[packages/openssl.git] / openssl-CVE-2007-3108.patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --- openssl-0.9.8e/crypto/bn/bn_mont.c	2006-06-16 03:01:14.000000000 +0200
+++ openssl-0.9.8-cvs/crypto/bn/bn_mont.c	2007-06-29 10:13:25.000000000 +0200
@@ -176,7 +176,6 @@
 
 	max=(nl+al+1); /* allow for overflow (no?) XXX */
 	if (bn_wexpand(r,max) == NULL) goto err;
- -	if (bn_wexpand(ret,max) == NULL) goto err;
 
 	r->neg=a->neg^n->neg;
 	np=n->d;
@@ -228,19 +227,70 @@
 		}
 	bn_correct_top(r);
 	
- -	/* mont->ri will be a multiple of the word size */
- -#if 0
- -	BN_rshift(ret,r,mont->ri);
- -#else
- -	ret->neg = r->neg;
- -	x=ri;
+	/* mont->ri will be a multiple of the word size and below code
+	 * is kind of BN_rshift(ret,r,mont->ri) equivalent */
+	if (r->top <= ri)
+		{
+		ret->top=0;
+		retn=1;
+		goto err;
+		}
+	al=r->top-ri;
+
+# define BRANCH_FREE 1
+# if BRANCH_FREE
+	if (bn_wexpand(ret,ri) == NULL) goto err;
+	x=0-(((al-ri)>>(sizeof(al)*8-1))&1);
+	ret->top=x=(ri&~x)|(al&x);	/* min(ri,al) */
+	ret->neg=r->neg;
+
 	rp=ret->d;
- -	ap= &(r->d[x]);
- -	if (r->top < x)
- -		al=0;
- -	else
- -		al=r->top-x;
+	ap=&(r->d[ri]);
+
+	{
+	size_t m1,m2;
+
+	v=bn_sub_words(rp,ap,np,ri);
+	/* this ----------------^^ works even in al<ri case
+	 * thanks to zealous zeroing of top of the vector in the
+	 * beginning. */
+
+	/* if (al==ri && !v) || al>ri) nrp=rp; else nrp=ap; */
+	/* in other words if subtraction result is real, then
+	 * trick unconditional memcpy below to perform in-place
+	 * "refresh" instead of actual copy. */
+	m1=0-(size_t)(((al-ri)>>(sizeof(al)*8-1))&1);	/* al<ri */
+	m2=0-(size_t)(((ri-al)>>(sizeof(al)*8-1))&1);	/* al>ri */
+	m1|=m2;			/* (al!=ri) */
+	m1|=(0-(size_t)v);	/* (al!=ri || v) */
+	m1&=~m2;		/* (al!=ri || v) && !al>ri */
+	nrp=(BN_ULONG *)(((size_t)rp&~m1)|((size_t)ap&m1));
+	}
+
+	/* 'i<ri' is chosen to eliminate dependency on input data, even
+	 * though it results in redundant copy in al<ri case. */
+	for (i=0,ri-=4; i<ri; i+=4)
+		{
+		BN_ULONG t1,t2,t3,t4;
+		
+		t1=nrp[i+0];
+		t2=nrp[i+1];
+		t3=nrp[i+2];	ap[i+0]=0;
+		t4=nrp[i+3];	ap[i+1]=0;
+		rp[i+0]=t1;	ap[i+2]=0;
+		rp[i+1]=t2;	ap[i+3]=0;
+		rp[i+2]=t3;
+		rp[i+3]=t4;
+		}
+	for (ri+=4; i<ri; i++)
+		rp[i]=nrp[i], ap[i]=0;
+# else
+	if (bn_wexpand(ret,al) == NULL) goto err;
 	ret->top=al;
+	ret->neg=r->neg;
+
+	rp=ret->d;
+	ap=&(r->d[ri]);
 	al-=4;
 	for (i=0; i<al; i+=4)
 		{
@@ -258,7 +308,7 @@
 	al+=4;
 	for (; i<al; i++)
 		rp[i]=ap[i];
- -#endif
+# endif
 #else /* !MONT_WORD */ 
 	BIGNUM *t1,*t2;
 
@@ -278,10 +328,12 @@
 	if (!BN_rshift(ret,t2,mont->ri)) goto err;
 #endif /* MONT_WORD */
 
+#if !defined(BRANCH_FREE) || BRANCH_FREE==0
 	if (BN_ucmp(ret, &(mont->N)) >= 0)
 		{
 		if (!BN_usub(ret,ret,&(mont->N))) goto err;
 		}
+#endif
 	retn=1;
 	bn_check_top(ret);
  err:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQCVAwUBRrGk++6tTP1JpWPZAQJbjwP/W/6mROtxOVU1gvvq/uFHCytNWHVaJfKA
7zh+v4OPQEIYekIBkEpNFgTJbHcyIZoyDNnwOetkRXvI4LDqvV1V5/pA5bzrKqDj
zv7Hj8R7DGqG8ad0Esf3l7SqqirI3curkIzm5/cALJBJxz/Pp7qyXNzzQgp55UPz
iBDdynBpa+s=
=aquq
-----END PGP SIGNATURE-----
Commit	Line	Data
b4c9fbed AG	1	-----BEGIN PGP SIGNED MESSAGE-----
	2	Hash: SHA1
	3
	4	- --- openssl-0.9.8e/crypto/bn/bn_mont.c 2006-06-16 03:01:14.000000000 +0200
	5	+++ openssl-0.9.8-cvs/crypto/bn/bn_mont.c 2007-06-29 10:13:25.000000000 +0200
	6	@@ -176,7 +176,6 @@
	7
	8	max=(nl+al+1); /* allow for overflow (no?) XXX */
	9	if (bn_wexpand(r,max) == NULL) goto err;
	10	- - if (bn_wexpand(ret,max) == NULL) goto err;
	11
	12	r->neg=a->neg^n->neg;
	13	np=n->d;
	14	@@ -228,19 +227,70 @@
	15	}
	16	bn_correct_top(r);
	17
	18	- - /* mont->ri will be a multiple of the word size */
	19	- -#if 0
	20	- - BN_rshift(ret,r,mont->ri);
	21	- -#else
	22	- - ret->neg = r->neg;
	23	- - x=ri;
	24	+ /* mont->ri will be a multiple of the word size and below code
	25	+ * is kind of BN_rshift(ret,r,mont->ri) equivalent */
	26	+ if (r->top <= ri)
	27	+ {
	28	+ ret->top=0;
	29	+ retn=1;
	30	+ goto err;
	31	+ }
	32	+ al=r->top-ri;
	33	+
	34	+# define BRANCH_FREE 1
	35	+# if BRANCH_FREE
	36	+ if (bn_wexpand(ret,ri) == NULL) goto err;
	37	+ x=0-(((al-ri)>>(sizeof(al)*8-1))&1);
	38	+ ret->top=x=(ri&~x)\|(al&x); /* min(ri,al) */
	39	+ ret->neg=r->neg;
	40	+
	41	rp=ret->d;
	42	- - ap= &(r->d[x]);
	43	- - if (r->top < x)
	44	- - al=0;
	45	- - else
	46	- - al=r->top-x;
	47	+ ap=&(r->d[ri]);
	48	+
	49	+ {
	50	+ size_t m1,m2;
	51	+
	52	+ v=bn_sub_words(rp,ap,np,ri);
	53	+ /* this ----------------^^ works even in al<ri case
	54	+ * thanks to zealous zeroing of top of the vector in the
	55	+ * beginning. */
	56	+
	57	+ /* if (al==ri && !v) \|\| al>ri) nrp=rp; else nrp=ap; */
	58	+ /* in other words if subtraction result is real, then
	59	+ * trick unconditional memcpy below to perform in-place
	60	+ * "refresh" instead of actual copy. */
	61	+ m1=0-(size_t)(((al-ri)>>(sizeof(al)8-1))&1); / al<ri */
	62	+ m2=0-(size_t)(((ri-al)>>(sizeof(al)8-1))&1); / al>ri */
	63	+ m1\|=m2; /* (al!=ri) */
	64	+ m1\|=(0-(size_t)v); /* (al!=ri \|\| v) */
65	+ m1&=~m2; /* (al!=ri \|\| v) && !al>ri */
66	+ nrp=(BN_ULONG *)(((size_t)rp&~m1)\|((size_t)ap&m1));
67	+ }
68	+
69	+ /* 'i<ri' is chosen to eliminate dependency on input data, even
70	+ * though it results in redundant copy in al<ri case. */
71	+ for (i=0,ri-=4; i<ri; i+=4)
72	+ {
73	+ BN_ULONG t1,t2,t3,t4;
74	+
75	+ t1=nrp[i+0];
76	+ t2=nrp[i+1];
77	+ t3=nrp[i+2]; ap[i+0]=0;
78	+ t4=nrp[i+3]; ap[i+1]=0;
79	+ rp[i+0]=t1; ap[i+2]=0;
80	+ rp[i+1]=t2; ap[i+3]=0;
81	+ rp[i+2]=t3;
82	+ rp[i+3]=t4;
83	+ }
84	+ for (ri+=4; i<ri; i++)
85	+ rp[i]=nrp[i], ap[i]=0;
86	+# else
87	+ if (bn_wexpand(ret,al) == NULL) goto err;
88	ret->top=al;
89	+ ret->neg=r->neg;
90	+
91	+ rp=ret->d;
92	+ ap=&(r->d[ri]);
93	al-=4;
94	for (i=0; i<al; i+=4)
95	{
96	@@ -258,7 +308,7 @@
97	al+=4;
98	for (; i<al; i++)
99	rp[i]=ap[i];
100	- -#endif
101	+# endif
102	#else /* !MONT_WORD */
103	BIGNUM t1,t2;
104
105	@@ -278,10 +328,12 @@
106	if (!BN_rshift(ret,t2,mont->ri)) goto err;
107	#endif /* MONT_WORD */
108
109	+#if !defined(BRANCH_FREE) \|\| BRANCH_FREE==0
110	if (BN_ucmp(ret, &(mont->N)) >= 0)
111	{
112	if (!BN_usub(ret,ret,&(mont->N))) goto err;
113	}
114	+#endif
115	retn=1;
116	bn_check_top(ret);
117	err:
118	-----BEGIN PGP SIGNATURE-----
119	Version: GnuPG v1.4.5 (GNU/Linux)
120
121	iQCVAwUBRrGk++6tTP1JpWPZAQJbjwP/W/6mROtxOVU1gvvq/uFHCytNWHVaJfKA
122	7zh+v4OPQEIYekIBkEpNFgTJbHcyIZoyDNnwOetkRXvI4LDqvV1V5/pA5bzrKqDj
123	zv7Hj8R7DGqG8ad0Esf3l7SqqirI3curkIzm5/cALJBJxz/Pp7qyXNzzQgp55UPz
124	iBDdynBpa+s=
125	=aquq
126	-----END PGP SIGNATURE-----