Blame SOURCES/openssl-1.1.1-seclevel.patch

9f6ef3
diff -up openssl-1.1.1g/crypto/x509/x509_vfy.c.seclevel openssl-1.1.1g/crypto/x509/x509_vfy.c
9f6ef3
--- openssl-1.1.1g/crypto/x509/x509_vfy.c.seclevel	2020-04-21 14:22:39.000000000 +0200
9f6ef3
+++ openssl-1.1.1g/crypto/x509/x509_vfy.c	2020-06-05 17:16:54.835536823 +0200
9f6ef3
@@ -3225,6 +3225,7 @@ static int build_chain(X509_STORE_CTX *c
3a273b
 }
3a273b
 
3a273b
 static const int minbits_table[] = { 80, 112, 128, 192, 256 };
3a273b
+static const int minbits_digest_table[] = { 80, 80, 128, 192, 256 };
3a273b
 static const int NUM_AUTH_LEVELS = OSSL_NELEM(minbits_table);
3a273b
 
3a273b
 /*
9f6ef3
@@ -3276,6 +3277,11 @@ static int check_sig_level(X509_STORE_CT
3a273b
 
3a273b
     if (!X509_get_signature_info(cert, NULL, NULL, &secbits, NULL))
3a273b
         return 0;
3a273b
-
3a273b
-    return secbits >= minbits_table[level - 1];
9f6ef3
+    /*
9f6ef3
+     * Allow SHA1 in SECLEVEL 2 in non-FIPS mode or when the magic
9f6ef3
+     * disable SHA1 flag is not set.
9f6ef3
+     */
9f6ef3
+    if ((ctx->param->flags & 0x40000000) || FIPS_mode())
3a273b
+        return secbits >= minbits_table[level - 1];
3a273b
+    return secbits >= minbits_digest_table[level - 1];
3a273b
 }
9f6ef3
diff -up openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod.seclevel openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod
9f6ef3
--- openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod.seclevel	2020-04-21 14:22:39.000000000 +0200
9f6ef3
+++ openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod	2020-06-04 15:48:01.608178833 +0200
3a273b
@@ -81,8 +81,10 @@ using MD5 for the MAC is also prohibited
3a273b
 
3a273b
 =item B<Level 2>
3a273b
 
3a273b
-Security level set to 112 bits of security. As a result RSA, DSA and DH keys
3a273b
-shorter than 2048 bits and ECC keys shorter than 224 bits are prohibited.
3a273b
+Security level set to 112 bits of security with the exception of SHA1 allowed
3a273b
+for signatures.
3a273b
+As a result RSA, DSA and DH keys shorter than 2048 bits and ECC keys
3a273b
+shorter than 224 bits are prohibited.
3a273b
 In addition to the level 1 exclusions any cipher suite using RC4 is also
3a273b
 prohibited. SSL version 3 is also not allowed. Compression is disabled.
3a273b
 
9f6ef3
diff -up openssl-1.1.1g/ssl/ssl_cert.c.seclevel openssl-1.1.1g/ssl/ssl_cert.c
9f6ef3
--- openssl-1.1.1g/ssl/ssl_cert.c.seclevel	2020-04-21 14:22:39.000000000 +0200
9f6ef3
+++ openssl-1.1.1g/ssl/ssl_cert.c	2020-06-05 17:10:11.842198401 +0200
9f6ef3
@@ -27,6 +27,7 @@
9f6ef3
 static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx,
9f6ef3
                                          int op, int bits, int nid, void *other,
9f6ef3
                                          void *ex);
9f6ef3
+static unsigned long sha1_disable(const SSL *s, const SSL_CTX *ctx);
9f6ef3
 
9f6ef3
 static CRYPTO_ONCE ssl_x509_store_ctx_once = CRYPTO_ONCE_STATIC_INIT;
9f6ef3
 static volatile int ssl_x509_store_ctx_idx = -1;
9f6ef3
@@ -396,7 +397,7 @@ int ssl_verify_cert_chain(SSL *s, STACK_
9f6ef3
     X509_VERIFY_PARAM_set_auth_level(param, SSL_get_security_level(s));
9f6ef3
 
9f6ef3
     /* Set suite B flags if needed */
9f6ef3
-    X509_STORE_CTX_set_flags(ctx, tls1_suiteb(s));
9f6ef3
+    X509_STORE_CTX_set_flags(ctx, tls1_suiteb(s) | sha1_disable(s, NULL));
9f6ef3
     if (!X509_STORE_CTX_set_ex_data
9f6ef3
         (ctx, SSL_get_ex_data_X509_STORE_CTX_idx(), s)) {
9f6ef3
         goto end;
9f6ef3
@@ -953,12 +954,33 @@ static int ssl_security_default_callback
3a273b
             return 0;
3a273b
         break;
3a273b
     default:
3a273b
+        /* allow SHA1 in SECLEVEL 2 in non FIPS mode */
9f6ef3
+        if (nid == NID_sha1 && minbits == 112 && !sha1_disable(s, ctx))
3a273b
+            break;
3a273b
         if (bits < minbits)
3a273b
             return 0;
3a273b
     }
9f6ef3
     return 1;
9f6ef3
 }
9f6ef3
 
9f6ef3
+static unsigned long sha1_disable(const SSL *s, const SSL_CTX *ctx)
9f6ef3
+{
9f6ef3
+    unsigned long ret = 0x40000000; /* a magical internal value used by X509_VERIFY_PARAM */
9f6ef3
+    const CERT *c;
9f6ef3
+
9f6ef3
+    if (FIPS_mode())
9f6ef3
+        return ret;
9f6ef3
+
9f6ef3
+    if (ctx != NULL) {
9f6ef3
+       c = ctx->cert;
9f6ef3
+    } else {
9f6ef3
+       c = s->cert;
9f6ef3
+    }
9f6ef3
+    if (tls1_cert_sigalgs_have_sha1(c))
9f6ef3
+        return 0;
9f6ef3
+    return ret;
9f6ef3
+}
9f6ef3
+
9f6ef3
 int ssl_security(const SSL *s, int op, int bits, int nid, void *other)
9f6ef3
 {
9f6ef3
     return s->cert->sec_cb(s, NULL, op, bits, nid, other, s->cert->sec_ex);
9f6ef3
diff -up openssl-1.1.1g/ssl/ssl_local.h.seclevel openssl-1.1.1g/ssl/ssl_local.h
9f6ef3
--- openssl-1.1.1g/ssl/ssl_local.h.seclevel	2020-06-04 15:48:01.602178783 +0200
9f6ef3
+++ openssl-1.1.1g/ssl/ssl_local.h	2020-06-05 17:02:22.666313410 +0200
9f6ef3
@@ -2576,6 +2576,7 @@ __owur int tls1_save_sigalgs(SSL *s, PAC
9f6ef3
 __owur int tls1_process_sigalgs(SSL *s);
9f6ef3
 __owur int tls1_set_peer_legacy_sigalg(SSL *s, const EVP_PKEY *pkey);
9f6ef3
 __owur int tls1_lookup_md(const SIGALG_LOOKUP *lu, const EVP_MD **pmd);
9f6ef3
+int tls1_cert_sigalgs_have_sha1(const CERT *c);
9f6ef3
 __owur size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs);
9f6ef3
 #  ifndef OPENSSL_NO_EC
9f6ef3
 __owur int tls_check_sigalg_curve(const SSL *s, int curve);
9f6ef3
diff -up openssl-1.1.1g/ssl/t1_lib.c.seclevel openssl-1.1.1g/ssl/t1_lib.c
9f6ef3
--- openssl-1.1.1g/ssl/t1_lib.c.seclevel	2020-06-04 15:48:01.654179221 +0200
9f6ef3
+++ openssl-1.1.1g/ssl/t1_lib.c	2020-06-05 17:02:40.268459157 +0200
9f6ef3
@@ -2145,6 +2145,36 @@ int tls1_set_sigalgs(CERT *c, const int
9f6ef3
     return 0;
9f6ef3
 }
9f6ef3
 
9f6ef3
+static int tls1_sigalgs_have_sha1(const uint16_t *sigalgs, size_t sigalgslen)
9f6ef3
+{
9f6ef3
+    size_t i;
9f6ef3
+
9f6ef3
+    for (i = 0; i < sigalgslen; i++, sigalgs++) {
9f6ef3
+        const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*sigalgs);
9f6ef3
+
9f6ef3
+        if (lu == NULL)
9f6ef3
+            continue;
9f6ef3
+        if (lu->hash == NID_sha1)
9f6ef3
+            return 1;
9f6ef3
+    }
9f6ef3
+    return 0;
9f6ef3
+}
9f6ef3
+
9f6ef3
+
9f6ef3
+int tls1_cert_sigalgs_have_sha1(const CERT *c)
9f6ef3
+{
9f6ef3
+    if (c->client_sigalgs != NULL) {
9f6ef3
+        if (tls1_sigalgs_have_sha1(c->client_sigalgs, c->client_sigalgslen))
9f6ef3
+            return 1;
9f6ef3
+    }
9f6ef3
+    if (c->conf_sigalgs != NULL) {
9f6ef3
+        if (tls1_sigalgs_have_sha1(c->conf_sigalgs, c->conf_sigalgslen))
9f6ef3
+            return 1;
9f6ef3
+        return 0;
9f6ef3
+    }
9f6ef3
+    return 1;
9f6ef3
+}
9f6ef3
+
9f6ef3
 static int tls1_check_sig_alg(SSL *s, X509 *x, int default_nid)
9f6ef3
 {
9f6ef3
     int sig_nid, use_pc_sigalgs = 0;
9f6ef3
diff -up openssl-1.1.1g/test/recipes/25-test_verify.t.seclevel openssl-1.1.1g/test/recipes/25-test_verify.t
9f6ef3
--- openssl-1.1.1g/test/recipes/25-test_verify.t.seclevel	2020-04-21 14:22:39.000000000 +0200
9f6ef3
+++ openssl-1.1.1g/test/recipes/25-test_verify.t	2020-06-04 15:48:01.608178833 +0200
9f6ef3
@@ -346,8 +346,8 @@ ok(verify("ee-pss-sha1-cert", "sslserver
3a273b
 ok(verify("ee-pss-sha256-cert", "sslserver", ["root-cert"], ["ca-cert"], ),
3a273b
     "CA with PSS signature using SHA256");
3a273b
 
3a273b
-ok(!verify("ee-pss-sha1-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
3a273b
-    "Reject PSS signature using SHA1 and auth level 2");
3a273b
+ok(!verify("ee-pss-sha1-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "3"),
3a273b
+    "Reject PSS signature using SHA1 and auth level 3");
3a273b
 
3a273b
 ok(verify("ee-pss-sha256-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
3a273b
     "PSS signature using SHA256 and auth level 2");