New upstream version - 1.17.1
Stop building and packaging PDFs
parent
4aee4bdd71
commit
9d642021d7
2
.gitignore
vendored
2
.gitignore
vendored
@ -175,3 +175,5 @@ krb5-1.8.3-pdf.tar.gz
|
||||
/krb5-1.17-pdfs.tar
|
||||
/krb5-1.17.tar.gz
|
||||
/krb5-1.17.tar.gz.asc
|
||||
/krb5-1.17.1.tar.gz
|
||||
/krb5-1.17.1.tar.gz.asc
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 947ba07fe50c4bb6188d453fd3f6b0b9ef6d5288 Mon Sep 17 00:00:00 2001
|
||||
From b952b5ac5301ed9f4ae49300e90631ae0562b012 Mon Sep 17 00:00:00 2001
|
||||
From: Simo Sorce <simo@redhat.com>
|
||||
Date: Tue, 4 Dec 2018 15:22:55 -0500
|
||||
Subject: [PATCH] Add dns_canonicalize_hostname=fallback support
|
||||
@ -28,10 +28,10 @@ ticket: 8765 (new)
|
||||
10 files changed, 167 insertions(+), 18 deletions(-)
|
||||
|
||||
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
|
||||
index 7b4389f6b..e9f7e8c59 100644
|
||||
index 4adb084a6..d1e1a222d 100644
|
||||
--- a/doc/admin/conf_files/krb5_conf.rst
|
||||
+++ b/doc/admin/conf_files/krb5_conf.rst
|
||||
@@ -201,6 +201,10 @@ The libdefaults section may contain any of the following relations:
|
||||
@@ -195,6 +195,10 @@ The libdefaults section may contain any of the following relations:
|
||||
means that short hostnames will not be canonicalized to
|
||||
fully-qualified hostnames. The default value is true.
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 15ac04c3e0d02c36643427ac943d344711cd8b50 Mon Sep 17 00:00:00 2001
|
||||
From 397ce771e195edf63f796f1cf917bc65b4eafd8c Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 15 Jan 2019 16:16:57 -0500
|
||||
Subject: [PATCH] Add function and enctype flag for deprecations
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 98b86c4f1ca794a18cbe957b6d520380fe424240 Mon Sep 17 00:00:00 2001
|
||||
From 6946ea68b719da8434fc4c09b4ed97be91d8464b Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Tue, 21 May 2019 12:52:26 -0400
|
||||
Subject: [PATCH] Add missing newlines to deprecation warnings
|
||||
|
@ -1,4 +1,4 @@
|
||||
From d80e1a0f07591c1fedc9cfc2cbb6ab7e54b55287 Mon Sep 17 00:00:00 2001
|
||||
From 5ede44dfeffca55c793fe5ea49b438497dff027b Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Thu, 20 Jun 2019 10:45:18 -0400
|
||||
Subject: [PATCH] Add soft-pkcs11 source code
|
||||
|
@ -1,4 +1,4 @@
|
||||
From bb8109eaafe65f323052493f7539c88204799b70 Mon Sep 17 00:00:00 2001
|
||||
From 0b63afda1a399a37274021115524db1e65675cb9 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Thu, 22 Nov 2018 00:27:35 -0500
|
||||
Subject: [PATCH] Add tests for KCM ccache type
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 90cf4ccec641d9bc466d4e404d36d486b3573a07 Mon Sep 17 00:00:00 2001
|
||||
From b99ba3fa4bc99c2925fa4b509004d694e9d7ac68 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Thu, 14 Mar 2019 11:26:44 -0400
|
||||
Subject: [PATCH] Add zapfreedata() convenience function
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 842ffb8cd2f47844346c6a88ff7575c6d131644b Mon Sep 17 00:00:00 2001
|
||||
From 95fec44aebd6a4d815f88a0b5a53517c4f3175f4 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Sun, 30 Dec 2018 16:40:28 -0500
|
||||
Subject: [PATCH] Address some optimized-out memset() calls
|
||||
@ -60,10 +60,10 @@ index bb1072fe4..47c161ec9 100644
|
||||
iah.cookie = cookie;
|
||||
|
||||
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
|
||||
index 21c53ece1..9ab2c5a74 100644
|
||||
index 8582bbc56..be0922101 100644
|
||||
--- a/src/lib/kadm5/srv/svr_principal.c
|
||||
+++ b/src/lib/kadm5/srv/svr_principal.c
|
||||
@@ -2093,14 +2093,8 @@ static int decrypt_key_data(krb5_context context,
|
||||
@@ -2097,14 +2097,8 @@ static int decrypt_key_data(krb5_context context,
|
||||
ret = krb5_dbe_decrypt_key_data(context, NULL, &key_data[i], &keys[i],
|
||||
NULL);
|
||||
if (ret) {
|
||||
|
@ -1,4 +1,4 @@
|
||||
From ceb6a10c14ec83b0d4d1bb6f792917e6945995d6 Mon Sep 17 00:00:00 2001
|
||||
From 399b9ed8ef199b6280bf4d6564928c79a3611cc5 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Mon, 6 May 2019 15:14:49 -0400
|
||||
Subject: [PATCH] Avoid alignment warnings in openssl rc4.c
|
||||
|
@ -1,4 +1,4 @@
|
||||
From df3bfd244f8b4601f8750599270eb98cadccdafe Mon Sep 17 00:00:00 2001
|
||||
From c896facca7dd9d0fbbd561d3a723a90216821b72 Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schneider <asn@samba.org>
|
||||
Date: Thu, 3 Jan 2019 17:19:32 +0100
|
||||
Subject: [PATCH] Avoid allocating a register in zap() assembly
|
||||
@ -17,7 +17,7 @@ Also add explicit_bzero() (glibc, FreeBSD) and explicit_memset()
|
||||
2 files changed, 6 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/configure.in b/src/configure.in
|
||||
index 93aec682e..7c309a26b 100644
|
||||
index feae21c3e..505dabb02 100644
|
||||
--- a/src/configure.in
|
||||
+++ b/src/configure.in
|
||||
@@ -421,7 +421,7 @@ AC_PROG_LEX
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 8eee70cc192adf9c0c11061c48d708e0157a9399 Mon Sep 17 00:00:00 2001
|
||||
From 57e48b63b1f0b34861c66fb24dafc0feb524f47c Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Mon, 22 Apr 2019 14:26:42 -0400
|
||||
Subject: [PATCH] Check more errors in OpenSSL crypto backend
|
||||
|
@ -1,4 +1,4 @@
|
||||
From eb8d1bbf210b159384859dd482657a31de80a787 Mon Sep 17 00:00:00 2001
|
||||
From 037981b197a6046574539ec405cc1d67b9f22473 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 2 Apr 2019 14:18:57 -0400
|
||||
Subject: [PATCH] Clarify header comment for krb5_cc_start_seq_get()
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 24d3008698d6c654ab079413583c9f1359ad8f59 Mon Sep 17 00:00:00 2001
|
||||
From 54b5eceb45db9cf6ff86eea5efebba66cf48153e Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Thu, 15 Nov 2018 13:40:43 -0500
|
||||
Subject: [PATCH] Clear forwardable flag instead of denying request
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 756e069368719f53444b5a819753fdeda5561994 Mon Sep 17 00:00:00 2001
|
||||
From c8b24f222719df0c4b9815d26019ad96c551ec81 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Tue, 21 May 2019 13:34:39 -0400
|
||||
Subject: [PATCH] Display unsupported enctype names
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 261e67018b25412c53a290c429612bb55569428e Mon Sep 17 00:00:00 2001
|
||||
From d39897c46818f990eb7752573c309b97d90a983e Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Wed, 10 Jul 2019 17:10:16 -0400
|
||||
Subject: [PATCH] Don't error on invalid enctypes in keytab
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 675edf995b497d681732a2909df21d8e4fe11e07 Mon Sep 17 00:00:00 2001
|
||||
From 073c20a214df8b416b8d848412256c57feb43ef0 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Tue, 16 Jul 2019 00:15:42 -0400
|
||||
Subject: [PATCH] Filter enctypes in gss_set_allowable_enctypes()
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 0acc96dccbb4f4e75584ee39239da392b919f5f8 Mon Sep 17 00:00:00 2001
|
||||
From 14bc517f1fbd0bc7b3a6137871c167c595747a3e Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Sat, 20 Jul 2019 00:51:52 -0400
|
||||
Subject: [PATCH] Fix Coverity defects in soft-pkcs11 test code
|
||||
|
@ -1,32 +0,0 @@
|
||||
From 48dd1debf9bd7b04195aeb435d54eefde39bc35e Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Wed, 14 Aug 2019 13:52:27 -0400
|
||||
Subject: [PATCH] Fix KCM client time offset propagation
|
||||
|
||||
An inverted status check in get_kdc_offset() would cause querying the
|
||||
offset time from the ccache to always fail (silently) on KCM. Fix the
|
||||
status check so that KCM can properly handle desync.
|
||||
|
||||
ticket: 8826 (new)
|
||||
tags: pullup
|
||||
target_version: 1.17-next
|
||||
target_verison: 1.16-next
|
||||
|
||||
(cherry picked from commit 323abb6d1ebe5469d6c2167c29aa5d696d099b90)
|
||||
---
|
||||
src/lib/krb5/ccache/cc_kcm.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/lib/krb5/ccache/cc_kcm.c b/src/lib/krb5/ccache/cc_kcm.c
|
||||
index 092ab7daf..fe93ca3dc 100644
|
||||
--- a/src/lib/krb5/ccache/cc_kcm.c
|
||||
+++ b/src/lib/krb5/ccache/cc_kcm.c
|
||||
@@ -583,7 +583,7 @@ get_kdc_offset(krb5_context context, krb5_ccache cache)
|
||||
if (cache_call(context, cache, &req, FALSE) != 0)
|
||||
goto cleanup;
|
||||
time_offset = k5_input_get_uint32_be(&req.reply);
|
||||
- if (!req.reply.status)
|
||||
+ if (req.reply.status)
|
||||
goto cleanup;
|
||||
context->os_context.time_offset = time_offset;
|
||||
context->os_context.usec_offset = 0;
|
@ -1,4 +1,4 @@
|
||||
From fd25fce46c2454b7386d2725dba493471a2e3fe8 Mon Sep 17 00:00:00 2001
|
||||
From 2f939727e531f04a24b687b9807b2e23599a2e4f Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Wed, 25 Sep 2019 12:57:56 -0400
|
||||
Subject: [PATCH] Fix KDC crash when logging PKINIT enctypes
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 508863ce900694d4a78af60361e23be59143aac8 Mon Sep 17 00:00:00 2001
|
||||
From bde05bf227939691855c025ce3c79cda07093fa7 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Tue, 16 Apr 2019 10:47:35 -0400
|
||||
Subject: [PATCH] Fix config realm change logic in FILE remove_cred
|
||||
|
@ -1,45 +0,0 @@
|
||||
From 5e0baa51f69ae9f67865d808213bda5872ee7dc6 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Sat, 16 Nov 2019 19:54:51 -0500
|
||||
Subject: [PATCH] Fix kadmin addprinc -randkey -kvno
|
||||
|
||||
Commit f07bca9fc94a5cf2e3c0f58226c7973a4b86b7a9 made addprinc -randkey
|
||||
use a single RPC request, but the server-side handling always creates
|
||||
the random keys with kvno 1. If a kvno is specified in the RPC
|
||||
request, set the kvno of the key data after creating it. Reported by
|
||||
Andreas Ladanyi.
|
||||
|
||||
ticket: 8848
|
||||
tags: pullup
|
||||
target_version: 1.17-next
|
||||
target_version: 1.16-next
|
||||
|
||||
(cherry picked from commit 462e85208d57b8d4120c99e801fbd156b9ccf16f)
|
||||
---
|
||||
src/lib/kadm5/srv/svr_principal.c | 6 +++++-
|
||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
|
||||
index 48cac0c11..a1ecdbfc4 100644
|
||||
--- a/src/lib/kadm5/srv/svr_principal.c
|
||||
+++ b/src/lib/kadm5/srv/svr_principal.c
|
||||
@@ -302,7 +302,7 @@ kadm5_create_principal_3(void *server_handle,
|
||||
kadm5_server_handle_t handle = server_handle;
|
||||
krb5_keyblock *act_mkey;
|
||||
krb5_kvno act_kvno;
|
||||
- int new_n_ks_tuple = 0;
|
||||
+ int new_n_ks_tuple = 0, i;
|
||||
krb5_key_salt_tuple *new_ks_tuple = NULL;
|
||||
|
||||
CHECK_HANDLE(server_handle);
|
||||
@@ -468,6 +468,10 @@ kadm5_create_principal_3(void *server_handle,
|
||||
/* Null password means create with random key (new in 1.8). */
|
||||
ret = krb5_dbe_crk(handle->context, &master_keyblock,
|
||||
new_ks_tuple, new_n_ks_tuple, FALSE, kdb);
|
||||
+ if (mask & KADM5_KVNO) {
|
||||
+ for (i = 0; i < kdb->n_key_data; i++)
|
||||
+ kdb->key_data[i].key_data_kvno = entry->kvno;
|
||||
+ }
|
||||
}
|
||||
if (ret)
|
||||
goto cleanup;
|
@ -1,33 +0,0 @@
|
||||
From 0bb94eb7c3b231279d8ded0484ecea10ebe89302 Mon Sep 17 00:00:00 2001
|
||||
From: Corene Casper <C.Casper@Dell.com>
|
||||
Date: Sat, 16 Feb 2019 00:49:26 -0500
|
||||
Subject: [PATCH] Fix memory leak in 'none' replay cache type
|
||||
|
||||
Commit 0f06098e2ab419d02e89a1ca6bc9f2828f6bdb1e fixed part of a memory
|
||||
leak in the 'none' replay cache type by freeing the outer container,
|
||||
but we also need to free the mutex.
|
||||
|
||||
[ghudson@mit.edu: wrote commit message]
|
||||
|
||||
ticket: 8783
|
||||
tags: pullup
|
||||
target_version: 1.17-next
|
||||
target_version: 1.16-next
|
||||
|
||||
(cherry picked from commit af2a3115cb8feb5174151b4b40223ae45aa9db17)
|
||||
---
|
||||
src/lib/krb5/rcache/rc_none.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/src/lib/krb5/rcache/rc_none.c b/src/lib/krb5/rcache/rc_none.c
|
||||
index e30aed09f..0b2274df7 100644
|
||||
--- a/src/lib/krb5/rcache/rc_none.c
|
||||
+++ b/src/lib/krb5/rcache/rc_none.c
|
||||
@@ -50,6 +50,7 @@ krb5_rc_none_noargs(krb5_context ctx, krb5_rcache rc)
|
||||
static krb5_error_code KRB5_CALLCONV
|
||||
krb5_rc_none_close(krb5_context ctx, krb5_rcache rc)
|
||||
{
|
||||
+ k5_mutex_destroy(&rc->lock);
|
||||
free (rc);
|
||||
return 0;
|
||||
}
|
@ -1,4 +1,4 @@
|
||||
From 8087bdce8a5e9912f693ab199198a5bf4db54001 Mon Sep 17 00:00:00 2001
|
||||
From b0acd2918e673a60a88cfed9fe7da08fb7fc4987 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Mon, 5 Aug 2019 01:53:51 -0400
|
||||
Subject: [PATCH] Fix memory leaks in soft-pkcs11 code
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 0d27dbf488547b9ca6780f23e5e40fa820928385 Mon Sep 17 00:00:00 2001
|
||||
From 343068058951e343179156e895c7483ab8194236 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Fri, 8 Nov 2019 14:28:56 -0500
|
||||
Subject: [PATCH] Fix minor errors in softpkcs11
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 5917d1d1a51c2a4b243661710b3107b1bc43fff0 Mon Sep 17 00:00:00 2001
|
||||
From 20e18b31bac004c13b7f2b5b1e67e80730481aea Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Thu, 18 Apr 2019 13:39:37 -0400
|
||||
Subject: [PATCH] Fix potential close(-1) in cc_file.c
|
||||
|
@ -1,103 +0,0 @@
|
||||
From 3612a7873e5e07b51d47c6c38f8a83e0b3d51e20 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Thu, 2 May 2019 14:05:38 -0400
|
||||
Subject: [PATCH] Fix some return code handling bugs
|
||||
|
||||
Fix five cases where return codes could be set (in unlikely cases) but
|
||||
did not result in error exits.
|
||||
|
||||
[ghudson@mit.edu: squashed commits and rewrote commit message]
|
||||
|
||||
ticket: 8801 (new)
|
||||
tags: pullup
|
||||
target_version: 1.17-next
|
||||
target_version: 1.16-next
|
||||
|
||||
(cherry picked from commit 7c26740f9df3c79c3f01c3a4dda4d9dabba5298d)
|
||||
---
|
||||
src/kdc/fast_util.c | 16 ++++++++--------
|
||||
src/lib/gssapi/krb5/k5unsealiov.c | 1 +
|
||||
src/lib/kadm5/clnt/client_init.c | 3 +++
|
||||
src/tests/gssapi/t_pcontok.c | 1 +
|
||||
4 files changed, 13 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/src/kdc/fast_util.c b/src/kdc/fast_util.c
|
||||
index 6a3fc11b9..c9ba83e5e 100644
|
||||
--- a/src/kdc/fast_util.c
|
||||
+++ b/src/kdc/fast_util.c
|
||||
@@ -47,9 +47,10 @@ static krb5_error_code armor_ap_request
|
||||
if (retval == 0)
|
||||
retval = krb5_auth_con_setflags(kdc_context,
|
||||
authcontext, 0); /*disable replay cache*/
|
||||
- retval = krb5_rd_req(kdc_context, &authcontext,
|
||||
- &armor->armor_value, NULL /*server*/,
|
||||
- kdc_active_realm->realm_keytab, NULL, &ticket);
|
||||
+ if (retval == 0)
|
||||
+ retval = krb5_rd_req(kdc_context, &authcontext, &armor->armor_value,
|
||||
+ NULL /*server*/, kdc_active_realm->realm_keytab,
|
||||
+ NULL, &ticket);
|
||||
if (retval != 0) {
|
||||
const char * errmsg = krb5_get_error_message(kdc_context, retval);
|
||||
k5_setmsg(kdc_context, retval, _("%s while handling ap-request armor"),
|
||||
@@ -132,7 +133,7 @@ kdc_find_fast(krb5_kdc_req **requestptr,
|
||||
{
|
||||
krb5_error_code retval = 0;
|
||||
krb5_pa_data *fast_padata;
|
||||
- krb5_data scratch, *inner_body = NULL;
|
||||
+ krb5_data scratch, plaintext, *inner_body = NULL;
|
||||
krb5_fast_req * fast_req = NULL;
|
||||
krb5_kdc_req *request = *requestptr;
|
||||
krb5_fast_armored_req *fast_armored_req = NULL;
|
||||
@@ -183,11 +184,10 @@ kdc_find_fast(krb5_kdc_req **requestptr,
|
||||
}
|
||||
}
|
||||
if (retval == 0) {
|
||||
- krb5_data plaintext;
|
||||
plaintext.length = fast_armored_req->enc_part.ciphertext.length;
|
||||
- plaintext.data = malloc(plaintext.length);
|
||||
- if (plaintext.data == NULL)
|
||||
- retval = ENOMEM;
|
||||
+ plaintext.data = k5alloc(plaintext.length, &retval);
|
||||
+ }
|
||||
+ if (retval == 0) {
|
||||
retval = krb5_c_decrypt(kdc_context,
|
||||
state->armor_key,
|
||||
KRB5_KEYUSAGE_FAST_ENC, NULL,
|
||||
diff --git a/src/lib/gssapi/krb5/k5unsealiov.c b/src/lib/gssapi/krb5/k5unsealiov.c
|
||||
index 8b6704274..f15d2db69 100644
|
||||
--- a/src/lib/gssapi/krb5/k5unsealiov.c
|
||||
+++ b/src/lib/gssapi/krb5/k5unsealiov.c
|
||||
@@ -281,6 +281,7 @@ kg_unseal_v1_iov(krb5_context context,
|
||||
(!ctx->initiate && direction != 0)) {
|
||||
*minor_status = (OM_uint32)G_BAD_DIRECTION;
|
||||
retval = GSS_S_BAD_SIG;
|
||||
+ goto cleanup;
|
||||
}
|
||||
|
||||
code = 0;
|
||||
diff --git a/src/lib/kadm5/clnt/client_init.c b/src/lib/kadm5/clnt/client_init.c
|
||||
index 6f10db018..aa08918e2 100644
|
||||
--- a/src/lib/kadm5/clnt/client_init.c
|
||||
+++ b/src/lib/kadm5/clnt/client_init.c
|
||||
@@ -465,6 +465,9 @@ gic_iter(kadm5_server_handle_t handle, enum init_type init_type,
|
||||
/* Credentials for kadmin don't need to be forwardable or proxiable. */
|
||||
if (init_type != INIT_CREDS) {
|
||||
code = krb5_get_init_creds_opt_alloc(ctx, &opt);
|
||||
+ if (code)
|
||||
+ goto error;
|
||||
+
|
||||
krb5_get_init_creds_opt_set_forwardable(opt, 0);
|
||||
krb5_get_init_creds_opt_set_proxiable(opt, 0);
|
||||
krb5_get_init_creds_opt_set_out_ccache(ctx, opt, ccache);
|
||||
diff --git a/src/tests/gssapi/t_pcontok.c b/src/tests/gssapi/t_pcontok.c
|
||||
index b966f8129..c40ea434c 100644
|
||||
--- a/src/tests/gssapi/t_pcontok.c
|
||||
+++ b/src/tests/gssapi/t_pcontok.c
|
||||
@@ -126,6 +126,7 @@ make_delete_token(gss_krb5_lucid_context_v1_t *lctx, gss_buffer_desc *out)
|
||||
iov.flags = KRB5_CRYPTO_TYPE_DATA;
|
||||
iov.data = make_data(cksum.contents, 16);
|
||||
ret = krb5_k_encrypt_iov(context, seq, 0, NULL, &iov, 1);
|
||||
+ check_k5err(context, "krb5_k_encrypt_iov", ret);
|
||||
memcpy(ptr + 8, cksum.contents + 8, 8);
|
||||
} else {
|
||||
memcpy(ptr + 8, cksum.contents, cksize);
|
@ -1,4 +1,4 @@
|
||||
From 43e56c3442e7601a6e041a010f0ca9acb6021d8f Mon Sep 17 00:00:00 2001
|
||||
From adeba65ff738184656bb9589e1e3ffb079d3adf0 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Mon, 1 Apr 2019 14:28:48 -0400
|
||||
Subject: [PATCH] Implement krb5_cc_remove_cred for remaining types
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 3f5781029e48d7f2f5a694a4d3e19691eefde87f Mon Sep 17 00:00:00 2001
|
||||
From 69a09fc7c76f443f08c437043d689669d39f46ca Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Mon, 6 May 2019 13:13:16 -0400
|
||||
Subject: [PATCH] Improve error messages from kadmin change_password
|
||||
|
@ -1,4 +1,4 @@
|
||||
From d1bbb1c98c3c2deb3713959281a3eee2b5019480 Mon Sep 17 00:00:00 2001
|
||||
From bcd727fc66e9213e7b6ea4d22f781812033789ba Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 15 Jan 2019 13:41:16 -0500
|
||||
Subject: [PATCH] In kpropd, debug-log proper ticket enctype names
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 803290c5773eb2e6a344f0ad0a01645e30c79031 Mon Sep 17 00:00:00 2001
|
||||
From 7710ba9b6d48ae82a2b2559131c6a8da802a4c0d Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Mon, 14 Jan 2019 17:14:42 -0500
|
||||
Subject: [PATCH] In rd_req_dec, always log non-permitted enctypes
|
||||
|
@ -1,41 +0,0 @@
|
||||
From 17d1dbd3b2eb3961c061b140f8a7641405e59d44 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Fri, 9 Aug 2019 14:07:22 -0400
|
||||
Subject: [PATCH] Initialize life/rlife in kdcpolicy interface
|
||||
|
||||
A value of 0 indicates that the plugin doesn't wish to modify lifetimes.
|
||||
Make this the default, rather than requiring all plugins to set these
|
||||
values themselves.
|
||||
|
||||
ticket: 8824 (new)
|
||||
tags: pullup
|
||||
target_version: 1.17-next
|
||||
target_version: 1.16-next
|
||||
|
||||
(cherry picked from commit d81c5870013240c04642c8e0cb994b4c49e40ddf)
|
||||
---
|
||||
src/kdc/policy.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/kdc/policy.c b/src/kdc/policy.c
|
||||
index 26c16f97c..a3ff556c5 100644
|
||||
--- a/src/kdc/policy.c
|
||||
+++ b/src/kdc/policy.c
|
||||
@@ -106,7 +106,7 @@ check_kdcpolicy_as(krb5_context context, const krb5_kdc_req *request,
|
||||
krb5_data *const *auth_indicators, krb5_timestamp kdc_time,
|
||||
krb5_ticket_times *times, const char **status)
|
||||
{
|
||||
- krb5_deltat life, rlife;
|
||||
+ krb5_deltat life = 0, rlife = 0;
|
||||
krb5_error_code ret;
|
||||
kdcpolicy_handle *hp, h;
|
||||
char **ais = NULL;
|
||||
@@ -146,7 +146,7 @@ check_kdcpolicy_tgs(krb5_context context, const krb5_kdc_req *request,
|
||||
krb5_data *const *auth_indicators, krb5_timestamp kdc_time,
|
||||
krb5_ticket_times *times, const char **status)
|
||||
{
|
||||
- krb5_deltat life, rlife;
|
||||
+ krb5_deltat life = 0, rlife = 0;
|
||||
krb5_error_code ret;
|
||||
kdcpolicy_handle *hp, h;
|
||||
char **ais = NULL;
|
@ -1,4 +1,4 @@
|
||||
From e4e58539348e886f9ac39881d576c7512fc37a2b Mon Sep 17 00:00:00 2001
|
||||
From 3f8434553e5bc3551c7be651de196caf98647cf3 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Thu, 2 May 2019 13:36:38 -0400
|
||||
Subject: [PATCH] Initialize some data structure magic fields
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 78e9d11d8a6c05218d18b9b200d1de888a95503c Mon Sep 17 00:00:00 2001
|
||||
From f4681ed7ec9f22fdbacc5c58a9f12ef567601267 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Fri, 27 Sep 2019 16:55:37 -0400
|
||||
Subject: [PATCH] Log unknown enctypes as unsupported in KDC
|
||||
|
@ -1,4 +1,4 @@
|
||||
From a50161ee09ef887493afcf5f3901f9d0a9c20fc5 Mon Sep 17 00:00:00 2001
|
||||
From 87e5a350db1c18a92427a2a7645cc53d5813672d Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 8 Jan 2019 17:42:35 -0500
|
||||
Subject: [PATCH] Make etype names in KDC logs human-readable
|
||||
|
@ -1,4 +1,4 @@
|
||||
From de5bdedc1d27ee3e9ff7072614ea1316064b222a Mon Sep 17 00:00:00 2001
|
||||
From 8e3b86c1e7bdd12c649127a8a44e5a269b5b4453 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Thu, 10 Jan 2019 16:34:54 -0500
|
||||
Subject: [PATCH] Mark deprecated enctypes when used
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 4ebd1454a32df78d10c7de4c09ac8dc8ebb4f41b Mon Sep 17 00:00:00 2001
|
||||
From d8a20291fca962dfc88e396f2a60e41ede62be46 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Thu, 11 Apr 2019 18:33:04 -0400
|
||||
Subject: [PATCH] Mark the doc/kadm5 tex files as historic
|
||||
|
@ -1,10 +1,11 @@
|
||||
From c547bf2cae39d503de3ac3670d99b2cc324c6567 Mon Sep 17 00:00:00 2001
|
||||
From b90cdec363eae38cb2ea40d40668e3fbc83edeb8 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Thu, 11 Apr 2019 18:25:41 -0400
|
||||
Subject: [PATCH] Modernize example enctypes in documentation
|
||||
|
||||
ticket: 8805 (new)
|
||||
(cherry picked from commit ccb4a3e4b35fa9ea63af0e98a42eba4aadb099e2)
|
||||
[rharwood@redhat.com: release version conflict in man pages]
|
||||
---
|
||||
doc/admin/admin_commands/kadmin_local.rst | 8 ++++----
|
||||
doc/admin/admin_commands/kdb5_util.rst | 10 +++++-----
|
||||
@ -70,7 +71,7 @@ index 7dd54f797..444c58bcd 100644
|
||||
|
||||
ENVIRONMENT
|
||||
diff --git a/doc/admin/database.rst b/doc/admin/database.rst
|
||||
index 113a680a6..0eb5ccde7 100644
|
||||
index 33895b857..cea60b009 100644
|
||||
--- a/doc/admin/database.rst
|
||||
+++ b/doc/admin/database.rst
|
||||
@@ -483,7 +483,7 @@ availability. To roll over the master key, follow these steps:
|
||||
@ -126,13 +127,13 @@ index 5d1e70ede..3bec59f96 100644
|
||||
type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
|
||||
|
||||
diff --git a/src/man/kadmin.man b/src/man/kadmin.man
|
||||
index 849677258..44859a378 100644
|
||||
index 3c4f013fb..44859a378 100644
|
||||
--- a/src/man/kadmin.man
|
||||
+++ b/src/man/kadmin.man
|
||||
@@ -1,6 +1,6 @@
|
||||
.\" Man page generated from reStructuredText.
|
||||
.
|
||||
-.TH "KADMIN" "1" " " "1.17" "MIT Kerberos"
|
||||
-.TH "KADMIN" "1" " " "1.17.1" "MIT Kerberos"
|
||||
+.TH "KADMIN" "1" " " "1.18" "MIT Kerberos"
|
||||
.SH NAME
|
||||
kadmin \- Kerberos V5 database administration program
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 8fe3c4bde435c68a74c8075661a432cd1d3c17b9 Mon Sep 17 00:00:00 2001
|
||||
From 762241d6dbcb7b90ecf6a7352553465c30fcab74 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Thu, 2 May 2019 14:32:33 -0400
|
||||
Subject: [PATCH] Modernize exit path in gss_krb5int_copy_ccache()
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 916861d361be090965e1b4df4f60fce64206cf79 Mon Sep 17 00:00:00 2001
|
||||
From c1b4612565658d64940ba4760e0b47afd21e718f Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Thu, 14 Feb 2019 11:50:35 -0500
|
||||
Subject: [PATCH] Properly size #ifdef in k5_cccol_lock()
|
||||
|
@ -1,309 +0,0 @@
|
||||
From 35160d8bf1aa1464d7e757c73ed11644478cc4d4 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Fri, 29 Nov 2019 20:39:38 -0500
|
||||
Subject: [PATCH] Qualify short hostnames when not using DNS
|
||||
|
||||
When DNS forward canonicalization is turned off or fails, qualify
|
||||
single-component hostnames with the first DNS search domain. Add the
|
||||
qualify_shortname relation to override this suffix.
|
||||
|
||||
For one of the tests we need to disable qualification, which is
|
||||
accomplished with an empty value. Adjust k5test.py to correctly emit
|
||||
empty values when writing profiles.
|
||||
|
||||
ticket: 8855 (new)
|
||||
(cherry picked from commit 996353767fe8afa7f67a3b5b465e4d70e18bad7c)
|
||||
---
|
||||
doc/admin/conf_files/krb5_conf.rst | 9 +++++++
|
||||
src/include/k5-int.h | 1 +
|
||||
src/lib/krb5/os/dnsglue.c | 23 ++++++++++++++++
|
||||
src/lib/krb5/os/os-proto.h | 2 ++
|
||||
src/lib/krb5/os/sn2princ.c | 43 +++++++++++++++++++++++++++++-
|
||||
src/tests/gssapi/t_ccselect.py | 5 ++--
|
||||
src/tests/t_sn2princ.py | 12 ++++++---
|
||||
src/util/k5test.py | 34 ++++++++++++-----------
|
||||
8 files changed, 106 insertions(+), 23 deletions(-)
|
||||
|
||||
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
|
||||
index 89f02434b..582ac8df0 100644
|
||||
--- a/doc/admin/conf_files/krb5_conf.rst
|
||||
+++ b/doc/admin/conf_files/krb5_conf.rst
|
||||
@@ -308,6 +308,15 @@ The libdefaults section may contain any of the following relations:
|
||||
If this flag is true, initial tickets will be proxiable by
|
||||
default, if allowed by the KDC. The default value is false.
|
||||
|
||||
+**qualify_shortname**
|
||||
+ If this string is set, it determines the domain suffix for
|
||||
+ single-component hostnames when DNS canonicalization is not used
|
||||
+ (either because **dns_canonicalize_hostname** is false or because
|
||||
+ forward canonicalization failed). The default value is the first
|
||||
+ search domain of the system's DNS configuration. To disable
|
||||
+ qualification of shortnames, set this relation to the empty string
|
||||
+ with ``qualify_shortname = ""``. (New in release 1.18.)
|
||||
+
|
||||
**rdns**
|
||||
If this flag is true, reverse name lookup will be used in addition
|
||||
to forward name lookup to canonicalizing hostnames for use in
|
||||
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
|
||||
index cb328785d..7458319fa 100644
|
||||
--- a/src/include/k5-int.h
|
||||
+++ b/src/include/k5-int.h
|
||||
@@ -280,6 +280,7 @@ typedef unsigned char u_char;
|
||||
#define KRB5_CONF_PLUGIN_BASE_DIR "plugin_base_dir"
|
||||
#define KRB5_CONF_PREFERRED_PREAUTH_TYPES "preferred_preauth_types"
|
||||
#define KRB5_CONF_PROXIABLE "proxiable"
|
||||
+#define KRB5_CONF_QUALIFY_SHORTNAME "qualify_shortname"
|
||||
#define KRB5_CONF_RDNS "rdns"
|
||||
#define KRB5_CONF_REALMS "realms"
|
||||
#define KRB5_CONF_REALM_TRY_DOMAINS "realm_try_domains"
|
||||
diff --git a/src/lib/krb5/os/dnsglue.c b/src/lib/krb5/os/dnsglue.c
|
||||
index 59ff92963..e35ca9d76 100644
|
||||
--- a/src/lib/krb5/os/dnsglue.c
|
||||
+++ b/src/lib/krb5/os/dnsglue.c
|
||||
@@ -71,6 +71,7 @@ static int initparse(struct krb5int_dns_state *);
|
||||
* Define macros to use the best available DNS search functions. INIT_HANDLE()
|
||||
* returns true if handle initialization is successful, false if it is not.
|
||||
* SEARCH() returns the length of the response or -1 on error.
|
||||
+ * PRIMARY_DOMAIN() returns the first search domain in allocated memory.
|
||||
* DECLARE_HANDLE() must be used last in the declaration list since it may
|
||||
* evaluate to nothing.
|
||||
*/
|
||||
@@ -81,6 +82,7 @@ static int initparse(struct krb5int_dns_state *);
|
||||
#define DECLARE_HANDLE(h) dns_handle_t h
|
||||
#define INIT_HANDLE(h) ((h = dns_open(NULL)) != NULL)
|
||||
#define SEARCH(h, n, c, t, a, l) dns_search(h, n, c, t, a, l, NULL, NULL)
|
||||
+#define PRIMARY_DOMAIN(h) dns_search_list_domain(h, 0)
|
||||
#define DESTROY_HANDLE(h) dns_free(h)
|
||||
|
||||
#elif HAVE_RES_NINIT && HAVE_RES_NSEARCH
|
||||
@@ -89,6 +91,7 @@ static int initparse(struct krb5int_dns_state *);
|
||||
#define DECLARE_HANDLE(h) struct __res_state h
|
||||
#define INIT_HANDLE(h) (memset(&h, 0, sizeof(h)), res_ninit(&h) == 0)
|
||||
#define SEARCH(h, n, c, t, a, l) res_nsearch(&h, n, c, t, a, l)
|
||||
+#define PRIMARY_DOMAIN(h) strdup(h.dnsrch[0])
|
||||
#if HAVE_RES_NDESTROY
|
||||
#define DESTROY_HANDLE(h) res_ndestroy(&h)
|
||||
#else
|
||||
@@ -101,6 +104,7 @@ static int initparse(struct krb5int_dns_state *);
|
||||
#define DECLARE_HANDLE(h)
|
||||
#define INIT_HANDLE(h) (res_init() == 0)
|
||||
#define SEARCH(h, n, c, t, a, l) res_search(n, c, t, a, l)
|
||||
+#define PRIMARY_DOMAIN(h) strdup(_res.defdname)
|
||||
#define DESTROY_HANDLE(h)
|
||||
|
||||
#endif
|
||||
@@ -433,6 +437,12 @@ cleanup:
|
||||
return ret;
|
||||
}
|
||||
|
||||
+char *
|
||||
+k5_primary_domain()
|
||||
+{
|
||||
+ return NULL;
|
||||
+}
|
||||
+
|
||||
#else /* _WIN32 */
|
||||
|
||||
krb5_error_code
|
||||
@@ -485,5 +495,18 @@ errout:
|
||||
return retval;
|
||||
}
|
||||
|
||||
+char *
|
||||
+k5_primary_domain()
|
||||
+{
|
||||
+ char *domain;
|
||||
+ DECLARE_HANDLE(h);
|
||||
+
|
||||
+ if (!INIT_HANDLE(h))
|
||||
+ return NULL;
|
||||
+ domain = PRIMARY_DOMAIN(h);
|
||||
+ DESTROY_HANDLE(h);
|
||||
+ return domain;
|
||||
+}
|
||||
+
|
||||
#endif /* not _WIN32 */
|
||||
#endif /* KRB5_DNS_LOOKUP */
|
||||
diff --git a/src/lib/krb5/os/os-proto.h b/src/lib/krb5/os/os-proto.h
|
||||
index 066d30221..a16a34b74 100644
|
||||
--- a/src/lib/krb5/os/os-proto.h
|
||||
+++ b/src/lib/krb5/os/os-proto.h
|
||||
@@ -136,6 +136,8 @@ k5_make_uri_query(krb5_context context, const krb5_data *realm,
|
||||
krb5_error_code k5_try_realm_txt_rr(krb5_context context, const char *prefix,
|
||||
const char *name, char **realm);
|
||||
|
||||
+char *k5_primary_domain(void);
|
||||
+
|
||||
int _krb5_use_dns_realm (krb5_context);
|
||||
int _krb5_use_dns_kdc (krb5_context);
|
||||
int _krb5_conf_boolean (const char *);
|
||||
diff --git a/src/lib/krb5/os/sn2princ.c b/src/lib/krb5/os/sn2princ.c
|
||||
index 98d2600aa..a51761d0c 100644
|
||||
--- a/src/lib/krb5/os/sn2princ.c
|
||||
+++ b/src/lib/krb5/os/sn2princ.c
|
||||
@@ -50,15 +50,47 @@ use_reverse_dns(krb5_context context)
|
||||
&value);
|
||||
if (ret)
|
||||
return DEFAULT_RDNS_LOOKUP;
|
||||
+
|
||||
return value;
|
||||
}
|
||||
|
||||
+/* Append a domain suffix to host and return the result in allocated memory.
|
||||
+ * Return NULL if no suffix is configured or on failure. */
|
||||
+static char *
|
||||
+qualify_shortname(krb5_context context, const char *host)
|
||||
+{
|
||||
+ krb5_error_code ret;
|
||||
+ char *fqdn = NULL, *prof_domain = NULL, *os_domain = NULL;
|
||||
+ const char *domain;
|
||||
+
|
||||
+ ret = profile_get_string(context->profile, KRB5_CONF_LIBDEFAULTS,
|
||||
+ KRB5_CONF_QUALIFY_SHORTNAME, NULL, NULL,
|
||||
+ &prof_domain);
|
||||
+ if (ret)
|
||||
+ return NULL;
|
||||
+
|
||||
+#ifdef KRB5_DNS_LOOKUP
|
||||
+ if (prof_domain == NULL)
|
||||
+ os_domain = k5_primary_domain();
|
||||
+#endif
|
||||
+
|
||||
+ domain = (prof_domain != NULL) ? prof_domain : os_domain;
|
||||
+ if (domain != NULL && *domain != '\0') {
|
||||
+ if (asprintf(&fqdn, "%s.%s", host, domain) < 0)
|
||||
+ fqdn = NULL;
|
||||
+ }
|
||||
+
|
||||
+ profile_release_string(prof_domain);
|
||||
+ free(os_domain);
|
||||
+ return fqdn;
|
||||
+}
|
||||
+
|
||||
krb5_error_code
|
||||
k5_expand_hostname(krb5_context context, const char *host,
|
||||
krb5_boolean is_fallback, char **canonhost_out)
|
||||
{
|
||||
struct addrinfo *ai = NULL, hint;
|
||||
- char namebuf[NI_MAXHOST], *copy, *p;
|
||||
+ char namebuf[NI_MAXHOST], *qualified = NULL, *copy, *p;
|
||||
int err;
|
||||
const char *canonhost;
|
||||
krb5_boolean use_dns;
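Review bot: The comment on `qualify_shortname()` does not say where the suffix comes from, and that matters because the result becomes the hostname in the service principal. When `qualify_shortname` is unset in [libdefaults], the code falls back to `k5_primary_domain()`, so the OS resolver's first search domain decides how a short name is qualified. If that search domain is supplied by the network (for example through DHCP; this is an inference, not visible here), the network influences which principal and realm mapping the client ends up using. I would extend the comment to something like `/* The suffix is the qualify_shortname value from [libdefaults] or, if unset, the first OS resolver search domain; an empty value disables qualification. */` and have the krb5.conf documentation recommend setting the relation explicitly where names must be fixed. `k5_expand_hostname()` continues outside this hunk.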
|
||||
@@ -90,6 +122,14 @@ k5_expand_hostname(krb5_context context, const char *host,
|
||||
}
|
||||
}
|
||||
|
||||
+ /* If we didn't use DNS and the name is just one component, try to add a
|
||||
+ * domain suffix. */
|
||||
+ if (canonhost == host && strchr(host, '.') == NULL) {
|
||||
+ qualified = qualify_shortname(context, host);
|
||||
+ if (qualified != NULL)
|
||||
+ canonhost = qualified;
|
||||
+ }
|
||||
+
|
||||
copy = strdup(canonhost);
|
||||
if (copy == NULL)
|
||||
goto cleanup;
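Review bot: The test `canonhost == host && strchr(host, '.') == NULL` matches any dotless string, not only a one-component hostname. An empty `host` or a colon-separated IPv6 literal would also have the domain suffix appended, if either can reach this point; that depends on code outside the hunk, so it needs confirming against the callers. If they can, a narrower guard such as `*host != '\0' && strchr(host, ':') == NULL` alongside the dot test would keep qualification to real short names. Otherwise a comment stating that callers never pass those forms would document the assumption.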
|
||||
@@ -113,6 +153,7 @@ cleanup:
|
||||
/* We only return success or ENOMEM. */
|
||||
if (ai != NULL)
|
||||
freeaddrinfo(ai);
|
||||
+ free(qualified);
|
||||
return (*canonhost_out == NULL) ? ENOMEM : 0;
|
||||
}
|
||||
|
||||
diff --git a/src/tests/gssapi/t_ccselect.py b/src/tests/gssapi/t_ccselect.py
|
||||
index 9ca66554f..66d85880c 100755
|
||||
--- a/src/tests/gssapi/t_ccselect.py
|
||||
+++ b/src/tests/gssapi/t_ccselect.py
|
||||
@@ -24,8 +24,9 @@ from k5test import *
|
||||
|
||||
# Create two independent realms (no cross-realm TGTs). For the
|
||||
# fallback realm tests we need to control the precise server hostname,
|
||||
-# so turn off DNS canonicalization.
|
||||
-conf = {'libdefaults': {'dns_canonicalize_hostname': 'false'}}
|
||||
+# so turn off DNS canonicalization and shortname qualification.
|
||||
+conf = {'libdefaults': {'dns_canonicalize_hostname': 'false',
|
||||
+ 'qualify_shortname': ''}}
|
||||
r1 = K5Realm(create_user=False, krb5_conf=conf)
|
||||
r2 = K5Realm(create_user=False, krb5_conf=conf, realm='KRBTEST2.COM',
|
||||
portbase=62000, testdir=os.path.join(r1.testdir, 'r2'))
|
||||
diff --git a/src/tests/t_sn2princ.py b/src/tests/t_sn2princ.py
|
||||
index fe435a2d5..26dcb91c2 100755
|
||||
--- a/src/tests/t_sn2princ.py
|
||||
+++ b/src/tests/t_sn2princ.py
|
||||
@@ -6,7 +6,8 @@ conf = {'domain_realm': {'kerberos.org': 'R1',
|
||||
'example.com': 'R2',
|
||||
'mit.edu': 'R3'}}
|
||||
no_rdns_conf = {'libdefaults': {'rdns': 'false'}}
|
||||
-no_canon_conf = {'libdefaults': {'dns_canonicalize_hostname': 'false'}}
|
||||
+no_canon_conf = {'libdefaults': {'dns_canonicalize_hostname': 'false',
|
||||
+ 'qualify_shortname': 'example.com'}}
|
||||
fallback_canon_conf = {'libdefaults':
|
||||
{'rdns': 'false',
|
||||
'dns_canonicalize_hostname': 'fallback'}}
|
||||
@@ -62,12 +63,15 @@ testu('Example.COM:xyZ', 'Example.COM:xyZ', 'R2')
|
||||
testu('example.com.::123', 'example.com.::123', '')
|
||||
|
||||
# With dns_canonicalize_hostname=false, we downcase and remove
|
||||
-# trailing dots but do not canonicalize the hostname. Trailers do not
|
||||
-# get downcased.
|
||||
+# trailing dots but do not canonicalize the hostname.
|
||||
+# Single-component names are qualified with the configured suffix
|
||||
+# (defaulting to the first OS search domain, but Python cannot easily
|
||||
+# retrieve that value so we don't test it). Trailers do not get
|
||||
+# downcased.
|
||||
mark('dns_canonicalize_host=false')
|
||||
testnc('ptr-mismatch.kerberos.org', 'ptr-mismatch.kerberos.org', 'R1')
|
||||
testnc('Example.COM', 'example.com', 'R2')
|
||||
-testnc('abcde', 'abcde', '')
|
||||
+testnc('abcde', 'abcde.example.com', 'R2')
|
||||
testnc('example.com.:123', 'example.com:123', 'R2')
|
||||
testnc('Example.COM:xyZ', 'example.com:xyZ', 'R2')
|
||||
testnc('example.com.::123', 'example.com.::123', '')
|
||||
diff --git a/src/util/k5test.py b/src/util/k5test.py
|
||||
index feb6df7a0..c7f941303 100644
|
||||
--- a/src/util/k5test.py
|
||||
+++ b/src/util/k5test.py
|
||||
@@ -918,22 +918,24 @@ class K5Realm(object):
|
||||
def _subst_cfg_value(self, value):
|
||||
global buildtop, srctop, hostname
|
||||
template = string.Template(value)
|
||||
- return template.substitute(realm=self.realm,
|
||||
- testdir=self.testdir,
|
||||
- buildtop=buildtop,
|
||||
- srctop=srctop,
|
||||
- plugins=plugins,
|
||||
- hostname=hostname,
|
||||
- port0=self.portbase,
|
||||
- port1=self.portbase + 1,
|
||||
- port2=self.portbase + 2,
|
||||
- port3=self.portbase + 3,
|
||||
- port4=self.portbase + 4,
|
||||
- port5=self.portbase + 5,
|
||||
- port6=self.portbase + 6,
|
||||
- port7=self.portbase + 7,
|
||||
- port8=self.portbase + 8,
|
||||
- port9=self.portbase + 9)
|
||||
+ subst = template.substitute(realm=self.realm,
|
||||
+ testdir=self.testdir,
|
||||
+ buildtop=buildtop,
|
||||
+ srctop=srctop,
|
||||
+ plugins=plugins,
|
||||
+ hostname=hostname,
|
||||
+ port0=self.portbase,
|
||||
+ port1=self.portbase + 1,
|
||||
+ port2=self.portbase + 2,
|
||||
+ port3=self.portbase + 3,
|
||||
+ port4=self.portbase + 4,
|
||||
+ port5=self.portbase + 5,
|
||||
+ port6=self.portbase + 6,
|
||||
+ port7=self.portbase + 7,
|
||||
+ port8=self.portbase + 8,
|
||||
+ port9=self.portbase + 9)
|
||||
+ # Empty values must be quoted to avoid a syntax error.
|
||||
+ return subst if subst else '""'
|
||||
|
||||
def _create_acl(self):
|
||||
global hostname
|
@ -1,4 +1,4 @@
|
||||
From bea06cc4cf4df3d545fb3da1a9429aa28f690d80 Mon Sep 17 00:00:00 2001
|
||||
From 98db8d2582b72fb75023c43c5bee435be960247f Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 26 Mar 2019 18:51:10 -0400
|
||||
Subject: [PATCH] Remove 3des support
|
||||
@ -9,12 +9,14 @@ to user other enctypes. Mark the 3DES enctypes UNSUPPORTED and retain
|
||||
their constants.
|
||||
|
||||
(cherry picked from commit 57a8a84e035000b515ca9efd56e5cbe1568b95e7)
|
||||
[rharwood@redhat.com: supported enctypes docs landed first]
|
||||
---
|
||||
doc/admin/advanced/retiring-des.rst | 11 +
|
||||
doc/admin/conf_files/kdc_conf.rst | 7 +-
|
||||
doc/admin/enctypes.rst | 13 +-
|
||||
doc/admin/troubleshoot.rst | 9 +-
|
||||
doc/appdev/refs/macros/index.rst | 1 -
|
||||
doc/conf.py | 4 +-
|
||||
doc/mitK5features.rst | 2 +-
|
||||
src/Makefile.in | 4 +-
|
||||
src/configure.in | 1 -
|
||||
@ -105,7 +107,7 @@ their constants.
|
||||
src/tests/t_salt.py | 5 +-
|
||||
src/util/k5test.py | 10 -
|
||||
.../leash/htmlhelp/html/Encryption_Types.htm | 13 -
|
||||
95 files changed, 155 insertions(+), 4829 deletions(-)
|
||||
96 files changed, 157 insertions(+), 4831 deletions(-)
|
||||
delete mode 100644 src/lib/crypto/builtin/des/ISSUES
|
||||
delete mode 100644 src/lib/crypto/builtin/des/Makefile.in
|
||||
delete mode 100644 src/lib/crypto/builtin/des/d3_aead.c
|
||||
@ -163,10 +165,10 @@ index 4a964c15c..cb6258d77 100644
|
||||
-------------
|
||||
|
||||
diff --git a/doc/admin/conf_files/kdc_conf.rst b/doc/admin/conf_files/kdc_conf.rst
|
||||
index 2c6ea1855..a9ecaf4a9 100644
|
||||
index 9759756a2..cf8a12547 100644
|
||||
--- a/doc/admin/conf_files/kdc_conf.rst
|
||||
+++ b/doc/admin/conf_files/kdc_conf.rst
|
||||
@@ -841,8 +841,6 @@ Encryption types marked as "weak" are available for compatibility but
|
||||
@@ -843,8 +843,6 @@ Encryption types marked as "weak" are available for compatibility but
|
||||
not recommended for use.
|
||||
|
||||
==================================================== =========================================================
|
||||
@ -175,7 +177,7 @@ index 2c6ea1855..a9ecaf4a9 100644
|
||||
aes256-cts-hmac-sha1-96 aes256-cts aes256-sha1 AES-256 CTS mode with 96-bit SHA-1 HMAC
|
||||
aes128-cts-hmac-sha1-96 aes128-cts aes128-sha1 AES-128 CTS mode with 96-bit SHA-1 HMAC
|
||||
aes256-cts-hmac-sha384-192 aes256-sha2 AES-256 CTS mode with 192-bit SHA-384 HMAC
|
||||
@@ -851,7 +849,6 @@ arcfour-hmac rc4-hmac arcfour-hmac-md5 RC4 with HMAC/MD5
|
||||
@@ -853,7 +851,6 @@ arcfour-hmac rc4-hmac arcfour-hmac-md5 RC4 with HMAC/MD5
|
||||
arcfour-hmac-exp rc4-hmac-exp arcfour-hmac-md5-exp Exportable RC4 with HMAC/MD5 (weak)
|
||||
camellia256-cts-cmac camellia256-cts Camellia-256 CTS mode with CMAC
|
||||
camellia128-cts-cmac camellia128-cts Camellia-128 CTS mode with CMAC
|
||||
@ -183,7 +185,7 @@ index 2c6ea1855..a9ecaf4a9 100644
|
||||
aes The AES family: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192, and aes128-cts-hmac-sha256-128
|
||||
rc4 The RC4 family: arcfour-hmac
|
||||
camellia The Camellia family: camellia256-cts-cmac and camellia128-cts-cmac
|
||||
@@ -863,8 +860,8 @@ from the current list by prefixing them with a minus sign ("-").
|
||||
@@ -865,8 +862,8 @@ from the current list by prefixing them with a minus sign ("-").
|
||||
Types or families can be prefixed with a plus sign ("+") for symmetry;
|
||||
it has the same meaning as just listing the type or family. For
|
||||
example, "``DEFAULT -rc4``" would be the default set of encryption
|
||||
@ -254,6 +256,21 @@ index 534795d15..9542611ea 100644
|
||||
CKSUMTYPE_MD5_HMAC_ARCFOUR.rst
|
||||
CKSUMTYPE_NIST_SHA.rst
|
||||
CKSUMTYPE_RSA_MD4.rst
|
||||
diff --git a/doc/conf.py b/doc/conf.py
|
||||
index 759367c21..37eda67fa 100644
|
||||
--- a/doc/conf.py
|
||||
+++ b/doc/conf.py
|
||||
@@ -271,8 +271,8 @@ else:
|
||||
rst_epilog += '.. |ckeytab| replace:: %s\n' % ckeytab
|
||||
rst_epilog += '''
|
||||
.. |krb5conf| replace:: ``/etc/krb5.conf``
|
||||
-.. |defkeysalts| replace:: ``aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal arcfour-hmac-md5:normal``
|
||||
-.. |defetypes| replace:: ``aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac``
|
||||
+.. |defkeysalts| replace:: ``aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal``
|
||||
+.. |defetypes| replace:: ``aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac``
|
||||
.. |defmkey| replace:: ``aes256-cts-hmac-sha1-96``
|
||||
.. |copy| unicode:: U+000A9
|
||||
'''
|
||||
diff --git a/doc/mitK5features.rst b/doc/mitK5features.rst
|
||||
index a19068e26..5bfdc3936 100644
|
||||
--- a/doc/mitK5features.rst
|
||||
@ -290,7 +307,7 @@ index 91a5f4bf8..0197e5b6d 100644
|
||||
##DOS## $(WCONFIG) config < $@.in > $@
|
||||
##DOS##lib\crypto\builtin\camellia\Makefile: lib\crypto\builtin\camellia\Makefile.in $(MKFDEP)
|
||||
diff --git a/src/configure.in b/src/configure.in
|
||||
index 8d781a7c8..a19a0ea97 100644
|
||||
index 9d6825b78..3e3b95e49 100644
|
||||
--- a/src/configure.in
|
||||
+++ b/src/configure.in
|
||||
@@ -1443,7 +1443,6 @@ V5_AC_OUTPUT_MAKEFILE(.
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 2bbf5046e0d1ad4a4927570ebed5aa661e322024 Mon Sep 17 00:00:00 2001
|
||||
From 34aa9b5889a48f05b4dec33d40e72e97390118a5 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Thu, 4 Apr 2019 14:37:38 -0400
|
||||
Subject: [PATCH] Remove Kerberos v4 support vestiges from ccapi
|
||||
|
@ -1,4 +1,4 @@
|
||||
From a52788c294f56a023b7bc05286990717ec993158 Mon Sep 17 00:00:00 2001
|
||||
From 044e7ea922800bfc17ba816780803b1d67622b7b Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Tue, 18 Jun 2019 11:40:48 -0400
|
||||
Subject: [PATCH] Remove PKINIT draft 9 ASN.1 code and types
|
||||
|
@ -1,4 +1,4 @@
|
||||
From f00a9416374087dbf135215a13c5316477ca2f45 Mon Sep 17 00:00:00 2001
|
||||
From b13b0e48470e03203afd4133e4be9c6471e2acb4 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Tue, 18 Jun 2019 13:06:44 -0400
|
||||
Subject: [PATCH] Remove PKINIT draft 9 support
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 8096d0c97bcb5ac1ad830b6f354b4e32c90ac4cf Mon Sep 17 00:00:00 2001
|
||||
From ac8df1b0977dd5aedfaeb3d10458aaf18cece29f Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Wed, 3 Apr 2019 16:01:22 -0400
|
||||
Subject: [PATCH] Remove ccapi-related comments in configure.ac
|
||||
@ -12,7 +12,7 @@ is not.
|
||||
1 file changed, 3 deletions(-)
|
||||
|
||||
diff --git a/src/configure.in b/src/configure.in
|
||||
index 7c309a26b..8d781a7c8 100644
|
||||
index 505dabb02..9d6825b78 100644
|
||||
--- a/src/configure.in
|
||||
+++ b/src/configure.in
|
||||
@@ -1450,7 +1450,6 @@ V5_AC_OUTPUT_MAKEFILE(.
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 443754ab8140d87e2e5bbd595f39827461d6498a Mon Sep 17 00:00:00 2001
|
||||
From ee07471fa613fb68ddebc28577870e97cb5190cf Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Mon, 13 May 2019 14:19:57 -0400
|
||||
Subject: [PATCH] Remove checksum type profile variables
|
||||
@ -18,6 +18,7 @@ did not impose any limitations.
|
||||
|
||||
ticket: 8804 (new)
|
||||
(cherry picked from commit a5a140dc85201faf1ba3a687553058354722a1b4)
|
||||
[rharwood@redhat.com: release version conflict in man pages]
|
||||
---
|
||||
doc/admin/conf_files/krb5_conf.rst | 37 ------------
|
||||
src/include/k5-int.h | 6 --
|
||||
@ -30,10 +31,10 @@ ticket: 8804 (new)
|
||||
8 files changed, 7 insertions(+), 204 deletions(-)
|
||||
|
||||
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
|
||||
index e9f7e8c59..5df3bfe36 100644
|
||||
index d1e1a222d..a3fb5d9f2 100644
|
||||
--- a/doc/admin/conf_files/krb5_conf.rst
|
||||
+++ b/doc/admin/conf_files/krb5_conf.rst
|
||||
@@ -111,14 +111,6 @@ The libdefaults section may contain any of the following relations:
|
||||
@@ -105,14 +105,6 @@ The libdefaults section may contain any of the following relations:
|
||||
strong crypto. Users in affected environments should set this tag
|
||||
to true until their infrastructure adopts stronger ciphers.
|
||||
|
||||
@ -48,7 +49,7 @@ index e9f7e8c59..5df3bfe36 100644
|
||||
**canonicalize**
|
||||
If this flag is set to true, initial ticket requests to the KDC
|
||||
will request canonicalization of the client principal name, and
|
||||
@@ -297,26 +289,6 @@ The libdefaults section may contain any of the following relations:
|
||||
@@ -291,26 +283,6 @@ The libdefaults section may contain any of the following relations:
|
||||
corrective factor is only used by the Kerberos library; it is not
|
||||
used to change the system clock. The default value is 1.
|
||||
|
||||
@ -75,7 +76,7 @@ index e9f7e8c59..5df3bfe36 100644
|
||||
**noaddresses**
|
||||
If this flag is true, requests for initial tickets will not be
|
||||
made with address restrictions set, allowing the tickets to be
|
||||
@@ -365,15 +337,6 @@ The libdefaults section may contain any of the following relations:
|
||||
@@ -359,15 +331,6 @@ The libdefaults section may contain any of the following relations:
|
||||
(:ref:`duration` string.) Sets the default renewable lifetime
|
||||
for initial ticket requests. The default value is 0.
|
||||
|
||||
@ -299,18 +300,18 @@ index a6e48cd25..22be2198b 100644
|
||||
ctx->library_options = 0;
|
||||
ctx->profile_secure = TRUE;
|
||||
diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man
|
||||
index d431dce75..aafdf7f83 100644
|
||||
index 2a7af6aa4..433f38d71 100644
|
||||
--- a/src/man/krb5.conf.man
|
||||
+++ b/src/man/krb5.conf.man
|
||||
@@ -1,6 +1,6 @@
|
||||
.\" Man page generated from reStructuredText.
|
||||
.
|
||||
-.TH "KRB5.CONF" "5" " " "1.17" "MIT Kerberos"
|
||||
-.TH "KRB5.CONF" "5" " " "1.17.1" "MIT Kerberos"
|
||||
+.TH "KRB5.CONF" "5" " " "1.18" "MIT Kerberos"
|
||||
.SH NAME
|
||||
krb5.conf \- Kerberos configuration file
|
||||
.
|
||||
@@ -202,14 +202,6 @@ failures in existing Kerberos infrastructures that do not support
|
||||
@@ -188,14 +188,6 @@ failures in existing Kerberos infrastructures that do not support
|
||||
strong crypto. Users in affected environments should set this tag
|
||||
to true until their infrastructure adopts stronger ciphers.
|
||||
.TP
|
||||
@ -325,7 +326,7 @@ index d431dce75..aafdf7f83 100644
|
||||
\fBcanonicalize\fP
|
||||
If this flag is set to true, initial ticket requests to the KDC
|
||||
will request canonicalization of the client principal name, and
|
||||
@@ -291,6 +283,10 @@ hostnames for use in service principal names. Setting this flag
|
||||
@@ -277,6 +269,10 @@ hostnames for use in service principal names. Setting this flag
|
||||
to false can improve security by reducing reliance on DNS, but
|
||||
means that short hostnames will not be canonicalized to
|
||||
fully\-qualified hostnames. The default value is true.
|
||||
@ -336,7 +337,7 @@ index d431dce75..aafdf7f83 100644
|
||||
.TP
|
||||
\fBdns_lookup_kdc\fP
|
||||
Indicate whether DNS SRV records should be used to locate the KDCs
|
||||
@@ -384,73 +380,6 @@ requesting service tickets or authenticating to services. This
|
||||
@@ -370,73 +366,6 @@ requesting service tickets or authenticating to services. This
|
||||
corrective factor is only used by the Kerberos library; it is not
|
||||
used to change the system clock. The default value is 1.
|
||||
.TP
|
||||
@ -410,7 +411,7 @@ index d431dce75..aafdf7f83 100644
|
||||
\fBnoaddresses\fP
|
||||
If this flag is true, requests for initial tickets will not be
|
||||
made with address restrictions set, allowing the tickets to be
|
||||
@@ -499,15 +428,6 @@ set. The default is not to search domain components.
|
||||
@@ -485,15 +414,6 @@ set. The default is not to search domain components.
|
||||
(duration string.) Sets the default renewable lifetime
|
||||
for initial ticket requests. The default value is 0.
|
||||
.TP
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 0d471a72541952ebe090919610cf9ba8b31d1291 Mon Sep 17 00:00:00 2001
|
||||
From 1df6ae50de14c8795af7f7aea7f54eede51fd206 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Wed, 3 Apr 2019 14:58:19 -0400
|
||||
Subject: [PATCH] Remove confvalidator utility
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 20be29dfddcbc4afda79eae2bcd3d5de3bb0330d Mon Sep 17 00:00:00 2001
|
||||
From 5c9dce0ac1b8b6fcb048404e3830fd4619f4f1c5 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Thu, 2 May 2019 16:57:51 -0400
|
||||
Subject: [PATCH] Remove dead variable def_kslist from two files
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 33c39a069022eab2d56ccbaf0be31b3b5b0071a2 Mon Sep 17 00:00:00 2001
|
||||
From a0c231f79b0b9c02120802cc5549c8576b5156bd Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Thu, 4 Apr 2019 14:15:58 -0400
|
||||
Subject: [PATCH] Remove doxygen-generated HTML output for ccapi
|
||||
|
@ -1,4 +1,4 @@
|
||||
From e1e27c400736ca304c9cbdc52e2946c65e047a21 Mon Sep 17 00:00:00 2001
|
||||
From 620a45acc6ea6c01cce0474883011ed47cb35458 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Thu, 4 Apr 2019 16:14:46 -0400
|
||||
Subject: [PATCH] Remove kadmin RPC support for setting v4 key
|
||||
@ -336,10 +336,10 @@ index 64ad5dd69..e3c04e690 100644
|
||||
xdr_ui_4
|
||||
kadm5_init_iprop
|
||||
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
|
||||
index 9ab2c5a74..48cac0c11 100644
|
||||
index be0922101..a1ecdbfc4 100644
|
||||
--- a/src/lib/kadm5/srv/svr_principal.c
|
||||
+++ b/src/lib/kadm5/srv/svr_principal.c
|
||||
@@ -1645,124 +1645,6 @@ done:
|
||||
@@ -1649,124 +1649,6 @@ done:
|
||||
return ret;
|
||||
}
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 6181039fc3f70c073e4125d98d8a28aec9c223bf Mon Sep 17 00:00:00 2001
|
||||
From 90c702467b0c4373758f235512c67f80f1998e02 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Thu, 18 Apr 2019 17:27:07 -0400
|
||||
Subject: [PATCH] Remove krb5int_c_combine_keys()
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 067f8685648e4a316ea0dfe90694d5a7b64c8848 Mon Sep 17 00:00:00 2001
|
||||
From e470fc217b19f6d958cc891910527e43651167a3 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Thu, 9 May 2019 14:07:24 -0400
|
||||
Subject: [PATCH] Remove more dead code
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 3d6b547ca1454b8113c6f83161def1f995c04616 Mon Sep 17 00:00:00 2001
|
||||
From e9cc0b8762266ed368cb50e7ba48d6196db54da5 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Fri, 28 Jun 2019 13:09:47 -0400
|
||||
Subject: [PATCH] Remove now-unused checksum functions
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 13df40bef90954d1c373c5e9cece1d5897c7afcf Mon Sep 17 00:00:00 2001
|
||||
From 61855503e579611b2bb2f322070c2e1e0ca36ce8 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Fri, 30 Aug 2019 11:19:52 -0400
|
||||
Subject: [PATCH] Remove null check in krb5_gss_duplicate_name()
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 019dc5d64d6e1c0fabaf9957bef5b633eb6fa475 Mon Sep 17 00:00:00 2001
|
||||
From e4c75d01bfdedfe77068a641e0053eef227dc22b Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 22 Jan 2019 18:34:58 -0500
|
||||
Subject: [PATCH] Remove ovsec_adm_export dump format support
|
||||
@ -9,6 +9,7 @@ KDCs.
|
||||
|
||||
ticket: 8798 (new)
|
||||
(cherry picked from commit 23b93fd48bc445005436c5be98a7269b599b1800)
|
||||
[rharwood@redhat.com: release version conflict in man pages]
|
||||
---
|
||||
doc/admin/admin_commands/kdb5_util.rst | 11 +--
|
||||
doc/admin/database.rst | 14 ----
|
||||
@ -63,7 +64,7 @@ index fee68261a..7dd54f797 100644
|
||||
requires the database to be in Kerberos 5 1.3 format ("kdb5_util
|
||||
load_dump version 5"). This was the dump format produced on
|
||||
diff --git a/doc/admin/database.rst b/doc/admin/database.rst
|
||||
index 2b02af3a0..113a680a6 100644
|
||||
index d0be455f8..33895b857 100644
|
||||
--- a/doc/admin/database.rst
|
||||
+++ b/doc/admin/database.rst
|
||||
@@ -393,20 +393,6 @@ To dump a single principal and later load it, updating the database:
|
||||
@ -274,13 +275,13 @@ index accc959e0..e73e2c68e 100644
|
||||
"\tark [-e etype_list] principal\n"
|
||||
"\tadd_mkey [-e etype] [-s]\n"
|
||||
diff --git a/src/man/kdb5_util.man b/src/man/kdb5_util.man
|
||||
index 5ebc68a57..9a36ef0df 100644
|
||||
index 9c48c32fb..9a36ef0df 100644
|
||||
--- a/src/man/kdb5_util.man
|
||||
+++ b/src/man/kdb5_util.man
|
||||
@@ -1,6 +1,6 @@
|
||||
.\" Man page generated from reStructuredText.
|
||||
.
|
||||
-.TH "KDB5_UTIL" "8" " " "1.17" "MIT Kerberos"
|
||||
-.TH "KDB5_UTIL" "8" " " "1.17.1" "MIT Kerberos"
|
||||
+.TH "KDB5_UTIL" "8" " " "1.18" "MIT Kerberos"
|
||||
.SH NAME
|
||||
kdb5_util \- Kerberos database maintenance utility
|
||||
|
@ -1,4 +1,4 @@
|
||||
From a768fb06f0df69f0b6985058e21c72448587d2a8 Mon Sep 17 00:00:00 2001
|
||||
From ecf80eb7a536c2d78812482d9c974120725ca609 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Mon, 9 Oct 2017 15:58:33 -0400
|
||||
Subject: [PATCH] Remove srvtab support
|
||||
@ -8,6 +8,7 @@ name was used.
|
||||
|
||||
ticket: 8793 (new)
|
||||
(cherry picked from commit a23e670b40f69b6be0024f8a60d2afaf7f7a005a)
|
||||
[rharwood@redhat.com: release version conflict in man pages]
|
||||
---
|
||||
doc/admin/admin_commands/ktutil.rst | 22 +-
|
||||
doc/basic/keytab_def.rst | 6 +-
|
||||
@ -206,10 +207,10 @@ index 00c442978..e710852d4 100644
|
||||
plugin_base_dir = __PLUGIN_DIR__
|
||||
allow_weak_crypto = true
|
||||
diff --git a/src/kadmin/testing/scripts/env-setup.shin b/src/kadmin/testing/scripts/env-setup.shin
|
||||
index c8d866f15..726298351 100755
|
||||
index 273cf6954..8c29bb996 100755
|
||||
--- a/src/kadmin/testing/scripts/env-setup.shin
|
||||
+++ b/src/kadmin/testing/scripts/env-setup.shin
|
||||
@@ -77,7 +77,7 @@ SRVTCL=$TESTDIR/util/kadm5_srv_tcl; export SRVTCL
|
||||
@@ -79,7 +79,7 @@ export QUALNAME
|
||||
|
||||
KRB5_CONFIG=$K5ROOT/krb5.conf; export KRB5_CONFIG
|
||||
KRB5_KDC_PROFILE=$K5ROOT/kdc.conf; export KRB5_KDC_PROFILE
|
||||
@ -219,10 +220,10 @@ index c8d866f15..726298351 100755
|
||||
KRB5CCNAME=$K5ROOT/krb5cc_unit-test; export KRB5CCNAME
|
||||
|
||||
diff --git a/src/kadmin/testing/scripts/init_db b/src/kadmin/testing/scripts/init_db
|
||||
index cd7165628..bf119f2ac 100755
|
||||
index c41d290d1..2496be2ab 100755
|
||||
--- a/src/kadmin/testing/scripts/init_db
|
||||
+++ b/src/kadmin/testing/scripts/init_db
|
||||
@@ -218,7 +218,7 @@ changepw/kerberos@$REALM cil
|
||||
@@ -216,7 +216,7 @@ changepw/kerberos@$REALM cil
|
||||
|
||||
EOF
|
||||
|
||||
@ -245,10 +246,10 @@ index dfe0b3a01..c77d61c70 100755
|
||||
replaced by the canonical host name of the local host.";
|
||||
|
||||
diff --git a/src/kadmin/testing/scripts/start_servers_local b/src/kadmin/testing/scripts/start_servers_local
|
||||
index 0cbed462d..809892974 100755
|
||||
index f34444ee8..e502a6a0b 100755
|
||||
--- a/src/kadmin/testing/scripts/start_servers_local
|
||||
+++ b/src/kadmin/testing/scripts/start_servers_local
|
||||
@@ -98,9 +98,6 @@ x=$?
|
||||
@@ -96,9 +96,6 @@ x=$?
|
||||
rm /tmp/start_servers_local$$
|
||||
if test $x != 0 ; then exit 1 ; fi
|
||||
|
||||
@ -952,12 +953,12 @@ index ba57b703e..ed179bbe3 100644
|
||||
verbose "% $SERVER" 1
|
||||
set server_pid [spawn $SERVER $PROT]
|
||||
diff --git a/src/lib/rpc/unit-test/lib/helpers.exp b/src/lib/rpc/unit-test/lib/helpers.exp
|
||||
index a1b078374..6ba2b10ae 100644
|
||||
index a7f89f636..f08c73201 100644
|
||||
--- a/src/lib/rpc/unit-test/lib/helpers.exp
|
||||
+++ b/src/lib/rpc/unit-test/lib/helpers.exp
|
||||
@@ -121,8 +121,8 @@ proc setup_database {} {
|
||||
if ![info exists CANON_HOST] {
|
||||
set CANON_HOST [exec $env(QUALNAME)]
|
||||
set CANON_HOST $env(QUALNAME)
|
||||
setup_database
|
||||
- file delete $env(RPC_TEST_SRVTAB)
|
||||
- exec $env(MAKE_KEYTAB) -princ "server/$CANON_HOST" $env(RPC_TEST_SRVTAB)
|
||||
@ -967,7 +968,7 @@ index a1b078374..6ba2b10ae 100644
|
||||
|
||||
|
||||
diff --git a/src/lib/rpc/unit-test/rpc_test_setup.sh b/src/lib/rpc/unit-test/rpc_test_setup.sh
|
||||
index 968f52a67..b610f87ef 100755
|
||||
index d147a337e..d7df0eb2b 100755
|
||||
--- a/src/lib/rpc/unit-test/rpc_test_setup.sh
|
||||
+++ b/src/lib/rpc/unit-test/rpc_test_setup.sh
|
||||
@@ -1,7 +1,7 @@
|
||||
@ -979,7 +980,7 @@ index 968f52a67..b610f87ef 100755
|
||||
# environment.
|
||||
#
|
||||
# $Id$
|
||||
@@ -42,9 +42,9 @@ if test $? != 0 ; then
|
||||
@@ -39,9 +39,9 @@ if test $? != 0 ; then
|
||||
fi
|
||||
rm /tmp/rpc_test_setup$$
|
||||
|
||||
@ -992,13 +993,13 @@ index 968f52a67..b610f87ef 100755
|
||||
# grep -s "$CANON_HOST SECURE-TEST.OV.COM" /etc/krb.realms
|
||||
# if [ $? != 0 ]; then
|
||||
diff --git a/src/man/ktutil.man b/src/man/ktutil.man
|
||||
index 4e174c0fe..233329468 100644
|
||||
index 711a0ed2c..233329468 100644
|
||||
--- a/src/man/ktutil.man
|
||||
+++ b/src/man/ktutil.man
|
||||
@@ -1,6 +1,6 @@
|
||||
.\" Man page generated from reStructuredText.
|
||||
.
|
||||
-.TH "KTUTIL" "1" " " "1.17" "MIT Kerberos"
|
||||
-.TH "KTUTIL" "1" " " "1.17.1" "MIT Kerberos"
|
||||
+.TH "KTUTIL" "1" " " "1.18" "MIT Kerberos"
|
||||
.SH NAME
|
||||
ktutil \- Kerberos keytab file maintenance utility
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 1aff5025ec486d1f8239e3a135156e33ea5e764d Mon Sep 17 00:00:00 2001
|
||||
From 128098be731775ecc2a5de6308868fae78059db9 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Thu, 6 Jun 2019 11:46:58 -0400
|
||||
Subject: [PATCH] Remove strerror() calls from k5_get_error()
|
||||
|
@ -1,4 +1,4 @@
|
||||
From f87c6fabd1073637c4798fcdd3fdab060edb0731 Mon Sep 17 00:00:00 2001
|
||||
From c00274de6de883d74ae231405b6ae5e1486712c9 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Wed, 17 Apr 2019 17:07:46 -0400
|
||||
Subject: [PATCH] Remove support for no-flags SAM-2 preauth
|
||||
|
@ -1,4 +1,4 @@
|
||||
From c13f1fde8931a9199a7a15a5b011f02ed2615e9f Mon Sep 17 00:00:00 2001
|
||||
From e73ed142bd5baf15943069346202fe3b1a4d96d6 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Fri, 24 May 2019 13:12:03 -0400
|
||||
Subject: [PATCH] Remove support for single-DES and CRC
|
||||
@ -11,13 +11,15 @@ user-visible deprecation warnings were issued starting in release
|
||||
ticket: 8808
|
||||
(cherry picked from commit fb2dada5eb89c4cd4e39dedd6dbb7dbd5e94f8b8)
|
||||
[rharwood@redhat.com: .gitignore removal]
|
||||
[rharwood@redhat.com: In this branch, supported_enctypes changes landed
|
||||
first]
|
||||
---
|
||||
doc/admin/advanced/retiring-des.rst | 5 +
|
||||
doc/admin/conf_files/kdc_conf.rst | 17 +-
|
||||
doc/admin/conf_files/krb5_conf.rst | 17 +-
|
||||
doc/admin/enctypes.rst | 38 +-
|
||||
doc/appdev/refs/macros/index.rst | 1 +
|
||||
doc/conf.py | 2 +-
|
||||
doc/conf.py | 4 +-
|
||||
doc/mitK5features.rst | 2 +-
|
||||
src/include/k5-int.h | 1 -
|
||||
src/include/krb5/krb5.hin | 10 +-
|
||||
@ -67,7 +69,7 @@ ticket: 8808
|
||||
src/man/kdc.conf.man | 47 +-
|
||||
src/man/krb5.conf.man | 6 +-
|
||||
.../leash/htmlhelp/html/Encryption_Types.htm | 14 +-
|
||||
55 files changed, 74 insertions(+), 2180 deletions(-)
|
||||
55 files changed, 75 insertions(+), 2181 deletions(-)
|
||||
delete mode 100644 src/lib/crypto/builtin/enc_provider/des.c
|
||||
delete mode 100644 src/lib/crypto/builtin/hash_provider/hash_crc32.c
|
||||
delete mode 100644 src/lib/crypto/krb/crc32.c
|
||||
@ -93,7 +95,7 @@ index ebac95f24..4a964c15c 100644
|
||||
-------------
|
||||
|
||||
diff --git a/doc/admin/conf_files/kdc_conf.rst b/doc/admin/conf_files/kdc_conf.rst
|
||||
index 62d1bfc05..2c6ea1855 100644
|
||||
index 7fbc8eb79..9759756a2 100644
|
||||
--- a/doc/admin/conf_files/kdc_conf.rst
|
||||
+++ b/doc/admin/conf_files/kdc_conf.rst
|
||||
@@ -381,13 +381,6 @@ The following tags may be specified in a [realms] subsection:
|
||||
@ -110,7 +112,7 @@ index 62d1bfc05..2c6ea1855 100644
|
||||
**reject_bad_transit**
|
||||
(Boolean value.) If set to true, the KDC will check the list of
|
||||
transited realms for cross-realm tickets against the transit path
|
||||
@@ -848,13 +841,8 @@ Encryption types marked as "weak" are available for compatibility but
|
||||
@@ -850,13 +843,8 @@ Encryption types marked as "weak" are available for compatibility but
|
||||
not recommended for use.
|
||||
|
||||
==================================================== =========================================================
|
||||
@ -124,7 +126,7 @@ index 62d1bfc05..2c6ea1855 100644
|
||||
aes256-cts-hmac-sha1-96 aes256-cts aes256-sha1 AES-256 CTS mode with 96-bit SHA-1 HMAC
|
||||
aes128-cts-hmac-sha1-96 aes128-cts aes128-sha1 AES-128 CTS mode with 96-bit SHA-1 HMAC
|
||||
aes256-cts-hmac-sha384-192 aes256-sha2 AES-256 CTS mode with 192-bit SHA-384 HMAC
|
||||
@@ -863,7 +851,6 @@ arcfour-hmac rc4-hmac arcfour-hmac-md5 RC4 with HMAC/MD5
|
||||
@@ -865,7 +853,6 @@ arcfour-hmac rc4-hmac arcfour-hmac-md5 RC4 with HMAC/MD5
|
||||
arcfour-hmac-exp rc4-hmac-exp arcfour-hmac-md5-exp Exportable RC4 with HMAC/MD5 (weak)
|
||||
camellia256-cts-cmac camellia256-cts Camellia-256 CTS mode with CMAC
|
||||
camellia128-cts-cmac camellia128-cts Camellia-128 CTS mode with CMAC
|
||||
@ -132,7 +134,7 @@ index 62d1bfc05..2c6ea1855 100644
|
||||
des3 The triple DES family: des3-cbc-sha1
|
||||
aes The AES family: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192, and aes128-cts-hmac-sha256-128
|
||||
rc4 The RC4 family: arcfour-hmac
|
||||
@@ -875,8 +862,8 @@ types for the variable in question. Types or families can be removed
|
||||
@@ -877,8 +864,8 @@ types for the variable in question. Types or families can be removed
|
||||
from the current list by prefixing them with a minus sign ("-").
|
||||
Types or families can be prefixed with a plus sign ("+") for symmetry;
|
||||
it has the same meaning as just listing the type or family. For
|
||||
@ -144,10 +146,10 @@ index 62d1bfc05..2c6ea1855 100644
|
||||
front.
|
||||
|
||||
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
|
||||
index 5df3bfe36..89f02434b 100644
|
||||
index a3fb5d9f2..d5c498c89 100644
|
||||
--- a/doc/admin/conf_files/krb5_conf.rst
|
||||
+++ b/doc/admin/conf_files/krb5_conf.rst
|
||||
@@ -106,10 +106,7 @@ The libdefaults section may contain any of the following relations:
|
||||
@@ -100,10 +100,7 @@ The libdefaults section may contain any of the following relations:
|
||||
in :ref:`Encryption_types` in :ref:`kdc.conf(5)`) will be filtered
|
||||
out of the lists **default_tgs_enctypes**,
|
||||
**default_tkt_enctypes**, and **permitted_enctypes**. The default
|
||||
@ -159,7 +161,7 @@ index 5df3bfe36..89f02434b 100644
|
||||
|
||||
**canonicalize**
|
||||
If this flag is set to true, initial ticket requests to the KDC
|
||||
@@ -163,9 +160,7 @@ The libdefaults section may contain any of the following relations:
|
||||
@@ -157,9 +154,7 @@ The libdefaults section may contain any of the following relations:
|
||||
preference from highest to lowest. The list may be delimited with
|
||||
commas or whitespace. See :ref:`Encryption_types` in
|
||||
:ref:`kdc.conf(5)` for a list of the accepted values for this tag.
|
||||
@ -170,7 +172,7 @@ index 5df3bfe36..89f02434b 100644
|
||||
|
||||
Do not set this unless required for specific backward
|
||||
compatibility purposes; stale values of this setting can prevent
|
||||
@@ -177,9 +172,7 @@ The libdefaults section may contain any of the following relations:
|
||||
@@ -171,9 +166,7 @@ The libdefaults section may contain any of the following relations:
|
||||
the client should request when making an AS-REQ, in order of
|
||||
preference from highest to lowest. The format is the same as for
|
||||
default_tgs_enctypes. The default value for this tag is
|
||||
@ -181,7 +183,7 @@ index 5df3bfe36..89f02434b 100644
|
||||
|
||||
Do not set this unless required for specific backward
|
||||
compatibility purposes; stale values of this setting can prevent
|
||||
@@ -297,9 +290,7 @@ The libdefaults section may contain any of the following relations:
|
||||
@@ -291,9 +284,7 @@ The libdefaults section may contain any of the following relations:
|
||||
**permitted_enctypes**
|
||||
Identifies all encryption types that are permitted for use in
|
||||
session key encryption. The default value for this tag is
|
||||
@ -273,14 +275,16 @@ index 47c6d4413..534795d15 100644
|
||||
ENCTYPE_DES_CBC_MD4.rst
|
||||
ENCTYPE_DES_CBC_MD5.rst
|
||||
diff --git a/doc/conf.py b/doc/conf.py
|
||||
index c32e33001..759367c21 100644
|
||||
index 7c688d871..759367c21 100644
|
||||
--- a/doc/conf.py
|
||||
+++ b/doc/conf.py
|
||||
@@ -272,7 +272,7 @@ else:
|
||||
@@ -271,8 +271,8 @@ else:
|
||||
rst_epilog += '.. |ckeytab| replace:: %s\n' % ckeytab
|
||||
rst_epilog += '''
|
||||
.. |krb5conf| replace:: ``/etc/krb5.conf``
|
||||
.. |defkeysalts| replace:: ``aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal arcfour-hmac-md5:normal``
|
||||
-.. |defkeysalts| replace:: ``aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal``
|
||||
-.. |defetypes| replace:: ``aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4``
|
||||
+.. |defkeysalts| replace:: ``aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal arcfour-hmac-md5:normal``
|
||||
+.. |defetypes| replace:: ``aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac``
|
||||
.. |defmkey| replace:: ``aes256-cts-hmac-sha1-96``
|
||||
.. |copy| unicode:: U+000A9
|
||||
@ -3186,7 +3190,7 @@ index 39f656322..55491428b 100644
|
||||
goto cleanup;
|
||||
context->clockskew = (krb5_deltat) ibuf;
|
||||
diff --git a/src/man/kdc.conf.man b/src/man/kdc.conf.man
|
||||
index 4a75be8cb..8058134ac 100644
|
||||
index fd4dbb2e2..527d5d697 100644
|
||||
--- a/src/man/kdc.conf.man
|
||||
+++ b/src/man/kdc.conf.man
|
||||
@@ -441,13 +441,6 @@ marks the server principal as host\-based or the service is also
|
||||
@ -3203,7 +3207,7 @@ index 4a75be8cb..8058134ac 100644
|
||||
\fBreject_bad_transit\fP
|
||||
(Boolean value.) If set to true, the KDC will check the list of
|
||||
transited realms for cross\-realm tickets against the transit path
|
||||
@@ -969,30 +962,6 @@ center;
|
||||
@@ -970,30 +963,6 @@ center;
|
||||
|l|l|.
|
||||
_
|
||||
T{
|
||||
@ -3234,7 +3238,7 @@ index 4a75be8cb..8058134ac 100644
|
||||
des3\-cbc\-raw
|
||||
T} T{
|
||||
Triple DES cbc mode raw (weak)
|
||||
@@ -1005,12 +974,6 @@ Triple DES cbc mode with HMAC/sha1
|
||||
@@ -1006,12 +975,6 @@ Triple DES cbc mode with HMAC/sha1
|
||||
T}
|
||||
_
|
||||
T{
|
||||
@ -3247,7 +3251,7 @@ index 4a75be8cb..8058134ac 100644
|
||||
aes256\-cts\-hmac\-sha1\-96 aes256\-cts aes256\-sha1
|
||||
T} T{
|
||||
AES\-256 CTS mode with 96\-bit SHA\-1 HMAC
|
||||
@@ -1059,12 +1022,6 @@ Camellia\-128 CTS mode with CMAC
|
||||
@@ -1060,12 +1023,6 @@ Camellia\-128 CTS mode with CMAC
|
||||
T}
|
||||
_
|
||||
T{
|
||||
@ -3260,7 +3264,7 @@ index 4a75be8cb..8058134ac 100644
|
||||
des3
|
||||
T} T{
|
||||
The triple DES family: des3\-cbc\-sha1
|
||||
@@ -1095,8 +1052,8 @@ types for the variable in question. Types or families can be removed
|
||||
@@ -1096,8 +1053,8 @@ types for the variable in question. Types or families can be removed
|
||||
from the current list by prefixing them with a minus sign ("\-").
|
||||
Types or families can be prefixed with a plus sign ("+") for symmetry;
|
||||
it has the same meaning as just listing the type or family. For
|
||||
@ -3272,10 +3276,10 @@ index 4a75be8cb..8058134ac 100644
|
||||
front.
|
||||
.sp
|
||||
diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man
|
||||
index aafdf7f83..d6ff91c3b 100644
|
||||
index 433f38d71..4bc190e32 100644
|
||||
--- a/src/man/krb5.conf.man
|
||||
+++ b/src/man/krb5.conf.man
|
||||
@@ -254,7 +254,7 @@ the client should request when making a TGS\-REQ, in order of
|
||||
@@ -240,7 +240,7 @@ the client should request when making a TGS\-REQ, in order of
|
||||
preference from highest to lowest. The list may be delimited with
|
||||
commas or whitespace. See Encryption_types in
|
||||
kdc.conf(5) for a list of the accepted values for this tag.
|
||||
@ -3284,7 +3288,7 @@ index aafdf7f83..d6ff91c3b 100644
|
||||
will be implicitly removed from this list if the value of
|
||||
\fBallow_weak_crypto\fP is false.
|
||||
.sp
|
||||
@@ -268,7 +268,7 @@ Identifies the supported list of session key encryption types that
|
||||
@@ -254,7 +254,7 @@ Identifies the supported list of session key encryption types that
|
||||
the client should request when making an AS\-REQ, in order of
|
||||
preference from highest to lowest. The format is the same as for
|
||||
default_tgs_enctypes. The default value for this tag is
|
||||
@ -3293,7 +3297,7 @@ index aafdf7f83..d6ff91c3b 100644
|
||||
removed from this list if the value of \fBallow_weak_crypto\fP is
|
||||
false.
|
||||
.sp
|
||||
@@ -388,7 +388,7 @@ used across NATs. The default value is true.
|
||||
@@ -374,7 +374,7 @@ used across NATs. The default value is true.
|
||||
\fBpermitted_enctypes\fP
|
||||
Identifies all encryption types that are permitted for use in
|
||||
session key encryption. The default value for this tag is
|
||||
|
@ -1,4 +1,4 @@
|
||||
From cebf1ea82c4d2dc4494ad0af7525fd324e6d92e2 Mon Sep 17 00:00:00 2001
|
||||
From 111e528c68393435be41f71f22f41b7a04ccad1e Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Fri, 24 May 2019 13:11:44 -0400
|
||||
Subject: [PATCH] Remove the v4 and afs3 salt types
|
||||
@ -12,6 +12,7 @@ krb4 databases.
|
||||
|
||||
ticket: 8808
|
||||
(cherry picked from commit e0a35ff48c09a26ebb9aefd7e98855a84574b8be)
|
||||
[rharwood@redhat.com: release version conflict in man pages]
|
||||
---
|
||||
doc/admin/conf_files/kdc_conf.rst | 2 -
|
||||
src/include/kdb.h | 4 +-
|
||||
@ -33,10 +34,10 @@ ticket: 8808
|
||||
17 files changed, 24 insertions(+), 164 deletions(-)
|
||||
|
||||
diff --git a/doc/admin/conf_files/kdc_conf.rst b/doc/admin/conf_files/kdc_conf.rst
|
||||
index c73791ceb..62d1bfc05 100644
|
||||
index 72f002d4d..7fbc8eb79 100644
|
||||
--- a/doc/admin/conf_files/kdc_conf.rst
|
||||
+++ b/doc/admin/conf_files/kdc_conf.rst
|
||||
@@ -917,10 +917,8 @@ follows:
|
||||
@@ -919,10 +919,8 @@ follows:
|
||||
|
||||
================= ============================================
|
||||
normal default for Kerberos Version 5
|
||||
@ -292,18 +293,18 @@ index 7c400be86..3c9168591 100644
|
||||
-
|
||||
success('krb5_get_etype_info() tests')
|
||||
diff --git a/src/man/kdc.conf.man b/src/man/kdc.conf.man
|
||||
index ab3ee0289..4a75be8cb 100644
|
||||
index 959f00de5..fd4dbb2e2 100644
|
||||
--- a/src/man/kdc.conf.man
|
||||
+++ b/src/man/kdc.conf.man
|
||||
@@ -1,6 +1,6 @@
|
||||
.\" Man page generated from reStructuredText.
|
||||
.
|
||||
-.TH "KDC.CONF" "5" " " "1.17" "MIT Kerberos"
|
||||
-.TH "KDC.CONF" "5" " " "1.17.1" "MIT Kerberos"
|
||||
+.TH "KDC.CONF" "5" " " "1.18" "MIT Kerberos"
|
||||
.SH NAME
|
||||
kdc.conf \- Kerberos V5 KDC configuration file
|
||||
.
|
||||
@@ -1148,12 +1148,6 @@ default for Kerberos Version 5
|
||||
@@ -1149,12 +1149,6 @@ default for Kerberos Version 5
|
||||
T}
|
||||
_
|
||||
T{
|
||||
@ -316,7 +317,7 @@ index ab3ee0289..4a75be8cb 100644
|
||||
norealm
|
||||
T} T{
|
||||
same as the default, without using realm information
|
||||
@@ -1166,12 +1160,6 @@ uses only realm information as the salt
|
||||
@@ -1167,12 +1161,6 @@ uses only realm information as the salt
|
||||
T}
|
||||
_
|
||||
T{
|
||||
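Review bot: The refreshed `.TH` hunk for `src/man/kdc.conf.man` still rewrites the header to `"1.18"` while this package is 1.17.1, so a kdc.conf(5) installed from `src/man` would report a release that is not the one on the system. Administrators checking which salt types and enctypes their KDC accepts would then be reading a page stamped with the wrong version. The only change in this hunk appears to be the removed side moving from `"1.17"` to `"1.17.1"`, which is the conflict named in the cherry-pick annotation and will recur at every point release. Dropping the `.TH` hunk from this downstream patch would avoid both problems. The spec also regenerates man pages with `sphinx-build -b man`, so whether this header reaches users cannot be confirmed from the lines shown.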
|
@ -1,4 +1,4 @@
|
||||
From 47fc137981db0b2b9834765e28f70b151a88cb83 Mon Sep 17 00:00:00 2001
|
||||
From 3d8b0bb1469295bd09f8ba81d3fb059a9ef372f2 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 23 Aug 2016 16:32:09 -0400
|
||||
Subject: [PATCH] Set a more modern default ksu CMD_PATH
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 9c80f80f48f3b761145e97914a4488398435f2d6 Mon Sep 17 00:00:00 2001
|
||||
From f7fb525d762ba42f62f1044f07f38a243980a2ba Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Sun, 5 May 2019 18:53:27 -0400
|
||||
Subject: [PATCH] Simplify SAM-2 as_key handling
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 5ff802a443dfd47e2f43a37de0dc439a1c583849 Mon Sep 17 00:00:00 2001
|
||||
From a7cd60bc97b4d9b171eddae391cf9ecd84c58d31 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Thu, 22 Aug 2019 16:19:12 -0400
|
||||
Subject: [PATCH] Simplify krb5_dbe_def_search_enctype()
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 8cc93c83241cd96a8565c427418f6c3f13609b65 Mon Sep 17 00:00:00 2001
|
||||
From db62fe97a56f8f8476e3202a492d1c3d784d52b2 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Mon, 6 May 2019 13:13:06 -0400
|
||||
Subject: [PATCH] Simply OpenSSL PKCS7 decryption code
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 1b251fe463c1284381612aeb7f2271d28d171d9d Mon Sep 17 00:00:00 2001
|
||||
From c58dbf05938b57a729d1b3811424866296f11998 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Sat, 3 Aug 2019 13:30:28 -0400
|
||||
Subject: [PATCH] Skip URI tests when using asan
|
||||
|
@ -1,4 +1,4 @@
|
||||
From dabc30f0500718ef39706849b778524d4fa2152d Mon Sep 17 00:00:00 2001
|
||||
From 566fa44c8f53b3c558791bef29d01fb6a02ff559 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Fri, 30 Aug 2019 11:16:58 -0400
|
||||
Subject: [PATCH] Squash apparent forward-null in clnttcp_create()
|
||||
|
@ -1,4 +1,4 @@
|
||||
From d46ea68d04b91320aa7eb96f85ca77b98fd44e88 Mon Sep 17 00:00:00 2001
|
||||
From a9c73bc1078dc6287a3838220ef1bd435273506e Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 23 Aug 2016 16:47:44 -0400
|
||||
Subject: [PATCH] Support 389ds's lockout model
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 12ffeca5a708add9461e71300d58a08ea99ed6e4 Mon Sep 17 00:00:00 2001
|
||||
From 5e7c6ac2f9ee4dfe182f28c0801811910b63be1d Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 16 Apr 2019 14:16:39 -0400
|
||||
Subject: [PATCH] Update ASN.1 SAM tests to use a modern enctype
|
||||
|
@ -1,4 +1,4 @@
|
||||
From a3e73d1a874ad68c7ef0cb2ac0fa529b87b29710 Mon Sep 17 00:00:00 2001
|
||||
From 04ce158f626a683d60914f464bac24a1bd5687e3 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Mon, 20 May 2019 16:52:57 -0400
|
||||
Subject: [PATCH] Update default krb5kdc mkey manual-entry enctype
|
||||
@ -14,10 +14,10 @@ kadmind, which is currently aes256-cts-hmac-sha1-96.
|
||||
3 files changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/doc/admin/admin_commands/krb5kdc.rst b/doc/admin/admin_commands/krb5kdc.rst
|
||||
index 0342d0d18..455bb6858 100644
|
||||
index 08d40cc0d..631a0de84 100644
|
||||
--- a/doc/admin/admin_commands/krb5kdc.rst
|
||||
+++ b/doc/admin/admin_commands/krb5kdc.rst
|
||||
@@ -39,7 +39,7 @@ LDAP database.
|
||||
@@ -41,7 +41,7 @@ LDAP database.
|
||||
|
||||
The **-k** *keytype* option specifies the key type of the master key
|
||||
to be entered manually as a password when **-m** is given; the default
|
||||
@ -40,10 +40,10 @@ index 60092a0df..04393772f 100644
|
||||
case 'M': /* master key name in DB */
|
||||
mkey_name = optarg;
|
||||
diff --git a/src/man/krb5kdc.man b/src/man/krb5kdc.man
|
||||
index 8ace9662f..aa8614698 100644
|
||||
index 9c9b816b3..100f371c4 100644
|
||||
--- a/src/man/krb5kdc.man
|
||||
+++ b/src/man/krb5kdc.man
|
||||
@@ -59,7 +59,7 @@ LDAP database.
|
||||
@@ -61,7 +61,7 @@ LDAP database.
|
||||
.sp
|
||||
The \fB\-k\fP \fIkeytype\fP option specifies the key type of the master key
|
||||
to be entered manually as a password when \fB\-m\fP is given; the default
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 73e08f464b5a55c1d86b3d08f1fd0f391253548f Mon Sep 17 00:00:00 2001
|
||||
From 8c38e6a1cef9bee050e42f591a530d077bb11f17 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 12 Nov 2019 13:38:59 -0500
|
||||
Subject: [PATCH] Update test suite cert message digest to sha256
|
||||
|
@ -1,4 +1,4 @@
|
||||
From ec9180a78e84c71940c3ef3834bb22aae1245d91 Mon Sep 17 00:00:00 2001
|
||||
From 99077dd3855832912df7563086cd615ba430e440 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Fri, 24 May 2019 13:11:55 -0400
|
||||
Subject: [PATCH] Update test suite to avoid single-DES enctypes
|
||||
|
@ -1,4 +1,4 @@
|
||||
From b4099e1de59730ca7eb022891c1e1cce1d1eb001 Mon Sep 17 00:00:00 2001
|
||||
From bdb78f9d3fbf9abccec9b41709bb0131e9ec28d6 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Fri, 15 Nov 2019 20:05:16 +0000
|
||||
Subject: [PATCH] Use backported version of OpenSSL-3 KDF interface
|
||||
@ -10,7 +10,7 @@ Subject: [PATCH] Use backported version of OpenSSL-3 KDF interface
|
||||
3 files changed, 423 insertions(+), 184 deletions(-)
|
||||
|
||||
diff --git a/src/configure.in b/src/configure.in
|
||||
index d0d8c4ed7..6573e8343 100644
|
||||
index 1df6f18fc..3bd5e683d 100644
|
||||
--- a/src/configure.in
|
||||
+++ b/src/configure.in
|
||||
@@ -269,6 +269,10 @@ AC_SUBST(CRYPTO_IMPL)
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 3d1f71979d0a41e75f5169ecbdd594e171e8bbf6 Mon Sep 17 00:00:00 2001
|
||||
From 923cafe924fa08c1b35ca11d5473a255d629592d Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Thu, 20 Jun 2019 13:41:57 -0400
|
||||
Subject: [PATCH] Use imported soft-pkcs11 for tests
|
||||
@ -21,7 +21,7 @@ integrate it into the build system, and use it for the PKINIT tests.
|
||||
create mode 100644 src/tests/softpkcs11/softpkcs11.exports
|
||||
|
||||
diff --git a/src/configure.in b/src/configure.in
|
||||
index a19a0ea97..d0d8c4ed7 100644
|
||||
index 3e3b95e49..1df6f18fc 100644
|
||||
--- a/src/configure.in
|
||||
+++ b/src/configure.in
|
||||
@@ -1086,6 +1086,7 @@ int i = 1;
|
||||
|
@ -1,4 +1,4 @@
|
||||
From e2fc380331455d023001d74efbe9563e271cee10 Mon Sep 17 00:00:00 2001
|
||||
From a41dc78bd3a879870eece3bf0a7c66196c90e7e8 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Wed, 24 Apr 2019 16:19:50 -0400
|
||||
Subject: [PATCH] Use secure_getenv() where appropriate
|
||||
|
@ -1,142 +0,0 @@
|
||||
From 9e574469b639220a34bbf3dc36a96854ad0c269a Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Sat, 23 Nov 2019 11:42:59 -0500
|
||||
Subject: [PATCH] Various gssalloc fixes
|
||||
|
||||
The DEBUG_GSSALLOC version of gssalloc_realloc() must add the sentinel
|
||||
size to the byte count.
|
||||
|
||||
The mechglue gss_decapsulate_token(), gss_encapsulate_token(), and
|
||||
gss_export_sec_context() must use gssalloc_malloc() to allocate
|
||||
output buffers.
|
||||
|
||||
The krb5 mech's gss_export_name_composite() and gss_pseudo_random()
|
||||
implementations must use gssalloc_malloc() to allocate output buffers.
|
||||
|
||||
SPNEGO's gss_display_status() implementation must use gssalloc for the
|
||||
output buffer.
|
||||
|
||||
The sample GSS server must use gss_release_buffer() to free the result
|
||||
of gss_export_sec_context().
|
||||
|
||||
ticket: 8852 (new)
|
||||
tags: pullup
|
||||
target_version: 1.17-next
|
||||
target_version: 1.16-next
|
||||
|
||||
(cherry picked from commit ab5c4259bdbe51dd3f4b5c5aff22628188d04322)
|
||||
---
|
||||
src/appl/gss-sample/gss-server.c | 2 +-
|
||||
src/lib/gssapi/generic/gssapi_alloc.h | 2 +-
|
||||
src/lib/gssapi/krb5/naming_exts.c | 2 +-
|
||||
src/lib/gssapi/krb5/prf.c | 2 +-
|
||||
src/lib/gssapi/mechglue/g_decapsulate_token.c | 2 +-
|
||||
src/lib/gssapi/mechglue/g_encapsulate_token.c | 2 +-
|
||||
src/lib/gssapi/mechglue/g_exp_sec_context.c | 2 +-
|
||||
src/lib/gssapi/spnego/spnego_mech.c | 2 +-
|
||||
8 files changed, 8 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/src/appl/gss-sample/gss-server.c b/src/appl/gss-sample/gss-server.c
|
||||
index 6b5959a1c..793fefc9f 100644
|
||||
--- a/src/appl/gss-sample/gss-server.c
|
||||
+++ b/src/appl/gss-sample/gss-server.c
|
||||
@@ -391,7 +391,7 @@ test_import_export_context(gss_ctx_id_t *context)
|
||||
if (verbose && logfile)
|
||||
fprintf(logfile, "Importing context: %7.4f seconds\n",
|
||||
timeval_subtract(&tm1, &tm2));
|
||||
- free(context_token.value);
|
||||
+ (void) gss_release_buffer(&min_stat, &context_token);
|
||||
return 0;
|
||||
}
|
||||
|
||||
diff --git a/src/lib/gssapi/generic/gssapi_alloc.h b/src/lib/gssapi/generic/gssapi_alloc.h
|
||||
index 9a5cd9892..d0bd4b2b0 100644
|
||||
--- a/src/lib/gssapi/generic/gssapi_alloc.h
|
||||
+++ b/src/lib/gssapi/generic/gssapi_alloc.h
|
||||
@@ -80,7 +80,7 @@ gssalloc_realloc(void *value, size_t size)
|
||||
return gssalloc_malloc(size);
|
||||
if (memcmp(p, "gssalloc", 8) != 0)
|
||||
abort();
|
||||
- return (char *)realloc(p, size) + 8;
|
||||
+ return (char *)realloc(p, size + 8) + 8;
|
||||
}
|
||||
|
||||
#else /* not _WIN32 or DEBUG_GSSALLOC */
|
||||
diff --git a/src/lib/gssapi/krb5/naming_exts.c b/src/lib/gssapi/krb5/naming_exts.c
|
||||
index 41752d90b..2ac1aba33 100644
|
||||
--- a/src/lib/gssapi/krb5/naming_exts.c
|
||||
+++ b/src/lib/gssapi/krb5/naming_exts.c
|
||||
@@ -624,7 +624,7 @@ krb5_gss_export_name_composite(OM_uint32 *minor_status,
|
||||
exp_composite_name->length += 4; /* length of encoded attributes */
|
||||
if (attrs != NULL)
|
||||
exp_composite_name->length += attrs->length;
|
||||
- exp_composite_name->value = malloc(exp_composite_name->length);
|
||||
+ exp_composite_name->value = gssalloc_malloc(exp_composite_name->length);
|
||||
if (exp_composite_name->value == NULL) {
|
||||
code = ENOMEM;
|
||||
goto cleanup;
|
||||
diff --git a/src/lib/gssapi/krb5/prf.c b/src/lib/gssapi/krb5/prf.c
|
||||
index e897074fc..f87957bdf 100644
|
||||
--- a/src/lib/gssapi/krb5/prf.c
|
||||
+++ b/src/lib/gssapi/krb5/prf.c
|
||||
@@ -86,7 +86,7 @@ krb5_gss_pseudo_random(OM_uint32 *minor_status,
|
||||
if (desired_output_len == 0)
|
||||
return GSS_S_COMPLETE;
|
||||
|
||||
- prf_out->value = k5alloc(desired_output_len, &code);
|
||||
+ prf_out->value = gssalloc_malloc(desired_output_len);
|
||||
if (prf_out->value == NULL) {
|
||||
code = KG_INPUT_TOO_LONG;
|
||||
goto cleanup;
|
||||
diff --git a/src/lib/gssapi/mechglue/g_decapsulate_token.c b/src/lib/gssapi/mechglue/g_decapsulate_token.c
|
||||
index 934d2607c..1c04e2f27 100644
|
||||
--- a/src/lib/gssapi/mechglue/g_decapsulate_token.c
|
||||
+++ b/src/lib/gssapi/mechglue/g_decapsulate_token.c
|
||||
@@ -55,7 +55,7 @@ gss_decapsulate_token(gss_const_buffer_t input_token,
|
||||
if (minor != 0)
|
||||
return GSS_S_DEFECTIVE_TOKEN;
|
||||
|
||||
- output_token->value = malloc(body_size);
|
||||
+ output_token->value = gssalloc_malloc(body_size);
|
||||
if (output_token->value == NULL)
|
||||
return GSS_S_FAILURE;
|
||||
|
||||
diff --git a/src/lib/gssapi/mechglue/g_encapsulate_token.c b/src/lib/gssapi/mechglue/g_encapsulate_token.c
|
||||
index 6ce0eeb0f..850e3ee65 100644
|
||||
--- a/src/lib/gssapi/mechglue/g_encapsulate_token.c
|
||||
+++ b/src/lib/gssapi/mechglue/g_encapsulate_token.c
|
||||
@@ -51,7 +51,7 @@ gss_encapsulate_token(gss_const_buffer_t input_token,
|
||||
assert(tokenSize > 2);
|
||||
tokenSize -= 2; /* TOK_ID */
|
||||
|
||||
- output_token->value = malloc(tokenSize);
|
||||
+ output_token->value = gssalloc_malloc(tokenSize);
|
||||
if (output_token->value == NULL)
|
||||
return GSS_S_FAILURE;
|
||||
|
||||
diff --git a/src/lib/gssapi/mechglue/g_exp_sec_context.c b/src/lib/gssapi/mechglue/g_exp_sec_context.c
|
||||
index 1d7990b1c..a04afe3d1 100644
|
||||
--- a/src/lib/gssapi/mechglue/g_exp_sec_context.c
|
||||
+++ b/src/lib/gssapi/mechglue/g_exp_sec_context.c
|
||||
@@ -112,7 +112,7 @@ gss_buffer_t interprocess_token;
|
||||
|
||||
length = token.length + 4 + ctx->mech_type->length;
|
||||
interprocess_token->length = length;
|
||||
- interprocess_token->value = malloc(length);
|
||||
+ interprocess_token->value = gssalloc_malloc(length);
|
||||
if (interprocess_token->value == 0) {
|
||||
*minor_status = ENOMEM;
|
||||
status = GSS_S_FAILURE;
|
||||
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
|
||||
index 9d6027ce8..412b4c41c 100644
|
||||
--- a/src/lib/gssapi/spnego/spnego_mech.c
|
||||
+++ b/src/lib/gssapi/spnego/spnego_mech.c
|
||||
@@ -3731,7 +3731,7 @@ negotiate_mech(gss_OID_set supported, gss_OID_set received,
|
||||
static spnego_token_t
|
||||
make_spnego_token(const char *name)
|
||||
{
|
||||
- return (spnego_token_t)strdup(name);
|
||||
+ return (spnego_token_t)gssalloc_strdup(name);
|
||||
}
|
||||
|
||||
static gss_buffer_desc
|
@ -1,4 +1,4 @@
|
||||
From c8f2e321b2d8471feee69bbca3179e675228bd8a Mon Sep 17 00:00:00 2001
|
||||
From 5e2837a56bb6bb1fbaf371377dbffa35aa81b3f1 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 23 Aug 2016 16:29:58 -0400
|
||||
Subject: [PATCH] krb5-1.12.1-pam.patch
|
||||
@ -756,7 +756,7 @@ index 000000000..0ab76569c
|
||||
+void appl_pam_cleanup(void);
|
||||
+#endif
|
||||
diff --git a/src/configure.in b/src/configure.in
|
||||
index 61ef738dc..e9a12ac16 100644
|
||||
index 36df71fa9..cd8ccabcd 100644
|
||||
--- a/src/configure.in
|
||||
+++ b/src/configure.in
|
||||
@@ -1352,6 +1352,8 @@ AC_SUBST([VERTO_VERSION])
|
||||
|
@ -1,4 +1,4 @@
|
||||
From b7ba0fa6a2f8324c58b57dedde33c1ae5d1ddb41 Mon Sep 17 00:00:00 2001
|
||||
From ab2b67102127e448cc1a266fbbe2c738a1a3a158 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 23 Aug 2016 16:45:26 -0400
|
||||
Subject: [PATCH] krb5-1.15-beta1-buildconf.patch
|
||||
|
@ -1,4 +1,4 @@
|
||||
From e1c4f8894d22da9c157bfcf31e28f9ceaeebe39e Mon Sep 17 00:00:00 2001
|
||||
From b50a43ef1f09694298ec043104a59082d6f37c8c Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 23 Aug 2016 16:30:53 -0400
|
||||
Subject: [PATCH] krb5-1.17-beta1-selinux-label.patch
|
||||
@ -172,7 +172,7 @@ index ce87e21ca..917357df9 100644
|
||||
GSS_LIBS = $(GSS_KRB5_LIB)
|
||||
# needs fixing if ever used on macOS!
|
||||
diff --git a/src/configure.in b/src/configure.in
|
||||
index e9a12ac16..93aec682e 100644
|
||||
index cd8ccabcd..feae21c3e 100644
|
||||
--- a/src/configure.in
|
||||
+++ b/src/configure.in
|
||||
@@ -1354,6 +1354,8 @@ AC_PATH_PROG(GROFF, groff)
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 6048ef0ecbf45f239a6df3074975b926ce286e5a Mon Sep 17 00:00:00 2001
|
||||
From c874aa2c7ec16203c0be91e9e789b21221689de2 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Fri, 9 Nov 2018 15:12:21 -0500
|
||||
Subject: [PATCH] krb5-1.17post6 FIPS with PRNG and RADIUS and MD4
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 2cf42007974a9c72e8e6a6cc02295e9c2a89317e Mon Sep 17 00:00:00 2001
|
||||
From 35cd8e40a35ce4546eaffada2f401a7f0f6a83b3 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 23 Aug 2016 16:46:21 -0400
|
||||
Subject: [PATCH] krb5-1.3.1-dns.patch
|
||||
|
@ -1,4 +1,4 @@
|
||||
From d205539d89b857f7bd2b09dfc875d5cdd79167b7 Mon Sep 17 00:00:00 2001
|
||||
From e0391c7071741e6d59025d8b4a26119f2998d90c Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 23 Aug 2016 16:49:25 -0400
|
||||
Subject: [PATCH] krb5-1.9-debuginfo.patch
|
||||
|
73
krb5.spec
@ -16,20 +16,13 @@
|
||||
|
||||
Summary: The Kerberos network authentication system
|
||||
Name: krb5
|
||||
Version: 1.17
|
||||
Version: 1.17.1
|
||||
# for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
|
||||
Release: 54%{?dist}
|
||||
Release: 1%{?dist}
|
||||
|
||||
# lookaside-cached sources; two downloads and a build artifact
|
||||
Source0: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}%{prerelease}.tar.gz
|
||||
# rharwood has trust path to signing key and verifies on check-in
|
||||
Source0: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}%{prerelease}.tar.gz
|
||||
Source1: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}%{prerelease}.tar.gz.asc
|
||||
# This source is generated during the build because sphinx doesn't
|
||||
# give me architecture-deterministic documentation builds.
|
||||
# To override this behavior (e.g., new upstream version), do:
|
||||
# tar cfT krb5-1.15.2-pdfs.tar /dev/null
|
||||
# or the like.
|
||||
Source3: krb5-%{version}%{prerelease}-pdfs.tar
|
||||
|
||||
# Numbering is a relic of old init systems etc. It's easiest to just leave.
|
||||
Source2: kprop.service
|
||||
@ -63,7 +56,6 @@ Patch97: Add-function-and-enctype-flag-for-deprecations.patch
|
||||
Patch98: Make-etype-names-in-KDC-logs-human-readable.patch
|
||||
Patch99: Mark-deprecated-enctypes-when-used.patch
|
||||
Patch100: Properly-size-ifdef-in-k5_cccol_lock.patch
|
||||
Patch101: Fix-memory-leak-in-none-replay-cache-type.patch
|
||||
Patch104: Clarify-header-comment-for-krb5_cc_start_seq_get.patch
|
||||
Patch105: Implement-krb5_cc_remove_cred-for-remaining-types.patch
|
||||
Patch106: Remove-srvtab-support.patch
|
||||
@ -80,7 +72,6 @@ Patch116: Clear-forwardable-flag-instead-of-denying-request.patch
|
||||
Patch117: Add-dns_canonicalize_hostname-fallback-support.patch
|
||||
Patch118: Use-secure_getenv-where-appropriate.patch
|
||||
Patch119: Initialize-some-data-structure-magic-fields.patch
|
||||
Patch120: Fix-some-return-code-handling-bugs.patch
|
||||
Patch121: Modernize-exit-path-in-gss_krb5int_copy_ccache.patch
|
||||
Patch122: Simplify-SAM-2-as_key-handling.patch
|
||||
Patch123: Avoid-alignment-warnings-in-openssl-rc4.c.patch
|
||||
@ -115,8 +106,6 @@ Patch155: Use-imported-soft-pkcs11-for-tests.patch
|
||||
Patch156: Fix-Coverity-defects-in-soft-pkcs11-test-code.patch
|
||||
Patch157: Skip-URI-tests-when-using-asan.patch
|
||||
Patch158: Fix-memory-leaks-in-soft-pkcs11-code.patch
|
||||
Patch159: Initialize-life-rlife-in-kdcpolicy-interface.patch
|
||||
Patch160: Fix-KCM-client-time-offset-propagation.patch
|
||||
Patch162: Simplify-krb5_dbe_def_search_enctype.patch
|
||||
Patch163: Squash-apparent-forward-null-in-clnttcp_create.patch
|
||||
Patch164: Remove-null-check-in-krb5_gss_duplicate_name.patch
|
||||
@ -126,9 +115,6 @@ Patch167: Fix-minor-errors-in-softpkcs11.patch
|
||||
Patch168: Update-test-suite-cert-message-digest-to-sha256.patch
|
||||
Patch169: Use-backported-version-of-OpenSSL-3-KDF-interface.patch
|
||||
Patch170: krb5-1.17post6-FIPS-with-PRNG-and-RADIUS-and-MD4.patch
|
||||
Patch171: Fix-kadmin-addprinc-randkey-kvno.patch
|
||||
Patch172: Various-gssalloc-fixes.patch
|
||||
Patch173: Qualify-short-hostnames-when-not-using-DNS.patch
|
||||
|
||||
License: MIT
|
||||
URL: https://web.mit.edu/kerberos/www/
|
||||
@ -136,42 +122,15 @@ BuildRequires: autoconf, bison, cmake, flex, gawk, gettext, pkgconfig, sed
|
||||
BuildRequires: gcc
|
||||
BuildRequires: libcom_err-devel, libedit-devel, libss-devel
|
||||
BuildRequires: gzip, ncurses-devel
|
||||
BuildRequires: python3-sphinx, texlive-pdftex, latexmk
|
||||
|
||||
# For autosetup
|
||||
BuildRequires: git
|
||||
|
||||
# Originally from \usepackage directives produced by sphinx:
|
||||
BuildRequires: tex(babel.sty)
|
||||
BuildRequires: tex(bookmark.sty)
|
||||
BuildRequires: tex(capt-of.sty)
|
||||
BuildRequires: tex(eqparbox.sty)
|
||||
BuildRequires: tex(fancybox.sty)
|
||||
BuildRequires: tex(fncychap.sty)
|
||||
BuildRequires: tex(fontenc.sty)
|
||||
BuildRequires: tex(framed.sty)
|
||||
BuildRequires: tex(hyperref.sty)
|
||||
BuildRequires: tex(ifthen.sty)
|
||||
BuildRequires: tex(inputenc.sty)
|
||||
BuildRequires: tex(longtable.sty)
|
||||
BuildRequires: tex(multirow.sty)
|
||||
BuildRequires: tex(needspace.sty)
|
||||
BuildRequires: tex(report.cls)
|
||||
BuildRequires: tex(tabulary.sty)
|
||||
BuildRequires: tex(threeparttable.sty)
|
||||
BuildRequires: tex(times.sty)
|
||||
BuildRequires: tex(titlesec.sty)
|
||||
BuildRequires: tex(upquote.sty)
|
||||
BuildRequires: tex(wrapfig.sty)
|
||||
|
||||
# Typical fonts, and the commands which we need to have present.
|
||||
BuildRequires: texlive, texlive-latex, texlive-texmf-fonts
|
||||
BuildRequires: /usr/bin/pdflatex /usr/bin/makeindex
|
||||
BuildRequires: python3-sphinx
|
||||
BuildRequires: keyutils, keyutils-libs-devel >= 1.5.8
|
||||
BuildRequires: libselinux-devel
|
||||
BuildRequires: pam-devel
|
||||
BuildRequires: systemd-units
|
||||
|
||||
# For autosetup
|
||||
BuildRequires: git
|
||||
|
||||
# For the test framework.
|
||||
BuildRequires: perl-interpreter, dejagnu, tcl-devel, python3
|
||||
BuildRequires: net-tools, rpcbind
|
||||
@ -291,7 +250,7 @@ contains only the libkadm5clnt and libkadm5serv shared objects. This
|
||||
interface is not considered stable.
|
||||
|
||||
%prep
|
||||
%autosetup -S git -n %{name}-%{version}%{prerelease} -a 3
|
||||
%autosetup -S git -n %{name}-%{version}%{prerelease}
|
||||
ln NOTICE LICENSE
|
||||
|
||||
# Generate an FDS-compatible LDIF file.
|
||||
@ -381,17 +340,10 @@ fi
|
||||
# Build the docs.
|
||||
make -C src/doc paths.py version.py
|
||||
cp src/doc/paths.py doc/
|
||||
mkdir -p build-man build-html build-pdf
|
||||
mkdir -p build-man build-html
|
||||
sphinx-build -a -b man -t pathsubs doc build-man
|
||||
sphinx-build -a -b html -t pathsubs doc build-html
|
||||
rm -fr build-html/_sources
|
||||
sphinx-build -a -b latex -t pathsubs doc build-pdf
|
||||
# Build the PDFs if we don't have pre-built ones
|
||||
for pdf in admin appdev basic build plugindev user ; do
|
||||
test -s build-pdf/$pdf.pdf || make -C build-pdf
|
||||
done
|
||||
# new krb5-version-pdf
|
||||
tar -cf "krb5-%{version}%{prerelease}-pdfs.tar.new" build-pdf/*.pdf
|
||||
|
||||
# We need to cut off any access to locally-running nameservers, too.
|
||||
%{__cc} -fPIC -shared -o noport.so -Wall -Wextra %{SOURCE100}
|
||||
@ -574,7 +526,6 @@ exit 0
|
||||
%doc src/config-files/services.append
|
||||
%doc src/config-files/krb5.conf
|
||||
%doc build-html/*
|
||||
%doc build-pdf/user.pdf build-pdf/basic.pdf
|
||||
%attr(0755,root,root) %doc src/config-files/convert-config-files
|
||||
|
||||
# Clients of the KDC, including tools you're likely to need if you're running
|
||||
@ -606,7 +557,6 @@ exit 0
|
||||
|
||||
%files server
|
||||
%docdir %{_mandir}
|
||||
%doc build-pdf/admin.pdf build-pdf/build.pdf
|
||||
%doc src/config-files/kdc.conf
|
||||
%{_unitdir}/krb5kdc.service
|
||||
%{_unitdir}/kadmin.service
|
||||
@ -712,7 +662,6 @@ exit 0
|
||||
|
||||
%files devel
|
||||
%docdir %{_mandir}
|
||||
%doc build-pdf/appdev.pdf build-pdf/plugindev.pdf
|
||||
|
||||
%{_includedir}/*
|
||||
%{_libdir}/libgssapi_krb5.so
|
||||
@ -736,6 +685,10 @@ exit 0
|
||||
%{_libdir}/libkadm5srv_mit.so.*
|
||||
|
||||
%changelog
|
||||
* Thu Dec 12 2019 Robbie Harwood <rharwood@redhat.com> - 1.17.1-1
|
||||
- New upstream version - 1.17.1
|
||||
- Stop building and packaging PDFs
|
||||
|
||||
* Fri Dec 06 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-54
|
||||
- Qualify short hostnames when not using DNS
|
||||
|
||||
|
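--- a/sources
+++ b/sources
@@ -1,3 +1,2 @@
-SHA512 (krb5-1.17-pdfs.tar) = 89a5a709720ee9028e9bfbcbc808eec436c4b9c6e105888b37660e97cff48e190bc77affa9809353de9cf2f39e517e8a6ab22792263978b403a4a6317ac24a46
-SHA512 (krb5-1.17.tar.gz) = 7462a578b936bd17f155a362dbb5d388e157a80a096549028be6c55400b11361c7f8a28e424fd5674801873651df4e694d536cae66728b7ae5e840e532358c52
-SHA512 (krb5-1.17.tar.gz.asc) = 7ee81ccd05559ca1ff945619165297db251010db7c0205855f89ae66a73bc78e98f5e28ea154dcb752f5d4afb9349a293dcf8f64858d2129a869295fa8946e0f
+SHA512 (krb5-1.17.1.tar.gz) = e0c3dc0a6554ab3105ac32f3f01519f56064500213aa743816235d83250abc1db9a9ca38a2ba93a938d562b4af135a013017ce96346d6742bca0c812b842ceef
+SHA512 (krb5-1.17.1.tar.gz.asc) = 9665c0b83cc5e8fafbb7f47c383c6bf00e498befa305ab7ed8b867ff6f54a09b6b1f3b7a7f007ceb6dfbc1ebfb797be21cb97ac51c1c8fc8e956d83ce30aa7b1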