From 9d00094935c797e4fae0a8b98fc18b114eec5e27 Mon Sep 17 00:00:00 2001
From: Daiki Ueno
Date: Tue, 21 Feb 2023 15:35:37 +0900
Subject: fips: enable %FORCE_SESSION_HASH by default under FIPS mode

Signed-off-by: Daiki Ueno
---
 lib/priority.c        |  4 ++++
 tests/tls-force-ems.c | 29 ++++++++++++++++++++++++-----
 2 files changed, 28 insertions(+), 5 deletions(-)

diff --git a/lib/priority.c b/lib/priority.c
index 15cb133894..4b5eb7c77d 100644
--- a/lib/priority.c
+++ b/lib/priority.c
@@ -3234,6 +3234,10 @@ gnutls_priority_init(gnutls_priority_t * priority_cache,
 	(*priority_cache)->min_record_version = 1;
 	gnutls_atomic_init(&(*priority_cache)->usage_cnt);
 
+	if (_gnutls_fips_mode_enabled()) {
+		(*priority_cache)->force_ext_master_secret = true;
+	}
+
 	if (system_wide_config.allowlisting && !priorities) {
 		priorities = "@" LEVEL_SYSTEM;
 	}
diff --git a/tests/tls-force-ems.c b/tests/tls-force-ems.c
index 18aa232994..89b5acf62e 100644
--- a/tests/tls-force-ems.c
+++ b/tests/tls-force-ems.c
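Review bot: The new `force_ext_master_secret = true` assignment carries no comment saying why FIPS mode forces it, and because it runs before the priority string is parsed a reader cannot tell from this hunk whether an application's `%NO_SESSION_HASH` is meant to be able to clear it again; a one-line comment would settle that, e.g. `/* FIPS mode requires the TLS 1.2 extended master secret (RFC 7627); same effect as %FORCE_SESSION_HASH. */`. If `_gnutls_fips_mode_enabled()` also reports the non-strict (lax/log) FIPS modes, this changes interoperability for those modes as well, which seems worth confirming against the intended policy. gnutls_priority_init starts before this hunk.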
@@ -102,11 +102,30 @@ void doit(void)
 	    AES_GCM ":%FORCE_SESSION_HASH", 0, 0);
 	try("both force EMS", AES_GCM ":%FORCE_SESSION_HASH",
 	    AES_GCM ":%FORCE_SESSION_HASH", 0, 0);
-	try("neither negotiates EMS", AES_GCM ":%NO_SESSION_HASH",
-	    AES_GCM ":%NO_SESSION_HASH", 0, 0);
-	try("server doesn't negotiate EMS, client forces EMS",
-	    AES_GCM ":%NO_SESSION_HASH", AES_GCM ":%FORCE_SESSION_HASH",
-	    GNUTLS_E_AGAIN, GNUTLS_E_INSUFFICIENT_SECURITY);
+	if (gnutls_fips140_mode_enabled()) {
+		try("neither negotiates EMS", AES_GCM ":%NO_SESSION_HASH",
+		    AES_GCM ":%NO_SESSION_HASH", GNUTLS_E_INSUFFICIENT_SECURITY,
+		    GNUTLS_E_AGAIN);
+	} else {
+		try("neither negotiates EMS", AES_GCM ":%NO_SESSION_HASH",
+		    AES_GCM ":%NO_SESSION_HASH", 0, 0);
+	}
+	/* Note that the error codes are swapped based on FIPS mode:
+	 * in FIPS mode, the server doesn't send the extension which
+	 * causes the client to not send the one either, and then the
+	 * server doesn't like the situation. On the other hand, in
+	 * non-FIPS mode, it's the client to decide to abort the
+	 * connection.
+	 */
+	if (gnutls_fips140_mode_enabled()) {
+		try("server doesn't negotiate EMS, client forces EMS",
+		    AES_GCM ":%NO_SESSION_HASH", AES_GCM ":%FORCE_SESSION_HASH",
+		    GNUTLS_E_INSUFFICIENT_SECURITY, GNUTLS_E_AGAIN);
+	} else {
+		try("server doesn't negotiate EMS, client forces EMS",
+		    AES_GCM ":%NO_SESSION_HASH", AES_GCM ":%FORCE_SESSION_HASH",
+		    GNUTLS_E_AGAIN, GNUTLS_E_INSUFFICIENT_SECURITY);
+	}
 	try("server forces EMS, client doesn't negotiate EMS",
 	    AES_GCM ":%FORCE_SESSION_HASH", AES_GCM ":%NO_SESSION_HASH",
 	    GNUTLS_E_INSUFFICIENT_SECURITY, GNUTLS_E_AGAIN);
-- 
cgit v1.2.1
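Review bot: None of the cases in this hunk exercise the behaviour the library change actually introduces — a bare priority string with neither `%FORCE_SESSION_HASH` nor `%NO_SESSION_HASH` now rejecting a peer that disables EMS under FIPS — so unless an earlier case in doit() (which starts before this hunk) already covers it, a `try("FIPS default vs. no EMS", AES_GCM, AES_GCM ":%NO_SESSION_HASH", ...)` case guarded by `gnutls_fips140_mode_enabled()` would pin the new default. On style, the two `if (gnutls_fips140_mode_enabled())` / `else` pairs repeat each try() call verbatim with only the expected error codes differing; evaluating the mode once and selecting the codes with a conditional keeps each case on a single call and makes the swapped-codes comment apply to exactly one line.

```c
	/* … unchanged: "both force EMS" case … */
	const int fips = gnutls_fips140_mode_enabled() != 0;
	try("neither negotiates EMS", AES_GCM ":%NO_SESSION_HASH",
	    AES_GCM ":%NO_SESSION_HASH",
	    fips ? GNUTLS_E_INSUFFICIENT_SECURITY : 0,
	    fips ? GNUTLS_E_AGAIN : 0);
	/* … unchanged: comment on the swapped error codes … */
	try("server doesn't negotiate EMS, client forces EMS",
	    AES_GCM ":%NO_SESSION_HASH", AES_GCM ":%FORCE_SESSION_HASH",
	    fips ? GNUTLS_E_INSUFFICIENT_SECURITY : GNUTLS_E_AGAIN,
	    fips ? GNUTLS_E_AGAIN : GNUTLS_E_INSUFFICIENT_SECURITY);
```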