[openssl] openssl-3.0 update

tomas at openssl.org tomas at openssl.org
Fri Nov 12 15:41:21 UTC 2021


The branch openssl-3.0 has been updated
       via  33665a9389e216b5a1f64fa48c8795dc78973621 (commit)
      from  32b172b0b5ee8f3ba9efffb13b3f612024b9e13d (commit)


- Log -----------------------------------------------------------------
commit 33665a9389e216b5a1f64fa48c8795dc78973621
Author: Tomas Mraz <tomas at openssl.org>
Date:   Thu Nov 4 11:06:26 2021 +0100

    do_sigver_init: Allow reinitialization of an existing operation.
    
    Fixes #16936
    
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/16964)
    
    (cherry picked from commit ae6b68b761b9c5f30897747487ea943ccfab53ba)

-----------------------------------------------------------------------

Summary of changes:
 crypto/evp/m_sigver.c                              | 38 ++++++++++++++++------
 .../implementations/signature/mac_legacy_sig.c     | 13 +++++---
 test/evp_extra_test.c                              |  7 ++++
 3 files changed, 43 insertions(+), 15 deletions(-)

diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c
index 80570973dd..9188edbc21 100644
--- a/crypto/evp/m_sigver.c
+++ b/crypto/evp/m_sigver.c
@@ -49,7 +49,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
     const char *supported_sig = NULL;
     char locmdname[80] = "";     /* 80 chars should be enough */
     void *provkey = NULL;
-    int ret, iter;
+    int ret, iter, reinit = 1;
 
     if (ctx->algctx != NULL) {
         if (!ossl_assert(ctx->digest != NULL)) {
@@ -62,6 +62,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
     }
 
     if (ctx->pctx == NULL) {
+        reinit = 0;
         if (e == NULL)
             ctx->pctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, props);
         else
@@ -71,22 +72,37 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
         return 0;
 
     locpctx = ctx->pctx;
-    evp_pkey_ctx_free_old_ops(locpctx);
-
-    if (props == NULL)
-        props = locpctx->propquery;
-
     ERR_set_mark();
 
     if (evp_pkey_ctx_is_legacy(locpctx))
         goto legacy;
 
+    /* do not reinitialize if pkey is set or operation is different */
+    if (reinit
+        && (pkey != NULL
+            || locpctx->operation != (ver ? EVP_PKEY_OP_VERIFYCTX
+                                          : EVP_PKEY_OP_SIGNCTX)
+            || (signature = locpctx->op.sig.signature) == NULL
+            || locpctx->op.sig.algctx == NULL))
+        reinit = 0;
+
+    if (props == NULL)
+        props = locpctx->propquery;
+
     if (locpctx->pkey == NULL) {
         ERR_clear_last_mark();
         ERR_raise(ERR_LIB_EVP, EVP_R_NO_KEY_SET);
         goto err;
     }
 
+    if (!reinit) {
+        evp_pkey_ctx_free_old_ops(locpctx);
+    } else {
+        if (mdname == NULL && type == NULL)
+            mdname = canon_mdname(EVP_MD_get0_name(ctx->reqdigest));
+        goto reinitialize;
+    }
+
     /*
      * Try to derive the supported signature from |locpctx->keymgmt|.
      */
@@ -183,9 +199,6 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
 
     /* No more legacy from here down to legacy: */
 
-    if (pctx != NULL)
-        *pctx = locpctx;
-
     locpctx->op.sig.signature = signature;
     locpctx->operation = ver ? EVP_PKEY_OP_VERIFYCTX
                              : EVP_PKEY_OP_SIGNCTX;
@@ -195,12 +208,17 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
         ERR_raise(ERR_LIB_EVP,  EVP_R_INITIALIZATION_ERROR);
         goto err;
     }
+
+ reinitialize:
+    if (pctx != NULL)
+        *pctx = locpctx;
+
     if (type != NULL) {
         ctx->reqdigest = type;
         if (mdname == NULL)
             mdname = canon_mdname(EVP_MD_get0_name(type));
     } else {
-        if (mdname == NULL) {
+        if (mdname == NULL && !reinit) {
             if (evp_keymgmt_util_get_deflt_digest_name(tmp_keymgmt, provkey,
                                                        locmdname,
                                                        sizeof(locmdname)) > 0) {
diff --git a/providers/implementations/signature/mac_legacy_sig.c b/providers/implementations/signature/mac_legacy_sig.c
index 06f79505ff..0866e68d9b 100644
--- a/providers/implementations/signature/mac_legacy_sig.c
+++ b/providers/implementations/signature/mac_legacy_sig.c
@@ -101,13 +101,16 @@ static int mac_digest_sign_init(void *vpmacctx, const char *mdname, void *vkey,
     const char *ciphername = NULL, *engine = NULL;
 
     if (!ossl_prov_is_running()
-            || pmacctx == NULL
-            || vkey == NULL
-            || !ossl_mac_key_up_ref(vkey))
+        || pmacctx == NULL
+        || (pmacctx->key == NULL && vkey == NULL))
         return 0;
 
-    ossl_mac_key_free(pmacctx->key);
-    pmacctx->key = vkey;
+    if (vkey != NULL) {
+        if (!ossl_mac_key_up_ref(vkey))
+            return 0;
+        ossl_mac_key_free(pmacctx->key);
+        pmacctx->key = vkey;
+    }
 
     if (pmacctx->key->cipher.cipher != NULL)
         ciphername = (char *)EVP_CIPHER_get0_name(pmacctx->key->cipher.cipher);
diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c
index 22cc3b3d03..9433bb9098 100644
--- a/test/evp_extra_test.c
+++ b/test/evp_extra_test.c
@@ -1316,6 +1316,13 @@ static int test_EVP_DigestVerifyInit(void)
             || !TEST_true(EVP_DigestVerifyFinal(md_ctx, kSignature,
                                                  sizeof(kSignature))))
         goto out;
+
+    /* test with reinitialization */
+    if (!TEST_true(EVP_DigestVerifyInit(md_ctx, NULL, NULL, NULL, NULL))
+            || !TEST_true(EVP_DigestVerifyUpdate(md_ctx, kMsg, sizeof(kMsg)))
+            || !TEST_true(EVP_DigestVerifyFinal(md_ctx, kSignature,
+                                                 sizeof(kSignature))))
+        goto out;
     ret = 1;
 
  out:


More information about the openssl-commits mailing list