rpms/mingw-openssl
5
0
Fork 0
Code Issues Pull Requests Releases Activity
37532b3c5d
mingw-openssl/0053-Add-SHA1-probes.patch
Sandro Mani 37532b3c5d Update to 3.0.9
2023-05-31 15:21:45 +02:00

209 lines
8.7 KiB
Diff
Raw Blame History

diff -rupN --no-dereference openssl-3.0.9/crypto/evp/m_sigver.c openssl-3.0.9-new/crypto/evp/m_sigver.c
--- openssl-3.0.9/crypto/evp/m_sigver.c 2023-05-31 14:33:14.946113797 +0200
+++ openssl-3.0.9-new/crypto/evp/m_sigver.c 2023-05-31 14:33:15.503113557 +0200
@@ -16,6 +16,8 @@
#include "internal/numbers.h" /* includes SIZE_MAX */
#include "evp_local.h"
+#include <sys/sdt.h>
+
typedef struct ossl_legacy_digest_signatures_st {
int allowed;
} OSSL_LEGACY_DIGEST_SIGNATURES;
@@ -336,10 +338,13 @@ static int do_sigver_init(EVP_MD_CTX *ct
&& !EVP_PKEY_is_a(locpctx->pkey, SN_tls1_prf)
&& !EVP_PKEY_is_a(locpctx->pkey, SN_hkdf)) {
int mdnid = EVP_MD_nid(ctx->reqdigest);
- if (!ossl_ctx_legacy_digest_signatures_allowed(locpctx->libctx, 0)
- && (mdnid == NID_sha1 || mdnid == NID_md5_sha1)) {
- ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_DIGEST);
- goto err;
+ if (mdnid == NID_sha1 || mdnid == NID_md5_sha1) {
+ if (!ossl_ctx_legacy_digest_signatures_allowed(locpctx->libctx, 0)) {
+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_DIGEST);
+ goto err;
+ } else {
+ DTRACE_PROBE1(libcrypto, fedora_do_sigver_init_1, mdnid);
+ }
}
}
diff -rupN --no-dereference openssl-3.0.9/crypto/evp/pmeth_lib.c openssl-3.0.9-new/crypto/evp/pmeth_lib.c
--- openssl-3.0.9/crypto/evp/pmeth_lib.c 2023-05-31 14:33:14.946113797 +0200
+++ openssl-3.0.9-new/crypto/evp/pmeth_lib.c 2023-05-31 14:33:15.504113556 +0200
@@ -36,6 +36,8 @@
#include "internal/sslconf.h"
#include "evp_local.h"
+#include <sys/sdt.h>
+
#ifndef FIPS_MODULE
static int evp_pkey_ctx_store_cached_data(EVP_PKEY_CTX *ctx,
@@ -966,10 +968,13 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_
&& !EVP_PKEY_is_a(ctx->pkey, SN_tls1_prf)
&& !EVP_PKEY_is_a(ctx->pkey, SN_hkdf)) {
int mdnid = EVP_MD_nid(md);
- if ((mdnid == NID_sha1 || mdnid == NID_md5_sha1)
- && !ossl_ctx_legacy_digest_signatures_allowed(ctx->libctx, 0)) {
- ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_DIGEST);
- return -1;
+ if (mdnid == NID_sha1 || mdnid == NID_md5_sha1) {
+ if (!ossl_ctx_legacy_digest_signatures_allowed(ctx->libctx, 0)) {
+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_DIGEST);
+ return -1;
+ } else {
+ DTRACE_PROBE1(libcrypto, fedora_evp_pkey_ctx_set_md_1, mdnid);
+ }
}
}
diff -rupN --no-dereference openssl-3.0.9/crypto/x509/x509_vfy.c openssl-3.0.9-new/crypto/x509/x509_vfy.c
--- openssl-3.0.9/crypto/x509/x509_vfy.c 2023-05-31 14:33:15.498113559 +0200
+++ openssl-3.0.9-new/crypto/x509/x509_vfy.c 2023-05-31 14:33:15.504113556 +0200
@@ -29,6 +29,8 @@
#include "crypto/x509.h"
#include "x509_local.h"
+#include <sys/sdt.h>
+
/* CRL score values */
#define CRL_SCORE_NOCRITICAL 0x100 /* No unhandled critical extensions */
@@ -3459,11 +3461,13 @@ static int check_sig_level(X509_STORE_CT
if ((nid == NID_sha1 || nid == NID_md5_sha1)
&& ossl_ctx_legacy_digest_signatures_allowed(libctx, 0)
- && ctx->param->auth_level < 2)
+ && ctx->param->auth_level < 2) {
+ DTRACE_PROBE1(libcrypto, fedora_check_sig_level_1, nid);
/* When rh-allow-sha1-signatures = yes and security level <= 1,
* explicitly allow SHA1 for backwards compatibility. Also allow
* MD5-SHA1 because TLS 1.0 is still supported, which uses it. */
return 1;
+ }
return secbits >= minbits_table[level - 1];
}
diff -rupN --no-dereference openssl-3.0.9/providers/common/securitycheck.c openssl-3.0.9-new/providers/common/securitycheck.c
--- openssl-3.0.9/providers/common/securitycheck.c 2023-05-31 14:33:14.948113796 +0200
+++ openssl-3.0.9-new/providers/common/securitycheck.c 2023-05-31 14:33:15.504113556 +0200
@@ -21,6 +21,8 @@
#include "prov/securitycheck.h"
#include "internal/sslconf.h"
+#include <sys/sdt.h>
+
/*
* FIPS requires a minimum security strength of 112 bits (for encryption or
* signing), and for legacy purposes 80 bits (for decryption or verifying).
@@ -238,11 +240,14 @@ int ossl_digest_get_approved_nid_with_sh
# endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
#ifndef FIPS_MODULE
- if (!ossl_ctx_legacy_digest_signatures_allowed(ctx, 0))
- /* SHA1 is globally disabled, check whether we want to locally allow
- * it. */
- if (mdnid == NID_sha1 && !sha1_allowed)
+ if (mdnid == NID_sha1 && !sha1_allowed) {
+ if (!ossl_ctx_legacy_digest_signatures_allowed(ctx, 0))
+ /* SHA1 is globally disabled, check whether we want to locally allow
+ * it. */
mdnid = -1;
+ else
+ DTRACE_PROBE1(libcrypto, fedora_ossl_digest_get_approved_nid_with_sha1_1, mdnid);
+ }
#endif
return mdnid;
@@ -258,9 +263,12 @@ int ossl_digest_is_allowed(OSSL_LIB_CTX
#ifndef FIPS_MODULE
{
int mdnid = EVP_MD_nid(md);
- if ((mdnid == NID_sha1 || mdnid == NID_md5_sha1)
- && !ossl_ctx_legacy_digest_signatures_allowed(ctx, 0))
- return 0;
+ if (mdnid == NID_sha1 || mdnid == NID_md5_sha1) {
+ if (!ossl_ctx_legacy_digest_signatures_allowed(ctx, 0))
+ return 0;
+ else
+ DTRACE_PROBE1(libcrypto, fedora_ossl_digest_is_allowed_1, mdnid);
+ }
}
#endif
diff -rupN --no-dereference openssl-3.0.9/providers/common/securitycheck_default.c openssl-3.0.9-new/providers/common/securitycheck_default.c
--- openssl-3.0.9/providers/common/securitycheck_default.c 2023-05-31 14:33:14.948113796 +0200
+++ openssl-3.0.9-new/providers/common/securitycheck_default.c 2023-05-31 14:33:15.505113556 +0200
@@ -17,6 +17,8 @@
#include "internal/nelem.h"
#include "internal/sslconf.h"
+#include <sys/sdt.h>
+
/* Disable the security checks in the default provider */
int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx)
{
@@ -40,9 +42,16 @@ int ossl_digest_rsa_sign_get_md_nid(OSSL
ldsigs_allowed = ossl_ctx_legacy_digest_signatures_allowed(ctx, 0);
mdnid = ossl_digest_get_approved_nid_with_sha1(ctx, md, sha1_allowed || ldsigs_allowed);
+ if (mdnid == NID_sha1)
+ /* This will only happen if SHA1 is allowed, otherwise mdnid is -1. */
+ DTRACE_PROBE1(libcrypto, fedora_ossl_digest_rsa_sign_get_md_nid_1, mdnid);
if (mdnid == NID_undef)
mdnid = ossl_digest_md_to_nid(md, name_to_nid, OSSL_NELEM(name_to_nid));
- if (mdnid == NID_md5_sha1 && !ldsigs_allowed)
- mdnid = -1;
+ if (mdnid == NID_md5_sha1) {
+ if (ldsigs_allowed)
+ DTRACE_PROBE1(libcrypto, fedora_ossl_digest_rsa_sign_get_md_nid_2, mdnid);
+ else
+ mdnid = -1;
+ }
return mdnid;
}
diff -rupN --no-dereference openssl-3.0.9/ssl/t1_lib.c openssl-3.0.9-new/ssl/t1_lib.c
--- openssl-3.0.9/ssl/t1_lib.c 2023-05-31 14:33:15.499113558 +0200
+++ openssl-3.0.9-new/ssl/t1_lib.c 2023-05-31 14:33:15.505113556 +0200
@@ -28,6 +28,8 @@
#include "ssl_local.h"
#include <openssl/ct.h>
+#include <sys/sdt.h>
+
static const SIGALG_LOOKUP *find_sig_alg(SSL *s, X509 *x, EVP_PKEY *pkey);
static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu);
@@ -1575,6 +1577,7 @@ int tls12_check_peer_sigalg(SSL *s, uint
/* When rh-allow-sha1-signatures = yes and security level <= 1,
* explicitly allow SHA1 for backwards compatibility. Also allow
* MD5-SHA1 because TLS 1.0 is still supported, which uses it. */
+ DTRACE_PROBE1(libssl, fedora_tls12_check_peer_sigalg_1, lu->hash);
} else {
/*
* Make sure security callback allows algorithm. For historical
@@ -2133,6 +2136,7 @@ static int tls12_sigalg_allowed(const SS
/* When rh-allow-sha1-signatures = yes and security level <= 1,
* explicitly allow SHA1 for backwards compatibility. Also allow
* MD5-SHA1 because TLS 1.0 is still supported, which uses it. */
+ DTRACE_PROBE1(libssl, fedora_tls12_sigalg_allowed_1, lu->hash);
return 1;
}
@@ -3029,11 +3033,13 @@ static int ssl_security_cert_sig(SSL *s,
&& ossl_ctx_legacy_digest_signatures_allowed(libctx, 0)
&& ((s != NULL && SSL_get_security_level(s) < 2)
|| (ctx != NULL && SSL_CTX_get_security_level(ctx) < 2)
- ))
+ )) {
/* When rh-allow-sha1-signatures = yes and security level <= 1,
* explicitly allow SHA1 for backwards compatibility. Also allow
* MD5-SHA1 because TLS 1.0 is still supported, which uses it. */
+ DTRACE_PROBE1(libssl, fedora_ssl_security_cert_sig_1, nid);
return 1;
+ }
if (s)
return ssl_security(s, op, secbits, nid, x);
Reference in New Issue View Git Blame Copy Permalink