Permit no/empty digest in core_obj_add_sigid

Also add digest parameter documentation for add_sigid and
permit NULL as digest name in the provider upcall.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16770)

diff --git a/crypto/objects/obj_xref.c b/crypto/objects/obj_xref.c
index 3a6ae02bf02c8239ddc04accbf4a9064751ff035..8b4980d5b59571467173fbf3925b292de4db9d8d 100644 (file)
--- a/crypto/objects/obj_xref.c
+++ b/crypto/objects/obj_xref.c
@@ -141,7 +141,7 @@ int OBJ_add_sigid(int signid, int dig_id, int pkey_id)
     nid_triple *ntr;
     int dnid = NID_undef, pnid = NID_undef, ret = 0;
 
-    if (signid == NID_undef || dig_id == NID_undef || pkey_id == NID_undef)
+    if (signid == NID_undef || pkey_id == NID_undef)
         return 0;
 
     if (!obj_sig_init())

diff --git a/crypto/provider_core.c b/crypto/provider_core.c
index e4069eb4f7179a127531caa5183c1ad00f4e689d..b39fb3bb1d4ac07c3832036b2cda92712276d1cd 100644 (file)
--- a/crypto/provider_core.c
+++ b/crypto/provider_core.c
@@ -1933,9 +1933,13 @@ static int core_obj_add_sigid(const OSSL_CORE_HANDLE *prov,
                               const char *pkey_name)
 {
     int sign_nid = OBJ_txt2nid(sign_name);
-    int digest_nid = OBJ_txt2nid(digest_name);
+    int digest_nid = NID_undef;
     int pkey_nid = OBJ_txt2nid(pkey_name);
 
+    if (digest_name != NULL && digest_name[0] != '\0'
+        && (digest_nid = OBJ_txt2nid(digest_name)) == NID_undef)
+            return 0;
+
     if (sign_nid == NID_undef)
         return 0;
 
@@ -1946,8 +1950,7 @@ static int core_obj_add_sigid(const OSSL_CORE_HANDLE *prov,
     if (OBJ_find_sigid_algs(sign_nid, NULL, NULL))
         return 1;
 
-    if (digest_nid == NID_undef
-            || pkey_nid == NID_undef)
+    if (pkey_nid == NID_undef)
         return 0;
 
     return OBJ_add_sigid(sign_nid, digest_nid, pkey_nid);

diff --git a/doc/man3/OBJ_nid2obj.pod b/doc/man3/OBJ_nid2obj.pod
index 2d16cc83ccd6cdb797829f82c86c8b25246d0a50..306b33c03dd962bec8d048c119ebdc9501ae5c3b 100644 (file)
--- a/doc/man3/OBJ_nid2obj.pod
+++ b/doc/man3/OBJ_nid2obj.pod
@@ -99,7 +99,8 @@ given NID with two other NIDs - one representing the underlying signature
 algorithm and the other representing a digest algorithm to be used in
 conjunction with it. I<signid> represents the NID for the composite "Signature
 Algorithm", I<dig_id> is the NID for the digest algorithm and I<pkey_id> is the
-NID for the underlying signature algorithm.
+NID for the underlying signature algorithm. As there are signature algorithms
+that do not require a digest, NID_undef is a valid I<dig_id>.
 
 OBJ_cleanup() releases any resources allocated by creating new objects.
 

diff --git a/doc/man7/provider-base.pod b/doc/man7/provider-base.pod
index 881854a3afc74bf262a27c0f70e10293c75ebcac..b3298d5c1051e841adfcc8b2f205ceaee35457cf 100644 (file)
--- a/doc/man7/provider-base.pod
+++ b/doc/man7/provider-base.pod
@@ -284,8 +284,9 @@ function L<OBJ_add_sigid(3)>, except that the objects are identified by name
 rather than a numeric NID. Any name (OID, short name or long name) can be used
 to identify the object. It will treat as success the case where the composite
 signature algorithm already exists (even if registered against a different
-underlying signature or digest algorithm). It returns 1 on success or 0 on
-failure.
+underlying signature or digest algorithm). For I<digest_name>, NULL or an
+empty string is permissible for signature algorithms that do not need a digest
+to operate correctly. The function returns 1 on success or 0 on failure.
 
 CRYPTO_malloc(), CRYPTO_zalloc(), CRYPTO_memdup(), CRYPTO_strdup(),
 CRYPTO_strndup(), CRYPTO_free(), CRYPTO_clear_free(),

diff --git a/test/upcallstest.c b/test/upcallstest.c
index 01e4e952377de3fb287447ab65abd3ff38f306df..76899fee3de096d2fc5ed36d50801309755a51d2 100644 (file)
--- a/test/upcallstest.c
+++ b/test/upcallstest.c
@@ -68,6 +68,15 @@ static int obj_provider_init(const OSSL_CORE_HANDLE *handle,
     if (!c_obj_add_sigid(handle, SIGALG_OID, DIGEST_SN, SIG_LN))
         return 0;
 
+    /* additional tests checking empty digest algs are accepted, too */
+    if (!c_obj_add_sigid(handle, SIGALG_OID, "", SIG_LN))
+        return 0;
+    if (!c_obj_add_sigid(handle, SIGALG_OID, NULL, SIG_LN))
+        return 0;
+    /* checking wrong digest alg name is rejected: */
+    if (c_obj_add_sigid(handle, SIGALG_OID, "NonsenseAlg", SIG_LN))
+        return 0;
+
     return 1;
 }