From e2fdff6ec8caaf7f2ab38d837f605b9724bc5279 Mon Sep 17 00:00:00 2001
From: miod <>
Date: Sun, 19 Jul 2015 05:42:55 +0000
Subject: Now that it is safe to invoke X509_STORE_CTX_cleanup() if
 X509_STORE_CTX_init() fails, check its return value and correctly mop up
 after ourselves. ok beck@ doug@

---
 src/lib/libcrypto/ts/ts_rsp_verify.c | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

(limited to 'src/lib/libcrypto/ts/ts_rsp_verify.c')

diff --git a/src/lib/libcrypto/ts/ts_rsp_verify.c b/src/lib/libcrypto/ts/ts_rsp_verify.c
index 25aa31ee4d..797877011c 100644
--- a/src/lib/libcrypto/ts/ts_rsp_verify.c
+++ b/src/lib/libcrypto/ts/ts_rsp_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_rsp_verify.c,v 1.14 2015/07/19 02:43:24 miod Exp $ */
+/* $OpenBSD: ts_rsp_verify.c,v 1.15 2015/07/19 05:42:55 miod Exp $ */
 /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
  * project 2002.
  */
@@ -234,26 +234,32 @@ static int
 TS_verify_cert(X509_STORE *store, STACK_OF(X509) *untrusted, X509 *signer,
     STACK_OF(X509) **chain)
 {
-	X509_STORE_CTX	cert_ctx;
+	X509_STORE_CTX cert_ctx;
 	int i;
-	int ret = 1;
+	int ret = 0;
 
 	/* chain is an out argument. */
 	*chain = NULL;
-	X509_STORE_CTX_init(&cert_ctx, store, signer, untrusted);
+	if (X509_STORE_CTX_init(&cert_ctx, store, signer, untrusted) == 0) {
+		TSerr(TS_F_TS_VERIFY_CERT, ERR_R_X509_LIB);
+		goto err;
+	}
 	X509_STORE_CTX_set_purpose(&cert_ctx, X509_PURPOSE_TIMESTAMP_SIGN);
 	i = X509_verify_cert(&cert_ctx);
 	if (i <= 0) {
 		int j = X509_STORE_CTX_get_error(&cert_ctx);
+
 		TSerr(TS_F_TS_VERIFY_CERT, TS_R_CERTIFICATE_VERIFY_ERROR);
 		ERR_asprintf_error_data("Verify error:%s",
 		    X509_verify_cert_error_string(j));
-		ret = 0;
+		goto err;
 	} else {
 		/* Get a copy of the certificate chain. */
 		*chain = X509_STORE_CTX_get1_chain(&cert_ctx);
+		ret = 1;
 	}
 
+err:
 	X509_STORE_CTX_cleanup(&cert_ctx);
 
 	return ret;
-- 
cgit v1.2.3-55-g6feb