openvpn/0001-workaround-Allow-weaker-RSA-keys-and-MD-algorithms-i.patch

From 9e2c742b2d8ffc31db7590cfc4f29d2012dd8de1 Mon Sep 17 00:00:00 2001
From: David Sommerseth <davids@openvpn.net>
Date: Thu, 23 Mar 2017 01:34:06 +0100
Subject: [PATCH] workaround: Allow weaker RSA keys and MD algorithms in Fedora

This patch hard codes an alternative mbed TLS profile to allow
RSA keys >= 1024 bits as well as SHA1 and RIPEMD160 hashing.

Signed-off-by: David Sommerseth <davids@openvpn.net>
---
 src/openvpn/ssl_mbedtls.c | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
index ba8dadf..05f8a48 100644
--- a/src/openvpn/ssl_mbedtls.c
+++ b/src/openvpn/ssl_mbedtls.c
@@ -932,6 +932,29 @@ key_state_ssl_init(struct key_state_ssl *ks_ssl,
                                           MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED);
 #endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */
 
+    /* Fedora adoption - allow legacy certificates
+     * Taken from the OpenVPN 3 Core code base
+     */
+    const static mbedtls_x509_crt_profile crt_profile_legacy = {
+	MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 ) |
+	MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_RIPEMD160 ) |
+	MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 ) |
+	MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) |
+	MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ) |
+	MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ),
+	-1, /* Any PK alg    */
+	-1, /* Any curve     */
+	1024,      /* Minimum size for RSA keys */
+    };
+    mbedtls_ssl_conf_cert_profile(&ks_ssl->ssl_config, &crt_profile_legacy);
+    static bool fedora_mod_info = false;
+    if (!fedora_mod_info) {
+	msg(M_INFO, "[Fedora modification] Switched mbed TLS certificate profile to legacy mode");
+	fedora_mod_info = true;
+    }
+
+    /* End of Fedora adoption */
+
     /* Initialise authentication information */
     if (is_server)
     {
-- 
2.11.0