Remove 3des support

2019-06-03 17:25:49 -04:00 · 2019-06-03 17:25:49 -04:00 · 19e2656c15
commit 19e2656c15
parent 48af99c1f7
6 changed files with 6471 additions and 34 deletions
--- a/Add-zapfreedata-convenience-function.patch
+++ b/Add-zapfreedata-convenience-function.patch
@ -1,4 +1,4 @@
-From c83490ced3ef77d1933caa893efbc4a54d03a1ad Mon Sep 17 00:00:00 2001
+From 7fb0b432d9192360ec3439a7f5c33ad8366064f1 Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Thu, 14 Mar 2019 11:26:44 -0400
 Subject: [PATCH] Add zapfreedata() convenience function
--- a/Remove-3des-support.patch
+++ b/Remove-3des-support.patch
--- a/Remove-krb5int_c_combine_keys.patch
+++ b/Remove-krb5int_c_combine_keys.patch
@ -1,4 +1,4 @@
-From 320f2d5b0f2671e41b383161093a73d9dea5cbf7 Mon Sep 17 00:00:00 2001
+From 343e236ed2637a826f4d53ff60d2b2bc349100d6 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Thu, 18 Apr 2019 17:27:07 -0400
 Subject: [PATCH] Remove krb5int_c_combine_keys()
--- a/Remove-support-for-no-flags-SAM-2-preauth.patch
+++ b/Remove-support-for-no-flags-SAM-2-preauth.patch
@ -1,4 +1,4 @@
-From 2c6a5bea4319b6b1705d6c9c6a2bb78c9999089f Mon Sep 17 00:00:00 2001
+From 9e71fcd5db98fb7ace02e8684486cc7f092d82ad Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Wed, 17 Apr 2019 17:07:46 -0400
 Subject: [PATCH] Remove support for no-flags SAM-2 preauth
--- a/krb5-1.17post4-FIPS-with-PRNG-SPAKE-and-RADIUS.patch
+++ b/krb5-1.17post4-FIPS-with-PRNG-SPAKE-and-RADIUS.patch
@ -1,7 +1,7 @@
-From b52fa25acec9c0302532e1610ffe390d714e8f7a Mon Sep 17 00:00:00 2001
+From ebcc57122e6f2325c9b0b3cb7c600d38c013a05a Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Fri, 9 Nov 2018 15:12:21 -0500
-Subject: [PATCH] krb5-1.17post3 FIPS with PRNG, SPAKE, and RADIUS
+Subject: [PATCH] krb5-1.17post4 FIPS with PRNG, SPAKE, and RADIUS

 NB: Use openssl's PRNG in FIPS mode, be aware during SPAKE group
 negotiation, and taint within krad.
@ -16,11 +16,11 @@ This will slow down some calls slightly (FIPS_mode() takes multiple
 locks), but not for any ciphers we care about - which is to say that
 AES is fine.  Shame about the SPAKE groups though.

-post3 is (confusingly) on top of the 1DES removal.
+post4 is on top of the 3DES removal.  (4 > 3; it makes sense this
+time!)
 ---
 src/lib/crypto/krb/prng.c                     | 11 ++++-
 .../crypto/openssl/enc_provider/camellia.c    |  6 +++
- src/lib/crypto/openssl/enc_provider/des3.c    |  6 +++
 src/lib/crypto/openssl/enc_provider/rc4.c     | 13 +++++-
 .../crypto/openssl/hash_provider/hash_evp.c   |  4 ++
 src/lib/crypto/openssl/hmac.c                 |  6 ++-
@ -32,7 +32,7 @@ post3 is (confusingly) on top of the 1DES removal.
 src/lib/krad/t_attr.c                         |  3 +-
 src/lib/krad/t_attrset.c                      |  4 +-
 src/plugins/preauth/spake/groups.c            |  8 ++++
- 14 files changed, 123 insertions(+), 33 deletions(-)
+ 13 files changed, 117 insertions(+), 33 deletions(-)

 diff --git a/src/lib/crypto/krb/prng.c b/src/lib/crypto/krb/prng.c
 index cb9ca9b98..f0e9984ca 100644
@ -89,30 +89,6 @@ index 2da691329..f79679a0b 100644
     state->length = 16;
     state->data = (void *) malloc(16);
     if (state->data == NULL)
-diff --git a/src/lib/crypto/openssl/enc_provider/des3.c b/src/lib/crypto/openssl/enc_provider/des3.c
-index 1c439c2cd..8be555a8d 100644
--- a/src/lib/crypto/openssl/enc_provider/des3.c
-+++ b/src/lib/crypto/openssl/enc_provider/des3.c
-@@ -84,6 +84,9 @@ k5_des3_encrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
-     EVP_CIPHER_CTX *ctx;
-     krb5_boolean empty;
- 
-+    if (FIPS_mode())
-+        return KRB5_CRYPTO_INTERNAL;
-+
-     ret = validate(key, ivec, data, num_data, &empty);
-     if (ret != 0 || empty)
-         return ret;
-@@ -133,6 +136,9 @@ k5_des3_decrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
-     EVP_CIPHER_CTX *ctx;
-     krb5_boolean empty;
- 
-+    if (FIPS_mode())
-+        return KRB5_CRYPTO_INTERNAL;
-+
-     ret = validate(key, ivec, data, num_data, &empty);
-     if (ret != 0 || empty)
-         return ret;
 diff --git a/src/lib/crypto/openssl/enc_provider/rc4.c b/src/lib/crypto/openssl/enc_provider/rc4.c
 index a65d57b7a..6ccaca94a 100644
 --- a/src/lib/crypto/openssl/enc_provider/rc4.c
--- a/krb5.spec
+++ b/krb5.spec
@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.17
 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
-Release: 27%{?dist}
+Release: 28%{?dist}

 # lookaside-cached sources; two downloads and a build artifact
 Source0: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}%{prerelease}.tar.gz
@ -102,10 +102,11 @@ Patch137: Remove-the-v4-and-afs3-salt-types.patch
 Patch138: Update-test-suite-to-avoid-single-DES-enctypes.patch
 Patch139: Remove-support-for-single-DES-and-CRC.patch
 Patch140: Display-unsupported-enctype-names.patch
-Patch141: krb5-1.17post3-FIPS-with-PRNG-SPAKE-and-RADIUS.patch
 Patch142: Add-zapfreedata-convenience-function.patch
 Patch143: Remove-support-for-no-flags-SAM-2-preauth.patch
 Patch144: Remove-krb5int_c_combine_keys.patch
+Patch145: Remove-3des-support.patch
+Patch146: krb5-1.17post4-FIPS-with-PRNG-SPAKE-and-RADIUS.patch

 License: MIT
 URL: https://web.mit.edu/kerberos/www/
@ -715,6 +716,9 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*

 %changelog
+* Mon Jun 03 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-28
+- Remove 3des support
+
 * Thu May 30 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-27
 - Remove krb5int_c_combine_keys() and no-flags SAM-2 preauth