Remove support for single-DES and CRC

Add-missing-newlines-to-deprecation-warnings.patch

@@ -1,4 +1,4 @@
-From d60851da93427e05793d52825ebc49448ae365b2 Mon Sep 17 00:00:00 2001
+From 4928699bdfd051bf0d69afee0b15574c15f40a48 Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Tue, 21 May 2019 12:52:26 -0400
 Subject: [PATCH] Add missing newlines to deprecation warnings

Display-unsupported-enctype-names.patch

@@ -0,0 +1,79 @@
+From 144eea330aba65a140c0e0bf66ad3cfe06f28899 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Tue, 21 May 2019 13:34:39 -0400
+Subject: [PATCH] Display unsupported enctype names
+
+Add a table of unsupported enctype numbers to enctype_util.c and
+consult it in krb5_enctype_to_name().  Treat unsupported enctype
+numbers as deprecated in krb5int_c_deprecated_enctype().  In kadmin,
+display "UNSUPPORTED:" before invalid enctype names.
+
+ticket: 8808
+(cherry picked from commit ebbc6e8e99ee9d5d757411200a6a3173171774df)
+---
+ src/kadmin/cli/kadmin.c           |  4 +++-
+ src/lib/crypto/krb/enctype_util.c | 22 +++++++++++++++++++++-
+ 2 files changed, 24 insertions(+), 2 deletions(-)
+
+diff --git a/src/kadmin/cli/kadmin.c b/src/kadmin/cli/kadmin.c
+index fe4cb493c..b4d1aad93 100644
+--- a/src/kadmin/cli/kadmin.c
++++ b/src/kadmin/cli/kadmin.c
+@@ -1461,7 +1461,9 @@ kadmin_getprinc(int argc, char *argv[])
+                                      enctype, sizeof(enctype)))
+                 snprintf(enctype, sizeof(enctype), _("<Encryption type 0x%x>"),
+                          key_data->key_data_type[0]);
+-            if (krb5int_c_deprecated_enctype(key_data->key_data_type[0]))
++            if (!krb5_c_valid_enctype(key_data->key_data_type[0]))
++                deprecated = "UNSUPPORTED:";
++            else if (krb5int_c_deprecated_enctype(key_data->key_data_type[0]))
+                 deprecated = "DEPRECATED:";
+             printf("Key: vno %d, %s%s", key_data->key_data_kvno, deprecated,
+                    enctype);
+diff --git a/src/lib/crypto/krb/enctype_util.c b/src/lib/crypto/krb/enctype_util.c
+index e394f4e19..1542d4062 100644
+--- a/src/lib/crypto/krb/enctype_util.c
++++ b/src/lib/crypto/krb/enctype_util.c
+@@ -36,6 +36,18 @@
+ 
+ #include "crypto_int.h"
+ 
++struct {
++    krb5_enctype etype;
++    const char *name;
++} unsupported_etypes[] = {
++    { ENCTYPE_DES_CBC_CRC, "des-cbc-crc" },
++    { ENCTYPE_DES_CBC_MD4, "des-cbc-md4" },
++    { ENCTYPE_DES_CBC_MD5, "des-cbc-md5" },
++    { ENCTYPE_DES_CBC_RAW, "des-cbc-raw" },
++    { ENCTYPE_DES_HMAC_SHA1, "des-hmac-sha1" },
++    { ENCTYPE_NULL, NULL }
++};
++
+ krb5_boolean KRB5_CALLCONV
+ krb5_c_valid_enctype(krb5_enctype etype)
+ {
+@@ -55,7 +67,7 @@ krb5_boolean KRB5_CALLCONV
+ krb5int_c_deprecated_enctype(krb5_enctype etype)
+ {
+     const struct krb5_keytypes *ktp = find_enctype(etype);
+-    return ktp != NULL && (ktp->flags & ETYPE_DEPRECATED) != 0;
++    return ktp == NULL || (ktp->flags & ETYPE_DEPRECATED) != 0;
+ }
+ 
+ krb5_error_code KRB5_CALLCONV
+@@ -122,6 +134,14 @@ krb5_enctype_to_name(krb5_enctype enctype, krb5_boolean shortest,
+     const char *name;
+     int i;
+ 
++    for (i = 0; unsupported_etypes[i].etype != ENCTYPE_NULL; i++) {
++        if (enctype == unsupported_etypes[i].etype) {
++            if (strlcpy(buffer, unsupported_etypes[i].name, buflen) >= buflen)
++                return ENOMEM;
++            return 0;
++        }
++    }
++
+     ktp = find_enctype(enctype);
+     if (ktp == NULL)
+         return EINVAL;

Mark-the-doc-kadm5-tex-files-as-historic.patch

@@ -1,4 +1,4 @@
-From 1b138c349fa167f713572c8a37bc6fa39280396c Mon Sep 17 00:00:00 2001
+From b68ee166602b787c5acabe3d1b4780e527d672a7 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Thu, 11 Apr 2019 18:33:04 -0400
 Subject: [PATCH] Mark the doc/kadm5 tex files as historic

Modernize-example-enctypes-in-documentation.patch

@@ -1,4 +1,4 @@
-From c60e5d66e2aaa9123a333c4f7d5a44fdc735ec66 Mon Sep 17 00:00:00 2001
+From eb4fb8cb24e6cac194acc2c507b334658fc5431d Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Thu, 11 Apr 2019 18:25:41 -0400
 Subject: [PATCH] Modernize example enctypes in documentation

Remove-checksum-type-profile-variables.patch

@@ -1,4 +1,4 @@
-From 69bd1ba5a7002856778cf1d46082423ef89a0c0c Mon Sep 17 00:00:00 2001
+From 46aa5ffd844a280f368d78c7c395bb1b2323dfbe Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Mon, 13 May 2019 14:19:57 -0400
 Subject: [PATCH] Remove checksum type profile variables

Remove-dead-variable-def_kslist-from-two-files.patch

@@ -1,4 +1,4 @@
-From 5a009bddbec41c5811db9f7d0583fa4e4b726ee9 Mon Sep 17 00:00:00 2001
+From cc4aace493d1caaca9edebcc5d836e847e358afd Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Thu, 2 May 2019 16:57:51 -0400
 Subject: [PATCH] Remove dead variable def_kslist from two files

Remove-the-v4-and-afs3-salt-types.patch

@@ -0,0 +1,508 @@
+From 35395701a34f68e99abfe23d07b93c59cd63ad50 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Fri, 24 May 2019 13:11:44 -0400
+Subject: [PATCH] Remove the v4 and afs3 salt types
+
+In preparation for removing single-DES support, remove the v4 and afs3
+salt types.  The afs3 salt type could only be used with single-DES
+keys, and the v4 salt type was only useful for single-DES keys from
+krb4 databases.
+
+[ghudson@mit.edu: wrote commit message]
+
+ticket: 8808
+(cherry picked from commit e0a35ff48c09a26ebb9aefd7e98855a84574b8be)
+---
+ doc/admin/conf_files/kdc_conf.rst             |  2 -
+ src/include/kdb.h                             |  4 +-
+ src/kadmin/testing/proto/kdc.conf.proto       |  2 +-
+ src/kdc/kdc_preauth.c                         | 40 +++++--------------
+ .../api.current/chpass-principal-v2.exp       |  8 ++--
+ .../api.current/get-principal-v2.exp          |  4 +-
+ src/lib/kdb/kdb5.c                            |  4 --
+ src/lib/kdb/kdb_cpw.c                         | 16 +-------
+ src/lib/krb5/krb/str_conv.c                   |  2 -
+ src/lib/krb5/krb/t_get_etype_info.py          |  7 ----
+ src/man/kdc.conf.man                          | 14 +------
+ src/tests/dejagnu/config/default.exp          | 17 --------
+ src/tests/t_etype_info.py                     | 24 +----------
+ src/tests/t_keytab.py                         |  5 ---
+ src/tests/t_renprinc.py                       |  2 +-
+ src/tests/t_salt.py                           | 26 +-----------
+ src/util/k5test.py                            | 11 -----
+ 17 files changed, 24 insertions(+), 164 deletions(-)
+
+diff --git a/doc/admin/conf_files/kdc_conf.rst b/doc/admin/conf_files/kdc_conf.rst
+index c73791ceb..62d1bfc05 100644
+--- a/doc/admin/conf_files/kdc_conf.rst
++++ b/doc/admin/conf_files/kdc_conf.rst
+@@ -917,10 +917,8 @@ follows:
+ 
+ ================= ============================================
+ normal            default for Kerberos Version 5
+-v4                the only type used by Kerberos Version 4 (no salt)
+ norealm           same as the default, without using realm information
+ onlyrealm         uses only realm information as the salt
+-afs3              AFS version 3, only used for compatibility with Kerberos 4 in AFS
+ special           generate a random salt
+ ================= ============================================
+ 
+diff --git a/src/include/kdb.h b/src/include/kdb.h
+index 9812a35e6..7749cfc99 100644
+--- a/src/include/kdb.h
++++ b/src/include/kdb.h
+@@ -73,11 +73,11 @@
+ 
+ /* Salt types */
+ #define KRB5_KDB_SALTTYPE_NORMAL        0
+-#define KRB5_KDB_SALTTYPE_V4            1
++/* #define KRB5_KDB_SALTTYPE_V4            1 */
+ #define KRB5_KDB_SALTTYPE_NOREALM       2
+ #define KRB5_KDB_SALTTYPE_ONLYREALM     3
+ #define KRB5_KDB_SALTTYPE_SPECIAL       4
+-#define KRB5_KDB_SALTTYPE_AFS3          5
++/* #define KRB5_KDB_SALTTYPE_AFS3          5 */
+ #define KRB5_KDB_SALTTYPE_CERTHASH      6
+ 
+ /* Attributes */
+diff --git a/src/kadmin/testing/proto/kdc.conf.proto b/src/kadmin/testing/proto/kdc.conf.proto
+index 61283ac77..45df78b91 100644
+--- a/src/kadmin/testing/proto/kdc.conf.proto
++++ b/src/kadmin/testing/proto/kdc.conf.proto
+@@ -12,5 +12,5 @@
+ 		kadmind_port = 1751
+ 		kpasswd_port = 1752
+ 		master_key_type = des3-hmac-sha1
+-		supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-md5:normal des-cbc-raw:normal
++		supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-md5:normal des-cbc-raw:normal
+ 	}
+diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
+index caf133c14..508a5cf89 100644
+--- a/src/kdc/kdc_preauth.c
++++ b/src/kdc/kdc_preauth.c
+@@ -781,8 +781,8 @@ add_etype_info(krb5_context context, krb5_kdcpreauth_rock rock,
+     return add_pa_data_element(pa_list, pa);
+ }
+ 
+-/* Add PW-SALT or AFS3-SALT entries to pa_list as appropriate for the request
+- * and client principal. */
++/* Add PW-SALT entries to pa_list as appropriate for the request and client
++ * principal. */
+ static krb5_error_code
+ add_pw_salt(krb5_context context, krb5_kdcpreauth_rock rock,
+             krb5_pa_data ***pa_list)
+@@ -801,21 +801,13 @@ add_pw_salt(krb5_context context, krb5_kdcpreauth_rock rock,
+     if (ret)
+         return 0;
+ 
+-    if (salttype == KRB5_KDB_SALTTYPE_AFS3) {
+-        ret = alloc_pa_data(KRB5_PADATA_AFS3_SALT, salt->length + 1, &pa);
+-        if (ret)
+-            goto cleanup;
+-        memcpy(pa->contents, salt->data, salt->length);
+-        pa->contents[salt->length] = '\0';
+-    } else {
+-        /* Steal memory from salt to make the pa-data entry. */
+-        ret = alloc_pa_data(KRB5_PADATA_PW_SALT, 0, &pa);
+-        if (ret)
+-            goto cleanup;
+-        pa->length = salt->length;
+-        pa->contents = (uint8_t *)salt->data;
+-        salt->data = NULL;
+-    }
++    /* Steal memory from salt to make the pa-data entry. */
++    ret = alloc_pa_data(KRB5_PADATA_PW_SALT, 0, &pa);
++    if (ret)
++        goto cleanup;
++    pa->length = salt->length;
++    pa->contents = (uint8_t *)salt->data;
++    salt->data = NULL;
+ 
+     /* add_pa_data_element() claims pa on success or failure. */
+     ret = add_pa_data_element(pa_list, pa);
+@@ -1545,20 +1537,6 @@ _make_etype_info_entry(krb5_context context,
+                                    &salttype, &salt);
+     if (retval)
+         goto cleanup;
+-    if (etype_info2 && salttype == KRB5_KDB_SALTTYPE_AFS3) {
+-        switch (etype) {
+-        case ENCTYPE_DES_CBC_CRC:
+-        case ENCTYPE_DES_CBC_MD4:
+-        case ENCTYPE_DES_CBC_MD5:
+-            retval = alloc_data(&entry->s2kparams, 1);
+-            if (retval)
+-                goto cleanup;
+-            entry->s2kparams.data[0] = 1;
+-            break;
+-        default:
+-            break;
+-        }
+-    }
+ 
+     entry->length = salt->length;
+     entry->salt = (unsigned char *)salt->data;
+diff --git a/src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp b/src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp
+index 8361fb085..db899a1dc 100644
+--- a/src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp
++++ b/src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp
+@@ -18,8 +18,8 @@ proc test200 {} {
+ 
+     # I'd like to specify a long list of keysalt tuples and make sure
+     # that chpass does the right thing, but we can only use those
+-    # enctypes that krbtgt has a key for: des-cbc-crc:normal and
+-    # des-cbc-crc:v4, according to the prototype kdc.conf.
++    # enctypes that krbtgt has a key for: des-cbc-crc:normal
++    # according to the prototype kdc.conf.
+     if {! [cmd [format {
+ 	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+ 		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_3 \
+@@ -53,10 +53,10 @@ proc test200 {} {
+     }
+ 
+     # XXX Perhaps I should actually check the key type returned.
+-    if {$num_keys == 3} {
++    if {$num_keys == 2} {
+ 	pass "$test"
+     } else {
+-	fail "$test: $num_keys keys, should be 3"
++	fail "$test: $num_keys keys, should be 2"
+     }
+     if { ! [cmd {kadm5_destroy $server_handle}]} {
+ 	perror "$test: unexpected failure in destroy"
+diff --git a/src/lib/kadm5/unit-test/api.current/get-principal-v2.exp b/src/lib/kadm5/unit-test/api.current/get-principal-v2.exp
+index 86c45f49e..8526897ed 100644
+--- a/src/lib/kadm5/unit-test/api.current/get-principal-v2.exp
++++ b/src/lib/kadm5/unit-test/api.current/get-principal-v2.exp
+@@ -143,8 +143,8 @@ proc test101_102 {rpc} {
+     }
+ 
+     set failed 0
+-    if {$num_keys != 3} {
+-	fail "$test: num_keys $num_keys should be 3"
++    if {$num_keys != 2} {
++	fail "$test: num_keys $num_keys should be 2"
+ 	set failed 1
+     }
+     for {set i 0} {$i < $num_keys} {incr i} {
+diff --git a/src/lib/kdb/kdb5.c b/src/lib/kdb/kdb5.c
+index da5332217..b81a44312 100644
+--- a/src/lib/kdb/kdb5.c
++++ b/src/lib/kdb/kdb5.c
+@@ -2312,15 +2312,11 @@ krb5_dbe_compute_salt(krb5_context context, const krb5_key_data *key,
+         if (retval)
+             return retval;
+         break;
+-    case KRB5_KDB_SALTTYPE_V4:
+-        sdata = empty_data();
+-        break;
+     case KRB5_KDB_SALTTYPE_NOREALM:
+         retval = krb5_principal2salt_norealm(context, princ, &sdata);
+         if (retval)
+             return retval;
+         break;
+-    case KRB5_KDB_SALTTYPE_AFS3:
+     case KRB5_KDB_SALTTYPE_ONLYREALM:
+         return krb5_copy_data(context, &princ->realm, salt_out);
+     case KRB5_KDB_SALTTYPE_SPECIAL:
+diff --git a/src/lib/kdb/kdb_cpw.c b/src/lib/kdb/kdb_cpw.c
+index 03efc28ed..450860f47 100644
+--- a/src/lib/kdb/kdb_cpw.c
++++ b/src/lib/kdb/kdb_cpw.c
+@@ -260,7 +260,6 @@ add_key_pwd(context, master_key, ks_tuple, ks_tuple_count, passwd,
+     krb5_keysalt          key_salt;
+     krb5_keyblock         key;
+     krb5_data             pwd;
+-    krb5_data             afs_params = string2data("\1"), *s2k_params;
+     int                   i, j;
+     krb5_key_data        *kd_slot;
+ 
+@@ -268,7 +267,6 @@ add_key_pwd(context, master_key, ks_tuple, ks_tuple_count, passwd,
+         krb5_boolean similar;
+ 
+         similar = 0;
+-        s2k_params = NULL;
+ 
+         /*
+          * We could use krb5_keysalt_iterate to replace this loop, or use
+@@ -316,18 +314,6 @@ add_key_pwd(context, master_key, ks_tuple, ks_tuple_count, passwd,
+                                               &key_salt.data)))
+                 return(retval);
+             break;
+-        case KRB5_KDB_SALTTYPE_V4:
+-            key_salt.data.length = 0;
+-            key_salt.data.data = 0;
+-            break;
+-        case KRB5_KDB_SALTTYPE_AFS3:
+-            retval = krb5int_copy_data_contents(context,
+-                                                &db_entry->princ->realm,
+-                                                &key_salt.data);
+-            if (retval)
+-                return retval;
+-            s2k_params = &afs_params;
+-            break;
+         case KRB5_KDB_SALTTYPE_SPECIAL:
+             retval = make_random_salt(context, &key_salt);
+             if (retval)
+@@ -342,7 +328,7 @@ add_key_pwd(context, master_key, ks_tuple, ks_tuple_count, passwd,
+         retval = krb5_c_string_to_key_with_params(context,
+                                                   ks_tuple[i].ks_enctype,
+                                                   &pwd, &key_salt.data,
+-                                                  s2k_params, &key);
++                                                  NULL, &key);
+         if (retval) {
+             free(key_salt.data.data);
+             return retval;
+diff --git a/src/lib/krb5/krb/str_conv.c b/src/lib/krb5/krb/str_conv.c
+index 3d057241b..c8421a8c1 100644
+--- a/src/lib/krb5/krb/str_conv.c
++++ b/src/lib/krb5/krb/str_conv.c
+@@ -61,11 +61,9 @@ struct salttype_lookup_entry {
+ #include "kdb.h"
+ static const struct salttype_lookup_entry salttype_table[] = {
+     { KRB5_KDB_SALTTYPE_NORMAL,     "normal"     },
+-    { KRB5_KDB_SALTTYPE_V4,         "v4",        },
+     { KRB5_KDB_SALTTYPE_NOREALM,    "norealm",   },
+     { KRB5_KDB_SALTTYPE_ONLYREALM,  "onlyrealm", },
+     { KRB5_KDB_SALTTYPE_SPECIAL,    "special",   },
+-    { KRB5_KDB_SALTTYPE_AFS3,       "afs3",      },
+ };
+ static const int salttype_table_nents = sizeof(salttype_table)/
+     sizeof(salttype_table[0]);
+diff --git a/src/lib/krb5/krb/t_get_etype_info.py b/src/lib/krb5/krb/t_get_etype_info.py
+index 7c400be86..3c9168591 100644
+--- a/src/lib/krb5/krb/t_get_etype_info.py
++++ b/src/lib/krb5/krb/t_get_etype_info.py
+@@ -9,9 +9,6 @@ realm.run([kadminl, 'ank', '-nokey', '+preauth', 'pnokey'])
+ realm.run([kadminl, 'ank', '-e', 'aes256-cts:special', '-pw', 'pw', 'exp'])
+ realm.run([kadminl, 'ank', '-e', 'aes256-cts:special', '-pw', 'pw', '+preauth',
+            'pexp'])
+-realm.run([kadminl, 'ank', '-e', 'des-cbc-crc:afs3', '-pw', 'pw', 'afs'])
+-realm.run([kadminl, 'ank', '-e', 'des-cbc-crc:afs3', '-pw', 'pw', '+preauth',
+-           'pafs'])
+ 
+ # Extract the explicit salt values from the database.
+ out = realm.run([kdb5_util, 'tabdump', 'keyinfo'])
+@@ -56,8 +53,4 @@ realm.run(['./t_get_etype_info', 'exp'],
+ realm.run(['./t_get_etype_info', 'pexp'],
+           expected_msg='etype: aes256-cts\nsalt: ' + pexp_salt + '\n')
+ 
+-msg = 'etype: des-cbc-crc\nsalt: KRBTEST.COM\ns2kparams: 01\n'
+-realm.run(['./t_get_etype_info', 'afs'], expected_msg=msg)
+-realm.run(['./t_get_etype_info', 'pafs'], expected_msg=msg)
+-
+ success('krb5_get_etype_info() tests')
+diff --git a/src/man/kdc.conf.man b/src/man/kdc.conf.man
+index ab3ee0289..4a75be8cb 100644
+--- a/src/man/kdc.conf.man
++++ b/src/man/kdc.conf.man
+@@ -1,6 +1,6 @@
+ .\" Man page generated from reStructuredText.
+ .
+-.TH "KDC.CONF" "5" " " "1.17" "MIT Kerberos"
++.TH "KDC.CONF" "5" " " "1.18" "MIT Kerberos"
+ .SH NAME
+ kdc.conf \- Kerberos V5 KDC configuration file
+ .
+@@ -1148,12 +1148,6 @@ default for Kerberos Version 5
+ T}
+ _
+ T{
+-v4
+-T}	T{
+-the only type used by Kerberos Version 4 (no salt)
+-T}
+-_
+-T{
+ norealm
+ T}	T{
+ same as the default, without using realm information
+@@ -1166,12 +1160,6 @@ uses only realm information as the salt
+ T}
+ _
+ T{
+-afs3
+-T}	T{
+-AFS version 3, only used for compatibility with Kerberos 4 in AFS
+-T}
+-_
+-T{
+ special
+ T}	T{
+ generate a random salt
+diff --git a/src/tests/dejagnu/config/default.exp b/src/tests/dejagnu/config/default.exp
+index ea9bedd45..c061d764e 100644
+--- a/src/tests/dejagnu/config/default.exp
++++ b/src/tests/dejagnu/config/default.exp
+@@ -238,22 +238,6 @@ set passes {
+ 	{master_key_type=aes256-cts-hmac-sha1-96}
+ 	{dummy=[verbose -log "AES + DES enctypes, DES3 TGT"]}
+     }
+-    {
+-	des-v4
+-	mode=udp
+-	des3_krbtgt=0
+-	{supported_enctypes=des-cbc-crc:v4}
+-	{default_tkt_enctypes(client)=des-cbc-crc}
+-	{dummy=[verbose -log "DES TGT, DES-CRC enctype, V4 salt"]}
+-    }
+-    {
+-	des-md5-v4
+-	mode=udp
+-	des3_krbtgt=0
+-	{supported_enctypes=des-cbc-md5:v4 des-cbc-crc:v4}
+-	{default_tkt_enctypes(client)=des-cbc-md5 des-cbc-crc}
+-	{dummy=[verbose -log "DES TGT, DES-MD5 and -CRC enctypes, V4 salt"]}
+-    }
+     {
+ 	all-enctypes
+ 	mode=udp
+@@ -356,7 +340,6 @@ set unused_passes {
+ 	aes128-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:norealm \
+ 	des3-cbc-sha1:normal des3-cbc-sha1:none \
+ 	des-cbc-md5:normal des-cbc-md4:normal des-cbc-crc:normal \
+-	des-cbc-md5:v4 des-cbc-md4:v4 des-cbc-crc:v4 \
+ 	}
+ 	{dummy=[verbose -log "DES3 TGT, default enctypes"]}
+     }
+diff --git a/src/tests/t_etype_info.py b/src/tests/t_etype_info.py
+index 2026e7876..c21d054f1 100644
+--- a/src/tests/t_etype_info.py
++++ b/src/tests/t_etype_info.py
+@@ -1,6 +1,6 @@
+ from k5test import *
+ 
+-supported_enctypes = 'aes128-cts des3-cbc-sha1 rc4-hmac des-cbc-crc:afs3'
++supported_enctypes = 'aes128-cts des3-cbc-sha1 rc4-hmac'
+ conf = {'libdefaults': {'allow_weak_crypto': 'true'},
+         'realms': {'$realm': {'supported_enctypes': supported_enctypes}}}
+ realm = K5Realm(create_host=False, get_creds=False, krb5_conf=conf)
+@@ -43,28 +43,6 @@ test_etinfo('preauthuser', 'rc4-hmac-exp des3 rc4 des-cbc-crc',
+ test_etinfo('preauthuser', 'rc4 aes256-cts',
+             ['error etype_info2 rc4-hmac KRBTEST.COMpreauthuser'])
+ 
+-# AFS3 salt for DES enctypes is conveyed using s2kparams in
+-# PA-ETYPE-INFO2, not at all in PA-ETYPE-INFO, and with a special padata
+-# type instead of PA-PW-SALT.
+-test_etinfo('user', 'des-cbc-crc rc4',
+-            ['asrep etype_info2 des-cbc-crc KRBTEST.COM 01',
+-             'asrep etype_info des-cbc-crc KRBTEST.COM',
+-             'asrep afs3_salt KRBTEST.COM'])
+-test_etinfo('preauthuser', 'des-cbc-crc rc4',
+-            ['error etype_info2 des-cbc-crc KRBTEST.COM 01',
+-             'error etype_info des-cbc-crc KRBTEST.COM'])
+-
+-# DES keys can be used with other DES enctypes.  The requested enctype
+-# shows up in the etype-info, not the database key enctype.
+-test_etinfo('user', 'des-cbc-md4 rc4',
+-            ['asrep etype_info2 des-cbc-md4 KRBTEST.COM 01',
+-             'asrep etype_info des-cbc-md4 KRBTEST.COM',
+-             'asrep afs3_salt KRBTEST.COM'])
+-test_etinfo('user', 'des-cbc-md5 rc4',
+-            ['asrep etype_info2 des KRBTEST.COM 01',
+-             'asrep etype_info des KRBTEST.COM',
+-             'asrep afs3_salt KRBTEST.COM'])
+-
+ # If no keys are found matching the request enctypes, a
+ # preauth-required error can be generated with no etype-info at all
+ # (to allow for preauth mechs which don't depend on long-term keys).
+diff --git a/src/tests/t_keytab.py b/src/tests/t_keytab.py
+index 72e09daac..633f7c7ef 100755
+--- a/src/tests/t_keytab.py
++++ b/src/tests/t_keytab.py
+@@ -155,9 +155,6 @@ realm.run([kadminl, 'ank', '-pw', 'pw', 'default'])
+ realm.run([kadminl, 'ank', '-e', 'aes256-cts:special', '-pw', 'pw', 'exp'])
+ realm.run([kadminl, 'ank', '-e', 'aes256-cts:special', '-pw', 'pw', '+preauth',
+            'pexp'])
+-realm.run([kadminl, 'ank', '-e', 'des-cbc-crc:afs3', '-pw', 'pw', 'afs'])
+-realm.run([kadminl, 'ank', '-e', 'des-cbc-crc:afs3', '-pw', 'pw', '+preauth',
+-           'pafs'])
+ 
+ # Extract one of the explicit salt values from the database.
+ out = realm.run([kdb5_util, 'tabdump', 'keyinfo'])
+@@ -187,8 +184,6 @@ test_addent(realm, 'default', '-f')
+ test_addent(realm, 'default', '-f -e aes128-cts')
+ test_addent(realm, 'exp', '-f')
+ test_addent(realm, 'pexp', '-f')
+-test_addent(realm, 'afs', '-f')
+-test_addent(realm, 'pafs', '-f')
+ 
+ success('Keytab-related tests')
+ success('Keytab-related tests')
+diff --git a/src/tests/t_renprinc.py b/src/tests/t_renprinc.py
+index 46cbed441..3dbb3e77e 100755
+--- a/src/tests/t_renprinc.py
++++ b/src/tests/t_renprinc.py
+@@ -25,7 +25,7 @@ from k5test import *
+ enctype = "aes128-cts"
+ 
+ realm = K5Realm(create_host=False, create_user=False)
+-salttypes = ('normal', 'v4', 'norealm', 'onlyrealm')
++salttypes = ('normal', 'norealm', 'onlyrealm')
+ 
+ # For a variety of salt types, test that we can rename a principal and
+ # still get tickets with the same password.
+diff --git a/src/tests/t_salt.py b/src/tests/t_salt.py
+index 278911a22..008efcb03 100755
+--- a/src/tests/t_salt.py
++++ b/src/tests/t_salt.py
+@@ -15,13 +15,9 @@ def test_salt(realm, e1, salt, e2):
+     realm.run([kadminl, 'delprinc', 'user'])
+ 
+ # Enctype/salt pairs chosen with non-default salt types.
+-# The enctypes are mostly arbitrary, though afs3 must only be used with des.
+-# We do not enforce that v4 salts must only be used with des, but it seems
+-# like a good idea.
+-salts = [('des-cbc-crc', 'afs3'),
+-         ('des3-cbc-sha1', 'norealm'),
++# The enctypes are mostly arbitrary.
++salts = [('des3-cbc-sha1', 'norealm'),
+          ('arcfour-hmac', 'onlyrealm'),
+-         ('des-cbc-crc', 'v4'),
+          ('aes128-cts-hmac-sha1-96', 'special')]
+ # These enctypes are chosen to cover the different string-to-key routines.
+ # Omit ":normal" from aes256 to check that salttype defaulting works.
+@@ -56,22 +52,4 @@ dup_kstypes = ['arcfour-hmac-md5:normal,rc4-hmac:normal',
+ for ks in dup_kstypes:
+     test_dup(realm, ks)
+ 
+-# Attempt to create a principal with a non-des enctype and the afs3 salt,
+-# verifying that the expected error is received and the principal creation
+-# fails.
+-def test_reject_afs3(realm, etype):
+-    query = 'ank -e ' + etype + ':afs3 -pw password princ1'
+-    realm.run([kadminl, 'ank', '-e', etype + ':afs3', '-pw', 'password',
+-               'princ1'], expected_code=1,
+-              expected_msg='Invalid key generation parameters from KDC')
+-    realm.run([kadminl, 'getprinc', 'princ1'], expected_code=1,
+-              expected_msg='Principal does not exist')
+-
+-# Verify that the afs3 salt is rejected for arcfour and pbkdf2 enctypes.
+-# We do not currently do any verification on the key-generation parameters
+-# for the triple-DES enctypes, so that test is commented out.
+-test_reject_afs3(realm, 'arcfour-hmac')
+-test_reject_afs3(realm, 'aes256-cts-hmac-sha1-96')
+-#test_reject_afs3(realm, 'des3-cbc-sha1')
+-
+ success("Salt types")
+diff --git a/src/util/k5test.py b/src/util/k5test.py
+index 3aec1ef92..b6d93f1d8 100644
+--- a/src/util/k5test.py
++++ b/src/util/k5test.py
+@@ -1246,17 +1246,6 @@ _passes = [
+     # No special settings; exercises AES256.
+     ('default', None, None, None),
+ 
+-    # Exercise a DES enctype and the v4 salt type.
+-    ('desv4', None,
+-     {'libdefaults': {
+-                'default_tgs_enctypes': 'des-cbc-crc',
+-                'default_tkt_enctypes': 'des-cbc-crc',
+-                'permitted_enctypes': 'des-cbc-crc',
+-                'allow_weak_crypto': 'true'}},
+-     {'realms': {'$realm': {
+-                    'supported_enctypes': 'des-cbc-crc:v4',
+-                    'master_key_type': 'des-cbc-crc'}}}),
+-
+     # Exercise the DES3 enctype.
+     ('des3', None,
+      {'libdefaults': {

Set-a-more-modern-default-ksu-CMD_PATH.patch

@@ -1,4 +1,4 @@
-From 4b11c083e2019ece267cfa5379bd417334e2038e Mon Sep 17 00:00:00 2001
+From 6b50f9c5b2a1b856e65fa69de05e7c05d2b89614 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 23 Aug 2016 16:32:09 -0400
 Subject: [PATCH] Set a more modern default ksu CMD_PATH

Support-389ds-s-lockout-model.patch

@@ -1,4 +1,4 @@
-From 49ca1fc11d4e58289b518db7cdd4093b06ca9cf1 Mon Sep 17 00:00:00 2001
+From 2c00970b3fe53b38f976c79f648fdd75a2682287 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 23 Aug 2016 16:47:44 -0400
 Subject: [PATCH] Support 389ds's lockout model

Update-ASN.1-SAM-tests-to-use-a-modern-enctype.patch

@@ -1,4 +1,4 @@
-From f179301f52e0e40eee9ac493bae0e82be49b7c28 Mon Sep 17 00:00:00 2001
+From 152e88043117927c334fead93bb3bd3dd74593b7 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 16 Apr 2019 14:16:39 -0400
 Subject: [PATCH] Update ASN.1 SAM tests to use a modern enctype

Update-default-krb5kdc-mkey-manual-entry-enctype.patch

@@ -1,4 +1,4 @@
-From e2b0a71ca45d6895c9df132560789774993e657d Mon Sep 17 00:00:00 2001
+From 2957d2186ee2b60b80e6ba97a1f5d661ccb20f30 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Mon, 20 May 2019 16:52:57 -0400
 Subject: [PATCH] Update default krb5kdc mkey manual-entry enctype

krb5-1.17post3-FIPS-with-PRNG-SPAKE-and-RADIUS.patch

@@ -1,7 +1,7 @@
-From 35dbfaa4a224bbbdd0d75a0383fbe09d7deb389f Mon Sep 17 00:00:00 2001
+From b52fa25acec9c0302532e1610ffe390d714e8f7a Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Fri, 9 Nov 2018 15:12:21 -0500
-Subject: [PATCH] krb5-1.17post2 FIPS with PRNG, SPAKE, and RADIUS
+Subject: [PATCH] krb5-1.17post3 FIPS with PRNG, SPAKE, and RADIUS
 
 NB: Use openssl's PRNG in FIPS mode, be aware during SPAKE group
 negotiation, and taint within krad.
@@ -15,10 +15,11 @@ awareness of what we can and can't safely call.
 This will slow down some calls slightly (FIPS_mode() takes multiple
 locks), but not for any ciphers we care about - which is to say that
 AES is fine.  Shame about the SPAKE groups though.
+
+post3 is (confusingly) on top of the 1DES removal.
 ---
  src/lib/crypto/krb/prng.c                     | 11 ++++-
  .../crypto/openssl/enc_provider/camellia.c    |  6 +++
- src/lib/crypto/openssl/enc_provider/des.c     |  9 ++++
  src/lib/crypto/openssl/enc_provider/des3.c    |  6 +++
  src/lib/crypto/openssl/enc_provider/rc4.c     | 13 +++++-
  .../crypto/openssl/hash_provider/hash_evp.c   |  4 ++
@@ -31,7 +32,7 @@ AES is fine.  Shame about the SPAKE groups though.
  src/lib/krad/t_attr.c                         |  3 +-
  src/lib/krad/t_attrset.c                      |  4 +-
  src/plugins/preauth/spake/groups.c            |  8 ++++
- 15 files changed, 132 insertions(+), 33 deletions(-)
+ 14 files changed, 123 insertions(+), 33 deletions(-)
 
 diff --git a/src/lib/crypto/krb/prng.c b/src/lib/crypto/krb/prng.c
 index cb9ca9b98..f0e9984ca 100644
@@ -88,40 +89,6 @@ index 2da691329..f79679a0b 100644
      state->length = 16;
      state->data = (void *) malloc(16);
      if (state->data == NULL)
-diff --git a/src/lib/crypto/openssl/enc_provider/des.c b/src/lib/crypto/openssl/enc_provider/des.c
-index a662db512..7d17d287e 100644
---- a/src/lib/crypto/openssl/enc_provider/des.c
-+++ b/src/lib/crypto/openssl/enc_provider/des.c
-@@ -85,6 +85,9 @@ k5_des_encrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
-     EVP_CIPHER_CTX *ctx;
-     krb5_boolean empty;
- 
-+    if (FIPS_mode())
-+        return KRB5_CRYPTO_INTERNAL;
-+
-     ret = validate(key, ivec, data, num_data, &empty);
-     if (ret != 0 || empty)
-         return ret;
-@@ -133,6 +136,9 @@ k5_des_decrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
-     EVP_CIPHER_CTX *ctx;
-     krb5_boolean empty;
- 
-+    if (FIPS_mode())
-+        return KRB5_CRYPTO_INTERNAL;
-+
-     ret = validate(key, ivec, data, num_data, &empty);
-     if (ret != 0 || empty)
-         return ret;
-@@ -182,6 +188,9 @@ k5_des_cbc_mac(krb5_key key, const krb5_crypto_iov *data, size_t num_data,
-     DES_key_schedule sched;
-     krb5_boolean empty;
- 
-+    if (FIPS_mode())
-+        return KRB5_CRYPTO_INTERNAL;
-+
-     ret = validate(key, ivec, data, num_data, &empty);
-     if (ret != 0)
-         return ret;
 diff --git a/src/lib/crypto/openssl/enc_provider/des3.c b/src/lib/crypto/openssl/enc_provider/des3.c
 index 1c439c2cd..8be555a8d 100644
 --- a/src/lib/crypto/openssl/enc_provider/des3.c

krb5.spec

@@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.17
 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
-Release: 25%{?dist}
+Release: 26%{?dist}
 
 # lookaside-cached sources; two downloads and a build artifact
 Source0: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}%{prerelease}.tar.gz
@@ -89,7 +89,6 @@ Patch123: Avoid-alignment-warnings-in-openssl-rc4.c.patch
 Patch124: Simply-OpenSSL-PKCS7-decryption-code.patch
 Patch125: Improve-error-messages-from-kadmin-change_password.patch
 Patch126: Remove-more-dead-code.patch
-Patch127: krb5-1.17post2-FIPS-with-PRNG-SPAKE-and-RADIUS.patch
 Patch128: Remove-checksum-type-profile-variables.patch
 Patch129: Remove-dead-variable-def_kslist-from-two-files.patch
 Patch130: Mark-the-doc-kadm5-tex-files-as-historic.patch
@@ -99,6 +98,11 @@ Patch133: Update-default-krb5kdc-mkey-manual-entry-enctype.patch
 Patch134: Support-389ds-s-lockout-model.patch
 Patch135: Add-missing-newlines-to-deprecation-warnings.patch
 Patch136: Set-a-more-modern-default-ksu-CMD_PATH.patch
+Patch137: Remove-the-v4-and-afs3-salt-types.patch
+Patch138: Update-test-suite-to-avoid-single-DES-enctypes.patch
+Patch139: Remove-support-for-single-DES-and-CRC.patch
+Patch140: Display-unsupported-enctype-names.patch
+Patch141: krb5-1.17post3-FIPS-with-PRNG-SPAKE-and-RADIUS.patch
 
 License: MIT
 URL: https://web.mit.edu/kerberos/www/
@@ -708,6 +712,9 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*
 
 %changelog
+* Tue May 28 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-26
+- Remove support for single-DES and CRC
+
 * Wed May 22 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-25
 - Add missing newlines to deprecation warnings
 - Switch to upstream's ksu path patch