
From 000b230258dd272ab15b384c330c31f996d0ba18 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Fri, 14 Apr 2023 14:10:47 +0900
Subject: [PATCH] Ignore system crypto-policies for SHA-1 for legacy
 authby=rsa-sha1
Signed-off-by: Daiki Ueno <dueno@redhat.com>
---
 lib/libswan/pubkey_rsa.c | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
diff --git a/lib/libswan/pubkey_rsa.c b/lib/libswan/pubkey_rsa.c
index 38b44ab61d..9a7c0bc6a8 100644
--- a/lib/libswan/pubkey_rsa.c
+++ b/lib/libswan/pubkey_rsa.c
@@ -501,9 +501,33 @@ static struct hash_signature RSA_sign_hash_pkcs1_1_5_rsa(const struct secret_stu
 	 * used to generate the signature.
 	 */
 	SECItem signature_result = {0};
+
+	/* ignore system crypto-policies for the hash algorithm */
+	PRUint32 saved_policy;
+
+	if (NSS_GetAlgorithmPolicy(hash_algo->nss.oid_tag, &saved_policy) != SECSuccess) {
+		/* PR_GetError() returns the thread-local error */
+		enum_buf tb;
+		llog_nss_error(RC_LOG_SERIOUS, logger,
+			       "NSS_SetAlgorithmPolicy(%s) function failed",
+			       str_nss_oid(hash_algo->nss.oid_tag, &tb);;
+		return (struct hash_signature) { .len = 0, };
+	}
+
+	if (!(saved_policy & NSS_USE_ALG_IN_SIGNATURE)) {
+		(void)NSS_SetAlgorithmPolicy(hash_algo->nss.oid_tag,
+					     NSS_USE_ALG_IN_SIGNATURE, 0);
+	}
+
 	SECStatus s = SGN_Digest(pks->u.pubkey.private_key,
 				 hash_algo->nss.oid_tag,
 				 &signature_result, &digest);
+
+	if (!(saved_policy & NSS_USE_ALG_IN_SIGNATURE)) {
+		(void)NSS_SetAlgorithmPolicy(hash_algo->nss.oid_tag,
+					     saved_policy, ~saved_policy);
+	}
+
 	if (s != SECSuccess) {
 		/* PR_GetError() returns the thread-local error */
 		enum_buf tb;
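Review bot: The error branch after the NSS_GetAlgorithmPolicy check is not syntactically closed as rendered — `str_nss_oid(hash_algo->nss.oid_tag, &tb);;` leaves the `llog_nss_error(` call without its closing parenthesis and should read `str_nss_oid(hash_algo->nss.oid_tag, &tb));`, and the message on the line above names `NSS_SetAlgorithmPolicy` while the call that actually failed is `NSS_GetAlgorithmPolicy`. Separately, NSS algorithm policy appears to be library-wide state rather than per-thread, so the window between the two `NSS_SetAlgorithmPolicy` calls around SGN_Digest relaxes the signature policy for that hash for every other thread in the process, not just this signing call; if that is accepted, a comment should say so, e.g. `/* NSS policy is process-global: the override is visible to concurrent sign/verify calls until restored below */`. The override is also keyed on the current policy disallowing the hash rather than on the hash being SHA-1, and it takes effect silently — a log line at that point (e.g. `llog(RC_LOG, logger, "overriding crypto-policy to allow %s in signature", str_nss_oid(hash_algo->nss.oid_tag, &tb));`) would make the bypass of the administrator's policy auditable. RSA_sign_hash_pkcs1_1_5_rsa starts before the hunk and continues past it.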
-- 
2.40.0