Open Menu / lib / rsa / rsa-keyprop.c
Loading...
  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
// SPDX-License-Identifier: GPL-2.0+ and MIT
/*
 * RSA library - generate parameters for a public key
 *
 * Copyright (c) 2019 Linaro Limited
 * Author: AKASHI Takahiro
 *
 * Big number routines in this file come from BearSSL:
 * Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
 */

#include <image.h>
#include <malloc.h>
#include <crypto/internal/rsa.h>
#include <u-boot/rsa-mod-exp.h>
#include <asm/unaligned.h>

/**
 * br_dec16be() - Convert 16-bit big-endian integer to native
 * @src:	Pointer to data
 * Return:	Native-endian integer
 */
static unsigned br_dec16be(const void *src)
{
	return get_unaligned_be16(src);
}

/**
 * br_dec32be() - Convert 32-bit big-endian integer to native
 * @src:	Pointer to data
 * Return:	Native-endian integer
 */
static uint32_t br_dec32be(const void *src)
{
	return get_unaligned_be32(src);
}

/**
 * br_enc32be() - Convert native 32-bit integer to big-endian
 * @dst:	Pointer to buffer to store big-endian integer in
 * @x:		Native 32-bit integer
 */
static void br_enc32be(void *dst, uint32_t x)
{
	__be32 tmp;

	tmp = cpu_to_be32(x);
	memcpy(dst, &tmp, sizeof(tmp));
}

/* from BearSSL's src/inner.h */

/*
 * Negate a boolean.
 */
static uint32_t NOT(uint32_t ctl)
{
	return ctl ^ 1;
}

/*
 * Multiplexer: returns x if ctl == 1, y if ctl == 0.
 */
static uint32_t MUX(uint32_t ctl, uint32_t x, uint32_t y)
{
	return y ^ (-ctl & (x ^ y));
}

/*
 * Equality check: returns 1 if x == y, 0 otherwise.
 */
static uint32_t EQ(uint32_t x, uint32_t y)
{
	uint32_t q;

	q = x ^ y;
	return NOT((q | -q) >> 31);
}

/*
 * Inequality check: returns 1 if x != y, 0 otherwise.
 */
static uint32_t NEQ(uint32_t x, uint32_t y)
{
	uint32_t q;

	q = x ^ y;
	return (q | -q) >> 31;
}

/*
 * Comparison: returns 1 if x > y, 0 otherwise.
 */
static uint32_t GT(uint32_t x, uint32_t y)
{
	/*
	 * If both x < 2^31 and y < 2^31, then y-x will have its high
	 * bit set if x > y, cleared otherwise.
	 *
	 * If either x >= 2^31 or y >= 2^31 (but not both), then the
	 * result is the high bit of x.
	 *
	 * If both x >= 2^31 and y >= 2^31, then we can virtually
	 * subtract 2^31 from both, and we are back to the first case.
	 * Since (y-2^31)-(x-2^31) = y-x, the subtraction is already
	 * fine.
	 */
	uint32_t z;

	z = y - x;
	return (z ^ ((x ^ y) & (x ^ z))) >> 31;
}

/*
 * Compute the bit length of a 32-bit integer. Returned value is between 0
 * and 32 (inclusive).
 */
static uint32_t BIT_LENGTH(uint32_t x)
{
	uint32_t k, c;

	k = NEQ(x, 0);
	c = GT(x, 0xFFFF); x = MUX(c, x >> 16, x); k += c << 4;
	c = GT(x, 0x00FF); x = MUX(c, x >>  8, x); k += c << 3;
	c = GT(x, 0x000F); x = MUX(c, x >>  4, x); k += c << 2;
	c = GT(x, 0x0003); x = MUX(c, x >>  2, x); k += c << 1;
	k += GT(x, 0x0001);
	return k;
}

#define GE(x, y)   NOT(GT(y, x))
#define LT(x, y)   GT(y, x)
#define MUL(x, y)   ((uint64_t)(x) * (uint64_t)(y))

/*
 * Integers 'i32'
 * --------------
 *
 * The 'i32' functions implement computations on big integers using
 * an internal representation as an array of 32-bit integers. For
 * an array x[]:
 *  -- x[0] contains the "announced bit length" of the integer
 *  -- x[1], x[2]... contain the value in little-endian order (x[1]
 *     contains the least significant 32 bits)
 *
 * Multiplications rely on the elementary 32x32->64 multiplication.
 *
 * The announced bit length specifies the number of bits that are
 * significant in the subsequent 32-bit words. Unused bits in the
 * last (most significant) word are set to 0; subsequent words are
 * uninitialized and need not exist at all.
 *
 * The execution time and memory access patterns of all computations
 * depend on the announced bit length, but not on the actual word
 * values. For modular integers, the announced bit length of any integer
 * modulo n is equal to the actual bit length of n; thus, computations
 * on modular integers are "constant-time" (only the modulus length may
 * leak).
 */

/*
 * Extract one word from an integer. The offset is counted in bits.
 * The word MUST entirely fit within the word elements corresponding
 * to the announced bit length of a[].
 */
static uint32_t br_i32_word(const uint32_t *a, uint32_t off)
{
	size_t u;
	unsigned j;

	u = (size_t)(off >> 5) + 1;
	j = (unsigned)off & 31;
	if (j == 0) {
		return a[u];
	} else {
		return (a[u] >> j) | (a[u + 1] << (32 - j));
	}
}

/* from BearSSL's src/int/i32_bitlen.c */

/*
 * Compute the actual bit length of an integer. The argument x should
 * point to the first (least significant) value word of the integer.
 * The len 'xlen' contains the number of 32-bit words to access.
 *
 * CT: value or length of x does not leak.
 */
static uint32_t br_i32_bit_length(uint32_t *x, size_t xlen)
{
	uint32_t tw, twk;

	tw = 0;
	twk = 0;
	while (xlen -- > 0) {
		uint32_t w, c;

		c = EQ(tw, 0);
		w = x[xlen];
		tw = MUX(c, w, tw);
		twk = MUX(c, (uint32_t)xlen, twk);
	}
	return (twk << 5) + BIT_LENGTH(tw);
}

/* from BearSSL's src/int/i32_decode.c */

/*
 * Decode an integer from its big-endian unsigned representation. The
 * "true" bit length of the integer is computed, but all words of x[]
 * corresponding to the full 'len' bytes of the source are set.
 *
 * CT: value or length of x does not leak.
 */
static void br_i32_decode(uint32_t *x, const void *src, size_t len)
{
	const unsigned char *buf;
	size_t u, v;

	buf = src;
	u = len;
	v = 1;
	for (;;) {
		if (u < 4) {
			uint32_t w;

			if (u < 2) {
				if (u == 0) {
					break;
				} else {
					w = buf[0];
				}
			} else {
				if (u == 2) {
					w = br_dec16be(buf);
				} else {
					w = ((uint32_t)buf[0] << 16)
						| br_dec16be(buf + 1);
				}
			}
			x[v ++] = w;
			break;
		} else {
			u -= 4;
			x[v ++] = br_dec32be(buf + u);
		}
	}
	x[0] = br_i32_bit_length(x + 1, v - 1);
}

/* from BearSSL's src/int/i32_encode.c */

/*
 * Encode an integer into its big-endian unsigned representation. The
 * output length in bytes is provided (parameter 'len'); if the length
 * is too short then the integer is appropriately truncated; if it is
 * too long then the extra bytes are set to 0.
 */
static void br_i32_encode(void *dst, size_t len, const uint32_t *x)
{
	unsigned char *buf;
	size_t k;

	buf = dst;

	/*
	 * Compute the announced size of x in bytes; extra bytes are
	 * filled with zeros.
	 */
	k = (x[0] + 7) >> 3;
	while (len > k) {
		*buf ++ = 0;
		len --;
	}

	/*
	 * Now we use k as index within x[]. That index starts at 1;
	 * we initialize it to the topmost complete word, and process
	 * any remaining incomplete word.
	 */
	k = (len + 3) >> 2;
	switch (len & 3) {
	case 3:
		*buf ++ = x[k] >> 16;
		/* fall through */
	case 2:
		*buf ++ = x[k] >> 8;
		/* fall through */
	case 1:
		*buf ++ = x[k];
		k --;
	}

	/*
	 * Encode all complete words.
	 */
	while (k > 0) {
		br_enc32be(buf, x[k]);
		k --;
		buf += 4;
	}
}

/* from BearSSL's src/int/i32_ninv32.c */

/*
 * Compute -(1/x) mod 2^32. If x is even, then this function returns 0.
 */
static uint32_t br_i32_ninv32(uint32_t x)
{
	uint32_t y;

	y = 2 - x;
	y *= 2 - y * x;
	y *= 2 - y * x;
	y *= 2 - y * x;
	y *= 2 - y * x;
	return MUX(x & 1, -y, 0);
}

/* from BearSSL's src/int/i32_add.c */

/*
 * Add b[] to a[] and return the carry (0 or 1). If ctl is 0, then a[]
 * is unmodified, but the carry is still computed and returned. The
 * arrays a[] and b[] MUST have the same announced bit length.
 *
 * a[] and b[] MAY be the same array, but partial overlap is not allowed.
 */
static uint32_t br_i32_add(uint32_t *a, const uint32_t *b, uint32_t ctl)
{
	uint32_t cc;
	size_t u, m;

	cc = 0;
	m = (a[0] + 63) >> 5;
	for (u = 1; u < m; u ++) {
		uint32_t aw, bw, naw;

		aw = a[u];
		bw = b[u];
		naw = aw + bw + cc;

		/*
		 * Carry is 1 if naw < aw. Carry is also 1 if naw == aw
		 * AND the carry was already 1.
		 */
		cc = (cc & EQ(naw, aw)) | LT(naw, aw);
		a[u] = MUX(ctl, naw, aw);
	}
	return cc;
}

/* from BearSSL's src/int/i32_sub.c */

/*
 * Subtract b[] from a[] and return the carry (0 or 1). If ctl is 0,
 * then a[] is unmodified, but the carry is still computed and returned.
 * The arrays a[] and b[] MUST have the same announced bit length.
 *
 * a[] and b[] MAY be the same array, but partial overlap is not allowed.
 */
static uint32_t br_i32_sub(uint32_t *a, const uint32_t *b, uint32_t ctl)
{
	uint32_t cc;
	size_t u, m;

	cc = 0;
	m = (a[0] + 63) >> 5;
	for (u = 1; u < m; u ++) {
		uint32_t aw, bw, naw;

		aw = a[u];
		bw = b[u];
		naw = aw - bw - cc;

		/*
		 * Carry is 1 if naw > aw. Carry is 1 also if naw == aw
		 * AND the carry was already 1.
		 */
		cc = (cc & EQ(naw, aw)) | GT(naw, aw);
		a[u] = MUX(ctl, naw, aw);
	}
	return cc;
}

/* from BearSSL's src/int/i32_div32.c */

/*
 * Constant-time division. The dividend hi:lo is divided by the
 * divisor d; the quotient is returned and the remainder is written
 * in *r. If hi == d, then the quotient does not fit on 32 bits;
 * returned value is thus truncated. If hi > d, returned values are
 * indeterminate.
 */
static uint32_t br_divrem(uint32_t hi, uint32_t lo, uint32_t d, uint32_t *r)
{
	/* TODO: optimize this */
	uint32_t q;
	uint32_t ch, cf;
	int k;

	q = 0;
	ch = EQ(hi, d);
	hi = MUX(ch, 0, hi);
	for (k = 31; k > 0; k --) {
		int j;
		uint32_t w, ctl, hi2, lo2;

		j = 32 - k;
		w = (hi << j) | (lo >> k);
		ctl = GE(w, d) | (hi >> k);
		hi2 = (w - d) >> j;
		lo2 = lo - (d << k);
		hi = MUX(ctl, hi2, hi);
		lo = MUX(ctl, lo2, lo);
		q |= ctl << k;
	}
	cf = GE(lo, d) | hi;
	q |= cf;
	*r = MUX(cf, lo - d, lo);
	return q;
}

/*
 * Wrapper for br_divrem(); the remainder is returned, and the quotient
 * is discarded.
 */
static uint32_t br_rem(uint32_t hi, uint32_t lo, uint32_t d)
{
	uint32_t r;

	br_divrem(hi, lo, d, &r);
	return r;
}

/*
 * Wrapper for br_divrem(); the quotient is returned, and the remainder
 * is discarded.
 */
static uint32_t br_div(uint32_t hi, uint32_t lo, uint32_t d)
{
	uint32_t r;

	return br_divrem(hi, lo, d, &r);
}

/* from BearSSL's src/int/i32_muladd.c */

/*
 * Multiply x[] by 2^32 and then add integer z, modulo m[]. This
 * function assumes that x[] and m[] have the same announced bit
 * length, and the announced bit length of m[] matches its true
 * bit length.
 *
 * x[] and m[] MUST be distinct arrays.
 *
 * CT: only the common announced bit length of x and m leaks, not
 * the values of x, z or m.
 */
static void br_i32_muladd_small(uint32_t *x, uint32_t z, const uint32_t *m)
{
	uint32_t m_bitlen;
	size_t u, mlen;
	uint32_t a0, a1, b0, hi, g, q, tb;
	uint32_t chf, clow, under, over;
	uint64_t cc;

	/*
	 * We can test on the modulus bit length since we accept to
	 * leak that length.
	 */
	m_bitlen = m[0];
	if (m_bitlen == 0) {
		return;
	}
	if (m_bitlen <= 32) {
		x[1] = br_rem(x[1], z, m[1]);
		return;
	}
	mlen = (m_bitlen + 31) >> 5;

	/*
	 * Principle: we estimate the quotient (x*2^32+z)/m by
	 * doing a 64/32 division with the high words.
	 *
	 * Let:
	 *   w = 2^32
	 *   a = (w*a0 + a1) * w^N + a2
	 *   b = b0 * w^N + b2
	 * such that:
	 *   0 <= a0 < w
	 *   0 <= a1 < w
	 *   0 <= a2 < w^N
	 *   w/2 <= b0 < w
	 *   0 <= b2 < w^N
	 *   a < w*b
	 * I.e. the two top words of a are a0:a1, the top word of b is
	 * b0, we ensured that b0 is "full" (high bit set), and a is
	 * such that the quotient q = a/b fits on one word (0 <= q < w).
	 *
	 * If a = b*q + r (with 0 <= r < q), we can estimate q by
	 * doing an Euclidean division on the top words:
	 *   a0*w+a1 = b0*u + v  (with 0 <= v < w)
	 * Then the following holds:
	 *   0 <= u <= w
	 *   u-2 <= q <= u
	 */
	a0 = br_i32_word(x, m_bitlen - 32);
	hi = x[mlen];
	memmove(x + 2, x + 1, (mlen - 1) * sizeof *x);
	x[1] = z;
	a1 = br_i32_word(x, m_bitlen - 32);
	b0 = br_i32_word(m, m_bitlen - 32);

	/*
	 * We estimate a divisor q. If the quotient returned by br_div()
	 * is g:
	 * -- If a0 == b0 then g == 0; we want q = 0xFFFFFFFF.
	 * -- Otherwise:
	 *    -- if g == 0 then we set q = 0;
	 *    -- otherwise, we set q = g - 1.
	 * The properties described above then ensure that the true
	 * quotient is q-1, q or q+1.
	 */
	g = br_div(a0, a1, b0);
	q = MUX(EQ(a0, b0), 0xFFFFFFFF, MUX(EQ(g, 0), 0, g - 1));

	/*
	 * We subtract q*m from x (with the extra high word of value 'hi').
	 * Since q may be off by 1 (in either direction), we may have to
	 * add or subtract m afterwards.
	 *
	 * The 'tb' flag will be true (1) at the end of the loop if the
	 * result is greater than or equal to the modulus (not counting
	 * 'hi' or the carry).
	 */
	cc = 0;
	tb = 1;
	for (u = 1; u <= mlen; u ++) {
		uint32_t mw, zw, xw, nxw;
		uint64_t zl;

		mw = m[u];
		zl = MUL(mw, q) + cc;
		cc = (uint32_t)(zl >> 32);
		zw = (uint32_t)zl;
		xw = x[u];
		nxw = xw - zw;
		cc += (uint64_t)GT(nxw, xw);
		x[u] = nxw;
		tb = MUX(EQ(nxw, mw), tb, GT(nxw, mw));
	}

	/*
	 * If we underestimated q, then either cc < hi (one extra bit
	 * beyond the top array word), or cc == hi and tb is true (no
	 * extra bit, but the result is not lower than the modulus). In
	 * these cases we must subtract m once.
	 *
	 * Otherwise, we may have overestimated, which will show as
	 * cc > hi (thus a negative result). Correction is adding m once.
	 */
	chf = (uint32_t)(cc >> 32);
	clow = (uint32_t)cc;
	over = chf | GT(clow, hi);
	under = ~over & (tb | (~chf & LT(clow, hi)));
	br_i32_add(x, m, over);
	br_i32_sub(x, m, under);
}

/* from BearSSL's src/int/i32_reduce.c */

/*
 * Reduce an integer (a[]) modulo another (m[]). The result is written
 * in x[] and its announced bit length is set to be equal to that of m[].
 *
 * x[] MUST be distinct from a[] and m[].
 *
 * CT: only announced bit lengths leak, not values of x, a or m.
 */
static void br_i32_reduce(uint32_t *x, const uint32_t *a, const uint32_t *m)
{
	uint32_t m_bitlen, a_bitlen;
	size_t mlen, alen, u;

	m_bitlen = m[0];
	mlen = (m_bitlen + 31) >> 5;

	x[0] = m_bitlen;
	if (m_bitlen == 0) {
		return;
	}

	/*
	 * If the source is shorter, then simply copy all words from a[]
	 * and zero out the upper words.
	 */
	a_bitlen = a[0];
	alen = (a_bitlen + 31) >> 5;
	if (a_bitlen < m_bitlen) {
		memcpy(x + 1, a + 1, alen * sizeof *a);
		for (u = alen; u < mlen; u ++) {
			x[u + 1] = 0;
		}
		return;
	}

	/*
	 * The source length is at least equal to that of the modulus.
	 * We must thus copy N-1 words, and input the remaining words
	 * one by one.
	 */
	memcpy(x + 1, a + 2 + (alen - mlen), (mlen - 1) * sizeof *a);
	x[mlen] = 0;
	for (u = 1 + alen - mlen; u > 0; u --) {
		br_i32_muladd_small(x, a[u], m);
	}
}

/**
 * rsa_free_key_prop() - Free key properties
 * @prop:	Pointer to struct key_prop
 *
 * This function frees all the memories allocated by rsa_gen_key_prop().
 */
void rsa_free_key_prop(struct key_prop *prop)
{
	if (!prop)
		return;

	free((void *)prop->modulus);
	free((void *)prop->public_exponent);
	free((void *)prop->rr);

	free(prop);
}

/**
 * rsa_gen_key_prop() - Generate key properties of RSA public key
 * @key:	Specifies key data in DER format
 * @keylen:	Length of @key
 * @prop:	Generated key property
 *
 * This function takes a blob of encoded RSA public key data in DER
 * format, parse it and generate all the relevant properties
 * in key_prop structure.
 * Return a pointer to struct key_prop in @prop on success.
 *
 * Return:	0 on success, negative on error
 */
int rsa_gen_key_prop(const void *key, uint32_t keylen, struct key_prop **prop)
{
	struct rsa_key rsa_key;
	uint32_t *n = NULL, *rr = NULL, *rrtmp = NULL;
	int rlen, i, ret = 0;

	*prop = calloc(sizeof(**prop), 1);
	if (!(*prop)) {
		ret = -ENOMEM;
		goto out;
	}

	ret = rsa_parse_pub_key(&rsa_key, key, keylen);
	if (ret)
		goto out;

	/* modulus */
	/* removing leading 0's */
	for (i = 0; i < rsa_key.n_sz && !rsa_key.n[i]; i++)
		;
	(*prop)->num_bits = (rsa_key.n_sz - i) * 8;
	(*prop)->modulus = malloc(rsa_key.n_sz - i);
	if (!(*prop)->modulus) {
		ret = -ENOMEM;
		goto out;
	}
	memcpy((void *)(*prop)->modulus, &rsa_key.n[i], rsa_key.n_sz - i);

	n = calloc(sizeof(uint32_t), 1 + ((*prop)->num_bits >> 5));
	rr = calloc(sizeof(uint32_t), 1 + (((*prop)->num_bits * 2) >> 5));
	rrtmp = calloc(sizeof(uint32_t), 2 + (((*prop)->num_bits * 2) >> 5));
	if (!n || !rr || !rrtmp) {
		ret = -ENOMEM;
		goto out;
	}

	/* exponent */
	(*prop)->public_exponent = calloc(1, sizeof(uint64_t));
	if (!(*prop)->public_exponent) {
		ret = -ENOMEM;
		goto out;
	}
	memcpy((void *)(*prop)->public_exponent + sizeof(uint64_t)
						- rsa_key.e_sz,
	       rsa_key.e, rsa_key.e_sz);
	(*prop)->exp_len = sizeof(uint64_t);

	/* n0 inverse */
	br_i32_decode(n, &rsa_key.n[i], rsa_key.n_sz - i);
	(*prop)->n0inv = br_i32_ninv32(n[1]);

	/* R^2 mod n; R = 2^(num_bits) */
	rlen = (*prop)->num_bits * 2; /* #bits of R^2 = (2^num_bits)^2 */
	rr[0] = 0;
	*(uint8_t *)&rr[0] = (1 << (rlen % 8));
	for (i = 1; i < (((rlen + 31) >> 5) + 1); i++)
		rr[i] = 0;
	br_i32_decode(rrtmp, rr, ((rlen + 7) >> 3) + 1);
	br_i32_reduce(rr, rrtmp, n);

	rlen = ((*prop)->num_bits + 7) >> 3; /* #bytes of R^2 mod n */
	(*prop)->rr = malloc(rlen);
	if (!(*prop)->rr) {
		ret = -ENOMEM;
		goto out;
	}
	br_i32_encode((void *)(*prop)->rr, rlen, rr);

out:
	free(n);
	free(rr);
	free(rrtmp);
	if (ret < 0)
		rsa_free_key_prop(*prop);
	return ret;
}