Avoid potential NULL dereference in ssl_set_pkey()
authortb <tb@openbsd.org>
Wed, 31 Aug 2022 06:51:36 +0000 (06:51 +0000)
committertb <tb@openbsd.org>
Wed, 31 Aug 2022 06:51:36 +0000 (06:51 +0000)
Switch from X509_get_pubkey() to X509_get0_pubkey() to avoid an unnecessary
EVP_PKEY_free(). Check the return values of X509_get0_pubkey() and
EVP_PKEY_copy_parameters(). If the former returns NULL, the latter will
dereference NULL.

CID 25020

ok jsing

lib/libssl/ssl_rsa.c

index 192dc42..98c1e1b 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_rsa.c,v 1.45 2022/06/30 09:08:35 tb Exp $ */
+/* $OpenBSD: ssl_rsa.c,v 1.46 2022/08/31 06:51:36 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -184,9 +184,13 @@ ssl_set_pkey(SSL_CTX *ctx, SSL *ssl, EVP_PKEY *pkey)
 
        if (c->pkeys[i].x509 != NULL) {
                EVP_PKEY *pktmp;
-               pktmp = X509_get_pubkey(c->pkeys[i].x509);
-               EVP_PKEY_copy_parameters(pktmp, pkey);
-               EVP_PKEY_free(pktmp);
+
+               if ((pktmp = X509_get0_pubkey(c->pkeys[i].x509)) == NULL)
+                       return 0;
+
+               if (!EVP_PKEY_copy_parameters(pktmp, pkey))
+                       return 0;
+
                ERR_clear_error();
 
                /*
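Review bot: The added `if (!EVP_PKEY_copy_parameters(pktmp, pkey)) return 0;` makes every 0 return a hard failure of ssl_set_pkey(), yet the `ERR_clear_error()` kept directly below suggests that errors from this call were previously expected and tolerated. If EVP_PKEY_copy_parameters() also returns 0 for key types that have no parameter-copy method (RSA is the likely case; confirm against the libcrypto implementation), then setting such a key while a certificate is already loaded would now be rejected. The NULL check on X509_get0_pubkey() is what prevents the dereference, so consider keeping it and leaving the copy unchecked with a why-comment, e.g. `EVP_PKEY_copy_parameters(pktmp, pkey); /* 0 may only mean there was nothing to copy */`. Both new `return 0` paths also return without raising an SSL error of their own, so if other failure paths in this function do raise one, these should match. The body of ssl_set_pkey() starts and ends outside this hunk.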
@@ -209,7 +213,7 @@ ssl_set_pkey(SSL_CTX *ctx, SSL *ssl, EVP_PKEY *pkey)
        c->key = &(c->pkeys[i]);
 
        c->valid = 0;
-       return (1);
+       return 1;
 }
 
 int