Commit e1156ee77b for openssl.org
commit e1156ee77b8c16fc92742b408f663ce1780ca45f
Author: Joshua Rogers <MegaManSec@users.noreply.github.com>
Date: Wed Apr 1 00:02:11 2026 +0800
s_lib.c: Fix refcount leak in EVP_SKEY_to_provider
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
MergeDate: Wed Apr 8 10:27:02 2026
(Merged from https://github.com/openssl/openssl/pull/30650)
diff --git a/crypto/evp/s_lib.c b/crypto/evp/s_lib.c
index f4d26846c4..5594dc81c5 100644
--- a/crypto/evp/s_lib.c
+++ b/crypto/evp/s_lib.c
@@ -287,11 +287,15 @@ EVP_SKEY *EVP_SKEY_to_provider(EVP_SKEY *skey, OSSL_LIB_CTX *libctx,
}
if (prov != NULL) {
- if (skey->skeymgmt->prov == prov)
+ if (skey->skeymgmt->prov == prov) {
skeymgmt = skey->skeymgmt;
- else
+ /* Balance the short-circuit free below */
+ if (!EVP_SKEYMGMT_up_ref(skeymgmt))
+ goto err;
+ } else {
skeymgmt = evp_skeymgmt_fetch_from_prov(prov, skey->skeymgmt->type_name,
propquery);
+ }
} else {
/* If no provider, get the default skeymgmt */
skeymgmt = EVP_SKEYMGMT_fetch(libctx, skey->skeymgmt->type_name,
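Review bot: The failure branch of the added `if (!EVP_SKEYMGMT_up_ref(skeymgmt))` check jumps to `err` while `skeymgmt` still aliases `skey->skeymgmt`, and no reference has been taken on it at that point. The body of `err:` is outside this hunk, but if it calls `EVP_SKEYMGMT_free(skeymgmt)`, as the "balance" comments suggest, that path would drop a reference owned by the caller's key and could free `skey->skeymgmt` while it is still in use. Clearing the alias first avoids this: put `skeymgmt = NULL;` before the `goto err;` (bracing the two statements), or return NULL directly from that branch. The function starts before this hunk and continues past it.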
@@ -326,6 +330,9 @@ EVP_SKEY *EVP_SKEY_to_provider(EVP_SKEY *skey, OSSL_LIB_CTX *libctx,
ret->keydata = ctx.keydata;
+ /* Balance the local reference obtained earlier (fetch or alias up_ref) */
+ EVP_SKEYMGMT_free(skeymgmt);
+
return ret;
err:
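Review bot: The added `EVP_SKEYMGMT_free(skeymgmt)` before `return ret;` is safe only if `ret` holds its own reference on `skeymgmt`, and the allocation of `ret` is not visible in this hunk. If the allocator does take one, the comment should say so, for example `/* ret holds its own reference; drop the local one from the fetch or alias up_ref */`. If it does not, this free would leave `ret->skeymgmt` dangling after return. A regression test that transfers a key to its own provider and to a different one under a leak or address sanitizer would pin both paths; none is visible in this diff.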