Make OSSL_PARAM_BLD_push_BN{,_pad}() return an error on negative numbers

Adding documentation to that fact as well.

Fixes #17070

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17074)

diff --git a/crypto/param_build.c b/crypto/param_build.c
index e64deaa88fbb3c2b8cefca61ee78925b7076267d..eaece0026dea2186da710a0d54e70f07d34a0d2a 100644 (file)
--- a/crypto/param_build.c
+++ b/crypto/param_build.c
@@ -204,6 +204,12 @@ int OSSL_PARAM_BLD_push_BN_pad(OSSL_PARAM_BLD *bld, const char *key,
     OSSL_PARAM_BLD_DEF *pd;
 
     if (bn != NULL) {
+        if (BN_is_negative(bn)) {
+            ERR_raise_data(ERR_LIB_CRYPTO, ERR_R_UNSUPPORTED,
+                           "Negative big numbers are unsupported for OSSL_PARAM");
+            return 0;
+        }
+
         n = BN_num_bytes(bn);
         if (n < 0) {
             ERR_raise(ERR_LIB_CRYPTO, CRYPTO_R_ZERO_LENGTH_NUMBER);

diff --git a/doc/man3/OSSL_PARAM_BLD.pod b/doc/man3/OSSL_PARAM_BLD.pod
index d07eff6f27055471a0dbe1b94b062ab5a0df928e..114ce44489cdb5b9f05d8ec7f8ddab39c16be9d3 100644 (file)
--- a/doc/man3/OSSL_PARAM_BLD.pod
+++ b/doc/man3/OSSL_PARAM_BLD.pod
@@ -124,6 +124,11 @@ on error.
 All of the OSSL_PARAM_BLD_push_TYPE functions return 1 on success and 0
 on error.
 
+=head1 NOTES
+
+OSSL_PARAM_BLD_push_BN() and OSSL_PARAM_BLD_push_BN_pad() currently only
+support nonnegative B<BIGNUM>s.  They return an error on negative B<BIGNUM>s.
+
 =head1 EXAMPLES
 
 Both examples creating an OSSL_PARAM array that contains an RSA key.