From: Pauli Date: Wed, 7 Jul 2021 06:32:16 +0000 (+1000) Subject: evp: detect and raise an error if no digest is found for a sign/verify operation X-Git-Tag: openssl-3.0.0-beta2~97 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e278127cbfa2709d864ca9628a8ddb160c5c5331;p=thirdparty%2Fopenssl.git evp: detect and raise an error if no digest is found for a sign/verify operation If no digest is specified, the code looks for a default digest per PKEY via the evp_keymgmt_util_get_deflt_digest_name() call. If this call returns NULL, indicating no digest found, the code continues regardless. If the verify/sign init later fails, it returns an error without raising one. This change raises an error in this case. Fixes #15372 Reviewed-by: Richard Levitte Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16015) --- diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c index 5c5ed058764..63360a94bc8 100644 --- a/crypto/evp/m_sigver.c +++ b/crypto/evp/m_sigver.c @@ -208,7 +208,14 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, mdname, provkey, params); } - goto end; + /* + * If the operation was not a success and no digest was found, an error + * needs to be raised. + */ + if (ret > 0 || mdname != NULL) + goto end; + if (type == NULL) /* This check is redundant but clarifies matters */ + ERR_raise(ERR_LIB_EVP, EVP_R_NO_DEFAULT_DIGEST); err: evp_pkey_ctx_free_old_ops(locpctx);
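Review bot: In the added block that replaces the unconditional `goto end;`, `EVP_R_NO_DEFAULT_DIGEST` is raised for every path where `ret <= 0` and `mdname == NULL`, so an init that fails for some other reason while no digest name is set would also be reported as a missing default digest. Consider recording at the lookup site whether the default-digest query actually came back empty and raising the error only in that case, so the error queue reflects the real cause. The `if (type == NULL)` guard is marked redundant without saying why; a short note explaining why `mdname == NULL` implies `type == NULL` at this point would help. The new code also reaches `err:` by fall-through rather than an explicit `goto err`, so a comment to that effect would protect the cleanup path if code is later inserted before the label. The diff touches only `crypto/evp/m_sigver.c`; a regression test for the #15372 case that asserts the error is on the queue would lock the behaviour in.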