I found a crash issue in all versions of openssl-fips-2.0.x in the 
dsa_do_sign() function. It happens when it incorrectly tries to call 
BN_clear_free(&m) without calling BN_init(&m) first, when 
fips_check_dsa_prng() fails. The following are code snippets.

136 static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
137         {
...
139         BIGNUM m;
...
146 #ifdef OPENSSL_FIPS
...
159         if (!fips_check_dsa_prng(dsa, 0, 0))        < if this fails
160                 goto err;
161 #endif
162
163         BN_init(&m);                                < this line is not executed
...
222 err:
...
230         BN_clear_free(&m);                          < then, it crashes when this function is called

The attached patch was generated against openssl-fips-2.0.7.

Thanks,

James Lee
OpenText Connectivity Solutions Group

Attachment: dsa_ossl_crash.patch
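The defect described above is an ordering bug on an error path: the cleanup label frees a stack BIGNUM that the early `goto err` skipped initialising. The following is an added example, not code from the report or from OpenSSL, that reproduces the two safe orderings with a toy stand-in for BIGNUM so it compiles without libcrypto; `TOY_BN`, `toy_bn_*`, `fips_prng_check_stub()` and the two `sign_*` functions are all hypothetical names chosen for the illustration.

```c
/* Added example: models the dsa_do_sign() init/free ordering with a toy
 * BIGNUM.  Nothing here is OpenSSL code; names are illustrative only. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { unsigned int *d; int top; } TOY_BN;   /* stand-in for BIGNUM */

static int g_inits = 0, g_frees = 0;   /* bookkeeping so a test can check balance */

static void toy_bn_init(TOY_BN *a) { memset(a, 0, sizeof(*a)); g_inits++; }

/* Like BN_clear_free() on a stack BIGNUM: wipe the digit array, release it.
 * Calling this on a TOY_BN whose fields were never set reads garbage in a->d. */
static void toy_bn_clear_free(TOY_BN *a) {
    if (a->d) { memset(a->d, 0, (size_t)a->top * sizeof(*a->d)); free(a->d); }
    a->d = NULL; a->top = 0; g_frees++;
}

static int toy_bn_set_word(TOY_BN *a, unsigned int v) {
    a->d = malloc(sizeof(*a->d));
    if (!a->d) return 0;
    a->d[0] = v; a->top = 1;
    return 1;
}

/* Hypothetical stand-in for fips_check_dsa_prng(); the caller picks the outcome. */
static int fips_prng_check_stub(int prng_ok) { return prng_ok; }

/* Fix variant A: initialise every local BIGNUM before the first `goto err`,
 * so the cleanup label may free them unconditionally. Returns 1 on success. */
int sign_init_first(int prng_ok, const unsigned char *dgst, int dlen) {
    TOY_BN m;
    int ret = 0;
    toy_bn_init(&m);                     /* init happens before any early exit */
    if (!fips_prng_check_stub(prng_ok))
        goto err;                        /* safe: m is initialised */
    if (!toy_bn_set_word(&m, dlen > 0 ? dgst[0] : 0u))
        goto err;
    ret = 1;
err:
    toy_bn_clear_free(&m);
    return ret;
}

/* Fix variant B: keep the check where it is, but leave directly instead of
 * jumping to a cleanup label that frees something not yet initialised. */
int sign_return_early(int prng_ok, const unsigned char *dgst, int dlen) {
    TOY_BN m;
    int ret = 0;
    if (!fips_prng_check_stub(prng_ok))
        return 0;                        /* m not initialised yet: do not touch err */
    toy_bn_init(&m);
    if (!toy_bn_set_word(&m, dlen > 0 ? dgst[0] : 0u))
        goto err;
    ret = 1;
err:
    toy_bn_clear_free(&m);
    return ret;
}

/* Every init must be matched by exactly one free on both success and error paths. */
int init_free_balanced(void) { return g_inits == g_frees; }

int main(void) {
    const unsigned char digest[1] = { 0x2a };   /* constructed sample input */
    printf("prng fail, init-first:   ret=%d\n", sign_init_first(0, digest, 1));
    printf("prng ok,   init-first:   ret=%d\n", sign_init_first(1, digest, 1));
    printf("prng fail, return-early: ret=%d\n", sign_return_early(0, digest, 1));
    printf("prng ok,   return-early: ret=%d\n", sign_return_early(1, digest, 1));
    printf("init/free balanced: %s\n", init_free_balanced() ? "yes" : "no");
    return 0;
}
```

Both variants keep the invariant the original code broke: a cleanup label only frees objects that are guaranteed to be initialised on every path that reaches it. Variant A is the smaller change when a function already has a single `err:` label with many locals; variant B is preferable when the failing check is a precondition that should leave the function before any local state exists.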
