specified, defaults to the four banks <literal>sha1</literal>, <literal>sha256</literal>,
<literal>sha384</literal>, <literal>sha512</literal>.</para>
+ <para>Note that some operating systems disable support for SHA1-based signatures, in which case this
+ operation will fail. Please consult your OS' documentation for details on how to override the OS
+ security policy around this.</para>
+
<xi:include href="version-info.xml" xpointer="v252"/></listitem>
</varlistentry>
size_t ss = 0;
if (privkey) {
r = digest_and_sign(p->md, privkey, pcr_policy_digest.buffer, pcr_policy_digest.size, &sig, &ss);
+ if (r == -EADDRNOTAVAIL)
+ return log_error_errno(r, "Hash algorithm '%s' not available while signing. (Maybe OS security policy disables this algorithm?)", EVP_MD_name(p->md));
if (r < 0)
- return log_error_errno(r, "Failed to sign PCR policy: %m");
+ return log_error_errno(r, "Failed to sign PCR policy with hash algorithm '%s': %m", EVP_MD_name(p->md));
}
_cleanup_free_ void *pubkey_fp = NULL;
const void *data, size_t size,
void **ret, size_t *ret_size) {
+ int r;
+
assert(privkey);
assert(ret);
assert(ret_size);
if (!mdctx)
return log_openssl_errors("Failed to create new EVP_MD_CTX");
- if (EVP_DigestSignInit(mdctx, NULL, md, NULL, privkey) != 1)
- return log_openssl_errors("Failed to initialize signature context");
+ if (EVP_DigestSignInit(mdctx, NULL, md, NULL, privkey) != 1) {
+ /* Distro security policies often disable support for SHA-1. Let's return a recognizable
+ * error for that case. */
+ bool invalid_digest = ERR_GET_REASON(ERR_peek_last_error()) == EVP_R_INVALID_DIGEST;
+ r = log_openssl_errors("Failed to initialize signature context");
+ return invalid_digest ? -EADDRNOTAVAIL : r;
+}
/* Determine signature size */
size_t ss;
projects / thirdparty / systemd.git / commitdiff
