Merge pull request #128 from haydenroche5/fips_restrictions

cconlon · web-flow · commit ff4bde391be9 · 2021-05-14T15:04:21.000-06:00
Allow user to enable/disable individual FIPS checks.
diff --git a/include/include.am b/include/include.am
@@ -3,7 +3,8 @@
 #
 
 noinst_HEADERS += include/wolfengine/we_internal.h \
-                  include/wolfengine/we_logging.h \
-                  include/wolfengine/we_openssl_bc.h
+                  include/wolfengine/we_openssl_bc.h 
 
-pkginclude_HEADERS = include/wolfengine/we_wolfengine.h
+pkginclude_HEADERS = include/wolfengine/we_wolfengine.h \
+                     include/wolfengine/we_logging.h \
+                     include/wolfengine/we_fips.h
diff --git a/include/wolfengine/we_fips.h b/include/wolfengine/we_fips.h
@@ -0,0 +1,54 @@
+/* we_fips.h
+ *
+ * Copyright (C) 2019-2021 wolfSSL Inc.
+ *
+ * This file is part of wolfengine.
+ *
+ * wolfengine is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfengine is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#ifndef WE_FIPS_H
+#define WE_FIPS_H
+
+#ifdef WOLFENGINE_USER_SETTINGS
+    #include "user_settings.h"
+#endif
+
+#include <wolfssl/options.h>
+
+enum wolfEngine_FipsCheck {
+    /* check that RSA key size is valid */
+    WE_FIPS_CHECK_RSA_KEY_SIZE   = 0x0001,
+    /* check that P-192 usage is valid */
+    WE_FIPS_CHECK_P192           = 0x0002,
+    /* check that RSA signature with SHA-1 digest is valid  */
+    WE_FIPS_CHECK_RSA_SHA1       = 0x0004,
+
+    /* default FIPS checks (all with wolfCrypt FIPS, none without) */
+#if defined(HAVE_FIPS) || defined(HAVE_FIPS_VERSION)
+    WE_FIPS_CHECKS_DEFAULT = (WE_FIPS_CHECK_RSA_KEY_SIZE
+                            | WE_FIPS_CHECK_P192
+                            | WE_FIPS_CHECK_RSA_SHA1)
+#else
+    WE_FIPS_CHECKS_DEFAULT = 0
+#endif /* HAVE_FIPS || HAVE_FIPS_VERSION */
+};
+
+/* Set FIPS checks, bitmask of wolfEngine_FipsCheck. */
+void wolfEngine_SetFipsChecks(long checksMask);
+/* Get FIPS checks mask. */
+long wolfEngine_GetFipsChecks(void);
+
+#endif /* WE_FIPS_H */
diff --git a/include/wolfengine/we_internal.h b/include/wolfengine/we_internal.h
@@ -79,6 +79,7 @@
 #include <wolfengine/we_openssl_bc.h>
 
 #include <wolfengine/we_logging.h>
+#include <wolfengine/we_fips.h>
 
 #if defined(__IAR_SYSTEMS_ICC__) || defined(__GNUC__)
     /* Function is a printf style function. Pretend parameter is string literal.
@@ -91,13 +92,6 @@
     #define WE_PRINTF_FUNC(s, v)
 #endif
 
-#if defined(HAVE_FIPS) || defined(HAVE_FIPS_VERSION)
-/*
- * Global FIPS checks flag.
- */
-extern int fipsChecks;
-#endif /* HAVE_FIPS || HAVE_FIPS_VERSION */
-
 /*
  * Global random
  */
diff --git a/src/include.am b/src/include.am
@@ -22,4 +22,4 @@ libwolfengine_la_SOURCES += src/we_random.c
 libwolfengine_la_SOURCES += src/we_rsa.c
 libwolfengine_la_SOURCES += src/we_tls_prf.c
 libwolfengine_la_SOURCES += src/we_wolfengine.c
-
+libwolfengine_la_SOURCES += src/we_fips.c
diff --git a/src/we_ecc.c b/src/we_ecc.c
@@ -41,12 +41,11 @@ static int we_ecc_check_curve_usage(int curveId) {
 
     WOLFENGINE_ENTER(WE_LOG_PK, "we_ecc_check_curve_usage");
 
-#if defined(HAVE_FIPS) || defined(HAVE_FIPS_VERSION)
-    if (fipsChecks == 1 && curveId == ECC_SECP192R1) {
+    if ((wolfEngine_GetFipsChecks() & WE_FIPS_CHECK_P192) &&
+        (curveId == ECC_SECP192R1)) {
         ret = 0;
         WOLFENGINE_ERROR_MSG(WE_LOG_PK, "P-192 isn't allowed in FIPS mode.");
     }
-#endif /* HAVE_FIPS || HAVE_FIPS_VERSION */
 
     WOLFENGINE_LEAVE(WE_LOG_PK, "we_ecc_check_curve_usage", ret);
 
diff --git a/src/we_fips.c b/src/we_fips.c
@@ -0,0 +1,49 @@
+/* we_fips.c
+ *
+ * Copyright (C) 2006-2021 wolfSSL Inc.
+ *
+ * This file is part of wolfengine.
+ *
+ * wolfengine is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfengine is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#include <wolfengine/we_fips.h>
+
+/* Bitmask of FIPS checks in wolfEngine_FipsCheck. Can be set by application
+ * through ENGINE_ctrl command. Defaults to all checks if using wolfCrypt FIPS
+ * and no checks if not. */
+static long fipsChecks = WE_FIPS_CHECKS_DEFAULT;
+
+/**
+ * Set wolfEngine FIPS checks.
+ * Default FIPS checks for wolfEngine is WE_FIPS_CHECKS_DEFAULT.
+ *
+ * @param checksMask  [in]  Bitmask of FIPS checks from wolfEngine_FipsCheck in
+ *                          we_fips.h.
+ */
+void wolfEngine_SetFipsChecks(long checksMask)
+{
+    fipsChecks = checksMask;
+}
+
+/**
+ * Get wolfEngine FIPS checks mask.
+ *
+ * @return  The FIPS checks mask.
+ */
+long wolfEngine_GetFipsChecks()
+{
+    return fipsChecks;
+}
diff --git a/src/we_internal.c b/src/we_internal.c
@@ -22,10 +22,6 @@
 #include <wolfengine/we_wolfengine.h>
 #include <wolfengine/we_internal.h>
 
-#if defined(HAVE_FIPS) || defined(HAVE_FIPS_VERSION)
-int fipsChecks = 1;
-#endif /* HAVE_FIPS || HAVE_FIPS_VERSION */
-
 /** Engine bound to. */
 static ENGINE *bound = NULL;
 
@@ -1194,12 +1190,7 @@ static int wolfengine_ctrl(ENGINE* e, int cmd, long i, void* p,
             break;
         case WOLFENGINE_CMD_ENABLE_FIPS_CHECKS:
         #if defined(HAVE_FIPS) || defined(HAVE_FIPS_VERSION)
-            if (i > 0) {
-                fipsChecks = 1;
-            }
-            else {
-                fipsChecks = 0;
-            }
+            wolfEngine_SetFipsChecks(i);
         #else
             WOLFENGINE_MSG(WE_LOG_ENGINE, "Control command "
                 "WOLFENGINE_CMD_ENABLE_FIPS_CHECKS has no effect when "
diff --git a/src/we_logging.c b/src/we_logging.c
@@ -102,7 +102,7 @@ void wolfEngine_Debugging_OFF(void)
 
 /**
  * Set wolfEngine logging level.
- * Deafult logging level for wolfEngine is WE_LOG_LEVEL_DEFAULT.
+ * Default logging level for wolfEngine is WE_LOG_LEVEL_DEFAULT.
  *
  * @param levelMask [IN] Bitmask of logging levels from wolfEngine_LogType
  *                  in we_logging.h.
diff --git a/src/we_rsa.c b/src/we_rsa.c
@@ -84,16 +84,13 @@ static int we_check_rsa_key_size(int size, int allow1024) {
     int ret = 0;
     char errBuff[WOLFENGINE_MAX_LOG_WIDTH];
 
-#if defined(HAVE_FIPS) || defined(HAVE_FIPS_VERSION)
-    if (fipsChecks == 1) {
+    if (wolfEngine_GetFipsChecks() & WE_FIPS_CHECK_RSA_KEY_SIZE) {
         ret = size == 2048 || size == 3072 || size == 4096;
         if (allow1024 == 1) {
             ret |= size == 1024;
         }
     }
-    else 
-#endif /* HAVE_FIPS || HAVE_FIPS_VERSION */
-    {
+    else {
         (void)allow1024;
         ret = size >= RSA_MIN_SIZE && size <= RSA_MAX_SIZE;
 
@@ -121,12 +118,11 @@ static int we_check_rsa_signing_md(int nid) {
 
     WOLFENGINE_ENTER(WE_LOG_PK, "we_check_rsa_md");
 
-#if defined(HAVE_FIPS) || defined(HAVE_FIPS_VERSION)
-    if (fipsChecks == 1 && nid == NID_sha1) {
+    if ((wolfEngine_GetFipsChecks() & WE_FIPS_CHECK_RSA_SHA1) &&
+        (nid == NID_sha1)) {
         ret = 0;
         WOLFENGINE_ERROR_MSG(WE_LOG_PK, "SHA-1 isn't allowed in FIPS mode.");
     }
-#endif /* HAVE_FIPS || HAVE_FIPS_VERSION */
 
     WOLFENGINE_LEAVE(WE_LOG_PK, "we_check_rsa_md", ret);
 
diff --git a/test/test_rsa.c b/test/test_rsa.c
@@ -20,6 +20,7 @@
  */
 
 #include "unit.h"
+#include <wolfengine/we_fips.h>
 
 #ifdef WE_HAVE_RSA
 
@@ -608,11 +609,15 @@ int test_rsa_direct_key_gen(ENGINE *e, void *data)
     if (err == 0) {
         PRINT_MSG("Check that re-enabling FIPS checks disallows 1024-bit key "
             "gen.");
-        err = ENGINE_ctrl_cmd(e, "enable_fips_checks", 1, NULL, NULL, 0) == 0;
+        err = ENGINE_ctrl_cmd(e, "enable_fips_checks",
+                              WE_FIPS_CHECK_RSA_KEY_SIZE, NULL, NULL, 0) == 0;
     }
     if (err == 0) {
         err = RSA_generate_key_ex(rsaKey, 1024, pubExp, NULL) != 0;
     }
+    /* Restore all FIPS checks. */
+    ENGINE_ctrl_cmd(e, "enable_fips_checks", WE_FIPS_CHECKS_DEFAULT, NULL, NULL,
+                    0);
 #endif /* HAVE_FIPS || HAVE_FIPS_VERSION */
 
     if (pubExp != NULL) {

Original file line number	Diff line number	Diff line change
`@@ -102,7 +102,7 @@ void wolfEngine_Debugging_OFF(void)`
`102`	`102`
`103`	`103`	`/**`
`104`	`104`	`* Set wolfEngine logging level.`
`105`		`- * Deafult logging level for wolfEngine is WE_LOG_LEVEL_DEFAULT.`
	`105`	`+ * Default logging level for wolfEngine is WE_LOG_LEVEL_DEFAULT.`
`106`	`106`	`*`
`107`	`107`	`* @param levelMask [IN] Bitmask of logging levels from wolfEngine_LogType`
`108`	`108`	`* in we_logging.h.`