crypto: evp: fix potential null pointer dereference in EVP_DigestSignUpdate in m_sigver.c

Static analysis detected that EVP_DigestSign() could lead to null pointer
dereference in EVP_DigestSignUpdate() when pctx->pmeth is NULL. The issue
occurs in the legacy code path where pmeth is accessed without prior null
check.

This fix adds a proper null check for pctx->pmeth in the legacy section
of EVP_DigestSignUpdate() to prevent the crash when the function is called
through EVP_DigestSign() with improperly initialized context.

The check is placed in EVP_DigestSignUpdate() rather than EVP_DigestSign()
to maintain proper separation of concerns and follow OpenSSL's architectural
patterns where lower-level functions handle their own parameter validation.

Fixes potential crash in signature operations with legacy providers.

CLA: trivial
Signed-off-by: Anton Moryakov <ant.v.moryakov@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28095)

diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c
index b24a7451df4c4adee646ba0ad9be83bff67fd6f1..dfb844b53368fab781f3b890f2ac7b9c662aadfe 100644 (file)
--- a/crypto/evp/m_sigver.c
+++ b/crypto/evp/m_sigver.c
@@ -434,6 +434,10 @@ int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize)
 
  legacy:
     if (pctx != NULL) {
+        if (pctx->pmeth == NULL) {
+            ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
+            return 0;
+        }
         /* do_sigver_init() checked that |digest_custom| is non-NULL */
         if (pctx->flag_call_digest_custom
             && !ctx->pctx->pmeth->digest_custom(ctx->pctx, ctx))