Hi,

So far, no reply at all from openssl-team, so I'm sending this to the dev list.

BTW: if you try this on OpenBSD -current, you won't see the bug, because it contains the proposed fix.

	-Otto

---------- Forwarded message ----------
Date: Wed, 20 Aug 2003 11:10:36 +0200 (CEST)
From: Otto Moerbeek <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: BN_add_word bug

Hi,

I've been working with the big number lib from the OpenSSL crypto library, and I have found the following problem, which is demonstrated by the program below (you may have to fix the includes if you test it on another platform than OpenBSD).

Summary:

It seems that the code

	BIGNUM *z = BN_new();
	BN_set_word(z, 0);
	BN_add_word(z, 0);

results in a corrupt z: top is bumped, where it should not have been. The test program core dumps while printing the number.

I've tested this on various versions of OpenBSD, Linux and MacOS 10.

The most simple fix could be:

Index: lib/libssl/src/crypto/bn/bn_word.c =================================================================== RCS file: /cvs/src/lib/libssl/src/crypto/bn/bn_word.c,v retrieving revision 1.5 diff -u -r1.5 bn_word.c --- lib/libssl/src/crypto/bn/bn_word.c 12 May 2003 02:18:36 -0000 1.5 +++ lib/libssl/src/crypto/bn/bn_word.c 17 Aug 2003 04:50:15 -0000 
@@ -110,6 +110,9 @@ BN_ULONG l; int i; + if ((w & BN_MASK2) == 0) + return(1); + if (a->neg) { a->neg=0;

However, I am not sure it fixes 100% of the cases. The one case I found is fixed with this patch.

	-Otto

==================== Test program ====================

#include <stdio.h>
#include <stdlib.h>
/* OpenBSD include paths; see the note above about other platforms. */
#include <ssl/bn.h>
#include <ssl/ssl.h>

/* Dump the internal fields of a BIGNUM. */
void
bp(BIGNUM *a)
{
	fprintf(stderr, "top = %d\n", a->top);
	fprintf(stderr, "dmax = %d\n", a->dmax);
	fprintf(stderr, "neg = %d\n", a->neg);
	fprintf(stderr, "flags = %d\n", a->flags);
}

/* Set a to i, add x with BN_add_word(), and print a before and after. */
void
f(int i, int x)
{
	BIGNUM *a;
	char *p;

	a = BN_new();
	BN_set_word(a, i);
	fprintf(stderr, "before adding %d %d\n", i, x);
	bp(a);
	BN_print_fp(stderr, a);
	fprintf(stderr, " (%s)\n", p=BN_bn2dec(a));
	OPENSSL_free(p);
	BN_add_word(a, x);
	fprintf(stderr, "after adding:\n");
	bp(a);
	BN_print_fp(stderr, a);
	fprintf(stderr, " (%s)\n", p=BN_bn2dec(a));
	OPENSSL_free(p);
	BN_free(a);
}

int
main(void)
{
	f(1, 1);
	f(1, 0);
	f(0, 1);
	f(0, 0);	/* the case from the summary: zero plus zero */
	return 0;
}

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
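
Review bot: The early return added ahead of the "if (a->neg)" check has no comment explaining why w == 0 is special-cased, and it sits in front of the existing logic rather than changing it, so whatever bumps top is still there for every nonzero w. Suggest a one-line comment above "if ((w & BN_MASK2) == 0)" stating that adding zero must leave a untouched, and turning the four f() calls from the test program into a regression test that checks top after each call, with f(0, 1) and a negative a covered explicitly, since the message itself says the patch may not fix every case.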