From 566546250bf288983c52bcc51769312df4f72289 Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Wed, 17 Aug 2022 13:00:02 -0400 Subject: [PATCH] ELN: fix SHA1 signature patch The util/libcrypto.num patch did not apply cleanly. Signed-off-by: Stephen Gallagher --- ...Selectively-disallow-SHA1-signatures.patch | 54 ++++++++++--------- 1 file changed, 28 insertions(+), 26 deletions(-) diff --git a/0049-Selectively-disallow-SHA1-signatures.patch b/0049-Selectively-disallow-SHA1-signatures.patch index 18b0183..df0404c 100644 --- a/0049-Selectively-disallow-SHA1-signatures.patch +++ b/0049-Selectively-disallow-SHA1-signatures.patch @@ -1,7 +1,7 @@ -From 243201772cc6d583fae9eba81cb2c2c7425bc564 Mon Sep 17 00:00:00 2001 +From f6a2f59574788aadd0ce323ad8ebe4d0c470672e Mon Sep 17 00:00:00 2001 From: Clemens Lang -Date: Mon, 21 Feb 2022 17:24:44 +0100 -Subject: Selectively disallow SHA1 signatures +Date: Wed, 17 Aug 2022 12:56:29 -0400 +Subject: [PATCH] Selectively disallow SHA1 signatures For RHEL 9.0, we want to phase out SHA1. One of the steps to do that is disabling SHA1 signatures. Introduce a new configuration option in the @@ -35,6 +35,8 @@ implementation does not know that it is signing a SHA1 hash (it could be signing arbitrary data). Resolves: rhbz#2031742 + +Signed-off-by: Stephen Gallagher --- crypto/evp/evp_cnf.c | 13 ++++ crypto/evp/m_sigver.c | 77 +++++++++++++++++++ @@ -52,7 +54,7 @@ Resolves: rhbz#2031742 13 files changed, 188 insertions(+), 9 deletions(-) diff --git a/crypto/evp/evp_cnf.c b/crypto/evp/evp_cnf.c -index 0e7fe64cf9..b9d3b6d226 100644 +index 0e7fe64cf92e4b73b3bf873895e73fa9646df86d..b9d3b6d226ca07a65d972bb8505b7976a0d02572 100644 --- a/crypto/evp/evp_cnf.c +++ b/crypto/evp/evp_cnf.c @@ -10,6 +10,7 @@ @@ -83,7 +85,7 @@ index 0e7fe64cf9..b9d3b6d226 100644 ERR_raise_data(ERR_LIB_EVP, EVP_R_UNKNOWN_OPTION, "name=%s, value=%s", oval->name, oval->value); diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c -index 9188edbc21..db1a1d7bc3 100644 +index 76a6814b424bec3479bdf61374f0178b9cd96ded..4b2f1fcfb886661d98460c240d542df2ccd5df13 100644 --- a/crypto/evp/m_sigver.c +++ b/crypto/evp/m_sigver.c @@ -16,6 +16,71 @@ @@ -178,7 +180,7 @@ index 9188edbc21..db1a1d7bc3 100644 if (signature->digest_verify_init == NULL) { ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c -index 2b9c6c2351..3c5a1e6f5d 100644 +index da367ed05fbe42abb328c6e23cafe99e76d26819..ee6edf1e85e71cdbe58bf7e9f443425dce100e43 100644 --- a/crypto/evp/pmeth_lib.c +++ b/crypto/evp/pmeth_lib.c @@ -33,6 +33,7 @@ @@ -211,7 +213,7 @@ index 2b9c6c2351..3c5a1e6f5d 100644 return EVP_PKEY_CTX_ctrl(ctx, -1, op, ctrl, 0, (void *)(md)); diff --git a/doc/man5/config.pod b/doc/man5/config.pod -index 77a8055e81..aa1be5ca7f 100644 +index a84113287c3d0edf6c67726aee7d8abb87401445..f1536258470563b4fe74f8d1e3db6d73ed316341 100644 --- a/doc/man5/config.pod +++ b/doc/man5/config.pod @@ -304,6 +304,17 @@ Within the algorithm properties section, the following names have meaning: @@ -233,7 +235,7 @@ index 77a8055e81..aa1be5ca7f 100644 The value is a boolean that can be B or B. If the value is diff --git a/include/internal/cryptlib.h b/include/internal/cryptlib.h -index 1291299b6e..e234341e6a 100644 +index 1291299b6e50ea129ba77c85bb0b21b0997e4494..e234341e6afd15f7108c7af453d6f2190c086b04 100644 --- a/include/internal/cryptlib.h +++ b/include/internal/cryptlib.h @@ -168,7 +168,8 @@ typedef struct ossl_ex_data_global_st { @@ -247,7 +249,7 @@ index 1291299b6e..e234341e6a 100644 # define OSSL_LIB_CTX_METHOD_LOW_PRIORITY -1 # define OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY 0 diff --git a/include/internal/sslconf.h b/include/internal/sslconf.h -index fd7f7e3331..05464b0655 100644 +index fd7f7e333183dde57a283dab7372f9afb38c0eb4..05464b0655b20da2035f6781f44ac577e895fc8a 100644 --- a/include/internal/sslconf.h +++ b/include/internal/sslconf.h @@ -18,4 +18,8 @@ int conf_ssl_name_find(const char *name, size_t *idx); @@ -260,7 +262,7 @@ index fd7f7e3331..05464b0655 100644 + int loadconfig); #endif diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c -index 699ada7c52..e534ad0a5f 100644 +index 446ad6b4c11cf8dcad9dcb86df38816eff4bf772..9e47f5655957e661fa4f66f5e67a78c6c7d2fe5b 100644 --- a/providers/common/securitycheck.c +++ b/providers/common/securitycheck.c @@ -19,6 +19,7 @@ @@ -304,7 +306,7 @@ index 699ada7c52..e534ad0a5f 100644 return 1; } diff --git a/providers/common/securitycheck_default.c b/providers/common/securitycheck_default.c -index de7f0d3a0a..ce54a94fbc 100644 +index de7f0d3a0a5718bd06a55d3d92236c27ffb7d0d5..ce54a94fbc9b3f48052c0bd5acf5b0aa349c4e91 100644 --- a/providers/common/securitycheck_default.c +++ b/providers/common/securitycheck_default.c @@ -15,6 +15,7 @@ @@ -341,7 +343,7 @@ index de7f0d3a0a..ce54a94fbc 100644 return mdnid; } diff --git a/providers/implementations/signature/dsa_sig.c b/providers/implementations/signature/dsa_sig.c -index 28fd7c498e..fa3822f39f 100644 +index 28fd7c498e9922b6fabd1fafa452afe7ca3734ec..fa3822f39fd14a16c761b316e276c68868f35c7d 100644 --- a/providers/implementations/signature/dsa_sig.c +++ b/providers/implementations/signature/dsa_sig.c @@ -124,12 +124,17 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx, @@ -366,7 +368,7 @@ index 28fd7c498e..fa3822f39f 100644 if (md == NULL || md_nid < 0) { if (md == NULL) diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c -index 865d49d100..99b228e82c 100644 +index 865d49d1004f0031c82c24c218828a7d9c7269c6..99b228e82c408171bb2458244d2cf763e32a19fb 100644 --- a/providers/implementations/signature/ecdsa_sig.c +++ b/providers/implementations/signature/ecdsa_sig.c @@ -237,7 +237,11 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, const char *mdname, @@ -382,10 +384,10 @@ index 865d49d100..99b228e82c 100644 sha1_allowed); if (md_nid < 0) { diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c -index 325e855333..bea397f0c1 100644 +index 7023a866131e38c214ac7326fdd83274dab81833..f66d7705c35add553694c5808b51d5696f678ee7 100644 --- a/providers/implementations/signature/rsa_sig.c +++ b/providers/implementations/signature/rsa_sig.c -@@ -26,6 +26,7 @@ +@@ -25,6 +25,7 @@ #include "internal/cryptlib.h" #include "internal/nelem.h" #include "internal/sizes.h" @@ -393,7 +395,7 @@ index 325e855333..bea397f0c1 100644 #include "crypto/rsa.h" #include "prov/providercommon.h" #include "prov/implementations.h" -@@ -34,6 +35,7 @@ +@@ -33,6 +34,7 @@ #include "prov/securitycheck.h" #define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1 @@ -401,7 +403,7 @@ index 325e855333..bea397f0c1 100644 static OSSL_FUNC_signature_newctx_fn rsa_newctx; static OSSL_FUNC_signature_sign_init_fn rsa_sign_init; -@@ -289,10 +291,15 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname, +@@ -288,10 +290,15 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname, if (mdname != NULL) { EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops); @@ -419,7 +421,7 @@ index 325e855333..bea397f0c1 100644 if (md == NULL || md_nid <= 0 -@@ -1348,8 +1355,15 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) +@@ -1347,8 +1354,15 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) prsactx->pad_mode = pad_mode; if (prsactx->md == NULL && pmdname == NULL @@ -437,7 +439,7 @@ index 325e855333..bea397f0c1 100644 if (pmgf1mdname != NULL && !rsa_setup_mgf1_md(prsactx, pmgf1mdname, pmgf1mdprops)) diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c -index fc32bb3556..4b74ee1a34 100644 +index 48a0b7f6e5908e62b433a306c49a3f2ff7e8df76..909e38c2fe88324884a939b583fd7f43d01f3920 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -20,6 +20,7 @@ @@ -448,7 +450,7 @@ index fc32bb3556..4b74ee1a34 100644 #include "internal/nelem.h" #include "internal/sizes.h" #include "internal/tlsgroups.h" -@@ -1145,11 +1146,13 @@ int ssl_setup_sig_algs(SSL_CTX *ctx) +@@ -1150,11 +1151,13 @@ int ssl_setup_sig_algs(SSL_CTX *ctx) = OPENSSL_malloc(sizeof(*lu) * OSSL_NELEM(sigalg_lookup_tbl)); EVP_PKEY *tmpkey = EVP_PKEY_new(); int ret = 0; @@ -462,7 +464,7 @@ index fc32bb3556..4b74ee1a34 100644 for (i = 0, lu = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl); lu++, i++) { EVP_PKEY_CTX *pctx; -@@ -1169,6 +1172,11 @@ int ssl_setup_sig_algs(SSL_CTX *ctx) +@@ -1174,6 +1177,11 @@ int ssl_setup_sig_algs(SSL_CTX *ctx) cache[i].enabled = 0; continue; } @@ -475,15 +477,15 @@ index fc32bb3556..4b74ee1a34 100644 if (!EVP_PKEY_set_type(tmpkey, lu->sig)) { cache[i].enabled = 0; diff --git a/util/libcrypto.num b/util/libcrypto.num -index 10b4e57d79..2d3c363bb0 100644 +index d94f406606132690d4744e470d98eff377d87699..07ae9a21ec979028eb78feaee4cadb801b790caf 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num -@@ -5426,3 +5426,5 @@ ASN1_TIME_print_ex 5553 3_0_0 EXIST::FUNCTION: - EVP_PKEY_get0_provider 5554 3_0_0 EXIST::FUNCTION: - EVP_PKEY_CTX_get0_provider 5555 3_0_0 EXIST::FUNCTION: +@@ -5428,3 +5428,5 @@ EVP_PKEY_CTX_get0_provider 5555 3_0_0 EXIST::FUNCTION: + OPENSSL_strcasecmp 5556 3_0_3 EXIST::FUNCTION: + OPENSSL_strncasecmp 5557 3_0_3 EXIST::FUNCTION: ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION: +ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION: +ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION: -- -2.35.1 +2.37.2