key algorithms and leaking if the signature verify
fails.
Changes between 0.9.6 and 0.9.7 [xx XXX 2000]
+ *) Avoid coredump with unsupported or invalid public keys by checking if
+ X509_get_pubkey() fails in PKCS7_verify(). Fix memory leak when
+ PKCS7_verify() fails with non detached data.
+ [Steve Henson]
+
*) Change OCSP_cert_to_id() to tolerate a NULL subject certificate and
OCSP_cert_id_new() a NULL serialNumber. This allows a partial certificate
ID to be generated from the issuer certificate alone which can then be
os=si->enc_digest;
pkey = X509_get_pubkey(x509);
+ if (!pkey)
+ {
+ ret = -1;
+ goto err;
+ }
if(pkey->type == EVP_PKEY_DSA) mdc_tmp.digest=EVP_dss1();
i=EVP_VerifyFinal(&mdc_tmp,os->data,os->length, pkey);
PKCS7_SIGNER_INFO *si;
X509_STORE_CTX cert_ctx;
char buf[4096];
- int i, j=0, k;
+ int i, j=0, k, ret = 0;
BIO *p7bio;
BIO *tmpout;
}
}
- sk_X509_free(signers);
- if(indata) BIO_pop(p7bio);
- BIO_free_all(p7bio);
-
- return 1;
+ ret = 1;
err:
+ if(indata) BIO_pop(p7bio);
+ BIO_free_all(p7bio);
sk_X509_free(signers);
- BIO_free(p7bio);
- return 0;
+ return ret;
}
STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags)