From e5cd7ad2410b187a41e6ac216c000a85d90f9dcd Mon Sep 17 00:00:00 2001
From: bcook <>
Date: Sat, 3 Sep 2016 14:37:52 +0000
Subject: BN_mod_exp_mont_consttime: check for zero modulus.

Don't dereference |d| when |top| is zero. Also test that various BIGNUM methods behave correctly on zero/even inputs.

Original patch from OpenSSL commit d46e946d2603c64df6e1e4f9db0c70baaf1c4c03
---
 src/lib/libcrypto/bn/bn_exp.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

(limited to 'src')

diff --git a/src/lib/libcrypto/bn/bn_exp.c b/src/lib/libcrypto/bn/bn_exp.c
index c4ca36d136..9dcbf007f7 100644
--- a/src/lib/libcrypto/bn/bn_exp.c
+++ b/src/lib/libcrypto/bn/bn_exp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_exp.c,v 1.23 2015/09/10 15:56:25 jsing Exp $ */
+/* $OpenBSD: bn_exp.c,v 1.24 2016/09/03 14:37:52 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -589,13 +589,14 @@ BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
  bn_check_top(p);
  bn_check_top(m);
 
- top = m->top;
-
- if (!(m->d[0] & 1)) {
+ if (!BN_is_odd(m)) {
  BNerr(BN_F_BN_MOD_EXP_MONT_CONSTTIME,
  BN_R_CALLED_WITH_EVEN_MODULUS);
  return (0);
  }
+
+ top = m->top;
+
  bits = BN_num_bits(p);
  if (bits == 0) {
  ret = BN_one(rr);
-- 
cgit v1.2.3-55-g6feb
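Review bot: The new `if (!BN_is_odd(m))` guard in the second hunk lands without a regression test: the description mentions testing zero/even inputs, but the diffstat lists only bn_exp.c. A case that calls BN_mod_exp_mont_consttime with a zero modulus and expects a 0 return with BN_R_CALLED_WITH_EVEN_MODULUS queued would pin the fix. A short comment above the check would also stop the direct `m->d[0] & 1` test from being reintroduced later, for example `/* BN_is_odd() checks top before reading d[0]; a zero modulus has top == 0 */`. The function starts and ends outside the hunk, so whether later code depends on `top` being non-zero cannot be confirmed from here.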