From: Angel Yankov
Date: Thu, 28 Nov 2024 09:02:07 +0000 (+0200)
Subject: SHA-1 cannot be CAVP tested anymore. Thus, Mark it as not approved for signature...
X-Git-Tag: 3.8.10~28^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c6ca7db3672d229cdf415593be294c9d8ba2367f;p=thirdparty%2Fgnutls.git

SHA-1 cannot be CAVP tested anymore. Thus, Mark it as not approved for signature verification.

Signed-off-by: Angel Yankov
---
diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
index 769cd274a1..d9451cb465 100644
--- a/lib/nettle/pk.c
+++ b/lib/nettle/pk.c
@@ -2783,10 +2783,7 @@ static int _wrap_nettle_pk_verify(gnutls_pk_algorithm_t algo,
 if (hash_len > vdata->size)
 hash_len = vdata->size;
 
- /* SHA-1 is allowed for SigVer in FIPS 140-3 in legacy
- * mode */
 switch (DIG_TO_MAC(sign_params->dsa_dig)) {
- case GNUTLS_MAC_SHA1:
 case GNUTLS_MAC_SHA256:
 case GNUTLS_MAC_SHA384:
 case GNUTLS_MAC_SHA512:
@@ -2856,7 +2853,7 @@ static int _wrap_nettle_pk_verify(gnutls_pk_algorithm_t algo,
 bits = mpz_sizeinbase(pub.n, 2);
 
 /* In FIPS 140-3, RSA key size should be larger than 2048-bit.
- * In addition to this, only SHA-1 and SHA-2 are allowed
+ * In addition to this, only SHA-2 is allowed
 * for SigVer; it is checked in _pkcs1_rsa_verify_sig in
 * lib/pubkey.c.
 */
@@ -2902,7 +2899,7 @@ static int _wrap_nettle_pk_verify(gnutls_pk_algorithm_t algo,
 }
 
 /* RSA modulus size should be 2048-bit or larger in FIPS
- * 140-3. In addition to this, only SHA-1 and SHA-2 are
+ * 140-3. In addition to this, only SHA-2 are
 * allowed for SigVer, while Nettle only supports
 * SHA256, SHA384, and SHA512 for RSA-PSS (see
 * _rsa_pss_verify_digest in this file for the details).
diff --git a/lib/pubkey.c b/lib/pubkey.c
index 1e5ecf31cd..811e5310ba 100644
--- a/lib/pubkey.c
+++ b/lib/pubkey.c
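Review bot: Dropping the `case GNUTLS_MAC_SHA1:` label together with the "legacy mode" comment leaves the approved-digest switch in the first hunk with no record of why SHA-1 is absent, which invites a future maintainer to re-add it as an apparent omission; the identical switch in the lib/pubkey.c hunk has the same gap. A one-line comment above each switch, `/* SHA-1 is not CAVP-testable and is therefore not approved for SigVer */`, would carry the commit's rationale into the code. Only the approved cases are visible here; how SHA-1 is handled now (presumably the switch's default branch) lies outside the hunk, as does the rest of _wrap_nettle_pk_verify.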
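Review bot: The rewritten comment line in the third hunk, `* 140-3. In addition to this, only SHA-2 are`, is ungrammatical now that "SHA-1 and" has been removed, while the second hunk correctly reads `only SHA-2 is allowed`. Changing it to `* 140-3. In addition to this, only SHA-2 is` keeps the two RSA comments consistent. The enclosing function _wrap_nettle_pk_verify begins and ends outside the hunk.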
@@ -2516,10 +2516,7 @@ static int _pkcs1_rsa_verify_sig(gnutls_pk_algorithm_t pk,
 d.size = digest_size;
 
 if (pk == GNUTLS_PK_RSA) {
- /* SHA-1 is allowed for SigVer in FIPS 140-3 in legacy
- * mode */
 switch (me->id) {
- case GNUTLS_MAC_SHA1:
 case GNUTLS_MAC_SHA256:
 case GNUTLS_MAC_SHA384:
 case GNUTLS_MAC_SHA512:
diff --git a/tests/fips-test.c b/tests/fips-test.c
index 3af4df7190..c02442737f 100644
--- a/tests/fips-test.c
+++ b/tests/fips-test.c
@@ -596,7 +596,7 @@ void doit(void)
 }
 FIPS_POP_CONTEXT(NOT_APPROVED);
 
- /* Verify a signature created with 2432-bit RSA and SHA-1; approved */
+ /* Verify a signature created with 2432-bit RSA and SHA-1; not approved */
 FIPS_PUSH_CONTEXT();
 ret = gnutls_pubkey_verify_data2(pubkey, GNUTLS_SIGN_RSA_SHA1,
 GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1,
@@ -604,7 +604,7 @@ void doit(void)
 if (ret < 0) {
 fail("gnutls_pubkey_verify_data2 failed\n");
 }
- FIPS_POP_CONTEXT(APPROVED);
+ FIPS_POP_CONTEXT(NOT_APPROVED);
 gnutls_free(signature.data);
 gnutls_pubkey_deinit(pubkey);
 gnutls_privkey_deinit(privkey);
@@ -707,7 +707,7 @@ void doit(void)
 }
 FIPS_POP_CONTEXT(NOT_APPROVED);
 
- /* Verify a signature created with ECDSA and SHA-1; approved */
+ /* Verify a signature created with ECDSA and SHA-1; not approved */
 FIPS_PUSH_CONTEXT();
 ret = gnutls_pubkey_verify_data2(pubkey, GNUTLS_SIGN_ECDSA_SHA1,
 GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1,
@@ -715,7 +715,7 @@ void doit(void)
 if (ret < 0) {
 fail("gnutls_pubkey_verify_data2 failed\n");
 }
- FIPS_POP_CONTEXT(APPROVED);
+ FIPS_POP_CONTEXT(NOT_APPROVED);
 gnutls_free(signature.data);
 
 /* Create a signature with ECDSA and SHA-1 (old API); not approved */
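Review bot: The expectation flips in tests/fips-test.c cover only the RSA-SHA1 and ECDSA-SHA1 verifications, whereas the lib/nettle/pk.c hunk removes SHA-1 from the `DIG_TO_MAC(sign_params->dsa_dig)` switch, which from its name appears to also govern DSA signature verification. If doit() contains a DSA-SHA1 verify case elsewhere, it should likewise expect `FIPS_POP_CONTEXT(NOT_APPROVED);`, and if it does not, adding one would pin the DSA branch of this change. The visible assertions only check the FIPS context transition while still requiring `ret >= 0`, which matches the intent that verification with GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1 still succeeds but is recorded as not approved. doit() starts and ends outside these hunks.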