Commit a21f77dbc9 for openssl.org
commit a21f77dbc99c242b73b5b420714a2cd36bee084a
Author: rootvector2 <dxbnaveed.k@gmail.com>
Date: Wed May 27 23:44:23 2026 +0530
crypto/evp: fix double free of tmp_keymgmt in sig/kem/asym init
Commit ecb4757b377f "crypto/evp/m_sigver.c: fix potential double free
on error path in do_sigver_init" has fixed double-free of tmp_keymgmt
in do_sigver_init() by setting it to NULL after EVP_KEYMGMT_free() call;
the same issue is present in evp_kem_init(), evp_pkey_asym_cipher_init(),
and evp_pkey_signature_init(). Address it similarly, by setting
the pointers to NULL after *_free() calls.
Complements: ecb4757b377f "crypto/evp/m_sigver.c: fix potential double free on error path in do_sigver_init"
Fixes: 839ffdd11cd4 "EVP: Allow a fallback for operations that work with an EVP_PKEY"
CLA: trivial
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Sun May 31 11:03:15 2026
(Merged from https://github.com/openssl/openssl/pull/31312)
diff --git a/crypto/evp/asymcipher.c b/crypto/evp/asymcipher.c
index bdcb8b59dc..e31e601c63 100644
--- a/crypto/evp/asymcipher.c
+++ b/crypto/evp/asymcipher.c
@@ -102,7 +102,9 @@ static int evp_pkey_asym_cipher_init(EVP_PKEY_CTX *ctx, int operation,
* iteration we're on.
*/
EVP_ASYM_CIPHER_free(cipher);
+ cipher = NULL;
EVP_KEYMGMT_free(tmp_keymgmt);
+ tmp_keymgmt = NULL;
switch (iter) {
case 1:
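Review bot: the `cipher = NULL;` added after `EVP_ASYM_CIPHER_free(cipher);` is not covered by the commit subject, which names only tmp_keymgmt. State in the message whether cipher could also reach a second free on the error path or whether this reset is purely defensive, so that anyone backporting the fix knows both assignments are required rather than just the `tmp_keymgmt = NULL;` one.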
diff --git a/crypto/evp/kem.c b/crypto/evp/kem.c
index 317db87b52..92db961892 100644
--- a/crypto/evp/kem.c
+++ b/crypto/evp/kem.c
@@ -97,7 +97,9 @@ static int evp_kem_init(EVP_PKEY_CTX *ctx, int operation,
* iteration we're on.
*/
EVP_KEM_free(kem);
+ kem = NULL;
EVP_KEYMGMT_free(tmp_keymgmt);
+ tmp_keymgmt = NULL;
switch (iter) {
case 1:
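Review bot: the two resets after `EVP_KEM_free(kem);` and `EVP_KEYMGMT_free(tmp_keymgmt);` carry no comment, and the existing comment above them only talks about which iteration we are on. A one-line comment saying that the pointers are cleared because a later exit path frees them again would keep a future cleanup from dropping the assignments as redundant. The patch as shown also touches three source files and no test, so nothing exercises the error path that triggered the double free.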
diff --git a/crypto/evp/signature.c b/crypto/evp/signature.c
index 51a5f0c4df..3737bc6ba4 100644
--- a/crypto/evp/signature.c
+++ b/crypto/evp/signature.c
@@ -736,7 +736,9 @@ static int evp_pkey_signature_init(EVP_PKEY_CTX *ctx, EVP_SIGNATURE *signature,
* iteration we're on.
*/
EVP_SIGNATURE_free(signature);
+ signature = NULL;
EVP_KEYMGMT_free(tmp_keymgmt);
+ tmp_keymgmt = NULL;
switch (iter) {
case 1:
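Review bot: `signature` is a parameter of evp_pkey_signature_init() according to the hunk header, so `EVP_SIGNATURE_free(signature);` followed by `signature = NULL;` only clears the function's local copy. Please confirm that this loop body is reached only when the signature was fetched inside the function. If a caller-supplied signature can arrive here, the caller still holds a pointer to an object whose reference was just dropped, and the NULL assignment does nothing for that case.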