From 9c5cd8d86c4da8e538bb5b77b9072768174df376 Mon Sep 17 00:00:00 2001
From: Jou Ho
Date: Mon, 8 Jul 2024 20:42:22 +0000
Subject: [PATCH 01/17] test removing the gating logic
---
 tests/unit/s2n_crypto_test.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/tests/unit/s2n_crypto_test.c b/tests/unit/s2n_crypto_test.c
index 5fc4dc1d798..b0e7b0bfbcc 100644
--- a/tests/unit/s2n_crypto_test.c
+++ b/tests/unit/s2n_crypto_test.c
@@ -127,9 +127,11 @@ int main()
 * Retrieving the master secret won't vary between FIPS and non-FIPS,
 * so this testing limitation is not a concern.
 */
- if (s2n_is_in_fips_mode() && version == S2N_SSLv3) {
- continue;
- }
+
+ // remove this and build with ossl1.0.2-fips to replicate error
+ // if (s2n_is_in_fips_mode() && version == S2N_SSLv3) {
+ // continue;
+ // }
 DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free);
 EXPECT_NOT_NULL(config);
From a5ccfac3b7ac5950f0b0966398edeed4005d01a2 Mon Sep 17 00:00:00 2001
From: Jou Ho
Date: Mon, 8 Jul 2024 20:46:31 +0000
Subject: [PATCH 02/17] remove comments
---
 tests/unit/s2n_crypto_test.c | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/tests/unit/s2n_crypto_test.c b/tests/unit/s2n_crypto_test.c
index b0e7b0bfbcc..9cfd431afbf 100644
--- a/tests/unit/s2n_crypto_test.c
+++ b/tests/unit/s2n_crypto_test.c
@@ -128,11 +128,6 @@ int main()
 * so this testing limitation is not a concern.
 */
- // remove this and build with ossl1.0.2-fips to replicate error
- // if (s2n_is_in_fips_mode() && version == S2N_SSLv3) {
- // continue;
- // }
-
 DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free);
 EXPECT_NOT_NULL(config);
 EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, ecdsa_chain_and_key));
From 105d84960777c53ffa52e7a2688840ad2213d89a Mon Sep 17 00:00:00 2001
From: Jou Ho
Date: Tue, 16 Jul 2024 00:13:45 +0000
Subject: [PATCH 03/17] throw error if fips + sslv3 + ossl-1.0.2 tries to handshake
---
 error/s2n_errno.c | 1 +
 error/s2n_errno.h | 1 +
 .../s2n_connection_protocol_versions_test.c | 4 +++
 tests/unit/s2n_crypto_test.c | 28 +++++++++++++++++++
 tls/s2n_handshake_io.c | 5 ++++
 5 files changed, 39 insertions(+)
diff --git a/error/s2n_errno.c b/error/s2n_errno.c
index 49aab545c09..4543dd21d7f 100644
--- a/error/s2n_errno.c
+++ b/error/s2n_errno.c
@@ -292,6 +292,7 @@ static const char *no_such_error = "Internal s2n error";
 ERR_ENTRY(S2N_ERR_LIBCRYPTO_VERSION_NUMBER_MISMATCH, "The libcrypto major version number seen at compile-time is different from the major version number seen at run-time") \
 ERR_ENTRY(S2N_ERR_LIBCRYPTO_VERSION_NAME_MISMATCH, "The libcrypto major version name seen at compile-time is different from the major version name seen at run-time") \
 ERR_ENTRY(S2N_ERR_OSSL_PROVIDER, "Failed to load or unload an openssl provider") \
+ ERR_ENTRY(S2N_ERR_SSLV3_HANDSHAKE_WITH_OSSL_1_0_2_FIPS_NOT_SUPPORTED, "SSLv3 handshake is not supported when built with OpenSSL 1.0.2-FIPS") \
 ERR_ENTRY(S2N_ERR_CERT_OWNERSHIP, "The ownership of the certificate chain is incompatible with the operation") \
 ERR_ENTRY(S2N_ERR_INTERNAL_LIBCRYPTO_ERROR, "An internal error has occurred in the libcrypto API") \
 ERR_ENTRY(S2N_ERR_NO_RENEGOTIATION, "Only secure, server-initiated renegotiation is supported") \
diff --git a/error/s2n_errno.h b/error/s2n_errno.h
index 838f7d10388..2b92a4dd5a5 100644
--- a/error/s2n_errno.h
+++ b/error/s2n_errno.h
@@ -237,6 +237,7 @@ typedef enum {
 S2N_ERR_LIBCRYPTO_VERSION_NUMBER_MISMATCH,
 S2N_ERR_LIBCRYPTO_VERSION_NAME_MISMATCH,
 S2N_ERR_OSSL_PROVIDER,
+ S2N_ERR_SSLV3_HANDSHAKE_WITH_OSSL_1_0_2_FIPS_NOT_SUPPORTED,
 S2N_ERR_TEST_ASSERTION,
 S2N_ERR_T_INTERNAL_END,
diff --git a/tests/unit/s2n_connection_protocol_versions_test.c b/tests/unit/s2n_connection_protocol_versions_test.c
index ecd58666140..f8dd07ab5f8 100644
--- a/tests/unit/s2n_connection_protocol_versions_test.c
+++ b/tests/unit/s2n_connection_protocol_versions_test.c
@@ -14,6 +14,7 @@
 */
 #include "api/s2n.h"
+#include "crypto/s2n_fips.h"
 #include "s2n_test.h"
 #include "testlib/s2n_testlib.h"
 #include "tls/s2n_tls.h"
@@ -249,6 +250,9 @@ int main(int argc, char **argv)
 EXPECT_SUCCESS(s2n_io_pair_init_non_blocking(&io_pair));
 EXPECT_SUCCESS(s2n_connections_set_io_pair(client, server, &io_pair));
+ if (s2n_is_in_fips_mode() && client->client_protocol_version == S2N_SSLv3 && !S2N_OPENSSL_VERSION_AT_LEAST(1, 0, 3)) {
+ EXPECT_ERROR_WITH_ERRNO(s2n_negotiate_test_server_and_client_until_message(server, client, SERVER_CERT), S2N_ERR_SSLV3_HANDSHAKE_WITH_OSSL_1_0_2_FIPS_NOT_SUPPORTED);
+ }
 EXPECT_OK(s2n_negotiate_test_server_and_client_until_message(server, client, SERVER_CERT));
 EXPECT_EQUAL(s2n_connection_get_server_protocol_version(client), server_version);
diff --git a/tests/unit/s2n_crypto_test.c b/tests/unit/s2n_crypto_test.c
index 9cfd431afbf..ef5d87ccea4 100644
--- a/tests/unit/s2n_crypto_test.c
+++ b/tests/unit/s2n_crypto_test.c
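Review bot: The added block expects the handshake to fail and then falls through to `EXPECT_OK(s2n_negotiate_test_server_and_client_until_message(server, client, SERVER_CERT));` on the same client/server pair, so in the FIPS-plus-SSLv3 case the iteration fails on the line right after the new `}`; a `continue;` after the `EXPECT_ERROR_WITH_ERRNO` (or an `else` around the success path) is needed. The condition also hard-codes a libcrypto rule that `s2n_hmac_is_available` already encodes for the SSLv3 HMACs, so `if (!s2n_hmac_is_available(S2N_HMAC_SSLv3_MD5))` would keep the test tied to the library's own decision rather than a second copy of it. The enclosing loop in main() starts and ends outside the hunk.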
@@ -127,6 +127,34 @@ int main()
 * Retrieving the master secret won't vary between FIPS and non-FIPS,
 * so this testing limitation is not a concern.
 */
+ if (s2n_is_in_fips_mode() && version == S2N_SSLv3 && !S2N_OPENSSL_VERSION_AT_LEAST(1, 0, 3)) {
+ DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free);
+ EXPECT_NOT_NULL(config);
+ EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, ecdsa_chain_and_key));
+ EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(config));
+ EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "test_all"));
+
+ DEFER_CLEANUP(struct s2n_connection *client = s2n_connection_new(S2N_CLIENT),
+ s2n_connection_ptr_free);
+ EXPECT_NOT_NULL(client);
+ EXPECT_SUCCESS(s2n_connection_set_config(client, config));
+ client->client_protocol_version = version;
+
+ DEFER_CLEANUP(struct s2n_connection *server = s2n_connection_new(S2N_SERVER),
+ s2n_connection_ptr_free);
+ EXPECT_NOT_NULL(server);
+ EXPECT_SUCCESS(s2n_connection_set_config(server, config));
+ memset(server->secrets.version.tls12.master_secret, 1, S2N_TLS_SECRET_LEN);
+
+ struct s2n_test_io_pair io_pair = { 0 };
+ EXPECT_SUCCESS(s2n_io_pair_init_non_blocking(&io_pair));
+ EXPECT_SUCCESS(s2n_connections_set_io_pair(client, server, &io_pair));
+
+ /* SSLv3 Handshake is not supported when built with OpenSSL-1.0.2-FIPS */
+ EXPECT_FAILURE_WITH_ERRNO(s2n_negotiate_test_server_and_client(server, client),
+ S2N_ERR_SSLV3_HANDSHAKE_WITH_OSSL_1_0_2_FIPS_NOT_SUPPORTED);
+ continue;
+ }
 DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free);
 EXPECT_NOT_NULL(config);
diff --git a/tls/s2n_handshake_io.c b/tls/s2n_handshake_io.c
index 33cb4b0f382..4861eb10fda 100644
--- a/tls/s2n_handshake_io.c
+++ b/tls/s2n_handshake_io.c
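Review bot: The new `if` block builds its own config, both connections and the io pair, which appears to duplicate the setup that follows it for the success path (only its first two lines, `DEFER_CLEANUP(struct s2n_config *config ...)` and `EXPECT_NOT_NULL(config)`, are visible here); the only thing that differs is the final expectation. Placing the gate after the shared setup, `if (s2n_is_in_fips_mode() && version == S2N_SSLv3 && !S2N_OPENSSL_VERSION_AT_LEAST(1, 0, 3)) { EXPECT_FAILURE_WITH_ERRNO(s2n_negotiate_test_server_and_client(server, client), S2N_ERR_SSLV3_HANDSHAKE_WITH_OSSL_1_0_2_FIPS_NOT_SUPPORTED); continue; }`, removes roughly twenty duplicated lines and keeps the two paths from drifting apart. The loop body this sits in starts and ends outside the hunk.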
@@ -1608,6 +1608,11 @@ int s2n_negotiate_impl(struct s2n_connection *conn, s2n_blocked_status *blocked)
 POSIX_ENSURE_REF(conn);
 POSIX_ENSURE_REF(blocked);
+ /* SSLv3 handshake is not supported when built with openssl-1.0.2-fips */
+ if (s2n_is_in_fips_mode() && conn->client_protocol_version == S2N_SSLv3 && !S2N_OPENSSL_VERSION_AT_LEAST(1, 0, 3)) {
+ POSIX_BAIL(S2N_ERR_SSLV3_HANDSHAKE_WITH_OSSL_1_0_2_FIPS_NOT_SUPPORTED);
+ }
+
 while (!s2n_handshake_is_complete(conn) && ACTIVE_MESSAGE(conn) != conn->handshake.end_of_messages) {
 errno = 0;
 s2n_errno = S2N_ERR_OK;
From b71c053806a9941abc234f66253a29e78a2a268d Mon Sep 17 00:00:00 2001
From: Jou Ho
Date: Tue, 16 Jul 2024 17:54:13 +0000
Subject: [PATCH 04/17] modify gating logic
---
 error/s2n_errno.c | 2 +-
 error/s2n_errno.h | 2 +-
 tests/unit/s2n_connection_protocol_versions_test.c | 4 ++--
 tests/unit/s2n_crypto_test.c | 4 ++--
 tls/s2n_handshake_io.c | 6 +++---
 5 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/error/s2n_errno.c b/error/s2n_errno.c
index 4543dd21d7f..102bc07a3b5 100644
--- a/error/s2n_errno.c
+++ b/error/s2n_errno.c
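Review bot: The gate reads `conn->client_protocol_version` at the top of `s2n_negotiate_impl`, which runs for both connection modes, but for an S2N_SERVER connection that field is presumably only populated once the ClientHello has been parsed, so on the server side the condition is evaluated before it can be true and a FIPS server would instead fail later inside the PRF/HMAC with a generic error. If the dedicated error is meant to cover servers as well, the check also has to run where the server learns the client version; if it is intentionally client-only, the comment should say so, e.g. `/* Client side: SSLv3 cannot be negotiated in FIPS mode with this libcrypto */`. PATCH 07 (tls/s2n_client_hello.c) moves the same check into `s2n_client_hello_send`, which makes it explicitly client-only but leaves the server question open. The body of s2n_negotiate_impl continues outside the hunk.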
@@ -292,7 +292,7 @@ static const char *no_such_error = "Internal s2n error";
 ERR_ENTRY(S2N_ERR_LIBCRYPTO_VERSION_NUMBER_MISMATCH, "The libcrypto major version number seen at compile-time is different from the major version number seen at run-time") \
 ERR_ENTRY(S2N_ERR_LIBCRYPTO_VERSION_NAME_MISMATCH, "The libcrypto major version name seen at compile-time is different from the major version name seen at run-time") \
 ERR_ENTRY(S2N_ERR_OSSL_PROVIDER, "Failed to load or unload an openssl provider") \
- ERR_ENTRY(S2N_ERR_SSLV3_HANDSHAKE_WITH_OSSL_1_0_2_FIPS_NOT_SUPPORTED, "SSLv3 handshake is not supported when built with OpenSSL 1.0.2-FIPS") \
+ ERR_ENTRY(S2N_ERR_SSLV3_HANDSHAKE_WITH_OSSL_FIPS_NOT_SUPPORTED, "SSLv3 handshake is not supported when built with OpenSSL-FIPS") \
 ERR_ENTRY(S2N_ERR_CERT_OWNERSHIP, "The ownership of the certificate chain is incompatible with the operation") \
 ERR_ENTRY(S2N_ERR_INTERNAL_LIBCRYPTO_ERROR, "An internal error has occurred in the libcrypto API") \
 ERR_ENTRY(S2N_ERR_NO_RENEGOTIATION, "Only secure, server-initiated renegotiation is supported") \
diff --git a/error/s2n_errno.h b/error/s2n_errno.h
index 2b92a4dd5a5..2dbce076b9e 100644
--- a/error/s2n_errno.h
+++ b/error/s2n_errno.h
@@ -237,7 +237,7 @@ typedef enum {
 S2N_ERR_LIBCRYPTO_VERSION_NUMBER_MISMATCH,
 S2N_ERR_LIBCRYPTO_VERSION_NAME_MISMATCH,
 S2N_ERR_OSSL_PROVIDER,
- S2N_ERR_SSLV3_HANDSHAKE_WITH_OSSL_1_0_2_FIPS_NOT_SUPPORTED,
+ S2N_ERR_SSLV3_HANDSHAKE_WITH_OSSL_FIPS_NOT_SUPPORTED,
 S2N_ERR_TEST_ASSERTION,
 S2N_ERR_T_INTERNAL_END,
diff --git a/tests/unit/s2n_connection_protocol_versions_test.c b/tests/unit/s2n_connection_protocol_versions_test.c
index f8dd07ab5f8..11197ab6ea4 100644
--- a/tests/unit/s2n_connection_protocol_versions_test.c
+++ b/tests/unit/s2n_connection_protocol_versions_test.c
@@ -250,8 +250,8 @@ int main(int argc, char **argv)
 EXPECT_SUCCESS(s2n_io_pair_init_non_blocking(&io_pair));
 EXPECT_SUCCESS(s2n_connections_set_io_pair(client, server, &io_pair));
- if (s2n_is_in_fips_mode() && client->client_protocol_version == S2N_SSLv3 && !S2N_OPENSSL_VERSION_AT_LEAST(1, 0, 3)) {
- EXPECT_ERROR_WITH_ERRNO(s2n_negotiate_test_server_and_client_until_message(server, client, SERVER_CERT), S2N_ERR_SSLV3_HANDSHAKE_WITH_OSSL_1_0_2_FIPS_NOT_SUPPORTED);
+ if (s2n_is_in_fips_mode() && client->client_protocol_version == S2N_SSLv3 && !s2n_libcrypto_is_awslc()) {
+ EXPECT_ERROR_WITH_ERRNO(s2n_negotiate_test_server_and_client_until_message(server, client, SERVER_CERT), S2N_ERR_SSLV3_HANDSHAKE_WITH_OSSL_FIPS_NOT_SUPPORTED);
 }
 EXPECT_OK(s2n_negotiate_test_server_and_client_until_message(server, client, SERVER_CERT));
diff --git a/tests/unit/s2n_crypto_test.c b/tests/unit/s2n_crypto_test.c
index ef5d87ccea4..45e8e0f67b6 100644
--- a/tests/unit/s2n_crypto_test.c
+++ b/tests/unit/s2n_crypto_test.c
@@ -127,7 +127,7 @@ int main()
 * Retrieving the master secret won't vary between FIPS and non-FIPS,
 * so this testing limitation is not a concern.
 */
- if (s2n_is_in_fips_mode() && version == S2N_SSLv3 && !S2N_OPENSSL_VERSION_AT_LEAST(1, 0, 3)) {
+ if (s2n_is_in_fips_mode() && version == S2N_SSLv3 && !s2n_libcrypto_is_awslc()) {
 DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free);
 EXPECT_NOT_NULL(config);
 EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, ecdsa_chain_and_key));
@@ -152,7 +152,7 @@ int main()
 /* SSLv3 Handshake is not supported when built with OpenSSL-1.0.2-FIPS */
 EXPECT_FAILURE_WITH_ERRNO(s2n_negotiate_test_server_and_client(server, client),
- S2N_ERR_SSLV3_HANDSHAKE_WITH_OSSL_1_0_2_FIPS_NOT_SUPPORTED);
+ S2N_ERR_SSLV3_HANDSHAKE_WITH_OSSL_FIPS_NOT_SUPPORTED);
 continue;
 }
diff --git a/tls/s2n_handshake_io.c b/tls/s2n_handshake_io.c
index 4861eb10fda..0559e6cc4ba 100644
--- a/tls/s2n_handshake_io.c
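Review bot: The condition in the `@@ -127` hunk of this file now rejects every non-AWS-LC libcrypto in FIPS mode (`!s2n_libcrypto_is_awslc()`), but the context comment directly above the changed `EXPECT_FAILURE_WITH_ERRNO` in the `@@ -152` hunk still reads `/* SSLv3 Handshake is not supported when built with OpenSSL-1.0.2-FIPS */`, so with the version check gone the comment understates what is being tested. Suggest `/* SSLv3 handshake is not supported in FIPS mode unless the libcrypto is AWS-LC */`, in line with the comment this same commit updates in tls/s2n_handshake_io.c. The `if` block this belongs to begins outside the hunk.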
+++ b/tls/s2n_handshake_io.c
@@ -1608,9 +1608,9 @@ int s2n_negotiate_impl(struct s2n_connection *conn, s2n_blocked_status *blocked)
 POSIX_ENSURE_REF(conn);
 POSIX_ENSURE_REF(blocked);
- /* SSLv3 handshake is not supported when built with openssl-1.0.2-fips */
- if (s2n_is_in_fips_mode() && conn->client_protocol_version == S2N_SSLv3 && !S2N_OPENSSL_VERSION_AT_LEAST(1, 0, 3)) {
- POSIX_BAIL(S2N_ERR_SSLV3_HANDSHAKE_WITH_OSSL_1_0_2_FIPS_NOT_SUPPORTED);
+ /* SSLv3 handshake is not supported when built with openssl-fips */
+ if (s2n_is_in_fips_mode() && conn->client_protocol_version == S2N_SSLv3 && !s2n_libcrypto_is_awslc()) {
+ POSIX_BAIL(S2N_ERR_SSLV3_HANDSHAKE_WITH_OSSL_FIPS_NOT_SUPPORTED);
 }
 while (!s2n_handshake_is_complete(conn) && ACTIVE_MESSAGE(conn) != conn->handshake.end_of_messages) {
From f5ee8f8f932bf20022f697e29c149744e375607e Mon Sep 17 00:00:00 2001
From: Jou Ho
Date: Tue, 16 Jul 2024 17:57:32 +0000
Subject: [PATCH 05/17] cleanup
---
 tests/unit/s2n_connection_protocol_versions_test.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tests/unit/s2n_connection_protocol_versions_test.c b/tests/unit/s2n_connection_protocol_versions_test.c
index 11197ab6ea4..21997c757d7 100644
--- a/tests/unit/s2n_connection_protocol_versions_test.c
+++ b/tests/unit/s2n_connection_protocol_versions_test.c
@@ -251,7 +251,8 @@ int main(int argc, char **argv)
 EXPECT_SUCCESS(s2n_connections_set_io_pair(client, server, &io_pair));
 if (s2n_is_in_fips_mode() && client->client_protocol_version == S2N_SSLv3 && !s2n_libcrypto_is_awslc()) {
- EXPECT_ERROR_WITH_ERRNO(s2n_negotiate_test_server_and_client_until_message(server, client, SERVER_CERT), S2N_ERR_SSLV3_HANDSHAKE_WITH_OSSL_FIPS_NOT_SUPPORTED);
+ EXPECT_ERROR_WITH_ERRNO(s2n_negotiate_test_server_and_client_until_message(server, client, SERVER_CERT),
+ S2N_ERR_SSLV3_HANDSHAKE_WITH_OSSL_FIPS_NOT_SUPPORTED);
 }
 EXPECT_OK(s2n_negotiate_test_server_and_client_until_message(server, client, SERVER_CERT));
From 3818d08ffcd8a436b3cb2aa228f9b58464d02013 Mon Sep 17 00:00:00 2001
From: Jou Ho
Date: Tue, 16 Jul 2024 19:12:43 +0000
Subject: [PATCH 06/17] fix unit test
---
 tests/unit/s2n_connection_protocol_versions_test.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/tests/unit/s2n_connection_protocol_versions_test.c b/tests/unit/s2n_connection_protocol_versions_test.c
index 21997c757d7..eac88a58573 100644
--- a/tests/unit/s2n_connection_protocol_versions_test.c
+++ b/tests/unit/s2n_connection_protocol_versions_test.c
@@ -250,9 +250,11 @@ int main(int argc, char **argv)
 EXPECT_SUCCESS(s2n_io_pair_init_non_blocking(&io_pair));
 EXPECT_SUCCESS(s2n_connections_set_io_pair(client, server, &io_pair));
+ /* SSLv3 handshake is not supported when built with openssl-fips */
 if (s2n_is_in_fips_mode() && client->client_protocol_version == S2N_SSLv3 && !s2n_libcrypto_is_awslc()) {
 EXPECT_ERROR_WITH_ERRNO(s2n_negotiate_test_server_and_client_until_message(server, client, SERVER_CERT),
 S2N_ERR_SSLV3_HANDSHAKE_WITH_OSSL_FIPS_NOT_SUPPORTED);
+ continue;
 }
 EXPECT_OK(s2n_negotiate_test_server_and_client_until_message(server, client, SERVER_CERT));
From 2d7c8959d2af40198318d6cebf809a21c0fdb918 Mon Sep 17 00:00:00 2001
From: Jou Ho
Date: Wed, 17 Jul 2024 19:14:58 +0000
Subject: [PATCH 07/17] move gating logic location
---
 tls/s2n_client_hello.c | 5 +++++
 tls/s2n_handshake_io.c | 5 -----
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/tls/s2n_client_hello.c b/tls/s2n_client_hello.c
index 6055bae3c99..2cc3103ddbe 100644
--- a/tls/s2n_client_hello.c
+++ b/tls/s2n_client_hello.c
@@ -712,6 +712,11 @@ int s2n_client_hello_send(struct s2n_connection *conn)
 conn->actual_protocol_version = MIN(conn->actual_protocol_version, S2N_TLS12);
 }
+ /* SSLv3 handshake is not supported when built with openssl-fips */
+ if (s2n_is_in_fips_mode() && conn->client_protocol_version == S2N_SSLv3 && !s2n_libcrypto_is_awslc()) {
+ POSIX_BAIL(S2N_ERR_SSLV3_HANDSHAKE_WITH_OSSL_FIPS_NOT_SUPPORTED);
+ }
+
 struct s2n_stuffer *out = &conn->handshake.io;
 uint8_t client_protocol_version[S2N_TLS_PROTOCOL_VERSION_LEN] = { 0 };
diff --git a/tls/s2n_handshake_io.c b/tls/s2n_handshake_io.c
index 0559e6cc4ba..33cb4b0f382 100644
--- a/tls/s2n_handshake_io.c
+++ b/tls/s2n_handshake_io.c
@@ -1608,11 +1608,6 @@ int s2n_negotiate_impl(struct s2n_connection *conn, s2n_blocked_status *blocked)
 POSIX_ENSURE_REF(conn);
 POSIX_ENSURE_REF(blocked);
- /* SSLv3 handshake is not supported when built with openssl-fips */
- if (s2n_is_in_fips_mode() && conn->client_protocol_version == S2N_SSLv3 && !s2n_libcrypto_is_awslc()) {
- POSIX_BAIL(S2N_ERR_SSLV3_HANDSHAKE_WITH_OSSL_FIPS_NOT_SUPPORTED);
- }
-
 while (!s2n_handshake_is_complete(conn) && ACTIVE_MESSAGE(conn) != conn->handshake.end_of_messages) {
 errno = 0;
 s2n_errno = S2N_ERR_OK;
From 8f309a312df4cfd7e6322675d447a97e98d8a38f Mon Sep 17 00:00:00 2001
From: Jou Ho
Date: Thu, 25 Jul 2024 23:02:51 +0000
Subject: [PATCH 08/17] allow sslv3 handshake for ossl-1.0.2-fips
---
 crypto/s2n_hmac.c | 4 ----
 tls/s2n_prf.c | 4 ++++
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/crypto/s2n_hmac.c b/crypto/s2n_hmac.c
index 96466708194..90ab238e345 100644
--- a/crypto/s2n_hmac.c
+++ b/crypto/s2n_hmac.c
@@ -82,10 +82,6 @@ bool s2n_hmac_is_available(s2n_hmac_algorithm hmac_alg)
 case S2N_HMAC_MD5:
 case S2N_HMAC_SSLv3_MD5:
 case S2N_HMAC_SSLv3_SHA1:
- /* Some libcryptos, such as OpenSSL, disable MD5 by default when in FIPS mode, which is
- * required in order to negotiate SSLv3. However, this is supported in AWS-LC.
- */
- return !s2n_is_in_fips_mode() || s2n_libcrypto_is_awslc();
 case S2N_HMAC_NONE:
 case S2N_HMAC_SHA1:
 case S2N_HMAC_SHA224:
diff --git a/tls/s2n_prf.c b/tls/s2n_prf.c
index 8ae6602d61f..241feb2541b 100644
--- a/tls/s2n_prf.c
+++ b/tls/s2n_prf.c
@@ -157,6 +157,10 @@ static int s2n_sslv3_prf(struct s2n_connection *conn, struct s2n_blob *secret, s
 struct s2n_hash_state *md5 = workspace;
 POSIX_GUARD(s2n_hash_reset(md5));
+ /* enable md5 flag in fips mode */
+ if (s2n_is_in_fips_mode() && conn->actual_protocol_version < S2N_TLS12) {
+ POSIX_GUARD(s2n_hash_allow_md5_for_fips(workspace));
+ }
 POSIX_GUARD(s2n_hash_init(md5, S2N_HASH_MD5));
 POSIX_GUARD(s2n_hash_update(md5, secret->data, secret->size));
 POSIX_GUARD(s2n_hash_update(md5, sha_digest, sizeof(sha_digest)));
From 8297f40bdaddeacc40c3a766417f9c8f31a86421 Mon Sep 17 00:00:00 2001
From: Jou Ho
Date: Thu, 25 Jul 2024 23:45:15 +0000
Subject: [PATCH 09/17] fix cbmc harness
---
 .../proofs/s2n_hmac_is_available/s2n_hmac_is_available_harness.c | 1 -
 1 file changed, 1 deletion(-)
diff --git a/tests/cbmc/proofs/s2n_hmac_is_available/s2n_hmac_is_available_harness.c b/tests/cbmc/proofs/s2n_hmac_is_available/s2n_hmac_is_available_harness.c
index daa3a074812..6410f076f2b 100644
--- a/tests/cbmc/proofs/s2n_hmac_is_available/s2n_hmac_is_available_harness.c
+++ b/tests/cbmc/proofs/s2n_hmac_is_available/s2n_hmac_is_available_harness.c
@@ -34,7 +34,6 @@ void s2n_hmac_is_available_harness()
 case S2N_HASH_MD5:
 case S2N_HMAC_SSLv3_MD5:
 case S2N_HMAC_SSLv3_SHA1:
- assert(is_available == !s2n_is_in_fips_mode() || s2n_libcrypto_is_awslc());
 break;
 case S2N_HASH_NONE:
 case S2N_HASH_SHA1:
 case S2N_HASH_SHA224:
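Review bot: Deleting the `return` makes `S2N_HMAC_MD5`, `S2N_HMAC_SSLv3_MD5` and `S2N_HMAC_SSLv3_SHA1` fall through to the cases below (presumably the unconditional-true path), so plain HMAC-MD5 — used by TLS 1.0–1.2 cipher suites, not only by the SSLv3 handshake the subject names — is now reported available in FIPS mode on every libcrypto. Nothing in this commit enables MD5 for the HMAC's own hash states (PATCH 11 and PATCH 12 have a test do that by hand for four internal states), so an MD5-MAC cipher suite could be selected and then fail at `s2n_hmac_init`. If only the SSLv3 PRF needs MD5, keep the gate for the two MD5 HMAC cases and drop it just for `case S2N_HMAC_SSLv3_SHA1:`, which is where PATCH 16 ends up. The switch this belongs to continues outside the hunk.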
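Review bot: Inside `s2n_sslv3_prf` the condition `conn->actual_protocol_version < S2N_TLS12` is either redundant (if this PRF is only reached for SSLv3) or a sign the function also serves TLS 1.0/1.1, which the hunk does not show; either way the comment `/* enable md5 flag in fips mode */` repeats what the next line does instead of why relaxing the FIPS digest check is acceptable here, and that justification is what anyone auditing the FIPS boundary needs. Suggest a why-comment with the rationale and its source, e.g. `/* The legacy PRF is defined over MD5; FIPS mode permits it for this construction (see <FIPS guidance reference>), so the check is relaxed for this workspace only */`. If this sits inside the per-block loop after `s2n_hash_reset(md5)`, add whether reset clears the flag, since otherwise the call belongs before the loop. The function starts and ends outside the hunk.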
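Review bot: The assertion for the MD5/SSLv3 cases is deleted rather than updated, so the CBMC proof no longer states anything about `is_available` for those algorithms; after PATCH 08 the expected value appears to be `true`, and `assert(is_available);` would keep that property proven instead of leaving the three cases silently unverified. If the expectation is still being decided, a comment saying so beats an empty case, e.g. `/* TODO: expected availability for MD5-based HMACs in FIPS mode is being reworked */`. The harness function continues outside the hunk.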
From be3630d7ec444a6af26535f6edeaa504b11bdafd Mon Sep 17 00:00:00 2001
From: Jou Ho
Date: Fri, 26 Jul 2024 00:11:01 +0000
Subject: [PATCH 10/17] test: allow md5 for fips
---
 error/s2n_errno.c | 1 -
 error/s2n_errno.h | 1 -
 .../s2n_connection_protocol_versions_test.c | 7 ----
 tests/unit/s2n_crypto_test.c | 33 -------------------
 tls/s2n_client_hello.c | 5 ---
 5 files changed, 47 deletions(-)
diff --git a/error/s2n_errno.c b/error/s2n_errno.c
index 77b4a596a3d..ebc5eca84a7 100644
--- a/error/s2n_errno.c
+++ b/error/s2n_errno.c
@@ -292,7 +292,6 @@ static const char *no_such_error = "Internal s2n error";
 ERR_ENTRY(S2N_ERR_LIBCRYPTO_VERSION_NUMBER_MISMATCH, "The libcrypto major version number seen at compile-time is different from the major version number seen at run-time") \
 ERR_ENTRY(S2N_ERR_LIBCRYPTO_VERSION_NAME_MISMATCH, "The libcrypto major version name seen at compile-time is different from the major version name seen at run-time") \
 ERR_ENTRY(S2N_ERR_OSSL_PROVIDER, "Failed to load or unload an openssl provider") \
- ERR_ENTRY(S2N_ERR_SSLV3_HANDSHAKE_WITH_OSSL_FIPS_NOT_SUPPORTED, "SSLv3 handshake is not supported when built with OpenSSL-FIPS") \
 ERR_ENTRY(S2N_ERR_CERT_OWNERSHIP, "The ownership of the certificate chain is incompatible with the operation") \
 ERR_ENTRY(S2N_ERR_INTERNAL_LIBCRYPTO_ERROR, "An internal error has occurred in the libcrypto API") \
 ERR_ENTRY(S2N_ERR_NO_RENEGOTIATION, "Only secure, server-initiated renegotiation is supported") \
diff --git a/error/s2n_errno.h b/error/s2n_errno.h
index 0f52ce472b8..9e8a752e183 100644
--- a/error/s2n_errno.h
+++ b/error/s2n_errno.h
@@ -237,7 +237,6 @@ typedef enum {
 S2N_ERR_LIBCRYPTO_VERSION_NUMBER_MISMATCH,
 S2N_ERR_LIBCRYPTO_VERSION_NAME_MISMATCH,
 S2N_ERR_OSSL_PROVIDER,
- S2N_ERR_SSLV3_HANDSHAKE_WITH_OSSL_FIPS_NOT_SUPPORTED,
 S2N_ERR_BAD_HEX,
 S2N_ERR_TEST_ASSERTION,
 S2N_ERR_T_INTERNAL_END,
diff --git a/tests/unit/s2n_connection_protocol_versions_test.c b/tests/unit/s2n_connection_protocol_versions_test.c
index eac88a58573..ecd58666140 100644
--- a/tests/unit/s2n_connection_protocol_versions_test.c
+++ b/tests/unit/s2n_connection_protocol_versions_test.c
@@ -14,7 +14,6 @@
 */
 #include "api/s2n.h"
-#include "crypto/s2n_fips.h"
 #include "s2n_test.h"
 #include "testlib/s2n_testlib.h"
 #include "tls/s2n_tls.h"
@@ -250,12 +249,6 @@ int main(int argc, char **argv)
 EXPECT_SUCCESS(s2n_io_pair_init_non_blocking(&io_pair));
 EXPECT_SUCCESS(s2n_connections_set_io_pair(client, server, &io_pair));
- /* SSLv3 handshake is not supported when built with openssl-fips */
- if (s2n_is_in_fips_mode() && client->client_protocol_version == S2N_SSLv3 && !s2n_libcrypto_is_awslc()) {
- EXPECT_ERROR_WITH_ERRNO(s2n_negotiate_test_server_and_client_until_message(server, client, SERVER_CERT),
- S2N_ERR_SSLV3_HANDSHAKE_WITH_OSSL_FIPS_NOT_SUPPORTED);
- continue;
- }
 EXPECT_OK(s2n_negotiate_test_server_and_client_until_message(server, client, SERVER_CERT));
 EXPECT_EQUAL(s2n_connection_get_server_protocol_version(client), server_version);
diff --git a/tests/unit/s2n_crypto_test.c b/tests/unit/s2n_crypto_test.c
index 45e8e0f67b6..744f25c4b99 100644
--- a/tests/unit/s2n_crypto_test.c
+++ b/tests/unit/s2n_crypto_test.c
@@ -123,39 +123,6 @@ int main()
 for (size_t i = 0; i < s2n_array_len(supported_versions); i++) {
 const uint8_t version = supported_versions[i];
- /* See https://github.com/aws/s2n-tls/issues/4476
- * Retrieving the master secret won't vary between FIPS and non-FIPS,
- * so this testing limitation is not a concern.
- */
- if (s2n_is_in_fips_mode() && version == S2N_SSLv3 && !s2n_libcrypto_is_awslc()) {
- DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free);
- EXPECT_NOT_NULL(config);
- EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, ecdsa_chain_and_key));
- EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(config));
- EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "test_all"));
-
- DEFER_CLEANUP(struct s2n_connection *client = s2n_connection_new(S2N_CLIENT),
- s2n_connection_ptr_free);
- EXPECT_NOT_NULL(client);
- EXPECT_SUCCESS(s2n_connection_set_config(client, config));
- client->client_protocol_version = version;
-
- DEFER_CLEANUP(struct s2n_connection *server = s2n_connection_new(S2N_SERVER),
- s2n_connection_ptr_free);
- EXPECT_NOT_NULL(server);
- EXPECT_SUCCESS(s2n_connection_set_config(server, config));
- memset(server->secrets.version.tls12.master_secret, 1, S2N_TLS_SECRET_LEN);
-
- struct s2n_test_io_pair io_pair = { 0 };
- EXPECT_SUCCESS(s2n_io_pair_init_non_blocking(&io_pair));
- EXPECT_SUCCESS(s2n_connections_set_io_pair(client, server, &io_pair));
-
- /* SSLv3 Handshake is not supported when built with OpenSSL-1.0.2-FIPS */
- EXPECT_FAILURE_WITH_ERRNO(s2n_negotiate_test_server_and_client(server, client),
- S2N_ERR_SSLV3_HANDSHAKE_WITH_OSSL_FIPS_NOT_SUPPORTED);
- continue;
- }
-
 DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free);
 EXPECT_NOT_NULL(config);
 EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, ecdsa_chain_and_key));
diff --git a/tls/s2n_client_hello.c b/tls/s2n_client_hello.c
index 2cc3103ddbe..6055bae3c99 100644
--- a/tls/s2n_client_hello.c
+++ b/tls/s2n_client_hello.c
@@ -712,11 +712,6 @@ int s2n_client_hello_send(struct s2n_connection *conn)
 conn->actual_protocol_version = MIN(conn->actual_protocol_version, S2N_TLS12);
 }
- /* SSLv3 handshake is not supported when built with openssl-fips */
- if (s2n_is_in_fips_mode() && conn->client_protocol_version == S2N_SSLv3 && !s2n_libcrypto_is_awslc()) {
- POSIX_BAIL(S2N_ERR_SSLV3_HANDSHAKE_WITH_OSSL_FIPS_NOT_SUPPORTED);
- }
-
 struct s2n_stuffer *out = &conn->handshake.io;
 uint8_t client_protocol_version[S2N_TLS_PROTOCOL_VERSION_LEN] = { 0 };
From bfb7f2c1b359b71fe48a35a833ec4a4741ac53e2 Mon Sep 17 00:00:00 2001
From: Jou Ho
Date: Fri, 26 Jul 2024 00:51:08 +0000
Subject: [PATCH 11/17] enable md5 for hmac init
---
 tests/unit/s2n_hmac_test.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/tests/unit/s2n_hmac_test.c b/tests/unit/s2n_hmac_test.c
index 74fe6fc9033..9e2a0e5d4ce 100644
--- a/tests/unit/s2n_hmac_test.c
+++ b/tests/unit/s2n_hmac_test.c
@@ -52,6 +52,10 @@ int main(int argc, char **argv)
 uint8_t hmac_sslv3_md5_size = 0;
 POSIX_GUARD(s2n_hmac_digest_size(S2N_HMAC_SSLv3_MD5, &hmac_sslv3_md5_size));
 EXPECT_EQUAL(hmac_sslv3_md5_size, 16);
+ if (s2n_is_in_fips_mode()) {
+ POSIX_GUARD(s2n_hash_allow_md5_for_fips(&hmac.inner));
+ POSIX_GUARD(s2n_hash_allow_md5_for_fips(&hmac.outer));
+ }
 EXPECT_SUCCESS(s2n_hmac_init(&hmac, S2N_HMAC_SSLv3_MD5, sekrit, strlen((char *) sekrit)));
 EXPECT_SUCCESS(s2n_hmac_update(&hmac, hello, strlen((char *) hello)));
 EXPECT_SUCCESS(s2n_hmac_digest(&hmac, digest_pad, 16));
From 217475887a3a0e22f18ac562df7b76380260c922 Mon Sep 17 00:00:00 2001
From: Jou Ho
Date: Fri, 26 Jul 2024 20:38:00 +0000
Subject: [PATCH 12/17] fix hmac test
---
 tests/unit/s2n_hmac_test.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/tests/unit/s2n_hmac_test.c b/tests/unit/s2n_hmac_test.c
index 9e2a0e5d4ce..dc76e7eb516 100644
--- a/tests/unit/s2n_hmac_test.c
+++ b/tests/unit/s2n_hmac_test.c
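Review bot: The test reaches into `struct s2n_hmac_state` and calls `s2n_hash_allow_md5_for_fips` on `hmac.inner` and `hmac.outer` before `s2n_hmac_init`; PATCH 12 then has to add `inner_just_key` and `outer_just_key` as well, which shows a caller cannot know how many hash states an HMAC carries. If an SSLv3-MD5 HMAC under FIPS mode is a supported configuration, that enabling belongs inside `s2n_hmac_init` (or an hmac-level helper in crypto/s2n_hmac.c) so production callers get the same behaviour as the test; as written only this test enables it, and the same applies to the test-local helper PATCH 13 adds. main() continues outside the hunk.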
@@ -54,7 +54,9 @@ int main(int argc, char **argv)
 EXPECT_EQUAL(hmac_sslv3_md5_size, 16);
 if (s2n_is_in_fips_mode()) {
 POSIX_GUARD(s2n_hash_allow_md5_for_fips(&hmac.inner));
+ POSIX_GUARD(s2n_hash_allow_md5_for_fips(&hmac.inner_just_key));
 POSIX_GUARD(s2n_hash_allow_md5_for_fips(&hmac.outer));
+ POSIX_GUARD(s2n_hash_allow_md5_for_fips(&hmac.outer_just_key));
 }
 EXPECT_SUCCESS(s2n_hmac_init(&hmac, S2N_HMAC_SSLv3_MD5, sekrit, strlen((char *) sekrit)));
 EXPECT_SUCCESS(s2n_hmac_update(&hmac, hello, strlen((char *) hello)));
From 0afd9d1486da639f4d6450fcc0ed01409f3cd87d Mon Sep 17 00:00:00 2001
From: Jou Ho
Date: Sat, 27 Jul 2024 00:06:21 +0000
Subject: [PATCH 13/17] address PR feedback
---
 tests/unit/s2n_hmac_test.c | 18 ++++++++++++------
 tls/s2n_prf.c | 2 +-
 2 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/tests/unit/s2n_hmac_test.c b/tests/unit/s2n_hmac_test.c
index dc76e7eb516..fdbab958abd 100644
--- a/tests/unit/s2n_hmac_test.c
+++ b/tests/unit/s2n_hmac_test.c
@@ -24,6 +24,17 @@
 #include "testlib/s2n_testlib.h"
 #include "utils/s2n_safety.h"
+static S2N_RESULT s2n_allow_md5_for_fips(struct s2n_hmac_state *hmac)
+{
+ if (s2n_is_in_fips_mode()) {
+ RESULT_GUARD_POSIX(s2n_hash_allow_md5_for_fips(&hmac->inner));
+ RESULT_GUARD_POSIX(s2n_hash_allow_md5_for_fips(&hmac->inner_just_key));
+ RESULT_GUARD_POSIX(s2n_hash_allow_md5_for_fips(&hmac->outer));
+ RESULT_GUARD_POSIX(s2n_hash_allow_md5_for_fips(&hmac->outer_just_key));
+ }
+ return S2N_RESULT_OK;
+}
+
 int main(int argc, char **argv)
 {
 uint8_t digest_pad[256];
@@ -52,12 +63,7 @@ int main(int argc, char **argv)
 uint8_t hmac_sslv3_md5_size = 0;
 POSIX_GUARD(s2n_hmac_digest_size(S2N_HMAC_SSLv3_MD5, &hmac_sslv3_md5_size));
 EXPECT_EQUAL(hmac_sslv3_md5_size, 16);
- if (s2n_is_in_fips_mode()) {
- POSIX_GUARD(s2n_hash_allow_md5_for_fips(&hmac.inner));
- POSIX_GUARD(s2n_hash_allow_md5_for_fips(&hmac.inner_just_key));
- POSIX_GUARD(s2n_hash_allow_md5_for_fips(&hmac.outer));
- POSIX_GUARD(s2n_hash_allow_md5_for_fips(&hmac.outer_just_key));
- }
+ EXPECT_OK(allow_md5_for_fips_if_needed(&hmac));
 EXPECT_SUCCESS(s2n_hmac_init(&hmac, S2N_HMAC_SSLv3_MD5, sekrit, strlen((char *) sekrit)));
 EXPECT_SUCCESS(s2n_hmac_update(&hmac, hello, strlen((char *) hello)));
 EXPECT_SUCCESS(s2n_hmac_digest(&hmac, digest_pad, 16));
diff --git a/tls/s2n_prf.c b/tls/s2n_prf.c
index c6daa5243d8..2a1aff3c73b 100644
--- a/tls/s2n_prf.c
+++ b/tls/s2n_prf.c
@@ -157,7 +157,7 @@ static int s2n_sslv3_prf(struct s2n_connection *conn, struct s2n_blob *secret, s
 struct s2n_hash_state *md5 = workspace;
 POSIX_GUARD(s2n_hash_reset(md5));
- /* enable md5 flag in fips mode */
+ /* FIPS specifically allows MD5 for the legacy PRF */
 if (s2n_is_in_fips_mode() && conn->actual_protocol_version < S2N_TLS12) {
 POSIX_GUARD(s2n_hash_allow_md5_for_fips(workspace));
 }
From 9b8647b174e7230ebbb29cd7c3b08e84e7a744e0 Mon Sep 17 00:00:00 2001
From: Jou Ho
Date: Sat, 27 Jul 2024 00:08:56 +0000
Subject: [PATCH 14/17] address PR feedback
---
 tests/unit/s2n_hmac_test.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/unit/s2n_hmac_test.c b/tests/unit/s2n_hmac_test.c
index fdbab958abd..8b2120699ec 100644
--- a/tests/unit/s2n_hmac_test.c
+++ b/tests/unit/s2n_hmac_test.c
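Review bot: The call `EXPECT_OK(allow_md5_for_fips_if_needed(&hmac));` does not match the helper this same commit defines in the previous hunk, `static S2N_RESULT s2n_allow_md5_for_fips(struct s2n_hmac_state *hmac)`, so the commit does not compile on its own; rename one side, e.g. `EXPECT_OK(s2n_allow_md5_for_fips(&hmac));` (which PATCH 14 then does). Keeping every commit buildable matters for bisecting. main() continues outside the hunk.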
@@ -63,7 +63,7 @@ int main(int argc, char **argv)
 uint8_t hmac_sslv3_md5_size = 0;
 POSIX_GUARD(s2n_hmac_digest_size(S2N_HMAC_SSLv3_MD5, &hmac_sslv3_md5_size));
 EXPECT_EQUAL(hmac_sslv3_md5_size, 16);
- EXPECT_OK(allow_md5_for_fips_if_needed(&hmac));
+ EXPECT_OK(s2n_allow_md5_for_fips(&hmac));
 EXPECT_SUCCESS(s2n_hmac_init(&hmac, S2N_HMAC_SSLv3_MD5, sekrit, strlen((char *) sekrit)));
 EXPECT_SUCCESS(s2n_hmac_update(&hmac, hello, strlen((char *) hello)));
 EXPECT_SUCCESS(s2n_hmac_digest(&hmac, digest_pad, 16));
From 67a41fa06166b73bf8b3d1f6ad919195b355e290 Mon Sep 17 00:00:00 2001
From: Jou Ho
Date: Mon, 29 Jul 2024 19:24:48 +0000
Subject: [PATCH 15/17] remove duplicate flag activation
---
 tls/s2n_prf.c | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/tls/s2n_prf.c b/tls/s2n_prf.c
index 2a1aff3c73b..614a8818fa8 100644
--- a/tls/s2n_prf.c
+++ b/tls/s2n_prf.c
@@ -122,11 +122,6 @@ static int s2n_sslv3_prf(struct s2n_connection *conn, struct s2n_blob *secret, s
 POSIX_ENSURE_REF(conn->handshake.hashes);
 struct s2n_hash_state *workspace = &conn->handshake.hashes->hash_workspace;
- /* FIPS specifically allows MD5 for the legacy PRF */
- if (s2n_is_in_fips_mode() && conn->actual_protocol_version < S2N_TLS12) {
- POSIX_GUARD(s2n_hash_allow_md5_for_fips(workspace));
- }
-
 uint32_t outputlen = out->size;
 uint8_t *output = out->data;
 uint8_t iteration = 1;
From 7b3584bb460900a233158cc62a6755973a6a3a1c Mon Sep 17 00:00:00 2001
From: Jou Ho
Date: Tue, 30 Jul 2024 21:45:49 +0000
Subject: [PATCH 16/17] address PR feedback - fix s2n_hmac_is_available conditions
---
 crypto/s2n_hmac.c | 4 ++++
 .../s2n_hmac_is_available_harness.c | 1 +
 tests/unit/s2n_hmac_test.c | 12 ------------
 tests/unit/s2n_sslv3_test.c | 2 +-
 4 files changed, 6 insertions(+), 13 deletions(-)
diff --git a/crypto/s2n_hmac.c b/crypto/s2n_hmac.c
index 90ab238e345..3b519c1f72a 100644
--- a/crypto/s2n_hmac.c
+++ b/crypto/s2n_hmac.c
@@ -81,6 +81,10 @@ bool s2n_hmac_is_available(s2n_hmac_algorithm hmac_alg)
 switch(hmac_alg) {
 case S2N_HMAC_MD5:
 case S2N_HMAC_SSLv3_MD5:
+ /* Some libcryptos, such as OpenSSL, disable MD5 by default when in FIPS mode, which is
+ * required in order to negotiate SSLv3. However, this is supported in AWS-LC.
+ */
+ return !s2n_is_in_fips_mode() || s2n_libcrypto_is_awslc();
 case S2N_HMAC_SSLv3_SHA1:
 case S2N_HMAC_NONE:
 case S2N_HMAC_SHA1:
diff --git a/tests/cbmc/proofs/s2n_hmac_is_available/s2n_hmac_is_available_harness.c b/tests/cbmc/proofs/s2n_hmac_is_available/s2n_hmac_is_available_harness.c
index 6410f076f2b..9c9fba4ec5a 100644
--- a/tests/cbmc/proofs/s2n_hmac_is_available/s2n_hmac_is_available_harness.c
+++ b/tests/cbmc/proofs/s2n_hmac_is_available/s2n_hmac_is_available_harness.c
@@ -33,6 +33,7 @@ void s2n_hmac_is_available_harness()
 switch (hmac_alg) {
 case S2N_HASH_MD5:
 case S2N_HMAC_SSLv3_MD5:
+ assert(is_available == !s2n_is_in_fips_mode() || s2n_libcrypto_is_awslc());
 break;
 case S2N_HMAC_SSLv3_SHA1:
 case S2N_HASH_NONE:
 case S2N_HASH_SHA1:
diff --git a/tests/unit/s2n_hmac_test.c b/tests/unit/s2n_hmac_test.c
index 8b2120699ec..74fe6fc9033 100644
--- a/tests/unit/s2n_hmac_test.c
+++ b/tests/unit/s2n_hmac_test.c
@@ -24,17 +24,6 @@
 #include "testlib/s2n_testlib.h"
 #include "utils/s2n_safety.h"
-static S2N_RESULT s2n_allow_md5_for_fips(struct s2n_hmac_state *hmac)
-{
- if (s2n_is_in_fips_mode()) {
- RESULT_GUARD_POSIX(s2n_hash_allow_md5_for_fips(&hmac->inner));
- RESULT_GUARD_POSIX(s2n_hash_allow_md5_for_fips(&hmac->inner_just_key));
- RESULT_GUARD_POSIX(s2n_hash_allow_md5_for_fips(&hmac->outer));
- RESULT_GUARD_POSIX(s2n_hash_allow_md5_for_fips(&hmac->outer_just_key));
- }
- return S2N_RESULT_OK;
-}
-
 int main(int argc, char **argv)
 {
 uint8_t digest_pad[256];
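Review bot: `assert(is_available == !s2n_is_in_fips_mode() || s2n_libcrypto_is_awslc());` parses as `(is_available == !s2n_is_in_fips_mode()) || s2n_libcrypto_is_awslc()` because `==` binds tighter than `||`, so under AWS-LC the assertion is vacuously true and the proof would not notice `s2n_hmac_is_available` returning false for these cases. The property being proved is the `return` restored in crypto/s2n_hmac.c by this same commit, so parenthesize the right-hand side: `assert(is_available == (!s2n_is_in_fips_mode() || s2n_libcrypto_is_awslc()));`. The line PATCH 09 removed had the same precedence problem. The harness switch continues outside the hunk.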
@@ -63,7 +52,6 @@ int main(int argc, char **argv)
 uint8_t hmac_sslv3_md5_size = 0;
 POSIX_GUARD(s2n_hmac_digest_size(S2N_HMAC_SSLv3_MD5, &hmac_sslv3_md5_size));
 EXPECT_EQUAL(hmac_sslv3_md5_size, 16);
- EXPECT_OK(s2n_allow_md5_for_fips(&hmac));
 EXPECT_SUCCESS(s2n_hmac_init(&hmac, S2N_HMAC_SSLv3_MD5, sekrit, strlen((char *) sekrit)));
 EXPECT_SUCCESS(s2n_hmac_update(&hmac, hello, strlen((char *) hello)));
 EXPECT_SUCCESS(s2n_hmac_digest(&hmac, digest_pad, 16));
diff --git a/tests/unit/s2n_sslv3_test.c b/tests/unit/s2n_sslv3_test.c
index 58b194ac83e..03b7a919347 100644
--- a/tests/unit/s2n_sslv3_test.c
+++ b/tests/unit/s2n_sslv3_test.c
@@ -53,7 +53,7 @@ int main(int argc, char **argv)
 {
 BEGIN_TEST();
- if (!s2n_hmac_is_available(S2N_HMAC_SSLv3_MD5)) {
+ if (!s2n_hmac_is_available(S2N_HMAC_SSLv3_SHA1)) {
 /* AWS-LC should support SSLv3. */
 EXPECT_FALSE(s2n_libcrypto_is_awslc());
From 2ce2a34195fbc29a3cab7628f26072a0bf94dc94 Mon Sep 17 00:00:00 2001
From: Jou Ho
Date: Tue, 30 Jul 2024 22:45:43 +0000
Subject: [PATCH 17/17] address PR feedback - remove check for s2n_hmac_is_available(S2N_HMAC_SSLv3_SHA1)
---
 tests/unit/s2n_sslv3_test.c | 8 --------
 1 file changed, 8 deletions(-)
diff --git a/tests/unit/s2n_sslv3_test.c b/tests/unit/s2n_sslv3_test.c
index 03b7a919347..d0a5635f2dd 100644
--- a/tests/unit/s2n_sslv3_test.c
+++ b/tests/unit/s2n_sslv3_test.c
@@ -53,14 +53,6 @@ int main(int argc, char **argv)
 {
 BEGIN_TEST();
- if (!s2n_hmac_is_available(S2N_HMAC_SSLv3_SHA1)) {
- /* AWS-LC should support SSLv3. */
- EXPECT_FALSE(s2n_libcrypto_is_awslc());
-
- /* Other libcryptos may not support SSLv3, so the tests are skipped. */
- END_TEST();
- }
-
 DEFER_CLEANUP(struct s2n_cert_chain_and_key *rsa_chain_and_key = NULL, s2n_cert_chain_and_key_ptr_free);
 EXPECT_SUCCESS(s2n_test_cert_chain_and_key_new(&rsa_chain_and_key, S2N_DEFAULT_TEST_CERT_CHAIN, S2N_DEFAULT_TEST_PRIVATE_KEY));