OpenCoverage

rsa_ossl.c

Absolute File Name:

/home/opencoverage/opencoverage/guest-scripts/openssl/src/crypto/rsa/rsa_ossl.c

Source code

Switch to Preprocessed file

Line Source Count

1 /* -

3 * -

4 * Licensed under the OpenSSL license (the "License"). You may not use -

5 * this file except in compliance with the License. You can obtain a copy -

6 * in the file LICENSE in the source distribution or at -

7 * https://www.openssl.org/source/license.html -

8 */ -

9 -

10 #include "internal/cryptlib.h" -

11 #include "internal/bn_int.h" -

12 #include "rsa_locl.h" -

13 -

14 static int rsa_ossl_public_encrypt(int flen, const unsigned char *from, -

15 unsigned char *to, RSA *rsa, int padding); -

16 static int rsa_ossl_private_encrypt(int flen, const unsigned char *from, -

17 unsigned char *to, RSA *rsa, int padding); -

18 static int rsa_ossl_public_decrypt(int flen, const unsigned char *from, -

19 unsigned char *to, RSA *rsa, int padding); -

20 static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, -

21 unsigned char *to, RSA *rsa, int padding); -

22 static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa, -

23 BN_CTX *ctx); -

24 static int rsa_ossl_init(RSA *rsa); -

25 static int rsa_ossl_finish(RSA *rsa); -

26 static RSA_METHOD rsa_pkcs1_ossl_meth = { -

27 "OpenSSL PKCS#1 RSA", -

28 rsa_ossl_public_encrypt, -

29 rsa_ossl_public_decrypt, /* signature verification */ -

30 rsa_ossl_private_encrypt, /* signing */ -

31 rsa_ossl_private_decrypt, -

32 rsa_ossl_mod_exp, -

33 BN_mod_exp_mont, /* XXX probably we should not use Montgomery -

34 * if e == 3 */ -

35 rsa_ossl_init, -

36 rsa_ossl_finish, -

37 RSA_FLAG_FIPS_METHOD, /* flags */ -

38 NULL, -

39 0, /* rsa_sign */ -

40 0, /* rsa_verify */ -

41 NULL, /* rsa_keygen */ -

42 NULL /* rsa_multi_prime_keygen */ -

43 }; -

44 -

45 static const RSA_METHOD *default_RSA_meth = &rsa_pkcs1_ossl_meth; -

46 -

47 void RSA_set_default_method(const RSA_METHOD *meth) -

48 { -

49 default_RSA_meth = meth; -

}

never executed: end of block

51 -

52 const RSA_METHOD *RSA_get_default_method(void) -

53 { -

return default_RSA_meth;

executed 25970 times by 1 test: return default_RSA_meth;

Executed by:

libcrypto.so.1.1

25970

55 } -

56 -

57 const RSA_METHOD *RSA_PKCS1_OpenSSL(void) -

58 { -

return &rsa_pkcs1_ossl_meth;

never executed: return &rsa_pkcs1_ossl_meth;

60 } -

61 -

62 const RSA_METHOD *RSA_null_method(void) -

63 { -

return NULL;

never executed: return ((void *)0) ;

65 } -

66 -

67 static int rsa_ossl_public_encrypt(int flen, const unsigned char *from, -

68 unsigned char *to, RSA *rsa, int padding) -

69 { -

70 BIGNUM *f, *ret; -

71 int i, num = 0, r = -1; -

72 unsigned char *buf = NULL; -

73 BN_CTX *ctx = NULL; -

74 -

if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {

BN_num_bits(rsa->n) > 16384	Description
TRUE	never evaluated
FALSE	evaluated 499 times by 1 test Evaluated by: libcrypto.so.1.1

0-499

76 RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE); -

return -1;

never executed: return -1;

78 } -

79 -

if (BN_ucmp(rsa->n, rsa->e) <= 0) {

BN_ucmp(rsa->n, rsa->e) <= 0	Description
TRUE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 498 times by 1 test Evaluated by: libcrypto.so.1.1

1-498

81 RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE); -

return -1;

executed 1 time by 1 test: return -1;

Executed by:

libcrypto.so.1.1

83 } -

84 -

85 /* for large moduli, enforce exponent limit */ -

if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) {

BN_num_bits(rsa->n) > 3072	Description
TRUE	evaluated 4 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 494 times by 1 test Evaluated by: libcrypto.so.1.1

4-494

if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) {

BN_num_bits(rsa->e) > 64	Description
TRUE	never evaluated
FALSE	evaluated 4 times by 1 test Evaluated by: libcrypto.so.1.1

0-4

88 RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE); -

return -1;

never executed: return -1;

90 } -

}

executed 4 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

92 -

if ((ctx = BN_CTX_new()) == NULL)

(ctx = BN_CTX_...== ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 498 times by 1 test Evaluated by: libcrypto.so.1.1

0-498

goto err;

never executed: goto err;

95 BN_CTX_start(ctx); -

96 f = BN_CTX_get(ctx); -

97 ret = BN_CTX_get(ctx); -

98 num = BN_num_bytes(rsa->n); -

99 buf = OPENSSL_malloc(num); -

100

if (ret == NULL || buf == NULL) {

ret == ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 498 times by 1 test Evaluated by: libcrypto.so.1.1

buf == ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 498 times by 1 test Evaluated by: libcrypto.so.1.1

0-498

101 RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, ERR_R_MALLOC_FAILURE); -

102

goto err;

never executed: goto err;

103 } -

104 -

105 switch (padding) { -

106

case RSA_PKCS1_PADDING:

executed 493 times by 1 test: case 1:

Executed by:

libcrypto.so.1.1

493

107 i = RSA_padding_add_PKCS1_type_2(buf, num, from, flen); -

108

break;

executed 493 times by 1 test: break;

Executed by:

libcrypto.so.1.1

493

109

case RSA_PKCS1_OAEP_PADDING:

executed 3 times by 1 test: case 4:

Executed by:

libcrypto.so.1.1

110 i = RSA_padding_add_PKCS1_OAEP(buf, num, from, flen, NULL, 0); -

111

break;

executed 3 times by 1 test: break;

Executed by:

libcrypto.so.1.1

112

case RSA_SSLV23_PADDING:

never executed: case 2:

113 i = RSA_padding_add_SSLv23(buf, num, from, flen); -

114

break;

never executed: break;

115

case RSA_NO_PADDING:

executed 2 times by 1 test: case 3:

Executed by:

libcrypto.so.1.1

116 i = RSA_padding_add_none(buf, num, from, flen); -

117

break;

executed 2 times by 1 test: break;

Executed by:

libcrypto.so.1.1

118

default:

never executed: default:

119 RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE); -

120

goto err;

never executed: goto err;

121 } -

122

if (i <= 0)

i <= 0	Description
TRUE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 497 times by 1 test Evaluated by: libcrypto.so.1.1

1-497

123

goto err;

executed 1 time by 1 test: goto err;

Executed by:

libcrypto.so.1.1

124 -

125

if (BN_bin2bn(buf, num, f) == NULL)

BN_bin2bn(buf,...== ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 497 times by 1 test Evaluated by: libcrypto.so.1.1

0-497

126

goto err;

never executed: goto err;

127 -

128

if (BN_ucmp(f, rsa->n) >= 0) {

BN_ucmp(f, rsa->n) >= 0	Description
TRUE	never evaluated
FALSE	evaluated 497 times by 1 test Evaluated by: libcrypto.so.1.1

0-497

129 /* usually the padding functions would catch this */ -

130 RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, -

131 RSA_R_DATA_TOO_LARGE_FOR_MODULUS); -

132

goto err;

never executed: goto err;

133 } -

134 -

135

if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)

rsa->flags & 0x0002	Description
TRUE	evaluated 497 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-497

136

if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,

!BN_MONT_CTX_s..., rsa->n, ctx)	Description
TRUE	evaluated 15 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 482 times by 1 test Evaluated by: libcrypto.so.1.1

15-482

137

rsa->n, ctx))

!BN_MONT_CTX_s..., rsa->n, ctx)	Description
TRUE	evaluated 15 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 482 times by 1 test Evaluated by: libcrypto.so.1.1

15-482

138

goto err;

executed 15 times by 1 test: goto err;

Executed by:

libcrypto.so.1.1

139 -

140

if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx,

!rsa->meth->bn..._method_mod_n)	Description
TRUE	never evaluated
FALSE	evaluated 482 times by 1 test Evaluated by: libcrypto.so.1.1

0-482

141

rsa->_method_mod_n))

!rsa->meth->bn..._method_mod_n)	Description
TRUE	never evaluated
FALSE	evaluated 482 times by 1 test Evaluated by: libcrypto.so.1.1

0-482

142

goto err;

never executed: goto err;

143 -

144 /* -

145 * BN_bn2binpad puts in leading 0 bytes if the number is less than -

146 * the length of the modulus. -

147 */ -

148 r = BN_bn2binpad(ret, to, num); -

149

err:

code before this statement executed 482 times by 1 test: err:

Executed by:

libcrypto.so.1.1

482

150

if (ctx != NULL)

ctx != ((void *)0)	Description
TRUE	evaluated 498 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-498

151

BN_CTX_end(ctx);

executed 498 times by 1 test: BN_CTX_end(ctx);

Executed by:

libcrypto.so.1.1

498

152 BN_CTX_free(ctx); -

153 OPENSSL_clear_free(buf, num); -

154

return r;

executed 498 times by 1 test: return r;

Executed by:

libcrypto.so.1.1

498

155 } -

156 -

157 static BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx) -

158 { -

159 BN_BLINDING *ret; -

160 -

161 CRYPTO_THREAD_write_lock(rsa->lock); -

162 -

163

if (rsa->blinding == NULL) {

rsa->blinding == ((void *)0)	Description
TRUE	evaluated 1733 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 648 times by 1 test Evaluated by: libcrypto.so.1.1

648-1733

164 rsa->blinding = RSA_setup_blinding(rsa, ctx); -

165

}

executed 1733 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

1733

166 -

167 ret = rsa->blinding; -

168

if (ret == NULL)

ret == ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 2381 times by 1 test Evaluated by: libcrypto.so.1.1

0-2381

169

goto err;

never executed: goto err;

170 -

171

if (BN_BLINDING_is_current_thread(ret)) {

BN_BLINDING_is...nt_thread(ret)	Description
TRUE	evaluated 2381 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-2381

172 /* rsa->blinding is ours! */ -

173 -

174 *local = 1; -

175

} else {

executed 2381 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

2381

176 /* resort to rsa->mt_blinding instead */ -

177 -

178 /* -

179 * instructs rsa_blinding_convert(), rsa_blinding_invert() that the -

180 * BN_BLINDING is shared, meaning that accesses require locks, and -

181 * that the blinding factor must be stored outside the BN_BLINDING -

182 */ -

183 *local = 0; -

184 -

185

if (rsa->mt_blinding == NULL) {

rsa->mt_blindi...== ((void *)0)	Description
TRUE	never evaluated
FALSE	never evaluated

186 rsa->mt_blinding = RSA_setup_blinding(rsa, ctx); -

187

}

never executed: end of block

188 ret = rsa->mt_blinding; -

189

}

never executed: end of block

190 -

191

err:

code before this statement executed 2381 times by 1 test: err:

Executed by:

libcrypto.so.1.1

2381

192 CRYPTO_THREAD_unlock(rsa->lock); -

193

return ret;

executed 2381 times by 1 test: return ret;

Executed by:

libcrypto.so.1.1

2381

194 } -

195 -

196 static int rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, -

197 BN_CTX *ctx) -

198 { -

199

if (unblind == NULL) {

unblind == ((void *)0)	Description
TRUE	evaluated 2381 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-2381

200 /* -

201 * Local blinding: store the unblinding factor in BN_BLINDING. -

202 */ -

203

return BN_BLINDING_convert_ex(f, NULL, b, ctx);

executed 2381 times by 1 test: return BN_BLINDING_convert_ex(f, ((void *)0) , b, ctx);

Executed by:

libcrypto.so.1.1

2381

204 } else { -

205 /* -

206 * Shared blinding: store the unblinding factor outside BN_BLINDING. -

207 */ -

208 int ret; -

209 -

210 BN_BLINDING_lock(b); -

211 ret = BN_BLINDING_convert_ex(f, unblind, b, ctx); -

212 BN_BLINDING_unlock(b); -

213 -

214

return ret;

never executed: return ret;

215 } -

216 } -

217 -

218 static int rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, -

219 BN_CTX *ctx) -

220 { -

221 /* -

222 * For local blinding, unblind is set to NULL, and BN_BLINDING_invert_ex -

223 * will use the unblinding factor stored in BN_BLINDING. If BN_BLINDING -

224 * is shared between threads, unblind must be non-null: -

225 * BN_BLINDING_invert_ex will then use the local unblinding factor, and -

226 * will only read the modulus from BN_BLINDING. In both cases it's safe -

227 * to access the blinding without a lock. -

228 */ -

229

return BN_BLINDING_invert_ex(f, unblind, b, ctx);

executed 2381 times by 1 test: return BN_BLINDING_invert_ex(f, unblind, b, ctx);

Executed by:

libcrypto.so.1.1

2381

230 } -

231 -

232 /* signing */ -

233 static int rsa_ossl_private_encrypt(int flen, const unsigned char *from, -

234 unsigned char *to, RSA *rsa, int padding) -

235 { -

236 BIGNUM *f, *ret, *res; -

237 int i, num = 0, r = -1; -

238 unsigned char *buf = NULL; -

239 BN_CTX *ctx = NULL; -

240 int local_blinding = 0; -

241 /* -

242 * Used only if the blinding structure is shared. A non-NULL unblind -

243 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store -

244 * the unblinding factor outside the blinding structure. -

245 */ -

246 BIGNUM *unblind = NULL; -

247 BN_BLINDING *blinding = NULL; -

248 -

249

if ((ctx = BN_CTX_new()) == NULL)

(ctx = BN_CTX_...== ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 1651 times by 1 test Evaluated by: libcrypto.so.1.1

0-1651

250

goto err;

never executed: goto err;

251 BN_CTX_start(ctx); -

252 f = BN_CTX_get(ctx); -

253 ret = BN_CTX_get(ctx); -

254 num = BN_num_bytes(rsa->n); -

255 buf = OPENSSL_malloc(num); -

256

if (ret == NULL || buf == NULL) {

ret == ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 1651 times by 1 test Evaluated by: libcrypto.so.1.1

buf == ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 1651 times by 1 test Evaluated by: libcrypto.so.1.1

0-1651

257 RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE); -

258

goto err;

never executed: goto err;

259 } -

260 -

261 switch (padding) { -

262

case RSA_PKCS1_PADDING:

executed 559 times by 1 test: case 1:

Executed by:

libcrypto.so.1.1

559

263 i = RSA_padding_add_PKCS1_type_1(buf, num, from, flen); -

264

break;

executed 559 times by 1 test: break;

Executed by:

libcrypto.so.1.1

559

265

case RSA_X931_PADDING:

never executed: case 5:

266 i = RSA_padding_add_X931(buf, num, from, flen); -

267

break;

never executed: break;

268

case RSA_NO_PADDING:

executed 1092 times by 1 test: case 3:

Executed by:

libcrypto.so.1.1

1092

269 i = RSA_padding_add_none(buf, num, from, flen); -

270

break;

executed 1092 times by 1 test: break;

Executed by:

libcrypto.so.1.1

1092

271

case RSA_SSLV23_PADDING:

never executed: case 2:

272

default:

never executed: default:

273 RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE); -

274

goto err;

never executed: goto err;

275 } -

276

if (i <= 0)

i <= 0	Description
TRUE	never evaluated
FALSE	evaluated 1651 times by 1 test Evaluated by: libcrypto.so.1.1

0-1651

277

goto err;

never executed: goto err;

278 -

279

if (BN_bin2bn(buf, num, f) == NULL)

BN_bin2bn(buf,...== ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 1651 times by 1 test Evaluated by: libcrypto.so.1.1

0-1651

280

goto err;

never executed: goto err;

281 -

282

if (BN_ucmp(f, rsa->n) >= 0) {

BN_ucmp(f, rsa->n) >= 0	Description
TRUE	never evaluated
FALSE	evaluated 1651 times by 1 test Evaluated by: libcrypto.so.1.1

0-1651

283 /* usually the padding functions would catch this */ -

284 RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, -

285 RSA_R_DATA_TOO_LARGE_FOR_MODULUS); -

286

goto err;

never executed: goto err;

287 } -

288 -

289

if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {

!(rsa->flags & 0x0080)	Description
TRUE	evaluated 1651 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-1651

290 blinding = rsa_get_blinding(rsa, &local_blinding, ctx); -

291

if (blinding == NULL) {

blinding == ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 1651 times by 1 test Evaluated by: libcrypto.so.1.1

0-1651

292 RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR); -

293

goto err;

never executed: goto err;

294 } -

295

}

executed 1651 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

1651

296 -

297

if (blinding != NULL) {

blinding != ((void *)0)	Description
TRUE	evaluated 1651 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-1651

298

if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) {

!local_blinding	Description
TRUE	never evaluated
FALSE	evaluated 1651 times by 1 test Evaluated by: libcrypto.so.1.1

((unblind = BN... ((void *)0) )	Description
TRUE	never evaluated
FALSE	never evaluated

0-1651

299 RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE); -

300

goto err;

never executed: goto err;

301 } -

302

if (!rsa_blinding_convert(blinding, f, unblind, ctx))

!rsa_blinding_... unblind, ctx)	Description
TRUE	never evaluated
FALSE	evaluated 1651 times by 1 test Evaluated by: libcrypto.so.1.1

0-1651

303

goto err;

never executed: goto err;

304

}

executed 1651 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

1651

305 -

306

if ((rsa->flags & RSA_FLAG_EXT_PKEY) ||

(rsa->flags & 0x0020)	Description
TRUE	never evaluated
FALSE	evaluated 1651 times by 1 test Evaluated by: libcrypto.so.1.1

0-1651

307

(rsa->version == RSA_ASN1_VERSION_MULTI) ||

(rsa->version == 1)	Description
TRUE	never evaluated
FALSE	evaluated 1651 times by 1 test Evaluated by: libcrypto.so.1.1

0-1651

308

((rsa->p != NULL) &&

(rsa->p != ((void *)0) )	Description
TRUE	evaluated 1651 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-1651

309

(rsa->q != NULL) &&

(rsa->q != ((void *)0) )	Description
TRUE	evaluated 1651 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-1651

310

(rsa->dmp1 != NULL) && (rsa->dmq1 != NULL) && (rsa->iqmp != NULL))) {

(rsa->dmp1 != ((void *)0) )	Description
TRUE	evaluated 1651 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

(rsa->dmq1 != ((void *)0) )	Description
TRUE	evaluated 1651 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

(rsa->iqmp != ((void *)0) )	Description
TRUE	evaluated 1651 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-1651

311

if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))

!rsa->meth->rs..., f, rsa, ctx)	Description
TRUE	never evaluated
FALSE	evaluated 1651 times by 1 test Evaluated by: libcrypto.so.1.1

0-1651

312

goto err;

never executed: goto err;

313

} else {

executed 1651 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

1651

314 BIGNUM *d = BN_new(); -

315

if (d == NULL) {

d == ((void *)0)	Description
TRUE	never evaluated
FALSE	never evaluated

316 RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE); -

317

goto err;

never executed: goto err;

318 } -

319 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); -

320 -

321

if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)

rsa->flags & 0x0002	Description
TRUE	never evaluated
FALSE	never evaluated

322

if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,

!BN_MONT_CTX_s..., rsa->n, ctx)	Description
TRUE	never evaluated
FALSE	never evaluated

323

rsa->n, ctx)) {

!BN_MONT_CTX_s..., rsa->n, ctx)	Description
TRUE	never evaluated
FALSE	never evaluated

324 BN_free(d); -

325

goto err;

never executed: goto err;

326 } -

327 -

328

if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,

!rsa->meth->bn..._method_mod_n)	Description
TRUE	never evaluated
FALSE	never evaluated

329

rsa->_method_mod_n)) {

!rsa->meth->bn..._method_mod_n)	Description
TRUE	never evaluated
FALSE	never evaluated

330 BN_free(d); -

331

goto err;

never executed: goto err;

332 } -

333 /* We MUST free d before any further use of rsa->d */ -

334 BN_free(d); -

335

}

never executed: end of block

336 -

337

if (blinding)

blinding	Description
TRUE	evaluated 1651 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-1651

338

if (!rsa_blinding_invert(blinding, ret, unblind, ctx))

!rsa_blinding_... unblind, ctx)	Description
TRUE	never evaluated
FALSE	evaluated 1651 times by 1 test Evaluated by: libcrypto.so.1.1

0-1651

339

goto err;

never executed: goto err;

340 -

341

if (padding == RSA_X931_PADDING) {

padding == 5	Description
TRUE	never evaluated
FALSE	evaluated 1651 times by 1 test Evaluated by: libcrypto.so.1.1

0-1651

342

if (!BN_sub(f, rsa->n, ret))

!BN_sub(f, rsa->n, ret)	Description
TRUE	never evaluated
FALSE	never evaluated

343

goto err;

never executed: goto err;

344

if (BN_cmp(ret, f) > 0)

BN_cmp(ret, f) > 0	Description
TRUE	never evaluated
FALSE	never evaluated

345

res = f;

never executed: res = f;

346 else -

347

res = ret;

never executed: res = ret;

348 } else { -

349 res = ret; -

350

}

executed 1651 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

1651

351 -

352 /* -

353 * BN_bn2binpad puts in leading 0 bytes if the number is less than -

354 * the length of the modulus. -

355 */ -

356 r = BN_bn2binpad(res, to, num); -

357

err:

code before this statement executed 1651 times by 1 test: err:

Executed by:

libcrypto.so.1.1

1651

358

if (ctx != NULL)

ctx != ((void *)0)	Description
TRUE	evaluated 1651 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-1651

359

BN_CTX_end(ctx);

executed 1651 times by 1 test: BN_CTX_end(ctx);

Executed by:

libcrypto.so.1.1

1651

360 BN_CTX_free(ctx); -

361 OPENSSL_clear_free(buf, num); -

362

return r;

executed 1651 times by 1 test: return r;

Executed by:

libcrypto.so.1.1

1651

363 } -

364 -

365 static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, -

366 unsigned char *to, RSA *rsa, int padding) -

367 { -

368 BIGNUM *f, *ret; -

369 int j, num = 0, r = -1; -

370 unsigned char *buf = NULL; -

371 BN_CTX *ctx = NULL; -

372 int local_blinding = 0; -

373 /* -

374 * Used only if the blinding structure is shared. A non-NULL unblind -

375 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store -

376 * the unblinding factor outside the blinding structure. -

377 */ -

378 BIGNUM *unblind = NULL; -

379 BN_BLINDING *blinding = NULL; -

380 -

381

if ((ctx = BN_CTX_new()) == NULL)

(ctx = BN_CTX_...== ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 735 times by 1 test Evaluated by: libcrypto.so.1.1

0-735

382

goto err;

never executed: goto err;

383 BN_CTX_start(ctx); -

384 f = BN_CTX_get(ctx); -

385 ret = BN_CTX_get(ctx); -

386 num = BN_num_bytes(rsa->n); -

387 buf = OPENSSL_malloc(num); -

388

if (ret == NULL || buf == NULL) {

ret == ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 735 times by 1 test Evaluated by: libcrypto.so.1.1

buf == ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 735 times by 1 test Evaluated by: libcrypto.so.1.1

0-735

389 RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE); -

390

goto err;

never executed: goto err;

391 } -

392 -

393 /* -

394 * This check was for equality but PGP does evil things and chops off the -

395 * top '0' bytes -

396 */ -

397

if (flen > num) {

flen > num	Description
TRUE	never evaluated
FALSE	evaluated 735 times by 1 test Evaluated by: libcrypto.so.1.1

0-735

398 RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, -

399 RSA_R_DATA_GREATER_THAN_MOD_LEN); -

400

goto err;

never executed: goto err;

401 } -

402 -

403 /* make data into a big number */ -

404

if (BN_bin2bn(from, (int)flen, f) == NULL)

BN_bin2bn(from...== ((void *)0)	Description
TRUE	evaluated 3 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 732 times by 1 test Evaluated by: libcrypto.so.1.1

3-732

405

goto err;

executed 3 times by 1 test: goto err;

Executed by:

libcrypto.so.1.1

406 -

407

if (BN_ucmp(f, rsa->n) >= 0) {

BN_ucmp(f, rsa->n) >= 0	Description
TRUE	evaluated 2 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 730 times by 1 test Evaluated by: libcrypto.so.1.1

2-730

408 RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, -

409 RSA_R_DATA_TOO_LARGE_FOR_MODULUS); -

410

goto err;

executed 2 times by 1 test: goto err;

Executed by:

libcrypto.so.1.1

411 } -

412 -

413

if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {

!(rsa->flags & 0x0080)	Description
TRUE	evaluated 730 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-730

414 blinding = rsa_get_blinding(rsa, &local_blinding, ctx); -

415

if (blinding == NULL) {

blinding == ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 730 times by 1 test Evaluated by: libcrypto.so.1.1

0-730

416 RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR); -

417

goto err;

never executed: goto err;

418 } -

419

}

executed 730 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

730

420 -

421

if (blinding != NULL) {

blinding != ((void *)0)	Description
TRUE	evaluated 730 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-730

422

if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) {

!local_blinding	Description
TRUE	never evaluated
FALSE	evaluated 730 times by 1 test Evaluated by: libcrypto.so.1.1

((unblind = BN... ((void *)0) )	Description
TRUE	never evaluated
FALSE	never evaluated

0-730

423 RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE); -

424

goto err;

never executed: goto err;

425 } -

426

if (!rsa_blinding_convert(blinding, f, unblind, ctx))

!rsa_blinding_... unblind, ctx)	Description
TRUE	never evaluated
FALSE	evaluated 730 times by 1 test Evaluated by: libcrypto.so.1.1

0-730

427

goto err;

never executed: goto err;

428

}

executed 730 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

730

429 -

430 /* do the decrypt */ -

431

if ((rsa->flags & RSA_FLAG_EXT_PKEY) ||

(rsa->flags & 0x0020)	Description
TRUE	never evaluated
FALSE	evaluated 730 times by 1 test Evaluated by: libcrypto.so.1.1

0-730

432

(rsa->version == RSA_ASN1_VERSION_MULTI) ||

(rsa->version == 1)	Description
TRUE	evaluated 7 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 723 times by 1 test Evaluated by: libcrypto.so.1.1

7-723

433

((rsa->p != NULL) &&

(rsa->p != ((void *)0) )	Description
TRUE	evaluated 723 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-723

434

(rsa->q != NULL) &&

(rsa->q != ((void *)0) )	Description
TRUE	evaluated 723 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-723

435

(rsa->dmp1 != NULL) && (rsa->dmq1 != NULL) && (rsa->iqmp != NULL))) {

(rsa->dmp1 != ((void *)0) )	Description
TRUE	evaluated 723 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

(rsa->dmq1 != ((void *)0) )	Description
TRUE	evaluated 723 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

(rsa->iqmp != ((void *)0) )	Description
TRUE	evaluated 723 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-723

436

if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))

!rsa->meth->rs..., f, rsa, ctx)	Description
TRUE	never evaluated
FALSE	evaluated 730 times by 1 test Evaluated by: libcrypto.so.1.1

0-730

437

goto err;

never executed: goto err;

438

} else {

executed 730 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

730

439 BIGNUM *d = BN_new(); -

440

if (d == NULL) {

d == ((void *)0)	Description
TRUE	never evaluated
FALSE	never evaluated

441 RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE); -

442

goto err;

never executed: goto err;

443 } -

444 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); -

445 -

446

if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)

rsa->flags & 0x0002	Description
TRUE	never evaluated
FALSE	never evaluated

447

if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,

!BN_MONT_CTX_s..., rsa->n, ctx)	Description
TRUE	never evaluated
FALSE	never evaluated

448

rsa->n, ctx)) {

!BN_MONT_CTX_s..., rsa->n, ctx)	Description
TRUE	never evaluated
FALSE	never evaluated

449 BN_free(d); -

450

goto err;

never executed: goto err;

451 } -

452

if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,

!rsa->meth->bn..._method_mod_n)	Description
TRUE	never evaluated
FALSE	never evaluated

453

rsa->_method_mod_n)) {

!rsa->meth->bn..._method_mod_n)	Description
TRUE	never evaluated
FALSE	never evaluated

454 BN_free(d); -

455

goto err;

never executed: goto err;

456 } -

457 /* We MUST free d before any further use of rsa->d */ -

458 BN_free(d); -

459

}

never executed: end of block

460 -

461

if (blinding)

blinding	Description
TRUE	evaluated 730 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-730

462

if (!rsa_blinding_invert(blinding, ret, unblind, ctx))

!rsa_blinding_... unblind, ctx)	Description
TRUE	never evaluated
FALSE	evaluated 730 times by 1 test Evaluated by: libcrypto.so.1.1

0-730

463

goto err;

never executed: goto err;

464 -

465 j = BN_bn2binpad(ret, buf, num); -

466 -

467 switch (padding) { -

468

case RSA_PKCS1_PADDING:

executed 31 times by 1 test: case 1:

Executed by:

libcrypto.so.1.1

469 r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num); -

470

break;

executed 31 times by 1 test: break;

Executed by:

libcrypto.so.1.1

471

case RSA_PKCS1_OAEP_PADDING:

executed 490 times by 1 test: case 4:

Executed by:

libcrypto.so.1.1

490

472 r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0); -

473

break;

executed 490 times by 1 test: break;

Executed by:

libcrypto.so.1.1

490

474

case RSA_SSLV23_PADDING:

never executed: case 2:

475 r = RSA_padding_check_SSLv23(to, num, buf, j, num); -

476

break;

never executed: break;

477

case RSA_NO_PADDING:

executed 209 times by 1 test: case 3:

Executed by:

libcrypto.so.1.1

209

478 memcpy(to, buf, (r = j)); -

479

break;

executed 209 times by 1 test: break;

Executed by:

libcrypto.so.1.1

209

480

default:

never executed: default:

481 RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE); -

482

goto err;

never executed: goto err;

483 } -

484

if (r < 0)

r < 0	Description
TRUE	evaluated 489 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 241 times by 1 test Evaluated by: libcrypto.so.1.1

241-489

485

RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_PADDING_CHECK_FAILED);

executed 489 times by 1 test: ERR_put_error(4,(101),(114),__FILE__,485);

Executed by:

libcrypto.so.1.1

489

486 -

487

err:

code before this statement executed 730 times by 1 test: err:

Executed by:

libcrypto.so.1.1

730

488

if (ctx != NULL)

ctx != ((void *)0)	Description
TRUE	evaluated 735 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-735

489

BN_CTX_end(ctx);

executed 735 times by 1 test: BN_CTX_end(ctx);

Executed by:

libcrypto.so.1.1

735

490 BN_CTX_free(ctx); -

491 OPENSSL_clear_free(buf, num); -

492

return r;

executed 735 times by 1 test: return r;

Executed by:

libcrypto.so.1.1

735

493 } -

494 -

495 /* signature verification */ -

496 static int rsa_ossl_public_decrypt(int flen, const unsigned char *from, -

497 unsigned char *to, RSA *rsa, int padding) -

498 { -

499 BIGNUM *f, *ret; -

500 int i, num = 0, r = -1; -

501 unsigned char *buf = NULL; -

502 BN_CTX *ctx = NULL; -

503 -

504

if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {

BN_num_bits(rsa->n) > 16384	Description
TRUE	never evaluated
FALSE	evaluated 2776 times by 1 test Evaluated by: libcrypto.so.1.1

0-2776

505 RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE); -

506

return -1;

never executed: return -1;

507 } -

508 -

509

if (BN_ucmp(rsa->n, rsa->e) <= 0) {

BN_ucmp(rsa->n, rsa->e) <= 0	Description
TRUE	never evaluated
FALSE	evaluated 2776 times by 1 test Evaluated by: libcrypto.so.1.1

0-2776

510 RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE); -

511

return -1;

never executed: return -1;

512 } -

513 -

514 /* for large moduli, enforce exponent limit */ -

515

if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) {

BN_num_bits(rsa->n) > 3072	Description
TRUE	evaluated 4 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 2772 times by 1 test Evaluated by: libcrypto.so.1.1

4-2772

516

if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) {

BN_num_bits(rsa->e) > 64	Description
TRUE	never evaluated
FALSE	evaluated 4 times by 1 test Evaluated by: libcrypto.so.1.1

0-4

517 RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE); -

518

return -1;

never executed: return -1;

519 } -

520

}

executed 4 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

521 -

522

if ((ctx = BN_CTX_new()) == NULL)

(ctx = BN_CTX_...== ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 2776 times by 1 test Evaluated by: libcrypto.so.1.1

0-2776

523

goto err;

never executed: goto err;

524 BN_CTX_start(ctx); -

525 f = BN_CTX_get(ctx); -

526 ret = BN_CTX_get(ctx); -

527 num = BN_num_bytes(rsa->n); -

528 buf = OPENSSL_malloc(num); -

529

if (ret == NULL || buf == NULL) {

ret == ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 2776 times by 1 test Evaluated by: libcrypto.so.1.1

buf == ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 2776 times by 1 test Evaluated by: libcrypto.so.1.1

0-2776

530 RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, ERR_R_MALLOC_FAILURE); -

531

goto err;

never executed: goto err;

532 } -

533 -

534 /* -

535 * This check was for equality but PGP does evil things and chops off the -

536 * top '0' bytes -

537 */ -

538

if (flen > num) {

flen > num	Description
TRUE	never evaluated
FALSE	evaluated 2776 times by 1 test Evaluated by: libcrypto.so.1.1

0-2776

539 RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_DATA_GREATER_THAN_MOD_LEN); -

540

goto err;

never executed: goto err;

541 } -

542 -

543

if (BN_bin2bn(from, flen, f) == NULL)

BN_bin2bn(from...== ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 2776 times by 1 test Evaluated by: libcrypto.so.1.1

0-2776

544

goto err;

never executed: goto err;

545 -

546

if (BN_ucmp(f, rsa->n) >= 0) {

BN_ucmp(f, rsa->n) >= 0	Description
TRUE	evaluated 2 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 2774 times by 1 test Evaluated by: libcrypto.so.1.1

2-2774

547 RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, -

548 RSA_R_DATA_TOO_LARGE_FOR_MODULUS); -

549

goto err;

executed 2 times by 1 test: goto err;

Executed by:

libcrypto.so.1.1

550 } -

551 -

552

if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)

rsa->flags & 0x0002	Description
TRUE	evaluated 2774 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-2774

553

if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,

!BN_MONT_CTX_s..., rsa->n, ctx)	Description
TRUE	evaluated 2 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 2772 times by 1 test Evaluated by: libcrypto.so.1.1

2-2772

554

rsa->n, ctx))

!BN_MONT_CTX_s..., rsa->n, ctx)	Description
TRUE	evaluated 2 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 2772 times by 1 test Evaluated by: libcrypto.so.1.1

2-2772

555

goto err;

executed 2 times by 1 test: goto err;

Executed by:

libcrypto.so.1.1

556 -

557

if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx,

!rsa->meth->bn..._method_mod_n)	Description
TRUE	never evaluated
FALSE	evaluated 2772 times by 1 test Evaluated by: libcrypto.so.1.1

0-2772

558

rsa->_method_mod_n))

!rsa->meth->bn..._method_mod_n)	Description
TRUE	never evaluated
FALSE	evaluated 2772 times by 1 test Evaluated by: libcrypto.so.1.1

0-2772

559

goto err;

never executed: goto err;

560 -

561

if ((padding == RSA_X931_PADDING) && ((bn_get_words(ret)[0] & 0xf) != 12))

(padding == 5)	Description
TRUE	never evaluated
FALSE	evaluated 2772 times by 1 test Evaluated by: libcrypto.so.1.1

((bn_get_words... & 0xf) != 12)	Description
TRUE	never evaluated
FALSE	never evaluated

0-2772

562

if (!BN_sub(ret, rsa->n, ret))

!BN_sub(ret, rsa->n, ret)	Description
TRUE	never evaluated
FALSE	never evaluated

563

goto err;

never executed: goto err;

564 -

565 i = BN_bn2binpad(ret, buf, num); -

566 -

567 switch (padding) { -

568

case RSA_PKCS1_PADDING:

executed 1763 times by 1 test: case 1:

Executed by:

libcrypto.so.1.1

1763

569 r = RSA_padding_check_PKCS1_type_1(to, num, buf, i, num); -

570

break;

executed 1763 times by 1 test: break;

Executed by:

libcrypto.so.1.1

1763

571

case RSA_X931_PADDING:

never executed: case 5:

572 r = RSA_padding_check_X931(to, num, buf, i, num); -

573

break;

never executed: break;

574

case RSA_NO_PADDING:

executed 1009 times by 1 test: case 3:

Executed by:

libcrypto.so.1.1

1009

575 memcpy(to, buf, (r = i)); -

576

break;

executed 1009 times by 1 test: break;

Executed by:

libcrypto.so.1.1

1009

577

default:

never executed: default:

578 RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE); -

579

goto err;

never executed: goto err;

580 } -

581

if (r < 0)

r < 0	Description
TRUE	evaluated 20 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 2752 times by 1 test Evaluated by: libcrypto.so.1.1

20-2752

582

RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_PADDING_CHECK_FAILED);

executed 20 times by 1 test: ERR_put_error(4,(103),(114),__FILE__,582);

Executed by:

libcrypto.so.1.1

583 -

584

err:

code before this statement executed 2772 times by 1 test: err:

Executed by:

libcrypto.so.1.1

2772

585

if (ctx != NULL)

ctx != ((void *)0)	Description
TRUE	evaluated 2776 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-2776

586

BN_CTX_end(ctx);

executed 2776 times by 1 test: BN_CTX_end(ctx);

Executed by:

libcrypto.so.1.1

2776

587 BN_CTX_free(ctx); -

588 OPENSSL_clear_free(buf, num); -

589

return r;

executed 2776 times by 1 test: return r;

Executed by:

libcrypto.so.1.1

2776

590 } -

591 -

592 static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) -

593 { -

594 BIGNUM *r1, *m1, *vrfy, *r2, *m[RSA_MAX_PRIME_NUM - 2]; -

595 int ret = 0, i, ex_primes = 0, smooth = 0; -

596 RSA_PRIME_INFO *pinfo; -

597 -

598 BN_CTX_start(ctx); -

599 -

600 r1 = BN_CTX_get(ctx); -

601 r2 = BN_CTX_get(ctx); -

602 m1 = BN_CTX_get(ctx); -

603 vrfy = BN_CTX_get(ctx); -

604

if (vrfy == NULL)

vrfy == ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 2381 times by 1 test Evaluated by: libcrypto.so.1.1

0-2381

605

goto err;

never executed: goto err;

606 -

607

if (rsa->version == RSA_ASN1_VERSION_MULTI

rsa->version == 1	Description
TRUE	evaluated 7 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 2374 times by 1 test Evaluated by: libcrypto.so.1.1

7-2374

608

&& ((ex_primes = sk_RSA_PRIME_INFO_num(rsa->prime_infos)) <= 0

(ex_primes = s...e_infos)) <= 0	Description
TRUE	never evaluated
FALSE	evaluated 7 times by 1 test Evaluated by: libcrypto.so.1.1

0-7

609

|| ex_primes > RSA_MAX_PRIME_NUM - 2))

ex_primes > 5 - 2	Description
TRUE	never evaluated
FALSE	evaluated 7 times by 1 test Evaluated by: libcrypto.so.1.1

0-7

610

goto err;

never executed: goto err;

611 -

612

if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) {

rsa->flags & 0x0004	Description
TRUE	evaluated 2381 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-2381

613 BIGNUM *factor = BN_new(); -

614 -

615

if (factor == NULL)

factor == ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 2381 times by 1 test Evaluated by: libcrypto.so.1.1

0-2381

616

goto err;

never executed: goto err;

617 -

618 /* -

619 * Make sure BN_mod_inverse in Montgomery initialization uses the -

620 * BN_FLG_CONSTTIME flag -

621 */ -

622

if (!(BN_with_flags(factor, rsa->p, BN_FLG_CONSTTIME),

!(BN_with_flag... factor, ctx))	Description
TRUE	never evaluated
FALSE	evaluated 2381 times by 1 test Evaluated by: libcrypto.so.1.1

0-2381

623

BN_MONT_CTX_set_locked(&rsa->_method_mod_p, rsa->lock,

!(BN_with_flag... factor, ctx))	Description
TRUE	never evaluated
FALSE	evaluated 2381 times by 1 test Evaluated by: libcrypto.so.1.1

0-2381

624

factor, ctx))

!(BN_with_flag... factor, ctx))	Description
TRUE	never evaluated
FALSE	evaluated 2381 times by 1 test Evaluated by: libcrypto.so.1.1

0-2381

625

|| !(BN_with_flags(factor, rsa->q, BN_FLG_CONSTTIME),

!(BN_with_flag... factor, ctx))	Description
TRUE	never evaluated
FALSE	evaluated 2381 times by 1 test Evaluated by: libcrypto.so.1.1

0-2381

626

BN_MONT_CTX_set_locked(&rsa->_method_mod_q, rsa->lock,

!(BN_with_flag... factor, ctx))	Description
TRUE	never evaluated
FALSE	evaluated 2381 times by 1 test Evaluated by: libcrypto.so.1.1

0-2381

627

factor, ctx))) {

!(BN_with_flag... factor, ctx))	Description
TRUE	never evaluated
FALSE	evaluated 2381 times by 1 test Evaluated by: libcrypto.so.1.1

0-2381

628 BN_free(factor); -

629

goto err;

never executed: goto err;

630 } -

631

for (i = 0; i < ex_primes; i++) {

i < ex_primes	Description
TRUE	evaluated 13 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 2381 times by 1 test Evaluated by: libcrypto.so.1.1

13-2381

632 pinfo = sk_RSA_PRIME_INFO_value(rsa->prime_infos, i); -

633 BN_with_flags(factor, pinfo->r, BN_FLG_CONSTTIME); -

634

if (!BN_MONT_CTX_set_locked(&pinfo->m, rsa->lock, factor, ctx)) {

!BN_MONT_CTX_s..., factor, ctx)	Description
TRUE	never evaluated
FALSE	evaluated 13 times by 1 test Evaluated by: libcrypto.so.1.1

0-13

635 BN_free(factor); -

636

goto err;

never executed: goto err;

637 } -

638

}

executed 13 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

639 /* -

640 * We MUST free |factor| before any further use of the prime factors -

641 */ -

642 BN_free(factor); -

643 -

644

smooth = (ex_primes == 0)

(ex_primes == 0)	Description
TRUE	evaluated 2374 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 7 times by 1 test Evaluated by: libcrypto.so.1.1

7-2374

645

&& (rsa->meth->bn_mod_exp == BN_mod_exp_mont)

(rsa->meth->bn..._mod_exp_mont)	Description
TRUE	evaluated 2374 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-2374

646

&& (BN_num_bits(rsa->q) == BN_num_bits(rsa->p));

(BN_num_bits(r..._bits(rsa->p))	Description
TRUE	evaluated 2374 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-2374

647

}

executed 2381 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

2381

648 -

649

if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)

rsa->flags & 0x0002	Description
TRUE	evaluated 2381 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-2381

650

if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,

!BN_MONT_CTX_s..., rsa->n, ctx)	Description
TRUE	never evaluated
FALSE	evaluated 2381 times by 1 test Evaluated by: libcrypto.so.1.1

0-2381

651

rsa->n, ctx))

!BN_MONT_CTX_s..., rsa->n, ctx)	Description
TRUE	never evaluated
FALSE	evaluated 2381 times by 1 test Evaluated by: libcrypto.so.1.1

0-2381

652

goto err;

never executed: goto err;

653 -

654

if (smooth) {

smooth	Description
TRUE	evaluated 2374 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 7 times by 1 test Evaluated by: libcrypto.so.1.1

7-2374

655 /* -

656 * Conversion from Montgomery domain, a.k.a. Montgomery reduction, -

657 * accepts values in [0-m*2^w) range. w is m's bit width rounded up -

658 * to limb width. So that at the very least if |I| is fully reduced, -

659 * i.e. less than p*q, we can count on from-to round to perform -

660 * below modulo operations on |I|. Unlike BN_mod it's constant time. -

661 */ -

662 if (/* m1 = I moq q */ -

663

!bn_from_mont_fixed_top(m1, I, rsa->_method_mod_q, ctx)

!bn_from_mont_...od_mod_q, ctx)	Description
TRUE	never evaluated
FALSE	evaluated 2374 times by 1 test Evaluated by: libcrypto.so.1.1

0-2374

664

|| !bn_to_mont_fixed_top(m1, m1, rsa->_method_mod_q, ctx)

!bn_to_mont_fi...od_mod_q, ctx)	Description
TRUE	never evaluated
FALSE	evaluated 2374 times by 1 test Evaluated by: libcrypto.so.1.1

0-2374

665 /* m1 = m1^dmq1 mod q */ -

666

|| !BN_mod_exp_mont_consttime(m1, m1, rsa->dmq1, rsa->q, ctx,

!BN_mod_exp_mo..._method_mod_q)	Description
TRUE	never evaluated
FALSE	evaluated 2374 times by 1 test Evaluated by: libcrypto.so.1.1

0-2374

667

rsa->_method_mod_q)

!BN_mod_exp_mo..._method_mod_q)	Description
TRUE	never evaluated
FALSE	evaluated 2374 times by 1 test Evaluated by: libcrypto.so.1.1

0-2374

668 /* r1 = I mod p */ -

669

|| !bn_from_mont_fixed_top(r1, I, rsa->_method_mod_p, ctx)

!bn_from_mont_...od_mod_p, ctx)	Description
TRUE	never evaluated
FALSE	evaluated 2374 times by 1 test Evaluated by: libcrypto.so.1.1

0-2374

670

|| !bn_to_mont_fixed_top(r1, r1, rsa->_method_mod_p, ctx)

!bn_to_mont_fi...od_mod_p, ctx)	Description
TRUE	never evaluated
FALSE	evaluated 2374 times by 1 test Evaluated by: libcrypto.so.1.1

0-2374

671 /* r1 = r1^dmp1 mod p */ -

672

|| !BN_mod_exp_mont_consttime(r1, r1, rsa->dmp1, rsa->p, ctx,

!BN_mod_exp_mo..._method_mod_p)	Description
TRUE	never evaluated
FALSE	evaluated 2374 times by 1 test Evaluated by: libcrypto.so.1.1

0-2374

673

rsa->_method_mod_p)

!BN_mod_exp_mo..._method_mod_p)	Description
TRUE	never evaluated
FALSE	evaluated 2374 times by 1 test Evaluated by: libcrypto.so.1.1

0-2374

674 /* r1 = (r1 - m1) mod p */ -

675 /* -

676 * bn_mod_sub_fixed_top is not regular modular subtraction, -

677 * it can tolerate subtrahend to be larger than modulus, but -

678 * not bit-wise wider. This makes up for uncommon q>p case, -

679 * when |m1| can be larger than |rsa->p|. -

680 */ -

681

|| !bn_mod_sub_fixed_top(r1, r1, m1, rsa->p)

!bn_mod_sub_fi...1, m1, rsa->p)	Description
TRUE	never evaluated
FALSE	evaluated 2374 times by 1 test Evaluated by: libcrypto.so.1.1

0-2374

682 -

683 /* r0 = r0 * iqmp mod p */ -

684

|| !bn_to_mont_fixed_top(r1, r1, rsa->_method_mod_p, ctx)

!bn_to_mont_fi...od_mod_p, ctx)	Description
TRUE	never evaluated
FALSE	evaluated 2374 times by 1 test Evaluated by: libcrypto.so.1.1

0-2374

685

|| !bn_mul_mont_fixed_top(r1, r1, rsa->iqmp, rsa->_method_mod_p,

!bn_mul_mont_f...od_mod_p, ctx)	Description
TRUE	never evaluated
FALSE	evaluated 2374 times by 1 test Evaluated by: libcrypto.so.1.1

0-2374

686

ctx)

!bn_mul_mont_f...od_mod_p, ctx)	Description
TRUE	never evaluated
FALSE	evaluated 2374 times by 1 test Evaluated by: libcrypto.so.1.1

0-2374

687

|| !bn_mul_fixed_top(r0, r1, rsa->q, ctx)

!bn_mul_fixed_..., rsa->q, ctx)	Description
TRUE	never evaluated
FALSE	evaluated 2374 times by 1 test Evaluated by: libcrypto.so.1.1

0-2374

688

|| !bn_mod_add_fixed_top(r0, r0, m1, rsa->n))

!bn_mod_add_fi...0, m1, rsa->n)	Description
TRUE	never evaluated
FALSE	evaluated 2374 times by 1 test Evaluated by: libcrypto.so.1.1

0-2374

689

goto err;

never executed: goto err;

690 -

691

goto tail;

executed 2374 times by 1 test: goto tail;

Executed by:

libcrypto.so.1.1

2374

692 } -

693 -

694 /* compute I mod q */ -

695 { -

696 BIGNUM *c = BN_new(); -

697

if (c == NULL)

c == ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 7 times by 1 test Evaluated by: libcrypto.so.1.1

0-7

698

goto err;

never executed: goto err;

699 BN_with_flags(c, I, BN_FLG_CONSTTIME); -

700 -

701

if (!BN_mod(r1, c, rsa->q, ctx)) {

!BN_div( ((voi...rsa->q),(ctx))	Description
TRUE	never evaluated
FALSE	evaluated 7 times by 1 test Evaluated by: libcrypto.so.1.1

0-7

702 BN_free(c); -

703

goto err;

never executed: goto err;

704 } -

705 -

706 { -

707 BIGNUM *dmq1 = BN_new(); -

708

if (dmq1 == NULL) {

dmq1 == ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 7 times by 1 test Evaluated by: libcrypto.so.1.1

0-7

709 BN_free(c); -

710

goto err;

never executed: goto err;

711 } -

712 BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME); -

713 -

714 /* compute r1^dmq1 mod q */ -

715

if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx,

!rsa->meth->bn..._method_mod_q)	Description
TRUE	never evaluated
FALSE	evaluated 7 times by 1 test Evaluated by: libcrypto.so.1.1

0-7

716

rsa->_method_mod_q)) {

!rsa->meth->bn..._method_mod_q)	Description
TRUE	never evaluated
FALSE	evaluated 7 times by 1 test Evaluated by: libcrypto.so.1.1

0-7

717 BN_free(c); -

718 BN_free(dmq1); -

719

goto err;

never executed: goto err;

720 } -

721 /* We MUST free dmq1 before any further use of rsa->dmq1 */ -

722 BN_free(dmq1); -

723 } -

724 -

725 /* compute I mod p */ -

726

if (!BN_mod(r1, c, rsa->p, ctx)) {

!BN_div( ((voi...rsa->p),(ctx))	Description
TRUE	never evaluated
FALSE	evaluated 7 times by 1 test Evaluated by: libcrypto.so.1.1

0-7

727 BN_free(c); -

728

goto err;

never executed: goto err;

729 } -

730 /* We MUST free c before any further use of I */ -

731 BN_free(c); -

732 } -

733 -

734 { -

735 BIGNUM *dmp1 = BN_new(); -

736

if (dmp1 == NULL)

dmp1 == ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 7 times by 1 test Evaluated by: libcrypto.so.1.1

0-7

737

goto err;

never executed: goto err;

738 BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME); -

739 -

740 /* compute r1^dmp1 mod p */ -

741

if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p, ctx,

!rsa->meth->bn..._method_mod_p)	Description
TRUE	never evaluated
FALSE	evaluated 7 times by 1 test Evaluated by: libcrypto.so.1.1

0-7

742

rsa->_method_mod_p)) {

!rsa->meth->bn..._method_mod_p)	Description
TRUE	never evaluated
FALSE	evaluated 7 times by 1 test Evaluated by: libcrypto.so.1.1

0-7

743 BN_free(dmp1); -

744

goto err;

never executed: goto err;

745 } -

746 /* We MUST free dmp1 before any further use of rsa->dmp1 */ -

747 BN_free(dmp1); -

748 } -

749 -

750 /* -

751 * calculate m_i in multi-prime case -

752 * -

753 * TODO: -

754 * 1. squash the following two loops and calculate |m_i| there. -

755 * 2. remove cc and reuse |c|. -

756 * 3. remove |dmq1| and |dmp1| in previous block and use |di|. -

757 * -

758 * If these things are done, the code will be more readable. -

759 */ -

760

if (ex_primes > 0) {

ex_primes > 0	Description
TRUE	evaluated 7 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-7

761 BIGNUM *di = BN_new(), *cc = BN_new(); -

762 -

763

if (cc == NULL || di == NULL) {

cc == ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 7 times by 1 test Evaluated by: libcrypto.so.1.1

di == ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 7 times by 1 test Evaluated by: libcrypto.so.1.1

0-7

764 BN_free(cc); -

765 BN_free(di); -

766

goto err;

never executed: goto err;

767 } -

768 -

769

for (i = 0; i < ex_primes; i++) {

i < ex_primes	Description
TRUE	evaluated 13 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 7 times by 1 test Evaluated by: libcrypto.so.1.1

7-13

770 /* prepare m_i */ -

771

if ((m[i] = BN_CTX_get(ctx)) == NULL) {

(m[i] = BN_CTX...== ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 13 times by 1 test Evaluated by: libcrypto.so.1.1

0-13

772 BN_free(cc); -

773 BN_free(di); -

774

goto err;

never executed: goto err;

775 } -

776 -

777 pinfo = sk_RSA_PRIME_INFO_value(rsa->prime_infos, i); -

778 -

779 /* prepare c and d_i */ -

780 BN_with_flags(cc, I, BN_FLG_CONSTTIME); -

781 BN_with_flags(di, pinfo->d, BN_FLG_CONSTTIME); -

782 -

783

if (!BN_mod(r1, cc, pinfo->r, ctx)) {

!BN_div( ((voi...nfo->r),(ctx))	Description
TRUE	never evaluated
FALSE	evaluated 13 times by 1 test Evaluated by: libcrypto.so.1.1

0-13

784 BN_free(cc); -

785 BN_free(di); -

786

goto err;

never executed: goto err;

787 } -

788 /* compute r1 ^ d_i mod r_i */ -

789

if (!rsa->meth->bn_mod_exp(m[i], r1, di, pinfo->r, ctx, pinfo->m)) {

!rsa->meth->bn...ctx, pinfo->m)	Description
TRUE	never evaluated
FALSE	evaluated 13 times by 1 test Evaluated by: libcrypto.so.1.1

0-13

790 BN_free(cc); -

791 BN_free(di); -

792

goto err;

never executed: goto err;

793 } -

794

}

executed 13 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

795 -

796 BN_free(cc); -

797 BN_free(di); -

798

}

executed 7 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

799 -

800

if (!BN_sub(r0, r0, m1))

!BN_sub(r0, r0, m1)	Description
TRUE	never evaluated
FALSE	evaluated 7 times by 1 test Evaluated by: libcrypto.so.1.1

0-7

801

goto err;

never executed: goto err;

802 /* -

803 * This will help stop the size of r0 increasing, which does affect the -

804 * multiply if it optimised for a power of 2 size -

805 */ -

806

if (BN_is_negative(r0))

BN_is_negative(r0)	Description
TRUE	evaluated 2 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 5 times by 1 test Evaluated by: libcrypto.so.1.1

2-5

807

if (!BN_add(r0, r0, rsa->p))

!BN_add(r0, r0, rsa->p)	Description
TRUE	never evaluated
FALSE	evaluated 2 times by 1 test Evaluated by: libcrypto.so.1.1

0-2

808

goto err;

never executed: goto err;

809 -

810

if (!BN_mul(r1, r0, rsa->iqmp, ctx))

!BN_mul(r1, r0...sa->iqmp, ctx)	Description
TRUE	never evaluated
FALSE	evaluated 7 times by 1 test Evaluated by: libcrypto.so.1.1

0-7

811

goto err;

never executed: goto err;

812 -

813 { -

814 BIGNUM *pr1 = BN_new(); -

815

if (pr1 == NULL)

pr1 == ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 7 times by 1 test Evaluated by: libcrypto.so.1.1

0-7

816

goto err;

never executed: goto err;

817 BN_with_flags(pr1, r1, BN_FLG_CONSTTIME); -

818 -

819

if (!BN_mod(r0, pr1, rsa->p, ctx)) {

!BN_div( ((voi...rsa->p),(ctx))	Description
TRUE	never evaluated
FALSE	evaluated 7 times by 1 test Evaluated by: libcrypto.so.1.1

0-7

820 BN_free(pr1); -

821

goto err;

never executed: goto err;

822 } -

823 /* We MUST free pr1 before any further use of r1 */ -

824 BN_free(pr1); -

825 } -

826 -

827 /* -

828 * If p < q it is occasionally possible for the correction of adding 'p' -

829 * if r0 is negative above to leave the result still negative. This can -

830 * break the private key operations: the following second correction -

831 * should *always* correct this rare occurrence. This will *never* happen -

832 * with OpenSSL generated keys because they ensure p > q [steve] -

833 */ -

834

if (BN_is_negative(r0))

BN_is_negative(r0)	Description
TRUE	never evaluated
FALSE	evaluated 7 times by 1 test Evaluated by: libcrypto.so.1.1

0-7

835

if (!BN_add(r0, r0, rsa->p))

!BN_add(r0, r0, rsa->p)	Description
TRUE	never evaluated
FALSE	never evaluated

836

goto err;

never executed: goto err;

837

if (!BN_mul(r1, r0, rsa->q, ctx))

!BN_mul(r1, r0, rsa->q, ctx)	Description
TRUE	never evaluated
FALSE	evaluated 7 times by 1 test Evaluated by: libcrypto.so.1.1

0-7

838

goto err;

never executed: goto err;

839

if (!BN_add(r0, r1, m1))

!BN_add(r0, r1, m1)	Description
TRUE	never evaluated
FALSE	evaluated 7 times by 1 test Evaluated by: libcrypto.so.1.1

0-7

840

goto err;

never executed: goto err;

841 -

842 /* add m_i to m in multi-prime case */ -

843

if (ex_primes > 0) {

ex_primes > 0	Description
TRUE	evaluated 7 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-7

844 BIGNUM *pr2 = BN_new(); -

845 -

846

if (pr2 == NULL)

pr2 == ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 7 times by 1 test Evaluated by: libcrypto.so.1.1

0-7

847

goto err;

never executed: goto err;

848 -

849

for (i = 0; i < ex_primes; i++) {

i < ex_primes	Description
TRUE	evaluated 13 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 7 times by 1 test Evaluated by: libcrypto.so.1.1

7-13

850 pinfo = sk_RSA_PRIME_INFO_value(rsa->prime_infos, i); -

851

if (!BN_sub(r1, m[i], r0)) {

!BN_sub(r1, m[i], r0)	Description
TRUE	never evaluated
FALSE	evaluated 13 times by 1 test Evaluated by: libcrypto.so.1.1

0-13

852 BN_free(pr2); -

853

goto err;

never executed: goto err;

854 } -

855 -

856

if (!BN_mul(r2, r1, pinfo->t, ctx)) {

!BN_mul(r2, r1, pinfo->t, ctx)	Description
TRUE	never evaluated
FALSE	evaluated 13 times by 1 test Evaluated by: libcrypto.so.1.1

0-13

857 BN_free(pr2); -

858

goto err;

never executed: goto err;

859 } -

860 -

861 BN_with_flags(pr2, r2, BN_FLG_CONSTTIME); -

862 -

863

if (!BN_mod(r1, pr2, pinfo->r, ctx)) {

!BN_div( ((voi...nfo->r),(ctx))	Description
TRUE	never evaluated
FALSE	evaluated 13 times by 1 test Evaluated by: libcrypto.so.1.1

0-13

864 BN_free(pr2); -

865

goto err;

never executed: goto err;

866 } -

867 -

868

if (BN_is_negative(r1))

BN_is_negative(r1)	Description
TRUE	evaluated 13 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-13

869

if (!BN_add(r1, r1, pinfo->r)) {

!BN_add(r1, r1, pinfo->r)	Description
TRUE	never evaluated
FALSE	evaluated 13 times by 1 test Evaluated by: libcrypto.so.1.1

0-13

870 BN_free(pr2); -

871

goto err;

never executed: goto err;

872 } -

873

if (!BN_mul(r1, r1, pinfo->pp, ctx)) {

!BN_mul(r1, r1...info->pp, ctx)	Description
TRUE	never evaluated
FALSE	evaluated 13 times by 1 test Evaluated by: libcrypto.so.1.1

0-13

874 BN_free(pr2); -

875

goto err;

never executed: goto err;

876 } -

877

if (!BN_add(r0, r0, r1)) {

!BN_add(r0, r0, r1)	Description
TRUE	never evaluated
FALSE	evaluated 13 times by 1 test Evaluated by: libcrypto.so.1.1

0-13

878 BN_free(pr2); -

879

goto err;

never executed: goto err;

880 } -

881

}

executed 13 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

882 BN_free(pr2); -

883

}

executed 7 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

884 -

885

tail:

code before this statement executed 7 times by 1 test: tail:

Executed by:

libcrypto.so.1.1

886

if (rsa->e && rsa->n) {

rsa->e	Description
TRUE	evaluated 2381 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

rsa->n	Description
TRUE	evaluated 2381 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-2381

887

if (rsa->meth->bn_mod_exp == BN_mod_exp_mont) {

rsa->meth->bn_...N_mod_exp_mont	Description
TRUE	evaluated 2381 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-2381

888

if (!BN_mod_exp_mont(vrfy, r0, rsa->e, rsa->n, ctx,

!BN_mod_exp_mo..._method_mod_n)	Description
TRUE	never evaluated
FALSE	evaluated 2381 times by 1 test Evaluated by: libcrypto.so.1.1

0-2381

889

rsa->_method_mod_n))

!BN_mod_exp_mo..._method_mod_n)	Description
TRUE	never evaluated
FALSE	evaluated 2381 times by 1 test Evaluated by: libcrypto.so.1.1

0-2381

890

goto err;

never executed: goto err;

891

} else {

executed 2381 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

2381

892 bn_correct_top(r0); -

893

if (!rsa->meth->bn_mod_exp(vrfy, r0, rsa->e, rsa->n, ctx,

!rsa->meth->bn..._method_mod_n)	Description
TRUE	never evaluated
FALSE	never evaluated

894

rsa->_method_mod_n))

!rsa->meth->bn..._method_mod_n)	Description
TRUE	never evaluated
FALSE	never evaluated

895

goto err;

never executed: goto err;

896

}

never executed: end of block

897 /* -

898 * If 'I' was greater than (or equal to) rsa->n, the operation will -

899 * be equivalent to using 'I mod n'. However, the result of the -

900 * verify will *always* be less than 'n' so we don't check for -

901 * absolute equality, just congruency. -

902 */ -

903

if (!BN_sub(vrfy, vrfy, I))

!BN_sub(vrfy, vrfy, I)	Description
TRUE	never evaluated
FALSE	evaluated 2381 times by 1 test Evaluated by: libcrypto.so.1.1

0-2381

904

goto err;

never executed: goto err;

905

if (BN_is_zero(vrfy)) {

BN_is_zero(vrfy)	Description
TRUE	evaluated 2381 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-2381

906 bn_correct_top(r0); -

907 ret = 1; -

908

goto err; /* not actually error */

executed 2381 times by 1 test: goto err;

Executed by:

libcrypto.so.1.1

2381

909 } -

910

if (!BN_mod(vrfy, vrfy, rsa->n, ctx))

!BN_div( ((voi...rsa->n),(ctx))	Description
TRUE	never evaluated
FALSE	never evaluated

911

goto err;

never executed: goto err;

912

if (BN_is_negative(vrfy))

BN_is_negative(vrfy)	Description
TRUE	never evaluated
FALSE	never evaluated

913

if (!BN_add(vrfy, vrfy, rsa->n))

!BN_add(vrfy, vrfy, rsa->n)	Description
TRUE	never evaluated
FALSE	never evaluated

914

goto err;

never executed: goto err;

915

if (!BN_is_zero(vrfy)) {

!BN_is_zero(vrfy)	Description
TRUE	never evaluated
FALSE	never evaluated

916 /* -

917 * 'I' and 'vrfy' aren't congruent mod n. Don't leak -

918 * miscalculated CRT output, just do a raw (slower) mod_exp and -

919 * return that instead. -

920 */ -

921 -

922 BIGNUM *d = BN_new(); -

923

if (d == NULL)

d == ((void *)0)	Description
TRUE	never evaluated
FALSE	never evaluated

924

goto err;

never executed: goto err;

925 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); -

926 -

927

if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx,

!rsa->meth->bn..._method_mod_n)	Description
TRUE	never evaluated
FALSE	never evaluated

928

rsa->_method_mod_n)) {

!rsa->meth->bn..._method_mod_n)	Description
TRUE	never evaluated
FALSE	never evaluated

929 BN_free(d); -

930

goto err;

never executed: goto err;

931 } -

932 /* We MUST free d before any further use of rsa->d */ -

933 BN_free(d); -

934

}

never executed: end of block

935

}

never executed: end of block

936 /* -

937 * It's unfortunate that we have to bn_correct_top(r0). What hopefully -

938 * saves the day is that correction is highly unlike, and private key -

939 * operations are customarily performed on blinded message. Which means -

940 * that attacker won't observe correlation with chosen plaintext. -

941 * Secondly, remaining code would still handle it in same computational -

942 * time and even conceal memory access pattern around corrected top. -

943 */ -

944 bn_correct_top(r0); -

945 ret = 1; -

946

err:

code before this statement never executed: err:

947 BN_CTX_end(ctx); -

948

return ret;

executed 2381 times by 1 test: return ret;

Executed by:

libcrypto.so.1.1

2381

949 } -

950 -

951 static int rsa_ossl_init(RSA *rsa) -

952 { -

953 rsa->flags |= RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE; -

954

return 1;

executed 25970 times by 1 test: return 1;

Executed by:

libcrypto.so.1.1

25970

955 } -

956 -

957 static int rsa_ossl_finish(RSA *rsa) -

958 { -

959 int i; -

960 RSA_PRIME_INFO *pinfo; -

961 -

962 BN_MONT_CTX_free(rsa->_method_mod_n); -

963 BN_MONT_CTX_free(rsa->_method_mod_p); -

964 BN_MONT_CTX_free(rsa->_method_mod_q); -

965

for (i = 0; i < sk_RSA_PRIME_INFO_num(rsa->prime_infos); i++) {

i < sk_RSA_PRI...->prime_infos)	Description
TRUE	evaluated 8639 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 25970 times by 1 test Evaluated by: libcrypto.so.1.1

8639-25970

966 pinfo = sk_RSA_PRIME_INFO_value(rsa->prime_infos, i); -

967 BN_MONT_CTX_free(pinfo->m); -

968

}

executed 8639 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

8639

969

return 1;

executed 25970 times by 1 test: return 1;

Executed by:

libcrypto.so.1.1

25970

970 } -

Source code

Switch to Preprocessed file

Generated by Squish Coco 4.2.2