Merge pull request #118 from haydenroche5/fips_ctrl_cmd

cconlon · web-flow · commit 6499cab78718 · 2021-04-30T17:30:42.000-06:00
Add control command to enable/disable FIPS checks at runtime.
diff --git a/include/wolfengine/we_internal.h b/include/wolfengine/we_internal.h
@@ -78,6 +78,13 @@
 
 #include <wolfengine/we_logging.h>
 
+#if defined(HAVE_FIPS) || defined(HAVE_FIPS_VERSION)
+/*
+ * Global FIPS checks flag.
+ */
+extern int fipsChecks;
+#endif /* HAVE_FIPS || HAVE_FIPS_VERSION */
+
 /*
  * Global random
  */
diff --git a/src/we_internal.c b/src/we_internal.c
@@ -22,6 +22,10 @@
 #include <wolfengine/we_wolfengine.h>
 #include <wolfengine/we_internal.h>
 
+#if defined(HAVE_FIPS) || defined(HAVE_FIPS_VERSION)
+int fipsChecks = 1;
+#endif /* HAVE_FIPS || HAVE_FIPS_VERSION */
+
 /** Engine bound to. */
 static ENGINE *bound = NULL;
 
@@ -1054,6 +1058,7 @@ static int wolfengine_destroy(ENGINE *e)
 #define WOLFENGINE_CMD_SET_LOG_LEVEL         (ENGINE_CMD_BASE + 1)
 #define WOLFENGINE_CMD_SET_LOG_COMPONENTS    (ENGINE_CMD_BASE + 2)
 #define WOLFENGINE_CMD_SET_LOGGING_CB        (ENGINE_CMD_BASE + 3)
+#define WOLFENGINE_CMD_ENABLE_FIPS_CHECKS    (ENGINE_CMD_BASE + 4)
 
 /**
  * wolfEngine control command list.
@@ -1105,6 +1110,10 @@ static ENGINE_CMD_DEFN wolfengine_cmd_defns[] = {
       "set_logging_cb",
       "Set wolfEngine logging callback",
       ENGINE_CMD_FLAG_INTERNAL },
+    { WOLFENGINE_CMD_ENABLE_FIPS_CHECKS,
+      "enable_fips_checks",
+      "Enable wolfEngine FIPS checks (1=enable, 0=disable)",
+      ENGINE_CMD_FLAG_NUMERIC },
 
     /* last element MUST be NULL/0 entry, do not remove */
     {0, NULL, NULL, 0}
@@ -1147,7 +1156,8 @@ static int wolfengine_ctrl(ENGINE* e, int cmd, long i, void* p,
                 if (wolfEngine_Debugging_ON() < 0) {
                     ret = 0;
                 }
-            } else {
+            }
+            else {
                 wolfEngine_Debugging_OFF();
             }
             break;
@@ -1171,11 +1181,26 @@ static int wolfengine_ctrl(ENGINE* e, int cmd, long i, void* p,
                 WOLFENGINE_ERROR_MSG(WE_LOG_ENGINE, 
                         "Error registering wolfEngine logging callback");
                 ret = 0;
-            } else {
+            }
+            else {
                 WOLFENGINE_MSG(WE_LOG_ENGINE,
                                "wolfEngine user logging callback registered");
             }
             break;
+        case WOLFENGINE_CMD_ENABLE_FIPS_CHECKS:
+        #if defined(HAVE_FIPS) || defined(HAVE_FIPS_VERSION)
+            if (i > 0) {
+                fipsChecks = 1;
+            }
+            else {
+                fipsChecks = 0;
+            }
+        #else
+            WOLFENGINE_MSG(WE_LOG_ENGINE, "Control command "
+                "WOLFENGINE_CMD_ENABLE_FIPS_CHECKS has no effect when "
+                "wolfCrypt isn't FIPS.");
+        #endif /* HAVE_FIPS || HAVE_FIPS_VERSION */
+            break;
         default:
             XSNPRINTF(errBuff, sizeof(errBuff), "Unsupported ctrl type %d",
                       cmd);
diff --git a/src/we_rsa.c b/src/we_rsa.c
@@ -85,19 +85,23 @@ static int we_check_rsa_key_size(int size, int allow1024) {
     char errBuff[WOLFENGINE_MAX_LOG_WIDTH];
 
 #if defined(HAVE_FIPS) || defined(HAVE_FIPS_VERSION)
-    ret = size == 2048 || size == 3072 || size == 4096;
-    if (allow1024 == 1) {
-        ret |= size == 1024;
+    if (fipsChecks == 1) {
+        ret = size == 2048 || size == 3072 || size == 4096;
+        if (allow1024 == 1) {
+            ret |= size == 1024;
+        }
     }
-#else
-    (void)allow1024;
-    ret = size >= RSA_MIN_SIZE && size <= RSA_MAX_SIZE;
+    else 
 #endif /* HAVE_FIPS || HAVE_FIPS_VERSION */
+    {
+        (void)allow1024;
+        ret = size >= RSA_MIN_SIZE && size <= RSA_MAX_SIZE;
 
-    if (ret == 0) {
-        XSNPRINTF(errBuff, sizeof(errBuff), "RSA key size %d not allowed.",
-                  size);
-        WOLFENGINE_ERROR_MSG(WE_LOG_PK, errBuff);
+        if (ret == 0) {
+            XSNPRINTF(errBuff, sizeof(errBuff), "RSA key size %d not allowed.",
+                      size);
+            WOLFENGINE_ERROR_MSG(WE_LOG_PK, errBuff);
+        }
     }
 
     return ret;
diff --git a/test/test_rsa.c b/test/test_rsa.c
@@ -597,6 +597,23 @@ int test_rsa_direct_key_gen(ENGINE *e, void *data)
                                       NULL) != 0;
         }
     }
+#if defined(HAVE_FIPS) || defined(HAVE_FIPS_VERSION)
+    if (err == 0) {
+        PRINT_MSG("Check that disabling FIPS checks allows 1024-bit key gen.");
+        err = ENGINE_ctrl_cmd(e, "enable_fips_checks", 0, NULL, NULL, 0) == 0;
+    }
+    if (err == 0) {
+        err = RSA_generate_key_ex(rsaKey, 1024, pubExp, NULL) == 0;
+    }
+    if (err == 0) {
+        PRINT_MSG("Check that re-enabling FIPS checks disallows 1024-bit key "
+            "gen.");
+        err = ENGINE_ctrl_cmd(e, "enable_fips_checks", 1, NULL, NULL, 0) == 0;
+    }
+    if (err == 0) {
+        err = RSA_generate_key_ex(rsaKey, 1024, pubExp, NULL) != 0;
+    }
+#endif /* HAVE_FIPS || HAVE_FIPS_VERSION */
 
     if (pubExp != NULL) {
         BN_free(pubExp);
