提交 c1ec4db3 编写于 作者: A Andy Polyakov

bn/bn_exp.c: harmonize BN_mod_exp_mont_consttime with negative input.

All exponentiation subroutines except BN_mod_exp_mont_consttime produce
a non-negative result for negative input; the inconsistency confuses the fuzzer.
Reviewed-by: NPaul Dale <paul.dale@oracle.com>
Reviewed-by: NKurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/4676)
上级 899e62d1
...@@ -651,31 +651,33 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, ...@@ -651,31 +651,33 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
} }
#ifdef RSAZ_ENABLED #ifdef RSAZ_ENABLED
/* if (!a->neg) {
* If the size of the operands allow it, perform the optimized /*
* RSAZ exponentiation. For further information see * If the size of the operands allow it, perform the optimized
* crypto/bn/rsaz_exp.c and accompanying assembly modules. * RSAZ exponentiation. For further information see
*/ * crypto/bn/rsaz_exp.c and accompanying assembly modules.
if ((16 == a->top) && (16 == p->top) && (BN_num_bits(m) == 1024) */
&& rsaz_avx2_eligible()) { if ((16 == a->top) && (16 == p->top) && (BN_num_bits(m) == 1024)
if (NULL == bn_wexpand(rr, 16)) && rsaz_avx2_eligible()) {
if (NULL == bn_wexpand(rr, 16))
goto err;
RSAZ_1024_mod_exp_avx2(rr->d, a->d, p->d, m->d, mont->RR.d,
mont->n0[0]);
rr->top = 16;
rr->neg = 0;
bn_correct_top(rr);
ret = 1;
goto err; goto err;
RSAZ_1024_mod_exp_avx2(rr->d, a->d, p->d, m->d, mont->RR.d, } else if ((8 == a->top) && (8 == p->top) && (BN_num_bits(m) == 512)) {
mont->n0[0]); if (NULL == bn_wexpand(rr, 8))
rr->top = 16; goto err;
rr->neg = 0; RSAZ_512_mod_exp(rr->d, a->d, p->d, m->d, mont->n0[0], mont->RR.d);
bn_correct_top(rr); rr->top = 8;
ret = 1; rr->neg = 0;
goto err; bn_correct_top(rr);
} else if ((8 == a->top) && (8 == p->top) && (BN_num_bits(m) == 512)) { ret = 1;
if (NULL == bn_wexpand(rr, 8))
goto err; goto err;
RSAZ_512_mod_exp(rr->d, a->d, p->d, m->d, mont->n0[0], mont->RR.d); }
rr->top = 8;
rr->neg = 0;
bn_correct_top(rr);
ret = 1;
goto err;
} }
#endif #endif
...@@ -748,7 +750,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, ...@@ -748,7 +750,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
/* prepare a^1 in Montgomery domain */ /* prepare a^1 in Montgomery domain */
if (a->neg || BN_ucmp(a, m) >= 0) { if (a->neg || BN_ucmp(a, m) >= 0) {
if (!BN_mod(&am, a, m, ctx)) if (!BN_nnmod(&am, a, m, ctx))
goto err; goto err;
if (!BN_to_montgomery(&am, &am, mont, ctx)) if (!BN_to_montgomery(&am, &am, mont, ctx))
goto err; goto err;
...@@ -1258,7 +1260,7 @@ int BN_mod_exp_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, ...@@ -1258,7 +1260,7 @@ int BN_mod_exp_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
} }
bits = BN_num_bits(p); bits = BN_num_bits(p);
if (bits == 0) { if (bits == 0) {
/* x**0 mod 1 is still zero. */ /* x**0 mod 1 is still zero. */
if (BN_is_one(m)) { if (BN_is_one(m)) {
ret = 1; ret = 1;
......
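Review bot: The new `if (!a->neg)` guard around the RSAZ fast path in the first hunk has no comment saying why a negative base must skip it, and the reason is not obvious from the condition. Both RSAZ calls are handed the raw limbs `a->d` and then force `rr->neg = 0`, so they appear to ignore the sign of `a`, whereas the generic path in the second hunk now reduces with `BN_nnmod`. I would add `/* RSAZ sees only the limbs of a, not its sign; negative bases take the generic path, which reduces with BN_nnmod(). */` above the guard. No regression test is visible on this page; one that checks a negative `a` gives the same result from BN_mod_exp_mont_consttime as from the other exponentiation routines, on builds with and without RSAZ_ENABLED, would pin the behaviour the commit message describes. The body of BN_mod_exp_mont_consttime starts and ends outside these hunks.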