EVP_DigestSignFinal siglen parameter correction
authorJuliusz Sosinowicz <juliusz@wolfssl.com>
Fri, 12 Mar 2021 15:06:29 +0000 (16:06 +0100)
committerGert Doering <gert@greenie.muc.de>
Wed, 17 Mar 2021 18:45:33 +0000 (19:45 +0100)
In the EVP_DigestSignFinal API, "before the call the siglen parameter
should contain the length of the sig buffer".

Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20210312150629.57302-1-juliusz@wolfssl.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21663.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
src/openvpn/crypto_openssl.c

index 49698e4b3194d87cca6113517a22f18987608506..4486d246d36f874dfe1d2a939c852deaf1c528a5 100644 (file)
@@ -1195,7 +1195,7 @@ tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
     EVP_MD_CTX ctx, ctx_tmp, ctx_init;
     EVP_PKEY *mac_key;
     unsigned char A1[EVP_MAX_MD_SIZE];
-    size_t A1_len;
+    size_t A1_len = EVP_MAX_MD_SIZE;
     int ret = false;
 
     chunk = EVP_MD_size(md);
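Review bot: The initialiser `size_t A1_len = EVP_MAX_MD_SIZE;` repeats the array bound by hand instead of deriving it from the buffer it describes; `size_t A1_len = sizeof(A1);` would keep the capacity passed to EVP_DigestSignFinal correct if the declaration of A1 ever changes. The same applies to the reset `A1_len = EVP_MAX_MD_SIZE;` added in the else branch of the last hunk. Since siglen is read as the buffer capacity before the call, an overstated value is the case that matters for memory safety, so tying it to `sizeof` is worth the small change. tls1_P_hash starts and ends outside the hunk.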
@@ -1249,6 +1249,7 @@ tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
 
         if (olen > chunk)
         {
+            j = olen;
             if (!EVP_DigestSignFinal(&ctx, out, &j))
             {
                 goto err;
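Review bot: The added `j = olen;` is a truthful buffer length only because of the enclosing `olen > chunk` test, and nothing at the call site records that. A short comment above the assignment would help, e.g. `/* in: bytes left in out (olen > chunk, so a full digest fits); out: bytes written */`. The declarations of j and olen are outside the hunk; if olen is a signed int and j is a size_t, the assignment also relies on olen being positive here, which holds only when the `chunk` returned by EVP_MD_size() is non-negative, so that is worth confirming. The if block continues past the end of the hunk.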
@@ -1263,6 +1264,7 @@ tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
         }
         else
         {
+            A1_len = EVP_MAX_MD_SIZE;
             /* last one */
             if (!EVP_DigestSignFinal(&ctx, A1, &A1_len))
             {
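Review bot: The capacity of A1 is restored only before this final call in the else branch. After any earlier EVP_DigestSignFinal into A1, A1_len presumably holds the digest length that was written back rather than the size of the buffer. If A1 is finalised anywhere between this hunk and the previous one (those lines are not shown), that call would still pass the written-back length; it is large enough for the same digest, but resetting there too with `A1_len = sizeof(A1);` would make every call follow the rule quoted in the commit message. The else block continues outside the hunk.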