evp: prevent underflow in base64 decoding

[openssl.git] / ssl / ssl_cert.c

diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index be51b42f23c6d30dc9b901b91078dd1b578570dc..5123a89182e590267edcb5b382ab5a767128fb85 100644 (file)
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -160,6 +160,21 @@ int SSL_get_ex_data_X509_STORE_CTX_idx(void)
        return ssl_x509_store_ctx_idx;
        }
 
+static void ssl_cert_set_default_md(CERT *cert)
+       {
+       /* Set digest values to defaults */
+#ifndef OPENSSL_NO_DSA
+       cert->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
+#endif
+#ifndef OPENSSL_NO_RSA
+       cert->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
+       cert->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
+#endif
+#ifndef OPENSSL_NO_ECDSA
+       cert->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
+#endif
+       }
+
 CERT *ssl_cert_new(void)
        {
        CERT *ret;
@@ -174,7 +189,7 @@ CERT *ssl_cert_new(void)
 
        ret->key= &(ret->pkeys[SSL_PKEY_RSA_ENC]);
        ret->references=1;
-
+       ssl_cert_set_default_md(ret);
        return(ret);
        }
 
@@ -307,6 +322,10 @@ CERT *ssl_cert_dup(CERT *cert)
         * chain is held inside SSL_CTX */
 
        ret->references=1;
+       /* Set digests to defaults. NB: we don't copy existing values as they
+        * will be set during handshake.
+        */
+       ssl_cert_set_default_md(ret);
 
        return(ret);
        
@@ -755,6 +774,8 @@ int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
                        sk_X509_NAME_push(stack,xn);
                }
 
+       ERR_clear_error();
+
        if (0)
                {
 err: