53 lines
1.7 KiB
Diff
53 lines
1.7 KiB
Diff
From 000b230258dd272ab15b384c330c31f996d0ba18 Mon Sep 17 00:00:00 2001
|
|
From: Daiki Ueno <dueno@redhat.com>
|
|
Date: Fri, 14 Apr 2023 14:10:47 +0900
|
|
Subject: [PATCH] Ignore system crypto-policies for SHA-1 for legacy
|
|
authby=rsa-sha1
|
|
|
|
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|
---
|
|
lib/libswan/pubkey_rsa.c | 24 ++++++++++++++++++++++++
|
|
1 file changed, 24 insertions(+)
|
|
|
|
diff --git a/lib/libswan/pubkey_rsa.c b/lib/libswan/pubkey_rsa.c
|
|
index 38b44ab61d..9a7c0bc6a8 100644
|
|
--- a/lib/libswan/pubkey_rsa.c
|
|
+++ b/lib/libswan/pubkey_rsa.c
|
|
@@ -501,9 +501,33 @@ static struct hash_signature RSA_sign_hash_pkcs1_1_5_rsa(const struct secret_stu
|
|
* used to generate the signature.
|
|
*/
|
|
SECItem signature_result = {0};
|
|
+
|
|
+ /* ignore system crypto-policies for the hash algorithm */
|
|
+ PRUint32 saved_policy;
|
|
+
|
|
+ if (NSS_GetAlgorithmPolicy(hash_algo->nss.oid_tag, &saved_policy) != SECSuccess) {
|
|
+ /* PR_GetError() returns the thread-local error */
|
|
+ enum_buf tb;
|
|
+ llog_nss_error(RC_LOG_SERIOUS, logger,
|
|
+ "NSS_SetAlgorithmPolicy(%s) function failed",
|
|
+ str_nss_oid(hash_algo->nss.oid_tag, &tb));
|
|
+ return (struct hash_signature) { .len = 0, };
|
|
+ }
|
|
+
|
|
+ if (!(saved_policy & NSS_USE_ALG_IN_SIGNATURE)) {
|
|
+ (void)NSS_SetAlgorithmPolicy(hash_algo->nss.oid_tag,
|
|
+ NSS_USE_ALG_IN_SIGNATURE, 0);
|
|
+ }
|
|
+
|
|
SECStatus s = SGN_Digest(pks->u.pubkey.private_key,
|
|
hash_algo->nss.oid_tag,
|
|
&signature_result, &digest);
|
|
+
|
|
+ if (!(saved_policy & NSS_USE_ALG_IN_SIGNATURE)) {
|
|
+ (void)NSS_SetAlgorithmPolicy(hash_algo->nss.oid_tag,
|
|
+ saved_policy, ~saved_policy);
|
|
+ }
|
|
+
|
|
if (s != SECSuccess) {
|
|
/* PR_GetError() returns the thread-local error */
|
|
enum_buf tb;
|
|
--
|
|
2.40.0
|
|
|