Fix possible null pointer dereference of evp_pkey_get_legacy()

evp_pkey_get_legacy() will return NULL on failure, however several uses of it or its wrappers does not check the return value of evp_pkey_get_legacy(), which could lead to NULL pointer dereference. Fix those possible bugs by adding NULL checking. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17967) (cherry picked from commit b9a86d5dd8b5bd33be42390bcbb5121fe0ae71a1)
author: Zhou Qingyang <zhou1615@umn.edu> 2022-03-25 20:28:32 +0800
committer: Tomas Mraz <tomas@openssl.org> 2022-06-02 12:06:40 +0200
commit: b375e158cb910b253d4bb68c2fd5c30a2da60670 (patch)
tree: 6c831eade342d08d1dc334b8bb44c0bd02b8b4d8 /crypto/evp
parent: 13bc9889cb2a19613397fd5f26ee60f2b031432b (diff)
2 files changed, 12 insertions, 4 deletions
diff --git a/crypto/evp/p_dec.c b/crypto/evp/p_dec.c
index 7b33edecd5..29ea3f5fbc 100644
--- a/crypto/evp/p_dec.c
+++ b/crypto/evp/p_dec.c
@@ -22,15 +22,19 @@ int EVP_PKEY_decrypt_old(unsigned char *key, const unsigned char *ek, int ekl,
                          EVP_PKEY *priv)
 {
     int ret = -1;
+    RSA *rsa = NULL;
 
     if (EVP_PKEY_get_id(priv) != EVP_PKEY_RSA) {
         ERR_raise(ERR_LIB_EVP, EVP_R_PUBLIC_KEY_NOT_RSA);
         goto err;
     }
 
+    rsa = evp_pkey_get0_RSA_int(priv);
+    if (rsa == NULL)
+        goto err;
+
     ret =
-        RSA_private_decrypt(ekl, ek, key, evp_pkey_get0_RSA_int(priv),
-                            RSA_PKCS1_PADDING);
+        RSA_private_decrypt(ekl, ek, key, rsa, RSA_PKCS1_PADDING);
  err:
     return ret;
 }
diff --git a/crypto/evp/p_enc.c b/crypto/evp/p_enc.c
index d4db595164..64e6751456 100644
--- a/crypto/evp/p_enc.c
+++ b/crypto/evp/p_enc.c
@@ -22,15 +22,19 @@ int EVP_PKEY_encrypt_old(unsigned char *ek, const unsigned char *key,
                          int key_len, EVP_PKEY *pubk)
 {
     int ret = 0;
+    RSA *rsa = NULL;
 
     if (EVP_PKEY_get_id(pubk) != EVP_PKEY_RSA) {
         ERR_raise(ERR_LIB_EVP, EVP_R_PUBLIC_KEY_NOT_RSA);
         goto err;
     }
 
+    rsa = evp_pkey_get0_RSA_int(pubk);
+    if (rsa == NULL)
+        goto err;
+
     ret =
-        RSA_public_encrypt(key_len, key, ek, evp_pkey_get0_RSA_int(pubk),
-                           RSA_PKCS1_PADDING);
+        RSA_public_encrypt(key_len, key, ek, rsa, RSA_PKCS1_PADDING);
  err:
     return ret;
 }
author	Zhou Qingyang <zhou1615@umn.edu>	2022-03-25 20:28:32 +0800
committer	Tomas Mraz <tomas@openssl.org>	2022-06-02 12:06:40 +0200
commit	b375e158cb910b253d4bb68c2fd5c30a2da60670 (patch)
tree	6c831eade342d08d1dc334b8bb44c0bd02b8b4d8 /crypto/evp
parent	13bc9889cb2a19613397fd5f26ee60f2b031432b (diff)