2 * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include "internal/deprecated.h"
12 #include <openssl/rsa.h>
13 #include <openssl/dsa.h>
14 #include <openssl/dh.h>
15 #include <openssl/ec.h>
16 #include <openssl/err.h>
17 #include <openssl/core_names.h>
18 #include <openssl/obj_mac.h>
19 #include "prov/check.h"
20 #include "prov/providercommonerr.h"
23 * FIPS requires a minimum security strength of 112 bits (for encryption or
24 * signing), and for legacy purposes 80 bits (for decryption or verifying).
25 * Set protect = 1 for encryption or signing operations, or 0 otherwise.
27 int rsa_check_key(const RSA *rsa, int protect)
29 int sz = RSA_bits(rsa);
31 return protect ? (sz >= 2048) : (sz >= 1024);
37 * protect should be 1 for any operations that need 112 bits of security
38 * strength (such as signing, and key exchange), or 0 for operations that allow
39 * a lower security strength (such as verify).
41 * For ECDH key agreement refer to SP800-56A
42 * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf
45 * For ECDSA signatures refer to
46 * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
49 int ec_check_key(const EC_KEY *ec, int protect)
52 const char *curve_name;
53 const EC_GROUP *group = EC_KEY_get0_group(ec);
56 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE, "No group");
59 nid = EC_GROUP_get_curve_name(group);
60 if (nid == NID_undef) {
61 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE,
62 "Explicit curves are not allowed in fips mode");
66 curve_name = EC_curve_nid2nist(nid);
67 if (curve_name == NULL) {
68 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE,
69 "Curve %s is not approved in FIPS mode", curve_name);
74 * For EC the security strength is the (order_bits / 2)
75 * e.g. P-224 is 112 bits.
77 strength = EC_GROUP_order_bits(group) / 2;
78 /* The min security strength allowed for legacy verification is 80 bits */
80 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CURVE);
85 * For signing or key agreement only allow curves with at least 112 bits of
88 if (protect && strength < 112) {
89 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE,
90 "Curve %s cannot be used for signing", curve_name);
95 #endif /* OPENSSL_NO_EC */
97 #ifndef OPENSSL_NO_DSA
99 * Check for valid key sizes if fips mode. Refer to
100 * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
103 int dsa_check_key(const DSA *dsa, int sign)
113 if (p == NULL || q == NULL)
120 * Valid sizes or verification - Note this could be a fips186-2 type
121 * key - so we allow 512 also. When this is no longer suppported the
122 * lower bound should be increased to 1024.
125 return (L >= 512 && N >= 160);
127 /* Valid sizes for both sign and verify */
128 if (L == 2048 && (N == 224 || N == 256))
130 return (L == 3072 && N == 256);
132 #endif /* OPENSSL_NO_DSA */
134 #ifndef OPENSSL_NO_DH
136 * For DH key agreement refer to SP800-56A
137 * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf
138 * "Section 5.5.1.1FFC Domain Parameter Selection/Generation" and
139 * "Appendix D" FFC Safe-prime Groups
141 int dh_check_key(const DH *dh)
151 if (p == NULL || q == NULL)
158 /* If it is a safe prime group then it is ok */
162 /* If not then it must be FFC, which only allows certain sizes. */
165 return (L == 2048 && (N == 224 || N == 256));
167 #endif /* OPENSSL_NO_DH */
169 int digest_get_approved_nid_with_sha1(const EVP_MD *md, int sha1_allowed)
171 int mdnid = digest_get_approved_nid(md);
173 if (mdnid == NID_sha1 && !sha1_allowed)
179 int digest_is_allowed(const EVP_MD *md)
181 return (digest_get_approved_nid(md) != NID_undef);
184 int digest_rsa_sign_get_md_nid(const EVP_MD *md, int sha1_allowed)
186 return digest_get_approved_nid_with_sha1(md, sha1_allowed);