
Bug#1017998: marked as done (buster-pu: package krb5/1.17-3+deb10u4)



Your message dated Sat, 10 Sep 2022 13:40:55 +0100
with message-id <2cfc9645343bdb910fe19c07bddfec2c428346a3.camel@adam-barratt.org.uk>
and subject line Closing requests for updates included in 10.13
has caused the Debian Bug report #1017998,
regarding buster-pu: package krb5/1.17-3+deb10u4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1017998: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1017998
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu


[ Reason ]

RHEL9 deprecates SHA1 as a CMS digest algorithm.  Without this patch,
a buster client cannot perform (anonymous) pkinit to a RHEL9 KDC.
Pkinit is important enough that I'd like to see this fixed, but is not
so common that I'm worried about needing to do a huge cross-version
compatibility test before accepting the change.

That said, it looks like Red Hat has fairly thoroughly researched the
compatibility issues.  Accepting this patch into buster probably
breaks anonymous pkinit from jessie to a buster KDC because jessie is
too old to support SHA256 for all the pkinit uses.  Stretch should be
new enough.

This has been in unstable as part of krb5 1.20 for a while.
Expect a bullseye update shortly.

[ Impact ]

Anonymous pkinit breaks against RHEL9 and probably bookworm+1.


[ Tests ]

I ran the automated pkinit tests and confirmed they have adequate coverage to test that I properly applied the patch.
I'm trusting Red Hat's analysis for the cross-version testing.
Based on knowledge of the people involved and the description of the analysis I think that is appropriate.


[ Risks ]

See above.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
(Explain *all* the changes)

diff --git a/debian/.git-dpm b/debian/.git-dpm
index fcd6a7f36e..713ff3581e 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-668523c82a2446609f3eab8688c8837c59b97de2
-668523c82a2446609f3eab8688c8837c59b97de2
+c5354e5b2e0ad5c68fc3f07ecf2c3ab3285d0f08
+c5354e5b2e0ad5c68fc3f07ecf2c3ab3285d0f08
 a75eb54fd955cbf7a8ac44e527fd0e400e87844a
 a75eb54fd955cbf7a8ac44e527fd0e400e87844a
 krb5_1.17.orig.tar.gz
diff --git a/debian/changelog b/debian/changelog
index 45d55810ea..8167db8a4d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+krb5 (1.17-3+deb10u4) buster; urgency=medium
+
+  * Use SHA256 as Pkinit CMS Digest, Closes: #1017995
+
+ -- Sam Hartman <hartmans@debian.org>  Tue, 23 Aug 2022 14:28:40 -0600
+
 krb5 (1.17-3+deb10u3) buster; urgency=high
 
   * Fix KDC null dereference crash on FAST request with no server field,
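Review bot: the new changelog entry `+  * Use SHA256 as Pkinit CMS Digest, Closes: #1017995` says nothing about the interoperability consequence the cover note spells out (anonymous PKINIT against peers that only handle SHA-1 CMS digests, jessie in the cover note, stops working); a stable-update changelog is what administrators read when something breaks after the point release, so a second line along the lines of "peers that only accept SHA-1 CMS digests will no longer interoperate" and a reference to the upstream ticket (9055, from the patch header) would make this entry self-explanatory.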
diff --git a/debian/patches/0016-Use-SHA-256-instead-of-SHA-1-for-PKINIT-CMS-digest.patch b/debian/patches/0016-Use-SHA-256-instead-of-SHA-1-for-PKINIT-CMS-digest.patch
new file mode 100644
index 0000000000..6bef568521
--- /dev/null
+++ b/debian/patches/0016-Use-SHA-256-instead-of-SHA-1-for-PKINIT-CMS-digest.patch
@@ -0,0 +1,128 @@
+From c5354e5b2e0ad5c68fc3f07ecf2c3ab3285d0f08 Mon Sep 17 00:00:00 2001
+From: Julien Rische <jrische@redhat.com>
+Date: Fri, 11 Mar 2022 12:04:14 +0100
+Subject: Use SHA-256 instead of SHA-1 for PKINIT CMS digest
+
+[ghudson@mit.edu: edited comments]
+
+ticket: 9055 (new)
+---
+ .../preauth/pkinit/pkinit_crypto_openssl.c    | 41 +++++++++++--------
+ 1 file changed, 23 insertions(+), 18 deletions(-)
+
+diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+index 5ff81d8cf4..66b09c6f41 100644
+--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
++++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+@@ -1237,7 +1237,7 @@ cms_signeddata_create(krb5_context context,
+         /* will not fill-out EVP_PKEY because it's on the smartcard */
+ 
+         /* Set digest algs */
+-        p7si->digest_alg->algorithm = OBJ_nid2obj(NID_sha1);
++        p7si->digest_alg->algorithm = OBJ_nid2obj(NID_sha256);
+ 
+         if (p7si->digest_alg->parameter != NULL)
+             ASN1_TYPE_free(p7si->digest_alg->parameter);
+@@ -1248,7 +1248,8 @@ cms_signeddata_create(krb5_context context,
+         /* Set sig algs */
+         if (p7si->digest_enc_alg->parameter != NULL)
+             ASN1_TYPE_free(p7si->digest_enc_alg->parameter);
+-        p7si->digest_enc_alg->algorithm = OBJ_nid2obj(NID_sha1WithRSAEncryption);
++        p7si->digest_enc_alg->algorithm =
++            OBJ_nid2obj(NID_sha256WithRSAEncryption);
+         if (!(p7si->digest_enc_alg->parameter = ASN1_TYPE_new()))
+             goto cleanup;
+         p7si->digest_enc_alg->parameter->type = V_ASN1_NULL;
+@@ -1259,16 +1260,17 @@ cms_signeddata_create(krb5_context context,
+             alen = data_len;
+         } else {
+             /* add signed attributes */
+-            /* compute sha1 digest over the EncapsulatedContentInfo */
++            /* compute sha256 digest over the EncapsulatedContentInfo */
+             ctx = EVP_MD_CTX_new();
+             if (ctx == NULL)
+                 goto cleanup;
+-            EVP_DigestInit_ex(ctx, EVP_sha1(), NULL);
++            EVP_DigestInit_ex(ctx, EVP_sha256(), NULL);
+             EVP_DigestUpdate(ctx, data, data_len);
+             md_tmp = EVP_MD_CTX_md(ctx);
+             EVP_DigestFinal_ex(ctx, md_data, &md_len);
+             EVP_MD_CTX_free(ctx);
+ 
++
+             /* create a message digest attr */
+             digest_attr = ASN1_OCTET_STRING_new();
+             ASN1_OCTET_STRING_set(digest_attr, md_data, (int)md_len);
+@@ -1292,12 +1294,14 @@ cms_signeddata_create(krb5_context context,
+         } /* signed attributes */
+ 
+ #ifndef WITHOUT_PKCS11
+-        /* Some tokens can only do RSAEncryption without sha1 hash */
+-        /* to compute sha1WithRSAEncryption, encode the algorithm ID for the hash
+-         * function and the hash value into an ASN.1 value of type DigestInfo
+-         * DigestInfo::=SEQUENCE {
+-         *  digestAlgorithm  AlgorithmIdentifier,
+-         *  digest OCTET STRING }
++        /*
++         * Some tokens can only do RSAEncryption without a hash.  To compute
++         * sha256WithRSAEncryption, encode the algorithm ID for the hash
++         * function and the hash value into an ASN.1 value of type DigestInfo:
++         * DigestInfo ::= SEQUENCE {
++         *   digestAlgorithm  AlgorithmIdentifier,
++         *   digest  OCTET STRING
++         * }
+          */
+         if (id_cryptoctx->pkcs11_method == 1 &&
+             id_cryptoctx->mech == CKM_RSA_PKCS) {
+@@ -1317,7 +1321,7 @@ cms_signeddata_create(krb5_context context,
+             alg = X509_ALGOR_new();
+             if (alg == NULL)
+                 goto cleanup2;
+-            X509_ALGOR_set0(alg, OBJ_nid2obj(NID_sha1), V_ASN1_NULL, NULL);
++            X509_ALGOR_set0(alg, OBJ_nid2obj(NID_sha256), V_ASN1_NULL, NULL);
+             alg_len = i2d_X509_ALGOR(alg, NULL);
+ 
+             digest = ASN1_OCTET_STRING_new();
+@@ -1346,7 +1350,7 @@ cms_signeddata_create(krb5_context context,
+ #endif
+         {
+             pkiDebug("mech = %s\n",
+-                     id_cryptoctx->pkcs11_method == 1 ? "CKM_SHA1_RSA_PKCS" : "FS");
++                     id_cryptoctx->pkcs11_method == 1 ? "CKM_SHA256_RSA_PKCS" : "FS");
+             retval = pkinit_sign_data(context, id_cryptoctx, abuf, alen,
+                                       &sig, &sig_len);
+         }
+@@ -4225,7 +4229,7 @@ create_signature(unsigned char **sig, unsigned int *sig_len,
+     ctx = EVP_MD_CTX_new();
+     if (ctx == NULL)
+         return ENOMEM;
+-    EVP_SignInit(ctx, EVP_sha1());
++    EVP_SignInit(ctx, EVP_sha256());
+     EVP_SignUpdate(ctx, data, data_len);
+     *sig_len = EVP_PKEY_size(pkey);
+     if ((*sig = malloc(*sig_len)) == NULL)
+@@ -4700,10 +4704,11 @@ pkinit_get_certs_pkcs11(krb5_context context,
+ 
+ #ifndef PKINIT_USE_MECH_LIST
+     /*
+-     * We'd like to use CKM_SHA1_RSA_PKCS for signing if it's available, but
+-     * many cards seems to be confused about whether they are capable of
+-     * this or not. The safe thing seems to be to ignore the mechanism list,
+-     * always use CKM_RSA_PKCS and calculate the sha1 digest ourselves.
++     * We'd like to use CKM_SHA256_RSA_PKCS for signing if it's available, but
++     * historically many cards seem to be confused about whether they are
++     * capable of mechanisms or not. The safe thing seems to be to ignore the
++     * mechanism list, always use CKM_RSA_PKCS and calculate the sha256 digest
++     * ourselves.
+      */
+ 
+     id_cryptoctx->mech = CKM_RSA_PKCS;
+@@ -4731,7 +4736,7 @@ pkinit_get_certs_pkcs11(krb5_context context,
+         if (mechp[i] == CKM_RSA_PKCS) {
+             /* This seems backwards... */
+             id_cryptoctx->mech =
+-                (info.flags & CKF_SIGN) ? CKM_SHA1_RSA_PKCS : CKM_RSA_PKCS;
++                (info.flags & CKF_SIGN) ? CKM_SHA256_RSA_PKCS : CKM_RSA_PKCS;
+         }
+     }
+     free(mechp);
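Review bot: the patch file carries only the git format-patch header (`From:`, `Date:`, `Subject:`) and no DEP-3 `Origin:` or `Bug:` field, so the provenance (the upstream commit whose hash appears in the `From c5354e5b...` line, and upstream ticket 9055) is only implicit; the other cherry-picked entries in debian/patches/series use an `upstream/` prefix, so either that naming or an explicit `Origin:` line would keep the series consistent and make the backport traceable.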
diff --git a/debian/patches/series b/debian/patches/series
index a5e368e5e9..00635e0a2b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -13,3 +13,4 @@ upstream/0012-CVE-2020-28196.patch
 upstream/0013-Fix-KDC-null-deref-on-bad-encrypted-challenge.patch
 0014-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch
 0015-Fix-defcred-leak-in-krb5-gss_inquire_cred.patch
+0016-Use-SHA-256-instead-of-SHA-1-for-PKINIT-CMS-digest.patch
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index 5ff81d8cf4..66b09c6f41 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -1237,7 +1237,7 @@ cms_signeddata_create(krb5_context context,
         /* will not fill-out EVP_PKEY because it's on the smartcard */
 
         /* Set digest algs */
-        p7si->digest_alg->algorithm = OBJ_nid2obj(NID_sha1);
+        p7si->digest_alg->algorithm = OBJ_nid2obj(NID_sha256);
 
         if (p7si->digest_alg->parameter != NULL)
             ASN1_TYPE_free(p7si->digest_alg->parameter);
@@ -1248,7 +1248,8 @@ cms_signeddata_create(krb5_context context,
         /* Set sig algs */
         if (p7si->digest_enc_alg->parameter != NULL)
             ASN1_TYPE_free(p7si->digest_enc_alg->parameter);
-        p7si->digest_enc_alg->algorithm = OBJ_nid2obj(NID_sha1WithRSAEncryption);
+        p7si->digest_enc_alg->algorithm =
+            OBJ_nid2obj(NID_sha256WithRSAEncryption);
         if (!(p7si->digest_enc_alg->parameter = ASN1_TYPE_new()))
             goto cleanup;
         p7si->digest_enc_alg->parameter->type = V_ASN1_NULL;
@@ -1259,16 +1260,17 @@ cms_signeddata_create(krb5_context context,
             alen = data_len;
         } else {
             /* add signed attributes */
-            /* compute sha1 digest over the EncapsulatedContentInfo */
+            /* compute sha256 digest over the EncapsulatedContentInfo */
             ctx = EVP_MD_CTX_new();
             if (ctx == NULL)
                 goto cleanup;
-            EVP_DigestInit_ex(ctx, EVP_sha1(), NULL);
+            EVP_DigestInit_ex(ctx, EVP_sha256(), NULL);
             EVP_DigestUpdate(ctx, data, data_len);
             md_tmp = EVP_MD_CTX_md(ctx);
             EVP_DigestFinal_ex(ctx, md_data, &md_len);
             EVP_MD_CTX_free(ctx);
 
+
             /* create a message digest attr */
             digest_attr = ASN1_OCTET_STRING_new();
             ASN1_OCTET_STRING_set(digest_attr, md_data, (int)md_len);
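Review bot: the lone `+` blank line after `EVP_MD_CTX_free(ctx);` leaves two consecutive empty lines and is the only reason this hunk grows from 16 to 17 lines; it should be dropped to keep the backport minimal. Separately, `EVP_DigestFinal_ex(ctx, md_data, &md_len)` now writes 32 bytes instead of 20 into `md_data`; the buffer's declaration is outside this hunk, so please confirm it is sized to EVP_MAX_MD_SIZE rather than to the SHA-1 digest length.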
@@ -1292,12 +1294,14 @@ cms_signeddata_create(krb5_context context,
         } /* signed attributes */
 
 #ifndef WITHOUT_PKCS11
-        /* Some tokens can only do RSAEncryption without sha1 hash */
-        /* to compute sha1WithRSAEncryption, encode the algorithm ID for the hash
-         * function and the hash value into an ASN.1 value of type DigestInfo
-         * DigestInfo::=SEQUENCE {
-         *  digestAlgorithm  AlgorithmIdentifier,
-         *  digest OCTET STRING }
+        /*
+         * Some tokens can only do RSAEncryption without a hash.  To compute
+         * sha256WithRSAEncryption, encode the algorithm ID for the hash
+         * function and the hash value into an ASN.1 value of type DigestInfo:
+         * DigestInfo ::= SEQUENCE {
+         *   digestAlgorithm  AlgorithmIdentifier,
+         *   digest  OCTET STRING
+         * }
          */
         if (id_cryptoctx->pkcs11_method == 1 &&
             id_cryptoctx->mech == CKM_RSA_PKCS) {
@@ -1317,7 +1321,7 @@ cms_signeddata_create(krb5_context context,
             alg = X509_ALGOR_new();
             if (alg == NULL)
                 goto cleanup2;
-            X509_ALGOR_set0(alg, OBJ_nid2obj(NID_sha1), V_ASN1_NULL, NULL);
+            X509_ALGOR_set0(alg, OBJ_nid2obj(NID_sha256), V_ASN1_NULL, NULL);
             alg_len = i2d_X509_ALGOR(alg, NULL);
 
             digest = ASN1_OCTET_STRING_new();
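Review bot: the DigestInfo built here hard-codes `NID_sha256` independently of the `p7si->digest_alg` / `digest_enc_alg` values set in the earlier hunks and of `EVP_sha256()` in `create_signature`; all of them must stay in step or the DigestInfo a raw-RSA token signs will not match the algorithm the CMS declares, so deriving the NID from a single shared constant (or from `p7si->digest_alg->algorithm`) would stop them drifting apart in a later change. The explicit NULL parameter passed via `V_ASN1_NULL` is one of the encodings RFC 8017 lists for SHA-256, so that part is fine as written.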
@@ -1346,7 +1350,7 @@ cms_signeddata_create(krb5_context context,
 #endif
         {
             pkiDebug("mech = %s\n",
-                     id_cryptoctx->pkcs11_method == 1 ? "CKM_SHA1_RSA_PKCS" : "FS");
+                     id_cryptoctx->pkcs11_method == 1 ? "CKM_SHA256_RSA_PKCS" : "FS");
             retval = pkinit_sign_data(context, id_cryptoctx, abuf, alen,
                                       &sig, &sig_len);
         }
@@ -4225,7 +4229,7 @@ create_signature(unsigned char **sig, unsigned int *sig_len,
     ctx = EVP_MD_CTX_new();
     if (ctx == NULL)
         return ENOMEM;
-    EVP_SignInit(ctx, EVP_sha1());
+    EVP_SignInit(ctx, EVP_sha256());
     EVP_SignUpdate(ctx, data, data_len);
     *sig_len = EVP_PKEY_size(pkey);
     if ((*sig = malloc(*sig_len)) == NULL)
@@ -4700,10 +4704,11 @@ pkinit_get_certs_pkcs11(krb5_context context,
 
 #ifndef PKINIT_USE_MECH_LIST
     /*
-     * We'd like to use CKM_SHA1_RSA_PKCS for signing if it's available, but
-     * many cards seems to be confused about whether they are capable of
-     * this or not. The safe thing seems to be to ignore the mechanism list,
-     * always use CKM_RSA_PKCS and calculate the sha1 digest ourselves.
+     * We'd like to use CKM_SHA256_RSA_PKCS for signing if it's available, but
+     * historically many cards seem to be confused about whether they are
+     * capable of mechanisms or not. The safe thing seems to be to ignore the
+     * mechanism list, always use CKM_RSA_PKCS and calculate the sha256 digest
+     * ourselves.
      */
 
     id_cryptoctx->mech = CKM_RSA_PKCS;
@@ -4731,7 +4736,7 @@ pkinit_get_certs_pkcs11(krb5_context context,
         if (mechp[i] == CKM_RSA_PKCS) {
             /* This seems backwards... */
             id_cryptoctx->mech =
-                (info.flags & CKF_SIGN) ? CKM_SHA1_RSA_PKCS : CKM_RSA_PKCS;
+                (info.flags & CKF_SIGN) ? CKM_SHA256_RSA_PKCS : CKM_RSA_PKCS;
         }
     }
     free(mechp);
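Review bot: in the `PKINIT_USE_MECH_LIST` path the mechanism is set to `CKM_SHA256_RSA_PKCS` after finding `CKM_RSA_PKCS` in the token's list, so a card that advertises raw RSA but not the SHA-256 combined mechanism will be asked for something it never listed; the pre-existing "This seems backwards..." comment already flags the mismatch, and the block is compiled out by default (see the `#ifndef` above), but since the SHA-256 variant is less universally supported on older tokens than the SHA-1 one was, checking for `CKM_SHA256_RSA_PKCS` itself in the list would be the safer test.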

--- End Message ---
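The DigestInfo wrapping that the patch comment describes for tokens that only offer raw CKM_RSA_PKCS, as an added example (not krb5, Debian or Red Hat code): it DER-encodes DigestInfo for SHA-1 and SHA-256 and strictly parses one back, so an operator can tell from a captured signature input whether it was built with the digest that RHEL9 no longer accepts. The sample content string and the DEPRECATED_DIGESTS set are constructed for this example; the OIDs and encodings are the standard PKCS#1 ones.

```python
"""
DigestInfo ::= SEQUENCE { digestAlgorithm AlgorithmIdentifier, digest OCTET STRING }
Built by hand, as a PKINIT client must when the PKCS#11 token only does raw RSA.
Added example; not code from the krb5 project.
"""
import hashlib

# Dotted OIDs for the two digests the patch switches between (RFC 8017 appendix B).
OID_SHA1 = "1.3.14.3.2.26"
OID_SHA256 = "2.16.840.1.101.3.4.2.1"
DIGEST_LEN = {OID_SHA1: 20, OID_SHA256: 32}
DEPRECATED_DIGESTS = {OID_SHA1}  # constructed policy, modelled on RHEL9 rejecting SHA-1


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def encode_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER: first two arcs packed into one byte, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunks = [arc & 0x7F]          # low 7 bits last, continuation bit on the rest
        arc >>= 7
        while arc:
            chunks.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunks))
    return der_tlv(0x06, bytes(body))


def digest_info(oid: str, digest: bytes) -> bytes:
    """Encode DigestInfo with an explicit NULL parameter, as the patch's X509_ALGOR_set0 call does."""
    if len(digest) != DIGEST_LEN[oid]:
        raise ValueError("digest length does not match algorithm")
    alg_id = der_tlv(0x30, encode_oid(oid) + der_tlv(0x05, b""))
    return der_tlv(0x30, alg_id + der_tlv(0x04, digest))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after the element); rejects truncated input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def decode_oid(body: bytes) -> str:
    # First byte packs arcs 0 and 1; this handles the common case (second arc < 40 for arc 2).
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_digest_info(der: bytes):
    """Strictly decode a DigestInfo and return (oid, digest); rejects trailing data and odd parameters."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("DigestInfo must be a single SEQUENCE")
    tag, alg_id, pos = _read_tlv(seq, 0)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, oid_body, apos = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    oid = decode_oid(oid_body)
    if apos != len(alg_id):  # optional parameters: only an empty NULL is acceptable here
        ptag, pbody, apos = _read_tlv(alg_id, apos)
        if ptag != 0x05 or pbody or apos != len(alg_id):
            raise ValueError("unexpected AlgorithmIdentifier parameters")
    tag, digest, pos = _read_tlv(seq, pos)
    if tag != 0x04 or pos != len(seq):
        raise ValueError("digest must be the final OCTET STRING")
    expected = DIGEST_LEN.get(oid)
    if expected is not None and len(digest) != expected:
        raise ValueError("digest length does not match algorithm")
    return oid, bytes(digest)


def uses_deprecated_digest(der: bytes) -> bool:
    """True when the DigestInfo names a digest the (constructed) policy rejects."""
    return parse_digest_info(der)[0] in DEPRECATED_DIGESTS


if __name__ == "__main__":
    content = b"constructed EncapsulatedContentInfo sample"
    for oid, h in ((OID_SHA1, hashlib.sha1), (OID_SHA256, hashlib.sha256)):
        di = digest_info(oid, h(content).digest())
        print(oid, di.hex(), "deprecated" if uses_deprecated_digest(di) else "ok")
```

The 19-byte SHA-256 prefix this produces (`3031300d060960864801650304020105000420`) is the same constant OpenSSL emits for `NID_sha256` with a NULL parameter, which is what makes a raw-RSA token's output verify as `sha256WithRSAEncryption`; the strict parser refuses trailing bytes and non-NULL parameters so that a deprecated-digest check cannot be dodged by padding the structure.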
--- Begin Message ---
Package: release.debian.org
Version: 10.13

Hi,

Each of the updates referenced in these bugs was included in today's
10.13 point release.

Regards,

Adam

--- End Message ---
