authorTheo Buehler <tb@cvs.openbsd.org>2023-03-26 18:49:49 +0000
committerTheo Buehler <tb@cvs.openbsd.org>2023-03-26 18:49:49 +0000
commit5f2d3f58f710ed2ec10693c8866625ac0301f32f (patch)
tree867167033988a2bcf8411b3307e4b839f2ba1a4e /lib/libcrypto/bn
parent95d933e6c51de0abb144813cb6598bc267e16b91 (diff)
Correctly reduce negative input to BN_mod_exp2_mont()
Negative bases could result in a negative modulus being returned. This is not strictly speaking incorrect but slightly surprising. This is all a consequence of the shortcut of defining BN_mod() as a macro using BN_div(). Fixes ossfuzz #55997 ok jsing
Diffstat (limited to 'lib/libcrypto/bn')
-rw-r--r--lib/libcrypto/bn/bn_exp.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/lib/libcrypto/bn/bn_exp.c b/lib/libcrypto/bn/bn_exp.c
index 9abf574b576..ba9b2700f19 100644
--- a/lib/libcrypto/bn/bn_exp.c
+++ b/lib/libcrypto/bn/bn_exp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_exp.c,v 1.38 2023/03/15 04:30:20 jsing Exp $ */
+/* $OpenBSD: bn_exp.c,v 1.39 2023/03/26 18:49:48 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -1206,7 +1206,7 @@ BN_mod_exp2_mont(BIGNUM *rr, const BIGNUM *a1, const BIGNUM *p1,
* Build table for a1: val1[i] := a1^(2*i + 1) mod m for i = 0 .. 2^(window1-1)
*/
if (a1->neg || BN_ucmp(a1, m) >= 0) {
- if (!BN_mod_ct(val1[0], a1, m, ctx))
+ if (!BN_nnmod(val1[0], a1, m, ctx))
goto err;
a_mod_m = val1[0];
} else
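Review bot: The new `BN_nnmod()` call for `val1[0]` has no comment saying why a non-negative residue is required, so a later cleanup could swap it back to `BN_mod_ct()` and reintroduce the negative result the commit message describes; the same applies to the `val2[0]` call in the next hunk. I would add above each call something like `/* Reduce into [0, m): BN_mod_ct() can leave a negative remainder for negative input. */`. The new call also drops the explicit `_ct` suffix, so it is worth confirming that `BN_nnmod()` still reduces through the constant-time division path, in case any caller passes a secret base. No regression test with a negative `a1` or `a2` is visible here, though the diffstat is limited to lib/libcrypto/bn. The body of `BN_mod_exp2_mont()` starts and ends outside both hunks.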
@@ -1237,7 +1237,7 @@ BN_mod_exp2_mont(BIGNUM *rr, const BIGNUM *a1, const BIGNUM *p1,
* Build table for a2: val2[i] := a2^(2*i + 1) mod m for i = 0 .. 2^(window2-1)
*/
if (a2->neg || BN_ucmp(a2, m) >= 0) {
- if (!BN_mod_ct(val2[0], a2, m, ctx))
+ if (!BN_nnmod(val2[0], a2, m, ctx))
goto err;
a_mod_m = val2[0];
} else