diff options
| author | Geoff Thorpe <geoff@openssl.org> | 2014-04-30 11:39:24 -0400 |
|---|---|---|
| committer | Geoff Thorpe <geoff@openssl.org> | 2014-04-30 11:49:31 -0400 |
| commit | a52926189155d906d8c11ff97cbc1e5191d202cd (patch) | |
| tree | 3afdb2399a90409ecf6212cd5e0c57e878eec604 /crypto/bn/bn_exp.c | |
| parent | 9cabf6bb802b705d6bbbc9525a03e922a58d5d5b (diff) | |
bignum: fix boundary condition in montgomery logic
It's not clear whether this inconsistency could lead to an actual
computation error, but it involved a BIGNUM being passed around the
montgomery logic in an inconsistent state. This was found using flags
-DBN_DEBUG -DBN_DEBUG_RAND, and working backwards from this assertion
in 'ectest';
ectest: bn_mul.c:960: BN_mul: Assertion `(_bnum2->top == 0) ||
(_bnum2->d[_bnum2->top - 1] != 0)' failed
Signed-off-by: Geoff Thorpe <geoff@openssl.org>
Diffstat (limited to 'crypto/bn/bn_exp.c')
| -rw-r--r-- | crypto/bn/bn_exp.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c index baeda372cf..ea2bd0a898 100644 --- a/crypto/bn/bn_exp.c +++ b/crypto/bn/bn_exp.c @@ -494,6 +494,9 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, r->d[0] = (0-m->d[0])&BN_MASK2; for(i=1;i<j;i++) r->d[i] = (~m->d[i])&BN_MASK2; r->top = j; + /* Upper words will be zero if the corresponding words of 'm' + * were 0xfff[...], so decrement r->top accordingly. */ + bn_correct_top(r); } else #endif |