rpms / openssl

Clone
Source Code
GIT

Files

f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f26 f27 f28 f29 f30 f31 f32 f33 f34 f35 f36 f37 f38 f39 f40 f7 f8 f9 fix_strcasecmp main minimize_test_skip no_engine openssl_rebase_308to311 rawhide
  1.   f38
  2.   0053-Add-SHA1-probes.patch
Blob Blame History Raw 
From 428369896db1656af748a67bb36fba039e7b39ad Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Mon, 25 Apr 2022 15:21:46 +0200
Subject: [PATCH] Instrument SHA-1 signatures with USDT probes

In order to discover remaining uses of SHA-1 in signatures without
forcefully breaking the code paths, add USDT probes that can be queried
with systemtap at runtime.

This should allow identifying components that still use SHA-1 signatures
in production so that they can be transitioned to more modern hash
algorithms.
---
 crypto/evp/m_sigver.c                    | 13 +++++++++----
 crypto/evp/pmeth_lib.c                   | 13 +++++++++----
 crypto/x509/x509_vfy.c                   |  6 +++++-
 providers/common/securitycheck.c         | 22 +++++++++++++++-------
 providers/common/securitycheck_default.c | 13 +++++++++++--
 ssl/t1_lib.c                             |  8 +++++++-
 6 files changed, 56 insertions(+), 19 deletions(-)

diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c
index 8da2183ce0..c17cdfa5d5 100644
--- a/crypto/evp/m_sigver.c
+++ b/crypto/evp/m_sigver.c
@@ -16,6 +16,8 @@
 #include "internal/numbers.h"   /* includes SIZE_MAX */
 #include "evp_local.h"
 
+#include <sys/sdt.h>
+
 typedef struct ossl_legacy_digest_signatures_st {
     int allowed;
 } OSSL_LEGACY_DIGEST_SIGNATURES;
@@ -336,10 +338,13 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
             && !EVP_PKEY_is_a(locpctx->pkey, SN_tls1_prf)
             && !EVP_PKEY_is_a(locpctx->pkey, SN_hkdf)) {
         int mdnid = EVP_MD_nid(ctx->reqdigest);
-        if (!ossl_ctx_legacy_digest_signatures_allowed(locpctx->libctx, 0)
-                && (mdnid == NID_sha1 || mdnid == NID_md5_sha1)) {
-            ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_DIGEST);
-            goto err;
+        if (mdnid == NID_sha1 || mdnid == NID_md5_sha1) {
+            if (!ossl_ctx_legacy_digest_signatures_allowed(locpctx->libctx, 0)) {
+                ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_DIGEST);
+                goto err;
+            } else {
+                DTRACE_PROBE1(libcrypto, fedora_do_sigver_init_1, mdnid);
+            }
         }
     }
 
diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
index b96f148c0d..54fcf24945 100644
--- a/crypto/evp/pmeth_lib.c
+++ b/crypto/evp/pmeth_lib.c
@@ -37,6 +37,8 @@
 #include "internal/sslconf.h"
 #include "evp_local.h"
 
+#include <sys/sdt.h>
+
 #ifndef FIPS_MODULE
 
 static int evp_pkey_ctx_store_cached_data(EVP_PKEY_CTX *ctx,
@@ -956,10 +958,13 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_CTX *ctx, const EVP_MD *md,
             && !EVP_PKEY_is_a(ctx->pkey, SN_tls1_prf)
             && !EVP_PKEY_is_a(ctx->pkey, SN_hkdf)) {
         int mdnid = EVP_MD_nid(md);
-        if ((mdnid == NID_sha1 || mdnid == NID_md5_sha1)
-                && !ossl_ctx_legacy_digest_signatures_allowed(ctx->libctx, 0)) {
-            ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_DIGEST);
-            return -1;
+        if (mdnid == NID_sha1 || mdnid == NID_md5_sha1) {
+            if (!ossl_ctx_legacy_digest_signatures_allowed(ctx->libctx, 0)) {
+                ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_DIGEST);
+                return -1;
+            } else {
+                DTRACE_PROBE1(libcrypto, fedora_evp_pkey_ctx_set_md_1, mdnid);
+            }
         }
     }
 
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index bf0c608839..78638ce80e 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -29,6 +29,8 @@
 #include "crypto/x509.h"
 #include "x509_local.h"
 
+#include <sys/sdt.h>
+
 /* CRL score values */
 
 #define CRL_SCORE_NOCRITICAL    0x100 /* No unhandled critical extensions */
@@ -3462,11 +3464,13 @@ static int check_sig_level(X509_STORE_CTX *ctx, X509 *cert)
 
     if ((nid == NID_sha1 || nid == NID_md5_sha1)
             && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0)
-            && ctx->param->auth_level < 2)
+            && ctx->param->auth_level < 2) {
+        DTRACE_PROBE1(libcrypto, fedora_check_sig_level_1, nid);
         /* When rh-allow-sha1-signatures = yes and security level <= 1,
          * explicitly allow SHA1 for backwards compatibility. Also allow
          * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */
         return 1;
+    }
 
     return secbits >= minbits_table[level - 1];
 }
diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c
index e534ad0a5f..bf496450cf 100644
--- a/providers/common/securitycheck.c
+++ b/providers/common/securitycheck.c
@@ -21,6 +21,8 @@
 #include "prov/securitycheck.h"
 #include "internal/sslconf.h"
 
+#include <sys/sdt.h>
+
 /*
  * FIPS requires a minimum security strength of 112 bits (for encryption or
  * signing), and for legacy purposes 80 bits (for decryption or verifying).
@@ -238,11 +240,14 @@ int ossl_digest_get_approved_nid_with_sha1(OSSL_LIB_CTX *ctx, const EVP_MD *md,
 # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
 
 #ifndef FIPS_MODULE
-    if (!ossl_ctx_legacy_digest_signatures_allowed(ctx, 0))
-        /* SHA1 is globally disabled, check whether we want to locally allow
-         * it. */
-        if (mdnid == NID_sha1 && !sha1_allowed)
+    if (mdnid == NID_sha1 && !sha1_allowed) {
+        if (!ossl_ctx_legacy_digest_signatures_allowed(ctx, 0))
+            /* SHA1 is globally disabled, check whether we want to locally allow
+             * it. */
             mdnid = -1;
+        else
+            DTRACE_PROBE1(libcrypto, fedora_ossl_digest_get_approved_nid_with_sha1_1, mdnid);
+    }
 #endif
 
     return mdnid;
@@ -258,9 +263,12 @@ int ossl_digest_is_allowed(OSSL_LIB_CTX *ctx, const EVP_MD *md)
 #ifndef FIPS_MODULE
     {
         int mdnid = EVP_MD_nid(md);
-        if ((mdnid == NID_sha1 || mdnid == NID_md5_sha1)
-                && !ossl_ctx_legacy_digest_signatures_allowed(ctx, 0))
-            return 0;
+        if (mdnid == NID_sha1 || mdnid == NID_md5_sha1) {
+            if (!ossl_ctx_legacy_digest_signatures_allowed(ctx, 0))
+                return 0;
+            else
+                DTRACE_PROBE1(libcrypto, fedora_ossl_digest_is_allowed_1, mdnid);
+        }
     }
 #endif
 
diff --git a/providers/common/securitycheck_default.c b/providers/common/securitycheck_default.c
index ce54a94fbc..2d21e4a7df 100644
--- a/providers/common/securitycheck_default.c
+++ b/providers/common/securitycheck_default.c
@@ -17,6 +17,8 @@
 #include "internal/nelem.h"
 #include "internal/sslconf.h"
 
+#include <sys/sdt.h>
+
 /* Disable the security checks in the default provider */
 int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx)
 {
@@ -40,9 +42,16 @@ int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md,
 
     ldsigs_allowed = ossl_ctx_legacy_digest_signatures_allowed(ctx, 0);
     mdnid = ossl_digest_get_approved_nid_with_sha1(ctx, md, sha1_allowed || ldsigs_allowed);
+    if (mdnid == NID_sha1)
+        /* This will only happen if SHA1 is allowed, otherwise mdnid is -1. */
+        DTRACE_PROBE1(libcrypto, fedora_ossl_digest_rsa_sign_get_md_nid_1, mdnid);
     if (mdnid == NID_undef)
         mdnid = ossl_digest_md_to_nid(md, name_to_nid, OSSL_NELEM(name_to_nid));
-    if (mdnid == NID_md5_sha1 && !ldsigs_allowed)
-        mdnid = -1;
+    if (mdnid == NID_md5_sha1) {
+        if (ldsigs_allowed)
+            DTRACE_PROBE1(libcrypto, fedora_ossl_digest_rsa_sign_get_md_nid_2, mdnid);
+        else
+            mdnid = -1;
+    }
     return mdnid;
 }
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 0b50266b69..d05e696a28 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -28,6 +28,8 @@
 #include "ssl_local.h"
 #include <openssl/ct.h>
 
+#include <sys/sdt.h>
+
 static const SIGALG_LOOKUP *find_sig_alg(SSL *s, X509 *x, EVP_PKEY *pkey);
 static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu);
 
@@ -1569,6 +1571,7 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey)
         /* When rh-allow-sha1-signatures = yes and security level <= 1,
          * explicitly allow SHA1 for backwards compatibility. Also allow
          * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */
+        DTRACE_PROBE1(libssl, fedora_tls12_check_peer_sigalg_1, lu->hash);
     } else {
         /*
          * Make sure security callback allows algorithm. For historical
@@ -2122,6 +2125,7 @@ static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu)
         /* When rh-allow-sha1-signatures = yes and security level <= 1,
          * explicitly allow SHA1 for backwards compatibility. Also allow
          * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */
+        DTRACE_PROBE1(libssl, fedora_tls12_sigalg_allowed_1, lu->hash);
         return 1;
     }
 
@@ -3020,11 +3024,13 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
             && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0)
             && ((s != NULL && SSL_get_security_level(s) < 2)
                 || (ctx != NULL && SSL_CTX_get_security_level(ctx) < 2)
-            ))
+            )) {
         /* When rh-allow-sha1-signatures = yes and security level <= 1,
          * explicitly allow SHA1 for backwards compatibility. Also allow
          * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */
+        DTRACE_PROBE1(libssl, fedora_ssl_security_cert_sig_1, nid);
         return 1;
+    }
 
     if (s)
         return ssl_security(s, op, secbits, nid, x);
-- 
2.35.1
Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.