Hi Geoff,

On Thu, Jun 05, 2003 at 03:47:28PM -0400, Geoff Thorpe wrote:
> On June 5, 2003 08:03 am, Joe Orton wrote:
> > Hi, the changes to enable blinding by default in 0.9.7b appear to break
> > when an ENGINE is in use (for all the ENGINEs I've tested), with an
> > assertion failure:
> >
> > openssl: bn_lib.c:254: BN_num_bits: Assertion `l != 0' failed.
> >
> > and backtrace as follows:
> >
> > #4  0x080b97c7 in BN_num_bits (a=0x81e4fd4) at bn_lib.c:254
> > #5  0x080ce940 in ubsec_mod_exp (r=0x81e4fd4, a=0x81e4fd4, p=0x81cdde8,
> >     m=0x81cdfb8, ctx=0x81e4fd0)
> >     at hw_ubsec.c:578
> > #6  0x080cee37 in ubsec_mod_exp_mont (r=0x81e4fd4, a=0x81e4fd4,
> >     p=0x81cdde8, m=0x81cdfb8, ctx=0x81e4fd0,
> >     m_ctx=0x0) at hw_ubsec.c:722
> > #7  0x080bf6e6 in RSA_blinding_on (rsa=0x81cdf28, p_ctx=0x81e4fd0) at
> >     rsa_lib.c:354
> > #8  0x080bd1aa in rsa_eay_blinding (rsa=0x81cdf28, ctx=0x81e4fd0) at
> >     rsa_eay.c:202
> > #9  0x080bd574 in RSA_eay_private_encrypt (flen=36,
> > etc
>
> I'm surfing this backtrace looking at the HEAD source, so it's possible
> that 0.9.7b has something different to HEAD that can explain this. Are
> you able to look through a couple of those stack frames? According to
> what I see (again, ignoring the faint possibility that 0.9.7b is
> different), BN_num_bits() should be getting called on the public modulus
> of the RSA key, and the assertion that is failing there is a sanity check
> on the BIGNUM data (checking the (a->top - 1)th BN_ULONG is the most
> significant word of the array). If this really does fail on every ENGINE
> but works "in software", then something very quirky is going on and
> disabling blinding will only hide the bug you've found.
Ah, firstly, my apologies, I was out of my tree: I can only get the ubsec
engine to fail like this in 0.9.7b. The other engines I've tried with
0.9.7b work fine.

I think Jonathan Hersch has just answered your question about why this
fails on openssl-users - does this make sense to you? I don't know why
this memset is needed in the first place, though. His suggested fix below
works for me too, without having to set the RSA_FLAG_NO_BLINDING flag.

--- ./hw_ubsec.c.blind	Thu Jun  5 12:49:08 2003
+++ ./hw_ubsec.c	Fri Jun  6 15:32:29 2003
@@ -561,7 +561,6 @@
 		UBSECerr(UBSEC_F_UBSEC_MOD_EXP, UBSEC_R_BN_EXPAND_FAIL);
 		return 0;
 	}
-	memset(r->d, 0, BN_num_bytes(m));
 	if ((fd = p_UBSEC_ubsec_open(UBSEC_KEY_DEVICE_NAME)) <= 0) {
 		fd = 0;

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
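Review bot: the removed memset zeroes r->d for BN_num_bytes(m) bytes before the base a has been read, and the backtrace in the original report shows ubsec_mod_exp() being entered with r and a as the same pointer (r=0x81e4fd4, a=0x81e4fd4), so with the line in place the base's top word is cleared and the `l != 0' sanity check in BN_num_bits() trips. Dropping the line is only safe if the code after this hunk writes every word of r up to the size established by the bn_expand call whose failure is handled just above and then sets r->top; worth a look at how the result is copied back from the device. A comment at the top of the function noting that callers may alias r with a (and m), so r must not be touched until the inputs have been consumed, would stop this from being reintroduced.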
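The backtrace in the report shows ubsec_mod_exp() entered with r and a as the same pointer, which is what the blinding setup does. Added illustration, not code from the thread or from OpenSSL: a toy model of the BIGNUM invariant that the failing assertion checks, using constructed names (BN_MODEL, model_num_bits, modexp_prologue) and values, showing the memset wiping the base before it is read and the patched path leaving it intact.

```c
/* Added illustration, not OpenSSL code: a minimal model of the BIGNUM
 * invariant BN_num_bits() asserts (d[top-1] != 0), showing why the memset
 * in ubsec_mod_exp() breaks when r and a are the same object, as in the
 * backtrace above (r=0x81e4fd4, a=0x81e4fd4). */
#include <stdint.h>
#include <string.h>
typedef uint32_t BN_ULONG;
#define NWORDS 4
typedef struct {
    BN_ULONG d[NWORDS]; /* little-endian words, like BIGNUM->d */
    int top;            /* words in use; d[top-1] must be nonzero */
} BN_MODEL;

/* Mirror of the BN_num_bits() sanity check: returns -1 where the real
 * function would abort on assert(l != 0). */
static int model_num_bits(const BN_MODEL *a)
{
    BN_ULONG l;
    int bits = 0;
    if (a->top == 0)
        return 0;
    l = a->d[a->top - 1];
    if (l == 0)
        return -1;
    while (l) { bits++; l >>= 1; }
    return (a->top - 1) * 32 + bits;
}

/* Model of the ubsec_mod_exp() prologue: optionally zero the result
 * buffer (the line the patch removes), then read the base's bit length
 * as the real code does. Returns -1 if the base's invariant is broken. */
static int modexp_prologue(BN_MODEL *r, const BN_MODEL *a, int zero_result)
{
    if (zero_result)
        memset(r->d, 0, sizeof(r->d)); /* also wipes a when r == a */
    return model_num_bits(a);
}

/* Constructed base: words {1, 2}, top = 2, i.e. 32 + 2 = 34 bits. */
static void sample_base(BN_MODEL *a)
{
    BN_MODEL v = { { 1u, 2u, 0u, 0u }, 2 };
    *a = v;
}

/* Separate r and a: memset is harmless. Aliased with memset: the reported
 * failure. Aliased without memset: the patched code. */
int scenario_separate(void) { BN_MODEL r, a; sample_base(&r); sample_base(&a); return modexp_prologue(&r, &a, 1); }
int scenario_aliased_memset(void) { BN_MODEL a; sample_base(&a); return modexp_prologue(&a, &a, 1); }
int scenario_aliased_patched(void) { BN_MODEL a; sample_base(&a); return modexp_prologue(&a, &a, 0); }
```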