Commit e6c4b93dfc for openssl.org
commit e6c4b93dfcab8a42541debcb567c533ae346566a
Author: Stas Mors <morstas99@mail.ru>
Date: Wed Mar 11 15:33:49 2026 +0300
Change EVP_get_digestbynid to EVP_MD_fetch in a_verify and cms_sd
Exchange EVP_get_digestbynid to EVP_MD_fetch for correct getting nid from provider
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/30206)
diff --git a/crypto/asn1/a_verify.c b/crypto/asn1/a_verify.c
index 188c6c93fc..3772939e74 100644
--- a/crypto/asn1/a_verify.c
+++ b/crypto/asn1/a_verify.c
@@ -86,34 +86,12 @@ err:
#endif
-int ASN1_item_verify(const ASN1_ITEM *it, const X509_ALGOR *alg,
- const ASN1_BIT_STRING *signature, const void *data,
- EVP_PKEY *pkey)
-{
- return ASN1_item_verify_ex(it, alg, signature, data, NULL, pkey, NULL, NULL);
-}
-
-int ASN1_item_verify_ex(const ASN1_ITEM *it, const X509_ALGOR *alg,
- const ASN1_BIT_STRING *signature, const void *data,
- const ASN1_OCTET_STRING *id, EVP_PKEY *pkey,
- OSSL_LIB_CTX *libctx, const char *propq)
-{
- EVP_MD_CTX *ctx;
- int rv = -1;
-
- if ((ctx = evp_md_ctx_new_ex(pkey, id, libctx, propq)) != NULL) {
- rv = ASN1_item_verify_ctx(it, alg, signature, data, ctx);
- EVP_PKEY_CTX_free(EVP_MD_CTX_get_pkey_ctx(ctx));
- EVP_MD_CTX_free(ctx);
- }
- return rv;
-}
-
-int ASN1_item_verify_ctx(const ASN1_ITEM *it, const X509_ALGOR *alg,
+static int item_verify(const ASN1_ITEM *it, const X509_ALGOR *alg,
const ASN1_BIT_STRING *signature, const void *data,
- EVP_MD_CTX *ctx)
+ EVP_MD_CTX *ctx, OSSL_LIB_CTX *libctx, const char *propq)
{
EVP_PKEY *pkey;
+ EVP_MD *type = NULL;
unsigned char *buf_in = NULL;
int ret = -1, inl = 0;
int mdnid, pknid;
@@ -154,8 +132,6 @@ int ASN1_item_verify_ctx(const ASN1_ITEM *it, const X509_ALGOR *alg,
if (ret <= 1)
goto err;
} else {
- const EVP_MD *type = NULL;
-
/*
* We don't yet have the ability for providers to be able to handle
* X509_ALGOR style parameters. Fortunately the only one that needs this
@@ -180,7 +156,7 @@ int ASN1_item_verify_ctx(const ASN1_ITEM *it, const X509_ALGOR *alg,
}
if (mdnid != NID_undef) {
- type = EVP_get_digestbynid(mdnid);
+ type = EVP_MD_fetch(libctx, OBJ_nid2sn(mdnid), propq);
if (type == NULL) {
ERR_raise_data(ERR_LIB_ASN1,
ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM,
@@ -222,6 +198,37 @@ int ASN1_item_verify_ctx(const ASN1_ITEM *it, const X509_ALGOR *alg,
}
ret = 1;
err:
+ EVP_MD_free(type);
OPENSSL_clear_free(buf_in, inll);
return ret;
}
+
+int ASN1_item_verify(const ASN1_ITEM *it, const X509_ALGOR *alg,
+ const ASN1_BIT_STRING *signature, const void *data,
+ EVP_PKEY *pkey)
+{
+ return ASN1_item_verify_ex(it, alg, signature, data, NULL, pkey, NULL, NULL);
+}
+
+int ASN1_item_verify_ex(const ASN1_ITEM *it, const X509_ALGOR *alg,
+ const ASN1_BIT_STRING *signature, const void *data,
+ const ASN1_OCTET_STRING *id, EVP_PKEY *pkey,
+ OSSL_LIB_CTX *libctx, const char *propq)
+{
+ EVP_MD_CTX *ctx;
+ int rv = -1;
+
+ if ((ctx = evp_md_ctx_new_ex(pkey, id, libctx, propq)) != NULL) {
+ rv = item_verify(it, alg, signature, data, ctx, libctx, propq);
+ EVP_PKEY_CTX_free(EVP_MD_CTX_get_pkey_ctx(ctx));
+ EVP_MD_CTX_free(ctx);
+ }
+ return rv;
+}
+
+int ASN1_item_verify_ctx(const ASN1_ITEM *it, const X509_ALGOR *alg,
+ const ASN1_BIT_STRING *signature, const void *data,
+ EVP_MD_CTX *ctx)
+{
+ return item_verify(it, alg, signature, data, ctx, NULL, NULL);
+}
diff --git a/crypto/cms/cms_sd.c b/crypto/cms/cms_sd.c
index afca47a703..60628cb939 100644
--- a/crypto/cms/cms_sd.c
+++ b/crypto/cms/cms_sd.c
@@ -493,9 +493,9 @@ static const char *cms_mdless_signing(EVP_PKEY *pkey)
return NULL;
}
-static const EVP_MD *ossl_cms_get_default_md(EVP_PKEY *pk, int *md_a_must)
+static EVP_MD *ossl_cms_get_default_md(const CMS_CTX *ctx, EVP_PKEY *pk, int *md_a_must)
{
- const EVP_MD *md;
+ EVP_MD *md = NULL;
unsigned int i;
int def_nid = NID_undef;
@@ -514,29 +514,28 @@ static const EVP_MD *ossl_cms_get_default_md(EVP_PKEY *pk, int *md_a_must)
"pkey nid=%d", EVP_PKEY_get_id(pk));
return NULL;
}
- md = EVP_get_digestbynid(def_nid);
+ md = EVP_MD_fetch(ossl_cms_ctx_get0_libctx(ctx), OBJ_nid2sn(def_nid), ossl_cms_ctx_get0_propq(ctx));
if (md == NULL)
ERR_raise_data(ERR_LIB_CMS, CMS_R_NO_DEFAULT_DIGEST,
"default md nid=%d", def_nid);
return md;
}
-static const EVP_MD *ossl_cms_get_noattr_md(EVP_PKEY *pk, int *noattr_md_a_must)
+static EVP_MD *ossl_cms_get_noattr_md(const CMS_CTX *ctx, EVP_PKEY *pk, int *noattr_md_a_must)
{
unsigned int i;
for (i = 0; key2data[i].name != NULL; i++) {
if (EVP_PKEY_is_a(pk, key2data[i].name)) {
*noattr_md_a_must = key2data[i].noattr_md_a_must;
- return EVP_get_digestbynid(key2data[i].noattr_md_nid);
+ return EVP_MD_fetch(ossl_cms_ctx_get0_libctx(ctx), OBJ_nid2sn(key2data[i].noattr_md_nid), ossl_cms_ctx_get0_propq(ctx));
}
}
return NULL;
}
-static int ossl_cms_adjust_md(EVP_PKEY *pk, const EVP_MD **md, unsigned int flags)
+static int ossl_cms_adjust_md(const CMS_CTX *ctx, EVP_PKEY *pk, const EVP_MD **md, EVP_MD **fetched_md, unsigned int flags)
{
- const EVP_MD *tmp_md;
int md_a_must = 0;
while ((flags & CMS_NOATTR) != 0) {
@@ -547,26 +546,26 @@ static int ossl_cms_adjust_md(EVP_PKEY *pk, const EVP_MD **md, unsigned int flag
*/
int noattr_md_a_must = 0;
- tmp_md = ossl_cms_get_noattr_md(pk, &noattr_md_a_must);
- if (tmp_md == NULL)
+ *fetched_md = ossl_cms_get_noattr_md(ctx, pk, &noattr_md_a_must);
+ if (*fetched_md == NULL)
break; /* key type not listed - use the default */
if (noattr_md_a_must)
- *md = tmp_md;
+ *md = *fetched_md;
else if (*md == NULL)
- *md = tmp_md;
+ *md = *fetched_md;
return 1;
}
if (*md != NULL)
(void)ERR_set_mark(); /* No error if no default md and user-supplied md is set */
- tmp_md = ossl_cms_get_default_md(pk, &md_a_must);
+ *fetched_md = ossl_cms_get_default_md(ctx, pk, &md_a_must);
if (*md != NULL)
(void)ERR_pop_to_mark();
if (md_a_must)
- *md = tmp_md;
+ *md = *fetched_md;
else if (*md == NULL)
- *md = tmp_md;
+ *md = *fetched_md;
if (*md == NULL) /* ED448 case */
return 0;
@@ -578,6 +577,7 @@ CMS_SignerInfo *CMS_add1_signer(CMS_ContentInfo *cms,
X509 *signer, EVP_PKEY *pk, const EVP_MD *md,
unsigned int flags)
{
+ EVP_MD *local_md = NULL;
CMS_SignedData *sd;
CMS_SignerInfo *si = NULL;
X509_ALGOR *alg;
@@ -631,7 +631,7 @@ CMS_SignerInfo *CMS_add1_signer(CMS_ContentInfo *cms,
if (!ossl_cms_set1_SignerIdentifier(si->sid, signer, type, ctx))
goto err;
- if (ossl_cms_adjust_md(pk, &md, flags) != 1)
+ if (ossl_cms_adjust_md(ctx, pk, &md, &local_md, flags) != 1 && local_md != md)
goto err;
if (!X509_ALGOR_set_md(si->digestAlgorithm, md))
@@ -763,9 +763,11 @@ CMS_SignerInfo *CMS_add1_signer(CMS_ContentInfo *cms,
ERR_raise(ERR_LIB_CMS, ERR_R_CRYPTO_LIB);
goto err;
}
+ EVP_MD_free(local_md);
return si;
err:
+ EVP_MD_free(local_md);
M_ASN1_free_of(si, CMS_SignerInfo);
return NULL;
}