Allow SHA1 usage in HMAC in TLS

The EVP_DigestSign API is used in TLS to compute a SHA1 HMAC, which is OK from our point of view, but was blocked so far. Modify 0049-Selectively-disallow-SHA1-signatures.patch to check the EVP_PKEY type for HMAC (and TLS1-PRF and HKDF), and allow SHA1 for these cases. Note that TLS1.1 signs a MD5-SHA1 hash with a private key, which does not work with rh-allow-sha1-signatures = no, so the minimum TLS version will be TLS 1.2. Resolves: rhbz#2031742 Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-02-22 19:34:36 +01:00 · 2022-02-22 19:34:36 +01:00 · 5a9ab1160e
commit 5a9ab1160e
parent 53b85f538c
2 changed files with 22 additions and 10 deletions
--- a/0049-Selectively-disallow-SHA1-signatures.patch
+++ b/0049-Selectively-disallow-SHA1-signatures.patch
@ -36,9 +36,9 @@ signing arbitrary data).

 Resolves: rhbz#2031742
 ---
- crypto/evp/evp_cnf.c                     | 13 +++++
- crypto/evp/m_sigver.c                    | 74 ++++++++++++++++++++++++
- crypto/evp/pmeth_lib.c                   | 10 ++++
+ crypto/evp/evp_cnf.c                     | 13 ++++
+ crypto/evp/m_sigver.c                    | 77 ++++++++++++++++++++++++
+ crypto/evp/pmeth_lib.c                   | 15 +++++
 doc/man5/config.pod                      | 11 ++++
 include/internal/cryptlib.h              |  3 +-
 include/internal/sslconf.h               |  4 ++
@ -46,7 +46,7 @@ Resolves: rhbz#2031742
 providers/common/securitycheck_default.c |  7 ++-
 ssl/t1_lib.c                             |  8 +++
 util/libcrypto.num                       |  2 +
- 10 files changed, 148 insertions(+), 2 deletions(-)
+ 10 files changed, 156 insertions(+), 2 deletions(-)

 diff --git a/crypto/evp/evp_cnf.c b/crypto/evp/evp_cnf.c
 index 0e7fe64cf9..b9d3b6d226 100644
@ -80,7 +80,7 @@ index 0e7fe64cf9..b9d3b6d226 100644
             ERR_raise_data(ERR_LIB_EVP, EVP_R_UNKNOWN_OPTION,
                            "name=%s, value=%s", oval->name, oval->value);
 diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c
-index 9188edbc21..67498b48c0 100644
+index 9188edbc21..db1a1d7bc3 100644
 --- a/crypto/evp/m_sigver.c
 +++ b/crypto/evp/m_sigver.c
@@ -16,6 +16,71 @@
@ -155,11 +155,14 @@ index 9188edbc21..67498b48c0 100644
 #ifndef FIPS_MODULE
 
 static int update(EVP_MD_CTX *ctx, const void *data, size_t datalen)
-@@ -258,6 +323,15 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
+@@ -258,6 +323,18 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
         }
     }
 
-+    if (ctx->reqdigest != NULL) {
+    if (ctx->reqdigest != NULL
+            && !EVP_PKEY_is_a(locpctx->pkey, SN_hmac)
+            && !EVP_PKEY_is_a(locpctx->pkey, SN_tls1_prf)
+            && !EVP_PKEY_is_a(locpctx->pkey, SN_hkdf)) {
 +        int mdnid = EVP_MD_nid(ctx->reqdigest);
 +        if (!ossl_ctx_legacy_digest_signatures_allowed(locpctx->libctx, 0)
 +                && (mdnid == NID_sha1 || mdnid == NID_md5_sha1)) {
@ -172,7 +175,7 @@ index 9188edbc21..67498b48c0 100644
         if (signature->digest_verify_init == NULL) {
             ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
 diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
-index 2b9c6c2351..d7bf2de1b6 100644
+index 2b9c6c2351..3c5a1e6f5d 100644
 --- a/crypto/evp/pmeth_lib.c
 +++ b/crypto/evp/pmeth_lib.c
@@ -33,6 +33,7 @@
@ -183,11 +186,16 @@ index 2b9c6c2351..d7bf2de1b6 100644
 #include "evp_local.h"
 
 #ifndef FIPS_MODULE
-@@ -946,6 +947,15 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_CTX *ctx, const EVP_MD *md,
+@@ -946,6 +947,20 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_CTX *ctx, const EVP_MD *md,
         return -2;
     }
 
-+    if (EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx) && md != NULL) {
+    if (EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx)
+            && md != NULL
+            && ctx->pkey != NULL
+            && !EVP_PKEY_is_a(ctx->pkey, SN_hmac)
+            && !EVP_PKEY_is_a(ctx->pkey, SN_tls1_prf)
+            && !EVP_PKEY_is_a(ctx->pkey, SN_hkdf)) {
 +        int mdnid = EVP_MD_nid(md);
 +        if ((mdnid == NID_sha1 || mdnid == NID_md5_sha1)
 +                && !ossl_ctx_legacy_digest_signatures_allowed(ctx->libctx, 0)) {
--- a/openssl.spec
+++ b/openssl.spec
@ -410,6 +410,10 @@ install -m644 %{SOURCE9} \
 %ldconfig_scriptlets libs

 %changelog
+* Tue Feb 22 2022 Clemens Lang <cllang@redhat.com> - 3.0.1-9
+- Allow SHA1 usage in HMAC in TLS
+- Resolves: rhbz#2031742
+
 * Tue Feb 22 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-8
 - OpenSSL will generate keys with prime192v1 curve if it is provided using explicit parameters
 - Resolves: rhbz#1977867