New upstream version (1.18)

.gitignore

@@ -181,3 +181,5 @@ krb5-1.8.3-pdf.tar.gz
 /krb5-1.18-beta1.tar.gz.asc
 /krb5-1.18-beta2.tar.gz
 /krb5-1.18-beta2.tar.gz.asc
+/krb5-1.18.tar.gz
+/krb5-1.18.tar.gz.asc

Don-t-assume-OpenSSL-failures-are-memory-errors.patch

@@ -1,44 +0,0 @@
-From 4951953618e5b53a571c4d1e4fcb5e6b14fbe004 Mon Sep 17 00:00:00 2001
-From: Robbie Harwood <rharwood@redhat.com>
-Date: Wed, 5 Feb 2020 12:56:00 -0500
-Subject: [PATCH] Don't assume OpenSSL failures are memory errors
-
-More recent versions of OpenSSL can fail for other reasons.  Indicate
-a crypto-related error occurred rather than a memory error to aid
-debugging.
-
-ticket: 8873 (new)
-tags: pullup
-target_version: 1.18
-target_version: 1.17-next
-
-(cherry picked from commit bf9b2134ceddd6c727362be894b1c95c297a0f17)
----
- src/lib/crypto/openssl/hash_provider/hash_evp.c | 2 +-
- src/lib/crypto/openssl/sha256.c                 | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/lib/crypto/openssl/hash_provider/hash_evp.c b/src/lib/crypto/openssl/hash_provider/hash_evp.c
-index 915da9dbe..feb5eda99 100644
---- a/src/lib/crypto/openssl/hash_provider/hash_evp.c
-+++ b/src/lib/crypto/openssl/hash_provider/hash_evp.c
-@@ -63,7 +63,7 @@ hash_evp(const EVP_MD *type, const krb5_crypto_iov *data, size_t num_data,
-     }
-     ok = ok && EVP_DigestFinal_ex(ctx, (uint8_t *)output->data, NULL);
-     EVP_MD_CTX_free(ctx);
--    return ok ? 0 : ENOMEM;
-+    return ok ? 0 : KRB5_CRYPTO_INTERNAL;
- }
- 
- static krb5_error_code
-diff --git a/src/lib/crypto/openssl/sha256.c b/src/lib/crypto/openssl/sha256.c
-index 0edd8b7ba..f9dfc8539 100644
---- a/src/lib/crypto/openssl/sha256.c
-+++ b/src/lib/crypto/openssl/sha256.c
-@@ -48,5 +48,5 @@ k5_sha256(const krb5_data *in, size_t n, uint8_t out[K5_SHA256_HASHLEN])
-         ok = ok && EVP_DigestUpdate(ctx, in[i].data, in[i].length);
-     ok = ok && EVP_DigestFinal_ex(ctx, out, NULL);
-     EVP_MD_CTX_free(ctx);
--    return ok ? 0 : ENOMEM;
-+    return ok ? 0 : KRB5_CRYPTO_INTERNAL;
- }

Put-KDB-authdata-first.patch

@@ -1,44 +0,0 @@
-From 1678270de3fda699114122447b1f06b08fb4e53e Mon Sep 17 00:00:00 2001
-From: Isaac Boukris <iboukris@gmail.com>
-Date: Sat, 1 Feb 2020 16:13:30 +0100
-Subject: [PATCH] Put KDB authdata first
-
-Windows services, as well as some versions of Samba, may refuse
-tickets if the PAC is not in the first AD-IF-RELEVANT container.  In
-fetch_kdb_authdata(), change the merge order so that authdata from the
-KDB module appears first.
-
-[ghudson@mit.edu: added comment and clarified commit message]
-
-ticket: 8872 (new)
-tags: pullup
-target_version: 1.18
-target_version: 1.17-next
-
-(cherry picked from commit 331fa4bdd34263ea20667a0f51338cb84357fdaa)
----
- src/kdc/kdc_authdata.c | 9 ++++++---
- 1 file changed, 6 insertions(+), 3 deletions(-)
-
-diff --git a/src/kdc/kdc_authdata.c b/src/kdc/kdc_authdata.c
-index a18e4b4be..1ebe87246 100644
---- a/src/kdc/kdc_authdata.c
-+++ b/src/kdc/kdc_authdata.c
-@@ -372,11 +372,14 @@ fetch_kdb_authdata(krb5_context context, unsigned int flags,
-     if (ret)
-         return (ret == KRB5_PLUGIN_OP_NOTSUPP) ? 0 : ret;
- 
--    /* Add the KDB authdata to the ticket, without copying or filtering. */
--    ret = merge_authdata(context, db_authdata,
--                         &enc_tkt_reply->authorization_data, FALSE, FALSE);
-+    /* Put the KDB authdata first in the ticket.  A successful merge places the
-+     * combined list in db_authdata and releases the old ticket authdata. */
-+    ret = merge_authdata(context, enc_tkt_reply->authorization_data,
-+                         &db_authdata, FALSE, FALSE);
-     if (ret)
-         krb5_free_authdata(context, db_authdata);
-+    else
-+        enc_tkt_reply->authorization_data = db_authdata;
-     return ret;
- }
- 

Test-that-PAC-is-the-first-authdata-element.patch

@@ -1,147 +0,0 @@
-From a3b82f95570e39c8689f5ce1bbcc80ad99483323 Mon Sep 17 00:00:00 2001
-From: Isaac Boukris <iboukris@gmail.com>
-Date: Sat, 1 Feb 2020 13:21:39 +0100
-Subject: [PATCH] Test that PAC is the first authdata element
-
-In the test KDB module, set the PAC as the first authdata element.  In
-adata.c, add PAC service verification and verify that a PAC does not
-appear in authdata elements after the first.
-
-[ghudson@mit.edu: minor style changes; edited commit message]
-
-ticket: 8872
-(cherry picked from commit d40d7c8ee8d7fb547e45c545365b21a818050130)
----
- src/plugins/kdb/test/kdb_test.c |  7 +++--
- src/tests/adata.c               | 54 ++++++++++++++++++++++++++++-----
- 2 files changed, 51 insertions(+), 10 deletions(-)
-
-diff --git a/src/plugins/kdb/test/kdb_test.c b/src/plugins/kdb/test/kdb_test.c
-index d95a7fa5d..1936cb0e4 100644
---- a/src/plugins/kdb/test/kdb_test.c
-+++ b/src/plugins/kdb/test/kdb_test.c
-@@ -897,10 +897,11 @@ test_sign_authdata(krb5_context context, unsigned int flags,
-     test_ad->contents = (uint8_t *)estrdup("db-authdata-test");
-     test_ad->length = strlen((char *)test_ad->contents);
- 
--    /* Assemble the authdata into a one-element or two-element list. */
-+    /* Assemble the authdata into a one-element or two-element list.
-+     * The PAC must be the first element. */
-     list = ealloc(3 * sizeof(*list));
--    list[0] = test_ad;
--    list[1] = pac_ad;
-+    list[0] = (pac_ad != NULL) ? pac_ad : test_ad;
-+    list[1] = (pac_ad != NULL) ? test_ad : NULL;
-     list[2] = NULL;
-     *signed_auth_data = list;
- 
-diff --git a/src/tests/adata.c b/src/tests/adata.c
-index d3bd08e30..3869aec1d 100644
---- a/src/tests/adata.c
-+++ b/src/tests/adata.c
-@@ -56,7 +56,8 @@
- static krb5_context ctx;
- 
- static void display_authdata_list(krb5_authdata **list, krb5_keyblock *skey,
--                                  krb5_keyblock *tktkey, char prefix_byte);
-+                                  krb5_keyblock *tktkey, char prefix_byte,
-+                                  krb5_boolean pac_expected);
- 
- static void
- check(krb5_error_code code)
-@@ -206,7 +207,7 @@ display_binary_or_ascii(krb5_authdata *ad)
-  * must be the ticket session key. */
- static void
- display_authdata(krb5_authdata *ad, krb5_keyblock *skey, krb5_keyblock *tktkey,
--                 int prefix_byte)
-+                 int prefix_byte, krb5_boolean pac_expected)
- {
-     krb5_authdata **inner_ad;
- 
-@@ -214,13 +215,18 @@ display_authdata(krb5_authdata *ad, krb5_keyblock *skey, krb5_keyblock *tktkey,
-         ad->ad_type == KRB5_AUTHDATA_MANDATORY_FOR_KDC ||
-         ad->ad_type == KRB5_AUTHDATA_KDC_ISSUED ||
-         ad->ad_type == KRB5_AUTHDATA_CAMMAC) {
-+        if (ad->ad_type != KRB5_AUTHDATA_IF_RELEVANT)
-+            pac_expected = FALSE;
-         /* Decode and display the contents. */
-         inner_ad = get_container_contents(ad, skey, tktkey);
--        display_authdata_list(inner_ad, skey, tktkey, get_prefix_byte(ad));
-+        display_authdata_list(inner_ad, skey, tktkey, get_prefix_byte(ad),
-+                              pac_expected);
-         krb5_free_authdata(ctx, inner_ad);
-         return;
-     }
- 
-+    assert(!pac_expected || ad->ad_type == KRB5_AUTHDATA_WIN2K_PAC);
-+
-     printf("%c", prefix_byte);
-     printf("%d: ", (int)ad->ad_type);
- 
-@@ -233,12 +239,43 @@ display_authdata(krb5_authdata *ad, krb5_keyblock *skey, krb5_keyblock *tktkey,
- 
- static void
- display_authdata_list(krb5_authdata **list, krb5_keyblock *skey,
--                      krb5_keyblock *tktkey, char prefix_byte)
-+                      krb5_keyblock *tktkey, char prefix_byte,
-+                      krb5_boolean pac_expected)
- {
-     if (list == NULL)
-         return;
--    for (; *list != NULL; list++)
--        display_authdata(*list, skey, tktkey, prefix_byte);
-+    /* Only expect a PAC in the first element, if at all. */
-+    for (; *list != NULL; list++) {
-+        display_authdata(*list, skey, tktkey, prefix_byte, pac_expected);
-+        pac_expected = FALSE;
-+    }
-+}
-+
-+/* If a PAC is present in enc_part2, verify its service signature with key and
-+ * set *has_pac to true. */
-+static void
-+check_pac(krb5_context context, krb5_enc_tkt_part *enc_part2,
-+          const krb5_keyblock *key, krb5_boolean *has_pac)
-+{
-+    krb5_authdata **authdata;
-+    krb5_pac pac;
-+
-+    *has_pac = FALSE;
-+
-+    check(krb5_find_authdata(context, enc_part2->authorization_data, NULL,
-+                             KRB5_AUTHDATA_WIN2K_PAC, &authdata));
-+    if (authdata == NULL)
-+        return;
-+
-+    assert(authdata[1] == NULL);
-+    check(krb5_pac_parse(context, authdata[0]->contents, authdata[0]->length,
-+                         &pac));
-+    krb5_free_authdata(context, authdata);
-+
-+    check(krb5_pac_verify(context, pac, enc_part2->times.authtime,
-+                          enc_part2->client, key, NULL));
-+    krb5_pac_free(context, pac);
-+    *has_pac = TRUE;
- }
- 
- int
-@@ -252,6 +289,7 @@ main(int argc, char **argv)
-     krb5_ticket *ticket;
-     krb5_authdata **req_authdata = NULL, *ad;
-     krb5_keytab_entry ktent;
-+    krb5_boolean with_pac;
-     size_t count;
-     int c;
- 
-@@ -311,8 +349,10 @@ main(int argc, char **argv)
-                             ticket->enc_part.enctype, &ktent));
-     check(krb5_decrypt_tkt_part(ctx, &ktent.key, ticket));
- 
-+    check_pac(ctx, ticket->enc_part2, &ktent.key, &with_pac);
-     display_authdata_list(ticket->enc_part2->authorization_data,
--                          ticket->enc_part2->session, &ktent.key, ' ');
-+                          ticket->enc_part2->session, &ktent.key, ' ',
-+                          with_pac);
- 
-     while (count > 0) {
-         free(req_authdata[--count]->contents);

downstream-Adjust-build-configuration.patch

@@ -1,4 +1,4 @@
-From 74e18ba4575ed2fbf67dd57c3712f01ecba76932 Mon Sep 17 00:00:00 2001
+From cbfe13d5f0de6e2a3deab2ba0dacda8c952476ab Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 23 Aug 2016 16:45:26 -0400
 Subject: [PATCH] [downstream] Adjust build configuration

downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch

@@ -1,4 +1,4 @@
-From 494658b52c8aebd7d31d51faa4eb498b6e6843ed Mon Sep 17 00:00:00 2001
+From 5978878bcee5ec39e4357f408470d39e9540d2bf Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Fri, 9 Nov 2018 15:12:21 -0500
 Subject: [PATCH] [downstream] FIPS with PRNG and RADIUS and MD4
@@ -129,7 +129,7 @@ index a65d57b7a..6ccaca94a 100644
       * The cipher state here is a saved pointer to a struct arcfour_state
       * object, rather than a flat byte array as in most enc providers.  The
 diff --git a/src/lib/crypto/openssl/hash_provider/hash_evp.c b/src/lib/crypto/openssl/hash_provider/hash_evp.c
-index 957ed8d9c..915da9dbe 100644
+index 1e0fb8fc3..feb5eda99 100644
 --- a/src/lib/crypto/openssl/hash_provider/hash_evp.c
 +++ b/src/lib/crypto/openssl/hash_provider/hash_evp.c
 @@ -49,6 +49,11 @@ hash_evp(const EVP_MD *type, const krb5_crypto_iov *data, size_t num_data,

downstream-Remove-3des-support.patch

@@ -1,4 +1,4 @@
-From 0153147f716b8f8710fd307df54908267779c3a4 Mon Sep 17 00:00:00 2001
+From 7dda569170c3f6ab08a9373572b4bc90481eeaf7 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 26 Mar 2019 18:51:10 -0400
 Subject: [PATCH] [downstream] Remove 3des support
@@ -269,7 +269,7 @@ index fc5662767..37eda67fa 100644
  .. |copy| unicode:: U+000A9
  '''
 diff --git a/doc/mitK5features.rst b/doc/mitK5features.rst
-index a7e55f206..77c095c75 100644
+index 513ecfd1b..05243f47b 100644
 --- a/doc/mitK5features.rst
 +++ b/doc/mitK5features.rst
 @@ -37,7 +37,7 @@ Database backends: LDAP, DB2, LMDB

downstream-SELinux-integration.patch

@@ -1,4 +1,4 @@
-From bbdfaec5156307c791804c6eb5ed8c2eefff1318 Mon Sep 17 00:00:00 2001
+From 4a215a206d1d5af69ea9fbf1e78001971ab18be2 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 23 Aug 2016 16:30:53 -0400
 Subject: [PATCH] [downstream] SELinux integration

downstream-Use-backported-version-of-OpenSSL-3-KDF-i.patch

@@ -1,4 +1,4 @@
-From 6015b8b21da26d4b2845ffad8fee3442402ea709 Mon Sep 17 00:00:00 2001
+From 0a53577ebb24f0f9b05d769b34bdd4ef2ee2a629 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Fri, 15 Nov 2019 20:05:16 +0000
 Subject: [PATCH] [downstream] Use backported version of OpenSSL-3 KDF

downstream-fix-debuginfo-with-y.tab.c.patch

@@ -1,4 +1,4 @@
-From c0eb69736c57f791802ba9d2ce8a2c987bb538ba Mon Sep 17 00:00:00 2001
+From ed161c3f3cb642d025f0fee6d4af6f56bba711e9 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 23 Aug 2016 16:49:25 -0400
 Subject: [PATCH] [downstream] fix debuginfo with y.tab.c

downstream-ksu-pam-integration.patch

@@ -1,4 +1,4 @@
-From f59ec1fb55c13b0b0da413930d84a7c73019ed2b Mon Sep 17 00:00:00 2001
+From 9a082e1e02ae4efd2404d0672d38b3d4eb2d6660 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 23 Aug 2016 16:29:58 -0400
 Subject: [PATCH] [downstream] ksu pam integration

downstream-netlib-and-dns.patch

@@ -1,4 +1,4 @@
-From 080082e5a62475fa10da0f9476cac69231f13de0 Mon Sep 17 00:00:00 2001
+From 40553473b674dfbb6328389b6b39ebe3218ed597 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 23 Aug 2016 16:46:21 -0400
 Subject: [PATCH] [downstream] netlib and dns

krb5.spec

@@ -9,7 +9,7 @@
 %global configured_default_ccache_name KEYRING:persistent:%%{uid}
 
 # leave empty or set to e.g., -beta2
-%global prerelease -beta2
+%global prerelease %{nil}
 
 # Should be in form 5.0, 6.1, etc.
 %global kdbversion 8.0
@@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.18
 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
-Release: 0.beta2.3%{?dist}
+Release: 1
 
 # rharwood has trust path to signing key and verifies on check-in
 Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz
@@ -50,9 +50,6 @@ Patch4: downstream-fix-debuginfo-with-y.tab.c.patch
 Patch5: downstream-Remove-3des-support.patch
 Patch6: downstream-Use-backported-version-of-OpenSSL-3-KDF-i.patch
 Patch7: downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch
-Patch8: Put-KDB-authdata-first.patch
-Patch9: Test-that-PAC-is-the-first-authdata-element.patch
-Patch10: Don-t-assume-OpenSSL-failures-are-memory-errors.patch
 
 License: MIT
 URL: https://web.mit.edu/kerberos/www/
@@ -626,6 +623,9 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*
 
 %changelog
+* Wed Feb 12 2020 Robbie Harwood <rharwood@redhat.com> - 1.18-1
+- New upstream version (1.18)
+
 * Fri Feb 07 2020 Robbie Harwood <rharwood@redhat.com> - 1.18-0.beta2.3
 - Don't assume OpenSSL failures are memory errors
 

sources

@@ -1,2 +1,2 @@
-SHA512 (krb5-1.18-beta2.tar.gz) = 1805c56dd6bde929aeaaf82fe20a3485daef5b2730bd74b92e3351b63d99f96c8523d43c5814b1e65b5c293252df7a70e9584530f49734ccad433d4c6c5a392e
-SHA512 (krb5-1.18-beta2.tar.gz.asc) = f437c43e7295365f5dc561b66ec67b90b30c2300ca2c89b2bf0570ad8aa2df4f78f160d0026f3e21b36898d74b5434ce55819d8bdf9b4a535c814cedfdb294b2
+SHA512 (krb5-1.18.tar.gz) = 36a01ea310b4b3d0a3d209b641739575239e1ca5e93b3de99cb1fec83e82f9a70ad0761dd6eb77cda5c18c53044ab80168b00725642a0c2dfde0e492c42af6a9
+SHA512 (krb5-1.18.tar.gz.asc) = a9399a0e98a810b0c1c9e47c280edec329018714d60b3be228d125ea6e9d1548030940ca29ffd92a424675b02922a8509ed6ffec30d42da6c0d505d84c5aba63