From 3f8a3b57cf0e057635e570d5038fb52c19ca5744 Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Fri, 19 Aug 2022 10:34:52 +0200
Subject: [PATCH] [downstream] Catch SHA-1 digest disallowed error for
 PKINIT

An OpenSSL patch causes EVP_R_INVALID_DIGEST error to be raised if
CMS_verify is called to verify a SHA-1 signature. If this error is
caught, it will now return KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED.
---
 src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index 16edf15cb2..bfa3fe8e91 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -2104,6 +2104,7 @@ cms_signeddata_verify(krb5_context context,
         if (CMS_verify(cms, NULL, store, NULL, out, flags) == 0) {
             unsigned long err = ERR_peek_last_error();
             switch(ERR_GET_REASON(err)) {
+            case EVP_R_INVALID_DIGEST:
             case RSA_R_DIGEST_NOT_ALLOWED:
             case CMS_R_UNKNOWN_DIGEST_ALGORITHM:
             case CMS_R_NO_MATCHING_DIGEST:
-- 
2.38.1