Blame SOURCES/Omit-PA_FOR_USER-if-we-can-t-compute-its-checksum.patch

d283c7
From 4c4c22639eb2794e563370a2ee48a34dbdddc639 Mon Sep 17 00:00:00 2001
d283c7
From: Isaac Boukris <iboukris@gmail.com>
d283c7
Date: Sat, 6 Jun 2020 11:03:37 +0200
d283c7
Subject: [PATCH] Omit PA_FOR_USER if we can't compute its checksum
d283c7
d283c7
OpenSSL in FIPS mode will refuse to perform hmac-md5.  Omit the legacy
d283c7
PA_FOR_USER element in this case rather than failing out.
d283c7
d283c7
[ghudson@mit.edu: minor code and comment edits; wrote commit message]
d283c7
d283c7
ticket: 8912 (new)
d283c7
(cherry picked from commit 03f122bdb22cfa53c7d855ed929c9541e56365e0)
d283c7
(cherry picked from commit 086de78292b8ae89aba8a72926831124da44205d)
d283c7
---
d283c7
 src/lib/krb5/krb/s4u_creds.c | 7 +++++++
d283c7
 1 file changed, 7 insertions(+)
d283c7
d283c7
diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c
d283c7
index fc5c886d6..d8f486dc6 100644
d283c7
--- a/src/lib/krb5/krb/s4u_creds.c
d283c7
+++ b/src/lib/krb5/krb/s4u_creds.c
d283c7
@@ -534,6 +534,13 @@ krb5_get_self_cred_from_kdc(krb5_context context,
d283c7
         if (s4u_user.user_id.user != NULL && s4u_user.user_id.user->length) {
d283c7
             code = build_pa_for_user(context, tgtptr, &s4u_user.user_id,
d283c7
                                      &in_padata[1]);
d283c7
+            /*
d283c7
+             * If we couldn't compute the hmac-md5 checksum, send only the
d283c7
+             * KRB5_PADATA_S4U_X509_USER; this will still work against modern
d283c7
+             * Windows and MIT KDCs.
d283c7
+             */
d283c7
+            if (code == KRB5_CRYPTO_INTERNAL)
d283c7
+                code = 0;
d283c7
             if (code != 0) {
d283c7
                 krb5_free_pa_data(context, in_padata);
d283c7
                 goto cleanup;