Commit 63f62bf4e5 for openssl.org

commit 63f62bf4e55111d87898f534ad0a2164e13ba289
Author: Eugene Syromiatnikov <esyr@openssl.org>
Date:   Mon Jan 26 09:51:33 2026 +0100

    srtpkdf.c: avoid ctx NULL dereference kdf_srtpkdf_set_ctx_params()

    ctx is dereferenced before NULL check to obtain libctx.  Fix it
    by moving the dereference after the NULL check.

    Resolves: https://scan5.scan.coverity.com/#/project-view/65248/10222?selectedIssue=1680648
    Fixes: fe67753da4096 "Add SRTPKDF implementation"
    Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>

    Reviewed-by: Tomas Mraz <tomas@openssl.org>
    Reviewed-by: Paul Dale <paul.dale@oracle.com>
    Reviewed-by: Norbert Pocs <norbertp@openssl.org>
    Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
    Reviewed-by: Neil Horman <nhorman@openssl.org>
    MergeDate: Wed Jan 28 12:57:00 2026
    (Merged from https://github.com/openssl/openssl/pull/29757)

diff --git a/providers/implementations/kdfs/srtpkdf.c b/providers/implementations/kdfs/srtpkdf.c
index 46e5411bf2..5fe65831a9 100644
--- a/providers/implementations/kdfs/srtpkdf.c
+++ b/providers/implementations/kdfs/srtpkdf.c
@@ -206,7 +206,7 @@ static int kdf_srtpkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
 {
     struct srtp_set_ctx_params_st p;
     KDF_SRTPKDF *ctx = vctx;
-    OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx);
+    OSSL_LIB_CTX *libctx;
     const EVP_CIPHER *cipher;

     if (params == NULL)
@@ -215,6 +215,8 @@ static int kdf_srtpkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
     if (ctx == NULL || !srtp_set_ctx_params_decoder(params, &p))
         return 0;

+    libctx = PROV_LIBCTX_OF(ctx->provctx);
+
     if ((p.cipher != NULL)
         && !ossl_prov_cipher_load(&ctx->cipher, p.cipher, p.propq, libctx))
         return 0;