Change the default key generation type for DH and DSA

doc/man3/EVP_PKEY_CTX_ctrl.pod

@@ -414,7 +414,8 @@ p, q, and verifiable g are required, since it is not part of a persisted key.
 
 EVP_PKEY_CTX_set_dsa_paramgen_type() sets the generation type to use FIPS186-4
 generation if I<name> is "fips186_4", or FIPS186-2 generation if I<name> is
-"fips186_2". The default value is "fips186_4".
+"fips186_2". The default value for the default provider is "fips186_2". The
+default value for the FIPS provider is "fips186_4".
 
 =head2 DH parameters
 
@@ -454,7 +455,10 @@ Uses a safe prime generator g (PKCS#3 format).
 
 =back
 
-The default is B<DH_PARAMGEN_TYPE_GENERATOR>.
+The default in the default provider is B<DH_PARAMGEN_TYPE_GENERATOR> for the
+"DH" keytype, and B<DH_PARAMGEN_TYPE_FIPS_186_2> for the "DHX" keytype. In the
+FIPS provider the default value is B<DH_PARAMGEN_TYPE_FIPS_186_4> for both key
+types.
 
 EVP_PKEY_CTX_set_dh_paramgen_gindex() sets the I<gindex> used by the generator G.
 The default value is -1 which uses unverifiable g, otherwise a positive value

providers/implementations/keymgmt/build.info

@@ -1,17 +1,17 @@
 # We make separate GOAL variables for each algorithm, to make it easy to
 # switch each to the Legacy provider when needed.
 
-$DH_GOAL=../../libimplementations.a
-$DSA_GOAL=../../libimplementations.a
 $EC_GOAL=../../libimplementations.a
 $ECX_GOAL=../../libimplementations.a
 $KDF_GOAL=../../libimplementations.a
 
 IF[{- !$disabled{dh} -}]
-  SOURCE[$DH_GOAL]=dh_kmgmt.c
+  SOURCE[../../libfips.a]=dh_kmgmt.c
+  SOURCE[../../libnonfips.a]=dh_kmgmt.c
 ENDIF
 IF[{- !$disabled{dsa} -}]
-  SOURCE[$DSA_GOAL]=dsa_kmgmt.c
+  SOURCE[../../libfips.a]=dsa_kmgmt.c
+  SOURCE[../../libnonfips.a]=dsa_kmgmt.c
 ENDIF
 IF[{- !$disabled{ec} -}]
   SOURCE[$EC_GOAL]=ec_kmgmt.c

providers/implementations/keymgmt/dh_kmgmt.c

@@ -83,7 +83,6 @@ typedef struct dh_name2id_st{
 
 static const DH_GENTYPE_NAME2ID dhtype2id[]=
 {
-    { "default", DH_PARAMGEN_TYPE_FIPS_186_4 },
     { "fips186_4", DH_PARAMGEN_TYPE_FIPS_186_4 },
     { "fips186_2", DH_PARAMGEN_TYPE_FIPS_186_2 },
     { "group", DH_PARAMGEN_TYPE_GROUP },
@@ -101,10 +100,21 @@ const char *dh_gen_type_id2name(int id)
     return NULL;
 }
 
-static int dh_gen_type_name2id(const char *name)
+static int dh_gen_type_name2id(const char *name, int type)
 {
     size_t i;
 
+    if (strcmp(name, "default") == 0) {
+#ifdef FIPS_MODULE
+        if (type == DH_FLAG_TYPE_DHX)
+            return DH_PARAMGEN_TYPE_FIPS_186_4;
+#else
+        if (type == DH_FLAG_TYPE_DHX)
+            return DH_PARAMGEN_TYPE_FIPS_186_2;
+#endif
+        return DH_PARAMGEN_TYPE_GENERATOR;
+    }
+
     for (i = 0; i < OSSL_NELEM(dhtype2id); ++i) {
         if (strcmp(dhtype2id[i].name, name) == 0)
             return dhtype2id[i].id;
@@ -428,7 +438,13 @@ static void *dh_gen_init_base(void *provctx, int selection, int type)
         gctx->pbits = 2048;
         gctx->qbits = 224;
         gctx->mdname = NULL;
+#ifdef FIPS_MODULE
         gctx->gen_type = DH_PARAMGEN_TYPE_FIPS_186_4;
+#else
+        gctx->gen_type = (type == DH_FLAG_TYPE_DHX)
+                         ? DH_PARAMGEN_TYPE_FIPS_186_2
+                         : DH_PARAMGEN_TYPE_GENERATOR;
+#endif
         gctx->gindex = -1;
         gctx->hindex = 0;
         gctx->pcounter = -1;
@@ -485,7 +501,8 @@ static int dh_gen_set_params(void *genctx, const OSSL_PARAM params[])
     p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_FFC_TYPE);
     if (p != NULL) {
         if (p->data_type != OSSL_PARAM_UTF8_STRING
-            || ((gctx->gen_type = dh_gen_type_name2id(p->data)) == -1)) {
+            || ((gctx->gen_type = dh_gen_type_name2id(p->data,
+                                                      gctx->dh_type)) == -1)) {
             ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_INVALID_ARGUMENT);
             return 0;
         }

providers/implementations/keymgmt/dsa_kmgmt.c

@@ -75,7 +75,11 @@ typedef struct dh_name2id_st{
 
 static const DSA_GENTYPE_NAME2ID dsatype2id[]=
 {
+#ifdef FIPS_MODULE
     { "default", DSA_PARAMGEN_TYPE_FIPS_186_4 },
+#else
+    { "default", DSA_PARAMGEN_TYPE_FIPS_186_2 },
+#endif
     { "fips186_4", DSA_PARAMGEN_TYPE_FIPS_186_4 },
     { "fips186_2", DSA_PARAMGEN_TYPE_FIPS_186_2 },
 };
@@ -374,7 +378,11 @@ static void *dsa_gen_init(void *provctx, int selection)
         gctx->libctx = libctx;
         gctx->pbits = 2048;
         gctx->qbits = 224;
+#ifdef FIPS_MODULE
         gctx->gen_type = DSA_PARAMGEN_TYPE_FIPS_186_4;
+#else
+        gctx->gen_type = DSA_PARAMGEN_TYPE_FIPS_186_2;
+#endif
         gctx->gindex = -1;
         gctx->pcounter = -1;
         gctx->hindex = 0;

test/dsatest.c

@@ -249,6 +249,7 @@ static int dsa_keygen_test(void)
         || !TEST_ptr(settables = EVP_PKEY_CTX_settable_params(pg_ctx))
         || !TEST_ptr(OSSL_PARAM_locate_const(settables,
                                              OSSL_PKEY_PARAM_FFC_PBITS))
+        || !TEST_true(EVP_PKEY_CTX_set_dsa_paramgen_type(pg_ctx, "fips186_4"))
         || !TEST_true(EVP_PKEY_CTX_set_dsa_paramgen_bits(pg_ctx, 2048))
         || !TEST_true(EVP_PKEY_CTX_set_dsa_paramgen_q_bits(pg_ctx, 224))
         || !TEST_true(EVP_PKEY_CTX_set_dsa_paramgen_seed(pg_ctx, seed_data,

test/recipes/15-test_gendsa.t

@@ -79,6 +79,7 @@ ok(run(app([ 'openssl', 'genpkey',
 # Just put some dummy ones in to show it works.
 ok(run(app([ 'openssl', 'genpkey',
              '-paramfile', 'dsagen.der',
+             '-pkeyopt', 'type:fips186_4',
              '-pkeyopt', 'gindex:1',
              '-pkeyopt', 'hexseed:0102030405060708090A0B0C0D0E0F1011121314',
              '-pkeyopt', 'pcounter:25',