From 2456f6b516587fa3037de7c682735305ed02d053 Mon Sep 17 00:00:00 2001
From: beck <>
Date: Sun, 5 Feb 2017 02:33:21 +0000
Subject: Kill leak introduced with refactor ok jsing@
---
 src/lib/libcrypto/x509/x509_vfy.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
(limited to 'src')
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index b81387a237..fbed5ec800 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.60 2017/01/29 17:49:23 beck Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.61 2017/02/05 02:33:21 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1793,7 +1793,6 @@ internal_verify(X509_STORE_CTX *ctx)
 * peril).
 */
 while (n >= 0) {
- EVP_PKEY *pkey;
 
 /*
 * Skip signature check for self signed certificates
@@ -1805,15 +1804,19 @@ internal_verify(X509_STORE_CTX *ctx)
 */
 if (xs != xi || (ctx->param->flags &
 X509_V_FLAG_CHECK_SS_SIGNATURE)) {
+ EVP_PKEY *pkey;
 if ((pkey = X509_get_pubkey(xi)) == NULL) {
 if (!verify_cb_cert(ctx, xi, xi != xs ? n+1 : n,
 X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY))
 return 0;
 } else if (X509_verify(xs, pkey) <= 0) {
 if (!verify_cb_cert(ctx, xs, n,
- X509_V_ERR_CERT_SIGNATURE_FAILURE))
+ X509_V_ERR_CERT_SIGNATURE_FAILURE)) {
+ EVP_PKEY_free(pkey);
 return 0;
+ }
 }
+ EVP_PKEY_free(pkey);
 }
 check_cert:
 /* Calls verify callback as needed */
--
cgit v1.2.3-55-g6feb
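Review bot: Nothing in the new block in the third hunk says why `pkey` has to be released, so a later refactor of this loop can reintroduce the same leak; a comment at the declaration such as `/* X509_get_pubkey() returns a new reference; release it on every path out of this block */` would pin the ownership rule down. The final `EVP_PKEY_free(pkey);` is also reached with `pkey == NULL` when the callback overrides X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY, which is safe only because EVP_PKEY_free() ignores NULL, and that is worth stating in the same comment. Because this block runs once per certificate in the chain, a missed free here would accumulate in any long-lived process that verifies peer certificates. internal_verify() starts and ends outside the hunk, so other exits from the loop cannot be checked from here.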