ELN: fix SHA1 signature patch

The util/libcrypto.num hunk of the patch did not apply cleanly.

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
Stephen Gallagher 2022-08-17 13:00:02 -04:00
parent d1b1996624
commit 566546250b


@ -1,7 +1,7 @@
From 243201772cc6d583fae9eba81cb2c2c7425bc564 Mon Sep 17 00:00:00 2001 From f6a2f59574788aadd0ce323ad8ebe4d0c470672e Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com> From: Clemens Lang <cllang@redhat.com>
Date: Mon, 21 Feb 2022 17:24:44 +0100 Date: Wed, 17 Aug 2022 12:56:29 -0400
Subject: Selectively disallow SHA1 signatures Subject: [PATCH] Selectively disallow SHA1 signatures
For RHEL 9.0, we want to phase out SHA1. One of the steps to do that is For RHEL 9.0, we want to phase out SHA1. One of the steps to do that is
disabling SHA1 signatures. Introduce a new configuration option in the disabling SHA1 signatures. Introduce a new configuration option in the
@ -35,6 +35,8 @@ implementation does not know that it is signing a SHA1 hash (it could be
signing arbitrary data). signing arbitrary data).
Resolves: rhbz#2031742 Resolves: rhbz#2031742
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
--- ---
crypto/evp/evp_cnf.c | 13 ++++ crypto/evp/evp_cnf.c | 13 ++++
crypto/evp/m_sigver.c | 77 +++++++++++++++++++ crypto/evp/m_sigver.c | 77 +++++++++++++++++++
@ -52,7 +54,7 @@ Resolves: rhbz#2031742
13 files changed, 188 insertions(+), 9 deletions(-) 13 files changed, 188 insertions(+), 9 deletions(-)
diff --git a/crypto/evp/evp_cnf.c b/crypto/evp/evp_cnf.c diff --git a/crypto/evp/evp_cnf.c b/crypto/evp/evp_cnf.c
index 0e7fe64cf9..b9d3b6d226 100644 index 0e7fe64cf92e4b73b3bf873895e73fa9646df86d..b9d3b6d226ca07a65d972bb8505b7976a0d02572 100644
--- a/crypto/evp/evp_cnf.c --- a/crypto/evp/evp_cnf.c
+++ b/crypto/evp/evp_cnf.c +++ b/crypto/evp/evp_cnf.c
@@ -10,6 +10,7 @@ @@ -10,6 +10,7 @@
@ -83,7 +85,7 @@ index 0e7fe64cf9..b9d3b6d226 100644
ERR_raise_data(ERR_LIB_EVP, EVP_R_UNKNOWN_OPTION, ERR_raise_data(ERR_LIB_EVP, EVP_R_UNKNOWN_OPTION,
"name=%s, value=%s", oval->name, oval->value); "name=%s, value=%s", oval->name, oval->value);
diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c
index 9188edbc21..db1a1d7bc3 100644 index 76a6814b424bec3479bdf61374f0178b9cd96ded..4b2f1fcfb886661d98460c240d542df2ccd5df13 100644
--- a/crypto/evp/m_sigver.c --- a/crypto/evp/m_sigver.c
+++ b/crypto/evp/m_sigver.c +++ b/crypto/evp/m_sigver.c
@@ -16,6 +16,71 @@ @@ -16,6 +16,71 @@
@ -178,7 +180,7 @@ index 9188edbc21..db1a1d7bc3 100644
if (signature->digest_verify_init == NULL) { if (signature->digest_verify_init == NULL) {
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
index 2b9c6c2351..3c5a1e6f5d 100644 index da367ed05fbe42abb328c6e23cafe99e76d26819..ee6edf1e85e71cdbe58bf7e9f443425dce100e43 100644
--- a/crypto/evp/pmeth_lib.c --- a/crypto/evp/pmeth_lib.c
+++ b/crypto/evp/pmeth_lib.c +++ b/crypto/evp/pmeth_lib.c
@@ -33,6 +33,7 @@ @@ -33,6 +33,7 @@
@ -211,7 +213,7 @@ index 2b9c6c2351..3c5a1e6f5d 100644
return EVP_PKEY_CTX_ctrl(ctx, -1, op, ctrl, 0, (void *)(md)); return EVP_PKEY_CTX_ctrl(ctx, -1, op, ctrl, 0, (void *)(md));
diff --git a/doc/man5/config.pod b/doc/man5/config.pod diff --git a/doc/man5/config.pod b/doc/man5/config.pod
index 77a8055e81..aa1be5ca7f 100644 index a84113287c3d0edf6c67726aee7d8abb87401445..f1536258470563b4fe74f8d1e3db6d73ed316341 100644
--- a/doc/man5/config.pod --- a/doc/man5/config.pod
+++ b/doc/man5/config.pod +++ b/doc/man5/config.pod
@@ -304,6 +304,17 @@ Within the algorithm properties section, the following names have meaning: @@ -304,6 +304,17 @@ Within the algorithm properties section, the following names have meaning:
@ -233,7 +235,7 @@ index 77a8055e81..aa1be5ca7f 100644
The value is a boolean that can be B<yes> or B<no>. If the value is The value is a boolean that can be B<yes> or B<no>. If the value is
diff --git a/include/internal/cryptlib.h b/include/internal/cryptlib.h diff --git a/include/internal/cryptlib.h b/include/internal/cryptlib.h
index 1291299b6e..e234341e6a 100644 index 1291299b6e50ea129ba77c85bb0b21b0997e4494..e234341e6afd15f7108c7af453d6f2190c086b04 100644
--- a/include/internal/cryptlib.h --- a/include/internal/cryptlib.h
+++ b/include/internal/cryptlib.h +++ b/include/internal/cryptlib.h
@@ -168,7 +168,8 @@ typedef struct ossl_ex_data_global_st { @@ -168,7 +168,8 @@ typedef struct ossl_ex_data_global_st {
@ -247,7 +249,7 @@ index 1291299b6e..e234341e6a 100644
# define OSSL_LIB_CTX_METHOD_LOW_PRIORITY -1 # define OSSL_LIB_CTX_METHOD_LOW_PRIORITY -1
# define OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY 0 # define OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY 0
diff --git a/include/internal/sslconf.h b/include/internal/sslconf.h diff --git a/include/internal/sslconf.h b/include/internal/sslconf.h
index fd7f7e3331..05464b0655 100644 index fd7f7e333183dde57a283dab7372f9afb38c0eb4..05464b0655b20da2035f6781f44ac577e895fc8a 100644
--- a/include/internal/sslconf.h --- a/include/internal/sslconf.h
+++ b/include/internal/sslconf.h +++ b/include/internal/sslconf.h
@@ -18,4 +18,8 @@ int conf_ssl_name_find(const char *name, size_t *idx); @@ -18,4 +18,8 @@ int conf_ssl_name_find(const char *name, size_t *idx);
@ -260,7 +262,7 @@ index fd7f7e3331..05464b0655 100644
+ int loadconfig); + int loadconfig);
#endif #endif
diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c
index 699ada7c52..e534ad0a5f 100644 index 446ad6b4c11cf8dcad9dcb86df38816eff4bf772..9e47f5655957e661fa4f66f5e67a78c6c7d2fe5b 100644
--- a/providers/common/securitycheck.c --- a/providers/common/securitycheck.c
+++ b/providers/common/securitycheck.c +++ b/providers/common/securitycheck.c
@@ -19,6 +19,7 @@ @@ -19,6 +19,7 @@
@ -304,7 +306,7 @@ index 699ada7c52..e534ad0a5f 100644
return 1; return 1;
} }
diff --git a/providers/common/securitycheck_default.c b/providers/common/securitycheck_default.c diff --git a/providers/common/securitycheck_default.c b/providers/common/securitycheck_default.c
index de7f0d3a0a..ce54a94fbc 100644 index de7f0d3a0a5718bd06a55d3d92236c27ffb7d0d5..ce54a94fbc9b3f48052c0bd5acf5b0aa349c4e91 100644
--- a/providers/common/securitycheck_default.c --- a/providers/common/securitycheck_default.c
+++ b/providers/common/securitycheck_default.c +++ b/providers/common/securitycheck_default.c
@@ -15,6 +15,7 @@ @@ -15,6 +15,7 @@
@ -341,7 +343,7 @@ index de7f0d3a0a..ce54a94fbc 100644
return mdnid; return mdnid;
} }
diff --git a/providers/implementations/signature/dsa_sig.c b/providers/implementations/signature/dsa_sig.c diff --git a/providers/implementations/signature/dsa_sig.c b/providers/implementations/signature/dsa_sig.c
index 28fd7c498e..fa3822f39f 100644 index 28fd7c498e9922b6fabd1fafa452afe7ca3734ec..fa3822f39fd14a16c761b316e276c68868f35c7d 100644
--- a/providers/implementations/signature/dsa_sig.c --- a/providers/implementations/signature/dsa_sig.c
+++ b/providers/implementations/signature/dsa_sig.c +++ b/providers/implementations/signature/dsa_sig.c
@@ -124,12 +124,17 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx, @@ -124,12 +124,17 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx,
@ -366,7 +368,7 @@ index 28fd7c498e..fa3822f39f 100644
if (md == NULL || md_nid < 0) { if (md == NULL || md_nid < 0) {
if (md == NULL) if (md == NULL)
diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c
index 865d49d100..99b228e82c 100644 index 865d49d1004f0031c82c24c218828a7d9c7269c6..99b228e82c408171bb2458244d2cf763e32a19fb 100644
--- a/providers/implementations/signature/ecdsa_sig.c --- a/providers/implementations/signature/ecdsa_sig.c
+++ b/providers/implementations/signature/ecdsa_sig.c +++ b/providers/implementations/signature/ecdsa_sig.c
@@ -237,7 +237,11 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, const char *mdname, @@ -237,7 +237,11 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, const char *mdname,
@ -382,10 +384,10 @@ index 865d49d100..99b228e82c 100644
sha1_allowed); sha1_allowed);
if (md_nid < 0) { if (md_nid < 0) {
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
index 325e855333..bea397f0c1 100644 index 7023a866131e38c214ac7326fdd83274dab81833..f66d7705c35add553694c5808b51d5696f678ee7 100644
--- a/providers/implementations/signature/rsa_sig.c --- a/providers/implementations/signature/rsa_sig.c
+++ b/providers/implementations/signature/rsa_sig.c +++ b/providers/implementations/signature/rsa_sig.c
@@ -26,6 +26,7 @@ @@ -25,6 +25,7 @@
#include "internal/cryptlib.h" #include "internal/cryptlib.h"
#include "internal/nelem.h" #include "internal/nelem.h"
#include "internal/sizes.h" #include "internal/sizes.h"
@ -393,7 +395,7 @@ index 325e855333..bea397f0c1 100644
#include "crypto/rsa.h" #include "crypto/rsa.h"
#include "prov/providercommon.h" #include "prov/providercommon.h"
#include "prov/implementations.h" #include "prov/implementations.h"
@@ -34,6 +35,7 @@ @@ -33,6 +34,7 @@
#include "prov/securitycheck.h" #include "prov/securitycheck.h"
#define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1 #define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1
@ -401,7 +403,7 @@ index 325e855333..bea397f0c1 100644
static OSSL_FUNC_signature_newctx_fn rsa_newctx; static OSSL_FUNC_signature_newctx_fn rsa_newctx;
static OSSL_FUNC_signature_sign_init_fn rsa_sign_init; static OSSL_FUNC_signature_sign_init_fn rsa_sign_init;
@@ -289,10 +291,15 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname, @@ -288,10 +290,15 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname,
if (mdname != NULL) { if (mdname != NULL) {
EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops); EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
@ -419,7 +421,7 @@ index 325e855333..bea397f0c1 100644
if (md == NULL if (md == NULL
|| md_nid <= 0 || md_nid <= 0
@@ -1348,8 +1355,15 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) @@ -1347,8 +1354,15 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
prsactx->pad_mode = pad_mode; prsactx->pad_mode = pad_mode;
if (prsactx->md == NULL && pmdname == NULL if (prsactx->md == NULL && pmdname == NULL
@ -437,7 +439,7 @@ index 325e855333..bea397f0c1 100644
if (pmgf1mdname != NULL if (pmgf1mdname != NULL
&& !rsa_setup_mgf1_md(prsactx, pmgf1mdname, pmgf1mdprops)) && !rsa_setup_mgf1_md(prsactx, pmgf1mdname, pmgf1mdprops))
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index fc32bb3556..4b74ee1a34 100644 index 48a0b7f6e5908e62b433a306c49a3f2ff7e8df76..909e38c2fe88324884a939b583fd7f43d01f3920 100644
--- a/ssl/t1_lib.c --- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c +++ b/ssl/t1_lib.c
@@ -20,6 +20,7 @@ @@ -20,6 +20,7 @@
@ -448,7 +450,7 @@ index fc32bb3556..4b74ee1a34 100644
#include "internal/nelem.h" #include "internal/nelem.h"
#include "internal/sizes.h" #include "internal/sizes.h"
#include "internal/tlsgroups.h" #include "internal/tlsgroups.h"
@@ -1145,11 +1146,13 @@ int ssl_setup_sig_algs(SSL_CTX *ctx) @@ -1150,11 +1151,13 @@ int ssl_setup_sig_algs(SSL_CTX *ctx)
= OPENSSL_malloc(sizeof(*lu) * OSSL_NELEM(sigalg_lookup_tbl)); = OPENSSL_malloc(sizeof(*lu) * OSSL_NELEM(sigalg_lookup_tbl));
EVP_PKEY *tmpkey = EVP_PKEY_new(); EVP_PKEY *tmpkey = EVP_PKEY_new();
int ret = 0; int ret = 0;
@ -462,7 +464,7 @@ index fc32bb3556..4b74ee1a34 100644
for (i = 0, lu = sigalg_lookup_tbl; for (i = 0, lu = sigalg_lookup_tbl;
i < OSSL_NELEM(sigalg_lookup_tbl); lu++, i++) { i < OSSL_NELEM(sigalg_lookup_tbl); lu++, i++) {
EVP_PKEY_CTX *pctx; EVP_PKEY_CTX *pctx;
@@ -1169,6 +1172,11 @@ int ssl_setup_sig_algs(SSL_CTX *ctx) @@ -1174,6 +1177,11 @@ int ssl_setup_sig_algs(SSL_CTX *ctx)
cache[i].enabled = 0; cache[i].enabled = 0;
continue; continue;
} }
@ -475,15 +477,15 @@ index fc32bb3556..4b74ee1a34 100644
if (!EVP_PKEY_set_type(tmpkey, lu->sig)) { if (!EVP_PKEY_set_type(tmpkey, lu->sig)) {
cache[i].enabled = 0; cache[i].enabled = 0;
diff --git a/util/libcrypto.num b/util/libcrypto.num diff --git a/util/libcrypto.num b/util/libcrypto.num
index 10b4e57d79..2d3c363bb0 100644 index d94f406606132690d4744e470d98eff377d87699..07ae9a21ec979028eb78feaee4cadb801b790caf 100644
--- a/util/libcrypto.num --- a/util/libcrypto.num
+++ b/util/libcrypto.num +++ b/util/libcrypto.num
@@ -5426,3 +5426,5 @@ ASN1_TIME_print_ex 5553 3_0_0 EXIST::FUNCTION: @@ -5428,3 +5428,5 @@ EVP_PKEY_CTX_get0_provider 5555 3_0_0 EXIST::FUNCTION:
EVP_PKEY_get0_provider 5554 3_0_0 EXIST::FUNCTION: OPENSSL_strcasecmp 5556 3_0_3 EXIST::FUNCTION:
EVP_PKEY_CTX_get0_provider 5555 3_0_0 EXIST::FUNCTION: OPENSSL_strncasecmp 5557 3_0_3 EXIST::FUNCTION:
ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION: ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION:
+ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION: +ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION:
+ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION: +ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION:
-- --
2.35.1 2.37.2
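Review bot: The two added util/libcrypto.num entries keep their `3_0_1` version tag while the context they are now anchored to (`OPENSSL_strcasecmp 5556 3_0_3`, `OPENSSL_strncasecmp 5557 3_0_3`) shows the rebased base is at least 3.0.3. Both entries use a `?` ordinal, so the tag is presumably not used to export a versioned symbol and the mismatch is likely cosmetic, but if the tag is meant to record the release in which the downstream symbol first appeared it is worth confirming that `3_0_1` is still the intended value rather than the base the patch was regenerated against. Apart from that, the rebase only shifts hunk offsets, index hashes and context lines; the added lines in this hunk are identical to the previous version of the patch.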