About a week ago I submitted the report below. Does any developer have plans to look into this?
Kind regards,
Paul

> -------------------------------------------------------------------------
> I've tracked down the problem. It is in the RSA blinding code, because
> RSA_blinding_off(rsa) after the RSA *rsa = RSA_new() solves the problem.
>
> I cc'd rt to create a ticket for this bug.
>
> Paul
>
> Original message:
> --------------------------------------------------------------------------
> I have some code that works well with openssl 0.9.7a, but gives a segfault
> in 0.9.7c . See also the two stacktraces below.
>
> It seems like it goes wrong when RSA_blinding_on() passes the rsa->e
> parameter to BN_mod_exp_mont:
> if (!rsa->meth->bn_mod_exp(A,A,rsa->e,rsa->n,ctx,rsa->_method_mod_n))
>
> Which goes wrong here (I'm not sure how the call expands to the _mont
> version):
> int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
> const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont)
> <cut>
> bn_check_top(p);
>
> The macro uses p as a pointer while it is NULL, which gives a segfault.
> rsa->e is never set in the code (it's loaded from disk or set directly),
> only rsa->d and rsa->n which seems valid for an RSA private key...
> When certificates are signed when RSA keys are just created using openssl
> then it goes fine, but that is logical since the RSA structure is then
> filled with rsa->e too for the public key part.
>
> [Switching to Thread 1024 (LWP 23480)]
> 0x08095c33 in BN_mod_exp_mont (rr=0x80cd664, a=0x80cd664, p=0x0,
> m=0x80cc100, ctx=0x80cd660, in_mont=0x0) at bn_exp.c:365
> 365 bn_check_top(p);
> Current language: auto; currently c
> (gdb) bt
> #0 0x08095c33 in BN_mod_exp_mont (rr=0x80cd664, a=0x80cd664, p=0x0,
> m=0x80cc100, ctx=0x80cd660, in_mont=0x0) at bn_exp.c:365
> #1 0x0805884f in RSA_blinding_on (rsa=0x80cc058, p_ctx=0x80cd660) at
> rsa_lib.c:355
> #2 0x0807380a in rsa_eay_blinding (rsa=0x80cc058, ctx=0x80cd660) at
> rsa_eay.c:201
> #3 0x08073b74 in RSA_eay_private_encrypt (flen=35, from=0x80cd5d8
> "0!0\t\006\005+\016\003\002\032\005", to=0x80cd178 "",
> rsa=0x80cc058, padding=1) at rsa_eay.c:294
> #4 0x08058613 in RSA_private_encrypt (flen=35, from=0x80cd5d8
> "0!0\t\006\005+\016\003\002\032\005", to=0x80cd178 "",
> rsa=0x80cc058, padding=1) at rsa_lib.c:286
> #5 0x08074d7d in RSA_sign (type=64, m=0xbffff1e0
> "_\020J¢ÞýqÍ4\222Lÿfz\030nY\023\177`", m_len=20, sigret=0x80cd178 "",
> siglen=0xbffff238, rsa=0x80cc058) at rsa_sign.c:132
> #6 0x0807dad7 in EVP_SignFinal (ctx=0xbffff250, sigret=0x80cd178 "",
> siglen=0xbffff238, pkey=0x80cd158) at p_sign.c:112
> #7 0x08060f44 in ASN1_sign (i2d=0x8054858 <i2d_X509AC_INFO>,
> algor1=0x80cc4a8, algor2=0x80cc438, signature=0x80cc448,
> data=0x80cc460 "\020Å\f\b8Å\f\b\230Ä\f\bsÄ\f\b8Ê\f\bpÊ\f\bøÍ\f\b",
> pkey=0x80cd158, type=0x80ada60) at a_sign.c:188
>
> Valgrind's output of the above trace:
> ==23436== Invalid read of size 4
> ==23436== at 0x8095C33: BN_mod_exp_mont (bn_exp.c:365)
> ==23436== by 0x805884E: RSA_blinding_on (rsa_lib.c:355)
> ==23436== by 0x8073809: rsa_eay_blinding (rsa_eay.c:201)
> ==23436== by 0x8073B73: RSA_eay_private_encrypt (rsa_eay.c:294)
> ==23436== by 0x8058612: RSA_private_encrypt (rsa_lib.c:286)
> ==23436== by 0x8074D7C: RSA_sign (rsa_sign.c:132)
> ==23436== by 0x807DAD6: EVP_SignFinal (p_sign.c:112)
> ==23436== by 0x8060F43: ASN1_sign (a_sign.c:188)
> ==23436== Address 0x4 is not stack'd, malloc'd or free'd
>
> [Switching to Thread 1024 (LWP 23867)]
> 0x08099a73 in BN_mod_exp_mont (rr=0x80cf214, a=0x80cf214, p=0x0,
> m=0x80cd928, ctx=0x80cf210, in_mont=0x0) at bn_exp.c:365
> 365 bn_check_top(p);
> Current language: auto; currently c
> (gdb) bt
> #0 0x08099a73 in BN_mod_exp_mont (rr=0x80cf214, a=0x80cf214, p=0x0,
> m=0x80cd928, ctx=0x80cf210, in_mont=0x0) at bn_exp.c:365
> #1 0x08058f2f in RSA_blinding_on (rsa=0x80cd8d0, p_ctx=0x80cf210) at
> rsa_lib.c:355
> #2 0x080770ba in rsa_eay_blinding (rsa=0x80cd8d0, ctx=0x80cf210) at
> rsa_eay.c:201
> #3 0x08077424 in RSA_eay_private_encrypt (flen=35, from=0x80ce110
> "0!0\t\006\005+\016\003\002\032\005",
> to=0x80cdf30 "Ðà\022B\bá\f\b", rsa=0x80cd8d0, padding=1) at
> rsa_eay.c:294
> #4 0x08058cf3 in RSA_private_encrypt (flen=35, from=0x80ce110
> "0!0\t\006\005+\016\003\002\032\005", to=0x80cdf30 "Ðà\022B\bá\f\b",
> rsa=0x80cd8d0, padding=1) at rsa_lib.c:286
> #5 0x0807862d in RSA_sign (type=64, m=0xbffff290 "\236)Lo\206<ú÷
> [EMAIL PROTECTED]", m_len=20,
> sigret=0x80cdf30 "Ðà\022B\bá\f\b", siglen=0xbffff2ec, rsa=0x80cd8d0) at
> rsa_sign.c:132
> #6 0x0809d917 in EVP_SignFinal (ctx=0xbffff300, sigret=0x80cdf30
> "Ðà\022B\bá\f\b", siglen=0xbffff2ec, pkey=0x80cdf10)
> at p_sign.c:112
> #7 0x080848a0 in ASN1_item_sign (it=0x80af6e8, algor1=0x80cd408,
> algor2=0x80cc558, signature=0x80cc568, asn=0x80cd3c0,
> pkey=0x80cdf10, type=0x80af240) at a_sign.c:271
> #8 0x080690b2 in X509_sign (x=0x80cd9e0, pkey=0x80cdf10, md=0x80af240) at
> x_all.c:95
>
>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
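
The report above turns on the fact that blinding needs the public exponent: the blinding factor is A = r^e mod n, so a key holding only n and d cannot be blinded. The following is an added example, not part of the original message and not OpenSSL code: a toy model with small integers in which `toy_rsa`, `blinding_setup` and `toy_sign` are hypothetical names and a zero field stands in for a NULL BIGNUM pointer.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy model (constructed): 0 stands in for a NULL BIGNUM (component not set). */
typedef struct { uint64_t n, e, d; } toy_rsa;

static uint64_t modpow(uint64_t b, uint64_t x, uint64_t m) {
    uint64_t r = 1;
    for (b %= m; x; x >>= 1, b = b * b % m)
        if (x & 1) r = r * b % m;
    return r;
}

/* Modular inverse by extended Euclid; returns 0 if gcd(a, m) != 1. */
static uint64_t modinv(uint64_t a, uint64_t m) {
    int64_t t = 0, nt = 1, r = (int64_t)m, nr = (int64_t)(a % m);
    while (nr) {
        int64_t q = r / nr, tmp;
        tmp = t - q * nt; t = nt; nt = tmp;
        tmp = r - q * nr; r = nr; nr = tmp;
    }
    if (r != 1) return 0;
    return (uint64_t)(t < 0 ? t + (int64_t)m : t);
}

/* Blinding setup: A = r^e mod n, Ai = r^-1 mod n. Fails cleanly without e. */
int blinding_setup(const toy_rsa *k, uint64_t r, uint64_t *A, uint64_t *Ai) {
    if (k->e == 0) return 0;   /* the guard the crashing call path lacked */
    *Ai = modinv(r, k->n);
    if (*Ai == 0) return 0;
    *A = modpow(r, k->e, k->n);
    return 1;
}

/* Sign m; *blinded tells the caller whether blinding was actually applied. */
uint64_t toy_sign(const toy_rsa *k, uint64_t m, uint64_t r, int *blinded) {
    uint64_t A = 0, Ai = 0;
    *blinded = blinding_setup(k, r, &A, &Ai);
    if (!*blinded) return modpow(m, k->d, k->n);          /* plain m^d mod n */
    return modpow(m * A % k->n, k->d, k->n) * Ai % k->n;  /* (m*r^e)^d * r^-1 */
}

int main(void) {
    toy_rsa full = {3233, 17, 2753}, no_e = {3233, 0, 2753}; /* constructed key */
    int b1, b2;
    uint64_t s1 = toy_sign(&full, 65, 7, &b1), s2 = toy_sign(&no_e, 65, 7, &b2);
    printf("full: blinded=%d, no e: blinded=%d, same sig=%d\n", b1, b2, s1 == s2);
    return 0;
}
```

Both paths produce the same signature; the difference is that the unblinded path loses the timing-attack protection, which is why the flag is returned to the caller instead of being hidden.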