signatures: disallow XOF digests when doing signatures
authorPauli <ppzgs1@gmail.com>
Mon, 29 Jul 2024 02:07:39 +0000 (12:07 +1000)
committerPauli <ppzgs1@gmail.com>
Sun, 11 Aug 2024 23:30:43 +0000 (09:30 +1000)
Except for Ed448 and RSA PSS, where they are mandatory and allowed respectively.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25020)

providers/implementations/exchange/dh_exch.c
providers/implementations/exchange/ecdh_exch.c
providers/implementations/signature/dsa_sig.c
providers/implementations/signature/ecdsa_sig.c
providers/implementations/signature/rsa_sig.c
providers/implementations/signature/sm2_sig.c

index 717706a174da604fb014c8b1786bcedd1ec5607b..753bc79f83cdcfdc5bddf275f99ed0e65cc08d83 100644 (file)
@@ -392,6 +392,11 @@ static int dh_set_ctx_params(void *vpdhctx, const OSSL_PARAM params[])
         pdhctx->kdf_md = EVP_MD_fetch(pdhctx->libctx, name, mdprops);
         if (pdhctx->kdf_md == NULL)
             return 0;
+        /* XOF digests are not allowed */
+        if ((EVP_MD_get_flags(pdhctx->kdf_md) & EVP_MD_FLAG_XOF) != 0) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED);
+            return 0;
+        }
 #ifdef FIPS_MODULE
         if (!digest_check(pdhctx, pdhctx->kdf_md)) {
             EVP_MD_free(pdhctx->kdf_md);
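Review bot: The rejection branch added at L26–L29 returns while pdhctx->kdf_md still holds the XOF digest fetched at L22, whereas the FIPS check directly below releases it with `EVP_MD_free(pdhctx->kdf_md);` when it fails. The context therefore keeps a reference to a digest the caller has just been told is not allowed, and nothing in this path releases the fetched object unless a later free happens elsewhere, which is not visible in the hunk. Mirror the FIPS branch before the return: `EVP_MD_free(pdhctx->kdf_md); pdhctx->kdf_md = NULL;`. The same gap is in ecdh_set_ctx_params in ecdh_exch.c (pectx->kdf_md). dh_set_ctx_params continues outside the hunk.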
index 85b782a39d704d894330515bf155d07860e0b51a..ac1f07fa320dacf8e609011d9add3647d4aa5618 100644 (file)
@@ -312,6 +312,11 @@ int ecdh_set_ctx_params(void *vpecdhctx, const OSSL_PARAM params[])
         pectx->kdf_md = EVP_MD_fetch(pectx->libctx, name, mdprops);
         if (pectx->kdf_md == NULL)
             return 0;
+        /* XOF digests are not allowed */
+        if ((EVP_MD_get_flags(pectx->kdf_md) & EVP_MD_FLAG_XOF) != 0) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED);
+            return 0;
+        }
 #ifdef FIPS_MODULE
         if (!ossl_fips_ind_digest_check(OSSL_FIPS_IND_GET(pectx),
                                         OSSL_FIPS_IND_SETTABLE1, pectx->libctx,
index 832fa2f10da4de327ca4aed29e141153166df6c9..23441adfdafeb9310e3452379e3c53a2ea6f5e95 100644 (file)
@@ -156,6 +156,11 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx,
                                "%s exceeds name buffer length", mdname);
             goto err;
         }
+        /* XOF digests don't work */
+        if ((EVP_MD_get_flags(md) & EVP_MD_FLAG_XOF) != 0) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED);
+            return 0;
+        }
 #ifdef FIPS_MODULE
         {
             int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
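Review bot: The new rejection at L54 leaves the function with `return 0;` while the adjacent length check at L49 uses `goto err;`; if `err:` is where the fetched `md` is released (the label is outside the hunk), the XOF path leaks that EVP_MD reference. Change L54 to `goto err;` so the shared cleanup runs, matching the existing error style of the function. The same direct `return 0;` next to a `goto err;` appears in ecdsa_setup_md (ecdsa_sig.c) and rsa_setup_md (rsa_sig.c). dsa_setup_md continues outside the hunk on both sides.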
index 28e102bd0ff3a1268f9227d919b63654245b9941..706b549175781f107be4399171118ca868668ede 100644 (file)
@@ -270,6 +270,11 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, const char *mdname,
                        "digest=%s", mdname);
         goto err;
     }
+    /* XOF digests don't work */
+    if ((EVP_MD_get_flags(md) & EVP_MD_FLAG_XOF) != 0) {
+        ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED);
+        return 0;
+    }
 
 #ifdef FIPS_MODULE
     {
index 5cbf3ebe3f5f087f88fb4c47f6919a74ed42578c..2776213b54c45086d2446a5f3917326836adb9ca 100644 (file)
@@ -343,6 +343,12 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname,
                            "digest=%s", mdname);
             goto err;
         }
+        /* XOF digests are not allowed except for RSA PSS */
+        if (ctx->pad_mode != RSA_PKCS1_PSS_PADDING
+                && (EVP_MD_get_flags(md) & EVP_MD_FLAG_XOF) != 0) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED);
+            return 0;
+        }
 #ifdef FIPS_MODULE
         {
             int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
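Review bot: The PSS exemption at L78 is decided by the value of ctx->pad_mode at the moment the digest is configured, so the outcome is order-dependent: a caller that sets an XOF digest before selecting RSA_PKCS1_PSS_PADDING is rejected, and one that sets it under PSS and later changes the padding mode keeps an XOF digest in the context unless the pad-mode setter re-validates it, which is not visible here. If that setter does not re-check the digest flags, the check belongs there as well; otherwise the comment on L77 should state the ordering contract, e.g. `/* pad_mode must be set before the digest; XOF is only accepted under PSS */`. rsa_setup_md continues outside the hunk.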
index 346172abc085083f6c8ae94973c68a82d9bb8636..5172d6622be27ce137eb6bded7da1bab7b1b6d83 100644 (file)
@@ -98,6 +98,12 @@ static int sm2sig_set_mdname(PROV_SM2_CTX *psm2ctx, const char *mdname)
     if (psm2ctx->md == NULL)
         return 0;
 
+    /* XOF digests don't work */
+    if ((EVP_MD_get_flags(psm2ctx->md) & EVP_MD_FLAG_XOF) != 0) {
+        ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED);
+        return 0;
+    }
+
     if (mdname == NULL)
         return 1;