From 4eae9e5142e24b0b3da6d497c62856773b455057 Mon Sep 17 00:00:00 2001
From: Emmanuel Deloget
Date: Fri, 12 Jan 2018 17:48:24 +0100
Subject: [PATCH] OpenSSL: check EVP_PKEY key types before returning the pkey

The internal EVP_PKEY::pkey member is an union thus we need to check for the real key type before we can return the corresponding RSA, DSA or EC public key.

Reported-by: Selva Nair
Signed-off-by: Emmanuel Deloget
Acked-by: Steffan Karger
Message-Id:
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg16202.html
Signed-off-by: Gert Doering
(cherry picked from commit e603afabb845d2552198843a987b5d9b0b7ac404)
---
 src/openvpn/openssl_compat.h | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
index 70b19aea9..8b29cdaf1 100644
--- a/src/openvpn/openssl_compat.h
+++ b/src/openvpn/openssl_compat.h
@@ -240,7 +240,7 @@ X509_OBJECT_get_type(const X509_OBJECT *obj)
 static inline RSA *
 EVP_PKEY_get0_RSA(EVP_PKEY *pkey)
 {
- return pkey ? pkey->pkey.rsa : NULL;
+ return (pkey && pkey->type == EVP_PKEY_RSA) ? pkey->pkey.rsa : NULL;
 }
 #endif
@@ -254,7 +254,7 @@ EVP_PKEY_get0_RSA(EVP_PKEY *pkey)
 static inline EC_KEY *
 EVP_PKEY_get0_EC_KEY(EVP_PKEY *pkey)
 {
- return pkey ? pkey->pkey.ec : NULL;
+ return (pkey && pkey->type == EVP_PKEY_EC) ? pkey->pkey.ec : NULL;
 }
 #endif
@@ -282,7 +282,7 @@ EVP_PKEY_id(const EVP_PKEY *pkey)
 static inline DSA *
 EVP_PKEY_get0_DSA(EVP_PKEY *pkey)
 {
- return pkey ? pkey->pkey.dsa : NULL;
+ return (pkey && pkey->type == EVP_PKEY_DSA) ? pkey->pkey.dsa : NULL;
 }
 #endif
--
2.47.2
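Review bot: `EVP_PKEY_get0_RSA` can now return NULL for a non-NULL `pkey` whose type does not match, and the same holds for `EVP_PKEY_get0_EC_KEY` and `EVP_PKEY_get0_DSA` in the two following hunks, yet nothing in the hunks records that contract. Before this change a mismatched key handed back the wrong union member; now it yields a NULL that an unchecked caller would dereference, so the call sites (not visible here) should be confirmed to test the result. I would add above each function a comment such as `/* Returns NULL if pkey is NULL or does not hold an RSA key; callers must check the result. */`, adjusted for EC and DSA. The existing doc comments and the enclosing `#if` guards sit outside the hunks, so whether they already state this cannot be checked from here.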