From 58aefe30f22eff11bb311b15b59b0ef99311261b Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Fri, 2 May 2025 16:46:23 +0200
Subject: [PATCH] OpenSSL ignores "rh-allow-sha1-signatures = yes" option on
 RHEL-9

Resolves: RHEL-88910
---
 ...clevel-2-if-rh-allow-sha1-signatures.patch | 187 ++++++++++++++++++
 openssl.spec                                  |   8 +-
 2 files changed, 194 insertions(+), 1 deletion(-)
 create mode 100644 0100-RHEL9-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch

diff --git a/0100-RHEL9-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch b/0100-RHEL9-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch
new file mode 100644
index 0000000..26eddbb
--- /dev/null
+++ b/0100-RHEL9-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch
@@ -0,0 +1,187 @@
+From c63599ee9708d543205a9173207ee7167315c624 Mon Sep 17 00:00:00 2001
+From: Clemens Lang <cllang@redhat.com>
+Date: Tue, 1 Mar 2022 15:44:18 +0100
+Subject: [PATCH] Allow SHA1 in seclevel 2 if rh-allow-sha1-signatures = yes
+
+References: rhbz#2055796
+---
+ crypto/x509/x509_vfy.c        | 19 ++++++++++-
+ doc/man5/config.pod           |  7 +++-
+ ssl/t1_lib.c                  | 64 ++++++++++++++++++++++++++++-------
+ test/recipes/25-test_verify.t |  7 ++--
+ 4 files changed, 79 insertions(+), 18 deletions(-)
+
+diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
+index ff3ca83de6..a549c1c111 100644
+--- a/crypto/x509/x509_vfy.c
++++ b/crypto/x509/x509_vfy.c
+@@ -25,6 +25,7 @@
+ #include <openssl/objects.h>
+ #include <openssl/core_names.h>
+ #include "internal/dane.h"
++#include "internal/sslconf.h"
+ #include "crypto/x509.h"
+ #include "x509_local.h"
+ 
+@@ -3440,14 +3441,30 @@ static int check_sig_level(X509_STORE_CTX *ctx, X509 *cert)
+ {
+     int secbits = -1;
+     int level = ctx->param->auth_level;
++    int nid;
++    OSSL_LIB_CTX *libctx = NULL;
+ 
+     if (level <= 0)
+         return 1;
+     if (level > NUM_AUTH_LEVELS)
+         level = NUM_AUTH_LEVELS;
+ 
+-    if (!X509_get_signature_info(cert, NULL, NULL, &secbits, NULL))
++    if (ctx->libctx)
++        libctx = ctx->libctx;
++    else if (cert->libctx)
++        libctx = cert->libctx;
++    else
++        libctx = OSSL_LIB_CTX_get0_global_default();
++
++    if (!X509_get_signature_info(cert, &nid, NULL, &secbits, NULL))
+         return 0;
+ 
++    if (nid == NID_sha1
++            && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0)
++            && ctx->param->auth_level < 3)
++        /* When rh-allow-sha1-signatures = yes and security level <= 2,
++         * explicitly allow SHA1 for backwards compatibility. */
++        return 1;
++
+     return secbits >= minbits_table[level - 1];
+ }
+diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
+index 4b74ee1a34..5f089de107 100644
+--- a/ssl/t1_lib.c
++++ b/ssl/t1_lib.c
+@@ -20,6 +20,7 @@
+ #include <openssl/bn.h>
+ #include <openssl/provider.h>
+ #include <openssl/param_build.h>
++#include "crypto/x509.h"
+ #include "internal/sslconf.h"
+ #include "internal/nelem.h"
+ #include "internal/sizes.h"
+@@ -1561,19 +1562,27 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey)
+         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_UNKNOWN_DIGEST);
+         return 0;
+     }
+-    /*
+-     * Make sure security callback allows algorithm. For historical
+-     * reasons we have to pass the sigalg as a two byte char array.
+-     */
+-    sigalgstr[0] = (sig >> 8) & 0xff;
+-    sigalgstr[1] = sig & 0xff;
+-    secbits = sigalg_security_bits(SSL_CONNECTION_GET_CTX(s), lu);
+-    if (secbits == 0 ||
+-        !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits,
+-                      md != NULL ? EVP_MD_get_type(md) : NID_undef,
+-                      (void *)sigalgstr)) {
+-        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE);
+-        return 0;
++
++    if (lu->hash == NID_sha1
++            && ossl_ctx_legacy_digest_signatures_allowed(s->session_ctx->libctx, 0)
++            && SSL_get_security_level(SSL_CONNECTION_GET_SSL(s)) < 3) {
++        /* when rh-allow-sha1-signatures = yes and security level <= 2,
++         * explicitly allow SHA1 for backwards compatibility */
++    } else {
++        /*
++         * Make sure security callback allows algorithm. For historical
++         * reasons we have to pass the sigalg as a two byte char array.
++         */
++        sigalgstr[0] = (sig >> 8) & 0xff;
++        sigalgstr[1] = sig & 0xff;
++        secbits = sigalg_security_bits(s->session_ctx, lu);
++        if (secbits == 0 ||
++            !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits,
++                          md != NULL ? EVP_MD_get_type(md) : NID_undef,
++                          (void *)sigalgstr)) {
++            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE);
++            return 0;
++        }
+     }
+     /* Store the sigalg the peer uses */
+     s->s3.tmp.peer_sigalg = lu;
+@@ -2106,6 +2115,14 @@ static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu)
+         }
+     }
+ 
++    if (lu->hash == NID_sha1
++            && ossl_ctx_legacy_digest_signatures_allowed(s->session_ctx->libctx, 0)
++            && SSL_get_security_level(SSL_CONNECTION_GET_SSL(s)) < 3) {
++        /* when rh-allow-sha1-signatures = yes and security level <= 2,
++         * explicitly allow SHA1 for backwards compatibility */
++        return 1;
++    }
++
+     /* Finally see if security callback allows it */
+     secbits = sigalg_security_bits(SSL_CONNECTION_GET_CTX(s), lu);
+     sigalgstr[0] = (lu->sigalg >> 8) & 0xff;
+@@ -2977,6 +2994,8 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
+ {
+     /* Lookup signature algorithm digest */
+     int secbits, nid, pknid;
++    OSSL_LIB_CTX *libctx = NULL;
++
+ 
+     /* Don't check signature if self signed */
+     if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)
+@@ -2985,6 +3004,25 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
+     /* If digest NID not defined use signature NID */
+     if (nid == NID_undef)
+         nid = pknid;
++
++    if (x && x->libctx)
++        libctx = x->libctx;
++    else if (ctx && ctx->libctx)
++        libctx = ctx->libctx;
++    else if (s && s->session_ctx && s->session_ctx->libctx)
++        libctx = s->session_ctx->libctx;
++    else
++        libctx = OSSL_LIB_CTX_get0_global_default();
++
++    if (nid == NID_sha1
++            && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0)
++            && ((s != NULL && SSL_get_security_level(SSL_CONNECTION_GET_SSL(s)) < 3)
++                || (ctx != NULL && SSL_CTX_get_security_level(ctx) < 3)
++            ))
++        /* When rh-allow-sha1-signatures = yes and security level <= 2,
++         * explicitly allow SHA1 for backwards compatibility. */
++        return 1;
++
+     if (s != NULL)
+         return ssl_security(s, op, secbits, nid, x);
+     else
+diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t
+index 700bbd849c..2de1d76b5e 100644
+--- a/test/recipes/25-test_verify.t
++++ b/test/recipes/25-test_verify.t
+@@ -29,7 +29,7 @@ sub verify {
+     run(app([@args]));
+ }
+ 
+-plan tests => 194;
++plan tests => 193;
+ 
+ # Canonical success
+ ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
+@@ -387,8 +387,9 @@ ok(verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "0"
+ ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], ),
+     "CA with PSS signature using SHA256");
+ 
+-ok(!verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "1"),
+-    "Reject PSS signature using SHA1 and auth level 1");
++## rh-allow-sha1-signatures=yes allows this to pass despite -auth_level 1
++#ok(!verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "1"),
++#    "Reject PSS signature using SHA1 and auth level 1");
+ 
+ ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
+     "PSS signature using SHA256 and auth level 2");
+-- 
+2.35.1
diff --git a/openssl.spec b/openssl.spec
index c5640ad..68ee944 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 3.5.0
-Release: 1%{?dist}
+Release: 2%{?dist}
 Epoch: 1
 Source0: openssl-%{version}.tar.gz
 Source1: fips-hmacify.sh
@@ -89,6 +89,8 @@ Patch0047: 0047-FIPS-Fix-some-tests-due-to-our-versioning-change.patch
 Patch0048: 0048-Current-Rebase-status.patch
 Patch0049: 0049-FIPS-KDF-key-lenght-errors.patch
 Patch0050: 0050-FIPS-fix-disallowed-digests-tests.patch
+#The patches that are different for RHEL9 and 10 start here
+Patch0100: 0100-RHEL9-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch
 
 License: Apache-2.0
 URL: http://www.openssl.org/
@@ -421,6 +423,10 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco
 %ldconfig_scriptlets libs
 
 %changelog
+* Fri May 02 2025 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.5.0-2
+- OpenSSL ignores "rh-allow-sha1-signatures = yes" option on RHEL-9
+  Resolves: RHEL-88910
+
 * Wed Apr 16 2025 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.5.0-1
 - Rebasing OpenSSL to 3.5
   Resolves: RHEL-80854