Blame SOURCES/0049-Selectively-disallow-SHA1-signatures.patch

From 243201772cc6d583fae9eba81cb2c2c7425bc564 Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Mon, 21 Feb 2022 17:24:44 +0100
Subject: Selectively disallow SHA1 signatures
For RHEL 9.0, we want to phase out SHA1. One of the steps to do that is
disabling SHA1 signatures. Introduce a new configuration option in the
alg_section named 'rh-allow-sha1-signatures'. This option defaults to
false. If set to false (or unset), any signature creation or
verification operations that involve SHA1 as digest will fail.
This also affects TLS, where the signature_algorithms extension of any
ClientHello message sent by OpenSSL will no longer include signatures
with the SHA1 digest if rh-allow-sha1-signatures is false. For servers
that request a client certificate, the same also applies for
CertificateRequest messages sent by them.
For signatures created using the EVP_PKEY API, this is a best-effort
check that will deny signatures in cases where the digest algorithm is
known. This means, for example, that the following steps will still
work:
 $> openssl dgst -sha1 -binary -out sha1 infile
 $> openssl pkeyutl -inkey key.pem -sign -in sha1 -out sha1sig
 $> openssl pkeyutl -inkey key.pem -verify -sigfile sha1sig -in sha1
whereas these will not:
 $> openssl dgst -sha1 -binary -out sha1 infile
 $> openssl pkeyutl -inkey kem.pem -sign -in sha1 -out sha1sig -pkeyopt digest:sha1
 $> openssl pkeyutl -inkey kem.pem -verify -sigfile sha1sig -in sha1 -pkeyopt digest:sha1
This happens because in the first case, OpenSSL's signature
implementation does not know that it is signing a SHA1 hash (it could be
signing arbitrary data).
Resolves: rhbz#2031742
---
 crypto/evp/evp_cnf.c                          | 13 ++++
 crypto/evp/m_sigver.c                         | 77 +++++++++++++++++++
 crypto/evp/pmeth_lib.c                        | 15 ++++
 doc/man5/config.pod                           | 11 +++
 include/internal/cryptlib.h                   |  3 +-
 include/internal/sslconf.h                    |  4 +
 providers/common/securitycheck.c              | 20 +++++
 providers/common/securitycheck_default.c      |  9 ++-
 providers/implementations/signature/dsa_sig.c | 11 ++-
 .../implementations/signature/ecdsa_sig.c     |  4 +
 providers/implementations/signature/rsa_sig.c | 20 ++++-
 ssl/t1_lib.c                                  |  8 ++
 util/libcrypto.num                            |  2 +
 13 files changed, 188 insertions(+), 9 deletions(-)
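diff --git a/crypto/evp/evp_cnf.c b/crypto/evp/evp_cnf.c
index 0e7fe64cf9..b9d3b6d226 100644
--- a/crypto/evp/evp_cnf.c
+++ b/crypto/evp/evp_cnf.c
@@ -10,6 +10,7 @@
 #include <stdio.h>
 #include <openssl/crypto.h>
 #include "internal/cryptlib.h"
+#include "internal/sslconf.h"
 #include <openssl/conf.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
@@ -57,6 +58,18 @@ static int alg_module_init(CONF_IMODULE *md, const CONF *cnf)
                 ERR_raise(ERR_LIB_EVP, EVP_R_SET_DEFAULT_PROPERTY_FAILURE);
                 return 0;
             }
+        } else if (strcmp(oval->name, "rh-allow-sha1-signatures") == 0) {
+            int m;
+
+            /* Detailed error already reported. */
+            if (!X509V3_get_value_bool(oval, &m))
+                return 0;
+
+            if (!ossl_ctx_legacy_digest_signatures_allowed_set(
+                    NCONF_get0_libctx((CONF *)cnf), m > 0, 0)) {
+                ERR_raise(ERR_LIB_EVP, EVP_R_SET_DEFAULT_PROPERTY_FAILURE);
+                return 0;
+            }
         } else {
             ERR_raise_data(ERR_LIB_EVP, EVP_R_UNKNOWN_OPTION,
                            "name=%s, value=%s", oval->name, oval->value);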
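Review bot: The `(CONF *)cnf` cast handed to NCONF_get0_libctx in the new `rh-allow-sha1-signatures` branch throws away the const qualifier that alg_module_init's `cnf` parameter carries; if NCONF_get0_libctx accepts a `const CONF *` in this tree, as its get0 name suggests, the cast should go, and if it does not, a one-line comment should say why it is needed. The trailing `0` for `loadconfig` also deserves a word, because this branch runs while the configuration is being parsed and a nested load would presumably recurse: `/* loadconfig = 0: we are already inside config loading */`. alg_module_init starts and ends outside the hunk.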
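diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c
index 9188edbc21..db1a1d7bc3 100644
--- a/crypto/evp/m_sigver.c
+++ b/crypto/evp/m_sigver.c
@@ -16,6 +16,71 @@
 #include "internal/numbers.h"   /* includes SIZE_MAX */
 #include "evp_local.h"
 
+typedef struct ossl_legacy_digest_signatures_st {
+    int allowed;
+} OSSL_LEGACY_DIGEST_SIGNATURES;
+
+static void ossl_ctx_legacy_digest_signatures_free(void *vldsigs)
+{
+    OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs = vldsigs;
+
+    if (ldsigs != NULL) {
+        OPENSSL_free(ldsigs);
+    }
+}
+
+static void *ossl_ctx_legacy_digest_signatures_new(OSSL_LIB_CTX *ctx)
+{
+    return OPENSSL_zalloc(sizeof(OSSL_LEGACY_DIGEST_SIGNATURES));
+}
+
+static const OSSL_LIB_CTX_METHOD ossl_ctx_legacy_digest_signatures_method = {
+    OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY,
+    ossl_ctx_legacy_digest_signatures_new,
+    ossl_ctx_legacy_digest_signatures_free,
+};
+
+static OSSL_LEGACY_DIGEST_SIGNATURES *ossl_ctx_legacy_digest_signatures(
+        OSSL_LIB_CTX *libctx, int loadconfig)
+{
+#ifndef FIPS_MODULE
+    if (loadconfig && !OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL))
+        return 0;
+#endif
+
+    return ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES,
+                                 &ossl_ctx_legacy_digest_signatures_method);
+}
+
+int ossl_ctx_legacy_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int loadconfig)
+{
+    OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs
+        = ossl_ctx_legacy_digest_signatures(libctx, loadconfig);
+
+#ifndef FIPS_MODULE
+    if (ossl_safe_getenv("OPENSSL_ENABLE_SHA1_SIGNATURES") != NULL)
+        /* used in tests */
+        return 1;
+#endif
+
+    return ldsigs != NULL ? ldsigs->allowed : 0;
+}
+
+int ossl_ctx_legacy_digest_signatures_allowed_set(OSSL_LIB_CTX *libctx, int allow,
+                                                  int loadconfig)
+{
+    OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs
+        = ossl_ctx_legacy_digest_signatures(libctx, loadconfig);
+
+    if (ldsigs == NULL) {
+        ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR);
+        return 0;
+    }
+
+    ldsigs->allowed = allow;
+    return 1;
+}
+
 #ifndef FIPS_MODULE
 
 static int update(EVP_MD_CTX *ctx, const void *data, size_t datalen)
@@ -258,6 +323,18 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
         }
     }
 
+    if (ctx->reqdigest != NULL
+            && !EVP_PKEY_is_a(locpctx->pkey, SN_hmac)
+            && !EVP_PKEY_is_a(locpctx->pkey, SN_tls1_prf)
+            && !EVP_PKEY_is_a(locpctx->pkey, SN_hkdf)) {
+        int mdnid = EVP_MD_nid(ctx->reqdigest);
+        if (!ossl_ctx_legacy_digest_signatures_allowed(locpctx->libctx, 0)
+                && (mdnid == NID_sha1 || mdnid == NID_md5_sha1)) {
+            ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_DIGEST);
+            goto err;
+        }
+    }
+
     if (ver) {
         if (signature->digest_verify_init == NULL) {
             ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);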
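Review bot: The `OPENSSL_ENABLE_SHA1_SIGNATURES` environment check in ossl_ctx_legacy_digest_signatures_allowed switches the policy off for any non-FIPS process that has the variable set, so it is a runtime override rather than the test hook that `/* used in tests */` suggests; it should be documented next to rh-allow-sha1-signatures, and the comment here should state that the lookup goes through ossl_safe_getenv, which presumably ignores the variable for privileged processes — please confirm that assumption. Two smaller points in the same hunk: `return 0;` in the pointer-returning ossl_ctx_legacy_digest_signatures should be `return NULL;`, and the `if (ldsigs != NULL)` guard around OPENSSL_free is redundant. In do_sigver_init the hmac/tls1_prf/hkdf exemption list is the same one added to evp_pkey_ctx_set_md in pmeth_lib.c; a shared helper with a comment explaining why those key types are exempt from the digest policy would keep the two checks from drifting apart. do_sigver_init starts and ends outside the hunk.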
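diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
index 2b9c6c2351..3c5a1e6f5d 100644
--- a/crypto/evp/pmeth_lib.c
+++ b/crypto/evp/pmeth_lib.c
@@ -33,6 +33,7 @@
 #include "internal/ffc.h"
 #include "internal/numbers.h"
 #include "internal/provider.h"
+#include "internal/sslconf.h"
 #include "evp_local.h"
 
 #ifndef FIPS_MODULE
@@ -946,6 +947,20 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_CTX *ctx, const EVP_MD *md,
         return -2;
     }
 
+    if (EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx)
+            && md != NULL
+            && ctx->pkey != NULL
+            && !EVP_PKEY_is_a(ctx->pkey, SN_hmac)
+            && !EVP_PKEY_is_a(ctx->pkey, SN_tls1_prf)
+            && !EVP_PKEY_is_a(ctx->pkey, SN_hkdf)) {
+        int mdnid = EVP_MD_nid(md);
+        if ((mdnid == NID_sha1 || mdnid == NID_md5_sha1)
+                && !ossl_ctx_legacy_digest_signatures_allowed(ctx->libctx, 0)) {
+            ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_DIGEST);
+            return -1;
+        }
+    }
+
     if (fallback)
         return EVP_PKEY_CTX_ctrl(ctx, -1, op, ctrl, 0, (void *)(md));
 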
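diff --git a/doc/man5/config.pod b/doc/man5/config.pod
index 77a8055e81..aa1be5ca7f 100644
--- a/doc/man5/config.pod
+++ b/doc/man5/config.pod
@@ -304,6 +304,17 @@ Within the algorithm properties section, the following names have meaning:
 The value may be anything that is acceptable as a property query
 string for EVP_set_default_properties().
 
+=item B<rh-allow-sha1-signatures>
+
+The value is a boolean that can be B<yes> or B<no>.  If the value is not set,
+it behaves as if it was set to B<no>.
+
+When set to B<no>, any attempt to create or verify a signature with a SHA1
+digest will fail.  For compatibility with older versions of OpenSSL, set this
+option to B<yes>.  This setting also affects TLS, where signature algorithms
+that use SHA1 as digest will no longer be supported if this option is set to
+B<no>.
+
 =item B<fips_mode> (deprecated)
 
 The value is a boolean that can be B<yes> or B<no>.  If the value is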
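diff --git a/include/internal/cryptlib.h b/include/internal/cryptlib.h
index 1291299b6e..e234341e6a 100644
--- a/include/internal/cryptlib.h
+++ b/include/internal/cryptlib.h
@@ -168,7 +168,8 @@ typedef struct ossl_ex_data_global_st {
 # define OSSL_LIB_CTX_PROVIDER_CONF_INDEX           16
 # define OSSL_LIB_CTX_BIO_CORE_INDEX                17
 # define OSSL_LIB_CTX_CHILD_PROVIDER_INDEX          18
-# define OSSL_LIB_CTX_MAX_INDEXES                   19
+# define OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES      19
+# define OSSL_LIB_CTX_MAX_INDEXES                   20
 
 # define OSSL_LIB_CTX_METHOD_LOW_PRIORITY          -1
 # define OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY       0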
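diff --git a/include/internal/sslconf.h b/include/internal/sslconf.h
index fd7f7e3331..05464b0655 100644
--- a/include/internal/sslconf.h
+++ b/include/internal/sslconf.h
@@ -18,4 +18,8 @@ int conf_ssl_name_find(const char *name, size_t *idx);
 void conf_ssl_get_cmd(const SSL_CONF_CMD *cmd, size_t idx, char **cmdstr,
                       char **arg);
 
+/* Methods to support disabling all signatures with legacy digests */
+int ossl_ctx_legacy_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int loadconfig);
+int ossl_ctx_legacy_digest_signatures_allowed_set(OSSL_LIB_CTX *libctx, int allow,
+                                                  int loadconfig);
 #endif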
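Review bot: The two new prototypes are exported through libcrypto.num yet carry no contract beyond the one-line comment; neither the `loadconfig` argument nor the return values are described. I would expand the comment into a short block stating that a non-zero `loadconfig` runs OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG) before the lookup, that the getter returns 1 when signatures with legacy digests are allowed and 0 otherwise (including when no per-context data could be obtained), and that the setter returns 1 on success and 0 with ERR_R_INTERNAL_ERROR raised when the context data is unavailable. Mentioning that the default is "not allowed" here would also tie the header to the documented behaviour of rh-allow-sha1-signatures.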
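diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c
index 699ada7c52..e534ad0a5f 100644
--- a/providers/common/securitycheck.c
+++ b/providers/common/securitycheck.c
@@ -19,6 +19,7 @@
 #include <openssl/core_names.h>
 #include <openssl/obj_mac.h>
 #include "prov/securitycheck.h"
+#include "internal/sslconf.h"
 
 /*
  * FIPS requires a minimum security strength of 112 bits (for encryption or
@@ -235,6 +236,15 @@ int ossl_digest_get_approved_nid_with_sha1(OSSL_LIB_CTX *ctx, const EVP_MD *md,
             mdnid = -1; /* disallowed by security checks */
     }
 # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
+
+#ifndef FIPS_MODULE
+    if (!ossl_ctx_legacy_digest_signatures_allowed(ctx, 0))
+        /* SHA1 is globally disabled, check whether we want to locally allow
+         * it. */
+        if (mdnid == NID_sha1 && !sha1_allowed)
+            mdnid = -1;
+#endif
+
     return mdnid;
 }
 
@@ -244,5 +254,15 @@ int ossl_digest_is_allowed(OSSL_LIB_CTX *ctx, const EVP_MD *md)
     if (ossl_securitycheck_enabled(ctx))
         return ossl_digest_get_approved_nid(md) != NID_undef;
 # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
+
+#ifndef FIPS_MODULE
+    {
+        int mdnid = EVP_MD_nid(md);
+        if ((mdnid == NID_sha1 || mdnid == NID_md5_sha1)
+                && !ossl_ctx_legacy_digest_signatures_allowed(ctx, 0))
+            return 0;
+    }
+#endif
+
     return 1;
 }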
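Review bot: The non-FIPS block added to ossl_digest_get_approved_nid_with_sha1 nests an unbraced `if` inside another unbraced `if` with a comment between them, which is exactly the shape that hides dangling-else and goto-fail mistakes; a single braced condition is clearer and also skips the libctx lookup for every non-SHA1 digest: `if (mdnid == NID_sha1 && !sha1_allowed && !ossl_ctx_legacy_digest_signatures_allowed(ctx, 0)) { mdnid = -1; }`. The two new checks are also not symmetric: this function gates only NID_sha1 while ossl_digest_is_allowed below rejects NID_sha1 and NID_md5_sha1; if that is intentional because md5_sha1 never arrives here as an approved NID, a comment would save the next reader the question. Both functions start outside their hunks.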
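diff --git a/providers/common/securitycheck_default.c b/providers/common/securitycheck_default.c
index de7f0d3a0a..ce54a94fbc 100644
--- a/providers/common/securitycheck_default.c
+++ b/providers/common/securitycheck_default.c
@@ -15,6 +15,7 @@
 #include <openssl/obj_mac.h>
 #include "prov/securitycheck.h"
 #include "internal/nelem.h"
+#include "internal/sslconf.h"
 
 /* Disable the security checks in the default provider */
 int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx)
@@ -23,9 +24,10 @@ int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx)
 }
 
 int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md,
-                                    ossl_unused int sha1_allowed)
+                                    int sha1_allowed)
 {
     int mdnid;
+    int ldsigs_allowed;
 
     static const OSSL_ITEM name_to_nid[] = {
         { NID_md5,       OSSL_DIGEST_NAME_MD5       },
@@ -36,8 +38,11 @@ int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md,
         { NID_ripemd160, OSSL_DIGEST_NAME_RIPEMD160 },
     };
 
-    mdnid = ossl_digest_get_approved_nid_with_sha1(ctx, md, 1);
+    ldsigs_allowed = ossl_ctx_legacy_digest_signatures_allowed(ctx, 0);
+    mdnid = ossl_digest_get_approved_nid_with_sha1(ctx, md, sha1_allowed || ldsigs_allowed);
     if (mdnid == NID_undef)
         mdnid = ossl_digest_md_to_nid(md, name_to_nid, OSSL_NELEM(name_to_nid));
+    if (mdnid == NID_md5_sha1 && !ldsigs_allowed)
+        mdnid = -1;
     return mdnid;
 }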
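Review bot: ossl_digest_rsa_sign_get_md_nid still accepts plain MD5 for RSA signatures regardless of the policy: NID_md5 remains in name_to_nid and the new gate only maps NID_md5_sha1 to -1 when legacy digests are disallowed, so a configuration that rejects SHA1 signatures keeps permitting a weaker digest. If that is intended for compatibility, a comment on the new check should say so; otherwise widen it to `if ((mdnid == NID_md5_sha1 || mdnid == NID_md5) && !ldsigs_allowed)`. The name_to_nid table is cut by the hunk boundary, so other legacy entries it holds may need the same decision.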
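diff --git a/providers/implementations/signature/dsa_sig.c b/providers/implementations/signature/dsa_sig.c
index 28fd7c498e..fa3822f39f 100644
--- a/providers/implementations/signature/dsa_sig.c
+++ b/providers/implementations/signature/dsa_sig.c
@@ -124,12 +124,17 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx,
         mdprops = ctx->propq;
 
     if (mdname != NULL) {
-        int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
         WPACKET pkt;
         EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
-        int md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,
-                                                            sha1_allowed);
+        int md_nid;
         size_t mdname_len = strlen(mdname);
+#ifdef FIPS_MODULE
+        int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
+#else
+        int sha1_allowed = 0;
+#endif
+        md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,
+                                                            sha1_allowed);
 
         if (md == NULL || md_nid < 0) {
             if (md == NULL)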
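Review bot: The `#ifdef FIPS_MODULE` / `#else` block that sets `sha1_allowed` in dsa_setup_md is repeated verbatim in ecdsa_setup_md (ecdsa_sig.c) and rsa_setup_md (rsa_sig.c) with nothing saying why non-FIPS builds pass 0; the reader has to know that ossl_digest_get_approved_nid_with_sha1 consults the rh-allow-sha1-signatures policy itself in that case. I would add at each of the three sites `/* Non-FIPS: SHA1 is decided by the libctx legacy-digest policy inside ossl_digest_get_approved_nid_with_sha1, so no local exception */`, or better, fold the decision into one helper the three callers share. The comment should also say that this changes verification: before the patch `sha1_allowed` was 1 for every non-sign operation, now SHA1 is rejected for both sign and verify unless the policy allows it, which matches the commit message but is easy to miss from the code. dsa_setup_md starts and ends outside the hunk.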
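diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c
index 865d49d100..99b228e82c 100644
--- a/providers/implementations/signature/ecdsa_sig.c
+++ b/providers/implementations/signature/ecdsa_sig.c
@@ -237,7 +237,11 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, const char *mdname,
                        "%s could not be fetched", mdname);
         return 0;
     }
+#ifdef FIPS_MODULE
     sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
+#else
+    sha1_allowed = 0;
+#endif
     md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,
                                                     sha1_allowed);
     if (md_nid < 0) {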
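diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
index 325e855333..bea397f0c1 100644
--- a/providers/implementations/signature/rsa_sig.c
+++ b/providers/implementations/signature/rsa_sig.c
@@ -26,6 +26,7 @@
 #include "internal/cryptlib.h"
 #include "internal/nelem.h"
 #include "internal/sizes.h"
+#include "internal/sslconf.h"
 #include "crypto/rsa.h"
 #include "prov/providercommon.h"
 #include "prov/implementations.h"
@@ -34,6 +35,7 @@
 #include "prov/securitycheck.h"
 
 #define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1
+#define RSA_DEFAULT_DIGEST_NAME_NONLEGACY OSSL_DIGEST_NAME_SHA2_256
 
 static OSSL_FUNC_signature_newctx_fn rsa_newctx;
 static OSSL_FUNC_signature_sign_init_fn rsa_sign_init;
@@ -289,10 +291,15 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname,
 
     if (mdname != NULL) {
         EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
+        int md_nid;
+        size_t mdname_len = strlen(mdname);
+#ifdef FIPS_MODULE
         int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
-        int md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md,
+#else
+        int sha1_allowed = 0;
+#endif
+        md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md,
                                                      sha1_allowed);
-        size_t mdname_len = strlen(mdname);
 
         if (md == NULL
             || md_nid <= 0
@@ -1348,8 +1355,15 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
     prsactx->pad_mode = pad_mode;
 
     if (prsactx->md == NULL && pmdname == NULL
-        && pad_mode == RSA_PKCS1_PSS_PADDING)
+        && pad_mode == RSA_PKCS1_PSS_PADDING) {
         pmdname = RSA_DEFAULT_DIGEST_NAME;
+#ifndef FIPS_MODULE
+        if (!ossl_ctx_legacy_digest_signatures_allowed(prsactx->libctx, 0)) {
+            pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY;
+        }
+#endif
+    }
+
 
     if (pmgf1mdname != NULL
         && !rsa_setup_mgf1_md(prsactx, pmgf1mdname, pmgf1mdprops))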
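Review bot: In rsa_set_ctx_params the added empty `+` line sits directly before the existing blank line, leaving two consecutive empty lines after the new block; drop one. The default-digest switch only covers the PSS path in this function, so if RSA_DEFAULT_DIGEST_NAME is used anywhere else in the file to pick a default (outside these hunks), the same `ossl_ctx_legacy_digest_signatures_allowed` switch to RSA_DEFAULT_DIGEST_NAME_NONLEGACY is presumably needed there too, otherwise the default still resolves to SHA1 and only fails later in rsa_setup_md. A comment on the macro pair, `/* Default PSS digest when SHA1 signatures are disallowed by the libctx policy */`, would explain why two defaults now exist. rsa_set_ctx_params starts and ends outside the hunk.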
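diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index fc32bb3556..4b74ee1a34 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -20,6 +20,7 @@
 #include <openssl/bn.h>
 #include <openssl/provider.h>
 #include <openssl/param_build.h>
+#include "internal/sslconf.h"
 #include "internal/nelem.h"
 #include "internal/sizes.h"
 #include "internal/tlsgroups.h"
@@ -1145,11 +1146,13 @@ int ssl_setup_sig_algs(SSL_CTX *ctx)
         = OPENSSL_malloc(sizeof(*lu) * OSSL_NELEM(sigalg_lookup_tbl));
     EVP_PKEY *tmpkey = EVP_PKEY_new();
     int ret = 0;
+    int ldsigs_allowed;
 
     if (cache == NULL || tmpkey == NULL)
         goto err;
 
     ERR_set_mark();
+    ldsigs_allowed = ossl_ctx_legacy_digest_signatures_allowed(ctx->libctx, 0);
     for (i = 0, lu = sigalg_lookup_tbl;
          i < OSSL_NELEM(sigalg_lookup_tbl); lu++, i++) {
         EVP_PKEY_CTX *pctx;
@@ -1169,6 +1172,11 @@ int ssl_setup_sig_algs(SSL_CTX *ctx)
             cache[i].enabled = 0;
             continue;
         }
+        if ((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1)
+                && !ldsigs_allowed) {
+            cache[i].enabled = 0;
+            continue;
+        }
 
         if (!EVP_PKEY_set_type(tmpkey, lu->sig)) {
             cache[i].enabled = 0;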
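Review bot: Disabling every sigalg_lookup_tbl entry whose hash is NID_sha1 or NID_md5_sha1 in ssl_setup_sig_algs reaches further than the signature_algorithms extension the commit message describes: NID_md5_sha1 is, as far as I recall, the digest TLS 1.0 and 1.1 use for RSA ServerKeyExchange and CertificateVerify signatures, so with the option unset those protocol versions presumably cannot complete a handshake at all — please confirm and, if so, state it in a comment here and in the config.pod entry. A comment at the new check, `/* Drop SHA1 and MD5-SHA1 sigalgs unless rh-allow-sha1-signatures is set */`, would also tie the cache filtering back to the configuration option. ssl_setup_sig_algs starts and ends outside the hunks.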
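diff --git a/util/libcrypto.num b/util/libcrypto.num
index 10b4e57d79..2d3c363bb0 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -5426,3 +5426,5 @@ ASN1_TIME_print_ex                      5553	3_0_0	EXIST::FUNCTION:
 EVP_PKEY_get0_provider                  5554	3_0_0	EXIST::FUNCTION:
 EVP_PKEY_CTX_get0_provider              5555	3_0_0	EXIST::FUNCTION:
 ossl_safe_getenv                        ?	3_0_0	EXIST::FUNCTION:
+ossl_ctx_legacy_digest_signatures_allowed ?	3_0_1	EXIST::FUNCTION:
+ossl_ctx_legacy_digest_signatures_allowed_set ?	3_0_1	EXIST::FUNCTION: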
-- 
2.35.1