Avoid negative zero.

Whenever setting negative to one (or when it could potentially be one),
always use BN_set_negative() since it checks for a zero valued bignum and
will not permit negative to be set in this case. Since BN_is_zero()
currently relies on top == 0, call BN_set_negative() after top has been
set (or bn_correct_top() has been called).

This fixes a long standing issue where -0 and +0 have been permitted,
however multiple code paths (such as BN_cmp()) fail to treat these as
equivalent.

Prompted by Guido Vranken who is adding negative zero fuzzing to oss-fuzz.

ok tb@

1 files changed, 4 insertions, 5 deletions

diff --git a/src/lib/libcrypto/bn/bn_word.c b/src/lib/libcrypto/bn/bn_word.c
index 7077d3ad7a..a44221c35f 100644
--- a/src/lib/libcrypto/bn/bn_word.c
+++ b/src/lib/libcrypto/bn/bn_word.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_word.c,v 1.17 2023/01/28 16:33:34 jsing Exp $ */
+/* $OpenBSD: bn_word.c,v 1.18 2023/02/13 04:25:37 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -152,8 +152,7 @@ BN_add_word(BIGNUM *a, BN_ULONG w)
         if (a->neg) {
                 a->neg = 0;
                 i = BN_sub_word(a, w);
-                if (!BN_is_zero(a))
-                        a->neg=!(a->neg);
+                BN_set_negative(a, 1);
                 return (i);
         }
         for (i = 0; w != 0 && i < a->top; i++) {
@@ -190,13 +189,13 @@ BN_sub_word(BIGNUM *a, BN_ULONG w)
         if (a->neg) {
                 a->neg = 0;
                 i = BN_add_word(a, w);
-                a->neg = 1;
+                BN_set_negative(a, 1);
                 return (i);
         }
 
         if ((a->top == 1) && (a->d[0] < w)) {
                 a->d[0] = w - a->d[0];
-                a->neg = 1;
+                BN_set_negative(a, 1);
                 return (1);
         }
         i = 0;