pkeyutl ecdsa signature with sha1 shouldn't work by default
Resolves: RHEL-88911
This commit is contained in:
parent
b5cbb03855
commit
1934b43ef1
58
0052-Fixup-forbid-SHA1.patch
Normal file
58
0052-Fixup-forbid-SHA1.patch
Normal file
@ -0,0 +1,58 @@
|
||||
From a6b4af9d39e07457189147bd50fe6ee3e8e88b6d Mon Sep 17 00:00:00 2001
|
||||
From: Dmitry Belyavskiy <beldmit@gmail.com>
|
||||
Date: Mon, 12 May 2025 14:28:00 +0200
|
||||
Subject: [PATCH 52/54] Fixup - forbid SHA1
|
||||
|
||||
---
|
||||
crypto/context.c | 6 ------
|
||||
providers/implementations/signature/ecdsa_sig.c | 5 ++---
|
||||
2 files changed, 2 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/crypto/context.c b/crypto/context.c
|
||||
index 6859146510..323615e300 100644
|
||||
--- a/crypto/context.c
|
||||
+++ b/crypto/context.c
|
||||
@@ -133,9 +133,6 @@ static void ossl_ctx_legacy_digest_signatures_free(void *vldsigs)
|
||||
static void *ossl_ctx_legacy_digest_signatures_new(OSSL_LIB_CTX *ctx)
|
||||
{
|
||||
OSSL_LEGACY_DIGEST_SIGNATURES* ldsigs = OPENSSL_zalloc(sizeof(OSSL_LEGACY_DIGEST_SIGNATURES));
|
||||
- /* Warning: This patch differs from the same patch in CentOS and RHEL here,
|
||||
- * because the default on Fedora is to allow SHA-1 and support disabling
|
||||
- * it, while CentOS/RHEL disable it by default and allow enabling it. */
|
||||
ldsigs->allowed = 0;
|
||||
return ldsigs;
|
||||
}
|
||||
@@ -770,9 +767,6 @@ int ossl_ctx_legacy_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int loadconf
|
||||
return 1;
|
||||
#endif
|
||||
|
||||
- /* Warning: This patch differs from the same patch in CentOS and RHEL here,
|
||||
- * because the default on Fedora is to allow SHA-1 and support disabling
|
||||
- * it, while CentOS/RHEL disable it by default and allow enabling it. */
|
||||
return ldsigs != NULL ? ldsigs->allowed : 0;
|
||||
}
|
||||
|
||||
diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c
|
||||
index 34fb3aa56e..4d7c25728a 100644
|
||||
--- a/providers/implementations/signature/ecdsa_sig.c
|
||||
+++ b/providers/implementations/signature/ecdsa_sig.c
|
||||
@@ -198,14 +198,13 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx,
|
||||
}
|
||||
md_nid = ossl_digest_get_approved_nid(md);
|
||||
|
||||
-#ifdef FIPS_MODULE
|
||||
md_nid = rh_digest_signatures_allowed(ctx->libctx, md_nid);
|
||||
- if (md_nid <= 0) {
|
||||
+ /* KECCAK-256 is explicitly allowed for ECDSA despite it doesn't have a NID*/
|
||||
+ if (md_nid <= 0 && !(EVP_MD_is_a(md, "KECCAK-256"))) {
|
||||
ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
|
||||
"digest=%s", mdname);
|
||||
goto err;
|
||||
}
|
||||
-#endif
|
||||
|
||||
/* XOF digests don't work */
|
||||
if (EVP_MD_xof(md)) {
|
||||
--
|
||||
2.49.0
|
||||
|
||||
@ -91,6 +91,7 @@ Patch0048: 0048-Current-Rebase-status.patch
|
||||
Patch0049: 0049-FIPS-KDF-key-lenght-errors.patch
|
||||
Patch0050: 0050-FIPS-fix-disallowed-digests-tests.patch
|
||||
Patch0051: 0051-Make-openssl-speed-run-in-FIPS-mode.patch
|
||||
Patch0052: 0052-Fixup-forbid-SHA1.patch
|
||||
|
||||
License: Apache-2.0
|
||||
URL: http://www.openssl.org/
|
||||
@ -432,6 +433,8 @@ touch $RPM_BUILD_ROOT/%{_prefix}/include/openssl/engine.h
|
||||
* Wed May 14 2025 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.5.0-3
|
||||
- Fix `openssl speed` running in FIPS mode
|
||||
Resolves: RHEL-88908
|
||||
- pkeyutl ecdsa signature with sha1 shouldn't work by default
|
||||
Resolves: RHEL-88911
|
||||
|
||||
* Thu Apr 17 2025 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.5.0-2
|
||||
- Update depencency on crypto-policies
|
||||
|
||||
Loading…
Reference in New Issue
Block a user