}
/*
- * Retrieve one of the FIPs approved hash algorithms by nid.
+ * Retrieve one of the FIPS approved hash algorithms by nid.
* See FIPS 180-4 "Secure Hash Standard" and FIPS 202 - SHA-3.
*/
int ossl_digest_get_approved_nid(const EVP_MD *md)
int ossl_dh_check_key(OSSL_LIB_CTX *ctx, const DH *dh);
int ossl_digest_is_allowed(OSSL_LIB_CTX *ctx, const EVP_MD *md);
+/* With security check enabled it can return -1 to indicate disallowed md */
int ossl_digest_get_approved_nid_with_sha1(OSSL_LIB_CTX *ctx, const EVP_MD *md,
int sha1_allowed);
# if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
if (ossl_securitycheck_enabled(ctx)) {
- if (mdnid == NID_sha1 && !sha1_allowed)
- mdnid = NID_undef;
+ if (mdnid == NID_undef || (mdnid == NID_sha1 && !sha1_allowed))
+ mdnid = -1; /* disallowed by security checks */
}
# endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
return mdnid;
71c3fbb9bd80f5e7a217cf8005df61f96a645fbdd9daca9949ceef6d33a1feb0 providers/common/provider_err.c
9eae3e2cac89c7b63d091fdca1b6d80c5c5d52aa79c8ba4ce0158c5437ad62f3 providers/common/provider_seeding.c
eec462d685dd3b4764b076a3c18ecd9dd254350a0b78ddc2f8a60587829e1ce3 providers/common/provider_util.c
-494723d55bc6ecdb70f59499a2c42260cabc5fa30681ac3b48267dfa242158b3 providers/common/securitycheck.c
+ce6731be4da709c753bd2c04e88d51d567c955c651e7575bb1410968e6c7620e providers/common/securitycheck.c
50a0e01e877ae818cf874f4515a130db0e869d4e9e8ce882bff1255695aba789 providers/common/securitycheck_fips.c
5c31ba4eedb31e2509288be50280e0df58faa86fe4b5e99a1167a53fd6f3bd0f providers/fips/fipsprov.c
c69e60c29711d55cd5672dab9ff051f3c093d54e63a0ec575baa899e6bbf9c2b providers/fips/self_test.c
c36937930bcaecd6d5131d0317b9162a96cc956df164848dc53f423af838d04a providers/implementations/rands/drbg_hash.c
531c0ce4212570474b59a1b039e61a97ee5504e56e2f10de1f36578f1bca79d3 providers/implementations/rands/drbg_hmac.c
888a671934abef4225956f9931cff842f245f90660e11f23a55228edca962e16 providers/implementations/rands/test_rng.c
-a7f16a6480f5051d1197b992e042a73535d0922bdd3c962d2a96af780994e858 providers/implementations/signature/dsa_sig.c
-1edce687e950bec7c289cdac7c4c455e195942ccddfc38af0344277421afcc0f providers/implementations/signature/ecdsa_sig.c
+3a9dfbf5dcb9e1955f12f71f1ca086dded771b262d6d61bab2874f48260f702a providers/implementations/signature/dsa_sig.c
+0ff792c30ba26f2d8f4d1c14b999f7183dcd928537f950a23573f0b65359b2f4 providers/implementations/signature/ecdsa_sig.c
8074854e90be6a8266cc81ad722ef12213e9fc1360891822f109bfb03791f18e providers/implementations/signature/eddsa_sig.c
1cb6ec2efb7b2bb131622aa95e245273f5967065eb0018392ed4ced50d0813b7 providers/implementations/signature/mac_legacy_sig.c
-25fe1a61578d54c3e67b60646f3fd3d0a47ff1d4cd620ef1f1fca3341f2662a2 providers/implementations/signature/rsa_sig.c
+40322e8782474a35f02fa350b43439a56124e680a1d24556b2a66310ed2e9e2e providers/implementations/signature/rsa_sig.c
53a1e913fcc4a4e8e84009229cba60b9e29c7dc6536182fd290478331fad44b4 ssl/record/tls_pad.c
85a9701b05ab8dfea42550fbc5e4d9f4011d08ccc64829648fc12091cc1133f5 ssl/s3_cbc.c
-b388b982a3a40d326d76d89e0776aefea46084f936f1aed03293e057d5f2a6de providers/fips-sources.checksums
+90d4616e33b95990f96dd2cb1798cae41e6591d5cb55a4f589307908fa699587 providers/fips-sources.checksums
sha1_allowed);
size_t mdname_len = strlen(mdname);
- if (md == NULL || md_nid == NID_undef) {
+ if (md == NULL || md_nid < 0) {
if (md == NULL)
ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
"%s could not be fetched", mdname);
- if (md_nid == NID_undef)
+ if (md_nid < 0)
ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
"digest=%s", mdname);
if (mdname_len >= sizeof(ctx->mdname))
sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,
sha1_allowed);
- if (md_nid == NID_undef) {
+ if (md_nid < 0) {
ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
"digest=%s", mdname);
EVP_MD_free(md);
size_t mdname_len = strlen(mdname);
if (md == NULL
- || md_nid == NID_undef
+ || md_nid <= 0
|| !rsa_check_padding(ctx, mdname, NULL, md_nid)
|| mdname_len >= sizeof(ctx->mdname)) {
if (md == NULL)
ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
"%s could not be fetched", mdname);
- if (md_nid == NID_undef)
+ if (md_nid <= 0)
ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
"digest=%s", mdname);
if (mdname_len >= sizeof(ctx->mdname))
return 0;
}
/* The default for mgf1 is SHA1 - so allow SHA1 */
- if ((mdnid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md, 1)) == NID_undef
+ if ((mdnid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md, 1)) <= 0
|| !rsa_check_padding(ctx, NULL, mdname, mdnid)) {
- if (mdnid == NID_undef)
+ if (mdnid <= 0)
ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
"digest=%s", mdname);
EVP_MD_free(md);
Input = "Hello World"
Output = 3046022100e7515177ec3817b77a4a94066ab3070817b7aa9d44a8a09f040da250116e8972022100ba59b0f631258e59a9026be5d84f60685f4cf22b9165a0c2736d5c21c8ec1862
-# Invalid digest
-DigestVerify = MD5
-Key = P-256-PUBLIC
-Result = DIGESTVERIFYINIT_ERROR
-
# Oneshot tests
OneShotDigestVerify = SHA256
Key = P-256-PUBLIC
Ctrl = digest:SHA1
Input = "0123456789ABCDEF1234"
Result = PKEY_CTRL_ERROR
+
+# Invalid non-approved digest
+Availablein = fips
+DigestVerify = MD5
+Securitycheck = 1
+Key = P-256-PUBLIC
+Result = DIGESTVERIFYINIT_ERROR