(Patch consolidation; hopefully no changes)
This commit is contained in:
Robbie Harwood
parent
4b3d9079ae
commit
aa55266a84
@ -1,4 +1,4 @@
|
||||
From 05672fdc2530618441710361daba097bccf51f61 Mon Sep 17 00:00:00 2001
|
||||
From f256aeea76ad81305d005d3a052e7d2e0250dccc Mon Sep 17 00:00:00 2001
|
||||
From: Simo Sorce <simo@redhat.com>
|
||||
Date: Tue, 4 Dec 2018 15:22:55 -0500
|
||||
Subject: [PATCH] Add dns_canonicalize_hostname=fallback support
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From 4cd829c935319049142052ac45f252a8c3c54b49 Mon Sep 17 00:00:00 2001
|
||||
From 81fe68ce11a676f93c101ddd7523e8de9b419deb Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 15 Jan 2019 16:16:57 -0500
|
||||
Subject: [PATCH] Add function and enctype flag for deprecations
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From 306c0260dca7809c90dfa9e8889a6bd2401cee84 Mon Sep 17 00:00:00 2001
|
||||
From deedc59d6ab6dd4f988db931a3a0d43f977ca708 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Thu, 22 Nov 2018 00:27:35 -0500
|
||||
Subject: [PATCH] Add tests for KCM ccache type
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From 3dd99db324de1492444aab3e5468aea5f1767c6d Mon Sep 17 00:00:00 2001
|
||||
From 3909d11478c7bbfc988b5c09ed7b2d32a5959947 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Sun, 30 Dec 2018 16:40:28 -0500
|
||||
Subject: [PATCH] Address some optimized-out memset() calls
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From 05c4ea24fa8603572ea1bffc767886bb26b8d542 Mon Sep 17 00:00:00 2001
|
||||
From 041a4f3507ffe9f19bb69f8c1959230753b73f90 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Mon, 6 May 2019 15:14:49 -0400
|
||||
Subject: [PATCH] Avoid alignment warnings in openssl rc4.c
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From 273475be9d8aafb41edf417f6317c9537a03c3fa Mon Sep 17 00:00:00 2001
|
||||
From e66fc8b903cded3aed007310815a8f1fac7e6c30 Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schneider <asn@samba.org>
|
||||
Date: Thu, 3 Jan 2019 17:19:32 +0100
|
||||
Subject: [PATCH] Avoid allocating a register in zap() assembly
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From b87d0cd119732b9066606d388b4fdebde2facbe5 Mon Sep 17 00:00:00 2001
|
||||
From f48e578e443cf0217360dee6cef1fe2869059be4 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Mon, 22 Apr 2019 14:26:42 -0400
|
||||
Subject: [PATCH] Check more errors in OpenSSL crypto backend
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From dc0ff969a963c0dcbf203a636cf12030ea2845d9 Mon Sep 17 00:00:00 2001
|
||||
From b804c5ec00580cf62fd3660939f0f3baf71822fe Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 2 Apr 2019 14:18:57 -0400
|
||||
Subject: [PATCH] Clarify header comment for krb5_cc_start_seq_get()
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From 561ac441f046a01a4e71e3c475760cc2d42b8213 Mon Sep 17 00:00:00 2001
|
||||
From 6a23d8a1cf2ff7e247dbd4a737b87c792f78e5ab Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Thu, 15 Nov 2018 13:40:43 -0500
|
||||
Subject: [PATCH] Clear forwardable flag instead of denying request
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From 7eb42e3fbdb854b085eceaa500f1c18569bd044d Mon Sep 17 00:00:00 2001
|
||||
From 5215fad65699527aaea73add2cbbbb40de770fa6 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Tue, 16 Apr 2019 10:47:35 -0400
|
||||
Subject: [PATCH] Fix config realm change logic in FILE remove_cred
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From aeae5941ff8beea66516a31cd16fe4df6e8165f9 Mon Sep 17 00:00:00 2001
|
||||
From 7e3cb737332fad7803205035a90237a9b50e0a36 Mon Sep 17 00:00:00 2001
|
||||
From: Corene Casper <C.Casper@Dell.com>
|
||||
Date: Sat, 16 Feb 2019 00:49:26 -0500
|
||||
Subject: [PATCH] Fix memory leak in 'none' replay cache type
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From c1fe784e79b847a7e9ae9009193dee66bc1b6164 Mon Sep 17 00:00:00 2001
|
||||
From cfe28dcc4a478fa99639b48476316936db87d69e Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Thu, 18 Apr 2019 13:39:37 -0400
|
||||
Subject: [PATCH] Fix potential close(-1) in cc_file.c
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From 202a4ef4b2d1fa88d1a5c7f0b673bc4f563c57cd Mon Sep 17 00:00:00 2001
|
||||
From 0bbbeeacc3c8bf22064db4d049e2069a81ab4270 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Thu, 2 May 2019 14:05:38 -0400
|
||||
Subject: [PATCH] Fix some return code handling bugs
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From fd67573d4f0e2ac155752697ebf750c43fab3c59 Mon Sep 17 00:00:00 2001
|
||||
From 78bfdbba03bbeb3c86c41273a3c3157bfbab7878 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Mon, 1 Apr 2019 14:28:48 -0400
|
||||
Subject: [PATCH] Implement krb5_cc_remove_cred for remaining types
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From a479ad01696f97114cdc1734a7fe5f3d4bd80e80 Mon Sep 17 00:00:00 2001
|
||||
From 93717ffc7a5f213e3040e60431df199a5f6e9c76 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Mon, 6 May 2019 13:13:16 -0400
|
||||
Subject: [PATCH] Improve error messages from kadmin change_password
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From fe497f16d8da570dea363dacb18cfc2fcfa52f24 Mon Sep 17 00:00:00 2001
|
||||
From 7483ca4dbac8fedca5bd5ac1ea310e020df0d843 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 15 Jan 2019 13:41:16 -0500
|
||||
Subject: [PATCH] In kpropd, debug-log proper ticket enctype names
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From d868f6753cd6e9de447f097626f5e5155c727414 Mon Sep 17 00:00:00 2001
|
||||
From 9503055f4caad2ab71db488ec434494cc23ce74e Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Mon, 14 Jan 2019 17:14:42 -0500
|
||||
Subject: [PATCH] In rd_req_dec, always log non-permitted enctypes
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From a1327230380d0c73ebb9a22e4c6bbb1b6f3e0c64 Mon Sep 17 00:00:00 2001
|
||||
From 7973ef9891219a5179592db7081b7ffd6db95103 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Thu, 2 May 2019 13:36:38 -0400
|
||||
Subject: [PATCH] Initialize some data structure magic fields
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From c14796879b9c4601a3333444c9aa6388031e6ab2 Mon Sep 17 00:00:00 2001
|
||||
From 64843356847cc944d246eedd45e34d65c3336e05 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 8 Jan 2019 17:42:35 -0500
|
||||
Subject: [PATCH] Make etype names in KDC logs human-readable
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From 5b81e75e1c5ec39a070df7c87c64aa74b5b9c0ba Mon Sep 17 00:00:00 2001
|
||||
From a3df9ce1ebe05300aaf930d11d53bd354561f044 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Thu, 10 Jan 2019 16:34:54 -0500
|
||||
Subject: [PATCH] Mark deprecated enctypes when used
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From ae9b51bc4f4ca5e88d7675d373e35fde8470e223 Mon Sep 17 00:00:00 2001
|
||||
From 50116db1dcf88ad7a5fbe03e5045c6d3059e2bb0 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Thu, 2 May 2019 14:32:33 -0400
|
||||
Subject: [PATCH] Modernize exit path in gss_krb5int_copy_ccache()
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From 85577bdae928613c87828fff79d5d6c6b9b8b291 Mon Sep 17 00:00:00 2001
|
||||
From 3e750e184a870a7bc96dac75e2da61ca4414ddd1 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Thu, 14 Feb 2019 11:50:35 -0500
|
||||
Subject: [PATCH] Properly size #ifdef in k5_cccol_lock()
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From 6bd60d3985df4e327f86d2a19349f52058d09a17 Mon Sep 17 00:00:00 2001
|
||||
From 69c1393e9077ecedea84cffc4d2721981aa9205a Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Thu, 4 Apr 2019 14:37:38 -0400
|
||||
Subject: [PATCH] Remove Kerberos v4 support vestiges from ccapi
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From 74c45a65b34e49aecfedfb8451b857350fbbe616 Mon Sep 17 00:00:00 2001
|
||||
From fad2355105eaa8ec34cd4c4d3bed05f66d0157ce Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Wed, 3 Apr 2019 16:01:22 -0400
|
||||
Subject: [PATCH] Remove ccapi-related comments in configure.ac
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From 443b8989c5d554f5347b72364d704d4626ca9a92 Mon Sep 17 00:00:00 2001
|
||||
From 9d0403155222b7815d5db6063cecd79d530f7e93 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Mon, 13 May 2019 14:19:57 -0400
|
||||
Subject: [PATCH] Remove checksum type profile variables
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From 841be050c7f02d09aade0ed2c708bff8787afcd2 Mon Sep 17 00:00:00 2001
|
||||
From 6d289b110c39c1d617c5e8252cc0bb1d25450b0e Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Wed, 3 Apr 2019 14:58:19 -0400
|
||||
Subject: [PATCH] Remove confvalidator utility
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From f18a482eec20369d7bcb4a7b2b6440c907215eff Mon Sep 17 00:00:00 2001
|
||||
From 29262595f5c603276dbeb016b122141839304755 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Thu, 2 May 2019 16:57:51 -0400
|
||||
Subject: [PATCH] Remove dead variable def_kslist from two files
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From 33acfff1a6ec51f2d60933c362ec8afb89d5d548 Mon Sep 17 00:00:00 2001
|
||||
From 7e85faa6d1df1af351c00a92219e789939d2924c Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Thu, 4 Apr 2019 14:15:58 -0400
|
||||
Subject: [PATCH] Remove doxygen-generated HTML output for ccapi
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From 76b39ce5081eb3b288532d615c356ab508e93495 Mon Sep 17 00:00:00 2001
|
||||
From 93ee33d4b7ab08c041868a2e43111924c578b5b5 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Thu, 4 Apr 2019 16:14:46 -0400
|
||||
Subject: [PATCH] Remove kadmin RPC support for setting v4 key
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From eb6d9cd533d087d38b7f3c1b7086a712cb0bfe46 Mon Sep 17 00:00:00 2001
|
||||
From dbc7e1a5ca3afad7ac6d057266358c6cbe517db5 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Thu, 9 May 2019 14:07:24 -0400
|
||||
Subject: [PATCH] Remove more dead code
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From e7766b4c1df19738a4cf34d498046cfa8dd91637 Mon Sep 17 00:00:00 2001
|
||||
From 17d6296546fc363731e10c986ba19e0d85bd9e0c Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 22 Jan 2019 18:34:58 -0500
|
||||
Subject: [PATCH] Remove ovsec_adm_export dump format support
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From e74dc82235b3948dee706310ebf5b1878d08d7df Mon Sep 17 00:00:00 2001
|
||||
From aec66c783ddba8b036ea1077bb852832cffcc432 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Mon, 9 Oct 2017 15:58:33 -0400
|
||||
Subject: [PATCH] Remove srvtab support
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From 4f9e21c9daf505f5147dcab2fb4d1b241e1b90f8 Mon Sep 17 00:00:00 2001
|
||||
From c63484d9ff8199261e778169474af50883ea11f5 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Sun, 5 May 2019 18:53:27 -0400
|
||||
Subject: [PATCH] Simplify SAM-2 as_key handling
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From 89470cb724edb9a3c9d31f6fb5c967fed73e38a1 Mon Sep 17 00:00:00 2001
|
||||
From bcc55c108502402d2d1f6e4a6ce9a348dd655609 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Mon, 6 May 2019 13:13:06 -0400
|
||||
Subject: [PATCH] Simply OpenSSL PKCS7 decryption code
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From ec428980300c85ba2c4b220174c2c05447cf4bd8 Mon Sep 17 00:00:00 2001
|
||||
From d7cb05ad91e778c1de0c977b053a22060e6ed579 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Wed, 24 Apr 2019 16:19:50 -0400
|
||||
Subject: [PATCH] Use secure_getenv() where appropriate
|
||||
|
||||
@ -1,250 +0,0 @@
|
||||
From dff44c20d9d9ed6a3e71888406b2913d9309e738 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Fri, 9 Nov 2018 15:12:21 -0500
|
||||
Subject: [PATCH] krb5-1.17post1 FIPS with PRNG and SPAKE
|
||||
|
||||
NB: Use openssl's PRNG in FIPS mode, and be aware during SPAKE group
|
||||
negotiation.
|
||||
|
||||
A lot of the FIPS error conditions from OpenSSL are incredibly
|
||||
mysterious (at best, things return NULL unexpectedly; at worst,
|
||||
internal assertions are tripped; most of the time, you just get
|
||||
ENOMEM). In order to cope with this, we need to have some level of
|
||||
awareness of what we can and can't safely call.
|
||||
|
||||
This will slow down some calls slightly (FIPS_mode() takes multiple
|
||||
locks), but not for any ciphers we care about - which is to say that
|
||||
AES is fine. Shame about the SPAKE groups though.
|
||||
---
|
||||
src/lib/crypto/krb/prng.c | 11 ++++++++++-
|
||||
src/lib/crypto/openssl/enc_provider/camellia.c | 6 ++++++
|
||||
src/lib/crypto/openssl/enc_provider/des.c | 9 +++++++++
|
||||
src/lib/crypto/openssl/enc_provider/des3.c | 6 ++++++
|
||||
src/lib/crypto/openssl/enc_provider/rc4.c | 13 ++++++++++++-
|
||||
src/lib/crypto/openssl/hash_provider/hash_evp.c | 4 ++++
|
||||
src/lib/crypto/openssl/hmac.c | 6 +++++-
|
||||
src/plugins/preauth/spake/groups.c | 8 ++++++++
|
||||
8 files changed, 60 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/lib/crypto/krb/prng.c b/src/lib/crypto/krb/prng.c
|
||||
index cb9ca9b98..f0e9984ca 100644
|
||||
--- a/src/lib/crypto/krb/prng.c
|
||||
+++ b/src/lib/crypto/krb/prng.c
|
||||
@@ -26,6 +26,8 @@
|
||||
|
||||
#include "crypto_int.h"
|
||||
|
||||
+#include <openssl/rand.h>
|
||||
+
|
||||
krb5_error_code KRB5_CALLCONV
|
||||
krb5_c_random_seed(krb5_context context, krb5_data *data)
|
||||
{
|
||||
@@ -99,9 +101,16 @@ krb5_boolean
|
||||
k5_get_os_entropy(unsigned char *buf, size_t len, int strong)
|
||||
{
|
||||
const char *device;
|
||||
-#if defined(__linux__) && defined(SYS_getrandom)
|
||||
int r;
|
||||
|
||||
+ /* A wild FIPS mode appeared! */
|
||||
+ if (FIPS_mode()) {
|
||||
+ /* The return codes on this API are not good */
|
||||
+ r = RAND_bytes(buf, len);
|
||||
+ return r == 1;
|
||||
+ }
|
||||
+
|
||||
+#if defined(__linux__) && defined(SYS_getrandom)
|
||||
while (len > 0) {
|
||||
/*
|
||||
* Pull from the /dev/urandom pool, but require it to have been seeded.
|
||||
diff --git a/src/lib/crypto/openssl/enc_provider/camellia.c b/src/lib/crypto/openssl/enc_provider/camellia.c
|
||||
index 2da691329..f79679a0b 100644
|
||||
--- a/src/lib/crypto/openssl/enc_provider/camellia.c
|
||||
+++ b/src/lib/crypto/openssl/enc_provider/camellia.c
|
||||
@@ -304,6 +304,9 @@ krb5int_camellia_cbc_mac(krb5_key key, const krb5_crypto_iov *data,
|
||||
unsigned char blockY[CAMELLIA_BLOCK_SIZE], blockB[CAMELLIA_BLOCK_SIZE];
|
||||
struct iov_cursor cursor;
|
||||
|
||||
+ if (FIPS_mode())
|
||||
+ return KRB5_CRYPTO_INTERNAL;
|
||||
+
|
||||
if (output->length < CAMELLIA_BLOCK_SIZE)
|
||||
return KRB5_BAD_MSIZE;
|
||||
|
||||
@@ -331,6 +334,9 @@ static krb5_error_code
|
||||
krb5int_camellia_init_state (const krb5_keyblock *key, krb5_keyusage usage,
|
||||
krb5_data *state)
|
||||
{
|
||||
+ if (FIPS_mode())
|
||||
+ return KRB5_CRYPTO_INTERNAL;
|
||||
+
|
||||
state->length = 16;
|
||||
state->data = (void *) malloc(16);
|
||||
if (state->data == NULL)
|
||||
diff --git a/src/lib/crypto/openssl/enc_provider/des.c b/src/lib/crypto/openssl/enc_provider/des.c
|
||||
index a662db512..7d17d287e 100644
|
||||
--- a/src/lib/crypto/openssl/enc_provider/des.c
|
||||
+++ b/src/lib/crypto/openssl/enc_provider/des.c
|
||||
@@ -85,6 +85,9 @@ k5_des_encrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
|
||||
EVP_CIPHER_CTX *ctx;
|
||||
krb5_boolean empty;
|
||||
|
||||
+ if (FIPS_mode())
|
||||
+ return KRB5_CRYPTO_INTERNAL;
|
||||
+
|
||||
ret = validate(key, ivec, data, num_data, &empty);
|
||||
if (ret != 0 || empty)
|
||||
return ret;
|
||||
@@ -133,6 +136,9 @@ k5_des_decrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
|
||||
EVP_CIPHER_CTX *ctx;
|
||||
krb5_boolean empty;
|
||||
|
||||
+ if (FIPS_mode())
|
||||
+ return KRB5_CRYPTO_INTERNAL;
|
||||
+
|
||||
ret = validate(key, ivec, data, num_data, &empty);
|
||||
if (ret != 0 || empty)
|
||||
return ret;
|
||||
@@ -182,6 +188,9 @@ k5_des_cbc_mac(krb5_key key, const krb5_crypto_iov *data, size_t num_data,
|
||||
DES_key_schedule sched;
|
||||
krb5_boolean empty;
|
||||
|
||||
+ if (FIPS_mode())
|
||||
+ return KRB5_CRYPTO_INTERNAL;
|
||||
+
|
||||
ret = validate(key, ivec, data, num_data, &empty);
|
||||
if (ret != 0)
|
||||
return ret;
|
||||
diff --git a/src/lib/crypto/openssl/enc_provider/des3.c b/src/lib/crypto/openssl/enc_provider/des3.c
|
||||
index 1c439c2cd..8be555a8d 100644
|
||||
--- a/src/lib/crypto/openssl/enc_provider/des3.c
|
||||
+++ b/src/lib/crypto/openssl/enc_provider/des3.c
|
||||
@@ -84,6 +84,9 @@ k5_des3_encrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
|
||||
EVP_CIPHER_CTX *ctx;
|
||||
krb5_boolean empty;
|
||||
|
||||
+ if (FIPS_mode())
|
||||
+ return KRB5_CRYPTO_INTERNAL;
|
||||
+
|
||||
ret = validate(key, ivec, data, num_data, &empty);
|
||||
if (ret != 0 || empty)
|
||||
return ret;
|
||||
@@ -133,6 +136,9 @@ k5_des3_decrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
|
||||
EVP_CIPHER_CTX *ctx;
|
||||
krb5_boolean empty;
|
||||
|
||||
+ if (FIPS_mode())
|
||||
+ return KRB5_CRYPTO_INTERNAL;
|
||||
+
|
||||
ret = validate(key, ivec, data, num_data, &empty);
|
||||
if (ret != 0 || empty)
|
||||
return ret;
|
||||
diff --git a/src/lib/crypto/openssl/enc_provider/rc4.c b/src/lib/crypto/openssl/enc_provider/rc4.c
|
||||
index a65d57b7a..6ccaca94a 100644
|
||||
--- a/src/lib/crypto/openssl/enc_provider/rc4.c
|
||||
+++ b/src/lib/crypto/openssl/enc_provider/rc4.c
|
||||
@@ -66,6 +66,9 @@ k5_arcfour_docrypt(krb5_key key, const krb5_data *state, krb5_crypto_iov *data,
|
||||
EVP_CIPHER_CTX *ctx = NULL;
|
||||
struct arcfour_state *arcstate;
|
||||
|
||||
+ if (FIPS_mode())
|
||||
+ return KRB5_CRYPTO_INTERNAL;
|
||||
+
|
||||
arcstate = (state != NULL) ? (void *)state->data : NULL;
|
||||
if (arcstate != NULL) {
|
||||
ctx = arcstate->ctx;
|
||||
@@ -113,7 +116,12 @@ k5_arcfour_docrypt(krb5_key key, const krb5_data *state, krb5_crypto_iov *data,
|
||||
static void
|
||||
k5_arcfour_free_state(krb5_data *state)
|
||||
{
|
||||
- struct arcfour_state *arcstate = (void *)state->data;
|
||||
+ struct arcfour_state *arcstate;
|
||||
+
|
||||
+ if (FIPS_mode())
|
||||
+ return;
|
||||
+
|
||||
+ arcstate = (void *) state->data;
|
||||
|
||||
EVP_CIPHER_CTX_free(arcstate->ctx);
|
||||
free(arcstate);
|
||||
@@ -125,6 +133,9 @@ k5_arcfour_init_state(const krb5_keyblock *key,
|
||||
{
|
||||
struct arcfour_state *arcstate;
|
||||
|
||||
+ if (FIPS_mode())
|
||||
+ return KRB5_CRYPTO_INTERNAL;
|
||||
+
|
||||
/*
|
||||
* The cipher state here is a saved pointer to a struct arcfour_state
|
||||
* object, rather than a flat byte array as in most enc providers. The
|
||||
diff --git a/src/lib/crypto/openssl/hash_provider/hash_evp.c b/src/lib/crypto/openssl/hash_provider/hash_evp.c
|
||||
index 957ed8d9c..8c1fd7f59 100644
|
||||
--- a/src/lib/crypto/openssl/hash_provider/hash_evp.c
|
||||
+++ b/src/lib/crypto/openssl/hash_provider/hash_evp.c
|
||||
@@ -64,12 +64,16 @@ hash_evp(const EVP_MD *type, const krb5_crypto_iov *data, size_t num_data,
|
||||
static krb5_error_code
|
||||
hash_md4(const krb5_crypto_iov *data, size_t num_data, krb5_data *output)
|
||||
{
|
||||
+ if (FIPS_mode())
|
||||
+ return KRB5_CRYPTO_INTERNAL;
|
||||
return hash_evp(EVP_md4(), data, num_data, output);
|
||||
}
|
||||
|
||||
static krb5_error_code
|
||||
hash_md5(const krb5_crypto_iov *data, size_t num_data, krb5_data *output)
|
||||
{
|
||||
+ if (FIPS_mode())
|
||||
+ return KRB5_CRYPTO_INTERNAL;
|
||||
return hash_evp(EVP_md5(), data, num_data, output);
|
||||
}
|
||||
|
||||
diff --git a/src/lib/crypto/openssl/hmac.c b/src/lib/crypto/openssl/hmac.c
|
||||
index 7dc59dcc0..769a50c00 100644
|
||||
--- a/src/lib/crypto/openssl/hmac.c
|
||||
+++ b/src/lib/crypto/openssl/hmac.c
|
||||
@@ -103,7 +103,11 @@ map_digest(const struct krb5_hash_provider *hash)
|
||||
return EVP_sha256();
|
||||
else if (!strncmp(hash->hash_name, "SHA-384",7))
|
||||
return EVP_sha384();
|
||||
- else if (!strncmp(hash->hash_name, "MD5", 3))
|
||||
+
|
||||
+ if (FIPS_mode())
|
||||
+ return NULL;
|
||||
+
|
||||
+ if (!strncmp(hash->hash_name, "MD5", 3))
|
||||
return EVP_md5();
|
||||
else if (!strncmp(hash->hash_name, "MD4", 3))
|
||||
return EVP_md4();
|
||||
diff --git a/src/plugins/preauth/spake/groups.c b/src/plugins/preauth/spake/groups.c
|
||||
index a195cc195..8a913cb5a 100644
|
||||
--- a/src/plugins/preauth/spake/groups.c
|
||||
+++ b/src/plugins/preauth/spake/groups.c
|
||||
@@ -56,6 +56,8 @@
|
||||
#include "trace.h"
|
||||
#include "groups.h"
|
||||
|
||||
+#include <openssl/crypto.h>
|
||||
+
|
||||
#define DEFAULT_GROUPS_CLIENT "edwards25519"
|
||||
#define DEFAULT_GROUPS_KDC ""
|
||||
|
||||
@@ -102,6 +104,9 @@ find_gdef(int32_t group)
|
||||
{
|
||||
size_t i;
|
||||
|
||||
+ if (group == builtin_edwards25519.reg->id && FIPS_mode())
|
||||
+ return NULL;
|
||||
+
|
||||
for (i = 0; groupdefs[i] != NULL; i++) {
|
||||
if (groupdefs[i]->reg->id == group)
|
||||
return groupdefs[i];
|
||||
@@ -116,6 +121,9 @@ find_gnum(const char *name)
|
||||
{
|
||||
size_t i;
|
||||
|
||||
+ if (strcasecmp(name, builtin_edwards25519.reg->name) == 0 && FIPS_mode())
|
||||
+ return 0;
|
||||
+
|
||||
for (i = 0; groupdefs[i] != NULL; i++) {
|
||||
if (strcasecmp(name, groupdefs[i]->reg->name) == 0)
|
||||
return groupdefs[i]->reg->id;
|
||||
@ -1,19 +1,227 @@
|
||||
From 105bd2c8be23ab94ba6e0601ee8e531f013389d6 Mon Sep 17 00:00:00 2001
|
||||
From 0c6860f5213e35226670772b53d70c858258a63e Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 31 Jul 2018 13:47:26 -0400
|
||||
Subject: [PATCH] krb5-1.17 In FIPS mode, add plaintext fallback for RC4 usages
|
||||
and taint
|
||||
Date: Fri, 9 Nov 2018 15:12:21 -0500
|
||||
Subject: [PATCH] krb5-1.17post2 FIPS with PRNG, SPAKE, and RADIUS
|
||||
|
||||
NB: Use openssl's PRNG in FIPS mode, be aware during SPAKE group
|
||||
negotiation, and taint within krad.
|
||||
|
||||
A lot of the FIPS error conditions from OpenSSL are incredibly
|
||||
mysterious (at best, things return NULL unexpectedly; at worst,
|
||||
internal assertions are tripped; most of the time, you just get
|
||||
ENOMEM). In order to cope with this, we need to have some level of
|
||||
awareness of what we can and can't safely call.
|
||||
|
||||
This will slow down some calls slightly (FIPS_mode() takes multiple
|
||||
locks), but not for any ciphers we care about - which is to say that
|
||||
AES is fine. Shame about the SPAKE groups though.
|
||||
---
|
||||
src/lib/krad/attr.c | 45 +++++++++++++++++++++++++++++-----------
|
||||
src/lib/krad/attrset.c | 5 +++--
|
||||
src/lib/krad/internal.h | 13 ++++++++++--
|
||||
src/lib/krad/packet.c | 22 +++++++++++---------
|
||||
src/lib/krad/remote.c | 10 +++++++--
|
||||
src/lib/krad/t_attr.c | 3 ++-
|
||||
src/lib/krad/t_attrset.c | 4 +++-
|
||||
7 files changed, 72 insertions(+), 30 deletions(-)
|
||||
src/lib/crypto/krb/prng.c | 11 ++++-
|
||||
.../crypto/openssl/enc_provider/camellia.c | 6 +++
|
||||
src/lib/crypto/openssl/enc_provider/des.c | 9 ++++
|
||||
src/lib/crypto/openssl/enc_provider/des3.c | 6 +++
|
||||
src/lib/crypto/openssl/enc_provider/rc4.c | 13 +++++-
|
||||
.../crypto/openssl/hash_provider/hash_evp.c | 4 ++
|
||||
src/lib/crypto/openssl/hmac.c | 6 ++-
|
||||
src/lib/krad/attr.c | 45 ++++++++++++++-----
|
||||
src/lib/krad/attrset.c | 5 ++-
|
||||
src/lib/krad/internal.h | 13 +++++-
|
||||
src/lib/krad/packet.c | 22 ++++-----
|
||||
src/lib/krad/remote.c | 10 ++++-
|
||||
src/lib/krad/t_attr.c | 3 +-
|
||||
src/lib/krad/t_attrset.c | 4 +-
|
||||
src/plugins/preauth/spake/groups.c | 8 ++++
|
||||
15 files changed, 132 insertions(+), 33 deletions(-)
|
||||
|
||||
diff --git a/src/lib/crypto/krb/prng.c b/src/lib/crypto/krb/prng.c
|
||||
index cb9ca9b98..f0e9984ca 100644
|
||||
--- a/src/lib/crypto/krb/prng.c
|
||||
+++ b/src/lib/crypto/krb/prng.c
|
||||
@@ -26,6 +26,8 @@
|
||||
|
||||
#include "crypto_int.h"
|
||||
|
||||
+#include <openssl/rand.h>
|
||||
+
|
||||
krb5_error_code KRB5_CALLCONV
|
||||
krb5_c_random_seed(krb5_context context, krb5_data *data)
|
||||
{
|
||||
@@ -99,9 +101,16 @@ krb5_boolean
|
||||
k5_get_os_entropy(unsigned char *buf, size_t len, int strong)
|
||||
{
|
||||
const char *device;
|
||||
-#if defined(__linux__) && defined(SYS_getrandom)
|
||||
int r;
|
||||
|
||||
+ /* A wild FIPS mode appeared! */
|
||||
+ if (FIPS_mode()) {
|
||||
+ /* The return codes on this API are not good */
|
||||
+ r = RAND_bytes(buf, len);
|
||||
+ return r == 1;
|
||||
+ }
|
||||
+
|
||||
+#if defined(__linux__) && defined(SYS_getrandom)
|
||||
while (len > 0) {
|
||||
/*
|
||||
* Pull from the /dev/urandom pool, but require it to have been seeded.
|
||||
diff --git a/src/lib/crypto/openssl/enc_provider/camellia.c b/src/lib/crypto/openssl/enc_provider/camellia.c
|
||||
index 2da691329..f79679a0b 100644
|
||||
--- a/src/lib/crypto/openssl/enc_provider/camellia.c
|
||||
+++ b/src/lib/crypto/openssl/enc_provider/camellia.c
|
||||
@@ -304,6 +304,9 @@ krb5int_camellia_cbc_mac(krb5_key key, const krb5_crypto_iov *data,
|
||||
unsigned char blockY[CAMELLIA_BLOCK_SIZE], blockB[CAMELLIA_BLOCK_SIZE];
|
||||
struct iov_cursor cursor;
|
||||
|
||||
+ if (FIPS_mode())
|
||||
+ return KRB5_CRYPTO_INTERNAL;
|
||||
+
|
||||
if (output->length < CAMELLIA_BLOCK_SIZE)
|
||||
return KRB5_BAD_MSIZE;
|
||||
|
||||
@@ -331,6 +334,9 @@ static krb5_error_code
|
||||
krb5int_camellia_init_state (const krb5_keyblock *key, krb5_keyusage usage,
|
||||
krb5_data *state)
|
||||
{
|
||||
+ if (FIPS_mode())
|
||||
+ return KRB5_CRYPTO_INTERNAL;
|
||||
+
|
||||
state->length = 16;
|
||||
state->data = (void *) malloc(16);
|
||||
if (state->data == NULL)
|
||||
diff --git a/src/lib/crypto/openssl/enc_provider/des.c b/src/lib/crypto/openssl/enc_provider/des.c
|
||||
index a662db512..7d17d287e 100644
|
||||
--- a/src/lib/crypto/openssl/enc_provider/des.c
|
||||
+++ b/src/lib/crypto/openssl/enc_provider/des.c
|
||||
@@ -85,6 +85,9 @@ k5_des_encrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
|
||||
EVP_CIPHER_CTX *ctx;
|
||||
krb5_boolean empty;
|
||||
|
||||
+ if (FIPS_mode())
|
||||
+ return KRB5_CRYPTO_INTERNAL;
|
||||
+
|
||||
ret = validate(key, ivec, data, num_data, &empty);
|
||||
if (ret != 0 || empty)
|
||||
return ret;
|
||||
@@ -133,6 +136,9 @@ k5_des_decrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
|
||||
EVP_CIPHER_CTX *ctx;
|
||||
krb5_boolean empty;
|
||||
|
||||
+ if (FIPS_mode())
|
||||
+ return KRB5_CRYPTO_INTERNAL;
|
||||
+
|
||||
ret = validate(key, ivec, data, num_data, &empty);
|
||||
if (ret != 0 || empty)
|
||||
return ret;
|
||||
@@ -182,6 +188,9 @@ k5_des_cbc_mac(krb5_key key, const krb5_crypto_iov *data, size_t num_data,
|
||||
DES_key_schedule sched;
|
||||
krb5_boolean empty;
|
||||
|
||||
+ if (FIPS_mode())
|
||||
+ return KRB5_CRYPTO_INTERNAL;
|
||||
+
|
||||
ret = validate(key, ivec, data, num_data, &empty);
|
||||
if (ret != 0)
|
||||
return ret;
|
||||
diff --git a/src/lib/crypto/openssl/enc_provider/des3.c b/src/lib/crypto/openssl/enc_provider/des3.c
|
||||
index 1c439c2cd..8be555a8d 100644
|
||||
--- a/src/lib/crypto/openssl/enc_provider/des3.c
|
||||
+++ b/src/lib/crypto/openssl/enc_provider/des3.c
|
||||
@@ -84,6 +84,9 @@ k5_des3_encrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
|
||||
EVP_CIPHER_CTX *ctx;
|
||||
krb5_boolean empty;
|
||||
|
||||
+ if (FIPS_mode())
|
||||
+ return KRB5_CRYPTO_INTERNAL;
|
||||
+
|
||||
ret = validate(key, ivec, data, num_data, &empty);
|
||||
if (ret != 0 || empty)
|
||||
return ret;
|
||||
@@ -133,6 +136,9 @@ k5_des3_decrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
|
||||
EVP_CIPHER_CTX *ctx;
|
||||
krb5_boolean empty;
|
||||
|
||||
+ if (FIPS_mode())
|
||||
+ return KRB5_CRYPTO_INTERNAL;
|
||||
+
|
||||
ret = validate(key, ivec, data, num_data, &empty);
|
||||
if (ret != 0 || empty)
|
||||
return ret;
|
||||
diff --git a/src/lib/crypto/openssl/enc_provider/rc4.c b/src/lib/crypto/openssl/enc_provider/rc4.c
|
||||
index a65d57b7a..6ccaca94a 100644
|
||||
--- a/src/lib/crypto/openssl/enc_provider/rc4.c
|
||||
+++ b/src/lib/crypto/openssl/enc_provider/rc4.c
|
||||
@@ -66,6 +66,9 @@ k5_arcfour_docrypt(krb5_key key, const krb5_data *state, krb5_crypto_iov *data,
|
||||
EVP_CIPHER_CTX *ctx = NULL;
|
||||
struct arcfour_state *arcstate;
|
||||
|
||||
+ if (FIPS_mode())
|
||||
+ return KRB5_CRYPTO_INTERNAL;
|
||||
+
|
||||
arcstate = (state != NULL) ? (void *)state->data : NULL;
|
||||
if (arcstate != NULL) {
|
||||
ctx = arcstate->ctx;
|
||||
@@ -113,7 +116,12 @@ k5_arcfour_docrypt(krb5_key key, const krb5_data *state, krb5_crypto_iov *data,
|
||||
static void
|
||||
k5_arcfour_free_state(krb5_data *state)
|
||||
{
|
||||
- struct arcfour_state *arcstate = (void *)state->data;
|
||||
+ struct arcfour_state *arcstate;
|
||||
+
|
||||
+ if (FIPS_mode())
|
||||
+ return;
|
||||
+
|
||||
+ arcstate = (void *) state->data;
|
||||
|
||||
EVP_CIPHER_CTX_free(arcstate->ctx);
|
||||
free(arcstate);
|
||||
@@ -125,6 +133,9 @@ k5_arcfour_init_state(const krb5_keyblock *key,
|
||||
{
|
||||
struct arcfour_state *arcstate;
|
||||
|
||||
+ if (FIPS_mode())
|
||||
+ return KRB5_CRYPTO_INTERNAL;
|
||||
+
|
||||
/*
|
||||
* The cipher state here is a saved pointer to a struct arcfour_state
|
||||
* object, rather than a flat byte array as in most enc providers. The
|
||||
diff --git a/src/lib/crypto/openssl/hash_provider/hash_evp.c b/src/lib/crypto/openssl/hash_provider/hash_evp.c
|
||||
index 957ed8d9c..8c1fd7f59 100644
|
||||
--- a/src/lib/crypto/openssl/hash_provider/hash_evp.c
|
||||
+++ b/src/lib/crypto/openssl/hash_provider/hash_evp.c
|
||||
@@ -64,12 +64,16 @@ hash_evp(const EVP_MD *type, const krb5_crypto_iov *data, size_t num_data,
|
||||
static krb5_error_code
|
||||
hash_md4(const krb5_crypto_iov *data, size_t num_data, krb5_data *output)
|
||||
{
|
||||
+ if (FIPS_mode())
|
||||
+ return KRB5_CRYPTO_INTERNAL;
|
||||
return hash_evp(EVP_md4(), data, num_data, output);
|
||||
}
|
||||
|
||||
static krb5_error_code
|
||||
hash_md5(const krb5_crypto_iov *data, size_t num_data, krb5_data *output)
|
||||
{
|
||||
+ if (FIPS_mode())
|
||||
+ return KRB5_CRYPTO_INTERNAL;
|
||||
return hash_evp(EVP_md5(), data, num_data, output);
|
||||
}
|
||||
|
||||
diff --git a/src/lib/crypto/openssl/hmac.c b/src/lib/crypto/openssl/hmac.c
|
||||
index 7dc59dcc0..769a50c00 100644
|
||||
--- a/src/lib/crypto/openssl/hmac.c
|
||||
+++ b/src/lib/crypto/openssl/hmac.c
|
||||
@@ -103,7 +103,11 @@ map_digest(const struct krb5_hash_provider *hash)
|
||||
return EVP_sha256();
|
||||
else if (!strncmp(hash->hash_name, "SHA-384",7))
|
||||
return EVP_sha384();
|
||||
- else if (!strncmp(hash->hash_name, "MD5", 3))
|
||||
+
|
||||
+ if (FIPS_mode())
|
||||
+ return NULL;
|
||||
+
|
||||
+ if (!strncmp(hash->hash_name, "MD5", 3))
|
||||
return EVP_md5();
|
||||
else if (!strncmp(hash->hash_name, "MD4", 3))
|
||||
return EVP_md4();
|
||||
diff --git a/src/lib/krad/attr.c b/src/lib/krad/attr.c
|
||||
index 9c13d9d75..275327e67 100644
|
||||
--- a/src/lib/krad/attr.c
|
||||
@ -351,3 +559,36 @@ index 7928335ca..0f9576253 100644
|
||||
krad_attrset_free(set);
|
||||
|
||||
/* Manually encode User-Name. */
|
||||
diff --git a/src/plugins/preauth/spake/groups.c b/src/plugins/preauth/spake/groups.c
|
||||
index a195cc195..8a913cb5a 100644
|
||||
--- a/src/plugins/preauth/spake/groups.c
|
||||
+++ b/src/plugins/preauth/spake/groups.c
|
||||
@@ -56,6 +56,8 @@
|
||||
#include "trace.h"
|
||||
#include "groups.h"
|
||||
|
||||
+#include <openssl/crypto.h>
|
||||
+
|
||||
#define DEFAULT_GROUPS_CLIENT "edwards25519"
|
||||
#define DEFAULT_GROUPS_KDC ""
|
||||
|
||||
@@ -102,6 +104,9 @@ find_gdef(int32_t group)
|
||||
{
|
||||
size_t i;
|
||||
|
||||
+ if (group == builtin_edwards25519.reg->id && FIPS_mode())
|
||||
+ return NULL;
|
||||
+
|
||||
for (i = 0; groupdefs[i] != NULL; i++) {
|
||||
if (groupdefs[i]->reg->id == group)
|
||||
return groupdefs[i];
|
||||
@@ -116,6 +121,9 @@ find_gnum(const char *name)
|
||||
{
|
||||
size_t i;
|
||||
|
||||
+ if (strcasecmp(name, builtin_edwards25519.reg->name) == 0 && FIPS_mode())
|
||||
+ return 0;
|
||||
+
|
||||
for (i = 0; groupdefs[i] != NULL; i++) {
|
||||
if (strcasecmp(name, groupdefs[i]->reg->name) == 0)
|
||||
return groupdefs[i]->reg->id;
|
||||
10
krb5.spec
10
krb5.spec
@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
|
||||
Name: krb5
|
||||
Version: 1.17
|
||||
# for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
|
||||
Release: 19%{?dist}
|
||||
Release: 20%{?dist}
|
||||
|
||||
# lookaside-cached sources; two downloads and a build artifact
|
||||
Source0: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}%{prerelease}.tar.gz
|
||||
@ -59,7 +59,6 @@ Patch33: krb5-1.13-dirsrv-accountlock.patch
|
||||
Patch34: krb5-1.9-debuginfo.patch
|
||||
Patch35: krb5-1.11-run_user_0.patch
|
||||
Patch36: krb5-1.11-kpasswdtest.patch
|
||||
Patch37: krb5-1.17-In-FIPS-mode-add-plaintext-fallback-for-RC.patch
|
||||
Patch90: Add-tests-for-KCM-ccache-type.patch
|
||||
Patch92: Address-some-optimized-out-memset-calls.patch
|
||||
Patch94: Avoid-allocating-a-register-in-zap-assembly.patch
|
||||
@ -93,12 +92,12 @@ Patch123: Avoid-alignment-warnings-in-openssl-rc4.c.patch
|
||||
Patch124: Simply-OpenSSL-PKCS7-decryption-code.patch
|
||||
Patch125: Improve-error-messages-from-kadmin-change_password.patch
|
||||
Patch126: Remove-more-dead-code.patch
|
||||
Patch127: krb5-1.17post1-FIPS-with-PRNG-and-SPAKE.patch
|
||||
Patch127: krb5-1.17post2-FIPS-with-PRNG-SPAKE-and-RADIUS.patch
|
||||
Patch128: Remove-checksum-type-profile-variables.patch
|
||||
Patch129: Remove-dead-variable-def_kslist-from-two-files.patch
|
||||
|
||||
License: MIT
|
||||
URL: http://web.mit.edu/kerberos/www/
|
||||
URL: https://web.mit.edu/kerberos/www/
|
||||
BuildRequires: autoconf, bison, cmake, flex, gawk, gettext, pkgconfig, sed
|
||||
BuildRequires: gcc
|
||||
BuildRequires: libcom_err-devel, libedit-devel, libss-devel
|
||||
@ -702,6 +701,9 @@ exit 0
|
||||
%{_libdir}/libkadm5srv_mit.so.*
|
||||
|
||||
%changelog
|
||||
* Tue May 14 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-20
|
||||
- (Patch consolidation; hopefully no changes)
|
||||
|
||||
* Tue May 14 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-19
|
||||
- Remove checksum type profile variables
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user