Resolves: RHEL-107994 - squid does not work with post-quantum crypto
parent
d2145e08f6
commit
a376c7bce3
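--- /dev/null
+++ b/squid-6.10-provider-keys-digest.patch
@@ -0,0 +1,36 @@
+diff --git a/src/ssl/gadgets.cc b/src/ssl/gadgets.cc
+index 09bad6d..59171b7 100644
+--- a/src/ssl/gadgets.cc
++++ b/src/ssl/gadgets.cc
+@@ -15,6 +15,19 @@
+ #include "security/Io.h"
+ #include "ssl/gadgets.h"
+ 
++/// whether the given key requires a digest when signing
++static bool
++keyNeedsDigest(const EVP_PKEY * const pkey) {
++ if (EVP_PKEY_is_a(pkey, "ML-DSA-44") ||
++ EVP_PKEY_is_a(pkey, "ML-DSA-65") ||
++ EVP_PKEY_is_a(pkey, "ML-DSA-87") ||
++ EVP_PKEY_is_a(pkey, "ED25519") ||
++ EVP_PKEY_is_a(pkey, "ED448"))
++ return false; // no digest needed
++
++ return true; // require a digest for all other types
++}
++
+ void
+ Ssl::ForgetErrors()
+ {
+@@ -677,9 +690,9 @@ static bool generateFakeSslCertificate(Security::CertPointer & certToStore, Secu
+ assert(hash);
+ /*Now sign the request */
+ if (properties.signAlgorithm != Ssl::algSignSelf && properties.signWithPkey.get())
+- ret = X509_sign(cert.get(), properties.signWithPkey.get(), hash);
++ ret = X509_sign(cert.get(), properties.signWithPkey.get(), keyNeedsDigest(properties.signWithPkey.get()) ? hash : nullptr);
+ else //else sign with self key (self signed request)
+- ret = X509_sign(cert.get(), pkey.get(), hash);
++ ret = X509_sign(cert.get(), pkey.get(), keyNeedsDigest(pkey.get()) ? hash : nullptr);
+ 
+ if (!ret)
+ return false;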
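Review bot: `keyNeedsDigest()` in the first hunk is a hard-coded allow-list, so any other digest-less signature scheme the provider offers — SLH-DSA in OpenSSL 3.5 is the obvious one given this commit's post-quantum goal — would still receive `hash`, and `X509_sign()` would presumably fail exactly as it did for ML-DSA before the patch. Consider extending the list (SLH-DSA has twelve parameter-set names, so a prefix match on `EVP_PKEY_get0_type_name(pkey)` is more practical than more `EVP_PKEY_is_a()` calls) or, preferably, asking the key itself via `EVP_PKEY_get_default_digest_name()` and treating a mandatory `"UNDEF"` or empty result as "no digest" — but confirm what the RHEL provider actually reports for ML-DSA before relying on that. `EVP_PKEY_is_a()` exists only in OpenSSL 3.0+, which is fine for this RHEL build, but a `#if OPENSSL_VERSION_NUMBER >= 0x30000000L` guard falling back to `return true;` would keep the patch portable if it is ever sent upstream. The failure mode here is availability rather than integrity: OpenSSL rejects an unexpected digest for these one-shot schemes instead of producing a weaker signature, so no silent downgrade is introduced. `generateFakeSslCertificate()` starts and ends outside the second hunk; if `gadgets.cc` has further `X509_sign()`/`X509_REQ_sign()` call sites they would need the same treatment.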
@ -2,7 +2,7 @@
|
||||
|
||||
Name: squid
|
||||
Version: 6.10
|
||||
Release: 6%{?dist}
|
||||
Release: 7%{?dist}
|
||||
Summary: The Squid proxy caching server
|
||||
Epoch: 7
|
||||
# See CREDITS for breakdown of non GPLv2+ code
|
||||
@ -45,6 +45,8 @@ Patch207: squid-6.10-large-upload-buffer-dies.patch
|
||||
# Upstream commit: https://github.com/squid-cache/squid/commit/2e7dea3cedd3ef2f071dee82867c4147f17376dd
|
||||
# https://issues.redhat.com/browse/RHEL-86817
|
||||
Patch208: squid-6.10-cache-peer-connect-errors.patch
|
||||
# https://issues.redhat.com/browse/RHEL-107994
|
||||
Patch209: squid-6.10-provider-keys-digest.patch
|
||||
|
||||
# cache_swap.sh
|
||||
Requires: bash gawk
|
||||
@ -329,6 +331,9 @@ fi
|
||||
|
||||
|
||||
%changelog
|
||||
* Fri Sep 12 2025 Luboš Uhliarik <luhliari@redhat.com> - 7:6.10-7
|
||||
- Resolves: RHEL-107994 - squid does not work with post-quantum crypto
|
||||
|
||||
* Thu Apr 10 2025 Luboš Uhliarik <luhliari@redhat.com> - 7:6.10-6
|
||||
- Resolves: RHEL-86817 - ”TCP connection to XX.XX.XX.XX/XXXX failed” message is
|
||||
output frequently on RHEL10
|
||||
|
||||