Fix a number of issues relating to algorithms in signatures, Mostly

from OpenSSL with a hint of boring and some things done here. Addresses
CVE-2014-8275 for OpenSSL fully
ok miod@ doug@

2 files changed, 5 insertions, 2 deletions

diff --git a/src/lib/libcrypto/x509/x509.h b/src/lib/libcrypto/x509/x509.h
index e425949675..d67a87df0b 100644
--- a/src/lib/libcrypto/x509/x509.h
+++ b/src/lib/libcrypto/x509/x509.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.h,v 1.20 2014/06/12 15:49:31 deraadt Exp $ */
+/* $OpenBSD: x509.h,v 1.21 2015/01/28 04:14:31 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -758,6 +758,7 @@ int X509_ALGOR_set0(X509_ALGOR *alg, ASN1_OBJECT *aobj, int ptype, void *pval);
 void X509_ALGOR_get0(ASN1_OBJECT **paobj, int *pptype, void **ppval,
                                                 X509_ALGOR *algor);
 void X509_ALGOR_set_md(X509_ALGOR *alg, const EVP_MD *md);
+int X509_ALGOR_cmp(const X509_ALGOR *a, const X509_ALGOR *b);
 
 X509_NAME *X509_NAME_dup(X509_NAME *xn);
 X509_NAME_ENTRY *X509_NAME_ENTRY_dup(X509_NAME_ENTRY *ne);
diff --git a/src/lib/libcrypto/x509/x_all.c b/src/lib/libcrypto/x509/x_all.c
index edb5f520fa..28a81c14a7 100644
--- a/src/lib/libcrypto/x509/x_all.c
+++ b/src/lib/libcrypto/x509/x_all.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x_all.c,v 1.18 2014/07/11 08:44:49 jsing Exp $ */
+/* $OpenBSD: x_all.c,v 1.19 2015/01/28 04:14:31 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -76,6 +76,8 @@
 int
 X509_verify(X509 *a, EVP_PKEY *r)
 {
+        if (X509_ALGOR_cmp(a->sig_alg, a->cert_info->signature))
+                return 0;
         return(ASN1_item_verify(ASN1_ITEM_rptr(X509_CINF), a->sig_alg,
             a->signature, a->cert_info, r));
 }