Now that it is safe to invoke X509_STORE_CTX_cleanup() if X509_STORE_CTX_init()

fails, check its return value and correctly mop up after ourselves.
ok beck@ doug@

1 files changed, 11 insertions, 5 deletions

diff --git a/src/lib/libcrypto/ts/ts_rsp_verify.c b/src/lib/libcrypto/ts/ts_rsp_verify.c
index 25aa31ee4d..797877011c 100644
--- a/src/lib/libcrypto/ts/ts_rsp_verify.c
+++ b/src/lib/libcrypto/ts/ts_rsp_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_rsp_verify.c,v 1.14 2015/07/19 02:43:24 miod Exp $ */
+/* $OpenBSD: ts_rsp_verify.c,v 1.15 2015/07/19 05:42:55 miod Exp $ */
 /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
  * project 2002.
  */
@@ -234,26 +234,32 @@ static int
 TS_verify_cert(X509_STORE *store, STACK_OF(X509) *untrusted, X509 *signer,
     STACK_OF(X509) **chain)
 {
-        X509_STORE_CTX  cert_ctx;
+        X509_STORE_CTX cert_ctx;
         int i;
-        int ret = 1;
+        int ret = 0;
 
         /* chain is an out argument. */
         *chain = NULL;
-        X509_STORE_CTX_init(&cert_ctx, store, signer, untrusted);
+        if (X509_STORE_CTX_init(&cert_ctx, store, signer, untrusted) == 0) {
+                TSerr(TS_F_TS_VERIFY_CERT, ERR_R_X509_LIB);
+                goto err;
+        }
         X509_STORE_CTX_set_purpose(&cert_ctx, X509_PURPOSE_TIMESTAMP_SIGN);
         i = X509_verify_cert(&cert_ctx);
         if (i <= 0) {
                 int j = X509_STORE_CTX_get_error(&cert_ctx);
+
                 TSerr(TS_F_TS_VERIFY_CERT, TS_R_CERTIFICATE_VERIFY_ERROR);
                 ERR_asprintf_error_data("Verify error:%s",
                     X509_verify_cert_error_string(j));
-                ret = 0;
+                goto err;
         } else {
                 /* Get a copy of the certificate chain. */
                 *chain = X509_STORE_CTX_get1_chain(&cert_ctx);
+                ret = 1;
         }
 
+err:
         X509_STORE_CTX_cleanup(&cert_ctx);
 
         return ret;