Various S/MIME bug and compatibility fixes.

[openssl.git] / crypto / pkcs7 / pk7_doit.c

diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c
index f589508fdd008581b62c439c57d64ee671ef9f52..9382f47767b0d141fc8d76b69147c2eee7188bd4 100644 (file)
--- a/crypto/pkcs7/pk7_doit.c
+++ b/crypto/pkcs7/pk7_doit.c
@@ -241,7 +241,7 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio)
                        M_ASN1_OCTET_STRING_set(ri->enc_key,tmp,jj);
                        }
                OPENSSL_free(tmp);
-               memset(key, 0, keylen);
+               OPENSSL_cleanse(key, keylen);
 
                if (out == NULL)
                        out=btmp;
@@ -448,7 +448,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
                } 
                EVP_CipherInit_ex(evp_ctx,NULL,NULL,tmp,NULL,0);
 
-               memset(tmp,0,jj);
+               OPENSSL_cleanse(tmp,jj);
 
                if (out == NULL)
                        out=etmp;
@@ -578,7 +578,7 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
                        /* We now have the EVP_MD_CTX, lets do the
                         * signing. */
                        EVP_MD_CTX_copy_ex(&ctx_tmp,mdc);
-                       if (!BUF_MEM_grow(buf,EVP_PKEY_size(si->pkey)))
+                       if (!BUF_MEM_grow_clean(buf,EVP_PKEY_size(si->pkey)))
                                {
                                PKCS7err(PKCS7_F_PKCS7_DATASIGN,ERR_R_BIO_LIB);
                                goto err;
@@ -629,7 +629,7 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
                                ctx_tmp.digest=EVP_dss1();
 #endif
 #ifndef OPENSSL_NO_ECDSA
-                       if (si->pkey->type == EVP_PKEY_ECDSA)
+                       if (si->pkey->type == EVP_PKEY_EC)
                                ctx_tmp.digest=EVP_ecdsa();
 #endif
 
@@ -771,6 +771,11 @@ int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si,
                        }
                if (EVP_MD_CTX_type(mdc) == md_type)
                        break;
+               /* Workaround for some broken clients that put the signature
+                * OID instead of the digest OID in digest_alg->algorithm
+                */
+               if (EVP_MD_pkey_type(EVP_MD_CTX_md(mdc)) == md_type)
+                       break;
                btmp=BIO_next(btmp);
                }
 
@@ -830,7 +835,7 @@ for (ii=0; ii<md_len; ii++) printf("%02X",md_dat[ii]); printf(" calc\n");
        if(pkey->type == EVP_PKEY_DSA) mdc_tmp.digest=EVP_dss1();
 #endif
 #ifndef OPENSSL_NO_ECDSA
-       if (pkey->type == EVP_PKEY_ECDSA) mdc_tmp.digest=EVP_ecdsa();
+       if (pkey->type == EVP_PKEY_EC) mdc_tmp.digest=EVP_ecdsa();
 #endif
 
        i=EVP_VerifyFinal(&mdc_tmp,os->data,os->length, pkey);