diff options
| author | Shane Lontis <shane.lontis@oracle.com> | 2020-08-11 10:15:28 +1000 |
|---|---|---|
| committer | Shane Lontis <shane.lontis@oracle.com> | 2020-08-17 23:40:20 +1000 |
| commit | 38145fba0a5f6163743f007dd6c9ba1a1e07e4f4 (patch) | |
| tree | af3b5a8ae3d4e004bc6452a1ad3cc3ae96bb2941 /crypto/ffc | |
| parent | 6c4e2e52d87d61a6df3ddf5f67c7207387585d6c (diff) | |
Fix DSA/DH so that legacy keys can still be generated by the default provider
Fixes #12589
The 'type' parameter needed to be propagated to the ffc params during keygen,
so that the simple validation of params done during keygen can handle legacy keys for the default provider.
The fips provider ignores this change and only allows fips186-4 approved sizes.
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12623)
Diffstat (limited to 'crypto/ffc')
| -rw-r--r-- | crypto/ffc/ffc_params.c | 8 | ||||
| -rw-r--r-- | crypto/ffc/ffc_params_validate.c | 9 |
2 files changed, 15 insertions, 2 deletions
diff --git a/crypto/ffc/ffc_params.c b/crypto/ffc/ffc_params.c index d70aeea35b..ac767c0a1c 100644 --- a/crypto/ffc/ffc_params.c +++ b/crypto/ffc/ffc_params.c @@ -117,6 +117,14 @@ void ffc_params_set_flags(FFC_PARAMS *params, unsigned int flags) params->flags = flags; } +void ffc_params_enable_flags(FFC_PARAMS *params, unsigned int flags, int enable) +{ + if (enable) + params->flags |= flags; + else + params->flags &= ~flags; +} + int ffc_set_digest(FFC_PARAMS *params, const char *alg, const char *props) { params->mdname = alg; diff --git a/crypto/ffc/ffc_params_validate.c b/crypto/ffc/ffc_params_validate.c index 821ff3e88a..9221b13d17 100644 --- a/crypto/ffc/ffc_params_validate.c +++ b/crypto/ffc/ffc_params_validate.c @@ -66,7 +66,7 @@ int ffc_params_FIPS186_2_validate(OPENSSL_CTX *libctx, const FFC_PARAMS *params, { size_t L, N; - if (params->p == NULL || params->q == NULL) { + if (params == NULL || params->p == NULL || params->q == NULL) { *res = FFC_CHECK_INVALID_PQ; return FFC_PARAM_RET_STATUS_FAILED; } @@ -99,7 +99,12 @@ int ffc_params_simple_validate(OPENSSL_CTX *libctx, FFC_PARAMS *params, int type params->flags = FFC_PARAM_FLAG_VALIDATE_G; params->gindex = FFC_UNVERIFIABLE_GINDEX; - ret = ffc_params_FIPS186_4_validate(libctx, params, type, &res, NULL); +#ifndef FIPS_MODULE + if (save_flags & FFC_PARAM_FLAG_VALIDATE_LEGACY) + ret = ffc_params_FIPS186_2_validate(libctx, params, type, &res, NULL); + else +#endif + ret = ffc_params_FIPS186_4_validate(libctx, params, type, &res, NULL); params->flags = save_flags; params->gindex = save_gindex; return ret != FFC_PARAM_RET_STATUS_FAILED; |