1 /*
2 * Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include "internal/deprecated.h"
11
12 #include <openssl/rsa.h>
13 #include <openssl/dsa.h>
14 #include <openssl/dh.h>
15 #include <openssl/ec.h>
16 #include <openssl/err.h>
17 #include <openssl/proverr.h>
18 #include <openssl/core_names.h>
19 #include <openssl/obj_mac.h>
20 #include "prov/securitycheck.h"
21
ossl_fips_config_securitycheck_enabled(OSSL_LIB_CTX * libctx)22 int ossl_fips_config_securitycheck_enabled(OSSL_LIB_CTX *libctx)
23 {
24 #if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
25 return ossl_fips_config_security_checks(libctx);
26 #else
27 return 0;
28 #endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
29 }
30
ossl_digest_rsa_sign_get_md_nid(const EVP_MD * md)31 int ossl_digest_rsa_sign_get_md_nid(const EVP_MD *md)
32 {
33 return ossl_digest_get_approved_nid(md);
34 }
35
ossl_fips_ind_rsa_key_check(OSSL_FIPS_IND * ind,int id,OSSL_LIB_CTX * libctx,const RSA * rsa,const char * desc,int protect)36 int ossl_fips_ind_rsa_key_check(OSSL_FIPS_IND *ind, int id,
37 OSSL_LIB_CTX *libctx,
38 const RSA *rsa, const char *desc, int protect)
39 {
40 int key_approved = ossl_rsa_check_key_size(rsa, protect);
41
42 if (!key_approved) {
43 if (!ossl_FIPS_IND_on_unapproved(ind, id, libctx, desc, "Key size",
44 ossl_fips_config_securitycheck_enabled)) {
45 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH,
46 "operation: %s", desc);
47 return 0;
48 }
49 }
50 return 1;
51 }
52
53 # ifndef OPENSSL_NO_EC
ossl_fips_ind_ec_key_check(OSSL_FIPS_IND * ind,int id,OSSL_LIB_CTX * libctx,const EC_GROUP * group,const char * desc,int protect)54 int ossl_fips_ind_ec_key_check(OSSL_FIPS_IND *ind, int id,
55 OSSL_LIB_CTX *libctx,
56 const EC_GROUP *group, const char *desc,
57 int protect)
58 {
59 int curve_allowed, strength_allowed;
60
61 if (group == NULL)
62 return 0;
63
64 curve_allowed = ossl_ec_check_curve_allowed(group);
65 strength_allowed = ossl_ec_check_security_strength(group, protect);
66
67 if (!strength_allowed || !curve_allowed) {
68 if (!ossl_FIPS_IND_on_unapproved(ind, id, libctx, desc, "EC Key",
69 ossl_fips_config_securitycheck_enabled)) {
70 if (!curve_allowed)
71 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CURVE);
72 if (!strength_allowed)
73 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
74 return 0;
75 }
76 }
77 return 1;
78 }
79 #endif
80
ossl_fips_ind_digest_exch_check(OSSL_FIPS_IND * ind,int id,OSSL_LIB_CTX * libctx,const EVP_MD * md,const char * desc)81 int ossl_fips_ind_digest_exch_check(OSSL_FIPS_IND *ind, int id,
82 OSSL_LIB_CTX *libctx,
83 const EVP_MD *md, const char *desc)
84 {
85 int nid = ossl_digest_get_approved_nid(md);
86 int approved = (nid != NID_undef && nid != NID_sha1);
87
88 if (!approved) {
89 if (!ossl_FIPS_IND_on_unapproved(ind, id, libctx, desc, "Digest",
90 ossl_fips_config_securitycheck_enabled)) {
91 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST);
92 return 0;
93 }
94 }
95 return 1;
96 }
97
ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND * ind,int id,OSSL_LIB_CTX * libctx,int nid,int sha1_allowed,const char * desc,OSSL_FIPS_IND_CHECK_CB * config_check_f)98 int ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND *ind, int id,
99 OSSL_LIB_CTX *libctx,
100 int nid, int sha1_allowed,
101 const char *desc,
102 OSSL_FIPS_IND_CHECK_CB *config_check_f)
103 {
104 int approved;
105
106 if (nid == NID_undef)
107 approved = 0;
108 else
109 approved = sha1_allowed || nid != NID_sha1;
110
111 if (!approved) {
112 if (!ossl_FIPS_IND_on_unapproved(ind, id, libctx, desc, "Digest SHA1",
113 config_check_f)) {
114 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST);
115 return 0;
116 }
117 }
118 return 1;
119 }
120
