aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorHans Nilsson <[email protected]>2016-10-11 16:01:24 +0200
committerHans Nilsson <[email protected]>2016-10-11 16:01:24 +0200
commitfec3e5165d2583969770114cc14d0e39a422d61a (patch)
treef6e8dff23a24e3ba32a05af739ef28220aecd6ca
parent301c8e78a1445c0d0080fdb758a3b9e8140fb626 (diff)
parent0411d5492319a5bc555247a3f783aaa421b4f31c (diff)
downloadotp-fec3e5165d2583969770114cc14d0e39a422d61a.tar.gz
otp-fec3e5165d2583969770114cc14d0e39a422d61a.tar.bz2
otp-fec3e5165d2583969770114cc14d0e39a422d61a.zip
Merge branch 'legoscia/ssl_in_fips_mode/PR-1180/OTP-13921'
Conflicts: lib/crypto/c_src/crypto.c lib/ssl/src/ssl_cipher.erl
-rw-r--r--configure.in4
-rw-r--r--erts/configure.in26
-rw-r--r--lib/crypto/c_src/Makefile.in2
-rw-r--r--lib/crypto/c_src/crypto.c122
-rw-r--r--lib/crypto/doc/src/Makefile2
-rw-r--r--lib/crypto/doc/src/crypto.xml22
-rw-r--r--lib/crypto/doc/src/crypto_app.xml24
-rw-r--r--lib/crypto/doc/src/fips.xml211
-rw-r--r--lib/crypto/doc/src/usersguide.xml1
-rw-r--r--lib/crypto/src/crypto.app.src2
-rw-r--r--lib/crypto/src/crypto.erl51
-rw-r--r--lib/crypto/src/crypto_ec_curves.erl25
-rw-r--r--lib/crypto/test/blowfish_SUITE.erl76
-rw-r--r--lib/crypto/test/crypto_SUITE.erl329
14 files changed, 798 insertions, 99 deletions
diff --git a/configure.in b/configure.in
index 6db83124be..9c21265dc8 100644
--- a/configure.in
+++ b/configure.in
@@ -280,6 +280,10 @@ AC_ARG_ENABLE(dynamic-ssl-lib,
AS_HELP_STRING([--disable-dynamic-ssl-lib],
[disable using dynamic openssl libraries]))
+AC_ARG_ENABLE(fips,
+AS_HELP_STRING([--enable-fips], [enable OpenSSL FIPS mode support])
+AS_HELP_STRING([--disable-fips], [disable OpenSSL FIPS mode support (default)]))
+
AC_ARG_ENABLE(builtin-zlib,
AS_HELP_STRING([--enable-builtin-zlib],
[force use of our own built-in zlib]))
diff --git a/erts/configure.in b/erts/configure.in
index dc85b2eafc..b276f8bdfb 100644
--- a/erts/configure.in
+++ b/erts/configure.in
@@ -3921,6 +3921,7 @@ dnl use "PATH/include" and "PATH/lib".
AC_SUBST(SSL_INCLUDE)
AC_SUBST(SSL_INCDIR)
AC_SUBST(SSL_LIBDIR)
+AC_SUBST(SSL_FLAGS)
AC_SUBST(SSL_CRYPTO_LIBNAME)
AC_SUBST(SSL_SSL_LIBNAME)
AC_SUBST(SSL_CC_RUNTIME_LIBRARY_PATH)
@@ -4610,6 +4611,31 @@ no) # Use no ssl runtime library path
esac
+AC_ARG_ENABLE(fips,
+AS_HELP_STRING([--enable-fips], [enable OpenSSL FIPS mode support])
+AS_HELP_STRING([--disable-fips], [disable OpenSSL FIPS mode support (default)]),
+[ case "$enableval" in
+ yes) enable_fips_support=yes ;;
+ *) enable_fips_support=no ;;
+ esac ], enable_fips_support=no)
+
+if test "x$enable_fips_support" = "xyes" && test "$CRYPTO_APP" != ""; then
+ saveCFLAGS="$CFLAGS"
+ saveLDFLAGS="$LDFLAGS"
+ saveLIBS="$LIBS"
+ CFLAGS="$CFLAGS $SSL_INCLUDE"
+ LDFLAGS="$LDFLAGS $SSL_LD_RUNTIME_LIBRARY_PATH -L$SSL_LIBDIR"
+ LIBS="-lcrypto"
+ AC_CHECK_FUNC([FIPS_mode_set],
+ [SSL_FLAGS="-DFIPS_SUPPORT"],
+ [SSL_FLAGS=])
+ CFLAGS="$saveCFLAGS"
+ LDFLAGS="$saveLDFLAGS"
+ LIBS="$saveLIBS"
+else
+ SSL_FLAGS=
+fi
+
#--------------------------------------------------------------------
# Os mon stuff.
#--------------------------------------------------------------------
diff --git a/lib/crypto/c_src/Makefile.in b/lib/crypto/c_src/Makefile.in
index c62f25b3ee..af7c209c75 100644
--- a/lib/crypto/c_src/Makefile.in
+++ b/lib/crypto/c_src/Makefile.in
@@ -43,9 +43,11 @@ SSL_LIBDIR = @SSL_LIBDIR@
SSL_INCLUDE = @SSL_INCLUDE@
SSL_CRYPTO_LIBNAME = @SSL_CRYPTO_LIBNAME@
SSL_SSL_LIBNAME = @SSL_SSL_LIBNAME@
+SSL_FLAGS = @SSL_FLAGS@
INCLUDES = $(SSL_INCLUDE) $(DED_INCLUDES)
+CFLAGS += $(SSL_FLAGS)
ifeq ($(TYPE),debug)
TYPEMARKER = .debug
diff --git a/lib/crypto/c_src/crypto.c b/lib/crypto/c_src/crypto.c
index 73f22b127b..c835f6dcf4 100644
--- a/lib/crypto/c_src/crypto.c
+++ b/lib/crypto/c_src/crypto.c
@@ -226,6 +226,8 @@ static void unload(ErlNifEnv* env, void* priv_data);
/* The NIFs: */
static ERL_NIF_TERM info_lib(ErlNifEnv* env, int argc, const ERL_NIF_TERM argv[]);
+static ERL_NIF_TERM info_fips(ErlNifEnv* env, int argc, const ERL_NIF_TERM argv[]);
+static ERL_NIF_TERM enable_fips_mode(ErlNifEnv* env, int argc, const ERL_NIF_TERM argv[]);
static ERL_NIF_TERM algorithms(ErlNifEnv* env, int argc, const ERL_NIF_TERM argv[]);
static ERL_NIF_TERM hash_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM argv[]);
static ERL_NIF_TERM hash_init_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM argv[]);
@@ -295,6 +297,8 @@ static int library_refc = 0; /* number of users of this dynamic library */
static ErlNifFunc nif_funcs[] = {
{"info_lib", 0, info_lib},
+ {"info_fips", 0, info_fips},
+ {"enable_fips_mode", 1, enable_fips_mode},
{"algorithms", 0, algorithms},
{"hash_nif", 2, hash_nif},
{"hash_init_nif", 1, hash_init_nif},
@@ -382,6 +386,12 @@ static ERL_NIF_TERM atom_unknown;
static ERL_NIF_TERM atom_none;
static ERL_NIF_TERM atom_notsup;
static ERL_NIF_TERM atom_digest;
+#ifdef FIPS_SUPPORT
+static ERL_NIF_TERM atom_enabled;
+static ERL_NIF_TERM atom_not_enabled;
+#else
+static ERL_NIF_TERM atom_not_supported;
+#endif
#if defined(HAVE_EC)
static ERL_NIF_TERM atom_ec;
@@ -562,6 +572,13 @@ static int verify_lib_version(void)
return 1;
}
+#ifdef FIPS_SUPPORT
+/* In FIPS mode non-FIPS algorithms are disabled and return badarg. */
+#define CHECK_NO_FIPS_MODE() { if (FIPS_mode()) return atom_notsup; }
+#else
+#define CHECK_NO_FIPS_MODE()
+#endif
+
#ifdef HAVE_DYNAMIC_CRYPTO_LIB
# if defined(DEBUG)
@@ -612,11 +629,11 @@ static int initialize(ErlNifEnv* env, ERL_NIF_TERM load_info)
if (!verify_lib_version())
return __LINE__;
- /* load_info: {301, <<"/full/path/of/this/library">>} */
+ /* load_info: {302, <<"/full/path/of/this/library">>,true|false} */
if (!enif_get_tuple(env, load_info, &tpl_arity, &tpl_array)
- || tpl_arity != 2
+ || tpl_arity != 3
|| !enif_get_int(env, tpl_array[0], &vernum)
- || vernum != 301
+ || vernum != 302
|| !enif_inspect_binary(env, tpl_array[1], &lib_bin)) {
PRINTF_ERR1("CRYPTO: Invalid load_info '%T'", load_info);
@@ -660,6 +677,21 @@ static int initialize(ErlNifEnv* env, ERL_NIF_TERM load_info)
atom_true = enif_make_atom(env,"true");
atom_false = enif_make_atom(env,"false");
+ /* Enter FIPS mode */
+ if (tpl_array[2] == atom_true) {
+#ifdef FIPS_SUPPORT
+ if (!FIPS_mode_set(1)) {
+#else
+ {
+#endif
+ PRINTF_ERR0("CRYPTO: Could not setup FIPS mode");
+ return 0;
+ }
+ } else if (tpl_array[2] != atom_false) {
+ PRINTF_ERR1("CRYPTO: Invalid load_info '%T'", load_info);
+ return 0;
+ }
+
atom_sha = enif_make_atom(env,"sha");
atom_error = enif_make_atom(env,"error");
atom_rsa_pkcs1_padding = enif_make_atom(env,"rsa_pkcs1_padding");
@@ -693,6 +725,13 @@ static int initialize(ErlNifEnv* env, ERL_NIF_TERM load_info)
atom_blowfish_ecb = enif_make_atom(env, "blowfish_ecb");
#endif
+#ifdef FIPS_SUPPORT
+ atom_enabled = enif_make_atom(env,"enabled");
+ atom_not_enabled = enif_make_atom(env,"not_enabled");
+#else
+ atom_not_supported = enif_make_atom(env,"not_supported");
+#endif
+
init_digest_types(env);
init_cipher_types(env);
init_algorithms_types(env);
@@ -779,15 +818,16 @@ static void unload(ErlNifEnv* env, void* priv_data)
--library_refc;
}
-static int algo_hash_cnt;
+static int algo_hash_cnt, algo_hash_fips_cnt;
static ERL_NIF_TERM algo_hash[8]; /* increase when extending the list */
-static int algo_pubkey_cnt;
+static int algo_pubkey_cnt, algo_pubkey_fips_cnt;
static ERL_NIF_TERM algo_pubkey[7]; /* increase when extending the list */
-static int algo_cipher_cnt;
+static int algo_cipher_cnt, algo_cipher_fips_cnt;
static ERL_NIF_TERM algo_cipher[23]; /* increase when extending the list */
static void init_algorithms_types(ErlNifEnv* env)
{
+ // Validated algorithms first
algo_hash_cnt = 0;
algo_hash[algo_hash_cnt++] = atom_sha;
#ifdef HAVE_SHA224
@@ -802,6 +842,8 @@ static void init_algorithms_types(ErlNifEnv* env)
#ifdef HAVE_SHA512
algo_hash[algo_hash_cnt++] = enif_make_atom(env, "sha512");
#endif
+ // Non-validated algorithms follow
+ algo_hash_fips_cnt = algo_hash_cnt;
algo_hash[algo_hash_cnt++] = enif_make_atom(env, "md4");
algo_hash[algo_hash_cnt++] = enif_make_atom(env, "md5");
algo_hash[algo_hash_cnt++] = enif_make_atom(env, "ripemd160");
@@ -817,8 +859,11 @@ static void init_algorithms_types(ErlNifEnv* env)
algo_pubkey[algo_pubkey_cnt++] = enif_make_atom(env, "ecdsa");
algo_pubkey[algo_pubkey_cnt++] = enif_make_atom(env, "ecdh");
#endif
+ // Non-validated algorithms follow
+ algo_pubkey_fips_cnt = algo_pubkey_cnt;
algo_pubkey[algo_pubkey_cnt++] = enif_make_atom(env, "srp");
+ // Validated algorithms first
algo_cipher_cnt = 0;
#ifndef OPENSSL_NO_DES
algo_cipher[algo_cipher_cnt++] = enif_make_atom(env, "des3_cbc");
@@ -835,6 +880,11 @@ static void init_algorithms_types(ErlNifEnv* env)
algo_cipher[algo_cipher_cnt++] = enif_make_atom(env, "aes_cbc256");
algo_cipher[algo_cipher_cnt++] = enif_make_atom(env, "aes_ctr");
algo_cipher[algo_cipher_cnt++] = enif_make_atom(env, "aes_ecb");
+#if defined(HAVE_GCM)
+ algo_cipher[algo_cipher_cnt++] = enif_make_atom(env,"aes_gcm");
+#endif
+ // Non-validated algorithms follow
+ algo_cipher_fips_cnt = algo_cipher_cnt;
#ifdef HAVE_AES_IGE
algo_cipher[algo_cipher_cnt++] = enif_make_atom(env,"aes_ige256");
#endif
@@ -867,9 +917,16 @@ static void init_algorithms_types(ErlNifEnv* env)
static ERL_NIF_TERM algorithms(ErlNifEnv* env, int argc, const ERL_NIF_TERM argv[])
{
+#ifdef FIPS_SUPPORT
+ int fips_mode = FIPS_mode();
+ int hash_cnt = fips_mode ? algo_hash_fips_cnt : algo_hash_cnt;
+ int pubkey_cnt = fips_mode ? algo_pubkey_fips_cnt : algo_pubkey_cnt;
+ int cipher_cnt = fips_mode ? algo_cipher_fips_cnt : algo_cipher_cnt;
+#else
int hash_cnt = algo_hash_cnt;
int pubkey_cnt = algo_pubkey_cnt;
int cipher_cnt = algo_cipher_cnt;
+#endif
return enif_make_tuple3(env,
enif_make_list_from_array(env, algo_hash, hash_cnt),
enif_make_list_from_array(env, algo_pubkey, pubkey_cnt),
@@ -903,6 +960,37 @@ static ERL_NIF_TERM info_lib(ErlNifEnv* env, int argc, const ERL_NIF_TERM argv[]
ver_term));
}
+static ERL_NIF_TERM info_fips(ErlNifEnv* env, int argc, const ERL_NIF_TERM argv[])
+{
+#ifdef FIPS_SUPPORT
+ return FIPS_mode() ? atom_enabled : atom_not_enabled;
+#else
+ return atom_not_supported;
+#endif
+}
+
+static ERL_NIF_TERM enable_fips_mode(ErlNifEnv* env, int argc, const ERL_NIF_TERM argv[])
+{/* (Boolean) */
+ if (argv[0] == atom_true) {
+#ifdef FIPS_SUPPORT
+ if (FIPS_mode_set(1)) {
+ return atom_true;
+ }
+#endif
+ PRINTF_ERR0("CRYPTO: Could not setup FIPS mode");
+ return atom_false;
+ } else if (argv[0] == atom_false) {
+#ifdef FIPS_SUPPORT
+ if (!FIPS_mode_set(0)) {
+ return atom_false;
+ }
+#endif
+ return atom_true;
+ } else {
+ return enif_make_badarg(env);
+ }
+}
+
static ERL_NIF_TERM make_badarg_maybe(ErlNifEnv* env)
{
ERL_NIF_TERM reason;
@@ -1459,7 +1547,11 @@ static ERL_NIF_TERM block_crypt_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM
}
if ((argv[0] == atom_aes_cfb8 || argv[0] == atom_aes_cfb128)
- && (key.size == 24 || key.size == 32)) {
+ && (key.size == 24 || key.size == 32)
+#ifdef FIPS_SUPPORT
+ && !FIPS_mode()
+#endif
+ ) {
/* Why do EVP_CIPHER_CTX_set_key_length() fail on these key sizes?
* Fall back on low level API
*/
@@ -1521,6 +1613,8 @@ static ERL_NIF_TERM aes_cfb_8_crypt(ErlNifEnv* env, int argc, const ERL_NIF_TERM
int new_ivlen = 0;
ERL_NIF_TERM ret;
+ CHECK_NO_FIPS_MODE();
+
if (!enif_inspect_iolist_as_binary(env, argv[0], &key)
|| !(key.size == 16 || key.size == 24 || key.size == 32)
|| !enif_inspect_binary(env, argv[1], &ivec) || ivec.size != 16
@@ -1548,6 +1642,8 @@ static ERL_NIF_TERM aes_ige_crypt_nif(ErlNifEnv* env, int argc, const ERL_NIF_TE
unsigned char* ret_ptr;
ERL_NIF_TERM ret;
+ CHECK_NO_FIPS_MODE();
+
if (!enif_inspect_iolist_as_binary(env, argv[0], &key_bin)
|| (key_bin.size != 16 && key_bin.size != 32)
|| !enif_inspect_binary(env, argv[1], &ivec_bin)
@@ -2403,6 +2499,8 @@ static ERL_NIF_TERM rc4_encrypt(ErlNifEnv* env, int argc, const ERL_NIF_TERM arg
RC4_KEY rc4_key;
ERL_NIF_TERM ret;
+ CHECK_NO_FIPS_MODE();
+
if (!enif_inspect_iolist_as_binary(env,argv[0], &key)
|| !enif_inspect_iolist_as_binary(env,argv[1], &data)) {
return enif_make_badarg(env);
@@ -2423,6 +2521,8 @@ static ERL_NIF_TERM rc4_set_key(ErlNifEnv* env, int argc, const ERL_NIF_TERM arg
ErlNifBinary key;
ERL_NIF_TERM ret;
+ CHECK_NO_FIPS_MODE();
+
if (!enif_inspect_iolist_as_binary(env,argv[0], &key)) {
return enif_make_badarg(env);
}
@@ -2441,6 +2541,8 @@ static ERL_NIF_TERM rc4_encrypt_with_state(ErlNifEnv* env, int argc, const ERL_N
RC4_KEY* rc4_key;
ERL_NIF_TERM new_state, new_data;
+ CHECK_NO_FIPS_MODE();
+
if (!enif_inspect_iolist_as_binary(env,argv[0], &state)
|| state.size != sizeof(RC4_KEY)
|| !enif_inspect_iolist_as_binary(env,argv[1], &data)) {
@@ -2872,6 +2974,8 @@ static ERL_NIF_TERM srp_value_B_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM
unsigned dlen;
ERL_NIF_TERM ret;
+ CHECK_NO_FIPS_MODE();
+
if (!get_bn_from_bin(env, argv[0], &bn_multiplier)
|| !get_bn_from_bin(env, argv[1], &bn_verifier)
|| !get_bn_from_bin(env, argv[2], &bn_generator)
@@ -2932,6 +3036,8 @@ static ERL_NIF_TERM srp_user_secret_nif(ErlNifEnv* env, int argc, const ERL_NIF_
unsigned dlen;
ERL_NIF_TERM ret;
+ CHECK_NO_FIPS_MODE();
+
if (!get_bn_from_bin(env, argv[0], &bn_a)
|| !get_bn_from_bin(env, argv[1], &bn_u)
|| !get_bn_from_bin(env, argv[2], &bn_B)
@@ -3011,6 +3117,8 @@ static ERL_NIF_TERM srp_host_secret_nif(ErlNifEnv* env, int argc, const ERL_NIF_
unsigned dlen;
ERL_NIF_TERM ret;
+ CHECK_NO_FIPS_MODE();
+
if (!get_bn_from_bin(env, argv[0], &bn_verifier)
|| !get_bn_from_bin(env, argv[1], &bn_b)
|| !get_bn_from_bin(env, argv[2], &bn_u)
diff --git a/lib/crypto/doc/src/Makefile b/lib/crypto/doc/src/Makefile
index e55242d255..9c503b8fe0 100644
--- a/lib/crypto/doc/src/Makefile
+++ b/lib/crypto/doc/src/Makefile
@@ -39,7 +39,7 @@ XML_REF3_FILES = crypto.xml
XML_REF6_FILES = crypto_app.xml
XML_PART_FILES = release_notes.xml usersguide.xml
-XML_CHAPTER_FILES = notes.xml licenses.xml
+XML_CHAPTER_FILES = notes.xml licenses.xml fips.xml
BOOK_FILES = book.xml
diff --git a/lib/crypto/doc/src/crypto.xml b/lib/crypto/doc/src/crypto.xml
index ce8bf2216a..cbf141b3b0 100644
--- a/lib/crypto/doc/src/crypto.xml
+++ b/lib/crypto/doc/src/crypto.xml
@@ -475,6 +475,28 @@
</func>
<func>
+ <name>info_fips() -> Status</name>
+ <fsummary>Provides information about the FIPS operating status.</fsummary>
+ <type>
+ <v>Status = enabled | not_enabled | not_supported</v>
+ </type>
+ <desc>
+ <p>Provides information about the FIPS operating status of
+ crypto and the underlying OpenSSL library. If crypto was built
+ with FIPS support this can be either <c>enabled</c> (when
+ running in FIPS mode) or <c>not_enabled</c>. For other builds
+ this value is always <c>not_supported</c>.</p>
+ <warning>
+ <p>In FIPS mode all non-FIPS compliant algorithms are
+ disabled and throw exception <c>not_supported</c>. Check
+ <seealso marker="#supports-0">supports</seealso> that in
+ FIPS mode returns the restricted list of available
+ algorithms.</p>
+ </warning>
+ </desc>
+ </func>
+
+ <func>
<name>info_lib() -> [{Name,VerNum,VerStr}]</name>
<fsummary>Provides information about the libraries used by crypto.</fsummary>
<type>
diff --git a/lib/crypto/doc/src/crypto_app.xml b/lib/crypto/doc/src/crypto_app.xml
index 2b9e505988..a958bdfcb7 100644
--- a/lib/crypto/doc/src/crypto_app.xml
+++ b/lib/crypto/doc/src/crypto_app.xml
@@ -41,14 +41,34 @@
<section>
<title>DEPENDENCIES</title>
- <p>The current crypto implementation uses nifs to interface OpenSSLs crypto library
- and requires <em>OpenSSL</em> package version 0.9.8 or higher.</p>
+ <p>The current crypto implementation uses nifs to interface
+ OpenSSLs crypto library and requires <em>OpenSSL</em> package
+ version 0.9.8 or higher. FIPS mode support requires at least
+ version 1.0.1 and a FIPS capable OpenSSL installation.</p>
+
<p>Source releases of OpenSSL can be downloaded from the <url href="http://www.openssl.org">OpenSSL</url> project home page,
or mirror sites listed there.
</p>
</section>
<section>
+ <title>CONFIGURATION</title>
+ <p>The following configuration parameters are defined for the
+ crypto application. See <c>app(3)</c> for more information about
+ configuration parameters.</p>
+ <taglist>
+ <tag><c>fips_mode = boolean()</c></tag>
+ <item>
+ <p>Specifies whether to run crypto in FIPS mode. This setting
+ will take effect when the nif module is loaded. If FIPS mode
+ is requested but not available at run time the nif module and
+ thus the crypto module will fail to load. This mechanism
+ prevents the accidental use of non-validated algorithms.</p>
+ </item>
+ </taglist>
+ </section>
+
+ <section>
<title>SEE ALSO</title>
<p>application(3)</p>
</section>
diff --git a/lib/crypto/doc/src/fips.xml b/lib/crypto/doc/src/fips.xml
new file mode 100644
index 0000000000..a6ed95bf5e
--- /dev/null
+++ b/lib/crypto/doc/src/fips.xml
@@ -0,0 +1,211 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<!DOCTYPE chapter SYSTEM "chapter.dtd">
+
+<chapter>
+ <header>
+ <copyright>
+ <year>2014</year>
+ <holder>Ericsson AB. All Rights Reserved.</holder>
+ </copyright>
+ <legalnotice>
+ The contents of this file are subject to the Erlang Public License,
+ Version 1.1, (the "License"); you may not use this file except in
+ compliance with the License. You should have received a copy of the
+ Erlang Public License along with this software. If not, it can be
+ retrieved online at http://www.erlang.org/.
+
+ Software distributed under the License is distributed on an "AS IS"
+ basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
+ the License for the specific language governing rights and limitations
+ under the License.
+
+ </legalnotice>
+
+ <title>FIPS mode</title>
+ <prepared>D&aacute;niel Szoboszlay</prepared>
+ <docno></docno>
+ <date>2014-05-12</date>
+ <rev>A</rev>
+ <file>fips.xml</file>
+ </header>
+ <p>
+ <marker id="fips"></marker>
+ This chapter describes FIPS mode support in the crypto application.
+ </p>
+
+ <section>
+ <title>Background</title>
+ <p>OpenSSL can be built to provide FIPS 140-2 validated
+ cryptographic services. It is not the OpenSSL application that is
+ validated, but a special software component called the OpenSSL
+ FIPS Object Module. However applications do not use this Object
+ Module directly, but through the regular API of the OpenSSL
+ library.</p>
+ <p>The crypto application supports using OpenSSL in FIPS mode. In
+ this scenario only the validated algorithms provided by the Object
+ Module are accessible, other algorithms usually available in
+ OpenSSL (like md5) or implemented in the Erlang code (like SRP)
+ are disabled.</p>
+ </section>
+
+ <section>
+ <title>Enabling FIPS mode</title>
+ <list type="ordered">
+ <item>
+ <p>Build or install the FIPS Object Module and a FIPS enabled
+ OpenSSL library.</p>
+ <p>You should read and precisely follow the instructions of
+ the <url
+ href="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1747.pdf">Security
+ Policy</url> and <url
+ href="https://www.openssl.org/docs/fips/UserGuide-2.0.pdf">User
+ Guide</url>.</p>
+ <warning><p>It is very easy to build a working OpenSSL FIPS
+ Object Module and library from the source. However it <em>does
+ not</em> qualify as FIPS 140-2 validated if the numerous
+ restrictions in the Security Policy are not properly
+ followed.</p></warning>
+ </item>
+ <item>
+ <p>Configure and build Erlang/OTP with FIPS support:</p>
+ <pre>
+$ <input>cd $ERL_TOP</input>
+$ <input>./otp_build configure --enable-fips</input>
+...
+checking for FIPS_mode_set... yes
+...
+$ <input>make</input>
+ </pre>
+ <p>If <c>FIPS_mode_set</c> returns <c>no</c> the OpenSSL
+ library is not FIPS enabled and crypto won't support FIPS mode
+ either.</p>
+ </item>
+ <item>
+ <p>Set the <c>fips_mode</c> configuration setting of the
+ crypto application to <c>true</c> <em>before loading the
+ crypto module</em>.</p>
+ <p>The best place is in the <c>sys.config</c> system
+ configuration file of the release.</p>
+ </item>
+ <item>
+ Start and use the crypto application as usual. However take
+ care to avoid the non-FIPS validated algorithms, they will all
+ throw exception <c>not_supported</c>.
+ </item>
+ </list>
+ <p>Entering and leaving FIPS mode on a node already running crypto
+ is not supported. The reason is that OpenSSL is designed to
+ prevent an application requesting FIPS mode to end up accidentally
+ running in non-FIPS mode. If entering FIPS mode fails (e.g. the
+ Object Module is not found or is compromised) any subsequent use
+ of the OpenSSL API would terminate the emulator.</p>
+ <p>An on-the-fly FIPS mode change would thus have to be performed
+ in a critical section protected from any concurrently running
+ crypto operations. Furthermore in case of failure all crypto calls
+ would have to be disabled from the Erlang or nif code. This would
+ be too much effort put into this not too important feature.</p>
+ </section>
+
+ <section>
+ <title>Incompatibilities with regular builds</title>
+ <p>The Erlang API of the crypto application is identical
+ regardless of building with or without FIPS support. However the
+ nif code internally uses a different OpenSSL API.</p>
+ <p>This means that the context (an opaque type) returned from
+ streaming crypto functions (<c>hash_(init|update|final)</c>,
+ <c>hmac_(init|update|final)</c> and
+ <c>stream_(init|encrypt|decrypt)</c>) is different and
+ incompatible with regular builds when compiling crypto with FIPS
+ support.</p>
+ </section>
+
+ <section>
+ <title>Common caveats</title>
+ <p>In FIPS mode non-validated algorithms are disabled. This may
+ cause some unexpected problems in application relying on
+ crypto.</p>
+ <warning><p>Do not try to work around these problems by using
+ alternative implementations of the missing algorithms! An
+ application can only claim to be using a FIPS 140-2 validated
+ cryptographic module if it uses it exclusively for every
+ cryptographic operation.</p></warning>
+
+ <section>
+ <title>Restrictions on key sizes</title>
+ <p>Although public key algorithms are supported in FIPS mode
+ they can only be used with secure key sizes. The Security Policy
+ requires the following minimum values:
+ </p>
+ <taglist>
+ <tag>RSA</tag><item>1024 bit</item>
+ <tag>DSS</tag><item>1024 bit</item>
+ <tag>EC algorithms</tag><item>160 bit</item>
+ </taglist>
+ </section>
+
+ <section>
+ <title>Restrictions on elliptic curves</title>
+ <p>The Erlang API allows using arbitrary curve parameters, but
+ in FIPS mode only those allowed by the Security Policy shall be
+ used.</p>
+ </section>
+
+ <section>
+ <title>Avoid md5 for hashing</title>
+ <p>Md5 is a popular choice as a hash function, but it is not
+ secure enough to be validated. Try to use sha instead wherever
+ possible.</p>
+ <p>For exceptional, non-cryptographic use cases one may consider
+ switching to <c>erlang:md5/1</c> as well.</p>
+ </section>
+
+ <section>
+ <title>Certificates and encrypted keys</title>
+ <p>As md5 is not available in FIPS mode it is only possible to
+ use certificates that were signed using sha hashing. When
+ validating an entire certificate chain all certificates
+ (including the root CA's) must comply with this rule.</p>
+ <p>For similar dependency on the md5 and des algorithms most
+ encrypted private keys in PEM format do not work
+ either. However, the PBES2 encryption scheme allows the use of
+ stronger FIPS verified algorithms which is a viable
+ alternative.</p>
+ </section>
+
+ <section>
+ <title>SNMP v3 limitations</title>
+ <p>It is only possible to use <c>usmHMACSHAAuthProtocol</c> and
+ <c>usmAesCfb128Protocol</c> for authentication and privacy
+ respectively in FIPS mode. The snmp application however won't
+ restrict selecting disabled protocols in any way, and using them
+ would result in run time crashes.</p>
+ </section>
+
+ <section>
+ <title>TLS 1.2 is required</title>
+ <p>All SSL and TLS versions prior to TLS 1.2 use a combination
+ of md5 and sha1 hashes in the handshake for various purposes:</p>
+ <list>
+ <item>Authenticating the integrity of the handshake
+ messages.</item>
+ <item>In the exchange of DH parameters in cipher suites
+ providing non-anonymous PFS (perfect forward secrecy).</item>
+ <item>In the PRF (pseud-random function) to generate keying
+ materials in cipher suites not using PFS.</item>
+ </list>
+ <p>OpenSSL handles these corner cases in FIPS mode, however the
+ Erlang crypto and ssl applications are not prepared for them and
+ therefore you are limited to TLS 1.2 in FIPS mode.</p>
+ <p>On the other hand it worth mentioning that at least all
+ cipher suites that would rely on non-validated algorithms are
+ automatically disabled in FIPS mode.</p>
+ <note><p>Certificates using weak (md5) digests may also cause
+ problems in TLS. Although TLS 1.2 has an extension for
+ specifying which type of signatures are accepted, and in FIPS
+ mode the ssl application will use it properly, most TLS
+ implementations ignore this extension and simply send whatever
+ certificates they were configured with.</p></note>
+ </section>
+
+ </section>
+</chapter>
diff --git a/lib/crypto/doc/src/usersguide.xml b/lib/crypto/doc/src/usersguide.xml
index fb088a8285..7971aefff4 100644
--- a/lib/crypto/doc/src/usersguide.xml
+++ b/lib/crypto/doc/src/usersguide.xml
@@ -47,5 +47,6 @@
</p>
</description>
<xi:include href="licenses.xml"/>
+ <xi:include href="fips.xml"/>
</part>
diff --git a/lib/crypto/src/crypto.app.src b/lib/crypto/src/crypto.app.src
index 8a47b8a78b..460894c012 100644
--- a/lib/crypto/src/crypto.app.src
+++ b/lib/crypto/src/crypto.app.src
@@ -24,7 +24,7 @@
crypto_ec_curves]},
{registered, []},
{applications, [kernel, stdlib]},
- {env, []},
+ {env, [{fips_mode, false}]},
{runtime_dependencies, ["erts-6.0","stdlib-2.0","kernel-3.0"]}]}.
diff --git a/lib/crypto/src/crypto.erl b/lib/crypto/src/crypto.erl
index da024cf74c..43f9a0f9e7 100644
--- a/lib/crypto/src/crypto.erl
+++ b/lib/crypto/src/crypto.erl
@@ -22,7 +22,8 @@
-module(crypto).
--export([start/0, stop/0, info_lib/0, supports/0, version/0, bytes_to_integer/1]).
+-export([start/0, stop/0, info_lib/0, info_fips/0, supports/0, enable_fips_mode/1,
+ version/0, bytes_to_integer/1]).
-export([hash/2, hash_init/1, hash_update/2, hash_final/1]).
-export([sign/4, verify/5]).
-export([generate_key/2, generate_key/3, compute_key/4]).
@@ -190,7 +191,7 @@
%%-type ec_key() :: {Curve :: ec_curve(), PrivKey :: binary() | undefined, PubKey :: ec_point() | undefined}.
-on_load(on_load/0).
--define(CRYPTO_NIF_VSN,301).
+-define(CRYPTO_NIF_VSN,302).
-define(nif_stub,nif_stub_error(?LINE)).
nif_stub_error(Line) ->
@@ -220,6 +221,14 @@ supports()->
info_lib() -> ?nif_stub.
+-spec info_fips() -> not_supported | not_enabled | enabled.
+
+info_fips() -> ?nif_stub.
+
+-spec enable_fips_mode(boolean()) -> boolean().
+
+enable_fips_mode(_) -> ?nif_stub.
+
-spec hash(_, iodata()) -> binary().
hash(Hash, Data0) ->
@@ -314,7 +323,7 @@ block_encrypt(des3_cfb, Key0, Ivec, Data) ->
Key = check_des3_key(Key0),
block_crypt_nif(des_ede3_cfb, Key, Ivec, Data, true);
block_encrypt(aes_ige256, Key, Ivec, Data) ->
- aes_ige_crypt_nif(Key, Ivec, Data, true);
+ notsup_to_error(aes_ige_crypt_nif(Key, Ivec, Data, true));
block_encrypt(aes_gcm, Key, Ivec, {AAD, Data}) ->
aes_gcm_encrypt(Key, Ivec, AAD, Data);
block_encrypt(aes_gcm, Key, Ivec, {AAD, Data, TagLength}) ->
@@ -484,17 +493,17 @@ sign(Alg, Type, Data, Key) when is_binary(Data) ->
sign(Alg, Type, {digest, hash(Type, Data)}, Key);
sign(rsa, Type, {digest, Digest}, Key) ->
case rsa_sign_nif(Type, Digest, map_ensure_int_as_bin(Key)) of
- error -> erlang:error(badkey, [Type,Digest,Key]);
+ error -> erlang:error(badkey, [rsa, Type, {digest, Digest}, Key]);
Sign -> Sign
end;
sign(dss, Type, {digest, Digest}, Key) ->
case dss_sign_nif(Type, Digest, map_ensure_int_as_bin(Key)) of
- error -> erlang:error(badkey, [Digest, Key]);
+ error -> erlang:error(badkey, [dss, Type, {digest, Digest}, Key]);
Sign -> Sign
end;
sign(ecdsa, Type, {digest, Digest}, [Key, Curve]) ->
case ecdsa_sign_nif(Type, Digest, nif_curve_params(Curve), ensure_int_as_bin(Key)) of
- error -> erlang:error(badkey, [Type,Digest,Key]);
+ error -> erlang:error(badkey, [ecdsa, Type, {digest, Digest}, [Key, Curve]]);
Sign -> Sign
end.
@@ -510,7 +519,7 @@ sign(ecdsa, Type, {digest, Digest}, [Key, Curve]) ->
public_encrypt(rsa, BinMesg, Key, Padding) ->
case rsa_public_crypt(BinMesg, map_ensure_int_as_bin(Key), Padding, true) of
error ->
- erlang:error(encrypt_failed, [BinMesg,Key, Padding]);
+ erlang:error(encrypt_failed, [rsa, BinMesg,Key, Padding]);
Sign -> Sign
end.
@@ -518,7 +527,7 @@ public_encrypt(rsa, BinMesg, Key, Padding) ->
private_decrypt(rsa, BinMesg, Key, Padding) ->
case rsa_private_crypt(BinMesg, map_ensure_int_as_bin(Key), Padding, false) of
error ->
- erlang:error(decrypt_failed, [BinMesg,Key, Padding]);
+ erlang:error(decrypt_failed, [rsa, BinMesg,Key, Padding]);
Sign -> Sign
end.
@@ -527,7 +536,7 @@ private_decrypt(rsa, BinMesg, Key, Padding) ->
private_encrypt(rsa, BinMesg, Key, Padding) ->
case rsa_private_crypt(BinMesg, map_ensure_int_as_bin(Key), Padding, true) of
error ->
- erlang:error(encrypt_failed, [BinMesg,Key, Padding]);
+ erlang:error(encrypt_failed, [rsa, BinMesg,Key, Padding]);
Sign -> Sign
end.
@@ -535,7 +544,7 @@ private_encrypt(rsa, BinMesg, Key, Padding) ->
public_decrypt(rsa, BinMesg, Key, Padding) ->
case rsa_public_crypt(BinMesg, map_ensure_int_as_bin(Key), Padding, false) of
error ->
- erlang:error(decrypt_failed, [BinMesg,Key, Padding]);
+ erlang:error(decrypt_failed, [rsa, BinMesg,Key, Padding]);
Sign -> Sign
end.
@@ -583,7 +592,7 @@ compute_key(dh, OthersPublicKey, MyPrivateKey, DHParameters) ->
ensure_int_as_bin(MyPrivateKey),
map_ensure_int_as_bin(DHParameters)) of
error -> erlang:error(computation_failed,
- [OthersPublicKey,MyPrivateKey,DHParameters]);
+ [dh,OthersPublicKey,MyPrivateKey,DHParameters]);
Ret -> Ret
end;
@@ -651,7 +660,8 @@ on_load() ->
end,
Lib = filename:join([PrivDir, "lib", LibName]),
LibBin = path2bin(Lib),
- Status = case erlang:load_nif(Lib, {?CRYPTO_NIF_VSN,LibBin}) of
+ FipsMode = application:get_env(crypto, fips_mode, false) == true,
+ Status = case erlang:load_nif(Lib, {?CRYPTO_NIF_VSN,LibBin,FipsMode}) of
ok -> ok;
{error, {load_failed, _}}=Error1 ->
ArchLibDir =
@@ -664,7 +674,7 @@ on_load() ->
_ ->
ArchLib = filename:join([ArchLibDir, LibName]),
ArchBin = path2bin(ArchLib),
- erlang:load_nif(ArchLib, {?CRYPTO_NIF_VSN,ArchBin})
+ erlang:load_nif(ArchLib, {?CRYPTO_NIF_VSN,ArchBin,FipsMode})
end;
Error1 -> Error1
end,
@@ -1096,24 +1106,29 @@ rc4_encrypt_with_state(_State, _Data) -> ?nif_stub.
%% RC2 block cipher
rc2_cbc_encrypt(Key, IVec, Data) ->
- block_encrypt(rc2_cbc, Key, IVec, Data).
+ notsup_to_error(block_encrypt(rc2_cbc, Key, IVec, Data)).
rc2_cbc_decrypt(Key, IVec, Data) ->
- block_decrypt(rc2_cbc, Key, IVec, Data).
+ notsup_to_error(block_decrypt(rc2_cbc, Key, IVec, Data)).
%%
%% RC2 - 40 bits block cipher - Backwards compatibility not documented.
%%
rc2_40_cbc_encrypt(Key, IVec, Data) when erlang:byte_size(Key) == 5 ->
- block_encrypt(rc2_cbc, Key, IVec, Data).
+ notsup_to_error(block_encrypt(rc2_cbc, Key, IVec, Data)).
rc2_40_cbc_decrypt(Key, IVec, Data) when erlang:byte_size(Key) == 5 ->
- block_decrypt(rc2_cbc, Key, IVec, Data).
+ notsup_to_error(block_decrypt(rc2_cbc, Key, IVec, Data)).
%% Secure remote password -------------------------------------------------------------------
user_srp_gen_key(Private, Generator, Prime) ->
+ %% Ensure the SRP algorithm is disabled in FIPS mode
+ case info_fips() of
+ enabled -> erlang:error(notsup);
+ _ -> ok
+ end,
case mod_pow(Generator, Private, Prime) of
error ->
error;
@@ -1532,6 +1547,6 @@ mod_exp_nif(_Base,_Exp,_Mod,_bin_hdr) -> ?nif_stub.
des_cbc_ivec, des_cfb_ivec,
info,
%%
- info_lib, supports]).
+ info_lib, info_fips, supports]).
info() ->
?FUNC_LIST.
diff --git a/lib/crypto/src/crypto_ec_curves.erl b/lib/crypto/src/crypto_ec_curves.erl
index 002b03b80c..9602a7e24b 100644
--- a/lib/crypto/src/crypto_ec_curves.erl
+++ b/lib/crypto/src/crypto_ec_curves.erl
@@ -7,29 +7,36 @@ curves() ->
PubKeys = proplists:get_value(public_keys, CryptoSupport),
HasEC = proplists:get_bool(ecdh, PubKeys),
HasGF2m = proplists:get_bool(ec_gf2m, PubKeys),
- prime_curves(HasEC) ++ characteristic_two_curves(HasGF2m).
+ FIPSMode = crypto:info_fips() == enabled,
+ prime_curves(HasEC, FIPSMode) ++ characteristic_two_curves(HasGF2m, FIPSMode).
-prime_curves(true) ->
- [secp112r1,secp112r2,secp128r1,secp128r2,secp160k1,secp160r1,secp160r2,
+prime_curves(true, true) ->
+ [secp160k1,secp160r1,secp160r2,
secp192r1,secp192k1,secp224k1,secp224r1,secp256k1,secp256r1,secp384r1,
secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,
- prime256v1,wtls6,wtls7,wtls8,wtls9,wtls12,
+ prime256v1,wtls7,wtls9,wtls12,
brainpoolP160r1,brainpoolP160t1,brainpoolP192r1,brainpoolP192t1,
brainpoolP224r1,brainpoolP224t1,brainpoolP256r1,brainpoolP256t1,
brainpoolP320r1,brainpoolP320t1,brainpoolP384r1,brainpoolP384t1,
brainpoolP512r1,brainpoolP512t1];
-prime_curves(_) ->
+prime_curves(true, false) ->
+ [secp112r1,secp112r2,secp128r1,secp128r2,wtls6,wtls8]
+ ++ prime_curves(true, true);
+prime_curves(_, _) ->
[].
-characteristic_two_curves(true) ->
- [sect113r1,sect113r2,sect131r1,sect131r2,sect163k1,sect163r1,
+characteristic_two_curves(true, true) ->
+ [sect163k1,sect163r1,
sect163r2,sect193r1,sect193r2,sect233k1,sect233r1,sect239k1,sect283k1,
sect283r1,sect409k1,sect409r1,sect571k1,sect571r1,c2pnb163v1,c2pnb163v2,
c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,
c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359v1,c2pnb368w1,c2tnb431r1,
- wtls1,wtls3,wtls4,wtls5,wtls10,wtls11,ipsec3,ipsec4];
-characteristic_two_curves(_) ->
+ wtls3,wtls5,wtls10,wtls11];
+characteristic_two_curves(true, _) ->
+ [sect113r1,sect113r2,sect131r1,sect131r2,wtls1,wtls4,ipsec3,ipsec4]
+ ++ characteristic_two_curves(true, true);
+characteristic_two_curves(_, _) ->
[].
curve(secp112r1) ->
diff --git a/lib/crypto/test/blowfish_SUITE.erl b/lib/crypto/test/blowfish_SUITE.erl
index d7c50dc6de..a78f8fe39a 100644
--- a/lib/crypto/test/blowfish_SUITE.erl
+++ b/lib/crypto/test/blowfish_SUITE.erl
@@ -107,11 +107,37 @@ end_per_testcase(_TestCase, Config) ->
suite() -> [{ct_hooks,[ts_install_cth]}].
all() ->
-[ecb, cbc, cfb64, ofb64].
+[{group, fips},
+ {group, non_fips}].
groups() ->
- [].
+ [{fips, [], [no_ecb, no_cbc, no_cfb64, no_ofb64]},
+ {non_fips, [], [ecb, cbc, cfb64, ofb64]}].
+init_per_group(fips, Config) ->
+ case crypto:info_fips() of
+ enabled ->
+ Config;
+ not_enabled ->
+ case crypto:enable_fips_mode(true) of
+ true ->
+ enabled = crypto:info_fips(),
+ Config;
+ false ->
+ {skip, "Failed to enable FIPS mode"}
+ end;
+ not_supported ->
+ {skip, "FIPS mode not supported"}
+ end;
+init_per_group(non_fips, Config) ->
+ case crypto:info_fips() of
+ enabled ->
+ true = crypto:enable_fips_mode(false),
+ not_enabled = crypto:info_fips(),
+ Config;
+ _NotEnabled ->
+ Config
+ end;
init_per_group(_GroupName, Config) ->
Config.
@@ -196,8 +222,54 @@ ofb64(Config) when is_list(Config) ->
to_bin("E73214A2822139CA62B343CC5B65587310DD908D0C241B2263C2CF80DA"),
ok.
+no_ecb(doc) ->
+ "Test that ECB mode is disabled";
+no_ecb(suite) ->
+ [];
+no_ecb(Config) when is_list(Config) ->
+ notsup(fun crypto:blowfish_ecb_encrypt/2,
+ [to_bin("0000000000000000"),
+ to_bin("FFFFFFFFFFFFFFFF")]).
+
+no_cbc(doc) ->
+ "Test that CBC mode is disabled";
+no_cbc(suite) ->
+ [];
+no_cbc(Config) when is_list(Config) ->
+ notsup(fun crypto:blowfish_cbc_encrypt/3,
+ [?KEY, ?IVEC, ?DATA_PADDED]).
+
+no_cfb64(doc) ->
+ "Test that CFB64 mode is disabled";
+no_cfb64(suite) ->
+ [];
+no_cfb64(Config) when is_list(Config) ->
+ notsup(fun crypto:blowfish_cfb64_encrypt/3,
+ [?KEY, ?IVEC, ?DATA]),
+ ok.
+
+no_ofb64(doc) ->
+ "Test that OFB64 mode is disabled";
+no_ofb64(suite) ->
+ [];
+no_ofb64(Config) when is_list(Config) ->
+ notsup(fun crypto:blowfish_ofb64_encrypt/3,
+ [?KEY, ?IVEC, ?DATA]).
+
%% Helper functions
+%% Assert function fails with notsup error
+notsup(Fun, Args) ->
+ ok = try
+ {error, {return, apply(Fun, Args)}}
+ catch
+ error:notsup ->
+ ok;
+ Class:Error ->
+ {error, {Class, Error}}
+ end.
+
+
%% Convert a hexadecimal string to a binary.
-spec(to_bin(L::string()) -> binary()).
to_bin(L) ->
diff --git a/lib/crypto/test/crypto_SUITE.erl b/lib/crypto/test/crypto_SUITE.erl
index f0811c3e4f..0c3b7a0445 100644
--- a/lib/crypto/test/crypto_SUITE.erl
+++ b/lib/crypto/test/crypto_SUITE.erl
@@ -29,52 +29,88 @@
suite() -> [{ct_hooks,[ts_install_cth]}].
-all() ->
+all() ->
[app,
appup,
- {group, md4},
- {group, md5},
- {group, ripemd160},
- {group, sha},
- {group, sha224},
- {group, sha256},
- {group, sha384},
- {group, sha512},
- {group, rsa},
- {group, dss},
- {group, ecdsa},
- {group, dh},
- {group, ecdh},
- {group, srp},
- {group, des_cbc},
- {group, des_cfb},
- {group, des3_cbc},
- {group, des3_cbf},
- {group, des3_cfb},
- {group, des_ede3},
- {group, blowfish_cbc},
- {group, blowfish_ecb},
- {group, blowfish_cfb64},
- {group, blowfish_ofb64},
- {group, aes_cbc128},
- {group, aes_cfb8},
- {group, aes_cfb128},
- {group, aes_cbc256},
- {group, aes_ecb},
- {group, aes_ige256},
- {group, rc2_cbc},
- {group, rc4},
- {group, aes_ctr},
- {group, aes_gcm},
- {group, chacha20_poly1305},
- {group, aes_cbc},
+ {group, fips},
+ {group, non_fips},
mod_pow,
exor,
rand_uniform
].
-groups() ->
- [{md4, [], [hash]},
+groups() ->
+ [{non_fips, [], [{group, md4},
+ {group, md5},
+ {group, ripemd160},
+ {group, sha},
+ {group, sha224},
+ {group, sha256},
+ {group, sha384},
+ {group, sha512},
+ {group, rsa},
+ {group, dss},
+ {group, ecdsa},
+ {group, dh},
+ {group, ecdh},
+ {group, srp},
+ {group, des_cbc},
+ {group, des_cfb},
+ {group, des3_cbc},
+ {group, des3_cbf},
+ {group, des3_cfb},
+ {group, des_ede3},
+ {group, blowfish_cbc},
+ {group, blowfish_ecb},
+ {group, blowfish_cfb64},
+ {group, blowfish_ofb64},
+ {group, aes_cbc128},
+ {group, aes_cfb8},
+ {group, aes_cfb128},
+ {group, aes_cbc256},
+ {group, aes_ige256},
+ {group, rc2_cbc},
+ {group, rc4},
+ {group, aes_ctr},
+ {group, aes_gcm},
+ {group, chacha20_poly1305},
+ {group, aes_cbc}]},
+ {fips, [], [{group, no_md4},
+ {group, no_md5},
+ {group, no_ripemd160},
+ {group, sha},
+ {group, sha224},
+ {group, sha256},
+ {group, sha384},
+ {group, sha512},
+ {group, rsa},
+ {group, dss},
+ {group, ecdsa},
+ {group, dh},
+ {group, ecdh},
+ {group, no_srp},
+ {group, no_des_cbc},
+ {group, no_des_cfb},
+ {group, des3_cbc},
+ {group, des3_cbf},
+ {group, des3_cfb},
+ {group, des_ede3},
+ {group, no_blowfish_cbc},
+ {group, no_blowfish_ecb},
+ {group, no_blowfish_cfb64},
+ {group, no_blowfish_ofb64},
+ {group, aes_cbc128},
+ {group, aes_cfb8},
+ {group, aes_cfb128},
+ {group, aes_cbc256},
+ {group, no_aes_ige256},
+ {group, no_rc2_cbc},
+ {group, no_rc4},
+ {group, aes_ctr},
+ {group, aes_gcm},
+ {group, no_chacha20_poly1305},
+ {group, aes_cbc}]},
+ {md4, [], [hash]},
{md5, [], [hash, hmac]},
{ripemd160, [], [hash]},
{sha, [], [hash, hmac]},
@@ -82,9 +118,9 @@ groups() ->
{sha256, [], [hash, hmac]},
{sha384, [], [hash, hmac]},
{sha512, [], [hash, hmac]},
- {rsa, [], [sign_verify,
- public_encrypt
- ]},
+ {rsa, [], [sign_verify,
+ public_encrypt
+ ]},
{dss, [], [sign_verify]},
{ecdsa, [], [sign_verify]},
{dh, [], [generate_compute]},
@@ -107,11 +143,25 @@ groups() ->
{blowfish_ecb, [], [block]},
{blowfish_cfb64, [], [block]},
{blowfish_ofb64,[], [block]},
- {rc4, [], [stream]},
+ {rc4, [], [stream]},
{aes_ctr, [], [stream]},
{aes_gcm, [], [aead]},
{chacha20_poly1305, [], [aead]},
- {aes_cbc, [], [block]}
+ {aes_cbc, [], [block]},
+ {no_md4, [], [no_support, no_hash]},
+ {no_md5, [], [no_support, no_hash, no_hmac]},
+ {no_ripemd160, [], [no_support, no_hash]},
+ {no_srp, [], [no_support, no_generate_compute]},
+ {no_des_cbc, [], [no_support, no_block]},
+ {no_des_cfb, [], [no_support, no_block]},
+ {no_blowfish_cbc, [], [no_support, no_block]},
+ {no_blowfish_ecb, [], [no_support, no_block]},
+ {no_blowfish_cfb64, [], [no_support, no_block]},
+ {no_blowfish_ofb64, [], [no_support, no_block]},
+ {no_aes_ige256, [], [no_support, no_block]},
+ {no_chacha20_poly1305, [], [no_support, no_aead]},
+ {no_rc2_cbc, [], [no_support, no_block]},
+ {no_rc4, [], [no_support, no_stream]}
].
%%-------------------------------------------------------------------
@@ -141,12 +191,47 @@ end_per_suite(_Config) ->
application:stop(crypto).
%%-------------------------------------------------------------------
+init_per_group(fips, Config) ->
+ FIPSConfig = [{fips, true} | Config],
+ case crypto:info_fips() of
+ enabled ->
+ FIPSConfig;
+ not_enabled ->
+ case crypto:enable_fips_mode(true) of
+ true ->
+ enabled = crypto:info_fips(),
+ FIPSConfig;
+ false ->
+ {skip, "Failed to enable FIPS mode"}
+ end;
+ not_supported ->
+ {skip, "FIPS mode not supported"}
+ end;
+init_per_group(non_fips, Config) ->
+ NonFIPSConfig = [{fips, false} | Config],
+ case crypto:info_fips() of
+ enabled ->
+ true = crypto:enable_fips_mode(false),
+ not_enabled = crypto:info_fips(),
+ NonFIPSConfig;
+ _NotEnabled ->
+ NonFIPSConfig
+ end;
init_per_group(GroupName, Config) ->
- case is_supported(GroupName) of
- true ->
- group_config(GroupName, Config);
- false ->
- {skip, "Group not supported"}
+ case atom_to_list(GroupName) of
+ "no_" ++ TypeStr ->
+ %% Negated test case: check the algorithm is not supported
+ %% (e.g. due to FIPS mode limitations)
+ TypeAtom = list_to_atom(TypeStr),
+ [{type, TypeAtom} | group_config(TypeAtom, Config)];
+ _Other ->
+ %% Regular test case: skip if the algorithm is not supported
+ case is_supported(GroupName) of
+ true ->
+ [{type, GroupName} | group_config(GroupName, Config)];
+ false ->
+ {skip, "Group not supported"}
+ end
end.
end_per_group(_GroupName, Config) ->
@@ -183,6 +268,12 @@ appup() ->
appup(Config) when is_list(Config) ->
ok = ?t:appup_test(crypto).
%%--------------------------------------------------------------------
+no_support() ->
+ [{doc, "Test an algorithm is not reported in the supported list"}].
+no_support(Config) when is_list(Config) ->
+ Type = ?config(type, Config),
+ false = is_supported(Type).
+%%--------------------------------------------------------------------
hash() ->
[{doc, "Test all different hash functions"}].
hash(Config) when is_list(Config) ->
@@ -194,7 +285,14 @@ hash(Config) when is_list(Config) ->
hash(Type, Msgs, Digests),
hash(Type, lists:map(fun iolistify/1, Msgs), Digests),
hash_increment(Type, Inc, IncrDigest).
-%%--------------------------------------------------------------------
+%%--------------------------------------------------------------------
+no_hash() ->
+ [{doc, "Test all disabled hash functions"}].
+no_hash(Config) when is_list(Config) ->
+ Type = ?config(type, Config),
+ notsup(fun crypto:hash/2, [Type, <<"Hi There">>]),
+ notsup(fun crypto:hash_init/1, [Type]).
+%%--------------------------------------------------------------------
hmac() ->
[{doc, "Test all different hmac functions"}].
hmac(Config) when is_list(Config) ->
@@ -204,6 +302,13 @@ hmac(Config) when is_list(Config) ->
hmac(Type, lists:map(fun iolistify/1, Keys), lists:map(fun iolistify/1, Data), Expected),
hmac_increment(Type).
%%--------------------------------------------------------------------
+no_hmac() ->
+ [{doc, "Test all disabled hmac functions"}].
+no_hmac(Config) when is_list(Config) ->
+ Type = ?config(type, Config),
+ notsup(fun crypto:hmac/3, [Type, <<"Key">>, <<"Hi There">>]),
+ notsup(fun crypto:hmac_init/2, [Type, <<"Key">>]).
+%%--------------------------------------------------------------------
cmac() ->
[{doc, "Test all different cmac functions"}].
cmac(Config) when is_list(Config) ->
@@ -214,12 +319,51 @@ cmac(Config) when is_list(Config) ->
block() ->
[{doc, "Test block ciphers"}].
block(Config) when is_list(Config) ->
+ Fips = proplists:get_bool(fips, Config),
+ Type = ?config(type, Config),
+ %% See comment about EVP_CIPHER_CTX_set_key_length in
+ %% block_crypt_nif in crypto.c.
+ case {Fips, Type} of
+ {true, aes_cfb8} ->
+ throw({skip, "Cannot test aes_cfb8 in FIPS mode because of key length issue"});
+ {true, aes_cfb128} ->
+ throw({skip, "Cannot test aes_cfb128 in FIPS mode because of key length issue"});
+ _ ->
+ ok
+ end,
+
Blocks = proplists:get_value(block, Config),
lists:foreach(fun block_cipher/1, Blocks),
lists:foreach(fun block_cipher/1, block_iolistify(Blocks)),
lists:foreach(fun block_cipher_increment/1, block_iolistify(Blocks)).
%%--------------------------------------------------------------------
+no_block() ->
+ [{doc, "Test disabled block ciphers"}].
+no_block(Config) when is_list(Config) ->
+ Blocks = proplists:get_value(block, Config),
+ Args = case Blocks of
+ [{_Type, _Key, _PlainText} = A | _] ->
+ tuple_to_list(A);
+ [{_Type, _Key, _IV, _PlainText} = A | _] ->
+ tuple_to_list(A);
+ [{Type, Key, IV, PlainText, _CipherText} | _] ->
+ [Type, Key, IV, PlainText]
+ end,
+ N = length(Args),
+ notsup(fun crypto:block_encrypt/N, Args),
+ notsup(fun crypto:block_decrypt/N, Args).
+%%--------------------------------------------------------------------
+no_aead() ->
+ [{doc, "Test disabled aead ciphers"}].
+no_aead(Config) when is_list(Config) ->
+ [{Type, Key, PlainText, Nonce, AAD, CipherText, CipherTag} | _] =
+ proplists:get_value(aead, Config),
+ EncryptArgs = [Type, Key, Nonce, {AAD, PlainText}],
+ DecryptArgs = [Type, Key, Nonce, {AAD, CipherText, CipherTag}],
+ notsup(fun crypto:block_encrypt/4, EncryptArgs),
+ notsup(fun crypto:block_decrypt/4, DecryptArgs).
+%%--------------------------------------------------------------------
stream() ->
[{doc, "Test stream ciphers"}].
stream(Config) when is_list(Config) ->
@@ -228,6 +372,12 @@ stream(Config) when is_list(Config) ->
lists:foreach(fun stream_cipher/1, Streams),
lists:foreach(fun stream_cipher/1, stream_iolistify(Streams)),
lists:foreach(fun stream_cipher_incment/1, stream_iolistify(Streams)).
+%%--------------------------------------------------------------------
+no_stream() ->
+ [{doc, "Test disabled stream ciphers"}].
+no_stream(Config) when is_list(Config) ->
+ Type = ?config(type, Config),
+ notsup(fun crypto:stream_init/2, [Type, <<"Key">>]).
%%--------------------------------------------------------------------
aead() ->
@@ -235,7 +385,20 @@ aead() ->
aead(Config) when is_list(Config) ->
AEADs = lazy_eval(proplists:get_value(aead, Config)),
- lists:foreach(fun aead_cipher/1, AEADs).
+ FilteredAEADs =
+ case proplists:get_bool(fips, Config) of
+ false ->
+ AEADs;
+ true ->
+ %% In FIPS mode, the IV length must be at least 12 bytes.
+ lists:filter(
+ fun(Tuple) ->
+ IVLen = byte_size(element(4, Tuple)),
+ IVLen >= 12
+ end, AEADs)
+ end,
+
+ lists:foreach(fun aead_cipher/1, FilteredAEADs).
%%--------------------------------------------------------------------
sign_verify() ->
@@ -259,6 +422,24 @@ generate_compute(Config) when is_list(Config) ->
GenCom = proplists:get_value(generate_compute, Config),
lists:foreach(fun do_generate_compute/1, GenCom).
%%--------------------------------------------------------------------
+no_generate_compute() ->
+ [{doc, "Test crypto:genarate_key and crypto:compute_key "
+ "for disabled algorithms"}].
+no_generate_compute(Config) when is_list(Config) ->
+ %% This test is specific to the SRP protocol
+ srp = ?config(type, Config),
+ {srp,
+ UserPrivate, UserGenParams, UserComParams,
+ HostPublic, HostPrivate, HostGenParams, HostComParams,
+ _SessionKey} = srp3(),
+ UserPublic = HostPublic, % use a fake public key
+ notsup(fun crypto:generate_key/3, [srp, UserGenParams, UserPrivate]),
+ notsup(fun crypto:generate_key/3, [srp, HostGenParams, HostPrivate]),
+ notsup(fun crypto:compute_key/4,
+ [srp, HostPublic, {UserPublic, UserPrivate}, UserComParams]),
+ notsup(fun crypto:compute_key/4,
+ [srp, UserPublic, {HostPublic, HostPrivate}, HostComParams]).
+%%--------------------------------------------------------------------
compute() ->
[{doc, " Test crypto:compute_key"}].
compute(Config) when is_list(Config) ->
@@ -577,6 +758,25 @@ do_generate({ecdh = Type, Curve, Priv, Pub}) ->
ct:fail({{crypto, generate_key, [Type, Priv, Curve]}, {expected, Pub}, {got, Other}})
end.
+notsup(Fun, Args) ->
+ Result =
+ try
+ {error, {return, apply(Fun, Args)}}
+ catch
+ error:notsup ->
+ ok;
+ Class:Error ->
+ {error, {Class, Error}}
+ end,
+ case Result of
+ ok ->
+ ok;
+ {error, Value} ->
+ {module, Module} = erlang:fun_info(Fun, module),
+ {name, Name} = erlang:fun_info(Fun, name),
+ ct:fail({{Module, Name, Args}, {expected, {error, notsup}}, {got, Value}})
+ end.
+
hexstr2point(X, Y) ->
<<4:8, (hexstr2bin(X))/binary, (hexstr2bin(Y))/binary>>.
@@ -791,12 +991,23 @@ group_config(rsa = Type, Config) ->
Private = rsa_private(),
PublicS = rsa_public_stronger(),
PrivateS = rsa_private_stronger(),
- SignVerify = sign_verify_tests(Type, Msg, Public, Private, PublicS, PrivateS),
+ SignVerify =
+ case ?config(fips, Config) of
+ true ->
+ %% Use only the strong keys in FIPS mode
+ sign_verify_tests(Type, Msg,
+ PublicS, PrivateS,
+ PublicS, PrivateS);
+ false ->
+ sign_verify_tests(Type, Msg,
+ Public, Private,
+ PublicS, PrivateS)
+ end,
MsgPubEnc = <<"7896345786348 Asldi">>,
- PubPrivEnc = [{rsa, Public, Private, MsgPubEnc, rsa_pkcs1_padding},
- rsa_oaep(),
- no_padding()
- ],
+ PubPrivEnc = [{rsa, PublicS, PrivateS, MsgPubEnc, rsa_pkcs1_padding},
+ rsa_oaep(),
+ no_padding()
+ ],
[{sign_verify, SignVerify}, {pub_priv_encrypt, PubPrivEnc} | Config];
group_config(dss = Type, Config) ->
Msg = dss_plain(),
@@ -2335,7 +2546,7 @@ ecdh() ->
TestCases).
dh() ->
- {dh, 0087761979513264537414556992123116644042638206717762626089877284926656954974893442000747478454809111207351620687968672207938731607963470779396984752680274820156266685080223616226905101126463253150237669547023934604953898814222890239130021414026118792251620881355456432549881723310342870016961804255746630219, 2}.
+ {dh, 90970053988169282502023478715631717259407236400413906591937635666709823903223997309250405131675572047545403771567755831138144089197560332757755059848492919215391041119286178688014693040542889497092308638580104031455627238700168892909539193174537248629499995652186913900511641708112112482297874449292467498403, 2}.
rsa_oaep() ->
%% ftp://ftp.rsa.com/pub/rsalabs/tmp/pkcs1v15crypt-vectors.txt
@@ -2423,8 +2634,8 @@ cmac_nist(aes_cbc256 = Type) ->
no_padding() ->
- Public = [_, Mod] = rsa_public(),
- Private = rsa_private(),
+ Public = [_, Mod] = rsa_public_stronger(),
+ Private = rsa_private_stronger(),
MsgLen = erlang:byte_size(int_to_bin(Mod)),
Msg = list_to_binary(lists:duplicate(MsgLen, $X)),
{rsa, Public, Private, Msg, rsa_no_padding}.