Avoid leak in error path of PKCS5_PBE_keyivgen

[openssl.git] / crypto / evp / p5_crpt.c

diff --git a/crypto/evp/p5_crpt.c b/crypto/evp/p5_crpt.c
index 0f5158e4d69dcee77ef5aadf3b415f8e76b97050..6218c17ce23c6fe77916c77b101a1b3236d1a21f 100644 (file)
--- a/crypto/evp/p5_crpt.c
+++ b/crypto/evp/p5_crpt.c
@@ -51,22 +51,24 @@ int PKCS5_PBE_keyivgen(EVP_CIPHER_CTX *cctx, const char *pass, int passlen,
     ivl = EVP_CIPHER_iv_length(cipher);
     if (ivl < 0 || ivl > 16) {
         EVPerr(EVP_F_PKCS5_PBE_KEYIVGEN, EVP_R_INVALID_IV_LENGTH);
+        PBEPARAM_free(pbe);
         return 0;
     }
     kl = EVP_CIPHER_key_length(cipher);
     if (kl < 0 || kl > (int)sizeof(md_tmp)) {
         EVPerr(EVP_F_PKCS5_PBE_KEYIVGEN, EVP_R_INVALID_KEY_LENGTH);
+        PBEPARAM_free(pbe);
         return 0;
     }
 
-    if (!pbe->iter)
+    if (pbe->iter == NULL)
         iter = 1;
     else
         iter = ASN1_INTEGER_get(pbe->iter);
     salt = pbe->salt->data;
     saltlen = pbe->salt->length;
 
-    if (!pass)
+    if (pass == NULL)
         passlen = 0;
     else if (passlen == -1)
         passlen = strlen(pass);
@@ -84,6 +86,7 @@ int PKCS5_PBE_keyivgen(EVP_CIPHER_CTX *cctx, const char *pass, int passlen,
     if (!EVP_DigestUpdate(ctx, salt, saltlen))
         goto err;
     PBEPARAM_free(pbe);
+    pbe = NULL;
     if (!EVP_DigestFinal_ex(ctx, md_tmp, NULL))
         goto err;
     mdsize = EVP_MD_size(md);
@@ -106,6 +109,7 @@ int PKCS5_PBE_keyivgen(EVP_CIPHER_CTX *cctx, const char *pass, int passlen,
     OPENSSL_cleanse(iv, EVP_MAX_IV_LENGTH);
     rv = 1;
  err:
+    PBEPARAM_free(pbe);
     EVP_MD_CTX_free(ctx);
     return rv;
 }