/*
 * Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include "internal/deprecated.h"

#include <openssl/rsa.h>
#include <openssl/dsa.h>
#include <openssl/dh.h>
#include <openssl/ec.h>
#include <openssl/err.h>
#include <openssl/proverr.h>
#include <openssl/core_names.h>
#include <openssl/obj_mac.h>
#include "prov/securitycheck.h"

/*
 * Every ossl_fips_ind_*_check() helper in this file follows one contract:
 * it returns 1 when the operation may proceed and 0 (with an error pushed
 * onto the error queue) when it must not.  A parameter that is not approved
 * is first reported to ossl_FIPS_IND_on_unapproved(); only a zero return
 * from that call turns the finding into a hard failure.  Presumably a
 * non-zero return means the configured security check allows the
 * operation to continue with the indicator marked unapproved -- confirm
 * against the OSSL_FIPS_IND implementation.
 */

/*
 * Report whether the FIPS "security checks" configuration option is on for
 * libctx.  Builds with OPENSSL_NO_FIPS_SECURITYCHECKS defined always answer
 * 0, i.e. checks are compiled out rather than merely switched off.
 */
int ossl_fips_config_securitycheck_enabled(OSSL_LIB_CTX *libctx)
{
#ifdef OPENSSL_NO_FIPS_SECURITYCHECKS
    return 0;
#else
    return ossl_fips_config_security_checks(libctx);
#endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
}

/*
 * Map a digest to its NID if it is approved for RSA signing, NID_undef
 * otherwise.  This is a thin alias for ossl_digest_get_approved_nid().
 */
int ossl_digest_rsa_sign_get_md_nid(const EVP_MD *md)
{
    return ossl_digest_get_approved_nid(md);
}

/*
 * Check that the RSA key size is approved for the operation described by
 * desc.  protect is forwarded to ossl_rsa_check_key_size(); the size
 * rules themselves live there.
 *
 * Returns 1 if the operation may proceed, 0 (PROV_R_INVALID_KEY_LENGTH
 * raised, tagged with desc) if the key is unapproved and the indicator
 * callback refuses to let it through.
 */
int ossl_fips_ind_rsa_key_check(OSSL_FIPS_IND *ind, int id,
                                OSSL_LIB_CTX *libctx,
                                const RSA *rsa, const char *desc, int protect)
{
    if (ossl_rsa_check_key_size(rsa, protect))
        return 1;

    /* Unapproved size: let the indicator decide whether to tolerate it. */
    if (ossl_FIPS_IND_on_unapproved(ind, id, libctx, desc, "Key size",
                                    ossl_fips_config_securitycheck_enabled))
        return 1;

    ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH,
                   "operation: %s", desc);
    return 0;
}

#ifndef OPENSSL_NO_EC
/*
 * Check that an EC group is both an allowed curve and of sufficient
 * security strength for the operation described by desc.  protect is
 * forwarded to ossl_ec_check_security_strength().
 *
 * Returns 1 if the operation may proceed and 0 otherwise.  On a hard
 * failure one error is raised per failed criterion: PROV_R_INVALID_CURVE
 * and/or PROV_R_INVALID_KEY_LENGTH.
 *
 * NOTE(review): a NULL group fails silently -- no error is raised -- so a
 * caller sees a bare 0 with an empty error queue on that path.
 */
int ossl_fips_ind_ec_key_check(OSSL_FIPS_IND *ind, int id,
                               OSSL_LIB_CTX *libctx,
                               const EC_GROUP *group, const char *desc,
                               int protect)
{
    int curve_ok, strength_ok;

    if (group == NULL)
        return 0;

    /* Both checks always run; the order is kept as the original had it. */
    curve_ok = ossl_ec_check_curve_allowed(group);
    strength_ok = ossl_ec_check_security_strength(group, protect);

    if (curve_ok && strength_ok)
        return 1;

    if (ossl_FIPS_IND_on_unapproved(ind, id, libctx, desc, "EC Key",
                                    ossl_fips_config_securitycheck_enabled))
        return 1;

    if (!curve_ok)
        ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CURVE);
    if (!strength_ok)
        ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
    return 0;
}
#endif

/*
 * Check that md is an approved digest for a key-exchange (KDF) operation
 * described by desc.  SHA-1 is never accepted here, and neither is a digest
 * that ossl_digest_get_approved_nid() maps to NID_undef.
 *
 * Returns 1 if the operation may proceed, 0 (PROV_R_INVALID_DIGEST raised)
 * if the digest is unapproved and the indicator callback refuses it.
 */
int ossl_fips_ind_digest_exch_check(OSSL_FIPS_IND *ind, int id,
                                    OSSL_LIB_CTX *libctx,
                                    const EVP_MD *md, const char *desc)
{
    int nid = ossl_digest_get_approved_nid(md);

    if (nid != NID_undef && nid != NID_sha1)
        return 1;

    if (ossl_FIPS_IND_on_unapproved(ind, id, libctx, desc, "Digest",
                                    ossl_fips_config_securitycheck_enabled))
        return 1;

    ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST);
    return 0;
}

/*
 * Check that a digest NID is approved for a signature operation described
 * by desc.  NID_undef is always rejected; NID_sha1 is rejected unless
 * sha1_allowed is non-zero (callers use this for verify-only paths).
 *
 * Unlike the helpers above, the configuration predicate handed to the
 * indicator is supplied by the caller as config_check_f rather than fixed
 * to ossl_fips_config_securitycheck_enabled().
 *
 * Returns 1 if the operation may proceed, 0 (PROV_R_INVALID_DIGEST raised)
 * if the digest is unapproved and the indicator callback refuses it.
 */
int ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND *ind, int id,
                                    OSSL_LIB_CTX *libctx,
                                    int nid, int sha1_allowed,
                                    const char *desc,
                                    OSSL_FIPS_IND_CHECK_CB *config_check_f)
{
    /* NID_undef is never approved; SHA-1 only when explicitly allowed. */
    int approved = nid != NID_undef && (sha1_allowed || nid != NID_sha1);

    if (approved)
        return 1;

    if (ossl_FIPS_IND_on_unapproved(ind, id, libctx, desc, "Digest SHA1",
                                    config_check_f))
        return 1;

    ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST);
    return 0;
}