Return an error from BN_mod_inverse if n is 1 (or -1)

Calculating BN_mod_inverse where n is 1 (or -1) doesn't make sense. We should return an error in that case. Instead we were returning a valid result with value 0. Fixes #6004 Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6119)
author: Matt Caswell <matt@openssl.org> 2018-04-27 17:36:11 +0100
committer: Matt Caswell <matt@openssl.org> 2018-05-03 10:14:12 +0100
commit: b1860d6c71733314417d053a72af66ae72e8268e (patch)
tree: 0dd7cac671060990c58addb98f72c29b87c7dc4c /crypto/bn/bn_gcd.c
parent: 4db296d9f0cf2855b358883a55b77a6b6f6848ba (diff)
1 files changed, 8 insertions, 1 deletions
diff --git a/crypto/bn/bn_gcd.c b/crypto/bn/bn_gcd.c
index 22f80939d6..6d8c565575 100644
--- a/crypto/bn/bn_gcd.c
+++ b/crypto/bn/bn_gcd.c
@@ -140,7 +140,14 @@ BIGNUM *int_bn_mod_inverse(BIGNUM *in,
     BIGNUM *ret = NULL;
     int sign;
 
-    if (pnoinv)
+    /* This is invalid input so we don't worry about constant time here */
+    if (BN_abs_is_word(n, 1) || BN_is_zero(n)) {
+        if (pnoinv != NULL)
+            *pnoinv = 1;
+        return NULL;
+    }
+
+    if (pnoinv != NULL)
         *pnoinv = 0;
 
     if ((BN_get_flags(a, BN_FLG_CONSTTIME) != 0)
author	Matt Caswell <matt@openssl.org>	2018-04-27 17:36:11 +0100
committer	Matt Caswell <matt@openssl.org>	2018-05-03 10:14:12 +0100
commit	b1860d6c71733314417d053a72af66ae72e8268e (patch)
tree	0dd7cac671060990c58addb98f72c29b87c7dc4c /crypto/bn/bn_gcd.c
parent	4db296d9f0cf2855b358883a55b77a6b6f6848ba (diff)