From 4530bb6de9f097108be1cc64007685e68c7d3844 Mon Sep 17 00:00:00 2001
From: Robbie Harwood
Date: Mon, 3 Aug 2020 15:39:37 -0400
Subject: [PATCH] Revert qualify_shortname removal
---
 Add-channel-bindings-tests.patch | 2 +-
 ...client_aware_channel_bindings-option.patch | 6 +-
 ...ss_unwrap_iov-of-unpadded-RC4-tokens.patch | 2 +-
 ...ns_canonicalize_hostname-to-fallback.patch | 371 ++++++++++++++++++
 ...-enctypes-in-krb5_string_to_keysalts.patch | 2 +-
 Implement-GSS_C_CHANNEL_BOUND_FLAG.patch | 2 +-
 ...ment-KERB_AP_OPTIONS_CBT-server-side.patch | 2 +-
 Improve-negoex_parse_token-code-hygiene.patch | 2 +-
 ...SER-if-we-can-t-compute-its-checksum.patch | 2 +-
 Pass-channel-bindings-through-SPNEGO.patch | 2 +-
 Refactor-krb5-GSS-checksum-handling.patch | 2 +-
 Remove-resolver-test-utility.patch | 2 +-
 ...eues-for-concurrent-t_otp.py-daemons.patch | 2 +-
 krb5.spec | 6 +-
 14 files changed, 390 insertions(+), 15 deletions(-)
 create mode 100644 Default-dns_canonicalize_hostname-to-fallback.patch
diff --git a/Add-channel-bindings-tests.patch b/Add-channel-bindings-tests.patch
index a152fa2..b758c79 100644
--- a/Add-channel-bindings-tests.patch
+++ b/Add-channel-bindings-tests.patch
@@ -1,4 +1,4 @@
-From 5f98c9d9ff16f3760ac26304cfdb87bf53bc8628 Mon Sep 17 00:00:00 2001
+From 3e92520c1417f22447751cd9172d5ab30c2e0ad8 Mon Sep 17 00:00:00 2001
 From: Isaac Boukris
 Date: Fri, 20 Mar 2020 00:17:28 +0100
 Subject: [PATCH] Add channel bindings tests
diff --git a/Add-client_aware_channel_bindings-option.patch b/Add-client_aware_channel_bindings-option.patch
index e8b5374..012ce8d 100644
--- a/Add-client_aware_channel_bindings-option.patch
+++ b/Add-client_aware_channel_bindings-option.patch
@@ -1,4 +1,4 @@
-From bb7425941f5d84a53e30721c20fbfc714157f082 Mon Sep 17 00:00:00 2001
+From 2a08fe3d2d1972df4ffe37d4bb64b161889ff988 Mon Sep 17 00:00:00 2001
 From: Isaac Boukris
 Date: Tue, 10 Mar 2020 13:13:17 +0100
 Subject: [PATCH] Add client_aware_channel_bindings option
@@ -20,10 +20,10 @@ ticket: 8900 3 files changed, 98 insertions(+), 86 deletions(-) diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst -index 1d2aa7f68..1d8ffc1e4 100644 +index a7e7a29d1..7f2879640 100644 --- a/doc/admin/conf_files/krb5_conf.rst +++ b/doc/admin/conf_files/krb5_conf.rst -@@ -383,6 +383,12 @@ The libdefaults section may contain any of the following relations: +@@ -382,6 +382,12 @@ The libdefaults section may contain any of the following relations: credentials will fail if the client machine does not have a keytab. The default value is false. diff --git a/Allow-gss_unwrap_iov-of-unpadded-RC4-tokens.patch b/Allow-gss_unwrap_iov-of-unpadded-RC4-tokens.patch index 716fa8a..4698963 100644 --- a/Allow-gss_unwrap_iov-of-unpadded-RC4-tokens.patch +++ b/Allow-gss_unwrap_iov-of-unpadded-RC4-tokens.patch @@ -1,4 +1,4 @@ -From 297857dec4f82a802caa734670b57f0a18d942e2 Mon Sep 17 00:00:00 2001 +From bedbb5ee1ad821b91f00d30361985e6863c0e6ba Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Sat, 11 Jul 2020 21:57:30 -0400 Subject: [PATCH] Allow gss_unwrap_iov() of unpadded RC4 tokens diff --git a/Default-dns_canonicalize_hostname-to-fallback.patch b/Default-dns_canonicalize_hostname-to-fallback.patch new file mode 100644 index 0000000..ef80329 --- /dev/null +++ b/Default-dns_canonicalize_hostname-to-fallback.patch 
@@ -0,0 +1,371 @@ +From 07179e38e5ee72e82ebc77a1c8d73e34905268b7 Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Wed, 27 May 2020 18:48:35 -0400 +Subject: [PATCH] Default dns_canonicalize_hostname to "fallback" + +This change should mitigate some of the pain caused by the rdns=true +default (generally associated with unwanted PTR records that cannot +easily be changed), with a minimum of fallout. + +Update the documentation and tests accordingly. In test environments, +disable qualify_shortname and use the uncanonicalized system hostname +(lowercased) to match the initial sn2princ result. + +ticket: 8911 (new) +--- + doc/admin/appl_servers.rst | 14 +++--- + doc/admin/conf_files/krb5_conf.rst | 9 ++-- + doc/admin/princ_dns.rst | 44 +++++++++++-------- + src/kadmin/testing/proto/krb5.conf.proto | 8 ++-- + src/kadmin/testing/scripts/env-setup.shin | 4 +- + src/kadmin/testing/scripts/init_db | 3 +- + src/kadmin/testing/scripts/start_servers | 3 +- + .../testing/scripts/start_servers_local | 2 +- + .../kadm5/unit-test/api.current/init-v2.exp | 6 +-- + src/lib/krb5/krb/init_ctx.c | 2 +- + src/tests/dejagnu/config/default.exp | 5 +-- + src/tests/t_sn2princ.py | 5 ++- + src/util/k5test.py | 25 +++-------- + 13 files changed, 58 insertions(+), 72 deletions(-) + +diff --git a/doc/admin/appl_servers.rst b/doc/admin/appl_servers.rst +index 5232db9af..afdf30297 100644 +--- a/doc/admin/appl_servers.rst ++++ b/doc/admin/appl_servers.rst +@@ -115,14 +115,12 @@ Getting DNS information correct + ------------------------------- + + Several aspects of Kerberos rely on name service. When a hostname is +-used to name a service, the Kerberos library canonicalizes the +-hostname using forward and reverse name resolution. (The reverse name +-resolution step can be turned off using the **rdns** variable in +-:ref:`libdefaults`.) The result of this canonicalization must match +-the principal entry in the host's keytab, or authentication will fail. 
+- +-Each host's canonical name must be the fully-qualified host name +-(including the domain), and each host's IP address must ++used to name a service, clients may canonicalize the hostname using ++forward and possibly reverse name resolution. The result of this ++canonicalization must match the principal entry in the host's keytab, ++or authentication will fail. To work with all client canonicalization ++configurations, each host's canonical name must be the fully-qualified ++host name (including the domain), and each host's IP address must + reverse-resolve to the canonical name. + + Configuration of hostnames varies by operating system. On the +diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst +index 1d2aa7f68..a7e7a29d1 100644 +--- a/doc/admin/conf_files/krb5_conf.rst ++++ b/doc/admin/conf_files/krb5_conf.rst +@@ -188,11 +188,10 @@ The libdefaults section may contain any of the following relations: + hostnames for use in service principal names. Setting this flag + to false can improve security by reducing reliance on DNS, but + means that short hostnames will not be canonicalized to +- fully-qualified hostnames. The default value is true. +- +- If this option is set to ``fallback`` (new in release 1.18), DNS +- canonicalization will only be performed the server hostname is not +- found with the original name when requesting credentials. ++ fully-qualified hostnames. If this option is set to ``fallback`` (new ++ in release 1.18), DNS canonicalization will only be performed the ++ server hostname is not found with the original name when ++ requesting credentials. The default value is ``fallback``. + + **dns_lookup_kdc** + Indicate whether DNS SRV records should be used to locate the KDCs +diff --git a/doc/admin/princ_dns.rst b/doc/admin/princ_dns.rst +index e1d823f27..32a269afc 100644 +--- a/doc/admin/princ_dns.rst ++++ b/doc/admin/princ_dns.rst +@@ -31,27 +31,35 @@ based on rotating ``CNAME`` records in DNS. 
+ Service principal canonicalization + ---------------------------------- + +-MIT Kerberos clients currently always do forward resolution (looking +-up the IPv4 and possibly IPv6 addresses using ``getaddrinfo()``) of +-the hostname part of a host-based service principal to canonicalize +-the hostname. They obtain the "canonical" name of the host when doing +-so. By default, MIT Kerberos clients will also then do reverse DNS +-resolution (looking up the hostname associated with the IPv4 or IPv6 +-address using ``getnameinfo()``) of the hostname. Using the +-:ref:`krb5.conf(5)` setting:: ++In the MIT krb5 client library, canonicalization of host-based service ++principals is controlled by the **dns_canonicalize_hostname**, ++**rnds**, and **qualify_shortname** variables in :ref:`libdefaults`. + +- [libdefaults] +- rdns = false ++If **dns_canonicalize_hostname** is set to ``true`` (the default value ++before release 1.19), the client performs forward resolution by ++looking up the IPv4 and/or IPv6 addresses of the hostname using ++``getaddrinfo()``. This process will typically add a domain suffix to ++the hostname if needed, and follow CNAME records in the DNS. If ++**rdns** is also set to ``true`` (the default), the client will then ++perform a reverse lookup of the first returned Internet address using ++``getnameinfo()``, finding the name associated with the PTR record. + +-will disable reverse DNS lookup on clients. The default setting is +-"true". ++If **dns_canonicalize_hostname** is set to ``false``, the hostname is ++not canonicalized using DNS. If the hostname has only one component ++(i.e. it contains no "." characters), the host's primary DNS search ++domain will be appended, if there is one. The **qualify_shortname** ++variable can be used to override or disable this suffix. 
++ ++If **dns_canonicalize_hostname** is set to ``fallback`` (the default ++value in release 1.19 and later), the hostname is initially treated ++according to the rules for ``dns_canonicalize_hostname=false``. If a ++ticket request fails because the service principal is unknown, it the ++hostname will be canonicalized according to the rules for ++``dns_canonicalize_hostname=true`` and the request will be retried. ++ ++In all cases, the hostname is converted to lowercase, and any trailing ++dot is removed. + +-Operating system bugs may prevent a setting of ``rdns = false`` from +-disabling reverse DNS lookup. Some versions of GNU libc have a bug in +-``getaddrinfo()`` that cause them to look up ``PTR`` records even when +-not required. MIT Kerberos releases krb5-1.10.2 and newer have a +-workaround for this problem, as does the krb5-1.9.x series as of +-release krb5-1.9.4. + + + Reverse DNS mismatches +diff --git a/src/kadmin/testing/proto/krb5.conf.proto b/src/kadmin/testing/proto/krb5.conf.proto +index e710852d4..c0af716a5 100644 +--- a/src/kadmin/testing/proto/krb5.conf.proto ++++ b/src/kadmin/testing/proto/krb5.conf.proto +@@ -2,19 +2,19 @@ + default_realm = __REALM__ + default_keytab_name = FILE:__K5ROOT__/keytab + dns_fallback = no ++ qualify_shortname = "" + plugin_base_dir = __PLUGIN_DIR__ + allow_weak_crypto = true + + [realms] + __REALM__ = { +- kdc = __KDCHOST__:1750 +- admin_server = __KDCHOST__:1751 ++ kdc = __HOSTNAME__:1750 ++ admin_server = __HOSTNAME__:1751 + database_module = foobar_db2_module_blah + } + + [domain_realm] +- __LOCALHOST__ = __REALM__ +- __KDCHOST__ = __REALM__ ++ __HOSTNAME__ = __REALM__ + + [logging] + admin_server = FILE:__K5ROOT__/syslog +diff --git a/src/kadmin/testing/scripts/env-setup.shin b/src/kadmin/testing/scripts/env-setup.shin +index 969c5340c..88f8ad1aa 100755 +--- a/src/kadmin/testing/scripts/env-setup.shin ++++ b/src/kadmin/testing/scripts/env-setup.shin +@@ -71,8 +71,8 @@ BSDDB_DUMP=$TESTDIR/util/bsddb_dump; export 
BSDDB_DUMP + CLNTTCL=$TESTDIR/util/kadm5_clnt_tcl; export CLNTTCL + SRVTCL=$TESTDIR/util/kadm5_srv_tcl; export SRVTCL + +-QUALNAME=`$BUILDTOP/tests/resolve/resolve -q | tr '[A-Z]' '[a-z]'` +-export QUALNAME ++HOSTNAME=`hostname | tr '[A-Z]' '[a-z]'` ++export HOSTNAME + + KRB5_CONFIG=$K5ROOT/krb5.conf; export KRB5_CONFIG + KRB5_KDC_PROFILE=$K5ROOT/kdc.conf; export KRB5_KDC_PROFILE +diff --git a/src/kadmin/testing/scripts/init_db b/src/kadmin/testing/scripts/init_db +index e65826c96..216f62793 100755 +--- a/src/kadmin/testing/scripts/init_db ++++ b/src/kadmin/testing/scripts/init_db +@@ -79,8 +79,7 @@ fi + # done + + sed -e "s/__REALM__/$REALM/g" -e "s#__K5ROOT__#$K5ROOT#g" \ +- -e "s/__KDCHOST__/$QUALNAME/g" \ +- -e "s/__LOCALHOST__/$QUALNAME/g" \ ++ -e "s/__HOSTNAME__/$HOSTNAME/g" \ + -e "s#__MODDIR__#$MODDIR#g" \ + < $STESTDIR/proto/krb5.conf.proto > $K5ROOT/krb5.conf + sed -e "s/__REALM__/$REALM/g" -e "s#__K5ROOT__#$K5ROOT#g" \ +diff --git a/src/kadmin/testing/scripts/start_servers b/src/kadmin/testing/scripts/start_servers +index f23df0682..05519e4ee 100755 +--- a/src/kadmin/testing/scripts/start_servers ++++ b/src/kadmin/testing/scripts/start_servers +@@ -36,8 +36,7 @@ if [ $local = 0 ]; then + + # Fix up the local krb5.conf to point to the remote + sed -e "s/__REALM__/$REALM/g" -e "s#__K5ROOT__#$K5ROOT#g" \ +- -e "s/__KDCHOST__/$hostname/g" \ +- -e "s/__LOCALHOST__/$QUALNAME/g" \ ++ -e "s/__HOSTNAME__/$HOSTNAME/g" \ + -e "s#__MODDIR__#$TOP/../plugins/kdb#g"\ + -e "s#__PLUGIN_DIR__#$TOP/../plugins#g"\ + < $STESTDIR/proto/krb5.conf.proto > $K5ROOT/krb5.conf +diff --git a/src/kadmin/testing/scripts/start_servers_local b/src/kadmin/testing/scripts/start_servers_local +index 998ef9164..858e88031 100755 +--- a/src/kadmin/testing/scripts/start_servers_local ++++ b/src/kadmin/testing/scripts/start_servers_local +@@ -79,7 +79,7 @@ cat - > /tmp/start_servers_local$$ <<\EOF + if { [catch { + source $env(STOP)/testing/tcl/util.t + set r $env(REALM) +- set q $env(QUALNAME) 
++ set q $env(HOSTNAME) + puts stdout [kadm5_init $env(SRVTCL) mrroot null \ + [config_params {KADM5_CONFIG_REALM} $r] \ + $KADM5_STRUCT_VERSION $KADM5_API_VERSION_3 server_handle] +diff --git a/src/lib/kadm5/unit-test/api.current/init-v2.exp b/src/lib/kadm5/unit-test/api.current/init-v2.exp +index 7a353d4e9..47764c212 100644 +--- a/src/lib/kadm5/unit-test/api.current/init-v2.exp ++++ b/src/lib/kadm5/unit-test/api.current/init-v2.exp +@@ -3,18 +3,14 @@ load_lib lib.t + api_exit + api_start + +-if ![info exists RESOLVE] { +- set RESOLVE [findfile $objdir/../../../tests/resolve/resolve] +-} + proc get_hostname { } { +- global RESOLVE + global hostname + + if {[info exists hostname]} { + return 1 + } + +- catch "exec $RESOLVE -q >myname" exec_output ++ catch "exec hostname >myname" exec_output + if ![string match "" $exec_output] { + send_log "$exec_output\n" + verbose $exec_output +diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c +index 9a4741fa6..0b8ae6714 100644 +--- a/src/lib/krb5/krb/init_ctx.c ++++ b/src/lib/krb5/krb/init_ctx.c +@@ -237,7 +237,7 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags, + ctx->enforce_ok_as_delegate = tmp; + + retval = get_tristate(ctx, KRB5_CONF_DNS_CANONICALIZE_HOSTNAME, "fallback", +- CANONHOST_FALLBACK, 1, &tmp); ++ CANONHOST_FALLBACK, CANONHOST_FALLBACK, &tmp); + if (retval) + goto cleanup; + ctx->dns_canonicalize_hostname = tmp; +diff --git a/src/tests/dejagnu/config/default.exp b/src/tests/dejagnu/config/default.exp +index 4d8c917cd..1e7777f1e 100644 +--- a/src/tests/dejagnu/config/default.exp ++++ b/src/tests/dejagnu/config/default.exp +@@ -268,7 +268,6 @@ foreach i { + {KTUTIL $objdir/../../kadmin/ktutil/ktutil} + {KLIST $objdir/../../clients/klist/klist} + {KDESTROY $objdir/../../clients/kdestroy/kdestroy} +- {RESOLVE $objdir/../resolve/resolve} + {T_INETD $objdir/t_inetd} + {KPROPLOG $objdir/../../kprop/kproplog} + {KPASSWD $objdir/../../clients/kpasswd/kpasswd} +@@ -462,7 +461,6 @@ proc 
setup_runtime_env { } { + # 0 on failure. + + proc get_hostname { } { +- global RESOLVE + global hostname + global tmppwd + +@@ -472,7 +470,7 @@ proc get_hostname { } { + + envstack_push + setup_runtime_env +- catch "exec $RESOLVE -q >$tmppwd/hostname" exec_output ++ catch "exec hostname >$tmppwd/hostname" exec_output + envstack_pop + if ![string match "" $exec_output] { + verbose -log $exec_output +@@ -710,6 +708,7 @@ proc setup_krb5_conf { {type client} } { + puts $conffile "\[libdefaults\]" + puts $conffile " default_realm = $REALMNAME" + puts $conffile " dns_lookup_kdc = false" ++ puts $conffile " qualify_shortname = \"\"" + if [info exists allow_weak_crypto($type)] { + puts $conffile " allow_weak_crypto = $allow_weak_crypto($type)" + } else { +diff --git a/src/tests/t_sn2princ.py b/src/tests/t_sn2princ.py +index 26dcb91c2..f3e187286 100755 +--- a/src/tests/t_sn2princ.py ++++ b/src/tests/t_sn2princ.py +@@ -2,7 +2,8 @@ from k5test import * + + offline = (len(args) > 0 and args[0] != "no") + +-conf = {'domain_realm': {'kerberos.org': 'R1', ++conf = {'libdefaults': {'dns_canonicalize_hostname': 'true'}, ++ 'domain_realm': {'kerberos.org': 'R1', + 'example.com': 'R2', + 'mit.edu': 'R3'}} + no_rdns_conf = {'libdefaults': {'rdns': 'false'}} +@@ -28,7 +29,7 @@ def testbase(host, nametype, princhost, princrealm, env=None): + fail('Expected %s, got %s' % (expected, out)) + + def test(host, princhost, princrealm): +- # Test with the host-based name type in the default environment. ++ # Test with the host-based name type with canonicalization enabled. + testbase(host, 'srv-hst', princhost, princrealm) + + def testnc(host, princhost, princrealm): +diff --git a/src/util/k5test.py b/src/util/k5test.py +index eea92275d..5196cfa43 100644 +--- a/src/util/k5test.py ++++ b/src/util/k5test.py +@@ -193,7 +193,10 @@ Scripts may use the following functions and variables: + + * plugins: The plugin directory in the build tree (absolute path). 
+ +-* hostname: This machine's fully-qualified domain name. ++* hostname: The local hostname as it will initially appear in ++ krb5_sname_to_principal() results. (Shortname qualification is ++ turned off in the test environment to make this value easy to ++ discover from Python.) + + * null_input: A file opened to read /dev/null. + +@@ -525,23 +528,6 @@ def _find_srctop(): + return os.path.abspath(root) + + +-# Return the local hostname as it will be canonicalized by +-# krb5_sname_to_principal. We can't simply use socket.getfqdn() +-# because it explicitly prefers results containing periods and +-# krb5_sname_to_principal doesn't care. +-def _get_hostname(): +- hostname = socket.gethostname() +- try: +- ai = socket.getaddrinfo(hostname, None, 0, 0, 0, socket.AI_CANONNAME) +- except socket.gaierror as e: +- fail('Local hostname "%s" does not resolve: %s.' % (hostname, e[1])) +- (family, socktype, proto, canonname, sockaddr) = ai[0] +- try: +- name = socket.getnameinfo(sockaddr, socket.NI_NAMEREQD) +- except socket.gaierror: +- return canonname.lower() +- return name[0].lower() +- + # Parse command line arguments, setting global option variables. Also + # sets the global variable args to the positional arguments, which may + # be used by the test script. +@@ -1263,6 +1249,7 @@ _default_krb5_conf = { + 'libdefaults': { + 'default_realm': '$realm', + 'dns_lookup_kdc': 'false', ++ 'qualify_shortname': '', + 'plugin_base_dir': '$plugins'}, + 'realms': {'$realm': { + 'kdc': '$hostname:$port0', +@@ -1356,7 +1343,7 @@ buildtop = _find_buildtop() + srctop = _find_srctop() + plugins = os.path.join(buildtop, 'plugins') + runenv = _import_runenv() +-hostname = _get_hostname() ++hostname = socket.gethostname().lower() + null_input = open(os.devnull, 'r') + + # A DB pass is a tuple of: name, kdc_conf. diff --git a/Ignore-bad-enctypes-in-krb5_string_to_keysalts.patch b/Ignore-bad-enctypes-in-krb5_string_to_keysalts.patch index b91c81b..2bdd0a3 100644 
--- a/Ignore-bad-enctypes-in-krb5_string_to_keysalts.patch
+++ b/Ignore-bad-enctypes-in-krb5_string_to_keysalts.patch
@@ -1,4 +1,4 @@
-From 63b526ffbdd932dffd5bc1d4a2b3ef6300208fb8 Mon Sep 17 00:00:00 2001
+From 3f873868fb08b77da2d30e164a0ef6c71c17c607 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Wed, 15 Jul 2020 15:42:20 -0400
 Subject: [PATCH] Ignore bad enctypes in krb5_string_to_keysalts()
diff --git a/Implement-GSS_C_CHANNEL_BOUND_FLAG.patch b/Implement-GSS_C_CHANNEL_BOUND_FLAG.patch
index 5a1cad7..649caa4 100644
--- a/Implement-GSS_C_CHANNEL_BOUND_FLAG.patch
+++ b/Implement-GSS_C_CHANNEL_BOUND_FLAG.patch
@@ -1,4 +1,4 @@
-From bfc91774e1bf67b544d38abe10b41cdb76e30d8c Mon Sep 17 00:00:00 2001
+From 3ea1d6296ced3a998e79356f9be212e4c5e6a5d5 Mon Sep 17 00:00:00 2001
 From: Alexander Scheel
 Date: Wed, 5 Jul 2017 11:38:30 -0400
 Subject: [PATCH] Implement GSS_C_CHANNEL_BOUND_FLAG
diff --git a/Implement-KERB_AP_OPTIONS_CBT-server-side.patch b/Implement-KERB_AP_OPTIONS_CBT-server-side.patch
index 7757547..41cf5f0 100644
--- a/Implement-KERB_AP_OPTIONS_CBT-server-side.patch
+++ b/Implement-KERB_AP_OPTIONS_CBT-server-side.patch
@@ -1,4 +1,4 @@
-From 49e5ab0f11287dd2fd87de02abf14e63e5040c5b Mon Sep 17 00:00:00 2001
+From 6407bf087fe53088d91efd09df736e979cd4e8db Mon Sep 17 00:00:00 2001
 From: Isaac Boukris
 Date: Mon, 9 Mar 2020 16:04:21 +0100
 Subject: [PATCH] Implement KERB_AP_OPTIONS_CBT (server side)
diff --git a/Improve-negoex_parse_token-code-hygiene.patch b/Improve-negoex_parse_token-code-hygiene.patch
index fd16725..f6b42a6 100644
--- a/Improve-negoex_parse_token-code-hygiene.patch
+++ b/Improve-negoex_parse_token-code-hygiene.patch
@@ -1,4 +1,4 @@
-From 409a8920e13cd14fec8533c1ff864de92d292178 Mon Sep 17 00:00:00 2001
+From c726a72c68244129eb08b840b92144acfa776573 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Tue, 9 Jun 2020 16:23:37 -0400
 Subject: [PATCH] Improve negoex_parse_token() code hygiene
diff --git a/Omit-PA_FOR_USER-if-we-can-t-compute-its-checksum.patch b/Omit-PA_FOR_USER-if-we-can-t-compute-its-checksum.patch
index 2514e20..d0db74b 100644
--- a/Omit-PA_FOR_USER-if-we-can-t-compute-its-checksum.patch
+++ b/Omit-PA_FOR_USER-if-we-can-t-compute-its-checksum.patch
@@ -1,4 +1,4 @@
-From 911f19b661cb13373ad3de4fb92015beb3647de7 Mon Sep 17 00:00:00 2001
+From c36e826c70cb5b3bff8bd4371d47884cea30b3f4 Mon Sep 17 00:00:00 2001
 From: Isaac Boukris
 Date: Sat, 6 Jun 2020 11:03:37 +0200
 Subject: [PATCH] Omit PA_FOR_USER if we can't compute its checksum
diff --git a/Pass-channel-bindings-through-SPNEGO.patch b/Pass-channel-bindings-through-SPNEGO.patch
index 1dff308..5ab5c07 100644
--- a/Pass-channel-bindings-through-SPNEGO.patch
+++ b/Pass-channel-bindings-through-SPNEGO.patch
@@ -1,4 +1,4 @@
-From 20ec2ee13c34bfae03d62662b25f2f7708d1a418 Mon Sep 17 00:00:00 2001
+From ee79bd43005245d3e5a2d3ec6d61146945e77717 Mon Sep 17 00:00:00 2001
 From: Isaac Boukris
 Date: Tue, 28 Apr 2020 18:15:55 +0200
 Subject: [PATCH] Pass channel bindings through SPNEGO
diff --git a/Refactor-krb5-GSS-checksum-handling.patch b/Refactor-krb5-GSS-checksum-handling.patch
index 6e41865..392d929 100644
--- a/Refactor-krb5-GSS-checksum-handling.patch
+++ b/Refactor-krb5-GSS-checksum-handling.patch
@@ -1,4 +1,4 @@
-From 5037c0fe698ad00a8e8f53fdcfc3d3b1c3537aba Mon Sep 17 00:00:00 2001
+From a34b7c50e62c19f80d39ece6a72017dac781df64 Mon Sep 17 00:00:00 2001
 From: Alexander Scheel
 Date: Fri, 30 Jun 2017 16:03:01 -0400
 Subject: [PATCH] Refactor krb5 GSS checksum handling
diff --git a/Remove-resolver-test-utility.patch b/Remove-resolver-test-utility.patch
index d70f078..6602185 100644
--- a/Remove-resolver-test-utility.patch
+++ b/Remove-resolver-test-utility.patch
@@ -1,4 +1,4 @@
-From 3eb685873f5390a3af518ac86e99f6863750ada3 Mon Sep 17 00:00:00 2001
+From 85bb5fe5a11708b78e9f0bd3a3b34999b6c888a7 Mon Sep 17 00:00:00 2001
 From: Greg Hudson
 Date: Thu, 28 May 2020 18:41:02 -0400
 Subject: [PATCH] Remove resolver test utility
diff --git a/Use-two-queues-for-concurrent-t_otp.py-daemons.patch b/Use-two-queues-for-concurrent-t_otp.py-daemons.patch
index 7a66d35..33da6f5 100644
--- a/Use-two-queues-for-concurrent-t_otp.py-daemons.patch
+++ b/Use-two-queues-for-concurrent-t_otp.py-daemons.patch
@@ -1,4 +1,4 @@
-From ccc6e0fae1fc000e10e51ffa45cc59674038714a Mon Sep 17 00:00:00 2001
+From 8e08f01d73ddca1b828788710ec6bb3e0354727a Mon Sep 17 00:00:00 2001
 From: Greg Hudson
 Date: Wed, 4 Mar 2020 17:18:51 -0500
 Subject: [PATCH] Use two queues for concurrent t_otp.py daemons
diff --git a/krb5.spec b/krb5.spec
index c5818f4..4a61316 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.18.2
 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
-Release: 16%{?dist}
+Release: 17%{?dist}
 # rharwood has trust path to signing key and verifies on check-in
 Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz
@@ -57,6 +57,7 @@ Patch17: Pass-gss_localname-through-SPNEGO.patch
 Patch18: Omit-KDC-indicator-check-for-S4U2Self-requests.patch
 Patch19: Fix-typo-in-in-in-the-ksu-man-page.patch
 Patch21: Replace-gssrpc-tests-with-a-Python-script.patch
+Patch22: Default-dns_canonicalize_hostname-to-fallback.patch
 Patch23: Remove-resolver-test-utility.patch
 Patch24: Omit-PA_FOR_USER-if-we-can-t-compute-its-checksum.patch
 Patch25: Improve-negoex_parse_token-code-hygiene.patch
@@ -630,6 +631,9 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*
 %changelog
+* Mon Aug 03 2020 Robbie Harwood - 1.18.2-17
+- Revert qualify_shortname removal
+
 * Mon Aug 03 2020 Robbie Harwood - 1.18.2-16
 - Disable tests on s390x
 - Resolves: #1863952
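Review bot: The changelog entry added in the last krb5.spec hunk, `- Revert qualify_shortname removal`, describes the packaging action but not the user-visible effect of re-adding Patch22: the carried patch changes the `dns_canonicalize_hostname` default from true to `fallback` in `krb5_init_context_profile()` (the init_ctx.c hunk inside the new patch file) and sets `qualify_shortname = ""` only in the test configurations. Clients that relied on DNS forward/reverse canonicalization of short or aliased hostnames may now select a different service principal on the first attempt, which is the kind of behavior change an administrator looks for in `rpm -q --changelog`. A second line such as `- Default dns_canonicalize_hostname to fallback (upstream ticket 8911)` would make that discoverable. The "revert" wording suggests release 16 had dropped this same patch; if so, naming that earlier entry would help readers connect the two.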