Disable support for DSA sign and key gen by default in the FIPS provider. #23890

Draft
wants to merge 6 commits into
base: master

slontis
Member

@slontis slontis commented Mar 20, 2024

FIPS 140-3 now uses FIPS 186-5 which removes DSA.
DSA may still be used for Verification for legacy purposes.

Checklist
  • documentation is added or updated
  • tests are added or updated

@github-actions github-actions bot added the severity: fips change The pull request changes FIPS provider sources label Mar 20, 2024
@t8m t8m added branch: master Merge to master branch triaged: feature The issue/pr requests/adds a feature labels Apr 4, 2024
@slontis slontis force-pushed the fips_no_dsa_sig branch 2 times, most recently from 3039876 to b51fa36 Compare April 22, 2024 01:57
@github-actions github-actions bot added the severity: ABI change This pull request contains ABI changes label Apr 22, 2024
@slontis slontis changed the title Remove DSA sign and key gen from the FIPS provider. Disable support for DSA sign and key gen by default in the FIPS provider. Apr 23, 2024
whenever a non approved algorithm test has occurred. It may be used to
log non approved algorithms. The callback is passed a name and
description string. The return value can be either 0 or 1.
A value of 0 can be used to force an error to occur from the algorithm
that called the callback.

DSA signing is no longer approved (in FIPS 140-3).
By default DSA signing will not be enabled, and will result in an error.

Non approved DSA signing in the FIPS provider can be enabled by either
1) By using the fipsinstall option 'no_dsa_check' OR
2) By setting the OSSL_PARAM OSSL_ALG_PARAM_STRICT_CHECKS to zero during
   the signature init.

When using non approved signing the user may register a callback using
OSSL_INDICATOR_set_callback() that can be used to indicate non approved
behaviour.

Since DSA generated keys can only be used for signing purposes, restrict
the DSA Keygen also for FIPS 140-3.
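
The default and the two opt-outs described in the commit messages above, written out as a small stand-alone C model; this is an added example, not code from the pull request, and it does not call OpenSSL. The struct, function and callback names are hypothetical, and it assumes the callback is consulted only once the check has been relaxed and that an unset callback lets the operation proceed.

```c
/* Stand-alone model of the policy in the commit messages above.
 * It does not call OpenSSL; every identifier here is hypothetical. */
#include <stdio.h>

typedef int (*indicator_cb)(const char *name, const char *desc);

enum dsa_op { DSA_OP_VERIFY, DSA_OP_SIGN };

struct fips_cfg {
    int no_dsa_check;  /* models the fipsinstall option 'no_dsa_check' */
    int strict_checks; /* models OSSL_ALG_PARAM_STRICT_CHECKS (1 = default) */
    indicator_cb cb;   /* models the callback the application registered */
};

static int unapproved_seen; /* events observed by the sample callbacks */

/* Sample callback: record the event and let the operation continue. */
static int cb_log_only(const char *name, const char *desc)
{
    (void)name; (void)desc;
    unapproved_seen++;
    return 1;
}

/* Sample callback: record the event and force an error (return 0). */
static int cb_reject(const char *name, const char *desc)
{
    (void)name; (void)desc;
    unapproved_seen++;
    return 0;
}

/* Returns 1 if the operation may proceed, 0 if it must fail. */
static int dsa_op_allowed(const struct fips_cfg *cfg, enum dsa_op op)
{
    if (op == DSA_OP_VERIFY)
        return 1;                 /* verification stays available */
    if (!cfg->no_dsa_check && cfg->strict_checks)
        return 0;                 /* default: signing is an error */
    if (cfg->cb == NULL)
        return 1;                 /* assumption: no callback, no veto */
    return cfg->cb("DSA", "Sign") != 0; /* constructed name/description */
}

int main(void)
{
    struct fips_cfg def = { 0, 1, cb_log_only }, relaxed = { 0, 0, cb_reject };
    printf("default: sign=%d verify=%d\n",
           dsa_op_allowed(&def, DSA_OP_SIGN), dsa_op_allowed(&def, DSA_OP_VERIFY));
    printf("relaxed, veto callback: sign=%d\n", dsa_op_allowed(&relaxed, DSA_OP_SIGN));
    return 0;
}
```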