Don't try and verify signatures if key is NULL (CVE-2013-0166)
[openssl.git] / crypto / ocsp / ocsp_vfy.c
index d3b446c..f24080f 100644 (file)
@@ -91,9 +91,12 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
                {
                EVP_PKEY *skey;
                skey = X509_get_pubkey(signer);
                {
                EVP_PKEY *skey;
                skey = X509_get_pubkey(signer);
-               ret = OCSP_BASICRESP_verify(bs, skey, 0);
-               EVP_PKEY_free(skey);
-               if(ret <= 0)
+               if (skey)
+                       {
+                       ret = OCSP_BASICRESP_verify(bs, skey, 0);
+                       EVP_PKEY_free(skey);
+                       }
+               if(!skey || ret <= 0)
                        {
                        OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNATURE_FAILURE);
                        goto end;
                        {
                        OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNATURE_FAILURE);
                        goto end;