params->flags = flags;
}
+void ffc_params_enable_flags(FFC_PARAMS *params, unsigned int flags, int enable)
+{
+ if (enable)
+ params->flags |= flags;
+ else
+ params->flags &= ~flags;
+}
+
int ffc_set_digest(FFC_PARAMS *params, const char *alg, const char *props)
{
params->mdname = alg;
{
size_t L, N;
- if (params->p == NULL || params->q == NULL) {
+ if (params == NULL || params->p == NULL || params->q == NULL) {
*res = FFC_CHECK_INVALID_PQ;
return FFC_PARAM_RET_STATUS_FAILED;
}
params->flags = FFC_PARAM_FLAG_VALIDATE_G;
params->gindex = FFC_UNVERIFIABLE_GINDEX;
- ret = ffc_params_FIPS186_4_validate(libctx, params, type, &res, NULL);
+#ifndef FIPS_MODULE
+ if (save_flags & FFC_PARAM_FLAG_VALIDATE_LEGACY)
+ ret = ffc_params_FIPS186_2_validate(libctx, params, type, &res, NULL);
+ else
+#endif
+ ret = ffc_params_FIPS186_4_validate(libctx, params, type, &res, NULL);
params->flags = save_flags;
params->gindex = save_gindex;
return ret != FFC_PARAM_RET_STATUS_FAILED;
#define FFC_PARAM_RET_STATUS_UNVERIFIABLE_G 2
/* Validation flags */
-# define FFC_PARAM_FLAG_VALIDATE_PQ 0x01
-# define FFC_PARAM_FLAG_VALIDATE_G 0x02
+# define FFC_PARAM_FLAG_VALIDATE_PQ 0x01
+# define FFC_PARAM_FLAG_VALIDATE_G 0x02
# define FFC_PARAM_FLAG_VALIDATE_ALL \
(FFC_PARAM_FLAG_VALIDATE_PQ | FFC_PARAM_FLAG_VALIDATE_G)
+#define FFC_PARAM_FLAG_VALIDATE_LEGACY 0x04
/*
* NB: These values must align with the equivalently named macros in
void ffc_params_set_pcounter(FFC_PARAMS *params, int index);
void ffc_params_set_h(FFC_PARAMS *params, int index);
void ffc_params_set_flags(FFC_PARAMS *params, unsigned int flags);
+void ffc_params_enable_flags(FFC_PARAMS *params, unsigned int flags, int enable);
int ffc_set_digest(FFC_PARAMS *params, const char *alg, const char *props);
int ffc_params_set_validate_params(FFC_PARAMS *params,
goto end;
if (gctx->priv_len > 0)
DH_set_length(dh, (long)gctx->priv_len);
+ ffc_params_enable_flags(ffc, FFC_PARAM_FLAG_VALIDATE_LEGACY,
+ gctx->gen_type == DH_PARAMGEN_TYPE_FIPS_186_2);
if (DH_generate_key(dh) <= 0)
goto end;
}
gencb) <= 0)
goto end;
}
+ ffc_params_enable_flags(ffc, FFC_PARAM_FLAG_VALIDATE_LEGACY,
+ gctx->gen_type == DSA_PARAMGEN_TYPE_FIPS_186_2);
if ((gctx->selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) {
if (ffc->p == NULL
|| ffc->q == NULL
plan skip_all => "This test is unsupported in a no-dsa build"
if disabled("dsa");
-plan tests => 8;
+plan tests => 10;
ok(run(app([ 'openssl', 'genpkey', '-genparam',
'-algorithm', 'DSA',
'-text'])),
"genpkey DSA params fips186_2");
+ok(run(app([ 'openssl', 'genpkey', '-genparam',
+ '-algorithm', 'DSA',
+ '-pkeyopt', 'type:fips186_2',
+ '-pkeyopt', 'dsa_paramgen_bits:1024',
+ '-out', 'dsagen.legacy.pem'])),
+ "genpkey DSA params fips186_2 PEM");
+
ok(!run(app([ 'openssl', 'genpkey', '-algorithm', 'DSA',
'-pkeyopt', 'type:group',
'-text'])),
'-out', 'dsagen.der'])),
"genpkey DSA params fips186_4 DER");
+ok(run(app([ 'openssl', 'genpkey',
+ '-paramfile', 'dsagen.legacy.pem',
+ '-pkeyopt', 'type:fips186_2',
+ '-text'])),
+ "genpkey DSA fips186_2 with PEM params");
+
# The seed and counter should be the ones generated from the param generation
# Just put some dummy ones in to show it works.
ok(run(app([ 'openssl', 'genpkey',