41 lines
1.2 KiB
Diff
41 lines
1.2 KiB
Diff
From 48546ffc0a3f3eb15bfd439a19fc9722eaea592f Mon Sep 17 00:00:00 2001
|
|
From: Florian Festi <ffesti@redhat.com>
|
|
Date: Tue, 28 Jun 2022 12:50:54 +0200
|
|
Subject: [PATCH] Give warning on not supported hash for RSA keys
|
|
|
|
This can happen when old keys are used on systems that have disabled SHA1
|
|
e.g. for FIPS requirements.
|
|
|
|
This is less than ideal but there is currently no way to pass a meaningful
|
|
error code up to rpmtsImportPubkey. rpmPubkeyNew just returns a valid key
|
|
or NULL.
|
|
|
|
See rhbz#2069877
|
|
---
|
|
rpmio/digest_openssl.c | 2 ++
|
|
1 file changed, 2 insertions(+)
|
|
|
|
diff --git a/rpmio/digest_openssl.c b/rpmio/digest_openssl.c
|
|
index a28a13acc..2ec5140f1 100644
|
|
--- a/rpmio/digest_openssl.c
|
|
+++ b/rpmio/digest_openssl.c
|
|
@@ -4,6 +4,7 @@
|
|
#include <openssl/rsa.h>
|
|
#include <openssl/dsa.h>
|
|
#include <rpm/rpmpgp.h>
|
|
+#include <rpm/rpmlog.h>
|
|
|
|
#include "rpmio/digest.h"
|
|
|
|
@@ -483,6 +484,7 @@ static int pgpVerifySigRSA(pgpDigAlg pgpkey, pgpDigAlg pgpsig,
|
|
|
|
ret = EVP_PKEY_CTX_set_signature_md(pkey_ctx, getEVPMD(hash_algo));
|
|
if (ret < 0) {
|
|
+ rpmlog(RPMLOG_WARNING, "Signature not supported. Hash algorithm %s not available.\n", pgpValString(PGPVAL_HASHALGO, hash_algo));
|
|
rc = 1;
|
|
goto done;
|
|
}
|
|
--
|
|
2.36.1
|
|
|