From fe66536c1b7aec67233739df97cbe0301ee6475e Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 19 Nov 2019 15:03:19 -0500
Subject: [PATCH] krb5-1.17post2 DES/3DES fixups

Kept separate from the other patch because rawhide doesn't have DES.

post2 adds krb5kdf workarounds.
---
 src/lib/crypto/krb/derive.c                | 6 +++++-
 src/lib/crypto/openssl/enc_provider/des.c  | 9 +++++++++
 src/lib/crypto/openssl/enc_provider/des3.c | 6 ++++++
 3 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/src/lib/crypto/krb/derive.c b/src/lib/crypto/krb/derive.c
index 915a173dd..ebdab69bc 100644
--- a/src/lib/crypto/krb/derive.c
+++ b/src/lib/crypto/krb/derive.c
@@ -348,6 +348,7 @@ cleanup:
     zapfree(prf.data, blocksize);
     return ret;
 }
+#endif /* OSSL_KDFS */
 
 static krb5_error_code
 builtin_derive_random_rfc3961(const struct krb5_enc_provider *enc,
@@ -400,7 +401,6 @@ cleanup:
     zapfree(block.data, blocksize);
     return ret;
 }
-#endif /* OSSL_KDFS */
 
 krb5_error_code
 k5_sp800_108_counter_hmac(const struct krb5_hash_provider *hash,
@@ -432,6 +432,10 @@ k5_derive_random_rfc3961(const struct krb5_enc_provider *enc,
                          krb5_key inkey, krb5_data *outrnd,
                          const krb5_data *in_constant)
 {
+    /* DES (single and triple).  They'll be gone very soon. */
+    if (enc->keylength == 8 || enc->keylength == 24)
+        return builtin_derive_random_rfc3961(enc, inkey, outrnd, in_constant);
+
 #ifdef OSSL_KDFS
     return openssl_krb5kdf(enc, inkey, outrnd, in_constant);
 #else
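Review bot: The new dispatch at the top of k5_derive_random_rfc3961 recognises DES and 3DES only by `enc->keylength` being 8 or 24, so any other enc provider that happens to use one of those key sizes would also be diverted to the built-in KDF, and the added comment says nothing about why the diversion exists. A why-comment would record the intent, e.g. `/* DES (8-byte key) and 3DES (24-byte key) use the built-in RFC 3961 derivation; presumably the OpenSSL krb5kdf path does not support them -- confirm. */`, and if the enc provider carries a more direct identity than its key length, comparing that instead would be less fragile. This hunk also relies on the first derive.c hunk, which moves `#endif /* OSSL_KDFS */` so that the static builtin_derive_random_rfc3961 is compiled even when OSSL_KDFS is defined; applied alone, the unconditional call here would reference an undefined function. k5_derive_random_rfc3961's body continues past the end of the hunk.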
diff --git a/src/lib/crypto/openssl/enc_provider/des.c b/src/lib/crypto/openssl/enc_provider/des.c
index a662db512..7d17d287e 100644
--- a/src/lib/crypto/openssl/enc_provider/des.c
+++ b/src/lib/crypto/openssl/enc_provider/des.c
@@ -85,6 +85,9 @@ k5_des_encrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
     EVP_CIPHER_CTX *ctx;
     krb5_boolean empty;
 
+    if (FIPS_mode())
+        return KRB5_CRYPTO_INTERNAL;
+
     ret = validate(key, ivec, data, num_data, &empty);
     if (ret != 0 || empty)
         return ret;
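Review bot: The `FIPS_mode()` guard added to k5_des_encrypt reports a policy refusal as KRB5_CRYPTO_INTERNAL, which callers and logs cannot distinguish from a genuine cipher failure; the same guard with the same return value is repeated in k5_des_decrypt, k5_des_cbc_mac, k5_des3_encrypt and k5_des3_decrypt. A short comment at each site, e.g. `/* Presumably DES is not permitted under FIPS; refuse rather than fall back. */`, would record the intent, and a more specific krb5 error for a disabled enctype (KRB5_BAD_ENCTYPE looks like the candidate -- verify) would make the refusal diagnosable. `FIPS_mode()` is the OpenSSL 1.x API and is no longer available in OpenSSL 3, where the equivalent query is `EVP_default_properties_is_fips_enabled(NULL)`; since the check appears five times, a single static helper such as `static inline int des_fips_blocked(void)` would localise that portability concern. k5_des_encrypt's body continues beyond the hunk.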
@@ -133,6 +136,9 @@ k5_des_decrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
     EVP_CIPHER_CTX *ctx;
     krb5_boolean empty;
 
+    if (FIPS_mode())
+        return KRB5_CRYPTO_INTERNAL;
+
     ret = validate(key, ivec, data, num_data, &empty);
     if (ret != 0 || empty)
         return ret;
@@ -182,6 +188,9 @@ k5_des_cbc_mac(krb5_key key, const krb5_crypto_iov *data, size_t num_data,
     DES_key_schedule sched;
     krb5_boolean empty;
 
+    if (FIPS_mode())
+        return KRB5_CRYPTO_INTERNAL;
+
     ret = validate(key, ivec, data, num_data, &empty);
     if (ret != 0)
         return ret;
diff --git a/src/lib/crypto/openssl/enc_provider/des3.c b/src/lib/crypto/openssl/enc_provider/des3.c
index 1c439c2cd..8be555a8d 100644
--- a/src/lib/crypto/openssl/enc_provider/des3.c
+++ b/src/lib/crypto/openssl/enc_provider/des3.c
@@ -84,6 +84,9 @@ k5_des3_encrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
     EVP_CIPHER_CTX *ctx;
     krb5_boolean empty;
 
+    if (FIPS_mode())
+        return KRB5_CRYPTO_INTERNAL;
+
     ret = validate(key, ivec, data, num_data, &empty);
     if (ret != 0 || empty)
         return ret;
@@ -133,6 +136,9 @@ k5_des3_decrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
     EVP_CIPHER_CTX *ctx;
     krb5_boolean empty;
 
+    if (FIPS_mode())
+        return KRB5_CRYPTO_INTERNAL;
+
     ret = validate(key, ivec, data, num_data, &empty);
     if (ret != 0 || empty)
         return ret;