apps/ca.c: Handle EVP_PKEY_get_default_digest_name() returning 1 with "UNDEF" #20460
Conversation
… "UNDEF" EVP_PKEY_get_default_digest_name() may return 1 with the returned digest name "UNDEF". This case hasn't been documented, and the meaning has been left undefined, until now.
levitte
added
branch: master
|
I felt a little unsure if this should go to 3.0, even though #20430 did... |
|
@baentsch, please have a look here |
| ending NUL byte. The name could be C<"UNDEF">, signifying that no digest | ||
| should be used. | ||
| ending NUL byte. The name could be C<"UNDEF">, signifying that a digest | ||
| must (for return value 2) or may (for return value 1) be left unspecified. |
There was a problem hiding this comment.
Strictly speaking, this was possible with EVP_PKEY_get_default_digest_nid() as well. No EVP_PKEY_ASN1_METHOD that I know actually did so, but it's perfectly possible to have the ctrl function to *pnid = NID_undef and return 1.
|
Should there be a test? If it can be treated as bug fix, then it should go to 3.0 as well. |
t8m
removed
the
approval: otc review pending
Just did. What I tried to test this out was to return only "OSSL_PKEY_PARAM_DEFAULT_DIGEST" from oqsprovider (value "UNDEF"). This now passes the previously "suboptimal" checks at Lines 810 to 824 in 9313694 Lines 205 to 214 in 9313694 diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c
index 630d339c35..3286826ba9 100644
--- a/crypto/evp/m_sigver.c
+++ b/crypto/evp/m_sigver.c
@@ -206,6 +206,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
if (pctx != NULL)
*pctx = locpctx;
+ mdname = canon_mdname(mdname);
if (type != NULL) {
ctx->reqdigest = type;
if (mdname == NULL)
@@ -218,7 +219,6 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
mdname = canon_mdname(locmdname);
}
}has everything working fine (an |
That looks a bit late... how about this? diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c
index 630d339c35..40312d4d79 100644
--- a/crypto/evp/m_sigver.c
+++ b/crypto/evp/m_sigver.c
@@ -88,6 +88,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
goto err;
}
+ mdname = canon_mdname(mdname);
if (!reinit) {
evp_pkey_ctx_free_old_ops(locpctx);
} else { |
I was afraid you were going to ask this.... I'm afraid that writing a test for this is a large body of work. |
LGTM (and allows my CA test suite to pass). |
Completely concur. What could be called for are tests for all openssl commands utilizing providers -- times all their parameter options -- that's a true "test case explosion". The underlying issue for this PR has been triggered by |
Then tests: exempted would apply. |
The question is why the UNDEF mdname is passed to the do_sigver_init() at all. |
Someone may have received it by calling |
|
In that case I would consider the change suggested in #20460 (comment) as a API convenience improvement. However the question is why @baentsch sees it in his tests? |
|
This PR is in a state where it requires action by @openssl/committers but the last update was 30 days ago |
I don't understand this question. Lines 1332 to 1338 in 7eab768 openssl/crypto/evp/keymgmt_lib.c Lines 560 to 566 in 7eab768 |
tmshort
added
approval: done
openssl-machine
added
approval: ready to merge
|
This pull request is ready to merge |
|
So, is this a bug fix? If so IMO it should go to 3.0 too. |
|
I think it's a bug fix, if it isn't it can't go to 3.1. |
|
Merged to master, 3.1, and 3.0 branches. Thank you. |
… "UNDEF" EVP_PKEY_get_default_digest_name() may return 1 with the returned digest name "UNDEF". This case hasn't been documented, and the meaning has been left undefined, until now. Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #20460) (cherry picked from commit af99d55)
… "UNDEF" EVP_PKEY_get_default_digest_name() may return 1 with the returned digest name "UNDEF". This case hasn't been documented, and the meaning has been left undefined, until now. Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #20460)
… "UNDEF" EVP_PKEY_get_default_digest_name() may return 1 with the returned digest name "UNDEF". This case hasn't been documented, and the meaning has been left undefined, until now. Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #20460) (cherry picked from commit af99d55)
levitte
deleted the
fix-apps-ca-regarding-EVP_PKEY_get_default_digest_name
branch
EVP_PKEY_get_default_digest_name()may return 1 with the returned digestname
"UNDEF". This case hasn't been documented, and the meaning has beenleft undefined, until now.
Related to #20428