rpms/krb5
5
0
Fork 0
Code Issues Pull Requests Releases Activity

(Patch consolidation; hopefully no changes)

Browse Source
This commit is contained in:
Robbie Harwood 2019-05-14 12:34:12 -04:00
parent 4b3d9079ae
commit aa55266a84
38 changed files with 294 additions and 301 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Add-dns_canonicalize_hostname-fallback-support.patch
View File

@ -1,4 +1,4 @@
From 05672fdc2530618441710361daba097bccf51f61 Mon Sep 17 00:00:00 2001
From f256aeea76ad81305d005d3a052e7d2e0250dccc Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Tue, 4 Dec 2018 15:22:55 -0500
Subject: [PATCH] Add dns_canonicalize_hostname=fallback support

2
Add-function-and-enctype-flag-for-deprecations.patch
View File

@ -1,4 +1,4 @@
From 4cd829c935319049142052ac45f252a8c3c54b49 Mon Sep 17 00:00:00 2001
From 81fe68ce11a676f93c101ddd7523e8de9b419deb Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 15 Jan 2019 16:16:57 -0500
Subject: [PATCH] Add function and enctype flag for deprecations

2
Add-tests-for-KCM-ccache-type.patch
View File

@ -1,4 +1,4 @@
From 306c0260dca7809c90dfa9e8889a6bd2401cee84 Mon Sep 17 00:00:00 2001
From deedc59d6ab6dd4f988db931a3a0d43f977ca708 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Thu, 22 Nov 2018 00:27:35 -0500
Subject: [PATCH] Add tests for KCM ccache type

2
Address-some-optimized-out-memset-calls.patch
View File

@ -1,4 +1,4 @@
From 3dd99db324de1492444aab3e5468aea5f1767c6d Mon Sep 17 00:00:00 2001
From 3909d11478c7bbfc988b5c09ed7b2d32a5959947 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Sun, 30 Dec 2018 16:40:28 -0500
Subject: [PATCH] Address some optimized-out memset() calls

2
Avoid-alignment-warnings-in-openssl-rc4.c.patch
View File

@ -1,4 +1,4 @@
From 05c4ea24fa8603572ea1bffc767886bb26b8d542 Mon Sep 17 00:00:00 2001
From 041a4f3507ffe9f19bb69f8c1959230753b73f90 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Mon, 6 May 2019 15:14:49 -0400
Subject: [PATCH] Avoid alignment warnings in openssl rc4.c

2
Avoid-allocating-a-register-in-zap-assembly.patch
View File

@ -1,4 +1,4 @@
From 273475be9d8aafb41edf417f6317c9537a03c3fa Mon Sep 17 00:00:00 2001
From e66fc8b903cded3aed007310815a8f1fac7e6c30 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 3 Jan 2019 17:19:32 +0100
Subject: [PATCH] Avoid allocating a register in zap() assembly

2
Check-more-errors-in-OpenSSL-crypto-backend.patch
View File

@ -1,4 +1,4 @@
From b87d0cd119732b9066606d388b4fdebde2facbe5 Mon Sep 17 00:00:00 2001
From f48e578e443cf0217360dee6cef1fe2869059be4 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Mon, 22 Apr 2019 14:26:42 -0400
Subject: [PATCH] Check more errors in OpenSSL crypto backend

2
Clarify-header-comment-for-krb5_cc_start_seq_get.patch
View File

@ -1,4 +1,4 @@
From dc0ff969a963c0dcbf203a636cf12030ea2845d9 Mon Sep 17 00:00:00 2001
From b804c5ec00580cf62fd3660939f0f3baf71822fe Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 2 Apr 2019 14:18:57 -0400
Subject: [PATCH] Clarify header comment for krb5_cc_start_seq_get()

2
Clear-forwardable-flag-instead-of-denying-request.patch
View File

@ -1,4 +1,4 @@
From 561ac441f046a01a4e71e3c475760cc2d42b8213 Mon Sep 17 00:00:00 2001
From 6a23d8a1cf2ff7e247dbd4a737b87c792f78e5ab Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Thu, 15 Nov 2018 13:40:43 -0500
Subject: [PATCH] Clear forwardable flag instead of denying request

2
Fix-config-realm-change-logic-in-FILE-remove_cred.patch
View File

@ -1,4 +1,4 @@
From 7eb42e3fbdb854b085eceaa500f1c18569bd044d Mon Sep 17 00:00:00 2001
From 5215fad65699527aaea73add2cbbbb40de770fa6 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 16 Apr 2019 10:47:35 -0400
Subject: [PATCH] Fix config realm change logic in FILE remove_cred

2
Fix-memory-leak-in-none-replay-cache-type.patch
View File

@ -1,4 +1,4 @@
From aeae5941ff8beea66516a31cd16fe4df6e8165f9 Mon Sep 17 00:00:00 2001
From 7e3cb737332fad7803205035a90237a9b50e0a36 Mon Sep 17 00:00:00 2001
From: Corene Casper <C.Casper@Dell.com>
Date: Sat, 16 Feb 2019 00:49:26 -0500
Subject: [PATCH] Fix memory leak in 'none' replay cache type

2
Fix-potential-close-1-in-cc_file.c.patch
View File

@ -1,4 +1,4 @@
From c1fe784e79b847a7e9ae9009193dee66bc1b6164 Mon Sep 17 00:00:00 2001
From cfe28dcc4a478fa99639b48476316936db87d69e Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 18 Apr 2019 13:39:37 -0400
Subject: [PATCH] Fix potential close(-1) in cc_file.c

2
Fix-some-return-code-handling-bugs.patch
View File

@ -1,4 +1,4 @@
From 202a4ef4b2d1fa88d1a5c7f0b673bc4f563c57cd Mon Sep 17 00:00:00 2001
From 0bbbeeacc3c8bf22064db4d049e2069a81ab4270 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 2 May 2019 14:05:38 -0400
Subject: [PATCH] Fix some return code handling bugs

2
Implement-krb5_cc_remove_cred-for-remaining-types.patch
View File

@ -1,4 +1,4 @@
From fd67573d4f0e2ac155752697ebf750c43fab3c59 Mon Sep 17 00:00:00 2001
From 78bfdbba03bbeb3c86c41273a3c3157bfbab7878 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Mon, 1 Apr 2019 14:28:48 -0400
Subject: [PATCH] Implement krb5_cc_remove_cred for remaining types

2
Improve-error-messages-from-kadmin-change_password.patch
View File

@ -1,4 +1,4 @@
From a479ad01696f97114cdc1734a7fe5f3d4bd80e80 Mon Sep 17 00:00:00 2001
From 93717ffc7a5f213e3040e60431df199a5f6e9c76 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Mon, 6 May 2019 13:13:16 -0400
Subject: [PATCH] Improve error messages from kadmin change_password

2
In-kpropd-debug-log-proper-ticket-enctype-names.patch
View File

@ -1,4 +1,4 @@
From fe497f16d8da570dea363dacb18cfc2fcfa52f24 Mon Sep 17 00:00:00 2001
From 7483ca4dbac8fedca5bd5ac1ea310e020df0d843 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 15 Jan 2019 13:41:16 -0500
Subject: [PATCH] In kpropd, debug-log proper ticket enctype names

2
In-rd_req_dec-always-log-non-permitted-enctypes.patch
View File

@ -1,4 +1,4 @@
From d868f6753cd6e9de447f097626f5e5155c727414 Mon Sep 17 00:00:00 2001
From 9503055f4caad2ab71db488ec434494cc23ce74e Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Mon, 14 Jan 2019 17:14:42 -0500
Subject: [PATCH] In rd_req_dec, always log non-permitted enctypes

2
Initialize-some-data-structure-magic-fields.patch
View File

@ -1,4 +1,4 @@
From a1327230380d0c73ebb9a22e4c6bbb1b6f3e0c64 Mon Sep 17 00:00:00 2001
From 7973ef9891219a5179592db7081b7ffd6db95103 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 2 May 2019 13:36:38 -0400
Subject: [PATCH] Initialize some data structure magic fields

2
Make-etype-names-in-KDC-logs-human-readable.patch
View File

@ -1,4 +1,4 @@
From c14796879b9c4601a3333444c9aa6388031e6ab2 Mon Sep 17 00:00:00 2001
From 64843356847cc944d246eedd45e34d65c3336e05 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 8 Jan 2019 17:42:35 -0500
Subject: [PATCH] Make etype names in KDC logs human-readable

2
Mark-deprecated-enctypes-when-used.patch
View File

@ -1,4 +1,4 @@
From 5b81e75e1c5ec39a070df7c87c64aa74b5b9c0ba Mon Sep 17 00:00:00 2001
From a3df9ce1ebe05300aaf930d11d53bd354561f044 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 10 Jan 2019 16:34:54 -0500
Subject: [PATCH] Mark deprecated enctypes when used

2
Modernize-exit-path-in-gss_krb5int_copy_ccache.patch
View File

@ -1,4 +1,4 @@
From ae9b51bc4f4ca5e88d7675d373e35fde8470e223 Mon Sep 17 00:00:00 2001
From 50116db1dcf88ad7a5fbe03e5045c6d3059e2bb0 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 2 May 2019 14:32:33 -0400
Subject: [PATCH] Modernize exit path in gss_krb5int_copy_ccache()

2
Properly-size-ifdef-in-k5_cccol_lock.patch
View File

@ -1,4 +1,4 @@
From 85577bdae928613c87828fff79d5d6c6b9b8b291 Mon Sep 17 00:00:00 2001
From 3e750e184a870a7bc96dac75e2da61ca4414ddd1 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 14 Feb 2019 11:50:35 -0500
Subject: [PATCH] Properly size #ifdef in k5_cccol_lock()

2
Remove-Kerberos-v4-support-vestiges-from-ccapi.patch
View File

@ -1,4 +1,4 @@
From 6bd60d3985df4e327f86d2a19349f52058d09a17 Mon Sep 17 00:00:00 2001
From 69c1393e9077ecedea84cffc4d2721981aa9205a Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 4 Apr 2019 14:37:38 -0400
Subject: [PATCH] Remove Kerberos v4 support vestiges from ccapi

2
Remove-ccapi-related-comments-in-configure.ac.patch
View File

@ -1,4 +1,4 @@
From 74c45a65b34e49aecfedfb8451b857350fbbe616 Mon Sep 17 00:00:00 2001
From fad2355105eaa8ec34cd4c4d3bed05f66d0157ce Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Wed, 3 Apr 2019 16:01:22 -0400
Subject: [PATCH] Remove ccapi-related comments in configure.ac

2
Remove-checksum-type-profile-variables.patch
View File

@ -1,4 +1,4 @@
From 443b8989c5d554f5347b72364d704d4626ca9a92 Mon Sep 17 00:00:00 2001
From 9d0403155222b7815d5db6063cecd79d530f7e93 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Mon, 13 May 2019 14:19:57 -0400
Subject: [PATCH] Remove checksum type profile variables

2
Remove-confvalidator-utility.patch
View File

@ -1,4 +1,4 @@
From 841be050c7f02d09aade0ed2c708bff8787afcd2 Mon Sep 17 00:00:00 2001
From 6d289b110c39c1d617c5e8252cc0bb1d25450b0e Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Wed, 3 Apr 2019 14:58:19 -0400
Subject: [PATCH] Remove confvalidator utility

2
Remove-dead-variable-def_kslist-from-two-files.patch
View File

@ -1,4 +1,4 @@
From f18a482eec20369d7bcb4a7b2b6440c907215eff Mon Sep 17 00:00:00 2001
From 29262595f5c603276dbeb016b122141839304755 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 2 May 2019 16:57:51 -0400
Subject: [PATCH] Remove dead variable def_kslist from two files

2
Remove-doxygen-generated-HTML-output-for-ccapi.patch
View File

@ -1,4 +1,4 @@
From 33acfff1a6ec51f2d60933c362ec8afb89d5d548 Mon Sep 17 00:00:00 2001
From 7e85faa6d1df1af351c00a92219e789939d2924c Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 4 Apr 2019 14:15:58 -0400
Subject: [PATCH] Remove doxygen-generated HTML output for ccapi

2
Remove-kadmin-RPC-support-for-setting-v4-key.patch
View File

@ -1,4 +1,4 @@
From 76b39ce5081eb3b288532d615c356ab508e93495 Mon Sep 17 00:00:00 2001
From 93ee33d4b7ab08c041868a2e43111924c578b5b5 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 4 Apr 2019 16:14:46 -0400
Subject: [PATCH] Remove kadmin RPC support for setting v4 key

2
Remove-more-dead-code.patch
View File

@ -1,4 +1,4 @@
From eb6d9cd533d087d38b7f3c1b7086a712cb0bfe46 Mon Sep 17 00:00:00 2001
From dbc7e1a5ca3afad7ac6d057266358c6cbe517db5 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 9 May 2019 14:07:24 -0400
Subject: [PATCH] Remove more dead code

2
Remove-ovsec_adm_export-dump-format-support.patch
View File

@ -1,4 +1,4 @@
From e7766b4c1df19738a4cf34d498046cfa8dd91637 Mon Sep 17 00:00:00 2001
From 17d6296546fc363731e10c986ba19e0d85bd9e0c Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 22 Jan 2019 18:34:58 -0500
Subject: [PATCH] Remove ovsec_adm_export dump format support

2
Remove-srvtab-support.patch
View File

@ -1,4 +1,4 @@
From e74dc82235b3948dee706310ebf5b1878d08d7df Mon Sep 17 00:00:00 2001
From aec66c783ddba8b036ea1077bb852832cffcc432 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Mon, 9 Oct 2017 15:58:33 -0400
Subject: [PATCH] Remove srvtab support

2
Simplify-SAM-2-as_key-handling.patch
View File

@ -1,4 +1,4 @@
From 4f9e21c9daf505f5147dcab2fb4d1b241e1b90f8 Mon Sep 17 00:00:00 2001
From c63484d9ff8199261e778169474af50883ea11f5 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Sun, 5 May 2019 18:53:27 -0400
Subject: [PATCH] Simplify SAM-2 as_key handling

2
Simply-OpenSSL-PKCS7-decryption-code.patch
View File

@ -1,4 +1,4 @@
From 89470cb724edb9a3c9d31f6fb5c967fed73e38a1 Mon Sep 17 00:00:00 2001
From bcc55c108502402d2d1f6e4a6ce9a348dd655609 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Mon, 6 May 2019 13:13:06 -0400
Subject: [PATCH] Simply OpenSSL PKCS7 decryption code

2
Use-secure_getenv-where-appropriate.patch
View File

@ -1,4 +1,4 @@
From ec428980300c85ba2c4b220174c2c05447cf4bd8 Mon Sep 17 00:00:00 2001
From d7cb05ad91e778c1de0c977b053a22060e6ed579 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Wed, 24 Apr 2019 16:19:50 -0400
Subject: [PATCH] Use secure_getenv() where appropriate

250
krb5-1.17post1-FIPS-with-PRNG-and-SPAKE.patch
View File

@ -1,250 +0,0 @@
From dff44c20d9d9ed6a3e71888406b2913d9309e738 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Fri, 9 Nov 2018 15:12:21 -0500
Subject: [PATCH] krb5-1.17post1 FIPS with PRNG and SPAKE
NB: Use openssl's PRNG in FIPS mode, and be aware during SPAKE group
negotiation.
A lot of the FIPS error conditions from OpenSSL are incredibly
mysterious (at best, things return NULL unexpectedly; at worst,
internal assertions are tripped; most of the time, you just get
ENOMEM). In order to cope with this, we need to have some level of
awareness of what we can and can't safely call.
This will slow down some calls slightly (FIPS_mode() takes multiple
locks), but not for any ciphers we care about - which is to say that
AES is fine. Shame about the SPAKE groups though.
---
src/lib/crypto/krb/prng.c | 11 ++++++++++-
src/lib/crypto/openssl/enc_provider/camellia.c | 6 ++++++
src/lib/crypto/openssl/enc_provider/des.c | 9 +++++++++
src/lib/crypto/openssl/enc_provider/des3.c | 6 ++++++
src/lib/crypto/openssl/enc_provider/rc4.c | 13 ++++++++++++-
src/lib/crypto/openssl/hash_provider/hash_evp.c | 4 ++++
src/lib/crypto/openssl/hmac.c | 6 +++++-
src/plugins/preauth/spake/groups.c | 8 ++++++++
8 files changed, 60 insertions(+), 3 deletions(-)
diff --git a/src/lib/crypto/krb/prng.c b/src/lib/crypto/krb/prng.c
index cb9ca9b98..f0e9984ca 100644
--- a/src/lib/crypto/krb/prng.c
+++ b/src/lib/crypto/krb/prng.c
@@ -26,6 +26,8 @@
#include "crypto_int.h"
+#include <openssl/rand.h>
+
krb5_error_code KRB5_CALLCONV
krb5_c_random_seed(krb5_context context, krb5_data *data)
{
@@ -99,9 +101,16 @@ krb5_boolean
k5_get_os_entropy(unsigned char *buf, size_t len, int strong)
{
const char *device;
-#if defined(__linux__) && defined(SYS_getrandom)
int r;
+ /* A wild FIPS mode appeared! */
+ if (FIPS_mode()) {
+ /* The return codes on this API are not good */
+ r = RAND_bytes(buf, len);
+ return r == 1;
+ }
+
+#if defined(__linux__) && defined(SYS_getrandom)
while (len > 0) {
/*
* Pull from the /dev/urandom pool, but require it to have been seeded.
diff --git a/src/lib/crypto/openssl/enc_provider/camellia.c b/src/lib/crypto/openssl/enc_provider/camellia.c
index 2da691329..f79679a0b 100644
--- a/src/lib/crypto/openssl/enc_provider/camellia.c
+++ b/src/lib/crypto/openssl/enc_provider/camellia.c
@@ -304,6 +304,9 @@ krb5int_camellia_cbc_mac(krb5_key key, const krb5_crypto_iov *data,
unsigned char blockY[CAMELLIA_BLOCK_SIZE], blockB[CAMELLIA_BLOCK_SIZE];
struct iov_cursor cursor;
+ if (FIPS_mode())
+ return KRB5_CRYPTO_INTERNAL;
+
if (output->length < CAMELLIA_BLOCK_SIZE)
return KRB5_BAD_MSIZE;
@@ -331,6 +334,9 @@ static krb5_error_code
krb5int_camellia_init_state (const krb5_keyblock *key, krb5_keyusage usage,
krb5_data *state)
{
+ if (FIPS_mode())
+ return KRB5_CRYPTO_INTERNAL;
+
state->length = 16;
state->data = (void *) malloc(16);
if (state->data == NULL)
diff --git a/src/lib/crypto/openssl/enc_provider/des.c b/src/lib/crypto/openssl/enc_provider/des.c
index a662db512..7d17d287e 100644
--- a/src/lib/crypto/openssl/enc_provider/des.c
+++ b/src/lib/crypto/openssl/enc_provider/des.c
@@ -85,6 +85,9 @@ k5_des_encrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
EVP_CIPHER_CTX *ctx;
krb5_boolean empty;
+ if (FIPS_mode())
+ return KRB5_CRYPTO_INTERNAL;
+
ret = validate(key, ivec, data, num_data, &empty);
if (ret != 0 || empty)
return ret;
@@ -133,6 +136,9 @@ k5_des_decrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
EVP_CIPHER_CTX *ctx;
krb5_boolean empty;
+ if (FIPS_mode())
+ return KRB5_CRYPTO_INTERNAL;
+
ret = validate(key, ivec, data, num_data, &empty);
if (ret != 0 || empty)
return ret;
@@ -182,6 +188,9 @@ k5_des_cbc_mac(krb5_key key, const krb5_crypto_iov *data, size_t num_data,
DES_key_schedule sched;
krb5_boolean empty;
+ if (FIPS_mode())
+ return KRB5_CRYPTO_INTERNAL;
+
ret = validate(key, ivec, data, num_data, &empty);
if (ret != 0)
return ret;
diff --git a/src/lib/crypto/openssl/enc_provider/des3.c b/src/lib/crypto/openssl/enc_provider/des3.c
index 1c439c2cd..8be555a8d 100644
--- a/src/lib/crypto/openssl/enc_provider/des3.c
+++ b/src/lib/crypto/openssl/enc_provider/des3.c
@@ -84,6 +84,9 @@ k5_des3_encrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
EVP_CIPHER_CTX *ctx;
krb5_boolean empty;
+ if (FIPS_mode())
+ return KRB5_CRYPTO_INTERNAL;
+
ret = validate(key, ivec, data, num_data, &empty);
if (ret != 0 || empty)
return ret;
@@ -133,6 +136,9 @@ k5_des3_decrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
EVP_CIPHER_CTX *ctx;
krb5_boolean empty;
+ if (FIPS_mode())
+ return KRB5_CRYPTO_INTERNAL;
+
ret = validate(key, ivec, data, num_data, &empty);
if (ret != 0 || empty)
return ret;
diff --git a/src/lib/crypto/openssl/enc_provider/rc4.c b/src/lib/crypto/openssl/enc_provider/rc4.c
index a65d57b7a..6ccaca94a 100644
--- a/src/lib/crypto/openssl/enc_provider/rc4.c
+++ b/src/lib/crypto/openssl/enc_provider/rc4.c
@@ -66,6 +66,9 @@ k5_arcfour_docrypt(krb5_key key, const krb5_data *state, krb5_crypto_iov *data,
EVP_CIPHER_CTX *ctx = NULL;
struct arcfour_state *arcstate;
+ if (FIPS_mode())
+ return KRB5_CRYPTO_INTERNAL;
+
arcstate = (state != NULL) ? (void *)state->data : NULL;
if (arcstate != NULL) {
ctx = arcstate->ctx;
@@ -113,7 +116,12 @@ k5_arcfour_docrypt(krb5_key key, const krb5_data *state, krb5_crypto_iov *data,
static void
k5_arcfour_free_state(krb5_data *state)
{
- struct arcfour_state *arcstate = (void *)state->data;
+ struct arcfour_state *arcstate;
+
+ if (FIPS_mode())
+ return;
+
+ arcstate = (void *) state->data;
EVP_CIPHER_CTX_free(arcstate->ctx);
free(arcstate);
@@ -125,6 +133,9 @@ k5_arcfour_init_state(const krb5_keyblock *key,
{
struct arcfour_state *arcstate;
+ if (FIPS_mode())
+ return KRB5_CRYPTO_INTERNAL;
+
/*
* The cipher state here is a saved pointer to a struct arcfour_state
* object, rather than a flat byte array as in most enc providers. The
diff --git a/src/lib/crypto/openssl/hash_provider/hash_evp.c b/src/lib/crypto/openssl/hash_provider/hash_evp.c
index 957ed8d9c..8c1fd7f59 100644
--- a/src/lib/crypto/openssl/hash_provider/hash_evp.c
+++ b/src/lib/crypto/openssl/hash_provider/hash_evp.c
@@ -64,12 +64,16 @@ hash_evp(const EVP_MD *type, const krb5_crypto_iov *data, size_t num_data,
static krb5_error_code
hash_md4(const krb5_crypto_iov *data, size_t num_data, krb5_data *output)
{
+ if (FIPS_mode())
+ return KRB5_CRYPTO_INTERNAL;
return hash_evp(EVP_md4(), data, num_data, output);
}
static krb5_error_code
hash_md5(const krb5_crypto_iov *data, size_t num_data, krb5_data *output)
{
+ if (FIPS_mode())
+ return KRB5_CRYPTO_INTERNAL;
return hash_evp(EVP_md5(), data, num_data, output);
}
diff --git a/src/lib/crypto/openssl/hmac.c b/src/lib/crypto/openssl/hmac.c
index 7dc59dcc0..769a50c00 100644
--- a/src/lib/crypto/openssl/hmac.c
+++ b/src/lib/crypto/openssl/hmac.c
@@ -103,7 +103,11 @@ map_digest(const struct krb5_hash_provider *hash)
return EVP_sha256();
else if (!strncmp(hash->hash_name, "SHA-384",7))
return EVP_sha384();
- else if (!strncmp(hash->hash_name, "MD5", 3))
+
+ if (FIPS_mode())
+ return NULL;
+
+ if (!strncmp(hash->hash_name, "MD5", 3))
return EVP_md5();
else if (!strncmp(hash->hash_name, "MD4", 3))
return EVP_md4();
diff --git a/src/plugins/preauth/spake/groups.c b/src/plugins/preauth/spake/groups.c
index a195cc195..8a913cb5a 100644
--- a/src/plugins/preauth/spake/groups.c
+++ b/src/plugins/preauth/spake/groups.c
@@ -56,6 +56,8 @@
#include "trace.h"
#include "groups.h"
+#include <openssl/crypto.h>
+
#define DEFAULT_GROUPS_CLIENT "edwards25519"
#define DEFAULT_GROUPS_KDC ""
@@ -102,6 +104,9 @@ find_gdef(int32_t group)
{
size_t i;
+ if (group == builtin_edwards25519.reg->id && FIPS_mode())
+ return NULL;
+
for (i = 0; groupdefs[i] != NULL; i++) {
if (groupdefs[i]->reg->id == group)
return groupdefs[i];
@@ -116,6 +121,9 @@ find_gnum(const char *name)
{
size_t i;
+ if (strcasecmp(name, builtin_edwards25519.reg->name) == 0 && FIPS_mode())
+ return 0;
+
for (i = 0; groupdefs[i] != NULL; i++) {
if (strcasecmp(name, groupdefs[i]->reg->name) == 0)
return groupdefs[i]->reg->id;

265
krb5-1.17-In-FIPS-mode-add-plaintext-fallback-for-RC.patch → krb5-1.17post2-FIPS-with-PRNG-SPAKE-and-RADIUS.patch
View File

@ -1,19 +1,227 @@
From 105bd2c8be23ab94ba6e0601ee8e531f013389d6 Mon Sep 17 00:00:00 2001
From 0c6860f5213e35226670772b53d70c858258a63e Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 31 Jul 2018 13:47:26 -0400
Subject: [PATCH] krb5-1.17 In FIPS mode, add plaintext fallback for RC4 usages
and taint
Date: Fri, 9 Nov 2018 15:12:21 -0500
Subject: [PATCH] krb5-1.17post2 FIPS with PRNG, SPAKE, and RADIUS
NB: Use openssl's PRNG in FIPS mode, be aware during SPAKE group
negotiation, and taint within krad.
A lot of the FIPS error conditions from OpenSSL are incredibly
mysterious (at best, things return NULL unexpectedly; at worst,
internal assertions are tripped; most of the time, you just get
ENOMEM). In order to cope with this, we need to have some level of
awareness of what we can and can't safely call.
This will slow down some calls slightly (FIPS_mode() takes multiple
locks), but not for any ciphers we care about - which is to say that
AES is fine. Shame about the SPAKE groups though.
---
src/lib/krad/attr.c | 45 +++++++++++++++++++++++++++++-----------
src/lib/krad/attrset.c | 5 +++--
src/lib/krad/internal.h | 13 ++++++++++--
src/lib/krad/packet.c | 22 +++++++++++---------
src/lib/krad/remote.c | 10 +++++++--
src/lib/krad/t_attr.c | 3 ++-
src/lib/krad/t_attrset.c | 4 +++-
7 files changed, 72 insertions(+), 30 deletions(-)
src/lib/crypto/krb/prng.c | 11 ++++-
.../crypto/openssl/enc_provider/camellia.c | 6 +++
src/lib/crypto/openssl/enc_provider/des.c | 9 ++++
src/lib/crypto/openssl/enc_provider/des3.c | 6 +++
src/lib/crypto/openssl/enc_provider/rc4.c | 13 +++++-
.../crypto/openssl/hash_provider/hash_evp.c | 4 ++
src/lib/crypto/openssl/hmac.c | 6 ++-
src/lib/krad/attr.c | 45 ++++++++++++++-----
src/lib/krad/attrset.c | 5 ++-
src/lib/krad/internal.h | 13 +++++-
src/lib/krad/packet.c | 22 ++++-----
src/lib/krad/remote.c | 10 ++++-
src/lib/krad/t_attr.c | 3 +-
src/lib/krad/t_attrset.c | 4 +-
src/plugins/preauth/spake/groups.c | 8 ++++
15 files changed, 132 insertions(+), 33 deletions(-)
diff --git a/src/lib/crypto/krb/prng.c b/src/lib/crypto/krb/prng.c
index cb9ca9b98..f0e9984ca 100644
--- a/src/lib/crypto/krb/prng.c
+++ b/src/lib/crypto/krb/prng.c
@@ -26,6 +26,8 @@
#include "crypto_int.h"
+#include <openssl/rand.h>
+
krb5_error_code KRB5_CALLCONV
krb5_c_random_seed(krb5_context context, krb5_data *data)
{
@@ -99,9 +101,16 @@ krb5_boolean
k5_get_os_entropy(unsigned char *buf, size_t len, int strong)
{
const char *device;
-#if defined(__linux__) && defined(SYS_getrandom)
int r;
+ /* A wild FIPS mode appeared! */
+ if (FIPS_mode()) {
+ /* The return codes on this API are not good */
+ r = RAND_bytes(buf, len);
+ return r == 1;
+ }
+
+#if defined(__linux__) && defined(SYS_getrandom)
while (len > 0) {
/*
* Pull from the /dev/urandom pool, but require it to have been seeded.
diff --git a/src/lib/crypto/openssl/enc_provider/camellia.c b/src/lib/crypto/openssl/enc_provider/camellia.c
index 2da691329..f79679a0b 100644
--- a/src/lib/crypto/openssl/enc_provider/camellia.c
+++ b/src/lib/crypto/openssl/enc_provider/camellia.c
@@ -304,6 +304,9 @@ krb5int_camellia_cbc_mac(krb5_key key, const krb5_crypto_iov *data,
unsigned char blockY[CAMELLIA_BLOCK_SIZE], blockB[CAMELLIA_BLOCK_SIZE];
struct iov_cursor cursor;
+ if (FIPS_mode())
+ return KRB5_CRYPTO_INTERNAL;
+
if (output->length < CAMELLIA_BLOCK_SIZE)
return KRB5_BAD_MSIZE;
@@ -331,6 +334,9 @@ static krb5_error_code
krb5int_camellia_init_state (const krb5_keyblock *key, krb5_keyusage usage,
krb5_data *state)
{
+ if (FIPS_mode())
+ return KRB5_CRYPTO_INTERNAL;
+
state->length = 16;
state->data = (void *) malloc(16);
if (state->data == NULL)
diff --git a/src/lib/crypto/openssl/enc_provider/des.c b/src/lib/crypto/openssl/enc_provider/des.c
index a662db512..7d17d287e 100644
--- a/src/lib/crypto/openssl/enc_provider/des.c
+++ b/src/lib/crypto/openssl/enc_provider/des.c
@@ -85,6 +85,9 @@ k5_des_encrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
EVP_CIPHER_CTX *ctx;
krb5_boolean empty;
+ if (FIPS_mode())
+ return KRB5_CRYPTO_INTERNAL;
+
ret = validate(key, ivec, data, num_data, &empty);
if (ret != 0 || empty)
return ret;
@@ -133,6 +136,9 @@ k5_des_decrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
EVP_CIPHER_CTX *ctx;
krb5_boolean empty;
+ if (FIPS_mode())
+ return KRB5_CRYPTO_INTERNAL;
+
ret = validate(key, ivec, data, num_data, &empty);
if (ret != 0 || empty)
return ret;
@@ -182,6 +188,9 @@ k5_des_cbc_mac(krb5_key key, const krb5_crypto_iov *data, size_t num_data,
DES_key_schedule sched;
krb5_boolean empty;
+ if (FIPS_mode())
+ return KRB5_CRYPTO_INTERNAL;
+
ret = validate(key, ivec, data, num_data, &empty);
if (ret != 0)
return ret;
diff --git a/src/lib/crypto/openssl/enc_provider/des3.c b/src/lib/crypto/openssl/enc_provider/des3.c
index 1c439c2cd..8be555a8d 100644
--- a/src/lib/crypto/openssl/enc_provider/des3.c
+++ b/src/lib/crypto/openssl/enc_provider/des3.c
@@ -84,6 +84,9 @@ k5_des3_encrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
EVP_CIPHER_CTX *ctx;
krb5_boolean empty;
+ if (FIPS_mode())
+ return KRB5_CRYPTO_INTERNAL;
+
ret = validate(key, ivec, data, num_data, &empty);
if (ret != 0 || empty)
return ret;
@@ -133,6 +136,9 @@ k5_des3_decrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
EVP_CIPHER_CTX *ctx;
krb5_boolean empty;
+ if (FIPS_mode())
+ return KRB5_CRYPTO_INTERNAL;
+
ret = validate(key, ivec, data, num_data, &empty);
if (ret != 0 || empty)
return ret;
diff --git a/src/lib/crypto/openssl/enc_provider/rc4.c b/src/lib/crypto/openssl/enc_provider/rc4.c
index a65d57b7a..6ccaca94a 100644
--- a/src/lib/crypto/openssl/enc_provider/rc4.c
+++ b/src/lib/crypto/openssl/enc_provider/rc4.c
@@ -66,6 +66,9 @@ k5_arcfour_docrypt(krb5_key key, const krb5_data *state, krb5_crypto_iov *data,
EVP_CIPHER_CTX *ctx = NULL;
struct arcfour_state *arcstate;
+ if (FIPS_mode())
+ return KRB5_CRYPTO_INTERNAL;
+
arcstate = (state != NULL) ? (void *)state->data : NULL;
if (arcstate != NULL) {
ctx = arcstate->ctx;
@@ -113,7 +116,12 @@ k5_arcfour_docrypt(krb5_key key, const krb5_data *state, krb5_crypto_iov *data,
static void
k5_arcfour_free_state(krb5_data *state)
{
- struct arcfour_state *arcstate = (void *)state->data;
+ struct arcfour_state *arcstate;
+
+ if (FIPS_mode())
+ return;
+
+ arcstate = (void *) state->data;
EVP_CIPHER_CTX_free(arcstate->ctx);
free(arcstate);
@@ -125,6 +133,9 @@ k5_arcfour_init_state(const krb5_keyblock *key,
{
struct arcfour_state *arcstate;
+ if (FIPS_mode())
+ return KRB5_CRYPTO_INTERNAL;
+
/*
* The cipher state here is a saved pointer to a struct arcfour_state
* object, rather than a flat byte array as in most enc providers. The
diff --git a/src/lib/crypto/openssl/hash_provider/hash_evp.c b/src/lib/crypto/openssl/hash_provider/hash_evp.c
index 957ed8d9c..8c1fd7f59 100644
--- a/src/lib/crypto/openssl/hash_provider/hash_evp.c
+++ b/src/lib/crypto/openssl/hash_provider/hash_evp.c
@@ -64,12 +64,16 @@ hash_evp(const EVP_MD *type, const krb5_crypto_iov *data, size_t num_data,
static krb5_error_code
hash_md4(const krb5_crypto_iov *data, size_t num_data, krb5_data *output)
{
+ if (FIPS_mode())
+ return KRB5_CRYPTO_INTERNAL;
return hash_evp(EVP_md4(), data, num_data, output);
}
static krb5_error_code
hash_md5(const krb5_crypto_iov *data, size_t num_data, krb5_data *output)
{
+ if (FIPS_mode())
+ return KRB5_CRYPTO_INTERNAL;
return hash_evp(EVP_md5(), data, num_data, output);
}
diff --git a/src/lib/crypto/openssl/hmac.c b/src/lib/crypto/openssl/hmac.c
index 7dc59dcc0..769a50c00 100644
--- a/src/lib/crypto/openssl/hmac.c
+++ b/src/lib/crypto/openssl/hmac.c
@@ -103,7 +103,11 @@ map_digest(const struct krb5_hash_provider *hash)
return EVP_sha256();
else if (!strncmp(hash->hash_name, "SHA-384",7))
return EVP_sha384();
- else if (!strncmp(hash->hash_name, "MD5", 3))
+
+ if (FIPS_mode())
+ return NULL;
+
+ if (!strncmp(hash->hash_name, "MD5", 3))
return EVP_md5();
else if (!strncmp(hash->hash_name, "MD4", 3))
return EVP_md4();
diff --git a/src/lib/krad/attr.c b/src/lib/krad/attr.c
index 9c13d9d75..275327e67 100644
--- a/src/lib/krad/attr.c
@ -351,3 +559,36 @@ index 7928335ca..0f9576253 100644
krad_attrset_free(set);
/* Manually encode User-Name. */
diff --git a/src/plugins/preauth/spake/groups.c b/src/plugins/preauth/spake/groups.c
index a195cc195..8a913cb5a 100644
--- a/src/plugins/preauth/spake/groups.c
+++ b/src/plugins/preauth/spake/groups.c
@@ -56,6 +56,8 @@
#include "trace.h"
#include "groups.h"
+#include <openssl/crypto.h>
+
#define DEFAULT_GROUPS_CLIENT "edwards25519"
#define DEFAULT_GROUPS_KDC ""
@@ -102,6 +104,9 @@ find_gdef(int32_t group)
{
size_t i;
+ if (group == builtin_edwards25519.reg->id && FIPS_mode())
+ return NULL;
+
for (i = 0; groupdefs[i] != NULL; i++) {
if (groupdefs[i]->reg->id == group)
return groupdefs[i];
@@ -116,6 +121,9 @@ find_gnum(const char *name)
{
size_t i;
+ if (strcasecmp(name, builtin_edwards25519.reg->name) == 0 && FIPS_mode())
+ return 0;
+
for (i = 0; groupdefs[i] != NULL; i++) {
if (strcasecmp(name, groupdefs[i]->reg->name) == 0)
return groupdefs[i]->reg->id;

10
krb5.spec
View File

@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
Name: krb5
Version: 1.17
# for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
Release: 19%{?dist}
Release: 20%{?dist}
# lookaside-cached sources; two downloads and a build artifact
Source0: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}%{prerelease}.tar.gz
@ -59,7 +59,6 @@ Patch33: krb5-1.13-dirsrv-accountlock.patch
Patch34: krb5-1.9-debuginfo.patch
Patch35: krb5-1.11-run_user_0.patch
Patch36: krb5-1.11-kpasswdtest.patch
Patch37: krb5-1.17-In-FIPS-mode-add-plaintext-fallback-for-RC.patch
Patch90: Add-tests-for-KCM-ccache-type.patch
Patch92: Address-some-optimized-out-memset-calls.patch
Patch94: Avoid-allocating-a-register-in-zap-assembly.patch
@ -93,12 +92,12 @@ Patch123: Avoid-alignment-warnings-in-openssl-rc4.c.patch
Patch124: Simply-OpenSSL-PKCS7-decryption-code.patch
Patch125: Improve-error-messages-from-kadmin-change_password.patch
Patch126: Remove-more-dead-code.patch
Patch127: krb5-1.17post1-FIPS-with-PRNG-and-SPAKE.patch
Patch127: krb5-1.17post2-FIPS-with-PRNG-SPAKE-and-RADIUS.patch
Patch128: Remove-checksum-type-profile-variables.patch
Patch129: Remove-dead-variable-def_kslist-from-two-files.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
URL: https://web.mit.edu/kerberos/www/
BuildRequires: autoconf, bison, cmake, flex, gawk, gettext, pkgconfig, sed
BuildRequires: gcc
BuildRequires: libcom_err-devel, libedit-devel, libss-devel
@ -702,6 +701,9 @@ exit 0
%{_libdir}/libkadm5srv_mit.so.*
%changelog
* Tue May 14 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-20
- (Patch consolidation; hopefully no changes)
* Tue May 14 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-19
- Remove checksum type profile variables