From e9a55ae1263c68bae55239aea1904e96a982247e Mon Sep 17 00:00:00 2001 From: "Dr. David von Oheimb" Date: Thu, 7 Nov 2024 22:01:41 +0100 Subject: [PATCH] APPS/pkeyutl: add missing high-level check for -verifyrecover not being compatible with EdDSA --- apps/pkeyutl.c | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/apps/pkeyutl.c b/apps/pkeyutl.c index 64c5d5871a69d1..a08869434bc350 100644 --- a/apps/pkeyutl.c +++ b/apps/pkeyutl.c @@ -43,7 +43,7 @@ static int do_raw_keyop(int pkey_op, EVP_MD_CTX *mctx, int filesize, unsigned char *sig, int siglen, unsigned char **out, size_t *poutlen); -static int only_rawin(const EVP_PKEY *pkey) +static int is_EdDSA(const EVP_PKEY *pkey) { if (pkey == NULL) return 0; @@ -51,6 +51,11 @@ static int only_rawin(const EVP_PKEY *pkey) || EVP_PKEY_is_a(pkey, "ED448"); } +static int only_rawin(const EVP_PKEY *pkey) +{ + return is_EdDSA(pkey); +} + typedef enum OPTION_choice { OPT_COMMON, OPT_ENGINE, OPT_ENGINE_IMPL, OPT_IN, OPT_OUT, @@ -309,10 +314,15 @@ int pkeyutl_main(int argc, char **argv) } pkey = get_pkey(kdfalg, inkey, keyform, key_type, passinarg, pkey_op, e); + + if (pkey_op == EVP_PKEY_OP_VERIFYRECOVER && is_EdDSA(pkey)) { + BIO_printf(bio_err, "%s: -verifyrecover cannot be used with EdDSA\n", prog); + goto end; + } + if (pkey_op == EVP_PKEY_OP_SIGN || pkey_op == EVP_PKEY_OP_VERIFY) { if (only_rawin(pkey)) { - if ((EVP_PKEY_is_a(pkey, "ED25519") || EVP_PKEY_is_a(pkey, "ED448")) - && digestname != NULL) { + if (is_EdDSA(pkey) && digestname != NULL) { BIO_printf(bio_err, "%s: -digest (prehash) is not supported with EdDSA\n", prog); EVP_PKEY_free(pkey);