Fix RSA PSS padding with SHA-1 disabled

Invocations of EVP_PKEY_CTX_set_rsa_padding(RSA_PKCS1_PSS_PADDING)
before setting an allowed digest with EVP_PKEY_CTX_set_signature_md()
would fail with SHA-1 use in signatures disabled, because OpenSSL's
internal default for the digest was SHA-1.

This isn't documented in any of the manpages, hence we expect users to
always call both EVP_PKEY_CTX_set_rsa_padding() and
EVP_PKEY_CTX_set_signature_md(). We do not want set_rsa_padding() to
fail if users set a non-SHA-1 signature algorithm after setting the
padding mode, though, so change the internal default to SHA-256 if SHA-1
is disabled.

Resolves: rhbz#2062640

0049-Selectively-disallow-SHA1-signatures.patch

@@ -1,4 +1,4 @@
-From b4b38e64dc322b8852f65b73e337517e1e1d651f Mon Sep 17 00:00:00 2001
+From 243201772cc6d583fae9eba81cb2c2c7425bc564 Mon Sep 17 00:00:00 2001
 From: Clemens Lang <cllang@redhat.com>
 Date: Mon, 21 Feb 2022 17:24:44 +0100
 Subject: Selectively disallow SHA1 signatures
@@ -46,10 +46,10 @@ Resolves: rhbz#2031742
  providers/common/securitycheck_default.c      |  9 ++-
  providers/implementations/signature/dsa_sig.c | 11 ++-
  .../implementations/signature/ecdsa_sig.c     |  4 +
- providers/implementations/signature/rsa_sig.c |  9 ++-
+ providers/implementations/signature/rsa_sig.c | 20 ++++-
  ssl/t1_lib.c                                  |  8 ++
  util/libcrypto.num                            |  2 +
- 13 files changed, 178 insertions(+), 8 deletions(-)
+ 13 files changed, 188 insertions(+), 9 deletions(-)
 
 diff --git a/crypto/evp/evp_cnf.c b/crypto/evp/evp_cnf.c
 index 0e7fe64cf9..b9d3b6d226 100644
@@ -382,10 +382,26 @@ index 865d49d100..99b228e82c 100644
                                                      sha1_allowed);
      if (md_nid < 0) {
 diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
-index 325e855333..c96e7e218f 100644
+index 325e855333..bea397f0c1 100644
 --- a/providers/implementations/signature/rsa_sig.c
 +++ b/providers/implementations/signature/rsa_sig.c
-@@ -289,10 +289,15 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname,
+@@ -26,6 +26,7 @@
+ #include "internal/cryptlib.h"
+ #include "internal/nelem.h"
+ #include "internal/sizes.h"
++#include "internal/sslconf.h"
+ #include "crypto/rsa.h"
+ #include "prov/providercommon.h"
+ #include "prov/implementations.h"
+@@ -34,6 +35,7 @@
+ #include "prov/securitycheck.h"
+ 
+ #define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1
++#define RSA_DEFAULT_DIGEST_NAME_NONLEGACY OSSL_DIGEST_NAME_SHA2_256
+ 
+ static OSSL_FUNC_signature_newctx_fn rsa_newctx;
+ static OSSL_FUNC_signature_sign_init_fn rsa_sign_init;
+@@ -289,10 +291,15 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname,
  
      if (mdname != NULL) {
          EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
@@ -403,6 +419,23 @@ index 325e855333..c96e7e218f 100644
  
          if (md == NULL
              || md_nid <= 0
+@@ -1348,8 +1355,15 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
+     prsactx->pad_mode = pad_mode;
+ 
+     if (prsactx->md == NULL && pmdname == NULL
+-        && pad_mode == RSA_PKCS1_PSS_PADDING)
++        && pad_mode == RSA_PKCS1_PSS_PADDING) {
+         pmdname = RSA_DEFAULT_DIGEST_NAME;
++#ifndef FIPS_MODULE
++        if (!ossl_ctx_legacy_digest_signatures_allowed(prsactx->libctx, 0)) {
++            pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY;
++        }
++#endif
++    }
++
+ 
+     if (pmgf1mdname != NULL
+         && !rsa_setup_mgf1_md(prsactx, pmgf1mdname, pmgf1mdprops))
 diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
 index fc32bb3556..4b74ee1a34 100644
 --- a/ssl/t1_lib.c

openssl.spec

@@ -15,7 +15,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 3.0.1
-Release: 15%{?dist}
+Release: 17%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -414,6 +414,12 @@ install -m644 %{SOURCE9} \
 %ldconfig_scriptlets libs
 
 %changelog
+* Thu Mar 10 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-17
+- Fix invocation of EVP_PKEY_CTX_set_rsa_padding(RSA_PKCS1_PSS_PADDING) before
+  setting an allowed digest with EVP_PKEY_CTX_set_signature_md()
+- Skipping 3.0.1-16 due to version numbering confusion with the RHEL-9.0 branch
+- Resolves: rhbz#2062640
+
 * Tue Mar 01 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-15
 - Allow SHA1 in SECLEVEL 2 if rh-allow-sha1-signatures = yes
 - Resolves: rhbz#2060510