From fe66536c1b7aec67233739df97cbe0301ee6475e Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 19 Nov 2019 15:03:19 -0500
Subject: [PATCH] krb5-1.17post2 DES/3DES fixups
Kept separate from the other patch because rawhide doesn't have DES.
post2 adds krb5kdf workarounds.
---
src/lib/crypto/krb/derive.c | 6 +++++-
src/lib/crypto/openssl/enc_provider/des.c | 9 +++++++++
src/lib/crypto/openssl/enc_provider/des3.c | 6 ++++++
3 files changed, 20 insertions(+), 1 deletion(-)
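diff --git a/src/lib/crypto/krb/derive.c b/src/lib/crypto/krb/derive.c
index 915a173dd..ebdab69bc 100644
--- a/src/lib/crypto/krb/derive.c
+++ b/src/lib/crypto/krb/derive.c
@@ -348,6 +348,7 @@ cleanup:
 zapfree(prf.data, blocksize);
 return ret;
 }
+#endif /* OSSL_KDFS */
 
 static krb5_error_code
 builtin_derive_random_rfc3961(const struct krb5_enc_provider *enc,
@@ -400,7 +401,6 @@ cleanup:
 zapfree(block.data, blocksize);
 return ret;
 }
-#endif /* OSSL_KDFS */
 
 krb5_error_code
 k5_sp800_108_counter_hmac(const struct krb5_hash_provider *hash,
@@ -432,6 +432,10 @@ k5_derive_random_rfc3961(const struct krb5_enc_provider *enc,
 krb5_key inkey, krb5_data *outrnd,
 const krb5_data *in_constant)
 {
+ /* DES (single and triple). They'll be gone very soon. */
+ if (enc->keylength == 8 || enc->keylength == 24)
+ return builtin_derive_random_rfc3961(enc, inkey, outrnd, in_constant);
+
 #ifdef OSSL_KDFS
 return openssl_krb5kdf(enc, inkey, outrnd, in_constant);
 #else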
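Review bot: The early return added at the top of k5_derive_random_rfc3961 dispatches on enc->keylength alone, so any enc provider that happens to use an 8- or 24-byte key would silently bypass the OpenSSL KDF as well; if the intent is specifically DES and 3DES, testing the provider rather than the key length, or at least naming that assumption, would make the shortcut safer. The comment also gives no reason for the detour, so a line such as `/* OpenSSL's KRB5KDF does not cover DES/3DES keys; use the builtin RFC 3961 derivation for them. */` would tell the next reader why, assuming that is indeed the limitation being worked around. When OSSL_KDFS is undefined the check is presumably redundant with whatever the `#else` branch calls, so placing the three lines inside the `#ifdef OSSL_KDFS` block would leave the non-OpenSSL build untouched. The `#else` branch and the rest of the function body lie outside the hunk.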
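diff --git a/src/lib/crypto/openssl/enc_provider/des.c b/src/lib/crypto/openssl/enc_provider/des.c
index a662db512..7d17d287e 100644
--- a/src/lib/crypto/openssl/enc_provider/des.c
+++ b/src/lib/crypto/openssl/enc_provider/des.c
@@ -85,6 +85,9 @@ k5_des_encrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
 EVP_CIPHER_CTX *ctx;
 krb5_boolean empty;
 
+ if (FIPS_mode())
+ return KRB5_CRYPTO_INTERNAL;
+
 ret = validate(key, ivec, data, num_data, &empty);
 if (ret != 0 || empty)
 return ret;
@@ -133,6 +136,9 @@ k5_des_decrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
 EVP_CIPHER_CTX *ctx;
 krb5_boolean empty;
 
+ if (FIPS_mode())
+ return KRB5_CRYPTO_INTERNAL;
+
 ret = validate(key, ivec, data, num_data, &empty);
 if (ret != 0 || empty)
 return ret;
@@ -182,6 +188,9 @@ k5_des_cbc_mac(krb5_key key, const krb5_crypto_iov *data, size_t num_data,
 DES_key_schedule sched;
 krb5_boolean empty;
 
+ if (FIPS_mode())
+ return KRB5_CRYPTO_INTERNAL;
+
 ret = validate(key, ivec, data, num_data, &empty);
 if (ret != 0)
 return ret;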
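Review bot: The `if (FIPS_mode()) return KRB5_CRYPTO_INTERNAL;` guard added to k5_des_encrypt, k5_des_decrypt and k5_des_cbc_mac (and to both functions in des3.c) reports a deliberate policy refusal with the same code as a genuine backend failure, so callers and logs cannot distinguish "DES is disallowed in FIPS mode" from a broken cryptosystem; returning a distinct code such as KRB5_BAD_ENCTYPE, or at least adding `/* DES is not FIPS-approved; refuse before touching OpenSSL. */` above each check, would make the refusal diagnosable. The same three lines are now repeated five times across the two files, so a single shared check (a static inline helper in a common header) would keep them from drifting apart. FIPS_mode() is the OpenSSL 1.x API; if this tree is ever built against a newer OpenSSL that no longer exports it, the guard will fail to link, so a configure-time check may be worth considering — that cannot be confirmed from the hunk. Each enclosing function continues past its hunk.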
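diff --git a/src/lib/crypto/openssl/enc_provider/des3.c b/src/lib/crypto/openssl/enc_provider/des3.c
index 1c439c2cd..8be555a8d 100644
--- a/src/lib/crypto/openssl/enc_provider/des3.c
+++ b/src/lib/crypto/openssl/enc_provider/des3.c
@@ -84,6 +84,9 @@ k5_des3_encrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
 EVP_CIPHER_CTX *ctx;
 krb5_boolean empty;
 
+ if (FIPS_mode())
+ return KRB5_CRYPTO_INTERNAL;
+
 ret = validate(key, ivec, data, num_data, &empty);
 if (ret != 0 || empty)
 return ret;
@@ -133,6 +136,9 @@ k5_des3_decrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
 EVP_CIPHER_CTX *ctx;
 krb5_boolean empty;
 
+ if (FIPS_mode())
+ return KRB5_CRYPTO_INTERNAL;
+
 ret = validate(key, ivec, data, num_data, &empty);
 if (ret != 0 || empty)
 return ret;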