author | Tomas Mraz <tomas@openssl.org> | 2021-05-10 16:51:39 +0200 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2021-05-12 13:12:00 +0200 |
commit | 6a2ab4a9c81c676570e849e474ce64f8c2dee2a9 (patch) | |
tree | 9496947faebd554ee93b7e1f7962aa8b7fb143bf /providers/implementations | |
parent | apps: make list -help not continue with listing (diff) | |
Allow arbitrary digests with ECDSA and DSA
Unless the FIPS security check is enabled we allow arbitrary digests
with ECDSA and DSA.
Fixes #14696
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15220)
Diffstat (limited to 'providers/implementations')
-rw-r--r-- | providers/implementations/signature/dsa_sig.c | 4 | ||||
-rw-r--r-- | providers/implementations/signature/ecdsa_sig.c | 2 | ||||
-rw-r--r-- | providers/implementations/signature/rsa_sig.c | 8 |
3 files changed, 7 insertions, 7 deletions
diff --git a/providers/implementations/signature/dsa_sig.c b/providers/implementations/signature/dsa_sig.c
index dde689903d..23e000db4c 100644
--- a/providers/implementations/signature/dsa_sig.c
+++ b/providers/implementations/signature/dsa_sig.c
@@ -131,11 +131,11 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx,
 sha1_allowed);
 size_t mdname_len = strlen(mdname);
- if (md == NULL || md_nid == NID_undef) {
+ if (md == NULL || md_nid < 0) {
 if (md == NULL)
 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, "%s could not be fetched", mdname);
- if (md_nid == NID_undef)
+ if (md_nid < 0)
 ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, "digest=%s", mdname);
 if (mdname_len >= sizeof(ctx->mdname))
diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c
index 8c4648106f..a4297d1903 100644
--- a/providers/implementations/signature/ecdsa_sig.c
+++ b/providers/implementations/signature/ecdsa_sig.c
@@ -227,7 +227,7 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, const char *mdname,
 sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
 md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md, sha1_allowed);
- if (md_nid == NID_undef) {
+ if (md_nid < 0) {
 ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, "digest=%s", mdname);
 EVP_MD_free(md);
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
index 16025bffc0..abd3b1a77b 100644
--- a/providers/implementations/signature/rsa_sig.c
+++ b/providers/implementations/signature/rsa_sig.c
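Review bot: The new `md_nid < 0` test in dsa_setup_md depends on a return convention that is not stated at the call site: a negative value now means the digest was rejected, while NID_undef passes as an allowed digest that simply has no known NID (inferred from the commit message; the helper is not shown). ecdsa_setup_md uses the same `< 0` test, but rsa_setup_md and rsa_setup_mgf1_md use `<= 0`, and nothing tells a later maintainer why the RSA paths still refuse NID_undef. I would add a comment above the check such as `/* < 0: digest rejected by the security check; NID_undef: allowed, no known NID */`, with a matching one on the RSA checks explaining that they need a real NID. dsa_setup_md starts and ends outside this hunk.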
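Review bot: Past the `if (md_nid < 0)` check in ecdsa_setup_md, md_nid can now be NID_undef, so any later use of it in the part of the function outside this hunk has to cope with a digest that has no NID; the same applies to dsa_setup_md. If md_nid is used there to encode the signature AlgorithmIdentifier or is stored in the context (not visible here), confirm that path leaves the identifier empty or fails cleanly instead of encoding an undefined OID, and mark it with `/* md_nid may be NID_undef: digest allowed but has no NID */`. The `sha1_allowed` value computed two lines above now matters only when the helper returns a negative value, so outside the FIPS check there is presumably no digest-strength floor left for signing. A test that signs and verifies with a digest lacking an approved NID would pin the intended behaviour.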
@@ -289,13 +289,13 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname,
 size_t mdname_len = strlen(mdname);
 if (md == NULL
- || md_nid == NID_undef
+ || md_nid <= 0
 || !rsa_check_padding(ctx, mdname, NULL, md_nid)
 || mdname_len >= sizeof(ctx->mdname)) {
 if (md == NULL)
 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, "%s could not be fetched", mdname);
- if (md_nid == NID_undef)
+ if (md_nid <= 0)
 ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, "digest=%s", mdname);
 if (mdname_len >= sizeof(ctx->mdname))
@@ -344,9 +344,9 @@ static int rsa_setup_mgf1_md(PROV_RSA_CTX *ctx, const char *mdname,
 return 0;
 }
 /* The default for mgf1 is SHA1 - so allow SHA1 */
- if ((mdnid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md, 1)) == NID_undef
+ if ((mdnid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md, 1)) <= 0
 || !rsa_check_padding(ctx, NULL, mdname, mdnid)) {
- if (mdnid == NID_undef)
+ if (mdnid <= 0)
 ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, "digest=%s", mdname);
 EVP_MD_free(md); |