From 39ba823db63ab6db1be81fb776a96700f0c61c91 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Mon, 20 May 2019 16:49:04 -0400 Subject: [PATCH] Test & docs fixes in preparation for DES removal --- ...-the-doc-kadm5-tex-files-as-historic.patch | 139 +++++++++++ ...ze-example-enctypes-in-documentation.patch | 231 ++++++++++++++++++ ....1-SAM-tests-to-use-a-modern-enctype.patch | 85 +++++++ krb5.spec | 8 +- 4 files changed, 462 insertions(+), 1 deletion(-) create mode 100644 Mark-the-doc-kadm5-tex-files-as-historic.patch create mode 100644 Modernize-example-enctypes-in-documentation.patch create mode 100644 Update-ASN.1-SAM-tests-to-use-a-modern-enctype.patch diff --git a/Mark-the-doc-kadm5-tex-files-as-historic.patch b/Mark-the-doc-kadm5-tex-files-as-historic.patch new file mode 100644 index 0000000..bacbb1b --- /dev/null +++ b/Mark-the-doc-kadm5-tex-files-as-historic.patch 
@@ -0,0 +1,139 @@ +From 7385ae430280e839a2a0b5a7c5a6be1b2b24aef4 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Thu, 11 Apr 2019 18:33:04 -0400 +Subject: [PATCH] Mark the doc/kadm5 tex files as historic + +Remove rcsid.sty and the uses of the \rcsId macro as git does not +perform the keyword expansion necessary to make it work. Add comments +indicating the historic status of the kadm5 documentation. + +[ghudson@mit.edu: fix the tex files instead of marking them as +non-building] + +(cherry picked from commit e6047bdd6dec0d104417f9a1318bbafe022b81c1) +--- + doc/kadm5/adb-unit-test.tex | 7 ++++--- + doc/kadm5/api-funcspec.tex | 9 +++++---- + doc/kadm5/api-server-design.tex | 9 +++++---- + doc/kadm5/api-unit-test.tex | 7 ++++--- + doc/kadm5/rcsid.sty | 5 ----- + 5 files changed, 18 insertions(+), 19 deletions(-) + delete mode 100644 doc/kadm5/rcsid.sty + +diff --git a/doc/kadm5/adb-unit-test.tex b/doc/kadm5/adb-unit-test.tex +index d401342df..987af1a5e 100644 +--- a/doc/kadm5/adb-unit-test.tex ++++ b/doc/kadm5/adb-unit-test.tex +@@ -1,6 +1,7 @@ +-\documentstyle[times,fullpage,rcsid]{article} ++% This document is included for historical purposes only, and does not ++% apply to krb5 today. + +-\rcs$Id$ ++\documentstyle[times,fullpage]{article} + + %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + %% Make _ actually generate an _, and allow line-breaking after it. +@@ -39,7 +40,7 @@ + %\newcommand{\Priority}[1]{} + + \title{OpenV*Secure Admin Database API\\ +-Unit Test Description\footnote{\rcsId}} ++Unit Test Description} + \author{Jonathan I. Kamens} + + \begin{document} +diff --git a/doc/kadm5/api-funcspec.tex b/doc/kadm5/api-funcspec.tex +index c13090a51..76d2bb5d0 100644 +--- a/doc/kadm5/api-funcspec.tex ++++ b/doc/kadm5/api-funcspec.tex +@@ -1,4 +1,7 @@ +-\documentstyle[12pt,fullpage,rcsid]{article} ++% This document is included for historical purposes only, and does not ++% apply to krb5 today. 
++ ++\documentstyle[12pt,fullpage]{article} + + %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + %% Make _ actually generate an _, and allow line-breaking after it. +@@ -7,15 +10,13 @@ + \def_{\underscore\penalty75\relax} + %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +-\rcs$Id$ +- + \setlength{\parskip}{.7\baselineskip} + \setlength{\parindent}{0pt} + + \def\v#1{\verb+#1+} + + \title{Kerberos Administration System \\ +- KADM5 API Functional Specifications\thanks{\rcsId}} ++ KADM5 API Functional Specifications} + \author{Barry Jaspan} + + \begin{document} +diff --git a/doc/kadm5/api-server-design.tex b/doc/kadm5/api-server-design.tex +index 228e83113..94e05b877 100644 +--- a/doc/kadm5/api-server-design.tex ++++ b/doc/kadm5/api-server-design.tex +@@ -1,4 +1,7 @@ +-\documentstyle[12pt,fullpage,rcsid]{article} ++% This document is included for historical purposes only, and does not ++% apply to krb5 today. ++ ++\documentstyle[12pt,fullpage]{article} + + %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + %% Make _ actually generate an _, and allow line-breaking after it. +@@ -7,15 +10,13 @@ + \def_{\underscore\penalty75\relax} + %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +-\rcs$Id$ +- + \setlength{\parskip}{.7\baselineskip} + \setlength{\parindent}{0pt} + + \def\v#1{\verb+#1+} + \def\k#1{K$_#1$} + +-\title{KADM5 Library and Server \\ Implementation Design\thanks{\rcsId}} ++\title{KADM5 Library and Server \\ Implementation Design} + \author{Barry Jaspan} + + \begin{document} +diff --git a/doc/kadm5/api-unit-test.tex b/doc/kadm5/api-unit-test.tex +index 3e0eb503e..bfd6280bb 100644 +--- a/doc/kadm5/api-unit-test.tex ++++ b/doc/kadm5/api-unit-test.tex +@@ -1,6 +1,7 @@ +-\documentstyle[times,fullpage,rcsid]{article} ++% This document is included for historical purposes only, and does not ++% apply to krb5 today. 
+ +-\rcs$Id$ ++\documentstyle[times,fullpage]{article} + + %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + %% Make _ actually generate an _, and allow line-breaking after it. +@@ -41,7 +42,7 @@ + %\newcommand{\Priority}[1]{} + + \title{KADM5 Admin API\\ +-Unit Test Description\footnote{\rcsId}} ++Unit Test Description} + \author{Jonathan I. Kamens} + + \begin{document} +diff --git a/doc/kadm5/rcsid.sty b/doc/kadm5/rcsid.sty +deleted file mode 100644 +index 3ad7826ff..000000000 +--- a/doc/kadm5/rcsid.sty ++++ /dev/null +@@ -1,5 +0,0 @@ +-\def\rcs$#1: #2${\expandafter\def\csname rcs#1\endcsname{#2}} +- +-% example usage: +-% \rcs$Version$ +-% Version \rcsVersion diff --git a/Modernize-example-enctypes-in-documentation.patch b/Modernize-example-enctypes-in-documentation.patch new file mode 100644 index 0000000..7c3d87c --- /dev/null +++ b/Modernize-example-enctypes-in-documentation.patch 
@@ -0,0 +1,231 @@ +From 6eb0931738f26890952de08d4ea9de24b0f684f5 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Thu, 11 Apr 2019 18:25:41 -0400 +Subject: [PATCH] Modernize example enctypes in documentation + +ticket: 8805 (new) +(cherry picked from commit ccb4a3e4b35fa9ea63af0e98a42eba4aadb099e2) +--- + doc/admin/admin_commands/kadmin_local.rst | 8 ++++---- + doc/admin/admin_commands/kdb5_util.rst | 10 +++++----- + doc/admin/database.rst | 2 +- + doc/admin/install_appl_srv.rst | 19 +++++++------------ + doc/admin/install_kdc.rst | 2 +- + src/man/kadmin.man | 10 +++++----- + src/man/kdb5_util.man | 10 +++++----- + .../kdb/ldap/libkdb_ldap/kerberos.ldif | 4 ++-- + .../kdb/ldap/libkdb_ldap/kerberos.schema | 4 ++-- + 9 files changed, 32 insertions(+), 37 deletions(-) + +diff --git a/doc/admin/admin_commands/kadmin_local.rst b/doc/admin/admin_commands/kadmin_local.rst +index 150da1fad..71aa894f6 100644 +--- a/doc/admin/admin_commands/kadmin_local.rst ++++ b/doc/admin/admin_commands/kadmin_local.rst +@@ -569,16 +569,16 @@ Examples:: + Principal: tlyu/admin@BLEEP.COM + Expiration date: [never] + Last password change: Mon Aug 12 14:16:47 EDT 1996 +- Password expiration date: [none] ++ Password expiration date: [never] + Maximum ticket life: 0 days 10:00:00 + Maximum renewable life: 7 days 00:00:00 + Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM) + Last successful authentication: [never] + Last failed authentication: [never] + Failed password attempts: 0 +- Number of keys: 2 +- Key: vno 1, des-cbc-crc +- Key: vno 1, des-cbc-crc:v4 ++ Number of keys: 1 ++ Key: vno 1, aes256-cts-hmac-sha384-192 ++ MKey: vno 1 + Attributes: + Policy: [none] + +diff --git a/doc/admin/admin_commands/kdb5_util.rst b/doc/admin/admin_commands/kdb5_util.rst +index 7dd54f797..444c58bcd 100644 +--- a/doc/admin/admin_commands/kdb5_util.rst ++++ b/doc/admin/admin_commands/kdb5_util.rst +@@ -476,17 +476,17 @@ Examples:: + $ kdb5_util tabdump -o keyinfo.txt keyinfo + $ cat 
keyinfo.txt + name keyindex kvno enctype salttype salt ++ K/M@EXAMPLE.COM 0 1 aes256-cts-hmac-sha384-192 normal -1 + foo@EXAMPLE.COM 0 1 aes128-cts-hmac-sha1-96 normal -1 + bar@EXAMPLE.COM 0 1 aes128-cts-hmac-sha1-96 normal -1 +- bar@EXAMPLE.COM 1 1 des-cbc-crc normal -1 + $ sqlite3 + sqlite> .mode tabs + sqlite> .import keyinfo.txt keyinfo +- sqlite> select * from keyinfo where enctype like 'des-cbc-%'; +- bar@EXAMPLE.COM 1 1 des-cbc-crc normal -1 ++ sqlite> select * from keyinfo where enctype like 'aes256-%'; ++ K/M@EXAMPLE.COM 1 1 aes256-cts-hmac-sha384-192 normal -1 + sqlite> .quit +- $ awk -F'\t' '$4 ~ /des-cbc-/ { print }' keyinfo.txt +- bar@EXAMPLE.COM 1 1 des-cbc-crc normal -1 ++ $ awk -F'\t' '$4 ~ /aes256-/ { print }' keyinfo.txt ++ K/M@EXAMPLE.COM 1 1 aes256-cts-hmac-sha384-192 normal -1 + + + ENVIRONMENT +diff --git a/doc/admin/database.rst b/doc/admin/database.rst +index 113a680a6..0eb5ccde7 100644 +--- a/doc/admin/database.rst ++++ b/doc/admin/database.rst +@@ -483,7 +483,7 @@ availability. To roll over the master key, follow these steps: + + $ kdb5_util list_mkeys + Master keys for Principal: K/M@KRBTEST.COM +- KVNO: 1, Enctype: des-cbc-crc, Active on: Wed Dec 31 19:00:00 EST 1969 * ++ KVNO: 1, Enctype: aes256-cts-hmac-sha384-192, Active on: Thu Jan 01 00:00:00 UTC 1970 * + + #. On the master KDC, run ``kdb5_util use_mkey 1`` to ensure that a + master key activation list is present in the database. 
This step +diff --git a/doc/admin/install_appl_srv.rst b/doc/admin/install_appl_srv.rst +index 6bae7248f..6b2d8e471 100644 +--- a/doc/admin/install_appl_srv.rst ++++ b/doc/admin/install_appl_srv.rst +@@ -44,18 +44,13 @@ pop, the administrator ``joeadmin`` would issue the command (on + ``trillium.mit.edu``):: + + trillium% kadmin +- kadmin5: ktadd host/trillium.mit.edu ftp/trillium.mit.edu +- pop/trillium.mit.edu +- kadmin: Entry for principal host/trillium.mit.edu@ATHENA.MIT.EDU with +- kvno 3, encryption type DES-CBC-CRC added to keytab +- FILE:/etc/krb5.keytab. +- kadmin: Entry for principal ftp/trillium.mit.edu@ATHENA.MIT.EDU with +- kvno 3, encryption type DES-CBC-CRC added to keytab +- FILE:/etc/krb5.keytab. +- kadmin: Entry for principal pop/trillium.mit.edu@ATHENA.MIT.EDU with +- kvno 3, encryption type DES-CBC-CRC added to keytab +- FILE:/etc/krb5.keytab. +- kadmin5: quit ++ Authenticating as principal root/admin@ATHENA.MIT.EDU with password. ++ Password for root/admin@ATHENA.MIT.EDU: ++ kadmin: ktadd host/trillium.mit.edu ftp/trillium.mit.edu pop/trillium.mit.edu ++ Entry for principal host/trillium.mit.edu@ATHENA.MIT.EDU with kvno 3, encryption type aes256-cts-hmac-sha384-192 added to keytab FILE:/etc/krb5.keytab. ++ kadmin: Entry for principal ftp/trillium.mit.edu@ATHENA.MIT.EDU with kvno 3, encryption type aes256-cts-hmac-sha384-192 added to keytab FILE:/etc/krb5.keytab. ++ kadmin: Entry for principal pop/trillium.mit.edu@ATHENA.MIT.EDU with kvno 3, encryption type aes256-cts-hmac-sha384-192 added to keytab FILE:/etc/krb5.keytab. 
++ kadmin: quit + trillium% + + If you generate the keytab file on another host, you need to get a +diff --git a/doc/admin/install_kdc.rst b/doc/admin/install_kdc.rst +index 5d1e70ede..3bec59f96 100644 +--- a/doc/admin/install_kdc.rst ++++ b/doc/admin/install_kdc.rst +@@ -340,7 +340,7 @@ To extract a keytab directly on a replica KDC called + Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption + type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab. + Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption +- type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab. ++ type aes256-cts-hmac-sha384-192 added to keytab FILE:/etc/krb5.keytab. + Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption + type arcfour-hmac added to keytab FILE:/etc/krb5.keytab. + +diff --git a/src/man/kadmin.man b/src/man/kadmin.man +index 849677258..44859a378 100644 +--- a/src/man/kadmin.man ++++ b/src/man/kadmin.man +@@ -1,6 +1,6 @@ + .\" Man page generated from reStructuredText. + . +-.TH "KADMIN" "1" " " "1.17" "MIT Kerberos" ++.TH "KADMIN" "1" " " "1.18" "MIT Kerberos" + .SH NAME + kadmin \- Kerberos V5 database administration program + . 
+@@ -610,16 +610,16 @@ kadmin: getprinc tlyu/admin + Principal: tlyu/admin@BLEEP.COM + Expiration date: [never] + Last password change: Mon Aug 12 14:16:47 EDT 1996 +-Password expiration date: [none] ++Password expiration date: [never] + Maximum ticket life: 0 days 10:00:00 + Maximum renewable life: 7 days 00:00:00 + Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM) + Last successful authentication: [never] + Last failed authentication: [never] + Failed password attempts: 0 +-Number of keys: 2 +-Key: vno 1, des\-cbc\-crc +-Key: vno 1, des\-cbc\-crc:v4 ++Number of keys: 1 ++Key: vno 1, aes256\-cts\-hmac\-sha384\-192 ++MKey: vno 1 + Attributes: + Policy: [none] + +diff --git a/src/man/kdb5_util.man b/src/man/kdb5_util.man +index 9a36ef0df..46772a236 100644 +--- a/src/man/kdb5_util.man ++++ b/src/man/kdb5_util.man +@@ -529,17 +529,17 @@ Examples: + $ kdb5_util tabdump \-o keyinfo.txt keyinfo + $ cat keyinfo.txt + name keyindex kvno enctype salttype salt ++K/M@EXAMPLE.COM 0 1 aes256\-cts\-hmac\-sha384\-192 normal \-1 + foo@EXAMPLE.COM 0 1 aes128\-cts\-hmac\-sha1\-96 normal \-1 + bar@EXAMPLE.COM 0 1 aes128\-cts\-hmac\-sha1\-96 normal \-1 +-bar@EXAMPLE.COM 1 1 des\-cbc\-crc normal \-1 + $ sqlite3 + sqlite> .mode tabs + sqlite> .import keyinfo.txt keyinfo +-sqlite> select * from keyinfo where enctype like \(aqdes\-cbc\-%\(aq; +-bar@EXAMPLE.COM 1 1 des\-cbc\-crc normal \-1 ++sqlite> select * from keyinfo where enctype like \(aqaes256\-%\(aq; ++K/M@EXAMPLE.COM 1 1 aes256\-cts\-hmac\-sha384\-192 normal \-1 + sqlite> .quit +-$ awk \-F\(aq\et\(aq \(aq$4 ~ /des\-cbc\-/ { print }\(aq keyinfo.txt +-bar@EXAMPLE.COM 1 1 des\-cbc\-crc normal \-1 ++$ awk \-F\(aq\et\(aq \(aq$4 ~ /aes256\-/ { print }\(aq keyinfo.txt ++K/M@EXAMPLE.COM 1 1 aes256\-cts\-hmac\-sha384\-192 normal \-1 + .ft P + .fi + .UNINDENT +diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif b/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif +index 13db48609..4224f0850 100644 +--- 
a/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif ++++ b/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif +@@ -512,7 +512,7 @@ attributetypes: ( 2.16.840.1.113719.1.301.4.41.1 + + ##### Holds the default encryption/salt type combinations of principals for + ##### the Realm. Stores in the form of key:salt strings. +-##### Example: des-cbc-crc:normal ++##### Example: aes256-cts-hmac-sha384-192:normal + + dn: cn=schema + changetype: modify +@@ -533,7 +533,7 @@ attributetypes: ( 2.16.840.1.113719.1.301.4.42.1 + ##### ONLYREALM + ##### SPECIAL + ##### AFS3 +-##### Example: des-cbc-crc:normal ++##### Example: aes256-cts-hmac-sha384-192:normal + ##### + ##### This attribute obsoletes the krbSupportedEncTypes and krbSupportedSaltTypes + ##### attributes. +diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema b/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema +index 52036a178..171f66927 100644 +--- a/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema ++++ b/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema +@@ -410,7 +410,7 @@ attributetype ( 2.16.840.1.113719.1.301.4.41.1 + ##### Holds the default encryption/salt type combinations of principals for + ##### the Realm. Stores in the form of key:salt strings. This will be + ##### subset of the supported encryption/salt types. +-##### Example: des-cbc-crc:normal ++##### Example: aes256-cts-hmac-sha384-192:normal + + attributetype ( 2.16.840.1.113719.1.301.4.42.1 + NAME 'krbDefaultEncSaltTypes' +@@ -428,7 +428,7 @@ attributetype ( 2.16.840.1.113719.1.301.4.42.1 + ##### ONLYREALM + ##### SPECIAL + ##### AFS3 +-##### Example: des-cbc-crc:normal ++##### Example: aes256-cts-hmac-sha384-192:normal + + attributetype ( 2.16.840.1.113719.1.301.4.43.1 + NAME 'krbSupportedEncSaltTypes' diff --git a/Update-ASN.1-SAM-tests-to-use-a-modern-enctype.patch b/Update-ASN.1-SAM-tests-to-use-a-modern-enctype.patch new file mode 100644 index 0000000..f90a723 --- /dev/null +++ b/Update-ASN.1-SAM-tests-to-use-a-modern-enctype.patch 
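Review bot: In the kdb5_util tabdump example (doc/admin/admin_commands/kdb5_util.rst and the matching src/man/kdb5_util.man hunk), the sample output no longer matches its own input. The new K/M@EXAMPLE.COM row has keyindex 0 in the `cat keyinfo.txt` listing, but the sqlite and awk result lines show keyindex 1; they should read `K/M@EXAMPLE.COM 0 1 aes256-cts-hmac-sha384-192 normal -1`. The example previously showed how to find single-DES keys in a dump, which is the query an administrator needs when preparing for DES removal. Consider keeping a deprecated-enctype filter as the illustration, or stating in the surrounding text that the same filter can be pointed at enctypes being retired. In install_appl_srv.rst the second and third `Entry for principal` lines carry a `kadmin:` prefix while the first does not; all three are command output, so the prefix should probably be dropped from them.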
@@ -0,0 +1,85 @@ +From f3f8effd4978bc6671adc85d98105ca10a67df1f Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Tue, 16 Apr 2019 14:16:39 -0400 +Subject: [PATCH] Update ASN.1 SAM tests to use a modern enctype + +(cherry picked from commit 3e94e53febc6d5636272f31ae9dba8e3babe9263) +--- + src/tests/asn.1/krb5_decode_test.c | 2 +- + src/tests/asn.1/ktest.c | 4 ++-- + src/tests/asn.1/reference_encode.out | 4 ++-- + src/tests/asn.1/trval_reference.out | 4 ++-- + 4 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/src/tests/asn.1/krb5_decode_test.c b/src/tests/asn.1/krb5_decode_test.c +index ee70fa4b9..cbd99ba63 100644 +--- a/src/tests/asn.1/krb5_decode_test.c ++++ b/src/tests/asn.1/krb5_decode_test.c +@@ -934,7 +934,7 @@ int main(argc, argv) + /* decode_sam_challenge_2_body */ + { + setup(krb5_sam_challenge_2_body,ktest_make_sample_sam_challenge_2_body); +- decode_run("sam_challenge_2_body","","30 64 A0 03 02 01 2A A1 07 03 05 00 80 00 00 00 A2 0B 04 09 74 79 70 65 20 6E 61 6D 65 A4 11 04 0F 63 68 61 6C 6C 65 6E 67 65 20 6C 61 62 65 6C A5 10 04 0E 63 68 61 6C 6C 65 6E 67 65 20 69 70 73 65 A6 16 04 14 72 65 73 70 6F 6E 73 65 5F 70 72 6F 6D 70 74 20 69 70 73 65 A8 05 02 03 54 32 10 A9 03 02 01 01",decode_krb5_sam_challenge_2_body,ktest_equal_sam_challenge_2_body,krb5_free_sam_challenge_2_body); ++ decode_run("sam_challenge_2_body","","30 64 A0 03 02 01 2A A1 07 03 05 00 80 00 00 00 A2 0B 04 09 74 79 70 65 20 6E 61 6D 65 A4 11 04 0F 63 68 61 6C 6C 65 6E 67 65 20 6C 61 62 65 6C A5 10 04 0E 63 68 61 6C 6C 65 6E 67 65 20 69 70 73 65 A6 16 04 14 72 65 73 70 6F 6E 73 65 5F 70 72 6F 6D 70 74 20 69 70 73 65 A8 05 02 03 54 32 10 A9 03 02 01 14",decode_krb5_sam_challenge_2_body,ktest_equal_sam_challenge_2_body,krb5_free_sam_challenge_2_body); + ktest_empty_sam_challenge_2_body(&ref); + + } +diff --git a/src/tests/asn.1/ktest.c b/src/tests/asn.1/ktest.c +index 5bfdc5be2..6bf6e54ac 100644 +--- a/src/tests/asn.1/ktest.c ++++ b/src/tests/asn.1/ktest.c +@@ -507,7 
+507,7 @@ ktest_make_sample_sam_challenge_2_body(krb5_sam_challenge_2_body *p) + krb5_data_parse(&p->sam_response_prompt, "response_prompt ipse"); + p->sam_pk_for_sad = empty_data(); + p->sam_nonce = 0x543210; +- p->sam_etype = ENCTYPE_DES_CBC_CRC; ++ p->sam_etype = ENCTYPE_AES256_CTS_HMAC_SHA384_192; + } + + void +@@ -518,7 +518,7 @@ ktest_make_sample_sam_response_2(krb5_sam_response_2 *p) + p->sam_flags = KRB5_SAM_USE_SAD_AS_KEY; /* KRB5_SAM_* values */ + krb5_data_parse(&p->sam_track_id, "track data"); + krb5_data_parse(&p->sam_enc_nonce_or_sad.ciphertext, "nonce or sad"); +- p->sam_enc_nonce_or_sad.enctype = ENCTYPE_DES_CBC_CRC; ++ p->sam_enc_nonce_or_sad.enctype = ENCTYPE_AES256_CTS_HMAC_SHA384_192; + p->sam_enc_nonce_or_sad.kvno = 3382; + p->sam_nonce = 0x543210; + } +diff --git a/src/tests/asn.1/reference_encode.out b/src/tests/asn.1/reference_encode.out +index a76deead2..80b18a2fb 100644 +--- a/src/tests/asn.1/reference_encode.out ++++ b/src/tests/asn.1/reference_encode.out +@@ -49,8 +49,8 @@ encode_krb5_enc_data: 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 4 + encode_krb5_enc_data(MSB-set kvno): 30 26 A0 03 02 01 00 A1 06 02 04 FF 00 00 00 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 + encode_krb5_enc_data(kvno=-1): 30 23 A0 03 02 01 00 A1 03 02 01 FF A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 + encode_krb5_sam_challenge_2: 30 22 A0 0D 30 0B 04 09 63 68 61 6C 6C 65 6E 67 65 A1 11 30 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34 +-encode_krb5_sam_challenge_2_body: 30 64 A0 03 02 01 2A A1 07 03 05 00 80 00 00 00 A2 0B 04 09 74 79 70 65 20 6E 61 6D 65 A4 11 04 0F 63 68 61 6C 6C 65 6E 67 65 20 6C 61 62 65 6C A5 10 04 0E 63 68 61 6C 6C 65 6E 67 65 20 69 70 73 65 A6 16 04 14 72 65 73 70 6F 6E 73 65 5F 70 72 6F 6D 70 74 20 69 70 73 65 A8 05 02 03 54 32 10 A9 03 02 01 01 +-encode_krb5_sam_response_2: 30 42 A0 03 02 01 2B A1 07 03 05 00 80 00 00 00 A2 0C 04 0A 74 72 61 63 6B 20 64 61 74 61 
A3 1D 30 1B A0 03 02 01 01 A1 04 02 02 0D 36 A2 0E 04 0C 6E 6F 6E 63 65 20 6F 72 20 73 61 64 A4 05 02 03 54 32 10 ++encode_krb5_sam_challenge_2_body: 30 64 A0 03 02 01 2A A1 07 03 05 00 80 00 00 00 A2 0B 04 09 74 79 70 65 20 6E 61 6D 65 A4 11 04 0F 63 68 61 6C 6C 65 6E 67 65 20 6C 61 62 65 6C A5 10 04 0E 63 68 61 6C 6C 65 6E 67 65 20 69 70 73 65 A6 16 04 14 72 65 73 70 6F 6E 73 65 5F 70 72 6F 6D 70 74 20 69 70 73 65 A8 05 02 03 54 32 10 A9 03 02 01 14 ++encode_krb5_sam_response_2: 30 42 A0 03 02 01 2B A1 07 03 05 00 80 00 00 00 A2 0C 04 0A 74 72 61 63 6B 20 64 61 74 61 A3 1D 30 1B A0 03 02 01 14 A1 04 02 02 0D 36 A2 0E 04 0C 6E 6F 6E 63 65 20 6F 72 20 73 61 64 A4 05 02 03 54 32 10 + encode_krb5_enc_sam_response_enc_2: 30 1F A0 03 02 01 58 A1 18 04 16 65 6E 63 5F 73 61 6D 5F 72 65 73 70 6F 6E 73 65 5F 65 6E 63 5F 32 + encode_krb5_pa_for_user: 30 4B A0 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34 A3 0A 1B 08 6B 72 62 35 64 61 74 61 + encode_krb5_pa_s4u_x509_user: 30 68 A0 55 30 53 A0 06 02 04 00 CA 14 9A A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 12 04 10 70 61 5F 73 34 75 5F 78 35 30 39 5F 75 73 65 72 A4 07 03 05 00 80 00 00 00 A1 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34 +diff --git a/src/tests/asn.1/trval_reference.out b/src/tests/asn.1/trval_reference.out +index e5c715924..432fdcebb 100644 +--- a/src/tests/asn.1/trval_reference.out ++++ b/src/tests/asn.1/trval_reference.out +@@ -1180,7 +1180,7 @@ encode_krb5_sam_challenge_2_body: + . [5] [Octet String] "challenge ipse" + . [6] [Octet String] "response_prompt ipse" + . [8] [Integer] 5517840 +-. [9] [Integer] 1 ++. [9] [Integer] 20 + + encode_krb5_sam_response_2: + +@@ -1189,7 +1189,7 @@ encode_krb5_sam_response_2: + . [1] [Bit String] 0x80000000 + . 
[2] [Octet String] "track data" + . [3] [Sequence/Sequence Of] +-. . [0] [Integer] 1 ++. . [0] [Integer] 20 + . . [1] [Integer] 3382 + . . [2] [Octet String] "nonce or sad" + . [4] [Integer] 5517840 diff --git a/krb5.spec b/krb5.spec index 3774e73..f679038 100644 --- a/krb5.spec +++ b/krb5.spec @@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.17 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces) -Release: 22%{?dist} +Release: 23%{?dist} # lookaside-cached sources; two downloads and a build artifact Source0: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}%{prerelease}.tar.gz @@ -94,6 +94,9 @@ Patch126: Remove-more-dead-code.patch Patch127: krb5-1.17post2-FIPS-with-PRNG-SPAKE-and-RADIUS.patch Patch128: Remove-checksum-type-profile-variables.patch Patch129: Remove-dead-variable-def_kslist-from-two-files.patch +Patch130: Mark-the-doc-kadm5-tex-files-as-historic.patch +Patch131: Modernize-example-enctypes-in-documentation.patch +Patch132: Update-ASN.1-SAM-tests-to-use-a-modern-enctype.patch License: MIT URL: https://web.mit.edu/kerberos/www/ @@ -703,6 +706,9 @@ exit 0 %{_libdir}/libkadm5srv_mit.so.* %changelog +* Mon May 20 2019 Robbie Harwood - 1.17-23 +- Test & docs fixes in preparation for DES removal + * Wed May 15 2019 Robbie Harwood - 1.17-22 - Drop krb5_realm_compare() etc. NULL check patches
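Review bot: Nothing ties the `02 01 14` INTEGER in the expected DER strings (krb5_decode_test.c and reference_encode.out) to the `ENCTYPE_AES256_CTS_HMAC_SHA384_192` constant now set in ktest.c. A short comment above the `decode_run("sam_challenge_2_body", ...)` call would make the next enctype change less error-prone, for example `/* trailing A9 03 02 01 14 is sam-etype [9] INTEGER 20, matching ktest_make_sample_sam_challenge_2_body() */`. Only the sam_challenge_2_body decode vector is changed here, and the rest of main() is outside the hunk. It is worth confirming that no decode vector for sam_response_2 elsewhere in the file still carries the old `02 01 01` etype.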