1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
|
From: Daniel Salzman <daniel.salzman@nic.cz>
Date: Mon, 20 Mar 2023 14:57:54 +0100
Subject: [PATCH] distro/el-7: fix compilation by using SHA-1 for PIN computation
diff --git a/src/libknot/quic/quic.c b/src/libknot/quic/quic.c
index 5610865f6..555c495d9 100644
--- a/src/libknot/quic/quic.c
+++ b/src/libknot/quic/quic.c
@@ -460,7 +460,7 @@ void knot_quic_conn_pin(knot_quic_conn_t *conn, uint8_t *pin, size_t *pin_size,
goto error;
}
- ret = gnutls_x509_crt_get_key_id(cert, GNUTLS_KEYID_USE_SHA256, pin, pin_size);
+ ret = gnutls_x509_crt_get_key_id(cert, 0, pin, pin_size);
if (ret != GNUTLS_E_SUCCESS) {
gnutls_x509_crt_deinit(cert);
goto error;
diff --git a/src/utils/common/tls.c b/src/utils/common/tls.c
index 245dd3f96..6a2e7a986 100644
--- a/src/utils/common/tls.c
+++ b/src/utils/common/tls.c
@@ -328,7 +328,7 @@ static int check_certificates(gnutls_session_t session, const list_t *pins)
uint8_t cert_pin[CERT_PIN_LEN] = { 0 };
size_t cert_pin_size = sizeof(cert_pin);
- ret = gnutls_x509_crt_get_key_id(cert, GNUTLS_KEYID_USE_SHA256,
+ ret = gnutls_x509_crt_get_key_id(cert, 0,
cert_pin, &cert_pin_size);
if (ret != 0) {
gnutls_x509_crt_deinit(cert);
@@ -336,18 +336,18 @@ static int check_certificates(gnutls_session_t session, const list_t *pins)
}
// Check if correspond to a specified PIN.
- bool match = check_pin(cert_pin, sizeof(cert_pin), pins);
+ bool match = check_pin(cert_pin, cert_pin_size, pins);
if (match) {
matches++;
}
uint8_t *txt_pin;
- ret = knot_base64_encode_alloc(cert_pin, sizeof(cert_pin), &txt_pin);
+ ret = knot_base64_encode_alloc(cert_pin, cert_pin_size, &txt_pin);
if (ret < 0) {
gnutls_x509_crt_deinit(cert);
return ret;
}
- DBG(" SHA-256 PIN: %.*s%s", ret, txt_pin, match ? ", MATCH" : "");
+ DBG(" SHA-1 PIN: %.*s%s", ret, txt_pin, match ? ", MATCH" : "");
free(txt_pin);
gnutls_x509_crt_deinit(cert);
diff --git a/src/utils/kdig/kdig_params.c b/src/utils/kdig/kdig_params.c
index 359b8b596..8fd33b011 100644
--- a/src/utils/kdig/kdig_params.c
+++ b/src/utils/kdig/kdig_params.c
@@ -707,8 +707,8 @@ static int opt_tls_pin(const char *arg, void *query)
if (ret < 0) {
ERR("invalid +tls-pin=%s", arg);
return ret;
- } else if (ret != CERT_PIN_LEN) { // Check for 256-bit value.
- ERR("invalid sha256 hash length +tls-pin=%s", arg);
+ } else if (ret != 20) { // Check for 256-bit value.
+ ERR("invalid sha1 hash length +tls-pin=%s", arg);
return KNOT_EINVAL;
}
|
