From 7e8f0de8850e4d835fd9bc12ef540caeef22e9ad Mon Sep 17 00:00:00 2001
From: tb <>
Date: Wed, 31 Aug 2022 06:51:36 +0000
Subject: Avoid potential NULL dereference in ssl_set_pkey()

Switch from X509_get_pubkey() to X509_get0_pubkey() to avoid an unnecessary
EVP_PKEY_free(). Check the return values of X509_get0_pubkey() and
EVP_PKEY_copy_parameters(). If the former returns NULL, the latter will
dereference NULL.

CID 25020

ok jsing
---
 src/lib/libssl/ssl_rsa.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/src/lib/libssl/ssl_rsa.c b/src/lib/libssl/ssl_rsa.c
index 192dc4291e..98c1e1b7b3 100644
--- a/src/lib/libssl/ssl_rsa.c
+++ b/src/lib/libssl/ssl_rsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_rsa.c,v 1.45 2022/06/30 09:08:35 tb Exp $ */
+/* $OpenBSD: ssl_rsa.c,v 1.46 2022/08/31 06:51:36 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -184,9 +184,13 @@ ssl_set_pkey(SSL_CTX *ctx, SSL *ssl, EVP_PKEY *pkey)
 
 	if (c->pkeys[i].x509 != NULL) {
 		EVP_PKEY *pktmp;
-		pktmp = X509_get_pubkey(c->pkeys[i].x509);
-		EVP_PKEY_copy_parameters(pktmp, pkey);
-		EVP_PKEY_free(pktmp);
+
+		if ((pktmp = X509_get0_pubkey(c->pkeys[i].x509)) == NULL)
+			return 0;
+
+		if (!EVP_PKEY_copy_parameters(pktmp, pkey))
+			return 0;
+
 		ERR_clear_error();
 
 		/*
@@ -209,7 +213,7 @@ ssl_set_pkey(SSL_CTX *ctx, SSL *ssl, EVP_PKEY *pkey)
 	c->key = &(c->pkeys[i]);
 
 	c->valid = 0;
-	return (1);
+	return 1;
 }
 
 int
-- 
cgit v1.2.3-55-g6feb