As of 67cb49d045 and the corresponding upstream change, BN_mod_word may fail,
like BN_div_word. Handle this properly and document it in bn.h. Thanks to Brian
Smith for pointing this out.
Change-Id: I6d4f32dc37bcabf70847c9a8b417d55d31b3a380
Reviewed-on: https://boringssl-review.googlesource.com/8491
Reviewed-by: Adam Langley <agl@google.com>
@@ -852,7 +852,7 @@ static bool test_div_word(FILE *fp) { | |||||
BN_ULONG s = b->d[0]; | BN_ULONG s = b->d[0]; | ||||
BN_ULONG rmod = BN_mod_word(b.get(), s); | BN_ULONG rmod = BN_mod_word(b.get(), s); | ||||
BN_ULONG r = BN_div_word(b.get(), s); | BN_ULONG r = BN_div_word(b.get(), s); | ||||
if (r == (BN_ULONG)-1) { | |||||
if (r == (BN_ULONG)-1 || rmod == (BN_ULONG)-1) { | |||||
return false; | return false; | ||||
} | } | ||||
@@ -496,7 +496,11 @@ int BN_is_prime_fasttest_ex(const BIGNUM *a, int checks, BN_CTX *ctx_passed, | |||||
if (do_trial_division) { | if (do_trial_division) { | ||||
for (i = 1; i < NUMPRIMES; i++) { | for (i = 1; i < NUMPRIMES; i++) { | ||||
if (BN_mod_word(a, primes[i]) == 0) { | |||||
BN_ULONG mod = BN_mod_word(a, primes[i]); | |||||
if (mod == (BN_ULONG)-1) { | |||||
goto err; | |||||
} | |||||
if (mod == 0) { | |||||
return 0; | return 0; | ||||
} | } | ||||
} | } | ||||
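Review bot: The new `goto err` in the trial-division loop adds a third outcome next to the `return 0` for a composite, and nothing at the jump says what `err` returns at this point. The body of BN_is_prime_fasttest_ex starts and ends outside the hunk, so `err` presumably yields the function's error value, but that holds only if the result variable is still at its error default and the cleanup under `err` is safe this early. I would add a comment above the jump, `/* BN_mod_word failed; report an error rather than "composite" or "prime". */`, and confirm that no caller treats every non-zero return as prime.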
@@ -653,7 +657,11 @@ again: | |||||
/* we now have a random number 'rnd' to test. */ | /* we now have a random number 'rnd' to test. */ | ||||
for (i = 1; i < NUMPRIMES; i++) { | for (i = 1; i < NUMPRIMES; i++) { | ||||
mods[i] = (uint16_t)BN_mod_word(rnd, (BN_ULONG)primes[i]); | |||||
BN_ULONG mod = BN_mod_word(rnd, (BN_ULONG)primes[i]); | |||||
if (mod == (BN_ULONG)-1) { | |||||
return 0; | |||||
} | |||||
mods[i] = (uint16_t)mod; | |||||
} | } | ||||
/* If bits is so small that it fits into a single word then we | /* If bits is so small that it fits into a single word then we | ||||
* additionally don't want to exceed that many bits. */ | * additionally don't want to exceed that many bits. */ | ||||
@@ -753,7 +761,11 @@ static int probable_prime_dh(BIGNUM *rnd, int bits, const BIGNUM *add, | |||||
loop: | loop: | ||||
for (i = 1; i < NUMPRIMES; i++) { | for (i = 1; i < NUMPRIMES; i++) { | ||||
/* check that rnd is a prime */ | /* check that rnd is a prime */ | ||||
if (BN_mod_word(rnd, (BN_ULONG)primes[i]) <= 1) { | |||||
BN_ULONG mod = BN_mod_word(rnd, (BN_ULONG)primes[i]); | |||||
if (mod == (BN_ULONG)-1) { | |||||
goto err; | |||||
} | |||||
if (mod <= 1) { | |||||
if (!BN_add(rnd, rnd, add)) { | if (!BN_add(rnd, rnd, add)) { | ||||
goto err; | goto err; | ||||
} | } | ||||
@@ -825,8 +837,12 @@ loop: | |||||
/* check that p and q are prime */ | /* check that p and q are prime */ | ||||
/* check that for p and q | /* check that for p and q | ||||
* gcd(p-1,primes) == 1 (except for 2) */ | * gcd(p-1,primes) == 1 (except for 2) */ | ||||
if ((BN_mod_word(p, (BN_ULONG)primes[i]) == 0) || | |||||
(BN_mod_word(q, (BN_ULONG)primes[i]) == 0)) { | |||||
BN_ULONG pmod = BN_mod_word(p, (BN_ULONG)primes[i]); | |||||
BN_ULONG qmod = BN_mod_word(q, (BN_ULONG)primes[i]); | |||||
if (pmod == (BN_ULONG)-1 || qmod == (BN_ULONG)-1) { | |||||
goto err; | |||||
} | |||||
if (pmod == 0 || qmod == 0) { | |||||
if (!BN_add(p, p, padd)) { | if (!BN_add(p, p, padd)) { | ||||
goto err; | goto err; | ||||
} | } | ||||
@@ -173,11 +173,17 @@ int DH_check(const DH *dh, int *ret) { | |||||
} | } | ||||
} else if (BN_is_word(dh->g, DH_GENERATOR_2)) { | } else if (BN_is_word(dh->g, DH_GENERATOR_2)) { | ||||
l = BN_mod_word(dh->p, 24); | l = BN_mod_word(dh->p, 24); | ||||
if (l == (BN_ULONG)-1) { | |||||
goto err; | |||||
} | |||||
if (l != 11) { | if (l != 11) { | ||||
*ret |= DH_CHECK_NOT_SUITABLE_GENERATOR; | *ret |= DH_CHECK_NOT_SUITABLE_GENERATOR; | ||||
} | } | ||||
} else if (BN_is_word(dh->g, DH_GENERATOR_5)) { | } else if (BN_is_word(dh->g, DH_GENERATOR_5)) { | ||||
l = BN_mod_word(dh->p, 10); | l = BN_mod_word(dh->p, 10); | ||||
if (l == (BN_ULONG)-1) { | |||||
goto err; | |||||
} | |||||
if (l != 3 && l != 7) { | if (l != 3 && l != 7) { | ||||
*ret |= DH_CHECK_NOT_SUITABLE_GENERATOR; | *ret |= DH_CHECK_NOT_SUITABLE_GENERATOR; | ||||
} | } | ||||
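Review bot: Both new `goto err` branches leave before `DH_CHECK_NOT_SUITABLE_GENERATOR` can be set, so on a BN_mod_word failure `*ret` carries no verdict on the generator. DH_check starts and ends outside the hunk; if `err` returns failure this is correct, but a caller that reads only the flags would take unchecked parameters as acceptable. A comment at the first check would make the contract explicit: `/* BN_mod_word failed: |*ret| is incomplete, callers must check the return value. */`. The comparison also assumes `l` is declared as `BN_ULONG`; with a narrower type `l == (BN_ULONG)-1` would never be true.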
@@ -502,7 +502,7 @@ OPENSSL_EXPORT int BN_mask_bits(BIGNUM *a, int n); | |||||
/* Modulo arithmetic. */ | /* Modulo arithmetic. */ | ||||
/* BN_mod_word returns |a| mod |w|. */ | |||||
/* BN_mod_word returns |a| mod |w| or (BN_ULONG)-1 on error. */ | |||||
OPENSSL_EXPORT BN_ULONG BN_mod_word(const BIGNUM *a, BN_ULONG w); | OPENSSL_EXPORT BN_ULONG BN_mod_word(const BIGNUM *a, BN_ULONG w); | ||||
/* BN_mod is a helper macro that calls |BN_div| and discards the quotient. */ | /* BN_mod is a helper macro that calls |BN_div| and discards the quotient. */ | ||||
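Review bot: The new comment on BN_mod_word names the error value but not how a caller should test for it. Since a remainder is always smaller than |w|, `(BN_ULONG)-1` can never be a valid result, and the check has to happen on the full `BN_ULONG` before the value is narrowed or compared with small constants. I would extend the comment to `/* BN_mod_word returns |a| mod |w| or (BN_ULONG)-1 on error. Check for the error value before truncating the result. */`.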