diff options
| author | Shane Lontis <shane.lontis@oracle.com> | 2021-03-11 13:36:27 +1000 |
|---|---|---|
| committer | Shane Lontis <shane.lontis@oracle.com> | 2021-03-15 09:01:51 +1000 |
| commit | 3a37ddde911fe735c73121a8a561451cc719fc91 (patch) | |
| tree | 36c5f038fa4efbf166358a48e465744bd3c965ca /crypto/ffc | |
| parent | 91bd45eb9ac26daf87abc2c21cb03143a745a420 (diff) | |
Fix DSA EVP_PKEY_param_check() when defaults are used for param generation.
Fixes #14480
An internal flag that is set during param gen was not being tested, so
the wrong type was used to select the dsa domain param validation method.
In the default provider - if no gen_type is set then by default the fips186_4 gentype
will be selected when pbits >=2048 otherwise it selects fips186_2.
The fips provider ignores the gen_type and always uses fips186_4.
Before this change dsa used fips186_2 by default in the default
provider.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14508)
Diffstat (limited to 'crypto/ffc')
| -rw-r--r-- | crypto/ffc/ffc_params_validate.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/crypto/ffc/ffc_params_validate.c b/crypto/ffc/ffc_params_validate.c index 0abbad2801..c1b4cf05d2 100644 --- a/crypto/ffc/ffc_params_validate.c +++ b/crypto/ffc/ffc_params_validate.c @@ -152,8 +152,12 @@ int ossl_ffc_params_full_validate(OSSL_LIB_CTX *libctx, const FFC_PARAMS *params res, NULL); #else if (params->seed != NULL) { - return ossl_ffc_params_FIPS186_4_validate(libctx, params, paramstype, - res, NULL); + if (params->flags & FFC_PARAM_FLAG_VALIDATE_LEGACY) + return ossl_ffc_params_FIPS186_2_validate(libctx, params, paramstype, + res, NULL); + else + return ossl_ffc_params_FIPS186_4_validate(libctx, params, paramstype, + res, NULL); } else { int ret = 0; |