Blame SOURCES/0001-Give-warning-on-not-supported-hash-for-RSA-keys.patch
From 48546ffc0a3f3eb15bfd439a19fc9722eaea592f Mon Sep 17 00:00:00 2001
From: Florian Festi <ffesti@redhat.com>
Date: Tue, 28 Jun 2022 12:50:54 +0200
Subject: [PATCH] Give warning on not supported hash for RSA keys
This can happen when old keys are used on systems that have disabled SHA1
e.g. for FIPS requirements.
This is less than ideal but there is currently no way to pass a meaningful
error code up to rpmtsImportPubkey. rpmPubkeyNew just returns a valid key
or NULL.
See rhbz#2069877
---
rpmio/digest_openssl.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/rpmio/digest_openssl.c b/rpmio/digest_openssl.c
index a28a13acc..2ec5140f1 100644
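--- a/rpmio/digest_openssl.c
+++ b/rpmio/digest_openssl.c
@@ -4,6 +4,7 @@
 #include <openssl/rsa.h>
 #include <openssl/dsa.h>
 #include <rpm/rpmpgp.h>
+#include <rpm/rpmlog.h>
 
 #include "rpmio/digest.h"
 
@@ -483,6 +484,7 @@ static int pgpVerifySigRSA(pgpDigAlg pgpkey, pgpDigAlg pgpsig,
 
 ret = EVP_PKEY_CTX_set_signature_md(pkey_ctx, getEVPMD(hash_algo));
 if (ret < 0) {
+ rpmlog(RPMLOG_WARNING, "Signature not supported. Hash algorithm %s not available.\n", pgpValString(PGPVAL_HASHALGO, hash_algo));
 rc = 1;
 goto done;
 }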
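Review bot: The new warning sits under `if (ret < 0)`, but OpenSSL documents the EVP_PKEY_CTX control calls as returning a positive value on success and 0 or a negative value on failure, so a 0 return from EVP_PKEY_CTX_set_signature_md would skip both the warning and the `rc = 1` bail-out; `if (ret <= 0) {` would cover it. The message also attributes every failure of that call to the hash being unavailable, which is only an inference when the call fails for another reason; wording such as `"Signature not supported. Could not select hash algorithm %s.\n"` would not overstate the cause. pgpVerifySigRSA starts and ends outside the hunk, so what getEVPMD() returns for a digest the crypto policy has disabled (possibly NULL) is not visible here and is worth confirming before relying on this branch to catch the FIPS/SHA1 case.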
--
2.36.1