
Bug#1017999: marked as done (bullseye-pu: package krb5/1.18.3-6+deb11u2)



Your message dated Sat, 10 Sep 2022 13:36:19 +0100
with message-id <92fe43e7805e82e43100a6471ccbf91cd9a12944.camel@adam-barratt.org.uk>
and subject line Closing requests for updates in 11.5
has caused the Debian Bug report #1017999,
regarding bullseye-pu: package krb5/1.18.3-6+deb11u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1017999: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1017999
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]

RHEL9 deprecates SHA1 as a CMS digest algorithm.  Without this patch,
a bullseye client cannot perform (anonymous) pkinit to a RHEL9 KDC.
Pkinit is important enough that I'd like to see this fixed, but is not
so common that I'm worried about needing to do a huge cross-version
compatibility test before accepting the change.

That said, it looks like Red Hat has fairly thoroughly researched the
compatibility issues.  Accepting this patch into bullseye probably
breaks anonymous pkinit from jessie to a bullseye KDC because jessie is
too old to support SHA256 for all the pkinit uses.  Stretch should be
new enough.

This has been in unstable as part of krb5 1.20 for a while.  Companion
to the just submitted buster update.  The patch is slightly different
because I had to backport one of the changes and because bullseye uses
gbp pq while buster uses git-dpm.

[ Impact ]

Anonymous pkinit breaks against RHEL9 and probably bookworm+1.


[ Tests ]

I ran the automated pkinit tests and confirmed they have adequate coverage to test that I properly applied the patch.
I'm trusting Red Hat's analysis for the cross-version testing.
Based on knowledge of the people involved and the description of the analysis I think that is appropriate.


[ Risks ]

See above.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
(Explain *all* the changes)
diff --git a/debian/changelog b/debian/changelog
index 0be31136f4..d6eaa38262 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+krb5 (1.18.3-6+deb11u2) bullseye; urgency=medium
+
+  * Use SHA256 as Pkinit CMS Digest, Closes: #1017995
+
+
+ -- Sam Hartman <hartmans@debian.org>  Tue, 23 Aug 2022 14:49:09 -0600
+
 krb5 (1.18.3-6+deb11u1) bullseye; urgency=medium
 
   * Fix KDC null dereference crash on FAST request with no server field,
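Review bot: the new entry `+  * Use SHA256 as Pkinit CMS Digest, Closes: #1017995` records the fix but not its compatibility cost; since the request itself states that anonymous pkinit from jessie-era clients to an updated bullseye KDC will stop working, a stable-update changelog should say so (for example "clients older than stretch can no longer perform anonymous PKINIT against this KDC") and name the upstream origin (the backported patch header cites ticket 9055). Minor: the entry has two blank lines before the ` -- ` trailer where dch-generated entries use one.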
diff --git a/debian/patches/0013-Use-SHA-256-instead-of-SHA-1-for-PKINIT-CMS-digest.patch b/debian/patches/0013-Use-SHA-256-instead-of-SHA-1-for-PKINIT-CMS-digest.patch
new file mode 100644
index 0000000000..720bca3bc7
--- /dev/null
+++ b/debian/patches/0013-Use-SHA-256-instead-of-SHA-1-for-PKINIT-CMS-digest.patch
@@ -0,0 +1,119 @@
+From: Julien Rische <jrische@redhat.com>
+Date: Fri, 11 Mar 2022 12:04:14 +0100
+Subject: Use SHA-256 instead of SHA-1 for PKINIT CMS digest
+
+[ghudson@mit.edu: edited comments]
+
+ticket: 9055 (new)
+---
+ src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 40 ++++++++++++----------
+ 1 file changed, 22 insertions(+), 18 deletions(-)
+
+diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+index 8c7fd0c..4452d4e 100644
+--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
++++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+@@ -1227,7 +1227,7 @@ cms_signeddata_create(krb5_context context,
+         /* will not fill-out EVP_PKEY because it's on the smartcard */
+ 
+         /* Set digest algs */
+-        p7si->digest_alg->algorithm = OBJ_nid2obj(NID_sha1);
++        p7si->digest_alg->algorithm = OBJ_nid2obj(NID_sha256);
+ 
+         if (p7si->digest_alg->parameter != NULL)
+             ASN1_TYPE_free(p7si->digest_alg->parameter);
+@@ -1238,17 +1238,18 @@ cms_signeddata_create(krb5_context context,
+         /* Set sig algs */
+         if (p7si->digest_enc_alg->parameter != NULL)
+             ASN1_TYPE_free(p7si->digest_enc_alg->parameter);
+-        p7si->digest_enc_alg->algorithm = OBJ_nid2obj(NID_sha1WithRSAEncryption);
++        p7si->digest_enc_alg->algorithm =
++            OBJ_nid2obj(NID_sha256WithRSAEncryption);
+         if (!(p7si->digest_enc_alg->parameter = ASN1_TYPE_new()))
+             goto cleanup;
+         p7si->digest_enc_alg->parameter->type = V_ASN1_NULL;
+ 
+         /* add signed attributes */
+-        /* compute sha1 digest over the EncapsulatedContentInfo */
++        /* compute sha256 digest over the EncapsulatedContentInfo */
+         ctx = EVP_MD_CTX_new();
+         if (ctx == NULL)
+             goto cleanup;
+-        EVP_DigestInit_ex(ctx, EVP_sha1(), NULL);
++        EVP_DigestInit_ex(ctx, EVP_sha256(), NULL);
+         EVP_DigestUpdate(ctx, data, data_len);
+         md_tmp = EVP_MD_CTX_md(ctx);
+         EVP_DigestFinal_ex(ctx, md_data, &md_len);
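Review bot: with `EVP_DigestInit_ex(ctx, EVP_sha256(), NULL)`, the `EVP_DigestFinal_ex(ctx, md_data, &md_len)` call now writes 32 bytes instead of 20, and the declaration of `md_data` is outside this hunk; confirm it is sized EVP_MAX_MD_SIZE rather than SHA_DIGEST_LENGTH before accepting. The surrounding handling of `digest_alg->parameter` is untouched and remains correct for SHA-256, whose AlgorithmIdentifier parameters are NULL or absent in CMS (RFC 5754 requires receivers to accept both).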
+@@ -1276,12 +1277,14 @@ cms_signeddata_create(krb5_context context,
+             goto cleanup2;
+ 
+ #ifndef WITHOUT_PKCS11
+-        /* Some tokens can only do RSAEncryption without sha1 hash */
+-        /* to compute sha1WithRSAEncryption, encode the algorithm ID for the hash
+-         * function and the hash value into an ASN.1 value of type DigestInfo
+-         * DigestInfo::=SEQUENCE {
+-         *  digestAlgorithm  AlgorithmIdentifier,
+-         *  digest OCTET STRING }
++        /*
++         * Some tokens can only do RSAEncryption without a hash.  To compute
++         * sha256WithRSAEncryption, encode the algorithm ID for the hash
++         * function and the hash value into an ASN.1 value of type DigestInfo:
++         * DigestInfo ::= SEQUENCE {
++         *   digestAlgorithm  AlgorithmIdentifier,
++         *   digest  OCTET STRING
++         * }
+          */
+         if (id_cryptoctx->pkcs11_method == 1 &&
+             id_cryptoctx->mech == CKM_RSA_PKCS) {
+@@ -1297,7 +1300,7 @@ cms_signeddata_create(krb5_context context,
+             alg = X509_ALGOR_new();
+             if (alg == NULL)
+                 goto cleanup2;
+-            X509_ALGOR_set0(alg, OBJ_nid2obj(NID_sha1), V_ASN1_NULL, NULL);
++            X509_ALGOR_set0(alg, OBJ_nid2obj(NID_sha256), V_ASN1_NULL, NULL);
+             alg_len = i2d_X509_ALGOR(alg, NULL);
+ 
+             digest = ASN1_OCTET_STRING_new();
+@@ -1326,7 +1329,7 @@ cms_signeddata_create(krb5_context context,
+ #endif
+         {
+             pkiDebug("mech = %s\n",
+-                     id_cryptoctx->pkcs11_method == 1 ? "CKM_SHA1_RSA_PKCS" : "FS");
++                     id_cryptoctx->pkcs11_method == 1 ? "CKM_SHA256_RSA_PKCS" : "FS");
+             retval = pkinit_sign_data(context, id_cryptoctx, abuf, alen,
+                                       &sig, &sig_len);
+         }
+@@ -4094,7 +4097,7 @@ create_signature(unsigned char **sig, unsigned int *sig_len,
+     ctx = EVP_MD_CTX_new();
+     if (ctx == NULL)
+         return ENOMEM;
+-    EVP_SignInit(ctx, EVP_sha1());
++    EVP_SignInit(ctx, EVP_sha256());
+     EVP_SignUpdate(ctx, data, data_len);
+     *sig_len = EVP_PKEY_size(pkey);
+     if ((*sig = malloc(*sig_len)) == NULL)
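Review bot: `EVP_SignInit(ctx, EVP_sha256())` changes only the signing side, and the verification counterpart of create_signature is not in this diff; confirm that the verify path takes the digest algorithm from the received SignerInfo rather than hardcoding SHA-1, otherwise a bullseye KDC carrying this patch would reject signatures from its own updated clients. The `malloc(*sig_len)` sizing from `EVP_PKEY_size(pkey)` depends on the key, not the digest, so it needs no change.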
+@@ -4569,10 +4572,11 @@ pkinit_get_certs_pkcs11(krb5_context context,
+ 
+ #ifndef PKINIT_USE_MECH_LIST
+     /*
+-     * We'd like to use CKM_SHA1_RSA_PKCS for signing if it's available, but
+-     * many cards seems to be confused about whether they are capable of
+-     * this or not. The safe thing seems to be to ignore the mechanism list,
+-     * always use CKM_RSA_PKCS and calculate the sha1 digest ourselves.
++     * We'd like to use CKM_SHA256_RSA_PKCS for signing if it's available, but
++     * historically many cards seem to be confused about whether they are
++     * capable of mechanisms or not. The safe thing seems to be to ignore the
++     * mechanism list, always use CKM_RSA_PKCS and calculate the sha256 digest
++     * ourselves.
+      */
+ 
+     id_cryptoctx->mech = CKM_RSA_PKCS;
+@@ -4600,7 +4604,7 @@ pkinit_get_certs_pkcs11(krb5_context context,
+         if (mechp[i] == CKM_RSA_PKCS) {
+             /* This seems backwards... */
+             id_cryptoctx->mech =
+-                (info.flags & CKF_SIGN) ? CKM_SHA1_RSA_PKCS : CKM_RSA_PKCS;
++                (info.flags & CKF_SIGN) ? CKM_SHA256_RSA_PKCS : CKM_RSA_PKCS;
+         }
+     }
+     free(mechp);
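Review bot: the mechanism selection `(info.flags & CKF_SIGN) ? CKM_SHA256_RSA_PKCS : CKM_RSA_PKCS` is only compiled when PKINIT_USE_MECH_LIST is defined, while the default path above unconditionally sets `id_cryptoctx->mech = CKM_RSA_PKCS` and builds the DigestInfo itself, so on a default build a token without CKM_SHA256_RSA_PKCS is unaffected by this rename; the patch description would benefit from stating that, since smartcard users are the ones most likely to ask. The retained `/* This seems backwards... */` comment still applies after the rename and still explains nothing; a sentence on why CKF_SIGN selects the hashed mechanism would help the next reader.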
diff --git a/debian/patches/series b/debian/patches/series
index 23f41f56da..c02427759f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -10,3 +10,4 @@ debian-local/0008-Use-isystem-for-include-paths.patch
 0010-Fix-KDC-null-deref-on-bad-encrypted-challenge.patch
 0011-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch
 0012-Fix-defcred-leak-in-krb5-gss_inquire_cred.patch
+0013-Use-SHA-256-instead-of-SHA-1-for-PKINIT-CMS-digest.patch

--- End Message ---
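As an added illustration (not part of the bug report or of the krb5 sources), the following Python encodes the DigestInfo structure that the patch's PKCS#11 path builds by hand, for both the old SHA-1 and the new SHA-256 algorithm, and includes a small decoder that flags a SHA-1 digest algorithm of the kind RHEL9's policy rejects; the OID values are the standard ones, and all inputs are constructed sample data.

```python
import hashlib

# DER-encoded OIDs for the two digest algorithms the patch switches between
# (standard values: SHA-1 is 1.3.14.3.2.26, SHA-256 is 2.16.840.1.101.3.4.2.1).
DIGEST_OIDS = {
    "sha1": bytes.fromhex("2b0e03021a"),
    "sha256": bytes.fromhex("608648016503040201"),
}

def _der(tag, body):
    """Wrap body in a DER TLV with the given tag (short- and long-form lengths)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def _tlv(buf, pos):
    """Read one TLV starting at pos; return (tag, body, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def digest_info(alg, data):
    """DER-encode DigestInfo ::= SEQUENCE { AlgorithmIdentifier, OCTET STRING } over data."""
    md = hashlib.new(alg, data).digest()
    # NULL parameters, matching the patch's X509_ALGOR_set0(..., V_ASN1_NULL, NULL).
    alg_id = _der(0x30, _der(0x06, DIGEST_OIDS[alg]) + b"\x05\x00")
    return _der(0x30, alg_id + _der(0x04, md))

def parse_digest_info(der):
    """Decode a DigestInfo; return (algorithm name or 'unknown', digest bytes)."""
    tag, seq, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("DigestInfo must be a SEQUENCE")
    _, alg_id, pos = _tlv(seq, 0)
    _, oid, _ = _tlv(alg_id, 0)
    _, md, _ = _tlv(seq, pos)
    names = {v: k for k, v in DIGEST_OIDS.items()}
    return names.get(oid, "unknown"), md

def uses_deprecated_digest(der):
    """True when the DigestInfo names SHA-1, the algorithm a RHEL9 KDC refuses."""
    return parse_digest_info(der)[0] == "sha1"
```

The SHA-256 encoding produced here is the familiar 19-byte PKCS#1 prefix followed by the 32-byte hash, which is what the token signs with plain CKM_RSA_PKCS after the patch.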
--- Begin Message ---
Package: release.debian.org
Version: 11.5

Hi,

The updates referred to in each of these bugs were included in today's
11.5 point release.

Regards,

Adam

--- End Message ---
