SHA-1 signature shouldn't work in normal mode

Resolves: RHEL-36677
Dmitry Belyavskiy 2024-07-10 11:43:37 +02:00
parent 09b4e34fcf
commit 7d3d9af0c8
2 changed files with 4 additions and 2 deletions


@ -132,7 +132,7 @@ index 630d339c35..6e4e9f5ae7 100644
+ /* Warning: This patch differs from the same patch in CentOS and RHEL here, + /* Warning: This patch differs from the same patch in CentOS and RHEL here,
+ * because the default on Fedora is to allow SHA-1 and support disabling + * because the default on Fedora is to allow SHA-1 and support disabling
+ * it, while CentOS/RHEL disable it by default and allow enabling it. */ + * it, while CentOS/RHEL disable it by default and allow enabling it. */
+ ldsigs->allowed = 1; + ldsigs->allowed = 0;
+ return ldsigs; + return ldsigs;
+} +}
+ +
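Review bot: the three-line warning comment directly above `ldsigs->allowed = 0;` is now contradicted by the code it annotates. It says this copy of the patch differs from CentOS/RHEL because Fedora's default is to allow SHA-1, yet the line below it now sets the default to disallowed, which is exactly the CentOS/RHEL behaviour the comment claims this copy does not have. Either drop the warning or reword it to say SHA-1 signatures are disabled by default and can be enabled, so the next person touching this patch is not tempted to "fix" the 0 back to 1.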
@ -161,7 +161,7 @@ index 630d339c35..6e4e9f5ae7 100644
+ /* Warning: This patch differs from the same patch in CentOS and RHEL here, + /* Warning: This patch differs from the same patch in CentOS and RHEL here,
+ * because the default on Fedora is to allow SHA-1 and support disabling + * because the default on Fedora is to allow SHA-1 and support disabling
+ * it, while CentOS/RHEL disable it by default and allow enabling it. */ + * it, while CentOS/RHEL disable it by default and allow enabling it. */
+ return ldsigs != NULL ? ldsigs->allowed : 1; + return ldsigs != NULL ? ldsigs->allowed : 0;
+} +}
+ +
+int ossl_ctx_legacy_digest_signatures_allowed_set(OSSL_LIB_CTX *libctx, int allow, +int ossl_ctx_legacy_digest_signatures_allowed_set(OSSL_LIB_CTX *libctx, int allow,
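Review bot: the same stale warning comment sits above `return ldsigs != NULL ? ldsigs->allowed : 0;` and should be updated or removed together with the one in the allocator so both sites describe the same default. The change to the fallback value itself is correct: when no context has been allocated the getter now fails closed (SHA-1 signatures disallowed) instead of open, which matches the new default set in the allocator and the commit title.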


@ -506,6 +506,8 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco
* Wed Jul 10 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.2.2-7 * Wed Jul 10 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.2.2-7
- Disallow SHA1 at SECLEVEL2 in OpenSSL - Disallow SHA1 at SECLEVEL2 in OpenSSL
Resolves: RHEL-39962 Resolves: RHEL-39962
- SHA-1 signature shouldn't work in normal mode
Resolves: RHEL-36677
* Mon Jul 01 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.2.2-6 * Mon Jul 01 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.2.2-6
- Do not install ENGINE headers, man pages, and define OPENSSL_NO_ENGINE - Do not install ENGINE headers, man pages, and define OPENSSL_NO_ENGINE
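Review bot: the two new changelog lines are appended to the existing `1:3.2.2-7` entry rather than added as a new one, and the diff stat (4 additions, 2 deletions across two files) leaves no room for a matching `Release:` bump in the spec. That is only acceptable if 3.2.2-7 has not been built yet; if it has, this fix needs its own entry with a bumped release so it ships as a distinct package. Minor: the same entry now spells the algorithm both `SHA1` and `SHA-1`; pick one.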