crypto: evp: fix potential null pointer dereference in EVP_DigestSignUpdate in m_sigver.c
Static analysis detected that EVP_DigestSign() could lead to null pointer dereference in EVP_DigestSignUpdate() when pctx->pmeth is NULL. The issue occurs in the legacy code path where pmeth is accessed without prior null check. This fix adds a proper null check for pctx->pmeth in the legacy section of EVP_DigestSignUpdate() to prevent the crash when the function is called through EVP_DigestSign() with improperly initialized context. The check is placed in EVP_DigestSignUpdate() rather than EVP_DigestSign() to maintain proper separation of concerns and follow OpenSSL's architectural patterns where lower-level functions handle their own parameter validation. Fixes potential crash in signature operations with legacy providers. CLA: trivial Signed-off-by: Anton Moryakov <ant.v.moryakov@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from https://github.com/openssl/openssl/pull/28095)
@@ -434,6 +434,10 @@ int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize)
|
||||
|
||||
legacy:
|
||||
if (pctx != NULL) {
|
||||
if (pctx->pmeth == NULL) {
|
||||
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
|
||||
return 0;
|
||||
}
|
||||
/* do_sigver_init() checked that |digest_custom| is non-NULL */
|
||||
if (pctx->flag_call_digest_custom
|
||||
&& !ctx->pctx->pmeth->digest_custom(ctx->pctx, ctx))
|
||||
|
||||
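Review bot: The new `pctx->pmeth == NULL` guard in the `legacy:` block fails every call with a non-NULL `pctx`, yet the only `pmeth` dereference visible here is the `digest_custom` call, which runs only when `pctx->flag_call_digest_custom` is set. A context with a NULL `pmeth` and the flag clear previously skipped that call and continued with the rest of the function; it would now return 0 with `EVP_R_INITIALIZATION_ERROR`. Whether such a context can reach this label is not visible in the hunk, so that should be confirmed with a test before relying on the broader rejection. Scoping the check to the dereference avoids the behaviour change: `if (pctx->flag_call_digest_custom && pctx->pmeth == NULL) {`. The body of `EVP_DigestSignUpdate()` starts before and continues after the hunk.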