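/*
 * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License").
 * You may not use this file except in compliance with the License.
 * A copy of the License is located at
 *
 *  http://aws.amazon.com/apache2.0
 *
 * or in the "license" file accompanying this file. This file is distributed
 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
 * express or implied. See the License for the specific language governing
 * permissions and limitations under the License.
 */

#include "crypto/s2n_fips.h"

#include <openssl/crypto.h>

#include "crypto/s2n_libcrypto.h"
#include "crypto/s2n_openssl.h"
#include "utils/s2n_init.h"
#include "utils/s2n_safety.h"

#if defined(S2N_INTERN_LIBCRYPTO) && defined(OPENSSL_FIPS)
#error "Interning with OpenSSL fips-validated libcrypto is not currently supported. See https://github.com/aws/s2n-tls/issues/2741"
#endif

/* Whether s2n-tls itself operates in FIPS mode.
 *
 * Written only by s2n_fips_init() (i.e. during s2n_init()) and read-only
 * afterwards via s2n_is_in_fips_mode(). It is deliberately distinct from the
 * libcrypto's own FIPS state, see s2n_libcrypto_is_fips() below. */
static bool s2n_fips_mode_enabled = false;

/* Check if the linked libcrypto has FIPS mode enabled.
 *
 * This method indicates the state of the libcrypto, NOT the state
 * of s2n-tls and should ONLY be called during library initialization (i.e.
 * s2n_init()). This distinction is important because in the past,
 * if s2n-tls was using Openssl-1.0.2-fips and FIPS_mode_set(1)
 * was called after s2n_init() was called, then this method would return true
 * while s2n_is_in_fips_mode() would return false and s2n-tls would not operate
 * in FIPS mode.
 *
 * For AWS-LC, the FIPS_mode() method is always defined. If AWS-LC was built to
 * support FIPS, FIPS_mode() always returns 1.
 *
 * For OpenSSL 3.x, EVP_default_properties_is_fips_enabled() reports whether the
 * default property query asks for FIPS implementations; it does not by itself
 * prove that a FIPS provider is loaded and activated (confirm against the
 * OpenSSL provider documentation for the version in use).
 *
 * Returns true if the libcrypto reports FIPS mode, false otherwise (including
 * for libcryptos with no FIPS support at all).
 */
bool s2n_libcrypto_is_fips(void)
{
#if defined(OPENSSL_FIPS) || defined(OPENSSL_IS_AWSLC)
    /* FIPS_mode() returns 1 when FIPS mode is active. */
    return FIPS_mode() == 1;
#elif S2N_OPENSSL_VERSION_AT_LEAST(3, 0, 0)
    return EVP_default_properties_is_fips_enabled(NULL);
#else
    /* No known FIPS mechanism for this libcrypto. */
    return false;
#endif
}

/* Initialize s2n-tls FIPS state from the linked libcrypto.
 *
 * Must be called from s2n_init(), before any other use of the library.
 *
 * Returns S2N_SUCCESS, or S2N_FAILURE with S2N_ERR_FIPS_MODE_UNSUPPORTED when
 * the libcrypto is in FIPS mode but this build does not support operating in
 * FIPS mode with it.
 */
int s2n_fips_init(void)
{
    bool libcrypto_fips = s2n_libcrypto_is_fips();

    /* When using Openssl, ONLY 3.0 currently supports FIPS.
     * openssl-1.0.2-fips is no longer supported.
     * openssl >= 3.5 will likely have a FIPS 140-3 certificate instead of a
     * FIPS 140-2 certificate, which will require additional review in order
     * to properly integrate.
     */
#if defined(OPENSSL_FIPS) || S2N_OPENSSL_VERSION_AT_LEAST(3, 5, 0)
    POSIX_ENSURE(!libcrypto_fips, S2N_ERR_FIPS_MODE_UNSUPPORTED);
#endif

    /* Publish the mode only after the configuration has been accepted, so a
     * failed init never leaves s2n_is_in_fips_mode() reporting true for a
     * configuration this build rejected. */
    s2n_fips_mode_enabled = libcrypto_fips;

    return S2N_SUCCESS;
}

/* Return true if s2n-tls is operating in FIPS mode, false otherwise.
 *
 * Reflects the state captured by s2n_fips_init(); FIPS mode must therefore be
 * enabled in the libcrypto prior to calling s2n_init(). */
bool s2n_is_in_fips_mode(void)
{
    return s2n_fips_mode_enabled;
}

/* Public query for the s2n-tls FIPS mode.
 *
 * @param fips_mode Out-parameter; must be non-NULL. It is always set to
 *                  S2N_FIPS_MODE_DISABLED before any further check, so it holds
 *                  a well-defined value even when the call fails.
 *
 * Returns S2N_SUCCESS, or S2N_FAILURE with S2N_ERR_NULL (fips_mode is NULL)
 * or S2N_ERR_NOT_INITIALIZED (s2n_init() has not completed).
 */
int s2n_get_fips_mode(s2n_fips_mode *fips_mode)
{
    POSIX_ENSURE_REF(fips_mode);
    /* Initialize the out-parameter before the initialization check so callers
     * that ignore the return code still see a defined value. */
    *fips_mode = S2N_FIPS_MODE_DISABLED;
    POSIX_ENSURE(s2n_is_initialized(), S2N_ERR_NOT_INITIALIZED);

    if (s2n_is_in_fips_mode()) {
        *fips_mode = S2N_FIPS_MODE_ENABLED;
    }

    return S2N_SUCCESS;
}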