parent
3757332441
commit
13a890c182
@ -1 +1 @@
|
||||
SOURCES/krb5-1.20.1.tar.gz
|
||||
SOURCES/krb5-1.21.1.tar.gz
|
||||
|
@ -1 +1 @@
|
||||
06278439a6cd5a2aa861d8e877451b794487534b SOURCES/krb5-1.20.1.tar.gz
|
||||
505440658a00e009c430439dba60e13a98067cd3 SOURCES/krb5-1.21.1.tar.gz
|
||||
|
@ -0,0 +1,310 @@
|
||||
From 93bb4f5ba6fd79e72a75de20e209db219118a3a1 Mon Sep 17 00:00:00 2001
|
||||
From: Julien Rische <jrische@redhat.com>
|
||||
Date: Wed, 2 Aug 2023 10:19:28 +0200
|
||||
Subject: [PATCH] [downstream] Revert "Don't issue session keys with deprecated
|
||||
enctypes"
|
||||
|
||||
This reverts commit 1b57a4d134bbd0e7c52d5885a92eccc815726463.
|
||||
---
|
||||
doc/admin/conf_files/krb5_conf.rst | 12 ------------
|
||||
doc/admin/enctypes.rst | 23 +++-------------------
|
||||
src/include/k5-int.h | 4 ----
|
||||
src/kdc/kdc_util.c | 10 ----------
|
||||
src/lib/krb5/krb/get_in_tkt.c | 31 +++++++++++-------------------
|
||||
src/lib/krb5/krb/init_ctx.c | 10 ----------
|
||||
src/tests/gssapi/t_enctypes.py | 3 +--
|
||||
src/tests/t_etype_info.py | 2 +-
|
||||
src/tests/t_sesskeynego.py | 28 ++-------------------------
|
||||
src/util/k5test.py | 4 ++--
|
||||
10 files changed, 20 insertions(+), 107 deletions(-)
|
||||
|
||||
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
|
||||
index ecdf917501..f22d5db11b 100644
|
||||
--- a/doc/admin/conf_files/krb5_conf.rst
|
||||
+++ b/doc/admin/conf_files/krb5_conf.rst
|
||||
@@ -95,18 +95,6 @@ Additionally, krb5.conf may include any of the relations described in
|
||||
|
||||
The libdefaults section may contain any of the following relations:
|
||||
|
||||
-**allow_des3**
|
||||
- Permit the KDC to issue tickets with des3-cbc-sha1 session keys.
|
||||
- In future releases, this flag will allow des3-cbc-sha1 to be used
|
||||
- at all. The default value for this tag is false. (Added in
|
||||
- release 1.21.)
|
||||
-
|
||||
-**allow_rc4**
|
||||
- Permit the KDC to issue tickets with arcfour-hmac session keys.
|
||||
- In future releases, this flag will allow arcfour-hmac to be used
|
||||
- at all. The default value for this tag is false. (Added in
|
||||
- release 1.21.)
|
||||
-
|
||||
**allow_weak_crypto**
|
||||
If this flag is set to false, then weak encryption types (as noted
|
||||
in :ref:`Encryption_types` in :ref:`kdc.conf(5)`) will be filtered
|
||||
diff --git a/doc/admin/enctypes.rst b/doc/admin/enctypes.rst
|
||||
index dce19ad43e..694922c0d9 100644
|
||||
--- a/doc/admin/enctypes.rst
|
||||
+++ b/doc/admin/enctypes.rst
|
||||
@@ -48,15 +48,12 @@ Session key selection
|
||||
The KDC chooses the session key enctype by taking the intersection of
|
||||
its **permitted_enctypes** list, the list of long-term keys for the
|
||||
most recent kvno of the service, and the client's requested list of
|
||||
-enctypes. Starting in krb5-1.21, all services are assumed to support
|
||||
-aes256-cts-hmac-sha1-96; also, des3-cbc-sha1 and arcfour-hmac session
|
||||
-keys will not be issued by default.
|
||||
+enctypes.
|
||||
|
||||
Starting in krb5-1.11, it is possible to set a string attribute on a
|
||||
service principal to control what session key enctypes the KDC may
|
||||
-issue for service tickets for that principal, overriding the service's
|
||||
-long-term keys and the assumption of aes256-cts-hmac-sha1-96 support.
|
||||
-See :ref:`set_string` in :ref:`kadmin(1)` for details.
|
||||
+issue for service tickets for that principal. See :ref:`set_string`
|
||||
+in :ref:`kadmin(1)` for details.
|
||||
|
||||
|
||||
Choosing enctypes for a service
|
||||
@@ -90,20 +87,6 @@ affect how enctypes are chosen.
|
||||
acceptable risk for your environment and the weak enctypes are
|
||||
required for backward compatibility.
|
||||
|
||||
-**allow_des3**
|
||||
- was added in release 1.21 and defaults to *false*. Unless this
|
||||
- flag is set to *true*, the KDC will not issue tickets with
|
||||
- des3-cbc-sha1 session keys. In a future release, this flag will
|
||||
- control whether des3-cbc-sha1 is permitted in similar fashion to
|
||||
- weak enctypes.
|
||||
-
|
||||
-**allow_rc4**
|
||||
- was added in release 1.21 and defaults to *false*. Unless this
|
||||
- flag is set to *true*, the KDC will not issue tickets with
|
||||
- arcfour-hmac session keys. In a future release, this flag will
|
||||
- control whether arcfour-hmac is permitted in similar fashion to
|
||||
- weak enctypes.
|
||||
-
|
||||
**permitted_enctypes**
|
||||
controls the set of enctypes that a service will permit for
|
||||
session keys and for ticket and authenticator encryption. The KDC
|
||||
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
|
||||
index 2f7791b775..1d1c8293f4 100644
|
||||
--- a/src/include/k5-int.h
|
||||
+++ b/src/include/k5-int.h
|
||||
@@ -180,8 +180,6 @@ typedef unsigned char u_char;
|
||||
* matches the variable name. Keep these alphabetized. */
|
||||
#define KRB5_CONF_ACL_FILE "acl_file"
|
||||
#define KRB5_CONF_ADMIN_SERVER "admin_server"
|
||||
-#define KRB5_CONF_ALLOW_DES3 "allow_des3"
|
||||
-#define KRB5_CONF_ALLOW_RC4 "allow_rc4"
|
||||
#define KRB5_CONF_ALLOW_WEAK_CRYPTO "allow_weak_crypto"
|
||||
#define KRB5_CONF_AUTH_TO_LOCAL "auth_to_local"
|
||||
#define KRB5_CONF_AUTH_TO_LOCAL_NAMES "auth_to_local_names"
|
||||
@@ -1240,8 +1238,6 @@ struct _krb5_context {
|
||||
struct _kdb_log_context *kdblog_context;
|
||||
|
||||
krb5_boolean allow_weak_crypto;
|
||||
- krb5_boolean allow_des3;
|
||||
- krb5_boolean allow_rc4;
|
||||
krb5_boolean ignore_acceptor_hostname;
|
||||
krb5_boolean enforce_ok_as_delegate;
|
||||
enum dns_canonhost dns_canonicalize_hostname;
|
||||
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
|
||||
index e54cc751f9..75e04b73db 100644
|
||||
--- a/src/kdc/kdc_util.c
|
||||
+++ b/src/kdc/kdc_util.c
|
||||
@@ -1088,16 +1088,6 @@ select_session_keytype(krb5_context context, krb5_db_entry *server,
|
||||
if (!krb5_is_permitted_enctype(context, ktype[i]))
|
||||
continue;
|
||||
|
||||
- /*
|
||||
- * Prevent these deprecated enctypes from being used as session keys
|
||||
- * unless they are explicitly allowed. In the future they will be more
|
||||
- * comprehensively disabled and eventually removed.
|
||||
- */
|
||||
- if (ktype[i] == ENCTYPE_DES3_CBC_SHA1 && !context->allow_des3)
|
||||
- continue;
|
||||
- if (ktype[i] == ENCTYPE_ARCFOUR_HMAC && !context->allow_rc4)
|
||||
- continue;
|
||||
-
|
||||
if (dbentry_supports_enctype(context, server, ktype[i]))
|
||||
return ktype[i];
|
||||
}
|
||||
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
|
||||
index ea089f0fcc..1b420a3ac2 100644
|
||||
--- a/src/lib/krb5/krb/get_in_tkt.c
|
||||
+++ b/src/lib/krb5/krb/get_in_tkt.c
|
||||
@@ -1582,31 +1582,22 @@ warn_pw_expiry(krb5_context context, krb5_get_init_creds_opt *options,
|
||||
(*prompter)(context, data, 0, banner, 0, 0);
|
||||
}
|
||||
|
||||
-/* Display a warning via the prompter if a deprecated enctype was used for
|
||||
- * either the reply key or the session key. */
|
||||
+/* Display a warning via the prompter if des3-cbc-sha1 was used for either the
|
||||
+ * reply key or the session key. */
|
||||
static void
|
||||
-warn_deprecated(krb5_context context, krb5_init_creds_context ctx,
|
||||
- krb5_enctype as_key_enctype)
|
||||
+warn_des3(krb5_context context, krb5_init_creds_context ctx,
|
||||
+ krb5_enctype as_key_enctype)
|
||||
{
|
||||
- krb5_enctype etype;
|
||||
- char encbuf[128], banner[256];
|
||||
+ const char *banner;
|
||||
|
||||
- if (ctx->prompter == NULL)
|
||||
- return;
|
||||
-
|
||||
- if (krb5int_c_deprecated_enctype(as_key_enctype))
|
||||
- etype = as_key_enctype;
|
||||
- else if (krb5int_c_deprecated_enctype(ctx->cred.keyblock.enctype))
|
||||
- etype = ctx->cred.keyblock.enctype;
|
||||
- else
|
||||
+ if (as_key_enctype != ENCTYPE_DES3_CBC_SHA1 &&
|
||||
+ ctx->cred.keyblock.enctype != ENCTYPE_DES3_CBC_SHA1)
|
||||
return;
|
||||
-
|
||||
- if (krb5_enctype_to_name(etype, FALSE, encbuf, sizeof(encbuf)) != 0)
|
||||
+ if (ctx->prompter == NULL)
|
||||
return;
|
||||
- snprintf(banner, sizeof(banner),
|
||||
- _("Warning: encryption type %s used for authentication is "
|
||||
- "deprecated and will be disabled"), encbuf);
|
||||
|
||||
+ banner = _("Warning: encryption type des3-cbc-sha1 used for "
|
||||
+ "authentication is weak and will be disabled");
|
||||
/* PROMPTER_INVOCATION */
|
||||
(*ctx->prompter)(context, ctx->prompter_data, NULL, banner, 0, NULL);
|
||||
}
|
||||
@@ -1857,7 +1848,7 @@ init_creds_step_reply(krb5_context context,
|
||||
ctx->complete = TRUE;
|
||||
warn_pw_expiry(context, ctx->opt, ctx->prompter, ctx->prompter_data,
|
||||
ctx->in_tkt_service, ctx->reply);
|
||||
- warn_deprecated(context, ctx, encrypting_key.enctype);
|
||||
+ warn_des3(context, ctx, encrypting_key.enctype);
|
||||
|
||||
cleanup:
|
||||
krb5_free_pa_data(context, kdc_padata);
|
||||
diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c
|
||||
index a6c2bbeb54..87b486c53f 100644
|
||||
--- a/src/lib/krb5/krb/init_ctx.c
|
||||
+++ b/src/lib/krb5/krb/init_ctx.c
|
||||
@@ -221,16 +221,6 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags,
|
||||
goto cleanup;
|
||||
ctx->allow_weak_crypto = tmp;
|
||||
|
||||
- retval = get_boolean(ctx, KRB5_CONF_ALLOW_DES3, 0, &tmp);
|
||||
- if (retval)
|
||||
- goto cleanup;
|
||||
- ctx->allow_des3 = tmp;
|
||||
-
|
||||
- retval = get_boolean(ctx, KRB5_CONF_ALLOW_RC4, 0, &tmp);
|
||||
- if (retval)
|
||||
- goto cleanup;
|
||||
- ctx->allow_rc4 = tmp;
|
||||
-
|
||||
retval = get_boolean(ctx, KRB5_CONF_IGNORE_ACCEPTOR_HOSTNAME, 0, &tmp);
|
||||
if (retval)
|
||||
goto cleanup;
|
||||
diff --git a/src/tests/gssapi/t_enctypes.py b/src/tests/gssapi/t_enctypes.py
|
||||
index f5f11842e2..7494d7fcdb 100755
|
||||
--- a/src/tests/gssapi/t_enctypes.py
|
||||
+++ b/src/tests/gssapi/t_enctypes.py
|
||||
@@ -18,8 +18,7 @@ d_rc4 = 'DEPRECATED:arcfour-hmac'
|
||||
# These tests make assumptions about the default enctype lists, so set
|
||||
# them explicitly rather than relying on the library defaults.
|
||||
supp='aes256-cts:normal aes128-cts:normal des3-cbc-sha1:normal rc4-hmac:normal'
|
||||
-conf = {'libdefaults': {'permitted_enctypes': 'aes des3 rc4',
|
||||
- 'allow_des3': 'true', 'allow_rc4': 'true'},
|
||||
+conf = {'libdefaults': {'permitted_enctypes': 'aes des3 rc4'},
|
||||
'realms': {'$realm': {'supported_enctypes': supp}}}
|
||||
realm = K5Realm(krb5_conf=conf)
|
||||
shutil.copyfile(realm.ccache, os.path.join(realm.testdir, 'save'))
|
||||
diff --git a/src/tests/t_etype_info.py b/src/tests/t_etype_info.py
|
||||
index 38cf96ca8f..c982508d8b 100644
|
||||
--- a/src/tests/t_etype_info.py
|
||||
+++ b/src/tests/t_etype_info.py
|
||||
@@ -1,7 +1,7 @@
|
||||
from k5test import *
|
||||
|
||||
supported_enctypes = 'aes128-cts des3-cbc-sha1 rc4-hmac'
|
||||
-conf = {'libdefaults': {'allow_des3': 'true', 'allow_rc4': 'true'},
|
||||
+conf = {'libdefaults': {'allow_weak_crypto': 'true'},
|
||||
'realms': {'$realm': {'supported_enctypes': supported_enctypes}}}
|
||||
realm = K5Realm(create_host=False, get_creds=False, krb5_conf=conf)
|
||||
|
||||
diff --git a/src/tests/t_sesskeynego.py b/src/tests/t_sesskeynego.py
|
||||
index 5a213617b5..9024aee838 100755
|
||||
--- a/src/tests/t_sesskeynego.py
|
||||
+++ b/src/tests/t_sesskeynego.py
|
||||
@@ -25,8 +25,6 @@ conf3 = {'libdefaults': {
|
||||
'default_tkt_enctypes': 'aes128-cts',
|
||||
'default_tgs_enctypes': 'rc4-hmac,aes128-cts'}}
|
||||
conf4 = {'libdefaults': {'permitted_enctypes': 'aes256-cts'}}
|
||||
-conf5 = {'libdefaults': {'allow_rc4': 'true'}}
|
||||
-conf6 = {'libdefaults': {'allow_des3': 'true'}}
|
||||
# Test with client request and session_enctypes preferring aes128, but
|
||||
# aes256 long-term key.
|
||||
realm = K5Realm(krb5_conf=conf1, create_host=False, get_creds=False)
|
||||
@@ -56,12 +54,10 @@ realm.run([kadminl, 'setstr', 'server', 'session_enctypes',
|
||||
'aes128-cts,aes256-cts'])
|
||||
test_kvno(realm, 'aes128-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96')
|
||||
|
||||
-# 3b: Skip RC4 (as the KDC does not allow it for session keys by
|
||||
-# default) and negotiate aes128-cts session key, with only an aes256
|
||||
-# long-term service key.
|
||||
+# 3b: Negotiate rc4-hmac session key when principal only has aes256 long-term.
|
||||
realm.run([kadminl, 'setstr', 'server', 'session_enctypes',
|
||||
'rc4-hmac,aes128-cts,aes256-cts'])
|
||||
-test_kvno(realm, 'aes128-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96')
|
||||
+test_kvno(realm, 'DEPRECATED:arcfour-hmac', 'aes256-cts-hmac-sha1-96')
|
||||
realm.stop()
|
||||
|
||||
# 4: Check that permitted_enctypes is a default for session key enctypes.
|
||||
@@ -71,24 +67,4 @@ realm.run([kvno, 'user'],
|
||||
expected_trace=('etypes requested in TGS request: aes256-cts',))
|
||||
realm.stop()
|
||||
|
||||
-# 5: allow_rc4 permits negotiation of rc4-hmac session key.
|
||||
-realm = K5Realm(krb5_conf=conf5, create_host=False, get_creds=False)
|
||||
-realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts', 'server'])
|
||||
-realm.run([kadminl, 'setstr', 'server', 'session_enctypes', 'rc4-hmac'])
|
||||
-test_kvno(realm, 'DEPRECATED:arcfour-hmac', 'aes256-cts-hmac-sha1-96')
|
||||
-realm.stop()
|
||||
-
|
||||
-# 6: allow_des3 permits negotiation of des3-cbc-sha1 session key.
|
||||
-realm = K5Realm(krb5_conf=conf6, create_host=False, get_creds=False)
|
||||
-realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts', 'server'])
|
||||
-realm.run([kadminl, 'setstr', 'server', 'session_enctypes', 'des3-cbc-sha1'])
|
||||
-test_kvno(realm, 'DEPRECATED:des3-cbc-sha1', 'aes256-cts-hmac-sha1-96')
|
||||
-realm.stop()
|
||||
-
|
||||
-# 7: default config negotiates aes256-sha1 session key for RC4-only service.
|
||||
-realm = K5Realm(create_host=False, get_creds=False)
|
||||
-realm.run([kadminl, 'addprinc', '-randkey', '-e', 'rc4-hmac', 'server'])
|
||||
-test_kvno(realm, 'aes256-cts-hmac-sha1-96', 'DEPRECATED:arcfour-hmac')
|
||||
-realm.stop()
|
||||
-
|
||||
success('sesskeynego')
|
||||
diff --git a/src/util/k5test.py b/src/util/k5test.py
|
||||
index 8e5f5ba8e9..2a86c5cdfc 100644
|
||||
--- a/src/util/k5test.py
|
||||
+++ b/src/util/k5test.py
|
||||
@@ -1340,14 +1340,14 @@ _passes = [
|
||||
|
||||
# Exercise the DES3 enctype.
|
||||
('des3', None,
|
||||
- {'libdefaults': {'permitted_enctypes': 'des3 aes256-sha1'}},
|
||||
+ {'libdefaults': {'permitted_enctypes': 'des3'}},
|
||||
{'realms': {'$realm': {
|
||||
'supported_enctypes': 'des3-cbc-sha1:normal',
|
||||
'master_key_type': 'des3-cbc-sha1'}}}),
|
||||
|
||||
# Exercise the arcfour enctype.
|
||||
('arcfour', None,
|
||||
- {'libdefaults': {'permitted_enctypes': 'rc4 aes256-sha1'}},
|
||||
+ {'libdefaults': {'permitted_enctypes': 'rc4'}},
|
||||
{'realms': {'$realm': {
|
||||
'supported_enctypes': 'arcfour-hmac:normal',
|
||||
'master_key_type': 'arcfour-hmac'}}}),
|
||||
--
|
||||
2.41.0
|
||||
|
@ -1,201 +0,0 @@
|
||||
From c0a6d66e98e62b94d72bb51b8d6c00130a951215 Mon Sep 17 00:00:00 2001
|
||||
From: Julien Rische <jrische@redhat.com>
|
||||
Date: Fri, 22 Apr 2022 14:12:37 +0200
|
||||
Subject: [PATCH] Add configure variable for default PKCS#11 module
|
||||
|
||||
[ghudson@mit.edu: added documentation of configure variable and doc
|
||||
substitution; shortened commit message]
|
||||
|
||||
ticket: 9058 (new)
|
||||
---
|
||||
doc/admin/conf_files/krb5_conf.rst | 2 +-
|
||||
doc/build/options2configure.rst | 3 +++
|
||||
doc/conf.py | 3 +++
|
||||
doc/mitK5defaults.rst | 25 +++++++++++++------------
|
||||
src/configure.ac | 8 ++++++++
|
||||
src/doc/Makefile.in | 2 ++
|
||||
src/man/Makefile.in | 4 +++-
|
||||
src/man/krb5.conf.man | 2 +-
|
||||
src/plugins/preauth/pkinit/pkinit.h | 1 -
|
||||
9 files changed, 34 insertions(+), 16 deletions(-)
|
||||
|
||||
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
|
||||
index 2a4962069f..a33711d918 100644
|
||||
--- a/doc/admin/conf_files/krb5_conf.rst
|
||||
+++ b/doc/admin/conf_files/krb5_conf.rst
|
||||
@@ -1017,7 +1017,7 @@ information for PKINIT is as follows:
|
||||
All keyword/values are optional. *modname* specifies the location
|
||||
of a library implementing PKCS #11. If a value is encountered
|
||||
with no keyword, it is assumed to be the *modname*. If no
|
||||
- module-name is specified, the default is ``opensc-pkcs11.so``.
|
||||
+ module-name is specified, the default is |pkcs11_modname|.
|
||||
``slotid=`` and/or ``token=`` may be specified to force the use of
|
||||
a particular smard card reader or token if there is more than one
|
||||
available. ``certid=`` and/or ``certlabel=`` may be specified to
|
||||
diff --git a/doc/build/options2configure.rst b/doc/build/options2configure.rst
|
||||
index 9e355dc2c5..e879b18bd2 100644
|
||||
--- a/doc/build/options2configure.rst
|
||||
+++ b/doc/build/options2configure.rst
|
||||
@@ -137,6 +137,9 @@ Environment variables
|
||||
This option allows one to specify libraries to be passed to the
|
||||
linker (e.g., ``-l<library>``)
|
||||
|
||||
+**PKCS11_MODNAME=**\ *library*
|
||||
+ Override the built-in default PKCS11 library name.
|
||||
+
|
||||
**SS_LIB=**\ *libs*...
|
||||
If ``-lss`` is not the correct way to link in your installed ss
|
||||
library, for example if additional support libraries are needed,
|
||||
diff --git a/doc/conf.py b/doc/conf.py
|
||||
index 12168fa695..0ab5ff9606 100644
|
||||
--- a/doc/conf.py
|
||||
+++ b/doc/conf.py
|
||||
@@ -242,6 +242,7 @@ if 'mansubs' in tags:
|
||||
ccache = '``@CCNAME@``'
|
||||
keytab = '``@KTNAME@``'
|
||||
ckeytab = '``@CKTNAME@``'
|
||||
+ pkcs11_modname = '``@PKCS11MOD@``'
|
||||
elif 'pathsubs' in tags:
|
||||
# Read configured paths from a file produced by the build system.
|
||||
exec(open("paths.py").read())
|
||||
@@ -255,6 +256,7 @@ else:
|
||||
ccache = ':ref:`DEFCCNAME <paths>`'
|
||||
keytab = ':ref:`DEFKTNAME <paths>`'
|
||||
ckeytab = ':ref:`DEFCKTNAME <paths>`'
|
||||
+ pkcs11_modname = ':ref:`PKCS11_MODNAME <paths>`'
|
||||
|
||||
rst_epilog = '\n'
|
||||
|
||||
@@ -275,6 +277,7 @@ else:
|
||||
rst_epilog += '.. |ccache| replace:: %s\n' % ccache
|
||||
rst_epilog += '.. |keytab| replace:: %s\n' % keytab
|
||||
rst_epilog += '.. |ckeytab| replace:: %s\n' % ckeytab
|
||||
+ rst_epilog += '.. |pkcs11_modname| replace:: %s\n' % pkcs11_modname
|
||||
rst_epilog += '''
|
||||
.. |krb5conf| replace:: ``/etc/krb5.conf``
|
||||
.. |defkeysalts| replace:: ``aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal``
|
||||
diff --git a/doc/mitK5defaults.rst b/doc/mitK5defaults.rst
|
||||
index 74e69f4ad0..aea7af3dbb 100644
|
||||
--- a/doc/mitK5defaults.rst
|
||||
+++ b/doc/mitK5defaults.rst
|
||||
@@ -59,18 +59,19 @@ subdirectories of ``/usr/local``. When MIT krb5 is integrated into an
|
||||
operating system, the paths are generally chosen to match the
|
||||
operating system's filesystem layout.
|
||||
|
||||
-========================== ============= =========================== ===========================
|
||||
-Description Symbolic name Custom build path Typical OS path
|
||||
-========================== ============= =========================== ===========================
|
||||
-User programs BINDIR ``/usr/local/bin`` ``/usr/bin``
|
||||
-Libraries and plugins LIBDIR ``/usr/local/lib`` ``/usr/lib``
|
||||
-Parent of KDC state dir LOCALSTATEDIR ``/usr/local/var`` ``/var``
|
||||
-Parent of KDC runtime dir RUNSTATEDIR ``/usr/local/var/run`` ``/run``
|
||||
-Administrative programs SBINDIR ``/usr/local/sbin`` ``/usr/sbin``
|
||||
-Alternate krb5.conf dir SYSCONFDIR ``/usr/local/etc`` ``/etc``
|
||||
-Default ccache name DEFCCNAME ``FILE:/tmp/krb5cc_%{uid}`` ``FILE:/tmp/krb5cc_%{uid}``
|
||||
-Default keytab name DEFKTNAME ``FILE:/etc/krb5.keytab`` ``FILE:/etc/krb5.keytab``
|
||||
-========================== ============= =========================== ===========================
|
||||
+========================== ============== =========================== ===========================
|
||||
+Description Symbolic name Custom build path Typical OS path
|
||||
+========================== ============== =========================== ===========================
|
||||
+User programs BINDIR ``/usr/local/bin`` ``/usr/bin``
|
||||
+Libraries and plugins LIBDIR ``/usr/local/lib`` ``/usr/lib``
|
||||
+Parent of KDC state dir LOCALSTATEDIR ``/usr/local/var`` ``/var``
|
||||
+Parent of KDC runtime dir RUNSTATEDIR ``/usr/local/var/run`` ``/run``
|
||||
+Administrative programs SBINDIR ``/usr/local/sbin`` ``/usr/sbin``
|
||||
+Alternate krb5.conf dir SYSCONFDIR ``/usr/local/etc`` ``/etc``
|
||||
+Default ccache name DEFCCNAME ``FILE:/tmp/krb5cc_%{uid}`` ``FILE:/tmp/krb5cc_%{uid}``
|
||||
+Default keytab name DEFKTNAME ``FILE:/etc/krb5.keytab`` ``FILE:/etc/krb5.keytab``
|
||||
+Default PKCS11 module PKCS11_MODNAME ``opensc-pkcs11.so`` ``opensc-pkcs11.so``
|
||||
+========================== ============== =========================== ===========================
|
||||
|
||||
The default client keytab name (DEFCKTNAME) typically defaults to
|
||||
``FILE:/usr/local/var/krb5/user/%{euid}/client.keytab`` for a custom
|
||||
diff --git a/src/configure.ac b/src/configure.ac
|
||||
index 8dc864718d..9774cb71ae 100644
|
||||
--- a/src/configure.ac
|
||||
+++ b/src/configure.ac
|
||||
@@ -1471,6 +1471,14 @@ AC_DEFINE_UNQUOTED(DEFKTNAME, ["$DEFKTNAME"], [Define to default keytab name])
|
||||
AC_DEFINE_UNQUOTED(DEFCKTNAME, ["$DEFCKTNAME"],
|
||||
[Define to default client keytab name])
|
||||
|
||||
+AC_ARG_VAR(PKCS11_MODNAME, [Default PKCS11 module name])
|
||||
+if test "${PKCS11_MODNAME+set}" != set; then
|
||||
+ PKCS11_MODNAME=opensc-pkcs11.so
|
||||
+fi
|
||||
+AC_MSG_NOTICE([Default PKCS11 module name: $PKCS11_MODNAME])
|
||||
+AC_DEFINE_UNQUOTED(PKCS11_MODNAME, ["$PKCS11_MODNAME"],
|
||||
+ [Default PKCS11 module name])
|
||||
+
|
||||
AC_CONFIG_FILES([build-tools/krb5-config], [chmod +x build-tools/krb5-config])
|
||||
AC_CONFIG_FILES([build-tools/kadm-server.pc
|
||||
build-tools/kadm-client.pc
|
||||
diff --git a/src/doc/Makefile.in b/src/doc/Makefile.in
|
||||
index 379bc36511..a1b0cff0a4 100644
|
||||
--- a/src/doc/Makefile.in
|
||||
+++ b/src/doc/Makefile.in
|
||||
@@ -10,6 +10,7 @@ sysconfdir=@sysconfdir@
|
||||
DEFCCNAME=@DEFCCNAME@
|
||||
DEFKTNAME=@DEFKTNAME@
|
||||
DEFCKTNAME=@DEFCKTNAME@
|
||||
+PKCS11_MODNAME=@PKCS11_MODNAME@
|
||||
|
||||
RST_SOURCES= _static \
|
||||
_templates \
|
||||
@@ -118,6 +119,7 @@ paths.py:
|
||||
echo 'ccache = "``$(DEFCCNAME)``"' >> $@
|
||||
echo 'keytab = "``$(DEFKTNAME)``"' >> $@
|
||||
echo 'ckeytab = "``$(DEFCKTNAME)``"' >> $@
|
||||
+ echo 'pkcs11_modname = "``$(PKCS11_MODNAME)``"' >> $@
|
||||
|
||||
# Dummy rule that man/Makefile can invoke
|
||||
version.py: $(docsrc)/version.py
|
||||
diff --git a/src/man/Makefile.in b/src/man/Makefile.in
|
||||
index 00b1b2de06..85cae0914e 100644
|
||||
--- a/src/man/Makefile.in
|
||||
+++ b/src/man/Makefile.in
|
||||
@@ -8,6 +8,7 @@ sysconfdir=@sysconfdir@
|
||||
DEFCCNAME=@DEFCCNAME@
|
||||
DEFKTNAME=@DEFKTNAME@
|
||||
DEFCKTNAME=@DEFCKTNAME@
|
||||
+PKCS11_MODNAME=@PKCS11_MODNAME@
|
||||
|
||||
MANSUBS=k5identity.sub k5login.sub k5srvutil.sub kadm5.acl.sub kadmin.sub \
|
||||
kadmind.sub kdb5_ldap_util.sub kdb5_util.sub kdc.conf.sub \
|
||||
@@ -47,7 +48,8 @@ $(docsrc)/version.py: $(top_srcdir)/patchlevel.h
|
||||
-e 's|@SYSCONFDIR@|$(sysconfdir)|g' \
|
||||
-e 's|@CCNAME@|$(DEFCCNAME)|g' \
|
||||
-e 's|@KTNAME@|$(DEFKTNAME)|g' \
|
||||
- -e 's|@CKTNAME@|$(DEFCKTNAME)|g' $? > $@
|
||||
+ -e 's|@CKTNAME@|$(DEFCKTNAME)|g' \
|
||||
+ -e 's|@PKCS11MOD@|$(PKCS11_MODNAME)|g' $? > $@
|
||||
|
||||
all: $(MANSUBS)
|
||||
|
||||
diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man
|
||||
index 51acb38815..fd2c6f2bc4 100644
|
||||
--- a/src/man/krb5.conf.man
|
||||
+++ b/src/man/krb5.conf.man
|
||||
@@ -1148,7 +1148,7 @@ user\(aqs certificate and private key.
|
||||
All keyword/values are optional. \fImodname\fP specifies the location
|
||||
of a library implementing PKCS #11. If a value is encountered
|
||||
with no keyword, it is assumed to be the \fImodname\fP\&. If no
|
||||
-module\-name is specified, the default is \fBopensc\-pkcs11.so\fP\&.
|
||||
+module\-name is specified, the default is \fB@PKCS11MOD@\fP\&.
|
||||
\fBslotid=\fP and/or \fBtoken=\fP may be specified to force the use of
|
||||
a particular smard card reader or token if there is more than one
|
||||
available. \fBcertid=\fP and/or \fBcertlabel=\fP may be specified to
|
||||
diff --git a/src/plugins/preauth/pkinit/pkinit.h b/src/plugins/preauth/pkinit/pkinit.h
|
||||
index 8135535e2c..66f92d8f03 100644
|
||||
--- a/src/plugins/preauth/pkinit/pkinit.h
|
||||
+++ b/src/plugins/preauth/pkinit/pkinit.h
|
||||
@@ -42,7 +42,6 @@
|
||||
#ifndef WITHOUT_PKCS11
|
||||
#include "pkcs11.h"
|
||||
|
||||
-#define PKCS11_MODNAME "opensc-pkcs11.so"
|
||||
#define PK_SIGLEN_GUESS 1000
|
||||
#define PK_NOSLOT 999999
|
||||
#endif
|
||||
--
|
||||
2.38.1
|
||||
|
@ -1,159 +0,0 @@
|
||||
From 3cc9ef956342f55cc9ae283e30fc3ba080248cf3 Mon Sep 17 00:00:00 2001
|
||||
From: Julien Rische <jrische@redhat.com>
|
||||
Date: Wed, 1 Jun 2022 18:02:04 +0200
|
||||
Subject: [PATCH] Set reasonable supportedCMSTypes in PKINIT
|
||||
|
||||
The PKINIT client uses AuthPack.supportedCMSTypes to let the KDC know
|
||||
the algorithms it supports for verification of the CMS data signature.
|
||||
(The MIT krb5 KDC currently ignores this list, but other
|
||||
implementations use it.)
|
||||
|
||||
Replace 3DES with sha512WithRSAEncryption and sha256WithRSAEncryption.
|
||||
|
||||
[ghudson@mit.edu: simplified code and used appropriate helpers; edited
|
||||
commit message]
|
||||
|
||||
ticket: 9066 (new)
|
||||
---
|
||||
src/plugins/preauth/pkinit/pkinit_constants.c | 33 ++++++++++++-
|
||||
src/plugins/preauth/pkinit/pkinit_crypto.h | 4 ++
|
||||
.../preauth/pkinit/pkinit_crypto_openssl.c | 49 ++++++++++---------
|
||||
3 files changed, 60 insertions(+), 26 deletions(-)
|
||||
|
||||
diff --git a/src/plugins/preauth/pkinit/pkinit_constants.c b/src/plugins/preauth/pkinit/pkinit_constants.c
|
||||
index 652897fa14..1da482e0b4 100644
|
||||
--- a/src/plugins/preauth/pkinit/pkinit_constants.c
|
||||
+++ b/src/plugins/preauth/pkinit/pkinit_constants.c
|
||||
@@ -32,9 +32,14 @@
|
||||
|
||||
#include "pkinit.h"
|
||||
|
||||
-/* statically declare OID constants for all three algorithms */
|
||||
-static char sha1_oid[8] = { 0x2B, 0x06, 0x01, 0x05, 0x02, 0x03, 0x06, 0x01};
|
||||
+/* RFC 8636 id-pkinit-kdf-ah-sha1: iso(1) identified-organization(3) dod(6)
|
||||
+ * internet(1) security(5) kerberosv5(2) pkinit(3) kdf(6) sha1(1) */
|
||||
+static char sha1_oid[8] = { 0x2B, 0x06, 0x01, 0x05, 0x02, 0x03, 0x06, 0x01 };
|
||||
+/* RFC 8636 id-pkinit-kdf-ah-sha256: iso(1) identified-organization(3) dod(6)
|
||||
+ * internet(1) security(5) kerberosv5(2) pkinit(3) kdf(6) sha256(2) */
|
||||
static char sha256_oid[8] = { 0x2B, 0x06, 0x01, 0x05, 0x02, 0x03, 0x06, 0x02 };
|
||||
+/* RFC 8636 id-pkinit-kdf-ah-sha512: iso(1) identified-organization(3) dod(6)
|
||||
+ * internet(1) security(5) kerberosv5(2) pkinit(3) kdf(6) sha512(3) */
|
||||
static char sha512_oid[8] = { 0x2B, 0x06, 0x01, 0x05, 0x02, 0x03, 0x06, 0x03 };
|
||||
|
||||
const krb5_data sha1_id = { KV5M_DATA, sizeof(sha1_oid), sha1_oid };
|
||||
@@ -48,6 +53,30 @@ krb5_data const * const supported_kdf_alg_ids[] = {
|
||||
NULL
|
||||
};
|
||||
|
||||
+/* RFC 4055 sha256WithRSAEncryption: iso(1) member-body(2) us(840)
|
||||
+ * rsadsi(113549) pkcs(1) 1 11 */
|
||||
+static char sha256WithRSAEncr_oid[9] = {
|
||||
+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b
|
||||
+};
|
||||
+/* RFC 4055 sha256WithRSAEncryption: iso(1) member-body(2) us(840)
|
||||
+ * rsadsi(113549) pkcs(1) 1 13 */
|
||||
+static char sha512WithRSAEncr_oid[9] = {
|
||||
+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0d
|
||||
+};
|
||||
+
|
||||
+const krb5_data sha256WithRSAEncr_id = {
|
||||
+ KV5M_DATA, sizeof(sha256WithRSAEncr_oid), sha256WithRSAEncr_oid
|
||||
+};
|
||||
+const krb5_data sha512WithRSAEncr_id = {
|
||||
+ KV5M_DATA, sizeof(sha512WithRSAEncr_oid), sha512WithRSAEncr_oid
|
||||
+};
|
||||
+
|
||||
+krb5_data const * const supported_cms_algs[] = {
|
||||
+ &sha512WithRSAEncr_id,
|
||||
+ &sha256WithRSAEncr_id,
|
||||
+ NULL
|
||||
+};
|
||||
+
|
||||
/* RFC 2412 section E.2 (well-known group 2) parameters, DER-encoded as
|
||||
* DomainParameters (RFC 3279 section 2.3.3). */
|
||||
static const uint8_t o1024[] = {
|
||||
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h
|
||||
index 65f6210727..64300da856 100644
|
||||
--- a/src/plugins/preauth/pkinit/pkinit_crypto.h
|
||||
+++ b/src/plugins/preauth/pkinit/pkinit_crypto.h
|
||||
@@ -620,6 +620,10 @@ extern const krb5_data oakley_4096;
|
||||
*/
|
||||
extern krb5_data const * const supported_kdf_alg_ids[];
|
||||
|
||||
+/* CMS signature algorithms supported by this implementation, in order of
|
||||
+ * decreasing preference. */
|
||||
+extern krb5_data const * const supported_cms_algs[];
|
||||
+
|
||||
krb5_error_code
|
||||
crypto_encode_der_cert(krb5_context context, pkinit_req_crypto_context reqctx,
|
||||
uint8_t **der_out, size_t *der_len);
|
||||
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||
index d500455dec..1c2aa02827 100644
|
||||
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||
@@ -5475,37 +5475,38 @@ create_krb5_supportedCMSTypes(krb5_context context,
|
||||
pkinit_plg_crypto_context plg_cryptoctx,
|
||||
pkinit_req_crypto_context req_cryptoctx,
|
||||
pkinit_identity_crypto_context id_cryptoctx,
|
||||
- krb5_algorithm_identifier ***oids)
|
||||
+ krb5_algorithm_identifier ***algs_out)
|
||||
{
|
||||
+ krb5_error_code ret;
|
||||
+ krb5_algorithm_identifier **algs = NULL;
|
||||
+ size_t i, count;
|
||||
|
||||
- krb5_error_code retval = ENOMEM;
|
||||
- krb5_algorithm_identifier **loids = NULL;
|
||||
- krb5_data des3oid = {0, 8, "\x2A\x86\x48\x86\xF7\x0D\x03\x07" };
|
||||
+ *algs_out = NULL;
|
||||
|
||||
- *oids = NULL;
|
||||
- loids = malloc(2 * sizeof(krb5_algorithm_identifier *));
|
||||
- if (loids == NULL)
|
||||
- goto cleanup;
|
||||
- loids[1] = NULL;
|
||||
- loids[0] = malloc(sizeof(krb5_algorithm_identifier));
|
||||
- if (loids[0] == NULL) {
|
||||
- free(loids);
|
||||
- goto cleanup;
|
||||
- }
|
||||
- retval = pkinit_copy_krb5_data(&loids[0]->algorithm, &des3oid);
|
||||
- if (retval) {
|
||||
- free(loids[0]);
|
||||
- free(loids);
|
||||
+ /* Count supported OIDs and allocate list (including null terminator). */
|
||||
+ for (count = 0; supported_cms_algs[count] != NULL; count++);
|
||||
+ algs = k5calloc(count + 1, sizeof(*algs), &ret);
|
||||
+ if (algs == NULL)
|
||||
goto cleanup;
|
||||
+
|
||||
+ /* Add an algorithm identifier for each OID, with no parameters. */
|
||||
+ for (i = 0; i < count; i++) {
|
||||
+ algs[i] = k5alloc(sizeof(*algs[i]), &ret);
|
||||
+ if (algs[i] == NULL)
|
||||
+ goto cleanup;
|
||||
+ ret = krb5int_copy_data_contents(context, supported_cms_algs[i],
|
||||
+ &algs[i]->algorithm);
|
||||
+ if (ret)
|
||||
+ goto cleanup;
|
||||
+ algs[i]->parameters = empty_data();
|
||||
}
|
||||
- loids[0]->parameters.length = 0;
|
||||
- loids[0]->parameters.data = NULL;
|
||||
|
||||
- *oids = loids;
|
||||
- retval = 0;
|
||||
-cleanup:
|
||||
+ *algs_out = algs;
|
||||
+ algs = NULL;
|
||||
|
||||
- return retval;
|
||||
+cleanup:
|
||||
+ free_krb5_algorithm_identifiers(&algs);
|
||||
+ return ret;
|
||||
}
|
||||
|
||||
krb5_error_code
|
||||
--
|
||||
2.38.1
|
||||
|
@ -1,622 +0,0 @@
|
||||
From 593109802b52e3f89c3a65436bfdba78f8c517c4 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Thu, 23 Jun 2022 16:41:40 -0400
|
||||
Subject: [PATCH] Simplify plugin loading code
|
||||
|
||||
Remove the USE_CFBUNDLE code, which was only used by KfM. Handle
|
||||
platform conditionals according to current practice. Use
|
||||
k5_dir_filenames() instead of opendir() and remove the Windows
|
||||
implementation of opendir().
|
||||
---
|
||||
src/util/support/plugins.c | 507 +++++++++++--------------------------
|
||||
1 file changed, 150 insertions(+), 357 deletions(-)
|
||||
|
||||
diff --git a/src/util/support/plugins.c b/src/util/support/plugins.c
|
||||
index c6a9a21d57..0850565687 100644
|
||||
--- a/src/util/support/plugins.c
|
||||
+++ b/src/util/support/plugins.c
|
||||
@@ -29,16 +29,6 @@
|
||||
#if USE_DLOPEN
|
||||
#include <dlfcn.h>
|
||||
#endif
|
||||
-#include <sys/types.h>
|
||||
-#ifdef HAVE_SYS_STAT_H
|
||||
-#include <sys/stat.h>
|
||||
-#endif
|
||||
-#ifdef HAVE_SYS_PARAM_H
|
||||
-#include <sys/param.h>
|
||||
-#endif
|
||||
-#ifdef HAVE_UNISTD_H
|
||||
-#include <unistd.h>
|
||||
-#endif
|
||||
|
||||
#if USE_DLOPEN
|
||||
#ifdef RTLD_GROUP
|
||||
@@ -68,16 +58,6 @@
|
||||
#endif
|
||||
#endif
|
||||
|
||||
-#if USE_DLOPEN && USE_CFBUNDLE
|
||||
-#include <CoreFoundation/CoreFoundation.h>
|
||||
-
|
||||
-/* Currently CoreFoundation only exists on the Mac so we just use
|
||||
- * pthreads directly to avoid creating empty function calls on other
|
||||
- * platforms. If a thread initializer ever gets created in the common
|
||||
- * plugin code, move this there */
|
||||
-static pthread_mutex_t krb5int_bundle_mutex = PTHREAD_MUTEX_INITIALIZER;
|
||||
-#endif
|
||||
-
|
||||
#include <stdarg.h>
|
||||
static void Tprintf (const char *fmt, ...)
|
||||
{
|
||||
@@ -90,374 +70,193 @@ static void Tprintf (const char *fmt, ...)
|
||||
}
|
||||
|
||||
struct plugin_file_handle {
|
||||
-#if USE_DLOPEN
|
||||
+#if defined(USE_DLOPEN)
|
||||
void *dlhandle;
|
||||
-#endif
|
||||
-#ifdef _WIN32
|
||||
- HMODULE hinstPlugin;
|
||||
-#endif
|
||||
-#if !defined (USE_DLOPEN) && !defined (_WIN32)
|
||||
+#elif defined(_WIN32)
|
||||
+ HMODULE module;
|
||||
+#else
|
||||
char dummy;
|
||||
#endif
|
||||
};
|
||||
|
||||
-#ifdef _WIN32
|
||||
-struct dirent {
|
||||
- long d_ino; /* inode (always 1 in WIN32) */
|
||||
- off_t d_off; /* offset to this dirent */
|
||||
- unsigned short d_reclen; /* length of d_name */
|
||||
- char d_name[_MAX_FNAME+1]; /* filename (null terminated) */
|
||||
-};
|
||||
-
|
||||
-typedef struct {
|
||||
- intptr_t handle; /* _findfirst/_findnext handle */
|
||||
- short offset; /* offset into directory */
|
||||
- short finished; /* 1 if there are not more files */
|
||||
- struct _finddata_t fileinfo;/* from _findfirst/_findnext */
|
||||
- char *dir; /* the dir we are reading */
|
||||
- struct dirent dent; /* the dirent to return */
|
||||
-} DIR;
|
||||
+#if defined(USE_DLOPEN)
|
||||
|
||||
-DIR * opendir(const char *dir)
|
||||
+static long
|
||||
+open_plugin_dlfcn(struct plugin_file_handle *h, const char *filename,
|
||||
+ struct errinfo *ep)
|
||||
{
|
||||
- DIR *dp;
|
||||
- char *filespec;
|
||||
- intptr_t handle;
|
||||
- int index;
|
||||
-
|
||||
- filespec = malloc(strlen(dir) + 2 + 1);
|
||||
- strcpy(filespec, dir);
|
||||
- index = strlen(filespec) - 1;
|
||||
- if (index >= 0 && (filespec[index] == '/' || filespec[index] == '\\'))
|
||||
- filespec[index] = '\0';
|
||||
- strcat(filespec, "/*");
|
||||
-
|
||||
- dp = (DIR *)malloc(sizeof(DIR));
|
||||
- dp->offset = 0;
|
||||
- dp->finished = 0;
|
||||
- dp->dir = strdup(dir);
|
||||
-
|
||||
- if ((handle = _findfirst(filespec, &(dp->fileinfo))) < 0) {
|
||||
- if (errno == ENOENT)
|
||||
- dp->finished = 1;
|
||||
- else {
|
||||
- free(filespec);
|
||||
- free(dp->dir);
|
||||
- free(dp);
|
||||
- return NULL;
|
||||
- }
|
||||
+ const char *e;
|
||||
+
|
||||
+ h->dlhandle = dlopen(filename, PLUGIN_DLOPEN_FLAGS);
|
||||
+ if (h->dlhandle == NULL) {
|
||||
+ e = dlerror();
|
||||
+ if (e == NULL)
|
||||
+ e = _("unknown failure");
|
||||
+ Tprintf("dlopen(%s): %s\n", filename, e);
|
||||
+ k5_set_error(ep, ENOENT, _("unable to load plugin [%s]: %s"),
|
||||
+ filename, e);
|
||||
+ return ENOENT;
|
||||
}
|
||||
-
|
||||
- dp->handle = handle;
|
||||
- free(filespec);
|
||||
-
|
||||
- return dp;
|
||||
+ return 0;
|
||||
}
|
||||
+#define open_plugin open_plugin_dlfcn
|
||||
|
||||
-struct dirent * readdir(DIR *dp)
|
||||
+static long
|
||||
+get_sym_dlfcn(struct plugin_file_handle *h, const char *csymname,
|
||||
+ void **sym_out, struct errinfo *ep)
|
||||
{
|
||||
- if (!dp || dp->finished) return NULL;
|
||||
-
|
||||
- if (dp->offset != 0) {
|
||||
- if (_findnext(dp->handle, &(dp->fileinfo)) < 0) {
|
||||
- dp->finished = 1;
|
||||
- return NULL;
|
||||
- }
|
||||
+ const char *e;
|
||||
+
|
||||
+ if (h->dlhandle == NULL)
|
||||
+ return ENOENT;
|
||||
+ *sym_out = dlsym(h->dlhandle, csymname);
|
||||
+ if (*sym_out == NULL) {
|
||||
+ e = dlerror();
|
||||
+ if (e == NULL)
|
||||
+ e = _("unknown failure");
|
||||
+ Tprintf("dlsym(%s): %s\n", csymname, e);
|
||||
+ k5_set_error(ep, ENOENT, "%s", e);
|
||||
+ return ENOENT;
|
||||
}
|
||||
- dp->offset++;
|
||||
-
|
||||
- strncpy(dp->dent.d_name, dp->fileinfo.name, _MAX_FNAME);
|
||||
- dp->dent.d_ino = 1;
|
||||
- dp->dent.d_reclen = (unsigned short)strlen(dp->dent.d_name);
|
||||
- dp->dent.d_off = dp->offset;
|
||||
-
|
||||
- return &(dp->dent);
|
||||
-}
|
||||
-
|
||||
-int closedir(DIR *dp)
|
||||
-{
|
||||
- if (!dp) return 0;
|
||||
- _findclose(dp->handle);
|
||||
- free(dp->dir);
|
||||
- free(dp);
|
||||
-
|
||||
return 0;
|
||||
}
|
||||
-#endif
|
||||
+#define get_sym get_sym_dlfcn
|
||||
|
||||
-long KRB5_CALLCONV
|
||||
-krb5int_open_plugin (const char *filepath, struct plugin_file_handle **h, struct errinfo *ep)
|
||||
+static void
|
||||
+close_plugin_dlfcn(struct plugin_file_handle *h)
|
||||
{
|
||||
- long err = 0;
|
||||
- struct plugin_file_handle *htmp = NULL;
|
||||
- int got_plugin = 0;
|
||||
-#if defined(USE_CFBUNDLE) || defined(_WIN32)
|
||||
- struct stat statbuf;
|
||||
-
|
||||
- if (!err) {
|
||||
- if (stat (filepath, &statbuf) < 0) {
|
||||
- err = errno;
|
||||
- Tprintf ("stat(%s): %s\n", filepath, strerror (err));
|
||||
- k5_set_error(ep, err, _("unable to find plugin [%s]: %s"),
|
||||
- filepath, strerror(err));
|
||||
- }
|
||||
- }
|
||||
-#endif
|
||||
-
|
||||
- if (!err) {
|
||||
- htmp = calloc (1, sizeof (*htmp)); /* calloc initializes ptrs to NULL */
|
||||
- if (htmp == NULL) { err = ENOMEM; }
|
||||
- }
|
||||
-
|
||||
-#if USE_DLOPEN
|
||||
- if (!err
|
||||
-#if USE_CFBUNDLE
|
||||
- && ((statbuf.st_mode & S_IFMT) == S_IFREG
|
||||
- || (statbuf.st_mode & S_IFMT) == S_IFDIR)
|
||||
-#endif /* USE_CFBUNDLE */
|
||||
- ) {
|
||||
- void *handle = NULL;
|
||||
-
|
||||
-#if USE_CFBUNDLE
|
||||
- char executablepath[MAXPATHLEN];
|
||||
-
|
||||
- if ((statbuf.st_mode & S_IFMT) == S_IFDIR) {
|
||||
- int lock_err = 0;
|
||||
- CFStringRef pluginString = NULL;
|
||||
- CFURLRef pluginURL = NULL;
|
||||
- CFBundleRef pluginBundle = NULL;
|
||||
- CFURLRef executableURL = NULL;
|
||||
-
|
||||
- /* Lock around CoreFoundation calls since objects are refcounted
|
||||
- * and the refcounts are not thread-safe. Using pthreads directly
|
||||
- * because this code is Mac-specific */
|
||||
- lock_err = pthread_mutex_lock(&krb5int_bundle_mutex);
|
||||
- if (lock_err) { err = lock_err; }
|
||||
-
|
||||
- if (!err) {
|
||||
- pluginString = CFStringCreateWithCString (kCFAllocatorDefault,
|
||||
- filepath,
|
||||
- kCFStringEncodingASCII);
|
||||
- if (pluginString == NULL) { err = ENOMEM; }
|
||||
- }
|
||||
-
|
||||
- if (!err) {
|
||||
- pluginURL = CFURLCreateWithFileSystemPath (kCFAllocatorDefault,
|
||||
- pluginString,
|
||||
- kCFURLPOSIXPathStyle,
|
||||
- true);
|
||||
- if (pluginURL == NULL) { err = ENOMEM; }
|
||||
- }
|
||||
-
|
||||
- if (!err) {
|
||||
- pluginBundle = CFBundleCreate (kCFAllocatorDefault, pluginURL);
|
||||
- if (pluginBundle == NULL) { err = ENOENT; } /* XXX need better error */
|
||||
- }
|
||||
-
|
||||
- if (!err) {
|
||||
- executableURL = CFBundleCopyExecutableURL (pluginBundle);
|
||||
- if (executableURL == NULL) { err = ENOMEM; }
|
||||
- }
|
||||
-
|
||||
- if (!err) {
|
||||
- if (!CFURLGetFileSystemRepresentation (executableURL,
|
||||
- true, /* absolute */
|
||||
- (UInt8 *)executablepath,
|
||||
- sizeof (executablepath))) {
|
||||
- err = ENOMEM;
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- if (!err) {
|
||||
- /* override the path the caller passed in */
|
||||
- filepath = executablepath;
|
||||
- }
|
||||
-
|
||||
- if (executableURL != NULL) { CFRelease (executableURL); }
|
||||
- if (pluginBundle != NULL) { CFRelease (pluginBundle); }
|
||||
- if (pluginURL != NULL) { CFRelease (pluginURL); }
|
||||
- if (pluginString != NULL) { CFRelease (pluginString); }
|
||||
-
|
||||
- /* unlock after CFRelease calls since they modify refcounts */
|
||||
- if (!lock_err) { pthread_mutex_unlock (&krb5int_bundle_mutex); }
|
||||
- }
|
||||
-#endif /* USE_CFBUNDLE */
|
||||
-
|
||||
- if (!err) {
|
||||
- handle = dlopen(filepath, PLUGIN_DLOPEN_FLAGS);
|
||||
- if (handle == NULL) {
|
||||
- const char *e = dlerror();
|
||||
- if (e == NULL)
|
||||
- e = _("unknown failure");
|
||||
- Tprintf ("dlopen(%s): %s\n", filepath, e);
|
||||
- err = ENOENT; /* XXX */
|
||||
- k5_set_error(ep, err, _("unable to load plugin [%s]: %s"),
|
||||
- filepath, e);
|
||||
- }
|
||||
- }
|
||||
+ if (h->dlhandle != NULL)
|
||||
+ dlclose(h->dlhandle);
|
||||
+}
|
||||
+#define close_plugin close_plugin_dlfcn
|
||||
|
||||
- if (!err) {
|
||||
- got_plugin = 1;
|
||||
- htmp->dlhandle = handle;
|
||||
- handle = NULL;
|
||||
- }
|
||||
+#elif defined(_WIN32)
|
||||
|
||||
- if (handle != NULL) { dlclose (handle); }
|
||||
+static long
|
||||
+open_plugin_win32(struct plugin_file_handle *h, const char *filename,
|
||||
+ struct errinfo *ep)
|
||||
+{
|
||||
+ h->module = LoadLibrary(filename);
|
||||
+ if (h == NULL) {
|
||||
+ Tprintf("Unable to load dll: %s\n", filename);
|
||||
+ k5_set_error(ep, ENOENT, _("unable to load DLL [%s]"), filename);
|
||||
+ return ENOENT;
|
||||
}
|
||||
-#endif /* USE_DLOPEN */
|
||||
-
|
||||
-#ifdef _WIN32
|
||||
- if (!err && (statbuf.st_mode & S_IFMT) == S_IFREG) {
|
||||
- HMODULE handle = NULL;
|
||||
+ return 0;
|
||||
+}
|
||||
+#define open_plugin open_plugin_win32
|
||||
|
||||
- handle = LoadLibrary(filepath);
|
||||
- if (handle == NULL) {
|
||||
- Tprintf ("Unable to load dll: %s\n", filepath);
|
||||
- err = ENOENT; /* XXX */
|
||||
- k5_set_error(ep, err, _("unable to load DLL [%s]"), filepath);
|
||||
- }
|
||||
+static long
|
||||
+get_sym_win32(struct plugin_file_handle *h, const char *csymname,
|
||||
+ void **sym_out, struct errinfo *ep)
|
||||
+{
|
||||
+ LPVOID lpMsgBuf;
|
||||
+ DWORD dw;
|
||||
|
||||
- if (!err) {
|
||||
- got_plugin = 1;
|
||||
- htmp->hinstPlugin = handle;
|
||||
- handle = NULL;
|
||||
+ if (h->module == NULL)
|
||||
+ return ENOENT;
|
||||
+ *sym_out = GetProcAddress(h->module, csymname);
|
||||
+ if (*sym_out == NULL) {
|
||||
+ Tprintf("GetProcAddress(%s): %i\n", csymname, GetLastError());
|
||||
+ dw = GetLastError();
|
||||
+ if (FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER |
|
||||
+ FORMAT_MESSAGE_FROM_SYSTEM,
|
||||
+ NULL, dw, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
|
||||
+ (LPTSTR)&lpMsgBuf, 0, NULL)) {
|
||||
+ k5_set_error(ep, ENOENT, _("unable to get DLL Symbol: %s"),
|
||||
+ (char *)lpMsgBuf);
|
||||
+ LocalFree(lpMsgBuf);
|
||||
}
|
||||
-
|
||||
- if (handle != NULL)
|
||||
- FreeLibrary(handle);
|
||||
- }
|
||||
-#endif
|
||||
-
|
||||
- if (!err && !got_plugin) {
|
||||
- err = ENOENT; /* no plugin or no way to load plugins */
|
||||
- k5_set_error(ep, err, _("plugin unavailable: %s"), strerror(err));
|
||||
+ return ENOENT;
|
||||
}
|
||||
+ return 0;
|
||||
+}
|
||||
+#define get_sym get_sym_win32
|
||||
|
||||
- if (!err) {
|
||||
- *h = htmp;
|
||||
- htmp = NULL; /* h takes ownership */
|
||||
- }
|
||||
+static void
|
||||
+close_plugin_win32(struct plugin_file_handle *h)
|
||||
+{
|
||||
+ if (h->module != NULL)
|
||||
+ FreeLibrary(h->module);
|
||||
+}
|
||||
+#define close_plugin close_plugin_win32
|
||||
|
||||
- free(htmp);
|
||||
+#else
|
||||
|
||||
- return err;
|
||||
+static long
|
||||
+open_plugin_dummy(struct plugin_file_handle *h, const char *filename,
|
||||
+ struct errinfo *ep)
|
||||
+{
|
||||
+ k5_set_error(ep, ENOENT, _("plugin loading unavailable"));
|
||||
+ return ENOENT;
|
||||
}
|
||||
+#define open_plugin open_plugin_dummy
|
||||
|
||||
static long
|
||||
-krb5int_get_plugin_sym (struct plugin_file_handle *h,
|
||||
- const char *csymname, int isfunc, void **ptr,
|
||||
- struct errinfo *ep)
|
||||
+get_sym_dummy(struct plugin_file_handle *h, const char *csymname,
|
||||
+ void **sym_out, struct errinfo *ep)
|
||||
{
|
||||
- long err = 0;
|
||||
- void *sym = NULL;
|
||||
+ return ENOENT;
|
||||
+}
|
||||
+#define get_sym get_sym_dummy
|
||||
+
|
||||
+static void
|
||||
+close_plugin_dummy(struct plugin_file_handle *h)
|
||||
+{
|
||||
+}
|
||||
+#define close_plugin close_plugin_dummy
|
||||
|
||||
-#if USE_DLOPEN
|
||||
- if (!err && !sym && (h->dlhandle != NULL)) {
|
||||
- /* XXX Do we need to add a leading "_" to the symbol name on any
|
||||
- modern platforms? */
|
||||
- sym = dlsym (h->dlhandle, csymname);
|
||||
- if (sym == NULL) {
|
||||
- const char *e = dlerror (); /* XXX copy and save away */
|
||||
- if (e == NULL)
|
||||
- e = "unknown failure";
|
||||
- Tprintf ("dlsym(%s): %s\n", csymname, e);
|
||||
- err = ENOENT; /* XXX */
|
||||
- k5_set_error(ep, err, "%s", e);
|
||||
- }
|
||||
- }
|
||||
#endif
|
||||
|
||||
-#ifdef _WIN32
|
||||
- LPVOID lpMsgBuf;
|
||||
- DWORD dw;
|
||||
+long KRB5_CALLCONV
|
||||
+krb5int_open_plugin(const char *filename,
|
||||
+ struct plugin_file_handle **handle_out, struct errinfo *ep)
|
||||
+{
|
||||
+ long ret;
|
||||
+ struct plugin_file_handle *h;
|
||||
|
||||
- if (!err && !sym && (h->hinstPlugin != NULL)) {
|
||||
- sym = GetProcAddress(h->hinstPlugin, csymname);
|
||||
- if (sym == NULL) {
|
||||
- const char *e = "unable to get dll symbol"; /* XXX copy and save away */
|
||||
- Tprintf ("GetProcAddress(%s): %i\n", csymname, GetLastError());
|
||||
- err = ENOENT; /* XXX */
|
||||
- k5_set_error(ep, err, "%s", e);
|
||||
-
|
||||
- dw = GetLastError();
|
||||
- if (FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER |
|
||||
- FORMAT_MESSAGE_FROM_SYSTEM,
|
||||
- NULL,
|
||||
- dw,
|
||||
- MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
|
||||
- (LPTSTR) &lpMsgBuf,
|
||||
- 0, NULL )) {
|
||||
-
|
||||
- fprintf (stderr, "unable to get dll symbol, %s\n", (LPCTSTR)lpMsgBuf);
|
||||
- LocalFree(lpMsgBuf);
|
||||
- }
|
||||
- }
|
||||
- }
|
||||
-#endif
|
||||
+ *handle_out = NULL;
|
||||
|
||||
- if (!err && (sym == NULL)) {
|
||||
- err = ENOENT; /* unimplemented */
|
||||
- }
|
||||
+ h = calloc(1, sizeof(*h));
|
||||
+ if (h == NULL)
|
||||
+ return ENOMEM;
|
||||
|
||||
- if (!err) {
|
||||
- *ptr = sym;
|
||||
+ ret = open_plugin(h, filename, ep);
|
||||
+ if (ret) {
|
||||
+ free(h);
|
||||
+ return ret;
|
||||
}
|
||||
|
||||
- return err;
|
||||
+ *handle_out = h;
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
long KRB5_CALLCONV
|
||||
-krb5int_get_plugin_data (struct plugin_file_handle *h, const char *csymname,
|
||||
- void **ptr, struct errinfo *ep)
|
||||
+krb5int_get_plugin_data(struct plugin_file_handle *h, const char *csymname,
|
||||
+ void **sym_out, struct errinfo *ep)
|
||||
{
|
||||
- return krb5int_get_plugin_sym (h, csymname, 0, ptr, ep);
|
||||
+ return get_sym(h, csymname, sym_out, ep);
|
||||
}
|
||||
|
||||
long KRB5_CALLCONV
|
||||
-krb5int_get_plugin_func (struct plugin_file_handle *h, const char *csymname,
|
||||
- void (**ptr)(), struct errinfo *ep)
|
||||
+krb5int_get_plugin_func(struct plugin_file_handle *h, const char *csymname,
|
||||
+ void (**sym_out)(), struct errinfo *ep)
|
||||
{
|
||||
void *dptr = NULL;
|
||||
- long err = krb5int_get_plugin_sym (h, csymname, 1, &dptr, ep);
|
||||
- if (!err) {
|
||||
- /* Cast function pointers to avoid code duplication */
|
||||
- *ptr = (void (*)()) dptr;
|
||||
- }
|
||||
- return err;
|
||||
+ long ret = get_sym(h, csymname, &dptr, ep);
|
||||
+
|
||||
+ if (!ret)
|
||||
+ *sym_out = (void (*)())dptr;
|
||||
+ return ret;
|
||||
}
|
||||
|
||||
void KRB5_CALLCONV
|
||||
krb5int_close_plugin (struct plugin_file_handle *h)
|
||||
{
|
||||
-#if USE_DLOPEN
|
||||
- if (h->dlhandle != NULL) { dlclose(h->dlhandle); }
|
||||
-#endif
|
||||
-#ifdef _WIN32
|
||||
- if (h->hinstPlugin != NULL) { FreeLibrary(h->hinstPlugin); }
|
||||
-#endif
|
||||
- free (h);
|
||||
+ close_plugin(h);
|
||||
+ free(h);
|
||||
}
|
||||
|
||||
-/* autoconf docs suggest using this preference order */
|
||||
-#if HAVE_DIRENT_H || USE_DIRENT_H
|
||||
-#include <dirent.h>
|
||||
-#define NAMELEN(D) strlen((D)->d_name)
|
||||
-#else
|
||||
-#ifndef _WIN32
|
||||
-#define dirent direct
|
||||
-#define NAMELEN(D) ((D)->d->namlen)
|
||||
-#else
|
||||
-#define NAMELEN(D) strlen((D)->d_name)
|
||||
-#endif
|
||||
-#if HAVE_SYS_NDIR_H
|
||||
-# include <sys/ndir.h>
|
||||
-#elif HAVE_SYS_DIR_H
|
||||
-# include <sys/dir.h>
|
||||
-#elif HAVE_NDIR_H
|
||||
-# include <ndir.h>
|
||||
-#endif
|
||||
-#endif
|
||||
-
|
||||
static long
|
||||
krb5int_plugin_file_handle_array_init (struct plugin_file_handle ***harray)
|
||||
{
|
||||
@@ -619,42 +418,36 @@ krb5int_open_plugin_dirs (const char * const *dirnames,
|
||||
if (handle != NULL) { krb5int_close_plugin (handle); }
|
||||
}
|
||||
} else {
|
||||
- /* load all plugins in each directory */
|
||||
- DIR *dir = opendir (dirnames[i]);
|
||||
+ char **fnames = NULL;
|
||||
+ int j;
|
||||
|
||||
- while (dir != NULL && !err) {
|
||||
- struct dirent *d = NULL;
|
||||
+ err = k5_dir_filenames(dirnames[i], &fnames);
|
||||
+ for (j = 0; !err && fnames[j] != NULL; j++) {
|
||||
char *filepath = NULL;
|
||||
struct plugin_file_handle *handle = NULL;
|
||||
|
||||
- d = readdir (dir);
|
||||
- if (d == NULL) { break; }
|
||||
-
|
||||
- if ((strcmp (d->d_name, ".") == 0) ||
|
||||
- (strcmp (d->d_name, "..") == 0)) {
|
||||
+ if (strcmp(fnames[j], ".") == 0 ||
|
||||
+ strcmp(fnames[j], "..") == 0)
|
||||
continue;
|
||||
- }
|
||||
|
||||
- if (!err) {
|
||||
- int len = NAMELEN (d);
|
||||
- if (asprintf(&filepath, "%s/%*s", dirnames[i], len, d->d_name) < 0) {
|
||||
- filepath = NULL;
|
||||
- err = ENOMEM;
|
||||
- }
|
||||
+ if (asprintf(&filepath, "%s/%s", dirnames[i], fnames[j]) < 0) {
|
||||
+ filepath = NULL;
|
||||
+ err = ENOMEM;
|
||||
}
|
||||
|
||||
- if (!err) {
|
||||
- if (krb5int_open_plugin (filepath, &handle, ep) == 0) {
|
||||
- err = krb5int_plugin_file_handle_array_add (&h, &count, handle);
|
||||
- if (!err) { handle = NULL; } /* h takes ownership */
|
||||
- }
|
||||
+ if (!err && krb5int_open_plugin(filepath, &handle, ep) == 0) {
|
||||
+ err = krb5int_plugin_file_handle_array_add(&h, &count,
|
||||
+ handle);
|
||||
+ if (!err)
|
||||
+ handle = NULL; /* h takes ownership */
|
||||
}
|
||||
|
||||
free(filepath);
|
||||
- if (handle != NULL) { krb5int_close_plugin (handle); }
|
||||
+ if (handle != NULL)
|
||||
+ krb5int_close_plugin(handle);
|
||||
}
|
||||
|
||||
- if (dir != NULL) { closedir (dir); }
|
||||
+ k5_free_filenames(fnames);
|
||||
}
|
||||
}
|
||||
|
||||
--
|
||||
2.38.1
|
||||
|
@ -0,0 +1,120 @@
|
||||
From 52904f3693397dace4e9ef5db1cd7d14eaa3b1fb Mon Sep 17 00:00:00 2001
|
||||
From: Julien Rische <jrische@redhat.com>
|
||||
Date: Thu, 5 Jan 2023 20:06:47 +0100
|
||||
Subject: [PATCH] [downstream] Include missing OpenSSL FIPS header
|
||||
|
||||
The inclusion of openssl/fips.h, which provides the declaration of
|
||||
FIPS_mode(), was removed from openssl/crypto.h. As a consequence, this
|
||||
header file has to be included explicitly in krb5 code.
|
||||
---
|
||||
src/lib/crypto/krb/prng.c | 4 +++-
|
||||
src/lib/crypto/openssl/enc_provider/camellia.c | 1 +
|
||||
src/lib/crypto/openssl/enc_provider/rc4.c | 4 ++++
|
||||
src/lib/crypto/openssl/hmac.c | 1 +
|
||||
src/lib/krad/internal.h | 4 ++++
|
||||
src/plugins/preauth/spake/spake_client.c | 4 ++++
|
||||
src/plugins/preauth/spake/spake_kdc.c | 4 ++++
|
||||
7 files changed, 21 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/lib/crypto/krb/prng.c b/src/lib/crypto/krb/prng.c
|
||||
index 9e80a03d21..ae37c77518 100644
|
||||
--- a/src/lib/crypto/krb/prng.c
|
||||
+++ b/src/lib/crypto/krb/prng.c
|
||||
@@ -28,7 +28,9 @@
|
||||
|
||||
#include <openssl/rand.h>
|
||||
|
||||
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
||||
+#include <openssl/fips.h>
|
||||
+#else
|
||||
#include <openssl/crypto.h>
|
||||
#endif
|
||||
|
||||
diff --git a/src/lib/crypto/openssl/enc_provider/camellia.c b/src/lib/crypto/openssl/enc_provider/camellia.c
|
||||
index d9f327add6..3dd3b0624f 100644
|
||||
--- a/src/lib/crypto/openssl/enc_provider/camellia.c
|
||||
+++ b/src/lib/crypto/openssl/enc_provider/camellia.c
|
||||
@@ -32,6 +32,7 @@
|
||||
#include <openssl/camellia.h>
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
||||
#include <openssl/core_names.h>
|
||||
+#include <openssl/fips.h>
|
||||
#else
|
||||
#include <openssl/modes.h>
|
||||
#endif
|
||||
diff --git a/src/lib/crypto/openssl/enc_provider/rc4.c b/src/lib/crypto/openssl/enc_provider/rc4.c
|
||||
index ce63cb5f1b..6a83f10d27 100644
|
||||
--- a/src/lib/crypto/openssl/enc_provider/rc4.c
|
||||
+++ b/src/lib/crypto/openssl/enc_provider/rc4.c
|
||||
@@ -38,6 +38,10 @@
|
||||
|
||||
#include <openssl/evp.h>
|
||||
|
||||
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
||||
+#include <openssl/fips.h>
|
||||
+#endif
|
||||
+
|
||||
/*
|
||||
* The loopback field is a pointer to the structure. If the application copies
|
||||
* the state (not a valid operation, but one which happens to works with some
|
||||
diff --git a/src/lib/crypto/openssl/hmac.c b/src/lib/crypto/openssl/hmac.c
|
||||
index f21e268f7f..25a419d73a 100644
|
||||
--- a/src/lib/crypto/openssl/hmac.c
|
||||
+++ b/src/lib/crypto/openssl/hmac.c
|
||||
@@ -59,6 +59,7 @@
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
||||
#include <openssl/params.h>
|
||||
#include <openssl/core_names.h>
|
||||
+#include <openssl/fips.h>
|
||||
#else
|
||||
#include <openssl/hmac.h>
|
||||
#endif
|
||||
diff --git a/src/lib/krad/internal.h b/src/lib/krad/internal.h
|
||||
index e123763954..a17b6f39b1 100644
|
||||
--- a/src/lib/krad/internal.h
|
||||
+++ b/src/lib/krad/internal.h
|
||||
@@ -41,6 +41,10 @@
|
||||
|
||||
#include <openssl/crypto.h>
|
||||
|
||||
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
||||
+#include <openssl/fips.h>
|
||||
+#endif
|
||||
+
|
||||
#ifndef UCHAR_MAX
|
||||
#define UCHAR_MAX 255
|
||||
#endif
|
||||
diff --git a/src/plugins/preauth/spake/spake_client.c b/src/plugins/preauth/spake/spake_client.c
|
||||
index a3ce22b70f..13c699071f 100644
|
||||
--- a/src/plugins/preauth/spake/spake_client.c
|
||||
+++ b/src/plugins/preauth/spake/spake_client.c
|
||||
@@ -40,6 +40,10 @@
|
||||
|
||||
#include <openssl/crypto.h>
|
||||
|
||||
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
||||
+#include <openssl/fips.h>
|
||||
+#endif
|
||||
+
|
||||
typedef struct reqstate_st {
|
||||
krb5_pa_spake *msg; /* set in prep_questions, used in process */
|
||||
krb5_keyblock *initial_key;
|
||||
diff --git a/src/plugins/preauth/spake/spake_kdc.c b/src/plugins/preauth/spake/spake_kdc.c
|
||||
index 232e78bc05..3394f8a58e 100644
|
||||
--- a/src/plugins/preauth/spake/spake_kdc.c
|
||||
+++ b/src/plugins/preauth/spake/spake_kdc.c
|
||||
@@ -43,6 +43,10 @@
|
||||
|
||||
#include <openssl/crypto.h>
|
||||
|
||||
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
||||
+#include <openssl/fips.h>
|
||||
+#endif
|
||||
+
|
||||
/*
|
||||
* The SPAKE kdcpreauth module uses a secure cookie containing the following
|
||||
* concatenated fields (all integer fields are big-endian):
|
||||
--
|
||||
2.41.0
|
||||
|
@ -1,48 +0,0 @@
|
||||
From 75f71ace74449a6e5154314229bfa61960cd326c Mon Sep 17 00:00:00 2001
|
||||
From: Julien Rische <jrische@redhat.com>
|
||||
Date: Thu, 28 Jul 2022 15:20:12 +0200
|
||||
Subject: [PATCH] Update error checking for OpenSSL CMS_verify
|
||||
|
||||
The code for CMS data verification was initially written for OpenSSL's
|
||||
PKCS7_verify() function. It now uses CMS_verify(), but error handling
|
||||
is still done using PKCS7_verify() error identifiers. Update the
|
||||
recognized error codes so that the KDC generates
|
||||
KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED errors when appropriate.
|
||||
Use ERR_peek_last_error() to observe the error generated closest to
|
||||
the API surface.
|
||||
|
||||
[ghudson@mit.edu: edited commit message]
|
||||
|
||||
ticket: 9069 (new)
|
||||
tags: pullup
|
||||
target_version: 1.20-next
|
||||
---
|
||||
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 9 ++++++---
|
||||
1 file changed, 6 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||
index 1c2aa02827..16edf15cb2 100644
|
||||
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||
@@ -2102,12 +2102,15 @@ cms_signeddata_verify(krb5_context context,
|
||||
goto cleanup;
|
||||
out = BIO_new(BIO_s_mem());
|
||||
if (CMS_verify(cms, NULL, store, NULL, out, flags) == 0) {
|
||||
- unsigned long err = ERR_peek_error();
|
||||
+ unsigned long err = ERR_peek_last_error();
|
||||
switch(ERR_GET_REASON(err)) {
|
||||
- case PKCS7_R_DIGEST_FAILURE:
|
||||
+ case RSA_R_DIGEST_NOT_ALLOWED:
|
||||
+ case CMS_R_UNKNOWN_DIGEST_ALGORITHM:
|
||||
+ case CMS_R_NO_MATCHING_DIGEST:
|
||||
+ case CMS_R_NO_MATCHING_SIGNATURE:
|
||||
retval = KRB5KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED;
|
||||
break;
|
||||
- case PKCS7_R_SIGNATURE_FAILURE:
|
||||
+ case CMS_R_VERIFICATION_FAILURE:
|
||||
default:
|
||||
retval = KRB5KDC_ERR_INVALID_SIG;
|
||||
}
|
||||
--
|
||||
2.38.1
|
||||
|
@ -1,28 +0,0 @@
|
||||
From 3f8a3b57cf0e057635e570d5038fb52c19ca5744 Mon Sep 17 00:00:00 2001
|
||||
From: Julien Rische <jrische@redhat.com>
|
||||
Date: Fri, 19 Aug 2022 10:34:52 +0200
|
||||
Subject: [PATCH] [downstream] Catch SHA-1 digest disallowed error for
|
||||
PKINIT
|
||||
|
||||
An OpenSSL patch causes EVP_R_INVALID_DIGEST error to be raised if
|
||||
CMS_verify is called to verify a SHA-1 signature. If this error is
|
||||
caught, it will now return KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED.
|
||||
---
|
||||
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||
index 16edf15cb2..bfa3fe8e91 100644
|
||||
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||
@@ -2104,6 +2104,7 @@ cms_signeddata_verify(krb5_context context,
|
||||
if (CMS_verify(cms, NULL, store, NULL, out, flags) == 0) {
|
||||
unsigned long err = ERR_peek_last_error();
|
||||
switch(ERR_GET_REASON(err)) {
|
||||
+ case EVP_R_INVALID_DIGEST:
|
||||
case RSA_R_DIGEST_NOT_ALLOWED:
|
||||
case CMS_R_UNKNOWN_DIGEST_ALGORITHM:
|
||||
case CMS_R_NO_MATCHING_DIGEST:
|
||||
--
|
||||
2.38.1
|
||||
|
@ -1,239 +0,0 @@
|
||||
From 6ba011d89f9cf4661eb7110bf810cfdb514b69fa Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Mon, 19 Sep 2022 15:18:50 -0400
|
||||
Subject: [PATCH] Add and use ts_interval() helper
|
||||
|
||||
ts_delta() returns a signed result, which cannot hold an interval
|
||||
larger than 2^31-1 seconds. Intervals like this have been seen when
|
||||
admins set password expiration dates more than 68 years in the future.
|
||||
|
||||
Add a second helper ts_interval() which returns a signed result, and
|
||||
has the arguments reversed so that the start time is first. Use it in
|
||||
warn_pw_expiry() to handle the password expiration case, in the GSS
|
||||
krb5 mech where we return an unsigned context or credential lifetime
|
||||
to the caller, and in the KEYRING ccache type where we compute an
|
||||
unsigned keyring timeout.
|
||||
|
||||
ticket: 9071 (new)
|
||||
---
|
||||
src/include/k5-int.h | 9 +++++++++
|
||||
src/lib/gssapi/krb5/accept_sec_context.c | 10 ++++++----
|
||||
src/lib/gssapi/krb5/acquire_cred.c | 3 +--
|
||||
src/lib/gssapi/krb5/context_time.c | 2 +-
|
||||
src/lib/gssapi/krb5/init_sec_context.c | 4 ++--
|
||||
src/lib/gssapi/krb5/inq_context.c | 2 +-
|
||||
src/lib/gssapi/krb5/inq_cred.c | 2 +-
|
||||
src/lib/gssapi/krb5/s4u_gss_glue.c | 2 +-
|
||||
src/lib/krb5/ccache/cc_keyring.c | 4 ++--
|
||||
src/lib/krb5/krb/get_in_tkt.c | 15 +++++++--------
|
||||
10 files changed, 31 insertions(+), 22 deletions(-)
|
||||
|
||||
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
|
||||
index c3aecba7d4..768110e5ef 100644
|
||||
--- a/src/include/k5-int.h
|
||||
+++ b/src/include/k5-int.h
|
||||
@@ -2325,6 +2325,15 @@ ts_delta(krb5_timestamp a, krb5_timestamp b)
|
||||
return (krb5_deltat)((uint32_t)a - (uint32_t)b);
|
||||
}
|
||||
|
||||
+/* Return (end - start) as an unsigned 32-bit value, or 0 if start > end. */
|
||||
+static inline uint32_t
|
||||
+ts_interval(krb5_timestamp start, krb5_timestamp end)
|
||||
+{
|
||||
+ if ((uint32_t)start > (uint32_t)end)
|
||||
+ return 0;
|
||||
+ return (uint32_t)end - (uint32_t)start;
|
||||
+}
|
||||
+
|
||||
/* Increment a timestamp by a signed 32-bit interval, without relying on
|
||||
* undefined behavior. */
|
||||
static inline krb5_timestamp
|
||||
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
|
||||
index 1bc807172b..7de2c9fd77 100644
|
||||
--- a/src/lib/gssapi/krb5/accept_sec_context.c
|
||||
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
|
||||
@@ -353,8 +353,8 @@ kg_accept_dce(minor_status, context_handle, verifier_cred_handle,
|
||||
*mech_type = ctx->mech_used;
|
||||
|
||||
if (time_rec) {
|
||||
- *time_rec = ts_delta(ctx->krb_times.endtime, now) +
|
||||
- ctx->k5_context->clockskew;
|
||||
+ *time_rec = ts_interval(now - ctx->k5_context->clockskew,
|
||||
+ ctx->krb_times.endtime);
|
||||
}
|
||||
|
||||
/* Never return GSS_C_DELEG_FLAG since we don't support DCE credential
|
||||
@@ -1151,8 +1151,10 @@ kg_accept_krb5(minor_status, context_handle,
|
||||
|
||||
/* Add the maximum allowable clock skew as a grace period for context
|
||||
* expiration, just as we do for the ticket. */
|
||||
- if (time_rec)
|
||||
- *time_rec = ts_delta(ctx->krb_times.endtime, now) + context->clockskew;
|
||||
+ if (time_rec) {
|
||||
+ *time_rec = ts_interval(now - context->clockskew,
|
||||
+ ctx->krb_times.endtime);
|
||||
+ }
|
||||
|
||||
if (ret_flags)
|
||||
*ret_flags = ctx->gss_flags;
|
||||
diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c
|
||||
index e226a02692..006eba114d 100644
|
||||
--- a/src/lib/gssapi/krb5/acquire_cred.c
|
||||
+++ b/src/lib/gssapi/krb5/acquire_cred.c
|
||||
@@ -879,8 +879,7 @@ acquire_cred_context(krb5_context context, OM_uint32 *minor_status,
|
||||
GSS_C_NO_NAME);
|
||||
if (GSS_ERROR(ret))
|
||||
goto error_out;
|
||||
- *time_rec = ts_after(cred->expire, now) ?
|
||||
- ts_delta(cred->expire, now) : 0;
|
||||
+ *time_rec = ts_interval(now, cred->expire);
|
||||
k5_mutex_unlock(&cred->lock);
|
||||
}
|
||||
}
|
||||
diff --git a/src/lib/gssapi/krb5/context_time.c b/src/lib/gssapi/krb5/context_time.c
|
||||
index 1fdb5a16f2..5469d8154c 100644
|
||||
--- a/src/lib/gssapi/krb5/context_time.c
|
||||
+++ b/src/lib/gssapi/krb5/context_time.c
|
||||
@@ -51,7 +51,7 @@ krb5_gss_context_time(minor_status, context_handle, time_rec)
|
||||
return(GSS_S_FAILURE);
|
||||
}
|
||||
|
||||
- lifetime = ts_delta(ctx->krb_times.endtime, now);
|
||||
+ lifetime = ts_interval(now, ctx->krb_times.endtime);
|
||||
if (!ctx->initiate)
|
||||
lifetime += ctx->k5_context->clockskew;
|
||||
if (lifetime <= 0) {
|
||||
diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c
|
||||
index ea87cf6432..f0f094ccb7 100644
|
||||
--- a/src/lib/gssapi/krb5/init_sec_context.c
|
||||
+++ b/src/lib/gssapi/krb5/init_sec_context.c
|
||||
@@ -664,7 +664,7 @@ kg_new_connection(
|
||||
if (time_rec) {
|
||||
if ((code = krb5_timeofday(context, &now)))
|
||||
goto cleanup;
|
||||
- *time_rec = ts_delta(ctx->krb_times.endtime, now);
|
||||
+ *time_rec = ts_interval(now, ctx->krb_times.endtime);
|
||||
}
|
||||
|
||||
/* set the other returns */
|
||||
@@ -878,7 +878,7 @@ mutual_auth(
|
||||
if (time_rec) {
|
||||
if ((code = krb5_timeofday(context, &now)))
|
||||
goto fail;
|
||||
- *time_rec = ts_delta(ctx->krb_times.endtime, now);
|
||||
+ *time_rec = ts_interval(now, ctx->krb_times.endtime);
|
||||
}
|
||||
|
||||
if (ret_flags)
|
||||
diff --git a/src/lib/gssapi/krb5/inq_context.c b/src/lib/gssapi/krb5/inq_context.c
|
||||
index cac024da1f..51c484fdfe 100644
|
||||
--- a/src/lib/gssapi/krb5/inq_context.c
|
||||
+++ b/src/lib/gssapi/krb5/inq_context.c
|
||||
@@ -120,7 +120,7 @@ krb5_gss_inquire_context(minor_status, context_handle, initiator_name,
|
||||
|
||||
/* Add the maximum allowable clock skew as a grace period for context
|
||||
* expiration, just as we do for the ticket during authentication. */
|
||||
- lifetime = ts_delta(ctx->krb_times.endtime, now);
|
||||
+ lifetime = ts_interval(now, ctx->krb_times.endtime);
|
||||
if (!ctx->initiate)
|
||||
lifetime += context->clockskew;
|
||||
if (lifetime < 0)
|
||||
diff --git a/src/lib/gssapi/krb5/inq_cred.c b/src/lib/gssapi/krb5/inq_cred.c
|
||||
index bb63b726c8..0e675959a3 100644
|
||||
--- a/src/lib/gssapi/krb5/inq_cred.c
|
||||
+++ b/src/lib/gssapi/krb5/inq_cred.c
|
||||
@@ -131,7 +131,7 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
|
||||
}
|
||||
|
||||
if (cred->expire != 0) {
|
||||
- lifetime = ts_delta(cred->expire, now);
|
||||
+ lifetime = ts_interval(now, cred->expire);
|
||||
if (lifetime < 0)
|
||||
lifetime = 0;
|
||||
}
|
||||
diff --git a/src/lib/gssapi/krb5/s4u_gss_glue.c b/src/lib/gssapi/krb5/s4u_gss_glue.c
|
||||
index 7dcfe4e1eb..fa7f980af7 100644
|
||||
--- a/src/lib/gssapi/krb5/s4u_gss_glue.c
|
||||
+++ b/src/lib/gssapi/krb5/s4u_gss_glue.c
|
||||
@@ -279,7 +279,7 @@ kg_compose_deleg_cred(OM_uint32 *minor_status,
|
||||
if (code != 0)
|
||||
goto cleanup;
|
||||
|
||||
- *time_rec = ts_delta(cred->expire, now);
|
||||
+ *time_rec = ts_interval(now, cred->expire);
|
||||
}
|
||||
|
||||
major_status = GSS_S_COMPLETE;
|
||||
diff --git a/src/lib/krb5/ccache/cc_keyring.c b/src/lib/krb5/ccache/cc_keyring.c
|
||||
index ebef37d607..1dadeef64f 100644
|
||||
--- a/src/lib/krb5/ccache/cc_keyring.c
|
||||
+++ b/src/lib/krb5/ccache/cc_keyring.c
|
||||
@@ -762,7 +762,7 @@ update_keyring_expiration(krb5_context context, krb5_ccache id)
|
||||
|
||||
/* Setting the timeout to zero would reset the timeout, so we set it to one
|
||||
* second instead if creds are already expired. */
|
||||
- timeout = ts_after(endtime, now) ? ts_delta(endtime, now) : 1;
|
||||
+ timeout = ts_after(endtime, now) ? ts_interval(now, endtime) : 1;
|
||||
(void)keyctl_set_timeout(data->cache_id, timeout);
|
||||
}
|
||||
|
||||
@@ -1343,7 +1343,7 @@ krcc_store(krb5_context context, krb5_ccache id, krb5_creds *creds)
|
||||
|
||||
if (ts_after(creds->times.endtime, now)) {
|
||||
(void)keyctl_set_timeout(cred_key,
|
||||
- ts_delta(creds->times.endtime, now));
|
||||
+ ts_interval(now, creds->times.endtime));
|
||||
}
|
||||
|
||||
update_keyring_expiration(context, id);
|
||||
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
|
||||
index 8b5ab595e9..1b420a3ac2 100644
|
||||
--- a/src/lib/krb5/krb/get_in_tkt.c
|
||||
+++ b/src/lib/krb5/krb/get_in_tkt.c
|
||||
@@ -1522,7 +1522,7 @@ warn_pw_expiry(krb5_context context, krb5_get_init_creds_opt *options,
|
||||
void *expire_data;
|
||||
krb5_timestamp pw_exp, acct_exp, now;
|
||||
krb5_boolean is_last_req;
|
||||
- krb5_deltat delta;
|
||||
+ uint32_t interval;
|
||||
char ts[256], banner[1024];
|
||||
|
||||
if (as_reply == NULL || as_reply->enc_part2 == NULL)
|
||||
@@ -1553,8 +1553,8 @@ warn_pw_expiry(krb5_context context, krb5_get_init_creds_opt *options,
|
||||
ret = krb5_timeofday(context, &now);
|
||||
if (ret != 0)
|
||||
return;
|
||||
- if (!is_last_req &&
|
||||
- (ts_after(now, pw_exp) || ts_delta(pw_exp, now) > 7 * 24 * 60 * 60))
|
||||
+ interval = ts_interval(now, pw_exp);
|
||||
+ if (!is_last_req && (!interval || interval > 7 * 24 * 60 * 60))
|
||||
return;
|
||||
|
||||
if (!prompter)
|
||||
@@ -1564,19 +1564,18 @@ warn_pw_expiry(krb5_context context, krb5_get_init_creds_opt *options,
|
||||
if (ret != 0)
|
||||
return;
|
||||
|
||||
- delta = ts_delta(pw_exp, now);
|
||||
- if (delta < 3600) {
|
||||
+ if (interval < 3600) {
|
||||
snprintf(banner, sizeof(banner),
|
||||
_("Warning: Your password will expire in less than one hour "
|
||||
"on %s"), ts);
|
||||
- } else if (delta < 86400 * 2) {
|
||||
+ } else if (interval < 86400 * 2) {
|
||||
snprintf(banner, sizeof(banner),
|
||||
_("Warning: Your password will expire in %d hour%s on %s"),
|
||||
- delta / 3600, delta < 7200 ? "" : "s", ts);
|
||||
+ interval / 3600, interval < 7200 ? "" : "s", ts);
|
||||
} else {
|
||||
snprintf(banner, sizeof(banner),
|
||||
_("Warning: Your password will expire in %d days on %s"),
|
||||
- delta / 86400, ts);
|
||||
+ interval / 86400, ts);
|
||||
}
|
||||
|
||||
/* PROMPTER_INVOCATION */
|
||||
--
|
||||
2.38.1
|
||||
|
@ -0,0 +1,279 @@
|
||||
From 83c99246ae9b157e462142daddccca5e18c2f3fd Mon Sep 17 00:00:00 2001
|
||||
From: Julien Rische <jrische@redhat.com>
|
||||
Date: Wed, 15 Mar 2023 15:56:34 +0100
|
||||
Subject: [PATCH] [downstream] Allow to set PAC ticket signature as optional
|
||||
|
||||
MS-PAC states that "The ticket signature SHOULD be included in tickets
|
||||
that are not encrypted to the krbtgt account". However, the
|
||||
implementation of krb5_kdc_verify_ticket() will require the ticket
|
||||
signature to be present in case the target of the request is a service
|
||||
principal.
|
||||
|
||||
In gradual upgrade environments, it results in S4U2Proxy requests
|
||||
against a 1.20 KDC using a service ticket generated by an older version
|
||||
KDC to fail.
|
||||
|
||||
This commit adds a krb5_kdc_verify_ticket_ext() function with an extra
|
||||
switch parameter to tolerate the absence of ticket signature in this
|
||||
scenario. If the ticket signature is present, it has to be valid,
|
||||
regardless of this parameter.
|
||||
|
||||
This parameter is set based on the "optional_pac_tkt_chksum" string
|
||||
attribute of the TGT KDB entry.
|
||||
---
|
||||
doc/admin/admin_commands/kadmin_local.rst | 6 ++++
|
||||
doc/appdev/refs/api/index.rst | 1 +
|
||||
src/include/kdb.h | 1 +
|
||||
src/include/krb5/krb5.hin | 40 +++++++++++++++++++++++
|
||||
src/kdc/kdc_util.c | 32 ++++++++++++++----
|
||||
src/lib/krb5/krb/pac.c | 31 +++++++++++++++---
|
||||
src/lib/krb5/libkrb5.exports | 1 +
|
||||
src/man/kadmin.man | 6 ++++
|
||||
8 files changed, 108 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/doc/admin/admin_commands/kadmin_local.rst b/doc/admin/admin_commands/kadmin_local.rst
|
||||
index 2435b3c361..58ac79549f 100644
|
||||
--- a/doc/admin/admin_commands/kadmin_local.rst
|
||||
+++ b/doc/admin/admin_commands/kadmin_local.rst
|
||||
@@ -658,6 +658,12 @@ KDC:
|
||||
Directory realm when using aes-sha2 keys on the local krbtgt
|
||||
entry.
|
||||
|
||||
+**optional_pac_tkt_chksum**
|
||||
+ Boolean value defining the behavior of the KDC in case an expected
|
||||
+ ticket checksum signed with one of this principal keys is not
|
||||
+ present in the PAC. This is typically the case for TGS or
|
||||
+ cross-realm TGS principals when processing S4U2Proxy requests.
|
||||
+
|
||||
This command requires the **modify** privilege.
|
||||
|
||||
Alias: **setstr**
|
||||
diff --git a/doc/appdev/refs/api/index.rst b/doc/appdev/refs/api/index.rst
|
||||
index d12be47c3c..9b95ebd0f9 100644
|
||||
--- a/doc/appdev/refs/api/index.rst
|
||||
+++ b/doc/appdev/refs/api/index.rst
|
||||
@@ -225,6 +225,7 @@ Rarely used public interfaces
|
||||
krb5_is_referral_realm.rst
|
||||
krb5_kdc_sign_ticket.rst
|
||||
krb5_kdc_verify_ticket.rst
|
||||
+ krb5_kdc_verify_ticket_ext.rst
|
||||
krb5_kt_add_entry.rst
|
||||
krb5_kt_end_seq_get.rst
|
||||
krb5_kt_get_entry.rst
|
||||
diff --git a/src/include/kdb.h b/src/include/kdb.h
|
||||
index 745b24f351..6075349e5e 100644
|
||||
--- a/src/include/kdb.h
|
||||
+++ b/src/include/kdb.h
|
||||
@@ -136,6 +136,7 @@
|
||||
#define KRB5_KDB_SK_PAC_PRIVSVR_ENCTYPE "pac_privsvr_enctype"
|
||||
#define KRB5_KDB_SK_SESSION_ENCTYPES "session_enctypes"
|
||||
#define KRB5_KDB_SK_REQUIRE_AUTH "require_auth"
|
||||
+#define KRB5_KDB_SK_OPTIONAL_PAC_TKT_CHKSUM "optional_pac_tkt_chksum"
|
||||
|
||||
#if !defined(_WIN32)
|
||||
|
||||
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
|
||||
index 350bcf86f2..17e1b52266 100644
|
||||
--- a/src/include/krb5/krb5.hin
|
||||
+++ b/src/include/krb5/krb5.hin
|
||||
@@ -8356,6 +8356,46 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt,
|
||||
const krb5_keyblock *server,
|
||||
const krb5_keyblock *privsvr, krb5_pac *pac_out);
|
||||
|
||||
+/**
|
||||
+ * Verify a PAC, possibly including ticket signature
|
||||
+ *
|
||||
+ * @param [in] context Library context
|
||||
+ * @param [in] enc_tkt Ticket enc-part, possibly containing a PAC
|
||||
+ * @param [in] server_princ Canonicalized name of ticket server
|
||||
+ * @param [in] server Key to validate server checksum (or NULL)
|
||||
+ * @param [in] privsvr Key to validate KDC checksum (or NULL)
|
||||
+ * @paran [in] optional_tkt_chksum Whether to require a ticket checksum
|
||||
+ * @param [out] pac_out Verified PAC (NULL if no PAC included)
|
||||
+ *
|
||||
+ * This function is an extension of krb5_kdc_verify_ticket(), adding the @a
|
||||
+ * optional_tkt_chksum parameter allowing to tolerate the absence of the PAC
|
||||
+ * ticket signature.
|
||||
+ *
|
||||
+ * If a PAC is present in @a enc_tkt, verify its signatures. If @a privsvr is
|
||||
+ * not NULL and @a server_princ is not a krbtgt or kadmin/changepw service and
|
||||
+ * @a optional_tkt_chksum is FALSE, require a ticket signature over @a enc_tkt
|
||||
+ * in addition to the KDC signature. Place the verified PAC in @a pac_out. If
|
||||
+ * an invalid PAC signature is found, return an error matching the Windows KDC
|
||||
+ * protocol code for that condition as closely as possible.
|
||||
+ *
|
||||
+ * If no PAC is present in @a enc_tkt, set @a pac_out to NULL and return
|
||||
+ * successfully.
|
||||
+ *
|
||||
+ * @note This function does not validate the PAC_CLIENT_INFO buffer. If a
|
||||
+ * specific value is expected, the caller can make a separate call to
|
||||
+ * krb5_pac_verify_ext() with a principal but no keys.
|
||||
+ *
|
||||
+ * @retval 0 Success; otherwise - Kerberos error codes
|
||||
+ */
|
||||
+krb5_error_code KRB5_CALLCONV
|
||||
+krb5_kdc_verify_ticket_ext(krb5_context context,
|
||||
+ const krb5_enc_tkt_part *enc_tkt,
|
||||
+ krb5_const_principal server_princ,
|
||||
+ const krb5_keyblock *server,
|
||||
+ const krb5_keyblock *privsvr,
|
||||
+ krb5_boolean optional_tkt_chksum,
|
||||
+ krb5_pac *pac_out);
|
||||
+
|
||||
/** @deprecated Use krb5_kdc_sign_ticket() instead. */
|
||||
krb5_error_code KRB5_CALLCONV
|
||||
krb5_pac_sign(krb5_context context, krb5_pac pac, krb5_timestamp authtime,
|
||||
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
|
||||
index fe4e48209a..93415ba862 100644
|
||||
--- a/src/kdc/kdc_util.c
|
||||
+++ b/src/kdc/kdc_util.c
|
||||
@@ -560,16 +560,36 @@ cleanup:
|
||||
static krb5_error_code
|
||||
try_verify_pac(krb5_context context, const krb5_enc_tkt_part *enc_tkt,
|
||||
krb5_db_entry *server, krb5_keyblock *server_key,
|
||||
- const krb5_keyblock *tgt_key, krb5_pac *pac_out)
|
||||
+ krb5_db_entry *tgt, const krb5_keyblock *tgt_key,
|
||||
+ krb5_pac *pac_out)
|
||||
{
|
||||
krb5_error_code ret;
|
||||
+ krb5_boolean optional_tkt_chksum;
|
||||
+ char *str = NULL;
|
||||
krb5_keyblock *privsvr_key;
|
||||
|
||||
ret = pac_privsvr_key(context, server, tgt_key, &privsvr_key);
|
||||
if (ret)
|
||||
return ret;
|
||||
- ret = krb5_kdc_verify_ticket(context, enc_tkt, server->princ, server_key,
|
||||
- privsvr_key, pac_out);
|
||||
+
|
||||
+ /* Check if the absence of ticket signature is tolerated for this realm */
|
||||
+ ret = krb5_dbe_get_string(context, tgt,
|
||||
+ KRB5_KDB_SK_OPTIONAL_PAC_TKT_CHKSUM, &str);
|
||||
+ /* TODO: should be using _krb5_conf_boolean(), but os-proto.h is not
|
||||
+ * available here.
|
||||
+ */
|
||||
+ optional_tkt_chksum = !ret && str && (strncasecmp(str, "true", 4) == 0
|
||||
+ || strncasecmp(str, "t", 1) == 0
|
||||
+ || strncasecmp(str, "yes", 3) == 0
|
||||
+ || strncasecmp(str, "y", 1) == 0
|
||||
+ || strncasecmp(str, "1", 1) == 0
|
||||
+ || strncasecmp(str, "on", 2) == 0);
|
||||
+
|
||||
+ krb5_dbe_free_string(context, str);
|
||||
+
|
||||
+ ret = krb5_kdc_verify_ticket_ext(context, enc_tkt, server->princ,
|
||||
+ server_key, privsvr_key,
|
||||
+ optional_tkt_chksum, pac_out);
|
||||
krb5_free_keyblock(context, privsvr_key);
|
||||
return ret;
|
||||
}
|
||||
@@ -599,7 +619,7 @@ get_verified_pac(krb5_context context, const krb5_enc_tkt_part *enc_tkt,
|
||||
server_key, NULL, pac_out);
|
||||
}
|
||||
|
||||
- ret = try_verify_pac(context, enc_tkt, server, server_key, tgt_key,
|
||||
+ ret = try_verify_pac(context, enc_tkt, server, server_key, tgt, tgt_key,
|
||||
pac_out);
|
||||
if (ret != KRB5KRB_AP_ERR_MODIFIED && ret != KRB5_BAD_ENCTYPE)
|
||||
return ret;
|
||||
@@ -613,8 +633,8 @@ get_verified_pac(krb5_context context, const krb5_enc_tkt_part *enc_tkt,
|
||||
ret = krb5_dbe_decrypt_key_data(context, NULL, kd, &old_key, NULL);
|
||||
if (ret)
|
||||
return ret;
|
||||
- ret = try_verify_pac(context, enc_tkt, server, server_key, &old_key,
|
||||
- pac_out);
|
||||
+ ret = try_verify_pac(context, enc_tkt, server, server_key, tgt,
|
||||
+ &old_key, pac_out);
|
||||
krb5_free_keyblock_contents(context, &old_key);
|
||||
if (!ret)
|
||||
return 0;
|
||||
diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
|
||||
index 5d1fdf1ba0..0c0e2ada68 100644
|
||||
--- a/src/lib/krb5/krb/pac.c
|
||||
+++ b/src/lib/krb5/krb/pac.c
|
||||
@@ -594,6 +594,19 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt,
|
||||
krb5_const_principal server_princ,
|
||||
const krb5_keyblock *server,
|
||||
const krb5_keyblock *privsvr, krb5_pac *pac_out)
|
||||
+{
|
||||
+ return krb5_kdc_verify_ticket_ext(context, enc_tkt, server_princ, server,
|
||||
+ privsvr, FALSE, pac_out);
|
||||
+}
|
||||
+
|
||||
+krb5_error_code KRB5_CALLCONV
|
||||
+krb5_kdc_verify_ticket_ext(krb5_context context,
|
||||
+ const krb5_enc_tkt_part *enc_tkt,
|
||||
+ krb5_const_principal server_princ,
|
||||
+ const krb5_keyblock *server,
|
||||
+ const krb5_keyblock *privsvr,
|
||||
+ krb5_boolean optional_tkt_chksum,
|
||||
+ krb5_pac *pac_out)
|
||||
{
|
||||
krb5_error_code ret;
|
||||
krb5_pac pac = NULL;
|
||||
@@ -602,7 +615,7 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt,
|
||||
krb5_authdata *orig, **ifrel = NULL, **recoded_ifrel = NULL;
|
||||
uint8_t z = 0;
|
||||
krb5_authdata zpac = { KV5M_AUTHDATA, KRB5_AUTHDATA_WIN2K_PAC, 1, &z };
|
||||
- krb5_boolean is_service_tkt;
|
||||
+ krb5_boolean is_service_tkt, has_tkt_chksum = FALSE;
|
||||
size_t i, j;
|
||||
|
||||
*pac_out = NULL;
|
||||
@@ -667,11 +680,21 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt,
|
||||
|
||||
ret = verify_checksum(context, pac, KRB5_PAC_TICKET_CHECKSUM, privsvr,
|
||||
KRB5_KEYUSAGE_APP_DATA_CKSUM, recoded_tkt);
|
||||
- if (ret)
|
||||
- goto cleanup;
|
||||
+ if (ret) {
|
||||
+ if (!optional_tkt_chksum)
|
||||
+ goto cleanup;
|
||||
+ else if (ret != ENOENT)
|
||||
+ goto cleanup;
|
||||
+ /* Otherwise ticket signature is absent but optional. Proceed... */
|
||||
+ } else {
|
||||
+ has_tkt_chksum = TRUE;
|
||||
+ }
|
||||
}
|
||||
+ /* Else, we make the assumption the ticket signature is absent in case this
|
||||
+ * is not a service ticket.
|
||||
+ */
|
||||
|
||||
- ret = verify_pac_checksums(context, pac, is_service_tkt, server, privsvr);
|
||||
+ ret = verify_pac_checksums(context, pac, has_tkt_chksum, server, privsvr);
|
||||
if (ret)
|
||||
goto cleanup;
|
||||
|
||||
diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports
|
||||
index 4c50e935a2..d4b0455c8c 100644
|
||||
--- a/src/lib/krb5/libkrb5.exports
|
||||
+++ b/src/lib/krb5/libkrb5.exports
|
||||
@@ -463,6 +463,7 @@ krb5_is_thread_safe
|
||||
krb5_kdc_rep_decrypt_proc
|
||||
krb5_kdc_sign_ticket
|
||||
krb5_kdc_verify_ticket
|
||||
+krb5_kdc_verify_ticket_ext
|
||||
krb5_kt_add_entry
|
||||
krb5_kt_client_default
|
||||
krb5_kt_close
|
||||
diff --git a/src/man/kadmin.man b/src/man/kadmin.man
|
||||
index c29638a227..1da1609cc8 100644
|
||||
--- a/src/man/kadmin.man
|
||||
+++ b/src/man/kadmin.man
|
||||
@@ -724,6 +724,12 @@ encryption type. It may be necessary to set this value to
|
||||
"aes256\-sha1" on the cross\-realm krbtgt entry for an Active
|
||||
Directory realm when using aes\-sha2 keys on the local krbtgt
|
||||
entry.
|
||||
+.TP
|
||||
+\fBoptional_pac_tkt_chksum\fP
|
||||
+Boolean value defining the behavior of the KDC in case an expected ticket
|
||||
+checksum signed with one of this principal keys is not present in the PAC. This
|
||||
+is typically the case for TGS or cross-realm TGS principals when processing
|
||||
+S4U2Proxy requests.
|
||||
.UNINDENT
|
||||
.sp
|
||||
This command requires the \fBmodify\fP privilege.
|
||||
--
|
||||
2.41.0
|
||||
|
@ -0,0 +1,47 @@
|
||||
From fef5896463a50e94d3a68f59f7c78a6e943ac5ad Mon Sep 17 00:00:00 2001
|
||||
From: Julien Rische <jrische@redhat.com>
|
||||
Date: Tue, 23 May 2023 12:19:54 +0200
|
||||
Subject: [PATCH] [downstream] Make PKINIT CMS SHA-1 signature verification
|
||||
available in FIPS mode
|
||||
|
||||
We recommend using the SHA1 crypto-module in order to allow the
|
||||
verification of SHA-1 signature for CMS messages. However, this module
|
||||
does not work in FIPS mode, because the SHA-1 algorithm is absent from
|
||||
the OpenSSL FIPS provider.
|
||||
|
||||
This commit enables the signature verification process to fetch the
|
||||
algorithm from a non-FIPS OpenSSL provider.
|
||||
|
||||
Support for SHA-1 CMS signature is still required, especially in order
|
||||
to interoperate with Active Directory. At least it is until elliptic
|
||||
curve cryptography is implemented for PKINIT in MIT krb5.
|
||||
---
|
||||
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 11 ++++++++++-
|
||||
1 file changed, 10 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||
index f41328763e..263ef7845e 100644
|
||||
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||
@@ -1844,8 +1844,17 @@ cms_signeddata_verify(krb5_context context,
|
||||
if (oid == NULL)
|
||||
goto cleanup;
|
||||
|
||||
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
||||
+ /* Do not use FIPS provider (even in FIPS mode) because it keeps from
|
||||
+ * allowing SHA-1 signature verification using the SHA1 crypto-module
|
||||
+ */
|
||||
+ cms = CMS_ContentInfo_new_ex(NULL, "-fips");
|
||||
+ if (!cms)
|
||||
+ goto cleanup;
|
||||
+#endif
|
||||
+
|
||||
/* decode received CMS message */
|
||||
- if ((cms = d2i_CMS_ContentInfo(NULL, &p, (int)signed_data_len)) == NULL) {
|
||||
+ if (!d2i_CMS_ContentInfo(&cms, &p, (int)signed_data_len)) {
|
||||
retval = oerr(context, 0, _("Failed to decode CMS message"));
|
||||
goto cleanup;
|
||||
}
|
||||
--
|
||||
2.41.0
|
||||
|
@ -0,0 +1,217 @@
|
||||
From 906d3441b846ed09882490b6128db6fedf39e63b Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Tue, 30 May 2023 01:21:48 -0400
|
||||
Subject: [PATCH] Enable PKINIT if at least one group is available
|
||||
|
||||
OpenSSL may no longer allow decoding of non-well-known Diffie-Hellman
|
||||
group parameters as EVP_PKEY objects in FIPS mode. However, OpenSSL
|
||||
does not know about MODP group 2 (1024-bit), which is considered as a
|
||||
custom group. As a consequence, the PKINIT kdcpreauth module fails to
|
||||
load in FIPS mode.
|
||||
|
||||
Allow initialization of PKINIT plugin if at least one of the MODP
|
||||
well-known group parameters successfully decodes.
|
||||
|
||||
[ghudson@mit.edu: minor commit message and code edits]
|
||||
|
||||
ticket: 9096 (new)
|
||||
---
|
||||
src/plugins/preauth/pkinit/pkinit_clnt.c | 2 +-
|
||||
src/plugins/preauth/pkinit/pkinit_crypto.h | 3 +-
|
||||
.../preauth/pkinit/pkinit_crypto_openssl.c | 76 +++++++++++--------
|
||||
src/plugins/preauth/pkinit/pkinit_srv.c | 2 +-
|
||||
src/plugins/preauth/pkinit/pkinit_trace.h | 3 +
|
||||
5 files changed, 51 insertions(+), 35 deletions(-)
|
||||
|
||||
diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
|
||||
index 725d5bc438..ea9ba454df 100644
|
||||
--- a/src/plugins/preauth/pkinit/pkinit_clnt.c
|
||||
+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
|
||||
@@ -1378,7 +1378,7 @@ pkinit_client_plugin_init(krb5_context context,
|
||||
if (retval)
|
||||
goto errout;
|
||||
|
||||
- retval = pkinit_init_plg_crypto(&ctx->cryptoctx);
|
||||
+ retval = pkinit_init_plg_crypto(context, &ctx->cryptoctx);
|
||||
if (retval)
|
||||
goto errout;
|
||||
|
||||
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h
|
||||
index 9fa315d7a0..8bdbea8e95 100644
|
||||
--- a/src/plugins/preauth/pkinit/pkinit_crypto.h
|
||||
+++ b/src/plugins/preauth/pkinit/pkinit_crypto.h
|
||||
@@ -103,7 +103,8 @@ typedef struct _pkinit_cert_matching_data {
|
||||
/*
|
||||
* Functions to initialize and cleanup crypto contexts
|
||||
*/
|
||||
-krb5_error_code pkinit_init_plg_crypto(pkinit_plg_crypto_context *);
|
||||
+krb5_error_code pkinit_init_plg_crypto(krb5_context,
|
||||
+ pkinit_plg_crypto_context *);
|
||||
void pkinit_fini_plg_crypto(pkinit_plg_crypto_context);
|
||||
|
||||
krb5_error_code pkinit_init_req_crypto(pkinit_req_crypto_context *);
|
||||
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||
index 263ef7845e..d646073d55 100644
|
||||
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||
@@ -47,7 +47,8 @@
|
||||
static krb5_error_code pkinit_init_pkinit_oids(pkinit_plg_crypto_context );
|
||||
static void pkinit_fini_pkinit_oids(pkinit_plg_crypto_context );
|
||||
|
||||
-static krb5_error_code pkinit_init_dh_params(pkinit_plg_crypto_context );
|
||||
+static krb5_error_code pkinit_init_dh_params(krb5_context,
|
||||
+ pkinit_plg_crypto_context);
|
||||
static void pkinit_fini_dh_params(pkinit_plg_crypto_context );
|
||||
|
||||
static krb5_error_code pkinit_init_certs(pkinit_identity_crypto_context ctx);
|
||||
@@ -951,7 +952,8 @@ oerr_cert(krb5_context context, krb5_error_code code, X509_STORE_CTX *certctx,
|
||||
}
|
||||
|
||||
krb5_error_code
|
||||
-pkinit_init_plg_crypto(pkinit_plg_crypto_context *cryptoctx)
|
||||
+pkinit_init_plg_crypto(krb5_context context,
|
||||
+ pkinit_plg_crypto_context *cryptoctx)
|
||||
{
|
||||
krb5_error_code retval = ENOMEM;
|
||||
pkinit_plg_crypto_context ctx = NULL;
|
||||
@@ -969,7 +971,7 @@ pkinit_init_plg_crypto(pkinit_plg_crypto_context *cryptoctx)
|
||||
if (retval)
|
||||
goto out;
|
||||
|
||||
- retval = pkinit_init_dh_params(ctx);
|
||||
+ retval = pkinit_init_dh_params(context, ctx);
|
||||
if (retval)
|
||||
goto out;
|
||||
|
||||
@@ -1278,30 +1280,36 @@ pkinit_fini_pkinit_oids(pkinit_plg_crypto_context ctx)
|
||||
ASN1_OBJECT_free(ctx->id_kp_serverAuth);
|
||||
}
|
||||
|
||||
-static krb5_error_code
|
||||
-pkinit_init_dh_params(pkinit_plg_crypto_context plgctx)
|
||||
+static int
|
||||
+try_import_group(krb5_context context, const krb5_data *params,
|
||||
+ const char *name, EVP_PKEY **pkey_out)
|
||||
{
|
||||
- krb5_error_code retval = ENOMEM;
|
||||
-
|
||||
- plgctx->dh_1024 = decode_dh_params(&oakley_1024);
|
||||
- if (plgctx->dh_1024 == NULL)
|
||||
- goto cleanup;
|
||||
-
|
||||
- plgctx->dh_2048 = decode_dh_params(&oakley_2048);
|
||||
- if (plgctx->dh_2048 == NULL)
|
||||
- goto cleanup;
|
||||
+ *pkey_out = decode_dh_params(params);
|
||||
+ if (*pkey_out == NULL)
|
||||
+ TRACE_PKINIT_DH_GROUP_UNAVAILABLE(context, name);
|
||||
+ return (*pkey_out != NULL) ? 1 : 0;
|
||||
+}
|
||||
|
||||
- plgctx->dh_4096 = decode_dh_params(&oakley_4096);
|
||||
- if (plgctx->dh_4096 == NULL)
|
||||
- goto cleanup;
|
||||
+static krb5_error_code
|
||||
+pkinit_init_dh_params(krb5_context context, pkinit_plg_crypto_context plgctx)
|
||||
+{
|
||||
+ int n = 0;
|
||||
|
||||
- retval = 0;
|
||||
+ n += try_import_group(context, &oakley_1024, "MODP 2 (1024-bit)",
|
||||
+ &plgctx->dh_1024);
|
||||
+ n += try_import_group(context, &oakley_2048, "MODP 14 (2048-bit)",
|
||||
+ &plgctx->dh_2048);
|
||||
+ n += try_import_group(context, &oakley_4096, "MODP 16 (4096-bit)",
|
||||
+ &plgctx->dh_4096);
|
||||
|
||||
-cleanup:
|
||||
- if (retval)
|
||||
+ if (n == 0) {
|
||||
pkinit_fini_dh_params(plgctx);
|
||||
+ k5_setmsg(context, ENOMEM,
|
||||
+ _("PKINIT cannot initialize any key exchange groups"));
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
|
||||
- return retval;
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
static void
|
||||
@@ -2910,11 +2918,11 @@ client_create_dh(krb5_context context,
|
||||
|
||||
if (cryptoctx->received_params != NULL)
|
||||
params = cryptoctx->received_params;
|
||||
- else if (dh_size == 1024)
|
||||
+ else if (plg_cryptoctx->dh_1024 != NULL && dh_size == 1024)
|
||||
params = plg_cryptoctx->dh_1024;
|
||||
- else if (dh_size == 2048)
|
||||
+ else if (plg_cryptoctx->dh_2048 != NULL && dh_size == 2048)
|
||||
params = plg_cryptoctx->dh_2048;
|
||||
- else if (dh_size == 4096)
|
||||
+ else if (plg_cryptoctx->dh_4096 != NULL && dh_size == 4096)
|
||||
params = plg_cryptoctx->dh_4096;
|
||||
else
|
||||
goto cleanup;
|
||||
@@ -3210,19 +3218,23 @@ pkinit_create_td_dh_parameters(krb5_context context,
|
||||
krb5_algorithm_identifier alg_4096 = { dh_oid, oakley_4096 };
|
||||
krb5_algorithm_identifier *alglist[4];
|
||||
|
||||
- if (opts->dh_min_bits > 4096) {
|
||||
- ret = KRB5KRB_ERR_GENERIC;
|
||||
- goto cleanup;
|
||||
- }
|
||||
-
|
||||
i = 0;
|
||||
- if (opts->dh_min_bits <= 2048)
|
||||
+ if (plg_cryptoctx->dh_2048 != NULL && opts->dh_min_bits <= 2048)
|
||||
alglist[i++] = &alg_2048;
|
||||
- alglist[i++] = &alg_4096;
|
||||
- if (opts->dh_min_bits <= 1024)
|
||||
+ if (plg_cryptoctx->dh_4096 != NULL && opts->dh_min_bits <= 4096)
|
||||
+ alglist[i++] = &alg_4096;
|
||||
+ if (plg_cryptoctx->dh_1024 != NULL && opts->dh_min_bits <= 1024)
|
||||
alglist[i++] = &alg_1024;
|
||||
alglist[i] = NULL;
|
||||
|
||||
+ if (i == 0) {
|
||||
+ ret = KRB5KRB_ERR_GENERIC;
|
||||
+ k5_setmsg(context, ret,
|
||||
+ _("OpenSSL has no supported key exchange groups for "
|
||||
+ "pkinit_dh_min_bits=%d"), opts->dh_min_bits);
|
||||
+ goto cleanup;
|
||||
+ }
|
||||
+
|
||||
ret = k5int_encode_krb5_td_dh_parameters(alglist, &der_alglist);
|
||||
if (ret)
|
||||
goto cleanup;
|
||||
diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
|
||||
index 1b3bf6d4d0..768a4e559f 100644
|
||||
--- a/src/plugins/preauth/pkinit/pkinit_srv.c
|
||||
+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
|
||||
@@ -1222,7 +1222,7 @@ pkinit_server_plugin_init_realm(krb5_context context, const char *realmname,
|
||||
goto errout;
|
||||
plgctx->realmname_len = strlen(plgctx->realmname);
|
||||
|
||||
- retval = pkinit_init_plg_crypto(&plgctx->cryptoctx);
|
||||
+ retval = pkinit_init_plg_crypto(context, &plgctx->cryptoctx);
|
||||
if (retval)
|
||||
goto errout;
|
||||
|
||||
diff --git a/src/plugins/preauth/pkinit/pkinit_trace.h b/src/plugins/preauth/pkinit/pkinit_trace.h
|
||||
index 259e95c6c2..5ee39c085c 100644
|
||||
--- a/src/plugins/preauth/pkinit/pkinit_trace.h
|
||||
+++ b/src/plugins/preauth/pkinit/pkinit_trace.h
|
||||
@@ -90,6 +90,9 @@
|
||||
#define TRACE_PKINIT_CLIENT_TRYAGAIN(c) \
|
||||
TRACE(c, "PKINIT client trying again with KDC-provided parameters")
|
||||
|
||||
+#define TRACE_PKINIT_DH_GROUP_UNAVAILABLE(c, name) \
|
||||
+ TRACE(c, "PKINIT key exchange group {str} unsupported", name)
|
||||
+
|
||||
#define TRACE_PKINIT_OPENSSL_ERROR(c, msg) \
|
||||
TRACE(c, "PKINIT OpenSSL error: {str}", msg)
|
||||
|
||||
--
|
||||
2.41.0
|
||||
|
@ -0,0 +1,48 @@
|
||||
From 137e424f7ae7c054e1dcb41c929a961bb021ed8b Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schneider <asn@samba.org>
|
||||
Date: Fri, 4 Aug 2023 09:54:06 +0200
|
||||
Subject: [PATCH] Fix double-free in KDC TGS processing
|
||||
|
||||
When issuing a ticket for a TGS renew or validate request, copy only
|
||||
the server field from the outer part of the header ticket to the new
|
||||
ticket. Copying the whole structure causes the enc_part pointer to be
|
||||
aliased to the header ticket until krb5_encrypt_tkt_part() is called,
|
||||
resulting in a double-free if handle_authdata() fails.
|
||||
|
||||
[ghudson@mit.edu: changed the fix to avoid aliasing enc_part rather
|
||||
than check for aliasing before freeing; rewrote commit message]
|
||||
|
||||
CVE-2023-39975:
|
||||
|
||||
In MIT krb5 release 1.21, an authenticated attacker can cause a KDC to
|
||||
free the same pointer twice if it can induce a failure in
|
||||
authorization data handling.
|
||||
|
||||
ticket: 9101 (new)
|
||||
tags: pullup
|
||||
target_version: 1.21-next
|
||||
|
||||
(cherry picked from commit 88a1701b423c13991a8064feeb26952d3641d840)
|
||||
---
|
||||
src/kdc/do_tgs_req.c | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
|
||||
index 6e4c8fa9f3..0acc45850f 100644
|
||||
--- a/src/kdc/do_tgs_req.c
|
||||
+++ b/src/kdc/do_tgs_req.c
|
||||
@@ -1010,8 +1010,9 @@ tgs_issue_ticket(kdc_realm_t *realm, struct tgs_req_info *t,
|
||||
}
|
||||
|
||||
if (t->req->kdc_options & (KDC_OPT_VALIDATE | KDC_OPT_RENEW)) {
|
||||
- /* Copy the whole header ticket except for authorization data. */
|
||||
- ticket_reply = *t->header_tkt;
|
||||
+ /* Copy the header ticket server and all enc-part fields except for
|
||||
+ * authorization data. */
|
||||
+ ticket_reply.server = t->header_tkt->server;
|
||||
enc_tkt_reply = *t->header_tkt->enc_part2;
|
||||
enc_tkt_reply.authorization_data = NULL;
|
||||
} else {
|
||||
--
|
||||
2.41.0
|
||||
|
@ -1,672 +0,0 @@
|
||||
From f09300d9a9988215263775ac122b7ea2898d04db Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Thu, 22 Dec 2022 03:05:23 -0500
|
||||
Subject: [PATCH] Add PAC full checksums
|
||||
|
||||
A paper by Tom Tervoort noted that computing the PAC privsvr checksum
|
||||
over only the server checksum is vulnerable to collision attacks
|
||||
(CVE-2022-37967). In response, Microsoft has added a second KDC
|
||||
checksum over the full contents of the PAC. Generate and verify full
|
||||
KDC checksums in PACs for service tickets. Update the t_pac.c ticket
|
||||
test case to use a ticket issued by a recent version of Active
|
||||
Directory (provided by Stefan Metzmacher).
|
||||
|
||||
ticket: 9084 (new)
|
||||
---
|
||||
doc/appdev/refs/macros/index.rst | 1 +
|
||||
src/include/krb5/krb5.hin | 1 +
|
||||
src/lib/krb5/krb/pac.c | 92 +++++++++--------
|
||||
src/lib/krb5/krb/pac_sign.c | 146 +++++++++++++++-----------
|
||||
src/lib/krb5/krb/t_pac.c | 171 ++++++++++++++++++-------------
|
||||
src/tests/t_authdata.py | 4 +-
|
||||
6 files changed, 240 insertions(+), 175 deletions(-)
|
||||
|
||||
diff --git a/doc/appdev/refs/macros/index.rst b/doc/appdev/refs/macros/index.rst
|
||||
index 5f34dea5e8..3eeee25593 100644
|
||||
--- a/doc/appdev/refs/macros/index.rst
|
||||
+++ b/doc/appdev/refs/macros/index.rst
|
||||
@@ -247,6 +247,7 @@ Public
|
||||
KRB5_PAC_SERVER_CHECKSUM.rst
|
||||
KRB5_PAC_TICKET_CHECKSUM.rst
|
||||
KRB5_PAC_UPN_DNS_INFO.rst
|
||||
+ KRB5_PAC_FULL_CHECKSUM.rst
|
||||
KRB5_PADATA_AFS3_SALT.rst
|
||||
KRB5_PADATA_AP_REQ.rst
|
||||
KRB5_PADATA_AS_CHECKSUM.rst
|
||||
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
|
||||
index fb9f2a366c..2ba4010514 100644
|
||||
--- a/src/include/krb5/krb5.hin
|
||||
+++ b/src/include/krb5/krb5.hin
|
||||
@@ -8164,6 +8164,7 @@ krb5_verify_authdata_kdc_issued(krb5_context context,
|
||||
#define KRB5_PAC_TICKET_CHECKSUM 16 /**< Ticket checksum */
|
||||
#define KRB5_PAC_ATTRIBUTES_INFO 17 /**< PAC attributes */
|
||||
#define KRB5_PAC_REQUESTOR 18 /**< PAC requestor SID */
|
||||
+#define KRB5_PAC_FULL_CHECKSUM 19 /**< KDC full checksum */
|
||||
|
||||
struct krb5_pac_data;
|
||||
/** PAC data structure to convey authorization information */
|
||||
diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
|
||||
index f6c4373de0..954482e0c7 100644
|
||||
--- a/src/lib/krb5/krb/pac.c
|
||||
+++ b/src/lib/krb5/krb/pac.c
|
||||
@@ -490,7 +490,8 @@ zero_signature(krb5_context context, const krb5_pac pac, krb5_ui_4 type,
|
||||
size_t i;
|
||||
|
||||
assert(type == KRB5_PAC_SERVER_CHECKSUM ||
|
||||
- type == KRB5_PAC_PRIVSVR_CHECKSUM);
|
||||
+ type == KRB5_PAC_PRIVSVR_CHECKSUM ||
|
||||
+ type == KRB5_PAC_FULL_CHECKSUM);
|
||||
assert(data->length >= pac->data.length);
|
||||
|
||||
for (i = 0; i < pac->pac->cBuffers; i++) {
|
||||
@@ -557,17 +558,17 @@ verify_checksum(krb5_context context, const krb5_pac pac, uint32_t buffer_type,
|
||||
}
|
||||
|
||||
static krb5_error_code
|
||||
-verify_server_checksum(krb5_context context, const krb5_pac pac,
|
||||
- const krb5_keyblock *server)
|
||||
+verify_pac_checksums(krb5_context context, const krb5_pac pac,
|
||||
+ krb5_boolean expect_full_checksum,
|
||||
+ const krb5_keyblock *server, const krb5_keyblock *privsvr)
|
||||
{
|
||||
krb5_error_code ret;
|
||||
- krb5_data copy; /* PAC with zeroed checksums */
|
||||
+ krb5_data copy, server_checksum;
|
||||
|
||||
+ /* Make a copy of the PAC with zeroed out server and privsvr checksums. */
|
||||
ret = krb5int_copy_data_contents(context, &pac->data, ©);
|
||||
if (ret)
|
||||
return ret;
|
||||
-
|
||||
- /* Zero out both checksum buffers */
|
||||
ret = zero_signature(context, pac, KRB5_PAC_SERVER_CHECKSUM, ©);
|
||||
if (ret)
|
||||
goto cleanup;
|
||||
@@ -575,32 +576,46 @@ verify_server_checksum(krb5_context context, const krb5_pac pac,
|
||||
if (ret)
|
||||
goto cleanup;
|
||||
|
||||
- ret = verify_checksum(context, pac, KRB5_PAC_SERVER_CHECKSUM, server,
|
||||
- KRB5_KEYUSAGE_APP_DATA_CKSUM, ©);
|
||||
+ if (server != NULL) {
|
||||
+ /* Verify the server checksum over the PAC copy. */
|
||||
+ ret = verify_checksum(context, pac, KRB5_PAC_SERVER_CHECKSUM, server,
|
||||
+ KRB5_KEYUSAGE_APP_DATA_CKSUM, ©);
|
||||
+ }
|
||||
|
||||
-cleanup:
|
||||
- free(copy.data);
|
||||
- return ret;
|
||||
-}
|
||||
+ if (privsvr != NULL && expect_full_checksum) {
|
||||
+ /* Zero the full checksum buffer in the copy and verify the full
|
||||
+ * checksum over the copy with all three checksums zeroed. */
|
||||
+ ret = zero_signature(context, pac, KRB5_PAC_FULL_CHECKSUM, ©);
|
||||
+ if (ret)
|
||||
+ goto cleanup;
|
||||
+ ret = verify_checksum(context, pac, KRB5_PAC_FULL_CHECKSUM, privsvr,
|
||||
+ KRB5_KEYUSAGE_APP_DATA_CKSUM, ©);
|
||||
+ if (ret)
|
||||
+ goto cleanup;
|
||||
+ }
|
||||
|
||||
-static krb5_error_code
|
||||
-verify_kdc_checksum(krb5_context context, const krb5_pac pac,
|
||||
- const krb5_keyblock *privsvr)
|
||||
-{
|
||||
- krb5_error_code ret;
|
||||
- krb5_data server_checksum;
|
||||
+ if (privsvr != NULL) {
|
||||
+ /* Verify the privsvr checksum over the server checksum. */
|
||||
+ ret = k5_pac_locate_buffer(context, pac, KRB5_PAC_SERVER_CHECKSUM,
|
||||
+ &server_checksum);
|
||||
+ if (ret)
|
||||
+ return ret;
|
||||
+ if (server_checksum.length < PAC_SIGNATURE_DATA_LENGTH)
|
||||
+ return KRB5_BAD_MSIZE;
|
||||
+ server_checksum.data += PAC_SIGNATURE_DATA_LENGTH;
|
||||
+ server_checksum.length -= PAC_SIGNATURE_DATA_LENGTH;
|
||||
|
||||
- ret = k5_pac_locate_buffer(context, pac, KRB5_PAC_SERVER_CHECKSUM,
|
||||
- &server_checksum);
|
||||
- if (ret)
|
||||
- return ret;
|
||||
- if (server_checksum.length < PAC_SIGNATURE_DATA_LENGTH)
|
||||
- return KRB5_BAD_MSIZE;
|
||||
- server_checksum.data += PAC_SIGNATURE_DATA_LENGTH;
|
||||
- server_checksum.length -= PAC_SIGNATURE_DATA_LENGTH;
|
||||
+ ret = verify_checksum(context, pac, KRB5_PAC_PRIVSVR_CHECKSUM, privsvr,
|
||||
+ KRB5_KEYUSAGE_APP_DATA_CKSUM, &server_checksum);
|
||||
+ if (ret)
|
||||
+ goto cleanup;
|
||||
+ }
|
||||
+
|
||||
+ pac->verified = TRUE;
|
||||
|
||||
- return verify_checksum(context, pac, KRB5_PAC_PRIVSVR_CHECKSUM, privsvr,
|
||||
- KRB5_KEYUSAGE_APP_DATA_CKSUM, &server_checksum);
|
||||
+cleanup:
|
||||
+ free(copy.data);
|
||||
+ return ret;
|
||||
}
|
||||
|
||||
/* Per MS-PAC 2.8.3, tickets encrypted to TGS and password change principals
|
||||
@@ -628,6 +643,7 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt,
|
||||
krb5_authdata **authdata, *orig, **ifrel = NULL, **recoded_ifrel = NULL;
|
||||
uint8_t z = 0;
|
||||
krb5_authdata zpac = { KV5M_AUTHDATA, KRB5_AUTHDATA_WIN2K_PAC, 1, &z };
|
||||
+ krb5_boolean is_service_tkt;
|
||||
size_t i, j;
|
||||
|
||||
*pac_out = NULL;
|
||||
@@ -669,7 +685,8 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt,
|
||||
if (ret)
|
||||
goto cleanup;
|
||||
|
||||
- if (privsvr != NULL && k5_pac_should_have_ticket_signature(server_princ)) {
|
||||
+ is_service_tkt = k5_pac_should_have_ticket_signature(server_princ);
|
||||
+ if (privsvr != NULL && is_service_tkt) {
|
||||
/* To check the PAC ticket signatures, re-encode the ticket with the
|
||||
* PAC contents replaced by a single zero. */
|
||||
orig = ifrel[j];
|
||||
@@ -693,8 +710,9 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt,
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
- ret = krb5_pac_verify_ext(context, pac, enc_tkt->times.authtime, NULL,
|
||||
- server, privsvr, FALSE);
|
||||
+ ret = verify_pac_checksums(context, pac, is_service_tkt, server, privsvr);
|
||||
+ if (ret)
|
||||
+ goto cleanup;
|
||||
|
||||
*pac_out = pac;
|
||||
pac = NULL;
|
||||
@@ -730,14 +748,8 @@ krb5_pac_verify_ext(krb5_context context,
|
||||
{
|
||||
krb5_error_code ret;
|
||||
|
||||
- if (server != NULL) {
|
||||
- ret = verify_server_checksum(context, pac, server);
|
||||
- if (ret != 0)
|
||||
- return ret;
|
||||
- }
|
||||
-
|
||||
- if (privsvr != NULL) {
|
||||
- ret = verify_kdc_checksum(context, pac, privsvr);
|
||||
+ if (server != NULL || privsvr != NULL) {
|
||||
+ ret = verify_pac_checksums(context, pac, FALSE, server, privsvr);
|
||||
if (ret != 0)
|
||||
return ret;
|
||||
}
|
||||
@@ -749,8 +761,6 @@ krb5_pac_verify_ext(krb5_context context,
|
||||
return ret;
|
||||
}
|
||||
|
||||
- pac->verified = TRUE;
|
||||
-
|
||||
return 0;
|
||||
}
|
||||
|
||||
diff --git a/src/lib/krb5/krb/pac_sign.c b/src/lib/krb5/krb/pac_sign.c
|
||||
index 0f9581abbb..8ea61ac17b 100644
|
||||
--- a/src/lib/krb5/krb/pac_sign.c
|
||||
+++ b/src/lib/krb5/krb/pac_sign.c
|
||||
@@ -187,26 +187,41 @@ k5_pac_encode_header(krb5_context context, krb5_pac pac)
|
||||
return 0;
|
||||
}
|
||||
|
||||
-krb5_error_code KRB5_CALLCONV
|
||||
-krb5_pac_sign(krb5_context context, krb5_pac pac, krb5_timestamp authtime,
|
||||
- krb5_const_principal principal, const krb5_keyblock *server_key,
|
||||
- const krb5_keyblock *privsvr_key, krb5_data *data)
|
||||
+/* Find the buffer of type buftype in pac and write within it a checksum of
|
||||
+ * type cksumtype over data. Set *cksum_out to the checksum. */
|
||||
+static krb5_error_code
|
||||
+compute_pac_checksum(krb5_context context, krb5_pac pac, uint32_t buftype,
|
||||
+ const krb5_keyblock *key, krb5_cksumtype cksumtype,
|
||||
+ const krb5_data *data, krb5_data *cksum_out)
|
||||
{
|
||||
- return krb5_pac_sign_ext(context, pac, authtime, principal, server_key,
|
||||
- privsvr_key, FALSE, data);
|
||||
+ krb5_error_code ret;
|
||||
+ krb5_data buf;
|
||||
+ krb5_crypto_iov iov[2];
|
||||
+
|
||||
+ ret = k5_pac_locate_buffer(context, pac, buftype, &buf);
|
||||
+ if (ret)
|
||||
+ return ret;
|
||||
+
|
||||
+ assert(buf.length > PAC_SIGNATURE_DATA_LENGTH);
|
||||
+ *cksum_out = make_data(buf.data + PAC_SIGNATURE_DATA_LENGTH,
|
||||
+ buf.length - PAC_SIGNATURE_DATA_LENGTH);
|
||||
+ iov[0].flags = KRB5_CRYPTO_TYPE_DATA;
|
||||
+ iov[0].data = *data;
|
||||
+ iov[1].flags = KRB5_CRYPTO_TYPE_CHECKSUM;
|
||||
+ iov[1].data = *cksum_out;
|
||||
+ return krb5_c_make_checksum_iov(context, cksumtype, key,
|
||||
+ KRB5_KEYUSAGE_APP_DATA_CKSUM, iov, 2);
|
||||
}
|
||||
|
||||
-krb5_error_code KRB5_CALLCONV
|
||||
-krb5_pac_sign_ext(krb5_context context, krb5_pac pac, krb5_timestamp authtime,
|
||||
- krb5_const_principal principal,
|
||||
- const krb5_keyblock *server_key,
|
||||
- const krb5_keyblock *privsvr_key, krb5_boolean with_realm,
|
||||
- krb5_data *data)
|
||||
+static krb5_error_code
|
||||
+sign_pac(krb5_context context, krb5_pac pac, krb5_timestamp authtime,
|
||||
+ krb5_const_principal principal, const krb5_keyblock *server_key,
|
||||
+ const krb5_keyblock *privsvr_key, krb5_boolean with_realm,
|
||||
+ krb5_boolean is_service_tkt, krb5_data *data)
|
||||
{
|
||||
krb5_error_code ret;
|
||||
- krb5_data server_cksum, privsvr_cksum;
|
||||
+ krb5_data full_cksum, server_cksum, privsvr_cksum;
|
||||
krb5_cksumtype server_cksumtype, privsvr_cksumtype;
|
||||
- krb5_crypto_iov iov[2];
|
||||
|
||||
data->length = 0;
|
||||
data->data = NULL;
|
||||
@@ -214,67 +229,53 @@ krb5_pac_sign_ext(krb5_context context, krb5_pac pac, krb5_timestamp authtime,
|
||||
if (principal != NULL) {
|
||||
ret = k5_insert_client_info(context, pac, authtime, principal,
|
||||
with_realm);
|
||||
- if (ret != 0)
|
||||
+ if (ret)
|
||||
return ret;
|
||||
}
|
||||
|
||||
- /* Create zeroed buffers for both checksums */
|
||||
+ /* Create zeroed buffers for all checksums. */
|
||||
ret = k5_insert_checksum(context, pac, KRB5_PAC_SERVER_CHECKSUM,
|
||||
server_key, &server_cksumtype);
|
||||
- if (ret != 0)
|
||||
+ if (ret)
|
||||
return ret;
|
||||
-
|
||||
ret = k5_insert_checksum(context, pac, KRB5_PAC_PRIVSVR_CHECKSUM,
|
||||
privsvr_key, &privsvr_cksumtype);
|
||||
- if (ret != 0)
|
||||
+ if (ret)
|
||||
return ret;
|
||||
+ if (is_service_tkt) {
|
||||
+ ret = k5_insert_checksum(context, pac, KRB5_PAC_FULL_CHECKSUM,
|
||||
+ privsvr_key, &privsvr_cksumtype);
|
||||
+ if (ret)
|
||||
+ return ret;
|
||||
+ }
|
||||
|
||||
- /* Now, encode the PAC header so that the checksums will include it */
|
||||
+ /* Encode the PAC header so that the checksums will include it. */
|
||||
ret = k5_pac_encode_header(context, pac);
|
||||
- if (ret != 0)
|
||||
- return ret;
|
||||
-
|
||||
- /* Generate the server checksum over the entire PAC */
|
||||
- ret = k5_pac_locate_buffer(context, pac, KRB5_PAC_SERVER_CHECKSUM,
|
||||
- &server_cksum);
|
||||
- if (ret != 0)
|
||||
+ if (ret)
|
||||
return ret;
|
||||
|
||||
- assert(server_cksum.length > PAC_SIGNATURE_DATA_LENGTH);
|
||||
-
|
||||
- iov[0].flags = KRB5_CRYPTO_TYPE_DATA;
|
||||
- iov[0].data = pac->data;
|
||||
-
|
||||
- iov[1].flags = KRB5_CRYPTO_TYPE_CHECKSUM;
|
||||
- iov[1].data.data = server_cksum.data + PAC_SIGNATURE_DATA_LENGTH;
|
||||
- iov[1].data.length = server_cksum.length - PAC_SIGNATURE_DATA_LENGTH;
|
||||
+ if (is_service_tkt) {
|
||||
+ /* Generate a full KDC checksum over the whole PAC. */
|
||||
+ ret = compute_pac_checksum(context, pac, KRB5_PAC_FULL_CHECKSUM,
|
||||
+ privsvr_key, privsvr_cksumtype,
|
||||
+ &pac->data, &full_cksum);
|
||||
+ if (ret)
|
||||
+ return ret;
|
||||
+ }
|
||||
|
||||
- ret = krb5_c_make_checksum_iov(context, server_cksumtype,
|
||||
- server_key, KRB5_KEYUSAGE_APP_DATA_CKSUM,
|
||||
- iov, sizeof(iov)/sizeof(iov[0]));
|
||||
- if (ret != 0)
|
||||
+ /* Generate the server checksum over the whole PAC, including the full KDC
|
||||
+ * checksum if we added one. */
|
||||
+ ret = compute_pac_checksum(context, pac, KRB5_PAC_SERVER_CHECKSUM,
|
||||
+ server_key, server_cksumtype, &pac->data,
|
||||
+ &server_cksum);
|
||||
+ if (ret)
|
||||
return ret;
|
||||
|
||||
- /* Generate the privsvr checksum over the server checksum buffer */
|
||||
- ret = k5_pac_locate_buffer(context, pac, KRB5_PAC_PRIVSVR_CHECKSUM,
|
||||
+ /* Generate the privsvr checksum over the server checksum buffer. */
|
||||
+ ret = compute_pac_checksum(context, pac, KRB5_PAC_PRIVSVR_CHECKSUM,
|
||||
+ privsvr_key, privsvr_cksumtype, &server_cksum,
|
||||
&privsvr_cksum);
|
||||
- if (ret != 0)
|
||||
- return ret;
|
||||
-
|
||||
- assert(privsvr_cksum.length > PAC_SIGNATURE_DATA_LENGTH);
|
||||
-
|
||||
- iov[0].flags = KRB5_CRYPTO_TYPE_DATA;
|
||||
- iov[0].data.data = server_cksum.data + PAC_SIGNATURE_DATA_LENGTH;
|
||||
- iov[0].data.length = server_cksum.length - PAC_SIGNATURE_DATA_LENGTH;
|
||||
-
|
||||
- iov[1].flags = KRB5_CRYPTO_TYPE_CHECKSUM;
|
||||
- iov[1].data.data = privsvr_cksum.data + PAC_SIGNATURE_DATA_LENGTH;
|
||||
- iov[1].data.length = privsvr_cksum.length - PAC_SIGNATURE_DATA_LENGTH;
|
||||
-
|
||||
- ret = krb5_c_make_checksum_iov(context, privsvr_cksumtype,
|
||||
- privsvr_key, KRB5_KEYUSAGE_APP_DATA_CKSUM,
|
||||
- iov, sizeof(iov)/sizeof(iov[0]));
|
||||
- if (ret != 0)
|
||||
+ if (ret)
|
||||
return ret;
|
||||
|
||||
data->data = k5memdup(pac->data.data, pac->data.length, &ret);
|
||||
@@ -288,6 +289,26 @@ krb5_pac_sign_ext(krb5_context context, krb5_pac pac, krb5_timestamp authtime,
|
||||
return 0;
|
||||
}
|
||||
|
||||
+krb5_error_code KRB5_CALLCONV
|
||||
+krb5_pac_sign(krb5_context context, krb5_pac pac, krb5_timestamp authtime,
|
||||
+ krb5_const_principal principal, const krb5_keyblock *server_key,
|
||||
+ const krb5_keyblock *privsvr_key, krb5_data *data)
|
||||
+{
|
||||
+ return sign_pac(context, pac, authtime, principal, server_key,
|
||||
+ privsvr_key, FALSE, FALSE, data);
|
||||
+}
|
||||
+
|
||||
+krb5_error_code KRB5_CALLCONV
|
||||
+krb5_pac_sign_ext(krb5_context context, krb5_pac pac, krb5_timestamp authtime,
|
||||
+ krb5_const_principal principal,
|
||||
+ const krb5_keyblock *server_key,
|
||||
+ const krb5_keyblock *privsvr_key, krb5_boolean with_realm,
|
||||
+ krb5_data *data)
|
||||
+{
|
||||
+ return sign_pac(context, pac, authtime, principal, server_key, privsvr_key,
|
||||
+ with_realm, FALSE, data);
|
||||
+}
|
||||
+
|
||||
/* Add a signature over der_enc_tkt in privsvr to pac. der_enc_tkt should be
|
||||
* encoded with a dummy PAC authdata element containing a single zero byte. */
|
||||
static krb5_error_code
|
||||
@@ -359,6 +380,7 @@ krb5_kdc_sign_ticket(krb5_context context, krb5_enc_tkt_part *enc_tkt,
|
||||
krb5_error_code ret;
|
||||
krb5_data *der_enc_tkt = NULL, pac_data = empty_data();
|
||||
krb5_authdata **list, *pac_ad;
|
||||
+ krb5_boolean is_service_tkt;
|
||||
size_t count;
|
||||
|
||||
/* Reallocate space for another authdata element in enc_tkt. */
|
||||
@@ -377,7 +399,8 @@ krb5_kdc_sign_ticket(krb5_context context, krb5_enc_tkt_part *enc_tkt,
|
||||
memmove(list + 1, list, (count + 1) * sizeof(*list));
|
||||
list[0] = pac_ad;
|
||||
|
||||
- if (k5_pac_should_have_ticket_signature(server_princ)) {
|
||||
+ is_service_tkt = k5_pac_should_have_ticket_signature(server_princ);
|
||||
+ if (is_service_tkt) {
|
||||
ret = encode_krb5_enc_tkt_part(enc_tkt, &der_enc_tkt);
|
||||
if (ret)
|
||||
goto cleanup;
|
||||
@@ -388,9 +411,8 @@ krb5_kdc_sign_ticket(krb5_context context, krb5_enc_tkt_part *enc_tkt,
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
- ret = krb5_pac_sign_ext(context, pac, enc_tkt->times.authtime,
|
||||
- client_princ, server, privsvr, with_realm,
|
||||
- &pac_data);
|
||||
+ ret = sign_pac(context, pac, enc_tkt->times.authtime, client_princ, server,
|
||||
+ privsvr, with_realm, is_service_tkt, &pac_data);
|
||||
if (ret)
|
||||
goto cleanup;
|
||||
|
||||
diff --git a/src/lib/krb5/krb/t_pac.c b/src/lib/krb5/krb/t_pac.c
|
||||
index 173bde7bab..81f1642ab0 100644
|
||||
--- a/src/lib/krb5/krb/t_pac.c
|
||||
+++ b/src/lib/krb5/krb/t_pac.c
|
||||
@@ -607,78 +607,102 @@ check_pac(krb5_context context, int index, const unsigned char *pdata,
|
||||
|
||||
static const krb5_keyblock ticket_sig_krbtgt_key = {
|
||||
0, ENCTYPE_AES256_CTS_HMAC_SHA1_96,
|
||||
- 32, U("\x7a\x58\x98\xd2\xaf\xa6\xaf\xc0\x6a\xce\x06\x04\x4b\xc2\x70\x84"
|
||||
- "\x9b\x8e\x0a\x6c\x4c\x07\xdc\x6f\xbb\x48\x43\xe1\xd2\xaa\x97\xf7")
|
||||
+ 32, U("\x03\x73\x81\xEC\x43\x96\x7B\xC2\xAC\x3D\xF5\x2A\xAE\x95\xA6\x8E"
|
||||
+ "\xBE\x24\x58\xDB\xCE\x52\x28\x20\xAF\x5E\xB7\x04\xA2\x22\x71\x4F")
|
||||
};
|
||||
|
||||
static const krb5_keyblock ticket_sig_server_key = {
|
||||
- 0, ENCTYPE_ARCFOUR_HMAC,
|
||||
- 16, U("\xed\x23\x11\x20\x7a\x21\x44\x20\xbf\xc0\x8d\x36\xf7\xf6\xb2\x3e")
|
||||
+ 0, ENCTYPE_AES256_CTS_HMAC_SHA1_96,
|
||||
+ 32, U("\x11\x4A\x84\xE3\x14\x8F\xAA\xB1\xFA\x7B\x53\x51\xB2\x8A\xC2\xF1"
|
||||
+ "\xFD\x19\x6D\x61\xE0\xF3\xF2\x3E\x1F\xDB\xD3\xC1\x79\x7D\xC1\xEE")
|
||||
};
|
||||
|
||||
+/* A ticket issued by an Active Directory KDC (Windows Server 2022), containing
|
||||
+ * a PAC with a full checksum. */
|
||||
static const krb5_data ticket_data = {
|
||||
- .length = 972, .data =
|
||||
- "\x61\x82\x03\xC8\x30\x82\x03\xC4\xA0\x03\x02\x01\x05\xA1\x0A\x1B"
|
||||
- "\x08\x43\x44\x4F\x4D\x2E\x43\x4F\x4D\xA2\x0F\x30\x0D\xA0\x03\x02"
|
||||
- "\x01\x01\xA1\x06\x30\x04\x1B\x02\x73\x31\xA3\x82\x03\x9E\x30\x82"
|
||||
- "\x03\x9A\xA0\x03\x02\x01\x17\xA1\x03\x02\x01\x03\xA2\x82\x03\x8C"
|
||||
- "\x04\x82\x03\x88\x44\x31\x61\x20\x17\xC9\xFE\xBC\xAC\x46\xB5\x77"
|
||||
- "\xE9\x68\x04\x4C\x9B\x31\x91\x0C\xC1\xD4\xDD\xEF\xC7\x34\x20\x08"
|
||||
- "\x90\x91\xE8\x79\xE0\xB5\x03\x26\xA4\x65\xDE\xEC\x47\x03\x2A\x8F"
|
||||
- "\x61\xE7\x4D\x38\x5A\x42\x95\x5A\xF9\x2F\x41\x2C\x2A\x6E\x60\xA1"
|
||||
- "\xEB\x51\xB3\xBD\x4C\x00\x41\x2A\x44\x76\x08\x37\x1A\x51\xFD\x65"
|
||||
- "\x67\x7E\xBF\x3D\x90\x86\xE3\x9A\x54\x6B\x67\xA8\x08\x7A\x73\xCC"
|
||||
- "\xC3\xB7\x4B\xD5\x5C\x3A\x14\x6C\xC1\x5F\x54\x4B\x92\x55\xB4\xB7"
|
||||
- "\x92\x23\x3F\x53\x89\x47\x8E\x1F\x8B\xB9\xDB\x3B\x93\xE8\x70\xE4"
|
||||
- "\x24\xB8\x9D\xF0\x0E\x35\x28\xF8\x7A\x27\x5D\xF7\x25\x97\x9C\xF5"
|
||||
- "\x9F\x9F\x64\x04\xF2\xA3\xAB\x11\x15\xB6\xDA\x18\xD6\x46\xD5\xE6"
|
||||
- "\xB8\x08\xDE\x0A\x62\xFD\xF8\xAA\x52\x90\xD9\x67\x29\xB2\xCD\x06"
|
||||
- "\xB6\xB0\x50\x2B\x3F\x0F\xA3\xA5\xBF\xAA\x6E\x40\x03\xD6\x5F\x02"
|
||||
- "\xBC\xD8\x18\x47\x97\x09\xD7\xE4\x96\x3B\xCB\xEB\x92\x2C\x3C\x49"
|
||||
- "\xFF\x1F\x71\xE0\x52\x94\x0F\x8B\x9F\xB8\x2A\xBB\x9C\xE2\xA3\xDD"
|
||||
- "\x38\x89\xE2\xB1\x0B\x9E\x1F\x7A\xB3\xE3\xD2\xB0\x94\xDC\x87\xBE"
|
||||
- "\x37\xA6\xD3\xB3\x29\x35\x9A\x72\xC3\x7A\xF1\xA9\xE6\xC5\xD1\x26"
|
||||
- "\x83\x65\x44\x17\xBA\x55\xA8\x5E\x94\x26\xED\xE9\x8A\x93\x11\x5D"
|
||||
- "\x7E\x20\x1B\x9C\x15\x9E\x13\x37\x03\x4D\xDD\x99\x51\xD8\x66\x29"
|
||||
- "\x6A\xB9\xFB\x49\xFE\x52\x78\xDA\x86\x85\xA9\xA3\xB9\xEF\xEC\xAD"
|
||||
- "\x35\xA6\x8D\xAC\x0F\x75\x22\xBB\x0B\x49\x1C\x13\x52\x40\xC9\x52"
|
||||
- "\x69\x09\x54\xD1\x0F\x94\x3F\x22\x48\x67\xB0\x96\x28\xAA\xE6\x28"
|
||||
- "\xD9\x0C\x08\xEF\x51\xED\x15\x5E\xA2\x53\x59\xA5\x03\xB4\x06\x20"
|
||||
- "\x3D\xCC\xB4\xC5\xF8\x8C\x73\x67\xA3\x21\x3D\x19\xCD\xD4\x12\x28"
|
||||
- "\xD2\x93\xDE\x0D\xF0\x71\x10\x50\xD6\x33\x35\x04\x11\x64\x43\x39"
|
||||
- "\xC3\xDF\x96\xE3\x66\xE3\x85\xCA\xE7\x67\x14\x3A\xF0\x43\xAA\xBB"
|
||||
- "\xD4\x1D\xB5\x24\xB5\x74\x90\x25\xA7\x87\x7E\xDB\xD3\x83\x8A\x3A"
|
||||
- "\x69\xA8\x2D\xAF\xB7\xB8\xF3\xDC\x13\xAF\x45\x61\x3F\x59\x39\x7E"
|
||||
- "\x69\xDE\x0C\x04\xF1\x10\x6B\xB4\x56\xFA\x21\x9F\x72\x2B\x60\x86"
|
||||
- "\xE3\x23\x0E\xC4\x51\xF6\xBE\xD8\xE1\x5F\xEE\x73\x4C\x17\x4C\x2C"
|
||||
- "\x1B\xFB\x9F\x1F\x7A\x3B\x07\x5B\x8E\xF1\x01\xAC\xD6\x30\x94\x8A"
|
||||
- "\x5D\x22\x6F\x08\xCE\xED\x5E\xB6\xDB\x86\x8C\x87\xEB\x8D\x91\xFF"
|
||||
- "\x0A\x86\x30\xBD\xC0\xF8\x25\xE7\xAE\x24\x35\xF2\xFC\xE5\xFD\x1B"
|
||||
- "\xB0\x05\x4A\xA3\xE5\xEB\x2E\x05\xAD\x99\x67\x49\x87\xE6\xB3\x87"
|
||||
- "\x82\xA4\x59\xA7\x6E\xDD\xF2\xB6\x66\xE8\xF7\x70\xF5\xBD\xC9\x0E"
|
||||
- "\xFA\x9C\x79\x84\xD4\x9B\x05\x0E\xBB\xF5\xDB\xEF\xFC\xCC\x26\xF2"
|
||||
- "\x93\xCF\xD2\x04\x3C\xA9\x2C\x65\x42\x97\x86\xD8\x38\x0A\x1E\xF6"
|
||||
- "\xD6\xCA\x30\xB5\x1A\xEC\xFB\xBA\x3B\x84\x57\xB0\xFD\xFB\xE6\xBC"
|
||||
- "\xF2\x76\xF6\x4C\xBB\xAB\xB1\x31\xA1\x27\x7C\xE6\xE6\x81\xB6\xCE"
|
||||
- "\x84\x86\x40\xB6\x40\x33\xC4\xF8\xB4\x15\xCF\xAA\xA5\x51\x78\xB9"
|
||||
- "\x8B\x50\x25\xB2\x88\x86\x96\x72\x8C\x71\x4D\xB5\x3A\x94\x86\x77"
|
||||
- "\x0E\x95\x9B\x16\x93\xEF\x3A\x11\x79\xBA\x83\xF7\x74\xD3\x8D\xBA"
|
||||
- "\x15\xE1\x2C\x04\x57\xA8\x92\x1E\x9D\x00\x8E\x20\xFD\x30\x70\xE7"
|
||||
- "\xF5\x65\x2F\x19\x0C\x94\xBA\x03\x71\x12\x96\xCD\xC8\xB4\x96\xDB"
|
||||
- "\xCE\x19\xC2\xDF\x3C\xC2\xF6\x3D\x53\xED\x98\xA5\x41\x72\x2A\x22"
|
||||
- "\x7B\xF3\x2B\x17\x6C\xE1\x39\x7D\xAE\x9B\x11\xF9\xC1\xA6\x9E\x9F"
|
||||
- "\x89\x3C\x12\xAA\x94\x74\xA7\x4F\x70\xE8\xB9\xDE\x04\xF0\x9D\x39"
|
||||
- "\x24\x2D\x92\xE8\x46\x2D\x2E\xF0\x40\x66\x1A\xD9\x27\xF9\x98\xF1"
|
||||
- "\x81\x1D\x70\x62\x63\x30\x6D\xCD\x84\x04\x5F\xFA\x83\xD3\xEC\x8D"
|
||||
- "\x86\xFB\x40\x61\xC1\x8A\x45\xFF\x7B\xD9\xD4\x18\x61\x7F\x51\xE3"
|
||||
- "\xFC\x1E\x18\xF0\xAF\xC6\x18\x2C\xE1\x6D\x5D\xF9\x62\xFC\x20\xA3"
|
||||
- "\xB2\x8A\x5F\xE5\xBB\x29\x0F\x99\x63\x07\x88\x38\x3A\x3B\x73\x2A"
|
||||
- "\x6D\xDA\x3D\xA8\x0D\x8F\x56\x41\x89\x82\xE5\xB8\x61\x00\x64\x7D"
|
||||
- "\x17\x0C\xCE\x03\x55\x8F\xF4\x5B\x0D\x50\xF2\xEB\x05\x67\xBE\xDB"
|
||||
- "\x7B\x75\xC5\xEA\xA1\xAB\x1D\xB0\x3C\x6D\x42\x08\x0B\x9A\x45\x20"
|
||||
- "\xA8\x8F\xE5\x67\x47\x30\xDE\x93\x5F\x43\x05\xEB\xA8\x2D\x80\xF5"
|
||||
- "\x1A\xB8\x4A\x4E\x42\x2D\x0B\x7A\xDC\x46\x20\x2D\x13\x17\xDD\x4B"
|
||||
- "\x94\x96\xAA\x1F\x06\x0C\x1F\x62\x07\x9C\x40\xA1"
|
||||
+ .length = 1307, .data =
|
||||
+ "\x61\x82\x05\x17\x30\x82\x05\x13\xA0\x03\x02\x01\x05\xA1\x0F\x1B"
|
||||
+ "\x0D\x57\x32\x30\x32\x32\x2D\x4C\x37\x2E\x42\x41\x53\x45\xA2\x2A"
|
||||
+ "\x30\x28\xA0\x03\x02\x01\x01\xA1\x21\x30\x1F\x1B\x04\x63\x69\x66"
|
||||
+ "\x73\x1B\x17\x77\x32\x30\x32\x32\x2D\x31\x31\x38\x2E\x77\x32\x30"
|
||||
+ "\x32\x32\x2D\x6C\x37\x2E\x62\x61\x73\x65\xA3\x82\x04\xCD\x30\x82"
|
||||
+ "\x04\xC9\xA0\x03\x02\x01\x12\xA1\x03\x02\x01\x05\xA2\x82\x04\xBB"
|
||||
+ "\x04\x82\x04\xB7\x44\x5C\x7B\x5A\x3F\x2E\xA3\x50\x34\xDE\xB0\x69"
|
||||
+ "\x23\x2D\x47\x89\x2C\xC0\xA3\xF9\xDD\x70\xAA\xA5\x1E\xFE\x74\xE5"
|
||||
+ "\x19\xA2\x4F\x65\x6C\x9E\x00\xB4\x60\x00\x7C\x0C\x29\x43\x31\x99"
|
||||
+ "\x77\x02\x73\xED\xB9\x40\xF5\xD2\xD1\xC9\x20\x0F\xE3\x38\xF9\xCC"
|
||||
+ "\x5E\x2A\xBD\x1F\x91\x66\x1A\xD8\x2A\x80\x3C\x2C\x00\x3C\x1E\xC9"
|
||||
+ "\x2A\x29\x19\x19\x96\x18\x54\x03\x97\x8F\x1D\x5F\xDB\xE9\x66\x68"
|
||||
+ "\xCD\xB1\xD5\x00\x35\x69\x49\x45\xF1\x6A\x78\x7B\x37\x71\x87\x14"
|
||||
+ "\x1C\x98\x4D\x69\xCB\x1B\xD8\xF5\xA3\xD8\x53\x4A\x75\x76\x62\xBA"
|
||||
+ "\x6C\x3F\xEA\x8B\x97\x21\xCA\x8A\x46\x4B\x38\xDA\x09\x9F\x5A\xC8"
|
||||
+ "\x38\xFF\x34\x97\x5B\xA2\xE5\xBA\xC9\x87\x17\xD8\x08\x05\x7A\x83"
|
||||
+ "\x04\xD6\x02\x8E\x9B\x18\xB6\x40\x1A\xF7\x47\x25\x24\x3E\x37\x1E"
|
||||
+ "\xF6\xC1\x3A\x1F\xCA\xB3\x43\x5A\xAE\x94\x83\x31\xAF\xFB\xEE\xED"
|
||||
+ "\x46\x71\xEF\xE2\x37\x37\x15\xFE\x1B\x0B\x9E\xF8\x3E\x0C\x43\x96"
|
||||
+ "\xB6\x0A\x04\x78\xF8\x5E\xAA\x33\x1F\xE2\x07\x5A\x8D\xC4\x4E\x32"
|
||||
+ "\x6D\xD6\xA0\xC5\xEA\x3D\x12\x59\xD4\x41\x40\x4E\xA1\xD8\xBE\xED"
|
||||
+ "\x17\xCB\x68\xCC\x59\xCB\x53\xB2\x0E\x58\x8A\xA9\x33\x7F\x6F\x2B"
|
||||
+ "\x37\x89\x08\x44\xBA\xC7\x67\x17\xBB\x91\xF7\xC3\x0F\x00\xF8\xAA"
|
||||
+ "\xA1\x33\xA6\x08\x47\xCA\xFA\xE8\x49\x27\x45\x46\xF1\xC1\xC3\x5F"
|
||||
+ "\xE2\x45\x0A\x7D\x64\x52\x8C\x2E\xE1\xDE\xFF\xB2\x64\xEC\x69\x98"
|
||||
+ "\x15\xDF\x9E\xB1\xEB\xD6\x9D\x08\x06\x4E\x73\xC1\x0B\x71\x21\x05"
|
||||
+ "\x9E\xBC\xA2\x17\xCF\xB3\x70\xF4\xEF\xB8\x69\xA9\x94\x27\xFD\x5E"
|
||||
+ "\x72\xB1\x2D\xD2\x20\x1B\x57\x80\xAB\x38\x97\xCF\x22\x68\x4F\xB8"
|
||||
+ "\xB7\x17\x53\x25\x67\x0B\xED\xD1\x58\x20\x0D\x45\xF9\x09\xFA\xE7"
|
||||
+ "\x61\x3E\xDB\xC2\x59\x7B\x3A\x3B\x59\x81\x51\xAA\xA4\x81\xF4\x96"
|
||||
+ "\x3B\xE1\x6F\x6F\xF4\x8E\x68\x9E\xBA\x1E\x0F\xF2\x44\x68\x11\xFC"
|
||||
+ "\x2B\x5F\xBE\xF2\xEA\x07\x80\xB9\xCA\x9E\x41\xBD\x2F\x81\xF5\x11"
|
||||
+ "\x2A\x12\xF3\x4F\xD6\x12\x16\x0F\x21\x90\xF1\xD3\x1E\xF1\xA4\x94"
|
||||
+ "\x46\xEA\x30\xF3\x84\x06\xC1\xA4\x51\xFC\x43\x35\xBD\xEF\x4D\x89"
|
||||
+ "\x1D\xA5\x44\xB2\x69\xC4\x0F\xBF\x86\x01\x08\x44\x77\xD5\xB4\xB7"
|
||||
+ "\x5C\x3F\xA7\xD4\x2F\x39\x73\x85\x88\xEE\xB1\x64\x1D\x80\x6C\xEE"
|
||||
+ "\x6E\x31\x90\x92\x0D\xA1\xB7\xC4\x5C\xCC\xEE\x91\xC8\xCB\x11\x2D"
|
||||
+ "\x4A\x1A\x7D\x43\x8F\xEB\x60\x09\xED\x1B\x07\x58\xBE\xBC\xBD\x29"
|
||||
+ "\xF3\xB3\xA3\x4F\xC5\x8A\x30\x33\xB9\xA9\x9F\x43\x08\x27\x15\xC4"
|
||||
+ "\x9C\x5D\x8E\xBD\x5C\x05\xC6\x05\x9C\x87\x60\x08\x1E\xE2\x52\xB8"
|
||||
+ "\x45\x8D\x28\xB6\x2C\x15\x46\x74\x9F\x0E\xAA\x6B\x70\x3A\x2A\x55"
|
||||
+ "\x45\x26\xB2\x58\x4D\x35\xA6\xF1\x96\xBE\x60\xB2\x71\x7B\xF8\x54"
|
||||
+ "\xB9\x90\x21\x8E\xB9\x0F\x35\x98\x5E\x88\xEB\x1A\x53\xB4\x59\x7F"
|
||||
+ "\xAF\x69\x1C\x61\x67\xF4\xF6\xBD\xAC\x24\xCD\xB7\xA9\x67\xE8\xA1"
|
||||
+ "\x83\x85\x5F\x11\x74\x1F\xF7\x4C\x78\x36\xEF\x50\x74\x88\x58\x4B"
|
||||
+ "\x1A\x9F\x84\x9A\x9A\x05\x92\xEC\x1D\xD5\xF3\xC4\x95\x51\x28\xE2"
|
||||
+ "\x3F\x32\x87\xB2\xFD\x21\x27\x66\xE4\x6B\x85\x2F\xDC\x7B\xC0\x22"
|
||||
+ "\xEB\x7A\x94\x20\x5A\x7B\xD3\x7A\xB9\x5B\xF8\x1A\x5A\x84\x4E\xA1"
|
||||
+ "\x73\x41\x53\xD2\x60\xF7\x7C\xEE\x68\x59\x85\x80\xFC\x3D\x70\x4B"
|
||||
+ "\x04\x32\xE7\xF2\xFD\xBD\xB3\xD9\x21\xE2\x37\x56\xA2\x16\xCC\xDE"
|
||||
+ "\x8A\xD3\xBC\x71\xEF\x58\x19\x0E\x45\x8A\x5B\x53\xD6\x77\x30\x6A"
|
||||
+ "\xA7\xF8\x68\x06\x4E\x07\xCA\xCE\x30\xD7\x35\xAB\x1A\xC7\x18\xD4"
|
||||
+ "\xC6\x2F\x1A\xFF\xE9\x7A\x94\x0B\x76\x5E\x7E\x29\x0C\xE6\xD3\x3B"
|
||||
+ "\x5B\x44\x96\xA8\xF1\x29\x23\x95\xD9\x79\xB3\x39\xFC\x76\xED\xE1"
|
||||
+ "\x1E\x67\x4E\xF7\xE8\x7B\x7A\x12\x9E\xD8\x4B\x35\x09\x0A\xF2\xC1"
|
||||
+ "\x63\x5B\xEE\xFD\x2A\xC2\xA6\x66\x30\x3C\x1F\x95\xAF\x65\x22\x95"
|
||||
+ "\x14\x1D\xF5\xD5\xDC\x38\x79\x35\x1C\xCD\x24\x47\xE0\xFD\x08\xC8"
|
||||
+ "\xF4\x15\x55\x9F\xD9\xC7\xAC\x3F\x67\xB3\x4F\xEB\x26\x7C\x8E\xD6"
|
||||
+ "\x74\xB3\x0A\xCD\xE7\xFA\xBE\x7E\xA3\x3E\xEC\x61\x50\x77\x52\x56"
|
||||
+ "\xCF\x90\x5D\x48\xFB\xD4\x2C\x6C\x61\x8B\xDD\x2B\xF5\x92\x1F\x30"
|
||||
+ "\xBF\x3F\x80\x0D\x31\xDB\xB2\x0B\x7D\x84\xE3\xA6\x42\x7F\x00\x38"
|
||||
+ "\x44\x02\xC5\xB8\xD9\x58\x29\x9D\x68\x5C\x32\x8B\x76\xAE\xED\x15"
|
||||
+ "\xF9\x7C\xAE\x7B\xB6\x8E\xD6\x54\x24\xFF\xFA\x87\x05\xEF\x15\x08"
|
||||
+ "\x5E\x4B\x21\xA2\x2F\x49\xE7\x0F\xC3\xD0\xB9\x49\x22\xEF\xD5\xCA"
|
||||
+ "\xB2\x11\xF2\x17\xB6\x77\x24\x68\x76\xB2\x07\xF8\x0A\x73\xDD\x65"
|
||||
+ "\x9C\x75\x64\xF7\xA1\xC6\x23\x08\x84\x72\x3E\x54\x2E\xEB\x9B\x40"
|
||||
+ "\xA6\x83\x87\xEB\xB5\x00\x40\x4F\xE1\x72\x2A\x59\x3A\x06\x60\x29"
|
||||
+ "\x7E\x25\x2F\xD8\x80\x40\x8C\x59\xCA\xCF\x8E\x44\xE4\x2D\x84\x7E"
|
||||
+ "\xCB\xFD\x1E\x3B\xD5\xFF\x9A\xB9\x66\x93\x6D\x5E\xC8\xB7\x13\x26"
|
||||
+ "\xD6\x38\x1B\x2B\xE1\x87\x96\x05\xD5\xF3\xAB\x68\xF7\x12\x62\x2C"
|
||||
+ "\x58\xC1\xC9\x85\x3C\x72\xF1\x26\xEE\xC0\x09\x5F\x1D\x4B\xAC\x01"
|
||||
+ "\x41\xC8\x12\xF8\xF3\x93\x43\x41\xFF\xEC\x0B\x80\xE2\xEE\x20\x85"
|
||||
+ "\x25\xCD\x6C\x30\x8C\x0D\x24\x2E\xBA\x19\xEA\x28\x7F\xCF\xD5\x10"
|
||||
+ "\x5C\xE9\xB2\x9D\x5F\x16\xE4\xC0\xF3\xCC\xD9\x68\x4A\x05\x08\x70"
|
||||
+ "\x17\x26\xC8\x5C\x4A\xBF\x94\x6A\x0E\xD5\xDA\x67\x47\x4B\xAF\x44"
|
||||
+ "\xE3\x94\xAA\x05\xDB\xA2\x49\x74\xFA\x5C\x69\xAB\x44\xB7\xF7\xBA"
|
||||
+ "\xAE\x7A\x23\x87\xEB\x54\x7E\x80\xF1\x5B\x60\xA5\x93\xE5\xD4\x24"
|
||||
+ "\x84\xF7\x0A\x16\x10\xBE\xE9\x4D\xD8\x6B\x15\x40\x5D\x74\xDA\x1B"
|
||||
+ "\xFF\x2E\x4D\x17\x9D\x35\xF7\x0D\xCF\x66\x38\x0D\x8A\xE4\xDD\x6B"
|
||||
+ "\xE1\x0F\x1F\xBD\xFD\x4F\x30\x37\x3F\x96\xB4\x92\x54\xD3\x9A\x7A"
|
||||
+ "\xD1\x5B\x5B\xA9\x54\x16\xE6\x24\xAB\xD4\x23\x39\x7D\xD2\xC7\x09"
|
||||
+ "\xFA\xD4\x86\x55\x4D\x60\xC2\x87\x67\x6B\xE6"
|
||||
};
|
||||
|
||||
static void
|
||||
@@ -686,7 +710,7 @@ test_pac_ticket_signature(krb5_context context)
|
||||
{
|
||||
krb5_error_code ret;
|
||||
krb5_ticket *ticket;
|
||||
- krb5_principal sprinc;
|
||||
+ krb5_principal cprinc, sprinc;
|
||||
krb5_authdata **authdata1, **authdata2;
|
||||
krb5_pac pac, pac2, pac3;
|
||||
uint32_t *list;
|
||||
@@ -701,7 +725,13 @@ test_pac_ticket_signature(krb5_context context)
|
||||
if (ret)
|
||||
err(context, ret, "while decrypting ticket");
|
||||
|
||||
- ret = krb5_parse_name(context, "s1@CDOM.COM", &sprinc);
|
||||
+ ret = krb5_parse_name(context, "administrator@W2022-L7.BASE", &cprinc);
|
||||
+ if (ret)
|
||||
+ err(context, ret, "krb5_parse_name");
|
||||
+
|
||||
+ ret = krb5_parse_name(context,
|
||||
+ "cifs/w2022-118.w2022-l7.base@W2022-L7.BASE",
|
||||
+ &sprinc);
|
||||
if (ret)
|
||||
err(context, ret, "krb5_parse_name");
|
||||
|
||||
@@ -713,7 +743,7 @@ test_pac_ticket_signature(krb5_context context)
|
||||
|
||||
/* In this test, the server is also the client. */
|
||||
ret = krb5_pac_verify(context, pac, ticket->enc_part2->times.authtime,
|
||||
- ticket->server, NULL, NULL);
|
||||
+ cprinc, NULL, NULL);
|
||||
if (ret)
|
||||
err(context, ret, "while verifying PAC client info");
|
||||
|
||||
@@ -722,7 +752,7 @@ test_pac_ticket_signature(krb5_context context)
|
||||
ticket->enc_part2->authorization_data = NULL;
|
||||
|
||||
ret = krb5_kdc_sign_ticket(context, ticket->enc_part2, pac, sprinc,
|
||||
- sprinc, &ticket_sig_server_key,
|
||||
+ cprinc, &ticket_sig_server_key,
|
||||
&ticket_sig_krbtgt_key, FALSE);
|
||||
if (ret)
|
||||
err(context, ret, "while signing ticket");
|
||||
@@ -781,6 +811,7 @@ test_pac_ticket_signature(krb5_context context)
|
||||
krb5_pac_free(context, pac);
|
||||
krb5_pac_free(context, pac2);
|
||||
krb5_pac_free(context, pac3);
|
||||
+ krb5_free_principal(context, cprinc);
|
||||
krb5_free_principal(context, sprinc);
|
||||
krb5_free_ticket(context, ticket);
|
||||
}
|
||||
diff --git a/src/tests/t_authdata.py b/src/tests/t_authdata.py
|
||||
index 47ea9e4b47..e934799268 100644
|
||||
--- a/src/tests/t_authdata.py
|
||||
+++ b/src/tests/t_authdata.py
|
||||
@@ -11,7 +11,7 @@ realm = K5Realm(krb5_conf=conf)
|
||||
# container.
|
||||
mark('baseline authdata')
|
||||
out = realm.run(['./adata', realm.host_princ])
|
||||
-if '?128: [6, 7, 10, 16]' not in out or '^-42: Hello' not in out:
|
||||
+if '?128: [6, 7, 10, 16, 19]' not in out or '^-42: Hello' not in out:
|
||||
fail('expected authdata not seen for basic request')
|
||||
|
||||
# Requested authdata is copied into the ticket, with KDC-only types
|
||||
@@ -243,7 +243,7 @@ out = realm.run(['./adata', '-p', realm.user_princ, 'service/2'])
|
||||
if '+97: [indcl]' not in out or '[inds1]' in out:
|
||||
fail('correct auth-indicator not seen for S4U2Proxy req')
|
||||
# Make sure a PAC with an S4U_DELEGATION_INFO(11) buffer is included.
|
||||
-if '?128: [1, 6, 7, 10, 11, 16]' not in out:
|
||||
+if '?128: [1, 6, 7, 10, 11, 16, 19]' not in out:
|
||||
fail('PAC with delegation info not seen for S4U2Proxy req')
|
||||
|
||||
# Get another S4U2Proxy ticket including request-authdata.
|
||||
--
|
||||
2.39.1
|
||||
|
@ -1,45 +0,0 @@
|
||||
From ff9c99b689855a646c371379d30a668dfd7a87a7 Mon Sep 17 00:00:00 2001
|
||||
From: Julien Rische <jrische@redhat.com>
|
||||
Date: Wed, 1 Feb 2023 15:57:26 +0100
|
||||
Subject: [PATCH] Fix possible double-free during KDB creation
|
||||
|
||||
In krb5_dbe_def_encrypt_key_data(), when we free
|
||||
key_data->key_data_contents[0], reset it to null so the caller doesn't
|
||||
free it as well.
|
||||
|
||||
Since commit a06945b4ec267e8b80e5e8c95edd89930ff12103 this bug
|
||||
manifests as a double-free during KDB creation if master key
|
||||
encryption fails.
|
||||
|
||||
[ghudson@mit.edu: edited commit message]
|
||||
|
||||
ticket: 9086 (new)
|
||||
tags: pullup
|
||||
target_version: 1.20-next
|
||||
---
|
||||
src/lib/kdb/encrypt_key.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/src/lib/kdb/encrypt_key.c b/src/lib/kdb/encrypt_key.c
|
||||
index dc612c810e..91debea533 100644
|
||||
--- a/src/lib/kdb/encrypt_key.c
|
||||
+++ b/src/lib/kdb/encrypt_key.c
|
||||
@@ -109,6 +109,7 @@ krb5_dbe_def_encrypt_key_data( krb5_context context,
|
||||
if ((retval = krb5_c_encrypt(context, mkey, /* XXX */ 0, 0,
|
||||
&plain, &cipher))) {
|
||||
free(key_data->key_data_contents[0]);
|
||||
+ key_data->key_data_contents[0] = NULL;
|
||||
return retval;
|
||||
}
|
||||
|
||||
@@ -121,6 +122,7 @@ krb5_dbe_def_encrypt_key_data( krb5_context context,
|
||||
key_data->key_data_contents[1] = malloc(keysalt->data.length);
|
||||
if (key_data->key_data_contents[1] == NULL) {
|
||||
free(key_data->key_data_contents[0]);
|
||||
+ key_data->key_data_contents[0] = NULL;
|
||||
return ENOMEM;
|
||||
}
|
||||
memcpy(key_data->key_data_contents[1], keysalt->data.data,
|
||||
--
|
||||
2.39.1
|
||||
|
@ -1,36 +0,0 @@
|
||||
From 604fce63b468d0efce4438df4ba0286f00bfce8d Mon Sep 17 00:00:00 2001
|
||||
From: Julien Rische <jrische@redhat.com>
|
||||
Date: Tue, 21 Feb 2023 10:03:35 +0100
|
||||
Subject: [PATCH] Fix meridian type in kadmin datetime parser
|
||||
|
||||
The meridian suffix is typed as "Number" in kadmin YACC file for
|
||||
datetime parsing, while it should be using the "Meridian" enumeration
|
||||
one.
|
||||
|
||||
This results in invalid Meridian value on 64-bit IBM zSystems (s390x),
|
||||
causing core dumped errors on most kadmin commands where meridian
|
||||
suffices are used.
|
||||
|
||||
Upstream PR:
|
||||
https://github.com/krb5/krb5/pull/1290
|
||||
---
|
||||
src/kadmin/cli/getdate.y | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/kadmin/cli/getdate.y b/src/kadmin/cli/getdate.y
|
||||
index b9dceec1ee..d14cf963c5 100644
|
||||
--- a/src/kadmin/cli/getdate.y
|
||||
+++ b/src/kadmin/cli/getdate.y
|
||||
@@ -181,7 +181,8 @@ static time_t yyRelSeconds;
|
||||
|
||||
%token tAGO tID tDST tNEVER
|
||||
%token <Number> tDAY tDAYZONE tMINUTE_UNIT tMONTH tMONTH_UNIT
|
||||
-%token <Number> tSEC_UNIT tSNUMBER tUNUMBER tZONE tMERIDIAN
|
||||
+%token <Number> tSEC_UNIT tSNUMBER tUNUMBER tZONE
|
||||
+%token <Meridian> tMERIDIAN
|
||||
%type <Meridian> o_merid
|
||||
|
||||
%%
|
||||
--
|
||||
2.39.1
|
||||
|
@ -1,16 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIzBAABCgAdFiEExEk8tzn0qJ+YUsvCDLoIV1+Dct8FAmNvED8ACgkQDLoIV1+D
|
||||
ct9uKw/8C5GS8mdh335lB+bkfjYYCZLD+oQToDAAbdCddrIcuLftvnTfXJ8cMtMc
|
||||
UT2hsp8u7ZupjJRevdhaH7fFwomc0V8iSES5J2cQHTNd9aK93j/W6NaMoqWLrQWg
|
||||
jx99oqLn7orvp8N5RufEQcNMNWhFIX4XSfrA3vPfHbbffA2vkjJzOGno4UHi8zUn
|
||||
6nye7jbrBpiQIeFIJSS3VPsvGrKdRgb9BqGTUsqPIuFvr3Qvo42lKr5X8CWYSXjK
|
||||
0aKlOpfbWdkteEe2o84/wyMpuGvmYkmOgaMB5xQ3jfEuvPNAWX2CWHNDamiqwBT/
|
||||
YxwhZimNa1B9r3P1yDHvpUu8cJaRzw2UDRi2f3Kztrmn2jlqzmoZ31WBALJA7lmL
|
||||
SrVFdXi7AcWwppMp1kbe9SvurCXID8/Q4n+qAdzSvqrXbeWerVUkdYFvtxQ1bMJR
|
||||
jnqN11iZFYaoCaaR2lFEhjoMdR80jUa2m6vdF7a7xhH1UvuPHDnzLT9X/TiPvx0R
|
||||
Itrp5MMIrUQHcZUL9hM5hrg3nxEsGsSCnjB0zWDmgXdLGwd4CvcOF4HPQR3BBlEH
|
||||
CLtAa27bBXMJTYVvmmKt06hw+U3ALDfUlFrV6ZNLr9ug69l29n7JoChAbZ97Hx1m
|
||||
twPwJpKd8AiUz+j3KCfgGU21qMbHNP3jEn3q9tkq0qcs/z7RCmU=
|
||||
=1WIq
|
||||
-----END PGP SIGNATURE-----
|
@ -0,0 +1,16 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIzBAABCgAdFiEExEk8tzn0qJ+YUsvCDLoIV1+Dct8FAmSsc/kACgkQDLoIV1+D
|
||||
ct+wPxAArlkJs5WpFIm2JDJXGF82BNw/FEhg+OkWcPHeLMWJF8qO0AxVp8Yq4g1g
|
||||
qFpTABwY8V2tfr84XQJ6rw7Qq93NjRjFHr1z1tDmCceLisXof6Tu7/RKjHwNmJt8
|
||||
M3srmsXPlmx/7cXuaYIljJfftun3D/iuEaydWluGb1DZicaU/OsofGhKE8/YEZrN
|
||||
H0XdIC45raG4O9t6CGjQRcAIv5Z4afCtXH4aaEmLg6E2+aTUyx+czu7nBASCaTyv
|
||||
s4df8fhbVpdBi6iA6BQJC296Rc1gyDnuxnjyCH8Rj2gTuiI4Oa2dxRPGT3mjksz3
|
||||
OheYcXK9XGCtUbG22zrxqUuHDA3jF6KKmsVSXnbygB6XSS/c0bqmeDRTQGPksWH6
|
||||
RJbmlKG9PQ0BavlXRa7Nupaa7f0jblFiduScYujRsyWxi/8YkckedugYyuww59gV
|
||||
piUwGGRDWldy+JIAYtvzirsfe6Oum0/SKY5wYXyKv0flM95pbfBEw+TzRxmlCQ5J
|
||||
+i8L9Frr4gTmT576GHB6WzBlOEPf6mRc8jg0DyyUOoDHXyj4MCyJGEJxvcyVV1WX
|
||||
tJlu0uH1f8pMZx4IQ279PsNFimO/NsdSTefqiVGXA7FWK1EPLc+l9ZBcrLi9KEmJ
|
||||
7TfVq9cAg6+m2tql+gjAQrfXHUU1mNdPLFMnShYlqHjTle4cQKE=
|
||||
=AIvQ
|
||||
-----END PGP SIGNATURE-----
|
File diff suppressed because it is too large
Load Diff
Loading…
Reference in new issue