Google Git
Sign in
pigweed / third_party / boringssl / boringssl / 7f4057ec106c5c2678866b364838cae72e55a9d7^! / .
commit7f4057ec106c5c2678866b364838cae72e55a9d7[log] [tgz]
authorAdam Langley <alangley@gmail.com>Fri Mar 18 10:57:09 2022 -0700
committerAdam Langley <agl@google.com>Mon Mar 21 19:31:15 2022 +0000
treeda057a09c527cba18866c31212e900b026610733
parentdcba84922c7e2881f7051c85fb5a40165ff29933 [diff]
Add a function to tell if an algorithm is FIPS approved.

Change-Id: I934376ead1bc3e4e8349540c4a3da99cd0b49181
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51985
Reviewed-by: David Benjamin <davidben@google.com>

diff --git a/crypto/crypto_test.cc b/crypto/crypto_test.cc
index 7f15a23..228aaf2 100644
--- a/crypto/crypto_test.cc
+++ b/crypto/crypto_test.cc

@@ -138,3 +138,17 @@
 }
 
 #endif  // BORINGSSL_FIPS_COUNTERS
+
+TEST(Crypto, QueryAlgorithmStatus) {
+#if defined(BORINGSSL_FIPS)
+  const bool is_fips_build = true;
+#else
+  const bool is_fips_build = false;
+#endif
+
+  EXPECT_EQ(FIPS_query_algorithm_status("AES-GCM"), is_fips_build);
+  EXPECT_EQ(FIPS_query_algorithm_status("AES-ECB"), is_fips_build);
+
+  EXPECT_FALSE(FIPS_query_algorithm_status("FakeEncrypt"));
+  EXPECT_FALSE(FIPS_query_algorithm_status(""));
+}

diff --git a/crypto/fipsmodule/self_check/fips.c b/crypto/fipsmodule/self_check/fips.c
index d55c493..2b9927f 100644
--- a/crypto/fipsmodule/self_check/fips.c
+++ b/crypto/fipsmodule/self_check/fips.c

@@ -28,6 +28,41 @@
 
 int FIPS_mode_set(int on) { return on == FIPS_mode(); }
 
+int FIPS_query_algorithm_status(const char *algorithm) {
+#if defined(BORINGSSL_FIPS)
+  static const char kApprovedAlgorithms[][13] = {
+    "AES-CBC",
+    "AES-CCM",
+    "AES-CTR",
+    "AES-ECB",
+    "AES-GCM",
+    "AES-KW",
+    "AES-KWP",
+    "ctrDRBG",
+    "ECC-SSC",
+    "ECDSA-sign",
+    "ECDSA-verify",
+    "FFC-SSC",
+    "HMAC",
+    "RSA-sign",
+    "RSA-verify",
+    "SHA-1",
+    "SHA2-224",
+    "SHA2-256",
+    "SHA2-384",
+    "SHA2-512",
+    "SHA2-512/256",
+  };
+  for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kApprovedAlgorithms); i++) {
+    if (strcmp(algorithm, kApprovedAlgorithms[i]) == 0) {
+      return 1;
+    }
+  }
+#endif  // BORINGSSL_FIPS
+
+  return 0;
+}
+
 #if defined(BORINGSSL_FIPS_COUNTERS)
 
 size_t FIPS_read_counter(enum fips_counter_t counter) {

diff --git a/include/openssl/crypto.h b/include/openssl/crypto.h
index 0824b93..ce1e5ce 100644
--- a/include/openssl/crypto.h
+++ b/include/openssl/crypto.h

@@ -172,6 +172,10 @@
 // |BORINGSSL_FIPS| and zero otherwise.
 OPENSSL_EXPORT int FIPS_mode_set(int on);
 
+// FIPS_query_algorithm_status returns one if |algorithm| is FIPS validated in
+// the current BoringSSL and zero otherwise.
+OPENSSL_EXPORT int FIPS_query_algorithm_status(const char *algorithm);
+
 
 #if defined(__cplusplus)
 }  // extern C