Hi, I found that EVP_PKEY_get0_DH(EVP_PKEY *pkey) may return a NULL value.
While in ssl/statem_srvr.c, in both the 1.1.1 and 1.1.0 versions of OpenSSL, the functions tls_construct_server_key_exchange and tls_process_cke_dhe seem to call EVP_PKEY_get0_DH without checking the returned value, and then pass the returned value directly into other function calls.
Take tls_construct_server_key_exchange for example:
int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
{
    ......
    s->s3->tmp.pkey = ssl_generate_pkey(pkdhp);
    if (s->s3->tmp.pkey == NULL) {
        /* SSLfatal() already called */
        goto err;
    }
    dh = EVP_PKEY_get0_DH(s->s3->tmp.pkey); // here dh may need a check on the NULL situation
    ......
    DH_get0_pqg(dh, &r[0], NULL, &r[1]);
    ......
}
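The following is an added example, not OpenSSL code and not part of the report above. It models the contract the report relies on (a get0-style accessor that hands back a borrowed pointer, or NULL when the key is of the wrong type) with small constructed types; pkey_t, dh_params_t, pkey_get0_dh and dh_get0_pqg are hypothetical stand-ins for EVP_PKEY, DH, EVP_PKEY_get0_DH and DH_get0_pqg. It puts the unchecked call pattern from the report next to a checked version, so the difference in behaviour on a non-DH key can be exercised without crashing a real TLS server.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of a type-tagged key object, NOT OpenSSL's EVP_PKEY.
 * It exists only to show why a get0-style accessor can return NULL and
 * why the caller must check before handing the result to another call. */
typedef enum { KEY_RSA = 1, KEY_DH = 2 } key_type_t;

typedef struct { unsigned long p, g, q; } dh_params_t;   /* stand-in for DH  */
typedef struct { unsigned long n, e; }    rsa_params_t;  /* stand-in for RSA */

typedef struct {
    key_type_t type;
    union { dh_params_t dh; rsa_params_t rsa; } u;
} pkey_t;

/* Mirrors the contract of EVP_PKEY_get0_DH(): a borrowed pointer on success,
 * NULL when the key is not a DH key. */
static const dh_params_t *pkey_get0_dh(const pkey_t *pkey)
{
    if (pkey == NULL || pkey->type != KEY_DH)
        return NULL;
    return &pkey->u.dh;
}

/* Mirrors DH_get0_pqg(): dereferences dh without its own NULL check, so
 * passing NULL here is undefined behaviour. */
static void dh_get0_pqg(const dh_params_t *dh, const unsigned long **p,
                        const unsigned long **q, const unsigned long **g)
{
    if (p != NULL) *p = &dh->p;
    if (q != NULL) *q = &dh->q;
    if (g != NULL) *g = &dh->g;
}

/* Shape of the unchecked code in the report: dh flows straight into the
 * next accessor. With an RSA key this dereferences NULL. */
int serialize_dh_unchecked(const pkey_t *pkey, unsigned long out[2])
{
    const dh_params_t *dh = pkey_get0_dh(pkey);
    const unsigned long *p, *g;
    dh_get0_pqg(dh, &p, NULL, &g);   /* crashes when dh == NULL */
    out[0] = *p;
    out[1] = *g;
    return 0;
}

/* Hardened form: test the borrowed pointer and fail closed, the same
 * treatment the surrounding OpenSSL code already gives pkey itself. */
int serialize_dh_checked(const pkey_t *pkey, unsigned long out[2])
{
    const dh_params_t *dh = pkey_get0_dh(pkey);
    const unsigned long *p, *g;
    if (dh == NULL) {
        /* In the real code this is where SSLfatal(...) and goto err belong. */
        return -1;
    }
    dh_get0_pqg(dh, &p, NULL, &g);
    out[0] = *p;
    out[1] = *g;
    return 0;
}

int main(void)
{
    /* Constructed sample keys; the numbers are toy values, not real parameters. */
    pkey_t dh_key  = { KEY_DH,  { .dh  = { 23, 5, 11 } } };
    pkey_t rsa_key = { KEY_RSA, { .rsa = { 3233, 17 } } };
    unsigned long out[2];
    int rc;

    rc = serialize_dh_checked(&dh_key, out);
    printf("dh key:  rc=%d p=%lu g=%lu\n", rc, out[0], out[1]);
    rc = serialize_dh_checked(&rsa_key, out);
    printf("rsa key: rc=%d (rejected instead of dereferencing NULL)\n", rc);
    /* serialize_dh_unchecked(&rsa_key, out) would crash at this point. */
    return 0;
}
```

The check costs one comparison and keeps the error path identical to the one used for ssl_generate_pkey failing a few lines earlier, which is why a fix in tls_construct_server_key_exchange or tls_process_cke_dhe would naturally reuse the existing SSLfatal/goto err pattern rather than introduce a new one.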