- rel 3; use groff symlink for man

[packages/openssl.git] / openssl-CVE-2007-3108.patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --- openssl-0.9.8e/crypto/bn/bn_mont.c        2006-06-16 03:01:14.000000000 +0200
+++ openssl-0.9.8-cvs/crypto/bn/bn_mont.c       2007-06-29 10:13:25.000000000 +0200
@@ -176,7 +176,6 @@
 
        max=(nl+al+1); /* allow for overflow (no?) XXX */
        if (bn_wexpand(r,max) == NULL) goto err;
- -     if (bn_wexpand(ret,max) == NULL) goto err;
 
        r->neg=a->neg^n->neg;
        np=n->d;
@@ -228,19 +227,70 @@
                }
        bn_correct_top(r);
        
- -     /* mont->ri will be a multiple of the word size */
- -#if 0
- -     BN_rshift(ret,r,mont->ri);
- -#else
- -     ret->neg = r->neg;
- -     x=ri;
+       /* mont->ri will be a multiple of the word size and below code
+        * is kind of BN_rshift(ret,r,mont->ri) equivalent */
+       if (r->top <= ri)
+               {
+               ret->top=0;
+               retn=1;
+               goto err;
+               }
+       al=r->top-ri;
+
+# define BRANCH_FREE 1
+# if BRANCH_FREE
+       if (bn_wexpand(ret,ri) == NULL) goto err;
+       x=0-(((al-ri)>>(sizeof(al)*8-1))&1);
+       ret->top=x=(ri&~x)|(al&x);      /* min(ri,al) */
+       ret->neg=r->neg;
+
        rp=ret->d;
- -     ap= &(r->d[x]);
- -     if (r->top < x)
- -             al=0;
- -     else
- -             al=r->top-x;
+       ap=&(r->d[ri]);
+
+       {
+       size_t m1,m2;
+
+       v=bn_sub_words(rp,ap,np,ri);
+       /* this ----------------^^ works even in al<ri case
+        * thanks to zealous zeroing of top of the vector in the
+        * beginning. */
+
+       /* if (al==ri && !v) || al>ri) nrp=rp; else nrp=ap; */
+       /* in other words if subtraction result is real, then
+        * trick unconditional memcpy below to perform in-place
+        * "refresh" instead of actual copy. */
+       m1=0-(size_t)(((al-ri)>>(sizeof(al)*8-1))&1);   /* al<ri */
+       m2=0-(size_t)(((ri-al)>>(sizeof(al)*8-1))&1);   /* al>ri */
+       m1|=m2;                 /* (al!=ri) */
+       m1|=(0-(size_t)v);      /* (al!=ri || v) */
+       m1&=~m2;                /* (al!=ri || v) && !al>ri */
+       nrp=(BN_ULONG *)(((size_t)rp&~m1)|((size_t)ap&m1));
+       }
+
+       /* 'i<ri' is chosen to eliminate dependency on input data, even
+        * though it results in redundant copy in al<ri case. */
+       for (i=0,ri-=4; i<ri; i+=4)
+               {
+               BN_ULONG t1,t2,t3,t4;
+               
+               t1=nrp[i+0];
+               t2=nrp[i+1];
+               t3=nrp[i+2];    ap[i+0]=0;
+               t4=nrp[i+3];    ap[i+1]=0;
+               rp[i+0]=t1;     ap[i+2]=0;
+               rp[i+1]=t2;     ap[i+3]=0;
+               rp[i+2]=t3;
+               rp[i+3]=t4;
+               }
+       for (ri+=4; i<ri; i++)
+               rp[i]=nrp[i], ap[i]=0;
+# else
+       if (bn_wexpand(ret,al) == NULL) goto err;
        ret->top=al;
+       ret->neg=r->neg;
+
+       rp=ret->d;
+       ap=&(r->d[ri]);
        al-=4;
        for (i=0; i<al; i+=4)
                {
@@ -258,7 +308,7 @@
        al+=4;
        for (; i<al; i++)
                rp[i]=ap[i];
- -#endif
+# endif
 #else /* !MONT_WORD */ 
        BIGNUM *t1,*t2;
 
@@ -278,10 +328,12 @@
        if (!BN_rshift(ret,t2,mont->ri)) goto err;
 #endif /* MONT_WORD */
 
+#if !defined(BRANCH_FREE) || BRANCH_FREE==0
        if (BN_ucmp(ret, &(mont->N)) >= 0)
                {
                if (!BN_usub(ret,ret,&(mont->N))) goto err;
                }
+#endif
        retn=1;
        bn_check_top(ret);
  err:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQCVAwUBRrGk++6tTP1JpWPZAQJbjwP/W/6mROtxOVU1gvvq/uFHCytNWHVaJfKA
7zh+v4OPQEIYekIBkEpNFgTJbHcyIZoyDNnwOetkRXvI4LDqvV1V5/pA5bzrKqDj
zv7Hj8R7DGqG8ad0Esf3l7SqqirI3curkIzm5/cALJBJxz/Pp7qyXNzzQgp55UPz
iBDdynBpa+s=
=aquq
-----END PGP SIGNATURE-----