with the corresponding signature operation, but may be specified as an
option.
+=item "sign-check" (B<OSSL_PKEY_PARAM_FIPS_SIGN_CHECK>) <int>
+
+If required this parameter should be set before the OSSL_FUNC_keymgmt_gen()
+function. This value is not supported by all keygen algorithms.
+The default value of 1 will cause an error if the generated key is not
+allowed to be used for signing.
+Setting this to 0 will ignore the error and set the approved "fips-indicator" to 0.
+This option is used by the OpenSSL FIPS provider, and breaks FIPS compliance if
+set to 0.
+
+=item "fips-indicator" (B<OSSL_PKEY_PARAM_FIPS_APPROVED_INDICATOR>) <integer>
+
+A getter that returns 1 if the operation is FIPS approved, or 0 otherwise.
+This may be used after calling OSSL_FUNC_keymgmt_gen() function. It may
+return 0 if either the "digest-check", "key-check", or "sign-check" are set to 0.
+This option is used by the OpenSSL FIPS provider.
+
=back
=head1 RETURN VALUES
The functions OSSL_FUNC_keymgmt_gen_get_params() and
OSSL_FUNC_keymgmt_gen_gettable_params() were added in OpenSSL 3.4.
+The parameters "sign-check" and "fips-indicator" were added in OpenSSL 3.4.
+
=head1 COPYRIGHT
Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
#include <openssl/bn.h>
#include <openssl/err.h>
#include "prov/providercommon.h"
+#include "prov/fipsindicator.h"
+#include "prov/fipscommon.h"
#include "prov/implementations.h"
#include "prov/provider_ctx.h"
#include "crypto/dsa.h"
static OSSL_FUNC_keymgmt_gen_set_template_fn dsa_gen_set_template;
static OSSL_FUNC_keymgmt_gen_set_params_fn dsa_gen_set_params;
static OSSL_FUNC_keymgmt_gen_settable_params_fn dsa_gen_settable_params;
+static OSSL_FUNC_keymgmt_gen_get_params_fn dsa_gen_get_params;
+static OSSL_FUNC_keymgmt_gen_gettable_params_fn dsa_gen_gettable_params;
static OSSL_FUNC_keymgmt_gen_fn dsa_gen;
static OSSL_FUNC_keymgmt_gen_cleanup_fn dsa_gen_cleanup;
static OSSL_FUNC_keymgmt_load_fn dsa_load;
char *mdprops;
OSSL_CALLBACK *cb;
void *cbarg;
+ OSSL_FIPS_IND_DECLARE
};
typedef struct dh_name2id_st{
const char *name;
gctx->gindex = -1;
gctx->pcounter = -1;
gctx->hindex = 0;
+ OSSL_FIPS_IND_INIT(gctx)
}
if (!dsa_gen_set_params(gctx, params)) {
OPENSSL_free(gctx);
if (params == NULL)
return 1;
+ if (!OSSL_FIPS_IND_SET_CTX_PARAM(gctx, OSSL_FIPS_IND_SETTABLE0, params,
+ OSSL_PKEY_PARAM_FIPS_SIGN_CHECK))
+ return 0;
p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_FFC_TYPE);
if (p != NULL) {
OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_FFC_SEED, NULL, 0),
OSSL_PARAM_int(OSSL_PKEY_PARAM_FFC_PCOUNTER, NULL),
OSSL_PARAM_int(OSSL_PKEY_PARAM_FFC_H, NULL),
+ OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_PKEY_PARAM_FIPS_SIGN_CHECK)
OSSL_PARAM_END
};
return settable;
}
+static int dsa_gen_get_params(void *genctx, OSSL_PARAM *params)
+{
+ struct dsa_gen_ctx *gctx = genctx;
+
+ if (gctx == NULL)
+ return 0;
+ if (params == NULL)
+ return 1;
+ if (!OSSL_FIPS_IND_GET_CTX_PARAM(gctx, params))
+ return 0;
+ return 1;
+}
+
+static const OSSL_PARAM *dsa_gen_gettable_params(ossl_unused void *ctx,
+ ossl_unused void *provctx)
+{
+ static const OSSL_PARAM dsa_gen_gettable_params_table[] = {
+ OSSL_FIPS_IND_GETTABLE_CTX_PARAM()
+ OSSL_PARAM_END
+ };
+
+ return dsa_gen_gettable_params_table;
+}
+
static int dsa_gencb(int p, int n, BN_GENCB *cb)
{
struct dsa_gen_ctx *gctx = BN_GENCB_get_arg(cb);
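Review bot: The two new functions dsa_gen_get_params() and dsa_gen_gettable_params() carry no comment saying what a caller can actually get back, which matters because the gettable table contains only the OSSL_FIPS_IND_GETTABLE_CTX_PARAM() entry and the getter returns 1 without touching anything when params is NULL. A one-line comment above dsa_gen_get_params, `/* Only the FIPS approved indicator is gettable from a gen context */`, would spare a reader the trip into the OSSL_FIPS_IND_* macros. Whether the table collapses to a bare OSSL_PARAM_END in non-FIPS builds depends on the macro expansion, which is not visible here. Both functions are complete within the hunk; the trailing context lines belong to dsa_gencb().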
if (!ossl_prov_is_running() || gctx == NULL)
return NULL;
+
+#ifdef FIPS_MODULE
+ /*
+ * DSA signing is not approved in FIPS 140-3, so there is no
+ * need for DSA keygen either.
+ */
+ if (!OSSL_FIPS_IND_ON_UNAPPROVED(gctx, OSSL_FIPS_IND_SETTABLE0,
+ gctx->libctx, "DSA", "Keygen",
+ FIPS_dsa_sign_check))
+ return 0;
+#endif
+
dsa = ossl_dsa_new(gctx->libctx);
if (dsa == NULL)
return NULL;
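Review bot: The early return inside the new `#ifdef FIPS_MODULE` block, `return 0;`, hands an integer literal back from a function whose neighbouring returns (`return NULL;` immediately before and after the hunk, and the ossl_dsa_new() assignment) show it yields a pointer; 0 is a valid null pointer constant, so this compiles, but it reads like a copy from the int-returning setter and should be `return NULL;` to match dsa_gen()'s own convention. Doing the indicator check before ossl_dsa_new() is the right order, since nothing is allocated when key generation is refused and the explicit-failure path therefore has nothing to free. The signature and the rest of dsa_gen()'s body lie outside the hunk.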
{ OSSL_FUNC_KEYMGMT_GEN_SET_PARAMS, (void (*)(void))dsa_gen_set_params },
{ OSSL_FUNC_KEYMGMT_GEN_SETTABLE_PARAMS,
(void (*)(void))dsa_gen_settable_params },
+ { OSSL_FUNC_KEYMGMT_GEN_GET_PARAMS, (void (*)(void))dsa_gen_get_params },
+ { OSSL_FUNC_KEYMGMT_GEN_GETTABLE_PARAMS,
+ (void (*)(void))dsa_gen_gettable_params },
{ OSSL_FUNC_KEYMGMT_GEN, (void (*)(void))dsa_gen },
{ OSSL_FUNC_KEYMGMT_GEN_CLEANUP, (void (*)(void))dsa_gen_cleanup },
{ OSSL_FUNC_KEYMGMT_LOAD, (void (*)(void))dsa_load },
'PKEY_PARAM_EC_POINT_CONVERSION_FORMAT' => "point-format",
'PKEY_PARAM_EC_GROUP_CHECK_TYPE' => "group-check",
'PKEY_PARAM_EC_INCLUDE_PUBLIC' => "include-public",
+ 'PKEY_PARAM_FIPS_SIGN_CHECK' => "sign-check",
+ 'PKEY_PARAM_FIPS_APPROVED_INDICATOR' => '*ALG_PARAM_FIPS_APPROVED_INDICATOR',
# Key Exchange parameters
'EXCHANGE_PARAM_PAD' => "pad",# uint
'SIGNATURE_PARAM_CONTEXT_STRING' => "context-string",
'SIGNATURE_PARAM_FIPS_DIGEST_CHECK' => '*PKEY_PARAM_FIPS_DIGEST_CHECK',
'SIGNATURE_PARAM_FIPS_KEY_CHECK' => '*PKEY_PARAM_FIPS_KEY_CHECK',
- 'SIGNATURE_PARAM_FIPS_SIGN_CHECK' => "sign-check",
+ 'SIGNATURE_PARAM_FIPS_SIGN_CHECK' => '*PKEY_PARAM_FIPS_SIGN_CHECK',
'SIGNATURE_PARAM_FIPS_SIGN_X931_PAD_CHECK' => "sign-x931-pad-check",
'SIGNATURE_PARAM_FIPS_APPROVED_INDICATOR' => '*ALG_PARAM_FIPS_APPROVED_INDICATOR',