From c8d92e7494cde45554fdc18c66728a2adbe1bb71 Mon Sep 17 00:00:00 2001
From: tb <>
Date: Sun, 26 Dec 2021 15:16:50 +0000
Subject: Consistently call BN_init() before BN_with_flags()

BN_with_flags() preserves the BN_FLG_MALLOCED flag of the destination
which results in a potential use of an uninitialized bit. In practice
this doesn't matter since we don't free the cloned BIGNUMs anyway.

As jsing points out, these are mostly pointless noise and should be
garbage collected. I'll leave that for another rainy day.

Coverity flagged one instance BN_gcd_no_branch(), the rest was found by
the ever so helpful grep(1).

CID 345122

ok jsing
---
 src/lib/libcrypto/rsa/rsa_gen.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'src/lib/libcrypto/rsa/rsa_gen.c')

diff --git a/src/lib/libcrypto/rsa/rsa_gen.c b/src/lib/libcrypto/rsa/rsa_gen.c
index 596eb8eb78..1c37d8ef21 100644
--- a/src/lib/libcrypto/rsa/rsa_gen.c
+++ b/src/lib/libcrypto/rsa/rsa_gen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_gen.c,v 1.22 2017/01/29 17:49:23 beck Exp $ */
+/* $OpenBSD: rsa_gen.c,v 1.23 2021/12/26 15:16:50 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -194,12 +194,14 @@ rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
 	if (!BN_mul(r0, r1, r2, ctx))			/* (p-1)(q-1) */
 		goto err;
 
+	BN_init(&pr0);
 	BN_with_flags(&pr0, r0, BN_FLG_CONSTTIME);
 
 	if (!BN_mod_inverse_ct(rsa->d, rsa->e, &pr0, ctx)) /* d */
 		goto err;
 
 	/* set up d for correct BN_FLG_CONSTTIME flag */
+	BN_init(&d);
 	BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME);
 
 	/* calculate d mod (p-1) */
@@ -211,6 +213,7 @@ rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
 		goto err;
 
 	/* calculate inverse of q mod p */
+	BN_init(&p);
 	BN_with_flags(&p, rsa->p, BN_FLG_CONSTTIME);
 	if (!BN_mod_inverse_ct(rsa->iqmp, rsa->q, &p, ctx))
 		goto err;
-- 
cgit v1.2.3-55-g6feb