Add fix for RSA keygen in FIPS using keysizes 2048 < bits < 3072

Fixes #11863 Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12162)
author: Shane Lontis <shane.lontis@oracle.com> 2020-06-16 13:04:57 +1000
committer: Shane Lontis <shane.lontis@oracle.com> 2020-08-12 09:25:49 +1000
commit: 7c9a7cf12715ac3e906b8d55466f19285fc59e78 (patch)
tree: 908ad763b756ba550f6a3a465017306933f4f589 /apps/genpkey.c
parent: 1017ab21e478b18dd2d9266955dee7e418932a3c (diff)
1 files changed, 38 insertions, 19 deletions
diff --git a/apps/genpkey.c b/apps/genpkey.c
index 389f0e620c..9da5b556e8 100644
--- a/apps/genpkey.c
+++ b/apps/genpkey.c
@@ -21,13 +21,15 @@
 # include <openssl/engine.h>
 #endif
 
-static int init_keygen_file(EVP_PKEY_CTX **pctx, const char *file, ENGINE *e);
+static int init_keygen_file(EVP_PKEY_CTX **pctx, const char *file, ENGINE *e,
+                            OPENSSL_CTX *libctx, const char *propq);
 static int genpkey_cb(EVP_PKEY_CTX *ctx);
 
 typedef enum OPTION_choice {
     OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
     OPT_ENGINE, OPT_OUTFORM, OPT_OUT, OPT_PASS, OPT_PARAMFILE,
     OPT_ALGORITHM, OPT_PKEYOPT, OPT_GENPARAM, OPT_TEXT, OPT_CIPHER,
+    OPT_CONFIG,
     OPT_PROV_ENUM
 } OPTION_CHOICE;
 
@@ -41,6 +43,7 @@ const OPTIONS genpkey_options[] = {
     {"algorithm", OPT_ALGORITHM, 's', "The public key algorithm"},
     {"pkeyopt", OPT_PKEYOPT, 's',
      "Set the public key algorithm option as opt:value"},
+     OPT_CONFIG_OPTION,
 
     OPT_SECTION("Output"),
     {"out", OPT_OUT, '>', "Output file"},
@@ -60,6 +63,7 @@ const OPTIONS genpkey_options[] = {
 
 int genpkey_main(int argc, char **argv)
 {
+    CONF *conf = NULL;
     BIO *in = NULL, *out = NULL;
     ENGINE *e = NULL;
     EVP_PKEY *pkey = NULL;
@@ -69,6 +73,8 @@ int genpkey_main(int argc, char **argv)
     OPTION_CHOICE o;
     int outformat = FORMAT_PEM, text = 0, ret = 1, rv, do_param = 0;
     int private = 0;
+    OPENSSL_CTX *libctx = app_get0_libctx();
+    const char *propq = app_get0_propq();
 
     prog = opt_init(argc, argv, genpkey_options);
     while ((o = opt_next()) != OPT_EOF) {
@@ -98,11 +104,11 @@ int genpkey_main(int argc, char **argv)
         case OPT_PARAMFILE:
             if (do_param == 1)
                 goto opthelp;
-            if (!init_keygen_file(&ctx, opt_arg(), e))
+            if (!init_keygen_file(&ctx, opt_arg(), e, libctx, propq))
                 goto end;
             break;
         case OPT_ALGORITHM:
-            if (!init_gen_str(&ctx, opt_arg(), e, do_param))
+            if (!init_gen_str(&ctx, opt_arg(), e, do_param, libctx, propq))
                 goto end;
             break;
         case OPT_PKEYOPT:
@@ -138,6 +144,11 @@ int genpkey_main(int argc, char **argv)
                 goto end;
             }
             break;
+        case OPT_CONFIG:
+            conf = app_load_config_modules(opt_arg());
+            if (conf == NULL)
+                goto end;
+            break;
         case OPT_PROV_CASES:
             if (!opt_provider(o))
                 goto end;
@@ -220,10 +231,12 @@ int genpkey_main(int argc, char **argv)
     BIO_free(in);
     release_engine(e);
     OPENSSL_free(pass);
+    NCONF_free(conf);
     return ret;
 }
 
-static int init_keygen_file(EVP_PKEY_CTX **pctx, const char *file, ENGINE *e)
+static int init_keygen_file(EVP_PKEY_CTX **pctx, const char *file, ENGINE *e,
+                            OPENSSL_CTX *libctx, const char *propq)
 {
     BIO *pbio;
     EVP_PKEY *pkey = NULL;
@@ -247,7 +260,10 @@ static int init_keygen_file(EVP_PKEY_CTX **pctx, const char *file, ENGINE *e)
         return 0;
     }
 
-    ctx = EVP_PKEY_CTX_new(pkey, e);
+    if (e != NULL)
+        ctx = EVP_PKEY_CTX_new(pkey, e);
+    else
+        ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, propq);
     if (ctx == NULL)
         goto err;
     if (EVP_PKEY_keygen_init(ctx) <= 0)
@@ -266,7 +282,8 @@ static int init_keygen_file(EVP_PKEY_CTX **pctx, const char *file, ENGINE *e)
 }
 
 int init_gen_str(EVP_PKEY_CTX **pctx,
-                 const char *algname, ENGINE *e, int do_param)
+                 const char *algname, ENGINE *e, int do_param,
+                 OPENSSL_CTX *libctx, const char *propq)
 {
     EVP_PKEY_CTX *ctx = NULL;
     const EVP_PKEY_ASN1_METHOD *ameth;
@@ -278,25 +295,27 @@ int init_gen_str(EVP_PKEY_CTX **pctx,
         return 0;
     }
 
-    ameth = EVP_PKEY_asn1_find_str(&tmpeng, algname, -1);
+    if (libctx == NULL || e != NULL) {
+        ameth = EVP_PKEY_asn1_find_str(&tmpeng, algname, -1);
 
 #if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DEPRECATED_3_0)
-    if (!ameth && e)
-        ameth = ENGINE_get_pkey_asn1_meth_str(e, algname, -1);
+        if (ameth == NULL && e != NULL)
+            ameth = ENGINE_get_pkey_asn1_meth_str(e, algname, -1);
 #endif
+        if (ameth == NULL) {
+            BIO_printf(bio_err, "Algorithm %s not found\n", algname);
+            return 0;
+        }
+        ERR_clear_error();
 
-    if (!ameth) {
-        BIO_printf(bio_err, "Algorithm %s not found\n", algname);
-        return 0;
-    }
-
-    ERR_clear_error();
-
-    EVP_PKEY_asn1_get0_info(&pkey_id, NULL, NULL, NULL, NULL, ameth);
+        EVP_PKEY_asn1_get0_info(&pkey_id, NULL, NULL, NULL, NULL, ameth);
 #if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DEPRECATED_3_0)
-    ENGINE_finish(tmpeng);
+        ENGINE_finish(tmpeng);
 #endif
-    ctx = EVP_PKEY_CTX_new_id(pkey_id, e);
+        ctx = EVP_PKEY_CTX_new_id(pkey_id, e);
+    } else {
+        ctx = EVP_PKEY_CTX_new_from_name(libctx, algname, propq);
+    }
 
     if (!ctx)
         goto err;
author	Shane Lontis <shane.lontis@oracle.com>	2020-06-16 13:04:57 +1000
committer	Shane Lontis <shane.lontis@oracle.com>	2020-08-12 09:25:49 +1000
commit	7c9a7cf12715ac3e906b8d55466f19285fc59e78 (patch)
tree	908ad763b756ba550f6a3a465017306933f4f589 /apps/genpkey.c
parent	1017ab21e478b18dd2d9266955dee7e418932a3c (diff)