Hi,
Moin Otto,
....
I've been working with the big number lib from the open ssl crypto
library, and I have found the following problem, which is demonstrated by
the program below (you may have to fix the includes if you test it on a platform other than OpenBSD).
Summary:
It seems that the code
BIGNUM *z = BN_new(); BN_set_word(z, 0); BN_add_word(z, 0);
results in a corrupt z: top is bumped, where it should not have been. The test program core dumps while printing the number.
No, the above does not corrupt the bignum; the problem (core dump) occurs in BN_bn2dec, as BN_bn2dec does not correctly check whether the value to print is zero (a bignum A is zero if A->top == 0, or if A->top == 1 and A->d[0] == 0). Please try this patch:
--- crypto/bn/bn_print_old.c 2003-09-24 12:46:24.000000000 +0200
+++ crypto/bn/bn_print.c 2003-09-24 12:47:05.000000000 +0200
@@ -122,7 +122,7 @@
p=buf;
lp=bn_data;
if (t->neg) *(p++)='-';
- if (t->top == 0)
+ if (BN_is_zero(t))
{
*(p++)='0';
*(p++)='\0';
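Review bot: the sign is still emitted before the zero test (`if (t->neg) *(p++)='-';` precedes the new `if (BN_is_zero(t))`), so a zero whose neg flag happens to be set would print as "-0"; while this line is being touched, either move the '-' after the zero branch or skip it when the value is zero. The new test is only correct because BN_is_zero() covers both the top==0 form and the top==1, d[0]==0 form described in the reply, so a one-line comment at the call site would stop a later reader from "simplifying" it back to a top comparison. The file header also names bn_print_old.c, so the patch needs a path fix before it applies to crypto/bn/bn_print.c.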
I've tested this on various versions of OpenBSD, Linux and MacOS 10.
The most simple fix could be:
Index: lib/libssl/src/crypto/bn/bn_word.c
===================================================================
RCS file: /cvs/src/lib/libssl/src/crypto/bn/bn_word.c,v
retrieving revision 1.5
diff -u -r1.5 bn_word.c
--- lib/libssl/src/crypto/bn/bn_word.c 12 May 2003 02:18:36 -0000 1.5
+++ lib/libssl/src/crypto/bn/bn_word.c 17 Aug 2003 04:50:15 -0000
@@ -110,6 +110,9 @@
BN_ULONG l;
int i;
+ if ((w & BN_MASK2) == 0)
+ return(1);
+
if (a->neg)
{
a->neg=0;
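Review bot: the `(w & BN_MASK2) == 0` test only differs from `w == 0` on builds where BN_ULONG is wider than BN_BITS2, and there it returns 1 without adding any bits set above the mask; a plain `if (w == 0) return(1);` states the intent more clearly, which is also the question raised in the reply. The early return itself is fine, since adding zero changes neither value nor sign and it avoids the sign handling that follows `if (a->neg)`; the same guard belongs in BN_sub_word, which this hunk does not touch.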
Nonetheless I think it makes sense to check if the input word in BN_add_word (and BN_sub_word) is zero and immediately return 1 (btw: wouldn't a simple 'if (w == 0) return 1;' be sufficient?).
Nils
______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
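The crash path described in this thread (a zero stored as top==1, d[0]==0 slipping past a top==0 test into the digit loop, which then produces no digits and steps before its buffer) modelled as a small stand-alone C program. This is an added example, not code from the thread or from OpenSSL: it uses a toy `toybn` struct with 32-bit words in place of BIGNUM, and `toy_bn2dec` returns -1 at the point where the real BN_bn2dec read before bn_data instead of crashing.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define TOY_WORDS 4
/* Stand-in for BIGNUM: top = words in use, d = little-endian 32-bit words. */
typedef struct { int top; uint32_t d[TOY_WORDS]; } toybn;

/* The check bn_print.c used before the patch: misses top==1, d[0]==0. */
static int toy_is_zero_old(const toybn *a) { return a->top == 0; }

/* Equivalent of BN_is_zero() as described in the thread. */
static int toy_is_zero(const toybn *a) {
    return a->top == 0 || (a->top == 1 && a->d[0] == 0);
}

/* Divide a by 10 in place and return the remainder (BN_div_word analogue);
   leading zero words are dropped the way bn_fix_top() would drop them. */
static uint32_t toy_div10(toybn *a) {
    uint64_t rem = 0;
    for (int i = a->top - 1; i >= 0; i--) {
        uint64_t cur = (rem << 32) | a->d[i];
        a->d[i] = (uint32_t)(cur / 10);
        rem = cur % 10;
    }
    while (a->top > 0 && a->d[a->top - 1] == 0) a->top--;
    return (uint32_t)rem;
}

/* Decimal conversion with a pluggable zero test. Returns the number of
   characters written, or -1 where the real code would have read before bn_data. */
static int toy_bn2dec(const toybn *a, char *out, size_t outlen,
                      int (*is_zero)(const toybn *)) {
    char digits[40];
    int n = 0;
    toybn t = *a;
    if (outlen < 2) return -1;
    if (is_zero(&t)) { out[0] = '0'; out[1] = '\0'; return 1; }
    while (!toy_is_zero(&t) && n < (int)sizeof digits)
        digits[n++] = (char)('0' + toy_div10(&t));
    /* n == 0 is exactly the case that made BN_bn2dec walk off its buffer. */
    if (n == 0 || (size_t)n >= outlen) return -1;
    for (int i = 0; i < n; i++) out[i] = digits[n - 1 - i];
    out[n] = '\0';
    return n;
}

int main(void) {
    toybn z = {1, {0, 0, 0, 0}};  /* constructed: zero as BN_add_word(z, 0) left it */
    char buf[40];
    printf("old check: %d\n", toy_bn2dec(&z, buf, sizeof buf, toy_is_zero_old));
    printf("fixed check: %d -> %s\n", toy_bn2dec(&z, buf, sizeof buf, toy_is_zero), buf);
    return 0;
}
```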
