New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
apps/ca.c: Handle EVP_PKEY_get_default_digest_name() returning 1 with "UNDEF" #20460
apps/ca.c: Handle EVP_PKEY_get_default_digest_name() returning 1 with "UNDEF" #20460
Conversation
… "UNDEF" EVP_PKEY_get_default_digest_name() may return 1 with the returned digest name "UNDEF". This case hasn't been documented, and the meaning has been left undefined, until now.
I felt a little unsure if this should go to 3.0, even though #20430 did... |
@baentsch, please have a look here |
ending NUL byte. The name could be C<"UNDEF">, signifying that no digest | ||
should be used. | ||
ending NUL byte. The name could be C<"UNDEF">, signifying that a digest | ||
must (for return value 2) or may (for return value 1) be left unspecified. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Strictly speaking, this was possible with EVP_PKEY_get_default_digest_nid()
as well. No EVP_PKEY_ASN1_METHOD
that I know actually did so, but it's perfectly possible to have the ctrl function to *pnid = NID_undef
and return 1.
Should there be a test? If it can be treated as bug fix, then it should go to 3.0 as well. |
Just did. What I tried to test this out was to return only "OSSL_PKEY_PARAM_DEFAULT_DIGEST" from oqsprovider (value "UNDEF"). This now passes the previously "suboptimal" checks at Lines 810 to 824 in 9313694
Lines 205 to 214 in 9313694
diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c
index 630d339c35..3286826ba9 100644
--- a/crypto/evp/m_sigver.c
+++ b/crypto/evp/m_sigver.c
@@ -206,6 +206,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
if (pctx != NULL)
*pctx = locpctx;
+ mdname = canon_mdname(mdname);
if (type != NULL) {
ctx->reqdigest = type;
if (mdname == NULL)
@@ -218,7 +219,6 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
mdname = canon_mdname(locmdname);
}
} has everything working fine (an |
That looks a bit late... how about this? diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c
index 630d339c35..40312d4d79 100644
--- a/crypto/evp/m_sigver.c
+++ b/crypto/evp/m_sigver.c
@@ -88,6 +88,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
goto err;
}
+ mdname = canon_mdname(mdname);
if (!reinit) {
evp_pkey_ctx_free_old_ops(locpctx);
} else { |
I was afraid you were going to ask this.... I'm afraid that writing a test for this is a large body of work. |
LGTM (and allows my CA test suite to pass). |
Completely concur. What could be called for are tests for all openssl commands utilizing providers -- times all their parameter options -- that's a true "test case explosion". The underlying issue for this PR has been triggered by |
Then tests: exempted would apply. |
The question is why the UNDEF mdname is passed to the do_sigver_init() at all. |
Someone may have received it by calling |
In that case I would consider the change suggested in #20460 (comment) as a API convenience improvement. However the question is why @baentsch sees it in his tests? |
This PR is in a state where it requires action by @openssl/committers but the last update was 30 days ago |
I don't understand this question. Lines 1332 to 1338 in 7eab768
openssl/crypto/evp/keymgmt_lib.c Lines 560 to 566 in 7eab768
|
This pull request is ready to merge |
So, is this a bug fix? If so IMO it should go to 3.0 too. |
I think it's a bug fix, if it isn't it can't go to 3.1. |
Merged to master, 3.1, and 3.0 branches. Thank you. |
… "UNDEF" EVP_PKEY_get_default_digest_name() may return 1 with the returned digest name "UNDEF". This case hasn't been documented, and the meaning has been left undefined, until now. Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #20460) (cherry picked from commit af99d55)
… "UNDEF" EVP_PKEY_get_default_digest_name() may return 1 with the returned digest name "UNDEF". This case hasn't been documented, and the meaning has been left undefined, until now. Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #20460)
… "UNDEF" EVP_PKEY_get_default_digest_name() may return 1 with the returned digest name "UNDEF". This case hasn't been documented, and the meaning has been left undefined, until now. Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #20460) (cherry picked from commit af99d55)
EVP_PKEY_get_default_digest_name()
may return 1 with the returned digestname
"UNDEF"
. This case hasn't been documented, and the meaning has beenleft undefined, until now.
Related to #20428