forked from rpms/openssl
efdb8c60a3
Fedora supports TLS down to 1.0 in LEGACY crypto-policy, but TLS 1.0 defaults to rsa_pkcs1_md5_sha1 with RSA certificates by default. However, MD5-SHA1 would require SECLEVEL=0, because its 67 bits of security do not meet SECLEVEL=1's requirement of 80 bits. Instead of setting SECLEVEL to 0 in the LEGACY crypto-policy (which would include all algorithms, regardless of their security level), allow MD5-SHA1 if rh-allow-sha1-signatures is yes and SECLEVEL is 1. Related: rhbz#2069239
239 lines
9.3 KiB
Diff
239 lines
9.3 KiB
Diff
From 428369896db1656af748a67bb36fba039e7b39ad Mon Sep 17 00:00:00 2001
|
|
From: Clemens Lang <cllang@redhat.com>
|
|
Date: Mon, 25 Apr 2022 15:21:46 +0200
|
|
Subject: [PATCH] Instrument SHA-1 signatures with USDT probes
|
|
|
|
In order to discover remaining uses of SHA-1 in signatures without
|
|
forcefully breaking the code paths, add USDT probes that can be queried
|
|
with systemtap at runtime.
|
|
|
|
This should allow identifying components that still use SHA-1 signatures
|
|
in production so that they can be transitioned to more modern hash
|
|
algorithms.
|
|
---
|
|
crypto/evp/m_sigver.c | 13 +++++++++----
|
|
crypto/evp/pmeth_lib.c | 13 +++++++++----
|
|
crypto/x509/x509_vfy.c | 6 +++++-
|
|
providers/common/securitycheck.c | 22 +++++++++++++++-------
|
|
providers/common/securitycheck_default.c | 13 +++++++++++--
|
|
ssl/t1_lib.c | 8 +++++++-
|
|
6 files changed, 56 insertions(+), 19 deletions(-)
|
|
|
|
diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c
|
|
index 8da2183ce0..c17cdfa5d5 100644
|
|
--- a/crypto/evp/m_sigver.c
|
|
+++ b/crypto/evp/m_sigver.c
|
|
@@ -16,6 +16,8 @@
|
|
#include "internal/numbers.h" /* includes SIZE_MAX */
|
|
#include "evp_local.h"
|
|
|
|
+#include <sys/sdt.h>
|
|
+
|
|
typedef struct ossl_legacy_digest_signatures_st {
|
|
int allowed;
|
|
} OSSL_LEGACY_DIGEST_SIGNATURES;
|
|
@@ -336,10 +338,13 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
|
&& !EVP_PKEY_is_a(locpctx->pkey, SN_tls1_prf)
|
|
&& !EVP_PKEY_is_a(locpctx->pkey, SN_hkdf)) {
|
|
int mdnid = EVP_MD_nid(ctx->reqdigest);
|
|
- if (!ossl_ctx_legacy_digest_signatures_allowed(locpctx->libctx, 0)
|
|
- && (mdnid == NID_sha1 || mdnid == NID_md5_sha1)) {
|
|
- ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_DIGEST);
|
|
- goto err;
|
|
+ if (mdnid == NID_sha1 || mdnid == NID_md5_sha1) {
|
|
+ if (!ossl_ctx_legacy_digest_signatures_allowed(locpctx->libctx, 0)) {
|
|
+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_DIGEST);
|
|
+ goto err;
|
|
+ } else {
|
|
+ DTRACE_PROBE1(libcrypto, fedora_do_sigver_init_1, mdnid);
|
|
+ }
|
|
}
|
|
}
|
|
|
|
diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
|
|
index b96f148c0d..54fcf24945 100644
|
|
--- a/crypto/evp/pmeth_lib.c
|
|
+++ b/crypto/evp/pmeth_lib.c
|
|
@@ -37,6 +37,8 @@
|
|
#include "internal/sslconf.h"
|
|
#include "evp_local.h"
|
|
|
|
+#include <sys/sdt.h>
|
|
+
|
|
#ifndef FIPS_MODULE
|
|
|
|
static int evp_pkey_ctx_store_cached_data(EVP_PKEY_CTX *ctx,
|
|
@@ -956,10 +958,13 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_CTX *ctx, const EVP_MD *md,
|
|
&& !EVP_PKEY_is_a(ctx->pkey, SN_tls1_prf)
|
|
&& !EVP_PKEY_is_a(ctx->pkey, SN_hkdf)) {
|
|
int mdnid = EVP_MD_nid(md);
|
|
- if ((mdnid == NID_sha1 || mdnid == NID_md5_sha1)
|
|
- && !ossl_ctx_legacy_digest_signatures_allowed(ctx->libctx, 0)) {
|
|
- ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_DIGEST);
|
|
- return -1;
|
|
+ if (mdnid == NID_sha1 || mdnid == NID_md5_sha1) {
|
|
+ if (!ossl_ctx_legacy_digest_signatures_allowed(ctx->libctx, 0)) {
|
|
+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_DIGEST);
|
|
+ return -1;
|
|
+ } else {
|
|
+ DTRACE_PROBE1(libcrypto, fedora_evp_pkey_ctx_set_md_1, mdnid);
|
|
+ }
|
|
}
|
|
}
|
|
|
|
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
|
|
index bf0c608839..78638ce80e 100644
|
|
--- a/crypto/x509/x509_vfy.c
|
|
+++ b/crypto/x509/x509_vfy.c
|
|
@@ -29,6 +29,8 @@
|
|
#include "crypto/x509.h"
|
|
#include "x509_local.h"
|
|
|
|
+#include <sys/sdt.h>
|
|
+
|
|
/* CRL score values */
|
|
|
|
#define CRL_SCORE_NOCRITICAL 0x100 /* No unhandled critical extensions */
|
|
@@ -3462,11 +3464,13 @@ static int check_sig_level(X509_STORE_CTX *ctx, X509 *cert)
|
|
|
|
if ((nid == NID_sha1 || nid == NID_md5_sha1)
|
|
&& ossl_ctx_legacy_digest_signatures_allowed(libctx, 0)
|
|
- && ctx->param->auth_level < 2)
|
|
+ && ctx->param->auth_level < 2) {
|
|
+ DTRACE_PROBE1(libcrypto, fedora_check_sig_level_1, nid);
|
|
/* When rh-allow-sha1-signatures = yes and security level <= 1,
|
|
* explicitly allow SHA1 for backwards compatibility. Also allow
|
|
* MD5-SHA1 because TLS 1.0 is still supported, which uses it. */
|
|
return 1;
|
|
+ }
|
|
|
|
return secbits >= minbits_table[level - 1];
|
|
}
|
|
diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c
|
|
index e534ad0a5f..bf496450cf 100644
|
|
--- a/providers/common/securitycheck.c
|
|
+++ b/providers/common/securitycheck.c
|
|
@@ -21,6 +21,8 @@
|
|
#include "prov/securitycheck.h"
|
|
#include "internal/sslconf.h"
|
|
|
|
+#include <sys/sdt.h>
|
|
+
|
|
/*
|
|
* FIPS requires a minimum security strength of 112 bits (for encryption or
|
|
* signing), and for legacy purposes 80 bits (for decryption or verifying).
|
|
@@ -238,11 +240,14 @@ int ossl_digest_get_approved_nid_with_sha1(OSSL_LIB_CTX *ctx, const EVP_MD *md,
|
|
# endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
|
|
|
|
#ifndef FIPS_MODULE
|
|
- if (!ossl_ctx_legacy_digest_signatures_allowed(ctx, 0))
|
|
- /* SHA1 is globally disabled, check whether we want to locally allow
|
|
- * it. */
|
|
- if (mdnid == NID_sha1 && !sha1_allowed)
|
|
+ if (mdnid == NID_sha1 && !sha1_allowed) {
|
|
+ if (!ossl_ctx_legacy_digest_signatures_allowed(ctx, 0))
|
|
+ /* SHA1 is globally disabled, check whether we want to locally allow
|
|
+ * it. */
|
|
mdnid = -1;
|
|
+ else
|
|
+ DTRACE_PROBE1(libcrypto, fedora_ossl_digest_get_approved_nid_with_sha1_1, mdnid);
|
|
+ }
|
|
#endif
|
|
|
|
return mdnid;
|
|
@@ -258,9 +263,12 @@ int ossl_digest_is_allowed(OSSL_LIB_CTX *ctx, const EVP_MD *md)
|
|
#ifndef FIPS_MODULE
|
|
{
|
|
int mdnid = EVP_MD_nid(md);
|
|
- if ((mdnid == NID_sha1 || mdnid == NID_md5_sha1)
|
|
- && !ossl_ctx_legacy_digest_signatures_allowed(ctx, 0))
|
|
- return 0;
|
|
+ if (mdnid == NID_sha1 || mdnid == NID_md5_sha1) {
|
|
+ if (!ossl_ctx_legacy_digest_signatures_allowed(ctx, 0))
|
|
+ return 0;
|
|
+ else
|
|
+ DTRACE_PROBE1(libcrypto, fedora_ossl_digest_is_allowed_1, mdnid);
|
|
+ }
|
|
}
|
|
#endif
|
|
|
|
diff --git a/providers/common/securitycheck_default.c b/providers/common/securitycheck_default.c
|
|
index ce54a94fbc..2d21e4a7df 100644
|
|
--- a/providers/common/securitycheck_default.c
|
|
+++ b/providers/common/securitycheck_default.c
|
|
@@ -17,6 +17,8 @@
|
|
#include "internal/nelem.h"
|
|
#include "internal/sslconf.h"
|
|
|
|
+#include <sys/sdt.h>
|
|
+
|
|
/* Disable the security checks in the default provider */
|
|
int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx)
|
|
{
|
|
@@ -40,9 +42,16 @@ int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md,
|
|
|
|
ldsigs_allowed = ossl_ctx_legacy_digest_signatures_allowed(ctx, 0);
|
|
mdnid = ossl_digest_get_approved_nid_with_sha1(ctx, md, sha1_allowed || ldsigs_allowed);
|
|
+ if (mdnid == NID_sha1)
|
|
+ /* This will only happen if SHA1 is allowed, otherwise mdnid is -1. */
|
|
+ DTRACE_PROBE1(libcrypto, fedora_ossl_digest_rsa_sign_get_md_nid_1, mdnid);
|
|
if (mdnid == NID_undef)
|
|
mdnid = ossl_digest_md_to_nid(md, name_to_nid, OSSL_NELEM(name_to_nid));
|
|
- if (mdnid == NID_md5_sha1 && !ldsigs_allowed)
|
|
- mdnid = -1;
|
|
+ if (mdnid == NID_md5_sha1) {
|
|
+ if (ldsigs_allowed)
|
|
+ DTRACE_PROBE1(libcrypto, fedora_ossl_digest_rsa_sign_get_md_nid_2, mdnid);
|
|
+ else
|
|
+ mdnid = -1;
|
|
+ }
|
|
return mdnid;
|
|
}
|
|
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
|
|
index 0b50266b69..d05e696a28 100644
|
|
--- a/ssl/t1_lib.c
|
|
+++ b/ssl/t1_lib.c
|
|
@@ -28,6 +28,8 @@
|
|
#include "ssl_local.h"
|
|
#include <openssl/ct.h>
|
|
|
|
+#include <sys/sdt.h>
|
|
+
|
|
static const SIGALG_LOOKUP *find_sig_alg(SSL *s, X509 *x, EVP_PKEY *pkey);
|
|
static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu);
|
|
|
|
@@ -1569,6 +1571,7 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey)
|
|
/* When rh-allow-sha1-signatures = yes and security level <= 1,
|
|
* explicitly allow SHA1 for backwards compatibility. Also allow
|
|
* MD5-SHA1 because TLS 1.0 is still supported, which uses it. */
|
|
+ DTRACE_PROBE1(libssl, fedora_tls12_check_peer_sigalg_1, lu->hash);
|
|
} else {
|
|
/*
|
|
* Make sure security callback allows algorithm. For historical
|
|
@@ -2122,6 +2125,7 @@ static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu)
|
|
/* When rh-allow-sha1-signatures = yes and security level <= 1,
|
|
* explicitly allow SHA1 for backwards compatibility. Also allow
|
|
* MD5-SHA1 because TLS 1.0 is still supported, which uses it. */
|
|
+ DTRACE_PROBE1(libssl, fedora_tls12_sigalg_allowed_1, lu->hash);
|
|
return 1;
|
|
}
|
|
|
|
@@ -3020,11 +3024,13 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
|
|
&& ossl_ctx_legacy_digest_signatures_allowed(libctx, 0)
|
|
&& ((s != NULL && SSL_get_security_level(s) < 2)
|
|
|| (ctx != NULL && SSL_CTX_get_security_level(ctx) < 2)
|
|
- ))
|
|
+ )) {
|
|
/* When rh-allow-sha1-signatures = yes and security level <= 1,
|
|
* explicitly allow SHA1 for backwards compatibility. Also allow
|
|
* MD5-SHA1 because TLS 1.0 is still supported, which uses it. */
|
|
+ DTRACE_PROBE1(libssl, fedora_ssl_security_cert_sig_1, nid);
|
|
return 1;
|
|
+ }
|
|
|
|
if (s)
|
|
return ssl_security(s, op, secbits, nid, x);
|
|
--
|
|
2.35.1
|
|
|