Fix EC_POINT_bn2point() for BN_zero()

EC_POINT_bn2point() rejected BIGNUMs with a zero value.

This behavior indirectly caused failures when converting a point
at infinity through EC_POINT_point2hex() and then back to a point with
EC_POINT_hex2point().

With this change such BIGNUMs are treated like any other and exported to
an octet buffer filled with zero.
It is then EC_POINT_oct2point() (either the default implementation or
the custom one in group->meth->oct2point) to determine if such encoding
maps to a valid point (generally the point at infinity is encoded as
0x00).

Fixes #10258

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10329)

(cherry picked from commit d47c10875656790d146f62ac3c437db54c58dbf7)

diff --git a/crypto/ec/ec_print.c b/crypto/ec/ec_print.c
index f2525cbaa63d7e4508302a02586904257c4d78ef..660fc400fb75808105f04e0bb865b2af39dcb97a 100644 (file)
--- a/crypto/ec/ec_print.c
+++ b/crypto/ec/ec_print.c
@@ -39,13 +39,13 @@ EC_POINT *EC_POINT_bn2point(const EC_GROUP *group,
     EC_POINT *ret;
 
     if ((buf_len = BN_num_bytes(bn)) == 0)
-        return NULL;
+        buf_len = 1;
     if ((buf = OPENSSL_malloc(buf_len)) == NULL) {
         ECerr(EC_F_EC_POINT_BN2POINT, ERR_R_MALLOC_FAILURE);
         return NULL;
     }
 
-    if (!BN_bn2bin(bn, buf)) {
+    if (!BN_bn2binpad(bn, buf, buf_len)) {
         OPENSSL_free(buf);
         return NULL;
     }