New upstream beta release - 1.18-beta2

Adjust naming convention for downstream patches
Robbie Harwood 2020-01-31 20:31:53 +00:00
parent b3d5b8f719
commit 8fb4697062
11 changed files with 80 additions and 64 deletions

.gitignore

@ -179,3 +179,5 @@ krb5-1.8.3-pdf.tar.gz
/krb5-1.17.1.tar.gz.asc
/krb5-1.18-beta1.tar.gz
/krb5-1.18-beta1.tar.gz.asc
/krb5-1.18-beta2.tar.gz
/krb5-1.18-beta2.tar.gz.asc


@ -1,13 +1,15 @@
From e07920163e88a538e73b4d72db26b74c951b8256 Mon Sep 17 00:00:00 2001
From 74e18ba4575ed2fbf67dd57c3712f01ecba76932 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:45:26 -0400
Subject: [PATCH] krb5-1.15-beta1-buildconf.patch
Subject: [PATCH] [downstream] Adjust build configuration
Build binaries in this package as RELRO PIEs, libraries as partial RELRO,
and install shared libraries with the execute bit set on them. Prune out
the -L/usr/lib* and PIE flags where they might leak out and affect
apps which just want to link with the libraries. FIXME: needs to check and
not just assume that the compiler supports using these flags.
Last-updated: krb5-1.15-beta1
---
src/build-tools/krb5-config.in | 7 +++++++
src/config/pre.in | 2 +-
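Review bot: the message body still carries "FIXME: needs to check and not just assume that the compiler supports using these flags", and the new trailer dates the patch content to krb5-1.15-beta1, so the RELRO/PIE flags are still applied without any probe. Since the header is being edited anyway, either add a configure-time check for the flags or replace the FIXME with a reference to a tracking bug, so that a toolchain which ignores them does not silently produce unhardened binaries.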


@ -1,7 +1,7 @@
From ad14cab8d35e6c7edee196708ce5b5516b9bb1f8 Mon Sep 17 00:00:00 2001
From 494658b52c8aebd7d31d51faa4eb498b6e6843ed Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Fri, 9 Nov 2018 15:12:21 -0500
Subject: [PATCH] krb5-1.17post6 FIPS with PRNG and RADIUS and MD4
Subject: [PATCH] [downstream] FIPS with PRNG and RADIUS and MD4
NB: Use openssl's PRNG in FIPS mode and taint within krad.
@ -16,6 +16,8 @@ locks), but not for any ciphers we care about - which is to say that
AES is fine. Shame about SPAKE though.
post6 restores MD4 (and therefore keygen-only RC4).
Last-updated: krb5-1.17
---
src/lib/crypto/krb/prng.c | 11 ++++-
.../crypto/openssl/enc_provider/camellia.c | 6 +++
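Review bot: the new Subject drops the "krb5-1.17post6" prefix, but the body still says "post6 restores MD4 (and therefore keygen-only RC4)" and the added trailer records only "Last-updated: krb5-1.17", so nothing in the header now says what "post6" refers to. Keep the revision in the trailer or reword that sentence; it is the only visible record that this FIPS patch restores MD4 and keygen-only RC4.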


@ -1,12 +1,14 @@
From d042a0d6ea28c70e87ae342255a0af2bab631ec1 Mon Sep 17 00:00:00 2001
From 0153147f716b8f8710fd307df54908267779c3a4 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 26 Mar 2019 18:51:10 -0400
Subject: [PATCH] krb5-1.18-beta1-Remove-3des-support
Subject: [PATCH] [downstream] Remove 3des support
Completely remove support for all DES3 enctypes (des3-cbc-raw,
des3-hmac-sha1, des3-cbc-sha1-kd). Update all tests and documentation
to user other enctypes. Mark the 3DES enctypes UNSUPPORTED and retain
their constants.
Last-updated: 1.18-beta2
---
doc/admin/advanced/retiring-des.rst | 11 +
doc/admin/conf_files/kdc_conf.rst | 7 +-
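Review bot: the added trailer "Last-updated: 1.18-beta2" lacks the "krb5-" prefix that every other trailer in this commit uses (for example "Last-updated: krb5-1.18-beta1"), which makes the trailers harder to search consistently when looking for stale patches. Use "krb5-1.18-beta2", and while the message is being edited, change "to user other enctypes" to "to use other enctypes".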
@ -102,9 +104,9 @@ their constants.
src/tests/t_keyrollover.py | 8 +-
src/tests/t_mkey.py | 35 --
src/tests/t_salt.py | 5 +-
src/util/k5test.py | 10 -
src/util/k5test.py | 7 -
.../leash/htmlhelp/html/Encryption_Types.htm | 13 -
96 files changed, 163 insertions(+), 4837 deletions(-)
96 files changed, 163 insertions(+), 4834 deletions(-)
delete mode 100644 src/lib/crypto/builtin/des/ISSUES
delete mode 100644 src/lib/crypto/builtin/des/Makefile.in
delete mode 100644 src/lib/crypto/builtin/des/d3_aead.c
@ -194,10 +196,10 @@ index 9759756a2..cf8a12547 100644
While **aes128-cts** and **aes256-cts** are supported for all Kerberos
diff --git a/doc/admin/enctypes.rst b/doc/admin/enctypes.rst
index 84183a53c..b3fdc7c8b 100644
index caf6d9267..65b55cdb9 100644
--- a/doc/admin/enctypes.rst
+++ b/doc/admin/enctypes.rst
@@ -125,7 +125,7 @@ enctype weak? krb5 Windows
@@ -129,7 +129,7 @@ enctype weak? krb5 Windows
des-cbc-crc weak <1.18 >=2000
des-cbc-md4 weak <1.18 ?
des-cbc-md5 weak <1.18 >=2000
@ -206,7 +208,7 @@ index 84183a53c..b3fdc7c8b 100644
arcfour-hmac >=1.3 >=2000
arcfour-hmac-exp weak >=1.3 >=2000
aes128-cts-hmac-sha1-96 >=1.3 >=Vista
@@ -136,7 +136,10 @@ camellia128-cts-cmac >=1.9 none
@@ -140,7 +140,10 @@ camellia128-cts-cmac >=1.9 none
camellia256-cts-cmac >=1.9 none
========================== ===== ======== =======
@ -267,7 +269,7 @@ index fc5662767..37eda67fa 100644
.. |copy| unicode:: U+000A9
'''
diff --git a/doc/mitK5features.rst b/doc/mitK5features.rst
index d58c71898..8655e257d 100644
index a7e55f206..77c095c75 100644
--- a/doc/mitK5features.rst
+++ b/doc/mitK5features.rst
@@ -37,7 +37,7 @@ Database backends: LDAP, DB2, LMDB
@ -363,7 +365,7 @@ index 8a4b87de1..d7f1d076b 100644
+ supported_enctypes = aes256-cts:normal aes128-cts:normal aes256-sha2:normal aes128-sha2:normal
}
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index d0fd5d7e1..050672840 100644
index 221bde1dd..b8d292021 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -1103,8 +1103,6 @@ enctype_name(krb5_enctype ktype, char *buf, size_t buflen)
@ -375,7 +377,7 @@ index d0fd5d7e1..050672840 100644
else
return krb5_enctype_to_name(ktype, FALSE, buf, buflen);
@@ -1839,8 +1837,6 @@ krb5_boolean
@@ -1841,8 +1839,6 @@ krb5_boolean
enctype_requires_etype_info_2(krb5_enctype enctype)
{
switch(enctype) {
@ -5621,7 +5623,7 @@ index 2925c1c43..2f76c8b43 100644
if { ! [cmd {kadm5_destroy $server_handle}]} {
perror "$test: unexpected failure in destroy"
diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c
index 0fad90389..316c2b40b 100644
index e7d67cca4..9a4741fa6 100644
--- a/src/lib/krb5/krb/init_ctx.c
+++ b/src/lib/krb5/krb/init_ctx.c
@@ -59,7 +59,6 @@
@ -5642,7 +5644,7 @@ index 0fad90389..316c2b40b 100644
mod_list(ENCTYPE_AES256_CTS_HMAC_SHA1_96, sel, weak, &list);
mod_list(ENCTYPE_AES128_CTS_HMAC_SHA1_96, sel, weak, &list);
diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c
index 8202fe9d3..731281938 100644
index 504eb557f..fc5c886d6 100644
--- a/src/lib/krb5/krb/s4u_creds.c
+++ b/src/lib/krb5/krb/s4u_creds.c
@@ -287,8 +287,6 @@ verify_s4u2self_reply(krb5_context context,
@ -5961,7 +5963,7 @@ index 2279202d3..96b0307d7 100644
/* initial key, w, x, y, T, S, K */
"8846F7EAEE8FB117AD06BDD830B7586C",
diff --git a/src/tests/dejagnu/config/default.exp b/src/tests/dejagnu/config/default.exp
index c24651737..9ef2af745 100644
index b047ef1f7..4d8c917cd 100644
--- a/src/tests/dejagnu/config/default.exp
+++ b/src/tests/dejagnu/config/default.exp
@@ -15,8 +15,6 @@ set timeout 100
@ -5999,7 +6001,7 @@ index c24651737..9ef2af745 100644
{supported_enctypes=aes256-sha2:normal}
{permitted_enctypes(kdc)=aes256-sha2}
{permitted_enctypes(replica)=aes256-sha2}
@@ -154,7 +143,6 @@ set passes {
@@ -146,7 +135,6 @@ set passes {
{
camellia-only
mode=udp
@ -6007,7 +6009,7 @@ index c24651737..9ef2af745 100644
{supported_enctypes=camellia256-cts:normal}
{permitted_enctypes(kdc)=camellia256-cts}
{permitted_enctypes(replica)=camellia256-cts}
@@ -175,32 +163,9 @@ set passes {
@@ -159,32 +147,9 @@ set passes {
{master_key_type=camellia256-cts}
{dummy=[verbose -log "Camellia-256 enctype"]}
}
@ -6040,7 +6042,7 @@ index c24651737..9ef2af745 100644
{allow_weak_crypto(kdc)=false}
{allow_weak_crypto(replica)=false}
{allow_weak_crypto(client)=false}
@@ -962,7 +927,6 @@ proc setup_kerberos_db { standalone } {
@@ -946,7 +911,6 @@ proc setup_kerberos_db { standalone } {
global REALMNAME KDB5_UTIL KADMIN_LOCAL KEY
global tmppwd hostname
global spawn_id
@ -6048,7 +6050,7 @@ index c24651737..9ef2af745 100644
global multipass_name last_passname_db
set failall 0
@@ -1159,48 +1123,6 @@ proc setup_kerberos_db { standalone } {
@@ -1143,48 +1107,6 @@ proc setup_kerberos_db { standalone } {
}
}
@ -6111,7 +6113,7 @@ index f71ee8638..8c08cf42f 100644
# Delete any db, ulog files
delete_db
diff --git a/src/tests/gssapi/t_enctypes.py b/src/tests/gssapi/t_enctypes.py
index ca3d32d21..96d0e7330 100755
index 7494d7fcd..2f95d8996 100755
--- a/src/tests/gssapi/t_enctypes.py
+++ b/src/tests/gssapi/t_enctypes.py
@@ -1,24 +1,17 @@
@ -6137,14 +6139,14 @@ index ca3d32d21..96d0e7330 100755
# These tests make assumptions about the default enctype lists, so set
# them explicitly rather than relying on the library defaults.
-enctypes='aes des3 rc4'
-supp='aes256-cts:normal aes128-cts:normal des3-cbc-sha1:normal rc4-hmac:normal'
+enctypes='aes rc4'
-conf = {'libdefaults': {'permitted_enctypes': 'aes des3 rc4'},
+supp='aes256-cts:normal aes128-cts:normal rc4-hmac:normal'
conf = {'libdefaults': {
'default_tgs_enctypes': enctypes,
'default_tkt_enctypes': enctypes,
@@ -91,19 +84,12 @@ test('both aes128', 'aes128-cts', 'aes128-cts',
+conf = {'libdefaults': {'permitted_enctypes': 'aes rc4'},
'realms': {'$realm': {'supported_enctypes': supp}}}
realm = K5Realm(krb5_conf=conf)
shutil.copyfile(realm.ccache, os.path.join(realm.testdir, 'save'))
@@ -87,19 +80,12 @@ test('both aes128', 'aes128-cts', 'aes128-cts',
test_err('acc aes128', None, 'aes128-cts',
'Encryption type aes256-cts-hmac-sha1-96 not permitted')
@ -6165,7 +6167,7 @@ index ca3d32d21..96d0e7330 100755
# subkey.
test('upgrade noargs', None, None,
tktenc=aes256, tktsession=d_rc4,
@@ -119,13 +105,6 @@ test('upgrade init aes128+rc4', 'aes128-cts rc4', None,
@@ -115,13 +101,6 @@ test('upgrade init aes128+rc4', 'aes128-cts rc4', None,
tktenc=aes256, tktsession=d_rc4,
proto='cfx', isubkey=rc4, asubkey=aes128)
@ -6256,7 +6258,7 @@ index f71774cdc..d1857c433 100644
"3BB3AE288C12B3B9D06B208A4151B3B6",
"9AEA11A3BCF3C53F1F91F5A0BA2132E2501ADF5F3C28"
diff --git a/src/tests/t_authdata.py b/src/tests/t_authdata.py
index 9b41bc0c1..5e6d31302 100644
index 378174a2e..3153ebca3 100644
--- a/src/tests/t_authdata.py
+++ b/src/tests/t_authdata.py
@@ -172,7 +172,7 @@ realm.run([kvno, 'restricted'])
@ -6419,26 +6421,23 @@ index 65084bbf3..55ca89745 100755
# Test using different salt types in a principal's key list.
# Parameters from one key in the list must not leak over to later ones.
diff --git a/src/util/k5test.py b/src/util/k5test.py
index e3614d735..94ab1e71e 100644
index 442a4e4f7..eea92275d 100644
--- a/src/util/k5test.py
+++ b/src/util/k5test.py
@@ -1297,16 +1297,6 @@ _passes = [
@@ -1299,13 +1299,6 @@ _passes = [
# No special settings; exercises AES256.
('default', None, None, None),
- # Exercise the DES3 enctype.
- ('des3', None,
- {'libdefaults': {
- 'default_tgs_enctypes': 'des3',
- 'default_tkt_enctypes': 'des3',
- 'permitted_enctypes': 'des3'}},
- {'libdefaults': {'permitted_enctypes': 'des3'}},
- {'realms': {'$realm': {
- 'supported_enctypes': 'des3-cbc-sha1:normal',
- 'master_key_type': 'des3-cbc-sha1'}}}),
-
# Exercise the arcfour enctype.
('arcfour', None,
{'libdefaults': {
{'libdefaults': {'permitted_enctypes': 'rc4'}},
diff --git a/src/windows/leash/htmlhelp/html/Encryption_Types.htm b/src/windows/leash/htmlhelp/html/Encryption_Types.htm
index 1aebdd0b4..c38eefd2b 100644
--- a/src/windows/leash/htmlhelp/html/Encryption_Types.htm


@ -1,7 +1,7 @@
From 49a03b8bff8399b9259b51da1e034f67878bfad4 Mon Sep 17 00:00:00 2001
From bbdfaec5156307c791804c6eb5ed8c2eefff1318 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:30:53 -0400
Subject: [PATCH] krb5-1.18-beta1-selinux-label.patch
Subject: [PATCH] [downstream] SELinux integration
SELinux bases access to files on the domain of the requesting process,
the operation being performed, and the context applied to the file.
@ -35,6 +35,8 @@ stomp all over us.
The selabel APIs for looking up the context should be thread-safe (per
Red Hat #273081), so switching to using them instead of matchpathcon(),
which we used earlier, is some improvement.
Last-updated: krb5-1.18-beta1
---
src/aclocal.m4 | 48 +++
src/build-tools/krb5-config.in | 3 +-


@ -1,8 +1,10 @@
From 9d887898571744f5ea0a523c7fba9d86d9cf8588 Mon Sep 17 00:00:00 2001
From 6015b8b21da26d4b2845ffad8fee3442402ea709 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Fri, 15 Nov 2019 20:05:16 +0000
Subject: [PATCH] Use backported version of OpenSSL-3 KDF interface
Subject: [PATCH] [downstream] Use backported version of OpenSSL-3 KDF
interface
Last-updated: krb5-1.17
---
src/configure.ac | 4 +
src/lib/crypto/krb/derive.c | 356 +++++++++++++-----


@ -1,11 +1,13 @@
From c26cf6cc3507ba63cb458094b9237ad2231ca5eb Mon Sep 17 00:00:00 2001
From c0eb69736c57f791802ba9d2ce8a2c987bb538ba Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:49:25 -0400
Subject: [PATCH] krb5-1.9-debuginfo.patch
Subject: [PATCH] [downstream] fix debuginfo with y.tab.c
We want to keep these y.tab.c files around because the debuginfo points to
them. It would be more elegant at the end to use symbolic links, but that
could mess up people working in the tree on other things.
Last-updated: krb5-1.9
---
src/kadmin/cli/Makefile.in | 5 +++++
src/plugins/kdb/ldap/ldap_util/Makefile.in | 2 +-


@ -1,7 +1,7 @@
From 9d77eb513f95821f01f12e233e16d4ce50da7d23 Mon Sep 17 00:00:00 2001
From f59ec1fb55c13b0b0da413930d84a7c73019ed2b Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:29:58 -0400
Subject: [PATCH] krb5-1.18beta1-pam.patch
Subject: [PATCH] [downstream] ksu pam integration
Modify ksu so that it performs account and session management on behalf of
the target user account, mimicking the action of regular su. The default
@ -16,6 +16,8 @@ When enabled, ksu gains a dependency on libpam.
Originally RT#5939, though it's changed since then to perform the account
and session management before dropping privileges, and to apply on top of
changes we're proposing for how it handles cache collections.
Last-updated: krb5-1.18-beta1
---
src/aclocal.m4 | 69 +++++++
src/clients/ksu/Makefile.in | 8 +-


@ -1,9 +1,11 @@
From fe90cb8f915e7f43899437e5e2d9a3aebf23ed82 Mon Sep 17 00:00:00 2001
From 080082e5a62475fa10da0f9476cac69231f13de0 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:46:21 -0400
Subject: [PATCH] krb5-1.3.1-dns.patch
Subject: [PATCH] [downstream] netlib and dns
We want to be able to use --with-netlib and --enable-dns at the same time.
Last-updated: krb5-1.3.1
---
src/aclocal.m4 | 1 +
1 file changed, 1 insertion(+)


@ -9,7 +9,7 @@
%global configured_default_ccache_name KEYRING:persistent:%%{uid}
# leave empty or set to e.g., -beta2
%global prerelease -beta1
%global prerelease -beta2
# Should be in form 5.0, 6.1, etc.
%global kdbversion 8.0
@ -18,11 +18,11 @@ Summary: The Kerberos network authentication system
Name: krb5
Version: 1.18
# for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
Release: 0.beta1.1%{?dist}.1
Release: 0.beta2.1%{?dist}
# rharwood has trust path to signing key and verifies on check-in
Source0: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}%{prerelease}.tar.gz
Source1: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}%{prerelease}.tar.gz.asc
Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz
Source1: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz.asc
# Numbering is a relic of old init systems etc. It's easiest to just leave.
Source2: kprop.service
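Review bot: Source0 and Source1 hard-code the release directory, which is how the beta1 spec came to point at dist/krb5/1.17/ for a 1.18 tarball; this hunk corrects the value but keeps the hard-coding. Define the directory once as a macro next to Version and use it in both URLs, so the next version bump cannot leave the tarball and its signature pointing at the wrong release.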
@ -42,14 +42,14 @@ Source39: krb5-krb5kdc.conf
# Carry this locally until it's available in a packaged form.
Source100: noport.c
Patch1: krb5-1.18beta1-pam.patch
Patch2: krb5-1.18-beta1-selinux-label.patch
Patch30: krb5-1.15-beta1-buildconf.patch
Patch31: krb5-1.3.1-dns.patch
Patch34: krb5-1.9-debuginfo.patch
Patch35: krb5-1.18-beta1-Remove-3des-support.patch
Patch169: Use-backported-version-of-OpenSSL-3-KDF-interface.patch
Patch170: krb5-1.17post6-FIPS-with-PRNG-and-RADIUS-and-MD4.patch
Patch0: downstream-ksu-pam-integration.patch
Patch1: downstream-SELinux-integration.patch
Patch2: downstream-Adjust-build-configuration.patch
Patch3: downstream-netlib-and-dns.patch
Patch4: downstream-fix-debuginfo-with-y.tab.c.patch
Patch5: downstream-Remove-3des-support.patch
Patch6: downstream-Use-backported-version-of-OpenSSL-3-KDF-i.patch
Patch7: downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch
License: MIT
URL: https://web.mit.edu/kerberos/www/
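Review bot: Patch6 is named downstream-Use-backported-version-of-OpenSSL-3-KDF-i.patch, cut off mid-word at "KDF-i", and the matching Subject is long enough to wrap onto a second line in the patch header. Shorten the subject so the generated file name is complete, and add a one-line comment above Patch0 stating that downstream-only patches carry the "[downstream]" subject tag and a Last-updated trailer, since the spec is where the next maintainer will look for the convention.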
@ -623,10 +623,11 @@ exit 0
%{_libdir}/libkadm5srv_mit.so.*
%changelog
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.18-0.beta1.1.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Fri Jan 31 2020 Robbie Harwood <rharwood@redhat.com> - 1.18-0.beta2.1
- New upstream beta release - 1.18-beta2
- Adjust naming convention for downstream patches
* Fri Jan 10 2020 Robbie Harwood <rharwood@redhat.com> - 1.18-0beta1.1
* Fri Jan 10 2020 Robbie Harwood <rharwood@redhat.com> - 1.18-0.beta1.1
- New upstream beta release - 1.18-beta1
* Wed Jan 08 2020 Robbie Harwood <rharwood@redhat.com> - 1.17.1-5
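Review bot: as rendered, this %changelog hunk drops the "Wed Jan 29 2020 Fedora Release Engineering" entry for 1.18-0.beta1.1.1 and rewrites the version on the Jan 10 entry from 1.18-0beta1.1 to 1.18-0.beta1.1, and neither change is mentioned in the new changelog text or the commit message. Correcting the Jan 10 version string is reasonable, but keep the Jan 29 entry, since it records a rebuild that the changelog would otherwise no longer account for.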


@ -1,2 +1,2 @@
SHA512 (krb5-1.18-beta1.tar.gz) = e9e622350c9d07bca573d1e416a7277377e85c0f3eab605d3f551f96c5ddc7eb21e8ef2cfadddbac7d9da99a204d738fd22939cfb23d7fcc8166e8ae35a679a4
SHA512 (krb5-1.18-beta1.tar.gz.asc) = b8542e317db89d11ad29bba9bc55f4d294e649b0e8c28b37dde398fed64fa3da394af262225ebefda5e5f3224ba108df21af460837e72a4349ae7e6469e21e43
SHA512 (krb5-1.18-beta2.tar.gz) = 1805c56dd6bde929aeaaf82fe20a3485daef5b2730bd74b92e3351b63d99f96c8523d43c5814b1e65b5c293252df7a70e9584530f49734ccad433d4c6c5a392e
SHA512 (krb5-1.18-beta2.tar.gz.asc) = f437c43e7295365f5dc561b66ec67b90b30c2300ca2c89b2bf0570ad8aa2df4f78f160d0026f3e21b36898d74b5434ce55819d8bdf9b4a535c814cedfdb294b2
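Review bot: these SHA512 lines pin the tarball and its .asc as two independent files, so the only thing tying the tarball to the upstream signature is the spec comment "rharwood has trust path to signing key and verifies on check-in". If %prep does not already do so, ship the upstream keyring as an additional Source and verify Source1 against Source0 during the build, which makes the check repeatable by anyone rebuilding the package.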