diff options
author | Tomas Mraz <tomas@openssl.org> | 2022-11-08 17:43:22 +0100 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2022-11-10 17:41:55 +0100 |
commit | 4378e3cd2a4d73a97a2349efaa143059d8ed05e8 (patch) | |
tree | 1a9c620c23fd337fb8b13e03baa06e7c499ff85e /crypto/bn | |
parent | 75fcf1062817421d8c5850ad0d52a913a2e6499a (diff) | |
download | openssl-new-4378e3cd2a4d73a97a2349efaa143059d8ed05e8.tar.gz |
Limit size of modulus for BN_mod_exp_mont_consttime()
Otherwise the powerbufLen can overflow.
Issue reported by Jiayi Lin.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/19632)
Diffstat (limited to 'crypto/bn')
-rw-r--r-- | crypto/bn/bn_exp.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c index c7b62232f3..1f6532dc6b 100644 --- a/crypto/bn/bn_exp.c +++ b/crypto/bn/bn_exp.c @@ -615,6 +615,15 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, top = m->top; + if (in_mont != NULL && BN_is_zero(&in_mont->N)) { + ERR_raise(ERR_LIB_BN, ERR_R_PASSED_INVALID_ARGUMENT); + return 0; + } + if ((unsigned int)top > INT_MAX / sizeof(m->d[0]) / (1 << 8)) { + /* Prevent overflowing the powerbufLen computation below */ + ERR_raise(ERR_LIB_BN, BN_R_BIGNUM_TOO_LONG); + return 0; + } /* * Use all bits stored in |p|, rather than |BN_num_bits|, so we do not leak * whether the top bits are zero. |