/src/openssl31/providers/common/securitycheck.c

Source (jump to first uncovered line)
/*
 * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include "internal/deprecated.h"

#include <openssl/rsa.h>
#include <openssl/dsa.h>
#include <openssl/dh.h>
#include <openssl/ec.h>
#include <openssl/evp.h>
#include <openssl/err.h>
#include <openssl/proverr.h>
#include <openssl/core_names.h>
#include <openssl/obj_mac.h>
#include "prov/securitycheck.h"

/*
 * FIPS requires a minimum security strength of 112 bits (for encryption or
 * signing), and for legacy purposes 80 bits (for decryption or verifying).
 * Set protect = 1 for encryption or signing operations, or 0 otherwise. See
 * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf.
 */
int ossl_rsa_check_key(OSSL_LIB_CTX *ctx, const RSA *rsa, int operation)
{
    int protect = 0;

    switch (operation) {
        case EVP_PKEY_OP_SIGN:
            protect = 1;
            /* fallthrough */
        case EVP_PKEY_OP_VERIFY:
            break;
        case EVP_PKEY_OP_ENCAPSULATE:
        case EVP_PKEY_OP_ENCRYPT:
            protect = 1;
            /* fallthrough */
        case EVP_PKEY_OP_VERIFYRECOVER:
        case EVP_PKEY_OP_DECAPSULATE:
        case EVP_PKEY_OP_DECRYPT:
            if (RSA_test_flags(rsa,
                               RSA_FLAG_TYPE_MASK) == RSA_FLAG_TYPE_RSASSAPSS) {
                ERR_raise_data(ERR_LIB_PROV,
                               PROV_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE,
                               "operation: %d", operation);
                return 0;
            }
            break;
        default:
            ERR_raise_data(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR,
                           "invalid operation: %d", operation);
            return 0;
    }

#if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
    if (ossl_securitycheck_enabled(ctx)) {
        int sz = RSA_bits(rsa);

        if (protect ? (sz < 2048) : (sz < 1024)) {
            ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH,
                           "operation: %d", operation);
            return 0;
        }
    }
#else
    /* make protect used */
    (void)protect;
#endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
    return 1;
}

#ifndef OPENSSL_NO_EC
/*
 * In FIPS mode:
 * protect should be 1 for any operations that need 112 bits of security
 * strength (such as signing, and key exchange), or 0 for operations that allow
 * a lower security strength (such as verify).
 *
 * For ECDH key agreement refer to SP800-56A
 * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf
 * "Appendix D"
 *
 * For ECDSA signatures refer to
 * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
 * "Table 2"
 */
int ossl_ec_check_key(OSSL_LIB_CTX *ctx, const EC_KEY *ec, int protect)
{
# if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
    if (ossl_securitycheck_enabled(ctx)) {
        int nid, strength;
        const char *curve_name;
        const EC_GROUP *group = EC_KEY_get0_group(ec);

        if (group == NULL) {
            ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE, "No group");
            return 0;
        }
        nid = EC_GROUP_get_curve_name(group);
        if (nid == NID_undef) {
            ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE,
                           "Explicit curves are not allowed in fips mode");
            return 0;
        }

        curve_name = EC_curve_nid2nist(nid);
        if (curve_name == NULL) {
            ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE,
                           "Curve %s is not approved in FIPS mode", curve_name);
            return 0;
        }

        /*
         * For EC the security strength is the (order_bits / 2)
         * e.g. P-224 is 112 bits.
         */
        strength = EC_GROUP_order_bits(group) / 2;
        /* The min security strength allowed for legacy verification is 80 bits */
        if (strength < 80) {
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CURVE);
            return 0;
        }

        /*
         * For signing or key agreement only allow curves with at least 112 bits of
         * security strength
         */
        if (protect && strength < 112) {
            ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE,
                           "Curve %s cannot be used for signing", curve_name);
            return 0;
        }
    }
# endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
    return 1;
}
#endif /* OPENSSL_NO_EC */

#ifndef OPENSSL_NO_DSA
/*
 * Check for valid key sizes if fips mode. Refer to
 * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
 * "Table 2"
 */
int ossl_dsa_check_key(OSSL_LIB_CTX *ctx, const DSA *dsa, int sign)
{
# if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
    if (ossl_securitycheck_enabled(ctx)) {
        size_t L, N;
        const BIGNUM *p, *q;

        if (dsa == NULL)
            return 0;

        p = DSA_get0_p(dsa);
        q = DSA_get0_q(dsa);
        if (p == NULL || q == NULL)
            return 0;

        L = BN_num_bits(p);
        N = BN_num_bits(q);

        /*
         * For Digital signature verification DSA keys with < 112 bits of
         * security strength, are still allowed for legacy
         * use. The bounds given in SP 800-131Ar2 - Table 2 are
         * (512 <= L < 2048 or 160 <= N < 224).
         *
         * We are a little stricter and insist that both minimums are met.
         * For example a L = 256, N = 160 key *would* be allowed by SP 800-131Ar2
         * but we don't.
         */
        if (!sign) {
            if (L < 512 || N < 160)
                return 0;
            if (L < 2048 || N < 224)
                return 1;
        }

         /* Valid sizes for both sign and verify */
        if (L == 2048 && (N == 224 || N == 256))    /* 112 bits */
            return 1;
        return (L == 3072 && N == 256);             /* 128 bits */
    }
# endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
    return 1;
}
#endif /* OPENSSL_NO_DSA */

#ifndef OPENSSL_NO_DH
/*
 * For DH key agreement refer to SP800-56A
 * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf
 * "Section 5.5.1.1FFC Domain Parameter Selection/Generation" and
 * "Appendix D" FFC Safe-prime Groups
 */
int ossl_dh_check_key(OSSL_LIB_CTX *ctx, const DH *dh)
{
# if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
    if (ossl_securitycheck_enabled(ctx)) {
        size_t L, N;
        const BIGNUM *p, *q;

        if (dh == NULL)
            return 0;

        p = DH_get0_p(dh);
        q = DH_get0_q(dh);
        if (p == NULL || q == NULL)
            return 0;

        L = BN_num_bits(p);
        if (L < 2048)
            return 0;

        /* If it is a safe prime group then it is ok */
        if (DH_get_nid(dh))
            return 1;

        /* If not then it must be FFC, which only allows certain sizes. */
        N = BN_num_bits(q);

        return (L == 2048 && (N == 224 || N == 256));
    }
# endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
    return 1;
}
#endif /* OPENSSL_NO_DH */

int ossl_digest_get_approved_nid_with_sha1(OSSL_LIB_CTX *ctx, const EVP_MD *md,
                                           int sha1_allowed)
{
    int mdnid = ossl_digest_get_approved_nid(md);

# if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
    if (ossl_securitycheck_enabled(ctx)) {
        if (mdnid == NID_undef || (mdnid == NID_sha1 && !sha1_allowed))
            mdnid = -1; /* disallowed by security checks */
    }
# endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
    return mdnid;
}

int ossl_digest_is_allowed(OSSL_LIB_CTX *ctx, const EVP_MD *md)
{
# if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
    if (ossl_securitycheck_enabled(ctx))
        return ossl_digest_get_approved_nid(md) != NID_undef;
# endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
    return 1;
}

Coverage Report

Created: 2025-06-13 06:58

Line	Count	Source (jump to first uncovered line)
1		/*
2		* Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the Apache License 2.0 (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9
10		#include "internal/deprecated.h"
11
12		#include <openssl/rsa.h>
13		#include <openssl/dsa.h>
14		#include <openssl/dh.h>
15		#include <openssl/ec.h>
16		#include <openssl/evp.h>
17		#include <openssl/err.h>
18		#include <openssl/proverr.h>
19		#include <openssl/core_names.h>
20		#include <openssl/obj_mac.h>
21		#include "prov/securitycheck.h"
22
23		/*
24		* FIPS requires a minimum security strength of 112 bits (for encryption or
25		* signing), and for legacy purposes 80 bits (for decryption or verifying).
26		* Set protect = 1 for encryption or signing operations, or 0 otherwise. See
27		* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf.
28		*/
29		int ossl_rsa_check_key(OSSL_LIB_CTX ctx, const RSA rsa, int operation)
30	39.4k	{
31	39.4k	int protect = 0;
32
33	39.4k	switch (operation) {
34	26.2k	case EVP_PKEY_OP_SIGN:
35	26.2k	protect = 1;
36		/* fallthrough */
37	35.3k	case EVP_PKEY_OP_VERIFY:
38	35.3k	break;
39	0	case EVP_PKEY_OP_ENCAPSULATE:
40	1.01k	case EVP_PKEY_OP_ENCRYPT:
41	1.01k	protect = 1;
42		/* fallthrough */
43	1.01k	case EVP_PKEY_OP_VERIFYRECOVER:
44	1.01k	case EVP_PKEY_OP_DECAPSULATE:
45	4.09k	case EVP_PKEY_OP_DECRYPT:
46	4.09k	if (RSA_test_flags(rsa,
47	4.09k	RSA_FLAG_TYPE_MASK) == RSA_FLAG_TYPE_RSASSAPSS) {
48	0	ERR_raise_data(ERR_LIB_PROV,
49	0	PROV_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE,
50	0	"operation: %d", operation);
51	0	return 0;
52	0	}
53	4.09k	break;
54	4.09k	default:
55	0	ERR_raise_data(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR,
56	0	"invalid operation: %d", operation);
57	0	return 0;
58	39.4k	}
59
60		#if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
61		if (ossl_securitycheck_enabled(ctx)) {
62		int sz = RSA_bits(rsa);
63
64		if (protect ? (sz < 2048) : (sz < 1024)) {
65		ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH,
66		"operation: %d", operation);
67		return 0;
68		}
69		}
70		#else
71		/* make protect used */
72	39.4k	(void)protect;
73	39.4k	#endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
74	39.4k	return 1;
75	39.4k	}
76
77		#ifndef OPENSSL_NO_EC
78		/*
79		* In FIPS mode:
80		* protect should be 1 for any operations that need 112 bits of security
81		* strength (such as signing, and key exchange), or 0 for operations that allow
82		* a lower security strength (such as verify).
83		*
84		* For ECDH key agreement refer to SP800-56A
85		* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf
86		* "Appendix D"
87		*
88		* For ECDSA signatures refer to
89		* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
90		* "Table 2"
91		*/
92		int ossl_ec_check_key(OSSL_LIB_CTX ctx, const EC_KEY ec, int protect)
93	10.5k	{
94		# if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
95		if (ossl_securitycheck_enabled(ctx)) {
96		int nid, strength;
97		const char *curve_name;
98		const EC_GROUP *group = EC_KEY_get0_group(ec);
99
100		if (group == NULL) {
101		ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE, "No group");
102		return 0;
103		}
104		nid = EC_GROUP_get_curve_name(group);
105		if (nid == NID_undef) {
106		ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE,
107		"Explicit curves are not allowed in fips mode");
108		return 0;
109		}
110
111		curve_name = EC_curve_nid2nist(nid);
112		if (curve_name == NULL) {
113		ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE,
114		"Curve %s is not approved in FIPS mode", curve_name);
115		return 0;
116		}
117
118		/*
119		* For EC the security strength is the (order_bits / 2)
120		* e.g. P-224 is 112 bits.
121		*/
122		strength = EC_GROUP_order_bits(group) / 2;
123		/* The min security strength allowed for legacy verification is 80 bits */
124		if (strength < 80) {
125		ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CURVE);
126		return 0;
127		}
128
129		/*
130		* For signing or key agreement only allow curves with at least 112 bits of
131		* security strength
132		*/
133		if (protect && strength < 112) {
134		ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE,
135		"Curve %s cannot be used for signing", curve_name);
136		return 0;
137		}
138		}
139		# endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
140	10.5k	return 1;
141	10.5k	}
142		#endif /* OPENSSL_NO_EC */
143
144		#ifndef OPENSSL_NO_DSA
145		/*
146		* Check for valid key sizes if fips mode. Refer to
147		* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
148		* "Table 2"
149		*/
150		int ossl_dsa_check_key(OSSL_LIB_CTX ctx, const DSA dsa, int sign)
151	942	{
152		# if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
153		if (ossl_securitycheck_enabled(ctx)) {
154		size_t L, N;
155		const BIGNUM p, q;
156
157		if (dsa == NULL)
158		return 0;
159
160		p = DSA_get0_p(dsa);
161		q = DSA_get0_q(dsa);
162		if (p == NULL \|\| q == NULL)
163		return 0;
164
165		L = BN_num_bits(p);
166		N = BN_num_bits(q);
167
168		/*
169		* For Digital signature verification DSA keys with < 112 bits of
170		* security strength, are still allowed for legacy
171		* use. The bounds given in SP 800-131Ar2 - Table 2 are
172		* (512 <= L < 2048 or 160 <= N < 224).
173		*
174		* We are a little stricter and insist that both minimums are met.
175		* For example a L = 256, N = 160 key would be allowed by SP 800-131Ar2
176		* but we don't.
177		*/
178		if (!sign) {
179		if (L < 512 \|\| N < 160)
180		return 0;
181		if (L < 2048 \|\| N < 224)
182		return 1;
183		}
184
185		/* Valid sizes for both sign and verify */
186		if (L == 2048 && (N == 224 \|\| N == 256)) /* 112 bits */
187		return 1;
188		return (L == 3072 && N == 256); /* 128 bits */
189		}
190		# endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
191	942	return 1;
192	942	}
193		#endif /* OPENSSL_NO_DSA */
194
195		#ifndef OPENSSL_NO_DH
196		/*
197		* For DH key agreement refer to SP800-56A
198		* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf
199		* "Section 5.5.1.1FFC Domain Parameter Selection/Generation" and
200		* "Appendix D" FFC Safe-prime Groups
201		*/
202		int ossl_dh_check_key(OSSL_LIB_CTX ctx, const DH dh)
203	2.78k	{
204		# if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
205		if (ossl_securitycheck_enabled(ctx)) {
206		size_t L, N;
207		const BIGNUM p, q;
208
209		if (dh == NULL)
210		return 0;
211
212		p = DH_get0_p(dh);
213		q = DH_get0_q(dh);
214		if (p == NULL \|\| q == NULL)
215		return 0;
216
217		L = BN_num_bits(p);
218		if (L < 2048)
219		return 0;
220
221		/* If it is a safe prime group then it is ok */
222		if (DH_get_nid(dh))
223		return 1;
224
225		/* If not then it must be FFC, which only allows certain sizes. */
226		N = BN_num_bits(q);
227
228		return (L == 2048 && (N == 224 \|\| N == 256));
229		}
230		# endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
231	2.78k	return 1;
232	2.78k	}
233		#endif /* OPENSSL_NO_DH */
234
235		int ossl_digest_get_approved_nid_with_sha1(OSSL_LIB_CTX ctx, const EVP_MD md,
236		int sha1_allowed)
237	47.0k	{
238	47.0k	int mdnid = ossl_digest_get_approved_nid(md);
239
240		# if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
241		if (ossl_securitycheck_enabled(ctx)) {
242		if (mdnid == NID_undef \|\| (mdnid == NID_sha1 && !sha1_allowed))
243		mdnid = -1; /* disallowed by security checks */
244		}
245		# endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
246	47.0k	return mdnid;
247	47.0k	}
248
249		int ossl_digest_is_allowed(OSSL_LIB_CTX ctx, const EVP_MD md)
250	0	{
251		# if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
252		if (ossl_securitycheck_enabled(ctx))
253		return ossl_digest_get_approved_nid(md) != NID_undef;
254		# endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
255	0	return 1;
256	0	}