avoid potential infinite loop in final reduction round of BN_GF2m_mod_arr()

Submitted by: Huang Ying
Reviewed by: Douglas Stebila

diff --git a/CHANGES b/CHANGES
index 826a29e666ff50d0298a1e5d31e0b1969a3bf970..b78c8d1012134c1e2d7d04e054aee5ebf895d08c 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,12 +4,16 @@
 
  Changes between 0.9.8h and 0.9.8i  [xx XXX xxxx]
 
+  *) Fix BN_GF2m_mod_arr() top-bit cleanup code.
+     [Huang Ying]
+
   *) Expand ENGINE to support engine supplied SSL client certificate functions.
 
      This work was sponsored by Logica.
      [Steve Henson]
 
-  *) Add CryptoAPI ENGINE to support use of RSA and DSA keys held in Windows         keystores. Support for SSL/TLS client authentication too.
+  *) Add CryptoAPI ENGINE to support use of RSA and DSA keys held in Windows
+     keystores. Support for SSL/TLS client authentication too.
      Not compiled unless enable-capieng specified to Configure.
 
      This work was sponsored by Logica.

diff --git a/crypto/bn/bn_gf2m.c b/crypto/bn/bn_gf2m.c
index 6a793857e1305f19a548674a2d69a4bb7abb3111..306f029f2789c907c6fcc949a760622f6b977aa8 100644 (file)
--- a/crypto/bn/bn_gf2m.c
+++ b/crypto/bn/bn_gf2m.c
@@ -384,7 +384,11 @@ int BN_GF2m_mod_arr(BIGNUM *r, const BIGNUM *a, const unsigned int p[])
                if (zz == 0) break;
                d1 = BN_BITS2 - d0;
                
-               if (d0) z[dN] = (z[dN] << d1) >> d1; /* clear up the top d1 bits */
+               /* clear up the top d1 bits */
+               if (d0)
+                       z[dN] = (z[dN] << d1) >> d1;
+               else
+                       z[dN] = 0;
                z[0] ^= zz; /* reduction t^0 component */
 
                for (k = 1; p[k] != 0; k++)