xref: /src/crypto/openssl/providers/common/securitycheck.c (revision f25b8c9fb4f58cf61adb47d7570abe7caa6d385d) 
1 /*
2  * Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the Apache License 2.0 (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 
10 #include "internal/deprecated.h"
11 
12 #include <openssl/rsa.h>
13 #include <openssl/dsa.h>
14 #include <openssl/dh.h>
15 #include <openssl/ec.h>
16 #include <openssl/evp.h>
17 #include <openssl/err.h>
18 #include <openssl/proverr.h>
19 #include <openssl/core_names.h>
20 #include <openssl/obj_mac.h>
21 #include "prov/securitycheck.h"
22 
23 #define OSSL_FIPS_MIN_SECURITY_STRENGTH_BITS 112
24 
ossl_rsa_key_op_get_protect(const RSA * rsa,int operation,int * outprotect)25 int ossl_rsa_key_op_get_protect(const RSA *rsa, int operation, int *outprotect)
26 {
27     int protect = 0;
28 
29     switch (operation) {
30     case EVP_PKEY_OP_SIGN:
31     case EVP_PKEY_OP_SIGNMSG:
32         protect = 1;
33         /* fallthrough */
34     case EVP_PKEY_OP_VERIFY:
35     case EVP_PKEY_OP_VERIFYMSG:
36         break;
37     case EVP_PKEY_OP_ENCAPSULATE:
38     case EVP_PKEY_OP_ENCRYPT:
39         protect = 1;
40         /* fallthrough */
41     case EVP_PKEY_OP_VERIFYRECOVER:
42     case EVP_PKEY_OP_DECAPSULATE:
43     case EVP_PKEY_OP_DECRYPT:
44         if (RSA_test_flags(rsa,
45                 RSA_FLAG_TYPE_MASK)
46             == RSA_FLAG_TYPE_RSASSAPSS) {
47             ERR_raise_data(ERR_LIB_PROV,
48                 PROV_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE,
49                 "operation: %d", operation);
50             return 0;
51         }
52         break;
53     default:
54         ERR_raise_data(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR,
55             "invalid operation: %d", operation);
56         return 0;
57     }
58     *outprotect = protect;
59     return 1;
60 }
61 
62 /*
63  * FIPS requires a minimum security strength of 112 bits (for encryption or
64  * signing), and for legacy purposes 80 bits (for decryption or verifying).
65  * Set protect = 1 for encryption or signing operations, or 0 otherwise. See
66  * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf.
67  */
ossl_rsa_check_key_size(const RSA * rsa,int protect)68 int ossl_rsa_check_key_size(const RSA *rsa, int protect)
69 {
70     int sz = RSA_bits(rsa);
71 
72     if (protect ? (sz < 2048) : (sz < 1024))
73         return 0;
74     return 1;
75 }
76 
77 /*
78  * FIPS requires a minimum security strength of 112 bits for key-derivation key.
79  * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf.
80  */
ossl_kdf_check_key_size(size_t keylen)81 int ossl_kdf_check_key_size(size_t keylen)
82 {
83     return (keylen * 8) >= OSSL_FIPS_MIN_SECURITY_STRENGTH_BITS;
84 }
85 
ossl_mac_check_key_size(size_t keylen)86 int ossl_mac_check_key_size(size_t keylen)
87 {
88     return ossl_kdf_check_key_size(keylen);
89 }
90 
91 #ifndef OPENSSL_NO_EC
92 
ossl_ec_check_curve_allowed(const EC_GROUP * group)93 int ossl_ec_check_curve_allowed(const EC_GROUP *group)
94 {
95     const char *curve_name;
96     int nid = EC_GROUP_get_curve_name(group);
97 
98     /* Explicit curves are not FIPS approved */
99     if (nid == NID_undef)
100         return 0;
101     /* Only NIST curves are FIPS approved */
102     curve_name = EC_curve_nid2nist(nid);
103     if (curve_name == NULL)
104         return 0;
105     return 1;
106 }
107 
108 /*
109  * In FIPS mode:
110  * protect should be 1 for any operations that need 112 bits of security
111  * strength (such as signing, and key exchange), or 0 for operations that allow
112  * a lower security strength (such as verify).
113  *
114  * For ECDH key agreement refer to SP800-56A
115  * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf
116  * "Appendix D"
117  *
118  * For ECDSA signatures refer to
119  * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
120  * "Table 2"
121  */
ossl_ec_check_security_strength(const EC_GROUP * group,int protect)122 int ossl_ec_check_security_strength(const EC_GROUP *group, int protect)
123 {
124     /*
125      * For EC the security strength is the (order_bits / 2)
126      * e.g. P-224 is 112 bits.
127      */
128     int strength = EC_GROUP_order_bits(group) / 2;
129     /* The min security strength allowed for legacy verification is 80 bits */
130     if (strength < 80)
131         return 0;
132     /*
133      * For signing or key agreement only allow curves with at least 112 bits of
134      * security strength
135      */
136     if (protect && strength < OSSL_FIPS_MIN_SECURITY_STRENGTH_BITS)
137         return 0;
138     return 1;
139 }
140 
141 #endif /* OPENSSL_NO_EC */
142 
143 #ifndef OPENSSL_NO_DSA
144 /*
145  * Check for valid key sizes if fips mode. Refer to
146  * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
147  * "Table 2"
148  */
ossl_dsa_check_key(const DSA * dsa,int sign)149 int ossl_dsa_check_key(const DSA *dsa, int sign)
150 {
151     size_t L, N;
152     const BIGNUM *p, *q;
153 
154     if (dsa == NULL)
155         return 0;
156 
157     p = DSA_get0_p(dsa);
158     q = DSA_get0_q(dsa);
159     if (p == NULL || q == NULL)
160         return 0;
161 
162     L = BN_num_bits(p);
163     N = BN_num_bits(q);
164 
165     /*
166      * For Digital signature verification DSA keys with < 112 bits of
167      * security strength, are still allowed for legacy
168      * use. The bounds given in SP 800-131Ar2 - Table 2 are
169      * (512 <= L < 2048 or 160 <= N < 224).
170      *
171      * We are a little stricter and insist that both minimums are met.
172      * For example a L = 256, N = 160 key *would* be allowed by SP 800-131Ar2
173      * but we don't.
174      */
175     if (!sign) {
176         if (L < 512 || N < 160)
177             return 0;
178         if (L < 2048 || N < 224)
179             return 1;
180     }
181 
182     /* Valid sizes for both sign and verify */
183     if (L == 2048 && (N == 224 || N == 256)) /* 112 bits */
184         return 1;
185     return (L == 3072 && N == 256); /* 128 bits */
186 }
187 #endif /* OPENSSL_NO_DSA */
188 
189 #ifndef OPENSSL_NO_DH
190 /*
191  * For DH key agreement refer to SP800-56A
192  * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf
193  * "Section 5.5.1.1FFC Domain Parameter Selection/Generation" and
194  * "Appendix D" FFC Safe-prime Groups
195  */
ossl_dh_check_key(const DH * dh)196 int ossl_dh_check_key(const DH *dh)
197 {
198     size_t L, N;
199     const BIGNUM *p, *q;
200 
201     if (dh == NULL)
202         return 0;
203 
204     p = DH_get0_p(dh);
205     q = DH_get0_q(dh);
206     if (p == NULL || q == NULL)
207         return 0;
208 
209     L = BN_num_bits(p);
210     if (L < 2048)
211         return 0;
212 
213     /* If it is a safe prime group then it is ok */
214     if (DH_get_nid(dh))
215         return 1;
216 
217     /* If not then it must be FFC, which only allows certain sizes. */
218     N = BN_num_bits(q);
219 
220     return (L == 2048 && (N == 224 || N == 256));
221 }
222 #endif /* OPENSSL_NO_DH */
223