From 710f626f12ede3d343fe5dc32214b8d2afea9099 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Fri, 31 Jul 2020 13:31:53 -0400 Subject: [PATCH] Revert qualify_shortname changes --- Add-channel-bindings-tests.patch | 2 +- ...client_aware_channel_bindings-option.patch | 6 +- ...ss_unwrap_iov-of-unpadded-RC4-tokens.patch | 2 +- ...ns_canonicalize_hostname-to-fallback.patch | 371 ------------------ ...-enctypes-in-krb5_string_to_keysalts.patch | 2 +- Implement-GSS_C_CHANNEL_BOUND_FLAG.patch | 2 +- ...ment-KERB_AP_OPTIONS_CBT-server-side.patch | 2 +- Improve-negoex_parse_token-code-hygiene.patch | 2 +- ...SER-if-we-can-t-compute-its-checksum.patch | 2 +- Pass-channel-bindings-through-SPNEGO.patch | 2 +- Refactor-krb5-GSS-checksum-handling.patch | 2 +- Remove-resolver-test-utility.patch | 2 +- ...eues-for-concurrent-t_otp.py-daemons.patch | 2 +- krb5.spec | 6 +- 14 files changed, 18 insertions(+), 387 deletions(-) delete mode 100644 Default-dns_canonicalize_hostname-to-fallback.patch diff --git a/Add-channel-bindings-tests.patch b/Add-channel-bindings-tests.patch index b758c79..a152fa2 100644 --- a/Add-channel-bindings-tests.patch +++ b/Add-channel-bindings-tests.patch @@ -1,4 +1,4 @@ -From 3e92520c1417f22447751cd9172d5ab30c2e0ad8 Mon Sep 17 00:00:00 2001 +From 5f98c9d9ff16f3760ac26304cfdb87bf53bc8628 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Fri, 20 Mar 2020 00:17:28 +0100 Subject: [PATCH] Add channel bindings tests diff --git a/Add-client_aware_channel_bindings-option.patch b/Add-client_aware_channel_bindings-option.patch index 012ce8d..e8b5374 100644 --- a/Add-client_aware_channel_bindings-option.patch +++ b/Add-client_aware_channel_bindings-option.patch @@ -1,4 +1,4 @@ -From 2a08fe3d2d1972df4ffe37d4bb64b161889ff988 Mon Sep 17 00:00:00 2001 +From bb7425941f5d84a53e30721c20fbfc714157f082 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Tue, 10 Mar 2020 13:13:17 +0100 Subject: [PATCH] Add client_aware_channel_bindings option @@ -20,10 +20,10 @@ ticket: 8900 3 files changed, 98 insertions(+), 86 deletions(-) diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst -index a7e7a29d1..7f2879640 100644 +index 1d2aa7f68..1d8ffc1e4 100644 --- a/doc/admin/conf_files/krb5_conf.rst +++ b/doc/admin/conf_files/krb5_conf.rst -@@ -382,6 +382,12 @@ The libdefaults section may contain any of the following relations: +@@ -383,6 +383,12 @@ The libdefaults section may contain any of the following relations: credentials will fail if the client machine does not have a keytab. The default value is false. diff --git a/Allow-gss_unwrap_iov-of-unpadded-RC4-tokens.patch b/Allow-gss_unwrap_iov-of-unpadded-RC4-tokens.patch index 4698963..716fa8a 100644 --- a/Allow-gss_unwrap_iov-of-unpadded-RC4-tokens.patch +++ b/Allow-gss_unwrap_iov-of-unpadded-RC4-tokens.patch @@ -1,4 +1,4 @@ -From bedbb5ee1ad821b91f00d30361985e6863c0e6ba Mon Sep 17 00:00:00 2001 +From 297857dec4f82a802caa734670b57f0a18d942e2 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Sat, 11 Jul 2020 21:57:30 -0400 Subject: [PATCH] Allow gss_unwrap_iov() of unpadded RC4 tokens diff --git a/Default-dns_canonicalize_hostname-to-fallback.patch b/Default-dns_canonicalize_hostname-to-fallback.patch deleted file mode 100644 index ef80329..0000000 --- a/Default-dns_canonicalize_hostname-to-fallback.patch +++ /dev/null @@ -1,371 +0,0 @@ -From 07179e38e5ee72e82ebc77a1c8d73e34905268b7 Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Wed, 27 May 2020 18:48:35 -0400 -Subject: [PATCH] Default dns_canonicalize_hostname to "fallback" - -This change should mitigate some of the pain caused by the rdns=true -default (generally associated with unwanted PTR records that cannot -easily be changed), with a minimum of fallout. - -Update the documentation and tests accordingly. In test environments, -disable qualify_shortname and use the uncanonicalized system hostname -(lowercased) to match the initial sn2princ result. - -ticket: 8911 (new) ---- - doc/admin/appl_servers.rst | 14 +++--- - doc/admin/conf_files/krb5_conf.rst | 9 ++-- - doc/admin/princ_dns.rst | 44 +++++++++++-------- - src/kadmin/testing/proto/krb5.conf.proto | 8 ++-- - src/kadmin/testing/scripts/env-setup.shin | 4 +- - src/kadmin/testing/scripts/init_db | 3 +- - src/kadmin/testing/scripts/start_servers | 3 +- - .../testing/scripts/start_servers_local | 2 +- - .../kadm5/unit-test/api.current/init-v2.exp | 6 +-- - src/lib/krb5/krb/init_ctx.c | 2 +- - src/tests/dejagnu/config/default.exp | 5 +-- - src/tests/t_sn2princ.py | 5 ++- - src/util/k5test.py | 25 +++-------- - 13 files changed, 58 insertions(+), 72 deletions(-) - -diff --git a/doc/admin/appl_servers.rst b/doc/admin/appl_servers.rst -index 5232db9af..afdf30297 100644 ---- a/doc/admin/appl_servers.rst -+++ b/doc/admin/appl_servers.rst -@@ -115,14 +115,12 @@ Getting DNS information correct - ------------------------------- - - Several aspects of Kerberos rely on name service. When a hostname is --used to name a service, the Kerberos library canonicalizes the --hostname using forward and reverse name resolution. (The reverse name --resolution step can be turned off using the **rdns** variable in --:ref:`libdefaults`.) The result of this canonicalization must match --the principal entry in the host's keytab, or authentication will fail. -- --Each host's canonical name must be the fully-qualified host name --(including the domain), and each host's IP address must -+used to name a service, clients may canonicalize the hostname using -+forward and possibly reverse name resolution. The result of this -+canonicalization must match the principal entry in the host's keytab, -+or authentication will fail. To work with all client canonicalization -+configurations, each host's canonical name must be the fully-qualified -+host name (including the domain), and each host's IP address must - reverse-resolve to the canonical name. - - Configuration of hostnames varies by operating system. On the -diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst -index 1d2aa7f68..a7e7a29d1 100644 ---- a/doc/admin/conf_files/krb5_conf.rst -+++ b/doc/admin/conf_files/krb5_conf.rst -@@ -188,11 +188,10 @@ The libdefaults section may contain any of the following relations: - hostnames for use in service principal names. Setting this flag - to false can improve security by reducing reliance on DNS, but - means that short hostnames will not be canonicalized to -- fully-qualified hostnames. The default value is true. -- -- If this option is set to ``fallback`` (new in release 1.18), DNS -- canonicalization will only be performed the server hostname is not -- found with the original name when requesting credentials. -+ fully-qualified hostnames. If this option is set to ``fallback`` (new -+ in release 1.18), DNS canonicalization will only be performed the -+ server hostname is not found with the original name when -+ requesting credentials. The default value is ``fallback``. - - **dns_lookup_kdc** - Indicate whether DNS SRV records should be used to locate the KDCs -diff --git a/doc/admin/princ_dns.rst b/doc/admin/princ_dns.rst -index e1d823f27..32a269afc 100644 ---- a/doc/admin/princ_dns.rst -+++ b/doc/admin/princ_dns.rst -@@ -31,27 +31,35 @@ based on rotating ``CNAME`` records in DNS. - Service principal canonicalization - ---------------------------------- - --MIT Kerberos clients currently always do forward resolution (looking --up the IPv4 and possibly IPv6 addresses using ``getaddrinfo()``) of --the hostname part of a host-based service principal to canonicalize --the hostname. They obtain the "canonical" name of the host when doing --so. By default, MIT Kerberos clients will also then do reverse DNS --resolution (looking up the hostname associated with the IPv4 or IPv6 --address using ``getnameinfo()``) of the hostname. Using the --:ref:`krb5.conf(5)` setting:: -+In the MIT krb5 client library, canonicalization of host-based service -+principals is controlled by the **dns_canonicalize_hostname**, -+**rnds**, and **qualify_shortname** variables in :ref:`libdefaults`. - -- [libdefaults] -- rdns = false -+If **dns_canonicalize_hostname** is set to ``true`` (the default value -+before release 1.19), the client performs forward resolution by -+looking up the IPv4 and/or IPv6 addresses of the hostname using -+``getaddrinfo()``. This process will typically add a domain suffix to -+the hostname if needed, and follow CNAME records in the DNS. If -+**rdns** is also set to ``true`` (the default), the client will then -+perform a reverse lookup of the first returned Internet address using -+``getnameinfo()``, finding the name associated with the PTR record. - --will disable reverse DNS lookup on clients. The default setting is --"true". -+If **dns_canonicalize_hostname** is set to ``false``, the hostname is -+not canonicalized using DNS. If the hostname has only one component -+(i.e. it contains no "." characters), the host's primary DNS search -+domain will be appended, if there is one. The **qualify_shortname** -+variable can be used to override or disable this suffix. -+ -+If **dns_canonicalize_hostname** is set to ``fallback`` (the default -+value in release 1.19 and later), the hostname is initially treated -+according to the rules for ``dns_canonicalize_hostname=false``. If a -+ticket request fails because the service principal is unknown, it the -+hostname will be canonicalized according to the rules for -+``dns_canonicalize_hostname=true`` and the request will be retried. -+ -+In all cases, the hostname is converted to lowercase, and any trailing -+dot is removed. - --Operating system bugs may prevent a setting of ``rdns = false`` from --disabling reverse DNS lookup. Some versions of GNU libc have a bug in --``getaddrinfo()`` that cause them to look up ``PTR`` records even when --not required. MIT Kerberos releases krb5-1.10.2 and newer have a --workaround for this problem, as does the krb5-1.9.x series as of --release krb5-1.9.4. - - - Reverse DNS mismatches -diff --git a/src/kadmin/testing/proto/krb5.conf.proto b/src/kadmin/testing/proto/krb5.conf.proto -index e710852d4..c0af716a5 100644 ---- a/src/kadmin/testing/proto/krb5.conf.proto -+++ b/src/kadmin/testing/proto/krb5.conf.proto -@@ -2,19 +2,19 @@ - default_realm = __REALM__ - default_keytab_name = FILE:__K5ROOT__/keytab - dns_fallback = no -+ qualify_shortname = "" - plugin_base_dir = __PLUGIN_DIR__ - allow_weak_crypto = true - - [realms] - __REALM__ = { -- kdc = __KDCHOST__:1750 -- admin_server = __KDCHOST__:1751 -+ kdc = __HOSTNAME__:1750 -+ admin_server = __HOSTNAME__:1751 - database_module = foobar_db2_module_blah - } - - [domain_realm] -- __LOCALHOST__ = __REALM__ -- __KDCHOST__ = __REALM__ -+ __HOSTNAME__ = __REALM__ - - [logging] - admin_server = FILE:__K5ROOT__/syslog -diff --git a/src/kadmin/testing/scripts/env-setup.shin b/src/kadmin/testing/scripts/env-setup.shin -index 969c5340c..88f8ad1aa 100755 ---- a/src/kadmin/testing/scripts/env-setup.shin -+++ b/src/kadmin/testing/scripts/env-setup.shin -@@ -71,8 +71,8 @@ BSDDB_DUMP=$TESTDIR/util/bsddb_dump; export BSDDB_DUMP - CLNTTCL=$TESTDIR/util/kadm5_clnt_tcl; export CLNTTCL - SRVTCL=$TESTDIR/util/kadm5_srv_tcl; export SRVTCL - --QUALNAME=`$BUILDTOP/tests/resolve/resolve -q | tr '[A-Z]' '[a-z]'` --export QUALNAME -+HOSTNAME=`hostname | tr '[A-Z]' '[a-z]'` -+export HOSTNAME - - KRB5_CONFIG=$K5ROOT/krb5.conf; export KRB5_CONFIG - KRB5_KDC_PROFILE=$K5ROOT/kdc.conf; export KRB5_KDC_PROFILE -diff --git a/src/kadmin/testing/scripts/init_db b/src/kadmin/testing/scripts/init_db -index e65826c96..216f62793 100755 ---- a/src/kadmin/testing/scripts/init_db -+++ b/src/kadmin/testing/scripts/init_db -@@ -79,8 +79,7 @@ fi - # done - - sed -e "s/__REALM__/$REALM/g" -e "s#__K5ROOT__#$K5ROOT#g" \ -- -e "s/__KDCHOST__/$QUALNAME/g" \ -- -e "s/__LOCALHOST__/$QUALNAME/g" \ -+ -e "s/__HOSTNAME__/$HOSTNAME/g" \ - -e "s#__MODDIR__#$MODDIR#g" \ - < $STESTDIR/proto/krb5.conf.proto > $K5ROOT/krb5.conf - sed -e "s/__REALM__/$REALM/g" -e "s#__K5ROOT__#$K5ROOT#g" \ -diff --git a/src/kadmin/testing/scripts/start_servers b/src/kadmin/testing/scripts/start_servers -index f23df0682..05519e4ee 100755 ---- a/src/kadmin/testing/scripts/start_servers -+++ b/src/kadmin/testing/scripts/start_servers -@@ -36,8 +36,7 @@ if [ $local = 0 ]; then - - # Fix up the local krb5.conf to point to the remote - sed -e "s/__REALM__/$REALM/g" -e "s#__K5ROOT__#$K5ROOT#g" \ -- -e "s/__KDCHOST__/$hostname/g" \ -- -e "s/__LOCALHOST__/$QUALNAME/g" \ -+ -e "s/__HOSTNAME__/$HOSTNAME/g" \ - -e "s#__MODDIR__#$TOP/../plugins/kdb#g"\ - -e "s#__PLUGIN_DIR__#$TOP/../plugins#g"\ - < $STESTDIR/proto/krb5.conf.proto > $K5ROOT/krb5.conf -diff --git a/src/kadmin/testing/scripts/start_servers_local b/src/kadmin/testing/scripts/start_servers_local -index 998ef9164..858e88031 100755 ---- a/src/kadmin/testing/scripts/start_servers_local -+++ b/src/kadmin/testing/scripts/start_servers_local -@@ -79,7 +79,7 @@ cat - > /tmp/start_servers_local$$ <<\EOF - if { [catch { - source $env(STOP)/testing/tcl/util.t - set r $env(REALM) -- set q $env(QUALNAME) -+ set q $env(HOSTNAME) - puts stdout [kadm5_init $env(SRVTCL) mrroot null \ - [config_params {KADM5_CONFIG_REALM} $r] \ - $KADM5_STRUCT_VERSION $KADM5_API_VERSION_3 server_handle] -diff --git a/src/lib/kadm5/unit-test/api.current/init-v2.exp b/src/lib/kadm5/unit-test/api.current/init-v2.exp -index 7a353d4e9..47764c212 100644 ---- a/src/lib/kadm5/unit-test/api.current/init-v2.exp -+++ b/src/lib/kadm5/unit-test/api.current/init-v2.exp -@@ -3,18 +3,14 @@ load_lib lib.t - api_exit - api_start - --if ![info exists RESOLVE] { -- set RESOLVE [findfile $objdir/../../../tests/resolve/resolve] --} - proc get_hostname { } { -- global RESOLVE - global hostname - - if {[info exists hostname]} { - return 1 - } - -- catch "exec $RESOLVE -q >myname" exec_output -+ catch "exec hostname >myname" exec_output - if ![string match "" $exec_output] { - send_log "$exec_output\n" - verbose $exec_output -diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c -index 9a4741fa6..0b8ae6714 100644 ---- a/src/lib/krb5/krb/init_ctx.c -+++ b/src/lib/krb5/krb/init_ctx.c -@@ -237,7 +237,7 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags, - ctx->enforce_ok_as_delegate = tmp; - - retval = get_tristate(ctx, KRB5_CONF_DNS_CANONICALIZE_HOSTNAME, "fallback", -- CANONHOST_FALLBACK, 1, &tmp); -+ CANONHOST_FALLBACK, CANONHOST_FALLBACK, &tmp); - if (retval) - goto cleanup; - ctx->dns_canonicalize_hostname = tmp; -diff --git a/src/tests/dejagnu/config/default.exp b/src/tests/dejagnu/config/default.exp -index 4d8c917cd..1e7777f1e 100644 ---- a/src/tests/dejagnu/config/default.exp -+++ b/src/tests/dejagnu/config/default.exp -@@ -268,7 +268,6 @@ foreach i { - {KTUTIL $objdir/../../kadmin/ktutil/ktutil} - {KLIST $objdir/../../clients/klist/klist} - {KDESTROY $objdir/../../clients/kdestroy/kdestroy} -- {RESOLVE $objdir/../resolve/resolve} - {T_INETD $objdir/t_inetd} - {KPROPLOG $objdir/../../kprop/kproplog} - {KPASSWD $objdir/../../clients/kpasswd/kpasswd} -@@ -462,7 +461,6 @@ proc setup_runtime_env { } { - # 0 on failure. - - proc get_hostname { } { -- global RESOLVE - global hostname - global tmppwd - -@@ -472,7 +470,7 @@ proc get_hostname { } { - - envstack_push - setup_runtime_env -- catch "exec $RESOLVE -q >$tmppwd/hostname" exec_output -+ catch "exec hostname >$tmppwd/hostname" exec_output - envstack_pop - if ![string match "" $exec_output] { - verbose -log $exec_output -@@ -710,6 +708,7 @@ proc setup_krb5_conf { {type client} } { - puts $conffile "\[libdefaults\]" - puts $conffile " default_realm = $REALMNAME" - puts $conffile " dns_lookup_kdc = false" -+ puts $conffile " qualify_shortname = \"\"" - if [info exists allow_weak_crypto($type)] { - puts $conffile " allow_weak_crypto = $allow_weak_crypto($type)" - } else { -diff --git a/src/tests/t_sn2princ.py b/src/tests/t_sn2princ.py -index 26dcb91c2..f3e187286 100755 ---- a/src/tests/t_sn2princ.py -+++ b/src/tests/t_sn2princ.py -@@ -2,7 +2,8 @@ from k5test import * - - offline = (len(args) > 0 and args[0] != "no") - --conf = {'domain_realm': {'kerberos.org': 'R1', -+conf = {'libdefaults': {'dns_canonicalize_hostname': 'true'}, -+ 'domain_realm': {'kerberos.org': 'R1', - 'example.com': 'R2', - 'mit.edu': 'R3'}} - no_rdns_conf = {'libdefaults': {'rdns': 'false'}} -@@ -28,7 +29,7 @@ def testbase(host, nametype, princhost, princrealm, env=None): - fail('Expected %s, got %s' % (expected, out)) - - def test(host, princhost, princrealm): -- # Test with the host-based name type in the default environment. -+ # Test with the host-based name type with canonicalization enabled. - testbase(host, 'srv-hst', princhost, princrealm) - - def testnc(host, princhost, princrealm): -diff --git a/src/util/k5test.py b/src/util/k5test.py -index eea92275d..5196cfa43 100644 ---- a/src/util/k5test.py -+++ b/src/util/k5test.py -@@ -193,7 +193,10 @@ Scripts may use the following functions and variables: - - * plugins: The plugin directory in the build tree (absolute path). - --* hostname: This machine's fully-qualified domain name. -+* hostname: The local hostname as it will initially appear in -+ krb5_sname_to_principal() results. (Shortname qualification is -+ turned off in the test environment to make this value easy to -+ discover from Python.) - - * null_input: A file opened to read /dev/null. - -@@ -525,23 +528,6 @@ def _find_srctop(): - return os.path.abspath(root) - - --# Return the local hostname as it will be canonicalized by --# krb5_sname_to_principal. We can't simply use socket.getfqdn() --# because it explicitly prefers results containing periods and --# krb5_sname_to_principal doesn't care. --def _get_hostname(): -- hostname = socket.gethostname() -- try: -- ai = socket.getaddrinfo(hostname, None, 0, 0, 0, socket.AI_CANONNAME) -- except socket.gaierror as e: -- fail('Local hostname "%s" does not resolve: %s.' % (hostname, e[1])) -- (family, socktype, proto, canonname, sockaddr) = ai[0] -- try: -- name = socket.getnameinfo(sockaddr, socket.NI_NAMEREQD) -- except socket.gaierror: -- return canonname.lower() -- return name[0].lower() -- - # Parse command line arguments, setting global option variables. Also - # sets the global variable args to the positional arguments, which may - # be used by the test script. -@@ -1263,6 +1249,7 @@ _default_krb5_conf = { - 'libdefaults': { - 'default_realm': '$realm', - 'dns_lookup_kdc': 'false', -+ 'qualify_shortname': '', - 'plugin_base_dir': '$plugins'}, - 'realms': {'$realm': { - 'kdc': '$hostname:$port0', -@@ -1356,7 +1343,7 @@ buildtop = _find_buildtop() - srctop = _find_srctop() - plugins = os.path.join(buildtop, 'plugins') - runenv = _import_runenv() --hostname = _get_hostname() -+hostname = socket.gethostname().lower() - null_input = open(os.devnull, 'r') - - # A DB pass is a tuple of: name, kdc_conf. diff --git a/Ignore-bad-enctypes-in-krb5_string_to_keysalts.patch b/Ignore-bad-enctypes-in-krb5_string_to_keysalts.patch index 2bdd0a3..b91c81b 100644 --- a/Ignore-bad-enctypes-in-krb5_string_to_keysalts.patch +++ b/Ignore-bad-enctypes-in-krb5_string_to_keysalts.patch @@ -1,4 +1,4 @@ -From 3f873868fb08b77da2d30e164a0ef6c71c17c607 Mon Sep 17 00:00:00 2001 +From 63b526ffbdd932dffd5bc1d4a2b3ef6300208fb8 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Wed, 15 Jul 2020 15:42:20 -0400 Subject: [PATCH] Ignore bad enctypes in krb5_string_to_keysalts() diff --git a/Implement-GSS_C_CHANNEL_BOUND_FLAG.patch b/Implement-GSS_C_CHANNEL_BOUND_FLAG.patch index 649caa4..5a1cad7 100644 --- a/Implement-GSS_C_CHANNEL_BOUND_FLAG.patch +++ b/Implement-GSS_C_CHANNEL_BOUND_FLAG.patch @@ -1,4 +1,4 @@ -From 3ea1d6296ced3a998e79356f9be212e4c5e6a5d5 Mon Sep 17 00:00:00 2001 +From bfc91774e1bf67b544d38abe10b41cdb76e30d8c Mon Sep 17 00:00:00 2001 From: Alexander Scheel Date: Wed, 5 Jul 2017 11:38:30 -0400 Subject: [PATCH] Implement GSS_C_CHANNEL_BOUND_FLAG diff --git a/Implement-KERB_AP_OPTIONS_CBT-server-side.patch b/Implement-KERB_AP_OPTIONS_CBT-server-side.patch index 41cf5f0..7757547 100644 --- a/Implement-KERB_AP_OPTIONS_CBT-server-side.patch +++ b/Implement-KERB_AP_OPTIONS_CBT-server-side.patch @@ -1,4 +1,4 @@ -From 6407bf087fe53088d91efd09df736e979cd4e8db Mon Sep 17 00:00:00 2001 +From 49e5ab0f11287dd2fd87de02abf14e63e5040c5b Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Mon, 9 Mar 2020 16:04:21 +0100 Subject: [PATCH] Implement KERB_AP_OPTIONS_CBT (server side) diff --git a/Improve-negoex_parse_token-code-hygiene.patch b/Improve-negoex_parse_token-code-hygiene.patch index f6b42a6..fd16725 100644 --- a/Improve-negoex_parse_token-code-hygiene.patch +++ b/Improve-negoex_parse_token-code-hygiene.patch @@ -1,4 +1,4 @@ -From c726a72c68244129eb08b840b92144acfa776573 Mon Sep 17 00:00:00 2001 +From 409a8920e13cd14fec8533c1ff864de92d292178 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 9 Jun 2020 16:23:37 -0400 Subject: [PATCH] Improve negoex_parse_token() code hygiene diff --git a/Omit-PA_FOR_USER-if-we-can-t-compute-its-checksum.patch b/Omit-PA_FOR_USER-if-we-can-t-compute-its-checksum.patch index d0db74b..2514e20 100644 --- a/Omit-PA_FOR_USER-if-we-can-t-compute-its-checksum.patch +++ b/Omit-PA_FOR_USER-if-we-can-t-compute-its-checksum.patch @@ -1,4 +1,4 @@ -From c36e826c70cb5b3bff8bd4371d47884cea30b3f4 Mon Sep 17 00:00:00 2001 +From 911f19b661cb13373ad3de4fb92015beb3647de7 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Sat, 6 Jun 2020 11:03:37 +0200 Subject: [PATCH] Omit PA_FOR_USER if we can't compute its checksum diff --git a/Pass-channel-bindings-through-SPNEGO.patch b/Pass-channel-bindings-through-SPNEGO.patch index 5ab5c07..1dff308 100644 --- a/Pass-channel-bindings-through-SPNEGO.patch +++ b/Pass-channel-bindings-through-SPNEGO.patch @@ -1,4 +1,4 @@ -From ee79bd43005245d3e5a2d3ec6d61146945e77717 Mon Sep 17 00:00:00 2001 +From 20ec2ee13c34bfae03d62662b25f2f7708d1a418 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Tue, 28 Apr 2020 18:15:55 +0200 Subject: [PATCH] Pass channel bindings through SPNEGO diff --git a/Refactor-krb5-GSS-checksum-handling.patch b/Refactor-krb5-GSS-checksum-handling.patch index 392d929..6e41865 100644 --- a/Refactor-krb5-GSS-checksum-handling.patch +++ b/Refactor-krb5-GSS-checksum-handling.patch @@ -1,4 +1,4 @@ -From a34b7c50e62c19f80d39ece6a72017dac781df64 Mon Sep 17 00:00:00 2001 +From 5037c0fe698ad00a8e8f53fdcfc3d3b1c3537aba Mon Sep 17 00:00:00 2001 From: Alexander Scheel Date: Fri, 30 Jun 2017 16:03:01 -0400 Subject: [PATCH] Refactor krb5 GSS checksum handling diff --git a/Remove-resolver-test-utility.patch b/Remove-resolver-test-utility.patch index 6602185..d70f078 100644 --- a/Remove-resolver-test-utility.patch +++ b/Remove-resolver-test-utility.patch @@ -1,4 +1,4 @@ -From 85bb5fe5a11708b78e9f0bd3a3b34999b6c888a7 Mon Sep 17 00:00:00 2001 +From 3eb685873f5390a3af518ac86e99f6863750ada3 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Thu, 28 May 2020 18:41:02 -0400 Subject: [PATCH] Remove resolver test utility diff --git a/Use-two-queues-for-concurrent-t_otp.py-daemons.patch b/Use-two-queues-for-concurrent-t_otp.py-daemons.patch index 33da6f5..7a66d35 100644 --- a/Use-two-queues-for-concurrent-t_otp.py-daemons.patch +++ b/Use-two-queues-for-concurrent-t_otp.py-daemons.patch @@ -1,4 +1,4 @@ -From 8e08f01d73ddca1b828788710ec6bb3e0354727a Mon Sep 17 00:00:00 2001 +From ccc6e0fae1fc000e10e51ffa45cc59674038714a Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Wed, 4 Mar 2020 17:18:51 -0500 Subject: [PATCH] Use two queues for concurrent t_otp.py daemons diff --git a/krb5.spec b/krb5.spec index 8e6cb4e..6d25581 100644 --- a/krb5.spec +++ b/krb5.spec @@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.18.2 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces) -Release: 13%{?dist} +Release: 14%{?dist} # rharwood has trust path to signing key and verifies on check-in Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz @@ -57,7 +57,6 @@ Patch17: Pass-gss_localname-through-SPNEGO.patch Patch18: Omit-KDC-indicator-check-for-S4U2Self-requests.patch Patch19: Fix-typo-in-in-in-the-ksu-man-page.patch Patch21: Replace-gssrpc-tests-with-a-Python-script.patch -Patch22: Default-dns_canonicalize_hostname-to-fallback.patch Patch23: Remove-resolver-test-utility.patch Patch24: Omit-PA_FOR_USER-if-we-can-t-compute-its-checksum.patch Patch25: Improve-negoex_parse_token-code-hygiene.patch @@ -624,6 +623,9 @@ exit 0 %{_libdir}/libkadm5srv_mit.so.* %changelog +* Fri Jul 31 2020 Robbie Harwood - 1.18.2-14 +- Revert qualify_shortname changes + * Tue Jul 28 2020 Fedora Release Engineering - 1.18.2-13 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild