| |
@@ -0,0 +1,489 @@
|
| |
+ From 243201772cc6d583fae9eba81cb2c2c7425bc564 Mon Sep 17 00:00:00 2001
|
| |
+ From: Clemens Lang <cllang@redhat.com>
|
| |
+ Date: Mon, 21 Feb 2022 17:24:44 +0100
|
| |
+ Subject: Selectively disallow SHA1 signatures
|
| |
+
|
| |
+ For RHEL 9.0, we want to phase out SHA1. One of the steps to do that is
|
| |
+ disabling SHA1 signatures. Introduce a new configuration option in the
|
| |
+ alg_section named 'rh-allow-sha1-signatures'. This option defaults to
|
| |
+ false. If set to false (or unset), any signature creation or
|
| |
+ verification operations that involve SHA1 as digest will fail.
|
| |
+
|
| |
+ This also affects TLS, where the signature_algorithms extension of any
|
| |
+ ClientHello message sent by OpenSSL will no longer include signatures
|
| |
+ with the SHA1 digest if rh-allow-sha1-signatures is false. For servers
|
| |
+ that request a client certificate, the same also applies for
|
| |
+ CertificateRequest messages sent by them.
|
| |
+
|
| |
+ For signatures created using the EVP_PKEY API, this is a best-effort
|
| |
+ check that will deny signatures in cases where the digest algorithm is
|
| |
+ known. This means, for example, that that following steps will still
|
| |
+ work:
|
| |
+
|
| |
+ $> openssl dgst -sha1 -binary -out sha1 infile
|
| |
+ $> openssl pkeyutl -inkey key.pem -sign -in sha1 -out sha1sig
|
| |
+ $> openssl pkeyutl -inkey key.pem -verify -sigfile sha1sig -in sha1
|
| |
+
|
| |
+ whereas these will not:
|
| |
+
|
| |
+ $> openssl dgst -sha1 -binary -out sha1 infile
|
| |
+ $> openssl pkeyutl -inkey kem.pem -sign -in sha1 -out sha1sig -pkeyopt digest:sha1
|
| |
+ $> openssl pkeyutl -inkey kem.pem -verify -sigfile sha1sig -in sha1 -pkeyopt digest:sha1
|
| |
+
|
| |
+ This happens because in the first case, OpenSSL's signature
|
| |
+ implementation does not know that it is signing a SHA1 hash (it could be
|
| |
+ signing arbitrary data).
|
| |
+
|
| |
+ Resolves: rhbz#2031742
|
| |
+ ---
|
| |
+ crypto/evp/evp_cnf.c | 13 ++++
|
| |
+ crypto/evp/m_sigver.c | 77 +++++++++++++++++++
|
| |
+ crypto/evp/pmeth_lib.c | 15 ++++
|
| |
+ doc/man5/config.pod | 11 +++
|
| |
+ include/internal/cryptlib.h | 3 +-
|
| |
+ include/internal/sslconf.h | 4 +
|
| |
+ providers/common/securitycheck.c | 20 +++++
|
| |
+ providers/common/securitycheck_default.c | 9 ++-
|
| |
+ providers/implementations/signature/dsa_sig.c | 11 ++-
|
| |
+ .../implementations/signature/ecdsa_sig.c | 4 +
|
| |
+ providers/implementations/signature/rsa_sig.c | 20 ++++-
|
| |
+ ssl/t1_lib.c | 8 ++
|
| |
+ util/libcrypto.num | 2 +
|
| |
+ 13 files changed, 188 insertions(+), 9 deletions(-)
|
| |
+
|
| |
+ diff --git a/crypto/evp/evp_cnf.c b/crypto/evp/evp_cnf.c
|
| |
+ index 0e7fe64cf9..b9d3b6d226 100644
|
| |
+ --- a/crypto/evp/evp_cnf.c
|
| |
+ +++ b/crypto/evp/evp_cnf.c
|
| |
+ @@ -10,6 +10,7 @@
|
| |
+ #include <stdio.h>
|
| |
+ #include <openssl/crypto.h>
|
| |
+ #include "internal/cryptlib.h"
|
| |
+ +#include "internal/sslconf.h"
|
| |
+ #include <openssl/conf.h>
|
| |
+ #include <openssl/x509.h>
|
| |
+ #include <openssl/x509v3.h>
|
| |
+ @@ -57,6 +58,18 @@ static int alg_module_init(CONF_IMODULE *md, const CONF *cnf)
|
| |
+ ERR_raise(ERR_LIB_EVP, EVP_R_SET_DEFAULT_PROPERTY_FAILURE);
|
| |
+ return 0;
|
| |
+ }
|
| |
+ + } else if (strcmp(oval->name, "rh-allow-sha1-signatures") == 0) {
|
| |
+ + int m;
|
| |
+ +
|
| |
+ + /* Detailed error already reported. */
|
| |
+ + if (!X509V3_get_value_bool(oval, &m))
|
| |
+ + return 0;
|
| |
+ +
|
| |
+ + if (!ossl_ctx_legacy_digest_signatures_allowed_set(
|
| |
+ + NCONF_get0_libctx((CONF *)cnf), m > 0, 0)) {
|
| |
+ + ERR_raise(ERR_LIB_EVP, EVP_R_SET_DEFAULT_PROPERTY_FAILURE);
|
| |
+ + return 0;
|
| |
+ + }
|
| |
+ } else {
|
| |
+ ERR_raise_data(ERR_LIB_EVP, EVP_R_UNKNOWN_OPTION,
|
| |
+ "name=%s, value=%s", oval->name, oval->value);
|
| |
+ diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c
|
| |
+ index 9188edbc21..db1a1d7bc3 100644
|
| |
+ --- a/crypto/evp/m_sigver.c
|
| |
+ +++ b/crypto/evp/m_sigver.c
|
| |
+ @@ -16,6 +16,71 @@
|
| |
+ #include "internal/numbers.h" /* includes SIZE_MAX */
|
| |
+ #include "evp_local.h"
|
| |
+
|
| |
+ +typedef struct ossl_legacy_digest_signatures_st {
|
| |
+ + int allowed;
|
| |
+ +} OSSL_LEGACY_DIGEST_SIGNATURES;
|
| |
+ +
|
| |
+ +static void ossl_ctx_legacy_digest_signatures_free(void *vldsigs)
|
| |
+ +{
|
| |
+ + OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs = vldsigs;
|
| |
+ +
|
| |
+ + if (ldsigs != NULL) {
|
| |
+ + OPENSSL_free(ldsigs);
|
| |
+ + }
|
| |
+ +}
|
| |
+ +
|
| |
+ +static void *ossl_ctx_legacy_digest_signatures_new(OSSL_LIB_CTX *ctx)
|
| |
+ +{
|
| |
+ + return OPENSSL_zalloc(sizeof(OSSL_LEGACY_DIGEST_SIGNATURES));
|
| |
+ +}
|
| |
+ +
|
| |
+ +static const OSSL_LIB_CTX_METHOD ossl_ctx_legacy_digest_signatures_method = {
|
| |
+ + OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY,
|
| |
+ + ossl_ctx_legacy_digest_signatures_new,
|
| |
+ + ossl_ctx_legacy_digest_signatures_free,
|
| |
+ +};
|
| |
+ +
|
| |
+ +static OSSL_LEGACY_DIGEST_SIGNATURES *ossl_ctx_legacy_digest_signatures(
|
| |
+ + OSSL_LIB_CTX *libctx, int loadconfig)
|
| |
+ +{
|
| |
+ +#ifndef FIPS_MODULE
|
| |
+ + if (loadconfig && !OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL))
|
| |
+ + return 0;
|
| |
+ +#endif
|
| |
+ +
|
| |
+ + return ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES,
|
| |
+ + &ossl_ctx_legacy_digest_signatures_method);
|
| |
+ +}
|
| |
+ +
|
| |
+ +int ossl_ctx_legacy_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int loadconfig)
|
| |
+ +{
|
| |
+ + OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs
|
| |
+ + = ossl_ctx_legacy_digest_signatures(libctx, loadconfig);
|
| |
+ +
|
| |
+ +#ifndef FIPS_MODULE
|
| |
+ + if (ossl_safe_getenv("OPENSSL_ENABLE_SHA1_SIGNATURES") != NULL)
|
| |
+ + /* used in tests */
|
| |
+ + return 1;
|
| |
+ +#endif
|
| |
+ +
|
| |
+ + return ldsigs != NULL ? ldsigs->allowed : 0;
|
| |
+ +}
|
| |
+ +
|
| |
+ +int ossl_ctx_legacy_digest_signatures_allowed_set(OSSL_LIB_CTX *libctx, int allow,
|
| |
+ + int loadconfig)
|
| |
+ +{
|
| |
+ + OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs
|
| |
+ + = ossl_ctx_legacy_digest_signatures(libctx, loadconfig);
|
| |
+ +
|
| |
+ + if (ldsigs == NULL) {
|
| |
+ + ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR);
|
| |
+ + return 0;
|
| |
+ + }
|
| |
+ +
|
| |
+ + ldsigs->allowed = allow;
|
| |
+ + return 1;
|
| |
+ +}
|
| |
+ +
|
| |
+ #ifndef FIPS_MODULE
|
| |
+
|
| |
+ static int update(EVP_MD_CTX *ctx, const void *data, size_t datalen)
|
| |
+ @@ -258,6 +323,18 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
| |
+ }
|
| |
+ }
|
| |
+
|
| |
+ + if (ctx->reqdigest != NULL
|
| |
+ + && !EVP_PKEY_is_a(locpctx->pkey, SN_hmac)
|
| |
+ + && !EVP_PKEY_is_a(locpctx->pkey, SN_tls1_prf)
|
| |
+ + && !EVP_PKEY_is_a(locpctx->pkey, SN_hkdf)) {
|
| |
+ + int mdnid = EVP_MD_nid(ctx->reqdigest);
|
| |
+ + if (!ossl_ctx_legacy_digest_signatures_allowed(locpctx->libctx, 0)
|
| |
+ + && (mdnid == NID_sha1 || mdnid == NID_md5_sha1)) {
|
| |
+ + ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_DIGEST);
|
| |
+ + goto err;
|
| |
+ + }
|
| |
+ + }
|
| |
+ +
|
| |
+ if (ver) {
|
| |
+ if (signature->digest_verify_init == NULL) {
|
| |
+ ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
|
| |
+ diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
|
| |
+ index 2b9c6c2351..3c5a1e6f5d 100644
|
| |
+ --- a/crypto/evp/pmeth_lib.c
|
| |
+ +++ b/crypto/evp/pmeth_lib.c
|
| |
+ @@ -33,6 +33,7 @@
|
| |
+ #include "internal/ffc.h"
|
| |
+ #include "internal/numbers.h"
|
| |
+ #include "internal/provider.h"
|
| |
+ +#include "internal/sslconf.h"
|
| |
+ #include "evp_local.h"
|
| |
+
|
| |
+ #ifndef FIPS_MODULE
|
| |
+ @@ -946,6 +947,20 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_CTX *ctx, const EVP_MD *md,
|
| |
+ return -2;
|
| |
+ }
|
| |
+
|
| |
+ + if (EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx)
|
| |
+ + && md != NULL
|
| |
+ + && ctx->pkey != NULL
|
| |
+ + && !EVP_PKEY_is_a(ctx->pkey, SN_hmac)
|
| |
+ + && !EVP_PKEY_is_a(ctx->pkey, SN_tls1_prf)
|
| |
+ + && !EVP_PKEY_is_a(ctx->pkey, SN_hkdf)) {
|
| |
+ + int mdnid = EVP_MD_nid(md);
|
| |
+ + if ((mdnid == NID_sha1 || mdnid == NID_md5_sha1)
|
| |
+ + && !ossl_ctx_legacy_digest_signatures_allowed(ctx->libctx, 0)) {
|
| |
+ + ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_DIGEST);
|
| |
+ + return -1;
|
| |
+ + }
|
| |
+ + }
|
| |
+ +
|
| |
+ if (fallback)
|
| |
+ return EVP_PKEY_CTX_ctrl(ctx, -1, op, ctrl, 0, (void *)(md));
|
| |
+
|
| |
+ diff --git a/doc/man5/config.pod b/doc/man5/config.pod
|
| |
+ index 77a8055e81..aa1be5ca7f 100644
|
| |
+ --- a/doc/man5/config.pod
|
| |
+ +++ b/doc/man5/config.pod
|
| |
+ @@ -304,6 +304,17 @@ Within the algorithm properties section, the following names have meaning:
|
| |
+ The value may be anything that is acceptable as a property query
|
| |
+ string for EVP_set_default_properties().
|
| |
+
|
| |
+ +=item B<rh-allow-sha1-signatures>
|
| |
+ +
|
| |
+ +The value is a boolean that can be B<yes> or B<no>. If the value is not set,
|
| |
+ +it behaves as if it was set to B<no>.
|
| |
+ +
|
| |
+ +When set to B<no>, any attempt to create or verify a signature with a SHA1
|
| |
+ +digest will fail. For compatibility with older versions of OpenSSL, set this
|
| |
+ +option to B<yes>. This setting also affects TLS, where signature algorithms
|
| |
+ +that use SHA1 as digest will no longer be supported if this option is set to
|
| |
+ +B<no>.
|
| |
+ +
|
| |
+ =item B<fips_mode> (deprecated)
|
| |
+
|
| |
+ The value is a boolean that can be B<yes> or B<no>. If the value is
|
| |
+ diff --git a/include/internal/cryptlib.h b/include/internal/cryptlib.h
|
| |
+ index 1291299b6e..e234341e6a 100644
|
| |
+ --- a/include/internal/cryptlib.h
|
| |
+ +++ b/include/internal/cryptlib.h
|
| |
+ @@ -168,7 +168,8 @@ typedef struct ossl_ex_data_global_st {
|
| |
+ # define OSSL_LIB_CTX_PROVIDER_CONF_INDEX 16
|
| |
+ # define OSSL_LIB_CTX_BIO_CORE_INDEX 17
|
| |
+ # define OSSL_LIB_CTX_CHILD_PROVIDER_INDEX 18
|
| |
+ -# define OSSL_LIB_CTX_MAX_INDEXES 19
|
| |
+ +# define OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES 19
|
| |
+ +# define OSSL_LIB_CTX_MAX_INDEXES 20
|
| |
+
|
| |
+ # define OSSL_LIB_CTX_METHOD_LOW_PRIORITY -1
|
| |
+ # define OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY 0
|
| |
+ diff --git a/include/internal/sslconf.h b/include/internal/sslconf.h
|
| |
+ index fd7f7e3331..05464b0655 100644
|
| |
+ --- a/include/internal/sslconf.h
|
| |
+ +++ b/include/internal/sslconf.h
|
| |
+ @@ -18,4 +18,8 @@ int conf_ssl_name_find(const char *name, size_t *idx);
|
| |
+ void conf_ssl_get_cmd(const SSL_CONF_CMD *cmd, size_t idx, char **cmdstr,
|
| |
+ char **arg);
|
| |
+
|
| |
+ +/* Methods to support disabling all signatures with legacy digests */
|
| |
+ +int ossl_ctx_legacy_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int loadconfig);
|
| |
+ +int ossl_ctx_legacy_digest_signatures_allowed_set(OSSL_LIB_CTX *libctx, int allow,
|
| |
+ + int loadconfig);
|
| |
+ #endif
|
| |
+ diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c
|
| |
+ index 699ada7c52..e534ad0a5f 100644
|
| |
+ --- a/providers/common/securitycheck.c
|
| |
+ +++ b/providers/common/securitycheck.c
|
| |
+ @@ -19,6 +19,7 @@
|
| |
+ #include <openssl/core_names.h>
|
| |
+ #include <openssl/obj_mac.h>
|
| |
+ #include "prov/securitycheck.h"
|
| |
+ +#include "internal/sslconf.h"
|
| |
+
|
| |
+ /*
|
| |
+ * FIPS requires a minimum security strength of 112 bits (for encryption or
|
| |
+ @@ -235,6 +236,15 @@ int ossl_digest_get_approved_nid_with_sha1(OSSL_LIB_CTX *ctx, const EVP_MD *md,
|
| |
+ mdnid = -1; /* disallowed by security checks */
|
| |
+ }
|
| |
+ # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
|
| |
+ +
|
| |
+ +#ifndef FIPS_MODULE
|
| |
+ + if (!ossl_ctx_legacy_digest_signatures_allowed(ctx, 0))
|
| |
+ + /* SHA1 is globally disabled, check whether we want to locally allow
|
| |
+ + * it. */
|
| |
+ + if (mdnid == NID_sha1 && !sha1_allowed)
|
| |
+ + mdnid = -1;
|
| |
+ +#endif
|
| |
+ +
|
| |
+ return mdnid;
|
| |
+ }
|
| |
+
|
| |
+ @@ -244,5 +254,15 @@ int ossl_digest_is_allowed(OSSL_LIB_CTX *ctx, const EVP_MD *md)
|
| |
+ if (ossl_securitycheck_enabled(ctx))
|
| |
+ return ossl_digest_get_approved_nid(md) != NID_undef;
|
| |
+ # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
|
| |
+ +
|
| |
+ +#ifndef FIPS_MODULE
|
| |
+ + {
|
| |
+ + int mdnid = EVP_MD_nid(md);
|
| |
+ + if ((mdnid == NID_sha1 || mdnid == NID_md5_sha1)
|
| |
+ + && !ossl_ctx_legacy_digest_signatures_allowed(ctx, 0))
|
| |
+ + return 0;
|
| |
+ + }
|
| |
+ +#endif
|
| |
+ +
|
| |
+ return 1;
|
| |
+ }
|
| |
+ diff --git a/providers/common/securitycheck_default.c b/providers/common/securitycheck_default.c
|
| |
+ index de7f0d3a0a..ce54a94fbc 100644
|
| |
+ --- a/providers/common/securitycheck_default.c
|
| |
+ +++ b/providers/common/securitycheck_default.c
|
| |
+ @@ -15,6 +15,7 @@
|
| |
+ #include <openssl/obj_mac.h>
|
| |
+ #include "prov/securitycheck.h"
|
| |
+ #include "internal/nelem.h"
|
| |
+ +#include "internal/sslconf.h"
|
| |
+
|
| |
+ /* Disable the security checks in the default provider */
|
| |
+ int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx)
|
| |
+ @@ -23,9 +24,10 @@ int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx)
|
| |
+ }
|
| |
+
|
| |
+ int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md,
|
| |
+ - ossl_unused int sha1_allowed)
|
| |
+ + int sha1_allowed)
|
| |
+ {
|
| |
+ int mdnid;
|
| |
+ + int ldsigs_allowed;
|
| |
+
|
| |
+ static const OSSL_ITEM name_to_nid[] = {
|
| |
+ { NID_md5, OSSL_DIGEST_NAME_MD5 },
|
| |
+ @@ -36,8 +38,11 @@ int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md,
|
| |
+ { NID_ripemd160, OSSL_DIGEST_NAME_RIPEMD160 },
|
| |
+ };
|
| |
+
|
| |
+ - mdnid = ossl_digest_get_approved_nid_with_sha1(ctx, md, 1);
|
| |
+ + ldsigs_allowed = ossl_ctx_legacy_digest_signatures_allowed(ctx, 0);
|
| |
+ + mdnid = ossl_digest_get_approved_nid_with_sha1(ctx, md, sha1_allowed || ldsigs_allowed);
|
| |
+ if (mdnid == NID_undef)
|
| |
+ mdnid = ossl_digest_md_to_nid(md, name_to_nid, OSSL_NELEM(name_to_nid));
|
| |
+ + if (mdnid == NID_md5_sha1 && !ldsigs_allowed)
|
| |
+ + mdnid = -1;
|
| |
+ return mdnid;
|
| |
+ }
|
| |
+ diff --git a/providers/implementations/signature/dsa_sig.c b/providers/implementations/signature/dsa_sig.c
|
| |
+ index 28fd7c498e..fa3822f39f 100644
|
| |
+ --- a/providers/implementations/signature/dsa_sig.c
|
| |
+ +++ b/providers/implementations/signature/dsa_sig.c
|
| |
+ @@ -124,12 +124,17 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx,
|
| |
+ mdprops = ctx->propq;
|
| |
+
|
| |
+ if (mdname != NULL) {
|
| |
+ - int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
|
| |
+ WPACKET pkt;
|
| |
+ EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
|
| |
+ - int md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,
|
| |
+ - sha1_allowed);
|
| |
+ + int md_nid;
|
| |
+ size_t mdname_len = strlen(mdname);
|
| |
+ +#ifdef FIPS_MODULE
|
| |
+ + int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
|
| |
+ +#else
|
| |
+ + int sha1_allowed = 0;
|
| |
+ +#endif
|
| |
+ + md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,
|
| |
+ + sha1_allowed);
|
| |
+
|
| |
+ if (md == NULL || md_nid < 0) {
|
| |
+ if (md == NULL)
|
| |
+ diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c
|
| |
+ index 865d49d100..99b228e82c 100644
|
| |
+ --- a/providers/implementations/signature/ecdsa_sig.c
|
| |
+ +++ b/providers/implementations/signature/ecdsa_sig.c
|
| |
+ @@ -237,7 +237,11 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, const char *mdname,
|
| |
+ "%s could not be fetched", mdname);
|
| |
+ return 0;
|
| |
+ }
|
| |
+ +#ifdef FIPS_MODULE
|
| |
+ sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
|
| |
+ +#else
|
| |
+ + sha1_allowed = 0;
|
| |
+ +#endif
|
| |
+ md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,
|
| |
+ sha1_allowed);
|
| |
+ if (md_nid < 0) {
|
| |
+ diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
|
| |
+ index 325e855333..bea397f0c1 100644
|
| |
+ --- a/providers/implementations/signature/rsa_sig.c
|
| |
+ +++ b/providers/implementations/signature/rsa_sig.c
|
| |
+ @@ -26,6 +26,7 @@
|
| |
+ #include "internal/cryptlib.h"
|
| |
+ #include "internal/nelem.h"
|
| |
+ #include "internal/sizes.h"
|
| |
+ +#include "internal/sslconf.h"
|
| |
+ #include "crypto/rsa.h"
|
| |
+ #include "prov/providercommon.h"
|
| |
+ #include "prov/implementations.h"
|
| |
+ @@ -34,6 +35,7 @@
|
| |
+ #include "prov/securitycheck.h"
|
| |
+
|
| |
+ #define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1
|
| |
+ +#define RSA_DEFAULT_DIGEST_NAME_NONLEGACY OSSL_DIGEST_NAME_SHA2_256
|
| |
+
|
| |
+ static OSSL_FUNC_signature_newctx_fn rsa_newctx;
|
| |
+ static OSSL_FUNC_signature_sign_init_fn rsa_sign_init;
|
| |
+ @@ -289,10 +291,15 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname,
|
| |
+
|
| |
+ if (mdname != NULL) {
|
| |
+ EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
|
| |
+ + int md_nid;
|
| |
+ + size_t mdname_len = strlen(mdname);
|
| |
+ +#ifdef FIPS_MODULE
|
| |
+ int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
|
| |
+ - int md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md,
|
| |
+ +#else
|
| |
+ + int sha1_allowed = 0;
|
| |
+ +#endif
|
| |
+ + md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md,
|
| |
+ sha1_allowed);
|
| |
+ - size_t mdname_len = strlen(mdname);
|
| |
+
|
| |
+ if (md == NULL
|
| |
+ || md_nid <= 0
|
| |
+ @@ -1348,8 +1355,15 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
|
| |
+ prsactx->pad_mode = pad_mode;
|
| |
+
|
| |
+ if (prsactx->md == NULL && pmdname == NULL
|
| |
+ - && pad_mode == RSA_PKCS1_PSS_PADDING)
|
| |
+ + && pad_mode == RSA_PKCS1_PSS_PADDING) {
|
| |
+ pmdname = RSA_DEFAULT_DIGEST_NAME;
|
| |
+ +#ifndef FIPS_MODULE
|
| |
+ + if (!ossl_ctx_legacy_digest_signatures_allowed(prsactx->libctx, 0)) {
|
| |
+ + pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY;
|
| |
+ + }
|
| |
+ +#endif
|
| |
+ + }
|
| |
+ +
|
| |
+
|
| |
+ if (pmgf1mdname != NULL
|
| |
+ && !rsa_setup_mgf1_md(prsactx, pmgf1mdname, pmgf1mdprops))
|
| |
+ diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
|
| |
+ index fc32bb3556..4b74ee1a34 100644
|
| |
+ --- a/ssl/t1_lib.c
|
| |
+ +++ b/ssl/t1_lib.c
|
| |
+ @@ -20,6 +20,7 @@
|
| |
+ #include <openssl/bn.h>
|
| |
+ #include <openssl/provider.h>
|
| |
+ #include <openssl/param_build.h>
|
| |
+ +#include "internal/sslconf.h"
|
| |
+ #include "internal/nelem.h"
|
| |
+ #include "internal/sizes.h"
|
| |
+ #include "internal/tlsgroups.h"
|
| |
+ @@ -1145,11 +1146,13 @@ int ssl_setup_sig_algs(SSL_CTX *ctx)
|
| |
+ = OPENSSL_malloc(sizeof(*lu) * OSSL_NELEM(sigalg_lookup_tbl));
|
| |
+ EVP_PKEY *tmpkey = EVP_PKEY_new();
|
| |
+ int ret = 0;
|
| |
+ + int ldsigs_allowed;
|
| |
+
|
| |
+ if (cache == NULL || tmpkey == NULL)
|
| |
+ goto err;
|
| |
+
|
| |
+ ERR_set_mark();
|
| |
+ + ldsigs_allowed = ossl_ctx_legacy_digest_signatures_allowed(ctx->libctx, 0);
|
| |
+ for (i = 0, lu = sigalg_lookup_tbl;
|
| |
+ i < OSSL_NELEM(sigalg_lookup_tbl); lu++, i++) {
|
| |
+ EVP_PKEY_CTX *pctx;
|
| |
+ @@ -1169,6 +1172,11 @@ int ssl_setup_sig_algs(SSL_CTX *ctx)
|
| |
+ cache[i].enabled = 0;
|
| |
+ continue;
|
| |
+ }
|
| |
+ + if ((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1)
|
| |
+ + && !ldsigs_allowed) {
|
| |
+ + cache[i].enabled = 0;
|
| |
+ + continue;
|
| |
+ + }
|
| |
+
|
| |
+ if (!EVP_PKEY_set_type(tmpkey, lu->sig)) {
|
| |
+ cache[i].enabled = 0;
|
| |
+ diff --git a/util/libcrypto.num b/util/libcrypto.num
|
| |
+ index 10b4e57d79..2d3c363bb0 100644
|
| |
+ --- a/util/libcrypto.num
|
| |
+ +++ b/util/libcrypto.num
|
| |
+ @@ -5426,3 +5426,5 @@ ASN1_TIME_print_ex 5553 3_0_0 EXIST::FUNCTION:
|
| |
+ EVP_PKEY_get0_provider 5554 3_0_0 EXIST::FUNCTION:
|
| |
+ EVP_PKEY_CTX_get0_provider 5555 3_0_0 EXIST::FUNCTION:
|
| |
+ ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION:
|
| |
+ +ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION:
|
| |
+ +ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION:
|
| |
+ --
|
| |
+ 2.35.1
|
| |
+
|
| |
ELN: Disable SHA-1 by default using CentOS patches
ELN should ideally be ahead of CentOS and RHEL with policy changes, but
due to time constraints was not. Fix that by bringing the current CentOS
9 / RHEL 9 state of SHA-1 disabling to ELN.
Due to differences in their lifecycles, Fedora's packages will stay at
allowing SHA-1 by default for now. There is a plan to gradually catch up
to the ELN state over the next few releases.
Additionally, fix a FIXME in the openssl.cnf(5) manpage on Fedora.