From ede38fcb549e6658ee42dc21d0956a4e8846ff8c Mon Sep 17 00:00:00 2001 From: Clemens Lang Date: Fri, 25 Feb 2022 14:36:41 +0100 Subject: [PATCH] Prevent use of SHA1 with ECDSA providers/implementations/signature/{ec,}dsa_sig.c accept a NID_undef digest, so to prevent SHA1 from working with ECDSA and DSA, we must return a negative value in securitycheck.c. Resolves: rhbz#2031742 --- 0049-Selectively-disallow-SHA1-signatures.patch | 4 ++-- openssl.spec | 6 +++++- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/0049-Selectively-disallow-SHA1-signatures.patch b/0049-Selectively-disallow-SHA1-signatures.patch index bce8c96..e5973ce 100644 --- a/0049-Selectively-disallow-SHA1-signatures.patch +++ b/0049-Selectively-disallow-SHA1-signatures.patch @@ -260,7 +260,7 @@ index fd7f7e3331..05464b0655 100644 + int loadconfig); #endif diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c -index 699ada7c52..f3af62325d 100644 +index 699ada7c52..e534ad0a5f 100644 --- a/providers/common/securitycheck.c +++ b/providers/common/securitycheck.c @@ -19,6 +19,7 @@ @@ -281,7 +281,7 @@ index 699ada7c52..f3af62325d 100644 + /* SHA1 is globally disabled, check whether we want to locally allow + * it. */ + if (mdnid == NID_sha1 && !sha1_allowed) -+ mdnid = NID_undef; ++ mdnid = -1; +#endif + return mdnid; diff --git a/openssl.spec b/openssl.spec index 81356fe..9fcbfe5 100644 --- a/openssl.spec +++ b/openssl.spec @@ -15,7 +15,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 3.0.1 -Release: 13%{?dist} +Release: 14%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -412,6 +412,10 @@ install -m644 %{SOURCE9} \ %ldconfig_scriptlets libs %changelog +* Fri Feb 25 2022 Clemens Lang - 1:3.0.1-14 +- Prevent use of SHA1 with ECDSA +- Resolves: rhbz#2031742 + * Fri Feb 25 2022 Dmitry Belyavskiy - 1:3.0.1-13 - OpenSSL will generate keys with prime192v1 curve if it is provided using explicit parameters - Resolves: rhbz#1977867