dcavalca / rpms / rpm

Forked from rpms/rpm 2 years ago
Clone
Blob Blame History Raw
From 48546ffc0a3f3eb15bfd439a19fc9722eaea592f Mon Sep 17 00:00:00 2001
From: Florian Festi <ffesti@redhat.com>
Date: Tue, 28 Jun 2022 12:50:54 +0200
Subject: [PATCH] Give warning on not supported hash for RSA keys

This can happen when old keys are used on systems that have disabled SHA1
e.g. for FIPS requirements.

This is less than ideal but there is currently no way to pass a meaningful
error code up to rpmtsImportPubkey. rpmPubkeyNew just returns a valid key
or NULL.

See rhbz#2069877
---
 rpmio/digest_openssl.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/rpmio/digest_openssl.c b/rpmio/digest_openssl.c
index a28a13acc..2ec5140f1 100644
--- a/rpmio/digest_openssl.c
+++ b/rpmio/digest_openssl.c
@@ -4,6 +4,7 @@
 #include <openssl/rsa.h>
 #include <openssl/dsa.h>
 #include <rpm/rpmpgp.h>
+#include <rpm/rpmlog.h>
 
 #include "rpmio/digest.h"
 
@@ -483,6 +484,7 @@ static int pgpVerifySigRSA(pgpDigAlg pgpkey, pgpDigAlg pgpsig,
 
     ret = EVP_PKEY_CTX_set_signature_md(pkey_ctx, getEVPMD(hash_algo));
     if (ret < 0) {
+	rpmlog(RPMLOG_WARNING, "Signature not supported. Hash algorithm %s not available.\n", pgpValString(PGPVAL_HASHALGO, hash_algo));
         rc = 1;
         goto done;
     }
-- 
2.36.1