feat: Add additional EC key validation for FIPS

aws · Mar 12, 2024 · 24afd67 · 24afd67
1 parent 770d3f3
commit 24afd67
Show file tree

Hide file tree

Showing 4 changed files with 58 additions and 1 deletion.
diff --git a/crypto/s2n_ecc_evp.c b/crypto/s2n_ecc_evp.c
@@ -23,6 +23,8 @@
 
 #include <stdint.h>
 
+#include "crypto/s2n_fips.h"
+#include "crypto/s2n_libcrypto.h"
 #include "tls/s2n_connection.h"
 #include "tls/s2n_ecc_preferences.h"
 #include "tls/s2n_tls_parameters.h"
@@ -163,6 +165,22 @@ static int s2n_ecc_evp_generate_own_key(const struct s2n_ecc_named_curve *named_
     return named_curve->generate_key(named_curve, evp_pkey);
 }
 
+static S2N_RESULT s2n_ecc_check_key(EC_KEY *ec_key)
+{
+    RESULT_ENSURE_REF(ec_key);
+
+#ifdef S2N_LIBCRYPTO_SUPPORTS_EC_KEY_CHECK_FIPS
+    if (s2n_is_in_fips_mode()) {
+        RESULT_GUARD_OSSL(EC_KEY_check_fips(ec_key), S2N_ERR_ECDHE_SHARED_SECRET);
+        return S2N_RESULT_OK;
+    }
+#endif
+
+    RESULT_GUARD_OSSL(EC_KEY_check_key(ec_key), S2N_ERR_ECDHE_SHARED_SECRET);
+
+    return S2N_RESULT_OK;
+}
+
 static int s2n_ecc_evp_compute_shared_secret(EVP_PKEY *own_key, EVP_PKEY *peer_public, uint16_t iana_id, struct s2n_blob *shared_secret)
 {
     POSIX_ENSURE_REF(peer_public);
@@ -180,7 +198,7 @@ static int s2n_ecc_evp_compute_shared_secret(EVP_PKEY *own_key, EVP_PKEY *peer_p
     if (iana_id != TLS_EC_CURVE_ECDH_X25519 && iana_id != TLS_EC_CURVE_ECDH_X448) {
         DEFER_CLEANUP(EC_KEY *ec_key = EVP_PKEY_get1_EC_KEY(peer_public), EC_KEY_free_pointer);
         S2N_ERROR_IF(ec_key == NULL, S2N_ERR_ECDHE_UNSUPPORTED_CURVE);
-        POSIX_GUARD_OSSL(EC_KEY_check_key(ec_key), S2N_ERR_ECDHE_SHARED_SECRET);
+        POSIX_GUARD_RESULT(s2n_ecc_check_key(ec_key));
     }
 
     size_t shared_secret_size;

diff --git a/tests/features/S2N_LIBCRYPTO_SUPPORTS_EC_KEY_CHECK_FIPS.c b/tests/features/S2N_LIBCRYPTO_SUPPORTS_EC_KEY_CHECK_FIPS.c
@@ -0,0 +1,23 @@
+/*
+* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*
+* Licensed under the Apache License, Version 2.0 (the "License").
+* You may not use this file except in compliance with the License.
+* A copy of the License is located at
+*
+*  http://aws.amazon.com/apache2.0
+*
+* or in the "license" file accompanying this file. This file is distributed
+* on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+* express or implied. See the License for the specific language governing
+* permissions and limitations under the License.
+*/
+
+#include <openssl/ec.h>
+
+int main()
+{
+    EC_KEY *ec_key = NULL;
+    EC_KEY_check_fips(ec_key);
+    return 0;
+}
diff --git a/tests/features/S2N_LIBCRYPTO_SUPPORTS_EC_KEY_CHECK_FIPS.flags b/tests/features/S2N_LIBCRYPTO_SUPPORTS_EC_KEY_CHECK_FIPS.flags
diff --git a/tests/unit/s2n_ecc_evp_test.c b/tests/unit/s2n_ecc_evp_test.c
@@ -16,6 +16,7 @@
 #include "crypto/s2n_ecc_evp.h"
 
 #include "api/s2n.h"
+#include "crypto/s2n_libcrypto.h"
 #include "s2n_test.h"
 #include "stuffer/s2n_stuffer.h"
 #include "testlib/s2n_testlib.h"
@@ -27,10 +28,25 @@
 
 extern const struct s2n_ecc_named_curve s2n_unsupported_curve;
 
+bool s2n_libcrypto_supports_ec_key_check_fips()
+{
+#ifdef S2N_LIBCRYPTO_SUPPORTS_EC_KEY_CHECK_FIPS
+    return true;
+#else
+    return false;
+#endif
+}
+
 int main(int argc, char** argv)
 {
     BEGIN_TEST();
     EXPECT_SUCCESS(s2n_disable_tls13_in_test());
+
+    /* Test the EC_KEY_CHECK_FIPS feature probe. AWS-LC is a libcrypto known to support this feature. */
+    if (s2n_libcrypto_is_awslc()) {
+        EXPECT_TRUE(s2n_libcrypto_supports_ec_key_check_fips());
+    }
+
     {
         /* Test generate ephemeral keys for all supported curves */
         for (size_t i = 0; i < s2n_all_supported_curves_list_len; i++) {