[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

Mon May 23 23:09:04 UTC 2016

The branch OpenSSL_1_0_1-stable has been updated
       via  051b9604f1421fe54d10185bc5c348bd343388da (commit)
      from  eea595ff6b554b3876bab51b2560df5fb0006696 (commit)


- Log -----------------------------------------------------------------
commit 051b9604f1421fe54d10185bc5c348bd343388da
Author: Matt Caswell <matt at openssl.org>
Date:   Mon Apr 25 16:22:31 2016 +0100

    Fix error return value in SRP functions
    
    The functions SRP_Calc_client_key() and SRP_Calc_server_key() were
    incorrectly returning a valid pointer in the event of error.
    
    Issue reported by Yuan Jochen Kang
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (cherry picked from commit 308ff28673ae1a4a1b346761224b4a8851d41f58)

-----------------------------------------------------------------------

Summary of changes:
 crypto/srp/srp_lib.c | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/crypto/srp/srp_lib.c b/crypto/srp/srp_lib.c
index e9a2e05..e310946 100644
--- a/crypto/srp/srp_lib.c
+++ b/crypto/srp/srp_lib.c
@@ -159,8 +159,7 @@ BIGNUM *SRP_Calc_server_key(BIGNUM *A, BIGNUM *v, BIGNUM *u, BIGNUM *b,
     if (u == NULL || A == NULL || v == NULL || b == NULL || N == NULL)
         return NULL;
 
-    if ((bn_ctx = BN_CTX_new()) == NULL ||
-        (tmp = BN_new()) == NULL || (S = BN_new()) == NULL)
+    if ((bn_ctx = BN_CTX_new()) == NULL || (tmp = BN_new()) == NULL)
         goto err;
 
     /* S = (A*v**u) ** b */
@@ -169,8 +168,12 @@ BIGNUM *SRP_Calc_server_key(BIGNUM *A, BIGNUM *v, BIGNUM *u, BIGNUM *b,
         goto err;
     if (!BN_mod_mul(tmp, A, tmp, N, bn_ctx))
         goto err;
-    if (!BN_mod_exp(S, tmp, b, N, bn_ctx))
-        goto err;
+
+    S = BN_new();
+    if (S != NULL && !BN_mod_exp(S, tmp, b, N, bn_ctx)) {
+        BN_free(S);
+        S = NULL;
+    }
  err:
     BN_CTX_free(bn_ctx);
     BN_clear_free(tmp);
@@ -267,7 +270,7 @@ BIGNUM *SRP_Calc_client_key(BIGNUM *N, BIGNUM *B, BIGNUM *g, BIGNUM *x,
 
     if ((tmp = BN_new()) == NULL ||
         (tmp2 = BN_new()) == NULL ||
-        (tmp3 = BN_new()) == NULL || (K = BN_new()) == NULL)
+        (tmp3 = BN_new()) == NULL)
         goto err;
 
     if (!BN_mod_exp(tmp, g, x, N, bn_ctx))
@@ -283,8 +286,11 @@ BIGNUM *SRP_Calc_client_key(BIGNUM *N, BIGNUM *B, BIGNUM *g, BIGNUM *x,
         goto err;
     if (!BN_mod_add(tmp2, a, tmp3, N, bn_ctx))
         goto err;
-    if (!BN_mod_exp(K, tmp, tmp2, N, bn_ctx))
-        goto err;
+    K = BN_new();
+    if (K != NULL && !BN_mod_exp(K, tmp, tmp2, N, bn_ctx)) {
+        BN_free(K);
+        K = NULL;
+    }
 
  err:
     BN_CTX_free(bn_ctx);
