diff --git a/Add-ASN.1-encoders-and-decoders-for-SPAKE-types.patch b/Add-ASN.1-encoders-and-decoders-for-SPAKE-types.patch index 7b61fce..6e78dcc 100644 --- a/Add-ASN.1-encoders-and-decoders-for-SPAKE-types.patch +++ b/Add-ASN.1-encoders-and-decoders-for-SPAKE-types.patch @@ -13,7 +13,6 @@ compiled as part of "make test-vectors" and not as part of the regular build. (cherry picked from commit 78a09d95dff6915da4079bc611f4bb95f6a95f70) -Signed-off-by: Robbie Harwood --- src/include/k5-spake.h | 107 +++++++++++++++++++++++++++ src/lib/krb5/asn.1/asn1_k_encode.c | 52 ++++++++++++- diff --git a/Add-PKINIT-KDC-support-for-freshness-token.patch b/Add-PKINIT-KDC-support-for-freshness-token.patch index 23af740..70782fb 100644 --- a/Add-PKINIT-KDC-support-for-freshness-token.patch +++ b/Add-PKINIT-KDC-support-for-freshness-token.patch @@ -24,7 +24,6 @@ the RSA test. ticket: 8648 (cherry picked from commit 4a9050df0bc34bfb08ba24462d6e2514640f4b8e) -Signed-off-by: Robbie Harwood --- doc/admin/conf_files/kdc_conf.rst | 4 + doc/admin/pkinit.rst | 25 +++++ diff --git a/Add-PKINIT-client-support-for-freshness-token.patch b/Add-PKINIT-client-support-for-freshness-token.patch index 3e34b68..1a00819 100644 --- a/Add-PKINIT-client-support-for-freshness-token.patch +++ b/Add-PKINIT-client-support-for-freshness-token.patch @@ -10,7 +10,6 @@ freshnessToken field of pkAuthenticator ticket: 8648 (cherry picked from commit 085785362e01467cb25c79a90dcebfba9ea019d8) -Signed-off-by: Robbie Harwood --- doc/user/user_commands/kinit.rst | 3 +++ src/include/k5-int-pkinit.h | 1 + diff --git a/Add-SPAKE-preauth-support.patch b/Add-SPAKE-preauth-support.patch index e9f4bc3..ab04539 100644 --- a/Add-SPAKE-preauth-support.patch +++ b/Add-SPAKE-preauth-support.patch 
@@ -47,7 +47,6 @@ registry contents; implemented P-384 and P-521] ticket: 8647 (new) (cherry picked from commit 7447259401569c92b1fb2e31cb02edbbffd67d35) -Signed-off-by: Robbie Harwood --- NOTICE | 51 + doc/admin/conf_files/kdc_conf.rst | 22 +- diff --git a/Add-doc-index-entries-for-SPAKE-constants.patch b/Add-doc-index-entries-for-SPAKE-constants.patch index c60e9ba..7ac2afe 100644 --- a/Add-doc-index-entries-for-SPAKE-constants.patch +++ b/Add-doc-index-entries-for-SPAKE-constants.patch @@ -5,7 +5,6 @@ Subject: [PATCH] Add doc index entries for SPAKE constants ticket: 8647 (cherry picked from commit c010c9031753f356bb380e8a1324cc34721f8221) -Signed-off-by: Robbie Harwood --- doc/appdev/refs/macros/index.rst | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Add-flag-to-disable-encrypted-timestamp-on-client.patch b/Add-flag-to-disable-encrypted-timestamp-on-client.patch index 2c8768c..adc4f41 100644 --- a/Add-flag-to-disable-encrypted-timestamp-on-client.patch +++ b/Add-flag-to-disable-encrypted-timestamp-on-client.patch @@ -5,7 +5,6 @@ Subject: [PATCH] Add flag to disable encrypted timestamp on client ticket: 8655 (cherry picked from commit 4ad376134b8d456392edbac7a7d351e6c7a7f0e7) -Signed-off-by: Robbie Harwood --- doc/admin/conf_files/krb5_conf.rst | 10 ++++++++++ doc/admin/spake.rst | 8 ++++++++ diff --git a/Add-k5_buf_add_vfmt-to-k5buf-interface.patch b/Add-k5_buf_add_vfmt-to-k5buf-interface.patch index 31c81c1..1a333a7 100644 --- a/Add-k5_buf_add_vfmt-to-k5buf-interface.patch +++ b/Add-k5_buf_add_vfmt-to-k5buf-interface.patch @@ -4,7 +4,6 @@ Date: Thu, 4 Jan 2018 14:35:12 -0500 Subject: [PATCH] Add k5_buf_add_vfmt to k5buf interface (cherry picked from commit f05766469efc2a055085c0bcf9d40c4cdf47fe36) -Signed-off-by: Robbie Harwood --- src/include/k5-buf.h | 8 ++++++ src/util/support/k5buf.c | 26 +++++++++++-------- diff --git a/Add-k5_dir_filenames-to-libkrb5support.patch b/Add-k5_dir_filenames-to-libkrb5support.patch index 953cab1..d420f15 100644 
--- a/Add-k5_dir_filenames-to-libkrb5support.patch +++ b/Add-k5_dir_filenames-to-libkrb5support.patch @@ -7,7 +7,6 @@ Add a support function to get a list of filenames from a directory in sorted order. (cherry picked from commit 27534121eb39089ff4335d8b465027e9ba783682) -Signed-off-by: Robbie Harwood --- src/include/k5-platform.h | 7 + src/util/support/Makefile.in | 3 + diff --git a/Add-k5test-mark-function.patch b/Add-k5test-mark-function.patch index 21f5a5f..0b2b9fa 100644 --- a/Add-k5test-mark-function.patch +++ b/Add-k5test-mark-function.patch @@ -8,7 +8,6 @@ by allowing the script to output marks, and displaying the most recent mark with command failures. (cherry picked from commit 4e813204ac3dace93297f47d64dfc0aaecc370f8) -Signed-off-by: Robbie Harwood --- src/util/k5test.py | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/Add-libkrb5support-hex-functions-and-tests.patch b/Add-libkrb5support-hex-functions-and-tests.patch index 6ddba45..d7caab2 100644 --- a/Add-libkrb5support-hex-functions-and-tests.patch +++ b/Add-libkrb5support-hex-functions-and-tests.patch @@ -5,7 +5,6 @@ Subject: [PATCH] Add libkrb5support hex functions and tests (cherry picked from commit 720dea558da0062d3cea4385327161e62cf09a5e) [rharwood@redhat.com Remove .gitignore] -Signed-off-by: Robbie Harwood --- src/include/k5-hex.h | 53 ++++++ src/util/support/Makefile.in | 15 +- diff --git a/Add-vector-support-to-k5_sha256.patch b/Add-vector-support-to-k5_sha256.patch index a77f6a2..f9a3233 100644 --- a/Add-vector-support-to-k5_sha256.patch +++ b/Add-vector-support-to-k5_sha256.patch @@ -8,7 +8,6 @@ to k5_sha256(), for efficient computation of SHA-256 hashes over concatenations of data values. (cherry picked from commit 4f3373e8c55b3e9bdfb5b065e07214c5816c85fa) -Signed-off-by: Robbie Harwood --- src/include/k5-int.h | 4 ++-- src/lib/crypto/builtin/sha2/sha256.c | 6 ++++-- 
diff --git a/Be-more-careful-asking-for-AS-key-in-SPAKE-client.patch b/Be-more-careful-asking-for-AS-key-in-SPAKE-client.patch index 668b640..692f4ad 100644 --- a/Be-more-careful-asking-for-AS-key-in-SPAKE-client.patch +++ b/Be-more-careful-asking-for-AS-key-in-SPAKE-client.patch @@ -19,7 +19,6 @@ spake_prep_questions() without a prototype. ticket: 8659 (cherry picked from commit f240f1b0d324312be8aa59ead7cfbe0c329ed064) -Signed-off-by: Robbie Harwood --- src/plugins/preauth/spake/spake_client.c | 111 ++++++++++++++--------- 1 file changed, 66 insertions(+), 45 deletions(-) diff --git a/Convert-Python-tests-to-Python-3.patch b/Convert-Python-tests-to-Python-3.patch index ebf0f4c..5f5dc23 100644 --- a/Convert-Python-tests-to-Python-3.patch +++ b/Convert-Python-tests-to-Python-3.patch @@ -9,7 +9,6 @@ test code to conform to Python 3. ticket: 8710 (new) (cherry picked from commit e23d24beacb73581bbf4351250f3955e6fd44361) [rharwood@redhat.com: Context skew due to not having LMDB in tests] -Signed-off-by: Robbie Harwood --- src/Makefile.in | 1 + src/configure.in | 6 ++-- diff --git a/Eliminate-preprocessor-disabled-dead-code.patch b/Eliminate-preprocessor-disabled-dead-code.patch index 83cd935..9c55c67 100644 --- a/Eliminate-preprocessor-disabled-dead-code.patch +++ b/Eliminate-preprocessor-disabled-dead-code.patch @@ -10,7 +10,6 @@ these dead hunks along with the complexity to support them. (cherry picked from commit 2bc951d3c88b460a16249115cbd51d69c3c57e22) [rharwood@redhat.com: context skew] -Signed-off-by: Robbie Harwood --- src/ccapi/common/win/OldCC/ccutils.c | 6 -- src/ccapi/common/win/OldCC/ccutils.h | 3 - diff --git a/Exit-with-status-0-from-kadmind.patch b/Exit-with-status-0-from-kadmind.patch index afc8b69..5fbdff8 100644 --- a/Exit-with-status-0-from-kadmind.patch +++ b/Exit-with-status-0-from-kadmind.patch 
@@ -14,7 +14,6 @@ weird return code has been present since the addition of the kadmin code, which used a similar event model for signals. (cherry picked from commit f970ad412aca36f8a7d3addb1cd4026ed22e5592) -Signed-off-by: Robbie Harwood --- src/kadmin/server/ovsec_kadmd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Explicitly-look-for-python2-in-configure.in.patch b/Explicitly-look-for-python2-in-configure.in.patch index 19c8d1f..cb6620f 100644 --- a/Explicitly-look-for-python2-in-configure.in.patch +++ b/Explicitly-look-for-python2-in-configure.in.patch @@ -15,7 +15,6 @@ doesn't need a #!/usr/bin/python header. ticket: 8709 (new) (cherry picked from commit 2bd410ecdb366083fe9b4e5f6ac4b741b624230b) -Signed-off-by: Robbie Harwood --- src/appl/gss-sample/t_gss_sample.py | 2 -- src/appl/user_user/t_user2user.py | 1 - diff --git a/Fix-SPAKE-memory-leak.patch b/Fix-SPAKE-memory-leak.patch index de172f6..e1cacca 100644 --- a/Fix-SPAKE-memory-leak.patch +++ b/Fix-SPAKE-memory-leak.patch @@ -10,7 +10,6 @@ data object to avoid a harmless uninitialized memory copy. ticket: 8647 (cherry picked from commit 70b88b8018658e052d6eabf06f8fdad17fbe993c) -Signed-off-by: Robbie Harwood --- src/plugins/preauth/spake/openssl.c | 1 + src/plugins/preauth/spake/spake_kdc.c | 1 + diff --git a/Fix-hex-conversion-of-PKINIT-certid-strings.patch b/Fix-hex-conversion-of-PKINIT-certid-strings.patch index 0cf098a..57d561b 100644 --- a/Fix-hex-conversion-of-PKINIT-certid-strings.patch +++ b/Fix-hex-conversion-of-PKINIT-certid-strings.patch @@ -12,7 +12,6 @@ commit message] ticket: 8636 (cherry picked from commit 63e8b8142fd7b3931a7bf2d6448978ca536bafc0) -Signed-off-by: Robbie Harwood --- .../preauth/pkinit/pkinit_crypto_openssl.c | 55 +++++++++++++++---- 1 file changed, 44 insertions(+), 11 deletions(-) diff --git a/Fix-k5test-prompts-for-Python-3.patch b/Fix-k5test-prompts-for-Python-3.patch index fe16746..4adb451 100644 --- a/Fix-k5test-prompts-for-Python-3.patch 
+++ b/Fix-k5test-prompts-for-Python-3.patch @@ -9,7 +9,6 @@ flushes to make prompts visible in k5test.py. ticket: 8710 (cherry picked from commit 297535b72177dcced036b78107e9d0e37781c7a3) -Signed-off-by: Robbie Harwood --- src/util/k5test.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Fix-read-overflow-in-KDC-sort_pa_data.patch b/Fix-read-overflow-in-KDC-sort_pa_data.patch index d8737c2..4f46827 100644 --- a/Fix-read-overflow-in-KDC-sort_pa_data.patch +++ b/Fix-read-overflow-in-KDC-sort_pa_data.patch @@ -15,7 +15,6 @@ instead get the count from the prior loop by stopping once we move all of the key-replacing modules to the front. (cherry picked from commit b38e318cea18fd65647189eed64aef83bf1cb772) -Signed-off-by: Robbie Harwood --- src/kdc/kdc_preauth.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/Fix-securid_sam2-preauth-for-non-default-salt.patch b/Fix-securid_sam2-preauth-for-non-default-salt.patch index 5f0a1b4..610bf4e 100644 --- a/Fix-securid_sam2-preauth-for-non-default-salt.patch +++ b/Fix-securid_sam2-preauth-for-non-default-salt.patch @@ -8,7 +8,6 @@ just the default salt type. ticket: 8629 (cherry picked from commit a2339099ad13c84de0843fd04d0ba612fc194a1e) -Signed-off-by: Robbie Harwood --- src/plugins/preauth/securid_sam2/grail.c | 3 +-- src/plugins/preauth/securid_sam2/securid2.c | 3 +-- diff --git a/Fix-segfault-in-finish_dispatch.patch b/Fix-segfault-in-finish_dispatch.patch index 0225ab3..ff28848 100644 --- a/Fix-segfault-in-finish_dispatch.patch +++ b/Fix-segfault-in-finish_dispatch.patch @@ -12,8 +12,6 @@ dereference state->active_realm. tags: pullup target_version: 1.16-next target_version: 1.15-next - -Signed-off-by: Robbie Harwood --- src/kdc/dispatch.c | 79 ++++++++++++++++++++++++---------------------- 1 file changed, 42 insertions(+), 37 deletions(-) diff --git a/Fix-some-broken-tests-for-Python-3.patch b/Fix-some-broken-tests-for-Python-3.patch index 4f17284..42825b0 100644 
--- a/Fix-some-broken-tests-for-Python-3.patch +++ b/Fix-some-broken-tests-for-Python-3.patch @@ -15,7 +15,6 @@ currently not exercised by Travis. ticket: 8710 (cherry picked from commit d1fb3551c0dff5c3e6555b31fcbf04ff04d577fe) [rharwood@redhat.com: .travis.yml] -Signed-off-by: Robbie Harwood --- src/lib/krad/t_daemon.py | 2 +- src/tests/jsonwalker.py | 16 +++++----------- diff --git a/Implement-k5_buf_init_dynamic_zap.patch b/Implement-k5_buf_init_dynamic_zap.patch index ceadd64..28fd16b 100644 --- a/Implement-k5_buf_init_dynamic_zap.patch +++ b/Implement-k5_buf_init_dynamic_zap.patch @@ -7,7 +7,6 @@ Add a variant of dynamic k5buf objects which zeroes memory when reallocating or freeing the buffer. (cherry picked from commit 8ee8246c14702dc03b02e31b9fb5b7c2bb674bfb) -Signed-off-by: Robbie Harwood --- src/include/k5-buf.h | 6 ++- src/util/support/k5buf.c | 41 +++++++++++++++---- diff --git a/In-FIPS-mode-add-plaintext-fallback-for-RC4-usages-a.patch b/In-FIPS-mode-add-plaintext-fallback-for-RC4-usages-a.patch new file mode 100644 index 0000000..73ac10d --- /dev/null +++ b/In-FIPS-mode-add-plaintext-fallback-for-RC4-usages-a.patch 
@@ -0,0 +1,327 @@ +From a9f547544ae43c2a71f21cab4fa61388c2f67553 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Tue, 31 Jul 2018 13:47:26 -0400 +Subject: [PATCH] In FIPS mode, add plaintext fallback for RC4 usages and taint + +--- + src/lib/krad/attr.c | 38 ++++++++++++++++++++++++++++---------- + src/lib/krad/attrset.c | 5 +++-- + src/lib/krad/internal.h | 13 +++++++++++-- + src/lib/krad/packet.c | 18 +++++++++--------- + src/lib/krad/remote.c | 10 ++++++++-- + src/lib/krad/t_attr.c | 3 ++- + src/lib/krad/t_attrset.c | 4 +++- + 7 files changed, 64 insertions(+), 27 deletions(-) + +diff --git a/src/lib/krad/attr.c b/src/lib/krad/attr.c +index 9c13d9d75..3a2d0243b 100644 +--- a/src/lib/krad/attr.c ++++ b/src/lib/krad/attr.c +@@ -38,7 +38,8 @@ + typedef krb5_error_code + (*attribute_transform_fn)(krb5_context ctx, const char *secret, + const unsigned char *auth, const krb5_data *in, +- unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen); ++ unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen, ++ krb5_boolean *is_fips); + + typedef struct { + const char *name; +@@ -51,12 +52,14 @@ typedef struct { + static krb5_error_code + user_password_encode(krb5_context ctx, const char *secret, + const unsigned char *auth, const krb5_data *in, +- unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen); ++ unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen, ++ krb5_boolean *is_fips); + + static krb5_error_code + user_password_decode(krb5_context ctx, const char *secret, + const unsigned char *auth, const krb5_data *in, +- unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen); ++ unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen, ++ krb5_boolean *ignored); + + static const attribute_record attributes[UCHAR_MAX] = { + {"User-Name", 1, MAX_ATTRSIZE, NULL, NULL}, +@@ -128,7 +131,8 @@ static const attribute_record attributes[UCHAR_MAX] = { + static krb5_error_code + user_password_encode(krb5_context ctx, const char *secret, + const unsigned char *auth, const krb5_data *in, +- unsigned 
char outbuf[MAX_ATTRSIZE], size_t *outlen) ++ unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen, ++ krb5_boolean *is_fips) + { + const unsigned char *indx; + krb5_error_code retval; +@@ -156,7 +160,12 @@ user_password_encode(krb5_context ctx, const char *secret, + + retval = krb5_c_make_checksum(ctx, CKSUMTYPE_RSA_MD5, NULL, 0, &tmp, + &sum); +- if (retval != 0) { ++ if (retval == ENOMEM) { ++ /* I'm Linux, so we know this is a FIPS failure. Taint so we ++ * don't send it later. */ ++ *is_fips = TRUE; ++ sum.contents = calloc(1, BLOCKSIZE); ++ } else if (retval != 0) { + zap(tmp.data, tmp.length); + zap(outbuf, len); + krb5_free_data_contents(ctx, &tmp); +@@ -180,7 +189,8 @@ user_password_encode(krb5_context ctx, const char *secret, + static krb5_error_code + user_password_decode(krb5_context ctx, const char *secret, + const unsigned char *auth, const krb5_data *in, +- unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen) ++ unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen, ++ krb5_boolean *is_fips) + { + const unsigned char *indx; + krb5_error_code retval; +@@ -206,7 +216,12 @@ user_password_decode(krb5_context ctx, const char *secret, + + retval = krb5_c_make_checksum(ctx, CKSUMTYPE_RSA_MD5, NULL, 0, + &tmp, &sum); +- if (retval != 0) { ++ if (retval == ENOMEM) { ++ /* I'm Linux, so we know this is a FIPS failure. Assume the ++ * other side is running locally and move on. 
*/ ++ *is_fips = TRUE; ++ sum.contents = calloc(1, BLOCKSIZE); ++ } else if (retval != 0) { + zap(tmp.data, tmp.length); + zap(outbuf, in->length); + krb5_free_data_contents(ctx, &tmp); +@@ -248,7 +263,7 @@ krb5_error_code + kr_attr_encode(krb5_context ctx, const char *secret, + const unsigned char *auth, krad_attr type, + const krb5_data *in, unsigned char outbuf[MAX_ATTRSIZE], +- size_t *outlen) ++ size_t *outlen, krb5_boolean *is_fips) + { + krb5_error_code retval; + +@@ -265,7 +280,8 @@ kr_attr_encode(krb5_context ctx, const char *secret, + return 0; + } + +- return attributes[type - 1].encode(ctx, secret, auth, in, outbuf, outlen); ++ return attributes[type - 1].encode(ctx, secret, auth, in, outbuf, outlen, ++ is_fips); + } + + krb5_error_code +@@ -274,6 +290,7 @@ kr_attr_decode(krb5_context ctx, const char *secret, const unsigned char *auth, + unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen) + { + krb5_error_code retval; ++ krb5_boolean ignored; + + retval = kr_attr_valid(type, in); + if (retval != 0) +@@ -288,7 +305,8 @@ kr_attr_decode(krb5_context ctx, const char *secret, const unsigned char *auth, + return 0; + } + +- return attributes[type - 1].decode(ctx, secret, auth, in, outbuf, outlen); ++ return attributes[type - 1].decode(ctx, secret, auth, in, outbuf, outlen, ++ &ignored); + } + + krad_attr +diff --git a/src/lib/krad/attrset.c b/src/lib/krad/attrset.c +index 03c613716..d89982a13 100644 +--- a/src/lib/krad/attrset.c ++++ b/src/lib/krad/attrset.c +@@ -167,7 +167,8 @@ krad_attrset_copy(const krad_attrset *set, krad_attrset **copy) + krb5_error_code + kr_attrset_encode(const krad_attrset *set, const char *secret, + const unsigned char *auth, +- unsigned char outbuf[MAX_ATTRSETSIZE], size_t *outlen) ++ unsigned char outbuf[MAX_ATTRSETSIZE], size_t *outlen, ++ krb5_boolean *is_fips) + { + unsigned char buffer[MAX_ATTRSIZE]; + krb5_error_code retval; +@@ -181,7 +182,7 @@ kr_attrset_encode(const krad_attrset *set, const char *secret, + + 
K5_TAILQ_FOREACH(a, &set->list, list) { + retval = kr_attr_encode(set->ctx, secret, auth, a->type, &a->attr, +- buffer, &attrlen); ++ buffer, &attrlen, is_fips); + if (retval != 0) + return retval; + +diff --git a/src/lib/krad/internal.h b/src/lib/krad/internal.h +index 996a89372..a53ce31ce 100644 +--- a/src/lib/krad/internal.h ++++ b/src/lib/krad/internal.h +@@ -49,6 +49,13 @@ + + typedef struct krad_remote_st krad_remote; + ++struct krad_packet_st { ++ char buffer[KRAD_PACKET_SIZE_MAX]; ++ krad_attrset *attrset; ++ krb5_data pkt; ++ krb5_boolean is_fips; ++}; ++ + /* Validate constraints of an attribute. */ + krb5_error_code + kr_attr_valid(krad_attr type, const krb5_data *data); +@@ -57,7 +64,8 @@ kr_attr_valid(krad_attr type, const krb5_data *data); + krb5_error_code + kr_attr_encode(krb5_context ctx, const char *secret, const unsigned char *auth, + krad_attr type, const krb5_data *in, +- unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen); ++ unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen, ++ krb5_boolean *is_fips); + + /* Decode an attribute. */ + krb5_error_code +@@ -69,7 +77,8 @@ kr_attr_decode(krb5_context ctx, const char *secret, const unsigned char *auth, + krb5_error_code + kr_attrset_encode(const krad_attrset *set, const char *secret, + const unsigned char *auth, +- unsigned char outbuf[MAX_ATTRSETSIZE], size_t *outlen); ++ unsigned char outbuf[MAX_ATTRSETSIZE], size_t *outlen, ++ krb5_boolean *is_fips); + + /* Decode attributes from a buffer. 
*/ + krb5_error_code +diff --git a/src/lib/krad/packet.c b/src/lib/krad/packet.c +index c597174b6..2fbf0ee1e 100644 +--- a/src/lib/krad/packet.c ++++ b/src/lib/krad/packet.c +@@ -53,12 +53,6 @@ typedef unsigned char uchar; + #define pkt_auth(p) ((uchar *)offset(&(p)->pkt, OFFSET_AUTH)) + #define pkt_attr(p) ((unsigned char *)offset(&(p)->pkt, OFFSET_ATTR)) + +-struct krad_packet_st { +- char buffer[KRAD_PACKET_SIZE_MAX]; +- krad_attrset *attrset; +- krb5_data pkt; +-}; +- + typedef struct { + uchar x[(UCHAR_MAX + 1) / 8]; + } idmap; +@@ -190,7 +184,11 @@ auth_generate_response(krb5_context ctx, const char *secret, + retval = krb5_c_make_checksum(ctx, CKSUMTYPE_RSA_MD5, NULL, 0, &data, + &hash); + free(data.data); +- if (retval != 0) ++ if (retval == ENOMEM) { ++ /* We're on Linux, so this is a FIPS failure, and this checksum ++ * does very little security-wise anyway, so don't taint. */ ++ hash.contents = calloc(1, AUTH_FIELD_SIZE); ++ } else if (retval != 0) + return retval; + + memcpy(rauth, hash.contents, AUTH_FIELD_SIZE); +@@ -276,7 +274,7 @@ krad_packet_new_request(krb5_context ctx, const char *secret, krad_code code, + + /* Encode the attributes. */ + retval = kr_attrset_encode(set, secret, pkt_auth(pkt), pkt_attr(pkt), +- &attrset_len); ++ &attrset_len, &pkt->is_fips); + if (retval != 0) + goto error; + +@@ -314,7 +312,7 @@ krad_packet_new_response(krb5_context ctx, const char *secret, krad_code code, + + /* Encode the attributes. 
*/ + retval = kr_attrset_encode(set, secret, pkt_auth(request), pkt_attr(pkt), +- &attrset_len); ++ &attrset_len, &pkt->is_fips); + if (retval != 0) + goto error; + +@@ -451,6 +449,8 @@ krad_packet_decode_response(krb5_context ctx, const char *secret, + const krb5_data * + krad_packet_encode(const krad_packet *pkt) + { ++ if (pkt->is_fips) ++ return NULL; + return &pkt->pkt; + } + +diff --git a/src/lib/krad/remote.c b/src/lib/krad/remote.c +index 437f7e91a..0f90443ce 100644 +--- a/src/lib/krad/remote.c ++++ b/src/lib/krad/remote.c +@@ -263,7 +263,7 @@ on_io_write(krad_remote *rr) + request *r; + + K5_TAILQ_FOREACH(r, &rr->list, list) { +- tmp = krad_packet_encode(r->request); ++ tmp = &r->request->pkt; + + /* If the packet has already been sent, do nothing. */ + if (r->sent == tmp->length) +@@ -359,7 +359,7 @@ on_io_read(krad_remote *rr) + if (req != NULL) { + K5_TAILQ_FOREACH(r, &rr->list, list) { + if (r->request == req && +- r->sent == krad_packet_encode(req)->length) { ++ r->sent == req->pkt.length) { + request_finish(r, 0, rsp); + break; + } +@@ -455,6 +455,12 @@ kr_remote_send(krad_remote *rr, krad_code code, krad_attrset *attrs, + (krad_packet_iter_cb)iterator, &r, &tmp); + if (retval != 0) + goto error; ++ else if (tmp->is_fips && rr->info->ai_family != AF_LOCAL && ++ rr->info->ai_family != AF_UNIX) { ++ /* This would expose cleartext passwords, so abort. 
*/ ++ retval = ESOCKTNOSUPPORT; ++ goto error; ++ } + + K5_TAILQ_FOREACH(r, &rr->list, list) { + if (r->request == tmp) { +diff --git a/src/lib/krad/t_attr.c b/src/lib/krad/t_attr.c +index eb2a780c8..4d285ad9d 100644 +--- a/src/lib/krad/t_attr.c ++++ b/src/lib/krad/t_attr.c +@@ -50,6 +50,7 @@ main() + const char *tmp; + krb5_data in; + size_t len; ++ krb5_boolean is_fips = FALSE; + + noerror(krb5_init_context(&ctx)); + +@@ -73,7 +74,7 @@ main() + in = string2data((char *)decoded); + retval = kr_attr_encode(ctx, secret, auth, + krad_attr_name2num("User-Password"), +- &in, outbuf, &len); ++ &in, outbuf, &len, &is_fips); + insist(retval == 0); + insist(len == sizeof(encoded)); + insist(memcmp(outbuf, encoded, len) == 0); +diff --git a/src/lib/krad/t_attrset.c b/src/lib/krad/t_attrset.c +index 7928335ca..0f9576253 100644 +--- a/src/lib/krad/t_attrset.c ++++ b/src/lib/krad/t_attrset.c +@@ -49,6 +49,7 @@ main() + krb5_context ctx; + size_t len = 0, encode_len; + krb5_data tmp; ++ krb5_boolean is_fips = FALSE; + + noerror(krb5_init_context(&ctx)); + noerror(krad_attrset_new(ctx, &set)); +@@ -62,7 +63,8 @@ main() + noerror(krad_attrset_add(set, krad_attr_name2num("User-Password"), &tmp)); + + /* Encode attrset. */ +- noerror(kr_attrset_encode(set, "foo", auth, buffer, &encode_len)); ++ noerror(kr_attrset_encode(set, "foo", auth, buffer, &encode_len, ++ &is_fips)); + krad_attrset_free(set); + + /* Manually encode User-Name. */ diff --git a/Include-etype-info-in-for-hardware-preauth-hints.patch b/Include-etype-info-in-for-hardware-preauth-hints.patch index 788a88a..82aba62 100644 --- a/Include-etype-info-in-for-hardware-preauth-hints.patch +++ b/Include-etype-info-in-for-hardware-preauth-hints.patch @@ -10,7 +10,6 @@ password. ticket: 8629 (cherry picked from commit ba92da05accc524b8037453b63ced1a6c65fd2a1) -Signed-off-by: Robbie Harwood --- src/kdc/kdc_preauth.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/Include-preauth-name-in-trace-output-if-possible.patch b/Include-preauth-name-in-trace-output-if-possible.patch index 59dfc21..fe88920 100644 --- a/Include-preauth-name-in-trace-output-if-possible.patch +++ b/Include-preauth-name-in-trace-output-if-possible.patch @@ -11,7 +11,6 @@ and use it when formatting {patype} or {patypes}. ticket: 8653 (new) (cherry picked from commit 9c68fe39b018666eabe033b639c1f35d03ba51c7) -Signed-off-by: Robbie Harwood --- src/include/k5-trace.h | 17 +-- src/lib/krb5/os/t_trace.ref | 2 +- diff --git a/Log-when-non-root-ksu-authorization-fails.patch b/Log-when-non-root-ksu-authorization-fails.patch index b4a6c2e..704b5a9 100644 --- a/Log-when-non-root-ksu-authorization-fails.patch +++ b/Log-when-non-root-ksu-authorization-fails.patch @@ -8,7 +8,6 @@ syslog at LOG_WARNING in keeping with other failure messages. ticket: 8270 (cherry picked from commit 6cfa5c113e981f14f70ccafa20abfa5c46b665ba) -Signed-off-by: Robbie Harwood --- src/clients/ksu/main.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/Make-docs-build-python3-compatible.patch b/Make-docs-build-python3-compatible.patch index f6e5fa1..58a3e86 100644 --- a/Make-docs-build-python3-compatible.patch +++ b/Make-docs-build-python3-compatible.patch @@ -8,7 +8,6 @@ paths information in docs. Call exec() directly instead. ticket: 8692 (new) (cherry picked from commit a7c6d98480f1e33454173f88381921472d72f80a) -Signed-off-by: Robbie Harwood --- doc/conf.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Make-krb5kdc-p-affect-TCP-ports.patch b/Make-krb5kdc-p-affect-TCP-ports.patch index 1b4ae04..ac5bc30 100644 --- a/Make-krb5kdc-p-affect-TCP-ports.patch +++ b/Make-krb5kdc-p-affect-TCP-ports.patch @@ -9,7 +9,6 @@ ports. ticket: 8715 (new) (cherry picked from commit eb514587acc5c357bf0f554199bf0489b5515f8b) -Signed-off-by: Robbie Harwood --- doc/admin/admin_commands/krb5kdc.rst | 12 ++++++------ src/kdc/main.c | 12 ++++-------- 
diff --git a/Move-zap-definition-to-k5-platform.h.patch b/Move-zap-definition-to-k5-platform.h.patch index 4e93056..f181701 100644 --- a/Move-zap-definition-to-k5-platform.h.patch +++ b/Move-zap-definition-to-k5-platform.h.patch @@ -7,7 +7,6 @@ Make it possible to use zap() in parts of the code which should not include k5-int.h by moving its definition to k5-platform.h. (cherry picked from commit df6bef6f9ea6a5f6f3956a2988cd658c78aae817) -Signed-off-by: Robbie Harwood --- src/include/k5-int.h | 45 ------------------------------------- src/include/k5-platform.h | 47 ++++++++++++++++++++++++++++++++++++++- diff --git a/Process-profile-includedir-in-sorted-order.patch b/Process-profile-includedir-in-sorted-order.patch index 044c046..92efffc 100644 --- a/Process-profile-includedir-in-sorted-order.patch +++ b/Process-profile-includedir-in-sorted-order.patch @@ -9,7 +9,6 @@ within the C locale). ticket: 8686 (cherry picked from commit f574eda48740ad192f51e9a382a205e2ea0e60ad) -Signed-off-by: Robbie Harwood --- doc/admin/conf_files/krb5_conf.rst | 4 ++- src/util/profile/prof_parse.c | 56 +++++------------------------- diff --git a/Refactor-KDC-krb5_pa_data-utility-functions.patch b/Refactor-KDC-krb5_pa_data-utility-functions.patch index b7acc49..41e7cbe 100644 --- a/Refactor-KDC-krb5_pa_data-utility-functions.patch +++ b/Refactor-KDC-krb5_pa_data-utility-functions.patch @@ -16,7 +16,6 @@ callers accordingly, making small simplifications to memory handling where applicable. (cherry picked from commit 4af478c18b02e1d2444a328bb79e6976ef3d312b) -Signed-off-by: Robbie Harwood --- src/kdc/fast_util.c | 28 +------ src/kdc/kdc_preauth.c | 14 ++-- diff --git a/Remove-nodes-option-from-make-certs-scripts.patch b/Remove-nodes-option-from-make-certs-scripts.patch index f45b1b0..402f5fb 100644 --- a/Remove-nodes-option-from-make-certs-scripts.patch +++ b/Remove-nodes-option-from-make-certs-scripts.patch 
@@ -12,7 +12,6 @@ pkcs12 subcommands, but genrsa creates unencrypted keys by default. [ghudson@mit.edu: edited commit message] (cherry picked from commit 928a36aae326d496c9a73f2cd41b4da45eef577c) -Signed-off-by: Robbie Harwood --- src/tests/dejagnu/pkinit-certs/make-certs.sh | 2 +- src/tests/dejagnu/proxy-certs/make-certs.sh | 2 +- diff --git a/Remove-outdated-note-in-krb5kdc-man-page.patch b/Remove-outdated-note-in-krb5kdc-man-page.patch index b2e8c13..6845b89 100644 --- a/Remove-outdated-note-in-krb5kdc-man-page.patch +++ b/Remove-outdated-note-in-krb5kdc-man-page.patch @@ -13,7 +13,6 @@ tags: pullup target_version: 1.16-next (cherry picked from commit 728b66ab867e31c4c338c6a6309d629d39a4ec3f) -Signed-off-by: Robbie Harwood --- doc/admin/admin_commands/krb5kdc.rst | 7 ------- 1 file changed, 7 deletions(-) diff --git a/Report-extended-errors-in-kinit-k-t-KDB.patch b/Report-extended-errors-in-kinit-k-t-KDB.patch index bc6728d..6859b55 100644 --- a/Report-extended-errors-in-kinit-k-t-KDB.patch +++ b/Report-extended-errors-in-kinit-k-t-KDB.patch @@ -9,7 +9,6 @@ extended error messages. ticket: 8652 (new) (cherry picked from commit d4d902d317a2acc46ee71094a33a9203b6135275) -Signed-off-by: Robbie Harwood --- src/clients/kinit/kinit.c | 1 + 1 file changed, 1 insertion(+) diff --git a/Restrict-pre-authentication-fallback-cases.patch b/Restrict-pre-authentication-fallback-cases.patch index d5c9d86..f519557 100644 --- a/Restrict-pre-authentication-fallback-cases.patch +++ b/Restrict-pre-authentication-fallback-cases.patch @@ -16,7 +16,6 @@ retried after a failure. ticket: 8654 (cherry picked from commit 7a24a088c16d326127dd2b29084d4ca085c70d10) -Signed-off-by: Robbie Harwood --- src/include/krb5/clpreauth_plugin.h | 14 ++++ src/lib/krb5/krb/get_in_tkt.c | 21 +++--- diff --git a/Simplify-kdc_preauth.c-systems-table.patch b/Simplify-kdc_preauth.c-systems-table.patch index c7ff103..08853d4 100644 --- a/Simplify-kdc_preauth.c-systems-table.patch 
+++ b/Simplify-kdc_preauth.c-systems-table.patch @@ -15,7 +15,6 @@ padata types. The KRB5_PADATA_SERVER_REFERRAL entry has been disabled since it was first added. (cherry picked from commit fea1a488924faa3938ef723feaa1ff12d22a91ff) -Signed-off-by: Robbie Harwood --- src/kdc/kdc_preauth.c | 526 +++++++++++++++--------------------------- 1 file changed, 184 insertions(+), 342 deletions(-) diff --git a/Use-SHA-256-instead-of-MD5-for-audit-ticket-IDs.patch b/Use-SHA-256-instead-of-MD5-for-audit-ticket-IDs.patch index 061a7fc..26df25a 100644 --- a/Use-SHA-256-instead-of-MD5-for-audit-ticket-IDs.patch +++ b/Use-SHA-256-instead-of-MD5-for-audit-ticket-IDs.patch @@ -5,7 +5,6 @@ Subject: [PATCH] Use SHA-256 instead of MD5 for audit ticket IDs ticket: 8711 (new) (cherry picked from commit c1e1bfa26bd2f045e88e6013c500fca9428c98f3) -Signed-off-by: Robbie Harwood --- src/kdc/kdc_audit.c | 21 ++++++++++----------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/Use-k5_buf_init_dynamic_zap-where-appropriate.patch b/Use-k5_buf_init_dynamic_zap-where-appropriate.patch index 8d8e774..3d3bcd8 100644 --- a/Use-k5_buf_init_dynamic_zap-where-appropriate.patch +++ b/Use-k5_buf_init_dynamic_zap-where-appropriate.patch @@ -4,7 +4,6 @@ Date: Mon, 26 Mar 2018 11:24:49 -0400 Subject: [PATCH] Use k5_buf_init_dynamic_zap where appropriate (cherry picked from commit 9172599008f3a6790d4a9a67acff58049742dcb6) -Signed-off-by: Robbie Harwood --- src/lib/krb5/ccache/cc_file.c | 4 ++-- src/lib/krb5/ccache/cc_keyring.c | 2 +- diff --git a/Use-libkrb5support-hex-functions-where-appropriate.patch b/Use-libkrb5support-hex-functions-where-appropriate.patch index 81c8164..eab05bc 100644 --- a/Use-libkrb5support-hex-functions-where-appropriate.patch +++ b/Use-libkrb5support-hex-functions-where-appropriate.patch 
@@ -4,7 +4,6 @@ Date: Mon, 19 Feb 2018 00:52:35 -0500 Subject: [PATCH] Use libkrb5support hex functions where appropriate (cherry picked from commit b0c700608be7455041a8afc0e4502e8783ee7f30) -Signed-off-by: Robbie Harwood --- src/kadmin/dbutil/deps | 16 ++--- src/kadmin/dbutil/tabdump.c | 19 +++--- diff --git a/Zap-copy-of-secret-in-RC4-string-to-key.patch b/Zap-copy-of-secret-in-RC4-string-to-key.patch index 7f3bbf4..7502c25 100644 --- a/Zap-copy-of-secret-in-RC4-string-to-key.patch +++ b/Zap-copy-of-secret-in-RC4-string-to-key.patch @@ -11,7 +11,6 @@ freed as the input string typically contains a password. [ghudson@mit.edu: rewrote commit message] ticket: 8713 (new) -Signed-off-by: Robbie Harwood --- src/lib/crypto/krb/s2k_rc4.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Zap-data-when-freeing-krb5_spake_factor.patch b/Zap-data-when-freeing-krb5_spake_factor.patch index 04652af..9ce2462 100644 --- a/Zap-data-when-freeing-krb5_spake_factor.patch +++ b/Zap-data-when-freeing-krb5_spake_factor.patch @@ -8,7 +8,6 @@ second-factor SPAKE is implemented, so should be zapped when freed. ticket: 8647 (cherry picked from commit 9cc94a3f1ce06a4430f684300a747ec079102403) -Signed-off-by: Robbie Harwood --- src/lib/krb5/krb/kfree.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/krb5-1.11-kpasswdtest.patch b/krb5-1.11-kpasswdtest.patch index 144e3bf..ddd3ec2 100644 --- a/krb5-1.11-kpasswdtest.patch +++ b/krb5-1.11-kpasswdtest.patch @@ -3,7 +3,6 @@ From: Robbie Harwood Date: Tue, 23 Aug 2016 16:52:01 -0400 Subject: [PATCH] krb5-1.11-kpasswdtest.patch -Signed-off-by: Robbie Harwood --- src/kadmin/testing/proto/krb5.conf.proto | 1 + 1 file changed, 1 insertion(+) diff --git a/krb5-1.11-run_user_0.patch b/krb5-1.11-run_user_0.patch index 06f2e6e..febb3b3 100644 --- a/krb5-1.11-run_user_0.patch +++ b/krb5-1.11-run_user_0.patch 
@@ -6,8 +6,6 @@ Subject: [PATCH] krb5-1.11-run_user_0.patch A hack: if we're looking at creating a ccache directory directly below the /run/user/0 directory, and /run/user/0 doesn't exist, try to create it, too. - -Signed-off-by: Robbie Harwood --- src/lib/krb5/ccache/cc_dir.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/krb5-1.12-api.patch b/krb5-1.12-api.patch index dbf6183..9eba2ff 100644 --- a/krb5-1.12-api.patch +++ b/krb5-1.12-api.patch @@ -6,8 +6,6 @@ Subject: [PATCH] krb5-1.12-api.patch Reference docs don't define what happens if you call krb5_realm_compare() with malformed krb5_principal structures. Define a behavior which keeps it from crashing if applications don't check ahead of time. - -Signed-off-by: Robbie Harwood --- src/lib/krb5/krb/princ_comp.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/krb5-1.12-ksu-path.patch b/krb5-1.12-ksu-path.patch index b7b1c7e..19b9e73 100644 --- a/krb5-1.12-ksu-path.patch +++ b/krb5-1.12-ksu-path.patch @@ -4,8 +4,6 @@ Date: Tue, 23 Aug 2016 16:32:09 -0400 Subject: [PATCH] krb5-1.12-ksu-path.patch Set the default PATH to the one set by login. - -Signed-off-by: Robbie Harwood --- src/clients/ksu/Makefile.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krb5-1.12-ktany.patch b/krb5-1.12-ktany.patch index 59bb3d6..de59827 100644 --- a/krb5-1.12-ktany.patch +++ b/krb5-1.12-ktany.patch @@ -6,8 +6,6 @@ Subject: [PATCH] krb5-1.12-ktany.patch Adds an "ANY" keytab type which is a list of other keytab locations to search when searching for a specific entry. When iterated through, it only presents the contents of the first keytab. - -Signed-off-by: Robbie Harwood --- src/lib/krb5/keytab/Makefile.in | 3 + src/lib/krb5/keytab/kt_any.c | 292 ++++++++++++++++++++++++++++++++ diff --git a/krb5-1.12.1-pam.patch b/krb5-1.12.1-pam.patch index 6060ce9..97c1e8f 100644 --- a/krb5-1.12.1-pam.patch +++ b/krb5-1.12.1-pam.patch 
@@ -16,8 +16,6 @@ When enabled, ksu gains a dependency on libpam. Originally RT#5939, though it's changed since then to perform the account and session management before dropping privileges, and to apply on top of changes we're proposing for how it handles cache collections. - -Signed-off-by: Robbie Harwood --- src/aclocal.m4 | 67 +++++++ src/clients/ksu/Makefile.in | 8 +- diff --git a/krb5-1.13-dirsrv-accountlock.patch b/krb5-1.13-dirsrv-accountlock.patch index 7e22280..ff5f73e 100644 --- a/krb5-1.13-dirsrv-accountlock.patch +++ b/krb5-1.13-dirsrv-accountlock.patch @@ -5,8 +5,6 @@ Subject: [PATCH] krb5-1.13-dirsrv-accountlock.patch Treat 'nsAccountLock: true' the same as 'loginDisabled: true'. Updated from original version filed as RT#5891. - -Signed-off-by: Robbie Harwood --- src/aclocal.m4 | 9 +++++++++ src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c | 17 +++++++++++++++++ diff --git a/krb5-1.15-beta1-buildconf.patch b/krb5-1.15-beta1-buildconf.patch index 3e301c8..a949727 100644 --- a/krb5-1.15-beta1-buildconf.patch +++ b/krb5-1.15-beta1-buildconf.patch @@ -8,8 +8,6 @@ and install shared libraries with the execute bit set on them. Prune out the -L/usr/lib* and PIE flags where they might leak out and affect apps which just want to link with the libraries. FIXME: needs to check and not just assume that the compiler supports using these flags. - -Signed-off-by: Robbie Harwood --- src/build-tools/krb5-config.in | 7 +++++++ src/config/pre.in | 2 +- diff --git a/krb5-1.15.1-selinux-label.patch b/krb5-1.15.1-selinux-label.patch index b2f6cb0..728c72e 100644 --- a/krb5-1.15.1-selinux-label.patch +++ b/krb5-1.15.1-selinux-label.patch @@ -35,8 +35,6 @@ stomp all over us. The selabel APIs for looking up the context should be thread-safe (per Red Hat #273081), so switching to using them instead of matchpathcon(), which we used earlier, is some improvement. - -Signed-off-by: Robbie Harwood --- src/aclocal.m4 | 49 +++ src/build-tools/krb5-config.in | 3 +- 
diff --git a/krb5-1.3.1-dns.patch b/krb5-1.3.1-dns.patch index 9fb9df8..1af7c12 100644 --- a/krb5-1.3.1-dns.patch +++ b/krb5-1.3.1-dns.patch @@ -4,8 +4,6 @@ Date: Tue, 23 Aug 2016 16:46:21 -0400 Subject: [PATCH] krb5-1.3.1-dns.patch We want to be able to use --with-netlib and --enable-dns at the same time. - -Signed-off-by: Robbie Harwood --- src/aclocal.m4 | 1 + 1 file changed, 1 insertion(+) diff --git a/krb5-1.9-debuginfo.patch b/krb5-1.9-debuginfo.patch index 4378ff7..5b0f5bc 100644 --- a/krb5-1.9-debuginfo.patch +++ b/krb5-1.9-debuginfo.patch @@ -6,8 +6,6 @@ Subject: [PATCH] krb5-1.9-debuginfo.patch We want to keep these y.tab.c files around because the debuginfo points to them. It would be more elegant at the end to use symbolic links, but that could mess up people working in the tree on other things. - -Signed-off-by: Robbie Harwood --- src/kadmin/cli/Makefile.in | 5 +++++ src/plugins/kdb/ldap/ldap_util/Makefile.in | 2 +- diff --git a/krb5.spec b/krb5.spec index db9f9b0..ae797b0 100644 --- a/krb5.spec +++ b/krb5.spec @@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.16.1 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces) -Release: 18%{?dist} +Release: 19%{?dist} # lookaside-cached sources; two downloads and a build artifact Source0: https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}%{prerelease}.tar.gz @@ -102,6 +102,7 @@ Patch82: Eliminate-preprocessor-disabled-dead-code.patch Patch83: Make-krb5kdc-p-affect-TCP-ports.patch Patch84: Remove-outdated-note-in-krb5kdc-man-page.patch Patch85: Fix-k5test-prompts-for-Python-3.patch +Patch86: In-FIPS-mode-add-plaintext-fallback-for-RC4-usages-a.patch License: MIT URL: http://web.mit.edu/kerberos/www/ 
@@ -748,6 +749,9 @@ exit 0 %{_libdir}/libkadm5srv_mit.so.* %changelog +* Wed Aug 01 2018 Robbie Harwood - 1.16.1-19 +- In FIPS mode, add plaintext fallback for RC4 usages and taint + * Thu Jul 26 2018 Robbie Harwood - 1.16.1-18 - Fix k5test prompts for Python 3
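Review bot: the `-Signed-off-by: Robbie Harwood` removals repeated across the carried patch files (for example the `@@ -5,7 +5,6 @@` hunk of Use-SHA-256-instead-of-MD5-for-audit-ticket-IDs.patch and the `@@ -6,8 +6,6 @@` hunk of krb5-1.12-ktany.patch) are unrelated to the one functional change recorded in the changelog, and nothing in the visible text says why the trailers are being dropped. Please either state the reason in the commit message (for instance, that the patch set was regenerated without sign-off) or move the regeneration into its own commit so the Patch86 addition can be reviewed in isolation. Note also that in Zap-copy-of-secret-in-RC4-string-to-key.patch the removed trailer directly follows `ticket: 8713 (new)` with no `(cherry picked from commit ...)` line in the visible context, so after this change that patch header carries only the ticket number as provenance; consider adding the upstream commit reference there if one exists.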
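Review bot: in the krb5.spec hunk at `@@ -102,6 +102,7 @@`, `Patch86: In-FIPS-mode-add-plaintext-fallback-for-RC4-usages-a.patch` is added with no accompanying comment, although it changes how RC4 is handled in FIPS mode. A short spec comment above the `Patch86:` line saying whether the patch comes from upstream and which bug or ticket it addresses would let a later packager or auditor tell at a glance why a change touching a weak cipher is carried here. The file name is also cut off at `usages-a`, so the comment is the only place the full subject can be read without opening the patch.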
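Review bot: the new changelog entry in the `@@ -748,6 +749,9 @@` hunk, `- In FIPS mode, add plaintext fallback for RC4 usages and taint`, does not say what is tainted or what "plaintext fallback" means for the data that RC4 would otherwise have protected. Since this is the only user-visible description of a change to cryptographic behaviour, please expand it to name the affected object (for example whether it is the context, the key, or the process that is marked) and add the bug reference, so that administrators running in FIPS mode can judge the impact from `rpm -q --changelog` alone.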