From 40a05d03472a1bcc7aa57f32273357732b2fe895 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 10 Jul 2018 17:34:02 -0400 Subject: [PATCH] Use SHA-256 instead of MD5 for audit ticket IDs --- ...-instead-of-MD5-for-audit-ticket-IDs.patch | 53 +++++++++++++++++++ krb5.spec | 6 ++- 2 files changed, 58 insertions(+), 1 deletion(-) create mode 100644 Use-SHA-256-instead-of-MD5-for-audit-ticket-IDs.patch diff --git a/Use-SHA-256-instead-of-MD5-for-audit-ticket-IDs.patch b/Use-SHA-256-instead-of-MD5-for-audit-ticket-IDs.patch new file mode 100644 index 0000000..26df25a --- /dev/null +++ b/Use-SHA-256-instead-of-MD5-for-audit-ticket-IDs.patch @@ -0,0 +1,53 @@ +From a9bc03fe03ef4b00bcdad13c99bb4c376a8b9964 Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Tue, 10 Jul 2018 16:17:15 -0400 +Subject: [PATCH] Use SHA-256 instead of MD5 for audit ticket IDs + +ticket: 8711 (new) +(cherry picked from commit c1e1bfa26bd2f045e88e6013c500fca9428c98f3) +--- + src/kdc/kdc_audit.c | 21 ++++++++++----------- + 1 file changed, 10 insertions(+), 11 deletions(-) + +diff --git a/src/kdc/kdc_audit.c b/src/kdc/kdc_audit.c +index c9a7f9f9d..f40913dc8 100644 +--- a/src/kdc/kdc_audit.c ++++ b/src/kdc/kdc_audit.c +@@ -146,7 +146,7 @@ kau_make_tkt_id(krb5_context context, + { + krb5_error_code ret = 0; + char *hash = NULL, *ptr; +- krb5_checksum cksum; ++ uint8_t hashbytes[K5_SHA256_HASHLEN]; + unsigned int i; + + *out = NULL; +@@ -154,19 +154,18 @@ kau_make_tkt_id(krb5_context context, + if (ticket == NULL) + return EINVAL; + +- ret = krb5_c_make_checksum(context, CKSUMTYPE_RSA_MD5, NULL, 0, +- &ticket->enc_part.ciphertext, &cksum); ++ ret = k5_sha256(&ticket->enc_part.ciphertext, 1, hashbytes); + if (ret) + return ret; + +- hash = k5alloc(cksum.length * 2 + 1, &ret); +- if (hash != NULL) { +- for (i = 0, ptr = hash; i < cksum.length; i++, ptr += 2) +- snprintf(ptr, 3, "%02X", cksum.contents[i]); +- *ptr = '\0'; +- *out = hash; +- } +- krb5_free_checksum_contents(context, &cksum); ++ hash = k5alloc(sizeof(hashbytes) * 2 + 1, &ret); ++ if (hash == NULL) ++ return ret; ++ ++ for (i = 0, ptr = hash; i < sizeof(hashbytes); i++, ptr += 2) ++ snprintf(ptr, 3, "%02X", hashbytes[i]); ++ *ptr = '\0'; ++ *out = hash; + + return 0; + } diff --git a/krb5.spec b/krb5.spec index b022c73..0a258c1 100644 --- a/krb5.spec +++ b/krb5.spec @@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.16.1 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces) -Release: 9%{?dist} +Release: 10%{?dist} # lookaside-cached sources; two downloads and a build artifact Source0: https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}%{prerelease}.tar.gz @@ -93,6 +93,7 @@ Patch73: Process-profile-includedir-in-sorted-order.patch Patch74: Make-docs-build-python3-compatible.patch Patch75: Add-flag-to-disable-encrypted-timestamp-on-client.patch Patch76: Explicitly-look-for-python2-in-configure.in.patch +Patch77: Use-SHA-256-instead-of-MD5-for-audit-ticket-IDs.patch License: MIT URL: http://web.mit.edu/kerberos/www/ @@ -740,6 +741,9 @@ exit 0 %{_libdir}/libkadm5srv_mit.so.* %changelog +* Tue Jul 10 2018 Robbie Harwood - 1.16.1-10 +- Use SHA-256 instead of MD5 for audit ticket IDs + * Fri Jul 06 2018 Robbie Harwood - 1.16.1-9 - Add BuildRequires on python2 so we can run tests at build-time