method_mod_q,rsa->q,
+                                                     ctx))
+                                        goto err;
+                        }
+                }
+        if (!BN_mod(&r1,I,rsa->q,ctx)) goto err;
+        if (!rsa->meth->bn_mod_exp(&m1,&r1,rsa->dmq1,rsa->q,ctx,
+                rsa->_method_mod_q)) goto err;
+        if (!BN_mod(&r1,I,rsa->p,ctx)) goto err;
+        if (!rsa->meth->bn_mod_exp(r0,&r1,rsa->dmp1,rsa->p,ctx,
+                rsa->_method_mod_p)) goto err;
+        if (!BN_sub(r0,r0,&m1)) goto err;
+        /* This will help stop the size of r0 increasing, which does
+         * affect the multiply if it optimised for a power of 2 size */
+        if (r0->neg)
+                if (!BN_add(r0,r0,rsa->p)) goto err;
+        if (!BN_mul(&r1,r0,rsa->iqmp,ctx)) goto err;
+        if (!BN_mod(r0,&r1,rsa->p,ctx)) goto err;
+        /* If p < q it is occasionally possible for the correction of
+         * adding 'p' if r0 is negative above to leave the result still
+         * negative. This can break the private key operations: the following
+         * second correction should *always* correct this rare occurrence.
+         * This will *never* happen with OpenSSL generated keys because
+         * they ensure p > q [steve]
+         */
+        if (r0->neg)
+                if (!BN_add(r0,r0,rsa->p)) goto err;
+        if (!BN_mul(&r1,r0,rsa->q,ctx)) goto err;
+        if (!BN_add(r0,&r1,&m1)) goto err;
+        ret=1;
 err:
        BN_clear_free(&m1);
        BN_clear_free(&r1);

diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c index f835be8afc..b7d2460754 100644 --- a/src/lib/libcrypto/rsa/rsa_eay.c +++ b/src/lib/libcrypto/rsa/rsa_eay.c
@@ -1,13 +1,3 @@
1
2	/* This file has been explicitly broken by ryker for OpenBSD, July
3	* 1, 1998. In spite of the title, there is no implementation of the
4	* RSA algorithm left in this file. All these routines will return an
5	* error and fail when called. They exist as stubs and can be
6	* ressurected from the bit bucket by someone in the free world once
7	* the RSA algorithm is no longer subject to patent problems. Eric
8	* Young's original copyright is below.
9	*/
10
11	/* crypto/rsa/rsa_eay.c */	1	/* crypto/rsa/rsa_eay.c */
12	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
13	* All rights reserved.	3	* All rights reserved.
@@ -184,13 +174,62 @@ static int RSA_eay_private_encrypt(int flen, unsigned char *from,
184	unsigned char *buf=NULL;	174	unsigned char *buf=NULL;
185	BN_CTX *ctx=NULL;	175	BN_CTX *ctx=NULL;
186		176
187	BN_init(&f);	177	BN_init(&f);
188	BN_init(&ret);	178	BN_init(&ret);
		179
		180	if ((ctx=BN_CTX_new()) == NULL) goto err;
		181	num=BN_num_bytes(rsa->n);
		182	if ((buf=(unsigned char *)Malloc(num)) == NULL)
		183	{
		184	RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE);
		185	goto err;
		186	}
		187
		188	switch (padding)
		189	{
		190	case RSA_PKCS1_PADDING:
		191	i=RSA_padding_add_PKCS1_type_1(buf,num,from,flen);
		192	break;
		193	case RSA_NO_PADDING:
		194	i=RSA_padding_add_none(buf,num,from,flen);
		195	break;
		196	case RSA_SSLV23_PADDING:
		197	default:
		198	RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
		199	goto err;
		200	}
		201	if (i <= 0) goto err;
		202
		203	if (BN_bin2bn(buf,num,&f) == NULL) goto err;
		204
		205	if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
		206	RSA_blinding_on(rsa,ctx);
		207	if (rsa->flags & RSA_FLAG_BLINDING)
		208	if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
189		209
190	/* Body of this routine removed for OpenBSD - will return	210	if ( (rsa->flags & RSA_FLAG_EXT_PKEY) \|\|
191	* when the RSA patent expires	211	((rsa->p != NULL) &&
192	*/	212	(rsa->q != NULL) &&
		213	(rsa->dmp1 != NULL) &&
		214	(rsa->dmq1 != NULL) &&
		215	(rsa->iqmp != NULL)) )
		216	{ if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
		217	else
		218	{
		219	if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err;
		220	}
		221
		222	if (rsa->flags & RSA_FLAG_BLINDING)
		223	if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;
		224
		225	/* put in leading 0 bytes if the number is less than the
		226	* length of the modulus */
		227	j=BN_num_bytes(&ret);
		228	i=BN_bn2bin(&ret,&(to[num-j]));
		229	for (k=0; k<(num-i); k++)
		230	to[k]=0;
193		231
		232	r=num;
194	err:	233	err:
195	if (ctx != NULL) BN_CTX_free(ctx);	234	if (ctx != NULL) BN_CTX_free(ctx);
196	BN_clear_free(&ret);	235	BN_clear_free(&ret);
@@ -212,12 +251,77 @@ static int RSA_eay_private_decrypt(int flen, unsigned char *from,
212	unsigned char *buf=NULL;	251	unsigned char *buf=NULL;
213	BN_CTX *ctx=NULL;	252	BN_CTX *ctx=NULL;
214		253
215	BN_init(&f);	254	BN_init(&f);
216	BN_init(&ret);	255	BN_init(&ret);
		256	ctx=BN_CTX_new();
		257	if (ctx == NULL) goto err;
		258
		259	num=BN_num_bytes(rsa->n);
		260
		261	if ((buf=(unsigned char *)Malloc(num)) == NULL)
		262	{
		263	RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE);
		264	goto err;
		265	}
		266
		267	/* This check was for equality but PGP does evil things
		268	* and chops off the top '0' bytes */
		269	if (flen > num)
		270	{
		271	RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
		272	goto err;
		273	}
		274
		275	/* make data into a big number */
		276	if (BN_bin2bn(from,(int)flen,&f) == NULL) goto err;
217		277
218	/* Body of this routine removed for OpenBSD - will return	278	if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
219	* when the RSA patent expires	279	RSA_blinding_on(rsa,ctx);
220	*/	280	if (rsa->flags & RSA_FLAG_BLINDING)
		281	if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
		282
		283	/* do the decrypt */
		284	if ( (rsa->flags & RSA_FLAG_EXT_PKEY) \|\|
		285	((rsa->p != NULL) &&
		286	(rsa->q != NULL) &&
		287	(rsa->dmp1 != NULL) &&
		288	(rsa->dmq1 != NULL) &&
		289	(rsa->iqmp != NULL)) )
		290	{ if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
		291	else
		292	{
		293	if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL))
		294	goto err;
		295	}
		296
		297	if (rsa->flags & RSA_FLAG_BLINDING)
		298	if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;
		299
		300	p=buf;
		301	j=BN_bn2bin(&ret,p); /* j is only used with no-padding mode */
		302
		303	switch (padding)
		304	{
		305	case RSA_PKCS1_PADDING:
		306	r=RSA_padding_check_PKCS1_type_2(to,num,buf,j,num);
		307	break;
		308	#ifndef NO_SHA
		309	case RSA_PKCS1_OAEP_PADDING:
		310	r=RSA_padding_check_PKCS1_OAEP(to,num,buf,j,num,NULL,0);
		311	break;
		312	#endif
		313	case RSA_SSLV23_PADDING:
		314	r=RSA_padding_check_SSLv23(to,num,buf,j,num);
		315	break;
		316	case RSA_NO_PADDING:
		317	r=RSA_padding_check_none(to,num,buf,j,num);
		318	break;
		319	default:
		320	RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
		321	goto err;
		322	}
		323	if (r < 0)
		324	RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
221		325
222	err:	326	err:
223	if (ctx != NULL) BN_CTX_free(ctx);	327	if (ctx != NULL) BN_CTX_free(ctx);
@@ -240,12 +344,56 @@ static int RSA_eay_public_decrypt(int flen, unsigned char *from,
240	unsigned char *buf=NULL;	344	unsigned char *buf=NULL;
241	BN_CTX *ctx=NULL;	345	BN_CTX *ctx=NULL;
242		346
243	BN_init(&f);	347	BN_init(&f);
244	BN_init(&ret);	348	BN_init(&ret);
		349	ctx=BN_CTX_new();
		350	if (ctx == NULL) goto err;
		351
		352	num=BN_num_bytes(rsa->n);
		353	buf=(unsigned char *)Malloc(num);
		354	if (buf == NULL)
		355	{
		356	RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE);
		357	goto err;
		358	}
245		359
246	/* Body of this routine removed for OpenBSD - will return	360	/* This check was for equality but PGP does evil things
247	* when the RSA patent expires	361	* and chops off the top '0' bytes */
248	*/	362	if (flen > num)
		363	{
		364	RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN);
		365	goto err;
		366	}
		367
		368	if (BN_bin2bn(from,flen,&f) == NULL) goto err;
		369	/* do the decrypt */
		370	if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
		371	{
		372	if ((rsa->_method_mod_n=BN_MONT_CTX_new()) != NULL)
		373	if (!BN_MONT_CTX_set(rsa->_method_mod_n,rsa->n,ctx))
		374	goto err;
		375	}
		376
		377	if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
		378	rsa->_method_mod_n)) goto err;
		379
		380	p=buf;
		381	i=BN_bn2bin(&ret,p);
		382
		383	switch (padding)
		384	{
		385	case RSA_PKCS1_PADDING:
		386	r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num);
		387	break;
		388	case RSA_NO_PADDING:
		389	r=RSA_padding_check_none(to,num,buf,i,num);
		390	break;
		391	default:
		392	RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE);
		393	goto err;
		394	}
		395	if (r < 0)
		396	RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
249		397
250	err:	398	err:
251	if (ctx != NULL) BN_CTX_free(ctx);	399	if (ctx != NULL) BN_CTX_free(ctx);
@@ -263,15 +411,59 @@ static int RSA_eay_mod_exp(BIGNUM r0, BIGNUM I, RSA *rsa)
263	{	411	{
264	BIGNUM r1,m1;	412	BIGNUM r1,m1;
265	int ret=0;	413	int ret=0;
266	BN_CTX *ctx = NULL;	414	BN_CTX *ctx;
267		415
		416	if ((ctx=BN_CTX_new()) == NULL) goto err;
268	BN_init(&m1);	417	BN_init(&m1);
269	BN_init(&r1);	418	BN_init(&r1);
270	if ((ctx=BN_CTX_new()) == NULL) goto err;
271		419
272	/* Body of this routine removed for OpenBSD - will return	420	if (rsa->flags & RSA_FLAG_CACHE_PRIVATE)
273	* when the RSA patent expires	421	{
274	*/	422	if (rsa->_method_mod_p == NULL)
		423	{
		424	if ((rsa->_method_mod_p=BN_MONT_CTX_new()) != NULL)
		425	if (!BN_MONT_CTX_set(rsa->_method_mod_p,rsa->p,
		426	ctx))
		427	goto err;
		428	}
		429	if (rsa->_method_mod_q == NULL)
		430	{
		431	if ((rsa->_method_mod_q=BN_MONT_CTX_new()) != NULL)
		432	if (!BN_MONT_CTX_set(rsa->_method_mod_q,rsa->q,
		433	ctx))
		434	goto err;
		435	}
		436	}
		437
		438	if (!BN_mod(&r1,I,rsa->q,ctx)) goto err;
		439	if (!rsa->meth->bn_mod_exp(&m1,&r1,rsa->dmq1,rsa->q,ctx,
		440	rsa->_method_mod_q)) goto err;
		441
		442	if (!BN_mod(&r1,I,rsa->p,ctx)) goto err;
		443	if (!rsa->meth->bn_mod_exp(r0,&r1,rsa->dmp1,rsa->p,ctx,
		444	rsa->_method_mod_p)) goto err;
		445
		446	if (!BN_sub(r0,r0,&m1)) goto err;
		447	/* This will help stop the size of r0 increasing, which does
		448	* affect the multiply if it optimised for a power of 2 size */
		449	if (r0->neg)
		450	if (!BN_add(r0,r0,rsa->p)) goto err;
		451
		452	if (!BN_mul(&r1,r0,rsa->iqmp,ctx)) goto err;
		453	if (!BN_mod(r0,&r1,rsa->p,ctx)) goto err;
		454	/* If p < q it is occasionally possible for the correction of
		455	* adding 'p' if r0 is negative above to leave the result still
		456	* negative. This can break the private key operations: the following
		457	* second correction should always correct this rare occurrence.
		458	* This will never happen with OpenSSL generated keys because
		459	* they ensure p > q [steve]
		460	*/
		461	if (r0->neg)
		462	if (!BN_add(r0,r0,rsa->p)) goto err;
		463	if (!BN_mul(&r1,r0,rsa->q,ctx)) goto err;
		464	if (!BN_add(r0,&r1,&m1)) goto err;
		465
		466	ret=1;
275	err:	467	err:
276	BN_clear_free(&m1);	468	BN_clear_free(&m1);
277	BN_clear_free(&r1);	469	BN_clear_free(&r1);