Fix a potential NULL-deref in EVP_PKEY_keygen()

After a EVP_PKEY_new() failure, a NULL pointer would be passed to the
keygen pmeth, which could result in tears.

ok beck jsing

1 files changed, 8 insertions, 6 deletions

diff --git a/src/lib/libcrypto/evp/pmeth_gn.c b/src/lib/libcrypto/evp/pmeth_gn.c
index 2711ba1a9e..b86ecc6811 100644
--- a/src/lib/libcrypto/evp/pmeth_gn.c
+++ b/src/lib/libcrypto/evp/pmeth_gn.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pmeth_gn.c,v 1.16 2024/04/09 13:52:41 beck Exp $ */
+/* $OpenBSD: pmeth_gn.c,v 1.17 2024/04/12 02:56:15 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2006.
  */
@@ -141,7 +141,7 @@ EVP_PKEY_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey)
 {
         int ret;
 
-        if (!ctx || !ctx->pmeth || !ctx->pmeth->keygen) {
+        if (ctx == NULL || ctx->pmeth == NULL || ctx->pmeth->keygen == NULL) {
                 EVPerror(EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
                 return -2;
         }
@@ -150,17 +150,19 @@ EVP_PKEY_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey)
                 return -1;
         }
 
-        if (!ppkey)
+        if (ppkey == NULL)
                 return -1;
 
-        if (!*ppkey)
+        if (*ppkey == NULL)
                 *ppkey = EVP_PKEY_new();
+        if (*ppkey == NULL)
+                return -1;
 
-        ret = ctx->pmeth->keygen(ctx, *ppkey);
-        if (ret <= 0) {
+        if ((ret = ctx->pmeth->keygen(ctx, *ppkey)) <= 0) {
                 EVP_PKEY_free(*ppkey);
                 *ppkey = NULL;
         }
+
         return ret;
 }
 LCRYPTO_ALIAS(EVP_PKEY_keygen);