mirror of https://github.com/openssl/openssl
Add 'fips-securitychecks' option and plumb this into the actual fips checks
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12745)
This commit is contained in:
parent
850a485f25
commit
7a810fac86
|
@ -421,6 +421,7 @@ my @disablables = (
|
||||||
"external-tests",
|
"external-tests",
|
||||||
"filenames",
|
"filenames",
|
||||||
"fips",
|
"fips",
|
||||||
|
"fips-securitychecks",
|
||||||
"fuzz-libfuzzer",
|
"fuzz-libfuzzer",
|
||||||
"fuzz-afl",
|
"fuzz-afl",
|
||||||
"gost",
|
"gost",
|
||||||
|
|
|
@ -1,6 +1,7 @@
|
||||||
SUBDIRS=der
|
SUBDIRS=der
|
||||||
|
|
||||||
SOURCE[../libcommon.a]=provider_err.c provider_ctx.c
|
SOURCE[../libcommon.a]=provider_err.c provider_ctx.c
|
||||||
$FIPSCOMMON=provider_util.c capabilities.c bio_prov.c digest_to_nid.c
|
$FIPSCOMMON=provider_util.c capabilities.c bio_prov.c digest_to_nid.c\
|
||||||
SOURCE[../libnonfips.a]=$FIPSCOMMON nid_to_name.c check_default.c
|
securitycheck.c
|
||||||
SOURCE[../libfips.a]=$FIPSCOMMON check_fips.c
|
SOURCE[../libnonfips.a]=$FIPSCOMMON nid_to_name.c securitycheck_default.c
|
||||||
|
SOURCE[../libfips.a]=$FIPSCOMMON securitycheck_fips.c
|
||||||
|
|
|
@ -1,188 +0,0 @@
|
||||||
/*
|
|
||||||
* Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
|
|
||||||
*
|
|
||||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
||||||
* this file except in compliance with the License. You can obtain a copy
|
|
||||||
* in the file LICENSE in the source distribution or at
|
|
||||||
* https://www.openssl.org/source/license.html
|
|
||||||
*/
|
|
||||||
|
|
||||||
#include "internal/deprecated.h"
|
|
||||||
|
|
||||||
#include <openssl/rsa.h>
|
|
||||||
#include <openssl/dsa.h>
|
|
||||||
#include <openssl/dh.h>
|
|
||||||
#include <openssl/ec.h>
|
|
||||||
#include <openssl/err.h>
|
|
||||||
#include <openssl/core_names.h>
|
|
||||||
#include <openssl/obj_mac.h>
|
|
||||||
#include "prov/check.h"
|
|
||||||
#include "prov/providercommonerr.h"
|
|
||||||
|
|
||||||
/*
|
|
||||||
* FIPS requires a minimum security strength of 112 bits (for encryption or
|
|
||||||
* signing), and for legacy purposes 80 bits (for decryption or verifying).
|
|
||||||
* Set protect = 1 for encryption or signing operations, or 0 otherwise. See
|
|
||||||
* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf.
|
|
||||||
*/
|
|
||||||
int rsa_check_key(const RSA *rsa, int protect)
|
|
||||||
{
|
|
||||||
int sz = RSA_bits(rsa);
|
|
||||||
|
|
||||||
return protect ? (sz >= 2048) : (sz >= 1024);
|
|
||||||
}
|
|
||||||
|
|
||||||
#ifndef OPENSSL_NO_EC
|
|
||||||
/*
|
|
||||||
* In FIPS mode:
|
|
||||||
* protect should be 1 for any operations that need 112 bits of security
|
|
||||||
* strength (such as signing, and key exchange), or 0 for operations that allow
|
|
||||||
* a lower security strength (such as verify).
|
|
||||||
*
|
|
||||||
* For ECDH key agreement refer to SP800-56A
|
|
||||||
* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf
|
|
||||||
* "Appendix D"
|
|
||||||
*
|
|
||||||
* For ECDSA signatures refer to
|
|
||||||
* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
|
|
||||||
* "Table 2"
|
|
||||||
*/
|
|
||||||
int ec_check_key(const EC_KEY *ec, int protect)
|
|
||||||
{
|
|
||||||
int nid, strength;
|
|
||||||
const char *curve_name;
|
|
||||||
const EC_GROUP *group = EC_KEY_get0_group(ec);
|
|
||||||
|
|
||||||
if (group == NULL) {
|
|
||||||
ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE, "No group");
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
nid = EC_GROUP_get_curve_name(group);
|
|
||||||
if (nid == NID_undef) {
|
|
||||||
ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE,
|
|
||||||
"Explicit curves are not allowed in fips mode");
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
curve_name = EC_curve_nid2nist(nid);
|
|
||||||
if (curve_name == NULL) {
|
|
||||||
ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE,
|
|
||||||
"Curve %s is not approved in FIPS mode", curve_name);
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
||||||
* For EC the security strength is the (order_bits / 2)
|
|
||||||
* e.g. P-224 is 112 bits.
|
|
||||||
*/
|
|
||||||
strength = EC_GROUP_order_bits(group) / 2;
|
|
||||||
/* The min security strength allowed for legacy verification is 80 bits */
|
|
||||||
if (strength < 80) {
|
|
||||||
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CURVE);
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
||||||
* For signing or key agreement only allow curves with at least 112 bits of
|
|
||||||
* security strength
|
|
||||||
*/
|
|
||||||
if (protect && strength < 112) {
|
|
||||||
ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE,
|
|
||||||
"Curve %s cannot be used for signing", curve_name);
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
#endif /* OPENSSL_NO_EC */
|
|
||||||
|
|
||||||
#ifndef OPENSSL_NO_DSA
|
|
||||||
/*
|
|
||||||
* Check for valid key sizes if fips mode. Refer to
|
|
||||||
* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
|
|
||||||
* "Table 2"
|
|
||||||
*/
|
|
||||||
int dsa_check_key(const DSA *dsa, int sign)
|
|
||||||
{
|
|
||||||
size_t L, N;
|
|
||||||
const BIGNUM *p, *q;
|
|
||||||
|
|
||||||
if (dsa == NULL)
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
p = DSA_get0_p(dsa);
|
|
||||||
q = DSA_get0_q(dsa);
|
|
||||||
if (p == NULL || q == NULL)
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
L = BN_num_bits(p);
|
|
||||||
N = BN_num_bits(q);
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Valid sizes or verification - Note this could be a fips186-2 type
|
|
||||||
* key - so we allow 512 also. When this is no longer suppported the
|
|
||||||
* lower bound should be increased to 1024.
|
|
||||||
*/
|
|
||||||
if (!sign)
|
|
||||||
return (L >= 512 && N >= 160);
|
|
||||||
|
|
||||||
/* Valid sizes for both sign and verify */
|
|
||||||
if (L == 2048 && (N == 224 || N == 256))
|
|
||||||
return 1;
|
|
||||||
return (L == 3072 && N == 256);
|
|
||||||
}
|
|
||||||
#endif /* OPENSSL_NO_DSA */
|
|
||||||
|
|
||||||
#ifndef OPENSSL_NO_DH
|
|
||||||
/*
|
|
||||||
* For DH key agreement refer to SP800-56A
|
|
||||||
* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf
|
|
||||||
* "Section 5.5.1.1FFC Domain Parameter Selection/Generation" and
|
|
||||||
* "Appendix D" FFC Safe-prime Groups
|
|
||||||
*/
|
|
||||||
int dh_check_key(const DH *dh)
|
|
||||||
{
|
|
||||||
size_t L, N;
|
|
||||||
const BIGNUM *p, *q;
|
|
||||||
|
|
||||||
if (dh == NULL)
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
p = DH_get0_p(dh);
|
|
||||||
q = DH_get0_q(dh);
|
|
||||||
if (p == NULL || q == NULL)
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
L = BN_num_bits(p);
|
|
||||||
if (L < 2048)
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
/* If it is a safe prime group then it is ok */
|
|
||||||
if (DH_get_nid(dh))
|
|
||||||
return 1;
|
|
||||||
|
|
||||||
/* If not then it must be FFC, which only allows certain sizes. */
|
|
||||||
N = BN_num_bits(q);
|
|
||||||
|
|
||||||
return (L == 2048 && (N == 224 || N == 256));
|
|
||||||
}
|
|
||||||
#endif /* OPENSSL_NO_DH */
|
|
||||||
|
|
||||||
int digest_get_approved_nid_with_sha1(const EVP_MD *md, int sha1_allowed)
|
|
||||||
{
|
|
||||||
int mdnid = digest_get_approved_nid(md);
|
|
||||||
|
|
||||||
if (mdnid == NID_sha1 && !sha1_allowed)
|
|
||||||
mdnid = NID_undef;
|
|
||||||
|
|
||||||
return mdnid;
|
|
||||||
}
|
|
||||||
|
|
||||||
int digest_is_allowed(const EVP_MD *md)
|
|
||||||
{
|
|
||||||
return (digest_get_approved_nid(md) != NID_undef);
|
|
||||||
}
|
|
||||||
|
|
||||||
int digest_rsa_sign_get_md_nid(const EVP_MD *md, int sha1_allowed)
|
|
||||||
{
|
|
||||||
return digest_get_approved_nid_with_sha1(md, sha1_allowed);
|
|
||||||
}
|
|
|
@ -11,7 +11,7 @@
|
||||||
#include <openssl/core_names.h>
|
#include <openssl/core_names.h>
|
||||||
#include <openssl/evp.h>
|
#include <openssl/evp.h>
|
||||||
#include <openssl/core.h>
|
#include <openssl/core.h>
|
||||||
#include "prov/check.h"
|
#include "prov/securitycheck.h"
|
||||||
#include "internal/nelem.h"
|
#include "internal/nelem.h"
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
|
|
@ -7,7 +7,7 @@
|
||||||
* https://www.openssl.org/source/license.html
|
* https://www.openssl.org/source/license.html
|
||||||
*/
|
*/
|
||||||
|
|
||||||
/* Functions that have different implementations for the FIPS_MODULE */
|
/* Functions that are common */
|
||||||
int rsa_check_key(const RSA *rsa, int protect);
|
int rsa_check_key(const RSA *rsa, int protect);
|
||||||
int ec_check_key(const EC_KEY *ec, int protect);
|
int ec_check_key(const EC_KEY *ec, int protect);
|
||||||
int dsa_check_key(const DSA *dsa, int sign);
|
int dsa_check_key(const DSA *dsa, int sign);
|
||||||
|
@ -15,8 +15,11 @@ int dh_check_key(const DH *dh);
|
||||||
|
|
||||||
int digest_is_allowed(const EVP_MD *md);
|
int digest_is_allowed(const EVP_MD *md);
|
||||||
int digest_get_approved_nid_with_sha1(const EVP_MD *md, int sha1_allowed);
|
int digest_get_approved_nid_with_sha1(const EVP_MD *md, int sha1_allowed);
|
||||||
int digest_rsa_sign_get_md_nid(const EVP_MD *md, ossl_unused int sha1_allowed);
|
|
||||||
|
|
||||||
/* Functions that are common */
|
/* Functions that are common */
|
||||||
int digest_md_to_nid(const EVP_MD *md, const OSSL_ITEM *it, size_t it_len);
|
int digest_md_to_nid(const EVP_MD *md, const OSSL_ITEM *it, size_t it_len);
|
||||||
int digest_get_approved_nid(const EVP_MD *md);
|
int digest_get_approved_nid(const EVP_MD *md);
|
||||||
|
|
||||||
|
/* Functions that have different implementations for the FIPS_MODULE */
|
||||||
|
int digest_rsa_sign_get_md_nid(const EVP_MD *md, int sha1_allowed);
|
||||||
|
int securitycheck_enabled(void);
|
|
@ -0,0 +1,209 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||||
|
* this file except in compliance with the License. You can obtain a copy
|
||||||
|
* in the file LICENSE in the source distribution or at
|
||||||
|
* https://www.openssl.org/source/license.html
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include "internal/deprecated.h"
|
||||||
|
|
||||||
|
#include <openssl/rsa.h>
|
||||||
|
#include <openssl/dsa.h>
|
||||||
|
#include <openssl/dh.h>
|
||||||
|
#include <openssl/ec.h>
|
||||||
|
#include <openssl/err.h>
|
||||||
|
#include <openssl/core_names.h>
|
||||||
|
#include <openssl/obj_mac.h>
|
||||||
|
#include "prov/securitycheck.h"
|
||||||
|
#include "prov/providercommonerr.h"
|
||||||
|
|
||||||
|
/*
|
||||||
|
* FIPS requires a minimum security strength of 112 bits (for encryption or
|
||||||
|
* signing), and for legacy purposes 80 bits (for decryption or verifying).
|
||||||
|
* Set protect = 1 for encryption or signing operations, or 0 otherwise. See
|
||||||
|
* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf.
|
||||||
|
*/
|
||||||
|
int rsa_check_key(const RSA *rsa, int protect)
|
||||||
|
{
|
||||||
|
#if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
|
||||||
|
if (securitycheck_enabled()) {
|
||||||
|
int sz = RSA_bits(rsa);
|
||||||
|
|
||||||
|
return protect ? (sz >= 2048) : (sz >= 1024);
|
||||||
|
}
|
||||||
|
#endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
#ifndef OPENSSL_NO_EC
|
||||||
|
/*
|
||||||
|
* In FIPS mode:
|
||||||
|
* protect should be 1 for any operations that need 112 bits of security
|
||||||
|
* strength (such as signing, and key exchange), or 0 for operations that allow
|
||||||
|
* a lower security strength (such as verify).
|
||||||
|
*
|
||||||
|
* For ECDH key agreement refer to SP800-56A
|
||||||
|
* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf
|
||||||
|
* "Appendix D"
|
||||||
|
*
|
||||||
|
* For ECDSA signatures refer to
|
||||||
|
* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
|
||||||
|
* "Table 2"
|
||||||
|
*/
|
||||||
|
int ec_check_key(const EC_KEY *ec, int protect)
|
||||||
|
{
|
||||||
|
# if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
|
||||||
|
if (securitycheck_enabled()) {
|
||||||
|
int nid, strength;
|
||||||
|
const char *curve_name;
|
||||||
|
const EC_GROUP *group = EC_KEY_get0_group(ec);
|
||||||
|
|
||||||
|
if (group == NULL) {
|
||||||
|
ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE, "No group");
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
nid = EC_GROUP_get_curve_name(group);
|
||||||
|
if (nid == NID_undef) {
|
||||||
|
ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE,
|
||||||
|
"Explicit curves are not allowed in fips mode");
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
curve_name = EC_curve_nid2nist(nid);
|
||||||
|
if (curve_name == NULL) {
|
||||||
|
ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE,
|
||||||
|
"Curve %s is not approved in FIPS mode", curve_name);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* For EC the security strength is the (order_bits / 2)
|
||||||
|
* e.g. P-224 is 112 bits.
|
||||||
|
*/
|
||||||
|
strength = EC_GROUP_order_bits(group) / 2;
|
||||||
|
/* The min security strength allowed for legacy verification is 80 bits */
|
||||||
|
if (strength < 80) {
|
||||||
|
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CURVE);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* For signing or key agreement only allow curves with at least 112 bits of
|
||||||
|
* security strength
|
||||||
|
*/
|
||||||
|
if (protect && strength < 112) {
|
||||||
|
ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE,
|
||||||
|
"Curve %s cannot be used for signing", curve_name);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
# endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
#endif /* OPENSSL_NO_EC */
|
||||||
|
|
||||||
|
#ifndef OPENSSL_NO_DSA
|
||||||
|
/*
|
||||||
|
* Check for valid key sizes if fips mode. Refer to
|
||||||
|
* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
|
||||||
|
* "Table 2"
|
||||||
|
*/
|
||||||
|
int dsa_check_key(const DSA *dsa, int sign)
|
||||||
|
{
|
||||||
|
# if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
|
||||||
|
if (securitycheck_enabled()) {
|
||||||
|
size_t L, N;
|
||||||
|
const BIGNUM *p, *q;
|
||||||
|
|
||||||
|
if (dsa == NULL)
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
p = DSA_get0_p(dsa);
|
||||||
|
q = DSA_get0_q(dsa);
|
||||||
|
if (p == NULL || q == NULL)
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
L = BN_num_bits(p);
|
||||||
|
N = BN_num_bits(q);
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Valid sizes or verification - Note this could be a fips186-2 type
|
||||||
|
* key - so we allow 512 also. When this is no longer suppported the
|
||||||
|
* lower bound should be increased to 1024.
|
||||||
|
*/
|
||||||
|
if (!sign)
|
||||||
|
return (L >= 512 && N >= 160);
|
||||||
|
|
||||||
|
/* Valid sizes for both sign and verify */
|
||||||
|
if (L == 2048 && (N == 224 || N == 256))
|
||||||
|
return 1;
|
||||||
|
return (L == 3072 && N == 256);
|
||||||
|
}
|
||||||
|
# endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
#endif /* OPENSSL_NO_DSA */
|
||||||
|
|
||||||
|
#ifndef OPENSSL_NO_DH
|
||||||
|
/*
|
||||||
|
* For DH key agreement refer to SP800-56A
|
||||||
|
* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf
|
||||||
|
* "Section 5.5.1.1FFC Domain Parameter Selection/Generation" and
|
||||||
|
* "Appendix D" FFC Safe-prime Groups
|
||||||
|
*/
|
||||||
|
int dh_check_key(const DH *dh)
|
||||||
|
{
|
||||||
|
# if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
|
||||||
|
if (securitycheck_enabled()) {
|
||||||
|
size_t L, N;
|
||||||
|
const BIGNUM *p, *q;
|
||||||
|
|
||||||
|
if (dh == NULL)
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
p = DH_get0_p(dh);
|
||||||
|
q = DH_get0_q(dh);
|
||||||
|
if (p == NULL || q == NULL)
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
L = BN_num_bits(p);
|
||||||
|
if (L < 2048)
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
/* If it is a safe prime group then it is ok */
|
||||||
|
if (DH_get_nid(dh))
|
||||||
|
return 1;
|
||||||
|
|
||||||
|
/* If not then it must be FFC, which only allows certain sizes. */
|
||||||
|
N = BN_num_bits(q);
|
||||||
|
|
||||||
|
return (L == 2048 && (N == 224 || N == 256));
|
||||||
|
}
|
||||||
|
# endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
#endif /* OPENSSL_NO_DH */
|
||||||
|
|
||||||
|
int digest_get_approved_nid_with_sha1(const EVP_MD *md, int sha1_allowed)
|
||||||
|
{
|
||||||
|
int mdnid = digest_get_approved_nid(md);
|
||||||
|
|
||||||
|
# if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
|
||||||
|
if (securitycheck_enabled()) {
|
||||||
|
if (mdnid == NID_sha1 && !sha1_allowed)
|
||||||
|
mdnid = NID_undef;
|
||||||
|
}
|
||||||
|
# endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
|
||||||
|
return mdnid;
|
||||||
|
}
|
||||||
|
|
||||||
|
int digest_is_allowed(const EVP_MD *md)
|
||||||
|
{
|
||||||
|
# if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
|
||||||
|
if (securitycheck_enabled())
|
||||||
|
return (digest_get_approved_nid(md) != NID_undef);
|
||||||
|
# endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
|
||||||
|
return 1;
|
||||||
|
}
|
|
@ -13,44 +13,13 @@
|
||||||
#include <openssl/core.h>
|
#include <openssl/core.h>
|
||||||
#include <openssl/core_names.h>
|
#include <openssl/core_names.h>
|
||||||
#include <openssl/obj_mac.h>
|
#include <openssl/obj_mac.h>
|
||||||
#include "prov/check.h"
|
#include "prov/securitycheck.h"
|
||||||
#include "internal/nelem.h"
|
#include "internal/nelem.h"
|
||||||
|
|
||||||
int rsa_check_key(ossl_unused const RSA *rsa, ossl_unused int protect)
|
/* Disable the security checks in the default provider */
|
||||||
|
int securitycheck_enabled(void)
|
||||||
{
|
{
|
||||||
return 1;
|
return 0;
|
||||||
}
|
|
||||||
|
|
||||||
#ifndef OPENSSL_NO_EC
|
|
||||||
int ec_check_key(ossl_unused const EC_KEY *ec, ossl_unused int protect)
|
|
||||||
{
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#ifndef OPENSSL_NO_DSA
|
|
||||||
int dsa_check_key(ossl_unused const DSA *dsa, ossl_unused int sign)
|
|
||||||
{
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#ifndef OPENSSL_NO_DH
|
|
||||||
int dh_check_key(const DH *dh)
|
|
||||||
{
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
|
|
||||||
int digest_is_allowed(ossl_unused const EVP_MD *md)
|
|
||||||
{
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
int digest_get_approved_nid_with_sha1(const EVP_MD *md,
|
|
||||||
ossl_unused int sha1_allowed)
|
|
||||||
{
|
|
||||||
return digest_get_approved_nid(md);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
int digest_rsa_sign_get_md_nid(const EVP_MD *md, ossl_unused int sha1_allowed)
|
int digest_rsa_sign_get_md_nid(const EVP_MD *md, ossl_unused int sha1_allowed)
|
||||||
|
@ -65,8 +34,6 @@ int digest_rsa_sign_get_md_nid(const EVP_MD *md, ossl_unused int sha1_allowed)
|
||||||
{ NID_mdc2, OSSL_DIGEST_NAME_MDC2 },
|
{ NID_mdc2, OSSL_DIGEST_NAME_MDC2 },
|
||||||
{ NID_ripemd160, OSSL_DIGEST_NAME_RIPEMD160 },
|
{ NID_ripemd160, OSSL_DIGEST_NAME_RIPEMD160 },
|
||||||
};
|
};
|
||||||
if (md == NULL)
|
|
||||||
return NID_undef;
|
|
||||||
|
|
||||||
mdnid = digest_get_approved_nid_with_sha1(md, 1);
|
mdnid = digest_get_approved_nid_with_sha1(md, 1);
|
||||||
if (mdnid == NID_undef)
|
if (mdnid == NID_undef)
|
|
@ -0,0 +1,39 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||||
|
* this file except in compliance with the License. You can obtain a copy
|
||||||
|
* in the file LICENSE in the source distribution or at
|
||||||
|
* https://www.openssl.org/source/license.html
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include "internal/deprecated.h"
|
||||||
|
|
||||||
|
#include <openssl/rsa.h>
|
||||||
|
#include <openssl/dsa.h>
|
||||||
|
#include <openssl/dh.h>
|
||||||
|
#include <openssl/ec.h>
|
||||||
|
#include <openssl/err.h>
|
||||||
|
#include <openssl/core_names.h>
|
||||||
|
#include <openssl/obj_mac.h>
|
||||||
|
#include "prov/securitycheck.h"
|
||||||
|
#include "prov/providercommonerr.h"
|
||||||
|
|
||||||
|
int securitycheck_enabled(void)
|
||||||
|
{
|
||||||
|
#if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
|
||||||
|
/* TODO(3.0): make this configurable */
|
||||||
|
return 1;
|
||||||
|
#else
|
||||||
|
return 0;
|
||||||
|
#endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
|
||||||
|
}
|
||||||
|
|
||||||
|
int digest_rsa_sign_get_md_nid(const EVP_MD *md, int sha1_allowed)
|
||||||
|
{
|
||||||
|
#if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
|
||||||
|
if (securitycheck_enabled())
|
||||||
|
return digest_get_approved_nid_with_sha1(md, sha1_allowed);
|
||||||
|
#endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
|
||||||
|
return digest_get_approved_nid(md);
|
||||||
|
}
|
|
@ -29,7 +29,7 @@
|
||||||
#include "prov/provider_ctx.h"
|
#include "prov/provider_ctx.h"
|
||||||
#include "prov/implementations.h"
|
#include "prov/implementations.h"
|
||||||
#include "prov/providercommon.h"
|
#include "prov/providercommon.h"
|
||||||
#include "prov/check.h"
|
#include "prov/securitycheck.h"
|
||||||
|
|
||||||
#include <stdlib.h>
|
#include <stdlib.h>
|
||||||
|
|
||||||
|
|
|
@ -23,7 +23,7 @@
|
||||||
#include "prov/providercommon.h"
|
#include "prov/providercommon.h"
|
||||||
#include "prov/implementations.h"
|
#include "prov/implementations.h"
|
||||||
#include "prov/provider_ctx.h"
|
#include "prov/provider_ctx.h"
|
||||||
#include "prov/check.h"
|
#include "prov/securitycheck.h"
|
||||||
#include "crypto/dh.h"
|
#include "crypto/dh.h"
|
||||||
|
|
||||||
static OSSL_FUNC_keyexch_newctx_fn dh_newctx;
|
static OSSL_FUNC_keyexch_newctx_fn dh_newctx;
|
||||||
|
|
|
@ -24,7 +24,7 @@
|
||||||
#include "prov/provider_ctx.h"
|
#include "prov/provider_ctx.h"
|
||||||
#include "prov/providercommon.h"
|
#include "prov/providercommon.h"
|
||||||
#include "prov/implementations.h"
|
#include "prov/implementations.h"
|
||||||
#include "prov/check.h"
|
#include "prov/securitycheck.h"
|
||||||
#include "crypto/ec.h" /* ecdh_KDF_X9_63() */
|
#include "crypto/ec.h" /* ecdh_KDF_X9_63() */
|
||||||
|
|
||||||
static OSSL_FUNC_keyexch_newctx_fn ecdh_newctx;
|
static OSSL_FUNC_keyexch_newctx_fn ecdh_newctx;
|
||||||
|
|
|
@ -30,7 +30,7 @@
|
||||||
#include "prov/implementations.h"
|
#include "prov/implementations.h"
|
||||||
#include "prov/providercommonerr.h"
|
#include "prov/providercommonerr.h"
|
||||||
#include "prov/provider_ctx.h"
|
#include "prov/provider_ctx.h"
|
||||||
#include "prov/check.h"
|
#include "prov/securitycheck.h"
|
||||||
#include "crypto/dsa.h"
|
#include "crypto/dsa.h"
|
||||||
#include "prov/der_dsa.h"
|
#include "prov/der_dsa.h"
|
||||||
|
|
||||||
|
|
|
@ -28,7 +28,7 @@
|
||||||
#include "prov/providercommonerr.h"
|
#include "prov/providercommonerr.h"
|
||||||
#include "prov/implementations.h"
|
#include "prov/implementations.h"
|
||||||
#include "prov/provider_ctx.h"
|
#include "prov/provider_ctx.h"
|
||||||
#include "prov/check.h"
|
#include "prov/securitycheck.h"
|
||||||
#include "crypto/ec.h"
|
#include "crypto/ec.h"
|
||||||
#include "prov/der_ec.h"
|
#include "prov/der_ec.h"
|
||||||
|
|
||||||
|
|
|
@ -30,7 +30,7 @@
|
||||||
#include "prov/implementations.h"
|
#include "prov/implementations.h"
|
||||||
#include "prov/provider_ctx.h"
|
#include "prov/provider_ctx.h"
|
||||||
#include "prov/der_rsa.h"
|
#include "prov/der_rsa.h"
|
||||||
#include "prov/check.h"
|
#include "prov/securitycheck.h"
|
||||||
|
|
||||||
#define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1
|
#define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1
|
||||||
|
|
||||||
|
|
|
@ -3443,7 +3443,14 @@ start:
|
||||||
}
|
}
|
||||||
|
|
||||||
for (pp++, i = 1; i < (t->s.numpairs - skip_availablein); pp++, i++) {
|
for (pp++, i = 1; i < (t->s.numpairs - skip_availablein); pp++, i++) {
|
||||||
if (strcmp(pp->key, "Availablein") == 0) {
|
if (strcmp(pp->key, "Securitycheck") == 0) {
|
||||||
|
#if defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
|
||||||
|
TEST_info("skipping, securitycheck is not available: %s:%d",
|
||||||
|
t->s.test_file, t->s.start);
|
||||||
|
t->skip = 1;
|
||||||
|
return 0;
|
||||||
|
#endif
|
||||||
|
} else if (strcmp(pp->key, "Availablein") == 0) {
|
||||||
TEST_info("Line %d: 'Availablein' should be the first option",
|
TEST_info("Line %d: 'Availablein' should be the first option",
|
||||||
t->s.curr);
|
t->s.curr);
|
||||||
return 0;
|
return 0;
|
||||||
|
|
|
@ -21,9 +21,10 @@ use lib bldtop_dir('.');
|
||||||
use platform;
|
use platform;
|
||||||
|
|
||||||
my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
|
my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
|
||||||
|
my $no_check = disabled('fips-securitychecks');
|
||||||
|
|
||||||
plan tests =>
|
plan tests =>
|
||||||
($no_fips ? 0 : 2) # FIPS install test
|
($no_fips ? 0 : 1 + ($no_check ? 0 : 1)) # FIPS install test
|
||||||
+ 9;
|
+ 9;
|
||||||
|
|
||||||
my @prov = ( );
|
my @prov = ( );
|
||||||
|
@ -49,17 +50,19 @@ unless ($no_fips) {
|
||||||
"fipsinstall");
|
"fipsinstall");
|
||||||
$ENV{OPENSSL_TEST_LIBCTX} = "1";
|
$ENV{OPENSSL_TEST_LIBCTX} = "1";
|
||||||
|
|
||||||
ok(!run(app(['openssl', 'pkeyutl',
|
unless ($no_check) {
|
||||||
@prov,
|
ok(!run(app(['openssl', 'pkeyutl',
|
||||||
'-encrypt',
|
@prov,
|
||||||
'-in', $msg_file,
|
'-encrypt',
|
||||||
'-inkey', $small_key_file,
|
'-in', $msg_file,
|
||||||
'-pkeyopt', 'pad-mode:oaep',
|
'-inkey', $small_key_file,
|
||||||
'-pkeyopt', 'oaep-label:123',
|
'-pkeyopt', 'pad-mode:oaep',
|
||||||
'-pkeyopt', 'digest:sha1',
|
'-pkeyopt', 'oaep-label:123',
|
||||||
'-pkeyopt', 'mgf1-digest:sha1',
|
'-pkeyopt', 'digest:sha1',
|
||||||
'-out', $enc1_file])),
|
'-pkeyopt', 'mgf1-digest:sha1',
|
||||||
"RSA OAEP Encryption with a key smaller than 2048 in fips mode should fail");
|
'-out', $enc1_file])),
|
||||||
|
"RSA OAEP Encryption with a key smaller than 2048 in fips mode should fail");
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
ok(run(app(['openssl', 'pkeyutl',
|
ok(run(app(['openssl', 'pkeyutl',
|
||||||
|
|
|
@ -294,6 +294,7 @@ Title = Fips Negative Tests (using different key sizes and digests)
|
||||||
# Test sign with a 1024 bit key is not allowed in fips mode
|
# Test sign with a 1024 bit key is not allowed in fips mode
|
||||||
Availablein = fips
|
Availablein = fips
|
||||||
DigestSign = SHA256
|
DigestSign = SHA256
|
||||||
|
Securitycheck = 1
|
||||||
Key = DSA-1024-FIPS186-2
|
Key = DSA-1024-FIPS186-2
|
||||||
Input = "Hello"
|
Input = "Hello"
|
||||||
Result = DIGESTSIGNINIT_ERROR
|
Result = DIGESTSIGNINIT_ERROR
|
||||||
|
@ -301,6 +302,7 @@ Result = DIGESTSIGNINIT_ERROR
|
||||||
# Test sign with SHA1 is not allowed in fips mode
|
# Test sign with SHA1 is not allowed in fips mode
|
||||||
Availablein = fips
|
Availablein = fips
|
||||||
DigestSign = SHA1
|
DigestSign = SHA1
|
||||||
|
Securitycheck = 1
|
||||||
Key = DSA-2048
|
Key = DSA-2048
|
||||||
Input = "Hello"
|
Input = "Hello"
|
||||||
Result = DIGESTSIGNINIT_ERROR
|
Result = DIGESTSIGNINIT_ERROR
|
||||||
|
@ -308,6 +310,7 @@ Result = DIGESTSIGNINIT_ERROR
|
||||||
# Test sign with a 3072 bit key with N == 224 is not allowed in fips mode
|
# Test sign with a 3072 bit key with N == 224 is not allowed in fips mode
|
||||||
Availablein = fips
|
Availablein = fips
|
||||||
DigestSign = SHA256
|
DigestSign = SHA256
|
||||||
|
Securitycheck = 1
|
||||||
Key = DSA-3072-224
|
Key = DSA-3072-224
|
||||||
Input = "Hello"
|
Input = "Hello"
|
||||||
Result = DIGESTSIGNINIT_ERROR
|
Result = DIGESTSIGNINIT_ERROR
|
||||||
|
@ -315,6 +318,7 @@ Result = DIGESTSIGNINIT_ERROR
|
||||||
# Test sign with a 4096 bit key is not allowed in fips mode
|
# Test sign with a 4096 bit key is not allowed in fips mode
|
||||||
Availablein = fips
|
Availablein = fips
|
||||||
DigestSign = SHA256
|
DigestSign = SHA256
|
||||||
|
Securitycheck = 1
|
||||||
Key = DSA-4096-256
|
Key = DSA-4096-256
|
||||||
Input = "Hello"
|
Input = "Hello"
|
||||||
Result = DIGESTSIGNINIT_ERROR
|
Result = DIGESTSIGNINIT_ERROR
|
||||||
|
|
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
|
@ -172,6 +172,7 @@ Title = FIPS Negative tests (using different curves and digests)
|
||||||
# Test that a explicit curve is not allowed in fips mode
|
# Test that a explicit curve is not allowed in fips mode
|
||||||
Availablein = fips
|
Availablein = fips
|
||||||
DigestVerify = SHA256
|
DigestVerify = SHA256
|
||||||
|
Securitycheck = 1
|
||||||
Key = EC_EXPLICIT
|
Key = EC_EXPLICIT
|
||||||
Input = "Hello World"
|
Input = "Hello World"
|
||||||
Result = DIGESTVERIFYINIT_ERROR
|
Result = DIGESTVERIFYINIT_ERROR
|
||||||
|
@ -179,6 +180,7 @@ Result = DIGESTVERIFYINIT_ERROR
|
||||||
# Test that a curve with < 112 bits is not allowed in fips mode for signing
|
# Test that a curve with < 112 bits is not allowed in fips mode for signing
|
||||||
Availablein = fips
|
Availablein = fips
|
||||||
DigestSign = SHA3-512
|
DigestSign = SHA3-512
|
||||||
|
Securitycheck = 1
|
||||||
Key = B-163
|
Key = B-163
|
||||||
Input = "Hello World"
|
Input = "Hello World"
|
||||||
Result = DIGESTSIGNINIT_ERROR
|
Result = DIGESTSIGNINIT_ERROR
|
||||||
|
@ -186,6 +188,7 @@ Result = DIGESTSIGNINIT_ERROR
|
||||||
# Test that a non nist curve is not allowed in fips mode
|
# Test that a non nist curve is not allowed in fips mode
|
||||||
Availablein = fips
|
Availablein = fips
|
||||||
DigestSign = SHA3-512
|
DigestSign = SHA3-512
|
||||||
|
Securitycheck = 1
|
||||||
Key = secp256k1
|
Key = secp256k1
|
||||||
Input = "Hello World"
|
Input = "Hello World"
|
||||||
Result = DIGESTSIGNINIT_ERROR
|
Result = DIGESTSIGNINIT_ERROR
|
||||||
|
|
|
@ -52,6 +52,7 @@ SharedSecret=803d8ab2e5b6e6fca715737c3a82f7ce3c783124f6d51cd0
|
||||||
|
|
||||||
Availablein = fips
|
Availablein = fips
|
||||||
Derive=KAS-ECC-CDH_P-192_C0
|
Derive=KAS-ECC-CDH_P-192_C0
|
||||||
|
Securitycheck = 1
|
||||||
PeerKey=KAS-ECC-CDH_P-192_C0-Peer-PUBLIC
|
PeerKey=KAS-ECC-CDH_P-192_C0-Peer-PUBLIC
|
||||||
Result = DERIVE_SET_PEER_ERROR
|
Result = DERIVE_SET_PEER_ERROR
|
||||||
|
|
||||||
|
|
|
@ -1297,6 +1297,7 @@ Output = 80382819f51b197c42f9fc02a85198683d918059afc013ae155992442563dd289700829
|
||||||
# Signing with SHA1 is not allowed in fips mode
|
# Signing with SHA1 is not allowed in fips mode
|
||||||
Availablein = fips
|
Availablein = fips
|
||||||
DigestSign = SHA1
|
DigestSign = SHA1
|
||||||
|
Securitycheck = 1
|
||||||
Key = RSA-2048
|
Key = RSA-2048
|
||||||
Input = "Hello"
|
Input = "Hello"
|
||||||
Result = DIGESTSIGNINIT_ERROR
|
Result = DIGESTSIGNINIT_ERROR
|
||||||
|
@ -1304,6 +1305,7 @@ Result = DIGESTSIGNINIT_ERROR
|
||||||
# Signing with a 1024 bit key is not allowed in fips mode
|
# Signing with a 1024 bit key is not allowed in fips mode
|
||||||
Availablein = fips
|
Availablein = fips
|
||||||
DigestSign = SHA256
|
DigestSign = SHA256
|
||||||
|
Securitycheck = 1
|
||||||
Key = RSA-1024
|
Key = RSA-1024
|
||||||
Input = "Hello"
|
Input = "Hello"
|
||||||
Result = DIGESTSIGNINIT_ERROR
|
Result = DIGESTSIGNINIT_ERROR
|
||||||
|
@ -1311,6 +1313,7 @@ Result = DIGESTSIGNINIT_ERROR
|
||||||
# Verifying with a legacy digest in fips mode is not allowed
|
# Verifying with a legacy digest in fips mode is not allowed
|
||||||
Availablein = fips
|
Availablein = fips
|
||||||
DigestVerify = MD5
|
DigestVerify = MD5
|
||||||
|
Securitycheck = 1
|
||||||
Key = RSA-2048
|
Key = RSA-2048
|
||||||
Input = "Hello"
|
Input = "Hello"
|
||||||
Result = DIGESTVERIFYINIT_ERROR
|
Result = DIGESTVERIFYINIT_ERROR
|
||||||
|
@ -1318,6 +1321,7 @@ Result = DIGESTVERIFYINIT_ERROR
|
||||||
# Verifying with a key smaller than 1024 bits in fips mode is not allowed
|
# Verifying with a key smaller than 1024 bits in fips mode is not allowed
|
||||||
Availablein = fips
|
Availablein = fips
|
||||||
DigestVerify = SHA256
|
DigestVerify = SHA256
|
||||||
|
Securitycheck = 1
|
||||||
Key = RSA-512
|
Key = RSA-512
|
||||||
Input = "Hello"
|
Input = "Hello"
|
||||||
Result = DIGESTVERIFYINIT_ERROR
|
Result = DIGESTVERIFYINIT_ERROR
|
||||||
|
|
Loading…
Reference in New Issue