Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
freebsd
GitHub Repository: freebsd/freebsd-src
 Path: blob/main/crypto/openssl/providers/common/securitycheck_fips.c
48266 views
1
/*

2
 * Copyright 2020-2025 The OpenSSL Project Authors. All Rights Reserved.

3
 *

4
 * Licensed under the Apache License 2.0 (the "License").  You may not use

5
 * this file except in compliance with the License.  You can obtain a copy

6
 * in the file LICENSE in the source distribution or at

7
 * https://www.openssl.org/source/license.html

8
 */

9


10
#include "internal/deprecated.h"

11


12
#include <openssl/rsa.h>

13
#include <openssl/dsa.h>

14
#include <openssl/dh.h>

15
#include <openssl/ec.h>

16
#include <openssl/err.h>

17
#include <openssl/proverr.h>

18
#include <openssl/core_names.h>

19
#include <openssl/obj_mac.h>

20
#include "prov/securitycheck.h"

21


22
int ossl_fips_config_securitycheck_enabled(OSSL_LIB_CTX *libctx)

23
{

24
#if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)

25
    return ossl_fips_config_security_checks(libctx);

26
#else

27
    return 0;

28
#endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */

29
}

30


31
int ossl_digest_rsa_sign_get_md_nid(const EVP_MD *md)

32
{

33
    return ossl_digest_get_approved_nid(md);

34
}

35


36
int ossl_fips_ind_rsa_key_check(OSSL_FIPS_IND *ind, int id,

37
                                OSSL_LIB_CTX *libctx,

38
                                const RSA *rsa, const char *desc, int protect)

39
{

40
    int key_approved = ossl_rsa_check_key_size(rsa, protect);

41


42
    if (!key_approved) {

43
        if (!ossl_FIPS_IND_on_unapproved(ind, id, libctx, desc, "Key size",

44
                                         ossl_fips_config_securitycheck_enabled)) {

45
                ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH,

46
                               "operation: %s", desc);

47
            return 0;

48
        }

49
    }

50
    return 1;

51
}

52


53
# ifndef OPENSSL_NO_EC

54
int ossl_fips_ind_ec_key_check(OSSL_FIPS_IND *ind, int id,

55
                               OSSL_LIB_CTX *libctx,

56
                               const EC_GROUP *group, const char *desc,

57
                               int protect)

58
{

59
    int curve_allowed, strength_allowed;

60


61
    if (group == NULL)

62
        return 0;

63


64
    curve_allowed = ossl_ec_check_curve_allowed(group);

65
    strength_allowed = ossl_ec_check_security_strength(group, protect);

66


67
    if (!strength_allowed || !curve_allowed) {

68
        if (!ossl_FIPS_IND_on_unapproved(ind, id, libctx, desc, "EC Key",

69
                                         ossl_fips_config_securitycheck_enabled)) {

70
            if (!curve_allowed)

71
                ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CURVE);

72
            if (!strength_allowed)

73
                ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);

74
            return 0;

75
        }

76
    }

77
    return 1;

78
}

79
#endif

80


81
int ossl_fips_ind_digest_exch_check(OSSL_FIPS_IND *ind, int id,

82
                                    OSSL_LIB_CTX *libctx,

83
                                    const EVP_MD *md, const char *desc)

84
{

85
    int nid = ossl_digest_get_approved_nid(md);

86
    int approved = (nid != NID_undef && nid != NID_sha1);

87


88
    if (!approved) {

89
        if (!ossl_FIPS_IND_on_unapproved(ind, id, libctx, desc, "Digest",

90
                                         ossl_fips_config_securitycheck_enabled)) {

91
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST);

92
            return 0;

93
        }

94
    }

95
    return 1;

96
}

97


98
int ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND *ind, int id,

99
                                    OSSL_LIB_CTX *libctx,

100
                                    int nid, int sha1_allowed,

101
                                    int sha512_trunc_allowed,

102
                                    const char *desc,

103
                                    OSSL_FIPS_IND_CHECK_CB *config_check_f)

104
{

105
    int approved;

106
    const char *op = "none";

107


108
    switch (nid) {

109
    case NID_undef:

110
        approved = 0;

111
        break;

112
    case NID_sha512_224:

113
    case NID_sha512_256:

114
        approved = sha512_trunc_allowed;

115
        op = "Digest Truncated SHA512";

116
        break;

117
    case NID_sha1:

118
        approved = sha1_allowed;

119
        op = "Digest SHA1";

120
        break;

121
    default:

122
        approved = 1;

123
        break;

124
    }

125


126
    if (!approved) {

127
        if (!ossl_FIPS_IND_on_unapproved(ind, id, libctx, desc, op,

128
                                         config_check_f)) {

129
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST);

130
            return 0;

131
        }

132
    }

133
    return 1;

134
}

135


136