From 7c058c6a061daa2a82ab01b18d467f0b177acd49 Mon Sep 17 00:00:00 2001
From: jsing <jsing@openbsd.org>
Date: Mon, 15 Apr 2024 14:35:25 +0000
Subject: [PATCH] Prevent negative zero from being created via BN bit
 functions.

Both BN_clear_bit() and BN_mask_bits() can create zero values - in both
cases ensure that the negative sign is correctly handled if the value
becomes zero.

Thanks to Guido Vranken for providing a reproducer.

Fixes oss-fuzz #67901

ok tb@
---
 lib/libcrypto/bn/bn_lib.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/lib/libcrypto/bn/bn_lib.c b/lib/libcrypto/bn/bn_lib.c
index c0c0ac876f4..b59e65a1e15 100644
--- a/lib/libcrypto/bn/bn_lib.c
+++ b/lib/libcrypto/bn/bn_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_lib.c,v 1.90 2023/07/28 10:35:14 tb Exp $ */
+/* $OpenBSD: bn_lib.c,v 1.91 2024/04/15 14:35:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -438,6 +438,9 @@ BN_clear_bit(BIGNUM *a, int n)
 
 	a->d[i] &= (~(((BN_ULONG)1) << j));
 	bn_correct_top(a);
+
+	BN_set_negative(a, a->neg);
+
 	return (1);
 }
 LCRYPTO_ALIAS(BN_clear_bit);
@@ -476,6 +479,9 @@ BN_mask_bits(BIGNUM *a, int n)
 		a->d[w] &= ~(BN_MASK2 << b);
 	}
 	bn_correct_top(a);
+
+	BN_set_negative(a, a->neg);
+
 	return (1);
 }
 LCRYPTO_ALIAS(BN_mask_bits);
-- 
2.20.1