Dear all,
there's two small issues in RSA_X931_derive_ex(), both fips and non-fips
version.
ctx = BN_CTX_new();
BN_CTX_start(ctx);
The result of BN_CTX_new() is passed on to BN_CTX_start(), which
dereferences it without any further checks. This fails for ctx == NULL.
So does the following code for rsa == NULL.
if (!rsa)
goto err;
...
err:
...
if (rsa->iqmp != NULL)
...
The attached patch against today's snapshot fixes this.
Best regards,
Martin
diff -ru openssl-0.9.8-stable-SNAP-20090209.ORIG/crypto/rsa/rsa_x931g.c
openssl-0.9.8-stable-SNAP-20090209/crypto/rsa/rsa_x931g.c
--- openssl-0.9.8-stable-SNAP-20090209.ORIG/crypto/rsa/rsa_x931g.c
2009-02-09 22:17:21.000000000 +0100
+++ openssl-0.9.8-stable-SNAP-20090209/crypto/rsa/rsa_x931g.c
2009-02-09 22:20:46.000000000 +0100
@@ -79,6 +79,8 @@
goto err;
ctx = BN_CTX_new();
+ if (!ctx)
+ goto err;
BN_CTX_start(ctx);
if (!ctx)
goto err;
@@ -190,7 +192,7 @@
if (ctx2)
BN_CTX_free(ctx2);
/* If this is set all calls successful */
- if (rsa->iqmp != NULL)
+ if ((rsa) && (rsa->iqmp != NULL))
return 1;
return 0;
diff -ru
openssl-0.9.8-stable-SNAP-20090209.ORIG/fips/rsa/fips_rsa_x931g.c
openssl-0.9.8-stable-SNAP-20090209/fips/rsa/fips_rsa_x931g.c
--- openssl-0.9.8-stable-SNAP-20090209.ORIG/fips/rsa/fips_rsa_x931g.c
2009-02-09 22:17:21.000000000 +0100
+++ openssl-0.9.8-stable-SNAP-20090209/fips/rsa/fips_rsa_x931g.c
2009-02-09 22:23:05.000000000 +0100
@@ -83,6 +83,8 @@
goto err;
ctx = BN_CTX_new();
+ if (!ctx)
+ goto err;
BN_CTX_start(ctx);
if (!ctx)
goto err;
@@ -194,7 +196,7 @@
if (ctx2)
BN_CTX_free(ctx2);
/* If this is set all calls successful */
- if (rsa->iqmp != NULL)
+ if ((rsa) && (rsa->iqmp != NULL))
return 1;
return 0;
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
