fix: SSLv3 handshake with openssl-1.0.2-fips fails (#4644)

crypto/s2n_hmac.c

@@ -81,11 +81,11 @@ bool s2n_hmac_is_available(s2n_hmac_algorithm hmac_alg)
     switch(hmac_alg) {
     case S2N_HMAC_MD5:
     case S2N_HMAC_SSLv3_MD5:
+         /* Some libcryptos, such as OpenSSL, disable MD5 by default when in FIPS mode, which is 
+          * required in order to negotiate SSLv3. However, this is supported in AWS-LC. 
+          */ 
+         return !s2n_is_in_fips_mode() || s2n_libcrypto_is_awslc(); 
     case S2N_HMAC_SSLv3_SHA1:
-        /* Some libcryptos, such as OpenSSL, disable MD5 by default when in FIPS mode, which is
-         * required in order to negotiate SSLv3. However, this is supported in AWS-LC.
-         */
-        return !s2n_is_in_fips_mode() || s2n_libcrypto_is_awslc();
     case S2N_HMAC_NONE:
     case S2N_HMAC_SHA1:
     case S2N_HMAC_SHA224:

tests/cbmc/proofs/s2n_hmac_is_available/s2n_hmac_is_available_harness.c

@@ -33,8 +33,8 @@ void s2n_hmac_is_available_harness()
     switch (hmac_alg) {
         case S2N_HASH_MD5:
         case S2N_HMAC_SSLv3_MD5:
-        case S2N_HMAC_SSLv3_SHA1:
             assert(is_available == !s2n_is_in_fips_mode() || s2n_libcrypto_is_awslc()); break;
+        case S2N_HMAC_SSLv3_SHA1:
         case S2N_HASH_NONE:
         case S2N_HASH_SHA1:
         case S2N_HASH_SHA224:

tests/unit/s2n_crypto_test.c

@@ -123,14 +123,6 @@ int main()
         for (size_t i = 0; i < s2n_array_len(supported_versions); i++) {
             const uint8_t version = supported_versions[i];
 
-            /* See https://github.com/aws/s2n-tls/issues/4476
-             * Retrieving the master secret won't vary between FIPS and non-FIPS,
-             * so this testing limitation is not a concern.
-             */
-            if (s2n_is_in_fips_mode() && version == S2N_SSLv3) {
-                continue;
-            }
-
             DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free);
             EXPECT_NOT_NULL(config);
             EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, ecdsa_chain_and_key));

tests/unit/s2n_sslv3_test.c

@@ -53,14 +53,6 @@ int main(int argc, char **argv)
 {
     BEGIN_TEST();
 
-    if (!s2n_hmac_is_available(S2N_HMAC_SSLv3_MD5)) {
-        /* AWS-LC should support SSLv3. */
-        EXPECT_FALSE(s2n_libcrypto_is_awslc());
-
-        /* Other libcryptos may not support SSLv3, so the tests are skipped. */
-        END_TEST();
-    }
-
     DEFER_CLEANUP(struct s2n_cert_chain_and_key *rsa_chain_and_key = NULL, s2n_cert_chain_and_key_ptr_free);
     EXPECT_SUCCESS(s2n_test_cert_chain_and_key_new(&rsa_chain_and_key,
             S2N_DEFAULT_TEST_CERT_CHAIN, S2N_DEFAULT_TEST_PRIVATE_KEY));

tls/s2n_prf.c

@@ -122,11 +122,6 @@ static int s2n_sslv3_prf(struct s2n_connection *conn, struct s2n_blob *secret, s
     POSIX_ENSURE_REF(conn->handshake.hashes);
     struct s2n_hash_state *workspace = &conn->handshake.hashes->hash_workspace;
 
-    /* FIPS specifically allows MD5 for the legacy PRF */
-    if (s2n_is_in_fips_mode() && conn->actual_protocol_version < S2N_TLS12) {
-        POSIX_GUARD(s2n_hash_allow_md5_for_fips(workspace));
-    }
-
     uint32_t outputlen = out->size;
     uint8_t *output = out->data;
     uint8_t iteration = 1;
@@ -157,6 +152,10 @@ static int s2n_sslv3_prf(struct s2n_connection *conn, struct s2n_blob *secret, s
 
         struct s2n_hash_state *md5 = workspace;
         POSIX_GUARD(s2n_hash_reset(md5));
+        /* FIPS specifically allows MD5 for the legacy PRF */
+        if (s2n_is_in_fips_mode() && conn->actual_protocol_version < S2N_TLS12) {
+            POSIX_GUARD(s2n_hash_allow_md5_for_fips(workspace));
+        }
         POSIX_GUARD(s2n_hash_init(md5, S2N_HASH_MD5));
         POSIX_GUARD(s2n_hash_update(md5, secret->data, secret->size));
         POSIX_GUARD(s2n_hash_update(md5, sha_digest, sizeof(sha_digest)));