[openssl] master update

Matt Caswell matt at openssl.org
Mon Feb 25 16:32:06 UTC 2019

The branch master has been updated
       via  576129cd72ae054d246221f111aabf42b9c6d76d (commit)
      from  56a98c3efde3a49084a232a56aa666533362f1a2 (commit)

- Log -----------------------------------------------------------------
commit 576129cd72ae054d246221f111aabf42b9c6d76d
Author: Matt Caswell <matt at openssl.org>
Date:   Mon Feb 25 11:28:32 2019 +0000

    Ensure bn_cmp_words can handle the case where n == 0
    Thanks to David Benjamin who reported this, performed the analysis and
    suggested the patch. I have incorporated some of his analysis in the
    comments below.
    This issue can cause an out-of-bounds read. It is believed that this was
    not reachable until the recent "fixed top" changes. Analysis has so far
    only identified one code path that can encounter this - although it is
    possible that others may be found. The one code path only impacts 1.0.2 in
    certain builds. The fuzzer found a path in RSA where iqmp is too large. If
    the input is all zeros, the RSA CRT logic will multiply a padded zero by
    iqmp. Two mitigating factors:
    - Private keys which trip this are invalid (iqmp is not reduced mod p).
    Only systems which take untrusted private keys care.
    - In OpenSSL 1.1.x, there is a check which rejects the oversize iqmp,
    so the bug is only reproducible in 1.0.2 so far.
    Fortunately, the bug appears to be relatively harmless. The consequences of
    bn_cmp_word's misbehavior are:
    - OpenSSL may crash if the buffers are page-aligned and the previous page is
    - OpenSSL will incorrectly treat two BN_ULONG buffers as not equal when they
    are equal.
    - Side channel concerns.
    The first is indeed a concern and is a DoS bug. The second is fine in this
    context. bn_cmp_word and bn_cmp_part_words are used to compute abs(a0 - a1)
    in Karatsuba. If a0 = a1, it does not matter whether we use a0 - a1 or
    a1 - a0. The third would be worth thinking about, but it is overshadowed
    by the entire Karatsuba implementation not being constant time.
    Due to the difficulty of tripping this and the low impact no CVE is felt
    necessary for this issue.
    Reviewed-by: Paul Dale <paul.dale at oracle.com>
    Reviewed-by: Viktor Dukhovni <viktor at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/8326)


Summary of changes:
 crypto/bn/bn_lib.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c
index 494ee49..e624caf 100644
--- a/crypto/bn/bn_lib.c
+++ b/crypto/bn/bn_lib.c
@@ -695,6 +695,9 @@ int bn_cmp_words(const BN_ULONG *a, const BN_ULONG *b, int n)
     int i;
     BN_ULONG aa, bb;
+    if (n == 0)
+        return 0;
     aa = a[n - 1];
     bb = b[n - 1];
     if (aa != bb)

More information about the openssl-commits mailing list