!28 【Mainline】Update to 1.19.1

From: @yixiangzhike
Reviewed-by: @zhujianwei001
Signed-off-by: @zhujianwei001
openeuler-ci-bot 2021-06-29 06:24:29 +00:00 committed by Gitee
commit 1a03ba7d93
8 changed files with 153 additions and 260 deletions


@ -1,4 +1,4 @@
From 7dda569170c3f6ab08a9373572b4bc90481eeaf7 Mon Sep 17 00:00:00 2001 From fef4e551d3d2dcb55e58cc182304254c36aa8949 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com> From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 26 Mar 2019 18:51:10 -0400 Date: Tue, 26 Mar 2019 18:51:10 -0400
Subject: [PATCH] [downstream] Remove 3des support Subject: [PATCH] [downstream] Remove 3des support
@ -8,11 +8,11 @@ des3-hmac-sha1, des3-cbc-sha1-kd). Update all tests and documentation
to user other enctypes. Mark the 3DES enctypes UNSUPPORTED and retain to user other enctypes. Mark the 3DES enctypes UNSUPPORTED and retain
their constants. their constants.
Last-updated: 1.18-beta2 Last-updated: 1.19-beta1
--- ---
doc/admin/advanced/retiring-des.rst | 11 + doc/admin/advanced/retiring-des.rst | 11 +
doc/admin/conf_files/kdc_conf.rst | 7 +- doc/admin/conf_files/kdc_conf.rst | 7 +-
doc/admin/enctypes.rst | 13 +- doc/admin/enctypes.rst | 10 +-
doc/admin/troubleshoot.rst | 9 +- doc/admin/troubleshoot.rst | 9 +-
doc/appdev/refs/macros/index.rst | 1 - doc/appdev/refs/macros/index.rst | 1 -
doc/conf.py | 2 +- doc/conf.py | 2 +-
@ -28,7 +28,7 @@ Last-updated: 1.18-beta2
src/lib/crypto/builtin/des/Makefile.in | 80 ---- src/lib/crypto/builtin/des/Makefile.in | 80 ----
src/lib/crypto/builtin/des/d3_aead.c | 133 ------ src/lib/crypto/builtin/des/d3_aead.c | 133 ------
src/lib/crypto/builtin/des/d3_kysched.c | 51 --- src/lib/crypto/builtin/des/d3_kysched.c | 51 ---
src/lib/crypto/builtin/des/deps | 148 ------- src/lib/crypto/builtin/des/deps | 150 -------
src/lib/crypto/builtin/des/des_int.h | 285 ------------- src/lib/crypto/builtin/des/des_int.h | 285 -------------
src/lib/crypto/builtin/des/des_keys.c | 40 -- src/lib/crypto/builtin/des/des_keys.c | 40 --
src/lib/crypto/builtin/des/destest.c | 240 ----------- src/lib/crypto/builtin/des/destest.c | 240 -----------
@ -45,7 +45,7 @@ Last-updated: 1.18-beta2
src/lib/crypto/builtin/des/t_verify.c | 395 ------------------ src/lib/crypto/builtin/des/t_verify.c | 395 ------------------
src/lib/crypto/builtin/des/weak_key.c | 86 ---- src/lib/crypto/builtin/des/weak_key.c | 86 ----
.../crypto/builtin/enc_provider/Makefile.in | 6 +- .../crypto/builtin/enc_provider/Makefile.in | 6 +-
src/lib/crypto/builtin/enc_provider/deps | 12 - src/lib/crypto/builtin/enc_provider/deps | 13 -
src/lib/crypto/builtin/enc_provider/des3.c | 105 ----- src/lib/crypto/builtin/enc_provider/des3.c | 105 -----
src/lib/crypto/crypto_tests/t_cf2.expected | 1 - src/lib/crypto/crypto_tests/t_cf2.expected | 1 -
src/lib/crypto/crypto_tests/t_cf2.in | 5 - src/lib/crypto/crypto_tests/t_cf2.in | 5 -
@ -83,7 +83,6 @@ Last-updated: 1.18-beta2
.../api.current/randkey-principal-v2.exp | 4 +- .../api.current/randkey-principal-v2.exp | 4 +-
src/lib/krb5/krb/init_ctx.c | 3 - src/lib/krb5/krb/init_ctx.c | 3 -
src/lib/krb5/krb/s4u_creds.c | 2 - src/lib/krb5/krb/s4u_creds.c | 2 -
src/lib/krb5/krb/t_copy_context.c | 2 +-
src/lib/krb5/krb/t_etypes.c | 48 +-- src/lib/krb5/krb/t_etypes.c | 48 +--
src/lib/krb5/os/t_trace.c | 4 +- src/lib/krb5/os/t_trace.c | 4 +-
src/lib/krb5/os/t_trace.ref | 2 +- src/lib/krb5/os/t_trace.ref | 2 +-
@ -106,7 +105,7 @@ Last-updated: 1.18-beta2
src/tests/t_salt.py | 5 +- src/tests/t_salt.py | 5 +-
src/util/k5test.py | 7 - src/util/k5test.py | 7 -
.../leash/htmlhelp/html/Encryption_Types.htm | 13 - .../leash/htmlhelp/html/Encryption_Types.htm | 13 -
96 files changed, 163 insertions(+), 4834 deletions(-) 95 files changed, 160 insertions(+), 4835 deletions(-)
delete mode 100644 src/lib/crypto/builtin/des/ISSUES delete mode 100644 src/lib/crypto/builtin/des/ISSUES
delete mode 100644 src/lib/crypto/builtin/des/Makefile.in delete mode 100644 src/lib/crypto/builtin/des/Makefile.in
delete mode 100644 src/lib/crypto/builtin/des/d3_aead.c delete mode 100644 src/lib/crypto/builtin/des/d3_aead.c
@ -135,7 +134,7 @@ Last-updated: 1.18-beta2
delete mode 100644 src/lib/crypto/openssl/enc_provider/des3.c delete mode 100644 src/lib/crypto/openssl/enc_provider/des3.c
diff --git a/doc/admin/advanced/retiring-des.rst b/doc/admin/advanced/retiring-des.rst diff --git a/doc/admin/advanced/retiring-des.rst b/doc/admin/advanced/retiring-des.rst
index 4a964c15c..cb6258d77 100644 index 38f76d3f4..d5e3c30c0 100644
--- a/doc/admin/advanced/retiring-des.rst --- a/doc/admin/advanced/retiring-des.rst
+++ b/doc/admin/advanced/retiring-des.rst +++ b/doc/admin/advanced/retiring-des.rst
@@ -10,6 +10,13 @@ ability have rendered DES vulnerable to brute force attacks on its 56-bit @@ -10,6 +10,13 @@ ability have rendered DES vulnerable to brute force attacks on its 56-bit
@ -164,19 +163,19 @@ index 4a964c15c..cb6258d77 100644
------------- -------------
diff --git a/doc/admin/conf_files/kdc_conf.rst b/doc/admin/conf_files/kdc_conf.rst diff --git a/doc/admin/conf_files/kdc_conf.rst b/doc/admin/conf_files/kdc_conf.rst
index 9759756a2..cf8a12547 100644 index 1dc958d62..3a72aabef 100644
--- a/doc/admin/conf_files/kdc_conf.rst --- a/doc/admin/conf_files/kdc_conf.rst
+++ b/doc/admin/conf_files/kdc_conf.rst +++ b/doc/admin/conf_files/kdc_conf.rst
@@ -843,8 +843,6 @@ Encryption types marked as "weak" are available for compatibility but @@ -848,8 +848,6 @@ Encryption types marked as "weak" and "deprecated" are available for
not recommended for use. compatibility but not recommended for use.
==================================================== ========================================================= ==================================================== =========================================================
-des3-cbc-raw Triple DES cbc mode raw (weak) -des3-cbc-raw Triple DES cbc mode raw (weak)
-des3-cbc-sha1 des3-hmac-sha1 des3-cbc-sha1-kd Triple DES cbc mode with HMAC/sha1 -des3-cbc-sha1 des3-hmac-sha1 des3-cbc-sha1-kd Triple DES cbc mode with HMAC/sha1 (deprecated)
aes256-cts-hmac-sha1-96 aes256-cts aes256-sha1 AES-256 CTS mode with 96-bit SHA-1 HMAC aes256-cts-hmac-sha1-96 aes256-cts aes256-sha1 AES-256 CTS mode with 96-bit SHA-1 HMAC
aes128-cts-hmac-sha1-96 aes128-cts aes128-sha1 AES-128 CTS mode with 96-bit SHA-1 HMAC aes128-cts-hmac-sha1-96 aes128-cts aes128-sha1 AES-128 CTS mode with 96-bit SHA-1 HMAC
aes256-cts-hmac-sha384-192 aes256-sha2 AES-256 CTS mode with 192-bit SHA-384 HMAC aes256-cts-hmac-sha384-192 aes256-sha2 AES-256 CTS mode with 192-bit SHA-384 HMAC
@@ -853,7 +851,6 @@ arcfour-hmac rc4-hmac arcfour-hmac-md5 RC4 with HMAC/MD5 @@ -858,7 +856,6 @@ arcfour-hmac rc4-hmac arcfour-hmac-md5 RC4 with HMAC/MD5 (deprecat
arcfour-hmac-exp rc4-hmac-exp arcfour-hmac-md5-exp Exportable RC4 with HMAC/MD5 (weak) arcfour-hmac-exp rc4-hmac-exp arcfour-hmac-md5-exp Exportable RC4 with HMAC/MD5 (weak)
camellia256-cts-cmac camellia256-cts Camellia-256 CTS mode with CMAC camellia256-cts-cmac camellia256-cts Camellia-256 CTS mode with CMAC
camellia128-cts-cmac camellia128-cts Camellia-128 CTS mode with CMAC camellia128-cts-cmac camellia128-cts Camellia-128 CTS mode with CMAC
@ -184,7 +183,7 @@ index 9759756a2..cf8a12547 100644
aes The AES family: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192, and aes128-cts-hmac-sha256-128 aes The AES family: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192, and aes128-cts-hmac-sha256-128
rc4 The RC4 family: arcfour-hmac rc4 The RC4 family: arcfour-hmac
camellia The Camellia family: camellia256-cts-cmac and camellia128-cts-cmac camellia The Camellia family: camellia256-cts-cmac and camellia128-cts-cmac
@@ -865,8 +862,8 @@ from the current list by prefixing them with a minus sign ("-"). @@ -870,8 +867,8 @@ from the current list by prefixing them with a minus sign ("-").
Types or families can be prefixed with a plus sign ("+") for symmetry; Types or families can be prefixed with a plus sign ("+") for symmetry;
it has the same meaning as just listing the type or family. For it has the same meaning as just listing the type or family. For
example, "``DEFAULT -rc4``" would be the default set of encryption example, "``DEFAULT -rc4``" would be the default set of encryption
@ -196,35 +195,35 @@ index 9759756a2..cf8a12547 100644
While **aes128-cts** and **aes256-cts** are supported for all Kerberos While **aes128-cts** and **aes256-cts** are supported for all Kerberos
diff --git a/doc/admin/enctypes.rst b/doc/admin/enctypes.rst diff --git a/doc/admin/enctypes.rst b/doc/admin/enctypes.rst
index caf6d9267..65b55cdb9 100644 index 047185afb..b08d954d9 100644
--- a/doc/admin/enctypes.rst --- a/doc/admin/enctypes.rst
+++ b/doc/admin/enctypes.rst +++ b/doc/admin/enctypes.rst
@@ -129,7 +129,7 @@ enctype weak? krb5 Windows @@ -129,7 +129,7 @@ enctype weak? krb5 Windows
des-cbc-crc weak <1.18 >=2000 des-cbc-crc weak <1.18 >=2000
des-cbc-md4 weak <1.18 ? des-cbc-md4 weak <1.18 ?
des-cbc-md5 weak <1.18 >=2000 des-cbc-md5 weak <1.18 >=2000
-des3-cbc-sha1 >=1.1 none -des3-cbc-sha1 deprecated >=1.1 none
+des3-cbc-sha1 <1.18 none +des3-cbc-sha1 deprecated <1.18 none
arcfour-hmac >=1.3 >=2000 arcfour-hmac deprecated >=1.3 >=2000
arcfour-hmac-exp weak >=1.3 >=2000 arcfour-hmac-exp weak >=1.3 >=2000
aes128-cts-hmac-sha1-96 >=1.3 >=Vista aes128-cts-hmac-sha1-96 >=1.3 >=Vista
@@ -140,7 +140,10 @@ camellia128-cts-cmac >=1.9 none @@ -148,9 +148,11 @@ default.
camellia256-cts-cmac >=1.9 none krb5 releases 1.17 and later flag deprecated encryption types
========================== ===== ======== ======= (including ``des3-cbc-sha1`` and ``arcfour-hmac``) in KDC logs and
kadmin output. krb5 release 1.19 issues a warning during initial
-krb5 releases 1.18 and later do not support single-DES. krb5 releases -authentication if ``des3-cbc-sha1`` is used. Future releases will
-1.8 and later disable the single-DES enctypes by default. Microsoft -disable ``des3-cbc-sha1`` by default and eventually remove support for
-Windows releases Windows 7 and later disable single-DES enctypes by -it.
-default. +authentication if ``des3-cbc-sha1`` is used.
+krb5 releases 1.8 and later disable the single-DES enctypes by
+default. Microsoft Windows releases Windows 7 and later disable
+single-DES enctypes by default.
+ +
+krb5 releases 1.18 and later remove single-DES and 3DES +krb5 releases 1.18 and later remove single-DES and 3DES
+(downstream-only patch) enctype support. Microsoft Windows never +(downstream-only patch) enctype support. Microsoft Windows never
+supported 3DES. +supported 3DES.
Migrating away from older encryption types
diff --git a/doc/admin/troubleshoot.rst b/doc/admin/troubleshoot.rst diff --git a/doc/admin/troubleshoot.rst b/doc/admin/troubleshoot.rst
index 6a0c7f89b..263fc9c97 100644 index ade5e1f87..e4dc54f7e 100644
--- a/doc/admin/troubleshoot.rst --- a/doc/admin/troubleshoot.rst
+++ b/doc/admin/troubleshoot.rst +++ b/doc/admin/troubleshoot.rst
@@ -73,11 +73,10 @@ credential verification failed: KDC has no support for encryption type @@ -73,11 +73,10 @@ credential verification failed: KDC has no support for encryption type
@ -244,7 +243,7 @@ index 6a0c7f89b..263fc9c97 100644
.. _err_cert_chain_cert_expired: .. _err_cert_chain_cert_expired:
diff --git a/doc/appdev/refs/macros/index.rst b/doc/appdev/refs/macros/index.rst diff --git a/doc/appdev/refs/macros/index.rst b/doc/appdev/refs/macros/index.rst
index 68debe714..788d094bf 100644 index cebb6644c..4d51e795c 100644
--- a/doc/appdev/refs/macros/index.rst --- a/doc/appdev/refs/macros/index.rst
+++ b/doc/appdev/refs/macros/index.rst +++ b/doc/appdev/refs/macros/index.rst
@@ -36,7 +36,6 @@ Public @@ -36,7 +36,6 @@ Public
@ -256,10 +255,10 @@ index 68debe714..788d094bf 100644
CKSUMTYPE_NIST_SHA.rst CKSUMTYPE_NIST_SHA.rst
CKSUMTYPE_RSA_MD4.rst CKSUMTYPE_RSA_MD4.rst
diff --git a/doc/conf.py b/doc/conf.py diff --git a/doc/conf.py b/doc/conf.py
index fc5662767..37eda67fa 100644 index 543202bf4..4fb6aae14 100644
--- a/doc/conf.py --- a/doc/conf.py
+++ b/doc/conf.py +++ b/doc/conf.py
@@ -272,7 +272,7 @@ else: @@ -271,7 +271,7 @@ else:
rst_epilog += ''' rst_epilog += '''
.. |krb5conf| replace:: ``/etc/krb5.conf`` .. |krb5conf| replace:: ``/etc/krb5.conf``
.. |defkeysalts| replace:: ``aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal`` .. |defkeysalts| replace:: ``aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal``
@ -269,7 +268,7 @@ index fc5662767..37eda67fa 100644
.. |copy| unicode:: U+000A9 .. |copy| unicode:: U+000A9
''' '''
diff --git a/doc/mitK5features.rst b/doc/mitK5features.rst diff --git a/doc/mitK5features.rst b/doc/mitK5features.rst
index 513ecfd1b..05243f47b 100644 index 4954bb3aa..92ce2a772 100644
--- a/doc/mitK5features.rst --- a/doc/mitK5features.rst
+++ b/doc/mitK5features.rst +++ b/doc/mitK5features.rst
@@ -37,7 +37,7 @@ Database backends: LDAP, DB2, LMDB @@ -37,7 +37,7 @@ Database backends: LDAP, DB2, LMDB
@ -282,7 +281,7 @@ index 513ecfd1b..05243f47b 100644
Interoperability Interoperability
---------------- ----------------
diff --git a/src/Makefile.in b/src/Makefile.in diff --git a/src/Makefile.in b/src/Makefile.in
index 56c7a4e6f..70db82a30 100644 index 7d2507ef8..c16715ac7 100644
--- a/src/Makefile.in --- a/src/Makefile.in
+++ b/src/Makefile.in +++ b/src/Makefile.in
@@ -130,7 +130,7 @@ WINMAKEFILES=Makefile \ @@ -130,7 +130,7 @@ WINMAKEFILES=Makefile \
@ -304,10 +303,10 @@ index 56c7a4e6f..70db82a30 100644
##DOS## $(WCONFIG) config < $@.in > $@ ##DOS## $(WCONFIG) config < $@.in > $@
##DOS##lib\crypto\builtin\camellia\Makefile: lib\crypto\builtin\camellia\Makefile.in $(MKFDEP) ##DOS##lib\crypto\builtin\camellia\Makefile: lib\crypto\builtin\camellia\Makefile.in $(MKFDEP)
diff --git a/src/configure.ac b/src/configure.ac diff --git a/src/configure.ac b/src/configure.ac
index 440a22bd9..d4e4da525 100644 index dd2cad3ee..3e1052db7 100644
--- a/src/configure.ac --- a/src/configure.ac
+++ b/src/configure.ac +++ b/src/configure.ac
@@ -1481,7 +1481,6 @@ V5_AC_OUTPUT_MAKEFILE(. @@ -1480,7 +1480,6 @@ V5_AC_OUTPUT_MAKEFILE(.
lib/crypto lib/crypto/krb lib/crypto/$CRYPTO_IMPL lib/crypto lib/crypto/krb lib/crypto/$CRYPTO_IMPL
lib/crypto/$CRYPTO_IMPL/enc_provider lib/crypto/$CRYPTO_IMPL/enc_provider
lib/crypto/$CRYPTO_IMPL/hash_provider lib/crypto/$CRYPTO_IMPL/hash_provider
@ -316,7 +315,7 @@ index 440a22bd9..d4e4da525 100644
lib/crypto/$CRYPTO_IMPL/sha1 lib/crypto/$CRYPTO_IMPL/sha2 lib/crypto/$CRYPTO_IMPL/sha1 lib/crypto/$CRYPTO_IMPL/sha2
lib/crypto/$CRYPTO_IMPL/aes lib/crypto/$CRYPTO_IMPL/camellia lib/crypto/$CRYPTO_IMPL/aes lib/crypto/$CRYPTO_IMPL/camellia
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index d1f5661bf..26a3b6ec8 100644 index db80063eb..63e67a2ba 100644
--- a/src/include/krb5/krb5.hin --- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin +++ b/src/include/krb5/krb5.hin
@@ -426,8 +426,8 @@ typedef struct _krb5_crypto_iov { @@ -426,8 +426,8 @@ typedef struct _krb5_crypto_iov {
@ -365,10 +364,10 @@ index 8a4b87de1..d7f1d076b 100644
+ supported_enctypes = aes256-cts:normal aes128-cts:normal aes256-sha2:normal aes128-sha2:normal + supported_enctypes = aes256-cts:normal aes128-cts:normal aes256-sha2:normal aes128-sha2:normal
} }
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 221bde1dd..b8d292021 100644 index 60f30c4f4..c65375aef 100644
--- a/src/kdc/kdc_util.c --- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c +++ b/src/kdc/kdc_util.c
@@ -1103,8 +1103,6 @@ enctype_name(krb5_enctype ktype, char *buf, size_t buflen) @@ -1017,8 +1017,6 @@ enctype_name(krb5_enctype ktype, char *buf, size_t buflen)
name = "rsaEncryption-EnvOID"; name = "rsaEncryption-EnvOID";
else if (ktype == ENCTYPE_RSA_ES_OAEP_ENV) else if (ktype == ENCTYPE_RSA_ES_OAEP_ENV)
name = "id-RSAES-OAEP-EnvOID"; name = "id-RSAES-OAEP-EnvOID";
@ -377,7 +376,7 @@ index 221bde1dd..b8d292021 100644
else else
return krb5_enctype_to_name(ktype, FALSE, buf, buflen); return krb5_enctype_to_name(ktype, FALSE, buf, buflen);
@@ -1841,8 +1839,6 @@ krb5_boolean @@ -1605,8 +1603,6 @@ krb5_boolean
enctype_requires_etype_info_2(krb5_enctype enctype) enctype_requires_etype_info_2(krb5_enctype enctype)
{ {
switch(enctype) { switch(enctype) {
@ -470,7 +469,7 @@ index 157891103..000000000
-const? -const?
diff --git a/src/lib/crypto/builtin/des/Makefile.in b/src/lib/crypto/builtin/des/Makefile.in diff --git a/src/lib/crypto/builtin/des/Makefile.in b/src/lib/crypto/builtin/des/Makefile.in
deleted file mode 100644 deleted file mode 100644
index ed25dab7c..000000000 index 54b329d0f..000000000
--- a/src/lib/crypto/builtin/des/Makefile.in --- a/src/lib/crypto/builtin/des/Makefile.in
+++ /dev/null +++ /dev/null
@@ -1,80 +0,0 @@ @@ -1,80 +0,0 @@
@ -527,7 +526,7 @@ index ed25dab7c..000000000
-verify$(EXEEXT): t_verify.$(OBJEXT) $(TOBJS) f_parity.$(OBJEXT) \ -verify$(EXEEXT): t_verify.$(OBJEXT) $(TOBJS) f_parity.$(OBJEXT) \
- $(COM_ERR_DEPLIB) $(SUPPORT_DEPLIB) - $(COM_ERR_DEPLIB) $(SUPPORT_DEPLIB)
- $(CC_LINK) -o $@ t_verify.$(OBJEXT) $(TOBJS) f_parity.$(OBJEXT) \ - $(CC_LINK) -o $@ t_verify.$(OBJEXT) $(TOBJS) f_parity.$(OBJEXT) \
- -lcom_err $(SUPPORT_LIB) - $(COM_ERR_LIB) $(SUPPORT_LIB)
- -
-destest$(EXEEXT): destest.$(OBJEXT) $(TOBJS) $(SUPPORT_DEPLIB) -destest$(EXEEXT): destest.$(OBJEXT) $(TOBJS) $(SUPPORT_DEPLIB)
- $(CC_LINK) -o $@ destest.$(OBJEXT) $(TOBJS) $(SUPPORT_LIB) - $(CC_LINK) -o $@ destest.$(OBJEXT) $(TOBJS) $(SUPPORT_LIB)
@ -752,17 +751,18 @@ index ebd1050b1..000000000
-} -}
diff --git a/src/lib/crypto/builtin/des/deps b/src/lib/crypto/builtin/des/deps diff --git a/src/lib/crypto/builtin/des/deps b/src/lib/crypto/builtin/des/deps
deleted file mode 100644 deleted file mode 100644
index df2a31dac..000000000 index a1db1f36e..000000000
--- a/src/lib/crypto/builtin/des/deps --- a/src/lib/crypto/builtin/des/deps
+++ /dev/null +++ /dev/null
@@ -1,148 +0,0 @@ @@ -1,150 +0,0 @@
-# -#
-# Generated makefile dependencies follow. -# Generated makefile dependencies follow.
-# -#
-d3_aead.so d3_aead.po $(OUTPRE)d3_aead.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ -d3_aead.so d3_aead.po $(OUTPRE)d3_aead.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h \
- $(srcdir)/../aes/aes.h $(srcdir)/../crypto_mod.h $(srcdir)/../sha2/sha2.h \ - $(srcdir)/../aes/aes.h $(srcdir)/../aes/brg_types.h \
- $(srcdir)/../crypto_mod.h $(srcdir)/../sha2/sha2.h \
- $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ - $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
- $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ - $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
@ -786,19 +786,20 @@ index df2a31dac..000000000
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h $(srcdir)/../aes/aes.h \ - $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h $(srcdir)/../aes/aes.h \
- $(srcdir)/../crypto_mod.h $(srcdir)/../sha2/sha2.h \ - $(srcdir)/../aes/brg_types.h $(srcdir)/../crypto_mod.h \
- $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ - $(srcdir)/../sha2/sha2.h $(top_srcdir)/include/k5-buf.h \
- $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
- $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
- $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
- des_int.h des_keys.c - $(top_srcdir)/include/socket-utils.h des_int.h des_keys.c
-f_aead.so f_aead.po $(OUTPRE)f_aead.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ -f_aead.so f_aead.po $(OUTPRE)f_aead.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h \
- $(srcdir)/../aes/aes.h $(srcdir)/../crypto_mod.h $(srcdir)/../sha2/sha2.h \ - $(srcdir)/../aes/aes.h $(srcdir)/../aes/brg_types.h \
- $(srcdir)/../crypto_mod.h $(srcdir)/../sha2/sha2.h \
- $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ - $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
- $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ - $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
@ -1489,7 +1490,7 @@ index 52114304e..000000000
-} -}
diff --git a/src/lib/crypto/builtin/des/doc/libdes.doc b/src/lib/crypto/builtin/des/doc/libdes.doc diff --git a/src/lib/crypto/builtin/des/doc/libdes.doc b/src/lib/crypto/builtin/des/doc/libdes.doc
deleted file mode 100644 deleted file mode 100644
index 19c03c1d3..000000000 index 6e9431ed2..000000000
--- a/src/lib/crypto/builtin/des/doc/libdes.doc --- a/src/lib/crypto/builtin/des/doc/libdes.doc
+++ /dev/null +++ /dev/null
@@ -1,208 +0,0 @@ @@ -1,208 +0,0 @@
@ -1644,7 +1645,7 @@ index 19c03c1d3..000000000
- by "*key", then after getting a new key, call the des_set_key() - by "*key", then after getting a new key, call the des_set_key()
- routine when needed. - routine when needed.
- -
- No meaningfull value is returned. Void is not used for compatibility - No meaningful value is returned. Void is not used for compatibility
- with other compilers. - with other compilers.
- -
- -
@ -3625,7 +3626,7 @@ index 7ff34eedc..000000000
-1C587F1C13924FEF 305532286D6F295A 63FAC0D034D9F793 -1C587F1C13924FEF 305532286D6F295A 63FAC0D034D9F793
diff --git a/src/lib/crypto/builtin/des/t_verify.c b/src/lib/crypto/builtin/des/t_verify.c diff --git a/src/lib/crypto/builtin/des/t_verify.c b/src/lib/crypto/builtin/des/t_verify.c
deleted file mode 100644 deleted file mode 100644
index f4332f5c0..000000000 index 4a19933ca..000000000
--- a/src/lib/crypto/builtin/des/t_verify.c --- a/src/lib/crypto/builtin/des/t_verify.c
+++ /dev/null +++ /dev/null
@@ -1,395 +0,0 @@ @@ -1,395 +0,0 @@
@ -3956,7 +3957,7 @@ index f4332f5c0..000000000
- printf("%02x ",cipher_text[j]); - printf("%02x ",cipher_text[j]);
- printf("\n\n"); - printf("\n\n");
- if ( memcmp((char *)cipher_text, (char *)checksum, 8) ) { - if ( memcmp((char *)cipher_text, (char *)checksum, 8) ) {
- printf("verify: error in CBC cheksum\n"); - printf("verify: error in CBC checksum\n");
- exit(-1); - exit(-1);
- } - }
- else - else
@ -4150,17 +4151,18 @@ index 3459e1d0e..af6276b96 100644
$(srcdir)/camellia.c \ $(srcdir)/camellia.c \
$(srcdir)/rc4.c $(srcdir)/rc4.c
diff --git a/src/lib/crypto/builtin/enc_provider/deps b/src/lib/crypto/builtin/enc_provider/deps diff --git a/src/lib/crypto/builtin/enc_provider/deps b/src/lib/crypto/builtin/enc_provider/deps
index 7a3324c44..c1201cc1a 100644 index ea4ffecd8..061289a91 100644
--- a/src/lib/crypto/builtin/enc_provider/deps --- a/src/lib/crypto/builtin/enc_provider/deps
+++ b/src/lib/crypto/builtin/enc_provider/deps +++ b/src/lib/crypto/builtin/enc_provider/deps
@@ -1,18 +1,6 @@ @@ -1,19 +1,6 @@
# #
# Generated makefile dependencies follow. # Generated makefile dependencies follow.
# #
-des3.so des3.po $(OUTPRE)des3.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ -des3.so des3.po $(OUTPRE)des3.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h \
- $(srcdir)/../aes/aes.h $(srcdir)/../crypto_mod.h $(srcdir)/../des/des_int.h \ - $(srcdir)/../aes/aes.h $(srcdir)/../aes/brg_types.h \
- $(srcdir)/../crypto_mod.h $(srcdir)/../des/des_int.h \
- $(srcdir)/../sha2/sha2.h $(top_srcdir)/include/k5-buf.h \ - $(srcdir)/../sha2/sha2.h $(top_srcdir)/include/k5-buf.h \
- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
- $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
@ -4311,7 +4313,7 @@ index 73e2f8fbc..c4d23b506 100644
key1 key1
key2 key2
diff --git a/src/lib/crypto/crypto_tests/t_cksums.c b/src/lib/crypto/crypto_tests/t_cksums.c diff --git a/src/lib/crypto/crypto_tests/t_cksums.c b/src/lib/crypto/crypto_tests/t_cksums.c
index 4da14ea43..84408fb68 100644 index 8297fcbf5..3063d12ec 100644
--- a/src/lib/crypto/crypto_tests/t_cksums.c --- a/src/lib/crypto/crypto_tests/t_cksums.c
+++ b/src/lib/crypto/crypto_tests/t_cksums.c +++ b/src/lib/crypto/crypto_tests/t_cksums.c
@@ -59,16 +59,6 @@ struct test { @@ -59,16 +59,6 @@ struct test {
@ -4593,7 +4595,7 @@ index ecc2e08c9..f5fbe8a2a 100644
"hmac-md5-rc4", { "hmac-md5-enc", "hmac-md5-earcfour" }, "hmac-md5-rc4", { "hmac-md5-enc", "hmac-md5-earcfour" },
"Microsoft HMAC MD5", "Microsoft HMAC MD5",
diff --git a/src/lib/crypto/krb/crypto_int.h b/src/lib/crypto/krb/crypto_int.h diff --git a/src/lib/crypto/krb/crypto_int.h b/src/lib/crypto/krb/crypto_int.h
index ba693f8a4..5cc1f8e43 100644 index 19f808749..4bc430c7a 100644
--- a/src/lib/crypto/krb/crypto_int.h --- a/src/lib/crypto/krb/crypto_int.h
+++ b/src/lib/crypto/krb/crypto_int.h +++ b/src/lib/crypto/krb/crypto_int.h
@@ -276,10 +276,6 @@ krb5_error_code krb5int_aes2_string_to_key(const struct krb5_keytypes *enc, @@ -276,10 +276,6 @@ krb5_error_code krb5int_aes2_string_to_key(const struct krb5_keytypes *enc,
@ -4814,7 +4816,7 @@ index 157462526..863090beb 100644
- return 0; - return 0;
-} -}
diff --git a/src/lib/crypto/libk5crypto.exports b/src/lib/crypto/libk5crypto.exports diff --git a/src/lib/crypto/libk5crypto.exports b/src/lib/crypto/libk5crypto.exports
index 451d5e035..9db181381 100644 index d6cc1b423..f44cb9170 100644
--- a/src/lib/crypto/libk5crypto.exports --- a/src/lib/crypto/libk5crypto.exports
+++ b/src/lib/crypto/libk5crypto.exports +++ b/src/lib/crypto/libk5crypto.exports
@@ -86,7 +86,6 @@ krb5_k_verify_checksum @@ -86,7 +86,6 @@ krb5_k_verify_checksum
@ -5193,10 +5195,10 @@ index 1c439c2cd..000000000
- krb5int_default_free_state - krb5int_default_free_state
-}; -};
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index c821cc830..c5bddb1e8 100644 index 75f071c3e..fcf2c2152 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c --- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c +++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -1010,7 +1010,6 @@ kg_accept_krb5(minor_status, context_handle, @@ -1039,7 +1039,6 @@ kg_accept_krb5(minor_status, context_handle,
} }
switch (negotiated_etype) { switch (negotiated_etype) {
@ -5205,7 +5207,7 @@ index c821cc830..c5bddb1e8 100644
case ENCTYPE_ARCFOUR_HMAC_EXP: case ENCTYPE_ARCFOUR_HMAC_EXP:
/* RFC 4121 accidentally omits RC4-HMAC-EXP as a "not-newer" /* RFC 4121 accidentally omits RC4-HMAC-EXP as a "not-newer"
diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
index 2e2c775d6..f5b0fede6 100644 index a7e0e63ec..3bacdcd35 100644
--- a/src/lib/gssapi/krb5/gssapiP_krb5.h --- a/src/lib/gssapi/krb5/gssapiP_krb5.h
+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h +++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
@@ -125,14 +125,14 @@ enum sgn_alg { @@ -125,14 +125,14 @@ enum sgn_alg {
@ -5552,7 +5554,7 @@ index 85a9574f3..3ce2a90ce 100644
code = 0; code = 0;
retval = GSS_S_BAD_SIG; retval = GSS_S_BAD_SIG;
diff --git a/src/lib/gssapi/krb5/util_crypt.c b/src/lib/gssapi/krb5/util_crypt.c diff --git a/src/lib/gssapi/krb5/util_crypt.c b/src/lib/gssapi/krb5/util_crypt.c
index 80954aff7..f7d3e92c4 100644 index 84f194988..32150f5e3 100644
--- a/src/lib/gssapi/krb5/util_crypt.c --- a/src/lib/gssapi/krb5/util_crypt.c
+++ b/src/lib/gssapi/krb5/util_crypt.c +++ b/src/lib/gssapi/krb5/util_crypt.c
@@ -97,17 +97,6 @@ kg_setup_keys(krb5_context context, krb5_gss_ctx_id_rec *ctx, krb5_key subkey, @@ -97,17 +97,6 @@ kg_setup_keys(krb5_context context, krb5_gss_ctx_id_rec *ctx, krb5_key subkey,
@ -5623,7 +5625,7 @@ index 2925c1c43..2f76c8b43 100644
if { ! [cmd {kadm5_destroy $server_handle}]} { if { ! [cmd {kadm5_destroy $server_handle}]} {
perror "$test: unexpected failure in destroy" perror "$test: unexpected failure in destroy"
diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c
index e7d67cca4..9a4741fa6 100644 index aa35baa3c..bfa99d9eb 100644
--- a/src/lib/krb5/krb/init_ctx.c --- a/src/lib/krb5/krb/init_ctx.c
+++ b/src/lib/krb5/krb/init_ctx.c +++ b/src/lib/krb5/krb/init_ctx.c
@@ -59,7 +59,6 @@ @@ -59,7 +59,6 @@
@ -5634,7 +5636,7 @@ index e7d67cca4..9a4741fa6 100644
ENCTYPE_ARCFOUR_HMAC, ENCTYPE_ARCFOUR_HMAC,
ENCTYPE_CAMELLIA128_CTS_CMAC, ENCTYPE_CAMELLIA256_CTS_CMAC, ENCTYPE_CAMELLIA128_CTS_CMAC, ENCTYPE_CAMELLIA256_CTS_CMAC,
0 0
@@ -479,8 +478,6 @@ krb5int_parse_enctype_list(krb5_context context, const char *profkey, @@ -467,8 +466,6 @@ krb5int_parse_enctype_list(krb5_context context, const char *profkey,
/* Set all enctypes in the default list. */ /* Set all enctypes in the default list. */
for (i = 0; default_list[i]; i++) for (i = 0; default_list[i]; i++)
mod_list(default_list[i], sel, weak, &list); mod_list(default_list[i], sel, weak, &list);
@ -5644,10 +5646,10 @@ index e7d67cca4..9a4741fa6 100644
mod_list(ENCTYPE_AES256_CTS_HMAC_SHA1_96, sel, weak, &list); mod_list(ENCTYPE_AES256_CTS_HMAC_SHA1_96, sel, weak, &list);
mod_list(ENCTYPE_AES128_CTS_HMAC_SHA1_96, sel, weak, &list); mod_list(ENCTYPE_AES128_CTS_HMAC_SHA1_96, sel, weak, &list);
diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c
index 504eb557f..fc5c886d6 100644 index 44d113e7c..966278578 100644
--- a/src/lib/krb5/krb/s4u_creds.c --- a/src/lib/krb5/krb/s4u_creds.c
+++ b/src/lib/krb5/krb/s4u_creds.c +++ b/src/lib/krb5/krb/s4u_creds.c
@@ -287,8 +287,6 @@ verify_s4u2self_reply(krb5_context context, @@ -288,8 +288,6 @@ verify_s4u2self_reply(krb5_context context,
assert(req_s4u_user != NULL); assert(req_s4u_user != NULL);
switch (subkey->enctype) { switch (subkey->enctype) {
@ -5656,21 +5658,8 @@ index 504eb557f..fc5c886d6 100644
case ENCTYPE_ARCFOUR_HMAC: case ENCTYPE_ARCFOUR_HMAC:
case ENCTYPE_ARCFOUR_HMAC_EXP : case ENCTYPE_ARCFOUR_HMAC_EXP :
not_newer = TRUE; not_newer = TRUE;
diff --git a/src/lib/krb5/krb/t_copy_context.c b/src/lib/krb5/krb/t_copy_context.c
index 2970a8cea..fb82daf19 100644
--- a/src/lib/krb5/krb/t_copy_context.c
+++ b/src/lib/krb5/krb/t_copy_context.c
@@ -113,7 +113,7 @@ main(int argc, char **argv)
{
krb5_context ctx, ctx2;
krb5_plugin_initvt_fn *mods;
- const krb5_enctype etypes1[] = { ENCTYPE_DES3_CBC_SHA1, 0 };
+ const krb5_enctype etypes1[] = { ENCTYPE_AES128_CTS_HMAC_SHA256_128, 0 };
const krb5_enctype etypes2[] = { ENCTYPE_AES128_CTS_HMAC_SHA1_96,
ENCTYPE_AES256_CTS_HMAC_SHA1_96, 0 };
krb5_prompt_type ptypes[] = { KRB5_PROMPT_TYPE_PASSWORD };
diff --git a/src/lib/krb5/krb/t_etypes.c b/src/lib/krb5/krb/t_etypes.c diff --git a/src/lib/krb5/krb/t_etypes.c b/src/lib/krb5/krb/t_etypes.c
index f609e938a..248ffea90 100644 index 90c9f626c..935aca12f 100644
--- a/src/lib/krb5/krb/t_etypes.c --- a/src/lib/krb5/krb/t_etypes.c
+++ b/src/lib/krb5/krb/t_etypes.c +++ b/src/lib/krb5/krb/t_etypes.c
@@ -50,17 +50,6 @@ static struct { @@ -50,17 +50,6 @@ static struct {
@ -5787,7 +5776,7 @@ index e3d284631..586661bb7 100644
#define CKK_CAST3 (0x17) #define CKK_CAST3 (0x17)
#define CKK_CAST128 (0x18) #define CKK_CAST128 (0x18)
diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
index 1a642139a..2f0431991 100644 index 2817cc213..a385da7c3 100644
--- a/src/plugins/preauth/pkinit/pkinit_clnt.c --- a/src/plugins/preauth/pkinit/pkinit_clnt.c
+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c +++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
@@ -212,14 +212,6 @@ pkinit_as_req_create(krb5_context context, @@ -212,14 +212,6 @@ pkinit_as_req_create(krb5_context context,
@ -5806,7 +5795,7 @@ index 1a642139a..2f0431991 100644
case DH_PROTOCOL: case DH_PROTOCOL:
TRACE_PKINIT_CLIENT_REQ_DH(context); TRACE_PKINIT_CLIENT_REQ_DH(context);
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h
index 8064a07d0..a291889b0 100644 index 77d5c61fe..1f9868351 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto.h --- a/src/plugins/preauth/pkinit/pkinit_crypto.h
+++ b/src/plugins/preauth/pkinit/pkinit_crypto.h +++ b/src/plugins/preauth/pkinit/pkinit_crypto.h
@@ -380,18 +380,6 @@ krb5_error_code server_process_dh @@ -380,18 +380,6 @@ krb5_error_code server_process_dh
@ -5829,10 +5818,10 @@ index 8064a07d0..a291889b0 100644
* this functions takes in crypto specific representation of * this functions takes in crypto specific representation of
* trustedCertifiers and creates a list of * trustedCertifiers and creates a list of
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index 8c7fd0cca..52976895b 100644 index e5940a513..e1153344e 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c --- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -5487,44 +5487,6 @@ cleanup: @@ -5486,44 +5486,6 @@ cleanup:
return retval; return retval;
} }
@ -5963,7 +5952,7 @@ index 2279202d3..96b0307d7 100644
/* initial key, w, x, y, T, S, K */ /* initial key, w, x, y, T, S, K */
"8846F7EAEE8FB117AD06BDD830B7586C", "8846F7EAEE8FB117AD06BDD830B7586C",
diff --git a/src/tests/dejagnu/config/default.exp b/src/tests/dejagnu/config/default.exp diff --git a/src/tests/dejagnu/config/default.exp b/src/tests/dejagnu/config/default.exp
index b047ef1f7..4d8c917cd 100644 index 85bbf478a..302dee74c 100644
--- a/src/tests/dejagnu/config/default.exp --- a/src/tests/dejagnu/config/default.exp
+++ b/src/tests/dejagnu/config/default.exp +++ b/src/tests/dejagnu/config/default.exp
@@ -15,8 +15,6 @@ set timeout 100 @@ -15,8 +15,6 @@ set timeout 100
@ -6100,7 +6089,7 @@ index b047ef1f7..4d8c917cd 100644
# create the admin database lock file # create the admin database lock file
diff --git a/src/tests/dejagnu/krb-standalone/kprop.exp b/src/tests/dejagnu/krb-standalone/kprop.exp diff --git a/src/tests/dejagnu/krb-standalone/kprop.exp b/src/tests/dejagnu/krb-standalone/kprop.exp
index f71ee8638..8c08cf42f 100644 index 661e3fd9a..2b8f60045 100644
--- a/src/tests/dejagnu/krb-standalone/kprop.exp --- a/src/tests/dejagnu/krb-standalone/kprop.exp
+++ b/src/tests/dejagnu/krb-standalone/kprop.exp +++ b/src/tests/dejagnu/krb-standalone/kprop.exp
@@ -54,7 +54,7 @@ proc doit { } { @@ -54,7 +54,7 @@ proc doit { } {
@ -6258,10 +6247,10 @@ index f71774cdc..d1857c433 100644
"3BB3AE288C12B3B9D06B208A4151B3B6", "3BB3AE288C12B3B9D06B208A4151B3B6",
"9AEA11A3BCF3C53F1F91F5A0BA2132E2501ADF5F3C28" "9AEA11A3BCF3C53F1F91F5A0BA2132E2501ADF5F3C28"
diff --git a/src/tests/t_authdata.py b/src/tests/t_authdata.py diff --git a/src/tests/t_authdata.py b/src/tests/t_authdata.py
index 378174a2e..3153ebca3 100644 index 3fa957ad2..2e01f46bc 100644
--- a/src/tests/t_authdata.py --- a/src/tests/t_authdata.py
+++ b/src/tests/t_authdata.py +++ b/src/tests/t_authdata.py
@@ -172,7 +172,7 @@ realm.run([kvno, 'restricted']) @@ -174,7 +174,7 @@ realm.run([kvno, 'restricted'])
# preferred krbtgt enctype changes. # preferred krbtgt enctype changes.
mark('#8139 regression test') mark('#8139 regression test')
realm.kinit(realm.user_princ, password('user'), ['-f']) realm.kinit(realm.user_princ, password('user'), ['-f'])
@ -6271,7 +6260,7 @@ index 378174a2e..3153ebca3 100644
realm.run(['./forward']) realm.run(['./forward'])
realm.run([kvno, realm.host_princ]) realm.run([kvno, realm.host_princ])
diff --git a/src/tests/t_etype_info.py b/src/tests/t_etype_info.py diff --git a/src/tests/t_etype_info.py b/src/tests/t_etype_info.py
index 2a052fc17..ace0edc3c 100644 index c982508d8..96e90a69d 100644
--- a/src/tests/t_etype_info.py --- a/src/tests/t_etype_info.py
+++ b/src/tests/t_etype_info.py +++ b/src/tests/t_etype_info.py
@@ -1,6 +1,6 @@ @@ -1,6 +1,6 @@
@ -6282,7 +6271,7 @@ index 2a052fc17..ace0edc3c 100644
conf = {'libdefaults': {'allow_weak_crypto': 'true'}, conf = {'libdefaults': {'allow_weak_crypto': 'true'},
'realms': {'$realm': {'supported_enctypes': supported_enctypes}}} 'realms': {'$realm': {'supported_enctypes': supported_enctypes}}}
realm = K5Realm(create_host=False, get_creds=False, krb5_conf=conf) realm = K5Realm(create_host=False, get_creds=False, krb5_conf=conf)
@@ -24,9 +24,9 @@ def test_etinfo(princ, enctypes, expected_lines): @@ -26,9 +26,9 @@ def test_etinfo(princ, enctypes, expected_lines):
# With no newer enctypes in the request, PA-ETYPE-INFO2, # With no newer enctypes in the request, PA-ETYPE-INFO2,
# PA-ETYPE-INFO, and PA-PW-SALT appear in the AS-REP, each listing one # PA-ETYPE-INFO, and PA-PW-SALT appear in the AS-REP, each listing one
# key for the most preferred matching enctype. # key for the most preferred matching enctype.
@ -6295,7 +6284,7 @@ index 2a052fc17..ace0edc3c 100644
'asrep pw_salt KRBTEST.COMuser']) 'asrep pw_salt KRBTEST.COMuser'])
# With a newer enctype in the request (even if it is not the most # With a newer enctype in the request (even if it is not the most
@@ -37,9 +37,9 @@ test_etinfo('user', 'rc4 aes256-cts', @@ -39,9 +39,9 @@ test_etinfo('user', 'rc4 aes256-cts',
# In preauth-required errors, PA-PW-SALT does not appear, but the same # In preauth-required errors, PA-PW-SALT does not appear, but the same
# etype-info2 values are expected. # etype-info2 values are expected.
@ -6308,7 +6297,7 @@ index 2a052fc17..ace0edc3c 100644
test_etinfo('preauthuser', 'rc4 aes256-cts', test_etinfo('preauthuser', 'rc4 aes256-cts',
['error etype_info2 rc4-hmac KRBTEST.COMpreauthuser']) ['error etype_info2 rc4-hmac KRBTEST.COMpreauthuser'])
@@ -48,8 +48,8 @@ test_etinfo('preauthuser', 'rc4 aes256-cts', @@ -50,8 +50,8 @@ test_etinfo('preauthuser', 'rc4 aes256-cts',
# (to allow for preauth mechs which don't depend on long-term keys). # (to allow for preauth mechs which don't depend on long-term keys).
# An AS-REP cannot be generated without preauth as there is no reply # An AS-REP cannot be generated without preauth as there is no reply
# key. # key.
@ -6348,7 +6337,7 @@ index 2c825a692..f29e0d550 100755
realm.stop() realm.stop()
diff --git a/src/tests/t_mkey.py b/src/tests/t_mkey.py diff --git a/src/tests/t_mkey.py b/src/tests/t_mkey.py
index 99273c907..f84041ca4 100755 index 32f4070bc..da0ed1831 100755
--- a/src/tests/t_mkey.py --- a/src/tests/t_mkey.py
+++ b/src/tests/t_mkey.py +++ b/src/tests/t_mkey.py
@@ -7,7 +7,6 @@ import struct @@ -7,7 +7,6 @@ import struct
@ -6421,10 +6410,10 @@ index 65084bbf3..55ca89745 100755
# Test using different salt types in a principal's key list. # Test using different salt types in a principal's key list.
# Parameters from one key in the list must not leak over to later ones. # Parameters from one key in the list must not leak over to later ones.
diff --git a/src/util/k5test.py b/src/util/k5test.py diff --git a/src/util/k5test.py b/src/util/k5test.py
index 442a4e4f7..eea92275d 100644 index 6afe4b92c..789b0f4b9 100644
--- a/src/util/k5test.py --- a/src/util/k5test.py
+++ b/src/util/k5test.py +++ b/src/util/k5test.py
@@ -1299,13 +1299,6 @@ _passes = [ @@ -1278,13 +1278,6 @@ _passes = [
# No special settings; exercises AES256. # No special settings; exercises AES256.
('default', None, None, None), ('default', None, None, None),


@ -1,4 +1,4 @@
From 4a215a206d1d5af69ea9fbf1e78001971ab18be2 Mon Sep 17 00:00:00 2001 From e787771b618a344d45ac515927e914602f48946f Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com> From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:30:53 -0400 Date: Tue, 23 Aug 2016 16:30:53 -0400
Subject: [PATCH] [downstream] SELinux integration Subject: [PATCH] [downstream] SELinux integration
@ -67,10 +67,10 @@ Last-updated: krb5-1.18-beta1
create mode 100644 src/util/support/selinux.c create mode 100644 src/util/support/selinux.c
diff --git a/src/aclocal.m4 b/src/aclocal.m4 diff --git a/src/aclocal.m4 b/src/aclocal.m4
index 830203683..6796fec53 100644 index ca9fcf664..5afb96e58 100644
--- a/src/aclocal.m4 --- a/src/aclocal.m4
+++ b/src/aclocal.m4 +++ b/src/aclocal.m4
@@ -89,6 +89,7 @@ AC_SUBST_FILE(libnodeps_frag) @@ -85,6 +85,7 @@ AC_SUBST_FILE(libnodeps_frag)
dnl dnl
KRB5_AC_PRAGMA_WEAK_REF KRB5_AC_PRAGMA_WEAK_REF
WITH_LDAP WITH_LDAP
@ -78,7 +78,7 @@ index 830203683..6796fec53 100644
KRB5_LIB_PARAMS KRB5_LIB_PARAMS
KRB5_AC_INITFINI KRB5_AC_INITFINI
KRB5_AC_ENABLE_THREADS KRB5_AC_ENABLE_THREADS
@@ -1743,4 +1744,51 @@ AC_SUBST(PAM_LIBS) @@ -1745,4 +1746,51 @@ AC_SUBST(PAM_LIBS)
AC_SUBST(PAM_MAN) AC_SUBST(PAM_MAN)
AC_SUBST(NON_PAM_MAN) AC_SUBST(NON_PAM_MAN)
])dnl ])dnl
@ -131,7 +131,7 @@ index 830203683..6796fec53 100644
+AC_SUBST(SELINUX_LIBS) +AC_SUBST(SELINUX_LIBS)
+])dnl +])dnl
diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in
index f6184da3f..c17cb5eb5 100755 index dead0dddc..fef3e054f 100755
--- a/src/build-tools/krb5-config.in --- a/src/build-tools/krb5-config.in
+++ b/src/build-tools/krb5-config.in +++ b/src/build-tools/krb5-config.in
@@ -41,6 +41,7 @@ DL_LIB='@DL_LIB@' @@ -41,6 +41,7 @@ DL_LIB='@DL_LIB@'
@ -142,7 +142,7 @@ index f6184da3f..c17cb5eb5 100755
LIBS='@LIBS@' LIBS='@LIBS@'
GEN_LIB=@GEN_LIB@ GEN_LIB=@GEN_LIB@
@@ -255,7 +256,7 @@ if test -n "$do_libs"; then @@ -254,7 +255,7 @@ if test -n "$do_libs"; then
fi fi
# If we ever support a flag to generate output suitable for static # If we ever support a flag to generate output suitable for static
@ -152,7 +152,7 @@ index f6184da3f..c17cb5eb5 100755
echo $lib_flags echo $lib_flags
diff --git a/src/config/pre.in b/src/config/pre.in diff --git a/src/config/pre.in b/src/config/pre.in
index ce87e21ca..917357df9 100644 index 3752174c7..0d2068575 100644
--- a/src/config/pre.in --- a/src/config/pre.in
+++ b/src/config/pre.in +++ b/src/config/pre.in
@@ -177,6 +177,7 @@ LD = $(PURE) @LD@ @@ -177,6 +177,7 @@ LD = $(PURE) @LD@
@ -163,7 +163,7 @@ index ce87e21ca..917357df9 100644
INSTALL=@INSTALL@ INSTALL=@INSTALL@
INSTALL_STRIP= INSTALL_STRIP=
@@ -402,7 +403,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME) @@ -403,7 +404,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME)
# HESIOD_LIBS is -lhesiod... # HESIOD_LIBS is -lhesiod...
HESIOD_LIBS = @HESIOD_LIBS@ HESIOD_LIBS = @HESIOD_LIBS@
@ -173,10 +173,10 @@ index ce87e21ca..917357df9 100644
GSS_LIBS = $(GSS_KRB5_LIB) GSS_LIBS = $(GSS_KRB5_LIB)
# needs fixing if ever used on macOS! # needs fixing if ever used on macOS!
diff --git a/src/configure.ac b/src/configure.ac diff --git a/src/configure.ac b/src/configure.ac
index d1f576124..440a22bd9 100644 index 693f76a81..dd2cad3ee 100644
--- a/src/configure.ac --- a/src/configure.ac
+++ b/src/configure.ac +++ b/src/configure.ac
@@ -1392,6 +1392,8 @@ AC_PATH_PROG(GROFF, groff) @@ -1391,6 +1391,8 @@ AC_PATH_PROG(GROFF, groff)
KRB5_WITH_PAM KRB5_WITH_PAM
@ -186,7 +186,7 @@ index d1f576124..440a22bd9 100644
if test "${localedir+set}" != set; then if test "${localedir+set}" != set; then
localedir='$(datadir)/locale' localedir='$(datadir)/locale'
diff --git a/src/include/k5-int.h b/src/include/k5-int.h diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 9616b24bf..0d9af3d95 100644 index cf524252f..efb523689 100644
--- a/src/include/k5-int.h --- a/src/include/k5-int.h
+++ b/src/include/k5-int.h +++ b/src/include/k5-int.h
@@ -128,6 +128,7 @@ typedef unsigned char u_char; @@ -128,6 +128,7 @@ typedef unsigned char u_char;
@ -236,7 +236,7 @@ index 000000000..dfaaa847c
+#endif +#endif
+#endif +#endif
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index d48685357..d1f5661bf 100644 index 045334a08..db80063eb 100644
--- a/src/include/krb5/krb5.hin --- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin +++ b/src/include/krb5/krb5.hin
@@ -87,6 +87,12 @@ @@ -87,6 +87,12 @@
@ -253,7 +253,7 @@ index d48685357..d1f5661bf 100644
#include <stdlib.h> #include <stdlib.h>
diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c
index 301e3476d..19f2cc230 100644 index 634ba4a8b..cea7939f4 100644
--- a/src/kadmin/dbutil/dump.c --- a/src/kadmin/dbutil/dump.c
+++ b/src/kadmin/dbutil/dump.c +++ b/src/kadmin/dbutil/dump.c
@@ -148,12 +148,21 @@ create_ofile(char *ofile, char **tmpname) @@ -148,12 +148,21 @@ create_ofile(char *ofile, char **tmpname)
@ -288,7 +288,7 @@ index 301e3476d..19f2cc230 100644
com_err(progname, errno, _("while creating 'ok' file, '%s'"), file_ok); com_err(progname, errno, _("while creating 'ok' file, '%s'"), file_ok);
goto cleanup; goto cleanup;
diff --git a/src/kdc/main.c b/src/kdc/main.c diff --git a/src/kdc/main.c b/src/kdc/main.c
index fdcd694d7..1ede4bf2f 100644 index 3be6dcb07..24d441e16 100644
--- a/src/kdc/main.c --- a/src/kdc/main.c
+++ b/src/kdc/main.c +++ b/src/kdc/main.c
@@ -872,7 +872,7 @@ write_pid_file(const char *path) @@ -872,7 +872,7 @@ write_pid_file(const char *path)
@ -301,7 +301,7 @@ index fdcd694d7..1ede4bf2f 100644
return errno; return errno;
pid = (unsigned long) getpid(); pid = (unsigned long) getpid();
diff --git a/src/kprop/kpropd.c b/src/kprop/kpropd.c diff --git a/src/kprop/kpropd.c b/src/kprop/kpropd.c
index 5622d56e1..356e3e0e6 100644 index 498ca599a..c6b8efc28 100644
--- a/src/kprop/kpropd.c --- a/src/kprop/kpropd.c
+++ b/src/kprop/kpropd.c +++ b/src/kprop/kpropd.c
@@ -487,6 +487,9 @@ doit(int fd) @@ -487,6 +487,9 @@ doit(int fd)
@ -416,7 +416,7 @@ index 7b100a0ec..5683a0433 100644
_("Credential cache directory %s does not exist"), _("Credential cache directory %s does not exist"),
dirname); dirname);
diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c
index 021c94398..aaf573439 100644 index e510211fc..f3ea28c8e 100644
--- a/src/lib/krb5/keytab/kt_file.c --- a/src/lib/krb5/keytab/kt_file.c
+++ b/src/lib/krb5/keytab/kt_file.c +++ b/src/lib/krb5/keytab/kt_file.c
@@ -735,14 +735,14 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode) @@ -735,14 +735,14 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode)
@ -437,7 +437,7 @@ index 021c94398..aaf573439 100644
goto report_errno; goto report_errno;
writevno = 1; writevno = 1;
diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c
index 2a03ae980..85dbfeb47 100644 index 7073459f0..e9b99f4ca 100644
--- a/src/lib/krb5/os/trace.c --- a/src/lib/krb5/os/trace.c
+++ b/src/lib/krb5/os/trace.c +++ b/src/lib/krb5/os/trace.c
@@ -458,7 +458,7 @@ krb5_set_trace_filename(krb5_context context, const char *filename) @@ -458,7 +458,7 @@ krb5_set_trace_filename(krb5_context context, const char *filename)
@ -463,7 +463,7 @@ index 7db30a33b..2b9d01921 100644
* maybe someone took away write permission so we could only * maybe someone took away write permission so we could only
* get shared locks? * get shared locks?
diff --git a/src/plugins/kdb/db2/kdb_db2.c b/src/plugins/kdb/db2/kdb_db2.c diff --git a/src/plugins/kdb/db2/kdb_db2.c b/src/plugins/kdb/db2/kdb_db2.c
index 5106a5c99..e481e8121 100644 index 1a476b586..b40bb2240 100644
--- a/src/plugins/kdb/db2/kdb_db2.c --- a/src/plugins/kdb/db2/kdb_db2.c
+++ b/src/plugins/kdb/db2/kdb_db2.c +++ b/src/plugins/kdb/db2/kdb_db2.c
@@ -694,8 +694,8 @@ ctx_create_db(krb5_context context, krb5_db2_context *dbc) @@ -694,8 +694,8 @@ ctx_create_db(krb5_context context, krb5_db2_context *dbc)
@ -542,7 +542,7 @@ index d8b26e701..b0daa7c02 100644
if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) { if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) {
diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
index b92cb58c7..0a95101ad 100644 index e87688d66..30f7c00ab 100644
--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c --- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
+++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c +++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
@@ -190,7 +190,7 @@ kdb5_ldap_stash_service_password(int argc, char **argv) @@ -190,7 +190,7 @@ kdb5_ldap_stash_service_password(int argc, char **argv)


@ -1,98 +0,0 @@
From 57415dda6cf04e73ffc3723be518eddfae599bfd Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Sat, 31 Oct 2020 17:07:05 -0400
Subject: [PATCH] Add recursion limit for ASN.1 indefinite lengths
The libkrb5 ASN.1 decoder supports BER indefinite lengths. It
computes the tag length using recursion; the lack of a recursion limit
allows an attacker to overrun the stack and cause the process to
crash. Reported by Demi Obenour.
CVE-2020-28196:
In MIT krb5 releases 1.11 and later, an unauthenticated attacker can
cause a denial of service for any client or server to which it can
send an ASN.1-encoded Kerberos message of sufficient length.
ticket: 8959 (new)
tags: pullup
target_version: 1.18-next
target_version: 1.17-next
---
src/lib/krb5/asn.1/asn1_encode.c | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/src/lib/krb5/asn.1/asn1_encode.c b/src/lib/krb5/asn.1/asn1_encode.c
index a160cf4..cd6b879 100644
--- a/src/lib/krb5/asn.1/asn1_encode.c
+++ b/src/lib/krb5/asn.1/asn1_encode.c
@@ -356,7 +356,7 @@ make_tag(asn1buf *buf, const taginfo *t, size_t len)
static krb5_error_code
get_tag(const uint8_t *asn1, size_t len, taginfo *tag_out,
const uint8_t **contents_out, size_t *clen_out,
- const uint8_t **remainder_out, size_t *rlen_out)
+ const uint8_t **remainder_out, size_t *rlen_out, int recursion)
{
krb5_error_code ret;
uint8_t o;
@@ -394,9 +394,11 @@ get_tag(const uint8_t *asn1, size_t len, taginfo *tag_out,
/* Indefinite form (should not be present in DER, but we accept it). */
if (tag_out->construction != CONSTRUCTED)
return ASN1_MISMATCH_INDEF;
+ if (recursion >= 32)
+ return ASN1_OVERFLOW;
p = asn1;
while (!(len >= 2 && p[0] == 0 && p[1] == 0)) {
- ret = get_tag(p, len, &t, &c, &clen, &p, &len);
+ ret = get_tag(p, len, &t, &c, &clen, &p, &len, recursion + 1);
if (ret)
return ret;
}
@@ -613,7 +615,7 @@ split_der(asn1buf *buf, uint8_t *const *der, size_t len, taginfo *tag_out)
const uint8_t *contents, *remainder;
size_t clen, rlen;
- ret = get_tag(*der, len, tag_out, &contents, &clen, &remainder, &rlen);
+ ret = get_tag(*der, len, tag_out, &contents, &clen, &remainder, &rlen, 0);
if (ret)
return ret;
if (rlen != 0)
@@ -1199,7 +1201,7 @@ decode_atype(const taginfo *t, const uint8_t *asn1, size_t len,
const uint8_t *rem;
size_t rlen;
if (!tag->implicit) {
- ret = get_tag(asn1, len, &inner_tag, &asn1, &len, &rem, &rlen);
+ ret = get_tag(asn1, len, &inner_tag, &asn1, &len, &rem, &rlen, 0);
if (ret)
return ret;
/* Note: we don't check rlen (it should be 0). */
@@ -1420,7 +1422,7 @@ decode_sequence(const uint8_t *asn1, size_t len, const struct seq_info *seq,
for (i = 0; i < seq->n_fields; i++) {
if (len == 0)
break;
- ret = get_tag(asn1, len, &t, &contents, &clen, &asn1, &len);
+ ret = get_tag(asn1, len, &t, &contents, &clen, &asn1, &len, 0);
if (ret)
goto error;
/*
@@ -1478,7 +1480,7 @@ decode_sequence_of(const uint8_t *asn1, size_t len,
*seq_out = NULL;
*count_out = 0;
while (len > 0) {
- ret = get_tag(asn1, len, &t, &contents, &clen, &asn1, &len);
+ ret = get_tag(asn1, len, &t, &contents, &clen, &asn1, &len, 0);
if (ret)
goto error;
if (!check_atype_tag(elemtype, &t)) {
@@ -1584,7 +1586,7 @@ k5_asn1_full_decode(const krb5_data *code, const struct atype_info *a,
*retrep = NULL;
ret = get_tag((uint8_t *)code->data, code->length, &t, &contents,
- &clen, &remainder, &rlen);
+ &clen, &remainder, &rlen, 0);
if (ret)
return ret;
/* rlen should be 0, but we don't check it (and due to padding in
--
1.8.3.1


@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----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=fGT7
-----END PGP SIGNATURE-----

16
krb5-1.19.1.tar.gz.asc Normal file

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----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=PP6r
-----END PGP SIGNATURE-----


@ -2,13 +2,13 @@
%global WITH_DIRSRV 1 %global WITH_DIRSRV 1
Name: krb5 Name: krb5
Version: 1.18.2 Version: 1.19.1
Release: 3 Release: 1
Summary: The Kerberos network authentication protocol Summary: The Kerberos network authentication protocol
License: MIT License: MIT
URL: http://web.mit.edu/kerberos/www/ URL: http://web.mit.edu/kerberos/www/
Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/%{name}-%{version}.tar.gz Source0: https://web.mit.edu/kerberos/dist/krb5/1.19/%{name}-%{version}.tar.gz
Source1: https://web.mit.edu/kerberos/dist/krb5/1.18/%{name}-%{version}.tar.gz.asc Source1: https://web.mit.edu/kerberos/dist/krb5/1.19/%{name}-%{version}.tar.gz.asc
Source2: kprop.service Source2: kprop.service
Source3: kadmin.service Source3: kadmin.service
Source4: krb5kdc.service Source4: krb5kdc.service
@ -26,7 +26,6 @@ Patch3: netlib-and-dns.patch
Patch4: fix-debuginfo-with-y.tab.c.patch Patch4: fix-debuginfo-with-y.tab.c.patch
Patch5: Remove-3des-support.patch Patch5: Remove-3des-support.patch
Patch6: FIPS-with-PRNG-and-RADIUS-and-MD4.patch Patch6: FIPS-with-PRNG-and-RADIUS-and-MD4.patch
Patch7: backport-CVE-2020-28196.patch
BuildRequires: gettext BuildRequires: gettext
BuildRequires: gcc make automake autoconf pkgconfig pam-devel libselinux-devel byacc BuildRequires: gcc make automake autoconf pkgconfig pam-devel libselinux-devel byacc
@ -318,6 +317,9 @@ make -C src check || :
%{_mandir}/man8/* %{_mandir}/man8/*
%changelog %changelog
* Sat Jun 26 2021 yixiangzhike <zhangxingliang3@huawei.com> - 1.19.1-1
- Upgrade upstream to 1.19.1
* Wed May 26 2021 yixiangzhike <zhangxingliang3@huawei.com> - 1.18.2-3 * Wed May 26 2021 yixiangzhike <zhangxingliang3@huawei.com> - 1.18.2-3
- Add gettext to BuildRequires - Add gettext to BuildRequires
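Review bot: The removal of `Patch7: backport-CVE-2020-28196.patch` is not recorded in the new `%changelog` entry, which says only `- Upgrade upstream to 1.19.1`, so a later auditor cannot tell from the spec whether the ASN.1 indefinite-length recursion limit was retired deliberately or lost in the rebase. The deleted patch's header targets 1.18-next and 1.17-next, so the fix is presumably already in the 1.19.1 sources. That should be confirmed against the unpacked tarball (the `recursion >= 32` check in `get_tag` in `src/lib/krb5/asn.1/asn1_encode.c`) and then stated, for example `- Remove backport-CVE-2020-28196.patch, fixed upstream in 1.19.1`. Separately, the hunk context shows `make -C src check || :`, which is outside this change but means a failing test suite would not stop the build that carries the rebased downstream patches.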

View File

@ -1,11 +1,11 @@
From 9a082e1e02ae4efd2404d0672d38b3d4eb2d6660 Mon Sep 17 00:00:00 2001 From 90ba715be48c2e1b6c7ca53cb1d75f3af2c388d6 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com> From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:29:58 -0400 Date: Tue, 23 Aug 2016 16:29:58 -0400
Subject: [PATCH] [downstream] ksu pam integration Subject: [PATCH] [downstream] ksu pam integration
Modify ksu so that it performs account and session management on behalf of Modify ksu so that it performs account and session management on behalf of
the target user account, mimicking the action of regular su. The default the target user account, mimicking the action of regular su. The default
service name is "ksu", because on at least the configuration used service name is "ksu", because on Fedora at least the configuration used
is determined by whether or not a login shell is being opened, and so is determined by whether or not a login shell is being opened, and so
this may need to vary, too. At run-time, ksu's behavior can be reset to this may need to vary, too. At run-time, ksu's behavior can be reset to
the earlier, non-PAM behavior by setting "use_pam" to false in the [ksu] the earlier, non-PAM behavior by setting "use_pam" to false in the [ksu]
@ -30,10 +30,10 @@ Last-updated: krb5-1.18-beta1
create mode 100644 src/clients/ksu/pam.h create mode 100644 src/clients/ksu/pam.h
diff --git a/src/aclocal.m4 b/src/aclocal.m4 diff --git a/src/aclocal.m4 b/src/aclocal.m4
index 2394f7e33..830203683 100644 index 024d6370c..ca9fcf664 100644
--- a/src/aclocal.m4 --- a/src/aclocal.m4
+++ b/src/aclocal.m4 +++ b/src/aclocal.m4
@@ -1675,3 +1675,72 @@ if test "$with_ldap" = yes; then @@ -1677,3 +1677,72 @@ if test "$with_ldap" = yes; then
OPENLDAP_PLUGIN=yes OPENLDAP_PLUGIN=yes
fi fi
])dnl ])dnl
@ -145,11 +145,11 @@ index 8b4edce4d..9d58f29b5 100644
clean: clean:
$(RM) ksu $(RM) ksu
diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
index 4f03dd8ed..21a4d02bb 100644 index af1286172..931f05404 100644
--- a/src/clients/ksu/main.c --- a/src/clients/ksu/main.c
+++ b/src/clients/ksu/main.c +++ b/src/clients/ksu/main.c
@@ -26,6 +26,7 @@ @@ -26,6 +26,7 @@
* KSU was writen by: Ari Medvinsky, ari@isi.edu * KSU was written by: Ari Medvinsky, ari@isi.edu
*/ */
+#include "autoconf.h" +#include "autoconf.h"
@ -175,7 +175,7 @@ index 4f03dd8ed..21a4d02bb 100644
/***********/ /***********/
#define KS_TEMPORARY_CACHE "MEMORY:_ksu" #define KS_TEMPORARY_CACHE "MEMORY:_ksu"
@@ -535,6 +541,23 @@ main (argc, argv) @@ -536,6 +542,23 @@ main (argc, argv)
prog_name,target_user,client_name, prog_name,target_user,client_name,
source_user,ontty()); source_user,ontty());
@ -199,7 +199,7 @@ index 4f03dd8ed..21a4d02bb 100644
/* Run authorization as target.*/ /* Run authorization as target.*/
if (krb5_seteuid(target_uid)) { if (krb5_seteuid(target_uid)) {
com_err(prog_name, errno, _("while switching to target for " com_err(prog_name, errno, _("while switching to target for "
@@ -595,6 +618,24 @@ main (argc, argv) @@ -596,6 +619,24 @@ main (argc, argv)
exit(1); exit(1);
} }
@ -224,7 +224,7 @@ index 4f03dd8ed..21a4d02bb 100644
} }
if( some_rest_copy){ if( some_rest_copy){
@@ -652,6 +693,30 @@ main (argc, argv) @@ -653,6 +694,30 @@ main (argc, argv)
exit(1); exit(1);
} }
@ -255,7 +255,7 @@ index 4f03dd8ed..21a4d02bb 100644
/* set permissions */ /* set permissions */
if (setgid(target_pwd->pw_gid) < 0) { if (setgid(target_pwd->pw_gid) < 0) {
perror("ksu: setgid"); perror("ksu: setgid");
@@ -749,7 +814,7 @@ main (argc, argv) @@ -750,7 +815,7 @@ main (argc, argv)
fprintf(stderr, "program to be execed %s\n",params[0]); fprintf(stderr, "program to be execed %s\n",params[0]);
} }
@ -264,7 +264,7 @@ index 4f03dd8ed..21a4d02bb 100644
execv(params[0], params); execv(params[0], params);
com_err(prog_name, errno, _("while trying to execv %s"), params[0]); com_err(prog_name, errno, _("while trying to execv %s"), params[0]);
sweep_up(ksu_context, cc_target); sweep_up(ksu_context, cc_target);
@@ -779,16 +844,35 @@ main (argc, argv) @@ -780,16 +845,35 @@ main (argc, argv)
if (ret_pid == -1) { if (ret_pid == -1) {
com_err(prog_name, errno, _("while calling waitpid")); com_err(prog_name, errno, _("while calling waitpid"));
} }
@ -760,10 +760,10 @@ index 000000000..0ab76569c
+void appl_pam_cleanup(void); +void appl_pam_cleanup(void);
+#endif +#endif
diff --git a/src/configure.ac b/src/configure.ac diff --git a/src/configure.ac b/src/configure.ac
index 234f4281c..d1f576124 100644 index 4eb080784..693f76a81 100644
--- a/src/configure.ac --- a/src/configure.ac
+++ b/src/configure.ac +++ b/src/configure.ac
@@ -1390,6 +1390,8 @@ AC_SUBST([VERTO_VERSION]) @@ -1389,6 +1389,8 @@ AC_SUBST([VERTO_VERSION])
AC_PATH_PROG(GROFF, groff) AC_PATH_PROG(GROFF, groff)