From: Daniel Salzman <daniel.salzman@nic.cz>
Date: Mon, 20 Mar 2023 14:57:54 +0100
Subject: [PATCH] distro/el-7: fix compilation by using SHA-1 for PIN computation

diff --git a/src/libknot/quic/quic.c b/src/libknot/quic/quic.c
index 5610865f6..555c495d9 100644
--- a/src/libknot/quic/quic.c
+++ b/src/libknot/quic/quic.c
@@ -460,7 +460,7 @@ void knot_quic_conn_pin(knot_quic_conn_t *conn, uint8_t *pin, size_t *pin_size,
 		goto error;
 	}
 
-	ret = gnutls_x509_crt_get_key_id(cert, GNUTLS_KEYID_USE_SHA256, pin, pin_size);
+	ret = gnutls_x509_crt_get_key_id(cert, 0, pin, pin_size);
 	if (ret != GNUTLS_E_SUCCESS) {
 		gnutls_x509_crt_deinit(cert);
 		goto error;
diff --git a/src/utils/common/tls.c b/src/utils/common/tls.c
index 245dd3f96..6a2e7a986 100644
--- a/src/utils/common/tls.c
+++ b/src/utils/common/tls.c
@@ -328,7 +328,7 @@ static int check_certificates(gnutls_session_t session, const list_t *pins)
 
 		uint8_t cert_pin[CERT_PIN_LEN] = { 0 };
 		size_t cert_pin_size = sizeof(cert_pin);
-		ret = gnutls_x509_crt_get_key_id(cert, GNUTLS_KEYID_USE_SHA256,
+		ret = gnutls_x509_crt_get_key_id(cert, 0,
 		                                 cert_pin, &cert_pin_size);
 		if (ret != 0) {
 			gnutls_x509_crt_deinit(cert);
@@ -336,18 +336,18 @@ static int check_certificates(gnutls_session_t session, const list_t *pins)
 		}
 
 		// Check if correspond to a specified PIN.
-		bool match = check_pin(cert_pin, sizeof(cert_pin), pins);
+		bool match = check_pin(cert_pin, cert_pin_size, pins);
 		if (match) {
 			matches++;
 		}
 
 		uint8_t *txt_pin;
-		ret = knot_base64_encode_alloc(cert_pin, sizeof(cert_pin), &txt_pin);
+		ret = knot_base64_encode_alloc(cert_pin, cert_pin_size, &txt_pin);
 		if (ret < 0) {
 			gnutls_x509_crt_deinit(cert);
 			return ret;
 		}
-		DBG("     SHA-256 PIN: %.*s%s", ret, txt_pin, match ? ", MATCH" : "");
+		DBG("     SHA-1 PIN: %.*s%s", ret, txt_pin, match ? ", MATCH" : "");
 		free(txt_pin);
 
 		gnutls_x509_crt_deinit(cert);
diff --git a/src/utils/kdig/kdig_params.c b/src/utils/kdig/kdig_params.c
index 359b8b596..8fd33b011 100644
--- a/src/utils/kdig/kdig_params.c
+++ b/src/utils/kdig/kdig_params.c
@@ -707,8 +707,8 @@ static int opt_tls_pin(const char *arg, void *query)
 	if (ret < 0) {
 		ERR("invalid +tls-pin=%s", arg);
 		return ret;
-	} else if (ret != CERT_PIN_LEN) { // Check for 256-bit value.
-		ERR("invalid sha256 hash length +tls-pin=%s", arg);
+	} else if (ret != 20) { // Check for 256-bit value.
+		ERR("invalid sha1 hash length +tls-pin=%s", arg);
 		return KNOT_EINVAL;
 	}