diff --git a/FIPS-with-PRNG-and-RADIUS-and-MD4.patch b/FIPS-with-PRNG-and-RADIUS-and-MD4.patch
deleted file mode 100644
index 573d222..0000000
--- a/FIPS-with-PRNG-and-RADIUS-and-MD4.patch
+++ /dev/null
@@ -1,568 +0,0 @@ -From 5978878bcee5ec39e4357f408470d39e9540d2bf Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Fri, 9 Nov 2018 15:12:21 -0500 -Subject: [PATCH] [downstream] FIPS with PRNG and RADIUS and MD4 - -NB: Use openssl's PRNG in FIPS mode and taint within krad. - -A lot of the FIPS error conditions from OpenSSL are incredibly -mysterious (at best, things return NULL unexpectedly; at worst, -internal assertions are tripped; most of the time, you just get -ENOMEM). In order to cope with this, we need to have some level of -awareness of what we can and can't safely call. - -This will slow down some calls slightly (FIPS_mode() takes multiple -locks), but not for any ciphers we care about - which is to say that -AES is fine. Shame about SPAKE though. - -post6 restores MD4 (and therefore keygen-only RC4). - -Last-updated: krb5-1.17 ---- - src/lib/crypto/krb/prng.c | 11 ++++- - .../crypto/openssl/enc_provider/camellia.c | 6 +++ - src/lib/crypto/openssl/enc_provider/rc4.c | 13 +++++- - .../crypto/openssl/hash_provider/hash_evp.c | 12 +++++ - src/lib/crypto/openssl/hmac.c | 6 ++- - src/lib/krad/attr.c | 45 ++++++++++++++----- - src/lib/krad/attrset.c | 5 ++- - src/lib/krad/internal.h | 13 +++++- - src/lib/krad/packet.c | 22 ++++----- - src/lib/krad/remote.c | 10 ++++- - src/lib/krad/t_attr.c | 3 +- - src/lib/krad/t_attrset.c | 4 +- - src/plugins/preauth/spake/spake_client.c | 6 +++ - src/plugins/preauth/spake/spake_kdc.c | 6 +++ - 14 files changed, 129 insertions(+), 33 deletions(-) - -diff --git a/src/lib/crypto/krb/prng.c b/src/lib/crypto/krb/prng.c -index cb9ca9b98..f0e9984ca 100644 ---- a/src/lib/crypto/krb/prng.c -+++ b/src/lib/crypto/krb/prng.c -@@ -26,6 +26,8 @@ - - #include "crypto_int.h" - -+#include -+ - krb5_error_code KRB5_CALLCONV - krb5_c_random_seed(krb5_context context, krb5_data *data) - { -@@ -99,9 +101,16 @@ krb5_boolean - k5_get_os_entropy(unsigned char *buf, size_t len, int strong) - { - const char *device; --#if defined(__linux__) && 
defined(SYS_getrandom) - int r; - -+ /* A wild FIPS mode appeared! */ -+ if (FIPS_mode()) { -+ /* The return codes on this API are not good */ -+ r = RAND_bytes(buf, len); -+ return r == 1; -+ } -+ -+#if defined(__linux__) && defined(SYS_getrandom) - while (len > 0) { - /* - * Pull from the /dev/urandom pool, but require it to have been seeded. -diff --git a/src/lib/crypto/openssl/enc_provider/camellia.c b/src/lib/crypto/openssl/enc_provider/camellia.c -index 2da691329..f79679a0b 100644 ---- a/src/lib/crypto/openssl/enc_provider/camellia.c -+++ b/src/lib/crypto/openssl/enc_provider/camellia.c -@@ -304,6 +304,9 @@ krb5int_camellia_cbc_mac(krb5_key key, const krb5_crypto_iov *data, - unsigned char blockY[CAMELLIA_BLOCK_SIZE], blockB[CAMELLIA_BLOCK_SIZE]; - struct iov_cursor cursor; - -+ if (FIPS_mode()) -+ return KRB5_CRYPTO_INTERNAL; -+ - if (output->length < CAMELLIA_BLOCK_SIZE) - return KRB5_BAD_MSIZE; - -@@ -331,6 +334,9 @@ static krb5_error_code - krb5int_camellia_init_state (const krb5_keyblock *key, krb5_keyusage usage, - krb5_data *state) - { -+ if (FIPS_mode()) -+ return KRB5_CRYPTO_INTERNAL; -+ - state->length = 16; - state->data = (void *) malloc(16); - if (state->data == NULL) -diff --git a/src/lib/crypto/openssl/enc_provider/rc4.c b/src/lib/crypto/openssl/enc_provider/rc4.c -index a65d57b7a..6ccaca94a 100644 ---- a/src/lib/crypto/openssl/enc_provider/rc4.c -+++ b/src/lib/crypto/openssl/enc_provider/rc4.c -@@ -66,6 +66,9 @@ k5_arcfour_docrypt(krb5_key key, const krb5_data *state, krb5_crypto_iov *data, - EVP_CIPHER_CTX *ctx = NULL; - struct arcfour_state *arcstate; - -+ if (FIPS_mode()) -+ return KRB5_CRYPTO_INTERNAL; -+ - arcstate = (state != NULL) ? 
(void *)state->data : NULL; - if (arcstate != NULL) { - ctx = arcstate->ctx; -@@ -113,7 +116,12 @@ k5_arcfour_docrypt(krb5_key key, const krb5_data *state, krb5_crypto_iov *data, - static void - k5_arcfour_free_state(krb5_data *state) - { -- struct arcfour_state *arcstate = (void *)state->data; -+ struct arcfour_state *arcstate; -+ -+ if (FIPS_mode()) -+ return; -+ -+ arcstate = (void *) state->data; - - EVP_CIPHER_CTX_free(arcstate->ctx); - free(arcstate); -@@ -125,6 +133,9 @@ k5_arcfour_init_state(const krb5_keyblock *key, - { - struct arcfour_state *arcstate; - -+ if (FIPS_mode()) -+ return KRB5_CRYPTO_INTERNAL; -+ - /* - * The cipher state here is a saved pointer to a struct arcfour_state - * object, rather than a flat byte array as in most enc providers. The -diff --git a/src/lib/crypto/openssl/hash_provider/hash_evp.c b/src/lib/crypto/openssl/hash_provider/hash_evp.c -index 1e0fb8fc3..feb5eda99 100644 ---- a/src/lib/crypto/openssl/hash_provider/hash_evp.c -+++ b/src/lib/crypto/openssl/hash_provider/hash_evp.c -@@ -49,6 +49,11 @@ hash_evp(const EVP_MD *type, const krb5_crypto_iov *data, size_t num_data, - if (ctx == NULL) - return ENOMEM; - -+ if (type == EVP_md4()) { -+ /* See comment below in hash_md4(). */ -+ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); -+ } -+ - ok = EVP_DigestInit_ex(ctx, type, NULL); - for (i = 0; i < num_data; i++) { - if (!SIGN_IOV(&data[i])) -@@ -64,12 +69,19 @@ hash_evp(const EVP_MD *type, const krb5_crypto_iov *data, size_t num_data, - static krb5_error_code - hash_md4(const krb5_crypto_iov *data, size_t num_data, krb5_data *output) - { -+ /* -+ * MD4 is needed in FIPS mode to perform key generation for RC4 keys used -+ * by IPA. These keys are only used along a (separately) secured channel -+ * for legacy reasons when performing trusts to Active Directory. 
-+ */ - return hash_evp(EVP_md4(), data, num_data, output); - } - - static krb5_error_code - hash_md5(const krb5_crypto_iov *data, size_t num_data, krb5_data *output) - { -+ if (FIPS_mode()) -+ return KRB5_CRYPTO_INTERNAL; - return hash_evp(EVP_md5(), data, num_data, output); - } - -diff --git a/src/lib/crypto/openssl/hmac.c b/src/lib/crypto/openssl/hmac.c -index 7dc59dcc0..769a50c00 100644 ---- a/src/lib/crypto/openssl/hmac.c -+++ b/src/lib/crypto/openssl/hmac.c -@@ -103,7 +103,11 @@ map_digest(const struct krb5_hash_provider *hash) - return EVP_sha256(); - else if (!strncmp(hash->hash_name, "SHA-384",7)) - return EVP_sha384(); -- else if (!strncmp(hash->hash_name, "MD5", 3)) -+ -+ if (FIPS_mode()) -+ return NULL; -+ -+ if (!strncmp(hash->hash_name, "MD5", 3)) - return EVP_md5(); - else if (!strncmp(hash->hash_name, "MD4", 3)) - return EVP_md4(); -diff --git a/src/lib/krad/attr.c b/src/lib/krad/attr.c -index 9c13d9d75..275327e67 100644 ---- a/src/lib/krad/attr.c -+++ b/src/lib/krad/attr.c -@@ -30,6 +30,7 @@ - #include - #include "internal.h" - -+#include - #include - - /* RFC 2865 */ -@@ -38,7 +39,8 @@ - typedef krb5_error_code - (*attribute_transform_fn)(krb5_context ctx, const char *secret, - const unsigned char *auth, const krb5_data *in, -- unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen); -+ unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen, -+ krb5_boolean *is_fips); - - typedef struct { - const char *name; -@@ -51,12 +53,14 @@ typedef struct { - static krb5_error_code - user_password_encode(krb5_context ctx, const char *secret, - const unsigned char *auth, const krb5_data *in, -- unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen); -+ unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen, -+ krb5_boolean *is_fips); - - static krb5_error_code - user_password_decode(krb5_context ctx, const char *secret, - const unsigned char *auth, const krb5_data *in, -- unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen); -+ unsigned char outbuf[MAX_ATTRSIZE], size_t 
*outlen, -+ krb5_boolean *ignored); - - static const attribute_record attributes[UCHAR_MAX] = { - {"User-Name", 1, MAX_ATTRSIZE, NULL, NULL}, -@@ -128,7 +132,8 @@ static const attribute_record attributes[UCHAR_MAX] = { - static krb5_error_code - user_password_encode(krb5_context ctx, const char *secret, - const unsigned char *auth, const krb5_data *in, -- unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen) -+ unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen, -+ krb5_boolean *is_fips) - { - const unsigned char *indx; - krb5_error_code retval; -@@ -154,8 +159,14 @@ user_password_encode(krb5_context ctx, const char *secret, - for (blck = 0, indx = auth; blck * BLOCKSIZE < len; blck++) { - memcpy(tmp.data + seclen, indx, BLOCKSIZE); - -- retval = krb5_c_make_checksum(ctx, CKSUMTYPE_RSA_MD5, NULL, 0, &tmp, -- &sum); -+ if (FIPS_mode()) { -+ /* Skip encryption here. Taint so that we won't pass it out of -+ * the machine by accident. */ -+ *is_fips = TRUE; -+ sum.contents = calloc(1, BLOCKSIZE); -+ } else -+ retval = krb5_c_make_checksum(ctx, CKSUMTYPE_RSA_MD5, NULL, 0, &tmp, -+ &sum); - if (retval != 0) { - zap(tmp.data, tmp.length); - zap(outbuf, len); -@@ -180,7 +191,8 @@ user_password_encode(krb5_context ctx, const char *secret, - static krb5_error_code - user_password_decode(krb5_context ctx, const char *secret, - const unsigned char *auth, const krb5_data *in, -- unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen) -+ unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen, -+ krb5_boolean *is_fips) - { - const unsigned char *indx; - krb5_error_code retval; -@@ -204,8 +216,14 @@ user_password_decode(krb5_context ctx, const char *secret, - for (blck = 0, indx = auth; blck * BLOCKSIZE < in->length; blck++) { - memcpy(tmp.data + seclen, indx, BLOCKSIZE); - -- retval = krb5_c_make_checksum(ctx, CKSUMTYPE_RSA_MD5, NULL, 0, -- &tmp, &sum); -+ if (FIPS_mode()) { -+ /* Skip encryption here. Taint so that we won't pass it out of -+ * the machine by accident. 
*/ -+ *is_fips = TRUE; -+ sum.contents = calloc(1, BLOCKSIZE); -+ } else -+ retval = krb5_c_make_checksum(ctx, CKSUMTYPE_RSA_MD5, NULL, 0, -+ &tmp, &sum); - if (retval != 0) { - zap(tmp.data, tmp.length); - zap(outbuf, in->length); -@@ -248,7 +266,7 @@ krb5_error_code - kr_attr_encode(krb5_context ctx, const char *secret, - const unsigned char *auth, krad_attr type, - const krb5_data *in, unsigned char outbuf[MAX_ATTRSIZE], -- size_t *outlen) -+ size_t *outlen, krb5_boolean *is_fips) - { - krb5_error_code retval; - -@@ -265,7 +283,8 @@ kr_attr_encode(krb5_context ctx, const char *secret, - return 0; - } - -- return attributes[type - 1].encode(ctx, secret, auth, in, outbuf, outlen); -+ return attributes[type - 1].encode(ctx, secret, auth, in, outbuf, outlen, -+ is_fips); - } - - krb5_error_code -@@ -274,6 +293,7 @@ kr_attr_decode(krb5_context ctx, const char *secret, const unsigned char *auth, - unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen) - { - krb5_error_code retval; -+ krb5_boolean ignored; - - retval = kr_attr_valid(type, in); - if (retval != 0) -@@ -288,7 +308,8 @@ kr_attr_decode(krb5_context ctx, const char *secret, const unsigned char *auth, - return 0; - } - -- return attributes[type - 1].decode(ctx, secret, auth, in, outbuf, outlen); -+ return attributes[type - 1].decode(ctx, secret, auth, in, outbuf, outlen, -+ &ignored); - } - - krad_attr -diff --git a/src/lib/krad/attrset.c b/src/lib/krad/attrset.c -index 03c613716..d89982a13 100644 ---- a/src/lib/krad/attrset.c -+++ b/src/lib/krad/attrset.c -@@ -167,7 +167,8 @@ krad_attrset_copy(const krad_attrset *set, krad_attrset **copy) - krb5_error_code - kr_attrset_encode(const krad_attrset *set, const char *secret, - const unsigned char *auth, -- unsigned char outbuf[MAX_ATTRSETSIZE], size_t *outlen) -+ unsigned char outbuf[MAX_ATTRSETSIZE], size_t *outlen, -+ krb5_boolean *is_fips) - { - unsigned char buffer[MAX_ATTRSIZE]; - krb5_error_code retval; -@@ -181,7 +182,7 @@ kr_attrset_encode(const krad_attrset 
*set, const char *secret, - - K5_TAILQ_FOREACH(a, &set->list, list) { - retval = kr_attr_encode(set->ctx, secret, auth, a->type, &a->attr, -- buffer, &attrlen); -+ buffer, &attrlen, is_fips); - if (retval != 0) - return retval; - -diff --git a/src/lib/krad/internal.h b/src/lib/krad/internal.h -index 996a89372..a53ce31ce 100644 ---- a/src/lib/krad/internal.h -+++ b/src/lib/krad/internal.h -@@ -49,6 +49,13 @@ - - typedef struct krad_remote_st krad_remote; - -+struct krad_packet_st { -+ char buffer[KRAD_PACKET_SIZE_MAX]; -+ krad_attrset *attrset; -+ krb5_data pkt; -+ krb5_boolean is_fips; -+}; -+ - /* Validate constraints of an attribute. */ - krb5_error_code - kr_attr_valid(krad_attr type, const krb5_data *data); -@@ -57,7 +64,8 @@ kr_attr_valid(krad_attr type, const krb5_data *data); - krb5_error_code - kr_attr_encode(krb5_context ctx, const char *secret, const unsigned char *auth, - krad_attr type, const krb5_data *in, -- unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen); -+ unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen, -+ krb5_boolean *is_fips); - - /* Decode an attribute. */ - krb5_error_code -@@ -69,7 +77,8 @@ kr_attr_decode(krb5_context ctx, const char *secret, const unsigned char *auth, - krb5_error_code - kr_attrset_encode(const krad_attrset *set, const char *secret, - const unsigned char *auth, -- unsigned char outbuf[MAX_ATTRSETSIZE], size_t *outlen); -+ unsigned char outbuf[MAX_ATTRSETSIZE], size_t *outlen, -+ krb5_boolean *is_fips); - - /* Decode attributes from a buffer. 
*/ - krb5_error_code -diff --git a/src/lib/krad/packet.c b/src/lib/krad/packet.c -index c597174b6..794ac84c4 100644 ---- a/src/lib/krad/packet.c -+++ b/src/lib/krad/packet.c -@@ -32,6 +32,7 @@ - #include - - #include -+#include - - typedef unsigned char uchar; - -@@ -53,12 +54,6 @@ typedef unsigned char uchar; - #define pkt_auth(p) ((uchar *)offset(&(p)->pkt, OFFSET_AUTH)) - #define pkt_attr(p) ((unsigned char *)offset(&(p)->pkt, OFFSET_ATTR)) - --struct krad_packet_st { -- char buffer[KRAD_PACKET_SIZE_MAX]; -- krad_attrset *attrset; -- krb5_data pkt; --}; -- - typedef struct { - uchar x[(UCHAR_MAX + 1) / 8]; - } idmap; -@@ -187,8 +182,13 @@ auth_generate_response(krb5_context ctx, const char *secret, - memcpy(data.data + response->pkt.length, secret, strlen(secret)); - - /* Hash it. */ -- retval = krb5_c_make_checksum(ctx, CKSUMTYPE_RSA_MD5, NULL, 0, &data, -- &hash); -+ if (FIPS_mode()) { -+ /* This checksum does very little security-wise anyway, so don't -+ * taint. */ -+ hash.contents = calloc(1, AUTH_FIELD_SIZE); -+ } else -+ retval = krb5_c_make_checksum(ctx, CKSUMTYPE_RSA_MD5, NULL, 0, &data, -+ &hash); - free(data.data); - if (retval != 0) - return retval; -@@ -276,7 +276,7 @@ krad_packet_new_request(krb5_context ctx, const char *secret, krad_code code, - - /* Encode the attributes. */ - retval = kr_attrset_encode(set, secret, pkt_auth(pkt), pkt_attr(pkt), -- &attrset_len); -+ &attrset_len, &pkt->is_fips); - if (retval != 0) - goto error; - -@@ -314,7 +314,7 @@ krad_packet_new_response(krb5_context ctx, const char *secret, krad_code code, - - /* Encode the attributes. 
*/ - retval = kr_attrset_encode(set, secret, pkt_auth(request), pkt_attr(pkt), -- &attrset_len); -+ &attrset_len, &pkt->is_fips); - if (retval != 0) - goto error; - -@@ -451,6 +451,8 @@ krad_packet_decode_response(krb5_context ctx, const char *secret, - const krb5_data * - krad_packet_encode(const krad_packet *pkt) - { -+ if (pkt->is_fips) -+ return NULL; - return &pkt->pkt; - } - -diff --git a/src/lib/krad/remote.c b/src/lib/krad/remote.c -index 437f7e91a..0f90443ce 100644 ---- a/src/lib/krad/remote.c -+++ b/src/lib/krad/remote.c -@@ -263,7 +263,7 @@ on_io_write(krad_remote *rr) - request *r; - - K5_TAILQ_FOREACH(r, &rr->list, list) { -- tmp = krad_packet_encode(r->request); -+ tmp = &r->request->pkt; - - /* If the packet has already been sent, do nothing. */ - if (r->sent == tmp->length) -@@ -359,7 +359,7 @@ on_io_read(krad_remote *rr) - if (req != NULL) { - K5_TAILQ_FOREACH(r, &rr->list, list) { - if (r->request == req && -- r->sent == krad_packet_encode(req)->length) { -+ r->sent == req->pkt.length) { - request_finish(r, 0, rsp); - break; - } -@@ -455,6 +455,12 @@ kr_remote_send(krad_remote *rr, krad_code code, krad_attrset *attrs, - (krad_packet_iter_cb)iterator, &r, &tmp); - if (retval != 0) - goto error; -+ else if (tmp->is_fips && rr->info->ai_family != AF_LOCAL && -+ rr->info->ai_family != AF_UNIX) { -+ /* This would expose cleartext passwords, so abort. 
*/ -+ retval = ESOCKTNOSUPPORT; -+ goto error; -+ } - - K5_TAILQ_FOREACH(r, &rr->list, list) { - if (r->request == tmp) { -diff --git a/src/lib/krad/t_attr.c b/src/lib/krad/t_attr.c -index eb2a780c8..4d285ad9d 100644 ---- a/src/lib/krad/t_attr.c -+++ b/src/lib/krad/t_attr.c -@@ -50,6 +50,7 @@ main() - const char *tmp; - krb5_data in; - size_t len; -+ krb5_boolean is_fips = FALSE; - - noerror(krb5_init_context(&ctx)); - -@@ -73,7 +74,7 @@ main() - in = string2data((char *)decoded); - retval = kr_attr_encode(ctx, secret, auth, - krad_attr_name2num("User-Password"), -- &in, outbuf, &len); -+ &in, outbuf, &len, &is_fips); - insist(retval == 0); - insist(len == sizeof(encoded)); - insist(memcmp(outbuf, encoded, len) == 0); -diff --git a/src/lib/krad/t_attrset.c b/src/lib/krad/t_attrset.c -index 7928335ca..0f9576253 100644 ---- a/src/lib/krad/t_attrset.c -+++ b/src/lib/krad/t_attrset.c -@@ -49,6 +49,7 @@ main() - krb5_context ctx; - size_t len = 0, encode_len; - krb5_data tmp; -+ krb5_boolean is_fips = FALSE; - - noerror(krb5_init_context(&ctx)); - noerror(krad_attrset_new(ctx, &set)); -@@ -62,7 +63,8 @@ main() - noerror(krad_attrset_add(set, krad_attr_name2num("User-Password"), &tmp)); - - /* Encode attrset. */ -- noerror(kr_attrset_encode(set, "foo", auth, buffer, &encode_len)); -+ noerror(kr_attrset_encode(set, "foo", auth, buffer, &encode_len, -+ &is_fips)); - krad_attrset_free(set); - - /* Manually encode User-Name. 
*/ -diff --git a/src/plugins/preauth/spake/spake_client.c b/src/plugins/preauth/spake/spake_client.c -index 00734a13b..a3ce22b70 100644 ---- a/src/plugins/preauth/spake/spake_client.c -+++ b/src/plugins/preauth/spake/spake_client.c -@@ -38,6 +38,8 @@ - #include "groups.h" - #include - -+#include -+ - typedef struct reqstate_st { - krb5_pa_spake *msg; /* set in prep_questions, used in process */ - krb5_keyblock *initial_key; -@@ -375,6 +377,10 @@ clpreauth_spake_initvt(krb5_context context, int maj_ver, int min_ver, - - if (maj_ver != 1) - return KRB5_PLUGIN_VER_NOTSUPP; -+ -+ if (FIPS_mode()) -+ return KRB5_CRYPTO_INTERNAL; -+ - vt = (krb5_clpreauth_vtable)vtable; - vt->name = "spake"; - vt->pa_type_list = pa_types; -diff --git a/src/plugins/preauth/spake/spake_kdc.c b/src/plugins/preauth/spake/spake_kdc.c -index 88c964ce1..c7df0392f 100644 ---- a/src/plugins/preauth/spake/spake_kdc.c -+++ b/src/plugins/preauth/spake/spake_kdc.c -@@ -41,6 +41,8 @@ - - #include - -+#include -+ - /* - * The SPAKE kdcpreauth module uses a secure cookie containing the following - * concatenated fields (all integer fields are big-endian): -@@ -571,6 +573,10 @@ kdcpreauth_spake_initvt(krb5_context context, int maj_ver, int min_ver, - - if (maj_ver != 1) - return KRB5_PLUGIN_VER_NOTSUPP; -+ -+ if (FIPS_mode()) -+ return KRB5_CRYPTO_INTERNAL; -+ - vt = (krb5_kdcpreauth_vtable)vtable; - vt->name = "spake"; - vt->pa_type_list = pa_types; diff --git a/Remove-3des-support.patch b/Remove-3des-support.patch index 2bc2479..4ec3a0f 100644 --- a/Remove-3des-support.patch +++ b/Remove-3des-support.patch @@ -1,4 +1,4 @@ -From fef4e551d3d2dcb55e58cc182304254c36aa8949 Mon Sep 17 00:00:00 2001 +From 7b40250066bbcc529b5348b68199c58fbad82376 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 26 Mar 2019 18:51:10 -0400 Subject: [PATCH] [downstream] Remove 3des support 
@@ -8,7 +8,17 @@ des3-hmac-sha1, des3-cbc-sha1-kd). Update all tests and documentation to user other enctypes. Mark the 3DES enctypes UNSUPPORTED and retain their constants. -Last-updated: 1.19-beta1 +Last-updated: 1.20-final +[antorres@redhat.com: remove diffs for: + - src/kdamin/testing/proto/kdc.conf.proto + - src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp + - src/lib/kadm5/unit-test/api.current/get-principal-v2.exp + - src/lib/kadm5/unit-test/api.current/randkey-principal-v2.exp + since they were removed by Remove-TCL-based-libkadm5-API-tests.patch] +[jrische@redhat.com: restore supportedCMSTypes (not using 3DES any more): + - src/plugins/preauth/pkinit/pkinit_crypto.h + - src/plugins/preauth/pkinit/pkinit_crypto_openssl.c + - src/plugins/preauth/pkinit/pkinit_clnt.c] --- doc/admin/advanced/retiring-des.rst | 11 + doc/admin/conf_files/kdc_conf.rst | 7 +- 
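Review bot: The added annotation line `+ - src/kdamin/testing/proto/kdc.conf.proto` misspells the path; the inner hunk it describes, which this diff drops further down, is for `src/kadmin/testing/proto/kdc.conf.proto`, so the line should read ` - src/kadmin/testing/proto/kdc.conf.proto`. These bracketed notes are the only record of where the downstream patch diverges from its upstream commit, so a wrong path sends the next person rebasing it to a file that does not exist. It would also help to say in the jrische note that pkinit_crypto.h keeps a reduced diff, since the updated diffstat later in this change still lists `src/plugins/preauth/pkinit/pkinit_crypto.h | 10 +-` while "restore supportedCMSTypes" alone reads as if the header were left untouched.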
@@ -18,35 +28,34 @@ Last-updated: 1.19-beta1 doc/conf.py | 2 +- doc/mitK5features.rst | 2 +- src/Makefile.in | 4 +- - src/configure.ac | 1 - + src/configure.ac | 4 +- src/include/krb5/krb5.hin | 10 +- - src/kadmin/testing/proto/kdc.conf.proto | 4 +- src/kdc/kdc_util.c | 4 - src/lib/crypto/Makefile.in | 8 +- src/lib/crypto/builtin/Makefile.in | 6 +- src/lib/crypto/builtin/des/ISSUES | 13 - - src/lib/crypto/builtin/des/Makefile.in | 80 ---- - src/lib/crypto/builtin/des/d3_aead.c | 133 ------ - src/lib/crypto/builtin/des/d3_kysched.c | 51 --- - src/lib/crypto/builtin/des/deps | 150 ------- + src/lib/crypto/builtin/des/Makefile.in | 82 ---- + src/lib/crypto/builtin/des/d3_aead.c | 137 ------ + src/lib/crypto/builtin/des/d3_kysched.c | 55 --- + src/lib/crypto/builtin/des/deps | 146 ------- src/lib/crypto/builtin/des/des_int.h | 285 ------------- - src/lib/crypto/builtin/des/des_keys.c | 40 -- + src/lib/crypto/builtin/des/des_keys.c | 38 -- src/lib/crypto/builtin/des/destest.c | 240 ----------- src/lib/crypto/builtin/des/doc/libdes.doc | 208 --------- - src/lib/crypto/builtin/des/f_aead.c | 173 -------- + src/lib/crypto/builtin/des/f_aead.c | 177 -------- src/lib/crypto/builtin/des/f_cbc.c | 256 ------------ - src/lib/crypto/builtin/des/f_cksum.c | 136 ------ - src/lib/crypto/builtin/des/f_parity.c | 56 --- - src/lib/crypto/builtin/des/f_sched.c | 359 ---------------- - src/lib/crypto/builtin/des/f_tables.c | 370 ---------------- + src/lib/crypto/builtin/des/f_cksum.c | 141 ------- + src/lib/crypto/builtin/des/f_parity.c | 64 --- + src/lib/crypto/builtin/des/f_sched.c | 363 ---------------- + src/lib/crypto/builtin/des/f_tables.c | 375 ----------------- src/lib/crypto/builtin/des/f_tables.h | 285 ------------- - src/lib/crypto/builtin/des/key_sched.c | 62 --- + src/lib/crypto/builtin/des/key_sched.c | 66 --- src/lib/crypto/builtin/des/keytest.data | 171 -------- src/lib/crypto/builtin/des/t_verify.c | 395 ------------------ - src/lib/crypto/builtin/des/weak_key.c | 86 
---- - .../crypto/builtin/enc_provider/Makefile.in | 6 +- - src/lib/crypto/builtin/enc_provider/deps | 13 - - src/lib/crypto/builtin/enc_provider/des3.c | 105 ----- + src/lib/crypto/builtin/des/weak_key.c | 90 ---- + .../crypto/builtin/enc_provider/Makefile.in | 5 +- + src/lib/crypto/builtin/enc_provider/deps | 11 - + src/lib/crypto/builtin/enc_provider/des3.c | 109 ----- src/lib/crypto/crypto_tests/t_cf2.expected | 1 - src/lib/crypto/crypto_tests/t_cf2.in | 5 - src/lib/crypto/crypto_tests/t_cksums.c | 10 - 
@@ -55,45 +64,40 @@ Last-updated: 1.19-beta1 src/lib/crypto/crypto_tests/t_encrypt.c | 1 - src/lib/crypto/crypto_tests/t_short.c | 1 - src/lib/crypto/crypto_tests/t_str2key.c | 52 --- + src/lib/crypto/crypto_tests/vectors.c | 4 - src/lib/crypto/krb/Makefile.in | 3 - src/lib/crypto/krb/cksumtypes.c | 6 - - src/lib/crypto/krb/crypto_int.h | 16 - + src/lib/crypto/krb/crypto_int.h | 11 - src/lib/crypto/krb/default_state.c | 10 - src/lib/crypto/krb/enctype_util.c | 3 + src/lib/crypto/krb/etypes.c | 21 - src/lib/crypto/krb/prf_des.c | 47 --- - src/lib/crypto/krb/random_to_key.c | 45 -- + src/lib/crypto/krb/random_to_key.c | 28 -- src/lib/crypto/libk5crypto.exports | 1 - src/lib/crypto/openssl/Makefile.in | 8 +- src/lib/crypto/openssl/des/Makefile.in | 20 - - src/lib/crypto/openssl/des/deps | 15 - - src/lib/crypto/openssl/des/des_keys.c | 40 -- + src/lib/crypto/openssl/des/deps | 14 - + src/lib/crypto/openssl/des/des_keys.c | 39 -- .../crypto/openssl/enc_provider/Makefile.in | 3 - src/lib/crypto/openssl/enc_provider/deps | 11 - - src/lib/crypto/openssl/enc_provider/des3.c | 184 -------- + src/lib/crypto/openssl/enc_provider/des3.c | 188 --------- + src/lib/crypto/openssl/kdf.c | 2 - src/lib/gssapi/krb5/accept_sec_context.c | 1 - src/lib/gssapi/krb5/gssapiP_krb5.h | 6 +- src/lib/gssapi/krb5/k5seal.c | 35 +- src/lib/gssapi/krb5/k5sealiov.c | 27 +- - src/lib/gssapi/krb5/k5unseal.c | 102 ++--- + src/lib/gssapi/krb5/k5unseal.c | 88 ++-- src/lib/gssapi/krb5/k5unsealiov.c | 38 +- src/lib/gssapi/krb5/util_crypt.c | 11 - - .../api.current/chpass-principal-v2.exp | 4 +- - .../api.current/get-principal-v2.exp | 4 +- - .../api.current/randkey-principal-v2.exp | 4 +- src/lib/krb5/krb/init_ctx.c | 3 - src/lib/krb5/krb/s4u_creds.c | 2 - src/lib/krb5/krb/t_etypes.c | 48 +-- src/lib/krb5/os/t_trace.c | 4 +- src/lib/krb5/os/t_trace.ref | 2 +- src/plugins/preauth/pkinit/pkcs11.h | 6 +- - src/plugins/preauth/pkinit/pkinit_clnt.c | 8 - - src/plugins/preauth/pkinit/pkinit_crypto.h | 12 - - 
.../preauth/pkinit/pkinit_crypto_openssl.c | 38 -- - src/plugins/preauth/pkinit/pkinit_kdf_test.c | 31 -- + src/plugins/preauth/pkinit/pkinit_crypto.h | 10 +- + src/plugins/preauth/pkinit/pkinit_kdf_test.c | 30 -- src/plugins/preauth/spake/t_vectors.c | 25 -- - src/tests/dejagnu/config/default.exp | 78 ---- - src/tests/dejagnu/krb-standalone/kprop.exp | 2 +- src/tests/gssapi/t_enctypes.py | 33 +- src/tests/gssapi/t_invalid.c | 12 - src/tests/gssapi/t_pcontok.c | 16 +- @@ -105,7 +109,7 @@ Last-updated: 1.19-beta1 src/tests/t_salt.py | 5 +- src/util/k5test.py | 7 - .../leash/htmlhelp/html/Encryption_Types.htm | 13 - - 95 files changed, 160 insertions(+), 4835 deletions(-) + 89 files changed, 151 insertions(+), 4713 deletions(-) delete mode 100644 src/lib/crypto/builtin/des/ISSUES delete mode 100644 src/lib/crypto/builtin/des/Makefile.in delete mode 100644 src/lib/crypto/builtin/des/d3_aead.c @@ -134,7 +138,7 @@ Last-updated: 1.19-beta1 delete mode 100644 src/lib/crypto/openssl/enc_provider/des3.c diff --git a/doc/admin/advanced/retiring-des.rst b/doc/admin/advanced/retiring-des.rst -index 38f76d3f4..d5e3c30c0 100644 +index 38f76d3f45..d5e3c30c04 100644 --- a/doc/admin/advanced/retiring-des.rst +++ b/doc/admin/advanced/retiring-des.rst @@ -10,6 +10,13 @@ ability have rendered DES vulnerable to brute force attacks on its 56-bit @@ -163,10 +167,10 @@ index 38f76d3f4..d5e3c30c0 100644 ------------- diff --git a/doc/admin/conf_files/kdc_conf.rst b/doc/admin/conf_files/kdc_conf.rst -index 1dc958d62..3a72aabef 100644 +index 74a0a2acef..846c58ed82 100644 --- a/doc/admin/conf_files/kdc_conf.rst +++ b/doc/admin/conf_files/kdc_conf.rst -@@ -848,8 +848,6 @@ Encryption types marked as "weak" and "deprecated" are available for +@@ -854,8 +854,6 @@ Encryption types marked as "weak" and "deprecated" are available for compatibility but not recommended for use. ==================================================== ========================================================= 
@@ -175,7 +179,7 @@ index 1dc958d62..3a72aabef 100644 aes256-cts-hmac-sha1-96 aes256-cts aes256-sha1 AES-256 CTS mode with 96-bit SHA-1 HMAC aes128-cts-hmac-sha1-96 aes128-cts aes128-sha1 AES-128 CTS mode with 96-bit SHA-1 HMAC aes256-cts-hmac-sha384-192 aes256-sha2 AES-256 CTS mode with 192-bit SHA-384 HMAC -@@ -858,7 +856,6 @@ arcfour-hmac rc4-hmac arcfour-hmac-md5 RC4 with HMAC/MD5 (deprecat +@@ -864,7 +862,6 @@ arcfour-hmac rc4-hmac arcfour-hmac-md5 RC4 with HMAC/MD5 (deprecat arcfour-hmac-exp rc4-hmac-exp arcfour-hmac-md5-exp Exportable RC4 with HMAC/MD5 (weak) camellia256-cts-cmac camellia256-cts Camellia-256 CTS mode with CMAC camellia128-cts-cmac camellia128-cts Camellia-128 CTS mode with CMAC @@ -183,7 +187,7 @@ index 1dc958d62..3a72aabef 100644 aes The AES family: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192, and aes128-cts-hmac-sha256-128 rc4 The RC4 family: arcfour-hmac camellia The Camellia family: camellia256-cts-cmac and camellia128-cts-cmac -@@ -870,8 +867,8 @@ from the current list by prefixing them with a minus sign ("-"). +@@ -876,8 +873,8 @@ from the current list by prefixing them with a minus sign ("-"). Types or families can be prefixed with a plus sign ("+") for symmetry; it has the same meaning as just listing the type or family. For example, "``DEFAULT -rc4``" would be the default set of encryption @@ -195,7 +199,7 @@ index 1dc958d62..3a72aabef 100644 While **aes128-cts** and **aes256-cts** are supported for all Kerberos diff --git a/doc/admin/enctypes.rst b/doc/admin/enctypes.rst -index 047185afb..b08d954d9 100644 +index 694922c0d9..c4d5499d3b 100644 --- a/doc/admin/enctypes.rst +++ b/doc/admin/enctypes.rst @@ -129,7 +129,7 @@ enctype weak? krb5 Windows @@ -223,7 +227,7 @@ index 047185afb..b08d954d9 100644 Migrating away from older encryption types diff --git a/doc/admin/troubleshoot.rst b/doc/admin/troubleshoot.rst -index ade5e1f87..e4dc54f7e 100644 +index ade5e1f87a..e4dc54f7e5 100644 
--- a/doc/admin/troubleshoot.rst +++ b/doc/admin/troubleshoot.rst @@ -73,11 +73,10 @@ credential verification failed: KDC has no support for encryption type @@ -243,7 +247,7 @@ index ade5e1f87..e4dc54f7e 100644 .. _err_cert_chain_cert_expired: diff --git a/doc/appdev/refs/macros/index.rst b/doc/appdev/refs/macros/index.rst -index cebb6644c..4d51e795c 100644 +index a0d4f26701..5f34dea5e8 100644 --- a/doc/appdev/refs/macros/index.rst +++ b/doc/appdev/refs/macros/index.rst @@ -36,7 +36,6 @@ Public @@ -255,10 +259,10 @@ index cebb6644c..4d51e795c 100644 CKSUMTYPE_NIST_SHA.rst CKSUMTYPE_RSA_MD4.rst diff --git a/doc/conf.py b/doc/conf.py -index 543202bf4..4fb6aae14 100644 +index fa0eb80f1f..12168fa695 100644 --- a/doc/conf.py +++ b/doc/conf.py -@@ -271,7 +271,7 @@ else: +@@ -278,7 +278,7 @@ else: rst_epilog += ''' .. |krb5conf| replace:: ``/etc/krb5.conf`` .. |defkeysalts| replace:: ``aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal`` @@ -268,7 +272,7 @@ index 543202bf4..4fb6aae14 100644 .. |copy| unicode:: U+000A9 ''' diff --git a/doc/mitK5features.rst b/doc/mitK5features.rst -index 4954bb3aa..92ce2a772 100644 +index ca2d6ef117..100c64a1c1 100644 --- a/doc/mitK5features.rst +++ b/doc/mitK5features.rst @@ -37,7 +37,7 @@ Database backends: LDAP, DB2, LMDB @@ -281,7 +285,7 @@ index 4954bb3aa..92ce2a772 100644 Interoperability ---------------- diff --git a/src/Makefile.in b/src/Makefile.in -index 7d2507ef8..c16715ac7 100644 +index 8f14e9bf2c..ba3bb18eec 100644 --- a/src/Makefile.in +++ b/src/Makefile.in @@ -130,7 +130,7 @@ WINMAKEFILES=Makefile \ @@ -303,19 +307,26 @@ index 7d2507ef8..c16715ac7 100644 ##DOS## $(WCONFIG) config < $@.in > $@ ##DOS##lib\crypto\builtin\camellia\Makefile: lib\crypto\builtin\camellia\Makefile.in $(MKFDEP) diff --git a/src/configure.ac b/src/configure.ac -index dd2cad3ee..3e1052db7 100644 +index 40545f2bfc..8dc864718d 100644 --- a/src/configure.ac 
+++ b/src/configure.ac -@@ -1480,7 +1480,6 @@ V5_AC_OUTPUT_MAKEFILE(. - lib/crypto lib/crypto/krb lib/crypto/$CRYPTO_IMPL - lib/crypto/$CRYPTO_IMPL/enc_provider - lib/crypto/$CRYPTO_IMPL/hash_provider -- lib/crypto/$CRYPTO_IMPL/des - lib/crypto/$CRYPTO_IMPL/md4 lib/crypto/$CRYPTO_IMPL/md5 - lib/crypto/$CRYPTO_IMPL/sha1 lib/crypto/$CRYPTO_IMPL/sha2 - lib/crypto/$CRYPTO_IMPL/aes lib/crypto/$CRYPTO_IMPL/camellia +@@ -1489,12 +1489,12 @@ V5_AC_OUTPUT_MAKEFILE(. + lib lib/kdb + + lib/crypto lib/crypto/krb lib/crypto/crypto_tests +- lib/crypto/builtin lib/crypto/builtin/des ++ lib/crypto/builtin + lib/crypto/builtin/aes lib/crypto/builtin/camellia + lib/crypto/builtin/md4 lib/crypto/builtin/md5 + lib/crypto/builtin/sha1 lib/crypto/builtin/sha2 + lib/crypto/builtin/enc_provider lib/crypto/builtin/hash_provider +- lib/crypto/openssl lib/crypto/openssl/des ++ lib/crypto/openssl + lib/crypto/openssl/enc_provider lib/crypto/openssl/hash_provider + + lib/krb5 lib/krb5/error_tables lib/krb5/asn.1 lib/krb5/ccache diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin -index db80063eb..63e67a2ba 100644 +index 7e1dea2cbf..fb9f2a366c 100644 --- a/src/include/krb5/krb5.hin +++ b/src/include/krb5/krb5.hin @@ -426,8 +426,8 @@ typedef struct _krb5_crypto_iov { 
@@ -341,33 +352,20 @@ index db80063eb..63e67a2ba 100644 #define ENCTYPE_AES128_CTS_HMAC_SHA1_96 0x0011 /**< RFC 3962 */ #define ENCTYPE_AES256_CTS_HMAC_SHA1_96 0x0012 /**< RFC 3962 */ #define ENCTYPE_AES128_CTS_HMAC_SHA256_128 0x0013 /**< RFC 8009 */ -@@ -458,7 +458,7 @@ typedef struct _krb5_crypto_iov { +@@ -463,7 +463,7 @@ typedef struct _krb5_crypto_iov { #define CKSUMTYPE_RSA_MD5 0x0007 #define CKSUMTYPE_RSA_MD5_DES 0x0008 #define CKSUMTYPE_NIST_SHA 0x0009 -#define CKSUMTYPE_HMAC_SHA1_DES3 0x000c +#define CKSUMTYPE_HMAC_SHA1_DES3 0x000c /* @deprecated removed */ + #define CKSUMTYPE_SHA1 0x000e /**< RFC 3961 */ #define CKSUMTYPE_HMAC_SHA1_96_AES128 0x000f /**< RFC 3962. Used with ENCTYPE_AES128_CTS_HMAC_SHA1_96 */ - #define CKSUMTYPE_HMAC_SHA1_96_AES256 0x0010 /**< RFC 3962. Used with -diff --git a/src/kadmin/testing/proto/kdc.conf.proto b/src/kadmin/testing/proto/kdc.conf.proto -index 8a4b87de1..d7f1d076b 100644 ---- a/src/kadmin/testing/proto/kdc.conf.proto -+++ b/src/kadmin/testing/proto/kdc.conf.proto -@@ -11,6 +11,6 @@ - dict_file = __K5ROOT__/ovsec_adm.dict - kadmind_port = 1751 - kpasswd_port = 1752 -- master_key_type = des3-hmac-sha1 -- supported_enctypes = des3-hmac-sha1:normal aes256-cts:normal aes128-cts:normal aes256-sha2:normal aes128-sha2:normal -+ master_key_type = aes256-cts -+ supported_enctypes = aes256-cts:normal aes128-cts:normal aes256-sha2:normal aes128-sha2:normal - } diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c -index 60f30c4f4..c65375aef 100644 +index 9f2a67d189..b7a9aa4992 100644 --- a/src/kdc/kdc_util.c +++ b/src/kdc/kdc_util.c -@@ -1017,8 +1017,6 @@ enctype_name(krb5_enctype ktype, char *buf, size_t buflen) +@@ -1111,8 +1111,6 @@ enctype_name(krb5_enctype ktype, char *buf, size_t buflen) name = "rsaEncryption-EnvOID"; else if (ktype == ENCTYPE_RSA_ES_OAEP_ENV) name = "id-RSAES-OAEP-EnvOID"; 
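Review bot: The kdc.conf.proto hunk, which moved the test KDC's `master_key_type` and `supported_enctypes` off `des3-hmac-sha1` onto `aes256-cts`, is dropped from the rebased patch in this hunk, and nothing visible here shows that the upstream base now defaults that file away from 3DES. If it still lists des3-hmac-sha1, the kadmin test KDB would be created with a master key enctype this same patch removes, so it is worth confirming against the current src/kadmin/testing/proto/kdc.conf.proto before merging. A one-line note in the patch description recording why the hunk was dropped (e.g. `kdc.conf.proto hunk dropped: upstream default no longer uses des3`) would save the next rebase the same check. Keeping `CKSUMTYPE_HMAC_SHA1_DES3` at its value with the `/* @deprecated removed */` marker is consistent with the header-compatibility intent of the rest of the series.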
@@ -376,7 +374,7 @@ index 60f30c4f4..c65375aef 100644 else return krb5_enctype_to_name(ktype, FALSE, buf, buflen); -@@ -1605,8 +1603,6 @@ krb5_boolean +@@ -1704,8 +1702,6 @@ krb5_boolean enctype_requires_etype_info_2(krb5_enctype enctype) { switch(enctype) { @@ -386,28 +384,25 @@ index 60f30c4f4..c65375aef 100644 case ENCTYPE_ARCFOUR_HMAC_EXP : return 0; diff --git a/src/lib/crypto/Makefile.in b/src/lib/crypto/Makefile.in -index c3fcfd7e8..890d54adf 100644 +index 10e8c74cf8..25c4f40cc3 100644 --- a/src/lib/crypto/Makefile.in 
+++ b/src/lib/crypto/Makefile.in -@@ -13,7 +13,7 @@ STOBJLISTS=$(CRYPTO_IMPL)/enc_provider/OBJS.ST \ - $(CRYPTO_IMPL)/hash_provider/OBJS.ST \ - $(CRYPTO_IMPL)/md4/OBJS.ST $(CRYPTO_IMPL)/md5/OBJS.ST \ - $(CRYPTO_IMPL)/sha1/OBJS.ST $(CRYPTO_IMPL)/sha2/OBJS.ST \ -- $(CRYPTO_IMPL)/aes/OBJS.ST $(CRYPTO_IMPL)/des/OBJS.ST \ -+ $(CRYPTO_IMPL)/aes/OBJS.ST \ - $(CRYPTO_IMPL)/camellia/OBJS.ST krb/OBJS.ST \ - $(CRYPTO_IMPL)/OBJS.ST +@@ -10,12 +10,12 @@ LIBMINOR=1 + RELDIR=crypto -@@ -21,7 +21,7 @@ SUBDIROBJLISTS=$(CRYPTO_IMPL)/enc_provider/OBJS.ST \ - $(CRYPTO_IMPL)/hash_provider/OBJS.ST \ - $(CRYPTO_IMPL)/md4/OBJS.ST $(CRYPTO_IMPL)/md5/OBJS.ST \ - $(CRYPTO_IMPL)/sha1/OBJS.ST $(CRYPTO_IMPL)/sha2/OBJS.ST \ -- $(CRYPTO_IMPL)/aes/OBJS.ST $(CRYPTO_IMPL)/des/OBJS.ST \ -+ $(CRYPTO_IMPL)/aes/OBJS.ST \ - $(CRYPTO_IMPL)/camellia/OBJS.ST krb/OBJS.ST \ - $(CRYPTO_IMPL)/OBJS.ST + STOBJLISTS=krb/OBJS.ST \ +- builtin/OBJS.ST builtin/des/OBJS.ST \ ++ builtin/OBJS.ST \ + builtin/aes/OBJS.ST builtin/camellia/OBJS.ST \ + builtin/md4/OBJS.ST builtin/md5/OBJS.ST \ + builtin/sha1/OBJS.ST builtin/sha2/OBJS.ST \ + builtin/enc_provider/OBJS.ST builtin/hash_provider/OBJS.ST \ +- openssl/OBJS.ST openssl/des/OBJS.ST \ ++ openssl/OBJS.ST \ + openssl/enc_provider/OBJS.ST openssl/hash_provider/OBJS.ST -@@ -34,8 +34,8 @@ SHLIB_EXPDEPLIBS= $(SUPPORT_DEPLIB) + SUBDIROBJLISTS=$(STOBJLISTS) +@@ -28,8 +28,8 @@ SHLIB_EXPDEPLIBS= $(SUPPORT_DEPLIB) SHLIB_LDFLAGS= $(LDFLAGS) @SHLIB_RPATH_DIRS@ ##DOS##LIBNAME=$(OUTPRE)crypto.lib @@ -419,7 +414,7 @@ index c3fcfd7e8..890d54adf 100644 all-unix: all-liblinks install-unix: install-libs diff --git a/src/lib/crypto/builtin/Makefile.in b/src/lib/crypto/builtin/Makefile.in -index baf5d974f..82adf1dec 100644 +index daf19da195..c9e967c807 100644 --- a/src/lib/crypto/builtin/Makefile.in +++ b/src/lib/crypto/builtin/Makefile.in @@ -1,6 +1,6 @@ 
@@ -427,11 +422,11 @@ index baf5d974f..82adf1dec 100644 BUILDTOP=$(REL)..$(S)..$(S).. -SUBDIRS=camellia des aes md4 md5 sha1 sha2 enc_provider hash_provider +SUBDIRS=camellia aes md4 md5 sha1 sha2 enc_provider hash_provider - LOCALINCLUDES = -I$(srcdir)/../krb -I$(srcdir) + LOCALINCLUDES=-I$(srcdir)/../krb $(CRYPTO_IMPL_CFLAGS) ##DOS##BUILDTOP = ..\..\.. -@@ -22,7 +22,7 @@ SRCS=\ - $(srcdir)/init.c \ +@@ -25,7 +25,7 @@ SRCS=\ + $(srcdir)/kdf.c \ $(srcdir)/pbkdf2.c -STOBJLISTS= des/OBJS.ST md4/OBJS.ST \ @@ -439,7 +434,7 @@ index baf5d974f..82adf1dec 100644 md5/OBJS.ST sha1/OBJS.ST sha2/OBJS.ST \ enc_provider/OBJS.ST \ hash_provider/OBJS.ST \ -@@ -30,7 +30,7 @@ STOBJLISTS= des/OBJS.ST md4/OBJS.ST \ +@@ -33,7 +33,7 @@ STOBJLISTS= des/OBJS.ST md4/OBJS.ST \ camellia/OBJS.ST \ OBJS.ST @@ -450,7 +445,7 @@ index baf5d974f..82adf1dec 100644 hash_provider/OBJS.ST \ diff --git a/src/lib/crypto/builtin/des/ISSUES b/src/lib/crypto/builtin/des/ISSUES deleted file mode 100644 -index 157891103..000000000 +index 1578911033..0000000000 --- a/src/lib/crypto/builtin/des/ISSUES +++ /dev/null @@ -1,13 +0,0 @@ @@ -469,13 +464,13 @@ index 157891103..000000000 -const? diff --git a/src/lib/crypto/builtin/des/Makefile.in b/src/lib/crypto/builtin/des/Makefile.in deleted file mode 100644 -index 54b329d0f..000000000 +index 397ac87ed4..0000000000 --- a/src/lib/crypto/builtin/des/Makefile.in +++ /dev/null -@@ -1,80 +0,0 @@ +@@ -1,82 +0,0 @@ -mydir=lib$(S)crypto$(S)builtin$(S)des -BUILDTOP=$(REL)..$(S)..$(S)..$(S).. --LOCALINCLUDES = -I$(srcdir)/.. -I$(srcdir)/../../krb +-LOCALINCLUDES=-I$(srcdir)/../../krb $(CRYPTO_IMPL_CFLAGS) - -##DOS##BUILDTOP = ..\..\..\.. -##DOS##PREFIXDIR = builtin\des @@ -533,7 +528,9 @@ index 54b329d0f..000000000 - -all-unix: all-libobjs - --check-unix: verify destest +-check-unix: check-unix-@CRYPTO_BUILTIN_TESTS@ +-check-unix-no: +-check-unix-yes: verify destest - $(RUN_TEST) ./verify -z - $(RUN_TEST) ./verify -m - $(RUN_TEST) ./verify 
@@ -555,10 +552,10 @@ index 54b329d0f..000000000 - diff --git a/src/lib/crypto/builtin/des/d3_aead.c b/src/lib/crypto/builtin/des/d3_aead.c deleted file mode 100644 -index bddf75a47..000000000 +index fb83f73b43..0000000000 --- a/src/lib/crypto/builtin/des/d3_aead.c +++ /dev/null -@@ -1,133 +0,0 @@ +@@ -1,137 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* - * Copyright (C) 2008 by the Massachusetts Institute of Technology. @@ -587,6 +584,8 @@ index bddf75a47..000000000 -#include "des_int.h" -#include "f_tables.h" - +-#ifdef K5_BUILTIN_DES +- -void -krb5int_des3_cbc_encrypt(krb5_crypto_iov *data, unsigned long num_data, - const mit_des_key_schedule ks1, @@ -692,12 +691,14 @@ index bddf75a47..000000000 - store_32_be(ocipherr, ivec + 4); - } -} +- +-#endif /* K5_BUILTIN_DES */ diff --git a/src/lib/crypto/builtin/des/d3_kysched.c b/src/lib/crypto/builtin/des/d3_kysched.c deleted file mode 100644 -index ebd1050b1..000000000 +index 55fb9449b5..0000000000 --- a/src/lib/crypto/builtin/des/d3_kysched.c +++ /dev/null -@@ -1,51 +0,0 @@ +@@ -1,55 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* - * Copyright 1995 by Richard P. Basch. All Rights Reserved. @@ -721,9 +722,11 @@ index ebd1050b1..000000000 - * express or implied warranty. - */ - --#include "k5-int.h" +-#include "crypto_int.h" -#include "des_int.h" - +-#ifdef K5_BUILTIN_DES +- -int -mit_des3_key_sched(mit_des3_cblock k, mit_des3_key_schedule schedule) -{ @@ -749,20 +752,20 @@ index ebd1050b1..000000000 - /* if key was good, return 0 */ - return 0; -} +- +-#endif /* K5_BUILTIN_DES */ diff --git a/src/lib/crypto/builtin/des/deps b/src/lib/crypto/builtin/des/deps deleted file mode 100644 -index a1db1f36e..000000000 +index 1c1239d696..0000000000 
--- a/src/lib/crypto/builtin/des/deps +++ /dev/null -@@ -1,150 +0,0 @@ +@@ -1,146 +0,0 @@ -# -# Generated makefile dependencies follow. -# -d3_aead.so d3_aead.po $(OUTPRE)d3_aead.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h \ -- $(srcdir)/../aes/aes.h $(srcdir)/../aes/brg_types.h \ -- $(srcdir)/../crypto_mod.h $(srcdir)/../sha2/sha2.h \ - $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ - $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ - $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ 
@@ -774,20 +777,18 @@ index a1db1f36e..000000000 -d3_kysched.so d3_kysched.po $(OUTPRE)d3_kysched.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ -- $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ -- $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ -- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ -- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ -- $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ -- $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ -- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ -- d3_kysched.c des_int.h +- $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h $(top_srcdir)/include/k5-buf.h \ +- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ +- $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ +- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ +- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ +- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ +- $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ +- $(top_srcdir)/include/socket-utils.h d3_kysched.c des_int.h -des_keys.so des_keys.po $(OUTPRE)des_keys.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ -- $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h $(srcdir)/../aes/aes.h \ -- $(srcdir)/../aes/brg_types.h $(srcdir)/../crypto_mod.h \ -- $(srcdir)/../sha2/sha2.h $(top_srcdir)/include/k5-buf.h \ +- $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h 
$(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ @@ -798,8 +799,6 @@ index a1db1f36e..000000000 -f_aead.so f_aead.po $(OUTPRE)f_aead.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h \ -- $(srcdir)/../aes/aes.h $(srcdir)/../aes/brg_types.h \ -- $(srcdir)/../crypto_mod.h $(srcdir)/../sha2/sha2.h \ - $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ - $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ - $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ 
@@ -810,69 +809,71 @@ index a1db1f36e..000000000 - des_int.h f_aead.c f_tables.h -f_cksum.so f_cksum.po $(OUTPRE)f_cksum.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ -- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ -- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ -- $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ -- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ -- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ -- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ -- $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ -- $(top_srcdir)/include/socket-utils.h des_int.h f_cksum.c \ -- f_tables.h +- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h \ +- $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ +- $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ +- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ +- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ +- $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ +- $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ +- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ +- des_int.h f_cksum.c f_tables.h -f_parity.so f_parity.po $(OUTPRE)f_parity.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ -- $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ -- $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ -- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ -- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ -- 
$(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ -- $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ -- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ -- des_int.h f_parity.c --f_sched.so f_sched.po $(OUTPRE)f_sched.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ -- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ -- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ +- $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ -- $(top_srcdir)/include/socket-utils.h des_int.h f_sched.c +- $(top_srcdir)/include/socket-utils.h des_int.h f_parity.c +-f_sched.so f_sched.po $(OUTPRE)f_sched.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ +- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ +- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h \ +- $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ +- $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ +- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ +- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ +- $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ +- $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ +- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ +- des_int.h f_sched.c -f_tables.so f_tables.po $(OUTPRE)f_tables.$(OBJEXT): \ - 
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ -- $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ -- $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ -- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ -- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ -- $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ -- $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ -- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ -- des_int.h f_tables.c f_tables.h +- $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h $(top_srcdir)/include/k5-buf.h \ +- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ +- $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ +- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ +- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ +- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ +- $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ +- $(top_srcdir)/include/socket-utils.h des_int.h f_tables.c \ +- f_tables.h -key_sched.so key_sched.po $(OUTPRE)key_sched.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ -- $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ -- $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ -- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ -- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ -- $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ -- $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ -- 
$(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ -- des_int.h key_sched.c +- $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h $(top_srcdir)/include/k5-buf.h \ +- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ +- $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ +- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ +- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ +- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ +- $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ +- $(top_srcdir)/include/socket-utils.h des_int.h key_sched.c -weak_key.so weak_key.po $(OUTPRE)weak_key.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ -- $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ -- $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ -- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ -- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ -- $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ -- $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ -- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ -- des_int.h weak_key.c +- $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h $(top_srcdir)/include/k5-buf.h \ +- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ +- $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ +- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ +- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ +- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ +- $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ +- 
$(top_srcdir)/include/socket-utils.h des_int.h weak_key.c -destest.so destest.po $(OUTPRE)destest.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ @@ -907,7 +908,7 @@ index a1db1f36e..000000000 - des_int.h t_verify.c diff --git a/src/lib/crypto/builtin/des/des_int.h b/src/lib/crypto/builtin/des/des_int.h deleted file mode 100644 -index f8dc6b296..000000000 +index f8dc6b296a..0000000000 --- a/src/lib/crypto/builtin/des/des_int.h +++ /dev/null @@ -1,285 +0,0 @@ @@ -1198,10 +1199,10 @@ index f8dc6b296..000000000 -#endif /*DES_INTERNAL_DEFS*/ diff --git a/src/lib/crypto/builtin/des/des_keys.c b/src/lib/crypto/builtin/des/des_keys.c deleted file mode 100644 -index 32b119aad..000000000 +index 027b09d728..0000000000 --- a/src/lib/crypto/builtin/des/des_keys.c +++ /dev/null -@@ -1,40 +0,0 @@ +@@ -1,38 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* lib/crypto/builtin/des/des_keys.c - Key functions used by Kerberos code */ -/* @@ -1231,20 +1232,18 @@ index 32b119aad..000000000 -#include "crypto_int.h" -#include "des_int.h" - +-#ifdef K5_BUILTIN_DES_KEY_PARITY +- -void -k5_des_fixup_key_parity(unsigned char *keybits) -{ - mit_des_fixup_key_parity(keybits); -} - --krb5_boolean --k5_des_is_weak_key(unsigned char *keybits) --{ -- return mit_des_is_weak_key(keybits); --} +-#endif /* K5_BUILTIN_DES_KEY_PARITY */ diff --git a/src/lib/crypto/builtin/des/destest.c b/src/lib/crypto/builtin/des/destest.c deleted file mode 100644 -index 52114304e..000000000 +index 52114304e3..0000000000 --- a/src/lib/crypto/builtin/des/destest.c +++ /dev/null @@ -1,240 +0,0 @@ @@ -1490,7 +1489,7 @@ index 52114304e..000000000 -} diff --git a/src/lib/crypto/builtin/des/doc/libdes.doc b/src/lib/crypto/builtin/des/doc/libdes.doc deleted file mode 100644 -index 6e9431ed2..000000000 +index 6e9431ed2e..0000000000 
--- a/src/lib/crypto/builtin/des/doc/libdes.doc +++ /dev/null @@ -1,208 +0,0 @@ @@ -1704,10 +1703,10 @@ index 6e9431ed2..000000000 -string length desired. diff --git a/src/lib/crypto/builtin/des/f_aead.c b/src/lib/crypto/builtin/des/f_aead.c deleted file mode 100644 -index 71b8dff4d..000000000 +index f887735820..0000000000 --- a/src/lib/crypto/builtin/des/f_aead.c +++ /dev/null -@@ -1,173 +0,0 @@ +@@ -1,177 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* - * Copyright (C) 2008 by the Massachusetts Institute of Technology. @@ -1736,6 +1735,8 @@ index 71b8dff4d..000000000 -#include "des_int.h" -#include "f_tables.h" - +-#ifdef K5_BUILTIN_DES +- -const mit_des_cblock mit_des_zeroblock /* = all zero */; - -void @@ -1881,9 +1882,11 @@ index 71b8dff4d..000000000 - DES_DO_DECRYPT_1 (*left, *right, kp); -} -#endif +- +-#endif /* K5_BUILTIN_DES */ diff --git a/src/lib/crypto/builtin/des/f_cbc.c b/src/lib/crypto/builtin/des/f_cbc.c deleted file mode 100644 -index 84d5382f2..000000000 +index 84d5382f22..0000000000 --- a/src/lib/crypto/builtin/des/f_cbc.c +++ /dev/null @@ -1,256 +0,0 @@ @@ -2145,10 +2148,10 @@ index 84d5382f2..000000000 -} diff --git a/src/lib/crypto/builtin/des/f_cksum.c b/src/lib/crypto/builtin/des/f_cksum.c deleted file mode 100644 -index cb482b009..000000000 +index 615a947f4a..0000000000 --- a/src/lib/crypto/builtin/des/f_cksum.c +++ /dev/null -@@ -1,136 +0,0 @@ +@@ -1,141 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* lib/crypto/builtin/des/f_cksum.c */ -/* @@ -2180,9 +2183,12 @@ index cb482b009..000000000 -/* - * des_cbc_cksum.c - compute an 8 byte checksum using DES in CBC mode - */ +-#include "crypto_int.h" -#include "des_int.h" -#include "f_tables.h" - +-#ifdef K5_BUILTIN_DES +- -/* - * This routine performs DES cipher-block-chaining checksum operation, - * a.k.a. Message Authentication Code. It ALWAYS encrypts from input 
@@ -2285,12 +2291,14 @@ index cb482b009..000000000 - */ - return right & 0xFFFFFFFFUL; -} +- +-#endif /* K5_BUILTIN_DES */ diff --git a/src/lib/crypto/builtin/des/f_parity.c b/src/lib/crypto/builtin/des/f_parity.c deleted file mode 100644 -index 460b5061b..000000000 +index a658878f6f..0000000000 --- a/src/lib/crypto/builtin/des/f_parity.c +++ /dev/null -@@ -1,56 +0,0 @@ +@@ -1,64 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* - * These routines check and fix parity of encryption keys for the DES @@ -2302,9 +2310,11 @@ index 460b5061b..000000000 - * Mark Eichin -- Cygnus Support - */ - -- +-#include "crypto_int.h" -#include "des_int.h" - +-#ifdef K5_BUILTIN_DES_KEY_PARITY +- -/* - * des_fixup_key_parity: Forces odd parity per byte; parity is bits - * 8,16,...64 in des order, implies 0, 8, 16, ... @@ -2327,6 +2337,10 @@ index 460b5061b..000000000 - return; -} - +-#endif /* K5_BUILTIN_DES_KEY_PARITY */ +- +-#ifdef K5_BUILTIN_DES +- -/* - * des_check_key_parity: returns true iff key has the correct des parity. - * See des_fix_key_parity for the definition of @@ -2347,12 +2361,14 @@ index 460b5061b..000000000 - - return(1); -} +- +-#endif /* K5_BUILTIN_DES */ diff --git a/src/lib/crypto/builtin/des/f_sched.c b/src/lib/crypto/builtin/des/f_sched.c deleted file mode 100644 -index 666a510fb..000000000 +index bbc88a1c8d..0000000000 --- a/src/lib/crypto/builtin/des/f_sched.c +++ /dev/null -@@ -1,359 +0,0 @@ +@@ -1,363 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* lib/crypto/builtin/des/f_sched.c */ -/* @@ -2384,9 +2400,11 @@ index 666a510fb..000000000 -/* - * des_make_sched.c - permute a DES key, returning the resulting key schedule - */ --#include "k5-int.h" +-#include "crypto_int.h" -#include "des_int.h" - +-#ifdef K5_BUILTIN_DES +- -/* - * Permuted choice 1 tables. These are used to extract bits - * from the left and right parts of the key to form Ci and Di. 
@@ -2712,12 +2730,14 @@ index 666a510fb..000000000 - } - return (0); -} +- +-#endif /* K5_BUILTIN_DES */ diff --git a/src/lib/crypto/builtin/des/f_tables.c b/src/lib/crypto/builtin/des/f_tables.c deleted file mode 100644 -index 6308cb0d5..000000000 +index e50ab1fc60..0000000000 --- a/src/lib/crypto/builtin/des/f_tables.c +++ /dev/null -@@ -1,370 +0,0 @@ +@@ -1,375 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* lib/crypto/builtin/des/f_tables.c */ -/* @@ -2754,9 +2774,12 @@ index 6308cb0d5..000000000 - * Include the header file so something will complain if the - * declarations get out of sync - */ +-#include "crypto_int.h" -#include "des_int.h" -#include "f_tables.h" - +-#ifdef K5_BUILTIN_DES +- -/* - * These tables may be declared const if you want. Many compilers - * don't support this, though. @@ -3088,9 +3111,11 @@ index 6308cb0d5..000000000 - 0x40000000, 0x40080010, 0x40084010, 0x00084000 - }, -}; +- +-#endif /* K5_BUILTIN_DES */ diff --git a/src/lib/crypto/builtin/des/f_tables.h b/src/lib/crypto/builtin/des/f_tables.h deleted file mode 100644 -index fc91b566c..000000000 +index fc91b566cf..0000000000 --- a/src/lib/crypto/builtin/des/f_tables.h +++ /dev/null @@ -1,285 +0,0 @@ @@ -3381,10 +3406,10 @@ index fc91b566c..000000000 -#endif /* __DES_TABLES_H__ */ diff --git a/src/lib/crypto/builtin/des/key_sched.c b/src/lib/crypto/builtin/des/key_sched.c deleted file mode 100644 -index 87f02b6a9..000000000 +index d6dedd93c6..0000000000 --- a/src/lib/crypto/builtin/des/key_sched.c +++ /dev/null -@@ -1,62 +0,0 @@ +@@ -1,66 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* lib/crypto/builtin/des/key_sched.c */ -/* @@ -3430,9 +3455,11 @@ index 87f02b6a9..000000000 - * Originally written 6/85 by Steve Miller, MIT Project Athena. - */ - --#include "k5-int.h" +-#include "crypto_int.h" -#include "des_int.h" - +-#ifdef K5_BUILTIN_DES +- -int -mit_des_key_sched(mit_des_cblock k, mit_des_key_schedule schedule) -{ 
@@ -3447,9 +3474,11 @@ index 87f02b6a9..000000000 - /* if key was good, return 0 */ - return 0; -} +- +-#endif /* K5_BUILTIN_DES */ diff --git a/src/lib/crypto/builtin/des/keytest.data b/src/lib/crypto/builtin/des/keytest.data deleted file mode 100644 -index 7ff34eedc..000000000 +index 7ff34eedcf..0000000000 --- a/src/lib/crypto/builtin/des/keytest.data +++ /dev/null @@ -1,171 +0,0 @@ @@ -3626,7 +3655,7 @@ index 7ff34eedc..000000000 -1C587F1C13924FEF 305532286D6F295A 63FAC0D034D9F793 diff --git a/src/lib/crypto/builtin/des/t_verify.c b/src/lib/crypto/builtin/des/t_verify.c deleted file mode 100644 -index 4a19933ca..000000000 +index 4a19933cad..0000000000 --- a/src/lib/crypto/builtin/des/t_verify.c +++ /dev/null @@ -1,395 +0,0 @@ @@ -4027,10 +4056,10 @@ index 4a19933ca..000000000 -} diff --git a/src/lib/crypto/builtin/des/weak_key.c b/src/lib/crypto/builtin/des/weak_key.c deleted file mode 100644 -index eb41b267d..000000000 +index f8304a3638..0000000000 --- a/src/lib/crypto/builtin/des/weak_key.c +++ /dev/null -@@ -1,86 +0,0 @@ +@@ -1,90 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* lib/crypto/builtin/des/weak_key.c */ -/* @@ -4066,9 +4095,11 @@ index eb41b267d..000000000 - * Originally written 8/85 by Steve Miller, MIT Project Athena. - */ - --#include "k5-int.h" +-#include "crypto_int.h" -#include "des_int.h" - +-#ifdef K5_BUILTIN_DES +- -/* - * The following are the weak DES keys: - */ @@ -4117,20 +4148,21 @@ index eb41b267d..000000000 - - return 0; -} +- +-#endif /* K5_BUILTIN_DES */ diff --git a/src/lib/crypto/builtin/enc_provider/Makefile.in b/src/lib/crypto/builtin/enc_provider/Makefile.in -index 3459e1d0e..af6276b96 100644 +index 6ad7cbd4e0..655966b255 100644 --- a/src/lib/crypto/builtin/enc_provider/Makefile.in 
+++ b/src/lib/crypto/builtin/enc_provider/Makefile.in -@@ -1,7 +1,6 @@ +@@ -1,6 +1,6 @@ mydir=lib$(S)crypto$(S)builtin$(S)enc_provider BUILDTOP=$(REL)..$(S)..$(S)..$(S).. --LOCALINCLUDES = -I$(srcdir)/../des \ -- -I$(srcdir)/../aes \ -+LOCALINCLUDES = -I$(srcdir)/../aes \ - -I$(srcdir)/../camellia \ - -I$(srcdir)/../../krb \ - -I$(srcdir)/.. -@@ -11,19 +10,16 @@ LOCALINCLUDES = -I$(srcdir)/../des \ +-LOCALINCLUDES = -I$(srcdir)/../des -I$(srcdir)/../aes -I$(srcdir)/../camellia \ ++LOCALINCLUDES = -I$(srcdir)/../aes -I$(srcdir)/../camellia \ + -I$(srcdir)/../../krb $(CRYPTO_IMPL_CFLAGS) + + ##DOS##BUILDTOP = ..\..\..\.. +@@ -8,19 +8,16 @@ LOCALINCLUDES = -I$(srcdir)/../des -I$(srcdir)/../aes -I$(srcdir)/../camellia \ ##DOS##OBJFILE = ..\..\$(OUTPRE)enc_provider.lst STLIBOBJS= \ @@ -4151,19 +4183,17 @@ index 3459e1d0e..af6276b96 100644 $(srcdir)/camellia.c \ $(srcdir)/rc4.c diff --git a/src/lib/crypto/builtin/enc_provider/deps b/src/lib/crypto/builtin/enc_provider/deps -index ea4ffecd8..061289a91 100644 +index a3414a38ec..dc29d9fce8 100644 --- a/src/lib/crypto/builtin/enc_provider/deps +++ b/src/lib/crypto/builtin/enc_provider/deps -@@ -1,19 +1,6 @@ +@@ -1,17 +1,6 @@ # # Generated makefile dependencies follow. # -des3.so des3.po $(OUTPRE)des3.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h \ -- $(srcdir)/../aes/aes.h $(srcdir)/../aes/brg_types.h \ -- $(srcdir)/../crypto_mod.h $(srcdir)/../des/des_int.h \ -- $(srcdir)/../sha2/sha2.h $(top_srcdir)/include/k5-buf.h \ +- $(srcdir)/../des/des_int.h $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ 
@@ -4176,10 +4206,10 @@ index ea4ffecd8..061289a91 100644 $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h \ diff --git a/src/lib/crypto/builtin/enc_provider/des3.c b/src/lib/crypto/builtin/enc_provider/des3.c deleted file mode 100644 -index 9b8244223..000000000 +index c2634d5e10..0000000000 --- a/src/lib/crypto/builtin/enc_provider/des3.c +++ /dev/null -@@ -1,105 +0,0 @@ +@@ -1,109 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* - * Copyright (C) 1998 by the FundsXpress, INC. @@ -4210,6 +4240,8 @@ index 9b8244223..000000000 -#include "crypto_int.h" -#include "des_int.h" - +-#ifdef K5_BUILTIN_DES +- -static krb5_error_code -validate_and_schedule(krb5_key key, const krb5_data *ivec, - const krb5_crypto_iov *data, size_t num_data, @@ -4285,8 +4317,10 @@ index 9b8244223..000000000 - krb5int_des_init_state, - krb5int_default_free_state -}; +- +-#endif /* K5_BUILTIN_DES */ diff --git a/src/lib/crypto/crypto_tests/t_cf2.expected b/src/lib/crypto/crypto_tests/t_cf2.expected -index f8251a16c..bc6aa50c8 100644 +index f8251a16cb..bc6aa50c84 100644 --- a/src/lib/crypto/crypto_tests/t_cf2.expected +++ b/src/lib/crypto/crypto_tests/t_cf2.expected @@ -1,6 +1,5 @@ @@ -4297,7 +4331,7 @@ index f8251a16c..bc6aa50c8 100644 edd02a39d2dbde31611c16e610be062c 67f6ea530aea85a37dcbb23349ea52dcc61ca8493ff557252327fd8304341584 diff --git a/src/lib/crypto/crypto_tests/t_cf2.in b/src/lib/crypto/crypto_tests/t_cf2.in -index 73e2f8fbc..c4d23b506 100644 +index 73e2f8fbc9..c4d23b506b 100644 --- a/src/lib/crypto/crypto_tests/t_cf2.in +++ b/src/lib/crypto/crypto_tests/t_cf2.in @@ -8,11 +8,6 @@ key1 @@ -4313,7 +4347,7 @@ index 73e2f8fbc..c4d23b506 100644 key1 key2 diff --git a/src/lib/crypto/crypto_tests/t_cksums.c b/src/lib/crypto/crypto_tests/t_cksums.c -index 8297fcbf5..3063d12ec 100644 +index 557340ec5e..9f9a177ef0 100644 --- a/src/lib/crypto/crypto_tests/t_cksums.c +++ b/src/lib/crypto/crypto_tests/t_cksums.c 
@@ -59,16 +59,6 @@ struct test { @@ -4334,7 +4368,7 @@ index 8297fcbf5..3063d12ec 100644 { KV5M_DATA, 37, "eight nine ten eleven twelve thirteen" }, CKSUMTYPE_HMAC_SHA1_96_AES128, ENCTYPE_AES128_CTS_HMAC_SHA1_96, 3, diff --git a/src/lib/crypto/crypto_tests/t_decrypt.c b/src/lib/crypto/crypto_tests/t_decrypt.c -index a40a85500..716f2c337 100644 +index a40a855007..716f2c337a 100644 --- a/src/lib/crypto/crypto_tests/t_decrypt.c +++ b/src/lib/crypto/crypto_tests/t_decrypt.c @@ -39,62 +39,6 @@ struct test { @@ -4409,7 +4443,7 @@ index a40a85500..716f2c337 100644 ENCTYPE_ARCFOUR_HMAC_EXP, ENCTYPE_AES128_CTS_HMAC_SHA1_96, diff --git a/src/lib/crypto/crypto_tests/t_derive.c b/src/lib/crypto/crypto_tests/t_derive.c -index afbf7477f..93ce30da2 100644 +index afbf7477f6..93ce30da20 100644 --- a/src/lib/crypto/crypto_tests/t_derive.c +++ b/src/lib/crypto/crypto_tests/t_derive.c @@ -38,41 +38,6 @@ struct test { @@ -4463,7 +4497,7 @@ index afbf7477f..93ce30da2 100644 case ENCTYPE_AES256_CTS_HMAC_SHA1_96: return &krb5int_enc_aes256; case ENCTYPE_CAMELLIA128_CTS_CMAC: return &krb5int_enc_camellia128; diff --git a/src/lib/crypto/crypto_tests/t_encrypt.c b/src/lib/crypto/crypto_tests/t_encrypt.c -index bd9b94691..290a72e1e 100644 +index bd9b94691c..290a72e1e0 100644 --- a/src/lib/crypto/crypto_tests/t_encrypt.c +++ b/src/lib/crypto/crypto_tests/t_encrypt.c @@ -37,7 +37,6 @@ @@ -4475,7 +4509,7 @@ index bd9b94691..290a72e1e 100644 ENCTYPE_ARCFOUR_HMAC_EXP, ENCTYPE_AES256_CTS_HMAC_SHA1_96, diff --git a/src/lib/crypto/crypto_tests/t_short.c b/src/lib/crypto/crypto_tests/t_short.c -index d4c2b97df..4466b7115 100644 +index d4c2b97dfd..4466b71158 100644 --- a/src/lib/crypto/crypto_tests/t_short.c +++ b/src/lib/crypto/crypto_tests/t_short.c @@ -34,7 +34,6 @@ @@ -4487,7 +4521,7 @@ index d4c2b97df..4466b7115 100644 ENCTYPE_ARCFOUR_HMAC_EXP, ENCTYPE_AES256_CTS_HMAC_SHA1_96, 
diff --git a/src/lib/crypto/crypto_tests/t_str2key.c b/src/lib/crypto/crypto_tests/t_str2key.c -index cdb1acc6d..ef4c4a7d3 100644 +index cdb1acc6d0..ef4c4a7d3b 100644 --- a/src/lib/crypto/crypto_tests/t_str2key.c +++ b/src/lib/crypto/crypto_tests/t_str2key.c @@ -35,58 +35,6 @@ struct test { @@ -4549,11 +4583,33 @@ index cdb1acc6d..ef4c4a7d3 100644 /* Test vectors from RFC 3962 appendix B. */ { ENCTYPE_AES128_CTS_HMAC_SHA1_96, +diff --git a/src/lib/crypto/crypto_tests/vectors.c b/src/lib/crypto/crypto_tests/vectors.c +index bcf5c9106f..eb107dbcd2 100644 +--- a/src/lib/crypto/crypto_tests/vectors.c ++++ b/src/lib/crypto/crypto_tests/vectors.c +@@ -190,8 +190,6 @@ test_s2k (krb5_enctype enctype) + } + } + +-static void test_des3_s2k () { test_s2k (ENCTYPE_DES3_CBC_SHA1); } +- + static void + keyToData (krb5_keyblock *k, krb5_data *d) + { +@@ -208,8 +206,6 @@ void check_error (int r, int line) { + } + #define CHECK check_error(r, __LINE__) + +-extern struct krb5_enc_provider krb5int_enc_des3; +-struct krb5_enc_provider *enc = &krb5int_enc_des3; + extern struct krb5_enc_provider krb5int_enc_aes128, krb5int_enc_aes256; + + void DK (krb5_keyblock *out, krb5_keyblock *in, const krb5_data *usage) { diff --git a/src/lib/crypto/krb/Makefile.in b/src/lib/crypto/krb/Makefile.in -index b74e6f7cc..2b0c4163d 100644 +index cb2e40a3a5..f66698bd53 100644 --- a/src/lib/crypto/krb/Makefile.in +++ b/src/lib/crypto/krb/Makefile.in -@@ -50,7 +50,6 @@ STLIBOBJS=\ +@@ -47,7 +47,6 @@ STLIBOBJS=\ prf.o \ prf_aes2.o \ prf_cmac.o \ @@ -4561,7 +4617,7 @@ index b74e6f7cc..2b0c4163d 100644 prf_dk.o \ prf_rc4.o \ prng.o \ -@@ -109,7 +108,6 @@ OBJS=\ +@@ -103,7 +102,6 @@ OBJS=\ $(OUTPRE)prf.$(OBJEXT) \ $(OUTPRE)prf_aes2.$(OBJEXT) \ $(OUTPRE)prf_cmac.$(OBJEXT) \ 
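Review bot: The new vectors.c hunk deletes the file-scope `struct krb5_enc_provider *enc` definition but touches nothing else in the file, so any remaining reference to `enc` will no longer compile; the body of DK() that starts at the hunk's last context line is the obvious candidate, and the AES externs kept on the following line suggest the file still selects a provider through that pointer. The same applies to any call to the removed test_des3_s2k() left in main(). Both are outside the hunk, so this is inferred rather than visible; if they remain, either re-point the global at a surviving provider, `struct krb5_enc_provider *enc = &krb5int_enc_aes128;`, or remove the remaining uses in the same patch. A test program that only breaks under `make check` is easy to miss in a rebase, so crypto_tests should be built before the refreshed patch lands.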
@@ -4569,7 +4625,7 @@ index b74e6f7cc..2b0c4163d 100644 $(OUTPRE)prf_dk.$(OBJEXT) \ $(OUTPRE)prf_rc4.$(OBJEXT) \ $(OUTPRE)prng.$(OBJEXT) \ -@@ -168,7 +166,6 @@ SRCS=\ +@@ -159,7 +157,6 @@ SRCS=\ $(srcdir)/prf.c \ $(srcdir)/prf_aes2.c \ $(srcdir)/prf_cmac.c \ @@ -4578,10 +4634,10 @@ index b74e6f7cc..2b0c4163d 100644 $(srcdir)/prf_rc4.c \ $(srcdir)/prng.c \ diff --git a/src/lib/crypto/krb/cksumtypes.c b/src/lib/crypto/krb/cksumtypes.c -index ecc2e08c9..f5fbe8a2a 100644 +index f7ba322f24..25a3ffd2d2 100644 --- a/src/lib/crypto/krb/cksumtypes.c +++ b/src/lib/crypto/krb/cksumtypes.c -@@ -46,12 +46,6 @@ const struct krb5_cksumtypes krb5int_cksumtypes_list[] = { +@@ -52,12 +52,6 @@ const struct krb5_cksumtypes krb5int_cksumtypes_list[] = { krb5int_unkeyed_checksum, NULL, 20, 20, CKSUM_UNKEYED }, @@ -4595,21 +4651,19 @@ index ecc2e08c9..f5fbe8a2a 100644 "hmac-md5-rc4", { "hmac-md5-enc", "hmac-md5-earcfour" }, "Microsoft HMAC MD5", diff --git a/src/lib/crypto/krb/crypto_int.h b/src/lib/crypto/krb/crypto_int.h -index 19f808749..4bc430c7a 100644 +index 3629616d96..1ee4b30e02 100644 --- a/src/lib/crypto/krb/crypto_int.h 
+++ b/src/lib/crypto/krb/crypto_int.h -@@ -276,10 +276,6 @@ krb5_error_code krb5int_aes2_string_to_key(const struct krb5_keytypes *enc, +@@ -332,8 +332,6 @@ krb5_error_code krb5int_aes2_string_to_key(const struct krb5_keytypes *enc, /* Random to key */ krb5_error_code k5_rand2key_direct(const krb5_data *randombits, krb5_keyblock *keyblock); --krb5_error_code k5_rand2key_des(const krb5_data *randombits, -- krb5_keyblock *keyblock); -krb5_error_code k5_rand2key_des3(const krb5_data *randombits, - krb5_keyblock *keyblock); /* Pseudo-random function */ krb5_error_code krb5int_des_prf(const struct krb5_keytypes *ktp, -@@ -368,11 +364,6 @@ krb5_keyusage krb5int_arcfour_translate_usage(krb5_keyusage usage); +@@ -411,11 +409,6 @@ krb5_keyusage krb5int_arcfour_translate_usage(krb5_keyusage usage); /* Ensure library initialization has occurred. */ int krb5int_crypto_init(void); @@ -4621,7 +4675,7 @@ index 19f808749..4bc430c7a 100644 /* Default state cleanup handler (used by module enc providers). */ void krb5int_default_free_state(krb5_data *state); -@@ -425,7 +416,6 @@ void k5_iov_cursor_put(struct iov_cursor *cursor, unsigned char *block); +@@ -468,7 +461,6 @@ void k5_iov_cursor_put(struct iov_cursor *cursor, unsigned char *block); /* Modules must implement the k5_sha256() function prototyped in k5-int.h. */ /* Modules must implement the following enc_providers and hash_providers: */ 
@@ -4629,21 +4683,18 @@ index 19f808749..4bc430c7a 100644 extern const struct krb5_enc_provider krb5int_enc_arcfour; extern const struct krb5_enc_provider krb5int_enc_aes128; extern const struct krb5_enc_provider krb5int_enc_aes256; -@@ -442,12 +432,6 @@ extern const struct krb5_hash_provider krb5int_hash_sha384; +@@ -485,9 +477,6 @@ extern const struct krb5_hash_provider krb5int_hash_sha384; /* Modules must implement the following functions. */ -/* Set the parity bits to the correct values in keybits. */ -void k5_des_fixup_key_parity(unsigned char *keybits); -- --/* Return true if keybits is a weak or semi-weak DES key. */ --krb5_boolean k5_des_is_weak_key(unsigned char *keybits); - /* Compute an HMAC using the provided hash function, key, and data, storing the * result into output (caller-allocated). */ krb5_error_code krb5int_hmac(const struct krb5_hash_provider *hash, diff --git a/src/lib/crypto/krb/default_state.c b/src/lib/crypto/krb/default_state.c -index 0757c8b02..f89dc7902 100644 +index 0757c8b02c..f89dc79023 100644 --- a/src/lib/crypto/krb/default_state.c +++ b/src/lib/crypto/krb/default_state.c @@ -32,16 +32,6 @@ @@ -4664,7 +4715,7 @@ index 0757c8b02..f89dc7902 100644 krb5int_default_free_state(krb5_data *state) { diff --git a/src/lib/crypto/krb/enctype_util.c b/src/lib/crypto/krb/enctype_util.c -index 1542d4062..a0037912a 100644 +index 1542d40629..a0037912a7 100644 --- a/src/lib/crypto/krb/enctype_util.c +++ b/src/lib/crypto/krb/enctype_util.c @@ -45,6 +45,9 @@ struct { @@ -4678,7 +4729,7 @@ index 1542d4062..a0037912a 100644 }; diff --git a/src/lib/crypto/krb/etypes.c b/src/lib/crypto/krb/etypes.c -index fc278783b..7635393a4 100644 +index fc278783b9..7635393a41 100644 --- a/src/lib/crypto/krb/etypes.c +++ b/src/lib/crypto/krb/etypes.c @@ -35,27 +35,6 @@ @@ -4711,7 +4762,7 @@ index fc278783b..7635393a4 100644 { ENCTYPE_ARCFOUR_HMAC, 
diff --git a/src/lib/crypto/krb/prf_des.c b/src/lib/crypto/krb/prf_des.c deleted file mode 100644 -index 7a2d719c5..000000000 +index 7a2d719c5f..0000000000 --- a/src/lib/crypto/krb/prf_des.c +++ /dev/null @@ -1,47 +0,0 @@ @@ -4763,10 +4814,10 @@ index 7a2d719c5..000000000 - return ktp->enc->encrypt(key, NULL, &iov, 1); -} diff --git a/src/lib/crypto/krb/random_to_key.c b/src/lib/crypto/krb/random_to_key.c -index 157462526..863090beb 100644 +index 9394385aa0..863090beb2 100644 --- a/src/lib/crypto/krb/random_to_key.c +++ b/src/lib/crypto/krb/random_to_key.c -@@ -71,48 +71,3 @@ k5_rand2key_direct(const krb5_data *randombits, krb5_keyblock *keyblock) +@@ -71,31 +71,3 @@ k5_rand2key_direct(const krb5_data *randombits, krb5_keyblock *keyblock) memcpy(keyblock->contents, randombits->data, randombits->length); return 0; } @@ -4780,23 +4831,6 @@ index 157462526..863090beb 100644 -} - -krb5_error_code --k5_rand2key_des(const krb5_data *randombits, krb5_keyblock *keyblock) --{ -- if (randombits->length != 7) -- return(KRB5_CRYPTO_INTERNAL); -- -- keyblock->magic = KV5M_KEYBLOCK; -- -- /* Take the seven bytes, move them around into the top 7 bits of the -- * 8 key bytes, then compute the parity bits. */ -- memcpy(keyblock->contents, randombits->data, randombits->length); -- eighth_byte(keyblock->contents); -- k5_des_fixup_key_parity(keyblock->contents); -- -- return 0; --} -- --krb5_error_code -k5_rand2key_des3(const krb5_data *randombits, krb5_keyblock *keyblock) -{ - int i; @@ -4816,7 +4850,7 @@ index 157462526..863090beb 100644 - return 0; -} diff --git a/src/lib/crypto/libk5crypto.exports b/src/lib/crypto/libk5crypto.exports -index d6cc1b423..f44cb9170 100644 +index 052f4d4b51..d8ffa63304 100644 --- a/src/lib/crypto/libk5crypto.exports +++ b/src/lib/crypto/libk5crypto.exports @@ -86,7 +86,6 @@ krb5_k_verify_checksum 
@@ -4825,23 +4859,23 @@ index d6cc1b423..f44cb9170 100644 krb5int_aes_decrypt -krb5int_enc_des3 krb5int_arcfour_gsscrypt - krb5int_camellia_cbc_mac + krb5int_camellia_encrypt krb5int_cmac_checksum diff --git a/src/lib/crypto/openssl/Makefile.in b/src/lib/crypto/openssl/Makefile.in -index aa434b168..234fc0e76 100644 +index 08de047d0a..88f7fd0a09 100644 --- a/src/lib/crypto/openssl/Makefile.in +++ b/src/lib/crypto/openssl/Makefile.in @@ -1,6 +1,6 @@ mydir=lib$(S)crypto$(S)openssl BUILDTOP=$(REL)..$(S)..$(S).. --SUBDIRS=camellia des aes md4 md5 sha1 sha2 enc_provider hash_provider -+SUBDIRS=camellia aes md4 md5 sha1 sha2 enc_provider hash_provider - LOCALINCLUDES = -I$(srcdir)/../krb -I$(srcdir) +-SUBDIRS=des enc_provider hash_provider ++SUBDIRS=enc_provider hash_provider + LOCALINCLUDES=-I$(srcdir)/../krb $(CRYPTO_IMPL_CFLAGS) STLIBOBJS=\ @@ -24,14 +24,14 @@ SRCS=\ - $(srcdir)/sha256.c \ - $(srcdir)/stubs.c + $(srcdir)/pbkdf2.c \ + $(srcdir)/sha256.c -STOBJLISTS= des/OBJS.ST md4/OBJS.ST \ +STOBJLISTS= md4/OBJS.ST \ @@ -4867,13 +4901,13 @@ index aa434b168..234fc0e76 100644 @libobj_frag@ diff --git a/src/lib/crypto/openssl/des/Makefile.in b/src/lib/crypto/openssl/des/Makefile.in deleted file mode 100644 -index 4392fb8ea..000000000 +index a6cece1dd1..0000000000 --- a/src/lib/crypto/openssl/des/Makefile.in +++ /dev/null @@ -1,20 +0,0 @@ -mydir=lib$(S)crypto$(S)openssl$(S)des -BUILDTOP=$(REL)..$(S)..$(S)..$(S).. --LOCALINCLUDES = -I$(srcdir)/../../krb -I$(srcdir)/.. +-LOCALINCLUDES = -I$(srcdir)/../../krb $(CRYPTO_IMPL_CFLAGS) - -STLIBOBJS= des_keys.o - @@ -4893,31 +4927,30 @@ index 4392fb8ea..000000000 - diff --git a/src/lib/crypto/openssl/des/deps b/src/lib/crypto/openssl/des/deps deleted file mode 100644 -index 21b904f89..000000000 +index 723c268082..0000000000 
--- a/src/lib/crypto/openssl/des/deps +++ /dev/null -@@ -1,15 +0,0 @@ +@@ -1,14 +0,0 @@ -# -# Generated makefile dependencies follow. -# -des_keys.so des_keys.po $(OUTPRE)des_keys.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ -- $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h $(srcdir)/../crypto_mod.h \ -- $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ -- $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ -- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ -- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ -- $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ -- $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ -- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ -- des_keys.c +- $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h $(top_srcdir)/include/k5-buf.h \ +- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ +- $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ +- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ +- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ +- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ +- $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ +- $(top_srcdir)/include/socket-utils.h des_keys.c diff --git a/src/lib/crypto/openssl/des/des_keys.c b/src/lib/crypto/openssl/des/des_keys.c deleted file mode 100644 -index 51d9db216..000000000 +index 83f1cbf22a..0000000000 --- a/src/lib/crypto/openssl/des/des_keys.c +++ /dev/null -@@ -1,40 +0,0 @@ +@@ -1,39 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* lib/crypto/openssl/des/des_keys.c - Key functions used by Kerberos code */ -/* 
@@ -4945,6 +4978,9 @@ index 51d9db216..000000000 - */ - -#include "crypto_int.h" +- +-#ifdef K5_OPENSSL_DES_KEY_PARITY +- -#include - -void @@ -4953,17 +4989,13 @@ index 51d9db216..000000000 - DES_set_odd_parity((DES_cblock *)keybits); -} - --krb5_boolean --k5_des_is_weak_key(unsigned char *keybits) --{ -- return DES_is_weak_key((DES_cblock *)keybits); --} +-#endif diff --git a/src/lib/crypto/openssl/enc_provider/Makefile.in b/src/lib/crypto/openssl/enc_provider/Makefile.in -index a9069d22d..2b32c3ac4 100644 +index 26827cfed5..f0d37c1213 100644 --- a/src/lib/crypto/openssl/enc_provider/Makefile.in +++ b/src/lib/crypto/openssl/enc_provider/Makefile.in @@ -3,19 +3,16 @@ BUILDTOP=$(REL)..$(S)..$(S)..$(S).. - LOCALINCLUDES = -I$(srcdir)/../../krb -I$(srcdir)/.. + LOCALINCLUDES = -I$(srcdir)/../../krb $(CRYPTO_IMPL_CFLAGS) STLIBOBJS= \ - des3.o \ @@ -4983,7 +5015,7 @@ index a9069d22d..2b32c3ac4 100644 $(srcdir)/camellia.c \ $(srcdir)/rc4.c diff --git a/src/lib/crypto/openssl/enc_provider/deps b/src/lib/crypto/openssl/enc_provider/deps -index 1c28cc842..91ba48234 100644 +index 1c87a526d0..a502990a0c 100644 --- a/src/lib/crypto/openssl/enc_provider/deps +++ b/src/lib/crypto/openssl/enc_provider/deps @@ -1,17 +1,6 @@ 
@@ -4993,23 +5025,23 @@ index 1c28cc842..91ba48234 100644 -des3.so des3.po $(OUTPRE)des3.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h \ -- $(srcdir)/../crypto_mod.h $(top_srcdir)/include/k5-buf.h \ -- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ -- $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ -- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ -- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ -- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ -- $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ -- $(top_srcdir)/include/socket-utils.h des3.c +- $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ +- $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ +- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ +- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ +- $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ +- $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ +- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ +- des3.c aes.so aes.po $(OUTPRE)aes.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h \ diff --git a/src/lib/crypto/openssl/enc_provider/des3.c b/src/lib/crypto/openssl/enc_provider/des3.c deleted file mode 100644 -index 1c439c2cd..000000000 +index 90fcf9acb5..0000000000 --- a/src/lib/crypto/openssl/enc_provider/des3.c +++ /dev/null -@@ -1,184 +0,0 @@ +@@ -1,188 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* lib/crypto/openssl/enc_provider/des3.c */ -/* 
@@ -5062,8 +5094,10 @@ index 1c439c2cd..000000000 - */ - -#include "crypto_int.h" --#include - +-#ifdef K5_OPENSSL_DES +- +-#include - -#define DES3_BLOCK_SIZE 8 -#define DES3_KEY_SIZE 24 @@ -5194,11 +5228,26 @@ index 1c439c2cd..000000000 - krb5int_des_init_state, - krb5int_default_free_state -}; +- +-#endif /* K5_OPENSSL_DES */ +diff --git a/src/lib/crypto/openssl/kdf.c b/src/lib/crypto/openssl/kdf.c +index 41e845eae0..5a43c3d9eb 100644 +--- a/src/lib/crypto/openssl/kdf.c ++++ b/src/lib/crypto/openssl/kdf.c +@@ -60,8 +60,6 @@ enc_name(const struct krb5_enc_provider *enc) + return "AES-128-CBC"; + if (enc == &krb5int_enc_aes256) + return "AES-256-CBC"; +- if (enc == &krb5int_enc_des3) +- return "DES-EDE3-CBC"; + return NULL; + } + diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c -index 75f071c3e..fcf2c2152 100644 +index d4e90793f9..1bc807172b 100644 --- a/src/lib/gssapi/krb5/accept_sec_context.c +++ b/src/lib/gssapi/krb5/accept_sec_context.c -@@ -1039,7 +1039,6 @@ kg_accept_krb5(minor_status, context_handle, +@@ -1030,7 +1030,6 @@ kg_accept_krb5(minor_status, context_handle, } switch (negotiated_etype) { @@ -5207,7 +5256,7 @@ index 75f071c3e..fcf2c2152 100644 case ENCTYPE_ARCFOUR_HMAC_EXP: /* RFC 4121 accidentally omits RC4-HMAC-EXP as a "not-newer" diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h -index a7e0e63ec..3bacdcd35 100644 +index a4446530fc..88d41130a7 100644 --- a/src/lib/gssapi/krb5/gssapiP_krb5.h +++ b/src/lib/gssapi/krb5/gssapiP_krb5.h @@ -125,14 +125,14 @@ enum sgn_alg { @@ -5237,7 +5286,7 @@ index a7e0e63ec..3bacdcd35 100644 }; diff --git a/src/lib/gssapi/krb5/k5seal.c b/src/lib/gssapi/krb5/k5seal.c -index d1cdce486..7f7146a0a 100644 +index d1cdce486f..7f7146a0a2 100644 --- a/src/lib/gssapi/krb5/k5seal.c +++ b/src/lib/gssapi/krb5/k5seal.c @@ -136,19 +136,12 @@ make_seal_token_v1 (krb5_context context, 
@@ -5290,7 +5339,7 @@ index d1cdce486..7f7146a0a 100644 krb5_free_checksum_contents(context, &md5cksum); diff --git a/src/lib/gssapi/krb5/k5sealiov.c b/src/lib/gssapi/krb5/k5sealiov.c -index 9bb2ee109..9147bb2c7 100644 +index 9bb2ee1099..9147bb2c78 100644 --- a/src/lib/gssapi/krb5/k5sealiov.c +++ b/src/lib/gssapi/krb5/k5sealiov.c @@ -144,18 +144,11 @@ make_seal_token_v1_iov(krb5_context context, @@ -5335,7 +5384,7 @@ index 9bb2ee109..9147bb2c7 100644 /* create the seq_num */ code = kg_make_seq_num(context, ctx->seq, ctx->initiate ? 0 : 0xFF, diff --git a/src/lib/gssapi/krb5/k5unseal.c b/src/lib/gssapi/krb5/k5unseal.c -index 9b183bc33..f0cc4a680 100644 +index 9b183bc337..f0cc4a6809 100644 --- a/src/lib/gssapi/krb5/k5unseal.c +++ b/src/lib/gssapi/krb5/k5unseal.c @@ -131,28 +131,21 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer, @@ -5400,13 +5449,15 @@ index 9b183bc33..f0cc4a680 100644 + if (signalg != SGN_ALG_HMAC_MD5) { *minor_status = 0; return(GSS_S_DEFECTIVE_TOKEN); -- ++ } + - case SGN_ALG_HMAC_SHA1_DES3_KD: - case SGN_ALG_HMAC_MD5: - /* compute the checksum of the message */ - - /* 8 = bytes of token body to be checksummed according to spec */ -- ++ /* compute the checksum of the message */ + - if (! (data_ptr = xmalloc(8 + plainlen))) { - if (sealalg != 0xffff) - xfree(plain); 
@@ -5415,33 +5466,9 @@ index 9b183bc33..f0cc4a680 100644 - *minor_status = ENOMEM; - return(GSS_S_FAILURE); - } -- -- (void) memcpy(data_ptr, ptr-2, 8); -- -- (void) memcpy(data_ptr+8, plain, plainlen); -- -- plaind.length = 8 + plainlen; -- plaind.data = data_ptr; -- code = krb5_k_make_checksum(context, md5cksum.checksum_type, -- ctx->seq, sign_usage, -- &plaind, &md5cksum); -- xfree(data_ptr); -- -- if (code) { -- if (toktype == KG_TOK_SEAL_MSG) -- gssalloc_free(token.value); -- *minor_status = code; -- return(GSS_S_FAILURE); -- } -- -- code = k5_bcmp(md5cksum.contents, ptr + 14, cksum_len); -- break; - } - -+ /* compute the checksum of the message */ -+ + /* 8 = bytes of token body to be checksummed according to spec */ -+ + +- (void) memcpy(data_ptr, ptr-2, 8); + if (! (data_ptr = xmalloc(8 + plainlen))) { + if (sealalg != 0xffff) + xfree(plain); @@ -5450,32 +5477,47 @@ index 9b183bc33..f0cc4a680 100644 + *minor_status = ENOMEM; + return(GSS_S_FAILURE); + } -+ + +- (void) memcpy(data_ptr+8, plain, plainlen); + (void) memcpy(data_ptr, ptr-2, 8); -+ + +- plaind.length = 8 + plainlen; +- plaind.data = data_ptr; +- code = krb5_k_make_checksum(context, md5cksum.checksum_type, +- ctx->seq, sign_usage, +- &plaind, &md5cksum); +- xfree(data_ptr); + (void) memcpy(data_ptr+8, plain, plainlen); -+ + +- if (code) { +- if (toktype == KG_TOK_SEAL_MSG) +- gssalloc_free(token.value); +- *minor_status = code; +- return(GSS_S_FAILURE); +- } + plaind.length = 8 + plainlen; + plaind.data = data_ptr; + code = krb5_k_make_checksum(context, md5cksum.checksum_type, + ctx->seq, sign_usage, + &plaind, &md5cksum); + xfree(data_ptr); -+ + +- code = k5_bcmp(md5cksum.contents, ptr + 14, cksum_len); +- break; + if (code) { + if (toktype == KG_TOK_SEAL_MSG) + gssalloc_free(token.value); + *minor_status = code; + return(GSS_S_FAILURE); -+ } -+ + } + + code = k5_bcmp(md5cksum.contents, ptr + 14, cksum_len); + krb5_free_checksum_contents(context, &md5cksum); if (sealalg != 0xffff) xfree(plain); 
diff --git a/src/lib/gssapi/krb5/k5unsealiov.c b/src/lib/gssapi/krb5/k5unsealiov.c -index 85a9574f3..3ce2a90ce 100644 +index 85a9574f36..3ce2a90ce9 100644 --- a/src/lib/gssapi/krb5/k5unsealiov.c +++ b/src/lib/gssapi/krb5/k5unsealiov.c @@ -102,28 +102,21 @@ kg_unseal_v1_iov(krb5_context context, @@ -5554,7 +5596,7 @@ index 85a9574f3..3ce2a90ce 100644 code = 0; retval = GSS_S_BAD_SIG; diff --git a/src/lib/gssapi/krb5/util_crypt.c b/src/lib/gssapi/krb5/util_crypt.c -index 84f194988..32150f5e3 100644 +index 84f1949887..32150f5e34 100644 --- a/src/lib/gssapi/krb5/util_crypt.c +++ b/src/lib/gssapi/krb5/util_crypt.c @@ -97,17 +97,6 @@ kg_setup_keys(krb5_context context, krb5_gss_ctx_id_rec *ctx, krb5_key subkey, 
@@ -5575,57 +5617,8 @@ index 84f194988..32150f5e3 100644 case ENCTYPE_ARCFOUR_HMAC: case ENCTYPE_ARCFOUR_HMAC_EXP: /* RFC 4121 accidentally omits RC4-HMAC-EXP as a "not-newer" enctype, -diff --git a/src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp b/src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp -index 740425c69..6b45f5f72 100644 ---- a/src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp -+++ b/src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp -@@ -53,10 +53,10 @@ proc test200 {} { - } - - # XXX Perhaps I should actually check the key type returned. -- if {$num_keys == 5} { -+ if {$num_keys == 4} { - pass "$test" - } else { -- fail "$test: $num_keys keys, should be 5" -+ fail "$test: $num_keys keys, should be 4" - } - if { ! [cmd {kadm5_destroy $server_handle}]} { - perror "$test: unexpected failure in destroy" -diff --git a/src/lib/kadm5/unit-test/api.current/get-principal-v2.exp b/src/lib/kadm5/unit-test/api.current/get-principal-v2.exp -index 3ea1ba29b..d2c6d1afa 100644 ---- a/src/lib/kadm5/unit-test/api.current/get-principal-v2.exp -+++ b/src/lib/kadm5/unit-test/api.current/get-principal-v2.exp -@@ -143,8 +143,8 @@ proc test101_102 {rpc} { - } - - set failed 0 -- if {$num_keys != 5} { -- fail "$test: num_keys $num_keys should be 5" -+ if {$num_keys != 4} { -+ fail "$test: num_keys $num_keys should be 4" - set failed 1 - } - for {set i 0} {$i < $num_keys} {incr i} { -diff --git a/src/lib/kadm5/unit-test/api.current/randkey-principal-v2.exp b/src/lib/kadm5/unit-test/api.current/randkey-principal-v2.exp -index 2925c1c43..2f76c8b43 100644 ---- a/src/lib/kadm5/unit-test/api.current/randkey-principal-v2.exp -+++ b/src/lib/kadm5/unit-test/api.current/randkey-principal-v2.exp -@@ -46,10 +46,10 @@ proc test100 {} { - } - - # XXX Perhaps I should actually check the key type returned. 
-- if {$num_keys == 5} { -+ if {$num_keys == 4} { - pass "$test" - } else { -- fail "$test: $num_keys keys, should be 5" -+ fail "$test: $num_keys keys, should be 4" - } - if { ! [cmd {kadm5_destroy $server_handle}]} { - perror "$test: unexpected failure in destroy" diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c -index aa35baa3c..bfa99d9eb 100644 +index 87b486c53f..2b5abcd817 100644 --- a/src/lib/krb5/krb/init_ctx.c +++ b/src/lib/krb5/krb/init_ctx.c @@ -59,7 +59,6 @@ @@ -5636,7 +5629,7 @@ index aa35baa3c..bfa99d9eb 100644 ENCTYPE_ARCFOUR_HMAC, ENCTYPE_CAMELLIA128_CTS_CMAC, ENCTYPE_CAMELLIA256_CTS_CMAC, 0 -@@ -467,8 +466,6 @@ krb5int_parse_enctype_list(krb5_context context, const char *profkey, +@@ -450,8 +449,6 @@ krb5int_parse_enctype_list(krb5_context context, const char *profkey, /* Set all enctypes in the default list. */ for (i = 0; default_list[i]; i++) mod_list(default_list[i], sel, weak, &list); @@ -5646,7 +5639,7 @@ index aa35baa3c..bfa99d9eb 100644 mod_list(ENCTYPE_AES256_CTS_HMAC_SHA1_96, sel, weak, &list); mod_list(ENCTYPE_AES128_CTS_HMAC_SHA1_96, sel, weak, &list); diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c -index 44d113e7c..966278578 100644 +index 44d113e7c5..9662785783 100644 --- a/src/lib/krb5/krb/s4u_creds.c +++ b/src/lib/krb5/krb/s4u_creds.c @@ -288,8 +288,6 @@ verify_s4u2self_reply(krb5_context context, @@ -5659,7 +5652,7 @@ index 44d113e7c..966278578 100644 case ENCTYPE_ARCFOUR_HMAC_EXP : not_newer = TRUE; diff --git a/src/lib/krb5/krb/t_etypes.c b/src/lib/krb5/krb/t_etypes.c -index 90c9f626c..935aca12f 100644 +index 90c9f626c6..935aca12f5 100644 --- a/src/lib/krb5/krb/t_etypes.c +++ b/src/lib/krb5/krb/t_etypes.c @@ -50,17 +50,6 @@ static struct { @@ -5731,7 +5724,7 @@ index 90c9f626c..935aca12f 100644 { NULL, { ENCTYPE_AES256_CTS_HMAC_SHA1_96, 0 }, diff --git a/src/lib/krb5/os/t_trace.c b/src/lib/krb5/os/t_trace.c -index 10ba8d0ac..24064ffcf 100644 +index 10ba8d0ac7..24064ffcfd 100644 
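Review bot: Dropping the three kadm5 unit-test expectation hunks (chpass-principal-v2.exp, get-principal-v2.exp and randkey-principal-v2.exp, each changing the expected key count from 5 to 4) is only correct if the refreshed base already yields four keys per principal in that test setup. The count those tests observe comes from the KDC-side supported_enctypes of the test configuration, which this patch does not touch, so whether des3-cbc-sha1 has dropped out of it in the new base cannot be judged from here; if it has not, all three tests fail on `$num_keys keys, should be 5`. Nothing in the hunk records why the adjustments are no longer needed, so either the patch description should say the base defaults changed or the `.exp` hunks should be carried forward. Running the kadm5 unit tests against the patched tree settles it.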
--- a/src/lib/krb5/os/t_trace.c +++ b/src/lib/krb5/os/t_trace.c @@ -65,8 +65,8 @@ main (int argc, char *argv[]) @@ -5746,7 +5739,7 @@ index 10ba8d0ac..24064ffcf 100644 krb5_keytab keytab; krb5_creds creds; diff --git a/src/lib/krb5/os/t_trace.ref b/src/lib/krb5/os/t_trace.ref -index 044a66999..98fb14f3f 100644 +index 044a66999e..98fb14f3f7 100644 --- a/src/lib/krb5/os/t_trace.ref +++ b/src/lib/krb5/os/t_trace.ref @@ -41,7 +41,7 @@ int, krb5_principal type: ? @@ -5759,7 +5752,7 @@ index 044a66999..98fb14f3f 100644 krb5_ccache, display type:name: FILE:/path/to/ccache krb5_keytab, display name: FILE:/etc/krb5.keytab diff --git a/src/plugins/preauth/pkinit/pkcs11.h b/src/plugins/preauth/pkinit/pkcs11.h -index e3d284631..586661bb7 100644 +index e3d2846315..586661bb7e 100644 --- a/src/plugins/preauth/pkinit/pkcs11.h +++ b/src/plugins/preauth/pkinit/pkcs11.h @@ -339,9 +339,9 @@ typedef unsigned long ck_key_type_t; @@ -5775,99 +5768,29 @@ index e3d284631..586661bb7 100644 #define CKK_CAST (0x16) #define CKK_CAST3 (0x17) #define CKK_CAST128 (0x18) -diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c -index 2817cc213..a385da7c3 100644 ---- a/src/plugins/preauth/pkinit/pkinit_clnt.c -+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c -@@ -212,14 +212,6 @@ pkinit_as_req_create(krb5_context context, - auth_pack.clientPublicValue = &info; - auth_pack.supportedKDFs = (krb5_data **)supported_kdf_alg_ids; - -- /* add List of CMS algorithms */ -- retval = create_krb5_supportedCMSTypes(context, plgctx->cryptoctx, -- reqctx->cryptoctx, -- reqctx->idctx, &cmstypes); -- auth_pack.supportedCMSTypes = cmstypes; -- if (retval) -- goto cleanup; -- - switch(protocol) { - case DH_PROTOCOL: - TRACE_PKINIT_CLIENT_REQ_DH(context); diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h -index 77d5c61fe..1f9868351 100644 +index 94a1b22fb1..65f6210727 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto.h 
+++ b/src/plugins/preauth/pkinit/pkinit_crypto.h -@@ -380,18 +380,6 @@ krb5_error_code server_process_dh - unsigned int *server_key_len_out); /* OUT - receives length of DH secret key */ - --/* -- * this functions takes in crypto specific representation of -- * supportedCMSTypes and creates a list of -- * krb5_algorithm_identifier -- */ --krb5_error_code create_krb5_supportedCMSTypes +@@ -376,11 +376,11 @@ krb5_error_code server_process_dh + * krb5_algorithm_identifier + */ + krb5_error_code create_krb5_supportedCMSTypes - (krb5_context context, /* IN */ - pkinit_plg_crypto_context plg_cryptoctx, /* IN */ - pkinit_req_crypto_context req_cryptoctx, /* IN */ - pkinit_identity_crypto_context id_cryptoctx, /* IN */ - krb5_algorithm_identifier ***supportedCMSTypes); /* OUT */ -- ++ (krb5_context context, /* IN */ ++ pkinit_plg_crypto_context plg_cryptoctx, /* IN */ ++ pkinit_req_crypto_context req_cryptoctx, /* IN */ ++ pkinit_identity_crypto_context id_cryptoctx, /* IN */ ++ krb5_algorithm_identifier ***supportedCMSTypes); /* OUT */ + /* * this functions takes in crypto specific representation of - * trustedCertifiers and creates a list of -diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -index e5940a513..e1153344e 100644 ---- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -@@ -5486,44 +5486,6 @@ cleanup: - return retval; - } - --krb5_error_code --create_krb5_supportedCMSTypes(krb5_context context, -- pkinit_plg_crypto_context plg_cryptoctx, -- pkinit_req_crypto_context req_cryptoctx, -- pkinit_identity_crypto_context id_cryptoctx, -- krb5_algorithm_identifier ***oids) --{ -- -- krb5_error_code retval = ENOMEM; -- krb5_algorithm_identifier **loids = NULL; -- krb5_data des3oid = {0, 8, "\x2A\x86\x48\x86\xF7\x0D\x03\x07" }; -- -- *oids = NULL; -- loids = malloc(2 * sizeof(krb5_algorithm_identifier *)); -- if (loids == NULL) -- goto cleanup; 
-- loids[1] = NULL; -- loids[0] = malloc(sizeof(krb5_algorithm_identifier)); -- if (loids[0] == NULL) { -- free(loids); -- goto cleanup; -- } -- retval = pkinit_copy_krb5_data(&loids[0]->algorithm, &des3oid); -- if (retval) { -- free(loids[0]); -- free(loids); -- goto cleanup; -- } -- loids[0]->parameters.length = 0; -- loids[0]->parameters.data = NULL; -- -- *oids = loids; -- retval = 0; --cleanup: -- -- return retval; --} -- - krb5_error_code - create_krb5_trustedCertifiers(krb5_context context, - pkinit_plg_crypto_context plg_cryptoctx, diff --git a/src/plugins/preauth/pkinit/pkinit_kdf_test.c b/src/plugins/preauth/pkinit/pkinit_kdf_test.c -index 7acbd0d28..cd998a29a 100644 +index 7f38e84910..99c93ac128 100644 --- a/src/plugins/preauth/pkinit/pkinit_kdf_test.c +++ b/src/plugins/preauth/pkinit/pkinit_kdf_test.c @@ -49,7 +49,6 @@ char eighteen_bs[9]; @@ -5878,14 +5801,13 @@ index 7acbd0d28..cd998a29a 100644 const krb5_data lha_data = DATA_FROM_STRING("lha"); krb5_octet key1_hex[] = -@@ -185,36 +184,6 @@ main(int argc, char **argv) +@@ -187,35 +186,6 @@ main(int argc, char **argv) goto cleanup; } - /* TEST 3: SHA-512/DES3 */ - /* set up algorithm id */ -- alg_id.algorithm.data = (char *)krb5_pkinit_sha512_oid; -- alg_id.algorithm.length = krb5_pkinit_sha512_oid_len; +- alg_id.algorithm = sha512_id; - - enctype = enctype_des3; - @@ -5895,7 +5817,7 @@ index 7acbd0d28..cd998a29a 100644 - u_principal, v_principal, - enctype, &as_req, &pk_as_rep, - &key_block))) { -- printf("ERROR in pkinit_kdf_test: kdf call failed, retval = %d", +- printf("ERROR in pkinit_kdf_test: kdf call failed, retval = %d\n", - retval); - goto cleanup; - } @@ -5916,7 +5838,7 @@ index 7acbd0d28..cd998a29a 100644 /* release all allocated resources, whether good or bad return */ free(secret.data); diff --git a/src/plugins/preauth/spake/t_vectors.c b/src/plugins/preauth/spake/t_vectors.c -index 2279202d3..96b0307d7 100644 +index 2279202d3a..96b0307d78 100644 
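Review bot: The refreshed pkinit_crypto.h hunk (`@@ -376,11 +376,11 @@`) removes the five parameter lines of the create_krb5_supportedCMSTypes prototype and adds them back with, as far as the collapsed view shows, only whitespace differences; that is reformatting churn that does not belong in a patch whose purpose is dropping DES3 and will make the next rebase noisier, so the hunk should be dropped. The previous version of the patch removed the function itself together with its pkinit_clnt.c call and the pkinit_crypto_openssl.c body that hard-coded the DES-EDE3-CBC OID (`\x2A\x86\x48\x86\xF7\x0D\x03\x07`), and those removals are gone from the new version. That is only fine if upstream already stopped advertising that OID in supportedCMSTypes, which this diff does not show; the patch description should state it, or the removal should be carried forward so a DES3-only CMS advertisement does not survive a patch that removes DES3 everywhere else.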
--- a/src/plugins/preauth/spake/t_vectors.c +++ b/src/plugins/preauth/spake/t_vectors.c @@ -56,31 +56,6 @@ struct test { 
@@ -5951,158 +5873,8 @@ index 2279202d3..96b0307d7 100644 { ENCTYPE_ARCFOUR_HMAC, SPAKE_GROUP_EDWARDS25519, /* initial key, w, x, y, T, S, K */ "8846F7EAEE8FB117AD06BDD830B7586C", -diff --git a/src/tests/dejagnu/config/default.exp b/src/tests/dejagnu/config/default.exp -index 85bbf478a..302dee74c 100644 ---- a/src/tests/dejagnu/config/default.exp -+++ b/src/tests/dejagnu/config/default.exp -@@ -15,8 +15,6 @@ set timeout 100 - set stty_init {erase \^h kill \^u} - set env(TERM) dumb - --set des3_krbtgt 0 -- - if { [string length $VALGRIND] } { - rename spawn valgrind_aux_spawn - proc spawn { args } { -@@ -105,17 +103,9 @@ if { $PRIOCNTL_HACK } { - # particularly with regards to encryption types. - - set passes { -- { -- des3 -- mode=udp -- des3_krbtgt=1 -- {supported_enctypes=des3-cbc-sha1:normal} -- {dummy=[verbose -log "DES3 TGT, DES3 enctype"]} -- } - { - aes-only - mode=udp -- des3_krbtgt=0 - {supported_enctypes=aes256-cts-hmac-sha1-96:normal} - {permitted_enctypes(kdc)=aes256-cts-hmac-sha1-96} - {permitted_enctypes(client)=aes256-cts-hmac-sha1-96} -@@ -130,7 +120,6 @@ set passes { - { - aes-sha2-only - mode=udp -- des3_krbtgt=0 - {supported_enctypes=aes256-sha2:normal} - {permitted_enctypes(kdc)=aes256-sha2} - {permitted_enctypes(replica)=aes256-sha2} -@@ -146,7 +135,6 @@ set passes { - { - camellia-only - mode=udp -- des3_krbtgt=0 - {supported_enctypes=camellia256-cts:normal} - {permitted_enctypes(kdc)=camellia256-cts} - {permitted_enctypes(replica)=camellia256-cts} -@@ -159,32 +147,9 @@ set passes { - {master_key_type=camellia256-cts} - {dummy=[verbose -log "Camellia-256 enctype"]} - } -- { -- aes-des3 -- mode=udp -- des3_krbtgt=0 -- {supported_enctypes=aes256-cts-hmac-sha1-96:normal des3-cbc-sha1:normal} -- {permitted_enctypes(kdc)=aes256-cts-hmac-sha1-96 des3-cbc-sha1} -- {permitted_enctypes(client)=aes256-cts-hmac-sha1-96 des3-cbc-sha1} -- {permitted_enctypes(server)=aes256-cts-hmac-sha1-96 des3-cbc-sha1} -- {master_key_type=aes256-cts-hmac-sha1-96} -- 
{dummy=[verbose -log "AES + DES3 + DES enctypes"]} -- } -- { -- aes-des3tgt -- mode=udp -- des3_krbtgt=1 -- {supported_enctypes=aes256-cts-hmac-sha1-96:normal des3-cbc-sha1:normal} -- {permitted_enctypes(kdc)=aes256-cts-hmac-sha1-96 des3-cbc-sha1} -- {permitted_enctypes(client)=aes256-cts-hmac-sha1-96 des3-cbc-sha1} -- {permitted_enctypes(server)=aes256-cts-hmac-sha1-96 des3-cbc-sha1} -- {master_key_type=aes256-cts-hmac-sha1-96} -- {dummy=[verbose -log "AES enctypes, DES3 TGT"]} -- } - { - all-enctypes - mode=udp -- des3_krbtgt=0 - {allow_weak_crypto(kdc)=false} - {allow_weak_crypto(replica)=false} - {allow_weak_crypto(client)=false} -@@ -946,7 +911,6 @@ proc setup_kerberos_db { standalone } { - global REALMNAME KDB5_UTIL KADMIN_LOCAL KEY - global tmppwd hostname - global spawn_id -- global des3_krbtgt - global multipass_name last_passname_db - - set failall 0 -@@ -1143,48 +1107,6 @@ proc setup_kerberos_db { standalone } { - } - } - -- if $des3_krbtgt { -- # Set the TGT key to DES3. -- set test "kadmin.local TGT to DES3" -- set body { -- if $failall { -- break -- } -- spawn $KADMIN_LOCAL -r $REALMNAME -e des3-cbc-sha1:normal -- verbose "starting $test" -- expect_after $def_exp_after -- -- expect "kadmin.local: " -- send "cpw -randkey krbtgt/$REALMNAME@$REALMNAME\r" -- # It echos... -- expect "cpw -randkey krbtgt/$REALMNAME@$REALMNAME\r" -- expect { -- "Key for \"krbtgt/$REALMNAME@$REALMNAME\" randomized." 
{ } -- } -- expect "kadmin.local: " -- send "quit\r" -- expect eof -- catch expect_after -- if ![check_exit_status kadmin_local] { -- break -- } -- } -- set ret [catch $body] -- catch "expect eof" -- catch expect_after -- if $ret { -- set failall 1 -- if $standalone { -- fail $test -- } else { -- delete_db -- } -- } else { -- if $standalone { -- pass $test -- } -- } -- } - envstack_pop - - # create the admin database lock file -diff --git a/src/tests/dejagnu/krb-standalone/kprop.exp b/src/tests/dejagnu/krb-standalone/kprop.exp -index 661e3fd9a..2b8f60045 100644 ---- a/src/tests/dejagnu/krb-standalone/kprop.exp -+++ b/src/tests/dejagnu/krb-standalone/kprop.exp -@@ -54,7 +54,7 @@ proc doit { } { - global REALMNAME KEY - global KADMIN_LOCAL KTUTIL KDB5_UTIL KPROPLOG KPROP kpropd_spawn_id - global hostname tmppwd spawn_id timeout -- global KRBIV supported_enctypes portbase mode ulog des3_krbtgt -+ global KRBIV supported_enctypes portbase mode ulog - - # Delete any db, ulog files - delete_db diff --git a/src/tests/gssapi/t_enctypes.py b/src/tests/gssapi/t_enctypes.py -index 7494d7fcd..2f95d8996 100755 +index 7494d7fcdb..2f95d89967 100755 --- a/src/tests/gssapi/t_enctypes.py +++ b/src/tests/gssapi/t_enctypes.py @@ -1,24 +1,17 @@ @@ -6171,7 +5943,7 @@ index 7494d7fcd..2f95d8996 100755 # because the ticket session key and initiator subkey are # non-permitted. (This is unfortunate if the acceptor's restriction diff --git a/src/tests/gssapi/t_invalid.c b/src/tests/gssapi/t_invalid.c -index 9876a11e6..fb8fe5511 100644 +index 9876a11e67..fb8fe55111 100644 --- a/src/tests/gssapi/t_invalid.c +++ b/src/tests/gssapi/t_invalid.c @@ -84,18 +84,6 @@ struct test { @@ -6194,7 +5966,7 @@ index 9876a11e6..fb8fe5511 100644 ENCTYPE_ARCFOUR_HMAC, ENCTYPE_ARCFOUR_HMAC, SEAL_ALG_MICROSOFT_RC4, SGN_ALG_HMAC_MD5, 8, diff --git a/src/tests/gssapi/t_pcontok.c b/src/tests/gssapi/t_pcontok.c -index 7368f752f..bf22bd3da 100644 +index 7368f752f0..bf22bd3da1 100644 --- a/src/tests/gssapi/t_pcontok.c 
+++ b/src/tests/gssapi/t_pcontok.c @@ -43,7 +43,6 @@ @@ -6229,7 +6001,7 @@ index 7368f752f..bf22bd3da 100644 tlen = 20 + mech_krb5.length + cksize; token = malloc(tlen); diff --git a/src/tests/gssapi/t_prf.c b/src/tests/gssapi/t_prf.c -index f71774cdc..d1857c433 100644 +index f71774cdc9..d1857c433f 100644 --- a/src/tests/gssapi/t_prf.c +++ b/src/tests/gssapi/t_prf.c @@ -41,13 +41,6 @@ static struct { @@ -6247,10 +6019,10 @@ index f71774cdc..d1857c433 100644 "3BB3AE288C12B3B9D06B208A4151B3B6", "9AEA11A3BCF3C53F1F91F5A0BA2132E2501ADF5F3C28" diff --git a/src/tests/t_authdata.py b/src/tests/t_authdata.py -index 3fa957ad2..2e01f46bc 100644 +index 97e2474bf8..47ea9e4b47 100644 --- a/src/tests/t_authdata.py +++ b/src/tests/t_authdata.py -@@ -174,7 +174,7 @@ realm.run([kvno, 'restricted']) +@@ -164,7 +164,7 @@ realm.run([kvno, 'restricted']) # preferred krbtgt enctype changes. mark('#8139 regression test') realm.kinit(realm.user_princ, password('user'), ['-f']) @@ -6260,7 +6032,7 @@ index 3fa957ad2..2e01f46bc 100644 realm.run(['./forward']) realm.run([kvno, realm.host_princ]) diff --git a/src/tests/t_etype_info.py b/src/tests/t_etype_info.py -index c982508d8..96e90a69d 100644 +index c982508d8b..96e90a69d2 100644 --- a/src/tests/t_etype_info.py +++ b/src/tests/t_etype_info.py @@ -1,6 +1,6 @@ @@ -6309,7 +6081,7 @@ index c982508d8..96e90a69d 100644 # Verify that etype-info2 is included in a MORE_PREAUTH_DATA_REQUIRED # error if the client does optimistic preauth. diff --git a/src/tests/t_keyrollover.py b/src/tests/t_keyrollover.py -index 2c825a692..f29e0d550 100755 +index 2c825a6922..f29e0d5500 100755 --- a/src/tests/t_keyrollover.py +++ b/src/tests/t_keyrollover.py @@ -37,9 +37,9 @@ realm.run([klist, '-e'], expected_msg=msg) @@ -6337,7 +6109,7 @@ index 2c825a692..f29e0d550 100755 realm.stop() diff --git a/src/tests/t_mkey.py b/src/tests/t_mkey.py -index 32f4070bc..da0ed1831 100755 +index 32f4070bcb..da0ed1831e 100755 --- a/src/tests/t_mkey.py +++ b/src/tests/t_mkey.py 
@@ -7,7 +7,6 @@ import struct @@ -6390,7 +6162,7 @@ index 32f4070bc..da0ed1831 100755 # master key fetch does not segfault. mark('#8395 regression test') diff --git a/src/tests/t_salt.py b/src/tests/t_salt.py -index 65084bbf3..55ca89745 100755 +index 65084bbf35..55ca897459 100755 --- a/src/tests/t_salt.py +++ b/src/tests/t_salt.py @@ -16,13 +16,12 @@ def test_salt(realm, e1, salt, e2): @@ -6410,10 +6182,10 @@ index 65084bbf3..55ca89745 100755 # Test using different salt types in a principal's key list. # Parameters from one key in the list must not leak over to later ones. diff --git a/src/util/k5test.py b/src/util/k5test.py -index 6afe4b92c..789b0f4b9 100644 +index 619f1995f8..771f82e3cc 100644 --- a/src/util/k5test.py +++ b/src/util/k5test.py -@@ -1278,13 +1278,6 @@ _passes = [ +@@ -1344,13 +1344,6 @@ _passes = [ # No special settings; exercises AES256. ('default', None, None, None), @@ -6428,7 +6200,7 @@ index 6afe4b92c..789b0f4b9 100644 ('arcfour', None, {'libdefaults': {'permitted_enctypes': 'rc4'}}, diff --git a/src/windows/leash/htmlhelp/html/Encryption_Types.htm b/src/windows/leash/htmlhelp/html/Encryption_Types.htm -index 1aebdd0b4..c38eefd2b 100644 +index 1aebdd0b4a..c38eefd2bd 100644 --- a/src/windows/leash/htmlhelp/html/Encryption_Types.htm +++ b/src/windows/leash/htmlhelp/html/Encryption_Types.htm @@ -79,19 +79,6 @@ will have an entry in the Encryption type column.
@@ -6451,3 +6223,6 @@ index 1aebdd0b4..c38eefd2b 100644 aes The AES Advanced Encryption Standard family, like 3DES, is a symmetric block cipher and was designed +-- +2.38.1 + diff --git a/SELinux-integration.patch b/SELinux-integration.patch index 0ba8b6c..4271d66 100644 --- a/SELinux-integration.patch +++ b/SELinux-integration.patch @@ -1,4 +1,4 @@ -From e787771b618a344d45ac515927e914602f48946f Mon Sep 17 00:00:00 2001 +From c6b58ed180ed91b579d322ff5004f68750f1eb4f Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:30:53 -0400 Subject: [PATCH] [downstream] SELinux integration @@ -36,7 +36,9 @@ The selabel APIs for looking up the context should be thread-safe (per Red Hat #273081), so switching to using them instead of matchpathcon(), which we used earlier, is some improvement. -Last-updated: krb5-1.18-beta1 +Last-updated: krb5-1.20.1 +[jrische@redhat.com: Replace deprecated security_context_t by char *: + - src/util/support/selinux.c] --- src/aclocal.m4 | 48 +++ src/build-tools/krb5-config.in | 3 +- @@ -61,13 +63,13 @@ Last-updated: krb5-1.18-beta1 .../kdb/ldap/ldap_util/kdb5_ldap_services.c | 11 +- src/util/profile/prof_file.c | 3 +- src/util/support/Makefile.in | 3 +- - src/util/support/selinux.c | 406 ++++++++++++++++++ - 24 files changed, 573 insertions(+), 21 deletions(-) + src/util/support/selinux.c | 405 ++++++++++++++++++ + 24 files changed, 572 insertions(+), 21 deletions(-) create mode 100644 src/include/k5-label.h create mode 100644 src/util/support/selinux.c diff --git a/src/aclocal.m4 b/src/aclocal.m4 -index ca9fcf664..5afb96e58 100644 +index bf9da35bbc..01283f482e 100644 --- a/src/aclocal.m4 +++ b/src/aclocal.m4 @@ -85,6 +85,7 @@ AC_SUBST_FILE(libnodeps_frag) @@ -78,7 +80,7 @@ index ca9fcf664..5afb96e58 100644 KRB5_LIB_PARAMS KRB5_AC_INITFINI KRB5_AC_ENABLE_THREADS -@@ -1745,4 +1746,51 @@ AC_SUBST(PAM_LIBS) +@@ -1526,4 +1527,51 @@ AC_SUBST(PAM_LIBS) AC_SUBST(PAM_MAN) AC_SUBST(NON_PAM_MAN) ])dnl 
@@ -131,7 +133,7 @@ index ca9fcf664..5afb96e58 100644 +AC_SUBST(SELINUX_LIBS) +])dnl diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in -index dead0dddc..fef3e054f 100755 +index dead0dddce..fef3e054fc 100755 --- a/src/build-tools/krb5-config.in +++ b/src/build-tools/krb5-config.in @@ -41,6 +41,7 @@ DL_LIB='@DL_LIB@' @@ -152,7 +154,7 @@ index dead0dddc..fef3e054f 100755 echo $lib_flags diff --git a/src/config/pre.in b/src/config/pre.in -index 3752174c7..0d2068575 100644 +index a0c60c70b3..7eaa2f351c 100644 --- a/src/config/pre.in +++ b/src/config/pre.in @@ -177,6 +177,7 @@ LD = $(PURE) @LD@ @@ -163,7 +165,7 @@ index 3752174c7..0d2068575 100644 INSTALL=@INSTALL@ INSTALL_STRIP= -@@ -403,7 +404,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME) +@@ -379,7 +380,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME) # HESIOD_LIBS is -lhesiod... HESIOD_LIBS = @HESIOD_LIBS@ @@ -173,10 +175,10 @@ index 3752174c7..0d2068575 100644 GSS_LIBS = $(GSS_KRB5_LIB) # needs fixing if ever used on macOS! diff --git a/src/configure.ac b/src/configure.ac -index 693f76a81..dd2cad3ee 100644 +index aa970b0447..40545f2bfc 100644 --- a/src/configure.ac +++ b/src/configure.ac -@@ -1391,6 +1391,8 @@ AC_PATH_PROG(GROFF, groff) +@@ -1402,6 +1402,8 @@ AC_PATH_PROG(GROFF, groff) KRB5_WITH_PAM @@ -186,7 +188,7 @@ index 693f76a81..dd2cad3ee 100644 if test "${localedir+set}" != set; then localedir='$(datadir)/locale' diff --git a/src/include/k5-int.h b/src/include/k5-int.h -index cf524252f..efb523689 100644 +index 44dc1eeb3f..c3aecba7d4 100644 --- a/src/include/k5-int.h +++ b/src/include/k5-int.h @@ -128,6 +128,7 @@ typedef unsigned char u_char; @@ -199,7 +201,7 @@ index cf524252f..efb523689 100644 #define KRB5_KDB_MAX_RLIFE (60*60*24*7) /* one week */ diff --git a/src/include/k5-label.h b/src/include/k5-label.h new file mode 100644 -index 000000000..dfaaa847c +index 0000000000..dfaaa847cb --- /dev/null +++ b/src/include/k5-label.h @@ -0,0 +1,32 @@ 
@@ -236,7 +238,7 @@ index 000000000..dfaaa847c +#endif +#endif diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin -index 045334a08..db80063eb 100644 +index c0194c3c94..7e1dea2cbf 100644 --- a/src/include/krb5/krb5.hin +++ b/src/include/krb5/krb5.hin @@ -87,6 +87,12 @@ @@ -253,7 +255,7 @@ index 045334a08..db80063eb 100644 #include diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c -index 634ba4a8b..cea7939f4 100644 +index a89b5144f6..4d6cc0bdf9 100644 --- a/src/kadmin/dbutil/dump.c +++ b/src/kadmin/dbutil/dump.c @@ -148,12 +148,21 @@ create_ofile(char *ofile, char **tmpname) @@ -288,10 +290,10 @@ index 634ba4a8b..cea7939f4 100644 com_err(progname, errno, _("while creating 'ok' file, '%s'"), file_ok); goto cleanup; diff --git a/src/kdc/main.c b/src/kdc/main.c -index 3be6dcb07..24d441e16 100644 +index 38b9299066..085afc9220 100644 --- a/src/kdc/main.c +++ b/src/kdc/main.c -@@ -872,7 +872,7 @@ write_pid_file(const char *path) +@@ -848,7 +848,7 @@ write_pid_file(const char *path) FILE *file; unsigned long pid; @@ -301,10 +303,10 @@ index 3be6dcb07..24d441e16 100644 return errno; pid = (unsigned long) getpid(); diff --git a/src/kprop/kpropd.c b/src/kprop/kpropd.c -index 498ca599a..c6b8efc28 100644 +index f2341d720f..ffdac9f397 100644 --- a/src/kprop/kpropd.c +++ b/src/kprop/kpropd.c -@@ -487,6 +487,9 @@ doit(int fd) +@@ -488,6 +488,9 @@ doit(int fd) krb5_enctype etype; int database_fd; char host[INET6_ADDRSTRLEN + 1]; @@ -314,7 +316,7 @@ index 498ca599a..c6b8efc28 100644 signal_wrapper(SIGALRM, alarm_handler); alarm(params.iprop_resync_timeout); -@@ -542,9 +545,15 @@ doit(int fd) +@@ -543,9 +546,15 @@ doit(int fd) free(name); exit(1); } @@ -331,7 +333,7 @@ index 498ca599a..c6b8efc28 100644 KRB5_LOCKMODE_EXCLUSIVE | KRB5_LOCKMODE_DONTBLOCK); if (retval) { diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c -index c6885edf2..9aec3c05e 100644 +index c6885edf2a..9aec3c05e8 100644 --- a/src/lib/kadm5/logger.c +++ b/src/lib/kadm5/logger.c 
@@ -309,7 +309,7 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do @@ -353,7 +355,7 @@ index c6885edf2..9aec3c05e 100644 set_cloexec_file(f); log_control.log_entries[lindex].lfu_filep = f; diff --git a/src/lib/kdb/kdb_log.c b/src/lib/kdb/kdb_log.c -index 2659a2501..e9b95fce5 100644 +index 2659a25018..e9b95fce59 100644 --- a/src/lib/kdb/kdb_log.c +++ b/src/lib/kdb/kdb_log.c @@ -480,7 +480,7 @@ ulog_map(krb5_context context, const char *logname, uint32_t ulogentries) @@ -366,7 +368,7 @@ index 2659a2501..e9b95fce5 100644 retval = errno; goto cleanup; diff --git a/src/lib/krb5/ccache/cc_dir.c b/src/lib/krb5/ccache/cc_dir.c -index 7b100a0ec..5683a0433 100644 +index 1da40b51d0..f3ab7340a6 100644 --- a/src/lib/krb5/ccache/cc_dir.c +++ b/src/lib/krb5/ccache/cc_dir.c @@ -183,10 +183,19 @@ write_primary_file(const char *primary_path, const char *contents) @@ -416,7 +418,7 @@ index 7b100a0ec..5683a0433 100644 _("Credential cache directory %s does not exist"), dirname); diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c -index e510211fc..f3ea28c8e 100644 +index e510211fc5..f3ea28c8ec 100644 --- a/src/lib/krb5/keytab/kt_file.c +++ b/src/lib/krb5/keytab/kt_file.c @@ -735,14 +735,14 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode) @@ -437,10 +439,10 @@ index e510211fc..f3ea28c8e 100644 goto report_errno; writevno = 1; diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c -index 7073459f0..e9b99f4ca 100644 +index 3369fc4ba6..95f82cda03 100644 --- a/src/lib/krb5/os/trace.c +++ b/src/lib/krb5/os/trace.c -@@ -458,7 +458,7 @@ krb5_set_trace_filename(krb5_context context, const char *filename) +@@ -459,7 +459,7 @@ krb5_set_trace_filename(krb5_context context, const char *filename) fd = malloc(sizeof(*fd)); if (fd == NULL) return ENOMEM; @@ -450,7 +452,7 @@ index 7073459f0..e9b99f4ca 100644 free(fd); return errno; 
diff --git a/src/plugins/kdb/db2/adb_openclose.c b/src/plugins/kdb/db2/adb_openclose.c -index 7db30a33b..2b9d01921 100644 +index 7db30a33b0..2b9d01921d 100644 --- a/src/plugins/kdb/db2/adb_openclose.c +++ b/src/plugins/kdb/db2/adb_openclose.c @@ -152,7 +152,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char *filename, char *lockfilename, @@ -463,7 +465,7 @@ index 7db30a33b..2b9d01921 100644 * maybe someone took away write permission so we could only * get shared locks? diff --git a/src/plugins/kdb/db2/kdb_db2.c b/src/plugins/kdb/db2/kdb_db2.c -index 1a476b586..b40bb2240 100644 +index 2c163d91cc..9a344a603e 100644 --- a/src/plugins/kdb/db2/kdb_db2.c +++ b/src/plugins/kdb/db2/kdb_db2.c @@ -694,8 +694,8 @@ ctx_create_db(krb5_context context, krb5_db2_context *dbc) @@ -478,7 +480,7 @@ index 1a476b586..b40bb2240 100644 retval = errno; goto cleanup; diff --git a/src/plugins/kdb/db2/libdb2/btree/bt_open.c b/src/plugins/kdb/db2/libdb2/btree/bt_open.c -index 2977b17f3..d5809a5a9 100644 +index 2977b17f3a..d5809a5a93 100644 --- a/src/plugins/kdb/db2/libdb2/btree/bt_open.c +++ b/src/plugins/kdb/db2/libdb2/btree/bt_open.c @@ -60,6 +60,7 @@ static char sccsid[] = "@(#)bt_open.c 8.11 (Berkeley) 11/2/95"; @@ -499,7 +501,7 @@ index 2977b17f3..d5809a5a9 100644 } else { diff --git a/src/plugins/kdb/db2/libdb2/hash/hash.c b/src/plugins/kdb/db2/libdb2/hash/hash.c -index 862dbb164..686a960c9 100644 +index 862dbb1640..686a960c96 100644 --- a/src/plugins/kdb/db2/libdb2/hash/hash.c +++ b/src/plugins/kdb/db2/libdb2/hash/hash.c @@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c 8.12 (Berkeley) 11/7/95"; @@ -520,7 +522,7 @@ index 862dbb164..686a960c9 100644 (void)fcntl(hashp->fp, F_SETFD, 1); } diff --git a/src/plugins/kdb/db2/libdb2/recno/rec_open.c b/src/plugins/kdb/db2/libdb2/recno/rec_open.c -index d8b26e701..b0daa7c02 100644 +index d8b26e7011..b0daa7c021 100644 --- a/src/plugins/kdb/db2/libdb2/recno/rec_open.c +++ b/src/plugins/kdb/db2/libdb2/recno/rec_open.c 
@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)rec_open.c 8.12 (Berkeley) 11/18/94"; @@ -542,7 +544,7 @@ index d8b26e701..b0daa7c02 100644 if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) { diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c -index e87688d66..30f7c00ab 100644 +index e87688d666..30f7c00ab5 100644 --- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c +++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c @@ -190,7 +190,7 @@ kdb5_ldap_stash_service_password(int argc, char **argv) @@ -579,7 +581,7 @@ index e87688d66..30f7c00ab 100644 if (newfile == NULL) { com_err(me, errno, _("Error creating file %s"), tmp_file); diff --git a/src/util/profile/prof_file.c b/src/util/profile/prof_file.c -index aa951df05..79f9500f6 100644 +index aa951df05f..79f9500f69 100644 --- a/src/util/profile/prof_file.c +++ b/src/util/profile/prof_file.c @@ -33,6 +33,7 @@ @@ -600,7 +602,7 @@ index aa951df05..79f9500f6 100644 retval = errno; if (retval == 0) diff --git a/src/util/support/Makefile.in b/src/util/support/Makefile.in -index 86d5a950a..1052d53a1 100644 +index 86d5a950a6..1052d53a1e 100644 --- a/src/util/support/Makefile.in +++ b/src/util/support/Makefile.in @@ -74,6 +74,7 @@ IPC_SYMS= \ @@ -622,10 +624,10 @@ index 86d5a950a..1052d53a1 100644 diff --git a/src/util/support/selinux.c b/src/util/support/selinux.c new file mode 100644 -index 000000000..6d41f3244 +index 0000000000..807d039da3 --- /dev/null +++ b/src/util/support/selinux.c -@@ -0,0 +1,406 @@ +@@ -0,0 +1,405 @@ +/* + * Copyright 2007,2008,2009,2011,2012,2013,2016 Red Hat, Inc. All Rights Reserved. + * 
@@ -724,17 +726,16 @@ index 000000000..6d41f3244 + } +} + -+static security_context_t ++static char * +push_fscreatecon(const char *pathname, mode_t mode) +{ -+ security_context_t previous, configuredsc, currentsc, derivedsc; ++ char *previous, *configuredsc, *currentsc, *genpath; ++ const char *derivedsc, *fullpath, *currentuser; + context_t current, derived; -+ const char *fullpath, *currentuser; -+ char *genpath; + -+ previous = configuredsc = currentsc = derivedsc = NULL; ++ previous = configuredsc = currentsc = genpath = NULL; ++ derivedsc = NULL; + current = derived = NULL; -+ genpath = NULL; + + fullpath = pathname; + @@ -862,7 +863,7 @@ index 000000000..6d41f3244 +} + +static void -+pop_fscreatecon(security_context_t previous) ++pop_fscreatecon(char *previous) +{ + if (!is_selinux_enabled()) { + return; @@ -916,7 +917,7 @@ index 000000000..6d41f3244 +{ + FILE *fp; + int errno_save; -+ security_context_t ctx; ++ char *ctx; + + if ((strcmp(mode, "r") == 0) || + (strcmp(mode, "rb") == 0)) { @@ -942,7 +943,7 @@ index 000000000..6d41f3244 +{ + int fd; + int errno_save; -+ security_context_t ctx; ++ char *ctx; + + k5_once(&labeled_once, label_mutex_init); + k5_mutex_lock(&labeled_mutex); @@ -963,7 +964,7 @@ index 000000000..6d41f3244 +{ + int ret; + int errno_save; -+ security_context_t ctx; ++ char *ctx; + + k5_once(&labeled_once, label_mutex_init); + k5_mutex_lock(&labeled_mutex); @@ -984,7 +985,7 @@ index 000000000..6d41f3244 +{ + int ret; + int errno_save; -+ security_context_t ctx; ++ char *ctx; + + k5_once(&labeled_once, label_mutex_init); + k5_mutex_lock(&labeled_mutex); @@ -1005,7 +1006,7 @@ index 000000000..6d41f3244 +{ + int fd; + int errno_save; -+ security_context_t ctx; ++ char *ctx; + mode_t mode; + va_list ap; + @@ -1032,3 +1033,6 @@ index 000000000..6d41f3244 +} + +#endif /* USE_SELINUX */ +-- +2.38.1 + diff --git a/backport-CVE-2021-37750.patch b/backport-CVE-2021-37750.patch deleted file mode 100644 index 8f9293d..0000000 
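Review bot: The rewritten declarations in push_fscreatecon now split the contexts by constness, but nothing states why `derivedsc` becomes `const char *` while `previous`, `configuredsc` and `currentsc` stay `char *`; the split only makes sense if the first three are owned strings that are later released with freecon() and `derivedsc` is borrowed from the `derived` context object, and the hunk does not show that. I would keep `derivedsc` on its own line with a comment, e.g. `const char *derivedsc;   /* borrowed from 'derived'; never passed to freecon() */`, rather than grouping it with `fullpath` and `currentuser`, which are unrelated strings. The body of push_fscreatecon continues past the end of the hunk, so I could not confirm from here that the ownership matches the new types; the same `security_context_t` to `char *` replacement recurs in the pop_fscreatecon and wrapper hunks that follow, where it is type-only.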
--- a/backport-CVE-2021-37750.patch +++ /dev/null @@ -1,46 +0,0 @@ -From d775c95af7606a51bf79547a94fa52ddd1cb7f49 Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Tue, 3 Aug 2021 01:15:27 -0400 -Subject: [PATCH] Fix KDC null deref on TGS inner body null server - -After the KDC decodes a FAST inner body, it does not check for a null -server. Prior to commit 39548a5b17bbda9eeb63625a201cfd19b9de1c5b this -would typically result in an error from krb5_unparse_name(), but with -the addition of get_local_tgt() it results in a null dereference. Add -a null check. - -Reported by Joseph Sutton of Catalyst. - -CVE-2021-37750: - -In MIT krb5 releases 1.14 and later, an authenticated attacker can -cause a null dereference in the KDC by sending a FAST TGS request with -no server field. - -ticket: 9008 (new) -tags: pullup -target_version: 1.19-next -target_version: 1.18-next ---- - src/kdc/do_tgs_req.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c -index 582e497..32dc65f 100644 ---- a/src/kdc/do_tgs_req.c -+++ b/src/kdc/do_tgs_req.c -@@ -207,6 +207,11 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt, - status = "FIND_FAST"; - goto cleanup; - } -+ if (sprinc == NULL) { -+ status = "NULL_SERVER"; -+ errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; -+ goto cleanup; -+ } - - errcode = get_local_tgt(kdc_context, &sprinc->realm, header_server, - &local_tgt, &local_tgt_storage, &local_tgt_key); --- -1.8.3.1 - diff --git a/fix-debuginfo-with-y.tab.c.patch b/fix-debuginfo-with-y.tab.c.patch index e8e1870..3c58cc1 100644 --- a/fix-debuginfo-with-y.tab.c.patch +++ b/fix-debuginfo-with-y.tab.c.patch @@ -1,4 +1,4 @@ -From ed161c3f3cb642d025f0fee6d4af6f56bba711e9 Mon Sep 17 00:00:00 2001 +From c7fe7cbd61f7debf052ddcc6cc5f01bb7e4f5385 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:49:25 -0400 Subject: [PATCH] [downstream] fix debuginfo with y.tab.c 
@@ -14,7 +14,7 @@ Last-updated: krb5-1.9 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/src/kadmin/cli/Makefile.in b/src/kadmin/cli/Makefile.in -index adfea6e2b..d1327e400 100644 +index adfea6e2b5..d1327e400b 100644 --- a/src/kadmin/cli/Makefile.in +++ b/src/kadmin/cli/Makefile.in @@ -37,3 +37,8 @@ clean-unix:: @@ -27,7 +27,7 @@ index adfea6e2b..d1327e400 100644 + $(YACC.y) $< + $(CP) y.tab.c $@ diff --git a/src/plugins/kdb/ldap/ldap_util/Makefile.in b/src/plugins/kdb/ldap/ldap_util/Makefile.in -index 8669c2436..a22f23c02 100644 +index 8669c2436c..a22f23c02c 100644 --- a/src/plugins/kdb/ldap/ldap_util/Makefile.in +++ b/src/plugins/kdb/ldap/ldap_util/Makefile.in @@ -20,7 +20,7 @@ $(PROG): $(OBJS) $(KADMSRV_DEPLIBS) $(KRB5_BASE_DEPLIB) $(GETDATE) @@ -39,3 +39,6 @@ index 8669c2436..a22f23c02 100644 install: $(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG) +-- +2.38.1 + diff --git a/krb5-1.19.2.tar.gz.asc b/krb5-1.19.2.tar.gz.asc deleted file mode 100644 index 8b892e6..0000000 --- a/krb5-1.19.2.tar.gz.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEExEk8tzn0qJ+YUsvCDLoIV1+Dct8FAmD5qLoACgkQDLoIV1+D -ct9NEw//XhDJPE38UzvURT/RsuL3TQZoHGHtRA/seXcKkrX1wFLUjnOUK39RxzkS -5y0BGOBoByGlqMxcpBlQv3mdtOAkdbgUtb9sT90eUObsG3cqa/0ou3Nm2ta+UNb7 -UC72UC9ZCXzUEl3be2/q/geHHE69e62t4YGcnwZ4koI3b/cZU6xL3N0ox9Gxdi37 -+rUe7i5TZAKvKo+eKhLpC/k1F0HSvLzxcPyRlfpAYb607lvc4MYNvbOZZUk8aNEt -0OhoSak1mXSdYwt4HHTj2NY1q5d+wviGOYby/Q1Wv7qVZHLFvCCr7Lr7ba0bIWas -cYl13OgLq2uwA85k9/BzAxIgPVpMpt0aRaoTeiH2fKm8kNA9YfIagyRgX4vNfFWp -RKXpVu5SFNMgFVAHJu/QID8Lf8YV/PU4H7kdMyFy9gA66nTN4KvdeoRyrHgv2r1c -c5MhV9bJDDFalC1VLYTJ3iSZFy5Y95wrr59KI2OTQKgQxsylfGXW+OR1hWKua5Y5 -nqF0b/TKiryrdah3aw2Ac78MggC+3RDHQ8yHG4tC0/nJzbf4WnP6lqUJhQIat+lE -g62Kh+fAUjuYw/8tuxVUFlMMa9cDHV7XGGYQS/JoUq/BaGWheNYrvPXxr4u0oSOa -kJyOUfZuJvgiDakbEAuVNm8Gr6lKDH/omn8dl9r/CHdyEANqvi0= -=QM0F ------END PGP SIGNATURE----- 
diff --git a/krb5-1.19.2.tar.gz b/krb5-1.20.1.tar.gz similarity index 53% rename from krb5-1.19.2.tar.gz rename to krb5-1.20.1.tar.gz index a96d447..091717f 100644 Binary files a/krb5-1.19.2.tar.gz and b/krb5-1.20.1.tar.gz differ diff --git a/krb5-1.20.1.tar.gz.asc b/krb5-1.20.1.tar.gz.asc new file mode 100644 index 0000000..b928cb8 --- /dev/null +++ b/krb5-1.20.1.tar.gz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEExEk8tzn0qJ+YUsvCDLoIV1+Dct8FAmNvED8ACgkQDLoIV1+D +ct9uKw/8C5GS8mdh335lB+bkfjYYCZLD+oQToDAAbdCddrIcuLftvnTfXJ8cMtMc +UT2hsp8u7ZupjJRevdhaH7fFwomc0V8iSES5J2cQHTNd9aK93j/W6NaMoqWLrQWg +jx99oqLn7orvp8N5RufEQcNMNWhFIX4XSfrA3vPfHbbffA2vkjJzOGno4UHi8zUn +6nye7jbrBpiQIeFIJSS3VPsvGrKdRgb9BqGTUsqPIuFvr3Qvo42lKr5X8CWYSXjK +0aKlOpfbWdkteEe2o84/wyMpuGvmYkmOgaMB5xQ3jfEuvPNAWX2CWHNDamiqwBT/ +YxwhZimNa1B9r3P1yDHvpUu8cJaRzw2UDRi2f3Kztrmn2jlqzmoZ31WBALJA7lmL +SrVFdXi7AcWwppMp1kbe9SvurCXID8/Q4n+qAdzSvqrXbeWerVUkdYFvtxQ1bMJR +jnqN11iZFYaoCaaR2lFEhjoMdR80jUa2m6vdF7a7xhH1UvuPHDnzLT9X/TiPvx0R +Itrp5MMIrUQHcZUL9hM5hrg3nxEsGsSCnjB0zWDmgXdLGwd4CvcOF4HPQR3BBlEH +CLtAa27bBXMJTYVvmmKt06hw+U3ALDfUlFrV6ZNLr9ug69l29n7JoChAbZ97Hx1m +twPwJpKd8AiUz+j3KCfgGU21qMbHNP3jEn3q9tkq0qcs/z7RCmU= +=1WIq +-----END PGP SIGNATURE----- diff --git a/krb5.spec b/krb5.spec index cbcff9f..69c7c9b 100644 --- a/krb5.spec +++ b/krb5.spec @@ -2,13 +2,13 @@ %global WITH_DIRSRV 1 Name: krb5 -Version: 1.19.2 -Release: 2 +Version: 1.20.1 +Release: 1 Summary: The Kerberos network authentication protocol License: MIT URL: http://web.mit.edu/kerberos/www/ -Source0: https://web.mit.edu/kerberos/dist/krb5/1.19/%{name}-%{version}.tar.gz -Source1: https://web.mit.edu/kerberos/dist/krb5/1.19/%{name}-%{version}.tar.gz.asc +Source0: https://web.mit.edu/kerberos/dist/krb5/1.20/%{name}-%{version}.tar.gz +Source1: https://web.mit.edu/kerberos/dist/krb5/1.20/%{name}-%{version}.tar.gz.asc Source2: kprop.service Source3: kadmin.service Source4: krb5kdc.service 
@@ -25,8 +25,6 @@ Patch2: Adjust-build-configuration.patch Patch3: netlib-and-dns.patch Patch4: fix-debuginfo-with-y.tab.c.patch Patch5: Remove-3des-support.patch -Patch6: FIPS-with-PRNG-and-RADIUS-and-MD4.patch -Patch7: backport-CVE-2021-37750.patch BuildRequires: gettext BuildRequires: gcc make automake autoconf pkgconfig pam-devel libselinux-devel byacc @@ -318,6 +316,9 @@ make -C src check || : %{_mandir}/man8/* %changelog +* Wed Feb 1 2023 zhouchenchen123 - 1.20.1-1 +- update to 1.20.1 + * Tue Mar 8 2022 yixiangzhike - 1.19.2-2 - Add ExecStartPost option to krb5kdc.service for solving error message when krb5kdc starting diff --git a/ksu-pam-integration.patch b/ksu-pam-integration.patch index 7490bf2..2b737c0 100644 --- a/ksu-pam-integration.patch +++ b/ksu-pam-integration.patch @@ -1,4 +1,4 @@ -From 90ba715be48c2e1b6c7ca53cb1d75f3af2c388d6 Mon Sep 17 00:00:00 2001 +From 37d69135d0be7f46732c401cdbb3abc075bf4117 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:29:58 -0400 Subject: [PATCH] [downstream] ksu pam integration @@ -30,10 +30,10 @@ Last-updated: krb5-1.18-beta1 create mode 100644 src/clients/ksu/pam.h diff --git a/src/aclocal.m4 b/src/aclocal.m4 -index 024d6370c..ca9fcf664 100644 +index 9920476f91..bf9da35bbc 100644 --- a/src/aclocal.m4 +++ b/src/aclocal.m4 -@@ -1677,3 +1677,72 @@ if test "$with_ldap" = yes; then +@@ -1458,3 +1458,72 @@ if test "$with_ldap" = yes; then OPENLDAP_PLUGIN=yes fi ])dnl @@ -107,7 +107,7 @@ index 024d6370c..ca9fcf664 100644 +])dnl + diff --git a/src/clients/ksu/Makefile.in b/src/clients/ksu/Makefile.in -index 8b4edce4d..9d58f29b5 100644 +index 8b4edce4d8..9d58f29b5d 100644 --- a/src/clients/ksu/Makefile.in +++ b/src/clients/ksu/Makefile.in @@ -3,12 +3,14 @@ BUILDTOP=$(REL)..$(S).. @@ -145,7 +145,7 @@ index 8b4edce4d..9d58f29b5 100644 clean: $(RM) ksu diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c -index af1286172..931f05404 100644 +index af12861729..931f054041 100644 
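Review bot: Dropping `Patch7: backport-CVE-2021-37750.patch` together with `Patch6: FIPS-with-PRNG-and-RADIUS-and-MD4.patch` are two different decisions, and the `%changelog` entry added in the next hunk on this line records neither beyond `update to 1.20.1`. The CVE backport is redundant only because the 1.20.1 tarball postdates the upstream fix for CVE-2021-37750 (as far as I can tell it shipped in 1.19.3), whereas removing the FIPS patch drops the downstream FIPS-mode PRNG and krad handling it described unless 1.20.1 provides an equivalent, which nothing here shows. I would extend the changelog entry with lines such as `- drop backport-CVE-2021-37750.patch, fixed upstream before 1.20.1` and `- drop FIPS-with-PRNG-and-RADIUS-and-MD4.patch (<reason>)`, and if the FIPS removal is unintentional the patch should be rebased like the SELinux and ksu patches in this commit rather than deleted.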
--- a/src/clients/ksu/main.c +++ b/src/clients/ksu/main.c @@ -26,6 +26,7 @@ @@ -303,7 +303,7 @@ index af1286172..931f05404 100644 } diff --git a/src/clients/ksu/pam.c b/src/clients/ksu/pam.c new file mode 100644 -index 000000000..cbfe48704 +index 0000000000..cbfe487047 --- /dev/null +++ b/src/clients/ksu/pam.c @@ -0,0 +1,389 @@ @@ -698,7 +698,7 @@ index 000000000..cbfe48704 +#endif diff --git a/src/clients/ksu/pam.h b/src/clients/ksu/pam.h new file mode 100644 -index 000000000..0ab76569c +index 0000000000..0ab76569cb --- /dev/null +++ b/src/clients/ksu/pam.h @@ -0,0 +1,57 @@ @@ -760,10 +760,10 @@ index 000000000..0ab76569c +void appl_pam_cleanup(void); +#endif diff --git a/src/configure.ac b/src/configure.ac -index 4eb080784..693f76a81 100644 +index f03028b5fd..aa970b0447 100644 --- a/src/configure.ac +++ b/src/configure.ac -@@ -1389,6 +1389,8 @@ AC_SUBST([VERTO_VERSION]) +@@ -1400,6 +1400,8 @@ AC_SUBST([VERTO_VERSION]) AC_PATH_PROG(GROFF, groff) @@ -772,3 +772,6 @@ index 4eb080784..693f76a81 100644 # Make localedir work in autoconf 2.5x. if test "${localedir+set}" != set; then localedir='$(datadir)/locale' +-- +2.38.1 +