diff --git a/0020-downstream-Make-PKINIT-CMS-SHA-1-signature-verificat.patch b/0020-downstream-Make-PKINIT-CMS-SHA-1-signature-verificat.patch
new file mode 100644
index 0000000..f74023c
--- /dev/null
+++ b/0020-downstream-Make-PKINIT-CMS-SHA-1-signature-verificat.patch
@@ -0,0 +1,47 @@
+From 9483b1ec7aa0c82d85ec3aa22bd4f10cb388ecfa Mon Sep 17 00:00:00 2001
+From: Julien Rische
+Date: Tue, 23 May 2023 12:19:54 +0200
+Subject: [PATCH] [downstream] Make PKINIT CMS SHA-1 signature verification
+ available in FIPS mode
+
+We recommend using the SHA1 crypto-module in order to allow the
+verification of SHA-1 signature for CMS messages. However, this module
+does not work in FIPS mode, because the SHA-1 algorithm is absent from
+the OpenSSL FIPS provider.
+
+This commit enables the signature verification process to fetch the
+algorithm from a non-FIPS OpenSSL provider.
+
+Support for SHA-1 CMS signature is still required, especially in order
+to interoperate with Active Directory. At least it is until elliptic
+curve cryptography is implemented for PKINIT in MIT krb5.
+---
+ src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+index bfa3fe8e91..ca105d2421 100644
+--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
++++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+@@ -1885,8 +1885,17 @@ cms_signeddata_verify(krb5_context context,
+ if (oid == NULL)
+ goto cleanup;
+
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++ /* Do not use FIPS provider (even in FIPS mode) because it keeps from
++ * allowing SHA-1 signature verification using the SHA1 crypto-module
++ */
++ cms = CMS_ContentInfo_new_ex(NULL, "-fips");
++ if (!cms)
++ goto cleanup;
++#endif
++
+ /* decode received CMS message */
+- if ((cms = d2i_CMS_ContentInfo(NULL, &p, (int)signed_data_len)) == NULL) {
++ if (!d2i_CMS_ContentInfo(&cms, &p, (int)signed_data_len)) {
+ retval = oerr(context, 0, _("Failed to decode CMS message"));
+ goto cleanup;
+ }
+--
+2.40.1
+
diff --git a/krb5.spec b/krb5.spec
index ea56638..7e7e419 100644
--- a/krb5.spec
+++ b/krb5.spec
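Review bot: The `"-fips"` property query given to `CMS_ContentInfo_new_ex()` is attached to the whole CMS object, so as far as I can tell it lifts the FIPS requirement for every algorithm fetched while this message is decoded and verified, not only the SHA-1 digest, whereas the added comment presents it as a SHA-1-only exception. I would state that scope in the comment, e.g. `/* "-fips" removes the fips=yes requirement for all fetches on this CMS object (digest and signature alike), so in FIPS mode PKINIT CMS verification is not confined to the FIPS provider */`. Separately, the `if (!cms) goto cleanup;` path records no error text, unlike the decode failure just below it, and returns whatever `retval` holds at that point. On builds below OpenSSL 3.0, `d2i_CMS_ContentInfo(&cms, ...)` now also depends on `cms` being NULL when it is reached. The declarations of `cms` and `retval` and the cleanup label are outside the hunk, so these last two points should be confirmed against the full body of cms_signeddata_verify.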
@@ -34,7 +34,7 @@ # # baserelease is what we have standardized across Fedora and what # rpmdev-bumpspec knows how to handle. -%global baserelease 8.1 +%global baserelease 8.2 # This should be e.g. beta1 or %%nil %global pre_release %nil @@ -102,6 +102,7 @@ Patch16: 0016-Add-PAC-full-checksums.patch Patch17: 0017-Fix-possible-double-free-during-KDB-creation.patch Patch18: 0018-Fix-meridian-type-in-kadmin-datetime-parser.patch Patch19: 0019-downstream-Allow-to-set-PAC-ticket-signature-as-opti.patch +Patch20: 0020-downstream-Make-PKINIT-CMS-SHA-1-signature-verificat.patch License: MIT URL: https://web.mit.edu/kerberos/www/ @@ -666,7 +667,9 @@ exit 0 %{_libdir}/libkadm5srv_mit.so.* %changelog -* Thu Jun 08 2023 Julien Rische - 1.20.1-8.1 +* Thu Jun 08 2023 Julien Rische - 1.20.1-8.2 +- Make PKINIT CMS SHA-1 signature verification available in FIPS mode +- Resolves: rhbz#2155607 - Allow to set PAC ticket signature as optional - Resolves: rhbz#2178298