rpms/krb5
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Remove 3des support

Browse Source
This commit is contained in:
Robbie Harwood 2019-06-03 17:25:49 -04:00
parent 48af99c1f7
commit 19e2656c15
6 changed files with 6471 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Add-zapfreedata-convenience-function.patch
View File

@ -1,4 +1,4 @@
From c83490ced3ef77d1933caa893efbc4a54d03a1ad Mon Sep 17 00:00:00 2001 From 7fb0b432d9192360ec3439a7f5c33ad8366064f1 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu> From: Greg Hudson <ghudson@mit.edu>
Date: Thu, 14 Mar 2019 11:26:44 -0400 Date: Thu, 14 Mar 2019 11:26:44 -0400
Subject: [PATCH] Add zapfreedata() convenience function Subject: [PATCH] Add zapfreedata() convenience function

6457
Remove-3des-support.patch Normal file
View File

File diff suppressed because it is too large Load Diff

2
Remove-krb5int_c_combine_keys.patch
View File

@ -1,4 +1,4 @@
From 320f2d5b0f2671e41b383161093a73d9dea5cbf7 Mon Sep 17 00:00:00 2001 From 343e236ed2637a826f4d53ff60d2b2bc349100d6 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com> From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 18 Apr 2019 17:27:07 -0400 Date: Thu, 18 Apr 2019 17:27:07 -0400
Subject: [PATCH] Remove krb5int_c_combine_keys() Subject: [PATCH] Remove krb5int_c_combine_keys()

2
Remove-support-for-no-flags-SAM-2-preauth.patch
View File

@ -1,4 +1,4 @@
From 2c6a5bea4319b6b1705d6c9c6a2bb78c9999089f Mon Sep 17 00:00:00 2001 From 9e71fcd5db98fb7ace02e8684486cc7f092d82ad Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com> From: Robbie Harwood <rharwood@redhat.com>
Date: Wed, 17 Apr 2019 17:07:46 -0400 Date: Wed, 17 Apr 2019 17:07:46 -0400
Subject: [PATCH] Remove support for no-flags SAM-2 preauth Subject: [PATCH] Remove support for no-flags SAM-2 preauth

34
krb5-1.17post3-FIPS-with-PRNG-SPAKE-and-RADIUS.patch → krb5-1.17post4-FIPS-with-PRNG-SPAKE-and-RADIUS.patch
View File

@ -1,7 +1,7 @@
From b52fa25acec9c0302532e1610ffe390d714e8f7a Mon Sep 17 00:00:00 2001 From ebcc57122e6f2325c9b0b3cb7c600d38c013a05a Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com> From: Robbie Harwood <rharwood@redhat.com>
Date: Fri, 9 Nov 2018 15:12:21 -0500 Date: Fri, 9 Nov 2018 15:12:21 -0500
Subject: [PATCH] krb5-1.17post3 FIPS with PRNG, SPAKE, and RADIUS Subject: [PATCH] krb5-1.17post4 FIPS with PRNG, SPAKE, and RADIUS
NB: Use openssl's PRNG in FIPS mode, be aware during SPAKE group NB: Use openssl's PRNG in FIPS mode, be aware during SPAKE group
negotiation, and taint within krad. negotiation, and taint within krad.
@ -16,11 +16,11 @@ This will slow down some calls slightly (FIPS_mode() takes multiple
locks), but not for any ciphers we care about - which is to say that locks), but not for any ciphers we care about - which is to say that
AES is fine. Shame about the SPAKE groups though. AES is fine. Shame about the SPAKE groups though.
post3 is (confusingly) on top of the 1DES removal. post4 is on top of the 3DES removal. (4 > 3; it makes sense this
time!)
--- ---
src/lib/crypto/krb/prng.c | 11 ++++- src/lib/crypto/krb/prng.c | 11 ++++-
.../crypto/openssl/enc_provider/camellia.c | 6 +++ .../crypto/openssl/enc_provider/camellia.c | 6 +++
src/lib/crypto/openssl/enc_provider/des3.c | 6 +++
src/lib/crypto/openssl/enc_provider/rc4.c | 13 +++++- src/lib/crypto/openssl/enc_provider/rc4.c | 13 +++++-
.../crypto/openssl/hash_provider/hash_evp.c | 4 ++ .../crypto/openssl/hash_provider/hash_evp.c | 4 ++
src/lib/crypto/openssl/hmac.c | 6 ++- src/lib/crypto/openssl/hmac.c | 6 ++-
@ -32,7 +32,7 @@ post3 is (confusingly) on top of the 1DES removal.
src/lib/krad/t_attr.c | 3 +- src/lib/krad/t_attr.c | 3 +-
src/lib/krad/t_attrset.c | 4 +- src/lib/krad/t_attrset.c | 4 +-
src/plugins/preauth/spake/groups.c | 8 ++++ src/plugins/preauth/spake/groups.c | 8 ++++
14 files changed, 123 insertions(+), 33 deletions(-) 13 files changed, 117 insertions(+), 33 deletions(-)
diff --git a/src/lib/crypto/krb/prng.c b/src/lib/crypto/krb/prng.c diff --git a/src/lib/crypto/krb/prng.c b/src/lib/crypto/krb/prng.c
index cb9ca9b98..f0e9984ca 100644 index cb9ca9b98..f0e9984ca 100644
@ -89,30 +89,6 @@ index 2da691329..f79679a0b 100644
state->length = 16; state->length = 16;
state->data = (void *) malloc(16); state->data = (void *) malloc(16);
if (state->data == NULL) if (state->data == NULL)
diff --git a/src/lib/crypto/openssl/enc_provider/des3.c b/src/lib/crypto/openssl/enc_provider/des3.c
index 1c439c2cd..8be555a8d 100644
--- a/src/lib/crypto/openssl/enc_provider/des3.c
+++ b/src/lib/crypto/openssl/enc_provider/des3.c
@@ -84,6 +84,9 @@ k5_des3_encrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
EVP_CIPHER_CTX *ctx;
krb5_boolean empty;
+ if (FIPS_mode())
+ return KRB5_CRYPTO_INTERNAL;
+
ret = validate(key, ivec, data, num_data, &empty);
if (ret != 0 || empty)
return ret;
@@ -133,6 +136,9 @@ k5_des3_decrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
EVP_CIPHER_CTX *ctx;
krb5_boolean empty;
+ if (FIPS_mode())
+ return KRB5_CRYPTO_INTERNAL;
+
ret = validate(key, ivec, data, num_data, &empty);
if (ret != 0 || empty)
return ret;
diff --git a/src/lib/crypto/openssl/enc_provider/rc4.c b/src/lib/crypto/openssl/enc_provider/rc4.c diff --git a/src/lib/crypto/openssl/enc_provider/rc4.c b/src/lib/crypto/openssl/enc_provider/rc4.c
index a65d57b7a..6ccaca94a 100644 index a65d57b7a..6ccaca94a 100644
--- a/src/lib/crypto/openssl/enc_provider/rc4.c --- a/src/lib/crypto/openssl/enc_provider/rc4.c

8
krb5.spec
View File

@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
Name: krb5 Name: krb5
Version: 1.17 Version: 1.17
# for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces) # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
Release: 27%{?dist} Release: 28%{?dist}
# lookaside-cached sources; two downloads and a build artifact # lookaside-cached sources; two downloads and a build artifact
Source0: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}%{prerelease}.tar.gz Source0: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}%{prerelease}.tar.gz
@ -102,10 +102,11 @@ Patch137: Remove-the-v4-and-afs3-salt-types.patch
Patch138: Update-test-suite-to-avoid-single-DES-enctypes.patch Patch138: Update-test-suite-to-avoid-single-DES-enctypes.patch
Patch139: Remove-support-for-single-DES-and-CRC.patch Patch139: Remove-support-for-single-DES-and-CRC.patch
Patch140: Display-unsupported-enctype-names.patch Patch140: Display-unsupported-enctype-names.patch
Patch141: krb5-1.17post3-FIPS-with-PRNG-SPAKE-and-RADIUS.patch
Patch142: Add-zapfreedata-convenience-function.patch Patch142: Add-zapfreedata-convenience-function.patch
Patch143: Remove-support-for-no-flags-SAM-2-preauth.patch Patch143: Remove-support-for-no-flags-SAM-2-preauth.patch
Patch144: Remove-krb5int_c_combine_keys.patch Patch144: Remove-krb5int_c_combine_keys.patch
Patch145: Remove-3des-support.patch
Patch146: krb5-1.17post4-FIPS-with-PRNG-SPAKE-and-RADIUS.patch
License: MIT License: MIT
URL: https://web.mit.edu/kerberos/www/ URL: https://web.mit.edu/kerberos/www/
@ -715,6 +716,9 @@ exit 0
%{_libdir}/libkadm5srv_mit.so.* %{_libdir}/libkadm5srv_mit.so.*
%changelog %changelog
* Mon Jun 03 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-28
- Remove 3des support
* Thu May 30 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-27 * Thu May 30 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-27
- Remove krb5int_c_combine_keys() and no-flags SAM-2 preauth - Remove krb5int_c_combine_keys() and no-flags SAM-2 preauth