From caa2dd1a263f12a2d3ddd369380118d25ef3fc02 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Mon, 1 Apr 2019 13:13:49 -0400 Subject: [PATCH] FIPS-aware SPAKE group negotiation --- 2010-007-patch.txt | 202 ------------------ ...on-and-enctype-flag-for-deprecations.patch | 2 +- Add-tests-for-KCM-ccache-type.patch | 2 +- Address-some-optimized-out-memset-calls.patch | 2 +- ...llocating-a-register-in-zap-assembly.patch | 2 +- ...patch => Become-FIPS-aware-with-3DES.patch | 37 +++- FIPS-aware-SPAKE-group-negotiation.patch | 42 ++++ ...emory-leak-in-none-replay-cache-type.patch | 2 +- ...-plaintext-fallback-for-RC4-usages-a.patch | 2 +- ...ebug-log-proper-ticket-enctype-names.patch | 2 +- ...ec-always-log-non-permitted-enctypes.patch | 2 +- ...ype-names-in-KDC-logs-human-readable.patch | 2 +- Mark-deprecated-enctypes-when-used.patch | 2 +- Properly-size-ifdef-in-k5_cccol_lock.patch | 2 +- Use-openssl-s-PRNG-in-FIPS-mode.patch | 2 +- krb5.spec | 8 +- 16 files changed, 90 insertions(+), 223 deletions(-) delete mode 100644 2010-007-patch.txt rename Become-FIPS-aware.patch => Become-FIPS-aware-with-3DES.patch (82%) create mode 100644 FIPS-aware-SPAKE-group-negotiation.patch diff --git a/2010-007-patch.txt b/2010-007-patch.txt deleted file mode 100644 index b1c3793..0000000 --- a/2010-007-patch.txt +++ /dev/null 
@@ -1,202 +0,0 @@ -Index: krb5-1.8/src/plugins/preauth/pkinit/pkinit_srv.c -=================================================================== ---- krb5-1.8/src/plugins/preauth/pkinit/pkinit_srv.c (revision 24455) -+++ krb5-1.8/src/plugins/preauth/pkinit/pkinit_srv.c (working copy) -@@ -691,8 +691,7 @@ - krb5_reply_key_pack *key_pack = NULL; - krb5_reply_key_pack_draft9 *key_pack9 = NULL; - krb5_data *encoded_key_pack = NULL; -- unsigned int num_types; -- krb5_cksumtype *cksum_types = NULL; -+ krb5_cksumtype cksum_type; - - pkinit_kdc_context plgctx; - pkinit_kdc_req_context reqctx; -@@ -882,14 +881,25 @@ - retval = ENOMEM; - goto cleanup; - } -- /* retrieve checksums for a given enctype of the reply key */ -- retval = krb5_c_keyed_checksum_types(context, -- encrypting_key->enctype, &num_types, &cksum_types); -- if (retval) -- goto cleanup; - -- /* pick the first of acceptable enctypes for the checksum */ -- retval = krb5_c_make_checksum(context, cksum_types[0], -+ switch (encrypting_key->enctype) { -+ case ENCTYPE_DES_CBC_MD4: -+ cksum_type = CKSUMTYPE_RSA_MD4_DES; -+ break; -+ case ENCTYPE_DES_CBC_MD5: -+ case ENCTYPE_DES_CBC_CRC: -+ cksum_type = CKSUMTYPE_RSA_MD5_DES; -+ break; -+ default: -+ retval = krb5int_c_mandatory_cksumtype(context, -+ encrypting_key->enctype, -+ &cksum_type); -+ if (retval) -+ goto cleanup; -+ break; -+ } -+ -+ retval = krb5_c_make_checksum(context, cksum_type, - encrypting_key, KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM, - req_pkt, &key_pack->asChecksum); - if (retval) { -@@ -1033,7 +1043,6 @@ - krb5_free_data(context, encoded_key_pack); - free(dh_pubkey); - free(server_key); -- free(cksum_types); - - switch ((int)padata->pa_type) { - case KRB5_PADATA_PK_AS_REQ: -Index: krb5-1.8/src/lib/crypto/krb/cksumtypes.c -=================================================================== ---- krb5-1.8/src/lib/crypto/krb/cksumtypes.c (revision 24455) -+++ krb5-1.8/src/lib/crypto/krb/cksumtypes.c (working copy) -@@ -101,7 +101,7 @@ - - { 
CKSUMTYPE_MD5_HMAC_ARCFOUR, - "md5-hmac-rc4", { 0 }, "Microsoft MD5 HMAC", -- NULL, &krb5int_hash_md5, -+ &krb5int_enc_arcfour, &krb5int_hash_md5, - krb5int_hmacmd5_checksum, NULL, - 16, 16, 0 }, - }; -Index: krb5-1.8/src/lib/crypto/krb/keyed_checksum_types.c -=================================================================== ---- krb5-1.8/src/lib/crypto/krb/keyed_checksum_types.c (revision 24455) -+++ krb5-1.8/src/lib/crypto/krb/keyed_checksum_types.c (working copy) -@@ -35,6 +35,13 @@ - { - if (ctp->flags & CKSUM_UNKEYED) - return FALSE; -+ /* Stream ciphers do not play well with RFC 3961 key derivation, so be -+ * conservative with RC4. */ -+ if ((ktp->etype == ENCTYPE_ARCFOUR_HMAC || -+ ktp->etype == ENCTYPE_ARCFOUR_HMAC_EXP) && -+ ctp->ctype != CKSUMTYPE_HMAC_MD5_ARCFOUR && -+ ctp->ctype != CKSUMTYPE_MD5_HMAC_ARCFOUR) -+ return FALSE; - return (!ctp->enc || ktp->enc == ctp->enc); - } - -Index: krb5-1.8/src/lib/crypto/krb/dk/derive.c -=================================================================== ---- krb5-1.8/src/lib/crypto/krb/dk/derive.c (revision 24455) -+++ krb5-1.8/src/lib/crypto/krb/dk/derive.c (working copy) -@@ -91,6 +91,8 @@ - blocksize = enc->block_size; - keybytes = enc->keybytes; - -+ if (blocksize == 1) -+ return KRB5_BAD_ENCTYPE; - if (inkey->keyblock.length != enc->keylength || outrnd->length != keybytes) - return KRB5_CRYPTO_INTERNAL; - -Index: krb5-1.8/src/lib/gssapi/krb5/util_crypt.c -=================================================================== ---- krb5-1.8/src/lib/gssapi/krb5/util_crypt.c (revision 24455) -+++ krb5-1.8/src/lib/gssapi/krb5/util_crypt.c (working copy) -@@ -119,10 +119,22 @@ - if (code != 0) - return code; - -- code = (*kaccess.mandatory_cksumtype)(context, subkey->keyblock.enctype, -- cksumtype); -- if (code != 0) -- return code; -+ switch (subkey->keyblock.enctype) { -+ case ENCTYPE_DES_CBC_MD4: -+ *cksumtype = CKSUMTYPE_RSA_MD4_DES; -+ break; -+ case ENCTYPE_DES_CBC_MD5: -+ case ENCTYPE_DES_CBC_CRC: -+ 
*cksumtype = CKSUMTYPE_RSA_MD5_DES; -+ break; -+ default: -+ code = (*kaccess.mandatory_cksumtype)(context, -+ subkey->keyblock.enctype, -+ cksumtype); -+ if (code != 0) -+ return code; -+ break; -+ } - - switch (subkey->keyblock.enctype) { - case ENCTYPE_DES_CBC_MD5: -Index: krb5-1.8/src/lib/krb5/krb/pac.c -=================================================================== ---- krb5-1.8/src/lib/krb5/krb/pac.c (revision 24455) -+++ krb5-1.8/src/lib/krb5/krb/pac.c (working copy) -@@ -582,6 +582,8 @@ - checksum.checksum_type = load_32_le(p); - checksum.length = checksum_data.length - PAC_SIGNATURE_DATA_LENGTH; - checksum.contents = p + PAC_SIGNATURE_DATA_LENGTH; -+ if (!krb5_c_is_keyed_cksum(checksum.checksum_type)) -+ return KRB5KRB_AP_ERR_INAPP_CKSUM; - - pac_data.length = pac->data.length; - pac_data.data = malloc(pac->data.length); -Index: krb5-1.8/src/lib/krb5/krb/preauth2.c -=================================================================== ---- krb5-1.8/src/lib/krb5/krb/preauth2.c (revision 24455) -+++ krb5-1.8/src/lib/krb5/krb/preauth2.c (working copy) -@@ -1578,7 +1578,9 @@ - - cksum = sc2->sam_cksum; - -- while (*cksum) { -+ for (; *cksum; cksum++) { -+ if (!krb5_c_is_keyed_cksum((*cksum)->checksum_type)) -+ continue; - /* Check this cksum */ - retval = krb5_c_verify_checksum(context, as_key, - KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM, -@@ -1592,7 +1594,6 @@ - } - if (valid_cksum) - break; -- cksum++; - } - - if (!valid_cksum) { -Index: krb5-1.8/src/lib/krb5/krb/mk_safe.c -=================================================================== ---- krb5-1.8/src/lib/krb5/krb/mk_safe.c (revision 24455) -+++ krb5-1.8/src/lib/krb5/krb/mk_safe.c (working copy) -@@ -215,10 +215,28 @@ - for (i = 0; i < nsumtypes; i++) - if (auth_context->safe_cksumtype == sumtypes[i]) - break; -- if (i == nsumtypes) -- i = 0; -- sumtype = sumtypes[i]; - krb5_free_cksumtypes (context, sumtypes); -+ if (i < nsumtypes) -+ sumtype = auth_context->safe_cksumtype; -+ else { -+ switch 
(enctype) { -+ case ENCTYPE_DES_CBC_MD4: -+ sumtype = CKSUMTYPE_RSA_MD4_DES; -+ break; -+ case ENCTYPE_DES_CBC_MD5: -+ case ENCTYPE_DES_CBC_CRC: -+ sumtype = CKSUMTYPE_RSA_MD5_DES; -+ break; -+ default: -+ retval = krb5int_c_mandatory_cksumtype(context, enctype, -+ &sumtype); -+ if (retval) { -+ CLEANUP_DONE(); -+ goto error; -+ } -+ break; -+ } -+ } - } - if ((retval = krb5_mk_safe_basic(context, userdata, key, &replaydata, - plocal_fulladdr, premote_fulladdr, diff --git a/Add-function-and-enctype-flag-for-deprecations.patch b/Add-function-and-enctype-flag-for-deprecations.patch index b4462c5..687eba4 100644 --- a/Add-function-and-enctype-flag-for-deprecations.patch +++ b/Add-function-and-enctype-flag-for-deprecations.patch @@ -1,4 +1,4 @@ -From 71c582c1490d128ed0ee1c817ecb15ed425aca46 Mon Sep 17 00:00:00 2001 +From 15d1cbd15d4ea8113fc5dd7bc446ca2b99ab4085 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 15 Jan 2019 16:16:57 -0500 Subject: [PATCH] Add function and enctype flag for deprecations diff --git a/Add-tests-for-KCM-ccache-type.patch b/Add-tests-for-KCM-ccache-type.patch index 3cc9e70..177a042 100644 --- a/Add-tests-for-KCM-ccache-type.patch +++ b/Add-tests-for-KCM-ccache-type.patch @@ -1,4 +1,4 @@ -From 5ecbe8d3ab4f53c0923a0442273bf18a9ff04fd5 Mon Sep 17 00:00:00 2001 +From e863c1e068775d066241edacff2bdb50cf1be27c Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Thu, 22 Nov 2018 00:27:35 -0500 Subject: [PATCH] Add tests for KCM ccache type diff --git a/Address-some-optimized-out-memset-calls.patch b/Address-some-optimized-out-memset-calls.patch index 6e260ad..60cd6a0 100644 --- a/Address-some-optimized-out-memset-calls.patch +++ b/Address-some-optimized-out-memset-calls.patch @@ -1,4 +1,4 @@ -From 1dfff7202448a950c9133cdfe43d650092d930fd Mon Sep 17 00:00:00 2001 +From d3690641a5eecf8ee031053bdedbaa4e249cc771 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Sun, 30 Dec 2018 16:40:28 -0500 Subject: [PATCH] Address some optimized-out memset() calls 
diff --git a/Avoid-allocating-a-register-in-zap-assembly.patch b/Avoid-allocating-a-register-in-zap-assembly.patch index 6673530..3406b63 100644 --- a/Avoid-allocating-a-register-in-zap-assembly.patch +++ b/Avoid-allocating-a-register-in-zap-assembly.patch @@ -1,4 +1,4 @@ -From 623414ccbb47eb6c334d838aa9023f16f0df5322 Mon Sep 17 00:00:00 2001 +From d8cba3893687a3976569fef97c1614b9b51ad573 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Thu, 3 Jan 2019 17:19:32 +0100 Subject: [PATCH] Avoid allocating a register in zap() assembly diff --git a/Become-FIPS-aware.patch b/Become-FIPS-aware-with-3DES.patch similarity index 82% rename from Become-FIPS-aware.patch rename to Become-FIPS-aware-with-3DES.patch index 4011e25..8bf76c1 100644 --- a/Become-FIPS-aware.patch +++ b/Become-FIPS-aware-with-3DES.patch @@ -1,7 +1,7 @@ -From d8db85101c535a32937136118561aeb5646d2136 Mon Sep 17 00:00:00 2001 +From 9f5fbf191d74cae9b28d318fff4c80d3d3e49c86 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Fri, 9 Nov 2018 15:12:21 -0500 -Subject: [PATCH] Become FIPS-aware +Subject: [PATCH] Become FIPS-aware (with 3DES) A lot of the FIPS error conditions from OpenSSL are incredibly mysterious (at best, things return NULL unexpectedly; at worst, 
@@ -10,17 +10,16 @@ ENOMEM). In order to cope with this, we need to have some level of awareness of what we can and can't safely call. This will slow down some calls slightly (FIPS_mode() takes multiple -locks), but not for any crypto we care about - AES is fine, for -instance. - -(cherry picked from commit ce06474e3b12430480374f923c25bae9581fb146) +locks), but not for any crypto we care about - which is to say that +AES is fine. --- src/lib/crypto/openssl/enc_provider/camellia.c | 6 ++++++ src/lib/crypto/openssl/enc_provider/des.c | 9 +++++++++ + src/lib/crypto/openssl/enc_provider/des3.c | 6 ++++++ src/lib/crypto/openssl/enc_provider/rc4.c | 13 ++++++++++++- src/lib/crypto/openssl/hash_provider/hash_evp.c | 4 ++++ src/lib/crypto/openssl/hmac.c | 6 +++++- - 5 files changed, 36 insertions(+), 2 deletions(-) + 6 files changed, 42 insertions(+), 2 deletions(-) diff --git a/src/lib/crypto/openssl/enc_provider/camellia.c b/src/lib/crypto/openssl/enc_provider/camellia.c index 2da691329..f79679a0b 100644 @@ -80,6 +79,30 @@ index a662db512..7d17d287e 100644 ret = validate(key, ivec, data, num_data, &empty); if (ret != 0) return ret; +diff --git a/src/lib/crypto/openssl/enc_provider/des3.c b/src/lib/crypto/openssl/enc_provider/des3.c +index 1c439c2cd..8be555a8d 100644 +--- a/src/lib/crypto/openssl/enc_provider/des3.c ++++ b/src/lib/crypto/openssl/enc_provider/des3.c +@@ -84,6 +84,9 @@ k5_des3_encrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data, + EVP_CIPHER_CTX *ctx; + krb5_boolean empty; + ++ if (FIPS_mode()) ++ return KRB5_CRYPTO_INTERNAL; ++ + ret = validate(key, ivec, data, num_data, &empty); + if (ret != 0 || empty) + return ret; +@@ -133,6 +136,9 @@ k5_des3_decrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data, + EVP_CIPHER_CTX *ctx; + krb5_boolean empty; + ++ if (FIPS_mode()) ++ return KRB5_CRYPTO_INTERNAL; ++ + ret = validate(key, ivec, data, num_data, &empty); + if (ret != 0 || empty) + return ret; 
diff --git a/src/lib/crypto/openssl/enc_provider/rc4.c b/src/lib/crypto/openssl/enc_provider/rc4.c index 7f3c086ed..a3f2a7442 100644 --- a/src/lib/crypto/openssl/enc_provider/rc4.c diff --git a/FIPS-aware-SPAKE-group-negotiation.patch b/FIPS-aware-SPAKE-group-negotiation.patch new file mode 100644 index 0000000..6017f4b --- /dev/null +++ b/FIPS-aware-SPAKE-group-negotiation.patch @@ -0,0 +1,42 @@ +From 59269fca96168aa89dc32834d188a54eea8953ac Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Mon, 1 Apr 2019 13:13:09 -0400 +Subject: [PATCH] FIPS-aware SPAKE group negotiation + +--- + src/plugins/preauth/spake/groups.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/src/plugins/preauth/spake/groups.c b/src/plugins/preauth/spake/groups.c +index a195cc195..8a913cb5a 100644 +--- a/src/plugins/preauth/spake/groups.c ++++ b/src/plugins/preauth/spake/groups.c +@@ -56,6 +56,8 @@ + #include "trace.h" + #include "groups.h" + ++#include ++ + #define DEFAULT_GROUPS_CLIENT "edwards25519" + #define DEFAULT_GROUPS_KDC "" + +@@ -102,6 +104,9 @@ find_gdef(int32_t group) + { + size_t i; + ++ if (group == builtin_edwards25519.reg->id && FIPS_mode()) ++ return NULL; ++ + for (i = 0; groupdefs[i] != NULL; i++) { + if (groupdefs[i]->reg->id == group) + return groupdefs[i]; +@@ -116,6 +121,9 @@ find_gnum(const char *name) + { + size_t i; + ++ if (strcasecmp(name, builtin_edwards25519.reg->name) == 0 && FIPS_mode()) ++ return 0; ++ + for (i = 0; groupdefs[i] != NULL; i++) { + if (strcasecmp(name, groupdefs[i]->reg->name) == 0) + return groupdefs[i]->reg->id; diff --git a/Fix-memory-leak-in-none-replay-cache-type.patch b/Fix-memory-leak-in-none-replay-cache-type.patch index c093c4a..8141247 100644 --- a/Fix-memory-leak-in-none-replay-cache-type.patch +++ b/Fix-memory-leak-in-none-replay-cache-type.patch @@ -1,4 +1,4 @@ -From ff79351c4755d6df7c3245274708454311c25731 Mon Sep 17 00:00:00 2001 +From 472131596213337ae01b792aef2fb2580738a1df Mon Sep 17 00:00:00 2001 
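Review bot: The new guard `if (FIPS_mode()) return KRB5_CRYPTO_INTERNAL;` at the top of k5_des3_encrypt and k5_des3_decrypt reports a deliberate policy refusal with a generic internal-error code, so a caller or an operator reading the error cannot tell that 3DES was rejected because the host is in FIPS mode. I would put a comment above each guard, for example `/* 3DES is refused in FIPS mode; fail closed before calling into OpenSSL. */`. A more specific return code may fit better, unless the other providers touched by this patch (not visible in this hunk) return the same value for consistency. Because the guard runs before validate(), the empty-input case that used to return validate()'s result now fails too in FIPS mode, which is worth noting in that comment. Both function bodies continue outside the hunk.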
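Review bot: In find_gnum the FIPS branch returns 0 for edwards25519, which looks like the same value the function gives for an unrecognised group name (the end of the function is outside the hunk), while the context line `#define DEFAULT_GROUPS_CLIENT "edwards25519"` is left unchanged. On a FIPS host the default client group list therefore probably resolves to no usable group, with nothing in the trace output to explain it. If that is intended, document it next to both checks, for example `/* builtin edwards25519 is not offered in FIPS mode; treat it as an unknown group */`, and emit a trace message when a group is dropped for this reason. The checks in find_gdef and find_gnum also hard-code builtin_edwards25519 instead of flagging the group definition, so another non-approved group would need the same edit in two places. FIPS_mode() is called unconditionally, which assumes this plugin is always built against OpenSSL.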
From: Corene Casper Date: Sat, 16 Feb 2019 00:49:26 -0500 Subject: [PATCH] Fix memory leak in 'none' replay cache type diff --git a/In-FIPS-mode-add-plaintext-fallback-for-RC4-usages-a.patch b/In-FIPS-mode-add-plaintext-fallback-for-RC4-usages-a.patch index a24904f..99acb66 100644 --- a/In-FIPS-mode-add-plaintext-fallback-for-RC4-usages-a.patch +++ b/In-FIPS-mode-add-plaintext-fallback-for-RC4-usages-a.patch @@ -1,4 +1,4 @@ -From e44494c87ea3086b824e972df5566cedf5ad7e15 Mon Sep 17 00:00:00 2001 +From 1382f982a18aec4bc14780b175638d44969ac1d2 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 31 Jul 2018 13:47:26 -0400 Subject: [PATCH] In FIPS mode, add plaintext fallback for RC4 usages and taint diff --git a/In-kpropd-debug-log-proper-ticket-enctype-names.patch b/In-kpropd-debug-log-proper-ticket-enctype-names.patch index 0df245e..1450698 100644 --- a/In-kpropd-debug-log-proper-ticket-enctype-names.patch +++ b/In-kpropd-debug-log-proper-ticket-enctype-names.patch @@ -1,4 +1,4 @@ -From 5331faee19a97508f1089f113ecaee852e73c83c Mon Sep 17 00:00:00 2001 +From 220762a0bdc5151a0d4a25bc7e56251ef351b560 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 15 Jan 2019 13:41:16 -0500 Subject: [PATCH] In kpropd, debug-log proper ticket enctype names diff --git a/In-rd_req_dec-always-log-non-permitted-enctypes.patch b/In-rd_req_dec-always-log-non-permitted-enctypes.patch index e84e0d0..b36321a 100644 --- a/In-rd_req_dec-always-log-non-permitted-enctypes.patch +++ b/In-rd_req_dec-always-log-non-permitted-enctypes.patch @@ -1,4 +1,4 @@ -From 8ca2006679539a7675c94148ff338a178d7689eb Mon Sep 17 00:00:00 2001 +From 28528d8169d9af3830b3a162c525a8e1a71f05f4 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Mon, 14 Jan 2019 17:14:42 -0500 Subject: [PATCH] In rd_req_dec, always log non-permitted enctypes diff --git a/Make-etype-names-in-KDC-logs-human-readable.patch b/Make-etype-names-in-KDC-logs-human-readable.patch index f596034..9915f69 100644 
--- a/Make-etype-names-in-KDC-logs-human-readable.patch
+++ b/Make-etype-names-in-KDC-logs-human-readable.patch
@@ -1,4 +1,4 @@
-From 809ecc10090688d78fc45d611c58db15aae053ad Mon Sep 17 00:00:00 2001
+From d32d0cfbbe1386b2cf9b31682df4c35ccc029bda Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Tue, 8 Jan 2019 17:42:35 -0500
 Subject: [PATCH] Make etype names in KDC logs human-readable
diff --git a/Mark-deprecated-enctypes-when-used.patch b/Mark-deprecated-enctypes-when-used.patch
index c797d05..6faf378 100644
--- a/Mark-deprecated-enctypes-when-used.patch
+++ b/Mark-deprecated-enctypes-when-used.patch
@@ -1,4 +1,4 @@
-From 2af719291eb4344ee9e87b883390433539d59ada Mon Sep 17 00:00:00 2001
+From 0f4d9265c808a1e78fb90b54d39e58f3f89e672f Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Thu, 10 Jan 2019 16:34:54 -0500
 Subject: [PATCH] Mark deprecated enctypes when used
diff --git a/Properly-size-ifdef-in-k5_cccol_lock.patch b/Properly-size-ifdef-in-k5_cccol_lock.patch
index 5e6bac8..23fb478 100644
--- a/Properly-size-ifdef-in-k5_cccol_lock.patch
+++ b/Properly-size-ifdef-in-k5_cccol_lock.patch
@@ -1,4 +1,4 @@
-From e2a0e04fb3be9297a8c532dd35a7c1045cae88f4 Mon Sep 17 00:00:00 2001
+From 8bdcbe143adc71918bd6e5f2e075df6b8e31267a Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Thu, 14 Feb 2019 11:50:35 -0500
 Subject: [PATCH] Properly size #ifdef in k5_cccol_lock()
diff --git a/Use-openssl-s-PRNG-in-FIPS-mode.patch b/Use-openssl-s-PRNG-in-FIPS-mode.patch
index f78744c..837a747 100644
--- a/Use-openssl-s-PRNG-in-FIPS-mode.patch
+++ b/Use-openssl-s-PRNG-in-FIPS-mode.patch
@@ -1,4 +1,4 @@
-From 31277d79675a76612015ea00d420b41b9a232d5a Mon Sep 17 00:00:00 2001
+From 9724b7f409410a7c3cc0330089009d7b9aa92ae6 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Fri, 4 Jan 2019 17:00:15 -0500
 Subject: [PATCH] Use openssl's PRNG in FIPS mode
diff --git a/krb5.spec b/krb5.spec
index 0e6c34d..76cf5ae 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.17 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces) -Release: 6%{?dist} +Release: 7%{?dist} # lookaside-cached sources; two downloads and a build artifact Source0: https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}%{prerelease}.tar.gz @@ -60,7 +60,6 @@ Patch33: krb5-1.13-dirsrv-accountlock.patch Patch34: krb5-1.9-debuginfo.patch Patch35: krb5-1.11-run_user_0.patch Patch36: krb5-1.11-kpasswdtest.patch -Patch88: Become-FIPS-aware.patch Patch89: In-FIPS-mode-add-plaintext-fallback-for-RC4-usages-a.patch Patch90: Add-tests-for-KCM-ccache-type.patch Patch92: Address-some-optimized-out-memset-calls.patch @@ -73,6 +72,8 @@ Patch98: Make-etype-names-in-KDC-logs-human-readable.patch Patch99: Mark-deprecated-enctypes-when-used.patch Patch100: Properly-size-ifdef-in-k5_cccol_lock.patch Patch101: Fix-memory-leak-in-none-replay-cache-type.patch +Patch102: Become-FIPS-aware-with-3DES.patch +Patch103: FIPS-aware-SPAKE-group-negotiation.patch License: MIT URL: http://web.mit.edu/kerberos/www/ @@ -712,6 +713,9 @@ exit 0 %{_libdir}/libkadm5srv_mit.so.* %changelog +* Mon Apr 01 2019 Robbie Harwood - 1.17-7 +- FIPS-aware SPAKE group negotiation + * Mon Feb 25 2019 Robbie Harwood - 1.17-6 - Fix memory leak in 'none' replay cache type - Silence a coverity warning while we're here.