3 files changed, 16 insertions, 12 deletions

diff --git a/src/lib/libcrypto/pkcs7/pk7_doit.c b/src/lib/libcrypto/pkcs7/pk7_doit.c
index 50e4fe39c1..bd873143c1 100644
--- a/src/lib/libcrypto/pkcs7/pk7_doit.c
+++ b/src/lib/libcrypto/pkcs7/pk7_doit.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pk7_doit.c,v 1.38 2015/09/30 18:41:06 jsing Exp $ */
+/* $OpenBSD: pk7_doit.c,v 1.39 2016/11/05 15:19:07 miod Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -811,11 +811,7 @@ PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
 
                         j = OBJ_obj2nid(si->digest_alg->algorithm);
 
-                        btmp = bio;
-
-                        btmp = PKCS7_find_digest(&mdc, btmp, j);
-
-                        if (btmp == NULL)
+                        if ((btmp = PKCS7_find_digest(&mdc, bio, j)) == NULL)
                                 goto err;
 
                         /* We now have the EVP_MD_CTX, lets do the
@@ -997,7 +993,10 @@ PKCS7_dataVerify(X509_STORE *cert_store, X509_STORE_CTX *ctx, BIO *bio,
                 PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, ERR_R_X509_LIB);
                 goto err;
         }
-        X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_SMIME_SIGN);
+        if (X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_SMIME_SIGN) == 0) {
+                X509_STORE_CTX_cleanup(ctx);
+                goto err;
+        }
         i = X509_verify_cert(ctx);
         if (i <= 0) {
                 PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, ERR_R_X509_LIB);
diff --git a/src/lib/libcrypto/pkcs7/pk7_smime.c b/src/lib/libcrypto/pkcs7/pk7_smime.c
index 1c00e5914a..a2f23b37f3 100644
--- a/src/lib/libcrypto/pkcs7/pk7_smime.c
+++ b/src/lib/libcrypto/pkcs7/pk7_smime.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pk7_smime.c,v 1.20 2015/02/07 14:21:41 doug Exp $ */
+/* $OpenBSD: pk7_smime.c,v 1.21 2016/11/05 15:19:07 miod Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -324,8 +324,11 @@ PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, BIO *indata,
                                         sk_X509_free(signers);
                                         return 0;
                                 }
-                                X509_STORE_CTX_set_default(&cert_ctx,
-                                    "smime_sign");
+                                if (X509_STORE_CTX_set_default(&cert_ctx,
+                                    "smime_sign") == 0) {
+                                        sk_X509_free(signers);
+                                        return 0;
+                                }
                         } else if (!X509_STORE_CTX_init(&cert_ctx, store,
                             signer, NULL)) {
                                 PKCS7err(PKCS7_F_PKCS7_VERIFY, ERR_R_X509_LIB);
diff --git a/src/lib/libcrypto/ts/ts_rsp_verify.c b/src/lib/libcrypto/ts/ts_rsp_verify.c
index 204c6a9df8..020658bb02 100644
--- a/src/lib/libcrypto/ts/ts_rsp_verify.c
+++ b/src/lib/libcrypto/ts/ts_rsp_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_rsp_verify.c,v 1.16 2015/07/19 18:25:59 miod Exp $ */
+/* $OpenBSD: ts_rsp_verify.c,v 1.17 2016/11/05 15:19:07 miod Exp $ */
 /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
  * project 2002.
  */
@@ -244,7 +244,9 @@ TS_verify_cert(X509_STORE *store, STACK_OF(X509) *untrusted, X509 *signer,
                 TSerr(TS_F_TS_VERIFY_CERT, ERR_R_X509_LIB);
                 goto err;
         }
-        X509_STORE_CTX_set_purpose(&cert_ctx, X509_PURPOSE_TIMESTAMP_SIGN);
+        if (X509_STORE_CTX_set_purpose(&cert_ctx,
+            X509_PURPOSE_TIMESTAMP_SIGN) == 0)
+                goto err;
         i = X509_verify_cert(&cert_ctx);
         if (i <= 0) {
                 int j = X509_STORE_CTX_get_error(&cert_ctx);