evp: detect and raise an error if no digest is found for a sign/verify operation

If no digest is specified, the code looks for a default digest per PKEY via the
evp_keymgmt_util_get_deflt_digest_name() call.  If this call returns NULL,
indicating no digest found, the code continues regardless.  If the verify/sign
init later fails, it returns an error without raising one.  This change raises
an error in this case.

Fixes #15372

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16015)

diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c
index 5c5ed05876475226f760f520acf29e592f84911f..63360a94bc81bf373d565527f020a522682594d4 100644 (file)
--- a/crypto/evp/m_sigver.c
+++ b/crypto/evp/m_sigver.c
@@ -208,7 +208,14 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
                                           mdname, provkey, params);
     }
 
-    goto end;
+    /*
+     * If the operation was not a success and no digest was found, an error
+     * needs to be raised.
+     */
+    if (ret > 0 || mdname != NULL)
+        goto end;
+    if (type == NULL)   /* This check is redundant but clarifies matters */
+        ERR_raise(ERR_LIB_EVP, EVP_R_NO_DEFAULT_DIGEST);
 
  err:
     evp_pkey_ctx_free_old_ops(locpctx);