/src/openssl30/providers/common/securitycheck.c
Line | Count | Source |
1 | | /* |
2 | | * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. |
3 | | * |
4 | | * Licensed under the Apache License 2.0 (the "License"). You may not use |
5 | | * this file except in compliance with the License. You can obtain a copy |
6 | | * in the file LICENSE in the source distribution or at |
7 | | * https://www.openssl.org/source/license.html |
8 | | */ |
9 | | |
10 | | #include "internal/deprecated.h" |
11 | | |
12 | | #include <openssl/rsa.h> |
13 | | #include <openssl/dsa.h> |
14 | | #include <openssl/dh.h> |
15 | | #include <openssl/ec.h> |
16 | | #include <openssl/evp.h> |
17 | | #include <openssl/err.h> |
18 | | #include <openssl/proverr.h> |
19 | | #include <openssl/core_names.h> |
20 | | #include <openssl/obj_mac.h> |
21 | | #include "prov/securitycheck.h" |
22 | | |
23 | | /* |
24 | | * FIPS requires a minimum security strength of 112 bits (for encryption or |
25 | | * signing), and for legacy purposes 80 bits (for decryption or verifying). |
26 | | * Set protect = 1 for encryption or signing operations, or 0 otherwise. See |
27 | | * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf. |
28 | | */ |
29 | | int ossl_rsa_check_key(OSSL_LIB_CTX *ctx, const RSA *rsa, int operation) |
30 | 31.2k | { |
31 | 31.2k | int protect = 0; |
32 | | |
33 | 31.2k | switch (operation) { |
34 | 19.2k | case EVP_PKEY_OP_SIGN: |
35 | 19.2k | protect = 1; |
36 | | /* fallthrough */ |
37 | 26.6k | case EVP_PKEY_OP_VERIFY: |
38 | 26.6k | break; |
39 | 0 | case EVP_PKEY_OP_ENCAPSULATE: |
40 | 1.91k | case EVP_PKEY_OP_ENCRYPT: |
41 | 1.91k | protect = 1; |
42 | | /* fallthrough */ |
43 | 1.91k | case EVP_PKEY_OP_VERIFYRECOVER: |
44 | 1.91k | case EVP_PKEY_OP_DECAPSULATE: |
45 | 4.60k | case EVP_PKEY_OP_DECRYPT: |
46 | 4.60k | if (RSA_test_flags(rsa, |
47 | 4.60k | RSA_FLAG_TYPE_MASK) |
48 | 4.60k | == RSA_FLAG_TYPE_RSASSAPSS) { |
49 | 0 | ERR_raise_data(ERR_LIB_PROV, |
50 | 0 | PROV_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE, |
51 | 0 | "operation: %d", operation); |
52 | 0 | return 0; |
53 | 0 | } |
54 | 4.60k | break; |
55 | 4.60k | default: |
56 | 0 | ERR_raise_data(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR, |
57 | 0 | "invalid operation: %d", operation); |
58 | 0 | return 0; |
59 | 31.2k | } |
60 | | |
61 | | #if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS) |
62 | | if (ossl_securitycheck_enabled(ctx)) { |
63 | | int sz = RSA_bits(rsa); |
64 | | |
65 | | if (protect ? (sz < 2048) : (sz < 1024)) { |
66 | | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH, |
67 | | "operation: %d", operation); |
68 | | return 0; |
69 | | } |
70 | | } |
71 | | #else |
72 | | /* make protect used */ |
73 | 31.2k | (void)protect; |
74 | 31.2k | #endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */ |
75 | 31.2k | return 1; |
76 | 31.2k | } |
77 | | |
78 | | #ifndef OPENSSL_NO_EC |
79 | | /* |
80 | | * In FIPS mode: |
81 | | * protect should be 1 for any operations that need 112 bits of security |
82 | | * strength (such as signing, and key exchange), or 0 for operations that allow |
83 | | * a lower security strength (such as verify). |
84 | | * |
85 | | * For ECDH key agreement refer to SP800-56A |
86 | | * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf |
87 | | * "Appendix D" |
88 | | * |
89 | | * For ECDSA signatures refer to |
90 | | * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf |
91 | | * "Table 2" |
92 | | */ |
93 | | int ossl_ec_check_key(OSSL_LIB_CTX *ctx, const EC_KEY *ec, int protect) |
94 | 9.05k | { |
95 | | #if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS) |
96 | | if (ossl_securitycheck_enabled(ctx)) { |
97 | | int nid, strength; |
98 | | const char *curve_name; |
99 | | const EC_GROUP *group = EC_KEY_get0_group(ec); |
100 | | |
101 | | if (group == NULL) { |
102 | | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE, "No group"); |
103 | | return 0; |
104 | | } |
105 | | nid = EC_GROUP_get_curve_name(group); |
106 | | if (nid == NID_undef) { |
107 | | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE, |
108 | | "Explicit curves are not allowed in fips mode"); |
109 | | return 0; |
110 | | } |
111 | | |
112 | | curve_name = EC_curve_nid2nist(nid); |
113 | | if (curve_name == NULL) { |
114 | | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE, |
115 | | "Curve %s is not approved in FIPS mode", curve_name); |
116 | | return 0; |
117 | | } |
118 | | |
119 | | /* |
120 | | * For EC the security strength is the (order_bits / 2) |
121 | | * e.g. P-224 is 112 bits. |
122 | | */ |
123 | | strength = EC_GROUP_order_bits(group) / 2; |
124 | | /* The min security strength allowed for legacy verification is 80 bits */ |
125 | | if (strength < 80) { |
126 | | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CURVE); |
127 | | return 0; |
128 | | } |
129 | | |
130 | | /* |
131 | | * For signing or key agreement only allow curves with at least 112 bits of |
132 | | * security strength |
133 | | */ |
134 | | if (protect && strength < 112) { |
135 | | ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE, |
136 | | "Curve %s cannot be used for signing", curve_name); |
137 | | return 0; |
138 | | } |
139 | | } |
140 | | #endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */ |
141 | 9.05k | return 1; |
142 | 9.05k | } |
143 | | #endif /* OPENSSL_NO_EC */ |
144 | | |
145 | | #ifndef OPENSSL_NO_DSA |
146 | | /* |
147 | | * Check for valid key sizes if fips mode. Refer to |
148 | | * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf |
149 | | * "Table 2" |
150 | | */ |
151 | | int ossl_dsa_check_key(OSSL_LIB_CTX *ctx, const DSA *dsa, int sign) |
152 | 793 | { |
153 | | #if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS) |
154 | | if (ossl_securitycheck_enabled(ctx)) { |
155 | | size_t L, N; |
156 | | const BIGNUM *p, *q; |
157 | | |
158 | | if (dsa == NULL) |
159 | | return 0; |
160 | | |
161 | | p = DSA_get0_p(dsa); |
162 | | q = DSA_get0_q(dsa); |
163 | | if (p == NULL || q == NULL) |
164 | | return 0; |
165 | | |
166 | | L = BN_num_bits(p); |
167 | | N = BN_num_bits(q); |
168 | | |
169 | | /* |
170 | | * For Digital signature verification DSA keys with < 112 bits of |
171 | | * security strength, are still allowed for legacy |
172 | | * use. The bounds given in SP 800-131Ar2 - Table 2 are |
173 | | * (512 <= L < 2048 or 160 <= N < 224). |
174 | | * |
175 | | * We are a little stricter and insist that both minimums are met. |
176 | | * For example a L = 256, N = 160 key *would* be allowed by SP 800-131Ar2 |
177 | | * but we don't. |
178 | | */ |
179 | | if (!sign) { |
180 | | if (L < 512 || N < 160) |
181 | | return 0; |
182 | | if (L < 2048 || N < 224) |
183 | | return 1; |
184 | | } |
185 | | |
186 | | /* Valid sizes for both sign and verify */ |
187 | | if (L == 2048 && (N == 224 || N == 256)) /* 112 bits */ |
188 | | return 1; |
189 | | return (L == 3072 && N == 256); /* 128 bits */ |
190 | | } |
191 | | #endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */ |
192 | 793 | return 1; |
193 | 793 | } |
194 | | #endif /* OPENSSL_NO_DSA */ |
195 | | |
196 | | #ifndef OPENSSL_NO_DH |
197 | | /* |
198 | | * For DH key agreement refer to SP800-56A |
199 | | * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf |
200 | | * "Section 5.5.1.1FFC Domain Parameter Selection/Generation" and |
201 | | * "Appendix D" FFC Safe-prime Groups |
202 | | */ |
203 | | int ossl_dh_check_key(OSSL_LIB_CTX *ctx, const DH *dh) |
204 | 2.02k | { |
205 | | #if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS) |
206 | | if (ossl_securitycheck_enabled(ctx)) { |
207 | | size_t L, N; |
208 | | const BIGNUM *p, *q; |
209 | | |
210 | | if (dh == NULL) |
211 | | return 0; |
212 | | |
213 | | p = DH_get0_p(dh); |
214 | | q = DH_get0_q(dh); |
215 | | if (p == NULL || q == NULL) |
216 | | return 0; |
217 | | |
218 | | L = BN_num_bits(p); |
219 | | if (L < 2048) |
220 | | return 0; |
221 | | |
222 | | /* If it is a safe prime group then it is ok */ |
223 | | if (DH_get_nid(dh)) |
224 | | return 1; |
225 | | |
226 | | /* If not then it must be FFC, which only allows certain sizes. */ |
227 | | N = BN_num_bits(q); |
228 | | |
229 | | return (L == 2048 && (N == 224 || N == 256)); |
230 | | } |
231 | | #endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */ |
232 | 2.02k | return 1; |
233 | 2.02k | } |
234 | | #endif /* OPENSSL_NO_DH */ |
235 | | |
236 | | int ossl_digest_get_approved_nid_with_sha1(OSSL_LIB_CTX *ctx, const EVP_MD *md, |
237 | | int sha1_allowed) |
238 | 35.9k | { |
239 | 35.9k | int mdnid = ossl_digest_get_approved_nid(md); |
240 | | |
241 | | #if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS) |
242 | | if (ossl_securitycheck_enabled(ctx)) { |
243 | | if (mdnid == NID_undef || (mdnid == NID_sha1 && !sha1_allowed)) |
244 | | mdnid = -1; /* disallowed by security checks */ |
245 | | } |
246 | | #endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */ |
247 | 35.9k | return mdnid; |
248 | 35.9k | } |
249 | | |
250 | | int ossl_digest_is_allowed(OSSL_LIB_CTX *ctx, const EVP_MD *md) |
251 | 0 | { |
252 | | #if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS) |
253 | | if (ossl_securitycheck_enabled(ctx)) |
254 | | return ossl_digest_get_approved_nid(md) != NID_undef; |
255 | | #endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */ |
256 | 0 | return 1; |
257 | 0 | } |