diff --git a/Remove-checksum-type-profile-variables.patch b/Remove-checksum-type-profile-variables.patch
new file mode 100644
index 0000000..90596e5
--- /dev/null
+++ b/Remove-checksum-type-profile-variables.patch
@@ -0,0 +1,428 @@ +From 443b8989c5d554f5347b72364d704d4626ca9a92 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Mon, 13 May 2019 14:19:57 -0400 +Subject: [PATCH] Remove checksum type profile variables + +Remove support for the krb5.conf relations ap_req_checksum_type, +kdc_req_checksum_type, and safe_checksum_type. These values were +useful for interoperating with very old KDCs, which should no longer +be deployed. + +Additionally, kdc_req_checksum_type was incorrectly documented as only +applying to single-DES keys; in practice it also worked for RC4. The +other two were not clearly documented, but safe_checksum_type did +allow use of hmac-md5-rc4 for any enctype, and ap_req_checksum_type +did not impose any limitations. + +[ghudson@mit.edu: edited commit message] + +ticket: 8804 (new) +(cherry picked from commit a5a140dc85201faf1ba3a687553058354722a1b4) +--- + doc/admin/conf_files/krb5_conf.rst | 37 ------------ + src/include/k5-int.h | 6 -- + src/lib/krb5/krb/auth_con.c | 2 - + src/lib/krb5/krb/init_ctx.c | 13 ----- + src/lib/krb5/krb/send_tgs.c | 19 +------ + src/lib/krb5/krb/ser_ctx.c | 38 +------------ + src/lib/krb5/krb/t_copy_context.c | 6 -- + src/man/krb5.conf.man | 90 ++---------------------------- + 8 files changed, 7 insertions(+), 204 deletions(-) + +diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst +index e9f7e8c59..5df3bfe36 100644 +--- a/doc/admin/conf_files/krb5_conf.rst ++++ b/doc/admin/conf_files/krb5_conf.rst +@@ -111,14 +111,6 @@ The libdefaults section may contain any of the following relations: + strong crypto. Users in affected environments should set this tag + to true until their infrastructure adopts stronger ciphers. + +-**ap_req_checksum_type** +- An integer which specifies the type of AP-REQ checksum to use in +- authenticators. This variable should be unset so the appropriate +- checksum for the encryption key in use will be used. 
This can be +- set if backward compatibility requires a specific checksum type. +- See the **kdc_req_checksum_type** configuration option for the +- possible values and their meanings. +- + **canonicalize** + If this flag is set to true, initial ticket requests to the KDC + will request canonicalization of the client principal name, and +@@ -297,26 +289,6 @@ The libdefaults section may contain any of the following relations: + corrective factor is only used by the Kerberos library; it is not + used to change the system clock. The default value is 1. + +-**kdc_req_checksum_type** +- An integer which specifies the type of checksum to use for the KDC +- requests, for compatibility with very old KDC implementations. +- This value is only used for DES keys; other keys use the preferred +- checksum type for those keys. +- +- The possible values and their meanings are as follows. +- +- ======== =============================== +- 1 CRC32 +- 2 RSA MD4 +- 3 RSA MD4 DES +- 4 DES CBC +- 7 RSA MD5 +- 8 RSA MD5 DES +- 9 NIST SHA +- 12 HMAC SHA1 DES3 +- -138 Microsoft MD5 HMAC checksum type +- ======== =============================== +- + **noaddresses** + If this flag is true, requests for initial tickets will not be + made with address restrictions set, allowing the tickets to be +@@ -365,15 +337,6 @@ The libdefaults section may contain any of the following relations: + (:ref:`duration` string.) Sets the default renewable lifetime + for initial ticket requests. The default value is 0. + +-**safe_checksum_type** +- An integer which specifies the type of checksum to use for the +- KRB-SAFE requests. By default it is set to 8 (RSA MD5 DES). For +- compatibility with applications linked against DCE version 1.1 or +- earlier Kerberos libraries, use a value of 3 to use the RSA MD4 +- DES instead. This field is ignored when its value is incompatible +- with the session key type. See the **kdc_req_checksum_type** +- configuration option for the possible values and their meanings. 
+- + **spake_preauth_groups** + A whitespace or comma-separated list of words which specifies the + groups allowed for SPAKE preauthentication. The possible values +diff --git a/src/include/k5-int.h b/src/include/k5-int.h +index 1e6a739e9..1a78fd7a9 100644 +--- a/src/include/k5-int.h ++++ b/src/include/k5-int.h +@@ -182,7 +182,6 @@ typedef unsigned char u_char; + #define KRB5_CONF_ACL_FILE "acl_file" + #define KRB5_CONF_ADMIN_SERVER "admin_server" + #define KRB5_CONF_ALLOW_WEAK_CRYPTO "allow_weak_crypto" +-#define KRB5_CONF_AP_REQ_CHECKSUM_TYPE "ap_req_checksum_type" + #define KRB5_CONF_AUTH_TO_LOCAL "auth_to_local" + #define KRB5_CONF_AUTH_TO_LOCAL_NAMES "auth_to_local_names" + #define KRB5_CONF_CANONICALIZE "canonicalize" +@@ -241,7 +240,6 @@ typedef unsigned char u_char; + #define KRB5_CONF_KDC_LISTEN "kdc_listen" + #define KRB5_CONF_KDC_MAX_DGRAM_REPLY_SIZE "kdc_max_dgram_reply_size" + #define KRB5_CONF_KDC_PORTS "kdc_ports" +-#define KRB5_CONF_KDC_REQ_CHECKSUM_TYPE "kdc_req_checksum_type" + #define KRB5_CONF_KDC_TCP_PORTS "kdc_tcp_ports" + #define KRB5_CONF_KDC_TCP_LISTEN "kdc_tcp_listen" + #define KRB5_CONF_KDC_TCP_LISTEN_BACKLOG "kdc_tcp_listen_backlog" +@@ -289,7 +287,6 @@ typedef unsigned char u_char; + #define KRB5_CONF_REJECT_BAD_TRANSIT "reject_bad_transit" + #define KRB5_CONF_RENEW_LIFETIME "renew_lifetime" + #define KRB5_CONF_RESTRICT_ANONYMOUS_TO_TGT "restrict_anonymous_to_tgt" +-#define KRB5_CONF_SAFE_CHECKSUM_TYPE "safe_checksum_type" + #define KRB5_CONF_SUPPORTED_ENCTYPES "supported_enctypes" + #define KRB5_CONF_SPAKE_PREAUTH_INDICATOR "spake_preauth_indicator" + #define KRB5_CONF_SPAKE_PREAUTH_KDC_CHALLENGE "spake_preauth_kdc_challenge" +@@ -1185,9 +1182,6 @@ struct _krb5_context { + void *ser_ctx; + /* allowable clock skew */ + krb5_deltat clockskew; +- krb5_cksumtype kdc_req_sumtype; +- krb5_cksumtype default_ap_req_sumtype; +- krb5_cksumtype default_safe_sumtype; + krb5_flags kdc_default_options; + krb5_flags library_options; + krb5_boolean 
profile_secure; +diff --git a/src/lib/krb5/krb/auth_con.c b/src/lib/krb5/krb/auth_con.c +index c86a4af63..1dfce631c 100644 +--- a/src/lib/krb5/krb/auth_con.c ++++ b/src/lib/krb5/krb/auth_con.c +@@ -40,8 +40,6 @@ krb5_auth_con_init(krb5_context context, krb5_auth_context *auth_context) + (*auth_context)->auth_context_flags = + KRB5_AUTH_CONTEXT_DO_TIME | KRB5_AUTH_CONN_INITIALIZED; + +- (*auth_context)->req_cksumtype = context->default_ap_req_sumtype; +- (*auth_context)->safe_cksumtype = context->default_safe_sumtype; + (*auth_context)->checksum_func = NULL; + (*auth_context)->checksum_func_data = NULL; + (*auth_context)->negotiated_etype = ENCTYPE_NULL; +diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c +index d263d5cc5..37405728c 100644 +--- a/src/lib/krb5/krb/init_ctx.c ++++ b/src/lib/krb5/krb/init_ctx.c +@@ -258,19 +258,6 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags, + get_integer(ctx, KRB5_CONF_CLOCKSKEW, DEFAULT_CLOCKSKEW, &tmp); + ctx->clockskew = tmp; + +- /* DCE 1.1 and below only support CKSUMTYPE_RSA_MD4 (2) */ +- /* DCE add kdc_req_checksum_type = 2 to krb5.conf */ +- get_integer(ctx, KRB5_CONF_KDC_REQ_CHECKSUM_TYPE, CKSUMTYPE_RSA_MD5, +- &tmp); +- ctx->kdc_req_sumtype = tmp; +- +- get_integer(ctx, KRB5_CONF_AP_REQ_CHECKSUM_TYPE, 0, &tmp); +- ctx->default_ap_req_sumtype = tmp; +- +- get_integer(ctx, KRB5_CONF_SAFE_CHECKSUM_TYPE, CKSUMTYPE_RSA_MD5_DES, +- &tmp); +- ctx->default_safe_sumtype = tmp; +- + get_integer(ctx, KRB5_CONF_KDC_DEFAULT_OPTIONS, KDC_OPT_RENEWABLE_OK, + &tmp); + ctx->kdc_default_options = tmp; +diff --git a/src/lib/krb5/krb/send_tgs.c b/src/lib/krb5/krb/send_tgs.c +index e43a5cc5b..3dda2fdaa 100644 +--- a/src/lib/krb5/krb/send_tgs.c ++++ b/src/lib/krb5/krb/send_tgs.c +@@ -53,7 +53,6 @@ tgs_construct_ap_req(krb5_context context, krb5_data *checksum_data, + krb5_creds *tgt, krb5_keyblock *subkey, + krb5_data **ap_req_asn1_out) + { +- krb5_cksumtype cksumtype; + krb5_error_code ret; + krb5_checksum 
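Review bot: In krb5_auth_con_init() in auth_con.c, `req_cksumtype` and `safe_cksumtype` are no longer assigned, so their starting value now depends on how the auth context was allocated, which happens above the visible lines. If that allocation zero-fills the structure they start at 0, and presumably 0 is what the later users of both fields treat as "take the checksum type from the key"; that should be confirmed against those users. I would record the reliance where the assignments used to be, for example `/* req_cksumtype and safe_cksumtype are left at 0 so the key's own checksum type is chosen. */`. The function begins and ends outside the hunk.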
checksum; + krb5_authenticator authent; +@@ -67,24 +66,8 @@ tgs_construct_ap_req(krb5_context context, krb5_data *checksum_data, + memset(&ap_req, 0, sizeof(ap_req)); + memset(&authent_enc, 0, sizeof(authent_enc)); + +- /* Determine the authenticator checksum type. */ +- switch (tgt->keyblock.enctype) { +- case ENCTYPE_DES_CBC_CRC: +- case ENCTYPE_DES_CBC_MD4: +- case ENCTYPE_DES_CBC_MD5: +- case ENCTYPE_ARCFOUR_HMAC: +- case ENCTYPE_ARCFOUR_HMAC_EXP: +- cksumtype = context->kdc_req_sumtype; +- break; +- default: +- ret = krb5int_c_mandatory_cksumtype(context, tgt->keyblock.enctype, +- &cksumtype); +- if (ret) +- goto cleanup; +- } +- + /* Generate checksum. */ +- ret = krb5_c_make_checksum(context, cksumtype, &tgt->keyblock, ++ ret = krb5_c_make_checksum(context, 0, &tgt->keyblock, + KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM, checksum_data, + &checksum); + if (ret) +diff --git a/src/lib/krb5/krb/ser_ctx.c b/src/lib/krb5/krb/ser_ctx.c +index a9f50b239..39f656322 100644 +--- a/src/lib/krb5/krb/ser_ctx.c ++++ b/src/lib/krb5/krb/ser_ctx.c +@@ -124,9 +124,6 @@ krb5_context_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep) + * krb5_int32 for n_tgs_etypes*sizeof(krb5_int32) + * nktypes*sizeof(krb5_int32) for tgs_etypes. 
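Review bot: The bare `0` now passed as the checksum type in `krb5_c_make_checksum(context, 0, &tgt->keyblock, ...)` in tgs_construct_ap_req() reads like a placeholder, although it is the value that makes the crypto layer pick the mandatory checksum for the key's enctype. Because this call no longer honours a profile override for DES and RC4 session keys, a comment at the call site would show that the choice is deliberate: `/* cksumtype 0 selects the mandatory checksum type for the TGT session key. */`. A failure to find a mandatory type now surfaces through this call's `ret` instead of the removed `krb5int_c_mandatory_cksumtype` branch, which the existing `if (ret)` check appears to cover. The function continues outside the hunk.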
+ * krb5_int32 for clockskew +- * krb5_int32 for kdc_req_sumtype +- * krb5_int32 for ap_req_sumtype +- * krb5_int32 for safe_sumtype + * krb5_int32 for kdc_default_options + * krb5_int32 for library_options + * krb5_int32 for profile_secure +@@ -139,7 +136,7 @@ krb5_context_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep) + kret = EINVAL; + if ((context = (krb5_context) arg)) { + /* Calculate base length */ +- required = (14 * sizeof(krb5_int32) + ++ required = (11 * sizeof(krb5_int32) + + (etypes_len(context->in_tkt_etypes) * sizeof(krb5_int32)) + + (etypes_len(context->tgs_etypes) * sizeof(krb5_int32))); + +@@ -255,24 +252,6 @@ krb5_context_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **b + if (kret) + return (kret); + +- /* Now kdc_req_sumtype */ +- kret = krb5_ser_pack_int32((krb5_int32) context->kdc_req_sumtype, +- &bp, &remain); +- if (kret) +- return (kret); +- +- /* Now default ap_req_sumtype */ +- kret = krb5_ser_pack_int32((krb5_int32) context->default_ap_req_sumtype, +- &bp, &remain); +- if (kret) +- return (kret); +- +- /* Now default safe_sumtype */ +- kret = krb5_ser_pack_int32((krb5_int32) context->default_safe_sumtype, +- &bp, &remain); +- if (kret) +- return (kret); +- + /* Now kdc_default_options */ + kret = krb5_ser_pack_int32((krb5_int32) context->kdc_default_options, + &bp, &remain); +@@ -426,21 +405,6 @@ krb5_context_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet * + goto cleanup; + context->clockskew = (krb5_deltat) ibuf; + +- /* kdc_req_sumtype */ +- if ((kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain))) +- goto cleanup; +- context->kdc_req_sumtype = (krb5_cksumtype) ibuf; +- +- /* default ap_req_sumtype */ +- if ((kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain))) +- goto cleanup; +- context->default_ap_req_sumtype = (krb5_cksumtype) ibuf; +- +- /* default_safe_sumtype */ +- if ((kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain))) +- goto cleanup; +- context->default_safe_sumtype = 
(krb5_cksumtype) ibuf; +- + /* kdc_default_options */ + if ((kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain))) + goto cleanup; +diff --git a/src/lib/krb5/krb/t_copy_context.c b/src/lib/krb5/krb/t_copy_context.c +index a6e48cd25..22be2198b 100644 +--- a/src/lib/krb5/krb/t_copy_context.c ++++ b/src/lib/krb5/krb/t_copy_context.c +@@ -77,9 +77,6 @@ check_context(krb5_context c, krb5_context r) + check(c->os_context.os_flags == r->os_context.os_flags); + compare_string(c->os_context.default_ccname, r->os_context.default_ccname); + check(c->clockskew == r->clockskew); +- check(c->kdc_req_sumtype == r->kdc_req_sumtype); +- check(c->default_ap_req_sumtype == r->default_ap_req_sumtype); +- check(c->default_safe_sumtype == r->default_safe_sumtype); + check(c->kdc_default_options == r->kdc_default_options); + check(c->library_options == r->library_options); + check(c->profile_secure == r->profile_secure); +@@ -136,9 +133,6 @@ main(int argc, char **argv) + check(krb5_cc_set_default_name(ctx, "defccname") == 0); + check(krb5_set_default_realm(ctx, "defrealm") == 0); + ctx->clockskew = 18; +- ctx->kdc_req_sumtype = CKSUMTYPE_NIST_SHA; +- ctx->default_ap_req_sumtype = CKSUMTYPE_HMAC_SHA1_96_AES128; +- ctx->default_safe_sumtype = CKSUMTYPE_HMAC_SHA1_96_AES256; + ctx->kdc_default_options = KDC_OPT_FORWARDABLE; + ctx->library_options = 0; + ctx->profile_secure = TRUE; +diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man +index d431dce75..aafdf7f83 100644 +--- a/src/man/krb5.conf.man ++++ b/src/man/krb5.conf.man +@@ -1,6 +1,6 @@ + .\" Man page generated from reStructuredText. + . +-.TH "KRB5.CONF" "5" " " "1.17" "MIT Kerberos" ++.TH "KRB5.CONF" "5" " " "1.18" "MIT Kerberos" + .SH NAME + krb5.conf \- Kerberos configuration file + . +@@ -202,14 +202,6 @@ failures in existing Kerberos infrastructures that do not support + strong crypto. Users in affected environments should set this tag + to true until their infrastructure adopts stronger ciphers. 
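Review bot: The ser_ctx.c hunks change the serialized context layout (the fixed part drops from `14 * sizeof(krb5_int32)` to `11 * sizeof(krb5_int32)`) without any version marker visible in krb5_context_size(), krb5_context_externalize() or krb5_context_internalize(). A blob written by a library built before this patch would have its three checksum-type words read as `kdc_default_options`, `library_options` and `profile_secure` by the new internalize code. Whether a later magic or trailer check rejects such a blob lies outside the hunks. As this lands as a patch on a 1.17 package, it is worth confirming that serialized contexts are never stored or passed between library builds. A comment beside the size calculation would state this, such as `/* Layout differs from builds that still serialized the checksum-type fields; older blobs are not accepted. */`.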
+ .TP +-\fBap_req_checksum_type\fP +-An integer which specifies the type of AP\-REQ checksum to use in +-authenticators. This variable should be unset so the appropriate +-checksum for the encryption key in use will be used. This can be +-set if backward compatibility requires a specific checksum type. +-See the \fBkdc_req_checksum_type\fP configuration option for the +-possible values and their meanings. +-.TP + \fBcanonicalize\fP + If this flag is set to true, initial ticket requests to the KDC + will request canonicalization of the client principal name, and +@@ -291,6 +283,10 @@ hostnames for use in service principal names. Setting this flag + to false can improve security by reducing reliance on DNS, but + means that short hostnames will not be canonicalized to + fully\-qualified hostnames. The default value is true. ++.sp ++If this option is set to \fBfallback\fP (new in release 1.18), DNS ++canonicalization will only be performed the server hostname is not ++found with the original name when requesting credentials. + .TP + \fBdns_lookup_kdc\fP + Indicate whether DNS SRV records should be used to locate the KDCs +@@ -384,73 +380,6 @@ requesting service tickets or authenticating to services. This + corrective factor is only used by the Kerberos library; it is not + used to change the system clock. The default value is 1. + .TP +-\fBkdc_req_checksum_type\fP +-An integer which specifies the type of checksum to use for the KDC +-requests, for compatibility with very old KDC implementations. +-This value is only used for DES keys; other keys use the preferred +-checksum type for those keys. +-.sp +-The possible values and their meanings are as follows. +-.TS +-center; +-|l|l|. 
+-_ +-T{ +-1 +-T} T{ +-CRC32 +-T} +-_ +-T{ +-2 +-T} T{ +-RSA MD4 +-T} +-_ +-T{ +-3 +-T} T{ +-RSA MD4 DES +-T} +-_ +-T{ +-4 +-T} T{ +-DES CBC +-T} +-_ +-T{ +-7 +-T} T{ +-RSA MD5 +-T} +-_ +-T{ +-8 +-T} T{ +-RSA MD5 DES +-T} +-_ +-T{ +-9 +-T} T{ +-NIST SHA +-T} +-_ +-T{ +-12 +-T} T{ +-HMAC SHA1 DES3 +-T} +-_ +-T{ +-\-138 +-T} T{ +-Microsoft MD5 HMAC checksum type +-T} +-_ +-.TE +-.TP + \fBnoaddresses\fP + If this flag is true, requests for initial tickets will not be + made with address restrictions set, allowing the tickets to be +@@ -499,15 +428,6 @@ set. The default is not to search domain components. + (duration string.) Sets the default renewable lifetime + for initial ticket requests. The default value is 0. + .TP +-\fBsafe_checksum_type\fP +-An integer which specifies the type of checksum to use for the +-KRB\-SAFE requests. By default it is set to 8 (RSA MD5 DES). For +-compatibility with applications linked against DCE version 1.1 or +-earlier Kerberos libraries, use a value of 3 to use the RSA MD4 +-DES instead. This field is ignored when its value is incompatible +-with the session key type. See the \fBkdc_req_checksum_type\fP +-configuration option for the possible values and their meanings. +-.TP + \fBspake_preauth_groups\fP + A whitespace or comma\-separated list of words which specifies the + groups allowed for SPAKE preauthentication. The possible values diff --git a/Remove-dead-variable-def_kslist-from-two-files.patch b/Remove-dead-variable-def_kslist-from-two-files.patch new file mode 100644 index 0000000..80b6a1f --- /dev/null +++ b/Remove-dead-variable-def_kslist-from-two-files.patch 
@@ -0,0 +1,69 @@ +From f18a482eec20369d7bcb4a7b2b6440c907215eff Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Thu, 2 May 2019 16:57:51 -0400 +Subject: [PATCH] Remove dead variable def_kslist from two files + +def_kslist was part of kdb5_create.c since its addition (commit +edf8b4d8a6a665c2aa150993cd813ea6c5cf12e1) and has always been +irrelevant since the rblock structure is fully initialized in +kdb5_create(). + +def_klist was copied into kdb5_ldap_realm.c (present in addition at +commit 42d9d6ab320ee3a661fe21472be542acd542d5be). The global rblock +structure (and therefore the initializer) was removed in commit +9c850f8b62784170a5e42315c1a9552ddcf4ca2b, leaving def_kslist +unreferenced. + +Remove def_kslist from both files, and remove the rblock initializer +from kdb5_create.c. + +[ghudson@mit.edu: edited commit message] + +(cherry picked from commit 6309f5e3508cd24151222b2cd095766283e205f2) +--- + src/kadmin/dbutil/kdb5_create.c | 12 +----------- + src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c | 1 - + 2 files changed, 1 insertion(+), 12 deletions(-) + +diff --git a/src/kadmin/dbutil/kdb5_create.c b/src/kadmin/dbutil/kdb5_create.c +index bc1b9195d..efdb8adb0 100644 +--- a/src/kadmin/dbutil/kdb5_create.c ++++ b/src/kadmin/dbutil/kdb5_create.c +@@ -66,8 +66,6 @@ enum ap_op { + TGT_KEY /* special handling for tgt key */ + }; + +-krb5_key_salt_tuple def_kslist = { ENCTYPE_DES_CBC_CRC, KRB5_KDB_SALTTYPE_NORMAL }; +- + struct realm_info { + krb5_deltat max_life; + krb5_deltat max_rlife; +@@ -76,15 +74,7 @@ struct realm_info { + krb5_keyblock *key; + krb5_int32 nkslist; + krb5_key_salt_tuple *kslist; +-} rblock = { /* XXX */ +- KRB5_KDB_MAX_LIFE, +- KRB5_KDB_MAX_RLIFE, +- KRB5_KDB_EXPIRATION, +- KRB5_KDB_DEF_FLAGS, +- (krb5_keyblock *) NULL, +- 1, +- &def_kslist +-}; ++} rblock; + + struct iterate_args { + krb5_context ctx; +diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c +index 
5a745e21d..c21d19981 100644 +--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c ++++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c +@@ -91,7 +91,6 @@ + extern time_t get_date(char *); /* kadmin/cli/getdate.o */ + + char *yes = "yes\n"; /* \n to compare against result of fgets */ +-krb5_key_salt_tuple def_kslist = {ENCTYPE_DES_CBC_CRC, KRB5_KDB_SALTTYPE_NORMAL}; + + krb5_data tgt_princ_entries[] = { + {0, KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME}, diff --git a/krb5.spec b/krb5.spec index 16dc2e4..b3a6e0b 100644 --- a/krb5.spec +++ b/krb5.spec @@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.17 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces) -Release: 18%{?dist} +Release: 19%{?dist} # lookaside-cached sources; two downloads and a build artifact Source0: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}%{prerelease}.tar.gz @@ -94,6 +94,8 @@ Patch124: Simply-OpenSSL-PKCS7-decryption-code.patch Patch125: Improve-error-messages-from-kadmin-change_password.patch Patch126: Remove-more-dead-code.patch Patch127: krb5-1.17post1-FIPS-with-PRNG-and-SPAKE.patch +Patch128: Remove-checksum-type-profile-variables.patch +Patch129: Remove-dead-variable-def_kslist-from-two-files.patch License: MIT URL: http://web.mit.edu/kerberos/www/ @@ -700,6 +702,9 @@ exit 0 %{_libdir}/libkadm5srv_mit.so.* %changelog +* Tue May 14 2019 Robbie Harwood - 1.17-19 +- Remove checksum type profile variables + * Fri May 10 2019 Robbie Harwood - 1.17-18 - Pull in 2019-05-02 static analysis updates