diff --git a/0052-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch b/0052-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch index f9b2a43..c7cb9b7 100644 --- a/0052-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch +++ b/0052-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch @@ -1,15 +1,15 @@ -From 47f5bc59dd63dc16574c5d3e09eea999095b556e Mon Sep 17 00:00:00 2001 +From c63599ee9708d543205a9173207ee7167315c624 Mon Sep 17 00:00:00 2001 From: Clemens Lang Date: Tue, 1 Mar 2022 15:44:18 +0100 Subject: [PATCH] Allow SHA1 in seclevel 2 if rh-allow-sha1-signatures = yes References: rhbz#2055796 --- - crypto/x509/x509_vfy.c | 19 +++++++++++- - doc/man5/config.pod | 7 ++++- - ssl/t1_lib.c | 55 ++++++++++++++++++++++++++--------- - test/recipes/25-test_verify.t | 7 +++-- - 4 files changed, 70 insertions(+), 18 deletions(-) + crypto/x509/x509_vfy.c | 19 ++++++++++- + doc/man5/config.pod | 7 +++- + ssl/t1_lib.c | 64 ++++++++++++++++++++++++++++------- + test/recipes/25-test_verify.t | 7 ++-- + 4 files changed, 79 insertions(+), 18 deletions(-) diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index ff3ca83de6..a549c1c111 100644 @@ -74,7 +74,7 @@ index aa1be5ca7f..aa69e2b844 100644 =item B (deprecated) diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c -index 4b74ee1a34..0638a51aff 100644 +index 4b74ee1a34..5f089de107 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -20,6 +20,7 @@ 
@@ -141,15 +141,31 @@ index 4b74ee1a34..0638a51aff 100644 /* Finally see if security callback allows it */ secbits = sigalg_security_bits(s->ctx, lu); sigalgstr[0] = (lu->sigalg >> 8) & 0xff; -@@ -2985,6 +3002,18 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op) +@@ -2977,6 +2994,8 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op) + { + /* Lookup signature algorithm digest */ + int secbits, nid, pknid; ++ OSSL_LIB_CTX *libctx = NULL; ++ + /* Don't check signature if self signed */ + if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0) + return 1; +@@ -2985,6 +3004,25 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op) /* If digest NID not defined use signature NID */ if (nid == NID_undef) nid = pknid; + ++ if (x && x->libctx) ++ libctx = x->libctx; ++ else if (ctx && ctx->libctx) ++ libctx = ctx->libctx; ++ else if (s && s->ctx && s->ctx->libctx) ++ libctx = s->ctx->libctx; ++ else ++ libctx = OSSL_LIB_CTX_get0_global_default(); ++ + if (nid == NID_sha1 -+ && x != NULL -+ && x->libctx != NULL -+ && ossl_ctx_legacy_digest_signatures_allowed(x->libctx, 0) ++ && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0) + && ((s != NULL && SSL_get_security_level(s) < 3) + || (ctx != NULL && SSL_CTX_get_security_level(ctx) < 3) + )) diff --git a/openssl.spec b/openssl.spec index 7b4dd5a..e88f880 100644 --- a/openssl.spec +++ b/openssl.spec @@ -15,7 +15,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 3.0.1 -Release: 19%{?dist} +Release: 20%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. 
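Review bot: The new libctx fallback chain consults `ctx->libctx` before `s->ctx->libctx`, the opposite order from the security-level check a few lines below in the same condition (`s != NULL && SSL_get_security_level(s) < 3` is tested before the `ctx` branch), so if a caller ever passes both an SSL and an SSL_CTX the rh-allow-sha1-signatures policy would be read from a different context than the security level is; if callers only ever pass one of the two this is a consistency point rather than a bug. The `x &&` guard is dead code: `X509_get_extension_flags(x)` already dereferences x unconditionally earlier in this function (visible in the first added sub-hunk). I would resolve the SSL object's context before the SSL_CTX's, drop the redundant guard, and state in a comment which context's policy governs, since that choice is the security-relevant decision here. The second argument `0` to `ossl_ctx_legacy_digest_signatures_allowed` presumably suppresses config loading — worth confirming that a freshly created non-default libctx whose config has not been loaded yet answers with the intended (deny) default rather than silently allowing SHA-1. The body of ssl_security_cert_sig continues past the end of the hunk.
```c
    /* … unchanged: nid = pknid; … */

    /*
     * rh-allow-sha1-signatures is a per-library-context setting.  Prefer
     * the context the certificate was decoded into, then the one the TLS
     * object belongs to (SSL before SSL_CTX, matching the security-level
     * check below); a NULL libctx means the global default.
     */
    if (x->libctx != NULL)
        libctx = x->libctx;
    else if (s != NULL && s->ctx != NULL && s->ctx->libctx != NULL)
        libctx = s->ctx->libctx;
    else if (ctx != NULL && ctx->libctx != NULL)
        libctx = ctx->libctx;
    else
        libctx = OSSL_LIB_CTX_get0_global_default();

    /* … unchanged: NID_sha1 / security-level condition … */
```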
@@ -416,6 +416,11 @@ install -m644 %{SOURCE9} \ %ldconfig_scriptlets libs %changelog +* Fri Mar 18 2022 Clemens Lang - 1:3.0.1-20 +- Fix acceptance of SHA-1 certificates with rh-allow-sha1-signatures = yes when + no OpenSSL library context is set +- Resolves: rhbz#2065400 + * Fri Mar 18 2022 Clemens Lang - 1:3.0.1-19 - Fix TLS connections with SHA1 signatures if rh-allow-sha1-signatures = yes - Resolves: rhbz#2065400