From: Tomas Mraz Date: Thu, 20 Mar 2025 19:47:54 +0000 (+0100) Subject: Allow ECDSA signing with digests without a NID in default provider X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6708df48d6e31a598df2fa24bbc907a762d9a371;p=thirdparty%2Fopenssl.git Allow ECDSA signing with digests without a NID in default provider Also fix ineffective check in DSA signing. Fixes #27084 Reviewed-by: Paul Dale Reviewed-by: Dmitry Belyavskiy Reviewed-by: Nicola Tuveri (Merged from https://github.com/openssl/openssl/pull/27107) --- diff --git a/providers/implementations/signature/dsa_sig.c b/providers/implementations/signature/dsa_sig.c index 4b585bb704c..da09dffc21d 100644 --- a/providers/implementations/signature/dsa_sig.c +++ b/providers/implementations/signature/dsa_sig.c @@ -164,16 +164,19 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx, md = EVP_MD_fetch(ctx->libctx, mdname, mdprops); md_nid = ossl_digest_get_approved_nid(md); - if (md == NULL || md_nid < 0) { - if (md == NULL) - ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, - "%s could not be fetched", mdname); - if (md_nid == NID_undef) - ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, - "digest=%s", mdname); - if (mdname_len >= sizeof(ctx->mdname)) - ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, - "%s exceeds name buffer length", mdname); + if (md == NULL) { + ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, + "%s could not be fetched", mdname); + goto err; + } + if (md_nid == NID_undef) { + ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, + "digest=%s", mdname); + goto err; + } + if (mdname_len >= sizeof(ctx->mdname)) { + ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, + "%s exceeds name buffer length", mdname); goto err; } /* XOF digests don't work */ diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c index 6fef96c86a6..f6af1c96b0a 100644 --- a/providers/implementations/signature/ecdsa_sig.c +++ b/providers/implementations/signature/ecdsa_sig.c @@ -197,11 +197,13 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, goto err; } md_nid = ossl_digest_get_approved_nid(md); +#ifdef FIPS_MODULE if (md_nid == NID_undef) { ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, "digest=%s", mdname); goto err; } +#endif /* XOF digests don't work */ if (EVP_MD_xof(md)) { ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED); @@ -237,16 +239,22 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, EVP_MD_free(ctx->md); ctx->aid_len = 0; - if (WPACKET_init_der(&pkt, ctx->aid_buf, sizeof(ctx->aid_buf)) - && ossl_DER_w_algorithmIdentifier_ECDSA_with_MD(&pkt, -1, ctx->ec, - md_nid) - && WPACKET_finish(&pkt)) { - WPACKET_get_total_written(&pkt, &ctx->aid_len); - aid = WPACKET_get_curr(&pkt); +#ifndef FIPS_MODULE + if (md_nid != NID_undef) { +#else + { +#endif + if (WPACKET_init_der(&pkt, ctx->aid_buf, sizeof(ctx->aid_buf)) + && ossl_DER_w_algorithmIdentifier_ECDSA_with_MD(&pkt, -1, ctx->ec, + md_nid) + && WPACKET_finish(&pkt)) { + WPACKET_get_total_written(&pkt, &ctx->aid_len); + aid = WPACKET_get_curr(&pkt); + } + WPACKET_cleanup(&pkt); + if (aid != NULL && ctx->aid_len != 0) + memmove(ctx->aid_buf, aid, ctx->aid_len); } - WPACKET_cleanup(&pkt); - if (aid != NULL && ctx->aid_len != 0) - memmove(ctx->aid_buf, aid, ctx->aid_len); ctx->mdctx = NULL; ctx->md = md;