Ubuntu
krb5 package

link libkrb5 with openssl

  1. Jammy (22.04)
  2. Bug #1943530
Bug #1943530 reported by Nikos Mavrogiannopoulos
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
krb5 (Ubuntu)
Confirmed
Undecided
Unassigned
Jammy
Confirmed
Undecided
Unassigned

Bug Description

In Ubuntu we provide a cryptographic core based on a small set of packages that we FIPS certify [0]. Applications and libraries should not bundle their own crypto code but should use the cryptographic core to benefit from the certification, but also importantly to reduce bugs due to small cryptographic libraries that that are not studied as much as more popular counterparts. This bug is to change libkrb5 to use the openssl crypto code instead of bundling its own on the next ubuntu release.

[0]. https://ubuntu.com/security/fips

See original description
Nikos Mavrogiannopoulos (nmavrogiannopoulos)
description: updated
Nikos Mavrogiannopoulos (nmavrogiannopoulos)
description: updated
description: updated
Dimitri John Ledkov (xnox)
tags: added: rls-ii-incoming rls-jj-incoming
Revision history for this message
Dimitri John Ledkov (xnox) wrote :

krb5 (1.13~alpha1+dfsg-1) experimental; urgency=low

  [ Benjamin Kaduk ]
  * New upstream prerelease:
    - Add support for accessing KDCs via an https proxy using the MS-KKDCP
      protocol, using a plugin provided by the new krb5-k5tls package, which
      uses openssl for the TLS implementation. The openssl-using code is
      confined to a separate, runtime-loadable, plugin module, in a separate
      package, to ameliorate concerns about GPL code that links libkrb5 running
      into issues with the openssl license. The Kerberos license is both
    GPL and OpenSSL compatible. There might be an issue if an application
    was GPL licensed and someone used the OpenSSL plugin with that
    application. Even that is probably fine provided that no one
    distributes a combination that tends to encourage such usage. There's
    an existing krb5-pkinit plugin that also links to OpenSSL, but at time
    of integration into Debian no GPLed applications in the archive called
    APIs that would cause that plugin to be loaded.

The above concerns are still valid, and given that currently OpenSSL is neither GPLv2 or GPLv3 compatible doing this may not be feasible immediately.

The licensing choices will have to be re-evaluated again, once OpenSSL v3 is the default OpenSSL implementation in the archive, which is GPLv3 compatible.

tags: added: rls-ii-wontfix
removed: rls-ii-incoming
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Do we even know for sure this krb5-k5tls is enough for fips compliance, and that it replaces *all* crypto code in kerberos with openssl calls?

Brian Murray (brian-murray)
Changed in krb5 (Ubuntu):
status: New → Incomplete
Revision history for this message
Dimitri John Ledkov (xnox) wrote :

> Do we even know for sure this krb5-k5tls is enough for fips compliance, and that it replaces *all* crypto code in kerberos with openssl calls?

No it does not. But intention is to make the over the network communications with TLS to be FIPS-TLS compliant which is cheaper to certify when reusing a certified TLS component library.

Changed in krb5 (Ubuntu):
status: Incomplete → Confirmed
Revision history for this message
Nikos Mavrogiannopoulos (nmavrogiannopoulos) wrote :

For 22.04 we should switch to openssl 3.0 for cryptography for the whole.

Brian Murray (brian-murray)
tags: removed: rls-jj-incoming
Matthieu Clemenceau (mclemenceau)
tags: added: fr-1900
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.