1 /* crypto/rsa/rsa_eay.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
60 #include <openssl/err.h>
61 #include <openssl/bn.h>
62 #include <openssl/rsa.h>
63 #include <openssl/rand.h>
64 #include <openssl/fips.h>
66 #if !defined(RSA_NULL) && defined(OPENSSL_FIPS)
68 static int RSA_eay_public_encrypt(FIPS_RSA_SIZE_T flen
, const unsigned char *from
,
69 unsigned char *to
, RSA
*rsa
,int padding
);
70 static int RSA_eay_private_encrypt(FIPS_RSA_SIZE_T flen
, const unsigned char *from
,
71 unsigned char *to
, RSA
*rsa
,int padding
);
72 static int RSA_eay_public_decrypt(FIPS_RSA_SIZE_T flen
, const unsigned char *from
,
73 unsigned char *to
, RSA
*rsa
,int padding
);
74 static int RSA_eay_private_decrypt(FIPS_RSA_SIZE_T flen
, const unsigned char *from
,
75 unsigned char *to
, RSA
*rsa
,int padding
);
76 static int RSA_eay_mod_exp(BIGNUM
*r0
, const BIGNUM
*i
, RSA
*rsa
);
77 static int RSA_eay_init(RSA
*rsa
);
78 static int RSA_eay_finish(RSA
*rsa
);
79 static RSA_METHOD rsa_pkcs1_eay_meth
={
80 "Eric Young's PKCS#1 RSA",
81 RSA_eay_public_encrypt
,
82 RSA_eay_public_decrypt
, /* signature verification */
83 RSA_eay_private_encrypt
, /* signing */
84 RSA_eay_private_decrypt
,
86 BN_mod_exp_mont
, /* XXX probably we should not use Montgomery if e == 3 */
95 const RSA_METHOD
*RSA_PKCS1_SSLeay(void)
97 return(&rsa_pkcs1_eay_meth
);
100 static int RSA_eay_public_encrypt(FIPS_RSA_SIZE_T flen
, const unsigned char *from
,
101 unsigned char *to
, RSA
*rsa
, int padding
)
104 int i
,j
,k
,num
=0,r
= -1;
105 unsigned char *buf
=NULL
;
111 if(FIPS_selftest_failed())
113 FIPSerr(FIPS_F_RSA_EAY_PUBLIC_ENCRYPT
,FIPS_R_FIPS_SELFTEST_FAILED
);
117 if ((ctx
=BN_CTX_new()) == NULL
) goto err
;
118 num
=BN_num_bytes(rsa
->n
);
119 if ((buf
=(unsigned char *)OPENSSL_malloc(num
)) == NULL
)
121 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT
,ERR_R_MALLOC_FAILURE
);
127 case RSA_PKCS1_PADDING
:
128 i
=RSA_padding_add_PKCS1_type_2(buf
,num
,from
,flen
);
130 #ifndef OPENSSL_NO_SHA
131 case RSA_PKCS1_OAEP_PADDING
:
132 i
=RSA_padding_add_PKCS1_OAEP(buf
,num
,from
,flen
,NULL
,0);
135 case RSA_SSLV23_PADDING
:
136 i
=RSA_padding_add_SSLv23(buf
,num
,from
,flen
);
139 i
=RSA_padding_add_none(buf
,num
,from
,flen
);
142 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT
,RSA_R_UNKNOWN_PADDING_TYPE
);
145 if (i
<= 0) goto err
;
147 if (BN_bin2bn(buf
,num
,&f
) == NULL
) goto err
;
149 if (BN_ucmp(&f
, rsa
->n
) >= 0)
151 /* usually the padding functions would catch this */
152 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT
,RSA_R_DATA_TOO_LARGE_FOR_MODULUS
);
156 if ((rsa
->_method_mod_n
== NULL
) && (rsa
->flags
& RSA_FLAG_CACHE_PUBLIC
))
158 BN_MONT_CTX
* bn_mont_ctx
;
159 if ((bn_mont_ctx
=BN_MONT_CTX_new()) == NULL
)
161 if (!BN_MONT_CTX_set(bn_mont_ctx
,rsa
->n
,ctx
))
163 BN_MONT_CTX_free(bn_mont_ctx
);
166 if (rsa
->_method_mod_n
== NULL
) /* other thread may have finished first */
168 CRYPTO_w_lock(CRYPTO_LOCK_RSA
);
169 if (rsa
->_method_mod_n
== NULL
)
171 rsa
->_method_mod_n
= bn_mont_ctx
;
174 CRYPTO_w_unlock(CRYPTO_LOCK_RSA
);
177 BN_MONT_CTX_free(bn_mont_ctx
);
180 if (!rsa
->meth
->bn_mod_exp(&ret
,&f
,rsa
->e
,rsa
->n
,ctx
,
181 rsa
->_method_mod_n
)) goto err
;
183 /* put in leading 0 bytes if the number is less than the
184 * length of the modulus */
185 j
=BN_num_bytes(&ret
);
186 i
=BN_bn2bin(&ret
,&(to
[num
-j
]));
187 for (k
=0; k
<(num
-i
); k
++)
192 if (ctx
!= NULL
) BN_CTX_free(ctx
);
197 OPENSSL_cleanse(buf
,num
);
203 static int rsa_eay_blinding(RSA
*rsa
, BN_CTX
*ctx
)
206 CRYPTO_w_lock(CRYPTO_LOCK_RSA
);
207 /* Check again inside the lock - the macro's check is racey */
208 if(rsa
->blinding
== NULL
)
209 ret
= RSA_blinding_on(rsa
, ctx
);
210 CRYPTO_w_unlock(CRYPTO_LOCK_RSA
);
214 #define BLINDING_HELPER(rsa, ctx, err_instr) \
216 if((!((rsa)->flags & RSA_FLAG_NO_BLINDING)) && \
217 ((rsa)->blinding == NULL) && \
218 !rsa_eay_blinding(rsa, ctx)) \
222 static BN_BLINDING
*setup_blinding(RSA
*rsa
, BN_CTX
*ctx
)
225 BN_BLINDING
*ret
= NULL
;
227 /* added in OpenSSL 0.9.6j and 0.9.7b */
229 /* NB: similar code appears in RSA_blinding_on (rsa_lib.c);
230 * this should be placed in a new function of its own, but for reasons
231 * of binary compatibility can't */
235 if ((RAND_status() == 0) && rsa
->d
!= NULL
&& rsa
->d
->d
!= NULL
)
237 /* if PRNG is not properly seeded, resort to secret exponent as unpredictable seed */
238 RAND_add(rsa
->d
->d
, rsa
->d
->dmax
* sizeof rsa
->d
->d
[0], 0);
239 if (!BN_pseudo_rand_range(A
,rsa
->n
)) goto err
;
243 if (!BN_rand_range(A
,rsa
->n
)) goto err
;
245 if ((Ai
=BN_mod_inverse(NULL
,A
,rsa
->n
,ctx
)) == NULL
) goto err
;
247 if (!rsa
->meth
->bn_mod_exp(A
,A
,rsa
->e
,rsa
->n
,ctx
,rsa
->_method_mod_n
))
249 ret
= BN_BLINDING_new(A
,Ai
,rsa
->n
);
257 static int RSA_eay_private_encrypt(FIPS_RSA_SIZE_T flen
, const unsigned char *from
,
258 unsigned char *to
, RSA
*rsa
, int padding
)
261 int i
,j
,k
,num
=0,r
= -1;
262 unsigned char *buf
=NULL
;
264 int local_blinding
= 0;
265 BN_BLINDING
*blinding
= NULL
;
270 if ((ctx
=BN_CTX_new()) == NULL
) goto err
;
271 num
=BN_num_bytes(rsa
->n
);
272 if ((buf
=(unsigned char *)OPENSSL_malloc(num
)) == NULL
)
274 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT
,ERR_R_MALLOC_FAILURE
);
280 case RSA_PKCS1_PADDING
:
281 i
=RSA_padding_add_PKCS1_type_1(buf
,num
,from
,flen
);
284 i
=RSA_padding_add_none(buf
,num
,from
,flen
);
286 case RSA_SSLV23_PADDING
:
288 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT
,RSA_R_UNKNOWN_PADDING_TYPE
);
291 if (i
<= 0) goto err
;
293 if (BN_bin2bn(buf
,num
,&f
) == NULL
) goto err
;
295 if (BN_ucmp(&f
, rsa
->n
) >= 0)
297 /* usually the padding functions would catch this */
298 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT
,RSA_R_DATA_TOO_LARGE_FOR_MODULUS
);
302 BLINDING_HELPER(rsa
, ctx
, goto err
;);
303 blinding
= rsa
->blinding
;
305 /* Now unless blinding is disabled, 'blinding' is non-NULL.
306 * But the BN_BLINDING object may be owned by some other thread
307 * (we don't want to keep it constant and we don't want to use
308 * lots of locking to avoid race conditions, so only a single
309 * thread can use it; other threads have to use local blinding
311 if (!(rsa
->flags
& RSA_FLAG_NO_BLINDING
))
313 if (blinding
== NULL
)
315 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT
, ERR_R_INTERNAL_ERROR
);
320 if (blinding
!= NULL
)
322 if (blinding
->thread_id
!= CRYPTO_thread_id())
324 /* we need a local one-time blinding factor */
326 blinding
= setup_blinding(rsa
, ctx
);
327 if (blinding
== NULL
)
334 if (!BN_BLINDING_convert(&f
, blinding
, ctx
)) goto err
;
336 if ( (rsa
->flags
& RSA_FLAG_EXT_PKEY
) ||
339 (rsa
->dmp1
!= NULL
) &&
340 (rsa
->dmq1
!= NULL
) &&
341 (rsa
->iqmp
!= NULL
)) )
342 { if (!rsa
->meth
->rsa_mod_exp(&ret
,&f
,rsa
)) goto err
; }
345 if (!rsa
->meth
->bn_mod_exp(&ret
,&f
,rsa
->d
,rsa
->n
,ctx
,NULL
)) goto err
;
349 if (!BN_BLINDING_invert(&ret
, blinding
, ctx
)) goto err
;
351 /* put in leading 0 bytes if the number is less than the
352 * length of the modulus */
353 j
=BN_num_bytes(&ret
);
354 i
=BN_bn2bin(&ret
,&(to
[num
-j
]));
355 for (k
=0; k
<(num
-i
); k
++)
360 if (ctx
!= NULL
) BN_CTX_free(ctx
);
364 BN_BLINDING_free(blinding
);
367 OPENSSL_cleanse(buf
,num
);
373 static int RSA_eay_private_decrypt(FIPS_RSA_SIZE_T flen
, const unsigned char *from
,
374 unsigned char *to
, RSA
*rsa
, int padding
)
379 unsigned char *buf
=NULL
;
381 int local_blinding
= 0;
382 BN_BLINDING
*blinding
= NULL
;
387 if (ctx
== NULL
) goto err
;
389 num
=BN_num_bytes(rsa
->n
);
391 if ((buf
=(unsigned char *)OPENSSL_malloc(num
)) == NULL
)
393 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT
,ERR_R_MALLOC_FAILURE
);
397 /* This check was for equality but PGP does evil things
398 * and chops off the top '0' bytes */
401 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT
,RSA_R_DATA_GREATER_THAN_MOD_LEN
);
405 /* make data into a big number */
406 if (BN_bin2bn(from
,(int)flen
,&f
) == NULL
) goto err
;
408 if (BN_ucmp(&f
, rsa
->n
) >= 0)
410 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT
,RSA_R_DATA_TOO_LARGE_FOR_MODULUS
);
414 BLINDING_HELPER(rsa
, ctx
, goto err
;);
415 blinding
= rsa
->blinding
;
417 /* Now unless blinding is disabled, 'blinding' is non-NULL.
418 * But the BN_BLINDING object may be owned by some other thread
419 * (we don't want to keep it constant and we don't want to use
420 * lots of locking to avoid race conditions, so only a single
421 * thread can use it; other threads have to use local blinding
423 if (!(rsa
->flags
& RSA_FLAG_NO_BLINDING
))
425 if (blinding
== NULL
)
427 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT
, ERR_R_INTERNAL_ERROR
);
432 if (blinding
!= NULL
)
434 if (blinding
->thread_id
!= CRYPTO_thread_id())
436 /* we need a local one-time blinding factor */
438 blinding
= setup_blinding(rsa
, ctx
);
439 if (blinding
== NULL
)
446 if (!BN_BLINDING_convert(&f
, blinding
, ctx
)) goto err
;
449 if ( (rsa
->flags
& RSA_FLAG_EXT_PKEY
) ||
452 (rsa
->dmp1
!= NULL
) &&
453 (rsa
->dmq1
!= NULL
) &&
454 (rsa
->iqmp
!= NULL
)) )
455 { if (!rsa
->meth
->rsa_mod_exp(&ret
,&f
,rsa
)) goto err
; }
458 if (!rsa
->meth
->bn_mod_exp(&ret
,&f
,rsa
->d
,rsa
->n
,ctx
,NULL
))
463 if (!BN_BLINDING_invert(&ret
, blinding
, ctx
)) goto err
;
466 j
=BN_bn2bin(&ret
,p
); /* j is only used with no-padding mode */
470 case RSA_PKCS1_PADDING
:
471 r
=RSA_padding_check_PKCS1_type_2(to
,num
,buf
,j
,num
);
473 #ifndef OPENSSL_NO_SHA
474 case RSA_PKCS1_OAEP_PADDING
:
475 r
=RSA_padding_check_PKCS1_OAEP(to
,num
,buf
,j
,num
,NULL
,0);
478 case RSA_SSLV23_PADDING
:
479 r
=RSA_padding_check_SSLv23(to
,num
,buf
,j
,num
);
482 r
=RSA_padding_check_none(to
,num
,buf
,j
,num
);
485 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT
,RSA_R_UNKNOWN_PADDING_TYPE
);
489 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT
,RSA_R_PADDING_CHECK_FAILED
);
492 if (ctx
!= NULL
) BN_CTX_free(ctx
);
496 BN_BLINDING_free(blinding
);
499 OPENSSL_cleanse(buf
,num
);
505 /* signature verification */
506 static int RSA_eay_public_decrypt(FIPS_RSA_SIZE_T flen
, const unsigned char *from
,
507 unsigned char *to
, RSA
*rsa
, int padding
)
512 unsigned char *buf
=NULL
;
518 if (ctx
== NULL
) goto err
;
520 num
=BN_num_bytes(rsa
->n
);
521 buf
=(unsigned char *)OPENSSL_malloc(num
);
524 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT
,ERR_R_MALLOC_FAILURE
);
528 /* This check was for equality but PGP does evil things
529 * and chops off the top '0' bytes */
532 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT
,RSA_R_DATA_GREATER_THAN_MOD_LEN
);
536 if (BN_bin2bn(from
,flen
,&f
) == NULL
) goto err
;
538 if (BN_ucmp(&f
, rsa
->n
) >= 0)
540 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT
,RSA_R_DATA_TOO_LARGE_FOR_MODULUS
);
545 if ((rsa
->_method_mod_n
== NULL
) && (rsa
->flags
& RSA_FLAG_CACHE_PUBLIC
))
547 BN_MONT_CTX
* bn_mont_ctx
;
548 if ((bn_mont_ctx
=BN_MONT_CTX_new()) == NULL
)
550 if (!BN_MONT_CTX_set(bn_mont_ctx
,rsa
->n
,ctx
))
552 BN_MONT_CTX_free(bn_mont_ctx
);
555 if (rsa
->_method_mod_n
== NULL
) /* other thread may have finished first */
557 CRYPTO_w_lock(CRYPTO_LOCK_RSA
);
558 if (rsa
->_method_mod_n
== NULL
)
560 rsa
->_method_mod_n
= bn_mont_ctx
;
563 CRYPTO_w_unlock(CRYPTO_LOCK_RSA
);
566 BN_MONT_CTX_free(bn_mont_ctx
);
569 if (!rsa
->meth
->bn_mod_exp(&ret
,&f
,rsa
->e
,rsa
->n
,ctx
,
570 rsa
->_method_mod_n
)) goto err
;
577 case RSA_PKCS1_PADDING
:
578 r
=RSA_padding_check_PKCS1_type_1(to
,num
,buf
,i
,num
);
581 r
=RSA_padding_check_none(to
,num
,buf
,i
,num
);
584 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT
,RSA_R_UNKNOWN_PADDING_TYPE
);
588 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT
,RSA_R_PADDING_CHECK_FAILED
);
591 if (ctx
!= NULL
) BN_CTX_free(ctx
);
596 OPENSSL_cleanse(buf
,num
);
602 static int RSA_eay_mod_exp(BIGNUM
*r0
, const BIGNUM
*I
, RSA
*rsa
)
611 if ((ctx
=BN_CTX_new()) == NULL
) goto err
;
613 if (rsa
->flags
& RSA_FLAG_CACHE_PRIVATE
)
615 if (rsa
->_method_mod_p
== NULL
)
617 BN_MONT_CTX
* bn_mont_ctx
;
618 if ((bn_mont_ctx
=BN_MONT_CTX_new()) == NULL
)
620 if (!BN_MONT_CTX_set(bn_mont_ctx
,rsa
->p
,ctx
))
622 BN_MONT_CTX_free(bn_mont_ctx
);
625 if (rsa
->_method_mod_p
== NULL
) /* other thread may have finished first */
627 CRYPTO_w_lock(CRYPTO_LOCK_RSA
);
628 if (rsa
->_method_mod_p
== NULL
)
630 rsa
->_method_mod_p
= bn_mont_ctx
;
633 CRYPTO_w_unlock(CRYPTO_LOCK_RSA
);
636 BN_MONT_CTX_free(bn_mont_ctx
);
639 if (rsa
->_method_mod_q
== NULL
)
641 BN_MONT_CTX
* bn_mont_ctx
;
642 if ((bn_mont_ctx
=BN_MONT_CTX_new()) == NULL
)
644 if (!BN_MONT_CTX_set(bn_mont_ctx
,rsa
->q
,ctx
))
646 BN_MONT_CTX_free(bn_mont_ctx
);
649 if (rsa
->_method_mod_q
== NULL
) /* other thread may have finished first */
651 CRYPTO_w_lock(CRYPTO_LOCK_RSA
);
652 if (rsa
->_method_mod_q
== NULL
)
654 rsa
->_method_mod_q
= bn_mont_ctx
;
657 CRYPTO_w_unlock(CRYPTO_LOCK_RSA
);
660 BN_MONT_CTX_free(bn_mont_ctx
);
664 if (!BN_mod(&r1
,I
,rsa
->q
,ctx
)) goto err
;
665 if (!rsa
->meth
->bn_mod_exp(&m1
,&r1
,rsa
->dmq1
,rsa
->q
,ctx
,
666 rsa
->_method_mod_q
)) goto err
;
668 if (!BN_mod(&r1
,I
,rsa
->p
,ctx
)) goto err
;
669 if (!rsa
->meth
->bn_mod_exp(r0
,&r1
,rsa
->dmp1
,rsa
->p
,ctx
,
670 rsa
->_method_mod_p
)) goto err
;
672 if (!BN_sub(r0
,r0
,&m1
)) goto err
;
673 /* This will help stop the size of r0 increasing, which does
674 * affect the multiply if it optimised for a power of 2 size */
676 if (!BN_add(r0
,r0
,rsa
->p
)) goto err
;
678 if (!BN_mul(&r1
,r0
,rsa
->iqmp
,ctx
)) goto err
;
679 if (!BN_mod(r0
,&r1
,rsa
->p
,ctx
)) goto err
;
680 /* If p < q it is occasionally possible for the correction of
681 * adding 'p' if r0 is negative above to leave the result still
682 * negative. This can break the private key operations: the following
683 * second correction should *always* correct this rare occurrence.
684 * This will *never* happen with OpenSSL generated keys because
685 * they ensure p > q [steve]
688 if (!BN_add(r0
,r0
,rsa
->p
)) goto err
;
689 if (!BN_mul(&r1
,r0
,rsa
->q
,ctx
)) goto err
;
690 if (!BN_add(r0
,&r1
,&m1
)) goto err
;
692 if (rsa
->e
&& rsa
->n
)
694 if (!rsa
->meth
->bn_mod_exp(&vrfy
,r0
,rsa
->e
,rsa
->n
,ctx
,NULL
)) goto err
;
695 /* If 'I' was greater than (or equal to) rsa->n, the operation
696 * will be equivalent to using 'I mod n'. However, the result of
697 * the verify will *always* be less than 'n' so we don't check
698 * for absolute equality, just congruency. */
699 if (!BN_sub(&vrfy
, &vrfy
, I
)) goto err
;
700 if (!BN_mod(&vrfy
, &vrfy
, rsa
->n
, ctx
)) goto err
;
702 if (!BN_add(&vrfy
, &vrfy
, rsa
->n
)) goto err
;
703 if (!BN_is_zero(&vrfy
))
704 /* 'I' and 'vrfy' aren't congruent mod n. Don't leak
705 * miscalculated CRT output, just do a raw (slower)
706 * mod_exp and return that instead. */
707 if (!rsa
->meth
->bn_mod_exp(r0
,I
,rsa
->d
,rsa
->n
,ctx
,NULL
)) goto err
;
713 BN_clear_free(&vrfy
);
718 static int RSA_eay_init(RSA
*rsa
)
720 rsa
->flags
|=RSA_FLAG_CACHE_PUBLIC
|RSA_FLAG_CACHE_PRIVATE
;
724 static int RSA_eay_finish(RSA
*rsa
)
726 if (rsa
->_method_mod_n
!= NULL
)
727 BN_MONT_CTX_free(rsa
->_method_mod_n
);
728 if (rsa
->_method_mod_p
!= NULL
)
729 BN_MONT_CTX_free(rsa
->_method_mod_p
);
730 if (rsa
->_method_mod_q
!= NULL
)
731 BN_MONT_CTX_free(rsa
->_method_mod_q
);