Hello,
this is a follow-up to #3891
(https://mta.openssl.org/pipermail/openssl-dev/2015-June/001667.html). Kurt
Roeckx has committed many fixes to the bugs aggregated in that report. Since then,
we have been replaying the tests in a recent OpenSSL development version,
posterior to these commits,

On Mon, Oct 19, 2015 at 08:10:01PM +0200, Kurt Roeckx wrote:
> The manpage says that for BN_add(), BN_mul(), BN_sqr(), BN_mod_mul()
> and BN_gcd() r can be one of the other BIGNUMs that got passed, but
> it doesn't say so for BN_sub().

BN_add() can of course already call BN_usub(), and BN_uadd()

On Mon, Oct 19, 2015 at 08:10:01PM +0200, Kurt Roeckx wrote:
> The manpage says that for BN_add(), BN_mul(), BN_sqr(), BN_mod_mul()
> and BN_gcd() r can be one of the other BIGNUMs that got passed, but
> it doesn't say so for BN_sub(). So one could also argue that
> probable_prime_dh_safe()

On Mon, Oct 19, 2015 at 03:55:09PM +, Pascal Cuoq via RT wrote:
>
> One actual sequence for which the pointers ap and rp end up being identical
> is as follows:
>
> 1/ probable_prime_dh_safe calls BN_sub(q, q, t1)
>
> 2/ in BN_sub, r and a are then aliases
>
> 3/ BN_sub calls BN_usub(r,