Disable SHA1 signature creation and verification by default

Set rh-allow-sha1-signatures = yes to re-enable

Resolves: rhbz#2031742
Signed-off-by: Clemens Lang <cllang@redhat.com>

0049-Selectively-disallow-SHA1-signatures.patch

@@ -0,0 +1,376 @@
+From 8cf6c9fce2446340f361138dfb55cb7cdcb4b776 Mon Sep 17 00:00:00 2001
+From: Clemens Lang <cllang@redhat.com>
+Date: Mon, 21 Feb 2022 17:24:44 +0100
+Subject: Selectively disallow SHA1 signatures
+
+For RHEL 9.0, we want to phase out SHA1. One of the steps to do that is
+disabling SHA1 signatures. Introduce a new configuration option in the
+alg_section named 'rh-allow-sha1-signatures'. This option defaults to
+false. If set to false (or unset), any signature creation or
+verification operations that involve SHA1 as digest will fail.
+
+This also affects TLS, where the signature_algorithms extension of any
+ClientHello message sent by OpenSSL will no longer include signatures
+with the SHA1 digest if rh-allow-sha1-signatures is false. For servers
+that request a client certificate, the same also applies for
+CertificateRequest messages sent by them.
+
+For signatures created using the EVP_PKEY API, this is a best-effort
+check that will deny signatures in cases where the digest algorithm is
+known. This means, for example, that that following steps will still
+work:
+
+ $> openssl dgst -sha1 -binary -out sha1 infile
+ $> openssl pkeyutl -inkey key.pem -sign -in sha1 -out sha1sig
+ $> openssl pkeyutl -inkey key.pem -verify -sigfile sha1sig -in sha1
+
+whereas these will not:
+
+ $> openssl dgst -sha1 -binary -out sha1 infile
+ $> openssl pkeyutl -inkey kem.pem -sign -in sha1 -out sha1sig -pkeyopt digest:sha1
+ $> openssl pkeyutl -inkey kem.pem -verify -sigfile sha1sig -in sha1 -pkeyopt digest:sha1
+
+This happens because in the first case, OpenSSL's signature
+implementation does not know that it is signing a SHA1 hash (it could be
+signing arbitrary data).
+
+Resolves: rhbz#2031742
+---
+ crypto/evp/evp_cnf.c                     | 13 +++++
+ crypto/evp/m_sigver.c                    | 74 ++++++++++++++++++++++++
+ crypto/evp/pmeth_lib.c                   | 10 ++++
+ doc/man5/config.pod                      | 11 ++++
+ include/internal/cryptlib.h              |  3 +-
+ include/internal/sslconf.h               |  4 ++
+ providers/common/securitycheck.c         | 18 ++++++
+ providers/common/securitycheck_default.c |  7 ++-
+ ssl/t1_lib.c                             |  8 +++
+ util/libcrypto.num                       |  2 +
+ 10 files changed, 148 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/evp/evp_cnf.c b/crypto/evp/evp_cnf.c
+index 0e7fe64cf9..b9d3b6d226 100644
+--- a/crypto/evp/evp_cnf.c
++++ b/crypto/evp/evp_cnf.c
+@@ -10,6 +10,7 @@
+ #include <stdio.h>
+ #include <openssl/crypto.h>
+ #include "internal/cryptlib.h"
++#include "internal/sslconf.h"
+ #include <openssl/conf.h>
+ #include <openssl/x509.h>
+ #include <openssl/x509v3.h>
+@@ -57,6 +58,18 @@ static int alg_module_init(CONF_IMODULE *md, const CONF *cnf)
+                 ERR_raise(ERR_LIB_EVP, EVP_R_SET_DEFAULT_PROPERTY_FAILURE);
+                 return 0;
+             }
++        } else if (strcmp(oval->name, "rh-allow-sha1-signatures") == 0) {
++            int m;
++
++            /* Detailed error already reported. */
++            if (!X509V3_get_value_bool(oval, &m))
++                return 0;
++
++            if (!ossl_ctx_legacy_digest_signatures_allowed_set(
++                    NCONF_get0_libctx((CONF *)cnf), m > 0, 0)) {
++                ERR_raise(ERR_LIB_EVP, EVP_R_SET_DEFAULT_PROPERTY_FAILURE);
++                return 0;
++            }
+         } else {
+             ERR_raise_data(ERR_LIB_EVP, EVP_R_UNKNOWN_OPTION,
+                            "name=%s, value=%s", oval->name, oval->value);
+diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c
+index 9188edbc21..67498b48c0 100644
+--- a/crypto/evp/m_sigver.c
++++ b/crypto/evp/m_sigver.c
+@@ -16,6 +16,71 @@
+ #include "internal/numbers.h"   /* includes SIZE_MAX */
+ #include "evp_local.h"
+ 
++typedef struct ossl_legacy_digest_signatures_st {
++    int allowed;
++} OSSL_LEGACY_DIGEST_SIGNATURES;
++
++static void ossl_ctx_legacy_digest_signatures_free(void *vldsigs)
++{
++    OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs = vldsigs;
++
++    if (ldsigs != NULL) {
++        OPENSSL_free(ldsigs);
++    }
++}
++
++static void *ossl_ctx_legacy_digest_signatures_new(OSSL_LIB_CTX *ctx)
++{
++    return OPENSSL_zalloc(sizeof(OSSL_LEGACY_DIGEST_SIGNATURES));
++}
++
++static const OSSL_LIB_CTX_METHOD ossl_ctx_legacy_digest_signatures_method = {
++    OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY,
++    ossl_ctx_legacy_digest_signatures_new,
++    ossl_ctx_legacy_digest_signatures_free,
++};
++
++static OSSL_LEGACY_DIGEST_SIGNATURES *ossl_ctx_legacy_digest_signatures(
++        OSSL_LIB_CTX *libctx, int loadconfig)
++{
++#ifndef FIPS_MODULE
++    if (loadconfig && !OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL))
++        return 0;
++#endif
++
++    return ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES,
++                                 &ossl_ctx_legacy_digest_signatures_method);
++}
++
++int ossl_ctx_legacy_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int loadconfig)
++{
++    OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs
++        = ossl_ctx_legacy_digest_signatures(libctx, loadconfig);
++
++#ifndef FIPS_MODULE
++    if (ossl_safe_getenv("OPENSSL_ENABLE_SHA1_SIGNATURES") != NULL)
++        /* used in tests */
++        return 1;
++#endif
++
++    return ldsigs != NULL ? ldsigs->allowed : 0;
++}
++
++int ossl_ctx_legacy_digest_signatures_allowed_set(OSSL_LIB_CTX *libctx, int allow,
++                                                  int loadconfig)
++{
++    OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs
++        = ossl_ctx_legacy_digest_signatures(libctx, loadconfig);
++
++    if (ldsigs == NULL) {
++        ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR);
++        return 0;
++    }
++
++    ldsigs->allowed = allow;
++    return 1;
++}
++
+ #ifndef FIPS_MODULE
+ 
+ static int update(EVP_MD_CTX *ctx, const void *data, size_t datalen)
+@@ -258,6 +323,15 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
+         }
+     }
+ 
++    if (ctx->reqdigest != NULL) {
++        int mdnid = EVP_MD_nid(ctx->reqdigest);
++        if (!ossl_ctx_legacy_digest_signatures_allowed(locpctx->libctx, 0)
++                && (mdnid == NID_sha1 || mdnid == NID_md5_sha1)) {
++            ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_DIGEST);
++            goto err;
++        }
++    }
++
+     if (ver) {
+         if (signature->digest_verify_init == NULL) {
+             ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
+diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
+index 2b9c6c2351..d7bf2de1b6 100644
+--- a/crypto/evp/pmeth_lib.c
++++ b/crypto/evp/pmeth_lib.c
+@@ -33,6 +33,7 @@
+ #include "internal/ffc.h"
+ #include "internal/numbers.h"
+ #include "internal/provider.h"
++#include "internal/sslconf.h"
+ #include "evp_local.h"
+ 
+ #ifndef FIPS_MODULE
+@@ -946,6 +947,15 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_CTX *ctx, const EVP_MD *md,
+         return -2;
+     }
+ 
++    if (EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx) && md != NULL) {
++        int mdnid = EVP_MD_nid(md);
++        if ((mdnid == NID_sha1 || mdnid == NID_md5_sha1)
++                && !ossl_ctx_legacy_digest_signatures_allowed(ctx->libctx, 0)) {
++            ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_DIGEST);
++            return -1;
++        }
++    }
++
+     if (fallback)
+         return EVP_PKEY_CTX_ctrl(ctx, -1, op, ctrl, 0, (void *)(md));
+ 
+diff --git a/doc/man5/config.pod b/doc/man5/config.pod
+index 77a8055e81..aa1be5ca7f 100644
+--- a/doc/man5/config.pod
++++ b/doc/man5/config.pod
+@@ -304,6 +304,17 @@ Within the algorithm properties section, the following names have meaning:
+ The value may be anything that is acceptable as a property query
+ string for EVP_set_default_properties().
+ 
++=item B<rh-allow-sha1-signatures>
++
++The value is a boolean that can be B<yes> or B<no>.  If the value is not set,
++it behaves as if it was set to B<no>.
++
++When set to B<no>, any attempt to create or verify a signature with a SHA1
++digest will fail.  For compatibility with older versions of OpenSSL, set this
++option to B<yes>.  This setting also affects TLS, where signature algorithms
++that use SHA1 as digest will no longer be supported if this option is set to
++B<no>.
++
+ =item B<fips_mode> (deprecated)
+ 
+ The value is a boolean that can be B<yes> or B<no>.  If the value is
+diff --git a/include/internal/cryptlib.h b/include/internal/cryptlib.h
+index 1291299b6e..e234341e6a 100644
+--- a/include/internal/cryptlib.h
++++ b/include/internal/cryptlib.h
+@@ -168,7 +168,8 @@ typedef struct ossl_ex_data_global_st {
+ # define OSSL_LIB_CTX_PROVIDER_CONF_INDEX           16
+ # define OSSL_LIB_CTX_BIO_CORE_INDEX                17
+ # define OSSL_LIB_CTX_CHILD_PROVIDER_INDEX          18
+-# define OSSL_LIB_CTX_MAX_INDEXES                   19
++# define OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES      19
++# define OSSL_LIB_CTX_MAX_INDEXES                   20
+ 
+ # define OSSL_LIB_CTX_METHOD_LOW_PRIORITY          -1
+ # define OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY       0
+diff --git a/include/internal/sslconf.h b/include/internal/sslconf.h
+index fd7f7e3331..05464b0655 100644
+--- a/include/internal/sslconf.h
++++ b/include/internal/sslconf.h
+@@ -18,4 +18,8 @@ int conf_ssl_name_find(const char *name, size_t *idx);
+ void conf_ssl_get_cmd(const SSL_CONF_CMD *cmd, size_t idx, char **cmdstr,
+                       char **arg);
+ 
++/* Methods to support disabling all signatures with legacy digests */
++int ossl_ctx_legacy_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int loadconfig);
++int ossl_ctx_legacy_digest_signatures_allowed_set(OSSL_LIB_CTX *libctx, int allow,
++                                                  int loadconfig);
+ #endif
+diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c
+index 699ada7c52..c501466cdc 100644
+--- a/providers/common/securitycheck.c
++++ b/providers/common/securitycheck.c
+@@ -19,6 +19,7 @@
+ #include <openssl/core_names.h>
+ #include <openssl/obj_mac.h>
+ #include "prov/securitycheck.h"
++#include "internal/sslconf.h"
+ 
+ /*
+  * FIPS requires a minimum security strength of 112 bits (for encryption or
+@@ -235,6 +236,13 @@ int ossl_digest_get_approved_nid_with_sha1(OSSL_LIB_CTX *ctx, const EVP_MD *md,
+             mdnid = -1; /* disallowed by security checks */
+     }
+ # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
++
++#ifndef FIPS_MODULE
++    if (mdnid == NID_sha1
++            && !ossl_ctx_legacy_digest_signatures_allowed(ctx, 0))
++        mdnid = -1; /* disallowed by security checks */
++#endif
++
+     return mdnid;
+ }
+ 
+@@ -244,5 +252,15 @@ int ossl_digest_is_allowed(OSSL_LIB_CTX *ctx, const EVP_MD *md)
+     if (ossl_securitycheck_enabled(ctx))
+         return ossl_digest_get_approved_nid(md) != NID_undef;
+ # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
++
++#ifndef FIPS_MODULE
++    {
++        int mdnid = EVP_MD_nid(md);
++        if ((mdnid == NID_sha1 || mdnid == NID_md5_sha1)
++                && !ossl_ctx_legacy_digest_signatures_allowed(ctx, 0))
++            return 0;
++    }
++#endif
++
+     return 1;
+ }
+diff --git a/providers/common/securitycheck_default.c b/providers/common/securitycheck_default.c
+index de7f0d3a0a..0ba8285fbb 100644
+--- a/providers/common/securitycheck_default.c
++++ b/providers/common/securitycheck_default.c
+@@ -15,6 +15,7 @@
+ #include <openssl/obj_mac.h>
+ #include "prov/securitycheck.h"
+ #include "internal/nelem.h"
++#include "internal/sslconf.h"
+ 
+ /* Disable the security checks in the default provider */
+ int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx)
+@@ -26,6 +27,7 @@ int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md,
+                                     ossl_unused int sha1_allowed)
+ {
+     int mdnid;
++    int ldsigs_allowed;
+ 
+     static const OSSL_ITEM name_to_nid[] = {
+         { NID_md5,       OSSL_DIGEST_NAME_MD5       },
+@@ -36,8 +38,11 @@ int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md,
+         { NID_ripemd160, OSSL_DIGEST_NAME_RIPEMD160 },
+     };
+ 
+-    mdnid = ossl_digest_get_approved_nid_with_sha1(ctx, md, 1);
++    ldsigs_allowed = ossl_ctx_legacy_digest_signatures_allowed(ctx, 0);
++    mdnid = ossl_digest_get_approved_nid_with_sha1(ctx, md, ldsigs_allowed);
+     if (mdnid == NID_undef)
+         mdnid = ossl_digest_md_to_nid(md, name_to_nid, OSSL_NELEM(name_to_nid));
++    if (mdnid == NID_md5_sha1 && !ldsigs_allowed)
++        mdnid = -1;
+     return mdnid;
+ }
+diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
+index fc32bb3556..4b74ee1a34 100644
+--- a/ssl/t1_lib.c
++++ b/ssl/t1_lib.c
+@@ -20,6 +20,7 @@
+ #include <openssl/bn.h>
+ #include <openssl/provider.h>
+ #include <openssl/param_build.h>
++#include "internal/sslconf.h"
+ #include "internal/nelem.h"
+ #include "internal/sizes.h"
+ #include "internal/tlsgroups.h"
+@@ -1145,11 +1146,13 @@ int ssl_setup_sig_algs(SSL_CTX *ctx)
+         = OPENSSL_malloc(sizeof(*lu) * OSSL_NELEM(sigalg_lookup_tbl));
+     EVP_PKEY *tmpkey = EVP_PKEY_new();
+     int ret = 0;
++    int ldsigs_allowed;
+ 
+     if (cache == NULL || tmpkey == NULL)
+         goto err;
+ 
+     ERR_set_mark();
++    ldsigs_allowed = ossl_ctx_legacy_digest_signatures_allowed(ctx->libctx, 0);
+     for (i = 0, lu = sigalg_lookup_tbl;
+          i < OSSL_NELEM(sigalg_lookup_tbl); lu++, i++) {
+         EVP_PKEY_CTX *pctx;
+@@ -1169,6 +1172,11 @@ int ssl_setup_sig_algs(SSL_CTX *ctx)
+             cache[i].enabled = 0;
+             continue;
+         }
++        if ((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1)
++                && !ldsigs_allowed) {
++            cache[i].enabled = 0;
++            continue;
++        }
+ 
+         if (!EVP_PKEY_set_type(tmpkey, lu->sig)) {
+             cache[i].enabled = 0;
+diff --git a/util/libcrypto.num b/util/libcrypto.num
+index 10b4e57d79..2d3c363bb0 100644
+--- a/util/libcrypto.num
++++ b/util/libcrypto.num
+@@ -5426,3 +5426,5 @@ ASN1_TIME_print_ex                      5553	3_0_0	EXIST::FUNCTION:
+ EVP_PKEY_get0_provider                  5554	3_0_0	EXIST::FUNCTION:
+ EVP_PKEY_CTX_get0_provider              5555	3_0_0	EXIST::FUNCTION:
+ ossl_safe_getenv                        ?	3_0_0	EXIST::FUNCTION:
++ossl_ctx_legacy_digest_signatures_allowed ?	3_0_1	EXIST::FUNCTION:
++ossl_ctx_legacy_digest_signatures_allowed_set ?	3_0_1	EXIST::FUNCTION:
+-- 
+2.35.1
+

openssl.spec

@@ -15,7 +15,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 3.0.1
-Release: 7%{?dist}
+Release: 8%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -73,6 +73,8 @@ Patch46: 0046-FIPS-s390x-hardening.patch
 Patch47: 0047-FIPS-early-KATS.patch
 # Backport of correctly handle 2^14 byte long records #17538
 Patch48: 0048-correctly-handle-records.patch
+# Selectively disallow SHA1 signatures
+Patch49: 0049-Selectively-disallow-SHA1-signatures.patch
 
 License: ASL 2.0
 URL: http://www.openssl.org/
@@ -245,6 +247,8 @@ patch -p1 < %{SOURCE14}
 
 OPENSSL_ENABLE_MD5_VERIFY=
 export OPENSSL_ENABLE_MD5_VERIFY
+OPENSSL_ENABLE_SHA1_SIGNATURES=
+export OPENSSL_ENABLE_SHA1_SIGNATURES
 OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
 export OPENSSL_SYSTEM_CIPHERS_OVERRIDE
 #embed HMAC into fips provider for test run
@@ -401,6 +405,11 @@ install -m644 %{SOURCE9} \
 %ldconfig_scriptlets libs
 
 %changelog
+* Tue Feb 22 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-8
+- Disable SHA1 signature creation and verification by default
+- Set rh-allow-sha1-signatures = yes to re-enable
+- Resolves: rhbz#2031742
+
 * Thu Feb 03 2022 Sahana Prasad <sahana@redhat.com> - 1:3.0.1-7
 - s_server: correctly handle 2^14 byte long records
 - Resolves: rhbz#2042011