generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Fix RSA_X931_derive_ex

Browse Source 
In the RSA_X931_derive_ex a call to BN_CTX_new is made. This can return
NULL on error. However the return value is not tested until *after* it is
derefed! Also at the top of the function a test is made to ensure that
|rsa| is not NULL. If it is we go to the "err" label. Unfortunately the
error handling code deref's rsa.

Reviewed-by: Rich Salz <rsalz@openssl.org>
This commit is contained in:
Matt Caswell 2015-03-11 17:43:38 +00:00
parent d813f9eb38
commit 007fd1404f
1 changed files with 4 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
crypto/rsa/rsa_x931g.c
View File

@ -72,14 +72,15 @@ int RSA_X931_derive_ex(RSA *rsa, BIGNUM *p1, BIGNUM *p2, BIGNUM *q1,
{ {
BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL; BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL;
BN_CTX *ctx = NULL, *ctx2 = NULL; BN_CTX *ctx = NULL, *ctx2 = NULL;
int ret = 0;
if (!rsa) if (!rsa)
goto err; goto err;
ctx = BN_CTX_new(); ctx = BN_CTX_new();
BN_CTX_start(ctx);
if (!ctx) if (!ctx)
goto err; goto err;
BN_CTX_start(ctx);
r0 = BN_CTX_get(ctx); r0 = BN_CTX_get(ctx);
r1 = BN_CTX_get(ctx); r1 = BN_CTX_get(ctx);
@ -176,6 +177,7 @@ int RSA_X931_derive_ex(RSA *rsa, BIGNUM *p1, BIGNUM *p2, BIGNUM *q1,
/* calculate inverse of q mod p */ /* calculate inverse of q mod p */
rsa->iqmp = BN_mod_inverse(NULL, rsa->q, rsa->p, ctx2); rsa->iqmp = BN_mod_inverse(NULL, rsa->q, rsa->p, ctx2);
ret = 1;
err: err:
if (ctx) { if (ctx) {
BN_CTX_end(ctx); BN_CTX_end(ctx);
@ -183,11 +185,8 @@ int RSA_X931_derive_ex(RSA *rsa, BIGNUM *p1, BIGNUM *p2, BIGNUM *q1,
} }
if (ctx2) if (ctx2)
BN_CTX_free(ctx2); BN_CTX_free(ctx2);
/* If this is set all calls successful */
if (rsa->iqmp != NULL)
return 1;
return 0; return ret;
} }