diff --git a/Remove-now-unused-checksum-functions.patch b/Remove-now-unused-checksum-functions.patch
new file mode 100644
index 0000000..640f059
--- /dev/null
+++ b/Remove-now-unused-checksum-functions.patch
@@ -0,0 +1,335 @@
+From 3c132f6e129f3e4805ae44a8db749930f1e398b1 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood
+Date: Fri, 28 Jun 2019 13:09:47 -0400
+Subject: [PATCH] Remove now-unused checksum functions
+
+fb2dada5eb89c4cd4e39dedd6dbb7dbd5e94f8b8 removed all call sites of
+krb5int_cbc_checksum(), krb5int_confounder_verify(), and
+krb5int_confounder_checksum(), but neglected the functions themselves.
+
+ticket: 8808
+(cherry picked from commit 2063ff09b384d466c15aca8970c01d074230c815)
+---
+ src/lib/crypto/krb/Makefile.in | 6 -
+ src/lib/crypto/krb/checksum_cbc.c | 41 ------
+ src/lib/crypto/krb/checksum_confounder.c | 159 -----------------------
+ src/lib/crypto/krb/crypto_int.h | 16 ---
+ src/lib/crypto/krb/deps | 26 ----
+ 5 files changed, 248 deletions(-)
+ delete mode 100644 src/lib/crypto/krb/checksum_cbc.c
+ delete mode 100644 src/lib/crypto/krb/checksum_confounder.c
+
+diff --git a/src/lib/crypto/krb/Makefile.in b/src/lib/crypto/krb/Makefile.in
+index b587f7e19..2b0c4163d 100644
+--- a/src/lib/crypto/krb/Makefile.in
++++ b/src/lib/crypto/krb/Makefile.in
+@@ -10,8 +10,6 @@ STLIBOBJS=\
+ aead.o \
+ block_size.o \
+ cf2.o \
+- checksum_cbc.o \
+- checksum_confounder.o \
+ checksum_dk_cmac.o \
+ checksum_dk_hmac.o \
+ checksum_etm.o \
+@@ -70,8 +68,6 @@ OBJS=\
+ $(OUTPRE)aead.$(OBJEXT) \
+ $(OUTPRE)block_size.$(OBJEXT) \
+ $(OUTPRE)cf2.$(OBJEXT) \
+- $(OUTPRE)checksum_cbc.$(OBJEXT) \
+- $(OUTPRE)checksum_confounder.$(OBJEXT) \
+ $(OUTPRE)checksum_dk_cmac.$(OBJEXT) \
+ $(OUTPRE)checksum_dk_hmac.$(OBJEXT) \
+ $(OUTPRE)checksum_etm.$(OBJEXT) \
+@@ -130,8 +126,6 @@ SRCS=\
+ $(srcdir)/aead.c \
+ $(srcdir)/block_size.c \
+ $(srcdir)/cf2.c \
+- $(srcdir)/checksum_cbc.c \
+- $(srcdir)/checksum_confounder.c \
+ $(srcdir)/checksum_dk_cmac.c \
+ $(srcdir)/checksum_dk_hmac.c \
+ $(srcdir)/checksum_etm.c \
+diff --git a/src/lib/crypto/krb/checksum_cbc.c b/src/lib/crypto/krb/checksum_cbc.c
+deleted file mode 100644
+index 48afeb0e5..000000000
+--- a/src/lib/crypto/krb/checksum_cbc.c
++++ /dev/null
+@@ -1,41 +0,0 @@
+-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+-/* lib/crypto/krb/checksum_cbc.c */
+-/*
+- * Copyright (C) 2009 by the Massachusetts Institute of Technology.
+- * All rights reserved.
+- *
+- * Export of this software from the United States of America may
+- * require a specific license from the United States Government.
+- * It is the responsibility of any person or organization contemplating
+- * export to obtain such a license before exporting.
+- *
+- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+- * distribute this software and its documentation for any purpose and
+- * without fee is hereby granted, provided that the above copyright
+- * notice appear in all copies and that both that copyright notice and
+- * this permission notice appear in supporting documentation, and that
+- * the name of M.I.T. not be used in advertising or publicity pertaining
+- * to distribution of the software without specific, written prior
+- * permission. Furthermore if you modify this software you must label
+- * your software as modified software and not distribute it in such a
+- * fashion that it might be confused with the original M.I.T. software.
+- * M.I.T. makes no representations about the suitability of
+- * this software for any purpose. It is provided "as is" without express
+- * or implied warranty.
+- */
+-
+-/* CBC checksum, which computes the ivec resulting from CBC encryption of the
+- * input. */
+-
+-#include "crypto_int.h"
+-
+-krb5_error_code
+-krb5int_cbc_checksum(const struct krb5_cksumtypes *ctp,
+- krb5_key key, krb5_keyusage usage,
+- const krb5_crypto_iov *data, size_t num_data,
+- krb5_data *output)
+-{
+- if (ctp->enc->cbc_mac == NULL)
+- return KRB5_CRYPTO_INTERNAL;
+- return ctp->enc->cbc_mac(key, data, num_data, NULL, output);
+-}
+diff --git a/src/lib/crypto/krb/checksum_confounder.c b/src/lib/crypto/krb/checksum_confounder.c
+deleted file mode 100644
+index 34941562c..000000000
+--- a/src/lib/crypto/krb/checksum_confounder.c
++++ /dev/null
+@@ -1,159 +0,0 @@
+-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+-/* lib/crypto/krb/checksum_confounder.c */
+-/*
+- * Copyright (C) 2009 by the Massachusetts Institute of Technology.
+- * All rights reserved.
+- *
+- * Export of this software from the United States of America may
+- * require a specific license from the United States Government.
+- * It is the responsibility of any person or organization contemplating
+- * export to obtain such a license before exporting.
+- *
+- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+- * distribute this software and its documentation for any purpose and
+- * without fee is hereby granted, provided that the above copyright
+- * notice appear in all copies and that both that copyright notice and
+- * this permission notice appear in supporting documentation, and that
+- * the name of M.I.T. not be used in advertising or publicity pertaining
+- * to distribution of the software without specific, written prior
+- * permission. Furthermore if you modify this software you must label
+- * your software as modified software and not distribute it in such a
+- * fashion that it might be confused with the original M.I.T. software.
+- * M.I.T. makes no representations about the suitability of
+- * this software for any purpose. It is provided "as is" without express
+- * or implied warranty.
+- */
+-
+-/*
+- * Confounder checksum implementation, using tokens of the form:
+- * enc(xorkey, confounder | hash(confounder | data))
+- * where xorkey is the key XOR'd with 0xf0 bytes.
+- */
+-
+-#include "crypto_int.h"
+-
+-/* Derive a key by XOR with 0xF0 bytes. */
+-static krb5_error_code
+-mk_xorkey(krb5_key origkey, krb5_key *xorkey)
+-{
+- krb5_error_code retval = 0;
+- unsigned char *xorbytes;
+- krb5_keyblock xorkeyblock;
+- size_t i = 0;
+-
+- xorbytes = k5memdup(origkey->keyblock.contents, origkey->keyblock.length,
+- &retval);
+- if (xorbytes == NULL)
+- return retval;
+- for (i = 0; i < origkey->keyblock.length; i++)
+- xorbytes[i] ^= 0xf0;
+-
+- /* Do a shallow copy here. */
+- xorkeyblock = origkey->keyblock;
+- xorkeyblock.contents = xorbytes;
+-
+- retval = krb5_k_create_key(0, &xorkeyblock, xorkey);
+- zapfree(xorbytes, origkey->keyblock.length);
+- return retval;
+-}
+-
+-krb5_error_code
+-krb5int_confounder_checksum(const struct krb5_cksumtypes *ctp,
+- krb5_key key, krb5_keyusage usage,
+- const krb5_crypto_iov *data, size_t num_data,
+- krb5_data *output)
+-{
+- krb5_error_code ret;
+- krb5_data conf, hashval;
+- krb5_key xorkey = NULL;
+- krb5_crypto_iov *hash_iov, iov;
+- size_t blocksize = ctp->enc->block_size, hashsize = ctp->hash->hashsize;
+-
+- /* Partition the output buffer into confounder and hash. */
+- conf = make_data(output->data, blocksize);
+- hashval = make_data(output->data + blocksize, hashsize);
+-
+- /* Create the confounder. */
+- ret = krb5_c_random_make_octets(NULL, &conf);
+- if (ret != 0)
+- return ret;
+-
+- ret = mk_xorkey(key, &xorkey);
+- if (ret)
+- return ret;
+-
+- /* Hash the confounder, then the input data. */
+- hash_iov = k5calloc(num_data + 1, sizeof(krb5_crypto_iov), &ret);
+- if (hash_iov == NULL)
+- goto cleanup;
+- hash_iov[0].flags = KRB5_CRYPTO_TYPE_DATA;
+- hash_iov[0].data = conf;
+- memcpy(hash_iov + 1, data, num_data * sizeof(krb5_crypto_iov));
+- ret = ctp->hash->hash(hash_iov, num_data + 1, &hashval);
+- if (ret != 0)
+- goto cleanup;
+-
+- /* Confounder and hash are in output buffer; encrypt them in place. */
+- iov.flags = KRB5_CRYPTO_TYPE_DATA;
+- iov.data = *output;
+- ret = ctp->enc->encrypt(xorkey, NULL, &iov, 1);
+-
+-cleanup:
+- free(hash_iov);
+- krb5_k_free_key(NULL, xorkey);
+- return ret;
+-}
+-
+-krb5_error_code krb5int_confounder_verify(const struct krb5_cksumtypes *ctp,
+- krb5_key key, krb5_keyusage usage,
+- const krb5_crypto_iov *data,
+- size_t num_data,
+- const krb5_data *input,
+- krb5_boolean *valid)
+-{
+- krb5_error_code ret;
+- unsigned char *plaintext = NULL;
+- krb5_key xorkey = NULL;
+- krb5_data computed = empty_data();
+- krb5_crypto_iov *hash_iov = NULL, iov;
+- size_t blocksize = ctp->enc->block_size, hashsize = ctp->hash->hashsize;
+-
+- plaintext = k5memdup(input->data, input->length, &ret);
+- if (plaintext == NULL)
+- return ret;
+-
+- ret = mk_xorkey(key, &xorkey);
+- if (ret != 0)
+- goto cleanup;
+-
+- /* Decrypt the input checksum. */
+- iov.flags = KRB5_CRYPTO_TYPE_DATA;
+- iov.data = make_data(plaintext, input->length);
+- ret = ctp->enc->decrypt(xorkey, NULL, &iov, 1);
+- if (ret != 0)
+- goto cleanup;
+-
+- /* Hash the confounder, then the input data. */
+- hash_iov = k5calloc(num_data + 1, sizeof(krb5_crypto_iov), &ret);
+- if (hash_iov == NULL)
+- goto cleanup;
+- hash_iov[0].flags = KRB5_CRYPTO_TYPE_DATA;
+- hash_iov[0].data = make_data(plaintext, blocksize);
+- memcpy(hash_iov + 1, data, num_data * sizeof(krb5_crypto_iov));
+- ret = alloc_data(&computed, hashsize);
+- if (ret != 0)
+- goto cleanup;
+- ret = ctp->hash->hash(hash_iov, num_data + 1, &computed);
+- if (ret != 0)
+- goto cleanup;
+-
+- /* Compare the decrypted hash to the computed one. */
+- *valid = (k5_bcmp(plaintext + blocksize, computed.data, hashsize) == 0);
+-
+-cleanup:
+- zapfree(plaintext, input->length);
+- zapfree(computed.data, hashsize);
+- free(hash_iov);
+- krb5_k_free_key(NULL, xorkey);
+- return ret;
+-}
+diff --git a/src/lib/crypto/krb/crypto_int.h b/src/lib/crypto/krb/crypto_int.h
+index 1b4324d71..5cc1f8e43 100644
+--- a/src/lib/crypto/krb/crypto_int.h
++++ b/src/lib/crypto/krb/crypto_int.h
+@@ -299,11 +299,6 @@ krb5_error_code krb5int_unkeyed_checksum(const struct krb5_cksumtypes *ctp,
+ const krb5_crypto_iov *data,
+ size_t num_data,
+ krb5_data *output);
+-krb5_error_code krb5int_cbc_checksum(const struct krb5_cksumtypes *ctp,
+- krb5_key key, krb5_keyusage usage,
+- const krb5_crypto_iov *data,
+- size_t num_data,
+- krb5_data *output);
+ krb5_error_code krb5int_hmacmd5_checksum(const struct krb5_cksumtypes *ctp,
+ krb5_key key, krb5_keyusage usage,
+ const krb5_crypto_iov *data,
+@@ -317,17 +312,6 @@ krb5_error_code krb5int_dk_cmac_checksum(const struct krb5_cksumtypes *ctp,
+ krb5_key key, krb5_keyusage usage,
+ const krb5_crypto_iov *data,
+ size_t num_data, krb5_data *output);
+-krb5_error_code krb5int_confounder_checksum(const struct krb5_cksumtypes *ctp,
+- krb5_key key, krb5_keyusage usage,
+- const krb5_crypto_iov *data,
+- size_t num_data,
+- krb5_data *output);
+-krb5_error_code krb5int_confounder_verify(const struct krb5_cksumtypes *ctp,
+- krb5_key key, krb5_keyusage usage,
+- const krb5_crypto_iov *data,
+- size_t num_data,
+- const krb5_data *input,
+- krb5_boolean *valid);
+ krb5_error_code krb5int_etm_checksum(const struct krb5_cksumtypes *ctp,
+ krb5_key key, krb5_keyusage usage,
+ const krb5_crypto_iov *data,
+diff --git a/src/lib/crypto/krb/deps b/src/lib/crypto/krb/deps
+index 2f4af1906..883d12c56 100644
+--- a/src/lib/crypto/krb/deps
++++ b/src/lib/crypto/krb/deps
+@@ -37,32 +37,6 @@ cf2.so cf2.po $(OUTPRE)cf2.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+ $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \
+ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
+ cf2.c crypto_int.h
+-checksum_cbc.so checksum_cbc.po $(OUTPRE)checksum_cbc.$(OBJEXT): \
+- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
+- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
+- $(COM_ERR_DEPS) $(srcdir)/../builtin/aes/aes.h $(srcdir)/../builtin/crypto_mod.h \
+- $(srcdir)/../builtin/sha2/sha2.h $(top_srcdir)/include/k5-buf.h \
+- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
+- $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
+- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
+- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
+- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
+- $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
+- $(top_srcdir)/include/socket-utils.h checksum_cbc.c \
+- crypto_int.h
+-checksum_confounder.so checksum_confounder.po $(OUTPRE)checksum_confounder.$(OBJEXT): \
+- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
+- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
+- $(COM_ERR_DEPS) $(srcdir)/../builtin/aes/aes.h $(srcdir)/../builtin/crypto_mod.h \
+- $(srcdir)/../builtin/sha2/sha2.h $(top_srcdir)/include/k5-buf.h \
+- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
+- $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
+- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
+- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
+- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
+- $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
+- $(top_srcdir)/include/socket-utils.h checksum_confounder.c \
+- crypto_int.h
+ checksum_dk_cmac.so checksum_dk_cmac.po $(OUTPRE)checksum_dk_cmac.$(OBJEXT): \
+ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
+ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
diff --git a/krb5.spec b/krb5.spec
index 02efe4e..1604fef 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.17 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces) -Release: 33%{?dist} +Release: 34%{?dist} # lookaside-cached sources; two downloads and a build artifact Source0: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}%{prerelease}.tar.gz
@@ -110,6 +110,7 @@ Patch147: Remove-strerror-calls-from-k5_get_error.patch Patch148: Remove-PKINIT-draft-9-support.patch Patch149: Remove-PKINIT-draft-9-ASN.1-code-and-types.patch Patch150: Remove-3des-support.patch +Patch151: Remove-now-unused-checksum-functions.patch License: MIT URL: https://web.mit.edu/kerberos/www/
@@ -719,6 +720,9 @@ exit 0 %{_libdir}/libkadm5srv_mit.so.* %changelog +* Tue Jul 02 2019 Robbie Harwood - 1.17-34 +- Remove now-unused checksum functions + * Wed Jun 26 2019 Robbie Harwood - 1.17-33 - Fix typo in 3des commit