From bbf4dc96fc4344e333d4e73bc2aba848e5bff84b Mon Sep 17 00:00:00 2001
From: Richard Levitte
Date: Wed, 10 Feb 2021 18:58:01 +0100
Subject: EVP: Make checks in evp_pkey_ctx_store_cached_data() more restricted

It would check the keytype and optype before determining if it even supported the ctrl command number. This turned out to be disruptive, so we make it check that it supports the request ctrl command number first.

Reviewed-by: Tomas Mraz
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/13913)
---
 crypto/evp/pmeth_lib.c | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)

(limited to 'crypto')

diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
index 60f8cb2d0b..500e056479 100644
--- a/crypto/evp/pmeth_lib.c
+++ b/crypto/evp/pmeth_lib.c
@@ -1403,6 +1403,19 @@ static int evp_pkey_ctx_store_cached_data(EVP_PKEY_CTX *ctx,
 int cmd, const char *name,
 const void *data, size_t data_len)
 {
+ /*
+ * Check that it's one of the supported commands. The ctrl commands
+ * number cases here must correspond to the cases in the bottom switch
+ * in this function.
+ */
+ switch (cmd = decode_cmd(cmd, name)) {
+ case EVP_PKEY_CTRL_SET1_ID:
+ break;
+ default:
+ ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
+ return -2;
+ }
+
 if (keytype != -1) {
 switch (evp_pkey_ctx_state(ctx)) {
 case EVP_PKEY_STATE_PROVIDER:
@@ -1422,7 +1435,7 @@ static int evp_pkey_ctx_store_cached_data(EVP_PKEY_CTX *ctx,
 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
 return -2;
 }
- if (ctx->pmeth->pkey_id != keytype) {
+ if (EVP_PKEY_type(ctx->pmeth->pkey_id) != EVP_PKEY_type(keytype)) {
 ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_OPERATION);
 return -1;
 }
@@ -1434,7 +1447,6 @@ static int evp_pkey_ctx_store_cached_data(EVP_PKEY_CTX *ctx,
 return -1;
 }

- cmd = decode_cmd(cmd, name);
 switch (cmd) {
 case EVP_PKEY_CTRL_SET1_ID:
 evp_pkey_ctx_free_cached_data(ctx, cmd, name);
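Review bot: The allow-list switch added at the top of evp_pkey_ctx_store_cached_data() must be kept in step with the bottom switch by hand, and in the last hunk (`@@ -1454,11 +1466,9 @@`) the bottom switch shows no `default:` arm and now runs on to an unconditional `return 1;`. A command later added to the top list but not to the bottom one would report success without caching anything, so a caller would believe its ID data had been stored when it had not. Keeping a fail-closed arm in the bottom switch, `default: ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); return -2;`, would turn such a mismatch into an error. The function body starts before this hunk and continues past it.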
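Review bot: The new test `EVP_PKEY_type(ctx->pmeth->pkey_id) != EVP_PKEY_type(keytype)` compares two mapped values. EVP_PKEY_type() returns NID_undef when it finds no ASN.1 method for a type, so two different unrecognised types would compare equal and pass the check. If that case is reachable (the callers are not visible in this hunk), resolve one side first and reject the undefined result: `int base = EVP_PKEY_type(keytype);` followed by `if (base == NID_undef || base != EVP_PKEY_type(ctx->pmeth->pkey_id)) {`. This line also loosens the match from exact ids to base types, although the subject says "more restricted". A short comment above it stating why base types are compared would record the intent.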
@@ -1454,11 +1466,9 @@ static int evp_pkey_ctx_store_cached_data(EVP_PKEY_CTX *ctx,
 }
 ctx->cached_parameters.dist_id_set = 1;
 ctx->cached_parameters.dist_id_len = data_len;
- return 1;
+ break;
 }
-
- ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
- return -2;
+ return 1;
 }

 static void evp_pkey_ctx_free_cached_data(EVP_PKEY_CTX *ctx,
-- cgit v1.2.3