Allow ECDSA signing with digests without a NID in default provider
authorTomas Mraz <tomas@openssl.org>
Thu, 20 Mar 2025 19:47:54 +0000 (20:47 +0100)
committerTomas Mraz <tomas@openssl.org>
Tue, 25 Mar 2025 19:01:11 +0000 (20:01 +0100)
Also fix ineffective check in DSA signing.

Fixes #27084

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/27107)

(cherry picked from commit 6708df48d6e31a598df2fa24bbc907a762d9a371)

providers/implementations/signature/dsa_sig.c
providers/implementations/signature/ecdsa_sig.c

index eb28c595b7ede241c13b8ee0a467f536a211314b..1f0033279d9821a2cd583136f3fb7e439cab4a91 100644 (file)
@@ -164,16 +164,19 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx,
         md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
         md_nid = ossl_digest_get_approved_nid(md);
 
-        if (md == NULL || md_nid < 0) {
-            if (md == NULL)
-                ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
-                               "%s could not be fetched", mdname);
-            if (md_nid == NID_undef)
-                ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
-                               "digest=%s", mdname);
-            if (mdname_len >= sizeof(ctx->mdname))
-                ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
-                               "%s exceeds name buffer length", mdname);
+        if (md == NULL) {
+            ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
+                           "%s could not be fetched", mdname);
+            goto err;
+        }
+        if (md_nid == NID_undef) {
+            ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
+                           "digest=%s", mdname);
+            goto err;
+        }
+        if (mdname_len >= sizeof(ctx->mdname)) {
+            ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
+                           "%s exceeds name buffer length", mdname);
             goto err;
         }
         /* XOF digests don't work */
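Review bot: The `md_nid == NID_undef` branch in dsa_setup_md is now reachable, so the default-provider DSA path starts rejecting digests without an approved NID, while the same commit puts the equivalent ECDSA check behind `#ifdef FIPS_MODULE`. If that difference is intended, a comment above the branch should say so, for example `/* DSA requires an approved digest NID in all builds, unlike ECDSA */`. Separately, `ossl_digest_get_approved_nid(md)` is still called before the `md == NULL` test. That is safe only if the helper tolerates NULL, which is not visible here, and moving the call below the NULL check would remove the dependency. The function body starts before the hunk and continues after it.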
index 72be2bcb62075c9f3a84e89438a387f5b741ed42..618fb4d04e2258edc9b3e12cc3741fd14c073800 100644 (file)
@@ -197,11 +197,13 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx,
         goto err;
     }
     md_nid = ossl_digest_get_approved_nid(md);
+#ifdef FIPS_MODULE
     if (md_nid == NID_undef) {
         ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
                        "digest=%s", mdname);
         goto err;
     }
+#endif
     /* XOF digests don't work */
     if (EVP_MD_xof(md)) {
         ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED);
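Review bot: Nothing at the `#ifdef FIPS_MODULE` guard records that non-FIPS builds now continue with `md_nid == NID_undef`, which every later use of `md_nid` in ecdsa_setup_md has to tolerate. A comment on the guard would make that contract visible, e.g. `/* Outside the FIPS module a digest without an approved NID is accepted; md_nid may be NID_undef from here on */`. The code between this hunk and the next is not shown, so any use of `md_nid` there should be checked against that case. The function starts and ends outside the hunk.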
@@ -237,16 +239,22 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx,
     EVP_MD_free(ctx->md);
 
     ctx->aid_len = 0;
-    if (WPACKET_init_der(&pkt, ctx->aid_buf, sizeof(ctx->aid_buf))
-        && ossl_DER_w_algorithmIdentifier_ECDSA_with_MD(&pkt, -1, ctx->ec,
-                                                        md_nid)
-        && WPACKET_finish(&pkt)) {
-        WPACKET_get_total_written(&pkt, &ctx->aid_len);
-        aid = WPACKET_get_curr(&pkt);
+#ifndef FIPS_MODULE
+    if (md_nid != NID_undef) {
+#else
+    {
+#endif
+        if (WPACKET_init_der(&pkt, ctx->aid_buf, sizeof(ctx->aid_buf))
+            && ossl_DER_w_algorithmIdentifier_ECDSA_with_MD(&pkt, -1, ctx->ec,
+                                                            md_nid)
+            && WPACKET_finish(&pkt)) {
+            WPACKET_get_total_written(&pkt, &ctx->aid_len);
+            aid = WPACKET_get_curr(&pkt);
+        }
+        WPACKET_cleanup(&pkt);
+        if (aid != NULL && ctx->aid_len != 0)
+            memmove(ctx->aid_buf, aid, ctx->aid_len);
     }
-    WPACKET_cleanup(&pkt);
-    if (aid != NULL && ctx->aid_len != 0)
-        memmove(ctx->aid_buf, aid, ctx->aid_len);
 
     ctx->mdctx = NULL;
     ctx->md = md;
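Review bot: The `#ifndef FIPS_MODULE` / `#else` pair around the opening brace splits one block across two preprocessor branches, which is hard to read and easy to break when editing. Since the FIPS build already rejects `NID_undef` earlier in ecdsa_setup_md, a plain `if (md_nid != NID_undef) {` would likely behave the same in both builds, assuming nothing in between reassigns `md_nid`. When the condition is false, `ctx->aid_len` stays 0 and no AlgorithmIdentifier is stored for the context. A short comment such as `/* no NID, so no AlgorithmIdentifier can be encoded; aid_len stays 0 */` would help readers of any code that consumes `aid_buf`. The function continues outside the hunk.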