From 1fba75a6203d3ea2037d2fc2e1846f1b514c3d1d Mon Sep 17 00:00:00 2001

From: rpm-build <rpm-build>

Date: Wed, 6 Mar 2024 19:17:15 +0100

Subject: [PATCH 23/49] 

 0052-Allow-SHA1-in-seclevel-1-if-rh-allow-sha1-signatures.patch

Patch-name: 0052-Allow-SHA1-in-seclevel-1-if-rh-allow-sha1-signatures.patch

Patch-id: 52

Patch-status: |

    # # Support SHA1 in TLS in LEGACY crypto-policy (which is SECLEVEL=1)

From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce

---

 crypto/x509/x509_vfy.c        | 20 ++++++++++-

 doc/man5/config.pod           |  7 ++++

 ssl/t1_lib.c                  | 67 ++++++++++++++++++++++++++++-------

 test/recipes/25-test_verify.t |  4 +--

 4 files changed, 82 insertions(+), 16 deletions(-)

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c

index 1794c14e99..1dfbe58a4a 100644

--- a/crypto/x509/x509_vfy.c

+++ b/crypto/x509/x509_vfy.c

@@ -25,6 +25,7 @@

 #include <openssl/objects.h>

 #include <openssl/core_names.h>

 #include "internal/dane.h"

+#include "internal/sslconf.h"

 #include "crypto/x509.h"

 #include "x509_local.h"

@@ -3668,14 +3669,31 @@ static int check_sig_level(X509_STORE_CTX *ctx, X509 *cert)

 {

     int secbits = -1;

     int level = ctx->param->auth_level;

+    int nid;

+    OSSL_LIB_CTX *libctx = NULL;

     if (level <= 0)

         return 1;

     if (level > NUM_AUTH_LEVELS)

         level = NUM_AUTH_LEVELS;

-    if (!X509_get_signature_info(cert, NULL, NULL, &secbits, NULL))

+    if (ctx->libctx)

+        libctx = ctx->libctx;

+    else if (cert->libctx)

+        libctx = cert->libctx;

+    else

+        libctx = OSSL_LIB_CTX_get0_global_default();

+

+    if (!X509_get_signature_info(cert, &nid, NULL, &secbits, NULL))

         return 0;

+    if ((nid == NID_sha1 || nid == NID_md5_sha1)

+            && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0)

+            && ctx->param->auth_level < 2)

+        /* When rh-allow-sha1-signatures = yes and security level <= 1,

+         * explicitly allow SHA1 for backwards compatibility. Also allow

+         * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */

+        return 1;

+

     return secbits >= minbits_table[level - 1];

 }

diff --git a/doc/man5/config.pod b/doc/man5/config.pod

index ed34ff4b9c..8ab5456c99 100644

--- a/doc/man5/config.pod

+++ b/doc/man5/config.pod

@@ -317,6 +317,13 @@ this option is set to B<no>.  Because TLS 1.1 or lower use MD5-SHA1 as

 pseudorandom function (PRF) to derive key material, disabling

 B<rh-allow-sha1-signatures> requires the use of TLS 1.2 or newer.

+Note that enabling B<rh-allow-sha1-signatures> will allow TLS signature

+algorithms that use SHA1 in security level 1, despite the definition of

+security level 1 of 80 bits of security, which SHA1 and MD5-SHA1 do not meet.

+This allows using SHA1 and MD5-SHA1 in TLS in the LEGACY crypto-policy on

+Fedora without requiring to set the security level to 0, which would include

+further insecure algorithms, and thus restores support for TLS 1.0 and 1.1.

+

 =item B<fips_mode> (deprecated)

 The value is a boolean that can be B<yes> or B<no>.  If the value is

diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c

index 05dd7c5595..056aae3863 100644

--- a/ssl/t1_lib.c

+++ b/ssl/t1_lib.c

@@ -20,6 +20,7 @@

 #include <openssl/bn.h>

 #include <openssl/provider.h>

 #include <openssl/param_build.h>

+#include "crypto/x509.h"

 #include "internal/sslconf.h"

 #include "internal/nelem.h"

 #include "internal/sizes.h"

@@ -1977,19 +1978,28 @@ int tls12_check_peer_sigalg(SSL_CONNECTION *s, uint16_t sig, EVP_PKEY *pkey)

         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_UNKNOWN_DIGEST);

         return 0;

     }

-    /*

-     * Make sure security callback allows algorithm. For historical

-     * reasons we have to pass the sigalg as a two byte char array.

-     */

-    sigalgstr[0] = (sig >> 8) & 0xff;

-    sigalgstr[1] = sig & 0xff;

-    secbits = sigalg_security_bits(SSL_CONNECTION_GET_CTX(s), lu);

-    if (secbits == 0 ||

-        !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits,

-                      md != NULL ? EVP_MD_get_type(md) : NID_undef,

-                      (void *)sigalgstr)) {

-        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE);

-        return 0;

+

+    if ((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1)

+            && ossl_ctx_legacy_digest_signatures_allowed(s->session_ctx->libctx, 0)

+            && SSL_get_security_level(SSL_CONNECTION_GET_SSL(s)) < 2) {

+        /* When rh-allow-sha1-signatures = yes and security level <= 1,

+         * explicitly allow SHA1 for backwards compatibility. Also allow

+         * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */

+    } else {

+        /*

+         * Make sure security callback allows algorithm. For historical

+         * reasons we have to pass the sigalg as a two byte char array.

+         */

+        sigalgstr[0] = (sig >> 8) & 0xff;

+        sigalgstr[1] = sig & 0xff;

+        secbits = sigalg_security_bits(s->session_ctx, lu);

+        if (secbits == 0 ||

+            !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits,

+                          md != NULL ? EVP_MD_get_type(md) : NID_undef,

+                          (void *)sigalgstr)) {

+            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE);

+            return 0;

+        }

     }

     /* Store the sigalg the peer uses */

     s->s3.tmp.peer_sigalg = lu;

@@ -2563,6 +2573,15 @@ static int tls12_sigalg_allowed(const SSL_CONNECTION *s, int op,

         }

     }

+    if ((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1)

+            && ossl_ctx_legacy_digest_signatures_allowed(s->session_ctx->libctx, 0)

+            && SSL_get_security_level(SSL_CONNECTION_GET_SSL(s)) < 2) {

+        /* When rh-allow-sha1-signatures = yes and security level <= 1,

+         * explicitly allow SHA1 for backwards compatibility. Also allow

+         * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */

+        return 1;

+    }

+

     /* Finally see if security callback allows it */

     secbits = sigalg_security_bits(SSL_CONNECTION_GET_CTX(s), lu);

     sigalgstr[0] = (lu->sigalg >> 8) & 0xff;

@@ -3467,6 +3486,8 @@ static int ssl_security_cert_sig(SSL_CONNECTION *s, SSL_CTX *ctx, X509 *x,

 {

     /* Lookup signature algorithm digest */

     int secbits, nid, pknid;

+    OSSL_LIB_CTX *libctx = NULL;

+

     /* Don't check signature if self signed */

     if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)

@@ -3476,6 +3497,26 @@ static int ssl_security_cert_sig(SSL_CONNECTION *s, SSL_CTX *ctx, X509 *x,

     /* If digest NID not defined use signature NID */

     if (nid == NID_undef)

         nid = pknid;

+

+    if (x && x->libctx)

+        libctx = x->libctx;

+    else if (ctx && ctx->libctx)

+        libctx = ctx->libctx;

+    else if (s && s->session_ctx && s->session_ctx->libctx)

+        libctx = s->session_ctx->libctx;

+    else

+        libctx = OSSL_LIB_CTX_get0_global_default();

+

+    if ((nid == NID_sha1 || nid == NID_md5_sha1)

+            && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0)

+            && ((s != NULL && SSL_get_security_level(SSL_CONNECTION_GET_SSL(s)) < 2)

+                || (ctx != NULL && SSL_CTX_get_security_level(ctx) < 2)

+            ))

+        /* When rh-allow-sha1-signatures = yes and security level <= 1,

+         * explicitly allow SHA1 for backwards compatibility. Also allow

+         * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */

+        return 1;

+

     if (s != NULL)

         return ssl_security(s, op, secbits, nid, x);

     else

diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t

index 1c8fce86fd..a584629062 100644

--- a/test/recipes/25-test_verify.t

+++ b/test/recipes/25-test_verify.t

@@ -481,8 +481,8 @@ ok(verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "0"

 ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], ),

     "CA with PSS signature using SHA256");

-ok(!verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "1"),

-    "Reject PSS signature using SHA1 and auth level 1");

+ok(!verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "2"),

+    "Reject PSS signature using SHA1 and auth level 2");

 ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "2"),

     "PSS signature using SHA256 and auth level 2");

-- 

2.44.0