@ -36,9 +36,9 @@ signing arbitrary data).
Resolves: rhbz#2031742
---
crypto/evp/evp_cnf.c | 13 +++++
crypto/evp/m_sigver.c | 74 ++++++++++++++++++++++++
crypto/evp/pmeth_lib.c | 10 ++++
crypto/evp/evp_cnf.c | 13 ++++
crypto/evp/m_sigver.c | 77 ++++++++++++++++++++++++
crypto/evp/pmeth_lib.c | 15 + ++++
doc/man5/config.pod | 11 ++++
include/internal/cryptlib.h | 3 +-
include/internal/sslconf.h | 4 ++
@ -46,7 +46,7 @@ Resolves: rhbz#2031742
providers/common/securitycheck_default.c | 7 ++-
ssl/t1_lib.c | 8 +++
util/libcrypto.num | 2 +
10 files changed, 148 insertions(+), 2 deletions(-)
10 files changed, 156 insertions(+), 2 deletions(-)
diff --git a/crypto/evp/evp_cnf.c b/crypto/evp/evp_cnf.c
index 0e7fe64cf9..b9d3b6d226 100644
@ -80,7 +80,7 @@ index 0e7fe64cf9..b9d3b6d226 100644
ERR_raise_data(ERR_LIB_EVP, EVP_R_UNKNOWN_OPTION,
"name=%s, value=%s", oval->name, oval->value);
diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c
index 9188edbc21.. 67498b48c0 100644
index 9188edbc21.. db1a1d7bc3 100644
--- a/crypto/evp/m_sigver.c
+++ b/crypto/evp/m_sigver.c
@@ -16,6 +16,71 @@
@ -155,11 +155,14 @@ index 9188edbc21..67498b48c0 100644
#ifndef FIPS_MODULE
static int update(EVP_MD_CTX *ctx, const void *data, size_t datalen)
@@ -258,6 +323,1 5 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
@@ -258,6 +323,1 8 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
}
}
+ if (ctx->reqdigest != NULL) {
+ if (ctx->reqdigest != NULL
+ && !EVP_PKEY_is_a(locpctx->pkey, SN_hmac)
+ && !EVP_PKEY_is_a(locpctx->pkey, SN_tls1_prf)
+ && !EVP_PKEY_is_a(locpctx->pkey, SN_hkdf)) {
+ int mdnid = EVP_MD_nid(ctx->reqdigest);
+ if (!ossl_ctx_legacy_digest_signatures_allowed(locpctx->libctx, 0)
+ && (mdnid == NID_sha1 || mdnid == NID_md5_sha1)) {
@ -172,7 +175,7 @@ index 9188edbc21..67498b48c0 100644
if (signature->digest_verify_init == NULL) {
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
index 2b9c6c2351.. d7bf2de1b6 100644
index 2b9c6c2351.. 3c5a1e6f5d 100644
--- a/crypto/evp/pmeth_lib.c
+++ b/crypto/evp/pmeth_lib.c
@@ -33,6 +33,7 @@
@ -183,11 +186,16 @@ index 2b9c6c2351..d7bf2de1b6 100644
#include "evp_local.h"
#ifndef FIPS_MODULE
@@ -946,6 +947, 15 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_CTX *ctx, const EVP_MD *md,
@@ -946,6 +947, 20 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_CTX *ctx, const EVP_MD *md,
return -2;
}
+ if (EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx) && md != NULL) {
+ if (EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx)
+ && md != NULL
+ && ctx->pkey != NULL
+ && !EVP_PKEY_is_a(ctx->pkey, SN_hmac)
+ && !EVP_PKEY_is_a(ctx->pkey, SN_tls1_prf)
+ && !EVP_PKEY_is_a(ctx->pkey, SN_hkdf)) {
+ int mdnid = EVP_MD_nid(md);
+ if ((mdnid == NID_sha1 || mdnid == NID_md5_sha1)
+ && !ossl_ctx_legacy_digest_signatures_allowed(ctx->libctx, 0)) {