From 000b230258dd272ab15b384c330c31f996d0ba18 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Fri, 14 Apr 2023 14:10:47 +0900
Subject: [PATCH] Ignore system crypto-policies for SHA-1 for legacy
 authby=rsa-sha1

Signed-off-by: Daiki Ueno <dueno@redhat.com>
---
 lib/libswan/pubkey_rsa.c | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/lib/libswan/pubkey_rsa.c b/lib/libswan/pubkey_rsa.c
index 38b44ab61d..9a7c0bc6a8 100644
--- a/lib/libswan/pubkey_rsa.c
+++ b/lib/libswan/pubkey_rsa.c
@@ -501,9 +501,33 @@ static struct hash_signature RSA_sign_hash_pkcs1_1_5_rsa(const struct secret_stu
 	 * used to generate the signature.
 	 */
 	SECItem signature_result = {0};
+
+	/* ignore system crypto-policies for the hash algorithm */
+	PRUint32 saved_policy;
+
+	if (NSS_GetAlgorithmPolicy(hash_algo->nss.oid_tag, &saved_policy) != SECSuccess) {
+		/* PR_GetError() returns the thread-local error */
+		enum_buf tb;
+		llog_nss_error(RC_LOG_SERIOUS, logger,
+			       "NSS_SetAlgorithmPolicy(%s) function failed",
+			       str_nss_oid(hash_algo->nss.oid_tag, &tb));
+		return (struct hash_signature) { .len = 0, };
+	}
+
+	if (!(saved_policy & NSS_USE_ALG_IN_SIGNATURE)) {
+		(void)NSS_SetAlgorithmPolicy(hash_algo->nss.oid_tag,
+					     NSS_USE_ALG_IN_SIGNATURE, 0);
+	}
+
 	SECStatus s = SGN_Digest(pks->u.pubkey.private_key,
 				 hash_algo->nss.oid_tag,
 				 &signature_result, &digest);
+
+	if (!(saved_policy & NSS_USE_ALG_IN_SIGNATURE)) {
+		(void)NSS_SetAlgorithmPolicy(hash_algo->nss.oid_tag,
+					     saved_policy, ~saved_policy);
+	}
+
 	if (s != SECSuccess) {
 		/* PR_GetError() returns the thread-local error */
 		enum_buf tb;
-- 
2.40.0