securitycheck.c 7.9 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256
  1. /*
  2. * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include "internal/deprecated.h"
  10. #include <openssl/rsa.h>
  11. #include <openssl/dsa.h>
  12. #include <openssl/dh.h>
  13. #include <openssl/ec.h>
  14. #include <openssl/evp.h>
  15. #include <openssl/err.h>
  16. #include <openssl/proverr.h>
  17. #include <openssl/core_names.h>
  18. #include <openssl/obj_mac.h>
  19. #include "prov/securitycheck.h"
  20. /*
  21. * FIPS requires a minimum security strength of 112 bits (for encryption or
  22. * signing), and for legacy purposes 80 bits (for decryption or verifying).
  23. * Set protect = 1 for encryption or signing operations, or 0 otherwise. See
  24. * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf.
  25. */
  26. int ossl_rsa_check_key(OSSL_LIB_CTX *ctx, const RSA *rsa, int operation)
  27. {
  28. int protect = 0;
  29. switch (operation) {
  30. case EVP_PKEY_OP_SIGN:
  31. protect = 1;
  32. /* fallthrough */
  33. case EVP_PKEY_OP_VERIFY:
  34. break;
  35. case EVP_PKEY_OP_ENCAPSULATE:
  36. case EVP_PKEY_OP_ENCRYPT:
  37. protect = 1;
  38. /* fallthrough */
  39. case EVP_PKEY_OP_VERIFYRECOVER:
  40. case EVP_PKEY_OP_DECAPSULATE:
  41. case EVP_PKEY_OP_DECRYPT:
  42. if (RSA_test_flags(rsa,
  43. RSA_FLAG_TYPE_MASK) == RSA_FLAG_TYPE_RSASSAPSS) {
  44. ERR_raise_data(ERR_LIB_PROV,
  45. PROV_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE,
  46. "operation: %d", operation);
  47. return 0;
  48. }
  49. break;
  50. default:
  51. ERR_raise_data(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR,
  52. "invalid operation: %d", operation);
  53. return 0;
  54. }
  55. #if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
  56. if (ossl_securitycheck_enabled(ctx)) {
  57. int sz = RSA_bits(rsa);
  58. if (protect ? (sz < 2048) : (sz < 1024)) {
  59. ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH,
  60. "operation: %d", operation);
  61. return 0;
  62. }
  63. }
  64. #else
  65. /* make protect used */
  66. (void)protect;
  67. #endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
  68. return 1;
  69. }
  70. #ifndef OPENSSL_NO_EC
  71. /*
  72. * In FIPS mode:
  73. * protect should be 1 for any operations that need 112 bits of security
  74. * strength (such as signing, and key exchange), or 0 for operations that allow
  75. * a lower security strength (such as verify).
  76. *
  77. * For ECDH key agreement refer to SP800-56A
  78. * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf
  79. * "Appendix D"
  80. *
  81. * For ECDSA signatures refer to
  82. * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
  83. * "Table 2"
  84. */
  85. int ossl_ec_check_key(OSSL_LIB_CTX *ctx, const EC_KEY *ec, int protect)
  86. {
  87. # if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
  88. if (ossl_securitycheck_enabled(ctx)) {
  89. int nid, strength;
  90. const char *curve_name;
  91. const EC_GROUP *group = EC_KEY_get0_group(ec);
  92. if (group == NULL) {
  93. ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE, "No group");
  94. return 0;
  95. }
  96. nid = EC_GROUP_get_curve_name(group);
  97. if (nid == NID_undef) {
  98. ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE,
  99. "Explicit curves are not allowed in fips mode");
  100. return 0;
  101. }
  102. curve_name = EC_curve_nid2nist(nid);
  103. if (curve_name == NULL) {
  104. ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE,
  105. "Curve %s is not approved in FIPS mode", curve_name);
  106. return 0;
  107. }
  108. /*
  109. * For EC the security strength is the (order_bits / 2)
  110. * e.g. P-224 is 112 bits.
  111. */
  112. strength = EC_GROUP_order_bits(group) / 2;
  113. /* The min security strength allowed for legacy verification is 80 bits */
  114. if (strength < 80) {
  115. ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CURVE);
  116. return 0;
  117. }
  118. /*
  119. * For signing or key agreement only allow curves with at least 112 bits of
  120. * security strength
  121. */
  122. if (protect && strength < 112) {
  123. ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE,
  124. "Curve %s cannot be used for signing", curve_name);
  125. return 0;
  126. }
  127. }
  128. # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
  129. return 1;
  130. }
  131. #endif /* OPENSSL_NO_EC */
  132. #ifndef OPENSSL_NO_DSA
  133. /*
  134. * Check for valid key sizes if fips mode. Refer to
  135. * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
  136. * "Table 2"
  137. */
  138. int ossl_dsa_check_key(OSSL_LIB_CTX *ctx, const DSA *dsa, int sign)
  139. {
  140. # if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
  141. if (ossl_securitycheck_enabled(ctx)) {
  142. size_t L, N;
  143. const BIGNUM *p, *q;
  144. if (dsa == NULL)
  145. return 0;
  146. p = DSA_get0_p(dsa);
  147. q = DSA_get0_q(dsa);
  148. if (p == NULL || q == NULL)
  149. return 0;
  150. L = BN_num_bits(p);
  151. N = BN_num_bits(q);
  152. /*
  153. * For Digital signature verification DSA keys with < 112 bits of
  154. * security strength, are still allowed for legacy
  155. * use. The bounds given in SP 800-131Ar2 - Table 2 are
  156. * (512 <= L < 2048 or 160 <= N < 224).
  157. *
  158. * We are a little stricter and insist that both minimums are met.
  159. * For example a L = 256, N = 160 key *would* be allowed by SP 800-131Ar2
  160. * but we don't.
  161. */
  162. if (!sign) {
  163. if (L < 512 || N < 160)
  164. return 0;
  165. if (L < 2048 || N < 224)
  166. return 1;
  167. }
  168. /* Valid sizes for both sign and verify */
  169. if (L == 2048 && (N == 224 || N == 256)) /* 112 bits */
  170. return 1;
  171. return (L == 3072 && N == 256); /* 128 bits */
  172. }
  173. # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
  174. return 1;
  175. }
  176. #endif /* OPENSSL_NO_DSA */
  177. #ifndef OPENSSL_NO_DH
  178. /*
  179. * For DH key agreement refer to SP800-56A
  180. * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf
  181. * "Section 5.5.1.1FFC Domain Parameter Selection/Generation" and
  182. * "Appendix D" FFC Safe-prime Groups
  183. */
  184. int ossl_dh_check_key(OSSL_LIB_CTX *ctx, const DH *dh)
  185. {
  186. # if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
  187. if (ossl_securitycheck_enabled(ctx)) {
  188. size_t L, N;
  189. const BIGNUM *p, *q;
  190. if (dh == NULL)
  191. return 0;
  192. p = DH_get0_p(dh);
  193. q = DH_get0_q(dh);
  194. if (p == NULL || q == NULL)
  195. return 0;
  196. L = BN_num_bits(p);
  197. if (L < 2048)
  198. return 0;
  199. /* If it is a safe prime group then it is ok */
  200. if (DH_get_nid(dh))
  201. return 1;
  202. /* If not then it must be FFC, which only allows certain sizes. */
  203. N = BN_num_bits(q);
  204. return (L == 2048 && (N == 224 || N == 256));
  205. }
  206. # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
  207. return 1;
  208. }
  209. #endif /* OPENSSL_NO_DH */
  210. int ossl_digest_get_approved_nid_with_sha1(OSSL_LIB_CTX *ctx, const EVP_MD *md,
  211. int sha1_allowed)
  212. {
  213. int mdnid = ossl_digest_get_approved_nid(md);
  214. # if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
  215. if (ossl_securitycheck_enabled(ctx)) {
  216. if (mdnid == NID_undef || (mdnid == NID_sha1 && !sha1_allowed))
  217. mdnid = -1; /* disallowed by security checks */
  218. }
  219. # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
  220. return mdnid;
  221. }
  222. int ossl_digest_is_allowed(OSSL_LIB_CTX *ctx, const EVP_MD *md)
  223. {
  224. # if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
  225. if (ossl_securitycheck_enabled(ctx))
  226. return ossl_digest_get_approved_nid(md) != NID_undef;
  227. # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
  228. return 1;
  229. }