1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
|
/*
* Copyright 2020-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#include "internal/deprecated.h"
#include <openssl/rsa.h>
#include <openssl/dsa.h>
#include <openssl/dh.h>
#include <openssl/ec.h>
#include <openssl/err.h>
#include <openssl/proverr.h>
#include <openssl/core_names.h>
#include <openssl/obj_mac.h>
#include "prov/securitycheck.h"
int ossl_fips_config_securitycheck_enabled(OSSL_LIB_CTX *libctx)
{
#if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
return ossl_fips_config_security_checks(libctx);
#else
return 0;
#endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
}
int ossl_digest_rsa_sign_get_md_nid(const EVP_MD *md)
{
return ossl_digest_get_approved_nid(md);
}
int ossl_fips_ind_rsa_key_check(OSSL_FIPS_IND *ind, int id,
OSSL_LIB_CTX *libctx,
const RSA *rsa, const char *desc, int protect)
{
int key_approved = ossl_rsa_check_key_size(rsa, protect);
if (!key_approved) {
if (!ossl_FIPS_IND_on_unapproved(ind, id, libctx, desc, "Key size",
ossl_fips_config_securitycheck_enabled)) {
ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH,
"operation: %s", desc);
return 0;
}
}
return 1;
}
# ifndef OPENSSL_NO_EC
int ossl_fips_ind_ec_key_check(OSSL_FIPS_IND *ind, int id,
OSSL_LIB_CTX *libctx,
const EC_GROUP *group, const char *desc,
int protect)
{
int curve_allowed, strength_allowed;
if (group == NULL)
return 0;
curve_allowed = ossl_ec_check_curve_allowed(group);
strength_allowed = ossl_ec_check_security_strength(group, protect);
if (!strength_allowed || !curve_allowed) {
if (!ossl_FIPS_IND_on_unapproved(ind, id, libctx, desc, "EC Key",
ossl_fips_config_securitycheck_enabled)) {
if (!curve_allowed)
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CURVE);
if (!strength_allowed)
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
return 0;
}
}
return 1;
}
#endif
int ossl_fips_ind_digest_exch_check(OSSL_FIPS_IND *ind, int id,
OSSL_LIB_CTX *libctx,
const EVP_MD *md, const char *desc)
{
int nid = ossl_digest_get_approved_nid(md);
int approved = (nid != NID_undef && nid != NID_sha1);
if (!approved) {
if (!ossl_FIPS_IND_on_unapproved(ind, id, libctx, desc, "Digest",
ossl_fips_config_securitycheck_enabled)) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST);
return 0;
}
}
return 1;
}
int ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND *ind, int id,
OSSL_LIB_CTX *libctx,
int nid, int sha1_allowed,
int sha512_trunc_allowed,
const char *desc,
OSSL_FIPS_IND_CHECK_CB *config_check_f)
{
int approved;
const char *op = "none";
switch (nid) {
case NID_undef:
approved = 0;
break;
case NID_sha512_224:
case NID_sha512_256:
approved = sha512_trunc_allowed;
op = "Digest Truncated SHA512";
break;
case NID_sha1:
approved = sha1_allowed;
op = "Digest SHA1";
break;
default:
approved = 1;
break;
}
if (!approved) {
if (!ossl_FIPS_IND_on_unapproved(ind, id, libctx, desc, op,
config_check_f)) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST);
return 0;
}
}
return 1;
}
|
