generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Always check bn_wexpend() return values for failure (CVE-2009-3245).

Browse Source 
(The CHANGES entry covers the change from PR #2111 as well, submitted by
Martin Olsson.)

Submitted by: Neel Mehta
This commit is contained in:
Bodo Möller
2010-02-23 10:36:41 +00:00
parent 53b5d04715
commit 3e4da3f7cb
5 changed files with 14 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
CHANGES
View File

@@ -4,6 +4,9 @@
Changes between 0.9.8l and 0.9.8m [xx XXX xxxx]
*) Always check bn_wexpend() return values for failure. (CVE-2009-3245)
[Martin Olsson, Neel Mehta]
*) Fix X509_STORE locking: Every 'objs' access requires a lock (to
accommodate for stack sorting, always a write lock!).
[Bodo Moeller]

2
crypto/bn/bn_div.c
View File

@@ -102,7 +102,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d,
/* The next 2 are needed so we can do a dv->d[0]|=1 later
* since BN_lshift1 will only work once there is a value :-) */
BN_zero(dv);
bn_wexpand(dv,1);
if(bn_wexpand(dv,1) == NULL) goto end;
dv->top=1;
if (!BN_lshift(D,D,nm-nd)) goto end;

3
crypto/bn/bn_gf2m.c
View File

@@ -294,7 +294,8 @@ int BN_GF2m_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
if (a->top < b->top) { at = b; bt = a; }
else { at = a; bt = b; }
bn_wexpand(r, at->top);
if(bn_wexpand(r, at->top) == NULL)
return 0;
for (i = 0; i < bt->top; i++)
{

10
crypto/ec/ec2_smpl.c
View File

@@ -174,8 +174,10 @@ int ec_GF2m_simple_group_copy(EC_GROUP *dest, const EC_GROUP *src)
dest->poly[2] = src->poly[2];
dest->poly[3] = src->poly[3];
dest->poly[4] = src->poly[4];
bn_wexpand(&dest->a, (int)(dest->poly[0] + BN_BITS2 - 1) / BN_BITS2);
bn_wexpand(&dest->b, (int)(dest->poly[0] + BN_BITS2 - 1) / BN_BITS2);
if(bn_wexpand(&dest->a, (int)(dest->poly[0] + BN_BITS2 - 1) / BN_BITS2) == NULL)
return 0;
if(bn_wexpand(&dest->b, (int)(dest->poly[0] + BN_BITS2 - 1) / BN_BITS2) == NULL)
return 0;
for (i = dest->a.top; i < dest->a.dmax; i++) dest->a.d[i] = 0;
for (i = dest->b.top; i < dest->b.dmax; i++) dest->b.d[i] = 0;
return 1;
@@ -199,12 +201,12 @@ int ec_GF2m_simple_group_set_curve(EC_GROUP *group,
/* group->a */
if (!BN_GF2m_mod_arr(&group->a, a, group->poly)) goto err;
bn_wexpand(&group->a, (int)(group->poly[0] + BN_BITS2 - 1) / BN_BITS2);
if(bn_wexpand(&group->a, (int)(group->poly[0] + BN_BITS2 - 1) / BN_BITS2) == NULL) goto err;
for (i = group->a.top; i < group->a.dmax; i++) group->a.d[i] = 0;
/* group->b */
if (!BN_GF2m_mod_arr(&group->b, b, group->poly)) goto err;
bn_wexpand(&group->b, (int)(group->poly[0] + BN_BITS2 - 1) / BN_BITS2);
if(bn_wexpand(&group->b, (int)(group->poly[0] + BN_BITS2 - 1) / BN_BITS2) == NULL) goto err;
for (i = group->b.top; i < group->b.dmax; i++) group->b.d[i] = 0;
ret = 1;

4
engines/e_ubsec.c
View File

@@ -934,7 +934,7 @@ static int ubsec_dh_generate_key(DH *dh)
priv_key = BN_new();
if (priv_key == NULL) goto err;
priv_key_len = BN_num_bits(dh->p);
bn_wexpand(priv_key, dh->p->top);
if(bn_wexpand(priv_key, dh->p->top) == NULL) goto err;
do
if (!BN_rand_range(priv_key, dh->p)) goto err;
while (BN_is_zero(priv_key));
@@ -949,7 +949,7 @@ static int ubsec_dh_generate_key(DH *dh)
{
pub_key = BN_new();
pub_key_len = BN_num_bits(dh->p);
bn_wexpand(pub_key, dh->p->top);
if(bn_wexpand(pub_key, dh->p->top) == NULL) goto err;
if(pub_key == NULL) goto err;
}
else