From: Joshua Rogers Date: Sat, 11 Oct 2025 12:05:38 +0000 (+0800) Subject: ssl: set tmp.pkey only after successful derive X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b8d80f0e9346ef7645dbc71a3e44b8087b70f3f2;p=thirdparty%2Fopenssl.git ssl: set tmp.pkey only after successful derive Assign s->s3.tmp.pkey after ssl_derive succeeds and free skey on failure to avoid a dangling state. Signed-off-by: Joshua Rogers Reviewed-by: Saša Nedvědický Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/28878)
---
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
index c616ee0c977..ac2bddde3b0 100644
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
@@ -2011,11 +2011,12 @@ EXT_RETURN tls_construct_stoc_key_share(SSL_CONNECTION *s, WPACKET *pkt,
 /*
 * This causes the crypto state to be updated based on the derived keys
 */
- s->s3.tmp.pkey = skey;
 if (ssl_derive(s, skey, ckey, 1) == 0) {
 /* SSLfatal() already called */
+ EVP_PKEY_free(skey);
 return EXT_RETURN_FAIL;
 }
+ s->s3.tmp.pkey = skey;
 } else {
 /* KEM mode */
 unsigned char *ct = NULL;
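Review bot: The added `EVP_PKEY_free(skey);` on the `ssl_derive()` failure path is only safe if `ssl_derive()` never stores `skey` in the connection before it fails. Its body is not visible in this hunk, so that should be confirmed; otherwise the free would leave a stale pointer behind. The moved `s->s3.tmp.pkey = skey;` also overwrites the field without a visible free of any earlier value. Presumably the field is NULL at this point, but the earlier part of tls_construct_stoc_key_share lies outside the hunk, so this is worth checking too. A short ownership comment above the assignment would make the contract explicit for the next maintainer, e.g. `/* ownership of skey passes to s->s3.tmp.pkey only after a successful derive */`.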