peterdelevoryas / rpms / qemu

Forked from rpms/qemu 2 years ago

1016-crypto-fix-test-cert-generation-to-not-use-SHA1-algo.patch

Daniel P. Berrange a8c600
From 23c1595b0297e6ca8f37559af6f0b8533aa1fd99 Mon Sep 17 00:00:00 2001
From: "Daniel P. Berrange" <berrange@redhat.com>
Date: Tue, 29 Aug 2017 17:03:30 +0100
Subject: [PATCH] crypto: fix test cert generation to not use SHA1 algorithm
GNUTLS 3.6.0 marked SHA1 as untrusted for certificates.
Unfortunately the gnutls_x509_crt_sign() method we are
using to create certificates in the test suite is fixed
to always use SHA1. We must switch to a different method
and explicitly ask for SHA256.
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
---
 tests/crypto-tls-x509-helpers.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tests/crypto-tls-x509-helpers.c b/tests/crypto-tls-x509-helpers.c
index 64073d3bd3..173d4e28fb 100644
--- a/tests/crypto-tls-x509-helpers.c
+++ b/tests/crypto-tls-x509-helpers.c
@@ -406,7 +406,8 @@ test_tls_generate_cert(QCryptoTLSTestCertReq *req,
      * If no 'ca' is set then we are self signing
      * the cert. This is done for the root CA certs
      */
-    err = gnutls_x509_crt_sign(crt, ca ? ca : crt, privkey);
+    err = gnutls_x509_crt_sign2(crt, ca ? ca : crt, privkey,
+                                GNUTLS_DIG_SHA256, 0);
     if (err < 0) {
         g_critical("Failed to sign certificate %s",
                    gnutls_strerror(err));
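Review bot: the new gnutls_x509_crt_sign2() call hard-codes GNUTLS_DIG_SHA256 and flags 0 without a comment saying why the digest is now explicit; the block comment just above the call only explains the self-signing case, so a later reader could "simplify" back to gnutls_x509_crt_sign() and reintroduce SHA1. Suggest extending that comment, e.g. `/* Sign with SHA256 explicitly: gnutls_x509_crt_sign() always uses SHA1, which GnuTLS 3.6.0 no longer trusts for certificates. */`. Worth also confirming that no other gnutls_x509_*_sign() call in these helpers still defaults to SHA1, since the commit message promises the whole test suite moves off it.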
-- 
2.13.5