From 24e0ccbe05a7fdbbbd23d395dfd276b28272d851 Mon Sep 17 00:00:00 2001
From: joshua <joshua@openbsd.org>
Date: Sun, 28 Jan 2024 14:43:48 +0000
Subject: [PATCH] Clean up EVP_MD_CTX_{init,cleanup}() usage in
 ASN1_item_verify()

ok tb@
---
 lib/libcrypto/asn1/asn1_item.c | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/lib/libcrypto/asn1/asn1_item.c b/lib/libcrypto/asn1/asn1_item.c
index 18da77433e9..99a08698c8d 100644
--- a/lib/libcrypto/asn1/asn1_item.c
+++ b/lib/libcrypto/asn1/asn1_item.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: asn1_item.c,v 1.19 2024/01/13 13:59:18 joshua Exp $ */
+/* $OpenBSD: asn1_item.c,v 1.20 2024/01/28 14:43:48 joshua Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -381,7 +381,7 @@ int
 ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a,
     ASN1_BIT_STRING *signature, void *asn, EVP_PKEY *pkey)
 {
-	EVP_MD_CTX ctx;
+	EVP_MD_CTX *md_ctx = NULL;
 	unsigned char *in = NULL;
 	int mdnid, pknid;
 	int in_len = 0;
@@ -389,15 +389,16 @@ ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a,
 
 	if (pkey == NULL) {
 		ASN1error(ERR_R_PASSED_NULL_PARAMETER);
-		return -1;
+		goto err;
 	}
 
 	if (signature->type == V_ASN1_BIT_STRING && signature->flags & 0x7) {
 		ASN1error(ASN1_R_INVALID_BIT_STRING_BITS_LEFT);
-		return -1;
+		goto err;
 	}
 
-	EVP_MD_CTX_init(&ctx);
+	if ((md_ctx = EVP_MD_CTX_new()) == NULL)
+		goto err;
 
 	/* Convert signature OID into digest and public key OIDs */
 	if (!OBJ_find_sigid_algs(OBJ_obj2nid(a->algorithm), &mdnid, &pknid)) {
@@ -409,7 +410,7 @@ ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a,
 			ASN1error(ASN1_R_UNKNOWN_SIGNATURE_ALGORITHM);
 			goto err;
 		}
-		ret = pkey->ameth->item_verify(&ctx, it, asn, a,
+		ret = pkey->ameth->item_verify(md_ctx, it, asn, a,
 		    signature, pkey);
 		/* Return value of 2 means carry on, anything else means we
 		 * exit straight away: either a fatal error of the underlying
@@ -432,7 +433,7 @@ ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a,
 			goto err;
 		}
 
-		if (!EVP_DigestVerifyInit(&ctx, NULL, type, NULL, pkey)) {
+		if (!EVP_DigestVerifyInit(md_ctx, NULL, type, NULL, pkey)) {
 			ASN1error(ERR_R_EVP_LIB);
 			ret = 0;
 			goto err;
@@ -446,7 +447,7 @@ ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a,
 		goto err;
 	}
 
-	if (EVP_DigestVerify(&ctx, signature->data, signature->length,
+	if (EVP_DigestVerify(md_ctx, signature->data, signature->length,
 	    in, in_len) <= 0) {
 		ASN1error(ERR_R_EVP_LIB);
 		ret = 0;
@@ -456,7 +457,7 @@ ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a,
 	ret = 1;
 
  err:
-	EVP_MD_CTX_cleanup(&ctx);
+	EVP_MD_CTX_free(md_ctx);
 	freezero(in, in_len);
 
 	return ret;
-- 
2.20.1