You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
29 lines
1.2 KiB
29 lines
1.2 KiB
From 3f8a3b57cf0e057635e570d5038fb52c19ca5744 Mon Sep 17 00:00:00 2001
|
|
From: Julien Rische <jrische@redhat.com>
|
|
Date: Fri, 19 Aug 2022 10:34:52 +0200
|
|
Subject: [PATCH] [downstream] Catch SHA-1 digest disallowed error for
|
|
PKINIT
|
|
|
|
An OpenSSL patch causes EVP_R_INVALID_DIGEST error to be raised if
|
|
CMS_verify is called to verify a SHA-1 signature. If this error is
|
|
caught, it will now return KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED.
|
|
---
|
|
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 1 +
|
|
1 file changed, 1 insertion(+)
|
|
|
|
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
|
index 16edf15cb2..bfa3fe8e91 100644
|
|
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
|
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
|
@@ -2104,6 +2104,7 @@ cms_signeddata_verify(krb5_context context,
|
|
if (CMS_verify(cms, NULL, store, NULL, out, flags) == 0) {
|
|
unsigned long err = ERR_peek_last_error();
|
|
switch(ERR_GET_REASON(err)) {
|
|
+ case EVP_R_INVALID_DIGEST:
|
|
case RSA_R_DIGEST_NOT_ALLOWED:
|
|
case CMS_R_UNKNOWN_DIGEST_ALGORITHM:
|
|
case CMS_R_NO_MATCHING_DIGEST:
|
|
--
|
|
2.38.1
|
|
|