From 4eb630f7d5e644ffca3ecc224a00f296b033b809 Mon Sep 17 00:00:00 2001
From: Clemens Lang
Date: Thu, 17 Mar 2022 13:36:33 +0100
Subject: [PATCH] Fix TLS connections with SHA1 signatures if rh-allow-sha1-signatures = yes
Resolves: rhbz#2065400
Signed-off-by: Clemens Lang
---
 ...clevel-2-if-rh-allow-sha1-signatures.patch | 151 +++++++++++++++++-
 openssl.spec | 6 +-
 2 files changed, 150 insertions(+), 7 deletions(-)
diff --git a/0052-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch b/0052-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch
index 6c24e34..f9b2a43 100644
--- a/0052-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch
+++ b/0052-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch
@@ -1,14 +1,60 @@
-From 1c6d5f6162a46bcde94e8ae9eaa0c41da1d7faa3 Mon Sep 17 00:00:00 2001
+From 47f5bc59dd63dc16574c5d3e09eea999095b556e Mon Sep 17 00:00:00 2001
 From: Clemens Lang
 Date: Tue, 1 Mar 2022 15:44:18 +0100
 Subject: [PATCH] Allow SHA1 in seclevel 2 if rh-allow-sha1-signatures = yes
 References: rhbz#2055796
 ---
- doc/man5/config.pod | 7 ++++++-
- ssl/t1_lib.c | 8 ++++++++
- 2 files changed, 14 insertions(+), 1 deletion(-)
+ crypto/x509/x509_vfy.c | 19 +++++++++++-
+ doc/man5/config.pod | 7 ++++-
+ ssl/t1_lib.c | 55 ++++++++++++++++++++++++++---------
+ test/recipes/25-test_verify.t | 7 +++--
+ 4 files changed, 70 insertions(+), 18 deletions(-)
+diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
+index ff3ca83de6..a549c1c111 100644
+--- a/crypto/x509/x509_vfy.c
++++ b/crypto/x509/x509_vfy.c
+@@ -25,6 +25,7 @@
+ #include
+ #include
+ #include "internal/dane.h"
++#include "internal/sslconf.h"
+ #include "crypto/x509.h"
+ #include "x509_local.h"
+
+@@ -3440,14 +3441,30 @@ static int check_sig_level(X509_STORE_CTX *ctx, X509 *cert)
+ {
+ int secbits = -1;
+ int level = ctx->param->auth_level;
++ int nid;
++ OSSL_LIB_CTX *libctx = NULL;
+
+ if (level <= 0)
+ return 1;
+ if (level > NUM_AUTH_LEVELS)
+ level = NUM_AUTH_LEVELS;
+
+- if (!X509_get_signature_info(cert, NULL, NULL, &secbits, NULL))
++ if (ctx->libctx)
++ libctx = ctx->libctx;
++ else if (cert->libctx)
++ libctx = cert->libctx;
++ else
++ libctx = OSSL_LIB_CTX_get0_global_default();
++
++ if (!X509_get_signature_info(cert, &nid, NULL, &secbits, NULL))
+ return 0;
+
++ if (nid == NID_sha1
++ && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0)
++ && ctx->param->auth_level < 3)
++ /* When rh-allow-sha1-signatures = yes and security level <= 2,
++ * explicitly allow SHA1 for backwards compatibility. */
++ return 1;
++
+ return secbits >= minbits_table[level - 1];
+ }
 diff --git a/doc/man5/config.pod b/doc/man5/config.pod
 index aa1be5ca7f..aa69e2b844 100644
 --- a/doc/man5/config.pod
@@ -28,10 +74,59 @@ index aa1be5ca7f..aa69e2b844 100644
 =item B (deprecated)
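Review bot: In check_sig_level the new `return 1` for `nid == NID_sha1` comes before the `secbits >= minbits_table[level - 1]` comparison, so a SHA1-signed certificate at auth_level 1 or 2 is exempted from the level's minimum-bits check as a whole, not only from the digest's contribution; if the secbits reported by X509_get_signature_info can be lowered by anything other than the digest for such a signature (not visible in this hunk), that is waived as well. The condition re-reads `ctx->param->auth_level` after `level` was derived and clamped from it; given the `level <= 0` early return above, `&& level < 3` is equivalent whenever NUM_AUTH_LEVELS is at least 3 and reads more clearly. The three-way libctx selection also deserves a why-comment, e.g. `/* Resolve the library context whose rh-allow-sha1-signatures setting applies to this verification. */`, since nothing else in the function explains the fallback to `OSSL_LIB_CTX_get0_global_default()`.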
 diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
-index 4b74ee1a34..724ded67ba 100644
+index 4b74ee1a34..0638a51aff 100644
 --- a/ssl/t1_lib.c
 +++ b/ssl/t1_lib.c
-@@ -2106,6 +2106,14 @@ static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu)
+@@ -20,6 +20,7 @@
+ #include
+ #include
+ #include
++#include "crypto/x509.h"
+ #include "internal/sslconf.h"
+ #include "internal/nelem.h"
+ #include "internal/sizes.h"
+@@ -1561,19 +1562,27 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey)
+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_UNKNOWN_DIGEST);
+ return 0;
+ }
+- /*
+- * Make sure security callback allows algorithm. For historical
+- * reasons we have to pass the sigalg as a two byte char array.
+- */
+- sigalgstr[0] = (sig >> 8) & 0xff;
+- sigalgstr[1] = sig & 0xff;
+- secbits = sigalg_security_bits(s->ctx, lu);
+- if (secbits == 0 ||
+- !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits,
+- md != NULL ? EVP_MD_get_type(md) : NID_undef,
+- (void *)sigalgstr)) {
+- SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE);
+- return 0;
++
++ if (lu->hash == NID_sha1
++ && ossl_ctx_legacy_digest_signatures_allowed(s->ctx->libctx, 0)
++ && SSL_get_security_level(s) < 3) {
++ /* when rh-allow-sha1-signatures = yes and security level <= 2,
++ * explicitly allow SHA1 for backwards compatibility */
++ } else {
++ /*
++ * Make sure security callback allows algorithm. For historical
++ * reasons we have to pass the sigalg as a two byte char array.
++ */
++ sigalgstr[0] = (sig >> 8) & 0xff;
++ sigalgstr[1] = sig & 0xff;
++ secbits = sigalg_security_bits(s->ctx, lu);
++ if (secbits == 0 ||
++ !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits,
++ md != NULL ? EVP_MD_get_type(md) : NID_undef,
++ (void *)sigalgstr)) {
++ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE);
++ return 0;
++ }
+ }
+ /* Store the sigalg the peer uses */
+ s->s3.tmp.peer_sigalg = lu;
+@@ -2106,6 +2115,14 @@ static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu)
 }
 }
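Review bot: The new early branch in tls12_check_peer_sigalg skips ssl_security() entirely when `lu->hash == NID_sha1` at security level 1 or 2, so the SSL_SECOP_SIGALG_CHECK operation never reaches the security callback for those algorithms; as far as I can tell that also bypasses a stricter callback an application has installed itself, and drops the `secbits == 0` guard on that path. If that is intended, the comment in the empty branch should say so, e.g. `/* rh-allow-sha1-signatures = yes and security level <= 2: accept SHA1 here without consulting the security callback. */`; if not, keep the ssl_security() call and relax only the built-in level check. An `if` with an empty body followed by the real work in the `else` also reads awkwardly — negating the condition (`if (!(lu->hash == NID_sha1 && ...))`) leaves the original block in place and shrinks the hunk. The function continues past the hunk, so whether `sigalgstr` or `secbits` is read later on the bypass path cannot be checked here.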
@@ -46,6 +141,50 @@ index 4b74ee1a34..724ded67ba 100644
 /* Finally see if security callback allows it */
 secbits = sigalg_security_bits(s->ctx, lu);
 sigalgstr[0] = (lu->sigalg >> 8) & 0xff;
+@@ -2985,6 +3002,18 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
+ /* If digest NID not defined use signature NID */
+ if (nid == NID_undef)
+ nid = pknid;
++
++ if (nid == NID_sha1
++ && x != NULL
++ && x->libctx != NULL
++ && ossl_ctx_legacy_digest_signatures_allowed(x->libctx, 0)
++ && ((s != NULL && SSL_get_security_level(s) < 3)
++ || (ctx != NULL && SSL_CTX_get_security_level(ctx) < 3)
++ ))
++ /* When rh-allow-sha1-signatures = yes and security level <= 2,
++ * explicitly allow SHA1 for backwards compatibility. */
++ return 1;
++
+ if (s)
+ return ssl_security(s, op, secbits, nid, x);
+ else
+diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t
+index 700bbd849c..2de1d76b5e 100644
+--- a/test/recipes/25-test_verify.t
++++ b/test/recipes/25-test_verify.t
+@@ -29,7 +29,7 @@ sub verify {
+ run(app([@args]));
+ }
+
+-plan tests => 160;
++plan tests => 159;
+
+ # Canonical success
+ ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
+@@ -387,8 +387,9 @@ ok(verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "0"
+ ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], ),
+ "CA with PSS signature using SHA256");
+
+-ok(!verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "1"),
+- "Reject PSS signature using SHA1 and auth level 1");
++## rh-allow-sha1-signatures=yes allows this to pass despite -auth_level 1
++#ok(!verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "1"),
++# "Reject PSS signature using SHA1 and auth level 1");
+
+ ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
+ "PSS signature using SHA256 and auth level 2");
 --
 2.35.1
diff --git a/openssl.spec b/openssl.spec
index 425955a..7b4dd5a 100644
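Review bot: The exemption in ssl_security_cert_sig is gated on `x->libctx != NULL`, while the matching exemption added to check_sig_level in crypto/x509/x509_vfy.c earlier in this patch falls back from the certificate's context to `OSSL_LIB_CTX_get0_global_default()`; a certificate with a NULL libctx therefore takes the exemption during chain verification but not in the TLS signature check, which looks unintended, and resolving the context the same way here (or from `s->ctx->libctx` / `ctx->libctx`) would keep the two paths consistent. The `||` between the `s` and `ctx` level tests also lets the lower of the two levels win when both are non-NULL, whereas the `if (s) ... else` just below gives `s` precedence; `s != NULL ? SSL_get_security_level(s) < 3 : (ctx != NULL && SSL_CTX_get_security_level(ctx) < 3)` would match that order. In test/recipes/25-test_verify.t the SHA1/auth_level 1 case is commented out and the plan lowered to 159 rather than rewritten as a positive check for the new behaviour, so the exemption ships without coverage. ssl_security_cert_sig begins before the hunk.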
--- a/openssl.spec
+++ b/openssl.spec
@@ -15,7 +15,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 3.0.1
-Release: 18%{?dist}
+Release: 19%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -416,6 +416,10 @@ install -m644 %{SOURCE9} \
 %ldconfig_scriptlets libs
 %changelog
+* Fri Mar 18 2022 Clemens Lang - 1:3.0.1-19
+- Fix TLS connections with SHA1 signatures if rh-allow-sha1-signatures = yes
+- Resolves: rhbz#2065400
+
 * Wed Mar 16 2022 Dmitry Belyavskiy - 1:3.0.1-18
 - CVE-2022-0778 fix
 - Resolves: rhbz#2062315