From 79613952e317c33391752d3f35143e88f649f607 Mon Sep 17 00:00:00 2001 
From: Robbie Harwood Date: Tue, 21 May 2019 12:59:56 -0400 Subject: [PATCH] Update default krb5kdc mkey manual-entry enctype Also update account lockout patch to upstream version --- ...nonicalize_hostname-fallback-support.patch | 2 +- ...on-and-enctype-flag-for-deprecations.patch | 2 +- Add-tests-for-KCM-ccache-type.patch | 2 +- Address-some-optimized-out-memset-calls.patch | 2 +- ...-alignment-warnings-in-openssl-rc4.c.patch | 2 +- ...llocating-a-register-in-zap-assembly.patch | 2 +- ...ore-errors-in-OpenSSL-crypto-backend.patch | 2 +- ...er-comment-for-krb5_cc_start_seq_get.patch | 2 +- ...able-flag-instead-of-denying-request.patch | 2 +- ...alm-change-logic-in-FILE-remove_cred.patch | 2 +- ...emory-leak-in-none-replay-cache-type.patch | 2 +- Fix-potential-close-1-in-cc_file.c.patch | 2 +- Fix-some-return-code-handling-bugs.patch | 2 +- ...5_cc_remove_cred-for-remaining-types.patch | 2 +- ...messages-from-kadmin-change_password.patch | 2 +- ...ebug-log-proper-ticket-enctype-names.patch | 2 +- ...ec-always-log-non-permitted-enctypes.patch | 2 +- ...ize-some-data-structure-magic-fields.patch | 2 +- ...ype-names-in-KDC-logs-human-readable.patch | 2 +- Mark-deprecated-enctypes-when-used.patch | 2 +- ...-the-doc-kadm5-tex-files-as-historic.patch | 2 +- ...ze-example-enctypes-in-documentation.patch | 2 +- ...exit-path-in-gss_krb5int_copy_ccache.patch | 2 +- Properly-size-ifdef-in-k5_cccol_lock.patch | 2 +- ...beros-v4-support-vestiges-from-ccapi.patch | 2 +- ...api-related-comments-in-configure.ac.patch | 2 +- Remove-checksum-type-profile-variables.patch | 2 +- Remove-confvalidator-utility.patch | 2 +- ...d-variable-def_kslist-from-two-files.patch | 2 +- ...ygen-generated-HTML-output-for-ccapi.patch | 2 +- ...admin-RPC-support-for-setting-v4-key.patch | 2 +- Remove-more-dead-code.patch | 2 +- ...ovsec_adm_export-dump-format-support.patch | 2 +- Remove-srvtab-support.patch | 2 +- Simplify-SAM-2-as_key-handling.patch | 2 +- Simply-OpenSSL-PKCS7-decryption-code.patch | 2 
+- Support-389ds-s-lockout-model.patch | 63 ++++++++++++++++ ....1-SAM-tests-to-use-a-modern-enctype.patch | 2 +- ...lt-krb5kdc-mkey-manual-entry-enctype.patch | 54 +++++++++++++ Use-secure_getenv-where-appropriate.patch | 2 +- krb5-1.11-kpasswdtest.patch | 2 +- krb5-1.11-run_user_0.patch | 2 +- krb5-1.13-dirsrv-accountlock.patch | 75 ------------------- ...ost2-FIPS-with-PRNG-SPAKE-and-RADIUS.patch | 2 +- krb5-1.9-debuginfo.patch | 2 +- krb5.spec | 9 ++- 46 files changed, 166 insertions(+), 119 deletions(-) create mode 100644 Support-389ds-s-lockout-model.patch create mode 100644 Update-default-krb5kdc-mkey-manual-entry-enctype.patch delete mode 100644 krb5-1.13-dirsrv-accountlock.patch diff --git a/Add-dns_canonicalize_hostname-fallback-support.patch b/Add-dns_canonicalize_hostname-fallback-support.patch index 7fb6a91..6e4c8c0 100644 --- a/Add-dns_canonicalize_hostname-fallback-support.patch +++ b/Add-dns_canonicalize_hostname-fallback-support.patch @@ -1,4 +1,4 @@ -From 770a525f940a319b4f9a91423a9f48bde28429b9 Mon Sep 17 00:00:00 2001 +From 8ec4a9ab41c73e7955ed7929a3d2a19592811596 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 4 Dec 2018 15:22:55 -0500 Subject: [PATCH] Add dns_canonicalize_hostname=fallback support diff --git a/Add-function-and-enctype-flag-for-deprecations.patch b/Add-function-and-enctype-flag-for-deprecations.patch index 739371b..b511554 100644 --- a/Add-function-and-enctype-flag-for-deprecations.patch +++ b/Add-function-and-enctype-flag-for-deprecations.patch @@ -1,4 +1,4 @@ -From 0713281743627e32f234e55bdaaeb58b37036675 Mon Sep 17 00:00:00 2001 +From 8491894d2bad21026d73b999814baffe8a695fb7 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 15 Jan 2019 16:16:57 -0500 Subject: [PATCH] Add function and enctype flag for deprecations diff --git a/Add-tests-for-KCM-ccache-type.patch b/Add-tests-for-KCM-ccache-type.patch index 08b6b03..ca70e00 100644 --- a/Add-tests-for-KCM-ccache-type.patch +++ b/Add-tests-for-KCM-ccache-type.patch 
@@ -1,4 +1,4 @@
-From b8be4f3272dcca4b34f9d79b47b88e510e0d4926 Mon Sep 17 00:00:00 2001
+From 01dcc90e901491196a7ce5da893eec0b699c28b5 Mon Sep 17 00:00:00 2001
 From: Greg Hudson
 Date: Thu, 22 Nov 2018 00:27:35 -0500
 Subject: [PATCH] Add tests for KCM ccache type
diff --git a/Address-some-optimized-out-memset-calls.patch b/Address-some-optimized-out-memset-calls.patch
index 51318c7..aa28531 100644
--- a/Address-some-optimized-out-memset-calls.patch
+++ b/Address-some-optimized-out-memset-calls.patch
@@ -1,4 +1,4 @@
-From 31df8a3ef6b01b11a5956e16206069907a7acf17 Mon Sep 17 00:00:00 2001
+From ef4610f2ca0337bf5522dca3dc6800f795cc6a82 Mon Sep 17 00:00:00 2001
 From: Greg Hudson
 Date: Sun, 30 Dec 2018 16:40:28 -0500
 Subject: [PATCH] Address some optimized-out memset() calls
diff --git a/Avoid-alignment-warnings-in-openssl-rc4.c.patch b/Avoid-alignment-warnings-in-openssl-rc4.c.patch
index fdfe144..5fee63b 100644
--- a/Avoid-alignment-warnings-in-openssl-rc4.c.patch
+++ b/Avoid-alignment-warnings-in-openssl-rc4.c.patch
@@ -1,4 +1,4 @@
-From dac87fb5d866251731ba524053d55482bf5fad2a Mon Sep 17 00:00:00 2001
+From cf0981bf39558c6501fe1dd2386231ac5f430918 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Mon, 6 May 2019 15:14:49 -0400
 Subject: [PATCH] Avoid alignment warnings in openssl rc4.c
diff --git a/Avoid-allocating-a-register-in-zap-assembly.patch b/Avoid-allocating-a-register-in-zap-assembly.patch
index 4444b3a..c8c8589 100644
--- a/Avoid-allocating-a-register-in-zap-assembly.patch
+++ b/Avoid-allocating-a-register-in-zap-assembly.patch
@@ -1,4 +1,4 @@
-From 087dd4f2cfde763b3b4ac1e34de87a3b9217037f Mon Sep 17 00:00:00 2001
+From f516db322b1469a13e59e1c2847e62cb265ce92c Mon Sep 17 00:00:00 2001
 From: Andreas Schneider
 Date: Thu, 3 Jan 2019 17:19:32 +0100
 Subject: [PATCH] Avoid allocating a register in zap() assembly
diff --git a/Check-more-errors-in-OpenSSL-crypto-backend.patch b/Check-more-errors-in-OpenSSL-crypto-backend.patch
index 64fbfa1..707c05d 100644
--- a/Check-more-errors-in-OpenSSL-crypto-backend.patch
+++ b/Check-more-errors-in-OpenSSL-crypto-backend.patch
@@ -1,4 +1,4 @@
-From 43fa850e47233f95c429c5b06fc74130a9c2b2b1 Mon Sep 17 00:00:00 2001
+From f001aa86071aabc398b0d7c38033c26b21fe85f2 Mon Sep 17 00:00:00 2001
 From: Greg Hudson
 Date: Mon, 22 Apr 2019 14:26:42 -0400
 Subject: [PATCH] Check more errors in OpenSSL crypto backend
diff --git a/Clarify-header-comment-for-krb5_cc_start_seq_get.patch b/Clarify-header-comment-for-krb5_cc_start_seq_get.patch
index 56d3027..82995e6 100644
--- a/Clarify-header-comment-for-krb5_cc_start_seq_get.patch
+++ b/Clarify-header-comment-for-krb5_cc_start_seq_get.patch
@@ -1,4 +1,4 @@
-From f6f799d2581251529c28bbb4644e42e19c6980ab Mon Sep 17 00:00:00 2001
+From 8f22ca7ddc9765e3d7a1de867164d307f8662cb3 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Tue, 2 Apr 2019 14:18:57 -0400
 Subject: [PATCH] Clarify header comment for krb5_cc_start_seq_get()
diff --git a/Clear-forwardable-flag-instead-of-denying-request.patch b/Clear-forwardable-flag-instead-of-denying-request.patch
index ea19b4b..ff7e090 100644
--- a/Clear-forwardable-flag-instead-of-denying-request.patch
+++ b/Clear-forwardable-flag-instead-of-denying-request.patch
@@ -1,4 +1,4 @@
-From 63e531d3545d74d734f56987bbc77256cbcd7763 Mon Sep 17 00:00:00 2001
+From ab1435ed0654df9991bddb29971c913ef1f957be Mon Sep 17 00:00:00 2001
 From: Greg Hudson
 Date: Thu, 15 Nov 2018 13:40:43 -0500
 Subject: [PATCH] Clear forwardable flag instead of denying request
diff --git a/Fix-config-realm-change-logic-in-FILE-remove_cred.patch b/Fix-config-realm-change-logic-in-FILE-remove_cred.patch
index 53c69e8..ac58f37 100644
--- a/Fix-config-realm-change-logic-in-FILE-remove_cred.patch
+++ b/Fix-config-realm-change-logic-in-FILE-remove_cred.patch
@@ -1,4 +1,4 @@
-From 4cacf2fa4a181b728742bce8c1ea11c07ba9a143 Mon Sep 17 00:00:00 2001
+From 2f5531f3cffb497902241e4932db20617f4d30eb Mon Sep 17 00:00:00 2001
 From: Greg Hudson
 Date: Tue, 16 Apr 2019 10:47:35 -0400
 Subject: [PATCH] Fix config realm change logic in FILE remove_cred
diff --git a/Fix-memory-leak-in-none-replay-cache-type.patch b/Fix-memory-leak-in-none-replay-cache-type.patch
index 31753d3..bb51241 100644
--- a/Fix-memory-leak-in-none-replay-cache-type.patch
+++ b/Fix-memory-leak-in-none-replay-cache-type.patch
@@ -1,4 +1,4 @@
-From 492872c4581f8b7f6d78cbc2e50e0b819c47a168 Mon Sep 17 00:00:00 2001
+From 75b39bfb256b639cf6ca491568fd6ef667b19d46 Mon Sep 17 00:00:00 2001
 From: Corene Casper
 Date: Sat, 16 Feb 2019 00:49:26 -0500
 Subject: [PATCH] Fix memory leak in 'none' replay cache type
diff --git a/Fix-potential-close-1-in-cc_file.c.patch b/Fix-potential-close-1-in-cc_file.c.patch
index 94b96a8..5b504f2 100644
--- a/Fix-potential-close-1-in-cc_file.c.patch
+++ b/Fix-potential-close-1-in-cc_file.c.patch
@@ -1,4 +1,4 @@
-From 0201f95a60194c99bd3139235eb46e13e7f4484f Mon Sep 17 00:00:00 2001
+From 4faa872c4fc674b791a1c05652833ff40dac7889 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Thu, 18 Apr 2019 13:39:37 -0400
 Subject: [PATCH] Fix potential close(-1) in cc_file.c
diff --git a/Fix-some-return-code-handling-bugs.patch b/Fix-some-return-code-handling-bugs.patch
index 436b65a..7b151c7 100644
--- a/Fix-some-return-code-handling-bugs.patch
+++ b/Fix-some-return-code-handling-bugs.patch
@@ -1,4 +1,4 @@
-From e196f175f5b551290efab029295dcf728feb4fac Mon Sep 17 00:00:00 2001
+From b7bbc88f5ebc6000a8dec95e7f0ff92bbeb54ad4 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Thu, 2 May 2019 14:05:38 -0400
 Subject: [PATCH] Fix some return code handling bugs
diff --git a/Implement-krb5_cc_remove_cred-for-remaining-types.patch b/Implement-krb5_cc_remove_cred-for-remaining-types.patch
index 4cf15a1..9594ed0 100644
--- a/Implement-krb5_cc_remove_cred-for-remaining-types.patch
+++ b/Implement-krb5_cc_remove_cred-for-remaining-types.patch
@@ -1,4 +1,4 @@
-From 6e199a7d007bbfd72ed76ff5534b9b3b88a82227 Mon Sep 17 00:00:00 2001
+From 7d3da40bd7f44f2d6960b5a9245a1d773c4ee1a0 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Mon, 1 Apr 2019 14:28:48 -0400
 Subject: [PATCH] Implement krb5_cc_remove_cred for remaining types
diff --git a/Improve-error-messages-from-kadmin-change_password.patch b/Improve-error-messages-from-kadmin-change_password.patch
index afff2a1..6ecb07a 100644
--- a/Improve-error-messages-from-kadmin-change_password.patch
+++ b/Improve-error-messages-from-kadmin-change_password.patch
@@ -1,4 +1,4 @@
-From 35681c176f3519df4700fd799ed66efd323f8c66 Mon Sep 17 00:00:00 2001
+From ae3053282d879cdbb803c0ff1d6deef8940eeb2a Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Mon, 6 May 2019 13:13:16 -0400
 Subject: [PATCH] Improve error messages from kadmin change_password
diff --git a/In-kpropd-debug-log-proper-ticket-enctype-names.patch b/In-kpropd-debug-log-proper-ticket-enctype-names.patch
index 7972d01..e1b19e3 100644
--- a/In-kpropd-debug-log-proper-ticket-enctype-names.patch
+++ b/In-kpropd-debug-log-proper-ticket-enctype-names.patch
@@ -1,4 +1,4 @@
-From 34883789b60e7961ac0c63062ffadbb2e628a76e Mon Sep 17 00:00:00 2001
+From 71cbe768d29bbe35cff9c37959f3e5352569af39 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Tue, 15 Jan 2019 13:41:16 -0500
 Subject: [PATCH] In kpropd, debug-log proper ticket enctype names
diff --git a/In-rd_req_dec-always-log-non-permitted-enctypes.patch b/In-rd_req_dec-always-log-non-permitted-enctypes.patch
index 9eb6a77..a2a4c53 100644
--- a/In-rd_req_dec-always-log-non-permitted-enctypes.patch
+++ b/In-rd_req_dec-always-log-non-permitted-enctypes.patch
@@ -1,4 +1,4 @@
-From 4d178af94f1a5f187b43de96ae16b2fb1cf4ba8a Mon Sep 17 00:00:00 2001
+From 4c59f0f53a698c9c4242791e8d620d50a394d5c6 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Mon, 14 Jan 2019 17:14:42 -0500
 Subject: [PATCH] In rd_req_dec, always log non-permitted enctypes
diff --git a/Initialize-some-data-structure-magic-fields.patch b/Initialize-some-data-structure-magic-fields.patch
index d3ee55d..e418b9f 100644
--- a/Initialize-some-data-structure-magic-fields.patch
+++ b/Initialize-some-data-structure-magic-fields.patch
@@ -1,4 +1,4 @@
-From da7349429a2985423ad006cc1f9d149e594118b7 Mon Sep 17 00:00:00 2001
+From 37b73dd837a05c14d422379b686b8a10de0083fa Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Thu, 2 May 2019 13:36:38 -0400
 Subject: [PATCH] Initialize some data structure magic fields
diff --git a/Make-etype-names-in-KDC-logs-human-readable.patch b/Make-etype-names-in-KDC-logs-human-readable.patch
index a77c4bc..ba85392 100644
--- a/Make-etype-names-in-KDC-logs-human-readable.patch
+++ b/Make-etype-names-in-KDC-logs-human-readable.patch
@@ -1,4 +1,4 @@
-From fddfa2abbc9e1ccd138d66a8c462a6a0eba1ecaa Mon Sep 17 00:00:00 2001
+From e05c448510fc20946fb6d777bd7e3841dd986e75 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Tue, 8 Jan 2019 17:42:35 -0500
 Subject: [PATCH] Make etype names in KDC logs human-readable
diff --git a/Mark-deprecated-enctypes-when-used.patch b/Mark-deprecated-enctypes-when-used.patch
index b165d7f..8d9f327 100644
--- a/Mark-deprecated-enctypes-when-used.patch
+++ b/Mark-deprecated-enctypes-when-used.patch
@@ -1,4 +1,4 @@
-From c40eb78a918138369f6d7142590732f563968909 Mon Sep 17 00:00:00 2001
+From 7acee539da508c10aabbc8483243da6c6ba37892 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Thu, 10 Jan 2019 16:34:54 -0500
 Subject: [PATCH] Mark deprecated enctypes when used
diff --git a/Mark-the-doc-kadm5-tex-files-as-historic.patch b/Mark-the-doc-kadm5-tex-files-as-historic.patch
index bacbb1b..abf1f4a 100644
--- a/Mark-the-doc-kadm5-tex-files-as-historic.patch
+++ b/Mark-the-doc-kadm5-tex-files-as-historic.patch
@@ -1,4 +1,4 @@
-From 7385ae430280e839a2a0b5a7c5a6be1b2b24aef4 Mon Sep 17 00:00:00 2001
+From 28a605c2411c3def3e5eaa19be5326777e959a1a Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Thu, 11 Apr 2019 18:33:04 -0400
 Subject: [PATCH] Mark the doc/kadm5 tex files as historic
diff --git a/Modernize-example-enctypes-in-documentation.patch b/Modernize-example-enctypes-in-documentation.patch
index 7c3d87c..428ac2b 100644
--- a/Modernize-example-enctypes-in-documentation.patch
+++ b/Modernize-example-enctypes-in-documentation.patch
@@ -1,4 +1,4 @@
-From 6eb0931738f26890952de08d4ea9de24b0f684f5 Mon Sep 17 00:00:00 2001
+From cef9a57dc094bb2ca57d5b765981fbb2ab93adde Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Thu, 11 Apr 2019 18:25:41 -0400
 Subject: [PATCH] Modernize example enctypes in documentation
diff --git a/Modernize-exit-path-in-gss_krb5int_copy_ccache.patch b/Modernize-exit-path-in-gss_krb5int_copy_ccache.patch
index 489987d..ff1d987 100644
--- a/Modernize-exit-path-in-gss_krb5int_copy_ccache.patch
+++ b/Modernize-exit-path-in-gss_krb5int_copy_ccache.patch
@@ -1,4 +1,4 @@
-From bca13182a78bc3c62bd7e616c9b69ce96fe00b98 Mon Sep 17 00:00:00 2001
+From 894bcbfcf27c9bc1117bb624f27123eb25fcd7bf Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Thu, 2 May 2019 14:32:33 -0400
 Subject: [PATCH] Modernize exit path in gss_krb5int_copy_ccache()
diff --git a/Properly-size-ifdef-in-k5_cccol_lock.patch b/Properly-size-ifdef-in-k5_cccol_lock.patch
index b38fc66..d7af9bf 100644
--- a/Properly-size-ifdef-in-k5_cccol_lock.patch
+++ b/Properly-size-ifdef-in-k5_cccol_lock.patch
@@ -1,4 +1,4 @@
-From 5601f9e0291feedeba7a420396d83b38c7332e86 Mon Sep 17 00:00:00 2001
+From 6f9bd0a292f1b84e16cab8c89efee87359b007d2 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Thu, 14 Feb 2019 11:50:35 -0500
 Subject: [PATCH] Properly size #ifdef in k5_cccol_lock()
diff --git a/Remove-Kerberos-v4-support-vestiges-from-ccapi.patch b/Remove-Kerberos-v4-support-vestiges-from-ccapi.patch
index 796ad66..b00a745 100644
--- a/Remove-Kerberos-v4-support-vestiges-from-ccapi.patch
+++ b/Remove-Kerberos-v4-support-vestiges-from-ccapi.patch
@@ -1,4 +1,4 @@
-From ff88e21470d374f057107148de8b972a04f59641 Mon Sep 17 00:00:00 2001
+From ff011e05cfb28b408778f4ace22a745f19c0bdd2 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Thu, 4 Apr 2019 14:37:38 -0400
 Subject: [PATCH] Remove Kerberos v4 support vestiges from ccapi
diff --git a/Remove-ccapi-related-comments-in-configure.ac.patch b/Remove-ccapi-related-comments-in-configure.ac.patch
index 7f3fa56..0fb5d50 100644
--- a/Remove-ccapi-related-comments-in-configure.ac.patch
+++ b/Remove-ccapi-related-comments-in-configure.ac.patch
@@ -1,4 +1,4 @@
-From 32b05ffd5f0d6eff5f989a8c30a030a3e1972e5d Mon Sep 17 00:00:00 2001
+From 7f015c7ed945d1d51ffd0ba1dd5b89c150eacf83 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Wed, 3 Apr 2019 16:01:22 -0400
 Subject: [PATCH] Remove ccapi-related comments in configure.ac
diff --git a/Remove-checksum-type-profile-variables.patch b/Remove-checksum-type-profile-variables.patch
index af1112e..eebabea 100644
--- a/Remove-checksum-type-profile-variables.patch
+++ b/Remove-checksum-type-profile-variables.patch
@@ -1,4 +1,4 @@
-From e3de3f9916acc4ba0ac2e15c2d9a6826802170d2 Mon Sep 17 00:00:00 2001
+From a642ac26ca00d4cfaae84398372035b0c1e444ed Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Mon, 13 May 2019 14:19:57 -0400
 Subject: [PATCH] Remove checksum type profile variables
diff --git a/Remove-confvalidator-utility.patch b/Remove-confvalidator-utility.patch
index 134ba1e..302df29 100644
--- a/Remove-confvalidator-utility.patch
+++ b/Remove-confvalidator-utility.patch
@@ -1,4 +1,4 @@
-From 2ea1badfb30f8549a5ec00dc8c5f5e58caea5a03 Mon Sep 17 00:00:00 2001
+From ecab56bca80824913e98a5b25f34a5ebe483990d Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Wed, 3 Apr 2019 14:58:19 -0400
 Subject: [PATCH] Remove confvalidator utility
diff --git a/Remove-dead-variable-def_kslist-from-two-files.patch b/Remove-dead-variable-def_kslist-from-two-files.patch
index ee60f78..9fd92c9 100644
--- a/Remove-dead-variable-def_kslist-from-two-files.patch
+++ b/Remove-dead-variable-def_kslist-from-two-files.patch
@@ -1,4 +1,4 @@
-From a37470b4f45cd40318c8ad84d92f56bdaac4993e Mon Sep 17 00:00:00 2001
+From 85416629f6d120bf272d9aaa9c661b8a849c40b3 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Thu, 2 May 2019 16:57:51 -0400
 Subject: [PATCH] Remove dead variable def_kslist from two files
diff --git a/Remove-doxygen-generated-HTML-output-for-ccapi.patch b/Remove-doxygen-generated-HTML-output-for-ccapi.patch
index 9825899..48b515a 100644
--- a/Remove-doxygen-generated-HTML-output-for-ccapi.patch
+++ b/Remove-doxygen-generated-HTML-output-for-ccapi.patch
@@ -1,4 +1,4 @@
-From 90324f46fe8aed4054ecad4f3a0357ffa3716852 Mon Sep 17 00:00:00 2001
+From cf25d152b2b1f54bbd92e235a30de20e154f3e7a Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Thu, 4 Apr 2019 14:15:58 -0400
 Subject: [PATCH] Remove doxygen-generated HTML output for ccapi
diff --git a/Remove-kadmin-RPC-support-for-setting-v4-key.patch b/Remove-kadmin-RPC-support-for-setting-v4-key.patch
index 66a08c2..9b2ea36 100644
--- a/Remove-kadmin-RPC-support-for-setting-v4-key.patch
+++ b/Remove-kadmin-RPC-support-for-setting-v4-key.patch
@@ -1,4 +1,4 @@
-From 962e49c0ef0faf00210a1f88044782f6fa47a779 Mon Sep 17 00:00:00 2001
+From 12e48c208c042f219d5cb8fb984094c5c958c99b Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Thu, 4 Apr 2019 16:14:46 -0400
 Subject: [PATCH] Remove kadmin RPC support for setting v4 key
diff --git a/Remove-more-dead-code.patch b/Remove-more-dead-code.patch
index ed67434..ef9a747 100644
--- a/Remove-more-dead-code.patch
+++ b/Remove-more-dead-code.patch
@@ -1,4 +1,4 @@
-From f708c93e82dc34c6ab2bd04be2149bd539faec4d Mon Sep 17 00:00:00 2001
+From 98e6b0ada15075ea017fe8086f21b95fc2280fcd Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Thu, 9 May 2019 14:07:24 -0400
 Subject: [PATCH] Remove more dead code
diff --git a/Remove-ovsec_adm_export-dump-format-support.patch b/Remove-ovsec_adm_export-dump-format-support.patch
index aad68b3..f4b0510 100644
--- a/Remove-ovsec_adm_export-dump-format-support.patch
+++ b/Remove-ovsec_adm_export-dump-format-support.patch
@@ -1,4 +1,4 @@
-From 56be395114bed8e8dd41b91e41e233637488d3ab Mon Sep 17 00:00:00 2001
+From 6f9222fb372af6d7988c65cc4ec3cb56f6cc747a Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Tue, 22 Jan 2019 18:34:58 -0500
 Subject: [PATCH] Remove ovsec_adm_export dump format support
diff --git a/Remove-srvtab-support.patch b/Remove-srvtab-support.patch
index 0fa5c2a..6f2a7ec 100644
--- a/Remove-srvtab-support.patch
+++ b/Remove-srvtab-support.patch
@@ -1,4 +1,4 @@
-From 42b1d879cf0705d3bc76c4b546275f1c608ebda9 Mon Sep 17 00:00:00 2001
+From 0869d133743446612c512ce9aec5832ce10e282b Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Mon, 9 Oct 2017 15:58:33 -0400
 Subject: [PATCH] Remove srvtab support
diff --git a/Simplify-SAM-2-as_key-handling.patch b/Simplify-SAM-2-as_key-handling.patch
index 54123ec..b9f877b 100644
--- a/Simplify-SAM-2-as_key-handling.patch
+++ b/Simplify-SAM-2-as_key-handling.patch
@@ -1,4 +1,4 @@
-From 251694f155bd132a162f876e59abf5caf7140c70 Mon Sep 17 00:00:00 2001
+From 48cca5e6134e6137cab7d592dfb31f0a19e4e7ea Mon Sep 17 00:00:00 2001
 From: Greg Hudson
 Date: Sun, 5 May 2019 18:53:27 -0400
 Subject: [PATCH] Simplify SAM-2 as_key handling
diff --git a/Simply-OpenSSL-PKCS7-decryption-code.patch b/Simply-OpenSSL-PKCS7-decryption-code.patch
index 16436e0..cc40c6e 100644
--- a/Simply-OpenSSL-PKCS7-decryption-code.patch
+++ b/Simply-OpenSSL-PKCS7-decryption-code.patch
@@ -1,4 +1,4 @@
-From 02c3a9756cba8676a3074ae8c1c96b26e1b47c98 Mon Sep 17 00:00:00 2001
+From 0b4433c4ab9653eb298e2b7d959e957d468fd3f9 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Mon, 6 May 2019 13:13:06 -0400
 Subject: [PATCH] Simply OpenSSL PKCS7 decryption code
diff --git a/Support-389ds-s-lockout-model.patch b/Support-389ds-s-lockout-model.patch
new file mode 100644
index 0000000..6bf16fc
--- /dev/null
+++ b/Support-389ds-s-lockout-model.patch
@@ -0,0 +1,63 @@ +From 5673f1c22b602ac4b72e59c84b70ecedf3132c11 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Tue, 23 Aug 2016 16:47:44 -0400 +Subject: [PATCH] Support 389ds's lockout model + +Handle the attribute 'nsAccountLock' from Netscape derivatives. Based +on a patch by Nalin Dahyabhai and Simo Sorce. + +ticket: 5891 +(cherry picked from commit 6ad061e24eca41a61eebed61db39768bfa51a084) +--- + src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c | 18 ++++++++++++++++++ + .../kdb/ldap/libkdb_ldap/ldap_principal.c | 1 + + 2 files changed, 19 insertions(+) + +diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c +index 5b9d1e9fa..2ade63719 100644 +--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c ++++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c +@@ -1420,6 +1420,7 @@ populate_krb5_db_entry(krb5_context context, krb5_ldap_context *ldap_context, + struct berval **ber_key_data = NULL, **ber_tl_data = NULL; + krb5_tl_data userinfo_tl_data = { NULL }, **endp, *tl; + osa_princ_ent_rec princ_ent; ++ char *is_login_disabled = NULL; + + memset(&princ_ent, 0, sizeof(princ_ent)); + +@@ -1653,6 +1654,23 @@ populate_krb5_db_entry(krb5_context context, krb5_ldap_context *ldap_context, + if (ret) + goto cleanup; + ++ /* ++ * 389ds and other Netscape directory server derivatives support an ++ * attribute "nsAccountLock" which functions similarly to eDirectory's ++ * "loginDisabled". When the user's account object is also a ++ * krbPrincipalAux object, the kdb entry should be treated as if ++ * DISALLOW_ALL_TIX has been set. 
++ */ ++ ret = krb5_ldap_get_string(ld, ent, "nsAccountLock", &is_login_disabled, ++ &attr_present); ++ if (ret) ++ goto cleanup; ++ if (attr_present == TRUE) { ++ if (strcasecmp(is_login_disabled, "TRUE") == 0) ++ entry->attributes |= KRB5_KDB_DISALLOW_ALL_TIX; ++ free(is_login_disabled); ++ } ++ + ret = krb5_read_tkt_policy(context, ldap_context, entry, tktpolname); + if (ret) + goto cleanup; +diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c +index d722dbfa6..a5180c73f 100644 +--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c ++++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c +@@ -54,6 +54,7 @@ char *principal_attributes[] = { "krbprincipalname", + "krbLastFailedAuth", + "krbLoginFailedCount", + "krbLastSuccessfulAuth", ++ "nsAccountLock", + "krbLastPwdChange", + "krbLastAdminUnlock", + "krbPrincipalAuthInd", diff --git a/Update-ASN.1-SAM-tests-to-use-a-modern-enctype.patch b/Update-ASN.1-SAM-tests-to-use-a-modern-enctype.patch index f90a723..526b44c 100644 --- a/Update-ASN.1-SAM-tests-to-use-a-modern-enctype.patch +++ b/Update-ASN.1-SAM-tests-to-use-a-modern-enctype.patch @@ -1,4 +1,4 @@ -From f3f8effd4978bc6671adc85d98105ca10a67df1f Mon Sep 17 00:00:00 2001 +From a7db3ad8e75a865c2de8c522f582129051bbe958 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 16 Apr 2019 14:16:39 -0400 Subject: [PATCH] Update ASN.1 SAM tests to use a modern enctype diff --git a/Update-default-krb5kdc-mkey-manual-entry-enctype.patch b/Update-default-krb5kdc-mkey-manual-entry-enctype.patch new file mode 100644 index 0000000..d8e85a5 --- /dev/null +++ b/Update-default-krb5kdc-mkey-manual-entry-enctype.patch 
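Review bot: The `nsAccountLock` block in populate_krb5_db_entry() sets `KRB5_KDB_DISALLOW_ALL_TIX` immediately before the call to `krb5_read_tkt_policy(context, ldap_context, entry, tktpolname)`, and that ordering deserves a second look. krb5_read_tkt_policy() is not shown on this page; if it assigns `entry->attributes` from a ticket policy when the principal carries no ticket flags of its own, the lock bit set here would be overwritten and a locked account could still be issued tickets. Either confirm that it only ORs flags in, or move the block to just after that call. The match is also fail-open, since any value other than a case-insensitive `TRUE` leaves the principal enabled, which the comment could state, e.g. `/* Only the literal value "TRUE" (any case) locks the principal. */`. The function body starts and ends outside this hunk.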
@@ -0,0 +1,54 @@ +From 32d2b3e6dc3ab6aa9bb824701752ccfc23d61c1c Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Mon, 20 May 2019 16:52:57 -0400 +Subject: [PATCH] Update default krb5kdc mkey manual-entry enctype + +Change from the legacy des-cbc-crc to the default for kdb5_util and +kadmind, which is currently aes256-cts-hmac-sha1-96. + +(cherry picked from commit 512f5cde625253cba1e6f87e037a00ef88178882) +--- + doc/admin/admin_commands/krb5kdc.rst | 2 +- + src/kdc/main.c | 2 +- + src/man/krb5kdc.man | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/doc/admin/admin_commands/krb5kdc.rst b/doc/admin/admin_commands/krb5kdc.rst +index 0342d0d18..455bb6858 100644 +--- a/doc/admin/admin_commands/krb5kdc.rst ++++ b/doc/admin/admin_commands/krb5kdc.rst +@@ -39,7 +39,7 @@ LDAP database. + + The **-k** *keytype* option specifies the key type of the master key + to be entered manually as a password when **-m** is given; the default +-is ``des-cbc-crc``. ++is |defmkey|. + + The **-M** *mkeyname* option specifies the principal name for the + master key in the database (usually ``K/M`` in the KDC's realm). +diff --git a/src/kdc/main.c b/src/kdc/main.c +index 60092a0df..04393772f 100644 +--- a/src/kdc/main.c ++++ b/src/kdc/main.c +@@ -777,7 +777,7 @@ initialize_realms(krb5_context kcontext, int argc, char **argv, + case 'm': /* manual type-in of master key */ + manual = TRUE; + if (menctype == ENCTYPE_UNKNOWN) +- menctype = ENCTYPE_DES_CBC_CRC; ++ menctype = DEFAULT_KDC_ENCTYPE; + break; + case 'M': /* master key name in DB */ + mkey_name = optarg; +diff --git a/src/man/krb5kdc.man b/src/man/krb5kdc.man +index 8ace9662f..aa8614698 100644 +--- a/src/man/krb5kdc.man ++++ b/src/man/krb5kdc.man +@@ -59,7 +59,7 @@ LDAP database. + .sp + The \fB\-k\fP \fIkeytype\fP option specifies the key type of the master key + to be entered manually as a password when \fB\-m\fP is given; the default +-is \fBdes\-cbc\-crc\fP\&. ++is \fBaes256\-cts\-hmac\-sha1\-96\fP\&. 
+ .sp + The \fB\-M\fP \fImkeyname\fP option specifies the principal name for the + master key in the database (usually \fBK/M\fP in the KDC\(aqs realm). diff --git a/Use-secure_getenv-where-appropriate.patch b/Use-secure_getenv-where-appropriate.patch index 6338aee..65d813e 100644 --- a/Use-secure_getenv-where-appropriate.patch +++ b/Use-secure_getenv-where-appropriate.patch @@ -1,4 +1,4 @@ -From a46c1dd1be09217f9f19e9c70381893dc3995c45 Mon Sep 17 00:00:00 2001 +From 4ed88289e0b3c5a6fcda13078abf211fb8e4f84c Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Wed, 24 Apr 2019 16:19:50 -0400 Subject: [PATCH] Use secure_getenv() where appropriate diff --git a/krb5-1.11-kpasswdtest.patch b/krb5-1.11-kpasswdtest.patch index 7c763ce..4b4358b 100644 --- a/krb5-1.11-kpasswdtest.patch +++ b/krb5-1.11-kpasswdtest.patch @@ -1,4 +1,4 @@ -From d3e720a17e4284c791541840dcbc8652d33a75c4 Mon Sep 17 00:00:00 2001 +From 8e03102127701980c1ace62cbea93e4003a0ef5d Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:52:01 -0400 Subject: [PATCH] krb5-1.11-kpasswdtest.patch diff --git a/krb5-1.11-run_user_0.patch b/krb5-1.11-run_user_0.patch index 673d127..c23e0a1 100644 --- a/krb5-1.11-run_user_0.patch +++ b/krb5-1.11-run_user_0.patch @@ -1,4 +1,4 @@ -From 75ba8f42c0e9426af80c71aaaa490cc6262e259c Mon Sep 17 00:00:00 2001 +From 44ecf1e570aacff7630334fbf1650e2f33f8675e Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:49:57 -0400 Subject: [PATCH] krb5-1.11-run_user_0.patch diff --git a/krb5-1.13-dirsrv-accountlock.patch b/krb5-1.13-dirsrv-accountlock.patch deleted file mode 100644 index e5fbd7f..0000000 --- a/krb5-1.13-dirsrv-accountlock.patch +++ /dev/null 
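Review bot: Nothing in this patch or its documentation hunks tells operators that `krb5kdc -m` without `-k` now derives the master key with a different enctype: the `case 'm'` branch in initialize_realms() falls back to `DEFAULT_KDC_ENCTYPE` where it used `ENCTYPE_DES_CBC_CRC`. A KDC whose master key was created under the old des-cbc-crc default would presumably derive a different key from the typed password and fail to open the database until `-k des-cbc-crc` is passed explicitly. A sentence in krb5kdc.rst next to `|defmkey|` would cover it, for example `Databases whose master key uses another type need an explicit -k.` The krb5kdc.man hunk hard-codes `aes256-cts-hmac-sha1-96` while the code and the .rst follow a macro, so the man page has to be regenerated whenever that default moves. initialize_realms() continues outside the hunk.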
@@ -1,75 +0,0 @@ -From eb26e32b7cce535a7a70168b7f44aa07eb989264 Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Tue, 23 Aug 2016 16:47:44 -0400 -Subject: [PATCH] krb5-1.13-dirsrv-accountlock.patch - -Treat 'nsAccountLock: true' the same as 'loginDisabled: true'. Updated from -original version filed as RT#5891. ---- - src/aclocal.m4 | 9 +++++++++ - src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c | 17 +++++++++++++++++ - .../kdb/ldap/libkdb_ldap/ldap_principal.c | 3 +++ - 3 files changed, 29 insertions(+) - -diff --git a/src/aclocal.m4 b/src/aclocal.m4 -index db18226ed..518b1a547 100644 ---- a/src/aclocal.m4 -+++ b/src/aclocal.m4 -@@ -1678,6 +1678,15 @@ if test "$with_ldap" = yes; then - AC_MSG_NOTICE(enabling OpenLDAP database backend module support) - OPENLDAP_PLUGIN=yes - fi -+AC_ARG_WITH([dirsrv-account-locking], -+[ --with-dirsrv-account-locking compile 389/Red Hat/Fedora/Netscape Directory Server database backend module], -+[case "$withval" in -+ yes | no) ;; -+ *) AC_MSG_ERROR(Invalid option value --with-dirsrv-account-locking="$withval") ;; -+esac], with_dirsrv_account_locking=no) -+if test $with_dirsrv_account_locking = yes; then -+ AC_DEFINE(HAVE_DIRSRV_ACCOUNT_LOCKING,1,[Define if LDAP KDB interface should heed 389 DS's nsAccountLock attribute.]) -+fi - ])dnl - dnl - dnl If libkeyutils exists (on Linux) include it and use keyring ccache -diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c -index 5b9d1e9fa..4e7270065 100644 ---- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c -+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c -@@ -1652,6 +1652,23 @@ populate_krb5_db_entry(krb5_context context, krb5_ldap_context *ldap_context, - ret = krb5_dbe_update_tl_data(context, entry, &userinfo_tl_data); - if (ret) - goto cleanup; -+#ifdef HAVE_DIRSRV_ACCOUNT_LOCKING -+ { -+ krb5_timestamp expiretime=0; -+ char *is_login_disabled=NULL; -+ -+ /* LOGIN DISABLED */ -+ ret = krb5_ldap_get_string(ld, ent, 
"nsAccountLock", &is_login_disabled, -+ &attr_present); -+ if (ret) -+ goto cleanup; -+ if (attr_present == TRUE) { -+ if (strcasecmp(is_login_disabled, "TRUE")== 0) -+ entry->attributes |= KRB5_KDB_DISALLOW_ALL_TIX; -+ free (is_login_disabled); -+ } -+ } -+#endif - - ret = krb5_read_tkt_policy(context, ldap_context, entry, tktpolname); - if (ret) -diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c -index d722dbfa6..5e8e9a897 100644 ---- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c -+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c -@@ -54,6 +54,9 @@ char *principal_attributes[] = { "krbprincipalname", - "krbLastFailedAuth", - "krbLoginFailedCount", - "krbLastSuccessfulAuth", -+#ifdef HAVE_DIRSRV_ACCOUNT_LOCKING -+ "nsAccountLock", -+#endif - "krbLastPwdChange", - "krbLastAdminUnlock", - "krbPrincipalAuthInd", diff --git a/krb5-1.17post2-FIPS-with-PRNG-SPAKE-and-RADIUS.patch b/krb5-1.17post2-FIPS-with-PRNG-SPAKE-and-RADIUS.patch index 8acdf1b..37adcee 100644 --- a/krb5-1.17post2-FIPS-with-PRNG-SPAKE-and-RADIUS.patch +++ b/krb5-1.17post2-FIPS-with-PRNG-SPAKE-and-RADIUS.patch @@ -1,4 +1,4 @@ -From 853a9aacfbc842037b30607bacb5c60f5918cccb Mon Sep 17 00:00:00 2001 +From 3cd7636a824638f880e7512fa1f547ec379b8499 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Fri, 9 Nov 2018 15:12:21 -0500 Subject: [PATCH] krb5-1.17post2 FIPS with PRNG, SPAKE, and RADIUS diff --git a/krb5-1.9-debuginfo.patch b/krb5-1.9-debuginfo.patch index 6723eb4..cbe852c 100644 --- a/krb5-1.9-debuginfo.patch +++ b/krb5-1.9-debuginfo.patch @@ -1,4 +1,4 @@ -From 454b35ce48bb8de491cad93c8944c783d1c47fd1 Mon Sep 17 00:00:00 2001 +From 371770fc1d545414838685bcd2542450dfb0e097 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:49:25 -0400 Subject: [PATCH] krb5-1.9-debuginfo.patch diff --git a/krb5.spec b/krb5.spec index f679038..ee5b5d6 100644 --- a/krb5.spec +++ b/krb5.spec 
@@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.17 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces) -Release: 23%{?dist} +Release: 24%{?dist} # lookaside-cached sources; two downloads and a build artifact Source0: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}%{prerelease}.tar.gz @@ -54,7 +54,6 @@ Patch27: krb5-1.17-beta1-selinux-label.patch Patch28: krb5-1.12-ksu-path.patch Patch30: krb5-1.15-beta1-buildconf.patch Patch31: krb5-1.3.1-dns.patch -Patch33: krb5-1.13-dirsrv-accountlock.patch Patch34: krb5-1.9-debuginfo.patch Patch35: krb5-1.11-run_user_0.patch Patch36: krb5-1.11-kpasswdtest.patch @@ -97,6 +96,8 @@ Patch129: Remove-dead-variable-def_kslist-from-two-files.patch Patch130: Mark-the-doc-kadm5-tex-files-as-historic.patch Patch131: Modernize-example-enctypes-in-documentation.patch Patch132: Update-ASN.1-SAM-tests-to-use-a-modern-enctype.patch +Patch133: Update-default-krb5kdc-mkey-manual-entry-enctype.patch +Patch134: Support-389ds-s-lockout-model.patch License: MIT URL: https://web.mit.edu/kerberos/www/ @@ -706,6 +707,10 @@ exit 0 %{_libdir}/libkadm5srv_mit.so.* %changelog +* Tue May 21 2019 Robbie Harwood - 1.17-24 +- Update default krb5kdc mkey manual-entry enctype +- Also update account lockout patch to upstream version + * Mon May 20 2019 Robbie Harwood - 1.17-23 - Test & docs fixes in preparation for DES removal
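Review bot: `Patch134` replaces `Patch33`, and the removed krb5-1.13-dirsrv-accountlock.patch was the one that added the `--with-dirsrv-account-locking` switch to src/aclocal.m4; the upstream version shown earlier in this commit has no such switch. The %build section is outside these hunks, so it is worth checking whether the configure invocation still passes that option; if it does, configure would now see an unrecognized option and the line should be dropped in the same commit. The nsAccountLock handling is also no longer compile-time optional, which the %changelog entry could say, e.g. `- nsAccountLock is now always honoured by the LDAP KDB module`.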