Merge branch '2991-address-reported-by-coverity-in-updated-openssl-code' into 'main'

Resolve "Address reports by Coverity in updated OpenSSL code"

Closes #2991

See merge request isc-projects/bind9!5547

lib/dns/openssldh_link.c

@@ -1116,8 +1116,6 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 		DST_RET(ISC_R_NOMEMORY);
 	}
 	DH_clear_flags(dh, DH_FLAG_CACHE_MONT_P);
-	key->keydata.dh = dh;
-	dh = NULL;
 #else
 	bld = OSSL_PARAM_BLD_new();
 	if (bld == NULL) {
@@ -1155,11 +1153,11 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 	}
 
 #if OPENSSL_VERSION_NUMBER < 0x30000000L
-	if (DH_set0_key(key->keydata.dh, pub_key, priv_key) != 1) {
+	if (DH_set0_key(dh, pub_key, priv_key) != 1) {
 		DST_RET(dst__openssl_toresult2("DH_set0_key",
 					       DST_R_OPENSSLFAILURE));
 	}
-	if (DH_set0_pqg(key->keydata.dh, p, NULL, g) != 1) {
+	if (DH_set0_pqg(dh, p, NULL, g) != 1) {
 		DST_RET(dst__openssl_toresult2("DH_set0_pqg",
 					       DST_R_OPENSSLFAILURE));
 	}
@@ -1169,6 +1167,9 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 	priv_key = NULL;
 	p = NULL;
 	g = NULL;
+
+	key->keydata.dh = dh;
+	dh = NULL;
 #else
 	if (OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PUB_KEY, pub_key) !=
 		    1 ||

lib/dns/opensslrsa_link.c

@@ -811,7 +811,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) {
 
 	if (key->external) {
 		priv.nelements = 0;
-		DST_RET(dst__privstruct_writefile(key, &priv, directory));
+		return (dst__privstruct_writefile(key, &priv, directory));
 	}
 
 	pkey = key->keydata.pkey;
@@ -855,6 +855,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) {
 	if (d != NULL) {
 		priv.elements[i].tag = TAG_RSA_PRIVATEEXPONENT;
 		priv.elements[i].length = BN_num_bytes(d);
+		INSIST(i < ARRAY_SIZE(bufs));
 		bufs[i] = isc_mem_get(key->mctx, priv.elements[i].length);
 		BN_bn2bin(d, bufs[i]);
 		priv.elements[i].data = bufs[i];
@@ -864,6 +865,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) {
 	if (p != NULL) {
 		priv.elements[i].tag = TAG_RSA_PRIME1;
 		priv.elements[i].length = BN_num_bytes(p);
+		INSIST(i < ARRAY_SIZE(bufs));
 		bufs[i] = isc_mem_get(key->mctx, priv.elements[i].length);
 		BN_bn2bin(p, bufs[i]);
 		priv.elements[i].data = bufs[i];
@@ -873,6 +875,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) {
 	if (q != NULL) {
 		priv.elements[i].tag = TAG_RSA_PRIME2;
 		priv.elements[i].length = BN_num_bytes(q);
+		INSIST(i < ARRAY_SIZE(bufs));
 		bufs[i] = isc_mem_get(key->mctx, priv.elements[i].length);
 		BN_bn2bin(q, bufs[i]);
 		priv.elements[i].data = bufs[i];
@@ -882,6 +885,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) {
 	if (dmp1 != NULL) {
 		priv.elements[i].tag = TAG_RSA_EXPONENT1;
 		priv.elements[i].length = BN_num_bytes(dmp1);
+		INSIST(i < ARRAY_SIZE(bufs));
 		bufs[i] = isc_mem_get(key->mctx, priv.elements[i].length);
 		BN_bn2bin(dmp1, bufs[i]);
 		priv.elements[i].data = bufs[i];
@@ -891,6 +895,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) {
 	if (dmq1 != NULL) {
 		priv.elements[i].tag = TAG_RSA_EXPONENT2;
 		priv.elements[i].length = BN_num_bytes(dmq1);
+		INSIST(i < ARRAY_SIZE(bufs));
 		bufs[i] = isc_mem_get(key->mctx, priv.elements[i].length);
 		BN_bn2bin(dmq1, bufs[i]);
 		priv.elements[i].data = bufs[i];
@@ -900,6 +905,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) {
 	if (iqmp != NULL) {
 		priv.elements[i].tag = TAG_RSA_COEFFICIENT;
 		priv.elements[i].length = BN_num_bytes(iqmp);
+		INSIST(i < ARRAY_SIZE(bufs));
 		bufs[i] = isc_mem_get(key->mctx, priv.elements[i].length);
 		BN_bn2bin(iqmp, bufs[i]);
 		priv.elements[i].data = bufs[i];
@@ -926,7 +932,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) {
 	ret = dst__privstruct_writefile(key, &priv, directory);
 
 err:
-	while (i--) {
+	for (i = 0; i < ARRAY_SIZE(bufs); i++) {
 		if (bufs[i] != NULL) {
 			isc_mem_put(key->mctx, bufs[i],
 				    priv.elements[i].length);