Allow MD5-SHA1 in LEGACY c-p to fix TLS 1.0

Fedora supports TLS down to 1.0 in the LEGACY crypto-policy, but with RSA
certificates TLS 1.0 (and 1.1) sign the handshake with rsa_pkcs1_md5_sha1.
However, MD5-SHA1 would require SECLEVEL=0, because its 67 bits of
security do not meet SECLEVEL=1's requirement of 80 bits.

Instead of setting SECLEVEL to 0 in the LEGACY crypto-policy (which
would include all algorithms, regardless of their security level), allow
MD5-SHA1 if rh-allow-sha1-signatures is yes and SECLEVEL is 1.

Additionally, fix a regression in evp_pkey_name2type caused by the tr_TR
locale fix.

Resolves: rhbz#2069239
Signed-off-by: Clemens Lang <cllang@redhat.com>
This commit is contained in:
Clemens Lang 2022-04-27 12:43:20 +02:00
parent ef4b6b1e25
commit bb28a358c8
3 changed files with 143 additions and 27 deletions


@ -1,4 +1,4 @@
From f695f140255f9b564cac4d5e9e38ba27ec927256 Mon Sep 17 00:00:00 2001
From f470b130139919f32926b3f5a75ba4d161cbcf88 Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Tue, 1 Mar 2022 15:44:18 +0100
Subject: [PATCH 2/2] Allow SHA1 in seclevel 1 if rh-allow-sha1-signatures =
@ -26,14 +26,14 @@ default configuration.
Related: rhbz#2055796
Related: rhbz#2070977
---
crypto/x509/x509_vfy.c | 19 ++++++++++-
crypto/x509/x509_vfy.c | 20 ++++++++++-
doc/man5/config.pod | 7 ++++
ssl/t1_lib.c | 64 ++++++++++++++++++++++++++++-------
ssl/t1_lib.c | 67 ++++++++++++++++++++++++++++-------
test/recipes/25-test_verify.t | 4 +--
4 files changed, 78 insertions(+), 16 deletions(-)
4 files changed, 82 insertions(+), 16 deletions(-)
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 2f175ca517..60aa26f552 100644
index 2f175ca517..bf0c608839 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -25,6 +25,7 @@
@ -44,7 +44,7 @@ index 2f175ca517..60aa26f552 100644
#include "crypto/x509.h"
#include "x509_local.h"
@@ -3441,14 +3442,30 @@ static int check_sig_level(X509_STORE_CTX *ctx, X509 *cert)
@@ -3441,14 +3442,31 @@ static int check_sig_level(X509_STORE_CTX *ctx, X509 *cert)
{
int secbits = -1;
int level = ctx->param->auth_level;
@ -67,17 +67,18 @@ index 2f175ca517..60aa26f552 100644
+ if (!X509_get_signature_info(cert, &nid, NULL, &secbits, NULL))
return 0;
+ if (nid == NID_sha1
+ if ((nid == NID_sha1 || nid == NID_md5_sha1)
+ && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0)
+ && ctx->param->auth_level < 2)
+ /* When rh-allow-sha1-signatures = yes and security level <= 1,
+ * explicitly allow SHA1 for backwards compatibility. */
+ * explicitly allow SHA1 for backwards compatibility. Also allow
+ * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */
+ return 1;
+
return secbits >= minbits_table[level - 1];
}
diff --git a/doc/man5/config.pod b/doc/man5/config.pod
index 0c9110d28a..02e7ca706f 100644
index 0c9110d28a..e0516d20b8 100644
--- a/doc/man5/config.pod
+++ b/doc/man5/config.pod
@@ -309,6 +309,13 @@ this option is set to B<no>. Because TLS 1.1 or lower use MD5-SHA1 as
@ -86,16 +87,16 @@ index 0c9110d28a..02e7ca706f 100644
+Note that enabling B<rh-allow-sha1-signatures> will allow TLS signature
+algorithms that use SHA1 in security level 1, despite the definition of
+security level 1 of FIXME bits of security, which SHA1 does not meet. This
+allows using SHA1 in TLS in the LEGACY crypto-policy on Fedora without
+requiring to set the security level to 0, which would include further insecure
+algorithms.
+security level 1 of 80 bits of security, which SHA1 and MD5-SHA1 do not meet.
+This allows using SHA1 and MD5-SHA1 in TLS in the LEGACY crypto-policy on
+Fedora without requiring to set the security level to 0, which would include
+further insecure algorithms, and thus restores support for TLS 1.0 and 1.1.
+
=item B<fips_mode> (deprecated)
The value is a boolean that can be B<yes> or B<no>. If the value is
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index dcd487ec2e..e47ddf56f1 100644
index dcd487ec2e..0b50266b69 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -20,6 +20,7 @@
@ -106,7 +107,7 @@ index dcd487ec2e..e47ddf56f1 100644
#include "internal/sslconf.h"
#include "internal/nelem.h"
#include "internal/sizes.h"
@@ -1561,19 +1562,27 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey)
@@ -1561,19 +1562,28 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey)
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_UNKNOWN_DIGEST);
return 0;
}
@ -124,11 +125,12 @@ index dcd487ec2e..e47ddf56f1 100644
- SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE);
- return 0;
+
+ if (lu->hash == NID_sha1
+ if ((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1)
+ && ossl_ctx_legacy_digest_signatures_allowed(s->ctx->libctx, 0)
+ && SSL_get_security_level(s) < 2) {
+ /* when rh-allow-sha1-signatures = yes and security level <= 1,
+ * explicitly allow SHA1 for backwards compatibility */
+ /* When rh-allow-sha1-signatures = yes and security level <= 1,
+ * explicitly allow SHA1 for backwards compatibility. Also allow
+ * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */
+ } else {
+ /*
+ * Make sure security callback allows algorithm. For historical
@ -147,22 +149,23 @@ index dcd487ec2e..e47ddf56f1 100644
}
/* Store the sigalg the peer uses */
s->s3.tmp.peer_sigalg = lu;
@@ -2106,6 +2115,14 @@ static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu)
@@ -2106,6 +2116,15 @@ static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu)
}
}
+ if (lu->hash == NID_sha1
+ if ((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1)
+ && ossl_ctx_legacy_digest_signatures_allowed(s->ctx->libctx, 0)
+ && SSL_get_security_level(s) < 2) {
+ /* when rh-allow-sha1-signatures = yes and security level <= 1,
+ * explicitly allow SHA1 for backwards compatibility */
+ /* When rh-allow-sha1-signatures = yes and security level <= 1,
+ * explicitly allow SHA1 for backwards compatibility. Also allow
+ * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */
+ return 1;
+ }
+
/* Finally see if security callback allows it */
secbits = sigalg_security_bits(s->ctx, lu);
sigalgstr[0] = (lu->sigalg >> 8) & 0xff;
@@ -2977,6 +2994,8 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
@@ -2977,6 +2996,8 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
{
/* Lookup signature algorithm digest */
int secbits, nid, pknid;
@ -171,7 +174,7 @@ index dcd487ec2e..e47ddf56f1 100644
/* Don't check signature if self signed */
if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)
return 1;
@@ -2985,6 +3004,25 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
@@ -2985,6 +3006,26 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
/* If digest NID not defined use signature NID */
if (nid == NID_undef)
nid = pknid;
@ -185,13 +188,14 @@ index dcd487ec2e..e47ddf56f1 100644
+ else
+ libctx = OSSL_LIB_CTX_get0_global_default();
+
+ if (nid == NID_sha1
+ if ((nid == NID_sha1 || nid == NID_md5_sha1)
+ && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0)
+ && ((s != NULL && SSL_get_security_level(s) < 2)
+ || (ctx != NULL && SSL_CTX_get_security_level(ctx) < 2)
+ ))
+ /* When rh-allow-sha1-signatures = yes and security level <= 1,
+ * explicitly allow SHA1 for backwards compatibility. */
+ * explicitly allow SHA1 for backwards compatibility. Also allow
+ * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */
+ return 1;
+
if (s)
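Review bot: The level test added to ssl_security_cert_sig ORs the SSL and SSL_CTX security levels, so if both s and ctx were ever non-NULL a laxer context level would override a stricter per-connection level, whereas the `if (s)` dispatch that follows (and the libctx selection a few lines above) appears to prefer s. Mirror that precedence instead: `int level = (s != NULL) ? SSL_get_security_level(s) : SSL_CTX_get_security_level(ctx);` and test `level < 2` in the condition. Separately, as far as I can tell OpenSSL defines no X.509 signature-algorithm OID for MD5-SHA1 (it is only a TLS 1.0/1.1 handshake digest), so the NID_md5_sha1 arms added to check_sig_level in x509_vfy.c and to ssl_security_cert_sig look unreachable while widening the documented scope of the certificate-path exemption; consider keeping those two at `nid == NID_sha1` and confining the MD5-SHA1 allowance to the two sigalg checks in t1_lib.c, with a comment stating that the certificate exemption is SHA1-only because no certificate can carry MD5-SHA1. Both ssl_security_cert_sig and check_sig_level continue outside the visible hunks.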

104
0057-strcasecmp-fix.patch Normal file

@ -0,0 +1,104 @@
From 68f23e3725d9639f5b27d868fee291cabb516677 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <beldmit@gmail.com>
Date: Fri, 22 Apr 2022 18:16:56 +0200
Subject: [PATCH 1/2] Ensure we initialized the locale before
evp_pkey_name2type
Fixes #18158
---
crypto/evp/pmeth_lib.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
index 2b9c6c2351da..92d25de44532 100644
--- a/crypto/evp/pmeth_lib.c
+++ b/crypto/evp/pmeth_lib.c
@@ -27,6 +27,7 @@
#ifndef FIPS_MODULE
# include "crypto/asn1.h"
#endif
+#include "crypto/ctype.h"
#include "crypto/evp.h"
#include "crypto/dh.h"
#include "crypto/ec.h"
@@ -199,6 +200,7 @@ static EVP_PKEY_CTX *int_ctx_new(OSSL_LIB_CTX *libctx,
}
#ifndef FIPS_MODULE
if (keytype != NULL) {
+ ossl_init_casecmp();
id = evp_pkey_name2type(keytype);
if (id == NID_undef)
id = -1;
From 51c7b2d9c30b72aeb7e8eb69799dc039d5b23e58 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <beldmit@gmail.com>
Date: Fri, 22 Apr 2022 19:26:08 +0200
Subject: [PATCH 2/2] Testing the EVP_PKEY_CTX_new_from_name without
preliminary init
---
test/build.info | 6 +++++-
test/evp_pkey_ctx_new_from_name.c | 14 ++++++++++++++
test/recipes/02-test_localetest.t | 4 +++-
3 files changed, 22 insertions(+), 2 deletions(-)
create mode 100644 test/evp_pkey_ctx_new_from_name.c
diff --git a/test/build.info b/test/build.info
index 14a84f00a258..ee059973d31a 100644
--- a/test/build.info
+++ b/test/build.info
@@ -37,7 +37,7 @@ IF[{- !$disabled{tests} -}]
sanitytest rsa_complex exdatatest bntest \
ecstresstest gmdifftest pbelutest \
destest mdc2test sha_test \
- exptest pbetest localetest \
+ exptest pbetest localetest evp_pkey_ctx_new_from_name\
evp_pkey_provided_test evp_test evp_extra_test evp_extra_test2 \
evp_fetch_prov_test evp_libctx_test ossl_store_test \
v3nametest v3ext \
@@ -139,6 +139,10 @@ IF[{- !$disabled{tests} -}]
INCLUDE[localetest]=../include ../apps/include
DEPEND[localetest]=../libcrypto libtestutil.a
+ SOURCE[evp_pkey_ctx_new_from_name]=evp_pkey_ctx_new_from_name.c
+ INCLUDE[evp_pkey_ctx_new_from_name]=../include ../apps/include
+ DEPEND[evp_pkey_ctx_new_from_name]=../libcrypto
+
SOURCE[pbetest]=pbetest.c
INCLUDE[pbetest]=../include ../apps/include
DEPEND[pbetest]=../libcrypto libtestutil.a
diff --git a/test/evp_pkey_ctx_new_from_name.c b/test/evp_pkey_ctx_new_from_name.c
new file mode 100644
index 000000000000..24063ea05ea5
--- /dev/null
+++ b/test/evp_pkey_ctx_new_from_name.c
@@ -0,0 +1,14 @@
+#include <stdio.h>
+#include <openssl/ec.h>
+#include <openssl/evp.h>
+#include <openssl/err.h>
+
+int main(int argc, char *argv[])
+{
+ EVP_PKEY_CTX *pctx = NULL;
+
+ pctx = EVP_PKEY_CTX_new_from_name(NULL, "NO_SUCH_ALGORITHM", NULL);
+ EVP_PKEY_CTX_free(pctx);
+
+ return 0;
+}
diff --git a/test/recipes/02-test_localetest.t b/test/recipes/02-test_localetest.t
index 1bccd57d4c63..77fba7d819ab 100644
--- a/test/recipes/02-test_localetest.t
+++ b/test/recipes/02-test_localetest.t
@@ -15,7 +15,9 @@ setup("locale tests");
plan skip_all => "Locale tests not available on Windows or VMS"
if $^O =~ /^(VMS|MSWin32)$/;
-plan tests => 2;
+plan tests => 3;
+
+ok(run(test(["evp_pkey_ctx_new_from_name"])), "running evp_pkey_ctx_new_from_name without explicit context init");
$ENV{LANG} = "C";
ok(run(test(["localetest"])), "running localetest");


@ -15,7 +15,7 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 3.0.2
Release: 3%{?dist}
Release: 4%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
@ -65,6 +65,8 @@ Patch51: 0051-Support-different-R_BITS-lengths-for-KBKDF.patch
Patch52: 0052-Allow-SHA1-in-seclevel-1-if-rh-allow-sha1-signatures.patch
# https://github.com/openssl/openssl/pull/18103
Patch56: 0056-strcasecmp.patch
# https://github.com/openssl/openssl/pull/18175
Patch57: 0057-strcasecmp-fix.patch
License: ASL 2.0
URL: http://www.openssl.org/
@ -391,6 +393,12 @@ install -m644 %{SOURCE9} \
%ldconfig_scriptlets libs
%changelog
* Wed Apr 27 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.2-4
- Fix regression in evp_pkey_name2type caused by tr_TR locale fix
- Support rsa_pkcs1_md5_sha1 in TLS 1.0/1.1 with rh-allow-sha1-signatures = yes
to restore TLS 1.0 and 1.1 support in LEGACY crypto-policy.
Resolves: rhbz#2069239
* Thu Apr 21 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.2-3
- Fixing Turkish locale issues
Resolves: rhbz#2071343