You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
200 lines
7.0 KiB
200 lines
7.0 KiB
diff -up openssl-1.1.1g/crypto/ec/ec_curve.c.fips-curves openssl-1.1.1g/crypto/ec/ec_curve.c |
|
--- openssl-1.1.1g/crypto/ec/ec_curve.c.fips-curves 2020-05-18 12:59:54.839643980 +0200 |
|
+++ openssl-1.1.1g/crypto/ec/ec_curve.c 2020-05-18 12:59:54.852644093 +0200 |
|
@@ -13,6 +13,7 @@ |
|
#include <openssl/err.h> |
|
#include <openssl/obj_mac.h> |
|
#include <openssl/opensslconf.h> |
|
+#include <openssl/crypto.h> |
|
#include "internal/nelem.h" |
|
|
|
typedef struct { |
|
@@ -237,6 +238,7 @@ static const struct { |
|
|
|
typedef struct _ec_list_element_st { |
|
int nid; |
|
+ int fips_allowed; |
|
const EC_CURVE_DATA *data; |
|
const EC_METHOD *(*meth) (void); |
|
const char *comment; |
|
@@ -246,23 +248,23 @@ static const ec_list_element curve_list[ |
|
/* prime field curves */ |
|
/* secg curves */ |
|
#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 |
|
- {NID_secp224r1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method, |
|
+ {NID_secp224r1, 1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method, |
|
"NIST/SECG curve over a 224 bit prime field"}, |
|
#else |
|
- {NID_secp224r1, &_EC_NIST_PRIME_224.h, 0, |
|
+ {NID_secp224r1, 1, &_EC_NIST_PRIME_224.h, 0, |
|
"NIST/SECG curve over a 224 bit prime field"}, |
|
#endif |
|
- {NID_secp256k1, &_EC_SECG_PRIME_256K1.h, 0, |
|
+ {NID_secp256k1, 0, &_EC_SECG_PRIME_256K1.h, 0, |
|
"SECG curve over a 256 bit prime field"}, |
|
/* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */ |
|
- {NID_secp384r1, &_EC_NIST_PRIME_384.h, |
|
+ {NID_secp384r1, 1, &_EC_NIST_PRIME_384.h, |
|
# if defined(S390X_EC_ASM) |
|
EC_GFp_s390x_nistp384_method, |
|
# else |
|
0, |
|
# endif |
|
"NIST/SECG curve over a 384 bit prime field"}, |
|
- {NID_secp521r1, &_EC_NIST_PRIME_521.h, |
|
+ {NID_secp521r1, 1, &_EC_NIST_PRIME_521.h, |
|
# if defined(S390X_EC_ASM) |
|
EC_GFp_s390x_nistp521_method, |
|
# elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128) |
|
@@ -272,7 +274,7 @@ static const ec_list_element curve_list[ |
|
# endif |
|
"NIST/SECG curve over a 521 bit prime field"}, |
|
/* X9.62 curves */ |
|
- {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h, |
|
+ {NID_X9_62_prime256v1, 1, &_EC_X9_62_PRIME_256V1.h, |
|
#if defined(ECP_NISTZ256_ASM) |
|
EC_GFp_nistz256_method, |
|
# elif defined(S390X_EC_ASM) |
|
@@ -404,6 +406,10 @@ EC_GROUP *EC_GROUP_new_by_curve_name(int |
|
|
|
for (i = 0; i < curve_list_length; i++) |
|
if (curve_list[i].nid == nid) { |
|
+ if (!curve_list[i].fips_allowed && FIPS_mode()) { |
|
+ ECerr(EC_F_EC_GROUP_NEW_BY_CURVE_NAME, EC_R_NOT_A_NIST_PRIME); |
|
+ return NULL; |
|
+ } |
|
ret = ec_group_new_from_data(curve_list[i]); |
|
break; |
|
} |
|
@@ -418,19 +424,31 @@ EC_GROUP *EC_GROUP_new_by_curve_name(int |
|
|
|
size_t EC_get_builtin_curves(EC_builtin_curve *r, size_t nitems) |
|
{ |
|
- size_t i, min; |
|
+ size_t i, j, num; |
|
+ int fips_mode = FIPS_mode(); |
|
|
|
- if (r == NULL || nitems == 0) |
|
- return curve_list_length; |
|
+ num = curve_list_length; |
|
+ if (fips_mode) |
|
+ for (i = 0; i < curve_list_length; i++) { |
|
+ if (!curve_list[i].fips_allowed) |
|
+ --num; |
|
+ } |
|
|
|
- min = nitems < curve_list_length ? nitems : curve_list_length; |
|
+ if (r == NULL || nitems == 0) { |
|
+ return num; |
|
+ } |
|
|
|
- for (i = 0; i < min; i++) { |
|
- r[i].nid = curve_list[i].nid; |
|
- r[i].comment = curve_list[i].comment; |
|
+ for (i = 0, j = 0; i < curve_list_length; i++) { |
|
+ if (j >= nitems) |
|
+ break; |
|
+ if (!fips_mode || curve_list[i].fips_allowed) { |
|
+ r[j].nid = curve_list[i].nid; |
|
+ r[j].comment = curve_list[i].comment; |
|
+ ++j; |
|
+ } |
|
} |
|
|
|
- return curve_list_length; |
|
+ return num; |
|
} |
|
|
|
/* Functions to translate between common NIST curve names and NIDs */ |
|
diff -up openssl-1.1.1g/ssl/t1_lib.c.fips-curves openssl-1.1.1g/ssl/t1_lib.c |
|
--- openssl-1.1.1g/ssl/t1_lib.c.fips-curves 2020-05-18 12:59:54.797643616 +0200 |
|
+++ openssl-1.1.1g/ssl/t1_lib.c 2020-05-18 13:03:54.748725463 +0200 |
|
@@ -678,6 +678,36 @@ static const uint16_t tls12_sigalgs[] = |
|
#endif |
|
}; |
|
|
|
+static const uint16_t tls12_fips_sigalgs[] = { |
|
+#ifndef OPENSSL_NO_EC |
|
+ TLSEXT_SIGALG_ecdsa_secp256r1_sha256, |
|
+ TLSEXT_SIGALG_ecdsa_secp384r1_sha384, |
|
+ TLSEXT_SIGALG_ecdsa_secp521r1_sha512, |
|
+#endif |
|
+ |
|
+ TLSEXT_SIGALG_rsa_pss_pss_sha256, |
|
+ TLSEXT_SIGALG_rsa_pss_pss_sha384, |
|
+ TLSEXT_SIGALG_rsa_pss_pss_sha512, |
|
+ TLSEXT_SIGALG_rsa_pss_rsae_sha256, |
|
+ TLSEXT_SIGALG_rsa_pss_rsae_sha384, |
|
+ TLSEXT_SIGALG_rsa_pss_rsae_sha512, |
|
+ |
|
+ TLSEXT_SIGALG_rsa_pkcs1_sha256, |
|
+ TLSEXT_SIGALG_rsa_pkcs1_sha384, |
|
+ TLSEXT_SIGALG_rsa_pkcs1_sha512, |
|
+ |
|
+#ifndef OPENSSL_NO_EC |
|
+ TLSEXT_SIGALG_ecdsa_sha224, |
|
+#endif |
|
+ TLSEXT_SIGALG_rsa_pkcs1_sha224, |
|
+#ifndef OPENSSL_NO_DSA |
|
+ TLSEXT_SIGALG_dsa_sha224, |
|
+ TLSEXT_SIGALG_dsa_sha256, |
|
+ TLSEXT_SIGALG_dsa_sha384, |
|
+ TLSEXT_SIGALG_dsa_sha512, |
|
+#endif |
|
+}; |
|
+ |
|
#ifndef OPENSSL_NO_EC |
|
static const uint16_t suiteb_sigalgs[] = { |
|
TLSEXT_SIGALG_ecdsa_secp256r1_sha256, |
|
@@ -894,6 +924,8 @@ static const SIGALG_LOOKUP *tls1_get_leg |
|
} |
|
if (idx < 0 || idx >= (int)OSSL_NELEM(tls_default_sigalg)) |
|
return NULL; |
|
+ if (FIPS_mode()) /* We do not allow legacy SHA1 signatures in FIPS mode */ |
|
+ return NULL; |
|
if (SSL_USE_SIGALGS(s) || idx != SSL_PKEY_RSA) { |
|
const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(tls_default_sigalg[idx]); |
|
|
|
@@ -954,6 +986,9 @@ size_t tls12_get_psigalgs(SSL *s, int se |
|
} else if (s->cert->conf_sigalgs) { |
|
*psigs = s->cert->conf_sigalgs; |
|
return s->cert->conf_sigalgslen; |
|
+ } else if (FIPS_mode()) { |
|
+ *psigs = tls12_fips_sigalgs; |
|
+ return OSSL_NELEM(tls12_fips_sigalgs); |
|
} else { |
|
*psigs = tls12_sigalgs; |
|
return OSSL_NELEM(tls12_sigalgs); |
|
@@ -973,6 +1008,9 @@ int tls_check_sigalg_curve(const SSL *s, |
|
if (s->cert->conf_sigalgs) { |
|
sigs = s->cert->conf_sigalgs; |
|
siglen = s->cert->conf_sigalgslen; |
|
+ } else if (FIPS_mode()) { |
|
+ sigs = tls12_fips_sigalgs; |
|
+ siglen = OSSL_NELEM(tls12_fips_sigalgs); |
|
} else { |
|
sigs = tls12_sigalgs; |
|
siglen = OSSL_NELEM(tls12_sigalgs); |
|
@@ -1617,6 +1655,8 @@ static int tls12_sigalg_allowed(const SS |
|
if (lu->sig == NID_id_GostR3410_2012_256 |
|
|| lu->sig == NID_id_GostR3410_2012_512 |
|
|| lu->sig == NID_id_GostR3410_2001) { |
|
+ if (FIPS_mode()) |
|
+ return 0; |
|
/* We never allow GOST sig algs on the server with TLSv1.3 */ |
|
if (s->server && SSL_IS_TLS13(s)) |
|
return 0; |
|
@@ -2842,6 +2882,13 @@ int tls_choose_sigalg(SSL *s, int fatale |
|
const uint16_t *sent_sigs; |
|
size_t sent_sigslen; |
|
|
|
+ if (fatalerrs && FIPS_mode()) { |
|
+ /* There are no suitable legacy algorithms in FIPS mode */ |
|
+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, |
|
+ SSL_F_TLS_CHOOSE_SIGALG, |
|
+ SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM); |
|
+ return 0; |
|
+ } |
|
if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) { |
|
if (!fatalerrs) |
|
return 1;
|
|
|