From 9849d2bdc1aee697555f8fac1a009599770ab5c8 Mon Sep 17 00:00:00 2001
From: "Dr. David von Oheimb"
Date: Thu, 7 Nov 2024 21:55:53 +0100
Subject: [PATCH] APPS/pkeyutl: remove wrong check for -verifyrecover regarding too long sign/verify input

Fixed #25898
---
 apps/pkeyutl.c | 3 +--
 test/recipes/20-test_pkeyutl.t | 14 ++++++++++----
 2 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/apps/pkeyutl.c b/apps/pkeyutl.c
index ca2575bc179cb..64c5d5871a69d 100644
--- a/apps/pkeyutl.c
+++ b/apps/pkeyutl.c
@@ -490,8 +490,7 @@ int pkeyutl_main(int argc, char **argv)
 /* Sanity check the input if the input is not raw */
 if (!rawin
- && (pkey_op == EVP_PKEY_OP_SIGN || pkey_op == EVP_PKEY_OP_VERIFY
- || pkey_op == EVP_PKEY_OP_VERIFYRECOVER)) {
+ && (pkey_op == EVP_PKEY_OP_SIGN || pkey_op == EVP_PKEY_OP_VERIFY)) {
 if (buf_inlen > EVP_MAX_MD_SIZE) {
 BIO_printf(bio_err,
 "Error: The non-raw input data length %d is too long - max supported hashed size is %d\n",
diff --git a/test/recipes/20-test_pkeyutl.t b/test/recipes/20-test_pkeyutl.t
index d78e74d38abdc..abdbac7541299 100644
--- a/test/recipes/20-test_pkeyutl.t
+++ b/test/recipes/20-test_pkeyutl.t
@@ -17,7 +17,7 @@ use File::Compare qw/compare_text compare/;
 setup("test_pkeyutl");
-plan tests => 23;
+plan tests => 24;
 # For the tests below we use the cert itself as the TBS file
@@ -92,6 +92,7 @@ SKIP: {
 "Verify an Ed448 signature against a piece of data, no -rawin");
 }
+my $sigfile;
 sub tsignverify {
 my $testtext = shift;
 my $privkey = shift;
@@ -100,7 +101,7 @@ sub tsignverify {
 my $data_to_sign = srctop_file('test', 'data.bin');
 my $other_data = srctop_file('test', 'data2.bin');
- my $sigfile = basename($privkey, '.pem') . '.sig';
+ $sigfile = basename($privkey, '.pem') . '.sig';
 my @args = ();
 plan tests => 5;
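Review bot: In apps/pkeyutl.c the comment above the narrowed condition still reads `/* Sanity check the input if the input is not raw */` and gives no reason why `EVP_PKEY_OP_VERIFYRECOVER` is excluded, so a later cleanup could reintroduce the check. With -verifyrecover the input is a signature rather than a digest (the new test passes the .sig file as -in), so I would state that in the comment, e.g. `/* Only sign/verify take pre-hashed input; -verifyrecover input is a signature, not a digest */`. Whether another length bound applies on the verifyrecover path is not visible in this hunk, and pkeyutl_main continues outside it.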
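Review bot: Hoisting `$sigfile` to file scope (`my $sigfile;` in the -92,6 hunk, assigned inside tsignverify in the -100,7 hunk) makes the later -verifyrecover test depend on whichever tsignverify() call ran last. The name is derived only from the key file, so both RSA subtests use the same `.sig` name and the new check presumably reads the intended signature only because it sits between them. Returning the path from tsignverify, or computing `basename($privkey, '.pem') . '.sig'` at the call site, would make that dependency explicit; at minimum add a comment such as `# set by tsignverify(); read by the -verifyrecover test below`. tsignverify's body continues outside these hunks.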
@@ -149,7 +150,7 @@ sub tsignverify {
 }
 SKIP: {
- skip "RSA is not supported by this OpenSSL build", 1
+ skip "RSA is not supported by this OpenSSL build", 3
 if disabled("rsa");
 subtest "RSA CLI signature generation and verification" => sub {
@@ -159,6 +160,10 @@ SKIP: {
 "-rawin", "-digest", "sha256");
 };
+ ok(run(app((['openssl', 'pkeyutl', '-verifyrecover', '-in', $sigfile,
+ '-pubin', '-inkey', srctop_file('test', 'testrsapub.pem')]))),
+ "RSA: Verify signature with -verifyrecover");
+
 subtest "RSA CLI signature and verification with pkeyopt" => sub {
 tsignverify("RSA",
 srctop_file("test","testrsa.pem"),
@@ -166,6 +171,7 @@ SKIP: {
 "-rawin", "-digest", "sha256",
 "-pkeyopt", "rsa_padding_mode:pss");
 };
+
 }
 SKIP: {
@@ -228,7 +234,7 @@ SKIP: {
 # openssl pkeyutl -decap -inkey rsa_priv.pem -in encap_out.bin -out decap_out.bin
 # decap_out is equal to secret
 SKIP: {
- skip "RSA is not supported by this OpenSSL build", 3
+ skip "RSA is not supported by this OpenSSL build", 5
 if disabled("rsa");
 # Self-compat
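Review bot: The new `ok(run(app(([... '-verifyrecover' ...]))))` check in the -159,6 hunk asserts only a zero exit status; the recovered data is never compared with anything, so a regression that produces wrong output would still pass. Consider writing the result with `-out` and comparing it with the expected value (File::Compare is already imported in this file). The commit also narrows the length guard in apps/pkeyutl.c without a matching negative test: a case that still expects -sign or -verify to fail on over-long non-raw input would keep the remaining check covered, and no such test is visible in these hunks. The doubled parentheses in `app(([ ... ]))` can be dropped.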
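Review bot: The skip count in the -228,7 hunk goes from 3 to 5 although the commit adds only one test (`plan tests => 24`), and the tests inside that SKIP block lie outside the hunk, so the new number cannot be checked from the diff. If this corrects an older miscount it deserves a line in the commit message, since a wrong count only surfaces as a plan mismatch on builds configured without RSA. The first block's change from 1 to 3 (-149,7 hunk) does match the two subtests plus the new ok() visible in the later hunks.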