Update FIPS patches to remove SPAKE

2019-08-22 15:53:25 -04:00 · 2019-08-22 15:53:25 -04:00 · 2dabf02464
commit 2dabf02464
parent 4906d9dae9
16 changed files with 68 additions and 51 deletions
--- a/Add-soft-pkcs11-source-code.patch
+++ b/Add-soft-pkcs11-source-code.patch
@ -1,4 +1,4 @@
-From a8b987b3730214d568cc51ddc1b218677b17b799 Mon Sep 17 00:00:00 2001
+From a186597238ae40e167ce041857b5bd1f94ee2383 Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Thu, 20 Jun 2019 10:45:18 -0400
 Subject: [PATCH] Add soft-pkcs11 source code
--- a/Don-t-error-on-invalid-enctypes-in-keytab.patch
+++ b/Don-t-error-on-invalid-enctypes-in-keytab.patch
@ -1,4 +1,4 @@
-From 56f59b21814cca0b68e1506d5d8bd15636812c0f Mon Sep 17 00:00:00 2001
+From 84bb2b804c69830ff2dc405b1a2bd7893291d8e6 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Wed, 10 Jul 2019 17:10:16 -0400
 Subject: [PATCH] Don't error on invalid enctypes in keytab
--- a/Filter-enctypes-in-gss_set_allowable_enctypes.patch
+++ b/Filter-enctypes-in-gss_set_allowable_enctypes.patch
@ -1,4 +1,4 @@
-From 6aeef2d2e19109cc97f6b1f4621fb97247edfa73 Mon Sep 17 00:00:00 2001
+From aa3b2bb07bf48375b2391b31e68d0abf7ba5e4ea Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Tue, 16 Jul 2019 00:15:42 -0400
 Subject: [PATCH] Filter enctypes in gss_set_allowable_enctypes()
--- a/Fix-Coverity-defects-in-soft-pkcs11-test-code.patch
+++ b/Fix-Coverity-defects-in-soft-pkcs11-test-code.patch
@ -1,4 +1,4 @@
-From 9fccdd784a639ffc9d4eae723a39e35cb7434fec Mon Sep 17 00:00:00 2001
+From 28db01445d2807d51b5045c0a04d5e49905de504 Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Sat, 20 Jul 2019 00:51:52 -0400
 Subject: [PATCH] Fix Coverity defects in soft-pkcs11 test code
--- a/Fix-KCM-client-time-offset-propagation.patch
+++ b/Fix-KCM-client-time-offset-propagation.patch
@ -1,4 +1,4 @@
-From e299c5e9442ade8c0b47d122809f76f03b64e497 Mon Sep 17 00:00:00 2001
+From 7e81b8077cf2cf186dadb96b064573f7c221fbf3 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Wed, 14 Aug 2019 13:52:27 -0400
 Subject: [PATCH] Fix KCM client time offset propagation
--- a/Fix-memory-leaks-in-soft-pkcs11-code.patch
+++ b/Fix-memory-leaks-in-soft-pkcs11-code.patch
@ -1,4 +1,4 @@
-From 26aa776c9ce531d4487c40ad6684afef74394bac Mon Sep 17 00:00:00 2001
+From 5cc80472e7a8b0fb3002f229ffb104dccf8bd120 Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Mon, 5 Aug 2019 01:53:51 -0400
 Subject: [PATCH] Fix memory leaks in soft-pkcs11 code
--- a/Initialize-life-rlife-in-kdcpolicy-interface.patch
+++ b/Initialize-life-rlife-in-kdcpolicy-interface.patch
@ -1,4 +1,4 @@
-From a2065b41a6a89b273b455088a5df5304bfd1f663 Mon Sep 17 00:00:00 2001
+From b448801a1ab19d89cc069e63f5ce5acbc9f3cd8d Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Fri, 9 Aug 2019 14:07:22 -0400
 Subject: [PATCH] Initialize life/rlife in kdcpolicy interface
--- a/Remove-3des-support.patch
+++ b/Remove-3des-support.patch
@ -1,4 +1,4 @@
-From c524c375aef17009e3dcca4a2001e102e022c24b Mon Sep 17 00:00:00 2001
+From 17365a6131488b518b0f50e08d24697acce79d44 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 26 Mar 2019 18:51:10 -0400
 Subject: [PATCH] Remove 3des support
--- a/Remove-PKINIT-draft-9-ASN.1-code-and-types.patch
+++ b/Remove-PKINIT-draft-9-ASN.1-code-and-types.patch
@ -1,4 +1,4 @@
-From fc909a6d2881c4b434c946023c5f581cec9e96c9 Mon Sep 17 00:00:00 2001
+From 054cd1bad9941e6936345da3e9a839c8fdbd9ba3 Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Tue, 18 Jun 2019 11:40:48 -0400
 Subject: [PATCH] Remove PKINIT draft 9 ASN.1 code and types
--- a/Remove-PKINIT-draft-9-support.patch
+++ b/Remove-PKINIT-draft-9-support.patch
@ -1,4 +1,4 @@
-From b26cbaa597305c9e16b455e4bd310ac86b6221cc Mon Sep 17 00:00:00 2001
+From a3e44c1ab745535fe9e2c396a09ff8d713810cc4 Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Tue, 18 Jun 2019 13:06:44 -0400
 Subject: [PATCH] Remove PKINIT draft 9 support
--- a/Remove-now-unused-checksum-functions.patch
+++ b/Remove-now-unused-checksum-functions.patch
@ -1,4 +1,4 @@
-From 3c132f6e129f3e4805ae44a8db749930f1e398b1 Mon Sep 17 00:00:00 2001
+From 25418e054868301e1a1a5824913b74f2479e1b15 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Fri, 28 Jun 2019 13:09:47 -0400
 Subject: [PATCH] Remove now-unused checksum functions
--- a/Remove-strerror-calls-from-k5_get_error.patch
+++ b/Remove-strerror-calls-from-k5_get_error.patch
@ -1,4 +1,4 @@
-From 80ce19337573b31c372251ea5af4e66f4b75e7ef Mon Sep 17 00:00:00 2001
+From bf8f84d2116af9aba33202f44fdaf04a76430410 Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Thu, 6 Jun 2019 11:46:58 -0400
 Subject: [PATCH] Remove strerror() calls from k5_get_error()
--- a/Skip-URI-tests-when-using-asan.patch
+++ b/Skip-URI-tests-when-using-asan.patch
@ -1,4 +1,4 @@
-From 6099c5f17a25971defadde6f8fbc2abaa764462b Mon Sep 17 00:00:00 2001
+From 345ffa545ef85ae5c6384c931759cc5353f4d434 Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Sat, 3 Aug 2019 13:30:28 -0400
 Subject: [PATCH] Skip URI tests when using asan
--- a/Use-imported-soft-pkcs11-for-tests.patch
+++ b/Use-imported-soft-pkcs11-for-tests.patch
@ -1,4 +1,4 @@
-From 403e72295c80d3ec3343d50bf8f7b1e6525e1ea8 Mon Sep 17 00:00:00 2001
+From 47e66724b9d5cfef84965d99c83d29e4739932e3 Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Thu, 20 Jun 2019 13:41:57 -0400
 Subject: [PATCH] Use imported soft-pkcs11 for tests
--- a/krb5-1.17post5-FIPS-with-PRNG-and-RADIUS-without-SPA.patch
+++ b/krb5-1.17post5-FIPS-with-PRNG-and-RADIUS-without-SPA.patch
@ -1,10 +1,9 @@
-From fd2088635e27ce571e2d98c40fea34db15243b7a Mon Sep 17 00:00:00 2001
+From ca3c0fc3fd80b3a9953da47f64beb8b24bd46f08 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Fri, 9 Nov 2018 15:12:21 -0500
-Subject: [PATCH] krb5-1.17post4 FIPS with PRNG, SPAKE, and RADIUS
+Subject: [PATCH] krb5-1.17post5 FIPS with PRNG and RADIUS without SPAKE

-NB: Use openssl's PRNG in FIPS mode, be aware during SPAKE group
-negotiation, and taint within krad.
+NB: Use openssl's PRNG in FIPS mode and taint within krad.

 A lot of the FIPS error conditions from OpenSSL are incredibly
 mysterious (at best, things return NULL unexpectedly; at worst,
@ -14,10 +13,9 @@ awareness of what we can and can't safely call.

 This will slow down some calls slightly (FIPS_mode() takes multiple
 locks), but not for any ciphers we care about - which is to say that
-AES is fine.  Shame about the SPAKE groups though.
+AES is fine.  Shame about SPAKE though.

-post4 is on top of the 3DES removal.  (4 > 3; it makes sense this
-time!)
+post5 removes SPAKE entirely.
 ---
 src/lib/crypto/krb/prng.c                     | 11 ++++-
 .../crypto/openssl/enc_provider/camellia.c    |  6 +++
@ -31,8 +29,9 @@ time!)
 src/lib/krad/remote.c                         | 10 ++++-
 src/lib/krad/t_attr.c                         |  3 +-
 src/lib/krad/t_attrset.c                      |  4 +-
- src/plugins/preauth/spake/groups.c            |  8 ++++
- 13 files changed, 117 insertions(+), 33 deletions(-)
+ src/plugins/preauth/spake/spake_client.c      |  6 +++
+ src/plugins/preauth/spake/spake_kdc.c         |  6 +++
+ 14 files changed, 121 insertions(+), 33 deletions(-)

 diff --git a/src/lib/crypto/krb/prng.c b/src/lib/crypto/krb/prng.c
 index cb9ca9b98..f0e9984ca 100644
@ -502,36 +501,51 @@ index 7928335ca..0f9576253 100644
     krad_attrset_free(set);
 
     /* Manually encode User-Name. */
-diff --git a/src/plugins/preauth/spake/groups.c b/src/plugins/preauth/spake/groups.c
-index a195cc195..8a913cb5a 100644
--- a/src/plugins/preauth/spake/groups.c
-+++ b/src/plugins/preauth/spake/groups.c
-@@ -56,6 +56,8 @@
- #include "trace.h"
+diff --git a/src/plugins/preauth/spake/spake_client.c b/src/plugins/preauth/spake/spake_client.c
+index 00734a13b..a3ce22b70 100644
+--- a/src/plugins/preauth/spake/spake_client.c
+++ b/src/plugins/preauth/spake/spake_client.c
+@@ -38,6 +38,8 @@
 #include "groups.h"
+ #include <krb5/clpreauth_plugin.h>
 
 +#include <openssl/crypto.h>
 +
- #define DEFAULT_GROUPS_CLIENT "edwards25519"
- #define DEFAULT_GROUPS_KDC ""
+ typedef struct reqstate_st {
+     krb5_pa_spake *msg;         /* set in prep_questions, used in process */
+     krb5_keyblock *initial_key;
+@@ -375,6 +377,10 @@ clpreauth_spake_initvt(krb5_context context, int maj_ver, int min_ver,
 
-@@ -102,6 +104,9 @@ find_gdef(int32_t group)
- {
-     size_t i;
- 
-+    if (group == builtin_edwards25519.reg->id && FIPS_mode())
-+        return NULL;
+     if (maj_ver != 1)
+         return KRB5_PLUGIN_VER_NOTSUPP;
 +
-     for (i = 0; groupdefs[i] != NULL; i++) {
-         if (groupdefs[i]->reg->id == group)
-             return groupdefs[i];
-@@ -116,6 +121,9 @@ find_gnum(const char *name)
- {
-     size_t i;
- 
-+    if (strcasecmp(name, builtin_edwards25519.reg->name) == 0 && FIPS_mode())
-+        return 0;
+    if (FIPS_mode())
+        return KRB5_CRYPTO_INTERNAL;
 +
-     for (i = 0; groupdefs[i] != NULL; i++) {
-         if (strcasecmp(name, groupdefs[i]->reg->name) == 0)
-             return groupdefs[i]->reg->id;
+     vt = (krb5_clpreauth_vtable)vtable;
+     vt->name = "spake";
+     vt->pa_type_list = pa_types;
+diff --git a/src/plugins/preauth/spake/spake_kdc.c b/src/plugins/preauth/spake/spake_kdc.c
+index 59e88409e..1b3e569e9 100644
+--- a/src/plugins/preauth/spake/spake_kdc.c
+++ b/src/plugins/preauth/spake/spake_kdc.c
+@@ -41,6 +41,8 @@
+ 
+ #include <krb5/kdcpreauth_plugin.h>
+ 
+#include <openssl/crypto.h>
+
+ /*
+  * The SPAKE kdcpreauth module uses a secure cookie containing the following
+  * concatenated fields (all integer fields are big-endian):
+@@ -578,6 +580,10 @@ kdcpreauth_spake_initvt(krb5_context context, int maj_ver, int min_ver,
+ 
+     if (maj_ver != 1)
+         return KRB5_PLUGIN_VER_NOTSUPP;
+
+    if (FIPS_mode())
+        return KRB5_CRYPTO_INTERNAL;
+
+     vt = (krb5_kdcpreauth_vtable)vtable;
+     vt->name = "spake";
+     vt->pa_type_list = pa_types;
--- a/krb5.spec
+++ b/krb5.spec
@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.17
 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
-Release: 41%{?dist}
+Release: 42%{?dist}

 # lookaside-cached sources; two downloads and a build artifact
 Source0: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}%{prerelease}.tar.gz
@ -105,7 +105,6 @@ Patch140: Display-unsupported-enctype-names.patch
 Patch142: Add-zapfreedata-convenience-function.patch
 Patch143: Remove-support-for-no-flags-SAM-2-preauth.patch
 Patch144: Remove-krb5int_c_combine_keys.patch
-Patch146: krb5-1.17post4-FIPS-with-PRNG-SPAKE-and-RADIUS.patch
 Patch147: Remove-strerror-calls-from-k5_get_error.patch
 Patch148: Remove-PKINIT-draft-9-support.patch
 Patch149: Remove-PKINIT-draft-9-ASN.1-code-and-types.patch
@ -120,6 +119,7 @@ Patch157: Skip-URI-tests-when-using-asan.patch
 Patch158: Fix-memory-leaks-in-soft-pkcs11-code.patch
 Patch159: Initialize-life-rlife-in-kdcpolicy-interface.patch
 Patch160: Fix-KCM-client-time-offset-propagation.patch
+Patch161: krb5-1.17post5-FIPS-with-PRNG-and-RADIUS-without-SPA.patch

 License: MIT
 URL: https://web.mit.edu/kerberos/www/
@ -726,6 +726,9 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*

 %changelog
+* Thu Aug 22 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-42
+- Update FIPS patches to remove SPAKE
+
 * Thu Aug 15 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-41
 - Fix KCM client time offset propagation