cc/internal/fips_utils.h

*e7b1675dSTing-Kang Chang// Copyright 2021 Google LLC
*e7b1675dSTing-Kang Chang//
*e7b1675dSTing-Kang Chang// Licensed under the Apache License, Version 2.0 (the "License");
*e7b1675dSTing-Kang Chang// you may not use this file except in compliance with the License.
*e7b1675dSTing-Kang Chang// You may obtain a copy of the License at
*e7b1675dSTing-Kang Chang//
*e7b1675dSTing-Kang Chang//     http://www.apache.org/licenses/LICENSE-2.0
*e7b1675dSTing-Kang Chang//
*e7b1675dSTing-Kang Chang// Unless required by applicable law or agreed to in writing, software
*e7b1675dSTing-Kang Chang// distributed under the License is distributed on an "AS IS" BASIS,
*e7b1675dSTing-Kang Chang// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
*e7b1675dSTing-Kang Chang// See the License for the specific language governing permissions and
*e7b1675dSTing-Kang Chang// limitations under the License.
*e7b1675dSTing-Kang Chang//
*e7b1675dSTing-Kang Chang///////////////////////////////////////////////////////////////////////////////
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang#ifndef TINK_INTERNAL_FIPS_UTILS_H_
*e7b1675dSTing-Kang Chang#define TINK_INTERNAL_FIPS_UTILS_H_
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang#include "absl/base/attributes.h"
*e7b1675dSTing-Kang Chang#include "tink/util/status.h"
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Changnamespace crypto {
*e7b1675dSTing-Kang Changnamespace tink {
*e7b1675dSTing-Kang Changnamespace internal {
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang// This flag indicates whether Tink was build in FIPS only mode. If the flag
*e7b1675dSTing-Kang Chang// is set, then usage of algorithms will be restricted to algorithms which
*e7b1675dSTing-Kang Chang// utilize the FIPS validated BoringCrypto module. TODO(kste): Check if this can
*e7b1675dSTing-Kang Chang// be removed.
*e7b1675dSTing-Kang ChangABSL_CONST_INIT extern const bool kUseOnlyFips;
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang// This function will return true if Tink has been built in FIPS mode or if
*e7b1675dSTing-Kang Chang// the FIPS restrictions have been enabled at runtime.
*e7b1675dSTing-Kang Changbool IsFipsModeEnabled();
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang// Returns true if the Ssl layer (BoringSSL or OpenSSL) has FIPS mode enabled.
*e7b1675dSTing-Kang Changbool IsFipsEnabledInSsl();
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang// Enable FIPS restrictions. If Tink has been built in FIPS mode this is
*e7b1675dSTing-Kang Chang// redundant.
*e7b1675dSTing-Kang Changvoid SetFipsRestricted();
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang// Disable FIPS restrictions. Note that if Tink has been built in FIPS mode this
*e7b1675dSTing-Kang Chang// will have no effect.
*e7b1675dSTing-Kang Changvoid UnSetFipsRestricted();
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang// Should be used to indicate whether an algorithm can be used in FIPS only
*e7b1675dSTing-Kang Chang// mode or not.
*e7b1675dSTing-Kang Changenum class FipsCompatibility {
*e7b1675dSTing-Kang Chang  kNotFips = 0,  // The algorithm can not use a FIPS validated implementation.
*e7b1675dSTing-Kang Chang  kRequiresBoringCrypto,  // The algorithm requires BoringCrypto to use a FIPS
*e7b1675dSTing-Kang Chang                          // validated implementation.
*e7b1675dSTing-Kang Chang};
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang// Allows to check for a cryptographic algorithm whether it is available in
*e7b1675dSTing-Kang Chang// the FIPS only mode, based on it's FipsCompatibility flag. If FIPS only
*e7b1675dSTing-Kang Chang// mode is enabled this will return an INTERNAL error if:
*e7b1675dSTing-Kang Chang// 1) The algorithm has no FIPS support.
*e7b1675dSTing-Kang Chang// 2) The algorithm has FIPS support, but BoringSSL has not been compiled with
*e7b1675dSTing-Kang Chang//    the BoringCrypto module.
*e7b1675dSTing-Kang Changcrypto::tink::util::Status ChecksFipsCompatibility(
*e7b1675dSTing-Kang Chang    FipsCompatibility fips_status);
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang// Utility function wich calls CheckFipsCompatibility(T::kFipsStatus).
*e7b1675dSTing-Kang Changtemplate <class T>
*e7b1675dSTing-Kang Changcrypto::tink::util::Status CheckFipsCompatibility() {
*e7b1675dSTing-Kang Chang  return ChecksFipsCompatibility(T::kFipsStatus);
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang}  // namespace internal
*e7b1675dSTing-Kang Chang}  // namespace tink
*e7b1675dSTing-Kang Chang}  // namespace crypto
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang#endif  // TINK_INTERNAL_FIPS_UTILS_H_