From 10366b4ee8c01ea20d908102e92d52fdeda168c3 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Tue, 18 Aug 2020 14:37:04 +0200
Subject: [PATCH] p11_child: switch default ocsp_dgst to sha1
For details please see discussion at
https://github.com/SSSD/sssd/pull/837#issuecomment-672831519
:newdefault: sssd:certificate_verification:ocsp_dgst, sha256, sha1
Resolves:
https://github.com/SSSD/sssd/issues/5002
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/man/sssd.conf.5.xml | 3 ++-
src/p11_child/p11_child_common_utils.c | 6 +++---
src/p11_child/p11_child_openssl.c | 4 ++--
3 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 874a09c49..50692dfdd 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -507,7 +507,8 @@
<listitem><para>sha512</para></listitem>
</itemizedlist></para>
<para>
- Default: sha256
+ Default: sha1 (to allow compatibility with
+ RFC5019-compliant responder)
</para>
<para>(NSS Version) This option is
ignored, because NSS uses sha1
diff --git a/src/p11_child/p11_child_common_utils.c b/src/p11_child/p11_child_common_utils.c
index 6798752c7..95791b1f0 100644
--- a/src/p11_child/p11_child_common_utils.c
+++ b/src/p11_child/p11_child_common_utils.c
@@ -43,7 +43,7 @@ static struct cert_verify_opts *init_cert_verify_opts(TALLOC_CTX *mem_ctx)
cert_verify_opts->ocsp_default_responder = NULL;
cert_verify_opts->ocsp_default_responder_signing_cert = NULL;
cert_verify_opts->crl_file = NULL;
- cert_verify_opts->ocsp_dgst = CKM_SHA256;
+ cert_verify_opts->ocsp_dgst = CKM_SHA_1;
cert_verify_opts->soft_ocsp = false;
cert_verify_opts->soft_crl = false;
@@ -174,8 +174,8 @@ errno_t parse_cert_verify_opts(TALLOC_CTX *mem_ctx, const char *verify_opts,
} else {
DEBUG(SSSDBG_CRIT_FAILURE,
"Unsupported digest for OCSP [%s], "
- "using default sha256.\n", &opts[c][OCSP_DGST_LEN]);
- cert_verify_opts->ocsp_dgst = CKM_SHA256;
+ "using default sha1.\n", &opts[c][OCSP_DGST_LEN]);
+ cert_verify_opts->ocsp_dgst = CKM_SHA_1;
}
#endif
} else if (strcasecmp(opts[c], "soft_ocsp") == 0) {
diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c
index 321cf162e..04b3e1467 100644
--- a/src/p11_child/p11_child_openssl.c
+++ b/src/p11_child/p11_child_openssl.c
@@ -372,8 +372,8 @@ static errno_t do_ocsp(struct p11_ctx *p11_ctx, X509 *cert)
ocsp_dgst = get_dgst(p11_ctx->cert_verify_opts->ocsp_dgst);
if (ocsp_dgst == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "Cannot determine configured digest function "
- "for OCSP, using default sha256.\n");
- ocsp_dgst = EVP_sha256();
+ "for OCSP, using default sha1.\n");
+ ocsp_dgst = EVP_sha1();
}
cid = OCSP_cert_to_id(ocsp_dgst, cert, issuer);
if (cid == NULL) {
--
2.21.3