From c9c63b0180f658561f16afeb64e88d125d0ab4ca Mon Sep 17 00:00:00 2001
From: Jonas Maebe <jonas.maebe@elis.ugent.be>
Date: Mon, 2 Dec 2013 22:44:31 +0100
Subject: [PATCH] ASN1_verify, ASN1_item_verify: cleanse and free buf_in on
 error path

Signed-off-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
---
 crypto/asn1/a_verify.c | 32 +++++++++++++++++++-------------
 1 file changed, 19 insertions(+), 13 deletions(-)

diff --git a/crypto/asn1/a_verify.c b/crypto/asn1/a_verify.c
index 87e7ef4f5..aacf4763b 100644
--- a/crypto/asn1/a_verify.c
+++ b/crypto/asn1/a_verify.c
@@ -101,17 +101,21 @@ int ASN1_verify(i2d_of_void *i2d, X509_ALGOR *a, ASN1_BIT_STRING *signature,
 	p=buf_in;
 
 	i2d(data,&p);
-	if (!EVP_VerifyInit_ex(&ctx,type, NULL)
-		|| !EVP_VerifyUpdate(&ctx,(unsigned char *)buf_in,inl))
-		{
-		ASN1err(ASN1_F_ASN1_VERIFY,ERR_R_EVP_LIB);
-		ret=0;
-		goto err;
-		}
+	ret=
+		EVP_VerifyInit_ex(&ctx,type, NULL)
+		&& EVP_VerifyUpdate(&ctx,(unsigned char *)buf_in,inl);
 
 	OPENSSL_cleanse(buf_in,(unsigned int)inl);
 	OPENSSL_free(buf_in);
 
+	if (!ret)
+		{
+		ASN1err(ASN1_F_ASN1_VERIFY,ERR_R_EVP_LIB);
+		goto err;
+		}
+	ret = -1;
+
+
 	if (EVP_VerifyFinal(&ctx,(unsigned char *)signature->data,
 			(unsigned int)signature->length,pkey) <= 0)
 		{
@@ -205,16 +209,18 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a,
 		goto err;
 		}
 
-	if (!EVP_DigestVerifyUpdate(&ctx,buf_in,inl))
-		{
-		ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ERR_R_EVP_LIB);
-		ret=0;
-		goto err;
-		}
+	ret = EVP_DigestVerifyUpdate(&ctx,buf_in,inl);
 
 	OPENSSL_cleanse(buf_in,(unsigned int)inl);
 	OPENSSL_free(buf_in);
 
+	if (!ret)
+		{
+		ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ERR_R_EVP_LIB);
+		goto err;
+		}
+	ret = -1;
+
 	if (EVP_DigestVerifyFinal(&ctx,signature->data,
 			(size_t)signature->length) <= 0)
 		{