From bb28a358c89b1eb90d3f98d1ee87f1f9ca3a28d8 Mon Sep 17 00:00:00 2001 From: Clemens Lang Date: Apr 27 2022 10:53:08 +0000 Subject: Allow MD5-SHA1 in LEGACY c-p to fix TLS 1.0 Fedora supports TLS down to 1.0 in LEGACY crypto-policy, but TLS 1.0 defaults to rsa_pkcs1_md5_sha1 with RSA certificates by default. However, MD5-SHA1 would require SECLEVEL=0, because its 67 bits of security do not meet SECLEVEL=1's requirement of 80 bits. Instead of setting SECLEVEL to 0 in the LEGACY crypto-policy (which would include all algorithms, regardless of their security level), allow MD5-SHA1 if rh-allow-sha1-signatures is yes and SECLEVEL is 1. Additionally, fix a regression in evp_pkey_name2type caused by the tr_TR locale fix. Resolves: rhbz#2069239 Signed-off-by: Clemens Lang --- diff --git a/0052-Allow-SHA1-in-seclevel-1-if-rh-allow-sha1-signatures.patch b/0052-Allow-SHA1-in-seclevel-1-if-rh-allow-sha1-signatures.patch index eea02f8..256cdc8 100644 --- a/0052-Allow-SHA1-in-seclevel-1-if-rh-allow-sha1-signatures.patch +++ b/0052-Allow-SHA1-in-seclevel-1-if-rh-allow-sha1-signatures.patch @@ -1,4 +1,4 @@ -From f695f140255f9b564cac4d5e9e38ba27ec927256 Mon Sep 17 00:00:00 2001 +From f470b130139919f32926b3f5a75ba4d161cbcf88 Mon Sep 17 00:00:00 2001 From: Clemens Lang Date: Tue, 1 Mar 2022 15:44:18 +0100 Subject: [PATCH 2/2] Allow SHA1 in seclevel 1 if rh-allow-sha1-signatures = @@ -26,14 +26,14 @@ default configuration. Related: rhbz#2055796 Related: rhbz#2070977 --- - crypto/x509/x509_vfy.c | 19 ++++++++++- + crypto/x509/x509_vfy.c | 20 ++++++++++- doc/man5/config.pod | 7 ++++ - ssl/t1_lib.c | 64 ++++++++++++++++++++++++++++------- + ssl/t1_lib.c | 67 ++++++++++++++++++++++++++++------- test/recipes/25-test_verify.t | 4 +-- - 4 files changed, 78 insertions(+), 16 deletions(-) + 4 files changed, 82 insertions(+), 16 deletions(-) diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c -index 2f175ca517..60aa26f552 100644 +index 2f175ca517..bf0c608839 100644 
--- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -25,6 +25,7 @@ @@ -44,7 +44,7 @@ index 2f175ca517..60aa26f552 100644 #include "crypto/x509.h" #include "x509_local.h" -@@ -3441,14 +3442,30 @@ static int check_sig_level(X509_STORE_CTX *ctx, X509 *cert) +@@ -3441,14 +3442,31 @@ static int check_sig_level(X509_STORE_CTX *ctx, X509 *cert) { int secbits = -1; int level = ctx->param->auth_level; @@ -67,17 +67,18 @@ index 2f175ca517..60aa26f552 100644 + if (!X509_get_signature_info(cert, &nid, NULL, &secbits, NULL)) return 0; -+ if (nid == NID_sha1 ++ if ((nid == NID_sha1 || nid == NID_md5_sha1) + && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0) + && ctx->param->auth_level < 2) + /* When rh-allow-sha1-signatures = yes and security level <= 1, -+ * explicitly allow SHA1 for backwards compatibility. */ ++ * explicitly allow SHA1 for backwards compatibility. Also allow ++ * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */ + return 1; + return secbits >= minbits_table[level - 1]; } diff --git a/doc/man5/config.pod b/doc/man5/config.pod -index 0c9110d28a..02e7ca706f 100644 +index 0c9110d28a..e0516d20b8 100644 --- a/doc/man5/config.pod +++ b/doc/man5/config.pod @@ -309,6 +309,13 @@ this option is set to B. Because TLS 1.1 or lower use MD5-SHA1 as 
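Review bot: In the `check_sig_level` hunk, `nid == NID_md5_sha1` is added to a shortcut that returns 1 before the `minbits_table` comparison, but the comment justifies it only by TLS 1.0 handshake signatures, while this function judges the certificate signature reported by `X509_get_signature_info`. Nothing in the hunk shows a certificate signature algorithm that reports MD5-SHA1 as its digest, so the exemption looks wider than the stated need; either keep this path at `nid == NID_sha1` or extend the comment to say which certificates require it. The same applies to the `ssl_security_cert_sig` hunk further down. The multi-line `if` also has no braces around a comment plus `return 1;`, and it re-reads `ctx->param->auth_level` although `level` was initialised from it. Parts of the function lie outside the hunk.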
@@ -86,16 +87,16 @@ index 0c9110d28a..02e7ca706f 100644 +Note that enabling B will allow TLS signature +algorithms that use SHA1 in security level 1, despite the definition of -+security level 1 of FIXME bits of security, which SHA1 does not meet. This -+allows using SHA1 in TLS in the LEGACY crypto-policy on Fedora without -+requiring to set the security level to 0, which would include further insecure -+algorithms. ++security level 1 of 80 bits of security, which SHA1 and MD5-SHA1 do not meet. ++This allows using SHA1 and MD5-SHA1 in TLS in the LEGACY crypto-policy on ++Fedora without requiring to set the security level to 0, which would include ++further insecure algorithms, and thus restores support for TLS 1.0 and 1.1. + =item B (deprecated) The value is a boolean that can be B or B. If the value is diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c -index dcd487ec2e..e47ddf56f1 100644 +index dcd487ec2e..0b50266b69 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -20,6 +20,7 @@ @@ -106,7 +107,7 @@ index dcd487ec2e..e47ddf56f1 100644 #include "internal/sslconf.h" #include "internal/nelem.h" #include "internal/sizes.h" -@@ -1561,19 +1562,27 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey) +@@ -1561,19 +1562,28 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey) SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_UNKNOWN_DIGEST); return 0; } 
@@ -124,11 +125,12 @@ index dcd487ec2e..e47ddf56f1 100644 - SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE); - return 0; + -+ if (lu->hash == NID_sha1 ++ if ((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1) + && ossl_ctx_legacy_digest_signatures_allowed(s->ctx->libctx, 0) + && SSL_get_security_level(s) < 2) { -+ /* when rh-allow-sha1-signatures = yes and security level <= 1, -+ * explicitly allow SHA1 for backwards compatibility */ ++ /* When rh-allow-sha1-signatures = yes and security level <= 1, ++ * explicitly allow SHA1 for backwards compatibility. Also allow ++ * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */ + } else { + /* + * Make sure security callback allows algorithm. For historical @@ -147,22 +149,23 @@ index dcd487ec2e..e47ddf56f1 100644 } /* Store the sigalg the peer uses */ s->s3.tmp.peer_sigalg = lu; -@@ -2106,6 +2115,14 @@ static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu) +@@ -2106,6 +2116,15 @@ static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu) } } -+ if (lu->hash == NID_sha1 ++ if ((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1) + && ossl_ctx_legacy_digest_signatures_allowed(s->ctx->libctx, 0) + && SSL_get_security_level(s) < 2) { -+ /* when rh-allow-sha1-signatures = yes and security level <= 1, -+ * explicitly allow SHA1 for backwards compatibility */ ++ /* When rh-allow-sha1-signatures = yes and security level <= 1, ++ * explicitly allow SHA1 for backwards compatibility. Also allow ++ * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */ + return 1; + } + /* Finally see if security callback allows it */ secbits = sigalg_security_bits(s->ctx, lu); sigalgstr[0] = (lu->sigalg >> 8) & 0xff; -@@ -2977,6 +2994,8 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op) +@@ -2977,6 +2996,8 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op) { /* Lookup signature algorithm digest */ int secbits, nid, pknid; 
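Review bot: The exemption in `tls12_check_peer_sigalg` moves the security-callback check into the `else` branch, so for SHA1 and MD5-SHA1 at security level 0 or 1 the callback is never consulted; `tls12_sigalg_allowed` does the same by returning 1 above `/* Finally see if security callback allows it */`. An application that installed its own security callback to refuse these digests would no longer be asked once `rh-allow-sha1-signatures` is on, which deserves a sentence in the comment or in config.pod. The condition also ignores the negotiated protocol version although the comment ties MD5-SHA1 to TLS 1.0; if MD5-SHA1 can reach these functions in a TLS 1.2 handshake (not visible here), a version check would confine the exemption to the case it is meant for. The `if` body that holds only a comment would read more clearly as a negated condition guarding the callback check. Both functions extend beyond their hunks.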
@@ -171,7 +174,7 @@ index dcd487ec2e..e47ddf56f1 100644 /* Don't check signature if self signed */ if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0) return 1; -@@ -2985,6 +3004,25 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op) +@@ -2985,6 +3006,26 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op) /* If digest NID not defined use signature NID */ if (nid == NID_undef) nid = pknid; @@ -185,13 +188,14 @@ index dcd487ec2e..e47ddf56f1 100644 + else + libctx = OSSL_LIB_CTX_get0_global_default(); + -+ if (nid == NID_sha1 ++ if ((nid == NID_sha1 || nid == NID_md5_sha1) + && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0) + && ((s != NULL && SSL_get_security_level(s) < 2) + || (ctx != NULL && SSL_CTX_get_security_level(ctx) < 2) + )) + /* When rh-allow-sha1-signatures = yes and security level <= 1, -+ * explicitly allow SHA1 for backwards compatibility. */ ++ * explicitly allow SHA1 for backwards compatibility. Also allow ++ * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */ + return 1; + if (s) diff --git a/0057-strcasecmp-fix.patch b/0057-strcasecmp-fix.patch new file mode 100644 index 0000000..f5c59b5 --- /dev/null +++ b/0057-strcasecmp-fix.patch 
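Review bot: In `ssl_security_cert_sig` the level test `(s != NULL && SSL_get_security_level(s) < 2) || (ctx != NULL && SSL_CTX_get_security_level(ctx) < 2)` lets either object grant the exemption, so if a caller ever passes both, a context at level 1 would override a connection that was raised to level 2. The code right after the hunk branches on `if (s)`, i.e. it prefers the connection; the new check should choose the level the same way, e.g. `level = s != NULL ? SSL_get_security_level(s) : SSL_CTX_get_security_level(ctx);` and then test `level < 2`. Braces around the comment and `return 1;` would also make the multi-line condition harder to misread. The function continues outside the hunk.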
@@ -0,0 +1,104 @@ +From 68f23e3725d9639f5b27d868fee291cabb516677 Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Fri, 22 Apr 2022 18:16:56 +0200 +Subject: [PATCH 1/2] Ensure we initialized the locale before + evp_pkey_name2type + +Fixes #18158 +--- + crypto/evp/pmeth_lib.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c +index 2b9c6c2351da..92d25de44532 100644 +--- a/crypto/evp/pmeth_lib.c ++++ b/crypto/evp/pmeth_lib.c +@@ -27,6 +27,7 @@ + #ifndef FIPS_MODULE + # include "crypto/asn1.h" + #endif ++#include "crypto/ctype.h" + #include "crypto/evp.h" + #include "crypto/dh.h" + #include "crypto/ec.h" +@@ -199,6 +200,7 @@ static EVP_PKEY_CTX *int_ctx_new(OSSL_LIB_CTX *libctx, + } + #ifndef FIPS_MODULE + if (keytype != NULL) { ++ ossl_init_casecmp(); + id = evp_pkey_name2type(keytype); + if (id == NID_undef) + id = -1; + +From 51c7b2d9c30b72aeb7e8eb69799dc039d5b23e58 Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Fri, 22 Apr 2022 19:26:08 +0200 +Subject: [PATCH 2/2] Testing the EVP_PKEY_CTX_new_from_name without + preliminary init + +--- + test/build.info | 6 +++++- + test/evp_pkey_ctx_new_from_name.c | 14 ++++++++++++++ + test/recipes/02-test_localetest.t | 4 +++- + 3 files changed, 22 insertions(+), 2 deletions(-) + create mode 100644 test/evp_pkey_ctx_new_from_name.c + +diff --git a/test/build.info b/test/build.info +index 14a84f00a258..ee059973d31a 100644 +--- a/test/build.info ++++ b/test/build.info +@@ -37,7 +37,7 @@ IF[{- !$disabled{tests} -}] + sanitytest rsa_complex exdatatest bntest \ + ecstresstest gmdifftest pbelutest \ + destest mdc2test sha_test \ +- exptest pbetest localetest \ ++ exptest pbetest localetest evp_pkey_ctx_new_from_name\ + evp_pkey_provided_test evp_test evp_extra_test evp_extra_test2 \ + evp_fetch_prov_test evp_libctx_test ossl_store_test \ + v3nametest v3ext \ +@@ -139,6 +139,10 @@ IF[{- !$disabled{tests} -}] + INCLUDE[localetest]=../include ../apps/include + 
DEPEND[localetest]=../libcrypto libtestutil.a + ++ SOURCE[evp_pkey_ctx_new_from_name]=evp_pkey_ctx_new_from_name.c ++ INCLUDE[evp_pkey_ctx_new_from_name]=../include ../apps/include ++ DEPEND[evp_pkey_ctx_new_from_name]=../libcrypto ++ + SOURCE[pbetest]=pbetest.c + INCLUDE[pbetest]=../include ../apps/include + DEPEND[pbetest]=../libcrypto libtestutil.a +diff --git a/test/evp_pkey_ctx_new_from_name.c b/test/evp_pkey_ctx_new_from_name.c +new file mode 100644 +index 000000000000..24063ea05ea5 +--- /dev/null ++++ b/test/evp_pkey_ctx_new_from_name.c +@@ -0,0 +1,14 @@ ++#include ++#include ++#include ++#include ++ ++int main(int argc, char *argv[]) ++{ ++ EVP_PKEY_CTX *pctx = NULL; ++ ++ pctx = EVP_PKEY_CTX_new_from_name(NULL, "NO_SUCH_ALGORITHM", NULL); ++ EVP_PKEY_CTX_free(pctx); ++ ++ return 0; ++} +diff --git a/test/recipes/02-test_localetest.t b/test/recipes/02-test_localetest.t +index 1bccd57d4c63..77fba7d819ab 100644 +--- a/test/recipes/02-test_localetest.t ++++ b/test/recipes/02-test_localetest.t +@@ -15,7 +15,9 @@ setup("locale tests"); + plan skip_all => "Locale tests not available on Windows or VMS" + if $^O =~ /^(VMS|MSWin32)$/; + +-plan tests => 2; ++plan tests => 3; ++ ++ok(run(test(["evp_pkey_ctx_new_from_name"])), "running evp_pkey_ctx_new_from_name without explicit context init"); + + $ENV{LANG} = "C"; + ok(run(test(["localetest"])), "running localetest"); diff --git a/openssl.spec b/openssl.spec index 75dac9a..c5a264a 100644 --- a/openssl.spec +++ b/openssl.spec @@ -15,7 +15,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 3.0.2 -Release: 3%{?dist} +Release: 4%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. 
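Review bot: The added `ossl_init_casecmp();` call in `int_ctx_new` discards its result, so if the initialisation can fail (its prototype is not part of this hunk) `evp_pkey_name2type` would still run without the locale setup it depends on. If the function returns a status, check it and take the existing failure path of `int_ctx_new` instead of continuing. The new test `test/evp_pkey_ctx_new_from_name.c` only shows that the call does not crash: it never looks at `pctx`, and a short comment such as `/* Regression test: must not crash when called before any explicit library initialisation */` would record why it carries no assertions. `int_ctx_new` starts and ends outside the hunk.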
@@ -65,6 +65,8 @@ Patch51: 0051-Support-different-R_BITS-lengths-for-KBKDF.patch Patch52: 0052-Allow-SHA1-in-seclevel-1-if-rh-allow-sha1-signatures.patch # https://github.com/openssl/openssl/pull/18103 Patch56: 0056-strcasecmp.patch +# https://github.com/openssl/openssl/pull/18175 +Patch57: 0057-strcasecmp-fix.patch License: ASL 2.0 URL: http://www.openssl.org/ @@ -391,6 +393,12 @@ install -m644 %{SOURCE9} \ %ldconfig_scriptlets libs %changelog +* Wed Apr 27 2022 Clemens Lang - 1:3.0.2-4 +- Fix regression in evp_pkey_name2type caused by tr_TR locale fix +- Support rsa_pkcs1_md5_sha1 in TLS 1.0/1.1 with rh-allow-sha1-signatures = yes + to restore TLS 1.0 and 1.1 support in LEGACY crypto-policy. + Resolves: rhbz#2069239 + * Thu Apr 21 2022 Dmitry Belyavskiy - 1:3.0.2-3 - Fixing Turkish locale issues Resolves: rhbz#2071343