rpms/krb5
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Don't assume OpenSSL failures are memory errors

Browse Source
This commit is contained in:
Robbie Harwood 2020-02-07 10:59:57 -05:00
parent edfb00e001
commit dd3e136188
2 changed files with 49 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
Don-t-assume-OpenSSL-failures-are-memory-errors.patch Normal file
View File

@ -0,0 +1,44 @@
From 4951953618e5b53a571c4d1e4fcb5e6b14fbe004 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Wed, 5 Feb 2020 12:56:00 -0500
Subject: [PATCH] Don't assume OpenSSL failures are memory errors
More recent versions of OpenSSL can fail for other reasons. Indicate
a crypto-related error occurred rather than a memory error to aid
debugging.
ticket: 8873 (new)
tags: pullup
target_version: 1.18
target_version: 1.17-next
(cherry picked from commit bf9b2134ceddd6c727362be894b1c95c297a0f17)
---
src/lib/crypto/openssl/hash_provider/hash_evp.c | 2 +-
src/lib/crypto/openssl/sha256.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/lib/crypto/openssl/hash_provider/hash_evp.c b/src/lib/crypto/openssl/hash_provider/hash_evp.c
index 915da9dbe..feb5eda99 100644
--- a/src/lib/crypto/openssl/hash_provider/hash_evp.c
+++ b/src/lib/crypto/openssl/hash_provider/hash_evp.c
@@ -63,7 +63,7 @@ hash_evp(const EVP_MD *type, const krb5_crypto_iov *data, size_t num_data,
}
ok = ok && EVP_DigestFinal_ex(ctx, (uint8_t *)output->data, NULL);
EVP_MD_CTX_free(ctx);
- return ok ? 0 : ENOMEM;
+ return ok ? 0 : KRB5_CRYPTO_INTERNAL;
}
static krb5_error_code
diff --git a/src/lib/crypto/openssl/sha256.c b/src/lib/crypto/openssl/sha256.c
index 0edd8b7ba..f9dfc8539 100644
--- a/src/lib/crypto/openssl/sha256.c
+++ b/src/lib/crypto/openssl/sha256.c
@@ -48,5 +48,5 @@ k5_sha256(const krb5_data *in, size_t n, uint8_t out[K5_SHA256_HASHLEN])
ok = ok && EVP_DigestUpdate(ctx, in[i].data, in[i].length);
ok = ok && EVP_DigestFinal_ex(ctx, out, NULL);
EVP_MD_CTX_free(ctx);
- return ok ? 0 : ENOMEM;
+ return ok ? 0 : KRB5_CRYPTO_INTERNAL;
}

6
krb5.spec
View File

@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
Name: krb5
Version: 1.18
# for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
Release: 0.beta2.2%{?dist}
Release: 0.beta2.3%{?dist}
# rharwood has trust path to signing key and verifies on check-in
Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz
@ -52,6 +52,7 @@ Patch6: downstream-Use-backported-version-of-OpenSSL-3-KDF-i.patch
Patch7: downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch
Patch8: Put-KDB-authdata-first.patch
Patch9: Test-that-PAC-is-the-first-authdata-element.patch
Patch10: Don-t-assume-OpenSSL-failures-are-memory-errors.patch
License: MIT
URL: https://web.mit.edu/kerberos/www/
@ -625,6 +626,9 @@ exit 0
%{_libdir}/libkadm5srv_mit.so.*
%changelog
* Fri Feb 07 2020 Robbie Harwood <rharwood@redhat.com> - 1.18-0.beta2.3
- Don't assume OpenSSL failures are memory errors
* Thu Feb 06 2020 Robbie Harwood <rharwood@redhat.com> - 1.18-0.beta2.2
- Put KDB authdata first