PR#29: Allow MD5-SHA1 in LEGACY c-p to fix TLS 1.0 - rpms/openssl

rpms / openssl

#29 Allow MD5-SHA1 in LEGACY c-p to fix TLS 1.0

Merged 10 months ago by clang. Opened 10 months ago by clang.

rpms/ clang/openssl f36-rhbz2069239-md5sha1-in-legacy into f36

Allow MD5-SHA1 in LEGACY c-p to fix TLS 1.0

Clemens Lang • 10 months ago

bb28a35

0052-Allow-SHA1-in-seclevel-1-if-rh-allow-sha1-signatures.patch

file modified

+30 -26

		`@@ -1,4 +1,4 @@`
		`- From f695f140255f9b564cac4d5e9e38ba27ec927256 Mon Sep 17 00:00:00 2001`
		`+ From f470b130139919f32926b3f5a75ba4d161cbcf88 Mon Sep 17 00:00:00 2001`
		`From: Clemens Lang <cllang@redhat.com>`
		`Date: Tue, 1 Mar 2022 15:44:18 +0100`
		`Subject: [PATCH 2/2] Allow SHA1 in seclevel 1 if rh-allow-sha1-signatures =`
		`@@ -26,14 +26,14 @@`
		`Related: rhbz#2055796`
		`Related: rhbz#2070977`
		`---`
		`- crypto/x509/x509_vfy.c \| 19 ++++++++++-`
		`+ crypto/x509/x509_vfy.c \| 20 ++++++++++-`
		`doc/man5/config.pod \| 7 ++++`
		`- ssl/t1_lib.c \| 64 ++++++++++++++++++++++++++++-------`
		`+ ssl/t1_lib.c \| 67 ++++++++++++++++++++++++++++-------`
		`test/recipes/25-test_verify.t \| 4 +--`
		`- 4 files changed, 78 insertions(+), 16 deletions(-)`
		`+ 4 files changed, 82 insertions(+), 16 deletions(-)`

		`diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c`
		`- index 2f175ca517..60aa26f552 100644`
		`+ index 2f175ca517..bf0c608839 100644`
		`--- a/crypto/x509/x509_vfy.c`
		`+++ b/crypto/x509/x509_vfy.c`
		`@@ -25,6 +25,7 @@`
		`@@ -44,7 +44,7 @@`
		`#include "crypto/x509.h"`
		`#include "x509_local.h"`

		`- @@ -3441,14 +3442,30 @@ static int check_sig_level(X509_STORE_CTX ctx, X509 cert)`
		`+ @@ -3441,14 +3442,31 @@ static int check_sig_level(X509_STORE_CTX ctx, X509 cert)`
		`{`
		`int secbits = -1;`
		`int level = ctx->param->auth_level;`
		`@@ -67,17 +67,18 @@`
		`+ if (!X509_get_signature_info(cert, &nid, NULL, &secbits, NULL))`
		`return 0;`

		`- + if (nid == NID_sha1`
		`+ + if ((nid == NID_sha1 \|\| nid == NID_md5_sha1)`
		`+ && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0)`
		`+ && ctx->param->auth_level < 2)`
		`+ /* When rh-allow-sha1-signatures = yes and security level <= 1,`
		`- + * explicitly allow SHA1 for backwards compatibility. */`
		`+ + * explicitly allow SHA1 for backwards compatibility. Also allow`
		`+ + * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */`
		`+ return 1;`
		`+`
		`return secbits >= minbits_table[level - 1];`
		`}`
		`diff --git a/doc/man5/config.pod b/doc/man5/config.pod`
		`- index 0c9110d28a..02e7ca706f 100644`
		`+ index 0c9110d28a..e0516d20b8 100644`
		`--- a/doc/man5/config.pod`
		`+++ b/doc/man5/config.pod`
		`@@ -309,6 +309,13 @@ this option is set to B<no>. Because TLS 1.1 or lower use MD5-SHA1 as`
		`@@ -86,16 +87,16 @@`

		`+Note that enabling B<rh-allow-sha1-signatures> will allow TLS signature`
		`+algorithms that use SHA1 in security level 1, despite the definition of`
		`- +security level 1 of FIXME bits of security, which SHA1 does not meet. This`
		`- +allows using SHA1 in TLS in the LEGACY crypto-policy on Fedora without`
		`- +requiring to set the security level to 0, which would include further insecure`
		`- +algorithms.`
		`+ +security level 1 of 80 bits of security, which SHA1 and MD5-SHA1 do not meet.`
		`+ +This allows using SHA1 and MD5-SHA1 in TLS in the LEGACY crypto-policy on`
		`+ +Fedora without requiring to set the security level to 0, which would include`
		`+ +further insecure algorithms, and thus restores support for TLS 1.0 and 1.1.`
		`+`
		`=item B<fips_mode> (deprecated)`

		`The value is a boolean that can be B<yes> or B<no>. If the value is`
		`diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c`
		`- index dcd487ec2e..e47ddf56f1 100644`
		`+ index dcd487ec2e..0b50266b69 100644`
		`--- a/ssl/t1_lib.c`
		`+++ b/ssl/t1_lib.c`
		`@@ -20,6 +20,7 @@`
		`@@ -106,7 +107,7 @@`
		`#include "internal/sslconf.h"`
		`#include "internal/nelem.h"`
		`#include "internal/sizes.h"`
		`- @@ -1561,19 +1562,27 @@ int tls12_check_peer_sigalg(SSL s, uint16_t sig, EVP_PKEY pkey)`
		`+ @@ -1561,19 +1562,28 @@ int tls12_check_peer_sigalg(SSL s, uint16_t sig, EVP_PKEY pkey)`
		`SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_UNKNOWN_DIGEST);`
		`return 0;`
		`}`
		`@@ -124,11 +125,12 @@`
		`- SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE);`
		`- return 0;`
		`+`
		`- + if (lu->hash == NID_sha1`
		`+ + if ((lu->hash == NID_sha1 \|\| lu->hash == NID_md5_sha1)`
		`+ && ossl_ctx_legacy_digest_signatures_allowed(s->ctx->libctx, 0)`
		`+ && SSL_get_security_level(s) < 2) {`
		`- + /* when rh-allow-sha1-signatures = yes and security level <= 1,`
		`- + * explicitly allow SHA1 for backwards compatibility */`
		`+ + /* When rh-allow-sha1-signatures = yes and security level <= 1,`
		`+ + * explicitly allow SHA1 for backwards compatibility. Also allow`
		`+ + * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */`
		`+ } else {`
		`+ /*`
		`+ * Make sure security callback allows algorithm. For historical`
		`@@ -147,22 +149,23 @@`
		`}`
		`/* Store the sigalg the peer uses */`
		`s->s3.tmp.peer_sigalg = lu;`
		`- @@ -2106,6 +2115,14 @@ static int tls12_sigalg_allowed(const SSL s, int op, const SIGALG_LOOKUP lu)`
		`+ @@ -2106,6 +2116,15 @@ static int tls12_sigalg_allowed(const SSL s, int op, const SIGALG_LOOKUP lu)`
		`}`
		`}`

		`- + if (lu->hash == NID_sha1`
		`+ + if ((lu->hash == NID_sha1 \|\| lu->hash == NID_md5_sha1)`
		`+ && ossl_ctx_legacy_digest_signatures_allowed(s->ctx->libctx, 0)`
		`+ && SSL_get_security_level(s) < 2) {`
		`- + /* when rh-allow-sha1-signatures = yes and security level <= 1,`
		`- + * explicitly allow SHA1 for backwards compatibility */`
		`+ + /* When rh-allow-sha1-signatures = yes and security level <= 1,`
		`+ + * explicitly allow SHA1 for backwards compatibility. Also allow`
		`+ + * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */`
		`+ return 1;`
		`+ }`
		`+`
		`/* Finally see if security callback allows it */`
		`secbits = sigalg_security_bits(s->ctx, lu);`
		`sigalgstr[0] = (lu->sigalg >> 8) & 0xff;`
		`- @@ -2977,6 +2994,8 @@ static int ssl_security_cert_sig(SSL s, SSL_CTX ctx, X509 *x, int op)`
		`+ @@ -2977,6 +2996,8 @@ static int ssl_security_cert_sig(SSL s, SSL_CTX ctx, X509 *x, int op)`
		`{`
		`/* Lookup signature algorithm digest */`
		`int secbits, nid, pknid;`
		`@@ -171,7 +174,7 @@`
		`/* Don't check signature if self signed */`
		`if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)`
		`return 1;`
		`- @@ -2985,6 +3004,25 @@ static int ssl_security_cert_sig(SSL s, SSL_CTX ctx, X509 *x, int op)`
		`+ @@ -2985,6 +3006,26 @@ static int ssl_security_cert_sig(SSL s, SSL_CTX ctx, X509 *x, int op)`
		`/* If digest NID not defined use signature NID */`
		`if (nid == NID_undef)`
		`nid = pknid;`
		`@@ -185,13 +188,14 @@`
		`+ else`
		`+ libctx = OSSL_LIB_CTX_get0_global_default();`
		`+`
		`- + if (nid == NID_sha1`
		`+ + if ((nid == NID_sha1 \|\| nid == NID_md5_sha1)`
		`+ && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0)`
		`+ && ((s != NULL && SSL_get_security_level(s) < 2)`
		`+ \|\| (ctx != NULL && SSL_CTX_get_security_level(ctx) < 2)`
		`+ ))`
		`+ /* When rh-allow-sha1-signatures = yes and security level <= 1,`
		`- + * explicitly allow SHA1 for backwards compatibility. */`
		`+ + * explicitly allow SHA1 for backwards compatibility. Also allow`
		`+ + * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */`
		`+ return 1;`
		`+`
		`if (s)`

0057-strcasecmp-fix.patch

file added

+104

		`@@ -0,0 +1,104 @@`
		`+ From 68f23e3725d9639f5b27d868fee291cabb516677 Mon Sep 17 00:00:00 2001`
		`+ From: Dmitry Belyavskiy <beldmit@gmail.com>`
		`+ Date: Fri, 22 Apr 2022 18:16:56 +0200`
		`+ Subject: [PATCH 1/2] Ensure we initialized the locale before`
		`+ evp_pkey_name2type`
		`+`
		`+ Fixes #18158`
		`+ ---`
		`+ crypto/evp/pmeth_lib.c \| 2 ++`
		`+ 1 file changed, 2 insertions(+)`
		`+`
		`+ diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c`
		`+ index 2b9c6c2351da..92d25de44532 100644`
		`+ --- a/crypto/evp/pmeth_lib.c`
		`+ +++ b/crypto/evp/pmeth_lib.c`
		`+ @@ -27,6 +27,7 @@`
		`+ #ifndef FIPS_MODULE`
		`+ # include "crypto/asn1.h"`
		`+ #endif`
		`+ +#include "crypto/ctype.h"`
		`+ #include "crypto/evp.h"`
		`+ #include "crypto/dh.h"`
		`+ #include "crypto/ec.h"`
		`+ @@ -199,6 +200,7 @@ static EVP_PKEY_CTX int_ctx_new(OSSL_LIB_CTX libctx,`
		`+ }`
		`+ #ifndef FIPS_MODULE`
		`+ if (keytype != NULL) {`
		`+ + ossl_init_casecmp();`
		`+ id = evp_pkey_name2type(keytype);`
		`+ if (id == NID_undef)`
		`+ id = -1;`
		`+`
		`+ From 51c7b2d9c30b72aeb7e8eb69799dc039d5b23e58 Mon Sep 17 00:00:00 2001`
		`+ From: Dmitry Belyavskiy <beldmit@gmail.com>`
		`+ Date: Fri, 22 Apr 2022 19:26:08 +0200`
		`+ Subject: [PATCH 2/2] Testing the EVP_PKEY_CTX_new_from_name without`
		`+ preliminary init`
		`+`
		`+ ---`
		`+ test/build.info \| 6 +++++-`
		`+ test/evp_pkey_ctx_new_from_name.c \| 14 ++++++++++++++`
		`+ test/recipes/02-test_localetest.t \| 4 +++-`
		`+ 3 files changed, 22 insertions(+), 2 deletions(-)`
		`+ create mode 100644 test/evp_pkey_ctx_new_from_name.c`
		`+`
		`+ diff --git a/test/build.info b/test/build.info`
		`+ index 14a84f00a258..ee059973d31a 100644`
		`+ --- a/test/build.info`
		`+ +++ b/test/build.info`
		`+ @@ -37,7 +37,7 @@ IF[{- !$disabled{tests} -}]`
		`+ sanitytest rsa_complex exdatatest bntest \`
		`+ ecstresstest gmdifftest pbelutest \`
		`+ destest mdc2test sha_test \`
		`+ - exptest pbetest localetest \`
		`+ + exptest pbetest localetest evp_pkey_ctx_new_from_name\`
		`+ evp_pkey_provided_test evp_test evp_extra_test evp_extra_test2 \`
		`+ evp_fetch_prov_test evp_libctx_test ossl_store_test \`
		`+ v3nametest v3ext \`
		`+ @@ -139,6 +139,10 @@ IF[{- !$disabled{tests} -}]`
		`+ INCLUDE[localetest]=../include ../apps/include`
		`+ DEPEND[localetest]=../libcrypto libtestutil.a`
		`+`
		`+ + SOURCE[evp_pkey_ctx_new_from_name]=evp_pkey_ctx_new_from_name.c`
		`+ + INCLUDE[evp_pkey_ctx_new_from_name]=../include ../apps/include`
		`+ + DEPEND[evp_pkey_ctx_new_from_name]=../libcrypto`
		`+ +`
		`+ SOURCE[pbetest]=pbetest.c`
		`+ INCLUDE[pbetest]=../include ../apps/include`
		`+ DEPEND[pbetest]=../libcrypto libtestutil.a`
		`+ diff --git a/test/evp_pkey_ctx_new_from_name.c b/test/evp_pkey_ctx_new_from_name.c`
		`+ new file mode 100644`
		`+ index 000000000000..24063ea05ea5`
		`+ --- /dev/null`
		`+ +++ b/test/evp_pkey_ctx_new_from_name.c`
		`+ @@ -0,0 +1,14 @@`
		`+ +#include <stdio.h>`
		`+ +#include <openssl/ec.h>`
		`+ +#include <openssl/evp.h>`
		`+ +#include <openssl/err.h>`
		`+ +`
		`+ +int main(int argc, char *argv[])`
		`+ +{`
		`+ + EVP_PKEY_CTX *pctx = NULL;`
		`+ +`
		`+ + pctx = EVP_PKEY_CTX_new_from_name(NULL, "NO_SUCH_ALGORITHM", NULL);`
		`+ + EVP_PKEY_CTX_free(pctx);`
		`+ +`
		`+ + return 0;`
		`+ +}`
		`+ diff --git a/test/recipes/02-test_localetest.t b/test/recipes/02-test_localetest.t`
		`+ index 1bccd57d4c63..77fba7d819ab 100644`
		`+ --- a/test/recipes/02-test_localetest.t`
		`+ +++ b/test/recipes/02-test_localetest.t`
		`+ @@ -15,7 +15,9 @@ setup("locale tests");`
		`+ plan skip_all => "Locale tests not available on Windows or VMS"`
		`+ if $^O =~ /^(VMS\|MSWin32)$/;`
		`+`
		`+ -plan tests => 2;`
		`+ +plan tests => 3;`
		`+ +`
		`+ +ok(run(test(["evp_pkey_ctx_new_from_name"])), "running evp_pkey_ctx_new_from_name without explicit context init");`
		`+`
		`+ $ENV{LANG} = "C";`
		`+ ok(run(test(["localetest"])), "running localetest");`

openssl.spec

file modified

+9 -1

		`@@ -15,7 +15,7 @@`
		`Summary: Utilities from the general purpose cryptography library with TLS implementation`
		`Name: openssl`
		`Version: 3.0.2`
		`- Release: 3%{?dist}`
		`+ Release: 4%{?dist}`
		`Epoch: 1`
		`# We have to remove certain patented algorithms from the openssl source`
		`# tarball with the hobble-openssl script which is included below.`
		`@@ -65,6 +65,8 @@`
		`Patch52: 0052-Allow-SHA1-in-seclevel-1-if-rh-allow-sha1-signatures.patch`
		`# https://github.com/openssl/openssl/pull/18103`
		`Patch56: 0056-strcasecmp.patch`
		`+ # https://github.com/openssl/openssl/pull/18175`
		`+ Patch57: 0057-strcasecmp-fix.patch`

		`License: ASL 2.0`
		`URL: http://www.openssl.org/`
		`@@ -391,6 +393,12 @@`
		`%ldconfig_scriptlets libs`

		`%changelog`
		`+ * Wed Apr 27 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.2-4`
		`+ - Fix regression in evp_pkey_name2type caused by tr_TR locale fix`
		`+ - Support rsa_pkcs1_md5_sha1 in TLS 1.0/1.1 with rh-allow-sha1-signatures = yes`
		`+ to restore TLS 1.0 and 1.1 support in LEGACY crypto-policy.`
		`+ Resolves: rhbz#2069239`
		`+`
		`* Thu Apr 21 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.2-3`
		`- Fixing Turkish locale issues`
		`Resolves: rhbz#2071343`

clang commented 10 months ago

Fedora supports TLS down to 1.0 in LEGACY crypto-policy, but TLS 1.0
defaults to rsa_pkcs1_md5_sha1 with RSA certificates by default.
However, MD5-SHA1 would require SECLEVEL=0, because its 67 bits of
security do not meet SECLEVEL=1's requirement of 80 bits.

Instead of setting SECLEVEL to 0 in the LEGACY crypto-policy (which
would include all algorithms, regardless of their security level), allow
MD5-SHA1 if rh-allow-sha1-signatures is yes and SECLEVEL is 1.

Additionally, fix a regression in evp_pkey_name2type caused by the tr_TR
locale fix.

Resolves: rhbz#2069239
Signed-off-by: Clemens Lang cllang@redhat.com