APPS: dsaparam, gendsa: Support setting properties
authorClemens Lang <cllang@redhat.com>
Wed, 15 Jun 2022 10:50:07 +0000 (12:50 +0200)
committerTomas Mraz <tomas@openssl.org>
Fri, 1 Jul 2022 09:12:12 +0000 (11:12 +0200)
The -provider and -propquery options did not work on dsaparam and
gendsa. Fix this and add tests that check that operations that are not
supported by the FIPS provider work when run with

| -provider default -propquery '?fips!=yes'

See also https://bugzilla.redhat.com/show_bug.cgi?id=2094956, where this
was initially reported.

Signed-off-by: Clemens Lang <cllang@redhat.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18576)

(cherry picked from commit 30b2c3592e8511b60d44f93eb657a1ecb3662c08)

apps/dsaparam.c
apps/gendsa.c
test/recipes/20-test_cli_fips.t

index a34ca235c6148674ef458a99b6a61723c38bb1a0..b5555282be6e18ad2275488c7226f82b9f2dff58 100644 (file)
@@ -147,7 +147,7 @@ int dsaparam_main(int argc, char **argv)
     if (out == NULL)
         goto end;
 
-    ctx = EVP_PKEY_CTX_new_from_name(NULL, "DSA", NULL);
+    ctx = EVP_PKEY_CTX_new_from_name(app_get0_libctx(), "DSA", app_get0_propq());
     if (ctx == NULL) {
         BIO_printf(bio_err,
                    "Error, DSA parameter generation context allocation failed\n");
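Review bot: The new EVP_PKEY_CTX_new_from_name line runs to 81 columns by my count, one over the 80-column limit of the project's coding style, whereas the parallel one-line call added in gendsa.c fits exactly. Wrapping the last argument keeps it within the limit: `ctx = EVP_PKEY_CTX_new_from_name(app_get0_libctx(), "DSA",` followed by `                                     app_get0_propq());` aligned under the opening parenthesis. dsaparam_main begins and ends outside this hunk.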
@@ -205,7 +205,8 @@ int dsaparam_main(int argc, char **argv)
     }
     if (genkey) {
         EVP_PKEY_CTX_free(ctx);
-        ctx = EVP_PKEY_CTX_new(params, NULL);
+        ctx = EVP_PKEY_CTX_new_from_pkey(app_get0_libctx(), params,
+                app_get0_propq());
         if (ctx == NULL) {
             BIO_printf(bio_err,
                        "Error, DSA key generation context allocation failed\n");
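Review bot: The continuation line `app_get0_propq());` is indented by a fixed eight columns rather than aligned under the opening parenthesis of the call, which is the wrapping convention used elsewhere in the apps code. Aligning it reads as `ctx = EVP_PKEY_CTX_new_from_pkey(app_get0_libctx(), params,` followed by `                                         app_get0_propq());`. The surrounding `if (genkey)` block and dsaparam_main continue outside the hunk.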
index e5c9bc22adaa209940a69a92aaffbfb8d3268dff..2b46e660453c45f8426b7a2b80fbfddb532a68a8 100644 (file)
@@ -134,7 +134,7 @@ int gendsa_main(int argc, char **argv)
                    "         Your key size is %d! Larger key size may behave not as expected.\n",
                    OPENSSL_DSA_MAX_MODULUS_BITS, EVP_PKEY_get_bits(pkey));
 
-    ctx = EVP_PKEY_CTX_new(pkey, NULL);
+    ctx = EVP_PKEY_CTX_new_from_pkey(app_get0_libctx(), pkey, app_get0_propq());
     if (ctx == NULL) {
         BIO_printf(bio_err, "unable to create PKEY context\n");
         goto end;
index f70de7e5741751368e749903c97988c0a3f5bde8..bb5660dc3c5efd325d4cf0ba7b1f51029033c217 100644 (file)
@@ -273,8 +273,9 @@ SKIP : {
         my $testtext = '';
         my $fips_param = $testtext_prefix.'.fips.param.pem';
         my $nonfips_param = $testtext_prefix.'.nonfips.param.pem';
+        my $shortnonfips_param = $testtext_prefix.'.shortnonfips.param.pem';
 
-        plan tests => 8 + $tsignverify_count;
+        plan tests => 13 + $tsignverify_count;
 
         $ENV{OPENSSL_CONF} = $defaultconf;
 
@@ -306,6 +307,23 @@ SKIP : {
                      '-out', $testtext_prefix.'.fail.param.pem'])),
            $testtext);
 
+        $testtext = $testtext_prefix.': '.
+            'Generate non-FIPS params using non-FIPS property query'.
+            ' (dsaparam)';
+        ok(run(app(['openssl', 'dsaparam', '-provider', 'default',
+                    '-propquery', '?fips!=yes',
+                    '-out', $shortnonfips_param, '1024'])),
+            $testtext);
+
+        $testtext = $testtext_prefix.': '.
+            'Generate non-FIPS params using non-FIPS property query'.
+            ' (genpkey)';
+        ok(run(app(['openssl', 'genpkey', '-provider', 'default',
+                    '-propquery', '?fips!=yes',
+                    '-genparam', '-algorithm', 'DSA',
+                    '-pkeyopt', 'dsa_paramgen_bits:512'])),
+            $testtext);
+
         $ENV{OPENSSL_CONF} = $defaultconf;
 
         $testtext = $testtext_prefix.': '.
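Review bot: The dsaparam check writes `$shortnonfips_param`, and that file is the input of the gendsa check added further down in the same file, so a failure here also fails that later test for a derived reason that its own description does not mention. A one-line comment above the first new `ok(...)` would make the ordering constraint visible to whoever reorders these tests: `# $shortnonfips_param is consumed by the gendsa check below; keep this first`. The enclosing SKIP block starts and ends outside this hunk.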
@@ -339,6 +357,32 @@ SKIP : {
                      '-out', $testtext_prefix.'.fail.priv.pem'])),
            $testtext);
 
+        $testtext = $testtext_prefix.': '.
+            'Generate a key with non-FIPS parameters using non-FIPS property'.
+            ' query (dsaparam)';
+        ok(run(app(['openssl', 'dsaparam', '-provider', 'default',
+                    '-propquery', '?fips!=yes',
+                    '-noout', '-genkey', '1024'])),
+            $testtext);
+
+        $testtext = $testtext_prefix.': '.
+            'Generate a key with non-FIPS parameters using non-FIPS property'.
+            ' query (gendsa)';
+        ok(run(app(['openssl', 'gendsa', '-provider', 'default',
+                    '-propquery', '?fips!=yes',
+                    $shortnonfips_param])),
+            $testtext);
+
+        $testtext = $testtext_prefix.': '.
+            'Generate a key with non-FIPS parameters using non-FIPS property'.
+            ' query (genpkey)';
+        ok(run(app(['openssl', 'genpkey', '-provider', 'default',
+                    '-propquery', '?fips!=yes',
+                    '-paramfile', $nonfips_param,
+                    '-pkeyopt', 'type:fips186_2',
+                    '-out', $testtext_prefix.'.fail.priv.pem'])),
+            $testtext);
+
         tsignverify($testtext_prefix, $fips_key, $fips_pub_key, $nonfips_key,
                     $nonfips_pub_key);
     };
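Review bot: The genpkey check that is expected to succeed writes its key to `$testtext_prefix.'.fail.priv.pem'`, the same name the preceding negative test uses for output that must not be produced, so the name is misleading and the two tests can overwrite each other's file. Using a distinct name such as `'-out', $testtext_prefix.'.nonfips.genpkey.priv.pem'` on the `-out` line keeps the expected-failure artifact separate from a real key. The enclosing SKIP block begins outside this hunk.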