From 501e2980728bcbd0c757fd9bb2b6274342420d2a Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Fri, 2 Oct 2020 16:36:12 -0400 Subject: [PATCH] Add md5 override to krad --- Add-channel-bindings-tests.patch | 2 +- ...client_aware_channel_bindings-option.patch | 6 +- ...finalization-safety-check-to-com_err.patch | 2 +- ...tauth-modules-to-set-hw-authent-flag.patch | 2 +- ...ss_unwrap_iov-of-unpadded-RC4-tokens.patch | 2 +- ...y-import-service-GSS-host-based-name.patch | 2 +- ...ns_canonicalize_hostname-to-fallback.patch | 4 +- ...ion-warnings-for-all-init_creds-APIs.patch | 2 +- ...edundant-PKINIT-responder-invocation.patch | 2 +- ...ngth-checking-in-SPNEGO-DER-decoding.patch | 2 +- ...n-KERB_AP_OPTIONS_CBT-server-support.patch | 2 +- Fix-typo-in-in-in-the-ksu-man-page.patch | 2 +- ...-enctypes-in-krb5_string_to_keysalts.patch | 2 +- Implement-GSS_C_CHANNEL_BOUND_FLAG.patch | 2 +- ...ment-KERB_AP_OPTIONS_CBT-server-side.patch | 2 +- Improve-negoex_parse_token-code-hygiene.patch | 2 +- ...ndicator-check-for-S4U2Self-requests.patch | 2 +- ...SER-if-we-can-t-compute-its-checksum.patch | 2 +- Pass-channel-bindings-through-SPNEGO.patch | 2 +- Pass-gss_localname-through-SPNEGO.patch | 2 +- Refactor-krb5-GSS-checksum-handling.patch | 2 +- ...ly-acquired-creds-from-client-keytab.patch | 2 +- Remove-resolver-test-utility.patch | 2 +- ...ce-gssrpc-tests-with-a-Python-script.patch | 2 +- ...eues-for-concurrent-t_otp.py-daemons.patch | 2 +- ...am-FIPS-with-PRNG-and-RADIUS-and-MD4.patch | 136 +++++++++++------- krb5.spec | 5 +- 27 files changed, 117 insertions(+), 80 deletions(-) diff --git a/Add-channel-bindings-tests.patch b/Add-channel-bindings-tests.patch index b758c79..2eb0f1c 100644 --- a/Add-channel-bindings-tests.patch +++ b/Add-channel-bindings-tests.patch @@ -1,4 +1,4 @@ -From 3e92520c1417f22447751cd9172d5ab30c2e0ad8 Mon Sep 17 00:00:00 2001 +From 6d36ea6fcfe281a8ce73fc5aa5c133f435d93fa4 Mon Sep 17 00:00:00 2001 
From: Isaac Boukris Date: Fri, 20 Mar 2020 00:17:28 +0100 Subject: [PATCH] Add channel bindings tests diff --git a/Add-client_aware_channel_bindings-option.patch b/Add-client_aware_channel_bindings-option.patch index 012ce8d..bd3bcba 100644 --- a/Add-client_aware_channel_bindings-option.patch +++ b/Add-client_aware_channel_bindings-option.patch @@ -1,4 +1,4 @@ -From 2a08fe3d2d1972df4ffe37d4bb64b161889ff988 Mon Sep 17 00:00:00 2001 +From 46ec975eb8f33b6d42c440758fc0deb826f87313 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Tue, 10 Mar 2020 13:13:17 +0100 Subject: [PATCH] Add client_aware_channel_bindings option @@ -20,10 +20,10 @@ ticket: 8900 3 files changed, 98 insertions(+), 86 deletions(-) diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst -index a7e7a29d1..7f2879640 100644 +index 38f450367..da5ad00f2 100644 --- a/doc/admin/conf_files/krb5_conf.rst +++ b/doc/admin/conf_files/krb5_conf.rst -@@ -382,6 +382,12 @@ The libdefaults section may contain any of the following relations: +@@ -388,6 +388,12 @@ The libdefaults section may contain any of the following relations: credentials will fail if the client machine does not have a keytab. The default value is false. diff --git a/Add-finalization-safety-check-to-com_err.patch b/Add-finalization-safety-check-to-com_err.patch index 531bbf5..a7ebd53 100644 --- a/Add-finalization-safety-check-to-com_err.patch +++ b/Add-finalization-safety-check-to-com_err.patch @@ -1,4 +1,4 @@ -From 9b28e9bbadb775cf790092bc0b0fe9f6c880d215 Mon Sep 17 00:00:00 2001 +From 96a36ef54aecb48b71c1ae0cc85b83ef644c3bd0 Mon Sep 17 00:00:00 2001 From: Jiri Sasek Date: Fri, 13 Mar 2020 19:02:58 +0100 Subject: [PATCH] Add finalization safety check to com_err diff --git a/Allow-certauth-modules-to-set-hw-authent-flag.patch b/Allow-certauth-modules-to-set-hw-authent-flag.patch index ebadb9b..94ff5dd 100644 --- a/Allow-certauth-modules-to-set-hw-authent-flag.patch 
+++ b/Allow-certauth-modules-to-set-hw-authent-flag.patch @@ -1,4 +1,4 @@ -From 5413039348c612716fb5e33347814b7608778646 Mon Sep 17 00:00:00 2001 +From 5b62f6f6a960e5a428a39a3e83e0a16dba5a914a Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Mon, 24 Feb 2020 15:58:59 -0500 Subject: [PATCH] Allow certauth modules to set hw-authent flag diff --git a/Allow-gss_unwrap_iov-of-unpadded-RC4-tokens.patch b/Allow-gss_unwrap_iov-of-unpadded-RC4-tokens.patch index 4698963..3824646 100644 --- a/Allow-gss_unwrap_iov-of-unpadded-RC4-tokens.patch +++ b/Allow-gss_unwrap_iov-of-unpadded-RC4-tokens.patch @@ -1,4 +1,4 @@ -From bedbb5ee1ad821b91f00d30361985e6863c0e6ba Mon Sep 17 00:00:00 2001 +From 594c9d225f470e73a46dd2a85c5e50571e90598c Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Sat, 11 Jul 2020 21:57:30 -0400 Subject: [PATCH] Allow gss_unwrap_iov() of unpadded RC4 tokens diff --git a/Correctly-import-service-GSS-host-based-name.patch b/Correctly-import-service-GSS-host-based-name.patch index 754bc89..f56aed4 100644 --- a/Correctly-import-service-GSS-host-based-name.patch +++ b/Correctly-import-service-GSS-host-based-name.patch @@ -1,4 +1,4 @@ -From e8c6f76079bac021e30e89e12b547cc73f71ec36 Mon Sep 17 00:00:00 2001 +From f56afbeb7848322f3208edd55f2c12a9e32127f0 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Mon, 30 Mar 2020 15:26:02 -0400 Subject: [PATCH] Correctly import "service@" GSS host-based name diff --git a/Default-dns_canonicalize_hostname-to-fallback.patch b/Default-dns_canonicalize_hostname-to-fallback.patch index ef80329..1c46562 100644 --- a/Default-dns_canonicalize_hostname-to-fallback.patch +++ b/Default-dns_canonicalize_hostname-to-fallback.patch @@ -1,4 +1,4 @@ -From 07179e38e5ee72e82ebc77a1c8d73e34905268b7 Mon Sep 17 00:00:00 2001 +From c3d2c3bcafe0ac87d9cbbf37f1488ad642627fc3 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Wed, 27 May 2020 18:48:35 -0400 Subject: [PATCH] Default dns_canonicalize_hostname to "fallback" 
@@ -54,7 +54,7 @@ index 5232db9af..afdf30297 100644 Configuration of hostnames varies by operating system. On the diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst -index 1d2aa7f68..a7e7a29d1 100644 +index 3a8b9cf47..38f450367 100644 --- a/doc/admin/conf_files/krb5_conf.rst +++ b/doc/admin/conf_files/krb5_conf.rst @@ -188,11 +188,10 @@ The libdefaults section may contain any of the following relations: diff --git a/Do-expiration-warnings-for-all-init_creds-APIs.patch b/Do-expiration-warnings-for-all-init_creds-APIs.patch index 24062a0..4f642f4 100644 --- a/Do-expiration-warnings-for-all-init_creds-APIs.patch +++ b/Do-expiration-warnings-for-all-init_creds-APIs.patch @@ -1,4 +1,4 @@ -From 0083381a1dc008c6a1a437393045f82ec06423f8 Mon Sep 17 00:00:00 2001 +From 51a9f8e7498591b22558a7a61d42a821030f9c4e Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Fri, 28 Feb 2020 10:11:49 +0100 Subject: [PATCH] Do expiration warnings for all init_creds APIs diff --git a/Eliminate-redundant-PKINIT-responder-invocation.patch b/Eliminate-redundant-PKINIT-responder-invocation.patch index 4234ffd..48e6e89 100644 --- a/Eliminate-redundant-PKINIT-responder-invocation.patch +++ b/Eliminate-redundant-PKINIT-responder-invocation.patch @@ -1,4 +1,4 @@ -From 43d09ed10d495e78c786f5468455f16a63a99532 Mon Sep 17 00:00:00 2001 +From b27a2f1f330afed53b034a66031f9a801b4568b7 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Mon, 23 Mar 2020 19:10:03 -0400 Subject: [PATCH] Eliminate redundant PKINIT responder invocation diff --git a/Fix-input-length-checking-in-SPNEGO-DER-decoding.patch b/Fix-input-length-checking-in-SPNEGO-DER-decoding.patch index 4bad883..ae01c8d 100644 --- a/Fix-input-length-checking-in-SPNEGO-DER-decoding.patch +++ b/Fix-input-length-checking-in-SPNEGO-DER-decoding.patch @@ -1,4 +1,4 @@ -From 9504dd4de49938e4cdd56ce6df635b76eaf37e96 Mon Sep 17 00:00:00 2001 +From 5b42970afea248889fd3350448a40045d467ff3f Mon Sep 17 00:00:00 2001 
From: Greg Hudson Date: Tue, 28 Jul 2020 12:58:26 -0400 Subject: [PATCH] Fix input length checking in SPNEGO DER decoding diff --git a/Fix-leak-in-KERB_AP_OPTIONS_CBT-server-support.patch b/Fix-leak-in-KERB_AP_OPTIONS_CBT-server-support.patch index 54f2550..c5ec79a 100644 --- a/Fix-leak-in-KERB_AP_OPTIONS_CBT-server-support.patch +++ b/Fix-leak-in-KERB_AP_OPTIONS_CBT-server-support.patch @@ -1,4 +1,4 @@ -From 044e2209586fd1935d9a637df76d52f48c4f3e6e Mon Sep 17 00:00:00 2001 +From ff47523d7d812fba24106f416aafa5d1f2c433a2 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Fri, 24 Jul 2020 16:05:24 -0400 Subject: [PATCH] Fix leak in KERB_AP_OPTIONS_CBT server support diff --git a/Fix-typo-in-in-in-the-ksu-man-page.patch b/Fix-typo-in-in-in-the-ksu-man-page.patch index 5196a90..040355c 100644 --- a/Fix-typo-in-in-in-the-ksu-man-page.patch +++ b/Fix-typo-in-in-in-the-ksu-man-page.patch @@ -1,4 +1,4 @@ -From 8de669742ae4190542741f0dc61119a6a0dad666 Mon Sep 17 00:00:00 2001 +From bf8567ed95991628f198e88403e30f78e2d74e15 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Thu, 14 May 2020 15:01:18 -0400 Subject: [PATCH] Fix typo ("in in") in the ksu man page diff --git a/Ignore-bad-enctypes-in-krb5_string_to_keysalts.patch b/Ignore-bad-enctypes-in-krb5_string_to_keysalts.patch index 2bdd0a3..14e27a9 100644 --- a/Ignore-bad-enctypes-in-krb5_string_to_keysalts.patch +++ b/Ignore-bad-enctypes-in-krb5_string_to_keysalts.patch @@ -1,4 +1,4 @@ -From 3f873868fb08b77da2d30e164a0ef6c71c17c607 Mon Sep 17 00:00:00 2001 +From e74f9424e47ab914c46e549fc5a2cbdf2615ef93 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Wed, 15 Jul 2020 15:42:20 -0400 Subject: [PATCH] Ignore bad enctypes in krb5_string_to_keysalts() diff --git a/Implement-GSS_C_CHANNEL_BOUND_FLAG.patch b/Implement-GSS_C_CHANNEL_BOUND_FLAG.patch index 649caa4..2b41b6b 100644 --- a/Implement-GSS_C_CHANNEL_BOUND_FLAG.patch +++ b/Implement-GSS_C_CHANNEL_BOUND_FLAG.patch 
@@ -1,4 +1,4 @@ -From 3ea1d6296ced3a998e79356f9be212e4c5e6a5d5 Mon Sep 17 00:00:00 2001 +From 651b9b8084ecff5553b7ef6ee723ce7c4438a9d8 Mon Sep 17 00:00:00 2001 From: Alexander Scheel Date: Wed, 5 Jul 2017 11:38:30 -0400 Subject: [PATCH] Implement GSS_C_CHANNEL_BOUND_FLAG diff --git a/Implement-KERB_AP_OPTIONS_CBT-server-side.patch b/Implement-KERB_AP_OPTIONS_CBT-server-side.patch index 41cf5f0..eadc695 100644 --- a/Implement-KERB_AP_OPTIONS_CBT-server-side.patch +++ b/Implement-KERB_AP_OPTIONS_CBT-server-side.patch @@ -1,4 +1,4 @@ -From 6407bf087fe53088d91efd09df736e979cd4e8db Mon Sep 17 00:00:00 2001 +From bc89c6c720c4170d43010fead23550b80499c32a Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Mon, 9 Mar 2020 16:04:21 +0100 Subject: [PATCH] Implement KERB_AP_OPTIONS_CBT (server side) diff --git a/Improve-negoex_parse_token-code-hygiene.patch b/Improve-negoex_parse_token-code-hygiene.patch index f6b42a6..a58c2e6 100644 --- a/Improve-negoex_parse_token-code-hygiene.patch +++ b/Improve-negoex_parse_token-code-hygiene.patch @@ -1,4 +1,4 @@ -From c726a72c68244129eb08b840b92144acfa776573 Mon Sep 17 00:00:00 2001 +From 4c96c8fef146337b7d3c0ebb4118a18818dd1f4e Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 9 Jun 2020 16:23:37 -0400 Subject: [PATCH] Improve negoex_parse_token() code hygiene diff --git a/Omit-KDC-indicator-check-for-S4U2Self-requests.patch b/Omit-KDC-indicator-check-for-S4U2Self-requests.patch index 6ca7931..d5eacc1 100644 --- a/Omit-KDC-indicator-check-for-S4U2Self-requests.patch +++ b/Omit-KDC-indicator-check-for-S4U2Self-requests.patch @@ -1,4 +1,4 @@ -From 6d132f1019b2f1b6f54bae25ed0ea9122c87a190 Mon Sep 17 00:00:00 2001 +From f0ac5c1efef5401f669dc176e62c09b0b01fa2d0 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Wed, 6 May 2020 16:03:13 -0400 Subject: [PATCH] Omit KDC indicator check for S4U2Self requests 
diff --git a/Omit-PA_FOR_USER-if-we-can-t-compute-its-checksum.patch b/Omit-PA_FOR_USER-if-we-can-t-compute-its-checksum.patch index d0db74b..8e1c248 100644 --- a/Omit-PA_FOR_USER-if-we-can-t-compute-its-checksum.patch +++ b/Omit-PA_FOR_USER-if-we-can-t-compute-its-checksum.patch @@ -1,4 +1,4 @@ -From c36e826c70cb5b3bff8bd4371d47884cea30b3f4 Mon Sep 17 00:00:00 2001 +From 5251097c927f476fe83ffe544b73fd2d785aaf2a Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Sat, 6 Jun 2020 11:03:37 +0200 Subject: [PATCH] Omit PA_FOR_USER if we can't compute its checksum diff --git a/Pass-channel-bindings-through-SPNEGO.patch b/Pass-channel-bindings-through-SPNEGO.patch index 5ab5c07..0e307c3 100644 --- a/Pass-channel-bindings-through-SPNEGO.patch +++ b/Pass-channel-bindings-through-SPNEGO.patch @@ -1,4 +1,4 @@ -From ee79bd43005245d3e5a2d3ec6d61146945e77717 Mon Sep 17 00:00:00 2001 +From 17d9b74328f247de5f9d820ae008726632d11d2a Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Tue, 28 Apr 2020 18:15:55 +0200 Subject: [PATCH] Pass channel bindings through SPNEGO diff --git a/Pass-gss_localname-through-SPNEGO.patch b/Pass-gss_localname-through-SPNEGO.patch index eff3733..e641a91 100644 --- a/Pass-gss_localname-through-SPNEGO.patch +++ b/Pass-gss_localname-through-SPNEGO.patch @@ -1,4 +1,4 @@ -From dce745bbdf95ddfa733bc306c57afe5fcab74479 Mon Sep 17 00:00:00 2001 +From cec820485e8b854fe3ee42d0a67a77e7ad20595e Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Sun, 26 Apr 2020 19:55:54 -0400 Subject: [PATCH] Pass gss_localname() through SPNEGO diff --git a/Refactor-krb5-GSS-checksum-handling.patch b/Refactor-krb5-GSS-checksum-handling.patch index 392d929..c80426b 100644 --- a/Refactor-krb5-GSS-checksum-handling.patch +++ b/Refactor-krb5-GSS-checksum-handling.patch @@ -1,4 +1,4 @@ -From a34b7c50e62c19f80d39ece6a72017dac781df64 Mon Sep 17 00:00:00 2001 +From c90cef2ebfbefc595798dd5dbb805575e1be0fbf Mon Sep 17 00:00:00 2001 
From: Alexander Scheel Date: Fri, 30 Jun 2017 16:03:01 -0400 Subject: [PATCH] Refactor krb5 GSS checksum handling diff --git a/Refresh-manually-acquired-creds-from-client-keytab.patch b/Refresh-manually-acquired-creds-from-client-keytab.patch index d67d9b4..ff28434 100644 --- a/Refresh-manually-acquired-creds-from-client-keytab.patch +++ b/Refresh-manually-acquired-creds-from-client-keytab.patch @@ -1,4 +1,4 @@ -From 13e085a996ac53484fa308f3ef7a2b66c05ccdfa Mon Sep 17 00:00:00 2001 +From 7316aaa0e9249a88e919f2596d881f78970548bc Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Wed, 26 Feb 2020 18:27:17 -0500 Subject: [PATCH] Refresh manually acquired creds from client keytab diff --git a/Remove-resolver-test-utility.patch b/Remove-resolver-test-utility.patch index 6602185..e5dd78d 100644 --- a/Remove-resolver-test-utility.patch +++ b/Remove-resolver-test-utility.patch @@ -1,4 +1,4 @@ -From 85bb5fe5a11708b78e9f0bd3a3b34999b6c888a7 Mon Sep 17 00:00:00 2001 +From 3e75969e0c0a52ec3ca8195200fcdadaa63b324f Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Thu, 28 May 2020 18:41:02 -0400 Subject: [PATCH] Remove resolver test utility diff --git a/Replace-gssrpc-tests-with-a-Python-script.patch b/Replace-gssrpc-tests-with-a-Python-script.patch index 17fee61..ced6543 100644 --- a/Replace-gssrpc-tests-with-a-Python-script.patch +++ b/Replace-gssrpc-tests-with-a-Python-script.patch @@ -1,4 +1,4 @@ -From a12fc355a034e5b1d23bdb23db9735d4eaa396d8 Mon Sep 17 00:00:00 2001 +From 404cc1152880a567fc27bb7c691a1a732692bbf9 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Sat, 15 Feb 2020 20:34:23 -0500 Subject: [PATCH] Replace gssrpc tests with a Python script diff --git a/Use-two-queues-for-concurrent-t_otp.py-daemons.patch b/Use-two-queues-for-concurrent-t_otp.py-daemons.patch index 33da6f5..4e81cd0 100644 --- a/Use-two-queues-for-concurrent-t_otp.py-daemons.patch +++ b/Use-two-queues-for-concurrent-t_otp.py-daemons.patch 
@@ -1,4 +1,4 @@
-From 8e08f01d73ddca1b828788710ec6bb3e0354727a Mon Sep 17 00:00:00 2001
+From 3e0d464f55320b393e32285f31710c24758a9101 Mon Sep 17 00:00:00 2001
 From: Greg Hudson
 Date: Wed, 4 Mar 2020 17:18:51 -0500
 Subject: [PATCH] Use two queues for concurrent t_otp.py daemons
diff --git a/downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch b/downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch
index b304c47..08b78b1 100644
--- a/downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch
+++ b/downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch
@@ -1,4 +1,4 @@
-From 15056939ae1e52b9c0b4e0f4ac59772b0d942647 Mon Sep 17 00:00:00 2001
+From bf8521bfaa4a4d54f6eb94f785c68942f4afa055 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Fri, 9 Nov 2018 15:12:21 -0500
 Subject: [PATCH] [downstream] FIPS with PRNG and RADIUS and MD4
@@ -17,24 +17,44 @@ AES is fine. Shame about SPAKE though.
 post6 restores MD4 (and therefore keygen-only RC4).
+post7 restores MD5 and adds radius_md5_fips_override.
+
 Last-updated: krb5-1.17
 ---
+ doc/admin/conf_files/krb5_conf.rst | 6 +++
 src/lib/crypto/krb/prng.c | 11 ++++-
 .../crypto/openssl/enc_provider/camellia.c | 6 +++
 src/lib/crypto/openssl/enc_provider/rc4.c | 13 +++++-
 .../crypto/openssl/hash_provider/hash_evp.c | 12 +++++
 src/lib/crypto/openssl/hmac.c | 6 ++-
- src/lib/krad/attr.c | 45 ++++++++++++++-----
- src/lib/krad/attrset.c | 5 ++-
- src/lib/krad/internal.h | 13 +++++-
- src/lib/krad/packet.c | 22 ++++-----
- src/lib/krad/remote.c | 10 ++++-
+ src/lib/krad/attr.c | 46 ++++++++++++++-----
+ src/lib/krad/attrset.c | 5 +-
+ src/lib/krad/internal.h | 28 ++++++++++-
+ src/lib/krad/packet.c | 22 +++++----
+ src/lib/krad/remote.c | 10 +++-
 src/lib/krad/t_attr.c | 3 +-
 src/lib/krad/t_attrset.c | 4 +-
 src/plugins/preauth/spake/spake_client.c | 6 +++
 src/plugins/preauth/spake/spake_kdc.c | 6 +++
- 14 files changed, 129 insertions(+), 33 deletions(-)
+ 15 files changed, 151 insertions(+), 33 deletions(-)
+diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
+index 1d2aa7f68..3a8b9cf47 100644
+--- a/doc/admin/conf_files/krb5_conf.rst
++++ b/doc/admin/conf_files/krb5_conf.rst
+@@ -331,6 +331,12 @@ The libdefaults section may contain any of the following relations:
+ qualification of shortnames, set this relation to the empty string
+ with ``qualify_shortname = ""``. (New in release 1.18.)
+
++**radius_md5_fips_override**
++ Downstream-only option to enable use of MD5 in RADIUS
++ communication (libkrad). This allows for local (or protected
++ tunnel) communication with a RADIUS server that doesn't use krad
++ (e.g., freeradius) while in FIPS mode.
++
+ **rdns**
+ If this flag is true, reverse name lookup will be used in addition
+ to forward name lookup to canonicalizing hostnames for use in
 diff --git a/src/lib/crypto/krb/prng.c b/src/lib/crypto/krb/prng.c
 index cb9ca9b98..f0e9984ca 100644
 --- a/src/lib/crypto/krb/prng.c
@@ -129,15 +149,15 @@ index a65d57b7a..6ccaca94a 100644
 * The cipher state here is a saved pointer to a struct arcfour_state
 * object, rather than a flat byte array as in most enc providers. The
 diff --git a/src/lib/crypto/openssl/hash_provider/hash_evp.c b/src/lib/crypto/openssl/hash_provider/hash_evp.c
-index 1e0fb8fc3..feb5eda99 100644
+index 1e0fb8fc3..2eb5139c0 100644
 --- a/src/lib/crypto/openssl/hash_provider/hash_evp.c
 +++ b/src/lib/crypto/openssl/hash_provider/hash_evp.c
 @@ -49,6 +49,11 @@ hash_evp(const EVP_MD *type, const krb5_crypto_iov *data, size_t num_data,
 if (ctx == NULL)
 return ENOMEM;
-+ if (type == EVP_md4()) {
-+ /* See comment below in hash_md4(). */
++ if (type == EVP_md4() || type == EVP_md5()) {
++ /* See comments below in hash_md4() and hash_md5(). */
 + EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
 + }
 +
@@ -159,8 +179,8 @@ index 1e0fb8fc3..feb5eda99 100644
 static krb5_error_code
 hash_md5(const krb5_crypto_iov *data, size_t num_data, krb5_data *output)
 {
-+ if (FIPS_mode())
-+ return KRB5_CRYPTO_INTERNAL;
++ /* MD5 is needed in FIPS mode for communication with RADIUS servers. This
++ * is gated in libkrad by libdefaults->radius_md5_fips_override. */
 return hash_evp(EVP_md5(), data, num_data, output);
 }
@@ -182,18 +202,10 @@ index 7dc59dcc0..769a50c00 100644
 else if (!strncmp(hash->hash_name, "MD4", 3))
 return EVP_md4();
 diff --git a/src/lib/krad/attr.c b/src/lib/krad/attr.c
-index 9c13d9d75..275327e67 100644
+index 9c13d9d75..42d354a3b 100644
 --- a/src/lib/krad/attr.c
 +++ b/src/lib/krad/attr.c
-@@ -30,6 +30,7 @@
- #include
- #include "internal.h"
-
-+#include
- #include
-
- /* RFC 2865 */
-@@ -38,7 +39,8 @@
+@@ -38,7 +38,8 @@
 typedef krb5_error_code
 (*attribute_transform_fn)(krb5_context ctx, const char *secret,
 const unsigned char *auth, const krb5_data *in,
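Review bot: With the FIPS_mode() refusal removed from hash_md5() and EVP_MD_CTX_FLAG_NON_FIPS_ALLOW now set for EVP_md5() in hash_evp(), MD5 is available in FIPS mode to every caller of hash_md5(), not only libkrad; the only remaining gate is kr_use_fips() inside libkrad, so any other path that reaches this provider with CKSUMTYPE_RSA_MD5 now succeeds where it previously got KRB5_CRYPTO_INTERNAL. The new comment reads as if the restriction still exists centrally, so I would make the scope explicit: `/* MD5 is allowed in FIPS mode for every caller of this provider. The only gate is libkrad's kr_use_fips() (libdefaults->radius_md5_fips_override); callers outside libkrad are not restricted here. */`. If a central check is still wanted, it has to live somewhere other than hash_md5(), since libkrad needs this path to succeed when the override is set.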
@@ -203,7 +215,7 @@ index 9c13d9d75..275327e67 100644
 typedef struct {
 const char *name;
-@@ -51,12 +53,14 @@ typedef struct {
+@@ -51,12 +52,14 @@ typedef struct {
 static krb5_error_code
 user_password_encode(krb5_context ctx, const char *secret,
 const unsigned char *auth, const krb5_data *in,
@@ -220,7 +232,7 @@ index 9c13d9d75..275327e67 100644
 static const attribute_record attributes[UCHAR_MAX] = {
 {"User-Name", 1, MAX_ATTRSIZE, NULL, NULL},
-@@ -128,7 +132,8 @@ static const attribute_record attributes[UCHAR_MAX] = {
+@@ -128,7 +131,8 @@ static const attribute_record attributes[UCHAR_MAX] = {
 static krb5_error_code
 user_password_encode(krb5_context ctx, const char *secret,
 const unsigned char *auth, const krb5_data *in,
@@ -230,20 +242,21 @@ index 9c13d9d75..275327e67 100644
 {
 const unsigned char *indx;
 krb5_error_code retval;
-@@ -154,8 +159,14 @@ user_password_encode(krb5_context ctx, const char *secret,
+@@ -154,8 +158,15 @@ user_password_encode(krb5_context ctx, const char *secret,
 for (blck = 0, indx = auth; blck * BLOCKSIZE < len; blck++) {
 memcpy(tmp.data + seclen, indx, BLOCKSIZE);
 - retval = krb5_c_make_checksum(ctx, CKSUMTYPE_RSA_MD5, NULL, 0, &tmp,
 - &sum);
-+ if (FIPS_mode()) {
++ if (kr_use_fips(ctx)) {
 + /* Skip encryption here. Taint so that we won't pass it out of
 + * the machine by accident. */
 + *is_fips = TRUE;
 + sum.contents = calloc(1, BLOCKSIZE);
-+ } else
++ } else {
 + retval = krb5_c_make_checksum(ctx, CKSUMTYPE_RSA_MD5, NULL, 0, &tmp,
 + &sum);
++ }
 if (retval != 0) {
 zap(tmp.data, tmp.length);
 zap(outbuf, len);
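Review bot: `sum.contents = calloc(1, BLOCKSIZE);` in the kr_use_fips() branch is not checked, so on allocation failure sum.contents is NULL and retval keeps whatever value it held before the loop, which the following `if (retval != 0)` cleanup will not catch; the same pattern appears in user_password_decode() (`@@ -257,24 +270,25 @@`) and in auth_generate_response() in packet.c (`@@ -397,19 +430,20 @@`, with AUTH_FIELD_SIZE). One line after each calloc fixes it and reuses the existing cleanup path: `if (sum.contents == NULL) retval = ENOMEM;` (`hash.contents` in packet.c). Also, kr_use_fips(ctx) is loop-invariant but is evaluated for every 16-byte block, and each evaluation performs a profile lookup; computing it once into a local before the `for` keeps the per-block path free of configuration reads. The body of user_password_encode() starts and ends outside this hunk, so I cannot see how retval and sum are initialized or how sum.contents is consumed afterwards.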
@@ -257,24 +270,25 @@ index 9c13d9d75..275327e67 100644
 {
 const unsigned char *indx;
 krb5_error_code retval;
-@@ -204,8 +216,14 @@ user_password_decode(krb5_context ctx, const char *secret,
+@@ -204,8 +216,15 @@ user_password_decode(krb5_context ctx, const char *secret,
 for (blck = 0, indx = auth; blck * BLOCKSIZE < in->length; blck++) {
 memcpy(tmp.data + seclen, indx, BLOCKSIZE);
 - retval = krb5_c_make_checksum(ctx, CKSUMTYPE_RSA_MD5, NULL, 0,
 - &tmp, &sum);
-+ if (FIPS_mode()) {
++ if (kr_use_fips(ctx)) {
 + /* Skip encryption here. Taint so that we won't pass it out of
 + * the machine by accident. */
 + *is_fips = TRUE;
 + sum.contents = calloc(1, BLOCKSIZE);
-+ } else
++ } else {
 + retval = krb5_c_make_checksum(ctx, CKSUMTYPE_RSA_MD5, NULL, 0,
 + &tmp, &sum);
++ }
 if (retval != 0) {
 zap(tmp.data, tmp.length);
 zap(outbuf, in->length);
-@@ -248,7 +266,7 @@ krb5_error_code
+@@ -248,7 +267,7 @@ krb5_error_code
 kr_attr_encode(krb5_context ctx, const char *secret,
 const unsigned char *auth, krad_attr type, const krb5_data *in,
 unsigned char outbuf[MAX_ATTRSIZE],
@@ -283,7 +297,7 @@ index 9c13d9d75..275327e67 100644
 {
 krb5_error_code retval;
-@@ -265,7 +283,8 @@ kr_attr_encode(krb5_context ctx, const char *secret,
+@@ -265,7 +284,8 @@ kr_attr_encode(krb5_context ctx, const char *secret,
 return 0;
 }
@@ -293,7 +307,7 @@ index 9c13d9d75..275327e67 100644
 }
 krb5_error_code
-@@ -274,6 +293,7 @@ kr_attr_decode(krb5_context ctx, const char *secret, const unsigned char *auth,
+@@ -274,6 +294,7 @@ kr_attr_decode(krb5_context ctx, const char *secret, const unsigned char *auth,
 unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen)
 {
 krb5_error_code retval;
@@ -301,7 +315,7 @@ index 9c13d9d75..275327e67 100644
 retval = kr_attr_valid(type, in);
 if (retval != 0)
-@@ -288,7 +308,8 @@ kr_attr_decode(krb5_context ctx, const char *secret, const unsigned char *auth,
+@@ -288,7 +309,8 @@ kr_attr_decode(krb5_context ctx, const char *secret, const unsigned char *auth,
 return 0;
 }
@@ -335,10 +349,19 @@ index 03c613716..d89982a13 100644
 return retval;
 diff --git a/src/lib/krad/internal.h b/src/lib/krad/internal.h
-index 996a89372..a53ce31ce 100644
+index 996a89372..312dc8258 100644
 --- a/src/lib/krad/internal.h
 +++ b/src/lib/krad/internal.h
-@@ -49,6 +49,13 @@
+@@ -39,6 +39,8 @@
+ #include
+ #include
+
++#include
++
+ #ifndef UCHAR_MAX
+ #define UCHAR_MAX 255
+ #endif
+@@ -49,6 +51,13 @@
 typedef struct krad_remote_st krad_remote;
@@ -352,7 +375,7 @@ index 996a89372..a53ce31ce 100644
 /* Validate constraints of an attribute. */
 krb5_error_code
 kr_attr_valid(krad_attr type, const krb5_data *data);
-@@ -57,7 +64,8 @@ kr_attr_valid(krad_attr type, const krb5_data *data);
+@@ -57,7 +66,8 @@ kr_attr_valid(krad_attr type, const krb5_data *data);
 krb5_error_code
 kr_attr_encode(krb5_context ctx, const char *secret,
 const unsigned char *auth, krad_attr type, const krb5_data *in,
@@ -362,7 +385,7 @@ index 996a89372..a53ce31ce 100644
 /* Decode an attribute. */
 krb5_error_code
-@@ -69,7 +77,8 @@ kr_attr_decode(krb5_context ctx, const char *secret, const unsigned char *auth,
+@@ -69,7 +79,8 @@ kr_attr_decode(krb5_context ctx, const char *secret, const unsigned char *auth,
 krb5_error_code
 kr_attrset_encode(const krad_attrset *set, const char *secret,
 const unsigned char *auth,
@@ -372,19 +395,29 @@ index 996a89372..a53ce31ce 100644
 /* Decode attributes from a buffer. */
 krb5_error_code
+@@ -152,4 +163,17 @@ gai_error_code(int err)
+ }
+ }
+
++static inline krb5_boolean
++kr_use_fips(krb5_context ctx)
++{
++ int val = 0;
++
++ if (!FIPS_mode())
++ return 0;
++
++ profile_get_boolean(ctx->profile, "libdefaults",
++ "radius_md5_fips_override", NULL, 0, &val);
++ return !val;
++}
++
+ #endif /* INTERNAL_H_ */
 diff --git a/src/lib/krad/packet.c b/src/lib/krad/packet.c
-index c597174b6..794ac84c4 100644
+index c597174b6..fc2d24800 100644
 --- a/src/lib/krad/packet.c
 +++ b/src/lib/krad/packet.c
-@@ -32,6 +32,7 @@
- #include
-
- #include
-+#include
-
- typedef unsigned char uchar;
-
-@@ -53,12 +54,6 @@ typedef unsigned char uchar;
+@@ -53,12 +53,6 @@ typedef unsigned char uchar;
 #define pkt_auth(p) ((uchar *)offset(&(p)->pkt, OFFSET_AUTH))
 #define pkt_attr(p) ((unsigned char *)offset(&(p)->pkt, OFFSET_ATTR))
@@ -397,19 +430,20 @@ index c597174b6..794ac84c4 100644
 typedef struct {
 uchar x[(UCHAR_MAX + 1) / 8];
 } idmap;
-@@ -187,8 +182,13 @@ auth_generate_response(krb5_context ctx, const char *secret,
+@@ -187,8 +181,14 @@ auth_generate_response(krb5_context ctx, const char *secret,
 memcpy(data.data + response->pkt.length, secret, strlen(secret));
 /* Hash it. */
 - retval = krb5_c_make_checksum(ctx, CKSUMTYPE_RSA_MD5, NULL, 0, &data,
 - &hash);
-+ if (FIPS_mode()) {
++ if (kr_use_fips(ctx)) {
 + /* This checksum does very little security-wise anyway, so don't
 + * taint. */
 + hash.contents = calloc(1, AUTH_FIELD_SIZE);
-+ } else
++ } else {
 + retval = krb5_c_make_checksum(ctx, CKSUMTYPE_RSA_MD5, NULL, 0, &data,
 + &hash);
++ }
 free(data.data);
 if (retval != 0)
 return retval;
diff --git a/krb5.spec b/krb5.spec
index 4ffc992..8f389f4 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.18.2
 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
-Release: 23%{?dist}
+Release: 24%{?dist}
 # rharwood has trust path to signing key and verifies on check-in
 Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz
@@ -633,6 +633,9 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*
 %changelog
+* Fri Oct 02 2020 Robbie Harwood - 1.18.2-24
+- Add md5 override to krad
+
 * Thu Sep 10 2020 Robbie Harwood - 1.18.2-23
 - Use `systemctl reload` to HUP the KDC during logrotate
 - Resolves: #1877692
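Review bot: In kr_use_fips() the return value of profile_get_boolean() is discarded, so a missing, unreadable or malformed `radius_md5_fips_override` leaves `val` at its initial 0 (as far as I can tell profile_get_boolean() does not assign the output on error) and the function reports FIPS restrictions as in force; that is the fail-closed direction, but nothing in the code says it is deliberate, so I would add `/* Lookup errors are ignored on purpose: val stays 0, so any problem reading the override keeps MD5 disabled (fail closed). */` above the call. The function also dereferences `ctx->profile` with no NULL check; every caller in this patch forwards its own krb5_context argument, so an `if (ctx == NULL) return 1;` guard ahead of the lookup is cheap and preserves the fail-closed default. Being `static inline` in internal.h, it is re-evaluated at every call site, including once per block in the attr.c loops, so callers in loops should cache the result.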
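Review bot: The comment `/* This checksum does very little security-wise anyway, so don't taint. */` undersells the field: this hash is the RADIUS Response Authenticator (RFC 2865 section 3), the only value that binds a reply to its request and to the shared secret, so a zero-filled one is unauthenticated, and if auth_generate_response() is also used to check received replies (not visible in this hunk) a real server's authenticator can never match it. If the justification is that the request side is already tainted in this mode (the is_fips handling in attr.c) and nothing depending on this value leaves the host, the comment should say that, e.g. `/* FIPS mode without the override: emit a zero Response Authenticator. Requests carrying a User-Password are already tainted in attr.c, so this value is never relied on for a packet that leaves the host. */`. Whether that holds for every caller of auth_generate_response() is outside this hunk, so please confirm against them.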