From dd3e136188bd2c37d9aa0f8eb0f21d98127e6fab Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Fri, 7 Feb 2020 10:59:57 -0500 Subject: [PATCH] Don't assume OpenSSL failures are memory errors --- ...e-OpenSSL-failures-are-memory-errors.patch | 44 +++++++++++++++++++ krb5.spec | 6 ++- 2 files changed, 49 insertions(+), 1 deletion(-) create mode 100644 Don-t-assume-OpenSSL-failures-are-memory-errors.patch diff --git a/Don-t-assume-OpenSSL-failures-are-memory-errors.patch b/Don-t-assume-OpenSSL-failures-are-memory-errors.patch new file mode 100644 index 0000000..151e523 --- /dev/null +++ b/Don-t-assume-OpenSSL-failures-are-memory-errors.patch @@ -0,0 +1,44 @@ +From 4951953618e5b53a571c4d1e4fcb5e6b14fbe004 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Wed, 5 Feb 2020 12:56:00 -0500 +Subject: [PATCH] Don't assume OpenSSL failures are memory errors + +More recent versions of OpenSSL can fail for other reasons. Indicate +a crypto-related error occurred rather than a memory error to aid +debugging. + +ticket: 8873 (new) +tags: pullup +target_version: 1.18 +target_version: 1.17-next + +(cherry picked from commit bf9b2134ceddd6c727362be894b1c95c297a0f17) +--- + src/lib/crypto/openssl/hash_provider/hash_evp.c | 2 +- + src/lib/crypto/openssl/sha256.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/lib/crypto/openssl/hash_provider/hash_evp.c b/src/lib/crypto/openssl/hash_provider/hash_evp.c +index 915da9dbe..feb5eda99 100644 +--- a/src/lib/crypto/openssl/hash_provider/hash_evp.c ++++ b/src/lib/crypto/openssl/hash_provider/hash_evp.c +@@ -63,7 +63,7 @@ hash_evp(const EVP_MD *type, const krb5_crypto_iov *data, size_t num_data, + } + ok = ok && EVP_DigestFinal_ex(ctx, (uint8_t *)output->data, NULL); + EVP_MD_CTX_free(ctx); +- return ok ? 0 : ENOMEM; ++ return ok ? 0 : KRB5_CRYPTO_INTERNAL; + } + + static krb5_error_code +diff --git a/src/lib/crypto/openssl/sha256.c b/src/lib/crypto/openssl/sha256.c +index 0edd8b7ba..f9dfc8539 100644 +--- a/src/lib/crypto/openssl/sha256.c ++++ b/src/lib/crypto/openssl/sha256.c +@@ -48,5 +48,5 @@ k5_sha256(const krb5_data *in, size_t n, uint8_t out[K5_SHA256_HASHLEN]) + ok = ok && EVP_DigestUpdate(ctx, in[i].data, in[i].length); + ok = ok && EVP_DigestFinal_ex(ctx, out, NULL); + EVP_MD_CTX_free(ctx); +- return ok ? 0 : ENOMEM; ++ return ok ? 0 : KRB5_CRYPTO_INTERNAL; + } diff --git a/krb5.spec b/krb5.spec index 73216f6..aa68ebf 100644 --- a/krb5.spec +++ b/krb5.spec @@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.18 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces) -Release: 0.beta2.2%{?dist} +Release: 0.beta2.3%{?dist} # rharwood has trust path to signing key and verifies on check-in Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz @@ -52,6 +52,7 @@ Patch6: downstream-Use-backported-version-of-OpenSSL-3-KDF-i.patch Patch7: downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch Patch8: Put-KDB-authdata-first.patch Patch9: Test-that-PAC-is-the-first-authdata-element.patch +Patch10: Don-t-assume-OpenSSL-failures-are-memory-errors.patch License: MIT URL: https://web.mit.edu/kerberos/www/ @@ -625,6 +626,9 @@ exit 0 %{_libdir}/libkadm5srv_mit.so.* %changelog +* Fri Feb 07 2020 Robbie Harwood - 1.18-0.beta2.3 +- Don't assume OpenSSL failures are memory errors + * Thu Feb 06 2020 Robbie Harwood - 1.18-0.beta2.2 - Put KDB authdata first