Limit size of modulus for BN_mod_exp_mont_consttime()

Otherwise the powerbufLen can overflow. Issue reported by Jiayi Lin. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/19632)
author: Tomas Mraz <tomas@openssl.org> 2022-11-08 17:43:22 +0100
committer: Tomas Mraz <tomas@openssl.org> 2022-11-10 17:41:55 +0100
commit: 4378e3cd2a4d73a97a2349efaa143059d8ed05e8 (patch)
tree: 1a9c620c23fd337fb8b13e03baa06e7c499ff85e /crypto/bn
parent: 75fcf1062817421d8c5850ad0d52a913a2e6499a (diff)
download: openssl-new-4378e3cd2a4d73a97a2349efaa143059d8ed05e8.tar.gz
1 files changed, 9 insertions, 0 deletions
diff --git a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c
index c7b62232f3..1f6532dc6b 100644
--- a/crypto/bn/bn_exp.c
+++ b/crypto/bn/bn_exp.c
@@ -615,6 +615,15 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
 
     top = m->top;
 
+    if (in_mont != NULL && BN_is_zero(&in_mont->N)) {
+        ERR_raise(ERR_LIB_BN, ERR_R_PASSED_INVALID_ARGUMENT);
+        return 0;
+    }
+    if ((unsigned int)top > INT_MAX / sizeof(m->d[0]) / (1 << 8)) {
+        /* Prevent overflowing the powerbufLen computation below */
+        ERR_raise(ERR_LIB_BN, BN_R_BIGNUM_TOO_LONG);
+        return 0;
+    }
     /*
      * Use all bits stored in |p|, rather than |BN_num_bits|, so we do not leak
      * whether the top bits are zero.
author	Tomas Mraz <tomas@openssl.org>	2022-11-08 17:43:22 +0100
committer	Tomas Mraz <tomas@openssl.org>	2022-11-10 17:41:55 +0100
commit	4378e3cd2a4d73a97a2349efaa143059d8ed05e8 (patch)
tree	1a9c620c23fd337fb8b13e03baa06e7c499ff85e /crypto/bn
parent	75fcf1062817421d8c5850ad0d52a913a2e6499a (diff)
download	openssl-new-4378e3cd2a4d73a97a2349efaa143059d8ed05e8.tar.gz