author | slontis <shane.lontis@oracle.com> | 2024-07-04 11:59:43 +1000 |
---|---|---|
committer | Pauli <ppzgs1@gmail.com> | 2024-07-26 09:24:04 +1000 |
commit | 85caa417e0915aaae9fa6f87ccfa6c4c79b41dbb (patch) | |
tree | bfb57626e8af7a86422c162845873b61632d5608 /util | |
parent | 86fd4c1df91e58d316c863b5160d18c0f80dc6ac (diff) |
Disable DSA signing in the FIPS provider.
This is a FIPS 140-3 requirement.
This uses a FIPS indicator if either the FIPS configurable "dsa_sign_disabled" is set to 0,
OR OSSL_SIGNATURE_PARAM_FIPS_SIGN_CHECK is set to 0 in the dsa signing context.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24799)
Diffstat (limited to 'util')
-rw-r--r-- | util/mk-fipsmodule-cnf.pl | 4 | ||||
-rw-r--r-- | util/perl/OpenSSL/paramnames.pm | 2 |
2 files changed, 6 insertions, 0 deletions
diff --git a/util/mk-fipsmodule-cnf.pl b/util/mk-fipsmodule-cnf.pl
index b6a49382bd..54b774e063 100644
--- a/util/mk-fipsmodule-cnf.pl
+++ b/util/mk-fipsmodule-cnf.pl
@@ -15,8 +15,10 @@ my $security_checks = 1;
 my $ems_check = 1;
 my $drgb_no_trunc_dgst = 1;
 my $kdf_digest_check = 1;
+my $dsa_sign_disabled = 1;
 my $activate = 1;
+my $version = 1;
 my $mac_key;
 my $module_name;
 my $section_name = "fips_sect";
@@ -44,10 +46,12 @@ my $module_mac = join(':', @module_mac);
 print <<_____;
 [$section_name]
 activate = $activate
+install-version = $version
 conditional-errors = $conditional_errors
 security-checks = $security_checks
 tls1-prf-ems-check = $ems_check
 drbg-no-trunc-md = $drgb_no_trunc_dgst
+dsa-sign-disabled = $dsa_sign_disabled
 module-mac = $module_mac
 hkdf-digest-check = $kdf_digest_check
 tls13-kdf-digest-check = $kdf_digest_check
diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm
index a7087fb3a2..3d1ef1c65e 100644
--- a/util/perl/OpenSSL/paramnames.pm
+++ b/util/perl/OpenSSL/paramnames.pm
@@ -39,6 +39,7 @@ my %params = (
 'PROV_PARAM_SSHKDF_DIGEST_CHECK' => "sshkdf-digest-check", # uint
 'PROV_PARAM_SSKDF_DIGEST_CHECK' => "sskdf-digest-check", # uint
 'PROV_PARAM_X963KDF_DIGEST_CHECK' => "x963kdf-digest-check", # uint
+ 'PROV_PARAM_DSA_SIGN_DISABLED' => "dsa-sign-disabled", # uint
 # Self test callback parameters
 'PROV_PARAM_SELF_TEST_PHASE' => "st-phase",# utf8_string
@@ -407,6 +408,7 @@ my %params = (
 'SIGNATURE_PARAM_CONTEXT_STRING' => "context-string",
 'SIGNATURE_PARAM_FIPS_DIGEST_CHECK' => '*PKEY_PARAM_FIPS_DIGEST_CHECK',
 'SIGNATURE_PARAM_FIPS_KEY_CHECK' => '*PKEY_PARAM_FIPS_KEY_CHECK',
+ 'SIGNATURE_PARAM_FIPS_SIGN_CHECK' => "sign-check",
 'SIGNATURE_PARAM_FIPS_APPROVED_INDICATOR' => '*ALG_PARAM_FIPS_APPROVED_INDICATOR',
 # Asym cipher parameters |
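Review bot: The two new variables `$dsa_sign_disabled` and `$version` are emitted into the generated section, but within the four lines this commit adds to mk-fipsmodule-cnf.pl nothing lets a caller set them, whereas the neighbouring knobs (`$security_checks`, `$ems_check`, `$kdf_digest_check`) appear to be bound to command-line options by a GetOptions call that sits outside both hunks. If that binding exists for the others, `"dsa-sign-disabled=i" => \$dsa_sign_disabled,` and a matching `"install-version=i" => \$version,` belong there too; otherwise the default of 1, which is the safe FIPS 140-3 setting, is the only value this generator can ever write and anyone exercising the indicator path has to edit the script. A one-line comment on `my $version = 1;` is also warranted, since the commit message explains the DSA switch but not why an `install-version` line is now emitted. The top-level statement run and the `print <<_____` heredoc both begin and end outside these hunks.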
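Review bot: The new `SIGNATURE_PARAM_FIPS_SIGN_CHECK` entry in the second paramnames.pm hunk (@@ -407) introduces a fresh literal `"sign-check"` where its neighbours `SIGNATURE_PARAM_FIPS_DIGEST_CHECK` and `SIGNATURE_PARAM_FIPS_KEY_CHECK` alias a shared `*PKEY_PARAM_...` name, and unlike the `PROV_PARAM_DSA_SIGN_DISABLED` line in the first hunk it carries no type comment. If the name is deliberately signature-specific rather than shared with the PKEY parameters, a trailing comment should say so and give the type the provider reads, e.g. `'SIGNATURE_PARAM_FIPS_SIGN_CHECK' => "sign-check", # uint: 0 opts out of the FIPS signing restriction, reported via the approved indicator` (adjust int/uint to match the C side). The `%params` hash starts and ends outside both hunks.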