APPS: ecparam: Support setting properties
authorClemens Lang <cllang@redhat.com>
Fri, 1 Jul 2022 13:22:34 +0000 (15:22 +0200)
committerDmitry Belyavskiy <beldmit@gmail.com>
Wed, 17 Aug 2022 07:20:41 +0000 (09:20 +0200)
The -provider and -propquery options did not work on ecparam. Fix this
and add tests that check that operations that would usually fail with
the FIPS provider work when run with

| -provider default -propquery '?fips!=yes'

See also 30b2c3592e8511b60d44f93eb657a1ecb3662c08, which previously
fixed the same problem in dsaparam and gendsa. See also the initial
report in https://bugzilla.redhat.com/show_bug.cgi?id=2094956.

Signed-off-by: Clemens Lang <cllang@redhat.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/18717)

apps/ecparam.c
test/recipes/15-test_ecparam.t

index 608014be8f13e470bdebd219bdaa79781c1353e8..5d66b65569d5cd66de1476ed978c52bbd0381275 100644 (file)
@@ -229,9 +229,11 @@ int ecparam_main(int argc, char **argv)
         *p = OSSL_PARAM_construct_end();
 
         if (OPENSSL_strcasecmp(curve_name, "SM2") == 0)
-            gctx_params = EVP_PKEY_CTX_new_from_name(NULL, "sm2", NULL);
+            gctx_params = EVP_PKEY_CTX_new_from_name(app_get0_libctx(), "sm2",
+                                                     app_get0_propq());
         else
-            gctx_params = EVP_PKEY_CTX_new_from_name(NULL, "ec", NULL);
+            gctx_params = EVP_PKEY_CTX_new_from_name(app_get0_libctx(), "ec",
+                                                     app_get0_propq());
         if (gctx_params == NULL
             || EVP_PKEY_keygen_init(gctx_params) <= 0
             || EVP_PKEY_CTX_set_params(gctx_params, params) <= 0
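Review bot: The two branches of the `if`/`else` on `curve_name` now repeat the same library-context and property-query arguments and differ only in the algorithm name, so a later change to one call can easily miss the other. A single call that picks the name inline keeps them in step: `gctx_params = EVP_PKEY_CTX_new_from_name(app_get0_libctx(), OPENSSL_strcasecmp(curve_name, "SM2") == 0 ? "sm2" : "ec", app_get0_propq());`. The surrounding `if` condition and the rest of ecparam_main lie outside this hunk.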
@@ -282,7 +284,8 @@ int ecparam_main(int argc, char **argv)
                 BIO_printf(bio_err, "unable to set check_type\n");
                 goto end;
         }
-        pctx = EVP_PKEY_CTX_new_from_pkey(NULL, params_key, NULL);
+        pctx = EVP_PKEY_CTX_new_from_pkey(app_get0_libctx(), params_key,
+                                          app_get0_propq());
         if (pctx == NULL || EVP_PKEY_param_check(pctx) <= 0) {
             BIO_printf(bio_err, "failed\n");
             goto end;
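Review bot: The combined test `pctx == NULL || EVP_PKEY_param_check(pctx) <= 0` reports both outcomes as `failed`, so a context that could not be created looks the same as parameters that did not validate. Since context creation now takes the user-supplied property query, a query that matches no loaded provider presumably also lands here. Splitting the NULL case out with its own message, for example `if (pctx == NULL) { BIO_printf(bio_err, "unable to create check context\n"); goto end; }`, would keep a provider-selection problem from being read as a bad-curve verdict. Whether the `end:` label already prints the error queue is not visible in this hunk.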
@@ -312,7 +315,8 @@ int ecparam_main(int argc, char **argv)
          *    EVP_PKEY_CTX_set_group_name(gctx, curvename);
          *    EVP_PKEY_keygen(gctx, &key) <= 0)
          */
-        gctx_key = EVP_PKEY_CTX_new_from_pkey(NULL, params_key, NULL);
+        gctx_key = EVP_PKEY_CTX_new_from_pkey(app_get0_libctx(), params_key,
+                                              app_get0_propq());
         if (EVP_PKEY_keygen_init(gctx_key) <= 0
             || EVP_PKEY_keygen(gctx_key, &key) <= 0) {
             BIO_printf(bio_err, "unable to generate key\n");
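Review bot: `gctx_key` is passed straight to `EVP_PKEY_keygen_init()` without a NULL test, whereas the contexts created in the two earlier hunks (`gctx_params`, `pctx`) are both compared with NULL before use. With the property query now feeding into `EVP_PKEY_CTX_new_from_pkey()`, a failed creation is more plausible than when both arguments were NULL, and whether `EVP_PKEY_keygen_init()` rejects a NULL context cleanly cannot be seen from here. Making the guard explicit matches the other call sites: `if (gctx_key == NULL || EVP_PKEY_keygen_init(gctx_key) <= 0`. The `if` body continues past the end of the hunk.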
index 34efe7adb0e00e7d7ee961de8104fd75b4dc4eae..17ee9e2d98b90804402e309be0db11a98b389e23 100644 (file)
@@ -119,7 +119,7 @@ subtest "Check pkeyparam does not change the parameter file on output" => sub {
 subtest "Check loading of fips and non-fips params" => sub {
     plan skip_all => "FIPS is disabled"
         if $no_fips;
-    plan tests => 3;
+    plan tests => 6;
 
     my $fipsconf = srctop_file("test", "fips-and-base.cnf");
     my $defaultconf = srctop_file("test", "default.cnf");
@@ -141,5 +141,23 @@ subtest "Check loading of fips and non-fips params" => sub {
                 '-check'])),
        "Fail loading named non-fips curve");
 
+    ok(run(app(['openssl', 'ecparam',
+                '-provider', 'default',
+                '-propquery', '?fips!=yes',
+                '-in', data_file('valid', 'secp112r1-named.pem'),
+                '-check'])),
+       "Loading named non-fips curve in FIPS mode with non-FIPS property".
+       " query");
+
+    ok(!run(app(['openssl', 'ecparam',
+                '-genkey', '-name', 'secp112r1'])),
+       "Fail generating key for named non-fips curve");
+
+    ok(run(app(['openssl', 'ecparam',
+                '-provider', 'default',
+                '-propquery', '?fips!=yes',
+                '-genkey', '-name', 'secp112r1'])),
+       "Generating key for named non-fips curve with non-FIPS property query");
+
     $ENV{OPENSSL_CONF} = $defaultconf;
 };
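Review bot: The new negative case `ok(!run(app(['openssl', 'ecparam', '-genkey', '-name', 'secp112r1'])))` passes on any non-zero exit, so it would still succeed if the command failed for a reason unrelated to FIPS, such as a config that fails to load. A comment above it such as `# secp112r1 is not FIPS-approved; with fips-and-base.cnf active, keygen must be refused` would record the intended cause. The assignment that points `OPENSSL_CONF` at `$fipsconf` is outside this hunk, so the dependency is not obvious when reading the added tests alone. The restore on the last line runs only if the subtest reaches its end; `local $ENV{OPENSSL_CONF} = $fipsconf;` at the point where it is set would undo the override on every exit path.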