You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
48 lines
1.9 KiB
48 lines
1.9 KiB
1 month ago
|
From 31b9debcf2cbd558f8f315fefb69fc8206b115b4 Mon Sep 17 00:00:00 2001
|
||
|
From: Julien Rische <jrische@redhat.com>
|
||
|
Date: Tue, 23 May 2023 12:19:54 +0200
|
||
|
Subject: [PATCH] [downstream] Make PKINIT CMS SHA-1 signature
|
||
|
verification available in FIPS mode
|
||
|
|
||
|
We recommend using the SHA1 crypto-module in order to allow the
|
||
|
verification of SHA-1 signature for CMS messages. However, this module
|
||
|
does not work in FIPS mode, because the SHA-1 algorithm is absent from
|
||
|
the OpenSSL FIPS provider.
|
||
|
|
||
|
This commit enables the signature verification process to fetch the
|
||
|
algorithm from a non-FIPS OpenSSL provider.
|
||
|
|
||
|
Support for SHA-1 CMS signature is still required, especially in order
|
||
|
to interoperate with Active Directory. At least it is until elliptic
|
||
|
curve cryptography is implemented for PKINIT in MIT krb5.
|
||
|
---
|
||
|
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 11 ++++++++++-
|
||
|
1 file changed, 10 insertions(+), 1 deletion(-)
|
||
|
|
||
|
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||
|
index cb9c79626c..17dd18e37d 100644
|
||
|
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||
|
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||
|
@@ -1844,8 +1844,17 @@ cms_signeddata_verify(krb5_context context,
|
||
|
if (oid == NULL)
|
||
|
goto cleanup;
|
||
|
|
||
|
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
||
|
+ /* Do not use FIPS provider (even in FIPS mode) because it keeps from
|
||
|
+ * allowing SHA-1 signature verification using the SHA1 crypto-module
|
||
|
+ */
|
||
|
+ cms = CMS_ContentInfo_new_ex(NULL, "-fips");
|
||
|
+ if (!cms)
|
||
|
+ goto cleanup;
|
||
|
+#endif
|
||
|
+
|
||
|
/* decode received CMS message */
|
||
|
- if ((cms = d2i_CMS_ContentInfo(NULL, &p, (int)signed_data_len)) == NULL) {
|
||
|
+ if (!d2i_CMS_ContentInfo(&cms, &p, (int)signed_data_len)) {
|
||
|
retval = oerr(context, 0, _("Failed to decode CMS message"));
|
||
|
goto cleanup;
|
||
|
}
|
||
|
--
|
||
|
2.45.1
|
||
|
|