Fix DES3 mention in KDFs

Resolves: #1955873
Robbie Harwood 2021-05-20 10:39:59 -04:00
parent 0018db9e38
commit aec30dcfcb
4 changed files with 16 additions and 13 deletions


@ -1,4 +1,4 @@
From 64a276e3485b7066a3c630d018ca44dabeb7b6c7 Mon Sep 17 00:00:00 2001
From ea62d96f5b1e47818ab9f33ad143c4ffb460b3af Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Sat, 15 May 2021 21:18:06 -0400
Subject: [PATCH] Handle OpenSSL 3's providers


@ -1,4 +1,4 @@
From f135f51b0ec59d320f79cd961411231084364489 Mon Sep 17 00:00:00 2001
From a57ebca127a49869296ee2790e28eb37fdd20488 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Wed, 19 May 2021 19:33:34 -0400
Subject: [PATCH] Handle SSL_read changed behavior on server hangup


@ -1,4 +1,4 @@
From 454a1a84ad161bd892c5b388edac09322c08cd06 Mon Sep 17 00:00:00 2001
From d8540c91db499761148ec681eb46a455f0808e22 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Fri, 4 Oct 2019 14:49:29 -0400
Subject: [PATCH] Use OpenSSL's KBKDF and KRB5KDF for deriving long-term keys
@ -8,12 +8,13 @@ KRB5KDF (3des and aes-sha1). We already use OpenSSL's PBKDF2 where
appropriate. OpenSSL added support for these KDFs in 3.0.
(cherry picked from commit ef8d11f6fb1232201c9efd2ae2ed567023fb85d2)
[rharwood@redhat.com: 3des removal]
---
src/lib/crypto/krb/derive.c | 411 ++++++++++++++++++++++++++++--------
1 file changed, 326 insertions(+), 85 deletions(-)
src/lib/crypto/krb/derive.c | 409 ++++++++++++++++++++++++++++--------
1 file changed, 324 insertions(+), 85 deletions(-)
diff --git a/src/lib/crypto/krb/derive.c b/src/lib/crypto/krb/derive.c
index 6707a7308..1f07464e0 100644
index 6707a7308..8e474b38e 100644
--- a/src/lib/crypto/krb/derive.c
+++ b/src/lib/crypto/krb/derive.c
@@ -27,6 +27,12 @@
@ -29,7 +30,7 @@ index 6707a7308..1f07464e0 100644
static krb5_key
find_cached_dkey(struct derived_key *list, const krb5_data *constant)
{
@@ -77,55 +83,253 @@ cleanup:
@@ -77,55 +83,251 @@ cleanup:
return ENOMEM;
}
@ -195,8 +196,6 @@ index 6707a7308..1f07464e0 100644
+ cipher = "AES-128-CBC";
+ } else if (!memcmp(enc, &krb5int_enc_aes256, sizeof(*enc))) {
+ cipher = "AES-256-CBC";
+ } else if (!memcmp(enc, &krb5int_enc_des3, sizeof(*enc))) {
+ cipher = "DES-EDE3-CBC";
+ } else {
+ ret = KRB5_CRYPTO_INTERNAL;
+ goto done;
@ -320,7 +319,7 @@ index 6707a7308..1f07464e0 100644
return ret;
}
@@ -139,9 +343,9 @@ cleanup:
@@ -139,9 +341,9 @@ cleanup:
* - Four bytes are used to encode the output length in the PRF input.
*/
static krb5_error_code
@ -333,7 +332,7 @@ index 6707a7308..1f07464e0 100644
{
size_t blocksize, keybytes, n;
krb5_crypto_iov iov[6];
@@ -204,56 +408,94 @@ cleanup:
@@ -204,56 +406,94 @@ cleanup:
return ret;
}
@ -471,7 +470,7 @@ index 6707a7308..1f07464e0 100644
}
krb5_error_code
@@ -268,8 +510,7 @@ krb5int_derive_random(const struct krb5_enc_provider *enc,
@@ -268,8 +508,7 @@ krb5int_derive_random(const struct krb5_enc_provider *enc,
case DERIVE_RFC3961:
return derive_random_rfc3961(enc, inkey, outrnd, in_constant);
case DERIVE_SP800_108_CMAC:
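Review bot: The `else` arm after the `cipher = "AES-128-CBC"` / `cipher = "AES-256-CBC"` chain has no comment saying that 3DES is rejected on purpose. With the `krb5int_enc_des3` branch apparently dropped (the hunk shrinks by two lines), a 3DES provider reaching this code gets `KRB5_CRYPTO_INTERNAL`, which reads like a library fault rather than a deliberate refusal of a legacy cipher. I would add a comment on that arm, for example `/* 3DES is intentionally not mapped; only the AES-CBC providers have an OpenSSL cipher name here. */`, so a later audit does not restore the branch by mistake. Whether callers can still pass a 3DES provider into this path is not visible here and should be confirmed. The enclosing function starts and ends outside the lines shown.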

View File

@ -42,7 +42,7 @@
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.19.1
Release: %{?zdpd}4%{?dist}
Release: %{?zdpd}5%{?dist}
# rharwood has trust path to signing key and verifies on check-in
Source0: https://web.mit.edu/kerberos/dist/krb5/%{version}/krb5-%{version}%{?dashpre}.tar.gz
@ -640,6 +640,10 @@ exit 0
%{_libdir}/libkadm5srv_mit.so.*
%changelog
* Thu May 20 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.1-5
- Fix DES3 mention in KDFs
- Resolves: #1955873
* Wed May 19 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.1-4
- Port to OpenSSL 3 (alpha 15)
- Resolves: #1955873