#29 Allow MD5-SHA1 in LEGACY c-p to fix TLS 1.0
Merged 10 months ago by clang. Opened 10 months ago by clang.
rpms/ clang/openssl f36-rhbz2069239-md5sha1-in-legacy  into  f36

@@ -1,4 +1,4 @@ 

- From f695f140255f9b564cac4d5e9e38ba27ec927256 Mon Sep 17 00:00:00 2001

+ From f470b130139919f32926b3f5a75ba4d161cbcf88 Mon Sep 17 00:00:00 2001

  From: Clemens Lang <cllang@redhat.com>

  Date: Tue, 1 Mar 2022 15:44:18 +0100

  Subject: [PATCH 2/2] Allow SHA1 in seclevel 1 if rh-allow-sha1-signatures =
@@ -26,14 +26,14 @@ 

  Related: rhbz#2055796

  Related: rhbz#2070977

  ---

-  crypto/x509/x509_vfy.c        | 19 ++++++++++-

+  crypto/x509/x509_vfy.c        | 20 ++++++++++-

   doc/man5/config.pod           |  7 ++++

-  ssl/t1_lib.c                  | 64 ++++++++++++++++++++++++++++-------

+  ssl/t1_lib.c                  | 67 ++++++++++++++++++++++++++++-------

   test/recipes/25-test_verify.t |  4 +--

-  4 files changed, 78 insertions(+), 16 deletions(-)

+  4 files changed, 82 insertions(+), 16 deletions(-)

  

  diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c

- index 2f175ca517..60aa26f552 100644

+ index 2f175ca517..bf0c608839 100644

  --- a/crypto/x509/x509_vfy.c

  +++ b/crypto/x509/x509_vfy.c

  @@ -25,6 +25,7 @@
@@ -44,7 +44,7 @@ 

   #include "crypto/x509.h"

   #include "x509_local.h"

   

- @@ -3441,14 +3442,30 @@ static int check_sig_level(X509_STORE_CTX *ctx, X509 *cert)

+ @@ -3441,14 +3442,31 @@ static int check_sig_level(X509_STORE_CTX *ctx, X509 *cert)

   {

       int secbits = -1;

       int level = ctx->param->auth_level;
@@ -67,17 +67,18 @@ 

  +    if (!X509_get_signature_info(cert, &nid, NULL, &secbits, NULL))

           return 0;

   

- +    if (nid == NID_sha1

+ +    if ((nid == NID_sha1 || nid == NID_md5_sha1)

  +            && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0)

  +            && ctx->param->auth_level < 2)

  +        /* When rh-allow-sha1-signatures = yes and security level <= 1,

- +         * explicitly allow SHA1 for backwards compatibility. */

+ +         * explicitly allow SHA1 for backwards compatibility. Also allow

+ +         * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */

  +        return 1;

  +

       return secbits >= minbits_table[level - 1];

   }

  diff --git a/doc/man5/config.pod b/doc/man5/config.pod

- index 0c9110d28a..02e7ca706f 100644

+ index 0c9110d28a..e0516d20b8 100644

  --- a/doc/man5/config.pod

  +++ b/doc/man5/config.pod

  @@ -309,6 +309,13 @@ this option is set to B<no>.  Because TLS 1.1 or lower use MD5-SHA1 as
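Review bot: The new `nid == NID_md5_sha1` arm in check_sig_level looks unreachable on the X.509 path: `X509_get_signature_info` reports the digest of the certificate's signature algorithm, and as far as I know no certificate signature OID yields the MD5-SHA1 concatenated digest that TLS 1.0/1.1 RSA signatures use, so this line widens the exception only on paper, and the same applies to the ssl_security_cert_sig copy in the last hunk of this file. If the arm is kept for parity with the sigalg checks, say so where it is, e.g. `/* NID_md5_sha1 is kept for parity with the TLS sigalg checks; no X.509 signature algorithm is expected to yield it. */`, so a later reader does not conclude that MD5-SHA1-signed certificates are accepted. Separately, the multi-line `if` ends in an unbraced `return 1;` with a comment wedged between condition and statement; bracing the body in both copies would be safer. check_sig_level begins outside this hunk.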
@@ -86,16 +87,16 @@ 

   

  +Note that enabling B<rh-allow-sha1-signatures> will allow TLS signature

  +algorithms that use SHA1 in security level 1, despite the definition of

- +security level 1 of FIXME bits of security, which SHA1 does not meet.  This

- +allows using SHA1 in TLS in the LEGACY crypto-policy on Fedora without

- +requiring to set the security level to 0, which would include further insecure

- +algorithms.

+ +security level 1 of 80 bits of security, which SHA1 and MD5-SHA1 do not meet.

+ +This allows using SHA1 and MD5-SHA1 in TLS in the LEGACY crypto-policy on

+ +Fedora without requiring to set the security level to 0, which would include

+ +further insecure algorithms, and thus restores support for TLS 1.0 and 1.1.

  +

   =item B<fips_mode> (deprecated)

   

   The value is a boolean that can be B<yes> or B<no>.  If the value is

  diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c

- index dcd487ec2e..e47ddf56f1 100644

+ index dcd487ec2e..0b50266b69 100644

  --- a/ssl/t1_lib.c

  +++ b/ssl/t1_lib.c

  @@ -20,6 +20,7 @@
@@ -106,7 +107,7 @@ 

   #include "internal/sslconf.h"

   #include "internal/nelem.h"

   #include "internal/sizes.h"

- @@ -1561,19 +1562,27 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey)

+ @@ -1561,19 +1562,28 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey)

           SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_UNKNOWN_DIGEST);

           return 0;

       }
@@ -124,11 +125,12 @@ 

  -        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE);

  -        return 0;

  +

- +    if (lu->hash == NID_sha1

+ +    if ((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1)

  +            && ossl_ctx_legacy_digest_signatures_allowed(s->ctx->libctx, 0)

  +            && SSL_get_security_level(s) < 2) {

- +        /* when rh-allow-sha1-signatures = yes and security level <= 1,

- +         * explicitly allow SHA1 for backwards compatibility */

+ +        /* When rh-allow-sha1-signatures = yes and security level <= 1,

+ +         * explicitly allow SHA1 for backwards compatibility. Also allow

+ +         * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */

  +    } else {

  +        /*

  +         * Make sure security callback allows algorithm. For historical
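Review bot: The allow branch at the new `if ((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1)` is an empty block holding only a comment, with the real security-callback check relegated to the `else`; inverting the condition so the exception guards the existing check reads more naturally, e.g. `if (!((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1) && ossl_ctx_legacy_digest_signatures_allowed(s->ctx->libctx, 0) && SSL_get_security_level(s) < 2)) {` with the comment moved above it and the callback check kept as the body. Whether a TLS 1.0/1.1 handshake reaches tls12_check_peer_sigalg at all, or only tls12_sigalg_allowed, is not visible here; the diffstat lists only a 25-test_verify.t change, so it is worth confirming the MD5-SHA1 arm is exercised by a TLS 1.0 handshake test rather than by inspection alone. tls12_check_peer_sigalg begins and ends outside this hunk.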
@@ -147,22 +149,23 @@ 

       }

       /* Store the sigalg the peer uses */

       s->s3.tmp.peer_sigalg = lu;

- @@ -2106,6 +2115,14 @@ static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu)

+ @@ -2106,6 +2116,15 @@ static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu)

           }

       }

   

- +    if (lu->hash == NID_sha1

+ +    if ((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1)

  +            && ossl_ctx_legacy_digest_signatures_allowed(s->ctx->libctx, 0)

  +            && SSL_get_security_level(s) < 2) {

- +        /* when rh-allow-sha1-signatures = yes and security level <= 1,

- +         * explicitly allow SHA1 for backwards compatibility */

+ +        /* When rh-allow-sha1-signatures = yes and security level <= 1,

+ +         * explicitly allow SHA1 for backwards compatibility. Also allow

+ +         * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */

  +        return 1;

  +    }

  +

       /* Finally see if security callback allows it */

       secbits = sigalg_security_bits(s->ctx, lu);

       sigalgstr[0] = (lu->sigalg >> 8) & 0xff;

- @@ -2977,6 +2994,8 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)

+ @@ -2977,6 +2996,8 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)

   {

       /* Lookup signature algorithm digest */

       int secbits, nid, pknid;
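Review bot: The predicate `(hash == NID_sha1 || hash == NID_md5_sha1) && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0) && level < 2` now appears three times in t1_lib.c (here, in tls12_check_peer_sigalg above and in ssl_security_cert_sig below) plus once in x509_vfy.c, each with the same three-line comment, so the next NID added to the exception has to be added in four places. A small static helper taking the libctx, the security level and the hash NID would keep the three copies in this file from drifting and reduce each call site to one condition. The helper and this call site follow; tls12_sigalg_allowed begins outside this hunk.
```c
/*
 * rh-allow-sha1-signatures = yes: at security level <= 1, SHA1 and
 * MD5-SHA1 (used by TLS 1.0/1.1 signatures) are explicitly allowed for
 * backwards compatibility.
 */
static int tls_legacy_digest_allowed(OSSL_LIB_CTX *libctx, int seclevel,
                                     int hash_nid)
{
    if (hash_nid != NID_sha1 && hash_nid != NID_md5_sha1)
        return 0;
    return ossl_ctx_legacy_digest_signatures_allowed(libctx, 0)
           && seclevel < 2;
}

/* … unchanged: tls12_sigalg_allowed up to the sigalg-list loop … */
    if (tls_legacy_digest_allowed(s->ctx->libctx, SSL_get_security_level(s),
                                  lu->hash))
        return 1;

    /* Finally see if security callback allows it */
```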
@@ -171,7 +174,7 @@ 

       /* Don't check signature if self signed */

       if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)

           return 1;

- @@ -2985,6 +3004,25 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)

+ @@ -2985,6 +3006,26 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)

       /* If digest NID not defined use signature NID */

       if (nid == NID_undef)

           nid = pknid;
@@ -185,13 +188,14 @@ 

  +    else

  +        libctx = OSSL_LIB_CTX_get0_global_default();

  +

- +    if (nid == NID_sha1

+ +    if ((nid == NID_sha1 || nid == NID_md5_sha1)

  +            && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0)

  +            && ((s != NULL && SSL_get_security_level(s) < 2)

  +                || (ctx != NULL && SSL_CTX_get_security_level(ctx) < 2)

  +            ))

  +        /* When rh-allow-sha1-signatures = yes and security level <= 1,

- +         * explicitly allow SHA1 for backwards compatibility. */

+ +         * explicitly allow SHA1 for backwards compatibility. Also allow

+ +         * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */

  +        return 1;

  +

       if (s)

@@ -0,0 +1,104 @@ 

+ From 68f23e3725d9639f5b27d868fee291cabb516677 Mon Sep 17 00:00:00 2001

+ From: Dmitry Belyavskiy <beldmit@gmail.com>

+ Date: Fri, 22 Apr 2022 18:16:56 +0200

+ Subject: [PATCH 1/2] Ensure we initialized the locale before

+  evp_pkey_name2type

+ 

+ Fixes #18158

+ ---

+  crypto/evp/pmeth_lib.c | 2 ++

+  1 file changed, 2 insertions(+)

+ 

+ diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c

+ index 2b9c6c2351da..92d25de44532 100644

+ --- a/crypto/evp/pmeth_lib.c

+ +++ b/crypto/evp/pmeth_lib.c

+ @@ -27,6 +27,7 @@

+  #ifndef FIPS_MODULE

+  # include "crypto/asn1.h"

+  #endif

+ +#include "crypto/ctype.h"

+  #include "crypto/evp.h"

+  #include "crypto/dh.h"

+  #include "crypto/ec.h"

+ @@ -199,6 +200,7 @@ static EVP_PKEY_CTX *int_ctx_new(OSSL_LIB_CTX *libctx,

+              }

+  #ifndef FIPS_MODULE

+              if (keytype != NULL) {

+ +                ossl_init_casecmp();

+                  id = evp_pkey_name2type(keytype);

+                  if (id == NID_undef)

+                      id = -1;

+ 

+ From 51c7b2d9c30b72aeb7e8eb69799dc039d5b23e58 Mon Sep 17 00:00:00 2001

+ From: Dmitry Belyavskiy <beldmit@gmail.com>

+ Date: Fri, 22 Apr 2022 19:26:08 +0200

+ Subject: [PATCH 2/2] Testing the EVP_PKEY_CTX_new_from_name without

+  preliminary init

+ 

+ ---

+  test/build.info                   |  6 +++++-

+  test/evp_pkey_ctx_new_from_name.c | 14 ++++++++++++++

+  test/recipes/02-test_localetest.t |  4 +++-

+  3 files changed, 22 insertions(+), 2 deletions(-)

+  create mode 100644 test/evp_pkey_ctx_new_from_name.c

+ 

+ diff --git a/test/build.info b/test/build.info

+ index 14a84f00a258..ee059973d31a 100644

+ --- a/test/build.info

+ +++ b/test/build.info

+ @@ -37,7 +37,7 @@ IF[{- !$disabled{tests} -}]

+            sanitytest rsa_complex exdatatest bntest \

+            ecstresstest gmdifftest pbelutest \

+            destest mdc2test sha_test \

+ -          exptest pbetest localetest \

+ +          exptest pbetest localetest evp_pkey_ctx_new_from_name\

+            evp_pkey_provided_test evp_test evp_extra_test evp_extra_test2 \

+            evp_fetch_prov_test evp_libctx_test ossl_store_test \

+            v3nametest v3ext \

+ @@ -139,6 +139,10 @@ IF[{- !$disabled{tests} -}]

+    INCLUDE[localetest]=../include ../apps/include

+    DEPEND[localetest]=../libcrypto libtestutil.a

+  

+ +  SOURCE[evp_pkey_ctx_new_from_name]=evp_pkey_ctx_new_from_name.c

+ +  INCLUDE[evp_pkey_ctx_new_from_name]=../include ../apps/include

+ +  DEPEND[evp_pkey_ctx_new_from_name]=../libcrypto

+ +

+    SOURCE[pbetest]=pbetest.c

+    INCLUDE[pbetest]=../include ../apps/include

+    DEPEND[pbetest]=../libcrypto libtestutil.a

+ diff --git a/test/evp_pkey_ctx_new_from_name.c b/test/evp_pkey_ctx_new_from_name.c

+ new file mode 100644

+ index 000000000000..24063ea05ea5

+ --- /dev/null

+ +++ b/test/evp_pkey_ctx_new_from_name.c

+ @@ -0,0 +1,14 @@

+ +#include <stdio.h>

+ +#include <openssl/ec.h>

+ +#include <openssl/evp.h>

+ +#include <openssl/err.h>

+ +

+ +int main(int argc, char *argv[])

+ +{

+ +    EVP_PKEY_CTX *pctx = NULL;

+ +

+ +    pctx = EVP_PKEY_CTX_new_from_name(NULL, "NO_SUCH_ALGORITHM", NULL);

+ +    EVP_PKEY_CTX_free(pctx);

+ +

+ +    return 0;

+ +}

+ diff --git a/test/recipes/02-test_localetest.t b/test/recipes/02-test_localetest.t

+ index 1bccd57d4c63..77fba7d819ab 100644

+ --- a/test/recipes/02-test_localetest.t

+ +++ b/test/recipes/02-test_localetest.t

+ @@ -15,7 +15,9 @@ setup("locale tests");

+  plan skip_all => "Locale tests not available on Windows or VMS"

+      if $^O =~ /^(VMS|MSWin32)$/;

+  

+ -plan tests => 2;

+ +plan tests => 3;

+ +

+ +ok(run(test(["evp_pkey_ctx_new_from_name"])), "running evp_pkey_ctx_new_from_name without explicit context init");

+  

+  $ENV{LANG} = "C";

+  ok(run(test(["localetest"])), "running localetest");

file modified
+9 -1
@@ -15,7 +15,7 @@ 

  Summary: Utilities from the general purpose cryptography library with TLS implementation

  Name: openssl

  Version: 3.0.2

- Release: 3%{?dist}

+ Release: 4%{?dist}

  Epoch: 1

  # We have to remove certain patented algorithms from the openssl source

  # tarball with the hobble-openssl script which is included below.
@@ -65,6 +65,8 @@ 

  Patch52: 0052-Allow-SHA1-in-seclevel-1-if-rh-allow-sha1-signatures.patch

  # https://github.com/openssl/openssl/pull/18103

  Patch56: 0056-strcasecmp.patch

+ # https://github.com/openssl/openssl/pull/18175

+ Patch57: 0057-strcasecmp-fix.patch

  

  License: ASL 2.0

  URL: http://www.openssl.org/
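Review bot: `Patch57: 0057-strcasecmp-fix.patch` is declared here, but whether it is applied depends on the %prep section, which is outside this hunk; if the spec applies patches with explicit `%patch` lines rather than `%autosetup`/`%autopatch`, a matching line such as `%patch57 -p1 -b .strcasecmp-fix` (constructed; adjust to the file's convention) is needed, and rpmbuild typically does not flag an unused Patch tag, so the "Build succeeded" status would not catch it. The `# https://github.com/openssl/openssl/pull/18175` comment follows the Patch56 convention, which keeps provenance easy to audit.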
@@ -391,6 +393,12 @@ 

  %ldconfig_scriptlets libs

  

  %changelog

+ * Wed Apr 27 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.2-4

+ - Fix regression in evp_pkey_name2type caused by tr_TR locale fix

+ - Support rsa_pkcs1_md5_sha1 in TLS 1.0/1.1 with rh-allow-sha1-signatures = yes

+   to restore TLS 1.0 and 1.1 support in LEGACY crypto-policy.

+   Resolves: rhbz#2069239

+ 

  * Thu Apr 21 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.2-3

  - Fixing Turkish locale issues

    Resolves: rhbz#2071343

Fedora supports TLS down to 1.0 in the LEGACY crypto-policy, but TLS 1.0
uses rsa_pkcs1_md5_sha1 with RSA certificates by default.
However, MD5-SHA1 would require SECLEVEL=0, because its 67 bits of
security do not meet SECLEVEL=1's requirement of 80 bits.

Instead of setting SECLEVEL to 0 in the LEGACY crypto-policy (which
would include all algorithms, regardless of their security level), allow
MD5-SHA1 if rh-allow-sha1-signatures is yes and SECLEVEL is 1.

Additionally, fix a regression in evp_pkey_name2type caused by the tr_TR
locale fix.

Resolves: rhbz#2069239
Signed-off-by: Clemens Lang cllang@redhat.com

