Check for errors from EVP_VerifyInit_ex(), or EVP_VerifyUpdate might
authorRichard Levitte <levitte@openssl.org>
Thu, 27 Jan 2005 01:49:25 +0000 (01:49 +0000)
committerRichard Levitte <levitte@openssl.org>
Thu, 27 Jan 2005 01:49:25 +0000 (01:49 +0000)
cause a segfault...  This was uncovered because EVP_VerifyInit() may fail
in FIPS mode if the wrong algorithm is chosen...

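--- a/crypto/asn1/a_verify.c
+++ b/crypto/asn1/a_verify.c
@@ -150,7 +150,12 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a, ASN1_BIT_STRING *signat
                 goto err;
                 }
 
-       EVP_VerifyInit_ex(&ctx,type, NULL);
+       if (!EVP_VerifyInit_ex(&ctx,type, NULL))
+               {
+               ASN1err(ASN1_F_ASN1_VERIFY,ERR_R_EVP_LIB);
+               ret=0;
+               goto err;
+               }
        EVP_VerifyUpdate(&ctx,(unsigned char *)buf_in,inl);
 
        OPENSSL_cleanse(buf_in,(unsigned int)inl);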
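Review bot: The new failure branch jumps to `err` before the `OPENSSL_cleanse(buf_in,(unsigned int)inl);` call that follows it, so on this path the encoded buffer is not wiped here and, unless the `err` label (outside this hunk) releases it, is probably leaked as well. I would wipe and release it inside the branch, before `goto err;`: `OPENSSL_cleanse(buf_in,(unsigned int)inl);` and, if `buf_in` is owned by this function, `OPENSSL_free(buf_in);`. The result of `EVP_VerifyUpdate()` on the next line is still ignored; guarding it the same way, `if (!EVP_VerifyUpdate(&ctx,(unsigned char *)buf_in,inl))`, keeps a failed digest update from reaching the final verify step. ASN1_item_verify starts and ends outside the hunk, so the cleanup at `err` should be checked against the full file.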