About a week ago I submitted the report below.
Does any developer plan to look into this?

Kind regards,
Paul


> -------------------------------------------------------------------------
> I've tracked down the problem. It is in the RSA blinding code, because
> RSA_blinding_off(rsa) after the RSA *rsa = RSA_new() solves the problem.
>
> I cc'd rt to create a ticket for this bug.
>
> Paul
>
> Original message:
> --------------------------------------------------------------------------
> I have some code that works well with openssl 0.9.7a, but gives a segfault
> in 0.9.7c. See also the two stacktraces below.
>
> It seems like it goes wrong when RSA_blinding_on() passes the rsa->e
> parameter to BN_mod_exp_mont:
>     if (!rsa->meth->bn_mod_exp(A,A,rsa->e,rsa->n,ctx,rsa->_method_mod_n))
>
> Which goes wrong here (I'm not sure how the call expands to the _mont
> version):
>     int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
>     const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont)
>     <cut>
>         bn_check_top(p);
>
> The macro uses p as a pointer while it is NULL, which gives a segfault.
> rsa->e is never set in the code (it's loaded from disk or set directly),
> only rsa->d and rsa->n which seems valid for an RSA private key...
> When certificates are signed when RSA keys are just created using openssl
> then it goes fine, but that is logical since the RSA structure is then
> filled with rsa->e too for the public key part.
>
> [Switching to Thread 1024 (LWP 23480)]
> 0x08095c33 in BN_mod_exp_mont (rr=0x80cd664, a=0x80cd664, p=0x0,
> m=0x80cc100, ctx=0x80cd660, in_mont=0x0) at bn_exp.c:365
> 365             bn_check_top(p);
> Current language:  auto; currently c
> (gdb) bt
> #0  0x08095c33 in BN_mod_exp_mont (rr=0x80cd664, a=0x80cd664, p=0x0,
> m=0x80cc100, ctx=0x80cd660, in_mont=0x0) at bn_exp.c:365
> #1  0x0805884f in RSA_blinding_on (rsa=0x80cc058, p_ctx=0x80cd660) at
> rsa_lib.c:355
> #2  0x0807380a in rsa_eay_blinding (rsa=0x80cc058, ctx=0x80cd660) at
> rsa_eay.c:201
> #3  0x08073b74 in RSA_eay_private_encrypt (flen=35, from=0x80cd5d8
> "0!0\t\006\005+\016\003\002\032\005", to=0x80cd178 "",
>     rsa=0x80cc058, padding=1) at rsa_eay.c:294
> #4  0x08058613 in RSA_private_encrypt (flen=35, from=0x80cd5d8
> "0!0\t\006\005+\016\003\002\032\005", to=0x80cd178 "",
>     rsa=0x80cc058, padding=1) at rsa_lib.c:286
> #5  0x08074d7d in RSA_sign (type=64, m=0xbffff1e0
> "_\020J¢ÞýqÍ4\222Lÿfz\030nY\023\177`", m_len=20, sigret=0x80cd178 "",
>     siglen=0xbffff238, rsa=0x80cc058) at rsa_sign.c:132
> #6  0x0807dad7 in EVP_SignFinal (ctx=0xbffff250, sigret=0x80cd178 "",
> siglen=0xbffff238, pkey=0x80cd158) at p_sign.c:112
> #7  0x08060f44 in ASN1_sign (i2d=0x8054858 <i2d_X509AC_INFO>,
> algor1=0x80cc4a8, algor2=0x80cc438, signature=0x80cc448,
>     data=0x80cc460 "\020Å\f\b8Å\f\b\230Ä\f\bsÄ\f\b8Ê\f\bpÊ\f\bøÍ\f\b",
> pkey=0x80cd158, type=0x80ada60) at a_sign.c:188
>
> Valgrind's output of the above trace:
> ==23436== Invalid read of size 4
> ==23436==    at 0x8095C33: BN_mod_exp_mont (bn_exp.c:365)
> ==23436==    by 0x805884E: RSA_blinding_on (rsa_lib.c:355)
> ==23436==    by 0x8073809: rsa_eay_blinding (rsa_eay.c:201)
> ==23436==    by 0x8073B73: RSA_eay_private_encrypt (rsa_eay.c:294)
> ==23436==    by 0x8058612: RSA_private_encrypt (rsa_lib.c:286)
> ==23436==    by 0x8074D7C: RSA_sign (rsa_sign.c:132)
> ==23436==    by 0x807DAD6: EVP_SignFinal (p_sign.c:112)
> ==23436==    by 0x8060F43: ASN1_sign (a_sign.c:188)
> ==23436==    Address 0x4 is not stack'd, malloc'd or free'd
>
> [Switching to Thread 1024 (LWP 23867)]
> 0x08099a73 in BN_mod_exp_mont (rr=0x80cf214, a=0x80cf214, p=0x0,
> m=0x80cd928, ctx=0x80cf210, in_mont=0x0) at bn_exp.c:365
> 365             bn_check_top(p);
> Current language:  auto; currently c
> (gdb) bt
> #0  0x08099a73 in BN_mod_exp_mont (rr=0x80cf214, a=0x80cf214, p=0x0,
> m=0x80cd928, ctx=0x80cf210, in_mont=0x0) at bn_exp.c:365
> #1  0x08058f2f in RSA_blinding_on (rsa=0x80cd8d0, p_ctx=0x80cf210) at
> rsa_lib.c:355
> #2  0x080770ba in rsa_eay_blinding (rsa=0x80cd8d0, ctx=0x80cf210) at
> rsa_eay.c:201
> #3  0x08077424 in RSA_eay_private_encrypt (flen=35, from=0x80ce110
> "0!0\t\006\005+\016\003\002\032\005",
>     to=0x80cdf30 "Ðà\022B\bá\f\b", rsa=0x80cd8d0, padding=1) at
> rsa_eay.c:294
> #4  0x08058cf3 in RSA_private_encrypt (flen=35, from=0x80ce110
> "0!0\t\006\005+\016\003\002\032\005", to=0x80cdf30 "Ðà\022B\bá\f\b",
>     rsa=0x80cd8d0, padding=1) at rsa_lib.c:286
> #5  0x0807862d in RSA_sign (type=64, m=0xbffff290 "\236)Lo\206<ú÷
> [EMAIL PROTECTED]", m_len=20,
>     sigret=0x80cdf30 "Ðà\022B\bá\f\b", siglen=0xbffff2ec, rsa=0x80cd8d0) at
> rsa_sign.c:132
> #6  0x0809d917 in EVP_SignFinal (ctx=0xbffff300, sigret=0x80cdf30
> "Ðà\022B\bá\f\b", siglen=0xbffff2ec, pkey=0x80cdf10)
>     at p_sign.c:112
> #7  0x080848a0 in ASN1_item_sign (it=0x80af6e8, algor1=0x80cd408,
> algor2=0x80cc558, signature=0x80cc568, asn=0x80cd3c0,
>     pkey=0x80cdf10, type=0x80af240) at a_sign.c:271
> #8  0x080690b2 in X509_sign (x=0x80cd9e0, pkey=0x80cdf10, md=0x80af240) at
> x_all.c:95
>
>
>
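
The report above shows blinding computing A^e mod n, which is why a key holding only d and n cannot be blinded. The following toy model is an added example, not code from the post or from OpenSSL: the names `toy_rsa`, `blind_sign` and `plain_sign` are hypothetical and the key uses textbook parameters (n=3233, e=17, d=2753). It returns an error for a missing exponent instead of dereferencing it.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy key: e is a pointer so it can be absent, like rsa->e == NULL in the report. */
typedef struct { uint64_t n, d; const uint64_t *e; } toy_rsa;

static uint64_t modexp(uint64_t b, uint64_t x, uint64_t m) {
    uint64_t r = 1;
    for (b %= m; x; x >>= 1, b = b * b % m)
        if (x & 1) r = r * b % m;
    return r;
}

/* Extended Euclid; returns -1 when a has no inverse mod m. */
static int modinv(uint64_t a, uint64_t m, uint64_t *out) {
    int64_t t = 0, nt = 1, r = (int64_t)m, nr = (int64_t)(a % m), q, tmp;
    while (nr != 0) {
        q = r / nr;
        tmp = t - q * nt; t = nt; nt = tmp;
        tmp = r - q * nr; r = nr; nr = tmp;
    }
    if (r != 1) return -1;
    *out = (uint64_t)(t < 0 ? t + (int64_t)m : t);
    return 0;
}

/* Unblinded private-key operation: m^d mod n. */
uint64_t plain_sign(const toy_rsa *k, uint64_t m) { return modexp(m, k->d, k->n); }

/* 0 = ok, -1 = no public exponent (cannot blind), -2 = r not invertible mod n. */
int blind_sign(const toy_rsa *k, uint64_t m, uint64_t r, uint64_t *sig) {
    uint64_t rinv, blinded;
    if (k == NULL || k->e == NULL) return -1;  /* refuse instead of reading a NULL exponent */
    if (modinv(r, k->n, &rinv) != 0) return -2;
    blinded = m % k->n * modexp(r, *k->e, k->n) % k->n;  /* m * r^e mod n */
    *sig = modexp(blinded, k->d, k->n) * rinv % k->n;    /* (m r^e)^d * r^-1 = m^d */
    return 0;
}

int main(void) {
    const uint64_t e = 17;
    uint64_t sig = 0;
    toy_rsa full = {3233, 2753, &e}, priv_only = {3233, 2753, NULL};
    int rc = blind_sign(&full, 65, 7, &sig);
    printf("full key: rc=%d blinded==plain: %d\n", rc, sig == plain_sign(&full, 65));
    printf("d,n-only key: rc=%d\n", blind_sign(&priv_only, 65, 7, &sig));
    return 0;
}
```
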

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
