X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=crypto%2Frsa%2Frsa_eay.c;h=f325050c1c91e6cbc7dc32bf1bb4d770cfc7a8a2;hp=35db9e5687ce1e69047ccb5a2bf2d8de26b249ae;hb=81d1998e096684d8ca4318ffdfc07495a8c906de;hpb=126fe085db74d512260dd042d1f9dfe816f819dc
diff --git a/crypto/rsa/rsa_eay.c b/crypto/rsa/rsa_eay.c
index 35db9e5687..f325050c1c 100644
--- a/crypto/rsa/rsa_eay.c
+++ b/crypto/rsa/rsa_eay.c
@@ -120,7 +120,7 @@ static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
 case RSA_PKCS1_PADDING:
 i=RSA_padding_add_PKCS1_type_2(buf,num,from,flen);
 break;
-#ifndef NO_SHA
+#ifndef OPENSSL_NO_SHA
 case RSA_PKCS1_OAEP_PADDING:
 i=RSA_padding_add_PKCS1_OAEP(buf,num,from,flen,NULL,0);
 break;
@@ -329,7 +329,7 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
 case RSA_PKCS1_PADDING:
 r=RSA_padding_check_PKCS1_type_2(to,num,buf,j,num);
 break;
-#ifndef NO_SHA
+#ifndef OPENSSL_NO_SHA
 case RSA_PKCS1_OAEP_PADDING:
 r=RSA_padding_check_PKCS1_OAEP(to,num,buf,j,num,NULL,0);
 break;
@@ -453,7 +453,7 @@ err:
 static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
 {
 const RSA_METHOD *meth;
- BIGNUM r1,m1;
+ BIGNUM r1,m1,vrfy;
 int ret=0;
 BN_CTX *ctx;
@@ -461,6 +461,7 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
 if ((ctx=BN_CTX_new()) == NULL) goto err;
 BN_init(&m1);
 BN_init(&r1);
+ BN_init(&vrfy);
 if (rsa->flags & RSA_FLAG_CACHE_PRIVATE)
 {
@@ -496,7 +497,7 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
 if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->q,ctx))
 {
 BN_MONT_CTX_free(bn_mont_ctx);
- goto err;
+ goto err;
 }
 if (rsa->_method_mod_q == NULL) /* other thread may have finished first */
 {
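Review bot: In the @@ -461 hunk the new `BN_init(&vrfy);` sits after `if ((ctx=BN_CTX_new()) == NULL) goto err;`, so on that failure path the `BN_clear_free(&vrfy);` added to the err: block in the @@ -541 hunk runs on an uninitialized stack BIGNUM whose d pointer is garbage; m1 and r1 already had this exposure and the change extends it to a third variable. Moving the three initialisations above the allocation check, `BN_init(&m1); BN_init(&r1); BN_init(&vrfy);` followed by `if ((ctx=BN_CTX_new()) == NULL) goto err;`, makes every path to err: safe without changing the success path. The @@ -453 hunk only adds the declaration and needs nothing further; the rest of RSA_eay_mod_exp lies outside these hunks.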
@@ -541,10 +542,28 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
 if (!BN_mul(&r1,r0,rsa->q,ctx)) goto err;
 if (!BN_add(r0,&r1,&m1)) goto err;
+ if (rsa->e && rsa->n)
+ {
+ if (!meth->bn_mod_exp(&vrfy,r0,rsa->e,rsa->n,ctx,NULL)) goto err;
+ /* If 'I' was greater than (or equal to) rsa->n, the operation
+ * will be equivalent to using 'I mod n'. However, the result of
+ * the verify will *always* be less than 'n' so we don't check
+ * for absolute equality, just congruency. */
+ if (!BN_sub(&vrfy, &vrfy, I)) goto err;
+ if (!BN_mod(&vrfy, &vrfy, rsa->n, ctx)) goto err;
+ if (vrfy.neg)
+ if (!BN_add(&vrfy, &vrfy, rsa->n)) goto err;
+ if (!BN_is_zero(&vrfy))
+ /* 'I' and 'vrfy' aren't congruent mod n. Don't leak
+ * miscalculated CRT output, just do a raw (slower)
+ * mod_exp and return that instead. */
+ if (!meth->bn_mod_exp(r0,I,rsa->d,rsa->n,ctx,NULL)) goto err;
+ }
 ret=1;
 err:
 BN_clear_free(&m1);
 BN_clear_free(&r1);
+ BN_clear_free(&vrfy);
 BN_CTX_free(ctx);
 return(ret);
 }
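Review bot: The consistency check is guarded by `if (rsa->e && rsa->n)`, so a key loaded without its public exponent still returns the unverified CRT result that the rest of this block exists to keep from leaking; that is a deliberate trade-off, but it is invisible to a reader and deserves a comment on that line such as `/* no public exponent: CRT output cannot be cross-checked and is returned as computed */`. The two unbraced nested ifs, `if (vrfy.neg) if (!BN_add(...)) goto err;` and `if (!BN_is_zero(&vrfy)) if (!meth->bn_mod_exp(...)) goto err;`, are easy to misread, all the more so with a three-line comment sitting between the outer condition and its body, and should be braced. A mismatch here means the CRT computation was corrupted (a hardware or induced fault), and the hunk silently masks it by recomputing with rsa->d; consider also recording the event, for instance through the library's error queue, so that repeated occurrences can be observed by callers. RSA_eay_mod_exp's body begins before this hunk.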