Clean up ECDSA EVP_PKEY_CTRL_MD validation.
We have no EVP_MDs with type NID_ecdsa_with_SHA1 (that's a remnant of
the old signature algorithm EVP_MDs). Also there's no sense in calling
EVP_MD_type or performing the cast five times.
Change-Id: I7ea60d80059420b01341accbadf9854b4c3fd1b8
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/52685
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
diff --git a/crypto/evp/p_ec.c b/crypto/evp/p_ec.c
index 9767541..ddb64a4 100644
--- a/crypto/evp/p_ec.c
+++ b/crypto/evp/p_ec.c
@@ -179,18 +179,18 @@
EC_PKEY_CTX *dctx = ctx->data;
switch (type) {
- case EVP_PKEY_CTRL_MD:
- if (EVP_MD_type((const EVP_MD *)p2) != NID_sha1 &&
- EVP_MD_type((const EVP_MD *)p2) != NID_ecdsa_with_SHA1 &&
- EVP_MD_type((const EVP_MD *)p2) != NID_sha224 &&
- EVP_MD_type((const EVP_MD *)p2) != NID_sha256 &&
- EVP_MD_type((const EVP_MD *)p2) != NID_sha384 &&
- EVP_MD_type((const EVP_MD *)p2) != NID_sha512) {
+ case EVP_PKEY_CTRL_MD: {
+ const EVP_MD *md = p2;
+ int md_type = EVP_MD_type(md);
+ if (md_type != NID_sha1 && md_type != NID_sha224 &&
+ md_type != NID_sha256 && md_type != NID_sha384 &&
+ md_type != NID_sha512) {
OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_DIGEST_TYPE);
return 0;
}
- dctx->md = p2;
+ dctx->md = md;
return 1;
+ }
case EVP_PKEY_CTRL_GET_MD:
*(const EVP_MD **)p2 = dctx->md;
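Review bot: In the new `EVP_PKEY_CTRL_MD` case, `md` is taken straight from `p2` and passed to `EVP_MD_type(md)` with no NULL check visible in the hunk. A caller that sets a NULL digest would presumably hit a NULL dereference inside the allow-list check rather than getting `EVP_R_INVALID_DIGEST_TYPE`. If not every caller rules out NULL, reject it before the lookup: `if (md == NULL) { OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_DIGEST_TYPE); return 0; }`. This list is also where the ECDSA digest policy is enforced, so a one-line comment above the `if` would help, e.g. `// Allow-list of digests accepted for ECDSA; SHA-1 is still permitted here.` The enclosing function begins and ends outside the hunk, so any caller-side guarantees are not visible from here.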