File openssl-CVE-2024-13176.patch of Package openssl-1_1
diff -Naru openssl-1.1.1w_orig/crypto/bn/bn_exp.c openssl-1.1.1w/crypto/bn/bn_exp.c
--- openssl-1.1.1w_orig/crypto/bn/bn_exp.c 2023-09-11 23:08:11.000000000 +0900
+++ openssl-1.1.1w/crypto/bn/bn_exp.c 2025-10-03 12:27:29.779604865 +0900
@@ -601,7 +601,7 @@
* out by Colin Percival,
* http://www.daemonology.net/hyperthreading-considered-harmful/)
*/
-int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
+int bn_mod_exp_mont_fixed_top(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
const BIGNUM *m, BN_CTX *ctx,
BN_MONT_CTX *in_mont)
{
@@ -618,10 +618,6 @@
unsigned int t4 = 0;
#endif
- bn_check_top(a);
- bn_check_top(p);
- bn_check_top(m);
-
if (!BN_is_odd(m)) {
BNerr(BN_F_BN_MOD_EXP_MONT_CONSTTIME, BN_R_CALLED_WITH_EVEN_MODULUS);
return 0;
@@ -1141,7 +1137,7 @@
goto err;
} else
#endif
- if (!BN_from_montgomery(rr, &tmp, mont, ctx))
+ if (!bn_from_mont_fixed_top(rr, &tmp, mont, ctx))
goto err;
ret = 1;
err:
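Review bot: Only the generic exit path is switched to `bn_from_mont_fixed_top()` here; the branch ending in `goto err; } else` just above the `#endif` is untouched and begins outside this hunk, so it is not visible whether it also leaves `rr` fixed-top. If that branch still goes through a normalising routine, builds that take it would keep a result whose word count depends on the value, and the new caller in `ec_lib.c` would see a different representation on those builds. This is worth confirming against the full function, and recording with a line such as `/* NOTE: the #if branch above must also leave rr fixed-top */`.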
@@ -1155,6 +1151,19 @@
return ret;
}
+int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
+ const BIGNUM *m, BN_CTX *ctx,
+ BN_MONT_CTX *in_mont)
+{
+ bn_check_top(a);
+ bn_check_top(p);
+ bn_check_top(m);
+ if (!bn_mod_exp_mont_fixed_top(rr, a, p, m, ctx, in_mont))
+ return 0;
+ bn_correct_top(rr);
+ return 1;
+}
+
int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p,
const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont)
{
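Review bot: The new public wrapper and the internal function it calls carry no comment stating the contract that now separates them: `bn_mod_exp_mont_fixed_top()` returns `rr` without normalising it, and `BN_mod_exp_mont_consttime()` is the one that calls `bn_correct_top(rr)`. I would add above the wrapper `/* Public entry point: checks the operands and normalises rr; the _fixed_top variant does neither. */`, with a matching line on the prototype added to `include/crypto/bn.h`. The `bn_check_top()` calls on `a`, `p` and `m` now live only in the wrapper, so internal callers of the `_fixed_top` function skip them.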
diff -Naru openssl-1.1.1w_orig/crypto/ec/ec_lib.c openssl-1.1.1w/crypto/ec/ec_lib.c
--- openssl-1.1.1w_orig/crypto/ec/ec_lib.c 2025-10-03 12:24:25.536563470 +0900
+++ openssl-1.1.1w/crypto/ec/ec_lib.c 2025-10-03 12:40:25.122348148 +0900
@@ -14,6 +14,7 @@
#include <openssl/opensslv.h>
#include "ec_local.h"
+#include "crypto/bn.h"
/* functions for EC_GROUP objects */
@@ -1168,10 +1169,10 @@
if (!BN_sub(e, group->order, e))
goto err;
/*-
- * Exponent e is public.
- * No need for scatter-gather or BN_FLG_CONSTTIME.
+ * Although the exponent is public we want the result to be
+ * fixed top.
*/
- if (!BN_mod_exp_mont(r, x, e, group->order, ctx, group->mont_data))
+ if (!bn_mod_exp_mont_fixed_top(r, x, e, group->order, ctx, group->mont_data))
goto err;
ret = 1;
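Review bot: After this change `r` leaves the function fixed-top rather than normalised, and the new comment says so without stating what that obliges callers to do or why it matters. The patch name ties this to CVE-2024-13176, so presumably the value being inverted is secret and a normalised `r` would expose its length through timing. The callers are outside this diff, and each should be checked to consume `r` through `_fixed_top` helpers or to call `bn_correct_top()` only once the value is no longer secret-dependent. I would extend the comment with `* Callers must not rely on r->top; normalise only after the secret-dependent steps.`. The enclosing function starts and ends outside the hunk.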
diff -Naru openssl-1.1.1w_orig/include/crypto/bn.h openssl-1.1.1w/include/crypto/bn.h
--- openssl-1.1.1w_orig/include/crypto/bn.h 2023-09-11 23:08:11.000000000 +0900
+++ openssl-1.1.1w/include/crypto/bn.h 2025-10-03 12:27:29.780604864 +0900
@@ -72,6 +72,9 @@
*/
int bn_mul_mont_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
BN_MONT_CTX *mont, BN_CTX *ctx);
+int bn_mod_exp_mont_fixed_top(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
+ const BIGNUM *m, BN_CTX *ctx,
+ BN_MONT_CTX *in_mont);
int bn_to_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
BN_CTX *ctx);
int bn_from_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,