xref: /aosp_15_r20/external/tink/cc/internal/fips_utils.h (revision e7b1675dde1b92d52ec075b0a92829627f2c52a5) 
1 // Copyright 2021 Google LLC
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 //     http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 //
15 ///////////////////////////////////////////////////////////////////////////////
16 
17 #ifndef TINK_INTERNAL_FIPS_UTILS_H_
18 #define TINK_INTERNAL_FIPS_UTILS_H_
19 
20 #include "absl/base/attributes.h"
21 #include "tink/util/status.h"
22 
23 namespace crypto {
24 namespace tink {
25 namespace internal {
26 
27 // This flag indicates whether Tink was build in FIPS only mode. If the flag
28 // is set, then usage of algorithms will be restricted to algorithms which
29 // utilize the FIPS validated BoringCrypto module. TODO(kste): Check if this can
30 // be removed.
31 ABSL_CONST_INIT extern const bool kUseOnlyFips;
32 
33 // This function will return true if Tink has been built in FIPS mode or if
34 // the FIPS restrictions have been enabled at runtime.
35 bool IsFipsModeEnabled();
36 
37 // Returns true if the Ssl layer (BoringSSL or OpenSSL) has FIPS mode enabled.
38 bool IsFipsEnabledInSsl();
39 
40 // Enable FIPS restrictions. If Tink has been built in FIPS mode this is
41 // redundant.
42 void SetFipsRestricted();
43 
44 // Disable FIPS restrictions. Note that if Tink has been built in FIPS mode this
45 // will have no effect.
46 void UnSetFipsRestricted();
47 
48 // Should be used to indicate whether an algorithm can be used in FIPS only
49 // mode or not.
50 enum class FipsCompatibility {
51   kNotFips = 0,  // The algorithm can not use a FIPS validated implementation.
52   kRequiresBoringCrypto,  // The algorithm requires BoringCrypto to use a FIPS
53                           // validated implementation.
54 };
55 
56 // Allows to check for a cryptographic algorithm whether it is available in
57 // the FIPS only mode, based on it's FipsCompatibility flag. If FIPS only
58 // mode is enabled this will return an INTERNAL error if:
59 // 1) The algorithm has no FIPS support.
60 // 2) The algorithm has FIPS support, but BoringSSL has not been compiled with
61 //    the BoringCrypto module.
62 crypto::tink::util::Status ChecksFipsCompatibility(
63     FipsCompatibility fips_status);
64 
65 // Utility function wich calls CheckFipsCompatibility(T::kFipsStatus).
66 template <class T>
CheckFipsCompatibility()67 crypto::tink::util::Status CheckFipsCompatibility() {
68   return ChecksFipsCompatibility(T::kFipsStatus);
69 }
70 
71 
72 }  // namespace internal
73 }  // namespace tink
74 }  // namespace crypto
75 
76 #endif  // TINK_INTERNAL_FIPS_UTILS_H_
77