bn/asm/x86_64-mont5.pl: fix carry propagating bug (CVE-2015-3193).
Reviewed-by: Richard Levitte <levitte@openssl.org> (cherry picked from commit e7c078db57908cbf16074c68034977565ffaf107)
parent
cc598f321f
commit
d73cc256c8
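--- a/crypto/bn/asm/x86_64-mont5.pl
+++ b/crypto/bn/asm/x86_64-mont5.pl
@@ -1784,6 +1784,15 @@ sqr8x_reduction:
 .align 32
 .L8x_tail_done:
 add (%rdx),%r8 # can this overflow?
+adc \$0,%r9
+adc \$0,%r10
+adc \$0,%r11
+adc \$0,%r12
+adc \$0,%r13
+adc \$0,%r14
+adc \$0,%r15 # can't overflow, because we
+# started with "overhung" part
+# of multiplication
 xor %rax,%rax
 
 neg $carry
@@ -3130,6 +3139,15 @@ sqrx8x_reduction:
 .align 32
 .Lsqrx8x_tail_done:
 add 24+8(%rsp),%r8 # can this overflow?
+adc \$0,%r9
+adc \$0,%r10
+adc \$0,%r11
+adc \$0,%r12
+adc \$0,%r13
+adc \$0,%r14
+adc \$0,%r15 # can't overflow, because we
+# started with "overhung" part
+# of multiplication
 mov $carry,%rax # xor %rax,%rax
 
 sub 16+8(%rsp),$carry # mov 16(%rsp),%cf
@@ -3173,13 +3191,11 @@ my ($rptr,$nptr)=("%rdx","%rbp");
 my @ri=map("%r$_",(10..13));
 my @ni=map("%r$_",(14..15));
 $code.=<<___;
-xor %rbx,%rbx
+xor %ebx,%ebx
 sub %r15,%rsi # compare top-most words
 adc %rbx,%rbx
 mov %rcx,%r10 # -$num
-.byte 0x67
 or %rbx,%rax
-.byte 0x67
 mov %rcx,%r9 # -$num
 xor \$1,%rax
 sar \$3+2,%rcx # cf=0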
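Review bot: The `# can this overflow?` comment on `add (%rdx),%r8` is answered by the nine `adc \$0` lines the commit inserts directly under it, so it should now state the intent instead of asking, e.g. `add (%rdx),%r8 # yes it can: propagate the carry through %r9..%r15`; the same stale question is kept on `add 24+8(%rsp),%r8` in the sqrx8x_reduction hunk. The assertion that `adc \$0,%r15` cannot overflow rests on the top word being the "overhung" half of the squaring, which is established by code outside this hunk, so the comment would be more useful if it named the loop that guarantees it. In the third hunk the two `.byte 0x67` padding bytes are dropped together with the `xor %rbx,%rbx` → `xor %ebx,%ebx` shortening; this presumably compensates for the code-size change of the inserted instructions, and a short comment recording that the padding is no longer needed would spare the next reader from wondering whether an alignment target moved. The bodies of sqr8x_reduction and sqrx8x_reduction both continue beyond their hunks.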
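--- a/crypto/bn/bntest.c
+++ b/crypto/bn/bntest.c
@@ -1016,6 +1016,24 @@ int test_mod_exp(BIO *bp, BN_CTX *ctx)
 return 0;
 }
 }
+
+/* Regression test for carry propagation bug in sqr8x_reduction */
+BN_hex2bn(&a, "050505050505");
+BN_hex2bn(&b, "02");
+BN_hex2bn(&c,
+"4141414141414141414141274141414141414141414141414141414141414141"
+"4141414141414141414141414141414141414141414141414141414141414141"
+"4141414141414141414141800000000000000000000000000000000000000000"
+"0000000000000000000000000000000000000000000000000000000000000000"
+"0000000000000000000000000000000000000000000000000000000000000000"
+"0000000000000000000000000000000000000000000000000000000001");
+BN_mod_exp(d, a, b, c, ctx);
+BN_mul(e, a, a, ctx);
+if (BN_cmp(d, e)) {
+fprintf(stderr, "BN_mod_exp and BN_mul produce different results!\n");
+return 0;
+}
+
 BN_free(a);
 BN_free(b);
 BN_free(c);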
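Review bot: The new regression test ignores the return values of `BN_hex2bn`, `BN_mod_exp` and `BN_mul`, so an allocation or context failure would leave `d` or `e` holding a stale value and the `BN_cmp` check could pass or fail for the wrong reason; it would be sounder as `if (!BN_mod_exp(d, a, b, c, ctx) || !BN_mul(e, a, a, ctx)) return 0;` with the three `BN_hex2bn` calls guarded the same way. The comparison is only meaningful because `a` (48 bits) squared is far below the modulus `c`, so `a^2 mod c` must equal `a*a`; a comment such as `/* a*a < c, so the reduced square must equal the plain product */` would make that precondition explicit. The input is described as exercising sqr8x_reduction, but the commit also patches the sqrx8x variant and nothing on the page shows this input reaches it, so a note on which code path is covered on which CPU (or a second input) would strengthen the test. test_mod_exp begins outside the hunk, and `d` and `e` are presumably declared and freed there.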