From 1b731c1f439c73f98d49b476b859a6ec22c81da0 Mon Sep 17 00:00:00 2001
From: Kazuki Yamaguchi <k@rhe.jp>
Date: Wed, 29 Jan 2025 23:08:40 +0900
Subject: [PATCH] [ruby/openssl] pkey: avoid calling i2d_PUBKEY family on an
 incomplete key

Call ossl_pkey_check_public_key() to ensure that
EVP_PKEY_missing_parameters() passes. This check should be cheap.

DSA#{to_der,to_pem,export,to_s} and PKey#{public_to_der,public_to_pem}
cause a segfault if the receiver is an empty DSA instance with no
parameters set.

Fixes <https://github.com/ruby/openssl/issues/845>.

https://github.com/ruby/openssl/commit/5aeed935e5
---
 ext/openssl/ossl_pkey.c       | 1 +
 test/openssl/test_pkey_dsa.rb | 6 ++++++
 2 files changed, 7 insertions(+)

diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c
index 207d1fa361..03cb859790 100644
--- a/ext/openssl/ossl_pkey.c
+++ b/ext/openssl/ossl_pkey.c
@@ -919,6 +919,7 @@ ossl_pkey_export_spki(VALUE self, int to_der)
     BIO *bio;
 
     GetPKey(self, pkey);
+    ossl_pkey_check_public_key(pkey);
     bio = BIO_new(BIO_s_mem());
     if (!bio)
 	ossl_raise(ePKeyError, "BIO_new");
diff --git a/test/openssl/test_pkey_dsa.rb b/test/openssl/test_pkey_dsa.rb
index e45c3da3e2..a8578daf55 100644
--- a/test/openssl/test_pkey_dsa.rb
+++ b/test/openssl/test_pkey_dsa.rb
@@ -33,6 +33,12 @@ class OpenSSL::TestPKeyDSA < OpenSSL::PKeyTestCase
     end
   end
 
+  def test_new_empty
+    key = OpenSSL::PKey::DSA.new
+    assert_nil(key.p)
+    assert_raise(OpenSSL::PKey::PKeyError) { key.to_der }
+  end
+
   def test_generate
     # DSA.generate used to call DSA_generate_parameters_ex(), which adjusts the
     # size of q according to the size of p