github.com/mono/boringssl.git
author Adam Langley <agl@chromium.org> 2014-06-20 23:00:00 +0400
committer Adam Langley <agl@chromium.org> 2014-06-21 00:17:40 +0400
commit eceb33d3afe6b36061df9c94fb28e0e08f15ea94
tree 134fd7dcff8c48ac012471c262292f7aa53e2f5a /crypto/bn/exponentiation.c
parent 6a57f9219519a2fb52c45ff6706e36de4735aee0

bignum: fix boundary condition in montgomery logic

It's not clear whether this inconsistency could lead to an actual computation error, but it involved a BIGNUM being passed around the montgomery logic in an inconsistent state. This was found using flags -DBN_DEBUG -DBN_DEBUG_RAND, and working backwards from this assertion in 'ectest';

ectest: bn_mul.c:960: BN_mul: Assertion `(_bnum2->top == 0) || (_bnum2->d[_bnum2->top - 1] != 0)' failed

(Imported from upstream's 3cc546a3bbcbf26cd14fc45fb133d36820ed0a75)

Diffstat (limited to 'crypto/bn/exponentiation.c')
-rw-r--r-- crypto/bn/exponentiation.c 3
1 files changed, 3 insertions, 0 deletions
diff --git a/crypto/bn/exponentiation.c b/crypto/bn/exponentiation.c
index ac47e4b3..83f1667a 100644
--- a/crypto/bn/exponentiation.c
+++ b/crypto/bn/exponentiation.c
@@ -692,6 +692,9 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
for (i = 1; i < j; i++)
r->d[i] = (~m->d[i]) & BN_MASK2;
r->top = j;
+ /* Upper words will be zero if the corresponding words of 'm'
+ * were 0xfff[...], so decrement r->top accordingly. */
+ bn_correct_top(r);
} else if (!BN_to_montgomery(r, BN_value_one(), mont, ctx)) {
goto err;
}
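
Review bot: the new comment above bn_correct_top(r) states the trigger only loosely ("words of 'm' were 0xfff[...]") and never names the invariant being restored. Consider wording it as: a word of m equal to BN_MASK2 complements to zero in the loop above, so after r->top = j the word r->d[r->top - 1] can be 0, and bn_correct_top() restores "top == 0 or d[top - 1] != 0", which is the condition the BN_mul assertion quoted in the commit message checks. Since the commit message leaves open whether a wrong result was reachable, a test that drives a modulus with all-ones upper words through this branch in a -DBN_DEBUG build would make a regression here visible.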