s_lib.c: Fix refcount leak in EVP_SKEY_to_provider
authorJoshua Rogers <MegaManSec@users.noreply.github.com>
Tue, 31 Mar 2026 16:02:11 +0000 (00:02 +0800)
committerTomas Mraz <tomas@openssl.foundation>
Wed, 8 Apr 2026 10:27:42 +0000 (12:27 +0200)
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
MergeDate: Wed Apr  8 10:27:02 2026
(Merged from https://github.com/openssl/openssl/pull/30650)

(cherry picked from commit e1156ee77b8c16fc92742b408f663ce1780ca45f)

crypto/evp/s_lib.c

index f4d26846c49823de086574e901821e7a267f97f5..5594dc81c5a330f2761a9ac4e52e5f932aed6396 100644 (file)
@@ -287,11 +287,15 @@ EVP_SKEY *EVP_SKEY_to_provider(EVP_SKEY *skey, OSSL_LIB_CTX *libctx,
     }
 
     if (prov != NULL) {
-        if (skey->skeymgmt->prov == prov)
+        if (skey->skeymgmt->prov == prov) {
             skeymgmt = skey->skeymgmt;
-        else
+            /* Balance the short-circuit free below */
+            if (!EVP_SKEYMGMT_up_ref(skeymgmt))
+                goto err;
+        } else {
             skeymgmt = evp_skeymgmt_fetch_from_prov(prov, skey->skeymgmt->type_name,
                 propquery);
+        }
     } else {
         /* If no provider, get the default skeymgmt */
         skeymgmt = EVP_SKEYMGMT_fetch(libctx, skey->skeymgmt->type_name,
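Review bot: In the same-provider branch, `skeymgmt` is assigned before `EVP_SKEYMGMT_up_ref()` is checked, so a failed up_ref reaches `err` with `skeymgmt` aliasing `skey->skeymgmt` and no reference taken. The body of `err` is outside this hunk, but if it frees `skeymgmt`, that path drops a reference the function never owned and could release the key manager while `skey` still points at it. Taking the reference before the assignment avoids this: `if (!EVP_SKEYMGMT_up_ref(skey->skeymgmt)) goto err;` then `skeymgmt = skey->skeymgmt;`. This assumes `skeymgmt` is still NULL at that point and that the cleanup tolerates NULL, both of which need checking against the declarations and the `err` body outside the hunk.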
@@ -326,6 +330,9 @@ EVP_SKEY *EVP_SKEY_to_provider(EVP_SKEY *skey, OSSL_LIB_CTX *libctx,
 
     ret->keydata = ctx.keydata;
 
+    /* Balance the local reference obtained earlier (fetch or alias up_ref) */
+    EVP_SKEYMGMT_free(skeymgmt);
+
     return ret;
 
 err:
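Review bot: The added `EVP_SKEYMGMT_free(skeymgmt)` before `return ret` is only correct if `ret` holds its own reference to the key manager, and the comment does not record that assumption. The allocation of `ret` is outside this hunk, so this cannot be confirmed from the visible lines; if `ret` merely stores the pointer, the returned key would be left with a dangling key manager. I would spell out the ownership in the comment, for example `/* ret owns its own skeymgmt reference; drop the local one taken by fetch or the alias up_ref */`.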