authorslontis <shane.lontis@oracle.com>2024-07-01 11:36:58 +1000
committerPauli <ppzgs1@gmail.com>2024-07-11 08:29:43 +1000
commitc13ddf0a6c71efac8ef546f0d3632341afab3f07 (patch)
tree8c87439328e16479f39457c639d5128b3c7bee02
parentd4848934a61a668d16078f3118786c9a741b7efd (diff)
Change all existing FIPS configurable checks to use FIPS indicators.
This changes the logic to always do the security checks and then decide what to do based on if this passes or not. Failure of a check causes either a failure OR the FIPS indicator callback to be triggered. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24623)
-rw-r--r--doc/man7/EVP_ASYM_CIPHER-RSA.pod4
-rw-r--r--doc/man7/EVP_KDF-TLS1_PRF.pod16
-rw-r--r--doc/man7/EVP_KEM-RSA.pod7
-rw-r--r--doc/man7/EVP_KEYEXCH-DH.pod14
-rw-r--r--doc/man7/EVP_KEYEXCH-ECDH.pod14
-rw-r--r--doc/man7/EVP_SIGNATURE-DSA.pod9
-rw-r--r--doc/man7/EVP_SIGNATURE-ECDSA.pod6
-rw-r--r--doc/man7/EVP_SIGNATURE-RSA.pod11
-rw-r--r--doc/man7/provider-asym_cipher.pod19
-rw-r--r--doc/man7/provider-kem.pod31
-rw-r--r--doc/man7/provider-keyexch.pod28
-rw-r--r--doc/man7/provider-rand.pod18
-rw-r--r--doc/man7/provider-signature.pod30
-rw-r--r--providers/common/include/prov/fipsindicator.h14
-rw-r--r--providers/common/include/prov/securitycheck.h24
-rw-r--r--providers/common/securitycheck.c250
-rw-r--r--providers/common/securitycheck_default.c5
-rw-r--r--providers/common/securitycheck_fips.c91
-rw-r--r--providers/implementations/asymciphers/rsa_enc.c37
-rw-r--r--providers/implementations/exchange/dh_exch.c55
-rw-r--r--providers/implementations/exchange/ecdh_exch.c49
-rw-r--r--providers/implementations/kdfs/tls1_prf.c67
-rw-r--r--providers/implementations/kem/rsa_kem.c40
-rw-r--r--providers/implementations/rands/drbg.c37
-rw-r--r--providers/implementations/rands/drbg_ctr.c2
-rw-r--r--providers/implementations/rands/drbg_hash.c10
-rw-r--r--providers/implementations/rands/drbg_hmac.c10
-rw-r--r--providers/implementations/rands/drbg_local.h5
-rw-r--r--providers/implementations/signature/dsa_sig.c100
-rw-r--r--providers/implementations/signature/ecdsa_sig.c82
-rw-r--r--providers/implementations/signature/rsa_sig.c122
-rw-r--r--util/perl/OpenSSL/paramnames.pm17
32 files changed, 882 insertions, 342 deletions
diff --git a/doc/man7/EVP_ASYM_CIPHER-RSA.pod b/doc/man7/EVP_ASYM_CIPHER-RSA.pod
index c68cad6c42..b36927082d 100644
--- a/doc/man7/EVP_ASYM_CIPHER-RSA.pod
+++ b/doc/man7/EVP_ASYM_CIPHER-RSA.pod
@@ -57,6 +57,10 @@ See L<EVP_PKEY_CTX_set_rsa_padding(3)> for further details.
=item "oaep-label" (B<OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL>) <octet string>
+=item "fips-indicator" (B<OSSL_ASYM_CIPHER_PARAM_FIPS_APPROVED_INDICATOR>) <int>
+
+=item "key-check" (B<OSSL_ASYM_CIPHER_PARAM_FIPS_KEY_CHECK>) <int>
+
=item "tls-client-version" (B<OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION>) <unsigned integer>
See B<RSA_PKCS1_WITH_TLS_PADDING> on the page L<EVP_PKEY_CTX_set_rsa_padding(3)>.
diff --git a/doc/man7/EVP_KDF-TLS1_PRF.pod b/doc/man7/EVP_KDF-TLS1_PRF.pod
index 8a60e97315..1c0bf750ba 100644
--- a/doc/man7/EVP_KDF-TLS1_PRF.pod
+++ b/doc/man7/EVP_KDF-TLS1_PRF.pod
@@ -44,6 +44,22 @@ This parameter sets the context seed.
The length of the context seed cannot exceed 1024 bytes;
this should be more than enough for any normal use of the TLS PRF.
+=item "fips-indicator" (B<OSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR>) <int>
+
+A getter that returns 1 if the operation is FIPS approved, or 0 otherwise.
+This may be used after calling EVP_KDF_derive. It returns 0 if the "ems_check"
+is set to 0 and the "extended master secret" test fails.
+This option is used by the OpenSSL FIPS provider.
+
+=item "ems_check" (B<OSSL_KDF_PARAM_FIPS_EMS_CHECK>) <int>
+
+The default value of 1 causes an error during EVP_KDF_derive() if
+"master secret" is used instead of "extended master secret" Setting this to zero
+will ignore the error and set the approved "fips-indicator" to 0.
+This option is used by the OpenSSL FIPS provider, and breaks FIPS compliance if
+set to 0.
+
+
=back
=head1 NOTES
diff --git a/doc/man7/EVP_KEM-RSA.pod b/doc/man7/EVP_KEM-RSA.pod
index 3a89f5db39..2733be6a6c 100644
--- a/doc/man7/EVP_KEM-RSA.pod
+++ b/doc/man7/EVP_KEM-RSA.pod
@@ -31,8 +31,13 @@ The decapsulate function recovers the secret using the RSA private key.
This can be set using EVP_PKEY_CTX_set_kem_op().
-=back
+=item "fips-indicator" (B<OSSL_KEM_PARAM_FIPS_APPROVED_INDICATOR>) <int>
+
+=item "key-check" (B<OSSL_KEM_PARAM_FIPS_KEY_CHECK>) <int>
+These parameters are described in L<provider-kem(7)>.
+
+=back
=head1 CONFORMING TO
diff --git a/doc/man7/EVP_KEYEXCH-DH.pod b/doc/man7/EVP_KEYEXCH-DH.pod
index a6927afefb..1ccc469318 100644
--- a/doc/man7/EVP_KEYEXCH-DH.pod
+++ b/doc/man7/EVP_KEYEXCH-DH.pod
@@ -28,22 +28,20 @@ the KDF type is set to "X942KDF-ASN1" (B<OSSL_KDF_NAME_X942KDF_ASN1>).
=item "kdf-type" (B<OSSL_EXCHANGE_PARAM_KDF_TYPE>) <UTF8 string>
-See L<provider-keyexch(7)/Common Key Exchange parameters>.
-
=item "kdf-digest" (B<OSSL_EXCHANGE_PARAM_KDF_DIGEST>) <UTF8 string>
-See L<provider-keyexch(7)/Common Key Exchange parameters>.
-
=item "kdf-digest-props" (B<OSSL_EXCHANGE_PARAM_KDF_DIGEST_PROPS>) <UTF8 string>
-See L<provider-keyexch(7)/Common Key Exchange parameters>.
-
=item "kdf-outlen" (B<OSSL_EXCHANGE_PARAM_KDF_OUTLEN>) <unsigned integer>
-See L<provider-keyexch(7)/Common Key Exchange parameters>.
-
=item "kdf-ukm" (B<OSSL_EXCHANGE_PARAM_KDF_UKM>) <octet string>
+=item "fips-indicator" (B<OSSL_EXCHANGE_PARAM_FIPS_APPROVED_INDICATOR>) <int>
+
+=item "key-check" (B<OSSL_EXCHANGE_PARAM_FIPS_KEY_CHECK>) <int>
+
+=item "digest-check" (B<OSSL_EXCHANGE_PARAM_FIPS_DIGEST_CHECK>) <int>
+
See L<provider-keyexch(7)/Common Key Exchange parameters>.
=item "cekalg" (B<OSSL_KDF_PARAM_CEK_ALG>) <octet string ptr>
diff --git a/doc/man7/EVP_KEYEXCH-ECDH.pod b/doc/man7/EVP_KEYEXCH-ECDH.pod
index f9579dab2f..28e8d2a760 100644
--- a/doc/man7/EVP_KEYEXCH-ECDH.pod
+++ b/doc/man7/EVP_KEYEXCH-ECDH.pod
@@ -33,22 +33,20 @@ per-key basis.
=item "kdf-type" (B<OSSL_EXCHANGE_PARAM_KDF_TYPE>) <UTF8 string>
-See L<provider-keyexch(7)/Common Key Exchange parameters>.
-
=item "kdf-digest" (B<OSSL_EXCHANGE_PARAM_KDF_DIGEST>) <UTF8 string>
-See L<provider-keyexch(7)/Common Key Exchange parameters>.
-
=item "kdf-digest-props" (B<OSSL_EXCHANGE_PARAM_KDF_DIGEST_PROPS>) <UTF8 string>
-See L<provider-keyexch(7)/Common Key Exchange parameters>.
-
=item "kdf-outlen" (B<OSSL_EXCHANGE_PARAM_KDF_OUTLEN>) <unsigned integer>
-See L<provider-keyexch(7)/Common Key Exchange parameters>.
-
=item "kdf-ukm" (B<OSSL_EXCHANGE_PARAM_KDF_UKM>) <octet string>
+=item "fips-indicator" (B<OSSL_EXCHANGE_PARAM_FIPS_APPROVED_INDICATOR>) <int>
+
+=item "key-check" (B<OSSL_EXCHANGE_PARAM_FIPS_KEY_CHECK>) <int>
+
+=item "digest-check" (B<OSSL_EXCHANGE_PARAM_FIPS_DIGEST_CHECK>) <int>
+
See L<provider-keyexch(7)/Common Key Exchange parameters>.
=back
diff --git a/doc/man7/EVP_SIGNATURE-DSA.pod b/doc/man7/EVP_SIGNATURE-DSA.pod
index 290041a2dd..2e761cb667 100644
--- a/doc/man7/EVP_SIGNATURE-DSA.pod
+++ b/doc/man7/EVP_SIGNATURE-DSA.pod
@@ -14,7 +14,8 @@ See L<EVP_PKEY-DSA(7)> for information related to DSA keys.
The following signature parameters can be set using EVP_PKEY_CTX_set_params().
This may be called after EVP_PKEY_sign_init() or EVP_PKEY_verify_init(),
-and before calling EVP_PKEY_sign() or EVP_PKEY_verify().
+and before calling EVP_PKEY_sign() or EVP_PKEY_verify(). They may also be set
+using EVP_PKEY_sign_init_ex() or EVP_PKEY_verify_init_ex().
=over 4
@@ -24,6 +25,10 @@ and before calling EVP_PKEY_sign() or EVP_PKEY_verify().
=item "nonce-type" (B<OSSL_SIGNATURE_PARAM_NONCE_TYPE>) <unsigned integer>
+=item "key-check" (B<OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK>) <int>
+
+=item "digest-check" (B<OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK>) <int>
+
The settable parameters are described in L<provider-signature(7)>.
=back
@@ -39,6 +44,8 @@ EVP_PKEY_CTX_get_params().
=item "nonce-type" (B<OSSL_SIGNATURE_PARAM_NONCE_TYPE>) <unsigned integer>
+=item "fips-indicator" (B<OSSL_SIGNATURE_PARAM_FIPS_APPROVED_INDICATOR>) <int>
+
The gettable parameters are described in L<provider-signature(7)>.
=back
diff --git a/doc/man7/EVP_SIGNATURE-ECDSA.pod b/doc/man7/EVP_SIGNATURE-ECDSA.pod
index a19d467c0d..4d47b8c9bf 100644
--- a/doc/man7/EVP_SIGNATURE-ECDSA.pod
+++ b/doc/man7/EVP_SIGNATURE-ECDSA.pod
@@ -23,6 +23,10 @@ and before calling EVP_PKEY_sign() or EVP_PKEY_verify().
=item "nonce-type" (B<OSSL_SIGNATURE_PARAM_NONCE_TYPE>) <unsigned integer>
+=item "key-check" (B<OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK>) <int>
+
+=item "digest-check" (B<OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK>) <int>
+
These parameters are described in L<provider-signature(7)>.
=back
@@ -38,6 +42,8 @@ EVP_PKEY_CTX_get_params().
=item "nonce-type" (B<OSSL_SIGNATURE_PARAM_NONCE_TYPE>) <unsigned integer>
+=item "fips-indicator" (B<OSSL_SIGNATURE_PARAM_FIPS_APPROVED_INDICATOR>) <int>
+
The parameters are described in L<provider-signature(7)>.
=back
diff --git a/doc/man7/EVP_SIGNATURE-RSA.pod b/doc/man7/EVP_SIGNATURE-RSA.pod
index de6869786c..9398e77019 100644
--- a/doc/man7/EVP_SIGNATURE-RSA.pod
+++ b/doc/man7/EVP_SIGNATURE-RSA.pod
@@ -14,7 +14,8 @@ See L<EVP_PKEY-RSA(7)> for information related to RSA keys.
The following signature parameters can be set using EVP_PKEY_CTX_set_params().
This may be called after EVP_PKEY_sign_init() or EVP_PKEY_verify_init(),
-and before calling EVP_PKEY_sign() or EVP_PKEY_verify().
+and before calling EVP_PKEY_sign() or EVP_PKEY_verify(). They may also be set
+using EVP_PKEY_sign_init_ex() or EVP_PKEY_verify_init_ex().
=over 4
@@ -22,6 +23,10 @@ and before calling EVP_PKEY_sign() or EVP_PKEY_verify().
=item "properties" (B<OSSL_SIGNATURE_PARAM_PROPERTIES>) <UTF8 string>
+=item "key-check" (B<OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK>) <int>
+
+=item "digest-check" (B<OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK>) <int>
+
These common parameters are described in L<provider-signature(7)>.
=item "pad-mode" (B<OSSL_SIGNATURE_PARAM_PAD_MODE>) <UTF8 string>
@@ -84,7 +89,9 @@ EVP_PKEY_CTX_get_params().
=item "algorithm-id" (B<OSSL_SIGNATURE_PARAM_ALGORITHM_ID>) <octet string>
-This common parameter is described in L<provider-signature(7)>.
+=item "fips-indicator" (B<OSSL_SIGNATURE_PARAM_FIPS_APPROVED_INDICATOR>) <int>
+
+These common parameter are described in L<provider-signature(7)>.
=item "digest" (B<OSSL_SIGNATURE_PARAM_DIGEST>) <UTF8 string>
diff --git a/doc/man7/provider-asym_cipher.pod b/doc/man7/provider-asym_cipher.pod
index 24fe160bf7..9602367da8 100644
--- a/doc/man7/provider-asym_cipher.pod
+++ b/doc/man7/provider-asym_cipher.pod
@@ -243,6 +243,23 @@ This makes exploitation of the Bleichenbacher significantly harder, even
if the code using the RSA decryption API is not implemented in side-channel
free manner. Set by default. Requires provider support.
+=item "fips-indicator" (B<OSSL_ASYM_CIPHER_PARAM_FIPS_APPROVED_INDICATOR>) <int>
+
+A getter that returns 1 if the operation is FIPS approved, or 0 otherwise.
+This may be used after calling either OSSL_FUNC_asym_cipher_encrypt() or
+OSSL_FUNC_asym_cipher_decrypt(). It may return 0 if "key-check" is set to 0.
+This option is used by the OpenSSL FIPS provider.
+
+=item "key-check" (B<OSSL_ASYM_CIPHER_PARAM_FIPS_KEY_CHECK>) <int>
+
+If required this parameter should be set using either
+OSSL_FUNC_asym_cipher_encrypt_init() or OSSL_FUNC_asym_cipher_decrypt_init().
+The default value of 1 causes an error during the init if the key is not FIPS
+approved (e.g. The key has a security strength of less than 112 bits). Setting
+this to 0 will ignore the error and set the approved "fips-indicator" to 0.
+This option is used by the OpenSSL FIPS provider, and breaks FIPS compliance if
+set to 0.
+
=back
OSSL_FUNC_asym_cipher_gettable_ctx_params() and OSSL_FUNC_asym_cipher_settable_ctx_params()
@@ -264,6 +281,8 @@ L<provider(7)>
=head1 HISTORY
The provider ASYM_CIPHER interface was introduced in OpenSSL 3.0.
+The Asymmetric Cipher Parameters "fips-indicator" and "key-check"
+were added in OpenSSL 3.4.
=head1 COPYRIGHT
diff --git a/doc/man7/provider-kem.pod b/doc/man7/provider-kem.pod
index 970105a269..eb04beb429 100644
--- a/doc/man7/provider-kem.pod
+++ b/doc/man7/provider-kem.pod
@@ -186,12 +186,36 @@ See L<OSSL_PARAM(3)> for further details on the parameters structure used by
the OSSL_FUNC_kem_get_ctx_params() and OSSL_FUNC_kem_set_ctx_params()
functions.
-OSSL_FUNC_kem_get_ctx_params() gets asymmetric kem parameters associated
+Common parameters currently recognised by built-in key encapsulation algorithms
+are as follows.
+
+=over 4
+
+=item "fips-indicator" (B<OSSL_KEM_PARAM_FIPS_APPROVED_INDICATOR>) <int>
+
+A getter that returns 1 if the operation is FIPS approved, or 0 otherwise.
+This may be used after calling either OSSL_FUNC_kem_encapsulate() or
+OSSL_FUNC_kem_decapsulate(). It may return 0 if the "key-check" is set to 0.
+This option is used by the OpenSSL FIPS provider.
+
+=item "key-check" (B<OSSL_KEM_PARAM_FIPS_KEY_CHECK>) <int>
+
+If required this parameter should be set using OSSL_FUNC_kem_encapsulate_init()
+or OSSL_FUNC_kem_decapsulate_init().
+The default value of 1 causes an error during the init if the key is not FIPS
+approved (e.g. The key has a security strength of less than 112 bits). Setting
+this to 0 will ignore the error and set the approved "fips-indicator" to 0.
+This option is used by the OpenSSL FIPS provider, and breaks FIPS compliance if
+set to 0.
+
+=back
+
+OSSL_FUNC_kem_get_ctx_params() gets asymmetric KEM parameters associated
with the given provider side asymmetric kem context I<ctx> and stores them in
I<params>.
Passing NULL for I<params> should return true.
-OSSL_FUNC_kem_set_ctx_params() sets the asymmetric kem parameters associated
+OSSL_FUNC_kem_set_ctx_params() sets the asymmetric KEM parameters associated
with the given provider side asymmetric kem context I<ctx> to I<params>.
Any parameter settings are additional to any that were previously set.
Passing NULL for I<params> should return true.
@@ -221,6 +245,9 @@ The provider KEM interface was introduced in OpenSSL 3.0.
OSSL_FUNC_kem_auth_encapsulate_init() and OSSL_FUNC_kem_auth_decapsulate_init()
were added in OpenSSL 3.2.
+The Asymmetric Key Encapsulation Parameters "fips-indicator" and "key-check"
+were added in OpenSSL 3.4.
+
=head1 COPYRIGHT
Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
diff --git a/doc/man7/provider-keyexch.pod b/doc/man7/provider-keyexch.pod
index 9e146d31c7..702bfb01f6 100644
--- a/doc/man7/provider-keyexch.pod
+++ b/doc/man7/provider-keyexch.pod
@@ -204,6 +204,31 @@ usually do not need to support this gettable parameter as its sole purpose
is to support functionality of the deprecated EVP_PKEY_CTX_get0_ecdh_kdf_ukm()
and EVP_PKEY_CTX_get0_dh_kdf_ukm() functions.
+=item "fips-indicator" (B<OSSL_EXCHANGE_PARAM_FIPS_APPROVED_INDICATOR>) <int>
+
+A getter that returns 1 if the operation is FIPS approved, or 0 otherwise.
+This may be used after calling OSSL_FUNC_keyexch_derive(). It may
+return 0 if either the "digest-check" or the "key-check" are set to 0.
+This option is used by the OpenSSL FIPS provider.
+
+=item "key-check" (B<OSSL_EXCHANGE_PARAM_FIPS_KEY_CHECK>) <int>
+
+If required this parameter should be set using OSSL_FUNC_keyexch_init().
+The default value of 1 causes an error during the init if the key is not FIPS
+approved (e.g. The key has a security strength of less than 112 bits). Setting
+this to 0 will ignore the error and set the approved "fips-indicator" to 0.
+This option is used by the OpenSSL FIPS provider, and breaks FIPS compliance if
+set to 0.
+
+=item "digest-check" (B<OSSL_EXCHANGE_PARAM_FIPS_DIGEST_CHECK>) <int>
+
+If required this parameter should be set before any optional digest is set.
+The default value of 1 causes an error when the digest is set if the digest is
+not FIPS approved. Setting this to 0 will ignore the error and set the
+approved "fips-indicator" to 0.
+This option is used by the OpenSSL FIPS provider, and breaks FIPS compliance if
+set to 0.
+
=back
=head1 RETURN VALUES
@@ -226,6 +251,9 @@ L<provider(7)>
The provider KEYEXCH interface was introduced in OpenSSL 3.0.
+The Key Exchange Parameters "fips-indicator", "key-check" and "digest-check"
+were added in OpenSSL 3.4.
+
=head1 COPYRIGHT
Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
diff --git a/doc/man7/provider-rand.pod b/doc/man7/provider-rand.pod
index e115d845dc..aa1df965f6 100644
--- a/doc/man7/provider-rand.pod
+++ b/doc/man7/provider-rand.pod
@@ -254,6 +254,22 @@ Sets the properties to be queried when trying to fetch an underlying algorithm.
This must be given together with the algorithm naming parameter to be
considered valid.
+=item "fips-indicator" (B<OSSL_DRBG_PARAM_FIPS_APPROVED_INDICATOR>) <int>
+
+A getter that returns 1 if the operation is FIPS approved, or 0 otherwise.
+This may be used after calling OSSL_FUNC_rand_generate(). It may
+return 0 if the "digest-check" is set to 0.
+This option is used by the OpenSSL FIPS provider.
+
+=item "digest-check" (B<OSSL_DRBG_PARAM_FIPS_DIGEST_CHECK>) <int>
+
+If required this parameter should be set before the digest is set.
+The default value of 1 causes an error when the digest is set if the digest is
+not FIPS approved (e.g. truncated digests). Setting this to 0 will ignore
+the error and set the approved "fips-indicator" to 0.
+This option is used by the OpenSSL FIPS provider, and breaks FIPS compliance if
+set to 0.
+
=back
=head1 RETURN VALUES
@@ -289,6 +305,8 @@ L<EVP_RAND(3)>
=head1 HISTORY
The provider RAND interface was introduced in OpenSSL 3.0.
+The Rand Parameters "fips-indicator" and "digest-check" were added in
+OpenSSL 3.4.
=head1 COPYRIGHT
diff --git a/doc/man7/provider-signature.pod b/doc/man7/provider-signature.pod
index b26b8b6a5b..7763112d06 100644
--- a/doc/man7/provider-signature.pod
+++ b/doc/man7/provider-signature.pod
@@ -257,7 +257,7 @@ the I<routlen> parameter.
=head2 Digest Sign Functions
-OSSL_FUNC_signature_digeset_sign_init() initialises a context for signing given a
+OSSL_FUNC_signature_digest_sign_init() initialises a context for signing given a
provider side signature context in the I<ctx> parameter, and a pointer to a
provider key object in the I<provkey> parameter.
The I<params>, if not NULL, should be set on the context in a manner similar to
@@ -388,6 +388,32 @@ was successful.
Known answer tests can be performed if the random generator is overridden to
supply known values that either pass or fail.
+=item "fips-indicator" (B<OSSL_SIGNATURE_PARAM_FIPS_APPROVED_INDICATOR>) <int>
+
+A getter that returns 1 if the operation is FIPS approved, or 0 otherwise.
+This may be used after calling either the sign or verify final functions. It may
+return 0 if either the "digest-check" or the "key-check" are set to 0.
+This option is used by the OpenSSL FIPS provider.
+
+=item "key-check" (B<OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK>) <int>
+
+If required this parameter should be set early via an init function
+(e.g. OSSL_FUNC_signature_sign_init() or OSSL_FUNC_signature_verify_init()).
+The default value of 1 causes an error during the init if the key is not FIPS
+approved (e.g. The key has a security strength of less than 112 bits).
+Setting this to 0 will ignore the error and set the approved "indicator" to 0.
+This option is used by the OpenSSL FIPS provider, and breaks FIPS compliance if
+set to 0.
+
+=item "digest-check" (B<OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK>) <int>
+
+If required this parameter should be set before the signature digest is set.
+The default value of 1 causes an error when the digest is set if the digest is
+not FIPS approved (e.g. SHA1 is used for signing). Setting this to 0 will ignore
+the error and set the approved "fips-indicator" to 0.
+This option is used by the OpenSSL FIPS provider, and breaks FIPS compliance if
+set to 0.
+
=back
OSSL_FUNC_signature_gettable_ctx_params() and OSSL_FUNC_signature_settable_ctx_params() get a
@@ -438,6 +464,8 @@ L<provider(7)>
=head1 HISTORY
The provider SIGNATURE interface was introduced in OpenSSL 3.0.
+The Signature Parameters "fips-indicator", "key-check" and "digest-check"
+were added in OpenSSL 3.4.
=head1 COPYRIGHT
diff --git a/providers/common/include/prov/fipsindicator.h b/providers/common/include/prov/fipsindicator.h
index fbfa7e0790..0b6c52ed8c 100644
--- a/providers/common/include/prov/fipsindicator.h
+++ b/providers/common/include/prov/fipsindicator.h
@@ -116,6 +116,20 @@ void ossl_FIPS_IND_copy(OSSL_FIPS_IND *dst, const OSSL_FIPS_IND *src);
#define OSSL_FIPS_IND_GET(ctx) &((ctx)->indicator)
+int ossl_fips_ind_rsa_key_check(OSSL_FIPS_IND *ind, int id, OSSL_LIB_CTX *libctx,
+ const RSA *rsa, const char *desc, int protect);
+# ifndef OPENSSL_NO_EC
+int ossl_fips_ind_ec_key_check(OSSL_FIPS_IND *ind, int id, OSSL_LIB_CTX *libctx,
+ const EC_GROUP *group, const char *desc,
+ int protect);
+# endif
+int ossl_fips_ind_digest_check(OSSL_FIPS_IND *ind, int id, OSSL_LIB_CTX *libctx,
+ const EVP_MD *md, const char *desc);
+int ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND *ind, int id,
+ OSSL_LIB_CTX *libctx,
+ int nid, int sha1_allowed,
+ const char *desc);
+
#else
# define OSSL_FIPS_IND_DECLARE
# define OSSL_FIPS_IND_INIT(ctx)
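Review bot: The four `ossl_fips_ind_*_check` prototypes added here carry no comment, so the meaning of `id`, `desc`, `protect` and `sha1_allowed`, and of the int result, has to be read out of the implementation. The commit message says a failed check ends in either an error or the indicator callback, and this header is where that contract should be stated, since these functions are now the enforcement point. Something like `/* Returns 1 if the check passes or the failure is tolerated (indicator then marked unapproved), 0 on error */` would do, assuming that matches the implementation, which is not visible in this hunk.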
diff --git a/providers/common/include/prov/securitycheck.h b/providers/common/include/prov/securitycheck.h
index 611c6d531b..4db5202c59 100644
--- a/providers/common/include/prov/securitycheck.h
+++ b/providers/common/include/prov/securitycheck.h
@@ -1,5 +1,5 @@
/*
- * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -8,24 +8,24 @@
*/
#include "crypto/types.h"
+#include <openssl/ec.h>
/* Functions that are common */
-int ossl_rsa_check_key(OSSL_LIB_CTX *ctx, const RSA *rsa, int operation);
-int ossl_ec_check_key(OSSL_LIB_CTX *ctx, const EC_KEY *ec, int protect);
-int ossl_dsa_check_key(OSSL_LIB_CTX *ctx, const DSA *dsa, int sign);
-int ossl_dh_check_key(OSSL_LIB_CTX *ctx, const DH *dh);
+int ossl_rsa_key_op_get_protect(const RSA *rsa, int operation, int *outprotect);
+int ossl_rsa_check_key_size(const RSA *rsa, int protect);
-int ossl_digest_is_allowed(OSSL_LIB_CTX *ctx, const EVP_MD *md);
-/* With security check enabled it can return -1 to indicate disallowed md */
-int ossl_digest_get_approved_nid_with_sha1(OSSL_LIB_CTX *ctx, const EVP_MD *md,
- int sha1_allowed);
+#ifndef OPENSSL_NO_EC
+int ossl_ec_check_curve_allowed(const EC_GROUP *group);
+int ossl_ec_check_security_strength(const EC_GROUP *group, int protect);
+#endif
+
+int ossl_dsa_check_key(const DSA *dsa, int sign);
+int ossl_dh_check_key(const DH *dh);
-/* Functions that are common */
int ossl_digest_md_to_nid(const EVP_MD *md, const OSSL_ITEM *it, size_t it_len);
int ossl_digest_get_approved_nid(const EVP_MD *md);
/* Functions that have different implementations for the FIPS_MODULE */
-int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md,
- int sha1_allowed);
+int ossl_digest_rsa_sign_get_md_nid(const EVP_MD *md);
int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx);
int ossl_tls1_prf_ems_check_enabled(OSSL_LIB_CTX *libctx);
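Review bot: `ossl_dsa_check_key` and `ossl_dh_check_key` keep their names but lose the `OSSL_LIB_CTX` argument, so they can no longer consult `ossl_securitycheck_enabled()` themselves and presumably now return the raw verdict; the declarations should say so. A comment above the group, e.g. `/* Pure predicates: 1 if acceptable, 0 otherwise; they do not consult the configuration */`, would keep a later caller from treating them as the place where policy is applied, if that matches the implementations, which are outside this hunk. The hunk also deletes the remark that the digest lookup can return -1 for a disallowed md, without saying what `ossl_digest_rsa_sign_get_md_nid(const EVP_MD *md)` returns in that case. Naming the sentinel next to the prototype avoids callers testing for the wrong value.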
diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c
index 0d3acdbe56..e8e1c2400a 100644
--- a/providers/common/securitycheck.c
+++ b/providers/common/securitycheck.c
@@ -19,14 +19,9 @@
#include <openssl/core_names.h>
#include <openssl/obj_mac.h>
#include "prov/securitycheck.h"
+#include "prov/fipsindicator.h"
-/*
- * FIPS requires a minimum security strength of 112 bits (for encryption or
- * signing), and for legacy purposes 80 bits (for decryption or verifying).
- * Set protect = 1 for encryption or signing operations, or 0 otherwise. See
- * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf.
- */
-int ossl_rsa_check_key(OSSL_LIB_CTX *ctx, const RSA *rsa, int operation)
+int ossl_rsa_key_op_get_protect(const RSA *rsa, int operation, int *outprotect)
{
int protect = 0;
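Review bot: `ossl_rsa_key_op_get_protect` is left without a header comment, because the block comment that used to sit above this function describes the key-strength limits and moves to `ossl_rsa_check_key_size` in the next hunk. The new out-parameter deserves a line of its own: the following hunk shows `*outprotect` assigned only just before `return 1`, so on the invalid-operation path it is left untouched and a caller that ignores the result would read an unset value. I would add `/* Maps operation to protect (1 = encrypt/sign, 0 = otherwise); *outprotect is written only when 1 is returned */` above the definition. The body of the function continues outside this hunk.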
@@ -56,25 +51,42 @@ int ossl_rsa_check_key(OSSL_LIB_CTX *ctx, const RSA *rsa, int operation)
"invalid operation: %d", operation);
return 0;
}
+ *outprotect = protect;
+ return 1;
+}
-#if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
- if (ossl_securitycheck_enabled(ctx)) {
- int sz = RSA_bits(rsa);
+/*
+ * FIPS requires a minimum security strength of 112 bits (for encryption or
+ * signing), and for legacy purposes 80 bits (for decryption or verifying).
+ * Set protect = 1 for encryption or signing operations, or 0 otherwise. See
+ * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf.
+ */
+int ossl_rsa_check_key_size(const RSA *rsa, int protect)
+{
+ int sz = RSA_bits(rsa);
- if (protect ? (sz < 2048) : (sz < 1024)) {
- ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH,
- "operation: %d", operation);
- return 0;
- }
- }
-#else
- /* make protect used */
- (void)protect;
-#endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
+ if (protect ? (sz < 2048) : (sz < 1024))
+ return 0;
return 1;
}
#ifndef OPENSSL_NO_EC
+
+int ossl_ec_check_curve_allowed(const EC_GROUP *group)
+{
+ const char *curve_name;
+ int nid = EC_GROUP_get_curve_name(group);
+
+ /* Explict curves are not FIPS approved */
+ if (nid == NID_undef)
+ return 0;
+ /* Only NIST curves are FIPS approved */
+ curve_name = EC_curve_nid2nist(nid);
+ if (curve_name == NULL)
+ return 0;
+ return 1;
+}
+
/*
* In FIPS mode:
* protect should be 1 for any operations that need 112 bits of security
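Review bot: `ossl_ec_check_curve_allowed` passes `group` straight to `EC_GROUP_get_curve_name()`, whereas the `ossl_ec_check_key` code removed in the next hunk rejected a NULL group before making that call. Unless every caller now guarantees a non-NULL group (the callers are not in this hunk), the guard should be kept as the first statement, `if (group == NULL) return 0;`; `ossl_ec_check_security_strength` in the next hunk appears to have the same exposure. `curve_name` is only compared with NULL, so `return EC_curve_nid2nist(nid) != NULL;` would let the local go. The comment `Explict curves` should read `Explicit curves`.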
@@ -89,56 +101,25 @@ int ossl_rsa_check_key(OSSL_LIB_CTX *ctx, const RSA *rsa, int operation)
* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
* "Table 2"
*/
-int ossl_ec_check_key(OSSL_LIB_CTX *ctx, const EC_KEY *ec, int protect)
+int ossl_ec_check_security_strength(const EC_GROUP *group, int protect)
{
-# if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
- if (ossl_securitycheck_enabled(ctx)) {
- int nid, strength;
- const char *curve_name;
- const EC_GROUP *group = EC_KEY_get0_group(ec);
-
- if (group == NULL) {
- ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE, "No group");
- return 0;
- }
- nid = EC_GROUP_get_curve_name(group);
- if (nid == NID_undef) {
- ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE,
- "Explicit curves are not allowed in fips mode");
- return 0;
- }
-
- curve_name = EC_curve_nid2nist(nid);
- if (curve_name == NULL) {
- ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE,
- "Curve %s is not approved in FIPS mode", curve_name);
- return 0;
- }
-
- /*
- * For EC the security strength is the (order_bits / 2)
- * e.g. P-224 is 112 bits.
- */
- strength = EC_GROUP_order_bits(group) / 2;
- /* The min security strength allowed for legacy verification is 80 bits */
- if (strength < 80) {
- ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CURVE);
- return 0;
- }
-
- /*
- * For signing or key agreement only allow curves with at least 112 bits of
- * security strength
- */
- if (protect && strength < 112) {
- ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE,
- "Curve %s cannot be used for signing", curve_name);
- return 0;
- }
- }
-# endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
+ /*
+ * For EC the security strength is the (order_bits / 2)
+ * e.g. P-224 is 112 bits.
+ */
+ int strength = EC_GROUP_order_bits(grou