Avoid use of uninitialized in BN_mod_exp_recp()

If either of the two initial BN_CTX_get() fails, we will call
BN_RECP_CTX_free() on the uninitialized recp, which won't end
well, so hoist the BN_RECP_CTX_init() call a few lines up.

From Pauli, OpenSSL ad249412

ok inoguchi jsing

1 files changed, 3 insertions, 2 deletions

diff --git a/src/lib/libcrypto/bn/bn_exp.c b/src/lib/libcrypto/bn/bn_exp.c
index b778d5d67c..3525b50388 100644
--- a/src/lib/libcrypto/bn/bn_exp.c
+++ b/src/lib/libcrypto/bn/bn_exp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_exp.c,v 1.31 2017/05/02 03:59:44 deraadt Exp $ */
+/* $OpenBSD: bn_exp.c,v 1.32 2022/04/20 13:32:34 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -278,13 +278,14 @@ BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
                 return ret;
         }
 
+        BN_RECP_CTX_init(&recp);
+
         BN_CTX_start(ctx);
         if ((aa = BN_CTX_get(ctx)) == NULL)
                 goto err;
         if ((val[0] = BN_CTX_get(ctx)) == NULL)
                 goto err;
 
-        BN_RECP_CTX_init(&recp);
         if (m->neg) {
                 /* ignore sign of 'm' */
                 if (!BN_copy(aa, m))