rpms / krb5

Clone
Source Code
GIT

Blame SOURCES/0011-downstream-Catch-SHA-1-digest-disallowed-error-for-P.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c7-sig-altarch-fasttrack c8 c8-beta c8s c9 c9-beta
  1.   c9
  2.   SOURCES
  3.   0011-downstream-Catch-SHA-1-digest-disallowed-error-for-P.patch
Blob History Raw
d1ad9f 
From 3f8a3b57cf0e057635e570d5038fb52c19ca5744 Mon Sep 17 00:00:00 2001
d1ad9f 
From: Julien Rische <jrische@redhat.com>
d1ad9f 
Date: Fri, 19 Aug 2022 10:34:52 +0200
d1ad9f 
Subject: [PATCH] [downstream] Catch SHA-1 digest disallowed error for
d1ad9f 
 PKINIT
d1ad9f
d1ad9f 
An OpenSSL patch causes EVP_R_INVALID_DIGEST error to be raised if
d1ad9f 
CMS_verify is called to verify a SHA-1 signature. If this error is
d1ad9f 
caught, it will now return KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED.
d1ad9f 
---
d1ad9f 
 src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 1 +
d1ad9f 
 1 file changed, 1 insertion(+)
d1ad9f
d1ad9f 
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
d1ad9f 
index 16edf15cb2..bfa3fe8e91 100644
d1ad9f 
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
d1ad9f 
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
d1ad9f 
@@ -2104,6 +2104,7 @@ cms_signeddata_verify(krb5_context context,
d1ad9f 
         if (CMS_verify(cms, NULL, store, NULL, out, flags) == 0) {
d1ad9f 
             unsigned long err = ERR_peek_last_error();
d1ad9f 
             switch(ERR_GET_REASON(err)) {
d1ad9f 
+            case EVP_R_INVALID_DIGEST:
d1ad9f 
             case RSA_R_DIGEST_NOT_ALLOWED:
d1ad9f 
             case CMS_R_UNKNOWN_DIGEST_ALGORITHM:
d1ad9f 
             case CMS_R_NO_MATCHING_DIGEST:
d1ad9f 
--
d1ad9f 
2.38.1
d1ad9f

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation