From fbf91f7397d8d82389fade52774c48783241c149 Mon Sep 17 00:00:00 2001
From: Tesfa Mael <tesfa@wolfssl.com>
Date: Wed, 15 Jan 2020 16:03:42 -0800
Subject: [PATCH 1/2] Fix mem leak in DSA

---
 wolfcrypt/src/asn.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 44887763f..cd64eb746 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -4622,6 +4622,7 @@ int DsaPrivateKeyDecode(const byte* input, word32* inOutIdx, DsaKey* key,
         GetInt(&key->g, input, inOutIdx, inSz) < 0 ||
         GetOctetString(input, inOutIdx, &length, inSz) < 0 ||
         GetInt(&key->y, input, inOutIdx, inSz) < 0) {
+            wc_FreeDsaKey(key);
             ret = ASN_PARSE_E;
     }
     if (ret == ASN_PARSE_E) {

From 43b7258d3b13ed7bc0b625b1f05478b3f555e057 Mon Sep 17 00:00:00 2001
From: Tesfa Mael <tesfa@wolfssl.com>
Date: Mon, 27 Jan 2020 12:44:16 -0800
Subject: [PATCH 2/2] Review comments

---
 wolfcrypt/src/asn.c | 49 ++++++++++++++++++++++++++++++++++++++-------
 1 file changed, 42 insertions(+), 7 deletions(-)

diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index cd64eb746..a6d6ab9bb 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -4617,14 +4617,49 @@ int DsaPrivateKeyDecode(const byte* input, word32* inOutIdx, DsaKey* key,
 
     temp = (int)*inOutIdx;
 
-    if (GetInt(&key->p, input, inOutIdx, inSz) < 0 ||
-        GetInt(&key->q, input, inOutIdx, inSz) < 0 ||
-        GetInt(&key->g, input, inOutIdx, inSz) < 0 ||
-        GetOctetString(input, inOutIdx, &length, inSz) < 0 ||
-        GetInt(&key->y, input, inOutIdx, inSz) < 0) {
-            wc_FreeDsaKey(key);
-            ret = ASN_PARSE_E;
+    /* Default case expects a certificate with OctetString but no version ID */
+    ret = GetInt(&key->p, input, inOutIdx, inSz);
+    if (ret < 0) {
+        mp_clear(&key->p);
+        ret = ASN_PARSE_E;
     }
+    else {
+        ret = GetInt(&key->q, input, inOutIdx, inSz);
+        if (ret < 0) {
+            mp_clear(&key->p);
+            mp_clear(&key->q);
+            ret = ASN_PARSE_E;
+        }
+        else {
+            ret = GetInt(&key->g, input, inOutIdx, inSz);
+            if (ret < 0) {
+                mp_clear(&key->p);
+                mp_clear(&key->q);
+                mp_clear(&key->g);
+                ret = ASN_PARSE_E;
+            }
+            else {
+                ret = GetOctetString(input, inOutIdx, &length, inSz);
+                if (ret < 0) {
+                    mp_clear(&key->p);
+                    mp_clear(&key->q);
+                    mp_clear(&key->g);
+                    ret = ASN_PARSE_E;
+                }
+                else {
+                    ret = GetInt(&key->y, input, inOutIdx, inSz);
+                    if (ret < 0) {
+                        mp_clear(&key->p);
+                        mp_clear(&key->q);
+                        mp_clear(&key->g);
+                        mp_clear(&key->y);
+                        ret = ASN_PARSE_E;
+                    }
+                }
+            }
+        }
+    }
+    /* An alternate pass if default certificate fails parsing */
     if (ret == ASN_PARSE_E) {
         *inOutIdx = temp;
         if (GetMyVersion(input, inOutIdx, &version, inSz) < 0)