Dear all, there's two small issues in RSA_X931_derive_ex(), both fips and non-fips version.
ctx = BN_CTX_new(); BN_CTX_start(ctx); The result of BN_CTX_new() is passed on to BN_CTX_start(), which dereferences it without any further checks. This fails for ctx == NULL. So does the following code for rsa == NULL. if (!rsa) goto err; ... err: ... if (rsa->iqmp != NULL) ... The attached patch against today's snapshot fixes this. Best regards, Martin diff -ru openssl-0.9.8-stable-SNAP-20090209.ORIG/crypto/rsa/rsa_x931g.c openssl-0.9.8-stable-SNAP-20090209/crypto/rsa/rsa_x931g.c --- openssl-0.9.8-stable-SNAP-20090209.ORIG/crypto/rsa/rsa_x931g.c 2009-02-09 22:17:21.000000000 +0100 +++ openssl-0.9.8-stable-SNAP-20090209/crypto/rsa/rsa_x931g.c 2009-02-09 22:20:46.000000000 +0100 @@ -79,6 +79,8 @@ goto err; ctx = BN_CTX_new(); + if (!ctx) + goto err; BN_CTX_start(ctx); if (!ctx) goto err; @@ -190,7 +192,7 @@ if (ctx2) BN_CTX_free(ctx2); /* If this is set all calls successful */ - if (rsa->iqmp != NULL) + if ((rsa) && (rsa->iqmp != NULL)) return 1; return 0; diff -ru openssl-0.9.8-stable-SNAP-20090209.ORIG/fips/rsa/fips_rsa_x931g.c openssl-0.9.8-stable-SNAP-20090209/fips/rsa/fips_rsa_x931g.c --- openssl-0.9.8-stable-SNAP-20090209.ORIG/fips/rsa/fips_rsa_x931g.c 2009-02-09 22:17:21.000000000 +0100 +++ openssl-0.9.8-stable-SNAP-20090209/fips/rsa/fips_rsa_x931g.c 2009-02-09 22:23:05.000000000 +0100 @@ -83,6 +83,8 @@ goto err; ctx = BN_CTX_new(); + if (!ctx) + goto err; BN_CTX_start(ctx); if (!ctx) goto err; @@ -194,7 +196,7 @@ if (ctx2) BN_CTX_free(ctx2); /* If this is set all calls successful */ - if (rsa->iqmp != NULL) + if ((rsa) && (rsa->iqmp != NULL)) return 1; return 0; ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org