| From: "Dr. Stephen Henson" <steve@openssl.org> |
| Date: Thu, 16 Apr 2015 16:43:09 +0100 |
| Subject: [PATCH] Fix encoding bug in i2c_ASN1_INTEGER |
| |
| Fix bug where i2c_ASN1_INTEGER mishandles zero if it is marked as |
| negative. |
| |
| Thanks to Huzaifa Sidhpurwala <huzaifas@redhat.com> and |
| Hanno Bรถck <hanno@hboeck.de> for reporting this issue. |
| |
| Reviewed-by: Rich Salz <rsalz@openssl.org> |
| |
| --- |
| crypto/asn1/a_int.c | 6 ++++-- |
| 1 file changed, 4 insertions(+), 2 deletions(-) |
| |
| diff --git a/crypto/asn1/a_int.c b/crypto/asn1/a_int.c |
| index ad0d250..6574260 100644 |
| --- a/crypto/asn1/a_int.c |
| +++ b/crypto/asn1/a_int.c |
| @@ -124,6 +124,8 @@ int i2c_ASN1_INTEGER(ASN1_INTEGER *a, unsigned char **pp) |
| { |
| ret=a->length; |
| i=a->data[0]; |
| + if (ret == 1 && i == 0) |
| + neg = 0; |
| if (!neg && (i > 127)) { |
| pad=1; |
| pb=0; |
| @@ -157,7 +159,7 @@ int i2c_ASN1_INTEGER(ASN1_INTEGER *a, unsigned char **pp) |
| p += a->length - 1; |
| i = a->length; |
| /* Copy zeros to destination as long as source is zero */ |
| - while(!*n) { |
| + while(!*n && i > 1) { |
| *(p--) = 0; |
| n--; |
| i--; |
| @@ -415,7 +417,7 @@ ASN1_INTEGER *BN_to_ASN1_INTEGER(const BIGNUM *bn, ASN1_INTEGER *ai) |
| ASN1err(ASN1_F_BN_TO_ASN1_INTEGER,ERR_R_NESTED_ASN1_ERROR); |
| goto err; |
| } |
| - if (BN_is_negative(bn)) |
| + if (BN_is_negative(bn) && !BN_is_zero(bn)) |
| ret->type = V_ASN1_NEG_INTEGER; |
| else ret->type=V_ASN1_INTEGER; |
| j=BN_num_bits(bn); |
| -- |
| 2.8.0.rc3.226.g39d4020 |
| |