From 10366b4ee8c01ea20d908102e92d52fdeda168c3 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Tue, 18 Aug 2020 14:37:04 +0200
Subject: [PATCH] p11_child: switch default ocsp_dgst to sha1
For details please see discussion at
https://github.com/SSSD/sssd/pull/837#issuecomment-672831519
:newdefault: sssd:certificate_verification:ocsp_dgst, sha256, sha1
Resolves:
https://github.com/SSSD/sssd/issues/5002
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/man/sssd.conf.5.xml | 3 ++-
src/p11_child/p11_child_common_utils.c | 6 +++---
src/p11_child/p11_child_openssl.c | 4 ++--
3 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 874a09c49..50692dfdd 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -507,7 +507,8 @@
<listitem><para>sha512</para></listitem>
</itemizedlist></para>
<para>
- Default: sha256
+ Default: sha1 (to allow compatibility with
+ RFC5019-compliant responder)
</para>
<para>(NSS Version) This option is
ignored, because NSS uses sha1
diff --git a/src/p11_child/p11_child_common_utils.c b/src/p11_child/p11_child_common_utils.c
index 6798752c7..95791b1f0 100644
--- a/src/p11_child/p11_child_common_utils.c
+++ b/src/p11_child/p11_child_common_utils.c
@@ -43,7 +43,7 @@ static struct cert_verify_opts *init_cert_verify_opts(TALLOC_CTX *mem_ctx)
cert_verify_opts->ocsp_default_responder = NULL;
cert_verify_opts->ocsp_default_responder_signing_cert = NULL;
cert_verify_opts->crl_file = NULL;
- cert_verify_opts->ocsp_dgst = CKM_SHA256;
+ cert_verify_opts->ocsp_dgst = CKM_SHA_1;
cert_verify_opts->soft_ocsp = false;
cert_verify_opts->soft_crl = false;
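Review bot: The new default digest is written as a bare `CKM_SHA_1` literal here, again in the "unsupported digest" fallback of parse_cert_verify_opts (the hunk at line 174 of the same file) and as `EVP_sha1()` in do_ocsp in p11_child_openssl.c, with the name "sha1" hard-coded into two separate log messages; this commit had to touch all of them in lockstep, which is the drift risk a single named default would remove. A file-scope `#define DEFAULT_OCSP_DGST CKM_SHA_1` with a matching `DEFAULT_OCSP_DGST_NAME "sha1"` used by both branches and both messages would keep the code and its diagnostics in agreement the next time the default moves. The reason for the choice lives only in the man page and the linked PR discussion, so a reader of this line will see sha1 and assume a weakness; a one-line comment next to the assignment, `/* sha1: RFC 5019 lightweight OCSP responders only accept SHA-1 CertIDs; the hash identifies the issuer, it does not sign anything */`, records why it is the default and why collision resistance is not the property at stake. The enclosing init_cert_verify_opts starts before this hunk and its trailing blank context line did not survive rendering.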
@@ -174,8 +174,8 @@ errno_t parse_cert_verify_opts(TALLOC_CTX *mem_ctx, const char *verify_opts,
} else {
DEBUG(SSSDBG_CRIT_FAILURE,
"Unsupported digest for OCSP [%s], "
- "using default sha256.\n", &opts[c][OCSP_DGST_LEN]);
- cert_verify_opts->ocsp_dgst = CKM_SHA256;
+ "using default sha1.\n", &opts[c][OCSP_DGST_LEN]);
+ cert_verify_opts->ocsp_dgst = CKM_SHA_1;
}
#endif
} else if (strcasecmp(opts[c], "soft_ocsp") == 0) {
diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c
index 321cf162e..04b3e1467 100644
--- a/src/p11_child/p11_child_openssl.c
+++ b/src/p11_child/p11_child_openssl.c
@@ -372,8 +372,8 @@ static errno_t do_ocsp(struct p11_ctx *p11_ctx, X509 *cert)
ocsp_dgst = get_dgst(p11_ctx->cert_verify_opts->ocsp_dgst);
if (ocsp_dgst == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "Cannot determine configured digest function "
- "for OCSP, using default sha256.\n");
- ocsp_dgst = EVP_sha256();
+ "for OCSP, using default sha1.\n");
+ ocsp_dgst = EVP_sha1();
}
cid = OCSP_cert_to_id(ocsp_dgst, cert, issuer);
if (cid == NULL) {
--
2.21.3