Fix incorrect error branch in ossl_bn_rsa_fips186_4_derive_prime()

BN_priv_rand_range_ex() and BN_add() both return a 0 on failure and a 1
on success. In case of failure, the algorithm should fail. However, the
branch that it goes through on failure is "goto end", not "goto err".
Therefore, the algorithm will return 1 which indicates success instead
of 0 for failure, leading to potential problems for the callers.
Fix it by changing the goto to "goto err" instead of "goto end".

CLA: trivial

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/20279)

diff --git a/crypto/bn/bn_rsa_fips186_4.c b/crypto/bn/bn_rsa_fips186_4.c
index 765ee250e7de7ebb96edaa6c645cab558e5c3a4f..1af30190059be62374d22aca01d50a6d037f5420 100644 (file)
--- a/crypto/bn/bn_rsa_fips186_4.c
+++ b/crypto/bn/bn_rsa_fips186_4.c
@@ -357,7 +357,7 @@ int ossl_bn_rsa_fips186_4_derive_prime(BIGNUM *Y, BIGNUM *X, const BIGNUM *Xin,
              *    sqrt(2) * 2^(nlen/2-1) <= Random X <= (2^(nlen/2)) - 1.
              */
             if (!BN_priv_rand_range_ex(X, range, 0, ctx) || !BN_add(X, X, base))
-                goto end;
+                goto err;
         }
         /* (Step 4) Y = X + ((R - X) mod 2r1r2) */
         if (!BN_mod_sub(Y, R, X, r1r2x2, ctx) || !BN_add(Y, Y, X))