File openssl-1_0_0-paramgen-default_to_rfc7919.patch of Package openssl-1_0_0

diff --git a/apps/dhparam.c b/apps/dhparam.c
index bd91234..76e79f6 100644
--- a/apps/dhparam.c
+++ b/apps/dhparam.c
@@ -325,14 +325,39 @@ int MAIN(int argc, char **argv)
         } else
 # endif
         {
-            dh = DH_new();
-            BIO_printf(bio_err,
-                       "Generating DH parameters, %d bit long safe prime, generator %d\n",
-                       num, g);
-            BIO_printf(bio_err, "This is going to take a long time\n");
-            if (!dh || !DH_generate_parameters_ex(dh, num, g, &cb)) {
+#ifdef OPENSSL_FIPS
+          if (FIPS_mode()) {
+            /* In FIPS mode, instead of generating DH parameters we use parameters from an approved group,
+             in this case, RFC-7919. */
+            switch (num) {
+            case 8192:
+              dh =DH_rfc7919_get_8192();
+              break;
+            case 6144:
+              dh =DH_rfc7919_get_6144();
+              break;
+            case 4096:
+              dh =DH_rfc7919_get_4096();
+              break;
+            case 3072:
+              dh =DH_rfc7919_get_3072();
+              break;
+            default:
+              dh =DH_rfc7919_get_2048();
+              break;
+            }
+          } else
+#endif /* OPENSSL_FIPS */
+            {
+              dh = DH_new();
+              BIO_printf(bio_err,
+                         "Generating DH parameters, %d bit long safe prime, generator %d\n",
+                         num, g);
+              BIO_printf(bio_err, "This is going to take a long time\n");
+              if (dh == NULL || !DH_generate_parameters_ex(dh, num, g, &cb)) {
                 ERR_print_errors(bio_err);
                 goto end;
+             }
             }
         }

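Review bot: The FIPS branch leaves the switch without checking `dh` for NULL, while the non-FIPS branch right below it does (`if (dh == NULL || ...)`); the DH_rfc7919_get_* helpers allocate a DH and presumably return NULL on failure, so the code after the hunk would go on with a null pointer. Add `if (dh == NULL) { ERR_print_errors(bio_err); goto end; }` directly after the switch's closing brace. A second point is that `num` and `g` are silently overridden in FIPS mode: any length other than 3072/4096/6144/8192 (1024, 4000, 16384) becomes the 2048-bit group and the generator argument is ignored without a word to the user, so a `BIO_printf(bio_err, "FIPS mode: using RFC 7919 ffdhe group instead of generating parameters\n")` naming the selected size would keep the output honest. The new block is also indented with two spaces and has `dh =DH_...` spacing, unlike the surrounding four-space style. MAIN begins before the hunk and continues after it.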
diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c
index 2290c3b..06dc04e 100644
--- a/crypto/dh/dh_pmeth.c
+++ b/crypto/dh/dh_pmeth.c
@@ -378,6 +378,30 @@ static int pkey_dh_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
     DH_PKEY_CTX *dctx = ctx->data;
     BN_GENCB *pcb, cb;
     int ret;
+
+#ifdef OPENSSL_FIPS
+    /* In FIPS mode we default to an appropriate group. */
+    if (FIPS_mode() && (!(dctx->rfc5114_param)) && (dctx->param_nid == 0)) {
+      switch (dctx->prime_len) {
+      case 8192:
+        dctx->param_nid = NID_ffdhe8192;
+        break;
+      case 6144:
+        dctx->param_nid = NID_ffdhe6144;
+        break;
+      case 4096:
+        dctx->param_nid = NID_ffdhe4096;
+        break;
+      case 3072:
+        dctx->param_nid = NID_ffdhe3072;
+        break;
+      default:
+        dctx->param_nid = NID_ffdhe2048;
+        break;
+      }
+    }
+#endif /* OPENSSL_FIPS */
+
     if (dctx->rfc5114_param) {
         switch (dctx->rfc5114_param) {
         case 1:
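Review bot: The `default:` arm maps every prime_len that is not exactly 3072, 4096, 6144 or 8192 to NID_ffdhe2048, so a caller asking for 3000 or 5000 bits in FIPS mode silently gets a 2048-bit group, smaller than it requested, and a request above 8192 drops to 2048 as well. A descending threshold chain selecting the smallest group at least as large as the request (capped at ffdhe8192) avoids that downgrade, and the comment should say that the generator configured on the ctx is not used once param_nid is chosen. pkey_dh_paramgen starts before the hunk and continues after it; whether the later code honours param_nid in all paths is not visible here.
```c
#ifdef OPENSSL_FIPS
    /* In FIPS mode we default to an approved RFC 7919 group: the smallest
     * ffdhe group at least as large as the requested prime (largest is 8192).
     * Any generator set on the ctx is not used once param_nid is chosen. */
    if (FIPS_mode() && !dctx->rfc5114_param && dctx->param_nid == 0) {
        if (dctx->prime_len > 6144)
            dctx->param_nid = NID_ffdhe8192;
        else if (dctx->prime_len > 4096)
            dctx->param_nid = NID_ffdhe6144;
        else if (dctx->prime_len > 3072)
            dctx->param_nid = NID_ffdhe4096;
        else if (dctx->prime_len > 2048)
            dctx->param_nid = NID_ffdhe3072;
        else
            dctx->param_nid = NID_ffdhe2048;
    }
#endif /* OPENSSL_FIPS */
/* … unchanged: rfc5114_param handling … */
```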