Fix TLS connections with SHA1 signatures if rh-allow-sha1-signatures = yes

Resolves: rhbz#2065400 Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-03-17 13:36:33 +01:00 · 2022-03-17 13:36:33 +01:00 · 4eb630f7d5
commit 4eb630f7d5
parent 03697fff80
2 changed files with 150 additions and 7 deletions
--- a/0052-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch
+++ b/0052-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch
@ -1,14 +1,60 @@
-From 1c6d5f6162a46bcde94e8ae9eaa0c41da1d7faa3 Mon Sep 17 00:00:00 2001
+From 47f5bc59dd63dc16574c5d3e09eea999095b556e Mon Sep 17 00:00:00 2001
 From: Clemens Lang <cllang@redhat.com>
 Date: Tue, 1 Mar 2022 15:44:18 +0100
 Subject: [PATCH] Allow SHA1 in seclevel 2 if rh-allow-sha1-signatures = yes
 References: rhbz#2055796
 ---
- doc/man5/config.pod | 7 ++++++-
+ crypto/x509/x509_vfy.c        | 19 +++++++++++-
- ssl/t1_lib.c        | 8 ++++++++
+ doc/man5/config.pod           |  7 ++++-
- 2 files changed, 14 insertions(+), 1 deletion(-)
+ ssl/t1_lib.c                  | 55 ++++++++++++++++++++++++++---------
 test/recipes/25-test_verify.t |  7 +++--
 4 files changed, 70 insertions(+), 18 deletions(-)
 diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
 index ff3ca83de6..a549c1c111 100644
 --- a/crypto/x509/x509_vfy.c
 +++ b/crypto/x509/x509_vfy.c
@@ -25,6 +25,7 @@
 #include <openssl/objects.h>
 #include <openssl/core_names.h>
 #include "internal/dane.h"
 +#include "internal/sslconf.h"
 #include "crypto/x509.h"
 #include "x509_local.h"
@@ -3440,14 +3441,30 @@ static int check_sig_level(X509_STORE_CTX *ctx, X509 *cert)
 {
     int secbits = -1;
     int level = ctx->param->auth_level;
 +    int nid;
 +    OSSL_LIB_CTX *libctx = NULL;
     if (level <= 0)
         return 1;
     if (level > NUM_AUTH_LEVELS)
         level = NUM_AUTH_LEVELS;
 -    if (!X509_get_signature_info(cert, NULL, NULL, &secbits, NULL))
 +    if (ctx->libctx)
 +        libctx = ctx->libctx;
 +    else if (cert->libctx)
 +        libctx = cert->libctx;
 +    else
 +        libctx = OSSL_LIB_CTX_get0_global_default();
 +
 +    if (!X509_get_signature_info(cert, &nid, NULL, &secbits, NULL))
         return 0;
 +    if (nid == NID_sha1
 +            && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0)
 +            && ctx->param->auth_level < 3)
 +        /* When rh-allow-sha1-signatures = yes and security level <= 2,
 +         * explicitly allow SHA1 for backwards compatibility. */
 +        return 1;
 +
     return secbits >= minbits_table[level - 1];
 }
 diff --git a/doc/man5/config.pod b/doc/man5/config.pod
 index aa1be5ca7f..aa69e2b844 100644
 --- a/doc/man5/config.pod
@ -28,10 +74,59 @@ index aa1be5ca7f..aa69e2b844 100644
 =item B<fips_mode> (deprecated)
 diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
-index 4b74ee1a34..724ded67ba 100644
+index 4b74ee1a34..0638a51aff 100644
 --- a/ssl/t1_lib.c
 +++ b/ssl/t1_lib.c
-@@ -2106,6 +2106,14 @@ static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu)
+@@ -20,6 +20,7 @@
 #include <openssl/bn.h>
 #include <openssl/provider.h>
 #include <openssl/param_build.h>
 +#include "crypto/x509.h"
 #include "internal/sslconf.h"
 #include "internal/nelem.h"
 #include "internal/sizes.h"
@@ -1561,19 +1562,27 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey)
         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_UNKNOWN_DIGEST);
         return 0;
     }
 -    /*
 -     * Make sure security callback allows algorithm. For historical
 -     * reasons we have to pass the sigalg as a two byte char array.
 -     */
 -    sigalgstr[0] = (sig >> 8) & 0xff;
 -    sigalgstr[1] = sig & 0xff;
 -    secbits = sigalg_security_bits(s->ctx, lu);
 -    if (secbits == 0 ||
 -        !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits,
 -                      md != NULL ? EVP_MD_get_type(md) : NID_undef,
 -                      (void *)sigalgstr)) {
 -        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE);
 -        return 0;
 +
 +    if (lu->hash == NID_sha1
 +            && ossl_ctx_legacy_digest_signatures_allowed(s->ctx->libctx, 0)
 +            && SSL_get_security_level(s) < 3) {
 +        /* when rh-allow-sha1-signatures = yes and security level <= 2,
 +         * explicitly allow SHA1 for backwards compatibility */
 +    } else {
 +        /*
 +         * Make sure security callback allows algorithm. For historical
 +         * reasons we have to pass the sigalg as a two byte char array.
 +         */
 +        sigalgstr[0] = (sig >> 8) & 0xff;
 +        sigalgstr[1] = sig & 0xff;
 +        secbits = sigalg_security_bits(s->ctx, lu);
 +        if (secbits == 0 ||
 +            !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits,
 +                          md != NULL ? EVP_MD_get_type(md) : NID_undef,
 +                          (void *)sigalgstr)) {
 +            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE);
 +            return 0;
 +        }
     }
     /* Store the sigalg the peer uses */
     s->s3.tmp.peer_sigalg = lu;
@@ -2106,6 +2115,14 @@ static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu)
         }
     }
@ -46,6 +141,50 @@ index 4b74ee1a34..724ded67ba 100644
     /* Finally see if security callback allows it */
     secbits = sigalg_security_bits(s->ctx, lu);
     sigalgstr[0] = (lu->sigalg >> 8) & 0xff;
@@ -2985,6 +3002,18 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
     /* If digest NID not defined use signature NID */
     if (nid == NID_undef)
         nid = pknid;
 +
 +    if (nid == NID_sha1
 +            && x != NULL
 +            && x->libctx != NULL
 +            && ossl_ctx_legacy_digest_signatures_allowed(x->libctx, 0)
 +            && ((s != NULL && SSL_get_security_level(s) < 3)
 +                || (ctx != NULL && SSL_CTX_get_security_level(ctx) < 3)
 +            ))
 +        /* When rh-allow-sha1-signatures = yes and security level <= 2,
 +         * explicitly allow SHA1 for backwards compatibility. */
 +        return 1;
 +
     if (s)
         return ssl_security(s, op, secbits, nid, x);
     else
 diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t
 index 700bbd849c..2de1d76b5e 100644
 --- a/test/recipes/25-test_verify.t
 +++ b/test/recipes/25-test_verify.t
@@ -29,7 +29,7 @@ sub verify {
     run(app([@args]));
 }
 -plan tests => 160;
 +plan tests => 159;
 # Canonical success
 ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
@@ -387,8 +387,9 @@ ok(verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "0"
 ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], ),
     "CA with PSS signature using SHA256");
 -ok(!verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "1"),
 -    "Reject PSS signature using SHA1 and auth level 1");
 +## rh-allow-sha1-signatures=yes allows this to pass despite -auth_level 1
 +#ok(!verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "1"),
 +#    "Reject PSS signature using SHA1 and auth level 1");
 ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
     "PSS signature using SHA256 and auth level 2");
 -- 
 2.35.1
--- a/openssl.spec
+++ b/openssl.spec
@ -15,7 +15,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 3.0.1
-Release: 18%{?dist}
+Release: 19%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@ -416,6 +416,10 @@ install -m644 %{SOURCE9} \
 %ldconfig_scriptlets libs
 %changelog
 * Fri Mar 18 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-19
 - Fix TLS connections with SHA1 signatures if rh-allow-sha1-signatures = yes
 - Resolves: rhbz#2065400
 * Wed Mar 16 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-18
 - CVE-2022-0778 fix
 - Resolves: rhbz#2062315