From bee6e76cd9d03327ee25bd59b539d7ca2ed3da98 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Fri, 7 Jun 2024 15:33:04 +0100
Subject: [PATCH] ITS#10224 libldap: check for OpenSSL EVP_Digest* failure

---
 libraries/libldap/tls_o.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
index c93579fd86..e7afeaa938 100644
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -1170,15 +1170,19 @@ tlso_session_pinning( LDAP *ld, tls_session *sess, char *hashalg, struct berval
 			goto done;
 		}
 
-		EVP_DigestInit_ex( mdctx, md, NULL );
-		EVP_DigestUpdate( mdctx, key.bv_val, key.bv_len );
-		EVP_DigestFinal_ex( mdctx, (unsigned char *)keyhash.bv_val, &len );
-		keyhash.bv_len = len;
+		if ( EVP_DigestInit_ex( mdctx, md, NULL ) &&
+			EVP_DigestUpdate( mdctx, key.bv_val, key.bv_len ) &&
+			EVP_DigestFinal_ex( mdctx, (unsigned char *)keyhash.bv_val, &len ))
+			keyhash.bv_len = len;
+		else
+			rc = -1;
 #if OPENSSL_VERSION_NUMBER >= 0x10100000
 		EVP_MD_CTX_free( mdctx );
 #else
 		EVP_MD_CTX_destroy( mdctx );
 #endif
+		if ( rc )
+			goto done;
 	} else {
 		keyhash = key;
 	}
-- 
2.47.2