diff --git a/0049-Selectively-disallow-SHA1-signatures.patch b/0049-Selectively-disallow-SHA1-signatures.patch index 8b180ce..d74dba3 100644 --- a/0049-Selectively-disallow-SHA1-signatures.patch +++ b/0049-Selectively-disallow-SHA1-signatures.patch @@ -36,9 +36,9 @@ signing arbitrary data). Resolves: rhbz#2031742 --- - crypto/evp/evp_cnf.c | 13 +++++ - crypto/evp/m_sigver.c | 74 ++++++++++++++++++++++++ - crypto/evp/pmeth_lib.c | 10 ++++ + crypto/evp/evp_cnf.c | 13 ++++ + crypto/evp/m_sigver.c | 77 ++++++++++++++++++++++++ + crypto/evp/pmeth_lib.c | 15 +++++ doc/man5/config.pod | 11 ++++ include/internal/cryptlib.h | 3 +- include/internal/sslconf.h | 4 ++ @@ -46,7 +46,7 @@ Resolves: rhbz#2031742 providers/common/securitycheck_default.c | 7 ++- ssl/t1_lib.c | 8 +++ util/libcrypto.num | 2 + - 10 files changed, 148 insertions(+), 2 deletions(-) + 10 files changed, 156 insertions(+), 2 deletions(-) diff --git a/crypto/evp/evp_cnf.c b/crypto/evp/evp_cnf.c index 0e7fe64cf9..b9d3b6d226 100644 @@ -80,7 +80,7 @@ index 0e7fe64cf9..b9d3b6d226 100644 ERR_raise_data(ERR_LIB_EVP, EVP_R_UNKNOWN_OPTION, "name=%s, value=%s", oval->name, oval->value); diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c -index 9188edbc21..67498b48c0 100644 +index 9188edbc21..db1a1d7bc3 100644 --- a/crypto/evp/m_sigver.c +++ b/crypto/evp/m_sigver.c @@ -16,6 +16,71 @@ @@ -155,11 +155,14 @@ index 9188edbc21..67498b48c0 100644 #ifndef FIPS_MODULE static int update(EVP_MD_CTX *ctx, const void *data, size_t datalen) -@@ -258,6 +323,15 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, +@@ -258,6 +323,18 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, } } -+ if (ctx->reqdigest != NULL) { ++ if (ctx->reqdigest != NULL ++ && !EVP_PKEY_is_a(locpctx->pkey, SN_hmac) ++ && !EVP_PKEY_is_a(locpctx->pkey, SN_tls1_prf) ++ && !EVP_PKEY_is_a(locpctx->pkey, SN_hkdf)) { + int mdnid = EVP_MD_nid(ctx->reqdigest); + if (!ossl_ctx_legacy_digest_signatures_allowed(locpctx->libctx, 0) + && (mdnid == NID_sha1 || mdnid == NID_md5_sha1)) { @@ -172,7 +175,7 @@ index 9188edbc21..67498b48c0 100644 if (signature->digest_verify_init == NULL) { ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c -index 2b9c6c2351..d7bf2de1b6 100644 +index 2b9c6c2351..3c5a1e6f5d 100644 --- a/crypto/evp/pmeth_lib.c +++ b/crypto/evp/pmeth_lib.c @@ -33,6 +33,7 @@ @@ -183,11 +186,16 @@ index 2b9c6c2351..d7bf2de1b6 100644 #include "evp_local.h" #ifndef FIPS_MODULE -@@ -946,6 +947,15 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_CTX *ctx, const EVP_MD *md, +@@ -946,6 +947,20 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_CTX *ctx, const EVP_MD *md, return -2; } -+ if (EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx) && md != NULL) { ++ if (EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx) ++ && md != NULL ++ && ctx->pkey != NULL ++ && !EVP_PKEY_is_a(ctx->pkey, SN_hmac) ++ && !EVP_PKEY_is_a(ctx->pkey, SN_tls1_prf) ++ && !EVP_PKEY_is_a(ctx->pkey, SN_hkdf)) { + int mdnid = EVP_MD_nid(md); + if ((mdnid == NID_sha1 || mdnid == NID_md5_sha1) + && !ossl_ctx_legacy_digest_signatures_allowed(ctx->libctx, 0)) { diff --git a/openssl.spec b/openssl.spec index 38f26a0..b285a0e 100644 --- a/openssl.spec +++ b/openssl.spec @@ -410,6 +410,10 @@ install -m644 %{SOURCE9} \ %ldconfig_scriptlets libs %changelog +* Tue Feb 22 2022 Clemens Lang - 3.0.1-9 +- Allow SHA1 usage in HMAC in TLS +- Resolves: rhbz#2031742 + * Tue Feb 22 2022 Dmitry Belyavskiy - 1:3.0.1-8 - OpenSSL will generate keys with prime192v1 curve if it is provided using explicit parameters - Resolves: rhbz#1977867