tolerate broken CMS/PKCS7 implementations using signature OID instead of digest

[oweals/openssl.git] / crypto / bn / bn_div.c

diff --git a/crypto/bn/bn_div.c b/crypto/bn/bn_div.c
index 1fd0206e1da79f7edf4da477616264ab35292267..5ea0d6510f8734b0d46537849bfe70c96374adaf 100644 (file)
--- a/crypto/bn/bn_div.c
+++ b/crypto/bn/bn_div.c
@@ -169,13 +169,15 @@ int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d,
 #endif /* OPENSSL_NO_ASM */
 
 
-/* BN_div computes  dv := num / divisor,  rounding towards zero, and sets up
- * rm  such that  dv*divisor + rm = num  holds.
+/* BN_div[_no_branch] computes  dv := num / divisor,  rounding towards
+ * zero, and sets up rm  such that  dv*divisor + rm = num  holds.
  * Thus:
  *     dv->neg == num->neg ^ divisor->neg  (unless the result is zero)
  *     rm->neg == num->neg                 (unless the remainder is zero)
  * If 'dv' or 'rm' is NULL, the respective value is not returned.
  */
+static int BN_div_no_branch(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num,
+        const BIGNUM *divisor, BN_CTX *ctx);
 int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
           BN_CTX *ctx)
        {
@@ -185,14 +187,25 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
        BN_ULONG d0,d1;
        int num_n,div_n;
 
-       if (BN_get_flags(num, BN_FLG_CONSTTIME) != 0)
+       /* Invalid zero-padding would have particularly bad consequences
+        * in the case of 'num', so don't just rely on bn_check_top() for this one
+        * (bn_check_top() works only for BN_DEBUG builds) */
+       if (num->top > 0 && num->d[num->top - 1] == 0)
+               {
+               BNerr(BN_F_BN_DIV,BN_R_NOT_INITIALIZED);
+               return 0;
+               }
+
+       bn_check_top(num);
+
+       if ((BN_get_flags(num, BN_FLG_CONSTTIME) != 0) || (BN_get_flags(divisor, BN_FLG_CONSTTIME) != 0))
                {
                return BN_div_no_branch(dv, rm, num, divisor, ctx);
                }
 
        bn_check_top(dv);
        bn_check_top(rm);
-       bn_check_top(num);
+       /* bn_check_top(num); */ /* 'num' has been checked already */
        bn_check_top(divisor);
 
        if (BN_is_zero(divisor))
@@ -216,7 +229,8 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
        if (dv == NULL)
                res=BN_CTX_get(ctx);
        else    res=dv;
-       if (sdiv == NULL || res == NULL) goto err;
+       if (sdiv == NULL || res == NULL || tmp == NULL || snum == NULL)
+               goto err;
 
        /* First we normalise the numbers */
        norm_shift=BN_BITS2-((BN_num_bits(divisor))%BN_BITS2);
@@ -406,7 +420,7 @@ err:
 /* BN_div_no_branch is a special version of BN_div. It does not contain
  * branches that may leak sensitive information.
  */
-int BN_div_no_branch(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, 
+static int BN_div_no_branch(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, 
        const BIGNUM *divisor, BN_CTX *ctx)
        {
        int norm_shift,i,loop;
@@ -417,12 +431,12 @@ int BN_div_no_branch(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num,
 
        bn_check_top(dv);
        bn_check_top(rm);
-       bn_check_top(num);
+       /* bn_check_top(num); */ /* 'num' has been checked in BN_div() */
        bn_check_top(divisor);
 
        if (BN_is_zero(divisor))
                {
-               BNerr(BN_F_BN_DIV,BN_R_DIV_BY_ZERO);
+               BNerr(BN_F_BN_DIV_NO_BRANCH,BN_R_DIV_BY_ZERO);
                return(0);
                }
 
@@ -618,6 +632,7 @@ X) -> 0x%08X\n",
                        rm->neg = neg;
                bn_check_top(rm);
                }
+       bn_correct_top(res);
        BN_CTX_end(ctx);
        return(1);
 err: