I valgrind'ed OpenSSL as follows:

I compiled OpenSSL (0.9.8g) with my own random number engine - in order to
generate pseudo-random numbers that are not based on uninitialized values
(if you run openssl without doing this you get infinite warnings - of course).

The results are as follows:

==26139== Conditional jump or move depends on uninitialised value(s)
==26139==    at 0x81095FF: BN_mod_inverse (bn_gcd.c:215)
==26139==    by 0x810D29F: BN_MONT_CTX_set (bn_mont.c:406)
==26139==    by 0x8103E8F: BN_mod_exp_mont (bn_exp.c:417)
==26139==    by 0x81036E9: BN_mod_exp (bn_exp.c:223)
==26139==    by 0x81090FD: BN_BLINDING_create_param (bn_blind.c:352)
==26139==    by 0x80C9844: RSA_setup_blinding (rsa_lib.c:413)
==26139==
==26139== Conditional jump or move depends on uninitialised value(s)
==26139==    at 0x8128F5A: BN_div (bn_div.c:190)
==26139==    by 0x810D318: BN_MONT_CTX_set (bn_mont.c:417)
==26139==    by 0x8103E8F: BN_mod_exp_mont (bn_exp.c:417)
==26139==    by 0x81036E9: BN_mod_exp (bn_exp.c:223)
==26139==    by 0x81090FD: BN_BLINDING_create_param (bn_blind.c:352)
==26139==    by 0x80C9844: RSA_setup_blinding (rsa_lib.c:413)

...above repeated several times.

The code that gives the error is the BN_get_flags() macro
(see bn_div.c extract about line 190 below):

Could this be highlighting a bug in OpenSSL?????

Kind regards

-paul


static int BN_div_no_branch(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num,
        const BIGNUM *divisor, BN_CTX *ctx);
int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
       BN_CTX *ctx)
    {
    int norm_shift,i,loop;
    BIGNUM *tmp,wnum,*snum,*sdiv,*res;
    BN_ULONG *resp,*wnump;
    BN_ULONG d0,d1;
    int num_n,div_n;

    /* ==HERE==> */
    if ((BN_get_flags(num, BN_FLG_CONSTTIME) != 0) ||
        (BN_get_flags(divisor, BN_FLG_CONSTTIME) != 0))
        {
        return BN_div_no_branch(dv, rm, num, divisor, ctx);
        }

...and so on
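
Added example, not part of the original post and not OpenSSL source: a constructed miniature showing how Memcheck comes to report a flag-test line in a callee when the caller hands it a stack temporary whose flags field was never written, with the initialised form beside it. The names num_t, num_get_flags, FLG_CONSTTIME, pick_path, caller_partial and caller_initialised are hypothetical, and whether OpenSSL's caller does this is not established by the trace above.

```c
/* Constructed miniature, not OpenSSL source; every name is hypothetical. */
#include <stdio.h>
#include <string.h>

#define FLG_CONSTTIME 0x04
#define num_get_flags(n, f) ((n)->flags & (f))

typedef struct {
    unsigned long *d;   /* limbs */
    int top;            /* limbs in use */
    int flags;          /* read by num_get_flags() */
} num_t;

/* Callee: the flag test is the first use of n->flags, so Memcheck reports
 * "Conditional jump or move depends on uninitialised value(s)" here,
 * not in the caller that left the field unset. */
int pick_path(const num_t *n)
{
    if (num_get_flags(n, FLG_CONSTTIME) != 0)
        return 1;   /* constant-time path */
    return 0;       /* default path */
}

/* Before: stack temporary filled field by field; flags is never written. */
int caller_partial(unsigned long *buf)
{
    num_t tmp;
    tmp.d = buf;
    tmp.top = 1;
    return pick_path(&tmp);   /* path chosen by whatever was on the stack */
}

/* After: zero the whole struct, then set each field explicitly. */
int caller_initialised(unsigned long *buf, int flags)
{
    num_t tmp;
    memset(&tmp, 0, sizeof tmp);
    tmp.d = buf;
    tmp.top = 1;
    tmp.flags = flags;
    return pick_path(&tmp);
}

int main(void)
{
    unsigned long limb[2] = { 7, 0 };
    printf("%d %d\n", caller_initialised(limb, 0),
           caller_initialised(limb, FLG_CONSTTIME));
    return caller_partial(limb);   /* run under valgrind to see the report */
}
```

Running the binary under valgrind with --track-origins=yes adds an "Uninitialised value was created by a stack allocation" line naming the caller's frame, which is the place to look rather than the reported flag test.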
