1 /* 2 * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include "internal/deprecated.h" 11 12 #include <openssl/rsa.h> 13 #include <openssl/dsa.h> 14 #include <openssl/dh.h> 15 #include <openssl/ec.h> 16 #include <openssl/evp.h> 17 #include <openssl/err.h> 18 #include <openssl/proverr.h> 19 #include <openssl/core_names.h> 20 #include <openssl/obj_mac.h> 21 #include "prov/securitycheck.h" 22 23 /* 24 * FIPS requires a minimum security strength of 112 bits (for encryption or 25 * signing), and for legacy purposes 80 bits (for decryption or verifying). 26 * Set protect = 1 for encryption or signing operations, or 0 otherwise. See 27 * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf. 28 */ 29 int ossl_rsa_check_key(OSSL_LIB_CTX *ctx, const RSA *rsa, int operation) 30 { 31 int protect = 0; 32 33 switch (operation) { 34 case EVP_PKEY_OP_SIGN: 35 protect = 1; 36 /* fallthrough */ 37 case EVP_PKEY_OP_VERIFY: 38 break; 39 case EVP_PKEY_OP_ENCAPSULATE: 40 case EVP_PKEY_OP_ENCRYPT: 41 protect = 1; 42 /* fallthrough */ 43 case EVP_PKEY_OP_VERIFYRECOVER: 44 case EVP_PKEY_OP_DECAPSULATE: 45 case EVP_PKEY_OP_DECRYPT: 46 if (RSA_test_flags(rsa, 47 RSA_FLAG_TYPE_MASK) == RSA_FLAG_TYPE_RSASSAPSS) { 48 ERR_raise_data(ERR_LIB_PROV, 49 PROV_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE, 50 "operation: %d", operation); 51 return 0; 52 } 53 break; 54 default: 55 ERR_raise_data(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR, 56 "invalid operation: %d", operation); 57 return 0; 58 } 59 60 #if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS) 61 if (ossl_securitycheck_enabled(ctx)) { 62 int sz = RSA_bits(rsa); 63 64 if (protect ? (sz < 2048) : (sz < 1024)) { 65 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH, 66 "operation: %d", operation); 67 return 0; 68 } 69 } 70 #else 71 /* make protect used */ 72 (void)protect; 73 #endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */ 74 return 1; 75 } 76 77 #ifndef OPENSSL_NO_EC 78 /* 79 * In FIPS mode: 80 * protect should be 1 for any operations that need 112 bits of security 81 * strength (such as signing, and key exchange), or 0 for operations that allow 82 * a lower security strength (such as verify). 83 * 84 * For ECDH key agreement refer to SP800-56A 85 * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf 86 * "Appendix D" 87 * 88 * For ECDSA signatures refer to 89 * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf 90 * "Table 2" 91 */ 92 int ossl_ec_check_key(OSSL_LIB_CTX *ctx, const EC_KEY *ec, int protect) 93 { 94 # if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS) 95 if (ossl_securitycheck_enabled(ctx)) { 96 int nid, strength; 97 const char *curve_name; 98 const EC_GROUP *group = EC_KEY_get0_group(ec); 99 100 if (group == NULL) { 101 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE, "No group"); 102 return 0; 103 } 104 nid = EC_GROUP_get_curve_name(group); 105 if (nid == NID_undef) { 106 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE, 107 "Explicit curves are not allowed in fips mode"); 108 return 0; 109 } 110 111 curve_name = EC_curve_nid2nist(nid); 112 if (curve_name == NULL) { 113 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE, 114 "Curve %s is not approved in FIPS mode", curve_name); 115 return 0; 116 } 117 118 /* 119 * For EC the security strength is the (order_bits / 2) 120 * e.g. P-224 is 112 bits. 121 */ 122 strength = EC_GROUP_order_bits(group) / 2; 123 /* The min security strength allowed for legacy verification is 80 bits */ 124 if (strength < 80) { 125 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CURVE); 126 return 0; 127 } 128 129 /* 130 * For signing or key agreement only allow curves with at least 112 bits of 131 * security strength 132 */ 133 if (protect && strength < 112) { 134 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE, 135 "Curve %s cannot be used for signing", curve_name); 136 return 0; 137 } 138 } 139 # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */ 140 return 1; 141 } 142 #endif /* OPENSSL_NO_EC */ 143 144 #ifndef OPENSSL_NO_DSA 145 /* 146 * Check for valid key sizes if fips mode. Refer to 147 * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf 148 * "Table 2" 149 */ 150 int ossl_dsa_check_key(OSSL_LIB_CTX *ctx, const DSA *dsa, int sign) 151 { 152 # if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS) 153 if (ossl_securitycheck_enabled(ctx)) { 154 size_t L, N; 155 const BIGNUM *p, *q; 156 157 if (dsa == NULL) 158 return 0; 159 160 p = DSA_get0_p(dsa); 161 q = DSA_get0_q(dsa); 162 if (p == NULL || q == NULL) 163 return 0; 164 165 L = BN_num_bits(p); 166 N = BN_num_bits(q); 167 168 /* 169 * For Digital signature verification DSA keys with < 112 bits of 170 * security strength (i.e L < 2048 bits), are still allowed for legacy 171 * use. The bounds given in SP800 131Ar2 - Table 2 are 172 * (512 <= L < 2048 and 160 <= N < 224) 173 */ 174 if (!sign && L < 2048) 175 return (L >= 512 && N >= 160 && N < 224); 176 177 /* Valid sizes for both sign and verify */ 178 if (L == 2048 && (N == 224 || N == 256)) 179 return 1; 180 return (L == 3072 && N == 256); 181 } 182 # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */ 183 return 1; 184 } 185 #endif /* OPENSSL_NO_DSA */ 186 187 #ifndef OPENSSL_NO_DH 188 /* 189 * For DH key agreement refer to SP800-56A 190 * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf 191 * "Section 5.5.1.1FFC Domain Parameter Selection/Generation" and 192 * "Appendix D" FFC Safe-prime Groups 193 */ 194 int ossl_dh_check_key(OSSL_LIB_CTX *ctx, const DH *dh) 195 { 196 # if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS) 197 if (ossl_securitycheck_enabled(ctx)) { 198 size_t L, N; 199 const BIGNUM *p, *q; 200 201 if (dh == NULL) 202 return 0; 203 204 p = DH_get0_p(dh); 205 q = DH_get0_q(dh); 206 if (p == NULL || q == NULL) 207 return 0; 208 209 L = BN_num_bits(p); 210 if (L < 2048) 211 return 0; 212 213 /* If it is a safe prime group then it is ok */ 214 if (DH_get_nid(dh)) 215 return 1; 216 217 /* If not then it must be FFC, which only allows certain sizes. */ 218 N = BN_num_bits(q); 219 220 return (L == 2048 && (N == 224 || N == 256)); 221 } 222 # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */ 223 return 1; 224 } 225 #endif /* OPENSSL_NO_DH */ 226 227 int ossl_digest_get_approved_nid_with_sha1(OSSL_LIB_CTX *ctx, const EVP_MD *md, 228 int sha1_allowed) 229 { 230 int mdnid = ossl_digest_get_approved_nid(md); 231 232 # if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS) 233 if (ossl_securitycheck_enabled(ctx)) { 234 if (mdnid == NID_undef || (mdnid == NID_sha1 && !sha1_allowed)) 235 mdnid = -1; /* disallowed by security checks */ 236 } 237 # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */ 238 return mdnid; 239 } 240 241 int ossl_digest_is_allowed(OSSL_LIB_CTX *ctx, const EVP_MD *md) 242 { 243 # if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS) 244 if (ossl_securitycheck_enabled(ctx)) 245 return ossl_digest_get_approved_nid(md) != NID_undef; 246 # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */ 247 return 1; 248 } 249