You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
252 lines
10 KiB
252 lines
10 KiB
1 month ago
|
From 9b02ad7225b74a5b9088b361caead0a41e570e93 Mon Sep 17 00:00:00 2001
|
||
|
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
|
||
|
Date: Mon, 21 Aug 2023 16:40:56 +0200
|
||
|
Subject: [PATCH 48/48] 0114-FIPS-enforce-EMS-support.patch
|
||
|
|
||
|
Patch-name: 0114-FIPS-enforce-EMS-support.patch
|
||
|
Patch-id: 114
|
||
|
Patch-status: |
|
||
|
# We believe that some changes present in CentOS are not necessary
|
||
|
# because ustream has a check for FIPS version
|
||
|
---
|
||
|
doc/man3/SSL_CONF_cmd.pod | 3 +++
|
||
|
doc/man5/fips_config.pod | 13 +++++++++++
|
||
|
include/openssl/fips_names.h | 8 +++++++
|
||
|
include/openssl/ssl.h.in | 1 +
|
||
|
providers/fips/fipsprov.c | 2 +-
|
||
|
providers/implementations/kdfs/tls1_prf.c | 22 +++++++++++++++++++
|
||
|
ssl/ssl_conf.c | 1 +
|
||
|
ssl/statem/extensions_srvr.c | 8 ++++++-
|
||
|
ssl/t1_enc.c | 11 ++++++++--
|
||
|
.../30-test_evp_data/evpkdf_tls12_prf.txt | 10 +++++++++
|
||
|
test/sslapitest.c | 2 +-
|
||
|
11 files changed, 76 insertions(+), 5 deletions(-)
|
||
|
|
||
|
diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod
|
||
|
index ae6ca43282..b83c04a308 100644
|
||
|
--- a/doc/man3/SSL_CONF_cmd.pod
|
||
|
+++ b/doc/man3/SSL_CONF_cmd.pod
|
||
|
@@ -524,6 +524,9 @@ B<ExtendedMasterSecret>: use extended master secret extension, enabled by
|
||
|
default. Inverse of B<SSL_OP_NO_EXTENDED_MASTER_SECRET>: that is,
|
||
|
B<-ExtendedMasterSecret> is the same as setting B<SSL_OP_NO_EXTENDED_MASTER_SECRET>.
|
||
|
|
||
|
+B<RHNoEnforceEMSinFIPS>: allow establishing connections without EMS in FIPS mode.
|
||
|
+This is a RedHat-based OS specific option, and normally it should be set up via crypto policies.
|
||
|
+
|
||
|
B<CANames>: use CA names extension, enabled by
|
||
|
default. Inverse of B<SSL_OP_DISABLE_TLSEXT_CA_NAMES>: that is,
|
||
|
B<-CANames> is the same as setting B<SSL_OP_DISABLE_TLSEXT_CA_NAMES>.
|
||
|
diff --git a/doc/man5/fips_config.pod b/doc/man5/fips_config.pod
|
||
|
index 1c15e32a5c..f2cedaf88d 100644
|
||
|
--- a/doc/man5/fips_config.pod
|
||
|
+++ b/doc/man5/fips_config.pod
|
||
|
@@ -15,6 +15,19 @@ for more information.
|
||
|
|
||
|
This functionality was added in OpenSSL 3.0.
|
||
|
|
||
|
+Red Hat Enterprise Linux uses a supplementary config for FIPS module located in
|
||
|
+OpenSSL configuration directory and managed by crypto policies. If present, it
|
||
|
+should have format
|
||
|
+
|
||
|
+ [fips_sect]
|
||
|
+ tls1-prf-ems-check = 0
|
||
|
+ activate = 1
|
||
|
+
|
||
|
+The B<tls1-prf-ems-check> option specifies whether FIPS module will require the
|
||
|
+presence of extended master secret or not.
|
||
|
+
|
||
|
+The B<activate> option enforces FIPS provider activation.
|
||
|
+
|
||
|
=head1 COPYRIGHT
|
||
|
|
||
|
Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||
|
diff --git a/include/openssl/fips_names.h b/include/openssl/fips_names.h
|
||
|
index 5c77f6d691..8cdd5a6bf7 100644
|
||
|
--- a/include/openssl/fips_names.h
|
||
|
+++ b/include/openssl/fips_names.h
|
||
|
@@ -70,6 +70,14 @@ extern "C" {
|
||
|
*/
|
||
|
# define OSSL_PROV_FIPS_PARAM_DRBG_TRUNC_DIGEST "drbg-no-trunc-md"
|
||
|
|
||
|
+/*
|
||
|
+ * A boolean that determines if the runtime FIPS check for TLS1_PRF EMS is performed.
|
||
|
+ * This is disabled by default.
|
||
|
+ *
|
||
|
+ * Type: OSSL_PARAM_UTF8_STRING
|
||
|
+ */
|
||
|
+# define OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK "tls1-prf-ems-check"
|
||
|
+
|
||
|
# ifdef __cplusplus
|
||
|
}
|
||
|
# endif
|
||
|
diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
|
||
|
index 0b6de603e2..26a69ca282 100644
|
||
|
--- a/include/openssl/ssl.h.in
|
||
|
+++ b/include/openssl/ssl.h.in
|
||
|
@@ -415,6 +415,7 @@ typedef int (*SSL_async_callback_fn)(SSL *s, void *arg);
|
||
|
* interoperability with CryptoPro CSP 3.x
|
||
|
*/
|
||
|
# define SSL_OP_CRYPTOPRO_TLSEXT_BUG SSL_OP_BIT(31)
|
||
|
+# define SSL_OP_RH_PERMIT_NOEMS_FIPS SSL_OP_BIT(48)
|
||
|
/*
|
||
|
* Disable RFC8879 certificate compression
|
||
|
* SSL_OP_NO_TX_CERTIFICATE_COMPRESSION: don't send compressed certificates,
|
||
|
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
|
||
|
index 5ff9872bd8..eb9653a9df 100644
|
||
|
--- a/providers/fips/fipsprov.c
|
||
|
+++ b/providers/fips/fipsprov.c
|
||
|
@@ -105,7 +105,7 @@ void *ossl_fips_prov_ossl_ctx_new(OSSL_LIB_CTX *libctx)
|
||
|
if (fgbl == NULL)
|
||
|
return NULL;
|
||
|
init_fips_option(&fgbl->fips_security_checks, 1);
|
||
|
- init_fips_option(&fgbl->fips_tls1_prf_ems_check, 0); /* Disabled by default */
|
||
|
+ init_fips_option(&fgbl->fips_tls1_prf_ems_check, 1); /* Enabled by default */
|
||
|
init_fips_option(&fgbl->fips_restricted_drgb_digests, 0);
|
||
|
return fgbl;
|
||
|
}
|
||
|
diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c
|
||
|
index 25a6c79a2e..79bc7a9719 100644
|
||
|
--- a/providers/implementations/kdfs/tls1_prf.c
|
||
|
+++ b/providers/implementations/kdfs/tls1_prf.c
|
||
|
@@ -131,6 +131,7 @@ static void *kdf_tls1_prf_new(void *provctx)
|
||
|
static void kdf_tls1_prf_free(void *vctx)
|
||
|
{
|
||
|
TLS1_PRF *ctx = (TLS1_PRF *)vctx;
|
||
|
+ OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx);
|
||
|
|
||
|
if (ctx != NULL) {
|
||
|
kdf_tls1_prf_reset(ctx);
|
||
|
@@ -222,6 +223,27 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen,
|
||
|
}
|
||
|
}
|
||
|
|
||
|
+ /*
|
||
|
+ * The seed buffer is prepended with a label.
|
||
|
+ * If EMS mode is enforced then the label "master secret" is not allowed,
|
||
|
+ * We do the check this way since the PRF is used for other purposes, as well
|
||
|
+ * as "extended master secret".
|
||
|
+ */
|
||
|
+#ifdef FIPS_MODULE
|
||
|
+ if (ctx->seedlen >= TLS_MD_MASTER_SECRET_CONST_SIZE
|
||
|
+ && memcmp(ctx->seed, TLS_MD_MASTER_SECRET_CONST,
|
||
|
+ TLS_MD_MASTER_SECRET_CONST_SIZE) == 0)
|
||
|
+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||
|
+#endif /* defined(FIPS_MODULE) */
|
||
|
+ if (ossl_tls1_prf_ems_check_enabled(libctx)) {
|
||
|
+ if (ctx->seedlen >= TLS_MD_MASTER_SECRET_CONST_SIZE
|
||
|
+ && memcmp(ctx->seed, TLS_MD_MASTER_SECRET_CONST,
|
||
|
+ TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) {
|
||
|
+ ERR_raise(ERR_LIB_PROV, PROV_R_EMS_NOT_ENABLED);
|
||
|
+ return 0;
|
||
|
+ }
|
||
|
+ }
|
||
|
+
|
||
|
return tls1_prf_alg(ctx->P_hash, ctx->P_sha1,
|
||
|
ctx->sec, ctx->seclen,
|
||
|
ctx->seed, ctx->seedlen,
|
||
|
diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c
|
||
|
index 5146cedb96..086db98c33 100644
|
||
|
--- a/ssl/ssl_conf.c
|
||
|
+++ b/ssl/ssl_conf.c
|
||
|
@@ -389,6 +389,7 @@ static int cmd_Options(SSL_CONF_CTX *cctx, const char *value)
|
||
|
SSL_FLAG_TBL("ClientRenegotiation",
|
||
|
SSL_OP_ALLOW_CLIENT_RENEGOTIATION),
|
||
|
SSL_FLAG_TBL_INV("EncryptThenMac", SSL_OP_NO_ENCRYPT_THEN_MAC),
|
||
|
+ SSL_FLAG_TBL("RHNoEnforceEMSinFIPS", SSL_OP_RH_PERMIT_NOEMS_FIPS),
|
||
|
SSL_FLAG_TBL("NoRenegotiation", SSL_OP_NO_RENEGOTIATION),
|
||
|
SSL_FLAG_TBL("AllowNoDHEKEX", SSL_OP_ALLOW_NO_DHE_KEX),
|
||
|
SSL_FLAG_TBL("PrioritizeChaCha", SSL_OP_PRIORITIZE_CHACHA),
|
||
|
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
|
||
|
index 00b1ee531e..22cdabb308 100644
|
||
|
--- a/ssl/statem/extensions_srvr.c
|
||
|
+++ b/ssl/statem/extensions_srvr.c
|
||
|
@@ -11,6 +11,7 @@
|
||
|
#include "../ssl_local.h"
|
||
|
#include "statem_local.h"
|
||
|
#include "internal/cryptlib.h"
|
||
|
+#include <openssl/fips.h>
|
||
|
|
||
|
#define COOKIE_STATE_FORMAT_VERSION 1
|
||
|
|
||
|
@@ -1552,8 +1553,13 @@ EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
|
||
|
unsigned int context,
|
||
|
X509 *x, size_t chainidx)
|
||
|
{
|
||
|
- if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
|
||
|
+ if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0) {
|
||
|
+ if (FIPS_mode() && !(SSL_get_options(SSL_CONNECTION_GET_SSL(s)) & SSL_OP_RH_PERMIT_NOEMS_FIPS) ) {
|
||
|
+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_UNSUPPORTED);
|
||
|
+ return EXT_RETURN_FAIL;
|
||
|
+ }
|
||
|
return EXT_RETURN_NOT_SENT;
|
||
|
+ }
|
||
|
|
||
|
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
|
||
|
|| !WPACKET_put_bytes_u16(pkt, 0)) {
|
||
|
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
|
||
|
index 91238e6457..e8ad8ecd9e 100644
|
||
|
--- a/ssl/t1_enc.c
|
||
|
+++ b/ssl/t1_enc.c
|
||
|
@@ -20,6 +20,7 @@
|
||
|
#include <openssl/obj_mac.h>
|
||
|
#include <openssl/core_names.h>
|
||
|
#include <openssl/trace.h>
|
||
|
+#include <openssl/fips.h>
|
||
|
|
||
|
/* seed1 through seed5 are concatenated */
|
||
|
static int tls1_PRF(SSL_CONNECTION *s,
|
||
|
@@ -75,8 +76,14 @@ static int tls1_PRF(SSL *s,
|
||
|
}
|
||
|
|
||
|
err:
|
||
|
- if (fatal)
|
||
|
- SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
||
|
+ if (fatal) {
|
||
|
+ /* The calls to this function are local so it's safe to implement the check */
|
||
|
+ if (FIPS_mode() && seed1_len >= TLS_MD_MASTER_SECRET_CONST_SIZE
|
||
|
+ && memcmp(seed1, TLS_MD_MASTER_SECRET_CONST, TLS_MD_MASTER_SECRET_CONST_SIZE) == 0)
|
||
|
+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_UNSUPPORTED);
|
||
|
+ else
|
||
|
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
||
|
+ }
|
||
|
else
|
||
|
ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
|
||
|
EVP_KDF_CTX_free(kctx);
|
||
|
diff --git a/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt b/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
|
||
|
index 44040ff66b..deb6bf3fcb 100644
|
||
|
--- a/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
|
||
|
+++ b/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
|
||
|
@@ -22,6 +22,16 @@ Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587c
|
||
|
Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce
|
||
|
Output = 202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf
|
||
|
|
||
|
+Availablein = fips
|
||
|
+KDF = TLS1-PRF
|
||
|
+Ctrl.digest = digest:SHA256
|
||
|
+Ctrl.Secret = hexsecret:f8938ecc9edebc5030c0c6a441e213cd24e6f770a50dda07876f8d55da062bcadb386b411fd4fe4313a604fce6c17fbc
|
||
|
+Ctrl.label = seed:master secret
|
||
|
+Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587cb8fd0364cae8c
|
||
|
+Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce
|
||
|
+Output = 202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf
|
||
|
+Result = KDF_DERIVE_ERROR
|
||
|
+
|
||
|
FIPSversion = <=3.1.0
|
||
|
KDF = TLS1-PRF
|
||
|
Ctrl.digest = digest:SHA256
|
||
|
diff --git a/test/sslapitest.c b/test/sslapitest.c
|
||
|
index 169e3c7466..e67b5bb44c 100644
|
||
|
--- a/test/sslapitest.c
|
||
|
+++ b/test/sslapitest.c
|
||
|
@@ -574,7 +574,7 @@ static int test_client_cert_verify_cb(void)
|
||
|
STACK_OF(X509) *server_chain;
|
||
|
SSL_CTX *cctx = NULL, *sctx = NULL;
|
||
|
SSL *clientssl = NULL, *serverssl = NULL;
|
||
|
- int testresult = 0;
|
||
|
+ int testresult = 0, status;
|
||
|
|
||
|
if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
|
||
|
TLS_client_method(), TLS1_VERSION, 0,
|
||
|
--
|
||
|
2.41.0
|
||
|
|