Enforce using EMS in FIPS mode - better alerts

Related: rhbz#2157951
2 years ago · 032dc0839c
parent 05bbcc9920
commit 032dc0839c
2 changed files with 59 additions and 1 deletions
--- a/0114-FIPS-enforce-EMS-support.patch
+++ b/0114-FIPS-enforce-EMS-support.patch
@ -417,3 +417,57 @@ diff -up openssl-3.0.7/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt.xxx op
 KDF = TLS1-PRF
 Ctrl.digest = digest:SHA256
 Ctrl.Secret = hexsecret:202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf
+diff -up openssl-3.0.7/ssl/t1_enc.c.noems openssl-3.0.7/ssl/t1_enc.c
+--- openssl-3.0.7/ssl/t1_enc.c.noems	2023-05-05 11:15:57.934415272 +0200
+++ openssl-3.0.7/ssl/t1_enc.c	2023-05-05 11:39:03.578163778 +0200
+@@ -20,6 +20,7 @@
+ #include <openssl/obj_mac.h>
+ #include <openssl/core_names.h>
+ #include <openssl/trace.h>
+#include <openssl/fips.h>
+ 
+ /* seed1 through seed5 are concatenated */
+ static int tls1_PRF(SSL *s,
+@@ -75,8 +76,14 @@ static int tls1_PRF(SSL *s,
+     }
+ 
+  err:
+-    if (fatal)
+-        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+    if (fatal) {
+        /* The calls to this function are local so it's safe to implement the check */
+        if (FIPS_mode() && seed1_len >= TLS_MD_MASTER_SECRET_CONST_SIZE
+            && memcmp(seed1, TLS_MD_MASTER_SECRET_CONST, TLS_MD_MASTER_SECRET_CONST_SIZE) == 0)
+            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_UNSUPPORTED);
+	else
+            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+    }
+     else
+         ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
+     EVP_KDF_CTX_free(kctx);
+diff -up openssl-3.0.7/ssl/statem/extensions_srvr.c.noems openssl-3.0.7/ssl/statem/extensions_srvr.c
+--- openssl-3.0.7/ssl/statem/extensions_srvr.c.noems	2023-05-05 17:14:04.663800271 +0200
+++ openssl-3.0.7/ssl/statem/extensions_srvr.c	2023-05-05 17:20:33.764599507 +0200
+@@ -11,6 +11,7 @@
+ #include "../ssl_local.h"
+ #include "statem_local.h"
+ #include "internal/cryptlib.h"
+#include <openssl/fips.h>
+ 
+ #define COOKIE_STATE_FORMAT_VERSION     1
+ 
+@@ -1552,8 +1553,13 @@ EXT_RETURN tls_construct_stoc_etm(SSL *s
+ EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context,
+                                   X509 *x, size_t chainidx)
+ {
+-    if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
+    if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0) {
+        if (FIPS_mode()) {
+            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_UNSUPPORTED);
+            return EXT_RETURN_FAIL;
+        }
+         return EXT_RETURN_NOT_SENT;
+    }
+ 
+     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
+             || !WPACKET_put_bytes_u16(pkt, 0)) {
--- a/openssl.spec
+++ b/openssl.spec
@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 3.0.7
-Release: 16%{?dist}
+Release: 17%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@ -515,6 +515,10 @@ install -m644 %{SOURCE9} \
 %ldconfig_scriptlets libs

 %changelog
+* Tue May 09 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-17
+- Enforce using EMS in FIPS mode - better alerts
+  Related: rhbz#2157951
+
 * Tue May 02 2023 Sahana Prasad <sahana@redhat.com> - 1:3.0.7-16
 - Upload new upstream sources without manually hobbling them.
 - Remove the hobbling script as it is redundant. It is now allowed to ship