From 125c748cc93b84fb92dfec4b91cee0076b658ffe Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Tue, 14 Apr 2026 16:24:03 +0200
Subject: [PATCH] Add missing NULL check for server key generation in ML-KEM
 hybrids

Resolves: RHEL-168106
---
 openssh-10.0-mlkem-nist.patch | 2 +-
 openssh.spec                  | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/openssh-10.0-mlkem-nist.patch b/openssh-10.0-mlkem-nist.patch
index 22b8ec6..cb873c6 100644
--- a/openssh-10.0-mlkem-nist.patch
+++ b/openssh-10.0-mlkem-nist.patch
@@ -676,7 +676,7 @@ index 670049dcd..463d18771 100644
 +	/* generate ECDH key pair, store server pubkey after ciphertext */
 +	server_key = nist_pkey_keygen(server_key_len);
 +
-+	if ((r = get_uncompressed_ec_pubkey(server_key, server_pub, server_key_len) != 0) ||
++	if ((server_key == NULL) || (r = get_uncompressed_ec_pubkey(server_key, server_pub, server_key_len) != 0) ||
 +	    (r = sshbuf_put(buf, secret, sizeof(secret))) != 0 ||
 +	    (r = sshbuf_put(server_blob, enc_out, enc_out_len) != 0)||
 +	    (r = sshbuf_put(server_blob, server_pub, server_key_len)) != 0)
diff --git a/openssh.spec b/openssh.spec
index 650998a..cbb2de7 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -743,6 +743,8 @@ test -f %{sysconfig_anaconda} && \
 * Tue Apr 14 2026 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.9p1-26
 - Improve keytab detection when obtaining Kerberos tickets on behalf of user on SSH authentication
   Related: RHEL-92932
+- Add missing NULL check for server key generation in ML-KEM hybrids
+  Resolves: RHEL-168106
 
 * Wed Apr 01 2026 Zoltan Fridrich <zfridric@redhat.com> - 9.9p1-25
 - Fix static analysis issues