FIPS-aware SPAKE group negotiation
This commit is contained in:
parent
bf081fdccd
commit
caa2dd1a26
@ -1,202 +0,0 @@
|
||||
Index: krb5-1.8/src/plugins/preauth/pkinit/pkinit_srv.c
|
||||
===================================================================
|
||||
--- krb5-1.8/src/plugins/preauth/pkinit/pkinit_srv.c (revision 24455)
|
||||
+++ krb5-1.8/src/plugins/preauth/pkinit/pkinit_srv.c (working copy)
|
||||
@@ -691,8 +691,7 @@
|
||||
krb5_reply_key_pack *key_pack = NULL;
|
||||
krb5_reply_key_pack_draft9 *key_pack9 = NULL;
|
||||
krb5_data *encoded_key_pack = NULL;
|
||||
- unsigned int num_types;
|
||||
- krb5_cksumtype *cksum_types = NULL;
|
||||
+ krb5_cksumtype cksum_type;
|
||||
|
||||
pkinit_kdc_context plgctx;
|
||||
pkinit_kdc_req_context reqctx;
|
||||
@@ -882,14 +881,25 @@
|
||||
retval = ENOMEM;
|
||||
goto cleanup;
|
||||
}
|
||||
- /* retrieve checksums for a given enctype of the reply key */
|
||||
- retval = krb5_c_keyed_checksum_types(context,
|
||||
- encrypting_key->enctype, &num_types, &cksum_types);
|
||||
- if (retval)
|
||||
- goto cleanup;
|
||||
|
||||
- /* pick the first of acceptable enctypes for the checksum */
|
||||
- retval = krb5_c_make_checksum(context, cksum_types[0],
|
||||
+ switch (encrypting_key->enctype) {
|
||||
+ case ENCTYPE_DES_CBC_MD4:
|
||||
+ cksum_type = CKSUMTYPE_RSA_MD4_DES;
|
||||
+ break;
|
||||
+ case ENCTYPE_DES_CBC_MD5:
|
||||
+ case ENCTYPE_DES_CBC_CRC:
|
||||
+ cksum_type = CKSUMTYPE_RSA_MD5_DES;
|
||||
+ break;
|
||||
+ default:
|
||||
+ retval = krb5int_c_mandatory_cksumtype(context,
|
||||
+ encrypting_key->enctype,
|
||||
+ &cksum_type);
|
||||
+ if (retval)
|
||||
+ goto cleanup;
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ retval = krb5_c_make_checksum(context, cksum_type,
|
||||
encrypting_key, KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM,
|
||||
req_pkt, &key_pack->asChecksum);
|
||||
if (retval) {
|
||||
@@ -1033,7 +1043,6 @@
|
||||
krb5_free_data(context, encoded_key_pack);
|
||||
free(dh_pubkey);
|
||||
free(server_key);
|
||||
- free(cksum_types);
|
||||
|
||||
switch ((int)padata->pa_type) {
|
||||
case KRB5_PADATA_PK_AS_REQ:
|
||||
Index: krb5-1.8/src/lib/crypto/krb/cksumtypes.c
|
||||
===================================================================
|
||||
--- krb5-1.8/src/lib/crypto/krb/cksumtypes.c (revision 24455)
|
||||
+++ krb5-1.8/src/lib/crypto/krb/cksumtypes.c (working copy)
|
||||
@@ -101,7 +101,7 @@
|
||||
|
||||
{ CKSUMTYPE_MD5_HMAC_ARCFOUR,
|
||||
"md5-hmac-rc4", { 0 }, "Microsoft MD5 HMAC",
|
||||
- NULL, &krb5int_hash_md5,
|
||||
+ &krb5int_enc_arcfour, &krb5int_hash_md5,
|
||||
krb5int_hmacmd5_checksum, NULL,
|
||||
16, 16, 0 },
|
||||
};
|
||||
Index: krb5-1.8/src/lib/crypto/krb/keyed_checksum_types.c
|
||||
===================================================================
|
||||
--- krb5-1.8/src/lib/crypto/krb/keyed_checksum_types.c (revision 24455)
|
||||
+++ krb5-1.8/src/lib/crypto/krb/keyed_checksum_types.c (working copy)
|
||||
@@ -35,6 +35,13 @@
|
||||
{
|
||||
if (ctp->flags & CKSUM_UNKEYED)
|
||||
return FALSE;
|
||||
+ /* Stream ciphers do not play well with RFC 3961 key derivation, so be
|
||||
+ * conservative with RC4. */
|
||||
+ if ((ktp->etype == ENCTYPE_ARCFOUR_HMAC ||
|
||||
+ ktp->etype == ENCTYPE_ARCFOUR_HMAC_EXP) &&
|
||||
+ ctp->ctype != CKSUMTYPE_HMAC_MD5_ARCFOUR &&
|
||||
+ ctp->ctype != CKSUMTYPE_MD5_HMAC_ARCFOUR)
|
||||
+ return FALSE;
|
||||
return (!ctp->enc || ktp->enc == ctp->enc);
|
||||
}
|
||||
|
||||
Index: krb5-1.8/src/lib/crypto/krb/dk/derive.c
|
||||
===================================================================
|
||||
--- krb5-1.8/src/lib/crypto/krb/dk/derive.c (revision 24455)
|
||||
+++ krb5-1.8/src/lib/crypto/krb/dk/derive.c (working copy)
|
||||
@@ -91,6 +91,8 @@
|
||||
blocksize = enc->block_size;
|
||||
keybytes = enc->keybytes;
|
||||
|
||||
+ if (blocksize == 1)
|
||||
+ return KRB5_BAD_ENCTYPE;
|
||||
if (inkey->keyblock.length != enc->keylength || outrnd->length != keybytes)
|
||||
return KRB5_CRYPTO_INTERNAL;
|
||||
|
||||
Index: krb5-1.8/src/lib/gssapi/krb5/util_crypt.c
|
||||
===================================================================
|
||||
--- krb5-1.8/src/lib/gssapi/krb5/util_crypt.c (revision 24455)
|
||||
+++ krb5-1.8/src/lib/gssapi/krb5/util_crypt.c (working copy)
|
||||
@@ -119,10 +119,22 @@
|
||||
if (code != 0)
|
||||
return code;
|
||||
|
||||
- code = (*kaccess.mandatory_cksumtype)(context, subkey->keyblock.enctype,
|
||||
- cksumtype);
|
||||
- if (code != 0)
|
||||
- return code;
|
||||
+ switch (subkey->keyblock.enctype) {
|
||||
+ case ENCTYPE_DES_CBC_MD4:
|
||||
+ *cksumtype = CKSUMTYPE_RSA_MD4_DES;
|
||||
+ break;
|
||||
+ case ENCTYPE_DES_CBC_MD5:
|
||||
+ case ENCTYPE_DES_CBC_CRC:
|
||||
+ *cksumtype = CKSUMTYPE_RSA_MD5_DES;
|
||||
+ break;
|
||||
+ default:
|
||||
+ code = (*kaccess.mandatory_cksumtype)(context,
|
||||
+ subkey->keyblock.enctype,
|
||||
+ cksumtype);
|
||||
+ if (code != 0)
|
||||
+ return code;
|
||||
+ break;
|
||||
+ }
|
||||
|
||||
switch (subkey->keyblock.enctype) {
|
||||
case ENCTYPE_DES_CBC_MD5:
|
||||
Index: krb5-1.8/src/lib/krb5/krb/pac.c
|
||||
===================================================================
|
||||
--- krb5-1.8/src/lib/krb5/krb/pac.c (revision 24455)
|
||||
+++ krb5-1.8/src/lib/krb5/krb/pac.c (working copy)
|
||||
@@ -582,6 +582,8 @@
|
||||
checksum.checksum_type = load_32_le(p);
|
||||
checksum.length = checksum_data.length - PAC_SIGNATURE_DATA_LENGTH;
|
||||
checksum.contents = p + PAC_SIGNATURE_DATA_LENGTH;
|
||||
+ if (!krb5_c_is_keyed_cksum(checksum.checksum_type))
|
||||
+ return KRB5KRB_AP_ERR_INAPP_CKSUM;
|
||||
|
||||
pac_data.length = pac->data.length;
|
||||
pac_data.data = malloc(pac->data.length);
|
||||
Index: krb5-1.8/src/lib/krb5/krb/preauth2.c
|
||||
===================================================================
|
||||
--- krb5-1.8/src/lib/krb5/krb/preauth2.c (revision 24455)
|
||||
+++ krb5-1.8/src/lib/krb5/krb/preauth2.c (working copy)
|
||||
@@ -1578,7 +1578,9 @@
|
||||
|
||||
cksum = sc2->sam_cksum;
|
||||
|
||||
- while (*cksum) {
|
||||
+ for (; *cksum; cksum++) {
|
||||
+ if (!krb5_c_is_keyed_cksum((*cksum)->checksum_type))
|
||||
+ continue;
|
||||
/* Check this cksum */
|
||||
retval = krb5_c_verify_checksum(context, as_key,
|
||||
KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM,
|
||||
@@ -1592,7 +1594,6 @@
|
||||
}
|
||||
if (valid_cksum)
|
||||
break;
|
||||
- cksum++;
|
||||
}
|
||||
|
||||
if (!valid_cksum) {
|
||||
Index: krb5-1.8/src/lib/krb5/krb/mk_safe.c
|
||||
===================================================================
|
||||
--- krb5-1.8/src/lib/krb5/krb/mk_safe.c (revision 24455)
|
||||
+++ krb5-1.8/src/lib/krb5/krb/mk_safe.c (working copy)
|
||||
@@ -215,10 +215,28 @@
|
||||
for (i = 0; i < nsumtypes; i++)
|
||||
if (auth_context->safe_cksumtype == sumtypes[i])
|
||||
break;
|
||||
- if (i == nsumtypes)
|
||||
- i = 0;
|
||||
- sumtype = sumtypes[i];
|
||||
krb5_free_cksumtypes (context, sumtypes);
|
||||
+ if (i < nsumtypes)
|
||||
+ sumtype = auth_context->safe_cksumtype;
|
||||
+ else {
|
||||
+ switch (enctype) {
|
||||
+ case ENCTYPE_DES_CBC_MD4:
|
||||
+ sumtype = CKSUMTYPE_RSA_MD4_DES;
|
||||
+ break;
|
||||
+ case ENCTYPE_DES_CBC_MD5:
|
||||
+ case ENCTYPE_DES_CBC_CRC:
|
||||
+ sumtype = CKSUMTYPE_RSA_MD5_DES;
|
||||
+ break;
|
||||
+ default:
|
||||
+ retval = krb5int_c_mandatory_cksumtype(context, enctype,
|
||||
+ &sumtype);
|
||||
+ if (retval) {
|
||||
+ CLEANUP_DONE();
|
||||
+ goto error;
|
||||
+ }
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
}
|
||||
if ((retval = krb5_mk_safe_basic(context, userdata, key, &replaydata,
|
||||
plocal_fulladdr, premote_fulladdr,
|
@ -1,4 +1,4 @@
|
||||
From 71c582c1490d128ed0ee1c817ecb15ed425aca46 Mon Sep 17 00:00:00 2001
|
||||
From 15d1cbd15d4ea8113fc5dd7bc446ca2b99ab4085 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 15 Jan 2019 16:16:57 -0500
|
||||
Subject: [PATCH] Add function and enctype flag for deprecations
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 5ecbe8d3ab4f53c0923a0442273bf18a9ff04fd5 Mon Sep 17 00:00:00 2001
|
||||
From e863c1e068775d066241edacff2bdb50cf1be27c Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Thu, 22 Nov 2018 00:27:35 -0500
|
||||
Subject: [PATCH] Add tests for KCM ccache type
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 1dfff7202448a950c9133cdfe43d650092d930fd Mon Sep 17 00:00:00 2001
|
||||
From d3690641a5eecf8ee031053bdedbaa4e249cc771 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Sun, 30 Dec 2018 16:40:28 -0500
|
||||
Subject: [PATCH] Address some optimized-out memset() calls
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 623414ccbb47eb6c334d838aa9023f16f0df5322 Mon Sep 17 00:00:00 2001
|
||||
From d8cba3893687a3976569fef97c1614b9b51ad573 Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schneider <asn@samba.org>
|
||||
Date: Thu, 3 Jan 2019 17:19:32 +0100
|
||||
Subject: [PATCH] Avoid allocating a register in zap() assembly
|
||||
|
@ -1,7 +1,7 @@
|
||||
From d8db85101c535a32937136118561aeb5646d2136 Mon Sep 17 00:00:00 2001
|
||||
From 9f5fbf191d74cae9b28d318fff4c80d3d3e49c86 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Fri, 9 Nov 2018 15:12:21 -0500
|
||||
Subject: [PATCH] Become FIPS-aware
|
||||
Subject: [PATCH] Become FIPS-aware (with 3DES)
|
||||
|
||||
A lot of the FIPS error conditions from OpenSSL are incredibly
|
||||
mysterious (at best, things return NULL unexpectedly; at worst,
|
||||
@ -10,17 +10,16 @@ ENOMEM). In order to cope with this, we need to have some level of
|
||||
awareness of what we can and can't safely call.
|
||||
|
||||
This will slow down some calls slightly (FIPS_mode() takes multiple
|
||||
locks), but not for any crypto we care about - AES is fine, for
|
||||
instance.
|
||||
|
||||
(cherry picked from commit ce06474e3b12430480374f923c25bae9581fb146)
|
||||
locks), but not for any crypto we care about - which is to say that
|
||||
AES is fine.
|
||||
---
|
||||
src/lib/crypto/openssl/enc_provider/camellia.c | 6 ++++++
|
||||
src/lib/crypto/openssl/enc_provider/des.c | 9 +++++++++
|
||||
src/lib/crypto/openssl/enc_provider/des3.c | 6 ++++++
|
||||
src/lib/crypto/openssl/enc_provider/rc4.c | 13 ++++++++++++-
|
||||
src/lib/crypto/openssl/hash_provider/hash_evp.c | 4 ++++
|
||||
src/lib/crypto/openssl/hmac.c | 6 +++++-
|
||||
5 files changed, 36 insertions(+), 2 deletions(-)
|
||||
6 files changed, 42 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/lib/crypto/openssl/enc_provider/camellia.c b/src/lib/crypto/openssl/enc_provider/camellia.c
|
||||
index 2da691329..f79679a0b 100644
|
||||
@ -80,6 +79,30 @@ index a662db512..7d17d287e 100644
|
||||
ret = validate(key, ivec, data, num_data, &empty);
|
||||
if (ret != 0)
|
||||
return ret;
|
||||
diff --git a/src/lib/crypto/openssl/enc_provider/des3.c b/src/lib/crypto/openssl/enc_provider/des3.c
|
||||
index 1c439c2cd..8be555a8d 100644
|
||||
--- a/src/lib/crypto/openssl/enc_provider/des3.c
|
||||
+++ b/src/lib/crypto/openssl/enc_provider/des3.c
|
||||
@@ -84,6 +84,9 @@ k5_des3_encrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
|
||||
EVP_CIPHER_CTX *ctx;
|
||||
krb5_boolean empty;
|
||||
|
||||
+ if (FIPS_mode())
|
||||
+ return KRB5_CRYPTO_INTERNAL;
|
||||
+
|
||||
ret = validate(key, ivec, data, num_data, &empty);
|
||||
if (ret != 0 || empty)
|
||||
return ret;
|
||||
@@ -133,6 +136,9 @@ k5_des3_decrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
|
||||
EVP_CIPHER_CTX *ctx;
|
||||
krb5_boolean empty;
|
||||
|
||||
+ if (FIPS_mode())
|
||||
+ return KRB5_CRYPTO_INTERNAL;
|
||||
+
|
||||
ret = validate(key, ivec, data, num_data, &empty);
|
||||
if (ret != 0 || empty)
|
||||
return ret;
|
||||
diff --git a/src/lib/crypto/openssl/enc_provider/rc4.c b/src/lib/crypto/openssl/enc_provider/rc4.c
|
||||
index 7f3c086ed..a3f2a7442 100644
|
||||
--- a/src/lib/crypto/openssl/enc_provider/rc4.c
|
42
FIPS-aware-SPAKE-group-negotiation.patch
Normal file
42
FIPS-aware-SPAKE-group-negotiation.patch
Normal file
@ -0,0 +1,42 @@
|
||||
From 59269fca96168aa89dc32834d188a54eea8953ac Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Mon, 1 Apr 2019 13:13:09 -0400
|
||||
Subject: [PATCH] FIPS-aware SPAKE group negotiation
|
||||
|
||||
---
|
||||
src/plugins/preauth/spake/groups.c | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/src/plugins/preauth/spake/groups.c b/src/plugins/preauth/spake/groups.c
|
||||
index a195cc195..8a913cb5a 100644
|
||||
--- a/src/plugins/preauth/spake/groups.c
|
||||
+++ b/src/plugins/preauth/spake/groups.c
|
||||
@@ -56,6 +56,8 @@
|
||||
#include "trace.h"
|
||||
#include "groups.h"
|
||||
|
||||
+#include <openssl/crypto.h>
|
||||
+
|
||||
#define DEFAULT_GROUPS_CLIENT "edwards25519"
|
||||
#define DEFAULT_GROUPS_KDC ""
|
||||
|
||||
@@ -102,6 +104,9 @@ find_gdef(int32_t group)
|
||||
{
|
||||
size_t i;
|
||||
|
||||
+ if (group == builtin_edwards25519.reg->id && FIPS_mode())
|
||||
+ return NULL;
|
||||
+
|
||||
for (i = 0; groupdefs[i] != NULL; i++) {
|
||||
if (groupdefs[i]->reg->id == group)
|
||||
return groupdefs[i];
|
||||
@@ -116,6 +121,9 @@ find_gnum(const char *name)
|
||||
{
|
||||
size_t i;
|
||||
|
||||
+ if (strcasecmp(name, builtin_edwards25519.reg->name) == 0 && FIPS_mode())
|
||||
+ return 0;
|
||||
+
|
||||
for (i = 0; groupdefs[i] != NULL; i++) {
|
||||
if (strcasecmp(name, groupdefs[i]->reg->name) == 0)
|
||||
return groupdefs[i]->reg->id;
|
@ -1,4 +1,4 @@
|
||||
From ff79351c4755d6df7c3245274708454311c25731 Mon Sep 17 00:00:00 2001
|
||||
From 472131596213337ae01b792aef2fb2580738a1df Mon Sep 17 00:00:00 2001
|
||||
From: Corene Casper <C.Casper@Dell.com>
|
||||
Date: Sat, 16 Feb 2019 00:49:26 -0500
|
||||
Subject: [PATCH] Fix memory leak in 'none' replay cache type
|
||||
|
@ -1,4 +1,4 @@
|
||||
From e44494c87ea3086b824e972df5566cedf5ad7e15 Mon Sep 17 00:00:00 2001
|
||||
From 1382f982a18aec4bc14780b175638d44969ac1d2 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 31 Jul 2018 13:47:26 -0400
|
||||
Subject: [PATCH] In FIPS mode, add plaintext fallback for RC4 usages and taint
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 5331faee19a97508f1089f113ecaee852e73c83c Mon Sep 17 00:00:00 2001
|
||||
From 220762a0bdc5151a0d4a25bc7e56251ef351b560 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 15 Jan 2019 13:41:16 -0500
|
||||
Subject: [PATCH] In kpropd, debug-log proper ticket enctype names
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 8ca2006679539a7675c94148ff338a178d7689eb Mon Sep 17 00:00:00 2001
|
||||
From 28528d8169d9af3830b3a162c525a8e1a71f05f4 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Mon, 14 Jan 2019 17:14:42 -0500
|
||||
Subject: [PATCH] In rd_req_dec, always log non-permitted enctypes
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 809ecc10090688d78fc45d611c58db15aae053ad Mon Sep 17 00:00:00 2001
|
||||
From d32d0cfbbe1386b2cf9b31682df4c35ccc029bda Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 8 Jan 2019 17:42:35 -0500
|
||||
Subject: [PATCH] Make etype names in KDC logs human-readable
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 2af719291eb4344ee9e87b883390433539d59ada Mon Sep 17 00:00:00 2001
|
||||
From 0f4d9265c808a1e78fb90b54d39e58f3f89e672f Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Thu, 10 Jan 2019 16:34:54 -0500
|
||||
Subject: [PATCH] Mark deprecated enctypes when used
|
||||
|
@ -1,4 +1,4 @@
|
||||
From e2a0e04fb3be9297a8c532dd35a7c1045cae88f4 Mon Sep 17 00:00:00 2001
|
||||
From 8bdcbe143adc71918bd6e5f2e075df6b8e31267a Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Thu, 14 Feb 2019 11:50:35 -0500
|
||||
Subject: [PATCH] Properly size #ifdef in k5_cccol_lock()
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 31277d79675a76612015ea00d420b41b9a232d5a Mon Sep 17 00:00:00 2001
|
||||
From 9724b7f409410a7c3cc0330089009d7b9aa92ae6 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Fri, 4 Jan 2019 17:00:15 -0500
|
||||
Subject: [PATCH] Use openssl's PRNG in FIPS mode
|
||||
|
@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
|
||||
Name: krb5
|
||||
Version: 1.17
|
||||
# for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
|
||||
Release: 6%{?dist}
|
||||
Release: 7%{?dist}
|
||||
|
||||
# lookaside-cached sources; two downloads and a build artifact
|
||||
Source0: https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}%{prerelease}.tar.gz
|
||||
@ -60,7 +60,6 @@ Patch33: krb5-1.13-dirsrv-accountlock.patch
|
||||
Patch34: krb5-1.9-debuginfo.patch
|
||||
Patch35: krb5-1.11-run_user_0.patch
|
||||
Patch36: krb5-1.11-kpasswdtest.patch
|
||||
Patch88: Become-FIPS-aware.patch
|
||||
Patch89: In-FIPS-mode-add-plaintext-fallback-for-RC4-usages-a.patch
|
||||
Patch90: Add-tests-for-KCM-ccache-type.patch
|
||||
Patch92: Address-some-optimized-out-memset-calls.patch
|
||||
@ -73,6 +72,8 @@ Patch98: Make-etype-names-in-KDC-logs-human-readable.patch
|
||||
Patch99: Mark-deprecated-enctypes-when-used.patch
|
||||
Patch100: Properly-size-ifdef-in-k5_cccol_lock.patch
|
||||
Patch101: Fix-memory-leak-in-none-replay-cache-type.patch
|
||||
Patch102: Become-FIPS-aware-with-3DES.patch
|
||||
Patch103: FIPS-aware-SPAKE-group-negotiation.patch
|
||||
|
||||
License: MIT
|
||||
URL: http://web.mit.edu/kerberos/www/
|
||||
@ -712,6 +713,9 @@ exit 0
|
||||
%{_libdir}/libkadm5srv_mit.so.*
|
||||
|
||||
%changelog
|
||||
* Mon Apr 01 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-7
|
||||
- FIPS-aware SPAKE group negotiation
|
||||
|
||||
* Mon Feb 25 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-6
|
||||
- Fix memory leak in 'none' replay cache type
|
||||
- Silence a coverity warning while we're here.
|
||||
|
Loading…
Reference in New Issue
Block a user