From 0618b62ca2a9c5fb7bf8421deabaee240c709040 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Wed, 12 Feb 2020 11:55:30 +0000
Subject: [PATCH] Fix a mem leak in libssl

Make sure we free up any ENGINE references after we have finished using
them.

Fixes #11064

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11070)
---
 ssl/ssl_lib.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 08fcd83ea7..23101954ec 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -5849,12 +5849,17 @@ const EVP_CIPHER *ssl_evp_cipher_fetch(OPENSSL_CTX *libctx,
                                        const char *properties)
 {
 #ifndef OPENSSL_NO_ENGINE
+    ENGINE *eng;
+
     /*
      * If there is an Engine available for this cipher we use the "implicit"
      * form to ensure we use that engine later.
      */
-    if (ENGINE_get_cipher_engine(nid) != NULL)
+    eng = ENGINE_get_cipher_engine(nid);
+    if (eng != NULL) {
+        ENGINE_finish(eng);
         return EVP_get_cipherbynid(nid);
+    }
 #endif
 
     /* Otherwise we do an explicit fetch */
@@ -5894,12 +5899,17 @@ const EVP_MD *ssl_evp_md_fetch(OPENSSL_CTX *libctx,
                                const char *properties)
 {
 #ifndef OPENSSL_NO_ENGINE
+    ENGINE *eng;
+
     /*
      * If there is an Engine available for this digest we use the "implicit"
      * form to ensure we use that engine later.
      */
-    if (ENGINE_get_digest_engine(nid) != NULL)
+    eng = ENGINE_get_digest_engine(nid);
+    if (eng != NULL) {
+        ENGINE_finish(eng);
         return EVP_get_digestbynid(nid);
+    }
 #endif
 
     /* Otherwise we do an explicit fetch */
-- 
2.34.1