
Commit a772605

fix: do not use "digest and sign" for ML-DSA in FIPS mode (#5348)
1 parent a8d4e6d commit a772605

1 file changed

+13
-3
lines changed


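--- a/crypto/s2n_pkey_evp.c
+++ b/crypto/s2n_pkey_evp.c
@@ -84,7 +84,7 @@ static EVP_PKEY_CTX *s2n_evp_pkey_ctx_new(EVP_PKEY *pkey, s2n_hash_algorithm has
 
 /* Our "digest-and-sign" EVP signing logic is intended to support FIPS 140-3.
 * FIPS 140-3 does not allow signing or verifying externally calculated digests
-* (except for signing, but not verifying, with ECDSA).
+* for RSA and ECDSA verify.
 * See https://csrc.nist.gov/Projects/Cryptographic-Algorithm-Validation-Program/Digital-Signatures,
 * and note that "component" tests only exist for ECDSA sign.
 *
@@ -145,6 +145,16 @@ static int s2n_pkey_evp_digest_and_sign(EVP_PKEY_CTX *pctx, s2n_signature_algori
 return S2N_SUCCESS;
 }
 
+/* See s2n_evp_digest_and_sign for more information */
+static bool s2n_pkey_evp_digest_and_sign_is_required(s2n_signature_algorithm sig_alg)
+{
+if (sig_alg == S2N_SIGNATURE_MLDSA) {
+/* The FIPS restrictions do not apply to ML-DSA */
+return false;
+}
+return s2n_libcrypto_is_awslc_fips();
+}
+
 /* "digest-then-sign" means that we calculate the digest for a hash state,
 * then sign the digest bytes. That is not allowed by FIPS 140-3, but is allowed
 * in all other cases.
@@ -192,7 +202,7 @@ int s2n_pkey_evp_sign(const struct s2n_pkey *priv, s2n_signature_algorithm sig_a
 POSIX_GUARD_RESULT(s2n_evp_pkey_set_rsa_pss_saltlen(pctx));
 }
 
-if (s2n_libcrypto_is_awslc_fips()) {
+if (s2n_pkey_evp_digest_and_sign_is_required(sig_alg)) {
 POSIX_GUARD(s2n_pkey_evp_digest_and_sign(pctx, sig_alg, hash_state, signature));
 } else {
 POSIX_GUARD(s2n_pkey_evp_digest_then_sign(pctx, hash_state, signature));
@@ -265,7 +275,7 @@ int s2n_pkey_evp_verify(const struct s2n_pkey *pub, s2n_signature_algorithm sig_
 POSIX_GUARD_RESULT(s2n_evp_pkey_set_rsa_pss_saltlen(pctx));
 }
 
-if (s2n_libcrypto_is_awslc_fips()) {
+if (s2n_pkey_evp_digest_and_sign_is_required(sig_alg)) {
 POSIX_GUARD(s2n_pkey_evp_digest_and_verify(pctx, sig_alg, hash_state, signature));
 } else {
 POSIX_GUARD(s2n_pkey_evp_digest_then_verify(pctx, hash_state, signature));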
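Review bot: The header comment on the new helper at new line 148 points to `s2n_evp_digest_and_sign`, but the function it is documenting is named `s2n_pkey_evp_digest_and_sign` in this hunk's own header, so the cross-reference resolves to nothing; I would change it to `/* See s2n_pkey_evp_digest_and_sign for more information */`. The rewritten comment at new line 87 also reads awkwardly ("does not allow signing or verifying externally calculated digests for RSA and ECDSA verify"); something like `* for RSA (sign and verify) and for ECDSA verify.` states the exception more plainly, assuming that is the intended scope. With the helper returning false for ML-DSA, both sign and verify now fall through to `s2n_pkey_evp_digest_then_sign` / `s2n_pkey_evp_digest_then_verify`, whose bodies are outside the hunk; it is worth confirming those paths handle S2N_SIGNATURE_MLDSA as intended under the AWS-LC FIPS build, and adding a test that pins the ML-DSA branch there so a later refactor cannot silently route it back through digest-and-sign.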
