Attachment 159381 Details for Bug 245732 – Proposed patch for 0.9.6 and 0.9.6b

[patch] Proposed patch for 0.9.6 and 0.9.6b

openssl-0.9.6b-cve-2007-3108.patch (text/plain), 3.08 KB, created by Miloslav Trmač on 2007-07-16 21:53:23 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Miloslav Trmač

Created: 2007-07-16 21:53:23 UTC

Size: 3.08 KB

patch

obsolete

>--- openssl-engine-0.9.6b/crypto/bn/bn_mont.c.cve-2007-3108	2000-09-20 15:45:29.000000000 +0200
>+++ openssl-engine-0.9.6b/crypto/bn/bn_mont.c	2007-07-16 23:43:29.000000000 +0200
>@@ -108,6 +108,7 @@ int BN_from_montgomery(BIGNUM *ret, BIGN
> 	BIGNUM *n,*r;
> 	BN_ULONG *ap,*np,*rp,n0,v,*nrp;
> 	int al,nl,max,i,x,ri;
>+	size_t m1,m2;
> 
> 	BN_CTX_start(ctx);
> 	if ((r = BN_CTX_get(ctx)) == NULL) goto err;
>@@ -125,7 +126,6 @@ int BN_from_montgomery(BIGNUM *ret, BIGN
> 
> 	max=(nl+al+1); /* allow for overflow (no?) XXX */
> 	if (bn_wexpand(r,max) == NULL) goto err;
>-	if (bn_wexpand(ret,max) == NULL) goto err;
> 
> 	r->neg=a->neg^n->neg;
> 	np=n->d;
>@@ -177,37 +177,70 @@ int BN_from_montgomery(BIGNUM *ret, BIGN
> 		}
> 	bn_fix_top(r);
> 	
>-	/* mont->ri will be a multiple of the word size */
>-#if 0
>-	BN_rshift(ret,r,mont->ri);
>-#else
>+	/* mont->ri will be a multiple of the word size and below code
>+	 * is kind of BN_rshift(ret,r,mont->ri) equivalent */
>+	if (r->top < ri)
>+		{
>+		ret->top=0;
>+		retn=1;
>+		goto err;
>+		}
>+	al=r->top-ri;
>+	if (bn_wexpand(ret,ri) == NULL) goto err;
>+	x=0-(((al-ri)>>(sizeof(al)*8-1))&1);
>+	ret->top=x=(ri&~x)|(al&x);	/* min(ri,al) */
> 	ret->neg = r->neg;
>-	x=ri;
>+
> 	rp=ret->d;
>-	ap= &(r->d[x]);
>-	if (r->top < x)
>-		al=0;
>-	else
>-		al=r->top-x;
>-	ret->top=al;
>-	al-=4;
>-	for (i=0; i<al; i+=4)
>+	ap=&(r->d[ri]);
>+
>+	v=bn_sub_words(rp,ap,mont->N.d,ri);
>+	/* this -----------------------^^ works even in al<ri case
>+	 * thanks to zealous zeroing of top of the vector in the
>+	 * beginning. */
>+
>+	/* if (al==ri && !v) || al>ri) nrp=rp; else nrp=ap; */
>+	/* in other words if subtraction result is real, then
>+	 * trick unconditional memcpy below to perform in-place
>+	 * "refresh" instead of actual copy. */
>+	m1=0-(size_t)(((al-ri)>>(sizeof(al)*8-1))&1);	/* al<ri */
>+	m2=0-(size_t)(((ri-al)>>(sizeof(al)*8-1))&1);	/* al>ri */
>+	m1|=m2;			/* (al!=ri) */
>+	m1|=(0-(size_t)v);	/* (al!=ri || v) */
>+	m1&=~m2;		/* (al!=ri || v) && !al>ri */
>+	nrp=(BN_ULONG *)(((size_t)rp&~m1)|((size_t)ap&m1));
>+
>+	/* 'i<ri' is chosen to eliminate dependency on input data, even
>+	 * though it results in redundant copy in al<ri case. */
>+	for (i=0,ri-=4; i<ri; i+=4)
> 		{
> 		BN_ULONG t1,t2,t3,t4;
> 		
>-		t1=ap[i+0];
>-		t2=ap[i+1];
>-		t3=ap[i+2];
>-		t4=ap[i+3];
>+		t1=nrp[i+0];
>+		t2=nrp[i+1];
>+		t3=nrp[i+2];
>+		t4=nrp[i+3];
> 		rp[i+0]=t1;
> 		rp[i+1]=t2;
> 		rp[i+2]=t3;
> 		rp[i+3]=t4;
> 		}
>-	al+=4;
>-	for (; i<al; i++)
>-		rp[i]=ap[i];
>-#endif
>+	for (ri+=4; i<ri; i++)
>+		rp[i]=nrp[i];
>+	/* The API only prohibits inputs > N in newer openssl releases.  For
>+	   now, handle al > ri. */
>+	if (ri < al)
>+		{
>+		if (bn_wexpand(ret,al) == NULL) goto err;
>+		ret->top=al;
>+		rp=ret->d;
>+		for (; i < al; i++)
>+			{
>+			rp[i]=ap[i]-v;
>+			v=ap[i]<v;
>+			}
>+		bn_fix_top(ret);
>+		}
> #else /* !MONT_WORD */ 
> 	BIGNUM *t1,*t2;
> 
>@@ -225,12 +258,12 @@ int BN_from_montgomery(BIGNUM *ret, BIGN
> 	if (!BN_mul(t1,t2,&mont->N,ctx)) goto err;
> 	if (!BN_add(t2,a,t1)) goto err;
> 	BN_rshift(ret,t2,mont->ri);
>-#endif /* MONT_WORD */
> 
> 	if (BN_ucmp(ret, &(mont->N)) >= 0)
> 		{
> 		BN_usub(ret,ret,&(mont->N));
> 		}
>+#endif /* MONT_WORD */
> 	retn=1;
>  err:
> 	BN_CTX_end(ctx);

Actions: View | Diff

Attachments on bug 245732: 159337 | 159339 | 159381 | 159391