From c7d2d7c090bc000acd67b358150b9487f606ff20 Mon Sep 17 00:00:00 2001 From: Julien Rische Date: Fri, 19 Aug 2022 10:34:52 +0200 Subject: [PATCH] [downstream] Catch SHA-1 digest disallowed error for PKINIT An OpenSSL patch causes EVP_R_INVALID_DIGEST error to be raised if CMS_verify is called to verify a SHA-1 signature. If this error is caught, it will now return KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED. --- src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c index 16edf15cb2..bfa3fe8e91 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c @@ -2104,6 +2104,7 @@ cms_signeddata_verify(krb5_context context, if (CMS_verify(cms, NULL, store, NULL, out, flags) == 0) { unsigned long err = ERR_peek_last_error(); switch(ERR_GET_REASON(err)) { + case EVP_R_INVALID_DIGEST: case RSA_R_DIGEST_NOT_ALLOWED: case CMS_R_UNKNOWN_DIGEST_ALGORITHM: case CMS_R_NO_MATCHING_DIGEST: -- 2.38.1