From 53d43909d135b928ff58dfdf0554e5e6b2eef4ab Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Sun, 25 May 2025 04:16:36 +0000
Subject: Fix handling of different length inputs in bn_sub(). In the diff_len < 0 case, it incorrectly uses 0 - b[0], which mishandles the borrow - fix this by using bn_subw_subw(). Do the same in the diff_len > 0 case for consistency. Note that this is never currently reached since BN_usub() requires a >= b. ok beck@ tb@
---
 src/lib/libcrypto/bn/bn_add.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'src')
diff --git a/src/lib/libcrypto/bn/bn_add.c b/src/lib/libcrypto/bn/bn_add.c
index 79fc1db41e..db1767ea55 100644
--- a/src/lib/libcrypto/bn/bn_add.c
+++ b/src/lib/libcrypto/bn/bn_add.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_add.c,v 1.27 2025/05/10 05:54:38 tb Exp $ */
+/* $OpenBSD: bn_add.c,v 1.28 2025/05/25 04:16:36 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -207,7 +207,7 @@ bn_sub(BN_ULONG *r, int r_len, const BN_ULONG *a, int a_len, const BN_ULONG *b,
 /* XXX - consider doing four at a time to match bn_sub_words. */
 while (diff_len < 0) {
 /* Compute r[0] = 0 - b[0] - borrow. */
- bn_subw(0 - b[0], borrow, &borrow, &r[0]);
+ bn_subw_subw(0, b[0], borrow, &borrow, &r[0]);
 diff_len++;
 b++;
 r++;
@@ -216,7 +216,7 @@ bn_sub(BN_ULONG *r, int r_len, const BN_ULONG *a, int a_len, const BN_ULONG *b,
 /* XXX - consider doing four at a time to match bn_sub_words. */
 while (diff_len > 0) {
 /* Compute r[0] = a[0] - 0 - borrow. */
- bn_subw(a[0], borrow, &borrow, &r[0]);
+ bn_subw_subw(a[0], 0, borrow, &borrow, &r[0]);
 diff_len--;
 a++;
 r++;
-- cgit v1.2.3-55-g6feb
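Review bot: The corrected `while (diff_len < 0)` loop in the second hunk has no caller that exercises it. The commit message itself says the path is never reached because BN_usub() requires a >= b, so the borrow fix lands without test coverage. A regress case that calls bn_sub() with b_len > a_len would pin it, and a mixed-length case in the other direction would also cover the `diff_len > 0` loop changed in the third hunk. For the constructed input a = {0}, b = {0, 1}, the top word should come out as all-ones with a final borrow of 1, where the old `0 - b[0]` form left the borrow at 0. Until such a test exists, I would record the status next to the code, e.g. `/* Not reached via BN_usub(), which requires a >= b. */` above `while (diff_len < 0) {`. The body of bn_sub() starts and ends outside both hunks.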