Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/libcrypto/bn/bn_exp.c32
1 files changed, 22 insertions, 10 deletions
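diff --git a/src/lib/libcrypto/bn/bn_exp.c b/src/lib/libcrypto/bn/bn_exp.c
index a50fa5953c..cb95d711fe 100644
--- a/src/lib/libcrypto/bn/bn_exp.c
+++ b/src/lib/libcrypto/bn/bn_exp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_exp.c,v 1.47 2023/07/08 12:21:58 beck Exp $ */
+/* $OpenBSD: bn_exp.c,v 1.48 2023/10/19 10:17:52 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -180,11 +180,12 @@ int
 BN_mod_exp_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
  BN_CTX *ctx)
 {
- int i, j, bits, ret = 0, wstart, wend, window, wvalue;
+ int i, j, bits, wstart, wend, window, wvalue;
  int start = 1;
- BIGNUM *d;
+ BIGNUM *d, *q;
  /* Table of variables obtained from 'ctx' */
  BIGNUM *val[TABLE_SIZE];
+ int ret = 0;
 
  if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0) {
  /* BN_FLG_CONSTTIME only supported by BN_mod_exp_mont() */
@@ -192,6 +193,11 @@ BN_mod_exp_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
  return -1;
  }
 
+ if (r == m) {
+ BNerror(BN_R_INVALID_ARGUMENT);
+ return 0;
+ }
+
  bits = BN_num_bits(p);
  if (bits == 0) {
  /* x**0 mod 1 is still zero. */
@@ -206,16 +212,19 @@ BN_mod_exp_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
  BN_CTX_start(ctx);
  if ((d = BN_CTX_get(ctx)) == NULL)
  goto err;
+ if ((q = BN_CTX_get(ctx)) == NULL)
+ goto err;
  if ((val[0] = BN_CTX_get(ctx)) == NULL)
  goto err;
 
- if (!BN_nnmod(val[0],a,m,ctx))
+ if (!BN_nnmod(val[0], a, m, ctx))
  goto err; /* 1 */
  if (BN_is_zero(val[0])) {
  BN_zero(r);
- ret = 1;
- goto err;
+ goto done;
  }
+ if (!bn_copy(q, p))
+ goto err;
 
  window = BN_window_bits_for_exponent_size(bits);
  if (window > 1) {
@@ -240,7 +249,7 @@ BN_mod_exp_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
  goto err;
 
  for (;;) {
- if (BN_is_bit_set(p, wstart) == 0) {
+ if (BN_is_bit_set(q, wstart) == 0) {
  if (!start)
  if (!BN_mod_mul(r, r, r, m, ctx))
  goto err;
@@ -259,7 +268,7 @@ BN_mod_exp_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
  for (i = 1; i < window; i++) {
  if (wstart - i < 0)
  break;
- if (BN_is_bit_set(p, wstart - i)) {
+ if (BN_is_bit_set(q, wstart - i)) {
  wvalue <<= (i - wend);
  wvalue |= 1;
  wend = i;
@@ -286,11 +295,14 @@ BN_mod_exp_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
  if (wstart < 0)
  break;
  }
+
+ done:
  ret = 1;
 
-err:
+ err:
  BN_CTX_end(ctx);
- return (ret);
+
+ return ret;
 }
 LCRYPTO_ALIAS(BN_mod_exp_simple);
 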
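Review bot: Nothing in the new code says why the exponent is copied into `q` or why `r == m` is rejected, so the aliasing guard is easy to undo in a later cleanup. The window loop writes `r` (`BN_mod_mul(r, r, r, m, ctx)`) while it is still testing exponent bits, so reading `p` directly would go wrong whenever a caller passes the same BIGNUM as `r` and `p`. A comment above `bn_copy(q, p)` such as `/* r may alias p: read the exponent bits from a private copy */` would record that. Likewise, `/* m is still needed for every reduction after r has been written */` above the `r == m` check. The copy is made unconditionally; it could presumably be limited to the `r == p` case, though the unconditional form is simpler to audit. Only parts of BN_mod_exp_simple are visible in these hunks.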