From: Clemens Lang
Date: Fri, 1 Jul 2022 12:50:59 +0000 (+0200)
Subject: APPS: dhparam: Support setting properties
X-Git-Tag: openssl-3.2.0-alpha1~2286
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ae3c30acac17271693e91dcae42c804cd96e8f93;p=thirdparty%2Fopenssl.git

APPS: dhparam: Support setting properties

The -provider and -propquery options did not work on dhparam. Fix this and add tests that check that operations that would usually fail with the FIPS provider work when run with

| -provider default -propquery '?fips!=yes'

See also 30b2c3592e8511b60d44f93eb657a1ecb3662c08, which previously fixed the same problem in dsaparam and gendsa.

See also the initial report in https://bugzilla.redhat.com/show_bug.cgi?id=2094956.

Signed-off-by: Clemens Lang
Reviewed-by: Tomas Mraz
Reviewed-by: Dmitry Belyavskiy
(Merged from https://github.com/openssl/openssl/pull/18717)
---
diff --git a/apps/dhparam.c b/apps/dhparam.c
index c1d7168a608..93a858d7460 100644
--- a/apps/dhparam.c
+++ b/apps/dhparam.c
@@ -194,7 +194,7 @@ int dhparam_main(int argc, char **argv)
         BIO_printf(bio_err, "Warning, input file %s ignored\n", infile);
     }
 
-    ctx = EVP_PKEY_CTX_new_from_name(NULL, alg, NULL);
+    ctx = EVP_PKEY_CTX_new_from_name(app_get0_libctx(), alg, app_get0_propq());
     if (ctx == NULL) {
         BIO_printf(bio_err,
                    "Error, %s param generation context allocation failed\n",
@@ -324,7 +324,7 @@ int dhparam_main(int argc, char **argv)
         EVP_PKEY_print_params(out, pkey, 4, NULL);
 
     if (check) {
-        ctx = EVP_PKEY_CTX_new_from_pkey(NULL, pkey, NULL);
+        ctx = EVP_PKEY_CTX_new_from_pkey(app_get0_libctx(), pkey, app_get0_propq());
         if (ctx == NULL) {
             BIO_printf(bio_err, "Error, failed to check DH parameters\n");
             goto end;
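Review bot: The replacement line in the `@@ -324` hunk runs to 84 columns with its 8-space indentation, past the 80-column limit of OpenSSL's coding style; the corresponding line in the `@@ -396` hunk in dsa_to_dh has the same problem at 81 columns. Wrapping the argument list keeps the call unchanged: `ctx = EVP_PKEY_CTX_new_from_pkey(app_get0_libctx(), pkey,` followed by `                                 app_get0_propq());` aligned under the first argument, and likewise for the `"DHX"` call. dhparam_main begins and ends outside these hunks, so whether any other EVP_PKEY_CTX_new_* call in it still passes NULL for the library context and property query cannot be confirmed from here.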
@@ -396,7 +396,7 @@ static EVP_PKEY *dsa_to_dh(EVP_PKEY *dh)
         goto err;
     }
 
-    ctx = EVP_PKEY_CTX_new_from_name(NULL, "DHX", NULL);
+    ctx = EVP_PKEY_CTX_new_from_name(app_get0_libctx(), "DHX", app_get0_propq());
     if (ctx == NULL
         || EVP_PKEY_fromdata_init(ctx) <= 0
         || EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_KEY_PARAMETERS, params) <= 0) {
diff --git a/test/recipes/20-test_dhparam.t b/test/recipes/20-test_dhparam.t
index 9688b10dbbc..72c878371eb 100644
--- a/test/recipes/20-test_dhparam.t
+++ b/test/recipes/20-test_dhparam.t
@@ -10,7 +10,7 @@
 use strict;
 use warnings;
 
-use OpenSSL::Test qw(:DEFAULT data_file);
+use OpenSSL::Test qw(:DEFAULT data_file srctop_file);
 use OpenSSL::Test::Utils;
 
 #Tests for the dhparam CLI application
@@ -19,7 +19,9 @@ setup("test_dhparam");
 
 plan skip_all => "DH is not supported in this build" if disabled("dh");
 
-plan tests => 17;
+plan tests => 21;
+
+my $fipsconf = srctop_file("test", "fips-and-base.cnf");
 
 sub checkdhparams {
     my $file = shift; #Filename containing params
@@ -179,6 +181,34 @@ SKIP: {
         checkdhparams("gen-x942-0-512.der", "X9.42", 0, "DER", 512);
     };
 }
+SKIP: {
+    skip "Skipping tests that are only supported in a fips build with security ".
+        "checks", 4 if (disabled("fips") || disabled("fips-securitychecks"));
+
+    $ENV{OPENSSL_CONF} = $fipsconf;
+
+    ok(!run(app(['openssl', 'dhparam', '-check', '512'])),
+        "Generating 512 bit DH params should fail in FIPS mode");
+
+    ok(run(app(['openssl', 'dhparam', '-provider', 'default', '-propquery',
+            '?fips!=yes', '-check', '512'])),
+        "Generating 512 bit DH params should succeed in FIPS mode using".
+        " non-FIPS property query");
+
+    SKIP: {
+        skip "Skipping tests that require DSA", 2 if disabled("dsa");
+
+        ok(!run(app(['openssl', 'dhparam', '-dsaparam', '-check', '512'])),
+            "Generating 512 bit DSA-style DH params should fail in FIPS mode");
+
+        ok(run(app(['openssl', 'dhparam', '-provider', 'default', '-propquery',
+                '?fips!=yes', '-dsaparam', '-check', '512'])),
+            "Generating 512 bit DSA-style DH params should succeed in FIPS".
+            " mode using non-FIPS property query");
+    }
+
+    delete $ENV{OPENSSL_CONF};
+}
 
 ok(run(app(["openssl", "dhparam", "-noout", "-text"],
            stdin => data_file("pkcs3-2-1024.pem"))),
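Review bot: `$ENV{OPENSSL_CONF} = $fipsconf;` at the top of the new SKIP block is only undone by the `delete $ENV{OPENSSL_CONF};` at its end, so a value the harness had already set is discarded rather than restored, and if anything between the two lines dies or leaves the block early the FIPS configuration stays in force for every later test in this file, silently changing which providers they load. A dynamically scoped assignment restores the previous state on any exit from the block: `local $ENV{OPENSSL_CONF} = $fipsconf;`, with the trailing `delete` removed. The two negative checks (`ok(!run(...))`) also pass on any failure of the command, not only on the expected FIPS rejection of 512-bit parameters; if a stricter signal is wanted, capturing stderr and matching the expected error message would distinguish the two.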