New upstream beta release - 1.18-beta2

Adjust naming convention for downstream patches

.gitignore

@@ -179,3 +179,5 @@ krb5-1.8.3-pdf.tar.gz
 /krb5-1.17.1.tar.gz.asc
 /krb5-1.18-beta1.tar.gz
 /krb5-1.18-beta1.tar.gz.asc
+/krb5-1.18-beta2.tar.gz
+/krb5-1.18-beta2.tar.gz.asc

downstream-Adjust-build-configuration.patch

@@ -1,13 +1,15 @@
-From e07920163e88a538e73b4d72db26b74c951b8256 Mon Sep 17 00:00:00 2001
+From 74e18ba4575ed2fbf67dd57c3712f01ecba76932 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 23 Aug 2016 16:45:26 -0400
-Subject: [PATCH] krb5-1.15-beta1-buildconf.patch
+Subject: [PATCH] [downstream] Adjust build configuration
 
 Build binaries in this package as RELRO PIEs, libraries as partial RELRO,
 and install shared libraries with the execute bit set on them.  Prune out
 the -L/usr/lib* and PIE flags where they might leak out and affect
 apps which just want to link with the libraries. FIXME: needs to check and
 not just assume that the compiler supports using these flags.
+
+Last-updated: krb5-1.15-beta1
 ---
  src/build-tools/krb5-config.in | 7 +++++++
  src/config/pre.in              | 2 +-

downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch

@@ -1,7 +1,7 @@
-From ad14cab8d35e6c7edee196708ce5b5516b9bb1f8 Mon Sep 17 00:00:00 2001
+From 494658b52c8aebd7d31d51faa4eb498b6e6843ed Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Fri, 9 Nov 2018 15:12:21 -0500
-Subject: [PATCH] krb5-1.17post6 FIPS with PRNG and RADIUS and MD4
+Subject: [PATCH] [downstream] FIPS with PRNG and RADIUS and MD4
 
 NB: Use openssl's PRNG in FIPS mode and taint within krad.
 
@@ -16,6 +16,8 @@ locks), but not for any ciphers we care about - which is to say that
 AES is fine.  Shame about SPAKE though.
 
 post6 restores MD4 (and therefore keygen-only RC4).
+
+Last-updated: krb5-1.17
 ---
  src/lib/crypto/krb/prng.c                     | 11 ++++-
  .../crypto/openssl/enc_provider/camellia.c    |  6 +++

downstream-Remove-3des-support.patch

@@ -1,12 +1,14 @@
-From d042a0d6ea28c70e87ae342255a0af2bab631ec1 Mon Sep 17 00:00:00 2001
+From 0153147f716b8f8710fd307df54908267779c3a4 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 26 Mar 2019 18:51:10 -0400
-Subject: [PATCH] krb5-1.18-beta1-Remove-3des-support
+Subject: [PATCH] [downstream] Remove 3des support
 
 Completely remove support for all DES3 enctypes (des3-cbc-raw,
 des3-hmac-sha1, des3-cbc-sha1-kd).  Update all tests and documentation
 to user other enctypes.  Mark the 3DES enctypes UNSUPPORTED and retain
 their constants.
+
+Last-updated: 1.18-beta2
 ---
  doc/admin/advanced/retiring-des.rst           |  11 +
  doc/admin/conf_files/kdc_conf.rst             |   7 +-
@@ -102,9 +104,9 @@ their constants.
  src/tests/t_keyrollover.py                    |   8 +-
  src/tests/t_mkey.py                           |  35 --
  src/tests/t_salt.py                           |   5 +-
- src/util/k5test.py                            |  10 -
+ src/util/k5test.py                            |   7 -
  .../leash/htmlhelp/html/Encryption_Types.htm  |  13 -
- 96 files changed, 163 insertions(+), 4837 deletions(-)
+ 96 files changed, 163 insertions(+), 4834 deletions(-)
  delete mode 100644 src/lib/crypto/builtin/des/ISSUES
  delete mode 100644 src/lib/crypto/builtin/des/Makefile.in
  delete mode 100644 src/lib/crypto/builtin/des/d3_aead.c
@@ -194,10 +196,10 @@ index 9759756a2..cf8a12547 100644
  
  While **aes128-cts** and **aes256-cts** are supported for all Kerberos
 diff --git a/doc/admin/enctypes.rst b/doc/admin/enctypes.rst
-index 84183a53c..b3fdc7c8b 100644
+index caf6d9267..65b55cdb9 100644
 --- a/doc/admin/enctypes.rst
 +++ b/doc/admin/enctypes.rst
-@@ -125,7 +125,7 @@ enctype                    weak? krb5     Windows
+@@ -129,7 +129,7 @@ enctype                    weak? krb5     Windows
  des-cbc-crc                weak  <1.18    >=2000
  des-cbc-md4                weak  <1.18    ?
  des-cbc-md5                weak  <1.18    >=2000
@@ -206,7 +208,7 @@ index 84183a53c..b3fdc7c8b 100644
  arcfour-hmac                     >=1.3    >=2000
  arcfour-hmac-exp           weak  >=1.3    >=2000
  aes128-cts-hmac-sha1-96          >=1.3    >=Vista
-@@ -136,7 +136,10 @@ camellia128-cts-cmac             >=1.9    none
+@@ -140,7 +140,10 @@ camellia128-cts-cmac             >=1.9    none
  camellia256-cts-cmac             >=1.9    none
  ========================== ===== ======== =======
  
@@ -267,7 +269,7 @@ index fc5662767..37eda67fa 100644
  .. |copy| unicode:: U+000A9
  '''
 diff --git a/doc/mitK5features.rst b/doc/mitK5features.rst
-index d58c71898..8655e257d 100644
+index a7e55f206..77c095c75 100644
 --- a/doc/mitK5features.rst
 +++ b/doc/mitK5features.rst
 @@ -37,7 +37,7 @@ Database backends: LDAP, DB2, LMDB
@@ -363,7 +365,7 @@ index 8a4b87de1..d7f1d076b 100644
 +		supported_enctypes = aes256-cts:normal aes128-cts:normal aes256-sha2:normal aes128-sha2:normal
  	}
 diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
-index d0fd5d7e1..050672840 100644
+index 221bde1dd..b8d292021 100644
 --- a/src/kdc/kdc_util.c
 +++ b/src/kdc/kdc_util.c
 @@ -1103,8 +1103,6 @@ enctype_name(krb5_enctype ktype, char *buf, size_t buflen)
@@ -375,7 +377,7 @@ index d0fd5d7e1..050672840 100644
      else
          return krb5_enctype_to_name(ktype, FALSE, buf, buflen);
  
-@@ -1839,8 +1837,6 @@ krb5_boolean
+@@ -1841,8 +1839,6 @@ krb5_boolean
  enctype_requires_etype_info_2(krb5_enctype enctype)
  {
      switch(enctype) {
@@ -5621,7 +5623,7 @@ index 2925c1c43..2f76c8b43 100644
      if { ! [cmd {kadm5_destroy $server_handle}]} {
  	perror "$test: unexpected failure in destroy"
 diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c
-index 0fad90389..316c2b40b 100644
+index e7d67cca4..9a4741fa6 100644
 --- a/src/lib/krb5/krb/init_ctx.c
 +++ b/src/lib/krb5/krb/init_ctx.c
 @@ -59,7 +59,6 @@
@@ -5642,7 +5644,7 @@ index 0fad90389..316c2b40b 100644
              mod_list(ENCTYPE_AES256_CTS_HMAC_SHA1_96, sel, weak, &list);
              mod_list(ENCTYPE_AES128_CTS_HMAC_SHA1_96, sel, weak, &list);
 diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c
-index 8202fe9d3..731281938 100644
+index 504eb557f..fc5c886d6 100644
 --- a/src/lib/krb5/krb/s4u_creds.c
 +++ b/src/lib/krb5/krb/s4u_creds.c
 @@ -287,8 +287,6 @@ verify_s4u2self_reply(krb5_context context,
@@ -5961,7 +5963,7 @@ index 2279202d3..96b0307d7 100644
        /* initial key, w, x, y, T, S, K */
        "8846F7EAEE8FB117AD06BDD830B7586C",
 diff --git a/src/tests/dejagnu/config/default.exp b/src/tests/dejagnu/config/default.exp
-index c24651737..9ef2af745 100644
+index b047ef1f7..4d8c917cd 100644
 --- a/src/tests/dejagnu/config/default.exp
 +++ b/src/tests/dejagnu/config/default.exp
 @@ -15,8 +15,6 @@ set timeout 100
@@ -5999,7 +6001,7 @@ index c24651737..9ef2af745 100644
  	{supported_enctypes=aes256-sha2:normal}
  	{permitted_enctypes(kdc)=aes256-sha2}
  	{permitted_enctypes(replica)=aes256-sha2}
-@@ -154,7 +143,6 @@ set passes {
+@@ -146,7 +135,6 @@ set passes {
      {
  	camellia-only
  	mode=udp
@@ -6007,7 +6009,7 @@ index c24651737..9ef2af745 100644
  	{supported_enctypes=camellia256-cts:normal}
  	{permitted_enctypes(kdc)=camellia256-cts}
  	{permitted_enctypes(replica)=camellia256-cts}
-@@ -175,32 +163,9 @@ set passes {
+@@ -159,32 +147,9 @@ set passes {
  	{master_key_type=camellia256-cts}
  	{dummy=[verbose -log "Camellia-256 enctype"]}
      }
@@ -6040,7 +6042,7 @@ index c24651737..9ef2af745 100644
  	{allow_weak_crypto(kdc)=false}
  	{allow_weak_crypto(replica)=false}
  	{allow_weak_crypto(client)=false}
-@@ -962,7 +927,6 @@ proc setup_kerberos_db { standalone } {
+@@ -946,7 +911,6 @@ proc setup_kerberos_db { standalone } {
      global REALMNAME KDB5_UTIL KADMIN_LOCAL KEY
      global tmppwd hostname
      global spawn_id
@@ -6048,7 +6050,7 @@ index c24651737..9ef2af745 100644
      global multipass_name last_passname_db
  
      set failall 0
-@@ -1159,48 +1123,6 @@ proc setup_kerberos_db { standalone } {
+@@ -1143,48 +1107,6 @@ proc setup_kerberos_db { standalone } {
  	}
      }
  
@@ -6111,7 +6113,7 @@ index f71ee8638..8c08cf42f 100644
      # Delete any db, ulog files
      delete_db
 diff --git a/src/tests/gssapi/t_enctypes.py b/src/tests/gssapi/t_enctypes.py
-index ca3d32d21..96d0e7330 100755
+index 7494d7fcd..2f95d8996 100755
 --- a/src/tests/gssapi/t_enctypes.py
 +++ b/src/tests/gssapi/t_enctypes.py
 @@ -1,24 +1,17 @@
@@ -6137,14 +6139,14 @@ index ca3d32d21..96d0e7330 100755
  
  # These tests make assumptions about the default enctype lists, so set
  # them explicitly rather than relying on the library defaults.
--enctypes='aes des3 rc4'
 -supp='aes256-cts:normal aes128-cts:normal des3-cbc-sha1:normal rc4-hmac:normal'
-+enctypes='aes rc4'
+-conf = {'libdefaults': {'permitted_enctypes': 'aes des3 rc4'},
 +supp='aes256-cts:normal aes128-cts:normal rc4-hmac:normal'
- conf = {'libdefaults': {
++conf = {'libdefaults': {'permitted_enctypes': 'aes rc4'},
-         'default_tgs_enctypes': enctypes,
+         'realms': {'$realm': {'supported_enctypes': supp}}}
-         'default_tkt_enctypes': enctypes,
+ realm = K5Realm(krb5_conf=conf)
-@@ -91,19 +84,12 @@ test('both aes128', 'aes128-cts', 'aes128-cts',
+ shutil.copyfile(realm.ccache, os.path.join(realm.testdir, 'save'))
+@@ -87,19 +80,12 @@ test('both aes128', 'aes128-cts', 'aes128-cts',
  test_err('acc aes128', None, 'aes128-cts',
           'Encryption type aes256-cts-hmac-sha1-96 not permitted')
  
@@ -6165,7 +6167,7 @@ index ca3d32d21..96d0e7330 100755
  # subkey.
  test('upgrade noargs', None, None,
       tktenc=aes256, tktsession=d_rc4,
-@@ -119,13 +105,6 @@ test('upgrade init aes128+rc4', 'aes128-cts rc4', None,
+@@ -115,13 +101,6 @@ test('upgrade init aes128+rc4', 'aes128-cts rc4', None,
       tktenc=aes256, tktsession=d_rc4,
       proto='cfx', isubkey=rc4, asubkey=aes128)
  
@@ -6256,7 +6258,7 @@ index f71774cdc..d1857c433 100644
        "3BB3AE288C12B3B9D06B208A4151B3B6",
        "9AEA11A3BCF3C53F1F91F5A0BA2132E2501ADF5F3C28"
 diff --git a/src/tests/t_authdata.py b/src/tests/t_authdata.py
-index 9b41bc0c1..5e6d31302 100644
+index 378174a2e..3153ebca3 100644
 --- a/src/tests/t_authdata.py
 +++ b/src/tests/t_authdata.py
 @@ -172,7 +172,7 @@ realm.run([kvno, 'restricted'])
@@ -6419,26 +6421,23 @@ index 65084bbf3..55ca89745 100755
  # Test using different salt types in a principal's key list.
  # Parameters from one key in the list must not leak over to later ones.
 diff --git a/src/util/k5test.py b/src/util/k5test.py
-index e3614d735..94ab1e71e 100644
+index 442a4e4f7..eea92275d 100644
 --- a/src/util/k5test.py
 +++ b/src/util/k5test.py
-@@ -1297,16 +1297,6 @@ _passes = [
+@@ -1299,13 +1299,6 @@ _passes = [
      # No special settings; exercises AES256.
      ('default', None, None, None),
  
 -    # Exercise the DES3 enctype.
 -    ('des3', None,
--     {'libdefaults': {
+-     {'libdefaults': {'permitted_enctypes': 'des3'}},
--                'default_tgs_enctypes': 'des3',
--                'default_tkt_enctypes': 'des3',
--                'permitted_enctypes': 'des3'}},
 -     {'realms': {'$realm': {
 -                    'supported_enctypes': 'des3-cbc-sha1:normal',
 -                    'master_key_type': 'des3-cbc-sha1'}}}),
 -
      # Exercise the arcfour enctype.
      ('arcfour', None,
-      {'libdefaults': {
+      {'libdefaults': {'permitted_enctypes': 'rc4'}},
 diff --git a/src/windows/leash/htmlhelp/html/Encryption_Types.htm b/src/windows/leash/htmlhelp/html/Encryption_Types.htm
 index 1aebdd0b4..c38eefd2b 100644
 --- a/src/windows/leash/htmlhelp/html/Encryption_Types.htm

downstream-SELinux-integration.patch

@@ -1,7 +1,7 @@
-From 49a03b8bff8399b9259b51da1e034f67878bfad4 Mon Sep 17 00:00:00 2001
+From bbdfaec5156307c791804c6eb5ed8c2eefff1318 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 23 Aug 2016 16:30:53 -0400
-Subject: [PATCH] krb5-1.18-beta1-selinux-label.patch
+Subject: [PATCH] [downstream] SELinux integration
 
 SELinux bases access to files on the domain of the requesting process,
 the operation being performed, and the context applied to the file.
@@ -35,6 +35,8 @@ stomp all over us.
 The selabel APIs for looking up the context should be thread-safe (per
 Red Hat #273081), so switching to using them instead of matchpathcon(),
 which we used earlier, is some improvement.
+
+Last-updated: krb5-1.18-beta1
 ---
  src/aclocal.m4                                |  48 +++
  src/build-tools/krb5-config.in                |   3 +-

downstream-Use-backported-version-of-OpenSSL-3-KDF-i.patch

@@ -1,8 +1,10 @@
-From 9d887898571744f5ea0a523c7fba9d86d9cf8588 Mon Sep 17 00:00:00 2001
+From 6015b8b21da26d4b2845ffad8fee3442402ea709 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Fri, 15 Nov 2019 20:05:16 +0000
-Subject: [PATCH] Use backported version of OpenSSL-3 KDF interface
+Subject: [PATCH] [downstream] Use backported version of OpenSSL-3 KDF
+ interface
 
+Last-updated: krb5-1.17
 ---
  src/configure.ac                              |   4 +
  src/lib/crypto/krb/derive.c                   | 356 +++++++++++++-----

downstream-fix-debuginfo-with-y.tab.c.patch

@@ -1,11 +1,13 @@
-From c26cf6cc3507ba63cb458094b9237ad2231ca5eb Mon Sep 17 00:00:00 2001
+From c0eb69736c57f791802ba9d2ce8a2c987bb538ba Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 23 Aug 2016 16:49:25 -0400
-Subject: [PATCH] krb5-1.9-debuginfo.patch
+Subject: [PATCH] [downstream] fix debuginfo with y.tab.c
 
 We want to keep these y.tab.c files around because the debuginfo points to
 them.  It would be more elegant at the end to use symbolic links, but that
 could mess up people working in the tree on other things.
+
+Last-updated: krb5-1.9
 ---
  src/kadmin/cli/Makefile.in                 | 5 +++++
  src/plugins/kdb/ldap/ldap_util/Makefile.in | 2 +-

downstream-ksu-pam-integration.patch

@@ -1,7 +1,7 @@
-From 9d77eb513f95821f01f12e233e16d4ce50da7d23 Mon Sep 17 00:00:00 2001
+From f59ec1fb55c13b0b0da413930d84a7c73019ed2b Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 23 Aug 2016 16:29:58 -0400
-Subject: [PATCH] krb5-1.18beta1-pam.patch
+Subject: [PATCH] [downstream] ksu pam integration
 
 Modify ksu so that it performs account and session management on behalf of
 the target user account, mimicking the action of regular su.  The default
@@ -16,6 +16,8 @@ When enabled, ksu gains a dependency on libpam.
 Originally RT#5939, though it's changed since then to perform the account
 and session management before dropping privileges, and to apply on top of
 changes we're proposing for how it handles cache collections.
+
+Last-updated: krb5-1.18-beta1
 ---
  src/aclocal.m4              |  69 +++++++
  src/clients/ksu/Makefile.in |   8 +-

downstream-netlib-and-dns.patch

@@ -1,9 +1,11 @@
-From fe90cb8f915e7f43899437e5e2d9a3aebf23ed82 Mon Sep 17 00:00:00 2001
+From 080082e5a62475fa10da0f9476cac69231f13de0 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 23 Aug 2016 16:46:21 -0400
-Subject: [PATCH] krb5-1.3.1-dns.patch
+Subject: [PATCH] [downstream] netlib and dns
 
 We want to be able to use --with-netlib and --enable-dns at the same time.
+
+Last-updated: krb5-1.3.1
 ---
  src/aclocal.m4 | 1 +
  1 file changed, 1 insertion(+)

krb5.spec

@@ -9,7 +9,7 @@
 %global configured_default_ccache_name KEYRING:persistent:%%{uid}
 
 # leave empty or set to e.g., -beta2
-%global prerelease -beta1
+%global prerelease -beta2
 
 # Should be in form 5.0, 6.1, etc.
 %global kdbversion 8.0
@@ -18,11 +18,11 @@ Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.18
 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
-Release: 0.beta1.1%{?dist}.1
+Release: 0.beta2.1%{?dist}
 
 # rharwood has trust path to signing key and verifies on check-in
-Source0: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}%{prerelease}.tar.gz
+Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz
-Source1: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}%{prerelease}.tar.gz.asc
+Source1: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz.asc
 
 # Numbering is a relic of old init systems etc.  It's easiest to just leave.
 Source2: kprop.service
@@ -42,14 +42,14 @@ Source39: krb5-krb5kdc.conf
 # Carry this locally until it's available in a packaged form.
 Source100: noport.c
 
-Patch1: krb5-1.18beta1-pam.patch
+Patch0: downstream-ksu-pam-integration.patch
-Patch2: krb5-1.18-beta1-selinux-label.patch
+Patch1: downstream-SELinux-integration.patch
-Patch30: krb5-1.15-beta1-buildconf.patch
+Patch2: downstream-Adjust-build-configuration.patch
-Patch31: krb5-1.3.1-dns.patch
+Patch3: downstream-netlib-and-dns.patch
-Patch34: krb5-1.9-debuginfo.patch
+Patch4: downstream-fix-debuginfo-with-y.tab.c.patch
-Patch35: krb5-1.18-beta1-Remove-3des-support.patch
+Patch5: downstream-Remove-3des-support.patch
-Patch169: Use-backported-version-of-OpenSSL-3-KDF-interface.patch
+Patch6: downstream-Use-backported-version-of-OpenSSL-3-KDF-i.patch
-Patch170: krb5-1.17post6-FIPS-with-PRNG-and-RADIUS-and-MD4.patch
+Patch7: downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch
 
 License: MIT
 URL: https://web.mit.edu/kerberos/www/
@@ -623,10 +623,11 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*
 
 %changelog
-* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.18-0.beta1.1.1
+* Fri Jan 31 2020 Robbie Harwood <rharwood@redhat.com> - 1.18-0.beta2.1
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+- New upstream beta release - 1.18-beta2
+- Adjust naming convention for downstream patches
 
-* Fri Jan 10 2020 Robbie Harwood <rharwood@redhat.com> - 1.18-0beta1.1
+* Fri Jan 10 2020 Robbie Harwood <rharwood@redhat.com> - 1.18-0.beta1.1
 - New upstream beta release - 1.18-beta1
 
 * Wed Jan 08 2020 Robbie Harwood <rharwood@redhat.com> - 1.17.1-5

sources

@@ -1,2 +1,2 @@
-SHA512 (krb5-1.18-beta1.tar.gz) = e9e622350c9d07bca573d1e416a7277377e85c0f3eab605d3f551f96c5ddc7eb21e8ef2cfadddbac7d9da99a204d738fd22939cfb23d7fcc8166e8ae35a679a4
+SHA512 (krb5-1.18-beta2.tar.gz) = 1805c56dd6bde929aeaaf82fe20a3485daef5b2730bd74b92e3351b63d99f96c8523d43c5814b1e65b5c293252df7a70e9584530f49734ccad433d4c6c5a392e
-SHA512 (krb5-1.18-beta1.tar.gz.asc) = b8542e317db89d11ad29bba9bc55f4d294e649b0e8c28b37dde398fed64fa3da394af262225ebefda5e5f3224ba108df21af460837e72a4349ae7e6469e21e43
+SHA512 (krb5-1.18-beta2.tar.gz.asc) = f437c43e7295365f5dc561b66ec67b90b30c2300ca2c89b2bf0570ad8aa2df4f78f160d0026f3e21b36898d74b5434ce55819d8bdf9b4a535c814cedfdb294b2