From 78d109596cd2171d4ae09b5f7acae04d4d156e48 Mon Sep 17 00:00:00 2001
From: Norbert Pocs
Date: Mon, 27 Jun 2022 20:19:40 +0000
Subject: [PATCH] pki_crypto: Fix segfault error when pkcs11 EVP_PKEY_dup can't be used with ENGINE generated keys and the key can't be freed because it is passing the main key from the struct.
Signed-off-by: Norbert Pocs
Reviewed-by: Jakub Jelen
Reviewed-by: Andreas Schneider
---
 src/pki_crypto.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/src/pki_crypto.c b/src/pki_crypto.c
index 859d05da..621caeef 100644
--- a/src/pki_crypto.c
+++ b/src/pki_crypto.c
@@ -3260,7 +3260,17 @@ int ssh_key_size(ssh_key key)
 return SSH_ERROR;
 }
 bits = EVP_PKEY_bits(pkey);
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
 EVP_PKEY_free(pkey);
+/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys
+ * https://github.com/openssl/openssl/pull/16624
+ * no need of this free
+ */
+#else
+ if (is_ecdsa_key_type(key->type)) {
+ EVP_PKEY_free(pkey);
+ }
+#endif /* OPENSSL_VERSION_NUMBER */
 return bits;
 case SSH_KEYTYPE_ED25519:
 case SSH_KEYTYPE_ED25519_CERT01:
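Review bot: In the `#else` branch, whether `pkey` is owned or borrowed is decided by `is_ecdsa_key_type(key->type)`, so the caller repeats knowledge that belongs to the code that produced `pkey`. That code is above the hunk and not visible here, and `ssh_key_size` also continues past it. If the two ever disagree, the result is a double free or use-after-free of the key held in the struct, or a leaked copy of key material. A sturdier contract would have the producer always hand back a reference the caller owns, for instance by calling `EVP_PKEY_up_ref()` on the struct's key before returning it, so that `EVP_PKEY_free(pkey);` stays unconditional on both OpenSSL versions. The TODO comment also sits inside the `#if OPENSSL_VERSION_NUMBER < 0x30000000L` branch although it describes the 3.0 path, and "no need of this free" does not say which free is meant. I would move it below `#else` and state ownership directly, along the lines of `/* OpenSSL 3.0: pkey is the key's own EVP_PKEY unless the type is ECDSA, where it is a copy that must be freed */`, after confirming that against the producer.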