/* * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at * https://www.openssl.org/source/license.html */ #include "internal/deprecated.h" #include #include #include #include #include #include #include #include #include #include "prov/securitycheck.h" /* * FIPS requires a minimum security strength of 112 bits (for encryption or * signing), and for legacy purposes 80 bits (for decryption or verifying). * Set protect = 1 for encryption or signing operations, or 0 otherwise. See * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf. */ int ossl_rsa_check_key(const RSA *rsa, int operation) { int protect = 0; switch (operation) { case EVP_PKEY_OP_SIGN: protect = 1; /* fallthrough */ case EVP_PKEY_OP_VERIFY: break; case EVP_PKEY_OP_ENCAPSULATE: case EVP_PKEY_OP_ENCRYPT: protect = 1; /* fallthrough */ case EVP_PKEY_OP_VERIFYRECOVER: case EVP_PKEY_OP_DECAPSULATE: case EVP_PKEY_OP_DECRYPT: if (RSA_test_flags(rsa, RSA_FLAG_TYPE_MASK) == RSA_FLAG_TYPE_RSASSAPSS) { ERR_raise_data(ERR_LIB_PROV, PROV_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE, "operation: %d", operation); return 0; } break; default: ERR_raise_data(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR, "invalid operation: %d", operation); return 0; } #if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS) if (ossl_securitycheck_enabled()) { int sz = RSA_bits(rsa); if (protect ? (sz < 2048) : (sz < 1024)) { ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH, "operation: %d", operation); return 0; } } #else /* make protect used */ (void)protect; #endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */ return 1; } #ifndef OPENSSL_NO_EC /* * In FIPS mode: * protect should be 1 for any operations that need 112 bits of security * strength (such as signing, and key exchange), or 0 for operations that allow * a lower security strength (such as verify). * * For ECDH key agreement refer to SP800-56A * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf * "Appendix D" * * For ECDSA signatures refer to * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf * "Table 2" */ int ossl_ec_check_key(const EC_KEY *ec, int protect) { # if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS) if (ossl_securitycheck_enabled()) { int nid, strength; const char *curve_name; const EC_GROUP *group = EC_KEY_get0_group(ec); if (group == NULL) { ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE, "No group"); return 0; } nid = EC_GROUP_get_curve_name(group); if (nid == NID_undef) { ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE, "Explicit curves are not allowed in fips mode"); return 0; } curve_name = EC_curve_nid2nist(nid); if (curve_name == NULL) { ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE, "Curve %s is not approved in FIPS mode", curve_name); return 0; } /* * For EC the security strength is the (order_bits / 2) * e.g. P-224 is 112 bits. */ strength = EC_GROUP_order_bits(group) / 2; /* The min security strength allowed for legacy verification is 80 bits */ if (strength < 80) { ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CURVE); return 0; } /* * For signing or key agreement only allow curves with at least 112 bits of * security strength */ if (protect && strength < 112) { ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE, "Curve %s cannot be used for signing", curve_name); return 0; } } # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */ return 1; } #endif /* OPENSSL_NO_EC */ #ifndef OPENSSL_NO_DSA /* * Check for valid key sizes if fips mode. Refer to * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf * "Table 2" */ int ossl_dsa_check_key(const DSA *dsa, int sign) { # if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS) if (ossl_securitycheck_enabled()) { size_t L, N; const BIGNUM *p, *q; if (dsa == NULL) return 0; p = DSA_get0_p(dsa); q = DSA_get0_q(dsa); if (p == NULL || q == NULL) return 0; L = BN_num_bits(p); N = BN_num_bits(q); /* * For Digital signature verification DSA keys with < 112 bits of * security strength (i.e L < 2048 bits), are still allowed for legacy * use. The bounds given in SP800 131Ar2 - Table 2 are * (512 <= L < 2048 and 160 <= N < 224) */ if (!sign && L < 2048) return (L >= 512 && N >= 160 && N < 224); /* Valid sizes for both sign and verify */ if (L == 2048 && (N == 224 || N == 256)) return 1; return (L == 3072 && N == 256); } # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */ return 1; } #endif /* OPENSSL_NO_DSA */ #ifndef OPENSSL_NO_DH /* * For DH key agreement refer to SP800-56A * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf * "Section 5.5.1.1FFC Domain Parameter Selection/Generation" and * "Appendix D" FFC Safe-prime Groups */ int ossl_dh_check_key(const DH *dh) { # if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS) if (ossl_securitycheck_enabled()) { size_t L, N; const BIGNUM *p, *q; if (dh == NULL) return 0; p = DH_get0_p(dh); q = DH_get0_q(dh); if (p == NULL || q == NULL) return 0; L = BN_num_bits(p); if (L < 2048) return 0; /* If it is a safe prime group then it is ok */ if (DH_get_nid(dh)) return 1; /* If not then it must be FFC, which only allows certain sizes. */ N = BN_num_bits(q); return (L == 2048 && (N == 224 || N == 256)); } # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */ return 1; } #endif /* OPENSSL_NO_DH */ int ossl_digest_get_approved_nid_with_sha1(const EVP_MD *md, int sha1_allowed) { int mdnid = ossl_digest_get_approved_nid(md); # if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS) if (ossl_securitycheck_enabled()) { if (mdnid == NID_sha1 && !sha1_allowed) mdnid = NID_undef; } # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */ return mdnid; } int ossl_digest_is_allowed(const EVP_MD *md) { # if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS) if (ossl_securitycheck_enabled()) return ossl_digest_get_approved_nid(md) != NID_undef; # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */ return 1; }