From c9c63b0180f658561f16afeb64e88d125d0ab4ca Mon Sep 17 00:00:00 2001
From: Jonas Maebe <jonas.maebe@elis.ugent.be>
Date: Mon, 2 Dec 2013 22:44:31 +0100
Subject: [PATCH] ASN1_verify, ASN1_item_verify: cleanse and free buf_in on
 error path

Signed-off-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
---
 crypto/asn1/a_verify.c | 26 ++++++++++++++++----------
 1 file changed, 16 insertions(+), 10 deletions(-)

diff --git a/crypto/asn1/a_verify.c b/crypto/asn1/a_verify.c
index 87e7ef4f5e..aacf4763b5 100644
--- a/crypto/asn1/a_verify.c
+++ b/crypto/asn1/a_verify.c
@@ -101,16 +101,20 @@ int ASN1_verify(i2d_of_void *i2d, X509_ALGOR *a, ASN1_BIT_STRING *signature,
 	p=buf_in;
 
 	i2d(data,&p);
-	if (!EVP_VerifyInit_ex(&ctx,type, NULL)
-		|| !EVP_VerifyUpdate(&ctx,(unsigned char *)buf_in,inl))
+	ret=
+		EVP_VerifyInit_ex(&ctx,type, NULL)
+		&& EVP_VerifyUpdate(&ctx,(unsigned char *)buf_in,inl);
+
+	OPENSSL_cleanse(buf_in,(unsigned int)inl);
+	OPENSSL_free(buf_in);
+
+	if (!ret)
 		{
 		ASN1err(ASN1_F_ASN1_VERIFY,ERR_R_EVP_LIB);
-		ret=0;
 		goto err;
 		}
+	ret = -1;
 
-	OPENSSL_cleanse(buf_in,(unsigned int)inl);
-	OPENSSL_free(buf_in);
 
 	if (EVP_VerifyFinal(&ctx,(unsigned char *)signature->data,
 			(unsigned int)signature->length,pkey) <= 0)
@@ -205,15 +209,17 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a,
 		goto err;
 		}
 
-	if (!EVP_DigestVerifyUpdate(&ctx,buf_in,inl))
+	ret = EVP_DigestVerifyUpdate(&ctx,buf_in,inl);
+
+	OPENSSL_cleanse(buf_in,(unsigned int)inl);
+	OPENSSL_free(buf_in);
+
+	if (!ret)
 		{
 		ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ERR_R_EVP_LIB);
-		ret=0;
 		goto err;
 		}
-
-	OPENSSL_cleanse(buf_in,(unsigned int)inl);
-	OPENSSL_free(buf_in);
+	ret = -1;
 
 	if (EVP_DigestVerifyFinal(&ctx,signature->data,
 			(size_t)signature->length) <= 0)
-- 
2.34.1