From f0b4f85e9e3715cf90d634cd4cd21452fda2620a Mon Sep 17 00:00:00 2001
From: Julien Rische
Date: Thu, 5 Jan 2023 20:18:20 +0100
Subject: [PATCH] Include missing OpenSSL FIPS header
Signed-off-by: Julien Rische
---
 ...-Include-missing-OpenSSL-FIPS-header.patch | 120 ++++++++++++++++++
 krb5.spec | 4 +-
 2 files changed, 123 insertions(+), 1 deletion(-)
 create mode 100644 0014-downstream-Include-missing-OpenSSL-FIPS-header.patch
diff --git a/0014-downstream-Include-missing-OpenSSL-FIPS-header.patch b/0014-downstream-Include-missing-OpenSSL-FIPS-header.patch
new file mode 100644
index 0000000..24ba48a
--- /dev/null
+++ b/0014-downstream-Include-missing-OpenSSL-FIPS-header.patch
@@ -0,0 +1,120 @@
+From d57a804136c5ebf473ce053a9517edd71a56389f Mon Sep 17 00:00:00 2001
+From: Julien Rische
+Date: Thu, 5 Jan 2023 20:06:47 +0100
+Subject: [PATCH] [downstream] Include missing OpenSSL FIPS header
+
+The inclusion of openssl/fips.h, which provides the declaration of
+FIPS_mode(), was removed from openssl/crypto.h. As a consequence, this
+header file has to be included explicitly in krb5 code.
+---
+ src/lib/crypto/krb/prng.c | 4 +++-
+ src/lib/crypto/openssl/enc_provider/camellia.c | 1 +
+ src/lib/crypto/openssl/enc_provider/rc4.c | 4 ++++
+ src/lib/crypto/openssl/hmac.c | 1 +
+ src/lib/krad/internal.h | 4 ++++
+ src/plugins/preauth/spake/spake_client.c | 4 ++++
+ src/plugins/preauth/spake/spake_kdc.c | 4 ++++
+ 7 files changed, 21 insertions(+), 1 deletion(-)
+
+diff --git a/src/lib/crypto/krb/prng.c b/src/lib/crypto/krb/prng.c
+index 9e80a03d21..ae37c77518 100644
+--- a/src/lib/crypto/krb/prng.c
++++ b/src/lib/crypto/krb/prng.c
+@@ -28,7 +28,9 @@
+
+ #include
+
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++#include
++#else
+ #include
+ #endif
+
+diff --git a/src/lib/crypto/openssl/enc_provider/camellia.c b/src/lib/crypto/openssl/enc_provider/camellia.c
+index d9f327add6..3dd3b0624f 100644
+--- a/src/lib/crypto/openssl/enc_provider/camellia.c
++++ b/src/lib/crypto/openssl/enc_provider/camellia.c
+@@ -32,6 +32,7 @@
+ #include
+ #if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ #include
++#include
+ #else
+ #include
+ #endif
+diff --git a/src/lib/crypto/openssl/enc_provider/rc4.c b/src/lib/crypto/openssl/enc_provider/rc4.c
+index ce63cb5f1b..6a83f10d27 100644
+--- a/src/lib/crypto/openssl/enc_provider/rc4.c
++++ b/src/lib/crypto/openssl/enc_provider/rc4.c
+@@ -38,6 +38,10 @@
+
+ #include
+
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++#include
++#endif
++
+ /*
+ * The loopback field is a pointer to the structure. If the application copies
+ * the state (not a valid operation, but one which happens to works with some
+diff --git a/src/lib/crypto/openssl/hmac.c b/src/lib/crypto/openssl/hmac.c
+index f21e268f7f..25a419d73a 100644
+--- a/src/lib/crypto/openssl/hmac.c
++++ b/src/lib/crypto/openssl/hmac.c
+@@ -59,6 +59,7 @@
+ #if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ #include
+ #include
++#include
+ #else
+ #include
+ #endif
+diff --git a/src/lib/krad/internal.h b/src/lib/krad/internal.h
+index e123763954..a17b6f39b1 100644
+--- a/src/lib/krad/internal.h
++++ b/src/lib/krad/internal.h
+@@ -41,6 +41,10 @@
+
+ #include
+
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++#include
++#endif
++
+ #ifndef UCHAR_MAX
+ #define UCHAR_MAX 255
+ #endif
+diff --git a/src/plugins/preauth/spake/spake_client.c b/src/plugins/preauth/spake/spake_client.c
+index a3ce22b70f..13c699071f 100644
+--- a/src/plugins/preauth/spake/spake_client.c
++++ b/src/plugins/preauth/spake/spake_client.c
+@@ -40,6 +40,10 @@
+
+ #include
+
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++#include
++#endif
++
+ typedef struct reqstate_st {
+ krb5_pa_spake *msg; /* set in prep_questions, used in process */
+ krb5_keyblock *initial_key;
+diff --git a/src/plugins/preauth/spake/spake_kdc.c b/src/plugins/preauth/spake/spake_kdc.c
+index 232e78bc05..3394f8a58e 100644
+--- a/src/plugins/preauth/spake/spake_kdc.c
++++ b/src/plugins/preauth/spake/spake_kdc.c
+@@ -43,6 +43,10 @@
+
+ #include
+
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++#include
++#endif
++
+ /*
+ * The SPAKE kdcpreauth module uses a secure cookie containing the following
+ * concatenated fields (all integer fields are big-endian):
+--
+2.38.1
+
diff --git a/krb5.spec b/krb5.spec
index 44696f6..3593e7d 100644
--- a/krb5.spec
+++ b/krb5.spec
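Review bot: The new `#if OPENSSL_VERSION_NUMBER >= 0x30000000L` guards added in rc4.c, internal.h, spake_client.c and spake_kdc.c only work if OPENSSL_VERSION_NUMBER is already defined at that point; the header names in the preceding `#include` lines are stripped in this rendering, so I cannot confirm an OpenSSL header precedes each guard, and if none does the macro evaluates to 0 and the FIPS header is silently skipped, leaving FIPS_mode() implicitly declared (a warning or a hard error depending on the compiler) rather than a visible build failure. The guard in camellia.c and hmac.c sits inside an existing `#if` block, so those two are fine. As far as I know upstream OpenSSL 3 ships no openssl/fips.h and deprecates FIPS_mode() in favour of EVP_default_properties_is_fips_enabled(), so the bare version-number test is only correct against the downstream OpenSSL build this patch targets; a one-line comment above each new guard, `/* openssl/fips.h is a downstream OpenSSL 3 header providing FIPS_mode(); not present upstream */`, would stop the next rebase from "fixing" it. Since a silently missing FIPS check is a worse failure mode than a compile error here, an `#error` in an `#else` branch when the header is expected but absent would be a cheap safeguard.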
@@ -72,6 +72,7 @@ Patch10: 0010-Update-error-checking-for-OpenSSL-CMS_verify.patch
 Patch11: 0011-downstream-Catch-SHA-1-digest-disallowed-error-for-P.patch
 Patch12: 0012-Add-and-use-ts_interval-helper.patch
 Patch13: 0013-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch
+Patch14: 0014-downstream-Include-missing-OpenSSL-FIPS-header.patch
 
 License: MIT
 URL: https://web.mit.edu/kerberos/www/
@@ -708,7 +709,8 @@ exit 0
 %{_datarootdir}/%{name}-tests/
 
 %changelog
-* Tue Dec 20 2022 Julien Rische - 1.20.1-4
+* Thu Jan 05 2023 Julien Rische - 1.20.1-4
+- Include missing OpenSSL FIPS header
 - Make tests compatible with sssd_krb5_locator_plugin.so
 
 * Tue Dec 06 2022 Julien Rische - 1.20.1-3