# include <openssl/dsa.h>
# include "internal/ffc.h"
+/*
+ * DSA Paramgen types
+ * Note, adding to this list requires adjustments to various checks
+ * in dsa_gen range validation checks
+ */
#define DSA_PARAMGEN_TYPE_FIPS_186_4 0 /* Use FIPS186-4 standard */
#define DSA_PARAMGEN_TYPE_FIPS_186_2 1 /* Use legacy FIPS186-2 standard */
#define DSA_PARAMGEN_TYPE_FIPS_DEFAULT 2
#include <stdlib.h>
-/* DH parameter generation types used by EVP_PKEY_CTX_set_dh_paramgen_type() */
+/*
+ * DH parameter generation types used by EVP_PKEY_CTX_set_dh_paramgen_type()
+ * Note that additions/changes to this set of values requires corresponding
+ * adjustments to range checks in dh_gen()
+ */
# define DH_PARAMGEN_TYPE_GENERATOR 0 /* Use a safe prime generator */
# define DH_PARAMGEN_TYPE_FIPS_186_2 1 /* Use FIPS186-2 standard */
# define DH_PARAMGEN_TYPE_FIPS_186_4 2 /* Use FIPS186-4 standard */
if (gctx->group_nid != NID_undef)
gctx->gen_type = DH_PARAMGEN_TYPE_GROUP;
- /* Bounds check on context gen_type */
+ /*
+ * Do a bounds check on context gen_type. Must be in range:
+ * DH_PARAMGEN_TYPE_GENERATOR <= gen_type <= DH_PARAMGEN_TYPE_GROUP
+ * Noted here as this needs to be adjusted if a new group type is
+ * added.
+ */
if (!ossl_assert((gctx->gen_type >= DH_PARAMGEN_TYPE_GENERATOR)
&& (gctx->gen_type <= DH_PARAMGEN_TYPE_GROUP))) {
ERR_raise_data(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR,
{
struct dsa_gen_ctx *gctx = genctx;
const OSSL_PARAM *p;
+ int gen_type = -1;
if (gctx == NULL)
return 0;
p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_FFC_TYPE);
if (p != NULL) {
if (p->data_type != OSSL_PARAM_UTF8_STRING
- || ((gctx->gen_type = dsa_gen_type_name2id(p->data)) == -1)) {
+ || ((gen_type = dsa_gen_type_name2id(p->data)) == -1)) {
ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_INVALID_ARGUMENT);
return 0;
}
+
+ /*
+ * Ony assign context gen_type if it was set by dsa_gen_type_name2id
+ * must be in range:
+ * DSA_PARAMGEN_TYPE_FIPS_186_4 <= gen_type <= DSA_PARAMGEN_TYPE_FIPS_DEFAULT
+ */
+ if (gen_type != -1)
+ gctx->gen_type = gen_type;
}
p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_FFC_GINDEX);
if (p != NULL
gctx->gen_type = (gctx->pbits >= 2048 ? DSA_PARAMGEN_TYPE_FIPS_186_4 :
DSA_PARAMGEN_TYPE_FIPS_186_2);
+ /*
+ * Do a bounds check on context gen_type. Must be in range:
+ * DSA_PARAMGEN_TYPE_FIPS_186_4 <= gen_type <= DSA_PARAMGEN_TYPE_FIPS_DEFAULT
+ * Noted here as this needs to be adjusted if a new type is
+ * added.
+ */
+ if (!ossl_assert((gctx->gen_type >= DSA_PARAMGEN_TYPE_FIPS_186_4)
+ && (gctx->gen_type <= DSA_PARAMGEN_TYPE_FIPS_DEFAULT))) {
+ ERR_raise_data(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR,
+ "gen_type set to unsupported value %d", gctx->gen_type);
+ return NULL;
+ }
+
gctx->cb = osslcb;
gctx->cbarg = cbarg;
gencb = BN_GENCB_new();