grpc 1.55.0 → 1.56.0.pre3

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/padding.c

@@ -71,8 +71,6 @@
 #include "../../internal.h"
 
 
-#define RSA_PKCS1_PADDING_SIZE 11
-
 int RSA_padding_add_PKCS1_type_1(uint8_t *to, size_t to_len,
                                  const uint8_t *from, size_t from_len) {
   // See RFC 8017, section 9.2.
@@ -146,109 +144,6 @@ int RSA_padding_check_PKCS1_type_1(uint8_t *out, size_t *out_len,
   return 1;
 }
 
-static void rand_nonzero(uint8_t *out, size_t len) {
-  FIPS_service_indicator_lock_state();
-  RAND_bytes(out, len);
-
-  for (size_t i = 0; i < len; i++) {
-    while (out[i] == 0) {
-      RAND_bytes(out + i, 1);
-    }
-  }
-
-  FIPS_service_indicator_unlock_state();
-}
-
-int RSA_padding_add_PKCS1_type_2(uint8_t *to, size_t to_len,
-                                 const uint8_t *from, size_t from_len) {
-  // See RFC 8017, section 7.2.1.
-  if (to_len < RSA_PKCS1_PADDING_SIZE) {
-    OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);
-    return 0;
-  }
-
-  if (from_len > to_len - RSA_PKCS1_PADDING_SIZE) {
-    OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
-    return 0;
-  }
-
-  to[0] = 0;
-  to[1] = 2;
-
-  size_t padding_len = to_len - 3 - from_len;
-  rand_nonzero(to + 2, padding_len);
-  to[2 + padding_len] = 0;
-  OPENSSL_memcpy(to + to_len - from_len, from, from_len);
-  return 1;
-}
-
-int RSA_padding_check_PKCS1_type_2(uint8_t *out, size_t *out_len,
-                                   size_t max_out, const uint8_t *from,
-                                   size_t from_len) {
-  if (from_len == 0) {
-    OPENSSL_PUT_ERROR(RSA, RSA_R_EMPTY_PUBLIC_KEY);
-    return 0;
-  }
-
-  // PKCS#1 v1.5 decryption. See "PKCS #1 v2.2: RSA Cryptography
-  // Standard", section 7.2.2.
-  if (from_len < RSA_PKCS1_PADDING_SIZE) {
-    // |from| is zero-padded to the size of the RSA modulus, a public value, so
-    // this can be rejected in non-constant time.
-    OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);
-    return 0;
-  }
-
-  crypto_word_t first_byte_is_zero = constant_time_eq_w(from[0], 0);
-  crypto_word_t second_byte_is_two = constant_time_eq_w(from[1], 2);
-
-  crypto_word_t zero_index = 0, looking_for_index = CONSTTIME_TRUE_W;
-  for (size_t i = 2; i < from_len; i++) {
-    crypto_word_t equals0 = constant_time_is_zero_w(from[i]);
-    zero_index =
-        constant_time_select_w(looking_for_index & equals0, i, zero_index);
-    looking_for_index = constant_time_select_w(equals0, 0, looking_for_index);
-  }
-
-  // The input must begin with 00 02.
-  crypto_word_t valid_index = first_byte_is_zero;
-  valid_index &= second_byte_is_two;
-
-  // We must have found the end of PS.
-  valid_index &= ~looking_for_index;
-
-  // PS must be at least 8 bytes long, and it starts two bytes into |from|.
-  valid_index &= constant_time_ge_w(zero_index, 2 + 8);
-
-  // Skip the zero byte.
-  zero_index++;
-
-  // NOTE: Although this logic attempts to be constant time, the API contracts
-  // of this function and |RSA_decrypt| with |RSA_PKCS1_PADDING| make it
-  // impossible to completely avoid Bleichenbacher's attack. Consumers should
-  // use |RSA_PADDING_NONE| and perform the padding check in constant-time
-  // combined with a swap to a random session key or other mitigation.
-  CONSTTIME_DECLASSIFY(&valid_index, sizeof(valid_index));
-  CONSTTIME_DECLASSIFY(&zero_index, sizeof(zero_index));
-
-  if (!valid_index) {
-    OPENSSL_PUT_ERROR(RSA, RSA_R_PKCS_DECODING_ERROR);
-    return 0;
-  }
-
-  const size_t msg_len = from_len - zero_index;
-  if (msg_len > max_out) {
-    // This shouldn't happen because this function is always called with
-    // |max_out| as the key size and |from_len| is bounded by the key size.
-    OPENSSL_PUT_ERROR(RSA, RSA_R_PKCS_DECODING_ERROR);
-    return 0;
-  }
-
-  OPENSSL_memcpy(out, &from[zero_index], msg_len);
-  *out_len = msg_len;
-  return 1;
-}
-
 int RSA_padding_add_none(uint8_t *to, size_t to_len, const uint8_t *from,
                          size_t from_len) {
   if (from_len > to_len) {
@@ -265,8 +160,8 @@ int RSA_padding_add_none(uint8_t *to, size_t to_len, const uint8_t *from,
   return 1;
 }
 
-static int PKCS1_MGF1(uint8_t *out, size_t len, const uint8_t *seed,
-                      size_t seed_len, const EVP_MD *md) {
+int PKCS1_MGF1(uint8_t *out, size_t len, const uint8_t *seed, size_t seed_len,
+               const EVP_MD *md) {
   int ret = 0;
   EVP_MD_CTX ctx;
   EVP_MD_CTX_init(&ctx);
@@ -310,184 +205,6 @@ err:
   return ret;
 }
 
-int RSA_padding_add_PKCS1_OAEP_mgf1(uint8_t *to, size_t to_len,
-                                    const uint8_t *from, size_t from_len,
-                                    const uint8_t *param, size_t param_len,
-                                    const EVP_MD *md, const EVP_MD *mgf1md) {
-  if (md == NULL) {
-    md = EVP_sha1();
-  }
-  if (mgf1md == NULL) {
-    mgf1md = md;
-  }
-
-  size_t mdlen = EVP_MD_size(md);
-
-  if (to_len < 2 * mdlen + 2) {
-    OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);
-    return 0;
-  }
-
-  size_t emlen = to_len - 1;
-  if (from_len > emlen - 2 * mdlen - 1) {
-    OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
-    return 0;
-  }
-
-  if (emlen < 2 * mdlen + 1) {
-    OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);
-    return 0;
-  }
-
-  to[0] = 0;
-  uint8_t *seed = to + 1;
-  uint8_t *db = to + mdlen + 1;
-
-  uint8_t *dbmask = NULL;
-  int ret = 0;
-  FIPS_service_indicator_lock_state();
-  if (!EVP_Digest(param, param_len, db, NULL, md, NULL)) {
-    goto out;
-  }
-  OPENSSL_memset(db + mdlen, 0, emlen - from_len - 2 * mdlen - 1);
-  db[emlen - from_len - mdlen - 1] = 0x01;
-  OPENSSL_memcpy(db + emlen - from_len - mdlen, from, from_len);
-  if (!RAND_bytes(seed, mdlen)) {
-    goto out;
-  }
-
-  dbmask = OPENSSL_malloc(emlen - mdlen);
-  if (dbmask == NULL) {
-    goto out;
-  }
-
-  if (!PKCS1_MGF1(dbmask, emlen - mdlen, seed, mdlen, mgf1md)) {
-    goto out;
-  }
-  for (size_t i = 0; i < emlen - mdlen; i++) {
-    db[i] ^= dbmask[i];
-  }
-
-  uint8_t seedmask[EVP_MAX_MD_SIZE];
-  if (!PKCS1_MGF1(seedmask, mdlen, db, emlen - mdlen, mgf1md)) {
-    goto out;
-  }
-  for (size_t i = 0; i < mdlen; i++) {
-    seed[i] ^= seedmask[i];
-  }
-  ret = 1;
-
-out:
-  OPENSSL_free(dbmask);
-  FIPS_service_indicator_unlock_state();
-  return ret;
-}
-
-int RSA_padding_check_PKCS1_OAEP_mgf1(uint8_t *out, size_t *out_len,
-                                      size_t max_out, const uint8_t *from,
-                                      size_t from_len, const uint8_t *param,
-                                      size_t param_len, const EVP_MD *md,
-                                      const EVP_MD *mgf1md) {
-  uint8_t *db = NULL;
-
-  if (md == NULL) {
-    md = EVP_sha1();
-  }
-  if (mgf1md == NULL) {
-    mgf1md = md;
-  }
-
-  size_t mdlen = EVP_MD_size(md);
-
-  // The encoded message is one byte smaller than the modulus to ensure that it
-  // doesn't end up greater than the modulus. Thus there's an extra "+1" here
-  // compared to https://tools.ietf.org/html/rfc2437#section-9.1.1.2.
-  if (from_len < 1 + 2*mdlen + 1) {
-    // 'from_len' is the length of the modulus, i.e. does not depend on the
-    // particular ciphertext.
-    goto decoding_err;
-  }
-
-  size_t dblen = from_len - mdlen - 1;
-  FIPS_service_indicator_lock_state();
-  db = OPENSSL_malloc(dblen);
-  if (db == NULL) {
-    goto err;
-  }
-
-  const uint8_t *maskedseed = from + 1;
-  const uint8_t *maskeddb = from + 1 + mdlen;
-
-  uint8_t seed[EVP_MAX_MD_SIZE];
-  if (!PKCS1_MGF1(seed, mdlen, maskeddb, dblen, mgf1md)) {
-    goto err;
-  }
-  for (size_t i = 0; i < mdlen; i++) {
-    seed[i] ^= maskedseed[i];
-  }
-
-  if (!PKCS1_MGF1(db, dblen, seed, mdlen, mgf1md)) {
-    goto err;
-  }
-  for (size_t i = 0; i < dblen; i++) {
-    db[i] ^= maskeddb[i];
-  }
-
-  uint8_t phash[EVP_MAX_MD_SIZE];
-  if (!EVP_Digest(param, param_len, phash, NULL, md, NULL)) {
-    goto err;
-  }
-
-  crypto_word_t bad = ~constant_time_is_zero_w(CRYPTO_memcmp(db, phash, mdlen));
-  bad |= ~constant_time_is_zero_w(from[0]);
-
-  crypto_word_t looking_for_one_byte = CONSTTIME_TRUE_W;
-  size_t one_index = 0;
-  for (size_t i = mdlen; i < dblen; i++) {
-    crypto_word_t equals1 = constant_time_eq_w(db[i], 1);
-    crypto_word_t equals0 = constant_time_eq_w(db[i], 0);
-    one_index =
-        constant_time_select_w(looking_for_one_byte & equals1, i, one_index);
-    looking_for_one_byte =
-        constant_time_select_w(equals1, 0, looking_for_one_byte);
-    bad |= looking_for_one_byte & ~equals0;
-  }
-
-  bad |= looking_for_one_byte;
-
-  // Whether the overall padding was valid or not in OAEP is public.
-  if (constant_time_declassify_w(bad)) {
-    goto decoding_err;
-  }
-
-  // Once the padding is known to be valid, the output length is also public.
-  static_assert(sizeof(size_t) <= sizeof(crypto_word_t),
-                "size_t does not fit in crypto_word_t");
-  one_index = constant_time_declassify_w(one_index);
-
-  one_index++;
-  size_t mlen = dblen - one_index;
-  if (max_out < mlen) {
-    OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE);
-    goto err;
-  }
-
-  OPENSSL_memcpy(out, db + one_index, mlen);
-  *out_len = mlen;
-  OPENSSL_free(db);
-  FIPS_service_indicator_unlock_state();
-  return 1;
-
-decoding_err:
-  // To avoid chosen ciphertext attacks, the error message should not reveal
-  // which kind of decoding error happened.
-  OPENSSL_PUT_ERROR(RSA, RSA_R_OAEP_DECODING_ERROR);
- err:
-  OPENSSL_free(db);
-  FIPS_service_indicator_unlock_state();
-  return 0;
-}
-
 static const uint8_t kPSSZeroes[] = {0, 0, 0, 0, 0, 0, 0, 0};
 
 int RSA_verify_PKCS1_PSS_mgf1(const RSA *rsa, const uint8_t *mHash,
@@ -504,9 +221,9 @@ int RSA_verify_PKCS1_PSS_mgf1(const RSA *rsa, const uint8_t *mHash,
   FIPS_service_indicator_lock_state();
 
   // Negative sLen has special meanings:
-  //	-1	sLen == hLen
-  //	-2	salt length is autorecovered from signature
-  //	-N	reserved
+  //   -1      sLen == hLen
+  //   -2      salt length is autorecovered from signature
+  //   -N      reserved
   size_t hLen = EVP_MD_size(Hash);
   if (sLen == -1) {
     sLen = (int)hLen;

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa.c

@@ -83,6 +83,126 @@ OPENSSL_DECLARE_ERROR_REASON(RSA, BLOCK_TYPE_IS_NOT_02)
 
 DEFINE_STATIC_EX_DATA_CLASS(g_rsa_ex_data_class)
 
+static int bn_dup_into(BIGNUM **dst, const BIGNUM *src) {
+  if (src == NULL) {
+    OPENSSL_PUT_ERROR(RSA, ERR_R_PASSED_NULL_PARAMETER);
+    return 0;
+  }
+
+  BN_free(*dst);
+  *dst = BN_dup(src);
+  return *dst != NULL;
+}
+
+RSA *RSA_new_public_key(const BIGNUM *n, const BIGNUM *e) {
+  RSA *rsa = RSA_new();
+  if (rsa == NULL ||               //
+      !bn_dup_into(&rsa->n, n) ||  //
+      !bn_dup_into(&rsa->e, e) ||  //
+      !RSA_check_key(rsa)) {
+    RSA_free(rsa);
+    return NULL;
+  }
+
+  return rsa;
+}
+
+RSA *RSA_new_private_key(const BIGNUM *n, const BIGNUM *e, const BIGNUM *d,
+                         const BIGNUM *p, const BIGNUM *q, const BIGNUM *dmp1,
+                         const BIGNUM *dmq1, const BIGNUM *iqmp) {
+  RSA *rsa = RSA_new();
+  if (rsa == NULL ||                     //
+      !bn_dup_into(&rsa->n, n) ||        //
+      !bn_dup_into(&rsa->e, e) ||        //
+      !bn_dup_into(&rsa->d, d) ||        //
+      !bn_dup_into(&rsa->p, p) ||        //
+      !bn_dup_into(&rsa->q, q) ||        //
+      !bn_dup_into(&rsa->dmp1, dmp1) ||  //
+      !bn_dup_into(&rsa->dmq1, dmq1) ||  //
+      !bn_dup_into(&rsa->iqmp, iqmp) ||  //
+      !RSA_check_key(rsa)) {
+    RSA_free(rsa);
+    return NULL;
+  }
+
+  return rsa;
+}
+
+RSA *RSA_new_private_key_no_crt(const BIGNUM *n, const BIGNUM *e,
+                                const BIGNUM *d) {
+  RSA *rsa = RSA_new();
+  if (rsa == NULL ||               //
+      !bn_dup_into(&rsa->n, n) ||  //
+      !bn_dup_into(&rsa->e, e) ||  //
+      !bn_dup_into(&rsa->d, d) ||  //
+      !RSA_check_key(rsa)) {
+    RSA_free(rsa);
+    return NULL;
+  }
+
+  return rsa;
+}
+
+RSA *RSA_new_private_key_no_e(const BIGNUM *n, const BIGNUM *d) {
+  RSA *rsa = RSA_new();
+  if (rsa == NULL) {
+    return NULL;
+  }
+
+  rsa->flags |= RSA_FLAG_NO_PUBLIC_EXPONENT;
+  if (!bn_dup_into(&rsa->n, n) ||  //
+      !bn_dup_into(&rsa->d, d) ||  //
+      !RSA_check_key(rsa)) {
+    RSA_free(rsa);
+    return NULL;
+  }
+
+  return rsa;
+}
+
+RSA *RSA_new_public_key_large_e(const BIGNUM *n, const BIGNUM *e) {
+  RSA *rsa = RSA_new();
+  if (rsa == NULL) {
+    return NULL;
+  }
+
+  rsa->flags |= RSA_FLAG_LARGE_PUBLIC_EXPONENT;
+  if (!bn_dup_into(&rsa->n, n) ||  //
+      !bn_dup_into(&rsa->e, e) ||  //
+      !RSA_check_key(rsa)) {
+    RSA_free(rsa);
+    return NULL;
+  }
+
+  return rsa;
+}
+
+RSA *RSA_new_private_key_large_e(const BIGNUM *n, const BIGNUM *e,
+                                 const BIGNUM *d, const BIGNUM *p,
+                                 const BIGNUM *q, const BIGNUM *dmp1,
+                                 const BIGNUM *dmq1, const BIGNUM *iqmp) {
+  RSA *rsa = RSA_new();
+  if (rsa == NULL) {
+    return NULL;
+  }
+
+  rsa->flags |= RSA_FLAG_LARGE_PUBLIC_EXPONENT;
+  if (!bn_dup_into(&rsa->n, n) ||        //
+      !bn_dup_into(&rsa->e, e) ||        //
+      !bn_dup_into(&rsa->d, d) ||        //
+      !bn_dup_into(&rsa->p, p) ||        //
+      !bn_dup_into(&rsa->q, q) ||        //
+      !bn_dup_into(&rsa->dmp1, dmp1) ||  //
+      !bn_dup_into(&rsa->dmq1, dmq1) ||  //
+      !bn_dup_into(&rsa->iqmp, iqmp) ||  //
+      !RSA_check_key(rsa)) {
+    RSA_free(rsa);
+    return NULL;
+  }
+
+  return rsa;
+}
+
 RSA *RSA_new(void) { return RSA_new_method(NULL); }
 
 RSA *RSA_new_method(const ENGINE *engine) {
@@ -118,9 +238,18 @@ RSA *RSA_new_method(const ENGINE *engine) {
   return rsa;
 }
 
-void RSA_free(RSA *rsa) {
-  unsigned u;
+RSA *RSA_new_method_no_e(const ENGINE *engine, const BIGNUM *n) {
+  RSA *rsa = RSA_new_method(engine);
+  if (rsa == NULL ||
+      !bn_dup_into(&rsa->n, n)) {
+    RSA_free(rsa);
+    return NULL;
+  }
+  rsa->flags |= RSA_FLAG_NO_PUBLIC_EXPONENT;
+  return rsa;
+}
 
+void RSA_free(RSA *rsa) {
   if (rsa == NULL) {
     return;
   }
@@ -144,18 +273,7 @@ void RSA_free(RSA *rsa) {
   BN_free(rsa->dmp1);
   BN_free(rsa->dmq1);
   BN_free(rsa->iqmp);
-  BN_MONT_CTX_free(rsa->mont_n);
-  BN_MONT_CTX_free(rsa->mont_p);
-  BN_MONT_CTX_free(rsa->mont_q);
-  BN_free(rsa->d_fixed);
-  BN_free(rsa->dmp1_fixed);
-  BN_free(rsa->dmq1_fixed);
-  BN_free(rsa->inv_small_mod_large_mont);
-  for (u = 0; u < rsa->num_blindings; u++) {
-    BN_BLINDING_free(rsa->blindings[u]);
-  }
-  OPENSSL_free(rsa->blindings);
-  OPENSSL_free(rsa->blindings_inuse);
+  rsa_invalidate_key(rsa);
   CRYPTO_MUTEX_cleanup(&rsa->lock);
   OPENSSL_free(rsa);
 }
@@ -244,6 +362,7 @@ int RSA_set0_key(RSA *rsa, BIGNUM *n, BIGNUM *e, BIGNUM *d) {
     rsa->d = d;
   }
 
+  rsa_invalidate_key(rsa);
   return 1;
 }
 
@@ -262,6 +381,7 @@ int RSA_set0_factors(RSA *rsa, BIGNUM *p, BIGNUM *q) {
     rsa->q = q;
   }
 
+  rsa_invalidate_key(rsa);
   return 1;
 }
 
@@ -285,24 +405,10 @@ int RSA_set0_crt_params(RSA *rsa, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp) {
     rsa->iqmp = iqmp;
   }
 
+  rsa_invalidate_key(rsa);
   return 1;
 }
 
-int RSA_public_encrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa,
-                       int padding) {
-  size_t out_len;
-
-  if (!RSA_encrypt(rsa, &out_len, to, RSA_size(rsa), from, flen, padding)) {
-    return -1;
-  }
-
-  if (out_len > INT_MAX) {
-    OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW);
-    return -1;
-  }
-  return (int)out_len;
-}
-
 static int rsa_sign_raw_no_self_test(RSA *rsa, size_t *out_len, uint8_t *out,
                                      size_t max_out, const uint8_t *in,
                                      size_t in_len, int padding) {
@@ -320,58 +426,6 @@ int RSA_sign_raw(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
                                    padding);
 }
 
-int RSA_private_encrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa,
-                        int padding) {
-  size_t out_len;
-
-  if (!RSA_sign_raw(rsa, &out_len, to, RSA_size(rsa), from, flen, padding)) {
-    return -1;
-  }
-
-  if (out_len > INT_MAX) {
-    OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW);
-    return -1;
-  }
-  return (int)out_len;
-}
-
-int RSA_decrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
-                const uint8_t *in, size_t in_len, int padding) {
-  if (rsa->meth->decrypt) {
-    return rsa->meth->decrypt(rsa, out_len, out, max_out, in, in_len, padding);
-  }
-
-  return rsa_default_decrypt(rsa, out_len, out, max_out, in, in_len, padding);
-}
-
-int RSA_private_decrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa,
-                        int padding) {
-  size_t out_len;
-  if (!RSA_decrypt(rsa, &out_len, to, RSA_size(rsa), from, flen, padding)) {
-    return -1;
-  }
-
-  if (out_len > INT_MAX) {
-    OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW);
-    return -1;
-  }
-  return (int)out_len;
-}
-
-int RSA_public_decrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa,
-                       int padding) {
-  size_t out_len;
-  if (!RSA_verify_raw(rsa, &out_len, to, RSA_size(rsa), from, flen, padding)) {
-    return -1;
-  }
-
-  if (out_len > INT_MAX) {
-    OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW);
-    return -1;
-  }
-  return (int)out_len;
-}
-
 unsigned RSA_size(const RSA *rsa) {
   size_t ret = rsa->meth->size ? rsa->meth->size(rsa) : rsa_default_size(rsa);
   // RSA modulus sizes are bounded by |BIGNUM|, which must fit in |unsigned|.
@@ -962,8 +1016,8 @@ cleanup:
   return ret;
 }
 
-int RSA_private_transform(RSA *rsa, uint8_t *out, const uint8_t *in,
-                          size_t len) {
+int rsa_private_transform_no_self_test(RSA *rsa, uint8_t *out,
+                                       const uint8_t *in, size_t len) {
   if (rsa->meth->private_transform) {
     return rsa->meth->private_transform(rsa, out, in, len);
   }
@@ -971,6 +1025,12 @@ int RSA_private_transform(RSA *rsa, uint8_t *out, const uint8_t *in,
   return rsa_default_private_transform(rsa, out, in, len);
 }
 
+int rsa_private_transform(RSA *rsa, uint8_t *out, const uint8_t *in,
+                          size_t len) {
+  boringssl_ensure_rsa_self_test();
+  return rsa_private_transform_no_self_test(rsa, out, in, len);
+}
+
 int RSA_flags(const RSA *rsa) { return rsa->flags; }
 
 int RSA_test_flags(const RSA *rsa, int flags) { return rsa->flags & flags; }