From db3315078b3ca9c360e8dbe259466d3eadaf37dc Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Fri, 26 Feb 2016 11:51:07 +0100
Subject: backported signature checks.
---
 lib/x509/common.c | 2 +-
 lib/x509/x509.c | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/lib/x509/common.c b/lib/x509/common.c
index 6e822ad547..97eb42b09e 100644
--- a/lib/x509/common.c
+++ b/lib/x509/common.c
@@ -1472,7 +1472,7 @@ _gnutls_x509_get_signature (ASN1_TYPE src, const char *src_name,
 goto cleanup;
 }
- if (bits % 8 != 0)
+ if (bits % 8 != 0 || bits < 8)
 {
 gnutls_assert ();
 result = GNUTLS_E_CERTIFICATE_ERROR;
diff --git a/lib/x509/x509.c b/lib/x509/x509.c
index d12d44ed88..b9237ca74b 100644
--- a/lib/x509/x509.c
+++ b/lib/x509/x509.c
@@ -612,7 +612,7 @@ gnutls_x509_crt_get_signature (gnutls_x509_crt_t cert,
 return _gnutls_asn2err (result);
 }
- if (bits % 8 != 0)
+ if (bits % 8 != 0 || bits < 8)
 {
 gnutls_assert ();
 return GNUTLS_E_CERTIFICATE_ERROR;
@@ -632,6 +632,7 @@ gnutls_x509_crt_get_signature (gnutls_x509_crt_t cert,
 gnutls_assert ();
 return _gnutls_asn2err (result);
 }
+ *sizeof_sig = len/8;
 return 0;
 }
-- 
cgit v1.2.1
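Review bot: The new `bits < 8` condition in `_gnutls_x509_get_signature` (lib/x509/common.c, hunk at -1472) carries no comment saying why a zero-length signature is rejected, and the same bare condition is repeated in `gnutls_x509_crt_get_signature` (lib/x509/x509.c, hunk at -612). Because `0 % 8 == 0`, the old test let an empty BIT STRING through to whatever sizing and copying follows outside the hunk, which is presumably what the guard is for; a comment such as `/* an empty BIT STRING has bits == 0, which passes the modulo test */` above each `if` would record that. The diffstat lists only the two source files, so no regression test with an empty-signature certificate accompanies the check. Both function bodies start and end outside the hunks shown.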
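Review bot: In the hunk at -632 of lib/x509/x509.c, `*sizeof_sig = len/8;` divides `len` by 8 although nothing visible in the hunk shows that `len` holds a bit count at that point. If the preceding `asn1_read_value` call (outside the hunk) receives `len` as a buffer size in bytes and hands back the BIT STRING length in bits, one variable carries two units; a comment like `/* asn1_read_value() returned the BIT STRING length in bits */` would make that explicit. Alternatively, if the two reads are expected to agree, assigning from the value already validated earlier in the function, `*sizeof_sig = bits / 8;`, keeps the reported size tied to the checked quantity. The spacing `len/8` also differs from the `bits % 8` style used earlier in the same function.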