Hi Geoff,
On Thu, Jun 05, 2003 at 03:47:28PM -0400, Geoff Thorpe wrote:
> On June 5, 2003 08:03 am, Joe Orton wrote:
> > Hi, the changes to enable blinding by default in 0.9.7b appear to break
> > when an ENGINE is in use (for all the ENGINEs I've tested), with an
> > assertion failure:
> >
> > openssl: bn_lib.c:254: BN_num_bits: Assertion `l != 0' failed.
> >
> > and backtrace as follows:
> >
> > #4 0x080b97c7 in BN_num_bits (a=0x81e4fd4) at bn_lib.c:254
> > #5 0x080ce940 in ubsec_mod_exp (r=0x81e4fd4, a=0x81e4fd4, p=0x81cdde8,
> > m=0x81cdfb8, ctx=0x81e4fd0)
> > at hw_ubsec.c:578
> > #6 0x080cee37 in ubsec_mod_exp_mont (r=0x81e4fd4, a=0x81e4fd4,
> > p=0x81cdde8, m=0x81cdfb8, ctx=0x81e4fd0,
> > m_ctx=0x0) at hw_ubsec.c:722
> > #7 0x080bf6e6 in RSA_blinding_on (rsa=0x81cdf28, p_ctx=0x81e4fd0) at
> > rsa_lib.c:354
> > #8 0x080bd1aa in rsa_eay_blinding (rsa=0x81cdf28, ctx=0x81e4fd0) at
> > rsa_eay.c:202
> > #9 0x080bd574 in RSA_eay_private_encrypt (flen=36,
> > etc
>
> I'm surfing this backtrace looking at the HEAD source, so it's possible
> that 0.9.7b has something different to HEAD that can explain this. Are
> you able to look through a couple of those stack frames? According to
> what I see (again, ignoring the faint possibility that 0.9.7b is
> different), BN_num_bits() should be getting called on the public modulus
> of the RSA key, and the assertion that is failing there is a sanity check
> on the BIGNUM data (checking the (a->top - 1)th BN_ULONG is the most
> significant word of the array). If this really does fail on every ENGINE
> but works "in software", then something very quirky is going on and
> disabling blinding will only hide the bug you've found.
Ah, firstly, my apologies, I was out of my tree, I can only get the
ubsec engine to fail like this in 0.9.7b. The other engines I've tried
with 0.9.7b work fine.
I think Jonathan Hersch has just answered your question about why this
fails on openssl-users - does this make sense to you? I don't know why
this memset is needed in the first place, though. His suggested fix
below works for me too, without having to set the RSA_FLAG_NO_BLINDING
flag.
--- ./hw_ubsec.c.blind Thu Jun 5 12:49:08 2003
+++ ./hw_ubsec.c Fri Jun 6 15:32:29 2003
@@ -561,7 +561,6 @@
UBSECerr(UBSEC_F_UBSEC_MOD_EXP, UBSEC_R_BN_EXPAND_FAIL);
return 0;
}
- memset(r->d, 0, BN_num_bytes(m));
if ((fd = p_UBSEC_ubsec_open(UBSEC_KEY_DEVICE_NAME)) <= 0) {
fd = 0;
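Review bot: removing the memset fixes the in-place case, where r and a are the same BIGNUM (both 0x81e4fd4 in frames #5 and #6 of the backtrace): zeroing r->d here wipes the base before ubsec_mod_exp reads it, and BN_num_bits(a) at hw_ubsec.c:578 then trips its `l != 0` check on a zeroed top word. If the memset was meant to clear the limbs above the device's output (r has just been bn_expand'ed for the result, per the UBSEC_R_BN_EXPAND_FAIL check above), dropping it leaves those limbs holding whatever was there before; the safer change is to keep the clear but move it to after a has been serialized for the device (or compute into a temporary BIGNUM when r == a and copy back), and to set r->top from the actual result length before returning.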
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
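The aliasing failure described in this thread, reduced to a toy model as an added example; this is not OpenSSL's or the ubsec engine's code. A tiny 16-bit-limb "bignum" (`tbn`, hypothetical) stands in for BIGNUM, `device_mod_exp` stands in for the accelerator, and the two wrappers show the memset placed before versus after the input is consumed when the caller passes the same object as input and output, as RSA_blinding_on does in the backtrace.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a BIGNUM (not OpenSSL's): little-endian 16-bit limbs,
 * `top` = limbs in use; the (top-1)th limb must be non-zero when top > 0. */
#define LIMBS 4
typedef struct { uint16_t d[LIMBS]; int top; } tbn;

static void tbn_set(tbn *x, uint64_t v) {
    x->top = 0;
    for (int i = 0; i < LIMBS; i++) {
        x->d[i] = (uint16_t)(v >> (16 * i));
        if (x->d[i]) x->top = i + 1;      /* normalise top to the real length */
    }
}

static uint64_t tbn_get(const tbn *x) {
    uint64_t v = 0;
    for (int i = 0; i < x->top; i++) v |= (uint64_t)x->d[i] << (16 * i);
    return v;
}

/* Same sanity check BN_num_bits makes in the backtrace (`l != 0` on the
 * most significant limb), but returns -1 instead of aborting. */
static int tbn_num_bits(const tbn *x) {
    if (x->top == 0) return 0;
    uint16_t l = x->d[x->top - 1];
    if (l == 0) return -1;                /* the assertion would fire here */
    int bits = 0;
    while (l) { bits++; l >>= 1; }
    return 16 * (x->top - 1) + bits;
}

/* Stand-in for the accelerator: square-and-multiply. m must fit in 32 bits
 * so every product fits in uint64_t. */
static uint64_t device_mod_exp(uint64_t a, uint64_t e, uint64_t m) {
    uint64_t r = 1, b = a % m;
    while (e) {
        if (e & 1) r = (r * b) % m;
        b = (b * b) % m;
        e >>= 1;
    }
    return r;
}

/* Buggy wrapper: clears the output limbs before the input has been read.
 * Harmless when r and a are distinct objects, fatal when r == a. */
static int modexp_buggy(tbn *r, const tbn *a, const tbn *e, const tbn *m) {
    memset(r->d, 0, sizeof r->d);         /* mirrors the memset the patch removes */
    if (tbn_num_bits(a) < 0 || tbn_num_bits(m) <= 0) return 0;
    tbn_set(r, device_mod_exp(tbn_get(a), tbn_get(e), tbn_get(m)));
    return 1;
}

/* Fixed wrapper: consume the input first, clear and write the output last. */
static int modexp_fixed(tbn *r, const tbn *a, const tbn *e, const tbn *m) {
    if (tbn_num_bits(a) < 0 || tbn_num_bits(m) <= 0) return 0;
    uint64_t in = tbn_get(a);             /* a is not touched after this line */
    uint64_t out = device_mod_exp(in, tbn_get(e), tbn_get(m));
    memset(r->d, 0, sizeof r->d);         /* safe now, even if r == a */
    tbn_set(r, out);                      /* also sets top from the result */
    return 1;
}

/* In-place call with r == a. Returns the wrapper's status; result via *out. */
static int run_in_place(int (*fn)(tbn *, const tbn *, const tbn *, const tbn *),
                        uint64_t base, uint64_t exp, uint64_t mod, uint64_t *out) {
    tbn x, e, m;
    tbn_set(&x, base); tbn_set(&e, exp); tbn_set(&m, mod);
    int ok = fn(&x, &x, &e, &m);
    *out = tbn_get(&x);
    return ok;
}

/* Checks on the constructed inputs 0x12345 ^ 65537 mod 1000000007 (prime). */
static int buggy_fails_in_place(void) {
    uint64_t o = 1;
    return run_in_place(modexp_buggy, 0x12345, 65537, 1000000007ULL, &o) == 0 && o == 0;
}
static int fixed_works_in_place(void) {
    uint64_t o = 0, ref = device_mod_exp(0x12345, 65537, 1000000007ULL);
    return run_in_place(modexp_fixed, 0x12345, 65537, 1000000007ULL, &o) == 1 && o == ref && o != 0;
}
static int buggy_works_when_distinct(void) {
    tbn r, a, e, m;
    tbn_set(&a, 0x12345); tbn_set(&e, 65537); tbn_set(&m, 1000000007ULL);
    return modexp_buggy(&r, &a, &e, &m) == 1 &&
           tbn_get(&r) == device_mod_exp(0x12345, 65537, 1000000007ULL);
}

int main(void) {
    printf("buggy, r == a: %s\n", buggy_fails_in_place() ? "fails (num_bits check)" : "unexpected");
    printf("fixed, r == a: %s\n", fixed_works_in_place() ? "correct" : "wrong");
    printf("buggy, r != a: %s\n", buggy_works_when_distinct() ? "correct" : "wrong");
    return 0;
}
```

The third check is the reason the bug only shows up with blinding: a separate result BIGNUM hides the early memset, while an in-place call destroys the base before the device ever sees it.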