From: sashan <anedvedicky@gmail.com>
Date: Thu, 27 Jun 2024 14:31:41 +0000 (+0200)
Subject: EVP_DigestUpdate(): Check if ctx->update is set
X-Git-Tag: openssl-3.3.2~67
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f6801a2ec0b5654c0660ffd0ec397eed4a4af95a;p=thirdparty%2Fopenssl.git

EVP_DigestUpdate(): Check if ctx->update is set

The issue has been discovered by libFuzzer running on provider target.
There are currently three distinct reports which are addressed by
code change here.

    https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=69236#c1
    https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=69243#c1
    https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=69261#c1

the issue has been introduced with openssl 3.0.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24753)

(cherry picked from commit ad33d62396b7e9db04fdf060481ced394d391688)
---

diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c
index ab670a8f49c..38343eed4c7 100644
--- a/crypto/evp/digest.c
+++ b/crypto/evp/digest.c
@@ -425,7 +425,7 @@ int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count)
 
     /* Code below to be removed when legacy support is dropped. */
  legacy:
-    return ctx->update(ctx, data, count);
+    return ctx->update != NULL ? ctx->update(ctx, data, count) : 0;
 }
 
 /* The caller can assume that this removes any secret data from the context */
diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c
index a42e42d929d..256e10f24a9 100644
--- a/test/evp_extra_test.c
+++ b/test/evp_extra_test.c
@@ -5624,6 +5624,25 @@ static int test_aes_rc4_keylen_change_cve_2023_5363(void)
 }
 #endif
 
+static int test_invalid_ctx_for_digest(void)
+{
+    int ret;
+    EVP_MD_CTX *mdctx;
+
+    mdctx = EVP_MD_CTX_new();
+    if (!TEST_ptr(mdctx))
+        return 0;
+
+    if (!TEST_int_eq(EVP_DigestUpdate(mdctx, "test", sizeof("test") - 1), 0))
+        ret = 0;
+    else
+        ret = 1;
+
+    EVP_MD_CTX_free(mdctx);
+
+    return ret;
+}
+
 int setup_tests(void)
 {
     OPTION_CHOICE o;
@@ -5795,6 +5814,8 @@ int setup_tests(void)
     ADD_TEST(test_aes_rc4_keylen_change_cve_2023_5363);
 #endif
 
+    ADD_TEST(test_invalid_ctx_for_digest);
+
     return 1;
 }