From fe66536c1b7aec67233739df97cbe0301ee6475e Mon Sep 17 00:00:00 2001
From: Robbie Harwood
Date: Tue, 19 Nov 2019 15:03:19 -0500
Subject: [PATCH] krb5-1.17post2 DES/3DES fixups

Kept separate from the other patch because rawhide doesn't have DES. post2 adds krb5kdf workarounds.
---
 src/lib/crypto/krb/derive.c | 6 +++++-
 src/lib/crypto/openssl/enc_provider/des.c | 9 +++++++++
 src/lib/crypto/openssl/enc_provider/des3.c | 6 ++++++
 3 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/src/lib/crypto/krb/derive.c b/src/lib/crypto/krb/derive.c
index 915a173dd..ebdab69bc 100644
--- a/src/lib/crypto/krb/derive.c
+++ b/src/lib/crypto/krb/derive.c
@@ -348,6 +348,7 @@ cleanup:
 zapfree(prf.data, blocksize);
 return ret;
 }
+#endif /* OSSL_KDFS */
 
 static krb5_error_code
 builtin_derive_random_rfc3961(const struct krb5_enc_provider *enc,
@@ -400,7 +401,6 @@ cleanup:
 zapfree(block.data, blocksize);
 return ret;
 }
-#endif /* OSSL_KDFS */
 
 krb5_error_code
 k5_sp800_108_counter_hmac(const struct krb5_hash_provider *hash,
@@ -432,6 +432,10 @@ k5_derive_random_rfc3961(const struct krb5_enc_provider *enc, krb5_key inkey,
 krb5_data *outrnd, const krb5_data *in_constant)
 {
+ /* DES (single and triple). They'll be gone very soon. */
+ if (enc->keylength == 8 || enc->keylength == 24)
+ return builtin_derive_random_rfc3961(enc, inkey, outrnd, in_constant);
+
 #ifdef OSSL_KDFS
 return openssl_krb5kdf(enc, inkey, outrnd, in_constant);
 #else
diff --git a/src/lib/crypto/openssl/enc_provider/des.c b/src/lib/crypto/openssl/enc_provider/des.c
index a662db512..7d17d287e 100644
--- a/src/lib/crypto/openssl/enc_provider/des.c
+++ b/src/lib/crypto/openssl/enc_provider/des.c
@@ -85,6 +85,9 @@ k5_des_encrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
 EVP_CIPHER_CTX *ctx;
 krb5_boolean empty;
 
+ if (FIPS_mode())
+ return KRB5_CRYPTO_INTERNAL;
+
 ret = validate(key, ivec, data, num_data, &empty);
 if (ret != 0 || empty)
 return ret;
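Review bot: The new guard in k5_derive_random_rfc3961 picks out DES and 3DES by `enc->keylength == 8 || enc->keylength == 24`, which keys the bypass on a key size rather than on the cipher, so any other provider that happens to use an 8- or 24-byte key would silently take the builtin path as well. Comparing the provider itself is the direct test; krb5 exports the DES providers from enc_provider.h for this kind of dispatch, so `if (enc == &krb5int_enc_des || enc == &krb5int_enc_des3)` would do, though I have not checked that header in this tree and the names should be confirmed before switching. The comment `They'll be gone very soon.` records the plan but not the reason the OpenSSL KDF is skipped for these two ciphers, which is what the next reader of this branch will want; one sentence naming that reason would do. The function's body continues past the hunk, and the `#ifdef OSSL_KDFS` that the relocated `#endif` of the first hunk now closes is also outside what is shown, so I could not verify that builtin_derive_random_rfc3961 is the only symbol that needed to be exposed.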
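Review bot: The three-line `FIPS_mode()` guard added to k5_des_encrypt is pasted verbatim into k5_des_decrypt and k5_des_cbc_mac further down and into k5_des3_encrypt and k5_des3_decrypt in des3.c, each time directly ahead of that file's `validate()` call, so a single check at the top of each validate() would cover all five entry points and keep the policy in one place (validate's body is outside the hunks; confirm nothing depends on it running before the FIPS test). Returning `KRB5_CRYPTO_INTERNAL` makes a refusal by policy indistinguishable from a genuine provider fault for callers and in logs; if there is no more specific code to use, a comment such as `/* Refused by FIPS policy; not a provider failure. */` on the guard would at least record that the error is deliberate. `FIPS_mode()` is the OpenSSL 1.x interface and, as far as I recall, is removed in OpenSSL 3.0 in favour of `EVP_default_properties_is_fips_enabled()`, so this call will need a compatibility shim when the package moves to that release.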
@@ -133,6 +136,9 @@ k5_des_decrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
 EVP_CIPHER_CTX *ctx;
 krb5_boolean empty;
 
+ if (FIPS_mode())
+ return KRB5_CRYPTO_INTERNAL;
+
 ret = validate(key, ivec, data, num_data, &empty);
 if (ret != 0 || empty)
 return ret;
@@ -182,6 +188,9 @@ k5_des_cbc_mac(krb5_key key, const krb5_crypto_iov *data, size_t num_data,
 DES_key_schedule sched;
 krb5_boolean empty;
 
+ if (FIPS_mode())
+ return KRB5_CRYPTO_INTERNAL;
+
 ret = validate(key, ivec, data, num_data, &empty);
 if (ret != 0)
 return ret;
diff --git a/src/lib/crypto/openssl/enc_provider/des3.c b/src/lib/crypto/openssl/enc_provider/des3.c
index 1c439c2cd..8be555a8d 100644
--- a/src/lib/crypto/openssl/enc_provider/des3.c
+++ b/src/lib/crypto/openssl/enc_provider/des3.c
@@ -84,6 +84,9 @@ k5_des3_encrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
 EVP_CIPHER_CTX *ctx;
 krb5_boolean empty;
 
+ if (FIPS_mode())
+ return KRB5_CRYPTO_INTERNAL;
+
 ret = validate(key, ivec, data, num_data, &empty);
 if (ret != 0 || empty)
 return ret;
@@ -133,6 +136,9 @@ k5_des3_decrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
 EVP_CIPHER_CTX *ctx;
 krb5_boolean empty;
 
+ if (FIPS_mode())
+ return KRB5_CRYPTO_INTERNAL;
+
 ret = validate(key, ivec, data, num_data, &empty);
 if (ret != 0 || empty)
 return ret;