Commit 917d286c40 for openssl.org

commit 917d286c403b76de6d6133b0b65d1ba112866f09
Author: Viktor Dukhovni <openssl-users@dukhovni.org>
Date:   Wed Feb 11 01:55:02 2026 +1100

    SM2 digest sign/verify context initialisation fix

    SM digest sign/verify context initialisation needs to set the
    "compute_z_digest" flag earlier, before calling sm2sig_signature_init(),
    to process the provided parameters, because otherwise attempts to set
    the "distinguished identifier" will erroneously fail.

    Reviewed-by: Tim Hudson <tjh@openssl.org>
    Reviewed-by: Matt Caswell <matt@openssl.org>
    Reviewed-by: Tomas Mraz <tomas@openssl.org>
    Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
    MergeDate: Sat Feb 21 13:25:19 2026
    (Merged from https://github.com/openssl/openssl/pull/29953)

diff --git a/providers/implementations/signature/sm2_sig.c b/providers/implementations/signature/sm2_sig.c
index b79485c52d..1c0433f677 100644
--- a/providers/implementations/signature/sm2_sig.c
+++ b/providers/implementations/signature/sm2_sig.c
@@ -215,6 +215,12 @@ static int sm2sig_digest_signverify_init(void *vpsm2ctx, const char *mdname,
     int ret = 0;
     unsigned char *aid = NULL;

+    /*
+     * Each EVP_Digest{Sign,Verify}Init_ex(3) starts with fresh content, that
+     * needs to recompute the "Z" digest.
+     */
+    ctx->flag_compute_z_digest = 1;
+
     if (!sm2sig_signature_init(vpsm2ctx, ec, params)
         || !sm2sig_set_mdname(ctx, mdname))
         return ret;
@@ -248,8 +254,6 @@ static int sm2sig_digest_signverify_init(void *vpsm2ctx, const char *mdname,
     if (!EVP_DigestInit_ex2(ctx->mdctx, ctx->md, params))
         goto error;

-    ctx->flag_compute_z_digest = 1;
-
     ret = 1;

 error: