]>
git.ipfire.org Git - thirdparty/openssl.git/blob - providers/common/securitycheck.c
2 * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include "internal/deprecated.h"
12 #include <openssl/rsa.h>
13 #include <openssl/dsa.h>
14 #include <openssl/dh.h>
15 #include <openssl/ec.h>
16 #include <openssl/err.h>
17 #include <openssl/core_names.h>
18 #include <openssl/obj_mac.h>
19 #include "prov/securitycheck.h"
20 #include "prov/providercommonerr.h"
23 * FIPS requires a minimum security strength of 112 bits (for encryption or
24 * signing), and for legacy purposes 80 bits (for decryption or verifying).
25 * Set protect = 1 for encryption or signing operations, or 0 otherwise. See
26 * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf.
28 int rsa_check_key(const RSA
*rsa
, int protect
)
30 #if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
31 if (securitycheck_enabled()) {
32 int sz
= RSA_bits(rsa
);
34 return protect
? (sz
>= 2048) : (sz
>= 1024);
36 #endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
43 * protect should be 1 for any operations that need 112 bits of security
44 * strength (such as signing, and key exchange), or 0 for operations that allow
45 * a lower security strength (such as verify).
47 * For ECDH key agreement refer to SP800-56A
48 * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf
51 * For ECDSA signatures refer to
52 * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
55 int ec_check_key(const EC_KEY
*ec
, int protect
)
57 # if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
58 if (securitycheck_enabled()) {
60 const char *curve_name
;
61 const EC_GROUP
*group
= EC_KEY_get0_group(ec
);
64 ERR_raise_data(ERR_LIB_PROV
, PROV_R_INVALID_CURVE
, "No group");
67 nid
= EC_GROUP_get_curve_name(group
);
68 if (nid
== NID_undef
) {
69 ERR_raise_data(ERR_LIB_PROV
, PROV_R_INVALID_CURVE
,
70 "Explicit curves are not allowed in fips mode");
74 curve_name
= EC_curve_nid2nist(nid
);
75 if (curve_name
== NULL
) {
76 ERR_raise_data(ERR_LIB_PROV
, PROV_R_INVALID_CURVE
,
77 "Curve %s is not approved in FIPS mode", curve_name
);
82 * For EC the security strength is the (order_bits / 2)
83 * e.g. P-224 is 112 bits.
85 strength
= EC_GROUP_order_bits(group
) / 2;
86 /* The min security strength allowed for legacy verification is 80 bits */
88 ERR_raise(ERR_LIB_PROV
, PROV_R_INVALID_CURVE
);
93 * For signing or key agreement only allow curves with at least 112 bits of
96 if (protect
&& strength
< 112) {
97 ERR_raise_data(ERR_LIB_PROV
, PROV_R_INVALID_CURVE
,
98 "Curve %s cannot be used for signing", curve_name
);
102 # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
105 #endif /* OPENSSL_NO_EC */
107 #ifndef OPENSSL_NO_DSA
109 * Check for valid key sizes if fips mode. Refer to
110 * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
113 int dsa_check_key(const DSA
*dsa
, int sign
)
115 # if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
116 if (securitycheck_enabled()) {
125 if (p
== NULL
|| q
== NULL
)
132 * Valid sizes or verification - Note this could be a fips186-2 type
133 * key - so we allow 512 also. When this is no longer suppported the
134 * lower bound should be increased to 1024.
137 return (L
>= 512 && N
>= 160);
139 /* Valid sizes for both sign and verify */
140 if (L
== 2048 && (N
== 224 || N
== 256))
142 return (L
== 3072 && N
== 256);
144 # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
147 #endif /* OPENSSL_NO_DSA */
149 #ifndef OPENSSL_NO_DH
151 * For DH key agreement refer to SP800-56A
152 * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf
153 * "Section 5.5.1.1FFC Domain Parameter Selection/Generation" and
154 * "Appendix D" FFC Safe-prime Groups
156 int dh_check_key(const DH
*dh
)
158 # if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
159 if (securitycheck_enabled()) {
168 if (p
== NULL
|| q
== NULL
)
175 /* If it is a safe prime group then it is ok */
179 /* If not then it must be FFC, which only allows certain sizes. */
182 return (L
== 2048 && (N
== 224 || N
== 256));
184 # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
187 #endif /* OPENSSL_NO_DH */
189 int digest_get_approved_nid_with_sha1(const EVP_MD
*md
, int sha1_allowed
)
191 int mdnid
= digest_get_approved_nid(md
);
193 # if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
194 if (securitycheck_enabled()) {
195 if (mdnid
== NID_sha1
&& !sha1_allowed
)
198 # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
202 int digest_is_allowed(const EVP_MD
*md
)
204 # if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
205 if (securitycheck_enabled())
206 return digest_get_approved_nid(md
) != NID_undef
;
207 # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */