diff --git a/0049-Allow-disabling-of-SHA1-signatures.patch b/0049-Allow-disabling-of-SHA1-signatures.patch
index 5c0087c..487d1d9 100644
--- a/0049-Allow-disabling-of-SHA1-signatures.patch
+++ b/0049-Allow-disabling-of-SHA1-signatures.patch
@@ -132,7 +132,7 @@ index 630d339c35..6e4e9f5ae7 100644
 + /* Warning: This patch differs from the same patch in CentOS and RHEL here,
 + * because the default on Fedora is to allow SHA-1 and support disabling
 + * it, while CentOS/RHEL disable it by default and allow enabling it. */
-+ ldsigs->allowed = 1;
++ ldsigs->allowed = 0;
 + return ldsigs;
 +}
 +
@@ -161,7 +161,7 @@ index 630d339c35..6e4e9f5ae7 100644
 + /* Warning: This patch differs from the same patch in CentOS and RHEL here,
 + * because the default on Fedora is to allow SHA-1 and support disabling
 + * it, while CentOS/RHEL disable it by default and allow enabling it. */
-+ return ldsigs != NULL ? ldsigs->allowed : 1;
++ return ldsigs != NULL ? ldsigs->allowed : 0;
 +}
 +
 +int ossl_ctx_legacy_digest_signatures_allowed_set(OSSL_LIB_CTX *libctx, int allow,
diff --git a/0052-Allow-SHA1-in-seclevel-1-if-rh-allow-sha1-signatures.patch b/0052-Allow-SHA1-in-seclevel-1-if-rh-allow-sha1-signatures.patch
deleted file mode 100644
index a147d8e..0000000
--- a/0052-Allow-SHA1-in-seclevel-1-if-rh-allow-sha1-signatures.patch
+++ /dev/null
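Review bot: The comment kept as context above both changed lines still says the default is to allow SHA-1 and support disabling it, but the new side sets `ldsigs->allowed = 0` and returns `0` when `ldsigs` is NULL, so in both hunks (@@ -132 and @@ -161) the comment now contradicts the code. I would reword it in both places, e.g. `/* SHA-1 signatures are disallowed by default; the rh-allow-sha1-signatures setting can re-enable them. */`, assuming the setter that follows in the second hunk is still the opt-in path. The fail-closed result for a missing context is the safer choice and is worth stating in that comment as well. Both enclosing functions start outside the hunks.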
@@ -1,221 +0,0 @@ -From f470b130139919f32926b3f5a75ba4d161cbcf88 Mon Sep 17 00:00:00 2001 -From: Clemens Lang -Date: Tue, 1 Mar 2022 15:44:18 +0100 -Subject: [PATCH 2/2] Allow SHA1 in seclevel 1 if rh-allow-sha1-signatures = - yes - -NOTE: This patch is ported from CentOS 9 / RHEL 9, where it allows SHA1 -in seclevel 2 if rh-allow-sha1-signatures = yes. This was chosen because -on CentOS 9 and RHEL 9, the LEGACY crypto policy sets the security level -to 2. - -On Fedora 35 (with OpenSSL 1.1) the legacy crypto policy uses security -level 1. Because Fedora 36 supports both OpenSSL 1.1 and OpenSSL 3, and -we want the legacy crypto policy to allow SHA-1 in TLS, the only option -to make this happen consistently in both OpenSSL 1.1 and OpenSSL 3 is -SECLEVEL=1 (which will allow SHA-1 in OpenSSL 1.1) and this change to -allow SHA-1 in SECLEVEL=1 with rh-allow-sha1-signatures = yes (which -will allow SHA-1 in OpenSSL 3). - -The change from CentOS 9 / RHEL 9 cannot be applied unmodified, because -rh-allow-sha1-signatures will default to yes in Fedora (according to our -current plans including until F38), and the security level in the -DEFAULT crypto policy is 2, i.e., the unmodified change would weaken the -default configuration. 
- -Related: rhbz#2055796 -Related: rhbz#2070977 ---- - crypto/x509/x509_vfy.c | 20 ++++++++++- - doc/man5/config.pod | 7 ++++ - ssl/t1_lib.c | 67 ++++++++++++++++++++++++++++------- - test/recipes/25-test_verify.t | 4 +-- - 4 files changed, 82 insertions(+), 16 deletions(-) - -diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c -index 2f175ca517..bf0c608839 100644 ---- a/crypto/x509/x509_vfy.c -+++ b/crypto/x509/x509_vfy.c -@@ -25,6 +25,7 @@ - #include - #include - #include "internal/dane.h" -+#include "internal/sslconf.h" - #include "crypto/x509.h" - #include "x509_local.h" - -@@ -3441,14 +3442,31 @@ static int check_sig_level(X509_STORE_CTX *ctx, X509 *cert) - { - int secbits = -1; - int level = ctx->param->auth_level; -+ int nid; -+ OSSL_LIB_CTX *libctx = NULL; - - if (level <= 0) - return 1; - if (level > NUM_AUTH_LEVELS) - level = NUM_AUTH_LEVELS; - -- if (!X509_get_signature_info(cert, NULL, NULL, &secbits, NULL)) -+ if (ctx->libctx) -+ libctx = ctx->libctx; -+ else if (cert->libctx) -+ libctx = cert->libctx; -+ else -+ libctx = OSSL_LIB_CTX_get0_global_default(); -+ -+ if (!X509_get_signature_info(cert, &nid, NULL, &secbits, NULL)) - return 0; - -+ if ((nid == NID_sha1 || nid == NID_md5_sha1) -+ && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0) -+ && ctx->param->auth_level < 2) -+ /* When rh-allow-sha1-signatures = yes and security level <= 1, -+ * explicitly allow SHA1 for backwards compatibility. Also allow -+ * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */ -+ return 1; -+ - return secbits >= minbits_table[level - 1]; - } -diff --git a/doc/man5/config.pod b/doc/man5/config.pod -index 0c9110d28a..e0516d20b8 100644 ---- a/doc/man5/config.pod -+++ b/doc/man5/config.pod -@@ -309,6 +309,13 @@ this option is set to B. Because TLS 1.1 or lower use MD5-SHA1 as - pseudorandom function (PRF) to derive key material, disabling - B requires the use of TLS 1.2 or newer. 
- -+Note that enabling B will allow TLS signature -+algorithms that use SHA1 in security level 1, despite the definition of -+security level 1 of 80 bits of security, which SHA1 and MD5-SHA1 do not meet. -+This allows using SHA1 and MD5-SHA1 in TLS in the LEGACY crypto-policy on -+Fedora without requiring to set the security level to 0, which would include -+further insecure algorithms, and thus restores support for TLS 1.0 and 1.1. -+ - =item B (deprecated) - - The value is a boolean that can be B or B. If the value is -diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c -index dcd487ec2e..0b50266b69 100644 ---- a/ssl/t1_lib.c -+++ b/ssl/t1_lib.c -@@ -20,6 +20,7 @@ - #include - #include - #include -+#include "crypto/x509.h" - #include "internal/sslconf.h" - #include "internal/nelem.h" - #include "internal/sizes.h" -@@ -1561,19 +1562,28 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey) - SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_UNKNOWN_DIGEST); - return 0; - } -- /* -- * Make sure security callback allows algorithm. For historical -- * reasons we have to pass the sigalg as a two byte char array. -- */ -- sigalgstr[0] = (sig >> 8) & 0xff; -- sigalgstr[1] = sig & 0xff; -- secbits = sigalg_security_bits(SSL_CONNECTION_GET_CTX(s), lu); -- if (secbits == 0 || -- !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits, -- md != NULL ? EVP_MD_get_type(md) : NID_undef, -- (void *)sigalgstr)) { -- SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE); -- return 0; -+ -+ if ((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1) -+ && ossl_ctx_legacy_digest_signatures_allowed(s->session_ctx->libctx, 0) -+ && SSL_get_security_level(SSL_CONNECTION_GET_SSL(s)) < 2) { -+ /* When rh-allow-sha1-signatures = yes and security level <= 1, -+ * explicitly allow SHA1 for backwards compatibility. Also allow -+ * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */ -+ } else { -+ /* -+ * Make sure security callback allows algorithm. 
For historical -+ * reasons we have to pass the sigalg as a two byte char array. -+ */ -+ sigalgstr[0] = (sig >> 8) & 0xff; -+ sigalgstr[1] = sig & 0xff; -+ secbits = sigalg_security_bits(s->session_ctx, lu); -+ if (secbits == 0 || -+ !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits, -+ md != NULL ? EVP_MD_get_type(md) : NID_undef, -+ (void *)sigalgstr)) { -+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE); -+ return 0; -+ } - } - /* Store the sigalg the peer uses */ - s->s3.tmp.peer_sigalg = lu; -@@ -2106,6 +2116,15 @@ static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu) - } - } - -+ if ((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1) -+ && ossl_ctx_legacy_digest_signatures_allowed(s->session_ctx->libctx, 0) -+ && SSL_get_security_level(SSL_CONNECTION_GET_SSL(s)) < 2) { -+ /* When rh-allow-sha1-signatures = yes and security level <= 1, -+ * explicitly allow SHA1 for backwards compatibility. Also allow -+ * MD5-SHA1 because TLS 1.0 is still supported, which uses it. 
*/ -+ return 1; -+ } -+ - /* Finally see if security callback allows it */ - secbits = sigalg_security_bits(SSL_CONNECTION_GET_CTX(s), lu); - sigalgstr[0] = (lu->sigalg >> 8) & 0xff; -@@ -2977,6 +2996,8 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, - { - /* Lookup signature algorithm digest */ - int secbits, nid, pknid; -+ OSSL_LIB_CTX *libctx = NULL; -+ - - /* Don't check signature if self signed */ - if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0) -@@ -2985,6 +3006,26 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, - /* If digest NID not defined use signature NID */ - if (nid == NID_undef) - nid = pknid; -+ -+ if (x && x->libctx) -+ libctx = x->libctx; -+ else if (ctx && ctx->libctx) -+ libctx = ctx->libctx; -+ else if (s && s->session_ctx && s->session_ctx->libctx) -+ libctx = s->session_ctx->libctx; -+ else -+ libctx = OSSL_LIB_CTX_get0_global_default(); -+ -+ if ((nid == NID_sha1 || nid == NID_md5_sha1) -+ && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0) -+ && ((s != NULL && SSL_get_security_level(SSL_CONNECTION_GET_SSL(s)) < 2) -+ || (ctx != NULL && SSL_CTX_get_security_level(ctx) < 2) -+ )) -+ /* When rh-allow-sha1-signatures = yes and security level <= 1, -+ * explicitly allow SHA1 for backwards compatibility. Also allow -+ * MD5-SHA1 because TLS 1.0 is still supported, which uses it. 
*/ -+ return 1; -+ - if (s != NULL) - return ssl_security(s, op, secbits, nid, x); - else -diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t -index 700bbd849c..280477bc9d 100644 ---- a/test/recipes/25-test_verify.t -+++ b/test/recipes/25-test_verify.t -@@ -387,8 +387,8 @@ ok(verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "0" - ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], ), - "CA with PSS signature using SHA256"); - --ok(!verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "1"), -- "Reject PSS signature using SHA1 and auth level 1"); -+ok(!verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "2"), -+ "Reject PSS signature using SHA1 and auth level 2"); - - ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "2"), - "PSS signature using SHA256 and auth level 2"); --- -2.35.1 - diff --git a/0123-kdf-Preserve-backward-compatibility-with-older-provi.patch b/0123-kdf-Preserve-backward-compatibility-with-older-provi.patch index c88588f..85f97c6 100644 --- a/0123-kdf-Preserve-backward-compatibility-with-older-provi.patch +++ b/0123-kdf-Preserve-backward-compatibility-with-older-provi.patch 
@@ -1,33 +1,62 @@ -From 34a709e89e0c43928d9353aca1fb0c82aaa7e6ab Mon Sep 17 00:00:00 2001 -From: rpm-build -Date: Wed, 12 Jun 2024 20:14:04 +0900 -Subject: [PATCH] kdf: Preserve backward compatibility with older providers +From a4daab0c29bce044d385bdeada177a88c32cba4c Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Mon, 17 Jun 2024 16:48:26 +0200 +Subject: [PATCH] Fix regression of EVP_PKEY_CTX_add1_hkdf_info() with older + providers -Suggested in: -https://github.com/openssl/openssl/issues/24611#issuecomment-2162560293 +If there is no get_ctx_params() implemented in the key exchange +provider implementation the fallback will not work. Instead +check the gettable_ctx_params() to see if the fallback should be +performed. + +Fixes #24611 + +Reviewed-by: Paul Dale +Reviewed-by: Tom Cosgrove +(Merged from https://github.com/openssl/openssl/pull/24661) + +(cherry picked from commit 663dbc9c9c897392a9f9d18aa9a8400ca024dc5d) --- - crypto/evp/pmeth_lib.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) + crypto/evp/pmeth_lib.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c -index 015f756..e776ea5 100644 +index 2caff2cd6d..d15e43be05 100644 --- a/crypto/evp/pmeth_lib.c 
+++ b/crypto/evp/pmeth_lib.c -@@ -1068,8 +1068,13 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback, +@@ -1026,6 +1026,7 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback, + int datalen) + { + OSSL_PARAM os_params[2]; ++ const OSSL_PARAM *gettables; + unsigned char *info = NULL; + size_t info_len = 0; + size_t info_alloc = 0; +@@ -1049,6 +1050,12 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback, + return 1; + } + ++ /* Check for older provider that doesn't support getting this parameter */ ++ gettables = EVP_PKEY_CTX_gettable_params(ctx); ++ if (gettables == NULL || OSSL_PARAM_locate_const(gettables, param) == NULL) ++ return evp_pkey_ctx_set1_octet_string(ctx, fallback, param, op, ctrl, ++ data, datalen); ++ + /* Get the original value length */ os_params[0] = OSSL_PARAM_construct_octet_string(param, NULL, 0); os_params[1] = OSSL_PARAM_construct_end(); - -- if (!EVP_PKEY_CTX_get_params(ctx, os_params)) -+ if (!EVP_PKEY_CTX_get_params(ctx, os_params)) { -+ if (EVP_PKEY_CTX_gettable_params(ctx) == NULL) { -+ /* Older provider that doesn't support gettable parameters */ -+ return evp_pkey_ctx_set1_octet_string(ctx, fallback, param, op, ctrl, data, datalen); -+ } +@@ -1056,9 +1063,9 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback, + if (!EVP_PKEY_CTX_get_params(ctx, os_params)) return 0; -+ } - /* Older provider that doesn't support getting this parameter */ +- /* Older provider that doesn't support getting this parameter */ ++ /* This should not happen but check to be sure. */ if (os_params[0].return_size == OSSL_PARAM_UNMODIFIED) +- return evp_pkey_ctx_set1_octet_string(ctx, fallback, param, op, ctrl, data, datalen); ++ return 0; + + info_alloc = os_params[0].return_size + datalen; + if (info_alloc == 0) -- 2.45.1 diff --git a/gating.yaml b/gating.yaml new file mode 100644 index 0000000..27a7838 --- /dev/null +++ b/gating.yaml 
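Review bot: The new early return in evp_pkey_ctx_add1_octet_string() hands an append request to evp_pkey_ctx_set1_octet_string() whenever the parameter is missing from EVP_PKEY_CTX_gettable_params(), and the added comment does not say that the value is then replaced rather than extended. If that reading is right, a caller that takes the add1 path more than once against an older provider ends up with only the last chunk, and the derived output silently differs from what a newer provider produces. I would extend the comment, e.g. `/* Older provider: current value cannot be read, so fall back to set1 (replaces, does not append) */`. The function body starts and ends outside the hunk.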
@@ -0,0 +1,12 @@ +--- !Policy +product_versions: + - rhel-10 +decision_context: osci_compose_gate +rules: + - !PassingTestCaseRule {test_case_name: osci.brew-build./Plan/ci/fips-disabled-tier1.functional} + - !PassingTestCaseRule {test_case_name: osci.brew-build./Plan/ci/fips-disabled-tier2.functional} + - !PassingTestCaseRule {test_case_name: osci.brew-build./Plan/ci/fips-disabled-explicitCI.functional} + - !PassingTestCaseRule {test_case_name: osci.brew-build./Plan/ci/fips-enabled-tier1.functional} + - !PassingTestCaseRule {test_case_name: osci.brew-build./Plan/ci/fips-enabled-tier2.functional} + - !PassingTestCaseRule {test_case_name: osci.brew-build./Plan/ci/fips-enabled-explicitCI.functional} + # - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tedude.validation} \ No newline at end of file diff --git a/openssl.spec b/openssl.spec index d7a6124..0425717 100644 --- a/openssl.spec +++ b/openssl.spec @@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16)) Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 3.2.2 -Release: 3%{?dist}.alma.1 +Release: 7%{?dist}.alma.1 Epoch: 1 Source: openssl-%{version}.tar.gz Source2: Makefile.certificate @@ -89,8 +89,6 @@ Patch45: 0045-FIPS-services-minimize.patch Patch47: 0047-FIPS-early-KATS.patch # # Selectively disallow SHA1 signatures rhbz#2070977 Patch49: 0049-Allow-disabling-of-SHA1-signatures.patch -# # Support SHA1 in TLS in LEGACY crypto-policy (which is SECLEVEL=1) -Patch52: 0052-Allow-SHA1-in-seclevel-1-if-rh-allow-sha1-signatures.patch # Originally from https://github.com/openssl/openssl/pull/18103 # As we rebased to 3.0.7 and used the version of the function # not matching the upstream one, we have to use aliasing. 
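Review bot: The six rule names in gating.yaml use the path `/Plan/ci/...`, while the plans added in this commit live in `plans/ci.fmf` and import `/Plans/ci/...`; if the gate matches test case names exactly, a spelling that differs from what CI reports leaves the rule unable to match a real result. Please confirm the reported result name (probably of the form `osci.brew-build./plans/ci/fips-disabled-tier1.functional`, inferred from the file path) and align all six entries. The commented-out `baseos-ci.brew-build.tedude.validation` rule would also benefit from a short comment saying why it is disabled, e.g. `# disabled until <reason>`.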
@@ -434,12 +432,10 @@ basearch=sparc basearch=sparc64 %endif -# Next step of gradual disablement of SSL3. -# Make SSL3 disappear to newly built dependencies. -sed -i '/^\#ifndef OPENSSL_NO_SSL_TRACE/i\ -#ifndef OPENSSL_NO_SSL3\ -# define OPENSSL_NO_SSL3\ -#endif' $RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf.h +sed -i '/^\# ifndef OPENSSL_NO_STATIC_ENGINE/i\ +# ifndef OPENSSL_NO_ENGINE\ +# define OPENSSL_NO_ENGINE\ +# endif' $RPM_BUILD_ROOT/%{_prefix}/include/openssl/configuration.h %ifarch %{multilib_arches} # Do an configuration.h switcheroo to avoid file conflicts on systems where you @@ -489,8 +485,10 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco %files devel %doc CHANGES.md doc/dir-locals.example.el doc/openssl-c-indent.el %{_prefix}/include/openssl +%exclude %{_prefix}/include/openssl/engine*.h %{_libdir}/*.so %{_mandir}/man3/* +%exclude %{_mandir}/man3/ENGINE* %{_libdir}/pkgconfig/*.pc %files perl @@ -508,9 +506,26 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco %ldconfig_scriptlets libs %changelog -* Fri Jul 26 2024 Eduard Abdullin - 1:3.2.2-3.alma.1 +* Fri Jul 26 2024 Eduard Abdullin - 1:3.2.2-7.alma.1 - Redefine sslarch for x86_64_v2 arch +* Wed Jul 10 2024 Dmitry Belyavskiy - 1:3.2.2-7 +- Disallow SHA1 at SECLEVEL2 in OpenSSL + Resolves: RHEL-39962 +- SHA-1 signature shouldn't work in normal mode + Resolves: RHEL-36677 + +* Mon Jul 01 2024 Dmitry Belyavskiy - 1:3.2.2-6 +- Do not install ENGINE headers, man pages, and define OPENSSL_NO_ENGINE + Resolves: RHEL-45704 + +* Mon Jul 1 2024 Daiki Ueno - 1:3.2.2-5 +- Replace HKDF backward compatibility patch with the official one + Related: RHEL-41261 + +* Mon Jun 24 2024 Troy Dawson - 1:3.2.2-4 +- Bump release for June 2024 mass rebuild + * Sat Jun 15 2024 Daiki Ueno - 1:3.2.2-3 - Add workaround for EVP_PKEY_CTX_add1_hkdf_info with older providers Resolves: RHEL-41261 
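Review bot: The added `sed -i` that injects `OPENSSL_NO_ENGINE` into configuration.h exits successfully even when its anchor line `# ifndef OPENSSL_NO_STATIC_ENGINE` is absent, so a later rebase could ship headers without the define while the %files hunk (@@ -489) still excludes `engine*.h`. A check directly after it would fail the build instead, e.g. `grep -q 'define OPENSSL_NO_ENGINE' $RPM_BUILD_ROOT/%{_prefix}/include/openssl/configuration.h`. The same hunk drops the sed that defined `OPENSSL_NO_SSL3` in opensslconf.h together with its comment, and the changelog does not mention it; a one-line comment saying where SSL3 is now hidden from dependents, or that it no longer is, would close that gap. The new sed has no comment of its own, so I would add `# Hide the ENGINE API from newly built dependencies` above it.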
diff --git a/plans/ci.fmf b/plans/ci.fmf
new file mode 100644
index 0000000..bdb273c
--- /dev/null
+++ b/plans/ci.fmf
@@ -0,0 +1,40 @@
+/fips-disabled-tier1:
+ plan:
+ import:
+ url: https://pkgs.devel.redhat.com/git/tests/openssl
+ name: /Plans/ci/fips-disabled-tier1
+
+
+/fips-disabled-tier2:
+ plan:
+ import:
+ url: https://pkgs.devel.redhat.com/git/tests/openssl
+ name: /Plans/ci/fips-disabled-tier2
+
+
+/fips-disabled-explicitCI:
+ plan:
+ import:
+ url: https://pkgs.devel.redhat.com/git/tests/openssl
+ name: /Plans/ci/fips-disabled-explicitCI
+
+
+/fips-enabled-tier1:
+ plan:
+ import:
+ url: https://pkgs.devel.redhat.com/git/tests/openssl
+ name: /Plans/ci/fips-enabled-tier1
+
+
+/fips-enabled-tier2:
+ plan:
+ import:
+ url: https://pkgs.devel.redhat.com/git/tests/openssl
+ name: /Plans/ci/fips-enabled-tier2
+
+
+/fips-enabled-explicitCI:
+ plan:
+ import:
+ url: https://pkgs.devel.redhat.com/git/tests/openssl
+ name: /Plans/ci/fips-enabled-explicitCI
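Review bot: Each `import` pulls its plan from `https://pkgs.devel.redhat.com/git/tests/openssl` without a `ref`, so the tests that gate this package follow whatever the remote default branch holds at run time. Pinning each entry with `ref: <branch-or-commit>` (placeholder) under `import:` makes the gate reproducible and keeps a change in the test repository from silently altering or weakening the FIPS-enabled and FIPS-disabled coverage. The host appears to be internal, so rebuilds outside that network presumably cannot resolve these plans; a comment at the top of the file saying so would save downstream maintainers a failed CI run.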