From d9d294463e9d5309336ac4f3d7a5a3e25555c0a2 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Bodo=20M=C3=B6ller?= <bodo@openssl.org>
Date: Tue, 19 Sep 2006 10:00:29 +0000
Subject: [PATCH] Ensure that the addition mods[i]+delta cannot overflow in
 probable_prime().

[Problem pointed out by Adam Young <adamy (at) acm.org>]
---
 crypto/bn/bn_prime.c | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/crypto/bn/bn_prime.c b/crypto/bn/bn_prime.c
index e072d9255c..e03c246102 100644
--- a/crypto/bn/bn_prime.c
+++ b/crypto/bn/bn_prime.c
@@ -350,13 +350,14 @@ static int probable_prime(BIGNUM *rnd, int bits)
 	{
 	int i;
 	BN_ULONG mods[NUMPRIMES];
-	BN_ULONG delta,d;
+	BN_ULONG delta,maxdelta;
 
 again:
 	if (!BN_rand(rnd,bits,1,1)) return(0);
 	/* we now have a random number 'rand' to test. */
 	for (i=1; i<NUMPRIMES; i++)
 		mods[i]=BN_mod_word(rnd,(BN_ULONG)primes[i]);
+	maxdelta=BN_MASK2 - primes[NUMPRIMES-1];
 	delta=0;
 	loop: for (i=1; i<NUMPRIMES; i++)
 		{
@@ -364,12 +365,8 @@ again:
 		 * that gcd(rnd-1,primes) == 1 (except for 2) */
 		if (((mods[i]+delta)%primes[i]) <= 1)
 			{
-			d=delta;
 			delta+=2;
-			/* perhaps need to check for overflow of
-			 * delta (but delta can be up to 2^32)
-			 * 21-May-98 eay - added overflow check */
-			if (delta < d) goto again;
+			if (delta > maxdelta) goto again;
 			goto loop;
 			}
 		}
-- 
2.25.1