authorClemens Lang <cllang@redhat.com>2022-06-15 12:50:07 +0200
committerTomas Mraz <tomas@openssl.org>2022-07-01 11:11:23 +0200
commit30b2c3592e8511b60d44f93eb657a1ecb3662c08 (patch)
treeea96b620e829bc78a4c4f5f304ebed84c97f5415
parentd9650648821aadabf2d9f3de321f344230b13a4a (diff)
APPS: dsaparam, gendsa: Support setting properties
The -provider and -propquery options did not work on dsaparam and gendsa. Fix this and add tests that check that operations that are not supported by the FIPS provider work when run with | -provider default -propquery '?fips!=yes' See also https://bugzilla.redhat.com/show_bug.cgi?id=2094956, where this was initially reported. Signed-off-by: Clemens Lang <cllang@redhat.com> Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18576)
-rw-r--r--apps/dsaparam.c5
-rw-r--r--apps/gendsa.c2
-rw-r--r--test/recipes/20-test_cli_fips.t46
3 files changed, 49 insertions, 4 deletions
diff --git a/apps/dsaparam.c b/apps/dsaparam.c
index 1bc48fa7da..54b4cd848b 100644
--- a/apps/dsaparam.c
+++ b/apps/dsaparam.c
@@ -148,7 +148,7 @@ int dsaparam_main(int argc, char **argv)
if (out == NULL)
goto end;
- ctx = EVP_PKEY_CTX_new_from_name(NULL, "DSA", NULL);
+ ctx = EVP_PKEY_CTX_new_from_name(app_get0_libctx(), "DSA", app_get0_propq());
if (ctx == NULL) {
BIO_printf(bio_err,
"Error, DSA parameter generation context allocation failed\n");
@@ -206,7 +206,8 @@ int dsaparam_main(int argc, char **argv)
}
if (genkey) {
EVP_PKEY_CTX_free(ctx);
- ctx = EVP_PKEY_CTX_new(params, NULL);
+ ctx = EVP_PKEY_CTX_new_from_pkey(app_get0_libctx(), params,
+ app_get0_propq());
if (ctx == NULL) {
BIO_printf(bio_err,
"Error, DSA key generation context allocation failed\n");
diff --git a/apps/gendsa.c b/apps/gendsa.c
index 807390542a..bd8aecedbd 100644
--- a/apps/gendsa.c
+++ b/apps/gendsa.c
@@ -136,7 +136,7 @@ int gendsa_main(int argc, char **argv)
" Your key size is %d! Larger key size may behave not as expected.\n",
OPENSSL_DSA_MAX_MODULUS_BITS, EVP_PKEY_get_bits(pkey));
- ctx = EVP_PKEY_CTX_new(pkey, NULL);
+ ctx = EVP_PKEY_CTX_new_from_pkey(app_get0_libctx(), pkey, app_get0_propq());
if (ctx == NULL) {
BIO_printf(bio_err, "unable to create PKEY context\n");
goto end;
diff --git a/test/recipes/20-test_cli_fips.t b/test/recipes/20-test_cli_fips.t
index f70de7e574..bb5660dc3c 100644
--- a/test/recipes/20-test_cli_fips.t
+++ b/test/recipes/20-test_cli_fips.t
@@ -273,8 +273,9 @@ SKIP : {
my $testtext = '';
my $fips_param = $testtext_prefix.'.fips.param.pem';
my $nonfips_param = $testtext_prefix.'.nonfips.param.pem';
+ my $shortnonfips_param = $testtext_prefix.'.shortnonfips.param.pem';
- plan tests => 8 + $tsignverify_count;
+ plan tests => 13 + $tsignverify_count;
$ENV{OPENSSL_CONF} = $defaultconf;
@@ -306,6 +307,23 @@ SKIP : {
'-out', $testtext_prefix.'.fail.param.pem'])),
$testtext);
+ $testtext = $testtext_prefix.': '.
+ 'Generate non-FIPS params using non-FIPS property query'.
+ ' (dsaparam)';
+ ok(run(app(['openssl', 'dsaparam', '-provider', 'default',
+ '-propquery', '?fips!=yes',
+ '-out', $shortnonfips_param, '1024'])),
+ $testtext);
+
+ $testtext = $testtext_prefix.': '.
+ 'Generate non-FIPS params using non-FIPS property query'.
+ ' (genpkey)';
+ ok(run(app(['openssl', 'genpkey', '-provider', 'default',
+ '-propquery', '?fips!=yes',
+ '-genparam', '-algorithm', 'DSA',
+ '-pkeyopt', 'dsa_paramgen_bits:512'])),
+ $testtext);
+
$ENV{OPENSSL_CONF} = $defaultconf;
$testtext = $testtext_prefix.': '.
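Review bot: The added genpkey test passes no `-out`, so the generated DSA parameters presumably land on the test's stdout, unlike the dsaparam test just above it, which writes to `$shortnonfips_param`. Giving it an `-out` argument with its own file under `$testtext_prefix` would keep the log clean. The sizes `1024` and `dsa_paramgen_bits:512` look chosen because the FIPS provider is expected to refuse them, which is what makes a passing result show that the property query took effect. A comment such as `# sizes below what the FIPS provider accepts: success means the default provider served the request` would stop a later edit from raising them to 2048 and silently hollowing out the test. The SKIP block starts and ends outside the hunk.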
@@ -339,6 +357,32 @@ SKIP : {
'-out', $testtext_prefix.'.fail.priv.pem'])),
$testtext);
+ $testtext = $testtext_prefix.': '.
+ 'Generate a key with non-FIPS parameters using non-FIPS property'.
+ ' query (dsaparam)';
+ ok(run(app(['openssl', 'dsaparam', '-provider', 'default',
+ '-propquery', '?fips!=yes',
+ '-noout', '-genkey', '1024'])),
+ $testtext);
+
+ $testtext = $testtext_prefix.': '.
+ 'Generate a key with non-FIPS parameters using non-FIPS property'.
+ ' query (gendsa)';
+ ok(run(app(['openssl', 'gendsa', '-provider', 'default',
+ '-propquery', '?fips!=yes',
+ $shortnonfips_param])),
+ $testtext);
+
+ $testtext = $testtext_prefix.': '.
+ 'Generate a key with non-FIPS parameters using non-FIPS property'.
+ ' query (genpkey)';
+ ok(run(app(['openssl', 'genpkey', '-provider', 'default',
+ '-propquery', '?fips!=yes',
+ '-paramfile', $nonfips_param,
+ '-pkeyopt', 'type:fips186_2',
+ '-out', $testtext_prefix.'.fail.priv.pem'])),
+ $testtext);
+
tsignverify($testtext_prefix, $fips_key, $fips_pub_key, $nonfips_key,
$nonfips_pub_key);
};
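Review bot: The last added genpkey test is expected to succeed but writes to `$testtext_prefix.'.fail.priv.pem'`, the same path the should-fail test directly above it uses. A distinct name, for example `$testtext_prefix.'.nonfips.propq.priv.pem'` (constructed name), keeps a leftover key file attributable to one test. The gendsa test reads `$shortnonfips_param`, which exists only if the dsaparam test in the previous hunk succeeded, so one failure there is reported twice; a short comment naming that dependency would help whoever triages it. The `dsaparam -genkey` and `gendsa` invocations carry no `-out`, so the private keys they generate presumably go to the test's stdout.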