openssl/providers/common/include/prov/securitycheck.h

/*
 * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include "crypto/types.h"

/* Functions that are common */
int ossl_rsa_check_key(OSSL_LIB_CTX *ctx, const RSA *rsa, int operation);
int ossl_ec_check_key(OSSL_LIB_CTX *ctx, const EC_KEY *ec, int protect);
int ossl_dsa_check_key(OSSL_LIB_CTX *ctx, const DSA *dsa, int sign);
int ossl_dh_check_key(OSSL_LIB_CTX *ctx, const DH *dh);

int ossl_digest_is_allowed(OSSL_LIB_CTX *ctx, const EVP_MD *md);
/* With security check enabled it can return -1 to indicate disallowed md */
int ossl_digest_get_approved_nid_with_sha1(OSSL_LIB_CTX *ctx, const EVP_MD *md,
                                           int sha1_allowed);

/* Functions that are common */
int ossl_digest_md_to_nid(const EVP_MD *md, const OSSL_ITEM *it, size_t it_len);
int ossl_digest_get_approved_nid(const EVP_MD *md);

/* Functions that have different implementations for the FIPS_MODULE */
int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md,
                                    int sha1_allowed);
int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx);
int ossl_tls1_prf_ems_check_enabled(OSSL_LIB_CTX *libctx);
Separate fips and non fips code for key operations Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12745) 2020-08-29 15:59:07 +08:00			`/*`
Update copyright year Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14512) 2021-03-11 21:27:36 +08:00			`* Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.`
Separate fips and non fips code for key operations Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12745) 2020-08-29 15:59:07 +08:00			`*`
			`* Licensed under the Apache License 2.0 (the "License"). You may not use`
			`* this file except in compliance with the License. You can obtain a copy`
			`* in the file LICENSE in the source distribution or at`
			`* https://www.openssl.org/source/license.html`
			`*/`

Deprecate RSA harder This deprecates all functions that deal with the types RSA and RSA_METHOD Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/13096) 2020-10-04 22:34:31 +08:00			`#include "crypto/types.h"`

Add 'fips-securitychecks' option and plumb this into the actual fips checks Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12745) 2020-09-04 15:55:28 +08:00			`/* Functions that are common */`
Store some FIPS global variables in the FIPS_GLOBAL structure We had some FIPS global variables that were based on values from the config file. In theory if two instances of the fips module are loaded they could be based on different config files which would cause this to fail. Instead we store them in the FIPS_GLOBAL structure. Fixes #14364 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14814) 2021-04-10 00:26:34 +08:00			`int ossl_rsa_check_key(OSSL_LIB_CTX ctx, const RSA rsa, int operation);`
			`int ossl_ec_check_key(OSSL_LIB_CTX ctx, const EC_KEY ec, int protect);`
			`int ossl_dsa_check_key(OSSL_LIB_CTX ctx, const DSA dsa, int sign);`
			`int ossl_dh_check_key(OSSL_LIB_CTX ctx, const DH dh);`
Separate fips and non fips code for key operations Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12745) 2020-08-29 15:59:07 +08:00
Store some FIPS global variables in the FIPS_GLOBAL structure We had some FIPS global variables that were based on values from the config file. In theory if two instances of the fips module are loaded they could be based on different config files which would cause this to fail. Instead we store them in the FIPS_GLOBAL structure. Fixes #14364 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14814) 2021-04-10 00:26:34 +08:00			`int ossl_digest_is_allowed(OSSL_LIB_CTX ctx, const EVP_MD md);`
Allow arbitrary digests with ECDSA and DSA Unless the FIPS security check is enabled we allow arbitrary digests with ECDSA and DSA. Fixes #14696 Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15220) 2021-05-10 22:51:39 +08:00			`/* With security check enabled it can return -1 to indicate disallowed md */`
Store some FIPS global variables in the FIPS_GLOBAL structure We had some FIPS global variables that were based on values from the config file. In theory if two instances of the fips module are loaded they could be based on different config files which would cause this to fail. Instead we store them in the FIPS_GLOBAL structure. Fixes #14364 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14814) 2021-04-10 00:26:34 +08:00			`int ossl_digest_get_approved_nid_with_sha1(OSSL_LIB_CTX ctx, const EVP_MD md,`
			`int sha1_allowed);`
Separate fips and non fips code for key operations Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12745) 2020-08-29 15:59:07 +08:00
			`/* Functions that are common */`
Fix external symbols related to provider related security checks for keys and digests. Partial fix for #12964 This adds ossl_ names for the following symbols: digest_get_approved_nid, digest_get_approved_nid_with_sha1 digest_is_allowed, digest_md_to_nid, digest_rsa_sign_get_md_nid, securitycheck_enabled, dh_check_key, dsa_check_key, ec_check_key, Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14211) 2021-02-17 18:01:34 +08:00			`int ossl_digest_md_to_nid(const EVP_MD md, const OSSL_ITEM it, size_t it_len);`
			`int ossl_digest_get_approved_nid(const EVP_MD *md);`
Add 'fips-securitychecks' option and plumb this into the actual fips checks Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12745) 2020-09-04 15:55:28 +08:00
			`/* Functions that have different implementations for the FIPS_MODULE */`
Store some FIPS global variables in the FIPS_GLOBAL structure We had some FIPS global variables that were based on values from the config file. In theory if two instances of the fips module are loaded they could be based on different config files which would cause this to fail. Instead we store them in the FIPS_GLOBAL structure. Fixes #14364 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14814) 2021-04-10 00:26:34 +08:00			`int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX ctx, const EVP_MD md,`
			`int sha1_allowed);`
			`int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx);`
Add option to FIPS module to enforce EMS check during KDF TLS1_PRF. Fixes #19989 Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20241) 2023-02-08 15:22:43 +08:00			`int ossl_tls1_prf_ems_check_enabled(OSSL_LIB_CTX *libctx);`