PR#28: Allow MD5-SHA1 in LEGACY c-p to fix TLS 1.0 - rpms/openssl

rpms / openssl

#28 Allow MD5-SHA1 in LEGACY c-p to fix TLS 1.0

Merged 2 years ago by clang. Opened 2 years ago by clang.

rpms/ clang/openssl rawhide-rhbz2069239-md5sha1-in-legacy into rawhide

Allow MD5-SHA1 in LEGACY c-p to fix TLS 1.0

Clemens Lang • 2 years ago

efdb8c6

0052-Allow-SHA1-in-seclevel-1-if-rh-allow-sha1-signatures.patch

file modified

+30 -26

		`@@ -1,4 +1,4 @@`
		`- From f695f140255f9b564cac4d5e9e38ba27ec927256 Mon Sep 17 00:00:00 2001`
		`+ From f470b130139919f32926b3f5a75ba4d161cbcf88 Mon Sep 17 00:00:00 2001`
		`From: Clemens Lang <cllang@redhat.com>`
		`Date: Tue, 1 Mar 2022 15:44:18 +0100`
		`Subject: [PATCH 2/2] Allow SHA1 in seclevel 1 if rh-allow-sha1-signatures =`
		`@@ -26,14 +26,14 @@`
		`Related: rhbz#2055796`
		`Related: rhbz#2070977`
		`---`
		`- crypto/x509/x509_vfy.c \| 19 ++++++++++-`
		`+ crypto/x509/x509_vfy.c \| 20 ++++++++++-`
		`doc/man5/config.pod \| 7 ++++`
		`- ssl/t1_lib.c \| 64 ++++++++++++++++++++++++++++-------`
		`+ ssl/t1_lib.c \| 67 ++++++++++++++++++++++++++++-------`
		`test/recipes/25-test_verify.t \| 4 +--`
		`- 4 files changed, 78 insertions(+), 16 deletions(-)`
		`+ 4 files changed, 82 insertions(+), 16 deletions(-)`

		`diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c`
		`- index 2f175ca517..60aa26f552 100644`
		`+ index 2f175ca517..bf0c608839 100644`
		`--- a/crypto/x509/x509_vfy.c`
		`+++ b/crypto/x509/x509_vfy.c`
		`@@ -25,6 +25,7 @@`
		`@@ -44,7 +44,7 @@`
		`#include "crypto/x509.h"`
		`#include "x509_local.h"`

		`- @@ -3441,14 +3442,30 @@ static int check_sig_level(X509_STORE_CTX ctx, X509 cert)`
		`+ @@ -3441,14 +3442,31 @@ static int check_sig_level(X509_STORE_CTX ctx, X509 cert)`
		`{`
		`int secbits = -1;`
		`int level = ctx->param->auth_level;`
		`@@ -67,17 +67,18 @@`
		`+ if (!X509_get_signature_info(cert, &nid, NULL, &secbits, NULL))`
		`return 0;`

		`- + if (nid == NID_sha1`
		`+ + if ((nid == NID_sha1 \|\| nid == NID_md5_sha1)`
		`+ && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0)`
		`+ && ctx->param->auth_level < 2)`
		`+ /* When rh-allow-sha1-signatures = yes and security level <= 1,`
		`- + * explicitly allow SHA1 for backwards compatibility. */`
		`+ + * explicitly allow SHA1 for backwards compatibility. Also allow`
		`+ + * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */`
		`+ return 1;`
		`+`
		`return secbits >= minbits_table[level - 1];`
		`}`
		`diff --git a/doc/man5/config.pod b/doc/man5/config.pod`
		`- index 0c9110d28a..02e7ca706f 100644`
		`+ index 0c9110d28a..e0516d20b8 100644`
		`--- a/doc/man5/config.pod`
		`+++ b/doc/man5/config.pod`
		`@@ -309,6 +309,13 @@ this option is set to B<no>. Because TLS 1.1 or lower use MD5-SHA1 as`
		`@@ -86,16 +87,16 @@`

		`+Note that enabling B<rh-allow-sha1-signatures> will allow TLS signature`
		`+algorithms that use SHA1 in security level 1, despite the definition of`
		`- +security level 1 of 80 bits of security, which SHA1 does not meet. This`
		`- +allows using SHA1 in TLS in the LEGACY crypto-policy on Fedora without`
		`- +requiring to set the security level to 0, which would include further insecure`
		`- +algorithms.`
		`+ +security level 1 of 80 bits of security, which SHA1 and MD5-SHA1 do not meet.`
		`+ +This allows using SHA1 and MD5-SHA1 in TLS in the LEGACY crypto-policy on`
		`+ +Fedora without requiring to set the security level to 0, which would include`
		`+ +further insecure algorithms, and thus restores support for TLS 1.0 and 1.1.`
		`+`
		`=item B<fips_mode> (deprecated)`

		`The value is a boolean that can be B<yes> or B<no>. If the value is`
		`diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c`
		`- index dcd487ec2e..e47ddf56f1 100644`
		`+ index dcd487ec2e..0b50266b69 100644`
		`--- a/ssl/t1_lib.c`
		`+++ b/ssl/t1_lib.c`
		`@@ -20,6 +20,7 @@`
		`@@ -106,7 +107,7 @@`
		`#include "internal/sslconf.h"`
		`#include "internal/nelem.h"`
		`#include "internal/sizes.h"`
		`- @@ -1561,19 +1562,27 @@ int tls12_check_peer_sigalg(SSL s, uint16_t sig, EVP_PKEY pkey)`
		`+ @@ -1561,19 +1562,28 @@ int tls12_check_peer_sigalg(SSL s, uint16_t sig, EVP_PKEY pkey)`
		`SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_UNKNOWN_DIGEST);`
		`return 0;`
		`}`
		`@@ -124,11 +125,12 @@`
		`- SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE);`
		`- return 0;`
		`+`
		`- + if (lu->hash == NID_sha1`
		`+ + if ((lu->hash == NID_sha1 \|\| lu->hash == NID_md5_sha1)`
		`+ && ossl_ctx_legacy_digest_signatures_allowed(s->ctx->libctx, 0)`
		`+ && SSL_get_security_level(s) < 2) {`
		`- + /* when rh-allow-sha1-signatures = yes and security level <= 1,`
		`- + * explicitly allow SHA1 for backwards compatibility */`
		`+ + /* When rh-allow-sha1-signatures = yes and security level <= 1,`
		`+ + * explicitly allow SHA1 for backwards compatibility. Also allow`
		`+ + * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */`
		`+ } else {`
		`+ /*`
		`+ * Make sure security callback allows algorithm. For historical`
		`@@ -147,22 +149,23 @@`
		`}`
		`/* Store the sigalg the peer uses */`
		`s->s3.tmp.peer_sigalg = lu;`
		`- @@ -2106,6 +2115,14 @@ static int tls12_sigalg_allowed(const SSL s, int op, const SIGALG_LOOKUP lu)`
		`+ @@ -2106,6 +2116,15 @@ static int tls12_sigalg_allowed(const SSL s, int op, const SIGALG_LOOKUP lu)`
		`}`
		`}`

		`- + if (lu->hash == NID_sha1`
		`+ + if ((lu->hash == NID_sha1 \|\| lu->hash == NID_md5_sha1)`
		`+ && ossl_ctx_legacy_digest_signatures_allowed(s->ctx->libctx, 0)`
		`+ && SSL_get_security_level(s) < 2) {`
		`- + /* when rh-allow-sha1-signatures = yes and security level <= 1,`
		`- + * explicitly allow SHA1 for backwards compatibility */`
		`+ + /* When rh-allow-sha1-signatures = yes and security level <= 1,`
		`+ + * explicitly allow SHA1 for backwards compatibility. Also allow`
		`+ + * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */`
		`+ return 1;`
		`+ }`
		`+`
		`/* Finally see if security callback allows it */`
		`secbits = sigalg_security_bits(s->ctx, lu);`
		`sigalgstr[0] = (lu->sigalg >> 8) & 0xff;`
		`- @@ -2977,6 +2994,8 @@ static int ssl_security_cert_sig(SSL s, SSL_CTX ctx, X509 *x, int op)`
		`+ @@ -2977,6 +2996,8 @@ static int ssl_security_cert_sig(SSL s, SSL_CTX ctx, X509 *x, int op)`
		`{`
		`/* Lookup signature algorithm digest */`
		`int secbits, nid, pknid;`
		`@@ -171,7 +174,7 @@`
		`/* Don't check signature if self signed */`
		`if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)`
		`return 1;`
		`- @@ -2985,6 +3004,25 @@ static int ssl_security_cert_sig(SSL s, SSL_CTX ctx, X509 *x, int op)`
		`+ @@ -2985,6 +3006,26 @@ static int ssl_security_cert_sig(SSL s, SSL_CTX ctx, X509 *x, int op)`
		`/* If digest NID not defined use signature NID */`
		`if (nid == NID_undef)`
		`nid = pknid;`
		`@@ -185,13 +188,14 @@`
		`+ else`
		`+ libctx = OSSL_LIB_CTX_get0_global_default();`
		`+`
		`- + if (nid == NID_sha1`
		`+ + if ((nid == NID_sha1 \|\| nid == NID_md5_sha1)`
		`+ && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0)`
		`+ && ((s != NULL && SSL_get_security_level(s) < 2)`
		`+ \|\| (ctx != NULL && SSL_CTX_get_security_level(ctx) < 2)`
		`+ ))`
		`+ /* When rh-allow-sha1-signatures = yes and security level <= 1,`
		`- + * explicitly allow SHA1 for backwards compatibility. */`
		`+ + * explicitly allow SHA1 for backwards compatibility. Also allow`
		`+ + * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */`
		`+ return 1;`
		`+`
		`if (s)`

0053-Add-SHA1-probes.patch

file modified

+50 -47

		`@@ -1,4 +1,4 @@`
		`- From a1905af412163cf971107f51a33dff8b416ab690 Mon Sep 17 00:00:00 2001`
		`+ From 428369896db1656af748a67bb36fba039e7b39ad Mon Sep 17 00:00:00 2001`
		`From: Clemens Lang <cllang@redhat.com>`
		`Date: Mon, 25 Apr 2022 15:21:46 +0200`
		`Subject: [PATCH] Instrument SHA-1 signatures with USDT probes`
		`@@ -11,13 +11,13 @@`
		`in production so that they can be transitioned to more modern hash`
		`algorithms.`
		`---`
		`- crypto/evp/m_sigver.c \| 13 +++++++++----`
		`- crypto/evp/pmeth_lib.c \| 13 +++++++++----`
		`- crypto/x509/x509_vfy.c \| 6 +++++-`
		`- providers/common/securitycheck.c \| 22 +++++++++++++++-------`
		`- providers/common/securitycheck_default.c \| 13 +++++++++++--`
		`- ssl/t1_lib.c \| 8 +++++++-`
		`- 6 files changed, 56 insertions(+), 19 deletions(-)`
		`+ crypto/evp/m_sigver.c \| 13 +++++++++----`
		`+ crypto/evp/pmeth_lib.c \| 13 +++++++++----`
		`+ crypto/x509/x509_vfy.c \| 6 +++++-`
		`+ providers/common/securitycheck.c \| 22 +++++++++++++++-------`
		`+ providers/common/securitycheck_default.c \| 13 +++++++++++--`
		`+ ssl/t1_lib.c \| 8 +++++++-`
		`+ 6 files changed, 56 insertions(+), 19 deletions(-)`

		`diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c`
		`index 8da2183ce0..c17cdfa5d5 100644`
		`@@ -26,7 +26,7 @@`
		`@@ -16,6 +16,8 @@`
		`#include "internal/numbers.h" /* includes SIZE_MAX */`
		`#include "evp_local.h"`
		`-`
		`+`
		`+#include <sys/sdt.h>`
		`+`
		`typedef struct ossl_legacy_digest_signatures_st {`
		`@@ -49,21 +49,21 @@`
		`+ }`
		`}`
		`}`
		`-`
		`+`
		`diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c`
		`- index 3c5a1e6f5d..589a352974 100644`
		`+ index b96f148c0d..54fcf24945 100644`
		`--- a/crypto/evp/pmeth_lib.c`
		`+++ b/crypto/evp/pmeth_lib.c`
		`- @@ -36,6 +36,8 @@`
		`+ @@ -37,6 +37,8 @@`
		`#include "internal/sslconf.h"`
		`#include "evp_local.h"`
		`-`
		`+`
		`+#include <sys/sdt.h>`
		`+`
		`#ifndef FIPS_MODULE`
		`-`
		`+`
		`static int evp_pkey_ctx_store_cached_data(EVP_PKEY_CTX *ctx,`
		`- @@ -954,10 +956,13 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_CTX ctx, const EVP_MD md,`
		`+ @@ -956,10 +958,13 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_CTX ctx, const EVP_MD md,`
		`&& !EVP_PKEY_is_a(ctx->pkey, SN_tls1_prf)`
		`&& !EVP_PKEY_is_a(ctx->pkey, SN_hkdf)) {`
		`int mdnid = EVP_MD_nid(md);`
		`@@ -80,32 +80,33 @@`
		`+ }`
		`}`
		`}`
		`-`
		`+`
		`diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c`
		`- index 60aa26f552..d054acd5a7 100644`
		`+ index bf0c608839..78638ce80e 100644`
		`--- a/crypto/x509/x509_vfy.c`
		`+++ b/crypto/x509/x509_vfy.c`
		`@@ -29,6 +29,8 @@`
		`#include "crypto/x509.h"`
		`#include "x509_local.h"`
		`-`
		`+`
		`+#include <sys/sdt.h>`
		`+`
		`/* CRL score values */`
		`-`
		`+`
		`#define CRL_SCORE_NOCRITICAL 0x100 /* No unhandled critical extensions */`
		`- @@ -3462,10 +3464,12 @@ static int check_sig_level(X509_STORE_CTX ctx, X509 cert)`
		`-`
		`- if (nid == NID_sha1`
		`+ @@ -3462,11 +3464,13 @@ static int check_sig_level(X509_STORE_CTX ctx, X509 cert)`
		`+`
		`+ if ((nid == NID_sha1 \|\| nid == NID_md5_sha1)`
		`&& ossl_ctx_legacy_digest_signatures_allowed(libctx, 0)`
		`- && ctx->param->auth_level < 2)`
		`+ && ctx->param->auth_level < 2) {`
		`+ DTRACE_PROBE1(libcrypto, fedora_check_sig_level_1, nid);`
		`/* When rh-allow-sha1-signatures = yes and security level <= 1,`
		`- * explicitly allow SHA1 for backwards compatibility. */`
		`+ * explicitly allow SHA1 for backwards compatibility. Also allow`
		`+ * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */`
		`return 1;`
		`+ }`
		`-`
		`+`
		`return secbits >= minbits_table[level - 1];`
		`}`
		`diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c`
		`@@ -115,7 +116,7 @@`
		`@@ -21,6 +21,8 @@`
		`#include "prov/securitycheck.h"`
		`#include "internal/sslconf.h"`
		`-`
		`+`
		`+#include <sys/sdt.h>`
		`+`
		`/*`
		`@@ -123,7 +124,7 @@`
		`* signing), and for legacy purposes 80 bits (for decryption or verifying).`
		`@@ -238,11 +240,14 @@ int ossl_digest_get_approved_nid_with_sha1(OSSL_LIB_CTX ctx, const EVP_MD md,`
		`# endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */`
		`-`
		`+`
		`#ifndef FIPS_MODULE`
		`- if (!ossl_ctx_legacy_digest_signatures_allowed(ctx, 0))`
		`- /* SHA1 is globally disabled, check whether we want to locally allow`
		`@@ -138,7 +139,7 @@`
		`+ DTRACE_PROBE1(libcrypto, fedora_ossl_digest_get_approved_nid_with_sha1_1, mdnid);`
		`+ }`
		`#endif`
		`-`
		`+`
		`return mdnid;`
		`@@ -258,9 +263,12 @@ int ossl_digest_is_allowed(OSSL_LIB_CTX ctx, const EVP_MD md)`
		`#ifndef FIPS_MODULE`
		`@@ -155,22 +156,22 @@`
		`+ }`
		`}`
		`#endif`
		`-`
		`+`
		`diff --git a/providers/common/securitycheck_default.c b/providers/common/securitycheck_default.c`
		`- index ce54a94fbc..ecb3a9d4b6 100644`
		`+ index ce54a94fbc..2d21e4a7df 100644`
		`--- a/providers/common/securitycheck_default.c`
		`+++ b/providers/common/securitycheck_default.c`
		`@@ -17,6 +17,8 @@`
		`#include "internal/nelem.h"`
		`#include "internal/sslconf.h"`
		`-`
		`+`
		`+#include <sys/sdt.h>`
		`+`
		`/* Disable the security checks in the default provider */`
		`int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx)`
		`{`
		`@@ -40,9 +42,16 @@ int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX ctx, const EVP_MD md,`
		`-`
		`+`
		`ldsigs_allowed = ossl_ctx_legacy_digest_signatures_allowed(ctx, 0);`
		`mdnid = ossl_digest_get_approved_nid_with_sha1(ctx, md, sha1_allowed \|\| ldsigs_allowed);`
		`+ if (mdnid == NID_sha1)`
		`@@ -189,47 +190,49 @@`
		`return mdnid;`
		`}`
		`diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c`
		`- index e47ddf56f1..a4b9ff749e 100644`
		`+ index 0b50266b69..d05e696a28 100644`
		`--- a/ssl/t1_lib.c`
		`+++ b/ssl/t1_lib.c`
		`@@ -28,6 +28,8 @@`
		`#include "ssl_local.h"`
		`#include <openssl/ct.h>`
		`-`
		`+`
		`+#include <sys/sdt.h>`
		`+`
		`static const SIGALG_LOOKUP find_sig_alg(SSL s, X509 x, EVP_PKEY pkey);`
		`static int tls12_sigalg_allowed(const SSL s, int op, const SIGALG_LOOKUP lu);`
		`-`
		`- @@ -1568,6 +1570,7 @@ int tls12_check_peer_sigalg(SSL s, uint16_t sig, EVP_PKEY pkey)`
		`- && SSL_get_security_level(s) < 2) {`
		`- /* when rh-allow-sha1-signatures = yes and security level <= 1,`
		`- * explicitly allow SHA1 for backwards compatibility */`
		`+`
		`+ @@ -1569,6 +1571,7 @@ int tls12_check_peer_sigalg(SSL s, uint16_t sig, EVP_PKEY pkey)`
		`+ /* When rh-allow-sha1-signatures = yes and security level <= 1,`
		`+ * explicitly allow SHA1 for backwards compatibility. Also allow`
		`+ * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */`
		`+ DTRACE_PROBE1(libssl, fedora_tls12_check_peer_sigalg_1, lu->hash);`
		`} else {`
		`/*`
		`* Make sure security callback allows algorithm. For historical`
		`- @@ -2120,6 +2123,7 @@ static int tls12_sigalg_allowed(const SSL s, int op, const SIGALG_LOOKUP lu)`
		`- && SSL_get_security_level(s) < 2) {`
		`- /* when rh-allow-sha1-signatures = yes and security level <= 1,`
		`- * explicitly allow SHA1 for backwards compatibility */`
		`+ @@ -2122,6 +2125,7 @@ static int tls12_sigalg_allowed(const SSL s, int op, const SIGALG_LOOKUP lu)`
		`+ /* When rh-allow-sha1-signatures = yes and security level <= 1,`
		`+ * explicitly allow SHA1 for backwards compatibility. Also allow`
		`+ * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */`
		`+ DTRACE_PROBE1(libssl, fedora_tls12_sigalg_allowed_1, lu->hash);`
		`return 1;`
		`}`
		`-`
		`- @@ -3018,10 +3022,12 @@ static int ssl_security_cert_sig(SSL s, SSL_CTX ctx, X509 *x, int op)`
		`+`
		`+ @@ -3020,11 +3024,13 @@ static int ssl_security_cert_sig(SSL s, SSL_CTX ctx, X509 *x, int op)`
		`&& ossl_ctx_legacy_digest_signatures_allowed(libctx, 0)`
		`&& ((s != NULL && SSL_get_security_level(s) < 2)`
		`\|\| (ctx != NULL && SSL_CTX_get_security_level(ctx) < 2)`
		`- ))`
		`+ )) {`
		`/* When rh-allow-sha1-signatures = yes and security level <= 1,`
		`- * explicitly allow SHA1 for backwards compatibility. */`
		`+ * explicitly allow SHA1 for backwards compatibility. Also allow`
		`+ * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */`
		`+ DTRACE_PROBE1(libssl, fedora_ssl_security_cert_sig_1, nid);`
		`return 1;`
		`+ }`
		`-`
		`+`
		`if (s)`
		`return ssl_security(s, op, secbits, nid, x);`
		`- --`
		`+ --`
		`2.35.1`
		`+`

openssl.spec

file modified

		`@@ -410,6 +410,11 @@`
		`%ldconfig_scriptlets libs`

		`%changelog`
		`+ * Wed Apr 27 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.2-4`
		`+ - Support rsa_pkcs1_md5_sha1 in TLS 1.0/1.1 with rh-allow-sha1-signatures = yes`
		`+ to restore TLS 1.0 and 1.1 support in LEGACY crypto-policy.`
		`+ Related: rhbz#2069239`
		`+`
		`* Tue Apr 26 2022 Alexander Sosedkin <asosedkin@redhat.com> - 1:3.0.2-4`
		`- Instrument with USDT probes related to SHA-1 deprecation`

clang commented 2 years ago

Fedora supports TLS down to 1.0 in LEGACY crypto-policy, but TLS 1.0
defaults to rsa_pkcs1_md5_sha1 with RSA certificates by default.
However, MD5-SHA1 would require SECLEVEL=0, because its 67 bits of
security do not meet SECLEVEL=1's requirement of 80 bits.

Instead of setting SECLEVEL to 0 in the LEGACY crypto-policy (which
would include all algorithms, regardless of their security level), allow
MD5-SHA1 if rh-allow-sha1-signatures is yes and SECLEVEL is 1.

Related: rhbz#2069239