res, NULL);
#else
if (params->seed != NULL) {
- return ossl_ffc_params_FIPS186_4_validate(libctx, params, paramstype,
- res, NULL);
+ if (params->flags & FFC_PARAM_FLAG_VALIDATE_LEGACY)
+ return ossl_ffc_params_FIPS186_2_validate(libctx, params, paramstype,
+ res, NULL);
+ else
+ return ossl_ffc_params_FIPS186_4_validate(libctx, params, paramstype,
+ res, NULL);
} else {
int ret = 0;
=item "fips186_4"
-The current standard. This is the default value.
+The current standard.
=item "fips186_2"
=item "default"
-This is an alias to use the latest implemented standard.
-It is currently set to "fips186_4".
+This can choose one of "fips186_4" or "fips186_2" depending on other
+parameters set for parameter generation.
=back
#define DSA_PARAMGEN_TYPE_FIPS_186_4 0 /* Use FIPS186-4 standard */
#define DSA_PARAMGEN_TYPE_FIPS_186_2 1 /* Use legacy FIPS186-2 standard */
+#define DSA_PARAMGEN_TYPE_FIPS_DEFAULT 2
DSA *ossl_dsa_new(OSSL_LIB_CTX *libctx);
void ossl_dsa_set0_libctx(DSA *d, OSSL_LIB_CTX *libctx);
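Review bot: The new `DSA_PARAMGEN_TYPE_FIPS_DEFAULT` define is the only one of the three without a trailing comment, and its meaning is the least obvious of them. Judging by the provider hunk in this commit, it is a placeholder that is resolved to one of the other two values when generation runs. I would document that on the define, e.g. `/* Resolved to FIPS186-4 or FIPS186-2 at generation time */`.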
#ifdef FIPS_MODULE
{ "default", DSA_PARAMGEN_TYPE_FIPS_186_4 },
#else
- { "default", DSA_PARAMGEN_TYPE_FIPS_186_2 },
+ { "default", DSA_PARAMGEN_TYPE_FIPS_DEFAULT },
#endif
{ "fips186_4", DSA_PARAMGEN_TYPE_FIPS_186_4 },
{ "fips186_2", DSA_PARAMGEN_TYPE_FIPS_186_2 },
#ifdef FIPS_MODULE
gctx->gen_type = DSA_PARAMGEN_TYPE_FIPS_186_4;
#else
- gctx->gen_type = DSA_PARAMGEN_TYPE_FIPS_186_2;
+ gctx->gen_type = DSA_PARAMGEN_TYPE_FIPS_DEFAULT;
#endif
gctx->gindex = -1;
gctx->pcounter = -1;
if (dsa == NULL)
return NULL;
+ if (gctx->gen_type == DSA_PARAMGEN_TYPE_FIPS_DEFAULT)
+ gctx->gen_type = (gctx->pbits >= 2048 ? DSA_PARAMGEN_TYPE_FIPS_186_4 :
+ DSA_PARAMGEN_TYPE_FIPS_186_2);
+
gctx->cb = osslcb;
gctx->cbarg = cbarg;
gencb = BN_GENCB_new();
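Review bot: The resolution added before `gctx->cb = osslcb;` overwrites `gctx->gen_type`, so the context no longer records that the caller asked for "default". If the same generation context can be used again after `pbits` is changed, the second run would keep the standard picked for the first size instead of re-applying the `>= 2048` rule. Resolving into a local, e.g. `int gen_type = gctx->gen_type;` followed by the same conditional on `gen_type`, would avoid that. The rest of the function is outside the hunk, and its reads of `gctx->gen_type` would have to switch to the local. A comment such as `/* "default": FIPS186-4 for 2048 bits and above, legacy FIPS186-2 below */` would also make the silent fallback to the legacy standard visible.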
return ret;
}
+static int test_dsa_default_paramgen_validate(int i)
+{
+ int ret;
+ EVP_PKEY_CTX *gen_ctx = NULL;
+ EVP_PKEY_CTX *check_ctx = NULL;
+ EVP_PKEY *params = NULL;
+
+ ret = TEST_ptr(gen_ctx = EVP_PKEY_CTX_new_from_name(NULL, "DSA", NULL))
+ && TEST_int_gt(EVP_PKEY_paramgen_init(gen_ctx), 0)
+ && (i == 0
+ || TEST_true(EVP_PKEY_CTX_set_dsa_paramgen_bits(gen_ctx, 512)))
+ && TEST_int_gt(EVP_PKEY_gen(gen_ctx, ¶ms), 0)
+ && TEST_ptr(check_ctx = EVP_PKEY_CTX_new_from_pkey(NULL, params, NULL))
+ && TEST_int_gt(EVP_PKEY_param_check(check_ctx), 0);
+
+ EVP_PKEY_free(params);
+ EVP_PKEY_CTX_free(check_ctx);
+ EVP_PKEY_CTX_free(gen_ctx);
+ return ret;
+}
+
#endif /* OPENSSL_NO_DSA */
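Review bot: `test_dsa_default_paramgen_validate` only asserts that `EVP_PKEY_param_check` succeeds, so it never confirms which standard the "default" type resolved to and would still pass if the wrong one were chosen, as long as validation accepted the result. The two cases are also undocumented: `i == 0` leaves the bit length at the provider default, while `i == 1` sets 512 bits, which by the `>= 2048` rule elsewhere in this commit should take the legacy FIPS186-2 path. A comment above the function, e.g. `/* i == 0: default size; i == 1: 512 bits, exercising the FIPS186-2 fallback */`, would make the intent clear. An additional case with a size just below 2048 would cover the boundary of that rule more tightly than 512 does.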
int setup_tests(void)
#ifndef OPENSSL_NO_DSA
ADD_TEST(dsa_test);
ADD_TEST(dsa_keygen_test);
+ ADD_ALL_TESTS(test_dsa_default_paramgen_validate, 2);
#endif
return 1;
}