From c1f39094ccde55dc4a51089b6dcdcb8afe4d8a7c Mon Sep 17 00:00:00 2001 From: Panu Matilainen Date: Mar 25 2020 08:22:21 +0000 Subject: Handle unsupported digests the same as disabled ones (RhBug:1652529) A digest type unsupported by the underlying crypto library (whether technically or by configuration) does not mean the digest is invalid, it just cannot be used. Which for the purposes of verification is the same as if that digest didn't exist at all, and that's exactly how we handle digests and signatures disabled by configuration. One particular case is FIPS mode which globally disables the use of MD5, which we mishandled prior to this by showing it as OK in verification despite actually not verifying it at all. The exact place for handling this case is a bit subtle: the "obvious" place for checking for supported type is in rpmvsInitRange() but this doesn't work because of rpmDigestBundleAddID() return code semantics. The other "obvious" place would be rpmvsVerify(), but by that point we have even more funny cases to consider. So for now, it's actually easiest to check for this in rpmvsFiniRange() even if it's not the most obvious place for doing so. Might want to change the rpmDigestBundleAddID() semantics later, but this makes for a nicer backport (we'll need this in 4.14.x too). --- diff --git a/lib/rpmvs.c b/lib/rpmvs.c index 7b5b86f..622e480 100644 --- a/lib/rpmvs.c +++ b/lib/rpmvs.c @@ -388,6 +388,9 @@ void rpmvsFiniRange(struct rpmvs_s *sis, int range) if (sinfo->range == range && sinfo->rc == RPMRC_OK) { sinfo->ctx = rpmDigestBundleDupCtx(sis->bundle, sinfo->id); + /* Handle unsupported digests the same as disabled ones */ + if (sinfo->ctx == NULL) + sinfo->rc = RPMRC_NOTFOUND; rpmDigestBundleFinal(sis->bundle, sinfo->id, NULL, NULL, 0); } }