File openssl-1_1-ossl-sli-019-Enforce-KDF.patch of Package openssl-1_1
Index: openssl-1.1.1w/crypto/fips/fips_sli.c
===================================================================
--- openssl-1.1.1w.orig/crypto/fips/fips_sli.c
+++ openssl-1.1.1w/crypto/fips/fips_sli.c
@@ -1,3 +1,4 @@
+#include <openssl/crypto.h>
#include <openssl/dsa.h>
#include <openssl/ec.h>
#include <openssl/rsa.h>
@@ -5,6 +6,7 @@
#include "../evp/evp_local.h"
#include "../hmac/hmac_local.h"
#include "../rsa/rsa_local.h"
+#include "../ssl/ssl_local.h"
#include <openssl/tls1.h>
#include "internal/fips_sli_local.h"
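Review bot: Including `../ssl/ssl_local.h` from crypto/fips/fips_sli.c makes libcrypto depend on libssl's private struct layout: `fips_sli_define_for(SSL)` later in this file presumably expands to accessors that dereference the new `sli` member of `struct ssl_st`, an object only libssl allocates, and those accessors are then exported from libcrypto in util/libcrypto.num. Any change to `struct ssl_st` silently requires rebuilding libcrypto, and since ssl/ssl_local.h now includes internal/fips_sli_local.h in the same patch, the two headers depend on each other. If the field is to stay in libssl, a comment above the include such as `/* libcrypto reaches into libssl-private struct ssl_st for the per-connection SLI field */` would make the coupling explicit; the alternative is to define the SSL accessors in libssl and export them from libssl.num instead. What fips_sli_define_for expands to cannot be confirmed from this hunk.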
@@ -54,6 +56,7 @@ fips_sli_define_for(EVP_KDF_CTX)
fips_sli_define_for(EVP_MD_CTX)
fips_sli_define_for(EVP_PKEY_CTX)
fips_sli_define_for(HMAC_CTX)
+fips_sli_define_for(SSL)
typedef enum curve_usage_e {
CURVE_KEYGEN,
@@ -470,3 +473,11 @@ void fips_sli_check_padding_rsa_sigver_E
fips_sli_fsm_EVP_MD_CTX(ctx, FIPS_ERROR);
}
}
+
+void fips_sli_check_prf_label_SSL(SSL * s, const void * label) {
+ if (CRYPTO_memcmp(label, TLS_MD_EXTENDED_MASTER_SECRET_CONST,
+ TLS_MD_EXTENDED_MASTER_SECRET_CONST_SIZE) == 0)
+ fips_sli_approve_SSL(s);
+ else
+ fips_sli_disapprove_SSL(s);
+}
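Review bot: `CRYPTO_memcmp` in `fips_sli_check_prf_label_SSL` reads `TLS_MD_EXTENDED_MASTER_SECRET_CONST_SIZE` bytes from `label` without knowing how long `label` actually is; the only caller (tls1_PRF in ssl/t1_enc.c, same patch) passes `seed1`, which for the master-secret, key-expansion and finished-message derivations is a shorter string literal, so the comparison reads past the end of that literal. tls1_PRF already receives the label length as `seed1_len`, so the check should take it: `void fips_sli_check_prf_label_SSL(SSL *s, const void *label, size_t label_len)` with `if (label_len == TLS_MD_EXTENDED_MASTER_SECRET_CONST_SIZE && CRYPTO_memcmp(label, TLS_MD_EXTENDED_MASTER_SECRET_CONST, label_len) == 0)`, and the prototype in include/openssl/fips_sli.h and the call in ssl/t1_enc.c updated to match. The prototype also names the parameter `ctx` where the definition uses `s`; pick one. A header comment such as `/* Marks s approved only when the PRF label is the TLS extended-master-secret label; any other label disapproves. */` would state the policy the function enforces.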
Index: openssl-1.1.1w/doc/man3/FIPS_service_level_indicator.pod
===================================================================
--- openssl-1.1.1w.orig/doc/man3/FIPS_service_level_indicator.pod
+++ openssl-1.1.1w/doc/man3/FIPS_service_level_indicator.pod
@@ -2,7 +2,7 @@
=head1 NAME
-C<int fips_sli_is_approved_*_CTX> - get status of the FIPS Service Level Indicator (SLI) for context operations
+C<int fips_sli_is_approved_*> - get status of the FIPS Service Level Indicator (SLI) for context operations
C<int fips_sli_*_is_approved> - get status of the FIPS SLI for standalone operations
@@ -22,6 +22,8 @@ C<int fips_sli_*_is_approved> - get stat
int fips_sli_is_approved_HMAC_CTX(const HMAC_CTX *ctx);
+ int fips_sli_is_approved_SSL(const SSL *ssl);
+
int fips_sli_SHA1_is_approved(const unsigned char *d, size_t n, unsigned char *md);
int fips_sli_HMAC_is_approved(const EVP_MD *evp_md, const void *key, int key_len,
@@ -42,7 +44,7 @@ The service level indicator has two diff
=over 1
-=item C<int fips_sli_is_approved_*_CTX(...)>
+=item C<int fips_sli_is_approved_*(...)>
Most operations happen on some form of a context, which also holds the SLI.
This function returns whether the FIPS SLI indicates an approved operation or not.
@@ -86,7 +88,7 @@ Swapping out OPENSSL's RNG implementatio
=head1 RETURN VALUES
-C<fips_sli_is_approved_*_CTX()> returns 0 if the previous operation(s) was unapproved or B<ctx> was B<NULL>, and returns 1
+C<fips_sli_is_approved_*()> returns 0 if the previous operation(s) was unapproved or B<ctx> was B<NULL>, and returns 1
if the previous operation(s) were approved (or rather, no non-approved operations happened).
C<fips_sli_*_is_approved()> returns 0 if an operation with a given set of parameters was unapproved, and returns 1
@@ -100,7 +102,7 @@ The FIPS SLI was added in OpenSSL 1.1.1.
=head1 COPYRIGHT
-Copyright 2022
+Copyright 2024
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
Index: openssl-1.1.1w/ssl/ssl_local.h
===================================================================
--- openssl-1.1.1w.orig/ssl/ssl_local.h
+++ openssl-1.1.1w/ssl/ssl_local.h
@@ -32,6 +32,7 @@
# include "statem/statem.h"
# include "packet_local.h"
# include "internal/dane.h"
+# include "internal/fips_sli_local.h"
# include "internal/refcount.h"
# include "internal/tsan_assist.h"
@@ -1479,6 +1480,7 @@ struct ssl_st {
*/
const struct sigalg_lookup_st **shared_sigalgs;
size_t shared_sigalgslen;
+ FIPS_STATUS sli; /* Service Level Indicator */
};
/*
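Review bot: The new `sli` member of `struct ssl_st` has no stated initial state: SSL objects are zero-allocated in SSL_new (OPENSSL_zalloc), so the indicator starts as whatever `FIPS_STATUS` value 0 denotes, which this hunk does not show. The comment should name that and the writer, e.g. `FIPS_STATUS sli; /* Service Level Indicator; 0 from zalloc until fips_sli_check_prf_label_SSL() sets it in tls1_PRF */`. If 0 is not the "unset" member of FIPS_STATUS, SSL_new needs an explicit initializer; please confirm against internal/fips_sli_local.h. Nothing in the patch resets the field in SSL_clear() either, so a reused SSL appears to keep the verdict of its previous handshake; worth confirming that is intended.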
Index: openssl-1.1.1w/ssl/t1_enc.c
===================================================================
--- openssl-1.1.1w.orig/ssl/t1_enc.c
+++ openssl-1.1.1w/ssl/t1_enc.c
@@ -10,6 +10,7 @@
#include <stdio.h>
#include "ssl_local.h"
+#include "internal/fips_sli_local.h"
#include <openssl/comp.h>
#include <openssl/evp.h>
#include <openssl/kdf.h>
@@ -56,6 +57,8 @@ static int tls1_PRF(SSL *s,
goto err;
}
+ //seed1 is the label
+ fips_sli_check_prf_label_SSL(s, seed1);
ret = 1;
err:
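Review bot: `//seed1 is the label` uses a C++-style comment, which OpenSSL 1.1.1 sources avoid for C89 compatibility and which differs from the `/* */` style used elsewhere in this patch; write it `/* seed1 is the label */`. More substantively, as far as I can tell tls1_PRF is invoked several times per handshake with different labels (master secret, key expansion, finished), so after the extended-master-secret derivation marks the connection approved, the following key-expansion call passes a different label and calls fips_sli_disapprove_SSL on the same object; unless the SLI state machine ignores a disapprove after an approve, every connection would end up disapproved. Either restrict the check to the master-secret derivation (approve on the extended-master-secret label, disapprove only on the plain master-secret label, ignore the rest) or document the intended state-machine semantics at the call site. tls1_PRF begins and ends outside this hunk.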
Index: openssl-1.1.1w/include/openssl/fips_sli.h
===================================================================
--- openssl-1.1.1w.orig/include/openssl/fips_sli.h
+++ openssl-1.1.1w/include/openssl/fips_sli.h
@@ -15,6 +15,7 @@ int fips_sli_is_approved_EVP_MD_CTX(cons
int fips_sli_is_approved_EVP_PKEY_CTX(const EVP_PKEY_CTX *ctx);
int fips_sli_is_approved_CMAC_CTX(const CMAC_CTX *ctx);
int fips_sli_is_approved_HMAC_CTX(const HMAC_CTX *ctx);
+int fips_sli_is_approved_SSL(const SSL *s);
int fips_sli_SHA1_is_approved(const unsigned char *d, size_t n, unsigned char *md);
int fips_sli_HMAC_is_approved(const EVP_MD *evp_md, const void *key, int key_len,
@@ -26,6 +27,8 @@ int fips_sli_PKCS5_PBKDF2_HMAC_is_approv
int fips_sli_RAND_bytes_is_approved(unsigned char *buf, int num);
int fips_sli_RAND_priv_bytes_is_approved(unsigned char *buf, int num);
+void fips_sli_check_prf_label_SSL(SSL * ctx, const void * label);
+
# ifdef __cplusplus
}
# endif
Index: openssl-1.1.1w/util/libcrypto.num
===================================================================
--- openssl-1.1.1w.orig/util/libcrypto.num
+++ openssl-1.1.1w/util/libcrypto.num
@@ -4651,3 +4651,5 @@ FIPS_entropy_init
FIPS_entropy_cleanup 6612 1_1_1l EXIST::FUNCTION:
OCSP_RESPONSE_check_status 6613 1_1_1l EXIST::FUNCTION:OCSP
FIPS_drbg_lock_cleanup 6614 1_1_1w EXIST::FUNCTION:
+fips_sli_is_approved_SSL 6615 1_1_1w EXIST::FUNCTION:
+fips_sli_check_prf_label_SSL 6616 1_1_1w EXIST::FUNCTION: