From: Pauli
Date: Mon, 29 Jul 2024 02:07:39 +0000 (+1000)
Subject: signatures: disallow XOF digests when doing signatures
X-Git-Tag: openssl-3.4.0-alpha1~157
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5ab9f7e249f4b562a26809577d3aecfb4a1a9549;p=thirdparty%2Fopenssl.git

signatures: disallow XOF digests when doing signatures

Except for Ed448 and RSA PSS where they are mandatory and allow respectively.

Reviewed-by: Dmitry Belyavskiy
Reviewed-by: Shane Lontis
(Merged from https://github.com/openssl/openssl/pull/25020)
---

diff --git a/providers/implementations/exchange/dh_exch.c b/providers/implementations/exchange/dh_exch.c
index 717706a174d..753bc79f83c 100644
--- a/providers/implementations/exchange/dh_exch.c
+++ b/providers/implementations/exchange/dh_exch.c
@@ -392,6 +392,11 @@ static int dh_set_ctx_params(void *vpdhctx, const OSSL_PARAM params[])
 pdhctx->kdf_md = EVP_MD_fetch(pdhctx->libctx, name, mdprops);
 if (pdhctx->kdf_md == NULL)
 return 0;
+ /* XOF digests are not allowed */
+ if ((EVP_MD_get_flags(pdhctx->kdf_md) & EVP_MD_FLAG_XOF) != 0) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED);
+ return 0;
+ }
 #ifdef FIPS_MODULE
 if (!digest_check(pdhctx, pdhctx->kdf_md)) {
 EVP_MD_free(pdhctx->kdf_md);
diff --git a/providers/implementations/exchange/ecdh_exch.c b/providers/implementations/exchange/ecdh_exch.c
index 85b782a39d7..ac1f07fa320 100644
--- a/providers/implementations/exchange/ecdh_exch.c
+++ b/providers/implementations/exchange/ecdh_exch.c
@@ -312,6 +312,11 @@ int ecdh_set_ctx_params(void *vpecdhctx, const OSSL_PARAM params[])
 pectx->kdf_md = EVP_MD_fetch(pectx->libctx, name, mdprops);
 if (pectx->kdf_md == NULL)
 return 0;
+ /* XOF digests are not allowed */
+ if ((EVP_MD_get_flags(pectx->kdf_md) & EVP_MD_FLAG_XOF) != 0) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED);
+ return 0;
+ }
 #ifdef FIPS_MODULE
 if (!ossl_fips_ind_digest_check(OSSL_FIPS_IND_GET(pectx), OSSL_FIPS_IND_SETTABLE1, pectx->libctx,
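Review bot: The new XOF rejection in dh_set_ctx_params returns 0 but leaves the freshly fetched digest installed in `pdhctx->kdf_md`, whereas the FIPS check directly below it releases the digest on failure (`EVP_MD_free(pdhctx->kdf_md);` is visible in the context). A caller that ignores the set_ctx_params failure, or a later derive on the same context, would presumably still find the rejected XOF digest in place; the branch should clear it the same way, i.e. `EVP_MD_free(pdhctx->kdf_md); pdhctx->kdf_md = NULL;` before the `return 0;`. The ecdh_exch.c hunk that follows adds the identical pattern, though its tail is cut off in this view. dh_set_ctx_params starts and ends outside the hunk, so whether the earlier code already frees a previous kdf_md before the fetch cannot be confirmed here.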
diff --git a/providers/implementations/signature/dsa_sig.c b/providers/implementations/signature/dsa_sig.c
index 832fa2f10da..23441adfdaf 100644
--- a/providers/implementations/signature/dsa_sig.c
+++ b/providers/implementations/signature/dsa_sig.c
@@ -156,6 +156,11 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx,
 "%s exceeds name buffer length", mdname);
 goto err;
 }
+ /* XOF digests don't work */
+ if ((EVP_MD_get_flags(md) & EVP_MD_FLAG_XOF) != 0) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED);
+ return 0;
+ }
 #ifdef FIPS_MODULE
 {
 int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c
index 28e102bd0ff..706b5491757 100644
--- a/providers/implementations/signature/ecdsa_sig.c
+++ b/providers/implementations/signature/ecdsa_sig.c
@@ -270,6 +270,11 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, const char *mdname,
 "digest=%s", mdname);
 goto err;
 }
+ /* XOF digests don't work */
+ if ((EVP_MD_get_flags(md) & EVP_MD_FLAG_XOF) != 0) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED);
+ return 0;
+ }
 #ifdef FIPS_MODULE
 {
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
index 5cbf3ebe3f5..2776213b54c 100644
--- a/providers/implementations/signature/rsa_sig.c
+++ b/providers/implementations/signature/rsa_sig.c
@@ -343,6 +343,12 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname,
 "digest=%s", mdname);
 goto err;
 }
+ /* XOF digests are not allowed except for RSA PSS */
+ if (ctx->pad_mode != RSA_PKCS1_PSS_PADDING
+ && (EVP_MD_get_flags(md) & EVP_MD_FLAG_XOF) != 0) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED);
+ return 0;
+ }
 #ifdef FIPS_MODULE
 {
 int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
diff --git a/providers/implementations/signature/sm2_sig.c b/providers/implementations/signature/sm2_sig.c
index 346172abc08..5172d6622be 100644
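Review bot: The new XOF check in dsa_setup_md bails out with a bare `return 0;`, while the failure path two lines above it uses `goto err;`; `md` is the locally fetched digest the check inspects via `EVP_MD_get_flags(md)`, so if `err:` is where that object is released — which the neighbouring path strongly suggests — every rejected XOF name leaks the fetched EVP_MD. Replace `return 0;` with `goto err;` so the new branch shares the existing cleanup. dsa_setup_md begins and ends outside the hunk, so the `err:` label itself is not visible here.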
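Review bot: The rsa_setup_md hunk has the same inconsistency: the XOF branch uses `return 0;` where the adjacent failure path uses `goto err;`, so the locally fetched `md` is presumably not released when a non-PSS context is handed a SHAKE digest; `goto err;` keeps the cleanup uniform. Separately, the exemption is decided from `ctx->pad_mode` at the moment the digest is set, so if the padding mode can still be changed away from PSS afterwards (that code is outside this hunk), a SHAKE digest accepted under PSS would survive into a PKCS#1 v1.5 signature; if that ordering is reachable, the XOF check should also run when the pad mode changes or at sign/verify time. rsa_setup_md starts and ends outside the hunk.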
--- a/providers/implementations/signature/sm2_sig.c
+++ b/providers/implementations/signature/sm2_sig.c
@@ -98,6 +98,12 @@ static int sm2sig_set_mdname(PROV_SM2_CTX *psm2ctx, const char *mdname)
 if (psm2ctx->md == NULL)
 return 0;
+ /* XOF digests don't work */
+ if ((EVP_MD_get_flags(psm2ctx->md) & EVP_MD_FLAG_XOF) != 0) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED);
+ return 0;
+ }
+
 if (mdname == NULL)
 return 1;