Rebase ELN/RHEL patch for OpenSSL 3.0.8

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
Stephen Gallagher 2023-02-13 13:36:19 -05:00
parent 167e0dd694
commit e198b69ab5


@ -1,7 +1,8 @@
From dbd1021466572be733dfc6f7ae484f1adf467f40 Mon Sep 17 00:00:00 2001 From b9e2912acb72837b2fdef5cd8f96dc4e0d2a8fea Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com> From: Clemens Lang <cllang@redhat.com>
Date: Tue, 1 Mar 2022 15:44:18 +0100 Date: Tue, 1 Mar 2022 15:44:18 +0100
Subject: [PATCH] Allow SHA1 in seclevel 2 if rh-allow-sha1-signatures = yes Subject: [PATCH 23/38] Allow SHA1 in seclevel 2 if rh-allow-sha1-signatures =
yes
References: rhbz#2055796 References: rhbz#2055796
--- ---
@ -12,7 +13,7 @@ References: rhbz#2055796
4 files changed, 79 insertions(+), 18 deletions(-) 4 files changed, 79 insertions(+), 18 deletions(-)
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 2f175ca517f5dd8f8e7d79e5d562981b74c8f987..d1c7d0ce204ca31021a4497ddaa8e7dee45ff6f6 100644 index 9384f1da9bad9e104550ff270d9ae8dc61da073d..859d5caf4529e193336022bc8a4bdd640df26066 100644
--- a/crypto/x509/x509_vfy.c --- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c
@@ -25,6 +25,7 @@ @@ -25,6 +25,7 @@
@ -23,7 +24,7 @@ index 2f175ca517f5dd8f8e7d79e5d562981b74c8f987..d1c7d0ce204ca31021a4497ddaa8e7de
#include "crypto/x509.h" #include "crypto/x509.h"
#include "x509_local.h" #include "x509_local.h"
@@ -3441,14 +3442,30 @@ static int check_sig_level(X509_STORE_CTX *ctx, X509 *cert) @@ -3430,14 +3431,30 @@ static int check_sig_level(X509_STORE_CTX *ctx, X509 *cert)
{ {
int secbits = -1; int secbits = -1;
int level = ctx->param->auth_level; int level = ctx->param->auth_level;
@ -56,7 +57,7 @@ index 2f175ca517f5dd8f8e7d79e5d562981b74c8f987..d1c7d0ce204ca31021a4497ddaa8e7de
return secbits >= minbits_table[level - 1]; return secbits >= minbits_table[level - 1];
} }
diff --git a/doc/man5/config.pod b/doc/man5/config.pod diff --git a/doc/man5/config.pod b/doc/man5/config.pod
index f1536258470563b4fe74f8d1e3db6d73ed316341..29ca805ea7152aa9d39bb14e74cc7fd704ec7acf 100644 index f7ac6a743b44c786cf18ccf2ed28105855ceb3ac..f850075d2d0da73e2ab8fc402b1884d3ef6254a8 100644
--- a/doc/man5/config.pod --- a/doc/man5/config.pod
+++ b/doc/man5/config.pod +++ b/doc/man5/config.pod
@@ -313,7 +313,12 @@ When set to B<no>, any attempt to create or verify a signature with a SHA1 @@ -313,7 +313,12 @@ When set to B<no>, any attempt to create or verify a signature with a SHA1
@ -74,7 +75,7 @@ index f1536258470563b4fe74f8d1e3db6d73ed316341..29ca805ea7152aa9d39bb14e74cc7fd7
=item B<fips_mode> (deprecated) =item B<fips_mode> (deprecated)
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 909e38c2fe88324884a939b583fd7f43d01f3920..860c7a81d1eaa834e72f81e433e7a0a6a8b1b641 100644 index 89c1dd31c72271b1923ab972e3d3359b6c8e1a03..831e594c00f1c048c9cd920b6c7e62cd6d7a06ed 100644
--- a/ssl/t1_lib.c --- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c +++ b/ssl/t1_lib.c
@@ -20,6 +20,7 @@ @@ -20,6 +20,7 @@
@ -126,7 +127,7 @@ index 909e38c2fe88324884a939b583fd7f43d01f3920..860c7a81d1eaa834e72f81e433e7a0a6
} }
/* Store the sigalg the peer uses */ /* Store the sigalg the peer uses */
s->s3.tmp.peer_sigalg = lu; s->s3.tmp.peer_sigalg = lu;
@@ -2111,6 +2120,14 @@ static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu) @@ -2116,6 +2125,14 @@ static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu)
} }
} }
@ -141,7 +142,7 @@ index 909e38c2fe88324884a939b583fd7f43d01f3920..860c7a81d1eaa834e72f81e433e7a0a6
/* Finally see if security callback allows it */ /* Finally see if security callback allows it */
secbits = sigalg_security_bits(s->ctx, lu); secbits = sigalg_security_bits(s->ctx, lu);
sigalgstr[0] = (lu->sigalg >> 8) & 0xff; sigalgstr[0] = (lu->sigalg >> 8) & 0xff;
@@ -2980,6 +2997,8 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op) @@ -2985,6 +3002,8 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
{ {
/* Lookup signature algorithm digest */ /* Lookup signature algorithm digest */
int secbits, nid, pknid; int secbits, nid, pknid;
@ -150,7 +151,7 @@ index 909e38c2fe88324884a939b583fd7f43d01f3920..860c7a81d1eaa834e72f81e433e7a0a6
/* Don't check signature if self signed */ /* Don't check signature if self signed */
if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0) if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)
return 1; return 1;
@@ -2988,6 +3007,25 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op) @@ -2993,6 +3012,25 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
/* If digest NID not defined use signature NID */ /* If digest NID not defined use signature NID */
if (nid == NID_undef) if (nid == NID_undef)
nid = pknid; nid = pknid;
@ -177,19 +178,19 @@ index 909e38c2fe88324884a939b583fd7f43d01f3920..860c7a81d1eaa834e72f81e433e7a0a6
return ssl_security(s, op, secbits, nid, x); return ssl_security(s, op, secbits, nid, x);
else else
diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t
index bf85ba57c1cf51fe4e8e54654890121bac6738fe..d5665434aaef1ca2b5f2f37b2499f40b1405fd9d 100644 index 2a4c36e86daff04f87ad4726a9fb359d958189bf..309cda877d15ff18f5e492c05372f5c9f1393525 100644
--- a/test/recipes/25-test_verify.t --- a/test/recipes/25-test_verify.t
+++ b/test/recipes/25-test_verify.t +++ b/test/recipes/25-test_verify.t
@@ -29,7 +29,7 @@ sub verify { @@ -29,7 +29,7 @@ sub verify {
run(app([@args])); run(app([@args]));
} }
-plan tests => 163; -plan tests => 164;
+plan tests => 162; +plan tests => 163;
# Canonical success # Canonical success
ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]), ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
@@ -410,8 +410,9 @@ ok(verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "0" @@ -419,8 +419,9 @@ ok(verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "0"
ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], ), ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], ),
"CA with PSS signature using SHA256"); "CA with PSS signature using SHA256");
@ -202,5 +203,5 @@ index bf85ba57c1cf51fe4e8e54654890121bac6738fe..d5665434aaef1ca2b5f2f37b2499f40b
ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "2"), ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
"PSS signature using SHA256 and auth level 2"); "PSS signature using SHA256 and auth level 2");
-- --
2.37.2 2.39.1