[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

Richard Levitte levitte at openssl.org
Wed Feb 1 02:17:42 UTC 2017


The branch OpenSSL_1_1_0-stable has been updated
       via  dfb109c522a450af7f387d66ad32afeee87f9805 (commit)
       via  12ac28e0928a9cb2b970042b86c0a5ff4476590b (commit)
       via  0feb2207e7ff4ecbf9edea1521e44e0b809ad69d (commit)
       via  f8114d7d775b5802f283a9325635f9f2732e0341 (commit)
      from  ae45175406f8dbda8cb77abcc9da5374c35a25ba (commit)


- Log -----------------------------------------------------------------
commit dfb109c522a450af7f387d66ad32afeee87f9805
Author: Richard Levitte <levitte at openssl.org>
Date:   Wed Feb 1 02:29:46 2017 +0100

    bn: fix occurance of negative zero in BN_rshift1()
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (cherry picked from commit 0a2dcb6990dacc94337f746f4f4a6dfac1fbeac4)

commit 12ac28e0928a9cb2b970042b86c0a5ff4476590b
Author: Geoff Thorpe <geoff at openssl.org>
Date:   Thu Oct 6 10:04:56 2016 -0500

    bn: fix occurances of negative zero
    
    The BIGNUM behaviour is supposed to be "consistent" when going into and
    out of APIs, where "consistent" means 'top' is set minimally and that
    'neg' (negative) is not set if the BIGNUM is zero (which is iff 'top' is
    zero, due to the previous point).
    
    The BN_DEBUG testing (make test) caught the cases that this patch
    corrects.
    
    Note, bn_correct_top() could have been used instead, but that is intended
    for where 'top' is expected to (sometimes) require adjustment after direct
    word-array manipulation, and so is heavier-weight. Here, we are just
    catching the negative-zero case, so we test and correct for that
    explicitly, in-place.
    
    Change-Id: Iddefbd3c28a13d935648932beebcc765d5b85ae7
    Signed-off-by: Geoff Thorpe <geoff at openssl.org>
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/1672)
    (cherry picked from commit 38d1b3cc0271008b8bd130a2c4b442775b028a08)

commit 0feb2207e7ff4ecbf9edea1521e44e0b809ad69d
Author: Geoff Thorpe <geoff at openssl.org>
Date:   Thu Oct 6 09:02:38 2016 -0500

    bn: catch negative zero as an error
    
    Change-Id: I5ab72ad0aae9069b47d5b7b7b9e25bd1b7afa251
    Signed-off-by: Geoff Thorpe <geoff at openssl.org>
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/1672)
    (cherry picked from commit 2fc9b36a96ccd77cbd9ecfb3a3cdaa7ad2ca305e)

commit f8114d7d775b5802f283a9325635f9f2732e0341
Author: Geoff Thorpe <geoff at openssl.org>
Date:   Thu Oct 6 08:25:22 2016 -0500

    bn: fix BN_DEBUG + BN_DEBUG_RAND support
    
    Couple of updates to make this code work properly again;
    * use OPENSSL_assert() instead of assert() (and drop the #include <assert.h>)
    * the circular-dependency-avoidance uses RAND_bytes() (not pseudo)
    
    Change-Id: Iefb5a9dd73f71fd81c1268495c54a64378955354
    Signed-off-by: Geoff Thorpe <geoff at openssl.org>
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/1672)
    (cherry picked from commit 0b50ac1a0fe907f4effcf3f2f36dac32523938c5)

-----------------------------------------------------------------------

Summary of changes:
 crypto/bn/bn_div.c   |  2 +-
 crypto/bn/bn_lcl.h   | 16 +++++++---------
 crypto/bn/bn_mul.c   |  2 +-
 crypto/bn/bn_shift.c |  8 ++++++--
 crypto/bn/bn_word.c  |  2 ++
 5 files changed, 17 insertions(+), 13 deletions(-)

diff --git a/crypto/bn/bn_div.c b/crypto/bn/bn_div.c
index 99abf35..5e620b2 100644
--- a/crypto/bn/bn_div.c
+++ b/crypto/bn/bn_div.c
@@ -254,9 +254,9 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
     wnump = &(snum->d[num_n - 1]);
 
     /* Setup to 'res' */
-    res->neg = (num->neg ^ divisor->neg);
     if (!bn_wexpand(res, (loop + 1)))
         goto err;
+    res->neg = (num->neg ^ divisor->neg);
     res->top = loop - no_branch;
     resp = &(res->d[loop - 1]);
 
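Review bot: Nothing at the moved line `res->neg = (num->neg ^ divisor->neg);` records why it has to follow bn_wexpand(), so a later tidy-up could move it back above the allocation. Going by the commit message, the likely reason is that 'res' may still be zero at that point and a zero must never carry 'neg'; that is an inference, since bn_wexpand() is not shown here. A one-line comment would pin it down: `/* set the sign only after bn_wexpand(): until then 'res' may still be zero, and zero must not be negative */`. The same comment applies to the moved `r->neg = a->neg;` in the BN_lshift() and BN_rshift() hunks of bn_shift.c. BN_div() starts and ends outside this hunk.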
diff --git a/crypto/bn/bn_lcl.h b/crypto/bn/bn_lcl.h
index a3911b1..5fb3814 100644
--- a/crypto/bn/bn_lcl.h
+++ b/crypto/bn/bn_lcl.h
@@ -146,13 +146,10 @@ extern "C" {
 
 # ifdef BN_DEBUG
 
-/* We only need assert() when debugging */
-#  include <assert.h>
-
 #  ifdef BN_DEBUG_RAND
 /* To avoid "make update" cvs wars due to BN_DEBUG, use some tricks */
-#   ifndef RAND_pseudo_bytes
-int RAND_pseudo_bytes(unsigned char *buf, int num);
+#   ifndef RAND_bytes
+int RAND_bytes(unsigned char *buf, int num);
 #    define BN_DEBUG_TRIX
 #   endif
 #   define bn_pollute(a) \
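Review bot: `#ifndef RAND_bytes` only detects a preprocessor macro, so if RAND_bytes is an ordinary function, as the prototype on the next line assumes, the guard is always taken and the hand-written prototype is always emitted. That is harmless while the signatures agree, but the copy here would drift silently if the real declaration changes. The retained "cvs wars" comment does not explain this either. I would replace it with something like `/* local prototype so bn_lcl.h need not include the rand header; keep in sync with the real RAND_bytes() */`. The body of bn_pollute() lies outside this hunk, so how the return value of RAND_bytes() is handled cannot be judged from here.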
@@ -171,7 +168,7 @@ int RAND_pseudo_bytes(unsigned char *buf, int num);
             } \
         } while(0)
 #   ifdef BN_DEBUG_TRIX
-#    undef RAND_pseudo_bytes
+#    undef RAND_bytes
 #   endif
 #  else
 #   define bn_pollute(a)
@@ -180,8 +177,8 @@ int RAND_pseudo_bytes(unsigned char *buf, int num);
         do { \
                 const BIGNUM *_bnum2 = (a); \
                 if (_bnum2 != NULL) { \
-                        assert((_bnum2->top == 0) || \
-                                (_bnum2->d[_bnum2->top - 1] != 0)); \
+                        OPENSSL_assert(((_bnum2->top == 0) && !_bnum2->neg) || \
+                                (_bnum2->top && (_bnum2->d[_bnum2->top - 1] != 0))); \
                         bn_pollute(_bnum2); \
                 } \
         } while(0)
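Review bot: The second arm of the new assertion, `(_bnum2->top && (_bnum2->d[_bnum2->top - 1] != 0))`, accepts any non-zero 'top', including a negative one. The `a->top > 0` test in bn_word.c suggests the field is signed, so a corrupted negative 'top' would make the consistency check itself read before the start of d[]. Writing the arm as `(_bnum2->top > 0 && (_bnum2->d[_bnum2->top - 1] != 0))` makes the assertion fail cleanly in that case. The `#define` line of this macro is outside the hunk.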
@@ -192,7 +189,8 @@ int RAND_pseudo_bytes(unsigned char *buf, int num);
 #  define bn_wcheck_size(bn, words) \
         do { \
                 const BIGNUM *_bnum2 = (bn); \
-                assert((words) <= (_bnum2)->dmax && (words) >= (_bnum2)->top); \
+                OPENSSL_assert((words) <= (_bnum2)->dmax && \
+                        (words) >= (_bnum2)->top); \
                 /* avoid unused variable warning with NDEBUG */ \
                 (void)(_bnum2); \
         } while(0)
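Review bot: The retained comment `/* avoid unused variable warning with NDEBUG */` is stale now that the check uses OPENSSL_assert(), which to my knowledge is not compiled out by NDEBUG the way assert() is. Either drop the `(void)(_bnum2);` line together with the comment, or reword it, e.g. `/* keep _bnum2 referenced even if the assertion is ever compiled out */`. It is also worth stating near `# ifdef BN_DEBUG` that these checks now abort the process in any build that defines BN_DEBUG, so the flag belongs in test builds only.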
diff --git a/crypto/bn/bn_mul.c b/crypto/bn/bn_mul.c
index 4c39d40..4a0a950 100644
--- a/crypto/bn/bn_mul.c
+++ b/crypto/bn/bn_mul.c
@@ -857,7 +857,6 @@ int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
             goto err;
     } else
         rr = r;
-    rr->neg = a->neg ^ b->neg;
 
 #if defined(BN_MUL_COMBA) || defined(BN_RECURSION)
     i = al - bl;
@@ -969,6 +968,7 @@ int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
 #if defined(BN_MUL_COMBA) || defined(BN_RECURSION)
  end:
 #endif
+    rr->neg = a->neg ^ b->neg;
     bn_correct_top(rr);
     if (r != rr && BN_copy(r, rr) == NULL)
         goto err;
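Review bot: The zero-product case now depends on `rr->neg = a->neg ^ b->neg;` staying directly ahead of `bn_correct_top(rr);`, and nothing at this spot says so. The commit message implies bn_correct_top() normalises a negative zero, but its definition is not on this page, so that is an assumption worth writing down. Suggested comment: `/* set the sign last; bn_correct_top() must run afterwards so a zero product is not left negative */`. BN_mul() begins and ends outside this hunk.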
diff --git a/crypto/bn/bn_shift.c b/crypto/bn/bn_shift.c
index 9907b82..6a1eec8 100644
--- a/crypto/bn/bn_shift.c
+++ b/crypto/bn/bn_shift.c
@@ -74,6 +74,8 @@ int BN_rshift1(BIGNUM *r, const BIGNUM *a)
         c = (t & 1) ? BN_TBIT : 0;
     }
     r->top = j;
+    if (!r->top)
+        r->neg = 0; /* don't allow negative zero */
     bn_check_top(r);
     return (1);
 }
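Review bot: The fix-up `if (!r->top) r->neg = 0;` is written out by hand here and again at the end of BN_rshift() and BN_div_word(), yet the diffstat lists no test file, so the invariant is only exercised when the library is built with BN_DEBUG. A small regression test would cover all three sites in ordinary builds, for example shifting -1 right by one bit, or dividing -1 by a larger word, and checking that BN_is_negative() returns 0 on the result. As a style point, 'top' is a count rather than a flag, so `if (r->top == 0)` reads more clearly than `if (!r->top)`. The start of BN_rshift1() is outside this hunk.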
@@ -92,10 +94,10 @@ int BN_lshift(BIGNUM *r, const BIGNUM *a, int n)
         return 0;
     }
 
-    r->neg = a->neg;
     nw = n / BN_BITS2;
     if (bn_wexpand(r, a->top + nw + 1) == NULL)
         return (0);
+    r->neg = a->neg;
     lb = n % BN_BITS2;
     rb = BN_BITS2 - lb;
     f = a->d;
@@ -140,9 +142,9 @@ int BN_rshift(BIGNUM *r, const BIGNUM *a, int n)
     }
     i = (BN_num_bits(a) - n + (BN_BITS2 - 1)) / BN_BITS2;
     if (r != a) {
-        r->neg = a->neg;
         if (bn_wexpand(r, i) == NULL)
             return (0);
+        r->neg = a->neg;
     } else {
         if (n == 0)
             return 1;           /* or the copying loop will go berserk */
@@ -166,6 +168,8 @@ int BN_rshift(BIGNUM *r, const BIGNUM *a, int n)
         if ((l = (l >> rb) & BN_MASK2))
             *(t) = l;
     }
+    if (!r->top)
+        r->neg = 0; /* don't allow negative zero */
     bn_check_top(r);
     return (1);
 }
diff --git a/crypto/bn/bn_word.c b/crypto/bn/bn_word.c
index a34244c..1af13a5 100644
--- a/crypto/bn/bn_word.c
+++ b/crypto/bn/bn_word.c
@@ -89,6 +89,8 @@ BN_ULONG BN_div_word(BIGNUM *a, BN_ULONG w)
     if ((a->top > 0) && (a->d[a->top - 1] == 0))
         a->top--;
     ret >>= j;
+    if (!a->top)
+        a->neg = 0; /* don't allow negative zero */
     bn_check_top(a);
     return (ret);
 }

