cc/internal/fips_utils.cc

*e7b1675dSTing-Kang Chang// Copyright 2021 Google LLC
*e7b1675dSTing-Kang Chang//
*e7b1675dSTing-Kang Chang// Licensed under the Apache License, Version 2.0 (the "License");
*e7b1675dSTing-Kang Chang// you may not use this file except in compliance with the License.
*e7b1675dSTing-Kang Chang// You may obtain a copy of the License at
*e7b1675dSTing-Kang Chang//
*e7b1675dSTing-Kang Chang//     http://www.apache.org/licenses/LICENSE-2.0
*e7b1675dSTing-Kang Chang//
*e7b1675dSTing-Kang Chang// Unless required by applicable law or agreed to in writing, software
*e7b1675dSTing-Kang Chang// distributed under the License is distributed on an "AS IS" BASIS,
*e7b1675dSTing-Kang Chang// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
*e7b1675dSTing-Kang Chang// See the License for the specific language governing permissions and
*e7b1675dSTing-Kang Chang// limitations under the License.
*e7b1675dSTing-Kang Chang//
*e7b1675dSTing-Kang Chang///////////////////////////////////////////////////////////////////////////////
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang#include "tink/internal/fips_utils.h"
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang#include <atomic>
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang#include "absl/base/attributes.h"
*e7b1675dSTing-Kang Chang#include "absl/status/status.h"
*e7b1675dSTing-Kang Chang#include "openssl/crypto.h"
*e7b1675dSTing-Kang Chang#include "tink/util/status.h"
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Changnamespace crypto {
*e7b1675dSTing-Kang Changnamespace tink {
*e7b1675dSTing-Kang Changnamespace internal {
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang#ifdef TINK_USE_ONLY_FIPS
*e7b1675dSTing-Kang ChangABSL_CONST_INIT const bool kUseOnlyFips = true;
*e7b1675dSTing-Kang Chang#else
*e7b1675dSTing-Kang ChangABSL_CONST_INIT const bool kUseOnlyFips = false;
*e7b1675dSTing-Kang Chang#endif
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Changstatic std::atomic<bool> is_fips_restricted(false);
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Changvoid SetFipsRestricted() { is_fips_restricted = true; }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Changvoid UnSetFipsRestricted() { is_fips_restricted = false; }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Changbool IsFipsModeEnabled() { return kUseOnlyFips || is_fips_restricted; }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Changbool IsFipsEnabledInSsl() {
*e7b1675dSTing-Kang Chang#ifdef OPENSSL_IS_BORINGSSL
*e7b1675dSTing-Kang Chang  return FIPS_mode();
*e7b1675dSTing-Kang Chang#else
*e7b1675dSTing-Kang Chang  return false;
*e7b1675dSTing-Kang Chang#endif
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Changutil::Status ChecksFipsCompatibility(FipsCompatibility fips_status) {
*e7b1675dSTing-Kang Chang  switch (fips_status) {
*e7b1675dSTing-Kang Chang    case FipsCompatibility::kNotFips:
*e7b1675dSTing-Kang Chang      if (IsFipsModeEnabled()) {
*e7b1675dSTing-Kang Chang        return util::Status(absl::StatusCode::kInternal,
*e7b1675dSTing-Kang Chang                            "Primitive not available in FIPS only mode.");
*e7b1675dSTing-Kang Chang      } else {
*e7b1675dSTing-Kang Chang        return util::OkStatus();
*e7b1675dSTing-Kang Chang      }
*e7b1675dSTing-Kang Chang    case FipsCompatibility::kRequiresBoringCrypto:
*e7b1675dSTing-Kang Chang      if ((IsFipsModeEnabled()) && !IsFipsEnabledInSsl()) {
*e7b1675dSTing-Kang Chang        return util::Status(
*e7b1675dSTing-Kang Chang            absl::StatusCode::kInternal,
*e7b1675dSTing-Kang Chang            "BoringSSL not built with the BoringCrypto module. If you want to "
*e7b1675dSTing-Kang Chang            "use FIPS only mode you have to build BoringSSL in FIPS Mode.");
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang      } else {
*e7b1675dSTing-Kang Chang        return util::OkStatus();
*e7b1675dSTing-Kang Chang      }
*e7b1675dSTing-Kang Chang    default:
*e7b1675dSTing-Kang Chang      return util::Status(absl::StatusCode::kInternal,
*e7b1675dSTing-Kang Chang                          "Could not determine FIPS status.");
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang}  // namespace internal
*e7b1675dSTing-Kang Chang}  // namespace tink
*e7b1675dSTing-Kang Chang}  // namespace crypto