From 1dddaa3226fe1b71b68ec9665d93864a5ec69801 Mon Sep 17 00:00:00 2001

From: rpm-build <rpm-build>

Date: Mon, 9 Jan 2023 23:26:10 +0900

Subject: [PATCH] libreswan-3.32-1861360-nodefault-rsa-pss.patch

---

 lib/libipsecconf/confread.c | 5 +++++

 1 file changed, 5 insertions(+)

diff --git a/lib/libipsecconf/confread.c b/lib/libipsecconf/confread.c

index 0444118..ec87646 100644

--- a/lib/libipsecconf/confread.c

+++ b/lib/libipsecconf/confread.c

@@ -1501,9 +1501,14 @@ static bool load_conn(struct starter_conn *conn,

 				   hunk_streq(val, "rsa")) {

 				conn->authby.rsasig = true;

 				conn->authby.rsasig_v1_5 = true;

+				/*

+				 * These cause failure with RSA 1024 bits because it uses RSA-PSS

+				 */

+#if 0

 				conn->sighash_policy |= POL_SIGHASH_SHA2_256;

 				conn->sighash_policy |= POL_SIGHASH_SHA2_384;

 				conn->sighash_policy |= POL_SIGHASH_SHA2_512;

+#endif

 			} else if (hunk_streq(val, "never")) {

 				conn->authby.never = true;

 			/* everything else is only supported for IKEv2 */

-- 

2.39.0