From aec30dcfcb629c33baee930331e910c74755f88f Mon Sep 17 00:00:00 2001
From: Robbie Harwood
Date: Thu, 20 May 2021 10:39:59 -0400
Subject: [PATCH] Fix DES3 mention in KDFs

Resolves: #1955873
---
 Handle-OpenSSL-3-s-providers.patch | 2 +-
 ...ad-changed-behavior-on-server-hangup.patch | 2 +-
 ...KDF-and-KRB5KDF-for-deriving-long-te.patch | 19 +++++++++----------
 krb5.spec | 6 +++++-
 4 files changed, 16 insertions(+), 13 deletions(-)

diff --git a/Handle-OpenSSL-3-s-providers.patch b/Handle-OpenSSL-3-s-providers.patch
index dd80bfb..98a87a5 100644
--- a/Handle-OpenSSL-3-s-providers.patch
+++ b/Handle-OpenSSL-3-s-providers.patch
@@ -1,4 +1,4 @@
-From 64a276e3485b7066a3c630d018ca44dabeb7b6c7 Mon Sep 17 00:00:00 2001
+From ea62d96f5b1e47818ab9f33ad143c4ffb460b3af Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Sat, 15 May 2021 21:18:06 -0400
 Subject: [PATCH] Handle OpenSSL 3's providers
diff --git a/Handle-SSL_read-changed-behavior-on-server-hangup.patch b/Handle-SSL_read-changed-behavior-on-server-hangup.patch
index 5efa8f8..cc71a31 100644
--- a/Handle-SSL_read-changed-behavior-on-server-hangup.patch
+++ b/Handle-SSL_read-changed-behavior-on-server-hangup.patch
@@ -1,4 +1,4 @@
-From f135f51b0ec59d320f79cd961411231084364489 Mon Sep 17 00:00:00 2001
+From a57ebca127a49869296ee2790e28eb37fdd20488 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Wed, 19 May 2021 19:33:34 -0400
 Subject: [PATCH] Handle SSL_read changed behavior on server hangup
diff --git a/Use-OpenSSL-s-KBKDF-and-KRB5KDF-for-deriving-long-te.patch b/Use-OpenSSL-s-KBKDF-and-KRB5KDF-for-deriving-long-te.patch
index 744366e..c62db8f 100644
--- a/Use-OpenSSL-s-KBKDF-and-KRB5KDF-for-deriving-long-te.patch
+++ b/Use-OpenSSL-s-KBKDF-and-KRB5KDF-for-deriving-long-te.patch
@@ -1,4 +1,4 @@
-From 454a1a84ad161bd892c5b388edac09322c08cd06 Mon Sep 17 00:00:00 2001
+From d8540c91db499761148ec681eb46a455f0808e22 Mon Sep 17 00:00:00 2001
From: Robbie Harwood Date: Fri, 4 Oct 2019 14:49:29 -0400 Subject: [PATCH] Use OpenSSL's KBKDF and KRB5KDF for deriving long-term keys @@ -8,12 +8,13 @@ KRB5KDF (3des and aes-sha1). We already use OpenSSL's PBKDF2 where appropriate. OpenSSL added support for these KDFs in 3.0. (cherry picked from commit ef8d11f6fb1232201c9efd2ae2ed567023fb85d2) +[rharwood@redhat.com: 3des removal] --- - src/lib/crypto/krb/derive.c | 411 ++++++++++++++++++++++++++++-------- - 1 file changed, 326 insertions(+), 85 deletions(-) + src/lib/crypto/krb/derive.c | 409 ++++++++++++++++++++++++++++-------- + 1 file changed, 324 insertions(+), 85 deletions(-) diff --git a/src/lib/crypto/krb/derive.c b/src/lib/crypto/krb/derive.c -index 6707a7308..1f07464e0 100644 +index 6707a7308..8e474b38e 100644 --- a/src/lib/crypto/krb/derive.c +++ b/src/lib/crypto/krb/derive.c @@ -27,6 +27,12 @@ @@ -29,7 +30,7 @@ index 6707a7308..1f07464e0 100644 static krb5_key find_cached_dkey(struct derived_key *list, const krb5_data *constant) { -@@ -77,55 +83,253 @@ cleanup: +@@ -77,55 +83,251 @@ cleanup: return ENOMEM; } @@ -195,8 +196,6 @@ index 6707a7308..1f07464e0 100644 + cipher = "AES-128-CBC"; + } else if (!memcmp(enc, &krb5int_enc_aes256, sizeof(*enc))) { + cipher = "AES-256-CBC"; -+ } else if (!memcmp(enc, &krb5int_enc_des3, sizeof(*enc))) { -+ cipher = "DES-EDE3-CBC"; + } else { + ret = KRB5_CRYPTO_INTERNAL; + goto done; @@ -320,7 +319,7 @@ index 6707a7308..1f07464e0 100644 return ret; } -@@ -139,9 +343,9 @@ cleanup: +@@ -139,9 +341,9 @@ cleanup: * - Four bytes are used to encode the output length in the PRF input. */ static krb5_error_code @@ -333,7 +332,7 @@ index 6707a7308..1f07464e0 100644 { size_t blocksize, keybytes, n; krb5_crypto_iov iov[6]; -@@ -204,56 +408,94 @@ cleanup: +@@ -204,56 +406,94 @@ cleanup: return ret; } 
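Review bot: In the `@@ -195,8 +196,6 @@` hunk, the closing `else` (`ret = KRB5_CRYPTO_INTERNAL; goto done;`) is now where a 3DES provider ends up, and nothing in the code says that this is deliberate rather than an oversight. I would put a comment above that branch, for example `/* 3DES is deliberately not handled here; only AES-128 and AES-256 keys are derived through KRB5KDF. */`, so a later rebase onto upstream does not quietly restore the `DES-EDE3-CBC` case. The surviving checks identify the provider with `memcmp(enc, &krb5int_enc_aes256, sizeof(*enc))`; if callers always pass the library's own provider objects (not visible in this hunk), `enc == &krb5int_enc_aes256` would express the same test without depending on the struct's byte layout. The patch file's own description still reads "KRB5KDF (3des and aes-sha1)" just above the added `[rharwood@redhat.com: 3des removal]` line, which is worth rewording to match. The enclosing function starts and ends outside this hunk.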
@@ -471,7 +470,7 @@ index 6707a7308..1f07464e0 100644 } krb5_error_code -@@ -268,8 +510,7 @@ krb5int_derive_random(const struct krb5_enc_provider *enc, +@@ -268,8 +508,7 @@ krb5int_derive_random(const struct krb5_enc_provider *enc, case DERIVE_RFC3961: return derive_random_rfc3961(enc, inkey, outrnd, in_constant); case DERIVE_SP800_108_CMAC: diff --git a/krb5.spec b/krb5.spec index 8be3477..730b803 100644 --- a/krb5.spec +++ b/krb5.spec @@ -42,7 +42,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.19.1 -Release: %{?zdpd}4%{?dist} +Release: %{?zdpd}5%{?dist} # rharwood has trust path to signing key and verifies on check-in Source0: https://web.mit.edu/kerberos/dist/krb5/%{version}/krb5-%{version}%{?dashpre}.tar.gz @@ -640,6 +640,10 @@ exit 0 %{_libdir}/libkadm5srv_mit.so.* %changelog +* Thu May 20 2021 Robbie Harwood - 1.19.1-5 +- Fix DES3 mention in KDFs +- Resolves: #1955873 + * Wed May 19 2021 Robbie Harwood - 1.19.1-4 - Port to OpenSSL 3 (alpha 15) - Resolves: #1955873