[openssl.org #1612] Bug in EC_POINT_cmp function (with possible fix)
Hi
I believe I've found a bug in the EC_POINT_cmp function.
In particular, if P is a valid point on the curve (other than the point
at infinity) and Q is the point at infinity, then EC_POINT_cmp(group, P,
Q, ctx) returns zero (equal).
But revering the order of the points in the call EC_POINT_cmp(group, Q,
P, ctx) correctly returns 1 (not equal).
I think the problem is in ec_GFp_simple_cmp (ecp_smpl.c) which contains
the following check at the start of the routine:
if (EC_POINT_is_at_infinity(group, a))
{
return EC_POINT_is_at_infinity(group, b) ? 0 : 1;
}
Note that if a is not at infinity, then b is never checked. The
program then proceeds assuming neither point are at infinity, and
returns the default condition 0.
I've verified this still exists in the latest stable snapshot
openssl-0.9.8-stable-SNAP-20071123. I also tried openssl-SNAP-20071123
but got error messages when linking my program. However the file
ecp_smpl.c is unchanged, so I expect the same behaviour.
The problem is fixed by adding the following immediately after the
previous check (note that the case when both are at infinity has already
been tested for):
if (EC_POINT_is_at_infinity(group, b))
{
return 1;
}
Attached are the following files:
testlog : make report output
EC_POINT_cmp_bug.c : My test case
build: A simple compile script for test case
EC_POINT_cmp_bug.patch : Patch to fix the bug
Regards
Robert
#!/bin/sh
g++ -Iopenssl-0.9.8-stable-SNAP-20071123/include EC_POINT_cmp_bug.c
openssl-0.9.8-stable-SNAP-20071123/libcrypto.a -o EC_POINT_cmp_bug
#include openssl/engine.h
int main()
{
BIGNUM *a, *b, *p;
BIGNUM *x, *y;
EC_GROUP *group;
EC_POINT *P, *Q;
int cmpPQ, cmpQP;
const char rnd_seed[] = string to make the random number generator think it has entropy;
// Initialise
CRYPTO_malloc_debug_init();
CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
ERR_load_crypto_strings();
RAND_seed(rnd_seed, sizeof rnd_seed); // or BN_generate_prime may fail
BN_CTX *ctx = BN_CTX_new();
// Curve parameters
p = BN_new(); BN_dec2bn(p, 2003);
a = BN_new(); BN_dec2bn(a, 1132);
b = BN_new(); BN_dec2bn(b, 278);
// Generate curve
group = EC_GROUP_new_curve_GFp(p, a, b, ctx);
// Point coordinates
x = BN_new(); BN_dec2bn(x, 1120);
y = BN_new(); BN_dec2bn(y, 1391);
// Generate point
P = EC_POINT_new(group);
EC_POINT_set_affine_coordinates_GFp(group, P, x, y, ctx);
// Generate point at infinity
Q = EC_POINT_new(group);
EC_POINT_set_to_infinity(group, Q);
// Check points are on curve
if (!EC_POINT_is_on_curve(group, P, ctx) || !EC_POINT_is_on_curve(group, Q, ctx)) {
printf(Error. Points not on curve.\n);
exit(1);
}
// Compare points
cmpPQ = EC_POINT_cmp(group, P, Q, ctx);
cmpQP = EC_POINT_cmp(group, Q, P, ctx);
// Display results (0: equal, 1: not equal)
printf(EC_POINT_cmp(group, P, Q, ctx) = %d (%s)\n, cmpPQ, cmpPQ ? P != Q : P == Q);
printf(EC_POINT_cmp(group, Q, P, ctx) = %d (%s)\n, cmpQP, cmpQP ? Q != P : Q == P);
// Tidy up
BN_free(p);
BN_free(a);
BN_free(b);
BN_free(x);
BN_free(y);
EC_POINT_free(P);
EC_POINT_free(Q);
EC_GROUP_free(group);
// Clean up
if (ctx) BN_CTX_free(ctx);
ENGINE_cleanup();
CRYPTO_cleanup_all_ex_data();
ERR_free_strings();
ERR_remove_state(0);
CRYPTO_mem_leaks_fp(stderr);
return 0;
}
--- openssl-0.9.8-stable-SNAP-20071123/crypto/ec/ecp_smpl.c 2006-03-14 00:04:06.0 +
+++ openssl-0.9.8-stable-SNAP-20071123-fixed/crypto/ec/ecp_smpl.c 2007-11-23 16:40:37.0 +
@@ -1406,6 +1406,11 @@
{
return EC_POINT_is_at_infinity(group, b) ? 0 : 1;
}
+
+ if (EC_POINT_is_at_infinity(group, b))
+ {
+ return 1;
+ }
if (a-Z_is_one b-Z_is_one)
{
OpenSSL self-test report:
OpenSSL version: 0.9.8h-dev
Last change: Implement certificate status request TLS extension defi...
Options: no-camellia no-gmp no-krb5 no-mdc2 no-rc5 no-rfc3779 no-seed
no-shared no-tlsext no-zlib no-zlib-dynamic
OS (uname): Linux ronnie 2.6.17-1.2142_FC4 #1 Tue Jul 11 22:41:06 EDT
2006 x86_64 x86_64 x86_64 GNU/Linux
OS (config): x86_64-whatever-linux2
Target (default): linux-x86_64
Target: linux-x86_64
Compiler: Using built-in specs.
Target: x86_64-redhat-linux
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man
--infodir=/usr/share/info --enable-shared --enable-threads=posix
--enable-checking=release --with-system-zlib --enable-__cxa_atexit
--disable-libunwind-exceptions --enable-libgcj-multifile
--enable-languages=c,c++,objc,java,f95,ada --enable-java-awt=gtk
--with-java-home=/usr/lib/jvm/java-1.4.2-gcj-1.4.2.0/jre
--host=x86_64-redhat-linux
Thread model: posix
gcc version 4.0.2 20051125 (Red Hat 4.0.2-8)
Test passed.
Re: [PATCH] NetWare platform
Hi Peter,
Comment out the align directive. All that's doing is making sure the code
is aligned with the machine cache boundaries for performance.
Unfortunately the COFF object format used on Netware doesn't support that
or at least that's what the assembler says.
It should still run fine without that, just maybe a bit slower.
thanks very much! That solved the COFF issue;
and I was now able to create a patch which solves this so far;
also I found while being on the asm stuff that the Metrowerks Assembler build
is also already broken for 0.9.8; this patch below tries to fix both the
Metrowerks and NASM issue... - well, almost:
--- x86nasm.pl.orig Wed Jul 25 14:01:40 2007
+++ x86nasm.pl Mon Nov 26 18:59:45 2007
@@ -92,6 +92,8 @@
{ my $tmp=___;
%ifdef __omf__
sectioncodeuse32 class=code align=64
+%elifdef __coff__
+section.text code
%else
section.text code align=64
%endif
@@ -102,9 +104,11 @@
sub ::function_begin_B
{ my $func=$under.shift;
+ my $global=(($::mwerks)?.:).global;
+ my $align=(($::mwerks)?.:).align;
my $tmp=___;
-global $func
-align 16
+$global$func
+$align 16
$func:
___
push(@out,$tmp);
@@ -213,7 +217,7 @@
sub ::public_label
{ $label{$_[0]}=${under}${_[0]} if (!defined($label{$_[0]}));
-push(@out,global\t$label{$_[0]}\n);
+push(@out,(($::mwerks)?.:).global\t$label{$_[0]}\n);
}
sub ::label
@@ -235,7 +239,7 @@
{ push(@out,(($::mwerks)?.long\t:dd\t).join(',',@_).\n); }
sub ::align
-{ push(@out,.) if ($::mwerks); push(@out,align\t$_[0]\n);}
+{ push(@out,(($::mwerks)?.:).align\t$_[0]\n); }
sub ::picmeup
{ my($dst,$sym)[EMAIL PROTECTED];
with that I'm now able to produce NASM ELF obj for gcc and COFF obj for
CodeWarrior compiler;
but when using the CodeWarrior assembler then there's still one file broken:
mwasmnlm -maxerrors 20 -o crypto/rc4/asm/r4-nw.o crypto/rc4/asm/r4-nw.asm
### mwasmnlm Assembler:
#File: crypto\rc4\asm\r4-nw.asm
# -
# 112: lea esi,BYTE PTR [1+esi]
# Error:
# Invalid operand size
### mwasmnlm Driver Error:
# The tool did not produce any output while compiling the file
# 'crypto\rc4\asm\r4-nw.asm'
Errors caused tool to abort.
when I replace the BYTE with DWORD it works, but the crazy thing is that in the
same file there's few lines up exactly the same line with DWORD:
@L002loop1:
add bl,cl
mov edx,DWORD PTR [ebx*4+edi]
mov DWORD PTR [ebx*4+edi],ecx
mov DWORD PTR [eax*4+edi],edx
add edx,ecx
inc al
and edx,255
mov edx,DWORD PTR [edx*4+edi]
xor dl,BYTE PTR [esi]
lea esi,DWORD PTR [1+esi] ; here's correct usage of DWORD
mov ecx,DWORD PTR [eax*4+edi]
cmp esi,DWORD PTR [24+esp]
mov BYTE PTR [esi*1+ebp-1],dl
jb @L002loop1
jmp @L004done
.align 16
@L001RC4_CHAR:
movzx ecx,BYTE PTR [eax*1+edi]
@L005cloop1:
add bl,cl
movzx edx,BYTE PTR [ebx*1+edi]
mov BYTE PTR [ebx*1+edi],cl
mov BYTE PTR [eax*1+edi],dl
add dl,cl
movzx edx,BYTE PTR [edx*1+edi]
add al,1
xor dl,BYTE PTR [esi]
lea esi,BYTE PTR [1+esi]; here's the line 112 which
uses BYTE with lea
movzx ecx,BYTE PTR [eax*1+edi]
cmp esi,DWORD PTR [24+esp]
mov BYTE PTR [esi*1+ebp-1],dl
jb @L005cloop1
I think that this is also a problem within x86nasm.pl,
however not yet found where to fix -- somebody who has a hint for me?
please let me know if the above patch is acceptable so far.
thanks, Guenter.
__
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager [EMAIL PROTECTED]
tar warning when extracting SNAP-20071123 and later
Hi, since openssl-SNAP-20071123.tar.gz and later I get at the end of extraction: openssl-SNAP-20071126/util/x86asm.sh tar: A lone zero block at 36520 is this 'normal'? This doesnt happen with openssl-SNAP-20071122.tar.gz though... thanks, Guenter. __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
looking for information on generating RSA key
Hello, I am a novice OpenSSL library user. Currently I am implementing code to generate a RSA key pair. Here is a part of my code: _time_get(tim); RAND_add(tim,sizeof(tim),0); pMiSslCtx = MiSslInitEx( TLSv1_method(), true ); rsa=RSA_generate_key(key_len,RSA_F4,NULLcb,NULL); my key_len is 2048. The code crashes in RSA_generate_key() function call, more particularly in probable_prime(). I am not sure what I am doign wrong here. Any help would be highly apprecaited. Thanks kavita
Re: [PATCH] NetWare platform
Hi all, but when using the CodeWarrior assembler then there's still one file broken: mwasmnlm -maxerrors 20 -o crypto/rc4/asm/r4-nw.o crypto/rc4/asm/r4-nw.asm ### mwasmnlm Assembler: #File: crypto\rc4\asm\r4-nw.asm # - # 112: lea esi,BYTE PTR [1+esi] # Error: # Invalid operand size ### mwasmnlm Driver Error: # The tool did not produce any output while compiling the file # 'crypto\rc4\asm\r4-nw.asm' Errors caused tool to abort. ok, I think I found the place were to fix this: --- rc4-586.pl.orig Thu Apr 26 22:00:56 2007 +++ rc4-586.pl Mon Nov 26 21:56:37 2007 @@ -143,7 +143,7 @@ movz ($ty,BP(0,$dat,$ty)); add(LB($xx),1); xor(LB($ty),BP(0,$inp)); - lea($inp,BP(1,$inp)); + lea($inp,DWP(1,$inp)); movz ($tx,BP(0,$dat,$xx)); cmp($inp,wparam(1)); mov(BP(-1,$out,$inp),LB($ty)); can someone with ASM insight please comment on the correctness of this patch? thanks, Guenter. __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1565] [PATCH] New port for the iSeries (AS/400) for version 0.9.8
Third attempt: Applied AS400.patch to openssl 0.9.8e Need to know location of script files in the tree: cvtascii.sh cvtcnfebcdic.sh cvtpemascii.sh cvtcnfascii.sh cvtebcdic.sh cvtpemebcdic.sh Can you point me to a complete OS400 0.9.8e openssl source tree? Thanks Ronald Ojakian Ingrian __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: [PATCH] NetWare platform - next trial
Hi,
Comment out the align directive. All that's doing is making sure the code
is aligned with the machine cache boundaries for performance.
Unfortunately the COFF object format used on Netware doesn't support that
or at least that's what the assembler says.
It should still run fine without that, just maybe a bit slower.
ok, just tested with SNAP-20071126, and few of my old issues are already fixed
now;
so here's what remains:
--- openssl-SNAP-20071126.orig/crypto/perlasm/x86nasm.pl2007-11-24
18:00:16.0 +0100
+++ openssl-SNAP-20071126/crypto/perlasm/x86nasm.pl 2007-11-26
23:09:17.0 +0100
@@ -94,6 +94,8 @@
{ my $tmp=___;
%ifdef __omf__
sectioncodeuse32 class=code align=64
+%elifdef __coff__
+section.text code
%else
section.text code align=64
%endif
diff -ur openssl-SNAP-20071126.orig/crypto/rc4/asm/rc4-586.pl
openssl-SNAP-20071126/crypto/rc4/asm/rc4-586.pl
--- openssl-SNAP-20071126.orig/crypto/rc4/asm/rc4-586.pl2007-04-26
23:00:56.0 +0200
+++ openssl-SNAP-20071126/crypto/rc4/asm/rc4-586.pl 2007-11-26
23:09:17.0 +0100
@@ -143,7 +143,7 @@
movz ($ty,BP(0,$dat,$ty));
add(LB($xx),1);
xor(LB($ty),BP(0,$inp));
- lea($inp,BP(1,$inp));
+ lea($inp,DWP(1,$inp));
movz ($tx,BP(0,$dat,$xx));
cmp($inp,wparam(1));
mov(BP(-1,$out,$inp),LB($ty));
but now I get a new issue:
mwasmnlm -maxerrors 20 -o crypto\des\asm\d-nw.o .\crypto\des\asm\d-nw.asm
### mwasmnlm Assembler:
#File: crypto\des\asm\d-nw.asm
#
#1147: call @L_DES_encrypt2_begin
# Error: ^
# Unknown identifier, @L_DES_encrypt2_begin
### mwasmnlm Assembler:
#1151: call @L_DES_encrypt2_begin
# Error: ^
# Unknown identifier, @L_DES_encrypt2_begin
### mwasmnlm Assembler:
#1155: call @L_DES_encrypt2_begin
# Error: ^
# Unknown identifier, @L_DES_encrypt2_begin
### mwasmnlm Assembler:
#1266: call @L_DES_encrypt2_begin
# Error: ^
# Unknown identifier, @L_DES_encrypt2_begin
### mwasmnlm Assembler:
#1270: call @L_DES_encrypt2_begin
# Error: ^
# Unknown identifier, @L_DES_encrypt2_begin
### mwasmnlm Assembler:
#1274: call @L_DES_encrypt2_begin
# Error: ^
# Unknown identifier, @L_DES_encrypt2_begin
### mwasmnlm Assembler:
#1366: call @L_DES_encrypt1_begin
# Error: ^
# Unknown identifier, @L_DES_encrypt1_begin
### mwasmnlm Assembler:
#1410: call @L_DES_encrypt1_begin
# Error: ^
# Unknown identifier, @L_DES_encrypt1_begin
### mwasmnlm Assembler:
#1426: call @L_DES_encrypt1_begin
# Error: ^
# Unknown identifier, @L_DES_encrypt1_begin
### mwasmnlm Assembler:
#1451: call @L_DES_encrypt1_begin
# Error: ^
# Unknown identifier, @L_DES_encrypt1_begin
### mwasmnlm Assembler:
#1548: call @L_DES_encrypt3_begin
# Error: ^
# Unknown identifier, @L_DES_encrypt3_begin
### mwasmnlm Assembler:
#1592: call @L_DES_encrypt3_begin
# Error: ^
# Unknown identifier, @L_DES_encrypt3_begin
### mwasmnlm Assembler:
#1608: call @L_DES_decrypt3_begin
# Error: ^
# Unknown identifier, @L_DES_decrypt3_begin
### mwasmnlm Assembler:
#1633: call @L_DES_decrypt3_begin
# Error: ^
# Unknown identifier, @L_DES_decrypt3_begin
### mwasmnlm Driver Error:
# The tool did not produce any output while compiling the file
# 'crypto\des\asm\d-nw.asm'
Errors caused tool to abort.
make: *** [crypto\des\asm\d-nw.o] Error 1
with SNAP-20071122 all files were previously compilable with my fix.
thanks, Guenter.
__
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager [EMAIL PROTECTED]
Re: [PATCH] NetWare platform - next trial
Hi, due to the changes from SNAP-20071122 to SNAP-20071126 I get now compiled: mwasmnlm -maxerrors 20 -o crypto/md5/asm/m5-nw.o crypto/md5/asm/m5-nw.asm mwasmnlm -maxerrors 20 -o crypto/sha/asm/s1-nw.o crypto/sha/asm/s1-nw.asm mwasmnlm -maxerrors 20 -o crypto/ripemd/asm/rm-nw.o crypto/ripemd/asm/rm-nw.asm mwasmnlm -maxerrors 20 -o crypto/des/asm/y-nw.o crypto/des/asm/y-nw.asm mwasmnlm -maxerrors 20 -o crypto/bn/asm/bn-nw.o crypto/bn/asm/bn-nw.asm mwasmnlm -maxerrors 20 -o crypto/rc4/asm/r4-nw.o crypto/rc4/asm/r4-nw.asm and here it starts breaking: mwasmnlm -maxerrors 20 -o crypto/bf/asm/b-nw.o crypto/bf/asm/b-nw.asm ### mwasmnlm Assembler: #File: crypto\bf\asm\b-nw.asm # --- # 740: call @L_BF_encrypt_begin # Error: ^^^ # Unknown identifier, @L_BF_encrypt_begin ### mwasmnlm Assembler: # 788: call @L_BF_encrypt_begin # Error: ^^^ # Unknown identifier, @L_BF_encrypt_begin ### mwasmnlm Assembler: # 808: call @L_BF_decrypt_begin # Error: ^^^ # Unknown identifier, @L_BF_decrypt_begin ### mwasmnlm Assembler: # 837: call @L_BF_decrypt_begin # Error: ^^^ # Unknown identifier, @L_BF_decrypt_begin ### mwasmnlm Driver Error: # The tool did not produce any output while compiling the file # 'crypto\bf\asm\b-nw.asm' Errors caused tool to abort. make: *** [crypto/bf/asm/b-nw.o] Error 1 mwasmnlm -maxerrors 20 -o crypto/cast/asm/c-nw.o crypto/cast/asm/c-nw.asm ### mwasmnlm Assembler: #File: crypto\cast\asm\c-nw.asm # - # 785: call @L_CAST_encrypt_begin # Error: ^ # Unknown identifier, @L_CAST_encrypt_begin ### mwasmnlm Assembler: # 835: call @L_CAST_encrypt_begin # Error: ^ # Unknown identifier, @L_CAST_encrypt_begin ### mwasmnlm Assembler: # 855: call @L_CAST_decrypt_begin # Error: ^ # Unknown identifier, @L_CAST_decrypt_begin ### mwasmnlm Assembler: # 884: call @L_CAST_decrypt_begin # Error: ^ # Unknown identifier, @L_CAST_decrypt_begin ### mwasmnlm Driver Error: # The tool did not produce any output while compiling the file # 'crypto\cast\asm\c-nw.asm' Errors caused tool to abort. make: *** [crypto/cast/asm/c-nw.o] Error 1 mwasmnlm -maxerrors 20 -o crypto\des\asm\d-nw.o .\crypto\des\asm\d-nw.asm ### mwasmnlm Assembler: #File: crypto\des\asm\d-nw.asm # #1147: call @L_DES_encrypt2_begin # Error: ^ # Unknown identifier, @L_DES_encrypt2_begin ### mwasmnlm Assembler: #1151: call @L_DES_encrypt2_begin # Error: ^ # Unknown identifier, @L_DES_encrypt2_begin ### mwasmnlm Assembler: #1155: call @L_DES_encrypt2_begin # Error: ^ # Unknown identifier, @L_DES_encrypt2_begin ### mwasmnlm Assembler: #1266: call @L_DES_encrypt2_begin # Error: ^ # Unknown identifier, @L_DES_encrypt2_begin ### mwasmnlm Assembler: #1270: call @L_DES_encrypt2_begin # Error: ^ # Unknown identifier, @L_DES_encrypt2_begin ### mwasmnlm Assembler: #1274: call @L_DES_encrypt2_begin # Error: ^ # Unknown identifier, @L_DES_encrypt2_begin ### mwasmnlm Assembler: #1366: call @L_DES_encrypt1_begin # Error: ^ # Unknown identifier, @L_DES_encrypt1_begin ### mwasmnlm Assembler: #1410: call @L_DES_encrypt1_begin # Error: ^ # Unknown identifier, @L_DES_encrypt1_begin ### mwasmnlm Assembler: #1426: call @L_DES_encrypt1_begin # Error: ^ # Unknown identifier, @L_DES_encrypt1_begin ### mwasmnlm Assembler: #1451: call @L_DES_encrypt1_begin # Error: ^ # Unknown identifier, @L_DES_encrypt1_begin ### mwasmnlm Assembler: #1548: call @L_DES_encrypt3_begin # Error: ^ # Unknown identifier, @L_DES_encrypt3_begin ### mwasmnlm Assembler: #1592: call @L_DES_encrypt3_begin # Error: ^ # Unknown identifier, @L_DES_encrypt3_begin ### mwasmnlm Assembler: #1608: call @L_DES_decrypt3_begin # Error: ^ # Unknown identifier, @L_DES_decrypt3_begin ### mwasmnlm Assembler: #1633: call @L_DES_decrypt3_begin # Error: ^ # Unknown identifier, @L_DES_decrypt3_begin ### mwasmnlm Driver Error: # The tool did not produce any output while compiling the file # 'crypto\des\asm\d-nw.asm' Errors caused tool to abort. make: *** [crypto\des\asm\d-nw.o] Error 1 mwasmnlm -maxerrors 20 -o crypto/rc5/asm/r5-nw.o crypto/rc5/asm/r5-nw.asm ### mwasmnlm Assembler: #File: crypto\rc5\asm\r5-nw.asm # - # 422: call
