Allow SHA1 in seclevel 2 if rh-allow-sha1-signatures = yes

We want legacy policy to be able to talk to older RHEL that only supports SHA1 signature algorithms, so allow SHA1 signatures even in seclevel 2 if rh-allow-sha1-signatures is set to yes. Resolves: rhbz#2060510 Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-03-01 15:58:48 +01:00 · 2022-03-01 15:58:48 +01:00 · 3c66c99bd5
commit 3c66c99bd5
parent ede38fcb54
2 changed files with 58 additions and 1 deletions
--- a/0052-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch
+++ b/0052-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch
@ -0,0 +1,51 @@
 From 1c6d5f6162a46bcde94e8ae9eaa0c41da1d7faa3 Mon Sep 17 00:00:00 2001
 From: Clemens Lang <cllang@redhat.com>
 Date: Tue, 1 Mar 2022 15:44:18 +0100
 Subject: [PATCH] Allow SHA1 in seclevel 2 if rh-allow-sha1-signatures = yes
 References: rhbz#2055796
 ---
 doc/man5/config.pod | 7 ++++++-
 ssl/t1_lib.c        | 8 ++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)
 diff --git a/doc/man5/config.pod b/doc/man5/config.pod
 index aa1be5ca7f..aa69e2b844 100644
 --- a/doc/man5/config.pod
 +++ b/doc/man5/config.pod
@@ -305,7 +305,12 @@ When set to B<no>, any attempt to create or verify a signature with a SHA1
 digest will fail.  For compatibility with older versions of OpenSSL, set this
 option to B<yes>.  This setting also affects TLS, where signature algorithms
 that use SHA1 as digest will no longer be supported if this option is set to
 -B<no>.
 +B<no>.  Note that enabling B<rh-allow-sha1-signatures> will allow TLS signature
 +algorithms that use SHA1 in security level 2, despite the definition of
 +security level 2 of 112 bits of security, which SHA1 does not meet.  Because
 +TLS 1.1 or lower use MD5-SHA1 as pseudorandom function (PRF) to derive key
 +material, disabling B<rh-allow-sha1-signatures> requires the use of TLS 1.2 or
 +newer.
 =item B<fips_mode> (deprecated)
 diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
 index 4b74ee1a34..724ded67ba 100644
 --- a/ssl/t1_lib.c
 +++ b/ssl/t1_lib.c
@@ -2106,6 +2106,14 @@ static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu)
         }
     }
 +    if (lu->hash == NID_sha1
 +            && ossl_ctx_legacy_digest_signatures_allowed(s->ctx->libctx, 0)
 +            && SSL_get_security_level(s) < 3) {
 +        /* when rh-allow-sha1-signatures = yes and security level <= 2,
 +         * explicitly allow SHA1 for backwards compatibility */
 +        return 1;
 +    }
 +
     /* Finally see if security callback allows it */
     secbits = sigalg_security_bits(s->ctx, lu);
     sigalgstr[0] = (lu->sigalg >> 8) & 0xff;
 -- 
 2.35.1
--- a/openssl.spec
+++ b/openssl.spec
@ -15,7 +15,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 3.0.1
-Release: 14%{?dist}
+Release: 15%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@ -82,6 +82,8 @@ Patch49: 0049-Selectively-disallow-SHA1-signatures.patch
 Patch50: 0050-FIPS-enable-pkcs12-mac.patch
 # Backport of patch for RHEL for Edge rhbz #2027261
 Patch51: 0051-Support-different-R_BITS-lengths-for-KBKDF.patch
 # Allow SHA1 in seclevel 2 if rh-allow-sha1-signatures = yes
 Patch52: 0052-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch
 License: ASL 2.0
 URL: http://www.openssl.org/
@ -412,6 +414,10 @@ install -m644 %{SOURCE9} \
 %ldconfig_scriptlets libs
 %changelog
 * Tue Mar 01 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-15
 - Allow SHA1 in SECLEVEL 2 if rh-allow-sha1-signatures = yes
 - Resolves: rhbz#2060510
 * Fri Feb 25 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-14
 - Prevent use of SHA1 with ECDSA
 - Resolves: rhbz#2031742