+/*
+ * Verify that the public data in an RSA key matches the private
+ * data. We also check the private data itself: we ensure that p >
+ * q and that iqmp really is the inverse of q mod p.
+ */
+int rsa_verify(struct RSAKey *key)
+{
+ Bignum n, ed, pm1, qm1;
+ int cmp;
+
+ /* n must equal pq. */
+ n = bigmul(key->p, key->q);
+ cmp = bignum_cmp(n, key->modulus);
+ freebn(n);
+ if (cmp != 0)
+ return 0;
+
+ /* e * d must be congruent to 1, modulo (p-1) and modulo (q-1). */
+ pm1 = copybn(key->p);
+ decbn(pm1);
+ ed = modmul(key->exponent, key->private_exponent, pm1);
+ cmp = bignum_cmp(ed, One);
+ sfree(ed);
+ if (cmp != 0)
+ return 0;
+
+ qm1 = copybn(key->q);
+ decbn(qm1);
+ ed = modmul(key->exponent, key->private_exponent, qm1);
+ cmp = bignum_cmp(ed, One);
+ sfree(ed);
+ if (cmp != 0)
+ return 0;
+
+ /*
+ * Ensure p > q.
+ */
+ if (bignum_cmp(key->p, key->q) <= 0)
+ return 0;
+
+ /*
+ * Ensure iqmp * q is congruent to 1, modulo p.
+ */
+ n = modmul(key->iqmp, key->q, key->p);
+ cmp = bignum_cmp(n, One);
+ sfree(n);
+ if (cmp != 0)
+ return 0;
+
+ return 1;
+}
+
+/* Public key blob as used by Pageant: exponent before modulus. */
+unsigned char *rsa_public_blob(struct RSAKey *key, int *len)
+{
+ int length, pos;
+ unsigned char *ret;
+
+ length = (ssh1_bignum_length(key->modulus) +
+ ssh1_bignum_length(key->exponent) + 4);
+ ret = smalloc(length);
+
+ PUT_32BIT(ret, bignum_bitcount(key->modulus));
+ pos = 4;
+ pos += ssh1_write_bignum(ret + pos, key->exponent);
+ pos += ssh1_write_bignum(ret + pos, key->modulus);
+
+ *len = length;
+ return ret;
+}
+
+/* Given a public blob, determine its length. */
+int rsa_public_blob_len(void *data)
+{
+ unsigned char *p = (unsigned char *)data;
+ int ret;
+
+ p += 4; /* length word */
+ p += ssh1_read_bignum(p, NULL); /* exponent */
+ p += ssh1_read_bignum(p, NULL); /* modulus */
+
+ return p - (unsigned char *)data;
+}
+
+void freersakey(struct RSAKey *key)
+{
+ if (key->modulus)
+ freebn(key->modulus);
+ if (key->exponent)
+ freebn(key->exponent);
+ if (key->private_exponent)
+ freebn(key->private_exponent);
+ if (key->comment)
+ sfree(key->comment);