EVP_MD_size() updates

For SHAKE algorithms we now return 0 from EVP_MD_size(). So all the places that check for < 0 needed to change to <= 0 (Otherwise the behaviour will be to digest nothing in most cases). Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25285)
2025-04-06 20:20:50 +08:00 · 2024-08-26 11:24:24 +10:00 · 2024-08-26 11:24:24 +10:00 · 14c45338e9
commit 14c45338e9
parent 976dd3581a
23 changed files with 41 additions and 31 deletions
--- a/apps/ts.c
+++ b/apps/ts.c
@ -513,7 +513,7 @@ static int create_digest(BIO *input, const char *digest, const EVP_MD *md,
    EVP_MD_CTX *md_ctx = NULL;

    md_value_len = EVP_MD_get_size(md);
-    if (md_value_len < 0)
+    if (md_value_len <= 0)
        return 0;

    if (input != NULL) {
--- a/crypto/evp/bio_ok.c
+++ b/crypto/evp/bio_ok.c
@ -443,6 +443,8 @@ static int sig_out(BIO *b)
    md_size = EVP_MD_get_size(digest);
    md_data = EVP_MD_CTX_get0_md_data(md);

+    if (md_size <= 0)
+        goto berr;
    if (ctx->buf_len + 2 * md_size > OK_BLOCK_SIZE)
        return 1;

@ -485,7 +487,7 @@ static int sig_in(BIO *b)
    if ((md = ctx->md) == NULL)
        goto berr;
    digest = EVP_MD_CTX_get0_md(md);
-    if ((md_size = EVP_MD_get_size(digest)) < 0)
+    if ((md_size = EVP_MD_get_size(digest)) <= 0)
        goto berr;
    md_data = EVP_MD_CTX_get0_md_data(md);

@ -533,6 +535,8 @@ static int block_out(BIO *b)
    md = ctx->md;
    digest = EVP_MD_CTX_get0_md(md);
    md_size = EVP_MD_get_size(digest);
+    if (md_size <= 0)
+        goto berr;

    tl = ctx->buf_len - OK_BLOCK_BLOCK;
    ctx->buf[0] = (unsigned char)(tl >> 24);
@ -563,7 +567,7 @@ static int block_in(BIO *b)
    ctx = BIO_get_data(b);
    md = ctx->md;
    md_size = EVP_MD_get_size(EVP_MD_CTX_get0_md(md));
-    if (md_size < 0)
+    if (md_size <= 0)
        goto berr;

    assert(sizeof(tl) >= OK_BLOCK_BLOCK); /* always true */
--- a/crypto/evp/m_sigver.c
+++ b/crypto/evp/m_sigver.c
@ -601,7 +601,7 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
        } else {
            int s = EVP_MD_get_size(ctx->digest);

-            if (s < 0 || EVP_PKEY_sign(pctx, sigret, siglen, NULL, s) <= 0)
+            if (s <= 0 || EVP_PKEY_sign(pctx, sigret, siglen, NULL, s) <= 0)
                return 0;
        }
    }
--- a/crypto/evp/p5_crpt.c
+++ b/crypto/evp/p5_crpt.c
@ -78,7 +78,7 @@ int PKCS5_PBE_keyivgen_ex(EVP_CIPHER_CTX *cctx, const char *pass, int passlen,
        passlen = strlen(pass);

    mdsize = EVP_MD_get_size(md);
-    if (mdsize < 0)
+    if (mdsize <= 0)
        goto err;

    kdf = EVP_KDF_fetch(libctx, OSSL_KDF_NAME_PBKDF1, propq);
--- a/crypto/ffc/ffc_params_generate.c
+++ b/crypto/ffc/ffc_params_generate.c
@ -322,6 +322,9 @@ static int generate_q_fips186_4(BN_CTX *ctx, BIGNUM *q, const EVP_MD *evpmd,
    unsigned char *pmd;
    OSSL_LIB_CTX *libctx = ossl_bn_get_libctx(ctx);

+    if (mdsize <= 0)
+        goto err;
+
    /* find q */
    for (;;) {
        if (!BN_GENCB_call(cb, 0, m++))
--- a/crypto/hmac/hmac.c
+++ b/crypto/hmac/hmac.c
@ -46,7 +46,7 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
     * The HMAC construction is not allowed to be used with the
     * extendable-output functions (XOF) shake128 and shake256.
     */
-    if ((EVP_MD_get_flags(md) & EVP_MD_FLAG_XOF) != 0)
+    if (EVP_MD_xof(md))
        return 0;

 #ifdef OPENSSL_HMAC_S390X
@ -254,7 +254,7 @@ unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len,
    size_t temp_md_len = 0;
    unsigned char *ret = NULL;

-    if (size >= 0) {
+    if (size > 0) {
        ret = EVP_Q_mac(NULL, "HMAC", NULL, EVP_MD_get0_name(evp_md), NULL,
                        key, key_len, data, data_len,
                        md == NULL ? static_md : md, size, &temp_md_len);
--- a/crypto/ocsp/ocsp_vfy.c
+++ b/crypto/ocsp/ocsp_vfy.c
@ -328,7 +328,7 @@ static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
        (void)ERR_pop_to_mark();

        mdlen = EVP_MD_get_size(dgst);
-        if (mdlen < 0) {
+        if (mdlen <= 0) {
            ERR_raise(ERR_LIB_OCSP, OCSP_R_DIGEST_SIZE_ERR);
            goto end;
        }
--- a/crypto/pkcs12/p12_mutl.c
+++ b/crypto/pkcs12/p12_mutl.c
@ -207,7 +207,7 @@ static int pkcs12_gen_mac(PKCS12 *p12, const char *pass, int passlen,

    keylen = EVP_MD_get_size(md);
    md_nid = EVP_MD_get_type(md);
-    if (keylen < 0)
+    if (keylen <= 0)
        goto err;

    /* For PBMAC1 we use a special keygen callback if not provided (e.g. on verification) */
--- a/crypto/rsa/rsa_pss.c
+++ b/crypto/rsa/rsa_pss.c
@ -62,7 +62,7 @@ int ossl_rsa_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
        mgf1Hash = Hash;

    hLen = EVP_MD_get_size(Hash);
-    if (hLen < 0)
+    if (hLen <= 0)
        goto err;
    /*-
     * Negative sLen has special meanings:
@ -187,7 +187,7 @@ int ossl_rsa_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
        mgf1Hash = Hash;

    hLen = EVP_MD_get_size(Hash);
-    if (hLen < 0)
+    if (hLen <= 0)
        goto err;
    /*-
     * Negative sLen has special meanings:
--- a/crypto/sm2/sm2_crypt.c
+++ b/crypto/sm2/sm2_crypt.c
@ -91,7 +91,7 @@ int ossl_sm2_ciphertext_size(const EC_KEY *key, const EVP_MD *digest,
    const int md_size = EVP_MD_get_size(digest);
    size_t sz;

-    if (field_size == 0 || md_size < 0)
+    if (field_size == 0 || md_size <= 0)
        return 0;

    /* Integer and string are simple type; set constructed = 0, means primitive and definite length encoding. */
--- a/crypto/sm2/sm2_sign.c
+++ b/crypto/sm2/sm2_sign.c
@ -160,7 +160,7 @@ static BIGNUM *sm2_compute_msg_hash(const EVP_MD *digest,
    OSSL_LIB_CTX *libctx = ossl_ec_key_get_libctx(key);
    const char *propq = ossl_ec_key_get0_propq(key);

-    if (md_size < 0) {
+    if (md_size <= 0) {
        ERR_raise(ERR_LIB_SM2, SM2_R_INVALID_DIGEST);
        goto done;
    }
--- a/crypto/ts/ts_rsp_verify.c
+++ b/crypto/ts/ts_rsp_verify.c
@ -448,7 +448,7 @@ static int ts_compute_imprint(BIO *data, TS_TST_INFO *tst_info,
    (void)ERR_pop_to_mark();

    length = EVP_MD_get_size(md);
-    if (length < 0)
+    if (length <= 0)
        goto err;
    *imprint_len = length;
    if ((*imprint = OPENSSL_malloc(*imprint_len)) == NULL)
--- a/providers/implementations/kdfs/hkdf.c
+++ b/providers/implementations/kdfs/hkdf.c
@ -186,7 +186,7 @@ static size_t kdf_hkdf_size(KDF_HKDF *ctx)
        return 0;
    }
    sz = EVP_MD_get_size(md);
-    if (sz < 0)
+    if (sz <= 0)
        return 0;

    return sz;
@ -266,7 +266,7 @@ static int hkdf_common_set_ctx_params(KDF_HKDF *ctx, const OSSL_PARAM params[])
            return 0;

        md = ossl_prov_digest_md(&ctx->digest);
-        if ((EVP_MD_get_flags(md) & EVP_MD_FLAG_XOF) != 0) {
+        if (EVP_MD_xof(md)) {
            ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED);
            return 0;
        }
@ -463,7 +463,7 @@ static int HKDF(OSSL_LIB_CTX *libctx, const EVP_MD *evp_md,
    size_t prk_len;

    sz = EVP_MD_get_size(evp_md);
-    if (sz < 0)
+    if (sz <= 0)
        return 0;
    prk_len = (size_t)sz;

@ -510,7 +510,7 @@ static int HKDF_Extract(OSSL_LIB_CTX *libctx, const EVP_MD *evp_md,
 {
    int sz = EVP_MD_get_size(evp_md);

-    if (sz < 0)
+    if (sz <= 0)
        return 0;
    if (prk_len != (size_t)sz) {
        ERR_raise(ERR_LIB_PROV, PROV_R_WRONG_OUTPUT_BUFFER_SIZE);
--- a/providers/implementations/kdfs/pbkdf1.c
+++ b/providers/implementations/kdfs/pbkdf1.c
@ -70,7 +70,7 @@ static int kdf_pbkdf1_do_derive(const unsigned char *pass, size_t passlen,
        || !EVP_DigestFinal_ex(ctx, md_tmp, NULL))
        goto err;
    mdsize = EVP_MD_size(md_type);
-    if (mdsize < 0)
+    if (mdsize <= 0)
        goto err;
    if (n > (size_t)mdsize) {
        ERR_raise(ERR_LIB_PROV, PROV_R_LENGTH_TOO_LARGE);
--- a/ssl/record/methods/dtls_meth.c
+++ b/ssl/record/methods/dtls_meth.c
@ -151,7 +151,7 @@ static int dtls_process_record(OSSL_RECORD_LAYER *rl, DTLS_BITMAP *bitmap)

        if (tmpmd != NULL) {
            imac_size = EVP_MD_get_size(tmpmd);
-            if (!ossl_assert(imac_size >= 0 && imac_size <= EVP_MAX_MD_SIZE)) {
+            if (!ossl_assert(imac_size > 0 && imac_size <= EVP_MAX_MD_SIZE)) {
                RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
                return 0;
            }
--- a/ssl/record/methods/tls_common.c
+++ b/ssl/record/methods/tls_common.c
@ -73,7 +73,7 @@ int ossl_set_tls_provider_parameters(OSSL_RECORD_LAYER *rl,
    if ((EVP_CIPHER_get_flags(ciph) & EVP_CIPH_FLAG_AEAD_CIPHER) == 0
            && !rl->use_etm)
        imacsize = EVP_MD_get_size(md);
-    if (imacsize >= 0)
+    if (imacsize > 0)
        macsize = (size_t)imacsize;

    *pprm++ = OSSL_PARAM_construct_int(OSSL_CIPHER_PARAM_TLS_VERSION,
@ -773,7 +773,7 @@ int tls_get_more_records(OSSL_RECORD_LAYER *rl)

        if (tmpmd != NULL) {
            imac_size = EVP_MD_get_size(tmpmd);
-            if (!ossl_assert(imac_size >= 0 && imac_size <= EVP_MAX_MD_SIZE)) {
+            if (!ossl_assert(imac_size > 0 && imac_size <= EVP_MAX_MD_SIZE)) {
                RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
                return OSSL_RECORD_RETURN_FATAL;
            }
--- a/ssl/s3_enc.c
+++ b/ssl/s3_enc.c
@ -113,7 +113,7 @@ int ssl3_change_cipher_state(SSL_CONNECTION *s, int which)

    p = s->s3.tmp.key_block;
    mdi = EVP_MD_get_size(md);
-    if (mdi < 0) {
+    if (mdi <= 0) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        goto err;
    }
@ -188,7 +188,7 @@ int ssl3_setup_key_block(SSL_CONNECTION *s)
 #endif

    num = EVP_MD_get_size(hash);
-    if (num < 0)
+    if (num <= 0)
        return 0;

    num = EVP_CIPHER_get_key_length(c) + num + EVP_CIPHER_get_iv_length(c);
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@ -338,7 +338,8 @@ int ssl_load_ciphers(SSL_CTX *ctx)
            ctx->disabled_mac_mask |= t->mask;
        } else {
            int tmpsize = EVP_MD_get_size(md);
-            if (!ossl_assert(tmpsize >= 0))
+
+            if (!ossl_assert(tmpsize > 0))
                return 0;
            ctx->ssl_mac_secret_size[i] = tmpsize;
        }
--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
@ -1556,7 +1556,7 @@ int tls_psk_do_binder(SSL_CONNECTION *s, const EVP_MD *md,
    SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);

    /* Ensure cast to size_t is safe */
-    if (!ossl_assert(hashsizei >= 0)) {
+    if (!ossl_assert(hashsizei > 0)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        goto err;
    }
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@ -2829,7 +2829,7 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL_CONNECTION *s,
        static const unsigned char nonce_label[] = "resumption";

        /* Ensure cast to size_t is safe */
-        if (!ossl_assert(hashleni >= 0)) {
+        if (!ossl_assert(hashleni > 0)) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
            goto err;
        }
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@ -4175,7 +4175,7 @@ CON_FUNC_RETURN tls_construct_new_session_ticket(SSL_CONNECTION *s, WPACKET *pkt
        int hashleni = EVP_MD_get_size(md);

        /* Ensure cast to size_t is safe */
-        if (!ossl_assert(hashleni >= 0)) {
+        if (!ossl_assert(hashleni > 0)) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
            goto err;
        }
--- a/ssl/tls13_enc.c
+++ b/ssl/tls13_enc.c
@ -188,7 +188,7 @@ int tls13_generate_secret(SSL_CONNECTION *s, const EVP_MD *md,

    mdleni = EVP_MD_get_size(md);
    /* Ensure cast to size_t is safe */
-    if (!ossl_assert(mdleni >= 0)) {
+    if (!ossl_assert(mdleni > 0)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        EVP_KDF_CTX_free(kctx);
        return 0;
@ -361,7 +361,7 @@ static int derive_secret_key_and_iv(SSL_CONNECTION *s, const EVP_MD *md,
    int mode, mac_mdleni;

    /* Ensure cast to size_t is safe */
-    if (!ossl_assert(hashleni >= 0)) {
+    if (!ossl_assert(hashleni > 0)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
        return 0;
    }
@ -379,7 +379,7 @@ static int derive_secret_key_and_iv(SSL_CONNECTION *s, const EVP_MD *md,
        && mac_type == NID_hmac) {
        mac_mdleni = EVP_MD_get_size(mac_md);

-        if (mac_mdleni < 0) {
+        if (mac_mdleni <= 0) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
            return 0;
        }
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@ -5726,6 +5726,8 @@ EVP_PKEY_verify_message_init            ?	3_4_0	EXIST::FUNCTION:
 EVP_PKEY_verify_message_update          ?	3_4_0	EXIST::FUNCTION:
 EVP_PKEY_verify_message_final           ?	3_4_0	EXIST::FUNCTION:
 EVP_PKEY_verify_recover_init_ex2        ?	3_4_0	EXIST::FUNCTION:
+EVP_MD_xof                              ?	3_4_0	EXIST::FUNCTION:
+EVP_MD_CTX_get_size_ex                  ?	3_4_0	EXIST::FUNCTION:
 EVP_CIPHER_CTX_set_algor_params         ?	3_4_0	EXIST::FUNCTION:
 EVP_CIPHER_CTX_get_algor_params         ?	3_4_0	EXIST::FUNCTION:
 EVP_CIPHER_CTX_get_algor                ?	3_4_0	EXIST::FUNCTION: