/* if management client cannot do digest -- we do it here */
- if (!strcmp(alg.op, "DigestSign") && !(flags & MF_EXTERNAL_KEY_DIGEST))
+ if (!strcmp(alg.op, "DigestSign") && !(flags & MF_EXTERNAL_KEY_DIGEST)
+ && strcmp(alg.mdname, "none") != 0)
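
Review bot: the comment above this condition still reads "if management client cannot do digest -- we do it here", but with the added `strcmp(alg.mdname, "none")` clause the local digest is also skipped whenever mdname is "none", regardless of MF_EXTERNAL_KEY_DIGEST. Extend the comment to name that case so a reader does not take the flag to be the only reason this branch is bypassed.
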
nit: Why not strcmp(alg.mdname, "none")? That's how we use it
elsewhere in the patch and this file. Unless our coding style now
requires this.

clang-tidy complained but I have no strong preference, I will remove the
!= 0 in v3 of the patch.

}
+ else if (EVP_PKEY_get_id(pkey) == EVP_PKEY_ED25519)
+ {
+ mdname = NULL;
+ params[0] =
OSSL_PARAM_construct_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, (char *)mdname,
0);
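
Review bot: in the new EVP_PKEY_ED25519 branch, `mdname = NULL` is followed directly by building params[0] from that same pointer via `(char *)mdname` with a length of 0, so the digest param is constructed around a NULL data pointer. Drop the params[0] assignment in this branch or guard it with a NULL check, and add a one-line comment saying why this key type takes no digest name so the NULL reads as intentional.
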
I think it's wrong to pass NULL here as the last 0 in
OSSL_PARAM_construct() means what is passed is a null-terminated
string. We cope with this in xkey_provider for this particular case by
checking for NULL, but generally we would dereference strings in
OSSL_PARAM without checking. OpenSSL also may.

In any case, mdname = NULL is all that is required for this key type
and no need to set any params (same as with EC).

Good point. I still think the OpenSSL API is kind of broken here as it
basically forces you to pass NULL in
EVP_DigestSignInit/EVP_DigestSignInit_ex but you cannot pass the same
with params, but that is not the place to fix it.

Arne
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel