diff options
author | slontis <shane.lontis@oracle.com> | 2024-07-04 11:59:43 +1000 |
---|---|---|
committer | Pauli <ppzgs1@gmail.com> | 2024-07-26 09:24:04 +1000 |
commit | 85caa417e0915aaae9fa6f87ccfa6c4c79b41dbb (patch) | |
tree | bfb57626e8af7a86422c162845873b61632d5608 /apps | |
parent | 86fd4c1df91e58d316c863b5160d18c0f80dc6ac (diff) |
Disable DSA signing in the FIPS provider.
This is a FIPS 140-3 requirement.
This uses a FIP indicator if either the FIPS configurable "dsa_sign_disabled" is set to 0,
OR OSSL_SIGNATURE_PARAM_FIPS_SIGN_CHECK is set to 0 in the dsa signing context.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24799)
Diffstat (limited to 'apps')
-rw-r--r-- | apps/fipsinstall.c | 25 |
1 files changed, 18 insertions, 7 deletions
diff --git a/apps/fipsinstall.c b/apps/fipsinstall.c index 171d616617..d725839787 100644 --- a/apps/fipsinstall.c +++ b/apps/fipsinstall.c @@ -46,6 +46,7 @@ typedef enum OPTION_choice { OPT_SSHKDF_DIGEST_CHECK, OPT_SSKDF_DIGEST_CHECK, OPT_X963KDF_DIGEST_CHECK, + OPT_DISALLOW_DSA_SIGN, OPT_SELF_TEST_ONLOAD, OPT_SELF_TEST_ONINSTALL } OPTION_CHOICE; @@ -54,7 +55,7 @@ const OPTIONS fipsinstall_options[] = { {"help", OPT_HELP, '-', "Display this summary"}, {"pedantic", OPT_PEDANTIC, '-', "Set options for strict FIPS compliance"}, {"verify", OPT_VERIFY, '-', - "Verify a config file instead of generating one"}, + "Verify a config file instead of generating one"}, {"module", OPT_MODULE, '<', "File name of the provider module"}, {"provider_name", OPT_PROV_NAME, 's', "FIPS provider name"}, {"section_name", OPT_SECTION_NAME, 's', @@ -84,6 +85,8 @@ const OPTIONS fipsinstall_options[] = { "Enable digest check for SSKDF"}, {"x963kdf_digest_check", OPT_X963KDF_DIGEST_CHECK, '-', "Enable digest check for X963KDF"}, + {"dsa_sign_disabled", OPT_DISALLOW_DSA_SIGN, '-', + "Disallow DSA signing"}, OPT_SECTION("Input"), {"in", OPT_IN, '<', "Input config file, used when verifying"}, @@ -112,6 +115,7 @@ typedef struct { unsigned int sshkdf_digest_check : 1; unsigned int sskdf_digest_check : 1; unsigned int x963kdf_digest_check : 1; + unsigned int dsa_sign_disabled : 1; } FIPS_OPTS; /* Pedantic FIPS compliance */ @@ -127,6 +131,7 @@ static const FIPS_OPTS pedantic_opts = { 1, /* sshkdf_digest_check */ 1, /* sskdf_digest_check */ 1, /* x963kdf_digest_check */ + 1, /* dsa_sign_disabled */ }; /* Default FIPS settings for backward compatibility */ @@ -142,6 +147,7 @@ static FIPS_OPTS fips_opts = { 0, /* sshkdf_digest_check */ 0, /* sskdf_digest_check */ 0, /* x963kdf_digest_check */ + 0, /* dsa_sign_disabled */ }; static int check_non_pedantic_fips(int pedantic, const char *name) @@ -281,6 +287,8 @@ static int write_config_fips_section(BIO *out, const char *section, || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_X963KDF_DIGEST_CHECK, opts->x963kdf_digest_check ? "1": "0") <= 0 + || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_DSA_SIGN_DISABLED, + opts->dsa_sign_disabled ? "1" : "0") <= 0 || !print_mac(out, OSSL_PROV_FIPS_PARAM_MODULE_MAC, module_mac, module_mac_len)) goto end; @@ -290,7 +298,7 @@ static int write_config_fips_section(BIO *out, const char *section, install_mac_len) || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_INSTALL_STATUS, INSTALL_STATUS_VAL) <= 0) - goto end; + goto end; } ret = 1; end: @@ -307,12 +315,12 @@ static CONF *generate_config_and_load(const char *prov_name, CONF *conf = NULL; mem_bio = BIO_new(BIO_s_mem()); - if (mem_bio == NULL) + if (mem_bio == NULL) return 0; if (!write_config_header(mem_bio, prov_name, section) - || !write_config_fips_section(mem_bio, section, - module_mac, module_mac_len, - opts, NULL, 0)) + || !write_config_fips_section(mem_bio, section, + module_mac, module_mac_len, + opts, NULL, 0)) goto end; conf = app_load_config_bio(mem_bio, NULL); @@ -434,7 +442,7 @@ int fipsinstall_main(int argc, char **argv) switch (o) { case OPT_EOF: case OPT_ERR: -opthelp: + opthelp: BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); goto cleanup; case OPT_HELP: @@ -485,6 +493,9 @@ opthelp: case OPT_X963KDF_DIGEST_CHECK: fips_opts.x963kdf_digest_check = 1; break; + case OPT_DISALLOW_DSA_SIGN: + fips_opts.dsa_sign_disabled = 1; + break; case OPT_QUIET: quiet = 1; /* FALLTHROUGH */ |