]> git.ipfire.org Git - thirdparty/openssl.git/commitdiff
projects / thirdparty / openssl.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: f68ba38)
fix: ossl_digest_get_approved_nid() returns NID_undef on invalid digest
authorRichard Levitte <levitte@openssl.org>
Wed, 28 Aug 2024 14:36:31 +0000 (16:36 +0200)
committerTomas Mraz <tomas@openssl.org>
Fri, 30 Aug 2024 09:54:13 +0000 (11:54 +0200)
We checked using 'md_nid < 0', which is faulty.

Impact: DSA and ECDSA signature provider implementations

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24992)

providers/implementations/signature/dsa_sig.c patch | blob | blame | history
providers/implementations/signature/ecdsa_sig.c patch | blob | blame | history
providers/implementations/signature/rsa_sig.c patch | blob | blame | history

diff --git a/providers/implementations/signature/dsa_sig.c b/providers/implementations/signature/dsa_sig.c
index a14fa796e93a7630da4d808e0f955759f242d0f0..12cbd97c66b9c3668581dc5eb951dd9fabe02fa4 100644 (file)
--- a/providers/implementations/signature/dsa_sig.c
+++ b/providers/implementations/signature/dsa_sig.c
@@ -168,7 +168,7 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx,
             if (md == NULL)
                 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
                                "%s could not be fetched", mdname);
-            if (md_nid < 0)
+            if (md_nid == NID_undef)
                 ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
                                "digest=%s", mdname);
             if (mdname_len >= sizeof(ctx->mdname))
diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c
index 4cbad1c38e0ceed43a47d7e53b2db9aed9b54efe..3f3a596168fc6021d476236b14a7e6d0096aeb40 100644 (file)
--- a/providers/implementations/signature/ecdsa_sig.c
+++ b/providers/implementations/signature/ecdsa_sig.c
@@ -197,7 +197,7 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx,
         goto err;
     }
     md_nid = ossl_digest_get_approved_nid(md);
-    if (md_nid < 0) {
+    if (md_nid == NID_undef) {
         ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
                        "digest=%s", mdname);
         goto err;
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
index 45c36899e4c125e340cd2dcc3e864d281571e2c3..c5a4acb970a43f1a42e969b6ed021550eaa335e1 100644 (file)
--- a/providers/implementations/signature/rsa_sig.c
+++ b/providers/implementations/signature/rsa_sig.c
@@ -387,7 +387,7 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname,
             goto err;
         }
         md_nid = ossl_digest_rsa_sign_get_md_nid(md);
-        if (md_nid <= 0) {
+        if (md_nid == NID_undef) {
             ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
                            "digest=%s", mdname);
             goto err;
Mirror of https://github.com/openssl/openssl.git