On 2014/05/05 12:38, Ted Unangst wrote:
> CVSROOT: /cvs
> Module name: src
> Changes by: [email protected] 2014/05/05 12:38:42
>
> Modified files:
> lib/libssl/src/crypto/bn: bn_lib.c
>
> Log message:
> inspired by a cloudflare diff, cleanse old memory when expanding a bignum.
> however, instead of trying to audit all the places where a secret bignum
> is used, apply the big hammer and clear all bignums when freed.
> ok deraadt miod
>
This breaks RSA signing (`openssl req` hangs inside BN_div, backtrace below); backout diff follows.
openssl genrsa -out some.key 2048
openssl req -new -key some.key -out some.csr
<fill out the fields>
<hangs>
Attaching to program: /usr/sbin/openssl, process 24730
(no debugging symbols found)
Loaded symbols for /usr/sbin/openssl
Reading symbols from /usr/lib/libssl.so.24.0...done.
Loaded symbols for /usr/lib/libssl.so.24.0
Reading symbols from /usr/lib/libcrypto.so.26.1...done.
Loaded symbols for /usr/lib/libcrypto.so.26.1
Reading symbols from /usr/lib/libc.so.74.2...done.
Loaded symbols for /usr/lib/libc.so.74.2
Reading symbols from /usr/libexec/ld.so...done.
Loaded symbols for /usr/libexec/ld.so
[Switching to thread 1024730]
0x00001e9654d61880 in BN_div (dv=Variable "dv" is not available.
) at /usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/bn/bn_div.c:297
297 q=bn_div_words(n0,n1,d0);
(gdb) bt
#0 0x00001e9654d61880 in BN_div (dv=Variable "dv" is not available.
) at /usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/bn/bn_div.c:297
#1 0x00001e9654ca997a in e_rsax_rsa_mod_exp (r0=0x1e965520ce18,
I=0x1e965520ce00, rsa=0x1e964ccccb00, ctx=0x1e964a74ea40)
at
/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/engine/eng_rsax.c:544
#2 0x00001e9654d2ed9d in RSA_eay_private_encrypt (flen=35, from=Variable
"from" is not available.
) at /usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/rsa/rsa_eay.c:426
#3 0x00001e9654d4d6ad in RSA_sign (type=64, m=0x1e965520ca00
"0!0\t\006\005+\016\003\002\032\005", m_len=Variable "m_len" is not available.
)
at /usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/rsa/rsa_sign.c:133
#4 0x00001e9654d07681 in pkey_rsa_sign (ctx=0x1e96525ca180, sig=0x1e964cccce00
'ß' <repeats 200 times>..., siglen=0x7f7fffff28f8,
tbs=0x7f7fffff2850 "\213ì}\f\032@Eý\233\016>bý\214ysóì¶", tbslen=20) at
/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/rsa/rsa_pmeth.c:197
#5 0x00001e9654d23d21 in EVP_DigestSignFinal (ctx=0x7f7fffff2950,
sigret=0x1e964cccce00 'ß' <repeats 200 times>..., siglen=0x7f7fffff28f8)
at /usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/evp/m_sigver.c:154
#6 0x00001e9654d168f0 in ASN1_item_sign_ctx (it=0x1e9654fbdda0,
algor1=Variable "algor1" is not available.
) at /usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/asn1/a_sign.c:215
#7 0x00001e944651b35c in ?? () from /usr/sbin/openssl
#8 0x00001e944651ce43 in ?? () from /usr/sbin/openssl
#9 0x00001e9446558036 in password_callback () from /usr/sbin/openssl
#10 0x00001e94465588d0 in password_callback () from /usr/sbin/openssl
#11 0x00001e9446519871 in ?? () from /usr/sbin/openssl
#12 0x0000000000000000 in ?? ()
Index: src/crypto/bn/bn_lib.c
===================================================================
RCS file: /cvs/src/lib/libssl/src/crypto/bn/bn_lib.c,v
retrieving revision 1.21
diff -u -p -r1.21 bn_lib.c
--- src/crypto/bn/bn_lib.c 5 May 2014 18:38:42 -0000 1.21
+++ src/crypto/bn/bn_lib.c 7 May 2014 12:48:49 -0000
@@ -226,11 +226,22 @@ void BN_clear_free(BIGNUM *a)
free(a);
}
-void
-BN_free(BIGNUM *a)
-{
- BN_clear_free(a);
-}
+void BN_free(BIGNUM *a)
+ {
+ if (a == NULL) return;
+ bn_check_top(a);
+ if ((a->d != NULL) && !(BN_get_flags(a,BN_FLG_STATIC_DATA)))
+ free(a->d);
+ if (a->flags & BN_FLG_MALLOCED)
+ free(a);
+ else
+ {
+#ifndef OPENSSL_NO_DEPRECATED
+ a->flags|=BN_FLG_FREE;
+#endif
+ a->d = NULL;
+ }
+ }
void BN_init(BIGNUM *a)
{
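Review bot: The restored BN_free on the new side frees `a->d` without scrubbing it, so every secret limb (private exponents, CRT primes, blinding values) goes back to lingering in freed heap — the exact exposure the reverted commit was closing. Before settling on a full backout it is worth checking whether the hang is really caused by clearing on free in general, or by BN_clear_free cleansing `a->d` even when BN_FLG_STATIC_DATA is set; the restored code skips `free(a->d)` for static data, and the backtrace hangs in `bn_div_words` under the rsax engine, which is consistent with a shared constant bignum having been zeroed (BN_clear_free's body is outside this hunk, so this is inferred). If that is the cause, a guard of the form `if (a->d != NULL && !BN_get_flags(a, BN_FLG_STATIC_DATA)) { OPENSSL_cleanse(a->d, a->dmax * sizeof(a->d[0])); free(a->d); }` keeps the scrub for heap-owned limbs while leaving static tables intact. A short comment on BN_free noting that it intentionally does not clear, and that callers holding secrets must use BN_clear_free, would also stop the next reader from assuming the scrub is there.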
@@ -389,10 +400,7 @@ BIGNUM *bn_expand2(BIGNUM *b, int words)
{
BN_ULONG *a = bn_expand_internal(b, words);
if(!a) return NULL;
- if(b->d) {
- OPENSSL_cleanse(b->d, b->dmax * sizeof(b->d[0]));
- free(b->d);
- }
+ if(b->d) free(b->d);
b->d=a;
b->dmax=words;
}
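Review bot: The cleanse removed from bn_expand2 appears independent of the reported hang and could be kept: it only touches the old buffer that the function immediately frees and replaces on the next line, so `OPENSSL_cleanse(b->d, b->dmax * sizeof(b->d[0]));` never reaches the division path in the backtrace. Backing it out too means that every time a bignum grows, the previous copy of its limbs stays readable in freed memory until reused, which is the leak the CloudFlare-inspired change was written against. If the whole commit must be reverted for consistency, a `/* XXX old limbs are not scrubbed; see BN_clear_free */` comment here would at least record the known gap.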