forked from rpms/openssl
Fix SHA1 certs in LEGACY without openssl lib ctxt
Resolves: rhbz#2065400 Signed-off-by: Clemens Lang <cllang@redhat.com>
This commit is contained in:
parent
4eb630f7d5
commit
153f593fa6
@ -1,15 +1,15 @@
|
|||||||
From 47f5bc59dd63dc16574c5d3e09eea999095b556e Mon Sep 17 00:00:00 2001
|
From c63599ee9708d543205a9173207ee7167315c624 Mon Sep 17 00:00:00 2001
|
||||||
From: Clemens Lang <cllang@redhat.com>
|
From: Clemens Lang <cllang@redhat.com>
|
||||||
Date: Tue, 1 Mar 2022 15:44:18 +0100
|
Date: Tue, 1 Mar 2022 15:44:18 +0100
|
||||||
Subject: [PATCH] Allow SHA1 in seclevel 2 if rh-allow-sha1-signatures = yes
|
Subject: [PATCH] Allow SHA1 in seclevel 2 if rh-allow-sha1-signatures = yes
|
||||||
|
|
||||||
References: rhbz#2055796
|
References: rhbz#2055796
|
||||||
---
|
---
|
||||||
crypto/x509/x509_vfy.c | 19 +++++++++++-
|
crypto/x509/x509_vfy.c | 19 ++++++++++-
|
||||||
doc/man5/config.pod | 7 ++++-
|
doc/man5/config.pod | 7 +++-
|
||||||
ssl/t1_lib.c | 55 ++++++++++++++++++++++++++---------
|
ssl/t1_lib.c | 64 ++++++++++++++++++++++++++++-------
|
||||||
test/recipes/25-test_verify.t | 7 +++--
|
test/recipes/25-test_verify.t | 7 ++--
|
||||||
4 files changed, 70 insertions(+), 18 deletions(-)
|
4 files changed, 79 insertions(+), 18 deletions(-)
|
||||||
|
|
||||||
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
|
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
|
||||||
index ff3ca83de6..a549c1c111 100644
|
index ff3ca83de6..a549c1c111 100644
|
||||||
@ -74,7 +74,7 @@ index aa1be5ca7f..aa69e2b844 100644
|
|||||||
=item B<fips_mode> (deprecated)
|
=item B<fips_mode> (deprecated)
|
||||||
|
|
||||||
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
|
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
|
||||||
index 4b74ee1a34..0638a51aff 100644
|
index 4b74ee1a34..5f089de107 100644
|
||||||
--- a/ssl/t1_lib.c
|
--- a/ssl/t1_lib.c
|
||||||
+++ b/ssl/t1_lib.c
|
+++ b/ssl/t1_lib.c
|
||||||
@@ -20,6 +20,7 @@
|
@@ -20,6 +20,7 @@
|
||||||
@ -141,15 +141,31 @@ index 4b74ee1a34..0638a51aff 100644
|
|||||||
/* Finally see if security callback allows it */
|
/* Finally see if security callback allows it */
|
||||||
secbits = sigalg_security_bits(s->ctx, lu);
|
secbits = sigalg_security_bits(s->ctx, lu);
|
||||||
sigalgstr[0] = (lu->sigalg >> 8) & 0xff;
|
sigalgstr[0] = (lu->sigalg >> 8) & 0xff;
|
||||||
@@ -2985,6 +3002,18 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
|
@@ -2977,6 +2994,8 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
|
||||||
|
{
|
||||||
|
/* Lookup signature algorithm digest */
|
||||||
|
int secbits, nid, pknid;
|
||||||
|
+ OSSL_LIB_CTX *libctx = NULL;
|
||||||
|
+
|
||||||
|
/* Don't check signature if self signed */
|
||||||
|
if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)
|
||||||
|
return 1;
|
||||||
|
@@ -2985,6 +3004,25 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
|
||||||
/* If digest NID not defined use signature NID */
|
/* If digest NID not defined use signature NID */
|
||||||
if (nid == NID_undef)
|
if (nid == NID_undef)
|
||||||
nid = pknid;
|
nid = pknid;
|
||||||
+
|
+
|
||||||
|
+ if (x && x->libctx)
|
||||||
|
+ libctx = x->libctx;
|
||||||
|
+ else if (ctx && ctx->libctx)
|
||||||
|
+ libctx = ctx->libctx;
|
||||||
|
+ else if (s && s->ctx && s->ctx->libctx)
|
||||||
|
+ libctx = s->ctx->libctx;
|
||||||
|
+ else
|
||||||
|
+ libctx = OSSL_LIB_CTX_get0_global_default();
|
||||||
|
+
|
||||||
+ if (nid == NID_sha1
|
+ if (nid == NID_sha1
|
||||||
+ && x != NULL
|
+ && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0)
|
||||||
+ && x->libctx != NULL
|
|
||||||
+ && ossl_ctx_legacy_digest_signatures_allowed(x->libctx, 0)
|
|
||||||
+ && ((s != NULL && SSL_get_security_level(s) < 3)
|
+ && ((s != NULL && SSL_get_security_level(s) < 3)
|
||||||
+ || (ctx != NULL && SSL_CTX_get_security_level(ctx) < 3)
|
+ || (ctx != NULL && SSL_CTX_get_security_level(ctx) < 3)
|
||||||
+ ))
|
+ ))
|
||||||
|
@ -15,7 +15,7 @@
|
|||||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||||
Name: openssl
|
Name: openssl
|
||||||
Version: 3.0.1
|
Version: 3.0.1
|
||||||
Release: 19%{?dist}
|
Release: 20%{?dist}
|
||||||
Epoch: 1
|
Epoch: 1
|
||||||
# We have to remove certain patented algorithms from the openssl source
|
# We have to remove certain patented algorithms from the openssl source
|
||||||
# tarball with the hobble-openssl script which is included below.
|
# tarball with the hobble-openssl script which is included below.
|
||||||
@ -416,6 +416,11 @@ install -m644 %{SOURCE9} \
|
|||||||
%ldconfig_scriptlets libs
|
%ldconfig_scriptlets libs
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Mar 18 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-20
|
||||||
|
- Fix acceptance of SHA-1 certificates with rh-allow-sha1-signatures = yes when
|
||||||
|
no OpenSSL library context is set
|
||||||
|
- Resolves: rhbz#2065400
|
||||||
|
|
||||||
* Fri Mar 18 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-19
|
* Fri Mar 18 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-19
|
||||||
- Fix TLS connections with SHA1 signatures if rh-allow-sha1-signatures = yes
|
- Fix TLS connections with SHA1 signatures if rh-allow-sha1-signatures = yes
|
||||||
- Resolves: rhbz#2065400
|
- Resolves: rhbz#2065400
|
||||||
|
Loading…
Reference in New Issue
Block a user