michal-grzedzicki / rpms / rpm

Forked from rpms/rpm 4 months ago
Clone

Blame SOURCES/0001-Give-warning-on-not-supported-hash-for-RSA-keys.patch

69bb10
From 48546ffc0a3f3eb15bfd439a19fc9722eaea592f Mon Sep 17 00:00:00 2001
69bb10
From: Florian Festi <ffesti@redhat.com>
69bb10
Date: Tue, 28 Jun 2022 12:50:54 +0200
69bb10
Subject: [PATCH] Give warning on not supported hash for RSA keys
69bb10
69bb10
This can happen when old keys are used on systems that have disabled SHA1
69bb10
e.g. for FIPS requirements.
69bb10
69bb10
This is less than ideal but there is currently no way to pass a meaningful
69bb10
error code up to rpmtsImportPubkey. rpmPubkeyNew just returns a valid key
69bb10
or NULL.
69bb10
69bb10
See rhbz#2069877
69bb10
---
69bb10
 rpmio/digest_openssl.c | 2 ++
69bb10
 1 file changed, 2 insertions(+)
69bb10
69bb10
diff --git a/rpmio/digest_openssl.c b/rpmio/digest_openssl.c
69bb10
index a28a13acc..2ec5140f1 100644
69bb10
--- a/rpmio/digest_openssl.c
69bb10
+++ b/rpmio/digest_openssl.c
69bb10
@@ -4,6 +4,7 @@
69bb10
 #include <openssl/rsa.h>
69bb10
 #include <openssl/dsa.h>
69bb10
 #include <rpm/rpmpgp.h>
69bb10
+#include <rpm/rpmlog.h>
69bb10
 
69bb10
 #include "rpmio/digest.h"
69bb10
 
69bb10
@@ -483,6 +484,7 @@ static int pgpVerifySigRSA(pgpDigAlg pgpkey, pgpDigAlg pgpsig,
69bb10
 
69bb10
     ret = EVP_PKEY_CTX_set_signature_md(pkey_ctx, getEVPMD(hash_algo));
69bb10
     if (ret < 0) {
69bb10
+	rpmlog(RPMLOG_WARNING, "Signature not supported. Hash algorithm %s not available.\n", pgpValString(PGPVAL_HASHALGO, hash_algo));
69bb10
         rc = 1;
69bb10
         goto done;
69bb10
     }
69bb10
-- 
69bb10
2.36.1
69bb10