Rebase ELN/RHEL patch for OpenSSL 3.0.8
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
This commit is contained in:
Stephen Gallagher
parent
167e0dd694
commit
e198b69ab5
|
|
@ -1,7 +1,8 @@
|
|||
From dbd1021466572be733dfc6f7ae484f1adf467f40 Mon Sep 17 00:00:00 2001
|
||||
From b9e2912acb72837b2fdef5cd8f96dc4e0d2a8fea Mon Sep 17 00:00:00 2001
|
||||
From: Clemens Lang <cllang@redhat.com>
|
||||
Date: Tue, 1 Mar 2022 15:44:18 +0100
|
||||
Subject: [PATCH] Allow SHA1 in seclevel 2 if rh-allow-sha1-signatures = yes
|
||||
Subject: [PATCH 23/38] Allow SHA1 in seclevel 2 if rh-allow-sha1-signatures =
|
||||
yes
|
||||
|
||||
References: rhbz#2055796
|
||||
---
|
||||
|
|
@ -12,7 +13,7 @@ References: rhbz#2055796
|
|||
4 files changed, 79 insertions(+), 18 deletions(-)
|
||||
|
||||
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
|
||||
index 2f175ca517f5dd8f8e7d79e5d562981b74c8f987..d1c7d0ce204ca31021a4497ddaa8e7dee45ff6f6 100644
|
||||
index 9384f1da9bad9e104550ff270d9ae8dc61da073d..859d5caf4529e193336022bc8a4bdd640df26066 100644
|
||||
--- a/crypto/x509/x509_vfy.c
|
||||
+++ b/crypto/x509/x509_vfy.c
|
||||
@@ -25,6 +25,7 @@
|
||||
|
|
@ -23,7 +24,7 @@ index 2f175ca517f5dd8f8e7d79e5d562981b74c8f987..d1c7d0ce204ca31021a4497ddaa8e7de
|
|||
#include "crypto/x509.h"
|
||||
#include "x509_local.h"
|
||||
|
||||
@@ -3441,14 +3442,30 @@ static int check_sig_level(X509_STORE_CTX *ctx, X509 *cert)
|
||||
@@ -3430,14 +3431,30 @@ static int check_sig_level(X509_STORE_CTX *ctx, X509 *cert)
|
||||
{
|
||||
int secbits = -1;
|
||||
int level = ctx->param->auth_level;
|
||||
|
|
@ -56,7 +57,7 @@ index 2f175ca517f5dd8f8e7d79e5d562981b74c8f987..d1c7d0ce204ca31021a4497ddaa8e7de
|
|||
return secbits >= minbits_table[level - 1];
|
||||
}
|
||||
diff --git a/doc/man5/config.pod b/doc/man5/config.pod
|
||||
index f1536258470563b4fe74f8d1e3db6d73ed316341..29ca805ea7152aa9d39bb14e74cc7fd704ec7acf 100644
|
||||
index f7ac6a743b44c786cf18ccf2ed28105855ceb3ac..f850075d2d0da73e2ab8fc402b1884d3ef6254a8 100644
|
||||
--- a/doc/man5/config.pod
|
||||
+++ b/doc/man5/config.pod
|
||||
@@ -313,7 +313,12 @@ When set to B<no>, any attempt to create or verify a signature with a SHA1
|
||||
|
|
@ -74,7 +75,7 @@ index f1536258470563b4fe74f8d1e3db6d73ed316341..29ca805ea7152aa9d39bb14e74cc7fd7
|
|||
=item B<fips_mode> (deprecated)
|
||||
|
||||
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
|
||||
index 909e38c2fe88324884a939b583fd7f43d01f3920..860c7a81d1eaa834e72f81e433e7a0a6a8b1b641 100644
|
||||
index 89c1dd31c72271b1923ab972e3d3359b6c8e1a03..831e594c00f1c048c9cd920b6c7e62cd6d7a06ed 100644
|
||||
--- a/ssl/t1_lib.c
|
||||
+++ b/ssl/t1_lib.c
|
||||
@@ -20,6 +20,7 @@
|
||||
|
|
@ -126,7 +127,7 @@ index 909e38c2fe88324884a939b583fd7f43d01f3920..860c7a81d1eaa834e72f81e433e7a0a6
|
|||
}
|
||||
/* Store the sigalg the peer uses */
|
||||
s->s3.tmp.peer_sigalg = lu;
|
||||
@@ -2111,6 +2120,14 @@ static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu)
|
||||
@@ -2116,6 +2125,14 @@ static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu)
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -141,7 +142,7 @@ index 909e38c2fe88324884a939b583fd7f43d01f3920..860c7a81d1eaa834e72f81e433e7a0a6
|
|||
/* Finally see if security callback allows it */
|
||||
secbits = sigalg_security_bits(s->ctx, lu);
|
||||
sigalgstr[0] = (lu->sigalg >> 8) & 0xff;
|
||||
@@ -2980,6 +2997,8 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
|
||||
@@ -2985,6 +3002,8 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
|
||||
{
|
||||
/* Lookup signature algorithm digest */
|
||||
int secbits, nid, pknid;
|
||||
|
|
@ -150,7 +151,7 @@ index 909e38c2fe88324884a939b583fd7f43d01f3920..860c7a81d1eaa834e72f81e433e7a0a6
|
|||
/* Don't check signature if self signed */
|
||||
if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)
|
||||
return 1;
|
||||
@@ -2988,6 +3007,25 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
|
||||
@@ -2993,6 +3012,25 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
|
||||
/* If digest NID not defined use signature NID */
|
||||
if (nid == NID_undef)
|
||||
nid = pknid;
|
||||
|
|
@ -177,19 +178,19 @@ index 909e38c2fe88324884a939b583fd7f43d01f3920..860c7a81d1eaa834e72f81e433e7a0a6
|
|||
return ssl_security(s, op, secbits, nid, x);
|
||||
else
|
||||
diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t
|
||||
index bf85ba57c1cf51fe4e8e54654890121bac6738fe..d5665434aaef1ca2b5f2f37b2499f40b1405fd9d 100644
|
||||
index 2a4c36e86daff04f87ad4726a9fb359d958189bf..309cda877d15ff18f5e492c05372f5c9f1393525 100644
|
||||
--- a/test/recipes/25-test_verify.t
|
||||
+++ b/test/recipes/25-test_verify.t
|
||||
@@ -29,7 +29,7 @@ sub verify {
|
||||
run(app([@args]));
|
||||
}
|
||||
|
||||
-plan tests => 163;
|
||||
+plan tests => 162;
|
||||
-plan tests => 164;
|
||||
+plan tests => 163;
|
||||
|
||||
# Canonical success
|
||||
ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
|
||||
@@ -410,8 +410,9 @@ ok(verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "0"
|
||||
@@ -419,8 +419,9 @@ ok(verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "0"
|
||||
ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], ),
|
||||
"CA with PSS signature using SHA256");
|
||||
|
||||
|
|
@ -202,5 +203,5 @@ index bf85ba57c1cf51fe4e8e54654890121bac6738fe..d5665434aaef1ca2b5f2f37b2499f40b
|
|||
ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
|
||||
"PSS signature using SHA256 and auth level 2");
|
||||
--
|
||||
2.37.2
|
||||
2.39.1
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue