fips: enable %FORCE_SESSION_HASH by default under FIPS mode
authorDaiki Ueno <ueno@gnu.org>
Tue, 21 Feb 2023 06:35:37 +0000 (15:35 +0900)
committerDaiki Ueno <ueno@gnu.org>
Thu, 9 Mar 2023 02:25:26 +0000 (11:25 +0900)
Signed-off-by: Daiki Ueno <ueno@gnu.org>
lib/priority.c
tests/tls-force-ems.c

index 15cb133894e540ed50c7187a5f05c6d5ae75bea2..4b5eb7c77d94a441a5a7adfb0bb5e7886e0adaf2 100644 (file)
@@ -3234,6 +3234,10 @@ gnutls_priority_init(gnutls_priority_t * priority_cache,
        (*priority_cache)->min_record_version = 1;
        gnutls_atomic_init(&(*priority_cache)->usage_cnt);
 
+       if (_gnutls_fips_mode_enabled()) {
+               (*priority_cache)->force_ext_master_secret = true;
+       }
+
        if (system_wide_config.allowlisting && !priorities) {
                priorities = "@" LEVEL_SYSTEM;
        }
index 18aa2329941bbdd3918a3aca65ab5fa4cc8ec92e..89b5acf62e543d7ff1ddfd268a46522372d64960 100644 (file)
@@ -102,11 +102,30 @@ void doit(void)
            AES_GCM ":%FORCE_SESSION_HASH", 0, 0);
        try("both force EMS", AES_GCM ":%FORCE_SESSION_HASH",
            AES_GCM ":%FORCE_SESSION_HASH", 0, 0);
-       try("neither negotiates EMS", AES_GCM ":%NO_SESSION_HASH",
-           AES_GCM ":%NO_SESSION_HASH", 0, 0);
-       try("server doesn't negotiate EMS, client forces EMS",
-           AES_GCM ":%NO_SESSION_HASH", AES_GCM ":%FORCE_SESSION_HASH",
-           GNUTLS_E_AGAIN, GNUTLS_E_INSUFFICIENT_SECURITY);
+       if (gnutls_fips140_mode_enabled()) {
+               try("neither negotiates EMS", AES_GCM ":%NO_SESSION_HASH",
+                   AES_GCM ":%NO_SESSION_HASH", GNUTLS_E_INSUFFICIENT_SECURITY,
+                   GNUTLS_E_AGAIN);
+       } else {
+               try("neither negotiates EMS", AES_GCM ":%NO_SESSION_HASH",
+                   AES_GCM ":%NO_SESSION_HASH", 0, 0);
+       }
+       /* Note that the error codes are swapped based on FIPS mode:
+        * in FIPS mode, the server doesn't send the extension which
+        * causes the client to not send the one either, and then the
+        * server doesn't like the situation.  On the other hand, in
+        * non-FIPS mode, it's the client to decide to abort the
+        * connection.
+        */
+       if (gnutls_fips140_mode_enabled()) {
+               try("server doesn't negotiate EMS, client forces EMS",
+                   AES_GCM ":%NO_SESSION_HASH", AES_GCM ":%FORCE_SESSION_HASH",
+                   GNUTLS_E_INSUFFICIENT_SECURITY, GNUTLS_E_AGAIN);
+       } else {
+               try("server doesn't negotiate EMS, client forces EMS",
+                   AES_GCM ":%NO_SESSION_HASH", AES_GCM ":%FORCE_SESSION_HASH",
+                   GNUTLS_E_AGAIN, GNUTLS_E_INSUFFICIENT_SECURITY);
+       }
        try("server forces EMS, client doesn't negotiate EMS",
            AES_GCM ":%FORCE_SESSION_HASH", AES_GCM ":%NO_SESSION_HASH",
            GNUTLS_E_INSUFFICIENT_SECURITY, GNUTLS_E_AGAIN);
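Review bot: The explanatory comment above the FIPS branch inverts the TLS message order: the client sends the extended_master_secret extension in its ClientHello before the server answers, so a server configured with `%NO_SESSION_HASH` cannot cause the client to omit it. Judging from the expected codes, what happens in FIPS mode is that the server itself now requires EMS (lib/priority.c in this commit) and aborts with GNUTLS_E_INSUFFICIENT_SECURITY as soon as it declines to negotiate the extension, so the forcing client only sees the connection drop as GNUTLS_E_AGAIN, whereas outside FIPS the server tolerates the omission and the client is the side that aborts. I would reword it to `/* In FIPS mode the server itself requires EMS, so a server with %NO_SESSION_HASH aborts the handshake (GNUTLS_E_INSUFFICIENT_SECURITY) before the forcing client can; outside FIPS the server accepts and the client aborts instead. */`. The two if/else pairs repeat identical try() calls that differ only in the expected codes; a single `int fips = gnutls_fips140_mode_enabled();` with conditional expressions in the argument lists would halve the duplication. doit() starts before this hunk.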