@@ -96,13 +96,24 @@ BOOL crypto_cert_get_public_key(CryptoCert cert, BYTE** PublicKey, DWORD* Public
9696static int crypto_rsa_common (const BYTE * input , int length , UINT32 key_length , const BYTE * modulus ,
9797 const BYTE * exponent , int exponent_size , BYTE * output )
9898{
99- BN_CTX * ctx ;
99+ BN_CTX * ctx = NULL ;
100100 int output_length = -1 ;
101- BYTE * input_reverse ;
102- BYTE * modulus_reverse ;
103- BYTE * exponent_reverse ;
104- BIGNUM * mod , * exp , * x , * y ;
105- input_reverse = (BYTE * )malloc (2 * key_length + exponent_size );
101+ BYTE * input_reverse = NULL ;
102+ BYTE * modulus_reverse = NULL ;
103+ BYTE * exponent_reverse = NULL ;
104+ BIGNUM * mod = NULL ;
105+ BIGNUM * exp = NULL ;
106+ BIGNUM * x = NULL ;
107+ BIGNUM * y = NULL ;
108+ size_t bufferSize = 2 * key_length + exponent_size ;
109+
110+ if (!input || (length < 0 ) || (exponent_size < 0 ) || !modulus || !exponent || !output )
111+ return -1 ;
112+
113+ if (length > bufferSize )
114+ bufferSize = length ;
115+
116+ input_reverse = (BYTE * )calloc (bufferSize , 1 );
106117
107118 if (!input_reverse )
108119 return -1 ;
@@ -131,16 +142,24 @@ static int crypto_rsa_common(const BYTE* input, int length, UINT32 key_length, c
131142 if (!(y = BN_new ()))
132143 goto fail_bn_y ;
133144
134- BN_bin2bn (modulus_reverse , key_length , mod );
135- BN_bin2bn (exponent_reverse , exponent_size , exp );
136- BN_bin2bn (input_reverse , length , x );
137- BN_mod_exp (y , x , exp , mod , ctx );
145+ if (!BN_bin2bn (modulus_reverse , key_length , mod ))
146+ goto fail ;
147+
148+ if (!BN_bin2bn (exponent_reverse , exponent_size , exp ))
149+ goto fail ;
150+ if (!BN_bin2bn (input_reverse , length , x ))
151+ goto fail ;
152+ if (BN_mod_exp (y , x , exp , mod , ctx ) != 1 )
153+ goto fail ;
138154 output_length = BN_bn2bin (y , output );
155+ if (output_length < 0 )
156+ goto fail ;
139157 crypto_reverse (output , output_length );
140158
141- if (output_length < ( int ) key_length )
159+ if (output_length < key_length )
142160 memset (output + output_length , 0 , key_length - output_length );
143161
162+ fail :
144163 BN_free (y );
145164fail_bn_y :
146165 BN_clear_free (x );
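Review bot: In the first hunk, `size_t bufferSize = 2 * key_length + exponent_size ;` is evaluated in 32-bit unsigned arithmetic (UINT32 times int) before it is widened to size_t, and it runs ahead of the `exponent_size < 0` check, so a large key_length can still wrap the sum to a small allocation size. The `length > bufferSize` adjustment only protects the input copy; whether the modulus and exponent copies into the same allocation stay in bounds depends on code between the two hunks that is not visible here. I would move the computation below the argument check and widen first, `size_t bufferSize = 2 * (size_t)key_length + (size_t)exponent_size;`, and also reject a key_length above the largest modulus size the caller is expected to pass. In the second hunk, `BN_bn2bin (y , output )` and the zero-padding memset still rely on the caller supplying at least key_length bytes of output, since no output size is passed; a comment on the function should state that requirement. The function body starts before and continues past both hunks.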