33 static void subM(const RSAPublicKey* key,  in subM()  argument
37     for (i = 0; i < key->len; ++i) {  in subM()
38         A += (uint64_t)a[i] - key->n[i];  in subM()
45 static int geM(const RSAPublicKey* key,  in geM()  argument
48     for (i = key->len; i;) {  in geM()
50         if (a[i] < key->n[i]) return 0;  in geM()
51         if (a[i] > key->n[i]) return 1;  in geM()
57 static void montMulAdd(const RSAPublicKey* key,  in montMulAdd()  argument
62     uint32_t d0 = (uint32_t)A * key->n0inv;  in montMulAdd()
63     uint64_t B = (uint64_t)d0 * key->n[0] + (uint32_t)A;  in montMulAdd()
66     for (i = 1; i < key->len; ++i) {  in montMulAdd()
68         B = (B >> 32) + (uint64_t)d0 * key->n[i] + (uint32_t)A;  in montMulAdd()
77         subM(key, c);  in montMulAdd()
82 static void montMul(const RSAPublicKey* key,  in montMul()  argument
87     for (i = 0; i < key->len; ++i) {  in montMul()
90     for (i = 0; i < key->len; ++i) {  in montMul()
91         montMulAdd(key, c, a[i], b);  in montMul()
97 static void modpow(const RSAPublicKey* key,  in modpow()  argument
106     for (i = 0; i < key->len; ++i) {  in modpow()
108             (inout[((key->len - 1 - i) * 4) + 0] << 24) |  in modpow()
109             (inout[((key->len - 1 - i) * 4) + 1] << 16) |  in modpow()
110             (inout[((key->len - 1 - i) * 4) + 2] << 8) |  in modpow()
111             (inout[((key->len - 1 - i) * 4) + 3] << 0);  in modpow()
115     if (key->exponent == 65537) {  in modpow()
117         montMul(key, aR, a, key->rr);  // aR = a * RR / R mod M  in modpow()
119             montMul(key, aaR, aR, aR);  // aaR = aR * aR / R mod M  in modpow()
120             montMul(key, aR, aaR, aaR);  // aR = aaR * aaR / R mod M  in modpow()
122         montMul(key, aaa, aR, a);  // aaa = aR * a / R mod M  in modpow()
123     } else if (key->exponent == 3) {  in modpow()
125         montMul(key, aR, a, key->rr);  /* aR = a * RR / R mod M   */  in modpow()
126         montMul(key, aaR, aR, aR);     /* aaR = aR * aR / R mod M */  in modpow()
127         montMul(key, aaa, aaR, a);     /* aaa = aaR * a / R mod M */  in modpow()
131     if (geM(key, aaa)) {  in modpow()
132         subM(key, aaa);  in modpow()
136     for (i = key->len - 1; i >= 0; --i) {  in modpow()
249 int RSA_verify(const RSAPublicKey *key,  in RSA_verify()  argument
258     if (key->len != RSANUMWORDS) {  in RSA_verify()
271     if (key->exponent != 3 && key->exponent != 65537) {  in RSA_verify()
279     modpow(key, buf);  // In-place exponentiation.  in RSA_verify()