From 9b02ad7225b74a5b9088b361caead0a41e570e93 Mon Sep 17 00:00:00 2001

From: Dmitry Belyavskiy <dbelyavs@redhat.com>

Date: Mon, 21 Aug 2023 16:40:56 +0200

Subject: [PATCH 48/48] 0114-FIPS-enforce-EMS-support.patch

Patch-name: 0114-FIPS-enforce-EMS-support.patch

Patch-id: 114

Patch-status: |

    # We believe that some changes present in CentOS are not necessary

    # because ustream has a check for FIPS version

---

 doc/man3/SSL_CONF_cmd.pod                     |  3 +++

 doc/man5/fips_config.pod                      | 13 +++++++++++

 include/openssl/fips_names.h                  |  8 +++++++

 include/openssl/ssl.h.in                      |  1 +

 providers/fips/fipsprov.c                     |  2 +-

 providers/implementations/kdfs/tls1_prf.c     | 22 +++++++++++++++++++

 ssl/ssl_conf.c                                |  1 +

 ssl/statem/extensions_srvr.c                  |  8 ++++++-

 ssl/t1_enc.c                                  | 11 ++++++++--

 .../30-test_evp_data/evpkdf_tls12_prf.txt     | 10 +++++++++

 test/sslapitest.c                             |  2 +-

 11 files changed, 76 insertions(+), 5 deletions(-)

diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod

index ae6ca43282..b83c04a308 100644

--- a/doc/man3/SSL_CONF_cmd.pod

+++ b/doc/man3/SSL_CONF_cmd.pod

@@ -524,6 +524,9 @@ B<ExtendedMasterSecret>: use extended master secret extension, enabled by

 default. Inverse of B<SSL_OP_NO_EXTENDED_MASTER_SECRET>: that is,

 B<-ExtendedMasterSecret> is the same as setting B<SSL_OP_NO_EXTENDED_MASTER_SECRET>.

+B<RHNoEnforceEMSinFIPS>: allow establishing connections without EMS in FIPS mode.

+This is a RedHat-based OS specific option, and normally it should be set up via crypto policies.

+

 B<CANames>: use CA names extension, enabled by

 default. Inverse of B<SSL_OP_DISABLE_TLSEXT_CA_NAMES>: that is,

 B<-CANames> is the same as setting B<SSL_OP_DISABLE_TLSEXT_CA_NAMES>.

diff --git a/doc/man5/fips_config.pod b/doc/man5/fips_config.pod

index 1c15e32a5c..f2cedaf88d 100644

--- a/doc/man5/fips_config.pod

+++ b/doc/man5/fips_config.pod

@@ -15,6 +15,19 @@ for more information.

 This functionality was added in OpenSSL 3.0.

+Red Hat Enterprise Linux uses a supplementary config for FIPS module located in

+OpenSSL configuration directory and managed by crypto policies. If present, it

+should have format

+

+ [fips_sect]

+ tls1-prf-ems-check = 0

+ activate = 1

+

+The B<tls1-prf-ems-check> option specifies whether FIPS module will require the

+presence of extended master secret or not.

+

+The B<activate> option enforces FIPS provider activation.

+

 =head1 COPYRIGHT

 Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.

diff --git a/include/openssl/fips_names.h b/include/openssl/fips_names.h

index 5c77f6d691..8cdd5a6bf7 100644

--- a/include/openssl/fips_names.h

+++ b/include/openssl/fips_names.h

@@ -70,6 +70,14 @@ extern "C" {

  */

 # define OSSL_PROV_FIPS_PARAM_DRBG_TRUNC_DIGEST  "drbg-no-trunc-md"

+/*

+ * A boolean that determines if the runtime FIPS check for TLS1_PRF EMS is performed.

+ * This is disabled by default.

+ *

+ * Type: OSSL_PARAM_UTF8_STRING

+ */

+# define OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK "tls1-prf-ems-check"

+

 # ifdef __cplusplus

 }

 # endif

diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in

index 0b6de603e2..26a69ca282 100644

--- a/include/openssl/ssl.h.in

+++ b/include/openssl/ssl.h.in

@@ -415,6 +415,7 @@ typedef int (*SSL_async_callback_fn)(SSL *s, void *arg);

      * interoperability with CryptoPro CSP 3.x

      */

 # define SSL_OP_CRYPTOPRO_TLSEXT_BUG                     SSL_OP_BIT(31)

+# define SSL_OP_RH_PERMIT_NOEMS_FIPS                     SSL_OP_BIT(48)

 /*

  * Disable RFC8879 certificate compression

  * SSL_OP_NO_TX_CERTIFICATE_COMPRESSION: don't send compressed certificates,

diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c

index 5ff9872bd8..eb9653a9df 100644

--- a/providers/fips/fipsprov.c

+++ b/providers/fips/fipsprov.c

@@ -105,7 +105,7 @@ void *ossl_fips_prov_ossl_ctx_new(OSSL_LIB_CTX *libctx)

     if (fgbl == NULL)

         return NULL;

     init_fips_option(&fgbl->fips_security_checks, 1);

-    init_fips_option(&fgbl->fips_tls1_prf_ems_check, 0); /* Disabled by default */

+    init_fips_option(&fgbl->fips_tls1_prf_ems_check, 1); /* Enabled by default */

     init_fips_option(&fgbl->fips_restricted_drgb_digests, 0);

     return fgbl;

 }

diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c

index 25a6c79a2e..79bc7a9719 100644

--- a/providers/implementations/kdfs/tls1_prf.c

+++ b/providers/implementations/kdfs/tls1_prf.c

@@ -131,6 +131,7 @@ static void *kdf_tls1_prf_new(void *provctx)

 static void kdf_tls1_prf_free(void *vctx)

 {

     TLS1_PRF *ctx = (TLS1_PRF *)vctx;

+    OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx);

     if (ctx != NULL) {

         kdf_tls1_prf_reset(ctx);

@@ -222,6 +223,27 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen,

         }

     }

+    /*

+     * The seed buffer is prepended with a label.

+     * If EMS mode is enforced then the label "master secret" is not allowed,

+     * We do the check this way since the PRF is used for other purposes, as well

+     * as "extended master secret".

+     */

+#ifdef FIPS_MODULE

+    if (ctx->seedlen >= TLS_MD_MASTER_SECRET_CONST_SIZE

+            && memcmp(ctx->seed, TLS_MD_MASTER_SECRET_CONST,

+                      TLS_MD_MASTER_SECRET_CONST_SIZE) == 0)

+    ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;

+#endif /* defined(FIPS_MODULE) */

+    if (ossl_tls1_prf_ems_check_enabled(libctx)) {

+        if (ctx->seedlen >= TLS_MD_MASTER_SECRET_CONST_SIZE

+                && memcmp(ctx->seed, TLS_MD_MASTER_SECRET_CONST,

+                          TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) {

+            ERR_raise(ERR_LIB_PROV, PROV_R_EMS_NOT_ENABLED);

+            return 0;

+        }

+    }

+

     return tls1_prf_alg(ctx->P_hash, ctx->P_sha1,

                         ctx->sec, ctx->seclen,

                         ctx->seed, ctx->seedlen,

diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c

index 5146cedb96..086db98c33 100644

--- a/ssl/ssl_conf.c

+++ b/ssl/ssl_conf.c

@@ -389,6 +389,7 @@ static int cmd_Options(SSL_CONF_CTX *cctx, const char *value)

         SSL_FLAG_TBL("ClientRenegotiation",

                      SSL_OP_ALLOW_CLIENT_RENEGOTIATION),

         SSL_FLAG_TBL_INV("EncryptThenMac", SSL_OP_NO_ENCRYPT_THEN_MAC),

+        SSL_FLAG_TBL("RHNoEnforceEMSinFIPS", SSL_OP_RH_PERMIT_NOEMS_FIPS),

         SSL_FLAG_TBL("NoRenegotiation", SSL_OP_NO_RENEGOTIATION),

         SSL_FLAG_TBL("AllowNoDHEKEX", SSL_OP_ALLOW_NO_DHE_KEX),

         SSL_FLAG_TBL("PrioritizeChaCha", SSL_OP_PRIORITIZE_CHACHA),

diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c

index 00b1ee531e..22cdabb308 100644

--- a/ssl/statem/extensions_srvr.c

+++ b/ssl/statem/extensions_srvr.c

@@ -11,6 +11,7 @@

 #include "../ssl_local.h"

 #include "statem_local.h"

 #include "internal/cryptlib.h"

+#include <openssl/fips.h>

 #define COOKIE_STATE_FORMAT_VERSION     1

@@ -1552,8 +1553,13 @@ EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,

                                   unsigned int context,

                                   X509 *x, size_t chainidx)

 {

-    if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)

+    if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0) {

+        if (FIPS_mode() && !(SSL_get_options(SSL_CONNECTION_GET_SSL(s)) & SSL_OP_RH_PERMIT_NOEMS_FIPS) ) {

+            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_UNSUPPORTED);

+            return EXT_RETURN_FAIL;

+        }

         return EXT_RETURN_NOT_SENT;

+    }

     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)

             || !WPACKET_put_bytes_u16(pkt, 0)) {

diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c

index 91238e6457..e8ad8ecd9e 100644

--- a/ssl/t1_enc.c

+++ b/ssl/t1_enc.c

@@ -20,6 +20,7 @@

 #include <openssl/obj_mac.h>

 #include <openssl/core_names.h>

 #include <openssl/trace.h>

+#include <openssl/fips.h>

 /* seed1 through seed5 are concatenated */

 static int tls1_PRF(SSL_CONNECTION *s,

@@ -75,8 +76,14 @@ static int tls1_PRF(SSL *s,

     }

  err:

-    if (fatal)

-        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);

+    if (fatal) {

+        /* The calls to this function are local so it's safe to implement the check */

+        if (FIPS_mode() && seed1_len >= TLS_MD_MASTER_SECRET_CONST_SIZE

+            && memcmp(seed1, TLS_MD_MASTER_SECRET_CONST, TLS_MD_MASTER_SECRET_CONST_SIZE) == 0)

+            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_UNSUPPORTED);

+	else

+            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);

+    }

     else

         ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);

     EVP_KDF_CTX_free(kctx);

diff --git a/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt b/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt

index 44040ff66b..deb6bf3fcb 100644

--- a/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt

+++ b/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt

@@ -22,6 +22,16 @@ Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587c

 Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce

 Output = 202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf

+Availablein = fips

+KDF = TLS1-PRF

+Ctrl.digest = digest:SHA256

+Ctrl.Secret = hexsecret:f8938ecc9edebc5030c0c6a441e213cd24e6f770a50dda07876f8d55da062bcadb386b411fd4fe4313a604fce6c17fbc

+Ctrl.label = seed:master secret

+Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587cb8fd0364cae8c

+Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce

+Output = 202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf

+Result = KDF_DERIVE_ERROR

+

 FIPSversion = <=3.1.0

 KDF = TLS1-PRF

 Ctrl.digest = digest:SHA256

diff --git a/test/sslapitest.c b/test/sslapitest.c

index 169e3c7466..e67b5bb44c 100644

--- a/test/sslapitest.c

+++ b/test/sslapitest.c

@@ -574,7 +574,7 @@ static int test_client_cert_verify_cb(void)

     STACK_OF(X509) *server_chain;

     SSL_CTX *cctx = NULL, *sctx = NULL;

     SSL *clientssl = NULL, *serverssl = NULL;

-    int testresult = 0;

+    int testresult = 0, status;

     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),

                                        TLS_client_method(), TLS1_VERSION, 0,

-- 

2.41.0