Fix SHA1 certs in LEGACY without openssl lib ctxt

Resolves: rhbz#2065400
Signed-off-by: Clemens Lang <cllang@redhat.com>

0052-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch

@@ -1,15 +1,15 @@
-From 47f5bc59dd63dc16574c5d3e09eea999095b556e Mon Sep 17 00:00:00 2001
+From c63599ee9708d543205a9173207ee7167315c624 Mon Sep 17 00:00:00 2001
 From: Clemens Lang <cllang@redhat.com>
 Date: Tue, 1 Mar 2022 15:44:18 +0100
 Subject: [PATCH] Allow SHA1 in seclevel 2 if rh-allow-sha1-signatures = yes
 
 References: rhbz#2055796
 ---
- crypto/x509/x509_vfy.c        | 19 +++++++++++-
- doc/man5/config.pod           |  7 ++++-
- ssl/t1_lib.c                  | 55 ++++++++++++++++++++++++++---------
- test/recipes/25-test_verify.t |  7 +++--
- 4 files changed, 70 insertions(+), 18 deletions(-)
+ crypto/x509/x509_vfy.c        | 19 ++++++++++-
+ doc/man5/config.pod           |  7 +++-
+ ssl/t1_lib.c                  | 64 ++++++++++++++++++++++++++++-------
+ test/recipes/25-test_verify.t |  7 ++--
+ 4 files changed, 79 insertions(+), 18 deletions(-)
 
 diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
 index ff3ca83de6..a549c1c111 100644
@@ -74,7 +74,7 @@ index aa1be5ca7f..aa69e2b844 100644
  =item B<fips_mode> (deprecated)
  
 diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
-index 4b74ee1a34..0638a51aff 100644
+index 4b74ee1a34..5f089de107 100644
 --- a/ssl/t1_lib.c
 +++ b/ssl/t1_lib.c
 @@ -20,6 +20,7 @@
@@ -141,15 +141,31 @@ index 4b74ee1a34..0638a51aff 100644
      /* Finally see if security callback allows it */
      secbits = sigalg_security_bits(s->ctx, lu);
      sigalgstr[0] = (lu->sigalg >> 8) & 0xff;
-@@ -2985,6 +3002,18 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
+@@ -2977,6 +2994,8 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
+ {
+     /* Lookup signature algorithm digest */
+     int secbits, nid, pknid;
++    OSSL_LIB_CTX *libctx = NULL;
++
+     /* Don't check signature if self signed */
+     if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)
+         return 1;
+@@ -2985,6 +3004,25 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
      /* If digest NID not defined use signature NID */
      if (nid == NID_undef)
          nid = pknid;
 +
++    if (x && x->libctx)
++        libctx = x->libctx;
++    else if (ctx && ctx->libctx)
++        libctx = ctx->libctx;
++    else if (s && s->ctx && s->ctx->libctx)
++        libctx = s->ctx->libctx;
++    else
++        libctx = OSSL_LIB_CTX_get0_global_default();
++
 +    if (nid == NID_sha1
-+            && x != NULL
-+            && x->libctx != NULL
-+            && ossl_ctx_legacy_digest_signatures_allowed(x->libctx, 0)
++            && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0)
 +            && ((s != NULL && SSL_get_security_level(s) < 3)
 +                || (ctx != NULL && SSL_CTX_get_security_level(ctx) < 3)
 +            ))

openssl.spec

@@ -15,7 +15,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 3.0.1
-Release: 19%{?dist}
+Release: 20%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -416,6 +416,11 @@ install -m644 %{SOURCE9} \
 %ldconfig_scriptlets libs
 
 %changelog
+* Fri Mar 18 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-20
+- Fix acceptance of SHA-1 certificates with rh-allow-sha1-signatures = yes when
+  no OpenSSL library context is set
+- Resolves: rhbz#2065400
+
 * Fri Mar 18 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-19
 - Fix TLS connections with SHA1 signatures if rh-allow-sha1-signatures = yes
 - Resolves: rhbz#2065400