From: Richard Levitte Date: Fri, 19 Nov 2021 12:18:34 +0000 (+0100) Subject: Make OSSL_PARAM_BLD_push_BN{,_pad}() return an error on negative numbers X-Git-Tag: openssl-3.2.0-alpha1~3300 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=db65eabefe76e44818ff8bd19c68990e7dcc70d3;p=thirdparty%2Fopenssl.git Make OSSL_PARAM_BLD_push_BN{,_pad}() return an error on negative numbers Adding documentation to that fact as well. Fixes #17070 Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/17074) --- diff --git a/crypto/param_build.c b/crypto/param_build.c index e64deaa88fb..eaece0026de 100644 --- a/crypto/param_build.c +++ b/crypto/param_build.c @@ -204,6 +204,12 @@ int OSSL_PARAM_BLD_push_BN_pad(OSSL_PARAM_BLD *bld, const char *key, OSSL_PARAM_BLD_DEF *pd; if (bn != NULL) { + if (BN_is_negative(bn)) { + ERR_raise_data(ERR_LIB_CRYPTO, ERR_R_UNSUPPORTED, + "Negative big numbers are unsupported for OSSL_PARAM"); + return 0; + } + n = BN_num_bytes(bn); if (n < 0) { ERR_raise(ERR_LIB_CRYPTO, CRYPTO_R_ZERO_LENGTH_NUMBER); diff --git a/doc/man3/OSSL_PARAM_BLD.pod b/doc/man3/OSSL_PARAM_BLD.pod index d07eff6f270..114ce44489c 100644 --- a/doc/man3/OSSL_PARAM_BLD.pod +++ b/doc/man3/OSSL_PARAM_BLD.pod @@ -124,6 +124,11 @@ on error. All of the OSSL_PARAM_BLD_push_TYPE functions return 1 on success and 0 on error. +=head1 NOTES + +OSSL_PARAM_BLD_push_BN() and OSSL_PARAM_BLD_push_BN_pad() currently only +support nonnegative Bs. They return an error on negative Bs. + =head1 EXAMPLES Both examples creating an OSSL_PARAM array that contains an RSA key.
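Review bot: the BN_is_negative() check at the top of the `if (bn != NULL)` branch in crypto/param_build.c is added only to OSSL_PARAM_BLD_push_BN_pad(), while the subject line promises the same behaviour for OSSL_PARAM_BLD_push_BN(). The hunk does not show how OSSL_PARAM_BLD_push_BN() reaches this code, so confirm that it goes through OSSL_PARAM_BLD_push_BN_pad() for every input, or add the same check there. The patch touches only param_build.c and the POD file; a test that pushes a negative BIGNUM through both functions and expects a return of 0 with ERR_R_UNSUPPORTED on the error queue would pin the new behaviour down.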
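Review bot: the new NOTES section in doc/man3/OSSL_PARAM_BLD.pod says the two functions "return an error on negative" input but does not say which error. The code change raises ERR_R_UNSUPPORTED with its own message and returns 0, so the note should state both, letting callers tell this case apart from the other failure paths. The word "currently" suggests the restriction may be lifted later; if that is the intent, say what a caller holding a signed value should do until then.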