Check for 0 modulus in BN_MONT_CTX_set.
The function BN_MONT_CTX_set was assuming that the modulus was non-zero
and therefore that |mod->top| > 0. In an error situation that may not be
the case and could cause a seg fault.
This is a follow on from CVE-2015-1794.
(Imported from upstream's 512368c9ed4d53fb230000e83071eb81bf628b22.)
The CVE itself doesn't affect us as the bit strength check in the DHE logic
excludes zero.
Also add tests to bn_test for a couple of division by zero cases. (This and
BN_div.)
Change-Id: Ibd8ef98d6be48eb95110021c23cd8e278656764d
Reviewed-on: https://boringssl-review.googlesource.com/5690
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/crypto/bn/bn_test.cc b/crypto/bn/bn_test.cc
index f9f83d3..e1588f7 100644
--- a/crypto/bn/bn_test.cc
+++ b/crypto/bn/bn_test.cc
@@ -488,6 +488,14 @@
return false;
}
+ // Test the BN_div checks for division by zero.
+ BN_zero(b.get());
+ if (BN_div(d.get(), c.get(), a.get(), b.get(), ctx)) {
+ fprintf(stderr, "Divided by zero!\n");
+ return false;
+ }
+ ERR_clear_error();
+
return true;
}
@@ -912,6 +920,14 @@
return false;
}
}
+
+ BN_zero(n.get());
+ if (BN_MONT_CTX_set(mont.get(), n.get(), ctx)) {
+ fprintf(stderr, "Division by zero!\n");
+ return false;
+ }
+ ERR_clear_error();
+
return true;
}
diff --git a/crypto/bn/montgomery.c b/crypto/bn/montgomery.c
index 152cf2d..c6c9c88 100644
--- a/crypto/bn/montgomery.c
+++ b/crypto/bn/montgomery.c
@@ -110,6 +110,7 @@
#include <string.h>
+#include <openssl/err.h>
#include <openssl/mem.h>
#include <openssl/thread.h>
@@ -176,6 +177,11 @@
BIGNUM tmod;
BN_ULONG buf[2];
+ if (BN_is_zero(mod)) {
+ OPENSSL_PUT_ERROR(BN, BN_R_DIV_BY_ZERO);
+ return 0;
+ }
+
BN_CTX_start(ctx);
Ri = BN_CTX_get(ctx);
if (Ri == NULL) {
