ASN1_verify, ASN1_item_verify: cleanse and free buf_in on error path

Signed-off-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

diff --git a/crypto/asn1/a_verify.c b/crypto/asn1/a_verify.c
index 87e7ef4f5ec0f83368299e8c221b9b395ef46512..aacf4763b585c267dc5762f0c57742f3dba06eec 100644 (file)
--- a/crypto/asn1/a_verify.c
+++ b/crypto/asn1/a_verify.c
@@ -101,16 +101,20 @@ int ASN1_verify(i2d_of_void *i2d, X509_ALGOR *a, ASN1_BIT_STRING *signature,
        p=buf_in;
 
        i2d(data,&p);
-       if (!EVP_VerifyInit_ex(&ctx,type, NULL)
-               || !EVP_VerifyUpdate(&ctx,(unsigned char *)buf_in,inl))
+       ret=
+               EVP_VerifyInit_ex(&ctx,type, NULL)
+               && EVP_VerifyUpdate(&ctx,(unsigned char *)buf_in,inl);
+
+       OPENSSL_cleanse(buf_in,(unsigned int)inl);
+       OPENSSL_free(buf_in);
+
+       if (!ret)
                {
                ASN1err(ASN1_F_ASN1_VERIFY,ERR_R_EVP_LIB);
-               ret=0;
                goto err;
                }
+       ret = -1;
 
-       OPENSSL_cleanse(buf_in,(unsigned int)inl);
-       OPENSSL_free(buf_in);
 
        if (EVP_VerifyFinal(&ctx,(unsigned char *)signature->data,
                        (unsigned int)signature->length,pkey) <= 0)
@@ -205,15 +209,17 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a,
                goto err;
                }
 
-       if (!EVP_DigestVerifyUpdate(&ctx,buf_in,inl))
+       ret = EVP_DigestVerifyUpdate(&ctx,buf_in,inl);
+
+       OPENSSL_cleanse(buf_in,(unsigned int)inl);
+       OPENSSL_free(buf_in);
+
+       if (!ret)
                {
                ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ERR_R_EVP_LIB);
-               ret=0;
                goto err;
                }
-
-       OPENSSL_cleanse(buf_in,(unsigned int)inl);
-       OPENSSL_free(buf_in);
+       ret = -1;
 
        if (EVP_DigestVerifyFinal(&ctx,signature->data,
                        (size_t)signature->length) <= 0)