|
|
cf3dd1 |
diff -up openssl-1.1.1g/crypto/ec/ec_curve.c.fips-curves openssl-1.1.1g/crypto/ec/ec_curve.c
|
|
|
cf3dd1 |
--- openssl-1.1.1g/crypto/ec/ec_curve.c.fips-curves 2020-05-18 12:59:54.839643980 +0200
|
|
|
cf3dd1 |
+++ openssl-1.1.1g/crypto/ec/ec_curve.c 2020-05-18 12:59:54.852644093 +0200
|
|
|
b63792 |
@@ -13,6 +13,7 @@
|
|
|
b63792 |
#include <openssl/err.h>
|
|
|
b63792 |
#include <openssl/obj_mac.h>
|
|
|
b63792 |
#include <openssl/opensslconf.h>
|
|
|
b63792 |
+#include <openssl/crypto.h>
|
|
|
b63792 |
#include "internal/nelem.h"
|
|
|
b63792 |
|
|
|
b63792 |
typedef struct {
|
|
|
b63792 |
@@ -237,6 +238,7 @@ static const struct {
|
|
|
b63792 |
|
|
|
b63792 |
typedef struct _ec_list_element_st {
|
|
|
b63792 |
int nid;
|
|
|
b63792 |
+ int fips_allowed;
|
|
|
b63792 |
const EC_CURVE_DATA *data;
|
|
|
b63792 |
const EC_METHOD *(*meth) (void);
|
|
|
b63792 |
const char *comment;
|
|
|
b63792 |
@@ -246,23 +248,23 @@ static const ec_list_element curve_list[
|
|
|
b63792 |
/* prime field curves */
|
|
|
b63792 |
/* secg curves */
|
|
|
b63792 |
#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
|
|
|
b63792 |
- {NID_secp224r1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method,
|
|
|
b63792 |
+ {NID_secp224r1, 1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method,
|
|
|
b63792 |
"NIST/SECG curve over a 224 bit prime field"},
|
|
|
b63792 |
#else
|
|
|
b63792 |
- {NID_secp224r1, &_EC_NIST_PRIME_224.h, 0,
|
|
|
b63792 |
+ {NID_secp224r1, 1, &_EC_NIST_PRIME_224.h, 0,
|
|
|
b63792 |
"NIST/SECG curve over a 224 bit prime field"},
|
|
|
b63792 |
#endif
|
|
|
b63792 |
- {NID_secp256k1, &_EC_SECG_PRIME_256K1.h, 0,
|
|
|
b63792 |
+ {NID_secp256k1, 0, &_EC_SECG_PRIME_256K1.h, 0,
|
|
|
b63792 |
"SECG curve over a 256 bit prime field"},
|
|
|
b63792 |
/* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
|
|
|
b63792 |
- {NID_secp384r1, &_EC_NIST_PRIME_384.h,
|
|
|
b63792 |
+ {NID_secp384r1, 1, &_EC_NIST_PRIME_384.h,
|
|
|
b63792 |
# if defined(S390X_EC_ASM)
|
|
|
b63792 |
EC_GFp_s390x_nistp384_method,
|
|
|
b63792 |
# else
|
|
|
b63792 |
0,
|
|
|
b63792 |
# endif
|
|
|
b63792 |
"NIST/SECG curve over a 384 bit prime field"},
|
|
|
b63792 |
- {NID_secp521r1, &_EC_NIST_PRIME_521.h,
|
|
|
b63792 |
+ {NID_secp521r1, 1, &_EC_NIST_PRIME_521.h,
|
|
|
b63792 |
# if defined(S390X_EC_ASM)
|
|
|
b63792 |
EC_GFp_s390x_nistp521_method,
|
|
|
b63792 |
# elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
|
|
|
b63792 |
@@ -272,7 +274,7 @@ static const ec_list_element curve_list[
|
|
|
b63792 |
# endif
|
|
|
b63792 |
"NIST/SECG curve over a 521 bit prime field"},
|
|
|
b63792 |
/* X9.62 curves */
|
|
|
b63792 |
- {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h,
|
|
|
b63792 |
+ {NID_X9_62_prime256v1, 1, &_EC_X9_62_PRIME_256V1.h,
|
|
|
b63792 |
#if defined(ECP_NISTZ256_ASM)
|
|
|
b63792 |
EC_GFp_nistz256_method,
|
|
|
b63792 |
# elif defined(S390X_EC_ASM)
|
|
|
b63792 |
@@ -404,6 +406,10 @@ EC_GROUP *EC_GROUP_new_by_curve_name(int
|
|
|
b63792 |
|
|
|
b63792 |
for (i = 0; i < curve_list_length; i++)
|
|
|
b63792 |
if (curve_list[i].nid == nid) {
|
|
|
b63792 |
+ if (!curve_list[i].fips_allowed && FIPS_mode()) {
|
|
|
b63792 |
+ ECerr(EC_F_EC_GROUP_NEW_BY_CURVE_NAME, EC_R_NOT_A_NIST_PRIME);
|
|
|
b63792 |
+ return NULL;
|
|
|
b63792 |
+ }
|
|
|
b63792 |
ret = ec_group_new_from_data(curve_list[i]);
|
|
|
b63792 |
break;
|
|
|
b63792 |
}
|
|
|
b63792 |
@@ -418,19 +424,31 @@ EC_GROUP *EC_GROUP_new_by_curve_name(int
|
|
|
b63792 |
|
|
|
b63792 |
size_t EC_get_builtin_curves(EC_builtin_curve *r, size_t nitems)
|
|
|
b63792 |
{
|
|
|
b63792 |
- size_t i, min;
|
|
|
b63792 |
+ size_t i, j, num;
|
|
|
b63792 |
+ int fips_mode = FIPS_mode();
|
|
|
b63792 |
|
|
|
b63792 |
- if (r == NULL || nitems == 0)
|
|
|
b63792 |
- return curve_list_length;
|
|
|
b63792 |
+ num = curve_list_length;
|
|
|
b63792 |
+ if (fips_mode)
|
|
|
b63792 |
+ for (i = 0; i < curve_list_length; i++) {
|
|
|
b63792 |
+ if (!curve_list[i].fips_allowed)
|
|
|
b63792 |
+ --num;
|
|
|
b63792 |
+ }
|
|
|
b63792 |
|
|
|
b63792 |
- min = nitems < curve_list_length ? nitems : curve_list_length;
|
|
|
b63792 |
+ if (r == NULL || nitems == 0) {
|
|
|
b63792 |
+ return num;
|
|
|
b63792 |
+ }
|
|
|
b63792 |
|
|
|
b63792 |
- for (i = 0; i < min; i++) {
|
|
|
b63792 |
- r[i].nid = curve_list[i].nid;
|
|
|
b63792 |
- r[i].comment = curve_list[i].comment;
|
|
|
b63792 |
+ for (i = 0, j = 0; i < curve_list_length; i++) {
|
|
|
b63792 |
+ if (j >= nitems)
|
|
|
b63792 |
+ break;
|
|
|
b63792 |
+ if (!fips_mode || curve_list[i].fips_allowed) {
|
|
|
b63792 |
+ r[j].nid = curve_list[i].nid;
|
|
|
b63792 |
+ r[j].comment = curve_list[i].comment;
|
|
|
b63792 |
+ ++j;
|
|
|
b63792 |
+ }
|
|
|
b63792 |
}
|
|
|
b63792 |
|
|
|
b63792 |
- return curve_list_length;
|
|
|
b63792 |
+ return num;
|
|
|
b63792 |
}
|
|
|
b63792 |
|
|
|
b63792 |
/* Functions to translate between common NIST curve names and NIDs */
|
|
|
cf3dd1 |
diff -up openssl-1.1.1g/ssl/t1_lib.c.fips-curves openssl-1.1.1g/ssl/t1_lib.c
|
|
|
cf3dd1 |
--- openssl-1.1.1g/ssl/t1_lib.c.fips-curves 2020-05-18 12:59:54.797643616 +0200
|
|
|
cf3dd1 |
+++ openssl-1.1.1g/ssl/t1_lib.c 2020-05-18 13:03:54.748725463 +0200
|
|
|
cf3dd1 |
@@ -678,6 +678,36 @@ static const uint16_t tls12_sigalgs[] =
|
|
|
b63792 |
#endif
|
|
|
b63792 |
};
|
|
|
b63792 |
|
|
|
b63792 |
+static const uint16_t tls12_fips_sigalgs[] = {
|
|
|
b63792 |
+#ifndef OPENSSL_NO_EC
|
|
|
b63792 |
+ TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
|
|
|
b63792 |
+ TLSEXT_SIGALG_ecdsa_secp384r1_sha384,
|
|
|
b63792 |
+ TLSEXT_SIGALG_ecdsa_secp521r1_sha512,
|
|
|
b63792 |
+#endif
|
|
|
b63792 |
+
|
|
|
b63792 |
+ TLSEXT_SIGALG_rsa_pss_pss_sha256,
|
|
|
b63792 |
+ TLSEXT_SIGALG_rsa_pss_pss_sha384,
|
|
|
b63792 |
+ TLSEXT_SIGALG_rsa_pss_pss_sha512,
|
|
|
b63792 |
+ TLSEXT_SIGALG_rsa_pss_rsae_sha256,
|
|
|
b63792 |
+ TLSEXT_SIGALG_rsa_pss_rsae_sha384,
|
|
|
b63792 |
+ TLSEXT_SIGALG_rsa_pss_rsae_sha512,
|
|
|
b63792 |
+
|
|
|
b63792 |
+ TLSEXT_SIGALG_rsa_pkcs1_sha256,
|
|
|
b63792 |
+ TLSEXT_SIGALG_rsa_pkcs1_sha384,
|
|
|
b63792 |
+ TLSEXT_SIGALG_rsa_pkcs1_sha512,
|
|
|
b63792 |
+
|
|
|
b63792 |
+#ifndef OPENSSL_NO_EC
|
|
|
b63792 |
+ TLSEXT_SIGALG_ecdsa_sha224,
|
|
|
b63792 |
+#endif
|
|
|
b63792 |
+ TLSEXT_SIGALG_rsa_pkcs1_sha224,
|
|
|
b63792 |
+#ifndef OPENSSL_NO_DSA
|
|
|
b63792 |
+ TLSEXT_SIGALG_dsa_sha224,
|
|
|
b63792 |
+ TLSEXT_SIGALG_dsa_sha256,
|
|
|
b63792 |
+ TLSEXT_SIGALG_dsa_sha384,
|
|
|
b63792 |
+ TLSEXT_SIGALG_dsa_sha512,
|
|
|
b63792 |
+#endif
|
|
|
b63792 |
+};
|
|
|
b63792 |
+
|
|
|
b63792 |
#ifndef OPENSSL_NO_EC
|
|
|
b63792 |
static const uint16_t suiteb_sigalgs[] = {
|
|
|
b63792 |
TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
|
|
|
cf3dd1 |
@@ -894,6 +924,8 @@ static const SIGALG_LOOKUP *tls1_get_leg
|
|
|
cf3dd1 |
}
|
|
|
b63792 |
if (idx < 0 || idx >= (int)OSSL_NELEM(tls_default_sigalg))
|
|
|
b63792 |
return NULL;
|
|
|
cf3dd1 |
+ if (FIPS_mode()) /* We do not allow legacy SHA1 signatures in FIPS mode */
|
|
|
cf3dd1 |
+ return NULL;
|
|
|
b63792 |
if (SSL_USE_SIGALGS(s) || idx != SSL_PKEY_RSA) {
|
|
|
cf3dd1 |
const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(tls_default_sigalg[idx]);
|
|
|
b63792 |
|
|
|
cf3dd1 |
@@ -954,6 +986,9 @@ size_t tls12_get_psigalgs(SSL *s, int se
|
|
|
b63792 |
} else if (s->cert->conf_sigalgs) {
|
|
|
b63792 |
*psigs = s->cert->conf_sigalgs;
|
|
|
b63792 |
return s->cert->conf_sigalgslen;
|
|
|
b63792 |
+ } else if (FIPS_mode()) {
|
|
|
b63792 |
+ *psigs = tls12_fips_sigalgs;
|
|
|
b63792 |
+ return OSSL_NELEM(tls12_fips_sigalgs);
|
|
|
b63792 |
} else {
|
|
|
b63792 |
*psigs = tls12_sigalgs;
|
|
|
b63792 |
return OSSL_NELEM(tls12_sigalgs);
|
|
|
cf3dd1 |
@@ -973,6 +1008,9 @@ int tls_check_sigalg_curve(const SSL *s,
|
|
|
b63792 |
if (s->cert->conf_sigalgs) {
|
|
|
b63792 |
sigs = s->cert->conf_sigalgs;
|
|
|
b63792 |
siglen = s->cert->conf_sigalgslen;
|
|
|
b63792 |
+ } else if (FIPS_mode()) {
|
|
|
b63792 |
+ sigs = tls12_fips_sigalgs;
|
|
|
b63792 |
+ siglen = OSSL_NELEM(tls12_fips_sigalgs);
|
|
|
b63792 |
} else {
|
|
|
b63792 |
sigs = tls12_sigalgs;
|
|
|
b63792 |
siglen = OSSL_NELEM(tls12_sigalgs);
|
|
|
cf3dd1 |
@@ -1617,6 +1655,8 @@ static int tls12_sigalg_allowed(const SS
|
|
|
b63792 |
if (lu->sig == NID_id_GostR3410_2012_256
|
|
|
b63792 |
|| lu->sig == NID_id_GostR3410_2012_512
|
|
|
b63792 |
|| lu->sig == NID_id_GostR3410_2001) {
|
|
|
b63792 |
+ if (FIPS_mode())
|
|
|
b63792 |
+ return 0;
|
|
|
b63792 |
/* We never allow GOST sig algs on the server with TLSv1.3 */
|
|
|
b63792 |
if (s->server && SSL_IS_TLS13(s))
|
|
|
b63792 |
return 0;
|
|
|
cf3dd1 |
@@ -2842,6 +2882,13 @@ int tls_choose_sigalg(SSL *s, int fatale
|
|
|
b63792 |
const uint16_t *sent_sigs;
|
|
|
b63792 |
size_t sent_sigslen;
|
|
|
b63792 |
|
|
|
b63792 |
+ if (fatalerrs && FIPS_mode()) {
|
|
|
b63792 |
+ /* There are no suitable legacy algorithms in FIPS mode */
|
|
|
b63792 |
+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
|
|
|
b63792 |
+ SSL_F_TLS_CHOOSE_SIGALG,
|
|
|
b63792 |
+ SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
|
|
|
b63792 |
+ return 0;
|
|
|
b63792 |
+ }
|
|
|
b63792 |
if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
|
|
|
b63792 |
if (!fatalerrs)
|
|
|
b63792 |
return 1;
|