From: Geoff Thorpe Date: Wed, 30 Apr 2014 15:39:24 +0000 (-0400) Subject: bignum: fix boundary condition in montgomery logic X-Git-Tag: master-post-reformat~846 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=a52926189155d906d8c11ff97cbc1e5191d202cd;p=oweals%2Fopenssl.git bignum: fix boundary condition in montgomery logic It's not clear whether this inconsistency could lead to an actual computation error, but it involved a BIGNUM being passed around the montgomery logic in an inconsistent state. This was found using flags -DBN_DEBUG -DBN_DEBUG_RAND, and working backwards from this assertion in 'ectest'; ectest: bn_mul.c:960: BN_mul: Assertion `(_bnum2->top == 0) || (_bnum2->d[_bnum2->top - 1] != 0)' failed Signed-off-by: Geoff Thorpe --- diff --git a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c index baeda372cf..ea2bd0a898 100644 --- a/crypto/bn/bn_exp.c +++ b/crypto/bn/bn_exp.c @@ -494,6 +494,9 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, r->d[0] = (0-m->d[0])&BN_MASK2; for(i=1;id[i] = (~m->d[i])&BN_MASK2; r->top = j; + /* Upper words will be zero if the corresponding words of 'm' + * were 0xfff[...], so decrement r->top accordingly. */ + bn_correct_top(r); } else #endif
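
Review bot: the bn_correct_top(r) call added after r->top = j comes with no regression test, and the commit message says the inconsistent state was only noticed through an assertion in ectest when building with -DBN_DEBUG -DBN_DEBUG_RAND. Consider adding a BN_mod_exp_mont test whose modulus has all-ones most significant words, so that the complemented upper words of r are zero and this branch is exercised directly rather than by chance. The new comment would also be clearer if it named the invariant being restored, as the quoted assertion does (top == 0, or d[top - 1] != 0), instead of describing only the 0xfff[...] case.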