From 238d85eec7050be5573190c519c1c8eaacae5359 Mon Sep 17 00:00:00 2001
From: Joerg Schmidbauer
Date: Mon, 28 Oct 2024 13:44:11 +0100
Subject: [PATCH] fips update: Change service indicator implementation

Perform checks for non-approved algorithms / parameters directly into the APIs that perform the services.

Signed-off-by: Joerg Schmidbauer
---
 src/ica_api.c | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/src/ica_api.c b/src/ica_api.c
index 0826af8..d071f61 100644
--- a/src/ica_api.c
+++ b/src/ica_api.c
@@ -1052,6 +1052,8 @@ unsigned int ica_rsa_key_generate_mod_expo(ica_adapter_handle_t adapter_handle,
 #ifdef ICA_FIPS
 if (fips >> 1)
 return EACCES;
+ if (!fips_approved(RSA_ME) && !fips_override(RSA_ME))
+ return EPERM;
 #endif /* ICA_FIPS */
 
 if (public_key->key_length != private_key->key_length)
@@ -1094,6 +1096,8 @@ unsigned int ica_rsa_key_generate_crt(ica_adapter_handle_t adapter_handle,
 #ifdef ICA_FIPS
 if (fips >> 1)
 return EACCES;
+ if (!fips_approved(RSA_CRT) && !fips_override(RSA_CRT))
+ return EPERM;
 #endif /* ICA_FIPS */
 
 if (public_key->key_length != private_key->key_length)
@@ -1130,6 +1134,8 @@ unsigned int ica_rsa_mod_expo(ica_adapter_handle_t adapter_handle,
 #ifdef ICA_FIPS
 if (fips >> 1)
 return EACCES;
+ if (!fips_approved(RSA_ME) && !fips_override(RSA_ME))
+ return EPERM;
 #endif /* ICA_FIPS */
 
 /* check for obvious errors in parms */
@@ -1193,6 +1199,8 @@ unsigned int ica_rsa_crt_key_check(ica_rsa_key_crt_t *rsa_key)
 #ifdef ICA_FIPS
 if (fips >> 1)
 return EACCES;
+ if (!fips_approved(RSA_CRT) && !fips_override(RSA_CRT))
+ return EPERM;
 #endif /* ICA_FIPS */
 
 /* check if p > q */
@@ -1266,6 +1274,8 @@ unsigned int ica_rsa_crt(ica_adapter_handle_t adapter_handle,
 #ifdef ICA_FIPS
 if (fips >> 1)
 return EACCES;
+ if (!fips_approved(RSA_CRT) && !fips_override(RSA_CRT))
+ return EPERM;
 #endif /* ICA_FIPS */
 
 /* check for obvious errors in parms */
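Review bot: The two-line gate added in ica_rsa_key_generate_mod_expo, `if (!fips_approved(RSA_ME) && !fips_override(RSA_ME))` followed by `return EPERM;`, is open-coded again in the other ten hunks of this patch, and no site says what EPERM means next to the existing EACCES return. I would keep the policy in one helper, for example `static inline int fips_service_allowed(int id) { return fips_approved(id) || fips_override(id); }` (parameter type to match fips_approved, whose declaration is not visible here), and add a comment at the call such as `/* EPERM: service is not FIPS-approved and no override is set */`. A single helper also gives one place to record that an override let a non-approved service run, which a service indicator presumably has to reflect. The function body starts and ends outside the hunk.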
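Review bot: In ica_rsa_crt_key_check the new `return EPERM;` is only unambiguous if the function never returns 1 for a non-error outcome, because EPERM is 1 on Linux. The body after `/* check if p > q */` is outside the hunk, so this needs checking against the function's documented return values. If the routine reports a status such as "key was adjusted" with a small positive value, a rejected non-approved service would look like a successful check to callers. If there is a collision, return a distinct errno value here and document it in the header.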
@@ -1337,6 +1347,8 @@ ICA_EC_KEY* ica_ec_key_new(unsigned int nid, unsigned int *privlen)
 #ifdef ICA_FIPS
 if (fips >> 1)
 return NULL;
+ if (!fips_approved(EC_KGEN) && !fips_override(EC_KGEN))
+ return NULL;
 #endif /* ICA_FIPS */
 
 if ((key = malloc(sizeof(ICA_EC_KEY))) == NULL)
@@ -1375,6 +1387,8 @@ int ica_ec_key_init(const unsigned char *X, const unsigned char *Y,
 #ifdef ICA_FIPS
 if (fips >> 1)
 return EACCES;
+ if (!fips_approved(EC_KGEN) && !fips_override(EC_KGEN))
+ return EPERM;
 if (fips & ICA_FIPS_MODE) {
 if (!curve_supported_via_openssl(key->nid) ||
 !curve_supported_via_cpacf(key->nid)) {
@@ -1421,6 +1435,8 @@ int ica_ec_key_generate(ica_adapter_handle_t adapter_handle, ICA_EC_KEY *key)
 #ifdef ICA_FIPS
 if (fips >> 1)
 return EACCES;
+ if (!fips_approved(EC_KGEN) && !fips_override(EC_KGEN))
+ return EPERM;
 if (fips & ICA_FIPS_MODE) {
 if (!curve_supported_via_openssl(key->nid) ||
 !curve_supported_via_cpacf(key->nid))
@@ -1494,6 +1510,8 @@ int ica_ecdh_derive_secret(ica_adapter_handle_t adapter_handle,
 #ifdef ICA_FIPS
 if (fips >> 1)
 return EACCES;
+ if (!fips_approved(EC_DH) && !fips_override(EC_DH))
+ return EPERM;
 if (fips & ICA_FIPS_MODE) {
 if (!curve_supported_via_openssl(privkey_A->nid) ||
 !curve_supported_via_cpacf(privkey_A->nid))
@@ -1567,6 +1585,8 @@ int ica_ecdsa_sign_ex_internal(ica_adapter_handle_t adapter_handle,
 if (!curve_supported_via_openssl(privkey->nid) ||
 !curve_supported_via_cpacf(privkey->nid))
 return EPERM;
+ if (!fips_approved(EC_DSA_SIGN) && !fips_override(EC_DSA_SIGN))
+ return EPERM;
 }
 #endif /* ICA_FIPS */
 
@@ -1654,6 +1674,8 @@ int ica_ecdsa_verify(ica_adapter_handle_t adapter_handle,
 #ifdef ICA_FIPS
 if (fips >> 1)
 return EACCES;
+ if (!fips_approved(EC_DSA_VERIFY) && !fips_override(EC_DSA_VERIFY))
+ return EPERM;
 if (fips & ICA_FIPS_MODE) {
 if (!curve_supported_via_openssl(pubkey->nid) ||
 !curve_supported_via_cpacf(pubkey->nid))
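Review bot: ica_ec_key_new now returns NULL for a non-approved service exactly as it does for the `fips >> 1` state and for the `malloc` failure a few lines further down, so a caller cannot tell a policy rejection from out-of-memory. Setting errno before the return keeps the signature and makes the cause visible: `errno = EPERM;` ahead of the added `return NULL;`, and by the same argument `errno = EACCES;` before the existing one. Whether callers already inspect errno is not visible in this hunk, and the function body continues past it.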
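Review bot: In ica_ecdsa_sign_ex_internal the approved/override check is added after the curve check and before the closing `}`, which appears to place it inside the `if (fips & ICA_FIPS_MODE)` block. ica_ec_key_init, ica_ec_key_generate, ica_ecdh_derive_secret and ica_ecdsa_verify all run it before that block. If fips_approved() is meant to be evaluated regardless of the mode bit, as those call sites suggest, signing is the one service where the gate is skipped when ICA_FIPS_MODE is not set. Either move `if (!fips_approved(EC_DSA_SIGN) && !fips_override(EC_DSA_SIGN))` and its `return EPERM;` up next to the `fips >> 1` test, or add a comment explaining why signing differs. The start of the enclosing block is outside the hunk, so the condition is inferred from the closing brace and the matching verify hunk.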