(Affects 1.0.2 only.) In crypto/ec/asm/ecp_nistz256-x86_64.pl, __ecp_nistz256_sqr_montq, under "Now the reduction" there are a number of comments saying "doesn't overflow". Unfortunately, they aren't correct.
Let f be a field element with value 52998265219372519138277318009572834528257482223861497652862868020346603903843. In Montgomery form, it's represented in memory as f*2^256 mod p, which is 58733536287848456860684025065811053850702581988990452502702607007944524443511.

When passed to ecp_nistz256_sqr_mont, this results in the intermediate value (before any reduction) 0x41dd6e8bcf7e19f499c19d0f5f3bba78272201eee64c6a44ca8a4ff275b53fa93b41d5b7035af3effffffff40a05dc36f424ab9438cdec4fa193faebf6ce951. r10 in this case contains 0xffffffff40a05dc3 and the high-word output of the multiplication after "# First iteration" is 0xfa193fad. The addition of r8 and r9 overflows into it, leaving it as 0xfa193fae. The addition of rax and r9 also sets the carry flag, thus the final add-with-carry of rdx into r10 easily overflows and leaves r10 as 0x3ab99d72.

Additionally, I'm not sure about any of the other cases in the same function that have been annotated the same way. There is also a similar annotation in ecp_nistz256_mul_mont that I've not investigated.

Cheers

AGL

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org