Fix misc NULL derefs in sureware engine
authorMatt Caswell <matt@openssl.org>
Fri, 13 Mar 2015 15:04:54 +0000 (15:04 +0000)
committerMatt Caswell <matt@openssl.org>
Mon, 20 Apr 2015 22:10:56 +0000 (23:10 +0100)
Fix miscellaneous NULL pointer derefs in the sureware engine.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 7b611e5fe8eaac9512f72094c460f3ed6040076a)

engines/e_sureware.c

index 1005dfc..8a23763 100644 (file)
@@ -712,10 +712,12 @@ static EVP_PKEY *sureware_load_public(ENGINE *e, const char *key_id,
         /* set public big nums */
         rsatmp->e = BN_new();
         rsatmp->n = BN_new();
+        if(!rsatmp->e || !rsatmp->n)
+            goto err;
         bn_expand2(rsatmp->e, el / sizeof(BN_ULONG));
         bn_expand2(rsatmp->n, el / sizeof(BN_ULONG));
-        if (!rsatmp->e || rsatmp->e->dmax != (int)(el / sizeof(BN_ULONG)) ||
-            !rsatmp->n || rsatmp->n->dmax != (int)(el / sizeof(BN_ULONG)))
+        if (rsatmp->e->dmax != (int)(el / sizeof(BN_ULONG)) ||
+            rsatmp->n->dmax != (int)(el / sizeof(BN_ULONG)))
             goto err;
         ret = p_surewarehk_Load_Rsa_Pubkey(msg, key_id, el,
                                            (unsigned long *)rsatmp->n->d,
@@ -752,15 +754,16 @@ static EVP_PKEY *sureware_load_public(ENGINE *e, const char *key_id,
         dsatmp->p = BN_new();
         dsatmp->q = BN_new();
         dsatmp->g = BN_new();
+        if(!dsatmp->pub_key || !dsatmp->p || !dsatmp->q || !dsatmp->g)
+            goto err;
         bn_expand2(dsatmp->pub_key, el / sizeof(BN_ULONG));
         bn_expand2(dsatmp->p, el / sizeof(BN_ULONG));
         bn_expand2(dsatmp->q, 20 / sizeof(BN_ULONG));
         bn_expand2(dsatmp->g, el / sizeof(BN_ULONG));
-        if (!dsatmp->pub_key
-            || dsatmp->pub_key->dmax != (int)(el / sizeof(BN_ULONG))
-            || !dsatmp->p || dsatmp->p->dmax != (int)(el / sizeof(BN_ULONG))
-            || !dsatmp->q || dsatmp->q->dmax != 20 / sizeof(BN_ULONG)
-            || !dsatmp->g || dsatmp->g->dmax != (int)(el / sizeof(BN_ULONG)))
+        if (dsatmp->pub_key->dmax != (int)(el / sizeof(BN_ULONG))
+            || dsatmp->p->dmax != (int)(el / sizeof(BN_ULONG))
+            || dsatmp->q->dmax != 20 / sizeof(BN_ULONG)
+            || dsatmp->g->dmax != (int)(el / sizeof(BN_ULONG)))
             goto err;
 
         ret = p_surewarehk_Load_Dsa_Pubkey(msg, key_id, el,
@@ -1038,10 +1041,12 @@ static DSA_SIG *surewarehk_dsa_do_sign(const unsigned char *from, int flen,
         }
         psign->r = BN_new();
         psign->s = BN_new();
+        if(!psign->r || !psign->s)
+            goto err;
         bn_expand2(psign->r, 20 / sizeof(BN_ULONG));
         bn_expand2(psign->s, 20 / sizeof(BN_ULONG));
-        if (!psign->r || psign->r->dmax != 20 / sizeof(BN_ULONG) ||
-            !psign->s || psign->s->dmax != 20 / sizeof(BN_ULONG))
+        if (psign->r->dmax != 20 / sizeof(BN_ULONG) ||
+            psign->s->dmax != 20 / sizeof(BN_ULONG))
             goto err;
         ret = p_surewarehk_Dsa_Sign(msg, flen, from,
                                     (unsigned long *)psign->r->d,
@@ -1070,9 +1075,9 @@ static int surewarehk_modexp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
     char msg[64] = "ENGINE_modexp";
     if (!p_surewarehk_Mod_Exp) {
         SUREWAREerr(SUREWARE_F_SUREWAREHK_MODEXP, ENGINE_R_NOT_INITIALISED);
-    } else {
+    } else if (r) {
         bn_expand2(r, m->top);
-        if (r && r->dmax == m->top) {
+        if (r->dmax == m->top) {
             /* do it */
             ret = p_surewarehk_Mod_Exp(msg,
                                        m->top * sizeof(BN_ULONG),