rpms/krb5
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Make PKINIT CMS SHA-1 signature verification available in FIPS mode

Browse Source 
Resolves: rhbz#2155607
Signed-off-by: Julien Rische <jrische@redhat.com>
This commit is contained in:
Julien Rische 2023-06-08 15:46:19 +02:00
parent a599b39ea9
commit 73e19c7eb6
2 changed files with 52 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
0020-downstream-Make-PKINIT-CMS-SHA-1-signature-verificat.patch Normal file
View File

@ -0,0 +1,47 @@
From 9483b1ec7aa0c82d85ec3aa22bd4f10cb388ecfa Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Tue, 23 May 2023 12:19:54 +0200
Subject: [PATCH] [downstream] Make PKINIT CMS SHA-1 signature verification
available in FIPS mode
We recommend using the SHA1 crypto-module in order to allow the
verification of SHA-1 signature for CMS messages. However, this module
does not work in FIPS mode, because the SHA-1 algorithm is absent from
the OpenSSL FIPS provider.
This commit enables the signature verification process to fetch the
algorithm from a non-FIPS OpenSSL provider.
Support for SHA-1 CMS signature is still required, especially in order
to interoperate with Active Directory. At least it is until elliptic
curve cryptography is implemented for PKINIT in MIT krb5.
---
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index bfa3fe8e91..ca105d2421 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -1885,8 +1885,17 @@ cms_signeddata_verify(krb5_context context,
if (oid == NULL)
goto cleanup;
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ /* Do not use FIPS provider (even in FIPS mode) because it keeps from
+ * allowing SHA-1 signature verification using the SHA1 crypto-module
+ */
+ cms = CMS_ContentInfo_new_ex(NULL, "-fips");
+ if (!cms)
+ goto cleanup;
+#endif
+
/* decode received CMS message */
- if ((cms = d2i_CMS_ContentInfo(NULL, &p, (int)signed_data_len)) == NULL) {
+ if (!d2i_CMS_ContentInfo(&cms, &p, (int)signed_data_len)) {
retval = oerr(context, 0, _("Failed to decode CMS message"));
goto cleanup;
}
--
2.40.1

7
krb5.spec
View File

@ -34,7 +34,7 @@
# #
# baserelease is what we have standardized across Fedora and what # baserelease is what we have standardized across Fedora and what
# rpmdev-bumpspec knows how to handle. # rpmdev-bumpspec knows how to handle.
%global baserelease 8.1 %global baserelease 8.2
# This should be e.g. beta1 or %%nil # This should be e.g. beta1 or %%nil
%global pre_release %nil %global pre_release %nil
@ -102,6 +102,7 @@ Patch16: 0016-Add-PAC-full-checksums.patch
Patch17: 0017-Fix-possible-double-free-during-KDB-creation.patch Patch17: 0017-Fix-possible-double-free-during-KDB-creation.patch
Patch18: 0018-Fix-meridian-type-in-kadmin-datetime-parser.patch Patch18: 0018-Fix-meridian-type-in-kadmin-datetime-parser.patch
Patch19: 0019-downstream-Allow-to-set-PAC-ticket-signature-as-opti.patch Patch19: 0019-downstream-Allow-to-set-PAC-ticket-signature-as-opti.patch
Patch20: 0020-downstream-Make-PKINIT-CMS-SHA-1-signature-verificat.patch
License: MIT License: MIT
URL: https://web.mit.edu/kerberos/www/ URL: https://web.mit.edu/kerberos/www/
@ -666,7 +667,9 @@ exit 0
%{_libdir}/libkadm5srv_mit.so.* %{_libdir}/libkadm5srv_mit.so.*
%changelog %changelog
* Thu Jun 08 2023 Julien Rische <jrische@redhat.com> - 1.20.1-8.1 * Thu Jun 08 2023 Julien Rische <jrische@redhat.com> - 1.20.1-8.2
- Make PKINIT CMS SHA-1 signature verification available in FIPS mode
- Resolves: rhbz#2155607
- Allow to set PAC ticket signature as optional - Allow to set PAC ticket signature as optional
- Resolves: rhbz#2178298 - Resolves: rhbz#2178298