diff --git a/SOURCES/Generate-and-verify-message-MACs-in-libkrad.patch b/SOURCES/Generate-and-verify-message-MACs-in-libkrad.patch new file mode 100644 index 0000000..d1e5080 --- /dev/null +++ b/SOURCES/Generate-and-verify-message-MACs-in-libkrad.patch @@ -0,0 +1,629 @@ +From aad00d346e5c7923287fc0016a37b49c4618d78e Mon Sep 17 00:00:00 2001 +From: Julien Rische +Date: Thu, 22 Aug 2024 17:15:50 +0200 +Subject: [PATCH] Generate and verify message MACs in libkrad + +Implement some of the measures specified in +draft-ietf-radext-deprecating-radius-03 for mitigating the BlastRADIUS +attack (CVE-2024-3596): + +* Include a Message-Authenticator MAC as the first attribute when + generating a packet of type Access-Request, Access-Reject, + Access-Accept, or Access-Challenge (sections 5.2.1 and 5.2.4), if + the secret is non-empty. (An empty secret indicates the use of Unix + domain socket transport.) + +* Validate the Message-Authenticator MAC in received packets, if + present. + +FreeRADIUS enforces Message-Authenticator as of versions 3.2.5 and +3.0.27. libkrad must generate Message-Authenticator attributes in +order to remain compatible with these implementations. + +[ghudson@mit.edu: adjusted style and naming; simplified some +functions; edited commit message] + +ticket: 9142 (new) +tags: pullup +target_version: 1.21-next + +(cherry picked from commit 871125fea8ce0370a972bf65f7d1de63f619b06c) +--- + src/include/k5-int.h | 5 + + src/lib/crypto/krb/checksum_hmac_md5.c | 28 ++++ + src/lib/crypto/libk5crypto.exports | 1 + + src/lib/krad/attr.c | 17 ++ + src/lib/krad/attrset.c | 59 +++++-- + src/lib/krad/internal.h | 7 +- + src/lib/krad/packet.c | 206 +++++++++++++++++++++++-- + src/lib/krad/t_attrset.c | 2 +- + src/lib/krad/t_daemon.py | 3 +- + src/lib/krad/t_packet.c | 11 ++ + src/tests/t_otp.py | 3 + + 11 files changed, 311 insertions(+), 31 deletions(-) + +diff --git a/src/include/k5-int.h b/src/include/k5-int.h +index 9d5e41ca2c..d062617268 100644 +--- a/src/include/k5-int.h ++++ b/src/include/k5-int.h +@@ -2415,4 +2415,9 @@ void k5_change_error_message_code(krb5_context ctx, krb5_error_code oldcode, + #define k5_prependmsg krb5_prepend_error_message + #define k5_wrapmsg krb5_wrap_error_message + ++/* Generate an HMAC-MD5 keyed checksum as specified by RFC 2104. */ ++krb5_error_code ++k5_hmac_md5(const krb5_data *key, const krb5_crypto_iov *data, size_t num_data, ++ krb5_data *output); ++ + #endif /* _KRB5_INT_H */ +diff --git a/src/lib/crypto/krb/checksum_hmac_md5.c b/src/lib/crypto/krb/checksum_hmac_md5.c +index ec024f3966..a809388549 100644 +--- a/src/lib/crypto/krb/checksum_hmac_md5.c ++++ b/src/lib/crypto/krb/checksum_hmac_md5.c +@@ -92,3 +92,31 @@ cleanup: + free(hash_iov); + return ret; + } ++ ++krb5_error_code ++k5_hmac_md5(const krb5_data *key, const krb5_crypto_iov *data, size_t num_data, ++ krb5_data *output) ++{ ++ krb5_error_code ret; ++ const struct krb5_hash_provider *hash = &krb5int_hash_md5; ++ krb5_keyblock keyblock = { 0 }; ++ krb5_data hashed_key; ++ uint8_t hkeybuf[16]; ++ krb5_crypto_iov iov; ++ ++ /* Hash the key if it is longer than the block size. */ ++ if (key->length > hash->blocksize) { ++ hashed_key = make_data(hkeybuf, sizeof(hkeybuf)); ++ iov.flags = KRB5_CRYPTO_TYPE_DATA; ++ iov.data = *key; ++ ret = hash->hash(&iov, 1, &hashed_key); ++ if (ret) ++ return ret; ++ key = &hashed_key; ++ } ++ ++ keyblock.magic = KV5M_KEYBLOCK; ++ keyblock.length = key->length; ++ keyblock.contents = (uint8_t *)key->data; ++ return krb5int_hmac_keyblock(hash, &keyblock, data, num_data, output); ++} +diff --git a/src/lib/crypto/libk5crypto.exports b/src/lib/crypto/libk5crypto.exports +index 9db1813810..b4dcd29937 100644 +--- a/src/lib/crypto/libk5crypto.exports ++++ b/src/lib/crypto/libk5crypto.exports +@@ -107,3 +107,4 @@ krb5_c_prfplus + krb5_c_derive_prfplus + k5_enctype_to_ssf + krb5int_c_deprecated_enctype ++k5_hmac_md5 +diff --git a/src/lib/krad/attr.c b/src/lib/krad/attr.c +index 42d354a3b5..65ed1d35e7 100644 +--- a/src/lib/krad/attr.c ++++ b/src/lib/krad/attr.c +@@ -125,6 +125,23 @@ static const attribute_record attributes[UCHAR_MAX] = { + {"NAS-Port-Type", 4, 4, NULL, NULL}, + {"Port-Limit", 4, 4, NULL, NULL}, + {"Login-LAT-Port", 1, MAX_ATTRSIZE, NULL, NULL}, ++ {NULL, 0, 0, NULL, NULL}, /* Reserved for tunnelling */ ++ {NULL, 0, 0, NULL, NULL}, /* Reserved for tunnelling */ ++ {NULL, 0, 0, NULL, NULL}, /* Reserved for tunnelling */ ++ {NULL, 0, 0, NULL, NULL}, /* Reserved for tunnelling */ ++ {NULL, 0, 0, NULL, NULL}, /* Reserved for tunnelling */ ++ {NULL, 0, 0, NULL, NULL}, /* Reserved for tunnelling */ ++ {NULL, 0, 0, NULL, NULL}, /* Reserved for Apple Remote Access Protocol */ ++ {NULL, 0, 0, NULL, NULL}, /* Reserved for Apple Remote Access Protocol */ ++ {NULL, 0, 0, NULL, NULL}, /* Reserved for Apple Remote Access Protocol */ ++ {NULL, 0, 0, NULL, NULL}, /* Reserved for Apple Remote Access Protocol */ ++ {NULL, 0, 0, NULL, NULL}, /* Reserved for Apple Remote Access Protocol */ ++ {NULL, 0, 0, NULL, NULL}, /* Password-Retry */ ++ {NULL, 0, 0, NULL, NULL}, /* Prompt */ ++ {NULL, 0, 0, NULL, NULL}, /* Connect-Info */ ++ {NULL, 0, 0, NULL, NULL}, /* Configuration-Token */ ++ {NULL, 0, 0, NULL, NULL}, /* EAP-Message */ ++ {"Message-Authenticator", MD5_DIGEST_SIZE, MD5_DIGEST_SIZE, NULL, NULL}, + }; + + /* Encode User-Password attribute. */ +diff --git a/src/lib/krad/attrset.c b/src/lib/krad/attrset.c +index 6ec031e320..e5457ebfd7 100644 +--- a/src/lib/krad/attrset.c ++++ b/src/lib/krad/attrset.c +@@ -164,15 +164,44 @@ krad_attrset_copy(const krad_attrset *set, krad_attrset **copy) + return 0; + } + ++/* Place an encoded attributes into outbuf at position *i. Increment *i by the ++ * length of the encoding. */ ++static krb5_error_code ++append_attr(krb5_context ctx, const char *secret, ++ const uint8_t *auth, krad_attr type, const krb5_data *data, ++ uint8_t outbuf[MAX_ATTRSETSIZE], size_t *i, krb5_boolean *is_fips) ++{ ++ uint8_t buffer[MAX_ATTRSIZE]; ++ size_t attrlen; ++ krb5_error_code retval; ++ ++ retval = kr_attr_encode(ctx, secret, auth, type, data, buffer, &attrlen, ++ is_fips); ++ if (retval) ++ return retval; ++ ++ if (attrlen > MAX_ATTRSETSIZE - *i - 2) ++ return EMSGSIZE; ++ ++ outbuf[(*i)++] = type; ++ outbuf[(*i)++] = attrlen + 2; ++ memcpy(outbuf + *i, buffer, attrlen); ++ *i += attrlen; ++ ++ return 0; ++} ++ + krb5_error_code + kr_attrset_encode(const krad_attrset *set, const char *secret, +- const unsigned char *auth, ++ const uint8_t *auth, krb5_boolean add_msgauth, + unsigned char outbuf[MAX_ATTRSETSIZE], size_t *outlen, + krb5_boolean *is_fips) + { +- unsigned char buffer[MAX_ATTRSIZE]; + krb5_error_code retval; +- size_t i = 0, attrlen; ++ krad_attr msgauth_type = krad_attr_name2num("Message-Authenticator"); ++ const uint8_t zeroes[MD5_DIGEST_SIZE] = { 0 }; ++ krb5_data zerodata; ++ size_t i = 0; + attr *a; + + if (set == NULL) { +@@ -180,19 +209,21 @@ kr_attrset_encode(const krad_attrset *set, const char *secret, + return 0; + } + +- K5_TAILQ_FOREACH(a, &set->list, list) { +- retval = kr_attr_encode(set->ctx, secret, auth, a->type, &a->attr, +- buffer, &attrlen, is_fips); +- if (retval != 0) ++ if (add_msgauth) { ++ /* Encode Message-Authenticator as the first attribute, per ++ * draft-ietf-radext-deprecating-radius-03 section 5.2. */ ++ zerodata = make_data((uint8_t *)zeroes, MD5_DIGEST_SIZE); ++ retval = append_attr(set->ctx, secret, auth, msgauth_type, &zerodata, ++ outbuf, &i, is_fips); ++ if (retval) + return retval; ++ } + +- if (i + attrlen + 2 > MAX_ATTRSETSIZE) +- return EMSGSIZE; +- +- outbuf[i++] = a->type; +- outbuf[i++] = attrlen + 2; +- memcpy(&outbuf[i], buffer, attrlen); +- i += attrlen; ++ K5_TAILQ_FOREACH(a, &set->list, list) { ++ retval = append_attr(set->ctx, secret, auth, a->type, &a->attr, ++ outbuf, &i, is_fips); ++ if (retval) ++ return retval; + } + + *outlen = i; +diff --git a/src/lib/krad/internal.h b/src/lib/krad/internal.h +index b086598fb2..f3e4a1d8d3 100644 +--- a/src/lib/krad/internal.h ++++ b/src/lib/krad/internal.h +@@ -45,6 +45,8 @@ + #define UCHAR_MAX 255 + #endif + ++#define MD5_DIGEST_SIZE 16 ++ + /* RFC 2865 */ + #define MAX_ATTRSIZE (UCHAR_MAX - 2) + #define MAX_ATTRSETSIZE (KRAD_PACKET_SIZE_MAX - 20) +@@ -75,10 +77,11 @@ kr_attr_decode(krb5_context ctx, const char *secret, const unsigned char *auth, + krad_attr type, const krb5_data *in, + unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen); + +-/* Encode the attributes into the buffer. */ ++/* Encode set into outbuf. If add_msgauth is true, include a zeroed ++ * Message-Authenticator as the first attribute. */ + krb5_error_code + kr_attrset_encode(const krad_attrset *set, const char *secret, +- const unsigned char *auth, ++ const uint8_t *auth, krb5_boolean add_msgauth, + unsigned char outbuf[MAX_ATTRSETSIZE], size_t *outlen, + krb5_boolean *is_fips); + +diff --git a/src/lib/krad/packet.c b/src/lib/krad/packet.c +index fc2d248001..257bbc6345 100644 +--- a/src/lib/krad/packet.c ++++ b/src/lib/krad/packet.c +@@ -36,6 +36,7 @@ + typedef unsigned char uchar; + + /* RFC 2865 */ ++#define MSGAUTH_SIZE (2 + MD5_DIGEST_SIZE) + #define OFFSET_CODE 0 + #define OFFSET_ID 1 + #define OFFSET_LENGTH 2 +@@ -222,6 +223,106 @@ packet_set_attrset(krb5_context ctx, const char *secret, krad_packet *pkt) + return kr_attrset_decode(ctx, &tmp, secret, pkt_auth(pkt), &pkt->attrset); + } + ++/* Determine if a packet requires a Message-Authenticator attribute. */ ++static inline krb5_boolean ++requires_msgauth(const char *secret, krad_code code) ++{ ++ /* If no secret is provided, assume that the transport is a UNIX socket. ++ * Message-Authenticator is required only on UDP and TCP connections. */ ++ if (*secret == '\0') ++ return FALSE; ++ ++ /* ++ * Per draft-ietf-radext-deprecating-radius-03 sections 5.2.1 and 5.2.4, ++ * Message-Authenticator is required in Access-Request packets and all ++ * potential responses when UDP or TCP transport is used. ++ */ ++ return code == krad_code_name2num("Access-Request") || ++ code == krad_code_name2num("Access-Reject") || ++ code == krad_code_name2num("Access-Accept") || ++ code == krad_code_name2num("Access-Challenge"); ++} ++ ++/* Check if the packet has a Message-Authenticator attribute. */ ++static inline krb5_boolean ++has_pkt_msgauth(const krad_packet *pkt) ++{ ++ krad_attr msgauth_type = krad_attr_name2num("Message-Authenticator"); ++ ++ return krad_attrset_get(pkt->attrset, msgauth_type, 0) != NULL; ++} ++ ++/* Return the beginning of the Message-Authenticator attribute in pkt, or NULL ++ * if no such attribute is present. */ ++static const uint8_t * ++lookup_msgauth_addr(const krad_packet *pkt) ++{ ++ krad_attr msgauth_type = krad_attr_name2num("Message-Authenticator"); ++ size_t i; ++ uint8_t *p; ++ ++ i = OFFSET_ATTR; ++ while (i + 2 < pkt->pkt.length) { ++ p = (uint8_t *)offset(&pkt->pkt, i); ++ if (msgauth_type == *p) ++ return p; ++ i += p[1]; ++ } ++ ++ return NULL; ++} ++ ++/* ++ * Calculate the message authenticator MAC for pkt as specified in RFC 2869 ++ * section 5.14, placing the result in mac_out. Use the provided authenticator ++ * auth, which may be from pkt or from a corresponding request. ++ */ ++static krb5_error_code ++calculate_mac(const char *secret, const krad_packet *pkt, ++ const uint8_t auth[AUTH_FIELD_SIZE], ++ uint8_t mac_out[MD5_DIGEST_SIZE]) ++{ ++ uint8_t zeroed_msgauth[MSGAUTH_SIZE]; ++ krad_attr msgauth_type = krad_attr_name2num("Message-Authenticator"); ++ const uint8_t *msgauth_attr, *msgauth_end, *pkt_end; ++ krb5_crypto_iov input[5]; ++ krb5_data ksecr, mac; ++ ++ msgauth_attr = lookup_msgauth_addr(pkt); ++ if (msgauth_attr == NULL) ++ return EINVAL; ++ msgauth_end = msgauth_attr + MSGAUTH_SIZE; ++ pkt_end = (const uint8_t *)pkt->pkt.data + pkt->pkt.length; ++ ++ /* Read code, id, and length from the packet. */ ++ input[0].flags = KRB5_CRYPTO_TYPE_DATA; ++ input[0].data = make_data(pkt->pkt.data, OFFSET_AUTH); ++ ++ /* Read the provided authenticator. */ ++ input[1].flags = KRB5_CRYPTO_TYPE_DATA; ++ input[1].data = make_data((uint8_t *)auth, AUTH_FIELD_SIZE); ++ ++ /* Read any attributes before Message-Authenticator. */ ++ input[2].flags = KRB5_CRYPTO_TYPE_DATA; ++ input[2].data = make_data(pkt_attr(pkt), msgauth_attr - pkt_attr(pkt)); ++ ++ /* Read Message-Authenticator with the data bytes all set to zero, per RFC ++ * 2869 section 5.14. */ ++ zeroed_msgauth[0] = msgauth_type; ++ zeroed_msgauth[1] = MSGAUTH_SIZE; ++ memset(zeroed_msgauth + 2, 0, MD5_DIGEST_SIZE); ++ input[3].flags = KRB5_CRYPTO_TYPE_DATA; ++ input[3].data = make_data(zeroed_msgauth, MSGAUTH_SIZE); ++ ++ /* Read any attributes after Message-Authenticator. */ ++ input[4].flags = KRB5_CRYPTO_TYPE_DATA; ++ input[4].data = make_data((uint8_t *)msgauth_end, pkt_end - msgauth_end); ++ ++ mac = make_data(mac_out, MD5_DIGEST_SIZE); ++ ksecr = string2data((char *)secret); ++ return k5_hmac_md5(&ksecr, input, 5, &mac); ++} ++ + ssize_t + krad_packet_bytes_needed(const krb5_data *buffer) + { +@@ -255,6 +356,7 @@ krad_packet_new_request(krb5_context ctx, const char *secret, krad_code code, + krad_packet *pkt; + uchar id; + size_t attrset_len; ++ krb5_boolean msgauth_required; + + pkt = packet_new(); + if (pkt == NULL) { +@@ -274,9 +376,13 @@ krad_packet_new_request(krb5_context ctx, const char *secret, krad_code code, + if (retval != 0) + goto error; + ++ /* Determine if Message-Authenticator is required. */ ++ msgauth_required = (*secret != '\0' && ++ code == krad_code_name2num("Access-Request")); ++ + /* Encode the attributes. */ +- retval = kr_attrset_encode(set, secret, pkt_auth(pkt), pkt_attr(pkt), +- &attrset_len, &pkt->is_fips); ++ retval = kr_attrset_encode(set, secret, pkt_auth(pkt), msgauth_required, ++ pkt_attr(pkt), &attrset_len, &pkt->is_fips); + if (retval != 0) + goto error; + +@@ -285,6 +391,13 @@ krad_packet_new_request(krb5_context ctx, const char *secret, krad_code code, + pkt_code_set(pkt, code); + pkt_len_set(pkt, pkt->pkt.length); + ++ if (msgauth_required) { ++ /* Calculate and set the Message-Authenticator MAC. */ ++ retval = calculate_mac(secret, pkt, pkt_auth(pkt), pkt_attr(pkt) + 2); ++ if (retval != 0) ++ goto error; ++ } ++ + /* Copy the attrset for future use. */ + retval = packet_set_attrset(ctx, secret, pkt); + if (retval != 0) +@@ -307,14 +420,19 @@ krad_packet_new_response(krb5_context ctx, const char *secret, krad_code code, + krb5_error_code retval; + krad_packet *pkt; + size_t attrset_len; ++ krb5_boolean msgauth_required; + + pkt = packet_new(); + if (pkt == NULL) + return ENOMEM; + ++ /* Determine if Message-Authenticator is required. */ ++ msgauth_required = requires_msgauth(secret, code); ++ + /* Encode the attributes. */ +- retval = kr_attrset_encode(set, secret, pkt_auth(request), pkt_attr(pkt), +- &attrset_len, &pkt->is_fips); ++ retval = kr_attrset_encode(set, secret, pkt_auth(request), ++ msgauth_required, pkt_attr(pkt), &attrset_len, ++ &pkt->is_fips); + if (retval != 0) + goto error; + +@@ -330,6 +448,18 @@ krad_packet_new_response(krb5_context ctx, const char *secret, krad_code code, + if (retval != 0) + goto error; + ++ if (msgauth_required) { ++ /* ++ * Calculate and replace the Message-Authenticator MAC. Per RFC 2869 ++ * section 5.14, use the authenticator from the request, not from the ++ * response. ++ */ ++ retval = calculate_mac(secret, pkt, pkt_auth(request), ++ pkt_attr(pkt) + 2); ++ if (retval != 0) ++ goto error; ++ } ++ + /* Copy the attrset for future use. */ + retval = packet_set_attrset(ctx, secret, pkt); + if (retval != 0) +@@ -343,6 +473,34 @@ error: + return retval; + } + ++/* Verify the Message-Authenticator value in pkt, using the provided ++ * authenticator (which may be from pkt or from a corresponding request). */ ++static krb5_error_code ++verify_msgauth(const char *secret, const krad_packet *pkt, ++ const uint8_t auth[AUTH_FIELD_SIZE]) ++{ ++ uint8_t mac[MD5_DIGEST_SIZE]; ++ krad_attr msgauth_type = krad_attr_name2num("Message-Authenticator"); ++ const krb5_data *msgauth; ++ krb5_error_code retval; ++ ++ msgauth = krad_packet_get_attr(pkt, msgauth_type, 0); ++ if (msgauth == NULL) ++ return ENODATA; ++ ++ retval = calculate_mac(secret, pkt, auth, mac); ++ if (retval) ++ return retval; ++ ++ if (msgauth->length != MD5_DIGEST_SIZE) ++ return EMSGSIZE; ++ ++ if (k5_bcmp(mac, msgauth->data, MD5_DIGEST_SIZE) != 0) ++ return EBADMSG; ++ ++ return 0; ++} ++ + /* Decode a packet. */ + static krb5_error_code + decode_packet(krb5_context ctx, const char *secret, const krb5_data *buffer, +@@ -394,21 +552,35 @@ krad_packet_decode_request(krb5_context ctx, const char *secret, + krad_packet **reqpkt) + { + const krad_packet *tmp = NULL; ++ krad_packet *req; + krb5_error_code retval; + +- retval = decode_packet(ctx, secret, buffer, reqpkt); +- if (cb != NULL && retval == 0) { ++ retval = decode_packet(ctx, secret, buffer, &req); ++ if (retval) ++ return retval; ++ ++ /* Verify Message-Authenticator if present. */ ++ if (has_pkt_msgauth(req)) { ++ retval = verify_msgauth(secret, req, pkt_auth(req)); ++ if (retval) { ++ krad_packet_free(req); ++ return retval; ++ } ++ } ++ ++ if (cb != NULL) { + for (tmp = (*cb)(data, FALSE); tmp != NULL; tmp = (*cb)(data, FALSE)) { + if (pkt_id_get(*reqpkt) == pkt_id_get(tmp)) + break; + } +- } + +- if (cb != NULL && (retval != 0 || tmp != NULL)) +- (*cb)(data, TRUE); ++ if (tmp != NULL) ++ (*cb)(data, TRUE); ++ } + ++ *reqpkt = req; + *duppkt = tmp; +- return retval; ++ return 0; + } + + krb5_error_code +@@ -435,9 +607,17 @@ krad_packet_decode_response(krb5_context ctx, const char *secret, + break; + } + +- /* If the authenticator matches, then the response is valid. */ +- if (memcmp(pkt_auth(*rsppkt), auth, sizeof(auth)) == 0) +- break; ++ /* Verify the response authenticator. */ ++ if (k5_bcmp(pkt_auth(*rsppkt), auth, sizeof(auth)) != 0) ++ continue; ++ ++ /* Verify Message-Authenticator if present. */ ++ if (has_pkt_msgauth(*rsppkt)) { ++ if (verify_msgauth(secret, *rsppkt, pkt_auth(tmp)) != 0) ++ continue; ++ } ++ ++ break; + } + } + +diff --git a/src/lib/krad/t_attrset.c b/src/lib/krad/t_attrset.c +index 0f95762534..9a70529dc5 100644 +--- a/src/lib/krad/t_attrset.c ++++ b/src/lib/krad/t_attrset.c +@@ -63,7 +63,7 @@ main() + noerror(krad_attrset_add(set, krad_attr_name2num("User-Password"), &tmp)); + + /* Encode attrset. */ +- noerror(kr_attrset_encode(set, "foo", auth, buffer, &encode_len, ++ noerror(kr_attrset_encode(set, "foo", auth, FALSE, buffer, &encode_len, + &is_fips)); + krad_attrset_free(set); + +diff --git a/src/lib/krad/t_daemon.py b/src/lib/krad/t_daemon.py +index 7668cd7f87..7fa0449a3c 100755 +--- a/src/lib/krad/t_daemon.py ++++ b/src/lib/krad/t_daemon.py +@@ -40,6 +40,7 @@ DICTIONARY = """ + ATTRIBUTE\tUser-Name\t1\tstring + ATTRIBUTE\tUser-Password\t2\toctets + ATTRIBUTE\tNAS-Identifier\t32\tstring ++ATTRIBUTE\tMessage-Authenticator\t80\toctets + """ + + class TestServer(server.Server): +@@ -52,7 +53,7 @@ class TestServer(server.Server): + if key == "User-Password": + passwd = map(pkt.PwDecrypt, pkt[key]) + +- reply = self.CreateReplyPacket(pkt) ++ reply = self.CreateReplyPacket(pkt, message_authenticator=True) + if passwd == ['accept']: + reply.code = packet.AccessAccept + else: +diff --git a/src/lib/krad/t_packet.c b/src/lib/krad/t_packet.c +index c22489144f..104b6507a2 100644 +--- a/src/lib/krad/t_packet.c ++++ b/src/lib/krad/t_packet.c +@@ -172,6 +172,9 @@ main(int argc, const char **argv) + krb5_data username, password; + krb5_boolean auth = FALSE; + krb5_context ctx; ++ const krad_packet *dupreq; ++ const krb5_data *encpkt; ++ krad_packet *decreq; + + username = string2data("testUser"); + +@@ -184,9 +187,17 @@ main(int argc, const char **argv) + + password = string2data("accept"); + noerror(make_packet(ctx, &username, &password, &packets[ACCEPT_PACKET])); ++ encpkt = krad_packet_encode(packets[ACCEPT_PACKET]); ++ noerror(krad_packet_decode_request(ctx, "foo", encpkt, NULL, NULL, ++ &dupreq, &decreq)); ++ krad_packet_free(decreq); + + password = string2data("reject"); + noerror(make_packet(ctx, &username, &password, &packets[REJECT_PACKET])); ++ encpkt = krad_packet_encode(packets[REJECT_PACKET]); ++ noerror(krad_packet_decode_request(ctx, "foo", encpkt, NULL, NULL, ++ &dupreq, &decreq)); ++ krad_packet_free(decreq); + + memset(&hints, 0, sizeof(hints)); + hints.ai_family = AF_INET; +diff --git a/src/tests/t_otp.py b/src/tests/t_otp.py +index cba871a0f2..1ec916598c 100755 +--- a/src/tests/t_otp.py ++++ b/src/tests/t_otp.py +@@ -49,6 +49,7 @@ ATTRIBUTE User-Name 1 string + ATTRIBUTE User-Password 2 octets + ATTRIBUTE Service-Type 6 integer + ATTRIBUTE NAS-Identifier 32 string ++ATTRIBUTE Message-Authenticator 80 octets + ''' + + class RadiusDaemon(Process): +@@ -97,6 +98,8 @@ class RadiusDaemon(Process): + reply.code = packet.AccessReject + replyq['reply'] = False + ++ reply.add_message_authenticator() ++ + outq.put(replyq) + if addr is None: + sock.send(reply.ReplyPacket()) +-- +2.46.0 + diff --git a/SOURCES/Remove-PKINIT-RSA-support.patch b/SOURCES/Remove-PKINIT-RSA-support.patch new file mode 100644 index 0000000..2dbaf44 --- /dev/null +++ b/SOURCES/Remove-PKINIT-RSA-support.patch @@ -0,0 +1,1299 @@ +From cc31e37cc4f8bbac99ee7eff37e8c25d21343bb7 Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Sun, 26 Nov 2023 17:42:34 -0500 +Subject: [PATCH] Remove PKINIT RSA support + +RSA mode is no longer needed for interoperability. Reduce the attack +surface of clients and KDCs by removing support for it. + +ticket: 9108 (new) +(cherry picked from commit 401f584526e501b68e7516c17d8e467883f8f210) +--- + doc/user/user_commands/kinit.rst | 4 - + src/plugins/preauth/pkinit/pkinit.h | 2 - + src/plugins/preauth/pkinit/pkinit_clnt.c | 242 +++------ + src/plugins/preauth/pkinit/pkinit_crypto.h | 42 -- + .../preauth/pkinit/pkinit_crypto_openssl.c | 487 ------------------ + src/plugins/preauth/pkinit/pkinit_lib.c | 2 - + src/plugins/preauth/pkinit/pkinit_srv.c | 213 +++----- + src/plugins/preauth/pkinit/pkinit_trace.h | 9 - + src/tests/t_pkinit.py | 9 - + src/windows/leash/htmlhelp/html/KINIT.htm | 3 - + 10 files changed, 139 insertions(+), 874 deletions(-) + +diff --git a/doc/user/user_commands/kinit.rst b/doc/user/user_commands/kinit.rst +index e12e88a372..2d67698dac 100644 +--- a/doc/user/user_commands/kinit.rst ++++ b/doc/user/user_commands/kinit.rst +@@ -192,10 +192,6 @@ OPTIONS + **X509_anchors**\ =\ *value* + specify where to find trusted X509 anchor information + +- **flag_RSA_PROTOCOL**\ [**=yes**] +- specify use of RSA, rather than the default Diffie-Hellman +- protocol +- + **disable_freshness**\ [**=yes**] + disable sending freshness tokens (for testing purposes only) + +diff --git a/src/plugins/preauth/pkinit/pkinit.h b/src/plugins/preauth/pkinit/pkinit.h +index b437fd53fb..ab132d78a9 100644 +--- a/src/plugins/preauth/pkinit/pkinit.h ++++ b/src/plugins/preauth/pkinit/pkinit.h +@@ -147,7 +147,6 @@ typedef struct _pkinit_plg_opts { + int require_eku; /* require EKU checking (default is true) */ + int accept_secondary_eku;/* accept secondary EKU (default is false) */ + int allow_upn; /* allow UPN-SAN instead of pkinit-SAN */ +- int dh_or_rsa; /* selects DH or RSA based pkinit */ + int require_crl_checking; /* require CRL for a CA (default is false) */ + int require_freshness; /* require freshness token (default is false) */ + int disable_freshness; /* disable freshness token on client for testing */ +@@ -161,7 +160,6 @@ typedef struct _pkinit_req_opts { + int require_eku; + int accept_secondary_eku; + int allow_upn; +- int dh_or_rsa; + int require_crl_checking; + int dh_size; /* initial request DH modulus size (default=1024) */ + int require_hostname_match; +diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c +index 021e5f0723..ca0162897b 100644 +--- a/src/plugins/preauth/pkinit/pkinit_clnt.c ++++ b/src/plugins/preauth/pkinit/pkinit_clnt.c +@@ -193,7 +193,6 @@ pkinit_as_req_create(krb5_context context, + krb5_auth_pack auth_pack; + krb5_pa_pk_as_req *req = NULL; + krb5_algorithm_identifier **cmstypes = NULL; +- int protocol = reqctx->opts->dh_or_rsa; + unsigned char *dh_params = NULL, *dh_pubkey = NULL; + unsigned int dh_params_len, dh_pubkey_len; + +@@ -212,35 +211,19 @@ pkinit_as_req_create(krb5_context context, + auth_pack.clientPublicValue = &info; + auth_pack.supportedKDFs = (krb5_data **)supported_kdf_alg_ids; + +- switch(protocol) { +- case DH_PROTOCOL: +- TRACE_PKINIT_CLIENT_REQ_DH(context); +- pkiDebug("as_req: DH key transport algorithm\n"); +- info.algorithm.algorithm = dh_oid; +- +- /* create client-side DH keys */ +- retval = client_create_dh(context, plgctx->cryptoctx, +- reqctx->cryptoctx, reqctx->idctx, +- reqctx->opts->dh_size, &dh_params, +- &dh_params_len, &dh_pubkey, &dh_pubkey_len); +- if (retval != 0) { +- pkiDebug("failed to create dh parameters\n"); +- goto cleanup; +- } +- info.algorithm.parameters = make_data(dh_params, dh_params_len); +- info.subjectPublicKey = make_data(dh_pubkey, dh_pubkey_len); +- break; +- case RSA_PROTOCOL: +- TRACE_PKINIT_CLIENT_REQ_RSA(context); +- pkiDebug("as_req: RSA key transport algorithm\n"); +- auth_pack.clientPublicValue = NULL; +- break; +- default: +- pkiDebug("as_req: unknown key transport protocol %d\n", +- protocol); +- retval = -1; ++ TRACE_PKINIT_CLIENT_REQ_DH(context); ++ info.algorithm.algorithm = dh_oid; ++ ++ /* create client-side DH keys */ ++ retval = client_create_dh(context, plgctx->cryptoctx, reqctx->cryptoctx, ++ reqctx->idctx, reqctx->opts->dh_size, &dh_params, ++ &dh_params_len, &dh_pubkey, &dh_pubkey_len); ++ if (retval != 0) { ++ pkiDebug("failed to create dh parameters\n"); + goto cleanup; + } ++ info.algorithm.parameters = make_data(dh_params, dh_params_len); ++ info.subjectPublicKey = make_data(dh_pubkey, dh_pubkey_len); + + retval = k5int_encode_krb5_auth_pack(&auth_pack, &coded_auth_pack); + if (retval) { +@@ -556,49 +539,33 @@ pkinit_as_rep_parse(krb5_context context, + return retval; + } + +- switch(kdc_reply->choice) { +- case choice_pa_pk_as_rep_dhInfo: +- pkiDebug("as_rep: DH key transport algorithm\n"); ++ if (kdc_reply->choice != choice_pa_pk_as_rep_dhInfo) { ++ pkiDebug("unknown as_rep type %d\n", kdc_reply->choice); ++ retval = KRB5KDC_ERR_PREAUTH_FAILED; ++ goto cleanup; ++ } ++ + #ifdef DEBUG_ASN1 +- print_buffer_bin(kdc_reply->u.dh_Info.dhSignedData.data, +- kdc_reply->u.dh_Info.dhSignedData.length, "/tmp/client_kdc_signeddata"); ++ print_buffer_bin(kdc_reply->u.dh_Info.dhSignedData.data, ++ kdc_reply->u.dh_Info.dhSignedData.length, ++ "/tmp/client_kdc_signeddata"); + #endif +- if ((retval = cms_signeddata_verify(context, plgctx->cryptoctx, +- reqctx->cryptoctx, reqctx->idctx, CMS_SIGN_SERVER, +- reqctx->opts->require_crl_checking, +- (unsigned char *) +- kdc_reply->u.dh_Info.dhSignedData.data, +- kdc_reply->u.dh_Info.dhSignedData.length, +- (unsigned char **)&dh_data.data, +- &dh_data.length, +- NULL, NULL, NULL)) != 0) { +- pkiDebug("failed to verify pkcs7 signed data\n"); +- TRACE_PKINIT_CLIENT_REP_DH_FAIL(context); +- goto cleanup; +- } +- TRACE_PKINIT_CLIENT_REP_DH(context); +- break; +- case choice_pa_pk_as_rep_encKeyPack: +- pkiDebug("as_rep: RSA key transport algorithm\n"); +- if ((retval = cms_envelopeddata_verify(context, plgctx->cryptoctx, +- reqctx->cryptoctx, reqctx->idctx, pa_type, +- reqctx->opts->require_crl_checking, +- (unsigned char *) +- kdc_reply->u.encKeyPack.data, +- kdc_reply->u.encKeyPack.length, +- (unsigned char **)&dh_data.data, +- &dh_data.length)) != 0) { +- pkiDebug("failed to verify pkcs7 enveloped data\n"); +- TRACE_PKINIT_CLIENT_REP_RSA_FAIL(context); +- goto cleanup; +- } +- TRACE_PKINIT_CLIENT_REP_RSA(context); +- break; +- default: +- pkiDebug("unknown as_rep type %d\n", kdc_reply->choice); +- retval = -1; ++ if ((retval = cms_signeddata_verify(context, plgctx->cryptoctx, ++ reqctx->cryptoctx, reqctx->idctx, ++ CMS_SIGN_SERVER, ++ reqctx->opts->require_crl_checking, ++ (unsigned char *) ++ kdc_reply->u.dh_Info.dhSignedData.data, ++ kdc_reply->u.dh_Info.dhSignedData.length, ++ (unsigned char **)&dh_data.data, ++ &dh_data.length, ++ NULL, NULL, NULL)) != 0) { ++ pkiDebug("failed to verify pkcs7 signed data\n"); ++ TRACE_PKINIT_CLIENT_REP_DH_FAIL(context); + goto cleanup; + } ++ TRACE_PKINIT_CLIENT_REP_DH(context); ++ + retval = krb5_build_principal_ext(context, &kdc_princ, + request->server->realm.length, + request->server->realm.data, +@@ -635,116 +602,55 @@ pkinit_as_rep_parse(krb5_context context, + + OCTETDATA_TO_KRB5DATA(&dh_data, &k5data); + +- switch(kdc_reply->choice) { +- case choice_pa_pk_as_rep_dhInfo: + #ifdef DEBUG_ASN1 +- print_buffer_bin(dh_data.data, dh_data.length, +- "/tmp/client_dh_key"); ++ print_buffer_bin(dh_data.data, dh_data.length, "/tmp/client_dh_key"); + #endif +- if ((retval = k5int_decode_krb5_kdc_dh_key_info(&k5data, +- &kdc_dh)) != 0) { +- pkiDebug("failed to decode kdc_dh_key_info\n"); +- goto cleanup; +- } +- +- /* client after KDC reply */ +- if ((retval = client_process_dh(context, plgctx->cryptoctx, +- reqctx->cryptoctx, reqctx->idctx, +- (unsigned char *) +- kdc_dh->subjectPublicKey.data, +- kdc_dh->subjectPublicKey.length, +- &client_key, &client_key_len)) != 0) { +- pkiDebug("failed to process dh params\n"); +- goto cleanup; +- } +- +- /* If we have a KDF algorithm ID, call the algorithm agility KDF... */ +- if (kdc_reply->u.dh_Info.kdfID) { +- secret.length = client_key_len; +- secret.data = (char *)client_key; +- +- retval = pkinit_alg_agility_kdf(context, &secret, +- kdc_reply->u.dh_Info.kdfID, +- request->client, request->server, +- etype, encoded_request, +- (krb5_data *)as_rep, key_block); ++ if ((retval = k5int_decode_krb5_kdc_dh_key_info(&k5data, &kdc_dh)) != 0) { ++ pkiDebug("failed to decode kdc_dh_key_info\n"); ++ goto cleanup; ++ } + +- if (retval) { +- pkiDebug("failed to create key pkinit_alg_agility_kdf %s\n", +- error_message(retval)); +- goto cleanup; +- } +- TRACE_PKINIT_CLIENT_KDF_ALG(context, kdc_reply->u.dh_Info.kdfID, +- key_block); ++ /* client after KDC reply */ ++ if ((retval = client_process_dh(context, plgctx->cryptoctx, ++ reqctx->cryptoctx, reqctx->idctx, ++ (unsigned char *) ++ kdc_dh->subjectPublicKey.data, ++ kdc_dh->subjectPublicKey.length, ++ &client_key, &client_key_len)) != 0) { ++ pkiDebug("failed to process dh params\n"); ++ goto cleanup; ++ } + +- /* ...otherwise, use the older octetstring2key function. */ +- } else { ++ /* If we have a KDF algorithm ID, call the algorithm agility KDF... */ ++ if (kdc_reply->u.dh_Info.kdfID) { ++ secret.length = client_key_len; ++ secret.data = (char *)client_key; + +- retval = pkinit_octetstring2key(context, etype, client_key, +- client_key_len, key_block); +- if (retval) { +- pkiDebug("failed to create key pkinit_octetstring2key %s\n", +- error_message(retval)); +- goto cleanup; +- } +- TRACE_PKINIT_CLIENT_KDF_OS2K(context, key_block); +- } ++ retval = pkinit_alg_agility_kdf(context, &secret, ++ kdc_reply->u.dh_Info.kdfID, ++ request->client, request->server, ++ etype, encoded_request, ++ (krb5_data *)as_rep, key_block); + +- break; +- case choice_pa_pk_as_rep_encKeyPack: +-#ifdef DEBUG_ASN1 +- print_buffer_bin(dh_data.data, dh_data.length, +- "/tmp/client_key_pack"); +-#endif +- retval = k5int_decode_krb5_reply_key_pack(&k5data, &key_pack); + if (retval) { +- pkiDebug("failed to decode reply_key_pack\n"); ++ pkiDebug("failed to create key pkinit_alg_agility_kdf %s\n", ++ error_message(retval)); + goto cleanup; + } +- retval = krb5_c_make_checksum(context, +- key_pack->asChecksum.checksum_type, +- &key_pack->replyKey, +- KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM, +- encoded_request, &cksum); ++ TRACE_PKINIT_CLIENT_KDF_ALG(context, kdc_reply->u.dh_Info.kdfID, ++ key_block); ++ ++ /* ...otherwise, use the older octetstring2key function. */ ++ } else { ++ ++ retval = pkinit_octetstring2key(context, etype, client_key, ++ client_key_len, key_block); + if (retval) { +- pkiDebug("failed to make a checksum\n"); ++ pkiDebug("failed to create key pkinit_octetstring2key %s\n", ++ error_message(retval)); + goto cleanup; + } +- +- if ((cksum.length != key_pack->asChecksum.length) || +- k5_bcmp(cksum.contents, key_pack->asChecksum.contents, +- cksum.length) != 0) { +- TRACE_PKINIT_CLIENT_REP_CHECKSUM_FAIL(context, &cksum, +- &key_pack->asChecksum); +- pkiDebug("failed to match the checksums\n"); +-#ifdef DEBUG_CKSUM +- pkiDebug("calculating checksum on buf size (%d)\n", +- encoded_request->length); +- print_buffer(encoded_request->data, encoded_request->length); +- pkiDebug("encrypting key (%d)\n", key_pack->replyKey.length); +- print_buffer(key_pack->replyKey.contents, +- key_pack->replyKey.length); +- pkiDebug("received checksum type=%d size=%d ", +- key_pack->asChecksum.checksum_type, +- key_pack->asChecksum.length); +- print_buffer(key_pack->asChecksum.contents, +- key_pack->asChecksum.length); +- pkiDebug("expected checksum type=%d size=%d ", +- cksum.checksum_type, cksum.length); +- print_buffer(cksum.contents, cksum.length); +-#endif +- goto cleanup; +- } else +- pkiDebug("checksums match\n"); +- +- krb5_copy_keyblock_contents(context, &key_pack->replyKey, +- key_block); +- TRACE_PKINIT_CLIENT_REP_RSA_KEY(context, key_block, &cksum); +- +- break; +- default: +- pkiDebug("unknow as_rep type %d\n", kdc_reply->choice); +- goto cleanup; ++ TRACE_PKINIT_CLIENT_KDF_OS2K(context, key_block); + } + + retval = 0; +@@ -1286,7 +1192,6 @@ pkinit_client_req_init(krb5_context context, + + reqctx->opts->require_eku = plgctx->opts->require_eku; + reqctx->opts->accept_secondary_eku = plgctx->opts->accept_secondary_eku; +- reqctx->opts->dh_or_rsa = plgctx->opts->dh_or_rsa; + reqctx->opts->allow_upn = plgctx->opts->allow_upn; + reqctx->opts->require_crl_checking = plgctx->opts->require_crl_checking; + reqctx->opts->disable_freshness = plgctx->opts->disable_freshness; +@@ -1457,11 +1362,6 @@ handle_gic_opt(krb5_context context, + retval = add_string_to_array(context, &plgctx->idopts->anchors, value); + if (retval) + return retval; +- } else if (strcmp(attr, "flag_RSA_PROTOCOL") == 0) { +- if (strcmp(value, "yes") == 0) { +- pkiDebug("Setting flag to use RSA_PROTOCOL\n"); +- plgctx->opts->dh_or_rsa = RSA_PROTOCOL; +- } + } else if (strcmp(attr, "disable_freshness") == 0) { + if (strcmp(value, "yes") == 0) + plgctx->opts->disable_freshness = 1; +diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h +index a291889b0d..f251e41064 100644 +--- a/src/plugins/preauth/pkinit/pkinit_crypto.h ++++ b/src/plugins/preauth/pkinit/pkinit_crypto.h +@@ -183,48 +183,6 @@ krb5_error_code cms_signeddata_verify + int *is_signed); /* OUT + receives whether message is signed */ + +-/* +- * this function creates a CMS message where eContentType is EnvelopedData +- */ +-krb5_error_code cms_envelopeddata_create +- (krb5_context context, /* IN */ +- pkinit_plg_crypto_context plg_cryptoctx, /* IN */ +- pkinit_req_crypto_context req_cryptoctx, /* IN */ +- pkinit_identity_crypto_context id_cryptoctx, /* IN */ +- krb5_preauthtype pa_type, /* IN */ +- int include_certchain, /* IN +- specifies whether the certificates field in +- SignedData should contain certificate path */ +- unsigned char *key_pack, /* IN +- contains DER encoded ReplyKeyPack */ +- unsigned int key_pack_len, /* IN +- contains length of key_pack */ +- unsigned char **envel_data, /* OUT +- receives DER encoded encKeyPack */ +- unsigned int *envel_data_len); /* OUT +- receives length of envel_data */ +- +-/* +- * this function creates a CMS message where eContentType is EnvelopedData +- */ +-krb5_error_code cms_envelopeddata_verify +- (krb5_context context, /* IN */ +- pkinit_plg_crypto_context plg_cryptoctx, /* IN */ +- pkinit_req_crypto_context req_cryptoctx, /* IN */ +- pkinit_identity_crypto_context id_cryptoctx, /* IN */ +- krb5_preauthtype pa_type, /* IN */ +- int require_crl_checking, /* IN +- specifies whether CRL checking should be +- strictly enforced */ +- unsigned char *envel_data, /* IN +- contains DER encoded encKeyPack */ +- unsigned int envel_data_len, /* IN +- contains length of envel_data */ +- unsigned char **signed_data, /* OUT +- receives ReplyKeyPack */ +- unsigned int *signed_data_len); /* OUT +- receives length of signed_data */ +- + /* + * This function retrieves the signer's identity, in a form that could + * be passed back in to a future invocation of this module as a candidate +diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +index 32291e3ac0..76ad7526bb 100644 +--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c ++++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +@@ -71,26 +71,14 @@ static krb5_error_code create_signature + (unsigned char **, unsigned int *, unsigned char *, unsigned int, + EVP_PKEY *pkey); + +-static krb5_error_code pkinit_decode_data +-(krb5_context context, pkinit_identity_crypto_context cryptoctx, +- const uint8_t *data, unsigned int data_len, uint8_t **decoded, +- unsigned int *decoded_len); +- + #ifdef DEBUG_DH + static void print_dh(DH *, char *); + static void print_pubkey(BIGNUM *, char *); + #endif + +-static int prepare_enc_data +-(const uint8_t *indata, int indata_len, uint8_t **outdata, int *outdata_len); +- + static int openssl_callback (int, X509_STORE_CTX *); + static int openssl_callback_ignore_crls (int, X509_STORE_CTX *); + +-static int pkcs7_decrypt +-(krb5_context context, pkinit_identity_crypto_context id_cryptoctx, PKCS7 *p7, +- unsigned char **data_out, unsigned int *len_out); +- + static ASN1_OBJECT * pkinit_pkcs7type2oid + (pkinit_plg_crypto_context plg_cryptoctx, int pkcs7_type); + +@@ -111,31 +99,17 @@ static krb5_error_code pkinit_open_session + (krb5_context context, pkinit_identity_crypto_context id_cryptoctx); + static void * pkinit_C_LoadModule(const char *modname, CK_FUNCTION_LIST_PTR_PTR p11p); + static CK_RV pkinit_C_UnloadModule(void *handle); +-#ifdef SILLYDECRYPT +-CK_RV pkinit_C_Decrypt +-(pkinit_identity_crypto_context id_cryptoctx, +- CK_BYTE_PTR pEncryptedData, CK_ULONG ulEncryptedDataLen, +- CK_BYTE_PTR pData, CK_ULONG_PTR pulDataLen); +-#endif + + static krb5_error_code pkinit_sign_data_pkcs11 + (krb5_context context, pkinit_identity_crypto_context id_cryptoctx, + unsigned char *data, unsigned int data_len, + unsigned char **sig, unsigned int *sig_len); +-static krb5_error_code pkinit_decode_data_pkcs11 +-(krb5_context context, pkinit_identity_crypto_context id_cryptoctx, +- const uint8_t *data, unsigned int data_len, uint8_t **decoded_data, +- unsigned int *decoded_data_len); + #endif /* WITHOUT_PKCS11 */ + + static krb5_error_code pkinit_sign_data_fs + (krb5_context context, pkinit_identity_crypto_context id_cryptoctx, + unsigned char *data, unsigned int data_len, + unsigned char **sig, unsigned int *sig_len); +-static krb5_error_code pkinit_decode_data_fs +-(krb5_context context, pkinit_identity_crypto_context id_cryptoctx, +- const uint8_t *data, unsigned int data_len, uint8_t **decoded_data, +- unsigned int *decoded_data_len); + + static krb5_error_code + create_krb5_invalidCertificates(krb5_context context, +@@ -147,9 +121,6 @@ create_krb5_invalidCertificates(krb5_context context, + static krb5_error_code + create_identifiers_from_stack(STACK_OF(X509) *sk, + krb5_external_principal_identifier *** ids); +-static int +-wrap_signeddata(unsigned char *data, unsigned int data_len, +- unsigned char **out, unsigned int *out_len); + + static char * + pkinit_pkcs11_code_to_text(int err); +@@ -1791,176 +1762,6 @@ cleanup: + return retval; + } + +-krb5_error_code +-cms_envelopeddata_create(krb5_context context, +- pkinit_plg_crypto_context plgctx, +- pkinit_req_crypto_context reqctx, +- pkinit_identity_crypto_context idctx, +- krb5_preauthtype pa_type, +- int include_certchain, +- unsigned char *key_pack, +- unsigned int key_pack_len, +- unsigned char **out, +- unsigned int *out_len) +-{ +- +- krb5_error_code retval = ENOMEM; +- PKCS7 *p7 = NULL; +- BIO *in = NULL; +- unsigned char *p = NULL, *signed_data = NULL, *enc_data = NULL; +- int signed_data_len = 0, enc_data_len = 0, flags = PKCS7_BINARY; +- STACK_OF(X509) *encerts = NULL; +- const EVP_CIPHER *cipher = NULL; +- +- retval = cms_signeddata_create(context, plgctx, reqctx, idctx, +- CMS_ENVEL_SERVER, include_certchain, +- key_pack, key_pack_len, &signed_data, +- (unsigned int *)&signed_data_len); +- if (retval) { +- pkiDebug("failed to create pkcs7 signed data\n"); +- goto cleanup; +- } +- +- /* check we have client's certificate */ +- if (reqctx->received_cert == NULL) { +- retval = KRB5KDC_ERR_PREAUTH_FAILED; +- goto cleanup; +- } +- encerts = sk_X509_new_null(); +- sk_X509_push(encerts, reqctx->received_cert); +- +- cipher = EVP_des_ede3_cbc(); +- in = BIO_new(BIO_s_mem()); +- prepare_enc_data(signed_data, signed_data_len, &enc_data, +- &enc_data_len); +- retval = BIO_write(in, enc_data, enc_data_len); +- if (retval != enc_data_len) { +- pkiDebug("BIO_write only wrote %d\n", retval); +- goto cleanup; +- } +- +- p7 = PKCS7_encrypt(encerts, in, cipher, flags); +- if (p7 == NULL) { +- retval = oerr(context, 0, _("Failed to encrypt PKCS7 object")); +- goto cleanup; +- } +- p7->d.enveloped->enc_data->content_type = OBJ_nid2obj(NID_pkcs7_signed); +- +- *out_len = i2d_PKCS7(p7, NULL); +- if (!*out_len || (p = *out = malloc(*out_len)) == NULL) { +- retval = ENOMEM; +- goto cleanup; +- } +- retval = i2d_PKCS7(p7, &p); +- if (!retval) { +- retval = oerr(context, 0, _("Failed to DER encode PKCS7")); +- goto cleanup; +- } +- retval = 0; +- +-#ifdef DEBUG_ASN1 +- print_buffer_bin(*out, *out_len, "/tmp/kdc_enveloped_data"); +-#endif +- +-cleanup: +- if (p7 != NULL) +- PKCS7_free(p7); +- if (in != NULL) +- BIO_free(in); +- free(signed_data); +- free(enc_data); +- if (encerts != NULL) +- sk_X509_free(encerts); +- +- return retval; +-} +- +-krb5_error_code +-cms_envelopeddata_verify(krb5_context context, +- pkinit_plg_crypto_context plg_cryptoctx, +- pkinit_req_crypto_context req_cryptoctx, +- pkinit_identity_crypto_context id_cryptoctx, +- krb5_preauthtype pa_type, +- int require_crl_checking, +- unsigned char *enveloped_data, +- unsigned int enveloped_data_len, +- unsigned char **data, +- unsigned int *data_len) +-{ +- krb5_error_code retval = KRB5KDC_ERR_PREAUTH_FAILED; +- PKCS7 *p7 = NULL; +- const unsigned char *p = enveloped_data; +- unsigned int tmp_buf_len = 0, tmp_buf2_len = 0, vfy_buf_len = 0; +- unsigned char *tmp_buf = NULL, *tmp_buf2 = NULL, *vfy_buf = NULL; +- +-#ifdef DEBUG_ASN1 +- print_buffer_bin(enveloped_data, enveloped_data_len, +- "/tmp/client_envelopeddata"); +-#endif +- /* decode received PKCS7 message */ +- if ((p7 = d2i_PKCS7(NULL, &p, (int)enveloped_data_len)) == NULL) { +- retval = oerr(context, 0, _("Failed to decode PKCS7")); +- goto cleanup; +- } +- +- /* verify that the received message is PKCS7 EnvelopedData message */ +- if (OBJ_obj2nid(p7->type) != NID_pkcs7_enveloped) { +- pkiDebug("Expected id-enveloped PKCS7 msg (received type = %d)\n", +- OBJ_obj2nid(p7->type)); +- krb5_set_error_message(context, retval, "wrong oid\n"); +- goto cleanup; +- } +- +- /* decrypt received PKCS7 message */ +- if (pkcs7_decrypt(context, id_cryptoctx, p7, &tmp_buf, &tmp_buf_len)) { +- pkiDebug("PKCS7 decryption successful\n"); +- } else { +- retval = oerr(context, 0, _("Failed to decrypt PKCS7 message")); +- goto cleanup; +- } +- +-#ifdef DEBUG_ASN1 +- print_buffer_bin(tmp_buf, tmp_buf_len, "/tmp/client_enc_keypack"); +-#endif +- /* verify PKCS7 SignedData message */ +- /* Wrap the signed data to make decoding easier in the verify routine. */ +- retval = wrap_signeddata(tmp_buf, tmp_buf_len, &tmp_buf2, &tmp_buf2_len); +- if (retval) { +- pkiDebug("failed to encode signeddata\n"); +- goto cleanup; +- } +- vfy_buf = tmp_buf2; +- vfy_buf_len = tmp_buf2_len; +- +-#ifdef DEBUG_ASN1 +- print_buffer_bin(vfy_buf, vfy_buf_len, "/tmp/client_enc_keypack2"); +-#endif +- +- retval = cms_signeddata_verify(context, plg_cryptoctx, req_cryptoctx, +- id_cryptoctx, CMS_ENVEL_SERVER, +- require_crl_checking, +- vfy_buf, vfy_buf_len, +- data, data_len, NULL, NULL, NULL); +- +- if (!retval) +- pkiDebug("PKCS7 Verification Success\n"); +- else { +- pkiDebug("PKCS7 Verification Failure\n"); +- goto cleanup; +- } +- +- retval = 0; +- +-cleanup: +- +- if (p7 != NULL) +- PKCS7_free(p7); +- free(tmp_buf); +- free(tmp_buf2); +- +- return retval; +-} +- + static krb5_error_code + crypto_retrieve_X509_sans(krb5_context context, + pkinit_plg_crypto_context plgctx, +@@ -3539,70 +3340,6 @@ pkinit_pkcs7type2oid(pkinit_plg_crypto_context cryptoctx, int pkcs7_type) + + } + +-static int +-wrap_signeddata(unsigned char *data, unsigned int data_len, +- unsigned char **out, unsigned int *out_len) +-{ +- +- unsigned int orig_len = 0, oid_len = 0, tot_len = 0; +- ASN1_OBJECT *oid = NULL; +- unsigned char *p = NULL; +- +- /* Get length to wrap the original data with SEQUENCE tag */ +- tot_len = orig_len = ASN1_object_size(1, (int)data_len, V_ASN1_SEQUENCE); +- +- /* Add the signedData OID and adjust lengths */ +- oid = OBJ_nid2obj(NID_pkcs7_signed); +- oid_len = i2d_ASN1_OBJECT(oid, NULL); +- +- tot_len = ASN1_object_size(1, (int)(orig_len+oid_len), V_ASN1_SEQUENCE); +- +- p = *out = malloc(tot_len); +- if (p == NULL) return -1; +- +- ASN1_put_object(&p, 1, (int)(orig_len+oid_len), +- V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL); +- +- i2d_ASN1_OBJECT(oid, &p); +- +- ASN1_put_object(&p, 1, (int)data_len, 0, V_ASN1_CONTEXT_SPECIFIC); +- memcpy(p, data, data_len); +- +- *out_len = tot_len; +- +- return 0; +-} +- +-static int +-prepare_enc_data(const uint8_t *indata, int indata_len, uint8_t **outdata, +- int *outdata_len) +-{ +- int tag, class; +- long tlen, slen; +- const uint8_t *p = indata, *oldp; +- +- if (ASN1_get_object(&p, &slen, &tag, &class, indata_len) & 0x80) +- return EINVAL; +- if (tag != V_ASN1_SEQUENCE) +- return EINVAL; +- +- oldp = p; +- if (ASN1_get_object(&p, &tlen, &tag, &class, slen) & 0x80) +- return EINVAL; +- p += tlen; +- slen -= (p - oldp); +- +- if (ASN1_get_object(&p, &tlen, &tag, &class, slen) & 0x80) +- return EINVAL; +- +- *outdata = malloc(tlen); +- if (*outdata == NULL) +- return ENOMEM; +- memcpy(*outdata, p, tlen); +- *outdata_len = tlen; +- return 0; +-} +- + #ifndef WITHOUT_PKCS11 + static void * + pkinit_C_LoadModule(const char *modname, CK_FUNCTION_LIST_PTR_PTR p11p) +@@ -3894,148 +3631,6 @@ pkinit_find_private_key(pkinit_identity_crypto_context id_cryptoctx, + } + #endif + +-static krb5_error_code +-pkinit_decode_data_fs(krb5_context context, +- pkinit_identity_crypto_context id_cryptoctx, +- const uint8_t *data, unsigned int data_len, +- uint8_t **decoded_data, unsigned int *decoded_data_len) +-{ +- X509 *cert = sk_X509_value(id_cryptoctx->my_certs, +- id_cryptoctx->cert_index); +- EVP_PKEY *pkey = id_cryptoctx->my_key; +- uint8_t *buf; +- int buf_len, decrypt_len; +- +- *decoded_data = NULL; +- *decoded_data_len = 0; +- +- if (cert != NULL && !X509_check_private_key(cert, pkey)) { +- pkiDebug("private key does not match certificate\n"); +- return KRB5KDC_ERR_PREAUTH_FAILED; +- } +- +- buf_len = EVP_PKEY_size(pkey); +- buf = malloc(buf_len + 10); +- if (buf == NULL) +- return KRB5KDC_ERR_PREAUTH_FAILED; +- +- decrypt_len = EVP_PKEY_decrypt_old(buf, data, data_len, pkey); +- if (decrypt_len <= 0) { +- pkiDebug("unable to decrypt received data (len=%d)\n", data_len); +- free(buf); +- return KRB5KDC_ERR_PREAUTH_FAILED; +- } +- +- *decoded_data = buf; +- *decoded_data_len = decrypt_len; +- return 0; +-} +- +-#ifndef WITHOUT_PKCS11 +-/* +- * When using the ActivCard Linux pkcs11 library (v2.0.1), the decrypt function +- * fails. By inserting an extra function call, which serves nothing but to +- * change the stack, we were able to work around the issue. If the ActivCard +- * library is fixed in the future, this function can be inlined back into the +- * caller. +- */ +-static CK_RV +-pkinit_C_Decrypt(pkinit_identity_crypto_context id_cryptoctx, +- CK_BYTE_PTR pEncryptedData, +- CK_ULONG ulEncryptedDataLen, +- CK_BYTE_PTR pData, +- CK_ULONG_PTR pulDataLen) +-{ +- CK_RV rv = CKR_OK; +- +- rv = id_cryptoctx->p11->C_Decrypt(id_cryptoctx->session, pEncryptedData, +- ulEncryptedDataLen, pData, pulDataLen); +- if (rv == CKR_OK) { +- pkiDebug("pData %p *pulDataLen %d\n", (void *) pData, +- (int) *pulDataLen); +- } +- return rv; +-} +- +-static krb5_error_code +-pkinit_decode_data_pkcs11(krb5_context context, +- pkinit_identity_crypto_context id_cryptoctx, +- const uint8_t *data, unsigned int data_len, +- uint8_t **decoded_data, +- unsigned int *decoded_data_len) +-{ +- CK_OBJECT_HANDLE obj; +- CK_ULONG len; +- CK_MECHANISM mech; +- uint8_t *cp; +- int r; +- +- *decoded_data = NULL; +- *decoded_data_len = 0; +- +- if (pkinit_open_session(context, id_cryptoctx)) { +- pkiDebug("can't open pkcs11 session\n"); +- return KRB5KDC_ERR_PREAUTH_FAILED; +- } +- +- pkinit_find_private_key(id_cryptoctx, CKA_DECRYPT, &obj); +- +- mech.mechanism = CKM_RSA_PKCS; +- mech.pParameter = NULL; +- mech.ulParameterLen = 0; +- +- if ((r = id_cryptoctx->p11->C_DecryptInit(id_cryptoctx->session, &mech, +- obj)) != CKR_OK) { +- pkiDebug("C_DecryptInit: 0x%x\n", (int) r); +- return KRB5KDC_ERR_PREAUTH_FAILED; +- } +- pkiDebug("data_len = %d\n", data_len); +- cp = malloc((size_t) data_len); +- if (cp == NULL) +- return ENOMEM; +- len = data_len; +- pkiDebug("session %p edata %p edata_len %d data %p datalen @%p %d\n", +- (void *) id_cryptoctx->session, (void *) data, (int) data_len, +- (void *) cp, (void *) &len, (int) len); +- r = pkinit_C_Decrypt(id_cryptoctx, (CK_BYTE_PTR) data, (CK_ULONG) data_len, +- cp, &len); +- if (r != CKR_OK) { +- pkiDebug("C_Decrypt: %s\n", pkinit_pkcs11_code_to_text(r)); +- if (r == CKR_BUFFER_TOO_SMALL) +- pkiDebug("decrypt %d needs %d\n", (int) data_len, (int) len); +- return KRB5KDC_ERR_PREAUTH_FAILED; +- } +- pkiDebug("decrypt %d -> %d\n", (int) data_len, (int) len); +- *decoded_data_len = len; +- *decoded_data = cp; +- +- return 0; +-} +-#endif +- +-krb5_error_code +-pkinit_decode_data(krb5_context context, +- pkinit_identity_crypto_context id_cryptoctx, +- const uint8_t *data, unsigned int data_len, +- uint8_t **decoded_data, unsigned int *decoded_data_len) +-{ +- krb5_error_code retval = KRB5KDC_ERR_PREAUTH_FAILED; +- +- *decoded_data = NULL; +- *decoded_data_len = 0; +- +- if (id_cryptoctx->pkcs11_method != 1) +- retval = pkinit_decode_data_fs(context, id_cryptoctx, data, data_len, +- decoded_data, decoded_data_len); +-#ifndef WITHOUT_PKCS11 +- else +- retval = pkinit_decode_data_pkcs11(context, id_cryptoctx, data, +- data_len, decoded_data, decoded_data_len); +-#endif +- +- return retval; +-} +- + static krb5_error_code + pkinit_sign_data_fs(krb5_context context, + pkinit_identity_crypto_context id_cryptoctx, +@@ -5683,88 +5278,6 @@ cleanup: + return retval; + } + +-/* Originally based on OpenSSL's PKCS7_dataDecode(), now modified to remove the +- * use of BIO objects and to fit the PKINIT internal interfaces. */ +-static int +-pkcs7_decrypt(krb5_context context, +- pkinit_identity_crypto_context id_cryptoctx, PKCS7 *p7, +- unsigned char **data_out, unsigned int *len_out) +-{ +- krb5_error_code ret; +- int ok = 0, plaintext_len = 0, final_len; +- unsigned int keylen = 0, eklen = 0, blocksize; +- unsigned char *ek = NULL, *tkey = NULL, *plaintext = NULL, *use_key; +- ASN1_OCTET_STRING *data_body = p7->d.enveloped->enc_data->enc_data; +- const EVP_CIPHER *evp_cipher; +- EVP_CIPHER_CTX *evp_ctx = NULL; +- X509_ALGOR *enc_alg = p7->d.enveloped->enc_data->algorithm; +- STACK_OF(PKCS7_RECIP_INFO) *rsk = p7->d.enveloped->recipientinfo; +- PKCS7_RECIP_INFO *ri = NULL; +- +- *data_out = NULL; +- *len_out = 0; +- +- p7->state = PKCS7_S_HEADER; +- +- /* RFC 4556 section 3.2.3.2 requires that there be exactly one +- * recipientInfo. */ +- if (sk_PKCS7_RECIP_INFO_num(rsk) != 1) { +- pkiDebug("invalid number of EnvelopedData RecipientInfos\n"); +- return 0; +- } +- ri = sk_PKCS7_RECIP_INFO_value(rsk, 0); +- +- evp_cipher = EVP_get_cipherbyobj(enc_alg->algorithm); +- if (evp_cipher == NULL) +- goto cleanup; +- keylen = EVP_CIPHER_key_length(evp_cipher); +- blocksize = EVP_CIPHER_block_size(evp_cipher); +- +- evp_ctx = EVP_CIPHER_CTX_new(); +- if (evp_ctx == NULL) +- goto cleanup; +- if (!EVP_DecryptInit(evp_ctx, evp_cipher, NULL, NULL) || +- EVP_CIPHER_asn1_to_param(evp_ctx, enc_alg->parameter) <= 0) +- goto cleanup; +- +- /* Generate a random symmetric key to avoid exposing timing data if RSA +- * decryption fails the padding check. */ +- tkey = malloc(keylen); +- if (tkey == NULL || !EVP_CIPHER_CTX_rand_key(evp_ctx, tkey)) +- goto cleanup; +- +- /* Decrypt the secret key with the private key. */ +- ret = pkinit_decode_data(context, id_cryptoctx, +- ASN1_STRING_get0_data(ri->enc_key), +- ASN1_STRING_length(ri->enc_key), &ek, &eklen); +- use_key = (ret || eklen != keylen) ? tkey : ek; +- +- /* Allocate a plaintext buffer and decrypt data_body into it. */ +- plaintext = malloc(data_body->length + blocksize); +- if (plaintext == NULL) +- goto cleanup; +- if (!EVP_DecryptInit(evp_ctx, NULL, use_key, NULL)) +- goto cleanup; +- if (!EVP_DecryptUpdate(evp_ctx, plaintext, &plaintext_len, +- data_body->data, data_body->length)) +- goto cleanup; +- if (!EVP_DecryptFinal(evp_ctx, plaintext + plaintext_len, &final_len)) +- goto cleanup; +- plaintext_len += final_len; +- +- *len_out = plaintext_len; +- *data_out = plaintext; +- plaintext = NULL; +- ok = 1; +- +-cleanup: +- EVP_CIPHER_CTX_free(evp_ctx); +- zapfree(plaintext, plaintext_len); +- zapfree(ek, eklen); +- zapfree(tkey, keylen); +- return ok; +-} +- + #ifdef DEBUG_DH + static void + print_dh(DH * dh, char *msg) +diff --git a/src/plugins/preauth/pkinit/pkinit_lib.c b/src/plugins/preauth/pkinit/pkinit_lib.c +index bb2916bd5d..7af880bf5c 100644 +--- a/src/plugins/preauth/pkinit/pkinit_lib.c ++++ b/src/plugins/preauth/pkinit/pkinit_lib.c +@@ -50,7 +50,6 @@ pkinit_init_req_opts(pkinit_req_opts **reqopts) + opts->require_eku = 1; + opts->accept_secondary_eku = 0; + opts->allow_upn = 0; +- opts->dh_or_rsa = DH_PROTOCOL; + opts->require_crl_checking = 0; + opts->dh_size = PKINIT_DEFAULT_DH_MIN_BITS; + +@@ -79,7 +78,6 @@ pkinit_init_plg_opts(pkinit_plg_opts **plgopts) + + opts->require_eku = 1; + opts->accept_secondary_eku = 0; +- opts->dh_or_rsa = DH_PROTOCOL; + opts->allow_upn = 0; + opts->require_crl_checking = 0; + opts->require_freshness = 0; +diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c +index 3bff456f8f..4eab5a2761 100644 +--- a/src/plugins/preauth/pkinit/pkinit_srv.c ++++ b/src/plugins/preauth/pkinit/pkinit_srv.c +@@ -826,133 +826,62 @@ pkinit_server_return_padata(krb5_context context, + retval = ENOMEM; + goto cleanup; + } +- /* let's assume it's RSA. we'll reset it to DH if needed */ +- rep->choice = choice_pa_pk_as_rep_encKeyPack; + +- if (reqctx->rcv_auth_pack != NULL && +- reqctx->rcv_auth_pack->clientPublicValue != NULL) { +- subjectPublicKey = (unsigned char *) +- reqctx->rcv_auth_pack->clientPublicValue->subjectPublicKey.data; +- subjectPublicKey_len = +- reqctx->rcv_auth_pack->clientPublicValue->subjectPublicKey.length; +- rep->choice = choice_pa_pk_as_rep_dhInfo; +- +- pkiDebug("received DH key delivery AS REQ\n"); +- retval = server_process_dh(context, plgctx->cryptoctx, +- reqctx->cryptoctx, plgctx->idctx, subjectPublicKey, +- subjectPublicKey_len, &dh_pubkey, &dh_pubkey_len, +- &server_key, &server_key_len); +- if (retval) { +- pkiDebug("failed to process/create dh parameters\n"); +- goto cleanup; +- } ++ if (reqctx->rcv_auth_pack == NULL || ++ reqctx->rcv_auth_pack->clientPublicValue == NULL) { ++ retval = KRB5KDC_ERR_PREAUTH_FAILED; ++ k5_setmsg(context, retval, _("Unsupported PKINIT RSA request")); ++ goto cleanup; ++ } + +- /* +- * This is DH, so don't generate the key until after we +- * encode the reply, because the encoded reply is needed +- * to generate the key in some cases. +- */ ++ subjectPublicKey = (unsigned char *) ++ reqctx->rcv_auth_pack->clientPublicValue->subjectPublicKey.data; ++ subjectPublicKey_len = ++ reqctx->rcv_auth_pack->clientPublicValue->subjectPublicKey.length; ++ rep->choice = choice_pa_pk_as_rep_dhInfo; ++ ++ pkiDebug("received DH key delivery AS REQ\n"); ++ retval = server_process_dh(context, plgctx->cryptoctx, reqctx->cryptoctx, ++ plgctx->idctx, subjectPublicKey, ++ subjectPublicKey_len, &dh_pubkey, &dh_pubkey_len, ++ &server_key, &server_key_len); ++ if (retval) { ++ pkiDebug("failed to process/create dh parameters\n"); ++ goto cleanup; ++ } + +- dhkey_info.subjectPublicKey.length = dh_pubkey_len; +- dhkey_info.subjectPublicKey.data = (char *)dh_pubkey; +- dhkey_info.nonce = request->nonce; +- dhkey_info.dhKeyExpiration = 0; ++ dhkey_info.subjectPublicKey.length = dh_pubkey_len; ++ dhkey_info.subjectPublicKey.data = (char *)dh_pubkey; ++ dhkey_info.nonce = request->nonce; ++ dhkey_info.dhKeyExpiration = 0; + +- retval = k5int_encode_krb5_kdc_dh_key_info(&dhkey_info, +- &encoded_dhkey_info); +- if (retval) { +- pkiDebug("encode_krb5_kdc_dh_key_info failed\n"); +- goto cleanup; +- } ++ retval = k5int_encode_krb5_kdc_dh_key_info(&dhkey_info, ++ &encoded_dhkey_info); ++ if (retval) { ++ pkiDebug("encode_krb5_kdc_dh_key_info failed\n"); ++ goto cleanup; ++ } + #ifdef DEBUG_ASN1 +- print_buffer_bin((unsigned char *)encoded_dhkey_info->data, +- encoded_dhkey_info->length, +- "/tmp/kdc_dh_key_info"); ++ print_buffer_bin((unsigned char *)encoded_dhkey_info->data, ++ encoded_dhkey_info->length, "/tmp/kdc_dh_key_info"); + #endif + +- retval = cms_signeddata_create(context, plgctx->cryptoctx, +- reqctx->cryptoctx, plgctx->idctx, +- CMS_SIGN_SERVER, 1, +- (unsigned char *) +- encoded_dhkey_info->data, +- encoded_dhkey_info->length, +- (unsigned char **) +- &rep->u.dh_Info.dhSignedData.data, +- &rep->u.dh_Info.dhSignedData.length); +- if (retval) { +- pkiDebug("failed to create pkcs7 signed data\n"); +- goto cleanup; +- } +- +- } else { +- pkiDebug("received RSA key delivery AS REQ\n"); +- +- retval = krb5_c_make_random_key(context, enctype, encrypting_key); +- if (retval) { +- pkiDebug("unable to make a session key\n"); +- goto cleanup; +- } +- +- init_krb5_reply_key_pack(&key_pack); +- if (key_pack == NULL) { +- retval = ENOMEM; +- goto cleanup; +- } +- +- retval = krb5_c_make_checksum(context, 0, encrypting_key, +- KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM, +- req_pkt, &key_pack->asChecksum); +- if (retval) { +- pkiDebug("unable to calculate AS REQ checksum\n"); +- goto cleanup; +- } +-#ifdef DEBUG_CKSUM +- pkiDebug("calculating checksum on buf size = %d\n", req_pkt->length); +- print_buffer(req_pkt->data, req_pkt->length); +- pkiDebug("checksum size = %d\n", key_pack->asChecksum.length); +- print_buffer(key_pack->asChecksum.contents, +- key_pack->asChecksum.length); +- pkiDebug("encrypting key (%d)\n", encrypting_key->length); +- print_buffer(encrypting_key->contents, encrypting_key->length); +-#endif +- +- krb5_copy_keyblock_contents(context, encrypting_key, +- &key_pack->replyKey); +- +- retval = k5int_encode_krb5_reply_key_pack(key_pack, +- &encoded_key_pack); +- if (retval) { +- pkiDebug("failed to encode reply_key_pack\n"); +- goto cleanup; +- } +- +- rep->choice = choice_pa_pk_as_rep_encKeyPack; +- retval = cms_envelopeddata_create(context, plgctx->cryptoctx, +- reqctx->cryptoctx, plgctx->idctx, +- padata->pa_type, 1, +- (unsigned char *) +- encoded_key_pack->data, +- encoded_key_pack->length, +- (unsigned char **) +- &rep->u.encKeyPack.data, +- &rep->u.encKeyPack.length); +- if (retval) { +- pkiDebug("failed to create pkcs7 enveloped data: %s\n", +- error_message(retval)); +- goto cleanup; +- } +-#ifdef DEBUG_ASN1 +- print_buffer_bin((unsigned char *)encoded_key_pack->data, +- encoded_key_pack->length, +- "/tmp/kdc_key_pack"); +- print_buffer_bin(rep->u.encKeyPack.data, rep->u.encKeyPack.length, +- "/tmp/kdc_enc_key_pack"); +-#endif ++ retval = cms_signeddata_create(context, plgctx->cryptoctx, ++ reqctx->cryptoctx, plgctx->idctx, ++ CMS_SIGN_SERVER, 1, ++ (unsigned char *) ++ encoded_dhkey_info->data, ++ encoded_dhkey_info->length, ++ (unsigned char **) ++ &rep->u.dh_Info.dhSignedData.data, ++ &rep->u.dh_Info.dhSignedData.length); ++ if (retval) { ++ pkiDebug("failed to create pkcs7 signed data\n"); ++ goto cleanup; + } + +- if (rep->choice == choice_pa_pk_as_rep_dhInfo && +- ((reqctx->rcv_auth_pack != NULL && +- reqctx->rcv_auth_pack->supportedKDFs != NULL))) { ++ if (reqctx->rcv_auth_pack != NULL && ++ reqctx->rcv_auth_pack->supportedKDFs != NULL) { + + /* If using the alg-agility KDF, put the algorithm in the reply + * before encoding it. +@@ -980,35 +909,29 @@ pkinit_server_return_padata(krb5_context context, + "/tmp/kdc_as_rep"); + #endif + +- /* If this is DH, we haven't computed the key yet, so do it now. */ +- if (rep->choice == choice_pa_pk_as_rep_dhInfo) { +- +- /* If mutually supported KDFs were found, use the algorithm agility +- * KDF. */ +- if (rep->u.dh_Info.kdfID) { +- secret.data = (char *)server_key; +- secret.length = server_key_len; ++ /* If mutually supported KDFs were found, use the algorithm agility KDF. */ ++ if (rep->u.dh_Info.kdfID) { ++ secret.data = (char *)server_key; ++ secret.length = server_key_len; + +- retval = pkinit_alg_agility_kdf(context, &secret, +- rep->u.dh_Info.kdfID, +- request->client, request->server, +- enctype, req_pkt, out_data, +- encrypting_key); +- if (retval) { +- pkiDebug("pkinit_alg_agility_kdf failed: %s\n", +- error_message(retval)); +- goto cleanup; +- } ++ retval = pkinit_alg_agility_kdf(context, &secret, rep->u.dh_Info.kdfID, ++ request->client, request->server, ++ enctype, req_pkt, out_data, ++ encrypting_key); ++ if (retval) { ++ pkiDebug("pkinit_alg_agility_kdf failed: %s\n", ++ error_message(retval)); ++ goto cleanup; ++ } + +- /* Otherwise, use the older octetstring2key() function */ +- } else { +- retval = pkinit_octetstring2key(context, enctype, server_key, +- server_key_len, encrypting_key); +- if (retval) { +- pkiDebug("pkinit_octetstring2key failed: %s\n", +- error_message(retval)); +- goto cleanup; +- } ++ /* Otherwise, use the older octetstring2key() function */ ++ } else { ++ retval = pkinit_octetstring2key(context, enctype, server_key, ++ server_key_len, encrypting_key); ++ if (retval) { ++ pkiDebug("pkinit_octetstring2key failed: %s\n", ++ error_message(retval)); ++ goto cleanup; + } + } + +diff --git a/src/plugins/preauth/pkinit/pkinit_trace.h b/src/plugins/preauth/pkinit/pkinit_trace.h +index bba3226bda..4f80e0b9b6 100644 +--- a/src/plugins/preauth/pkinit/pkinit_trace.h ++++ b/src/plugins/preauth/pkinit/pkinit_trace.h +@@ -58,19 +58,10 @@ + TRACE(c, "PKINIT client verified DH reply") + #define TRACE_PKINIT_CLIENT_REP_DH_FAIL(c) \ + TRACE(c, "PKINIT client could not verify DH reply") +-#define TRACE_PKINIT_CLIENT_REP_RSA(c) \ +- TRACE(c, "PKINIT client verified RSA reply") +-#define TRACE_PKINIT_CLIENT_REP_RSA_KEY(c, keyblock, cksum) \ +- TRACE(c, "PKINIT client retrieved reply key {keyblock} from RSA " \ +- "reply (checksum {cksum})", keyblock, cksum) +-#define TRACE_PKINIT_CLIENT_REP_RSA_FAIL(c) \ +- TRACE(c, "PKINIT client could not verify RSA reply") + #define TRACE_PKINIT_CLIENT_REQ_CHECKSUM(c, cksum) \ + TRACE(c, "PKINIT client computed kdc-req-body checksum {cksum}", cksum) + #define TRACE_PKINIT_CLIENT_REQ_DH(c) \ + TRACE(c, "PKINIT client making DH request") +-#define TRACE_PKINIT_CLIENT_REQ_RSA(c) \ +- TRACE(c, "PKINIT client making RSA request") + #define TRACE_PKINIT_CLIENT_SAN_CONFIG_DNSNAME(c, host) \ + TRACE(c, "PKINIT client config accepts KDC dNSName SAN {str}", host) + #define TRACE_PKINIT_CLIENT_SAN_MATCH_DNSNAME(c, host) \ +diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py +index f224383c81..e8b7b4d207 100755 +--- a/src/tests/t_pkinit.py ++++ b/src/tests/t_pkinit.py +@@ -183,15 +183,6 @@ realm.kinit(realm.user_princ, + realm.klist(realm.user_princ) + realm.run([kvno, realm.host_princ]) + +-# Try again using RSA instead of DH. +-mark('FILE identity, no password, RSA') +-realm.kinit(realm.user_princ, +- flags=['-X', 'X509_user_identity=%s' % file_identity, +- '-X', 'flag_RSA_PROTOCOL=yes'], +- expected_trace=('PKINIT client making RSA request', +- 'PKINIT client verified RSA reply')) +-realm.klist(realm.user_princ) +- + # Test a DH parameter renegotiation by temporarily setting a 4096-bit + # minimum on the KDC. (Preauth type 16 is PKINIT PA_PK_AS_REQ; + # 109 is PKINIT TD_DH_PARAMETERS; 133 is FAST PA-FX-COOKIE.) +diff --git a/src/windows/leash/htmlhelp/html/KINIT.htm b/src/windows/leash/htmlhelp/html/KINIT.htm +index eeee211a6e..46cb4a3ad8 100644 +--- a/src/windows/leash/htmlhelp/html/KINIT.htm ++++ b/src/windows/leash/htmlhelp/html/KINIT.htm +@@ -146,9 +146,6 @@ default credentials cache may vary between systems. If the KRB5CCNAME en + -S service_name + specify an alternate service name to use when getting initial + tickets. +- +- flag_RSA_PROTOCOL[=yes] +- specify use of RSA, rather than the default Diffie-Hellman protocol. + + +

ENVIRONMENT

+-- +2.46.0 + diff --git a/SPECS/krb5.spec b/SPECS/krb5.spec index b73d025..cd36cc3 100644 --- a/SPECS/krb5.spec +++ b/SPECS/krb5.spec @@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.18.2 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces) -Release: 29%{?dist} +Release: 30%{?dist} # lookaside-cached sources; two downloads and a build artifact Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz @@ -107,6 +107,8 @@ Patch161: Fix-two-unlikely-memory-leaks.patch Patch162: Fix-defcred-leak-in-krb5-gss_inquire_cred.patch Patch163: Add-a-simple-DER-support-header.patch Patch164: Fix-vulnerabilities-in-GSS-message-token-handling.patch +Patch165: Remove-PKINIT-RSA-support.patch +Patch166: Generate-and-verify-message-MACs-in-libkrad.patch License: MIT URL: http://web.mit.edu/kerberos/www/ @@ -717,6 +719,12 @@ exit 0 %{_libdir}/libkadm5srv_mit.so.* %changelog +* Thu Oct 17 2024 Julien Rische - 1.18.2-30 +- libkrad: implement support for Message-Authenticator (CVE-2024-3596) + Resolves: RHEL-50253 +- Remove RSA protocol for PKINIT + Resolves: RHEL-17616 + * Mon Jul 01 2024 Julien Rische - 1.18.2-29 - CVE-2024-37370 CVE-2024-37371 Fix vulnerabilities in GSS message token handling