From: Joshua Rogers Date: Tue, 31 Mar 2026 16:02:11 +0000 (+0800) Subject: s_lib.c: Fix refcount leak in EVP_SKEY_to_provider X-Git-Tag: openssl-4.0.0~24 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=920c0e11afe94cc017c68fc69248f2476b1c0ec7;p=thirdparty%2Fopenssl.git s_lib.c: Fix refcount leak in EVP_SKEY_to_provider Reviewed-by: Dmitry Belyavskiy Reviewed-by: Frederik Wedel-Heinen MergeDate: Wed Apr 8 10:27:02 2026 (Merged from https://github.com/openssl/openssl/pull/30650) (cherry picked from commit e1156ee77b8c16fc92742b408f663ce1780ca45f) --- diff --git a/crypto/evp/s_lib.c b/crypto/evp/s_lib.c index f4d26846c49..5594dc81c5a 100644 --- a/crypto/evp/s_lib.c +++ b/crypto/evp/s_lib.c @@ -287,11 +287,15 @@ EVP_SKEY *EVP_SKEY_to_provider(EVP_SKEY *skey, OSSL_LIB_CTX *libctx, } if (prov != NULL) { - if (skey->skeymgmt->prov == prov) + if (skey->skeymgmt->prov == prov) { skeymgmt = skey->skeymgmt; - else + /* Balance the short-circuit free below */ + if (!EVP_SKEYMGMT_up_ref(skeymgmt)) + goto err; + } else { skeymgmt = evp_skeymgmt_fetch_from_prov(prov, skey->skeymgmt->type_name, propquery); + } } else { /* If no provider, get the default skeymgmt */ skeymgmt = EVP_SKEYMGMT_fetch(libctx, skey->skeymgmt->type_name, @@ -326,6 +330,9 @@ EVP_SKEY *EVP_SKEY_to_provider(EVP_SKEY *skey, OSSL_LIB_CTX *libctx, ret->keydata = ctx.keydata; + /* Balance the local reference obtained earlier (fetch or alias up_ref) */ + EVP_SKEYMGMT_free(skeymgmt); + return ret; err:
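Review bot: In the first hunk, `skeymgmt = skey->skeymgmt;` is assigned before `EVP_SKEYMGMT_up_ref()` is checked, so on the `goto err` path the local still aliases the key's management object without owning a reference. The body of the `err:` label is outside this diff; if it releases `skeymgmt`, a failed up_ref would drop a reference this function never took, which is the same imbalance the commit removes and could lead to a premature free of an object `skey` still uses. Taking the reference first avoids that: `if (!EVP_SKEYMGMT_up_ref(skey->skeymgmt)) goto err;` followed by `skeymgmt = skey->skeymgmt;`. This assumes `skeymgmt` is still NULL when the branch is entered, which the hunk does not show.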
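Review bot: The `EVP_SKEYMGMT_free(skeymgmt)` added before `return ret;` in the second hunk is only safe if `ret` took its own reference to the management object when it was allocated, and that allocation is outside the hunk. If `ret` merely stored the local pointer, this free would leave the returned key referring to an object that can be destroyed underneath it. The comment could state the ownership explicitly, for example `/* ret holds its own skeymgmt reference; release the local one (fetch or alias up_ref) */`. As shown here the change touches only `crypto/evp/s_lib.c`, so a regression test that exercises both the same-provider and the different-provider paths under a leak/address sanitizer would help keep the counts balanced.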