New upstream version - 1.17.1

Stop building and packaging PDFs
2019-12-12 18:34:55 +00:00 · 2019-12-12 18:34:55 +00:00 · 9d642021d7
commit 9d642021d7
parent 4aee4bdd71
83 changed files with 195 additions and 920 deletions
--- a/.gitignore
+++ b/.gitignore
@ -175,3 +175,5 @@ krb5-1.8.3-pdf.tar.gz
 /krb5-1.17-pdfs.tar
 /krb5-1.17.tar.gz
 /krb5-1.17.tar.gz.asc
 /krb5-1.17.1.tar.gz
 /krb5-1.17.1.tar.gz.asc
--- a/Add-dns_canonicalize_hostname-fallback-support.patch
+++ b/Add-dns_canonicalize_hostname-fallback-support.patch
@ -1,4 +1,4 @@
-From 947ba07fe50c4bb6188d453fd3f6b0b9ef6d5288 Mon Sep 17 00:00:00 2001
+From b952b5ac5301ed9f4ae49300e90631ae0562b012 Mon Sep 17 00:00:00 2001
 From: Simo Sorce <simo@redhat.com>
 Date: Tue, 4 Dec 2018 15:22:55 -0500
 Subject: [PATCH] Add dns_canonicalize_hostname=fallback support
@ -28,10 +28,10 @@ ticket: 8765 (new)
 10 files changed, 167 insertions(+), 18 deletions(-)
 diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
-index 7b4389f6b..e9f7e8c59 100644
+index 4adb084a6..d1e1a222d 100644
 --- a/doc/admin/conf_files/krb5_conf.rst
 +++ b/doc/admin/conf_files/krb5_conf.rst
-@@ -201,6 +201,10 @@ The libdefaults section may contain any of the following relations:
+@@ -195,6 +195,10 @@ The libdefaults section may contain any of the following relations:
     means that short hostnames will not be canonicalized to
     fully-qualified hostnames.  The default value is true.
--- a/Add-function-and-enctype-flag-for-deprecations.patch
+++ b/Add-function-and-enctype-flag-for-deprecations.patch
@ -1,4 +1,4 @@
-From 15ac04c3e0d02c36643427ac943d344711cd8b50 Mon Sep 17 00:00:00 2001
+From 397ce771e195edf63f796f1cf917bc65b4eafd8c Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 15 Jan 2019 16:16:57 -0500
 Subject: [PATCH] Add function and enctype flag for deprecations
--- a/Add-missing-newlines-to-deprecation-warnings.patch
+++ b/Add-missing-newlines-to-deprecation-warnings.patch
@ -1,4 +1,4 @@
-From 98b86c4f1ca794a18cbe957b6d520380fe424240 Mon Sep 17 00:00:00 2001
+From 6946ea68b719da8434fc4c09b4ed97be91d8464b Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Tue, 21 May 2019 12:52:26 -0400
 Subject: [PATCH] Add missing newlines to deprecation warnings
--- a/Add-soft-pkcs11-source-code.patch
+++ b/Add-soft-pkcs11-source-code.patch
@ -1,4 +1,4 @@
-From d80e1a0f07591c1fedc9cfc2cbb6ab7e54b55287 Mon Sep 17 00:00:00 2001
+From 5ede44dfeffca55c793fe5ea49b438497dff027b Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Thu, 20 Jun 2019 10:45:18 -0400
 Subject: [PATCH] Add soft-pkcs11 source code
--- a/Add-tests-for-KCM-ccache-type.patch
+++ b/Add-tests-for-KCM-ccache-type.patch
@ -1,4 +1,4 @@
-From bb8109eaafe65f323052493f7539c88204799b70 Mon Sep 17 00:00:00 2001
+From 0b63afda1a399a37274021115524db1e65675cb9 Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Thu, 22 Nov 2018 00:27:35 -0500
 Subject: [PATCH] Add tests for KCM ccache type
--- a/Add-zapfreedata-convenience-function.patch
+++ b/Add-zapfreedata-convenience-function.patch
@ -1,4 +1,4 @@
-From 90cf4ccec641d9bc466d4e404d36d486b3573a07 Mon Sep 17 00:00:00 2001
+From b99ba3fa4bc99c2925fa4b509004d694e9d7ac68 Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Thu, 14 Mar 2019 11:26:44 -0400
 Subject: [PATCH] Add zapfreedata() convenience function
--- a/Address-some-optimized-out-memset-calls.patch
+++ b/Address-some-optimized-out-memset-calls.patch
@ -1,4 +1,4 @@
-From 842ffb8cd2f47844346c6a88ff7575c6d131644b Mon Sep 17 00:00:00 2001
+From 95fec44aebd6a4d815f88a0b5a53517c4f3175f4 Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Sun, 30 Dec 2018 16:40:28 -0500
 Subject: [PATCH] Address some optimized-out memset() calls
@ -60,10 +60,10 @@ index bb1072fe4..47c161ec9 100644
     iah.cookie = cookie;
 diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
-index 21c53ece1..9ab2c5a74 100644
+index 8582bbc56..be0922101 100644
 --- a/src/lib/kadm5/srv/svr_principal.c
 +++ b/src/lib/kadm5/srv/svr_principal.c
-@@ -2093,14 +2093,8 @@ static int decrypt_key_data(krb5_context context,
+@@ -2097,14 +2097,8 @@ static int decrypt_key_data(krb5_context context,
         ret = krb5_dbe_decrypt_key_data(context, NULL, &key_data[i], &keys[i],
                                         NULL);
         if (ret) {
--- a/Avoid-alignment-warnings-in-openssl-rc4.c.patch
+++ b/Avoid-alignment-warnings-in-openssl-rc4.c.patch
@ -1,4 +1,4 @@
-From ceb6a10c14ec83b0d4d1bb6f792917e6945995d6 Mon Sep 17 00:00:00 2001
+From 399b9ed8ef199b6280bf4d6564928c79a3611cc5 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Mon, 6 May 2019 15:14:49 -0400
 Subject: [PATCH] Avoid alignment warnings in openssl rc4.c
--- a/Avoid-allocating-a-register-in-zap-assembly.patch
+++ b/Avoid-allocating-a-register-in-zap-assembly.patch
@ -1,4 +1,4 @@
-From df3bfd244f8b4601f8750599270eb98cadccdafe Mon Sep 17 00:00:00 2001
+From c896facca7dd9d0fbbd561d3a723a90216821b72 Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn@samba.org>
 Date: Thu, 3 Jan 2019 17:19:32 +0100
 Subject: [PATCH] Avoid allocating a register in zap() assembly
@ -17,7 +17,7 @@ Also add explicit_bzero() (glibc, FreeBSD) and explicit_memset()
 2 files changed, 6 insertions(+), 2 deletions(-)
 diff --git a/src/configure.in b/src/configure.in
-index 93aec682e..7c309a26b 100644
+index feae21c3e..505dabb02 100644
 --- a/src/configure.in
 +++ b/src/configure.in
@@ -421,7 +421,7 @@ AC_PROG_LEX
--- a/Check-more-errors-in-OpenSSL-crypto-backend.patch
+++ b/Check-more-errors-in-OpenSSL-crypto-backend.patch
@ -1,4 +1,4 @@
-From 8eee70cc192adf9c0c11061c48d708e0157a9399 Mon Sep 17 00:00:00 2001
+From 57e48b63b1f0b34861c66fb24dafc0feb524f47c Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Mon, 22 Apr 2019 14:26:42 -0400
 Subject: [PATCH] Check more errors in OpenSSL crypto backend
--- a/Clarify-header-comment-for-krb5_cc_start_seq_get.patch
+++ b/Clarify-header-comment-for-krb5_cc_start_seq_get.patch
@ -1,4 +1,4 @@
-From eb8d1bbf210b159384859dd482657a31de80a787 Mon Sep 17 00:00:00 2001
+From 037981b197a6046574539ec405cc1d67b9f22473 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 2 Apr 2019 14:18:57 -0400
 Subject: [PATCH] Clarify header comment for krb5_cc_start_seq_get()
--- a/Clear-forwardable-flag-instead-of-denying-request.patch
+++ b/Clear-forwardable-flag-instead-of-denying-request.patch
@ -1,4 +1,4 @@
-From 24d3008698d6c654ab079413583c9f1359ad8f59 Mon Sep 17 00:00:00 2001
+From 54b5eceb45db9cf6ff86eea5efebba66cf48153e Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Thu, 15 Nov 2018 13:40:43 -0500
 Subject: [PATCH] Clear forwardable flag instead of denying request
--- a/Display-unsupported-enctype-names.patch
+++ b/Display-unsupported-enctype-names.patch
@ -1,4 +1,4 @@
-From 756e069368719f53444b5a819753fdeda5561994 Mon Sep 17 00:00:00 2001
+From c8b24f222719df0c4b9815d26019ad96c551ec81 Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Tue, 21 May 2019 13:34:39 -0400
 Subject: [PATCH] Display unsupported enctype names
--- a/Don-t-error-on-invalid-enctypes-in-keytab.patch
+++ b/Don-t-error-on-invalid-enctypes-in-keytab.patch
@ -1,4 +1,4 @@
-From 261e67018b25412c53a290c429612bb55569428e Mon Sep 17 00:00:00 2001
+From d39897c46818f990eb7752573c309b97d90a983e Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Wed, 10 Jul 2019 17:10:16 -0400
 Subject: [PATCH] Don't error on invalid enctypes in keytab
--- a/Filter-enctypes-in-gss_set_allowable_enctypes.patch
+++ b/Filter-enctypes-in-gss_set_allowable_enctypes.patch
@ -1,4 +1,4 @@
-From 675edf995b497d681732a2909df21d8e4fe11e07 Mon Sep 17 00:00:00 2001
+From 073c20a214df8b416b8d848412256c57feb43ef0 Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Tue, 16 Jul 2019 00:15:42 -0400
 Subject: [PATCH] Filter enctypes in gss_set_allowable_enctypes()
--- a/Fix-Coverity-defects-in-soft-pkcs11-test-code.patch
+++ b/Fix-Coverity-defects-in-soft-pkcs11-test-code.patch
@ -1,4 +1,4 @@
-From 0acc96dccbb4f4e75584ee39239da392b919f5f8 Mon Sep 17 00:00:00 2001
+From 14bc517f1fbd0bc7b3a6137871c167c595747a3e Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Sat, 20 Jul 2019 00:51:52 -0400
 Subject: [PATCH] Fix Coverity defects in soft-pkcs11 test code
--- a/Fix-KCM-client-time-offset-propagation.patch
+++ b/Fix-KCM-client-time-offset-propagation.patch
@ -1,32 +0,0 @@
 From 48dd1debf9bd7b04195aeb435d54eefde39bc35e Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Wed, 14 Aug 2019 13:52:27 -0400
 Subject: [PATCH] Fix KCM client time offset propagation
 An inverted status check in get_kdc_offset() would cause querying the
 offset time from the ccache to always fail (silently) on KCM.  Fix the
 status check so that KCM can properly handle desync.
 ticket: 8826 (new)
 tags: pullup
 target_version: 1.17-next
 target_verison: 1.16-next
 (cherry picked from commit 323abb6d1ebe5469d6c2167c29aa5d696d099b90)
 ---
 src/lib/krb5/ccache/cc_kcm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/lib/krb5/ccache/cc_kcm.c b/src/lib/krb5/ccache/cc_kcm.c
 index 092ab7daf..fe93ca3dc 100644
 --- a/src/lib/krb5/ccache/cc_kcm.c
 +++ b/src/lib/krb5/ccache/cc_kcm.c
@@ -583,7 +583,7 @@ get_kdc_offset(krb5_context context, krb5_ccache cache)
     if (cache_call(context, cache, &req, FALSE) != 0)
         goto cleanup;
     time_offset = k5_input_get_uint32_be(&req.reply);
 -    if (!req.reply.status)
 +    if (req.reply.status)
         goto cleanup;
     context->os_context.time_offset = time_offset;
     context->os_context.usec_offset = 0;
--- a/Fix-KDC-crash-when-logging-PKINIT-enctypes.patch
+++ b/Fix-KDC-crash-when-logging-PKINIT-enctypes.patch
@ -1,4 +1,4 @@
-From fd25fce46c2454b7386d2725dba493471a2e3fe8 Mon Sep 17 00:00:00 2001
+From 2f939727e531f04a24b687b9807b2e23599a2e4f Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Wed, 25 Sep 2019 12:57:56 -0400
 Subject: [PATCH] Fix KDC crash when logging PKINIT enctypes
--- a/Fix-config-realm-change-logic-in-FILE-remove_cred.patch
+++ b/Fix-config-realm-change-logic-in-FILE-remove_cred.patch
@ -1,4 +1,4 @@
-From 508863ce900694d4a78af60361e23be59143aac8 Mon Sep 17 00:00:00 2001
+From bde05bf227939691855c025ce3c79cda07093fa7 Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Tue, 16 Apr 2019 10:47:35 -0400
 Subject: [PATCH] Fix config realm change logic in FILE remove_cred
--- a/Fix-kadmin-addprinc-randkey-kvno.patch
+++ b/Fix-kadmin-addprinc-randkey-kvno.patch
@ -1,45 +0,0 @@
 From 5e0baa51f69ae9f67865d808213bda5872ee7dc6 Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Sat, 16 Nov 2019 19:54:51 -0500
 Subject: [PATCH] Fix kadmin addprinc -randkey -kvno
 Commit f07bca9fc94a5cf2e3c0f58226c7973a4b86b7a9 made addprinc -randkey
 use a single RPC request, but the server-side handling always creates
 the random keys with kvno 1.  If a kvno is specified in the RPC
 request, set the kvno of the key data after creating it.  Reported by
 Andreas Ladanyi.
 ticket: 8848
 tags: pullup
 target_version: 1.17-next
 target_version: 1.16-next
 (cherry picked from commit 462e85208d57b8d4120c99e801fbd156b9ccf16f)
 ---
 src/lib/kadm5/srv/svr_principal.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
 diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
 index 48cac0c11..a1ecdbfc4 100644
 --- a/src/lib/kadm5/srv/svr_principal.c
 +++ b/src/lib/kadm5/srv/svr_principal.c
@@ -302,7 +302,7 @@ kadm5_create_principal_3(void *server_handle,
     kadm5_server_handle_t handle = server_handle;
     krb5_keyblock               *act_mkey;
     krb5_kvno                   act_kvno;
 -    int                         new_n_ks_tuple = 0;
 +    int                         new_n_ks_tuple = 0, i;
     krb5_key_salt_tuple         *new_ks_tuple = NULL;
     CHECK_HANDLE(server_handle);
@@ -468,6 +468,10 @@ kadm5_create_principal_3(void *server_handle,
         /* Null password means create with random key (new in 1.8). */
         ret = krb5_dbe_crk(handle->context, &master_keyblock,
                            new_ks_tuple, new_n_ks_tuple, FALSE, kdb);
 +        if (mask & KADM5_KVNO) {
 +            for (i = 0; i < kdb->n_key_data; i++)
 +                kdb->key_data[i].key_data_kvno = entry->kvno;
 +        }
     }
     if (ret)
         goto cleanup;
--- a/Fix-memory-leak-in-none-replay-cache-type.patch
+++ b/Fix-memory-leak-in-none-replay-cache-type.patch
@ -1,33 +0,0 @@
 From 0bb94eb7c3b231279d8ded0484ecea10ebe89302 Mon Sep 17 00:00:00 2001
 From: Corene Casper <C.Casper@Dell.com>
 Date: Sat, 16 Feb 2019 00:49:26 -0500
 Subject: [PATCH] Fix memory leak in 'none' replay cache type
 Commit 0f06098e2ab419d02e89a1ca6bc9f2828f6bdb1e fixed part of a memory
 leak in the 'none' replay cache type by freeing the outer container,
 but we also need to free the mutex.
 [ghudson@mit.edu: wrote commit message]
 ticket: 8783
 tags: pullup
 target_version: 1.17-next
 target_version: 1.16-next
 (cherry picked from commit af2a3115cb8feb5174151b4b40223ae45aa9db17)
 ---
 src/lib/krb5/rcache/rc_none.c | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/src/lib/krb5/rcache/rc_none.c b/src/lib/krb5/rcache/rc_none.c
 index e30aed09f..0b2274df7 100644
 --- a/src/lib/krb5/rcache/rc_none.c
 +++ b/src/lib/krb5/rcache/rc_none.c
@@ -50,6 +50,7 @@ krb5_rc_none_noargs(krb5_context ctx, krb5_rcache rc)
 static krb5_error_code KRB5_CALLCONV
 krb5_rc_none_close(krb5_context ctx, krb5_rcache rc)
 {
 +    k5_mutex_destroy(&rc->lock);
     free (rc);
     return 0;
 }
--- a/Fix-memory-leaks-in-soft-pkcs11-code.patch
+++ b/Fix-memory-leaks-in-soft-pkcs11-code.patch
@ -1,4 +1,4 @@
-From 8087bdce8a5e9912f693ab199198a5bf4db54001 Mon Sep 17 00:00:00 2001
+From b0acd2918e673a60a88cfed9fe7da08fb7fc4987 Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Mon, 5 Aug 2019 01:53:51 -0400
 Subject: [PATCH] Fix memory leaks in soft-pkcs11 code
--- a/Fix-minor-errors-in-softpkcs11.patch
+++ b/Fix-minor-errors-in-softpkcs11.patch
@ -1,4 +1,4 @@
-From 0d27dbf488547b9ca6780f23e5e40fa820928385 Mon Sep 17 00:00:00 2001
+From 343068058951e343179156e895c7483ab8194236 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Fri, 8 Nov 2019 14:28:56 -0500
 Subject: [PATCH] Fix minor errors in softpkcs11
--- a/Fix-potential-close-1-in-cc_file.c.patch
+++ b/Fix-potential-close-1-in-cc_file.c.patch
@ -1,4 +1,4 @@
-From 5917d1d1a51c2a4b243661710b3107b1bc43fff0 Mon Sep 17 00:00:00 2001
+From 20e18b31bac004c13b7f2b5b1e67e80730481aea Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Thu, 18 Apr 2019 13:39:37 -0400
 Subject: [PATCH] Fix potential close(-1) in cc_file.c
--- a/Fix-some-return-code-handling-bugs.patch
+++ b/Fix-some-return-code-handling-bugs.patch
@ -1,103 +0,0 @@
 From 3612a7873e5e07b51d47c6c38f8a83e0b3d51e20 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Thu, 2 May 2019 14:05:38 -0400
 Subject: [PATCH] Fix some return code handling bugs
 Fix five cases where return codes could be set (in unlikely cases) but
 did not result in error exits.
 [ghudson@mit.edu: squashed commits and rewrote commit message]
 ticket: 8801 (new)
 tags: pullup
 target_version: 1.17-next
 target_version: 1.16-next
 (cherry picked from commit 7c26740f9df3c79c3f01c3a4dda4d9dabba5298d)
 ---
 src/kdc/fast_util.c               | 16 ++++++++--------
 src/lib/gssapi/krb5/k5unsealiov.c |  1 +
 src/lib/kadm5/clnt/client_init.c  |  3 +++
 src/tests/gssapi/t_pcontok.c      |  1 +
 4 files changed, 13 insertions(+), 8 deletions(-)
 diff --git a/src/kdc/fast_util.c b/src/kdc/fast_util.c
 index 6a3fc11b9..c9ba83e5e 100644
 --- a/src/kdc/fast_util.c
 +++ b/src/kdc/fast_util.c
@@ -47,9 +47,10 @@ static krb5_error_code armor_ap_request
     if (retval == 0)
         retval = krb5_auth_con_setflags(kdc_context,
                                         authcontext, 0); /*disable replay cache*/
 -    retval = krb5_rd_req(kdc_context, &authcontext,
 -                         &armor->armor_value, NULL /*server*/,
 -                         kdc_active_realm->realm_keytab,  NULL, &ticket);
 +    if (retval == 0)
 +        retval = krb5_rd_req(kdc_context, &authcontext, &armor->armor_value,
 +                             NULL /*server*/, kdc_active_realm->realm_keytab,
 +                             NULL, &ticket);
     if (retval != 0) {
         const char * errmsg = krb5_get_error_message(kdc_context, retval);
         k5_setmsg(kdc_context, retval, _("%s while handling ap-request armor"),
@@ -132,7 +133,7 @@ kdc_find_fast(krb5_kdc_req **requestptr,
 {
     krb5_error_code retval = 0;
     krb5_pa_data *fast_padata;
 -    krb5_data scratch, *inner_body = NULL;
 +    krb5_data scratch, plaintext, *inner_body = NULL;
     krb5_fast_req * fast_req = NULL;
     krb5_kdc_req *request = *requestptr;
     krb5_fast_armored_req *fast_armored_req = NULL;
@@ -183,11 +184,10 @@ kdc_find_fast(krb5_kdc_req **requestptr,
             }
         }
         if (retval == 0) {
 -            krb5_data plaintext;
             plaintext.length = fast_armored_req->enc_part.ciphertext.length;
 -            plaintext.data = malloc(plaintext.length);
 -            if (plaintext.data == NULL)
 -                retval = ENOMEM;
 +            plaintext.data = k5alloc(plaintext.length, &retval);
 +        }
 +        if (retval == 0) {
             retval = krb5_c_decrypt(kdc_context,
                                     state->armor_key,
                                     KRB5_KEYUSAGE_FAST_ENC, NULL,
 diff --git a/src/lib/gssapi/krb5/k5unsealiov.c b/src/lib/gssapi/krb5/k5unsealiov.c
 index 8b6704274..f15d2db69 100644
 --- a/src/lib/gssapi/krb5/k5unsealiov.c
 +++ b/src/lib/gssapi/krb5/k5unsealiov.c
@@ -281,6 +281,7 @@ kg_unseal_v1_iov(krb5_context context,
         (!ctx->initiate && direction != 0)) {
         *minor_status = (OM_uint32)G_BAD_DIRECTION;
         retval = GSS_S_BAD_SIG;
 +        goto cleanup;
     }
     code = 0;
 diff --git a/src/lib/kadm5/clnt/client_init.c b/src/lib/kadm5/clnt/client_init.c
 index 6f10db018..aa08918e2 100644
 --- a/src/lib/kadm5/clnt/client_init.c
 +++ b/src/lib/kadm5/clnt/client_init.c
@@ -465,6 +465,9 @@ gic_iter(kadm5_server_handle_t handle, enum init_type init_type,
     /* Credentials for kadmin don't need to be forwardable or proxiable. */
     if (init_type != INIT_CREDS) {
         code = krb5_get_init_creds_opt_alloc(ctx, &opt);
 +        if (code)
 +            goto error;
 +
         krb5_get_init_creds_opt_set_forwardable(opt, 0);
         krb5_get_init_creds_opt_set_proxiable(opt, 0);
         krb5_get_init_creds_opt_set_out_ccache(ctx, opt, ccache);
 diff --git a/src/tests/gssapi/t_pcontok.c b/src/tests/gssapi/t_pcontok.c
 index b966f8129..c40ea434c 100644
 --- a/src/tests/gssapi/t_pcontok.c
 +++ b/src/tests/gssapi/t_pcontok.c
@@ -126,6 +126,7 @@ make_delete_token(gss_krb5_lucid_context_v1_t *lctx, gss_buffer_desc *out)
         iov.flags = KRB5_CRYPTO_TYPE_DATA;
         iov.data = make_data(cksum.contents, 16);
         ret = krb5_k_encrypt_iov(context, seq, 0, NULL, &iov, 1);
 +        check_k5err(context, "krb5_k_encrypt_iov", ret);
         memcpy(ptr + 8, cksum.contents + 8, 8);
     } else {
         memcpy(ptr + 8, cksum.contents, cksize);
--- a/Implement-krb5_cc_remove_cred-for-remaining-types.patch
+++ b/Implement-krb5_cc_remove_cred-for-remaining-types.patch
@ -1,4 +1,4 @@
-From 43e56c3442e7601a6e041a010f0ca9acb6021d8f Mon Sep 17 00:00:00 2001
+From adeba65ff738184656bb9589e1e3ffb079d3adf0 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Mon, 1 Apr 2019 14:28:48 -0400
 Subject: [PATCH] Implement krb5_cc_remove_cred for remaining types
--- a/Improve-error-messages-from-kadmin-change_password.patch
+++ b/Improve-error-messages-from-kadmin-change_password.patch
@ -1,4 +1,4 @@
-From 3f5781029e48d7f2f5a694a4d3e19691eefde87f Mon Sep 17 00:00:00 2001
+From 69a09fc7c76f443f08c437043d689669d39f46ca Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Mon, 6 May 2019 13:13:16 -0400
 Subject: [PATCH] Improve error messages from kadmin change_password
--- a/In-kpropd-debug-log-proper-ticket-enctype-names.patch
+++ b/In-kpropd-debug-log-proper-ticket-enctype-names.patch
@ -1,4 +1,4 @@
-From d1bbb1c98c3c2deb3713959281a3eee2b5019480 Mon Sep 17 00:00:00 2001
+From bcd727fc66e9213e7b6ea4d22f781812033789ba Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 15 Jan 2019 13:41:16 -0500
 Subject: [PATCH] In kpropd, debug-log proper ticket enctype names
--- a/In-rd_req_dec-always-log-non-permitted-enctypes.patch
+++ b/In-rd_req_dec-always-log-non-permitted-enctypes.patch
@ -1,4 +1,4 @@
-From 803290c5773eb2e6a344f0ad0a01645e30c79031 Mon Sep 17 00:00:00 2001
+From 7710ba9b6d48ae82a2b2559131c6a8da802a4c0d Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Mon, 14 Jan 2019 17:14:42 -0500
 Subject: [PATCH] In rd_req_dec, always log non-permitted enctypes
--- a/Initialize-life-rlife-in-kdcpolicy-interface.patch
+++ b/Initialize-life-rlife-in-kdcpolicy-interface.patch
@ -1,41 +0,0 @@
 From 17d1dbd3b2eb3961c061b140f8a7641405e59d44 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Fri, 9 Aug 2019 14:07:22 -0400
 Subject: [PATCH] Initialize life/rlife in kdcpolicy interface
 A value of 0 indicates that the plugin doesn't wish to modify lifetimes.
 Make this the default, rather than requiring all plugins to set these
 values themselves.
 ticket: 8824 (new)
 tags: pullup
 target_version: 1.17-next
 target_version: 1.16-next
 (cherry picked from commit d81c5870013240c04642c8e0cb994b4c49e40ddf)
 ---
 src/kdc/policy.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/src/kdc/policy.c b/src/kdc/policy.c
 index 26c16f97c..a3ff556c5 100644
 --- a/src/kdc/policy.c
 +++ b/src/kdc/policy.c
@@ -106,7 +106,7 @@ check_kdcpolicy_as(krb5_context context, const krb5_kdc_req *request,
                    krb5_data *const *auth_indicators, krb5_timestamp kdc_time,
                    krb5_ticket_times *times, const char **status)
 {
 -    krb5_deltat life, rlife;
 +    krb5_deltat life = 0, rlife = 0;
     krb5_error_code ret;
     kdcpolicy_handle *hp, h;
     char **ais = NULL;
@@ -146,7 +146,7 @@ check_kdcpolicy_tgs(krb5_context context, const krb5_kdc_req *request,
                     krb5_data *const *auth_indicators, krb5_timestamp kdc_time,
                     krb5_ticket_times *times, const char **status)
 {
 -    krb5_deltat life, rlife;
 +    krb5_deltat life = 0, rlife = 0;
     krb5_error_code ret;
     kdcpolicy_handle *hp, h;
     char **ais = NULL;
--- a/Initialize-some-data-structure-magic-fields.patch
+++ b/Initialize-some-data-structure-magic-fields.patch
@ -1,4 +1,4 @@
-From e4e58539348e886f9ac39881d576c7512fc37a2b Mon Sep 17 00:00:00 2001
+From 3f8434553e5bc3551c7be651de196caf98647cf3 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Thu, 2 May 2019 13:36:38 -0400
 Subject: [PATCH] Initialize some data structure magic fields
--- a/Log-unknown-enctypes-as-unsupported-in-KDC.patch
+++ b/Log-unknown-enctypes-as-unsupported-in-KDC.patch
@ -1,4 +1,4 @@
-From 78e9d11d8a6c05218d18b9b200d1de888a95503c Mon Sep 17 00:00:00 2001
+From f4681ed7ec9f22fdbacc5c58a9f12ef567601267 Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Fri, 27 Sep 2019 16:55:37 -0400
 Subject: [PATCH] Log unknown enctypes as unsupported in KDC
--- a/Make-etype-names-in-KDC-logs-human-readable.patch
+++ b/Make-etype-names-in-KDC-logs-human-readable.patch
@ -1,4 +1,4 @@
-From a50161ee09ef887493afcf5f3901f9d0a9c20fc5 Mon Sep 17 00:00:00 2001
+From 87e5a350db1c18a92427a2a7645cc53d5813672d Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 8 Jan 2019 17:42:35 -0500
 Subject: [PATCH] Make etype names in KDC logs human-readable
--- a/Mark-deprecated-enctypes-when-used.patch
+++ b/Mark-deprecated-enctypes-when-used.patch
@ -1,4 +1,4 @@
-From de5bdedc1d27ee3e9ff7072614ea1316064b222a Mon Sep 17 00:00:00 2001
+From 8e3b86c1e7bdd12c649127a8a44e5a269b5b4453 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Thu, 10 Jan 2019 16:34:54 -0500
 Subject: [PATCH] Mark deprecated enctypes when used
--- a/Mark-the-doc-kadm5-tex-files-as-historic.patch
+++ b/Mark-the-doc-kadm5-tex-files-as-historic.patch
@ -1,4 +1,4 @@
-From 4ebd1454a32df78d10c7de4c09ac8dc8ebb4f41b Mon Sep 17 00:00:00 2001
+From d8a20291fca962dfc88e396f2a60e41ede62be46 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Thu, 11 Apr 2019 18:33:04 -0400
 Subject: [PATCH] Mark the doc/kadm5 tex files as historic
--- a/Modernize-example-enctypes-in-documentation.patch
+++ b/Modernize-example-enctypes-in-documentation.patch
@ -1,10 +1,11 @@
-From c547bf2cae39d503de3ac3670d99b2cc324c6567 Mon Sep 17 00:00:00 2001
+From b90cdec363eae38cb2ea40d40668e3fbc83edeb8 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Thu, 11 Apr 2019 18:25:41 -0400
 Subject: [PATCH] Modernize example enctypes in documentation
 ticket: 8805 (new)
 (cherry picked from commit ccb4a3e4b35fa9ea63af0e98a42eba4aadb099e2)
 [rharwood@redhat.com: release version conflict in man pages]
 ---
 doc/admin/admin_commands/kadmin_local.rst     |  8 ++++----
 doc/admin/admin_commands/kdb5_util.rst        | 10 +++++-----
@ -70,7 +71,7 @@ index 7dd54f797..444c58bcd 100644
 ENVIRONMENT
 diff --git a/doc/admin/database.rst b/doc/admin/database.rst
-index 113a680a6..0eb5ccde7 100644
+index 33895b857..cea60b009 100644
 --- a/doc/admin/database.rst
 +++ b/doc/admin/database.rst
@@ -483,7 +483,7 @@ availability.  To roll over the master key, follow these steps:
@ -126,13 +127,13 @@ index 5d1e70ede..3bec59f96 100644
         type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
 diff --git a/src/man/kadmin.man b/src/man/kadmin.man
-index 849677258..44859a378 100644
+index 3c4f013fb..44859a378 100644
 --- a/src/man/kadmin.man
 +++ b/src/man/kadmin.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KADMIN" "1" " " "1.17" "MIT Kerberos"
+-.TH "KADMIN" "1" " " "1.17.1" "MIT Kerberos"
 +.TH "KADMIN" "1" " " "1.18" "MIT Kerberos"
 .SH NAME
 kadmin \- Kerberos V5 database administration program
--- a/Modernize-exit-path-in-gss_krb5int_copy_ccache.patch
+++ b/Modernize-exit-path-in-gss_krb5int_copy_ccache.patch
@ -1,4 +1,4 @@
-From 8fe3c4bde435c68a74c8075661a432cd1d3c17b9 Mon Sep 17 00:00:00 2001
+From 762241d6dbcb7b90ecf6a7352553465c30fcab74 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Thu, 2 May 2019 14:32:33 -0400
 Subject: [PATCH] Modernize exit path in gss_krb5int_copy_ccache()
--- a/Properly-size-ifdef-in-k5_cccol_lock.patch
+++ b/Properly-size-ifdef-in-k5_cccol_lock.patch
@ -1,4 +1,4 @@
-From 916861d361be090965e1b4df4f60fce64206cf79 Mon Sep 17 00:00:00 2001
+From c1b4612565658d64940ba4760e0b47afd21e718f Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Thu, 14 Feb 2019 11:50:35 -0500
 Subject: [PATCH] Properly size #ifdef in k5_cccol_lock()
--- a/Qualify-short-hostnames-when-not-using-DNS.patch
+++ b/Qualify-short-hostnames-when-not-using-DNS.patch
@ -1,309 +0,0 @@
 From 35160d8bf1aa1464d7e757c73ed11644478cc4d4 Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Fri, 29 Nov 2019 20:39:38 -0500
 Subject: [PATCH] Qualify short hostnames when not using DNS
 When DNS forward canonicalization is turned off or fails, qualify
 single-component hostnames with the first DNS search domain.  Add the
 qualify_shortname relation to override this suffix.
 For one of the tests we need to disable qualification, which is
 accomplished with an empty value.  Adjust k5test.py to correctly emit
 empty values when writing profiles.
 ticket: 8855 (new)
 (cherry picked from commit 996353767fe8afa7f67a3b5b465e4d70e18bad7c)
 ---
 doc/admin/conf_files/krb5_conf.rst |  9 +++++++
 src/include/k5-int.h               |  1 +
 src/lib/krb5/os/dnsglue.c          | 23 ++++++++++++++++
 src/lib/krb5/os/os-proto.h         |  2 ++
 src/lib/krb5/os/sn2princ.c         | 43 +++++++++++++++++++++++++++++-
 src/tests/gssapi/t_ccselect.py     |  5 ++--
 src/tests/t_sn2princ.py            | 12 ++++++---
 src/util/k5test.py                 | 34 ++++++++++++-----------
 8 files changed, 106 insertions(+), 23 deletions(-)
 diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
 index 89f02434b..582ac8df0 100644
 --- a/doc/admin/conf_files/krb5_conf.rst
 +++ b/doc/admin/conf_files/krb5_conf.rst
@@ -308,6 +308,15 @@ The libdefaults section may contain any of the following relations:
     If this flag is true, initial tickets will be proxiable by
     default, if allowed by the KDC.  The default value is false.
 +**qualify_shortname**
 +    If this string is set, it determines the domain suffix for
 +    single-component hostnames when DNS canonicalization is not used
 +    (either because **dns_canonicalize_hostname** is false or because
 +    forward canonicalization failed).  The default value is the first
 +    search domain of the system's DNS configuration.  To disable
 +    qualification of shortnames, set this relation to the empty string
 +    with ``qualify_shortname = ""``.  (New in release 1.18.)
 +
 **rdns**
     If this flag is true, reverse name lookup will be used in addition
     to forward name lookup to canonicalizing hostnames for use in
 diff --git a/src/include/k5-int.h b/src/include/k5-int.h
 index cb328785d..7458319fa 100644
 --- a/src/include/k5-int.h
 +++ b/src/include/k5-int.h
@@ -280,6 +280,7 @@ typedef unsigned char   u_char;
 #define KRB5_CONF_PLUGIN_BASE_DIR              "plugin_base_dir"
 #define KRB5_CONF_PREFERRED_PREAUTH_TYPES      "preferred_preauth_types"
 #define KRB5_CONF_PROXIABLE                    "proxiable"
 +#define KRB5_CONF_QUALIFY_SHORTNAME            "qualify_shortname"
 #define KRB5_CONF_RDNS                         "rdns"
 #define KRB5_CONF_REALMS                       "realms"
 #define KRB5_CONF_REALM_TRY_DOMAINS            "realm_try_domains"
 diff --git a/src/lib/krb5/os/dnsglue.c b/src/lib/krb5/os/dnsglue.c
 index 59ff92963..e35ca9d76 100644
 --- a/src/lib/krb5/os/dnsglue.c
 +++ b/src/lib/krb5/os/dnsglue.c
@@ -71,6 +71,7 @@ static int initparse(struct krb5int_dns_state *);
  * Define macros to use the best available DNS search functions.  INIT_HANDLE()
  * returns true if handle initialization is successful, false if it is not.
  * SEARCH() returns the length of the response or -1 on error.
 + * PRIMARY_DOMAIN() returns the first search domain in allocated memory.
  * DECLARE_HANDLE() must be used last in the declaration list since it may
  * evaluate to nothing.
  */
@@ -81,6 +82,7 @@ static int initparse(struct krb5int_dns_state *);
 #define DECLARE_HANDLE(h) dns_handle_t h
 #define INIT_HANDLE(h) ((h = dns_open(NULL)) != NULL)
 #define SEARCH(h, n, c, t, a, l) dns_search(h, n, c, t, a, l, NULL, NULL)
 +#define PRIMARY_DOMAIN(h) dns_search_list_domain(h, 0)
 #define DESTROY_HANDLE(h) dns_free(h)
 #elif HAVE_RES_NINIT && HAVE_RES_NSEARCH
@@ -89,6 +91,7 @@ static int initparse(struct krb5int_dns_state *);
 #define DECLARE_HANDLE(h) struct __res_state h
 #define INIT_HANDLE(h) (memset(&h, 0, sizeof(h)), res_ninit(&h) == 0)
 #define SEARCH(h, n, c, t, a, l) res_nsearch(&h, n, c, t, a, l)
 +#define PRIMARY_DOMAIN(h) strdup(h.dnsrch[0])
 #if HAVE_RES_NDESTROY
 #define DESTROY_HANDLE(h) res_ndestroy(&h)
 #else
@@ -101,6 +104,7 @@ static int initparse(struct krb5int_dns_state *);
 #define DECLARE_HANDLE(h)
 #define INIT_HANDLE(h) (res_init() == 0)
 #define SEARCH(h, n, c, t, a, l) res_search(n, c, t, a, l)
 +#define PRIMARY_DOMAIN(h) strdup(_res.defdname)
 #define DESTROY_HANDLE(h)
 #endif
@@ -433,6 +437,12 @@ cleanup:
     return ret;
 }
 +char *
 +k5_primary_domain()
 +{
 +    return NULL;
 +}
 +
 #else /* _WIN32 */
 krb5_error_code
@@ -485,5 +495,18 @@ errout:
     return retval;
 }
 +char *
 +k5_primary_domain()
 +{
 +    char *domain;
 +    DECLARE_HANDLE(h);
 +
 +    if (!INIT_HANDLE(h))
 +        return NULL;
 +    domain = PRIMARY_DOMAIN(h);
 +    DESTROY_HANDLE(h);
 +    return domain;
 +}
 +
 #endif /* not _WIN32 */
 #endif /* KRB5_DNS_LOOKUP */
 diff --git a/src/lib/krb5/os/os-proto.h b/src/lib/krb5/os/os-proto.h
 index 066d30221..a16a34b74 100644
 --- a/src/lib/krb5/os/os-proto.h
 +++ b/src/lib/krb5/os/os-proto.h
@@ -136,6 +136,8 @@ k5_make_uri_query(krb5_context context, const krb5_data *realm,
 krb5_error_code k5_try_realm_txt_rr(krb5_context context, const char *prefix,
                                     const char *name, char **realm);
 +char *k5_primary_domain(void);
 +
 int _krb5_use_dns_realm (krb5_context);
 int _krb5_use_dns_kdc (krb5_context);
 int _krb5_conf_boolean (const char *);
 diff --git a/src/lib/krb5/os/sn2princ.c b/src/lib/krb5/os/sn2princ.c
 index 98d2600aa..a51761d0c 100644
 --- a/src/lib/krb5/os/sn2princ.c
 +++ b/src/lib/krb5/os/sn2princ.c
@@ -50,15 +50,47 @@ use_reverse_dns(krb5_context context)
                               &value);
     if (ret)
         return DEFAULT_RDNS_LOOKUP;
 +
     return value;
 }
 +/* Append a domain suffix to host and return the result in allocated memory.
 + * Return NULL if no suffix is configured or on failure. */
 +static char *
 +qualify_shortname(krb5_context context, const char *host)
 +{
 +    krb5_error_code ret;
 +    char *fqdn = NULL, *prof_domain = NULL, *os_domain = NULL;
 +    const char *domain;
 +
 +    ret = profile_get_string(context->profile, KRB5_CONF_LIBDEFAULTS,
 +                             KRB5_CONF_QUALIFY_SHORTNAME, NULL, NULL,
 +                             &prof_domain);
 +    if (ret)
 +        return NULL;
 +
 +#ifdef KRB5_DNS_LOOKUP
 +    if (prof_domain == NULL)
 +        os_domain = k5_primary_domain();
 +#endif
 +
 +    domain = (prof_domain != NULL) ? prof_domain : os_domain;
 +    if (domain != NULL && *domain != '\0') {
 +        if (asprintf(&fqdn, "%s.%s", host, domain) < 0)
 +            fqdn = NULL;
 +    }
 +
 +    profile_release_string(prof_domain);
 +    free(os_domain);
 +    return fqdn;
 +}
 +
 krb5_error_code
 k5_expand_hostname(krb5_context context, const char *host,
                    krb5_boolean is_fallback, char **canonhost_out)
 {
     struct addrinfo *ai = NULL, hint;
 -    char namebuf[NI_MAXHOST], *copy, *p;
 +    char namebuf[NI_MAXHOST], *qualified = NULL, *copy, *p;
     int err;
     const char *canonhost;
     krb5_boolean use_dns;
@@ -90,6 +122,14 @@ k5_expand_hostname(krb5_context context, const char *host,
         }
     }
 +    /* If we didn't use DNS and the name is just one component, try to add a
 +     * domain suffix. */
 +    if (canonhost == host && strchr(host, '.') == NULL) {
 +        qualified = qualify_shortname(context, host);
 +        if (qualified != NULL)
 +            canonhost = qualified;
 +    }
 +
     copy = strdup(canonhost);
     if (copy == NULL)
         goto cleanup;
@@ -113,6 +153,7 @@ cleanup:
     /* We only return success or ENOMEM. */
     if (ai != NULL)
         freeaddrinfo(ai);
 +    free(qualified);
     return (*canonhost_out == NULL) ? ENOMEM : 0;
 }
 diff --git a/src/tests/gssapi/t_ccselect.py b/src/tests/gssapi/t_ccselect.py
 index 9ca66554f..66d85880c 100755
 --- a/src/tests/gssapi/t_ccselect.py
 +++ b/src/tests/gssapi/t_ccselect.py
@@ -24,8 +24,9 @@ from k5test import *
 # Create two independent realms (no cross-realm TGTs).  For the
 # fallback realm tests we need to control the precise server hostname,
 -# so turn off DNS canonicalization.
 -conf = {'libdefaults': {'dns_canonicalize_hostname': 'false'}}
 +# so turn off DNS canonicalization and shortname qualification.
 +conf = {'libdefaults': {'dns_canonicalize_hostname': 'false',
 +                        'qualify_shortname': ''}}
 r1 = K5Realm(create_user=False, krb5_conf=conf)
 r2 = K5Realm(create_user=False, krb5_conf=conf, realm='KRBTEST2.COM',
              portbase=62000, testdir=os.path.join(r1.testdir, 'r2'))
 diff --git a/src/tests/t_sn2princ.py b/src/tests/t_sn2princ.py
 index fe435a2d5..26dcb91c2 100755
 --- a/src/tests/t_sn2princ.py
 +++ b/src/tests/t_sn2princ.py
@@ -6,7 +6,8 @@ conf = {'domain_realm': {'kerberos.org': 'R1',
                          'example.com': 'R2',
                          'mit.edu': 'R3'}}
 no_rdns_conf = {'libdefaults': {'rdns': 'false'}}
 -no_canon_conf = {'libdefaults': {'dns_canonicalize_hostname': 'false'}}
 +no_canon_conf = {'libdefaults': {'dns_canonicalize_hostname': 'false',
 +                                 'qualify_shortname': 'example.com'}}
 fallback_canon_conf = {'libdefaults':
                        {'rdns': 'false',
                         'dns_canonicalize_hostname': 'fallback'}}
@@ -62,12 +63,15 @@ testu('Example.COM:xyZ', 'Example.COM:xyZ', 'R2')
 testu('example.com.::123', 'example.com.::123', '')
 # With dns_canonicalize_hostname=false, we downcase and remove
 -# trailing dots but do not canonicalize the hostname.  Trailers do not
 -# get downcased.
 +# trailing dots but do not canonicalize the hostname.
 +# Single-component names are qualified with the configured suffix
 +# (defaulting to the first OS search domain, but Python cannot easily
 +# retrieve that value so we don't test it).  Trailers do not get
 +# downcased.
 mark('dns_canonicalize_host=false')
 testnc('ptr-mismatch.kerberos.org', 'ptr-mismatch.kerberos.org', 'R1')
 testnc('Example.COM', 'example.com', 'R2')
 -testnc('abcde', 'abcde', '')
 +testnc('abcde', 'abcde.example.com', 'R2')
 testnc('example.com.:123', 'example.com:123', 'R2')
 testnc('Example.COM:xyZ', 'example.com:xyZ', 'R2')
 testnc('example.com.::123', 'example.com.::123', '')
 diff --git a/src/util/k5test.py b/src/util/k5test.py
 index feb6df7a0..c7f941303 100644
 --- a/src/util/k5test.py
 +++ b/src/util/k5test.py
@@ -918,22 +918,24 @@ class K5Realm(object):
     def _subst_cfg_value(self, value):
         global buildtop, srctop, hostname
         template = string.Template(value)
 -        return template.substitute(realm=self.realm,
 -                                   testdir=self.testdir,
 -                                   buildtop=buildtop,
 -                                   srctop=srctop,
 -                                   plugins=plugins,
 -                                   hostname=hostname,
 -                                   port0=self.portbase,
 -                                   port1=self.portbase + 1,
 -                                   port2=self.portbase + 2,
 -                                   port3=self.portbase + 3,
 -                                   port4=self.portbase + 4,
 -                                   port5=self.portbase + 5,
 -                                   port6=self.portbase + 6,
 -                                   port7=self.portbase + 7,
 -                                   port8=self.portbase + 8,
 -                                   port9=self.portbase + 9)
 +        subst = template.substitute(realm=self.realm,
 +                                    testdir=self.testdir,
 +                                    buildtop=buildtop,
 +                                    srctop=srctop,
 +                                    plugins=plugins,
 +                                    hostname=hostname,
 +                                    port0=self.portbase,
 +                                    port1=self.portbase + 1,
 +                                    port2=self.portbase + 2,
 +                                    port3=self.portbase + 3,
 +                                    port4=self.portbase + 4,
 +                                    port5=self.portbase + 5,
 +                                    port6=self.portbase + 6,
 +                                    port7=self.portbase + 7,
 +                                    port8=self.portbase + 8,
 +                                    port9=self.portbase + 9)
 +        # Empty values must be quoted to avoid a syntax error.
 +        return subst if subst else '""'
     def _create_acl(self):
         global hostname
--- a/Remove-3des-support.patch
+++ b/Remove-3des-support.patch
@ -1,4 +1,4 @@
-From bea06cc4cf4df3d545fb3da1a9429aa28f690d80 Mon Sep 17 00:00:00 2001
+From 98db8d2582b72fb75023c43c5bee435be960247f Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 26 Mar 2019 18:51:10 -0400
 Subject: [PATCH] Remove 3des support
@ -9,12 +9,14 @@ to user other enctypes.  Mark the 3DES enctypes UNSUPPORTED and retain
 their constants.
 (cherry picked from commit 57a8a84e035000b515ca9efd56e5cbe1568b95e7)
 [rharwood@redhat.com: supported enctypes docs landed first]
 ---
 doc/admin/advanced/retiring-des.rst           |  11 +
 doc/admin/conf_files/kdc_conf.rst             |   7 +-
 doc/admin/enctypes.rst                        |  13 +-
 doc/admin/troubleshoot.rst                    |   9 +-
 doc/appdev/refs/macros/index.rst              |   1 -
 doc/conf.py                                   |   4 +-
 doc/mitK5features.rst                         |   2 +-
 src/Makefile.in                               |   4 +-
 src/configure.in                              |   1 -
@ -105,7 +107,7 @@ their constants.
 src/tests/t_salt.py                           |   5 +-
 src/util/k5test.py                            |  10 -
 .../leash/htmlhelp/html/Encryption_Types.htm  |  13 -
- 95 files changed, 155 insertions(+), 4829 deletions(-)
+ 96 files changed, 157 insertions(+), 4831 deletions(-)
 delete mode 100644 src/lib/crypto/builtin/des/ISSUES
 delete mode 100644 src/lib/crypto/builtin/des/Makefile.in
 delete mode 100644 src/lib/crypto/builtin/des/d3_aead.c
@ -163,10 +165,10 @@ index 4a964c15c..cb6258d77 100644
 -------------
 diff --git a/doc/admin/conf_files/kdc_conf.rst b/doc/admin/conf_files/kdc_conf.rst
-index 2c6ea1855..a9ecaf4a9 100644
+index 9759756a2..cf8a12547 100644
 --- a/doc/admin/conf_files/kdc_conf.rst
 +++ b/doc/admin/conf_files/kdc_conf.rst
-@@ -841,8 +841,6 @@ Encryption types marked as "weak" are available for compatibility but
+@@ -843,8 +843,6 @@ Encryption types marked as "weak" are available for compatibility but
 not recommended for use.
 ==================================================== =========================================================
@ -175,7 +177,7 @@ index 2c6ea1855..a9ecaf4a9 100644
 aes256-cts-hmac-sha1-96 aes256-cts aes256-sha1       AES-256 CTS mode with 96-bit SHA-1 HMAC
 aes128-cts-hmac-sha1-96 aes128-cts aes128-sha1       AES-128 CTS mode with 96-bit SHA-1 HMAC
 aes256-cts-hmac-sha384-192 aes256-sha2               AES-256 CTS mode with 192-bit SHA-384 HMAC
-@@ -851,7 +849,6 @@ arcfour-hmac rc4-hmac arcfour-hmac-md5               RC4 with HMAC/MD5
+@@ -853,7 +851,6 @@ arcfour-hmac rc4-hmac arcfour-hmac-md5               RC4 with HMAC/MD5
 arcfour-hmac-exp rc4-hmac-exp arcfour-hmac-md5-exp   Exportable RC4 with HMAC/MD5 (weak)
 camellia256-cts-cmac camellia256-cts                 Camellia-256 CTS mode with CMAC
 camellia128-cts-cmac camellia128-cts                 Camellia-128 CTS mode with CMAC
@ -183,7 +185,7 @@ index 2c6ea1855..a9ecaf4a9 100644
 aes                                                  The AES family: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192, and aes128-cts-hmac-sha256-128
 rc4                                                  The RC4 family: arcfour-hmac
 camellia                                             The Camellia family: camellia256-cts-cmac and camellia128-cts-cmac
-@@ -863,8 +860,8 @@ from the current list by prefixing them with a minus sign ("-").
+@@ -865,8 +862,8 @@ from the current list by prefixing them with a minus sign ("-").
 Types or families can be prefixed with a plus sign ("+") for symmetry;
 it has the same meaning as just listing the type or family.  For
 example, "``DEFAULT -rc4``" would be the default set of encryption
@ -254,6 +256,21 @@ index 534795d15..9542611ea 100644
    CKSUMTYPE_MD5_HMAC_ARCFOUR.rst
    CKSUMTYPE_NIST_SHA.rst
    CKSUMTYPE_RSA_MD4.rst
 diff --git a/doc/conf.py b/doc/conf.py
 index 759367c21..37eda67fa 100644
 --- a/doc/conf.py
 +++ b/doc/conf.py
@@ -271,8 +271,8 @@ else:
     rst_epilog += '.. |ckeytab| replace:: %s\n' % ckeytab
     rst_epilog += '''
 .. |krb5conf| replace:: ``/etc/krb5.conf``
 -.. |defkeysalts| replace:: ``aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal arcfour-hmac-md5:normal``
 -.. |defetypes| replace:: ``aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac``
 +.. |defkeysalts| replace:: ``aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal``
 +.. |defetypes| replace:: ``aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac``
 .. |defmkey| replace:: ``aes256-cts-hmac-sha1-96``
 .. |copy| unicode:: U+000A9
 '''
 diff --git a/doc/mitK5features.rst b/doc/mitK5features.rst
 index a19068e26..5bfdc3936 100644
 --- a/doc/mitK5features.rst
@ -290,7 +307,7 @@ index 91a5f4bf8..0197e5b6d 100644
 ##DOS##	$(WCONFIG) config < $@.in > $@
 ##DOS##lib\crypto\builtin\camellia\Makefile: lib\crypto\builtin\camellia\Makefile.in $(MKFDEP)
 diff --git a/src/configure.in b/src/configure.in
-index 8d781a7c8..a19a0ea97 100644
+index 9d6825b78..3e3b95e49 100644
 --- a/src/configure.in
 +++ b/src/configure.in
@@ -1443,7 +1443,6 @@ V5_AC_OUTPUT_MAKEFILE(.
--- a/Remove-Kerberos-v4-support-vestiges-from-ccapi.patch
+++ b/Remove-Kerberos-v4-support-vestiges-from-ccapi.patch
@ -1,4 +1,4 @@
-From 2bbf5046e0d1ad4a4927570ebed5aa661e322024 Mon Sep 17 00:00:00 2001
+From 34aa9b5889a48f05b4dec33d40e72e97390118a5 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Thu, 4 Apr 2019 14:37:38 -0400
 Subject: [PATCH] Remove Kerberos v4 support vestiges from ccapi
--- a/Remove-PKINIT-draft-9-ASN.1-code-and-types.patch
+++ b/Remove-PKINIT-draft-9-ASN.1-code-and-types.patch
@ -1,4 +1,4 @@
-From a52788c294f56a023b7bc05286990717ec993158 Mon Sep 17 00:00:00 2001
+From 044e7ea922800bfc17ba816780803b1d67622b7b Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Tue, 18 Jun 2019 11:40:48 -0400
 Subject: [PATCH] Remove PKINIT draft 9 ASN.1 code and types
--- a/Remove-PKINIT-draft-9-support.patch
+++ b/Remove-PKINIT-draft-9-support.patch
@ -1,4 +1,4 @@
-From f00a9416374087dbf135215a13c5316477ca2f45 Mon Sep 17 00:00:00 2001
+From b13b0e48470e03203afd4133e4be9c6471e2acb4 Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Tue, 18 Jun 2019 13:06:44 -0400
 Subject: [PATCH] Remove PKINIT draft 9 support
--- a/Remove-ccapi-related-comments-in-configure.ac.patch
+++ b/Remove-ccapi-related-comments-in-configure.ac.patch
@ -1,4 +1,4 @@
-From 8096d0c97bcb5ac1ad830b6f354b4e32c90ac4cf Mon Sep 17 00:00:00 2001
+From ac8df1b0977dd5aedfaeb3d10458aaf18cece29f Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Wed, 3 Apr 2019 16:01:22 -0400
 Subject: [PATCH] Remove ccapi-related comments in configure.ac
@ -12,7 +12,7 @@ is not.
 1 file changed, 3 deletions(-)
 diff --git a/src/configure.in b/src/configure.in
-index 7c309a26b..8d781a7c8 100644
+index 505dabb02..9d6825b78 100644
 --- a/src/configure.in
 +++ b/src/configure.in
@@ -1450,7 +1450,6 @@ V5_AC_OUTPUT_MAKEFILE(.
--- a/Remove-checksum-type-profile-variables.patch
+++ b/Remove-checksum-type-profile-variables.patch
@ -1,4 +1,4 @@
-From 443754ab8140d87e2e5bbd595f39827461d6498a Mon Sep 17 00:00:00 2001
+From ee07471fa613fb68ddebc28577870e97cb5190cf Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Mon, 13 May 2019 14:19:57 -0400
 Subject: [PATCH] Remove checksum type profile variables
@ -18,6 +18,7 @@ did not impose any limitations.
 ticket: 8804 (new)
 (cherry picked from commit a5a140dc85201faf1ba3a687553058354722a1b4)
 [rharwood@redhat.com: release version conflict in man pages]
 ---
 doc/admin/conf_files/krb5_conf.rst | 37 ------------
 src/include/k5-int.h               |  6 --
@ -30,10 +31,10 @@ ticket: 8804 (new)
 8 files changed, 7 insertions(+), 204 deletions(-)
 diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
-index e9f7e8c59..5df3bfe36 100644
+index d1e1a222d..a3fb5d9f2 100644
 --- a/doc/admin/conf_files/krb5_conf.rst
 +++ b/doc/admin/conf_files/krb5_conf.rst
-@@ -111,14 +111,6 @@ The libdefaults section may contain any of the following relations:
+@@ -105,14 +105,6 @@ The libdefaults section may contain any of the following relations:
     strong crypto.  Users in affected environments should set this tag
     to true until their infrastructure adopts stronger ciphers.
@ -48,7 +49,7 @@ index e9f7e8c59..5df3bfe36 100644
 **canonicalize**
     If this flag is set to true, initial ticket requests to the KDC
     will request canonicalization of the client principal name, and
-@@ -297,26 +289,6 @@ The libdefaults section may contain any of the following relations:
+@@ -291,26 +283,6 @@ The libdefaults section may contain any of the following relations:
     corrective factor is only used by the Kerberos library; it is not
     used to change the system clock.  The default value is 1.
@ -75,7 +76,7 @@ index e9f7e8c59..5df3bfe36 100644
 **noaddresses**
     If this flag is true, requests for initial tickets will not be
     made with address restrictions set, allowing the tickets to be
-@@ -365,15 +337,6 @@ The libdefaults section may contain any of the following relations:
+@@ -359,15 +331,6 @@ The libdefaults section may contain any of the following relations:
     (:ref:`duration` string.)  Sets the default renewable lifetime
     for initial ticket requests.  The default value is 0.
@ -299,18 +300,18 @@ index a6e48cd25..22be2198b 100644
     ctx->library_options = 0;
     ctx->profile_secure = TRUE;
 diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man
-index d431dce75..aafdf7f83 100644
+index 2a7af6aa4..433f38d71 100644
 --- a/src/man/krb5.conf.man
 +++ b/src/man/krb5.conf.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KRB5.CONF" "5" " " "1.17" "MIT Kerberos"
+-.TH "KRB5.CONF" "5" " " "1.17.1" "MIT Kerberos"
 +.TH "KRB5.CONF" "5" " " "1.18" "MIT Kerberos"
 .SH NAME
 krb5.conf \- Kerberos configuration file
 .
-@@ -202,14 +202,6 @@ failures in existing Kerberos infrastructures that do not support
+@@ -188,14 +188,6 @@ failures in existing Kerberos infrastructures that do not support
 strong crypto.  Users in affected environments should set this tag
 to true until their infrastructure adopts stronger ciphers.
 .TP
@ -325,7 +326,7 @@ index d431dce75..aafdf7f83 100644
 \fBcanonicalize\fP
 If this flag is set to true, initial ticket requests to the KDC
 will request canonicalization of the client principal name, and
-@@ -291,6 +283,10 @@ hostnames for use in service principal names.  Setting this flag
+@@ -277,6 +269,10 @@ hostnames for use in service principal names.  Setting this flag
 to false can improve security by reducing reliance on DNS, but
 means that short hostnames will not be canonicalized to
 fully\-qualified hostnames.  The default value is true.
@ -336,7 +337,7 @@ index d431dce75..aafdf7f83 100644
 .TP
 \fBdns_lookup_kdc\fP
 Indicate whether DNS SRV records should be used to locate the KDCs
-@@ -384,73 +380,6 @@ requesting service tickets or authenticating to services.  This
+@@ -370,73 +366,6 @@ requesting service tickets or authenticating to services.  This
 corrective factor is only used by the Kerberos library; it is not
 used to change the system clock.  The default value is 1.
 .TP
@ -410,7 +411,7 @@ index d431dce75..aafdf7f83 100644
 \fBnoaddresses\fP
 If this flag is true, requests for initial tickets will not be
 made with address restrictions set, allowing the tickets to be
-@@ -499,15 +428,6 @@ set.  The default is not to search domain components.
+@@ -485,15 +414,6 @@ set.  The default is not to search domain components.
 (duration string.)  Sets the default renewable lifetime
 for initial ticket requests.  The default value is 0.
 .TP
--- a/Remove-confvalidator-utility.patch
+++ b/Remove-confvalidator-utility.patch
@ -1,4 +1,4 @@
-From 0d471a72541952ebe090919610cf9ba8b31d1291 Mon Sep 17 00:00:00 2001
+From 1df6ae50de14c8795af7f7aea7f54eede51fd206 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Wed, 3 Apr 2019 14:58:19 -0400
 Subject: [PATCH] Remove confvalidator utility
--- a/Remove-dead-variable-def_kslist-from-two-files.patch
+++ b/Remove-dead-variable-def_kslist-from-two-files.patch
@ -1,4 +1,4 @@
-From 20be29dfddcbc4afda79eae2bcd3d5de3bb0330d Mon Sep 17 00:00:00 2001
+From 5c9dce0ac1b8b6fcb048404e3830fd4619f4f1c5 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Thu, 2 May 2019 16:57:51 -0400
 Subject: [PATCH] Remove dead variable def_kslist from two files
--- a/Remove-doxygen-generated-HTML-output-for-ccapi.patch
+++ b/Remove-doxygen-generated-HTML-output-for-ccapi.patch
@ -1,4 +1,4 @@
-From 33c39a069022eab2d56ccbaf0be31b3b5b0071a2 Mon Sep 17 00:00:00 2001
+From a0c231f79b0b9c02120802cc5549c8576b5156bd Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Thu, 4 Apr 2019 14:15:58 -0400
 Subject: [PATCH] Remove doxygen-generated HTML output for ccapi
--- a/Remove-kadmin-RPC-support-for-setting-v4-key.patch
+++ b/Remove-kadmin-RPC-support-for-setting-v4-key.patch
@ -1,4 +1,4 @@
-From e1e27c400736ca304c9cbdc52e2946c65e047a21 Mon Sep 17 00:00:00 2001
+From 620a45acc6ea6c01cce0474883011ed47cb35458 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Thu, 4 Apr 2019 16:14:46 -0400
 Subject: [PATCH] Remove kadmin RPC support for setting v4 key
@ -336,10 +336,10 @@ index 64ad5dd69..e3c04e690 100644
 xdr_ui_4
 kadm5_init_iprop
 diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
-index 9ab2c5a74..48cac0c11 100644
+index be0922101..a1ecdbfc4 100644
 --- a/src/lib/kadm5/srv/svr_principal.c
 +++ b/src/lib/kadm5/srv/svr_principal.c
-@@ -1645,124 +1645,6 @@ done:
+@@ -1649,124 +1649,6 @@ done:
     return ret;
 }
--- a/Remove-krb5int_c_combine_keys.patch
+++ b/Remove-krb5int_c_combine_keys.patch
@ -1,4 +1,4 @@
-From 6181039fc3f70c073e4125d98d8a28aec9c223bf Mon Sep 17 00:00:00 2001
+From 90c702467b0c4373758f235512c67f80f1998e02 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Thu, 18 Apr 2019 17:27:07 -0400
 Subject: [PATCH] Remove krb5int_c_combine_keys()
--- a/Remove-more-dead-code.patch
+++ b/Remove-more-dead-code.patch
@ -1,4 +1,4 @@
-From 067f8685648e4a316ea0dfe90694d5a7b64c8848 Mon Sep 17 00:00:00 2001
+From e470fc217b19f6d958cc891910527e43651167a3 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Thu, 9 May 2019 14:07:24 -0400
 Subject: [PATCH] Remove more dead code
--- a/Remove-now-unused-checksum-functions.patch
+++ b/Remove-now-unused-checksum-functions.patch
@ -1,4 +1,4 @@
-From 3d6b547ca1454b8113c6f83161def1f995c04616 Mon Sep 17 00:00:00 2001
+From e9cc0b8762266ed368cb50e7ba48d6196db54da5 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Fri, 28 Jun 2019 13:09:47 -0400
 Subject: [PATCH] Remove now-unused checksum functions
--- a/Remove-null-check-in-krb5_gss_duplicate_name.patch
+++ b/Remove-null-check-in-krb5_gss_duplicate_name.patch
@ -1,4 +1,4 @@
-From 13df40bef90954d1c373c5e9cece1d5897c7afcf Mon Sep 17 00:00:00 2001
+From 61855503e579611b2bb2f322070c2e1e0ca36ce8 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Fri, 30 Aug 2019 11:19:52 -0400
 Subject: [PATCH] Remove null check in krb5_gss_duplicate_name()
--- a/Remove-ovsec_adm_export-dump-format-support.patch
+++ b/Remove-ovsec_adm_export-dump-format-support.patch
@ -1,4 +1,4 @@
-From 019dc5d64d6e1c0fabaf9957bef5b633eb6fa475 Mon Sep 17 00:00:00 2001
+From e4c75d01bfdedfe77068a641e0053eef227dc22b Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 22 Jan 2019 18:34:58 -0500
 Subject: [PATCH] Remove ovsec_adm_export dump format support
@ -9,6 +9,7 @@ KDCs.
 ticket: 8798 (new)
 (cherry picked from commit 23b93fd48bc445005436c5be98a7269b599b1800)
 [rharwood@redhat.com: release version conflict in man pages]
 ---
 doc/admin/admin_commands/kdb5_util.rst |  11 +--
 doc/admin/database.rst                 |  14 ----
@ -63,7 +64,7 @@ index fee68261a..7dd54f797 100644
     requires the database to be in Kerberos 5 1.3 format ("kdb5_util
     load_dump version 5").  This was the dump format produced on
 diff --git a/doc/admin/database.rst b/doc/admin/database.rst
-index 2b02af3a0..113a680a6 100644
+index d0be455f8..33895b857 100644
 --- a/doc/admin/database.rst
 +++ b/doc/admin/database.rst
@@ -393,20 +393,6 @@ To dump a single principal and later load it, updating the database:
@ -274,13 +275,13 @@ index accc959e0..e73e2c68e 100644
               "\tark     [-e etype_list] principal\n"
               "\tadd_mkey [-e etype] [-s]\n"
 diff --git a/src/man/kdb5_util.man b/src/man/kdb5_util.man
-index 5ebc68a57..9a36ef0df 100644
+index 9c48c32fb..9a36ef0df 100644
 --- a/src/man/kdb5_util.man
 +++ b/src/man/kdb5_util.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KDB5_UTIL" "8" " " "1.17" "MIT Kerberos"
+-.TH "KDB5_UTIL" "8" " " "1.17.1" "MIT Kerberos"
 +.TH "KDB5_UTIL" "8" " " "1.18" "MIT Kerberos"
 .SH NAME
 kdb5_util \- Kerberos database maintenance utility
--- a/Remove-srvtab-support.patch
+++ b/Remove-srvtab-support.patch
@ -1,4 +1,4 @@
-From a768fb06f0df69f0b6985058e21c72448587d2a8 Mon Sep 17 00:00:00 2001
+From ecf80eb7a536c2d78812482d9c974120725ca609 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Mon, 9 Oct 2017 15:58:33 -0400
 Subject: [PATCH] Remove srvtab support
@ -8,6 +8,7 @@ name was used.
 ticket: 8793 (new)
 (cherry picked from commit a23e670b40f69b6be0024f8a60d2afaf7f7a005a)
 [rharwood@redhat.com: release version conflict in man pages]
 ---
 doc/admin/admin_commands/ktutil.rst           |  22 +-
 doc/basic/keytab_def.rst                      |   6 +-
@ -206,10 +207,10 @@ index 00c442978..e710852d4 100644
 	plugin_base_dir = __PLUGIN_DIR__
 	allow_weak_crypto = true
 diff --git a/src/kadmin/testing/scripts/env-setup.shin b/src/kadmin/testing/scripts/env-setup.shin
-index c8d866f15..726298351 100755
+index 273cf6954..8c29bb996 100755
 --- a/src/kadmin/testing/scripts/env-setup.shin
 +++ b/src/kadmin/testing/scripts/env-setup.shin
-@@ -77,7 +77,7 @@ SRVTCL=$TESTDIR/util/kadm5_srv_tcl; export SRVTCL
+@@ -79,7 +79,7 @@ export QUALNAME
 KRB5_CONFIG=$K5ROOT/krb5.conf; export KRB5_CONFIG
 KRB5_KDC_PROFILE=$K5ROOT/kdc.conf; export KRB5_KDC_PROFILE
@ -219,10 +220,10 @@ index c8d866f15..726298351 100755
 KRB5CCNAME=$K5ROOT/krb5cc_unit-test; export KRB5CCNAME
 diff --git a/src/kadmin/testing/scripts/init_db b/src/kadmin/testing/scripts/init_db
-index cd7165628..bf119f2ac 100755
+index c41d290d1..2496be2ab 100755
 --- a/src/kadmin/testing/scripts/init_db
 +++ b/src/kadmin/testing/scripts/init_db
-@@ -218,7 +218,7 @@ changepw/kerberos@$REALM	cil
+@@ -216,7 +216,7 @@ changepw/kerberos@$REALM	cil
 EOF
@ -245,10 +246,10 @@ index dfe0b3a01..c77d61c70 100755
 	  replaced by the canonical host name of the local host.";
 diff --git a/src/kadmin/testing/scripts/start_servers_local b/src/kadmin/testing/scripts/start_servers_local
-index 0cbed462d..809892974 100755
+index f34444ee8..e502a6a0b 100755
 --- a/src/kadmin/testing/scripts/start_servers_local
 +++ b/src/kadmin/testing/scripts/start_servers_local
-@@ -98,9 +98,6 @@ x=$?
+@@ -96,9 +96,6 @@ x=$?
 rm /tmp/start_servers_local$$
 if test $x != 0 ; then exit 1 ; fi
@ -952,12 +953,12 @@ index ba57b703e..ed179bbe3 100644
  	verbose "% $SERVER" 1
 	set server_pid [spawn $SERVER $PROT]
 diff --git a/src/lib/rpc/unit-test/lib/helpers.exp b/src/lib/rpc/unit-test/lib/helpers.exp
-index a1b078374..6ba2b10ae 100644
+index a7f89f636..f08c73201 100644
 --- a/src/lib/rpc/unit-test/lib/helpers.exp
 +++ b/src/lib/rpc/unit-test/lib/helpers.exp
@@ -121,8 +121,8 @@ proc setup_database {} {
 if ![info exists CANON_HOST] {
-     set CANON_HOST [exec $env(QUALNAME)]
+     set CANON_HOST $env(QUALNAME)
     setup_database
 -    file delete $env(RPC_TEST_SRVTAB)
 -    exec $env(MAKE_KEYTAB) -princ "server/$CANON_HOST" $env(RPC_TEST_SRVTAB)
@ -967,7 +968,7 @@ index a1b078374..6ba2b10ae 100644
 diff --git a/src/lib/rpc/unit-test/rpc_test_setup.sh b/src/lib/rpc/unit-test/rpc_test_setup.sh
-index 968f52a67..b610f87ef 100755
+index d147a337e..d7df0eb2b 100755
 --- a/src/lib/rpc/unit-test/rpc_test_setup.sh
 +++ b/src/lib/rpc/unit-test/rpc_test_setup.sh
@@ -1,7 +1,7 @@
@ -979,7 +980,7 @@ index 968f52a67..b610f87ef 100755
 # environment. 
 #
 # $Id$
-@@ -42,9 +42,9 @@ if test $? != 0 ; then
+@@ -39,9 +39,9 @@ if test $? != 0 ; then
 fi
 rm /tmp/rpc_test_setup$$
@ -992,13 +993,13 @@ index 968f52a67..b610f87ef 100755
 # grep -s "$CANON_HOST SECURE-TEST.OV.COM" /etc/krb.realms
 # if [ $? != 0 ]; then
 diff --git a/src/man/ktutil.man b/src/man/ktutil.man
-index 4e174c0fe..233329468 100644
+index 711a0ed2c..233329468 100644
 --- a/src/man/ktutil.man
 +++ b/src/man/ktutil.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KTUTIL" "1" " " "1.17" "MIT Kerberos"
+-.TH "KTUTIL" "1" " " "1.17.1" "MIT Kerberos"
 +.TH "KTUTIL" "1" " " "1.18" "MIT Kerberos"
 .SH NAME
 ktutil \- Kerberos keytab file maintenance utility
--- a/Remove-strerror-calls-from-k5_get_error.patch
+++ b/Remove-strerror-calls-from-k5_get_error.patch
@ -1,4 +1,4 @@
-From 1aff5025ec486d1f8239e3a135156e33ea5e764d Mon Sep 17 00:00:00 2001
+From 128098be731775ecc2a5de6308868fae78059db9 Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Thu, 6 Jun 2019 11:46:58 -0400
 Subject: [PATCH] Remove strerror() calls from k5_get_error()
--- a/Remove-support-for-no-flags-SAM-2-preauth.patch
+++ b/Remove-support-for-no-flags-SAM-2-preauth.patch
@ -1,4 +1,4 @@
-From f87c6fabd1073637c4798fcdd3fdab060edb0731 Mon Sep 17 00:00:00 2001
+From c00274de6de883d74ae231405b6ae5e1486712c9 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Wed, 17 Apr 2019 17:07:46 -0400
 Subject: [PATCH] Remove support for no-flags SAM-2 preauth
--- a/Remove-support-for-single-DES-and-CRC.patch
+++ b/Remove-support-for-single-DES-and-CRC.patch
@ -1,4 +1,4 @@
-From c13f1fde8931a9199a7a15a5b011f02ed2615e9f Mon Sep 17 00:00:00 2001
+From e73ed142bd5baf15943069346202fe3b1a4d96d6 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Fri, 24 May 2019 13:12:03 -0400
 Subject: [PATCH] Remove support for single-DES and CRC
@ -11,13 +11,15 @@ user-visible deprecation warnings were issued starting in release
 ticket: 8808
 (cherry picked from commit fb2dada5eb89c4cd4e39dedd6dbb7dbd5e94f8b8)
 [rharwood@redhat.com: .gitignore removal]
 [rharwood@redhat.com: In this branch, supported_enctypes changes landed
 first]
 ---
 doc/admin/advanced/retiring-des.rst           |   5 +
 doc/admin/conf_files/kdc_conf.rst             |  17 +-
 doc/admin/conf_files/krb5_conf.rst            |  17 +-
 doc/admin/enctypes.rst                        |  38 +-
 doc/appdev/refs/macros/index.rst              |   1 +
- doc/conf.py                                   |   2 +-
+ doc/conf.py                                   |   4 +-
 doc/mitK5features.rst                         |   2 +-
 src/include/k5-int.h                          |   1 -
 src/include/krb5/krb5.hin                     |  10 +-
@ -67,7 +69,7 @@ ticket: 8808
 src/man/kdc.conf.man                          |  47 +-
 src/man/krb5.conf.man                         |   6 +-
 .../leash/htmlhelp/html/Encryption_Types.htm  |  14 +-
- 55 files changed, 74 insertions(+), 2180 deletions(-)
+ 55 files changed, 75 insertions(+), 2181 deletions(-)
 delete mode 100644 src/lib/crypto/builtin/enc_provider/des.c
 delete mode 100644 src/lib/crypto/builtin/hash_provider/hash_crc32.c
 delete mode 100644 src/lib/crypto/krb/crc32.c
@ -93,7 +95,7 @@ index ebac95f24..4a964c15c 100644
 -------------
 diff --git a/doc/admin/conf_files/kdc_conf.rst b/doc/admin/conf_files/kdc_conf.rst
-index 62d1bfc05..2c6ea1855 100644
+index 7fbc8eb79..9759756a2 100644
 --- a/doc/admin/conf_files/kdc_conf.rst
 +++ b/doc/admin/conf_files/kdc_conf.rst
@@ -381,13 +381,6 @@ The following tags may be specified in a [realms] subsection:
@ -110,7 +112,7 @@ index 62d1bfc05..2c6ea1855 100644
 **reject_bad_transit**
     (Boolean value.)  If set to true, the KDC will check the list of
     transited realms for cross-realm tickets against the transit path
-@@ -848,13 +841,8 @@ Encryption types marked as "weak" are available for compatibility but
+@@ -850,13 +843,8 @@ Encryption types marked as "weak" are available for compatibility but
 not recommended for use.
 ==================================================== =========================================================
@ -124,7 +126,7 @@ index 62d1bfc05..2c6ea1855 100644
 aes256-cts-hmac-sha1-96 aes256-cts aes256-sha1       AES-256 CTS mode with 96-bit SHA-1 HMAC
 aes128-cts-hmac-sha1-96 aes128-cts aes128-sha1       AES-128 CTS mode with 96-bit SHA-1 HMAC
 aes256-cts-hmac-sha384-192 aes256-sha2               AES-256 CTS mode with 192-bit SHA-384 HMAC
-@@ -863,7 +851,6 @@ arcfour-hmac rc4-hmac arcfour-hmac-md5               RC4 with HMAC/MD5
+@@ -865,7 +853,6 @@ arcfour-hmac rc4-hmac arcfour-hmac-md5               RC4 with HMAC/MD5
 arcfour-hmac-exp rc4-hmac-exp arcfour-hmac-md5-exp   Exportable RC4 with HMAC/MD5 (weak)
 camellia256-cts-cmac camellia256-cts                 Camellia-256 CTS mode with CMAC
 camellia128-cts-cmac camellia128-cts                 Camellia-128 CTS mode with CMAC
@ -132,7 +134,7 @@ index 62d1bfc05..2c6ea1855 100644
 des3                                                 The triple DES family: des3-cbc-sha1
 aes                                                  The AES family: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192, and aes128-cts-hmac-sha256-128
 rc4                                                  The RC4 family: arcfour-hmac
-@@ -875,8 +862,8 @@ types for the variable in question.  Types or families can be removed
+@@ -877,8 +864,8 @@ types for the variable in question.  Types or families can be removed
 from the current list by prefixing them with a minus sign ("-").
 Types or families can be prefixed with a plus sign ("+") for symmetry;
 it has the same meaning as just listing the type or family.  For
@ -144,10 +146,10 @@ index 62d1bfc05..2c6ea1855 100644
 front.
 diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
-index 5df3bfe36..89f02434b 100644
+index a3fb5d9f2..d5c498c89 100644
 --- a/doc/admin/conf_files/krb5_conf.rst
 +++ b/doc/admin/conf_files/krb5_conf.rst
-@@ -106,10 +106,7 @@ The libdefaults section may contain any of the following relations:
+@@ -100,10 +100,7 @@ The libdefaults section may contain any of the following relations:
     in :ref:`Encryption_types` in :ref:`kdc.conf(5)`) will be filtered
     out of the lists **default_tgs_enctypes**,
     **default_tkt_enctypes**, and **permitted_enctypes**.  The default
@ -159,7 +161,7 @@ index 5df3bfe36..89f02434b 100644
 **canonicalize**
     If this flag is set to true, initial ticket requests to the KDC
-@@ -163,9 +160,7 @@ The libdefaults section may contain any of the following relations:
+@@ -157,9 +154,7 @@ The libdefaults section may contain any of the following relations:
     preference from highest to lowest.  The list may be delimited with
     commas or whitespace.  See :ref:`Encryption_types` in
     :ref:`kdc.conf(5)` for a list of the accepted values for this tag.
@ -170,7 +172,7 @@ index 5df3bfe36..89f02434b 100644
     Do not set this unless required for specific backward
     compatibility purposes; stale values of this setting can prevent
-@@ -177,9 +172,7 @@ The libdefaults section may contain any of the following relations:
+@@ -171,9 +166,7 @@ The libdefaults section may contain any of the following relations:
     the client should request when making an AS-REQ, in order of
     preference from highest to lowest.  The format is the same as for
     default_tgs_enctypes.  The default value for this tag is
@ -181,7 +183,7 @@ index 5df3bfe36..89f02434b 100644
     Do not set this unless required for specific backward
     compatibility purposes; stale values of this setting can prevent
-@@ -297,9 +290,7 @@ The libdefaults section may contain any of the following relations:
+@@ -291,9 +284,7 @@ The libdefaults section may contain any of the following relations:
 **permitted_enctypes**
     Identifies all encryption types that are permitted for use in
     session key encryption.  The default value for this tag is
@ -273,14 +275,16 @@ index 47c6d4413..534795d15 100644
    ENCTYPE_DES_CBC_MD4.rst
    ENCTYPE_DES_CBC_MD5.rst
 diff --git a/doc/conf.py b/doc/conf.py
-index c32e33001..759367c21 100644
+index 7c688d871..759367c21 100644
 --- a/doc/conf.py
 +++ b/doc/conf.py
-@@ -272,7 +272,7 @@ else:
+@@ -271,8 +271,8 @@ else:
     rst_epilog += '.. |ckeytab| replace:: %s\n' % ckeytab
     rst_epilog += '''
 .. |krb5conf| replace:: ``/etc/krb5.conf``
- .. |defkeysalts| replace:: ``aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal arcfour-hmac-md5:normal``
+-.. |defkeysalts| replace:: ``aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal``
 -.. |defetypes| replace:: ``aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4``
 +.. |defkeysalts| replace:: ``aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal arcfour-hmac-md5:normal``
 +.. |defetypes| replace:: ``aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac``
 .. |defmkey| replace:: ``aes256-cts-hmac-sha1-96``
 .. |copy| unicode:: U+000A9
@ -3186,7 +3190,7 @@ index 39f656322..55491428b 100644
         goto cleanup;
     context->clockskew = (krb5_deltat) ibuf;
 diff --git a/src/man/kdc.conf.man b/src/man/kdc.conf.man
-index 4a75be8cb..8058134ac 100644
+index fd4dbb2e2..527d5d697 100644
 --- a/src/man/kdc.conf.man
 +++ b/src/man/kdc.conf.man
@@ -441,13 +441,6 @@ marks the server principal as host\-based or the service is also
@ -3203,7 +3207,7 @@ index 4a75be8cb..8058134ac 100644
 \fBreject_bad_transit\fP
 (Boolean value.)  If set to true, the KDC will check the list of
 transited realms for cross\-realm tickets against the transit path
-@@ -969,30 +962,6 @@ center;
+@@ -970,30 +963,6 @@ center;
 |l|l|.
 _
 T{
@ -3234,7 +3238,7 @@ index 4a75be8cb..8058134ac 100644
 des3\-cbc\-raw
 T}	T{
 Triple DES cbc mode raw (weak)
-@@ -1005,12 +974,6 @@ Triple DES cbc mode with HMAC/sha1
+@@ -1006,12 +975,6 @@ Triple DES cbc mode with HMAC/sha1
 T}
 _
 T{
@ -3247,7 +3251,7 @@ index 4a75be8cb..8058134ac 100644
 aes256\-cts\-hmac\-sha1\-96 aes256\-cts aes256\-sha1
 T}	T{
 AES\-256 CTS mode with 96\-bit SHA\-1 HMAC
-@@ -1059,12 +1022,6 @@ Camellia\-128 CTS mode with CMAC
+@@ -1060,12 +1023,6 @@ Camellia\-128 CTS mode with CMAC
 T}
 _
 T{
@ -3260,7 +3264,7 @@ index 4a75be8cb..8058134ac 100644
 des3
 T}	T{
 The triple DES family: des3\-cbc\-sha1
-@@ -1095,8 +1052,8 @@ types for the variable in question.  Types or families can be removed
+@@ -1096,8 +1053,8 @@ types for the variable in question.  Types or families can be removed
 from the current list by prefixing them with a minus sign ("\-").
 Types or families can be prefixed with a plus sign ("+") for symmetry;
 it has the same meaning as just listing the type or family.  For
@ -3272,10 +3276,10 @@ index 4a75be8cb..8058134ac 100644
 front.
 .sp
 diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man
-index aafdf7f83..d6ff91c3b 100644
+index 433f38d71..4bc190e32 100644
 --- a/src/man/krb5.conf.man
 +++ b/src/man/krb5.conf.man
-@@ -254,7 +254,7 @@ the client should request when making a TGS\-REQ, in order of
+@@ -240,7 +240,7 @@ the client should request when making a TGS\-REQ, in order of
 preference from highest to lowest.  The list may be delimited with
 commas or whitespace.  See Encryption_types in
 kdc.conf(5) for a list of the accepted values for this tag.
@ -3284,7 +3288,7 @@ index aafdf7f83..d6ff91c3b 100644
 will be implicitly removed from this list if the value of
 \fBallow_weak_crypto\fP is false.
 .sp
-@@ -268,7 +268,7 @@ Identifies the supported list of session key encryption types that
+@@ -254,7 +254,7 @@ Identifies the supported list of session key encryption types that
 the client should request when making an AS\-REQ, in order of
 preference from highest to lowest.  The format is the same as for
 default_tgs_enctypes.  The default value for this tag is
@ -3293,7 +3297,7 @@ index aafdf7f83..d6ff91c3b 100644
 removed from this list if the value of \fBallow_weak_crypto\fP is
 false.
 .sp
-@@ -388,7 +388,7 @@ used across NATs.  The default value is true.
+@@ -374,7 +374,7 @@ used across NATs.  The default value is true.
 \fBpermitted_enctypes\fP
 Identifies all encryption types that are permitted for use in
 session key encryption.  The default value for this tag is
--- a/Remove-the-v4-and-afs3-salt-types.patch
+++ b/Remove-the-v4-and-afs3-salt-types.patch
@ -1,4 +1,4 @@
-From cebf1ea82c4d2dc4494ad0af7525fd324e6d92e2 Mon Sep 17 00:00:00 2001
+From 111e528c68393435be41f71f22f41b7a04ccad1e Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Fri, 24 May 2019 13:11:44 -0400
 Subject: [PATCH] Remove the v4 and afs3 salt types
@ -12,6 +12,7 @@ krb4 databases.
 ticket: 8808
 (cherry picked from commit e0a35ff48c09a26ebb9aefd7e98855a84574b8be)
 [rharwood@redhat.com: release version conflict in man pages]
 ---
 doc/admin/conf_files/kdc_conf.rst             |  2 -
 src/include/kdb.h                             |  4 +-
@ -33,10 +34,10 @@ ticket: 8808
 17 files changed, 24 insertions(+), 164 deletions(-)
 diff --git a/doc/admin/conf_files/kdc_conf.rst b/doc/admin/conf_files/kdc_conf.rst
-index c73791ceb..62d1bfc05 100644
+index 72f002d4d..7fbc8eb79 100644
 --- a/doc/admin/conf_files/kdc_conf.rst
 +++ b/doc/admin/conf_files/kdc_conf.rst
-@@ -917,10 +917,8 @@ follows:
+@@ -919,10 +919,8 @@ follows:
 ================= ============================================
 normal            default for Kerberos Version 5
@ -292,18 +293,18 @@ index 7c400be86..3c9168591 100644
 -
 success('krb5_get_etype_info() tests')
 diff --git a/src/man/kdc.conf.man b/src/man/kdc.conf.man
-index ab3ee0289..4a75be8cb 100644
+index 959f00de5..fd4dbb2e2 100644
 --- a/src/man/kdc.conf.man
 +++ b/src/man/kdc.conf.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KDC.CONF" "5" " " "1.17" "MIT Kerberos"
+-.TH "KDC.CONF" "5" " " "1.17.1" "MIT Kerberos"
 +.TH "KDC.CONF" "5" " " "1.18" "MIT Kerberos"
 .SH NAME
 kdc.conf \- Kerberos V5 KDC configuration file
 .
-@@ -1148,12 +1148,6 @@ default for Kerberos Version 5
+@@ -1149,12 +1149,6 @@ default for Kerberos Version 5
 T}
 _
 T{
@ -316,7 +317,7 @@ index ab3ee0289..4a75be8cb 100644
 norealm
 T}	T{
 same as the default, without using realm information
-@@ -1166,12 +1160,6 @@ uses only realm information as the salt
+@@ -1167,12 +1161,6 @@ uses only realm information as the salt
 T}
 _
 T{
--- a/Set-a-more-modern-default-ksu-CMD_PATH.patch
+++ b/Set-a-more-modern-default-ksu-CMD_PATH.patch
@ -1,4 +1,4 @@
-From 47fc137981db0b2b9834765e28f70b151a88cb83 Mon Sep 17 00:00:00 2001
+From 3d8b0bb1469295bd09f8ba81d3fb059a9ef372f2 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 23 Aug 2016 16:32:09 -0400
 Subject: [PATCH] Set a more modern default ksu CMD_PATH
--- a/Simplify-SAM-2-as_key-handling.patch
+++ b/Simplify-SAM-2-as_key-handling.patch
@ -1,4 +1,4 @@
-From 9c80f80f48f3b761145e97914a4488398435f2d6 Mon Sep 17 00:00:00 2001
+From f7fb525d762ba42f62f1044f07f38a243980a2ba Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Sun, 5 May 2019 18:53:27 -0400
 Subject: [PATCH] Simplify SAM-2 as_key handling
--- a/Simplify-krb5_dbe_def_search_enctype.patch
+++ b/Simplify-krb5_dbe_def_search_enctype.patch
@ -1,4 +1,4 @@
-From 5ff802a443dfd47e2f43a37de0dc439a1c583849 Mon Sep 17 00:00:00 2001
+From a7cd60bc97b4d9b171eddae391cf9ecd84c58d31 Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Thu, 22 Aug 2019 16:19:12 -0400
 Subject: [PATCH] Simplify krb5_dbe_def_search_enctype()
--- a/Simply-OpenSSL-PKCS7-decryption-code.patch
+++ b/Simply-OpenSSL-PKCS7-decryption-code.patch
@ -1,4 +1,4 @@
-From 8cc93c83241cd96a8565c427418f6c3f13609b65 Mon Sep 17 00:00:00 2001
+From db62fe97a56f8f8476e3202a492d1c3d784d52b2 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Mon, 6 May 2019 13:13:06 -0400
 Subject: [PATCH] Simply OpenSSL PKCS7 decryption code
--- a/Skip-URI-tests-when-using-asan.patch
+++ b/Skip-URI-tests-when-using-asan.patch
@ -1,4 +1,4 @@
-From 1b251fe463c1284381612aeb7f2271d28d171d9d Mon Sep 17 00:00:00 2001
+From c58dbf05938b57a729d1b3811424866296f11998 Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Sat, 3 Aug 2019 13:30:28 -0400
 Subject: [PATCH] Skip URI tests when using asan
--- a/Squash-apparent-forward-null-in-clnttcp_create.patch
+++ b/Squash-apparent-forward-null-in-clnttcp_create.patch
@ -1,4 +1,4 @@
-From dabc30f0500718ef39706849b778524d4fa2152d Mon Sep 17 00:00:00 2001
+From 566fa44c8f53b3c558791bef29d01fb6a02ff559 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Fri, 30 Aug 2019 11:16:58 -0400
 Subject: [PATCH] Squash apparent forward-null in clnttcp_create()
--- a/Support-389ds-s-lockout-model.patch
+++ b/Support-389ds-s-lockout-model.patch
@ -1,4 +1,4 @@
-From d46ea68d04b91320aa7eb96f85ca77b98fd44e88 Mon Sep 17 00:00:00 2001
+From a9c73bc1078dc6287a3838220ef1bd435273506e Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 23 Aug 2016 16:47:44 -0400
 Subject: [PATCH] Support 389ds's lockout model
--- a/Update-ASN.1-SAM-tests-to-use-a-modern-enctype.patch
+++ b/Update-ASN.1-SAM-tests-to-use-a-modern-enctype.patch
@ -1,4 +1,4 @@
-From 12ffeca5a708add9461e71300d58a08ea99ed6e4 Mon Sep 17 00:00:00 2001
+From 5e7c6ac2f9ee4dfe182f28c0801811910b63be1d Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 16 Apr 2019 14:16:39 -0400
 Subject: [PATCH] Update ASN.1 SAM tests to use a modern enctype
--- a/Update-default-krb5kdc-mkey-manual-entry-enctype.patch
+++ b/Update-default-krb5kdc-mkey-manual-entry-enctype.patch
@ -1,4 +1,4 @@
-From a3e73d1a874ad68c7ef0cb2ac0fa529b87b29710 Mon Sep 17 00:00:00 2001
+From 04ce158f626a683d60914f464bac24a1bd5687e3 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Mon, 20 May 2019 16:52:57 -0400
 Subject: [PATCH] Update default krb5kdc mkey manual-entry enctype
@ -14,10 +14,10 @@ kadmind, which is currently aes256-cts-hmac-sha1-96.
 3 files changed, 3 insertions(+), 3 deletions(-)
 diff --git a/doc/admin/admin_commands/krb5kdc.rst b/doc/admin/admin_commands/krb5kdc.rst
-index 0342d0d18..455bb6858 100644
+index 08d40cc0d..631a0de84 100644
 --- a/doc/admin/admin_commands/krb5kdc.rst
 +++ b/doc/admin/admin_commands/krb5kdc.rst
-@@ -39,7 +39,7 @@ LDAP database.
+@@ -41,7 +41,7 @@ LDAP database.
 The **-k** *keytype* option specifies the key type of the master key
 to be entered manually as a password when **-m** is given; the default
@ -40,10 +40,10 @@ index 60092a0df..04393772f 100644
         case 'M':                       /* master key name in DB */
             mkey_name = optarg;
 diff --git a/src/man/krb5kdc.man b/src/man/krb5kdc.man
-index 8ace9662f..aa8614698 100644
+index 9c9b816b3..100f371c4 100644
 --- a/src/man/krb5kdc.man
 +++ b/src/man/krb5kdc.man
-@@ -59,7 +59,7 @@ LDAP database.
+@@ -61,7 +61,7 @@ LDAP database.
 .sp
 The \fB\-k\fP \fIkeytype\fP option specifies the key type of the master key
 to be entered manually as a password when \fB\-m\fP is given; the default
--- a/Update-test-suite-cert-message-digest-to-sha256.patch
+++ b/Update-test-suite-cert-message-digest-to-sha256.patch
@ -1,4 +1,4 @@
-From 73e08f464b5a55c1d86b3d08f1fd0f391253548f Mon Sep 17 00:00:00 2001
+From 8c38e6a1cef9bee050e42f591a530d077bb11f17 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 12 Nov 2019 13:38:59 -0500
 Subject: [PATCH] Update test suite cert message digest to sha256
--- a/Update-test-suite-to-avoid-single-DES-enctypes.patch
+++ b/Update-test-suite-to-avoid-single-DES-enctypes.patch
@ -1,4 +1,4 @@
-From ec9180a78e84c71940c3ef3834bb22aae1245d91 Mon Sep 17 00:00:00 2001
+From 99077dd3855832912df7563086cd615ba430e440 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Fri, 24 May 2019 13:11:55 -0400
 Subject: [PATCH] Update test suite to avoid single-DES enctypes
--- a/Use-backported-version-of-OpenSSL-3-KDF-interface.patch
+++ b/Use-backported-version-of-OpenSSL-3-KDF-interface.patch
@ -1,4 +1,4 @@
-From b4099e1de59730ca7eb022891c1e1cce1d1eb001 Mon Sep 17 00:00:00 2001
+From bdb78f9d3fbf9abccec9b41709bb0131e9ec28d6 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Fri, 15 Nov 2019 20:05:16 +0000
 Subject: [PATCH] Use backported version of OpenSSL-3 KDF interface
@ -10,7 +10,7 @@ Subject: [PATCH] Use backported version of OpenSSL-3 KDF interface
 3 files changed, 423 insertions(+), 184 deletions(-)
 diff --git a/src/configure.in b/src/configure.in
-index d0d8c4ed7..6573e8343 100644
+index 1df6f18fc..3bd5e683d 100644
 --- a/src/configure.in
 +++ b/src/configure.in
@@ -269,6 +269,10 @@ AC_SUBST(CRYPTO_IMPL)
--- a/Use-imported-soft-pkcs11-for-tests.patch
+++ b/Use-imported-soft-pkcs11-for-tests.patch
@ -1,4 +1,4 @@
-From 3d1f71979d0a41e75f5169ecbdd594e171e8bbf6 Mon Sep 17 00:00:00 2001
+From 923cafe924fa08c1b35ca11d5473a255d629592d Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Thu, 20 Jun 2019 13:41:57 -0400
 Subject: [PATCH] Use imported soft-pkcs11 for tests
@ -21,7 +21,7 @@ integrate it into the build system, and use it for the PKINIT tests.
 create mode 100644 src/tests/softpkcs11/softpkcs11.exports
 diff --git a/src/configure.in b/src/configure.in
-index a19a0ea97..d0d8c4ed7 100644
+index 3e3b95e49..1df6f18fc 100644
 --- a/src/configure.in
 +++ b/src/configure.in
@@ -1086,6 +1086,7 @@ int i = 1;
--- a/Use-secure_getenv-where-appropriate.patch
+++ b/Use-secure_getenv-where-appropriate.patch
@ -1,4 +1,4 @@
-From e2fc380331455d023001d74efbe9563e271cee10 Mon Sep 17 00:00:00 2001
+From a41dc78bd3a879870eece3bf0a7c66196c90e7e8 Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Wed, 24 Apr 2019 16:19:50 -0400
 Subject: [PATCH] Use secure_getenv() where appropriate
--- a/Various-gssalloc-fixes.patch
+++ b/Various-gssalloc-fixes.patch
@ -1,142 +0,0 @@
 From 9e574469b639220a34bbf3dc36a96854ad0c269a Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Sat, 23 Nov 2019 11:42:59 -0500
 Subject: [PATCH] Various gssalloc fixes
 The DEBUG_GSSALLOC version of gssalloc_realloc() must add the sentinel
 size to the byte count.
 The mechglue gss_decapsulate_token(), gss_encapsulate_token(), and
 gss_export_sec_context() must use gssalloc_malloc() to allocate
 output buffers.
 The krb5 mech's gss_export_name_composite() and gss_pseudo_random()
 implementations must use gssalloc_malloc() to allocate output buffers.
 SPNEGO's gss_display_status() implementation must use gssalloc for the
 output buffer.
 The sample GSS server must use gss_release_buffer() to free the result
 of gss_export_sec_context().
 ticket: 8852 (new)
 tags: pullup
 target_version: 1.17-next
 target_version: 1.16-next
 (cherry picked from commit ab5c4259bdbe51dd3f4b5c5aff22628188d04322)
 ---
 src/appl/gss-sample/gss-server.c              | 2 +-
 src/lib/gssapi/generic/gssapi_alloc.h         | 2 +-
 src/lib/gssapi/krb5/naming_exts.c             | 2 +-
 src/lib/gssapi/krb5/prf.c                     | 2 +-
 src/lib/gssapi/mechglue/g_decapsulate_token.c | 2 +-
 src/lib/gssapi/mechglue/g_encapsulate_token.c | 2 +-
 src/lib/gssapi/mechglue/g_exp_sec_context.c   | 2 +-
 src/lib/gssapi/spnego/spnego_mech.c           | 2 +-
 8 files changed, 8 insertions(+), 8 deletions(-)
 diff --git a/src/appl/gss-sample/gss-server.c b/src/appl/gss-sample/gss-server.c
 index 6b5959a1c..793fefc9f 100644
 --- a/src/appl/gss-sample/gss-server.c
 +++ b/src/appl/gss-sample/gss-server.c
@@ -391,7 +391,7 @@ test_import_export_context(gss_ctx_id_t *context)
     if (verbose && logfile)
         fprintf(logfile, "Importing context: %7.4f seconds\n",
                 timeval_subtract(&tm1, &tm2));
 -    free(context_token.value);
 +    (void) gss_release_buffer(&min_stat, &context_token);
     return 0;
 }
 diff --git a/src/lib/gssapi/generic/gssapi_alloc.h b/src/lib/gssapi/generic/gssapi_alloc.h
 index 9a5cd9892..d0bd4b2b0 100644
 --- a/src/lib/gssapi/generic/gssapi_alloc.h
 +++ b/src/lib/gssapi/generic/gssapi_alloc.h
@@ -80,7 +80,7 @@ gssalloc_realloc(void *value, size_t size)
         return gssalloc_malloc(size);
     if (memcmp(p, "gssalloc", 8) != 0)
         abort();
 -    return (char *)realloc(p, size) + 8;
 +    return (char *)realloc(p, size + 8) + 8;
 }
 #else /* not _WIN32 or DEBUG_GSSALLOC */
 diff --git a/src/lib/gssapi/krb5/naming_exts.c b/src/lib/gssapi/krb5/naming_exts.c
 index 41752d90b..2ac1aba33 100644
 --- a/src/lib/gssapi/krb5/naming_exts.c
 +++ b/src/lib/gssapi/krb5/naming_exts.c
@@ -624,7 +624,7 @@ krb5_gss_export_name_composite(OM_uint32 *minor_status,
     exp_composite_name->length += 4; /* length of encoded attributes */
     if (attrs != NULL)
         exp_composite_name->length += attrs->length;
 -    exp_composite_name->value = malloc(exp_composite_name->length);
 +    exp_composite_name->value = gssalloc_malloc(exp_composite_name->length);
     if (exp_composite_name->value == NULL) {
         code = ENOMEM;
         goto cleanup;
 diff --git a/src/lib/gssapi/krb5/prf.c b/src/lib/gssapi/krb5/prf.c
 index e897074fc..f87957bdf 100644
 --- a/src/lib/gssapi/krb5/prf.c
 +++ b/src/lib/gssapi/krb5/prf.c
@@ -86,7 +86,7 @@ krb5_gss_pseudo_random(OM_uint32 *minor_status,
     if (desired_output_len == 0)
         return GSS_S_COMPLETE;
 -    prf_out->value = k5alloc(desired_output_len, &code);
 +    prf_out->value = gssalloc_malloc(desired_output_len);
     if (prf_out->value == NULL) {
         code = KG_INPUT_TOO_LONG;
         goto cleanup;
 diff --git a/src/lib/gssapi/mechglue/g_decapsulate_token.c b/src/lib/gssapi/mechglue/g_decapsulate_token.c
 index 934d2607c..1c04e2f27 100644
 --- a/src/lib/gssapi/mechglue/g_decapsulate_token.c
 +++ b/src/lib/gssapi/mechglue/g_decapsulate_token.c
@@ -55,7 +55,7 @@ gss_decapsulate_token(gss_const_buffer_t input_token,
     if (minor != 0)
         return GSS_S_DEFECTIVE_TOKEN;
 -    output_token->value = malloc(body_size);
 +    output_token->value = gssalloc_malloc(body_size);
     if (output_token->value == NULL)
         return GSS_S_FAILURE;
 diff --git a/src/lib/gssapi/mechglue/g_encapsulate_token.c b/src/lib/gssapi/mechglue/g_encapsulate_token.c
 index 6ce0eeb0f..850e3ee65 100644
 --- a/src/lib/gssapi/mechglue/g_encapsulate_token.c
 +++ b/src/lib/gssapi/mechglue/g_encapsulate_token.c
@@ -51,7 +51,7 @@ gss_encapsulate_token(gss_const_buffer_t input_token,
     assert(tokenSize > 2);
     tokenSize -= 2; /* TOK_ID */
 -    output_token->value = malloc(tokenSize);
 +    output_token->value = gssalloc_malloc(tokenSize);
     if (output_token->value == NULL)
         return GSS_S_FAILURE;
 diff --git a/src/lib/gssapi/mechglue/g_exp_sec_context.c b/src/lib/gssapi/mechglue/g_exp_sec_context.c
 index 1d7990b1c..a04afe3d1 100644
 --- a/src/lib/gssapi/mechglue/g_exp_sec_context.c
 +++ b/src/lib/gssapi/mechglue/g_exp_sec_context.c
@@ -112,7 +112,7 @@ gss_buffer_t		interprocess_token;
     length = token.length + 4 + ctx->mech_type->length;
     interprocess_token->length = length;
 -    interprocess_token->value = malloc(length);
 +    interprocess_token->value = gssalloc_malloc(length);
     if (interprocess_token->value == 0) {
 	*minor_status = ENOMEM;
 	status = GSS_S_FAILURE;
 diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
 index 9d6027ce8..412b4c41c 100644
 --- a/src/lib/gssapi/spnego/spnego_mech.c
 +++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -3731,7 +3731,7 @@ negotiate_mech(gss_OID_set supported, gss_OID_set received,
 static spnego_token_t
 make_spnego_token(const char *name)
 {
 -	return (spnego_token_t)strdup(name);
 +	return (spnego_token_t)gssalloc_strdup(name);
 }
 static gss_buffer_desc
--- a/krb5-1.12.1-pam.patch
+++ b/krb5-1.12.1-pam.patch
@ -1,4 +1,4 @@
-From c8f2e321b2d8471feee69bbca3179e675228bd8a Mon Sep 17 00:00:00 2001
+From 5e2837a56bb6bb1fbaf371377dbffa35aa81b3f1 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 23 Aug 2016 16:29:58 -0400
 Subject: [PATCH] krb5-1.12.1-pam.patch
@ -756,7 +756,7 @@ index 000000000..0ab76569c
 +void appl_pam_cleanup(void);
 +#endif
 diff --git a/src/configure.in b/src/configure.in
-index 61ef738dc..e9a12ac16 100644
+index 36df71fa9..cd8ccabcd 100644
 --- a/src/configure.in
 +++ b/src/configure.in
@@ -1352,6 +1352,8 @@ AC_SUBST([VERTO_VERSION])
--- a/krb5-1.15-beta1-buildconf.patch
+++ b/krb5-1.15-beta1-buildconf.patch
@ -1,4 +1,4 @@
-From b7ba0fa6a2f8324c58b57dedde33c1ae5d1ddb41 Mon Sep 17 00:00:00 2001
+From ab2b67102127e448cc1a266fbbe2c738a1a3a158 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 23 Aug 2016 16:45:26 -0400
 Subject: [PATCH] krb5-1.15-beta1-buildconf.patch
--- a/krb5-1.17-beta1-selinux-label.patch
+++ b/krb5-1.17-beta1-selinux-label.patch
@ -1,4 +1,4 @@
-From e1c4f8894d22da9c157bfcf31e28f9ceaeebe39e Mon Sep 17 00:00:00 2001
+From b50a43ef1f09694298ec043104a59082d6f37c8c Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 23 Aug 2016 16:30:53 -0400
 Subject: [PATCH] krb5-1.17-beta1-selinux-label.patch
@ -172,7 +172,7 @@ index ce87e21ca..917357df9 100644
 GSS_LIBS	= $(GSS_KRB5_LIB)
 # needs fixing if ever used on macOS!
 diff --git a/src/configure.in b/src/configure.in
-index e9a12ac16..93aec682e 100644
+index cd8ccabcd..feae21c3e 100644
 --- a/src/configure.in
 +++ b/src/configure.in
@@ -1354,6 +1354,8 @@ AC_PATH_PROG(GROFF, groff)
--- a/krb5-1.17post6-FIPS-with-PRNG-and-RADIUS-and-MD4.patch
+++ b/krb5-1.17post6-FIPS-with-PRNG-and-RADIUS-and-MD4.patch
@ -1,4 +1,4 @@
-From 6048ef0ecbf45f239a6df3074975b926ce286e5a Mon Sep 17 00:00:00 2001
+From c874aa2c7ec16203c0be91e9e789b21221689de2 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Fri, 9 Nov 2018 15:12:21 -0500
 Subject: [PATCH] krb5-1.17post6 FIPS with PRNG and RADIUS and MD4
--- a/krb5-1.3.1-dns.patch
+++ b/krb5-1.3.1-dns.patch
@ -1,4 +1,4 @@
-From 2cf42007974a9c72e8e6a6cc02295e9c2a89317e Mon Sep 17 00:00:00 2001
+From 35cd8e40a35ce4546eaffada2f401a7f0f6a83b3 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 23 Aug 2016 16:46:21 -0400
 Subject: [PATCH] krb5-1.3.1-dns.patch
--- a/krb5-1.9-debuginfo.patch
+++ b/krb5-1.9-debuginfo.patch
@ -1,4 +1,4 @@
-From d205539d89b857f7bd2b09dfc875d5cdd79167b7 Mon Sep 17 00:00:00 2001
+From e0391c7071741e6d59025d8b4a26119f2998d90c Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 23 Aug 2016 16:49:25 -0400
 Subject: [PATCH] krb5-1.9-debuginfo.patch
--- a/krb5.spec
+++ b/krb5.spec
@ -16,20 +16,13 @@
 Summary: The Kerberos network authentication system
 Name: krb5
-Version: 1.17
+Version: 1.17.1
 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
-Release: 54%{?dist}
+Release: 1%{?dist}
 # lookaside-cached sources; two downloads and a build artifact
 Source0: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}%{prerelease}.tar.gz
 # rharwood has trust path to signing key and verifies on check-in
 Source0: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}%{prerelease}.tar.gz
 Source1: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}%{prerelease}.tar.gz.asc
 # This source is generated during the build because sphinx doesn't
 # give me architecture-deterministic documentation builds.
 # To override this behavior (e.g., new upstream version), do:
 #     tar cfT krb5-1.15.2-pdfs.tar /dev/null
 # or the like.
 Source3: krb5-%{version}%{prerelease}-pdfs.tar
 # Numbering is a relic of old init systems etc.  It's easiest to just leave.
 Source2: kprop.service
@ -63,7 +56,6 @@ Patch97: Add-function-and-enctype-flag-for-deprecations.patch
 Patch98: Make-etype-names-in-KDC-logs-human-readable.patch
 Patch99: Mark-deprecated-enctypes-when-used.patch
 Patch100: Properly-size-ifdef-in-k5_cccol_lock.patch
 Patch101: Fix-memory-leak-in-none-replay-cache-type.patch
 Patch104: Clarify-header-comment-for-krb5_cc_start_seq_get.patch
 Patch105: Implement-krb5_cc_remove_cred-for-remaining-types.patch
 Patch106: Remove-srvtab-support.patch
@ -80,7 +72,6 @@ Patch116: Clear-forwardable-flag-instead-of-denying-request.patch
 Patch117: Add-dns_canonicalize_hostname-fallback-support.patch
 Patch118: Use-secure_getenv-where-appropriate.patch
 Patch119: Initialize-some-data-structure-magic-fields.patch
 Patch120: Fix-some-return-code-handling-bugs.patch
 Patch121: Modernize-exit-path-in-gss_krb5int_copy_ccache.patch
 Patch122: Simplify-SAM-2-as_key-handling.patch
 Patch123: Avoid-alignment-warnings-in-openssl-rc4.c.patch
@ -115,8 +106,6 @@ Patch155: Use-imported-soft-pkcs11-for-tests.patch
 Patch156: Fix-Coverity-defects-in-soft-pkcs11-test-code.patch
 Patch157: Skip-URI-tests-when-using-asan.patch
 Patch158: Fix-memory-leaks-in-soft-pkcs11-code.patch
 Patch159: Initialize-life-rlife-in-kdcpolicy-interface.patch
 Patch160: Fix-KCM-client-time-offset-propagation.patch
 Patch162: Simplify-krb5_dbe_def_search_enctype.patch
 Patch163: Squash-apparent-forward-null-in-clnttcp_create.patch
 Patch164: Remove-null-check-in-krb5_gss_duplicate_name.patch
@ -126,9 +115,6 @@ Patch167: Fix-minor-errors-in-softpkcs11.patch
 Patch168: Update-test-suite-cert-message-digest-to-sha256.patch
 Patch169: Use-backported-version-of-OpenSSL-3-KDF-interface.patch
 Patch170: krb5-1.17post6-FIPS-with-PRNG-and-RADIUS-and-MD4.patch
 Patch171: Fix-kadmin-addprinc-randkey-kvno.patch
 Patch172: Various-gssalloc-fixes.patch
 Patch173: Qualify-short-hostnames-when-not-using-DNS.patch
 License: MIT
 URL: https://web.mit.edu/kerberos/www/
@ -136,42 +122,15 @@ BuildRequires: autoconf, bison, cmake, flex, gawk, gettext, pkgconfig, sed
 BuildRequires: gcc
 BuildRequires: libcom_err-devel, libedit-devel, libss-devel
 BuildRequires: gzip, ncurses-devel
-BuildRequires: python3-sphinx, texlive-pdftex, latexmk
+BuildRequires: python3-sphinx
 # For autosetup
 BuildRequires: git
 # Originally from \usepackage directives produced by sphinx:
 BuildRequires: tex(babel.sty)
 BuildRequires: tex(bookmark.sty)
 BuildRequires: tex(capt-of.sty)
 BuildRequires: tex(eqparbox.sty)
 BuildRequires: tex(fancybox.sty)
 BuildRequires: tex(fncychap.sty)
 BuildRequires: tex(fontenc.sty)
 BuildRequires: tex(framed.sty)
 BuildRequires: tex(hyperref.sty)
 BuildRequires: tex(ifthen.sty)
 BuildRequires: tex(inputenc.sty)
 BuildRequires: tex(longtable.sty)
 BuildRequires: tex(multirow.sty)
 BuildRequires: tex(needspace.sty)
 BuildRequires: tex(report.cls)
 BuildRequires: tex(tabulary.sty)
 BuildRequires: tex(threeparttable.sty)
 BuildRequires: tex(times.sty)
 BuildRequires: tex(titlesec.sty)
 BuildRequires: tex(upquote.sty)
 BuildRequires: tex(wrapfig.sty)
 # Typical fonts, and the commands which we need to have present.
 BuildRequires: texlive, texlive-latex, texlive-texmf-fonts
 BuildRequires: /usr/bin/pdflatex /usr/bin/makeindex
 BuildRequires: keyutils, keyutils-libs-devel >= 1.5.8
 BuildRequires: libselinux-devel
 BuildRequires: pam-devel
 BuildRequires: systemd-units
 # For autosetup
 BuildRequires: git
 # For the test framework.
 BuildRequires: perl-interpreter, dejagnu, tcl-devel, python3
 BuildRequires: net-tools, rpcbind
@ -291,7 +250,7 @@ contains only the libkadm5clnt and libkadm5serv shared objects. This
 interface is not considered stable.
 %prep
-%autosetup -S git -n %{name}-%{version}%{prerelease} -a 3
+%autosetup -S git -n %{name}-%{version}%{prerelease}
 ln NOTICE LICENSE
 # Generate an FDS-compatible LDIF file.
@ -381,17 +340,10 @@ fi
 # Build the docs.
 make -C src/doc paths.py version.py
 cp src/doc/paths.py doc/
-mkdir -p build-man build-html build-pdf
+mkdir -p build-man build-html
 sphinx-build -a -b man   -t pathsubs doc build-man
 sphinx-build -a -b html  -t pathsubs doc build-html
 rm -fr build-html/_sources
 sphinx-build -a -b latex -t pathsubs doc build-pdf
 # Build the PDFs if we don't have pre-built ones
 for pdf in admin appdev basic build plugindev user ; do
    test -s build-pdf/$pdf.pdf || make -C build-pdf
 done
 # new krb5-version-pdf
 tar -cf "krb5-%{version}%{prerelease}-pdfs.tar.new" build-pdf/*.pdf
 # We need to cut off any access to locally-running nameservers, too.
 %{__cc} -fPIC -shared -o noport.so -Wall -Wextra %{SOURCE100}
@ -574,7 +526,6 @@ exit 0
 %doc src/config-files/services.append
 %doc src/config-files/krb5.conf
 %doc build-html/*
 %doc build-pdf/user.pdf build-pdf/basic.pdf
 %attr(0755,root,root) %doc src/config-files/convert-config-files
 # Clients of the KDC, including tools you're likely to need if you're running
@ -606,7 +557,6 @@ exit 0
 %files server
 %docdir %{_mandir}
 %doc build-pdf/admin.pdf build-pdf/build.pdf
 %doc src/config-files/kdc.conf
 %{_unitdir}/krb5kdc.service
 %{_unitdir}/kadmin.service
@ -712,7 +662,6 @@ exit 0
 %files devel
 %docdir %{_mandir}
 %doc build-pdf/appdev.pdf build-pdf/plugindev.pdf
 %{_includedir}/*
 %{_libdir}/libgssapi_krb5.so
@ -736,6 +685,10 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*
 %changelog
 * Thu Dec 12 2019 Robbie Harwood <rharwood@redhat.com> - 1.17.1-1
 - New upstream version - 1.17.1
 - Stop building and packaging PDFs
 * Fri Dec 06 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-54
 - Qualify short hostnames when not using DNS
--- a/5
+++ b/5
@ -1,3 +1,2 @@
-SHA512 (krb5-1.17-pdfs.tar) = 89a5a709720ee9028e9bfbcbc808eec436c4b9c6e105888b37660e97cff48e190bc77affa9809353de9cf2f39e517e8a6ab22792263978b403a4a6317ac24a46
+SHA512 (krb5-1.17.1.tar.gz) = e0c3dc0a6554ab3105ac32f3f01519f56064500213aa743816235d83250abc1db9a9ca38a2ba93a938d562b4af135a013017ce96346d6742bca0c812b842ceef
-SHA512 (krb5-1.17.tar.gz) = 7462a578b936bd17f155a362dbb5d388e157a80a096549028be6c55400b11361c7f8a28e424fd5674801873651df4e694d536cae66728b7ae5e840e532358c52
+SHA512 (krb5-1.17.1.tar.gz.asc) = 9665c0b83cc5e8fafbb7f47c383c6bf00e498befa305ab7ed8b867ff6f54a09b6b1f3b7a7f007ceb6dfbc1ebfb797be21cb97ac51c1c8fc8e956d83ce30aa7b1
 SHA512 (krb5-1.17.tar.gz.asc) = 7ee81ccd05559ca1ff945619165297db251010db7c0205855f89ae66a73bc78e98f5e28ea154dcb752f5d4afb9349a293dcf8f64858d2129a869295fa8946e0f