From 5a9ab1160e53ec9b72fe824fe17595a8c93b6f25 Mon Sep 17 00:00:00 2001
From: Clemens Lang
Date: Tue, 22 Feb 2022 19:34:36 +0100
Subject: [PATCH] Allow SHA1 usage in HMAC in TLS
The EVP_DigestSign API is used in TLS to compute a SHA1 HMAC, which is OK from our point of view, but was blocked so far. Modify 0049-Selectively-disallow-SHA1-signatures.patch to check the EVP_PKEY type for HMAC (and TLS1-PRF and HKDF), and allow SHA1 for these cases. Note that TLS1.1 signs a MD5-SHA1 hash with a private key, which does not work with rh-allow-sha1-signatures = no, so the minimum TLS version will be TLS 1.2.
Resolves: rhbz#2031742
Signed-off-by: Clemens Lang
---
 ...Selectively-disallow-SHA1-signatures.patch | 28 ++++++++++++-------
 openssl.spec | 4 +++
 2 files changed, 22 insertions(+), 10 deletions(-)
diff --git a/0049-Selectively-disallow-SHA1-signatures.patch b/0049-Selectively-disallow-SHA1-signatures.patch
index 8b180ce..d74dba3 100644
--- a/0049-Selectively-disallow-SHA1-signatures.patch
+++ b/0049-Selectively-disallow-SHA1-signatures.patch
@@ -36,9 +36,9 @@ signing arbitrary data).
 Resolves: rhbz#2031742
 ---
- crypto/evp/evp_cnf.c | 13 +++++
- crypto/evp/m_sigver.c | 74 ++++++++++++++++++++++++
- crypto/evp/pmeth_lib.c | 10 ++++
+ crypto/evp/evp_cnf.c | 13 ++++
+ crypto/evp/m_sigver.c | 77 ++++++++++++++++++++++++
+ crypto/evp/pmeth_lib.c | 15 +++++
 doc/man5/config.pod | 11 ++++
 include/internal/cryptlib.h | 3 +-
 include/internal/sslconf.h | 4 ++
@@ -46,7 +46,7 @@ Resolves: rhbz#2031742
 providers/common/securitycheck_default.c | 7 ++-
 ssl/t1_lib.c | 8 +++
 util/libcrypto.num | 2 +
- 10 files changed, 148 insertions(+), 2 deletions(-)
+ 10 files changed, 156 insertions(+), 2 deletions(-)
 diff --git a/crypto/evp/evp_cnf.c b/crypto/evp/evp_cnf.c
 index 0e7fe64cf9..b9d3b6d226 100644
@@ -80,7 +80,7 @@ index 0e7fe64cf9..b9d3b6d226 100644
 ERR_raise_data(ERR_LIB_EVP, EVP_R_UNKNOWN_OPTION, "name=%s, value=%s", oval->name, oval->value);
diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c
-index 9188edbc21..67498b48c0 100644
+index 9188edbc21..db1a1d7bc3 100644
 --- a/crypto/evp/m_sigver.c
 +++ b/crypto/evp/m_sigver.c
 @@ -16,6 +16,71 @@
@@ -155,11 +155,14 @@ index 9188edbc21..67498b48c0 100644
 #ifndef FIPS_MODULE
 static int update(EVP_MD_CTX *ctx, const void *data, size_t datalen)
-@@ -258,6 +323,15 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
+@@ -258,6 +323,18 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
 }
 }
-+ if (ctx->reqdigest != NULL) {
++ if (ctx->reqdigest != NULL
++ && !EVP_PKEY_is_a(locpctx->pkey, SN_hmac)
++ && !EVP_PKEY_is_a(locpctx->pkey, SN_tls1_prf)
++ && !EVP_PKEY_is_a(locpctx->pkey, SN_hkdf)) {
 + int mdnid = EVP_MD_nid(ctx->reqdigest);
 + if (!ossl_ctx_legacy_digest_signatures_allowed(locpctx->libctx, 0)
 + && (mdnid == NID_sha1 || mdnid == NID_md5_sha1)) {
@@ -172,7 +175,7 @@ index 9188edbc21..67498b48c0 100644
 if (signature->digest_verify_init == NULL) {
 ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
 diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
-index 2b9c6c2351..d7bf2de1b6 100644
+index 2b9c6c2351..3c5a1e6f5d 100644
 --- a/crypto/evp/pmeth_lib.c
 +++ b/crypto/evp/pmeth_lib.c
 @@ -33,6 +33,7 @@
@@ -183,11 +186,16 @@ index 2b9c6c2351..d7bf2de1b6 100644
 #include "evp_local.h"
 #ifndef FIPS_MODULE
-@@ -946,6 +947,15 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_CTX *ctx, const EVP_MD *md,
+@@ -946,6 +947,20 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_CTX *ctx, const EVP_MD *md,
 return -2;
 }
-+ if (EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx) && md != NULL) {
++ if (EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx)
++ && md != NULL
++ && ctx->pkey != NULL
++ && !EVP_PKEY_is_a(ctx->pkey, SN_hmac)
++ && !EVP_PKEY_is_a(ctx->pkey, SN_tls1_prf)
++ && !EVP_PKEY_is_a(ctx->pkey, SN_hkdf)) {
 + int mdnid = EVP_MD_nid(md);
 + if ((mdnid == NID_sha1 || mdnid == NID_md5_sha1)
 + && !ossl_ctx_legacy_digest_signatures_allowed(ctx->libctx, 0)) {
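Review bot: The two new exemption conditions treat an unset key inconsistently — in this hunk (`@@ -155,11 +155,14 @@`, the m_sigver.c change) `EVP_PKEY_is_a(locpctx->pkey, ...)` is reached with no NULL check, while the pmeth_lib.c hunk (`@@ -183,11 +186,16 @@`) adds `ctx->pkey != NULL` as a plain conjunct, so when the key is NULL the whole condition is false and the SHA1/MD5-SHA1 check is skipped rather than applied, i.e. the guard fails open. If do_sigver_init already rejects a missing key before this point, which the hunk does not show, the m_sigver.c form is fine and only the pmeth_lib.c condition needs to fail closed, e.g. `&& (ctx->pkey == NULL || (!EVP_PKEY_is_a(ctx->pkey, SN_hmac) && !EVP_PKEY_is_a(ctx->pkey, SN_tls1_prf) && !EVP_PKEY_is_a(ctx->pkey, SN_hkdf)))`; otherwise the same NULL check belongs in m_sigver.c too. The three-name exempt set now appears verbatim in two files, so a small internal helper taking the EVP_PKEY would keep the policy in one place, and the rationale that currently lives only in the commit message should sit next to the test, e.g. `/* HMAC and the TLS1-PRF/HKDF KDFs use the digest as a MAC/PRF, not as a signature hash, so the legacy digest-signature policy does not apply */`. Both do_sigver_init and evp_pkey_ctx_set_md start and end outside these hunks.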
diff --git a/openssl.spec b/openssl.spec
index 38f26a0..b285a0e 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -410,6 +410,10 @@ install -m644 %{SOURCE9} \
 %ldconfig_scriptlets libs
 %changelog
+* Tue Feb 22 2022 Clemens Lang - 3.0.1-9
+- Allow SHA1 usage in HMAC in TLS
+- Resolves: rhbz#2031742
+
 * Tue Feb 22 2022 Dmitry Belyavskiy - 1:3.0.1-8
 - OpenSSL will generate keys with prime192v1 curve if it is provided using explicit parameters
 - Resolves: rhbz#1977867