1 /*
2 * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include "internal/deprecated.h"
11
12 #include <openssl/rsa.h>
13 #include <openssl/dsa.h>
14 #include <openssl/dh.h>
15 #include <openssl/ec.h>
16 #include <openssl/evp.h>
17 #include <openssl/err.h>
18 #include <openssl/proverr.h>
19 #include <openssl/core_names.h>
20 #include <openssl/obj_mac.h>
21 #include "prov/securitycheck.h"
22
23 /*
24 * FIPS requires a minimum security strength of 112 bits (for encryption or
25 * signing), and for legacy purposes 80 bits (for decryption or verifying).
26 * Set protect = 1 for encryption or signing operations, or 0 otherwise. See
27 * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf.
28 */
ossl_rsa_check_key(OSSL_LIB_CTX * ctx,const RSA * rsa,int operation)29 int ossl_rsa_check_key(OSSL_LIB_CTX *ctx, const RSA *rsa, int operation)
30 {
31 int protect = 0;
32
33 switch (operation) {
34 case EVP_PKEY_OP_SIGN:
35 protect = 1;
36 /* fallthrough */
37 case EVP_PKEY_OP_VERIFY:
38 break;
39 case EVP_PKEY_OP_ENCAPSULATE:
40 case EVP_PKEY_OP_ENCRYPT:
41 protect = 1;
42 /* fallthrough */
43 case EVP_PKEY_OP_VERIFYRECOVER:
44 case EVP_PKEY_OP_DECAPSULATE:
45 case EVP_PKEY_OP_DECRYPT:
46 if (RSA_test_flags(rsa,
47 RSA_FLAG_TYPE_MASK) == RSA_FLAG_TYPE_RSASSAPSS) {
48 ERR_raise_data(ERR_LIB_PROV,
49 PROV_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE,
50 "operation: %d", operation);
51 return 0;
52 }
53 break;
54 default:
55 ERR_raise_data(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR,
56 "invalid operation: %d", operation);
57 return 0;
58 }
59
60 #if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
61 if (ossl_securitycheck_enabled(ctx)) {
62 int sz = RSA_bits(rsa);
63
64 if (protect ? (sz < 2048) : (sz < 1024)) {
65 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH,
66 "operation: %d", operation);
67 return 0;
68 }
69 }
70 #else
71 /* make protect used */
72 (void)protect;
73 #endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
74 return 1;
75 }
76
77 #ifndef OPENSSL_NO_EC
78 /*
79 * In FIPS mode:
80 * protect should be 1 for any operations that need 112 bits of security
81 * strength (such as signing, and key exchange), or 0 for operations that allow
82 * a lower security strength (such as verify).
83 *
84 * For ECDH key agreement refer to SP800-56A
85 * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf
86 * "Appendix D"
87 *
88 * For ECDSA signatures refer to
89 * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
90 * "Table 2"
91 */
ossl_ec_check_key(OSSL_LIB_CTX * ctx,const EC_KEY * ec,int protect)92 int ossl_ec_check_key(OSSL_LIB_CTX *ctx, const EC_KEY *ec, int protect)
93 {
94 # if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
95 if (ossl_securitycheck_enabled(ctx)) {
96 int nid, strength;
97 const char *curve_name;
98 const EC_GROUP *group = EC_KEY_get0_group(ec);
99
100 if (group == NULL) {
101 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE, "No group");
102 return 0;
103 }
104 nid = EC_GROUP_get_curve_name(group);
105 if (nid == NID_undef) {
106 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE,
107 "Explicit curves are not allowed in fips mode");
108 return 0;
109 }
110
111 curve_name = EC_curve_nid2nist(nid);
112 if (curve_name == NULL) {
113 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE,
114 "Curve %s is not approved in FIPS mode", curve_name);
115 return 0;
116 }
117
118 /*
119 * For EC the security strength is the (order_bits / 2)
120 * e.g. P-224 is 112 bits.
121 */
122 strength = EC_GROUP_order_bits(group) / 2;
123 /* The min security strength allowed for legacy verification is 80 bits */
124 if (strength < 80) {
125 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CURVE);
126 return 0;
127 }
128
129 /*
130 * For signing or key agreement only allow curves with at least 112 bits of
131 * security strength
132 */
133 if (protect && strength < 112) {
134 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE,
135 "Curve %s cannot be used for signing", curve_name);
136 return 0;
137 }
138 }
139 # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
140 return 1;
141 }
142 #endif /* OPENSSL_NO_EC */
143
144 #ifndef OPENSSL_NO_DSA
145 /*
146 * Check for valid key sizes if fips mode. Refer to
147 * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
148 * "Table 2"
149 */
ossl_dsa_check_key(OSSL_LIB_CTX * ctx,const DSA * dsa,int sign)150 int ossl_dsa_check_key(OSSL_LIB_CTX *ctx, const DSA *dsa, int sign)
151 {
152 # if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
153 if (ossl_securitycheck_enabled(ctx)) {
154 size_t L, N;
155 const BIGNUM *p, *q;
156
157 if (dsa == NULL)
158 return 0;
159
160 p = DSA_get0_p(dsa);
161 q = DSA_get0_q(dsa);
162 if (p == NULL || q == NULL)
163 return 0;
164
165 L = BN_num_bits(p);
166 N = BN_num_bits(q);
167
168 /*
169 * For Digital signature verification DSA keys with < 112 bits of
170 * security strength (i.e L < 2048 bits), are still allowed for legacy
171 * use. The bounds given in SP800 131Ar2 - Table 2 are
172 * (512 <= L < 2048 and 160 <= N < 224)
173 */
174 if (!sign && L < 2048)
175 return (L >= 512 && N >= 160 && N < 224);
176
177 /* Valid sizes for both sign and verify */
178 if (L == 2048 && (N == 224 || N == 256))
179 return 1;
180 return (L == 3072 && N == 256);
181 }
182 # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
183 return 1;
184 }
185 #endif /* OPENSSL_NO_DSA */
186
187 #ifndef OPENSSL_NO_DH
188 /*
189 * For DH key agreement refer to SP800-56A
190 * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf
191 * "Section 5.5.1.1FFC Domain Parameter Selection/Generation" and
192 * "Appendix D" FFC Safe-prime Groups
193 */
ossl_dh_check_key(OSSL_LIB_CTX * ctx,const DH * dh)194 int ossl_dh_check_key(OSSL_LIB_CTX *ctx, const DH *dh)
195 {
196 # if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
197 if (ossl_securitycheck_enabled(ctx)) {
198 size_t L, N;
199 const BIGNUM *p, *q;
200
201 if (dh == NULL)
202 return 0;
203
204 p = DH_get0_p(dh);
205 q = DH_get0_q(dh);
206 if (p == NULL || q == NULL)
207 return 0;
208
209 L = BN_num_bits(p);
210 if (L < 2048)
211 return 0;
212
213 /* If it is a safe prime group then it is ok */
214 if (DH_get_nid(dh))
215 return 1;
216
217 /* If not then it must be FFC, which only allows certain sizes. */
218 N = BN_num_bits(q);
219
220 return (L == 2048 && (N == 224 || N == 256));
221 }
222 # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
223 return 1;
224 }
225 #endif /* OPENSSL_NO_DH */
226
ossl_digest_get_approved_nid_with_sha1(OSSL_LIB_CTX * ctx,const EVP_MD * md,int sha1_allowed)227 int ossl_digest_get_approved_nid_with_sha1(OSSL_LIB_CTX *ctx, const EVP_MD *md,
228 int sha1_allowed)
229 {
230 int mdnid = ossl_digest_get_approved_nid(md);
231
232 # if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
233 if (ossl_securitycheck_enabled(ctx)) {
234 if (mdnid == NID_undef || (mdnid == NID_sha1 && !sha1_allowed))
235 mdnid = -1; /* disallowed by security checks */
236 }
237 # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
238 return mdnid;
239 }
240
ossl_digest_is_allowed(OSSL_LIB_CTX * ctx,const EVP_MD * md)241 int ossl_digest_is_allowed(OSSL_LIB_CTX *ctx, const EVP_MD *md)
242 {
243 # if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
244 if (ossl_securitycheck_enabled(ctx))
245 return ossl_digest_get_approved_nid(md) != NID_undef;
246 # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
247 return 1;
248 }
249