From 4ded906f6c3d69ca48419f1284dcb37a78d000aa Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 30 Mar 2021 08:11:34 -0400 Subject: [PATCH] import krb5-1.18.2-8.el8 --- SOURCES/Add-channel-bindings-tests.patch | 2 +- ...client_aware_channel_bindings-option.patch | 6 +- ...finalization-safety-check-to-com_err.patch | 2 +- ...n-limit-for-ASN.1-indefinite-lengths.patch | 97 ++++++++++++ ...tauth-modules-to-set-hw-authent-flag.patch | 2 +- ...y-import-service-GSS-host-based-name.patch | 2 +- ...ion-warnings-for-all-init_creds-APIs.patch | 2 +- ...Document-k-option-in-kvno-1-synopsis.patch | 39 +++++ ...edundant-PKINIT-responder-invocation.patch | 2 +- ...n-KERB_AP_OPTIONS_CBT-server-support.patch | 60 ++++++++ .../Fix-typo-in-in-in-the-ksu-man-page.patch | 2 +- ...-enctypes-in-krb5_string_to_keysalts.patch | 38 +++++ .../Implement-GSS_C_CHANNEL_BOUND_FLAG.patch | 2 +- ...ment-KERB_AP_OPTIONS_CBT-server-side.patch | 2 +- ...rove-negoex_parse_token-code-hygiene.patch | 2 +- ...ndicator-check-for-S4U2Self-requests.patch | 2 +- ...SER-if-we-can-t-compute-its-checksum.patch | 2 +- ...Pass-channel-bindings-through-SPNEGO.patch | 2 +- .../Pass-gss_localname-through-SPNEGO.patch | 2 +- .../Refactor-krb5-GSS-checksum-handling.patch | 2 +- ...ly-acquired-creds-from-client-keytab.patch | 2 +- SOURCES/Unify-kvno-option-documentation.patch | 142 ++++++++++++++++++ ...FIPS-with-PRNG-and-RADIUS-and-MD4-5.patch} | 140 ++++++++++------- SPECS/krb5.spec | 41 ++++- 24 files changed, 519 insertions(+), 76 deletions(-) create mode 100644 SOURCES/Add-recursion-limit-for-ASN.1-indefinite-lengths.patch create mode 100644 SOURCES/Document-k-option-in-kvno-1-synopsis.patch create mode 100644 SOURCES/Fix-leak-in-KERB_AP_OPTIONS_CBT-server-support.patch create mode 100644 SOURCES/Ignore-bad-enctypes-in-krb5_string_to_keysalts.patch create mode 100644 SOURCES/Unify-kvno-option-documentation.patch rename SOURCES/{downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch => downstream-FIPS-with-PRNG-and-RADIUS-and-MD4-5.patch} (85%) diff --git a/SOURCES/Add-channel-bindings-tests.patch b/SOURCES/Add-channel-bindings-tests.patch index 92c803d..6af0949 100644 --- a/SOURCES/Add-channel-bindings-tests.patch +++ b/SOURCES/Add-channel-bindings-tests.patch @@ -1,4 +1,4 @@ -From 6af3fd382e99a9724413929af7eee7c86326ffd9 Mon Sep 17 00:00:00 2001 +From 8182f9f08b2593ff8749078ffd3daef9bf39a7fe Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Fri, 20 Mar 2020 00:17:28 +0100 Subject: [PATCH] Add channel bindings tests diff --git a/SOURCES/Add-client_aware_channel_bindings-option.patch b/SOURCES/Add-client_aware_channel_bindings-option.patch index b8faf33..9d0531e 100644 --- a/SOURCES/Add-client_aware_channel_bindings-option.patch +++ b/SOURCES/Add-client_aware_channel_bindings-option.patch @@ -1,4 +1,4 @@ -From fe50c57f6428d7512868663bd226bdc9007148a9 Mon Sep 17 00:00:00 2001 +From 64f643a7f798c5528182dc068f15dca7b3f2d8a1 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Tue, 10 Mar 2020 13:13:17 +0100 Subject: [PATCH] Add client_aware_channel_bindings option @@ -21,10 +21,10 @@ ticket: 8900 3 files changed, 98 insertions(+), 86 deletions(-) diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst -index 1d2aa7f68..1d8ffc1e4 100644 +index 3a8b9cf47..315253e37 100644 --- a/doc/admin/conf_files/krb5_conf.rst +++ b/doc/admin/conf_files/krb5_conf.rst -@@ -383,6 +383,12 @@ The libdefaults section may contain any of the following relations: +@@ -389,6 +389,12 @@ The libdefaults section may contain any of the following relations: credentials will fail if the client machine does not have a keytab. The default value is false. diff --git a/SOURCES/Add-finalization-safety-check-to-com_err.patch b/SOURCES/Add-finalization-safety-check-to-com_err.patch index f7c9d54..e2740b0 100644 --- a/SOURCES/Add-finalization-safety-check-to-com_err.patch +++ b/SOURCES/Add-finalization-safety-check-to-com_err.patch @@ -1,4 +1,4 @@ -From 2ea85d8228663c9592705a13edecbd4d3c70aac1 Mon Sep 17 00:00:00 2001 +From 9a9ab4b2cad1597cbafbae756483aefa6e36f1eb Mon Sep 17 00:00:00 2001 From: Jiri Sasek Date: Fri, 13 Mar 2020 19:02:58 +0100 Subject: [PATCH] Add finalization safety check to com_err diff --git a/SOURCES/Add-recursion-limit-for-ASN.1-indefinite-lengths.patch b/SOURCES/Add-recursion-limit-for-ASN.1-indefinite-lengths.patch new file mode 100644 index 0000000..0c4a4d0 --- /dev/null +++ b/SOURCES/Add-recursion-limit-for-ASN.1-indefinite-lengths.patch @@ -0,0 +1,97 @@ +From 3a5576fab22ecd21bbf72cccec5be2096e0e05c4 Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Sat, 31 Oct 2020 17:07:05 -0400 +Subject: [PATCH] Add recursion limit for ASN.1 indefinite lengths + +The libkrb5 ASN.1 decoder supports BER indefinite lengths. It +computes the tag length using recursion; the lack of a recursion limit +allows an attacker to overrun the stack and cause the process to +crash. Reported by Demi Obenour. + +CVE-2020-28196: + +In MIT krb5 releases 1.11 and later, an unauthenticated attacker can +cause a denial of service for any client or server to which it can +send an ASN.1-encoded Kerberos message of sufficient length. + +(cherry picked from commit 57415dda6cf04e73ffc3723be518eddfae599bfd) + +ticket: 8959 +version_fixed: 1.18.3 + +(cherry picked from commit 207ad69c87cf1b5c047d6c0c0165e5afe29700a6) +--- + src/lib/krb5/asn.1/asn1_encode.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/src/lib/krb5/asn.1/asn1_encode.c b/src/lib/krb5/asn.1/asn1_encode.c +index a160cf4fe..cd6b879f7 100644 +--- a/src/lib/krb5/asn.1/asn1_encode.c ++++ b/src/lib/krb5/asn.1/asn1_encode.c +@@ -356,7 +356,7 @@ make_tag(asn1buf *buf, const taginfo *t, size_t len) + static krb5_error_code + get_tag(const uint8_t *asn1, size_t len, taginfo *tag_out, + const uint8_t **contents_out, size_t *clen_out, +- const uint8_t **remainder_out, size_t *rlen_out) ++ const uint8_t **remainder_out, size_t *rlen_out, int recursion) + { + krb5_error_code ret; + uint8_t o; +@@ -394,9 +394,11 @@ get_tag(const uint8_t *asn1, size_t len, taginfo *tag_out, + /* Indefinite form (should not be present in DER, but we accept it). */ + if (tag_out->construction != CONSTRUCTED) + return ASN1_MISMATCH_INDEF; ++ if (recursion >= 32) ++ return ASN1_OVERFLOW; + p = asn1; + while (!(len >= 2 && p[0] == 0 && p[1] == 0)) { +- ret = get_tag(p, len, &t, &c, &clen, &p, &len); ++ ret = get_tag(p, len, &t, &c, &clen, &p, &len, recursion + 1); + if (ret) + return ret; + } +@@ -613,7 +615,7 @@ split_der(asn1buf *buf, uint8_t *const *der, size_t len, taginfo *tag_out) + const uint8_t *contents, *remainder; + size_t clen, rlen; + +- ret = get_tag(*der, len, tag_out, &contents, &clen, &remainder, &rlen); ++ ret = get_tag(*der, len, tag_out, &contents, &clen, &remainder, &rlen, 0); + if (ret) + return ret; + if (rlen != 0) +@@ -1199,7 +1201,7 @@ decode_atype(const taginfo *t, const uint8_t *asn1, size_t len, + const uint8_t *rem; + size_t rlen; + if (!tag->implicit) { +- ret = get_tag(asn1, len, &inner_tag, &asn1, &len, &rem, &rlen); ++ ret = get_tag(asn1, len, &inner_tag, &asn1, &len, &rem, &rlen, 0); + if (ret) + return ret; + /* Note: we don't check rlen (it should be 0). */ +@@ -1420,7 +1422,7 @@ decode_sequence(const uint8_t *asn1, size_t len, const struct seq_info *seq, + for (i = 0; i < seq->n_fields; i++) { + if (len == 0) + break; +- ret = get_tag(asn1, len, &t, &contents, &clen, &asn1, &len); ++ ret = get_tag(asn1, len, &t, &contents, &clen, &asn1, &len, 0); + if (ret) + goto error; + /* +@@ -1478,7 +1480,7 @@ decode_sequence_of(const uint8_t *asn1, size_t len, + *seq_out = NULL; + *count_out = 0; + while (len > 0) { +- ret = get_tag(asn1, len, &t, &contents, &clen, &asn1, &len); ++ ret = get_tag(asn1, len, &t, &contents, &clen, &asn1, &len, 0); + if (ret) + goto error; + if (!check_atype_tag(elemtype, &t)) { +@@ -1584,7 +1586,7 @@ k5_asn1_full_decode(const krb5_data *code, const struct atype_info *a, + + *retrep = NULL; + ret = get_tag((uint8_t *)code->data, code->length, &t, &contents, +- &clen, &remainder, &rlen); ++ &clen, &remainder, &rlen, 0); + if (ret) + return ret; + /* rlen should be 0, but we don't check it (and due to padding in diff --git a/SOURCES/Allow-certauth-modules-to-set-hw-authent-flag.patch b/SOURCES/Allow-certauth-modules-to-set-hw-authent-flag.patch index f728c1c..a4f4af0 100644 --- a/SOURCES/Allow-certauth-modules-to-set-hw-authent-flag.patch +++ b/SOURCES/Allow-certauth-modules-to-set-hw-authent-flag.patch @@ -1,4 +1,4 @@ -From b4dba5a4c16b2585c38445e3067b5e3399f38a10 Mon Sep 17 00:00:00 2001 +From ab814a990f109357fc4b505169792f9d4d5b5155 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Mon, 24 Feb 2020 15:58:59 -0500 Subject: [PATCH] Allow certauth modules to set hw-authent flag diff --git a/SOURCES/Correctly-import-service-GSS-host-based-name.patch b/SOURCES/Correctly-import-service-GSS-host-based-name.patch index 5c03863..ddc671f 100644 --- a/SOURCES/Correctly-import-service-GSS-host-based-name.patch +++ b/SOURCES/Correctly-import-service-GSS-host-based-name.patch @@ -1,4 +1,4 @@ -From abcbd3d12b0c92aa37384627edb6e1e6fad9b47a Mon Sep 17 00:00:00 2001 +From cbdae9a9dc2a6af5551d26b32c8d473e1e0ce773 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Mon, 30 Mar 2020 15:26:02 -0400 Subject: [PATCH] Correctly import "service@" GSS host-based name diff --git a/SOURCES/Do-expiration-warnings-for-all-init_creds-APIs.patch b/SOURCES/Do-expiration-warnings-for-all-init_creds-APIs.patch index d4cb2c4..1e1bece 100644 --- a/SOURCES/Do-expiration-warnings-for-all-init_creds-APIs.patch +++ b/SOURCES/Do-expiration-warnings-for-all-init_creds-APIs.patch @@ -1,4 +1,4 @@ -From 640ba4fe0c5d7423431d649f8e5e6ac72341f4ab Mon Sep 17 00:00:00 2001 +From ff6cf2a0545d12a020572dd137fd22d1edc726e4 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Fri, 28 Feb 2020 10:11:49 +0100 Subject: [PATCH] Do expiration warnings for all init_creds APIs diff --git a/SOURCES/Document-k-option-in-kvno-1-synopsis.patch b/SOURCES/Document-k-option-in-kvno-1-synopsis.patch new file mode 100644 index 0000000..85fb523 --- /dev/null +++ b/SOURCES/Document-k-option-in-kvno-1-synopsis.patch @@ -0,0 +1,39 @@ +From e9200e874f33defec7193c11a093675b70e588b6 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Tue, 24 Nov 2020 12:52:02 -0500 +Subject: [PATCH] Document -k option in kvno(1) synopsis + +becd1ad6830b526d08ddaf5b2b6f213154c6446c attempted to unify the +synopsis, option descriptions, and xusage(), but missed one option. + +(cherry picked from commit d81e76d9ddab9e880bcf54eabf07119af91d28c7) +(cherry picked from commit 588d964f59356373353dfd31d4fdcba95e508385) +--- + doc/user/user_commands/kvno.rst | 1 + + src/man/kvno.man | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/doc/user/user_commands/kvno.rst b/doc/user/user_commands/kvno.rst +index 53e569651..00689ab4c 100644 +--- a/doc/user/user_commands/kvno.rst ++++ b/doc/user/user_commands/kvno.rst +@@ -9,6 +9,7 @@ SYNOPSIS + **kvno** + [**-c** *ccache*] + [**-e** *etype*] ++[**-k** *keytab*] + [**-q**] + [**-u** | **-S** *sname*] + [**-P**] +diff --git a/src/man/kvno.man b/src/man/kvno.man +index e156df723..3eeab41b2 100644 +--- a/src/man/kvno.man ++++ b/src/man/kvno.man +@@ -35,6 +35,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] + \fBkvno\fP + [\fB\-c\fP \fIccache\fP] + [\fB\-e\fP \fIetype\fP] ++[\fB\-k\fP \fIkeytab\fP] + [\fB\-q\fP] + [\fB\-u\fP | \fB\-S\fP \fIsname\fP] + [\fB\-P\fP] diff --git a/SOURCES/Eliminate-redundant-PKINIT-responder-invocation.patch b/SOURCES/Eliminate-redundant-PKINIT-responder-invocation.patch index 7e70423..bf45de8 100644 --- a/SOURCES/Eliminate-redundant-PKINIT-responder-invocation.patch +++ b/SOURCES/Eliminate-redundant-PKINIT-responder-invocation.patch @@ -1,4 +1,4 @@ -From fa5d09798a56960c34f28296726ed4525e6950d9 Mon Sep 17 00:00:00 2001 +From e2cc7a04f0dbfbf1a8bc6cd70f639c56a203af28 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Mon, 23 Mar 2020 19:10:03 -0400 Subject: [PATCH] Eliminate redundant PKINIT responder invocation diff --git a/SOURCES/Fix-leak-in-KERB_AP_OPTIONS_CBT-server-support.patch b/SOURCES/Fix-leak-in-KERB_AP_OPTIONS_CBT-server-support.patch new file mode 100644 index 0000000..a0785b9 --- /dev/null +++ b/SOURCES/Fix-leak-in-KERB_AP_OPTIONS_CBT-server-support.patch @@ -0,0 +1,60 @@ +From ce6defae3595fc3d9980bcf5ddc4f1a6ee90d391 Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Fri, 24 Jul 2020 16:05:24 -0400 +Subject: [PATCH] Fix leak in KERB_AP_OPTIONS_CBT server support + +In check_cbt(), use a local variable to hold the retrieved authdata +list, and free it before returning. + +ticket: 8900 +(cherry picked from commit bf2ddff13c178e0c291f8fb382b040080d159e4f) +(cherry picked from commit 044e2209586fd1935d9a637df76d52f48c4f3e6e) +--- + src/lib/gssapi/krb5/accept_sec_context.c | 23 +++++++++++++---------- + 1 file changed, 13 insertions(+), 10 deletions(-) + +diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c +index 175a24c4e..3d5b84b15 100644 +--- a/src/lib/gssapi/krb5/accept_sec_context.c ++++ b/src/lib/gssapi/krb5/accept_sec_context.c +@@ -433,27 +433,30 @@ static const uint8_t null_cb[CB_MD5_LEN]; + /* Look for AP_OPTIONS in authdata. If present and the options include + * KERB_AP_OPTIONS_CBT, set *cbt_out to true. */ + static krb5_error_code +-check_cbt(krb5_context context, krb5_authdata **authdata, ++check_cbt(krb5_context context, krb5_authdata *const *authdata, + krb5_boolean *cbt_out) + { + krb5_error_code code; ++ krb5_authdata **ad; + uint32_t ad_ap_options; + const uint32_t KERB_AP_OPTIONS_CBT = 0x4000; + + *cbt_out = FALSE; + + code = krb5_find_authdata(context, NULL, authdata, +- KRB5_AUTHDATA_AP_OPTIONS, &authdata); +- if (code || authdata == NULL) ++ KRB5_AUTHDATA_AP_OPTIONS, &ad); ++ if (code || ad == NULL) + return code; +- if (authdata[1] != NULL || authdata[0]->length != 4) +- return KRB5KRB_AP_ERR_MSG_TYPE; ++ if (ad[1] != NULL || ad[0]->length != 4) { ++ code = KRB5KRB_AP_ERR_MSG_TYPE; ++ } else { ++ ad_ap_options = load_32_le(ad[0]->contents); ++ if (ad_ap_options & KERB_AP_OPTIONS_CBT) ++ *cbt_out = TRUE; ++ } + +- ad_ap_options = load_32_le(authdata[0]->contents); +- if (ad_ap_options & KERB_AP_OPTIONS_CBT) +- *cbt_out = TRUE; +- +- return 0; ++ krb5_free_authdata(context, ad); ++ return code; + } + + /* diff --git a/SOURCES/Fix-typo-in-in-in-the-ksu-man-page.patch b/SOURCES/Fix-typo-in-in-in-the-ksu-man-page.patch index 0d2f2ef..29aee7d 100644 --- a/SOURCES/Fix-typo-in-in-in-the-ksu-man-page.patch +++ b/SOURCES/Fix-typo-in-in-in-the-ksu-man-page.patch @@ -1,4 +1,4 @@ -From 117681ff995f7a271ded83ff4615e7945c72a942 Mon Sep 17 00:00:00 2001 +From 5a0833a3f3b1c44edd08425d98f682b96ad7a01e Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Thu, 14 May 2020 15:01:18 -0400 Subject: [PATCH] Fix typo ("in in") in the ksu man page diff --git a/SOURCES/Ignore-bad-enctypes-in-krb5_string_to_keysalts.patch b/SOURCES/Ignore-bad-enctypes-in-krb5_string_to_keysalts.patch new file mode 100644 index 0000000..da1503e --- /dev/null +++ b/SOURCES/Ignore-bad-enctypes-in-krb5_string_to_keysalts.patch @@ -0,0 +1,38 @@ +From 087794ce6a9a529f4e6b0474fbfe3b6be3bc01b2 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Wed, 15 Jul 2020 15:42:20 -0400 +Subject: [PATCH] Ignore bad enctypes in krb5_string_to_keysalts() + +Fixes a problem where the presence of legacy/unrecognized keysalts in +supported_enctypes would prevent the kadmin programs from starting. + +[ghudson@mit.edu: ideally we would put a warning in the kadmind log, +but that is difficult to do when the parsing is done inside a library. +Even adding a trace log is difficult because the kadm5 str_conv +functions do not accept contexts.] + +ticket: 8929 (new) +(cherry picked from commit be5396ada0e8dabd68bd0aceb733cfca39a609bc) +(cherry picked from commit 3f873868fb08b77da2d30e164a0ef6c71c17c607) +--- + src/lib/kadm5/str_conv.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/src/lib/kadm5/str_conv.c b/src/lib/kadm5/str_conv.c +index 7cf51d316..798295606 100644 +--- a/src/lib/kadm5/str_conv.c ++++ b/src/lib/kadm5/str_conv.c +@@ -340,9 +340,10 @@ krb5_string_to_keysalts(const char *string, const char *tupleseps, + while ((ksp = strtok_r(p, tseps, &tlasts)) != NULL) { + /* Pass a null pointer to subsequent calls to strtok_r(). */ + p = NULL; +- ret = string_to_keysalt(ksp, ksaltseps, &etype, &stype); +- if (ret) +- goto cleanup; ++ ++ /* Discard unrecognized keysalts. */ ++ if (string_to_keysalt(ksp, ksaltseps, &etype, &stype) != 0) ++ continue; + + /* Ignore duplicate keysalts if caller asks. */ + if (!dups && krb5_keysalt_is_present(ksalts, nksalts, etype, stype)) diff --git a/SOURCES/Implement-GSS_C_CHANNEL_BOUND_FLAG.patch b/SOURCES/Implement-GSS_C_CHANNEL_BOUND_FLAG.patch index 347c0fb..2b077d9 100644 --- a/SOURCES/Implement-GSS_C_CHANNEL_BOUND_FLAG.patch +++ b/SOURCES/Implement-GSS_C_CHANNEL_BOUND_FLAG.patch @@ -1,4 +1,4 @@ -From 3c15e9724dae95a4bf0899a8b8efc3e9e3f486ab Mon Sep 17 00:00:00 2001 +From b8bff4973a6642af80cbbc1bc03a52cb0d4e6247 Mon Sep 17 00:00:00 2001 From: Alexander Scheel Date: Wed, 5 Jul 2017 11:38:30 -0400 Subject: [PATCH] Implement GSS_C_CHANNEL_BOUND_FLAG diff --git a/SOURCES/Implement-KERB_AP_OPTIONS_CBT-server-side.patch b/SOURCES/Implement-KERB_AP_OPTIONS_CBT-server-side.patch index 156088b..4accf9a 100644 --- a/SOURCES/Implement-KERB_AP_OPTIONS_CBT-server-side.patch +++ b/SOURCES/Implement-KERB_AP_OPTIONS_CBT-server-side.patch @@ -1,4 +1,4 @@ -From 7aea9fc73fb508e3168581990eb2e2ff7a1aea31 Mon Sep 17 00:00:00 2001 +From b37714a1b9138c0258d357931215fbd5ca7fa72b Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Mon, 9 Mar 2020 16:04:21 +0100 Subject: [PATCH] Implement KERB_AP_OPTIONS_CBT (server side) diff --git a/SOURCES/Improve-negoex_parse_token-code-hygiene.patch b/SOURCES/Improve-negoex_parse_token-code-hygiene.patch index c7136e1..c605076 100644 --- a/SOURCES/Improve-negoex_parse_token-code-hygiene.patch +++ b/SOURCES/Improve-negoex_parse_token-code-hygiene.patch @@ -1,4 +1,4 @@ -From ca72aa3a2e4ca8bc1b1c33e46ca59ed4b3f20393 Mon Sep 17 00:00:00 2001 +From 01b93a5522fd0e402401bf6ed3c1ebfde613965e Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 9 Jun 2020 16:23:37 -0400 Subject: [PATCH] Improve negoex_parse_token() code hygiene diff --git a/SOURCES/Omit-KDC-indicator-check-for-S4U2Self-requests.patch b/SOURCES/Omit-KDC-indicator-check-for-S4U2Self-requests.patch index c1d53b3..b9c2a37 100644 --- a/SOURCES/Omit-KDC-indicator-check-for-S4U2Self-requests.patch +++ b/SOURCES/Omit-KDC-indicator-check-for-S4U2Self-requests.patch @@ -1,4 +1,4 @@ -From 61f3943f9fc237936ed9fd098edcd8dcc43b8da7 Mon Sep 17 00:00:00 2001 +From f7b6d43533d1d9ec3960e3d7f375995896768aef Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Wed, 6 May 2020 16:03:13 -0400 Subject: [PATCH] Omit KDC indicator check for S4U2Self requests diff --git a/SOURCES/Omit-PA_FOR_USER-if-we-can-t-compute-its-checksum.patch b/SOURCES/Omit-PA_FOR_USER-if-we-can-t-compute-its-checksum.patch index a852fa7..76420e7 100644 --- a/SOURCES/Omit-PA_FOR_USER-if-we-can-t-compute-its-checksum.patch +++ b/SOURCES/Omit-PA_FOR_USER-if-we-can-t-compute-its-checksum.patch @@ -1,4 +1,4 @@ -From 4c4c22639eb2794e563370a2ee48a34dbdddc639 Mon Sep 17 00:00:00 2001 +From e1b2c967266b14bc37e5ed11e6c0525bd259e0bb Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Sat, 6 Jun 2020 11:03:37 +0200 Subject: [PATCH] Omit PA_FOR_USER if we can't compute its checksum diff --git a/SOURCES/Pass-channel-bindings-through-SPNEGO.patch b/SOURCES/Pass-channel-bindings-through-SPNEGO.patch index 8ab4bbf..f802aca 100644 --- a/SOURCES/Pass-channel-bindings-through-SPNEGO.patch +++ b/SOURCES/Pass-channel-bindings-through-SPNEGO.patch @@ -1,4 +1,4 @@ -From d98f8867f8245b3c9dd506271897d0f03d69ae49 Mon Sep 17 00:00:00 2001 +From 6265b0fbc59e13756364b97a5e3e8672514f8302 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Tue, 28 Apr 2020 18:15:55 +0200 Subject: [PATCH] Pass channel bindings through SPNEGO diff --git a/SOURCES/Pass-gss_localname-through-SPNEGO.patch b/SOURCES/Pass-gss_localname-through-SPNEGO.patch index 90804e0..fd47b3f 100644 --- a/SOURCES/Pass-gss_localname-through-SPNEGO.patch +++ b/SOURCES/Pass-gss_localname-through-SPNEGO.patch @@ -1,4 +1,4 @@ -From 64b1fdf0732b094e174b484fd9aac29f06e482bd Mon Sep 17 00:00:00 2001 +From e57cdf6610f0b7c8ac38f9b2342b74b8c9e5bc54 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Sun, 26 Apr 2020 19:55:54 -0400 Subject: [PATCH] Pass gss_localname() through SPNEGO diff --git a/SOURCES/Refactor-krb5-GSS-checksum-handling.patch b/SOURCES/Refactor-krb5-GSS-checksum-handling.patch index 8e97028..d952f41 100644 --- a/SOURCES/Refactor-krb5-GSS-checksum-handling.patch +++ b/SOURCES/Refactor-krb5-GSS-checksum-handling.patch @@ -1,4 +1,4 @@ -From c4a49f5b42916fdbb34c72a11adb42ff879c50c3 Mon Sep 17 00:00:00 2001 +From 4f14a2f48b52e59c472847a5522fd0cf52927755 Mon Sep 17 00:00:00 2001 From: Alexander Scheel Date: Fri, 30 Jun 2017 16:03:01 -0400 Subject: [PATCH] Refactor krb5 GSS checksum handling diff --git a/SOURCES/Refresh-manually-acquired-creds-from-client-keytab.patch b/SOURCES/Refresh-manually-acquired-creds-from-client-keytab.patch index c8c6cd8..f709148 100644 --- a/SOURCES/Refresh-manually-acquired-creds-from-client-keytab.patch +++ b/SOURCES/Refresh-manually-acquired-creds-from-client-keytab.patch @@ -1,4 +1,4 @@ -From fdd97fe6c9f0a3a6ff8d2580ca9f3c46826449b7 Mon Sep 17 00:00:00 2001 +From cb8c8af56d306267d6964da217c65e129fe83c82 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Wed, 26 Feb 2020 18:27:17 -0500 Subject: [PATCH] Refresh manually acquired creds from client keytab diff --git a/SOURCES/Unify-kvno-option-documentation.patch b/SOURCES/Unify-kvno-option-documentation.patch new file mode 100644 index 0000000..0a1c522 --- /dev/null +++ b/SOURCES/Unify-kvno-option-documentation.patch @@ -0,0 +1,142 @@ +From 54dade355262fafab54572384c4215cc6c63ecfb Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Thu, 20 Aug 2020 17:49:29 -0400 +Subject: [PATCH] Unify kvno option documentation + +Add missing kvno options to the kvno.rst synopsis and option +descriptions, and to the kvno usage message. Remove mention of '-h' +(help text), from kvno.rst as it is an implicit option. Note that the +three new caching options were added in release 1.19. + +Indicate the two exclusions (-u/-S and --u2u with the S4U2Self options) +and dependency (-P on S4U2Self) where they are missing. + +Switch xusage() to print only a single localized string, rather than +running each line of output through localization separately. + +Leave kvno -C undocumented for now, as the semantics of +KRB5_GC_CANONICALIZE are minimally useful and likely to change. + +[ghudson@mit.edu: edited documentation and commit message] + +ticket: 7476 +tags: pullup +target_version: 1.18-next + +(cherry picked from commit becd1ad6830b526d08ddaf5b2b6f213154c6446c) +(cherry picked from commit 52e3695cc5ef00766e12adfe8ed276c2885e71bb) +[rharwood@redhat.com: backport around added kvno options] +--- + doc/user/user_commands/kvno.rst | 17 +++++++++-------- + src/clients/kvno/kvno.c | 12 ++++++++---- + src/man/kvno.man | 17 +++++++++-------- + 3 files changed, 26 insertions(+), 20 deletions(-) + +diff --git a/doc/user/user_commands/kvno.rst b/doc/user/user_commands/kvno.rst +index 3892f0ca5..53e569651 100644 +--- a/doc/user/user_commands/kvno.rst ++++ b/doc/user/user_commands/kvno.rst +@@ -10,13 +10,9 @@ SYNOPSIS + [**-c** *ccache*] + [**-e** *etype*] + [**-q**] +-[**-h**] ++[**-u** | **-S** *sname*] + [**-P**] +-[**-S** *sname*] +-[**-I** *for_user*] +-[**-U** *for_user*] +-[**-F** *cert_file*] +-[**--u2u** *ccache*] ++[[{**-F** *cert_file* | {**-I** | **-U**} *for_user*} [**-P**]] | **--u2u** *ccache*] + *service1 service2* ... + + +@@ -39,13 +35,18 @@ OPTIONS + of all the services named on the command line. This is useful in + certain backward compatibility situations. + ++**-k** *keytab* ++ Decrypt the acquired tickets using *keytab* to confirm their ++ validity. ++ + **-q** + Suppress printing output when successful. If a service ticket + cannot be obtained, an error message will still be printed and + kvno will exit with nonzero status. + +-**-h** +- Prints a usage statement and exits. ++**-u** ++ Use the unknown name type in requested service principal names. ++ This option Cannot be used with *-S*. + + **-P** + Specifies that the *service1 service2* ... arguments are to be +diff --git a/src/clients/kvno/kvno.c b/src/clients/kvno/kvno.c +index 2472c0cfe..8edd97361 100644 +--- a/src/clients/kvno/kvno.c ++++ b/src/clients/kvno/kvno.c +@@ -38,13 +38,17 @@ + static char *prog; + static int quiet = 0; + ++#define XUSAGE_BREAK "\n\t" ++ + static void + xusage() + { +- fprintf(stderr, _("usage: %s [-C] [-u] [-c ccache] [-e etype]\n"), prog); +- fprintf(stderr, _("\t[-k keytab] [-S sname] [{-I | -U} for_user | " +- "[-F cert_file] [-P]]\n")); +- fprintf(stderr, _("\t[--u2u ccache] service1 service2 ...\n")); ++ fprintf(stderr, _("usage: %s [-c ccache] [-e etype] [-k keytab] [-q] " ++ "[-u | -S sname]" XUSAGE_BREAK ++ "[[{-F cert_file | {-I | -U} for_user} [-P]] | " ++ "--u2u ccache]" XUSAGE_BREAK ++ "service1 service2 ...\n"), ++ prog); + exit(1); + } + +diff --git a/src/man/kvno.man b/src/man/kvno.man +index 005a2ec97..e156df723 100644 +--- a/src/man/kvno.man ++++ b/src/man/kvno.man +@@ -36,13 +36,9 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] + [\fB\-c\fP \fIccache\fP] + [\fB\-e\fP \fIetype\fP] + [\fB\-q\fP] +-[\fB\-h\fP] ++[\fB\-u\fP | \fB\-S\fP \fIsname\fP] + [\fB\-P\fP] +-[\fB\-S\fP \fIsname\fP] +-[\fB\-I\fP \fIfor_user\fP] +-[\fB\-U\fP \fIfor_user\fP] +-[\fB\-F\fP \fIcert_file\fP] +-[\fB\-\-u2u\fP \fIccache\fP] ++[[{\fB\-F\fP \fIcert_file\fP | {\fB\-I\fP | \fB\-U\fP} \fIfor_user\fP} [\fB\-P\fP]] | \fB\-\-u2u\fP \fIccache\fP] + \fIservice1 service2\fP ... + .SH DESCRIPTION + .sp +@@ -60,13 +56,18 @@ Specifies the enctype which will be requested for the session key + of all the services named on the command line. This is useful in + certain backward compatibility situations. + .TP ++\fB\-k\fP \fIkeytab\fP ++Decrypt the acquired tickets using \fIkeytab\fP to confirm their ++validity. ++.TP + \fB\-q\fP + Suppress printing output when successful. If a service ticket + cannot be obtained, an error message will still be printed and + kvno will exit with nonzero status. + .TP +-\fB\-h\fP +-Prints a usage statement and exits. ++\fB\-u\fP ++Use the unknown name type in requested service principal names. ++This option Cannot be used with \fI\-S\fP\&. + .TP + \fB\-P\fP + Specifies that the \fIservice1 service2\fP ... arguments are to be diff --git a/SOURCES/downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch b/SOURCES/downstream-FIPS-with-PRNG-and-RADIUS-and-MD4-5.patch similarity index 85% rename from SOURCES/downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch rename to SOURCES/downstream-FIPS-with-PRNG-and-RADIUS-and-MD4-5.patch index 913c6c3..80a54ad 100644 --- a/SOURCES/downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch +++ b/SOURCES/downstream-FIPS-with-PRNG-and-RADIUS-and-MD4-5.patch @@ -1,7 +1,7 @@ -From a3f9d8f66a7f2e01aa7b12ef4e2a289d867bb276 Mon Sep 17 00:00:00 2001 +From f87e8a6734726bdd166f33757232a8c7cf9a9058 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Fri, 9 Nov 2018 15:12:21 -0500 -Subject: [PATCH] [downstream] FIPS with PRNG and RADIUS and MD4 +Subject: [PATCH] [downstream] FIPS with PRNG and RADIUS and MD4+5 NB: Use openssl's PRNG in FIPS mode and taint within krad. @@ -17,25 +17,45 @@ AES is fine. Shame about SPAKE though. post6 restores MD4 (and therefore keygen-only RC4). +post7 restores MD5 and adds radius_md5_fips_override. + Last-updated: krb5-1.17 -(cherry picked from commit a721df13d09b5fdad32de15e6aa973b732727aa9) +(cherry picked from commit bf8521bfaa4a4d54f6eb94f785c68942f4afa055) --- + doc/admin/conf_files/krb5_conf.rst | 6 +++ src/lib/crypto/krb/prng.c | 11 ++++- .../crypto/openssl/enc_provider/camellia.c | 6 +++ src/lib/crypto/openssl/enc_provider/rc4.c | 13 +++++- .../crypto/openssl/hash_provider/hash_evp.c | 12 +++++ src/lib/crypto/openssl/hmac.c | 6 ++- - src/lib/krad/attr.c | 45 ++++++++++++++----- - src/lib/krad/attrset.c | 5 ++- - src/lib/krad/internal.h | 13 +++++- - src/lib/krad/packet.c | 22 ++++----- - src/lib/krad/remote.c | 10 ++++- + src/lib/krad/attr.c | 46 ++++++++++++++----- + src/lib/krad/attrset.c | 5 +- + src/lib/krad/internal.h | 28 ++++++++++- + src/lib/krad/packet.c | 22 +++++---- + src/lib/krad/remote.c | 10 +++- src/lib/krad/t_attr.c | 3 +- src/lib/krad/t_attrset.c | 4 +- src/plugins/preauth/spake/spake_client.c | 6 +++ src/plugins/preauth/spake/spake_kdc.c | 6 +++ - 14 files changed, 129 insertions(+), 33 deletions(-) + 15 files changed, 151 insertions(+), 33 deletions(-) +diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst +index 1d2aa7f68..3a8b9cf47 100644 +--- a/doc/admin/conf_files/krb5_conf.rst ++++ b/doc/admin/conf_files/krb5_conf.rst +@@ -331,6 +331,12 @@ The libdefaults section may contain any of the following relations: + qualification of shortnames, set this relation to the empty string + with ``qualify_shortname = ""``. (New in release 1.18.) + ++**radius_md5_fips_override** ++ Downstream-only option to enable use of MD5 in RADIUS ++ communication (libkrad). This allows for local (or protected ++ tunnel) communication with a RADIUS server that doesn't use krad ++ (e.g., freeradius) while in FIPS mode. ++ + **rdns** + If this flag is true, reverse name lookup will be used in addition + to forward name lookup to canonicalizing hostnames for use in diff --git a/src/lib/crypto/krb/prng.c b/src/lib/crypto/krb/prng.c index cb9ca9b98..f0e9984ca 100644 --- a/src/lib/crypto/krb/prng.c @@ -130,15 +150,15 @@ index a65d57b7a..6ccaca94a 100644 * The cipher state here is a saved pointer to a struct arcfour_state * object, rather than a flat byte array as in most enc providers. The diff --git a/src/lib/crypto/openssl/hash_provider/hash_evp.c b/src/lib/crypto/openssl/hash_provider/hash_evp.c -index 1e0fb8fc3..feb5eda99 100644 +index 1e0fb8fc3..2eb5139c0 100644 --- a/src/lib/crypto/openssl/hash_provider/hash_evp.c +++ b/src/lib/crypto/openssl/hash_provider/hash_evp.c @@ -49,6 +49,11 @@ hash_evp(const EVP_MD *type, const krb5_crypto_iov *data, size_t num_data, if (ctx == NULL) return ENOMEM; -+ if (type == EVP_md4()) { -+ /* See comment below in hash_md4(). */ ++ if (type == EVP_md4() || type == EVP_md5()) { ++ /* See comments below in hash_md4() and hash_md5(). */ + EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); + } + @@ -160,8 +180,8 @@ index 1e0fb8fc3..feb5eda99 100644 static krb5_error_code hash_md5(const krb5_crypto_iov *data, size_t num_data, krb5_data *output) { -+ if (FIPS_mode()) -+ return KRB5_CRYPTO_INTERNAL; ++ /* MD5 is needed in FIPS mode for communication with RADIUS servers. This ++ * is gated in libkrad by libdefaults->radius_md5_fips_override. */ return hash_evp(EVP_md5(), data, num_data, output); } @@ -183,18 +203,10 @@ index 7dc59dcc0..769a50c00 100644 else if (!strncmp(hash->hash_name, "MD4", 3)) return EVP_md4(); diff --git a/src/lib/krad/attr.c b/src/lib/krad/attr.c -index 9c13d9d75..275327e67 100644 +index 9c13d9d75..42d354a3b 100644 --- a/src/lib/krad/attr.c +++ b/src/lib/krad/attr.c -@@ -30,6 +30,7 @@ - #include - #include "internal.h" - -+#include - #include - - /* RFC 2865 */ -@@ -38,7 +39,8 @@ +@@ -38,7 +38,8 @@ typedef krb5_error_code (*attribute_transform_fn)(krb5_context ctx, const char *secret, const unsigned char *auth, const krb5_data *in, @@ -204,7 +216,7 @@ index 9c13d9d75..275327e67 100644 typedef struct { const char *name; -@@ -51,12 +53,14 @@ typedef struct { +@@ -51,12 +52,14 @@ typedef struct { static krb5_error_code user_password_encode(krb5_context ctx, const char *secret, const unsigned char *auth, const krb5_data *in, @@ -221,7 +233,7 @@ index 9c13d9d75..275327e67 100644 static const attribute_record attributes[UCHAR_MAX] = { {"User-Name", 1, MAX_ATTRSIZE, NULL, NULL}, -@@ -128,7 +132,8 @@ static const attribute_record attributes[UCHAR_MAX] = { +@@ -128,7 +131,8 @@ static const attribute_record attributes[UCHAR_MAX] = { static krb5_error_code user_password_encode(krb5_context ctx, const char *secret, const unsigned char *auth, const krb5_data *in, @@ -231,20 +243,21 @@ index 9c13d9d75..275327e67 100644 { const unsigned char *indx; krb5_error_code retval; -@@ -154,8 +159,14 @@ user_password_encode(krb5_context ctx, const char *secret, +@@ -154,8 +158,15 @@ user_password_encode(krb5_context ctx, const char *secret, for (blck = 0, indx = auth; blck * BLOCKSIZE < len; blck++) { memcpy(tmp.data + seclen, indx, BLOCKSIZE); - retval = krb5_c_make_checksum(ctx, CKSUMTYPE_RSA_MD5, NULL, 0, &tmp, - &sum); -+ if (FIPS_mode()) { ++ if (kr_use_fips(ctx)) { + /* Skip encryption here. Taint so that we won't pass it out of + * the machine by accident. */ + *is_fips = TRUE; + sum.contents = calloc(1, BLOCKSIZE); -+ } else ++ } else { + retval = krb5_c_make_checksum(ctx, CKSUMTYPE_RSA_MD5, NULL, 0, &tmp, + &sum); ++ } if (retval != 0) { zap(tmp.data, tmp.length); zap(outbuf, len); @@ -258,24 +271,25 @@ index 9c13d9d75..275327e67 100644 { const unsigned char *indx; krb5_error_code retval; -@@ -204,8 +216,14 @@ user_password_decode(krb5_context ctx, const char *secret, +@@ -204,8 +216,15 @@ user_password_decode(krb5_context ctx, const char *secret, for (blck = 0, indx = auth; blck * BLOCKSIZE < in->length; blck++) { memcpy(tmp.data + seclen, indx, BLOCKSIZE); - retval = krb5_c_make_checksum(ctx, CKSUMTYPE_RSA_MD5, NULL, 0, - &tmp, &sum); -+ if (FIPS_mode()) { ++ if (kr_use_fips(ctx)) { + /* Skip encryption here. Taint so that we won't pass it out of + * the machine by accident. */ + *is_fips = TRUE; + sum.contents = calloc(1, BLOCKSIZE); -+ } else ++ } else { + retval = krb5_c_make_checksum(ctx, CKSUMTYPE_RSA_MD5, NULL, 0, + &tmp, &sum); ++ } if (retval != 0) { zap(tmp.data, tmp.length); zap(outbuf, in->length); -@@ -248,7 +266,7 @@ krb5_error_code +@@ -248,7 +267,7 @@ krb5_error_code kr_attr_encode(krb5_context ctx, const char *secret, const unsigned char *auth, krad_attr type, const krb5_data *in, unsigned char outbuf[MAX_ATTRSIZE], @@ -284,7 +298,7 @@ index 9c13d9d75..275327e67 100644 { krb5_error_code retval; -@@ -265,7 +283,8 @@ kr_attr_encode(krb5_context ctx, const char *secret, +@@ -265,7 +284,8 @@ kr_attr_encode(krb5_context ctx, const char *secret, return 0; } @@ -294,7 +308,7 @@ index 9c13d9d75..275327e67 100644 } krb5_error_code -@@ -274,6 +293,7 @@ kr_attr_decode(krb5_context ctx, const char *secret, const unsigned char *auth, +@@ -274,6 +294,7 @@ kr_attr_decode(krb5_context ctx, const char *secret, const unsigned char *auth, unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen) { krb5_error_code retval; @@ -302,7 +316,7 @@ index 9c13d9d75..275327e67 100644 retval = kr_attr_valid(type, in); if (retval != 0) -@@ -288,7 +308,8 @@ kr_attr_decode(krb5_context ctx, const char *secret, const unsigned char *auth, +@@ -288,7 +309,8 @@ kr_attr_decode(krb5_context ctx, const char *secret, const unsigned char *auth, return 0; } @@ -336,10 +350,19 @@ index 03c613716..d89982a13 100644 return retval; diff --git a/src/lib/krad/internal.h b/src/lib/krad/internal.h -index 996a89372..a53ce31ce 100644 +index 996a89372..312dc8258 100644 --- a/src/lib/krad/internal.h +++ b/src/lib/krad/internal.h -@@ -49,6 +49,13 @@ +@@ -39,6 +39,8 @@ + #include + #include + ++#include ++ + #ifndef UCHAR_MAX + #define UCHAR_MAX 255 + #endif +@@ -49,6 +51,13 @@ typedef struct krad_remote_st krad_remote; @@ -353,7 +376,7 @@ index 996a89372..a53ce31ce 100644 /* Validate constraints of an attribute. */ krb5_error_code kr_attr_valid(krad_attr type, const krb5_data *data); -@@ -57,7 +64,8 @@ kr_attr_valid(krad_attr type, const krb5_data *data); +@@ -57,7 +66,8 @@ kr_attr_valid(krad_attr type, const krb5_data *data); krb5_error_code kr_attr_encode(krb5_context ctx, const char *secret, const unsigned char *auth, krad_attr type, const krb5_data *in, @@ -363,7 +386,7 @@ index 996a89372..a53ce31ce 100644 /* Decode an attribute. */ krb5_error_code -@@ -69,7 +77,8 @@ kr_attr_decode(krb5_context ctx, const char *secret, const unsigned char *auth, +@@ -69,7 +79,8 @@ kr_attr_decode(krb5_context ctx, const char *secret, const unsigned char *auth, krb5_error_code kr_attrset_encode(const krad_attrset *set, const char *secret, const unsigned char *auth, @@ -373,19 +396,29 @@ index 996a89372..a53ce31ce 100644 /* Decode attributes from a buffer. */ krb5_error_code +@@ -152,4 +163,17 @@ gai_error_code(int err) + } + } + ++static inline krb5_boolean ++kr_use_fips(krb5_context ctx) ++{ ++ int val = 0; ++ ++ if (!FIPS_mode()) ++ return 0; ++ ++ profile_get_boolean(ctx->profile, "libdefaults", ++ "radius_md5_fips_override", NULL, 0, &val); ++ return !val; ++} ++ + #endif /* INTERNAL_H_ */ diff --git a/src/lib/krad/packet.c b/src/lib/krad/packet.c -index c597174b6..794ac84c4 100644 +index c597174b6..fc2d24800 100644 --- a/src/lib/krad/packet.c +++ b/src/lib/krad/packet.c -@@ -32,6 +32,7 @@ - #include - - #include -+#include - - typedef unsigned char uchar; - -@@ -53,12 +54,6 @@ typedef unsigned char uchar; +@@ -53,12 +53,6 @@ typedef unsigned char uchar; #define pkt_auth(p) ((uchar *)offset(&(p)->pkt, OFFSET_AUTH)) #define pkt_attr(p) ((unsigned char *)offset(&(p)->pkt, OFFSET_ATTR)) @@ -398,19 +431,20 @@ index c597174b6..794ac84c4 100644 typedef struct { uchar x[(UCHAR_MAX + 1) / 8]; } idmap; -@@ -187,8 +182,13 @@ auth_generate_response(krb5_context ctx, const char *secret, +@@ -187,8 +181,14 @@ auth_generate_response(krb5_context ctx, const char *secret, memcpy(data.data + response->pkt.length, secret, strlen(secret)); /* Hash it. */ - retval = krb5_c_make_checksum(ctx, CKSUMTYPE_RSA_MD5, NULL, 0, &data, - &hash); -+ if (FIPS_mode()) { ++ if (kr_use_fips(ctx)) { + /* This checksum does very little security-wise anyway, so don't + * taint. */ + hash.contents = calloc(1, AUTH_FIELD_SIZE); -+ } else ++ } else { + retval = krb5_c_make_checksum(ctx, CKSUMTYPE_RSA_MD5, NULL, 0, &data, + &hash); ++ } free(data.data); if (retval != 0) return retval; diff --git a/SPECS/krb5.spec b/SPECS/krb5.spec index 3f0049c..15caa13 100644 --- a/SPECS/krb5.spec +++ b/SPECS/krb5.spec @@ -18,12 +18,12 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.18.2 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces) -Release: 3%{?dist} +Release: 8%{?dist} # lookaside-cached sources; two downloads and a build artifact -Source0: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}%{prerelease}.tar.gz +Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz # rharwood has trust path to signing key and verifies on check-in -Source1: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}%{prerelease}.tar.gz.asc +Source1: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz.asc # This source is generated during the build because it is documentation. # To override this behavior (e.g., new upstream version), do: # tar cfT krb5-1.15.2-pdfs.tar /dev/null @@ -53,7 +53,7 @@ Patch4: downstream-netlib-and-dns.patch Patch5: downstream-fix-debuginfo-with-y.tab.c.patch Patch6: downstream-Remove-3des-support.patch Patch7: rhel-Use-backported-version-of-OpenSSL-3-KDF-interfa.patch -Patch108: downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch +Patch8: downstream-FIPS-with-PRNG-and-RADIUS-and-MD4-5.patch Patch110: Allow-certauth-modules-to-set-hw-authent-flag.patch Patch112: Refresh-manually-acquired-creds-from-client-keytab.patch Patch114: Add-finalization-safety-check-to-com_err.patch @@ -71,6 +71,11 @@ Patch125: Implement-KERB_AP_OPTIONS_CBT-server-side.patch Patch126: Add-client_aware_channel_bindings-option.patch Patch127: Pass-channel-bindings-through-SPNEGO.patch Patch128: Add-channel-bindings-tests.patch +Patch129: Ignore-bad-enctypes-in-krb5_string_to_keysalts.patch +Patch130: Fix-leak-in-KERB_AP_OPTIONS_CBT-server-support.patch +Patch131: Unify-kvno-option-documentation.patch +Patch132: Document-k-option-in-kvno-1-synopsis.patch +Patch133: Add-recursion-limit-for-ASN.1-indefinite-lengths.patch License: MIT URL: http://web.mit.edu/kerberos/www/ @@ -681,6 +686,34 @@ exit 0 %{_libdir}/libkadm5srv_mit.so.* %changelog +* Wed Dec 16 2020 Robbie Harwood - 1.18.2-8 +- Add recursion limit for ASN.1 indefinite lengths (CVE-2020-28196) +- Resolves: #1906492 + +* Tue Nov 24 2020 Robbie Harwood - 1.18.2-7 +- Document -k option in kvno(1) synopsis +- Resolves: #1869055 + +* Wed Oct 21 2020 Robbie Harwood - 1.18.2-6 +- Enable MD5 override for FIPS RADIUS +- Resolves: #1872689 + +* Thu Oct 15 2020 Robbie Harwood - 1.18.2-5.2 +- Unify kvno option documentation +- Resolves: #1869055 + +* Wed Oct 14 2020 Robbie Harwood - 1.18.2-5.1 +- Fix upstream URLs in spec file +- Resolves: #1868039 + +* Tue Aug 04 2020 Robbie Harwood - 1.18.2-5 +- Fix leak in KERB_AP_OPTIONS_CBT server support +- Resolves: #1860831 + +* Tue Jul 28 2020 Robbie Harwood - 1.18.2-4 +- Ignore bad enctypes in krb5_string_to_keysalts() +- Resolves: #1858322 + * Mon Jun 15 2020 Robbie Harwood - 1.18.2-3 - Match Heimdal behavior for channel bindings - Code hygiene + test stability fix included