diff options
| -rw-r--r-- | crypto/ffc/ffc_params.c | 8 | ||||
| -rw-r--r-- | crypto/ffc/ffc_params_validate.c | 9 | ||||
| -rw-r--r-- | include/internal/ffc.h | 6 | ||||
| -rw-r--r-- | providers/implementations/keymgmt/dh_kmgmt.c | 2 | ||||
| -rw-r--r-- | providers/implementations/keymgmt/dsa_kmgmt.c | 2 | ||||
| -rw-r--r-- | test/recipes/15-test_gendsa.t | 15 |
6 files changed, 37 insertions, 5 deletions
diff --git a/crypto/ffc/ffc_params.c b/crypto/ffc/ffc_params.c index d70aeea35b..ac767c0a1c 100644 --- a/crypto/ffc/ffc_params.c +++ b/crypto/ffc/ffc_params.c @@ -117,6 +117,14 @@ void ffc_params_set_flags(FFC_PARAMS *params, unsigned int flags) params->flags = flags; } +void ffc_params_enable_flags(FFC_PARAMS *params, unsigned int flags, int enable) +{ + if (enable) + params->flags |= flags; + else + params->flags &= ~flags; +} + int ffc_set_digest(FFC_PARAMS *params, const char *alg, const char *props) { params->mdname = alg; diff --git a/crypto/ffc/ffc_params_validate.c b/crypto/ffc/ffc_params_validate.c index 821ff3e88a..9221b13d17 100644 --- a/crypto/ffc/ffc_params_validate.c +++ b/crypto/ffc/ffc_params_validate.c @@ -66,7 +66,7 @@ int ffc_params_FIPS186_2_validate(OPENSSL_CTX *libctx, const FFC_PARAMS *params, { size_t L, N; - if (params->p == NULL || params->q == NULL) { + if (params == NULL || params->p == NULL || params->q == NULL) { *res = FFC_CHECK_INVALID_PQ; return FFC_PARAM_RET_STATUS_FAILED; } @@ -99,7 +99,12 @@ int ffc_params_simple_validate(OPENSSL_CTX *libctx, FFC_PARAMS *params, int type params->flags = FFC_PARAM_FLAG_VALIDATE_G; params->gindex = FFC_UNVERIFIABLE_GINDEX; - ret = ffc_params_FIPS186_4_validate(libctx, params, type, &res, NULL); +#ifndef FIPS_MODULE + if (save_flags & FFC_PARAM_FLAG_VALIDATE_LEGACY) + ret = ffc_params_FIPS186_2_validate(libctx, params, type, &res, NULL); + else +#endif + ret = ffc_params_FIPS186_4_validate(libctx, params, type, &res, NULL); params->flags = save_flags; params->gindex = save_gindex; return ret != FFC_PARAM_RET_STATUS_FAILED; diff --git a/include/internal/ffc.h b/include/internal/ffc.h index b352b8d345..3a4dcc9dcb 100644 --- a/include/internal/ffc.h +++ b/include/internal/ffc.h @@ -39,10 +39,11 @@ #define FFC_PARAM_RET_STATUS_UNVERIFIABLE_G 2 /* Validation flags */ -# define FFC_PARAM_FLAG_VALIDATE_PQ 0x01 -# define FFC_PARAM_FLAG_VALIDATE_G 0x02 +# define FFC_PARAM_FLAG_VALIDATE_PQ 0x01 +# define FFC_PARAM_FLAG_VALIDATE_G 0x02 # define FFC_PARAM_FLAG_VALIDATE_ALL \ (FFC_PARAM_FLAG_VALIDATE_PQ | FFC_PARAM_FLAG_VALIDATE_G) +#define FFC_PARAM_FLAG_VALIDATE_LEGACY 0x04 /* * NB: These values must align with the equivalently named macros in @@ -124,6 +125,7 @@ void ffc_params_set_gindex(FFC_PARAMS *params, int index); void ffc_params_set_pcounter(FFC_PARAMS *params, int index); void ffc_params_set_h(FFC_PARAMS *params, int index); void ffc_params_set_flags(FFC_PARAMS *params, unsigned int flags); +void ffc_params_enable_flags(FFC_PARAMS *params, unsigned int flags, int enable); int ffc_set_digest(FFC_PARAMS *params, const char *alg, const char *props); int ffc_params_set_validate_params(FFC_PARAMS *params, diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c index 0ea6ce7784..002cdec1f9 100644 --- a/providers/implementations/keymgmt/dh_kmgmt.c +++ b/providers/implementations/keymgmt/dh_kmgmt.c @@ -653,6 +653,8 @@ static void *dh_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg) goto end; if (gctx->priv_len > 0) DH_set_length(dh, (long)gctx->priv_len); + ffc_params_enable_flags(ffc, FFC_PARAM_FLAG_VALIDATE_LEGACY, + gctx->gen_type == DH_PARAMGEN_TYPE_FIPS_186_2); if (DH_generate_key(dh) <= 0) goto end; } diff --git a/providers/implementations/keymgmt/dsa_kmgmt.c b/providers/implementations/keymgmt/dsa_kmgmt.c index d9c6007650..855fa18c38 100644 --- a/providers/implementations/keymgmt/dsa_kmgmt.c +++ b/providers/implementations/keymgmt/dsa_kmgmt.c @@ -529,6 +529,8 @@ static void *dsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg) gencb) <= 0) goto end; } + ffc_params_enable_flags(ffc, FFC_PARAM_FLAG_VALIDATE_LEGACY, + gctx->gen_type == DSA_PARAMGEN_TYPE_FIPS_186_2); if ((gctx->selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) { if (ffc->p == NULL || ffc->q == NULL diff --git a/test/recipes/15-test_gendsa.t b/test/recipes/15-test_gendsa.t index 4344cde95c..4dc387cac5 100644 --- a/test/recipes/15-test_gendsa.t +++ b/test/recipes/15-test_gendsa.t @@ -19,7 +19,7 @@ setup("test_gendsa"); plan skip_all => "This test is unsupported in a no-dsa build" if disabled("dsa"); -plan tests => 8; +plan tests => 10; ok(run(app([ 'openssl', 'genpkey', '-genparam', '-algorithm', 'DSA', @@ -40,6 +40,13 @@ ok(run(app([ 'openssl', 'genpkey', '-genparam', '-text'])), "genpkey DSA params fips186_2"); +ok(run(app([ 'openssl', 'genpkey', '-genparam', + '-algorithm', 'DSA', + '-pkeyopt', 'type:fips186_2', + '-pkeyopt', 'dsa_paramgen_bits:1024', + '-out', 'dsagen.legacy.pem'])), + "genpkey DSA params fips186_2 PEM"); + ok(!run(app([ 'openssl', 'genpkey', '-algorithm', 'DSA', '-pkeyopt', 'type:group', '-text'])), @@ -62,6 +69,12 @@ ok(run(app([ 'openssl', 'genpkey', '-genparam', '-out', 'dsagen.der'])), "genpkey DSA params fips186_4 DER"); +ok(run(app([ 'openssl', 'genpkey', + '-paramfile', 'dsagen.legacy.pem', + '-pkeyopt', 'type:fips186_2', + '-text'])), + "genpkey DSA fips186_2 with PEM params"); + # The seed and counter should be the ones generated from the param generation # Just put some dummy ones in to show it works. ok(run(app([ 'openssl', 'genpkey', |