Commit c729de6ec3 for openssl.org

commit c729de6ec370fd8d71aa525749662ccb192428f6
Author: Zijie Zhao <zijie4@illinois.edu>
Date:   Thu Jan 15 15:04:49 2026 -0600

    Fix `EVP_KEYMGMT` leak in `evp_pkey_signature_init()` error paths

    Early returns when signature/key type are incompatible bypass cleanup
    of `tmp_keymgmt` allocated via `evp_keymgmt_fetch_from_prov()`. Use goto
    to ensure `EVP_KEYMGMT_free()` is called on all error paths.

    Reviewed-by: Paul Dale <paul.dale@oracle.com>
    Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
    Reviewed-by: Tomas Mraz <tomas@openssl.org>
    MergeDate: Tue Jan 20 19:01:17 2026
    (Merged from https://github.com/openssl/openssl/pull/29651)

diff --git a/crypto/evp/signature.c b/crypto/evp/signature.c
index d742106a8a..6314dc6dfa 100644
--- a/crypto/evp/signature.c
+++ b/crypto/evp/signature.c
@@ -641,7 +641,8 @@ static int evp_pkey_signature_init(EVP_PKEY_CTX *ctx, EVP_SIGNATURE *signature,
                     break;
             if (*keytypes == NULL) {
                 ERR_raise(ERR_LIB_EVP, EVP_R_SIGNATURE_TYPE_AND_KEY_TYPE_INCOMPATIBLE);
-                return -2;
+                ret = -2;
+                goto end;
             }
         } else {
             /*
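Review bot: The `ret = -2; goto end;` exit at the `*keytypes == NULL` check leaves through `end`, while the `EVP_SIGNATURE_up_ref()` failure in the second hunk leaves through `err`, and nothing in the code says why the two failures use different exits. Both labels and the rest of `evp_pkey_signature_init()` are outside the hunk, so it cannot be confirmed from here that `end` does nothing that treats a negative `ret` as success, or that skipping whatever `err` does to `ctx` is intended (it does match the old `return -2`). A short comment at the jump would record the intent, for example `/* incompatible types: only release tmp_keymgmt, no ctx teardown */`, if that is in fact what `end` does. The same applies to the `!ok` path in the second hunk. Because an incompatible signature/key pairing can be triggered repeatedly by a caller, a regression test that runs this path under a leak checker would keep the fix from silently regressing.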
@@ -667,12 +668,13 @@ static int evp_pkey_signature_init(EVP_PKEY_CTX *ctx, EVP_SIGNATURE *signature,
             /* If none of the fallbacks helped, we're lost */
             if (!ok) {
                 ERR_raise(ERR_LIB_EVP, EVP_R_SIGNATURE_TYPE_AND_KEY_TYPE_INCOMPATIBLE);
-                return -2;
+                ret = -2;
+                goto end;
             }
         }

         if (!EVP_SIGNATURE_up_ref(signature))
-            return 0;
+            goto err;
     } else {
         /* Without a pre-fetched signature, it must be figured out somehow */
         ERR_set_mark();
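Review bot: The `goto err` after a failed `EVP_SIGNATURE_up_ref(signature)` no longer states its return value: the removed line returned 0 explicitly, while the new one returns whatever `ret` holds when `err` is reached. The declaration of `ret` and the `err` label are outside the hunk, so this is only equivalent if `ret` is still 0 at this point. The two -2 paths in this commit assign `ret` immediately before jumping; doing the same here, with `ret = 0;` before `goto err;` and braces on the `if`, would keep the failure value local and robust against later edits that set `ret` earlier in the function.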