| 1 |
From 243201772cc6d583fae9eba81cb2c2c7425bc564 Mon Sep 17 00:00:00 2001 |
| 2 |
From: Clemens Lang <cllang@redhat.com> |
| 3 |
Date: Mon, 21 Feb 2022 17:24:44 +0100 |
| 4 |
Subject: Selectively disallow SHA1 signatures |
| 5 |
|
| 6 |
For RHEL 9.0, we want to phase out SHA1. One of the steps to do that is |
| 7 |
disabling SHA1 signatures. Introduce a new configuration option in the |
| 8 |
alg_section named 'rh-allow-sha1-signatures'. This option defaults to |
| 9 |
false. If set to false (or unset), any signature creation or |
| 10 |
verification operations that involve SHA1 as digest will fail. |
| 11 |
|
| 12 |
This also affects TLS, where the signature_algorithms extension of any |
| 13 |
ClientHello message sent by OpenSSL will no longer include signatures |
| 14 |
with the SHA1 digest if rh-allow-sha1-signatures is false. For servers |
| 15 |
that request a client certificate, the same also applies for |
| 16 |
CertificateRequest messages sent by them. |
| 17 |
|
| 18 |
For signatures created using the EVP_PKEY API, this is a best-effort |
| 19 |
check that will deny signatures in cases where the digest algorithm is |
| 20 |
known. This means, for example, that that following steps will still |
| 21 |
work: |
| 22 |
|
| 23 |
$> openssl dgst -sha1 -binary -out sha1 infile |
| 24 |
$> openssl pkeyutl -inkey key.pem -sign -in sha1 -out sha1sig |
| 25 |
$> openssl pkeyutl -inkey key.pem -verify -sigfile sha1sig -in sha1 |
| 26 |
|
| 27 |
whereas these will not: |
| 28 |
|
| 29 |
$> openssl dgst -sha1 -binary -out sha1 infile |
| 30 |
$> openssl pkeyutl -inkey kem.pem -sign -in sha1 -out sha1sig -pkeyopt digest:sha1 |
| 31 |
$> openssl pkeyutl -inkey kem.pem -verify -sigfile sha1sig -in sha1 -pkeyopt digest:sha1 |
| 32 |
|
| 33 |
This happens because in the first case, OpenSSL's signature |
| 34 |
implementation does not know that it is signing a SHA1 hash (it could be |
| 35 |
signing arbitrary data). |
| 36 |
|
| 37 |
Resolves: rhbz#2031742 |
| 38 |
--- |
| 39 |
crypto/evp/evp_cnf.c | 13 ++++ |
| 40 |
crypto/evp/m_sigver.c | 77 +++++++++++++++++++ |
| 41 |
crypto/evp/pmeth_lib.c | 15 ++++ |
| 42 |
doc/man5/config.pod | 11 +++ |
| 43 |
include/internal/cryptlib.h | 3 +- |
| 44 |
include/internal/sslconf.h | 4 + |
| 45 |
providers/common/securitycheck.c | 20 +++++ |
| 46 |
providers/common/securitycheck_default.c | 9 ++- |
| 47 |
providers/implementations/signature/dsa_sig.c | 11 ++- |
| 48 |
.../implementations/signature/ecdsa_sig.c | 4 + |
| 49 |
providers/implementations/signature/rsa_sig.c | 20 ++++- |
| 50 |
ssl/t1_lib.c | 8 ++ |
| 51 |
util/libcrypto.num | 2 + |
| 52 |
13 files changed, 188 insertions(+), 9 deletions(-) |
| 53 |
|
| 54 |
diff --git a/crypto/evp/evp_cnf.c b/crypto/evp/evp_cnf.c |
| 55 |
index 0e7fe64cf9..b9d3b6d226 100644 |
| 56 |
--- a/crypto/evp/evp_cnf.c |
| 57 |
+++ b/crypto/evp/evp_cnf.c |
| 58 |
@@ -10,6 +10,7 @@ |
| 59 |
#include <stdio.h> |
| 60 |
#include <openssl/crypto.h> |
| 61 |
#include "internal/cryptlib.h" |
| 62 |
+#include "internal/sslconf.h" |
| 63 |
#include <openssl/conf.h> |
| 64 |
#include <openssl/x509.h> |
| 65 |
#include <openssl/x509v3.h> |
| 66 |
@@ -57,6 +58,18 @@ static int alg_module_init(CONF_IMODULE *md, const CONF *cnf) |
| 67 |
ERR_raise(ERR_LIB_EVP, EVP_R_SET_DEFAULT_PROPERTY_FAILURE); |
| 68 |
return 0; |
| 69 |
} |
| 70 |
+ } else if (strcmp(oval->name, "rh-allow-sha1-signatures") == 0) { |
| 71 |
+ int m; |
| 72 |
+ |
| 73 |
+ /* Detailed error already reported. */ |
| 74 |
+ if (!X509V3_get_value_bool(oval, &m)) |
| 75 |
+ return 0; |
| 76 |
+ |
| 77 |
+ if (!ossl_ctx_legacy_digest_signatures_allowed_set( |
| 78 |
+ NCONF_get0_libctx((CONF *)cnf), m > 0, 0)) { |
| 79 |
+ ERR_raise(ERR_LIB_EVP, EVP_R_SET_DEFAULT_PROPERTY_FAILURE); |
| 80 |
+ return 0; |
| 81 |
+ } |
| 82 |
} else { |
| 83 |
ERR_raise_data(ERR_LIB_EVP, EVP_R_UNKNOWN_OPTION, |
| 84 |
"name=%s, value=%s", oval->name, oval->value); |
| 85 |
diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c |
| 86 |
index 9188edbc21..db1a1d7bc3 100644 |
| 87 |
--- a/crypto/evp/m_sigver.c |
| 88 |
+++ b/crypto/evp/m_sigver.c |
| 89 |
@@ -16,6 +16,71 @@ |
| 90 |
#include "internal/numbers.h" /* includes SIZE_MAX */ |
| 91 |
#include "evp_local.h" |
| 92 |
|
| 93 |
+typedef struct ossl_legacy_digest_signatures_st { |
| 94 |
+ int allowed; |
| 95 |
+} OSSL_LEGACY_DIGEST_SIGNATURES; |
| 96 |
+ |
| 97 |
+static void ossl_ctx_legacy_digest_signatures_free(void *vldsigs) |
| 98 |
+{ |
| 99 |
+ OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs = vldsigs; |
| 100 |
+ |
| 101 |
+ if (ldsigs != NULL) { |
| 102 |
+ OPENSSL_free(ldsigs); |
| 103 |
+ } |
| 104 |
+} |
| 105 |
+ |
| 106 |
+static void *ossl_ctx_legacy_digest_signatures_new(OSSL_LIB_CTX *ctx) |
| 107 |
+{ |
| 108 |
+ return OPENSSL_zalloc(sizeof(OSSL_LEGACY_DIGEST_SIGNATURES)); |
| 109 |
+} |
| 110 |
+ |
| 111 |
+static const OSSL_LIB_CTX_METHOD ossl_ctx_legacy_digest_signatures_method = { |
| 112 |
+ OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY, |
| 113 |
+ ossl_ctx_legacy_digest_signatures_new, |
| 114 |
+ ossl_ctx_legacy_digest_signatures_free, |
| 115 |
+}; |
| 116 |
+ |
| 117 |
+static OSSL_LEGACY_DIGEST_SIGNATURES *ossl_ctx_legacy_digest_signatures( |
| 118 |
+ OSSL_LIB_CTX *libctx, int loadconfig) |
| 119 |
+{ |
| 120 |
+#ifndef FIPS_MODULE |
| 121 |
+ if (loadconfig && !OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL)) |
| 122 |
+ return 0; |
| 123 |
+#endif |
| 124 |
+ |
| 125 |
+ return ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES, |
| 126 |
+ &ossl_ctx_legacy_digest_signatures_method); |
| 127 |
+} |
| 128 |
+ |
| 129 |
+int ossl_ctx_legacy_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int loadconfig) |
| 130 |
+{ |
| 131 |
+ OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs |
| 132 |
+ = ossl_ctx_legacy_digest_signatures(libctx, loadconfig); |
| 133 |
+ |
| 134 |
+#ifndef FIPS_MODULE |
| 135 |
+ if (ossl_safe_getenv("OPENSSL_ENABLE_SHA1_SIGNATURES") != NULL) |
| 136 |
+ /* used in tests */ |
| 137 |
+ return 1; |
| 138 |
+#endif |
| 139 |
+ |
| 140 |
+ return ldsigs != NULL ? ldsigs->allowed : 0; |
| 141 |
+} |
| 142 |
+ |
| 143 |
+int ossl_ctx_legacy_digest_signatures_allowed_set(OSSL_LIB_CTX *libctx, int allow, |
| 144 |
+ int loadconfig) |
| 145 |
+{ |
| 146 |
+ OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs |
| 147 |
+ = ossl_ctx_legacy_digest_signatures(libctx, loadconfig); |
| 148 |
+ |
| 149 |
+ if (ldsigs == NULL) { |
| 150 |
+ ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR); |
| 151 |
+ return 0; |
| 152 |
+ } |
| 153 |
+ |
| 154 |
+ ldsigs->allowed = allow; |
| 155 |
+ return 1; |
| 156 |
+} |
| 157 |
+ |
| 158 |
#ifndef FIPS_MODULE |
| 159 |
|
| 160 |
static int update(EVP_MD_CTX *ctx, const void *data, size_t datalen) |
| 161 |
@@ -258,6 +323,18 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, |
| 162 |
} |
| 163 |
} |
| 164 |
|
| 165 |
+ if (ctx->reqdigest != NULL |
| 166 |
+ && !EVP_PKEY_is_a(locpctx->pkey, SN_hmac) |
| 167 |
+ && !EVP_PKEY_is_a(locpctx->pkey, SN_tls1_prf) |
| 168 |
+ && !EVP_PKEY_is_a(locpctx->pkey, SN_hkdf)) { |
| 169 |
+ int mdnid = EVP_MD_nid(ctx->reqdigest); |
| 170 |
+ if (!ossl_ctx_legacy_digest_signatures_allowed(locpctx->libctx, 0) |
| 171 |
+ && (mdnid == NID_sha1 || mdnid == NID_md5_sha1)) { |
| 172 |
+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_DIGEST); |
| 173 |
+ goto err; |
| 174 |
+ } |
| 175 |
+ } |
| 176 |
+ |
| 177 |
if (ver) { |
| 178 |
if (signature->digest_verify_init == NULL) { |
| 179 |
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); |
| 180 |
diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c |
| 181 |
index 2b9c6c2351..3c5a1e6f5d 100644 |
| 182 |
--- a/crypto/evp/pmeth_lib.c |
| 183 |
+++ b/crypto/evp/pmeth_lib.c |
| 184 |
@@ -33,6 +33,7 @@ |
| 185 |
#include "internal/ffc.h" |
| 186 |
#include "internal/numbers.h" |
| 187 |
#include "internal/provider.h" |
| 188 |
+#include "internal/sslconf.h" |
| 189 |
#include "evp_local.h" |
| 190 |
|
| 191 |
#ifndef FIPS_MODULE |
| 192 |
@@ -946,6 +947,20 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_CTX *ctx, const EVP_MD *md, |
| 193 |
return -2; |
| 194 |
} |
| 195 |
|
| 196 |
+ if (EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx) |
| 197 |
+ && md != NULL |
| 198 |
+ && ctx->pkey != NULL |
| 199 |
+ && !EVP_PKEY_is_a(ctx->pkey, SN_hmac) |
| 200 |
+ && !EVP_PKEY_is_a(ctx->pkey, SN_tls1_prf) |
| 201 |
+ && !EVP_PKEY_is_a(ctx->pkey, SN_hkdf)) { |
| 202 |
+ int mdnid = EVP_MD_nid(md); |
| 203 |
+ if ((mdnid == NID_sha1 || mdnid == NID_md5_sha1) |
| 204 |
+ && !ossl_ctx_legacy_digest_signatures_allowed(ctx->libctx, 0)) { |
| 205 |
+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_DIGEST); |
| 206 |
+ return -1; |
| 207 |
+ } |
| 208 |
+ } |
| 209 |
+ |
| 210 |
if (fallback) |
| 211 |
return EVP_PKEY_CTX_ctrl(ctx, -1, op, ctrl, 0, (void *)(md)); |
| 212 |
|
| 213 |
diff --git a/doc/man5/config.pod b/doc/man5/config.pod |
| 214 |
index 77a8055e81..aa1be5ca7f 100644 |
| 215 |
--- a/doc/man5/config.pod |
| 216 |
+++ b/doc/man5/config.pod |
| 217 |
@@ -304,6 +304,17 @@ Within the algorithm properties section, the following names have meaning: |
| 218 |
The value may be anything that is acceptable as a property query |
| 219 |
string for EVP_set_default_properties(). |
| 220 |
|
| 221 |
+=item B<rh-allow-sha1-signatures> |
| 222 |
+ |
| 223 |
+The value is a boolean that can be B<yes> or B<no>. If the value is not set, |
| 224 |
+it behaves as if it was set to B<no>. |
| 225 |
+ |
| 226 |
+When set to B<no>, any attempt to create or verify a signature with a SHA1 |
| 227 |
+digest will fail. For compatibility with older versions of OpenSSL, set this |
| 228 |
+option to B<yes>. This setting also affects TLS, where signature algorithms |
| 229 |
+that use SHA1 as digest will no longer be supported if this option is set to |
| 230 |
+B<no>. |
| 231 |
+ |
| 232 |
=item B<fips_mode> (deprecated) |
| 233 |
|
| 234 |
The value is a boolean that can be B<yes> or B<no>. If the value is |
| 235 |
diff --git a/include/internal/cryptlib.h b/include/internal/cryptlib.h |
| 236 |
index 1291299b6e..e234341e6a 100644 |
| 237 |
--- a/include/internal/cryptlib.h |
| 238 |
+++ b/include/internal/cryptlib.h |
| 239 |
@@ -168,7 +168,8 @@ typedef struct ossl_ex_data_global_st { |
| 240 |
# define OSSL_LIB_CTX_PROVIDER_CONF_INDEX 16 |
| 241 |
# define OSSL_LIB_CTX_BIO_CORE_INDEX 17 |
| 242 |
# define OSSL_LIB_CTX_CHILD_PROVIDER_INDEX 18 |
| 243 |
-# define OSSL_LIB_CTX_MAX_INDEXES 19 |
| 244 |
+# define OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES 19 |
| 245 |
+# define OSSL_LIB_CTX_MAX_INDEXES 20 |
| 246 |
|
| 247 |
# define OSSL_LIB_CTX_METHOD_LOW_PRIORITY -1 |
| 248 |
# define OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY 0 |
| 249 |
diff --git a/include/internal/sslconf.h b/include/internal/sslconf.h |
| 250 |
index fd7f7e3331..05464b0655 100644 |
| 251 |
--- a/include/internal/sslconf.h |
| 252 |
+++ b/include/internal/sslconf.h |
| 253 |
@@ -18,4 +18,8 @@ int conf_ssl_name_find(const char *name, size_t *idx); |
| 254 |
void conf_ssl_get_cmd(const SSL_CONF_CMD *cmd, size_t idx, char **cmdstr, |
| 255 |
char **arg); |
| 256 |
|
| 257 |
+/* Methods to support disabling all signatures with legacy digests */ |
| 258 |
+int ossl_ctx_legacy_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int loadconfig); |
| 259 |
+int ossl_ctx_legacy_digest_signatures_allowed_set(OSSL_LIB_CTX *libctx, int allow, |
| 260 |
+ int loadconfig); |
| 261 |
#endif |
| 262 |
diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c |
| 263 |
index 699ada7c52..e534ad0a5f 100644 |
| 264 |
--- a/providers/common/securitycheck.c |
| 265 |
+++ b/providers/common/securitycheck.c |
| 266 |
@@ -19,6 +19,7 @@ |
| 267 |
#include <openssl/core_names.h> |
| 268 |
#include <openssl/obj_mac.h> |
| 269 |
#include "prov/securitycheck.h" |
| 270 |
+#include "internal/sslconf.h" |
| 271 |
|
| 272 |
/* |
| 273 |
* FIPS requires a minimum security strength of 112 bits (for encryption or |
| 274 |
@@ -235,6 +236,15 @@ int ossl_digest_get_approved_nid_with_sha1(OSSL_LIB_CTX *ctx, const EVP_MD *md, |
| 275 |
mdnid = -1; /* disallowed by security checks */ |
| 276 |
} |
| 277 |
# endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */ |
| 278 |
+ |
| 279 |
+#ifndef FIPS_MODULE |
| 280 |
+ if (!ossl_ctx_legacy_digest_signatures_allowed(ctx, 0)) |
| 281 |
+ /* SHA1 is globally disabled, check whether we want to locally allow |
| 282 |
+ * it. */ |
| 283 |
+ if (mdnid == NID_sha1 && !sha1_allowed) |
| 284 |
+ mdnid = -1; |
| 285 |
+#endif |
| 286 |
+ |
| 287 |
return mdnid; |
| 288 |
} |
| 289 |
|
| 290 |
@@ -244,5 +254,15 @@ int ossl_digest_is_allowed(OSSL_LIB_CTX *ctx, const EVP_MD *md) |
| 291 |
if (ossl_securitycheck_enabled(ctx)) |
| 292 |
return ossl_digest_get_approved_nid(md) != NID_undef; |
| 293 |
# endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */ |
| 294 |
+ |
| 295 |
+#ifndef FIPS_MODULE |
| 296 |
+ { |
| 297 |
+ int mdnid = EVP_MD_nid(md); |
| 298 |
+ if ((mdnid == NID_sha1 || mdnid == NID_md5_sha1) |
| 299 |
+ && !ossl_ctx_legacy_digest_signatures_allowed(ctx, 0)) |
| 300 |
+ return 0; |
| 301 |
+ } |
| 302 |
+#endif |
| 303 |
+ |
| 304 |
return 1; |
| 305 |
} |
| 306 |
diff --git a/providers/common/securitycheck_default.c b/providers/common/securitycheck_default.c |
| 307 |
index de7f0d3a0a..ce54a94fbc 100644 |
| 308 |
--- a/providers/common/securitycheck_default.c |
| 309 |
+++ b/providers/common/securitycheck_default.c |
| 310 |
@@ -15,6 +15,7 @@ |
| 311 |
#include <openssl/obj_mac.h> |
| 312 |
#include "prov/securitycheck.h" |
| 313 |
#include "internal/nelem.h" |
| 314 |
+#include "internal/sslconf.h" |
| 315 |
|
| 316 |
/* Disable the security checks in the default provider */ |
| 317 |
int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx) |
| 318 |
@@ -23,9 +24,10 @@ int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx) |
| 319 |
} |
| 320 |
|
| 321 |
int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md, |
| 322 |
- ossl_unused int sha1_allowed) |
| 323 |
+ int sha1_allowed) |
| 324 |
{ |
| 325 |
int mdnid; |
| 326 |
+ int ldsigs_allowed; |
| 327 |
|
| 328 |
static const OSSL_ITEM name_to_nid[] = { |
| 329 |
{ NID_md5, OSSL_DIGEST_NAME_MD5 }, |
| 330 |
@@ -36,8 +38,11 @@ int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md, |
| 331 |
{ NID_ripemd160, OSSL_DIGEST_NAME_RIPEMD160 }, |
| 332 |
}; |
| 333 |
|
| 334 |
- mdnid = ossl_digest_get_approved_nid_with_sha1(ctx, md, 1); |
| 335 |
+ ldsigs_allowed = ossl_ctx_legacy_digest_signatures_allowed(ctx, 0); |
| 336 |
+ mdnid = ossl_digest_get_approved_nid_with_sha1(ctx, md, sha1_allowed || ldsigs_allowed); |
| 337 |
if (mdnid == NID_undef) |
| 338 |
mdnid = ossl_digest_md_to_nid(md, name_to_nid, OSSL_NELEM(name_to_nid)); |
| 339 |
+ if (mdnid == NID_md5_sha1 && !ldsigs_allowed) |
| 340 |
+ mdnid = -1; |
| 341 |
return mdnid; |
| 342 |
} |
| 343 |
diff --git a/providers/implementations/signature/dsa_sig.c b/providers/implementations/signature/dsa_sig.c |
| 344 |
index 28fd7c498e..fa3822f39f 100644 |
| 345 |
--- a/providers/implementations/signature/dsa_sig.c |
| 346 |
+++ b/providers/implementations/signature/dsa_sig.c |
| 347 |
@@ -124,12 +124,17 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx, |
| 348 |
mdprops = ctx->propq; |
| 349 |
|
| 350 |
if (mdname != NULL) { |
| 351 |
- int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); |
| 352 |
WPACKET pkt; |
| 353 |
EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops); |
| 354 |
- int md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md, |
| 355 |
- sha1_allowed); |
| 356 |
+ int md_nid; |
| 357 |
size_t mdname_len = strlen(mdname); |
| 358 |
+#ifdef FIPS_MODULE |
| 359 |
+ int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); |
| 360 |
+#else |
| 361 |
+ int sha1_allowed = 0; |
| 362 |
+#endif |
| 363 |
+ md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md, |
| 364 |
+ sha1_allowed); |
| 365 |
|
| 366 |
if (md == NULL || md_nid < 0) { |
| 367 |
if (md == NULL) |
| 368 |
diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c |
| 369 |
index 865d49d100..99b228e82c 100644 |
| 370 |
--- a/providers/implementations/signature/ecdsa_sig.c |
| 371 |
+++ b/providers/implementations/signature/ecdsa_sig.c |
| 372 |
@@ -237,7 +237,11 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, const char *mdname, |
| 373 |
"%s could not be fetched", mdname); |
| 374 |
return 0; |
| 375 |
} |
| 376 |
+#ifdef FIPS_MODULE |
| 377 |
sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); |
| 378 |
+#else |
| 379 |
+ sha1_allowed = 0; |
| 380 |
+#endif |
| 381 |
md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md, |
| 382 |
sha1_allowed); |
| 383 |
if (md_nid < 0) { |
| 384 |
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c |
| 385 |
index 325e855333..bea397f0c1 100644 |
| 386 |
--- a/providers/implementations/signature/rsa_sig.c |
| 387 |
+++ b/providers/implementations/signature/rsa_sig.c |
| 388 |
@@ -26,6 +26,7 @@ |
| 389 |
#include "internal/cryptlib.h" |
| 390 |
#include "internal/nelem.h" |
| 391 |
#include "internal/sizes.h" |
| 392 |
+#include "internal/sslconf.h" |
| 393 |
#include "crypto/rsa.h" |
| 394 |
#include "prov/providercommon.h" |
| 395 |
#include "prov/implementations.h" |
| 396 |
@@ -34,6 +35,7 @@ |
| 397 |
#include "prov/securitycheck.h" |
| 398 |
|
| 399 |
#define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1 |
| 400 |
+#define RSA_DEFAULT_DIGEST_NAME_NONLEGACY OSSL_DIGEST_NAME_SHA2_256 |
| 401 |
|
| 402 |
static OSSL_FUNC_signature_newctx_fn rsa_newctx; |
| 403 |
static OSSL_FUNC_signature_sign_init_fn rsa_sign_init; |
| 404 |
@@ -289,10 +291,15 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname, |
| 405 |
|
| 406 |
if (mdname != NULL) { |
| 407 |
EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops); |
| 408 |
+ int md_nid; |
| 409 |
+ size_t mdname_len = strlen(mdname); |
| 410 |
+#ifdef FIPS_MODULE |
| 411 |
int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); |
| 412 |
- int md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md, |
| 413 |
+#else |
| 414 |
+ int sha1_allowed = 0; |
| 415 |
+#endif |
| 416 |
+ md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md, |
| 417 |
sha1_allowed); |
| 418 |
- size_t mdname_len = strlen(mdname); |
| 419 |
|
| 420 |
if (md == NULL |
| 421 |
|| md_nid <= 0 |
| 422 |
@@ -1348,8 +1355,15 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) |
| 423 |
prsactx->pad_mode = pad_mode; |
| 424 |
|
| 425 |
if (prsactx->md == NULL && pmdname == NULL |
| 426 |
- && pad_mode == RSA_PKCS1_PSS_PADDING) |
| 427 |
+ && pad_mode == RSA_PKCS1_PSS_PADDING) { |
| 428 |
pmdname = RSA_DEFAULT_DIGEST_NAME; |
| 429 |
+#ifndef FIPS_MODULE |
| 430 |
+ if (!ossl_ctx_legacy_digest_signatures_allowed(prsactx->libctx, 0)) { |
| 431 |
+ pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY; |
| 432 |
+ } |
| 433 |
+#endif |
| 434 |
+ } |
| 435 |
+ |
| 436 |
|
| 437 |
if (pmgf1mdname != NULL |
| 438 |
&& !rsa_setup_mgf1_md(prsactx, pmgf1mdname, pmgf1mdprops)) |
| 439 |
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c |
| 440 |
index fc32bb3556..4b74ee1a34 100644 |
| 441 |
--- a/ssl/t1_lib.c |
| 442 |
+++ b/ssl/t1_lib.c |
| 443 |
@@ -20,6 +20,7 @@ |
| 444 |
#include <openssl/bn.h> |
| 445 |
#include <openssl/provider.h> |
| 446 |
#include <openssl/param_build.h> |
| 447 |
+#include "internal/sslconf.h" |
| 448 |
#include "internal/nelem.h" |
| 449 |
#include "internal/sizes.h" |
| 450 |
#include "internal/tlsgroups.h" |
| 451 |
@@ -1145,11 +1146,13 @@ int ssl_setup_sig_algs(SSL_CTX *ctx) |
| 452 |
= OPENSSL_malloc(sizeof(*lu) * OSSL_NELEM(sigalg_lookup_tbl)); |
| 453 |
EVP_PKEY *tmpkey = EVP_PKEY_new(); |
| 454 |
int ret = 0; |
| 455 |
+ int ldsigs_allowed; |
| 456 |
|
| 457 |
if (cache == NULL || tmpkey == NULL) |
| 458 |
goto err; |
| 459 |
|
| 460 |
ERR_set_mark(); |
| 461 |
+ ldsigs_allowed = ossl_ctx_legacy_digest_signatures_allowed(ctx->libctx, 0); |
| 462 |
for (i = 0, lu = sigalg_lookup_tbl; |
| 463 |
i < OSSL_NELEM(sigalg_lookup_tbl); lu++, i++) { |
| 464 |
EVP_PKEY_CTX *pctx; |
| 465 |
@@ -1169,6 +1172,11 @@ int ssl_setup_sig_algs(SSL_CTX *ctx) |
| 466 |
cache[i].enabled = 0; |
| 467 |
continue; |
| 468 |
} |
| 469 |
+ if ((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1) |
| 470 |
+ && !ldsigs_allowed) { |
| 471 |
+ cache[i].enabled = 0; |
| 472 |
+ continue; |
| 473 |
+ } |
| 474 |
|
| 475 |
if (!EVP_PKEY_set_type(tmpkey, lu->sig)) { |
| 476 |
cache[i].enabled = 0; |
| 477 |
diff --git a/util/libcrypto.num b/util/libcrypto.num |
| 478 |
index 10b4e57d79..2d3c363bb0 100644 |
| 479 |
--- a/util/libcrypto.num |
| 480 |
+++ b/util/libcrypto.num |
| 481 |
@@ -5426,3 +5426,5 @@ ASN1_TIME_print_ex 5553 3_0_0 EXIST::FUNCTION: |
| 482 |
OPENSSL_strcasecmp 5556 3_0_3 EXIST::FUNCTION: |
| 483 |
OPENSSL_strncasecmp 5557 3_0_3 EXIST::FUNCTION: |
| 484 |
ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION: |
| 485 |
+ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION: |
| 486 |
+ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION: |
| 487 |
-- |
| 488 |
2.35.1 |
| 489 |
|
Parent Directory
| 
Revision Log
| 
Revision Graph
