Merge branch 'ssl-double-free-v9_11' into 'v9_11'

Fix double free after keygen error in dnssec-keygen Closes #109 See merge request isc-projects/bind9!70
2018-04-06 14:24:36 +10:00
parent 0f67278a7e 9a4414b039
commit 1b4f1c26b2
5 changed files with 20 additions and 9 deletions
--- a/4
+++ b/4
@@ -1,3 +1,7 @@
+4918.	[bug]		Fix double free after keygen error in dnssec-keygen
+			when OpenSSL >= 1.1.0 is used and RSA_generate_key_ex
+			fails. [GL #109]
+
 4915.	[func]		Implement IDNA2008 support in dig by adding support
 			for libidn2.  New dig option +idnin has been added,
 			which allows to process invalid domain names much
--- a/lib/dns/dst_openssl.h
+++ b/lib/dns/dst_openssl.h
@@ -9,8 +9,6 @@
 * information regarding copyright ownership.
 */

-/* $Id: dst_openssl.h,v 1.11 2011/03/12 04:59:48 tbox Exp $ */
-
 #ifndef DST_OPENSSL_H
 #define DST_OPENSSL_H 1

@@ -41,7 +39,7 @@
 *     	 _cb;
 * #endif
 */
-#define BN_GENCB_free(x) (x = NULL);
+#define BN_GENCB_free(x) ((void)0)
 #define BN_GENCB_new() (&_cb)
 #define BN_GENCB_get_arg(x) ((x)->arg)
 #endif
--- a/lib/dns/openssldh_link.c
+++ b/lib/dns/openssldh_link.c
@@ -25,7 +25,6 @@

 /*
 * Principal Author: Brian Wellington
- * $Id: openssldh_link.c,v 1.20 2011/01/11 23:47:13 tbox Exp $
 */

 #ifdef OPENSSL
@@ -308,6 +307,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
 					DST_R_OPENSSLFAILURE));
 		}
 		BN_GENCB_free(cb);
+		cb = NULL;
 #else
 		dh = DH_generate_parameters(key->key_size, generator,
 					    NULL, NULL);
--- a/lib/dns/openssldsa_link.c
+++ b/lib/dns/openssldsa_link.c
@@ -487,6 +487,7 @@ openssldsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
 					       DST_R_OPENSSLFAILURE));
 	}
 	BN_GENCB_free(cb);
+	cb = NULL;
 #else
 	dsa = DSA_generate_parameters(key->key_size, rand_array,
 				      ISC_SHA1_DIGESTLENGTH, NULL, NULL,
--- a/lib/dns/opensslrsa_link.c
+++ b/lib/dns/opensslrsa_link.c
@@ -1043,6 +1043,7 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
 	if (RSA_generate_key_ex(rsa, key->key_size, e, cb)) {
 		BN_free(e);
 		BN_GENCB_free(cb);
+		cb = NULL;
 		SET_FLAGS(rsa);
 #if USE_EVP
 		key->keydata.pkey = pkey;
@@ -1053,21 +1054,28 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
 #endif
 		return (ISC_R_SUCCESS);
 	}
-	BN_GENCB_free(cb);
 	ret = dst__openssl_toresult2("RSA_generate_key_ex",
 				     DST_R_OPENSSLFAILURE);

 err:
 #if USE_EVP
-	if (pkey != NULL)
+	if (pkey != NULL) {
 		EVP_PKEY_free(pkey);
+		pkey = NULL;
+	}
 #endif
-	if (e != NULL)
+	if (e != NULL) {
 		BN_free(e);
-	if (rsa != NULL)
+		e = NULL;
+	}
+	if (rsa != NULL) {
 		RSA_free(rsa);
-	if (cb != NULL)
+		rsa = NULL;
+	}
+	if (cb != NULL) {
 		BN_GENCB_free(cb);
+		cb = NULL;
+	}
 	return (dst__openssl_toresult(ret));
 #else
 	RSA *rsa;