
From 8795d8912c8a83aaf900c0260e252a35f64eb200 Mon Sep 17 00:00:00 2001
From: Norbert Pocs <npocs@redhat.com>
Date: Fri, 18 Nov 2022 17:22:46 +0100
Subject: [PATCH] Fix memory leaks of bignums when openssl >= 3.0
The openssl 3.0 support has introduced some memory leaks at key build as
OSSL_PARAM_BLD_push_BN duplicates the bignum and does not save the pointer
itself.
Signed-off-by: Norbert Pocs <npocs@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
---
 include/libssh/dh.h |   2 +-
 src/dh_crypto.c     |  28 ++---
 src/pki_crypto.c    | 262 ++++++++++++++++++++++++--------------------
 3 files changed, 151 insertions(+), 141 deletions(-)
diff --git a/include/libssh/dh.h b/include/libssh/dh.h
5fd609
index 353dc233..9b9bb472 100644
5fd609
--- a/include/libssh/dh.h
5fd609
+++ b/include/libssh/dh.h
5fd609
@@ -53,7 +53,7 @@ int ssh_dh_keypair_get_keys(struct dh_ctx *ctx, int peer,
5fd609
                             bignum *priv, bignum *pub);
5fd609
 #endif /* OPENSSL_VERSION_NUMBER */
5fd609
 int ssh_dh_keypair_set_keys(struct dh_ctx *ctx, int peer,
5fd609
-                            const bignum priv, const bignum pub);
5fd609
+                            bignum priv, bignum pub);
5fd609
5fd609
 int ssh_dh_compute_shared_secret(struct dh_ctx *ctx, int local, int remote,
5fd609
                                  bignum *dest);
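Review bot: The new prototype should state that `ssh_dh_keypair_set_keys()` now takes ownership of `priv` and `pub`: dropping `const` is the only hint, while the matching dh_crypto.c change frees both bignums on the OpenSSL >= 3.0 path and hands them to `DH_set0_key()` otherwise, so a caller that keeps using or freeing them after the call gets a use-after-free or double free. A short comment above the declaration would settle it, e.g. `/* Takes ownership of priv and pub; the caller must not use or free them afterwards. */`. The surrounding declaration list continues before and after this hunk.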
5fd609
diff --git a/src/dh_crypto.c b/src/dh_crypto.c
5fd609
index a847c6a2..b578ddec 100644
5fd609
--- a/src/dh_crypto.c
5fd609
+++ b/src/dh_crypto.c
5fd609
@@ -154,12 +154,9 @@ int ssh_dh_keypair_get_keys(struct dh_ctx *ctx, int peer,
5fd609
 #endif /* OPENSSL_VERSION_NUMBER */
5fd609
5fd609
 int ssh_dh_keypair_set_keys(struct dh_ctx *ctx, int peer,
5fd609
-                            const bignum priv, const bignum pub)
5fd609
+                            bignum priv, bignum pub)
5fd609
 {
5fd609
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
5fd609
-    bignum priv_key = NULL;
5fd609
-    bignum pub_key = NULL;
5fd609
-#else
5fd609
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
5fd609
     int rc;
5fd609
     OSSL_PARAM *params = NULL, *out_params = NULL, *merged_params = NULL;
5fd609
     OSSL_PARAM_BLD *param_bld = NULL;
5fd609
@@ -172,7 +169,11 @@ int ssh_dh_keypair_set_keys(struct dh_ctx *ctx, int peer,
5fd609
         return SSH_ERROR;
5fd609
     }
5fd609
5fd609
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
5fd609
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
5fd609
+    (void)DH_set0_key(ctx->keypair[peer], pub, priv);
5fd609
+
5fd609
+    return SSH_OK;
5fd609
+#else
5fd609
     rc = EVP_PKEY_todata(ctx->keypair[peer], EVP_PKEY_KEYPAIR, &out_params);
5fd609
     if (rc != 1) {
5fd609
         return SSH_ERROR;
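Review bot: The two `return SSH_ERROR;` paths in this hunk still leak `priv` and `pub`, even though the function now owns them; the `out:` cleanup that frees them is further down, outside this hunk, and only exists in the OpenSSL >= 3.0 branch. The first return, ahead of the version split, should free explicitly, `bignum_safe_free(priv); bignum_safe_free(pub);` before the `return`, since nothing has been transferred yet on either path. The second, after `EVP_PKEY_todata()` fails, can become `rc = SSH_ERROR; goto out;` provided `evp_ctx` is NULL-initialised like the `params` pointers are (its declaration is not visible here). The function body continues past the end of this hunk.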
5fd609
@@ -195,35 +196,22 @@ int ssh_dh_keypair_set_keys(struct dh_ctx *ctx, int peer,
5fd609
         rc = SSH_ERROR;
5fd609
         goto out;
5fd609
     }
5fd609
-#endif /* OPENSSL_VERSION_NUMBER */
5fd609
5fd609
     if (priv) {
5fd609
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
5fd609
-        priv_key = priv;
5fd609
-#else
5fd609
         rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PRIV_KEY, priv);
5fd609
         if (rc != 1) {
5fd609
             rc = SSH_ERROR;
5fd609
             goto out;
5fd609
         }
5fd609
-#endif /* OPENSSL_VERSION_NUMBER */
5fd609
     }
5fd609
     if (pub) {
5fd609
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
5fd609
-        pub_key = pub;
5fd609
-#else
5fd609
         rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PUB_KEY, pub);
5fd609
         if (rc != 1) {
5fd609
             rc = SSH_ERROR;
5fd609
             goto out;
5fd609
         }
5fd609
-#endif /* OPENSSL_VERSION_NUMBER */
5fd609
     }
5fd609
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
5fd609
-    (void)DH_set0_key(ctx->keypair[peer], pub_key, priv_key);
5fd609
5fd609
-    return SSH_OK;
5fd609
-#else
5fd609
     params = OSSL_PARAM_BLD_to_param(param_bld);
5fd609
     if (params == NULL) {
5fd609
         rc = SSH_ERROR;
5fd609
@@ -248,6 +236,8 @@ int ssh_dh_keypair_set_keys(struct dh_ctx *ctx, int peer,
5fd609
5fd609
     rc = SSH_OK;
5fd609
 out:
5fd609
+    bignum_safe_free(priv);
5fd609
+    bignum_safe_free(pub);
5fd609
     EVP_PKEY_CTX_free(evp_ctx);
5fd609
     OSSL_PARAM_free(out_params);
5fd609
     OSSL_PARAM_free(params);
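Review bot: `priv` is private key material, so the cleanup added here should clear the BIGNUM before releasing it; that holds if `bignum_safe_free` expands to `BN_clear_free()`, whose definition is not visible in this patch, but if it is a plain `BN_free()` wrapper the key bits remain in freed heap memory. Worth confirming, and a one-line comment would make the ownership rule explicit for the next reader, e.g. `/* push_BN() copied priv and pub into the params; clear and free our copies */`. The `out:` block continues past the end of this hunk.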
5fd609
diff --git a/src/pki_crypto.c b/src/pki_crypto.c
5fd609
index 0a5003da..d3359e2d 100644
5fd609
--- a/src/pki_crypto.c
5fd609
+++ b/src/pki_crypto.c
5fd609
@@ -1492,18 +1492,18 @@ int pki_privkey_build_dss(ssh_key key,
5fd609
                           ssh_string privkey)
5fd609
 {
5fd609
     int rc;
5fd609
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
5fd609
     BIGNUM *bp, *bq, *bg, *bpub_key, *bpriv_key;
5fd609
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
5fd609
+    OSSL_PARAM_BLD *param_bld = OSSL_PARAM_BLD_new();
5fd609
+    if (param_bld == NULL) {
5fd609
+        return SSH_ERROR;
5fd609
+    }
5fd609
 #else
5fd609
-    const BIGNUM *pb, *qb, *gb, *pubb, *privb;
5fd609
-    OSSL_PARAM_BLD *param_bld;
5fd609
-#endif /* OPENSSL_VERSION_NUMBER */
5fd609
-
5fd609
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
5fd609
     key->dsa = DSA_new();
5fd609
     if (key->dsa == NULL) {
5fd609
         return SSH_ERROR;
5fd609
     }
5fd609
+#endif /* OPENSSL_VERSION_NUMBER */
5fd609
5fd609
     bp = ssh_make_string_bn(p);
5fd609
     bq = ssh_make_string_bn(q);
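Review bot: On the OpenSSL >= 3.0 path the five BIGNUM pointers declared at the top of this hunk are left uninitialised, yet the shared `fail:` cleanup further down calls `bignum_safe_free()` on all of them; today every `goto fail` happens after all five assignments, but any future early exit between the `OSSL_PARAM_BLD_new()` check and the last `ssh_make_string_bn()` call would free garbage. `pki_pubkey_build_dss()` in this same patch initialises its pointers to NULL, so do the same here: `BIGNUM *bp = NULL, *bq = NULL, *bg = NULL, *bpub_key = NULL, *bpriv_key = NULL;`. The function signature starts before this hunk.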
5fd609
@@ -1512,9 +1512,11 @@ int pki_privkey_build_dss(ssh_key key,
5fd609
     bpriv_key = ssh_make_string_bn(privkey);
5fd609
     if (bp == NULL || bq == NULL ||
5fd609
         bg == NULL || bpub_key == NULL) {
5fd609
+        rc = SSH_ERROR;
5fd609
         goto fail;
5fd609
     }
5fd609
5fd609
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
5fd609
     /* Memory management of bp, qq and bg is transferred to DSA object */
5fd609
     rc = DSA_set0_pqg(key->dsa, bp, bq, bg);
5fd609
     if (rc == 0) {
5fd609
@@ -1532,39 +1534,43 @@ fail:
5fd609
     DSA_free(key->dsa);
5fd609
     return SSH_ERROR;
5fd609
 #else
5fd609
-    param_bld = OSSL_PARAM_BLD_new();
5fd609
-    if (param_bld == NULL)
5fd609
-        goto err;
5fd609
-
5fd609
-    pb = ssh_make_string_bn(p);
5fd609
-    qb = ssh_make_string_bn(q);
5fd609
-    gb = ssh_make_string_bn(g);
5fd609
-    pubb = ssh_make_string_bn(pubkey);
5fd609
-    privb = ssh_make_string_bn(privkey);
5fd609
-
5fd609
-    rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_P, pb);
5fd609
-    if (rc != 1)
5fd609
-        goto err;
5fd609
-    rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_Q, qb);
5fd609
-    if (rc != 1)
5fd609
-        goto err;
5fd609
-    rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_G, gb);
5fd609
-    if (rc != 1)
5fd609
-        goto err;
5fd609
-    rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PUB_KEY, pubb);
5fd609
-    if (rc != 1)
5fd609
-        goto err;
5fd609
-    rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PRIV_KEY, privb);
5fd609
-    if (rc != 1)
5fd609
-        goto err;
5fd609
+    rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_P, bp);
5fd609
+    if (rc != 1) {
5fd609
+        rc = SSH_ERROR;
5fd609
+        goto fail;
5fd609
+    }
5fd609
+    rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_Q, bq);
5fd609
+    if (rc != 1) {
5fd609
+        rc = SSH_ERROR;
5fd609
+        goto fail;
5fd609
+    }
5fd609
+    rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_G, bg);
5fd609
+    if (rc != 1) {
5fd609
+        rc = SSH_ERROR;
5fd609
+        goto fail;
5fd609
+    }
5fd609
+    rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PUB_KEY, bpub_key);
5fd609
+    if (rc != 1) {
5fd609
+        rc = SSH_ERROR;
5fd609
+        goto fail;
5fd609
+    }
5fd609
+    rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PRIV_KEY, bpriv_key);
5fd609
+    if (rc != 1) {
5fd609
+        rc = SSH_ERROR;
5fd609
+        goto fail;
5fd609
+    }
5fd609
5fd609
     rc = evp_build_pkey("DSA", param_bld, &(key->key), EVP_PKEY_KEYPAIR);
5fd609
+
5fd609
+fail:
5fd609
     OSSL_PARAM_BLD_free(param_bld);
5fd609
+    bignum_safe_free(bp);
5fd609
+    bignum_safe_free(bq);
5fd609
+    bignum_safe_free(bg);
5fd609
+    bignum_safe_free(bpub_key);
5fd609
+    bignum_safe_free(bpriv_key);
5fd609
5fd609
     return rc;
5fd609
-err:
5fd609
-    OSSL_PARAM_BLD_free(param_bld);
5fd609
-    return -1;
5fd609
 #endif /* OPENSSL_VERSION_NUMBER */
5fd609
 }
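Review bot: The unconditional `bignum_safe_free()` calls under `fail:` in the OpenSSL >= 3.0 branch deserve a comment, because the older branch right above transfers the same pointers into the DSA object and a reader will wonder why these are freed even after a successful build. Something like `/* OSSL_PARAM_BLD_push_BN() copies the BIGNUM, so the locals are always ours to free */` placed before the frees would make the ownership rule explicit, which is what the commit message explains but the code does not. The function starts before this hunk.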
5fd609
5fd609
@@ -1574,18 +1580,18 @@ int pki_pubkey_build_dss(ssh_key key,
5fd609
                          ssh_string g,
5fd609
                          ssh_string pubkey) {
5fd609
     int rc;
5fd609
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
5fd609
     BIGNUM *bp = NULL, *bq = NULL, *bg = NULL, *bpub_key = NULL;
5fd609
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
5fd609
+    OSSL_PARAM_BLD *param_bld = OSSL_PARAM_BLD_new();
5fd609
+    if (param_bld == NULL) {
5fd609
+        return SSH_ERROR;
5fd609
+    }
5fd609
 #else
5fd609
-    const BIGNUM *pb, *qb, *gb, *pubb;
5fd609
-    OSSL_PARAM_BLD *param_bld;
5fd609
-#endif /* OPENSSL_VERSION_NUMBER */
5fd609
-
5fd609
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
5fd609
     key->dsa = DSA_new();
5fd609
     if (key->dsa == NULL) {
5fd609
         return SSH_ERROR;
5fd609
     }
5fd609
+#endif /* OPENSSL_VERSION_NUMBER */
5fd609
5fd609
     bp = ssh_make_string_bn(p);
5fd609
     bq = ssh_make_string_bn(q);
5fd609
@@ -1593,9 +1599,11 @@ int pki_pubkey_build_dss(ssh_key key,
5fd609
     bpub_key = ssh_make_string_bn(pubkey);
5fd609
     if (bp == NULL || bq == NULL ||
5fd609
         bg == NULL || bpub_key == NULL) {
5fd609
+        rc = SSH_ERROR;
5fd609
         goto fail;
5fd609
     }
5fd609
5fd609
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
5fd609
     /* Memory management of bp, bq and bg is transferred to DSA object */
5fd609
     rc = DSA_set0_pqg(key->dsa, bp, bq, bg);
5fd609
     if (rc == 0) {
5fd609
@@ -1613,35 +1621,37 @@ fail:
5fd609
     DSA_free(key->dsa);
5fd609
     return SSH_ERROR;
5fd609
 #else
5fd609
-    param_bld = OSSL_PARAM_BLD_new();
5fd609
-    if (param_bld == NULL)
5fd609
-        goto err;
5fd609
-
5fd609
-    pb = ssh_make_string_bn(p);
5fd609
-    qb = ssh_make_string_bn(q);
5fd609
-    gb = ssh_make_string_bn(g);
5fd609
-    pubb = ssh_make_string_bn(pubkey);
5fd609
-
5fd609
-    rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_P, pb);
5fd609
-    if (rc != 1)
5fd609
-        goto err;
5fd609
-    rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_Q, qb);
5fd609
-    if (rc != 1)
5fd609
-        goto err;
5fd609
-    rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_G, gb);
5fd609
-    if (rc != 1)
5fd609
-        goto err;
5fd609
-    rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PUB_KEY, pubb);
5fd609
-    if (rc != 1)
5fd609
-        goto err;
5fd609
+    rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_P, bp);
5fd609
+    if (rc != 1) {
5fd609
+        rc = SSH_ERROR;
5fd609
+        goto fail;
5fd609
+    }
5fd609
+    rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_Q, bq);
5fd609
+    if (rc != 1) {
5fd609
+        rc = SSH_ERROR;
5fd609
+        goto fail;
5fd609
+    }
5fd609
+    rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_G, bg);
5fd609
+    if (rc != 1) {
5fd609
+        rc = SSH_ERROR;
5fd609
+        goto fail;
5fd609
+    }
5fd609
+    rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PUB_KEY, bpub_key);
5fd609
+    if (rc != 1) {
5fd609
+        rc = SSH_ERROR;
5fd609
+        goto fail;
5fd609
+    }
5fd609
5fd609
     rc = evp_build_pkey("DSA", param_bld, &(key->key), EVP_PKEY_PUBLIC_KEY);
5fd609
+
5fd609
+fail:
5fd609
     OSSL_PARAM_BLD_free(param_bld);
5fd609
+    bignum_safe_free(bp);
5fd609
+    bignum_safe_free(bq);
5fd609
+    bignum_safe_free(bg);
5fd609
+    bignum_safe_free(bpub_key);
5fd609
5fd609
     return rc;
5fd609
-err:
5fd609
-    OSSL_PARAM_BLD_free(param_bld);
5fd609
-    return -1;
5fd609
 #endif /* OPENSSL_VERSION_NUMBER */
5fd609
 }
5fd609
5fd609
@@ -1654,18 +1664,18 @@ int pki_privkey_build_rsa(ssh_key key,
5fd609
                           ssh_string q)
5fd609
 {
5fd609
     int rc;
5fd609
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
5fd609
     BIGNUM *be, *bn, *bd/*, *biqmp*/, *bp, *bq;
5fd609
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
5fd609
+    OSSL_PARAM_BLD *param_bld = OSSL_PARAM_BLD_new();
5fd609
+    if (param_bld == NULL) {
5fd609
+        return SSH_ERROR;
5fd609
+    }
5fd609
 #else
5fd609
-    const BIGNUM *nb, *eb, *db, *pb, *qb;
5fd609
-    OSSL_PARAM_BLD *param_bld;
5fd609
-#endif /* OPENSSL_VERSION_NUMBER */
5fd609
-
5fd609
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
5fd609
     key->rsa = RSA_new();
5fd609
     if (key->rsa == NULL) {
5fd609
         return SSH_ERROR;
5fd609
     }
5fd609
+#endif /* OPENSSL_VERSION_NUMBER */
5fd609
5fd609
     bn = ssh_make_string_bn(n);
5fd609
     be = ssh_make_string_bn(e);
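Review bot: As in the DSS builder, the BIGNUM pointers declared at the top of this hunk are uninitialised on the OpenSSL >= 3.0 path while the `fail:` label further down frees all five of them, so the code is correct only because every `goto fail` follows the last `ssh_make_string_bn()` call. `pki_pubkey_build_rsa()` in this same patch initialises its pointers to NULL; `BIGNUM *be = NULL, *bn = NULL, *bd = NULL, *bp = NULL, *bq = NULL;` would make this builder equally safe, and dropping the commented-out `biqmp` placeholder at the same time would tidy the declaration. The function signature starts before this hunk.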
5fd609
@@ -1675,9 +1685,11 @@ int pki_privkey_build_rsa(ssh_key key,
5fd609
     bq = ssh_make_string_bn(q);
5fd609
     if (be == NULL || bn == NULL || bd == NULL ||
5fd609
         /*biqmp == NULL ||*/ bp == NULL || bq == NULL) {
5fd609
+        rc = SSH_ERROR;
5fd609
         goto fail;
5fd609
     }
5fd609
5fd609
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
5fd609
     /* Memory management of be, bn and bd is transferred to RSA object */
5fd609
     rc = RSA_set0_key(key->rsa, bn, be, bd);
5fd609
     if (rc == 0) {
5fd609
@@ -1702,41 +1714,49 @@ fail:
5fd609
     RSA_free(key->rsa);
5fd609
     return SSH_ERROR;
5fd609
 #else
5fd609
-    param_bld = OSSL_PARAM_BLD_new();
5fd609
-    if (param_bld == NULL)
5fd609
-        goto err;
5fd609
-
5fd609
-    nb = ssh_make_string_bn(n);
5fd609
-    eb = ssh_make_string_bn(e);
5fd609
-    db = ssh_make_string_bn(d);
5fd609
-    pb = ssh_make_string_bn(p);
5fd609
-    qb = ssh_make_string_bn(q);
5fd609
-
5fd609
-    rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, nb);
5fd609
-    if (rc != 1)
5fd609
-        goto err;
5fd609
-    rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_E, eb);
5fd609
-    if (rc != 1)
5fd609
-        goto err;
5fd609
-    rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_D, db);
5fd609
-    if (rc != 1)
5fd609
-        goto err;
5fd609
+    rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, bn);
5fd609
+    if (rc != 1) {
5fd609
+        rc = SSH_ERROR;
5fd609
+        goto fail;
5fd609
+    }
5fd609
+    rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_E, be);
5fd609
+    if (rc != 1) {
5fd609
+        rc = SSH_ERROR;
5fd609
+        goto fail;
5fd609
+    }
5fd609
+    rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_D, bd);
5fd609
+    if (rc != 1) {
5fd609
+        rc = SSH_ERROR;
5fd609
+        goto fail;
5fd609
+    }
5fd609
5fd609
     rc = evp_build_pkey("RSA", param_bld, &(key->key), EVP_PKEY_KEYPAIR);
5fd609
-    OSSL_PARAM_BLD_free(param_bld);
5fd609
+    if (rc != SSH_OK) {
5fd609
+        rc = SSH_ERROR;
5fd609
+        goto fail;
5fd609
+    }
5fd609
5fd609
-    rc = EVP_PKEY_set_bn_param(key->key, OSSL_PKEY_PARAM_RSA_FACTOR1, pb);
5fd609
-    if (rc != 1)
5fd609
-        goto err;
5fd609
+    rc = EVP_PKEY_set_bn_param(key->key, OSSL_PKEY_PARAM_RSA_FACTOR1, bp);
5fd609
+    if (rc != 1) {
5fd609
+        rc = SSH_ERROR;
5fd609
+        goto fail;
5fd609
+    }
5fd609
5fd609
-    rc = EVP_PKEY_set_bn_param(key->key, OSSL_PKEY_PARAM_RSA_FACTOR2, qb);
5fd609
-    if (rc != 1)
5fd609
-        goto err;
5fd609
+    rc = EVP_PKEY_set_bn_param(key->key, OSSL_PKEY_PARAM_RSA_FACTOR2, bq);
5fd609
+    if (rc != 1) {
5fd609
+        rc = SSH_ERROR;
5fd609
+        goto fail;
5fd609
+    }
5fd609
5fd609
-    return rc;
5fd609
-err:
5fd609
+fail:
5fd609
     OSSL_PARAM_BLD_free(param_bld);
5fd609
-    return -1;
5fd609
+    bignum_safe_free(bn);
5fd609
+    bignum_safe_free(be);
5fd609
+    bignum_safe_free(bd);
5fd609
+    bignum_safe_free(bp);
5fd609
+    bignum_safe_free(bq);
5fd609
+
5fd609
+    return rc;
5fd609
 #endif /* OPENSSL_VERSION_NUMBER */
5fd609
 }
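Review bot: The two `EVP_PKEY_set_bn_param()` calls kept after `evp_build_pkey()` look fragile: I am not confident the default RSA key manager in OpenSSL 3 accepts `OSSL_PKEY_PARAM_RSA_FACTOR1`/`FACTOR2` through the set-params path, and if either call fails the function now returns SSH_ERROR while leaving an already built `key->key` behind for the caller to clean up. This is carried over from the old code rather than introduced here, but pushing the two factors into `param_bld` before building the key, exactly as n, e and d are, keeps everything on one path and lets the new `fail:` cleanup cover it. The function starts before this hunk.

```c
    rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_FACTOR1, bp);
    if (rc != 1) {
        rc = SSH_ERROR;
        goto fail;
    }
    rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_FACTOR2, bq);
    if (rc != 1) {
        rc = SSH_ERROR;
        goto fail;
    }

    rc = evp_build_pkey("RSA", param_bld, &(key->key), EVP_PKEY_KEYPAIR);
    /* … the two EVP_PKEY_set_bn_param() calls are dropped … */

fail:
    /* … unchanged: OSSL_PARAM_BLD_free() and bignum_safe_free() cleanup … */
```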
5fd609
5fd609
@@ -1744,25 +1764,27 @@ int pki_pubkey_build_rsa(ssh_key key,
5fd609
                          ssh_string e,
5fd609
                          ssh_string n) {
5fd609
     int rc;
5fd609
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
5fd609
     BIGNUM *be = NULL, *bn = NULL;
5fd609
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
5fd609
+    OSSL_PARAM_BLD *param_bld = OSSL_PARAM_BLD_new();
5fd609
+    if (param_bld == NULL) {
5fd609
+        return SSH_ERROR;
5fd609
+    }
5fd609
 #else
5fd609
-    const BIGNUM *eb, *nb;
5fd609
-    OSSL_PARAM_BLD *param_bld;
5fd609
-#endif /* OPENSSL_VERSION_NUMBER */
5fd609
-
5fd609
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
5fd609
     key->rsa = RSA_new();
5fd609
     if (key->rsa == NULL) {
5fd609
         return SSH_ERROR;
5fd609
     }
5fd609
+#endif /* OPENSSL_VERSION_NUMBER */
5fd609
5fd609
     be = ssh_make_string_bn(e);
5fd609
     bn = ssh_make_string_bn(n);
5fd609
     if (be == NULL || bn == NULL) {
5fd609
+        rc = SSH_ERROR;
5fd609
         goto fail;
5fd609
     }
5fd609
5fd609
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
5fd609
     /* Memory management of bn and be is transferred to RSA object */
5fd609
     rc = RSA_set0_key(key->rsa, bn, be, NULL);
5fd609
     if (rc == 0) {
5fd609
@@ -1774,27 +1796,25 @@ fail:
5fd609
     RSA_free(key->rsa);
5fd609
     return SSH_ERROR;
5fd609
 #else
5fd609
-    nb = ssh_make_string_bn(n);
5fd609
-    eb = ssh_make_string_bn(e);
5fd609
-
5fd609
-    param_bld = OSSL_PARAM_BLD_new();
5fd609
-    if (param_bld == NULL)
5fd609
-        goto err;
5fd609
-
5fd609
-    rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, nb);
5fd609
-    if (rc != 1)
5fd609
-        goto err;
5fd609
-    rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_E, eb);
5fd609
-    if (rc != 1)
5fd609
-        goto err;
5fd609
+    rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, bn);
5fd609
+    if (rc != 1) {
5fd609
+        rc = SSH_ERROR;
5fd609
+        goto fail;
5fd609
+    }
5fd609
+    rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_E, be);
5fd609
+    if (rc != 1) {
5fd609
+        rc = SSH_ERROR;
5fd609
+        goto fail;
5fd609
+    }
5fd609
5fd609
     rc = evp_build_pkey("RSA", param_bld, &(key->key), EVP_PKEY_PUBLIC_KEY);
5fd609
+
5fd609
+fail:
5fd609
     OSSL_PARAM_BLD_free(param_bld);
5fd609
+    bignum_safe_free(bn);
5fd609
+    bignum_safe_free(be);
5fd609
5fd609
     return rc;
5fd609
-err:
5fd609
-    OSSL_PARAM_BLD_free(param_bld);
5fd609
-    return -1;
5fd609
 #endif /* OPENSSL_VERSION_NUMBER */
5fd609
 }
5fd609
--
2.38.1