From: Matt Caswell Date: Thu, 27 May 2021 08:00:47 +0000 (+0100) Subject: Make sure X509_dup() also dup's any associated EVP_PKEY X-Git-Tag: openssl-3.0.0-beta1~198 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6282d6c28456543734defc45f653adeec1362958;p=thirdparty%2Fopenssl.git Make sure X509_dup() also dup's any associated EVP_PKEY Otherwise we can end up with a blank EVP_PKEY. If it is later recreated it can end up with the wrong libctx/propq. Reviewed-by: Shane Lontis Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15591) --- diff --git a/crypto/x509/x_x509.c b/crypto/x509/x_x509.c index a45b89cbeb9..6666058b4c1 100644 --- a/crypto/x509/x_x509.c +++ b/crypto/x509/x_x509.c @@ -104,6 +104,23 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, if (!ossl_x509_set0_libctx(ret, old->libctx, old->propq)) return 0; + if (old->cert_info.key != NULL) { + EVP_PKEY *pkey = X509_PUBKEY_get0(old->cert_info.key); + + if (pkey != NULL) { + pkey = EVP_PKEY_dup(pkey); + if (pkey == NULL) { + ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE); + return 0; + } + if (!X509_PUBKEY_set(&ret->cert_info.key, pkey)) { + EVP_PKEY_free(pkey); + ERR_raise(ERR_LIB_X509, ERR_R_INTERNAL_ERROR); + return 0; + } + EVP_PKEY_free(pkey); + } + } } break; default:
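Review bot: in the added block in x509_cb(), the `pkey == NULL` branch after `EVP_PKEY_dup(pkey)` always raises ERR_R_MALLOC_FAILURE, which will mislead anyone reading the error queue if the dup can fail for a reason other than allocation (for example a key that cannot be duplicated); consider ERR_R_INTERNAL_ERROR there, as on the X509_PUBKEY_set() failure path, or leave whatever EVP_PKEY_dup() itself raised. Two smaller points on the same hunk: when `old->cert_info.key` is set but X509_PUBKEY_get0() returns NULL, the code falls through without copying anything and without a comment saying that this is intended, and the block has no comment carrying the reason given in the commit message (keeping the duplicate from later recreating the key with the wrong libctx/propq), so a one-line comment above `if (old->cert_info.key != NULL)` would help. The diff touches only crypto/x509/x_x509.c; a test that calls X509_dup() on a certificate bound to a non-default libctx/propq and checks the duplicate's key would guard against a regression.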