/[smecontribs]/rpms/openssl3/contribs10/0049-Selectively-disallow-SHA1-signatures.patch
ViewVC logotype

Annotation of /rpms/openssl3/contribs10/0049-Selectively-disallow-SHA1-signatures.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (hide annotations) (download)
Wed Jan 31 17:24:39 2024 UTC (10 months ago) by jpp
Branch: MAIN
CVS Tags: openssl3-3_0_7-5_el7_sme_1, HEAD
Initial import

1 jpp 1.1 From 243201772cc6d583fae9eba81cb2c2c7425bc564 Mon Sep 17 00:00:00 2001
2     From: Clemens Lang <cllang@redhat.com>
3     Date: Mon, 21 Feb 2022 17:24:44 +0100
4     Subject: Selectively disallow SHA1 signatures
5    
6     For RHEL 9.0, we want to phase out SHA1. One of the steps to do that is
7     disabling SHA1 signatures. Introduce a new configuration option in the
8     alg_section named 'rh-allow-sha1-signatures'. This option defaults to
9     false. If set to false (or unset), any signature creation or
10     verification operations that involve SHA1 as digest will fail.
11    
12     This also affects TLS, where the signature_algorithms extension of any
13     ClientHello message sent by OpenSSL will no longer include signatures
14     with the SHA1 digest if rh-allow-sha1-signatures is false. For servers
15     that request a client certificate, the same also applies for
16     CertificateRequest messages sent by them.
17    
18     For signatures created using the EVP_PKEY API, this is a best-effort
19     check that will deny signatures in cases where the digest algorithm is
20     known. This means, for example, that that following steps will still
21     work:
22    
23     $> openssl dgst -sha1 -binary -out sha1 infile
24     $> openssl pkeyutl -inkey key.pem -sign -in sha1 -out sha1sig
25     $> openssl pkeyutl -inkey key.pem -verify -sigfile sha1sig -in sha1
26    
27     whereas these will not:
28    
29     $> openssl dgst -sha1 -binary -out sha1 infile
30     $> openssl pkeyutl -inkey kem.pem -sign -in sha1 -out sha1sig -pkeyopt digest:sha1
31     $> openssl pkeyutl -inkey kem.pem -verify -sigfile sha1sig -in sha1 -pkeyopt digest:sha1
32    
33     This happens because in the first case, OpenSSL's signature
34     implementation does not know that it is signing a SHA1 hash (it could be
35     signing arbitrary data).
36    
37     Resolves: rhbz#2031742
38     ---
39     crypto/evp/evp_cnf.c | 13 ++++
40     crypto/evp/m_sigver.c | 77 +++++++++++++++++++
41     crypto/evp/pmeth_lib.c | 15 ++++
42     doc/man5/config.pod | 11 +++
43     include/internal/cryptlib.h | 3 +-
44     include/internal/sslconf.h | 4 +
45     providers/common/securitycheck.c | 20 +++++
46     providers/common/securitycheck_default.c | 9 ++-
47     providers/implementations/signature/dsa_sig.c | 11 ++-
48     .../implementations/signature/ecdsa_sig.c | 4 +
49     providers/implementations/signature/rsa_sig.c | 20 ++++-
50     ssl/t1_lib.c | 8 ++
51     util/libcrypto.num | 2 +
52     13 files changed, 188 insertions(+), 9 deletions(-)
53    
54     diff --git a/crypto/evp/evp_cnf.c b/crypto/evp/evp_cnf.c
55     index 0e7fe64cf9..b9d3b6d226 100644
56     --- a/crypto/evp/evp_cnf.c
57     +++ b/crypto/evp/evp_cnf.c
58     @@ -10,6 +10,7 @@
59     #include <stdio.h>
60     #include <openssl/crypto.h>
61     #include "internal/cryptlib.h"
62     +#include "internal/sslconf.h"
63     #include <openssl/conf.h>
64     #include <openssl/x509.h>
65     #include <openssl/x509v3.h>
66     @@ -57,6 +58,18 @@ static int alg_module_init(CONF_IMODULE *md, const CONF *cnf)
67     ERR_raise(ERR_LIB_EVP, EVP_R_SET_DEFAULT_PROPERTY_FAILURE);
68     return 0;
69     }
70     + } else if (strcmp(oval->name, "rh-allow-sha1-signatures") == 0) {
71     + int m;
72     +
73     + /* Detailed error already reported. */
74     + if (!X509V3_get_value_bool(oval, &m))
75     + return 0;
76     +
77     + if (!ossl_ctx_legacy_digest_signatures_allowed_set(
78     + NCONF_get0_libctx((CONF *)cnf), m > 0, 0)) {
79     + ERR_raise(ERR_LIB_EVP, EVP_R_SET_DEFAULT_PROPERTY_FAILURE);
80     + return 0;
81     + }
82     } else {
83     ERR_raise_data(ERR_LIB_EVP, EVP_R_UNKNOWN_OPTION,
84     "name=%s, value=%s", oval->name, oval->value);
85     diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c
86     index 9188edbc21..db1a1d7bc3 100644
87     --- a/crypto/evp/m_sigver.c
88     +++ b/crypto/evp/m_sigver.c
89     @@ -16,6 +16,71 @@
90     #include "internal/numbers.h" /* includes SIZE_MAX */
91     #include "evp_local.h"
92    
93     +typedef struct ossl_legacy_digest_signatures_st {
94     + int allowed;
95     +} OSSL_LEGACY_DIGEST_SIGNATURES;
96     +
97     +static void ossl_ctx_legacy_digest_signatures_free(void *vldsigs)
98     +{
99     + OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs = vldsigs;
100     +
101     + if (ldsigs != NULL) {
102     + OPENSSL_free(ldsigs);
103     + }
104     +}
105     +
106     +static void *ossl_ctx_legacy_digest_signatures_new(OSSL_LIB_CTX *ctx)
107     +{
108     + return OPENSSL_zalloc(sizeof(OSSL_LEGACY_DIGEST_SIGNATURES));
109     +}
110     +
111     +static const OSSL_LIB_CTX_METHOD ossl_ctx_legacy_digest_signatures_method = {
112     + OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY,
113     + ossl_ctx_legacy_digest_signatures_new,
114     + ossl_ctx_legacy_digest_signatures_free,
115     +};
116     +
117     +static OSSL_LEGACY_DIGEST_SIGNATURES *ossl_ctx_legacy_digest_signatures(
118     + OSSL_LIB_CTX *libctx, int loadconfig)
119     +{
120     +#ifndef FIPS_MODULE
121     + if (loadconfig && !OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL))
122     + return 0;
123     +#endif
124     +
125     + return ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES,
126     + &ossl_ctx_legacy_digest_signatures_method);
127     +}
128     +
129     +int ossl_ctx_legacy_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int loadconfig)
130     +{
131     + OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs
132     + = ossl_ctx_legacy_digest_signatures(libctx, loadconfig);
133     +
134     +#ifndef FIPS_MODULE
135     + if (ossl_safe_getenv("OPENSSL_ENABLE_SHA1_SIGNATURES") != NULL)
136     + /* used in tests */
137     + return 1;
138     +#endif
139     +
140     + return ldsigs != NULL ? ldsigs->allowed : 0;
141     +}
142     +
143     +int ossl_ctx_legacy_digest_signatures_allowed_set(OSSL_LIB_CTX *libctx, int allow,
144     + int loadconfig)
145     +{
146     + OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs
147     + = ossl_ctx_legacy_digest_signatures(libctx, loadconfig);
148     +
149     + if (ldsigs == NULL) {
150     + ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR);
151     + return 0;
152     + }
153     +
154     + ldsigs->allowed = allow;
155     + return 1;
156     +}
157     +
158     #ifndef FIPS_MODULE
159    
160     static int update(EVP_MD_CTX *ctx, const void *data, size_t datalen)
161     @@ -258,6 +323,18 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
162     }
163     }
164    
165     + if (ctx->reqdigest != NULL
166     + && !EVP_PKEY_is_a(locpctx->pkey, SN_hmac)
167     + && !EVP_PKEY_is_a(locpctx->pkey, SN_tls1_prf)
168     + && !EVP_PKEY_is_a(locpctx->pkey, SN_hkdf)) {
169     + int mdnid = EVP_MD_nid(ctx->reqdigest);
170     + if (!ossl_ctx_legacy_digest_signatures_allowed(locpctx->libctx, 0)
171     + && (mdnid == NID_sha1 || mdnid == NID_md5_sha1)) {
172     + ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_DIGEST);
173     + goto err;
174     + }
175     + }
176     +
177     if (ver) {
178     if (signature->digest_verify_init == NULL) {
179     ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
180     diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
181     index 2b9c6c2351..3c5a1e6f5d 100644
182     --- a/crypto/evp/pmeth_lib.c
183     +++ b/crypto/evp/pmeth_lib.c
184     @@ -33,6 +33,7 @@
185     #include "internal/ffc.h"
186     #include "internal/numbers.h"
187     #include "internal/provider.h"
188     +#include "internal/sslconf.h"
189     #include "evp_local.h"
190    
191     #ifndef FIPS_MODULE
192     @@ -946,6 +947,20 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_CTX *ctx, const EVP_MD *md,
193     return -2;
194     }
195    
196     + if (EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx)
197     + && md != NULL
198     + && ctx->pkey != NULL
199     + && !EVP_PKEY_is_a(ctx->pkey, SN_hmac)
200     + && !EVP_PKEY_is_a(ctx->pkey, SN_tls1_prf)
201     + && !EVP_PKEY_is_a(ctx->pkey, SN_hkdf)) {
202     + int mdnid = EVP_MD_nid(md);
203     + if ((mdnid == NID_sha1 || mdnid == NID_md5_sha1)
204     + && !ossl_ctx_legacy_digest_signatures_allowed(ctx->libctx, 0)) {
205     + ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_DIGEST);
206     + return -1;
207     + }
208     + }
209     +
210     if (fallback)
211     return EVP_PKEY_CTX_ctrl(ctx, -1, op, ctrl, 0, (void *)(md));
212    
213     diff --git a/doc/man5/config.pod b/doc/man5/config.pod
214     index 77a8055e81..aa1be5ca7f 100644
215     --- a/doc/man5/config.pod
216     +++ b/doc/man5/config.pod
217     @@ -304,6 +304,17 @@ Within the algorithm properties section, the following names have meaning:
218     The value may be anything that is acceptable as a property query
219     string for EVP_set_default_properties().
220    
221     +=item B<rh-allow-sha1-signatures>
222     +
223     +The value is a boolean that can be B<yes> or B<no>. If the value is not set,
224     +it behaves as if it was set to B<no>.
225     +
226     +When set to B<no>, any attempt to create or verify a signature with a SHA1
227     +digest will fail. For compatibility with older versions of OpenSSL, set this
228     +option to B<yes>. This setting also affects TLS, where signature algorithms
229     +that use SHA1 as digest will no longer be supported if this option is set to
230     +B<no>.
231     +
232     =item B<fips_mode> (deprecated)
233    
234     The value is a boolean that can be B<yes> or B<no>. If the value is
235     diff --git a/include/internal/cryptlib.h b/include/internal/cryptlib.h
236     index 1291299b6e..e234341e6a 100644
237     --- a/include/internal/cryptlib.h
238     +++ b/include/internal/cryptlib.h
239     @@ -168,7 +168,8 @@ typedef struct ossl_ex_data_global_st {
240     # define OSSL_LIB_CTX_PROVIDER_CONF_INDEX 16
241     # define OSSL_LIB_CTX_BIO_CORE_INDEX 17
242     # define OSSL_LIB_CTX_CHILD_PROVIDER_INDEX 18
243     -# define OSSL_LIB_CTX_MAX_INDEXES 19
244     +# define OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES 19
245     +# define OSSL_LIB_CTX_MAX_INDEXES 20
246    
247     # define OSSL_LIB_CTX_METHOD_LOW_PRIORITY -1
248     # define OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY 0
249     diff --git a/include/internal/sslconf.h b/include/internal/sslconf.h
250     index fd7f7e3331..05464b0655 100644
251     --- a/include/internal/sslconf.h
252     +++ b/include/internal/sslconf.h
253     @@ -18,4 +18,8 @@ int conf_ssl_name_find(const char *name, size_t *idx);
254     void conf_ssl_get_cmd(const SSL_CONF_CMD *cmd, size_t idx, char **cmdstr,
255     char **arg);
256    
257     +/* Methods to support disabling all signatures with legacy digests */
258     +int ossl_ctx_legacy_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int loadconfig);
259     +int ossl_ctx_legacy_digest_signatures_allowed_set(OSSL_LIB_CTX *libctx, int allow,
260     + int loadconfig);
261     #endif
262     diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c
263     index 699ada7c52..e534ad0a5f 100644
264     --- a/providers/common/securitycheck.c
265     +++ b/providers/common/securitycheck.c
266     @@ -19,6 +19,7 @@
267     #include <openssl/core_names.h>
268     #include <openssl/obj_mac.h>
269     #include "prov/securitycheck.h"
270     +#include "internal/sslconf.h"
271    
272     /*
273     * FIPS requires a minimum security strength of 112 bits (for encryption or
274     @@ -235,6 +236,15 @@ int ossl_digest_get_approved_nid_with_sha1(OSSL_LIB_CTX *ctx, const EVP_MD *md,
275     mdnid = -1; /* disallowed by security checks */
276     }
277     # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
278     +
279     +#ifndef FIPS_MODULE
280     + if (!ossl_ctx_legacy_digest_signatures_allowed(ctx, 0))
281     + /* SHA1 is globally disabled, check whether we want to locally allow
282     + * it. */
283     + if (mdnid == NID_sha1 && !sha1_allowed)
284     + mdnid = -1;
285     +#endif
286     +
287     return mdnid;
288     }
289    
290     @@ -244,5 +254,15 @@ int ossl_digest_is_allowed(OSSL_LIB_CTX *ctx, const EVP_MD *md)
291     if (ossl_securitycheck_enabled(ctx))
292     return ossl_digest_get_approved_nid(md) != NID_undef;
293     # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
294     +
295     +#ifndef FIPS_MODULE
296     + {
297     + int mdnid = EVP_MD_nid(md);
298     + if ((mdnid == NID_sha1 || mdnid == NID_md5_sha1)
299     + && !ossl_ctx_legacy_digest_signatures_allowed(ctx, 0))
300     + return 0;
301     + }
302     +#endif
303     +
304     return 1;
305     }
306     diff --git a/providers/common/securitycheck_default.c b/providers/common/securitycheck_default.c
307     index de7f0d3a0a..ce54a94fbc 100644
308     --- a/providers/common/securitycheck_default.c
309     +++ b/providers/common/securitycheck_default.c
310     @@ -15,6 +15,7 @@
311     #include <openssl/obj_mac.h>
312     #include "prov/securitycheck.h"
313     #include "internal/nelem.h"
314     +#include "internal/sslconf.h"
315    
316     /* Disable the security checks in the default provider */
317     int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx)
318     @@ -23,9 +24,10 @@ int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx)
319     }
320    
321     int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md,
322     - ossl_unused int sha1_allowed)
323     + int sha1_allowed)
324     {
325     int mdnid;
326     + int ldsigs_allowed;
327    
328     static const OSSL_ITEM name_to_nid[] = {
329     { NID_md5, OSSL_DIGEST_NAME_MD5 },
330     @@ -36,8 +38,11 @@ int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md,
331     { NID_ripemd160, OSSL_DIGEST_NAME_RIPEMD160 },
332     };
333    
334     - mdnid = ossl_digest_get_approved_nid_with_sha1(ctx, md, 1);
335     + ldsigs_allowed = ossl_ctx_legacy_digest_signatures_allowed(ctx, 0);
336     + mdnid = ossl_digest_get_approved_nid_with_sha1(ctx, md, sha1_allowed || ldsigs_allowed);
337     if (mdnid == NID_undef)
338     mdnid = ossl_digest_md_to_nid(md, name_to_nid, OSSL_NELEM(name_to_nid));
339     + if (mdnid == NID_md5_sha1 && !ldsigs_allowed)
340     + mdnid = -1;
341     return mdnid;
342     }
343     diff --git a/providers/implementations/signature/dsa_sig.c b/providers/implementations/signature/dsa_sig.c
344     index 28fd7c498e..fa3822f39f 100644
345     --- a/providers/implementations/signature/dsa_sig.c
346     +++ b/providers/implementations/signature/dsa_sig.c
347     @@ -124,12 +124,17 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx,
348     mdprops = ctx->propq;
349    
350     if (mdname != NULL) {
351     - int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
352     WPACKET pkt;
353     EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
354     - int md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,
355     - sha1_allowed);
356     + int md_nid;
357     size_t mdname_len = strlen(mdname);
358     +#ifdef FIPS_MODULE
359     + int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
360     +#else
361     + int sha1_allowed = 0;
362     +#endif
363     + md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,
364     + sha1_allowed);
365    
366     if (md == NULL || md_nid < 0) {
367     if (md == NULL)
368     diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c
369     index 865d49d100..99b228e82c 100644
370     --- a/providers/implementations/signature/ecdsa_sig.c
371     +++ b/providers/implementations/signature/ecdsa_sig.c
372     @@ -237,7 +237,11 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, const char *mdname,
373     "%s could not be fetched", mdname);
374     return 0;
375     }
376     +#ifdef FIPS_MODULE
377     sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
378     +#else
379     + sha1_allowed = 0;
380     +#endif
381     md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,
382     sha1_allowed);
383     if (md_nid < 0) {
384     diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
385     index 325e855333..bea397f0c1 100644
386     --- a/providers/implementations/signature/rsa_sig.c
387     +++ b/providers/implementations/signature/rsa_sig.c
388     @@ -26,6 +26,7 @@
389     #include "internal/cryptlib.h"
390     #include "internal/nelem.h"
391     #include "internal/sizes.h"
392     +#include "internal/sslconf.h"
393     #include "crypto/rsa.h"
394     #include "prov/providercommon.h"
395     #include "prov/implementations.h"
396     @@ -34,6 +35,7 @@
397     #include "prov/securitycheck.h"
398    
399     #define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1
400     +#define RSA_DEFAULT_DIGEST_NAME_NONLEGACY OSSL_DIGEST_NAME_SHA2_256
401    
402     static OSSL_FUNC_signature_newctx_fn rsa_newctx;
403     static OSSL_FUNC_signature_sign_init_fn rsa_sign_init;
404     @@ -289,10 +291,15 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname,
405    
406     if (mdname != NULL) {
407     EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
408     + int md_nid;
409     + size_t mdname_len = strlen(mdname);
410     +#ifdef FIPS_MODULE
411     int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
412     - int md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md,
413     +#else
414     + int sha1_allowed = 0;
415     +#endif
416     + md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md,
417     sha1_allowed);
418     - size_t mdname_len = strlen(mdname);
419    
420     if (md == NULL
421     || md_nid <= 0
422     @@ -1348,8 +1355,15 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
423     prsactx->pad_mode = pad_mode;
424    
425     if (prsactx->md == NULL && pmdname == NULL
426     - && pad_mode == RSA_PKCS1_PSS_PADDING)
427     + && pad_mode == RSA_PKCS1_PSS_PADDING) {
428     pmdname = RSA_DEFAULT_DIGEST_NAME;
429     +#ifndef FIPS_MODULE
430     + if (!ossl_ctx_legacy_digest_signatures_allowed(prsactx->libctx, 0)) {
431     + pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY;
432     + }
433     +#endif
434     + }
435     +
436    
437     if (pmgf1mdname != NULL
438     && !rsa_setup_mgf1_md(prsactx, pmgf1mdname, pmgf1mdprops))
439     diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
440     index fc32bb3556..4b74ee1a34 100644
441     --- a/ssl/t1_lib.c
442     +++ b/ssl/t1_lib.c
443     @@ -20,6 +20,7 @@
444     #include <openssl/bn.h>
445     #include <openssl/provider.h>
446     #include <openssl/param_build.h>
447     +#include "internal/sslconf.h"
448     #include "internal/nelem.h"
449     #include "internal/sizes.h"
450     #include "internal/tlsgroups.h"
451     @@ -1145,11 +1146,13 @@ int ssl_setup_sig_algs(SSL_CTX *ctx)
452     = OPENSSL_malloc(sizeof(*lu) * OSSL_NELEM(sigalg_lookup_tbl));
453     EVP_PKEY *tmpkey = EVP_PKEY_new();
454     int ret = 0;
455     + int ldsigs_allowed;
456    
457     if (cache == NULL || tmpkey == NULL)
458     goto err;
459    
460     ERR_set_mark();
461     + ldsigs_allowed = ossl_ctx_legacy_digest_signatures_allowed(ctx->libctx, 0);
462     for (i = 0, lu = sigalg_lookup_tbl;
463     i < OSSL_NELEM(sigalg_lookup_tbl); lu++, i++) {
464     EVP_PKEY_CTX *pctx;
465     @@ -1169,6 +1172,11 @@ int ssl_setup_sig_algs(SSL_CTX *ctx)
466     cache[i].enabled = 0;
467     continue;
468     }
469     + if ((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1)
470     + && !ldsigs_allowed) {
471     + cache[i].enabled = 0;
472     + continue;
473     + }
474    
475     if (!EVP_PKEY_set_type(tmpkey, lu->sig)) {
476     cache[i].enabled = 0;
477     diff --git a/util/libcrypto.num b/util/libcrypto.num
478     index 10b4e57d79..2d3c363bb0 100644
479     --- a/util/libcrypto.num
480     +++ b/util/libcrypto.num
481     @@ -5426,3 +5426,5 @@ ASN1_TIME_print_ex 5553 3_0_0 EXIST::FUNCTION:
482     OPENSSL_strcasecmp 5556 3_0_3 EXIST::FUNCTION:
483     OPENSSL_strncasecmp 5557 3_0_3 EXIST::FUNCTION:
484     ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION:
485     +ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION:
486     +ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION:
487     --
488     2.35.1
489    

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed