Add missing NULL check for server key generation in ML-KEM hybrids

Resolves: RHEL-168106
2026-04-14 16:24:03 +02:00 · 2026-04-14 16:24:03 +02:00 · 125c748cc9
commit 125c748cc9
parent b35a30acc7
2 changed files with 3 additions and 1 deletions
--- a/openssh-10.0-mlkem-nist.patch
+++ b/openssh-10.0-mlkem-nist.patch
@ -676,7 +676,7 @@ index 670049dcd..463d18771 100644
 +	/* generate ECDH key pair, store server pubkey after ciphertext */
 +	server_key = nist_pkey_keygen(server_key_len);
 +
-+	if ((r = get_uncompressed_ec_pubkey(server_key, server_pub, server_key_len) != 0) ||
+	if ((server_key == NULL) || (r = get_uncompressed_ec_pubkey(server_key, server_pub, server_key_len) != 0) ||
 +	    (r = sshbuf_put(buf, secret, sizeof(secret))) != 0 ||
 +	    (r = sshbuf_put(server_blob, enc_out, enc_out_len) != 0)||
 +	    (r = sshbuf_put(server_blob, server_pub, server_key_len)) != 0)
--- a/openssh.spec
+++ b/openssh.spec
@ -743,6 +743,8 @@ test -f %{sysconfig_anaconda} && \
 * Tue Apr 14 2026 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.9p1-26
 - Improve keytab detection when obtaining Kerberos tickets on behalf of user on SSH authentication
  Related: RHEL-92932
+- Add missing NULL check for server key generation in ML-KEM hybrids
+  Resolves: RHEL-168106

 * Wed Apr 01 2026 Zoltan Fridrich <zfridric@redhat.com> - 9.9p1-25
 - Fix static analysis issues