summaryrefslogtreecommitdiff
path: root/openssl-1.1.1-seclevel.patch
blob: c6751a5431d20a0d052b080c65497e9c87b47e61 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160

diff -up openssl-1.1.1g/crypto/x509/x509_vfy.c.seclevel openssl-1.1.1g/crypto/x509/x509_vfy.c
--- openssl-1.1.1g/crypto/x509/x509_vfy.c.seclevel	2020-04-21 14:22:39.000000000 +0200
+++ openssl-1.1.1g/crypto/x509/x509_vfy.c	2020-06-05 17:16:54.835536823 +0200
@@ -3225,6 +3225,7 @@ static int build_chain(X509_STORE_CTX *c
 }
 
 static const int minbits_table[] = { 80, 112, 128, 192, 256 };
+static const int minbits_digest_table[] = { 80, 80, 128, 192, 256 };
 static const int NUM_AUTH_LEVELS = OSSL_NELEM(minbits_table);
 
 /*
@@ -3276,6 +3277,11 @@ static int check_sig_level(X509_STORE_CT
 
     if (!X509_get_signature_info(cert, NULL, NULL, &secbits, NULL))
         return 0;
-
-    return secbits >= minbits_table[level - 1];
+    /*
+     * Allow SHA1 in SECLEVEL 2 in non-FIPS mode or when the magic
+     * disable SHA1 flag is not set.
+     */
+    if ((ctx->param->flags & 0x40000000) || FIPS_mode())
+        return secbits >= minbits_table[level - 1];
+    return secbits >= minbits_digest_table[level - 1];
 }
diff -up openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod.seclevel openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod
--- openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod.seclevel	2020-04-21 14:22:39.000000000 +0200
+++ openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod	2020-06-04 15:48:01.608178833 +0200
@@ -81,8 +81,10 @@ using MD5 for the MAC is also prohibited
 
 =item B<Level 2>
 
-Security level set to 112 bits of security. As a result RSA, DSA and DH keys
-shorter than 2048 bits and ECC keys shorter than 224 bits are prohibited.
+Security level set to 112 bits of security with the exception of SHA1 allowed
+for signatures.
+As a result RSA, DSA and DH keys shorter than 2048 bits and ECC keys
+shorter than 224 bits are prohibited.
 In addition to the level 1 exclusions any cipher suite using RC4 is also
 prohibited. SSL version 3 is also not allowed. Compression is disabled.
 
diff -up openssl-1.1.1g/ssl/ssl_cert.c.seclevel openssl-1.1.1g/ssl/ssl_cert.c
--- openssl-1.1.1g/ssl/ssl_cert.c.seclevel	2020-04-21 14:22:39.000000000 +0200
+++ openssl-1.1.1g/ssl/ssl_cert.c	2020-06-05 17:10:11.842198401 +0200
@@ -27,6 +27,7 @@
 static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx,
                                          int op, int bits, int nid, void *other,
                                          void *ex);
+static unsigned long sha1_disable(const SSL *s, const SSL_CTX *ctx);
 
 static CRYPTO_ONCE ssl_x509_store_ctx_once = CRYPTO_ONCE_STATIC_INIT;
 static volatile int ssl_x509_store_ctx_idx = -1;
@@ -396,7 +397,7 @@ int ssl_verify_cert_chain(SSL *s, STACK_
     X509_VERIFY_PARAM_set_auth_level(param, SSL_get_security_level(s));
 
     /* Set suite B flags if needed */
-    X509_STORE_CTX_set_flags(ctx, tls1_suiteb(s));
+    X509_STORE_CTX_set_flags(ctx, tls1_suiteb(s) | sha1_disable(s, NULL));
     if (!X509_STORE_CTX_set_ex_data
         (ctx, SSL_get_ex_data_X509_STORE_CTX_idx(), s)) {
         goto end;
@@ -953,12 +954,33 @@ static int ssl_security_default_callback
             return 0;
         break;
     default:
+        /* allow SHA1 in SECLEVEL 2 in non FIPS mode */
+        if (nid == NID_sha1 && minbits == 112 && !sha1_disable(s, ctx))
+            break;
         if (bits < minbits)
             return 0;
     }
     return 1;
 }
 
+static unsigned long sha1_disable(const SSL *s, const SSL_CTX *ctx)
+{
+    unsigned long ret = 0x40000000; /* a magical internal value used by X509_VERIFY_PARAM */
+    const CERT *c;
+
+    if (FIPS_mode())
+        return ret;
+
+    if (ctx != NULL) {
+       c = ctx->cert;
+    } else {
+       c = s->cert;
+    }
+    if (tls1_cert_sigalgs_have_sha1(c))
+        return 0;
+    return ret;
+}
+
 int ssl_security(const SSL *s, int op, int bits, int nid, void *other)
 {
     return s->cert->sec_cb(s, NULL, op, bits, nid, other, s->cert->sec_ex);
diff -up openssl-1.1.1g/ssl/ssl_local.h.seclevel openssl-1.1.1g/ssl/ssl_local.h
--- openssl-1.1.1g/ssl/ssl_local.h.seclevel	2020-06-04 15:48:01.602178783 +0200
+++ openssl-1.1.1g/ssl/ssl_local.h	2020-06-05 17:02:22.666313410 +0200
@@ -2576,6 +2576,7 @@ __owur int tls1_save_sigalgs(SSL *s, PAC
 __owur int tls1_process_sigalgs(SSL *s);
 __owur int tls1_set_peer_legacy_sigalg(SSL *s, const EVP_PKEY *pkey);
 __owur int tls1_lookup_md(const SIGALG_LOOKUP *lu, const EVP_MD **pmd);
+int tls1_cert_sigalgs_have_sha1(const CERT *c);
 __owur size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs);
 #  ifndef OPENSSL_NO_EC
 __owur int tls_check_sigalg_curve(const SSL *s, int curve);
diff -up openssl-1.1.1g/ssl/t1_lib.c.seclevel openssl-1.1.1g/ssl/t1_lib.c
--- openssl-1.1.1g/ssl/t1_lib.c.seclevel	2020-06-04 15:48:01.654179221 +0200
+++ openssl-1.1.1g/ssl/t1_lib.c	2020-06-05 17:02:40.268459157 +0200
@@ -2145,6 +2145,36 @@ int tls1_set_sigalgs(CERT *c, const int
     return 0;
 }
 
+static int tls1_sigalgs_have_sha1(const uint16_t *sigalgs, size_t sigalgslen)
+{
+    size_t i;
+
+    for (i = 0; i < sigalgslen; i++, sigalgs++) {
+        const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*sigalgs);
+
+        if (lu == NULL)
+            continue;
+        if (lu->hash == NID_sha1)
+            return 1;
+    }
+    return 0;
+}
+
+
+int tls1_cert_sigalgs_have_sha1(const CERT *c)
+{
+    if (c->client_sigalgs != NULL) {
+        if (tls1_sigalgs_have_sha1(c->client_sigalgs, c->client_sigalgslen))
+            return 1;
+    }
+    if (c->conf_sigalgs != NULL) {
+        if (tls1_sigalgs_have_sha1(c->conf_sigalgs, c->conf_sigalgslen))
+            return 1;
+        return 0;
+    }
+    return 1;
+}
+
 static int tls1_check_sig_alg(SSL *s, X509 *x, int default_nid)
 {
     int sig_nid, use_pc_sigalgs = 0;
diff -up openssl-1.1.1g/test/recipes/25-test_verify.t.seclevel openssl-1.1.1g/test/recipes/25-test_verify.t
--- openssl-1.1.1g/test/recipes/25-test_verify.t.seclevel	2020-04-21 14:22:39.000000000 +0200
+++ openssl-1.1.1g/test/recipes/25-test_verify.t	2020-06-04 15:48:01.608178833 +0200
@@ -346,8 +346,8 @@ ok(verify("ee-pss-sha1-cert", "sslserver
 ok(verify("ee-pss-sha256-cert", "sslserver", ["root-cert"], ["ca-cert"], ),
     "CA with PSS signature using SHA256");
 
-ok(!verify("ee-pss-sha1-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
-    "Reject PSS signature using SHA1 and auth level 2");
+ok(!verify("ee-pss-sha1-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "3"),
+    "Reject PSS signature using SHA1 and auth level 3");
 
 ok(verify("ee-pss-sha256-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
     "PSS signature using SHA256 and auth level 2");
generated by cgit v1.2.3 (git 2.25.1) at 2025-04-29 12:23:08 +0000