ring-native 0.0.0

data/vendor/ring/crypto/rsa/internal.h

@@ -0,0 +1,108 @@
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.] */
+
+#ifndef OPENSSL_HEADER_RSA_INTERNAL_H
+#define OPENSSL_HEADER_RSA_INTERNAL_H
+
+#include <openssl/base.h>
+
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+
+#define RSA_PKCS1_PADDING_SIZE 11
+
+
+/* BN_BLINDING flags */
+#define BN_BLINDING_NO_UPDATE 0x00000001
+#define BN_BLINDING_NO_RECREATE 0x00000002
+
+BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod);
+void BN_BLINDING_free(BN_BLINDING *b);
+int BN_BLINDING_update(BN_BLINDING *b, BN_CTX *ctx);
+int BN_BLINDING_convert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx);
+int BN_BLINDING_invert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx);
+int BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b, BN_CTX *);
+int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b, BN_CTX *);
+unsigned long BN_BLINDING_get_flags(const BN_BLINDING *);
+void BN_BLINDING_set_flags(BN_BLINDING *, unsigned long);
+BN_BLINDING *BN_BLINDING_create_param(
+    BN_BLINDING *b, const BIGNUM *e, BIGNUM *m, BN_CTX *ctx,
+    int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+                      const BIGNUM *m, BN_CTX *ctx, const BN_MONT_CTX *mont),
+    const BN_MONT_CTX *mont);
+BN_BLINDING *rsa_setup_blinding(RSA *rsa, BN_CTX *in_ctx);
+
+
+int RSA_padding_add_PKCS1_type_1(uint8_t *to, unsigned to_len,
+                                 const uint8_t *from, unsigned from_len);
+int RSA_padding_check_PKCS1_type_1(uint8_t *to, unsigned to_len,
+                                   const uint8_t *from, unsigned from_len);
+int RSA_padding_add_PKCS1_type_2(uint8_t *to, unsigned to_len,
+                                 const uint8_t *from, unsigned from_len);
+int RSA_padding_check_PKCS1_type_2(uint8_t *to, unsigned to_len,
+                                   const uint8_t *from, unsigned from_len);
+int RSA_padding_add_none(uint8_t *to, unsigned to_len, const uint8_t *from,
+                         unsigned from_len);
+
+
+#if defined(__cplusplus)
+} /* extern C */
+#endif
+
+#endif /* OPENSSL_HEADER_RSA_INTERNAL_H */

data/vendor/ring/crypto/rsa/padding.c

@@ -0,0 +1,300 @@
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project 2005.
+ */
+/* ====================================================================
+ * Copyright (c) 2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com). */
+
+#include <openssl/rsa.h>
+
+#include <assert.h>
+#include <string.h>
+
+#include <openssl/bn.h>
+#include <openssl/err.h>
+#include <openssl/mem.h>
+#include <openssl/rand.h>
+
+#include "internal.h"
+
+/* TODO(fork): don't the check functions have to be constant time? */
+
+int RSA_padding_add_PKCS1_type_1(uint8_t *to, unsigned tlen,
+                                 const uint8_t *from, unsigned flen) {
+  unsigned j;
+  uint8_t *p;
+
+  if (tlen < RSA_PKCS1_PADDING_SIZE) {
+    OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);
+    return 0;
+  }
+
+  if (flen > tlen - RSA_PKCS1_PADDING_SIZE) {
+    OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
+    return 0;
+  }
+
+  p = (uint8_t *)to;
+
+  *(p++) = 0;
+  *(p++) = 1; /* Private Key BT (Block Type) */
+
+  /* pad out with 0xff data */
+  j = tlen - 3 - flen;
+  memset(p, 0xff, j);
+  p += j;
+  *(p++) = 0;
+  memcpy(p, from, (unsigned int)flen);
+  return 1;
+}
+
+int RSA_padding_check_PKCS1_type_1(uint8_t *to, unsigned tlen,
+                                   const uint8_t *from, unsigned flen) {
+  unsigned i, j;
+  const uint8_t *p;
+
+  if (flen < 2) {
+    OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_SMALL);
+    return -1;
+  }
+
+  p = from;
+  if ((*(p++) != 0) || (*(p++) != 1)) {
+    OPENSSL_PUT_ERROR(RSA, RSA_R_BLOCK_TYPE_IS_NOT_01);
+    return -1;
+  }
+
+  /* scan over padding data */
+  j = flen - 2; /* one for leading 00, one for type. */
+  for (i = 0; i < j; i++) {
+    /* should decrypt to 0xff */
+    if (*p != 0xff) {
+      if (*p == 0) {
+        p++;
+        break;
+      } else {
+        OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_FIXED_HEADER_DECRYPT);
+        return -1;
+      }
+    }
+    p++;
+  }
+
+  if (i == j) {
+    OPENSSL_PUT_ERROR(RSA, RSA_R_NULL_BEFORE_BLOCK_MISSING);
+    return -1;
+  }
+
+  if (i < 8) {
+    OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_PAD_BYTE_COUNT);
+    return -1;
+  }
+  i++; /* Skip over the '\0' */
+  j -= i;
+  if (j > tlen) {
+    OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE);
+    return -1;
+  }
+  memcpy(to, p, j);
+
+  return j;
+}
+
+int RSA_padding_add_PKCS1_type_2(uint8_t *to, unsigned tlen,
+                                 const uint8_t *from, unsigned flen) {
+  unsigned i, j;
+  uint8_t *p;
+
+  if (tlen < RSA_PKCS1_PADDING_SIZE) {
+    OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);
+    return 0;
+  }
+
+  if (flen > tlen - RSA_PKCS1_PADDING_SIZE) {
+    OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
+    return 0;
+  }
+
+  p = (unsigned char *)to;
+
+  *(p++) = 0;
+  *(p++) = 2; /* Public Key BT (Block Type) */
+
+  /* pad out with non-zero random data */
+  j = tlen - 3 - flen;
+
+  if (!RAND_bytes(p, j)) {
+    return 0;
+  }
+
+  for (i = 0; i < j; i++) {
+    while (*p == 0) {
+      if (!RAND_bytes(p, 1)) {
+        return 0;
+      }
+    }
+    p++;
+  }
+
+  *(p++) = 0;
+
+  memcpy(p, from, (unsigned int)flen);
+  return 1;
+}
+
+/* constant_time_byte_eq returns 1 if |x| == |y| and 0 otherwise. */
+static int constant_time_byte_eq(unsigned char a, unsigned char b) {
+  unsigned char z = ~(a ^ b);
+  z &= z >> 4;
+  z &= z >> 2;
+  z &= z >> 1;
+
+  return z;
+}
+
+/* constant_time_select returns |x| if |v| is 1 and |y| if |v| is 0.
+ * Its behavior is undefined if |v| takes any other value. */
+static int constant_time_select(int v, int x, int y) {
+  return ((~(v - 1)) & x) | ((v - 1) & y);
+}
+
+/* constant_time_le returns 1 if |x| <= |y| and 0 otherwise.
+ * |x| and |y| must be positive. */
+static int constant_time_le(int x, int y) {
+  return ((x - y - 1) >> (sizeof(int) * 8 - 1)) & 1;
+}
+
+int RSA_message_index_PKCS1_type_2(const uint8_t *from, size_t from_len,
+                                   size_t *out_index) {
+  size_t i;
+  int first_byte_is_zero, second_byte_is_two, looking_for_index;
+  int valid_index, zero_index = 0;
+
+  /* PKCS#1 v1.5 decryption. See "PKCS #1 v2.2: RSA Cryptography
+   * Standard", section 7.2.2. */
+  if (from_len < RSA_PKCS1_PADDING_SIZE) {
+    /* |from| is zero-padded to the size of the RSA modulus, a public value, so
+     * this can be rejected in non-constant time. */
+    *out_index = 0;
+    return 0;
+  }
+
+  first_byte_is_zero = constant_time_byte_eq(from[0], 0);
+  second_byte_is_two = constant_time_byte_eq(from[1], 2);
+
+  looking_for_index = 1;
+  for (i = 2; i < from_len; i++) {
+    int equals0 = constant_time_byte_eq(from[i], 0);
+    zero_index =
+        constant_time_select(looking_for_index & equals0, i, zero_index);
+    looking_for_index = constant_time_select(equals0, 0, looking_for_index);
+  }
+
+  /* The input must begin with 00 02. */
+  valid_index = first_byte_is_zero;
+  valid_index &= second_byte_is_two;
+
+  /* We must have found the end of PS. */
+  valid_index &= ~looking_for_index;
+
+  /* PS must be at least 8 bytes long, and it starts two bytes into |from|. */
+  valid_index &= constant_time_le(2 + 8, zero_index);
+
+  /* Skip the zero byte. */
+  zero_index++;
+
+  *out_index = constant_time_select(valid_index, zero_index, 0);
+  return valid_index;
+}
+
+int RSA_padding_check_PKCS1_type_2(uint8_t *to, unsigned tlen,
+                                   const uint8_t *from, unsigned flen) {
+  size_t msg_index, msg_len;
+
+  if (flen == 0) {
+    OPENSSL_PUT_ERROR(RSA, RSA_R_EMPTY_PUBLIC_KEY);
+    return -1;
+  }
+
+  /* NOTE: Although |RSA_message_index_PKCS1_type_2| itself is constant time,
+   * the API contracts of this function and |RSA_decrypt| with
+   * |RSA_PKCS1_PADDING| make it impossible to completely avoid Bleichenbacher's
+   * attack. */
+  if (!RSA_message_index_PKCS1_type_2(from, flen, &msg_index)) {
+    OPENSSL_PUT_ERROR(RSA, RSA_R_PKCS_DECODING_ERROR);
+    return -1;
+  }
+
+  msg_len = flen - msg_index;
+  if (msg_len > tlen) {
+    /* This shouldn't happen because this function is always called with |tlen|
+     * the key size and |flen| is bounded by the key size. */
+    OPENSSL_PUT_ERROR(RSA, RSA_R_PKCS_DECODING_ERROR);
+    return -1;
+  }
+  memcpy(to, &from[msg_index], msg_len);
+  return msg_len;
+}
+
+int RSA_padding_add_none(uint8_t *to, unsigned tlen, const uint8_t *from, unsigned flen) {
+  if (flen > tlen) {
+    OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
+    return 0;
+  }
+
+  if (flen < tlen) {
+    OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE);
+    return 0;
+  }
+
+  memcpy(to, from, (unsigned int)flen);
+  return 1;
+}

data/vendor/ring/crypto/rsa/rsa.c

@@ -0,0 +1,450 @@
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.] */
+
+#include <openssl/rsa.h>
+
+#include <limits.h>
+#include <string.h>
+
+#include <openssl/bn.h>
+#include <openssl/err.h>
+#include <openssl/mem.h>
+#include <openssl/obj_mac.h>
+#include <openssl/thread.h>
+
+#include "internal.h"
+#include "../internal.h"
+
+
+int RSA_verify_pkcs1_signed_digest(size_t min_bits, size_t max_bits,
+                                   int hash_nid, const uint8_t *digest,
+                                   size_t digest_len, const uint8_t *sig,
+                                   size_t sig_len, const uint8_t *rsa_key,
+                                   const size_t rsa_key_len) {
+  /* TODO(perf): Avoid all the overhead of allocating an |RSA| on the heap and
+   * dealing with the mutex and whatnot. */
+
+  RSA *key = RSA_public_key_from_bytes(rsa_key, rsa_key_len);
+  if (key == NULL) {
+    return 0;
+  }
+
+  int ret = 0;
+
+  size_t len = RSA_size(key);
+  if (len > SIZE_MAX / 8 || len * 8 < min_bits || len * 8 > max_bits) {
+    OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL); /* XXX: Or too big. */
+    goto err;
+  }
+
+  /* Don't cache the intermediate values since we're not reusing the key. */
+  key->flags &= ~RSA_FLAG_CACHE_PUBLIC;
+
+  ret = RSA_verify(hash_nid, digest, digest_len, sig, sig_len, key);
+
+err:
+  RSA_free(key);
+  return ret;
+}
+
+RSA *RSA_new(void) { return RSA_new_method(NULL); }
+
+RSA *RSA_new_method(const ENGINE *engine) {
+  if (engine != NULL) {
+    OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE); /* TODO: error code */
+    return NULL;
+  }
+
+  RSA *rsa = (RSA *)OPENSSL_malloc(sizeof(RSA));
+  if (rsa == NULL) {
+    OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
+    return NULL;
+  }
+
+  memset(rsa, 0, sizeof(RSA));
+
+  rsa->references = 1;
+  rsa->flags = RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE;
+  CRYPTO_MUTEX_init(&rsa->lock);
+
+  return rsa;
+}
+
+void RSA_free(RSA *rsa) {
+  unsigned u;
+
+  if (rsa == NULL) {
+    return;
+  }
+
+  if (!CRYPTO_refcount_dec_and_test_zero(&rsa->references)) {
+    return;
+  }
+
+  BN_clear_free(rsa->n);
+  BN_clear_free(rsa->e);
+  BN_clear_free(rsa->d);
+  BN_clear_free(rsa->p);
+  BN_clear_free(rsa->q);
+  BN_clear_free(rsa->dmp1);
+  BN_clear_free(rsa->dmq1);
+  BN_clear_free(rsa->iqmp);
+  BN_MONT_CTX_free(rsa->mont_n);
+  BN_MONT_CTX_free(rsa->mont_p);
+  BN_MONT_CTX_free(rsa->mont_q);
+  for (u = 0; u < rsa->num_blindings; u++) {
+    BN_BLINDING_free(rsa->blindings[u]);
+  }
+  OPENSSL_free(rsa->blindings);
+  OPENSSL_free(rsa->blindings_inuse);
+  CRYPTO_MUTEX_cleanup(&rsa->lock);
+  OPENSSL_free(rsa);
+}
+
+int RSA_up_ref(RSA *rsa) {
+  CRYPTO_refcount_inc(&rsa->references);
+  return 1;
+}
+
+/* SSL_SIG_LENGTH is the size of an SSL/TLS (prior to TLS 1.2) signature: it's
+ * the length of an MD5 and SHA1 hash. */
+static const unsigned SSL_SIG_LENGTH = 36;
+
+/* pkcs1_sig_prefix contains the ASN.1, DER encoded prefix for a hash that is
+ * to be signed with PKCS#1. */
+struct pkcs1_sig_prefix {
+  /* nid identifies the hash function. */
+  int nid;
+  /* len is the number of bytes of |bytes| which are valid. */
+  uint8_t len;
+  /* bytes contains the DER bytes. */
+  uint8_t bytes[19];
+};
+
+/* kPKCS1SigPrefixes contains the ASN.1 prefixes for PKCS#1 signatures with
+ * different hash functions. */
+static const struct pkcs1_sig_prefix kPKCS1SigPrefixes[] = {
+    {
+     NID_sha1,
+     15,
+     {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05,
+      0x00, 0x04, 0x14},
+    },
+    {
+     NID_sha256,
+     19,
+     {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
+      0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20},
+    },
+    {
+     NID_sha384,
+     19,
+     {0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
+      0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30},
+    },
+    {
+     NID_sha512,
+     19,
+     {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
+      0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40},
+    },
+    {
+     NID_undef, 0, {0},
+    },
+};
+
+int RSA_add_pkcs1_prefix(uint8_t **out_msg, size_t *out_msg_len,
+                         int *is_alloced, int hash_nid, const uint8_t *msg,
+                         size_t msg_len) {
+  unsigned i;
+
+  if (hash_nid == NID_md5_sha1) {
+    /* Special case: SSL signature, just check the length. */
+    if (msg_len != SSL_SIG_LENGTH) {
+      OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
+      return 0;
+    }
+
+    *out_msg = (uint8_t*) msg;
+    *out_msg_len = SSL_SIG_LENGTH;
+    *is_alloced = 0;
+    return 1;
+  }
+
+  for (i = 0; kPKCS1SigPrefixes[i].nid != NID_undef; i++) {
+    const struct pkcs1_sig_prefix *sig_prefix = &kPKCS1SigPrefixes[i];
+    if (sig_prefix->nid != hash_nid) {
+      continue;
+    }
+
+    const uint8_t* prefix = sig_prefix->bytes;
+    unsigned prefix_len = sig_prefix->len;
+    unsigned signed_msg_len;
+    uint8_t *signed_msg;
+
+    signed_msg_len = prefix_len + msg_len;
+    if (signed_msg_len < prefix_len) {
+      OPENSSL_PUT_ERROR(RSA, RSA_R_TOO_LONG);
+      return 0;
+    }
+
+    signed_msg = OPENSSL_malloc(signed_msg_len);
+    if (!signed_msg) {
+      OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
+      return 0;
+    }
+
+    memcpy(signed_msg, prefix, prefix_len);
+    memcpy(signed_msg + prefix_len, msg, msg_len);
+
+    *out_msg = signed_msg;
+    *out_msg_len = signed_msg_len;
+    *is_alloced = 1;
+
+    return 1;
+  }
+
+  OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_ALGORITHM_TYPE);
+  return 0;
+}
+
+int RSA_sign(int hash_nid, const uint8_t *in, unsigned in_len, uint8_t *out,
+             unsigned *out_len, RSA *rsa) {
+  const unsigned rsa_size = RSA_size(rsa);
+  int ret = 0;
+  uint8_t *signed_msg;
+  size_t signed_msg_len;
+  int signed_msg_is_alloced = 0;
+  size_t size_t_out_len;
+
+  if (!RSA_add_pkcs1_prefix(&signed_msg, &signed_msg_len,
+                            &signed_msg_is_alloced, hash_nid, in, in_len)) {
+    return 0;
+  }
+
+  if (rsa_size < RSA_PKCS1_PADDING_SIZE ||
+      signed_msg_len > rsa_size - RSA_PKCS1_PADDING_SIZE) {
+    OPENSSL_PUT_ERROR(RSA, RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
+    goto finish;
+  }
+
+  if (RSA_sign_raw(rsa, &size_t_out_len, out, rsa_size, signed_msg,
+                   signed_msg_len, RSA_PKCS1_PADDING)) {
+    *out_len = size_t_out_len;
+    ret = 1;
+  }
+
+finish:
+  if (signed_msg_is_alloced) {
+    OPENSSL_free(signed_msg);
+  }
+  return ret;
+}
+
+int RSA_verify(int hash_nid, const uint8_t *msg, size_t msg_len,
+               const uint8_t *sig, size_t sig_len, RSA *rsa) {
+  const size_t rsa_size = RSA_size(rsa);
+  uint8_t *buf = NULL;
+  int ret = 0;
+  uint8_t *signed_msg = NULL;
+  size_t signed_msg_len, len;
+  int signed_msg_is_alloced = 0;
+
+  if (sig_len != rsa_size) {
+    OPENSSL_PUT_ERROR(RSA, RSA_R_WRONG_SIGNATURE_LENGTH);
+    return 0;
+  }
+
+  if (hash_nid == NID_md5_sha1 && msg_len != SSL_SIG_LENGTH) {
+    OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
+    return 0;
+  }
+
+  buf = OPENSSL_malloc(rsa_size);
+  if (!buf) {
+    OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
+    return 0;
+  }
+
+  if (!RSA_verify_raw(rsa, &len, buf, rsa_size, sig, sig_len,
+                      RSA_PKCS1_PADDING)) {
+    goto out;
+  }
+
+  if (!RSA_add_pkcs1_prefix(&signed_msg, &signed_msg_len,
+                            &signed_msg_is_alloced, hash_nid, msg, msg_len)) {
+    goto out;
+  }
+
+  if (len != signed_msg_len || CRYPTO_memcmp(buf, signed_msg, len) != 0) {
+    OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_SIGNATURE);
+    goto out;
+  }
+
+  ret = 1;
+
+out:
+  OPENSSL_free(buf);
+  if (signed_msg_is_alloced) {
+    OPENSSL_free(signed_msg);
+  }
+  return ret;
+}
+
+int RSA_check_key(const RSA *key) {
+  BIGNUM n, pm1, qm1, lcm, gcd, de, dmp1, dmq1, iqmp;
+  BN_CTX *ctx;
+  int ok = 0, has_crt_values;
+
+  if ((key->p != NULL) != (key->q != NULL)) {
+    OPENSSL_PUT_ERROR(RSA, RSA_R_ONLY_ONE_OF_P_Q_GIVEN);
+    return 0;
+  }
+
+  if (!key->n || !key->e) {
+    OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING);
+    return 0;
+  }
+
+  if (!key->d || !key->p) {
+    /* For a public key, or without p and q, there's nothing that can be
+     * checked. */
+    return 1;
+  }
+
+  ctx = BN_CTX_new();
+  if (ctx == NULL) {
+    OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
+    return 0;
+  }
+
+  BN_init(&n);
+  BN_init(&pm1);
+  BN_init(&qm1);
+  BN_init(&lcm);
+  BN_init(&gcd);
+  BN_init(&de);
+  BN_init(&dmp1);
+  BN_init(&dmq1);
+  BN_init(&iqmp);
+
+  if (/* n = pq */
+      !BN_mul(&n, key->p, key->q, ctx) ||
+      /* lcm = lcm(p-1, q-1) */
+      !BN_sub(&pm1, key->p, BN_value_one()) ||
+      !BN_sub(&qm1, key->q, BN_value_one()) ||
+      !BN_mul(&lcm, &pm1, &qm1, ctx) ||
+      !BN_gcd(&gcd, &pm1, &qm1, ctx) ||
+      !BN_div(&lcm, NULL, &lcm, &gcd, ctx) ||
+      /* de = d*e mod lcm(p-1, q-1) */
+      !BN_mod_mul(&de, key->d, key->e, &lcm, ctx)) {
+    OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
+    goto out;
+  }
+
+  if (BN_cmp(&n, key->n) != 0) {
+    OPENSSL_PUT_ERROR(RSA, RSA_R_N_NOT_EQUAL_P_Q);
+    goto out;
+  }
+
+  if (!BN_is_one(&de)) {
+    OPENSSL_PUT_ERROR(RSA, RSA_R_D_E_NOT_CONGRUENT_TO_1);
+    goto out;
+  }
+
+  has_crt_values = key->dmp1 != NULL;
+  if (has_crt_values != (key->dmq1 != NULL) ||
+      has_crt_values != (key->iqmp != NULL)) {
+    OPENSSL_PUT_ERROR(RSA, RSA_R_INCONSISTENT_SET_OF_CRT_VALUES);
+    goto out;
+  }
+
+  if (has_crt_values) {
+    if (/* dmp1 = d mod (p-1) */
+        !BN_mod(&dmp1, key->d, &pm1, ctx) ||
+        /* dmq1 = d mod (q-1) */
+        !BN_mod(&dmq1, key->d, &qm1, ctx) ||
+        /* iqmp = q^-1 mod p */
+        !BN_mod_inverse(&iqmp, key->q, key->p, ctx)) {
+      OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
+      goto out;
+    }
+
+    if (BN_cmp(&dmp1, key->dmp1) != 0 ||
+        BN_cmp(&dmq1, key->dmq1) != 0 ||
+        BN_cmp(&iqmp, key->iqmp) != 0) {
+      OPENSSL_PUT_ERROR(RSA, RSA_R_CRT_VALUES_INCORRECT);
+      goto out;
+    }
+  }
+
+  ok = 1;
+
+out:
+  BN_free(&n);
+  BN_free(&pm1);
+  BN_free(&qm1);
+  BN_free(&lcm);
+  BN_free(&gcd);
+  BN_free(&de);
+  BN_free(&dmp1);
+  BN_free(&dmq1);
+  BN_free(&iqmp);
+  BN_CTX_free(ctx);
+
+  return ok;
+}
+