Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package openssl-3 for openSUSE:Factory 
checked in at 2025-05-23 14:26:45
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openssl-3 (Old)
 and      /work/SRC/openSUSE:Factory/.openssl-3.new.2732 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "openssl-3"

Fri May 23 14:26:45 2025 rev:41 rq:1278744 version:3.5.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/openssl-3/openssl-3.changes      2025-04-29 
16:40:09.101613619 +0200
+++ /work/SRC/openSUSE:Factory/.openssl-3.new.2732/openssl-3.changes    
2025-05-23 14:26:52.963261674 +0200
@@ -1,0 +2,17 @@
+Thu May 15 09:41:20 UTC 2025 - Pedro Monreal <pmonr...@suse.com>
+
+- FIPS: Fix the speed command in FIPS mode for KMAC
+  * Add openssl-FIPS-Fix-openssl-speed-KMAC.patch
+
+-------------------------------------------------------------------
+Mon May 12 10:47:50 UTC 2025 - Pedro Monreal <pmonr...@suse.com>
+
+- FIPS: Restore the check to deny SHA1 signatures in FIPS mode and
+  the functionality to allow/deny via crypto-policies. [jsc#PED-12224]
+  * Remove openssl-rh-allow-sha1-signatures.patch
+  * Add patches:
+    - openssl-Allow-disabling-of-SHA1-signatures.patch
+    - openssl-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch
+    - openssl-FIPS-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch
+
+-------------------------------------------------------------------

Old:
----
  openssl-rh-allow-sha1-signatures.patch

New:
----
  openssl-Allow-disabling-of-SHA1-signatures.patch
  openssl-FIPS-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch
  openssl-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch
  openssl-FIPS-Fix-openssl-speed-KMAC.patch

BETA DEBUG BEGIN:
  Old:  the functionality to allow/deny via crypto-policies. [jsc#PED-12224]
  * Remove openssl-rh-allow-sha1-signatures.patch
  * Add patches:
BETA DEBUG END:

BETA DEBUG BEGIN:
  New:  * Add patches:
    - openssl-Allow-disabling-of-SHA1-signatures.patch
    - openssl-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch
  New:    - openssl-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch
    - openssl-FIPS-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch
  New:    - openssl-Allow-disabling-of-SHA1-signatures.patch
    - openssl-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch
    - openssl-FIPS-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch
  New:- FIPS: Fix the speed command in FIPS mode for KMAC
  * Add openssl-FIPS-Fix-openssl-speed-KMAC.patch
BETA DEBUG END:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ openssl-3.spec ++++++
--- /var/tmp/diff_new_pack.NjdDac/_old  2025-05-23 14:26:54.287317606 +0200
+++ /var/tmp/diff_new_pack.NjdDac/_new  2025-05-23 14:26:54.291317776 +0200
@@ -80,8 +80,6 @@
 Patch16:        openssl-FIPS-140-3-keychecks.patch
 # PATCH-FIX-FEDORA bsc#1221760 FIPS: Execute KATS before HMAC verification
 Patch17:        openssl-FIPS-early-KATS.patch
-# PATCH-FIX-SUSE NOOP rh-allow-sha1-signatures from crypto-policies
-Patch18:        openssl-rh-allow-sha1-signatures.patch
 # PATCH-FIX-FEDORA bsc#1221365 bsc#1221824 FIPS: Service Level Indicator is 
needed
 Patch19:        openssl-FIPS-limit-rsa-encrypt.patch
 Patch20:        openssl-FIPS-Expose-a-FIPS-indicator.patch
@@ -118,6 +116,14 @@
 Patch39:        openssl-disable-75-test_quicapi-test.patch
 # PATCH-FIX-FEDORA bsc#1221365 FIPS: Service Level Indicator is needed
 Patch40:        openssl-FIPS-enforce-EMS-support.patch
+# PATCH-FIX-FEDORA bsc#1221787 FIPS: Selectively disallow SHA1 signatures
+Patch41:        openssl-Allow-disabling-of-SHA1-signatures.patch
+# PATCH-FIX-FEDORA bsc#1221365 FIPS: Deny SHA-1 signature verification in FIPS 
provider
+Patch42:        openssl-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch
+# PATCH-FIX-FEDORA FIPS: Allow SHA1 in seclevel 2 if rh-allow-sha1-signatures 
= yes
+Patch43:        
openssl-FIPS-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch
+# PATCH-FIX-FEDORA FIPS: Fix the speed command in FIPS mode for KMAC
+Patch44:        openssl-FIPS-Fix-openssl-speed-KMAC.patch
 
 # ulp-macros is available according to SUSE version.
 %ifarch x86_64


++++++ openssl-Allow-disabling-of-SHA1-signatures.patch ++++++
Index: openssl-3.5.0/crypto/context.c
===================================================================
--- openssl-3.5.0.orig/crypto/context.c
+++ openssl-3.5.0/crypto/context.c
@@ -85,6 +85,8 @@ struct ossl_lib_ctx_st {
 #endif
     STACK_OF(SSL_COMP) *comp_methods;
 
+    void *legacy_digest_signatures;
+
     int ischild;
     int conf_diagnostics;
 };
@@ -119,6 +121,23 @@ int ossl_lib_ctx_is_child(OSSL_LIB_CTX *
     return ctx->ischild;
 }
 
+static void ossl_ctx_legacy_digest_signatures_free(void *vldsigs)
+{
+    OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs = vldsigs;
+
+    if (ldsigs != NULL) {
+        OPENSSL_free(ldsigs);
+    }
+}
+
+static void *ossl_ctx_legacy_digest_signatures_new(OSSL_LIB_CTX *ctx)
+{
+    OSSL_LEGACY_DIGEST_SIGNATURES* ldsigs = 
OPENSSL_zalloc(sizeof(OSSL_LEGACY_DIGEST_SIGNATURES));
+    /* Default to allow SHA-1 and support disabling it via config. */
+    ldsigs->allowed = 1;
+    return ldsigs;
+}
+
 static void context_deinit_objs(OSSL_LIB_CTX *ctx);
 
 static int context_init(OSSL_LIB_CTX *ctx)
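Review bot: `ossl_ctx_legacy_digest_signatures_new()` stores `ldsigs->allowed = 1` without checking the result of `OPENSSL_zalloc()`, so an allocation failure becomes a NULL dereference instead of the NULL return that the following `context_init` hunk tests for before `goto err`. Guard the store, `if (ldsigs != NULL) ldsigs->allowed = 1;`, so that error path is actually reachable. The `if (ldsigs != NULL)` wrapper in the free helper is redundant because `OPENSSL_free(NULL)` is a no-op, and the `ctx` parameter of the constructor is unused in the visible body.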
@@ -235,6 +256,10 @@ static int context_init(OSSL_LIB_CTX *ct
         goto err;
 #endif
 
+    ctx->legacy_digest_signatures = ossl_ctx_legacy_digest_signatures_new(ctx);
+    if (ctx->legacy_digest_signatures == NULL)
+        goto err;
+
     /* Low priority. */
 #ifndef FIPS_MODULE
     ctx->child_provider = ossl_child_prov_ctx_new(ctx);
@@ -382,6 +407,11 @@ static void context_deinit_objs(OSSL_LIB
     }
 #endif
 
+    if (ctx->legacy_digest_signatures != NULL) {
+        ossl_ctx_legacy_digest_signatures_free(ctx->legacy_digest_signatures);
+        ctx->legacy_digest_signatures = NULL;
+    }
+
     /* Low priority. */
 #ifndef FIPS_MODULE
     if (ctx->child_provider != NULL) {
@@ -660,6 +690,9 @@ void *ossl_lib_ctx_get_data(OSSL_LIB_CTX
     case OSSL_LIB_CTX_COMP_METHODS:
         return (void *)&ctx->comp_methods;
 
+    case OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX:
+        return ctx->legacy_digest_signatures;
+
     default:
         return NULL;
     }
@@ -714,3 +747,44 @@ void OSSL_LIB_CTX_set_conf_diagnostics(O
         return;
     libctx->conf_diagnostics = value;
 }
+
+static OSSL_LEGACY_DIGEST_SIGNATURES *ossl_ctx_legacy_digest_signatures(
+        OSSL_LIB_CTX *libctx, int loadconfig)
+{
+#ifndef FIPS_MODULE
+    if (loadconfig && !OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL))
+        return NULL;
+#endif
+
+    return ossl_lib_ctx_get_data(libctx, 
OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX);
+}
+
+int ossl_ctx_legacy_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int 
loadconfig)
+{
+    OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs
+        = ossl_ctx_legacy_digest_signatures(libctx, loadconfig);
+
+ #ifndef FIPS_MODULE
+    if (ossl_safe_getenv("OPENSSL_ENABLE_SHA1_SIGNATURES") != NULL)
+        /* This is to be used in tests if SHA-1 is disabled. */
+        return 1;
+ #endif
+
+    /* Default to allow SHA-1 and support disabling it via config. */
+    return ldsigs != NULL ? ldsigs->allowed : 1;
+}
+
+int ossl_ctx_legacy_digest_signatures_allowed_set(OSSL_LIB_CTX *libctx, int 
allow,
+                                                  int loadconfig)
+{
+    OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs
+        = ossl_ctx_legacy_digest_signatures(libctx, loadconfig);
+
+    if (ldsigs == NULL) {
+        ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR);
+        return 0;
+    }
+
+    ldsigs->allowed = allow;
+    return 1;
+}
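Review bot: `ossl_ctx_legacy_digest_signatures_allowed()` fails open in two ways that are not documented: the `OPENSSL_ENABLE_SHA1_SIGNATURES` environment variable is consulted before the configured value and overrides a `no` policy whenever it is set to anything, and a NULL lookup result is reported as allowed (`ldsigs != NULL ? ldsigs->allowed : 1`). The in-code comment says the variable is for tests, but the config.pod hunk of this patch does not mention it, so an administrator who sets `rh-allow-sha1-signatures = no` has no indication that a process environment can undo it in non-FIPS builds. I would add a header comment along the lines of `/* Returns 1 if SHA-1 signatures are permitted. OPENSSL_ENABLE_SHA1_SIGNATURES (non-FIPS builds, tests only) overrides the configured value; a missing context entry is treated as allowed. */` and mention the variable next to the option in the man page. The ` #ifndef` and ` #endif` lines in this function also carry a stray leading space.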
Index: openssl-3.5.0/crypto/evp/evp_cnf.c
===================================================================
--- openssl-3.5.0.orig/crypto/evp/evp_cnf.c
+++ openssl-3.5.0/crypto/evp/evp_cnf.c
@@ -10,6 +10,7 @@
 #include <stdio.h>
 #include <openssl/crypto.h>
 #include "internal/cryptlib.h"
+#include "internal/sslconf.h"
 #include <openssl/conf.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
@@ -57,6 +58,18 @@ static int alg_module_init(CONF_IMODULE
                 ERR_raise(ERR_LIB_EVP, EVP_R_SET_DEFAULT_PROPERTY_FAILURE);
                 return 0;
             }
+        } else if (strcmp(oval->name, "rh-allow-sha1-signatures") == 0) {
+            int m;
+
+            /* Detailed error already reported. */
+            if (!X509V3_get_value_bool(oval, &m))
+                return 0;
+
+            if (!ossl_ctx_legacy_digest_signatures_allowed_set(
+                    NCONF_get0_libctx((CONF *)cnf), m > 0, 0)) {
+                ERR_raise(ERR_LIB_EVP, EVP_R_SET_DEFAULT_PROPERTY_FAILURE);
+                return 0;
+            }
         } else {
             ERR_raise_data(ERR_LIB_EVP, EVP_R_UNKNOWN_OPTION,
                            "name=%s, value=%s", oval->name, oval->value);
Index: openssl-3.5.0/crypto/evp/m_sigver.c
===================================================================
--- openssl-3.5.0.orig/crypto/evp/m_sigver.c
+++ openssl-3.5.0/crypto/evp/m_sigver.c
@@ -15,6 +15,7 @@
 #include "internal/provider.h"
 #include "internal/numbers.h"   /* includes SIZE_MAX */
 #include "evp_local.h"
+#include "internal/sslconf.h"
 
 static int update(EVP_MD_CTX *ctx, const void *data, size_t datalen)
 {
@@ -251,6 +252,18 @@ static int do_sigver_init(EVP_MD_CTX *ct
         }
     }
 
+    if (ctx->reqdigest != NULL
+            && !EVP_PKEY_is_a(locpctx->pkey, SN_hmac)
+            && !EVP_PKEY_is_a(locpctx->pkey, SN_tls1_prf)
+            && !EVP_PKEY_is_a(locpctx->pkey, SN_hkdf)) {
+        int mdnid = EVP_MD_nid(ctx->reqdigest);
+        if (!ossl_ctx_legacy_digest_signatures_allowed(locpctx->libctx, 0)
+                && (mdnid == NID_sha1 || mdnid == NID_md5_sha1)) {
+            ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_DIGEST);
+            goto err;
+        }
+    }
+
     if (ver) {
         if (signature->digest_verify_init == NULL) {
             ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
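Review bot: The SHA-1 policy test added to `do_sigver_init` is repeated almost verbatim in the `evp_pkey_ctx_set_md` hunk of crypto/evp/pmeth_lib.c, including the HMAC/TLS1-PRF/HKDF exclusion list, so the two copies can drift apart when a key type or digest is added. A small static helper shared by both sites, taking the library context, the key and the digest and returning whether the digest is denied, would keep the policy in one place. Neither copy explains why those three key types are exempt; a one-line comment such as `/* MAC/KDF pseudo-keys use the digest for keyed hashing, not for signatures */` would help, if that is indeed the reason. `do_sigver_init` starts and ends outside this hunk.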
Index: openssl-3.5.0/crypto/evp/pmeth_lib.c
===================================================================
--- openssl-3.5.0.orig/crypto/evp/pmeth_lib.c
+++ openssl-3.5.0/crypto/evp/pmeth_lib.c
@@ -33,6 +33,7 @@
 #include "internal/ffc.h"
 #include "internal/numbers.h"
 #include "internal/provider.h"
+#include "internal/sslconf.h"
 #include "evp_local.h"
 
 #ifndef FIPS_MODULE
@@ -954,6 +955,20 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_
         return -2;
     }
 
+    if (EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx)
+            && md != NULL
+            && ctx->pkey != NULL
+            && !EVP_PKEY_is_a(ctx->pkey, SN_hmac)
+            && !EVP_PKEY_is_a(ctx->pkey, SN_tls1_prf)
+            && !EVP_PKEY_is_a(ctx->pkey, SN_hkdf)) {
+        int mdnid = EVP_MD_nid(md);
+        if ((mdnid == NID_sha1 || mdnid == NID_md5_sha1)
+                && !ossl_ctx_legacy_digest_signatures_allowed(ctx->libctx, 0)) 
{
+            ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_DIGEST);
+            return -1;
+        }
+    }
+
     if (fallback)
         return EVP_PKEY_CTX_ctrl(ctx, -1, op, ctrl, 0, (void *)(md));
 
Index: openssl-3.5.0/doc/man5/config.pod
===================================================================
--- openssl-3.5.0.orig/doc/man5/config.pod
+++ openssl-3.5.0/doc/man5/config.pod
@@ -315,6 +315,21 @@ Within the algorithm properties section,
 The value may be anything that is acceptable as a property query
 string for EVP_set_default_properties().
 
+=item B<rh-allow-sha1-signatures>
+
+The value is a boolean that can be B<yes> or B<no>.  If the value is not set,
+it behaves as if it was set to B<yes>.
+
+When set to B<no>, any attempt to create or verify a signature with a SHA1
+digest will fail.  To test whether your software will work with future versions
+of OpenSSL, set this option to B<no>.  This setting also affects TLS, where
+signature algorithms that use SHA1 as digest will no longer be supported if
+this option is set to B<no>.  Because TLS 1.1 or lower use MD5-SHA1 as
+pseudorandom function (PRF) to derive key material, disabling
+B<rh-allow-sha1-signatures> requires the use of TLS 1.2 or newer.
+
+This is a downstream specific option, and normally it should be set up via 
crypto-policies.
+
 =item B<fips_mode> (deprecated)
 
 The value is a boolean that can be B<yes> or B<no>.  If the value is
Index: openssl-3.5.0/include/crypto/context.h
===================================================================
--- openssl-3.5.0.orig/include/crypto/context.h
+++ openssl-3.5.0/include/crypto/context.h
@@ -48,3 +48,11 @@ void ossl_release_default_drbg_ctx(void)
 #if defined(OPENSSL_THREADS)
 void ossl_threads_ctx_free(void *);
 #endif
+
+#ifndef OSSL_LEGACY_DIGEST_SIGNATURES_STRUCT
+#define OSSL_LEGACY_DIGEST_SIGNATURES_STRUCT
+typedef struct ossl_legacy_digest_signatures_st {
+    int allowed;
+} OSSL_LEGACY_DIGEST_SIGNATURES;
+#endif
+
Index: openssl-3.5.0/include/internal/cryptlib.h
===================================================================
--- openssl-3.5.0.orig/include/internal/cryptlib.h
+++ openssl-3.5.0/include/internal/cryptlib.h
@@ -120,7 +120,8 @@ typedef struct ossl_ex_data_global_st {
 # define OSSL_LIB_CTX_DECODER_CACHE_INDEX           20
 # define OSSL_LIB_CTX_COMP_METHODS                  21
 # define OSSL_LIB_CTX_INDICATOR_CB_INDEX            22
-# define OSSL_LIB_CTX_MAX_INDEXES                   22
+# define OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX 23
+# define OSSL_LIB_CTX_MAX_INDEXES                   23
 
 OSSL_LIB_CTX *ossl_lib_ctx_get_concrete(OSSL_LIB_CTX *ctx);
 int ossl_lib_ctx_is_default(OSSL_LIB_CTX *ctx);
Index: openssl-3.5.0/include/internal/sslconf.h
===================================================================
--- openssl-3.5.0.orig/include/internal/sslconf.h
+++ openssl-3.5.0/include/internal/sslconf.h
@@ -18,4 +18,8 @@ int conf_ssl_name_find(const char *name,
 void conf_ssl_get_cmd(const SSL_CONF_CMD *cmd, size_t idx, char **cmdstr,
                       char **arg);
 
+/* Methods to support disabling all signatures with legacy digests */
+int ossl_ctx_legacy_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int 
loadconfig);
+int ossl_ctx_legacy_digest_signatures_allowed_set(OSSL_LIB_CTX *libctx, int 
allow,
+                                                  int loadconfig);
 #endif
Index: openssl-3.5.0/providers/common/include/prov/securitycheck.h
===================================================================
--- openssl-3.5.0.orig/providers/common/include/prov/securitycheck.h
+++ openssl-3.5.0/providers/common/include/prov/securitycheck.h
@@ -37,3 +37,5 @@ int ossl_digest_get_approved_nid(const E
 /* Functions that have different implementations for the FIPS_MODULE */
 int ossl_digest_rsa_sign_get_md_nid(const EVP_MD *md);
 int ossl_fips_config_securitycheck_enabled(OSSL_LIB_CTX *libctx);
+
+int rh_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int mdnid);
Index: openssl-3.5.0/providers/common/securitycheck.c
===================================================================
--- openssl-3.5.0.orig/providers/common/securitycheck.c
+++ openssl-3.5.0/providers/common/securitycheck.c
@@ -19,6 +19,7 @@
 #include <openssl/core_names.h>
 #include <openssl/obj_mac.h>
 #include "prov/securitycheck.h"
+#include "internal/sslconf.h"
 
 #define OSSL_FIPS_MIN_SECURITY_STRENGTH_BITS 112
 
@@ -220,3 +221,16 @@ int ossl_dh_check_key(const DH *dh)
     return (L == 2048 && (N == 224 || N == 256));
 }
 #endif /* OPENSSL_NO_DH */
+
+int rh_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int mdnid)
+{
+#ifndef FIPS_MODULE
+    if (!ossl_ctx_legacy_digest_signatures_allowed(libctx, 0))
+        /* SHA1 is globally disabled, check whether we want to locally allow
+         * it. */
+#endif
+        if (mdnid == NID_sha1)
+            mdnid = -1;
+
+     return mdnid;
+}
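Review bot: The `if` in `rh_digest_signatures_allowed()` is split by `#ifndef FIPS_MODULE` so that its body is the following unbraced `if (mdnid == NID_sha1)`; in a FIPS_MODULE build the outer test disappears and SHA-1 is always mapped to -1, which is easy to misread and easy to break with a later edit. The comment promises a local allow check that the code does not perform, and the function name suggests a boolean while it returns a NID or -1. Unlike the EVP-layer checks in this patch it does not treat `NID_md5_sha1`; whether that difference is intended is not visible here. An equivalent form with the build difference made explicit is below.

```c
int rh_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int mdnid)
{
    /* FIPS module: SHA-1 signatures are always denied. */
    int sha1_allowed = 0;

#ifndef FIPS_MODULE
    /* Default provider: follow the rh-allow-sha1-signatures policy. */
    sha1_allowed = ossl_ctx_legacy_digest_signatures_allowed(libctx, 0);
#endif

    /* Returns the NID unchanged, or -1 when SHA-1 is denied. */
    if (mdnid == NID_sha1 && !sha1_allowed)
        return -1;

    return mdnid;
}
```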
Index: openssl-3.5.0/providers/common/securitycheck_default.c
===================================================================
--- openssl-3.5.0.orig/providers/common/securitycheck_default.c
+++ openssl-3.5.0/providers/common/securitycheck_default.c
@@ -15,6 +15,7 @@
 #include <openssl/obj_mac.h>
 #include "prov/securitycheck.h"
 #include "internal/nelem.h"
+#include "internal/sslconf.h"
 
 /* Disable the security checks in the default provider */
 int ossl_fips_config_securitycheck_enabled(OSSL_LIB_CTX *libctx)
Index: openssl-3.5.0/providers/implementations/signature/dsa_sig.c
===================================================================
--- openssl-3.5.0.orig/providers/implementations/signature/dsa_sig.c
+++ openssl-3.5.0/providers/implementations/signature/dsa_sig.c
@@ -163,6 +163,7 @@ static int dsa_setup_md(PROV_DSA_CTX *ct
 
         md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
         md_nid = ossl_digest_get_approved_nid(md);
+        md_nid = rh_digest_signatures_allowed(ctx->libctx, md_nid);
 
         if (md == NULL) {
             ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
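Review bot: `rh_digest_signatures_allowed()` can return -1, but this hunk does not touch the comparison that later rejects an unapproved digest in `dsa_setup_md`, whereas the ECDSA and RSA hunks of the same patch change theirs from `== NID_undef` to `<= 0`. If the DSA check outside this hunk still compares against `NID_undef`, a denied SHA-1 digest would pass it; please confirm and use `md_nid <= 0` there as well. The call also runs before the `md == NULL` test, which is harmless for this helper but would read more naturally after it.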
Index: openssl-3.5.0/providers/implementations/signature/ecdsa_sig.c
===================================================================
--- openssl-3.5.0.orig/providers/implementations/signature/ecdsa_sig.c
+++ openssl-3.5.0/providers/implementations/signature/ecdsa_sig.c
@@ -197,13 +197,16 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX
         goto err;
     }
     md_nid = ossl_digest_get_approved_nid(md);
+
 #ifdef FIPS_MODULE
-    if (md_nid == NID_undef) {
+    md_nid = rh_digest_signatures_allowed(ctx->libctx, md_nid);
+    if (md_nid <= 0) {
         ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
                        "digest=%s", mdname);
         goto err;
     }
 #endif
+
     /* XOF digests don't work */
     if (EVP_MD_xof(md)) {
         ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED);
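Review bot: In `ecdsa_setup_md` the new `rh_digest_signatures_allowed()` call sits inside `#ifdef FIPS_MODULE`, while the RSA hunk in rsa_sig.c calls it unconditionally, so in the default provider `rh-allow-sha1-signatures = no` is enforced for ECDSA only by the EVP-layer checks added elsewhere in this patch. If that asymmetry is deliberate, a comment such as `/* non-FIPS builds: SHA-1 policy is enforced in do_sigver_init() and evp_pkey_ctx_set_md() */` would record it; otherwise the SHA-1 check needs a counterpart outside the `#ifdef`. The function body continues outside this hunk.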
Index: openssl-3.5.0/providers/implementations/signature/rsa_sig.c
===================================================================
--- openssl-3.5.0.orig/providers/implementations/signature/rsa_sig.c
+++ openssl-3.5.0/providers/implementations/signature/rsa_sig.c
@@ -26,6 +26,7 @@
 #include "internal/cryptlib.h"
 #include "internal/nelem.h"
 #include "internal/sizes.h"
+#include "internal/sslconf.h"
 #include "crypto/rsa.h"
 #include "prov/providercommon.h"
 #include "prov/implementations.h"
@@ -34,6 +35,7 @@
 #include "prov/securitycheck.h"
 
 #define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1
+#define RSA_DEFAULT_DIGEST_NAME_NONLEGACY OSSL_DIGEST_NAME_SHA2_256
 
 OSSL_FUNC_signature_newctx_fn rsa_newctx;
 static OSSL_FUNC_signature_sign_init_fn rsa_sign_init;
@@ -387,7 +389,8 @@ static int rsa_setup_md(PROV_RSA_CTX *ct
             goto err;
         }
         md_nid = ossl_digest_rsa_sign_get_md_nid(md);
-        if (md_nid == NID_undef) {
+        md_nid = rh_digest_signatures_allowed(ctx->libctx, md_nid);
+        if (md_nid <= 0) {
             ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
                            "digest=%s", mdname);
             goto err;
@@ -475,8 +478,9 @@ static int rsa_setup_mgf1_md(PROV_RSA_CT
                        "%s could not be fetched", mdname);
         return 0;
     }
-    /* The default for mgf1 is SHA1 - so allow SHA1 */
+    /* The default for mgf1 is SHA1 - so check if we allow SHA1 */
     if ((mdnid = ossl_digest_rsa_sign_get_md_nid(md)) <= 0
+        || (mdnid = rh_digest_signatures_allowed(ctx->libctx, mdnid)) <= 0
         || !rsa_check_padding(ctx, NULL, mdname, mdnid)) {
         if (mdnid <= 0)
             ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
@@ -1765,8 +1769,13 @@ static int rsa_set_ctx_params(void *vprs
     prsactx->pad_mode = pad_mode;
 
     if (prsactx->md == NULL && pmdname == NULL
-        && pad_mode == RSA_PKCS1_PSS_PADDING)
-        pmdname = RSA_DEFAULT_DIGEST_NAME;
+        && pad_mode == RSA_PKCS1_PSS_PADDING) {
+        if (ossl_ctx_legacy_digest_signatures_allowed(prsactx->libctx, 0)) {
+            pmdname = RSA_DEFAULT_DIGEST_NAME;
+        } else {
+            pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY;
+        }
+    }
 
     if (pmgf1mdname != NULL
         && !rsa_setup_mgf1_md(prsactx, pmgf1mdname, pmgf1mdprops))
Index: openssl-3.5.0/ssl/t1_lib.c
===================================================================
--- openssl-3.5.0.orig/ssl/t1_lib.c
+++ openssl-3.5.0/ssl/t1_lib.c
@@ -21,6 +21,7 @@
 #include <openssl/bn.h>
 #include <openssl/provider.h>
 #include <openssl/param_build.h>
+#include "internal/sslconf.h"
 #include "internal/nelem.h"
 #include "internal/sizes.h"
 #include "internal/tlsgroups.h"
@@ -2176,6 +2177,7 @@ int ssl_setup_sigalgs(SSL_CTX *ctx)
     EVP_PKEY *tmpkey = EVP_PKEY_new();
     int istls;
     int ret = 0;
+    int ldsigs_allowed;
 
     if (ctx == NULL)
         goto err;
@@ -2193,6 +2195,7 @@ int ssl_setup_sigalgs(SSL_CTX *ctx)
         goto err;
 
     ERR_set_mark();
+    ldsigs_allowed = ossl_ctx_legacy_digest_signatures_allowed(ctx->libctx, 0);
     /* First fill cache and tls12_sigalgs list from legacy algorithm list */
     for (i = 0, lu = sigalg_lookup_tbl;
          i < OSSL_NELEM(sigalg_lookup_tbl); lu++, i++) {
@@ -2213,6 +2216,11 @@ int ssl_setup_sigalgs(SSL_CTX *ctx)
             cache[i].available = 0;
             continue;
         }
+        if ((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1)
+                && !ldsigs_allowed) {
+            cache[i].available = 0;
+            continue;
+        }
 
         if (!EVP_PKEY_set_type(tmpkey, lu->sig)) {
             cache[i].available = 0;
Index: openssl-3.5.0/util/libcrypto.num
===================================================================
--- openssl-3.5.0.orig/util/libcrypto.num
+++ openssl-3.5.0/util/libcrypto.num
@@ -5925,3 +5925,5 @@ OSSL_AA_DIST_POINT_free
 OSSL_AA_DIST_POINT_new                  6052   3_5_0   EXIST::FUNCTION:
 OSSL_AA_DIST_POINT_it                   6053   3_5_0   EXIST::FUNCTION:
 PEM_ASN1_write_bio_ctx                  6054   3_5_0   EXIST::FUNCTION:
+ossl_ctx_legacy_digest_signatures_allowed ?    3_0_1   EXIST::FUNCTION:
+ossl_ctx_legacy_digest_signatures_allowed_set ?        3_0_1   EXIST::FUNCTION:
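Review bot: Both added entries export `ossl_`-prefixed internal functions from libcrypto, with version `3_0_1` and `?` ordinals next to `3_5_0` neighbours. Exporting `ossl_ctx_legacy_digest_signatures_allowed_set` means any code linked into the process can change the SHA-1 signature policy of a library context at run time, independent of the configuration file. In the hunks shown on this page the setter is called only from crypto/evp/evp_cnf.c, which is inside libcrypto, so it may not need to be exported at all; the skipped FIPS patch could not be checked. At minimum the declaration in internal/sslconf.h should say that the setter is reserved for the config module.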

++++++ openssl-FIPS-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch 
++++++
>From c63599ee9708d543205a9173207ee7167315c624 Mon Sep 17 00:00:00 2001
From: Clemens Lang <cll...@redhat.com>
Date: Tue, 1 Mar 2022 15:44:18 +0100
Subject: [PATCH] Allow SHA1 in seclevel 2 if rh-allow-sha1-signatures = yes

---
 crypto/x509/x509_vfy.c        | 19 ++++++++++-
 doc/man5/config.pod           |  7 +++-
 ssl/t1_lib.c                  | 64 ++++++++++++++++++++++++++++-------
 test/recipes/25-test_verify.t |  7 ++--
 4 files changed, 79 insertions(+), 18 deletions(-)

Index: openssl-3.5.0/crypto/x509/x509_vfy.c
===================================================================
--- openssl-3.5.0.orig/crypto/x509/x509_vfy.c
+++ openssl-3.5.0/crypto/x509/x509_vfy.c
@@ -25,6 +25,7 @@
 #include <openssl/objects.h>
 #include <openssl/core_names.h>
 #include "internal/dane.h"
+#include "internal/sslconf.h"
 #include "crypto/x509.h"
 #include "x509_local.h"
 
@@ -3745,14 +3746,30 @@ static int check_sig_level(X509_STORE_CT
 {
     int secbits = -1;
     int level = ctx->param->auth_level;
+    int nid;
+    OSSL_LIB_CTX *libctx = NULL;
 
     if (level <= 0)
         return 1;
     if (level > NUM_AUTH_LEVELS)
         level = NUM_AUTH_LEVELS;
 
-    if (!X509_get_signature_info(cert, NULL, NULL, &secbits, NULL))
+    if (ctx->libctx)
+        libctx = ctx->libctx;
+    else if (cert->libctx)
+        libctx = cert->libctx;
+    else
+        libctx = OSSL_LIB_CTX_get0_global_default();
+
+    if (!X509_get_signature_info(cert, &nid, NULL, &secbits, NULL))
         return 0;
 
+    if (nid == NID_sha1
+            && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0)
+            && ctx->param->auth_level < 3)
+        /* When rh-allow-sha1-signatures = yes and security level <= 2,
+         * explicitly allow SHA1 for backwards compatibility. */
+        return 1;
+
     return secbits >= minbits_table[level - 1];
 }
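Review bot: The early `return 1` in `check_sig_level` skips the `secbits >= minbits_table[level - 1]` comparison for SHA-1 at auth levels 1 and 2, and because the policy defaults to allowed (`ldsigs->allowed = 1` in the first patch) this is the out-of-the-box behaviour, not an opt-in. Callers that pass `-auth_level 1` or `2` expecting SHA-1-signed certificates to be rejected will now accept them unless `rh-allow-sha1-signatures = no` is configured. The comment should say so explicitly, for example `/* Downstream default: SHA-1 certificate signatures pass at auth levels 1-2 unless rh-allow-sha1-signatures = no. */`, and the multi-line body should be braced. `ctx->param->auth_level < 3` could reuse the already clamped `level`.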
Index: openssl-3.5.0/ssl/t1_lib.c
===================================================================
--- openssl-3.5.0.orig/ssl/t1_lib.c
+++ openssl-3.5.0/ssl/t1_lib.c
@@ -21,6 +21,7 @@
 #include <openssl/bn.h>
 #include <openssl/provider.h>
 #include <openssl/param_build.h>
+#include "crypto/x509.h"
 #include "internal/sslconf.h"
 #include "internal/nelem.h"
 #include "internal/sizes.h"
@@ -2807,19 +2808,27 @@ int tls12_check_peer_sigalg(SSL_CONNECTI
         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_UNKNOWN_DIGEST);
         return 0;
     }
-    /*
-     * Make sure security callback allows algorithm. For historical
-     * reasons we have to pass the sigalg as a two byte char array.
-     */
-    sigalgstr[0] = (sig >> 8) & 0xff;
-    sigalgstr[1] = sig & 0xff;
-    secbits = sigalg_security_bits(SSL_CONNECTION_GET_CTX(s), lu);
-    if (secbits == 0 ||
-        !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits,
-                      md != NULL ? EVP_MD_get_type(md) : NID_undef,
-                      (void *)sigalgstr)) {
-        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE);
-        return 0;
+
+    if (lu->hash == NID_sha1
+            && 
ossl_ctx_legacy_digest_signatures_allowed(s->session_ctx->libctx, 0)
+            && SSL_get_security_level(SSL_CONNECTION_GET_SSL(s)) < 3) {
+        /* when rh-allow-sha1-signatures = yes and security level <= 2,
+         * explicitly allow SHA1 for backwards compatibility */
+    } else {
+        /*
+         * Make sure security callback allows algorithm. For historical
+         * reasons we have to pass the sigalg as a two byte char array.
+         */
+        sigalgstr[0] = (sig >> 8) & 0xff;
+        sigalgstr[1] = sig & 0xff;
+        secbits = sigalg_security_bits(s->session_ctx, lu);
+        if (secbits == 0 ||
+            !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits,
+                          md != NULL ? EVP_MD_get_type(md) : NID_undef,
+                          (void *)sigalgstr)) {
+            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE);
+            return 0;
+        }
     }
     /* Store the sigalg the peer uses */
     s->s3.tmp.peer_sigalg = lu;
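Review bot: When the SHA-1 exemption applies, `tls12_check_peer_sigalg` no longer calls `ssl_security(s, SSL_SECOP_SIGALG_CHECK, ...)` at all, so a security callback installed by the application is not consulted for SHA-1 signature algorithms below level 3; the same shortcut appears in the `tls12_sigalg_allowed` and `ssl_security_cert_sig` hunks of this file. If the intent is only to relax the default level check, the comment should say that application callbacks are skipped too. The rewritten else-branch also passes `s->session_ctx` to `sigalg_security_bits()` where the removed line used `SSL_CONNECTION_GET_CTX(s)`, which the `tls12_sigalg_allowed` context lines still use, so that change looks unintentional. The empty `if` body would read better as a negated condition guarding the existing check.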
@@ -3391,6 +3400,14 @@ static int tls12_sigalg_allowed(const SS
         }
     }
 
+    if (lu->hash == NID_sha1
+            && 
ossl_ctx_legacy_digest_signatures_allowed(s->session_ctx->libctx, 0)
+            && SSL_get_security_level(SSL_CONNECTION_GET_SSL(s)) < 3) {
+        /* when rh-allow-sha1-signatures = yes and security level <= 2,
+         * explicitly allow SHA1 for backwards compatibility */
+        return 1;
+    }
+
     /* Finally see if security callback allows it */
     secbits = sigalg_security_bits(SSL_CONNECTION_GET_CTX(s), lu);
     sigalgstr[0] = (lu->sigalg >> 8) & 0xff;
@@ -4381,6 +4398,8 @@ static int ssl_security_cert_sig(SSL_CON
 {
     /* Lookup signature algorithm digest */
     int secbits, nid, pknid;
+    OSSL_LIB_CTX *libctx = NULL;
+
 
     /* Don't check signature if self signed */
     if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)
@@ -4390,6 +4409,25 @@ static int ssl_security_cert_sig(SSL_CON
     /* If digest NID not defined use signature NID */
     if (nid == NID_undef)
         nid = pknid;
+
+    if (x && x->libctx)
+        libctx = x->libctx;
+    else if (ctx && ctx->libctx)
+        libctx = ctx->libctx;
+    else if (s && s->session_ctx && s->session_ctx->libctx)
+        libctx = s->session_ctx->libctx;
+    else
+        libctx = OSSL_LIB_CTX_get0_global_default();
+
+    if (nid == NID_sha1
+            && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0)
+            && ((s != NULL && 
SSL_get_security_level(SSL_CONNECTION_GET_SSL(s)) < 3)
+                || (ctx != NULL && SSL_CTX_get_security_level(ctx) < 3)
+            ))
+        /* When rh-allow-sha1-signatures = yes and security level <= 2,
+         * explicitly allow SHA1 for backwards compatibility. */
+        return 1;
+
     if (s != NULL)
         return ssl_security(s, op, secbits, nid, x);
     else
Index: openssl-3.5.0/test/recipes/25-test_verify.t
===================================================================
--- openssl-3.5.0.orig/test/recipes/25-test_verify.t
+++ openssl-3.5.0/test/recipes/25-test_verify.t
@@ -29,7 +29,7 @@ sub verify {
     run(app([@args]));
 }
 
-plan tests => 194;
+plan tests => 193;
 
 # Canonical success
 ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
@@ -484,8 +484,9 @@ ok(verify("ee-pss-sha1-cert", "", ["root
 ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], ),
     "CA with PSS signature using SHA256");
 
-ok(!verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", 
"1"),
-    "Reject PSS signature using SHA1 and auth level 1");
+## rh-allow-sha1-signatures=yes allows this to pass despite -auth_level 1
+#ok(!verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", 
"1"),
+#    "Reject PSS signature using SHA1 and auth level 1");
 
 ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", 
"2"),
     "PSS signature using SHA256 and auth level 2");
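Review bot: The only negative test for SHA-1 PSS certificates under `-auth_level` is commented out and the plan lowered to 193, so nothing in this file now checks that the exemption stops where the code says it does. The `check_sig_level` hunk of the same patch limits the exemption to `auth_level < 3`, so the assertion could be kept at level 3 instead of dropped, e.g. `ok(!verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "3"), "Reject PSS signature using SHA1 and auth level 3");` with the plan left at 194. Whether the test certificates' keys otherwise satisfy level 3 is not visible here, so a run at level 1 with `rh-allow-sha1-signatures = no` configured would be the more direct check.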

++++++ openssl-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch ++++++
++++ 993 lines (skipped)

++++++ openssl-FIPS-Fix-openssl-speed-KMAC.patch ++++++
>From e128762a1b1f047633e76022a6a8097cb88b49a6 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <beld...@gmail.com>
Date: Fri, 9 May 2025 15:09:46 +0200
Subject: [PATCH 51/54] Make `openssl speed` run in FIPS mode

---
 apps/speed.c | 44 ++++++++++++++++++++++----------------------
 1 file changed, 22 insertions(+), 22 deletions(-)

Index: openssl-3.5.0/apps/speed.c
===================================================================
--- openssl-3.5.0.orig/apps/speed.c
+++ openssl-3.5.0/apps/speed.c
@@ -3172,18 +3172,18 @@ int speed_main(int argc, char **argv)
                                                       (void *)key32, 16);
         params[1] = OSSL_PARAM_construct_end();
 
-        if (mac_setup("KMAC-128", &mac, params, loopargs, loopargs_len) < 1)
-            goto end;
-        for (testnum = 0; testnum < size_num; testnum++) {
-            print_message(names[D_KMAC128], lengths[testnum], seconds.sym);
-            Time_F(START);
-            count = run_benchmark(async_jobs, KMAC128_loop, loopargs);
-            d = Time_F(STOP);
-            print_result(D_KMAC128, testnum, count, d);
-            if (count < 0)
-                break;
+        if (mac_setup("KMAC-128", &mac, params, loopargs, loopargs_len) == 1) {
+            for (testnum = 0; testnum < size_num; testnum++) {
+                print_message(names[D_KMAC128], lengths[testnum], seconds.sym);
+                Time_F(START);
+                count = run_benchmark(async_jobs, KMAC128_loop, loopargs);
+                d = Time_F(STOP);
+                print_result(D_KMAC128, testnum, count, d);
+                if (count < 0)
+                    break;
+            }
+            mac_teardown(&mac, loopargs, loopargs_len);
         }
-        mac_teardown(&mac, loopargs, loopargs_len);
     }
 
     if (doit[D_KMAC256]) {
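Review bot: A failed `mac_setup("KMAC-128", ...)` is now skipped without any message, and the `== 1` test treats every failure the same, not only the FIPS-mode case the changelog describes; the KMAC-256 hunk below has the same shape. Unless `mac_setup` already reports the error (not visible here), print a short notice in an `else` branch, e.g. `BIO_printf(bio_err, "KMAC-128 is not available, skipping\n");`, so missing rows in the results are explained. `speed_main` starts and ends outside both hunks.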
@@ -3193,18 +3193,18 @@ int speed_main(int argc, char **argv)
                                                       (void *)key32, 32);
         params[1] = OSSL_PARAM_construct_end();
 
-        if (mac_setup("KMAC-256", &mac, params, loopargs, loopargs_len) < 1)
-            goto end;
-        for (testnum = 0; testnum < size_num; testnum++) {
-            print_message(names[D_KMAC256], lengths[testnum], seconds.sym);
-            Time_F(START);
-            count = run_benchmark(async_jobs, KMAC256_loop, loopargs);
-            d = Time_F(STOP);
-            print_result(D_KMAC256, testnum, count, d);
-            if (count < 0)
-                break;
+        if (mac_setup("KMAC-256", &mac, params, loopargs, loopargs_len) == 1) {
+            for (testnum = 0; testnum < size_num; testnum++) {
+                print_message(names[D_KMAC256], lengths[testnum], seconds.sym);
+                Time_F(START);
+                count = run_benchmark(async_jobs, KMAC256_loop, loopargs);
+                d = Time_F(STOP);
+                print_result(D_KMAC256, testnum, count, d);
+                if (count < 0)
+                    break;
+            }
+            mac_teardown(&mac, loopargs, loopargs_len);
         }
-        mac_teardown(&mac, loopargs, loopargs_len);
     }
 
     for (i = 0; i < loopargs_len; i++)
