/src/openssl/providers/common/securitycheck.c

Source (jump to first uncovered line)
/*
 * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include "internal/deprecated.h"

#include <openssl/rsa.h>
#include <openssl/dsa.h>
#include <openssl/dh.h>
#include <openssl/ec.h>
#include <openssl/evp.h>
#include <openssl/err.h>
#include <openssl/proverr.h>
#include <openssl/core_names.h>
#include <openssl/obj_mac.h>
#include "prov/securitycheck.h"
#include "prov/fipsindicator.h"

int ossl_rsa_key_op_get_protect(const RSA *rsa, int operation, int *outprotect)
{
    int protect = 0;

    switch (operation) {
        case EVP_PKEY_OP_SIGN:
            protect = 1;
            /* fallthrough */
        case EVP_PKEY_OP_VERIFY:
            break;
        case EVP_PKEY_OP_ENCAPSULATE:
        case EVP_PKEY_OP_ENCRYPT:
            protect = 1;
            /* fallthrough */
        case EVP_PKEY_OP_VERIFYRECOVER:
        case EVP_PKEY_OP_DECAPSULATE:
        case EVP_PKEY_OP_DECRYPT:
            if (RSA_test_flags(rsa,
                               RSA_FLAG_TYPE_MASK) == RSA_FLAG_TYPE_RSASSAPSS) {
                ERR_raise_data(ERR_LIB_PROV,
                               PROV_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE,
                               "operation: %d", operation);
                return 0;
            }
            break;
        default:
            ERR_raise_data(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR,
                           "invalid operation: %d", operation);
            return 0;
    }
    *outprotect = protect;
    return 1;
}

/*
 * FIPS requires a minimum security strength of 112 bits (for encryption or
 * signing), and for legacy purposes 80 bits (for decryption or verifying).
 * Set protect = 1 for encryption or signing operations, or 0 otherwise. See
 * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf.
 */
int ossl_rsa_check_key_size(const RSA *rsa, int protect)
{
    int sz = RSA_bits(rsa);

    if (protect ? (sz < 2048) : (sz < 1024))
        return 0;
    return 1;
}

#ifndef OPENSSL_NO_EC

int ossl_ec_check_curve_allowed(const EC_GROUP *group)
{
    const char *curve_name;
    int nid = EC_GROUP_get_curve_name(group);

    /* Explict curves are not FIPS approved */
    if (nid == NID_undef)
        return 0;
    /* Only NIST curves are FIPS approved */
    curve_name = EC_curve_nid2nist(nid);
    if (curve_name == NULL)
        return 0;
    return 1;
}

/*
 * In FIPS mode:
 * protect should be 1 for any operations that need 112 bits of security
 * strength (such as signing, and key exchange), or 0 for operations that allow
 * a lower security strength (such as verify).
 *
 * For ECDH key agreement refer to SP800-56A
 * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf
 * "Appendix D"
 *
 * For ECDSA signatures refer to
 * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
 * "Table 2"
 */
int ossl_ec_check_security_strength(const EC_GROUP *group, int protect)
{
    /*
     * For EC the security strength is the (order_bits / 2)
     * e.g. P-224 is 112 bits.
     */
    int strength = EC_GROUP_order_bits(group) / 2;
    /* The min security strength allowed for legacy verification is 80 bits */
    if (strength < 80)
        return 0;
    /*
     * For signing or key agreement only allow curves with at least 112 bits of
     * security strength
     */
    if (protect && strength < 112)
        return 0;
    return 1;
}

#endif /* OPENSSL_NO_EC */

#ifndef OPENSSL_NO_DSA
/*
 * Check for valid key sizes if fips mode. Refer to
 * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
 * "Table 2"
 */
int ossl_dsa_check_key(const DSA *dsa, int sign)
{
    size_t L, N;
    const BIGNUM *p, *q;

    if (dsa == NULL)
        return 0;

    p = DSA_get0_p(dsa);
    q = DSA_get0_q(dsa);
    if (p == NULL || q == NULL)
        return 0;

    L = BN_num_bits(p);
    N = BN_num_bits(q);

    /*
     * For Digital signature verification DSA keys with < 112 bits of
     * security strength, are still allowed for legacy
     * use. The bounds given in SP 800-131Ar2 - Table 2 are
     * (512 <= L < 2048 or 160 <= N < 224).
     *
     * We are a little stricter and insist that both minimums are met.
     * For example a L = 256, N = 160 key *would* be allowed by SP 800-131Ar2
     * but we don't.
     */
    if (!sign) {
        if (L < 512 || N < 160)
            return 0;
        if (L < 2048 || N < 224)
            return 1;
    }

     /* Valid sizes for both sign and verify */
    if (L == 2048 && (N == 224 || N == 256))    /* 112 bits */
        return 1;
    return (L == 3072 && N == 256);             /* 128 bits */
}
#endif /* OPENSSL_NO_DSA */

#ifndef OPENSSL_NO_DH
/*
 * For DH key agreement refer to SP800-56A
 * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf
 * "Section 5.5.1.1FFC Domain Parameter Selection/Generation" and
 * "Appendix D" FFC Safe-prime Groups
 */
int ossl_dh_check_key(const DH *dh)
{
    size_t L, N;
    const BIGNUM *p, *q;

    if (dh == NULL)
        return 0;

    p = DH_get0_p(dh);
    q = DH_get0_q(dh);
    if (p == NULL || q == NULL)
        return 0;

    L = BN_num_bits(p);
    if (L < 2048)
        return 0;

    /* If it is a safe prime group then it is ok */
    if (DH_get_nid(dh))
        return 1;

    /* If not then it must be FFC, which only allows certain sizes. */
    N = BN_num_bits(q);

    return (L == 2048 && (N == 224 || N == 256));
}
#endif /* OPENSSL_NO_DH */

Coverage Report

Created: 2024-07-27 06:36

Line	Count	Source (jump to first uncovered line)
1		/*
2		* Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the Apache License 2.0 (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9
10		#include "internal/deprecated.h"
11
12		#include <openssl/rsa.h>
13		#include <openssl/dsa.h>
14		#include <openssl/dh.h>
15		#include <openssl/ec.h>
16		#include <openssl/evp.h>
17		#include <openssl/err.h>
18		#include <openssl/proverr.h>
19		#include <openssl/core_names.h>
20		#include <openssl/obj_mac.h>
21		#include "prov/securitycheck.h"
22		#include "prov/fipsindicator.h"
23
24		int ossl_rsa_key_op_get_protect(const RSA rsa, int operation, int outprotect)
25	0	{
26	0	int protect = 0;
27
28	0	switch (operation) {
29	0	case EVP_PKEY_OP_SIGN:
30	0	protect = 1;
31		/* fallthrough */
32	0	case EVP_PKEY_OP_VERIFY:
33	0	break;
34	0	case EVP_PKEY_OP_ENCAPSULATE:
35	0	case EVP_PKEY_OP_ENCRYPT:
36	0	protect = 1;
37		/* fallthrough */
38	0	case EVP_PKEY_OP_VERIFYRECOVER:
39	0	case EVP_PKEY_OP_DECAPSULATE:
40	0	case EVP_PKEY_OP_DECRYPT:
41	0	if (RSA_test_flags(rsa,
42	0	RSA_FLAG_TYPE_MASK) == RSA_FLAG_TYPE_RSASSAPSS) {
43	0	ERR_raise_data(ERR_LIB_PROV,
44	0	PROV_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE,
45	0	"operation: %d", operation);
46	0	return 0;
47	0	}
48	0	break;
49	0	default:
50	0	ERR_raise_data(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR,
51	0	"invalid operation: %d", operation);
52	0	return 0;
53	0	}
54	0	*outprotect = protect;
55	0	return 1;
56	0	}
57
58		/*
59		* FIPS requires a minimum security strength of 112 bits (for encryption or
60		* signing), and for legacy purposes 80 bits (for decryption or verifying).
61		* Set protect = 1 for encryption or signing operations, or 0 otherwise. See
62		* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf.
63		*/
64		int ossl_rsa_check_key_size(const RSA *rsa, int protect)
65	0	{
66	0	int sz = RSA_bits(rsa);
67
68	0	if (protect ? (sz < 2048) : (sz < 1024))
69	0	return 0;
70	0	return 1;
71	0	}
72
73		#ifndef OPENSSL_NO_EC
74
75		int ossl_ec_check_curve_allowed(const EC_GROUP *group)
76	0	{
77	0	const char *curve_name;
78	0	int nid = EC_GROUP_get_curve_name(group);
79
80		/* Explict curves are not FIPS approved */
81	0	if (nid == NID_undef)
82	0	return 0;
83		/* Only NIST curves are FIPS approved */
84	0	curve_name = EC_curve_nid2nist(nid);
85	0	if (curve_name == NULL)
86	0	return 0;
87	0	return 1;
88	0	}
89
90		/*
91		* In FIPS mode:
92		* protect should be 1 for any operations that need 112 bits of security
93		* strength (such as signing, and key exchange), or 0 for operations that allow
94		* a lower security strength (such as verify).
95		*
96		* For ECDH key agreement refer to SP800-56A
97		* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf
98		* "Appendix D"
99		*
100		* For ECDSA signatures refer to
101		* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
102		* "Table 2"
103		*/
104		int ossl_ec_check_security_strength(const EC_GROUP *group, int protect)
105	0	{
106		/*
107		* For EC the security strength is the (order_bits / 2)
108		* e.g. P-224 is 112 bits.
109		*/
110	0	int strength = EC_GROUP_order_bits(group) / 2;
111		/* The min security strength allowed for legacy verification is 80 bits */
112	0	if (strength < 80)
113	0	return 0;
114		/*
115		* For signing or key agreement only allow curves with at least 112 bits of
116		* security strength
117		*/
118	0	if (protect && strength < 112)
119	0	return 0;
120	0	return 1;
121	0	}
122
123		#endif /* OPENSSL_NO_EC */
124
125		#ifndef OPENSSL_NO_DSA
126		/*
127		* Check for valid key sizes if fips mode. Refer to
128		* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
129		* "Table 2"
130		*/
131		int ossl_dsa_check_key(const DSA *dsa, int sign)
132	0	{
133	0	size_t L, N;
134	0	const BIGNUM p, q;
135
136	0	if (dsa == NULL)
137	0	return 0;
138
139	0	p = DSA_get0_p(dsa);
140	0	q = DSA_get0_q(dsa);
141	0	if (p == NULL \|\| q == NULL)
142	0	return 0;
143
144	0	L = BN_num_bits(p);
145	0	N = BN_num_bits(q);
146
147		/*
148		* For Digital signature verification DSA keys with < 112 bits of
149		* security strength, are still allowed for legacy
150		* use. The bounds given in SP 800-131Ar2 - Table 2 are
151		* (512 <= L < 2048 or 160 <= N < 224).
152		*
153		* We are a little stricter and insist that both minimums are met.
154		* For example a L = 256, N = 160 key would be allowed by SP 800-131Ar2
155		* but we don't.
156		*/
157	0	if (!sign) {
158	0	if (L < 512 \|\| N < 160)
159	0	return 0;
160	0	if (L < 2048 \|\| N < 224)
161	0	return 1;
162	0	}
163
164		/* Valid sizes for both sign and verify */
165	0	if (L == 2048 && (N == 224 \|\| N == 256)) /* 112 bits */
166	0	return 1;
167	0	return (L == 3072 && N == 256); /* 128 bits */
168	0	}
169		#endif /* OPENSSL_NO_DSA */
170
171		#ifndef OPENSSL_NO_DH
172		/*
173		* For DH key agreement refer to SP800-56A
174		* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf
175		* "Section 5.5.1.1FFC Domain Parameter Selection/Generation" and
176		* "Appendix D" FFC Safe-prime Groups
177		*/
178		int ossl_dh_check_key(const DH *dh)
179	0	{
180	0	size_t L, N;
181	0	const BIGNUM p, q;
182
183	0	if (dh == NULL)
184	0	return 0;
185
186	0	p = DH_get0_p(dh);
187	0	q = DH_get0_q(dh);
188	0	if (p == NULL \|\| q == NULL)
189	0	return 0;
190
191	0	L = BN_num_bits(p);
192	0	if (L < 2048)
193	0	return 0;
194
195		/* If it is a safe prime group then it is ok */
196	0	if (DH_get_nid(dh))
197	0	return 1;
198
199		/* If not then it must be FFC, which only allows certain sizes. */
200	0	N = BN_num_bits(q);
201
202	0	return (L == 2048 && (N == 224 \|\| N == 256));
203	0	}
204		#endif /* OPENSSL_NO_DH */