From 3c4e18f2f31ae7d1bfd5a7721a067c3d21bea99c Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Mon, 8 Jun 2020 16:01:55 -0400 Subject: [PATCH] Omit PA_FOR_USER if we can't compute its checksum --- ...SER-if-we-can-t-compute-its-checksum.patch | 34 +++++++++++++++++++ krb5.spec | 6 +++- 2 files changed, 39 insertions(+), 1 deletion(-) create mode 100644 Omit-PA_FOR_USER-if-we-can-t-compute-its-checksum.patch diff --git a/Omit-PA_FOR_USER-if-we-can-t-compute-its-checksum.patch b/Omit-PA_FOR_USER-if-we-can-t-compute-its-checksum.patch new file mode 100644 index 0000000..0d6b9e9 --- /dev/null +++ b/Omit-PA_FOR_USER-if-we-can-t-compute-its-checksum.patch @@ -0,0 +1,34 @@ +From 086de78292b8ae89aba8a72926831124da44205d Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Sat, 6 Jun 2020 11:03:37 +0200 +Subject: [PATCH] Omit PA_FOR_USER if we can't compute its checksum + +OpenSSL in FIPS mode will refuse to perform hmac-md5. Omit the legacy +PA_FOR_USER element in this case rather than failing out. + +[ghudson@mit.edu: minor code and comment edits; wrote commit message] + +ticket: 8912 (new) +(cherry picked from commit 03f122bdb22cfa53c7d855ed929c9541e56365e0) +--- + src/lib/krb5/krb/s4u_creds.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c +index fc5c886d6..d8f486dc6 100644 +--- a/src/lib/krb5/krb/s4u_creds.c ++++ b/src/lib/krb5/krb/s4u_creds.c +@@ -534,6 +534,13 @@ krb5_get_self_cred_from_kdc(krb5_context context, + if (s4u_user.user_id.user != NULL && s4u_user.user_id.user->length) { + code = build_pa_for_user(context, tgtptr, &s4u_user.user_id, + &in_padata[1]); ++ /* ++ * If we couldn't compute the hmac-md5 checksum, send only the ++ * KRB5_PADATA_S4U_X509_USER; this will still work against modern ++ * Windows and MIT KDCs. ++ */ ++ if (code == KRB5_CRYPTO_INTERNAL) ++ code = 0; + if (code != 0) { + krb5_free_pa_data(context, in_padata); + goto cleanup; diff --git a/krb5.spec b/krb5.spec index 3c2201e..f485b6b 100644 --- a/krb5.spec +++ b/krb5.spec @@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.18.2 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces) -Release: 5%{?dist} +Release: 6%{?dist} # rharwood has trust path to signing key and verifies on check-in Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz @@ -63,6 +63,7 @@ Patch20: Pass-channel-bindings-through-SPNEGO.patch Patch21: Replace-gssrpc-tests-with-a-Python-script.patch Patch22: Default-dns_canonicalize_hostname-to-fallback.patch Patch23: Remove-resolver-test-utility.patch +Patch24: Omit-PA_FOR_USER-if-we-can-t-compute-its-checksum.patch License: MIT URL: https://web.mit.edu/kerberos/www/ @@ -635,6 +636,9 @@ exit 0 %{_libdir}/libkadm5srv_mit.so.* %changelog +* Mon Jun 08 2020 Robbie Harwood - 1.18.2-6 +- Omit PA_FOR_USER if we can't compute its checksum + * Sat May 30 2020 Robbie Harwood - 1.18.2-5 - Replace gssrpc tests with a Python script