Enable signing of empty files with pkeyutl

The allocated buffer for the file contents is then zero bytes long, which `app_malloc()` used to refuse. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> MergeDate: Tue Jan 20 18:17:12 2026 (Merged from https://github.com/openssl/openssl/pull/29613)
2026-01-25 02:56:43 +00:00 · 2026-01-13 19:34:54 +11:00
parent 233e181058
commit aa4802204b
3 changed files with 16 additions and 10 deletions
--- a/apps/pkeyutl.c
+++ b/apps/pkeyutl.c
@@ -837,7 +837,8 @@ static int do_raw_keyop(int pkey_op, EVP_MD_CTX *mctx,
                "Error: unable to determine file size for oneshot operation\n");
            goto end;
        }
-        mbuf = app_malloc(filesize, "oneshot sign/verify buffer");
+        if (filesize > 0)
+            mbuf = app_malloc(filesize, "oneshot sign/verify buffer");
        switch (pkey_op) {
        case EVP_PKEY_OP_VERIFY:
            buf_len = BIO_read(in, mbuf, filesize);
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -346,15 +346,22 @@ static ossl_ssize_t hexdecode(const char **inptr, void *result)
 {
    unsigned char **out = (unsigned char **)result;
    const char *in = *inptr;
-    unsigned char *ret = app_malloc(strlen(in) / 2, "hexdecode");
-    unsigned char *cp = ret;
+    size_t retlen = strlen(in) / 2;
+    unsigned char *ret = NULL, *cp;
    uint8_t byte;
    int nibble = 0;

-    if (ret == NULL)
+    if (retlen > 0) {
+        if ((ret = app_malloc(retlen, "hexdecode")) == NULL)
+            return -1;
+    } else if (*in == '\0') {
+        *out = NULL;
+        return 0;
+    } else {
        return -1;
+    }

-    for (byte = 0; *in; ++in) {
+    for (cp = ret, byte = 0; *in; ++in) {
        int x;

        if (isspace(_UC(*in)))
@@ -425,9 +432,7 @@ static int tlsa_import_rr(SSL *con, const char *rrdata)
        { &selector, "selector", checked_uint8 },
        { &mtype, "mtype", checked_uint8 },
        { &data, "data", hexdecode },
-        {
-            NULL,
-        }
+        { NULL, NULL, NULL },
    };
    struct tlsa_field *f;
    int ret;
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -3435,7 +3435,7 @@ static void print_connection_info(SSL *con)
    if ((SSL_get_options(con) & SSL_OP_NO_RENEGOTIATION))
        BIO_printf(bio_s_out, "Renegotiation is DISABLED\n");

-    if (keymatexportlabel != NULL) {
+    if (keymatexportlabel != NULL && keymatexportlen > 0) {
        BIO_printf(bio_s_out, "Keying material exporter:\n");
        BIO_printf(bio_s_out, "    Label: '%s'\n", keymatexportlabel);
        BIO_printf(bio_s_out, "    Length: %i bytes\n", keymatexportlen);
@@ -4134,7 +4134,7 @@ static int add_session(SSL *ssl, SSL_SESSION *session)

    SSL_SESSION_get_id(session, &sess->idlen);
    sess->derlen = i2d_SSL_SESSION(session, NULL);
-    if (sess->derlen < 0) {
+    if (sess->derlen <= 0) {
        BIO_printf(bio_err, "Error encoding session\n");
        OPENSSL_free(sess);
        return 0;