Add fips checks for ecdsa signatures

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12745)
2025-03-19 19:50:42 +08:00 · 2020-08-29 12:51:14 +10:00 · 2020-08-29 12:51:14 +10:00 · 0645110ebd
commit 0645110ebd
parent e43b448241
7 changed files with 312 additions and 173 deletions
--- a/providers/common/include/prov/provider_util.h
+++ b/providers/common/include/prov/provider_util.h
@ -132,3 +132,4 @@ void ossl_prov_cache_exported_algorithms(const OSSL_ALGORITHM_CAPABLE *in,
 int ossl_prov_digest_md_to_nid(const EVP_MD *md, const OSSL_ITEM *it,
                               size_t it_len);
 int ossl_prov_digest_get_approved_nid(const EVP_MD *md, int sha1_allowed);
+int ossl_prov_ec_check(const EC_KEY *ec, int protect);
--- a/providers/common/provider_util.c
+++ b/providers/common/provider_util.c
@ -353,3 +353,66 @@ int ossl_prov_digest_get_approved_nid(const EVP_MD *md, int sha1_allowed)
 #endif
    return mdnid;
 }
+
+/*
+ * In FIPS mode:
+ * protect should be 1 for any operations that need 112 bits of security
+ * strength (such as signing, and key exchange), or 0 for operations that allow
+ * a lower security strength (such as verify).
+ *
+ * For ECDH key agreement refer to SP800-56A
+ * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf
+ * "Appendix D"
+ *
+ * For ECDSA signatures refer to
+ * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
+ * "Table 2"
+ */
+int ossl_prov_ec_check(const EC_KEY *ec, int protect)
+{
+#ifdef FIPS_MODULE
+    int nid, strength;
+    const char *curve_name;
+    const EC_GROUP *group = EC_KEY_get0_group(ec);
+
+    if (group == NULL) {
+        ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE, "No group");
+        return 0;
+    }
+    nid = EC_GROUP_get_curve_name(group);
+    if (nid == NID_undef) {
+        ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE,
+                       "Explicit curves are not allowed in fips mode");
+        return 0;
+    }
+
+    curve_name = EC_curve_nid2nist(nid);
+    if (curve_name == NULL) {
+        ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE,
+                       "Curve %s is not approved in FIPS mode", curve_name);
+        return 0;
+    }
+
+    /*
+     * For EC the security strength is the (order_bits / 2)
+     * e.g. P-224 is 112 bits.
+     */
+    strength = EC_GROUP_order_bits(group) / 2;
+    /* The min security strength allowed for legacy verification is 80 bits */
+    if (strength < 80) {
+        ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CURVE);
+        return 0;
+    }
+
+    /*
+     * For signing/or key agreement only allow curves with at least 112 bits of
+     * security strength
+     */
+    if (protect && strength < 112) {
+        ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE,
+                       "Curve %s cannot be used for signing", curve_name);
+        return 0;
+    }
+#endif
+    return 1;
+}
--- a/providers/implementations/signature/ecdsa.c
+++ b/providers/implementations/signature/ecdsa.c
@ -28,18 +28,19 @@
 #include "prov/providercommonerr.h"
 #include "prov/implementations.h"
 #include "prov/provider_ctx.h"
+#include "prov/provider_util.h"
 #include "crypto/ec.h"
 #include "prov/der_ec.h"

 static OSSL_FUNC_signature_newctx_fn ecdsa_newctx;
-static OSSL_FUNC_signature_sign_init_fn ecdsa_signature_init;
-static OSSL_FUNC_signature_verify_init_fn ecdsa_signature_init;
+static OSSL_FUNC_signature_sign_init_fn ecdsa_sign_init;
+static OSSL_FUNC_signature_verify_init_fn ecdsa_verify_init;
 static OSSL_FUNC_signature_sign_fn ecdsa_sign;
 static OSSL_FUNC_signature_verify_fn ecdsa_verify;
-static OSSL_FUNC_signature_digest_sign_init_fn ecdsa_digest_signverify_init;
+static OSSL_FUNC_signature_digest_sign_init_fn ecdsa_digest_sign_init;
 static OSSL_FUNC_signature_digest_sign_update_fn ecdsa_digest_signverify_update;
 static OSSL_FUNC_signature_digest_sign_final_fn ecdsa_digest_sign_final;
-static OSSL_FUNC_signature_digest_verify_init_fn ecdsa_digest_signverify_init;
+static OSSL_FUNC_signature_digest_verify_init_fn ecdsa_digest_verify_init;
 static OSSL_FUNC_signature_digest_verify_update_fn ecdsa_digest_signverify_update;
 static OSSL_FUNC_signature_digest_verify_final_fn ecdsa_digest_verify_final;
 static OSSL_FUNC_signature_freectx_fn ecdsa_freectx;
@ -70,6 +71,7 @@ typedef struct {
    unsigned char *aid;
    size_t  aid_len;
    size_t mdsize;
+    int operation;

    EVP_MD *md;
    EVP_MD_CTX *mdctx;
@ -114,7 +116,7 @@ static void *ecdsa_newctx(void *provctx, const char *propq)
    return ctx;
 }

-static int ecdsa_signature_init(void *vctx, void *ec)
+static int ecdsa_signverify_init(void *vctx, void *ec, int operation)
 {
    PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;

@ -125,7 +127,18 @@ static int ecdsa_signature_init(void *vctx, void *ec)
        return 0;
    EC_KEY_free(ctx->ec);
    ctx->ec = ec;
-    return 1;
+    ctx->operation = operation;
+    return ossl_prov_ec_check(ec, operation == EVP_PKEY_OP_SIGN);
+}
+
+static int ecdsa_sign_init(void *vctx, void *ec)
+{
+    return ecdsa_signverify_init(vctx, ec, EVP_PKEY_OP_SIGN);
+}
+
+static int ecdsa_verify_init(void *vctx, void *ec)
+{
+    return ecdsa_signverify_init(vctx, ec, EVP_PKEY_OP_VERIFY);
 }

 static int ecdsa_sign(void *vctx, unsigned char *sig, size_t *siglen,
@ -174,44 +187,11 @@ static int ecdsa_verify(void *vctx, const unsigned char *sig, size_t siglen,
    return ECDSA_verify(0, tbs, tbslen, sig, siglen, ctx->ec);
 }

-static int get_md_nid(const EVP_MD *md)
+static int get_md_nid(const PROV_ECDSA_CTX *ctx, const EVP_MD *md)
 {
-    /*
-     * Because the ECDSA library deals with NIDs, we need to translate.
-     * We do so using EVP_MD_is_a(), and therefore need a name to NID
-     * map.
-     */
-    static const OSSL_ITEM name_to_nid[] = {
-        { NID_sha1,   OSSL_DIGEST_NAME_SHA1   },
-        { NID_sha224, OSSL_DIGEST_NAME_SHA2_224 },
-        { NID_sha256, OSSL_DIGEST_NAME_SHA2_256 },
-        { NID_sha384, OSSL_DIGEST_NAME_SHA2_384 },
-        { NID_sha512, OSSL_DIGEST_NAME_SHA2_512 },
-        { NID_sha3_224, OSSL_DIGEST_NAME_SHA3_224 },
-        { NID_sha3_256, OSSL_DIGEST_NAME_SHA3_256 },
-        { NID_sha3_384, OSSL_DIGEST_NAME_SHA3_384 },
-        { NID_sha3_512, OSSL_DIGEST_NAME_SHA3_512 },
-        /* TODO - Add SHAKE OIDS when they are standardized */
+    int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);

-    };
-    size_t i;
-    int mdnid = NID_undef;
-
-    if (md == NULL)
-        goto end;
-
-    for (i = 0; i < OSSL_NELEM(name_to_nid); i++) {
-        if (EVP_MD_is_a(md, name_to_nid[i].ptr)) {
-            mdnid = (int)name_to_nid[i].id;
-            break;
-        }
-    }
-
-    if (mdnid == NID_undef)
-        ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST);
-
- end:
-    return mdnid;
+    return ossl_prov_digest_get_approved_nid(md, sha1_allowed);
 }

 static void free_md(PROV_ECDSA_CTX *ctx)
@ -226,7 +206,7 @@ static void free_md(PROV_ECDSA_CTX *ctx)
 }

 static int ecdsa_digest_signverify_init(void *vctx, const char *mdname,
-                                        void *ec)
+                                        void *ec, int operation)
 {
    PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
    int md_nid = NID_undef;
@ -237,11 +217,12 @@ static int ecdsa_digest_signverify_init(void *vctx, const char *mdname,

    free_md(ctx);

-    if (!ecdsa_signature_init(vctx, ec))
+    if (!ecdsa_signverify_init(vctx, ec, operation))
        return 0;

    ctx->md = EVP_MD_fetch(ctx->libctx, mdname, ctx->propq);
-    if ((md_nid = get_md_nid(ctx->md)) == NID_undef)
+    md_nid = get_md_nid(ctx, ctx->md);
+    if (md_nid == NID_undef)
        goto error;

    ctx->mdsize = EVP_MD_size(ctx->md);
@ -273,6 +254,16 @@ error:
    return 0;
 }

+static int ecdsa_digest_sign_init(void *vctx, const char *mdname, void *ec)
+{
+    return ecdsa_digest_signverify_init(vctx, mdname, ec, EVP_PKEY_OP_SIGN);
+}
+
+static int ecdsa_digest_verify_init(void *vctx, const char *mdname, void *ec)
+{
+    return ecdsa_digest_signverify_init(vctx, mdname, ec, EVP_PKEY_OP_VERIFY);
+}
+
 int ecdsa_digest_signverify_update(void *vctx, const unsigned char *data,
                                   size_t datalen)
 {
@ -521,18 +512,18 @@ static const OSSL_PARAM *ecdsa_settable_ctx_md_params(void *vctx)

 const OSSL_DISPATCH ecdsa_signature_functions[] = {
    { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))ecdsa_newctx },
-    { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))ecdsa_signature_init },
+    { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))ecdsa_sign_init },
    { OSSL_FUNC_SIGNATURE_SIGN, (void (*)(void))ecdsa_sign },
-    { OSSL_FUNC_SIGNATURE_VERIFY_INIT, (void (*)(void))ecdsa_signature_init },
+    { OSSL_FUNC_SIGNATURE_VERIFY_INIT, (void (*)(void))ecdsa_verify_init },
    { OSSL_FUNC_SIGNATURE_VERIFY, (void (*)(void))ecdsa_verify },
    { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT,
-      (void (*)(void))ecdsa_digest_signverify_init },
+      (void (*)(void))ecdsa_digest_sign_init },
    { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE,
      (void (*)(void))ecdsa_digest_signverify_update },
    { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL,
      (void (*)(void))ecdsa_digest_sign_final },
    { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT,
-      (void (*)(void))ecdsa_digest_signverify_init },
+      (void (*)(void))ecdsa_digest_verify_init },
    { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_UPDATE,
      (void (*)(void))ecdsa_digest_signverify_update },
    { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_FINAL,
--- a/test/evp_test.c
+++ b/test/evp_test.c
@ -1627,8 +1627,11 @@ static int pderive_test_parse(EVP_TEST *t,
        EVP_PKEY *peer;
        if (find_key(&peer, value, public_keys) == 0)
            return -1;
-        if (EVP_PKEY_derive_set_peer(kdata->ctx, peer) <= 0)
-            return -1;
+        if (EVP_PKEY_derive_set_peer(kdata->ctx, peer) <= 0) {
+            t->err = "DERIVE_SET_PEER_ERROR";
+            return 1;
+        }
+        t->err = NULL;
        return 1;
    }
    if (strcmp(keyword, "SharedSecret") == 0)
--- a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
+++ b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
@ -90,7 +90,6 @@ Ctrl = digest:SHA1
 Input = "0123456789ABCDEF1234"
 Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8

-
 Title = DigestSign and DigestVerify

 DigestVerify = SHA256
@ -108,3 +107,85 @@ OneShotDigestVerify = SHA256
 Key = P-256-PUBLIC
 Input = "Hello World"
 Output = 3046022100e7515177ec3817b77a4a94066ab3070817b7aa9d44a8a09f040da250116e8972022100ba59b0f631258e59a9026be5d84f60685f4cf22b9165a0c2736d5c21c8ec1862
+
+PrivateKey = P-256_NAMED_CURVE_EXPLICIT
+-----BEGIN PRIVATE KEY-----
+MIIBeQIBADCCAQMGByqGSM49AgEwgfcCAQEwLAYHKoZIzj0BAQIhAP////8AAAAB
+AAAAAAAAAAAAAAAA////////////////MFsEIP////8AAAABAAAAAAAAAAAAAAAA
+///////////////8BCBaxjXYqjqT57PrvVV2mIa8ZR0GsMxTsPY7zjw+J9JgSwMV
+AMSdNgiG5wSTamZ44ROdJreBn36QBEEEaxfR8uEsQkf4vOblY6RA8ncDfYEt6zOg
+9KE5RdiYwpZP40Li/hp/m47n60p8D54WK84zV2sxXs7LtkBoN79R9QIhAP////8A
+AAAA//////////+85vqtpxeehPO5ysL8YyVRAgEBBG0wawIBAQQgiUTxtr5vLVjj
+0BOXUa/4r82DJ30QoupYS/wlilW4gWehRANCAATM0n3q2UaDyaQ7OxzJM3B6prhW
+3ev1gTwRBduzqqlwd54AUSgI+pjttW8zrWNitO8H1sf59MPWOESKxNtZ1+Nl
+-----END PRIVATE KEY-----
+
+PrivateKey = EC_EXPLICIT
+-----BEGIN PRIVATE KEY-----
+MIIBeQIBADCCAQMGByqGSM49AgEwgfcCAQEwLAYHKoZIzj0BAQIhAP////8AAAAB
+AAAAAAAAAAAAAAAA////////////////MFsEIP////8AAAABAAAAAAAAAAAAAAAA
+///////////////8BCBaxjXYqjqT57PrvVV2mIa8ZR0GsMxTsPY7zjw+J9JgSwMV
+AMSdNgiG5wSTamZ44ROdJreBn36QBEEE5JcIvn36opqjEm/k59Al40rBAxWM2TPG
+l0L13Je51zHpfXQ9Z2o7IQicMXP4wSfJ0qCgg2bgydqoxlYrlLGuVQIhAP////8A
+AAAA//////////+85vqtpxeehPO5ysL8YyVRAgEBBG0wawIBAQQgec92jwduadCk
+OjoNRI+YT5Be5TkzZXzYCyTLkMOikDmhRANCAATtECEhQbLEaiUj/Wu0qjcr81lL
+46dx5zYgArz/iaSNJ3W80oO+F7v04jlQ7wxQzg96R0bwKiMeq5CcW9ZFt6xg
+-----END PRIVATE KEY-----
+
+PrivateKey = B-163
+-----BEGIN PRIVATE KEY-----
+MGMCAQAwEAYHKoZIzj0CAQYFK4EEAA8ETDBKAgEBBBUDnQW0mLiHVha/jqFznX/K
+DnVlDgChLgMsAAQB1qZ00fPIct+QN8skv1XIHtBNp3EGLytJV0tsAUTYtGhtrzRj
+e3GzYyg=
+-----END PRIVATE KEY-----
+
+PrivateKey = secp256k1
+-----BEGIN PRIVATE KEY-----
+MIGEAgEAMBAGByqGSM49AgEGBSuBBAAKBG0wawIBAQQgsLpFV9joHc0bisyV53XL
+mrG6/Gu6ZaHoXtKP/VFX44ehRANCAARLYWGgp5nP4N8guypLSbYGCVN6ZPCnWW4x
+srYkcpdbxr4neRT3zC62keCKgPbJf5SIHkJ2Tcaw6hVSrBOUFtix
+-----END PRIVATE KEY-----
+
+Title = FIPS tests
+
+# Test that a nist curve with < 112 bits is allowed in fips mode for verifying
+DigestVerify = SHA256
+Key = B-163
+Input = "Hello World"
+Output = 302e0215027bb891747468b4b59ca2a2bf8f42d29d08866cf5021502cc311b25e9a2168e42240b07a6071070f687eb3b
+
+# Test that a nist curve with SHA3 is allowed in fips mode
+# The sign will get a mismatch error since the output signature changes on each run 
+DigestSign = SHA3-512
+Key = P-256
+Input = "Hello World"
+Result = SIGNATURE_MISMATCH
+
+# Test that a explicit curve that is a named curve is allowed in fips mode
+DigestVerify = SHA256
+Key = P-256_NAMED_CURVE_EXPLICIT
+Input = "Hello World"
+Output = 30450220796fcf472882ed5779226dcd0217b9d2b9acfe4fa2fb0109c8ee63c63adc1033022100e306c69f7e31b9a5d54eb12ba813cddf4de4af933e4f6cea38a0817d9d831d91
+
+Title = FIPS Negative tests (using different curves and digests)
+
+# Test that a explicit curve is not allowed in fips mode
+Availablein = fips
+DigestVerify = SHA256
+Key = EC_EXPLICIT
+Input = "Hello World"
+Result = DIGESTVERIFYINIT_ERROR
+
+# Test that a curve with < 112 bits is not allowed in fips mode for signing
+Availablein = fips
+DigestSign = SHA3-512
+Key = B-163
+Input = "Hello World"
+Result = DIGESTSIGNINIT_ERROR
+
+# Test that a non nist curve is not allowed in fips mode
+Availablein = fips
+DigestSign = SHA3-512
+Key = secp256k1
+Input = "Hello World"
+Result = DIGESTSIGNINIT_ERROR
--- a/test/ssl-tests/20-cert-select.cnf
+++ b/test/ssl-tests/20-cert-select.cnf
@ -10,14 +10,14 @@ test-4 = 4-P-256 CipherString and Signature Algorithm Selection
 test-5 = 5-ECDSA CipherString Selection, no ECDSA certificate
 test-6 = 6-ECDSA Signature Algorithm Selection
 test-7 = 7-ECDSA Signature Algorithm Selection SHA384
-test-8 = 8-ECDSA Signature Algorithm Selection SHA1
-test-9 = 9-ECDSA Signature Algorithm Selection compressed point
-test-10 = 10-ECDSA Signature Algorithm Selection, no ECDSA certificate
-test-11 = 11-RSA Signature Algorithm Selection
-test-12 = 12-RSA-PSS Signature Algorithm Selection
-test-13 = 13-RSA key exchange with all RSA certificate types
-test-14 = 14-Suite B P-256 Hash Algorithm Selection
-test-15 = 15-Suite B P-384 Hash Algorithm Selection
+test-8 = 8-ECDSA Signature Algorithm Selection compressed point
+test-9 = 9-ECDSA Signature Algorithm Selection, no ECDSA certificate
+test-10 = 10-RSA Signature Algorithm Selection
+test-11 = 11-RSA-PSS Signature Algorithm Selection
+test-12 = 12-RSA key exchange with all RSA certificate types
+test-13 = 13-Suite B P-256 Hash Algorithm Selection
+test-14 = 14-Suite B P-384 Hash Algorithm Selection
+test-15 = 15-ECDSA Signature Algorithm Selection SHA1
 test-16 = 16-Ed25519 CipherString and Signature Algorithm Selection
 test-17 = 17-Ed448 CipherString and Signature Algorithm Selection
 test-18 = 18-ECDSA with brainpool
@ -319,48 +319,14 @@ ExpectedServerSignType = EC

 # ===========================================================

-[8-ECDSA Signature Algorithm Selection SHA1]
-ssl_conf = 8-ECDSA Signature Algorithm Selection SHA1-ssl
+[8-ECDSA Signature Algorithm Selection compressed point]
+ssl_conf = 8-ECDSA Signature Algorithm Selection compressed point-ssl

-[8-ECDSA Signature Algorithm Selection SHA1-ssl]
-server = 8-ECDSA Signature Algorithm Selection SHA1-server
-client = 8-ECDSA Signature Algorithm Selection SHA1-client
+[8-ECDSA Signature Algorithm Selection compressed point-ssl]
+server = 8-ECDSA Signature Algorithm Selection compressed point-server
+client = 8-ECDSA Signature Algorithm Selection compressed point-client

-[8-ECDSA Signature Algorithm Selection SHA1-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT:@SECLEVEL=0
-ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
-ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
-Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem
-Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem
-Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem
-Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
-MaxProtocol = TLSv1.2
-PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-
-[8-ECDSA Signature Algorithm Selection SHA1-client]
-CipherString = DEFAULT:@SECLEVEL=0
-SignatureAlgorithms = ECDSA+SHA1
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-VerifyMode = Peer
-
-[test-8]
-ExpectedResult = Success
-ExpectedServerCertType = P-256
-ExpectedServerSignHash = SHA1
-ExpectedServerSignType = EC
-
-
-# ===========================================================
-
-[9-ECDSA Signature Algorithm Selection compressed point]
-ssl_conf = 9-ECDSA Signature Algorithm Selection compressed point-ssl
-
-[9-ECDSA Signature Algorithm Selection compressed point-ssl]
-server = 9-ECDSA Signature Algorithm Selection compressed point-server
-client = 9-ECDSA Signature Algorithm Selection compressed point-client
-
-[9-ECDSA Signature Algorithm Selection compressed point-server]
+[8-ECDSA Signature Algorithm Selection compressed point-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-cecdsa-cert.pem
@ -368,13 +334,13 @@ ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-cecdsa-key.pem
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem

-[9-ECDSA Signature Algorithm Selection compressed point-client]
+[8-ECDSA Signature Algorithm Selection compressed point-client]
 CipherString = DEFAULT
 SignatureAlgorithms = ECDSA+SHA256
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer

-[test-9]
+[test-8]
 ExpectedResult = Success
 ExpectedServerCertType = P-256
 ExpectedServerSignHash = SHA256
@ -383,39 +349,39 @@ ExpectedServerSignType = EC

 # ===========================================================

-[10-ECDSA Signature Algorithm Selection, no ECDSA certificate]
-ssl_conf = 10-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl
+[9-ECDSA Signature Algorithm Selection, no ECDSA certificate]
+ssl_conf = 9-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl

-[10-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl]
-server = 10-ECDSA Signature Algorithm Selection, no ECDSA certificate-server
-client = 10-ECDSA Signature Algorithm Selection, no ECDSA certificate-client
+[9-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl]
+server = 9-ECDSA Signature Algorithm Selection, no ECDSA certificate-server
+client = 9-ECDSA Signature Algorithm Selection, no ECDSA certificate-client

-[10-ECDSA Signature Algorithm Selection, no ECDSA certificate-server]
+[9-ECDSA Signature Algorithm Selection, no ECDSA certificate-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem

-[10-ECDSA Signature Algorithm Selection, no ECDSA certificate-client]
+[9-ECDSA Signature Algorithm Selection, no ECDSA certificate-client]
 CipherString = DEFAULT
 SignatureAlgorithms = ECDSA+SHA256
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer

-[test-10]
+[test-9]
 ExpectedResult = ServerFail


 # ===========================================================

-[11-RSA Signature Algorithm Selection]
-ssl_conf = 11-RSA Signature Algorithm Selection-ssl
+[10-RSA Signature Algorithm Selection]
+ssl_conf = 10-RSA Signature Algorithm Selection-ssl

-[11-RSA Signature Algorithm Selection-ssl]
-server = 11-RSA Signature Algorithm Selection-server
-client = 11-RSA Signature Algorithm Selection-client
+[10-RSA Signature Algorithm Selection-ssl]
+server = 10-RSA Signature Algorithm Selection-server
+client = 10-RSA Signature Algorithm Selection-client

-[11-RSA Signature Algorithm Selection-server]
+[10-RSA Signature Algorithm Selection-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
@ -427,13 +393,13 @@ Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem

-[11-RSA Signature Algorithm Selection-client]
+[10-RSA Signature Algorithm Selection-client]
 CipherString = DEFAULT
 SignatureAlgorithms = RSA+SHA256
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer

-[test-11]
+[test-10]
 ExpectedResult = Success
 ExpectedServerCertType = RSA
 ExpectedServerSignHash = SHA256
@ -442,14 +408,14 @@ ExpectedServerSignType = RSA

 # ===========================================================

-[12-RSA-PSS Signature Algorithm Selection]
-ssl_conf = 12-RSA-PSS Signature Algorithm Selection-ssl
+[11-RSA-PSS Signature Algorithm Selection]
+ssl_conf = 11-RSA-PSS Signature Algorithm Selection-ssl

-[12-RSA-PSS Signature Algorithm Selection-ssl]
-server = 12-RSA-PSS Signature Algorithm Selection-server
-client = 12-RSA-PSS Signature Algorithm Selection-client
+[11-RSA-PSS Signature Algorithm Selection-ssl]
+server = 11-RSA-PSS Signature Algorithm Selection-server
+client = 11-RSA-PSS Signature Algorithm Selection-client

-[12-RSA-PSS Signature Algorithm Selection-server]
+[11-RSA-PSS Signature Algorithm Selection-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
@ -461,13 +427,13 @@ Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem

-[12-RSA-PSS Signature Algorithm Selection-client]
+[11-RSA-PSS Signature Algorithm Selection-client]
 CipherString = DEFAULT
 SignatureAlgorithms = RSA-PSS+SHA256
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer

-[test-12]
+[test-11]
 ExpectedResult = Success
 ExpectedServerCertType = RSA
 ExpectedServerSignHash = SHA256
@ -476,41 +442,41 @@ ExpectedServerSignType = RSA-PSS

 # ===========================================================

-[13-RSA key exchange with all RSA certificate types]
-ssl_conf = 13-RSA key exchange with all RSA certificate types-ssl
+[12-RSA key exchange with all RSA certificate types]
+ssl_conf = 12-RSA key exchange with all RSA certificate types-ssl

-[13-RSA key exchange with all RSA certificate types-ssl]
-server = 13-RSA key exchange with all RSA certificate types-server
-client = 13-RSA key exchange with all RSA certificate types-client
+[12-RSA key exchange with all RSA certificate types-ssl]
+server = 12-RSA key exchange with all RSA certificate types-server
+client = 12-RSA key exchange with all RSA certificate types-client

-[13-RSA key exchange with all RSA certificate types-server]
+[12-RSA key exchange with all RSA certificate types-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 PSS.Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem
 PSS.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem

-[13-RSA key exchange with all RSA certificate types-client]
+[12-RSA key exchange with all RSA certificate types-client]
 CipherString = kRSA
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer

-[test-13]
+[test-12]
 ExpectedResult = Success
 ExpectedServerCertType = RSA


 # ===========================================================

-[14-Suite B P-256 Hash Algorithm Selection]
-ssl_conf = 14-Suite B P-256 Hash Algorithm Selection-ssl
+[13-Suite B P-256 Hash Algorithm Selection]
+ssl_conf = 13-Suite B P-256 Hash Algorithm Selection-ssl

-[14-Suite B P-256 Hash Algorithm Selection-ssl]
-server = 14-Suite B P-256 Hash Algorithm Selection-server
-client = 14-Suite B P-256 Hash Algorithm Selection-client
+[13-Suite B P-256 Hash Algorithm Selection-ssl]
+server = 13-Suite B P-256 Hash Algorithm Selection-server
+client = 13-Suite B P-256 Hash Algorithm Selection-client

-[14-Suite B P-256 Hash Algorithm Selection-server]
+[13-Suite B P-256 Hash Algorithm Selection-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = SUITEB128
 ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/p256-server-cert.pem
@ -518,13 +484,13 @@ ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/p256-server-key.pem
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem

-[14-Suite B P-256 Hash Algorithm Selection-client]
+[13-Suite B P-256 Hash Algorithm Selection-client]
 CipherString = DEFAULT
 SignatureAlgorithms = ECDSA+SHA384:ECDSA+SHA256
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem
 VerifyMode = Peer

-[test-14]
+[test-13]
 ExpectedResult = Success
 ExpectedServerCertType = P-256
 ExpectedServerSignHash = SHA256
@ -533,14 +499,14 @@ ExpectedServerSignType = EC

 # ===========================================================

-[15-Suite B P-384 Hash Algorithm Selection]
-ssl_conf = 15-Suite B P-384 Hash Algorithm Selection-ssl
+[14-Suite B P-384 Hash Algorithm Selection]
+ssl_conf = 14-Suite B P-384 Hash Algorithm Selection-ssl

-[15-Suite B P-384 Hash Algorithm Selection-ssl]
-server = 15-Suite B P-384 Hash Algorithm Selection-server
-client = 15-Suite B P-384 Hash Algorithm Selection-client
+[14-Suite B P-384 Hash Algorithm Selection-ssl]
+server = 14-Suite B P-384 Hash Algorithm Selection-server
+client = 14-Suite B P-384 Hash Algorithm Selection-client

-[15-Suite B P-384 Hash Algorithm Selection-server]
+[14-Suite B P-384 Hash Algorithm Selection-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = SUITEB128
 ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/p384-server-cert.pem
@ -548,19 +514,53 @@ ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/p384-server-key.pem
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem

-[15-Suite B P-384 Hash Algorithm Selection-client]
+[14-Suite B P-384 Hash Algorithm Selection-client]
 CipherString = DEFAULT
 SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem
 VerifyMode = Peer

-[test-15]
+[test-14]
 ExpectedResult = Success
 ExpectedServerCertType = P-384
 ExpectedServerSignHash = SHA384
 ExpectedServerSignType = EC


+# ===========================================================
+
+[15-ECDSA Signature Algorithm Selection SHA1]
+ssl_conf = 15-ECDSA Signature Algorithm Selection SHA1-ssl
+
+[15-ECDSA Signature Algorithm Selection SHA1-ssl]
+server = 15-ECDSA Signature Algorithm Selection SHA1-server
+client = 15-ECDSA Signature Algorithm Selection SHA1-client
+
+[15-ECDSA Signature Algorithm Selection SHA1-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT:@SECLEVEL=0
+ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
+ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
+Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem
+Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem
+Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem
+Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
+MaxProtocol = TLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[15-ECDSA Signature Algorithm Selection SHA1-client]
+CipherString = DEFAULT:@SECLEVEL=0
+SignatureAlgorithms = ECDSA+SHA1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-15]
+ExpectedResult = Success
+ExpectedServerCertType = P-256
+ExpectedServerSignHash = SHA1
+ExpectedServerSignType = EC
+
+
 # ===========================================================

 [16-Ed25519 CipherString and Signature Algorithm Selection]
--- a/test/ssl-tests/20-cert-select.cnf.in
+++ b/test/ssl-tests/20-cert-select.cnf.in
@ -199,29 +199,6 @@ our @tests = (
            "ExpectedResult" => "Success"
        },
    },
-    {
-        name => "ECDSA Signature Algorithm Selection SHA1",
-        server => {
-            "CipherString" => "DEFAULT:\@SECLEVEL=0",
-            "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
-            "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
-            "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
-            "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
-            "Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
-            "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
-            "MaxProtocol" => "TLSv1.2"
-        },
-        client => {
-            "CipherString" => "DEFAULT:\@SECLEVEL=0",
-            "SignatureAlgorithms" => "ECDSA+SHA1",
-        },
-        test   => {
-            "ExpectedServerCertType" => "P-256",
-            "ExpectedServerSignHash" => "SHA1",
-            "ExpectedServerSignType" => "EC",
-            "ExpectedResult" => "Success"
-        },
-    },
    {
        name => "ECDSA Signature Algorithm Selection compressed point",
        server => {
@ -330,6 +307,29 @@ our @tests = (
 );

 my @tests_non_fips = (
+    {
+        name => "ECDSA Signature Algorithm Selection SHA1",
+        server => {
+            "CipherString" => "DEFAULT:\@SECLEVEL=0",
+            "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
+            "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
+            "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
+            "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
+            "Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
+            "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
+            "MaxProtocol" => "TLSv1.2"
+        },
+        client => {
+            "CipherString" => "DEFAULT:\@SECLEVEL=0",
+            "SignatureAlgorithms" => "ECDSA+SHA1",
+        },
+        test   => {
+            "ExpectedServerCertType" => "P-256",
+            "ExpectedServerSignHash" => "SHA1",
+            "ExpectedServerSignType" => "EC",
+            "ExpectedResult" => "Success"
+        },
+    },
    # TODO(3.0) No Ed25519/Ed448 in FIPS mode at the moment
    {
        name => "Ed25519 CipherString and Signature Algorithm Selection",