|
| 1 | +From 4a0dc44dc83cc86f92feac65175fa1370c30efc2 Mon Sep 17 00:00:00 2001 |
| 2 | +From: Tobias Brick <tobiasb@microsoft.com> |
| 3 | +Date: Fri, 26 Jun 2026 14:54:02 +0000 |
| 4 | +Subject: [PATCH 2/2] Skip SHA-1 RSA sign/verify smoke tests disabled by crypto |
| 5 | + policy |
| 6 | + |
| 7 | +Azure Linux ships the Red Hat "allow disabling of SHA-1 signatures" |
| 8 | +OpenSSL patch, and its default crypto policy disables SHA-1 signature |
| 9 | +creation and verification. The SslPlay smoke test exercised RSA-PKCS1 |
| 10 | +sign/verify with SHA-1, which now fails with |
| 11 | +"evp_pkey_ctx_set_md: invalid digest" even under the default provider. |
| 12 | + |
| 13 | +Remove the two SHA-1 RSA sign/verify cases so the smoke test reflects |
| 14 | +what the platform actually permits. SHA-1 used purely as a hash (the |
| 15 | +digest state-export and SSH-KDF cases) is unaffected, as the policy |
| 16 | +only restricts SHA-1 signatures. |
| 17 | + |
| 18 | +Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> |
| 19 | +--- |
| 20 | + SslPlay/SslPlay.cpp | 8 ++++++-- |
| 21 | + 1 file changed, 6 insertions(+), 2 deletions(-) |
| 22 | + |
| 23 | +diff --git a/SslPlay/SslPlay.cpp b/SslPlay/SslPlay.cpp |
| 24 | +index cb822a5..8cc626f 100644 |
| 25 | +--- a/SslPlay/SslPlay.cpp |
| 26 | ++++ b/SslPlay/SslPlay.cpp |
| 27 | +@@ -1059,7 +1059,9 @@ void TestRsaEvp(int modulus, uint32_t exponent) |
| 28 | + |
| 29 | + TestRsaSignVerify(privateKey, publicKey, "RSA_PKCS1_PADDING", RSA_PKCS1_PADDING, 0, "EVP_MD5", EVP_md5(), 16); |
| 30 | + #endif |
| 31 | +- TestRsaSignVerify(privateKey, publicKey, "RSA_PKCS1_PADDING", RSA_PKCS1_PADDING, 0, "EVP_sha1", EVP_sha1(), 20); |
| 32 | ++ // SHA-1 signature creation and verification are disabled by the default |
| 33 | ++ // crypto policy on Azure Linux (which ships the Red Hat "allow disabling of |
| 34 | ++ // SHA-1 signatures" OpenSSL patch), so this case is omitted. |
| 35 | + TestRsaSignVerify(privateKey, publicKey, "RSA_PKCS1_PADDING", RSA_PKCS1_PADDING, 0, "EVP_sha256", EVP_sha256(), 32); |
| 36 | + TestRsaSignVerify(privateKey, publicKey, "RSA_PKCS1_PADDING", RSA_PKCS1_PADDING, 0, "EVP_sha384", EVP_sha384(), 48); |
| 37 | + TestRsaSignVerify(privateKey, publicKey, "RSA_PKCS1_PADDING", RSA_PKCS1_PADDING, 0, "EVP_sha512", EVP_sha512(), 64); |
| 38 | +@@ -1079,7 +1081,9 @@ void TestRsaEvp(int modulus, uint32_t exponent) |
| 39 | + #if OPENSSL_VERSION_MAJOR == 1 |
| 40 | + TestRsaDigestSignVerify(privateKey, publicKey, "RSA_PKCS1_PADDING", RSA_PKCS1_PADDING, 0, "EVP_MD5", EVP_md5()); |
| 41 | + #endif |
| 42 | +- TestRsaDigestSignVerify(privateKey, publicKey, "RSA_PKCS1_PADDING", RSA_PKCS1_PADDING, 0, "EVP_sha1", EVP_sha1()); |
| 43 | ++ // SHA-1 signature creation and verification are disabled by the default |
| 44 | ++ // crypto policy on Azure Linux (which ships the Red Hat "allow disabling of |
| 45 | ++ // SHA-1 signatures" OpenSSL patch), so this case is omitted. |
| 46 | + TestRsaDigestSignVerify(privateKey, publicKey, "RSA_PKCS1_PADDING", RSA_PKCS1_PADDING, 0, "EVP_sha256", EVP_sha256()); |
| 47 | + TestRsaDigestSignVerify(privateKey, publicKey, "RSA_PKCS1_PADDING", RSA_PKCS1_PADDING, 0, "EVP_sha384", EVP_sha384()); |
| 48 | + TestRsaDigestSignVerify(privateKey, publicKey, "RSA_PKCS1_PADDING", RSA_PKCS1_PADDING, 0, "EVP_sha512", EVP_sha512()); |
| 49 | +-- |
| 50 | +2.52.0 |
| 51 | + |
0 commit comments