commit 71573dc40bea04ee918d186376be0814fe9ce384
author David Benjamin <davidben@google.com> Mon May 23 11:21:04 2022 -0400
committer Boringssl LUCI CQ <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com> Tue May 24 00:14:22 2022 +0000
tree 9ebef46c30030537fd62fdf240439792a8d1304f
parent 118a892d2da8c78b46ed549454b3b62ded8c84b7

Clean up ECDSA EVP_PKEY_CTRL_MD validation.

We have no EVP_MDs with type NID_ecdsa_with_SHA1 (that's a remnant of
the old signature algorithm EVP_MDs). Also there's no sense in calling
EVP_MD_type or performing the cast five times.

Change-Id: I7ea60d80059420b01341accbadf9854b4c3fd1b8
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/52685
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>

crypto/evp/p_ec.c

diff --git a/crypto/evp/p_ec.c b/crypto/evp/p_ec.c
index 9767541..ddb64a4 100644
--- a/crypto/evp/p_ec.c
+++ b/crypto/evp/p_ec.c
@@ -179,18 +179,18 @@
   EC_PKEY_CTX *dctx = ctx->data;
 
   switch (type) {
-    case EVP_PKEY_CTRL_MD:
-      if (EVP_MD_type((const EVP_MD *)p2) != NID_sha1 &&
-          EVP_MD_type((const EVP_MD *)p2) != NID_ecdsa_with_SHA1 &&
-          EVP_MD_type((const EVP_MD *)p2) != NID_sha224 &&
-          EVP_MD_type((const EVP_MD *)p2) != NID_sha256 &&
-          EVP_MD_type((const EVP_MD *)p2) != NID_sha384 &&
-          EVP_MD_type((const EVP_MD *)p2) != NID_sha512) {
+    case EVP_PKEY_CTRL_MD: {
+      const EVP_MD *md = p2;
+      int md_type = EVP_MD_type(md);
+      if (md_type != NID_sha1 && md_type != NID_sha224 &&
+          md_type != NID_sha256 && md_type != NID_sha384 &&
+          md_type != NID_sha512) {
         OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_DIGEST_TYPE);
         return 0;
       }
-      dctx->md = p2;
+      dctx->md = md;
       return 1;
+    }
 
     case EVP_PKEY_CTRL_GET_MD:
       *(const EVP_MD **)p2 = dctx->md;