diff options
Diffstat (limited to 'crypto/srp/srp_vfy.c')
| -rw-r--r-- | crypto/srp/srp_vfy.c | 45 |
1 files changed, 32 insertions, 13 deletions
diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c index 26ad3e07b4bb3..a8ec52a4dadc2 100644 --- a/crypto/srp/srp_vfy.c +++ b/crypto/srp/srp_vfy.c @@ -80,7 +80,7 @@ static char b64table[] = /* * Convert a base64 string into raw byte array representation. */ -static int t_fromb64(unsigned char *a, const char *src) +static int t_fromb64(unsigned char *a, size_t alen, const char *src) { char *loc; int i, j; @@ -89,6 +89,9 @@ static int t_fromb64(unsigned char *a, const char *src) while (*src && (*src == ' ' || *src == '\t' || *src == '\n')) ++src; size = strlen(src); + if (alen > INT_MAX || size > (int)alen) + return -1; + i = 0; while (i < size) { loc = strchr(b64table, src[i]); @@ -231,13 +234,25 @@ static int SRP_user_pwd_set_sv(SRP_user_pwd *vinfo, const char *s, unsigned char tmp[MAX_LEN]; int len; - if (strlen(s) > MAX_LEN || strlen(v) > MAX_LEN) + vinfo->v = NULL; + vinfo->s = NULL; + + len = t_fromb64(tmp, sizeof(tmp), v); + if (len < 0) return 0; - len = t_fromb64(tmp, v); if (NULL == (vinfo->v = BN_bin2bn(tmp, len, NULL))) return 0; - len = t_fromb64(tmp, s); - return ((vinfo->s = BN_bin2bn(tmp, len, NULL)) != NULL); + len = t_fromb64(tmp, sizeof(tmp), s); + if (len < 0) + goto err; + vinfo->s = BN_bin2bn(tmp, len, NULL); + if (vinfo->s == NULL) + goto err; + return 1; + err: + BN_free(vinfo->v); + vinfo->v = NULL; + return 0; } static int SRP_user_pwd_set_sv_BN(SRP_user_pwd *vinfo, BIGNUM *s, BIGNUM *v) @@ -307,10 +322,13 @@ static SRP_gN_cache *SRP_gN_new_init(const char *ch) if (newgN == NULL) return NULL; + len = t_fromb64(tmp, sizeof(tmp), ch); + if (len < 0) + goto err; + if ((newgN->b64_bn = BUF_strdup(ch)) == NULL) goto err; - len = t_fromb64(tmp, ch); if ((newgN->bn = BN_bin2bn(tmp, len, NULL))) return newgN; @@ -544,7 +562,7 @@ SRP_user_pwd *SRP_VBASE_get1_by_user(SRP_VBASE *vb, char *username) if (!SRP_user_pwd_set_ids(user, username, NULL)) goto err; - if (RAND_pseudo_bytes(digv, SHA_DIGEST_LENGTH) < 0) + if (RAND_bytes(digv, SHA_DIGEST_LENGTH) <= 0) goto err; EVP_MD_CTX_init(&ctxt); EVP_DigestInit_ex(&ctxt, EVP_sha1(), NULL); @@ -580,10 +598,10 @@ char *SRP_create_verifier(const char *user, const char *pass, char **salt, goto err; if (N) { - if (!(len = t_fromb64(tmp, N))) + if (!(len = t_fromb64(tmp, sizeof(tmp), N))) goto err; N_bn = BN_bin2bn(tmp, len, NULL); - if (!(len = t_fromb64(tmp, g))) + if (!(len = t_fromb64(tmp, sizeof(tmp), g))) goto err; g_bn = BN_bin2bn(tmp, len, NULL); defgNid = "*"; @@ -597,12 +615,12 @@ char *SRP_create_verifier(const char *user, const char *pass, char **salt, } if (*salt == NULL) { - if (RAND_pseudo_bytes(tmp2, SRP_RANDOM_SALT_LEN) < 0) + if (RAND_bytes(tmp2, SRP_RANDOM_SALT_LEN) <= 0) goto err; s = BN_bin2bn(tmp2, SRP_RANDOM_SALT_LEN, NULL); } else { - if (!(len = t_fromb64(tmp2, *salt))) + if (!(len = t_fromb64(tmp2, sizeof(tmp2), *salt))) goto err; s = BN_bin2bn(tmp2, len, NULL); } @@ -635,7 +653,8 @@ char *SRP_create_verifier(const char *user, const char *pass, char **salt, BN_free(N_bn); BN_free(g_bn); } - OPENSSL_cleanse(vf, vfsize); + if (vf != NULL) + OPENSSL_cleanse(vf, vfsize); OPENSSL_free(vf); BN_clear_free(s); BN_clear_free(v); @@ -670,7 +689,7 @@ int SRP_create_verifier_BN(const char *user, const char *pass, BIGNUM **salt, srp_bn_print(g); if (*salt == NULL) { - if (RAND_pseudo_bytes(tmp2, SRP_RANDOM_SALT_LEN) < 0) + if (RAND_bytes(tmp2, SRP_RANDOM_SALT_LEN) <= 0) goto err; salttmp = BN_bin2bn(tmp2, SRP_RANDOM_SALT_LEN, NULL); |