Remove checksum type profile variables
parent
0b0d802a54
commit
4b3d9079ae
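--- a/Remove-checksum-type-profile-variables.patch
+++ b/Remove-checksum-type-profile-variables.patch
@@ -0,0 +1,428 @@
+From 443b8989c5d554f5347b72364d704d4626ca9a92 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Mon, 13 May 2019 14:19:57 -0400
+Subject: [PATCH] Remove checksum type profile variables
+
+Remove support for the krb5.conf relations ap_req_checksum_type,
+kdc_req_checksum_type, and safe_checksum_type. These values were
+useful for interoperating with very old KDCs, which should no longer
+be deployed.
+
+Additionally, kdc_req_checksum_type was incorrectly documented as only
+applying to single-DES keys; in practice it also worked for RC4. The
+other two were not clearly documented, but safe_checksum_type did
+allow use of hmac-md5-rc4 for any enctype, and ap_req_checksum_type
+did not impose any limitations.
+
+[ghudson@mit.edu: edited commit message]
+
+ticket: 8804 (new)
+(cherry picked from commit a5a140dc85201faf1ba3a687553058354722a1b4)
+---
+doc/admin/conf_files/krb5_conf.rst | 37 ------------
+src/include/k5-int.h | 6 --
+src/lib/krb5/krb/auth_con.c | 2 -
+src/lib/krb5/krb/init_ctx.c | 13 -----
+src/lib/krb5/krb/send_tgs.c | 19 +------
+src/lib/krb5/krb/ser_ctx.c | 38 +------------
+src/lib/krb5/krb/t_copy_context.c | 6 --
+src/man/krb5.conf.man | 90 ++----------------------------
+8 files changed, 7 insertions(+), 204 deletions(-)
+
+diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
+index e9f7e8c59..5df3bfe36 100644
+--- a/doc/admin/conf_files/krb5_conf.rst
++++ b/doc/admin/conf_files/krb5_conf.rst
+@@ -111,14 +111,6 @@ The libdefaults section may contain any of the following relations:
+strong crypto. Users in affected environments should set this tag
+to true until their infrastructure adopts stronger ciphers.
+
+-**ap_req_checksum_type**
+- An integer which specifies the type of AP-REQ checksum to use in
+- authenticators. This variable should be unset so the appropriate
+- checksum for the encryption key in use will be used. This can be
+- set if backward compatibility requires a specific checksum type.
+- See the **kdc_req_checksum_type** configuration option for the
+- possible values and their meanings.
+-
+**canonicalize**
+If this flag is set to true, initial ticket requests to the KDC
+will request canonicalization of the client principal name, and
+@@ -297,26 +289,6 @@ The libdefaults section may contain any of the following relations:
+corrective factor is only used by the Kerberos library; it is not
+used to change the system clock. The default value is 1.
+
+-**kdc_req_checksum_type**
+- An integer which specifies the type of checksum to use for the KDC
+- requests, for compatibility with very old KDC implementations.
+- This value is only used for DES keys; other keys use the preferred
+- checksum type for those keys.
+-
+- The possible values and their meanings are as follows.
+-
+- ======== ===============================
+- 1 CRC32
+- 2 RSA MD4
+- 3 RSA MD4 DES
+- 4 DES CBC
+- 7 RSA MD5
+- 8 RSA MD5 DES
+- 9 NIST SHA
+- 12 HMAC SHA1 DES3
+- -138 Microsoft MD5 HMAC checksum type
+- ======== ===============================
+-
+**noaddresses**
+If this flag is true, requests for initial tickets will not be
+made with address restrictions set, allowing the tickets to be
+@@ -365,15 +337,6 @@ The libdefaults section may contain any of the following relations:
+(:ref:`duration` string.) Sets the default renewable lifetime
+for initial ticket requests. The default value is 0.
+
+-**safe_checksum_type**
+- An integer which specifies the type of checksum to use for the
+- KRB-SAFE requests. By default it is set to 8 (RSA MD5 DES). For
+- compatibility with applications linked against DCE version 1.1 or
+- earlier Kerberos libraries, use a value of 3 to use the RSA MD4
+- DES instead. This field is ignored when its value is incompatible
+- with the session key type. See the **kdc_req_checksum_type**
+- configuration option for the possible values and their meanings.
+-
+**spake_preauth_groups**
+A whitespace or comma-separated list of words which specifies the
+groups allowed for SPAKE preauthentication. The possible values
+diff --git a/src/include/k5-int.h b/src/include/k5-int.h
+index 1e6a739e9..1a78fd7a9 100644
+--- a/src/include/k5-int.h
++++ b/src/include/k5-int.h
+@@ -182,7 +182,6 @@ typedef unsigned char u_char;
+#define KRB5_CONF_ACL_FILE "acl_file"
+#define KRB5_CONF_ADMIN_SERVER "admin_server"
+#define KRB5_CONF_ALLOW_WEAK_CRYPTO "allow_weak_crypto"
+-#define KRB5_CONF_AP_REQ_CHECKSUM_TYPE "ap_req_checksum_type"
+#define KRB5_CONF_AUTH_TO_LOCAL "auth_to_local"
+#define KRB5_CONF_AUTH_TO_LOCAL_NAMES "auth_to_local_names"
+#define KRB5_CONF_CANONICALIZE "canonicalize"
+@@ -241,7 +240,6 @@ typedef unsigned char u_char;
+#define KRB5_CONF_KDC_LISTEN "kdc_listen"
+#define KRB5_CONF_KDC_MAX_DGRAM_REPLY_SIZE "kdc_max_dgram_reply_size"
+#define KRB5_CONF_KDC_PORTS "kdc_ports"
+-#define KRB5_CONF_KDC_REQ_CHECKSUM_TYPE "kdc_req_checksum_type"
+#define KRB5_CONF_KDC_TCP_PORTS "kdc_tcp_ports"
+#define KRB5_CONF_KDC_TCP_LISTEN "kdc_tcp_listen"
+#define KRB5_CONF_KDC_TCP_LISTEN_BACKLOG "kdc_tcp_listen_backlog"
+@@ -289,7 +287,6 @@ typedef unsigned char u_char;
+#define KRB5_CONF_REJECT_BAD_TRANSIT "reject_bad_transit"
+#define KRB5_CONF_RENEW_LIFETIME "renew_lifetime"
+#define KRB5_CONF_RESTRICT_ANONYMOUS_TO_TGT "restrict_anonymous_to_tgt"
+-#define KRB5_CONF_SAFE_CHECKSUM_TYPE "safe_checksum_type"
+#define KRB5_CONF_SUPPORTED_ENCTYPES "supported_enctypes"
+#define KRB5_CONF_SPAKE_PREAUTH_INDICATOR "spake_preauth_indicator"
+#define KRB5_CONF_SPAKE_PREAUTH_KDC_CHALLENGE "spake_preauth_kdc_challenge"
+@@ -1185,9 +1182,6 @@ struct _krb5_context {
+void *ser_ctx;
+/* allowable clock skew */
+krb5_deltat clockskew;
+- krb5_cksumtype kdc_req_sumtype;
+- krb5_cksumtype default_ap_req_sumtype;
+- krb5_cksumtype default_safe_sumtype;
+krb5_flags kdc_default_options;
+krb5_flags library_options;
+krb5_boolean profile_secure;
+diff --git a/src/lib/krb5/krb/auth_con.c b/src/lib/krb5/krb/auth_con.c
+index c86a4af63..1dfce631c 100644
+--- a/src/lib/krb5/krb/auth_con.c
++++ b/src/lib/krb5/krb/auth_con.c
+@@ -40,8 +40,6 @@ krb5_auth_con_init(krb5_context context, krb5_auth_context *auth_context)
+(*auth_context)->auth_context_flags =
+KRB5_AUTH_CONTEXT_DO_TIME | KRB5_AUTH_CONN_INITIALIZED;
+
+- (*auth_context)->req_cksumtype = context->default_ap_req_sumtype;
+- (*auth_context)->safe_cksumtype = context->default_safe_sumtype;
+(*auth_context)->checksum_func = NULL;
+(*auth_context)->checksum_func_data = NULL;
+(*auth_context)->negotiated_etype = ENCTYPE_NULL;
+diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c
+index d263d5cc5..37405728c 100644
+--- a/src/lib/krb5/krb/init_ctx.c
++++ b/src/lib/krb5/krb/init_ctx.c
+@@ -258,19 +258,6 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags,
+get_integer(ctx, KRB5_CONF_CLOCKSKEW, DEFAULT_CLOCKSKEW, &tmp);
+ctx->clockskew = tmp;
+
+- /* DCE 1.1 and below only support CKSUMTYPE_RSA_MD4 (2) */
+- /* DCE add kdc_req_checksum_type = 2 to krb5.conf */
+- get_integer(ctx, KRB5_CONF_KDC_REQ_CHECKSUM_TYPE, CKSUMTYPE_RSA_MD5,
+- &tmp);
+- ctx->kdc_req_sumtype = tmp;
+-
+- get_integer(ctx, KRB5_CONF_AP_REQ_CHECKSUM_TYPE, 0, &tmp);
+- ctx->default_ap_req_sumtype = tmp;
+-
+- get_integer(ctx, KRB5_CONF_SAFE_CHECKSUM_TYPE, CKSUMTYPE_RSA_MD5_DES,
+- &tmp);
+- ctx->default_safe_sumtype = tmp;
+-
+get_integer(ctx, KRB5_CONF_KDC_DEFAULT_OPTIONS, KDC_OPT_RENEWABLE_OK,
+&tmp);
+ctx->kdc_default_options = tmp;
+diff --git a/src/lib/krb5/krb/send_tgs.c b/src/lib/krb5/krb/send_tgs.c
+index e43a5cc5b..3dda2fdaa 100644
+--- a/src/lib/krb5/krb/send_tgs.c
++++ b/src/lib/krb5/krb/send_tgs.c
+@@ -53,7 +53,6 @@ tgs_construct_ap_req(krb5_context context, krb5_data *checksum_data,
+krb5_creds *tgt, krb5_keyblock *subkey,
+krb5_data **ap_req_asn1_out)
+{
+- krb5_cksumtype cksumtype;
+krb5_error_code ret;
+krb5_checksum checksum;
+krb5_authenticator authent;
+@@ -67,24 +66,8 @@ tgs_construct_ap_req(krb5_context context, krb5_data *checksum_data,
+memset(&ap_req, 0, sizeof(ap_req));
+memset(&authent_enc, 0, sizeof(authent_enc));
+
+- /* Determine the authenticator checksum type. */
+- switch (tgt->keyblock.enctype) {
+- case ENCTYPE_DES_CBC_CRC:
+- case ENCTYPE_DES_CBC_MD4:
+- case ENCTYPE_DES_CBC_MD5:
+- case ENCTYPE_ARCFOUR_HMAC:
+- case ENCTYPE_ARCFOUR_HMAC_EXP:
+- cksumtype = context->kdc_req_sumtype;
+- break;
+- default:
+- ret = krb5int_c_mandatory_cksumtype(context, tgt->keyblock.enctype,
+- &cksumtype);
+- if (ret)
+- goto cleanup;
+- }
+-
+/* Generate checksum. */
+- ret = krb5_c_make_checksum(context, cksumtype, &tgt->keyblock,
++ ret = krb5_c_make_checksum(context, 0, &tgt->keyblock,
+KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM, checksum_data,
+&checksum);
+if (ret)
+diff --git a/src/lib/krb5/krb/ser_ctx.c b/src/lib/krb5/krb/ser_ctx.c
+index a9f50b239..39f656322 100644
+--- a/src/lib/krb5/krb/ser_ctx.c
++++ b/src/lib/krb5/krb/ser_ctx.c
+@@ -124,9 +124,6 @@ krb5_context_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep)
+* krb5_int32 for n_tgs_etypes*sizeof(krb5_int32)
+* nktypes*sizeof(krb5_int32) for tgs_etypes.
+* krb5_int32 for clockskew
+- * krb5_int32 for kdc_req_sumtype
+- * krb5_int32 for ap_req_sumtype
+- * krb5_int32 for safe_sumtype
+* krb5_int32 for kdc_default_options
+* krb5_int32 for library_options
+* krb5_int32 for profile_secure
+@@ -139,7 +136,7 @@ krb5_context_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep)
+kret = EINVAL;
+if ((context = (krb5_context) arg)) {
+/* Calculate base length */
+- required = (14 * sizeof(krb5_int32) +
++ required = (11 * sizeof(krb5_int32) +
+(etypes_len(context->in_tkt_etypes) * sizeof(krb5_int32)) +
+(etypes_len(context->tgs_etypes) * sizeof(krb5_int32)));
+
+@@ -255,24 +252,6 @@ krb5_context_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **b
+if (kret)
+return (kret);
+
+- /* Now kdc_req_sumtype */
+- kret = krb5_ser_pack_int32((krb5_int32) context->kdc_req_sumtype,
+- &bp, &remain);
+- if (kret)
+- return (kret);
+-
+- /* Now default ap_req_sumtype */
+- kret = krb5_ser_pack_int32((krb5_int32) context->default_ap_req_sumtype,
+- &bp, &remain);
+- if (kret)
+- return (kret);
+-
+- /* Now default safe_sumtype */
+- kret = krb5_ser_pack_int32((krb5_int32) context->default_safe_sumtype,
+- &bp, &remain);
+- if (kret)
+- return (kret);
+-
+/* Now kdc_default_options */
+kret = krb5_ser_pack_int32((krb5_int32) context->kdc_default_options,
+&bp, &remain);
+@@ -426,21 +405,6 @@ krb5_context_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet *
+goto cleanup;
+context->clockskew = (krb5_deltat) ibuf;
+
+- /* kdc_req_sumtype */
+- if ((kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain)))
+- goto cleanup;
+- context->kdc_req_sumtype = (krb5_cksumtype) ibuf;
+-
+- /* default ap_req_sumtype */
+- if ((kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain)))
+- goto cleanup;
+- context->default_ap_req_sumtype = (krb5_cksumtype) ibuf;
+-
+- /* default_safe_sumtype */
+- if ((kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain)))
+- goto cleanup;
+- context->default_safe_sumtype = (krb5_cksumtype) ibuf;
+-
+/* kdc_default_options */
+if ((kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain)))
+goto cleanup;
+diff --git a/src/lib/krb5/krb/t_copy_context.c b/src/lib/krb5/krb/t_copy_context.c
+index a6e48cd25..22be2198b 100644
+--- a/src/lib/krb5/krb/t_copy_context.c
++++ b/src/lib/krb5/krb/t_copy_context.c
+@@ -77,9 +77,6 @@ check_context(krb5_context c, krb5_context r)
+check(c->os_context.os_flags == r->os_context.os_flags);
+compare_string(c->os_context.default_ccname, r->os_context.default_ccname);
+check(c->clockskew == r->clockskew);
+- check(c->kdc_req_sumtype == r->kdc_req_sumtype);
+- check(c->default_ap_req_sumtype == r->default_ap_req_sumtype);
+- check(c->default_safe_sumtype == r->default_safe_sumtype);
+check(c->kdc_default_options == r->kdc_default_options);
+check(c->library_options == r->library_options);
+check(c->profile_secure == r->profile_secure);
+@@ -136,9 +133,6 @@ main(int argc, char **argv)
+check(krb5_cc_set_default_name(ctx, "defccname") == 0);
+check(krb5_set_default_realm(ctx, "defrealm") == 0);
+ctx->clockskew = 18;
+- ctx->kdc_req_sumtype = CKSUMTYPE_NIST_SHA;
+- ctx->default_ap_req_sumtype = CKSUMTYPE_HMAC_SHA1_96_AES128;
+- ctx->default_safe_sumtype = CKSUMTYPE_HMAC_SHA1_96_AES256;
+ctx->kdc_default_options = KDC_OPT_FORWARDABLE;
+ctx->library_options = 0;
+ctx->profile_secure = TRUE;
+diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man
+index d431dce75..aafdf7f83 100644
+--- a/src/man/krb5.conf.man
++++ b/src/man/krb5.conf.man
+@@ -1,6 +1,6 @@
+.\" Man page generated from reStructuredText.
+.
+-.TH "KRB5.CONF" "5" " " "1.17" "MIT Kerberos"
++.TH "KRB5.CONF" "5" " " "1.18" "MIT Kerberos"
+.SH NAME
+krb5.conf \- Kerberos configuration file
+.
+@@ -202,14 +202,6 @@ failures in existing Kerberos infrastructures that do not support
+strong crypto. Users in affected environments should set this tag
+to true until their infrastructure adopts stronger ciphers.
+.TP
+-\fBap_req_checksum_type\fP
+-An integer which specifies the type of AP\-REQ checksum to use in
+-authenticators. This variable should be unset so the appropriate
+-checksum for the encryption key in use will be used. This can be
+-set if backward compatibility requires a specific checksum type.
+-See the \fBkdc_req_checksum_type\fP configuration option for the
+-possible values and their meanings.
+-.TP
+\fBcanonicalize\fP
+If this flag is set to true, initial ticket requests to the KDC
+will request canonicalization of the client principal name, and
+@@ -291,6 +283,10 @@ hostnames for use in service principal names. Setting this flag
+to false can improve security by reducing reliance on DNS, but
+means that short hostnames will not be canonicalized to
+fully\-qualified hostnames. The default value is true.
++.sp
++If this option is set to \fBfallback\fP (new in release 1.18), DNS
++canonicalization will only be performed the server hostname is not
++found with the original name when requesting credentials.
+.TP
+\fBdns_lookup_kdc\fP
+Indicate whether DNS SRV records should be used to locate the KDCs
+@@ -384,73 +380,6 @@ requesting service tickets or authenticating to services. This
+corrective factor is only used by the Kerberos library; it is not
+used to change the system clock. The default value is 1.
+.TP
+-\fBkdc_req_checksum_type\fP
+-An integer which specifies the type of checksum to use for the KDC
+-requests, for compatibility with very old KDC implementations.
+-This value is only used for DES keys; other keys use the preferred
+-checksum type for those keys.
+-.sp
+-The possible values and their meanings are as follows.
+-.TS
+-center;
+-|l|l|.
+-_
+-T{
+-1
+-T} T{
+-CRC32
+-T}
+-_
+-T{
+-2
+-T} T{
+-RSA MD4
+-T}
+-_
+-T{
+-3
+-T} T{
+-RSA MD4 DES
+-T}
+-_
+-T{
+-4
+-T} T{
+-DES CBC
+-T}
+-_
+-T{
+-7
+-T} T{
+-RSA MD5
+-T}
+-_
+-T{
+-8
+-T} T{
+-RSA MD5 DES
+-T}
+-_
+-T{
+-9
+-T} T{
+-NIST SHA
+-T}
+-_
+-T{
+-12
+-T} T{
+-HMAC SHA1 DES3
+-T}
+-_
+-T{
+-\-138
+-T} T{
+-Microsoft MD5 HMAC checksum type
+-T}
+-_
+-.TE
+-.TP
+\fBnoaddresses\fP
+If this flag is true, requests for initial tickets will not be
+made with address restrictions set, allowing the tickets to be
+@@ -499,15 +428,6 @@ set. The default is not to search domain components.
+(duration string.) Sets the default renewable lifetime
+for initial ticket requests. The default value is 0.
+.TP
+-\fBsafe_checksum_type\fP
+-An integer which specifies the type of checksum to use for the
+-KRB\-SAFE requests. By default it is set to 8 (RSA MD5 DES). For
+-compatibility with applications linked against DCE version 1.1 or
+-earlier Kerberos libraries, use a value of 3 to use the RSA MD4
+-DES instead. This field is ignored when its value is incompatible
+-with the session key type. See the \fBkdc_req_checksum_type\fP
+-configuration option for the possible values and their meanings.
+-.TP
+\fBspake_preauth_groups\fP
+A whitespace or comma\-separated list of words which specifies the
+groups allowed for SPAKE preauthentication. The possible values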
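Review bot: In the send_tgs.c hunk the new call `krb5_c_make_checksum(context, 0, &tgt->keyblock,` passes a bare `0` where the removed switch used to choose the type, and nothing on the new side says what that value selects. A one-line comment above the call, such as `/* A cksumtype of 0 selects the mandatory checksum type for the key's enctype. */`, would record that DES and RC4 TGT keys no longer take a profile-chosen checksum. The ser_ctx.c hunks also shrink the serialized context from 14 to 11 `krb5_int32` fields with no format marker visible in the hunks, so a buffer externalized by an older library would presumably be misread or rejected by `krb5_context_internalize`; a comment at the `required = (11 * sizeof(krb5_int32) +` line noting the layout change would help. Both functions start and end outside the hunks shown.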
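--- a/Remove-dead-variable-def_kslist-from-two-files.patch
+++ b/Remove-dead-variable-def_kslist-from-two-files.patch
@@ -0,0 +1,69 @@
+From f18a482eec20369d7bcb4a7b2b6440c907215eff Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Thu, 2 May 2019 16:57:51 -0400
+Subject: [PATCH] Remove dead variable def_kslist from two files
+
+def_kslist was part of kdb5_create.c since its addition (commit
+edf8b4d8a6a665c2aa150993cd813ea6c5cf12e1) and has always been
+irrelevant since the rblock structure is fully initialized in
+kdb5_create().
+
+def_klist was copied into kdb5_ldap_realm.c (present in addition at
+commit 42d9d6ab320ee3a661fe21472be542acd542d5be). The global rblock
+structure (and therefore the initializer) was removed in commit
+9c850f8b62784170a5e42315c1a9552ddcf4ca2b, leaving def_kslist
+unreferenced.
+
+Remove def_kslist from both files, and remove the rblock initializer
+from kdb5_create.c.
+
+[ghudson@mit.edu: edited commit message]
+
+(cherry picked from commit 6309f5e3508cd24151222b2cd095766283e205f2)
+---
+src/kadmin/dbutil/kdb5_create.c | 12 +-----------
+src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c | 1 -
+2 files changed, 1 insertion(+), 12 deletions(-)
+
+diff --git a/src/kadmin/dbutil/kdb5_create.c b/src/kadmin/dbutil/kdb5_create.c
+index bc1b9195d..efdb8adb0 100644
+--- a/src/kadmin/dbutil/kdb5_create.c
++++ b/src/kadmin/dbutil/kdb5_create.c
+@@ -66,8 +66,6 @@ enum ap_op {
+TGT_KEY /* special handling for tgt key */
+};
+
+-krb5_key_salt_tuple def_kslist = { ENCTYPE_DES_CBC_CRC, KRB5_KDB_SALTTYPE_NORMAL };
+-
+struct realm_info {
+krb5_deltat max_life;
+krb5_deltat max_rlife;
+@@ -76,15 +74,7 @@ struct realm_info {
+krb5_keyblock *key;
+krb5_int32 nkslist;
+krb5_key_salt_tuple *kslist;
+-} rblock = { /* XXX */
+- KRB5_KDB_MAX_LIFE,
+- KRB5_KDB_MAX_RLIFE,
+- KRB5_KDB_EXPIRATION,
+- KRB5_KDB_DEF_FLAGS,
+- (krb5_keyblock *) NULL,
+- 1,
+- &def_kslist
+-};
++} rblock;
+
+struct iterate_args {
+krb5_context ctx;
+diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c
+index 5a745e21d..c21d19981 100644
+--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c
++++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c
+@@ -91,7 +91,6 @@
+extern time_t get_date(char *); /* kadmin/cli/getdate.o */
+
+char *yes = "yes\n"; /* \n to compare against result of fgets */
+-krb5_key_salt_tuple def_kslist = {ENCTYPE_DES_CBC_CRC, KRB5_KDB_SALTTYPE_NORMAL};
+
+krb5_data tgt_princ_entries[] = {
+{0, KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME},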
@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
|
||||
Name: krb5
|
||||
Version: 1.17
|
||||
# for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
|
||||
Release: 18%{?dist}
|
||||
Release: 19%{?dist}
|
||||
|
||||
# lookaside-cached sources; two downloads and a build artifact
|
||||
Source0: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}%{prerelease}.tar.gz
|
||||
@ -94,6 +94,8 @@ Patch124: Simply-OpenSSL-PKCS7-decryption-code.patch
|
||||
Patch125: Improve-error-messages-from-kadmin-change_password.patch
|
||||
Patch126: Remove-more-dead-code.patch
|
||||
Patch127: krb5-1.17post1-FIPS-with-PRNG-and-SPAKE.patch
|
||||
Patch128: Remove-checksum-type-profile-variables.patch
|
||||
Patch129: Remove-dead-variable-def_kslist-from-two-files.patch
|
||||
|
||||
License: MIT
|
||||
URL: http://web.mit.edu/kerberos/www/
|
||||
@ -700,6 +702,9 @@ exit 0
|
||||
%{_libdir}/libkadm5srv_mit.so.*
|
||||
|
||||
%changelog
|
||||
* Tue May 14 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-19
|
||||
- Remove checksum type profile variables
|
||||
|
||||
* Fri May 10 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-18
|
||||
- Pull in 2019-05-02 static analysis updates
|
||||
|
||||
|