From 56d39b6273db22f9f2a625cc3a4433e5c03ee9ff Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Fri, 22 Apr 2022 10:09:30 +0000
Subject: [PATCH] import krb5-1.18.2-17.el8
---
 ...nstead-of-SHA1-for-PKINIT-CMS-digest.patch | 124 +++++++
 ...orced-dejagnu-path-naming-convention.patch | 342 ++++++++++++++++++
 SPECS/krb5.spec | 10 +-
 3 files changed, 474 insertions(+), 2 deletions(-)
 create mode 100644 SOURCES/Use-SHA256-instead-of-SHA1-for-PKINIT-CMS-digest.patch
 create mode 100644 SOURCES/downstream-Use-newly-enforced-dejagnu-path-naming-convention.patch
diff --git a/SOURCES/Use-SHA256-instead-of-SHA1-for-PKINIT-CMS-digest.patch b/SOURCES/Use-SHA256-instead-of-SHA1-for-PKINIT-CMS-digest.patch
new file mode 100644
index 0000000..9d0939f
--- /dev/null
+++ b/SOURCES/Use-SHA256-instead-of-SHA1-for-PKINIT-CMS-digest.patch
@@ -0,0 +1,124 @@
+From baa2a485190d1b31f3dae06a18dc24d71dbe35bf Mon Sep 17 00:00:00 2001
+From: Julien Rische
+Date: Fri, 11 Mar 2022 12:04:14 +0100
+Subject: [PATCH] Use SHA-256 instead of SHA-1 for PKINIT CMS digest
+
+Various organizations including NIST have been strongly recommending to
+stop using SHA-1 for digital signatures for some years already. CMS
+digest is used to generate such signatures, hence it should be upgraded
+to use SHA-256.
+---
+ .../preauth/pkinit/pkinit_crypto_openssl.c | 40 ++++++++++---------
+ 1 file changed, 22 insertions(+), 18 deletions(-)
+
+diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+index dbb054378..32291e3ac 100644
+--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
++++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+@@ -1234,7 +1234,7 @@ cms_signeddata_create(krb5_context context,
+ /* will not fill-out EVP_PKEY because it's on the smartcard */
+
+ /* Set digest algs */
+- p7si->digest_alg->algorithm = OBJ_nid2obj(NID_sha1);
++ p7si->digest_alg->algorithm = OBJ_nid2obj(NID_sha256);
+
+ if (p7si->digest_alg->parameter != NULL)
+ ASN1_TYPE_free(p7si->digest_alg->parameter);
+@@ -1245,17 +1245,18 @@ cms_signeddata_create(krb5_context context,
+ /* Set sig algs */
+ if (p7si->digest_enc_alg->parameter != NULL)
+ ASN1_TYPE_free(p7si->digest_enc_alg->parameter);
+- p7si->digest_enc_alg->algorithm = OBJ_nid2obj(NID_sha1WithRSAEncryption);
++ p7si->digest_enc_alg->algorithm =
++ OBJ_nid2obj(NID_sha256WithRSAEncryption);
+ if (!(p7si->digest_enc_alg->parameter = ASN1_TYPE_new()))
+ goto cleanup;
+ p7si->digest_enc_alg->parameter->type = V_ASN1_NULL;
+
+ /* add signed attributes */
+- /* compute sha1 digest over the EncapsulatedContentInfo */
++ /* compute sha256 digest over the EncapsulatedContentInfo */
+ ctx = EVP_MD_CTX_new();
+ if (ctx == NULL)
+ goto cleanup;
+- EVP_DigestInit_ex(ctx, EVP_sha1(), NULL);
++ EVP_DigestInit_ex(ctx, EVP_sha256(), NULL);
+ EVP_DigestUpdate(ctx, data, data_len);
+ md_tmp = EVP_MD_CTX_md(ctx);
+ EVP_DigestFinal_ex(ctx, md_data, &md_len);
+@@ -1283,12 +1284,14 @@ cms_signeddata_create(krb5_context context,
+ goto cleanup2;
+
+ #ifndef WITHOUT_PKCS11
+- /* Some tokens can only do RSAEncryption without sha1 hash */
+- /* to compute sha1WithRSAEncryption, encode the algorithm ID for the hash
+- * function and the hash value into an ASN.1 value of type DigestInfo
+- * DigestInfo::=SEQUENCE {
+- * digestAlgorithm AlgorithmIdentifier,
+- * digest OCTET STRING }
++ /*
++ * Some tokens can only do RSAEncryption without a hash. To compute
++ * sha256WithRSAEncryption, encode the algorithm ID for the hash
++ * function and the hash value into an ASN.1 value of type DigestInfo:
++ * DigestInfo ::= SEQUENCE {
++ * digestAlgorithm AlgorithmIdentifier,
++ * digest OCTET STRING
++ * }
+ */
+ if (id_cryptoctx->pkcs11_method == 1 &&
+ id_cryptoctx->mech == CKM_RSA_PKCS) {
+@@ -1304,7 +1307,7 @@ cms_signeddata_create(krb5_context context,
+ alg = X509_ALGOR_new();
+ if (alg == NULL)
+ goto cleanup2;
+- X509_ALGOR_set0(alg, OBJ_nid2obj(NID_sha1), V_ASN1_NULL, NULL);
++ X509_ALGOR_set0(alg, OBJ_nid2obj(NID_sha256), V_ASN1_NULL, NULL);
+ alg_len = i2d_X509_ALGOR(alg, NULL);
+
+ digest = ASN1_OCTET_STRING_new();
+@@ -1333,7 +1336,7 @@ cms_signeddata_create(krb5_context context,
+ #endif
+ {
+ pkiDebug("mech = %s\n",
+- id_cryptoctx->pkcs11_method == 1 ? "CKM_SHA1_RSA_PKCS" : "FS");
++ id_cryptoctx->pkcs11_method == 1 ? "CKM_SHA256_RSA_PKCS" : "FS");
+ retval = pkinit_sign_data(context, id_cryptoctx, abuf, alen,
+ &sig, &sig_len);
+ }
+@@ -4147,7 +4150,7 @@ create_signature(unsigned char **sig, unsigned int *sig_len,
+ ctx = EVP_MD_CTX_new();
+ if (ctx == NULL)
+ return ENOMEM;
+- EVP_SignInit(ctx, EVP_sha1());
++ EVP_SignInit(ctx, EVP_sha256());
+ EVP_SignUpdate(ctx, data, data_len);
+ *sig_len = EVP_PKEY_size(pkey);
+ if ((*sig = malloc(*sig_len)) == NULL)
+@@ -4623,10 +4626,11 @@ pkinit_get_certs_pkcs11(krb5_context context,
+
+ #ifndef PKINIT_USE_MECH_LIST
+ /*
+- * We'd like to use CKM_SHA1_RSA_PKCS for signing if it's available, but
+- * many cards seems to be confused about whether they are capable of
+- * this or not. The safe thing seems to be to ignore the mechanism list,
+- * always use CKM_RSA_PKCS and calculate the sha1 digest ourselves.
++ * We'd like to use CKM_SHA256_RSA_PKCS for signing if it's available, but
++ * historically many cards seem to be confused about whether they are
++ * capable of mechanisms or not. The safe thing seems to be to ignore the
++ * mechanism list, always use CKM_RSA_PKCS and calculate the sha256 digest
++ * ourselves.
+ */
+
+ id_cryptoctx->mech = CKM_RSA_PKCS;
+@@ -4654,7 +4658,7 @@ pkinit_get_certs_pkcs11(krb5_context context,
+ if (mechp[i] == CKM_RSA_PKCS) {
+ /* This seems backwards... */
+ id_cryptoctx->mech =
+- (info.flags & CKF_SIGN) ? CKM_SHA1_RSA_PKCS : CKM_RSA_PKCS;
++ (info.flags & CKF_SIGN) ? CKM_SHA256_RSA_PKCS : CKM_RSA_PKCS;
+ }
+ }
+ free(mechp);
+--
+2.35.1
+
diff --git a/SOURCES/downstream-Use-newly-enforced-dejagnu-path-naming-convention.patch b/SOURCES/downstream-Use-newly-enforced-dejagnu-path-naming-convention.patch
new file mode 100644
index 0000000..3b8ccec
--- /dev/null
+++ b/SOURCES/downstream-Use-newly-enforced-dejagnu-path-naming-convention.patch
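Review bot: The new `EVP_DigestInit_ex(ctx, EVP_sha256(), NULL);` in cms_signeddata_create and `EVP_SignInit(ctx, EVP_sha256());` in create_signature still discard their return values, so a failed digest setup could leave the digest unset before it is signed; a check such as `if (!EVP_DigestInit_ex(ctx, EVP_sha256(), NULL)) goto cleanup;` (with whichever label releases `ctx`, not visible here) makes the signing path fail closed. `EVP_DigestFinal_ex(ctx, md_data, &md_len)` now writes 32 bytes rather than 20, and `md_data` is declared outside these hunks, so its size should be confirmed. In the `PKINIT_USE_MECH_LIST` branch, `CKM_SHA256_RSA_PKCS` is selected while examining the `CKM_RSA_PKCS` entry; from the visible lines the token's mechanism list does not appear to be checked for `CKM_SHA256_RSA_PKCS` itself, and a comment stating that assumption would help. All three functions continue outside the hunks shown.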
@@ -0,0 +1,342 @@
+From cc1cd235a6a8c066531a17d5773f601455bedb52 Mon Sep 17 00:00:00 2001
+From: Julien Rische
+Date: Thu, 31 Mar 2022 18:24:39 +0200
+Subject: [PATCH] Use newly enforced dejagnu path naming convention
+
+Since version 1.6.3, dejagnu started to enforce a naming convention that
+was already in place, but not mandatory: dejagnu test directories have
+to be named "testsuite". If they don't implicit relative sub-paths
+resolution (e.g. "lib", "config") is not forking.
+
+This commit renames kadm5 library's unit tests directory to match this
+requirement.
+
+Resolves: rhbz#2070879
+
+Signed-off-by: Julien Rische
+---
+ src/configure.ac | 2 +-
+ src/lib/kadm5/Makefile.in | 2 +-
+ .../{unit-test => testsuite}/Makefile.in | 28 +++++++++----------
+ .../api.2/crte-policy.exp | 0
+ .../api.2/get-policy.exp | 0
+ .../api.2/mod-policy.exp | 0
+ .../api.current/chpass-principal-v2.exp | 0
+ .../api.current/chpass-principal.exp | 0
+ .../api.current/crte-policy.exp | 0
+ .../api.current/crte-principal.exp | 0
+ .../api.current/destroy.exp | 0
+ .../api.current/dlte-policy.exp | 0
+ .../api.current/dlte-principal.exp | 0
+ .../api.current/get-policy.exp | 0
+ .../api.current/get-principal-v2.exp | 0
+ .../api.current/get-principal.exp | 0
+ .../api.current/init-v2.exp | 0
+ .../api.current/init.exp | 0
+ .../api.current/mod-policy.exp | 0
+ .../api.current/mod-principal-v2.exp | 0
+ .../api.current/mod-principal.exp | 0
+ .../api.current/randkey-principal-v2.exp | 0
+ .../api.current/randkey-principal.exp | 0
+ .../{unit-test => testsuite}/config/unix.exp | 0
+ src/lib/kadm5/{unit-test => testsuite}/deps | 0
+ .../{unit-test => testsuite}/destroy-test.c | 0
+ .../diff-files/destroy-1 | 0
+ .../diff-files/no-diffs | 0
+ .../{unit-test => testsuite}/handle-test.c | 0
+ .../{unit-test => testsuite}/init-test.c | 0
+ .../{unit-test => testsuite}/iter-test.c | 0
+ .../kadm5/{unit-test => testsuite}/lib/lib.t | 2 +-
+ .../{unit-test => testsuite}/lock-test.c | 0
+ .../{unit-test => testsuite}/randkey-test.c | 0
+ .../{unit-test => testsuite}/setkey-test.c | 0
+ .../kadm5/{unit-test => testsuite}/site.exp | 0
+ 36 files changed, 17 insertions(+), 17 deletions(-)
+ rename src/lib/kadm5/{unit-test => testsuite}/Makefile.in (86%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.2/crte-policy.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.2/get-policy.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.2/mod-policy.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/chpass-principal-v2.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/chpass-principal.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/crte-policy.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/crte-principal.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/destroy.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/dlte-policy.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/dlte-principal.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/get-policy.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/get-principal-v2.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/get-principal.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/init-v2.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/init.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/mod-policy.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/mod-principal-v2.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/mod-principal.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/randkey-principal-v2.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/randkey-principal.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/config/unix.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/deps (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/destroy-test.c (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/diff-files/destroy-1 (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/diff-files/no-diffs (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/handle-test.c (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/init-test.c (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/iter-test.c (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/lib/lib.t (99%)
+ rename src/lib/kadm5/{unit-test => testsuite}/lock-test.c (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/randkey-test.c (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/setkey-test.c (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/site.exp (100%)
+
+diff --git a/src/configure.ac b/src/configure.ac
+index 29be532cb..37e36b76d 100644
+--- a/src/configure.ac
++++ b/src/configure.ac
+@@ -1499,7 +1499,7 @@ V5_AC_OUTPUT_MAKEFILE(.
+
+ lib/rpc lib/rpc/unit-test
+
+- lib/kadm5 lib/kadm5/clnt lib/kadm5/srv lib/kadm5/unit-test
++ lib/kadm5 lib/kadm5/clnt lib/kadm5/srv lib/kadm5/testsuite
+ lib/krad
+ lib/apputils
+
+diff --git a/src/lib/kadm5/Makefile.in b/src/lib/kadm5/Makefile.in
+index c4eaad38d..76fc4b548 100644
+--- a/src/lib/kadm5/Makefile.in
++++ b/src/lib/kadm5/Makefile.in
+@@ -1,6 +1,6 @@
+ mydir=lib$(S)kadm5
+ BUILDTOP=$(REL)..$(S)..
+-SUBDIRS = clnt srv unit-test
++SUBDIRS = clnt srv testsuite
+
+ ##DOSBUILDTOP = ..\..
+
+diff --git a/src/lib/kadm5/unit-test/Makefile.in b/src/lib/kadm5/testsuite/Makefile.in
+similarity index 86%
+rename from src/lib/kadm5/unit-test/Makefile.in
+rename to src/lib/kadm5/testsuite/Makefile.in
+index 68fa097ff..5a55b786b 100644
+--- a/src/lib/kadm5/unit-test/Makefile.in
++++ b/src/lib/kadm5/testsuite/Makefile.in
+@@ -1,4 +1,4 @@
+-mydir=lib$(S)kadm5$(S)unit-test
++mydir=lib$(S)kadm5$(S)testsuite
+ BUILDTOP=$(REL)..$(S)..$(S)..
+ KDB_DEP_LIB=$(DL_LIB) $(THREAD_LINKOPTS)
+
+@@ -61,7 +61,7 @@ runenv.exp: Makefile
+ eval echo "set env\($$i\) \$$$$i"; done > runenv.exp
+
+ #
+-# The unit-test targets
++# The testsuite targets
+ #
+
+ check: check-@DO_TEST@
+@@ -72,13 +72,13 @@ check-:
+ @echo "+++ Either tcl, runtest, or Perl is unavailable."
+ @echo "+++"
+
+-check-ok unit-test: unit-test-client unit-test-server
++check-ok testsuite: testsuite-client testsuite-server
+
+-unit-test-client: unit-test-client-setup unit-test-client-body \
+- unit-test-client-cleanup
++testsuite-client: testsuite-client-setup testsuite-client-body \
++ testsuite-client-cleanup
+
+-unit-test-server: unit-test-server-setup unit-test-server-body \
+- unit-test-server-cleanup
++testsuite-server: testsuite-server-setup testsuite-server-body \
++ testsuite-server-cleanup
+
+ test-randkey: randkey-test
+ $(ENV_SETUP) $(VALGRIND) ./randkey-test
+@@ -98,19 +98,19 @@ test-destroy: destroy-test
+ test-setkey-client: client-setkey-test
+ $(ENV_SETUP) $(VALGRIND) ./client-setkey-test testkeys admin admin
+
+-unit-test-client-setup: runenv.sh
++testsuite-client-setup: runenv.sh
+ $(ENV_SETUP) $(VALGRIND) $(START_SERVERS)
+
+-unit-test-client-cleanup:
++testsuite-client-cleanup:
+ $(ENV_SETUP) $(STOP_SERVERS)
+
+-unit-test-server-setup: runenv.sh
++testsuite-server-setup: runenv.sh
+ $(ENV_SETUP) $(VALGRIND) $(START_SERVERS_LOCAL)
+
+-unit-test-server-cleanup:
++testsuite-server-cleanup:
+ $(ENV_SETUP) $(STOP_SERVERS_LOCAL)
+
+-unit-test-client-body: site.exp test-noauth test-destroy test-handle-client \
++testsuite-client-body: site.exp test-noauth test-destroy test-handle-client \
+ test-setkey-client runenv.exp
+ $(ENV_SETUP) $(RUNTEST) --tool api RPC=1 API=$(CLNTTCL) \
+ KINIT=$(BUILDTOP)/clients/kinit/kinit \
+@@ -121,7 +121,7 @@ unit-test-client-body: site.exp test-noauth test-destroy test-handle-client \
+ -mv api.log capi.log
+ -mv api.sum capi.sum
+
+-unit-test-server-body: site.exp test-handle-server lock-test
++testsuite-server-body: site.exp test-handle-server lock-test
+ $(ENV_SETUP) $(RUNTEST) --tool api RPC=0 API=$(SRVTCL) \
+ LOCKTEST=./lock-test \
+ KADMIN_LOCAL=$(BUILDTOP)/kadmin/cli/kadmin.local \
+@@ -140,4 +140,4 @@ clean:
+ $(RM) lock-test lock-test.o
+ $(RM) server-iter-test iter-test.o
+ $(RM) server-setkey-test client-setkey-test setkey-test.o
+- $(RM) *.log *.plog *.sum *.psum unit-test-log.* runenv.exp
++ $(RM) *.log *.plog *.sum *.psum testsuite-log.* runenv.exp
+diff --git a/src/lib/kadm5/unit-test/api.2/crte-policy.exp b/src/lib/kadm5/testsuite/api.2/crte-policy.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.2/crte-policy.exp
+rename to src/lib/kadm5/testsuite/api.2/crte-policy.exp
+diff --git a/src/lib/kadm5/unit-test/api.2/get-policy.exp b/src/lib/kadm5/testsuite/api.2/get-policy.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.2/get-policy.exp
+rename to src/lib/kadm5/testsuite/api.2/get-policy.exp
+diff --git a/src/lib/kadm5/unit-test/api.2/mod-policy.exp b/src/lib/kadm5/testsuite/api.2/mod-policy.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.2/mod-policy.exp
+rename to src/lib/kadm5/testsuite/api.2/mod-policy.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp b/src/lib/kadm5/testsuite/api.current/chpass-principal-v2.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp
+rename to src/lib/kadm5/testsuite/api.current/chpass-principal-v2.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/chpass-principal.exp b/src/lib/kadm5/testsuite/api.current/chpass-principal.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/chpass-principal.exp
+rename to src/lib/kadm5/testsuite/api.current/chpass-principal.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/crte-policy.exp b/src/lib/kadm5/testsuite/api.current/crte-policy.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/crte-policy.exp
+rename to src/lib/kadm5/testsuite/api.current/crte-policy.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/crte-principal.exp b/src/lib/kadm5/testsuite/api.current/crte-principal.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/crte-principal.exp
+rename to src/lib/kadm5/testsuite/api.current/crte-principal.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/destroy.exp b/src/lib/kadm5/testsuite/api.current/destroy.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/destroy.exp
+rename to src/lib/kadm5/testsuite/api.current/destroy.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/dlte-policy.exp b/src/lib/kadm5/testsuite/api.current/dlte-policy.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/dlte-policy.exp
+rename to src/lib/kadm5/testsuite/api.current/dlte-policy.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/dlte-principal.exp b/src/lib/kadm5/testsuite/api.current/dlte-principal.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/dlte-principal.exp
+rename to src/lib/kadm5/testsuite/api.current/dlte-principal.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/get-policy.exp b/src/lib/kadm5/testsuite/api.current/get-policy.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/get-policy.exp
+rename to src/lib/kadm5/testsuite/api.current/get-policy.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/get-principal-v2.exp b/src/lib/kadm5/testsuite/api.current/get-principal-v2.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/get-principal-v2.exp
+rename to src/lib/kadm5/testsuite/api.current/get-principal-v2.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/get-principal.exp b/src/lib/kadm5/testsuite/api.current/get-principal.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/get-principal.exp
+rename to src/lib/kadm5/testsuite/api.current/get-principal.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/init-v2.exp b/src/lib/kadm5/testsuite/api.current/init-v2.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/init-v2.exp
+rename to src/lib/kadm5/testsuite/api.current/init-v2.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/init.exp b/src/lib/kadm5/testsuite/api.current/init.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/init.exp
+rename to src/lib/kadm5/testsuite/api.current/init.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/mod-policy.exp b/src/lib/kadm5/testsuite/api.current/mod-policy.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/mod-policy.exp
+rename to src/lib/kadm5/testsuite/api.current/mod-policy.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/mod-principal-v2.exp b/src/lib/kadm5/testsuite/api.current/mod-principal-v2.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/mod-principal-v2.exp
+rename to src/lib/kadm5/testsuite/api.current/mod-principal-v2.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/mod-principal.exp b/src/lib/kadm5/testsuite/api.current/mod-principal.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/mod-principal.exp
+rename to src/lib/kadm5/testsuite/api.current/mod-principal.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/randkey-principal-v2.exp b/src/lib/kadm5/testsuite/api.current/randkey-principal-v2.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/randkey-principal-v2.exp
+rename to src/lib/kadm5/testsuite/api.current/randkey-principal-v2.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/randkey-principal.exp b/src/lib/kadm5/testsuite/api.current/randkey-principal.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/randkey-principal.exp
+rename to src/lib/kadm5/testsuite/api.current/randkey-principal.exp
+diff --git a/src/lib/kadm5/unit-test/config/unix.exp b/src/lib/kadm5/testsuite/config/unix.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/config/unix.exp
+rename to src/lib/kadm5/testsuite/config/unix.exp
+diff --git a/src/lib/kadm5/unit-test/deps b/src/lib/kadm5/testsuite/deps
+similarity index 100%
+rename from src/lib/kadm5/unit-test/deps
+rename to src/lib/kadm5/testsuite/deps
+diff --git a/src/lib/kadm5/unit-test/destroy-test.c b/src/lib/kadm5/testsuite/destroy-test.c
+similarity index 100%
+rename from src/lib/kadm5/unit-test/destroy-test.c
+rename to src/lib/kadm5/testsuite/destroy-test.c
+diff --git a/src/lib/kadm5/unit-test/diff-files/destroy-1 b/src/lib/kadm5/testsuite/diff-files/destroy-1
+similarity index 100%
+rename from src/lib/kadm5/unit-test/diff-files/destroy-1
+rename to src/lib/kadm5/testsuite/diff-files/destroy-1
+diff --git a/src/lib/kadm5/unit-test/diff-files/no-diffs b/src/lib/kadm5/testsuite/diff-files/no-diffs
+similarity index 100%
+rename from src/lib/kadm5/unit-test/diff-files/no-diffs
+rename to src/lib/kadm5/testsuite/diff-files/no-diffs
+diff --git a/src/lib/kadm5/unit-test/handle-test.c b/src/lib/kadm5/testsuite/handle-test.c
+similarity index 100%
+rename from src/lib/kadm5/unit-test/handle-test.c
+rename to src/lib/kadm5/testsuite/handle-test.c
+diff --git a/src/lib/kadm5/unit-test/init-test.c b/src/lib/kadm5/testsuite/init-test.c
+similarity index 100%
+rename from src/lib/kadm5/unit-test/init-test.c
+rename to src/lib/kadm5/testsuite/init-test.c
+diff --git a/src/lib/kadm5/unit-test/iter-test.c b/src/lib/kadm5/testsuite/iter-test.c
+similarity index 100%
+rename from src/lib/kadm5/unit-test/iter-test.c
+rename to src/lib/kadm5/testsuite/iter-test.c
+diff --git a/src/lib/kadm5/unit-test/lib/lib.t b/src/lib/kadm5/testsuite/lib/lib.t
+similarity index 99%
+rename from src/lib/kadm5/unit-test/lib/lib.t
+rename to src/lib/kadm5/testsuite/lib/lib.t
+index 3444775cf..327946849 100644
+--- a/src/lib/kadm5/unit-test/lib/lib.t
++++ b/src/lib/kadm5/testsuite/lib/lib.t
+@@ -226,7 +226,7 @@ proc end_dump_compare {name} {
+ global RPC
+
+ if { ! $RPC } {
+-# set file $TOP/admin/lib/unit-test/diff-files/$name
++# set file $TOP/admin/lib/testsuite/diff-files/$name
+ # exec $env(SIMPLE_DUMP) > /tmp/dump.after
+ # exec $env(COMPARE_DUMP) /tmp/dump.before /tmp/dump.after $file
+ }
+diff --git a/src/lib/kadm5/unit-test/lock-test.c b/src/lib/kadm5/testsuite/lock-test.c
+similarity index 100%
+rename from src/lib/kadm5/unit-test/lock-test.c
+rename to src/lib/kadm5/testsuite/lock-test.c
+diff --git a/src/lib/kadm5/unit-test/randkey-test.c b/src/lib/kadm5/testsuite/randkey-test.c
+similarity index 100%
+rename from src/lib/kadm5/unit-test/randkey-test.c
+rename to src/lib/kadm5/testsuite/randkey-test.c
+diff --git a/src/lib/kadm5/unit-test/setkey-test.c b/src/lib/kadm5/testsuite/setkey-test.c
+similarity index 100%
+rename from src/lib/kadm5/unit-test/setkey-test.c
+rename to src/lib/kadm5/testsuite/setkey-test.c
+diff --git a/src/lib/kadm5/unit-test/site.exp b/src/lib/kadm5/testsuite/site.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/site.exp
+rename to src/lib/kadm5/testsuite/site.exp
+--
+2.35.1
+
diff --git a/SPECS/krb5.spec b/SPECS/krb5.spec
index 5e13c23..d969a61 100644
--- a/SPECS/krb5.spec
+++ b/SPECS/krb5.spec
@@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.18.2
 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
-Release: 14%{?dist}
+Release: 17%{?dist}
 
 # lookaside-cached sources; two downloads and a build artifact
 Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz
@@ -86,6 +86,8 @@ Patch140: Use-KCM_OP_RETRIEVE-in-KCM-client.patch
 Patch141: Fix-KCM-retrieval-support-for-sssd.patch
 Patch142: Fix-KDC-null-deref-on-bad-encrypted-challenge.patch
 Patch143: Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch
+Patch144: Use-SHA256-instead-of-SHA1-for-PKINIT-CMS-digest.patch
+Patch145: downstream-Use-newly-enforced-dejagnu-path-naming-convention.patch
 
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -291,7 +293,7 @@ popd
 # builds going on the same host don't step on each other.
 cfg="src/kadmin/testing/proto/kdc.conf.proto \
 src/kadmin/testing/proto/krb5.conf.proto \
- src/lib/kadm5/unit-test/api.current/init-v2.exp \
+ src/lib/kadm5/testsuite/api.current/init-v2.exp \
 src/util/k5test.py"
 LONG_BIT=`getconf LONG_BIT`
 PORT=`expr 61000 + $LONG_BIT - 48`
@@ -696,6 +698,10 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*
 
 %changelog
+* Mon Mar 21 2022 Julien Rische - 1.18.2-15
+- Backport usage of SHA-256 instead of SHA-1 for PKINIT CMS digest
+- Resolves: #2066316
+
 * Wed Aug 25 2021 Robbie Harwood - 1.18.2-14
 - Fix KDC null deref on TGS inner body null server (CVE-2021-37750)
 - Resolves: #1997601
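Review bot: `Patch145` is declared in this hunk and `Release` goes from 14 to 17, but the `%changelog` hunk adds only a 1.18.2-15 entry for the SHA-256 backport, so the dejagnu rename patch and releases 16 and 17 have no changelog record. An entry naming that patch and the bug its header cites (`- Resolves: #2070879`) would keep each shipped change traceable from the package metadata. Whether both new patches are applied in `%prep` is not visible in these hunks.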