Omit PA_FOR_USER if we can't compute its checksum

2020-06-08 16:01:55 -04:00 · 2020-06-08 16:01:55 -04:00 · 3c4e18f2f3
commit 3c4e18f2f3
parent 49849de329
2 changed files with 39 additions and 1 deletions
--- a/Omit-PA_FOR_USER-if-we-can-t-compute-its-checksum.patch
+++ b/Omit-PA_FOR_USER-if-we-can-t-compute-its-checksum.patch
@ -0,0 +1,34 @@
+From 086de78292b8ae89aba8a72926831124da44205d Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Sat, 6 Jun 2020 11:03:37 +0200
+Subject: [PATCH] Omit PA_FOR_USER if we can't compute its checksum
+
+OpenSSL in FIPS mode will refuse to perform hmac-md5.  Omit the legacy
+PA_FOR_USER element in this case rather than failing out.
+
+[ghudson@mit.edu: minor code and comment edits; wrote commit message]
+
+ticket: 8912 (new)
+(cherry picked from commit 03f122bdb22cfa53c7d855ed929c9541e56365e0)
+---
+ src/lib/krb5/krb/s4u_creds.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c
+index fc5c886d6..d8f486dc6 100644
+--- a/src/lib/krb5/krb/s4u_creds.c
+++ b/src/lib/krb5/krb/s4u_creds.c
+@@ -534,6 +534,13 @@ krb5_get_self_cred_from_kdc(krb5_context context,
+         if (s4u_user.user_id.user != NULL && s4u_user.user_id.user->length) {
+             code = build_pa_for_user(context, tgtptr, &s4u_user.user_id,
+                                      &in_padata[1]);
+            /*
+             * If we couldn't compute the hmac-md5 checksum, send only the
+             * KRB5_PADATA_S4U_X509_USER; this will still work against modern
+             * Windows and MIT KDCs.
+             */
+            if (code == KRB5_CRYPTO_INTERNAL)
+                code = 0;
+             if (code != 0) {
+                 krb5_free_pa_data(context, in_padata);
+                 goto cleanup;
--- a/krb5.spec
+++ b/krb5.spec
@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.18.2
 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
-Release: 5%{?dist}
+Release: 6%{?dist}

 # rharwood has trust path to signing key and verifies on check-in
 Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz
@ -63,6 +63,7 @@ Patch20: Pass-channel-bindings-through-SPNEGO.patch
 Patch21: Replace-gssrpc-tests-with-a-Python-script.patch
 Patch22: Default-dns_canonicalize_hostname-to-fallback.patch
 Patch23: Remove-resolver-test-utility.patch
+Patch24: Omit-PA_FOR_USER-if-we-can-t-compute-its-checksum.patch

 License: MIT
 URL: https://web.mit.edu/kerberos/www/
@ -635,6 +636,9 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*

 %changelog
+* Mon Jun 08 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-6
+- Omit PA_FOR_USER if we can't compute its checksum
+
 * Sat May 30 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-5
 - Replace gssrpc tests with a Python script