Add null check on RSA key checks (#2727)

samuel40791765 · web-flow · commit 815eee1b7fbc · 2025-10-07T09:46:48.000-04:00
Was running into segfaults with this with some internal builds switching
over to AWS-LC.

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.
diff --git a/crypto/fipsmodule/rsa/rsa.c b/crypto/fipsmodule/rsa/rsa.c
@@ -1270,6 +1270,8 @@ static enum rsa_key_type_for_checking determine_key_type_for_checking(const RSA
 // the function can work with.
 int RSA_check_key(const RSA *key) {
   SET_DIT_AUTO_RESET;
+  GUARD_PTR(key);
+
   enum rsa_key_type_for_checking key_type = determine_key_type_for_checking(key);
   if (key_type == RSA_KEY_TYPE_FOR_CHECKING_INVALID) {
     OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_RSA_PARAMETERS);
@@ -1501,6 +1503,7 @@ DEFINE_LOCAL_DATA(BIGNUM, g_small_factors) {
 // approved FIPS services.
 int RSA_check_fips(RSA *key) {
   SET_DIT_AUTO_RESET;
+  GUARD_PTR(key);
 
   enum rsa_key_type_for_checking key_type = determine_key_type_for_checking(key);
   // In addition to invalid key type, stripped private keys can not be checked
