From: Stas Mors Date: Wed, 11 Mar 2026 12:33:49 +0000 (+0300) Subject: Change EVP_get_digestbynid to EVP_MD_fetch in a_verify and cms_sd X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e6c4b93dfcab8a42541debcb567c533ae346566a;p=thirdparty%2Fopenssl.git Change EVP_get_digestbynid to EVP_MD_fetch in a_verify and cms_sd Exchange EVP_get_digestbynid to EVP_MD_fetch for correct getting nid from provider Reviewed-by: Simo Sorce Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/30206) --- diff --git a/crypto/asn1/a_verify.c b/crypto/asn1/a_verify.c index 188c6c93fc7..3772939e744 100644 --- a/crypto/asn1/a_verify.c +++ b/crypto/asn1/a_verify.c @@ -86,34 +86,12 @@ err: #endif -int ASN1_item_verify(const ASN1_ITEM *it, const X509_ALGOR *alg, - const ASN1_BIT_STRING *signature, const void *data, - EVP_PKEY *pkey) -{ - return ASN1_item_verify_ex(it, alg, signature, data, NULL, pkey, NULL, NULL); -} - -int ASN1_item_verify_ex(const ASN1_ITEM *it, const X509_ALGOR *alg, - const ASN1_BIT_STRING *signature, const void *data, - const ASN1_OCTET_STRING *id, EVP_PKEY *pkey, - OSSL_LIB_CTX *libctx, const char *propq) -{ - EVP_MD_CTX *ctx; - int rv = -1; - - if ((ctx = evp_md_ctx_new_ex(pkey, id, libctx, propq)) != NULL) { - rv = ASN1_item_verify_ctx(it, alg, signature, data, ctx); - EVP_PKEY_CTX_free(EVP_MD_CTX_get_pkey_ctx(ctx)); - EVP_MD_CTX_free(ctx); - } - return rv; -} - -int ASN1_item_verify_ctx(const ASN1_ITEM *it, const X509_ALGOR *alg, +static int item_verify(const ASN1_ITEM *it, const X509_ALGOR *alg, const ASN1_BIT_STRING *signature, const void *data, - EVP_MD_CTX *ctx) + EVP_MD_CTX *ctx, OSSL_LIB_CTX *libctx, const char *propq) { EVP_PKEY *pkey; + EVP_MD *type = NULL; unsigned char *buf_in = NULL; int ret = -1, inl = 0; int mdnid, pknid; 
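Review bot: The new static helper `item_verify` in the first a_verify.c hunk takes `libctx` and `propq` with no comment saying what they govern or that NULL is accepted. In the visible hunks they are used only for the digest fetch, and `ASN1_item_verify_ctx` passes NULL for both, so a header such as `/* libctx and propq select the provider for the message digest fetch; both may be NULL (default library context, no property query). */` above the definition would make that contract explicit. A one-line comment at `EVP_MD *type = NULL;` could also note that the digest is now a fetched reference released under `err:`. The function body continues outside this hunk.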
@@ -154,8 +132,6 @@ int ASN1_item_verify_ctx(const ASN1_ITEM *it, const X509_ALGOR *alg, if (ret <= 1) goto err; } else { - const EVP_MD *type = NULL; - /* * We don't yet have the ability for providers to be able to handle * X509_ALGOR style parameters. Fortunately the only one that needs this @@ -180,7 +156,7 @@ int ASN1_item_verify_ctx(const ASN1_ITEM *it, const X509_ALGOR *alg, } if (mdnid != NID_undef) { - type = EVP_get_digestbynid(mdnid); + type = EVP_MD_fetch(libctx, OBJ_nid2sn(mdnid), propq); if (type == NULL) { ERR_raise_data(ERR_LIB_ASN1, ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM, @@ -222,6 +198,37 @@ int ASN1_item_verify_ctx(const ASN1_ITEM *it, const X509_ALGOR *alg, } ret = 1; err: + EVP_MD_free(type); OPENSSL_clear_free(buf_in, inll); return ret; } + +int ASN1_item_verify(const ASN1_ITEM *it, const X509_ALGOR *alg, + const ASN1_BIT_STRING *signature, const void *data, + EVP_PKEY *pkey) +{ + return ASN1_item_verify_ex(it, alg, signature, data, NULL, pkey, NULL, NULL); +} + +int ASN1_item_verify_ex(const ASN1_ITEM *it, const X509_ALGOR *alg, + const ASN1_BIT_STRING *signature, const void *data, + const ASN1_OCTET_STRING *id, EVP_PKEY *pkey, + OSSL_LIB_CTX *libctx, const char *propq) +{ + EVP_MD_CTX *ctx; + int rv = -1; + + if ((ctx = evp_md_ctx_new_ex(pkey, id, libctx, propq)) != NULL) { + rv = item_verify(it, alg, signature, data, ctx, libctx, propq); + EVP_PKEY_CTX_free(EVP_MD_CTX_get_pkey_ctx(ctx)); + EVP_MD_CTX_free(ctx); + } + return rv; +} + +int ASN1_item_verify_ctx(const ASN1_ITEM *it, const X509_ALGOR *alg, + const ASN1_BIT_STRING *signature, const void *data, + EVP_MD_CTX *ctx) +{ + return item_verify(it, alg, signature, data, ctx, NULL, NULL); +} diff --git a/crypto/cms/cms_sd.c b/crypto/cms/cms_sd.c index afca47a703d..60628cb9396 100644 --- a/crypto/cms/cms_sd.c +++ b/crypto/cms/cms_sd.c 
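Review bot: `ASN1_item_verify_ctx`, at the end of the last a_verify.c hunk, calls `item_verify(..., ctx, NULL, NULL)`, so the digest fetched in the `-180` hunk always comes from the default library context with no property query, whatever the caller configured on `ctx`. An application that built the `EVP_MD_CTX` around an `EVP_PKEY_CTX` from its own `OSSL_LIB_CTX`, or with a restrictive property query, would presumably either fail with `ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM` or have the digest name resolved against providers it did not select for signature verification. Consider taking both values from the context when it carries a pkey ctx: `EVP_PKEY_CTX *pctx = EVP_MD_CTX_get_pkey_ctx(ctx);`, then pass `pctx != NULL ? EVP_PKEY_CTX_get0_libctx(pctx) : NULL` and `pctx != NULL ? EVP_PKEY_CTX_get0_propq(pctx) : NULL`. A test that verifies through `ASN1_item_verify_ctx` with a non-default library context would pin this behaviour down.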
@@ -493,9 +493,9 @@ static const char *cms_mdless_signing(EVP_PKEY *pkey) return NULL; } -static const EVP_MD *ossl_cms_get_default_md(EVP_PKEY *pk, int *md_a_must) +static EVP_MD *ossl_cms_get_default_md(const CMS_CTX *ctx, EVP_PKEY *pk, int *md_a_must) { - const EVP_MD *md; + EVP_MD *md = NULL; unsigned int i; int def_nid = NID_undef; @@ -514,29 +514,28 @@ static const EVP_MD *ossl_cms_get_default_md(EVP_PKEY *pk, int *md_a_must) "pkey nid=%d", EVP_PKEY_get_id(pk)); return NULL; } - md = EVP_get_digestbynid(def_nid); + md = EVP_MD_fetch(ossl_cms_ctx_get0_libctx(ctx), OBJ_nid2sn(def_nid), ossl_cms_ctx_get0_propq(ctx)); if (md == NULL) ERR_raise_data(ERR_LIB_CMS, CMS_R_NO_DEFAULT_DIGEST, "default md nid=%d", def_nid); return md; } -static const EVP_MD *ossl_cms_get_noattr_md(EVP_PKEY *pk, int *noattr_md_a_must) +static EVP_MD *ossl_cms_get_noattr_md(const CMS_CTX *ctx, EVP_PKEY *pk, int *noattr_md_a_must) { unsigned int i; for (i = 0; key2data[i].name != NULL; i++) { if (EVP_PKEY_is_a(pk, key2data[i].name)) { *noattr_md_a_must = key2data[i].noattr_md_a_must; - return EVP_get_digestbynid(key2data[i].noattr_md_nid); + return EVP_MD_fetch(ossl_cms_ctx_get0_libctx(ctx), OBJ_nid2sn(key2data[i].noattr_md_nid), ossl_cms_ctx_get0_propq(ctx)); } } return NULL; } -static int ossl_cms_adjust_md(EVP_PKEY *pk, const EVP_MD **md, unsigned int flags) +static int ossl_cms_adjust_md(const CMS_CTX *ctx, EVP_PKEY *pk, const EVP_MD **md, EVP_MD **fetched_md, unsigned int flags) { - const EVP_MD *tmp_md; int md_a_must = 0; while ((flags & CMS_NOATTR) != 0) { 
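Review bot: In `ossl_cms_get_noattr_md` the table lookup becomes `EVP_MD_fetch(...)` with no check on `key2data[i].noattr_md_nid`, and a fetch that finds nothing normally leaves an entry on the error queue, which the silent `EVP_get_digestbynid` did not. `ossl_cms_adjust_md` treats a NULL return as "use the default" and carries on, so a stale fetch error may survive a signer add that otherwise succeeds. The default-digest lookup, by contrast, is bracketed by `ERR_set_mark()`/`ERR_pop_to_mark()` when its failure is tolerated. If any `key2data` entry has no noattr digest (the table is outside this hunk), add `if (key2data[i].noattr_md_nid == NID_undef) return NULL;` after `*noattr_md_a_must` is set, or mark and pop around the fetch. Both helpers now return an owned reference, so a short comment that the caller must `EVP_MD_free()` the result would also help.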
@@ -547,26 +546,26 @@ static int ossl_cms_adjust_md(EVP_PKEY *pk, const EVP_MD **md, unsigned int flag */ int noattr_md_a_must = 0; - tmp_md = ossl_cms_get_noattr_md(pk, &noattr_md_a_must); - if (tmp_md == NULL) + *fetched_md = ossl_cms_get_noattr_md(ctx, pk, &noattr_md_a_must); + if (*fetched_md == NULL) break; /* key type not listed - use the default */ if (noattr_md_a_must) - *md = tmp_md; + *md = *fetched_md; else if (*md == NULL) - *md = tmp_md; + *md = *fetched_md; return 1; } if (*md != NULL) (void)ERR_set_mark(); /* No error if no default md and user-supplied md is set */ - tmp_md = ossl_cms_get_default_md(pk, &md_a_must); + *fetched_md = ossl_cms_get_default_md(ctx, pk, &md_a_must); if (*md != NULL) (void)ERR_pop_to_mark(); if (md_a_must) - *md = tmp_md; + *md = *fetched_md; else if (*md == NULL) - *md = tmp_md; + *md = *fetched_md; if (*md == NULL) /* ED448 case */ return 0; @@ -578,6 +577,7 @@ CMS_SignerInfo *CMS_add1_signer(CMS_ContentInfo *cms, X509 *signer, EVP_PKEY *pk, const EVP_MD *md, unsigned int flags) { + EVP_MD *local_md = NULL; CMS_SignedData *sd; CMS_SignerInfo *si = NULL; X509_ALGOR *alg; @@ -631,7 +631,7 @@ CMS_SignerInfo *CMS_add1_signer(CMS_ContentInfo *cms, if (!ossl_cms_set1_SignerIdentifier(si->sid, signer, type, ctx)) goto err; - if (ossl_cms_adjust_md(pk, &md, flags) != 1) + if (ossl_cms_adjust_md(ctx, pk, &md, &local_md, flags) != 1 && local_md != md) goto err; if (!X509_ALGOR_set_md(si->digestAlgorithm, md)) @@ -763,9 +763,11 @@ CMS_SignerInfo *CMS_add1_signer(CMS_ContentInfo *cms, ERR_raise(ERR_LIB_CMS, ERR_R_CRYPTO_LIB); goto err; } + EVP_MD_free(local_md); return si; err: + EVP_MD_free(local_md); M_ASN1_free_of(si, CMS_SignerInfo); return NULL; }
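Review bot: `ossl_cms_adjust_md` now has two out-parameters whose relationship is not documented: `*fetched_md` receives an owned reference, while `*md` may end up aliasing it or keep pointing at the caller's digest. Nothing at the function says that the caller has to keep `*fetched_md` alive for as long as `*md` is used and release it exactly once with `EVP_MD_free()`. Propose a comment above the definition along the lines of `/* On return *md is the digest to use; *fetched_md, if non-NULL, is a fetched reference owned by the caller that *md may alias. */`. The function starts in the previous hunk and its tail is outside this one.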
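Review bot: The added `&& local_md != md` in `CMS_add1_signer` looks like it disables the failure check on `ossl_cms_adjust_md`. In the visible lines that function returns 0 only when `*md == NULL`, and on that path `*md` stays NULL only if `*fetched_md` is NULL too. So `local_md != md` is false exactly when the call fails, and control falls through to `X509_ALGOR_set_md(si->digestAlgorithm, md)` with a NULL digest. Unless a return path outside the hunks behaves differently, the condition should stay as it was: `if (ossl_cms_adjust_md(ctx, pk, &md, &local_md, flags) != 1) goto err;`. `local_md` is already released under `err:`, so the cleanup needs no further change.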