From 866700544190d5e3245e7a8248a04e1fe84d25a6 Mon Sep 17 00:00:00 2001
From: miod <>
Date: Sat, 5 Nov 2016 15:19:07 +0000
Subject: More X509_STORE_CTX_set_*() return value checks.

ok beck@ jsing@
---
 src/lib/libcrypto/pkcs7/pk7_doit.c   | 13 ++++++-------
 src/lib/libcrypto/pkcs7/pk7_smime.c  |  9 ++++++---
 src/lib/libcrypto/ts/ts_rsp_verify.c |  6 ++++--
 3 files changed, 16 insertions(+), 12 deletions(-)

diff --git a/src/lib/libcrypto/pkcs7/pk7_doit.c b/src/lib/libcrypto/pkcs7/pk7_doit.c
index 50e4fe39c1..bd873143c1 100644
--- a/src/lib/libcrypto/pkcs7/pk7_doit.c
+++ b/src/lib/libcrypto/pkcs7/pk7_doit.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pk7_doit.c,v 1.38 2015/09/30 18:41:06 jsing Exp $ */
+/* $OpenBSD: pk7_doit.c,v 1.39 2016/11/05 15:19:07 miod Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -811,11 +811,7 @@ PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
 
 			j = OBJ_obj2nid(si->digest_alg->algorithm);
 
-			btmp = bio;
-
-			btmp = PKCS7_find_digest(&mdc, btmp, j);
-
-			if (btmp == NULL)
+			if ((btmp = PKCS7_find_digest(&mdc, bio, j)) == NULL)
 				goto err;
 
 			/* We now have the EVP_MD_CTX, lets do the
@@ -997,7 +993,10 @@ PKCS7_dataVerify(X509_STORE *cert_store, X509_STORE_CTX *ctx, BIO *bio,
 		PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, ERR_R_X509_LIB);
 		goto err;
 	}
-	X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_SMIME_SIGN);
+	if (X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_SMIME_SIGN) == 0) {
+		X509_STORE_CTX_cleanup(ctx);
+		goto err;
+	}
 	i = X509_verify_cert(ctx);
 	if (i <= 0) {
 		PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, ERR_R_X509_LIB);
diff --git a/src/lib/libcrypto/pkcs7/pk7_smime.c b/src/lib/libcrypto/pkcs7/pk7_smime.c
index 1c00e5914a..a2f23b37f3 100644
--- a/src/lib/libcrypto/pkcs7/pk7_smime.c
+++ b/src/lib/libcrypto/pkcs7/pk7_smime.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pk7_smime.c,v 1.20 2015/02/07 14:21:41 doug Exp $ */
+/* $OpenBSD: pk7_smime.c,v 1.21 2016/11/05 15:19:07 miod Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -324,8 +324,11 @@ PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, BIO *indata,
 					sk_X509_free(signers);
 					return 0;
 				}
-				X509_STORE_CTX_set_default(&cert_ctx,
-				    "smime_sign");
+				if (X509_STORE_CTX_set_default(&cert_ctx,
+				    "smime_sign") == 0) {
+					sk_X509_free(signers);
+					return 0;
+				}
 			} else if (!X509_STORE_CTX_init(&cert_ctx, store,
 			    signer, NULL)) {
 				PKCS7err(PKCS7_F_PKCS7_VERIFY, ERR_R_X509_LIB);
diff --git a/src/lib/libcrypto/ts/ts_rsp_verify.c b/src/lib/libcrypto/ts/ts_rsp_verify.c
index 204c6a9df8..020658bb02 100644
--- a/src/lib/libcrypto/ts/ts_rsp_verify.c
+++ b/src/lib/libcrypto/ts/ts_rsp_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_rsp_verify.c,v 1.16 2015/07/19 18:25:59 miod Exp $ */
+/* $OpenBSD: ts_rsp_verify.c,v 1.17 2016/11/05 15:19:07 miod Exp $ */
 /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
  * project 2002.
  */
@@ -244,7 +244,9 @@ TS_verify_cert(X509_STORE *store, STACK_OF(X509) *untrusted, X509 *signer,
 		TSerr(TS_F_TS_VERIFY_CERT, ERR_R_X509_LIB);
 		goto err;
 	}
-	X509_STORE_CTX_set_purpose(&cert_ctx, X509_PURPOSE_TIMESTAMP_SIGN);
+	if (X509_STORE_CTX_set_purpose(&cert_ctx,
+	    X509_PURPOSE_TIMESTAMP_SIGN) == 0)
+		goto err;
 	i = X509_verify_cert(&cert_ctx);
 	if (i <= 0) {
 		int j = X509_STORE_CTX_get_error(&cert_ctx);
-- 
cgit v1.2.3-55-g6feb