From 9b02ad7225b74a5b9088b361caead0a41e570e93 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Mon, 21 Aug 2023 16:40:56 +0200
Subject: [PATCH 48/48] 0114-FIPS-enforce-EMS-support.patch

Patch-name: 0114-FIPS-enforce-EMS-support.patch
Patch-id: 114
Patch-status: |
    # We believe that some changes present in CentOS are not necessary
    # because ustream has a check for FIPS version
---
 doc/man3/SSL_CONF_cmd.pod                     |  3 +++
 doc/man5/fips_config.pod                      | 13 +++++++++++
 include/openssl/fips_names.h                  |  8 +++++++
 include/openssl/ssl.h.in                      |  1 +
 providers/fips/fipsprov.c                     |  2 +-
 providers/implementations/kdfs/tls1_prf.c     | 22 +++++++++++++++++++
 ssl/ssl_conf.c                                |  1 +
 ssl/statem/extensions_srvr.c                  |  8 ++++++-
 ssl/t1_enc.c                                  | 11 ++++++++--
 .../30-test_evp_data/evpkdf_tls12_prf.txt     | 10 +++++++++
 test/sslapitest.c                             |  2 +-
 11 files changed, 76 insertions(+), 5 deletions(-)

diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod
index ae6ca43282..b83c04a308 100644
--- a/doc/man3/SSL_CONF_cmd.pod
+++ b/doc/man3/SSL_CONF_cmd.pod
@@ -524,6 +524,9 @@ B<ExtendedMasterSecret>: use extended master secret extension, enabled by
 default. Inverse of B<SSL_OP_NO_EXTENDED_MASTER_SECRET>: that is,
 B<-ExtendedMasterSecret> is the same as setting B<SSL_OP_NO_EXTENDED_MASTER_SECRET>.
 
+B<RHNoEnforceEMSinFIPS>: allow establishing connections without EMS in FIPS mode.
+This is a RedHat-based OS specific option, and normally it should be set up via crypto policies.
+
 B<CANames>: use CA names extension, enabled by
 default. Inverse of B<SSL_OP_DISABLE_TLSEXT_CA_NAMES>: that is,
 B<-CANames> is the same as setting B<SSL_OP_DISABLE_TLSEXT_CA_NAMES>.
diff --git a/doc/man5/fips_config.pod b/doc/man5/fips_config.pod
index 1c15e32a5c..f2cedaf88d 100644
--- a/doc/man5/fips_config.pod
+++ b/doc/man5/fips_config.pod
@@ -15,6 +15,19 @@ for more information.
 
 This functionality was added in OpenSSL 3.0.
 
+Red Hat Enterprise Linux uses a supplementary config for FIPS module located in
+OpenSSL configuration directory and managed by crypto policies. If present, it
+should have format
+
+ [fips_sect]
+ tls1-prf-ems-check = 0
+ activate = 1
+
+The B<tls1-prf-ems-check> option specifies whether FIPS module will require the
+presence of extended master secret or not.
+
+The B<activate> option enforces FIPS provider activation.
+
 =head1 COPYRIGHT
 
 Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
diff --git a/include/openssl/fips_names.h b/include/openssl/fips_names.h
index 5c77f6d691..8cdd5a6bf7 100644
--- a/include/openssl/fips_names.h
+++ b/include/openssl/fips_names.h
@@ -70,6 +70,14 @@ extern "C" {
  */
 # define OSSL_PROV_FIPS_PARAM_DRBG_TRUNC_DIGEST  "drbg-no-trunc-md"
 
+/*
+ * A boolean that determines if the runtime FIPS check for TLS1_PRF EMS is performed.
+ * This is disabled by default.
+ *
+ * Type: OSSL_PARAM_UTF8_STRING
+ */
+# define OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK "tls1-prf-ems-check"
+
 # ifdef __cplusplus
 }
 # endif
diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
index 0b6de603e2..26a69ca282 100644
--- a/include/openssl/ssl.h.in
+++ b/include/openssl/ssl.h.in
@@ -415,6 +415,7 @@ typedef int (*SSL_async_callback_fn)(SSL *s, void *arg);
      * interoperability with CryptoPro CSP 3.x
      */
 # define SSL_OP_CRYPTOPRO_TLSEXT_BUG                     SSL_OP_BIT(31)
+# define SSL_OP_RH_PERMIT_NOEMS_FIPS                     SSL_OP_BIT(48)
 /*
  * Disable RFC8879 certificate compression
  * SSL_OP_NO_TX_CERTIFICATE_COMPRESSION: don't send compressed certificates,
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
index 5ff9872bd8..eb9653a9df 100644
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
@@ -105,7 +105,7 @@ void *ossl_fips_prov_ossl_ctx_new(OSSL_LIB_CTX *libctx)
     if (fgbl == NULL)
         return NULL;
     init_fips_option(&fgbl->fips_security_checks, 1);
-    init_fips_option(&fgbl->fips_tls1_prf_ems_check, 0); /* Disabled by default */
+    init_fips_option(&fgbl->fips_tls1_prf_ems_check, 1); /* Enabled by default */
     init_fips_option(&fgbl->fips_restricted_drgb_digests, 0);
     return fgbl;
 }
diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c
index 25a6c79a2e..79bc7a9719 100644
--- a/providers/implementations/kdfs/tls1_prf.c
+++ b/providers/implementations/kdfs/tls1_prf.c
@@ -131,6 +131,7 @@ static void *kdf_tls1_prf_new(void *provctx)
 static void kdf_tls1_prf_free(void *vctx)
 {
     TLS1_PRF *ctx = (TLS1_PRF *)vctx;
+    OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx);
 
     if (ctx != NULL) {
         kdf_tls1_prf_reset(ctx);
@@ -222,6 +223,27 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen,
         }
     }
 
+    /*
+     * The seed buffer is prepended with a label.
+     * If EMS mode is enforced then the label "master secret" is not allowed,
+     * We do the check this way since the PRF is used for other purposes, as well
+     * as "extended master secret".
+     */
+#ifdef FIPS_MODULE
+    if (ctx->seedlen >= TLS_MD_MASTER_SECRET_CONST_SIZE
+            && memcmp(ctx->seed, TLS_MD_MASTER_SECRET_CONST,
+                      TLS_MD_MASTER_SECRET_CONST_SIZE) == 0)
+    ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
+#endif /* defined(FIPS_MODULE) */
+    if (ossl_tls1_prf_ems_check_enabled(libctx)) {
+        if (ctx->seedlen >= TLS_MD_MASTER_SECRET_CONST_SIZE
+                && memcmp(ctx->seed, TLS_MD_MASTER_SECRET_CONST,
+                          TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_EMS_NOT_ENABLED);
+            return 0;
+        }
+    }
+
     return tls1_prf_alg(ctx->P_hash, ctx->P_sha1,
                         ctx->sec, ctx->seclen,
                         ctx->seed, ctx->seedlen,
diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c
index 5146cedb96..086db98c33 100644
--- a/ssl/ssl_conf.c
+++ b/ssl/ssl_conf.c
@@ -389,6 +389,7 @@ static int cmd_Options(SSL_CONF_CTX *cctx, const char *value)
         SSL_FLAG_TBL("ClientRenegotiation",
                      SSL_OP_ALLOW_CLIENT_RENEGOTIATION),
         SSL_FLAG_TBL_INV("EncryptThenMac", SSL_OP_NO_ENCRYPT_THEN_MAC),
+        SSL_FLAG_TBL("RHNoEnforceEMSinFIPS", SSL_OP_RH_PERMIT_NOEMS_FIPS),
         SSL_FLAG_TBL("NoRenegotiation", SSL_OP_NO_RENEGOTIATION),
         SSL_FLAG_TBL("AllowNoDHEKEX", SSL_OP_ALLOW_NO_DHE_KEX),
         SSL_FLAG_TBL("PrioritizeChaCha", SSL_OP_PRIORITIZE_CHACHA),
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
index 00b1ee531e..22cdabb308 100644
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
@@ -11,6 +11,7 @@
 #include "../ssl_local.h"
 #include "statem_local.h"
 #include "internal/cryptlib.h"
+#include <openssl/fips.h>
 
 #define COOKIE_STATE_FORMAT_VERSION     1
 
@@ -1552,8 +1553,13 @@ EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
                                   unsigned int context,
                                   X509 *x, size_t chainidx)
 {
-    if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
+    if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0) {
+        if (FIPS_mode() && !(SSL_get_options(SSL_CONNECTION_GET_SSL(s)) & SSL_OP_RH_PERMIT_NOEMS_FIPS) ) {
+            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_UNSUPPORTED);
+            return EXT_RETURN_FAIL;
+        }
         return EXT_RETURN_NOT_SENT;
+    }
 
     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
             || !WPACKET_put_bytes_u16(pkt, 0)) {
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index 91238e6457..e8ad8ecd9e 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -20,6 +20,7 @@
 #include <openssl/obj_mac.h>
 #include <openssl/core_names.h>
 #include <openssl/trace.h>
+#include <openssl/fips.h>
 
 /* seed1 through seed5 are concatenated */
 static int tls1_PRF(SSL_CONNECTION *s,
@@ -75,8 +76,14 @@ static int tls1_PRF(SSL *s,
     }
 
  err:
-    if (fatal)
-        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+    if (fatal) {
+        /* The calls to this function are local so it's safe to implement the check */
+        if (FIPS_mode() && seed1_len >= TLS_MD_MASTER_SECRET_CONST_SIZE
+            && memcmp(seed1, TLS_MD_MASTER_SECRET_CONST, TLS_MD_MASTER_SECRET_CONST_SIZE) == 0)
+            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_UNSUPPORTED);
+	else
+            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+    }
     else
         ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
     EVP_KDF_CTX_free(kctx);
diff --git a/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt b/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
index 44040ff66b..deb6bf3fcb 100644
--- a/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
+++ b/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
@@ -22,6 +22,16 @@ Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587c
 Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce
 Output = 202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf
 
+Availablein = fips
+KDF = TLS1-PRF
+Ctrl.digest = digest:SHA256
+Ctrl.Secret = hexsecret:f8938ecc9edebc5030c0c6a441e213cd24e6f770a50dda07876f8d55da062bcadb386b411fd4fe4313a604fce6c17fbc
+Ctrl.label = seed:master secret
+Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587cb8fd0364cae8c
+Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce
+Output = 202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf
+Result = KDF_DERIVE_ERROR
+
 FIPSversion = <=3.1.0
 KDF = TLS1-PRF
 Ctrl.digest = digest:SHA256
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 169e3c7466..e67b5bb44c 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -574,7 +574,7 @@ static int test_client_cert_verify_cb(void)
     STACK_OF(X509) *server_chain;
     SSL_CTX *cctx = NULL, *sctx = NULL;
     SSL *clientssl = NULL, *serverssl = NULL;
-    int testresult = 0;
+    int testresult = 0, status;
 
     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                        TLS_client_method(), TLS1_VERSION, 0,
-- 
2.41.0