gate calling of evp_method_id on having a non-zero name id

If a name is passed to EVP_<OBJ>_fetch of the form:
name1:name2:name3

The names are parsed on the separator ':' and added to the store, but
during the lookup in inner_evp_generic_fetch, the subsequent search of
the store uses the full name1:name2:name3 string, which fails lookup,
and causes subsequent assertion failures in evp_method_id.

instead catch the failure in inner_evp_generic_fetch and return an error
code if the name_id against a colon separated list of names fails.  This
provides a graceful error return path without asserts, and leaves room
for a future feature in which such formatted names can be parsed and
searched for iteratively

Add a simple test to verify that providing a colon separated name
results in an error indicating an invalid lookup.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/23110)

diff --git a/crypto/evp/evp_fetch.c b/crypto/evp/evp_fetch.c
index c643ae8f9a028caa067c1c74c0efc6e5d5978ca5..bd816be5f4feb90c4ea5e45d3994d78651a757ce 100644 (file)
--- a/crypto/evp/evp_fetch.c
+++ b/crypto/evp/evp_fetch.c
@@ -318,13 +318,26 @@ inner_evp_generic_fetch(struct evp_method_data_st *methdata,
              * there is a correct name_id and meth_id, since those have
              * already been calculated in get_evp_method_from_store() and
              * put_evp_method_in_store() above.
+             * Note that there is a corner case here, in which, if a user
+             * passes a name of the form name1:name2:..., then the construction
+             * will create a method against all names, but the lookup will fail
+             * as ossl_namemap_name2num treats the name string as a single name
+             * rather than introducing new features where in the EVP_<obj>_fetch
+             * parses the string and querys for each, return an error.
              */
             if (name_id == 0)
                 name_id = ossl_namemap_name2num(namemap, name);
-            meth_id = evp_method_id(name_id, operation_id);
-            if (name_id != 0)
-                ossl_method_store_cache_set(store, prov, meth_id, propq,
-                                            method, up_ref_method, free_method);
+            if (name_id == 0) {
+                ERR_raise_data(ERR_LIB_EVP, ERR_R_FETCH_FAILED,
+                               "Algorithm %s cannot be found", name);
+                free_method(method);
+                method = NULL;
+            } else {
+                meth_id = evp_method_id(name_id, operation_id);
+                if (name_id != 0)
+                    ossl_method_store_cache_set(store, prov, meth_id, propq,
+                                                method, up_ref_method, free_method);
+            }
         }
 
         /*

diff --git a/doc/man7/ossl-guide-libcrypto-introduction.pod b/doc/man7/ossl-guide-libcrypto-introduction.pod
index 719f947487610c34c6764eb0c9f563ee99c86f36..33451b487337073f431e855cd97613c005a535b7 100644 (file)
--- a/doc/man7/ossl-guide-libcrypto-introduction.pod
+++ b/doc/man7/ossl-guide-libcrypto-introduction.pod
@@ -88,6 +88,10 @@ L<OSSL_PROVIDER-FIPS(7)/OPERATIONS AND ALGORITHMS>,
 L<OSSL_PROVIDER-legacy(7)/OPERATIONS AND ALGORITHMS> and
 L<OSSL_PROVIDER-base(7)/OPERATIONS AND ALGORITHMS>.
 
+Note, while providers may register algorithms against a list of names using a
+string with a colon separated list of names, fetching algorithms using that
+format is currently unsupported.
+
 =item A property query string
 
 The property query string used to guide selection of the algorithm

diff --git a/test/evp_extra_test2.c b/test/evp_extra_test2.c
index a06bd697941e894d4dc4dfbc75dd3d3ccb1a64dc..32ca15bc9a8ab4ca728248da42409187ea2e0416 100644 (file)
--- a/test/evp_extra_test2.c
+++ b/test/evp_extra_test2.c
@@ -1326,6 +1326,24 @@ err:
 }
 #endif
 
+/*
+ * Currently, EVP_<OBJ>_fetch doesn't support
+ * colon separated alternative names for lookup
+ * so add a test here to ensure that when one is provided
+ * libcrypto returns an error
+ */
+static int evp_test_name_parsing(void)
+{
+    EVP_MD *md;
+
+    if (!TEST_ptr_null(md = EVP_MD_fetch(mainctx, "SHA256:BogusName", NULL))) {
+        EVP_MD_free(md);
+        return 0;
+    }
+
+    return 1;
+}
+
 int setup_tests(void)
 {
     if (!test_get_libctx(&mainctx, &nullprov, NULL, NULL, NULL)) {
@@ -1334,6 +1352,7 @@ int setup_tests(void)
         return 0;
     }
 
+    ADD_TEST(evp_test_name_parsing);
     ADD_TEST(test_alternative_default);
     ADD_ALL_TESTS(test_d2i_AutoPrivateKey_ex, OSSL_NELEM(keydata));
 #ifndef OPENSSL_NO_EC