From defd84da6deb0d20322566a989266e5888a59304 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Fri, 16 Aug 2024 10:17:53 +1000
Subject: [PATCH] Fix openssleddsa_isprivate

openssleddsa_isprivate failed to properly determine if a buffer was private or not. Pass in a buffer so that EVP_PKEY_get_raw_private_key fails when there is not a private key.
---
 lib/dns/openssleddsa_link.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/lib/dns/openssleddsa_link.c b/lib/dns/openssleddsa_link.c
index 0fddfd4517..1fc6edfea2 100644
--- a/lib/dns/openssleddsa_link.c
+++ b/lib/dns/openssleddsa_link.c
@@ -349,13 +349,20 @@ err:
 static bool
 openssleddsa_isprivate(const dst_key_t *key) {
 EVP_PKEY *pkey = key->keydata.pkey;
- size_t len;
+ unsigned char buf[DNS_KEY_ED448SIZE];
+ size_t len = sizeof(buf);
+
+ STATIC_ASSERT(sizeof(buf) >= DNS_KEY_ED448SIZE,
+ "increase size of 'buf'");
+ STATIC_ASSERT(sizeof(buf) >= DNS_KEY_ED25519SIZE,
+ "increase size of 'buf'");
 
 if (pkey == NULL) {
 return (false);
 }
 
- if (EVP_PKEY_get_raw_private_key(pkey, NULL, &len) == 1 && len > 0) {
+ /* Must have a buffer to actually check if there is a private key. */
+ if (EVP_PKEY_get_raw_private_key(pkey, buf, &len) == 1) {
 return (true);
 }
 /* can check if first error is EC_R_INVALID_PRIVATE_KEY */
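Review bot: The raw private key is now copied into the stack array `buf` on the success path and left there after `return (true)`, so key material outlives the call in stack memory that later frames can reuse. Wiping it before returning costs one extra line, e.g. `int r = EVP_PKEY_get_raw_private_key(pkey, buf, &len);` `OPENSSL_cleanse(buf, sizeof(buf));` `if (r == 1) {` in place of the new `if`. The first STATIC_ASSERT is tautological, since `buf` is declared with exactly `DNS_KEY_ED448SIZE` elements; only the second, against `DNS_KEY_ED25519SIZE`, guards anything, and a comment such as `/* buf must hold the larger of the two raw private-key sizes. */` would say more than the duplicated message. On the failure path the call presumably leaves an entry in the OpenSSL error queue that the code after the hunk consumes or clears, as the trailing comment hints; openssleddsa_isprivate's body continues outside the hunk.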