OpenSSL  1.0.1c
 All Classes Files Functions Variables Typedefs Enumerations Enumerator Macros
eng_rsax.c
Go to the documentation of this file.
1 /* crypto/engine/eng_rsax.c */
2 /* Copyright (c) 2010-2010 Intel Corp.
3  * Author: [email protected]
4  * Jim Guilford
5  * [email protected]
6  * [email protected]
7  * [email protected]
8  *
9  * More information about algorithm used can be found at:
10  * http://www.cse.buffalo.edu/srds2009/escs2009_submission_Gopal.pdf
11  */
12 /* ====================================================================
13  * Copyright (c) 1999-2001 The OpenSSL Project. All rights reserved.
14  *
15  * Redistribution and use in source and binary forms, with or without
16  * modification, are permitted provided that the following conditions
17  * are met:
18  *
19  * 1. Redistributions of source code must retain the above copyright
20  * notice, this list of conditions and the following disclaimer.
21  *
22  * 2. Redistributions in binary form must reproduce the above copyright
23  * notice, this list of conditions and the following disclaimer in
24  * the documentation and/or other materials provided with the
25  * distribution.
26  *
27  * 3. All advertising materials mentioning features or use of this
28  * software must display the following acknowledgment:
29  * "This product includes software developed by the OpenSSL Project
30  * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
31  *
32  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
33  * endorse or promote products derived from this software without
34  * prior written permission. For written permission, please contact
35  * [email protected].
36  *
37  * 5. Products derived from this software may not be called "OpenSSL"
38  * nor may "OpenSSL" appear in their names without prior written
39  * permission of the OpenSSL Project.
40  *
41  * 6. Redistributions of any form whatsoever must retain the following
42  * acknowledgment:
43  * "This product includes software developed by the OpenSSL Project
44  * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
45  *
46  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
47  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
48  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
49  * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
50  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
51  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
52  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
53  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
54  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
55  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
56  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
57  * OF THE POSSIBILITY OF SUCH DAMAGE.
58  * ====================================================================
59  *
60  * This product includes cryptographic software written by Eric Young
61  * ([email protected]). This product includes software written by Tim
62  * Hudson ([email protected]).
63  */
64 
65 #include <openssl/opensslconf.h>
66 
67 #include <stdio.h>
68 #include <string.h>
69 #include <openssl/crypto.h>
70 #include <openssl/buffer.h>
71 #include <openssl/engine.h>
72 #ifndef OPENSSL_NO_RSA
73 #include <openssl/rsa.h>
74 #endif
75 #include <openssl/bn.h>
76 #include <openssl/err.h>
77 
78 /* RSAX is available **ONLY* on x86_64 CPUs */
79 #undef COMPILE_RSAX
80 
81 #if (defined(__x86_64) || defined(__x86_64__) || \
82  defined(_M_AMD64) || defined (_M_X64)) && !defined(OPENSSL_NO_ASM)
83 #define COMPILE_RSAX
84 static ENGINE *ENGINE_rsax (void);
85 #endif
86 
87 void ENGINE_load_rsax (void)
88  {
89 /* On non-x86 CPUs it just returns. */
90 #ifdef COMPILE_RSAX
91  ENGINE *toadd = ENGINE_rsax();
92  if(!toadd) return;
93  ENGINE_add(toadd);
94  ENGINE_free(toadd);
95  ERR_clear_error();
96 #endif
97  }
98 
99 #ifdef COMPILE_RSAX
100 #define E_RSAX_LIB_NAME "rsax engine"
101 
102 static int e_rsax_destroy(ENGINE *e);
103 static int e_rsax_init(ENGINE *e);
104 static int e_rsax_finish(ENGINE *e);
105 static int e_rsax_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void));
106 
107 #ifndef OPENSSL_NO_RSA
108 /* RSA stuff */
109 static int e_rsax_rsa_mod_exp(BIGNUM *r, const BIGNUM *I, RSA *rsa, BN_CTX *ctx);
110 static int e_rsax_rsa_finish(RSA *r);
111 #endif
112 
113 static const ENGINE_CMD_DEFN e_rsax_cmd_defns[] = {
114  {0, NULL, NULL, 0}
115  };
116 
117 #ifndef OPENSSL_NO_RSA
118 /* Our internal RSA_METHOD that we provide pointers to */
119 static RSA_METHOD e_rsax_rsa =
120  {
121  "Intel RSA-X method",
122  NULL,
123  NULL,
124  NULL,
125  NULL,
126  e_rsax_rsa_mod_exp,
127  NULL,
128  NULL,
129  e_rsax_rsa_finish,
130  RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE,
131  NULL,
132  NULL,
133  NULL
134  };
135 #endif
136 
137 /* Constants used when creating the ENGINE */
138 static const char *engine_e_rsax_id = "rsax";
139 static const char *engine_e_rsax_name = "RSAX engine support";
140 
141 /* This internal function is used by ENGINE_rsax() */
142 static int bind_helper(ENGINE *e)
143  {
144 #ifndef OPENSSL_NO_RSA
145  const RSA_METHOD *meth1;
146 #endif
147  if(!ENGINE_set_id(e, engine_e_rsax_id) ||
148  !ENGINE_set_name(e, engine_e_rsax_name) ||
149 #ifndef OPENSSL_NO_RSA
150  !ENGINE_set_RSA(e, &e_rsax_rsa) ||
151 #endif
152  !ENGINE_set_destroy_function(e, e_rsax_destroy) ||
153  !ENGINE_set_init_function(e, e_rsax_init) ||
154  !ENGINE_set_finish_function(e, e_rsax_finish) ||
155  !ENGINE_set_ctrl_function(e, e_rsax_ctrl) ||
156  !ENGINE_set_cmd_defns(e, e_rsax_cmd_defns))
157  return 0;
158 
159 #ifndef OPENSSL_NO_RSA
160  meth1 = RSA_PKCS1_SSLeay();
161  e_rsax_rsa.rsa_pub_enc = meth1->rsa_pub_enc;
162  e_rsax_rsa.rsa_pub_dec = meth1->rsa_pub_dec;
163  e_rsax_rsa.rsa_priv_enc = meth1->rsa_priv_enc;
164  e_rsax_rsa.rsa_priv_dec = meth1->rsa_priv_dec;
165  e_rsax_rsa.bn_mod_exp = meth1->bn_mod_exp;
166 #endif
167  return 1;
168  }
169 
170 static ENGINE *ENGINE_rsax(void)
171  {
172  ENGINE *ret = ENGINE_new();
173  if(!ret)
174  return NULL;
175  if(!bind_helper(ret))
176  {
177  ENGINE_free(ret);
178  return NULL;
179  }
180  return ret;
181  }
182 
183 #ifndef OPENSSL_NO_RSA
184 /* Used to attach our own key-data to an RSA structure */
185 static int rsax_ex_data_idx = -1;
186 #endif
187 
188 static int e_rsax_destroy(ENGINE *e)
189  {
190  return 1;
191  }
192 
193 /* (de)initialisation functions. */
194 static int e_rsax_init(ENGINE *e)
195  {
196 #ifndef OPENSSL_NO_RSA
197  if (rsax_ex_data_idx == -1)
198  rsax_ex_data_idx = RSA_get_ex_new_index(0,
199  NULL,
200  NULL, NULL, NULL);
201 #endif
202  if (rsax_ex_data_idx == -1)
203  return 0;
204  return 1;
205  }
206 
207 static int e_rsax_finish(ENGINE *e)
208  {
209  return 1;
210  }
211 
212 static int e_rsax_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void))
213  {
214  int to_return = 1;
215 
216  switch(cmd)
217  {
218  /* The command isn't understood by this engine */
219  default:
220  to_return = 0;
221  break;
222  }
223 
224  return to_return;
225  }
226 
227 
228 #ifndef OPENSSL_NO_RSA
229 
230 #ifdef _WIN32
231 typedef unsigned __int64 UINT64;
232 #else
233 typedef unsigned long long UINT64;
234 #endif
235 typedef unsigned short UINT16;
236 
237 /* Table t is interleaved in the following manner:
238  * The order in memory is t[0][0], t[0][1], ..., t[0][7], t[1][0], ...
239  * A particular 512-bit value is stored in t[][index] rather than the more
240  * normal t[index][]; i.e. the qwords of a particular entry in t are not
241  * adjacent in memory
242  */
243 
244 /* Init BIGNUM b from the interleaved UINT64 array */
245 static int interleaved_array_to_bn_512(BIGNUM* b, UINT64 *array);
246 
247 /* Extract array elements from BIGNUM b
248  * To set the whole array from b, call with n=8
249  */
250 static int bn_extract_to_array_512(const BIGNUM* b, unsigned int n, UINT64 *array);
251 
252 struct mod_ctx_512 {
253  UINT64 t[8][8];
254  UINT64 m[8];
255  UINT64 m1[8]; /* 2^278 % m */
256  UINT64 m2[8]; /* 2^640 % m */
257  UINT64 k1[2]; /* (- 1/m) % 2^128 */
258 };
259 
260 static int mod_exp_pre_compute_data_512(UINT64 *m, struct mod_ctx_512 *data);
261 
262 void mod_exp_512(UINT64 *result, /* 512 bits, 8 qwords */
263  UINT64 *g, /* 512 bits, 8 qwords */
264  UINT64 *exp, /* 512 bits, 8 qwords */
265  struct mod_ctx_512 *data);
266 
267 typedef struct st_e_rsax_mod_ctx
268 {
269  UINT64 type;
270  union {
271  struct mod_ctx_512 b512;
272  } ctx;
273 
274 } E_RSAX_MOD_CTX;
275 
276 static E_RSAX_MOD_CTX *e_rsax_get_ctx(RSA *rsa, int idx, BIGNUM* m)
277 {
278  E_RSAX_MOD_CTX *hptr;
279 
280  if (idx < 0 || idx > 2)
281  return NULL;
282 
283  hptr = RSA_get_ex_data(rsa, rsax_ex_data_idx);
284  if (!hptr) {
285  hptr = OPENSSL_malloc(3*sizeof(E_RSAX_MOD_CTX));
286  if (!hptr) return NULL;
287  hptr[2].type = hptr[1].type= hptr[0].type = 0;
288  RSA_set_ex_data(rsa, rsax_ex_data_idx, hptr);
289  }
290 
291  if (hptr[idx].type == (UINT64)BN_num_bits(m))
292  return hptr+idx;
293 
294  if (BN_num_bits(m) == 512) {
295  UINT64 _m[8];
296  bn_extract_to_array_512(m, 8, _m);
297  memset( &hptr[idx].ctx.b512, 0, sizeof(struct mod_ctx_512));
298  mod_exp_pre_compute_data_512(_m, &hptr[idx].ctx.b512);
299  }
300 
301  hptr[idx].type = BN_num_bits(m);
302  return hptr+idx;
303 }
304 
305 static int e_rsax_rsa_finish(RSA *rsa)
306  {
307  E_RSAX_MOD_CTX *hptr = RSA_get_ex_data(rsa, rsax_ex_data_idx);
308  if(hptr)
309  {
310  OPENSSL_free(hptr);
311  RSA_set_ex_data(rsa, rsax_ex_data_idx, NULL);
312  }
313  if (rsa->_method_mod_n)
314  BN_MONT_CTX_free(rsa->_method_mod_n);
315  if (rsa->_method_mod_p)
316  BN_MONT_CTX_free(rsa->_method_mod_p);
317  if (rsa->_method_mod_q)
318  BN_MONT_CTX_free(rsa->_method_mod_q);
319  return 1;
320  }
321 
322 
323 static int e_rsax_bn_mod_exp(BIGNUM *r, const BIGNUM *g, const BIGNUM *e,
324  const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont, E_RSAX_MOD_CTX* rsax_mod_ctx )
325 {
326  if (rsax_mod_ctx && BN_get_flags(e, BN_FLG_CONSTTIME) != 0) {
327  if (BN_num_bits(m) == 512) {
328  UINT64 _r[8];
329  UINT64 _g[8];
330  UINT64 _e[8];
331 
332  /* Init the arrays from the BIGNUMs */
333  bn_extract_to_array_512(g, 8, _g);
334  bn_extract_to_array_512(e, 8, _e);
335 
336  mod_exp_512(_r, _g, _e, &rsax_mod_ctx->ctx.b512);
337  /* Return the result in the BIGNUM */
338  interleaved_array_to_bn_512(r, _r);
339  return 1;
340  }
341  }
342 
343  return BN_mod_exp_mont(r, g, e, m, ctx, in_mont);
344 }
345 
346 /* Declares for the Intel CIAP 512-bit / CRT / 1024 bit RSA modular
347  * exponentiation routine precalculations and a structure to hold the
348  * necessary values. These files are meant to live in crypto/rsa/ in
349  * the target openssl.
350  */
351 
352 /*
353  * Local method: extracts a piece from a BIGNUM, to fit it into
354  * an array. Call with n=8 to extract an entire 512-bit BIGNUM
355  */
356 static int bn_extract_to_array_512(const BIGNUM* b, unsigned int n, UINT64 *array)
357 {
358  int i;
359  UINT64 tmp;
360  unsigned char bn_buff[64];
361  memset(bn_buff, 0, 64);
362  if (BN_num_bytes(b) > 64) {
363  printf ("Can't support this byte size\n");
364  return 0; }
365  if (BN_num_bytes(b)!=0) {
366  if (!BN_bn2bin(b, bn_buff+(64-BN_num_bytes(b)))) {
367  printf ("Error's in bn2bin\n");
368  /* We have to error, here */
369  return 0; } }
370  while (n-- > 0) {
371  array[n] = 0;
372  for (i=7; i>=0; i--) {
373  tmp = bn_buff[63-(n*8+i)];
374  array[n] |= tmp << (8*i); } }
375  return 1;
376 }
377 
378 /* Init a 512-bit BIGNUM from the UINT64*_ (8 * 64) interleaved array */
379 static int interleaved_array_to_bn_512(BIGNUM* b, UINT64 *array)
380 {
381  unsigned char tmp[64];
382  int n=8;
383  int i;
384  while (n-- > 0) {
385  for (i = 7; i>=0; i--) {
386  tmp[63-(n*8+i)] = (unsigned char)(array[n]>>(8*i)); } }
387  BN_bin2bn(tmp, 64, b);
388  return 0;
389 }
390 
391 
392 /* The main 512bit precompute call */
393 static int mod_exp_pre_compute_data_512(UINT64 *m, struct mod_ctx_512 *data)
394  {
395  BIGNUM two_768, two_640, two_128, two_512, tmp, _m, tmp2;
396 
397  /* We need a BN_CTX for the modulo functions */
398  BN_CTX* ctx;
399  /* Some tmps */
400  UINT64 _t[8];
401  int i, j, ret = 0;
402 
403  /* Init _m with m */
404  BN_init(&_m);
405  interleaved_array_to_bn_512(&_m, m);
406  memset(_t, 0, 64);
407 
408  /* Inits */
409  BN_init(&two_768);
410  BN_init(&two_640);
411  BN_init(&two_128);
412  BN_init(&two_512);
413  BN_init(&tmp);
414  BN_init(&tmp2);
415 
416  /* Create our context */
417  if ((ctx=BN_CTX_new()) == NULL) { goto err; }
418  BN_CTX_start(ctx);
419 
420  /*
421  * For production, if you care, these only need to be set once,
422  * and may be made constants.
423  */
424  BN_lshift(&two_768, BN_value_one(), 768);
425  BN_lshift(&two_640, BN_value_one(), 640);
426  BN_lshift(&two_128, BN_value_one(), 128);
427  BN_lshift(&two_512, BN_value_one(), 512);
428 
429  if (0 == (m[7] & 0x8000000000000000)) {
430  exit(1);
431  }
432  if (0 == (m[0] & 0x1)) { /* Odd modulus required for Mont */
433  exit(1);
434  }
435 
436  /* Precompute m1 */
437  BN_mod(&tmp, &two_768, &_m, ctx);
438  if (!bn_extract_to_array_512(&tmp, 8, &data->m1[0])) {
439  goto err; }
440 
441  /* Precompute m2 */
442  BN_mod(&tmp, &two_640, &_m, ctx);
443  if (!bn_extract_to_array_512(&tmp, 8, &data->m2[0])) {
444  goto err;
445  }
446 
447  /*
448  * Precompute k1, a 128b number = ((-1)* m-1 ) mod 2128; k1 should
449  * be non-negative.
450  */
451  BN_mod_inverse(&tmp, &_m, &two_128, ctx);
452  if (!BN_is_zero(&tmp)) { BN_sub(&tmp, &two_128, &tmp); }
453  if (!bn_extract_to_array_512(&tmp, 2, &data->k1[0])) {
454  goto err; }
455 
456  /* Precompute t */
457  for (i=0; i<8; i++) {
458  BN_zero(&tmp);
459  if (i & 1) { BN_add(&tmp, &two_512, &tmp); }
460  if (i & 2) { BN_add(&tmp, &two_512, &tmp); }
461  if (i & 4) { BN_add(&tmp, &two_640, &tmp); }
462 
463  BN_nnmod(&tmp2, &tmp, &_m, ctx);
464  if (!bn_extract_to_array_512(&tmp2, 8, _t)) {
465  goto err; }
466  for (j=0; j<8; j++) data->t[j][i] = _t[j]; }
467 
468  /* Precompute m */
469  for (i=0; i<8; i++) {
470  data->m[i] = m[i]; }
471 
472  ret = 1;
473 
474 err:
475  /* Cleanup */
476  if (ctx != NULL) {
477  BN_CTX_end(ctx); BN_CTX_free(ctx); }
478  BN_free(&two_768);
479  BN_free(&two_640);
480  BN_free(&two_128);
481  BN_free(&two_512);
482  BN_free(&tmp);
483  BN_free(&tmp2);
484  BN_free(&_m);
485 
486  return ret;
487 }
488 
489 
490 static int e_rsax_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
491  {
492  BIGNUM *r1,*m1,*vrfy;
493  BIGNUM local_dmp1,local_dmq1,local_c,local_r1;
494  BIGNUM *dmp1,*dmq1,*c,*pr1;
495  int ret=0;
496 
497  BN_CTX_start(ctx);
498  r1 = BN_CTX_get(ctx);
499  m1 = BN_CTX_get(ctx);
500  vrfy = BN_CTX_get(ctx);
501 
502  {
503  BIGNUM local_p, local_q;
504  BIGNUM *p = NULL, *q = NULL;
505  int error = 0;
506 
507  /* Make sure BN_mod_inverse in Montgomery
508  * intialization uses the BN_FLG_CONSTTIME flag
509  * (unless RSA_FLAG_NO_CONSTTIME is set)
510  */
511  if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
512  {
513  BN_init(&local_p);
514  p = &local_p;
515  BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
516 
517  BN_init(&local_q);
518  q = &local_q;
519  BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
520  }
521  else
522  {
523  p = rsa->p;
524  q = rsa->q;
525  }
526 
527  if (rsa->flags & RSA_FLAG_CACHE_PRIVATE)
528  {
529  if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, CRYPTO_LOCK_RSA, p, ctx))
530  error = 1;
531  if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q, CRYPTO_LOCK_RSA, q, ctx))
532  error = 1;
533  }
534 
535  /* clean up */
536  if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
537  {
538  BN_free(&local_p);
539  BN_free(&local_q);
540  }
541  if ( error )
542  goto err;
543  }
544 
545  if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
546  if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
547  goto err;
548 
549  /* compute I mod q */
550  if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
551  {
552  c = &local_c;
553  BN_with_flags(c, I, BN_FLG_CONSTTIME);
554  if (!BN_mod(r1,c,rsa->q,ctx)) goto err;
555  }
556  else
557  {
558  if (!BN_mod(r1,I,rsa->q,ctx)) goto err;
559  }
560 
561  /* compute r1^dmq1 mod q */
562  if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
563  {
564  dmq1 = &local_dmq1;
565  BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
566  }
567  else
568  dmq1 = rsa->dmq1;
569 
570  if (!e_rsax_bn_mod_exp(m1,r1,dmq1,rsa->q,ctx,
571  rsa->_method_mod_q, e_rsax_get_ctx(rsa, 0, rsa->q) )) goto err;
572 
573  /* compute I mod p */
574  if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
575  {
576  c = &local_c;
577  BN_with_flags(c, I, BN_FLG_CONSTTIME);
578  if (!BN_mod(r1,c,rsa->p,ctx)) goto err;
579  }
580  else
581  {
582  if (!BN_mod(r1,I,rsa->p,ctx)) goto err;
583  }
584 
585  /* compute r1^dmp1 mod p */
586  if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
587  {
588  dmp1 = &local_dmp1;
589  BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
590  }
591  else
592  dmp1 = rsa->dmp1;
593 
594  if (!e_rsax_bn_mod_exp(r0,r1,dmp1,rsa->p,ctx,
595  rsa->_method_mod_p, e_rsax_get_ctx(rsa, 1, rsa->p) )) goto err;
596 
597  if (!BN_sub(r0,r0,m1)) goto err;
598  /* This will help stop the size of r0 increasing, which does
599  * affect the multiply if it optimised for a power of 2 size */
600  if (BN_is_negative(r0))
601  if (!BN_add(r0,r0,rsa->p)) goto err;
602 
603  if (!BN_mul(r1,r0,rsa->iqmp,ctx)) goto err;
604 
605  /* Turn BN_FLG_CONSTTIME flag on before division operation */
606  if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
607  {
608  pr1 = &local_r1;
609  BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
610  }
611  else
612  pr1 = r1;
613  if (!BN_mod(r0,pr1,rsa->p,ctx)) goto err;
614 
615  /* If p < q it is occasionally possible for the correction of
616  * adding 'p' if r0 is negative above to leave the result still
617  * negative. This can break the private key operations: the following
618  * second correction should *always* correct this rare occurrence.
619  * This will *never* happen with OpenSSL generated keys because
620  * they ensure p > q [steve]
621  */
622  if (BN_is_negative(r0))
623  if (!BN_add(r0,r0,rsa->p)) goto err;
624  if (!BN_mul(r1,r0,rsa->q,ctx)) goto err;
625  if (!BN_add(r0,r1,m1)) goto err;
626 
627  if (rsa->e && rsa->n)
628  {
629  if (!e_rsax_bn_mod_exp(vrfy,r0,rsa->e,rsa->n,ctx,rsa->_method_mod_n, e_rsax_get_ctx(rsa, 2, rsa->n) ))
630  goto err;
631 
632  /* If 'I' was greater than (or equal to) rsa->n, the operation
633  * will be equivalent to using 'I mod n'. However, the result of
634  * the verify will *always* be less than 'n' so we don't check
635  * for absolute equality, just congruency. */
636  if (!BN_sub(vrfy, vrfy, I)) goto err;
637  if (!BN_mod(vrfy, vrfy, rsa->n, ctx)) goto err;
638  if (BN_is_negative(vrfy))
639  if (!BN_add(vrfy, vrfy, rsa->n)) goto err;
640  if (!BN_is_zero(vrfy))
641  {
642  /* 'I' and 'vrfy' aren't congruent mod n. Don't leak
643  * miscalculated CRT output, just do a raw (slower)
644  * mod_exp and return that instead. */
645 
646  BIGNUM local_d;
647  BIGNUM *d = NULL;
648 
649  if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
650  {
651  d = &local_d;
652  BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
653  }
654  else
655  d = rsa->d;
656  if (!e_rsax_bn_mod_exp(r0,I,d,rsa->n,ctx,
657  rsa->_method_mod_n, e_rsax_get_ctx(rsa, 2, rsa->n) )) goto err;
658  }
659  }
660  ret=1;
661 
662 err:
663  BN_CTX_end(ctx);
664 
665  return ret;
666  }
667 #endif /* !OPENSSL_NO_RSA */
668 #endif /* !COMPILE_RSAX */
Generated on Thu Jan 10 2013 09:53:36 for OpenSSL by   doxygen 1.8.2