From: slontis
Date: Fri, 29 Aug 2025 04:11:59 +0000 (+1000)
Subject: FIPS: Don't allow SHA512-224 and SHA512-256 for ECDSA/DSA signatures
X-Git-Tag: openssl-3.5.3~32
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c9ec0346e15dd3f9051cff674a9a9b15de014f77;p=thirdparty%2Fopenssl.git

FIPS: Don't allow SHA512-224 and SHA512-256 for ECDSA/DSA signatures

These algorithms do not have OIDS (Note that RSA does have OIDS), and are not valid values for FIPS. Note that this was only possible if the "ECDSA" algorithm is fetched. Note that "ECDSA-SHA512-256" and "ECDSA-SHA512-224" are not currently fetchable.

Reviewed-by: Neil Horman
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/28377)
(cherry picked from commit 5ce54ae14bd1ad1934dfe493fe39d89eb1d5b72d)
---

diff --git a/providers/common/securitycheck_fips.c b/providers/common/securitycheck_fips.c
index c02fa960c09..5581e13d2d5 100644
--- a/providers/common/securitycheck_fips.c
+++ b/providers/common/securitycheck_fips.c
@@ -98,18 +98,33 @@ int ossl_fips_ind_digest_exch_check(OSSL_FIPS_IND *ind, int id,
 int ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND *ind, int id,
 OSSL_LIB_CTX *libctx, int nid, int sha1_allowed,
+ int sha512_trunc_allowed,
 const char *desc,
 OSSL_FIPS_IND_CHECK_CB *config_check_f)
 {
 int approved;
+ const char *op = "none";
- if (nid == NID_undef)
+ switch (nid) {
+ case NID_undef:
 approved = 0;
- else
- approved = sha1_allowed || nid != NID_sha1;
+ break;
+ case NID_sha512_224:
+ case NID_sha512_256:
+ approved = sha512_trunc_allowed;
+ op = "Digest Truncated SHA512";
+ break;
+ case NID_sha1:
+ approved = sha1_allowed;
+ op = "Digest SHA1";
+ break;
+ default:
+ approved = 1;
+ break;
+ }
 if (!approved) {
- if (!ossl_FIPS_IND_on_unapproved(ind, id, libctx, desc, "Digest SHA1",
+ if (!ossl_FIPS_IND_on_unapproved(ind, id, libctx, desc, op,
 config_check_f)) {
 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST);
 return 0;
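Review bot: The NID_sha512_224/NID_sha512_256 arm of the new switch feeds its rejection through ossl_FIPS_IND_on_unapproved with config_check_f, so it is presumably overridable via the digest-check settable exactly like SHA-1, while the commit message says these digests are not valid FIPS values at all and the new evppkey_ecdsa.txt case sets `CtrlInit = digest-check:0` yet still expects KEYOP_ERROR. If the rejection is meant to be unconditional, that arm could `ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST); return 0;` directly instead of consulting the indicator callback; either way a one-line comment on the arm stating which behaviour is intended would settle it. The new sha512_trunc_allowed parameter is also undocumented, and the callers in dsa_sig.c, ecdsa_sig.c and rsa_sig.c pass bare 0/1 literals; a comment above the function such as `/* sha512_trunc_allowed: nonzero only for signature algorithms that have OIDs for SHA512/224 and SHA512/256 (RSA); DSA and ECDSA pass 0 */` would make those literals self-explanatory. Minor: `op` is initialised to "none" and that value is only ever reported for NID_undef, so assigning it in the `case NID_undef:` arm would keep each unapproved branch naming its own operation. The function's tail after `return 0;` lies outside the hunk.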
diff --git a/providers/fips/include/fips/fipsindicator.h b/providers/fips/include/fips/fipsindicator.h
index 045d2108d54..7efe62669ae 100644
--- a/providers/fips/include/fips/fipsindicator.h
+++ b/providers/fips/include/fips/fipsindicator.h
@@ -134,6 +134,7 @@ int ossl_fips_ind_digest_exch_check(OSSL_FIPS_IND *ind, int id, OSSL_LIB_CTX *li
 int ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND *ind, int id,
 OSSL_LIB_CTX *libctx, int nid, int sha1_allowed,
+ int sha512_trunc_allowed,
 const char *desc,
 OSSL_FIPS_IND_CHECK_CB *config_check_f);
diff --git a/providers/implementations/signature/dsa_sig.c b/providers/implementations/signature/dsa_sig.c
index c5adbf80021..887f6cbb901 100644
--- a/providers/implementations/signature/dsa_sig.c
+++ b/providers/implementations/signature/dsa_sig.c
@@ -193,7 +193,7 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx,
 if (!ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND_GET(ctx),
 OSSL_FIPS_IND_SETTABLE1, ctx->libctx,
- md_nid, sha1_allowed, desc,
+ md_nid, sha1_allowed, 0, desc,
 ossl_fips_config_signature_digest_check))
 goto err;
 }
diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c
index 4018a772ff1..73bfbf4aa9c 100644
--- a/providers/implementations/signature/ecdsa_sig.c
+++ b/providers/implementations/signature/ecdsa_sig.c
@@ -219,7 +219,7 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx,
 if (!ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND_GET(ctx),
 OSSL_FIPS_IND_SETTABLE1, ctx->libctx,
- md_nid, sha1_allowed, desc,
+ md_nid, sha1_allowed, 0, desc,
 ossl_fips_config_signature_digest_check))
 goto err;
 }
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
index 5d52c63e7ed..ff127a462ef 100644
--- a/providers/implementations/signature/rsa_sig.c
+++ b/providers/implementations/signature/rsa_sig.c
@@ -411,7 +411,7 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname,
 if (!ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND_GET(ctx),
 OSSL_FIPS_IND_SETTABLE1, ctx->libctx,
- md_nid, sha1_allowed, desc,
+ md_nid, sha1_allowed, 1, desc,
 ossl_fips_config_signature_digest_check))
 goto err;
 }
diff --git a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
index 54b143beada..7d850f4bb80 100644
--- a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
+++ b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
@@ -261,6 +261,15 @@ Ctrl = digest:SHA1
 Input = "0123456789ABCDEF1234"
 Result = KEYOP_MISMATCH
+FIPSversion = >=3.6.0
+Sign = P-256
+Securitycheck = 1
+Unapproved = 1
+CtrlInit = digest-check:0
+Ctrl = digest:SHA512-224
+Input = "0123456789ABCDEF1234"
+Result = KEYOP_ERROR
 Title = XOF disallowed
 DigestVerify = SHAKE256
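Review bot: The added case is gated with `FIPSversion = >=3.6.0`, but this commit is being applied to the 3.5 branch (X-Git-Tag: openssl-3.5.3~32), so if the FIPS provider built from this tree reports a 3.5.x version the new negative test is skipped there and the ECDSA/SHA512-224 rejection gets no coverage on the branch that carries it. Assuming the gate exists to skip older validated FIPS modules that lack the check, `FIPSversion = >=3.5.3` would exercise it on this branch while still excluding them. A matching DSA case (the dsa_sig.c hunk passes 0 as well) and a SHA512-256 variant would round out the coverage, since only the ECDSA/SHA512-224 pair is tested.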