From e5c77ffe1bd6d145964f911a678833c4b194d940 Mon Sep 17 00:00:00 2001
From: tb <tb@openbsd.org>
Date: Thu, 10 Mar 2022 04:39:49 +0000
Subject: [PATCH] Simple regress for NULL deref reported by Guido Vranken and
 fixed in bn_exp2.c r1.13.

---
 regress/lib/libcrypto/bn/general/Makefile     |  7 ++-
 .../libcrypto/bn/general/bn_mod_exp2_mont.c   | 45 +++++++++++++++++++
 2 files changed, 51 insertions(+), 1 deletion(-)
 create mode 100644 regress/lib/libcrypto/bn/general/bn_mod_exp2_mont.c

diff --git a/regress/lib/libcrypto/bn/general/Makefile b/regress/lib/libcrypto/bn/general/Makefile
index 6b7919eb532..fec9575d0ee 100644
--- a/regress/lib/libcrypto/bn/general/Makefile
+++ b/regress/lib/libcrypto/bn/general/Makefile
@@ -1,8 +1,9 @@
-#	$OpenBSD: Makefile,v 1.7 2020/12/17 00:51:11 bluhm Exp $
+#	$OpenBSD: Makefile,v 1.8 2022/03/10 04:39:49 tb Exp $
 
 .include "../../Makefile.inc"
 
 PROGS +=	bntest
+PROGS +=	bn_mod_exp2_mont
 PROGS +=	bn_to_string
 
 LDADD =		${CRYPTO_INT}
@@ -20,6 +21,10 @@ run-bc: bntest.out
 	bc < bntest.out | tee bc.out | grep -v '^0$$'
 	! grep -v '^test ' <bc.out | grep -v '^0$$'
 
+REGRESS_TARGETS += run-bn_mod_exp2_mont
+run-bn_mod_exp2_mont: bn_mod_exp2_mont
+	./bn_mod_exp2_mont
+
 REGRESS_TARGETS += run-bn_to_string
 run-bn_to_string: bn_to_string
 	./bn_to_string
diff --git a/regress/lib/libcrypto/bn/general/bn_mod_exp2_mont.c b/regress/lib/libcrypto/bn/general/bn_mod_exp2_mont.c
new file mode 100644
index 00000000000..60bb010b629
--- /dev/null
+++ b/regress/lib/libcrypto/bn/general/bn_mod_exp2_mont.c
@@ -0,0 +1,45 @@
+/*	$OpenBSD: bn_mod_exp2_mont.c,v 1.1 2022/03/10 04:39:49 tb Exp $ */
+/*
+ * Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <err.h>
+
+#include <openssl/bn.h>
+
+/*
+ * Small test for a crash reported by Guido Vranken, fixed in bn_exp2.c r1.13.
+ * https://github.com/openssl/openssl/issues/17648
+ */
+
+int
+main(void)
+{
+	BIGNUM *m;
+
+	if ((m = BN_new()) == NULL)
+		errx(1, "BN_new");
+
+	BN_zero_ex(m);
+
+	if (BN_mod_exp2_mont(NULL, NULL, NULL, NULL, NULL, m, NULL, NULL))
+		errx(1, "BN_mod_exp2_mont succeeded");
+
+	BN_free(m);
+
+	printf("SUCCESS\n");
+
+	return 0;
+}
-- 
2.20.1