The Blue Coat Systems cryptography team is reviewing our usage of OpenSSL and
has discovered the following minor bug. We do not believe that this bug is
exploitable.
In branch master, file evp_pbe.c, observe the function EVP_Cipher_init. At line
175, we see the following:
if (cipher_nid == -1)
cipher = NULL;
At line 195, we see this:
if (!keygen(ctx, pass, passlen, param, cipher, md, en_de)) {
EVPerr(EVP_F_EVP_PBE_CIPHERINIT, EVP_R_KEYGEN_FAILURE);
return 0;
}
Note that cipher is passed to the keygen function. One of the possible
functions for keygen is PKCS12_PBE_keyivgen (file p12_crpt.c), where we see
this at line 94:
if (!PKCS12_key_gen(pass, passlen, salt, saltlen, PKCS12_IV_ID,
iter, EVP_CIPHER_iv_length(cipher), iv, md)) {
PKCS12err(PKCS12_F_PKCS12_PBE_KEYIVGEN, PKCS12_R_IV_GEN_ERROR);
PBEPARAM_free(pbe);
return 0;
}
Note that cipher is being dereferenced, even though it can be NULL.
___
openssl-bugs-mod mailing list
openssl-bugs-...@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-bugs-mod___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev