Prevent negative zero from being created via BN bit functions.

4a6f656c · 4a6f656c · commit 7c058c6a061d · 2024-04-15T14:35:25.000Z
Both BN_clear_bit() and BN_mask_bits() can create zero values - in both
cases ensure that the negative sign is correctly handled if the value
becomes zero.

Thanks to Guido Vranken for providing a reproducer.

Fixes oss-fuzz #67901

ok tb@
diff --git a/lib/libcrypto/bn/bn_lib.c b/lib/libcrypto/bn/bn_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_lib.c,v 1.90 2023/07/28 10:35:14 tb Exp $ */
+/* $OpenBSD: bn_lib.c,v 1.91 2024/04/15 14:35:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -438,6 +438,9 @@ BN_clear_bit(BIGNUM *a, int n)
 
 	a->d[i] &= (~(((BN_ULONG)1) << j));
 	bn_correct_top(a);
+
+	BN_set_negative(a, a->neg);
+
 	return (1);
 }
 LCRYPTO_ALIAS(BN_clear_bit);
@@ -476,6 +479,9 @@ BN_mask_bits(BIGNUM *a, int n)
 		a->d[w] &= ~(BN_MASK2 << b);
 	}
 	bn_correct_top(a);
+
+	BN_set_negative(a, a->neg);
+
 	return (1);
 }
 LCRYPTO_ALIAS(BN_mask_bits);

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-/* $OpenBSD: bn_lib.c,v 1.90 2023/07/28 10:35:14 tb Exp $ */`
	`1`	`+/* $OpenBSD: bn_lib.c,v 1.91 2024/04/15 14:35:25 jsing Exp $ */`
`2`	`2`	`/* Copyright (C) 1995-1998 Eric Young ([email protected])`
`3`	`3`	`* All rights reserved.`
`4`	`4`	`*`
`@@ -438,6 +438,9 @@ BN_clear_bit(BIGNUM *a, int n)`
`438`	`438`
`439`	`439`	`a->d[i] &= (~(((BN_ULONG)1) << j));`
`440`	`440`	`bn_correct_top(a);`
	`441`	`+`
	`442`	`+ BN_set_negative(a, a->neg);`
	`443`	`+`
`441`	`444`	`return (1);`
`442`	`445`	`}`
`443`	`446`	`LCRYPTO_ALIAS(BN_clear_bit);`
`@@ -476,6 +479,9 @@ BN_mask_bits(BIGNUM *a, int n)`
`476`	`479`	`a->d[w] &= ~(BN_MASK2 << b);`
`477`	`480`	`}`
`478`	`481`	`bn_correct_top(a);`
	`482`	`+`
	`483`	`+ BN_set_negative(a, a->neg);`
	`484`	`+`
`479`	`485`	`return (1);`
`480`	`486`	`}`
`481`	`487`	`LCRYPTO_ALIAS(BN_mask_bits);`