author | Clemens Lang <cllang@redhat.com> | 2022-06-15 12:50:07 +0200 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2022-07-01 11:12:12 +0200 |
commit | a7faa8ee677a25331fbe2def6b78cc39323cad4a (patch) | |
tree | ea150a5fedaf1ae73024567943a37ac3f308d904 | |
parent | 610029c28b7532a69c30ff311c95ddbbdcfaf3fe (diff) |
APPS: dsaparam, gendsa: Support setting properties
The -provider and -propquery options did not work on dsaparam and
gendsa. Fix this and add tests that check that operations that are not
supported by the FIPS provider work when run with
| -provider default -propquery '?fips!=yes'
See also https://bugzilla.redhat.com/show_bug.cgi?id=2094956, where this
was initially reported.
Signed-off-by: Clemens Lang <cllang@redhat.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18576)
(cherry picked from commit 30b2c3592e8511b60d44f93eb657a1ecb3662c08)
-rw-r--r-- | apps/dsaparam.c | 5 | ||||
-rw-r--r-- | apps/gendsa.c | 2 | ||||
-rw-r--r-- | test/recipes/20-test_cli_fips.t | 46 |
3 files changed, 49 insertions, 4 deletions
diff --git a/apps/dsaparam.c b/apps/dsaparam.c index a34ca235c6..b5555282be 100644 --- a/apps/dsaparam.c +++ b/apps/dsaparam.c @@ -147,7 +147,7 @@ int dsaparam_main(int argc, char **argv) if (out == NULL) goto end; - ctx = EVP_PKEY_CTX_new_from_name(NULL, "DSA", NULL); + ctx = EVP_PKEY_CTX_new_from_name(app_get0_libctx(), "DSA", app_get0_propq()); if (ctx == NULL) { BIO_printf(bio_err, "Error, DSA parameter generation context allocation failed\n"); @@ -205,7 +205,8 @@ int dsaparam_main(int argc, char **argv) } if (genkey) { EVP_PKEY_CTX_free(ctx); - ctx = EVP_PKEY_CTX_new(params, NULL); + ctx = EVP_PKEY_CTX_new_from_pkey(app_get0_libctx(), params, + app_get0_propq()); if (ctx == NULL) { BIO_printf(bio_err, "Error, DSA key generation context allocation failed\n"); diff --git a/apps/gendsa.c b/apps/gendsa.c index e5c9bc22ad..2b46e66045 100644 --- a/apps/gendsa.c +++ b/apps/gendsa.c @@ -134,7 +134,7 @@ int gendsa_main(int argc, char **argv) " Your key size is %d! Larger key size may behave not as expected.\n", OPENSSL_DSA_MAX_MODULUS_BITS, EVP_PKEY_get_bits(pkey)); - ctx = EVP_PKEY_CTX_new(pkey, NULL); + ctx = EVP_PKEY_CTX_new_from_pkey(app_get0_libctx(), pkey, app_get0_propq()); if (ctx == NULL) { BIO_printf(bio_err, "unable to create PKEY context\n"); goto end; diff --git a/test/recipes/20-test_cli_fips.t b/test/recipes/20-test_cli_fips.t index f70de7e574..bb5660dc3c 100644 --- a/test/recipes/20-test_cli_fips.t +++ b/test/recipes/20-test_cli_fips.t @@ -273,8 +273,9 @@ SKIP : { my $testtext = ''; my $fips_param = $testtext_prefix.'.fips.param.pem'; my $nonfips_param = $testtext_prefix.'.nonfips.param.pem'; + my $shortnonfips_param = $testtext_prefix.'.shortnonfips.param.pem'; - plan tests => 8 + $tsignverify_count; + plan tests => 13 + $tsignverify_count; $ENV{OPENSSL_CONF} = $defaultconf; 
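Review bot: The `ctx == NULL` branch after the changed call in the first dsaparam.c hunk still prints "DSA parameter generation context allocation failed", which no longer covers the likely cause. With `app_get0_propq()` passed in, a NULL return can presumably also mean that no loaded provider offers DSA under the user's `-propquery`. The same applies to "DSA key generation context allocation failed" in the second hunk and to "unable to create PKEY context" in apps/gendsa.c. Wording such as `"Error, unable to create DSA parameter generation context (check -provider/-propquery)\n"` would point the user at the option they just set. Both functions continue outside the hunks, so whether the error queue is printed at `end:` is not visible here.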
@@ -306,6 +307,23 @@ SKIP : { '-out', $testtext_prefix.'.fail.param.pem'])), $testtext); + $testtext = $testtext_prefix.': '. + 'Generate non-FIPS params using non-FIPS property query'. + ' (dsaparam)'; + ok(run(app(['openssl', 'dsaparam', '-provider', 'default', + '-propquery', '?fips!=yes', + '-out', $shortnonfips_param, '1024'])), + $testtext); + + $testtext = $testtext_prefix.': '. + 'Generate non-FIPS params using non-FIPS property query'. + ' (genpkey)'; + ok(run(app(['openssl', 'genpkey', '-provider', 'default', + '-propquery', '?fips!=yes', + '-genparam', '-algorithm', 'DSA', + '-pkeyopt', 'dsa_paramgen_bits:512'])), + $testtext); + $ENV{OPENSSL_CONF} = $defaultconf; $testtext = $testtext_prefix.': '. @@ -339,6 +357,32 @@ SKIP : { '-out', $testtext_prefix.'.fail.priv.pem'])), $testtext); + $testtext = $testtext_prefix.': '. + 'Generate a key with non-FIPS parameters using non-FIPS property'. + ' query (dsaparam)'; + ok(run(app(['openssl', 'dsaparam', '-provider', 'default', + '-propquery', '?fips!=yes', + '-noout', '-genkey', '1024'])), + $testtext); + + $testtext = $testtext_prefix.': '. + 'Generate a key with non-FIPS parameters using non-FIPS property'. + ' query (gendsa)'; + ok(run(app(['openssl', 'gendsa', '-provider', 'default', + '-propquery', '?fips!=yes', + $shortnonfips_param])), + $testtext); + + $testtext = $testtext_prefix.': '. + 'Generate a key with non-FIPS parameters using non-FIPS property'. + ' query (genpkey)'; + ok(run(app(['openssl', 'genpkey', '-provider', 'default', + '-propquery', '?fips!=yes', + '-paramfile', $nonfips_param, + '-pkeyopt', 'type:fips186_2', + '-out', $testtext_prefix.'.fail.priv.pem'])), + $testtext); + tsignverify($testtext_prefix, $fips_key, $fips_pub_key, $nonfips_key, $nonfips_pub_key); }; |
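Review bot: The two added parameter-generation tests use 1024-bit and 512-bit DSA without a comment saying the sizes are deliberate. Per the commit message these must be operations the FIPS provider does not support, so a later edit that raises them to 2048 would probably let the tests pass even if `-propquery` were ignored. A comment above the first case, such as `# 1024/512-bit DSA is deliberately outside what the FIPS provider accepts; test-only sizes`, would protect that intent. The genpkey case also has no `-out`, so the generated parameters appear to go to stdout in the test log; adding `'-out', $testtext_prefix.'.shortnonfips.genpkey.param.pem'` (constructed name) would match the dsaparam case. The enclosing SKIP block starts and ends outside this hunk.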
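Review bot: The added genpkey key-generation test is asserted with `ok(run(...))` yet writes to `$testtext_prefix.'.fail.priv.pem'`, the same path used by the context line just above the additions in the `@@ -339,6 +357,32 @@` hunk. A leftover file from one case can then be mistaken for the other's output when debugging; a distinct name such as `'-out', $testtext_prefix.'.nonfips.propq.priv.pem'` (constructed name) would avoid that. The gendsa case also reads `$shortnonfips_param`, which is only written by the dsaparam test added in the previous hunk, so a failure there makes this one fail for an unrelated reason. A comment such as `# needs $shortnonfips_param from the dsaparam paramgen test above` would make the dependency explicit. The SKIP block continues outside the hunk.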