New upstream release and integrate with external git

2016-09-19 23:49:29 +00:00 · 2016-09-19 23:49:29 +00:00 · 14f028579d
commit 14f028579d
parent 4f5955da72
30 changed files with 747 additions and 1195 deletions
--- a/.gitignore
+++ b/.gitignore
@ -136,3 +136,6 @@ krb5-1.8.3-pdf.tar.gz
 /krb5-1.14.3.tar.gz
 /krb5-1.14.3.tar.gz.asc
 /krb5-1.14.3-pdfs.tar
 /krb5-1.14.4.tar.gz
 /krb5-1.14.4.tar.gz.asc
 /krb5-1.14.4-pdfs.tar
--- a/Add-KDC-pre-send-and-post-receive-KDC-hooks.patch
+++ b/Add-KDC-pre-send-and-post-receive-KDC-hooks.patch
@ -1,7 +1,7 @@
-From 700f0921e891c5986e31e8394a9e7287a7c16524 Mon Sep 17 00:00:00 2001
+From 21330cb3db69fc5a004844a1e4dec8998eb50068 Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn@samba.org>
 Date: Thu, 3 Mar 2016 18:53:31 +0100
-Subject: [PATCH 1/2] Add KDC pre-send and post-receive KDC hooks
+Subject: [PATCH 14/19] Add KDC pre-send and post-receive KDC hooks
 Add two new APIs, krb5_set_kdc_send_hook() and
 krb5_set_kdc_recv_hook(), which can be used to inspect and override
@ -47,10 +47,10 @@ index 51c4093..dc414cf 100644
    krb5_principal.rst
    krb5_principal_data.rst
 diff --git a/src/include/k5-int.h b/src/include/k5-int.h
-index 41c3d1b..a4266d9 100644
+index 6b7b2e3..045abfc 100644
 --- a/src/include/k5-int.h
 +++ b/src/include/k5-int.h
-@@ -1237,6 +1237,12 @@ struct _krb5_context {
+@@ -1238,6 +1238,12 @@ struct _krb5_context {
     krb5_trace_callback trace_callback;
     void *trace_callback_data;
@ -64,10 +64,10 @@ index 41c3d1b..a4266d9 100644
     char *plugin_base_dir;
 };
 diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
-index 851cea3..59baf70 100644
+index c93a0f2..2b0d59e 100644
 --- a/src/include/krb5/krb5.hin
 +++ b/src/include/krb5/krb5.hin
-@@ -8288,6 +8288,110 @@ krb5_set_trace_callback(krb5_context context, krb5_trace_callback fn,
+@@ -8300,6 +8300,110 @@ krb5_set_trace_callback(krb5_context context, krb5_trace_callback fn,
 krb5_error_code KRB5_CALLCONV
 krb5_set_trace_filename(krb5_context context, const char *filename);
@ -192,10 +192,10 @@ index c623409..ea6982d 100644
 krb5_set_trace_callback
 krb5_set_trace_filename
 diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c
-index 3b3b438..a2bc591 100644
+index 6231de2..be00b8f 100644
 --- a/src/lib/krb5/os/sendto_kdc.c
 +++ b/src/lib/krb5/os/sendto_kdc.c
-@@ -399,6 +399,22 @@ check_for_svc_unavailable (krb5_context context,
+@@ -403,6 +403,22 @@ check_for_svc_unavailable (krb5_context context,
     return 1;
 }
@ -218,7 +218,7 @@ index 3b3b438..a2bc591 100644
 /*
  * send the formatted request 'message' to a KDC for realm 'realm' and
  * return the response (if any) in 'reply'.
-@@ -412,13 +428,16 @@ check_for_svc_unavailable (krb5_context context,
+@@ -416,13 +432,16 @@ check_for_svc_unavailable (krb5_context context,
 krb5_error_code
 krb5_sendto_kdc(krb5_context context, const krb5_data *message,
@ -236,7 +236,7 @@ index 3b3b438..a2bc591 100644
     /*
      * find KDC location(s) for realm
-@@ -463,9 +482,26 @@ krb5_sendto_kdc(krb5_context context, const krb5_data *message,
+@@ -467,9 +486,26 @@ krb5_sendto_kdc(krb5_context context, const krb5_data *message,
     if (retval)
         return retval;
@ -264,7 +264,7 @@ index 3b3b438..a2bc591 100644
                        check_for_svc_unavailable, &err);
     if (retval == KRB5_KDC_UNREACH) {
         if (err == KDC_ERR_SVC_UNAVAILABLE) {
-@@ -476,9 +512,23 @@ krb5_sendto_kdc(krb5_context context, const krb5_data *message,
+@@ -480,9 +516,23 @@ krb5_sendto_kdc(krb5_context context, const krb5_data *message,
                       realm->length, realm->data);
         }
     }
@ -288,7 +288,7 @@ index 3b3b438..a2bc591 100644
     /* Set use_master to 1 if we ended up talking to a master when we didn't
      * explicitly request to. */
     if (*use_master == 0) {
-@@ -488,6 +538,8 @@ krb5_sendto_kdc(krb5_context context, const krb5_data *message,
+@@ -492,6 +542,8 @@ krb5_sendto_kdc(krb5_context context, const krb5_data *message,
     }
 cleanup:
@ -310,5 +310,5 @@ index 3734e9b..8d58ea1 100644
 +	krb5_set_kdc_send_hook				@433
 +	krb5_set_kdc_recv_hook				@434
 -- 
-2.8.0.rc3
+2.9.3
--- a/krb5-1.15-krb5_db_register_keytab.patch
+++ b/krb5-1.15-krb5_db_register_keytab.patch
@ -1,7 +1,7 @@
-From c9136272512a6158d77e74035d52869443403a10 Mon Sep 17 00:00:00 2001
+From 2047b7b227a4e2a07b5e2ef149fd968406c8f750 Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn@samba.org>
 Date: Wed, 7 Sep 2016 18:33:43 +0200
-Subject: [PATCH] Add krb5_db_register_keytab()
+Subject: [PATCH 19/19] Add krb5_db_register_keytab()
 Add a public libkdb5 function to register the KDB keytab type.  This
 functionality is needed for out-of-tree KDC servers such as the Samba
--- a/Add-tests-for-send-and-receive-sendto_kdc-hooks.patch
+++ b/Add-tests-for-send-and-receive-sendto_kdc-hooks.patch
@ -1,7 +1,7 @@
-From e60e5e0a8e8e98edae8c678e5c300b30368006fb Mon Sep 17 00:00:00 2001
+From b54a8377972db8cfc5f74c42831f61445c6f82d9 Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn@samba.org>
 Date: Mon, 7 Mar 2016 17:59:07 +0100
-Subject: [PATCH 2/2] Add tests for send and receive sendto_kdc hooks
+Subject: [PATCH 15/19] Add tests for send and receive sendto_kdc hooks
 [ghudson@mit.edu: style changes]
@ -10,7 +10,7 @@ ticket: 8386
 Conflicts:
 	src/tests/Makefile.in
 [rharwood@redhat.com: fix cherry-pick merge conflicts]
-[rharwood@redhat.com: remove references to .gitignore]
+[rharwood@redhat.com: locally remove gitignore]
 ---
 src/tests/Makefile.in |  12 ++-
 src/tests/deps        |  10 ++
@ -363,5 +363,5 @@ index 0000000..58dff3a
 +
 +success('send and recv hook tests')
 -- 
-2.8.0.rc3
+2.9.3
--- a/Change-KDC-error-for-encrypted-timestamp-preauth.patch
+++ b/Change-KDC-error-for-encrypted-timestamp-preauth.patch
@ -1,7 +1,7 @@
-From 7b072ef4135e776982a61fae62cda9a5f0fe001b Mon Sep 17 00:00:00 2001
+From ad1af1b23bd716fc3129de16e3fbf7edca0daa6b Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn@samba.org>
 Date: Mon, 8 Aug 2016 18:03:55 +0200
-Subject: [PATCH 3/3] Change KDC error for encrypted timestamp preauth
+Subject: [PATCH 18/19] Change KDC error for encrypted timestamp preauth
 When encrypted timestamp pre-authentication fails, respond with error
 code KDC_ERR_PREAUTH_FAILED, rather than KRB_AP_ERR_BAD_INTEGRITY, for
--- a/Create-KDC-and-kadmind-log-files-with-mode-0640.patch
+++ b/Create-KDC-and-kadmind-log-files-with-mode-0640.patch
@ -1,7 +1,7 @@
-From 9914b93516bbce9b1123ed5f9f796b7028944892 Mon Sep 17 00:00:00 2001
+From 6b126bfc40ba416746e4d30edb0b6b72c21c8b10 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
-Date: Thu, 17 Dec 2015 13:31:39 -0500
+Date: Tue, 23 Aug 2016 16:58:44 -0400
-Subject: [PATCH] Create KDC and kadmind log files with mode 0640
+Subject: [PATCH 13/19] Create KDC and kadmind log files with mode 0640
 In krb5_klog_init(), use open() and fdopen() to open log files so that
 we can specify a mode.  Specify a mode which doesn't include the
@ -18,11 +18,10 @@ ticket: 8344 (new)
 1 file changed, 12 insertions(+), 9 deletions(-)
 diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c
-index 19c4355..f4a9387 100644
+index 64f9641..0517efe 100644
-
+--- a/src/lib/kadm5/logger.c
--- a/src/lib/kadm5/logger.c	2016-01-21 18:52:52.529544902 +0000
+++ b/src/lib/kadm5/logger.c
-+++ b/src/lib/kadm5/logger.c	2016-01-21 18:57:22.923972419 +0000
+@@ -354,7 +354,7 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do
@@ -354,7 +354,7 @@
     const char  *logging_profent[3];
     const char  *logging_defent[3];
     char        **logging_specs;
@ -31,7 +30,7 @@ index 19c4355..f4a9387 100644
     char        *cp, *cp2;
     char        savec = '\0';
     int         error;
-@@ -422,18 +422,21 @@
+@@ -422,18 +422,21 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do
                     /*
                      * Check for append/overwrite, then open the file.
                      */
@ -61,3 +60,6 @@ index 19c4355..f4a9387 100644
                     }
                 }
 #ifdef  HAVE_SYSLOG
 -- 
 2.9.3
--- a/Fix-impersonate_name-to-work-with-interposers.patch
+++ b/Fix-impersonate_name-to-work-with-interposers.patch
@ -1,7 +1,7 @@
-From b3901af6970fb7bde88eb16d51c8d05db6f37746 Mon Sep 17 00:00:00 2001
+From 748617c1b8d1550284157a79bc7aeb6295a27bf4 Mon Sep 17 00:00:00 2001
 From: Simo Sorce <simo@redhat.com>
 Date: Fri, 13 Nov 2015 14:54:11 -0500
-Subject: [PATCH] Fix impersonate_name to work with interposers
+Subject: [PATCH 12/19] Fix impersonate_name to work with interposers
 This follows the same modifications applied to
 gss_acquire_cred_with_password() when interposer plugins were
@ -154,10 +154,10 @@ index 0dd4f87..9eab25e 100644
     if (input_cred_handle == GSS_C_NO_CREDENTIAL && union_cred)
 	free(union_cred);
 diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
-index e6703eb..28fb9b1 100644
+index 07435d8..99e374f 100644
 --- a/src/lib/gssapi/spnego/spnego_mech.c
 +++ b/src/lib/gssapi/spnego/spnego_mech.c
-@@ -2619,10 +2619,10 @@ spnego_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status,
+@@ -2620,10 +2620,10 @@ spnego_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status,
 					 gss_OID_set *actual_mechs,
 					 OM_uint32 *time_rec)
 {
@ -170,7 +170,7 @@ index e6703eb..28fb9b1 100644
 	dsyslog("Entering spnego_gss_acquire_cred_impersonate_name\n");
-@@ -2634,31 +2634,30 @@ spnego_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status,
+@@ -2635,31 +2635,30 @@ spnego_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status,
 	imp_spcred = (spnego_gss_cred_id_t)impersonator_cred_handle;
 	imp_mcred = imp_spcred ? imp_spcred->mcred : GSS_C_NO_CREDENTIAL;
@ -218,5 +218,5 @@ index e6703eb..28fb9b1 100644
 	return (status);
 }
 -- 
-2.6.2
+2.9.3
--- a/krb5-1.15-improve-bad-password-inference.patch
+++ b/krb5-1.15-improve-bad-password-inference.patch
@ -1,7 +1,7 @@
-From c8938509344921906aa74d31eb6befe58055fc1d Mon Sep 17 00:00:00 2001
+From e9517473b649a50ab7414788fb5d6c2715ac8ee4 Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Mon, 25 Jul 2016 13:28:43 -0400
-Subject: [PATCH 2/3] Improve bad password inference in kinit
+Subject: [PATCH 17/19] Improve bad password inference in kinit
 kinit currently outputs "Password incorrect" if it sees a
 bad-integrity error code, which results if the KDC reply couldn't be
--- a/Set-prompt-type-for-OTP-preauth-prompt.patch
+++ b/Set-prompt-type-for-OTP-preauth-prompt.patch
@ -1,7 +1,7 @@
-From 4885a9b10ddf457f290ff5e9ce4a9a99765cfd1d Mon Sep 17 00:00:00 2001
+From dc032c01a5c23eb199a267d9ab650eef02c2dd01 Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Mon, 25 Jul 2016 13:23:31 -0400
-Subject: [PATCH 1/3] Set prompt type for OTP preauth prompt
+Subject: [PATCH 16/19] Set prompt type for OTP preauth prompt
 Add k5_set_prompt_type() calls around the prompter invocation in
 preauth_otp.c, and add the comment we conventionally put before
@ -14,7 +14,7 @@ ticket: 8464 (new)
 1 file changed, 5 insertions(+)
 diff --git a/src/lib/krb5/krb/preauth_otp.c b/src/lib/krb5/krb/preauth_otp.c
-index 3de528b..01c48b4 100644
+index 37f98b2..48fcbb5 100644
 --- a/src/lib/krb5/krb/preauth_otp.c
 +++ b/src/lib/krb5/krb/preauth_otp.c
@@ -31,6 +31,7 @@
--- a/krb5-1.11-kpasswdtest.patch
+++ b/krb5-1.11-kpasswdtest.patch
@ -1,6 +1,17 @@
--- krb5-1.11.3/src/kadmin/testing/proto/krb5.conf.proto
+From 61389fb098b36c1927ad01e4efa51f38da39176a Mon Sep 17 00:00:00 2001
-+++ krb5-1.11.3/src/kadmin/testing/proto/krb5.conf.proto
+From: Robbie Harwood <rharwood@redhat.com>
-@@ -7,6 +7,7 @@
+Date: Tue, 23 Aug 2016 16:52:01 -0400
 Subject: [PATCH 11/19] krb5-1.11-kpasswdtest.patch
 ---
 src/kadmin/testing/proto/krb5.conf.proto | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/src/kadmin/testing/proto/krb5.conf.proto b/src/kadmin/testing/proto/krb5.conf.proto
 index e9702bb..482fda6 100644
 --- a/src/kadmin/testing/proto/krb5.conf.proto
 +++ b/src/kadmin/testing/proto/krb5.conf.proto
@@ -8,6 +8,7 @@
 	__REALM__ = {
 		kdc = __KDCHOST__:1750
 		admin_server = __KDCHOST__:1751
@ -8,3 +19,6 @@
 		database_module = foobar_db2_module_blah
 	}
 -- 
 2.9.3
--- a/krb5-1.11-run_user_0.patch
+++ b/krb5-1.11-run_user_0.patch
@ -1,9 +1,19 @@
 From 8f81af0f10a917a000a12c9b344b3f801c939666 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 23 Aug 2016 16:49:57 -0400
 Subject: [PATCH 10/19] krb5-1.11-run_user_0.patch
 A hack: if we're looking at creating a ccache directory directly below
 the /run/user/0 directory, and /run/user/0 doesn't exist, try to create
 it, too.
 ---
 src/lib/krb5/ccache/cc_dir.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
--- krb5/src/lib/krb5/ccache/cc_dir.c
+diff --git a/src/lib/krb5/ccache/cc_dir.c b/src/lib/krb5/ccache/cc_dir.c
-+++ krb5/src/lib/krb5/ccache/cc_dir.c
+index 73f0fe6..4850c0d 100644
 --- a/src/lib/krb5/ccache/cc_dir.c
 +++ b/src/lib/krb5/ccache/cc_dir.c
@@ -61,6 +61,8 @@
 #include <dirent.h>
@ -13,7 +23,7 @@ it, too.
 extern const krb5_cc_ops krb5_dcc_ops;
 extern const krb5_cc_ops krb5_fcc_ops;
-@@ -239,6 +241,18 @@
+@@ -237,6 +239,18 @@ verify_dir(krb5_context context, const char *dirname)
     if (stat(dirname, &st) < 0) {
         if (errno == ENOENT) {
@ -32,3 +42,6 @@ it, too.
 #ifdef USE_SELINUX
             selabel = krb5int_push_fscreatecon_for(dirname);
 #endif
 -- 
 2.9.3
--- a/krb5-1.12-api.patch
+++ b/krb5-1.12-api.patch
@ -1,10 +1,20 @@
 From 9ca4f0e1081e667ebc9150097559f5fe85595e33 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 23 Aug 2016 16:47:00 -0400
 Subject: [PATCH 07/19] krb5-1.12-api.patch
 Reference docs don't define what happens if you call krb5_realm_compare() with
 malformed krb5_principal structures.  Define a behavior which keeps it from
 crashing if applications don't check ahead of time.
 ---
 src/lib/krb5/krb/princ_comp.c | 7 +++++++
 1 file changed, 7 insertions(+)
--- krb5/src/lib/krb5/krb/princ_comp.c
+diff --git a/src/lib/krb5/krb/princ_comp.c b/src/lib/krb5/krb/princ_comp.c
-+++ krb5/src/lib/krb5/krb/princ_comp.c
+index a693610..0ed7883 100644
-@@ -41,6 +41,10 @@ realm_compare_flags(krb5_context context
+--- a/src/lib/krb5/krb/princ_comp.c
 +++ b/src/lib/krb5/krb/princ_comp.c
@@ -36,6 +36,10 @@ realm_compare_flags(krb5_context context,
     const krb5_data *realm1 = &princ1->realm;
     const krb5_data *realm2 = &princ2->realm;
@ -15,7 +25,7 @@ crashing if applications don't check ahead of time.
     if (realm1->length != realm2->length)
         return FALSE;
     if (realm1->length == 0)
-@@ -92,6 +98,9 @@ krb5_principal_compare_flags(krb5_contex
+@@ -88,6 +92,9 @@ krb5_principal_compare_flags(krb5_context context,
     krb5_principal upn2 = NULL;
     krb5_boolean ret = FALSE;
@ -25,3 +35,6 @@ crashing if applications don't check ahead of time.
     if (flags & KRB5_PRINCIPAL_COMPARE_ENTERPRISE) {
         /* Treat UPNs as if they were real principals */
         if (princ1->type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
 -- 
 2.9.3
--- a/krb5-1.12-buildconf.patch
+++ b/krb5-1.12-buildconf.patch
@ -1,33 +1,24 @@
 From 1df0a74f88f044f1e538e3d4fda13bbceb76e68b Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 23 Aug 2016 16:45:26 -0400
 Subject: [PATCH 05/19] krb5-1.12-buildconf.patch
 Build binaries in this package as RELRO PIEs, libraries as partial RELRO,
 and install shared libraries with the execute bit set on them.  Prune out
 the -L/usr/lib* and PIE flags where they might leak out and affect
 apps which just want to link with the libraries. FIXME: needs to check and
 not just assume that the compiler supports using these flags.
 ---
 src/build-tools/krb5-config.in | 7 +++++++
 src/config/pre.in              | 2 +-
 src/config/shlib.conf          | 5 +++--
 3 files changed, 11 insertions(+), 3 deletions(-)
--- krb5/src/config/shlib.conf
+diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in
-+++ krb5/src/config/shlib.conf
+index c17cb5e..1891dea 100755
-@@ -419,7 +419,7 @@ mips-*-netbsd*)
+--- a/src/build-tools/krb5-config.in
- 	SHLIBEXT=.so
+++ b/src/build-tools/krb5-config.in
- 	# Linux ld doesn't default to stuffing the SONAME field...
+@@ -226,6 +226,13 @@ if test -n "$do_libs"; then
 	# Use objdump -x to examine the fields of the library
 -	LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT),--no-undefined'
 +	LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT),--no-undefined -Wl,-z,relro -Wl,--warn-shared-textrel'
 	# 
 	LDCOMBINE_TAIL='-Wl,--version-script binutils.versions && $(PERL) -w $(top_srcdir)/util/export-check.pl $(SHLIB_EXPORT_FILE) $@'
 	SHLIB_EXPORT_FILE_DEP=binutils.versions
@@ -430,7 +430,8 @@
 	SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
 	PROFFLAGS=-pg
 	PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
 -	CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)'
 +	CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro -Wl,-z,now $(LDFLAGS)'
 +	INSTALL_SHLIB='${INSTALL} -m755'
 	CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
 	CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
 	CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)'
 --- krb5/src/build-tools/krb5-config.in
 +++ krb5/src/build-tools/krb5-config.in
@@ -189,6 +189,13 @@ if test -n "$do_libs"; then
 	    -e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \
 	    -e 's#\$(CFLAGS)##'`
@ -41,9 +32,11 @@ not just assume that the compiler supports using these flags.
     if test $library = 'kdb'; then
 	lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB"
 	library=krb5
--- krb5/src/config/pre.in
+diff --git a/src/config/pre.in b/src/config/pre.in
-+++ krb5/src/config/pre.in
+index 63271e7..c100fef 100644
-@@ -188,7 +188,7 @@
+--- a/src/config/pre.in
 +++ b/src/config/pre.in
@@ -182,7 +182,7 @@ INSTALL_PROGRAM=@INSTALL_PROGRAM@ $(INSTALL_STRIP)
 INSTALL_SCRIPT=@INSTALL_PROGRAM@
 INSTALL_DATA=@INSTALL_DATA@
 INSTALL_SHLIB=@INSTALL_SHLIB@
@ -52,3 +45,29 @@ not just assume that the compiler supports using these flags.
 ## This is needed because autoconf will sometimes define @exec_prefix@ to be
 ## ${prefix}.
 prefix=@prefix@
 diff --git a/src/config/shlib.conf b/src/config/shlib.conf
 index 55f16be..f4a762c 100644
 --- a/src/config/shlib.conf
 +++ b/src/config/shlib.conf
@@ -422,7 +422,7 @@ mips-*-netbsd*)
 	SHLIBEXT=.so
 	# Linux ld doesn't default to stuffing the SONAME field...
 	# Use objdump -x to examine the fields of the library
 -	LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT),--no-undefined'
 +	LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT),--no-undefined -Wl,-z,relro -Wl,--warn-shared-textrel'
 	# 
 	LDCOMBINE_TAIL='-Wl,--version-script binutils.versions && $(PERL) -w $(top_srcdir)/util/export-check.pl $(SHLIB_EXPORT_FILE) $@'
 	SHLIB_EXPORT_FILE_DEP=binutils.versions
@@ -433,7 +433,8 @@ mips-*-netbsd*)
 	SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
 	PROFFLAGS=-pg
 	PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
 -	CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)'
 +	CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro -Wl,-z,now $(LDFLAGS)'
 +	INSTALL_SHLIB='${INSTALL} -m755'
 	CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
 	CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
 	CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)'
 -- 
 2.9.3
--- a/krb5-1.12-ksu-path.patch
+++ b/krb5-1.12-ksu-path.patch
@ -1,7 +1,17 @@
-Set the default PATH to the one set by login.
+From a33c34eabf9cd4d98d633994bfcf19359ff087a6 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 23 Aug 2016 16:32:09 -0400
 Subject: [PATCH 03/19] krb5-1.12-ksu-path.patch
--- krb5/src/clients/ksu/Makefile.in
+Set the default PATH to the one set by login.
-+++ krb5/src/clients/ksu/Makefile.in
+---
 src/clients/ksu/Makefile.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/clients/ksu/Makefile.in b/src/clients/ksu/Makefile.in
 index ad2406a..1379c4a 100644
 --- a/src/clients/ksu/Makefile.in
 +++ b/src/clients/ksu/Makefile.in
@@ -1,6 +1,6 @@
 mydir=clients$(S)ksu
 BUILDTOP=$(REL)..$(S)..
@ -10,3 +20,6 @@ Set the default PATH to the one set by login.
 KSU_LIBS=@KSU_LIBS@
 PAM_LIBS=@PAM_LIBS@
 -- 
 2.9.3
--- a/krb5-1.12-ktany.patch
+++ b/krb5-1.12-ktany.patch
@ -1,10 +1,51 @@
 From f02d4a098b5e94df15ae39e9fad79e861e6c6483 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 23 Aug 2016 16:33:53 -0400
 Subject: [PATCH 04/19] krb5-1.12-ktany.patch
 Adds an "ANY" keytab type which is a list of other keytab locations to search
 when searching for a specific entry.  When iterated through, it only presents
 the contents of the first keytab.
 ---
 src/lib/krb5/keytab/Makefile.in |   3 +
 src/lib/krb5/keytab/kt_any.c    | 292 ++++++++++++++++++++++++++++++++++++++++
 src/lib/krb5/keytab/ktbase.c    |   7 +-
 3 files changed, 301 insertions(+), 1 deletion(-)
 create mode 100644 src/lib/krb5/keytab/kt_any.c
-diff -up /dev/null krb5-1.7/src/lib/krb5/keytab/kt_any.c
+diff --git a/src/lib/krb5/keytab/Makefile.in b/src/lib/krb5/keytab/Makefile.in
--- /dev/null	2009-06-04 10:34:55.169007373 -0400
+index 28485d5..c17ab82 100644
-+++ krb5-1.7/src/lib/krb5/keytab/kt_any.c	2009-06-04 13:54:36.000000000 -0400
+--- a/src/lib/krb5/keytab/Makefile.in
 +++ b/src/lib/krb5/keytab/Makefile.in
@@ -12,6 +12,7 @@ STLIBOBJS= \
 	ktfr_entry.o	\
 	ktremove.o	\
 	ktfns.o		\
 +	kt_any.o	\
 	kt_file.o	\
 	kt_memory.o	\
 	kt_srvtab.o	\
@@ -24,6 +25,7 @@ OBJS=	\
 	$(OUTPRE)ktfr_entry.$(OBJEXT)	\
 	$(OUTPRE)ktremove.$(OBJEXT)	\
 	$(OUTPRE)ktfns.$(OBJEXT)	\
 +	$(OUTPRE)kt_any.$(OBJEXT)	\
 	$(OUTPRE)kt_file.$(OBJEXT)	\
 	$(OUTPRE)kt_memory.$(OBJEXT)	\
 	$(OUTPRE)kt_srvtab.$(OBJEXT)	\
@@ -36,6 +38,7 @@ SRCS=	\
 	$(srcdir)/ktfr_entry.c	\
 	$(srcdir)/ktremove.c	\
 	$(srcdir)/ktfns.c	\
 +	$(srcdir)/kt_any.c	\
 	$(srcdir)/kt_file.c	\
 	$(srcdir)/kt_memory.c	\
 	$(srcdir)/kt_srvtab.c	\
 diff --git a/src/lib/krb5/keytab/kt_any.c b/src/lib/krb5/keytab/kt_any.c
 new file mode 100644
 index 0000000..1b9b776
 --- /dev/null
 +++ b/src/lib/krb5/keytab/kt_any.c
@@ -0,0 +1,292 @@
 +/*
 + * lib/krb5/keytab/kt_any.c
@ -298,10 +339,11 @@ diff -up /dev/null krb5-1.7/src/lib/krb5/keytab/kt_any.c
 +    free(data->choices);
 +    free(data);
 +}
-diff -up krb5-1.7/src/lib/krb5/keytab/ktbase.c krb5-1.7/src/lib/krb5/keytab/ktbase.c
+diff --git a/src/lib/krb5/keytab/ktbase.c b/src/lib/krb5/keytab/ktbase.c
--- krb5-1.7/src/lib/krb5/keytab/ktbase.c	2009-02-18 13:18:56.000000000 -0500
+index 0d39b29..6534d7c 100644
-+++ krb5-1.7/src/lib/krb5/keytab/ktbase.c	2009-06-04 13:54:36.000000000 -0400
+--- a/src/lib/krb5/keytab/ktbase.c
-@@ -59,14 +59,19 @@ extern const krb5_kt_ops krb5_ktf_ops;
+++ b/src/lib/krb5/keytab/ktbase.c
@@ -57,14 +57,19 @@ extern const krb5_kt_ops krb5_ktf_ops;
 extern const krb5_kt_ops krb5_ktf_writable_ops;
 extern const krb5_kt_ops krb5_kts_ops;
 extern const krb5_kt_ops krb5_mkt_ops;
@ -322,30 +364,6 @@ diff -up krb5-1.7/src/lib/krb5/keytab/ktbase.c krb5-1.7/src/lib/krb5/keytab/ktba
 };
 const static struct krb5_kt_typelist krb5_kt_typelist_memory = {
     &krb5_mkt_ops,
-diff -up krb5-1.7/src/lib/krb5/keytab/Makefile.in krb5-1.7/src/lib/krb5/keytab/Makefile.in
+-- 
--- krb5-1.7/src/lib/krb5/keytab/Makefile.in	2009-01-05 15:27:53.000000000 -0500
+2.9.3
-+++ krb5-1.7/src/lib/krb5/keytab/Makefile.in	2009-06-04 13:54:36.000000000 -0400
+
@@ -19,6 +19,7 @@ STLIBOBJS= \
 	ktfr_entry.o	\
 	ktremove.o	\
 	ktfns.o		\
 +	kt_any.o	\
 	kt_file.o	\
 	kt_memory.o	\
 	kt_srvtab.o	\
@@ -31,6 +32,7 @@ OBJS=	\
 	$(OUTPRE)ktfr_entry.$(OBJEXT)	\
 	$(OUTPRE)ktremove.$(OBJEXT)	\
 	$(OUTPRE)ktfns.$(OBJEXT)	\
 +	$(OUTPRE)kt_any.$(OBJEXT)	\
 	$(OUTPRE)kt_file.$(OBJEXT)	\
 	$(OUTPRE)kt_memory.$(OBJEXT)	\
 	$(OUTPRE)kt_srvtab.$(OBJEXT)	\
@@ -43,6 +45,7 @@ SRCS=	\
 	$(srcdir)/ktfr_entry.c	\
 	$(srcdir)/ktremove.c	\
 	$(srcdir)/ktfns.c	\
 +	$(srcdir)/kt_any.c	\
 	$(srcdir)/kt_file.c	\
 	$(srcdir)/kt_memory.c	\
 	$(srcdir)/kt_srvtab.c	\
--- a/krb5-1.12.1-pam.patch
+++ b/krb5-1.12.1-pam.patch
@ -1,3 +1,8 @@
 From 74b07bf5a3c73f2d46ddfa4a03baa76b19ee1681 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 23 Aug 2016 16:29:58 -0400
 Subject: [PATCH 01/19] krb5-1.12.1-pam.patch
 Modify ksu so that it performs account and session management on behalf of
 the target user account, mimicking the action of regular su.  The default
 service name is "ksu", because on Fedora at least the configuration used
@ -11,11 +16,22 @@ When enabled, ksu gains a dependency on libpam.
 Originally RT#5939, though it's changed since then to perform the account
 and session management before dropping privileges, and to apply on top of
 changes we're proposing for how it handles cache collections.
 ---
 src/aclocal.m4              |  67 ++++++++
 src/clients/ksu/Makefile.in |   8 +-
 src/clients/ksu/main.c      |  88 +++++++++-
 src/clients/ksu/pam.c       | 389 ++++++++++++++++++++++++++++++++++++++++++++
 src/clients/ksu/pam.h       |  57 +++++++
 src/configure.in            |   2 +
 6 files changed, 608 insertions(+), 3 deletions(-)
 create mode 100644 src/clients/ksu/pam.c
 create mode 100644 src/clients/ksu/pam.h
-diff -up krb5/src/aclocal.m4.pam krb5/src/aclocal.m4
+diff --git a/src/aclocal.m4 b/src/aclocal.m4
--- krb5/src/aclocal.m4.pam	2009-11-22 12:00:45.000000000 -0500
+index dbb7db2..ce045ab 100644
-+++ krb5/src/aclocal.m4	2010-03-05 10:48:08.000000000 -0500
+--- a/src/aclocal.m4
-@@ -1703,3 +1703,70 @@ AC_DEFUN(KRB5_AC_KEYRING_CCACHE,[
+++ b/src/aclocal.m4
@@ -1672,3 +1672,70 @@ AC_DEFUN(KRB5_AC_PERSISTENT_KEYRING,[
       ]))
 ])dnl
 dnl
@ -86,9 +102,48 @@ diff -up krb5/src/aclocal.m4.pam krb5/src/aclocal.m4
 +AC_SUBST(PAM_MAN)
 +AC_SUBST(NON_PAM_MAN)
 +])dnl
-diff -up krb5/src/clients/ksu/main.c.pam krb5/src/clients/ksu/main.c
+diff --git a/src/clients/ksu/Makefile.in b/src/clients/ksu/Makefile.in
--- krb5/src/clients/ksu/main.c.pam	2009-11-02 22:27:56.000000000 -0500
+index c705fda..ad2406a 100644
-+++ krb5/src/clients/ksu/main.c	2010-03-05 10:48:08.000000000 -0500
+--- a/src/clients/ksu/Makefile.in
 +++ b/src/clients/ksu/Makefile.in
@@ -3,12 +3,14 @@ BUILDTOP=$(REL)..$(S)..
 DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"'
 KSU_LIBS=@KSU_LIBS@
 +PAM_LIBS=@PAM_LIBS@
 SRCS = \
 	$(srcdir)/krb_auth_su.c \
 	$(srcdir)/ccache.c \
 	$(srcdir)/authorization.c \
 	$(srcdir)/main.c \
 +	$(srcdir)/pam.c \
 	$(srcdir)/heuristic.c \
 	$(srcdir)/xmalloc.c \
 	$(srcdir)/setenv.c
@@ -17,13 +19,17 @@ OBJS = \
 	ccache.o \
 	authorization.o \
 	main.o \
 +	pam.o \
 	heuristic.o \
 	xmalloc.o @SETENVOBJ@
 all:: ksu
 ksu: $(OBJS) $(KRB5_BASE_DEPLIBS)
 -	$(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS)
 +	$(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS) $(PAM_LIBS)
 +
 +pam.o: pam.c
 +	$(CC) $(ALL_CFLAGS) -c $<
 clean::
 	$(RM) ksu
 diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
 index 2f8d8e1..1b2ca83 100644
 --- a/src/clients/ksu/main.c
 +++ b/src/clients/ksu/main.c
@@ -26,6 +26,7 @@
  * KSU was writen by:  Ari Medvinsky, ari@isi.edu
  */
@ -116,7 +171,7 @@ diff -up krb5/src/clients/ksu/main.c.pam krb5/src/clients/ksu/main.c
 /***********/
 #define KS_TEMPORARY_CACHE "MEMORY:_ksu"
-@@ -586,6 +592,23 @@ main (argc, argv)
+@@ -514,6 +520,23 @@ main (argc, argv)
                prog_name,target_user,client_name,
                source_user,ontty());
@ -140,7 +195,7 @@ diff -up krb5/src/clients/ksu/main.c.pam krb5/src/clients/ksu/main.c
         /* Run authorization as target.*/
         if (krb5_seteuid(target_uid)) {
             com_err(prog_name, errno, _("while switching to target for "
-@@ -651,6 +676,24 @@
+@@ -574,6 +597,24 @@ main (argc, argv)
             exit(1);
         }
@ -165,7 +220,7 @@ diff -up krb5/src/clients/ksu/main.c.pam krb5/src/clients/ksu/main.c
     }
     if( some_rest_copy){
-@@ -720,6 +745,30 @@
+@@ -631,6 +672,30 @@ main (argc, argv)
         exit(1);
     }
@ -196,7 +251,7 @@ diff -up krb5/src/clients/ksu/main.c.pam krb5/src/clients/ksu/main.c
     /* set permissions */
     if (setgid(target_pwd->pw_gid) < 0) {
         perror("ksu: setgid");
-@@ -792,7 +817,7 @@ main (argc, argv)
+@@ -728,7 +793,7 @@ main (argc, argv)
         fprintf(stderr, "program to be execed %s\n",params[0]);
     }
@ -205,7 +260,7 @@ diff -up krb5/src/clients/ksu/main.c.pam krb5/src/clients/ksu/main.c
         execv(params[0], params);
         com_err(prog_name, errno, _("while trying to execv %s"), params[0]);
         sweep_up(ksu_context, cc_target);
-@@ -823,16 +875,35 @@ main (argc, argv)
+@@ -758,16 +823,35 @@ main (argc, argv)
             if (ret_pid == -1) {
                 com_err(prog_name, errno, _("while calling waitpid"));
             }
@ -242,46 +297,11 @@ diff -up krb5/src/clients/ksu/main.c.pam krb5/src/clients/ksu/main.c
             exit (1);
         }
     }
-diff -up krb5/src/clients/ksu/Makefile.in.pam krb5/src/clients/ksu/Makefile.in
+diff --git a/src/clients/ksu/pam.c b/src/clients/ksu/pam.c
--- krb5/src/clients/ksu/Makefile.in.pam	2009-11-22 13:13:29.000000000 -0500
+new file mode 100644
-+++ krb5/src/clients/ksu/Makefile.in	2010-03-05 11:55:14.000000000 -0500
+index 0000000..cbfe487
-@@ -7,12 +7,14 @@
+--- /dev/null
- DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"'
+++ b/src/clients/ksu/pam.c
 KSU_LIBS=@KSU_LIBS@
 +PAM_LIBS=@PAM_LIBS@
 SRCS = \
 	$(srcdir)/krb_auth_su.c \
 	$(srcdir)/ccache.c \
 	$(srcdir)/authorization.c \
 	$(srcdir)/main.c \
 +	$(srcdir)/pam.c \
 	$(srcdir)/heuristic.c \
 	$(srcdir)/xmalloc.c \
 	$(srcdir)/setenv.c
@@ -21,13 +23,17 @@ OBJS = \
 	ccache.o \
 	authorization.o \
 	main.o \
 +	pam.o \
 	heuristic.o \
 	xmalloc.o @SETENVOBJ@
 all:: ksu
 ksu: $(OBJS) $(KRB5_BASE_DEPLIBS)
 -	$(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS)
 +	$(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS) $(PAM_LIBS)
 +
 +pam.o: pam.c
 +	$(CC) $(ALL_CFLAGS) -c $<
 clean::
 	$(RM) ksu
 diff -up krb5/src/clients/ksu/pam.c.pam krb5/src/clients/ksu/pam.c
 --- krb5/src/clients/ksu/pam.c.pam	2010-03-05 10:48:08.000000000 -0500
 +++ krb5/src/clients/ksu/pam.c	2010-03-05 10:48:08.000000000 -0500
@@ -0,0 +1,389 @@
 +/*
 + * src/clients/ksu/pam.c
@ -672,9 +692,11 @@ diff -up krb5/src/clients/ksu/pam.c.pam krb5/src/clients/ksu/pam.c
 +	return ret;
 +}
 +#endif
-diff -up krb5/src/clients/ksu/pam.h.pam krb5/src/clients/ksu/pam.h
+diff --git a/src/clients/ksu/pam.h b/src/clients/ksu/pam.h
--- krb5/src/clients/ksu/pam.h.pam	2010-03-05 10:48:08.000000000 -0500
+new file mode 100644
-+++ krb5/src/clients/ksu/pam.h	2010-03-05 10:48:08.000000000 -0500
+index 0000000..0ab7656
 --- /dev/null
 +++ b/src/clients/ksu/pam.h
@@ -0,0 +1,57 @@
 +/*
 + * src/clients/ksu/pam.h
@ -733,10 +755,11 @@ diff -up krb5/src/clients/ksu/pam.h.pam krb5/src/clients/ksu/pam.h
 +int appl_pam_cred_init(void);
 +void appl_pam_cleanup(void);
 +#endif
-diff -up krb5/src/configure.in.pam krb5/src/configure.in
+diff --git a/src/configure.in b/src/configure.in
--- krb5/src/configure.in.pam	2009-12-31 18:13:56.000000000 -0500
+index b2a8675..8846ca0 100644
-+++ krb5/src/configure.in	2010-03-05 10:48:08.000000000 -0500
+--- a/src/configure.in
-@@ -1051,6 +1051,8 @@ if test "$ac_cv_lib_socket" = "yes" -a "
+++ b/src/configure.in
@@ -1327,6 +1327,8 @@ AC_SUBST([VERTO_VERSION])
 AC_PATH_PROG(GROFF, groff)
@ -745,3 +768,6 @@ diff -up krb5/src/configure.in.pam krb5/src/configure.in
 # Make localedir work in autoconf 2.5x.
 if test "${localedir+set}" != set; then
     localedir='$(datadir)/locale'
 -- 
 2.9.3
--- a/krb5-1.13-dirsrv-accountlock.patch
+++ b/krb5-1.13-dirsrv-accountlock.patch
@ -1,10 +1,21 @@
 From f7538a0621d6b593e31f2031570a6f4678940241 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 23 Aug 2016 16:47:44 -0400
 Subject: [PATCH 08/19] krb5-1.13-dirsrv-accountlock.patch
 Treat 'nsAccountLock: true' the same as 'loginDisabled: true'.  Updated from
 original version filed as RT#5891.
 ---
 src/aclocal.m4                                    |  9 +++++++++
 src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c      | 17 +++++++++++++++++
 src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c |  3 +++
 3 files changed, 29 insertions(+)
-diff -up krb5-1.8/src/aclocal.m4.dirsrv-accountlock krb5-1.8/src/aclocal.m4
+diff --git a/src/aclocal.m4 b/src/aclocal.m4
--- krb5-1.8/src/aclocal.m4.dirsrv-accountlock	2010-03-05 11:03:09.000000000 -0500
+index ed343c5..f67eef7 100644
-+++ krb5-1.8/src/aclocal.m4	2010-03-05 11:03:10.000000000 -0500
+--- a/src/aclocal.m4
-@@ -1656,6 +1656,15 @@ if test $with_ldap = yes; then
+++ b/src/aclocal.m4
@@ -1653,6 +1653,15 @@ if test "$with_ldap" = yes; then
   AC_MSG_NOTICE(enabling OpenLDAP database backend module support)
   OPENLDAP_PLUGIN=yes
 fi
@ -20,10 +31,11 @@ diff -up krb5-1.8/src/aclocal.m4.dirsrv-accountlock krb5-1.8/src/aclocal.m4
 ])dnl
 dnl
 dnl If libkeyutils exists (on Linux) include it and use keyring ccache
-diff -up krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c.dirsrv-accountlock krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
--- krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c.dirsrv-accountlock	2009-11-24 18:52:25.000000000 -0500
+index aca8f31..0a0968c 100644
-+++ krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c	2010-03-05 11:03:10.000000000 -0500
+--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
-@@ -1546,6 +1546,23 @@ populate_krb5_db_entry(krb5_context cont
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
@@ -1545,6 +1545,23 @@ populate_krb5_db_entry(krb5_context context, krb5_ldap_context *ldap_context,
     ret = krb5_dbe_update_tl_data(context, entry, &userinfo_tl_data);
     if (ret)
         goto cleanup;
@ -47,11 +59,11 @@ diff -up krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c.dirsrv-accountloc
     ret = krb5_read_tkt_policy(context, ldap_context, entry, tktpolname);
     if (ret)
-         goto cleanup;
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
-diff -up krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c.dirsrv-accountlock krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
+index 6a06f55..1f87e21 100644
--- krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c.dirsrv-accountlock	2009-11-24 18:52:25.000000000 -0500
+--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
-+++ krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c	2010-03-05 11:03:10.000000000 -0500
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
-@@ -59,6 +59,9 @@ char     *principal_attributes[] = { "kr
+@@ -54,6 +54,9 @@ char     *principal_attributes[] = { "krbprincipalname",
                                      "krbLastFailedAuth",
                                      "krbLoginFailedCount",
                                      "krbLastSuccessfulAuth",
@ -61,3 +73,6 @@ diff -up krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c.dirsrv-accou
                                      "krbLastPwdChange",
                                      "krbLastAdminUnlock",
                                      "krbExtraData",
 -- 
 2.9.3
--- a/krb5-1.13-selinux-label.patch
+++ b/krb5-1.13-selinux-label.patch
@ -1,3 +1,8 @@
 From 2af05336edb5a2f86db22ee2937626a219f090f6 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 23 Aug 2016 16:30:53 -0400
 Subject: [PATCH 02/19] krb5-1.13-selinux-label.patch
 SELinux bases access to files on the domain of the requesting process,
 the operation being performed, and the context applied to the file.
@ -30,10 +35,42 @@ stomp all over us.
 The selabel APIs for looking up the context should be thread-safe (per
 Red Hat #273081), so switching to using them instead of matchpathcon(),
 which we used earlier, is some improvement.
 ---
 src/aclocal.m4                                     |  49 +++
 src/build-tools/krb5-config.in                     |   3 +-
 src/config/pre.in                                  |   3 +-
 src/configure.in                                   |   2 +
 src/include/k5-int.h                               |   1 +
 src/include/k5-label.h                             |  32 ++
 src/include/krb5/krb5.hin                          |   6 +
 src/kadmin/dbutil/dump.c                           |  11 +-
 src/kdc/main.c                                     |   2 +-
 src/lib/kadm5/logger.c                             |   4 +-
 src/lib/kdb/kdb_log.c                              |   2 +-
 src/lib/krb5/ccache/cc_dir.c                       |  26 +-
 src/lib/krb5/keytab/kt_file.c                      |   4 +-
 src/lib/krb5/os/trace.c                            |   2 +-
 src/lib/krb5/rcache/rc_dfl.c                       |  13 +
 src/plugins/kdb/db2/adb_openclose.c                |   2 +-
 src/plugins/kdb/db2/kdb_db2.c                      |   4 +-
 src/plugins/kdb/db2/libdb2/btree/bt_open.c         |   3 +-
 src/plugins/kdb/db2/libdb2/hash/hash.c             |   3 +-
 src/plugins/kdb/db2/libdb2/recno/rec_open.c        |   4 +-
 .../kdb/ldap/ldap_util/kdb5_ldap_services.c        |  11 +-
 src/slave/kpropd.c                                 |   9 +
 src/util/gss-kernel-lib/Makefile.in                |   5 +-
 src/util/profile/prof_file.c                       |   3 +-
 src/util/support/Makefile.in                       |   3 +-
 src/util/support/selinux.c                         | 381 +++++++++++++++++++++
 26 files changed, 566 insertions(+), 22 deletions(-)
 create mode 100644 src/include/k5-label.h
 create mode 100644 src/util/support/selinux.c
--- krb5/src/aclocal.m4
+diff --git a/src/aclocal.m4 b/src/aclocal.m4
-+++ krb5/src/aclocal.m4
+index ce045ab..311f099 100644
-@@ -103,6 +103,7 @@ AC_SUBST_FILE(libnodeps_frag)
+--- a/src/aclocal.m4
 +++ b/src/aclocal.m4
@@ -87,6 +87,7 @@ AC_SUBST_FILE(libnodeps_frag)
 dnl
 KRB5_AC_PRAGMA_WEAK_REF
 WITH_LDAP
@ -41,7 +78,7 @@ which we used earlier, is some improvement.
 KRB5_LIB_PARAMS
 KRB5_AC_INITFINI
 KRB5_AC_ENABLE_THREADS
-@@ -1791,3 +1792,51 @@ AC_SUBST(manlocalstatedir)
+@@ -1739,3 +1740,51 @@ AC_SUBST(PAM_LIBS)
 AC_SUBST(PAM_MAN)
 AC_SUBST(NON_PAM_MAN)
 ])dnl
@ -93,9 +130,32 @@ which we used earlier, is some improvement.
 +LIBS="$old_LIBS"
 +AC_SUBST(SELINUX_LIBS)
 +])dnl
--- krb5/src/config/pre.in
+diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in
-+++ krb5/src/config/pre.in
+index f6184da..c17cb5e 100755
-@@ -180,6 +180,7 @@ LD_UNRESOLVED_PREFIX = @LD_UNRESOLVED_PREFIX@
+--- a/src/build-tools/krb5-config.in
 +++ b/src/build-tools/krb5-config.in
@@ -41,6 +41,7 @@ DL_LIB='@DL_LIB@'
 DEFCCNAME='@DEFCCNAME@'
 DEFKTNAME='@DEFKTNAME@'
 DEFCKTNAME='@DEFCKTNAME@'
 +SELINUX_LIBS='@SELINUX_LIBS@'
 LIBS='@LIBS@'
 GEN_LIB=@GEN_LIB@
@@ -255,7 +256,7 @@ if test -n "$do_libs"; then
     fi
     # If we ever support a flag to generate output suitable for static
 -    # linking, we would output "-lkrb5support $GEN_LIB $LIBS $DL_LIB"
 +    # linking, we would output "-lkrb5support $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB"
     # here.
     echo $lib_flags
 diff --git a/src/config/pre.in b/src/config/pre.in
 index b0d9015..63271e7 100644
 --- a/src/config/pre.in
 +++ b/src/config/pre.in
@@ -174,6 +174,7 @@ LD = $(PURE) @LD@
 KRB_INCLUDES = -I$(BUILDTOP)/include -I$(top_srcdir)/include
 LDFLAGS = @LDFLAGS@
 LIBS = @LIBS@
@ -103,7 +163,7 @@ which we used earlier, is some improvement.
 INSTALL=@INSTALL@
 INSTALL_STRIP=
-@@ -379,7 +380,7 @@ SUPPORT_LIB			= -l$(SUPPORT_LIBNAME)
+@@ -395,7 +396,7 @@ SUPPORT_LIB			= -l$(SUPPORT_LIBNAME)
 # HESIOD_LIBS is -lhesiod...
 HESIOD_LIBS	= @HESIOD_LIBS@
@ -112,9 +172,11 @@ which we used earlier, is some improvement.
 KDB5_LIBS	= $(KDB5_LIB) $(GSSRPC_LIBS)
 GSS_LIBS	= $(GSS_KRB5_LIB)
 # needs fixing if ever used on Mac OS X!
--- krb5/src/configure.in
+diff --git a/src/configure.in b/src/configure.in
-+++ krb5/src/configure.in
+index 8846ca0..9ec8d84 100644
-@@ -1053,6 +1053,8 @@ fi
+--- a/src/configure.in
 +++ b/src/configure.in
@@ -1329,6 +1329,8 @@ AC_PATH_PROG(GROFF, groff)
 KRB5_WITH_PAM
@ -123,8 +185,10 @@ which we used earlier, is some improvement.
 # Make localedir work in autoconf 2.5x.
 if test "${localedir+set}" != set; then
     localedir='$(datadir)/locale'
--- krb5/src/include/k5-int.h
+diff --git a/src/include/k5-int.h b/src/include/k5-int.h
-+++ krb5/src/include/k5-int.h
+index 41c3d1b..6b7b2e3 100644
 --- a/src/include/k5-int.h
 +++ b/src/include/k5-int.h
@@ -129,6 +129,7 @@ typedef unsigned char   u_char;
@ -133,8 +197,11 @@ which we used earlier, is some improvement.
 #define KRB5_KDB_MAX_LIFE       (60*60*24) /* one day */
 #define KRB5_KDB_MAX_RLIFE      (60*60*24*7) /* one week */
--- krb5/src/include/k5-label.h
+diff --git a/src/include/k5-label.h b/src/include/k5-label.h
-+++ krb5/src/include/k5-label.h
+new file mode 100644
 index 0000000..dfaaa84
 --- /dev/null
 +++ b/src/include/k5-label.h
@@ -0,0 +1,32 @@
 +#ifndef _KRB5_LABEL_H
 +#define _KRB5_LABEL_H
@ -168,8 +235,10 @@ which we used earlier, is some improvement.
 +#define THREEPARAMOPEN(x,y,z) open(x,y,z)
 +#endif
 +#endif
--- krb5/src/include/krb5/krb5.hin
+diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
-+++ krb5/src/include/krb5/krb5.hin
+index e2c08ae..c93a0f2 100644
 --- a/src/include/krb5/krb5.hin
 +++ b/src/include/krb5/krb5.hin
@@ -87,6 +87,12 @@
 #define THREEPARAMOPEN(x,y,z) open(x,y,z)
 #endif
@ -183,9 +252,11 @@ which we used earlier, is some improvement.
 #define KRB5_OLD_CRYPTO
 #include <stdlib.h>
--- krb5/src/kadmin/dbutil/dump.c
+diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c
-+++ krb5/src/kadmin/dbutil/dump.c
+index 253bf3f..9c8c3dc 100644
-@@ -376,12 +376,21 @@ create_ofile(char *ofile, char **tmpname
+--- a/src/kadmin/dbutil/dump.c
 +++ b/src/kadmin/dbutil/dump.c
@@ -148,12 +148,21 @@ create_ofile(char *ofile, char **tmpname)
 {
     int fd = -1;
     FILE *f;
@ -207,7 +278,7 @@ which we used earlier, is some improvement.
     if (fd == -1)
         goto error;
-@@ -514,7 +514,7 @@ prep_ok_file(krb5_context context, char
+@@ -194,7 +203,7 @@ prep_ok_file(krb5_context context, char *file_name, int *fd)
         return 0;
     }
@ -216,28 +287,24 @@ which we used earlier, is some improvement.
     if (*fd == -1) {
         com_err(progname, errno, _("while creating 'ok' file, '%s'"), file_ok);
         exit_status++;
--- krb5/src/build-tools/krb5-config.in
+diff --git a/src/kdc/main.c b/src/kdc/main.c
-+++ krb5/src/build-tools/krb5-config.in
+index 82dfc0e..936f46b 100644
-@@ -38,6 +38,7 @@ RPATH_FLAG='@RPATH_FLAG@'
+--- a/src/kdc/main.c
- DEFCCNAME='@DEFCCNAME@'
+++ b/src/kdc/main.c
- DEFKTNAME='@DEFKTNAME@'
+@@ -847,7 +847,7 @@ write_pid_file(const char *path)
- DEFCKTNAME='@DEFCKTNAME@'
+     FILE *file;
-+SELINUX_LIBS='@SELINUX_LIBS@'
+     unsigned long pid;
- LIBS='@LIBS@'
+-    file = fopen(path, "w");
- GEN_LIB=@GEN_LIB@
+    file = WRITABLEFOPEN(path, "w");
-@@ -218,7 +219,7 @@
+     if (file == NULL)
-     fi
+         return errno;
- 
+     pid = (unsigned long) getpid();
-     # If we ever support a flag to generate output suitable for static
+diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c
-    # linking, we would output "-lkrb5support $GEN_LIB $LIBS $DL_LIB"
+index 19c4355..64f9641 100644
-+    # linking, we would output "-lkrb5support $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB"
+--- a/src/lib/kadm5/logger.c
-     # here.
+++ b/src/lib/kadm5/logger.c
- 
+@@ -423,7 +423,7 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do
     echo $lib_flags
 --- krb5/src/lib/kadm5/logger.c
 +++ krb5/src/lib/kadm5/logger.c
@@ -425,7 +425,7 @@ krb5_klog_init(krb5_context kcontext, ch
                      * Check for append/overwrite, then open the file.
                      */
                     if (cp[4] == ':' || cp[4] == '=') {
@ -246,7 +313,7 @@ which we used earlier, is some improvement.
                         if (f) {
                             set_cloexec_file(f);
                             log_control.log_entries[i].lfu_filep = f;
-@@ -961,7 +961,7 @@ krb5_klog_reopen(krb5_context kcontext)
+@@ -959,7 +959,7 @@ krb5_klog_reopen(krb5_context kcontext)
              * In case the old logfile did not get moved out of the
              * way, open for append to prevent squashing the old logs.
              */
@ -255,9 +322,74 @@ which we used earlier, is some improvement.
             if (f) {
                 set_cloexec_file(f);
                 log_control.log_entries[lindex].lfu_filep = f;
--- krb5/src/lib/krb5/keytab/kt_file.c
+diff --git a/src/lib/kdb/kdb_log.c b/src/lib/kdb/kdb_log.c
-+++ krb5/src/lib/krb5/keytab/kt_file.c
+index 99cda59..523b99a 100644
-@@ -1050,7 +1050,7 @@ krb5_ktfileint_open(krb5_context context
+--- a/src/lib/kdb/kdb_log.c
 +++ b/src/lib/kdb/kdb_log.c
@@ -476,7 +476,7 @@ ulog_map(krb5_context context, const char *logname, uint32_t ulogentries)
     int ulogfd = -1;
     if (stat(logname, &st) == -1) {
 -        ulogfd = open(logname, O_RDWR | O_CREAT, 0600);
 +        ulogfd = THREEPARAMOPEN(logname, O_RDWR | O_CREAT, 0600);
         if (ulogfd == -1)
             return errno;
 diff --git a/src/lib/krb5/ccache/cc_dir.c b/src/lib/krb5/ccache/cc_dir.c
 index bba64e5..73f0fe6 100644
 --- a/src/lib/krb5/ccache/cc_dir.c
 +++ b/src/lib/krb5/ccache/cc_dir.c
@@ -183,10 +183,19 @@ write_primary_file(const char *primary_path, const char *contents)
     char *newpath = NULL;
     FILE *fp = NULL;
     int fd = -1, status;
 +#ifdef USE_SELINUX
 +    void *selabel;
 +#endif
     if (asprintf(&newpath, "%s.XXXXXX", primary_path) < 0)
         return ENOMEM;
 +#ifdef USE_SELINUX
 +    selabel = krb5int_push_fscreatecon_for(primary_path);
 +#endif
     fd = mkstemp(newpath);
 +#ifdef USE_SELINUX
 +    krb5int_pop_fscreatecon(selabel);
 +#endif
     if (fd < 0)
         goto cleanup;
 #ifdef HAVE_CHMOD
@@ -221,10 +230,23 @@ static krb5_error_code
 verify_dir(krb5_context context, const char *dirname)
 {
     struct stat st;
 +    int status;
 +#ifdef USE_SELINUX
 +    void *selabel;
 +#endif
     if (stat(dirname, &st) < 0) {
 -        if (errno == ENOENT && mkdir(dirname, S_IRWXU) == 0)
 -            return 0;
 +        if (errno == ENOENT) {
 +#ifdef USE_SELINUX
 +            selabel = krb5int_push_fscreatecon_for(dirname);
 +#endif
 +            status = mkdir(dirname, S_IRWXU);
 +#ifdef USE_SELINUX
 +            krb5int_pop_fscreatecon(selabel);
 +#endif
 +            if (status == 0)
 +                return 0;
 +        }
         k5_setmsg(context, KRB5_FCC_NOFILE,
                   _("Credential cache directory %s does not exist"),
                   dirname);
 diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c
 index e105a51..ff1fc54 100644
 --- a/src/lib/krb5/keytab/kt_file.c
 +++ b/src/lib/krb5/keytab/kt_file.c
@@ -1030,7 +1030,7 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode)
     KTCHECKLOCK(id);
     errno = 0;
@ -266,7 +398,7 @@ which we used earlier, is some improvement.
                         (mode == KRB5_LOCKMODE_EXCLUSIVE) ?
                         fopen_mode_rbplus : fopen_mode_rb);
     if (!KTFILEP(id)) {
-@@ -1058,7 +1058,7 @@ krb5_ktfileint_open(krb5_context context
+@@ -1038,7 +1038,7 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode)
             /* try making it first time around */
             k5_create_secure_file(context, KTFILENAME(id));
             errno = 0;
@ -275,20 +407,84 @@ which we used earlier, is some improvement.
             if (!KTFILEP(id))
                 goto report_errno;
             writevno = 1;
--- krb5/src/plugins/kdb/db2/adb_openclose.c
+diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c
-+++ krb5/src/plugins/kdb/db2/adb_openclose.c
+index 83c8d4d..a192461 100644
-@@ -201,7 +201,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char 
+--- a/src/lib/krb5/os/trace.c
 +++ b/src/lib/krb5/os/trace.c
@@ -397,7 +397,7 @@ krb5_set_trace_filename(krb5_context context, const char *filename)
     fd = malloc(sizeof(*fd));
     if (fd == NULL)
         return ENOMEM;
 -    *fd = open(filename, O_WRONLY|O_CREAT|O_APPEND, 0600);
 +    *fd = THREEPARAMOPEN(filename, O_WRONLY|O_CREAT|O_APPEND, 0600);
     if (*fd == -1) {
         free(fd);
         return errno;
 diff --git a/src/lib/krb5/rcache/rc_dfl.c b/src/lib/krb5/rcache/rc_dfl.c
 index 2fb6aa0..c453189 100644
 --- a/src/lib/krb5/rcache/rc_dfl.c
 +++ b/src/lib/krb5/rcache/rc_dfl.c
@@ -794,6 +794,9 @@ krb5_rc_dfl_expunge_locked(krb5_context context, krb5_rcache id)
     krb5_error_code retval = 0;
     krb5_rcache tmp;
     krb5_deltat lifespan = t->lifespan;  /* save original lifespan */
 +#ifdef USE_SELINUX
 +    void *selabel;
 +#endif
     if (! t->recovering) {
         name = t->name;
@@ -815,7 +818,17 @@ krb5_rc_dfl_expunge_locked(krb5_context context, krb5_rcache id)
     retval = krb5_rc_resolve(context, tmp, 0);
     if (retval)
         goto cleanup;
 +#ifdef USE_SELINUX
 +    if (t->d.fn != NULL)
 +        selabel = krb5int_push_fscreatecon_for(t->d.fn);
 +    else
 +        selabel = NULL;
 +#endif
     retval = krb5_rc_initialize(context, tmp, lifespan);
 +#ifdef USE_SELINUX
 +    if (selabel != NULL)
 +        krb5int_pop_fscreatecon(selabel);
 +#endif
     if (retval)
         goto cleanup;
     for (q = t->a; q; q = q->na) {
 diff --git a/src/plugins/kdb/db2/adb_openclose.c b/src/plugins/kdb/db2/adb_openclose.c
 index 7db30a3..2b9d019 100644
 --- a/src/plugins/kdb/db2/adb_openclose.c
 +++ b/src/plugins/kdb/db2/adb_openclose.c
@@ -152,7 +152,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char *filename, char *lockfilename,
          * needs be open read/write so that write locking can work with
          * POSIX systems
          */
         lockp->lockinfo.filename = strdup(lockfilename);
 -        if ((lockp->lockinfo.lockfile = fopen(lockfilename, "r+")) == NULL) {
 +        if ((lockp->lockinfo.lockfile = WRITABLEFOPEN(lockfilename, "r+")) == NULL) {
             /*
              * maybe someone took away write permission so we could only
              * get shared locks?
--- krb5/src/plugins/kdb/db2/libdb2/btree/bt_open.c
+diff --git a/src/plugins/kdb/db2/kdb_db2.c b/src/plugins/kdb/db2/kdb_db2.c
-+++ krb5/src/plugins/kdb/db2/libdb2/btree/bt_open.c
+index e97b841..5d1cd61 100644
-@@ -60,6 +60,7 @@ static char sccsid[] = "@(#)bt_open.c	8.
+--- a/src/plugins/kdb/db2/kdb_db2.c
 +++ b/src/plugins/kdb/db2/kdb_db2.c
@@ -694,8 +694,8 @@ ctx_create_db(krb5_context context, krb5_db2_context *dbc)
     if (retval)
         return retval;
 -    dbc->db_lf_file = open(dbc->db_lf_name, O_CREAT | O_RDWR | O_TRUNC,
 -                           0600);
 +    dbc->db_lf_file = THREEPARAMOPEN(dbc->db_lf_name,
 +                                     O_CREAT | O_RDWR | O_TRUNC, 0600);
     if (dbc->db_lf_file < 0) {
         retval = errno;
         goto cleanup;
 diff --git a/src/plugins/kdb/db2/libdb2/btree/bt_open.c b/src/plugins/kdb/db2/libdb2/btree/bt_open.c
 index 2977b17..d5809a5 100644
 --- a/src/plugins/kdb/db2/libdb2/btree/bt_open.c
 +++ b/src/plugins/kdb/db2/libdb2/btree/bt_open.c
@@ -60,6 +60,7 @@ static char sccsid[] = "@(#)bt_open.c	8.11 (Berkeley) 11/2/95";
 #include <string.h>
 #include <unistd.h>
@ -296,7 +492,7 @@ which we used earlier, is some improvement.
 #include "db-int.h"
 #include "btree.h"
-@@ -203,7 +204,7 @@ __bt_open(fname, flags, mode, openinfo, 
+@@ -203,7 +204,7 @@ __bt_open(fname, flags, mode, openinfo, dflags)
 			goto einval;
 		}
@ -305,9 +501,11 @@ which we used earlier, is some improvement.
 			goto err;
 	} else {
--- krb5/src/plugins/kdb/db2/libdb2/hash/hash.c
+diff --git a/src/plugins/kdb/db2/libdb2/hash/hash.c b/src/plugins/kdb/db2/libdb2/hash/hash.c
-+++ krb5/src/plugins/kdb/db2/libdb2/hash/hash.c
+index 2a5b4f8..7239d03 100644
-@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c	8.12 
+--- a/src/plugins/kdb/db2/libdb2/hash/hash.c
 +++ b/src/plugins/kdb/db2/libdb2/hash/hash.c
@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c	8.12 (Berkeley) 11/7/95";
 #include <assert.h>
 #endif
@ -315,7 +513,7 @@ which we used earlier, is some improvement.
 #include "db-int.h"
 #include "hash.h"
 #include "page.h"
-@@ -140,7 +141,7 @@ __kdb2_hash_open(file, flags, mode, info
+@@ -140,7 +141,7 @@ __kdb2_hash_open(file, flags, mode, info, dflags)
 		new_table = 1;
 	}
 	if (file) {
@ -324,9 +522,33 @@ which we used earlier, is some improvement.
 			RETURN_ERROR(errno, error0);
 		(void)fcntl(hashp->fp, F_SETFD, 1);
 	}
--- krb5/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
+diff --git a/src/plugins/kdb/db2/libdb2/recno/rec_open.c b/src/plugins/kdb/db2/libdb2/recno/rec_open.c
-+++ krb5/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
+index d8b26e7..b0daa7c 100644
-@@ -179,7 +179,7 @@ done:
+--- a/src/plugins/kdb/db2/libdb2/recno/rec_open.c
 +++ b/src/plugins/kdb/db2/libdb2/recno/rec_open.c
@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)rec_open.c	8.12 (Berkeley) 11/18/94";
 #include <stdio.h>
 #include <unistd.h>
 +#include "k5-int.h"
 #include "db-int.h"
 #include "recno.h"
@@ -68,7 +69,8 @@ __rec_open(fname, flags, mode, openinfo, dflags)
 	int rfd = -1, sverrno;
 	/* Open the user's file -- if this fails, we're done. */
 -	if (fname != NULL && (rfd = open(fname, flags | O_BINARY, mode)) < 0)
 +	if (fname != NULL &&
 +            (rfd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0)
 		return (NULL);
 	if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) {
 diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
 index 64d0f91..5d5c0a6 100644
 --- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
 +++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
@@ -178,7 +178,7 @@ done:
     /* set password in the file */
     old_mode = umask(0177);
@ -335,7 +557,7 @@ which we used earlier, is some improvement.
     if (pfile == NULL) {
         com_err(me, errno, _("Failed to open file %s: %s"), file_name,
                 strerror (errno));
-@@ -220,6 +220,9 @@ done:
+@@ -219,6 +219,9 @@ done:
          * Delete the existing entry and add the new entry
          */
         FILE *newfile;
@ -345,7 +567,7 @@ which we used earlier, is some improvement.
         mode_t omask;
-@@ -231,7 +234,13 @@ done:
+@@ -230,7 +233,13 @@ done:
         }
         omask = umask(077);
@ -359,9 +581,11 @@ which we used earlier, is some improvement.
         umask (omask);
         if (newfile == NULL) {
             com_err(me, errno, _("Error creating file %s"), tmp_file);
--- krb5/src/slave/kpropd.c
+diff --git a/src/slave/kpropd.c b/src/slave/kpropd.c
-+++ krb5/src/slave/kpropd.c
+index 1383156..a950924 100644
-@@ -437,6 +437,9 @@ void doit(fd)
+--- a/src/slave/kpropd.c
 +++ b/src/slave/kpropd.c
@@ -464,6 +464,9 @@ doit(int fd)
     krb5_enctype etype;
     int database_fd;
     char host[INET6_ADDRSTRLEN + 1];
@ -371,7 +595,7 @@ which we used earlier, is some improvement.
     signal_wrapper(SIGALRM, alarm_handler);
     alarm(params.iprop_resync_timeout);
-@@ -515,9 +518,15 @@ void doit(fd)
+@@ -520,9 +523,15 @@ doit(int fd)
         free(name);
         exit(1);
     }
@ -387,9 +611,37 @@ which we used earlier, is some improvement.
     retval = krb5_lock_file(kpropd_context, lock_fd,
                             KRB5_LOCKMODE_EXCLUSIVE | KRB5_LOCKMODE_DONTBLOCK);
     if (retval) {
--- krb5/src/util/profile/prof_file.c
+diff --git a/src/util/gss-kernel-lib/Makefile.in b/src/util/gss-kernel-lib/Makefile.in
-+++ krb5/src/util/profile/prof_file.c
+index f70f3c6..7a2f9cc 100644
-@@ -30,6 +30,7 @@
+--- a/src/util/gss-kernel-lib/Makefile.in
 +++ b/src/util/gss-kernel-lib/Makefile.in
@@ -61,6 +61,7 @@ HEADERS= \
 	gssapi_err_generic.h \
 	k5-int.h \
 	k5-int-pkinit.h \
 +	k5-label.h \
 	k5-thread.h \
 	k5-platform.h \
 	k5-buf.h \
@@ -162,10 +163,12 @@ gssapi_generic.h: $(GSS_GENERIC)/gssapi_generic.h
 	$(CP) $(GSS_GENERIC)/gssapi_generic.h $@
 gssapi_err_generic.h: $(GSS_GENERIC_BUILD)/gssapi_err_generic.h
 	$(CP) $(GSS_GENERIC_BUILD)/gssapi_err_generic.h $@
 -k5-int.h: $(INCLUDE)/k5-int.h
 +k5-int.h: $(INCLUDE)/k5-int.h k5-label.h
 	$(CP) $(INCLUDE)/k5-int.h $@
 k5-int-pkinit.h: $(INCLUDE)/k5-int-pkinit.h
 	$(CP) $(INCLUDE)/k5-int-pkinit.h $@
 +k5-label.h: $(INCLUDE)/k5-label.h
 +	$(CP) $(INCLUDE)/k5-label.h $@
 k5-thread.h: $(INCLUDE)/k5-thread.h
 	$(CP) $(INCLUDE)/k5-thread.h $@
 k5-platform.h: $(INCLUDE)/k5-platform.h
 diff --git a/src/util/profile/prof_file.c b/src/util/profile/prof_file.c
 index 907c119..0f5462a 100644
 --- a/src/util/profile/prof_file.c
 +++ b/src/util/profile/prof_file.c
@@ -33,6 +33,7 @@
 #endif
 #include "k5-platform.h"
@ -397,7 +649,7 @@ which we used earlier, is some improvement.
 struct global_shared_profile_data {
     /* This is the head of the global list of shared trees */
-@@ -418,7 +419,7 @@ static errcode_t write_data_to_file(prf_
+@@ -423,7 +424,7 @@ static errcode_t write_data_to_file(prf_data_t data, const char *outfile,
     errno = 0;
@ -406,9 +658,11 @@ which we used earlier, is some improvement.
     if (!f) {
         retval = errno;
         if (retval == 0)
--- krb5/src/util/support/Makefile.in
+diff --git a/src/util/support/Makefile.in b/src/util/support/Makefile.in
-+++ krb5/src/util/support/Makefile.in
+index 5181762..f77acd4 100644
-@@ -54,6 +54,7 @@ IPC_SYMS= \
+--- a/src/util/support/Makefile.in
 +++ b/src/util/support/Makefile.in
@@ -59,6 +59,7 @@ IPC_SYMS= \
 STLIBOBJS= \
 	threads.o \
@ -416,7 +670,7 @@ which we used earlier, is some improvement.
 	init-addrinfo.o \
 	plugins.o \
 	errors.o \
-@@ -108,7 +109,7 @@ SRCS=\
+@@ -131,7 +132,7 @@ SRCS=\
 SHLIB_EXPDEPS =
 # Add -lm if dumping thread stats, for sqrt.
@ -425,8 +679,11 @@ which we used earlier, is some improvement.
 DEPLIBS=
--- krb5/src/util/support/selinux.c
+diff --git a/src/util/support/selinux.c b/src/util/support/selinux.c
-+++ krb5/src/util/support/selinux.c
+new file mode 100644
 index 0000000..ffba6a9
 --- /dev/null
 +++ b/src/util/support/selinux.c
@@ -0,0 +1,381 @@
 +/*
 + * Copyright 2007,2008,2009,2011,2012,2013 Red Hat, Inc.  All Rights Reserved.
@ -809,171 +1066,6 @@ which we used earlier, is some improvement.
 +}
 +
 +#endif
--- krb5/src/lib/krb5/rcache/rc_dfl.c
+-- 
-+++ krb5/src/lib/krb5/rcache/rc_dfl.c
+2.9.3
-@@ -813,6 +813,9 @@ krb5_rc_dfl_expunge_locked(krb5_context 
+
     krb5_error_code retval = 0;
     krb5_rcache tmp;
     krb5_deltat lifespan = t->lifespan;  /* save original lifespan */
 +#ifdef USE_SELINUX
 +    void *selabel;
 +#endif
     if (! t->recovering) {
         name = t->name;
@@ -834,7 +837,17 @@ krb5_rc_dfl_expunge_locked(krb5_context 
     retval = krb5_rc_resolve(context, tmp, 0);
     if (retval)
         goto cleanup;
 +#ifdef USE_SELINUX
 +    if (t->d.fn != NULL)
 +        selabel = krb5int_push_fscreatecon_for(t->d.fn);
 +    else
 +        selabel = NULL;
 +#endif
     retval = krb5_rc_initialize(context, tmp, lifespan);
 +#ifdef USE_SELINUX
 +    if (selabel != NULL)
 +        krb5int_pop_fscreatecon(selabel);
 +#endif
     if (retval)
         goto cleanup;
     for (q = t->a; q; q = q->na) {
 --- krb5/src/lib/krb5/ccache/cc_dir.c
 +++ krb5/src/lib/krb5/ccache/cc_dir.c
@@ -185,10 +185,19 @@ write_primary_file(const char *primary_p
     char *newpath = NULL;
     FILE *fp = NULL;
     int fd = -1, status;
 +#ifdef USE_SELINUX
 +    void *selabel;
 +#endif
     if (asprintf(&newpath, "%s.XXXXXX", primary_path) < 0)
         return ENOMEM;
 +#ifdef USE_SELINUX
 +    selabel = krb5int_push_fscreatecon_for(primary_path);
 +#endif
     fd = mkstemp(newpath);
 +#ifdef USE_SELINUX
 +    krb5int_pop_fscreatecon(selabel);
 +#endif
     if (fd < 0)
         goto cleanup;
 #ifdef HAVE_CHMOD
@@ -223,10 +232,23 @@
 verify_dir(krb5_context context, const char *dirname)
 {
     struct stat st;
 +    int status;
 +#ifdef USE_SELINUX
 +    void *selabel;
 +#endif
     if (stat(dirname, &st) < 0) {
 -        if (errno == ENOENT && mkdir(dirname, S_IRWXU) == 0)
 -            return 0;
 +        if (errno == ENOENT) {
 +#ifdef USE_SELINUX
 +            selabel = krb5int_push_fscreatecon_for(dirname);
 +#endif
 +            status = mkdir(dirname, S_IRWXU);
 +#ifdef USE_SELINUX
 +            krb5int_pop_fscreatecon(selabel);
 +#endif
 +            if (status == 0)
 +                return 0;
 +        }
         k5_setmsg(context, KRB5_FCC_NOFILE,
                   _("Credential cache directory %s does not exist"),
                   dirname);
 --- krb5/src/lib/krb5/os/trace.c
 +++ krb5/src/lib/krb5/os/trace.c
@@ -401,7 +401,7 @@ krb5_set_trace_filename(krb5_context con
     fd = malloc(sizeof(*fd));
     if (fd == NULL)
         return ENOMEM;
 -    *fd = open(filename, O_WRONLY|O_CREAT|O_APPEND, 0600);
 +    *fd = THREEPARAMOPEN(filename, O_WRONLY|O_CREAT|O_APPEND, 0600);
     if (*fd == -1) {
         free(fd);
         return errno;
 --- krb5/src/plugins/kdb/db2/kdb_db2.c
 +++ krb5/src/plugins/kdb/db2/kdb_db2.c
@@ -683,8 +683,8 @@
     if (retval)
         return retval;
 -    dbc->db_lf_file = open(dbc->db_lf_name, O_CREAT | O_RDWR | O_TRUNC,
 -                           0600);
 +    dbc->db_lf_file = THREEPARAMOPEN(dbc->db_lf_name,
 +                                     O_CREAT | O_RDWR | O_TRUNC, 0600);
     if (dbc->db_lf_file < 0) {
         retval = errno;
         goto cleanup;
 --- krb5/src/plugins/kdb/db2/libdb2/recno/rec_open.c
 +++ krb5/src/plugins/kdb/db2/libdb2/recno/rec_open.c
@@ -51,6 +51,7 @@
 #include <stdio.h>
 #include <unistd.h>
 +#include "k5-int.h"
 #include "db-int.h"
 #include "recno.h"
@@ -68,7 +69,8 @@
 	int rfd = -1, sverrno;
 	/* Open the user's file -- if this fails, we're done. */
 -	if (fname != NULL && (rfd = open(fname, flags | O_BINARY, mode)) < 0)
 +	if (fname != NULL &&
 +            (rfd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0)
 		return (NULL);
 	if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) {
 --- krb5/src/kdc/main.c
 +++ krb5/src/kdc/main.c
@@ -905,7 +905,7 @@ write_pid_file(const char *path)
     FILE *file;
     unsigned long pid;
 -    file = fopen(path, "w");
 +    file = WRITABLEFOPEN(path, "w");
     if (file == NULL)
         return errno;
     pid = (unsigned long) getpid();
 --- krb5/src/lib/kdb/kdb_log.c
 +++ krb5/src/lib/kdb/kdb_log.c
@@ -456,7 +456,7 @@ ulog_map(krb5_context context, const cha
     int ulogfd = -1;
     if (stat(logname, &st) == -1) {
 -        ulogfd = open(logname, O_RDWR | O_CREAT, 0600);
 +        ulogfd = THREEPARAMOPEN(logname, O_RDWR | O_CREAT, 0600);
         if (ulogfd == -1)
             return errno;
 --- krb5/src/util/gss-kernel-lib/Makefile.in
 +++ krb5/src/util/gss-kernel-lib/Makefile.in
@@ -60,6 +60,7 @@ HEADERS= \
 	gssapi_err_generic.h \
 	k5-int.h \
 	k5-int-pkinit.h \
 +	k5-label.h \
 	k5-thread.h \
 	k5-platform.h \
 	k5-buf.h \
@@ -166,10 +167,12 @@ gssapi_generic.h: $(GSS_GENERIC)/gssapi_
 	$(CP) $(GSS_GENERIC)/gssapi_generic.h $@
 gssapi_err_generic.h: $(GSS_GENERIC_BUILD)/gssapi_err_generic.h
 	$(CP) $(GSS_GENERIC_BUILD)/gssapi_err_generic.h $@
 -k5-int.h: $(INCLUDE)/k5-int.h
 +k5-int.h: $(INCLUDE)/k5-int.h k5-label.h
 	$(CP) $(INCLUDE)/k5-int.h $@
 k5-int-pkinit.h: $(INCLUDE)/k5-int-pkinit.h
 	$(CP) $(INCLUDE)/k5-int-pkinit.h $@
 +k5-label.h: $(INCLUDE)/k5-label.h
 +	$(CP) $(INCLUDE)/k5-label.h $@
 k5-thread.h: $(INCLUDE)/k5-thread.h
 	$(CP) $(INCLUDE)/k5-thread.h $@
 k5-platform.h: $(INCLUDE)/k5-platform.h
--- a/krb5-1.14.4-SNI-HTTP-Host.patch
+++ b/krb5-1.14.4-SNI-HTTP-Host.patch
@ -1,108 +0,0 @@
 From 69c8662190bcd46f2300d0cea139681001ea5b26 Mon Sep 17 00:00:00 2001
 From: Christian Heimes <cheimes@redhat.com>
 Date: Mon, 8 Aug 2016 12:38:17 +0200
 Subject: [PATCH] Add Host HTTP header to MS-KKDCP requests
 Some web servers require a Host HTTP header for TLS connections with
 SNI (server name indicator).  It is also required for virtual hosts.
 ticket: 8472 (new)
 target_version: 1.14-next
 tags: pullup
 ---
 src/lib/krb5/os/sendto_kdc.c | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)
 diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c
 index c85fdba..a2b7359 100644
 --- a/src/lib/krb5/os/sendto_kdc.c
 +++ b/src/lib/krb5/os/sendto_kdc.c
@@ -78,6 +78,7 @@
 #define MAX_PASS                    3
 #define DEFAULT_UDP_PREF_LIMIT   1465
 #define HARD_UDP_LIMIT          32700 /* could probably do 64K-epsilon ? */
 +#define PORT_LENGTH                 6 /* decimal repr of UINT16_MAX */
 /* Select state flags.  */
 #define SSF_READ 0x01
@@ -138,6 +139,7 @@ struct conn_state {
     struct {
         const char *uri_path;
         const char *servername;
 +        char port[PORT_LENGTH];
         char *https_request;
         k5_tls_handle tls;
     } http;
@@ -611,6 +613,8 @@ make_proxy_request(struct conn_state *state, const krb5_data *realm,
     k5_buf_init_dynamic(&buf);
     uri_path = (state->http.uri_path != NULL) ? state->http.uri_path : "";
     k5_buf_add_fmt(&buf, "POST /%s HTTP/1.0\r\n", uri_path);
 +    k5_buf_add_fmt(&buf, "Host: %s:%s\r\n", state->http.servername,
 +                   state->http.port);
     k5_buf_add(&buf, "Cache-Control: no-cache\r\n");
     k5_buf_add(&buf, "Pragma: no-cache\r\n");
     k5_buf_add(&buf, "User-Agent: kerberos/1.0\r\n");
@@ -673,7 +677,7 @@ static krb5_error_code
 add_connection(struct conn_state **conns, k5_transport transport,
                krb5_boolean defer, struct addrinfo *ai, size_t server_index,
                const krb5_data *realm, const char *hostname,
 -               const char *uri_path, char **udpbufp)
 +               const char *port, const char *uri_path, char **udpbufp)
 {
     struct conn_state *state, **tailptr;
@@ -695,11 +699,13 @@ add_connection(struct conn_state **conns, k5_transport transport,
         state->service_write = service_tcp_write;
         state->service_read = service_tcp_read;
     } else if (transport == HTTPS) {
 +        assert(hostname != NULL && port != NULL);
         state->service_connect = service_tcp_connect;
         state->service_write = service_https_write;
         state->service_read = service_https_read;
         state->http.uri_path = uri_path;
         state->http.servername = hostname;
 +        strlcpy(state->http.port, port, PORT_LENGTH);
     } else {
         state->service_connect = NULL;
         state->service_write = NULL;
@@ -785,7 +791,7 @@ resolve_server(krb5_context context, const krb5_data *realm,
     struct addrinfo *addrs, *a, hint, ai;
     krb5_boolean defer;
     int err, result;
 -    char portbuf[64];
 +    char portbuf[PORT_LENGTH];
     /* Skip UDP entries if we don't want UDP. */
     if (strategy == NO_UDP && entry->transport == UDP)
@@ -800,7 +806,7 @@ resolve_server(krb5_context context, const krb5_data *realm,
         ai.ai_addr = (struct sockaddr *)&entry->addr;
         defer = (entry->transport != transport);
         return add_connection(conns, entry->transport, defer, &ai, ind, realm,
 -                              NULL, entry->uri_path, udpbufp);
 +                              NULL, NULL, entry->uri_path, udpbufp);
     }
     /* If the entry has a specified transport, use it. */
@@ -826,7 +832,8 @@ resolve_server(krb5_context context, const krb5_data *realm,
     retval = 0;
     for (a = addrs; a != 0 && retval == 0; a = a->ai_next) {
         retval = add_connection(conns, transport, FALSE, a, ind, realm,
 -                                entry->hostname, entry->uri_path, udpbufp);
 +                                entry->hostname, portbuf, entry->uri_path,
 +                                udpbufp);
     }
     /* For TCP_OR_UDP entries, add each address again with the non-preferred
@@ -836,7 +843,8 @@ resolve_server(krb5_context context, const krb5_data *realm,
         for (a = addrs; a != 0 && retval == 0; a = a->ai_next) {
             a->ai_socktype = socktype_for_transport(transport);
             retval = add_connection(conns, transport, TRUE, a, ind, realm,
 -                                    entry->hostname, entry->uri_path, udpbufp);
 +                                    entry->hostname, portbuf,
 +                                    entry->uri_path, udpbufp);
         }
     }
     freeaddrinfo(addrs);
 -- 
 2.8.1
--- a/krb5-1.14.4-ofd-lock-workaround.patch
+++ b/krb5-1.14.4-ofd-lock-workaround.patch
@ -1,73 +0,0 @@
 From 65110210b75d38908cdd84cb202cf013ccf6ed0e Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Sun, 14 Aug 2016 12:08:16 -0400
 Subject: [PATCH] Work around glibc OFD lock bug on 32-bit Linux
 A bug in Gnu libc causes OFD locking to fail unpredictably on 32-bit
 Linux, typically leading to deadlocks.  Work around this bug by using
 the fcntl64 system call and struct flock64.
 See also: https://sourceware.org/bugzilla/show_bug.cgi?id=20251
 ticket: 8474
 target_version: 1.14-next
 tags: pullup
 ---
 src/lib/krb5/os/lock_file.c | 26 ++++++++++++++++++++++++--
 1 file changed, 24 insertions(+), 2 deletions(-)
 diff --git a/src/lib/krb5/os/lock_file.c b/src/lib/krb5/os/lock_file.c
 index a2f247c..2360c96 100644
 --- a/src/lib/krb5/os/lock_file.c
 +++ b/src/lib/krb5/os/lock_file.c
@@ -43,7 +43,29 @@
 #if defined(HAVE_FCNTL_H) && defined(F_SETLKW) && defined(F_RDLCK)
 #define POSIX_FILE_LOCKS
 +
 +/*
 + * Gnu libc bug 20251, currently unfixed, breaks OFD lock support on
 + * 32-bit platforms.  Work around this bug by explicitly using the
 + * fcntl64 system call and struct flock64.
 + */
 +#if defined(__linux__) && __WORDSIZE == 32
 +#include <sys/syscall.h>
 +#ifdef SYS_fcntl64
 +#define USE_FCNTL64
 #endif
 +#endif
 +#ifdef USE_FCNTL64
 +/* Use the fcntl64 system call and struct flock64.  (Gnu libc does not
 + * define a fcntl64() function, so we must use syscall().) */
 +#define fcntl(fd, cmd, arg) syscall(SYS_fcntl64, fd, cmd, arg)
 +typedef struct flock64 fcntl_lock_st;
 +#else
 +/* Use regular fcntl() and struct flock. */
 +typedef struct flock fcntl_lock_st;
 +#endif
 +
 +#endif /* defined(HAVE_FCNTL_H) && defined(F_SETLKW) && defined(F_RDLCK) */
 #ifdef HAVE_FLOCK
 #ifndef sysvimp
@@ -66,7 +88,7 @@
  * older kernel than we were built with.
  */
 static int
 -ofdlock(int fd, int cmd, struct flock *lock_arg)
 +ofdlock(int fd, int cmd, fcntl_lock_st *lock_arg)
 {
 #ifdef F_OFD_SETLKW
     int st, ofdcmd;
@@ -89,7 +111,7 @@ krb5_lock_file(krb5_context context, int fd, int mode)
     krb5_error_code     retval = 0;
 #ifdef POSIX_FILE_LOCKS
     int lock_cmd = F_SETLKW;
 -    struct flock lock_arg = { 0 };
 +    fcntl_lock_st lock_arg = { 0 };
 #endif
     switch (mode & ~KRB5_LOCKMODE_DONTBLOCK) {
 -- 
 2.8.1
--- a/krb5-1.14.4-responder-non-preauth.patch
+++ b/krb5-1.14.4-responder-non-preauth.patch
@ -1,86 +0,0 @@
 From 60824edc278fe2207ead773baca6fe56416e2874 Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Fri, 5 Aug 2016 12:28:03 -0400
 Subject: [PATCH] Use responder for non-preauth AS requests
 If no AS reply key is computed during pre-authentication (typically
 because no pre-authentication was required by the KDC), ask for the
 password using the responder before calling gak_fct for the key, and
 supply any resulting responder items to gak_fct.
 ticket: 8454
 target_version: 1.14-next
 target_version: 1.13-next
 tags: pullup
 ---
 src/lib/krb5/krb/get_in_tkt.c | 24 +++++++++++++++++++++++-
 src/tests/t_general.py        |  5 +++++
 2 files changed, 28 insertions(+), 1 deletion(-)
 diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
 index b78e19a..659be66 100644
 --- a/src/lib/krb5/krb/get_in_tkt.c
 +++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -1351,6 +1351,8 @@ init_creds_step_reply(krb5_context context,
     krb5_keyblock encrypting_key;
     krb5_boolean fast_avail;
     krb5_ccache out_ccache = k5_gic_opt_get_out_ccache(ctx->opt);
 +    krb5_responder_fn responder;
 +    void *responder_data;
     encrypting_key.length = 0;
     encrypting_key.contents = NULL;
@@ -1509,13 +1511,33 @@ init_creds_step_reply(krb5_context context,
         code = -1;
     if (code != 0) {
 +        /* If a responder was provided and we are using a password, ask for the
 +         * password using the responder before falling back to the prompter. */
 +        k5_gic_opt_get_responder(ctx->opt, &responder, &responder_data);
 +        if (responder != NULL && !ctx->as_key.length) {
 +            /* Indicate a need for the AS key by calling the gak_fct with a
 +             * NULL as_key. */
 +            code = ctx->gak_fct(context, ctx->request->client, ctx->etype,
 +                                NULL, NULL, NULL, NULL, NULL, ctx->gak_data,
 +                                ctx->rctx.items);
 +            if (code != 0)
 +                goto cleanup;
 +
 +            /* If that produced a responder question, invoke the responder. */
 +            if (!k5_response_items_empty(ctx->rctx.items)) {
 +                code = (*responder)(context, responder_data, &ctx->rctx);
 +                if (code != 0)
 +                    goto cleanup;
 +            }
 +        }
 +
         /* if we haven't get gotten a key, get it now */
         TRACE_INIT_CREDS_GAK(context, &ctx->salt, &ctx->s2kparams);
         code = (*ctx->gak_fct)(context, ctx->request->client,
                                ctx->reply->enc_part.enctype,
                                ctx->prompter, ctx->prompter_data,
                                &ctx->salt, &ctx->s2kparams,
 -                               &ctx->as_key, ctx->gak_data, NULL);
 +                               &ctx->as_key, ctx->gak_data, ctx->rctx.items);
         if (code != 0)
             goto cleanup;
         TRACE_INIT_CREDS_AS_KEY_GAK(context, &ctx->as_key);
 diff --git a/src/tests/t_general.py b/src/tests/t_general.py
 index c3629e6..13dd99b 100755
 --- a/src/tests/t_general.py
 +++ b/src/tests/t_general.py
@@ -34,6 +34,11 @@ realm.stop()
 realm = K5Realm(create_host=False)
 +# Regression test for #8454 (responder callback isn't used when
 +# preauth is not required).
 +realm.run(['./responder', '-r', 'password=%s' % password('user'),
 +           realm.user_princ])
 +
 # Test that WRONG_REALM responses aren't treated as referrals unless
 # they contain a crealm field pointing to a different realm.
 # (Regression test for #8060.)
 -- 
 2.9.3
--- a/krb5-1.14.4-samba-client-mutual-flag.patch
+++ b/krb5-1.14.4-samba-client-mutual-flag.patch
@ -1,37 +0,0 @@
 From dcb523a4201dc882b2c466824ee1913eaed2e30d Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn@cryptomilk.org>
 Date: Thu, 25 Aug 2016 10:41:33 +0200
 Subject: [PATCH] Guess Samba client mutual flag using ap_options
 To work correctly with older Samba clients, we should guess the mutual
 flag based on the ap_options from the AP-REQ and not set it
 unconditionally.  Found by the Samba torture testsuite.
 [ghudson@mit.edu: edited comments and commit message]
 ticket: 8486 (new)
 target_version: 1.14-next
 tags: pullup
 ---
 src/lib/gssapi/krb5/accept_sec_context.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
 diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
 index b7fffeb..580d08c 100644
 --- a/src/lib/gssapi/krb5/accept_sec_context.c
 +++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -699,7 +699,10 @@ kg_accept_krb5(minor_status, context_handle,
             goto fail;
         }
 -        gss_flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
 +        /* Use ap_options from the request to guess the mutual flag. */
 +        gss_flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
 +        if (ap_req_options & AP_OPTS_MUTUAL_REQUIRED)
 +            gss_flags |= GSS_C_MUTUAL_FLAG;
     } else {
         /* gss krb5 v1 */
 -- 
 2.9.3
--- a/krb5-1.3.1-dns.patch
+++ b/krb5-1.3.1-dns.patch
@ -1,8 +1,18 @@
 From 95b7e75522dd905eea23e853f062d89749a17799 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 23 Aug 2016 16:46:21 -0400
 Subject: [PATCH 06/19] krb5-1.3.1-dns.patch
 We want to be able to use --with-netlib and --enable-dns at the same time.
-RT#2022
+---
--- krb5-1.3.1/src/aclocal.m4	2003-11-24 11:17:30.000000000 -0500
+ src/aclocal.m4 | 1 +
-+++ krb5-1.3.1/src/aclocal.m4	2003-11-24 11:18:45.000000000 -0500
+ 1 file changed, 1 insertion(+)
-@@ -647,6 +647,7 @@
+
 diff --git a/src/aclocal.m4 b/src/aclocal.m4
 index 311f099..ed343c5 100644
 --- a/src/aclocal.m4
 +++ b/src/aclocal.m4
@@ -701,6 +701,7 @@ AC_HELP_STRING([--with-netlib=LIBS], use user defined resolver library),
 	LIBS="$LIBS $withval"
 	AC_MSG_RESULT("netlib will use \'$withval\'")
   fi
@ -10,3 +20,6 @@ RT#2022
 ],dnl
 [AC_LIBRARY_NET]
 )])dnl
 -- 
 2.9.3
--- a/krb5-1.6.3-kdc_listen_all.patch
+++ b/krb5-1.6.3-kdc_listen_all.patch
@ -1,247 +0,0 @@
 Provide an option to make the KDC also listen on loopback interfaces for
 datagram requests.  Adds an internal symbol to libkrb5 which the KDC
 needs if listening on loopback is enabled.
 The default might be better changed from FALSE to TRUE so that the
 default matches what we do with stream sockets.
 FIXME: doesn't add documentation anywhere.
 diff -up src/include/foreachaddr.h src/include/foreachaddr.h
 --- src/include/foreachaddr.h	2004-05-05 18:44:46.000000000 -0400
 +++ src/include/foreachaddr.h	2008-04-04 15:39:28.000000000 -0400
@@ -62,3 +62,18 @@ krb5int_foreach_localaddr (/*@null@*/ vo
     ;
 #define foreach_localaddr krb5int_foreach_localaddr
 +
 +extern int
 +krb5int_foreach_localaddr_ext (/*@null@*/ void *data,
 +			       int (*pass1fn) (/*@null@*/ void *,
 +					       struct sockaddr *) /*@*/,
 +			       /*@null@*/ krb5_boolean (*skipfn) (/*@null@*/ struct sockaddr *, int) /*@*/,
 +			       /*@null@*/ int (*betweenfn) (/*@null@*/ void *) /*@*/,
 +			       /*@null@*/ int (*pass2fn) (/*@null@*/ void *,
 +							  struct sockaddr *) /*@*/)
 +#if defined(DEBUG) || defined(TEST)
 +     /*@modifies fileSystem@*/
 +#endif
 +    ;
 +
 +#define foreach_localaddr_ext krb5int_foreach_localaddr_ext
 diff -up src/kdc/kdc_util.h src/kdc/kdc_util.h
 --- src/kdc/kdc_util.h	2008-04-04 16:28:18.000000000 -0400
 +++ src/kdc/kdc_util.h	2008-04-04 16:51:27.000000000 -0400
@@ -126,6 +126,7 @@ krb5_error_code kdc_initialize_rcache (k
 krb5_error_code setup_server_realm (krb5_principal);
 /* network.c */
 +void process_listen_loopback (krb5_boolean);
 krb5_error_code listen_and_process (const char *);
 krb5_error_code setup_network (const char *);
 krb5_error_code closedown_network (const char *);
 diff -up src/kdc/main.c src/kdc/main.c
 --- src/kdc/main.c	2008-04-04 16:22:43.000000000 -0400
 +++ src/kdc/main.c	2008-04-04 16:55:22.000000000 -0400
@@ -422,6 +422,7 @@ initialize_realms(krb5_context kcontext,
     krb5_enctype	menctype = ENCTYPE_UNKNOWN;
     kdc_realm_t		*rdatap;
     krb5_boolean	manual = FALSE;
 +    krb5_boolean	listen_loopback = FALSE;
     char		*default_udp_ports = 0;
     char		*default_tcp_ports = 0;
     krb5_pointer	aprof;
@@ -448,6 +449,9 @@ initialize_realms(krb5_context kcontext,
 	if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &v4mode))
 	    v4mode = 0;
 #endif
 +	hierarchy[1] = "kdc_listen_loopback";
 +	if (krb5_aprof_get_boolean(aprof, hierarchy, TRUE, &listen_loopback))
 +	    listen_loopback = FALSE;
 	/* aprof_init can return 0 with aprof == NULL */
 	if (aprof)
 	     krb5_aprof_finish(aprof);
@@ -587,6 +591,8 @@ initialize_realms(krb5_context kcontext,
     free(v4mode);
 #endif
 +    process_listen_loopback(listen_loopback);
 +
     /*
      * Check to see if we processed any realms.
      */
 diff -up src/kdc/network.c src/kdc/network.c
 --- src/kdc/network.c	2008-04-04 15:39:28.000000000 -0400
 +++ src/kdc/network.c	2008-04-04 16:51:44.000000000 -0400
@@ -221,6 +221,7 @@ static SET(u_short) udp_port_data, tcp_p
 #include "cm.h"
 static struct select_state sstate;
 +static krb5_boolean listen_loopback;
 static krb5_error_code add_udp_port(int port)
 {
@@ -604,6 +605,12 @@ scan_for_newlines:
 }
 #endif
 +void
 +process_listen_loopback(krb5_boolean listen_loop)
 +{
 +    listen_loopback = listen_loop;
 +}
 +
 /* XXX */
 extern int krb5int_debug_sendto_kdc;
 extern void (*krb5int_sendtokdc_debug_handler)(const void*, size_t);
@@ -662,7 +669,9 @@ setup_network(const char *prog)
        so we might need only one UDP socket; fall back to binding
        sockets on each address only if IPV6_PKTINFO isn't
        supported.  */
 -    if (foreach_localaddr (&setup_data, setup_udp_port, 0, 0)) {
 +    if (listen_loopback ?
 +	foreach_localaddr_ext (&setup_data, setup_udp_port, 0, 0, 0) :
 +	foreach_localaddr (&setup_data, setup_udp_port, 0, 0)) {
 	return setup_data.retval;
     }
     setup_tcp_listener_ports(&setup_data);
 diff -up src/lib/krb5/os/localaddr.c src/lib/krb5/os/localaddr.c
 --- src/lib/krb5/os/localaddr.c	2005-04-13 12:55:43.000000000 -0400
 +++ src/lib/krb5/os/localaddr.c	2008-04-04 15:39:28.000000000 -0400
@@ -242,6 +242,17 @@ addr_eq (const struct sockaddr *s1, cons
 }
 #endif
 +static krb5_boolean
 +skip_loopback (struct sockaddr *addr, int flags)
 +{
 +#ifdef IFF_LOOPBACK
 +    if (flags & IFF_LOOPBACK) {
 +	return TRUE;
 +    }
 +#endif
 +    return FALSE;
 +}
 +
 #ifndef HAVE_IFADDRS_H
 /*@-usereleased@*/ /* lclint doesn't understand realloc */
 static /*@null@*/ void *
@@ -413,14 +424,27 @@ get_linux_ipv6_addrs ()
    indication, it should do it via some field pointed to by the DATA
    argument.  */
 -#ifdef HAVE_IFADDRS_H
 -
 int
 foreach_localaddr (/*@null@*/ void *data,
 		   int (*pass1fn) (/*@null@*/ void *, struct sockaddr *) /*@*/,
 		   /*@null@*/ int (*betweenfn) (/*@null@*/ void *) /*@*/,
 		   /*@null@*/ int (*pass2fn) (/*@null@*/ void *,
 					      struct sockaddr *) /*@*/)
 +{
 +    return foreach_localaddr_ext(data, pass1fn,
 +				 &skip_loopback, betweenfn,
 +				 pass2fn);
 +}
 +
 +#ifdef HAVE_IFADDRS_H
 +
 +int
 +foreach_localaddr_ext (/*@null@*/ void *data,
 +		       int (*pass1fn) (/*@null@*/ void *, struct sockaddr *) /*@*/,
 +		       /*@null@*/ krb5_boolean (*skipfn) (/*@null@*/ struct sockaddr *, int) /*@*/,
 +		       /*@null@*/ int (*betweenfn) (/*@null@*/ void *) /*@*/,
 +		       /*@null@*/ int (*pass2fn) (/*@null@*/ void *,
 +						  struct sockaddr *) /*@*/)
 #if defined(DEBUG) || defined(TEST)
      /*@modifies fileSystem@*/
 #endif
@@ -436,7 +460,7 @@ foreach_localaddr (/*@null@*/ void *data
 #endif
 	if ((ifp->ifa_flags & IFF_UP) == 0)
 	    continue;
 -	if (ifp->ifa_flags & IFF_LOOPBACK) {
 +	if (skipfn && (*skipfn)(ifp->ifa_addr, ifp->ifa_flags)) {
 	    /* Pretend it's not up, so the second pass will skip
 	       it.  */
 	    ifp->ifa_flags &= ~IFF_UP;
@@ -459,7 +483,7 @@ foreach_localaddr (/*@null@*/ void *data
 	for (ifp2 = ifp_head; ifp2 && ifp2 != ifp; ifp2 = ifp2->ifa_next) {
 	    if ((ifp2->ifa_flags & IFF_UP) == 0)
 		continue;
 -	    if (ifp2->ifa_flags & IFF_LOOPBACK)
 +	    if (skipfn && (*skipfn)(ifp2->ifa_addr, ifp2->ifa_flags))
 		continue;
 	    if (addr_eq (ifp->ifa_addr, ifp2->ifa_addr)) {
 		match = 1;
@@ -488,11 +512,12 @@ foreach_localaddr (/*@null@*/ void *data
 #elif defined (SIOCGLIFNUM) && defined(HAVE_STRUCT_LIFCONF) /* Solaris 8 and later; Sol 7? */
 int
 -foreach_localaddr (/*@null@*/ void *data,
 -		   int (*pass1fn) (/*@null@*/ void *, struct sockaddr *) /*@*/,
 -		   /*@null@*/ int (*betweenfn) (/*@null@*/ void *) /*@*/,
 -		   /*@null@*/ int (*pass2fn) (/*@null@*/ void *,
 -					      struct sockaddr *) /*@*/)
 +foreach_localaddr_ext (/*@null@*/ void *data,
 +		       int (*pass1fn) (/*@null@*/ void *, struct sockaddr *) /*@*/,
 +		       /*@null@*/ int (*skipfn) (/*@null@*/ struct sockaddr *, int) /*@*/,
 +		       /*@null@*/ int (*betweenfn) (/*@null@*/ void *) /*@*/,
 +		       /*@null@*/ int (*pass2fn) (/*@null@*/ void *,
 +					          struct sockaddr *) /*@*/)
 #if defined(DEBUG) || defined(TEST)
      /*@modifies fileSystem@*/
 #endif
@@ -583,13 +608,12 @@ foreach_localaddr (/*@null@*/ void *data
 	    }
 	    /*@=moduncon@*/
 -#ifdef IFF_LOOPBACK
 -	    /* None of the current callers want loopback addresses.  */
 -	    if (lifreq.lifr_flags & IFF_LOOPBACK) {
 -		Tprintf (("  loopback\n"));
 +	    if (skipfn && (*skipfn)(lifreq.lifr_addr, lifreq.lifr_flags))
 +		if (skipfn && (skipfn == &skip_loopback))
 +		    Tprintf (("  loopback\n"));
 		goto skip;
 	    }
 -#endif
 +
 	    /* Ignore interfaces that are down.  */
 	    if ((lifreq.lifr_flags & IFF_UP) == 0) {
 		Tprintf (("  down\n"));
@@ -755,13 +779,12 @@ foreach_localaddr (/*@null@*/ void *data
 	    }
 	    /*@=moduncon@*/
 -#ifdef IFF_LOOPBACK
 	    /* None of the current callers want loopback addresses.  */
 -	    if (lifreq.iflr_flags & IFF_LOOPBACK) {
 -		Tprintf (("  loopback\n"));
 +	    if (skipfn && (*skipfn)(ifp2->ifa_addr, lifreq.lifr_flags))
 +		if (skipfn && (skipfn == &skip_loopback))
 +		    Tprintf (("  loopback\n"));
 		goto skip;
 	    }
 -#endif
 	    /* Ignore interfaces that are down.  */
 	    if ((lifreq.iflr_flags & IFF_UP) == 0) {
 		Tprintf (("  down\n"));
@@ -971,13 +994,12 @@ foreach_localaddr (/*@null@*/ void *data
 	}
 	/*@=moduncon@*/
 -#ifdef IFF_LOOPBACK
 -	/* None of the current callers want loopback addresses.  */
 -	if (ifreq.ifr_flags & IFF_LOOPBACK) {
 -	    Tprintf (("  loopback\n"));
 +	if (skipfn && (*skipfn)(NULL, ifreq.ifr_flags))
 +	    if (skipfn && (skipfn == &skip_loopback))
 +		Tprintf (("  loopback\n"));
 	    goto skip;
 	}
 -#endif
 +
 	/* Ignore interfaces that are down.  */
 	if ((ifreq.ifr_flags & IFF_UP) == 0) {
 	    Tprintf (("  down\n"));
--- a/krb5-1.9-debuginfo.patch
+++ b/krb5-1.9-debuginfo.patch
@ -1,10 +1,21 @@
 From 3743c3636fd23e62f996b119a1536ecd882a5e80 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 23 Aug 2016 16:49:25 -0400
 Subject: [PATCH 09/19] krb5-1.9-debuginfo.patch
 We want to keep these y.tab.c files around because the debuginfo points to
 them.  It would be more elegant at the end to use symbolic links, but that
 could mess up people working in the tree on other things.
 ---
 src/kadmin/cli/Makefile.in                 | 5 +++++
 src/plugins/kdb/ldap/ldap_util/Makefile.in | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)
--- src/kadmin/cli/Makefile.in
+diff --git a/src/kadmin/cli/Makefile.in b/src/kadmin/cli/Makefile.in
-+++ src/kadmin/cli/Makefile.in
+index 789c597..7e7a148 100644
-@@ -43,3 +43,8 @@ clean-unix::
+--- a/src/kadmin/cli/Makefile.in
 +++ b/src/kadmin/cli/Makefile.in
@@ -37,3 +37,8 @@ clean-unix::
 # CC_LINK is not meant for compilation and this use may break in the future.
 datetest: getdate.c
 	$(CC_LINK) $(ALL_CFLAGS) -DTEST -o datetest getdate.c
@ -13,9 +24,11 @@ could mess up people working in the tree on other things.
 +	$(RM) y.tab.c $@
 +	$(YACC.y) $< 
 +	$(CP) y.tab.c $@
--- src/plugins/kdb/ldap/ldap_util/Makefile.in
+diff --git a/src/plugins/kdb/ldap/ldap_util/Makefile.in b/src/plugins/kdb/ldap/ldap_util/Makefile.in
-+++ src/plugins/kdb/ldap/ldap_util/Makefile.in
+index b9ea339..060f500 100644
-@@ -22,7 +22,7 @@ $(PROG): $(OBJS) $(KADMSRV_DEPLIBS) $(KR
+--- a/src/plugins/kdb/ldap/ldap_util/Makefile.in
 +++ b/src/plugins/kdb/ldap/ldap_util/Makefile.in
@@ -20,7 +20,7 @@ $(PROG): $(OBJS) $(KADMSRV_DEPLIBS) $(KRB5_BASE_DEPLIB) $(GETDATE)
 getdate.c: $(GETDATE)
 	$(RM) getdate.c y.tab.c
 	$(YACC) $(GETDATE)
@ -24,3 +37,6 @@ could mess up people working in the tree on other things.
 install::
 	$(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG)
 -- 
 2.9.3
--- a/krb5-disable_ofd_locks.patch
+++ b/krb5-disable_ofd_locks.patch
@ -1,18 +0,0 @@
 On x86 rawhide, usage of OFD locks causes deadlock in the test suite.
 TEMPORARILY revert their usage until I can investigate the deeper issue with
 their usage here.
 diff --git a/src/lib/krb5/os/lock_file.c b/src/lib/krb5/os/lock_file.c
 index a2f247c..f7f5bb4 100644
 --- a/src/lib/krb5/os/lock_file.c
 +++ b/src/lib/krb5/os/lock_file.c
@@ -68,7 +68,8 @@
 static int
 ofdlock(int fd, int cmd, struct flock *lock_arg)
 {
 -#ifdef F_OFD_SETLKW
 +#if 0
 +/* #ifdef F_OFD_SETLKW */
     int st, ofdcmd;
     assert(cmd == F_SETLKW || cmd == F_SETLK);
--- a/krb5-kdcdir2.patch
+++ b/krb5-kdcdir2.patch
@ -1,17 +0,0 @@
 Remove an extra "/krb5kdc" from any paths under KDC_DIR, which already
 includes that component.
 --- krb5/src/include/osconf.hin
 +++ krb5/src/include/osconf.hin
@@ -63,10 +63,10 @@
 #define DEFAULT_KEYFILE_STUB    KDC_DIR "/.k5."
 #define KRB5_DEFAULT_ADMIN_ACL  KDC_DIR "/krb5_adm.acl"
 /* Used by old admin server */
 -#define DEFAULT_ADMIN_ACL       KDC_DIR "/krb5kdc/kadm_old.acl"
 +#define DEFAULT_ADMIN_ACL       KDC_DIR "/kadm_old.acl"
 /* Location of KDC profile */
 -#define DEFAULT_KDC_PROFILE     KDC_DIR "/krb5kdc/kdc.conf"
 +#define DEFAULT_KDC_PROFILE     KDC_DIR "/kdc.conf"
 #define KDC_PROFILE_ENV         "KRB5_KDC_PROFILE"
 #if TARGET_OS_MAC
--- a/krb5-pkinit-debug.patch
+++ b/krb5-pkinit-debug.patch
@ -1,99 +0,0 @@
 This is a cheap, non-very-portable way to make debugging a run-time option.
 diff --git a/src/plugins/preauth/pkinit/pkinit.h b/src/plugins/preauth/pkinit/pkinit.h
 index 6598482..85e1c0d 100644
 --- a/src/plugins/preauth/pkinit/pkinit.h
 +++ b/src/plugins/preauth/pkinit/pkinit.h
@@ -34,6 +34,7 @@
 #include <krb5/krb5.h>
 #include <krb5/preauth_plugin.h>
 #include <k5-int-pkinit.h>
 +#include <autoconf.h>
 #include <profile.h>
 #include "pkinit_accessor.h"
@@ -96,12 +97,15 @@ extern int longhorn;	    /* XXX Talking to a Longhorn server? */
 #define pkiDebug	printf
 #else
 /* Still evaluates for side effects.  */
 -static inline void pkiDebug (const char *fmt, ...) { }
 +/* static inline void pkiDebug (const char *fmt, ...) { } */
 +#define pkiDebug	if (pkinit_debug_is_enabled()) printf
 /* This is better if the compiler doesn't inline variadic functions
    well, but gcc will warn about "left-hand operand of comma
    expression has no effect".  Still evaluates for side effects.  */
 /* #define pkiDebug	(void) */
 #endif
 +extern void pkinit_debug_init(krb5_context context, krb5_data *realm, int kdc);
 +extern int pkinit_debug_is_enabled(void);
 /* Solaris compiler doesn't grok __FUNCTION__
  * hack for now.  Fix all the uses eventually. */
 diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
 index 6888c1b..bb39fce 100644
 --- a/src/plugins/preauth/pkinit/pkinit_clnt.c
 +++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
@@ -1002,6 +1002,8 @@ pkinit_client_process(krb5_context context,
     pkinit_req_context reqctx = (pkinit_req_context)request_context;
     krb5_keyblock *armor_key = NULL;
 +    pkinit_debug_init(context, &(request->server->realm), 0);
 +
     pkiDebug("pkinit_client_process %p %p %p %p\n",
              context, plgctx, reqctx, request);
 diff --git a/src/plugins/preauth/pkinit/pkinit_lib.c b/src/plugins/preauth/pkinit/pkinit_lib.c
 index a6d7762..2b59fd0 100644
 --- a/src/plugins/preauth/pkinit/pkinit_lib.c
 +++ b/src/plugins/preauth/pkinit/pkinit_lib.c
@@ -452,3 +452,28 @@ print_buffer_bin(unsigned char *buf, unsigned int len, char *filename)
     fclose(f);
 }
 +
 +/* This is a cheat to avoid having to rewrite every caller of pkiDebug() to pass
 +   in a context structure, which is where this flag would be better placed. */
 +static __thread int pkinit_debug_enabled = 0;
 +
 +void
 +pkinit_debug_init(krb5_context context, krb5_data *realm, int kdc)
 +{
 +	pkinit_debug_enabled = -1;
 +	if (kdc) {
 +		pkinit_kdcdefault_boolean(context, realm, "pkinit_debug",
 +					  -1, &pkinit_debug_enabled);
 +	}
 +	if (pkinit_debug_enabled == -1) {
 +		pkinit_libdefault_boolean(context, realm, "pkinit_debug",
 +					  0, &pkinit_debug_enabled);
 +	}
 +	printf("pkinit_debug: %d\n", pkinit_debug_enabled);
 +}
 +
 +int
 +pkinit_debug_is_enabled(void)
 +{
 +	return (pkinit_debug_enabled == 1);
 +}
 diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
 index 5a7a5ad..d7a0a44 100644
 --- a/src/plugins/preauth/pkinit/pkinit_srv.c
 +++ b/src/plugins/preauth/pkinit/pkinit_srv.c
@@ -108,6 +108,8 @@ pkinit_server_get_edata(krb5_context context,
     pkinit_kdc_context plgctx = NULL;
     krb5_keyblock *armor_key = NULL;
 +    pkinit_debug_init(context, &(request->server->realm), 1);
 +
     pkiDebug("pkinit_server_get_edata: entered!\n");
     /* Remove (along with armor_key) when FAST PKINIT is settled. */
@@ -315,6 +317,8 @@ pkinit_server_verify_padata(krb5_context context,
     int is_signed = 1;
     krb5_keyblock *armor_key;
 +    pkinit_debug_init(context, &(request->server->realm), 1);
 +
     pkiDebug("pkinit_verify_padata: entered!\n");
     if (data == NULL || data->length <= 0 || data->contents == NULL)
         return 0;
--- a/krb5.spec
+++ b/krb5.spec
@ -12,8 +12,8 @@
 Summary: The Kerberos network authentication system
 Name: krb5
-Version: 1.14.3
+Version: 1.14.4
-Release: 9%{?dist}
+Release: 1%{?dist}
 # - Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
 # - The sources below are stored in a lookaside cache. Upload with
@ -45,33 +45,25 @@ Source39: krb5-krb5kdc.conf
 # Carry this locally until it's available in a packaged form.
 Source100: noport.c
-Patch6: krb5-1.12-ksu-path.patch
+Patch1: krb5-1.12.1-pam.patch
-Patch12: krb5-1.12-ktany.patch
+Patch2: krb5-1.13-selinux-label.patch
-Patch16: krb5-1.12-buildconf.patch
+Patch3: krb5-1.12-ksu-path.patch
-Patch23: krb5-1.3.1-dns.patch
+Patch4: krb5-1.12-ktany.patch
-Patch39: krb5-1.12-api.patch
+Patch5: krb5-1.12-buildconf.patch
-Patch60: krb5-1.12.1-pam.patch
+Patch6: krb5-1.3.1-dns.patch
-Patch63: krb5-1.13-selinux-label.patch
+Patch7: krb5-1.12-api.patch
-Patch71: krb5-1.13-dirsrv-accountlock.patch
+Patch8: krb5-1.13-dirsrv-accountlock.patch
-Patch86: krb5-1.9-debuginfo.patch
+Patch9: krb5-1.9-debuginfo.patch
-Patch129: krb5-1.11-run_user_0.patch
+Patch10: krb5-1.11-run_user_0.patch
-Patch134: krb5-1.11-kpasswdtest.patch
+Patch11: krb5-1.11-kpasswdtest.patch
-Patch148: krb5-1.14.4-ofd-lock-workaround.patch
+Patch12: Fix-impersonate_name-to-work-with-interposers.patch
-Patch150: krb5-acquire_cred_interposer.patch
+Patch13: Create-KDC-and-kadmind-log-files-with-mode-0640.patch
-Patch153: krb5-1.14.1-log_file_permissions.patch
+Patch14: Add-KDC-pre-send-and-post-receive-KDC-hooks.patch
-
+Patch15: Add-tests-for-send-and-receive-sendto_kdc-hooks.patch
-Patch164: krb5-1.15-kdc_send_receive_hooks.patch
+Patch16: Set-prompt-type-for-OTP-preauth-prompt.patch
-Patch165: krb5-1.15-kdc_hooks_test.patch
+Patch17: Improve-bad-password-inference-in-kinit.patch
-
+Patch18: Change-KDC-error-for-encrypted-timestamp-preauth.patch
-Patch166: krb5-1.14.4-SNI-HTTP-Host.patch
+Patch19: Add-krb5_db_register_keytab.patch
 Patch167: krb5-1.15-otp-preauth-prompt-type.patch
 Patch168: krb5-1.15-improve-bad-password-inference.patch
 Patch169: krb5-1.15-kdc-error-encrypted-timestamp.patch
 Patch170: krb5-1.14.4-samba-client-mutual-flag.patch
 Patch171: krb5-1.14.4-responder-non-preauth.patch
 Patch172: krb5-1.15-krb5_db_register_keytab.patch
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@ -254,41 +246,25 @@ interface is not considered stable.
 %setup -q -n %{name}-%{version}%{prerelease} -a 3
 ln NOTICE LICENSE
-%patch60 -p1 -b .pam
+%patch1 -p1 -b .krb5-1.12.1-pam
-
+%patch2 -p1 -b .krb5-1.13-selinux-label
-%patch63 -p1 -b .selinux-label
+%patch3 -p1 -b .krb5-1.12-ksu-path
-
+%patch4 -p1 -b .krb5-1.12-ktany
-%patch6  -p1 -b .ksu-path
+%patch5 -p1 -b .krb5-1.12-buildconf
-%patch12 -p1 -b .ktany
+%patch6 -p1 -b .krb5-1.3.1-dns
-%patch16 -p1 -b .buildconf %{?_rawbuild}
+%patch7 -p1 -b .krb5-1.12-api
-%patch23 -p1 -b .dns %{?_rawbuild}
+%patch8 -p1 -b .krb5-1.13-dirsrv-accountlock
-%patch39 -p1 -b .api
+%patch9 -p1 -b .krb5-1.9-debuginfo
-%patch71 -p1 -b .dirsrv-accountlock %{?_rawbuild}
+%patch10 -p1 -b .krb5-1.11-run_user_0
-%patch86 -p0 -b .debuginfo
+%patch11 -p1 -b .krb5-1.11-kpasswdtest
-
+%patch12 -p1 -b .Fix-impersonate_name-to-work-with-interposers
-# Apply when the hard-wired or configured default location is
+%patch13 -p1 -b .Create-KDC-and-kadmind-log-files-with-mode-0640
-# DIR:/run/user/%%{uid}/krb5cc.
+%patch14 -p1 -b .Add-KDC-pre-send-and-post-receive-KDC-hooks
-%patch129 -p1 -b .run_user_0
+%patch15 -p1 -b .Add-tests-for-send-and-receive-sendto_kdc-hooks
-
+%patch16 -p1 -b .Set-prompt-type-for-OTP-preauth-prompt
-%patch134 -p1 -b .kpasswdtest
+%patch17 -p1 -b .Improve-bad-password-inference-in-kinit
-
+%patch18 -p1 -b .Change-KDC-error-for-encrypted-timestamp-preauth
-%patch148 -p1 -b .ofd-lock-workaround
+%patch19 -p1 -b .Add-krb5_db_register_keytab
 %patch150 -p1 -b .fix_interposer
 %patch153 -p1 -b .log_file_permissions
 %patch164 -p1 -b .kdc_send_receive_hooks
 %patch165 -p1 -b .kdc_hooks_test
 %patch166 -p1 -b .SNI-HTTP-Host
 %patch167 -p1 -b .otp-preauth-prompt-type
 %patch168 -p1 -b .improve-bad-password-inference
 %patch169 -p1 -b .kdc-error-encrypted-timestamp
 %patch170 -p1 -b .samba-client-mutual-flag
 %patch171 -p1 -b .responder-non-preauth
 %patch172 -p1 -b .krb5_db_register_keytab
 # Take the execute bit off of documentation.
 chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
@ -758,6 +734,10 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*
 %changelog
 * Mon Sep 19 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.4-1
 - New upstream release
 - Update names and numbers to match external git
 * Mon Sep 19 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.3-9
 - Add krb5_db_register_keytab
 - Resolves: #1376812
--- a/6
+++ b/6
@ -1,3 +1,3 @@
-f76e4f8a3c95bb59980dd5ef4b48aea9  krb5-1.14.3.tar.gz
+ba90f5701fc2dda76133c1f34ba4ee80  krb5-1.14.4.tar.gz
-438c48157c7b7daf6f133ffe6369342e  krb5-1.14.3.tar.gz.asc
+1d91e165f25519bbb60b4715bcabda0f  krb5-1.14.4.tar.gz.asc
-c2385c39dfed8ecad41052abd09a49c9  krb5-1.14.3-pdfs.tar
+c2385c39dfed8ecad41052abd09a49c9  krb5-1.14.4-pdfs.tar