From 429608a9d95cdd4ac14a2f5e100f71ce1316c895 Mon Sep 17 00:00:00 2001
From: Toddr Bot <toddbot@rinaldo.us>
Date: Mon, 23 Mar 2026 21:53:23 +0000
Subject: [PATCH] fix: resource leaks in _new_key_from_parameters() init on 3.x

On OpenSSL 3.x, the early CHECK_OPEN_SSL() calls for pctx, params_build,
and push_BN operations would croak immediately on failure, bypassing the
err: cleanup label. This leaked pctx, params_build, and the input
BIGNUMs (n, e, d, p, q).

Convert to THROW()/goto err which routes through the existing cleanup
code. Also initialize `error` to 0 at declaration (was uninitialized
before the if(p||q) block).

Additionally adds t/pss_auto_promote.t to MANIFEST (missing since #133).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 MANIFEST |  1 +
 RSA.xs   | 12 ++++++------
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/MANIFEST b/MANIFEST
index 21511c3..e7351c6 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -17,6 +17,7 @@ t/format.t
 t/key_lifecycle.t
 t/padding.t
 t/private_crypt.t
+t/pss_auto_promote.t
 t/rsa.t
 t/sig_die.t
 t/sign_verify.t
diff --git a/RSA.xs b/RSA.xs
index 11b555e..7e1ddc6 100644
--- a/RSA.xs
+++ b/RSA.xs
@@ -614,7 +614,7 @@ _new_key_from_parameters(proto, n, e, d, p, q)
     BIGNUM* dmp1 = NULL;
     BIGNUM* dmq1 = NULL;
     BIGNUM* iqmp = NULL;
-    int error;
+    int error = 0;
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
     OSSL_PARAM *params = NULL;
     EVP_PKEY_CTX *pctx = NULL;
@@ -628,10 +628,10 @@ _new_key_from_parameters(proto, n, e, d, p, q)
     }
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
     pctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL);
-    CHECK_OPEN_SSL(pctx != NULL);
-    CHECK_OPEN_SSL(EVP_PKEY_fromdata_init(pctx) > 0);
+    THROW(pctx != NULL);
+    THROW(EVP_PKEY_fromdata_init(pctx) > 0);
     params_build = OSSL_PARAM_BLD_new();
-    CHECK_OPEN_SSL(params_build)
+    THROW(params_build);
 #else
     CHECK_OPEN_SSL(rsa = RSA_new());
 #endif
@@ -640,8 +640,8 @@ _new_key_from_parameters(proto, n, e, d, p, q)
     rsa->e = e;
 #endif
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
-    CHECK_OPEN_SSL(OSSL_PARAM_BLD_push_BN(params_build, OSSL_PKEY_PARAM_RSA_N, n));
-    CHECK_OPEN_SSL(OSSL_PARAM_BLD_push_BN(params_build, OSSL_PKEY_PARAM_RSA_E, e));
+    THROW(OSSL_PARAM_BLD_push_BN(params_build, OSSL_PKEY_PARAM_RSA_N, n));
+    THROW(OSSL_PARAM_BLD_push_BN(params_build, OSSL_PKEY_PARAM_RSA_E, e));
 #endif
     if (p || q)
     {