-rw-r--r--CHANGES.md2
-rw-r--r--providers/common/securitycheck_fips.c9
-rw-r--r--providers/fips/include/fips/fipsindicator.h4
-rw-r--r--providers/implementations/exchange/dh_exch.c6
-rw-r--r--providers/implementations/exchange/ecdh_exch.c6
-rw-r--r--test/recipes/80-test_cms.t24
6 files changed, 29 insertions, 22 deletions
diff --git a/CHANGES.md b/CHANGES.md
index 69f9620..305296a 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -83,7 +83,7 @@ OpenSSL 3.4
[fips_module(7)]: https://docs.openssl.org/master/man7/fips_module/#FIPS indicators
- *Shane Lontis, Paul Dale and Po-Hsing Wu*
+ *Shane Lontis, Paul Dale, Po-Hsing Wu and Dimitri John Ledkov*
* Added support for hardware acceleration for HMAC on S390x architecture.
diff --git a/providers/common/securitycheck_fips.c b/providers/common/securitycheck_fips.c
index 76d95d1..c02fa96 100644
--- a/providers/common/securitycheck_fips.c
+++ b/providers/common/securitycheck_fips.c
@@ -78,11 +78,12 @@ int ossl_fips_ind_ec_key_check(OSSL_FIPS_IND *ind, int id,
}
#endif
-int ossl_fips_ind_digest_check(OSSL_FIPS_IND *ind, int id,
- OSSL_LIB_CTX *libctx,
- const EVP_MD *md, const char *desc)
+int ossl_fips_ind_digest_exch_check(OSSL_FIPS_IND *ind, int id,
+ OSSL_LIB_CTX *libctx,
+ const EVP_MD *md, const char *desc)
{
- int approved = (ossl_digest_get_approved_nid(md) != NID_undef);
+ int nid = ossl_digest_get_approved_nid(md);
+ int approved = (nid != NID_undef && nid != NID_sha1);
if (!approved) {
if (!ossl_FIPS_IND_on_unapproved(ind, id, libctx, desc, "Digest",
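Review bot: The added `nid != NID_sha1` test in ossl_fips_ind_digest_exch_check carries no comment explaining why a digest that ossl_digest_get_approved_nid() presumably accepts is treated as unapproved here, and the rule is hard-coded while the sibling ossl_fips_ind_digest_sign_check (declared in fipsindicator.h) takes an explicit `sha1_allowed` argument. I would add above the assignment something like `/* SHA-1 is an approved digest elsewhere but is not accepted for key-exchange KDF use; report it through the indicator like any other unapproved digest */`, ideally naming the requirement that motivates it. SHA-1 still goes through ossl_FIPS_IND_on_unapproved(), so whether it is refused or only flagged appears to depend on the indicator settings; the rest of the function body is outside the hunk and should be checked for that.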
diff --git a/providers/fips/include/fips/fipsindicator.h b/providers/fips/include/fips/fipsindicator.h
index 405b800..045d210 100644
--- a/providers/fips/include/fips/fipsindicator.h
+++ b/providers/fips/include/fips/fipsindicator.h
@@ -129,8 +129,8 @@ int ossl_fips_ind_ec_key_check(OSSL_FIPS_IND *ind, int id, OSSL_LIB_CTX *libctx,
const EC_GROUP *group, const char *desc,
int protect);
# endif
-int ossl_fips_ind_digest_check(OSSL_FIPS_IND *ind, int id, OSSL_LIB_CTX *libctx,
- const EVP_MD *md, const char *desc);
+int ossl_fips_ind_digest_exch_check(OSSL_FIPS_IND *ind, int id, OSSL_LIB_CTX *libctx,
+ const EVP_MD *md, const char *desc);
int ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND *ind, int id,
OSSL_LIB_CTX *libctx,
int nid, int sha1_allowed,
diff --git a/providers/implementations/exchange/dh_exch.c b/providers/implementations/exchange/dh_exch.c
index 19007ca..b7fee87 100644
--- a/providers/implementations/exchange/dh_exch.c
+++ b/providers/implementations/exchange/dh_exch.c
@@ -113,9 +113,9 @@ static int dh_check_key(PROV_DH_CTX *ctx)
static int digest_check(PROV_DH_CTX *ctx, const EVP_MD *md)
{
- return ossl_fips_ind_digest_check(OSSL_FIPS_IND_GET(ctx),
- OSSL_FIPS_IND_SETTABLE1, ctx->libctx,
- md, "DH Set Ctx");
+ return ossl_fips_ind_digest_exch_check(OSSL_FIPS_IND_GET(ctx),
+ OSSL_FIPS_IND_SETTABLE1, ctx->libctx,
+ md, "DH Set Ctx");
}
#endif
diff --git a/providers/implementations/exchange/ecdh_exch.c b/providers/implementations/exchange/ecdh_exch.c
index 409d047..ee56c1c 100644
--- a/providers/implementations/exchange/ecdh_exch.c
+++ b/providers/implementations/exchange/ecdh_exch.c
@@ -320,9 +320,9 @@ int ecdh_set_ctx_params(void *vpecdhctx, const OSSL_PARAM params[])
return 0;
}
#ifdef FIPS_MODULE
- if (!ossl_fips_ind_digest_check(OSSL_FIPS_IND_GET(pectx),
- OSSL_FIPS_IND_SETTABLE1, pectx->libctx,
- pectx->kdf_md, "ECDH Set Ctx")) {
+ if (!ossl_fips_ind_digest_exch_check(OSSL_FIPS_IND_GET(pectx),
+ OSSL_FIPS_IND_SETTABLE1, pectx->libctx,
+ pectx->kdf_md, "ECDH Set Ctx")) {
EVP_MD_free(pectx->kdf_md);
pectx->kdf_md = NULL;
return 0;
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
index f060f47..9ee474f 100644
--- a/test/recipes/80-test_cms.t
+++ b/test/recipes/80-test_cms.t
@@ -647,18 +647,24 @@ my @smime_cms_param_tests = (
[ "{cmd2}", @defaultprov, "-decrypt", "-recip", catfile($smdir, "smec2.pem"),
"-in", "{output}.cms", "-out", "{output}.txt" ],
\&final_compare
- ],
-
- [ "enveloped content test streaming S/MIME format, X9.42 DH",
- [ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
- "-stream", "-out", "{output}.cms",
- "-recip", catfile($smdir, "smdh.pem"), "-aes128" ],
- [ "{cmd2}", @prov, "-decrypt", "-recip", catfile($smdir, "smdh.pem"),
- "-in", "{output}.cms", "-out", "{output}.txt" ],
- \&final_compare
]
);
+if ($no_fips || $old_fips) {
+ # Only SHA1 supported in dh_cms_encrypt()
+ push(@smime_cms_param_tests,
+
+ [ "enveloped content test streaming S/MIME format, X9.42 DH",
+ [ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
+ "-stream", "-out", "{output}.cms",
+ "-recip", catfile($smdir, "smdh.pem"), "-aes128" ],
+ [ "{cmd2}", @prov, "-decrypt", "-recip", catfile($smdir, "smdh.pem"),
+ "-in", "{output}.cms", "-out", "{output}.txt" ],
+ \&final_compare
+ ]
+ );
+}
+
my @smime_cms_param_tests_autodigestmax = (
[ "signed content test streaming PEM format, RSA keys, PSS signature, saltlen=auto-digestmax, digestsize < maximum salt length",
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
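Review bot: Gating the X9.42 DH enveloped-content test on `$no_fips || $old_fips` drops it for the current FIPS provider, and nothing replaces it with a check that the provider now refuses SHA-1 for DH key exchange. The diffstat lists this as the only test file touched, so the new prohibition in ossl_fips_ind_digest_exch_check has no regression coverage in this commit. I would add a negative case under the opposite condition that runs the same X9.42 DH `-encrypt` command with `smdh.pem` and expects it to fail. The comment could also say why, for example `# dh_cms_encrypt() only supports SHA1, which the FIPS provider no longer approves for key exchange`. `$no_fips` and `$old_fips` are defined outside the hunk.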