Omit PA_FOR_USER if we can't compute its checksum
This commit is contained in:
		
							parent
							
								
									49849de329
								
							
						
					
					
						commit
						3c4e18f2f3
					
				
							
								
								
									
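--- a/Omit-PA_FOR_USER-if-we-can-t-compute-its-checksum.patch
+++ b/Omit-PA_FOR_USER-if-we-can-t-compute-its-checksum.patch
@@ -0,0 +1,34 @@
+From 086de78292b8ae89aba8a72926831124da44205d Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Sat, 6 Jun 2020 11:03:37 +0200
+Subject: [PATCH] Omit PA_FOR_USER if we can't compute its checksum
+
+OpenSSL in FIPS mode will refuse to perform hmac-md5.  Omit the legacy
+PA_FOR_USER element in this case rather than failing out.
+
+[ghudson@mit.edu: minor code and comment edits; wrote commit message]
+
+ticket: 8912 (new)
+(cherry picked from commit 03f122bdb22cfa53c7d855ed929c9541e56365e0)
+---
+ src/lib/krb5/krb/s4u_creds.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c
+index fc5c886d6..d8f486dc6 100644
+--- a/src/lib/krb5/krb/s4u_creds.c
++++ b/src/lib/krb5/krb/s4u_creds.c
+@@ -534,6 +534,13 @@ krb5_get_self_cred_from_kdc(krb5_context context,
+         if (s4u_user.user_id.user != NULL && s4u_user.user_id.user->length) {
+             code = build_pa_for_user(context, tgtptr, &s4u_user.user_id,
+                                      &in_padata[1]);
++            /*
++             * If we couldn't compute the hmac-md5 checksum, send only the
++             * KRB5_PADATA_S4U_X509_USER; this will still work against modern
++             * Windows and MIT KDCs.
++             */
++            if (code == KRB5_CRYPTO_INTERNAL)
++                code = 0;
+             if (code != 0) {
+                 krb5_free_pa_data(context, in_padata);
+                 goto cleanup;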
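Review bot: The comment says PA_FOR_USER is dropped when the hmac-md5 checksum cannot be computed, but the guard `if (code == KRB5_CRYPTO_INTERNAL)` matches whatever build_pa_for_user reports with that code, so any internal crypto failure inside that helper — not only the FIPS refusal of hmac-md5 — is presumably downgraded silently to sending KRB5_PADATA_S4U_X509_USER alone. The downgrade also relies on build_pa_for_user leaving `in_padata[1]` NULL on failure so the padata array stays properly terminated; that is not visible in the hunk and is worth confirming against the helper. Because the fallback is silent, an operator diagnosing a FIPS-mode S4U2Self failure against a KDC that only understands PA_FOR_USER gets no hint; a trace entry emitted before `code = 0;` (through the library's existing tracing facility, if s4u_creds.c already uses it) would make the degradation observable. I would also extend the comment to state that the fallback is keyed on the error code rather than on the checksum type, e.g. `* build_pa_for_user reports the FIPS hmac-md5 refusal as KRB5_CRYPTO_INTERNAL; any other internal crypto error from it is absorbed here as well.` krb5_get_self_cred_from_kdc begins and ends outside the hunk.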
| @ -18,7 +18,7 @@ Summary: The Kerberos network authentication system | |||||||
| Name: krb5 | Name: krb5 | ||||||
| Version: 1.18.2 | Version: 1.18.2 | ||||||
| # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces) | # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces) | ||||||
| Release: 5%{?dist} | Release: 6%{?dist} | ||||||
| 
 | 
 | ||||||
| # rharwood has trust path to signing key and verifies on check-in | # rharwood has trust path to signing key and verifies on check-in | ||||||
| Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz | Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz | ||||||
| @ -63,6 +63,7 @@ Patch20: Pass-channel-bindings-through-SPNEGO.patch | |||||||
| Patch21: Replace-gssrpc-tests-with-a-Python-script.patch | Patch21: Replace-gssrpc-tests-with-a-Python-script.patch | ||||||
| Patch22: Default-dns_canonicalize_hostname-to-fallback.patch | Patch22: Default-dns_canonicalize_hostname-to-fallback.patch | ||||||
| Patch23: Remove-resolver-test-utility.patch | Patch23: Remove-resolver-test-utility.patch | ||||||
|  | Patch24: Omit-PA_FOR_USER-if-we-can-t-compute-its-checksum.patch | ||||||
| 
 | 
 | ||||||
| License: MIT | License: MIT | ||||||
| URL: https://web.mit.edu/kerberos/www/ | URL: https://web.mit.edu/kerberos/www/ | ||||||
| @ -635,6 +636,9 @@ exit 0 | |||||||
| %{_libdir}/libkadm5srv_mit.so.* | %{_libdir}/libkadm5srv_mit.so.* | ||||||
| 
 | 
 | ||||||
| %changelog | %changelog | ||||||
|  | * Mon Jun 08 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-6 | ||||||
|  | - Omit PA_FOR_USER if we can't compute its checksum | ||||||
|  | 
 | ||||||
| * Sat May 30 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-5 | * Sat May 30 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-5 | ||||||
| - Replace gssrpc tests with a Python script | - Replace gssrpc tests with a Python script | ||||||
| 
 | 
 | ||||||