Hi,
On June 6, 2003 10:34 am, Joe Orton wrote:
> Ah, firstly, my apologies, I was out of my tree, I can only get the
> ubsec engine to fail like this in 0.9.7b. The other engines I've tried
> with 0.9.7b work fine.
Ah, ok - that seems less uncool then.
> I think Jonathan Hersch has just answered your question about why this
Before I forget - Jonathan, I've just taken a search through the request
tracker and I can't find any bug corresponding to this - can you remember
anything about the ticket?
> fail on openssl-users - does this make sense to you? I don't know why
> this memset is needed in the first place, though. His suggested fix
> below works for me too, without having to set the RSA_FLAG_NO_BLINDING
> flag.
>
> --- ./hw_ubsec.c.blind Thu Jun 5 12:49:08 2003
> +++ ./hw_ubsec.c Fri Jun 6 15:32:29 2003
> @@ -561,7 +561,6 @@
> UBSECerr(UBSEC_F_UBSEC_MOD_EXP, UBSEC_R_BN_EXPAND_FAIL);
> return 0;
> }
> - memset(r->d, 0, BN_num_bytes(m));
>
> if ((fd = p_UBSEC_ubsec_open(UBSEC_KEY_DEVICE_NAME)) <= 0) {
> fd = 0;
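Review bot: removing the `memset(r->d, 0, BN_num_bytes(m));` is correct for the aliasing case, since it clears the result's limbs before the base has been read and so wipes the input whenever the caller passes the same BIGNUM as result and base (as RSA blinding does), but the hunk records nothing about that requirement. Suggest adding a short comment at this point in hw_ubsec.c stating that `r` may alias `a` (or `p`/`m`) and that no write to `r` may happen before the inputs are consumed, or, if the engine really needs a cleared buffer for its own reasons, computing into a temporary BIGNUM and copying to `r` at the end; otherwise a later cleanup is likely to reintroduce the pre-clear.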
Yeah, I took a scan over this again and can't see why this was needed,
though I can certainly see why it's coming unstuck. I think we need to
note that BN_mod_exp_*** functions are expected to be robust when the
result BIGNUM is also the input BIGNUM, because it is the case sometimes
(e.g. RSA blinding) and it functions ok with the builtin implementation
(which is what essentially defines the interface anyway). Even if
blinding is turned off for ubsec and others, that doesn't guarantee that
its handlers will never be called with 'r'=='a' again so I'd like to fix
this and get it tested *before* disabling blinding.
I'll remove this memset() because it clearly breaks this rule, and if that
in turn leaves anything screwy with ubsec (which could be the only
explanation for why that memset was there in the first place) then it'll
have to be fixed locally to use temporary storage or something. If either
of you are able to run tests on the result, I would be very grateful - I
think we should eventually turn off blinding for these ENGINEs but I'd
like to check how the resulting code holds up first in case there are
other bugs or behavioural problems lurking that might have required the
memset in the first place. Should be in CVS shortly, and so the next
nightly snapshots too.
Cheers,
Geoff
--
Geoff Thorpe
[EMAIL PROTECTED]
http://www.geoffthorpe.net/
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
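Added illustration (not OpenSSL code and not from this thread): a toy single-limb stand-in for BIGNUM showing why clearing the result before reading the inputs breaks the r == a contract Geoff describes, beside the "use temporary storage" variant he mentions. The toy_bn type, both mod_exp functions and alias_robust are constructed for this example; the modulus is assumed to be below 2^32 so every product fits in a uint64_t.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a BIGNUM with a single limb. */
typedef struct { uint64_t d; } toy_bn;

/* Square-and-multiply on snapshots of the inputs; safe for any aliasing
 * because r is not touched until the very end. */
static uint64_t pow_mod_u64(uint64_t base, uint64_t e, uint64_t mod)
{
    uint64_t acc = 1 % mod;
    base %= mod;
    while (e) {
        if (e & 1) acc = (acc * base) % mod;
        base = (base * base) % mod;
        e >>= 1;
    }
    return acc;
}

/* Mirrors the defect in the patched hw_ubsec.c: the result is zeroed before
 * the base is read, so with r == a the base silently becomes 0. */
static int mod_exp_clobbers_input(toy_bn *r, const toy_bn *a,
                                  const toy_bn *p, const toy_bn *m)
{
    if (m->d == 0 || m->d > UINT32_MAX) return 0;   /* keep products in range */
    memset(&r->d, 0, sizeof(r->d));                  /* the removed memset */
    r->d = pow_mod_u64(a->d, p->d, m->d);            /* reads a after the clear */
    return 1;
}

/* The alternative Geoff mentions: copy the inputs to temporaries first, then
 * write r only once, so r == a (or r == p, r == m) behaves like the builtin. */
static int mod_exp_alias_safe(toy_bn *r, const toy_bn *a,
                              const toy_bn *p, const toy_bn *m)
{
    if (m->d == 0 || m->d > UINT32_MAX) return 0;
    uint64_t base = a->d, e = p->d, mod = m->d;      /* snapshot before any write */
    r->d = pow_mod_u64(base, e, mod);
    return 1;
}

/* Run fn with a separate result and again with r aliased to a. Returns 1 if both
 * agree (the contract BN_mod_exp callers rely on), 0 if not, -1 on error. */
static int alias_robust(int (*fn)(toy_bn *, const toy_bn *, const toy_bn *, const toy_bn *),
                        uint64_t a, uint64_t p, uint64_t m, uint64_t *out)
{
    toy_bn A = { a }, P = { p }, M = { m }, R = { 0 }, A2 = { a };
    if (!fn(&R, &A, &P, &M)) return -1;
    *out = R.d;
    if (!fn(&A2, &A2, &P, &M)) return -1;            /* r == a, as in blinding */
    return A2.d == R.d;
}
```

Running alias_robust on the classic 4^13 mod 497 = 445 gives 0 for the clobbering version (the aliased call returns 0 instead of 445) and 1 for the snapshot version.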