=back
-The default is B<DH_PARAMGEN_TYPE_GENERATOR> in the default provider for the
-"DH" keytype, and B<DH_PARAMGEN_TYPE_FIPS_186_4> in the FIPS provider and for
-the "DHX" keytype in the default provider.
+The default in the default provider is B<DH_PARAMGEN_TYPE_GENERATOR> for the
+"DH" keytype, and B<DH_PARAMGEN_TYPE_FIPS_186_2> for the "DHX" keytype. In the
+FIPS provider the default value is B<DH_PARAMGEN_TYPE_GROUP> for the "DH"
+keytype and <B<DH_PARAMGEN_TYPE_FIPS_186_4> for the "DHX" keytype.
EVP_PKEY_CTX_set_dh_paramgen_gindex() sets the I<gindex> used by the generator G.
The default value is -1 which uses unverifiable g, otherwise a positive value
# We make separate GOAL variables for each algorithm, to make it easy to
# switch each to the Legacy provider when needed.
-$DSA_GOAL=../../libimplementations.a
$EC_GOAL=../../libimplementations.a
$ECX_GOAL=../../libimplementations.a
$KDF_GOAL=../../libimplementations.a
SOURCE[../../libnonfips.a]=dh_kmgmt.c
ENDIF
IF[{- !$disabled{dsa} -}]
- SOURCE[$DSA_GOAL]=dsa_kmgmt.c
+ SOURCE[../../libfips.a]=dsa_kmgmt.c
+ SOURCE[../../libnonfips.a]=dsa_kmgmt.c
ENDIF
IF[{- !$disabled{ec} -}]
SOURCE[$EC_GOAL]=ec_kmgmt.c
static const DSA_GENTYPE_NAME2ID dsatype2id[]=
{
+#ifdef FIPS_MODULE
{ "default", DSA_PARAMGEN_TYPE_FIPS_186_4 },
+#else
+ { "default", DSA_PARAMGEN_TYPE_FIPS_186_2 },
+#endif
{ "fips186_4", DSA_PARAMGEN_TYPE_FIPS_186_4 },
{ "fips186_2", DSA_PARAMGEN_TYPE_FIPS_186_2 },
};
gctx->libctx = libctx;
gctx->pbits = 2048;
gctx->qbits = 224;
+#ifdef FIPS_MODULE
gctx->gen_type = DSA_PARAMGEN_TYPE_FIPS_186_4;
+#else
+ gctx->gen_type = DSA_PARAMGEN_TYPE_FIPS_186_2;
+#endif
gctx->gindex = -1;
gctx->pcounter = -1;
gctx->hindex = 0;
|| !TEST_ptr(settables = EVP_PKEY_CTX_settable_params(pg_ctx))
|| !TEST_ptr(OSSL_PARAM_locate_const(settables,
OSSL_PKEY_PARAM_FFC_PBITS))
+ || !TEST_true(EVP_PKEY_CTX_set_dsa_paramgen_type(pg_ctx, "fips186_4"))
|| !TEST_true(EVP_PKEY_CTX_set_dsa_paramgen_bits(pg_ctx, 2048))
|| !TEST_true(EVP_PKEY_CTX_set_dsa_paramgen_q_bits(pg_ctx, 224))
|| !TEST_true(EVP_PKEY_CTX_set_dsa_paramgen_seed(pg_ctx, seed_data,
# Just put some dummy ones in to show it works.
ok(run(app([ 'openssl', 'genpkey',
'-paramfile', 'dsagen.der',
+ '-pkeyopt', 'type:fips186_4',
'-pkeyopt', 'gindex:1',
'-pkeyopt', 'hexseed:0102030405060708090A0B0C0D0E0F1011121314',
'-pkeyopt', 'pcounter:25',