| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134 |
- /*
- * Copyright 2020-2025 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License"). You may not use
- * this file except in compliance with the License. You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
- #include "internal/deprecated.h"
- #include <openssl/rsa.h>
- #include <openssl/dsa.h>
- #include <openssl/dh.h>
- #include <openssl/ec.h>
- #include <openssl/err.h>
- #include <openssl/proverr.h>
- #include <openssl/core_names.h>
- #include <openssl/obj_mac.h>
- #include "prov/securitycheck.h"
- int ossl_fips_config_securitycheck_enabled(OSSL_LIB_CTX *libctx)
- {
- #if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
- return ossl_fips_config_security_checks(libctx);
- #else
- return 0;
- #endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
- }
- int ossl_digest_rsa_sign_get_md_nid(const EVP_MD *md)
- {
- return ossl_digest_get_approved_nid(md);
- }
- int ossl_fips_ind_rsa_key_check(OSSL_FIPS_IND *ind, int id,
- OSSL_LIB_CTX *libctx,
- const RSA *rsa, const char *desc, int protect)
- {
- int key_approved = ossl_rsa_check_key_size(rsa, protect);
- if (!key_approved) {
- if (!ossl_FIPS_IND_on_unapproved(ind, id, libctx, desc, "Key size",
- ossl_fips_config_securitycheck_enabled)) {
- ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH,
- "operation: %s", desc);
- return 0;
- }
- }
- return 1;
- }
- # ifndef OPENSSL_NO_EC
- int ossl_fips_ind_ec_key_check(OSSL_FIPS_IND *ind, int id,
- OSSL_LIB_CTX *libctx,
- const EC_GROUP *group, const char *desc,
- int protect)
- {
- int curve_allowed, strength_allowed;
- if (group == NULL)
- return 0;
- curve_allowed = ossl_ec_check_curve_allowed(group);
- strength_allowed = ossl_ec_check_security_strength(group, protect);
- if (!strength_allowed || !curve_allowed) {
- if (!ossl_FIPS_IND_on_unapproved(ind, id, libctx, desc, "EC Key",
- ossl_fips_config_securitycheck_enabled)) {
- if (!curve_allowed)
- ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CURVE);
- if (!strength_allowed)
- ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
- return 0;
- }
- }
- return 1;
- }
- #endif
- int ossl_fips_ind_digest_exch_check(OSSL_FIPS_IND *ind, int id,
- OSSL_LIB_CTX *libctx,
- const EVP_MD *md, const char *desc)
- {
- int nid = ossl_digest_get_approved_nid(md);
- int approved = (nid != NID_undef && nid != NID_sha1);
- if (!approved) {
- if (!ossl_FIPS_IND_on_unapproved(ind, id, libctx, desc, "Digest",
- ossl_fips_config_securitycheck_enabled)) {
- ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST);
- return 0;
- }
- }
- return 1;
- }
- int ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND *ind, int id,
- OSSL_LIB_CTX *libctx,
- int nid, int sha1_allowed,
- int sha512_trunc_allowed,
- const char *desc,
- OSSL_FIPS_IND_CHECK_CB *config_check_f)
- {
- int approved;
- const char *op = "none";
- switch (nid) {
- case NID_undef:
- approved = 0;
- break;
- case NID_sha512_224:
- case NID_sha512_256:
- approved = sha512_trunc_allowed;
- op = "Digest Truncated SHA512";
- break;
- case NID_sha1:
- approved = sha1_allowed;
- op = "Digest SHA1";
- break;
- default:
- approved = 1;
- break;
- }
- if (!approved) {
- if (!ossl_FIPS_IND_on_unapproved(ind, id, libctx, desc, op,
- config_check_f)) {
- ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST);
- return 0;
- }
- }
- return 1;
- }
|
