Fix various certificate fingerprint issues.

[openssl.git] / crypto / asn1 / a_verify.c

diff --git a/crypto/asn1/a_verify.c b/crypto/asn1/a_verify.c
index 87e7ef4f5ec0f83368299e8c221b9b395ef46512..fdeeef6761e65fdd2b3c28deea66a52f4233354d 100644 (file)
--- a/crypto/asn1/a_verify.c
+++ b/crypto/asn1/a_verify.c
@@ -90,6 +90,12 @@ int ASN1_verify(i2d_of_void *i2d, X509_ALGOR *a, ASN1_BIT_STRING *signature,
                ASN1err(ASN1_F_ASN1_VERIFY,ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
                goto err;
                }
+
+       if (signature->type == V_ASN1_BIT_STRING && signature->flags & 0x7)
+               {
+               ASN1err(ASN1_F_ASN1_VERIFY, ASN1_R_INVALID_BIT_STRING_BITS_LEFT);
+               goto err;
+               }
        
        inl=i2d(data,NULL);
        buf_in=OPENSSL_malloc((unsigned int)inl);
@@ -101,16 +107,20 @@ int ASN1_verify(i2d_of_void *i2d, X509_ALGOR *a, ASN1_BIT_STRING *signature,
        p=buf_in;
 
        i2d(data,&p);
-       if (!EVP_VerifyInit_ex(&ctx,type, NULL)
-               || !EVP_VerifyUpdate(&ctx,(unsigned char *)buf_in,inl))
+       ret=
+               EVP_VerifyInit_ex(&ctx,type, NULL)
+               && EVP_VerifyUpdate(&ctx,(unsigned char *)buf_in,inl);
+
+       OPENSSL_cleanse(buf_in,(unsigned int)inl);
+       OPENSSL_free(buf_in);
+
+       if (!ret)
                {
                ASN1err(ASN1_F_ASN1_VERIFY,ERR_R_EVP_LIB);
-               ret=0;
                goto err;
                }
+       ret = -1;
 
-       OPENSSL_cleanse(buf_in,(unsigned int)inl);
-       OPENSSL_free(buf_in);
 
        if (EVP_VerifyFinal(&ctx,(unsigned char *)signature->data,
                        (unsigned int)signature->length,pkey) <= 0)
@@ -146,6 +156,12 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a,
                return -1;
                }
 
+       if (signature->type == V_ASN1_BIT_STRING && signature->flags & 0x7)
+               {
+               ASN1err(ASN1_F_ASN1_VERIFY, ASN1_R_INVALID_BIT_STRING_BITS_LEFT);
+               return -1;
+               }
+
        EVP_MD_CTX_init(&ctx);
 
        /* Convert signature OID into digest and public key OIDs */
@@ -205,15 +221,17 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a,
                goto err;
                }
 
-       if (!EVP_DigestVerifyUpdate(&ctx,buf_in,inl))
+       ret = EVP_DigestVerifyUpdate(&ctx,buf_in,inl);
+
+       OPENSSL_cleanse(buf_in,(unsigned int)inl);
+       OPENSSL_free(buf_in);
+
+       if (!ret)
                {
                ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ERR_R_EVP_LIB);
-               ret=0;
                goto err;
                }
-
-       OPENSSL_cleanse(buf_in,(unsigned int)inl);
-       OPENSSL_free(buf_in);
+       ret = -1;
 
        if (EVP_DigestVerifyFinal(&ctx,signature->data,
                        (size_t)signature->length) <= 0)