[External] : Re: BIO_read() crash

Thomas Dwyer III thomas.dwyer at oracle.com
Mon Dec 5 19:31:18 UTC 2022


Why does EVP_get_digestbyname("md4") return non-NULL if the legacy 
provider isn't loaded? Similarly, why does it return non-NULL for "md5" 
after doing EVP_set_default_properties(NULL, "fips=yes")? This seems 
unintuitive. Legacy code that does not know about EVP_MD_fetch() checks 
the return value of EVP_get_digestbyname(). Isn't that where the error 
should be detected? Why let it get all the way to BIO_set_md() (or 
EVP_DigestInit() or whatever) before the error is detected?


Tom.III


On 12/5/22 02:24, Tomas Mraz wrote:
> Hi,
>
> there is an error in your code - see my comment below.
>
>
> On Mon, 2022-12-05 at 08:45 +0000, Zhongyan Wang wrote:
> ...
>>      md = EVP_get_digestbyname(dgst);
>>      if (!md) {
>>          printf("Error EVP_get_digestbyname %s\n", dgst);
>>          goto err_exit;
>>      }
>>   
>>      in = BIO_new_file(datain, "rb");
>>      if (!in) {
>>          printf("Error BIO_new_file %s\n", datain);
>>          goto err_exit;
>>      }
>>   
>>      out = BIO_new(BIO_s_mem());
>>      if (!out) {
>>          printf("Error BIO_new out\n");
>>          goto err_exit;
>>      }
>>   
>>      rbio = in;
>>   
>>      bmd = BIO_new(BIO_f_md());
>>      if (!bmd){
>>          printf("Error BIO_new bmd\n");
>>          goto err_exit;
>>      }
>>   
>>      BIO_set_md(bmd, md);
> You do not check the return value here. This call will return a <= 0
> return value in case the legacy provider is not loaded.
>
>
>


More information about the openssl-users mailing list