I found a crash issue in all versions of openssl-fips-2.0.x in the dsa_do_sign() function. It happens when it incorrectly tries to call BN_clear_free(&m) without calling the BN_init(&m) function first when fips_check_dsa_prng() fails. The following is a code snippet.
    static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
    {
    ...
        BIGNUM m;
    ...
    #ifdef OPENSSL_FIPS
    ...
        if (!fips_check_dsa_prng(dsa, 0, 0))    <-- if this fails
            goto err;
    #endif

        BN_init(&m);                            <-- this line is not executed
    ...
    err:
    ...
        BN_clear_free(&m);                      <-- then it crashes when this function is called
The attached patch was generated against openssl-fips-2.0.7.
Thanks,
James Lee
OpenText Connectivity Solutions Group
Attachment: dsa_ossl_crash.patch (binary data)
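To make the ordering defect concrete, here is an added stand-alone C sketch written for this page (not OpenSSL's code and not the attached patch): bn_t, bn_init, bn_clear_free and fips_check_dsa_prng are constructed, simplified stand-ins for BIGNUM and the OpenSSL functions named above, and the two dsa_do_sign_* variants contrast the reported ordering with the fix of initialising m before any path that can goto err.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed stand-in for OpenSSL's BIGNUM: heap limb array plus bookkeeping. */
typedef struct { unsigned long *d; int top; int dmax; } bn_t;

static int g_limb_frees = 0;   /* counts real limb-array frees, for checking */

/* Stand-in for BN_init(): zero the struct so a later cleanup is safe. */
static void bn_init(bn_t *a) { memset(a, 0, sizeof *a); }

/* Stand-in for BN_clear_free() on a stack BIGNUM: wipe and free the limbs.
 * Correct only if *a was initialised (d == NULL or d from the allocator). */
static void bn_clear_free(bn_t *a) {
    if (a->d != NULL) {
        memset(a->d, 0, (size_t)a->dmax * sizeof *a->d);
        free(a->d); g_limb_frees++;
    }
    memset(a, 0, sizeof *a);
}

static int fips_check_dsa_prng(int prng_ok) { return prng_ok; } /* stub */
/* Original ordering, kept for contrast and never called below: a failed PRNG
 * check skips BN_init(), so err: frees whatever the stack held. The memset
 * emulates that garbage, so prng_ok == 0 would hand 0xA5A5... to free(). */
int dsa_do_sign_original(int prng_ok) {
    bn_t m;
    int ret = 0;
    memset(&m, 0xA5, sizeof m);
    if (!fips_check_dsa_prng(prng_ok))
        goto err;
    bn_init(&m);
    ret = 1;
err:
    bn_clear_free(&m);
    return ret;
}

/* Fixed ordering: initialise m before the first statement that can goto err. */
int dsa_do_sign_fixed(int prng_ok) {
    bn_t m;
    int ret = 0;
    bn_init(&m);                   /* hoisted above the FIPS PRNG check */
    if (!fips_check_dsa_prng(prng_ok))
        goto err;
    m.d = calloc(4, sizeof *m.d);  /* stands in for the signing arithmetic */
    m.dmax = 4; m.top = 1; m.d[0] = 42UL;
    ret = 1;
err:
    bn_clear_free(&m);             /* sees NULL or a real allocation, never garbage */
    return ret;
}
```

The general rule the fix illustrates: in a function that uses a single err: cleanup label, every object that label releases must be initialised before the first statement that can jump to it.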
