PR#36: ELN: fix SHA1 signature patches - rpms/openssl

rpms / openssl

#36 ELN: fix SHA1 signature patches

Merged 2 years ago by dbelyavs. Opened 2 years ago by sgallagh.

rpms/ sgallagh/openssl eln into rawhide

ELN: fix SHA1 signature patch

Stephen Gallagher • 2 years ago

43e576f

ELN: fix SHA1 signature patch

Stephen Gallagher • 2 years ago

5665462

0049-Selectively-disallow-SHA1-signatures.patch

file modified

+28 -26

		`@@ -1,7 +1,7 @@`
		`- From 243201772cc6d583fae9eba81cb2c2c7425bc564 Mon Sep 17 00:00:00 2001`
		`+ From f6a2f59574788aadd0ce323ad8ebe4d0c470672e Mon Sep 17 00:00:00 2001`
		`From: Clemens Lang <cllang@redhat.com>`
		`- Date: Mon, 21 Feb 2022 17:24:44 +0100`
		`- Subject: Selectively disallow SHA1 signatures`
		`+ Date: Wed, 17 Aug 2022 12:56:29 -0400`
		`+ Subject: [PATCH] Selectively disallow SHA1 signatures`

		`For RHEL 9.0, we want to phase out SHA1. One of the steps to do that is`
		`disabling SHA1 signatures. Introduce a new configuration option in the`
		`@@ -35,6 +35,8 @@`
		`signing arbitrary data).`

		`Resolves: rhbz#2031742`
		`+`
		`+ Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>`
		`---`
		`crypto/evp/evp_cnf.c \| 13 ++++`
		`crypto/evp/m_sigver.c \| 77 +++++++++++++++++++`
		`@@ -52,7 +54,7 @@`
		`13 files changed, 188 insertions(+), 9 deletions(-)`

		`diff --git a/crypto/evp/evp_cnf.c b/crypto/evp/evp_cnf.c`
		`- index 0e7fe64cf9..b9d3b6d226 100644`
		`+ index 0e7fe64cf92e4b73b3bf873895e73fa9646df86d..b9d3b6d226ca07a65d972bb8505b7976a0d02572 100644`
		`--- a/crypto/evp/evp_cnf.c`
		`+++ b/crypto/evp/evp_cnf.c`
		`@@ -10,6 +10,7 @@`
		`@@ -83,7 +85,7 @@`
		`ERR_raise_data(ERR_LIB_EVP, EVP_R_UNKNOWN_OPTION,`
		`"name=%s, value=%s", oval->name, oval->value);`
		`diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c`
		`- index 9188edbc21..db1a1d7bc3 100644`
		`+ index 76a6814b424bec3479bdf61374f0178b9cd96ded..4b2f1fcfb886661d98460c240d542df2ccd5df13 100644`
		`--- a/crypto/evp/m_sigver.c`
		`+++ b/crypto/evp/m_sigver.c`
		`@@ -16,6 +16,71 @@`
		`@@ -178,7 +180,7 @@`
		`if (signature->digest_verify_init == NULL) {`
		`ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);`
		`diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c`
		`- index 2b9c6c2351..3c5a1e6f5d 100644`
		`+ index da367ed05fbe42abb328c6e23cafe99e76d26819..ee6edf1e85e71cdbe58bf7e9f443425dce100e43 100644`
		`--- a/crypto/evp/pmeth_lib.c`
		`+++ b/crypto/evp/pmeth_lib.c`
		`@@ -33,6 +33,7 @@`
		`@@ -211,7 +213,7 @@`
		`return EVP_PKEY_CTX_ctrl(ctx, -1, op, ctrl, 0, (void *)(md));`

		`diff --git a/doc/man5/config.pod b/doc/man5/config.pod`
		`- index 77a8055e81..aa1be5ca7f 100644`
		`+ index a84113287c3d0edf6c67726aee7d8abb87401445..f1536258470563b4fe74f8d1e3db6d73ed316341 100644`
		`--- a/doc/man5/config.pod`
		`+++ b/doc/man5/config.pod`
		`@@ -304,6 +304,17 @@ Within the algorithm properties section, the following names have meaning:`
		`@@ -233,7 +235,7 @@`

		`The value is a boolean that can be B<yes> or B<no>. If the value is`
		`diff --git a/include/internal/cryptlib.h b/include/internal/cryptlib.h`
		`- index 1291299b6e..e234341e6a 100644`
		`+ index 1291299b6e50ea129ba77c85bb0b21b0997e4494..e234341e6afd15f7108c7af453d6f2190c086b04 100644`
		`--- a/include/internal/cryptlib.h`
		`+++ b/include/internal/cryptlib.h`
		`@@ -168,7 +168,8 @@ typedef struct ossl_ex_data_global_st {`
		`@@ -247,7 +249,7 @@`
		`# define OSSL_LIB_CTX_METHOD_LOW_PRIORITY -1`
		`# define OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY 0`
		`diff --git a/include/internal/sslconf.h b/include/internal/sslconf.h`
		`- index fd7f7e3331..05464b0655 100644`
		`+ index fd7f7e333183dde57a283dab7372f9afb38c0eb4..05464b0655b20da2035f6781f44ac577e895fc8a 100644`
		`--- a/include/internal/sslconf.h`
		`+++ b/include/internal/sslconf.h`
		`@@ -18,4 +18,8 @@ int conf_ssl_name_find(const char name, size_t idx);`
		`@@ -260,7 +262,7 @@`
		`+ int loadconfig);`
		`#endif`
		`diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c`
		`- index 699ada7c52..e534ad0a5f 100644`
		`+ index 446ad6b4c11cf8dcad9dcb86df38816eff4bf772..9e47f5655957e661fa4f66f5e67a78c6c7d2fe5b 100644`
		`--- a/providers/common/securitycheck.c`
		`+++ b/providers/common/securitycheck.c`
		`@@ -19,6 +19,7 @@`
		`@@ -304,7 +306,7 @@`
		`return 1;`
		`}`
		`diff --git a/providers/common/securitycheck_default.c b/providers/common/securitycheck_default.c`
		`- index de7f0d3a0a..ce54a94fbc 100644`
		`+ index de7f0d3a0a5718bd06a55d3d92236c27ffb7d0d5..ce54a94fbc9b3f48052c0bd5acf5b0aa349c4e91 100644`
		`--- a/providers/common/securitycheck_default.c`
		`+++ b/providers/common/securitycheck_default.c`
		`@@ -15,6 +15,7 @@`
		`@@ -341,7 +343,7 @@`
		`return mdnid;`
		`}`
		`diff --git a/providers/implementations/signature/dsa_sig.c b/providers/implementations/signature/dsa_sig.c`
		`- index 28fd7c498e..fa3822f39f 100644`
		`+ index 28fd7c498e9922b6fabd1fafa452afe7ca3734ec..fa3822f39fd14a16c761b316e276c68868f35c7d 100644`
		`--- a/providers/implementations/signature/dsa_sig.c`
		`+++ b/providers/implementations/signature/dsa_sig.c`
		`@@ -124,12 +124,17 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx,`
		`@@ -366,7 +368,7 @@`
		`if (md == NULL \|\| md_nid < 0) {`
		`if (md == NULL)`
		`diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c`
		`- index 865d49d100..99b228e82c 100644`
		`+ index 865d49d1004f0031c82c24c218828a7d9c7269c6..99b228e82c408171bb2458244d2cf763e32a19fb 100644`
		`--- a/providers/implementations/signature/ecdsa_sig.c`
		`+++ b/providers/implementations/signature/ecdsa_sig.c`
		`@@ -237,7 +237,11 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX ctx, const char mdname,`
		`@@ -382,10 +384,10 @@`
		`sha1_allowed);`
		`if (md_nid < 0) {`
		`diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c`
		`- index 325e855333..bea397f0c1 100644`
		`+ index 7023a866131e38c214ac7326fdd83274dab81833..f66d7705c35add553694c5808b51d5696f678ee7 100644`
		`--- a/providers/implementations/signature/rsa_sig.c`
		`+++ b/providers/implementations/signature/rsa_sig.c`
		`- @@ -26,6 +26,7 @@`
		`+ @@ -25,6 +25,7 @@`
		`#include "internal/cryptlib.h"`
		`#include "internal/nelem.h"`
		`#include "internal/sizes.h"`
		`@@ -393,7 +395,7 @@`
		`#include "crypto/rsa.h"`
		`#include "prov/providercommon.h"`
		`#include "prov/implementations.h"`
		`- @@ -34,6 +35,7 @@`
		`+ @@ -33,6 +34,7 @@`
		`#include "prov/securitycheck.h"`

		`#define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1`
		`@@ -401,7 +403,7 @@`

		`static OSSL_FUNC_signature_newctx_fn rsa_newctx;`
		`static OSSL_FUNC_signature_sign_init_fn rsa_sign_init;`
		`- @@ -289,10 +291,15 @@ static int rsa_setup_md(PROV_RSA_CTX ctx, const char mdname,`
		`+ @@ -288,10 +290,15 @@ static int rsa_setup_md(PROV_RSA_CTX ctx, const char mdname,`

		`if (mdname != NULL) {`
		`EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);`
		`@@ -419,7 +421,7 @@`

		`if (md == NULL`
		`\|\| md_nid <= 0`
		`- @@ -1348,8 +1355,15 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])`
		`+ @@ -1347,8 +1354,15 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])`
		`prsactx->pad_mode = pad_mode;`

		`if (prsactx->md == NULL && pmdname == NULL`
		`@@ -437,7 +439,7 @@`
		`if (pmgf1mdname != NULL`
		`&& !rsa_setup_mgf1_md(prsactx, pmgf1mdname, pmgf1mdprops))`
		`diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c`
		`- index fc32bb3556..4b74ee1a34 100644`
		`+ index 48a0b7f6e5908e62b433a306c49a3f2ff7e8df76..909e38c2fe88324884a939b583fd7f43d01f3920 100644`
		`--- a/ssl/t1_lib.c`
		`+++ b/ssl/t1_lib.c`
		`@@ -20,6 +20,7 @@`
		`@@ -448,7 +450,7 @@`
		`#include "internal/nelem.h"`
		`#include "internal/sizes.h"`
		`#include "internal/tlsgroups.h"`
		`- @@ -1145,11 +1146,13 @@ int ssl_setup_sig_algs(SSL_CTX *ctx)`
		`+ @@ -1150,11 +1151,13 @@ int ssl_setup_sig_algs(SSL_CTX *ctx)`
		`= OPENSSL_malloc(sizeof(lu) OSSL_NELEM(sigalg_lookup_tbl));`
		`EVP_PKEY *tmpkey = EVP_PKEY_new();`
		`int ret = 0;`
		`@@ -462,7 +464,7 @@`
		`for (i = 0, lu = sigalg_lookup_tbl;`
		`i < OSSL_NELEM(sigalg_lookup_tbl); lu++, i++) {`
		`EVP_PKEY_CTX *pctx;`
		`- @@ -1169,6 +1172,11 @@ int ssl_setup_sig_algs(SSL_CTX *ctx)`
		`+ @@ -1174,6 +1177,11 @@ int ssl_setup_sig_algs(SSL_CTX *ctx)`
		`cache[i].enabled = 0;`
		`continue;`
		`}`
		`@@ -475,15 +477,15 @@`
		`if (!EVP_PKEY_set_type(tmpkey, lu->sig)) {`
		`cache[i].enabled = 0;`
		`diff --git a/util/libcrypto.num b/util/libcrypto.num`
		`- index 10b4e57d79..2d3c363bb0 100644`
		`+ index d94f406606132690d4744e470d98eff377d87699..07ae9a21ec979028eb78feaee4cadb801b790caf 100644`
		`--- a/util/libcrypto.num`
		`+++ b/util/libcrypto.num`
		`- @@ -5426,3 +5426,5 @@ ASN1_TIME_print_ex 5553 3_0_0 EXIST::FUNCTION:`
		`- EVP_PKEY_get0_provider 5554 3_0_0 EXIST::FUNCTION:`
		`- EVP_PKEY_CTX_get0_provider 5555 3_0_0 EXIST::FUNCTION:`
		`+ @@ -5428,3 +5428,5 @@ EVP_PKEY_CTX_get0_provider 5555 3_0_0 EXIST::FUNCTION:`
		`+ OPENSSL_strcasecmp 5556 3_0_3 EXIST::FUNCTION:`
		`+ OPENSSL_strncasecmp 5557 3_0_3 EXIST::FUNCTION:`
		`ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION:`
		`+ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION:`
		`+ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION:`
		`--`
		`- 2.35.1`
		`+ 2.37.2`

0052-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch

file modified

+15 -15

		`@@ -1,4 +1,4 @@`
		`- From c63599ee9708d543205a9173207ee7167315c624 Mon Sep 17 00:00:00 2001`
		`+ From dbd1021466572be733dfc6f7ae484f1adf467f40 Mon Sep 17 00:00:00 2001`
		`From: Clemens Lang <cllang@redhat.com>`
		`Date: Tue, 1 Mar 2022 15:44:18 +0100`
		`Subject: [PATCH] Allow SHA1 in seclevel 2 if rh-allow-sha1-signatures = yes`
		`@@ -12,7 +12,7 @@`
		`4 files changed, 79 insertions(+), 18 deletions(-)`

		`diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c`
		`- index ff3ca83de6..a549c1c111 100644`
		`+ index 2f175ca517f5dd8f8e7d79e5d562981b74c8f987..d1c7d0ce204ca31021a4497ddaa8e7dee45ff6f6 100644`
		`--- a/crypto/x509/x509_vfy.c`
		`+++ b/crypto/x509/x509_vfy.c`
		`@@ -25,6 +25,7 @@`
		`@@ -23,7 +23,7 @@`
		`#include "crypto/x509.h"`
		`#include "x509_local.h"`

		`- @@ -3440,14 +3441,30 @@ static int check_sig_level(X509_STORE_CTX ctx, X509 cert)`
		`+ @@ -3441,14 +3442,30 @@ static int check_sig_level(X509_STORE_CTX ctx, X509 cert)`
		`{`
		`int secbits = -1;`
		`int level = ctx->param->auth_level;`
		`@@ -56,10 +56,10 @@`
		`return secbits >= minbits_table[level - 1];`
		`}`
		`diff --git a/doc/man5/config.pod b/doc/man5/config.pod`
		`- index aa1be5ca7f..aa69e2b844 100644`
		`+ index f1536258470563b4fe74f8d1e3db6d73ed316341..29ca805ea7152aa9d39bb14e74cc7fd704ec7acf 100644`
		`--- a/doc/man5/config.pod`
		`+++ b/doc/man5/config.pod`
		`- @@ -305,7 +305,12 @@ When set to B<no>, any attempt to create or verify a signature with a SHA1`
		`+ @@ -313,7 +313,12 @@ When set to B<no>, any attempt to create or verify a signature with a SHA1`
		`digest will fail. For compatibility with older versions of OpenSSL, set this`
		`option to B<yes>. This setting also affects TLS, where signature algorithms`
		`that use SHA1 as digest will no longer be supported if this option is set to`
		`@@ -74,7 +74,7 @@`
		`=item B<fips_mode> (deprecated)`

		`diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c`
		`- index 4b74ee1a34..5f089de107 100644`
		`+ index 909e38c2fe88324884a939b583fd7f43d01f3920..860c7a81d1eaa834e72f81e433e7a0a6a8b1b641 100644`
		`--- a/ssl/t1_lib.c`
		`+++ b/ssl/t1_lib.c`
		`@@ -20,6 +20,7 @@`
		`@@ -85,7 +85,7 @@`
		`#include "internal/sslconf.h"`
		`#include "internal/nelem.h"`
		`#include "internal/sizes.h"`
		`- @@ -1561,19 +1562,27 @@ int tls12_check_peer_sigalg(SSL s, uint16_t sig, EVP_PKEY pkey)`
		`+ @@ -1566,19 +1567,27 @@ int tls12_check_peer_sigalg(SSL s, uint16_t sig, EVP_PKEY pkey)`
		`SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_UNKNOWN_DIGEST);`
		`return 0;`
		`}`
		`@@ -126,7 +126,7 @@`
		`}`
		`/* Store the sigalg the peer uses */`
		`s->s3.tmp.peer_sigalg = lu;`
		`- @@ -2106,6 +2115,14 @@ static int tls12_sigalg_allowed(const SSL s, int op, const SIGALG_LOOKUP lu)`
		`+ @@ -2111,6 +2120,14 @@ static int tls12_sigalg_allowed(const SSL s, int op, const SIGALG_LOOKUP lu)`
		`}`
		`}`

		`@@ -141,7 +141,7 @@`
		`/* Finally see if security callback allows it */`
		`secbits = sigalg_security_bits(s->ctx, lu);`
		`sigalgstr[0] = (lu->sigalg >> 8) & 0xff;`
		`- @@ -2977,6 +2994,8 @@ static int ssl_security_cert_sig(SSL s, SSL_CTX ctx, X509 *x, int op)`
		`+ @@ -2980,6 +2997,8 @@ static int ssl_security_cert_sig(SSL s, SSL_CTX ctx, X509 *x, int op)`
		`{`
		`/* Lookup signature algorithm digest */`
		`int secbits, nid, pknid;`
		`@@ -150,7 +150,7 @@`
		`/* Don't check signature if self signed */`
		`if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)`
		`return 1;`
		`- @@ -2985,6 +3004,25 @@ static int ssl_security_cert_sig(SSL s, SSL_CTX ctx, X509 *x, int op)`
		`+ @@ -2988,6 +3007,25 @@ static int ssl_security_cert_sig(SSL s, SSL_CTX ctx, X509 *x, int op)`
		`/* If digest NID not defined use signature NID */`
		`if (nid == NID_undef)`
		`nid = pknid;`
		`@@ -177,19 +177,19 @@`
		`return ssl_security(s, op, secbits, nid, x);`
		`else`
		`diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t`
		`- index 700bbd849c..2de1d76b5e 100644`
		`+ index bf85ba57c1cf51fe4e8e54654890121bac6738fe..d5665434aaef1ca2b5f2f37b2499f40b1405fd9d 100644`
		`--- a/test/recipes/25-test_verify.t`
		`+++ b/test/recipes/25-test_verify.t`
		`@@ -29,7 +29,7 @@ sub verify {`
		`run(app([@args]));`
		`}`

		`- -plan tests => 160;`
		`- +plan tests => 159;`
		`+ -plan tests => 163;`
		`+ +plan tests => 162;`

		`# Canonical success`
		`ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),`
		`- @@ -387,8 +387,9 @@ ok(verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "0"`
		`+ @@ -410,8 +410,9 @@ ok(verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "0"`
		`ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], ),`
		`"CA with PSS signature using SHA256");`

		`@@ -202,5 +202,5 @@`
		`ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "2"),`
		`"PSS signature using SHA256 and auth level 2");`
		`--`
		`- 2.35.1`
		`+ 2.37.2`