Disable DSA signing in the FIPS provider.

This is a FIPS 140-3 requirement. This uses a FIP indicator if either the FIPS configurable "dsa_sign_disabled" is set to 0, OR OSSL_SIGNATURE_PARAM_FIPS_SIGN_CHECK is set to 0 in the dsa signing context. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24799)
author: slontis <shane.lontis@oracle.com> 2024-07-04 11:59:43 +1000
committer: Pauli <ppzgs1@gmail.com> 2024-07-26 09:24:04 +1000
commit: 85caa417e0915aaae9fa6f87ccfa6c4c79b41dbb (patch)
tree: bfb57626e8af7a86422c162845873b61632d5608 /apps
parent: 86fd4c1df91e58d316c863b5160d18c0f80dc6ac (diff)
1 files changed, 18 insertions, 7 deletions
diff --git a/apps/fipsinstall.c b/apps/fipsinstall.c
index 171d616617..d725839787 100644
--- a/apps/fipsinstall.c
+++ b/apps/fipsinstall.c
@@ -46,6 +46,7 @@ typedef enum OPTION_choice {
     OPT_SSHKDF_DIGEST_CHECK,
     OPT_SSKDF_DIGEST_CHECK,
     OPT_X963KDF_DIGEST_CHECK,
+    OPT_DISALLOW_DSA_SIGN,
     OPT_SELF_TEST_ONLOAD, OPT_SELF_TEST_ONINSTALL
 } OPTION_CHOICE;
 
@@ -54,7 +55,7 @@ const OPTIONS fipsinstall_options[] = {
     {"help", OPT_HELP, '-', "Display this summary"},
     {"pedantic", OPT_PEDANTIC, '-', "Set options for strict FIPS compliance"},
     {"verify", OPT_VERIFY, '-',
-        "Verify a config file instead of generating one"},
+     "Verify a config file instead of generating one"},
     {"module", OPT_MODULE, '<', "File name of the provider module"},
     {"provider_name", OPT_PROV_NAME, 's', "FIPS provider name"},
     {"section_name", OPT_SECTION_NAME, 's',
@@ -84,6 +85,8 @@ const OPTIONS fipsinstall_options[] = {
      "Enable digest check for SSKDF"},
     {"x963kdf_digest_check", OPT_X963KDF_DIGEST_CHECK, '-',
      "Enable digest check for X963KDF"},
+    {"dsa_sign_disabled", OPT_DISALLOW_DSA_SIGN, '-',
+     "Disallow DSA signing"},
     OPT_SECTION("Input"),
     {"in", OPT_IN, '<', "Input config file, used when verifying"},
 
@@ -112,6 +115,7 @@ typedef struct {
     unsigned int sshkdf_digest_check : 1;
     unsigned int sskdf_digest_check : 1;
     unsigned int x963kdf_digest_check : 1;
+    unsigned int dsa_sign_disabled : 1;
 } FIPS_OPTS;
 
 /* Pedantic FIPS compliance */
@@ -127,6 +131,7 @@ static const FIPS_OPTS pedantic_opts = {
     1,      /* sshkdf_digest_check */
     1,      /* sskdf_digest_check */
     1,      /* x963kdf_digest_check */
+    1,      /* dsa_sign_disabled */
 };
 
 /* Default FIPS settings for backward compatibility */
@@ -142,6 +147,7 @@ static FIPS_OPTS fips_opts = {
     0,      /* sshkdf_digest_check */
     0,      /* sskdf_digest_check */
     0,      /* x963kdf_digest_check */
+    0,      /* dsa_sign_disabled */
 };
 
 static int check_non_pedantic_fips(int pedantic, const char *name)
@@ -281,6 +287,8 @@ static int write_config_fips_section(BIO *out, const char *section,
         || BIO_printf(out, "%s = %s\n",
                       OSSL_PROV_FIPS_PARAM_X963KDF_DIGEST_CHECK,
                       opts->x963kdf_digest_check ? "1": "0") <= 0
+        || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_DSA_SIGN_DISABLED,
+                      opts->dsa_sign_disabled ? "1" : "0") <= 0
         || !print_mac(out, OSSL_PROV_FIPS_PARAM_MODULE_MAC, module_mac,
                       module_mac_len))
         goto end;
@@ -290,7 +298,7 @@ static int write_config_fips_section(BIO *out, const char *section,
                        install_mac_len)
             || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_INSTALL_STATUS,
                           INSTALL_STATUS_VAL) <= 0)
-        goto end;
+            goto end;
     }
     ret = 1;
 end:
@@ -307,12 +315,12 @@ static CONF *generate_config_and_load(const char *prov_name,
     CONF *conf = NULL;
 
     mem_bio = BIO_new(BIO_s_mem());
-    if (mem_bio  == NULL)
+    if (mem_bio == NULL)
         return 0;
     if (!write_config_header(mem_bio, prov_name, section)
-         || !write_config_fips_section(mem_bio, section,
-                                       module_mac, module_mac_len,
-                                       opts, NULL, 0))
+        || !write_config_fips_section(mem_bio, section,
+                                      module_mac, module_mac_len,
+                                      opts, NULL, 0))
         goto end;
 
     conf = app_load_config_bio(mem_bio, NULL);
@@ -434,7 +442,7 @@ int fipsinstall_main(int argc, char **argv)
         switch (o) {
         case OPT_EOF:
         case OPT_ERR:
-opthelp:
+ opthelp:
             BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
             goto cleanup;
         case OPT_HELP:
@@ -485,6 +493,9 @@ opthelp:
         case OPT_X963KDF_DIGEST_CHECK:
             fips_opts.x963kdf_digest_check = 1;
             break;
+        case OPT_DISALLOW_DSA_SIGN:
+            fips_opts.dsa_sign_disabled = 1;
+            break;
         case OPT_QUIET:
             quiet = 1;
             /* FALLTHROUGH */
author	slontis <shane.lontis@oracle.com>	2024-07-04 11:59:43 +1000
committer	Pauli <ppzgs1@gmail.com>	2024-07-26 09:24:04 +1000
commit	85caa417e0915aaae9fa6f87ccfa6c4c79b41dbb (patch)
tree	bfb57626e8af7a86422c162845873b61632d5608 /apps
parent	86fd4c1df91e58d316c863b5160d18c0f80dc6ac (diff)