From: Zijie Zhao <zijie4@illinois.edu>
Date: Thu, 15 Jan 2026 21:04:49 +0000 (-0600)
Subject: Fix `EVP_KEYMGMT` leak in `evp_pkey_signature_init()` error paths
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c729de6ec370fd8d71aa525749662ccb192428f6;p=thirdparty%2Fopenssl.git

Fix `EVP_KEYMGMT` leak in `evp_pkey_signature_init()` error paths

Early returns when signature/key type are incompatible bypass cleanup
of `tmp_keymgmt` allocated via `evp_keymgmt_fetch_from_prov()`. Use goto
to ensure `EVP_KEYMGMT_free()` is called on all error paths.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Tue Jan 20 19:01:17 2026
(Merged from https://github.com/openssl/openssl/pull/29651)
---

diff --git a/crypto/evp/signature.c b/crypto/evp/signature.c
index d742106a8a..6314dc6dfa 100644
--- a/crypto/evp/signature.c
+++ b/crypto/evp/signature.c
@@ -641,7 +641,8 @@ static int evp_pkey_signature_init(EVP_PKEY_CTX *ctx, EVP_SIGNATURE *signature,
                     break;
             if (*keytypes == NULL) {
                 ERR_raise(ERR_LIB_EVP, EVP_R_SIGNATURE_TYPE_AND_KEY_TYPE_INCOMPATIBLE);
-                return -2;
+                ret = -2;
+                goto end;
             }
         } else {
             /*
@@ -667,12 +668,13 @@ static int evp_pkey_signature_init(EVP_PKEY_CTX *ctx, EVP_SIGNATURE *signature,
             /* If none of the fallbacks helped, we're lost */
             if (!ok) {
                 ERR_raise(ERR_LIB_EVP, EVP_R_SIGNATURE_TYPE_AND_KEY_TYPE_INCOMPATIBLE);
-                return -2;
+                ret = -2;
+                goto end;
             }
         }
 
         if (!EVP_SIGNATURE_up_ref(signature))
-            return 0;
+            goto err;
     } else {
         /* Without a pre-fetched signature, it must be figured out somehow */
         ERR_set_mark();