Add md5 override to krad
This commit is contained in:
Robbie Harwood
parent
c06ba2920a
commit
501e298072
@ -1,4 +1,4 @@
|
||||
From 3e92520c1417f22447751cd9172d5ab30c2e0ad8 Mon Sep 17 00:00:00 2001
|
||||
From 6d36ea6fcfe281a8ce73fc5aa5c133f435d93fa4 Mon Sep 17 00:00:00 2001
|
||||
From: Isaac Boukris <iboukris@gmail.com>
|
||||
Date: Fri, 20 Mar 2020 00:17:28 +0100
|
||||
Subject: [PATCH] Add channel bindings tests
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From 2a08fe3d2d1972df4ffe37d4bb64b161889ff988 Mon Sep 17 00:00:00 2001
|
||||
From 46ec975eb8f33b6d42c440758fc0deb826f87313 Mon Sep 17 00:00:00 2001
|
||||
From: Isaac Boukris <iboukris@gmail.com>
|
||||
Date: Tue, 10 Mar 2020 13:13:17 +0100
|
||||
Subject: [PATCH] Add client_aware_channel_bindings option
|
||||
@ -20,10 +20,10 @@ ticket: 8900
|
||||
3 files changed, 98 insertions(+), 86 deletions(-)
|
||||
|
||||
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
|
||||
index a7e7a29d1..7f2879640 100644
|
||||
index 38f450367..da5ad00f2 100644
|
||||
--- a/doc/admin/conf_files/krb5_conf.rst
|
||||
+++ b/doc/admin/conf_files/krb5_conf.rst
|
||||
@@ -382,6 +382,12 @@ The libdefaults section may contain any of the following relations:
|
||||
@@ -388,6 +388,12 @@ The libdefaults section may contain any of the following relations:
|
||||
credentials will fail if the client machine does not have a
|
||||
keytab. The default value is false.
|
||||
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From 9b28e9bbadb775cf790092bc0b0fe9f6c880d215 Mon Sep 17 00:00:00 2001
|
||||
From 96a36ef54aecb48b71c1ae0cc85b83ef644c3bd0 Mon Sep 17 00:00:00 2001
|
||||
From: Jiri Sasek <Jiri.Sasek@Oracle.COM>
|
||||
Date: Fri, 13 Mar 2020 19:02:58 +0100
|
||||
Subject: [PATCH] Add finalization safety check to com_err
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From 5413039348c612716fb5e33347814b7608778646 Mon Sep 17 00:00:00 2001
|
||||
From 5b62f6f6a960e5a428a39a3e83e0a16dba5a914a Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Mon, 24 Feb 2020 15:58:59 -0500
|
||||
Subject: [PATCH] Allow certauth modules to set hw-authent flag
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From bedbb5ee1ad821b91f00d30361985e6863c0e6ba Mon Sep 17 00:00:00 2001
|
||||
From 594c9d225f470e73a46dd2a85c5e50571e90598c Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Sat, 11 Jul 2020 21:57:30 -0400
|
||||
Subject: [PATCH] Allow gss_unwrap_iov() of unpadded RC4 tokens
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From e8c6f76079bac021e30e89e12b547cc73f71ec36 Mon Sep 17 00:00:00 2001
|
||||
From f56afbeb7848322f3208edd55f2c12a9e32127f0 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Mon, 30 Mar 2020 15:26:02 -0400
|
||||
Subject: [PATCH] Correctly import "service@" GSS host-based name
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From 07179e38e5ee72e82ebc77a1c8d73e34905268b7 Mon Sep 17 00:00:00 2001
|
||||
From c3d2c3bcafe0ac87d9cbbf37f1488ad642627fc3 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Wed, 27 May 2020 18:48:35 -0400
|
||||
Subject: [PATCH] Default dns_canonicalize_hostname to "fallback"
|
||||
@ -54,7 +54,7 @@ index 5232db9af..afdf30297 100644
|
||||
|
||||
Configuration of hostnames varies by operating system. On the
|
||||
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
|
||||
index 1d2aa7f68..a7e7a29d1 100644
|
||||
index 3a8b9cf47..38f450367 100644
|
||||
--- a/doc/admin/conf_files/krb5_conf.rst
|
||||
+++ b/doc/admin/conf_files/krb5_conf.rst
|
||||
@@ -188,11 +188,10 @@ The libdefaults section may contain any of the following relations:
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From 0083381a1dc008c6a1a437393045f82ec06423f8 Mon Sep 17 00:00:00 2001
|
||||
From 51a9f8e7498591b22558a7a61d42a821030f9c4e Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Fri, 28 Feb 2020 10:11:49 +0100
|
||||
Subject: [PATCH] Do expiration warnings for all init_creds APIs
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From 43d09ed10d495e78c786f5468455f16a63a99532 Mon Sep 17 00:00:00 2001
|
||||
From b27a2f1f330afed53b034a66031f9a801b4568b7 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Mon, 23 Mar 2020 19:10:03 -0400
|
||||
Subject: [PATCH] Eliminate redundant PKINIT responder invocation
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From 9504dd4de49938e4cdd56ce6df635b76eaf37e96 Mon Sep 17 00:00:00 2001
|
||||
From 5b42970afea248889fd3350448a40045d467ff3f Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Tue, 28 Jul 2020 12:58:26 -0400
|
||||
Subject: [PATCH] Fix input length checking in SPNEGO DER decoding
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From 044e2209586fd1935d9a637df76d52f48c4f3e6e Mon Sep 17 00:00:00 2001
|
||||
From ff47523d7d812fba24106f416aafa5d1f2c433a2 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Fri, 24 Jul 2020 16:05:24 -0400
|
||||
Subject: [PATCH] Fix leak in KERB_AP_OPTIONS_CBT server support
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From 8de669742ae4190542741f0dc61119a6a0dad666 Mon Sep 17 00:00:00 2001
|
||||
From bf8567ed95991628f198e88403e30f78e2d74e15 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Thu, 14 May 2020 15:01:18 -0400
|
||||
Subject: [PATCH] Fix typo ("in in") in the ksu man page
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From 3f873868fb08b77da2d30e164a0ef6c71c17c607 Mon Sep 17 00:00:00 2001
|
||||
From e74f9424e47ab914c46e549fc5a2cbdf2615ef93 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Wed, 15 Jul 2020 15:42:20 -0400
|
||||
Subject: [PATCH] Ignore bad enctypes in krb5_string_to_keysalts()
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From 3ea1d6296ced3a998e79356f9be212e4c5e6a5d5 Mon Sep 17 00:00:00 2001
|
||||
From 651b9b8084ecff5553b7ef6ee723ce7c4438a9d8 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Scheel <ascheel@redhat.com>
|
||||
Date: Wed, 5 Jul 2017 11:38:30 -0400
|
||||
Subject: [PATCH] Implement GSS_C_CHANNEL_BOUND_FLAG
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From 6407bf087fe53088d91efd09df736e979cd4e8db Mon Sep 17 00:00:00 2001
|
||||
From bc89c6c720c4170d43010fead23550b80499c32a Mon Sep 17 00:00:00 2001
|
||||
From: Isaac Boukris <iboukris@gmail.com>
|
||||
Date: Mon, 9 Mar 2020 16:04:21 +0100
|
||||
Subject: [PATCH] Implement KERB_AP_OPTIONS_CBT (server side)
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From c726a72c68244129eb08b840b92144acfa776573 Mon Sep 17 00:00:00 2001
|
||||
From 4c96c8fef146337b7d3c0ebb4118a18818dd1f4e Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 9 Jun 2020 16:23:37 -0400
|
||||
Subject: [PATCH] Improve negoex_parse_token() code hygiene
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From 6d132f1019b2f1b6f54bae25ed0ea9122c87a190 Mon Sep 17 00:00:00 2001
|
||||
From f0ac5c1efef5401f669dc176e62c09b0b01fa2d0 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Wed, 6 May 2020 16:03:13 -0400
|
||||
Subject: [PATCH] Omit KDC indicator check for S4U2Self requests
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From c36e826c70cb5b3bff8bd4371d47884cea30b3f4 Mon Sep 17 00:00:00 2001
|
||||
From 5251097c927f476fe83ffe544b73fd2d785aaf2a Mon Sep 17 00:00:00 2001
|
||||
From: Isaac Boukris <iboukris@gmail.com>
|
||||
Date: Sat, 6 Jun 2020 11:03:37 +0200
|
||||
Subject: [PATCH] Omit PA_FOR_USER if we can't compute its checksum
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From ee79bd43005245d3e5a2d3ec6d61146945e77717 Mon Sep 17 00:00:00 2001
|
||||
From 17d9b74328f247de5f9d820ae008726632d11d2a Mon Sep 17 00:00:00 2001
|
||||
From: Isaac Boukris <iboukris@gmail.com>
|
||||
Date: Tue, 28 Apr 2020 18:15:55 +0200
|
||||
Subject: [PATCH] Pass channel bindings through SPNEGO
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From dce745bbdf95ddfa733bc306c57afe5fcab74479 Mon Sep 17 00:00:00 2001
|
||||
From cec820485e8b854fe3ee42d0a67a77e7ad20595e Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Sun, 26 Apr 2020 19:55:54 -0400
|
||||
Subject: [PATCH] Pass gss_localname() through SPNEGO
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From a34b7c50e62c19f80d39ece6a72017dac781df64 Mon Sep 17 00:00:00 2001
|
||||
From c90cef2ebfbefc595798dd5dbb805575e1be0fbf Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Scheel <ascheel@redhat.com>
|
||||
Date: Fri, 30 Jun 2017 16:03:01 -0400
|
||||
Subject: [PATCH] Refactor krb5 GSS checksum handling
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From 13e085a996ac53484fa308f3ef7a2b66c05ccdfa Mon Sep 17 00:00:00 2001
|
||||
From 7316aaa0e9249a88e919f2596d881f78970548bc Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Wed, 26 Feb 2020 18:27:17 -0500
|
||||
Subject: [PATCH] Refresh manually acquired creds from client keytab
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From 85bb5fe5a11708b78e9f0bd3a3b34999b6c888a7 Mon Sep 17 00:00:00 2001
|
||||
From 3e75969e0c0a52ec3ca8195200fcdadaa63b324f Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Thu, 28 May 2020 18:41:02 -0400
|
||||
Subject: [PATCH] Remove resolver test utility
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From a12fc355a034e5b1d23bdb23db9735d4eaa396d8 Mon Sep 17 00:00:00 2001
|
||||
From 404cc1152880a567fc27bb7c691a1a732692bbf9 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Sat, 15 Feb 2020 20:34:23 -0500
|
||||
Subject: [PATCH] Replace gssrpc tests with a Python script
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From 8e08f01d73ddca1b828788710ec6bb3e0354727a Mon Sep 17 00:00:00 2001
|
||||
From 3e0d464f55320b393e32285f31710c24758a9101 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Wed, 4 Mar 2020 17:18:51 -0500
|
||||
Subject: [PATCH] Use two queues for concurrent t_otp.py daemons
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From 15056939ae1e52b9c0b4e0f4ac59772b0d942647 Mon Sep 17 00:00:00 2001
|
||||
From bf8521bfaa4a4d54f6eb94f785c68942f4afa055 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Fri, 9 Nov 2018 15:12:21 -0500
|
||||
Subject: [PATCH] [downstream] FIPS with PRNG and RADIUS and MD4
|
||||
@ -17,24 +17,44 @@ AES is fine. Shame about SPAKE though.
|
||||
|
||||
post6 restores MD4 (and therefore keygen-only RC4).
|
||||
|
||||
post7 restores MD5 and adds radius_md5_fips_override.
|
||||
|
||||
Last-updated: krb5-1.17
|
||||
---
|
||||
doc/admin/conf_files/krb5_conf.rst | 6 +++
|
||||
src/lib/crypto/krb/prng.c | 11 ++++-
|
||||
.../crypto/openssl/enc_provider/camellia.c | 6 +++
|
||||
src/lib/crypto/openssl/enc_provider/rc4.c | 13 +++++-
|
||||
.../crypto/openssl/hash_provider/hash_evp.c | 12 +++++
|
||||
src/lib/crypto/openssl/hmac.c | 6 ++-
|
||||
src/lib/krad/attr.c | 45 ++++++++++++++-----
|
||||
src/lib/krad/attrset.c | 5 ++-
|
||||
src/lib/krad/internal.h | 13 +++++-
|
||||
src/lib/krad/packet.c | 22 ++++-----
|
||||
src/lib/krad/remote.c | 10 ++++-
|
||||
src/lib/krad/attr.c | 46 ++++++++++++++-----
|
||||
src/lib/krad/attrset.c | 5 +-
|
||||
src/lib/krad/internal.h | 28 ++++++++++-
|
||||
src/lib/krad/packet.c | 22 +++++----
|
||||
src/lib/krad/remote.c | 10 +++-
|
||||
src/lib/krad/t_attr.c | 3 +-
|
||||
src/lib/krad/t_attrset.c | 4 +-
|
||||
src/plugins/preauth/spake/spake_client.c | 6 +++
|
||||
src/plugins/preauth/spake/spake_kdc.c | 6 +++
|
||||
14 files changed, 129 insertions(+), 33 deletions(-)
|
||||
15 files changed, 151 insertions(+), 33 deletions(-)
|
||||
|
||||
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
|
||||
index 1d2aa7f68..3a8b9cf47 100644
|
||||
--- a/doc/admin/conf_files/krb5_conf.rst
|
||||
+++ b/doc/admin/conf_files/krb5_conf.rst
|
||||
@@ -331,6 +331,12 @@ The libdefaults section may contain any of the following relations:
|
||||
qualification of shortnames, set this relation to the empty string
|
||||
with ``qualify_shortname = ""``. (New in release 1.18.)
|
||||
|
||||
+**radius_md5_fips_override**
|
||||
+ Downstream-only option to enable use of MD5 in RADIUS
|
||||
+ communication (libkrad). This allows for local (or protected
|
||||
+ tunnel) communication with a RADIUS server that doesn't use krad
|
||||
+ (e.g., freeradius) while in FIPS mode.
|
||||
+
|
||||
**rdns**
|
||||
If this flag is true, reverse name lookup will be used in addition
|
||||
to forward name lookup to canonicalizing hostnames for use in
|
||||
diff --git a/src/lib/crypto/krb/prng.c b/src/lib/crypto/krb/prng.c
|
||||
index cb9ca9b98..f0e9984ca 100644
|
||||
--- a/src/lib/crypto/krb/prng.c
|
||||
@ -129,15 +149,15 @@ index a65d57b7a..6ccaca94a 100644
|
||||
* The cipher state here is a saved pointer to a struct arcfour_state
|
||||
* object, rather than a flat byte array as in most enc providers. The
|
||||
diff --git a/src/lib/crypto/openssl/hash_provider/hash_evp.c b/src/lib/crypto/openssl/hash_provider/hash_evp.c
|
||||
index 1e0fb8fc3..feb5eda99 100644
|
||||
index 1e0fb8fc3..2eb5139c0 100644
|
||||
--- a/src/lib/crypto/openssl/hash_provider/hash_evp.c
|
||||
+++ b/src/lib/crypto/openssl/hash_provider/hash_evp.c
|
||||
@@ -49,6 +49,11 @@ hash_evp(const EVP_MD *type, const krb5_crypto_iov *data, size_t num_data,
|
||||
if (ctx == NULL)
|
||||
return ENOMEM;
|
||||
|
||||
+ if (type == EVP_md4()) {
|
||||
+ /* See comment below in hash_md4(). */
|
||||
+ if (type == EVP_md4() || type == EVP_md5()) {
|
||||
+ /* See comments below in hash_md4() and hash_md5(). */
|
||||
+ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
|
||||
+ }
|
||||
+
|
||||
@ -159,8 +179,8 @@ index 1e0fb8fc3..feb5eda99 100644
|
||||
static krb5_error_code
|
||||
hash_md5(const krb5_crypto_iov *data, size_t num_data, krb5_data *output)
|
||||
{
|
||||
+ if (FIPS_mode())
|
||||
+ return KRB5_CRYPTO_INTERNAL;
|
||||
+ /* MD5 is needed in FIPS mode for communication with RADIUS servers. This
|
||||
+ * is gated in libkrad by libdefaults->radius_md5_fips_override. */
|
||||
return hash_evp(EVP_md5(), data, num_data, output);
|
||||
}
|
||||
|
||||
@ -182,18 +202,10 @@ index 7dc59dcc0..769a50c00 100644
|
||||
else if (!strncmp(hash->hash_name, "MD4", 3))
|
||||
return EVP_md4();
|
||||
diff --git a/src/lib/krad/attr.c b/src/lib/krad/attr.c
|
||||
index 9c13d9d75..275327e67 100644
|
||||
index 9c13d9d75..42d354a3b 100644
|
||||
--- a/src/lib/krad/attr.c
|
||||
+++ b/src/lib/krad/attr.c
|
||||
@@ -30,6 +30,7 @@
|
||||
#include <k5-int.h>
|
||||
#include "internal.h"
|
||||
|
||||
+#include <openssl/crypto.h>
|
||||
#include <string.h>
|
||||
|
||||
/* RFC 2865 */
|
||||
@@ -38,7 +39,8 @@
|
||||
@@ -38,7 +38,8 @@
|
||||
typedef krb5_error_code
|
||||
(*attribute_transform_fn)(krb5_context ctx, const char *secret,
|
||||
const unsigned char *auth, const krb5_data *in,
|
||||
@ -203,7 +215,7 @@ index 9c13d9d75..275327e67 100644
|
||||
|
||||
typedef struct {
|
||||
const char *name;
|
||||
@@ -51,12 +53,14 @@ typedef struct {
|
||||
@@ -51,12 +52,14 @@ typedef struct {
|
||||
static krb5_error_code
|
||||
user_password_encode(krb5_context ctx, const char *secret,
|
||||
const unsigned char *auth, const krb5_data *in,
|
||||
@ -220,7 +232,7 @@ index 9c13d9d75..275327e67 100644
|
||||
|
||||
static const attribute_record attributes[UCHAR_MAX] = {
|
||||
{"User-Name", 1, MAX_ATTRSIZE, NULL, NULL},
|
||||
@@ -128,7 +132,8 @@ static const attribute_record attributes[UCHAR_MAX] = {
|
||||
@@ -128,7 +131,8 @@ static const attribute_record attributes[UCHAR_MAX] = {
|
||||
static krb5_error_code
|
||||
user_password_encode(krb5_context ctx, const char *secret,
|
||||
const unsigned char *auth, const krb5_data *in,
|
||||
@ -230,20 +242,21 @@ index 9c13d9d75..275327e67 100644
|
||||
{
|
||||
const unsigned char *indx;
|
||||
krb5_error_code retval;
|
||||
@@ -154,8 +159,14 @@ user_password_encode(krb5_context ctx, const char *secret,
|
||||
@@ -154,8 +158,15 @@ user_password_encode(krb5_context ctx, const char *secret,
|
||||
for (blck = 0, indx = auth; blck * BLOCKSIZE < len; blck++) {
|
||||
memcpy(tmp.data + seclen, indx, BLOCKSIZE);
|
||||
|
||||
- retval = krb5_c_make_checksum(ctx, CKSUMTYPE_RSA_MD5, NULL, 0, &tmp,
|
||||
- &sum);
|
||||
+ if (FIPS_mode()) {
|
||||
+ if (kr_use_fips(ctx)) {
|
||||
+ /* Skip encryption here. Taint so that we won't pass it out of
|
||||
+ * the machine by accident. */
|
||||
+ *is_fips = TRUE;
|
||||
+ sum.contents = calloc(1, BLOCKSIZE);
|
||||
+ } else
|
||||
+ } else {
|
||||
+ retval = krb5_c_make_checksum(ctx, CKSUMTYPE_RSA_MD5, NULL, 0, &tmp,
|
||||
+ &sum);
|
||||
+ }
|
||||
if (retval != 0) {
|
||||
zap(tmp.data, tmp.length);
|
||||
zap(outbuf, len);
|
||||
@ -257,24 +270,25 @@ index 9c13d9d75..275327e67 100644
|
||||
{
|
||||
const unsigned char *indx;
|
||||
krb5_error_code retval;
|
||||
@@ -204,8 +216,14 @@ user_password_decode(krb5_context ctx, const char *secret,
|
||||
@@ -204,8 +216,15 @@ user_password_decode(krb5_context ctx, const char *secret,
|
||||
for (blck = 0, indx = auth; blck * BLOCKSIZE < in->length; blck++) {
|
||||
memcpy(tmp.data + seclen, indx, BLOCKSIZE);
|
||||
|
||||
- retval = krb5_c_make_checksum(ctx, CKSUMTYPE_RSA_MD5, NULL, 0,
|
||||
- &tmp, &sum);
|
||||
+ if (FIPS_mode()) {
|
||||
+ if (kr_use_fips(ctx)) {
|
||||
+ /* Skip encryption here. Taint so that we won't pass it out of
|
||||
+ * the machine by accident. */
|
||||
+ *is_fips = TRUE;
|
||||
+ sum.contents = calloc(1, BLOCKSIZE);
|
||||
+ } else
|
||||
+ } else {
|
||||
+ retval = krb5_c_make_checksum(ctx, CKSUMTYPE_RSA_MD5, NULL, 0,
|
||||
+ &tmp, &sum);
|
||||
+ }
|
||||
if (retval != 0) {
|
||||
zap(tmp.data, tmp.length);
|
||||
zap(outbuf, in->length);
|
||||
@@ -248,7 +266,7 @@ krb5_error_code
|
||||
@@ -248,7 +267,7 @@ krb5_error_code
|
||||
kr_attr_encode(krb5_context ctx, const char *secret,
|
||||
const unsigned char *auth, krad_attr type,
|
||||
const krb5_data *in, unsigned char outbuf[MAX_ATTRSIZE],
|
||||
@ -283,7 +297,7 @@ index 9c13d9d75..275327e67 100644
|
||||
{
|
||||
krb5_error_code retval;
|
||||
|
||||
@@ -265,7 +283,8 @@ kr_attr_encode(krb5_context ctx, const char *secret,
|
||||
@@ -265,7 +284,8 @@ kr_attr_encode(krb5_context ctx, const char *secret,
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -293,7 +307,7 @@ index 9c13d9d75..275327e67 100644
|
||||
}
|
||||
|
||||
krb5_error_code
|
||||
@@ -274,6 +293,7 @@ kr_attr_decode(krb5_context ctx, const char *secret, const unsigned char *auth,
|
||||
@@ -274,6 +294,7 @@ kr_attr_decode(krb5_context ctx, const char *secret, const unsigned char *auth,
|
||||
unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen)
|
||||
{
|
||||
krb5_error_code retval;
|
||||
@ -301,7 +315,7 @@ index 9c13d9d75..275327e67 100644
|
||||
|
||||
retval = kr_attr_valid(type, in);
|
||||
if (retval != 0)
|
||||
@@ -288,7 +308,8 @@ kr_attr_decode(krb5_context ctx, const char *secret, const unsigned char *auth,
|
||||
@@ -288,7 +309,8 @@ kr_attr_decode(krb5_context ctx, const char *secret, const unsigned char *auth,
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -335,10 +349,19 @@ index 03c613716..d89982a13 100644
|
||||
return retval;
|
||||
|
||||
diff --git a/src/lib/krad/internal.h b/src/lib/krad/internal.h
|
||||
index 996a89372..a53ce31ce 100644
|
||||
index 996a89372..312dc8258 100644
|
||||
--- a/src/lib/krad/internal.h
|
||||
+++ b/src/lib/krad/internal.h
|
||||
@@ -49,6 +49,13 @@
|
||||
@@ -39,6 +39,8 @@
|
||||
#include <sys/socket.h>
|
||||
#include <netdb.h>
|
||||
|
||||
+#include <openssl/crypto.h>
|
||||
+
|
||||
#ifndef UCHAR_MAX
|
||||
#define UCHAR_MAX 255
|
||||
#endif
|
||||
@@ -49,6 +51,13 @@
|
||||
|
||||
typedef struct krad_remote_st krad_remote;
|
||||
|
||||
@ -352,7 +375,7 @@ index 996a89372..a53ce31ce 100644
|
||||
/* Validate constraints of an attribute. */
|
||||
krb5_error_code
|
||||
kr_attr_valid(krad_attr type, const krb5_data *data);
|
||||
@@ -57,7 +64,8 @@ kr_attr_valid(krad_attr type, const krb5_data *data);
|
||||
@@ -57,7 +66,8 @@ kr_attr_valid(krad_attr type, const krb5_data *data);
|
||||
krb5_error_code
|
||||
kr_attr_encode(krb5_context ctx, const char *secret, const unsigned char *auth,
|
||||
krad_attr type, const krb5_data *in,
|
||||
@ -362,7 +385,7 @@ index 996a89372..a53ce31ce 100644
|
||||
|
||||
/* Decode an attribute. */
|
||||
krb5_error_code
|
||||
@@ -69,7 +77,8 @@ kr_attr_decode(krb5_context ctx, const char *secret, const unsigned char *auth,
|
||||
@@ -69,7 +79,8 @@ kr_attr_decode(krb5_context ctx, const char *secret, const unsigned char *auth,
|
||||
krb5_error_code
|
||||
kr_attrset_encode(const krad_attrset *set, const char *secret,
|
||||
const unsigned char *auth,
|
||||
@ -372,19 +395,29 @@ index 996a89372..a53ce31ce 100644
|
||||
|
||||
/* Decode attributes from a buffer. */
|
||||
krb5_error_code
|
||||
@@ -152,4 +163,17 @@ gai_error_code(int err)
|
||||
}
|
||||
}
|
||||
|
||||
+static inline krb5_boolean
|
||||
+kr_use_fips(krb5_context ctx)
|
||||
+{
|
||||
+ int val = 0;
|
||||
+
|
||||
+ if (!FIPS_mode())
|
||||
+ return 0;
|
||||
+
|
||||
+ profile_get_boolean(ctx->profile, "libdefaults",
|
||||
+ "radius_md5_fips_override", NULL, 0, &val);
|
||||
+ return !val;
|
||||
+}
|
||||
+
|
||||
#endif /* INTERNAL_H_ */
|
||||
diff --git a/src/lib/krad/packet.c b/src/lib/krad/packet.c
|
||||
index c597174b6..794ac84c4 100644
|
||||
index c597174b6..fc2d24800 100644
|
||||
--- a/src/lib/krad/packet.c
|
||||
+++ b/src/lib/krad/packet.c
|
||||
@@ -32,6 +32,7 @@
|
||||
#include <string.h>
|
||||
|
||||
#include <arpa/inet.h>
|
||||
+#include <openssl/crypto.h>
|
||||
|
||||
typedef unsigned char uchar;
|
||||
|
||||
@@ -53,12 +54,6 @@ typedef unsigned char uchar;
|
||||
@@ -53,12 +53,6 @@ typedef unsigned char uchar;
|
||||
#define pkt_auth(p) ((uchar *)offset(&(p)->pkt, OFFSET_AUTH))
|
||||
#define pkt_attr(p) ((unsigned char *)offset(&(p)->pkt, OFFSET_ATTR))
|
||||
|
||||
@ -397,19 +430,20 @@ index c597174b6..794ac84c4 100644
|
||||
typedef struct {
|
||||
uchar x[(UCHAR_MAX + 1) / 8];
|
||||
} idmap;
|
||||
@@ -187,8 +182,13 @@ auth_generate_response(krb5_context ctx, const char *secret,
|
||||
@@ -187,8 +181,14 @@ auth_generate_response(krb5_context ctx, const char *secret,
|
||||
memcpy(data.data + response->pkt.length, secret, strlen(secret));
|
||||
|
||||
/* Hash it. */
|
||||
- retval = krb5_c_make_checksum(ctx, CKSUMTYPE_RSA_MD5, NULL, 0, &data,
|
||||
- &hash);
|
||||
+ if (FIPS_mode()) {
|
||||
+ if (kr_use_fips(ctx)) {
|
||||
+ /* This checksum does very little security-wise anyway, so don't
|
||||
+ * taint. */
|
||||
+ hash.contents = calloc(1, AUTH_FIELD_SIZE);
|
||||
+ } else
|
||||
+ } else {
|
||||
+ retval = krb5_c_make_checksum(ctx, CKSUMTYPE_RSA_MD5, NULL, 0, &data,
|
||||
+ &hash);
|
||||
+ }
|
||||
free(data.data);
|
||||
if (retval != 0)
|
||||
return retval;
|
||||
|
||||
@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
|
||||
Name: krb5
|
||||
Version: 1.18.2
|
||||
# for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
|
||||
Release: 23%{?dist}
|
||||
Release: 24%{?dist}
|
||||
|
||||
# rharwood has trust path to signing key and verifies on check-in
|
||||
Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz
|
||||
@ -633,6 +633,9 @@ exit 0
|
||||
%{_libdir}/libkadm5srv_mit.so.*
|
||||
|
||||
%changelog
|
||||
* Fri Oct 02 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-24
|
||||
- Add md5 override to krad
|
||||
|
||||
* Thu Sep 10 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-23
|
||||
- Use `systemctl reload` to HUP the KDC during logrotate
|
||||
- Resolves: #1877692
|
||||
|
||||
Loading…
Reference in New Issue
Block a user