Enforce using EMS in FIPS mode - better alerts

Related: rhbz#2157951
2023-05-09 12:44:49 +02:00 · 2023-05-09 12:44:49 +02:00 · 032dc0839c
commit 032dc0839c
parent 05bbcc9920
2 changed files with 59 additions and 1 deletions
--- a/0114-FIPS-enforce-EMS-support.patch
+++ b/0114-FIPS-enforce-EMS-support.patch
@ -417,3 +417,57 @@ diff -up openssl-3.0.7/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt.xxx op
 KDF = TLS1-PRF
 Ctrl.digest = digest:SHA256
 Ctrl.Secret = hexsecret:202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf
 diff -up openssl-3.0.7/ssl/t1_enc.c.noems openssl-3.0.7/ssl/t1_enc.c
 --- openssl-3.0.7/ssl/t1_enc.c.noems	2023-05-05 11:15:57.934415272 +0200
 +++ openssl-3.0.7/ssl/t1_enc.c	2023-05-05 11:39:03.578163778 +0200
@@ -20,6 +20,7 @@
 #include <openssl/obj_mac.h>
 #include <openssl/core_names.h>
 #include <openssl/trace.h>
 +#include <openssl/fips.h>
 /* seed1 through seed5 are concatenated */
 static int tls1_PRF(SSL *s,
@@ -75,8 +76,14 @@ static int tls1_PRF(SSL *s,
     }
  err:
 -    if (fatal)
 -        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
 +    if (fatal) {
 +        /* The calls to this function are local so it's safe to implement the check */
 +        if (FIPS_mode() && seed1_len >= TLS_MD_MASTER_SECRET_CONST_SIZE
 +            && memcmp(seed1, TLS_MD_MASTER_SECRET_CONST, TLS_MD_MASTER_SECRET_CONST_SIZE) == 0)
 +            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_UNSUPPORTED);
 +	else
 +            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
 +    }
     else
         ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
     EVP_KDF_CTX_free(kctx);
 diff -up openssl-3.0.7/ssl/statem/extensions_srvr.c.noems openssl-3.0.7/ssl/statem/extensions_srvr.c
 --- openssl-3.0.7/ssl/statem/extensions_srvr.c.noems	2023-05-05 17:14:04.663800271 +0200
 +++ openssl-3.0.7/ssl/statem/extensions_srvr.c	2023-05-05 17:20:33.764599507 +0200
@@ -11,6 +11,7 @@
 #include "../ssl_local.h"
 #include "statem_local.h"
 #include "internal/cryptlib.h"
 +#include <openssl/fips.h>
 #define COOKIE_STATE_FORMAT_VERSION     1
@@ -1552,8 +1553,13 @@ EXT_RETURN tls_construct_stoc_etm(SSL *s
 EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context,
                                   X509 *x, size_t chainidx)
 {
 -    if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
 +    if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0) {
 +        if (FIPS_mode()) {
 +            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_UNSUPPORTED);
 +            return EXT_RETURN_FAIL;
 +        }
         return EXT_RETURN_NOT_SENT;
 +    }
     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
             || !WPACKET_put_bytes_u16(pkt, 0)) {
--- a/openssl.spec
+++ b/openssl.spec
@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 3.0.7
-Release: 16%{?dist}
+Release: 17%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@ -515,6 +515,10 @@ install -m644 %{SOURCE9} \
 %ldconfig_scriptlets libs
 %changelog
 * Tue May 09 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-17
 - Enforce using EMS in FIPS mode - better alerts
  Related: rhbz#2157951
 * Tue May 02 2023 Sahana Prasad <sahana@redhat.com> - 1:3.0.7-16
 - Upload new upstream sources without manually hobbling them.
 - Remove the hobbling script as it is redundant. It is now allowed to ship