ELN: fix SHA1 signature patch
The util/libcrypto.num patch did not apply cleanly. Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
This commit is contained in:
parent
d1b1996624
commit
566546250b
@ -1,7 +1,7 @@
|
|||||||
From 243201772cc6d583fae9eba81cb2c2c7425bc564 Mon Sep 17 00:00:00 2001
|
From f6a2f59574788aadd0ce323ad8ebe4d0c470672e Mon Sep 17 00:00:00 2001
|
||||||
From: Clemens Lang <cllang@redhat.com>
|
From: Clemens Lang <cllang@redhat.com>
|
||||||
Date: Mon, 21 Feb 2022 17:24:44 +0100
|
Date: Wed, 17 Aug 2022 12:56:29 -0400
|
||||||
Subject: Selectively disallow SHA1 signatures
|
Subject: [PATCH] Selectively disallow SHA1 signatures
|
||||||
|
|
||||||
For RHEL 9.0, we want to phase out SHA1. One of the steps to do that is
|
For RHEL 9.0, we want to phase out SHA1. One of the steps to do that is
|
||||||
disabling SHA1 signatures. Introduce a new configuration option in the
|
disabling SHA1 signatures. Introduce a new configuration option in the
|
||||||
@ -35,6 +35,8 @@ implementation does not know that it is signing a SHA1 hash (it could be
|
|||||||
signing arbitrary data).
|
signing arbitrary data).
|
||||||
|
|
||||||
Resolves: rhbz#2031742
|
Resolves: rhbz#2031742
|
||||||
|
|
||||||
|
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
|
||||||
---
|
---
|
||||||
crypto/evp/evp_cnf.c | 13 ++++
|
crypto/evp/evp_cnf.c | 13 ++++
|
||||||
crypto/evp/m_sigver.c | 77 +++++++++++++++++++
|
crypto/evp/m_sigver.c | 77 +++++++++++++++++++
|
||||||
@ -52,7 +54,7 @@ Resolves: rhbz#2031742
|
|||||||
13 files changed, 188 insertions(+), 9 deletions(-)
|
13 files changed, 188 insertions(+), 9 deletions(-)
|
||||||
|
|
||||||
diff --git a/crypto/evp/evp_cnf.c b/crypto/evp/evp_cnf.c
|
diff --git a/crypto/evp/evp_cnf.c b/crypto/evp/evp_cnf.c
|
||||||
index 0e7fe64cf9..b9d3b6d226 100644
|
index 0e7fe64cf92e4b73b3bf873895e73fa9646df86d..b9d3b6d226ca07a65d972bb8505b7976a0d02572 100644
|
||||||
--- a/crypto/evp/evp_cnf.c
|
--- a/crypto/evp/evp_cnf.c
|
||||||
+++ b/crypto/evp/evp_cnf.c
|
+++ b/crypto/evp/evp_cnf.c
|
||||||
@@ -10,6 +10,7 @@
|
@@ -10,6 +10,7 @@
|
||||||
@ -83,7 +85,7 @@ index 0e7fe64cf9..b9d3b6d226 100644
|
|||||||
ERR_raise_data(ERR_LIB_EVP, EVP_R_UNKNOWN_OPTION,
|
ERR_raise_data(ERR_LIB_EVP, EVP_R_UNKNOWN_OPTION,
|
||||||
"name=%s, value=%s", oval->name, oval->value);
|
"name=%s, value=%s", oval->name, oval->value);
|
||||||
diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c
|
diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c
|
||||||
index 9188edbc21..db1a1d7bc3 100644
|
index 76a6814b424bec3479bdf61374f0178b9cd96ded..4b2f1fcfb886661d98460c240d542df2ccd5df13 100644
|
||||||
--- a/crypto/evp/m_sigver.c
|
--- a/crypto/evp/m_sigver.c
|
||||||
+++ b/crypto/evp/m_sigver.c
|
+++ b/crypto/evp/m_sigver.c
|
||||||
@@ -16,6 +16,71 @@
|
@@ -16,6 +16,71 @@
|
||||||
@ -178,7 +180,7 @@ index 9188edbc21..db1a1d7bc3 100644
|
|||||||
if (signature->digest_verify_init == NULL) {
|
if (signature->digest_verify_init == NULL) {
|
||||||
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
|
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
|
||||||
diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
|
diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
|
||||||
index 2b9c6c2351..3c5a1e6f5d 100644
|
index da367ed05fbe42abb328c6e23cafe99e76d26819..ee6edf1e85e71cdbe58bf7e9f443425dce100e43 100644
|
||||||
--- a/crypto/evp/pmeth_lib.c
|
--- a/crypto/evp/pmeth_lib.c
|
||||||
+++ b/crypto/evp/pmeth_lib.c
|
+++ b/crypto/evp/pmeth_lib.c
|
||||||
@@ -33,6 +33,7 @@
|
@@ -33,6 +33,7 @@
|
||||||
@ -211,7 +213,7 @@ index 2b9c6c2351..3c5a1e6f5d 100644
|
|||||||
return EVP_PKEY_CTX_ctrl(ctx, -1, op, ctrl, 0, (void *)(md));
|
return EVP_PKEY_CTX_ctrl(ctx, -1, op, ctrl, 0, (void *)(md));
|
||||||
|
|
||||||
diff --git a/doc/man5/config.pod b/doc/man5/config.pod
|
diff --git a/doc/man5/config.pod b/doc/man5/config.pod
|
||||||
index 77a8055e81..aa1be5ca7f 100644
|
index a84113287c3d0edf6c67726aee7d8abb87401445..f1536258470563b4fe74f8d1e3db6d73ed316341 100644
|
||||||
--- a/doc/man5/config.pod
|
--- a/doc/man5/config.pod
|
||||||
+++ b/doc/man5/config.pod
|
+++ b/doc/man5/config.pod
|
||||||
@@ -304,6 +304,17 @@ Within the algorithm properties section, the following names have meaning:
|
@@ -304,6 +304,17 @@ Within the algorithm properties section, the following names have meaning:
|
||||||
@ -233,7 +235,7 @@ index 77a8055e81..aa1be5ca7f 100644
|
|||||||
|
|
||||||
The value is a boolean that can be B<yes> or B<no>. If the value is
|
The value is a boolean that can be B<yes> or B<no>. If the value is
|
||||||
diff --git a/include/internal/cryptlib.h b/include/internal/cryptlib.h
|
diff --git a/include/internal/cryptlib.h b/include/internal/cryptlib.h
|
||||||
index 1291299b6e..e234341e6a 100644
|
index 1291299b6e50ea129ba77c85bb0b21b0997e4494..e234341e6afd15f7108c7af453d6f2190c086b04 100644
|
||||||
--- a/include/internal/cryptlib.h
|
--- a/include/internal/cryptlib.h
|
||||||
+++ b/include/internal/cryptlib.h
|
+++ b/include/internal/cryptlib.h
|
||||||
@@ -168,7 +168,8 @@ typedef struct ossl_ex_data_global_st {
|
@@ -168,7 +168,8 @@ typedef struct ossl_ex_data_global_st {
|
||||||
@ -247,7 +249,7 @@ index 1291299b6e..e234341e6a 100644
|
|||||||
# define OSSL_LIB_CTX_METHOD_LOW_PRIORITY -1
|
# define OSSL_LIB_CTX_METHOD_LOW_PRIORITY -1
|
||||||
# define OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY 0
|
# define OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY 0
|
||||||
diff --git a/include/internal/sslconf.h b/include/internal/sslconf.h
|
diff --git a/include/internal/sslconf.h b/include/internal/sslconf.h
|
||||||
index fd7f7e3331..05464b0655 100644
|
index fd7f7e333183dde57a283dab7372f9afb38c0eb4..05464b0655b20da2035f6781f44ac577e895fc8a 100644
|
||||||
--- a/include/internal/sslconf.h
|
--- a/include/internal/sslconf.h
|
||||||
+++ b/include/internal/sslconf.h
|
+++ b/include/internal/sslconf.h
|
||||||
@@ -18,4 +18,8 @@ int conf_ssl_name_find(const char *name, size_t *idx);
|
@@ -18,4 +18,8 @@ int conf_ssl_name_find(const char *name, size_t *idx);
|
||||||
@ -260,7 +262,7 @@ index fd7f7e3331..05464b0655 100644
|
|||||||
+ int loadconfig);
|
+ int loadconfig);
|
||||||
#endif
|
#endif
|
||||||
diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c
|
diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c
|
||||||
index 699ada7c52..e534ad0a5f 100644
|
index 446ad6b4c11cf8dcad9dcb86df38816eff4bf772..9e47f5655957e661fa4f66f5e67a78c6c7d2fe5b 100644
|
||||||
--- a/providers/common/securitycheck.c
|
--- a/providers/common/securitycheck.c
|
||||||
+++ b/providers/common/securitycheck.c
|
+++ b/providers/common/securitycheck.c
|
||||||
@@ -19,6 +19,7 @@
|
@@ -19,6 +19,7 @@
|
||||||
@ -304,7 +306,7 @@ index 699ada7c52..e534ad0a5f 100644
|
|||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
diff --git a/providers/common/securitycheck_default.c b/providers/common/securitycheck_default.c
|
diff --git a/providers/common/securitycheck_default.c b/providers/common/securitycheck_default.c
|
||||||
index de7f0d3a0a..ce54a94fbc 100644
|
index de7f0d3a0a5718bd06a55d3d92236c27ffb7d0d5..ce54a94fbc9b3f48052c0bd5acf5b0aa349c4e91 100644
|
||||||
--- a/providers/common/securitycheck_default.c
|
--- a/providers/common/securitycheck_default.c
|
||||||
+++ b/providers/common/securitycheck_default.c
|
+++ b/providers/common/securitycheck_default.c
|
||||||
@@ -15,6 +15,7 @@
|
@@ -15,6 +15,7 @@
|
||||||
@ -341,7 +343,7 @@ index de7f0d3a0a..ce54a94fbc 100644
|
|||||||
return mdnid;
|
return mdnid;
|
||||||
}
|
}
|
||||||
diff --git a/providers/implementations/signature/dsa_sig.c b/providers/implementations/signature/dsa_sig.c
|
diff --git a/providers/implementations/signature/dsa_sig.c b/providers/implementations/signature/dsa_sig.c
|
||||||
index 28fd7c498e..fa3822f39f 100644
|
index 28fd7c498e9922b6fabd1fafa452afe7ca3734ec..fa3822f39fd14a16c761b316e276c68868f35c7d 100644
|
||||||
--- a/providers/implementations/signature/dsa_sig.c
|
--- a/providers/implementations/signature/dsa_sig.c
|
||||||
+++ b/providers/implementations/signature/dsa_sig.c
|
+++ b/providers/implementations/signature/dsa_sig.c
|
||||||
@@ -124,12 +124,17 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx,
|
@@ -124,12 +124,17 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx,
|
||||||
@ -366,7 +368,7 @@ index 28fd7c498e..fa3822f39f 100644
|
|||||||
if (md == NULL || md_nid < 0) {
|
if (md == NULL || md_nid < 0) {
|
||||||
if (md == NULL)
|
if (md == NULL)
|
||||||
diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c
|
diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c
|
||||||
index 865d49d100..99b228e82c 100644
|
index 865d49d1004f0031c82c24c218828a7d9c7269c6..99b228e82c408171bb2458244d2cf763e32a19fb 100644
|
||||||
--- a/providers/implementations/signature/ecdsa_sig.c
|
--- a/providers/implementations/signature/ecdsa_sig.c
|
||||||
+++ b/providers/implementations/signature/ecdsa_sig.c
|
+++ b/providers/implementations/signature/ecdsa_sig.c
|
||||||
@@ -237,7 +237,11 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, const char *mdname,
|
@@ -237,7 +237,11 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, const char *mdname,
|
||||||
@ -382,10 +384,10 @@ index 865d49d100..99b228e82c 100644
|
|||||||
sha1_allowed);
|
sha1_allowed);
|
||||||
if (md_nid < 0) {
|
if (md_nid < 0) {
|
||||||
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
|
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
|
||||||
index 325e855333..bea397f0c1 100644
|
index 7023a866131e38c214ac7326fdd83274dab81833..f66d7705c35add553694c5808b51d5696f678ee7 100644
|
||||||
--- a/providers/implementations/signature/rsa_sig.c
|
--- a/providers/implementations/signature/rsa_sig.c
|
||||||
+++ b/providers/implementations/signature/rsa_sig.c
|
+++ b/providers/implementations/signature/rsa_sig.c
|
||||||
@@ -26,6 +26,7 @@
|
@@ -25,6 +25,7 @@
|
||||||
#include "internal/cryptlib.h"
|
#include "internal/cryptlib.h"
|
||||||
#include "internal/nelem.h"
|
#include "internal/nelem.h"
|
||||||
#include "internal/sizes.h"
|
#include "internal/sizes.h"
|
||||||
@ -393,7 +395,7 @@ index 325e855333..bea397f0c1 100644
|
|||||||
#include "crypto/rsa.h"
|
#include "crypto/rsa.h"
|
||||||
#include "prov/providercommon.h"
|
#include "prov/providercommon.h"
|
||||||
#include "prov/implementations.h"
|
#include "prov/implementations.h"
|
||||||
@@ -34,6 +35,7 @@
|
@@ -33,6 +34,7 @@
|
||||||
#include "prov/securitycheck.h"
|
#include "prov/securitycheck.h"
|
||||||
|
|
||||||
#define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1
|
#define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1
|
||||||
@ -401,7 +403,7 @@ index 325e855333..bea397f0c1 100644
|
|||||||
|
|
||||||
static OSSL_FUNC_signature_newctx_fn rsa_newctx;
|
static OSSL_FUNC_signature_newctx_fn rsa_newctx;
|
||||||
static OSSL_FUNC_signature_sign_init_fn rsa_sign_init;
|
static OSSL_FUNC_signature_sign_init_fn rsa_sign_init;
|
||||||
@@ -289,10 +291,15 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname,
|
@@ -288,10 +290,15 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname,
|
||||||
|
|
||||||
if (mdname != NULL) {
|
if (mdname != NULL) {
|
||||||
EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
|
EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
|
||||||
@ -419,7 +421,7 @@ index 325e855333..bea397f0c1 100644
|
|||||||
|
|
||||||
if (md == NULL
|
if (md == NULL
|
||||||
|| md_nid <= 0
|
|| md_nid <= 0
|
||||||
@@ -1348,8 +1355,15 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
|
@@ -1347,8 +1354,15 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
|
||||||
prsactx->pad_mode = pad_mode;
|
prsactx->pad_mode = pad_mode;
|
||||||
|
|
||||||
if (prsactx->md == NULL && pmdname == NULL
|
if (prsactx->md == NULL && pmdname == NULL
|
||||||
@ -437,7 +439,7 @@ index 325e855333..bea397f0c1 100644
|
|||||||
if (pmgf1mdname != NULL
|
if (pmgf1mdname != NULL
|
||||||
&& !rsa_setup_mgf1_md(prsactx, pmgf1mdname, pmgf1mdprops))
|
&& !rsa_setup_mgf1_md(prsactx, pmgf1mdname, pmgf1mdprops))
|
||||||
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
|
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
|
||||||
index fc32bb3556..4b74ee1a34 100644
|
index 48a0b7f6e5908e62b433a306c49a3f2ff7e8df76..909e38c2fe88324884a939b583fd7f43d01f3920 100644
|
||||||
--- a/ssl/t1_lib.c
|
--- a/ssl/t1_lib.c
|
||||||
+++ b/ssl/t1_lib.c
|
+++ b/ssl/t1_lib.c
|
||||||
@@ -20,6 +20,7 @@
|
@@ -20,6 +20,7 @@
|
||||||
@ -448,7 +450,7 @@ index fc32bb3556..4b74ee1a34 100644
|
|||||||
#include "internal/nelem.h"
|
#include "internal/nelem.h"
|
||||||
#include "internal/sizes.h"
|
#include "internal/sizes.h"
|
||||||
#include "internal/tlsgroups.h"
|
#include "internal/tlsgroups.h"
|
||||||
@@ -1145,11 +1146,13 @@ int ssl_setup_sig_algs(SSL_CTX *ctx)
|
@@ -1150,11 +1151,13 @@ int ssl_setup_sig_algs(SSL_CTX *ctx)
|
||||||
= OPENSSL_malloc(sizeof(*lu) * OSSL_NELEM(sigalg_lookup_tbl));
|
= OPENSSL_malloc(sizeof(*lu) * OSSL_NELEM(sigalg_lookup_tbl));
|
||||||
EVP_PKEY *tmpkey = EVP_PKEY_new();
|
EVP_PKEY *tmpkey = EVP_PKEY_new();
|
||||||
int ret = 0;
|
int ret = 0;
|
||||||
@ -462,7 +464,7 @@ index fc32bb3556..4b74ee1a34 100644
|
|||||||
for (i = 0, lu = sigalg_lookup_tbl;
|
for (i = 0, lu = sigalg_lookup_tbl;
|
||||||
i < OSSL_NELEM(sigalg_lookup_tbl); lu++, i++) {
|
i < OSSL_NELEM(sigalg_lookup_tbl); lu++, i++) {
|
||||||
EVP_PKEY_CTX *pctx;
|
EVP_PKEY_CTX *pctx;
|
||||||
@@ -1169,6 +1172,11 @@ int ssl_setup_sig_algs(SSL_CTX *ctx)
|
@@ -1174,6 +1177,11 @@ int ssl_setup_sig_algs(SSL_CTX *ctx)
|
||||||
cache[i].enabled = 0;
|
cache[i].enabled = 0;
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
@ -475,15 +477,15 @@ index fc32bb3556..4b74ee1a34 100644
|
|||||||
if (!EVP_PKEY_set_type(tmpkey, lu->sig)) {
|
if (!EVP_PKEY_set_type(tmpkey, lu->sig)) {
|
||||||
cache[i].enabled = 0;
|
cache[i].enabled = 0;
|
||||||
diff --git a/util/libcrypto.num b/util/libcrypto.num
|
diff --git a/util/libcrypto.num b/util/libcrypto.num
|
||||||
index 10b4e57d79..2d3c363bb0 100644
|
index d94f406606132690d4744e470d98eff377d87699..07ae9a21ec979028eb78feaee4cadb801b790caf 100644
|
||||||
--- a/util/libcrypto.num
|
--- a/util/libcrypto.num
|
||||||
+++ b/util/libcrypto.num
|
+++ b/util/libcrypto.num
|
||||||
@@ -5426,3 +5426,5 @@ ASN1_TIME_print_ex 5553 3_0_0 EXIST::FUNCTION:
|
@@ -5428,3 +5428,5 @@ EVP_PKEY_CTX_get0_provider 5555 3_0_0 EXIST::FUNCTION:
|
||||||
EVP_PKEY_get0_provider 5554 3_0_0 EXIST::FUNCTION:
|
OPENSSL_strcasecmp 5556 3_0_3 EXIST::FUNCTION:
|
||||||
EVP_PKEY_CTX_get0_provider 5555 3_0_0 EXIST::FUNCTION:
|
OPENSSL_strncasecmp 5557 3_0_3 EXIST::FUNCTION:
|
||||||
ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION:
|
ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION:
|
||||||
+ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION:
|
+ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION:
|
||||||
+ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION:
|
+ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION:
|
||||||
--
|
--
|
||||||
2.35.1
|
2.37.2
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user