PR#38: Rebase to 1.21 [f38] - rpms/krb5

rpms / krb5

#38 Rebase to 1.21 [f38]

Merged 10 months ago by jrische. Opened 11 months ago by jrische.

rpms/ jrische/krb5 f38_next into f38

Replace file dependency by package name

Marek Blaha • 11 months ago

a2c0421

New upstream version (1.21)

Julien Rische • a year ago

0b340d0

Add support for MS-PAC extended KDC signature (CVE-2022-37967)

Julien Rische • a year ago

7058594

.gitignore

file modified

		`@@ -202,3 +202,5 @@`
		`/krb5-1.19.2.tar.gz.asc`
		`/krb5-1.20.1.tar.gz`
		`/krb5-1.20.1.tar.gz.asc`
		`+ /krb5-1.21.tar.gz`
		`+ /krb5-1.21.tar.gz.asc`

0001-downstream-ksu-pam-integration.patch

file modified

+5 -5

		`@@ -1,4 +1,4 @@`
		`- From 37d69135d0be7f46732c401cdbb3abc075bf4117 Mon Sep 17 00:00:00 2001`
		`+ From 67c82a09c6c53713c281045cd55de2720cd06907 Mon Sep 17 00:00:00 2001`
		`From: Robbie Harwood <rharwood@redhat.com>`
		`Date: Tue, 23 Aug 2016 16:29:58 -0400`
		`Subject: [PATCH] [downstream] ksu pam integration`
		`@@ -30,7 +30,7 @@`
		`create mode 100644 src/clients/ksu/pam.h`

		`diff --git a/src/aclocal.m4 b/src/aclocal.m4`
		`- index 9920476f91..bf9da35bbc 100644`
		`+ index 3d66a876b3..ce3c5a9bac 100644`
		`--- a/src/aclocal.m4`
		`+++ b/src/aclocal.m4`
		`@@ -1458,3 +1458,72 @@ if test "$with_ldap" = yes; then`
		`@@ -760,10 +760,10 @@`
		`+void appl_pam_cleanup(void);`
		`+#endif`
		`diff --git a/src/configure.ac b/src/configure.ac`
		`- index f03028b5fd..aa970b0447 100644`
		`+ index 77be7a2025..587221936e 100644`
		`--- a/src/configure.ac`
		`+++ b/src/configure.ac`
		`- @@ -1400,6 +1400,8 @@ AC_SUBST([VERTO_VERSION])`
		`+ @@ -1399,6 +1399,8 @@ AC_SUBST([VERTO_VERSION])`

		`AC_PATH_PROG(GROFF, groff)`

		`@@ -773,5 +773,5 @@`
		`if test "${localedir+set}" != set; then`
		`localedir='$(datadir)/locale'`
		`--`
		`- 2.38.1`
		`+ 2.40.1`

0002-downstream-SELinux-integration.patch

file modified

+19 -19

		`@@ -1,4 +1,4 @@`
		`- From c6b58ed180ed91b579d322ff5004f68750f1eb4f Mon Sep 17 00:00:00 2001`
		`+ From dfbac76ab7bb7e6e2c3171eefcaa93573e6b630e Mon Sep 17 00:00:00 2001`
		`From: Robbie Harwood <rharwood@redhat.com>`
		`Date: Tue, 23 Aug 2016 16:30:53 -0400`
		`Subject: [PATCH] [downstream] SELinux integration`
		`@@ -69,7 +69,7 @@`
		`create mode 100644 src/util/support/selinux.c`

		`diff --git a/src/aclocal.m4 b/src/aclocal.m4`
		`- index bf9da35bbc..01283f482e 100644`
		`+ index ce3c5a9bac..3331970930 100644`
		`--- a/src/aclocal.m4`
		`+++ b/src/aclocal.m4`
		`@@ -85,6 +85,7 @@ AC_SUBST_FILE(libnodeps_frag)`
		`@@ -133,10 +133,10 @@`
		`+AC_SUBST(SELINUX_LIBS)`
		`+])dnl`
		`diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in`
		`- index dead0dddce..fef3e054fc 100755`
		`+ index 8e6eb86601..7677f37359 100755`
		`--- a/src/build-tools/krb5-config.in`
		`+++ b/src/build-tools/krb5-config.in`
		`- @@ -41,6 +41,7 @@ DL_LIB='@DL_LIB@'`
		`+ @@ -40,6 +40,7 @@ DL_LIB='@DL_LIB@'`
		`DEFCCNAME='@DEFCCNAME@'`
		`DEFKTNAME='@DEFKTNAME@'`
		`DEFCKTNAME='@DEFCKTNAME@'`
		`@@ -144,7 +144,7 @@`

		`LIBS='@LIBS@'`
		`GEN_LIB=@GEN_LIB@`
		`- @@ -254,7 +255,7 @@ if test -n "$do_libs"; then`
		`+ @@ -253,7 +254,7 @@ if test -n "$do_libs"; then`
		`fi`

		`# If we ever support a flag to generate output suitable for static`
		`@@ -175,10 +175,10 @@`
		`GSS_LIBS = $(GSS_KRB5_LIB)`
		`# needs fixing if ever used on macOS!`
		`diff --git a/src/configure.ac b/src/configure.ac`
		`- index aa970b0447..40545f2bfc 100644`
		`+ index 587221936e..69be9030f8 100644`
		`--- a/src/configure.ac`
		`+++ b/src/configure.ac`
		`- @@ -1402,6 +1402,8 @@ AC_PATH_PROG(GROFF, groff)`
		`+ @@ -1401,6 +1401,8 @@ AC_PATH_PROG(GROFF, groff)`

		`KRB5_WITH_PAM`

		`@@ -188,7 +188,7 @@`
		`if test "${localedir+set}" != set; then`
		`localedir='$(datadir)/locale'`
		`diff --git a/src/include/k5-int.h b/src/include/k5-int.h`
		`- index 44dc1eeb3f..c3aecba7d4 100644`
		`+ index 2f7791b775..9c534faa8a 100644`
		`--- a/src/include/k5-int.h`
		`+++ b/src/include/k5-int.h`
		`@@ -128,6 +128,7 @@ typedef unsigned char u_char;`
		`@@ -238,7 +238,7 @@`
		`+#endif`
		`+#endif`
		`diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin`
		`- index c0194c3c94..7e1dea2cbf 100644`
		`+ index 9c76780181..dd6430ece8 100644`
		`--- a/src/include/krb5/krb5.hin`
		`+++ b/src/include/krb5/krb5.hin`
		`@@ -87,6 +87,12 @@`
		`@@ -290,10 +290,10 @@`
		`com_err(progname, errno, _("while creating 'ok' file, '%s'"), file_ok);`
		`goto cleanup;`
		`diff --git a/src/kdc/main.c b/src/kdc/main.c`
		`- index 38b9299066..085afc9220 100644`
		`+ index bfdfef5c48..b43fe9a082 100644`
		`--- a/src/kdc/main.c`
		`+++ b/src/kdc/main.c`
		`- @@ -848,7 +848,7 @@ write_pid_file(const char *path)`
		`+ @@ -844,7 +844,7 @@ write_pid_file(const char *path)`
		`FILE *file;`
		`unsigned long pid;`

		`@@ -303,7 +303,7 @@`
		`return errno;`
		`pid = (unsigned long) getpid();`
		`diff --git a/src/kprop/kpropd.c b/src/kprop/kpropd.c`
		`- index f2341d720f..ffdac9f397 100644`
		`+ index aa3c81ea30..cb9785aaeb 100644`
		`--- a/src/kprop/kpropd.c`
		`+++ b/src/kprop/kpropd.c`
		`@@ -488,6 +488,9 @@ doit(int fd)`
		`@@ -333,10 +333,10 @@`
		`KRB5_LOCKMODE_EXCLUSIVE \| KRB5_LOCKMODE_DONTBLOCK);`
		`if (retval) {`
		`diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c`
		`- index c6885edf2a..9aec3c05e8 100644`
		`+ index e14da53790..b879a4049b 100644`
		`--- a/src/lib/kadm5/logger.c`
		`+++ b/src/lib/kadm5/logger.c`
		`- @@ -309,7 +309,7 @@ krb5_klog_init(krb5_context kcontext, char ename, char whoami, krb5_boolean do`
		`+ @@ -310,7 +310,7 @@ krb5_klog_init(krb5_context kcontext, char ename, char whoami, krb5_boolean do`
		`*/`
		`append = (cp[4] == ':') ? O_APPEND : 0;`
		`if (append \|\| cp[4] == '=') {`
		`@@ -345,7 +345,7 @@`
		`S_IRUSR \| S_IWUSR \| S_IRGRP);`
		`if (fd != -1)`
		`f = fdopen(fd, append ? "a" : "w");`
		`- @@ -776,7 +776,7 @@ krb5_klog_reopen(krb5_context kcontext)`
		`+ @@ -777,7 +777,7 @@ krb5_klog_reopen(krb5_context kcontext)`
		`* In case the old logfile did not get moved out of the`
		`* way, open for append to prevent squashing the old logs.`
		`*/`
		`@@ -439,10 +439,10 @@`
		`goto report_errno;`
		`writevno = 1;`
		`diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c`
		`- index 3369fc4ba6..95f82cda03 100644`
		`+ index 4cbbbb270a..c4058ddc96 100644`
		`--- a/src/lib/krb5/os/trace.c`
		`+++ b/src/lib/krb5/os/trace.c`
		`- @@ -459,7 +459,7 @@ krb5_set_trace_filename(krb5_context context, const char *filename)`
		`+ @@ -460,7 +460,7 @@ krb5_set_trace_filename(krb5_context context, const char *filename)`
		`fd = malloc(sizeof(*fd));`
		`if (fd == NULL)`
		`return ENOMEM;`
		`@@ -452,7 +452,7 @@`
		`free(fd);`
		`return errno;`
		`diff --git a/src/plugins/kdb/db2/adb_openclose.c b/src/plugins/kdb/db2/adb_openclose.c`
		`- index 7db30a33b0..2b9d01921d 100644`
		`+ index 9a506e9d44..f92ab47143 100644`
		`--- a/src/plugins/kdb/db2/adb_openclose.c`
		`+++ b/src/plugins/kdb/db2/adb_openclose.c`
		`@@ -152,7 +152,7 @@ osa_adb_init_db(osa_adb_db_t dbp, char filename, char *lockfilename,`
		`@@ -1034,5 +1034,5 @@`
		`+`
		`+#endif /* USE_SELINUX */`
		`--`
		`- 2.38.1`
		`+ 2.40.1`

0003-downstream-fix-debuginfo-with-y.tab.c.patch

file modified

+2 -2

		`@@ -1,4 +1,4 @@`
		`- From c7fe7cbd61f7debf052ddcc6cc5f01bb7e4f5385 Mon Sep 17 00:00:00 2001`
		`+ From a9c463ed5988c860ebb18de212d6c56da1cb1169 Mon Sep 17 00:00:00 2001`
		`From: Robbie Harwood <rharwood@redhat.com>`
		`Date: Tue, 23 Aug 2016 16:49:25 -0400`
		`Subject: [PATCH] [downstream] fix debuginfo with y.tab.c`
		`@@ -40,5 +40,5 @@`
		`install:`
		`$(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG)`
		`--`
		`- 2.38.1`
		`+ 2.40.1`

0004-downstream-Remove-3des-support.patch

file modified

+88 -84

		`@@ -1,4 +1,4 @@`
		`- From 7b40250066bbcc529b5348b68199c58fbad82376 Mon Sep 17 00:00:00 2001`
		`+ From 0691db92e13e0d224c2c9dd72c1421d8f7c3c078 Mon Sep 17 00:00:00 2001`
		`From: Robbie Harwood <rharwood@redhat.com>`
		`Date: Tue, 26 Mar 2019 18:51:10 -0400`
		`Subject: [PATCH] [downstream] Remove 3des support`
		`@@ -32,7 +32,7 @@`
		`src/include/krb5/krb5.hin \| 10 +-`
		`src/kdc/kdc_util.c \| 4 -`
		`src/lib/crypto/Makefile.in \| 8 +-`
		`- src/lib/crypto/builtin/Makefile.in \| 6 +-`
		`+ src/lib/crypto/builtin/Makefile.in \| 4 +-`
		`src/lib/crypto/builtin/des/ISSUES \| 13 -`
		`src/lib/crypto/builtin/des/Makefile.in \| 82 ----`
		`src/lib/crypto/builtin/des/d3_aead.c \| 137 ------`
		`@@ -74,7 +74,7 @@`
		`src/lib/crypto/krb/prf_des.c \| 47 ---`
		`src/lib/crypto/krb/random_to_key.c \| 28 --`
		`src/lib/crypto/libk5crypto.exports \| 1 -`
		`- src/lib/crypto/openssl/Makefile.in \| 8 +-`
		`+ src/lib/crypto/openssl/Makefile.in \| 4 +-`
		`src/lib/crypto/openssl/des/Makefile.in \| 20 -`
		`src/lib/crypto/openssl/des/deps \| 14 -`
		`src/lib/crypto/openssl/des/des_keys.c \| 39 --`
		`@@ -98,18 +98,19 @@`
		`src/plugins/preauth/pkinit/pkinit_crypto.h \| 10 +-`
		`src/plugins/preauth/pkinit/pkinit_kdf_test.c \| 30 --`
		`src/plugins/preauth/spake/t_vectors.c \| 25 --`
		`- src/tests/gssapi/t_enctypes.py \| 33 +-`
		`+ src/tests/gssapi/t_enctypes.py \| 34 +-`
		`src/tests/gssapi/t_invalid.c \| 12 -`
		`src/tests/gssapi/t_pcontok.c \| 16 +-`
		`src/tests/gssapi/t_prf.c \| 7 -`
		`src/tests/t_authdata.py \| 2 +-`
		`- src/tests/t_etype_info.py \| 18 +-`
		`+ src/tests/t_etype_info.py \| 20 +-`
		`src/tests/t_keyrollover.py \| 8 +-`
		`src/tests/t_mkey.py \| 35 --`
		`src/tests/t_salt.py \| 5 +-`
		`+ src/tests/t_sesskeynego.py \| 8 -`
		`src/util/k5test.py \| 7 -`
		`.../leash/htmlhelp/html/Encryption_Types.htm \| 13 -`
		`- 89 files changed, 151 insertions(+), 4713 deletions(-)`
		`+ 90 files changed, 149 insertions(+), 4720 deletions(-)`
		`delete mode 100644 src/lib/crypto/builtin/des/ISSUES`
		`delete mode 100644 src/lib/crypto/builtin/des/Makefile.in`
		`delete mode 100644 src/lib/crypto/builtin/des/d3_aead.c`
		`@@ -199,10 +200,10 @@`

		`While aes128-cts and aes256-cts are supported for all Kerberos`
		`diff --git a/doc/admin/enctypes.rst b/doc/admin/enctypes.rst`
		`- index 694922c0d9..c4d5499d3b 100644`
		`+ index dce19ad43e..2b4ed7da0b 100644`
		`--- a/doc/admin/enctypes.rst`
		`+++ b/doc/admin/enctypes.rst`
		`- @@ -129,7 +129,7 @@ enctype weak? krb5 Windows`
		`+ @@ -146,7 +146,7 @@ enctype weak? krb5 Windows`
		`des-cbc-crc weak <1.18 >=2000`
		`des-cbc-md4 weak <1.18 ?`
		`des-cbc-md5 weak <1.18 >=2000`
		`@@ -211,7 +212,7 @@`
		`arcfour-hmac deprecated >=1.3 >=2000`
		`arcfour-hmac-exp weak >=1.3 >=2000`
		`aes128-cts-hmac-sha1-96 >=1.3 >=Vista`
		`- @@ -148,9 +148,11 @@ default.`
		`+ @@ -165,9 +165,11 @@ default.`
		`krb5 releases 1.17 and later flag deprecated encryption types`
		(including ``des3-cbc-sha1`` and ``arcfour-hmac``) in KDC logs and
		`kadmin output. krb5 release 1.19 issues a warning during initial`
		`@@ -247,7 +248,7 @@`

		`.. _err_cert_chain_cert_expired:`
		`diff --git a/doc/appdev/refs/macros/index.rst b/doc/appdev/refs/macros/index.rst`
		`- index a0d4f26701..5f34dea5e8 100644`
		`+ index 45fe160d7f..b4b1f3bd93 100644`
		`--- a/doc/appdev/refs/macros/index.rst`
		`+++ b/doc/appdev/refs/macros/index.rst`
		`@@ -36,7 +36,6 @@ Public`
		`@@ -259,10 +260,10 @@`
		`CKSUMTYPE_NIST_SHA.rst`
		`CKSUMTYPE_RSA_MD4.rst`
		`diff --git a/doc/conf.py b/doc/conf.py`
		`- index fa0eb80f1f..12168fa695 100644`
		`+ index cd76f5999f..1e1cfce80c 100644`
		`--- a/doc/conf.py`
		`+++ b/doc/conf.py`
		`- @@ -278,7 +278,7 @@ else:`
		`+ @@ -281,7 +281,7 @@ else:`
		`rst_epilog += '''`
		.. \|krb5conf\| replace:: ``/etc/krb5.conf``
		.. \|defkeysalts\| replace:: ``aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal``
		`@@ -272,7 +273,7 @@`
		`.. \|copy\| unicode:: U+000A9`
		`'''`
		`diff --git a/doc/mitK5features.rst b/doc/mitK5features.rst`
		`- index ca2d6ef117..100c64a1c1 100644`
		`+ index 10effcf175..cad0855724 100644`
		`--- a/doc/mitK5features.rst`
		`+++ b/doc/mitK5features.rst`
		`@@ -37,7 +37,7 @@ Database backends: LDAP, DB2, LMDB`
		`@@ -307,10 +308,10 @@`
		`##DOS## $(WCONFIG) config < $@.in > $@`
		`##DOS##lib\crypto\builtin\camellia\Makefile: lib\crypto\builtin\camellia\Makefile.in $(MKFDEP)`
		`diff --git a/src/configure.ac b/src/configure.ac`
		`- index 40545f2bfc..8dc864718d 100644`
		`+ index 69be9030f8..2561e917a2 100644`
		`--- a/src/configure.ac`
		`+++ b/src/configure.ac`
		`- @@ -1489,12 +1489,12 @@ V5_AC_OUTPUT_MAKEFILE(.`
		`+ @@ -1513,12 +1513,12 @@ V5_AC_OUTPUT_MAKEFILE(.`
		`lib lib/kdb`

		`lib/crypto lib/crypto/krb lib/crypto/crypto_tests`
		`@@ -326,7 +327,7 @@`

		`lib/krb5 lib/krb5/error_tables lib/krb5/asn.1 lib/krb5/ccache`
		`diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin`
		`- index 7e1dea2cbf..fb9f2a366c 100644`
		`+ index dd6430ece8..350bcf86f2 100644`
		`--- a/src/include/krb5/krb5.hin`
		`+++ b/src/include/krb5/krb5.hin`
		`@@ -426,8 +426,8 @@ typedef struct _krb5_crypto_iov {`
		`@@ -362,10 +363,10 @@`
		`#define CKSUMTYPE_HMAC_SHA1_96_AES128 0x000f /**< RFC 3962. Used with`
		`ENCTYPE_AES128_CTS_HMAC_SHA1_96 */`
		`diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c`
		`- index 9f2a67d189..b7a9aa4992 100644`
		`+ index e54cc751f9..ea10e23a95 100644`
		`--- a/src/kdc/kdc_util.c`
		`+++ b/src/kdc/kdc_util.c`
		`- @@ -1111,8 +1111,6 @@ enctype_name(krb5_enctype ktype, char *buf, size_t buflen)`
		`+ @@ -1164,8 +1164,6 @@ enctype_name(krb5_enctype ktype, char *buf, size_t buflen)`
		`name = "rsaEncryption-EnvOID";`
		`else if (ktype == ENCTYPE_RSA_ES_OAEP_ENV)`
		`name = "id-RSAES-OAEP-EnvOID";`
		`@@ -374,7 +375,7 @@`
		`else`
		`return krb5_enctype_to_name(ktype, FALSE, buf, buflen);`

		`- @@ -1704,8 +1702,6 @@ krb5_boolean`
		`+ @@ -1657,8 +1655,6 @@ krb5_boolean`
		`enctype_requires_etype_info_2(krb5_enctype enctype)`
		`{`
		`switch(enctype) {`
		`@@ -414,7 +415,7 @@`
		`all-unix: all-liblinks`
		`install-unix: install-libs`
		`diff --git a/src/lib/crypto/builtin/Makefile.in b/src/lib/crypto/builtin/Makefile.in`
		`- index daf19da195..c9e967c807 100644`
		`+ index 243bb17ba3..30bfcd30c0 100644`
		`--- a/src/lib/crypto/builtin/Makefile.in`
		`+++ b/src/lib/crypto/builtin/Makefile.in`
		`@@ -1,6 +1,6 @@`
		`@@ -429,15 +430,6 @@`
		`$(srcdir)/kdf.c \`
		`$(srcdir)/pbkdf2.c`

		`- -STOBJLISTS= des/OBJS.ST md4/OBJS.ST \`
		`- +STOBJLISTS= md4/OBJS.ST \`
		`- md5/OBJS.ST sha1/OBJS.ST sha2/OBJS.ST \`
		`- enc_provider/OBJS.ST \`
		`- hash_provider/OBJS.ST \`
		`- @@ -33,7 +33,7 @@ STOBJLISTS= des/OBJS.ST md4/OBJS.ST \`
		`- camellia/OBJS.ST \`
		`- OBJS.ST`
		`-`
		`-SUBDIROBJLISTS= des/OBJS.ST md4/OBJS.ST \`
		`+SUBDIROBJLISTS= md4/OBJS.ST \`
		`md5/OBJS.ST sha1/OBJS.ST sha2/OBJS.ST \`
		`@@ -4862,7 +4854,7 @@`
		`krb5int_camellia_encrypt`
		`krb5int_cmac_checksum`
		`diff --git a/src/lib/crypto/openssl/Makefile.in b/src/lib/crypto/openssl/Makefile.in`
		`- index 08de047d0a..88f7fd0a09 100644`
		`+ index cf11f6847b..8e4cdb8bbf 100644`
		`--- a/src/lib/crypto/openssl/Makefile.in`
		`+++ b/src/lib/crypto/openssl/Makefile.in`
		`@@ -1,6 +1,6 @@`
		`@@ -4873,32 +4865,15 @@`
		`LOCALINCLUDES=-I$(srcdir)/../krb $(CRYPTO_IMPL_CFLAGS)`

		`STLIBOBJS=\`
		`- @@ -24,14 +24,14 @@ SRCS=\`
		`+ @@ -24,7 +24,7 @@ SRCS=\`
		`$(srcdir)/pbkdf2.c \`
		`$(srcdir)/sha256.c`

		`- -STOBJLISTS= des/OBJS.ST md4/OBJS.ST \`
		`- +STOBJLISTS= md4/OBJS.ST \`
		`- md5/OBJS.ST sha1/OBJS.ST sha2/OBJS.ST \`
		`- enc_provider/OBJS.ST \`
		`- hash_provider/OBJS.ST \`
		`- aes/OBJS.ST \`
		`- OBJS.ST`
		`-`
		`-SUBDIROBJLISTS= des/OBJS.ST md4/OBJS.ST \`
		`+SUBDIROBJLISTS= md4/OBJS.ST \`
		`md5/OBJS.ST sha1/OBJS.ST sha2/OBJS.ST \`
		`enc_provider/OBJS.ST \`
		`hash_provider/OBJS.ST \`
		`- @@ -42,7 +42,7 @@ includes: depend`
		`-`
		`- depend: $(SRCS)`
		`-`
		`- -clean-unix:: clean-libobjs`
		`- +clean-unix:: clean-libobjsn`
		`-`
		`- @lib_frag@`
		`- @libobj_frag@`
		`diff --git a/src/lib/crypto/openssl/des/Makefile.in b/src/lib/crypto/openssl/des/Makefile.in`
		`deleted file mode 100644`
		`index a6cece1dd1..0000000000`
		`@@ -5244,10 +5219,10 @@`
		`}`

		`diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c`
		`- index d4e90793f9..1bc807172b 100644`
		`+ index b35e11bfb6..d7c2ad321e 100644`
		`--- a/src/lib/gssapi/krb5/accept_sec_context.c`
		`+++ b/src/lib/gssapi/krb5/accept_sec_context.c`
		`- @@ -1030,7 +1030,6 @@ kg_accept_krb5(minor_status, context_handle,`
		`+ @@ -1026,7 +1026,6 @@ kg_accept_krb5(minor_status, context_handle,`
		`}`

		`switch (negotiated_etype) {`
		`@@ -5256,7 +5231,7 @@`
		`case ENCTYPE_ARCFOUR_HMAC_EXP:`
		`/* RFC 4121 accidentally omits RC4-HMAC-EXP as a "not-newer"`
		`diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h`
		`- index a4446530fc..88d41130a7 100644`
		`+ index 7364607198..5aeb69aebc 100644`
		`--- a/src/lib/gssapi/krb5/gssapiP_krb5.h`
		`+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h`
		`@@ -125,14 +125,14 @@ enum sgn_alg {`
		`@@ -5286,10 +5261,10 @@`
		`};`

		`diff --git a/src/lib/gssapi/krb5/k5seal.c b/src/lib/gssapi/krb5/k5seal.c`
		`- index d1cdce486f..7f7146a0a2 100644`
		`+ index 99275be53a..0e5d10b115 100644`
		`--- a/src/lib/gssapi/krb5/k5seal.c`
		`+++ b/src/lib/gssapi/krb5/k5seal.c`
		`- @@ -136,19 +136,12 @@ make_seal_token_v1 (krb5_context context,`
		`+ @@ -142,19 +142,12 @@ make_seal_token_v1 (krb5_context context,`

		`/* pad the plaintext, encrypt if needed, and stick it in the token */`

		`@@ -5315,7 +5290,7 @@`

		`code = krb5_c_checksum_length(context, md5cksum.checksum_type, &sumlen);`
		`if (code) {`
		`- @@ -196,20 +189,8 @@ make_seal_token_v1 (krb5_context context,`
		`+ @@ -203,20 +196,8 @@ make_seal_token_v1 (krb5_context context,`
		`gssalloc_free(t);`
		`return(code);`
		`}`
		`@@ -5327,22 +5302,22 @@`
		`- */`
		`- if (md5cksum.length != cksum_size)`
		`- abort ();`
		`- - memcpy (ptr+14, md5cksum.contents, md5cksum.length);`
		`+ - memcpy(checksum, md5cksum.contents, md5cksum.length);`
		`- break;`
		`- case SGN_ALG_HMAC_MD5:`
		`- - memcpy (ptr+14, md5cksum.contents, cksum_size);`
		`+ - memcpy(checksum, md5cksum.contents, cksum_size);`
		`- break;`
		`- }`
		`+`
		`- + memcpy (ptr+14, md5cksum.contents, cksum_size);`
		`+ + memcpy(checksum, md5cksum.contents, cksum_size);`

		`krb5_free_checksum_contents(context, &md5cksum);`

		`diff --git a/src/lib/gssapi/krb5/k5sealiov.c b/src/lib/gssapi/krb5/k5sealiov.c`
		`- index 9bb2ee1099..9147bb2c78 100644`
		`+ index 7bf7609a48..d5e12cb436 100644`
		`--- a/src/lib/gssapi/krb5/k5sealiov.c`
		`+++ b/src/lib/gssapi/krb5/k5sealiov.c`
		`- @@ -144,18 +144,11 @@ make_seal_token_v1_iov(krb5_context context,`
		`+ @@ -147,18 +147,11 @@ make_seal_token_v1_iov(krb5_context context,`
		`/* pad the plaintext, encrypt if needed, and stick it in the token */`

		`/* initialize the checksum */`
		`@@ -5366,20 +5341,20 @@`

		`code = krb5_c_checksum_length(context, md5cksum.checksum_type, &k5_trailerlen);`
		`if (code != 0)`
		`- @@ -177,15 +170,7 @@ make_seal_token_v1_iov(krb5_context context,`
		`+ @@ -182,15 +175,7 @@ make_seal_token_v1_iov(krb5_context context,`
		`if (code != 0)`
		`goto cleanup;`

		`- switch (ctx->signalg) {`
		`- case SGN_ALG_HMAC_SHA1_DES3_KD:`
		`- assert(md5cksum.length == ctx->cksum_size);`
		`- - memcpy(ptr + 14, md5cksum.contents, md5cksum.length);`
		`+ - memcpy(checksum, md5cksum.contents, md5cksum.length);`
		`- break;`
		`- case SGN_ALG_HMAC_MD5:`
		`- - memcpy(ptr + 14, md5cksum.contents, ctx->cksum_size);`
		`+ - memcpy(checksum, md5cksum.contents, ctx->cksum_size);`
		`- break;`
		`- }`
		`- + memcpy(ptr + 14, md5cksum.contents, ctx->cksum_size);`
		`+ + memcpy(checksum, md5cksum.contents, ctx->cksum_size);`

		`/* create the seq_num */`
		`code = kg_make_seq_num(context, ctx->seq, ctx->initiate ? 0 : 0xFF,`
		`@@ -5618,7 +5593,7 @@`
		`case ENCTYPE_ARCFOUR_HMAC_EXP:`
		`/* RFC 4121 accidentally omits RC4-HMAC-EXP as a "not-newer" enctype,`
		`diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c`
		`- index 87b486c53f..2b5abcd817 100644`
		`+ index a6c2bbeb54..18290b764b 100644`
		`--- a/src/lib/krb5/krb/init_ctx.c`
		`+++ b/src/lib/krb5/krb/init_ctx.c`
		`@@ -59,7 +59,6 @@`
		`@@ -5629,7 +5604,7 @@`
		`ENCTYPE_ARCFOUR_HMAC,`
		`ENCTYPE_CAMELLIA128_CTS_CMAC, ENCTYPE_CAMELLIA256_CTS_CMAC,`
		`0`
		`- @@ -450,8 +449,6 @@ krb5int_parse_enctype_list(krb5_context context, const char *profkey,`
		`+ @@ -460,8 +459,6 @@ krb5int_parse_enctype_list(krb5_context context, const char *profkey,`
		`/* Set all enctypes in the default list. */`
		`for (i = 0; default_list[i]; i++)`
		`mod_list(default_list[i], sel, weak, &list);`
		`@@ -5769,10 +5744,10 @@`
		`#define CKK_CAST3 (0x17)`
		`#define CKK_CAST128 (0x18)`
		`diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h`
		`- index 94a1b22fb1..65f6210727 100644`
		`+ index e22798f668..9fa315d7a0 100644`
		`--- a/src/plugins/preauth/pkinit/pkinit_crypto.h`
		`+++ b/src/plugins/preauth/pkinit/pkinit_crypto.h`
		`- @@ -376,11 +376,11 @@ krb5_error_code server_process_dh`
		`+ @@ -370,11 +370,11 @@ krb5_error_code server_process_dh`
		`* krb5_algorithm_identifier`
		`*/`
		`krb5_error_code create_krb5_supportedCMSTypes`
		`@@ -5874,10 +5849,10 @@`
		`/* initial key, w, x, y, T, S, K */`
		`"8846F7EAEE8FB117AD06BDD830B7586C",`
		`diff --git a/src/tests/gssapi/t_enctypes.py b/src/tests/gssapi/t_enctypes.py`
		`- index 7494d7fcdb..2f95d89967 100755`
		`+ index f5f11842e2..1bb8c40b6b 100755`
		`--- a/src/tests/gssapi/t_enctypes.py`
		`+++ b/src/tests/gssapi/t_enctypes.py`
		`- @@ -1,24 +1,17 @@`
		`+ @@ -1,25 +1,17 @@`
		`from k5test import *`

		`-# Define some convenience abbreviations for enctypes we will see in`
		`@@ -5901,13 +5876,14 @@`
		`# These tests make assumptions about the default enctype lists, so set`
		`# them explicitly rather than relying on the library defaults.`
		`-supp='aes256-cts:normal aes128-cts:normal des3-cbc-sha1:normal rc4-hmac:normal'`
		`- -conf = {'libdefaults': {'permitted_enctypes': 'aes des3 rc4'},`
		`+ -conf = {'libdefaults': {'permitted_enctypes': 'aes des3 rc4',`
		`+ - 'allow_des3': 'true', 'allow_rc4': 'true'},`
		`+supp='aes256-cts:normal aes128-cts:normal rc4-hmac:normal'`
		`- +conf = {'libdefaults': {'permitted_enctypes': 'aes rc4'},`
		`+ +conf = {'libdefaults': {'permitted_enctypes': 'aes rc4', 'allow_rc4': 'true'},`
		`'realms': {'$realm': {'supported_enctypes': supp}}}`
		`realm = K5Realm(krb5_conf=conf)`
		`shutil.copyfile(realm.ccache, os.path.join(realm.testdir, 'save'))`
		`- @@ -87,19 +80,12 @@ test('both aes128', 'aes128-cts', 'aes128-cts',`
		`+ @@ -88,19 +80,12 @@ test('both aes128', 'aes128-cts', 'aes128-cts',`
		`test_err('acc aes128', None, 'aes128-cts',`
		`'Encryption type aes256-cts-hmac-sha1-96 not permitted')`

		`@@ -5928,7 +5904,7 @@`
		`# subkey.`
		`test('upgrade noargs', None, None,`
		`tktenc=aes256, tktsession=d_rc4,`
		`- @@ -115,13 +101,6 @@ test('upgrade init aes128+rc4', 'aes128-cts rc4', None,`
		`+ @@ -116,13 +101,6 @@ test('upgrade init aes128+rc4', 'aes128-cts rc4', None,`
		`tktenc=aes256, tktsession=d_rc4,`
		`proto='cfx', isubkey=rc4, asubkey=aes128)`

		`@@ -6019,10 +5995,10 @@`
		`"3BB3AE288C12B3B9D06B208A4151B3B6",`
		`"9AEA11A3BCF3C53F1F91F5A0BA2132E2501ADF5F3C28"`
		`diff --git a/src/tests/t_authdata.py b/src/tests/t_authdata.py`
		`- index 97e2474bf8..47ea9e4b47 100644`
		`+ index bde1c36844..8fcd30db51 100644`
		`--- a/src/tests/t_authdata.py`
		`+++ b/src/tests/t_authdata.py`
		`- @@ -164,7 +164,7 @@ realm.run([kvno, 'restricted'])`
		`+ @@ -179,7 +179,7 @@ realm.run([kvno, 'restricted'])`
		`# preferred krbtgt enctype changes.`
		`mark('#8139 regression test')`
		`realm.kinit(realm.user_princ, password('user'), ['-f'])`
		`@@ -6032,17 +6008,19 @@`
		`realm.run(['./forward'])`
		`realm.run([kvno, realm.host_princ])`
		`diff --git a/src/tests/t_etype_info.py b/src/tests/t_etype_info.py`
		`- index c982508d8b..96e90a69d2 100644`
		`+ index 38cf96ca8f..e82ff7ff07 100644`
		`--- a/src/tests/t_etype_info.py`
		`+++ b/src/tests/t_etype_info.py`
		`- @@ -1,6 +1,6 @@`
		`+ @@ -1,7 +1,7 @@`
		`from k5test import *`

		`-supported_enctypes = 'aes128-cts des3-cbc-sha1 rc4-hmac'`
		`+ -conf = {'libdefaults': {'allow_des3': 'true', 'allow_rc4': 'true'},`
		`+supported_enctypes = 'aes128-cts rc4-hmac'`
		`- conf = {'libdefaults': {'allow_weak_crypto': 'true'},`
		`+ +conf = {'libdefaults': {'allow_rc4': 'true'},`
		`'realms': {'$realm': {'supported_enctypes': supported_enctypes}}}`
		`realm = K5Realm(create_host=False, get_creds=False, krb5_conf=conf)`
		`+`
		`@@ -26,9 +26,9 @@ def test_etinfo(princ, enctypes, expected_lines):`
		`# With no newer enctypes in the request, PA-ETYPE-INFO2,`
		`# PA-ETYPE-INFO, and PA-PW-SALT appear in the AS-REP, each listing one`
		`@@ -6081,7 +6059,7 @@`
		`# Verify that etype-info2 is included in a MORE_PREAUTH_DATA_REQUIRED`
		`# error if the client does optimistic preauth.`
		`diff --git a/src/tests/t_keyrollover.py b/src/tests/t_keyrollover.py`
		`- index 2c825a6922..f29e0d5500 100755`
		`+ index e9840dfae8..583c2fa27e 100755`
		`--- a/src/tests/t_keyrollover.py`
		`+++ b/src/tests/t_keyrollover.py`
		`@@ -37,9 +37,9 @@ realm.run([klist, '-e'], expected_msg=msg)`
		`@@ -6181,24 +6159,50 @@`

		`# Test using different salt types in a principal's key list.`
		`# Parameters from one key in the list must not leak over to later ones.`
		`+ diff --git a/src/tests/t_sesskeynego.py b/src/tests/t_sesskeynego.py`
		`+ index 5a213617b5..c7dba0ff5b 100755`
		`+ --- a/src/tests/t_sesskeynego.py`
		`+ +++ b/src/tests/t_sesskeynego.py`
		`+ @@ -26,7 +26,6 @@ conf3 = {'libdefaults': {`
		`+ 'default_tgs_enctypes': 'rc4-hmac,aes128-cts'}}`
		`+ conf4 = {'libdefaults': {'permitted_enctypes': 'aes256-cts'}}`
		`+ conf5 = {'libdefaults': {'allow_rc4': 'true'}}`
		`+ -conf6 = {'libdefaults': {'allow_des3': 'true'}}`
		`+ # Test with client request and session_enctypes preferring aes128, but`
		`+ # aes256 long-term key.`
		`+ realm = K5Realm(krb5_conf=conf1, create_host=False, get_creds=False)`
		`+ @@ -78,13 +77,6 @@ realm.run([kadminl, 'setstr', 'server', 'session_enctypes', 'rc4-hmac'])`
		`+ test_kvno(realm, 'DEPRECATED:arcfour-hmac', 'aes256-cts-hmac-sha1-96')`
		`+ realm.stop()`
		`+`
		`+ -# 6: allow_des3 permits negotiation of des3-cbc-sha1 session key.`
		`+ -realm = K5Realm(krb5_conf=conf6, create_host=False, get_creds=False)`
		`+ -realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts', 'server'])`
		`+ -realm.run([kadminl, 'setstr', 'server', 'session_enctypes', 'des3-cbc-sha1'])`
		`+ -test_kvno(realm, 'DEPRECATED:des3-cbc-sha1', 'aes256-cts-hmac-sha1-96')`
		`+ -realm.stop()`
		`+ -`
		`+ # 7: default config negotiates aes256-sha1 session key for RC4-only service.`
		`+ realm = K5Realm(create_host=False, get_creds=False)`
		`+ realm.run([kadminl, 'addprinc', '-randkey', '-e', 'rc4-hmac', 'server'])`
		`diff --git a/src/util/k5test.py b/src/util/k5test.py`
		`- index 619f1995f8..771f82e3cc 100644`
		`+ index 8e5f5ba8e9..b953827018 100644`
		`--- a/src/util/k5test.py`
		`+++ b/src/util/k5test.py`
		`- @@ -1344,13 +1344,6 @@ _passes = [`
		`+ @@ -1338,13 +1338,6 @@ _passes = [`
		`# No special settings; exercises AES256.`
		`('default', None, None, None),`

		`- # Exercise the DES3 enctype.`
		`- ('des3', None,`
		`- - {'libdefaults': {'permitted_enctypes': 'des3'}},`
		`+ - {'libdefaults': {'permitted_enctypes': 'des3 aes256-sha1'}},`
		`- {'realms': {'$realm': {`
		`- 'supported_enctypes': 'des3-cbc-sha1:normal',`
		`- 'master_key_type': 'des3-cbc-sha1'}}}),`
		`-`
		`# Exercise the arcfour enctype.`
		`('arcfour', None,`
		`- {'libdefaults': {'permitted_enctypes': 'rc4'}},`
		`+ {'libdefaults': {'permitted_enctypes': 'rc4 aes256-sha1'}},`
		`diff --git a/src/windows/leash/htmlhelp/html/Encryption_Types.htm b/src/windows/leash/htmlhelp/html/Encryption_Types.htm`
		`index 1aebdd0b4a..c38eefd2bd 100644`
		`--- a/src/windows/leash/htmlhelp/html/Encryption_Types.htm`
		`@@ -6224,5 +6228,5 @@`
		`<td>The AES Advanced Encryption Standard`
		`family, like 3DES, is a symmetric block cipher and was designed`
		`--`
		`- 2.38.1`
		`+ 2.40.1`

0005-downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch

file modified

+4 -4

		`@@ -1,4 +1,4 @@`
		`- From 239cd24624b801d4fc4bb4686bef8526e7675d77 Mon Sep 17 00:00:00 2001`
		`+ From 53191fd3a1acfeefa8e5c26e7e9d130688daf745 Mon Sep 17 00:00:00 2001`
		`From: Robbie Harwood <rharwood@redhat.com>`
		`Date: Fri, 9 Nov 2018 15:12:21 -0500`
		`Subject: [PATCH] [downstream] FIPS with PRNG and RADIUS and MD4`
		`@@ -41,10 +41,10 @@`
		`15 files changed, 155 insertions(+), 33 deletions(-)`

		`diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst`
		`- index d5d6e06ebb..2a4962069f 100644`
		`+ index ecdf917501..b78a3faf0a 100644`
		`--- a/doc/admin/conf_files/krb5_conf.rst`
		`+++ b/doc/admin/conf_files/krb5_conf.rst`
		`- @@ -330,6 +330,12 @@ The libdefaults section may contain any of the following relations:`
		`+ @@ -342,6 +342,12 @@ The libdefaults section may contain any of the following relations:`
		`qualification of shortnames, set this relation to the empty string`
		with ``qualify_shortname = ""``. (New in release 1.18.)

		`@@ -608,5 +608,5 @@`
		`vt->name = "spake";`
		`vt->pa_type_list = pa_types;`
		`--`
		`- 2.38.1`
		`+ 2.40.1`

0006-downstream-Allow-krad-UDP-TCP-localhost-connection-w.patch

file modified

+3 -4

		`@@ -1,8 +1,7 @@`
		`- From 5587c755b6ca82bde093523e2d17b255158cd90e Mon Sep 17 00:00:00 2001`
		`+ From c19d0bd35cde40172118c67c38a44f164bce1e16 Mon Sep 17 00:00:00 2001`
		`From: Julien Rische <jrische@redhat.com>`
		`Date: Thu, 5 May 2022 17:15:12 +0200`
		`- Subject: [PATCH] [downstream] Allow krad UDP/TCP localhost connection`
		`- with FIPS`
		`+ Subject: [PATCH] [downstream] Allow krad UDP/TCP localhost connection with FIPS`

		`libkrad allows to establish connections only to UNIX socket in FIPS`
		`mode, because MD5 digest is not considered safe enough to be used for`
		`@@ -78,5 +77,5 @@`
		`retval = ESOCKTNOSUPPORT;`
		`goto error;`
		`--`
		`- 2.38.1`
		`+ 2.40.1`

0007-Add-configure-variable-for-default-PKCS-11-module.patch

file removed

-201

		`@@ -1,201 +0,0 @@`
		`- From 842b4c3b5695e2518e6f1a1545db78865c04b59c Mon Sep 17 00:00:00 2001`
		`- From: Julien Rische <jrische@redhat.com>`
		`- Date: Fri, 22 Apr 2022 14:12:37 +0200`
		`- Subject: [PATCH] Add configure variable for default PKCS#11 module`
		`-`
		`- [ghudson@mit.edu: added documentation of configure variable and doc`
		`- substitution; shortened commit message]`
		`-`
		`- ticket: 9058 (new)`
		`- ---`
		`- doc/admin/conf_files/krb5_conf.rst \| 2 +-`
		`- doc/build/options2configure.rst \| 3 +++`
		`- doc/conf.py \| 3 +++`
		`- doc/mitK5defaults.rst \| 25 +++++++++++++------------`
		`- src/configure.ac \| 8 ++++++++`
		`- src/doc/Makefile.in \| 2 ++`
		`- src/man/Makefile.in \| 4 +++-`
		`- src/man/krb5.conf.man \| 2 +-`
		`- src/plugins/preauth/pkinit/pkinit.h \| 1 -`
		`- 9 files changed, 34 insertions(+), 16 deletions(-)`
		`-`
		`- diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst`
		`- index 2a4962069f..a33711d918 100644`
		`- --- a/doc/admin/conf_files/krb5_conf.rst`
		`- +++ b/doc/admin/conf_files/krb5_conf.rst`
		`- @@ -1017,7 +1017,7 @@ information for PKINIT is as follows:`
		`- All keyword/values are optional. modname specifies the location`
		`- of a library implementing PKCS #11. If a value is encountered`
		`- with no keyword, it is assumed to be the modname. If no`
		- - module-name is specified, the default is ``opensc-pkcs11.so``.
		`- + module-name is specified, the default is \|pkcs11_modname\|.`
		- ``slotid=`` and/or ``token=`` may be specified to force the use of
		`- a particular smard card reader or token if there is more than one`
		- available. ``certid=`` and/or ``certlabel=`` may be specified to
		`- diff --git a/doc/build/options2configure.rst b/doc/build/options2configure.rst`
		`- index 9e355dc2c5..e879b18bd2 100644`
		`- --- a/doc/build/options2configure.rst`
		`- +++ b/doc/build/options2configure.rst`
		`- @@ -137,6 +137,9 @@ Environment variables`
		`- This option allows one to specify libraries to be passed to the`
		- linker (e.g., ``-l<library>``)
		`-`
		`- +PKCS11_MODNAME=\ library`
		`- + Override the built-in default PKCS11 library name.`
		`- +`
		`- SS_LIB=\ libs...`
		- If ``-lss`` is not the correct way to link in your installed ss
		`- library, for example if additional support libraries are needed,`
		`- diff --git a/doc/conf.py b/doc/conf.py`
		`- index 12168fa695..0ab5ff9606 100644`
		`- --- a/doc/conf.py`
		`- +++ b/doc/conf.py`
		`- @@ -242,6 +242,7 @@ if 'mansubs' in tags:`
		- ccache = '``@CCNAME@``'
		- keytab = '``@KTNAME@``'
		- ckeytab = '``@CKTNAME@``'
		- + pkcs11_modname = '``@PKCS11MOD@``'
		`- elif 'pathsubs' in tags:`
		`- # Read configured paths from a file produced by the build system.`
		`- exec(open("paths.py").read())`
		`- @@ -255,6 +256,7 @@ else:`
		- ccache = ':ref:`DEFCCNAME <paths>`'
		- keytab = ':ref:`DEFKTNAME <paths>`'
		- ckeytab = ':ref:`DEFCKTNAME <paths>`'
		- + pkcs11_modname = ':ref:`PKCS11_MODNAME <paths>`'
		`-`
		`- rst_epilog = '\n'`
		`-`
		`- @@ -275,6 +277,7 @@ else:`
		`- rst_epilog += '.. \|ccache\| replace:: %s\n' % ccache`
		`- rst_epilog += '.. \|keytab\| replace:: %s\n' % keytab`
		`- rst_epilog += '.. \|ckeytab\| replace:: %s\n' % ckeytab`
		`- + rst_epilog += '.. \|pkcs11_modname\| replace:: %s\n' % pkcs11_modname`
		`- rst_epilog += '''`
		- .. \|krb5conf\| replace:: ``/etc/krb5.conf``
		- .. \|defkeysalts\| replace:: ``aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal``
		`- diff --git a/doc/mitK5defaults.rst b/doc/mitK5defaults.rst`
		`- index 74e69f4ad0..aea7af3dbb 100644`
		`- --- a/doc/mitK5defaults.rst`
		`- +++ b/doc/mitK5defaults.rst`
		- @@ -59,18 +59,19 @@ subdirectories of ``/usr/local``. When MIT krb5 is integrated into an
		`- operating system, the paths are generally chosen to match the`
		`- operating system's filesystem layout.`
		`-`
		`- -========================== ============= =========================== ===========================`
		`- -Description Symbolic name Custom build path Typical OS path`
		`- -========================== ============= =========================== ===========================`
		- -User programs BINDIR ``/usr/local/bin`` ``/usr/bin``
		- -Libraries and plugins LIBDIR ``/usr/local/lib`` ``/usr/lib``
		- -Parent of KDC state dir LOCALSTATEDIR ``/usr/local/var`` ``/var``
		- -Parent of KDC runtime dir RUNSTATEDIR ``/usr/local/var/run`` ``/run``
		- -Administrative programs SBINDIR ``/usr/local/sbin`` ``/usr/sbin``
		- -Alternate krb5.conf dir SYSCONFDIR ``/usr/local/etc`` ``/etc``
		- -Default ccache name DEFCCNAME ``FILE:/tmp/krb5cc_%{uid}`` ``FILE:/tmp/krb5cc_%{uid}``
		- -Default keytab name DEFKTNAME ``FILE:/etc/krb5.keytab`` ``FILE:/etc/krb5.keytab``
		`- -========================== ============= =========================== ===========================`
		`- +========================== ============== =========================== ===========================`
		`- +Description Symbolic name Custom build path Typical OS path`
		`- +========================== ============== =========================== ===========================`
		- +User programs BINDIR ``/usr/local/bin`` ``/usr/bin``
		- +Libraries and plugins LIBDIR ``/usr/local/lib`` ``/usr/lib``
		- +Parent of KDC state dir LOCALSTATEDIR ``/usr/local/var`` ``/var``
		- +Parent of KDC runtime dir RUNSTATEDIR ``/usr/local/var/run`` ``/run``
		- +Administrative programs SBINDIR ``/usr/local/sbin`` ``/usr/sbin``
		- +Alternate krb5.conf dir SYSCONFDIR ``/usr/local/etc`` ``/etc``
		- +Default ccache name DEFCCNAME ``FILE:/tmp/krb5cc_%{uid}`` ``FILE:/tmp/krb5cc_%{uid}``
		- +Default keytab name DEFKTNAME ``FILE:/etc/krb5.keytab`` ``FILE:/etc/krb5.keytab``
		- +Default PKCS11 module PKCS11_MODNAME ``opensc-pkcs11.so`` ``opensc-pkcs11.so``
		`- +========================== ============== =========================== ===========================`
		`-`
		`- The default client keytab name (DEFCKTNAME) typically defaults to`
		- ``FILE:/usr/local/var/krb5/user/%{euid}/client.keytab`` for a custom
		`- diff --git a/src/configure.ac b/src/configure.ac`
		`- index 8dc864718d..9774cb71ae 100644`
		`- --- a/src/configure.ac`
		`- +++ b/src/configure.ac`
		`- @@ -1471,6 +1471,14 @@ AC_DEFINE_UNQUOTED(DEFKTNAME, ["$DEFKTNAME"], [Define to default keytab name])`
		`- AC_DEFINE_UNQUOTED(DEFCKTNAME, ["$DEFCKTNAME"],`
		`- [Define to default client keytab name])`
		`-`
		`- +AC_ARG_VAR(PKCS11_MODNAME, [Default PKCS11 module name])`
		`- +if test "${PKCS11_MODNAME+set}" != set; then`
		`- + PKCS11_MODNAME=opensc-pkcs11.so`
		`- +fi`
		`- +AC_MSG_NOTICE([Default PKCS11 module name: $PKCS11_MODNAME])`
		`- +AC_DEFINE_UNQUOTED(PKCS11_MODNAME, ["$PKCS11_MODNAME"],`
		`- + [Default PKCS11 module name])`
		`- +`
		`- AC_CONFIG_FILES([build-tools/krb5-config], [chmod +x build-tools/krb5-config])`
		`- AC_CONFIG_FILES([build-tools/kadm-server.pc`
		`- build-tools/kadm-client.pc`
		`- diff --git a/src/doc/Makefile.in b/src/doc/Makefile.in`
		`- index 379bc36511..a1b0cff0a4 100644`
		`- --- a/src/doc/Makefile.in`
		`- +++ b/src/doc/Makefile.in`
		`- @@ -10,6 +10,7 @@ sysconfdir=@sysconfdir@`
		`- DEFCCNAME=@DEFCCNAME@`
		`- DEFKTNAME=@DEFKTNAME@`
		`- DEFCKTNAME=@DEFCKTNAME@`
		`- +PKCS11_MODNAME=@PKCS11_MODNAME@`
		`-`
		`- RST_SOURCES= _static \`
		`- _templates \`
		`- @@ -118,6 +119,7 @@ paths.py:`
		- echo 'ccache = "``$(DEFCCNAME)``"' >> $@
		- echo 'keytab = "``$(DEFKTNAME)``"' >> $@
		- echo 'ckeytab = "``$(DEFCKTNAME)``"' >> $@
		- + echo 'pkcs11_modname = "``$(PKCS11_MODNAME)``"' >> $@
		`-`
		`- # Dummy rule that man/Makefile can invoke`
		`- version.py: $(docsrc)/version.py`
		`- diff --git a/src/man/Makefile.in b/src/man/Makefile.in`
		`- index 00b1b2de06..85cae0914e 100644`
		`- --- a/src/man/Makefile.in`
		`- +++ b/src/man/Makefile.in`
		`- @@ -8,6 +8,7 @@ sysconfdir=@sysconfdir@`
		`- DEFCCNAME=@DEFCCNAME@`
		`- DEFKTNAME=@DEFKTNAME@`
		`- DEFCKTNAME=@DEFCKTNAME@`
		`- +PKCS11_MODNAME=@PKCS11_MODNAME@`
		`-`
		`- MANSUBS=k5identity.sub k5login.sub k5srvutil.sub kadm5.acl.sub kadmin.sub \`
		`- kadmind.sub kdb5_ldap_util.sub kdb5_util.sub kdc.conf.sub \`
		`- @@ -47,7 +48,8 @@ $(docsrc)/version.py: $(top_srcdir)/patchlevel.h`
		`- -e 's\|@SYSCONFDIR@\|$(sysconfdir)\|g' \`
		`- -e 's\|@CCNAME@\|$(DEFCCNAME)\|g' \`
		`- -e 's\|@KTNAME@\|$(DEFKTNAME)\|g' \`
		`- - -e 's\|@CKTNAME@\|$(DEFCKTNAME)\|g' $? > $@`
		`- + -e 's\|@CKTNAME@\|$(DEFCKTNAME)\|g' \`
		`- + -e 's\|@PKCS11MOD@\|$(PKCS11_MODNAME)\|g' $? > $@`
		`-`
		`- all: $(MANSUBS)`
		`-`
		`- diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man`
		`- index 51acb38815..fd2c6f2bc4 100644`
		`- --- a/src/man/krb5.conf.man`
		`- +++ b/src/man/krb5.conf.man`
		`- @@ -1148,7 +1148,7 @@ user\(aqs certificate and private key.`
		`- All keyword/values are optional. \fImodname\fP specifies the location`
		`- of a library implementing PKCS #11. If a value is encountered`
		`- with no keyword, it is assumed to be the \fImodname\fP\&. If no`
		`- -module\-name is specified, the default is \fBopensc\-pkcs11.so\fP\&.`
		`- +module\-name is specified, the default is \fB@PKCS11MOD@\fP\&.`
		`- \fBslotid=\fP and/or \fBtoken=\fP may be specified to force the use of`
		`- a particular smard card reader or token if there is more than one`
		`- available. \fBcertid=\fP and/or \fBcertlabel=\fP may be specified to`
		`- diff --git a/src/plugins/preauth/pkinit/pkinit.h b/src/plugins/preauth/pkinit/pkinit.h`
		`- index 8135535e2c..66f92d8f03 100644`
		`- --- a/src/plugins/preauth/pkinit/pkinit.h`
		`- +++ b/src/plugins/preauth/pkinit/pkinit.h`
		`- @@ -42,7 +42,6 @@`
		`- #ifndef WITHOUT_PKCS11`
		`- #include "pkcs11.h"`
		`-`
		`- -#define PKCS11_MODNAME "opensc-pkcs11.so"`
		`- #define PK_SIGLEN_GUESS 1000`
		`- #define PK_NOSLOT 999999`
		`- #endif`
		`- --`
		`- 2.38.1`
		`-`

0007-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch ~~0013-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch~~

file renamed

+2 -2

		`@@ -1,4 +1,4 @@`
		`- From 9a536113196d8b32e3143964a655356ac8af1347 Mon Sep 17 00:00:00 2001`
		`+ From 0366e8b5b2f960cb8305fd95839376b6c18aae42 Mon Sep 17 00:00:00 2001`
		`From: Julien Rische <jrische@redhat.com>`
		`Date: Wed, 7 Dec 2022 13:22:42 +0100`
		`Subject: [PATCH] [downstream] Make tests compatible with`
		`@@ -37,5 +37,5 @@`
		`fail('URI answers do not match')`
		`j += 1`
		`--`
		`- 2.38.1`
		`+ 2.40.1`

0008-Set-reasonable-supportedCMSTypes-in-PKINIT.patch

file removed

-159

		`@@ -1,159 +0,0 @@`
		`- From 3fb8c4c68274d2ff4addb44b7b95b4698c2c4f34 Mon Sep 17 00:00:00 2001`
		`- From: Julien Rische <jrische@redhat.com>`
		`- Date: Wed, 1 Jun 2022 18:02:04 +0200`
		`- Subject: [PATCH] Set reasonable supportedCMSTypes in PKINIT`
		`-`
		`- The PKINIT client uses AuthPack.supportedCMSTypes to let the KDC know`
		`- the algorithms it supports for verification of the CMS data signature.`
		`- (The MIT krb5 KDC currently ignores this list, but other`
		`- implementations use it.)`
		`-`
		`- Replace 3DES with sha512WithRSAEncryption and sha256WithRSAEncryption.`
		`-`
		`- [ghudson@mit.edu: simplified code and used appropriate helpers; edited`
		`- commit message]`
		`-`
		`- ticket: 9066 (new)`
		`- ---`
		`- src/plugins/preauth/pkinit/pkinit_constants.c \| 33 ++++++++++++-`
		`- src/plugins/preauth/pkinit/pkinit_crypto.h \| 4 ++`
		`- .../preauth/pkinit/pkinit_crypto_openssl.c \| 49 ++++++++++---------`
		`- 3 files changed, 60 insertions(+), 26 deletions(-)`
		`-`
		`- diff --git a/src/plugins/preauth/pkinit/pkinit_constants.c b/src/plugins/preauth/pkinit/pkinit_constants.c`
		`- index 652897fa14..1da482e0b4 100644`
		`- --- a/src/plugins/preauth/pkinit/pkinit_constants.c`
		`- +++ b/src/plugins/preauth/pkinit/pkinit_constants.c`
		`- @@ -32,9 +32,14 @@`
		`-`
		`- #include "pkinit.h"`
		`-`
		`- -/* statically declare OID constants for all three algorithms */`
		`- -static char sha1_oid[8] = { 0x2B, 0x06, 0x01, 0x05, 0x02, 0x03, 0x06, 0x01};`
		`- +/* RFC 8636 id-pkinit-kdf-ah-sha1: iso(1) identified-organization(3) dod(6)`
		`- + * internet(1) security(5) kerberosv5(2) pkinit(3) kdf(6) sha1(1) */`
		`- +static char sha1_oid[8] = { 0x2B, 0x06, 0x01, 0x05, 0x02, 0x03, 0x06, 0x01 };`
		`- +/* RFC 8636 id-pkinit-kdf-ah-sha256: iso(1) identified-organization(3) dod(6)`
		`- + * internet(1) security(5) kerberosv5(2) pkinit(3) kdf(6) sha256(2) */`
		`- static char sha256_oid[8] = { 0x2B, 0x06, 0x01, 0x05, 0x02, 0x03, 0x06, 0x02 };`
		`- +/* RFC 8636 id-pkinit-kdf-ah-sha512: iso(1) identified-organization(3) dod(6)`
		`- + * internet(1) security(5) kerberosv5(2) pkinit(3) kdf(6) sha512(3) */`
		`- static char sha512_oid[8] = { 0x2B, 0x06, 0x01, 0x05, 0x02, 0x03, 0x06, 0x03 };`
		`-`
		`- const krb5_data sha1_id = { KV5M_DATA, sizeof(sha1_oid), sha1_oid };`
		`- @@ -48,6 +53,30 @@ krb5_data const * const supported_kdf_alg_ids[] = {`
		`- NULL`
		`- };`
		`-`
		`- +/* RFC 4055 sha256WithRSAEncryption: iso(1) member-body(2) us(840)`
		`- + * rsadsi(113549) pkcs(1) 1 11 */`
		`- +static char sha256WithRSAEncr_oid[9] = {`
		`- + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b`
		`- +};`
		`- +/* RFC 4055 sha256WithRSAEncryption: iso(1) member-body(2) us(840)`
		`- + * rsadsi(113549) pkcs(1) 1 13 */`
		`- +static char sha512WithRSAEncr_oid[9] = {`
		`- + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0d`
		`- +};`
		`- +`
		`- +const krb5_data sha256WithRSAEncr_id = {`
		`- + KV5M_DATA, sizeof(sha256WithRSAEncr_oid), sha256WithRSAEncr_oid`
		`- +};`
		`- +const krb5_data sha512WithRSAEncr_id = {`
		`- + KV5M_DATA, sizeof(sha512WithRSAEncr_oid), sha512WithRSAEncr_oid`
		`- +};`
		`- +`
		`- +krb5_data const * const supported_cms_algs[] = {`
		`- + &sha512WithRSAEncr_id,`
		`- + &sha256WithRSAEncr_id,`
		`- + NULL`
		`- +};`
		`- +`
		`- /* RFC 2412 section E.2 (well-known group 2) parameters, DER-encoded as`
		`- * DomainParameters (RFC 3279 section 2.3.3). */`
		`- static const uint8_t o1024[] = {`
		`- diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h`
		`- index 65f6210727..64300da856 100644`
		`- --- a/src/plugins/preauth/pkinit/pkinit_crypto.h`
		`- +++ b/src/plugins/preauth/pkinit/pkinit_crypto.h`
		`- @@ -620,6 +620,10 @@ extern const krb5_data oakley_4096;`
		`- */`
		`- extern krb5_data const * const supported_kdf_alg_ids[];`
		`-`
		`- +/* CMS signature algorithms supported by this implementation, in order of`
		`- + * decreasing preference. */`
		`- +extern krb5_data const * const supported_cms_algs[];`
		`- +`
		`- krb5_error_code`
		`- crypto_encode_der_cert(krb5_context context, pkinit_req_crypto_context reqctx,`
		`- uint8_t *der_out, size_t der_len);`
		`- diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c`
		`- index d500455dec..1c2aa02827 100644`
		`- --- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c`
		`- +++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c`
		`- @@ -5475,37 +5475,38 @@ create_krb5_supportedCMSTypes(krb5_context context,`
		`- pkinit_plg_crypto_context plg_cryptoctx,`
		`- pkinit_req_crypto_context req_cryptoctx,`
		`- pkinit_identity_crypto_context id_cryptoctx,`
		`- - krb5_algorithm_identifier ***oids)`
		`- + krb5_algorithm_identifier ***algs_out)`
		`- {`
		`- + krb5_error_code ret;`
		`- + krb5_algorithm_identifier **algs = NULL;`
		`- + size_t i, count;`
		`-`
		`- - krb5_error_code retval = ENOMEM;`
		`- - krb5_algorithm_identifier **loids = NULL;`
		`- - krb5_data des3oid = {0, 8, "\x2A\x86\x48\x86\xF7\x0D\x03\x07" };`
		`- + *algs_out = NULL;`
		`-`
		`- - *oids = NULL;`
		`- - loids = malloc(2 * sizeof(krb5_algorithm_identifier *));`
		`- - if (loids == NULL)`
		`- - goto cleanup;`
		`- - loids[1] = NULL;`
		`- - loids[0] = malloc(sizeof(krb5_algorithm_identifier));`
		`- - if (loids[0] == NULL) {`
		`- - free(loids);`
		`- - goto cleanup;`
		`- - }`
		`- - retval = pkinit_copy_krb5_data(&loids[0]->algorithm, &des3oid);`
		`- - if (retval) {`
		`- - free(loids[0]);`
		`- - free(loids);`
		`- + /* Count supported OIDs and allocate list (including null terminator). */`
		`- + for (count = 0; supported_cms_algs[count] != NULL; count++);`
		`- + algs = k5calloc(count + 1, sizeof(*algs), &ret);`
		`- + if (algs == NULL)`
		`- goto cleanup;`
		`- +`
		`- + /* Add an algorithm identifier for each OID, with no parameters. */`
		`- + for (i = 0; i < count; i++) {`
		`- + algs[i] = k5alloc(sizeof(*algs[i]), &ret);`
		`- + if (algs[i] == NULL)`
		`- + goto cleanup;`
		`- + ret = krb5int_copy_data_contents(context, supported_cms_algs[i],`
		`- + &algs[i]->algorithm);`
		`- + if (ret)`
		`- + goto cleanup;`
		`- + algs[i]->parameters = empty_data();`
		`- }`
		`- - loids[0]->parameters.length = 0;`
		`- - loids[0]->parameters.data = NULL;`
		`-`
		`- - *oids = loids;`
		`- - retval = 0;`
		`- -cleanup:`
		`- + *algs_out = algs;`
		`- + algs = NULL;`
		`-`
		`- - return retval;`
		`- +cleanup:`
		`- + free_krb5_algorithm_identifiers(&algs);`
		`- + return ret;`
		`- }`
		`-`
		`- krb5_error_code`
		`- --`
		`- 2.38.1`
		`-`

0008-downstream-Include-missing-OpenSSL-FIPS-header.patch ~~0014-downstream-Include-missing-OpenSSL-FIPS-header.patch~~

file renamed

+2 -2

		`@@ -1,4 +1,4 @@`
		`- From d57a804136c5ebf473ce053a9517edd71a56389f Mon Sep 17 00:00:00 2001`
		`+ From a567b9de563cd8ad262f77cf97a8bc528a884745 Mon Sep 17 00:00:00 2001`
		`From: Julien Rische <jrische@redhat.com>`
		`Date: Thu, 5 Jan 2023 20:06:47 +0100`
		`Subject: [PATCH] [downstream] Include missing OpenSSL FIPS header`
		`@@ -116,5 +116,5 @@`
		`* The SPAKE kdcpreauth module uses a secure cookie containing the following`
		`* concatenated fields (all integer fields are big-endian):`
		`--`
		`- 2.38.1`
		`+ 2.40.1`

0009-Simplify-plugin-loading-code.patch

file removed

-622

		`@@ -1,622 +0,0 @@`
		`- From ffb47e4120d68aef015453350a3a50a9bab1ec58 Mon Sep 17 00:00:00 2001`
		`- From: Greg Hudson <ghudson@mit.edu>`
		`- Date: Thu, 23 Jun 2022 16:41:40 -0400`
		`- Subject: [PATCH] Simplify plugin loading code`
		`-`
		`- Remove the USE_CFBUNDLE code, which was only used by KfM. Handle`
		`- platform conditionals according to current practice. Use`
		`- k5_dir_filenames() instead of opendir() and remove the Windows`
		`- implementation of opendir().`
		`- ---`
		`- src/util/support/plugins.c \| 507 +++++++++++--------------------------`
		`- 1 file changed, 150 insertions(+), 357 deletions(-)`
		`-`
		`- diff --git a/src/util/support/plugins.c b/src/util/support/plugins.c`
		`- index c6a9a21d57..0850565687 100644`
		`- --- a/src/util/support/plugins.c`
		`- +++ b/src/util/support/plugins.c`
		`- @@ -29,16 +29,6 @@`
		`- #if USE_DLOPEN`
		`- #include <dlfcn.h>`
		`- #endif`
		`- -#include <sys/types.h>`
		`- -#ifdef HAVE_SYS_STAT_H`
		`- -#include <sys/stat.h>`
		`- -#endif`
		`- -#ifdef HAVE_SYS_PARAM_H`
		`- -#include <sys/param.h>`
		`- -#endif`
		`- -#ifdef HAVE_UNISTD_H`
		`- -#include <unistd.h>`
		`- -#endif`
		`-`
		`- #if USE_DLOPEN`
		`- #ifdef RTLD_GROUP`
		`- @@ -68,16 +58,6 @@`
		`- #endif`
		`- #endif`
		`-`
		`- -#if USE_DLOPEN && USE_CFBUNDLE`
		`- -#include <CoreFoundation/CoreFoundation.h>`
		`- -`
		`- -/* Currently CoreFoundation only exists on the Mac so we just use`
		`- - * pthreads directly to avoid creating empty function calls on other`
		`- - * platforms. If a thread initializer ever gets created in the common`
		`- - * plugin code, move this there */`
		`- -static pthread_mutex_t krb5int_bundle_mutex = PTHREAD_MUTEX_INITIALIZER;`
		`- -#endif`
		`- -`
		`- #include <stdarg.h>`
		`- static void Tprintf (const char *fmt, ...)`
		`- {`
		`- @@ -90,374 +70,193 @@ static void Tprintf (const char *fmt, ...)`
		`- }`
		`-`
		`- struct plugin_file_handle {`
		`- -#if USE_DLOPEN`
		`- +#if defined(USE_DLOPEN)`
		`- void *dlhandle;`
		`- -#endif`
		`- -#ifdef _WIN32`
		`- - HMODULE hinstPlugin;`
		`- -#endif`
		`- -#if !defined (USE_DLOPEN) && !defined (_WIN32)`
		`- +#elif defined(_WIN32)`
		`- + HMODULE module;`
		`- +#else`
		`- char dummy;`
		`- #endif`
		`- };`
		`-`
		`- -#ifdef _WIN32`
		`- -struct dirent {`
		`- - long d_ino; /* inode (always 1 in WIN32) */`
		`- - off_t d_off; /* offset to this dirent */`
		`- - unsigned short d_reclen; /* length of d_name */`
		`- - char d_name[_MAX_FNAME+1]; /* filename (null terminated) */`
		`- -};`
		`- -`
		`- -typedef struct {`
		`- - intptr_t handle; /* _findfirst/_findnext handle */`
		`- - short offset; /* offset into directory */`
		`- - short finished; /* 1 if there are not more files */`
		`- - struct _finddata_t fileinfo;/* from _findfirst/_findnext */`
		`- - char dir; / the dir we are reading */`
		`- - struct dirent dent; /* the dirent to return */`
		`- -} DIR;`
		`- +#if defined(USE_DLOPEN)`
		`-`
		`- -DIR * opendir(const char *dir)`
		`- +static long`
		`- +open_plugin_dlfcn(struct plugin_file_handle h, const char filename,`
		`- + struct errinfo *ep)`
		`- {`
		`- - DIR *dp;`
		`- - char *filespec;`
		`- - intptr_t handle;`
		`- - int index;`
		`- -`
		`- - filespec = malloc(strlen(dir) + 2 + 1);`
		`- - strcpy(filespec, dir);`
		`- - index = strlen(filespec) - 1;`
		`- - if (index >= 0 && (filespec[index] == '/' \|\| filespec[index] == '\\'))`
		`- - filespec[index] = '\0';`
		`- - strcat(filespec, "/*");`
		`- -`
		`- - dp = (DIR *)malloc(sizeof(DIR));`
		`- - dp->offset = 0;`
		`- - dp->finished = 0;`
		`- - dp->dir = strdup(dir);`
		`- -`
		`- - if ((handle = _findfirst(filespec, &(dp->fileinfo))) < 0) {`
		`- - if (errno == ENOENT)`
		`- - dp->finished = 1;`
		`- - else {`
		`- - free(filespec);`
		`- - free(dp->dir);`
		`- - free(dp);`
		`- - return NULL;`
		`- - }`
		`- + const char *e;`
		`- +`
		`- + h->dlhandle = dlopen(filename, PLUGIN_DLOPEN_FLAGS);`
		`- + if (h->dlhandle == NULL) {`
		`- + e = dlerror();`
		`- + if (e == NULL)`
		`- + e = _("unknown failure");`
		`- + Tprintf("dlopen(%s): %s\n", filename, e);`
		`- + k5_set_error(ep, ENOENT, _("unable to load plugin [%s]: %s"),`
		`- + filename, e);`
		`- + return ENOENT;`
		`- }`
		`- -`
		`- - dp->handle = handle;`
		`- - free(filespec);`
		`- -`
		`- - return dp;`
		`- + return 0;`
		`- }`
		`- +#define open_plugin open_plugin_dlfcn`
		`-`
		`- -struct dirent * readdir(DIR *dp)`
		`- +static long`
		`- +get_sym_dlfcn(struct plugin_file_handle h, const char csymname,`
		`- + void *sym_out, struct errinfo ep)`
		`- {`
		`- - if (!dp \|\| dp->finished) return NULL;`
		`- -`
		`- - if (dp->offset != 0) {`
		`- - if (_findnext(dp->handle, &(dp->fileinfo)) < 0) {`
		`- - dp->finished = 1;`
		`- - return NULL;`
		`- - }`
		`- + const char *e;`
		`- +`
		`- + if (h->dlhandle == NULL)`
		`- + return ENOENT;`
		`- + *sym_out = dlsym(h->dlhandle, csymname);`
		`- + if (*sym_out == NULL) {`
		`- + e = dlerror();`
		`- + if (e == NULL)`
		`- + e = _("unknown failure");`
		`- + Tprintf("dlsym(%s): %s\n", csymname, e);`
		`- + k5_set_error(ep, ENOENT, "%s", e);`
		`- + return ENOENT;`
		`- }`
		`- - dp->offset++;`
		`- -`
		`- - strncpy(dp->dent.d_name, dp->fileinfo.name, _MAX_FNAME);`
		`- - dp->dent.d_ino = 1;`
		`- - dp->dent.d_reclen = (unsigned short)strlen(dp->dent.d_name);`
		`- - dp->dent.d_off = dp->offset;`
		`- -`
		`- - return &(dp->dent);`
		`- -}`
		`- -`
		`- -int closedir(DIR *dp)`
		`- -{`
		`- - if (!dp) return 0;`
		`- - _findclose(dp->handle);`
		`- - free(dp->dir);`
		`- - free(dp);`
		`- -`
		`- return 0;`
		`- }`
		`- -#endif`
		`- +#define get_sym get_sym_dlfcn`
		`-`
		`- -long KRB5_CALLCONV`
		`- -krb5int_open_plugin (const char filepath, struct plugin_file_handle h, struct errinfo ep)`
		`- +static void`
		`- +close_plugin_dlfcn(struct plugin_file_handle *h)`
		`- {`
		`- - long err = 0;`
		`- - struct plugin_file_handle *htmp = NULL;`
		`- - int got_plugin = 0;`
		`- -#if defined(USE_CFBUNDLE) \|\| defined(_WIN32)`
		`- - struct stat statbuf;`
		`- -`
		`- - if (!err) {`
		`- - if (stat (filepath, &statbuf) < 0) {`
		`- - err = errno;`
		`- - Tprintf ("stat(%s): %s\n", filepath, strerror (err));`
		`- - k5_set_error(ep, err, _("unable to find plugin [%s]: %s"),`
		`- - filepath, strerror(err));`
		`- - }`
		`- - }`
		`- -#endif`
		`- -`
		`- - if (!err) {`
		`- - htmp = calloc (1, sizeof (htmp)); / calloc initializes ptrs to NULL */`
		`- - if (htmp == NULL) { err = ENOMEM; }`
		`- - }`
		`- -`
		`- -#if USE_DLOPEN`
		`- - if (!err`
		`- -#if USE_CFBUNDLE`
		`- - && ((statbuf.st_mode & S_IFMT) == S_IFREG`
		`- - \|\| (statbuf.st_mode & S_IFMT) == S_IFDIR)`
		`- -#endif /* USE_CFBUNDLE */`
		`- - ) {`
		`- - void *handle = NULL;`
		`- -`
		`- -#if USE_CFBUNDLE`
		`- - char executablepath[MAXPATHLEN];`
		`- -`
		`- - if ((statbuf.st_mode & S_IFMT) == S_IFDIR) {`
		`- - int lock_err = 0;`
		`- - CFStringRef pluginString = NULL;`
		`- - CFURLRef pluginURL = NULL;`
		`- - CFBundleRef pluginBundle = NULL;`
		`- - CFURLRef executableURL = NULL;`
		`- -`
		`- - /* Lock around CoreFoundation calls since objects are refcounted`
		`- - * and the refcounts are not thread-safe. Using pthreads directly`
		`- - * because this code is Mac-specific */`
		`- - lock_err = pthread_mutex_lock(&krb5int_bundle_mutex);`
		`- - if (lock_err) { err = lock_err; }`
		`- -`
		`- - if (!err) {`
		`- - pluginString = CFStringCreateWithCString (kCFAllocatorDefault,`
		`- - filepath,`
		`- - kCFStringEncodingASCII);`
		`- - if (pluginString == NULL) { err = ENOMEM; }`
		`- - }`
		`- -`
		`- - if (!err) {`
		`- - pluginURL = CFURLCreateWithFileSystemPath (kCFAllocatorDefault,`
		`- - pluginString,`
		`- - kCFURLPOSIXPathStyle,`
		`- - true);`
		`- - if (pluginURL == NULL) { err = ENOMEM; }`
		`- - }`
		`- -`
		`- - if (!err) {`
		`- - pluginBundle = CFBundleCreate (kCFAllocatorDefault, pluginURL);`
		`- - if (pluginBundle == NULL) { err = ENOENT; } /* XXX need better error */`
		`- - }`
		`- -`
		`- - if (!err) {`
		`- - executableURL = CFBundleCopyExecutableURL (pluginBundle);`
		`- - if (executableURL == NULL) { err = ENOMEM; }`
		`- - }`
		`- -`
		`- - if (!err) {`
		`- - if (!CFURLGetFileSystemRepresentation (executableURL,`
		`- - true, /* absolute */`
		`- - (UInt8 *)executablepath,`
		`- - sizeof (executablepath))) {`
		`- - err = ENOMEM;`
		`- - }`
		`- - }`
		`- -`
		`- - if (!err) {`
		`- - /* override the path the caller passed in */`
		`- - filepath = executablepath;`
		`- - }`
		`- -`
		`- - if (executableURL != NULL) { CFRelease (executableURL); }`
		`- - if (pluginBundle != NULL) { CFRelease (pluginBundle); }`
		`- - if (pluginURL != NULL) { CFRelease (pluginURL); }`
		`- - if (pluginString != NULL) { CFRelease (pluginString); }`
		`- -`
		`- - /* unlock after CFRelease calls since they modify refcounts */`
		`- - if (!lock_err) { pthread_mutex_unlock (&krb5int_bundle_mutex); }`
		`- - }`
		`- -#endif /* USE_CFBUNDLE */`
		`- -`
		`- - if (!err) {`
		`- - handle = dlopen(filepath, PLUGIN_DLOPEN_FLAGS);`
		`- - if (handle == NULL) {`
		`- - const char *e = dlerror();`
		`- - if (e == NULL)`
		`- - e = _("unknown failure");`
		`- - Tprintf ("dlopen(%s): %s\n", filepath, e);`
		`- - err = ENOENT; /* XXX */`
		`- - k5_set_error(ep, err, _("unable to load plugin [%s]: %s"),`
		`- - filepath, e);`
		`- - }`
		`- - }`
		`- + if (h->dlhandle != NULL)`
		`- + dlclose(h->dlhandle);`
		`- +}`
		`- +#define close_plugin close_plugin_dlfcn`
		`-`
		`- - if (!err) {`
		`- - got_plugin = 1;`
		`- - htmp->dlhandle = handle;`
		`- - handle = NULL;`
		`- - }`
		`- +#elif defined(_WIN32)`
		`-`
		`- - if (handle != NULL) { dlclose (handle); }`
		`- +static long`
		`- +open_plugin_win32(struct plugin_file_handle h, const char filename,`
		`- + struct errinfo *ep)`
		`- +{`
		`- + h->module = LoadLibrary(filename);`
		`- + if (h == NULL) {`
		`- + Tprintf("Unable to load dll: %s\n", filename);`
		`- + k5_set_error(ep, ENOENT, _("unable to load DLL [%s]"), filename);`
		`- + return ENOENT;`
		`- }`
		`- -#endif /* USE_DLOPEN */`
		`- -`
		`- -#ifdef _WIN32`
		`- - if (!err && (statbuf.st_mode & S_IFMT) == S_IFREG) {`
		`- - HMODULE handle = NULL;`
		`- + return 0;`
		`- +}`
		`- +#define open_plugin open_plugin_win32`
		`-`
		`- - handle = LoadLibrary(filepath);`
		`- - if (handle == NULL) {`
		`- - Tprintf ("Unable to load dll: %s\n", filepath);`
		`- - err = ENOENT; /* XXX */`
		`- - k5_set_error(ep, err, _("unable to load DLL [%s]"), filepath);`
		`- - }`
		`- +static long`
		`- +get_sym_win32(struct plugin_file_handle h, const char csymname,`
		`- + void *sym_out, struct errinfo ep)`
		`- +{`
		`- + LPVOID lpMsgBuf;`
		`- + DWORD dw;`
		`-`
		`- - if (!err) {`
		`- - got_plugin = 1;`
		`- - htmp->hinstPlugin = handle;`
		`- - handle = NULL;`
		`- + if (h->module == NULL)`
		`- + return ENOENT;`
		`- + *sym_out = GetProcAddress(h->module, csymname);`
		`- + if (*sym_out == NULL) {`
		`- + Tprintf("GetProcAddress(%s): %i\n", csymname, GetLastError());`
		`- + dw = GetLastError();`
		`- + if (FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER \|`
		`- + FORMAT_MESSAGE_FROM_SYSTEM,`
		`- + NULL, dw, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),`
		`- + (LPTSTR)&lpMsgBuf, 0, NULL)) {`
		`- + k5_set_error(ep, ENOENT, _("unable to get DLL Symbol: %s"),`
		`- + (char *)lpMsgBuf);`
		`- + LocalFree(lpMsgBuf);`
		`- }`
		`- -`
		`- - if (handle != NULL)`
		`- - FreeLibrary(handle);`
		`- - }`
		`- -#endif`
		`- -`
		`- - if (!err && !got_plugin) {`
		`- - err = ENOENT; /* no plugin or no way to load plugins */`
		`- - k5_set_error(ep, err, _("plugin unavailable: %s"), strerror(err));`
		`- + return ENOENT;`
		`- }`
		`- + return 0;`
		`- +}`
		`- +#define get_sym get_sym_win32`
		`-`
		`- - if (!err) {`
		`- - *h = htmp;`
		`- - htmp = NULL; /* h takes ownership */`
		`- - }`
		`- +static void`
		`- +close_plugin_win32(struct plugin_file_handle *h)`
		`- +{`
		`- + if (h->module != NULL)`
		`- + FreeLibrary(h->module);`
		`- +}`
		`- +#define close_plugin close_plugin_win32`
		`-`
		`- - free(htmp);`
		`- +#else`
		`-`
		`- - return err;`
		`- +static long`
		`- +open_plugin_dummy(struct plugin_file_handle h, const char filename,`
		`- + struct errinfo *ep)`
		`- +{`
		`- + k5_set_error(ep, ENOENT, _("plugin loading unavailable"));`
		`- + return ENOENT;`
		`- }`
		`- +#define open_plugin open_plugin_dummy`
		`-`
		`- static long`
		`- -krb5int_get_plugin_sym (struct plugin_file_handle *h,`
		`- - const char csymname, int isfunc, void *ptr,`
		`- - struct errinfo *ep)`
		`- +get_sym_dummy(struct plugin_file_handle h, const char csymname,`
		`- + void *sym_out, struct errinfo ep)`
		`- {`
		`- - long err = 0;`
		`- - void *sym = NULL;`
		`- + return ENOENT;`
		`- +}`
		`- +#define get_sym get_sym_dummy`
		`- +`
		`- +static void`
		`- +close_plugin_dummy(struct plugin_file_handle *h)`
		`- +{`
		`- +}`
		`- +#define close_plugin close_plugin_dummy`
		`-`
		`- -#if USE_DLOPEN`
		`- - if (!err && !sym && (h->dlhandle != NULL)) {`
		`- - /* XXX Do we need to add a leading "_" to the symbol name on any`
		`- - modern platforms? */`
		`- - sym = dlsym (h->dlhandle, csymname);`
		`- - if (sym == NULL) {`
		`- - const char e = dlerror (); / XXX copy and save away */`
		`- - if (e == NULL)`
		`- - e = "unknown failure";`
		`- - Tprintf ("dlsym(%s): %s\n", csymname, e);`
		`- - err = ENOENT; /* XXX */`
		`- - k5_set_error(ep, err, "%s", e);`
		`- - }`
		`- - }`
		`- #endif`
		`-`
		`- -#ifdef _WIN32`
		`- - LPVOID lpMsgBuf;`
		`- - DWORD dw;`
		`- +long KRB5_CALLCONV`
		`- +krb5int_open_plugin(const char *filename,`
		`- + struct plugin_file_handle *handle_out, struct errinfo ep)`
		`- +{`
		`- + long ret;`
		`- + struct plugin_file_handle *h;`
		`-`
		`- - if (!err && !sym && (h->hinstPlugin != NULL)) {`
		`- - sym = GetProcAddress(h->hinstPlugin, csymname);`
		`- - if (sym == NULL) {`
		`- - const char e = "unable to get dll symbol"; / XXX copy and save away */`
		`- - Tprintf ("GetProcAddress(%s): %i\n", csymname, GetLastError());`
		`- - err = ENOENT; /* XXX */`
		`- - k5_set_error(ep, err, "%s", e);`
		`- -`
		`- - dw = GetLastError();`
		`- - if (FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER \|`
		`- - FORMAT_MESSAGE_FROM_SYSTEM,`
		`- - NULL,`
		`- - dw,`
		`- - MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),`
		`- - (LPTSTR) &lpMsgBuf,`
		`- - 0, NULL )) {`
		`- -`
		`- - fprintf (stderr, "unable to get dll symbol, %s\n", (LPCTSTR)lpMsgBuf);`
		`- - LocalFree(lpMsgBuf);`
		`- - }`
		`- - }`
		`- - }`
		`- -#endif`
		`- + *handle_out = NULL;`
		`-`
		`- - if (!err && (sym == NULL)) {`
		`- - err = ENOENT; /* unimplemented */`
		`- - }`
		`- + h = calloc(1, sizeof(*h));`
		`- + if (h == NULL)`
		`- + return ENOMEM;`
		`-`
		`- - if (!err) {`
		`- - *ptr = sym;`
		`- + ret = open_plugin(h, filename, ep);`
		`- + if (ret) {`
		`- + free(h);`
		`- + return ret;`
		`- }`
		`-`
		`- - return err;`
		`- + *handle_out = h;`
		`- + return 0;`
		`- }`
		`-`
		`- long KRB5_CALLCONV`
		`- -krb5int_get_plugin_data (struct plugin_file_handle h, const char csymname,`
		`- - void *ptr, struct errinfo ep)`
		`- +krb5int_get_plugin_data(struct plugin_file_handle h, const char csymname,`
		`- + void *sym_out, struct errinfo ep)`
		`- {`
		`- - return krb5int_get_plugin_sym (h, csymname, 0, ptr, ep);`
		`- + return get_sym(h, csymname, sym_out, ep);`
		`- }`
		`-`
		`- long KRB5_CALLCONV`
		`- -krb5int_get_plugin_func (struct plugin_file_handle h, const char csymname,`
		`- - void (*ptr)(), struct errinfo ep)`
		`- +krb5int_get_plugin_func(struct plugin_file_handle h, const char csymname,`
		`- + void (*sym_out)(), struct errinfo ep)`
		`- {`
		`- void *dptr = NULL;`
		`- - long err = krb5int_get_plugin_sym (h, csymname, 1, &dptr, ep);`
		`- - if (!err) {`
		`- - /* Cast function pointers to avoid code duplication */`
		`- - ptr = (void ()()) dptr;`
		`- - }`
		`- - return err;`
		`- + long ret = get_sym(h, csymname, &dptr, ep);`
		`- +`
		`- + if (!ret)`
		`- + sym_out = (void ()())dptr;`
		`- + return ret;`
		`- }`
		`-`
		`- void KRB5_CALLCONV`
		`- krb5int_close_plugin (struct plugin_file_handle *h)`
		`- {`
		`- -#if USE_DLOPEN`
		`- - if (h->dlhandle != NULL) { dlclose(h->dlhandle); }`
		`- -#endif`
		`- -#ifdef _WIN32`
		`- - if (h->hinstPlugin != NULL) { FreeLibrary(h->hinstPlugin); }`
		`- -#endif`
		`- - free (h);`
		`- + close_plugin(h);`
		`- + free(h);`
		`- }`
		`-`
		`- -/* autoconf docs suggest using this preference order */`
		`- -#if HAVE_DIRENT_H \|\| USE_DIRENT_H`
		`- -#include <dirent.h>`
		`- -#define NAMELEN(D) strlen((D)->d_name)`
		`- -#else`
		`- -#ifndef _WIN32`
		`- -#define dirent direct`
		`- -#define NAMELEN(D) ((D)->d->namlen)`
		`- -#else`
		`- -#define NAMELEN(D) strlen((D)->d_name)`
		`- -#endif`
		`- -#if HAVE_SYS_NDIR_H`
		`- -# include <sys/ndir.h>`
		`- -#elif HAVE_SYS_DIR_H`
		`- -# include <sys/dir.h>`
		`- -#elif HAVE_NDIR_H`
		`- -# include <ndir.h>`
		`- -#endif`
		`- -#endif`
		`- -`
		`- static long`
		`- krb5int_plugin_file_handle_array_init (struct plugin_file_handle ***harray)`
		`- {`
		`- @@ -619,42 +418,36 @@ krb5int_open_plugin_dirs (const char * const *dirnames,`
		`- if (handle != NULL) { krb5int_close_plugin (handle); }`
		`- }`
		`- } else {`
		`- - /* load all plugins in each directory */`
		`- - DIR *dir = opendir (dirnames[i]);`
		`- + char **fnames = NULL;`
		`- + int j;`
		`-`
		`- - while (dir != NULL && !err) {`
		`- - struct dirent *d = NULL;`
		`- + err = k5_dir_filenames(dirnames[i], &fnames);`
		`- + for (j = 0; !err && fnames[j] != NULL; j++) {`
		`- char *filepath = NULL;`
		`- struct plugin_file_handle *handle = NULL;`
		`-`
		`- - d = readdir (dir);`
		`- - if (d == NULL) { break; }`
		`- -`
		`- - if ((strcmp (d->d_name, ".") == 0) \|\|`
		`- - (strcmp (d->d_name, "..") == 0)) {`
		`- + if (strcmp(fnames[j], ".") == 0 \|\|`
		`- + strcmp(fnames[j], "..") == 0)`
		`- continue;`
		`- - }`
		`-`
		`- - if (!err) {`
		`- - int len = NAMELEN (d);`
		`- - if (asprintf(&filepath, "%s/%*s", dirnames[i], len, d->d_name) < 0) {`
		`- - filepath = NULL;`
		`- - err = ENOMEM;`
		`- - }`
		`- + if (asprintf(&filepath, "%s/%s", dirnames[i], fnames[j]) < 0) {`
		`- + filepath = NULL;`
		`- + err = ENOMEM;`
		`- }`
		`-`
		`- - if (!err) {`
		`- - if (krb5int_open_plugin (filepath, &handle, ep) == 0) {`
		`- - err = krb5int_plugin_file_handle_array_add (&h, &count, handle);`
		`- - if (!err) { handle = NULL; } /* h takes ownership */`
		`- - }`
		`- + if (!err && krb5int_open_plugin(filepath, &handle, ep) == 0) {`
		`- + err = krb5int_plugin_file_handle_array_add(&h, &count,`
		`- + handle);`
		`- + if (!err)`
		`- + handle = NULL; /* h takes ownership */`
		`- }`
		`-`
		`- free(filepath);`
		`- - if (handle != NULL) { krb5int_close_plugin (handle); }`
		`- + if (handle != NULL)`
		`- + krb5int_close_plugin(handle);`
		`- }`
		`-`
		`- - if (dir != NULL) { closedir (dir); }`
		`- + k5_free_filenames(fnames);`
		`- }`
		`- }`
		`-`
		`- --`
		`- 2.38.1`
		`-`

0009-downstream-Do-not-set-root-as-ksu-file-owner.patch ~~0015-downstream-Do-not-set-root-as-ksu-file-owner.patch~~

file renamed

+2 -2

		`@@ -1,4 +1,4 @@`
		`- From 59d3ecdab7210e87ec475f4ae0d64888d5416b29 Mon Sep 17 00:00:00 2001`
		`+ From 6adfd97a3558aae4ace346685266bac9dae8bba9 Mon Sep 17 00:00:00 2001`
		`From: Julien Rische <jrische@redhat.com>`
		`Date: Mon, 9 Jan 2023 22:39:52 +0100`
		`Subject: [PATCH] [downstream] Do not set root as ksu file owner`
		`@@ -27,5 +27,5 @@`
		`## ${prefix}.`
		`prefix=@prefix@`
		`--`
		`- 2.38.1`
		`+ 2.40.1`

0010-Update-error-checking-for-OpenSSL-CMS_verify.patch

file removed

-48

		`@@ -1,48 +0,0 @@`
		`- From 963314f4f449e136195232bdada3109af65d0881 Mon Sep 17 00:00:00 2001`
		`- From: Julien Rische <jrische@redhat.com>`
		`- Date: Thu, 28 Jul 2022 15:20:12 +0200`
		`- Subject: [PATCH] Update error checking for OpenSSL CMS_verify`
		`-`
		`- The code for CMS data verification was initially written for OpenSSL's`
		`- PKCS7_verify() function. It now uses CMS_verify(), but error handling`
		`- is still done using PKCS7_verify() error identifiers. Update the`
		`- recognized error codes so that the KDC generates`
		`- KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED errors when appropriate.`
		`- Use ERR_peek_last_error() to observe the error generated closest to`
		`- the API surface.`
		`-`
		`- [ghudson@mit.edu: edited commit message]`
		`-`
		`- ticket: 9069 (new)`
		`- tags: pullup`
		`- target_version: 1.20-next`
		`- ---`
		`- src/plugins/preauth/pkinit/pkinit_crypto_openssl.c \| 9 ++++++---`
		`- 1 file changed, 6 insertions(+), 3 deletions(-)`
		`-`
		`- diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c`
		`- index 1c2aa02827..16edf15cb2 100644`
		`- --- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c`
		`- +++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c`
		`- @@ -2102,12 +2102,15 @@ cms_signeddata_verify(krb5_context context,`
		`- goto cleanup;`
		`- out = BIO_new(BIO_s_mem());`
		`- if (CMS_verify(cms, NULL, store, NULL, out, flags) == 0) {`
		`- - unsigned long err = ERR_peek_error();`
		`- + unsigned long err = ERR_peek_last_error();`
		`- switch(ERR_GET_REASON(err)) {`
		`- - case PKCS7_R_DIGEST_FAILURE:`
		`- + case RSA_R_DIGEST_NOT_ALLOWED:`
		`- + case CMS_R_UNKNOWN_DIGEST_ALGORITHM:`
		`- + case CMS_R_NO_MATCHING_DIGEST:`
		`- + case CMS_R_NO_MATCHING_SIGNATURE:`
		`- retval = KRB5KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED;`
		`- break;`
		`- - case PKCS7_R_SIGNATURE_FAILURE:`
		`- + case CMS_R_VERIFICATION_FAILURE:`
		`- default:`
		`- retval = KRB5KDC_ERR_INVALID_SIG;`
		`- }`
		`- --`
		`- 2.38.1`
		`-`

0010-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch ~~0016-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch~~

file renamed

+2 -2

		`@@ -1,4 +1,4 @@`
		`- From d8f67df42efd68142aa904040f9e8cc0f9138c10 Mon Sep 17 00:00:00 2001`
		`+ From 73640dc4899494d010b83b080b3a65bd3e69177c Mon Sep 17 00:00:00 2001`
		`From: Julien Rische <jrische@redhat.com>`
		`Date: Thu, 19 Jan 2023 19:22:27 +0100`
		`Subject: [PATCH] [downstream] Allow KRB5KDF, MD5, and MD4 in FIPS mode`
		`@@ -161,5 +161,5 @@`
		`ret = KRB5_CRYPTO_INTERNAL;`
		`goto done;`
		`--`
		`- 2.39.1`
		`+ 2.40.1`

0011-downstream-Allow-to-set-PAC-ticket-signature-as-opti.patch

file added

+279

		`@@ -0,0 +1,279 @@`
		`+ From f47c9eb8618006012600a906367295ed53c558d0 Mon Sep 17 00:00:00 2001`
		`+ From: Julien Rische <jrische@redhat.com>`
		`+ Date: Wed, 15 Mar 2023 15:56:34 +0100`
		`+ Subject: [PATCH] [downstream] Allow to set PAC ticket signature as optional`
		`+`
		`+ MS-PAC states that "The ticket signature SHOULD be included in tickets`
		`+ that are not encrypted to the krbtgt account". However, the`
		`+ implementation of krb5_kdc_verify_ticket() will require the ticket`
		`+ signature to be present in case the target of the request is a service`
		`+ principal.`
		`+`
		`+ In gradual upgrade environments, it results in S4U2Proxy requests`
		`+ against a 1.20 KDC using a service ticket generated by an older version`
		`+ KDC to fail.`
		`+`
		`+ This commit adds a krb5_kdc_verify_ticket_ext() function with an extra`
		`+ switch parameter to tolerate the absence of ticket signature in this`
		`+ scenario. If the ticket signature is present, it has to be valid,`
		`+ regardless of this parameter.`
		`+`
		`+ This parameter is set based on the "optional_pac_tkt_chksum" string`
		`+ attribute of the TGT KDB entry.`
		`+ ---`
		`+ doc/admin/admin_commands/kadmin_local.rst \| 6 ++++`
		`+ doc/appdev/refs/api/index.rst \| 1 +`
		`+ src/include/kdb.h \| 1 +`
		`+ src/include/krb5/krb5.hin \| 40 +++++++++++++++++++++++`
		`+ src/kdc/kdc_util.c \| 32 ++++++++++++++----`
		`+ src/lib/krb5/krb/pac.c \| 31 +++++++++++++++---`
		`+ src/lib/krb5/libkrb5.exports \| 1 +`
		`+ src/man/kadmin.man \| 6 ++++`
		`+ 8 files changed, 108 insertions(+), 10 deletions(-)`
		`+`
		`+ diff --git a/doc/admin/admin_commands/kadmin_local.rst b/doc/admin/admin_commands/kadmin_local.rst`
		`+ index 2435b3c361..58ac79549f 100644`
		`+ --- a/doc/admin/admin_commands/kadmin_local.rst`
		`+ +++ b/doc/admin/admin_commands/kadmin_local.rst`
		`+ @@ -658,6 +658,12 @@ KDC:`
		`+ Directory realm when using aes-sha2 keys on the local krbtgt`
		`+ entry.`
		`+`
		`+ +optional_pac_tkt_chksum`
		`+ + Boolean value defining the behavior of the KDC in case an expected`
		`+ + ticket checksum signed with one of this principal keys is not`
		`+ + present in the PAC. This is typically the case for TGS or`
		`+ + cross-realm TGS principals when processing S4U2Proxy requests.`
		`+ +`
		`+ This command requires the modify privilege.`
		`+`
		`+ Alias: setstr`
		`+ diff --git a/doc/appdev/refs/api/index.rst b/doc/appdev/refs/api/index.rst`
		`+ index d12be47c3c..9b95ebd0f9 100644`
		`+ --- a/doc/appdev/refs/api/index.rst`
		`+ +++ b/doc/appdev/refs/api/index.rst`
		`+ @@ -225,6 +225,7 @@ Rarely used public interfaces`
		`+ krb5_is_referral_realm.rst`
		`+ krb5_kdc_sign_ticket.rst`
		`+ krb5_kdc_verify_ticket.rst`
		`+ + krb5_kdc_verify_ticket_ext.rst`
		`+ krb5_kt_add_entry.rst`
		`+ krb5_kt_end_seq_get.rst`
		`+ krb5_kt_get_entry.rst`
		`+ diff --git a/src/include/kdb.h b/src/include/kdb.h`
		`+ index 745b24f351..6075349e5e 100644`
		`+ --- a/src/include/kdb.h`
		`+ +++ b/src/include/kdb.h`
		`+ @@ -136,6 +136,7 @@`
		`+ #define KRB5_KDB_SK_PAC_PRIVSVR_ENCTYPE "pac_privsvr_enctype"`
		`+ #define KRB5_KDB_SK_SESSION_ENCTYPES "session_enctypes"`
		`+ #define KRB5_KDB_SK_REQUIRE_AUTH "require_auth"`
		`+ +#define KRB5_KDB_SK_OPTIONAL_PAC_TKT_CHKSUM "optional_pac_tkt_chksum"`
		`+`
		`+ #if !defined(_WIN32)`
		`+`
		`+ diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin`
		`+ index 350bcf86f2..17e1b52266 100644`
		`+ --- a/src/include/krb5/krb5.hin`
		`+ +++ b/src/include/krb5/krb5.hin`
		`+ @@ -8356,6 +8356,46 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt,`
		`+ const krb5_keyblock *server,`
		`+ const krb5_keyblock privsvr, krb5_pac pac_out);`
		`+`
		`+ +/**`
		`+ + * Verify a PAC, possibly including ticket signature`
		`+ + *`
		`+ + * @param [in] context Library context`
		`+ + * @param [in] enc_tkt Ticket enc-part, possibly containing a PAC`
		`+ + * @param [in] server_princ Canonicalized name of ticket server`
		`+ + * @param [in] server Key to validate server checksum (or NULL)`
		`+ + * @param [in] privsvr Key to validate KDC checksum (or NULL)`
		`+ + * @paran [in] optional_tkt_chksum Whether to require a ticket checksum`
		`+ + * @param [out] pac_out Verified PAC (NULL if no PAC included)`
		`+ + *`
		`+ + * This function is an extension of krb5_kdc_verify_ticket(), adding the @a`
		`+ + * optional_tkt_chksum parameter allowing to tolerate the absence of the PAC`
		`+ + * ticket signature.`
		`+ + *`
		`+ + * If a PAC is present in @a enc_tkt, verify its signatures. If @a privsvr is`
		`+ + * not NULL and @a server_princ is not a krbtgt or kadmin/changepw service and`
		`+ + * @a optional_tkt_chksum is FALSE, require a ticket signature over @a enc_tkt`
		`+ + * in addition to the KDC signature. Place the verified PAC in @a pac_out. If`
		`+ + * an invalid PAC signature is found, return an error matching the Windows KDC`
		`+ + * protocol code for that condition as closely as possible.`
		`+ + *`
		`+ + * If no PAC is present in @a enc_tkt, set @a pac_out to NULL and return`
		`+ + * successfully.`
		`+ + *`
		`+ + * @note This function does not validate the PAC_CLIENT_INFO buffer. If a`
		`+ + * specific value is expected, the caller can make a separate call to`
		`+ + * krb5_pac_verify_ext() with a principal but no keys.`
		`+ + *`
		`+ + * @retval 0 Success; otherwise - Kerberos error codes`
		`+ + */`
		`+ +krb5_error_code KRB5_CALLCONV`
		`+ +krb5_kdc_verify_ticket_ext(krb5_context context,`
		`+ + const krb5_enc_tkt_part *enc_tkt,`
		`+ + krb5_const_principal server_princ,`
		`+ + const krb5_keyblock *server,`
		`+ + const krb5_keyblock *privsvr,`
		`+ + krb5_boolean optional_tkt_chksum,`
		`+ + krb5_pac *pac_out);`
		`+ +`
		`+ /** @deprecated Use krb5_kdc_sign_ticket() instead. */`
		`+ krb5_error_code KRB5_CALLCONV`
		`+ krb5_pac_sign(krb5_context context, krb5_pac pac, krb5_timestamp authtime,`
		`+ diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c`
		`+ index ea10e23a95..c7b6e4090d 100644`
		`+ --- a/src/kdc/kdc_util.c`
		`+ +++ b/src/kdc/kdc_util.c`
		`+ @@ -560,16 +560,36 @@ cleanup:`
		`+ static krb5_error_code`
		`+ try_verify_pac(krb5_context context, const krb5_enc_tkt_part *enc_tkt,`
		`+ krb5_db_entry server, krb5_keyblock server_key,`
		`+ - const krb5_keyblock tgt_key, krb5_pac pac_out)`
		`+ + krb5_db_entry tgt, const krb5_keyblock tgt_key,`
		`+ + krb5_pac *pac_out)`
		`+ {`
		`+ krb5_error_code ret;`
		`+ + krb5_boolean optional_tkt_chksum;`
		`+ + char *str = NULL;`
		`+ krb5_keyblock *privsvr_key;`
		`+`
		`+ ret = pac_privsvr_key(context, server, tgt_key, &privsvr_key);`
		`+ if (ret)`
		`+ return ret;`
		`+ - ret = krb5_kdc_verify_ticket(context, enc_tkt, server->princ, server_key,`
		`+ - privsvr_key, pac_out);`
		`+ +`
		`+ + /* Check if the absence of ticket signature is tolerated for this realm */`
		`+ + ret = krb5_dbe_get_string(context, tgt,`
		`+ + KRB5_KDB_SK_OPTIONAL_PAC_TKT_CHKSUM, &str);`
		`+ + /* TODO: should be using _krb5_conf_boolean(), but os-proto.h is not`
		`+ + * available here.`
		`+ + */`
		`+ + optional_tkt_chksum = !ret && str && (strncasecmp(str, "true", 4) == 0`
		`+ + \|\| strncasecmp(str, "t", 1) == 0`
		`+ + \|\| strncasecmp(str, "yes", 3) == 0`
		`+ + \|\| strncasecmp(str, "y", 1) == 0`
		`+ + \|\| strncasecmp(str, "1", 1) == 0`
		`+ + \|\| strncasecmp(str, "on", 2) == 0);`
		`+ +`
		`+ + krb5_dbe_free_string(context, str);`
		`+ +`
		`+ + ret = krb5_kdc_verify_ticket_ext(context, enc_tkt, server->princ,`
		`+ + server_key, privsvr_key,`
		`+ + optional_tkt_chksum, pac_out);`
		`+ krb5_free_keyblock(context, privsvr_key);`
		`+ return ret;`
		`+ }`
		`+ @@ -599,7 +619,7 @@ get_verified_pac(krb5_context context, const krb5_enc_tkt_part *enc_tkt,`
		`+ server_key, NULL, pac_out);`
		`+ }`
		`+`
		`+ - ret = try_verify_pac(context, enc_tkt, server, server_key, tgt_key,`
		`+ + ret = try_verify_pac(context, enc_tkt, server, server_key, tgt, tgt_key,`
		`+ pac_out);`
		`+ if (ret != KRB5KRB_AP_ERR_MODIFIED && ret != KRB5_BAD_ENCTYPE)`
		`+ return ret;`
		`+ @@ -613,8 +633,8 @@ get_verified_pac(krb5_context context, const krb5_enc_tkt_part *enc_tkt,`
		`+ ret = krb5_dbe_decrypt_key_data(context, NULL, kd, &old_key, NULL);`
		`+ if (ret)`
		`+ return ret;`
		`+ - ret = try_verify_pac(context, enc_tkt, server, server_key, &old_key,`
		`+ - pac_out);`
		`+ + ret = try_verify_pac(context, enc_tkt, server, server_key, tgt,`
		`+ + &old_key, pac_out);`
		`+ krb5_free_keyblock_contents(context, &old_key);`
		`+ if (!ret)`
		`+ return 0;`
		`+ diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c`
		`+ index 5d1fdf1ba0..0c0e2ada68 100644`
		`+ --- a/src/lib/krb5/krb/pac.c`
		`+ +++ b/src/lib/krb5/krb/pac.c`
		`+ @@ -594,6 +594,19 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt,`
		`+ krb5_const_principal server_princ,`
		`+ const krb5_keyblock *server,`
		`+ const krb5_keyblock privsvr, krb5_pac pac_out)`
		`+ +{`
		`+ + return krb5_kdc_verify_ticket_ext(context, enc_tkt, server_princ, server,`
		`+ + privsvr, FALSE, pac_out);`
		`+ +}`
		`+ +`
		`+ +krb5_error_code KRB5_CALLCONV`
		`+ +krb5_kdc_verify_ticket_ext(krb5_context context,`
		`+ + const krb5_enc_tkt_part *enc_tkt,`
		`+ + krb5_const_principal server_princ,`
		`+ + const krb5_keyblock *server,`
		`+ + const krb5_keyblock *privsvr,`
		`+ + krb5_boolean optional_tkt_chksum,`
		`+ + krb5_pac *pac_out)`
		`+ {`
		`+ krb5_error_code ret;`
		`+ krb5_pac pac = NULL;`
		`+ @@ -602,7 +615,7 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt,`
		`+ krb5_authdata orig, ifrel = NULL, *recoded_ifrel = NULL;`
		`+ uint8_t z = 0;`
		`+ krb5_authdata zpac = { KV5M_AUTHDATA, KRB5_AUTHDATA_WIN2K_PAC, 1, &z };`
		`+ - krb5_boolean is_service_tkt;`
		`+ + krb5_boolean is_service_tkt, has_tkt_chksum = FALSE;`
		`+ size_t i, j;`
		`+`
		`+ *pac_out = NULL;`
		`+ @@ -667,11 +680,21 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt,`
		`+`
		`+ ret = verify_checksum(context, pac, KRB5_PAC_TICKET_CHECKSUM, privsvr,`
		`+ KRB5_KEYUSAGE_APP_DATA_CKSUM, recoded_tkt);`
		`+ - if (ret)`
		`+ - goto cleanup;`
		`+ + if (ret) {`
		`+ + if (!optional_tkt_chksum)`
		`+ + goto cleanup;`
		`+ + else if (ret != ENOENT)`
		`+ + goto cleanup;`
		`+ + /* Otherwise ticket signature is absent but optional. Proceed... */`
		`+ + } else {`
		`+ + has_tkt_chksum = TRUE;`
		`+ + }`
		`+ }`
		`+ + /* Else, we make the assumption the ticket signature is absent in case this`
		`+ + * is not a service ticket.`
		`+ + */`
		`+`
		`+ - ret = verify_pac_checksums(context, pac, is_service_tkt, server, privsvr);`
		`+ + ret = verify_pac_checksums(context, pac, has_tkt_chksum, server, privsvr);`
		`+ if (ret)`
		`+ goto cleanup;`
		`+`
		`+ diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports`
		`+ index 4c50e935a2..d4b0455c8c 100644`
		`+ --- a/src/lib/krb5/libkrb5.exports`
		`+ +++ b/src/lib/krb5/libkrb5.exports`
		`+ @@ -463,6 +463,7 @@ krb5_is_thread_safe`
		`+ krb5_kdc_rep_decrypt_proc`
		`+ krb5_kdc_sign_ticket`
		`+ krb5_kdc_verify_ticket`
		`+ +krb5_kdc_verify_ticket_ext`
		`+ krb5_kt_add_entry`
		`+ krb5_kt_client_default`
		`+ krb5_kt_close`
		`+ diff --git a/src/man/kadmin.man b/src/man/kadmin.man`
		`+ index d028dc2975..2c8d10067f 100644`
		`+ --- a/src/man/kadmin.man`
		`+ +++ b/src/man/kadmin.man`
		`+ @@ -724,6 +724,12 @@ encryption type. It may be necessary to set this value to`
		`+ "aes256\-sha1" on the cross\-realm krbtgt entry for an Active`
		`+ Directory realm when using aes\-sha2 keys on the local krbtgt`
		`+ entry.`
		`+ +.TP`
		`+ +\fBoptional_pac_tkt_chksum\fP`
		`+ +Boolean value defining the behavior of the KDC in case an expected ticket`
		`+ +checksum signed with one of this principal keys is not present in the PAC. This`
		`+ +is typically the case for TGS or cross-realm TGS principals when processing`
		`+ +S4U2Proxy requests.`
		`+ .UNINDENT`
		`+ .sp`
		`+ This command requires the \fBmodify\fP privilege.`
		`+ --`
		`+ 2.40.1`
		`+`

0011-downstream-Catch-SHA-1-digest-disallowed-error-for-P.patch

file removed

-28

		`@@ -1,28 +0,0 @@`
		`- From c7d2d7c090bc000acd67b358150b9487f606ff20 Mon Sep 17 00:00:00 2001`
		`- From: Julien Rische <jrische@redhat.com>`
		`- Date: Fri, 19 Aug 2022 10:34:52 +0200`
		`- Subject: [PATCH] [downstream] Catch SHA-1 digest disallowed error for`
		`- PKINIT`
		`-`
		`- An OpenSSL patch causes EVP_R_INVALID_DIGEST error to be raised if`
		`- CMS_verify is called to verify a SHA-1 signature. If this error is`
		`- caught, it will now return KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED.`
		`- ---`
		`- src/plugins/preauth/pkinit/pkinit_crypto_openssl.c \| 1 +`
		`- 1 file changed, 1 insertion(+)`
		`-`
		`- diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c`
		`- index 16edf15cb2..bfa3fe8e91 100644`
		`- --- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c`
		`- +++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c`
		`- @@ -2104,6 +2104,7 @@ cms_signeddata_verify(krb5_context context,`
		`- if (CMS_verify(cms, NULL, store, NULL, out, flags) == 0) {`
		`- unsigned long err = ERR_peek_last_error();`
		`- switch(ERR_GET_REASON(err)) {`
		`- + case EVP_R_INVALID_DIGEST:`
		`- case RSA_R_DIGEST_NOT_ALLOWED:`
		`- case CMS_R_UNKNOWN_DIGEST_ALGORITHM:`
		`- case CMS_R_NO_MATCHING_DIGEST:`
		`- --`
		`- 2.38.1`
		`-`

0012-Add-and-use-ts_interval-helper.patch

file removed

-239

		`@@ -1,239 +0,0 @@`
		`- From 07ec260c65ec036d44362868df0f796a53495f27 Mon Sep 17 00:00:00 2001`
		`- From: Greg Hudson <ghudson@mit.edu>`
		`- Date: Mon, 19 Sep 2022 15:18:50 -0400`
		`- Subject: [PATCH] Add and use ts_interval() helper`
		`-`
		`- ts_delta() returns a signed result, which cannot hold an interval`
		`- larger than 2^31-1 seconds. Intervals like this have been seen when`
		`- admins set password expiration dates more than 68 years in the future.`
		`-`
		`- Add a second helper ts_interval() which returns a signed result, and`
		`- has the arguments reversed so that the start time is first. Use it in`
		`- warn_pw_expiry() to handle the password expiration case, in the GSS`
		`- krb5 mech where we return an unsigned context or credential lifetime`
		`- to the caller, and in the KEYRING ccache type where we compute an`
		`- unsigned keyring timeout.`
		`-`
		`- ticket: 9071 (new)`
		`- ---`
		`- src/include/k5-int.h \| 9 +++++++++`
		`- src/lib/gssapi/krb5/accept_sec_context.c \| 10 ++++++----`
		`- src/lib/gssapi/krb5/acquire_cred.c \| 3 +--`
		`- src/lib/gssapi/krb5/context_time.c \| 2 +-`
		`- src/lib/gssapi/krb5/init_sec_context.c \| 4 ++--`
		`- src/lib/gssapi/krb5/inq_context.c \| 2 +-`
		`- src/lib/gssapi/krb5/inq_cred.c \| 2 +-`
		`- src/lib/gssapi/krb5/s4u_gss_glue.c \| 2 +-`
		`- src/lib/krb5/ccache/cc_keyring.c \| 4 ++--`
		`- src/lib/krb5/krb/get_in_tkt.c \| 15 +++++++--------`
		`- 10 files changed, 31 insertions(+), 22 deletions(-)`
		`-`
		`- diff --git a/src/include/k5-int.h b/src/include/k5-int.h`
		`- index c3aecba7d4..768110e5ef 100644`
		`- --- a/src/include/k5-int.h`
		`- +++ b/src/include/k5-int.h`
		`- @@ -2325,6 +2325,15 @@ ts_delta(krb5_timestamp a, krb5_timestamp b)`
		`- return (krb5_deltat)((uint32_t)a - (uint32_t)b);`
		`- }`
		`-`
		`- +/* Return (end - start) as an unsigned 32-bit value, or 0 if start > end. */`
		`- +static inline uint32_t`
		`- +ts_interval(krb5_timestamp start, krb5_timestamp end)`
		`- +{`
		`- + if ((uint32_t)start > (uint32_t)end)`
		`- + return 0;`
		`- + return (uint32_t)end - (uint32_t)start;`
		`- +}`
		`- +`
		`- /* Increment a timestamp by a signed 32-bit interval, without relying on`
		`- * undefined behavior. */`
		`- static inline krb5_timestamp`
		`- diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c`
		`- index 1bc807172b..7de2c9fd77 100644`
		`- --- a/src/lib/gssapi/krb5/accept_sec_context.c`
		`- +++ b/src/lib/gssapi/krb5/accept_sec_context.c`
		`- @@ -353,8 +353,8 @@ kg_accept_dce(minor_status, context_handle, verifier_cred_handle,`
		`- *mech_type = ctx->mech_used;`
		`-`
		`- if (time_rec) {`
		`- - *time_rec = ts_delta(ctx->krb_times.endtime, now) +`
		`- - ctx->k5_context->clockskew;`
		`- + *time_rec = ts_interval(now - ctx->k5_context->clockskew,`
		`- + ctx->krb_times.endtime);`
		`- }`
		`-`
		`- /* Never return GSS_C_DELEG_FLAG since we don't support DCE credential`
		`- @@ -1151,8 +1151,10 @@ kg_accept_krb5(minor_status, context_handle,`
		`-`
		`- /* Add the maximum allowable clock skew as a grace period for context`
		`- * expiration, just as we do for the ticket. */`
		`- - if (time_rec)`
		`- - *time_rec = ts_delta(ctx->krb_times.endtime, now) + context->clockskew;`
		`- + if (time_rec) {`
		`- + *time_rec = ts_interval(now - context->clockskew,`
		`- + ctx->krb_times.endtime);`
		`- + }`
		`-`
		`- if (ret_flags)`
		`- *ret_flags = ctx->gss_flags;`
		`- diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c`
		`- index e226a02692..006eba114d 100644`
		`- --- a/src/lib/gssapi/krb5/acquire_cred.c`
		`- +++ b/src/lib/gssapi/krb5/acquire_cred.c`
		`- @@ -879,8 +879,7 @@ acquire_cred_context(krb5_context context, OM_uint32 *minor_status,`
		`- GSS_C_NO_NAME);`
		`- if (GSS_ERROR(ret))`
		`- goto error_out;`
		`- - *time_rec = ts_after(cred->expire, now) ?`
		`- - ts_delta(cred->expire, now) : 0;`
		`- + *time_rec = ts_interval(now, cred->expire);`
		`- k5_mutex_unlock(&cred->lock);`
		`- }`
		`- }`
		`- diff --git a/src/lib/gssapi/krb5/context_time.c b/src/lib/gssapi/krb5/context_time.c`
		`- index 1fdb5a16f2..5469d8154c 100644`
		`- --- a/src/lib/gssapi/krb5/context_time.c`
		`- +++ b/src/lib/gssapi/krb5/context_time.c`
		`- @@ -51,7 +51,7 @@ krb5_gss_context_time(minor_status, context_handle, time_rec)`
		`- return(GSS_S_FAILURE);`
		`- }`
		`-`
		`- - lifetime = ts_delta(ctx->krb_times.endtime, now);`
		`- + lifetime = ts_interval(now, ctx->krb_times.endtime);`
		`- if (!ctx->initiate)`
		`- lifetime += ctx->k5_context->clockskew;`
		`- if (lifetime <= 0) {`
		`- diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c`
		`- index ea87cf6432..f0f094ccb7 100644`
		`- --- a/src/lib/gssapi/krb5/init_sec_context.c`
		`- +++ b/src/lib/gssapi/krb5/init_sec_context.c`
		`- @@ -664,7 +664,7 @@ kg_new_connection(`
		`- if (time_rec) {`
		`- if ((code = krb5_timeofday(context, &now)))`
		`- goto cleanup;`
		`- - *time_rec = ts_delta(ctx->krb_times.endtime, now);`
		`- + *time_rec = ts_interval(now, ctx->krb_times.endtime);`
		`- }`
		`-`
		`- /* set the other returns */`
		`- @@ -878,7 +878,7 @@ mutual_auth(`
		`- if (time_rec) {`
		`- if ((code = krb5_timeofday(context, &now)))`
		`- goto fail;`
		`- - *time_rec = ts_delta(ctx->krb_times.endtime, now);`
		`- + *time_rec = ts_interval(now, ctx->krb_times.endtime);`
		`- }`
		`-`
		`- if (ret_flags)`
		`- diff --git a/src/lib/gssapi/krb5/inq_context.c b/src/lib/gssapi/krb5/inq_context.c`
		`- index cac024da1f..51c484fdfe 100644`
		`- --- a/src/lib/gssapi/krb5/inq_context.c`
		`- +++ b/src/lib/gssapi/krb5/inq_context.c`
		`- @@ -120,7 +120,7 @@ krb5_gss_inquire_context(minor_status, context_handle, initiator_name,`
		`-`
		`- /* Add the maximum allowable clock skew as a grace period for context`
		`- * expiration, just as we do for the ticket during authentication. */`
		`- - lifetime = ts_delta(ctx->krb_times.endtime, now);`
		`- + lifetime = ts_interval(now, ctx->krb_times.endtime);`
		`- if (!ctx->initiate)`
		`- lifetime += context->clockskew;`
		`- if (lifetime < 0)`
		`- diff --git a/src/lib/gssapi/krb5/inq_cred.c b/src/lib/gssapi/krb5/inq_cred.c`
		`- index bb63b726c8..0e675959a3 100644`
		`- --- a/src/lib/gssapi/krb5/inq_cred.c`
		`- +++ b/src/lib/gssapi/krb5/inq_cred.c`
		`- @@ -131,7 +131,7 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,`
		`- }`
		`-`
		`- if (cred->expire != 0) {`
		`- - lifetime = ts_delta(cred->expire, now);`
		`- + lifetime = ts_interval(now, cred->expire);`
		`- if (lifetime < 0)`
		`- lifetime = 0;`
		`- }`
		`- diff --git a/src/lib/gssapi/krb5/s4u_gss_glue.c b/src/lib/gssapi/krb5/s4u_gss_glue.c`
		`- index 7dcfe4e1eb..fa7f980af7 100644`
		`- --- a/src/lib/gssapi/krb5/s4u_gss_glue.c`
		`- +++ b/src/lib/gssapi/krb5/s4u_gss_glue.c`
		`- @@ -279,7 +279,7 @@ kg_compose_deleg_cred(OM_uint32 *minor_status,`
		`- if (code != 0)`
		`- goto cleanup;`
		`-`
		`- - *time_rec = ts_delta(cred->expire, now);`
		`- + *time_rec = ts_interval(now, cred->expire);`
		`- }`
		`-`
		`- major_status = GSS_S_COMPLETE;`
		`- diff --git a/src/lib/krb5/ccache/cc_keyring.c b/src/lib/krb5/ccache/cc_keyring.c`
		`- index ebef37d607..1dadeef64f 100644`
		`- --- a/src/lib/krb5/ccache/cc_keyring.c`
		`- +++ b/src/lib/krb5/ccache/cc_keyring.c`
		`- @@ -762,7 +762,7 @@ update_keyring_expiration(krb5_context context, krb5_ccache id)`
		`-`
		`- /* Setting the timeout to zero would reset the timeout, so we set it to one`
		`- * second instead if creds are already expired. */`
		`- - timeout = ts_after(endtime, now) ? ts_delta(endtime, now) : 1;`
		`- + timeout = ts_after(endtime, now) ? ts_interval(now, endtime) : 1;`
		`- (void)keyctl_set_timeout(data->cache_id, timeout);`
		`- }`
		`-`
		`- @@ -1343,7 +1343,7 @@ krcc_store(krb5_context context, krb5_ccache id, krb5_creds *creds)`
		`-`
		`- if (ts_after(creds->times.endtime, now)) {`
		`- (void)keyctl_set_timeout(cred_key,`
		`- - ts_delta(creds->times.endtime, now));`
		`- + ts_interval(now, creds->times.endtime));`
		`- }`
		`-`
		`- update_keyring_expiration(context, id);`
		`- diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c`
		`- index 8b5ab595e9..1b420a3ac2 100644`
		`- --- a/src/lib/krb5/krb/get_in_tkt.c`
		`- +++ b/src/lib/krb5/krb/get_in_tkt.c`
		`- @@ -1522,7 +1522,7 @@ warn_pw_expiry(krb5_context context, krb5_get_init_creds_opt *options,`
		`- void *expire_data;`
		`- krb5_timestamp pw_exp, acct_exp, now;`
		`- krb5_boolean is_last_req;`
		`- - krb5_deltat delta;`
		`- + uint32_t interval;`
		`- char ts[256], banner[1024];`
		`-`
		`- if (as_reply == NULL \|\| as_reply->enc_part2 == NULL)`
		`- @@ -1553,8 +1553,8 @@ warn_pw_expiry(krb5_context context, krb5_get_init_creds_opt *options,`
		`- ret = krb5_timeofday(context, &now);`
		`- if (ret != 0)`
		`- return;`
		`- - if (!is_last_req &&`
		`- - (ts_after(now, pw_exp) \|\| ts_delta(pw_exp, now) > 7 * 24 * 60 * 60))`
		`- + interval = ts_interval(now, pw_exp);`
		`- + if (!is_last_req && (!interval \|\| interval > 7 * 24 * 60 * 60))`
		`- return;`
		`-`
		`- if (!prompter)`
		`- @@ -1564,19 +1564,18 @@ warn_pw_expiry(krb5_context context, krb5_get_init_creds_opt *options,`
		`- if (ret != 0)`
		`- return;`
		`-`
		`- - delta = ts_delta(pw_exp, now);`
		`- - if (delta < 3600) {`
		`- + if (interval < 3600) {`
		`- snprintf(banner, sizeof(banner),`
		`- _("Warning: Your password will expire in less than one hour "`
		`- "on %s"), ts);`
		`- - } else if (delta < 86400 * 2) {`
		`- + } else if (interval < 86400 * 2) {`
		`- snprintf(banner, sizeof(banner),`
		`- _("Warning: Your password will expire in %d hour%s on %s"),`
		`- - delta / 3600, delta < 7200 ? "" : "s", ts);`
		`- + interval / 3600, interval < 7200 ? "" : "s", ts);`
		`- } else {`
		`- snprintf(banner, sizeof(banner),`
		`- _("Warning: Your password will expire in %d days on %s"),`
		`- - delta / 86400, ts);`
		`- + interval / 86400, ts);`
		`- }`
		`-`
		`- /* PROMPTER_INVOCATION */`
		`- --`
		`- 2.38.1`
		`-`

0012-downstream-Make-PKINIT-CMS-SHA-1-signature-verificat.patch

file added

+47

		`@@ -0,0 +1,47 @@`
		`+ From d1322546dca51100759eac318ce554bd301c50c3 Mon Sep 17 00:00:00 2001`
		`+ From: Julien Rische <jrische@redhat.com>`
		`+ Date: Tue, 23 May 2023 12:19:54 +0200`
		`+ Subject: [PATCH] [downstream] Make PKINIT CMS SHA-1 signature verification`
		`+ available in FIPS mode`
		`+`
		`+ We recommend using the SHA1 crypto-module in order to allow the`
		`+ verification of SHA-1 signature for CMS messages. However, this module`
		`+ does not work in FIPS mode, because the SHA-1 algorithm is absent from`
		`+ the OpenSSL FIPS provider.`
		`+`
		`+ This commit enables the signature verification process to fetch the`
		`+ algorithm from a non-FIPS OpenSSL provider.`
		`+`
		`+ Support for SHA-1 CMS signature is still required, especially in order`
		`+ to interoperate with Active Directory. At least it is until elliptic`
		`+ curve cryptography is implemented for PKINIT in MIT krb5.`
		`+ ---`
		`+ src/plugins/preauth/pkinit/pkinit_crypto_openssl.c \| 11 ++++++++++-`
		`+ 1 file changed, 10 insertions(+), 1 deletion(-)`
		`+`
		`+ diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c`
		`+ index f41328763e..263ef7845e 100644`
		`+ --- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c`
		`+ +++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c`
		`+ @@ -1844,8 +1844,17 @@ cms_signeddata_verify(krb5_context context,`
		`+ if (oid == NULL)`
		`+ goto cleanup;`
		`+`
		`+ +#if OPENSSL_VERSION_NUMBER >= 0x30000000L`
		`+ + /* Do not use FIPS provider (even in FIPS mode) because it keeps from`
		`+ + * allowing SHA-1 signature verification using the SHA1 crypto-module`
		`+ + */`
		`+ + cms = CMS_ContentInfo_new_ex(NULL, "-fips");`
		`+ + if (!cms)`
		`+ + goto cleanup;`
		`+ +#endif`
		`+ +`
		`+ /* decode received CMS message */`
		`+ - if ((cms = d2i_CMS_ContentInfo(NULL, &p, (int)signed_data_len)) == NULL) {`
		`+ + if (!d2i_CMS_ContentInfo(&cms, &p, (int)signed_data_len)) {`
		`+ retval = oerr(context, 0, _("Failed to decode CMS message"));`
		`+ goto cleanup;`
		`+ }`
		`+ --`
		`+ 2.40.1`
		`+`

0013-Enable-PKINIT-if-at-least-one-group-is-available.patch

file added

+218

		`@@ -0,0 +1,218 @@`
		`+ From a378b1970d92692baeddf6a8681f47efb13e343d Mon Sep 17 00:00:00 2001`
		`+ From: Greg Hudson <ghudson@mit.edu>`
		`+ Date: Tue, 30 May 2023 01:21:48 -0400`
		`+ Subject: [PATCH] Enable PKINIT if at least one group is available`
		`+`
		`+ OpenSSL may no longer allow decoding of non-well-known Diffie-Hellman`
		`+ group parameters as EVP_PKEY objects in FIPS mode. However, OpenSSL`
		`+ does not know about MODP group 2 (1024-bit), which is considered as a`
		`+ custom group. As a consequence, the PKINIT kdcpreauth module fails to`
		`+ load in FIPS mode.`
		`+`
		`+ Allow initialization of PKINIT plugin if at least one of the MODP`
		`+ well-known group parameters successfully decodes.`
		`+`
		`+ [ghudson@mit.edu: minor commit message and code edits]`
		`+`
		`+ ticket: 9096 (new)`
		`+ (cherry picked from commit 509d8db922e9ad6f108883838473b6178f89874a)`
		`+ ---`
		`+ src/plugins/preauth/pkinit/pkinit_clnt.c \| 2 +-`
		`+ src/plugins/preauth/pkinit/pkinit_crypto.h \| 3 +-`
		`+ .../preauth/pkinit/pkinit_crypto_openssl.c \| 76 +++++++++++--------`
		`+ src/plugins/preauth/pkinit/pkinit_srv.c \| 2 +-`
		`+ src/plugins/preauth/pkinit/pkinit_trace.h \| 3 +`
		`+ 5 files changed, 51 insertions(+), 35 deletions(-)`
		`+`
		`+ diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c`
		`+ index 725d5bc438..ea9ba454df 100644`
		`+ --- a/src/plugins/preauth/pkinit/pkinit_clnt.c`
		`+ +++ b/src/plugins/preauth/pkinit/pkinit_clnt.c`
		`+ @@ -1378,7 +1378,7 @@ pkinit_client_plugin_init(krb5_context context,`
		`+ if (retval)`
		`+ goto errout;`
		`+`
		`+ - retval = pkinit_init_plg_crypto(&ctx->cryptoctx);`
		`+ + retval = pkinit_init_plg_crypto(context, &ctx->cryptoctx);`
		`+ if (retval)`
		`+ goto errout;`
		`+`
		`+ diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h`
		`+ index 9fa315d7a0..8bdbea8e95 100644`
		`+ --- a/src/plugins/preauth/pkinit/pkinit_crypto.h`
		`+ +++ b/src/plugins/preauth/pkinit/pkinit_crypto.h`
		`+ @@ -103,7 +103,8 @@ typedef struct _pkinit_cert_matching_data {`
		`+ /*`
		`+ * Functions to initialize and cleanup crypto contexts`
		`+ */`
		`+ -krb5_error_code pkinit_init_plg_crypto(pkinit_plg_crypto_context *);`
		`+ +krb5_error_code pkinit_init_plg_crypto(krb5_context,`
		`+ + pkinit_plg_crypto_context *);`
		`+ void pkinit_fini_plg_crypto(pkinit_plg_crypto_context);`
		`+`
		`+ krb5_error_code pkinit_init_req_crypto(pkinit_req_crypto_context *);`
		`+ diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c`
		`+ index 263ef7845e..d646073d55 100644`
		`+ --- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c`
		`+ +++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c`
		`+ @@ -47,7 +47,8 @@`
		`+ static krb5_error_code pkinit_init_pkinit_oids(pkinit_plg_crypto_context );`
		`+ static void pkinit_fini_pkinit_oids(pkinit_plg_crypto_context );`
		`+`
		`+ -static krb5_error_code pkinit_init_dh_params(pkinit_plg_crypto_context );`
		`+ +static krb5_error_code pkinit_init_dh_params(krb5_context,`
		`+ + pkinit_plg_crypto_context);`
		`+ static void pkinit_fini_dh_params(pkinit_plg_crypto_context );`
		`+`
		`+ static krb5_error_code pkinit_init_certs(pkinit_identity_crypto_context ctx);`
		`+ @@ -951,7 +952,8 @@ oerr_cert(krb5_context context, krb5_error_code code, X509_STORE_CTX *certctx,`
		`+ }`
		`+`
		`+ krb5_error_code`
		`+ -pkinit_init_plg_crypto(pkinit_plg_crypto_context *cryptoctx)`
		`+ +pkinit_init_plg_crypto(krb5_context context,`
		`+ + pkinit_plg_crypto_context *cryptoctx)`
		`+ {`
		`+ krb5_error_code retval = ENOMEM;`
		`+ pkinit_plg_crypto_context ctx = NULL;`
		`+ @@ -969,7 +971,7 @@ pkinit_init_plg_crypto(pkinit_plg_crypto_context *cryptoctx)`
		`+ if (retval)`
		`+ goto out;`
		`+`
		`+ - retval = pkinit_init_dh_params(ctx);`
		`+ + retval = pkinit_init_dh_params(context, ctx);`
		`+ if (retval)`
		`+ goto out;`
		`+`
		`+ @@ -1278,30 +1280,36 @@ pkinit_fini_pkinit_oids(pkinit_plg_crypto_context ctx)`
		`+ ASN1_OBJECT_free(ctx->id_kp_serverAuth);`
		`+ }`
		`+`
		`+ -static krb5_error_code`
		`+ -pkinit_init_dh_params(pkinit_plg_crypto_context plgctx)`
		`+ +static int`
		`+ +try_import_group(krb5_context context, const krb5_data *params,`
		`+ + const char name, EVP_PKEY *pkey_out)`
		`+ {`
		`+ - krb5_error_code retval = ENOMEM;`
		`+ -`
		`+ - plgctx->dh_1024 = decode_dh_params(&oakley_1024);`
		`+ - if (plgctx->dh_1024 == NULL)`
		`+ - goto cleanup;`
		`+ -`
		`+ - plgctx->dh_2048 = decode_dh_params(&oakley_2048);`
		`+ - if (plgctx->dh_2048 == NULL)`
		`+ - goto cleanup;`
		`+ + *pkey_out = decode_dh_params(params);`
		`+ + if (*pkey_out == NULL)`
		`+ + TRACE_PKINIT_DH_GROUP_UNAVAILABLE(context, name);`
		`+ + return (*pkey_out != NULL) ? 1 : 0;`
		`+ +}`
		`+`
		`+ - plgctx->dh_4096 = decode_dh_params(&oakley_4096);`
		`+ - if (plgctx->dh_4096 == NULL)`
		`+ - goto cleanup;`
		`+ +static krb5_error_code`
		`+ +pkinit_init_dh_params(krb5_context context, pkinit_plg_crypto_context plgctx)`
		`+ +{`
		`+ + int n = 0;`
		`+`
		`+ - retval = 0;`
		`+ + n += try_import_group(context, &oakley_1024, "MODP 2 (1024-bit)",`
		`+ + &plgctx->dh_1024);`
		`+ + n += try_import_group(context, &oakley_2048, "MODP 14 (2048-bit)",`
		`+ + &plgctx->dh_2048);`
		`+ + n += try_import_group(context, &oakley_4096, "MODP 16 (4096-bit)",`
		`+ + &plgctx->dh_4096);`
		`+`
		`+ -cleanup:`
		`+ - if (retval)`
		`+ + if (n == 0) {`
		`+ pkinit_fini_dh_params(plgctx);`
		`+ + k5_setmsg(context, ENOMEM,`
		`+ + _("PKINIT cannot initialize any key exchange groups"));`
		`+ + return ENOMEM;`
		`+ + }`
		`+`
		`+ - return retval;`
		`+ + return 0;`
		`+ }`
		`+`
		`+ static void`
		`+ @@ -2910,11 +2918,11 @@ client_create_dh(krb5_context context,`
		`+`
		`+ if (cryptoctx->received_params != NULL)`
		`+ params = cryptoctx->received_params;`
		`+ - else if (dh_size == 1024)`
		`+ + else if (plg_cryptoctx->dh_1024 != NULL && dh_size == 1024)`
		`+ params = plg_cryptoctx->dh_1024;`
		`+ - else if (dh_size == 2048)`
		`+ + else if (plg_cryptoctx->dh_2048 != NULL && dh_size == 2048)`
		`+ params = plg_cryptoctx->dh_2048;`
		`+ - else if (dh_size == 4096)`
		`+ + else if (plg_cryptoctx->dh_4096 != NULL && dh_size == 4096)`
		`+ params = plg_cryptoctx->dh_4096;`
		`+ else`
		`+ goto cleanup;`
		`+ @@ -3210,19 +3218,23 @@ pkinit_create_td_dh_parameters(krb5_context context,`
		`+ krb5_algorithm_identifier alg_4096 = { dh_oid, oakley_4096 };`
		`+ krb5_algorithm_identifier *alglist[4];`
		`+`
		`+ - if (opts->dh_min_bits > 4096) {`
		`+ - ret = KRB5KRB_ERR_GENERIC;`
		`+ - goto cleanup;`
		`+ - }`
		`+ -`
		`+ i = 0;`
		`+ - if (opts->dh_min_bits <= 2048)`
		`+ + if (plg_cryptoctx->dh_2048 != NULL && opts->dh_min_bits <= 2048)`
		`+ alglist[i++] = &alg_2048;`
		`+ - alglist[i++] = &alg_4096;`
		`+ - if (opts->dh_min_bits <= 1024)`
		`+ + if (plg_cryptoctx->dh_4096 != NULL && opts->dh_min_bits <= 4096)`
		`+ + alglist[i++] = &alg_4096;`
		`+ + if (plg_cryptoctx->dh_1024 != NULL && opts->dh_min_bits <= 1024)`
		`+ alglist[i++] = &alg_1024;`
		`+ alglist[i] = NULL;`
		`+`
		`+ + if (i == 0) {`
		`+ + ret = KRB5KRB_ERR_GENERIC;`
		`+ + k5_setmsg(context, ret,`
		`+ + _("OpenSSL has no supported key exchange groups for "`
		`+ + "pkinit_dh_min_bits=%d"), opts->dh_min_bits);`
		`+ + goto cleanup;`
		`+ + }`
		`+ +`
		`+ ret = k5int_encode_krb5_td_dh_parameters(alglist, &der_alglist);`
		`+ if (ret)`
		`+ goto cleanup;`
		`+ diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c`
		`+ index 1b3bf6d4d0..768a4e559f 100644`
		`+ --- a/src/plugins/preauth/pkinit/pkinit_srv.c`
		`+ +++ b/src/plugins/preauth/pkinit/pkinit_srv.c`
		`+ @@ -1222,7 +1222,7 @@ pkinit_server_plugin_init_realm(krb5_context context, const char *realmname,`
		`+ goto errout;`
		`+ plgctx->realmname_len = strlen(plgctx->realmname);`
		`+`
		`+ - retval = pkinit_init_plg_crypto(&plgctx->cryptoctx);`
		`+ + retval = pkinit_init_plg_crypto(context, &plgctx->cryptoctx);`
		`+ if (retval)`
		`+ goto errout;`
		`+`
		`+ diff --git a/src/plugins/preauth/pkinit/pkinit_trace.h b/src/plugins/preauth/pkinit/pkinit_trace.h`
		`+ index 259e95c6c2..5ee39c085c 100644`
		`+ --- a/src/plugins/preauth/pkinit/pkinit_trace.h`
		`+ +++ b/src/plugins/preauth/pkinit/pkinit_trace.h`
		`+ @@ -90,6 +90,9 @@`
		`+ #define TRACE_PKINIT_CLIENT_TRYAGAIN(c) \`
		`+ TRACE(c, "PKINIT client trying again with KDC-provided parameters")`
		`+`
		`+ +#define TRACE_PKINIT_DH_GROUP_UNAVAILABLE(c, name) \`
		`+ + TRACE(c, "PKINIT key exchange group {str} unsupported", name)`
		`+ +`
		`+ #define TRACE_PKINIT_OPENSSL_ERROR(c, msg) \`
		`+ TRACE(c, "PKINIT OpenSSL error: {str}", msg)`
		`+`
		`+ --`
		`+ 2.40.1`
		`+`

krb5-tests

file modified

+4 -1

		`@@ -5,10 +5,13 @@`
		`export RPM_PACKAGE_VERSION={{ version }}`
		`export RPM_PACKAGE_RELEASE={{ release }}`
		`export RPM_ARCH={{ arch }}`
		`+ export RPM_BUILD_NCPUS="$(getconf _NPROCESSORS_ONLN)"`

		`testdir="$(mktemp -d)"`
		`trap "rm -rf ${testdir}" EXIT`

		`+ build_flags="$(eval "echo $(rpm --eval '%{_smp_mflags}')")"`
		`+`
		`cp -rp /usr/share/{{ name }}-tests "${testdir}/"`
		`- make -C "${testdir}/{{ name }}-tests" $(rpm --eval '%{_smp_mflags}')`
		`+ make -C "${testdir}/{{ name }}-tests" $build_flags`
		`keyctl session - make -C "${testdir}/{{ name }}-tests" check`

krb5.spec

file modified

+97 -79

		`@@ -10,7 +10,7 @@`
		`#`
		`# baserelease is what we have standardized across Fedora and what`
		`# rpmdev-bumpspec knows how to handle.`
		`- %global baserelease 8`
		`+ %global baserelease 2`

		`# This should be e.g. beta1 or %%nil`
		`%global pre_release %nil`
		`@@ -22,9 +22,9 @@`
		`%endif`

		`%global krb5_version_major 1`
		`- %global krb5_version_minor 20`
		`+ %global krb5_version_minor 21`
		`# For a release without a patch number set to %%nil`
		`- %global krb5_version_patch 1`
		`+ %global krb5_version_patch %nil`

		`%global krb5_version_major_minor %{krb5_version_major}.%{krb5_version_minor}`
		`%global krb5_version %{krb5_version_major_minor}`
		`@@ -59,22 +59,19 @@`
		`Source14: krb5-krb5kdc.conf`
		`Source15: %{name}-tests`

		`- Patch1: 0001-downstream-ksu-pam-integration.patch`
		`- Patch2: 0002-downstream-SELinux-integration.patch`
		`- Patch3: 0003-downstream-fix-debuginfo-with-y.tab.c.patch`
		`- Patch4: 0004-downstream-Remove-3des-support.patch`
		`- Patch5: 0005-downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch`
		`- Patch6: 0006-downstream-Allow-krad-UDP-TCP-localhost-connection-w.patch`
		`- Patch7: 0007-Add-configure-variable-for-default-PKCS-11-module.patch`
		`- Patch8: 0008-Set-reasonable-supportedCMSTypes-in-PKINIT.patch`
		`- Patch9: 0009-Simplify-plugin-loading-code.patch`
		`- Patch10: 0010-Update-error-checking-for-OpenSSL-CMS_verify.patch`
		`- Patch11: 0011-downstream-Catch-SHA-1-digest-disallowed-error-for-P.patch`
		`- Patch12: 0012-Add-and-use-ts_interval-helper.patch`
		`- Patch13: 0013-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch`
		`- Patch14: 0014-downstream-Include-missing-OpenSSL-FIPS-header.patch`
		`- Patch15: 0015-downstream-Do-not-set-root-as-ksu-file-owner.patch`
		`- Patch16: 0016-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch`
		`+ Patch0001: 0001-downstream-ksu-pam-integration.patch`
		`+ Patch0002: 0002-downstream-SELinux-integration.patch`
		`+ Patch0003: 0003-downstream-fix-debuginfo-with-y.tab.c.patch`
		`+ Patch0004: 0004-downstream-Remove-3des-support.patch`
		`+ Patch0005: 0005-downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch`
		`+ Patch0006: 0006-downstream-Allow-krad-UDP-TCP-localhost-connection-w.patch`
		`+ Patch0007: 0007-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch`
		`+ Patch0008: 0008-downstream-Include-missing-OpenSSL-FIPS-header.patch`
		`+ Patch0009: 0009-downstream-Do-not-set-root-as-ksu-file-owner.patch`
		`+ Patch0010: 0010-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch`
		`+ Patch0011: 0011-downstream-Allow-to-set-PAC-ticket-signature-as-opti.patch`
		`+ Patch0012: 0012-downstream-Make-PKINIT-CMS-SHA-1-signature-verificat.patch`
		`+ Patch0013: 0013-Enable-PKINIT-if-at-least-one-group-is-available.patch`

		`License: MIT`
		`URL: https://web.mit.edu/kerberos/www/`
		`@@ -157,8 +154,8 @@`
		`Requires(postun): systemd-units`
		`# we drop files in its directory, but we don't want to own that directory`
		`Requires: logrotate`
		`- # we specify /usr/share/dict/words as the default dict_file in kdc.conf`
		`- Requires: /usr/share/dict/words`
		`+ # we specify /usr/share/dict/words (provided by words) as the default dict_file in kdc.conf`
		`+ Requires: words`
		`# for run-time, and for parts of the test suite`
		`BuildRequires: libverto-module-base`
		`Requires: libverto-module-base`
		`@@ -255,7 +252,7 @@`
		`Requires: python3-pyrad`
		`Requires: resolv_wrapper`
		`Requires: /etc/crypto-policies/back-ends/krb5.config`
		`- Requires: /usr/share/dict/words`
		`+ Requires: words`
		`#Requires: openldap-servers, openldap-clients`

		`%description tests`
		`@@ -711,6 +708,27 @@`
		`%{_datarootdir}/%{name}-tests/`

		`%changelog`
		`+ * Thu Jun 29 2023 Marek Blaha <mblaha@redhat.com> - 1.21-2`
		`+ - Replace file dependency with package name`
		`+ Resolves: rhbz#2216903`
		`+`
		`+ * Mon Jun 12 2023 Julien Rische <jrische@redhat.com> - 1.21-1`
		`+ - New upstream version (1.21)`
		`+ - Do not disable PKINIT if some of the well-known DH groups are unavailable`
		`+ Resolves: rhbz#2214297`
		`+ - Make PKINIT CMS SHA-1 signature verification available in FIPS mode`
		`+ Resolves: rhbz#2214300`
		`+ - Allow to set PAC ticket signature as optional`
		`+ Resolves: rhbz#2181311`
		`+ - Add support for MS-PAC extended KDC signature (CVE-2022-37967)`
		`+ Resolves: rhbz#2166001`
		`+ - Fix syntax error in aclocal.m4`
		`+ Resolves: rhbz#2143306`
		`+`
		`+ * Tue Jan 31 2023 Julien Rische <jrische@redhat.com> - 1.20.1-9`
		`+ - Add support for MS-PAC extended KDC signature (CVE-2022-37967)`
		`+ Resolves: rhbz#2166001`
		`+`
		`* Mon Jan 30 2023 Julien Rische <jrische@redhat.com> - 1.20.1-8`
		`- Bypass FIPS restrictions to use KRB5KDF in case AES SHA-1 HMAC is enabled`
		`- Lazily load MD4/5 from OpenSSL if using RADIUS or RC4 enctype in FIPS mode`
		`@@ -721,7 +739,7 @@`
		`* Wed Jan 18 2023 Julien Rische <jrische@redhat.com> - 1.20.1-6`
		`- Set aes256-cts-hmac-sha384-192 as EXAMLE.COM master key in kdc.conf`
		`- Add AES SHA-2 HMAC family as EXAMPLE.COM supported etypes in kdc.conf`
		`- - Resolves: rhbz#2114771`
		`+ Resolves: rhbz#2114771`

		`* Mon Jan 09 2023 Julien Rische <jrische@redhat.com> - 1.20.1-5`
		`- Strip debugging data from ksu executable file`
		`@@ -738,18 +756,18 @@`

		`* Wed Nov 23 2022 Julien Rische <jrische@redhat.com> - 1.20.1-1`
		`- New upstream version (1.20.1)`
		`- - Resolves: rhbz#2124463`
		`+ Resolves: rhbz#2124463`
		`- Restore "supportedCMSTypes" attribute in PKINIT preauth requests`
		`- Set SHA-512 or SHA-256 with RSA as preferred CMS signature algorithms`
		`- - Resolves: rhbz#2114766`
		`+ Resolves: rhbz#2114766`
		`- Update error checking for OpenSSL CMS_verify`
		`- - Resolves: rhbz#2119704`
		`+ Resolves: rhbz#2119704`
		`- Remove invalid password expiry warning`
		`- - Resolves: rhbz#2129113`
		`+ Resolves: rhbz#2129113`

		`* Wed Nov 09 2022 Julien Rische <jrische@redhat.com> - 1.19.2-13`
		`- Fix integer overflows in PAC parsing (CVE-2022-42898)`
		`- - Resolves: rhbz#2143011`
		`+ Resolves: rhbz#2143011`

		`* Tue Aug 02 2022 Andreas Schneider <asn@redhat.com> - 1.19.2-12`
		`- Use baserelease to set the release number`
		`@@ -761,14 +779,14 @@`

		`* Wed Jun 15 2022 Julien Rische <jrische@redhat.com> - 1.19.2-11`
		`- Allow libkrad UDP/TCP connection to localhost in FIPS mode`
		`- - Resolves: rhbz#2082189`
		`+ Resolves: rhbz#2082189`
		`- Read GSS configuration files with mtime 0`

		`* Mon May 2 2022 Julien Rische <jrische@redhat.com> - 1.19.2-10`
		`- Use p11-kit as default PKCS11 module`
		`- - Resolves: rhbz#2073274`
		`+ Resolves: rhbz#2073274`
		`- Try harder to avoid password change replay errors`
		`- - Resolves: rhbz#2072059`
		`+ Resolves: rhbz#2072059`

		`* Tue Apr 05 2022 Alexander Bokovoy <abokovoy@redhat.com> - 1.19.2-9`
		`- Fix libkrad client cleanup`
		`@@ -786,7 +804,7 @@`

		`* Wed Feb 02 2022 Alexander Bokovoy <abokovoy@redhat.com> - 1.19.2-5`
		`- Temporarily remove package note to unblock krb5-dependent packages`
		`- - Resolves: rhbz#2048909`
		`+ Resolves: rhbz#2048909`

		`* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.19.2-4.1`
		`- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild`
		`@@ -904,7 +922,7 @@`

		`* Tue Nov 17 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-30`
		`- Migrate /var/run to /run, an exercise in pointlessness`
		`- - Resolves: #1898410`
		`+ Resolves: rhbz#1898410`

		`* Thu Nov 05 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-29`
		`- Add recursion limit for ASN.1 indefinite lengths (CVE-2020-28196)`
		`@@ -926,14 +944,14 @@`

		`* Thu Sep 10 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-23`
		- Use `systemctl reload` to HUP the KDC during logrotate
		`- - Resolves: #1877692`
		`+ Resolves: rhbz#1877692`

		`* Wed Sep 09 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-22`
		`- Fix input length checking in SPNEGO DER decoding`

		`* Fri Aug 28 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-21`
		`- Mark crypto-polices snippet as missingok`
		`- - Resolves: #1868379`
		`+ Resolves: rhbz#1868379`

		`* Thu Aug 13 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-20`
		`- Temporarily dns_canonicalize_hostname=fallback changes`
		`@@ -950,7 +968,7 @@`

		`* Mon Aug 03 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-16`
		`- Disable tests on s390x`
		`- - Resolves: #1863952`
		`+ Resolves: rhbz#1863952`

		`* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.18.2-15`
		`- Second attempt - Rebuilt for`
		`@@ -971,7 +989,7 @@`

		`* Wed Jul 08 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-10`
		`- Set qualify_shortname empty in default configuration`
		`- - Resolves: #1852041`
		`+ Resolves: rhbz#1852041`

		`* Mon Jun 15 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-9`
		`- Use two queues for concurrent t_otp.py daemons`
		`@@ -1145,7 +1163,7 @@`

		`* Mon Jul 15 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-35`
		`- Don't error on invalid enctypes in keytab`
		`- - Resolves: #1724380`
		`+ Resolves: rhbz#1724380`

		`* Tue Jul 02 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-34`
		`- Remove now-unused checksum functions`
		`@@ -1230,7 +1248,7 @@`

		`* Thu Apr 11 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-8`
		`- Implement krb5_cc_remove_cred for remaining types`
		`- - Resolves: #1693836`
		`+ Resolves: rhbz#1693836`

		`* Mon Apr 01 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-7`
		`- FIPS-aware SPAKE group negotiation`
		`@@ -1265,7 +1283,7 @@`

		`* Mon Dec 17 2018 Robbie Harwood <rharwood@redhat.com> - 1.17-1.beta2.2`
		`- Restore pdfs source file`
		`- - Resolves: #1659716`
		`+ Resolves: rhbz#1659716`

		`* Thu Dec 06 2018 Robbie Harwood <rharwood@redhat.com> - 1.17-1.beta2.1`
		`- New upstream release (1.17-beta2)`
		`@@ -1279,26 +1297,26 @@`

		`* Thu Nov 08 2018 Robbie Harwood <rharwood@redhat.com> - 1.17-1.beta1.1`
		`- Fix spurious errors from kcmio_unix_socket_write`
		`- - Resolves: #1645912`
		`+ Resolves: rhbz#1645912`

		`* Thu Nov 01 2018 Robbie Harwood <rharwood@redhat.com> - 1.17-0.beta1.1`
		`- New upstream beta release`

		`* Wed Oct 24 2018 Robbie Harwood <rharwood@redhat.com> - 1.16.1-25`
		`- Update man pages to reference kerberos(7)`
		`- - Resolves: #1143767`
		`+ Resolves: rhbz#1143767`

		`* Wed Oct 17 2018 Robbie Harwood <rharwood@redhat.com> - 1.16.1-24`
		`- Use port-sockets.h macros in cc_kcm, sendto_kdc`
		`- - Resolves: #1631998`
		`+ Resolves: rhbz#1631998`

		`* Wed Oct 17 2018 Robbie Harwood <rharwood@redhat.com> - 1.16.1-23`
		`- Correct kpasswd_server description in krb5.conf(5)`
		`- - Resolves: #1640272`
		`+ Resolves: rhbz#1640272`

		`* Mon Oct 15 2018 Robbie Harwood <rharwood@redhat.com> - 1.16.1-22`
		`- Prefer TCP to UDP for password changes`
		`- - Resolves: #1637611`
		`+ Resolves: rhbz#1637611`

		`* Tue Oct 09 2018 Adam Williamson <awilliam@redhat.com> - 1.16.1-21`
		`- Revert the patch from -20 for now as it seems to make FreeIPA worse`
		`@@ -1347,18 +1365,18 @@`

		`* Thu Jun 14 2018 Robbie Harwood <rharwood@redhat.com> - 1.16.1-6`
		`- Switch to python3-sphinx for docs`
		`- - Resolves: #1590928`
		`+ Resolves: rhbz#1590928`

		`* Thu Jun 14 2018 Robbie Harwood <rharwood@redhat.com> - 1.16.1-5`
		`- Make docs build python3-compatible`
		`- - Resolves: #1590928`
		`+ Resolves: rhbz#1590928`

		`* Thu Jun 07 2018 Robbie Harwood <rharwood@redhat.com> - 1.16.1-4`
		`- Update includedir processing to match upstream`

		`* Fri Jun 01 2018 Robbie Harwood <rharwood@redhat.com> - 1.16.1-3`
		`- Log when non-root ksu authorization fails`
		`- - Resolves: #1575771`
		`+ Resolves: rhbz#1575771`

		`* Fri May 04 2018 Robbie Harwood <rharwood@redhat.com> - 1.16.1-2`
		`- Remove "-nodes" option from make-certs scripts`
		`@@ -1380,7 +1398,7 @@`

		`* Mon Apr 23 2018 Robbie Harwood <rharwood@redhat.com> - 1.16-23`
		`- Explicitly use openssl rather than builtin crypto`
		`- - Resolves: #1570910`
		`+ Resolves: rhbz#1570910`

		`* Tue Apr 17 2018 Robbie Harwood <rharwood@redhat.com> - 1.16-22`
		`- Merge duplicate subsections in profile library`
		`@@ -1430,7 +1448,7 @@`

		`* Wed Mar 07 2018 Robbie Harwood <rharwood@redhat.com> - 1.16-8`
		`- Fix capaths "." values on client`
		`- - Resolves: 1551099`
		`+ Resolves: 1551099`

		`* Tue Feb 13 2018 Robbie Harwood <rharwood@redhat.com> - 1.16-7`
		`- Fix flaws in LDAP DN checking`
		`@@ -1439,7 +1457,7 @@`
		`* Mon Feb 12 2018 Robbie Harwood <rharwood@redhat.com> - 1.16-6`
		`- Fix a leak in the previous commit`
		`- Restore dist macro that was accidentally removed`
		`- - Resolves: #1540939`
		`+ Resolves: rhbz#1540939`

		`* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.16-5`
		`- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild`
		`@@ -1452,7 +1470,7 @@`

		`* Tue Dec 12 2017 Robbie Harwood <rharwood@redhat.com> - 1.16-2`
		`- Fix network service dependencies`
		`- - Resolves: #1525230`
		`+ Resolves: rhbz#1525230`

		`* Wed Dec 06 2017 Robbie Harwood <rharwood@redhat.com> - 1.16-1`
		`- New upstream release (1.16)`
		`@@ -1482,12 +1500,12 @@`

		`* Wed Sep 06 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-28`
		`- Save other programs from worrying about CVE-2017-11462`
		`- - Resolves: #1488873`
		`- - Resolves: #1488874`
		`+ Resolves: rhbz#1488873`
		`+ Resolves: rhbz#1488874`

		`* Tue Sep 05 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-27`
		`- Add hostname-based ccselect module`
		`- - Resolves: #1463665`
		`+ Resolves: rhbz#1463665`

		`* Tue Sep 05 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-26`
		`- Backport upstream certauth EKU fixes`
		`@@ -1538,7 +1556,7 @@`

		`* Fri Jun 23 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-11`
		`- Include more test suite changes from upstream`
		`- - Resolves: #1464381`
		`+ Resolves: rhbz#1464381`

		`* Wed Jun 07 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-10`
		`- Fix custom build with -DDEBUG`
		`@@ -1554,12 +1572,12 @@`

		`* Thu Apr 13 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-6`
		`- Include fixes for previous commit`
		`- - Resolves: #1433083`
		`+ Resolves: rhbz#1433083`

		`* Thu Apr 13 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-5`
		`- Automatically add includedir where not present`
		`- Try removing sleep statement to see if it is still needed`
		`- - Resolves: #1433083`
		`+ Resolves: rhbz#1433083`

		`* Fri Apr 07 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-4`
		`- Fix use of enterprise principals with forwarding`
		`@@ -1569,7 +1587,7 @@`

		`* Tue Mar 07 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-2`
		`- Remove duplication between subpackages`
		`- - Resolves: #1250228`
		`+ Resolves: rhbz#1250228`

		`* Fri Mar 03 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-1`
		`- New upstream release - 1.15.1`
		`@@ -1603,14 +1621,14 @@`
		`* Thu Oct 20 2016 Robbie Harwood <rharwood@redhat.com> - 1.15-beta1-1`
		`- New upstream release`
		`- Update selinux with RHEL hygene`
		`- - Resolves: #1314096`
		`+ Resolves: rhbz#1314096`

		`* Tue Oct 11 2016 Tomáš Mráz <tmraz@redhat.com> - 1.14.4-6`
		`- rebuild with OpenSSL 1.1.0, added backported upstream patch`

		`* Fri Sep 30 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.4-5`
		`- Properly close krad sockets`
		`- - Resolves: #1380836`
		`+ Resolves: rhbz#1380836`

		`* Fri Sep 30 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.4-4`
		`- Fix backward check in kprop.service`
		`@@ -1629,42 +1647,42 @@`

		`* Mon Sep 19 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.3-9`
		`- Add krb5_db_register_keytab`
		`- - Resolves: #1376812`
		`+ Resolves: rhbz#1376812`

		`* Mon Aug 29 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.3-8`
		`- Use responder for non-preauth AS requests`
		`- - Resolves: #1370622`
		`+ Resolves: rhbz#1370622`

		`* Mon Aug 29 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.3-7`
		`- Guess Samba client mutual flag using ap_option`
		`- - Resolves: #1370980`
		`+ Resolves: rhbz#1370980`

		`* Thu Aug 25 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.3-6`
		`- Fix KDC return code and set prompt types for OTP client preauth`
		`- - Resolves: #1370072`
		`+ Resolves: rhbz#1370072`

		`* Mon Aug 15 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.3-5`
		`- Turn OFD locks back on with glibc workaround`
		`- - Resolves: #1274922`
		`+ Resolves: rhbz#1274922`

		`* Wed Aug 10 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.3-4`
		`- Fix use of KKDCPP with SNI`
		`- - Resolves: #1365027`
		`+ Resolves: rhbz#1365027`

		`* Fri Aug 05 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.3-3`
		`- Make krb5-devel depend on libkadm5`
		`- - Resolves: #1364487`
		`+ Resolves: rhbz#1364487`

		`* Wed Aug 03 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.3-2`
		`- Up-port a bunch of stuff from the el-7.3 cycle`
		`- - Resolves: #1255450, #1314989`
		`+ Resolves: rhbz#1255450, rhbz#1314989`

		`* Mon Aug 01 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.3-1`
		`- New upstream version 1.14.3`

		`* Thu Jul 28 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.1-9`
		`- Fix CVE-2016-3120`
		`- - Resolves: #1361051`
		`+ Resolves: rhbz#1361051`

		`* Wed Jun 22 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.1-8`
		`- Fix incorrect recv() size calculation in libkrad`
		`@@ -1677,18 +1695,18 @@`

		`* Tue Apr 05 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.1-5`
		`- Use the correct patches this time.`
		`- - Resolves: #1321135`
		`+ Resolves: rhbz#1321135`

		`* Mon Apr 04 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.1-4`
		`- Add send/receive sendto_kdc hooks and corresponding tests`
		`- - Resolves: #1321135`
		`+ Resolves: rhbz#1321135`

		`* Fri Mar 18 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.1-3`
		`- Fix CVE-2016-3119 (NULL deref in LDAP module)`

		`* Thu Mar 17 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.1-2`
		`- Backport OID mech fix`
		`- - Resolves: #1317609`
		`+ Resolves: rhbz#1317609`

		`* Mon Feb 29 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.1-1`
		`- New rawhide, new upstream version`
		`@@ -1698,7 +1716,7 @@`

		`* Mon Feb 22 2016 Robbie Harwood <rharwood@redhat.com> - 1.14-23`
		`- Fix log file permissions patch with our selinux`
		`- - Resolves: #1309421`
		`+ Resolves: rhbz#1309421`

		`* Fri Feb 19 2016 Robbie Harwood <rharwood@redhat.com> - 1.14-22`
		`- Backport my interposer fixes from upstream`
		`@@ -1707,7 +1725,7 @@`
		`* Tue Feb 16 2016 Robbie Harwood <rharwood@redhat.com> - 1.14-21`
		`- Adjust dependency on crypto-polices to be just the file we want`
		`- Patch courtesy of lslebodn`
		`- - Resolves: #1308984`
		`+ Resolves: rhbz#1308984`

		`* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1.14-20`
		`- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild`
		`@@ -1715,21 +1733,21 @@`
		`* Thu Jan 28 2016 Robbie Harwood <rharwood@redhat.com> - 1.14-19`
		`- Replace _kadmin/_kprop with systemd macros`
		`- Remove traces of upstart from fedora package per policy`
		`- - Resolves: #1290185`
		`+ Resolves: rhbz#1290185`

		`* Wed Jan 27 2016 Robbie Harwood <rharwood@redhat.com> - 1.14-18`
		`- Fix CVE-2015-8629, CVE-2015-8630, CVE-2015-8631`

		`* Thu Jan 21 2016 Robbie Harwood <rharwood@redhat.com> - 1.14-17`
		`- Make krb5kdc.log not world-readable by default`
		`- - Resolves: #1276484`
		`+ Resolves: rhbz#1276484`

		`* Thu Jan 21 2016 Robbie Harwood <rharwood@redhat.com> - 1.14-16`
		`- Allow verification of attributes on krb5.conf`

		`* Wed Jan 20 2016 Robbie Harwood <rharwood@redhat.com> - 1.14-15`
		`- Use "new" systemd macros for service handling. (Thanks vpavlin!)`
		`- - Resolves: #850399`
		`+ Resolves: rhbz#850399`

		`* Wed Jan 20 2016 Robbie Harwood <rharwood@redhat.com> - 1.14-14`
		`- Remove WITH_NSS macro (always false)`
		`@@ -1739,7 +1757,7 @@`

		`* Fri Jan 08 2016 Robbie Harwood <rharwood@redhat.com> - 1.14-13`
		`- Backport fix for chrome crash in spnego_gss_inquire_context`
		`- - Resolves: #1295893`
		`+ Resolves: rhbz#1295893`

		`* Wed Dec 16 2015 Robbie Harwood <rharwood@redhat.com> - 1.14-12`
		`- Backport patch to fix mechglue for gss_inqure_attrs_for_mech()`

sources

file modified

+2 -2

		`@@ -1,2 +1,2 @@`
		`- SHA512 (krb5-1.20.1.tar.gz) = 6f57479f13f107cd84f30de5c758eb6b9fc59171329c13e5da6073b806755f8d163eb7bd84767ea861ad6458ea0c9eeb00ee044d3bcad01ef136e9888564b6a2`
		`- SHA512 (krb5-1.20.1.tar.gz.asc) = 1d3312bd67581e07adfdadf2c5fe394179631d8add8bd075efefe982a0de22369004e60a14422d426382c8c591e4181b9897088afe9d4e86f0b5a97e5954c67a`
		`+ SHA512 (krb5-1.21.tar.gz) = 8ee2366888f6d553a44fc642a89c69a57dbc1ec4c89a36b9ba8b00584a9a32c73a2b0566ba5f21852ad9617046666c276dac402393bf8eb19fbe0c07a838071a`
		`+ SHA512 (krb5-1.21.tar.gz.asc) = 7147a44a13f4f26c5c1d9aba738b32892b50e351ad149dcaf0b6f2c010e3c51d7d51540d0a51b085450ffa31d5027b5f2e5841109d7af8bdaddbdd3a569582d5`

jrische commented 11 months ago

Replace file dependency by package name
Resolves: rhbz#2216903
Do not disable PKINIT if some of the well-known DH groups are unavailable
Resolves: rhbz#2214297
Make PKINIT CMS SHA-1 signature verification available in FIPS mode
Resolves: rhbz#2214300
Allow to set PAC ticket signature as optional
Resolves: rhbz#2181311
Add support for MS-PAC extended KDC signature (CVE-2022-37967)
Resolves: rhbz#2166001
Fix syntax error in aclocal.m4
Resolves: rhbz#2143306