ssl: set tmp.pkey only after successful derive
authorJoshua Rogers <MegaManSec@users.noreply.github.com>
Sat, 11 Oct 2025 12:05:38 +0000 (20:05 +0800)
committerTomas Mraz <tomas@openssl.org>
Fri, 17 Oct 2025 17:30:45 +0000 (19:30 +0200)
Assign s->s3.tmp.pkey after ssl_derive succeeds and free skey on failure
to avoid a dangling state.

Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28878)

ssl/statem/extensions_srvr.c

index c616ee0c9774029acf207ea4ac6482d3d49fdf0c..ac2bddde3b0c7dffc83c792141b44bb1baf550f3 100644 (file)
@@ -2011,11 +2011,12 @@ EXT_RETURN tls_construct_stoc_key_share(SSL_CONNECTION *s, WPACKET *pkt,
         /*
          * This causes the crypto state to be updated based on the derived keys
          */
-        s->s3.tmp.pkey = skey;
         if (ssl_derive(s, skey, ckey, 1) == 0) {
             /* SSLfatal() already called */
+            EVP_PKEY_free(skey);
             return EXT_RETURN_FAIL;
         }
+        s->s3.tmp.pkey = skey;
     } else {
         /* KEM mode */
         unsigned char *ct = NULL;
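Review bot: Ownership of `skey` in the regular-KEX branch is now decided in two places, freed locally when `ssl_derive()` fails and handed to the connection by `s->s3.tmp.pkey = skey;` on success, and no comment records that. A one-line comment before the assignment, e.g. `/* derive succeeded: the connection now owns skey, do not free it here */`, would help prevent a later edit from introducing a double free or a leaking early return. The reorder is only safe if `ssl_derive()` works from the `skey` argument and never reads `s->s3.tmp.pkey`; that function is not visible in this hunk, so this should be confirmed. The assignment also overwrites the field without releasing a previous value, so it presumably relies on the slot being NULL at this point, which the hunk does not show. The enclosing function starts and ends outside the hunk.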