authorMiod Vallat <miod@cvs.openbsd.org>2015-07-19 05:42:56 +0000
committerMiod Vallat <miod@cvs.openbsd.org>2015-07-19 05:42:56 +0000
commit180e222d017846266e43899483a4547a84a00fcb (patch)
treee0a6622955ed37385c4fcaf883817f516b948efc
parenta346cda69770c3c1ae4b9fb630d1951ddae325fc (diff)
Now that it is safe to invoke X509_STORE_CTX_cleanup() if X509_STORE_CTX_init()
fails, check its return value and correctly mop up after ourselves. ok beck@ doug@
-rw-r--r--lib/libssl/src/crypto/ts/ts_rsp_verify.c16
-rw-r--r--lib/libssl/src/crypto/x509/x509_vfy.c8
2 files changed, 16 insertions, 8 deletions
diff --git a/lib/libssl/src/crypto/ts/ts_rsp_verify.c b/lib/libssl/src/crypto/ts/ts_rsp_verify.c
index 25aa31ee4df..797877011c2 100644
--- a/lib/libssl/src/crypto/ts/ts_rsp_verify.c
+++ b/lib/libssl/src/crypto/ts/ts_rsp_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_rsp_verify.c,v 1.14 2015/07/19 02:43:24 miod Exp $ */
+/* $OpenBSD: ts_rsp_verify.c,v 1.15 2015/07/19 05:42:55 miod Exp $ */
/* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
* project 2002.
*/
@@ -234,26 +234,32 @@ static int
TS_verify_cert(X509_STORE *store, STACK_OF(X509) *untrusted, X509 *signer,
STACK_OF(X509) **chain)
{
- X509_STORE_CTX cert_ctx;
+ X509_STORE_CTX cert_ctx;
int i;
- int ret = 1;
+ int ret = 0;
/* chain is an out argument. */
*chain = NULL;
- X509_STORE_CTX_init(&cert_ctx, store, signer, untrusted);
+ if (X509_STORE_CTX_init(&cert_ctx, store, signer, untrusted) == 0) {
+ TSerr(TS_F_TS_VERIFY_CERT, ERR_R_X509_LIB);
+ goto err;
+ }
X509_STORE_CTX_set_purpose(&cert_ctx, X509_PURPOSE_TIMESTAMP_SIGN);
i = X509_verify_cert(&cert_ctx);
if (i <= 0) {
int j = X509_STORE_CTX_get_error(&cert_ctx);
+
TSerr(TS_F_TS_VERIFY_CERT, TS_R_CERTIFICATE_VERIFY_ERROR);
ERR_asprintf_error_data("Verify error:%s",
X509_verify_cert_error_string(j));
- ret = 0;
+ goto err;
} else {
/* Get a copy of the certificate chain. */
*chain = X509_STORE_CTX_get1_chain(&cert_ctx);
+ ret = 1;
}
+err:
X509_STORE_CTX_cleanup(&cert_ctx);
return ret;
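Review bot: The success branch stores `X509_STORE_CTX_get1_chain(&cert_ctx)` in `*chain` and sets `ret = 1` without checking the result, so if that call returns NULL (for instance on allocation failure) the function reports a verified signer while handing the caller a NULL chain. Since this commit is already tightening the error paths here, I would test it before claiming success: `if ((*chain = X509_STORE_CTX_get1_chain(&cert_ctx)) == NULL) goto err;` followed by `ret = 1;`, ideally with a `TSerr()` call so the failure shows up on the error queue. The return value of `X509_STORE_CTX_set_purpose()` a few lines earlier is also ignored; if that call can fail, verification would presumably run without the timestamp-signing purpose check, so it deserves the same treatment. The function's closing brace lies outside the hunk.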
diff --git a/lib/libssl/src/crypto/x509/x509_vfy.c b/lib/libssl/src/crypto/x509/x509_vfy.c
index bc5905784d2..f2dc356dc8d 100644
--- a/lib/libssl/src/crypto/x509/x509_vfy.c
+++ b/lib/libssl/src/crypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.43 2015/07/19 01:44:16 doug Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.44 2015/07/19 05:42:55 miod Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -1091,8 +1091,10 @@ check_crl_path(X509_STORE_CTX *ctx, X509 *x)
/* Don't allow recursive CRL path validation */
if (ctx->parent)
return 0;
- if (!X509_STORE_CTX_init(&crl_ctx, ctx->ctx, x, ctx->untrusted))
- return -1;
+ if (!X509_STORE_CTX_init(&crl_ctx, ctx->ctx, x, ctx->untrusted)) {
+ ret = -1;
+ goto err;
+ }
crl_ctx.crls = ctx->crls;
/* Copy verify params across */