Here is an email I sent to the list back in March regarding what I think is the same issue (this was entered into the bug database though, I don't know the bug number). Basically, I saw the same issue with the RSA Blinding patch when using a Broadcom card (engine ubsec). If I backed out the patch then the problem went away. However, I was using 0.9.7a, which did not contain the patch so it was easy to back out, just don't apply it.

I thought the issue was fixed with the version of the RSA Blinding patch that worked in multithreaded environments, which I think is what's in 0.9.7b. However, I have not actually tried 0.9.7b.

-- Jonathan

--- Jonathan Hersch <[EMAIL PROTECTED]> wrote:
> Date: Wed, 26 Mar 2003 19:44:30 -0800 (PST)
> From: Jonathan Hersch <[EMAIL PROTECTED]>
> Subject: Crash with openssl and ubsec and RSA blinding patch (CAN-2003-0147)
> To: [EMAIL PROTECTED]
>
> Hi,
>
> I'm using openssl 0.9.7a with a Broadcom accelerator card (engine type ubsec).
> If I apply the patches to rsa_eay.c and rsa_lib.c which fix CAN-2003-0147, and
> then try and create an RSA key and CSR at the command line while using the
> Broadcom card then openssl crashes. The command is:
>
>   openssl req -engine ubsec -newkey rsa:1024 -sha1 -keyout foo.pem -out foo.csr
>
> (I use "foobar" for the password, CN, etc., doesn't matter for the test.)
>
> Doing:
>
>   openssl req -newkey rsa:1024 -sha1 -keyout foo.pem -out foo.csr
>
> does not crash.
>
> Similarly, building openssl without the patches avoids the crash, even when
> using -engine ubsec.
>
> After some poking around there is a suspicious looking line of code in
> hw_ubsec.c:ubsec_mod_exp() (which gets called eventually by the blinding code),
> here's part of that function:
>
>   /* Check if hardware can't handle this argument. */
>   y_len = BN_num_bits(m);
>   if (y_len > max_key_len) {
>       UBSECerr(UBSEC_F_UBSEC_MOD_EXP, UBSEC_R_SIZE_TOO_LARGE_OR_TOO_SMALL);
>       return BN_mod_exp(r, a, p, m, ctx);
>   }
>
>   if(!bn_wexpand(r, m->top))
>   {
>       UBSECerr(UBSEC_F_UBSEC_MOD_EXP, UBSEC_R_BN_EXPAND_FAIL);
>       return 0;
>   }
>   memset(r->d, 0, BN_num_bytes(m)); /* IS THIS RIGHT ??? */
>
>   if ((fd = p_UBSEC_ubsec_open(UBSEC_KEY_DEVICE_NAME)) <= 0) {
>       fd = 0;
>       UBSECerr(UBSEC_F_UBSEC_INIT, UBSEC_R_UNIT_FAILURE);
>       return BN_mod_exp(r, a, p, m, ctx);
>   }
>
>   if (p_UBSEC_rsa_mod_exp_ioctl(fd, (unsigned char *)a->d, BN_num_bits(a),
>       (unsigned char *)m->d, BN_num_bits(m), (unsigned char *)p->d,
>       BN_num_bits(p), (unsigned char *)r->d, &y_len) != 0)
>   {
>       UBSECerr(UBSEC_F_UBSEC_MOD_EXP, UBSEC_R_REQUEST_FAILED);
>       p_UBSEC_ubsec_close(fd);
>
>       return BN_mod_exp(r, a, p, m, ctx);
>   }
>
> Coming into this function from the blinding code the arguments "r" and "a" are
> the same BIGNUM. If "r" is zeroed then when the BN_num_bits(a) call is made a
> few lines later there is a problem since "a" is now zero.
>
> I don't know the BIGNUM stuff, but this seems suspicious. And removing this
> line of code fixes the problem. Maybe someone who knows this stuff better can
> say if it seems ok?
>
> Thanks,
>
> -- Jonathan
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
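
The aliasing hazard described in the quoted message, as an added example that is not part of the original emails and is not OpenSSL code: `toy_bn`, `toy_device` and both `modexp_*` functions are hypothetical stand-ins, and the snapshot-before-clear variant is one illustrative way to tolerate `r == a`, not the fix OpenSSL adopted.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-in for a BIGNUM (hypothetical; not OpenSSL's struct). */
typedef struct { uint32_t *d; int top; } toy_bn;

/* Stand-in for the accelerator call: returns the low input word it was handed. */
static uint32_t toy_device(const uint32_t *in, uint32_t *out, int words) {
    uint32_t seen = in[0];
    for (int i = 0; i < words; i++) out[i] = 0xA5A5A5A5u; /* placeholder result */
    return seen;
}

/* Order used in the quoted snippet: clear r first, then hand a to the device. */
uint32_t modexp_clear_first(toy_bn *r, const toy_bn *a, const toy_bn *m) {
    memset(r->d, 0, (size_t)m->top * sizeof *r->d);
    return toy_device(a->d, r->d, m->top);
}

/* Alias-safe order: if r and a share storage, snapshot a before clearing r. */
uint32_t modexp_alias_safe(toy_bn *r, const toy_bn *a, const toy_bn *m) {
    const uint32_t *in = a->d;
    uint32_t *copy = NULL;
    if (r->d == a->d) {
        copy = malloc((size_t)a->top * sizeof *copy);
        if (copy == NULL) return 0; /* allocation failure, reported as 0 here */
        memcpy(copy, a->d, (size_t)a->top * sizeof *copy);
        in = copy;
    }
    memset(r->d, 0, (size_t)m->top * sizeof *r->d);
    uint32_t seen = toy_device(in, r->d, m->top);
    free(copy);
    return seen;
}

/* Constructed operands; 'aliased' passes the same object as both r and a. */
uint32_t run_case(int safe, int aliased) {
    uint32_t a_words[2] = { 0x12345678u, 0x1u }, r_words[2] = { 0, 0 };
    uint32_t m_words[2] = { 0xFFFFFFFBu, 0x1u };
    toy_bn a = { a_words, 2 }, m = { m_words, 2 }, r_sep = { r_words, 2 };
    toy_bn *r = aliased ? &a : &r_sep;
    return safe ? modexp_alias_safe(r, &a, &m) : modexp_clear_first(r, &a, &m);
}

int main(void) {
    printf("clear-first, aliased: %08x\n", (unsigned)run_case(0, 1));
    printf("alias-safe,  aliased: %08x\n", (unsigned)run_case(1, 1));
    return 0;
}
```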