On Wed, Jun 04, 2014 at 18:17, Florian Zumbiehl wrote:
> Hi all,
> 
> may I draw your attention to this (my) ticket in the OpenSSL bug tracker?
> 
> http://rt.openssl.org/Ticket/Display.html?id=3226&user=guest&pass=guest
> 
> The patch adds various error checks and fixes an undefined return value in
> case of error that could happen despite the error checking that's in place
> in the SRP implementation.

Hi, thanks. We haven't paid much attention to SRP ourselves (and it's
not being built atm), but no reason not to make it better.

That said, I think the DigestUpdate and similar checks are unnecessary
and complicate the code more than they help. Those functions really
can't fail.

However, I think maybe the free() and BN_clear_free() fixes are still
applicable?
