From 40a05d03472a1bcc7aa57f32273357732b2fe895 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 10 Jul 2018 17:34:02 -0400
Subject: [PATCH] Use SHA-256 instead of MD5 for audit ticket IDs

---
 ...-instead-of-MD5-for-audit-ticket-IDs.patch | 53 +++++++++++++++++++
 krb5.spec                                     |  6 ++-
 2 files changed, 58 insertions(+), 1 deletion(-)
 create mode 100644 Use-SHA-256-instead-of-MD5-for-audit-ticket-IDs.patch

diff --git a/Use-SHA-256-instead-of-MD5-for-audit-ticket-IDs.patch b/Use-SHA-256-instead-of-MD5-for-audit-ticket-IDs.patch
new file mode 100644
index 0000000..26df25a
--- /dev/null
+++ b/Use-SHA-256-instead-of-MD5-for-audit-ticket-IDs.patch
@@ -0,0 +1,53 @@
+From a9bc03fe03ef4b00bcdad13c99bb4c376a8b9964 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Tue, 10 Jul 2018 16:17:15 -0400
+Subject: [PATCH] Use SHA-256 instead of MD5 for audit ticket IDs
+
+ticket: 8711 (new)
+(cherry picked from commit c1e1bfa26bd2f045e88e6013c500fca9428c98f3)
+---
+ src/kdc/kdc_audit.c | 21 ++++++++++-----------
+ 1 file changed, 10 insertions(+), 11 deletions(-)
+
+diff --git a/src/kdc/kdc_audit.c b/src/kdc/kdc_audit.c
+index c9a7f9f9d..f40913dc8 100644
+--- a/src/kdc/kdc_audit.c
++++ b/src/kdc/kdc_audit.c
+@@ -146,7 +146,7 @@ kau_make_tkt_id(krb5_context context,
+ {
+     krb5_error_code ret = 0;
+     char *hash = NULL, *ptr;
+-    krb5_checksum cksum;
++    uint8_t hashbytes[K5_SHA256_HASHLEN];
+     unsigned int i;
+ 
+     *out = NULL;
+@@ -154,19 +154,18 @@ kau_make_tkt_id(krb5_context context,
+     if (ticket == NULL)
+         return EINVAL;
+ 
+-    ret = krb5_c_make_checksum(context, CKSUMTYPE_RSA_MD5, NULL, 0,
+-                               &ticket->enc_part.ciphertext, &cksum);
++    ret = k5_sha256(&ticket->enc_part.ciphertext, 1, hashbytes);
+     if (ret)
+         return ret;
+ 
+-    hash = k5alloc(cksum.length * 2 + 1, &ret);
+-    if (hash != NULL) {
+-        for (i = 0, ptr = hash; i < cksum.length; i++, ptr += 2)
+-            snprintf(ptr, 3, "%02X", cksum.contents[i]);
+-        *ptr = '\0';
+-        *out = hash;
+-    }
+-    krb5_free_checksum_contents(context, &cksum);
++    hash = k5alloc(sizeof(hashbytes) * 2 + 1, &ret);
++    if (hash == NULL)
++        return ret;
++
++    for (i = 0, ptr = hash; i < sizeof(hashbytes); i++, ptr += 2)
++        snprintf(ptr, 3, "%02X", hashbytes[i]);
++    *ptr = '\0';
++    *out = hash;
+ 
+     return 0;
+ }
diff --git a/krb5.spec b/krb5.spec
index b022c73..0a258c1 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.16.1
 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
-Release: 9%{?dist}
+Release: 10%{?dist}
 
 # lookaside-cached sources; two downloads and a build artifact
 Source0: https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}%{prerelease}.tar.gz
@@ -93,6 +93,7 @@ Patch73: Process-profile-includedir-in-sorted-order.patch
 Patch74: Make-docs-build-python3-compatible.patch
 Patch75: Add-flag-to-disable-encrypted-timestamp-on-client.patch
 Patch76: Explicitly-look-for-python2-in-configure.in.patch
+Patch77: Use-SHA-256-instead-of-MD5-for-audit-ticket-IDs.patch
 
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -740,6 +741,9 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*
 
 %changelog
+* Tue Jul 10 2018 Robbie Harwood <rharwood@redhat.com> - 1.16.1-10
+- Use SHA-256 instead of MD5 for audit ticket IDs
+
 * Fri Jul 06 2018 Robbie Harwood <rharwood@redhat.com> - 1.16.1-9
 - Add BuildRequires on python2 so we can run tests at build-time