Blame SOURCES/openssl-1.1.1-fips-curves.patch

b63792
diff -up openssl-1.1.1c/crypto/ec/ec_curve.c.fips-curves openssl-1.1.1c/crypto/ec/ec_curve.c
b63792
--- openssl-1.1.1c/crypto/ec/ec_curve.c.fips-curves	2019-11-25 13:18:40.719532357 +0100
b63792
+++ openssl-1.1.1c/crypto/ec/ec_curve.c	2019-11-25 13:18:40.765531559 +0100
b63792
@@ -13,6 +13,7 @@
b63792
 #include <openssl/err.h>
b63792
 #include <openssl/obj_mac.h>
b63792
 #include <openssl/opensslconf.h>
b63792
+#include <openssl/crypto.h>
b63792
 #include "internal/nelem.h"
b63792
 
b63792
 typedef struct {
b63792
@@ -237,6 +238,7 @@ static const struct {
b63792
 
b63792
 typedef struct _ec_list_element_st {
b63792
     int nid;
b63792
+    int fips_allowed;
b63792
     const EC_CURVE_DATA *data;
b63792
     const EC_METHOD *(*meth) (void);
b63792
     const char *comment;
b63792
@@ -246,23 +248,23 @@ static const ec_list_element curve_list[
b63792
     /* prime field curves */
b63792
     /* secg curves */
b63792
 #ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
b63792
-    {NID_secp224r1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method,
b63792
+    {NID_secp224r1, 1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method,
b63792
      "NIST/SECG curve over a 224 bit prime field"},
b63792
 #else
b63792
-    {NID_secp224r1, &_EC_NIST_PRIME_224.h, 0,
b63792
+    {NID_secp224r1, 1, &_EC_NIST_PRIME_224.h, 0,
b63792
      "NIST/SECG curve over a 224 bit prime field"},
b63792
 #endif
b63792
-    {NID_secp256k1, &_EC_SECG_PRIME_256K1.h, 0,
b63792
+    {NID_secp256k1, 0, &_EC_SECG_PRIME_256K1.h, 0,
b63792
      "SECG curve over a 256 bit prime field"},
b63792
     /* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
b63792
-    {NID_secp384r1, &_EC_NIST_PRIME_384.h,
b63792
+    {NID_secp384r1, 1, &_EC_NIST_PRIME_384.h,
b63792
 # if defined(S390X_EC_ASM)
b63792
      EC_GFp_s390x_nistp384_method,
b63792
 # else
b63792
      0,
b63792
 # endif
b63792
      "NIST/SECG curve over a 384 bit prime field"},
b63792
-    {NID_secp521r1, &_EC_NIST_PRIME_521.h,
b63792
+    {NID_secp521r1, 1, &_EC_NIST_PRIME_521.h,
b63792
 # if defined(S390X_EC_ASM)
b63792
      EC_GFp_s390x_nistp521_method,
b63792
 # elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
b63792
@@ -272,7 +274,7 @@ static const ec_list_element curve_list[
b63792
 # endif
b63792
      "NIST/SECG curve over a 521 bit prime field"},
b63792
     /* X9.62 curves */
b63792
-    {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h,
b63792
+    {NID_X9_62_prime256v1, 1, &_EC_X9_62_PRIME_256V1.h,
b63792
 #if defined(ECP_NISTZ256_ASM)
b63792
      EC_GFp_nistz256_method,
b63792
 # elif defined(S390X_EC_ASM)
b63792
@@ -404,6 +406,10 @@ EC_GROUP *EC_GROUP_new_by_curve_name(int
b63792
 
b63792
     for (i = 0; i < curve_list_length; i++)
b63792
         if (curve_list[i].nid == nid) {
b63792
+            if (!curve_list[i].fips_allowed && FIPS_mode()) {
b63792
+                ECerr(EC_F_EC_GROUP_NEW_BY_CURVE_NAME, EC_R_NOT_A_NIST_PRIME);
b63792
+                return NULL;
b63792
+            }
b63792
             ret = ec_group_new_from_data(curve_list[i]);
b63792
             break;
b63792
         }
b63792
@@ -418,19 +424,31 @@ EC_GROUP *EC_GROUP_new_by_curve_name(int
b63792
 
b63792
 size_t EC_get_builtin_curves(EC_builtin_curve *r, size_t nitems)
b63792
 {
b63792
-    size_t i, min;
b63792
+    size_t i, j, num;
b63792
+    int fips_mode = FIPS_mode();
b63792
 
b63792
-    if (r == NULL || nitems == 0)
b63792
-        return curve_list_length;
b63792
+    num = curve_list_length;
b63792
+    if (fips_mode)
b63792
+        for (i = 0; i < curve_list_length; i++) {
b63792
+            if (!curve_list[i].fips_allowed)
b63792
+                --num;
b63792
+        }
b63792
 
b63792
-    min = nitems < curve_list_length ? nitems : curve_list_length;
b63792
+    if (r == NULL || nitems == 0) {
b63792
+        return num;
b63792
+    }
b63792
 
b63792
-    for (i = 0; i < min; i++) {
b63792
-        r[i].nid = curve_list[i].nid;
b63792
-        r[i].comment = curve_list[i].comment;
b63792
+    for (i = 0, j = 0; i < curve_list_length; i++) {
b63792
+        if (j >= nitems)
b63792
+            break;
b63792
+        if (!fips_mode || curve_list[i].fips_allowed) {
b63792
+            r[j].nid = curve_list[i].nid;
b63792
+            r[j].comment = curve_list[i].comment;
b63792
+            ++j;
b63792
+        }
b63792
     }
b63792
 
b63792
-    return curve_list_length;
b63792
+    return num;
b63792
 }
b63792
 
b63792
 /* Functions to translate between common NIST curve names and NIDs */
b63792
diff -up openssl-1.1.1c/ssl/t1_lib.c.fips-curves openssl-1.1.1c/ssl/t1_lib.c
b63792
--- openssl-1.1.1c/ssl/t1_lib.c.fips-curves	2019-11-25 13:18:40.658533416 +0100
b63792
+++ openssl-1.1.1c/ssl/t1_lib.c	2019-11-26 17:57:15.014742428 +0100
b63792
@@ -20,6 +20,7 @@
b63792
 #include "internal/nelem.h"
b63792
 #include "ssl_locl.h"
b63792
 #include <openssl/ct.h>
b63792
+#include <openssl/crypto.h>
b63792
 
b63792
 SSL3_ENC_METHOD const TLSv1_enc_data = {
b63792
     tls1_enc,
b63792
@@ -676,6 +677,36 @@ static const uint16_t tls12_sigalgs[] =
b63792
 #endif
b63792
 };
b63792
 
b63792
+static const uint16_t tls12_fips_sigalgs[] = {
b63792
+#ifndef OPENSSL_NO_EC
b63792
+    TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
b63792
+    TLSEXT_SIGALG_ecdsa_secp384r1_sha384,
b63792
+    TLSEXT_SIGALG_ecdsa_secp521r1_sha512,
b63792
+#endif
b63792
+
b63792
+    TLSEXT_SIGALG_rsa_pss_pss_sha256,
b63792
+    TLSEXT_SIGALG_rsa_pss_pss_sha384,
b63792
+    TLSEXT_SIGALG_rsa_pss_pss_sha512,
b63792
+    TLSEXT_SIGALG_rsa_pss_rsae_sha256,
b63792
+    TLSEXT_SIGALG_rsa_pss_rsae_sha384,
b63792
+    TLSEXT_SIGALG_rsa_pss_rsae_sha512,
b63792
+
b63792
+    TLSEXT_SIGALG_rsa_pkcs1_sha256,
b63792
+    TLSEXT_SIGALG_rsa_pkcs1_sha384,
b63792
+    TLSEXT_SIGALG_rsa_pkcs1_sha512,
b63792
+
b63792
+#ifndef OPENSSL_NO_EC
b63792
+    TLSEXT_SIGALG_ecdsa_sha224,
b63792
+#endif
b63792
+    TLSEXT_SIGALG_rsa_pkcs1_sha224,
b63792
+#ifndef OPENSSL_NO_DSA
b63792
+    TLSEXT_SIGALG_dsa_sha224,
b63792
+    TLSEXT_SIGALG_dsa_sha256,
b63792
+    TLSEXT_SIGALG_dsa_sha384,
b63792
+    TLSEXT_SIGALG_dsa_sha512,
b63792
+#endif
b63792
+};
b63792
+
b63792
 #ifndef OPENSSL_NO_EC
b63792
 static const uint16_t suiteb_sigalgs[] = {
b63792
     TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
b63792
@@ -890,8 +921,11 @@ static const SIGALG_LOOKUP *tls1_get_leg
b63792
     if (idx < 0 || idx >= (int)OSSL_NELEM(tls_default_sigalg))
b63792
         return NULL;
b63792
     if (SSL_USE_SIGALGS(s) || idx != SSL_PKEY_RSA) {
b63792
-        const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(tls_default_sigalg[idx]);
b63792
+        const SIGALG_LOOKUP *lu;
b63792
 
b63792
+        if (FIPS_mode()) /* We do not allow SHA1 signatures in FIPS mode */
b63792
+            return NULL;
b63792
+        lu = tls1_lookup_sigalg(tls_default_sigalg[idx]);
b63792
         if (!tls1_lookup_md(lu, NULL))
b63792
             return NULL;
b63792
         return lu;
b63792
@@ -945,6 +979,9 @@ size_t tls12_get_psigalgs(SSL *s, int se
b63792
     } else if (s->cert->conf_sigalgs) {
b63792
         *psigs = s->cert->conf_sigalgs;
b63792
         return s->cert->conf_sigalgslen;
b63792
+    } else if (FIPS_mode()) {
b63792
+        *psigs = tls12_fips_sigalgs;
b63792
+        return OSSL_NELEM(tls12_fips_sigalgs);
b63792
     } else {
b63792
         *psigs = tls12_sigalgs;
b63792
         return OSSL_NELEM(tls12_sigalgs);
b63792
@@ -964,6 +1001,9 @@ int tls_check_sigalg_curve(const SSL *s,
b63792
     if (s->cert->conf_sigalgs) {
b63792
         sigs = s->cert->conf_sigalgs;
b63792
         siglen = s->cert->conf_sigalgslen;
b63792
+    } else if (FIPS_mode()) {
b63792
+        sigs = tls12_fips_sigalgs;
b63792
+        siglen = OSSL_NELEM(tls12_fips_sigalgs);
b63792
     } else {
b63792
         sigs = tls12_sigalgs;
b63792
         siglen = OSSL_NELEM(tls12_sigalgs);
b63792
@@ -1582,6 +1622,8 @@ static int tls12_sigalg_allowed(SSL *s,
b63792
     if (lu->sig == NID_id_GostR3410_2012_256
b63792
             || lu->sig == NID_id_GostR3410_2012_512
b63792
             || lu->sig == NID_id_GostR3410_2001) {
b63792
+        if (FIPS_mode())
b63792
+            return 0;
b63792
         /* We never allow GOST sig algs on the server with TLSv1.3 */
b63792
         if (s->server && SSL_IS_TLS13(s))
b63792
             return 0;
b63792
@@ -2720,6 +2762,13 @@ int tls_choose_sigalg(SSL *s, int fatale
b63792
                 const uint16_t *sent_sigs;
b63792
                 size_t sent_sigslen;
b63792
 
b63792
+                if (fatalerrs && FIPS_mode()) {
b63792
+                    /* There are no suitable legacy algorithms in FIPS mode */
b63792
+                    SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
b63792
+                             SSL_F_TLS_CHOOSE_SIGALG,
b63792
+                             SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
b63792
+                    return 0;
b63792
+                }
b63792
                 if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
b63792
                     if (!fatalerrs)
b63792
                         return 1;