48 lines
1.9 KiB
Diff
48 lines
1.9 KiB
Diff
From fef5896463a50e94d3a68f59f7c78a6e943ac5ad Mon Sep 17 00:00:00 2001
|
|
From: Julien Rische <jrische@redhat.com>
|
|
Date: Tue, 23 May 2023 12:19:54 +0200
|
|
Subject: [PATCH] [downstream] Make PKINIT CMS SHA-1 signature verification
|
|
available in FIPS mode
|
|
|
|
We recommend using the SHA1 crypto-module in order to allow the
|
|
verification of SHA-1 signature for CMS messages. However, this module
|
|
does not work in FIPS mode, because the SHA-1 algorithm is absent from
|
|
the OpenSSL FIPS provider.
|
|
|
|
This commit enables the signature verification process to fetch the
|
|
algorithm from a non-FIPS OpenSSL provider.
|
|
|
|
Support for SHA-1 CMS signature is still required, especially in order
|
|
to interoperate with Active Directory. At least it is until elliptic
|
|
curve cryptography is implemented for PKINIT in MIT krb5.
|
|
---
|
|
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 11 ++++++++++-
|
|
1 file changed, 10 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
|
index f41328763e..263ef7845e 100644
|
|
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
|
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
|
@@ -1844,8 +1844,17 @@ cms_signeddata_verify(krb5_context context,
|
|
if (oid == NULL)
|
|
goto cleanup;
|
|
|
|
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
|
+ /* Do not use FIPS provider (even in FIPS mode) because it keeps from
|
|
+ * allowing SHA-1 signature verification using the SHA1 crypto-module
|
|
+ */
|
|
+ cms = CMS_ContentInfo_new_ex(NULL, "-fips");
|
|
+ if (!cms)
|
|
+ goto cleanup;
|
|
+#endif
|
|
+
|
|
/* decode received CMS message */
|
|
- if ((cms = d2i_CMS_ContentInfo(NULL, &p, (int)signed_data_len)) == NULL) {
|
|
+ if (!d2i_CMS_ContentInfo(&cms, &p, (int)signed_data_len)) {
|
|
retval = oerr(context, 0, _("Failed to decode CMS message"));
|
|
goto cleanup;
|
|
}
|
|
--
|
|
2.41.0
|
|
|