Fix DES3 mention in KDFs

Resolves: #1955873

Handle-OpenSSL-3-s-providers.patch

@@ -1,4 +1,4 @@
-From 64a276e3485b7066a3c630d018ca44dabeb7b6c7 Mon Sep 17 00:00:00 2001
+From ea62d96f5b1e47818ab9f33ad143c4ffb460b3af Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Sat, 15 May 2021 21:18:06 -0400
 Subject: [PATCH] Handle OpenSSL 3's providers

Handle-SSL_read-changed-behavior-on-server-hangup.patch

@@ -1,4 +1,4 @@
-From f135f51b0ec59d320f79cd961411231084364489 Mon Sep 17 00:00:00 2001
+From a57ebca127a49869296ee2790e28eb37fdd20488 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Wed, 19 May 2021 19:33:34 -0400
 Subject: [PATCH] Handle SSL_read changed behavior on server hangup

Use-OpenSSL-s-KBKDF-and-KRB5KDF-for-deriving-long-te.patch

@@ -1,4 +1,4 @@
-From 454a1a84ad161bd892c5b388edac09322c08cd06 Mon Sep 17 00:00:00 2001
+From d8540c91db499761148ec681eb46a455f0808e22 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Fri, 4 Oct 2019 14:49:29 -0400
 Subject: [PATCH] Use OpenSSL's KBKDF and KRB5KDF for deriving long-term keys
@@ -8,12 +8,13 @@ KRB5KDF (3des and aes-sha1).  We already use OpenSSL's PBKDF2 where
 appropriate.  OpenSSL added support for these KDFs in 3.0.
 
 (cherry picked from commit ef8d11f6fb1232201c9efd2ae2ed567023fb85d2)
+[rharwood@redhat.com: 3des removal]
 ---
- src/lib/crypto/krb/derive.c | 411 ++++++++++++++++++++++++++++--------
+ src/lib/crypto/krb/derive.c | 409 ++++++++++++++++++++++++++++--------
- 1 file changed, 326 insertions(+), 85 deletions(-)
+ 1 file changed, 324 insertions(+), 85 deletions(-)
 
 diff --git a/src/lib/crypto/krb/derive.c b/src/lib/crypto/krb/derive.c
-index 6707a7308..1f07464e0 100644
+index 6707a7308..8e474b38e 100644
 --- a/src/lib/crypto/krb/derive.c
 +++ b/src/lib/crypto/krb/derive.c
 @@ -27,6 +27,12 @@
@@ -29,7 +30,7 @@ index 6707a7308..1f07464e0 100644
  static krb5_key
  find_cached_dkey(struct derived_key *list, const krb5_data *constant)
  {
-@@ -77,55 +83,253 @@ cleanup:
+@@ -77,55 +83,251 @@ cleanup:
      return ENOMEM;
  }
  
@@ -195,8 +196,6 @@ index 6707a7308..1f07464e0 100644
 +        cipher = "AES-128-CBC";
 +    } else if (!memcmp(enc, &krb5int_enc_aes256, sizeof(*enc))) {
 +        cipher = "AES-256-CBC";
-+    } else if (!memcmp(enc, &krb5int_enc_des3, sizeof(*enc))) {
-+        cipher = "DES-EDE3-CBC";
 +    } else {
 +        ret = KRB5_CRYPTO_INTERNAL;
 +        goto done;
@@ -320,7 +319,7 @@ index 6707a7308..1f07464e0 100644
      return ret;
  }
  
-@@ -139,9 +343,9 @@ cleanup:
+@@ -139,9 +341,9 @@ cleanup:
   *   - Four bytes are used to encode the output length in the PRF input.
   */
  static krb5_error_code
@@ -333,7 +332,7 @@ index 6707a7308..1f07464e0 100644
  {
      size_t blocksize, keybytes, n;
      krb5_crypto_iov iov[6];
-@@ -204,56 +408,94 @@ cleanup:
+@@ -204,56 +406,94 @@ cleanup:
      return ret;
  }
  
@@ -471,7 +470,7 @@ index 6707a7308..1f07464e0 100644
  }
  
  krb5_error_code
-@@ -268,8 +510,7 @@ krb5int_derive_random(const struct krb5_enc_provider *enc,
+@@ -268,8 +508,7 @@ krb5int_derive_random(const struct krb5_enc_provider *enc,
      case DERIVE_RFC3961:
          return derive_random_rfc3961(enc, inkey, outrnd, in_constant);
      case DERIVE_SP800_108_CMAC:

krb5.spec

@@ -42,7 +42,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.19.1
-Release: %{?zdpd}4%{?dist}
+Release: %{?zdpd}5%{?dist}
 
 # rharwood has trust path to signing key and verifies on check-in
 Source0: https://web.mit.edu/kerberos/dist/krb5/%{version}/krb5-%{version}%{?dashpre}.tar.gz
@@ -640,6 +640,10 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*
 
 %changelog
+* Thu May 20 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.1-5
+- Fix DES3 mention in KDFs
+- Resolves: #1955873
+
 * Wed May 19 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.1-4
 - Port to OpenSSL 3 (alpha 15)
 - Resolves: #1955873