1 files changed, 200 insertions, 0 deletions

diff --git a/openssl-1.1.1-fips-curves.patch b/openssl-1.1.1-fips-curves.patch
new file mode 100644
index 0000000..33e9fc5
--- /dev/null
+++ b/openssl-1.1.1-fips-curves.patch
@@ -0,0 +1,200 @@
+diff -up openssl-1.1.1g/crypto/ec/ec_curve.c.fips-curves openssl-1.1.1g/crypto/ec/ec_curve.c
+--- openssl-1.1.1g/crypto/ec/ec_curve.c.fips-curves	2020-05-18 12:59:54.839643980 +0200
++++ openssl-1.1.1g/crypto/ec/ec_curve.c	2020-05-18 12:59:54.852644093 +0200
+@@ -13,6 +13,7 @@
+ #include <openssl/err.h>
+ #include <openssl/obj_mac.h>
+ #include <openssl/opensslconf.h>
++#include <openssl/crypto.h>
+ #include "internal/nelem.h"
+ 
+ typedef struct {
+@@ -237,6 +238,7 @@ static const struct {
+ 
+ typedef struct _ec_list_element_st {
+     int nid;
++    int fips_allowed;
+     const EC_CURVE_DATA *data;
+     const EC_METHOD *(*meth) (void);
+     const char *comment;
+@@ -246,23 +248,23 @@ static const ec_list_element curve_list[
+     /* prime field curves */
+     /* secg curves */
+ #ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
+-    {NID_secp224r1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method,
++    {NID_secp224r1, 1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method,
+      "NIST/SECG curve over a 224 bit prime field"},
+ #else
+-    {NID_secp224r1, &_EC_NIST_PRIME_224.h, 0,
++    {NID_secp224r1, 1, &_EC_NIST_PRIME_224.h, 0,
+      "NIST/SECG curve over a 224 bit prime field"},
+ #endif
+-    {NID_secp256k1, &_EC_SECG_PRIME_256K1.h, 0,
++    {NID_secp256k1, 0, &_EC_SECG_PRIME_256K1.h, 0,
+      "SECG curve over a 256 bit prime field"},
+     /* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
+-    {NID_secp384r1, &_EC_NIST_PRIME_384.h,
++    {NID_secp384r1, 1, &_EC_NIST_PRIME_384.h,
+ # if defined(S390X_EC_ASM)
+      EC_GFp_s390x_nistp384_method,
+ # else
+      0,
+ # endif
+      "NIST/SECG curve over a 384 bit prime field"},
+-    {NID_secp521r1, &_EC_NIST_PRIME_521.h,
++    {NID_secp521r1, 1, &_EC_NIST_PRIME_521.h,
+ # if defined(S390X_EC_ASM)
+      EC_GFp_s390x_nistp521_method,
+ # elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
+@@ -272,7 +274,7 @@ static const ec_list_element curve_list[
+ # endif
+      "NIST/SECG curve over a 521 bit prime field"},
+     /* X9.62 curves */
+-    {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h,
++    {NID_X9_62_prime256v1, 1, &_EC_X9_62_PRIME_256V1.h,
+ #if defined(ECP_NISTZ256_ASM)
+      EC_GFp_nistz256_method,
+ # elif defined(S390X_EC_ASM)
+@@ -404,6 +406,10 @@ EC_GROUP *EC_GROUP_new_by_curve_name(int
+ 
+     for (i = 0; i < curve_list_length; i++)
+         if (curve_list[i].nid == nid) {
++            if (!curve_list[i].fips_allowed && FIPS_mode()) {
++                ECerr(EC_F_EC_GROUP_NEW_BY_CURVE_NAME, EC_R_NOT_A_NIST_PRIME);
++                return NULL;
++            }
+             ret = ec_group_new_from_data(curve_list[i]);
+             break;
+         }
+@@ -418,19 +424,31 @@ EC_GROUP *EC_GROUP_new_by_curve_name(int
+ 
+ size_t EC_get_builtin_curves(EC_builtin_curve *r, size_t nitems)
+ {
+-    size_t i, min;
++    size_t i, j, num;
++    int fips_mode = FIPS_mode();
+ 
+-    if (r == NULL || nitems == 0)
+-        return curve_list_length;
++    num = curve_list_length;
++    if (fips_mode)
++        for (i = 0; i < curve_list_length; i++) {
++            if (!curve_list[i].fips_allowed)
++                --num;
++        }
+ 
+-    min = nitems < curve_list_length ? nitems : curve_list_length;
++    if (r == NULL || nitems == 0) {
++        return num;
++    }
+ 
+-    for (i = 0; i < min; i++) {
+-        r[i].nid = curve_list[i].nid;
+-        r[i].comment = curve_list[i].comment;
++    for (i = 0, j = 0; i < curve_list_length; i++) {
++        if (j >= nitems)
++            break;
++        if (!fips_mode || curve_list[i].fips_allowed) {
++            r[j].nid = curve_list[i].nid;
++            r[j].comment = curve_list[i].comment;
++            ++j;
++        }
+     }
+ 
+-    return curve_list_length;
++    return num;
+ }
+ 
+ /* Functions to translate between common NIST curve names and NIDs */
+diff -up openssl-1.1.1g/ssl/t1_lib.c.fips-curves openssl-1.1.1g/ssl/t1_lib.c
+--- openssl-1.1.1g/ssl/t1_lib.c.fips-curves	2020-05-18 12:59:54.797643616 +0200
++++ openssl-1.1.1g/ssl/t1_lib.c	2020-05-18 13:03:54.748725463 +0200
+@@ -678,6 +678,36 @@ static const uint16_t tls12_sigalgs[] =
+ #endif
+ };
+ 
++static const uint16_t tls12_fips_sigalgs[] = {
++#ifndef OPENSSL_NO_EC
++    TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
++    TLSEXT_SIGALG_ecdsa_secp384r1_sha384,
++    TLSEXT_SIGALG_ecdsa_secp521r1_sha512,
++#endif
++
++    TLSEXT_SIGALG_rsa_pss_pss_sha256,
++    TLSEXT_SIGALG_rsa_pss_pss_sha384,
++    TLSEXT_SIGALG_rsa_pss_pss_sha512,
++    TLSEXT_SIGALG_rsa_pss_rsae_sha256,
++    TLSEXT_SIGALG_rsa_pss_rsae_sha384,
++    TLSEXT_SIGALG_rsa_pss_rsae_sha512,
++
++    TLSEXT_SIGALG_rsa_pkcs1_sha256,
++    TLSEXT_SIGALG_rsa_pkcs1_sha384,
++    TLSEXT_SIGALG_rsa_pkcs1_sha512,
++
++#ifndef OPENSSL_NO_EC
++    TLSEXT_SIGALG_ecdsa_sha224,
++#endif
++    TLSEXT_SIGALG_rsa_pkcs1_sha224,
++#ifndef OPENSSL_NO_DSA
++    TLSEXT_SIGALG_dsa_sha224,
++    TLSEXT_SIGALG_dsa_sha256,
++    TLSEXT_SIGALG_dsa_sha384,
++    TLSEXT_SIGALG_dsa_sha512,
++#endif
++};
++
+ #ifndef OPENSSL_NO_EC
+ static const uint16_t suiteb_sigalgs[] = {
+     TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
+@@ -894,6 +924,8 @@ static const SIGALG_LOOKUP *tls1_get_leg
+     }
+     if (idx < 0 || idx >= (int)OSSL_NELEM(tls_default_sigalg))
+         return NULL;
++    if (FIPS_mode()) /* We do not allow legacy SHA1 signatures in FIPS mode */
++        return NULL;
+     if (SSL_USE_SIGALGS(s) || idx != SSL_PKEY_RSA) {
+         const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(tls_default_sigalg[idx]);
+ 
+@@ -954,6 +986,9 @@ size_t tls12_get_psigalgs(SSL *s, int se
+     } else if (s->cert->conf_sigalgs) {
+         *psigs = s->cert->conf_sigalgs;
+         return s->cert->conf_sigalgslen;
++    } else if (FIPS_mode()) {
++        *psigs = tls12_fips_sigalgs;
++        return OSSL_NELEM(tls12_fips_sigalgs);
+     } else {
+         *psigs = tls12_sigalgs;
+         return OSSL_NELEM(tls12_sigalgs);
+@@ -973,6 +1008,9 @@ int tls_check_sigalg_curve(const SSL *s,
+     if (s->cert->conf_sigalgs) {
+         sigs = s->cert->conf_sigalgs;
+         siglen = s->cert->conf_sigalgslen;
++    } else if (FIPS_mode()) {
++        sigs = tls12_fips_sigalgs;
++        siglen = OSSL_NELEM(tls12_fips_sigalgs);
+     } else {
+         sigs = tls12_sigalgs;
+         siglen = OSSL_NELEM(tls12_sigalgs);
+@@ -1617,6 +1655,8 @@ static int tls12_sigalg_allowed(const SS
+     if (lu->sig == NID_id_GostR3410_2012_256
+             || lu->sig == NID_id_GostR3410_2012_512
+             || lu->sig == NID_id_GostR3410_2001) {
++        if (FIPS_mode())
++            return 0;
+         /* We never allow GOST sig algs on the server with TLSv1.3 */
+         if (s->server && SSL_IS_TLS13(s))
+             return 0;
+@@ -2842,6 +2882,13 @@ int tls_choose_sigalg(SSL *s, int fatale
+                 const uint16_t *sent_sigs;
+                 size_t sent_sigslen;
+ 
++                if (fatalerrs && FIPS_mode()) {
++                    /* There are no suitable legacy algorithms in FIPS mode */
++                    SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
++                             SSL_F_TLS_CHOOSE_SIGALG,
++                             SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
++                    return 0;
++                }
+                 if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
+                     if (!fatalerrs)
+                         return 1;