diff options
Diffstat (limited to 'distro/pkg/el-7/02-fix-compilation-by-using-SHA-1.patch')
| -rw-r--r-- | distro/pkg/el-7/02-fix-compilation-by-using-SHA-1.patch | 67 |
1 files changed, 67 insertions, 0 deletions
diff --git a/distro/pkg/el-7/02-fix-compilation-by-using-SHA-1.patch b/distro/pkg/el-7/02-fix-compilation-by-using-SHA-1.patch new file mode 100644 index 0000000..cbc5aa2 --- /dev/null +++ b/distro/pkg/el-7/02-fix-compilation-by-using-SHA-1.patch @@ -0,0 +1,67 @@ +From: Daniel Salzman <daniel.salzman@nic.cz> +Date: Mon, 20 Mar 2023 14:57:54 +0100 +Subject: [PATCH] distro/el-7: fix compilation by using SHA-1 for PIN computation + +diff --git a/src/libknot/quic/quic.c b/src/libknot/quic/quic.c +index 5610865f6..555c495d9 100644 +--- a/src/libknot/quic/quic.c ++++ b/src/libknot/quic/quic.c +@@ -460,7 +460,7 @@ void knot_quic_conn_pin(knot_quic_conn_t *conn, uint8_t *pin, size_t *pin_size, + goto error; + } + +- ret = gnutls_x509_crt_get_key_id(cert, GNUTLS_KEYID_USE_SHA256, pin, pin_size); ++ ret = gnutls_x509_crt_get_key_id(cert, 0, pin, pin_size); + if (ret != GNUTLS_E_SUCCESS) { + gnutls_x509_crt_deinit(cert); + goto error; +diff --git a/src/utils/common/tls.c b/src/utils/common/tls.c +index 245dd3f96..6a2e7a986 100644 +--- a/src/utils/common/tls.c ++++ b/src/utils/common/tls.c +@@ -328,7 +328,7 @@ static int check_certificates(gnutls_session_t session, const list_t *pins) + + uint8_t cert_pin[CERT_PIN_LEN] = { 0 }; + size_t cert_pin_size = sizeof(cert_pin); +- ret = gnutls_x509_crt_get_key_id(cert, GNUTLS_KEYID_USE_SHA256, ++ ret = gnutls_x509_crt_get_key_id(cert, 0, + cert_pin, &cert_pin_size); + if (ret != 0) { + gnutls_x509_crt_deinit(cert); +@@ -336,18 +336,18 @@ static int check_certificates(gnutls_session_t session, const list_t *pins) + } + + // Check if correspond to a specified PIN. +- bool match = check_pin(cert_pin, sizeof(cert_pin), pins); ++ bool match = check_pin(cert_pin, cert_pin_size, pins); + if (match) { + matches++; + } + + uint8_t *txt_pin; +- ret = knot_base64_encode_alloc(cert_pin, sizeof(cert_pin), &txt_pin); ++ ret = knot_base64_encode_alloc(cert_pin, cert_pin_size, &txt_pin); + if (ret < 0) { + gnutls_x509_crt_deinit(cert); + return ret; + } +- DBG(" SHA-256 PIN: %.*s%s", ret, txt_pin, match ? ", MATCH" : ""); ++ DBG(" SHA-1 PIN: %.*s%s", ret, txt_pin, match ? ", MATCH" : ""); + free(txt_pin); + + gnutls_x509_crt_deinit(cert); +diff --git a/src/utils/kdig/kdig_params.c b/src/utils/kdig/kdig_params.c +index 359b8b596..8fd33b011 100644 +--- a/src/utils/kdig/kdig_params.c ++++ b/src/utils/kdig/kdig_params.c +@@ -707,8 +707,8 @@ static int opt_tls_pin(const char *arg, void *query) + if (ret < 0) { + ERR("invalid +tls-pin=%s", arg); + return ret; +- } else if (ret != CERT_PIN_LEN) { // Check for 256-bit value. +- ERR("invalid sha256 hash length +tls-pin=%s", arg); ++ } else if (ret != 20) { // Check for 256-bit value. ++ ERR("invalid sha1 hash length +tls-pin=%s", arg); + return KNOT_EINVAL; + } + |