From: Abel Tom <abeltom.kernel@gmail.com>
Date: Sun, 26 Apr 2026 13:52:10 +0000 (+0200)
Subject: Fixes #30966: return value for certain cases in EVP_cipher_get_type
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6fa2e0fe749f070fd85526386e99968543b3845b;p=thirdparty%2Fopenssl.git

Fixes #30966: return value for certain cases in EVP_cipher_get_type

The function previously returned `NID_des_cfb64` even when nid of the
passed cipher was NID_des_ede3_cfb64, NID_des_ede3_cfb8,
NID_des_ede3_cfb1.

Corrected now to return `NID_des_ede3_cfb64`.

Added an extra test to verify the change.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Wed May  6 18:58:09 2026
(Merged from https://github.com/openssl/openssl/pull/30977)
---

diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c
index dee8137ec4f..581771a5c0b 100644
--- a/crypto/evp/evp_lib.c
+++ b/crypto/evp/evp_lib.c
@@ -283,7 +283,7 @@ int EVP_CIPHER_get_type(const EVP_CIPHER *cipher)
     case NID_des_ede3_cfb8:
     case NID_des_ede3_cfb1:
 
-        return NID_des_cfb64;
+        return NID_des_ede3_cfb64;
 
     default:
 #ifdef FIPS_MODULE
diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c
index 61d08c1374c..c178c6b63ad 100644
--- a/test/evp_extra_test.c
+++ b/test/evp_extra_test.c
@@ -7066,6 +7066,69 @@ end:
     EVP_CIPHER_CTX_free(ctx);
     return ret;
 }
+#ifndef OPENSSL_NO_DES
+static int test_EVP_CIPHER_get_type_des_ede3(void)
+{
+    const EVP_CIPHER *cipher = NULL;
+    int base_type, variant_type, nid;
+    int ret = 0;
+
+    /* Get the base type from CFB64 (should be NID_des_ede3_cfb64) */
+    cipher = EVP_des_ede3_cfb64();
+    base_type = EVP_CIPHER_get_type(cipher);
+
+    /* Test CFB64 - should map to the same base_type */
+    variant_type = EVP_CIPHER_get_type(cipher);
+    nid = EVP_CIPHER_get_nid(cipher);
+
+    /* Verify the returned type */
+    if (!TEST_int_eq(variant_type, base_type))
+        goto end;
+
+    /* Verify that variant_type and nid are same for 64-bit variants */
+    if (!TEST_int_eq(variant_type, nid))
+        goto end;
+
+    if (!TEST_int_eq(NID_des_ede3_cfb64, variant_type))
+        goto end;
+
+    /* Test CFB8 - should map to the same base_type */
+    cipher = EVP_des_ede3_cfb8();
+    variant_type = EVP_CIPHER_get_type(cipher);
+    nid = EVP_CIPHER_get_nid(cipher);
+
+    /* Verify the returned type */
+    if (!TEST_int_eq(variant_type, base_type))
+        goto end;
+
+    /* Verify that variant_type and nid are different for variants */
+    if (!TEST_int_ne(variant_type, nid))
+        goto end;
+
+    if (!TEST_int_eq(NID_des_ede3_cfb64, variant_type))
+        goto end;
+
+    /* Test CFB1 - should map to the same base_type */
+    cipher = EVP_des_ede3_cfb1();
+    variant_type = EVP_CIPHER_get_type(cipher);
+    nid = EVP_CIPHER_get_nid(cipher);
+
+    /* Verify the returned type */
+    if (!TEST_int_eq(variant_type, base_type))
+        goto end;
+
+    /* Verify that variant_type and nid are different for variants */
+    if (!TEST_int_ne(variant_type, nid))
+        goto end;
+
+    if (!TEST_int_eq(NID_des_ede3_cfb64, variant_type))
+        goto end;
+
+    ret = 1;
+end:
+    return ret;
+}
+#endif /*OPENSSL_NO_DES */
 
 static int test_evp_cipher_pipeline(void)
 {
@@ -7870,7 +7933,8 @@ int setup_tests(void)
     ADD_ALL_TESTS(test_evp_iv_aes, 13);
 #ifndef OPENSSL_NO_DES
     ADD_ALL_TESTS(test_evp_iv_des, 6);
-#endif
+    ADD_TEST(test_EVP_CIPHER_get_type_des_ede3);
+#endif /* OPENSSL_NO_DES */
 #ifndef OPENSSL_NO_BF
     ADD_ALL_TESTS(test_evp_bf_default_keylen, 4);
 #endif