APPS: dsaparam, gendsa: Support setting properties

The -provider and -propquery options did not work on dsaparam and
gendsa. Fix this and add tests that check that operations that are not
supported by the FIPS provider work when run with

| -provider default -propquery '?fips!=yes'

See also https://bugzilla.redhat.com/show_bug.cgi?id=2094956, where this
was initially reported.

Signed-off-by: Clemens Lang <cllang@redhat.com>

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18576)
Clemens Lang 2022-06-15 12:50:07 +02:00 committed by Tomas Mraz
parent d965064882
commit 30b2c3592e
3 changed files with 49 additions and 4 deletions


@ -148,7 +148,7 @@ int dsaparam_main(int argc, char **argv)
if (out == NULL)
goto end;
ctx = EVP_PKEY_CTX_new_from_name(NULL, "DSA", NULL);
ctx = EVP_PKEY_CTX_new_from_name(app_get0_libctx(), "DSA", app_get0_propq());
if (ctx == NULL) {
BIO_printf(bio_err,
"Error, DSA parameter generation context allocation failed\n");
@ -206,7 +206,8 @@ int dsaparam_main(int argc, char **argv)
}
if (genkey) {
EVP_PKEY_CTX_free(ctx);
ctx = EVP_PKEY_CTX_new(params, NULL);
ctx = EVP_PKEY_CTX_new_from_pkey(app_get0_libctx(), params,
app_get0_propq());
if (ctx == NULL) {
BIO_printf(bio_err,
"Error, DSA key generation context allocation failed\n");
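Review bot: The error messages on the changed context-creation calls still describe an allocation failure (`DSA parameter generation context allocation failed`, `DSA key generation context allocation failed`, and `unable to create PKEY context` in the gendsa section). With `app_get0_libctx()` and `app_get0_propq()` now passed in, a NULL return more likely means that no loaded provider offers DSA under the requested property query. I would reword them along the lines of `"Error, DSA key generation context creation failed (check -provider/-propquery)\n"`, so that a user on a FIPS-configured host can tell a provider-selection problem from memory exhaustion. A one-line comment above each call, e.g. `/* Use the app libctx and propq so -provider/-propquery select the implementation */`, would also keep a later cleanup from reverting to the NULL arguments. dsaparam_main and gendsa_main both start and end outside the hunks shown, so whether the OpenSSL error queue is printed on the `end` path cannot be confirmed from here.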


@ -136,7 +136,7 @@ int gendsa_main(int argc, char **argv)
" Your key size is %d! Larger key size may behave not as expected.\n",
OPENSSL_DSA_MAX_MODULUS_BITS, EVP_PKEY_get_bits(pkey));
ctx = EVP_PKEY_CTX_new(pkey, NULL);
ctx = EVP_PKEY_CTX_new_from_pkey(app_get0_libctx(), pkey, app_get0_propq());
if (ctx == NULL) {
BIO_printf(bio_err, "unable to create PKEY context\n");
goto end;


@ -273,8 +273,9 @@ SKIP : {
my $testtext = '';
my $fips_param = $testtext_prefix.'.fips.param.pem';
my $nonfips_param = $testtext_prefix.'.nonfips.param.pem';
my $shortnonfips_param = $testtext_prefix.'.shortnonfips.param.pem';
plan tests => 8 + $tsignverify_count;
plan tests => 13 + $tsignverify_count;
$ENV{OPENSSL_CONF} = $defaultconf;
@ -306,6 +307,23 @@ SKIP : {
'-out', $testtext_prefix.'.fail.param.pem'])),
$testtext);
$testtext = $testtext_prefix.': '.
'Generate non-FIPS params using non-FIPS property query'.
' (dsaparam)';
ok(run(app(['openssl', 'dsaparam', '-provider', 'default',
'-propquery', '?fips!=yes',
'-out', $shortnonfips_param, '1024'])),
$testtext);
$testtext = $testtext_prefix.': '.
'Generate non-FIPS params using non-FIPS property query'.
' (genpkey)';
ok(run(app(['openssl', 'genpkey', '-provider', 'default',
'-propquery', '?fips!=yes',
'-genparam', '-algorithm', 'DSA',
'-pkeyopt', 'dsa_paramgen_bits:512'])),
$testtext);
$ENV{OPENSSL_CONF} = $defaultconf;
$testtext = $testtext_prefix.': '.
@ -339,6 +357,32 @@ SKIP : {
'-out', $testtext_prefix.'.fail.priv.pem'])),
$testtext);
$testtext = $testtext_prefix.': '.
'Generate a key with non-FIPS parameters using non-FIPS property'.
' query (dsaparam)';
ok(run(app(['openssl', 'dsaparam', '-provider', 'default',
'-propquery', '?fips!=yes',
'-noout', '-genkey', '1024'])),
$testtext);
$testtext = $testtext_prefix.': '.
'Generate a key with non-FIPS parameters using non-FIPS property'.
' query (gendsa)';
ok(run(app(['openssl', 'gendsa', '-provider', 'default',
'-propquery', '?fips!=yes',
$shortnonfips_param])),
$testtext);
$testtext = $testtext_prefix.': '.
'Generate a key with non-FIPS parameters using non-FIPS property'.
' query (genpkey)';
ok(run(app(['openssl', 'genpkey', '-provider', 'default',
'-propquery', '?fips!=yes',
'-paramfile', $nonfips_param,
'-pkeyopt', 'type:fips186_2',
'-out', $testtext_prefix.'.fail.priv.pem'])),
$testtext);
tsignverify($testtext_prefix, $fips_key, $fips_pub_key, $nonfips_key,
$nonfips_pub_key);
};
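Review bot: The last added genpkey test is expected to succeed but writes its key to `$testtext_prefix.'.fail.priv.pem'`, the same name the preceding test in that hunk uses. A distinct name such as `$testtext_prefix.'.nonfips.propq.priv.pem'` (constructed example) would keep a leftover file from being misread as output of a failing case. The new cases also assert only on exit status, so they prove the property query is honoured only if `OPENSSL_CONF` points at the FIPS configuration when they run, which the hunks do not show. A short comment above the first new test, e.g. `# 1024-bit and 512-bit DSA are chosen because the FIPS provider is expected to reject them`, would explain why the sizes are this small.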