From: Michael Baentsch Date: Thu, 7 Oct 2021 08:45:48 +0000 (+0200) Subject: Permit no/empty digest in core_obj_add_sigid X-Git-Tag: openssl-3.2.0-alpha1~3438 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4f716249643fe97a2bdf59a11cc10e1bef8103e9;p=thirdparty%2Fopenssl.git Permit no/empty digest in core_obj_add_sigid Also add digest parameter documentation for add_sigid and permit NULL as digest name in the provider upcall. Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16770) --- diff --git a/crypto/objects/obj_xref.c b/crypto/objects/obj_xref.c index 3a6ae02bf02..8b4980d5b59 100644 --- a/crypto/objects/obj_xref.c +++ b/crypto/objects/obj_xref.c @@ -141,7 +141,7 @@ int OBJ_add_sigid(int signid, int dig_id, int pkey_id) nid_triple *ntr; int dnid = NID_undef, pnid = NID_undef, ret = 0; - if (signid == NID_undef || dig_id == NID_undef || pkey_id == NID_undef) + if (signid == NID_undef || pkey_id == NID_undef) return 0; if (!obj_sig_init()) diff --git a/crypto/provider_core.c b/crypto/provider_core.c index e4069eb4f71..b39fb3bb1d4 100644 --- a/crypto/provider_core.c +++ b/crypto/provider_core.c @@ -1933,9 +1933,13 @@ static int core_obj_add_sigid(const OSSL_CORE_HANDLE *prov, const char *pkey_name) { int sign_nid = OBJ_txt2nid(sign_name); - int digest_nid = OBJ_txt2nid(digest_name); + int digest_nid = NID_undef; int pkey_nid = OBJ_txt2nid(pkey_name); + if (digest_name != NULL && digest_name[0] != '\0' + && (digest_nid = OBJ_txt2nid(digest_name)) == NID_undef) + return 0; + if (sign_nid == NID_undef) return 0; @@ -1946,8 +1950,7 @@ static int core_obj_add_sigid(const OSSL_CORE_HANDLE *prov, if (OBJ_find_sigid_algs(sign_nid, NULL, NULL)) return 1; - if (digest_nid == NID_undef - || pkey_nid == NID_undef) + if (pkey_nid == NID_undef) return 0; return OBJ_add_sigid(sign_nid, digest_nid, pkey_nid); diff --git a/doc/man3/OBJ_nid2obj.pod b/doc/man3/OBJ_nid2obj.pod index 2d16cc83ccd..306b33c03dd 100644 --- a/doc/man3/OBJ_nid2obj.pod +++ b/doc/man3/OBJ_nid2obj.pod @@ -99,7 +99,8 @@ given NID with two other NIDs - one representing the underlying signature algorithm and the other representing a digest algorithm to be used in conjunction with it. I represents the NID for the composite "Signature Algorithm", I is the NID for the digest algorithm and I is the -NID for the underlying signature algorithm. +NID for the underlying signature algorithm. As there are signature algorithms +that do not require a digest, NID_undef is a valid I. OBJ_cleanup() releases any resources allocated by creating new objects. diff --git a/doc/man7/provider-base.pod b/doc/man7/provider-base.pod index 881854a3afc..b3298d5c105 100644 --- a/doc/man7/provider-base.pod +++ b/doc/man7/provider-base.pod @@ -284,8 +284,9 @@ function L, except that the objects are identified by name rather than a numeric NID. Any name (OID, short name or long name) can be used to identify the object. It will treat as success the case where the composite signature algorithm already exists (even if registered against a different -underlying signature or digest algorithm). It returns 1 on success or 0 on -failure. +underlying signature or digest algorithm). For I, NULL or an +empty string is permissible for signature algorithms that do not need a digest +to operate correctly. The function returns 1 on success or 0 on failure. CRYPTO_malloc(), CRYPTO_zalloc(), CRYPTO_memdup(), CRYPTO_strdup(), CRYPTO_strndup(), CRYPTO_free(), CRYPTO_clear_free(), diff --git a/test/upcallstest.c b/test/upcallstest.c index 01e4e952377..76899fee3de 100644 --- a/test/upcallstest.c +++ b/test/upcallstest.c @@ -68,6 +68,15 @@ static int obj_provider_init(const OSSL_CORE_HANDLE *handle, if (!c_obj_add_sigid(handle, SIGALG_OID, DIGEST_SN, SIG_LN)) return 0; + /* additional tests checking empty digest algs are accepted, too */ + if (!c_obj_add_sigid(handle, SIGALG_OID, "", SIG_LN)) + return 0; + if (!c_obj_add_sigid(handle, SIGALG_OID, NULL, SIG_LN)) + return 0; + /* checking wrong digest alg name is rejected: */ + if (c_obj_add_sigid(handle, SIGALG_OID, "NonsenseAlg", SIG_LN)) + return 0; + return 1; }