Hi,
I've discovered a possible {bug,something unexpected} in BN_dec2bn() in
bn_print.c. I'll call it my "problem" until confirmed.
System info in case it matters:
openssl-0.9.6g
Linux dollar 2.4.18-14 #1 Wed Sep 4 12:13:11 EDT 2002 i686 athlon i386
GNU/Linux
The problem is when doing the following:
    char buf[1024];
    BIGNUM *u;
    u = BN_new();
    /* ...code that sets buf to have a number in it, like fgets() from a file... */
    BN_dec2bn(&u, buf);   /* BN_dec2bn() takes a BIGNUM **, so pass &u */
    /* ...code to get another number, i.e. fgets in a loop through a file... */
    BN_dec2bn(&u, buf);   /* second call reuses the already-used BIGNUM */
The problem seems to be calling BN_dec2bn with an already allocated BIGNUM
that's been previously used. Inside BN_dec2bn the code is something like:
    int BN_dec2bn(BIGNUM **bn, const char *a)
    {
        BIGNUM *ret = NULL;
        ...
        if (*bn == NULL) {
            ret = BN_new();
        } else {
            ret = *bn;
            BN_zero(ret);                  // call this line a
        }
        .. yadada ..
        while (*a) {
            ...
            BN_mul_word(ret, BN_DEC_CONV); // call this line b
            BN_add_word(ret, l);
            ...
        }
        *bn = ret;
        ...
    }
This function appears to want to decide whether or not the parameter bn has
already been allocated. If not, allocate a fresh BIGNUM. If so, zero out
the bignum (e.g. line a). However, BN_zero() doesn't actually zero out all
of the BIGNUM structure, i.e. d[1..top] isn't zeroed out, only d[0] in struct
BIGNUM.
The problem seems to be manifested in BN_dec2bn() because of the BN_mul_word()
and BN_add_word() calls (e.g. line b). Since the upper parts of d aren't cleared
out, those routines end up adding to whatever junk happened to be left in d
from the previous iteration.
Calling BN_dec2bn with BIGNUM *a = NULL of course fixes my problem.
Is this a bug? It certainly seems like the code is attempting to accept the
case I gave it. If you need more extensive examples, let me know.
Thanks,
-david brumley
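The failure mode the post describes, as an added example that is not OpenSSL's code: a constructed word-array model whose reset leaves stale words above top, with an add-word routine whose carry loop reads those stale words beside a version bounded by top. The names toy_bn, toy_zero, add_word_stale, add_word_clean and reuse_high_word are assumptions of this model, not OpenSSL identifiers.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model (not OpenSSL code): d[] holds little-endian words and
 * top counts the words in use, like the BIGNUM fields the post refers to. */
#define MAXW 4
typedef struct { uint32_t d[MAXW]; int top; } toy_bn;

/* Models the reset the post describes: only d[0] and top are cleared,
 * so d[1..] keep whatever the previous value left there. */
static void toy_zero(toy_bn *a) { a->d[0] = 0; a->top = 0; }

/* Flawed add-word: the carry loop walks into d[i] for i >= top and adds
 * the carry to stale storage instead of starting a fresh word. */
static void add_word_stale(toy_bn *a, uint32_t w) {
    int i = 0;
    for (;;) {
        uint32_t l = a->d[i] + w;      /* uint32_t wraps on overflow */
        a->d[i] = l;
        if (w > l && i + 1 < MAXW) { w = 1; i++; } else break;
    }
    if (i >= a->top) a->top = i + 1;
}

/* Hardened add-word: consumes only words below top; a carry out of the top
 * word is written outright as a new word, so stale data is never read. */
static void add_word_clean(toy_bn *a, uint32_t w) {
    int i;
    for (i = 0; w != 0 && i < a->top; i++) {
        uint32_t l = a->d[i] + w;
        a->d[i] = l;
        w = (w > l) ? 1 : 0;
    }
    if (w != 0 && i < MAXW) { a->d[i] = w; a->top = i + 1; }
}

/* Reuse a toy_bn whose d[1] still holds the stale word 7, then accumulate
 * 2^32 the way a digit loop might (add 0xFFFFFFFF, then add 1). Returns the
 * high word of the result: 1 is correct, anything else is leaked stale data. */
static uint32_t reuse_high_word(void (*add_word)(toy_bn *, uint32_t)) {
    toy_bn u;
    memset(&u, 0, sizeof u);
    u.d[0] = 0xFFFFFFFFu; u.d[1] = 7; u.top = 2;   /* first parsed value */
    toy_zero(&u);                                   /* reset before reuse */
    add_word(&u, 0xFFFFFFFFu);
    add_word(&u, 1);
    return u.d[1];
}

int main(void) {
    printf("stale: %u  clean: %u  (correct is 1)\n",
           (unsigned)reuse_high_word(add_word_stale),
           (unsigned)reuse_high_word(add_word_clean));
    return 0;
}
```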
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]