Correct top for EC/DSA nonces if BN_DEBUG is on
authorTomas Mraz <tomas@openssl.org>
Tue, 30 Apr 2024 09:46:26 +0000 (11:46 +0200)
committerTomas Mraz <tomas@openssl.org>
Thu, 2 May 2024 07:21:30 +0000 (09:21 +0200)
Otherwise following operations would bail out in bn_check_top().

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24265)

crypto/bn/bn_rand.c
crypto/deterministic_nonce.c

index a93bd68c736b252d09f4e63e9a08862bcc3e223a..650d05747040ab7456b3998d52f39854eaa590c9 100644 (file)
@@ -274,6 +274,10 @@ int ossl_bn_priv_rand_range_fixed_top(BIGNUM *r, const BIGNUM *range,
             ossl_bn_mask_bits_fixed_top(r, n);
         }
         while (BN_ucmp(r, range) >= 0);
+#ifdef BN_DEBUG
+        /* With BN_DEBUG on a fixed top number cannot be returned */
+        bn_correct_top(r);
+#endif
     }
 
     return 1;
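Review bot: The comment added above `bn_correct_top(r)` (and repeated verbatim in the `ossl_bn_gen_dsa_nonce_fixed_top` and `ossl_gen_deterministic_nonce_rfc6979` hunks) does not say why the call must stay behind `BN_DEBUG`, which is the security-relevant part. These are the `_fixed_top` variants, presumably so the stored word count of the nonce does not depend on its value; normalising the top makes that length, and likely the work done by the call, depend on the secret nonce, so a later cleanup that drops the `#ifdef` would reintroduce a length leak. I would word it as `/* BN_DEBUG only: later bn_check_top() calls fail on a fixed-top value; normalising exposes the nonce length, so never do this in regular builds */`. It follows that BN_DEBUG builds should not be shipped or used as the baseline for constant-time testing of ECDSA/DSA signing, which would be worth a line in the BN_DEBUG documentation. The enclosing function begins outside this hunk, so the branch that does not reach this block is not visible here.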
@@ -370,6 +374,10 @@ int ossl_bn_gen_dsa_nonce_fixed_top(BIGNUM *out, const BIGNUM *range,
 
         if (BN_ucmp(out, range) < 0) {
             ret = 1;
+#ifdef BN_DEBUG
+            /* With BN_DEBUG on a fixed top number cannot be returned */
+            bn_correct_top(out);
+#endif
             goto end;
         }
     }
index a37edea2a1ae6066919f2ca13414935ad815d69c..67a5b98d2b2385f3edd593b7848fffbed54069ff 100644 (file)
@@ -227,6 +227,10 @@ int ossl_gen_deterministic_nonce_rfc6979(BIGNUM *out, const BIGNUM *q,
     } while (ossl_bn_is_word_fixed_top(out, 0)
             || ossl_bn_is_word_fixed_top(out, 1)
             || BN_ucmp(out, q) >= 0);
+#ifdef BN_DEBUG
+    /* With BN_DEBUG on a fixed top number cannot be returned */
+    bn_correct_top(out);
+#endif
     ret = 1;
 
 end: