author | Daniel Salzman <daniel.salzman@nic.cz> | 2023-03-19 19:55:17 +0100 |
---|---|---|
committer | Daniel Salzman <daniel.salzman@nic.cz> | 2023-03-21 09:45:15 +0100 |
commit | 4a47a3d1cfb2c5c093a6f5222540e426624ca39d (patch) | |
tree | f81439a8f826ab89305a3fd692b563400b098ddc /distro/pkg | |
parent | quic: rename 'xconn' to 'conn' (diff) | |
distro/el-7: add patch for compilation fix by using SHA-1 for certificate PIN computation
Diffstat (limited to 'distro/pkg')
-rw-r--r-- | distro/pkg/el-7/02-fix-compilation-by-using-SHA-1.patch | 67 | ||||
-rw-r--r-- | distro/pkg/el-7/knot.spec | 1 |
2 files changed, 68 insertions, 0 deletions
diff --git a/distro/pkg/el-7/02-fix-compilation-by-using-SHA-1.patch b/distro/pkg/el-7/02-fix-compilation-by-using-SHA-1.patch
new file mode 100644
index 000000000..cbc5aa254
--- /dev/null
+++ b/distro/pkg/el-7/02-fix-compilation-by-using-SHA-1.patch
@@ -0,0 +1,67 @@
+From: Daniel Salzman <daniel.salzman@nic.cz>
+Date: Mon, 20 Mar 2023 14:57:54 +0100
+Subject: [PATCH] distro/el-7: fix compilation by using SHA-1 for PIN computation
+
+diff --git a/src/libknot/quic/quic.c b/src/libknot/quic/quic.c
+index 5610865f6..555c495d9 100644
+--- a/src/libknot/quic/quic.c
++++ b/src/libknot/quic/quic.c
+@@ -460,7 +460,7 @@ void knot_quic_conn_pin(knot_quic_conn_t *conn, uint8_t *pin, size_t *pin_size,
+ goto error;
+ }
+
+- ret = gnutls_x509_crt_get_key_id(cert, GNUTLS_KEYID_USE_SHA256, pin, pin_size);
++ ret = gnutls_x509_crt_get_key_id(cert, 0, pin, pin_size);
+ if (ret != GNUTLS_E_SUCCESS) {
+ gnutls_x509_crt_deinit(cert);
+ goto error;
+diff --git a/src/utils/common/tls.c b/src/utils/common/tls.c
+index 245dd3f96..6a2e7a986 100644
+--- a/src/utils/common/tls.c
++++ b/src/utils/common/tls.c
+@@ -328,7 +328,7 @@ static int check_certificates(gnutls_session_t session, const list_t *pins)
+
+ uint8_t cert_pin[CERT_PIN_LEN] = { 0 };
+ size_t cert_pin_size = sizeof(cert_pin);
+- ret = gnutls_x509_crt_get_key_id(cert, GNUTLS_KEYID_USE_SHA256,
++ ret = gnutls_x509_crt_get_key_id(cert, 0,
+ cert_pin, &cert_pin_size);
+ if (ret != 0) {
+ gnutls_x509_crt_deinit(cert);
+@@ -336,18 +336,18 @@ static int check_certificates(gnutls_session_t session, const list_t *pins)
+ }
+
+ // Check if correspond to a specified PIN.
+- bool match = check_pin(cert_pin, sizeof(cert_pin), pins);
++ bool match = check_pin(cert_pin, cert_pin_size, pins);
+ if (match) {
+ matches++;
+ }
+
+ uint8_t *txt_pin;
+- ret = knot_base64_encode_alloc(cert_pin, sizeof(cert_pin), &txt_pin);
++ ret = knot_base64_encode_alloc(cert_pin, cert_pin_size, &txt_pin);
+ if (ret < 0) {
+ gnutls_x509_crt_deinit(cert);
+ return ret;
+ }
+- DBG(" SHA-256 PIN: %.*s%s", ret, txt_pin, match ? ", MATCH" : "");
++ DBG(" SHA-1 PIN: %.*s%s", ret, txt_pin, match ? ", MATCH" : "");
+ free(txt_pin);
+
+ gnutls_x509_crt_deinit(cert);
+diff --git a/src/utils/kdig/kdig_params.c b/src/utils/kdig/kdig_params.c
+index 359b8b596..8fd33b011 100644
+--- a/src/utils/kdig/kdig_params.c
++++ b/src/utils/kdig/kdig_params.c
+@@ -707,8 +707,8 @@ static int opt_tls_pin(const char *arg, void *query)
+ if (ret < 0) {
+ ERR("invalid +tls-pin=%s", arg);
+ return ret;
+- } else if (ret != CERT_PIN_LEN) { // Check for 256-bit value.
+- ERR("invalid sha256 hash length +tls-pin=%s", arg);
++ } else if (ret != 20) { // Check for 256-bit value.
++ ERR("invalid sha1 hash length +tls-pin=%s", arg);
+ return KNOT_EINVAL;
+ }
+
diff --git a/distro/pkg/el-7/knot.spec b/distro/pkg/el-7/knot.spec
index 0b1a3bfe0..92d1c3875 100644
--- a/distro/pkg/el-7/knot.spec
+++ b/distro/pkg/el-7/knot.spec
@@ -23,6 +23,7 @@ BuildRequires: gnupg2
 %endif
 Patch1: 01-revert-AC_PROG_CC.patch
+Patch2: 02-fix-compilation-by-using-SHA-1.patch
 # Required dependencies
 BuildRequires: autoconf |