#28 Allow MD5-SHA1 in LEGACY c-p to fix TLS 1.0
Merged 10 months ago by clang. Opened 10 months ago by clang.

@@ -1,4 +1,4 @@ 

- From f695f140255f9b564cac4d5e9e38ba27ec927256 Mon Sep 17 00:00:00 2001

+ From f470b130139919f32926b3f5a75ba4d161cbcf88 Mon Sep 17 00:00:00 2001

  From: Clemens Lang <cllang@redhat.com>

  Date: Tue, 1 Mar 2022 15:44:18 +0100

  Subject: [PATCH 2/2] Allow SHA1 in seclevel 1 if rh-allow-sha1-signatures =
@@ -26,14 +26,14 @@ 

  Related: rhbz#2055796

  Related: rhbz#2070977

  ---

-  crypto/x509/x509_vfy.c        | 19 ++++++++++-

+  crypto/x509/x509_vfy.c        | 20 ++++++++++-

   doc/man5/config.pod           |  7 ++++

-  ssl/t1_lib.c                  | 64 ++++++++++++++++++++++++++++-------

+  ssl/t1_lib.c                  | 67 ++++++++++++++++++++++++++++-------

   test/recipes/25-test_verify.t |  4 +--

-  4 files changed, 78 insertions(+), 16 deletions(-)

+  4 files changed, 82 insertions(+), 16 deletions(-)

  

  diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c

- index 2f175ca517..60aa26f552 100644

+ index 2f175ca517..bf0c608839 100644

  --- a/crypto/x509/x509_vfy.c

  +++ b/crypto/x509/x509_vfy.c

  @@ -25,6 +25,7 @@
@@ -44,7 +44,7 @@ 

   #include "crypto/x509.h"

   #include "x509_local.h"

   

- @@ -3441,14 +3442,30 @@ static int check_sig_level(X509_STORE_CTX *ctx, X509 *cert)

+ @@ -3441,14 +3442,31 @@ static int check_sig_level(X509_STORE_CTX *ctx, X509 *cert)

   {

       int secbits = -1;

       int level = ctx->param->auth_level;
@@ -67,17 +67,18 @@ 

  +    if (!X509_get_signature_info(cert, &nid, NULL, &secbits, NULL))

           return 0;

   

- +    if (nid == NID_sha1

+ +    if ((nid == NID_sha1 || nid == NID_md5_sha1)

  +            && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0)

  +            && ctx->param->auth_level < 2)

  +        /* When rh-allow-sha1-signatures = yes and security level <= 1,

- +         * explicitly allow SHA1 for backwards compatibility. */

+ +         * explicitly allow SHA1 for backwards compatibility. Also allow

+ +         * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */

  +        return 1;

  +

       return secbits >= minbits_table[level - 1];

   }

  diff --git a/doc/man5/config.pod b/doc/man5/config.pod

- index 0c9110d28a..02e7ca706f 100644

+ index 0c9110d28a..e0516d20b8 100644

  --- a/doc/man5/config.pod

  +++ b/doc/man5/config.pod

  @@ -309,6 +309,13 @@ this option is set to B<no>.  Because TLS 1.1 or lower use MD5-SHA1 as
@@ -86,16 +87,16 @@ 

   

  +Note that enabling B<rh-allow-sha1-signatures> will allow TLS signature

  +algorithms that use SHA1 in security level 1, despite the definition of

- +security level 1 of 80 bits of security, which SHA1 does not meet.  This

- +allows using SHA1 in TLS in the LEGACY crypto-policy on Fedora without

- +requiring to set the security level to 0, which would include further insecure

- +algorithms.

+ +security level 1 of 80 bits of security, which SHA1 and MD5-SHA1 do not meet.

+ +This allows using SHA1 and MD5-SHA1 in TLS in the LEGACY crypto-policy on

+ +Fedora without requiring to set the security level to 0, which would include

+ +further insecure algorithms, and thus restores support for TLS 1.0 and 1.1.

  +

   =item B<fips_mode> (deprecated)

   

   The value is a boolean that can be B<yes> or B<no>.  If the value is

  diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c

- index dcd487ec2e..e47ddf56f1 100644

+ index dcd487ec2e..0b50266b69 100644

  --- a/ssl/t1_lib.c

  +++ b/ssl/t1_lib.c

  @@ -20,6 +20,7 @@
@@ -106,7 +107,7 @@ 

   #include "internal/sslconf.h"

   #include "internal/nelem.h"

   #include "internal/sizes.h"

- @@ -1561,19 +1562,27 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey)

+ @@ -1561,19 +1562,28 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey)

           SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_UNKNOWN_DIGEST);

           return 0;

       }
@@ -124,11 +125,12 @@ 

  -        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE);

  -        return 0;

  +

- +    if (lu->hash == NID_sha1

+ +    if ((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1)

  +            && ossl_ctx_legacy_digest_signatures_allowed(s->ctx->libctx, 0)

  +            && SSL_get_security_level(s) < 2) {

- +        /* when rh-allow-sha1-signatures = yes and security level <= 1,

- +         * explicitly allow SHA1 for backwards compatibility */

+ +        /* When rh-allow-sha1-signatures = yes and security level <= 1,

+ +         * explicitly allow SHA1 for backwards compatibility. Also allow

+ +         * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */

  +    } else {

  +        /*

  +         * Make sure security callback allows algorithm. For historical
@@ -147,22 +149,23 @@ 

       }

       /* Store the sigalg the peer uses */

       s->s3.tmp.peer_sigalg = lu;

- @@ -2106,6 +2115,14 @@ static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu)

+ @@ -2106,6 +2116,15 @@ static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu)

           }

       }

   

- +    if (lu->hash == NID_sha1

+ +    if ((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1)

  +            && ossl_ctx_legacy_digest_signatures_allowed(s->ctx->libctx, 0)

  +            && SSL_get_security_level(s) < 2) {

- +        /* when rh-allow-sha1-signatures = yes and security level <= 1,

- +         * explicitly allow SHA1 for backwards compatibility */

+ +        /* When rh-allow-sha1-signatures = yes and security level <= 1,

+ +         * explicitly allow SHA1 for backwards compatibility. Also allow

+ +         * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */

  +        return 1;

  +    }

  +

       /* Finally see if security callback allows it */

       secbits = sigalg_security_bits(s->ctx, lu);

       sigalgstr[0] = (lu->sigalg >> 8) & 0xff;

- @@ -2977,6 +2994,8 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)

+ @@ -2977,6 +2996,8 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)

   {

       /* Lookup signature algorithm digest */

       int secbits, nid, pknid;
@@ -171,7 +174,7 @@ 

       /* Don't check signature if self signed */

       if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)

           return 1;

- @@ -2985,6 +3004,25 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)

+ @@ -2985,6 +3006,26 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)

       /* If digest NID not defined use signature NID */

       if (nid == NID_undef)

           nid = pknid;
@@ -185,13 +188,14 @@ 

  +    else

  +        libctx = OSSL_LIB_CTX_get0_global_default();

  +

- +    if (nid == NID_sha1

+ +    if ((nid == NID_sha1 || nid == NID_md5_sha1)

  +            && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0)

  +            && ((s != NULL && SSL_get_security_level(s) < 2)

  +                || (ctx != NULL && SSL_CTX_get_security_level(ctx) < 2)

  +            ))

  +        /* When rh-allow-sha1-signatures = yes and security level <= 1,

- +         * explicitly allow SHA1 for backwards compatibility. */

+ +         * explicitly allow SHA1 for backwards compatibility. Also allow

+ +         * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */

  +        return 1;

  +

       if (s)

file modified
+50 -47
@@ -1,4 +1,4 @@ 

- From a1905af412163cf971107f51a33dff8b416ab690 Mon Sep 17 00:00:00 2001

+ From 428369896db1656af748a67bb36fba039e7b39ad Mon Sep 17 00:00:00 2001

  From: Clemens Lang <cllang@redhat.com>

  Date: Mon, 25 Apr 2022 15:21:46 +0200

  Subject: [PATCH] Instrument SHA-1 signatures with USDT probes
@@ -11,13 +11,13 @@ 

  in production so that they can be transitioned to more modern hash

  algorithms.

  ---

- crypto/evp/m_sigver.c                    | 13 +++++++++----

- crypto/evp/pmeth_lib.c                   | 13 +++++++++----

- crypto/x509/x509_vfy.c                   |  6 +++++-

- providers/common/securitycheck.c         | 22 +++++++++++++++-------

- providers/common/securitycheck_default.c | 13 +++++++++++--

- ssl/t1_lib.c                             |  8 +++++++-

- 6 files changed, 56 insertions(+), 19 deletions(-)

+  crypto/evp/m_sigver.c                    | 13 +++++++++----

+  crypto/evp/pmeth_lib.c                   | 13 +++++++++----

+  crypto/x509/x509_vfy.c                   |  6 +++++-

+  providers/common/securitycheck.c         | 22 +++++++++++++++-------

+  providers/common/securitycheck_default.c | 13 +++++++++++--

+  ssl/t1_lib.c                             |  8 +++++++-

+  6 files changed, 56 insertions(+), 19 deletions(-)

  

  diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c

  index 8da2183ce0..c17cdfa5d5 100644
@@ -26,7 +26,7 @@ 

  @@ -16,6 +16,8 @@

   #include "internal/numbers.h"   /* includes SIZE_MAX */

   #include "evp_local.h"

- 

+  

  +#include <sys/sdt.h>

  +

   typedef struct ossl_legacy_digest_signatures_st {
@@ -49,21 +49,21 @@ 

  +            }

           }

       }

- 

+  

  diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c

- index 3c5a1e6f5d..589a352974 100644

+ index b96f148c0d..54fcf24945 100644

  --- a/crypto/evp/pmeth_lib.c

  +++ b/crypto/evp/pmeth_lib.c

- @@ -36,6 +36,8 @@

+ @@ -37,6 +37,8 @@

   #include "internal/sslconf.h"

   #include "evp_local.h"

- 

+  

  +#include <sys/sdt.h>

  +

   #ifndef FIPS_MODULE

- 

+  

   static int evp_pkey_ctx_store_cached_data(EVP_PKEY_CTX *ctx,

- @@ -954,10 +956,13 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_CTX *ctx, const EVP_MD *md,

+ @@ -956,10 +958,13 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_CTX *ctx, const EVP_MD *md,

               && !EVP_PKEY_is_a(ctx->pkey, SN_tls1_prf)

               && !EVP_PKEY_is_a(ctx->pkey, SN_hkdf)) {

           int mdnid = EVP_MD_nid(md);
@@ -80,32 +80,33 @@ 

  +            }

           }

       }

- 

+  

  diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c

- index 60aa26f552..d054acd5a7 100644

+ index bf0c608839..78638ce80e 100644

  --- a/crypto/x509/x509_vfy.c

  +++ b/crypto/x509/x509_vfy.c

  @@ -29,6 +29,8 @@

   #include "crypto/x509.h"

   #include "x509_local.h"

- 

+  

  +#include <sys/sdt.h>

  +

   /* CRL score values */

- 

+  

   #define CRL_SCORE_NOCRITICAL    0x100 /* No unhandled critical extensions */

- @@ -3462,10 +3464,12 @@ static int check_sig_level(X509_STORE_CTX *ctx, X509 *cert)

- 

-      if (nid == NID_sha1

+ @@ -3462,11 +3464,13 @@ static int check_sig_level(X509_STORE_CTX *ctx, X509 *cert)

+  

+      if ((nid == NID_sha1 || nid == NID_md5_sha1)

               && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0)

  -            && ctx->param->auth_level < 2)

  +            && ctx->param->auth_level < 2) {

  +        DTRACE_PROBE1(libcrypto, fedora_check_sig_level_1, nid);

           /* When rh-allow-sha1-signatures = yes and security level <= 1,

-           * explicitly allow SHA1 for backwards compatibility. */

+           * explicitly allow SHA1 for backwards compatibility. Also allow

+           * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */

           return 1;

  +    }

- 

+  

       return secbits >= minbits_table[level - 1];

   }

  diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c
@@ -115,7 +116,7 @@ 

  @@ -21,6 +21,8 @@

   #include "prov/securitycheck.h"

   #include "internal/sslconf.h"

- 

+  

  +#include <sys/sdt.h>

  +

   /*
@@ -123,7 +124,7 @@ 

    * signing), and for legacy purposes 80 bits (for decryption or verifying).

  @@ -238,11 +240,14 @@ int ossl_digest_get_approved_nid_with_sha1(OSSL_LIB_CTX *ctx, const EVP_MD *md,

   # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */

- 

+  

   #ifndef FIPS_MODULE

  -    if (!ossl_ctx_legacy_digest_signatures_allowed(ctx, 0))

  -        /* SHA1 is globally disabled, check whether we want to locally allow
@@ -138,7 +139,7 @@ 

  +            DTRACE_PROBE1(libcrypto, fedora_ossl_digest_get_approved_nid_with_sha1_1, mdnid);

  +    }

   #endif

- 

+  

       return mdnid;

  @@ -258,9 +263,12 @@ int ossl_digest_is_allowed(OSSL_LIB_CTX *ctx, const EVP_MD *md)

   #ifndef FIPS_MODULE
@@ -155,22 +156,22 @@ 

  +        }

       }

   #endif

- 

+  

  diff --git a/providers/common/securitycheck_default.c b/providers/common/securitycheck_default.c

- index ce54a94fbc..ecb3a9d4b6 100644

+ index ce54a94fbc..2d21e4a7df 100644

  --- a/providers/common/securitycheck_default.c

  +++ b/providers/common/securitycheck_default.c

  @@ -17,6 +17,8 @@

   #include "internal/nelem.h"

   #include "internal/sslconf.h"

- 

+  

  +#include <sys/sdt.h>

  +

   /* Disable the security checks in the default provider */

   int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx)

   {

  @@ -40,9 +42,16 @@ int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md,

- 

+  

       ldsigs_allowed = ossl_ctx_legacy_digest_signatures_allowed(ctx, 0);

       mdnid = ossl_digest_get_approved_nid_with_sha1(ctx, md, sha1_allowed || ldsigs_allowed);

  +    if (mdnid == NID_sha1)
@@ -189,47 +190,49 @@ 

       return mdnid;

   }

  diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c

- index e47ddf56f1..a4b9ff749e 100644

+ index 0b50266b69..d05e696a28 100644

  --- a/ssl/t1_lib.c

  +++ b/ssl/t1_lib.c

  @@ -28,6 +28,8 @@

   #include "ssl_local.h"

   #include <openssl/ct.h>

- 

+  

  +#include <sys/sdt.h>

  +

   static const SIGALG_LOOKUP *find_sig_alg(SSL *s, X509 *x, EVP_PKEY *pkey);

   static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu);

- 

- @@ -1568,6 +1570,7 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey)

-              && SSL_get_security_level(s) < 2) {

-          /* when rh-allow-sha1-signatures = yes and security level <= 1,

-           * explicitly allow SHA1 for backwards compatibility */

+  

+ @@ -1569,6 +1571,7 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey)

+          /* When rh-allow-sha1-signatures = yes and security level <= 1,

+           * explicitly allow SHA1 for backwards compatibility. Also allow

+           * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */

  +        DTRACE_PROBE1(libssl, fedora_tls12_check_peer_sigalg_1, lu->hash);

       } else {

           /*

            * Make sure security callback allows algorithm. For historical

- @@ -2120,6 +2123,7 @@ static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu)

-              && SSL_get_security_level(s) < 2) {

-          /* when rh-allow-sha1-signatures = yes and security level <= 1,

-           * explicitly allow SHA1 for backwards compatibility */

+ @@ -2122,6 +2125,7 @@ static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu)

+          /* When rh-allow-sha1-signatures = yes and security level <= 1,

+           * explicitly allow SHA1 for backwards compatibility. Also allow

+           * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */

  +        DTRACE_PROBE1(libssl, fedora_tls12_sigalg_allowed_1, lu->hash);

           return 1;

       }

- 

- @@ -3018,10 +3022,12 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)

+  

+ @@ -3020,11 +3024,13 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)

               && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0)

               && ((s != NULL && SSL_get_security_level(s) < 2)

                   || (ctx != NULL && SSL_CTX_get_security_level(ctx) < 2)

  -            ))

  +            )) {

           /* When rh-allow-sha1-signatures = yes and security level <= 1,

-           * explicitly allow SHA1 for backwards compatibility. */

+           * explicitly allow SHA1 for backwards compatibility. Also allow

+           * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */

  +        DTRACE_PROBE1(libssl, fedora_ssl_security_cert_sig_1, nid);

           return 1;

  +    }

- 

+  

       if (s)

           return ssl_security(s, op, secbits, nid, x);

- --

+ -- 

  2.35.1

+ 

file modified
+5
@@ -410,6 +410,11 @@ 

  %ldconfig_scriptlets libs

  

  %changelog

+ * Wed Apr 27 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.2-4

+ - Support rsa_pkcs1_md5_sha1 in TLS 1.0/1.1 with rh-allow-sha1-signatures = yes

+   to restore TLS 1.0 and 1.1 support in LEGACY crypto-policy.

+   Related: rhbz#2069239

+ 

  * Tue Apr 26 2022 Alexander Sosedkin <asosedkin@redhat.com> - 1:3.0.2-4

  - Instrument with USDT probes related to SHA-1 deprecation

  

Fedora supports TLS down to 1.0 in LEGACY crypto-policy, but TLS 1.0
defaults to rsa_pkcs1_md5_sha1 with RSA certificates by default.
However, MD5-SHA1 would require SECLEVEL=0, because its 67 bits of
security do not meet SECLEVEL=1's requirement of 80 bits.

Instead of setting SECLEVEL to 0 in the LEGACY crypto-policy (which
would include all algorithms, regardless of their security level), allow
MD5-SHA1 if rh-allow-sha1-signatures is yes and SECLEVEL is 1.

Related: rhbz#2069239

Build succeeded.

Pull-Request has been merged by clang

10 months ago