rsa_ossl.c 35 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210
  1. /*
  2. * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. /*
  10. * RSA low level APIs are deprecated for public use, but still ok for
  11. * internal use.
  12. */
  13. #include "internal/deprecated.h"
  14. #include "internal/cryptlib.h"
  15. #include "crypto/bn.h"
  16. #include "rsa_local.h"
  17. #include "internal/constant_time.h"
  18. #include <openssl/evp.h>
  19. #include <openssl/sha.h>
  20. #include <openssl/hmac.h>
  21. static int rsa_ossl_public_encrypt(int flen, const unsigned char *from,
  22. unsigned char *to, RSA *rsa, int padding);
  23. static int rsa_ossl_private_encrypt(int flen, const unsigned char *from,
  24. unsigned char *to, RSA *rsa, int padding);
  25. static int rsa_ossl_public_decrypt(int flen, const unsigned char *from,
  26. unsigned char *to, RSA *rsa, int padding);
  27. static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
  28. unsigned char *to, RSA *rsa, int padding);
  29. static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa,
  30. BN_CTX *ctx);
  31. static int rsa_ossl_init(RSA *rsa);
  32. static int rsa_ossl_finish(RSA *rsa);
  33. #ifdef S390X_MOD_EXP
  34. static int rsa_ossl_s390x_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa,
  35. BN_CTX *ctx);
  36. static RSA_METHOD rsa_pkcs1_ossl_meth = {
  37. "OpenSSL PKCS#1 RSA",
  38. rsa_ossl_public_encrypt,
  39. rsa_ossl_public_decrypt, /* signature verification */
  40. rsa_ossl_private_encrypt, /* signing */
  41. rsa_ossl_private_decrypt,
  42. rsa_ossl_s390x_mod_exp,
  43. s390x_mod_exp,
  44. rsa_ossl_init,
  45. rsa_ossl_finish,
  46. RSA_FLAG_FIPS_METHOD, /* flags */
  47. NULL,
  48. 0, /* rsa_sign */
  49. 0, /* rsa_verify */
  50. NULL, /* rsa_keygen */
  51. NULL /* rsa_multi_prime_keygen */
  52. };
  53. #else
  54. static RSA_METHOD rsa_pkcs1_ossl_meth = {
  55. "OpenSSL PKCS#1 RSA",
  56. rsa_ossl_public_encrypt,
  57. rsa_ossl_public_decrypt, /* signature verification */
  58. rsa_ossl_private_encrypt, /* signing */
  59. rsa_ossl_private_decrypt,
  60. rsa_ossl_mod_exp,
  61. BN_mod_exp_mont, /* XXX probably we should not use Montgomery
  62. * if e == 3 */
  63. rsa_ossl_init,
  64. rsa_ossl_finish,
  65. RSA_FLAG_FIPS_METHOD, /* flags */
  66. NULL,
  67. 0, /* rsa_sign */
  68. 0, /* rsa_verify */
  69. NULL, /* rsa_keygen */
  70. NULL /* rsa_multi_prime_keygen */
  71. };
  72. #endif
  73. static const RSA_METHOD *default_RSA_meth = &rsa_pkcs1_ossl_meth;
  74. void RSA_set_default_method(const RSA_METHOD *meth)
  75. {
  76. default_RSA_meth = meth;
  77. }
  78. const RSA_METHOD *RSA_get_default_method(void)
  79. {
  80. return default_RSA_meth;
  81. }
  82. const RSA_METHOD *RSA_PKCS1_OpenSSL(void)
  83. {
  84. return &rsa_pkcs1_ossl_meth;
  85. }
  86. const RSA_METHOD *RSA_null_method(void)
  87. {
  88. return NULL;
  89. }
  90. static int rsa_ossl_public_encrypt(int flen, const unsigned char *from,
  91. unsigned char *to, RSA *rsa, int padding)
  92. {
  93. BIGNUM *f, *ret;
  94. int i, num = 0, r = -1;
  95. unsigned char *buf = NULL;
  96. BN_CTX *ctx = NULL;
  97. if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
  98. ERR_raise(ERR_LIB_RSA, RSA_R_MODULUS_TOO_LARGE);
  99. return -1;
  100. }
  101. if (BN_ucmp(rsa->n, rsa->e) <= 0) {
  102. ERR_raise(ERR_LIB_RSA, RSA_R_BAD_E_VALUE);
  103. return -1;
  104. }
  105. /* for large moduli, enforce exponent limit */
  106. if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) {
  107. if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) {
  108. ERR_raise(ERR_LIB_RSA, RSA_R_BAD_E_VALUE);
  109. return -1;
  110. }
  111. }
  112. if ((ctx = BN_CTX_new_ex(rsa->libctx)) == NULL)
  113. goto err;
  114. BN_CTX_start(ctx);
  115. f = BN_CTX_get(ctx);
  116. ret = BN_CTX_get(ctx);
  117. num = BN_num_bytes(rsa->n);
  118. buf = OPENSSL_malloc(num);
  119. if (ret == NULL || buf == NULL)
  120. goto err;
  121. switch (padding) {
  122. case RSA_PKCS1_PADDING:
  123. i = ossl_rsa_padding_add_PKCS1_type_2_ex(rsa->libctx, buf, num,
  124. from, flen);
  125. break;
  126. case RSA_PKCS1_OAEP_PADDING:
  127. i = ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(rsa->libctx, buf, num,
  128. from, flen, NULL, 0,
  129. NULL, NULL);
  130. break;
  131. case RSA_NO_PADDING:
  132. i = RSA_padding_add_none(buf, num, from, flen);
  133. break;
  134. default:
  135. ERR_raise(ERR_LIB_RSA, RSA_R_UNKNOWN_PADDING_TYPE);
  136. goto err;
  137. }
  138. if (i <= 0)
  139. goto err;
  140. if (BN_bin2bn(buf, num, f) == NULL)
  141. goto err;
  142. #ifdef FIPS_MODULE
  143. /*
  144. * See SP800-56Br2, section 7.1.1.1
  145. * RSAEP: 1 < f < (n – 1).
  146. * (where f is the plaintext).
  147. */
  148. if (padding == RSA_NO_PADDING) {
  149. BIGNUM *nminus1 = BN_CTX_get(ctx);
  150. if (BN_ucmp(f, BN_value_one()) <= 0) {
  151. ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_SMALL);
  152. goto err;
  153. }
  154. if (nminus1 == NULL
  155. || BN_copy(nminus1, rsa->n) == NULL
  156. || !BN_sub_word(nminus1, 1))
  157. goto err;
  158. if (BN_ucmp(f, nminus1) >= 0) {
  159. ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
  160. goto err;
  161. }
  162. } else
  163. #endif
  164. {
  165. if (BN_ucmp(f, rsa->n) >= 0) {
  166. /* usually the padding functions would catch this */
  167. ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
  168. goto err;
  169. }
  170. }
  171. if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
  172. if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,
  173. rsa->n, ctx))
  174. goto err;
  175. if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx,
  176. rsa->_method_mod_n))
  177. goto err;
  178. /*
  179. * BN_bn2binpad puts in leading 0 bytes if the number is less than
  180. * the length of the modulus.
  181. */
  182. r = BN_bn2binpad(ret, to, num);
  183. err:
  184. BN_CTX_end(ctx);
  185. BN_CTX_free(ctx);
  186. OPENSSL_clear_free(buf, num);
  187. return r;
  188. }
  189. static BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx)
  190. {
  191. BN_BLINDING *ret;
  192. if (!CRYPTO_THREAD_read_lock(rsa->lock))
  193. return NULL;
  194. if (rsa->blinding == NULL) {
  195. /*
  196. * This dance with upgrading the lock from read to write will be
  197. * slower in cases of a single use RSA object, but should be
  198. * significantly better in multi-thread cases (e.g. servers). It's
  199. * probably worth it.
  200. */
  201. CRYPTO_THREAD_unlock(rsa->lock);
  202. if (!CRYPTO_THREAD_write_lock(rsa->lock))
  203. return NULL;
  204. if (rsa->blinding == NULL)
  205. rsa->blinding = RSA_setup_blinding(rsa, ctx);
  206. }
  207. ret = rsa->blinding;
  208. if (ret == NULL)
  209. goto err;
  210. if (BN_BLINDING_is_current_thread(ret)) {
  211. /* rsa->blinding is ours! */
  212. *local = 1;
  213. } else {
  214. /* resort to rsa->mt_blinding instead */
  215. /*
  216. * instructs rsa_blinding_convert(), rsa_blinding_invert() that the
  217. * BN_BLINDING is shared, meaning that accesses require locks, and
  218. * that the blinding factor must be stored outside the BN_BLINDING
  219. */
  220. *local = 0;
  221. if (rsa->mt_blinding == NULL) {
  222. CRYPTO_THREAD_unlock(rsa->lock);
  223. if (!CRYPTO_THREAD_write_lock(rsa->lock))
  224. return NULL;
  225. if (rsa->mt_blinding == NULL)
  226. rsa->mt_blinding = RSA_setup_blinding(rsa, ctx);
  227. }
  228. ret = rsa->mt_blinding;
  229. }
  230. err:
  231. CRYPTO_THREAD_unlock(rsa->lock);
  232. return ret;
  233. }
  234. static int rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,
  235. BN_CTX *ctx)
  236. {
  237. if (unblind == NULL) {
  238. /*
  239. * Local blinding: store the unblinding factor in BN_BLINDING.
  240. */
  241. return BN_BLINDING_convert_ex(f, NULL, b, ctx);
  242. } else {
  243. /*
  244. * Shared blinding: store the unblinding factor outside BN_BLINDING.
  245. */
  246. int ret;
  247. if (!BN_BLINDING_lock(b))
  248. return 0;
  249. ret = BN_BLINDING_convert_ex(f, unblind, b, ctx);
  250. BN_BLINDING_unlock(b);
  251. return ret;
  252. }
  253. }
  254. static int rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,
  255. BN_CTX *ctx)
  256. {
  257. /*
  258. * For local blinding, unblind is set to NULL, and BN_BLINDING_invert_ex
  259. * will use the unblinding factor stored in BN_BLINDING. If BN_BLINDING
  260. * is shared between threads, unblind must be non-null:
  261. * BN_BLINDING_invert_ex will then use the local unblinding factor, and
  262. * will only read the modulus from BN_BLINDING. In both cases it's safe
  263. * to access the blinding without a lock.
  264. */
  265. BN_set_flags(f, BN_FLG_CONSTTIME);
  266. return BN_BLINDING_invert_ex(f, unblind, b, ctx);
  267. }
  268. /* signing */
  269. static int rsa_ossl_private_encrypt(int flen, const unsigned char *from,
  270. unsigned char *to, RSA *rsa, int padding)
  271. {
  272. BIGNUM *f, *ret, *res;
  273. int i, num = 0, r = -1;
  274. unsigned char *buf = NULL;
  275. BN_CTX *ctx = NULL;
  276. int local_blinding = 0;
  277. /*
  278. * Used only if the blinding structure is shared. A non-NULL unblind
  279. * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
  280. * the unblinding factor outside the blinding structure.
  281. */
  282. BIGNUM *unblind = NULL;
  283. BN_BLINDING *blinding = NULL;
  284. if ((ctx = BN_CTX_new_ex(rsa->libctx)) == NULL)
  285. goto err;
  286. BN_CTX_start(ctx);
  287. f = BN_CTX_get(ctx);
  288. ret = BN_CTX_get(ctx);
  289. num = BN_num_bytes(rsa->n);
  290. buf = OPENSSL_malloc(num);
  291. if (ret == NULL || buf == NULL)
  292. goto err;
  293. switch (padding) {
  294. case RSA_PKCS1_PADDING:
  295. i = RSA_padding_add_PKCS1_type_1(buf, num, from, flen);
  296. break;
  297. case RSA_X931_PADDING:
  298. i = RSA_padding_add_X931(buf, num, from, flen);
  299. break;
  300. case RSA_NO_PADDING:
  301. i = RSA_padding_add_none(buf, num, from, flen);
  302. break;
  303. default:
  304. ERR_raise(ERR_LIB_RSA, RSA_R_UNKNOWN_PADDING_TYPE);
  305. goto err;
  306. }
  307. if (i <= 0)
  308. goto err;
  309. if (BN_bin2bn(buf, num, f) == NULL)
  310. goto err;
  311. if (BN_ucmp(f, rsa->n) >= 0) {
  312. /* usually the padding functions would catch this */
  313. ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
  314. goto err;
  315. }
  316. if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
  317. if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,
  318. rsa->n, ctx))
  319. goto err;
  320. if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
  321. blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
  322. if (blinding == NULL) {
  323. ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
  324. goto err;
  325. }
  326. }
  327. if (blinding != NULL) {
  328. if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) {
  329. ERR_raise(ERR_LIB_RSA, ERR_R_BN_LIB);
  330. goto err;
  331. }
  332. if (!rsa_blinding_convert(blinding, f, unblind, ctx))
  333. goto err;
  334. }
  335. if ((rsa->flags & RSA_FLAG_EXT_PKEY) ||
  336. (rsa->version == RSA_ASN1_VERSION_MULTI) ||
  337. ((rsa->p != NULL) &&
  338. (rsa->q != NULL) &&
  339. (rsa->dmp1 != NULL) && (rsa->dmq1 != NULL) && (rsa->iqmp != NULL))) {
  340. if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
  341. goto err;
  342. } else {
  343. BIGNUM *d = BN_new();
  344. if (d == NULL) {
  345. ERR_raise(ERR_LIB_RSA, ERR_R_BN_LIB);
  346. goto err;
  347. }
  348. if (rsa->d == NULL) {
  349. ERR_raise(ERR_LIB_RSA, RSA_R_MISSING_PRIVATE_KEY);
  350. BN_free(d);
  351. goto err;
  352. }
  353. BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
  354. if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
  355. rsa->_method_mod_n)) {
  356. BN_free(d);
  357. goto err;
  358. }
  359. /* We MUST free d before any further use of rsa->d */
  360. BN_free(d);
  361. }
  362. if (blinding)
  363. if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
  364. goto err;
  365. if (padding == RSA_X931_PADDING) {
  366. if (!BN_sub(f, rsa->n, ret))
  367. goto err;
  368. if (BN_cmp(ret, f) > 0)
  369. res = f;
  370. else
  371. res = ret;
  372. } else {
  373. res = ret;
  374. }
  375. /*
  376. * BN_bn2binpad puts in leading 0 bytes if the number is less than
  377. * the length of the modulus.
  378. */
  379. r = BN_bn2binpad(res, to, num);
  380. err:
  381. BN_CTX_end(ctx);
  382. BN_CTX_free(ctx);
  383. OPENSSL_clear_free(buf, num);
  384. return r;
  385. }
  386. static int derive_kdk(int flen, const unsigned char *from, RSA *rsa,
  387. unsigned char *buf, int num, unsigned char *kdk)
  388. {
  389. int ret = 0;
  390. HMAC_CTX *hmac = NULL;
  391. EVP_MD *md = NULL;
  392. unsigned int md_len = SHA256_DIGEST_LENGTH;
  393. unsigned char d_hash[SHA256_DIGEST_LENGTH] = {0};
  394. /*
  395. * because we use d as a handle to rsa->d we need to keep it local and
  396. * free before any further use of rsa->d
  397. */
  398. BIGNUM *d = BN_new();
  399. if (d == NULL) {
  400. ERR_raise(ERR_LIB_RSA, ERR_R_CRYPTO_LIB);
  401. goto err;
  402. }
  403. if (rsa->d == NULL) {
  404. ERR_raise(ERR_LIB_RSA, RSA_R_MISSING_PRIVATE_KEY);
  405. BN_free(d);
  406. goto err;
  407. }
  408. BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
  409. if (BN_bn2binpad(d, buf, num) < 0) {
  410. ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
  411. BN_free(d);
  412. goto err;
  413. }
  414. BN_free(d);
  415. /*
  416. * we use hardcoded hash so that migrating between versions that use
  417. * different hash doesn't provide a Bleichenbacher oracle:
  418. * if the attacker can see that different versions return different
  419. * messages for the same ciphertext, they'll know that the message is
  420. * synthetically generated, which means that the padding check failed
  421. */
  422. md = EVP_MD_fetch(rsa->libctx, "sha256", NULL);
  423. if (md == NULL) {
  424. ERR_raise(ERR_LIB_RSA, ERR_R_FETCH_FAILED);
  425. goto err;
  426. }
  427. if (EVP_Digest(buf, num, d_hash, NULL, md, NULL) <= 0) {
  428. ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
  429. goto err;
  430. }
  431. hmac = HMAC_CTX_new();
  432. if (hmac == NULL) {
  433. ERR_raise(ERR_LIB_RSA, ERR_R_CRYPTO_LIB);
  434. goto err;
  435. }
  436. if (HMAC_Init_ex(hmac, d_hash, sizeof(d_hash), md, NULL) <= 0) {
  437. ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
  438. goto err;
  439. }
  440. if (flen < num) {
  441. memset(buf, 0, num - flen);
  442. if (HMAC_Update(hmac, buf, num - flen) <= 0) {
  443. ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
  444. goto err;
  445. }
  446. }
  447. if (HMAC_Update(hmac, from, flen) <= 0) {
  448. ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
  449. goto err;
  450. }
  451. md_len = SHA256_DIGEST_LENGTH;
  452. if (HMAC_Final(hmac, kdk, &md_len) <= 0) {
  453. ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
  454. goto err;
  455. }
  456. ret = 1;
  457. err:
  458. HMAC_CTX_free(hmac);
  459. EVP_MD_free(md);
  460. return ret;
  461. }
  462. static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
  463. unsigned char *to, RSA *rsa, int padding)
  464. {
  465. BIGNUM *f, *ret;
  466. int j, num = 0, r = -1;
  467. unsigned char *buf = NULL;
  468. unsigned char kdk[SHA256_DIGEST_LENGTH] = {0};
  469. BN_CTX *ctx = NULL;
  470. int local_blinding = 0;
  471. /*
  472. * Used only if the blinding structure is shared. A non-NULL unblind
  473. * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
  474. * the unblinding factor outside the blinding structure.
  475. */
  476. BIGNUM *unblind = NULL;
  477. BN_BLINDING *blinding = NULL;
  478. /*
  479. * we need the value of the private exponent to perform implicit rejection
  480. */
  481. if ((rsa->flags & RSA_FLAG_EXT_PKEY) && (padding == RSA_PKCS1_PADDING))
  482. padding = RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING;
  483. if ((ctx = BN_CTX_new_ex(rsa->libctx)) == NULL)
  484. goto err;
  485. BN_CTX_start(ctx);
  486. f = BN_CTX_get(ctx);
  487. ret = BN_CTX_get(ctx);
  488. if (ret == NULL) {
  489. ERR_raise(ERR_LIB_RSA, ERR_R_BN_LIB);
  490. goto err;
  491. }
  492. num = BN_num_bytes(rsa->n);
  493. buf = OPENSSL_malloc(num);
  494. if (buf == NULL)
  495. goto err;
  496. /*
  497. * This check was for equality but PGP does evil things and chops off the
  498. * top '0' bytes
  499. */
  500. if (flen > num) {
  501. ERR_raise(ERR_LIB_RSA, RSA_R_DATA_GREATER_THAN_MOD_LEN);
  502. goto err;
  503. }
  504. if (flen < 1) {
  505. ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_SMALL);
  506. goto err;
  507. }
  508. /* make data into a big number */
  509. if (BN_bin2bn(from, (int)flen, f) == NULL)
  510. goto err;
  511. #ifdef FIPS_MODULE
  512. /*
  513. * See SP800-56Br2, section 7.1.2.1
  514. * RSADP: 1 < f < (n – 1)
  515. * (where f is the ciphertext).
  516. */
  517. if (padding == RSA_NO_PADDING) {
  518. BIGNUM *nminus1 = BN_CTX_get(ctx);
  519. if (BN_ucmp(f, BN_value_one()) <= 0) {
  520. ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_SMALL);
  521. goto err;
  522. }
  523. if (nminus1 == NULL
  524. || BN_copy(nminus1, rsa->n) == NULL
  525. || !BN_sub_word(nminus1, 1))
  526. goto err;
  527. if (BN_ucmp(f, nminus1) >= 0) {
  528. ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
  529. goto err;
  530. }
  531. } else
  532. #endif
  533. {
  534. if (BN_ucmp(f, rsa->n) >= 0) {
  535. ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
  536. goto err;
  537. }
  538. }
  539. if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
  540. if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,
  541. rsa->n, ctx))
  542. goto err;
  543. if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
  544. blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
  545. if (blinding == NULL) {
  546. ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
  547. goto err;
  548. }
  549. }
  550. if (blinding != NULL) {
  551. if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) {
  552. ERR_raise(ERR_LIB_RSA, ERR_R_BN_LIB);
  553. goto err;
  554. }
  555. if (!rsa_blinding_convert(blinding, f, unblind, ctx))
  556. goto err;
  557. }
  558. /* do the decrypt */
  559. if ((rsa->flags & RSA_FLAG_EXT_PKEY) ||
  560. (rsa->version == RSA_ASN1_VERSION_MULTI) ||
  561. ((rsa->p != NULL) &&
  562. (rsa->q != NULL) &&
  563. (rsa->dmp1 != NULL) && (rsa->dmq1 != NULL) && (rsa->iqmp != NULL))) {
  564. if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
  565. goto err;
  566. } else {
  567. BIGNUM *d = BN_new();
  568. if (d == NULL) {
  569. ERR_raise(ERR_LIB_RSA, ERR_R_BN_LIB);
  570. goto err;
  571. }
  572. if (rsa->d == NULL) {
  573. ERR_raise(ERR_LIB_RSA, RSA_R_MISSING_PRIVATE_KEY);
  574. BN_free(d);
  575. goto err;
  576. }
  577. BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
  578. if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
  579. rsa->_method_mod_n)) {
  580. BN_free(d);
  581. goto err;
  582. }
  583. /* We MUST free d before any further use of rsa->d */
  584. BN_free(d);
  585. }
  586. if (blinding)
  587. if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
  588. goto err;
  589. /*
  590. * derive the Key Derivation Key from private exponent and public
  591. * ciphertext
  592. */
  593. if (padding == RSA_PKCS1_PADDING) {
  594. if (derive_kdk(flen, from, rsa, buf, num, kdk) == 0)
  595. goto err;
  596. }
  597. j = BN_bn2binpad(ret, buf, num);
  598. if (j < 0)
  599. goto err;
  600. switch (padding) {
  601. case RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING:
  602. r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num);
  603. break;
  604. case RSA_PKCS1_PADDING:
  605. r = ossl_rsa_padding_check_PKCS1_type_2(rsa->libctx, to, num, buf, j, num, kdk);
  606. break;
  607. case RSA_PKCS1_OAEP_PADDING:
  608. r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0);
  609. break;
  610. case RSA_NO_PADDING:
  611. memcpy(to, buf, (r = j));
  612. break;
  613. default:
  614. ERR_raise(ERR_LIB_RSA, RSA_R_UNKNOWN_PADDING_TYPE);
  615. goto err;
  616. }
  617. #ifndef FIPS_MODULE
  618. /*
  619. * This trick doesn't work in the FIPS provider because libcrypto manages
  620. * the error stack. Instead we opt not to put an error on the stack at all
  621. * in case of padding failure in the FIPS provider.
  622. */
  623. ERR_raise(ERR_LIB_RSA, RSA_R_PADDING_CHECK_FAILED);
  624. err_clear_last_constant_time(1 & ~constant_time_msb(r));
  625. #endif
  626. err:
  627. BN_CTX_end(ctx);
  628. BN_CTX_free(ctx);
  629. OPENSSL_clear_free(buf, num);
  630. return r;
  631. }
  632. /* signature verification */
  633. static int rsa_ossl_public_decrypt(int flen, const unsigned char *from,
  634. unsigned char *to, RSA *rsa, int padding)
  635. {
  636. BIGNUM *f, *ret;
  637. int i, num = 0, r = -1;
  638. unsigned char *buf = NULL;
  639. BN_CTX *ctx = NULL;
  640. if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
  641. ERR_raise(ERR_LIB_RSA, RSA_R_MODULUS_TOO_LARGE);
  642. return -1;
  643. }
  644. if (BN_ucmp(rsa->n, rsa->e) <= 0) {
  645. ERR_raise(ERR_LIB_RSA, RSA_R_BAD_E_VALUE);
  646. return -1;
  647. }
  648. /* for large moduli, enforce exponent limit */
  649. if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) {
  650. if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) {
  651. ERR_raise(ERR_LIB_RSA, RSA_R_BAD_E_VALUE);
  652. return -1;
  653. }
  654. }
  655. if ((ctx = BN_CTX_new_ex(rsa->libctx)) == NULL)
  656. goto err;
  657. BN_CTX_start(ctx);
  658. f = BN_CTX_get(ctx);
  659. ret = BN_CTX_get(ctx);
  660. if (ret == NULL) {
  661. ERR_raise(ERR_LIB_RSA, ERR_R_BN_LIB);
  662. goto err;
  663. }
  664. num = BN_num_bytes(rsa->n);
  665. buf = OPENSSL_malloc(num);
  666. if (buf == NULL)
  667. goto err;
  668. /*
  669. * This check was for equality but PGP does evil things and chops off the
  670. * top '0' bytes
  671. */
  672. if (flen > num) {
  673. ERR_raise(ERR_LIB_RSA, RSA_R_DATA_GREATER_THAN_MOD_LEN);
  674. goto err;
  675. }
  676. if (BN_bin2bn(from, flen, f) == NULL)
  677. goto err;
  678. if (BN_ucmp(f, rsa->n) >= 0) {
  679. ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
  680. goto err;
  681. }
  682. if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
  683. if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,
  684. rsa->n, ctx))
  685. goto err;
  686. if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx,
  687. rsa->_method_mod_n))
  688. goto err;
  689. if ((padding == RSA_X931_PADDING) && ((bn_get_words(ret)[0] & 0xf) != 12))
  690. if (!BN_sub(ret, rsa->n, ret))
  691. goto err;
  692. i = BN_bn2binpad(ret, buf, num);
  693. if (i < 0)
  694. goto err;
  695. switch (padding) {
  696. case RSA_PKCS1_PADDING:
  697. r = RSA_padding_check_PKCS1_type_1(to, num, buf, i, num);
  698. break;
  699. case RSA_X931_PADDING:
  700. r = RSA_padding_check_X931(to, num, buf, i, num);
  701. break;
  702. case RSA_NO_PADDING:
  703. memcpy(to, buf, (r = i));
  704. break;
  705. default:
  706. ERR_raise(ERR_LIB_RSA, RSA_R_UNKNOWN_PADDING_TYPE);
  707. goto err;
  708. }
  709. if (r < 0)
  710. ERR_raise(ERR_LIB_RSA, RSA_R_PADDING_CHECK_FAILED);
  711. err:
  712. BN_CTX_end(ctx);
  713. BN_CTX_free(ctx);
  714. OPENSSL_clear_free(buf, num);
  715. return r;
  716. }
  717. static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
  718. {
  719. BIGNUM *r1, *m1, *vrfy;
  720. int ret = 0, smooth = 0;
  721. #ifndef FIPS_MODULE
  722. BIGNUM *r2, *m[RSA_MAX_PRIME_NUM - 2];
  723. int i, ex_primes = 0;
  724. RSA_PRIME_INFO *pinfo;
  725. #endif
  726. BN_CTX_start(ctx);
  727. r1 = BN_CTX_get(ctx);
  728. #ifndef FIPS_MODULE
  729. r2 = BN_CTX_get(ctx);
  730. #endif
  731. m1 = BN_CTX_get(ctx);
  732. vrfy = BN_CTX_get(ctx);
  733. if (vrfy == NULL)
  734. goto err;
  735. #ifndef FIPS_MODULE
  736. if (rsa->version == RSA_ASN1_VERSION_MULTI
  737. && ((ex_primes = sk_RSA_PRIME_INFO_num(rsa->prime_infos)) <= 0
  738. || ex_primes > RSA_MAX_PRIME_NUM - 2))
  739. goto err;
  740. #endif
  741. if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) {
  742. BIGNUM *factor = BN_new();
  743. if (factor == NULL)
  744. goto err;
  745. /*
  746. * Make sure BN_mod_inverse in Montgomery initialization uses the
  747. * BN_FLG_CONSTTIME flag
  748. */
  749. if (!(BN_with_flags(factor, rsa->p, BN_FLG_CONSTTIME),
  750. BN_MONT_CTX_set_locked(&rsa->_method_mod_p, rsa->lock,
  751. factor, ctx))
  752. || !(BN_with_flags(factor, rsa->q, BN_FLG_CONSTTIME),
  753. BN_MONT_CTX_set_locked(&rsa->_method_mod_q, rsa->lock,
  754. factor, ctx))) {
  755. BN_free(factor);
  756. goto err;
  757. }
  758. #ifndef FIPS_MODULE
  759. for (i = 0; i < ex_primes; i++) {
  760. pinfo = sk_RSA_PRIME_INFO_value(rsa->prime_infos, i);
  761. BN_with_flags(factor, pinfo->r, BN_FLG_CONSTTIME);
  762. if (!BN_MONT_CTX_set_locked(&pinfo->m, rsa->lock, factor, ctx)) {
  763. BN_free(factor);
  764. goto err;
  765. }
  766. }
  767. #endif
  768. /*
  769. * We MUST free |factor| before any further use of the prime factors
  770. */
  771. BN_free(factor);
  772. smooth = (rsa->meth->bn_mod_exp == BN_mod_exp_mont)
  773. #ifndef FIPS_MODULE
  774. && (ex_primes == 0)
  775. #endif
  776. && (BN_num_bits(rsa->q) == BN_num_bits(rsa->p));
  777. }
  778. if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
  779. if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,
  780. rsa->n, ctx))
  781. goto err;
  782. if (smooth) {
  783. /*
  784. * Conversion from Montgomery domain, a.k.a. Montgomery reduction,
  785. * accepts values in [0-m*2^w) range. w is m's bit width rounded up
  786. * to limb width. So that at the very least if |I| is fully reduced,
  787. * i.e. less than p*q, we can count on from-to round to perform
  788. * below modulo operations on |I|. Unlike BN_mod it's constant time.
  789. */
  790. if (/* m1 = I moq q */
  791. !bn_from_mont_fixed_top(m1, I, rsa->_method_mod_q, ctx)
  792. || !bn_to_mont_fixed_top(m1, m1, rsa->_method_mod_q, ctx)
  793. /* r1 = I mod p */
  794. || !bn_from_mont_fixed_top(r1, I, rsa->_method_mod_p, ctx)
  795. || !bn_to_mont_fixed_top(r1, r1, rsa->_method_mod_p, ctx)
  796. /*
  797. * Use parallel exponentiations optimization if possible,
  798. * otherwise fallback to two sequential exponentiations:
  799. * m1 = m1^dmq1 mod q
  800. * r1 = r1^dmp1 mod p
  801. */
  802. || !BN_mod_exp_mont_consttime_x2(m1, m1, rsa->dmq1, rsa->q,
  803. rsa->_method_mod_q,
  804. r1, r1, rsa->dmp1, rsa->p,
  805. rsa->_method_mod_p,
  806. ctx)
  807. /* r1 = (r1 - m1) mod p */
  808. /*
  809. * bn_mod_sub_fixed_top is not regular modular subtraction,
  810. * it can tolerate subtrahend to be larger than modulus, but
  811. * not bit-wise wider. This makes up for uncommon q>p case,
  812. * when |m1| can be larger than |rsa->p|.
  813. */
  814. || !bn_mod_sub_fixed_top(r1, r1, m1, rsa->p)
  815. /* r1 = r1 * iqmp mod p */
  816. || !bn_to_mont_fixed_top(r1, r1, rsa->_method_mod_p, ctx)
  817. || !bn_mul_mont_fixed_top(r1, r1, rsa->iqmp, rsa->_method_mod_p,
  818. ctx)
  819. /* r0 = r1 * q + m1 */
  820. || !bn_mul_fixed_top(r0, r1, rsa->q, ctx)
  821. || !bn_mod_add_fixed_top(r0, r0, m1, rsa->n))
  822. goto err;
  823. goto tail;
  824. }
  825. /* compute I mod q */
  826. {
  827. BIGNUM *c = BN_new();
  828. if (c == NULL)
  829. goto err;
  830. BN_with_flags(c, I, BN_FLG_CONSTTIME);
  831. if (!BN_mod(r1, c, rsa->q, ctx)) {
  832. BN_free(c);
  833. goto err;
  834. }
  835. {
  836. BIGNUM *dmq1 = BN_new();
  837. if (dmq1 == NULL) {
  838. BN_free(c);
  839. goto err;
  840. }
  841. BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
  842. /* compute r1^dmq1 mod q */
  843. if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx,
  844. rsa->_method_mod_q)) {
  845. BN_free(c);
  846. BN_free(dmq1);
  847. goto err;
  848. }
  849. /* We MUST free dmq1 before any further use of rsa->dmq1 */
  850. BN_free(dmq1);
  851. }
  852. /* compute I mod p */
  853. if (!BN_mod(r1, c, rsa->p, ctx)) {
  854. BN_free(c);
  855. goto err;
  856. }
  857. /* We MUST free c before any further use of I */
  858. BN_free(c);
  859. }
  860. {
  861. BIGNUM *dmp1 = BN_new();
  862. if (dmp1 == NULL)
  863. goto err;
  864. BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
  865. /* compute r1^dmp1 mod p */
  866. if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p, ctx,
  867. rsa->_method_mod_p)) {
  868. BN_free(dmp1);
  869. goto err;
  870. }
  871. /* We MUST free dmp1 before any further use of rsa->dmp1 */
  872. BN_free(dmp1);
  873. }
  874. #ifndef FIPS_MODULE
  875. if (ex_primes > 0) {
  876. BIGNUM *di = BN_new(), *cc = BN_new();
  877. if (cc == NULL || di == NULL) {
  878. BN_free(cc);
  879. BN_free(di);
  880. goto err;
  881. }
  882. for (i = 0; i < ex_primes; i++) {
  883. /* prepare m_i */
  884. if ((m[i] = BN_CTX_get(ctx)) == NULL) {
  885. BN_free(cc);
  886. BN_free(di);
  887. goto err;
  888. }
  889. pinfo = sk_RSA_PRIME_INFO_value(rsa->prime_infos, i);
  890. /* prepare c and d_i */
  891. BN_with_flags(cc, I, BN_FLG_CONSTTIME);
  892. BN_with_flags(di, pinfo->d, BN_FLG_CONSTTIME);
  893. if (!BN_mod(r1, cc, pinfo->r, ctx)) {
  894. BN_free(cc);
  895. BN_free(di);
  896. goto err;
  897. }
  898. /* compute r1 ^ d_i mod r_i */
  899. if (!rsa->meth->bn_mod_exp(m[i], r1, di, pinfo->r, ctx, pinfo->m)) {
  900. BN_free(cc);
  901. BN_free(di);
  902. goto err;
  903. }
  904. }
  905. BN_free(cc);
  906. BN_free(di);
  907. }
  908. #endif
  909. if (!BN_sub(r0, r0, m1))
  910. goto err;
  911. /*
  912. * This will help stop the size of r0 increasing, which does affect the
  913. * multiply if it optimised for a power of 2 size
  914. */
  915. if (BN_is_negative(r0))
  916. if (!BN_add(r0, r0, rsa->p))
  917. goto err;
  918. if (!BN_mul(r1, r0, rsa->iqmp, ctx))
  919. goto err;
  920. {
  921. BIGNUM *pr1 = BN_new();
  922. if (pr1 == NULL)
  923. goto err;
  924. BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
  925. if (!BN_mod(r0, pr1, rsa->p, ctx)) {
  926. BN_free(pr1);
  927. goto err;
  928. }
  929. /* We MUST free pr1 before any further use of r1 */
  930. BN_free(pr1);
  931. }
  932. /*
  933. * If p < q it is occasionally possible for the correction of adding 'p'
  934. * if r0 is negative above to leave the result still negative. This can
  935. * break the private key operations: the following second correction
  936. * should *always* correct this rare occurrence. This will *never* happen
  937. * with OpenSSL generated keys because they ensure p > q [steve]
  938. */
  939. if (BN_is_negative(r0))
  940. if (!BN_add(r0, r0, rsa->p))
  941. goto err;
  942. if (!BN_mul(r1, r0, rsa->q, ctx))
  943. goto err;
  944. if (!BN_add(r0, r1, m1))
  945. goto err;
  946. #ifndef FIPS_MODULE
  947. /* add m_i to m in multi-prime case */
  948. if (ex_primes > 0) {
  949. BIGNUM *pr2 = BN_new();
  950. if (pr2 == NULL)
  951. goto err;
  952. for (i = 0; i < ex_primes; i++) {
  953. pinfo = sk_RSA_PRIME_INFO_value(rsa->prime_infos, i);
  954. if (!BN_sub(r1, m[i], r0)) {
  955. BN_free(pr2);
  956. goto err;
  957. }
  958. if (!BN_mul(r2, r1, pinfo->t, ctx)) {
  959. BN_free(pr2);
  960. goto err;
  961. }
  962. BN_with_flags(pr2, r2, BN_FLG_CONSTTIME);
  963. if (!BN_mod(r1, pr2, pinfo->r, ctx)) {
  964. BN_free(pr2);
  965. goto err;
  966. }
  967. if (BN_is_negative(r1))
  968. if (!BN_add(r1, r1, pinfo->r)) {
  969. BN_free(pr2);
  970. goto err;
  971. }
  972. if (!BN_mul(r1, r1, pinfo->pp, ctx)) {
  973. BN_free(pr2);
  974. goto err;
  975. }
  976. if (!BN_add(r0, r0, r1)) {
  977. BN_free(pr2);
  978. goto err;
  979. }
  980. }
  981. BN_free(pr2);
  982. }
  983. #endif
  984. tail:
  985. if (rsa->e && rsa->n) {
  986. if (rsa->meth->bn_mod_exp == BN_mod_exp_mont) {
  987. if (!BN_mod_exp_mont(vrfy, r0, rsa->e, rsa->n, ctx,
  988. rsa->_method_mod_n))
  989. goto err;
  990. } else {
  991. bn_correct_top(r0);
  992. if (!rsa->meth->bn_mod_exp(vrfy, r0, rsa->e, rsa->n, ctx,
  993. rsa->_method_mod_n))
  994. goto err;
  995. }
  996. /*
  997. * If 'I' was greater than (or equal to) rsa->n, the operation will
  998. * be equivalent to using 'I mod n'. However, the result of the
  999. * verify will *always* be less than 'n' so we don't check for
  1000. * absolute equality, just congruency.
  1001. */
  1002. if (!BN_sub(vrfy, vrfy, I))
  1003. goto err;
  1004. if (BN_is_zero(vrfy)) {
  1005. bn_correct_top(r0);
  1006. ret = 1;
  1007. goto err; /* not actually error */
  1008. }
  1009. if (!BN_mod(vrfy, vrfy, rsa->n, ctx))
  1010. goto err;
  1011. if (BN_is_negative(vrfy))
  1012. if (!BN_add(vrfy, vrfy, rsa->n))
  1013. goto err;
  1014. if (!BN_is_zero(vrfy)) {
  1015. /*
  1016. * 'I' and 'vrfy' aren't congruent mod n. Don't leak
  1017. * miscalculated CRT output, just do a raw (slower) mod_exp and
  1018. * return that instead.
  1019. */
  1020. BIGNUM *d = BN_new();
  1021. if (d == NULL)
  1022. goto err;
  1023. BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
  1024. if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx,
  1025. rsa->_method_mod_n)) {
  1026. BN_free(d);
  1027. goto err;
  1028. }
  1029. /* We MUST free d before any further use of rsa->d */
  1030. BN_free(d);
  1031. }
  1032. }
  1033. /*
  1034. * It's unfortunate that we have to bn_correct_top(r0). What hopefully
  1035. * saves the day is that correction is highly unlike, and private key
  1036. * operations are customarily performed on blinded message. Which means
  1037. * that attacker won't observe correlation with chosen plaintext.
  1038. * Secondly, remaining code would still handle it in same computational
  1039. * time and even conceal memory access pattern around corrected top.
  1040. */
  1041. bn_correct_top(r0);
  1042. ret = 1;
  1043. err:
  1044. BN_CTX_end(ctx);
  1045. return ret;
  1046. }
  1047. static int rsa_ossl_init(RSA *rsa)
  1048. {
  1049. rsa->flags |= RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE;
  1050. return 1;
  1051. }
  1052. static int rsa_ossl_finish(RSA *rsa)
  1053. {
  1054. #ifndef FIPS_MODULE
  1055. int i;
  1056. RSA_PRIME_INFO *pinfo;
  1057. for (i = 0; i < sk_RSA_PRIME_INFO_num(rsa->prime_infos); i++) {
  1058. pinfo = sk_RSA_PRIME_INFO_value(rsa->prime_infos, i);
  1059. BN_MONT_CTX_free(pinfo->m);
  1060. }
  1061. #endif
  1062. BN_MONT_CTX_free(rsa->_method_mod_n);
  1063. BN_MONT_CTX_free(rsa->_method_mod_p);
  1064. BN_MONT_CTX_free(rsa->_method_mod_q);
  1065. return 1;
  1066. }
  1067. #ifdef S390X_MOD_EXP
  1068. static int rsa_ossl_s390x_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa,
  1069. BN_CTX *ctx)
  1070. {
  1071. if (rsa->version != RSA_ASN1_VERSION_MULTI) {
  1072. if (s390x_crt(r0, i, rsa->p, rsa->q, rsa->dmp1, rsa->dmq1, rsa->iqmp) == 1)
  1073. return 1;
  1074. }
  1075. return rsa_ossl_mod_exp(r0, i, rsa, ctx);
  1076. }
  1077. #endif