From b4fab70bfb6829e4904120769b8e24a99a91cc43 Mon Sep 17 00:00:00 2001
From: Andrew Dinh
Date: Wed, 19 Feb 2025 13:29:07 +0700
Subject: [PATCH] EVP_PKEY_derive_set_peer_ex(): Don't free peer on error
In EVP_PKEY_derive_set_peer_ex, don't free peer on error. Revert to existing functionality. Bug was introduced with https://github.com/openssl/openssl/pull/26294
Reviewed-by: Neil Horman
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/26823)
---
 crypto/evp/exchange.c | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)
diff --git a/crypto/evp/exchange.c b/crypto/evp/exchange.c
index 0c27d34ba44..a24b54dd71b 100644
--- a/crypto/evp/exchange.c
+++ b/crypto/evp/exchange.c
@@ -494,20 +494,15 @@ int EVP_PKEY_derive_set_peer_ex(EVP_PKEY_CTX *ctx, EVP_PKEY *peer,
 return -1;
 }
+ ret = ctx->pmeth->ctrl(ctx, EVP_PKEY_CTRL_PEER_KEY, 1, peer);
+ if (ret <= 0)
+ return ret;
 if (!EVP_PKEY_up_ref(peer))
 return -1;
 EVP_PKEY_free(ctx->peerkey);
 ctx->peerkey = peer;
- ret = ctx->pmeth->ctrl(ctx, EVP_PKEY_CTRL_PEER_KEY, 1, peer);
-
- if (ret <= 0) {
- EVP_PKEY_free(ctx->peerkey);
- ctx->peerkey = NULL;
- return ret;
- }
-
 return 1;
 #endif
 }
--
2.47.2
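Review bot: In the reordered tail of EVP_PKEY_derive_set_peer_ex(), the `EVP_PKEY_CTRL_PEER_KEY` ctrl call now runs before `ctx->peerkey = peer`, whereas the removed code ran it after the assignment. A method whose ctrl handler reads `ctx->peerkey` during this call would now see the previous key or NULL; the pmeth implementations are not visible here, so this is worth confirming. A failing `EVP_PKEY_up_ref(peer)` also returns -1 after the ctrl has already reported success, so the method may have been told about a peer that the context never stored. Since the fix is about who owns `peer` on failure, a comment above the ctrl call would pin the contract for the paths in this hunk, for example `/* On failure the caller keeps ownership of peer and ctx->peerkey is left unchanged. */`. The function starts outside the hunk, so the earlier return paths were not reviewed.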