authorRobbie Harwood <rharwood@redhat.com>2017-09-25 13:54:57 -0400
committerRobbie Harwood <rharwood@redhat.com>2017-09-25 19:24:33 +0000
commitf1e535bb81d5a9dd23468973a599b5daaaa9b679 (patch)
tree8c690749ca90c86028188ac530ae060adea3e055
parent11b90e9e6e42aeb2568fb67e68eb3e398dd4fbcb (diff)
New upstream release - krb5-1.15.2
Adjust patches as appropriate
-rw-r--r--.gitignore3
-rw-r--r--Add-KDC-policy-pluggable-interface.patch2
-rw-r--r--Add-PKINIT-UPN-tests-to-t_pkinit.py.patch2
-rw-r--r--Add-PKINIT-test-case-for-generic-client-cert.patch2
-rw-r--r--Add-certauth-pluggable-interface.patch6
-rw-r--r--Add-hostname-based-ccselect-module.patch6
-rw-r--r--Add-k5test-expected_msg-expected_trace.patch4
-rw-r--r--Add-support-to-query-the-SSF-of-a-GSS-context.patch2
-rw-r--r--Add-test-case-for-PKINIT-DH-renegotiation.patch2
-rw-r--r--Add-test-cert-generation-to-make-certs.sh.patch2
-rw-r--r--Add-test-cert-with-no-extensions.patch2
-rw-r--r--Add-the-client_name-kdcpreauth-callback.patch2
-rw-r--r--Add-timestamp-helper-functions.patch2
-rw-r--r--Add-timestamp-tests.patch2
-rw-r--r--Add-y2038-documentation.patch2
-rw-r--r--Allow-clock-skew-in-krb5-gss_context_time.patch36
-rw-r--r--Build-with-Werror-implicit-int-where-supported.patch2
-rw-r--r--Convert-some-pkiDebug-messages-to-TRACE-macros.patch2
-rw-r--r--Correct-error-handling-bug-in-prior-commit.patch2
-rw-r--r--Deindent-crypto_retrieve_X509_sans.patch2
-rw-r--r--Fix-bugs-in-kdcpolicy-commit.patch2
-rw-r--r--Fix-certauth-built-in-module-returns.patch2
-rw-r--r--Fix-in_clock_skew-and-use-it-in-AS-client-code.patch2
-rw-r--r--Fix-leaks-in-gss_inquire_cred_by_oid.patch35
-rw-r--r--Fix-more-time-manipulations-for-y2038.patch2
-rw-r--r--Improve-PKINIT-UPN-SAN-matching.patch2
-rw-r--r--Make-timestamp-manipulations-y2038-safe.patch20
-rw-r--r--Preserve-GSS-context-on-init-accept-failure.patch413
-rw-r--r--Prevent-KDC-unset-status-assertion-failures.patch109
-rw-r--r--Remove-incomplete-PKINIT-OCSP-support.patch6
-rw-r--r--Use-GSSAPI-fallback-skiptest.patch2
-rw-r--r--Use-expected_msg-in-test-scripts.patch2
-rw-r--r--Use-expected_trace-in-test-scripts.patch2
-rw-r--r--Use-fallback-realm-for-GSSAPI-ccache-selection.patch2
-rw-r--r--Use-krb5_timestamp-where-appropriate.patch8
-rw-r--r--Use-the-canonical-client-principal-name-for-OTP.patch2
-rw-r--r--kerberos-adm.portreserve1
-rw-r--r--krb5-1.11-kpasswdtest.patch2
-rw-r--r--krb5-1.11-run_user_0.patch2
-rw-r--r--krb5-1.12-api.patch2
-rw-r--r--krb5-1.12-ksu-path.patch2
-rw-r--r--krb5-1.12-ktany.patch2
-rw-r--r--krb5-1.12.1-pam.patch2
-rw-r--r--krb5-1.13-dirsrv-accountlock.patch2
-rw-r--r--krb5-1.15-beta1-buildconf.patch2
-rw-r--r--krb5-1.15.1-selinux-label.patch2
-rw-r--r--krb5-1.3.1-dns.patch2
-rw-r--r--krb5-1.9-debuginfo.patch2
-rw-r--r--krb5.spec46
-rw-r--r--krb5_prop.portreserve1
-rw-r--r--sources6
51 files changed, 91 insertions, 681 deletions
diff --git a/.gitignore b/.gitignore
index 4354ce4..c78f6a3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -151,3 +151,6 @@ krb5-1.8.3-pdf.tar.gz
/krb5-1.15.1-pdfs.tar
/krb5-1.15.1.tar.gz
/krb5-1.15.1.tar.gz.asc
+/krb5-1.15.2-pdfs.tar
+/krb5-1.15.2.tar.gz
+/krb5-1.15.2.tar.gz.asc
diff --git a/Add-KDC-policy-pluggable-interface.patch b/Add-KDC-policy-pluggable-interface.patch
index e43bc0d..a5e029e 100644
--- a/Add-KDC-policy-pluggable-interface.patch
+++ b/Add-KDC-policy-pluggable-interface.patch
@@ -1,4 +1,4 @@
-From 648fa08747a5f2025f47e5b0bc2589f55a65218a Mon Sep 17 00:00:00 2001
+From 78a1f155701f94a228c4f58f98846195a39991c4 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 27 Jun 2017 17:15:39 -0400
Subject: [PATCH] Add KDC policy pluggable interface
diff --git a/Add-PKINIT-UPN-tests-to-t_pkinit.py.patch b/Add-PKINIT-UPN-tests-to-t_pkinit.py.patch
index ab332a7..94370dc 100644
--- a/Add-PKINIT-UPN-tests-to-t_pkinit.py.patch
+++ b/Add-PKINIT-UPN-tests-to-t_pkinit.py.patch
@@ -1,4 +1,4 @@
-From 2f84634c8227d2f43daf9a6135766c6e1901851f Mon Sep 17 00:00:00 2001
+From 6ce3a9416ee73fee41d0190e3fd0fde0a097c774 Mon Sep 17 00:00:00 2001
From: Matt Rogers <mrogers@redhat.com>
Date: Fri, 9 Dec 2016 11:43:27 -0500
Subject: [PATCH] Add PKINIT UPN tests to t_pkinit.py
diff --git a/Add-PKINIT-test-case-for-generic-client-cert.patch b/Add-PKINIT-test-case-for-generic-client-cert.patch
index e6fb895..e77dd5f 100644
--- a/Add-PKINIT-test-case-for-generic-client-cert.patch
+++ b/Add-PKINIT-test-case-for-generic-client-cert.patch
@@ -1,4 +1,4 @@
-From 22e89e4e2d2819b7371efb848be525914b2750e8 Mon Sep 17 00:00:00 2001
+From e267849bcc3813989470c03565b22d25c71af91e Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Fri, 25 Aug 2017 12:39:14 -0400
Subject: [PATCH] Add PKINIT test case for generic client cert
diff --git a/Add-certauth-pluggable-interface.patch b/Add-certauth-pluggable-interface.patch
index e1f81b9..a9adc3e 100644
--- a/Add-certauth-pluggable-interface.patch
+++ b/Add-certauth-pluggable-interface.patch
@@ -1,4 +1,4 @@
-From 14455b071bab5ed93e42df84dc0b0e5f889cb98b Mon Sep 17 00:00:00 2001
+From 43418f21de72060932661242126fe611b6b17d84 Mon Sep 17 00:00:00 2001
From: Matt Rogers <mrogers@redhat.com>
Date: Tue, 28 Feb 2017 15:55:24 -0500
Subject: [PATCH] Add certauth pluggable interface
@@ -52,10 +52,10 @@ ticket: 8561 (new)
create mode 100644 src/tests/t_certauth.py
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
-index 653aad613..c0e4349c0 100644
+index 02a935961..1d9bc9e34 100644
--- a/doc/admin/conf_files/krb5_conf.rst
+++ b/doc/admin/conf_files/krb5_conf.rst
-@@ -858,6 +858,27 @@ built-in modules exist for this interface:
+@@ -859,6 +859,27 @@ built-in modules exist for this interface:
This module authorizes a principal to a local account if the
principal name maps to the local account name.
diff --git a/Add-hostname-based-ccselect-module.patch b/Add-hostname-based-ccselect-module.patch
index 87a83c1..b56b8d3 100644
--- a/Add-hostname-based-ccselect-module.patch
+++ b/Add-hostname-based-ccselect-module.patch
@@ -1,4 +1,4 @@
-From 624060dabcc06ea40847ffd98c9b05c66e65d6ba Mon Sep 17 00:00:00 2001
+From 632575ab12fc5d6c9bdc83cb8200fb8f4f422b83 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Wed, 23 Aug 2017 17:25:17 -0400
Subject: [PATCH] Add hostname-based ccselect module
@@ -21,10 +21,10 @@ ticket: 8613 (new)
create mode 100644 src/lib/krb5/ccache/ccselect_hostname.c
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
-index c0e4349c0..5f1de2e50 100644
+index 1d9bc9e34..9c1ee94a4 100644
--- a/doc/admin/conf_files/krb5_conf.rst
+++ b/doc/admin/conf_files/krb5_conf.rst
-@@ -744,6 +744,10 @@ disabled with the disable tag):
+@@ -745,6 +745,10 @@ disabled with the disable tag):
Uses the service realm to guess an appropriate cache from the
collection
diff --git a/Add-k5test-expected_msg-expected_trace.patch b/Add-k5test-expected_msg-expected_trace.patch
index 8caf99c..16c1012 100644
--- a/Add-k5test-expected_msg-expected_trace.patch
+++ b/Add-k5test-expected_msg-expected_trace.patch
@@ -1,4 +1,4 @@
-From 1f7e1ce67d885bce613030099df9a95e7671055e Mon Sep 17 00:00:00 2001
+From 9c6f61e30e11eca5c04daa3f0dce398602ef5801 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 17 Jan 2017 11:24:41 -0500
Subject: [PATCH] Add k5test expected_msg, expected_trace
@@ -17,7 +17,7 @@ substrings in the trace output.
2 files changed, 35 insertions(+), 4 deletions(-)
diff --git a/src/config/post.in b/src/config/post.in
-index 77a9bffdf..aecac9d3b 100644
+index 7c7d86dc9..3643abad1 100644
--- a/src/config/post.in
+++ b/src/config/post.in
@@ -156,7 +156,7 @@ clean: clean-$(WHAT)
diff --git a/Add-support-to-query-the-SSF-of-a-GSS-context.patch b/Add-support-to-query-the-SSF-of-a-GSS-context.patch
index 294f8c2..299b0a4 100644
--- a/Add-support-to-query-the-SSF-of-a-GSS-context.patch
+++ b/Add-support-to-query-the-SSF-of-a-GSS-context.patch
@@ -1,4 +1,4 @@
-From 2a7ea306e35a35296314484eec9eff5d8e38f02a Mon Sep 17 00:00:00 2001
+From a3408731e3d73f99028f20c3f33caa5a411b430c Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 30 Mar 2017 11:27:09 -0400
Subject: [PATCH] Add support to query the SSF of a GSS context
diff --git a/Add-test-case-for-PKINIT-DH-renegotiation.patch b/Add-test-case-for-PKINIT-DH-renegotiation.patch
index e0ac29b..89d695d 100644
--- a/Add-test-case-for-PKINIT-DH-renegotiation.patch
+++ b/Add-test-case-for-PKINIT-DH-renegotiation.patch
@@ -1,4 +1,4 @@
-From 9cd133e626f114c9a11d6d731f7f97072d59e20f Mon Sep 17 00:00:00 2001
+From 5faadd66bb278bcc1c618e199444e3012eeec215 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Wed, 11 Jan 2017 10:49:30 -0500
Subject: [PATCH] Add test case for PKINIT DH renegotiation
diff --git a/Add-test-cert-generation-to-make-certs.sh.patch b/Add-test-cert-generation-to-make-certs.sh.patch
index d03a754..eb7df73 100644
--- a/Add-test-cert-generation-to-make-certs.sh.patch
+++ b/Add-test-cert-generation-to-make-certs.sh.patch
@@ -1,4 +1,4 @@
-From d81c0069df0f18574bc0beb7e45139f6d2bc3849 Mon Sep 17 00:00:00 2001
+From 5e3885e9d7c7cd2a19a291cdb1e54312ca7f7e1f Mon Sep 17 00:00:00 2001
From: Matt Rogers <mrogers@redhat.com>
Date: Mon, 5 Dec 2016 12:22:45 -0500
Subject: [PATCH] Add test cert generation to make-certs.sh
diff --git a/Add-test-cert-with-no-extensions.patch b/Add-test-cert-with-no-extensions.patch
index 3734700..1afd9a1 100644
--- a/Add-test-cert-with-no-extensions.patch
+++ b/Add-test-cert-with-no-extensions.patch
@@ -1,4 +1,4 @@
-From 03402d8462c44c16f85368c803c1a3823507e0f9 Mon Sep 17 00:00:00 2001
+From 565311d74c7532f9948b7b0b803f093aaa40afed Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Fri, 25 Aug 2017 12:33:33 -0400
Subject: [PATCH] Add test cert with no extensions
diff --git a/Add-the-client_name-kdcpreauth-callback.patch b/Add-the-client_name-kdcpreauth-callback.patch
index e75d7de..172f5e0 100644
--- a/Add-the-client_name-kdcpreauth-callback.patch
+++ b/Add-the-client_name-kdcpreauth-callback.patch
@@ -1,4 +1,4 @@
-From 405a88caf62483bd077f6d98aa5f1adc9fbdff64 Mon Sep 17 00:00:00 2001
+From 42469712239d3eb0e47d9aa306567464dd1f392a Mon Sep 17 00:00:00 2001
From: Matt Rogers <mrogers@redhat.com>
Date: Tue, 4 Apr 2017 16:54:56 -0400
Subject: [PATCH] Add the client_name() kdcpreauth callback
diff --git a/Add-timestamp-helper-functions.patch b/Add-timestamp-helper-functions.patch
index 0b36e0b..54e7f59 100644
--- a/Add-timestamp-helper-functions.patch
+++ b/Add-timestamp-helper-functions.patch
@@ -1,4 +1,4 @@
-From 38b7fbd7ee64a205c4dcfc345c30132e73f5b249 Mon Sep 17 00:00:00 2001
+From 9b50a75e97cbe9cc8c0a4e37158b56b58e966f25 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Sat, 22 Apr 2017 09:49:12 -0400
Subject: [PATCH] Add timestamp helper functions
diff --git a/Add-timestamp-tests.patch b/Add-timestamp-tests.patch
index b71ac48..ac64115 100644
--- a/Add-timestamp-tests.patch
+++ b/Add-timestamp-tests.patch
@@ -1,4 +1,4 @@
-From 1b351445b4b938f54025728ba786f05ee82c47d1 Mon Sep 17 00:00:00 2001
+From 3a06f6a3cfad62da6dd8878d3446003f8293c3ae Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Sat, 29 Apr 2017 17:30:36 -0400
Subject: [PATCH] Add timestamp tests
diff --git a/Add-y2038-documentation.patch b/Add-y2038-documentation.patch
index a87d6e4..693a1fb 100644
--- a/Add-y2038-documentation.patch
+++ b/Add-y2038-documentation.patch
@@ -1,4 +1,4 @@
-From ebedc35a70f184030c4aab32e782fa2a8610cf73 Mon Sep 17 00:00:00 2001
+From 69ca5ff168f24792924b3cab0a9f27ada3eb4c4b Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Thu, 4 May 2017 17:03:35 -0400
Subject: [PATCH] Add y2038 documentation
diff --git a/Allow-clock-skew-in-krb5-gss_context_time.patch b/Allow-clock-skew-in-krb5-gss_context_time.patch
deleted file mode 100644
index 99e9214..0000000
--- a/Allow-clock-skew-in-krb5-gss_context_time.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 2944d7c0fcc8d3a87d0bb6f544b4a04c358df732 Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson@mit.edu>
-Date: Sat, 22 Apr 2017 16:51:23 -0400
-Subject: [PATCH] Allow clock skew in krb5 gss_context_time()
-
-Commit b496ce4095133536e0ace36b74130e4b9ecb5e11 (ticket #8268) adds
-the clock skew to krb5 acceptor context lifetimes for
-gss_accept_sec_context() and gss_inquire_context(), but not for
-gss_context_time(). Add the clock skew in gss_context_time() as well.
-
-ticket: 8581 (new)
-target_version: 1.14-next
-target_version: 1.15-next
-tags: pullup
-
-(cherry picked from commit b0a072e6431261734e7350996a363801f180e8ea)
----
- src/lib/gssapi/krb5/context_time.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/src/lib/gssapi/krb5/context_time.c b/src/lib/gssapi/krb5/context_time.c
-index a18cfb05b..450593288 100644
---- a/src/lib/gssapi/krb5/context_time.c
-+++ b/src/lib/gssapi/krb5/context_time.c
-@@ -51,7 +51,10 @@ krb5_gss_context_time(minor_status, context_handle, time_rec)
- return(GSS_S_FAILURE);
- }
-
-- if ((lifetime = ctx->krb_times.endtime - now) <= 0) {
-+ lifetime = ctx->krb_times.endtime - now;
-+ if (!ctx->initiate)
-+ lifetime += ctx->k5_context->clockskew;
-+ if (lifetime <= 0) {
- *time_rec = 0;
- *minor_status = 0;
- return(GSS_S_CONTEXT_EXPIRED);
diff --git a/Build-with-Werror-implicit-int-where-supported.patch b/Build-with-Werror-implicit-int-where-supported.patch
index 800967f..30e3ba8 100644
--- a/Build-with-Werror-implicit-int-where-supported.patch
+++ b/Build-with-Werror-implicit-int-where-supported.patch
@@ -1,4 +1,4 @@
-From b87501b9051a1befbd84165295b8ed775adafd62 Mon Sep 17 00:00:00 2001
+From 5f2ea38f7ecd60184e510558bdb551d0153432e0 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 10 Nov 2016 13:20:49 -0500
Subject: [PATCH] Build with -Werror-implicit-int where supported
diff --git a/Convert-some-pkiDebug-messages-to-TRACE-macros.patch b/Convert-some-pkiDebug-messages-to-TRACE-macros.patch
index e78029f..e9e27df 100644
--- a/Convert-some-pkiDebug-messages-to-TRACE-macros.patch
+++ b/Convert-some-pkiDebug-messages-to-TRACE-macros.patch
@@ -1,4 +1,4 @@
-From 4dcab7d706331b469678f3a516cd67fffd331058 Mon Sep 17 00:00:00 2001
+From 686fa6476eb759532d566794fa8d430774d44cf7 Mon Sep 17 00:00:00 2001
From: Matt Rogers <mrogers@redhat.com>
Date: Wed, 29 Mar 2017 10:35:13 -0400
Subject: [PATCH] Convert some pkiDebug messages to TRACE macros
diff --git a/Correct-error-handling-bug-in-prior-commit.patch b/Correct-error-handling-bug-in-prior-commit.patch
index 8f66ad8..6878e8c 100644
--- a/Correct-error-handling-bug-in-prior-commit.patch
+++ b/Correct-error-handling-bug-in-prior-commit.patch
@@ -1,4 +1,4 @@
-From 7fa2848a550bda947a6e425babb3f529b7e28ab6 Mon Sep 17 00:00:00 2001
+From 08d995aaf48e75c174525ae0b47e12c3170b3f5f Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Thu, 23 Mar 2017 13:42:55 -0400
Subject: [PATCH] Correct error handling bug in prior commit
diff --git a/Deindent-crypto_retrieve_X509_sans.patch b/Deindent-crypto_retrieve_X509_sans.patch
index 240dabb..9262e7d 100644
--- a/Deindent-crypto_retrieve_X509_sans.patch
+++ b/Deindent-crypto_retrieve_X509_sans.patch
@@ -1,4 +1,4 @@
-From ca1ab893b3590ab887f7c0f4a41ad6b2fddf3421 Mon Sep 17 00:00:00 2001
+From d5462c96c9918ffa7d3f05de310c5aed34181941 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Wed, 4 Jan 2017 11:33:57 -0500
Subject: [PATCH] Deindent crypto_retrieve_X509_sans()
diff --git a/Fix-bugs-in-kdcpolicy-commit.patch b/Fix-bugs-in-kdcpolicy-commit.patch
index b4ccadb..c4c50a1 100644
--- a/Fix-bugs-in-kdcpolicy-commit.patch
+++ b/Fix-bugs-in-kdcpolicy-commit.patch
@@ -1,4 +1,4 @@
-From 7ab7253c617364ffe8facd870e286c5876e6c30f Mon Sep 17 00:00:00 2001
+From c8c704cdaaa15a0908024f0917344048c0df5940 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Sat, 19 Aug 2017 19:09:24 -0400
Subject: [PATCH] Fix bugs in kdcpolicy commit
diff --git a/Fix-certauth-built-in-module-returns.patch b/Fix-certauth-built-in-module-returns.patch
index 0c6ac83..1c927d5 100644
--- a/Fix-certauth-built-in-module-returns.patch
+++ b/Fix-certauth-built-in-module-returns.patch
@@ -1,4 +1,4 @@
-From d507d9a78e12418f83c6db6e22052543f3e5db37 Mon Sep 17 00:00:00 2001
+From 0d93e336e2cb8319bfd3e0fa096e5ee8ea3bbbbf Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Thu, 24 Aug 2017 11:11:46 -0400
Subject: [PATCH] Fix certauth built-in module returns
diff --git a/Fix-in_clock_skew-and-use-it-in-AS-client-code.patch b/Fix-in_clock_skew-and-use-it-in-AS-client-code.patch
index 2547891..a8a53cf 100644
--- a/Fix-in_clock_skew-and-use-it-in-AS-client-code.patch
+++ b/Fix-in_clock_skew-and-use-it-in-AS-client-code.patch
@@ -1,4 +1,4 @@
-From b0351efa57654f06477ab7540e6c0624e3a64f4e Mon Sep 17 00:00:00 2001
+From e2d34698687c00504b83e1c0deb56dc6232bef42 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Mon, 24 Apr 2017 02:02:36 -0400
Subject: [PATCH] Fix in_clock_skew() and use it in AS client code
diff --git a/Fix-leaks-in-gss_inquire_cred_by_oid.patch b/Fix-leaks-in-gss_inquire_cred_by_oid.patch
deleted file mode 100644
index f4ede77..0000000
--- a/Fix-leaks-in-gss_inquire_cred_by_oid.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From e53073b6e1d36b682d8524fcfaec7bdf56b7f81e Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson@mit.edu>
-Date: Sun, 12 Mar 2017 12:30:59 -0400
-Subject: [PATCH] Fix leaks in gss_inquire_cred_by_oid()
-
-In the mechglue gss_inquire_cred_by_oid(), remove an unnecessary
-allocation of ret_set which is overwritten by the first mechanism's
-result.
-
-ticket: 8559 (new)
-target_version: 1.15-next
-target_version: 1.14-next
-tags: pullup
-
-(cherry picked from commit 0d39d46852587d36fcc5024d5766586faba9044a)
----
- src/lib/gssapi/mechglue/g_inq_cred_oid.c | 5 -----
- 1 file changed, 5 deletions(-)
-
-diff --git a/src/lib/gssapi/mechglue/g_inq_cred_oid.c b/src/lib/gssapi/mechglue/g_inq_cred_oid.c
-index 4c23dfcbd..df51b44e9 100644
---- a/src/lib/gssapi/mechglue/g_inq_cred_oid.c
-+++ b/src/lib/gssapi/mechglue/g_inq_cred_oid.c
-@@ -85,11 +85,6 @@ gss_inquire_cred_by_oid(OM_uint32 *minor_status,
-
- union_cred = (gss_union_cred_t) cred_handle;
-
-- status = gss_create_empty_buffer_set(minor_status, &ret_set);
-- if (status != GSS_S_COMPLETE) {
-- return status;
-- }
--
- status = GSS_S_UNAVAILABLE;
-
- for (i = 0; i < union_cred->count; i++) {
diff --git a/Fix-more-time-manipulations-for-y2038.patch b/Fix-more-time-manipulations-for-y2038.patch
index c202b96..a57a64c 100644
--- a/Fix-more-time-manipulations-for-y2038.patch
+++ b/Fix-more-time-manipulations-for-y2038.patch
@@ -1,4 +1,4 @@
-From c9fca85329f4b25509f83837239bf882841caccc Mon Sep 17 00:00:00 2001
+From 7b28a408650c58d0ea98fddab5034642af32fdaf Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Wed, 17 May 2017 14:52:09 -0400
Subject: [PATCH] Fix more time manipulations for y2038
diff --git a/Improve-PKINIT-UPN-SAN-matching.patch b/Improve-PKINIT-UPN-SAN-matching.patch
index d4bcc2f..26b27f1 100644
--- a/Improve-PKINIT-UPN-SAN-matching.patch
+++ b/Improve-PKINIT-UPN-SAN-matching.patch
@@ -1,4 +1,4 @@
-From 84e4545db26e31ae69da8559128513157f533858 Mon Sep 17 00:00:00 2001
+From 03265620488b84238c31170356b5f41c80f0e9d9 Mon Sep 17 00:00:00 2001
From: Matt Rogers <mrogers@redhat.com>
Date: Mon, 5 Dec 2016 12:17:59 -0500
Subject: [PATCH] Improve PKINIT UPN SAN matching
diff --git a/Make-timestamp-manipulations-y2038-safe.patch b/Make-timestamp-manipulations-y2038-safe.patch
index 7c899ad..26bff26 100644
--- a/Make-timestamp-manipulations-y2038-safe.patch
+++ b/Make-timestamp-manipulations-y2038-safe.patch
@@ -1,4 +1,4 @@
-From 0c0fe06500401d694a4720544c7ed661275d819e Mon Sep 17 00:00:00 2001
+From ac30f4753f157dafe93df2941a216fde591fcb69 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Sat, 22 Apr 2017 12:52:17 -0400
Subject: [PATCH] Make timestamp manipulations y2038-safe
@@ -766,7 +766,7 @@ index 2dc4d0c1a..bb1072fe4 100644
/* Make an AS request if we have no creds or it's time to refresh them. */
diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c
-index 70f7955ae..8e5cc37fb 100644
+index 2a7467f54..1be1b5878 100644
--- a/src/lib/gssapi/krb5/init_sec_context.c
+++ b/src/lib/gssapi/krb5/init_sec_context.c
@@ -214,7 +214,8 @@ static krb5_error_code get_credentials(context, cred, server, now,
@@ -779,7 +779,7 @@ index 70f7955ae..8e5cc37fb 100644
code = KRB5KRB_AP_ERR_TKT_EXPIRED;
goto cleanup;
}
-@@ -575,7 +576,7 @@ kg_new_connection(
+@@ -573,7 +574,7 @@ kg_new_connection(
if (time_req == 0 || time_req == GSS_C_INDEFINITE) {
ctx->krb_times.endtime = 0;
} else {
@@ -788,7 +788,7 @@ index 70f7955ae..8e5cc37fb 100644
}
if ((code = kg_duplicate_name(context, cred->name, &ctx->here)))
-@@ -659,7 +660,7 @@ kg_new_connection(
+@@ -657,7 +658,7 @@ kg_new_connection(
if (time_rec) {
if ((code = krb5_timeofday(context, &now)))
goto cleanup;
@@ -797,7 +797,7 @@ index 70f7955ae..8e5cc37fb 100644
}
/* set the other returns */
-@@ -873,7 +874,7 @@ mutual_auth(
+@@ -871,7 +872,7 @@ mutual_auth(
if (time_rec) {
if ((code = krb5_timeofday(context, &now)))
goto fail;
@@ -879,7 +879,7 @@ index 408b0eb31..1680a5504 100644
time_string = ctime(&until);
if (*(ptr = &time_string[strlen(time_string)-1]) == '\n')
diff --git a/src/lib/kadm5/srv/server_acl.c b/src/lib/kadm5/srv/server_acl.c
-index 59ed0b975..656dddff5 100644
+index 3c2844d14..c4bb16dc7 100644
--- a/src/lib/kadm5/srv/server_acl.c
+++ b/src/lib/kadm5/srv/server_acl.c
@@ -408,13 +408,14 @@ kadm5int_acl_impose_restrictions(kcontext, recp, maskp, rp)
@@ -900,7 +900,7 @@ index 59ed0b975..656dddff5 100644
*maskp |= KADM5_PW_EXPIRATION;
}
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
-index 0640b47c4..f4a9a2ad2 100644
+index 8f4da0e52..137e1fb64 100644
--- a/src/lib/kadm5/srv/svr_principal.c
+++ b/src/lib/kadm5/srv/svr_principal.c
@@ -400,7 +400,7 @@ kadm5_create_principal_3(void *server_handle,
@@ -948,7 +948,7 @@ index 0640b47c4..f4a9a2ad2 100644
else
kdb->pw_expiration = 0;
} else {
-@@ -2024,7 +2024,7 @@ kadm5_setkey_principal_4(void *server_handle, krb5_principal principal,
+@@ -2027,7 +2027,7 @@ kadm5_setkey_principal_4(void *server_handle, krb5_principal principal,
}
if (have_pol) {
if (pol.pw_max_life)
@@ -958,10 +958,10 @@ index 0640b47c4..f4a9a2ad2 100644
kdb->pw_expiration = 0;
} else {
diff --git a/src/lib/kdb/kdb5.c b/src/lib/kdb/kdb5.c
-index 4adf0fcbb..7f33c7e68 100644
+index 690725765..07392572e 100644
--- a/src/lib/kdb/kdb5.c
+++ b/src/lib/kdb/kdb5.c
-@@ -1296,7 +1296,7 @@ find_actkvno(krb5_actkvno_node *list, krb5_timestamp now)
+@@ -1297,7 +1297,7 @@ find_actkvno(krb5_actkvno_node *list, krb5_timestamp now)
* are in the future, we will return the first node; if all are in the
* past, we will return the last node.
*/
diff --git a/Preserve-GSS-context-on-init-accept-failure.patch b/Preserve-GSS-context-on-init-accept-failure.patch
deleted file mode 100644
index 7166561..0000000
--- a/Preserve-GSS-context-on-init-accept-failure.patch
+++ /dev/null
@@ -1,413 +0,0 @@
-From d730a62c2d3f6f75a0fa28b7a8c952fb29dd7aa0 Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson@mit.edu>
-Date: Fri, 14 Jul 2017 13:02:46 -0400
-Subject: [PATCH] Preserve GSS context on init/accept failure
-
-After gss_init_sec_context() or gss_accept_sec_context() has created a
-context, don't delete the mechglue context on failures from subsequent
-calls, even if the mechanism deletes the mech-specific context (which
-is allowed by RFC 2744 but not preferred). Check for union contexts
-with no mechanism context in each GSS function which accepts a
-gss_ctx_id_t.
-
-CVE-2017-11462:
-
-RFC 2744 permits a GSS-API implementation to delete an existing
-security context on a second or subsequent call to
-gss_init_sec_context() or gss_accept_sec_context() if the call results
-in an error. This API behavior has been found to be dangerous,
-leading to the possibility of memory errors in some callers. For
-safety, GSS-API implementations should instead preserve existing
-security contexts on error until the caller deletes them.
-
-All versions of MIT krb5 prior to this change may delete acceptor
-contexts on error. Versions 1.13.4 through 1.13.7, 1.14.1 through
-1.14.5, and 1.15 through 1.15.1 may also delete initiator contexts on
-error.
-
-ticket: 8598 (new)
-target_version: 1.15-next
-target_version: 1.14-next
-tags: pullup
-
-(cherry picked from commit 56f7b1bc95a2a3eeb420e069e7655fb181ade5cf)
----
- src/lib/gssapi/mechglue/g_accept_sec_context.c | 22 +++++++++++++++-------
- src/lib/gssapi/mechglue/g_complete_auth_token.c | 2 ++
- src/lib/gssapi/mechglue/g_context_time.c | 2 ++
- src/lib/gssapi/mechglue/g_delete_sec_context.c | 14 ++++++++------
- src/lib/gssapi/mechglue/g_exp_sec_context.c | 2 ++
- src/lib/gssapi/mechglue/g_init_sec_context.c | 19 +++++++++++--------
- src/lib/gssapi/mechglue/g_inq_context.c | 2 ++
- src/lib/gssapi/mechglue/g_prf.c | 2 ++
- src/lib/gssapi/mechglue/g_process_context.c | 2 ++
- src/lib/gssapi/mechglue/g_seal.c | 4 ++++
- src/lib/gssapi/mechglue/g_sign.c | 2 ++
- src/lib/gssapi/mechglue/g_unseal.c | 2 ++
- src/lib/gssapi/mechglue/g_unwrap_aead.c | 2 ++
- src/lib/gssapi/mechglue/g_unwrap_iov.c | 4 ++++
- src/lib/gssapi/mechglue/g_verify.c | 2 ++
- src/lib/gssapi/mechglue/g_wrap_aead.c | 2 ++
- src/lib/gssapi/mechglue/g_wrap_iov.c | 8 ++++++++
- 17 files changed, 72 insertions(+), 21 deletions(-)
-
-diff --git a/src/lib/gssapi/mechglue/g_accept_sec_context.c b/src/lib/gssapi/mechglue/g_accept_sec_context.c
-index ddaf87412..f28e2b14a 100644
---- a/src/lib/gssapi/mechglue/g_accept_sec_context.c
-+++ b/src/lib/gssapi/mechglue/g_accept_sec_context.c
-@@ -216,6 +216,8 @@ gss_cred_id_t * d_cred;
- } else {
- union_ctx_id = (gss_union_ctx_id_t)*context_handle;
- selected_mech = union_ctx_id->mech_type;
-+ if (union_ctx_id->internal_ctx_id == GSS_C_NO_CONTEXT)
-+ return (GSS_S_NO_CONTEXT);
- }
-
- /* Now create a new context if we didn't get one. */
-@@ -234,9 +236,6 @@ gss_cred_id_t * d_cred;
- free(union_ctx_id);
- return (status);
- }
--
-- /* set the new context handle to caller's data */
-- *context_handle = (gss_ctx_id_t)union_ctx_id;
- }
-
- /*
-@@ -277,8 +276,10 @@ gss_cred_id_t * d_cred;
- d_cred ? &tmp_d_cred : NULL);
-
- /* If there's more work to do, keep going... */
-- if (status == GSS_S_CONTINUE_NEEDED)
-+ if (status == GSS_S_CONTINUE_NEEDED) {
-+ *context_handle = (gss_ctx_id_t)union_ctx_id;
- return GSS_S_CONTINUE_NEEDED;
-+ }
-
- /* if the call failed, return with failure */
- if (status != GSS_S_COMPLETE) {
-@@ -364,14 +365,22 @@ gss_cred_id_t * d_cred;
- *mech_type = gssint_get_public_oid(actual_mech);
- if (ret_flags != NULL)
- *ret_flags = temp_ret_flags;
-- return (status);
-+ *context_handle = (gss_ctx_id_t)union_ctx_id;
-+ return GSS_S_COMPLETE;
- } else {
-
- status = GSS_S_BAD_MECH;
- }
-
- error_out:
-- if (union_ctx_id) {
-+ /*
-+ * RFC 2744 5.1 requires that we not create a context on a failed first
-+ * call to accept, and recommends that on a failed subsequent call we
-+ * make the caller responsible for calling gss_delete_sec_context.
-+ * Even if the mech deleted its context, keep the union context around
-+ * for the caller to delete.
-+ */
-+ if (union_ctx_id && *context_handle == GSS_C_NO_CONTEXT) {
- if (union_ctx_id->mech_type) {
- if (union_ctx_id->mech_type->elements)
- free(union_ctx_id->mech_type->elements);
-@@ -384,7 +393,6 @@ error_out:
- GSS_C_NO_BUFFER);
- }
- free(union_ctx_id);
-- *context_handle = GSS_C_NO_CONTEXT;
- }
-
- if (src_name)
-diff --git a/src/lib/gssapi/mechglue/g_complete_auth_token.c b/src/lib/gssapi/mechglue/g_complete_auth_token.c
-index 918155130..4bcb47e84 100644
---- a/src/lib/gssapi/mechglue/g_complete_auth_token.c
-+++ b/src/lib/gssapi/mechglue/g_complete_auth_token.c
-@@ -52,6 +52,8 @@ gss_complete_auth_token (OM_uint32 *minor_status,
- */
-
- ctx = (gss_union_ctx_id_t) context_handle;
-+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
-+ return GSS_S_NO_CONTEXT;
- mech = gssint_get_mechanism (ctx->mech_type);
-
- if (mech != NULL) {
-diff --git a/src/lib/gssapi/mechglue/g_context_time.c b/src/lib/gssapi/mechglue/g_context_time.c
-index 2ff8d0996..c947e7646 100644
---- a/src/lib/gssapi/mechglue/g_context_time.c
-+++ b/src/lib/gssapi/mechglue/g_context_time.c
-@@ -58,6 +58,8 @@ OM_uint32 * time_rec;
- */
-
- ctx = (gss_union_ctx_id_t) context_handle;
-+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
-+ return (GSS_S_NO_CONTEXT);
- mech = gssint_get_mechanism (ctx->mech_type);
-
- if (mech) {
-diff --git a/src/lib/gssapi/mechglue/g_delete_sec_context.c b/src/lib/gssapi/mechglue/g_delete_sec_context.c
-index 4bf0dec5c..574ff0294 100644
---- a/src/lib/gssapi/mechglue/g_delete_sec_context.c
-+++ b/src/lib/gssapi/mechglue/g_delete_sec_context.c
-@@ -87,12 +87,14 @@ gss_buffer_t output_token;
- if (GSSINT_CHK_LOOP(ctx))
- return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_NO_CONTEXT);
-
-- status = gssint_delete_internal_sec_context(minor_status,
-- ctx->mech_type,
-- &ctx->internal_ctx_id,
-- output_token);
-- if (status)
-- return status;
-+ if (ctx->internal_ctx_id != GSS_C_NO_CONTEXT) {
-+ status = gssint_delete_internal_sec_context(minor_status,
-+ ctx->mech_type,
-+ &ctx->internal_ctx_id,
-+ output_token);
-+ if (status)
-+ return status;
-+ }
-
- /* now free up the space for the union context structure */
- free(ctx->mech_type->elements);
-diff --git a/src/lib/gssapi/mechglue/g_exp_sec_context.c b/src/lib/gssapi/mechglue/g_exp_sec_context.c
-index b63745299..1d7990b1c 100644
---- a/src/lib/gssapi/mechglue/g_exp_sec_context.c
-+++ b/src/lib/gssapi/mechglue/g_exp_sec_context.c
-@@ -95,6 +95,8 @@ gss_buffer_t interprocess_token;
- */
-
- ctx = (gss_union_ctx_id_t) *context_handle;
-+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
-+ return (GSS_S_NO_CONTEXT);
- mech = gssint_get_mechanism (ctx->mech_type);
- if (!mech)
- return GSS_S_BAD_MECH;
-diff --git a/src/lib/gssapi/mechglue/g_init_sec_context.c b/src/lib/gssapi/mechglue/g_init_sec_context.c
-index 9f154b893..e2df1ce26 100644
---- a/src/lib/gssapi/mechglue/g_init_sec_context.c
-+++ b/src/lib/gssapi/mechglue/g_init_sec_context.c
-@@ -192,8 +192,13 @@ OM_uint32 * time_rec;
-
- /* copy the supplied context handle */
- union_ctx_id->internal_ctx_id = GSS_C_NO_CONTEXT;
-- } else
-+ } else {
- union_ctx_id = (gss_union_ctx_id_t)*context_handle;
-+ if (union_ctx_id->internal_ctx_id == GSS_C_NO_CONTEXT) {
-+ status = GSS_S_NO_CONTEXT;
-+ goto end;
-+ }
-+ }
-
- /*
- * get the appropriate cred handle from the union cred struct.
-@@ -224,15 +229,13 @@ OM_uint32 * time_rec;
-
- if (status != GSS_S_COMPLETE && status != GSS_S_CONTINUE_NEEDED) {
- /*
-- * The spec says the preferred method is to delete all context info on
-- * the first call to init, and on all subsequent calls make the caller
-- * responsible for calling gss_delete_sec_context. However, if the
-- * mechanism decided to delete the internal context, we should also
-- * delete the union context.
-+ * RFC 2744 5.19 requires that we not create a context on a failed
-+ * first call to init, and recommends that on a failed subsequent call
-+ * we make the caller responsible for calling gss_delete_sec_context.
-+ * Even if the mech deleted its context, keep the union context around
-+ * for the caller to delete.
- */
- map_error(minor_status, mech);
-- if (union_ctx_id->internal_ctx_id == GSS_C_NO_CONTEXT)
-- *context_handle = GSS_C_NO_CONTEXT;
- if (*context_handle == GSS_C_NO_CONTEXT) {
- free(union_ctx_id->mech_type->elements);
- free(union_ctx_id->mech_type);
-diff --git a/src/lib/gssapi/mechglue/g_inq_context.c b/src/lib/gssapi/mechglue/g_inq_context.c
-index 6f1c71eed..6c0d98dd3 100644
---- a/src/lib/gssapi/mechglue/g_inq_context.c
-+++ b/src/lib/gssapi/mechglue/g_inq_context.c
-@@ -104,6 +104,8 @@ gss_inquire_context(
- */
-
- ctx = (gss_union_ctx_id_t) context_handle;
-+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
-+ return (GSS_S_NO_CONTEXT);
- mech = gssint_get_mechanism (ctx->mech_type);
-
- if (!mech || !mech->gss_inquire_context || !mech->gss_display_name ||
-diff --git a/src/lib/gssapi/mechglue/g_prf.c b/src/lib/gssapi/mechglue/g_prf.c
-index fcca3e44c..9e168adfe 100644
---- a/src/lib/gssapi/mechglue/g_prf.c
-+++ b/src/lib/gssapi/mechglue/g_prf.c
-@@ -59,6 +59,8 @@ gss_pseudo_random (OM_uint32 *minor_status,
- */
-
- ctx = (gss_union_ctx_id_t) context_handle;
-+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
-+ return GSS_S_NO_CONTEXT;
- mech = gssint_get_mechanism (ctx->mech_type);
-
- if (mech != NULL) {
-diff --git a/src/lib/gssapi/mechglue/g_process_context.c b/src/lib/gssapi/mechglue/g_process_context.c
-index bc260aeb1..3968b5d9c 100644
---- a/src/lib/gssapi/mechglue/g_process_context.c
-+++ b/src/lib/gssapi/mechglue/g_process_context.c
-@@ -61,6 +61,8 @@ gss_buffer_t token_buffer;
- */
-
- ctx = (gss_union_ctx_id_t) context_handle;
-+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
-+ return (GSS_S_NO_CONTEXT);
- mech = gssint_get_mechanism (ctx->mech_type);
-
- if (mech) {
-diff --git a/src/lib/gssapi/mechglue/g_seal.c b/src/lib/gssapi/mechglue/g_seal.c
-index f17241c90..3db1ee095 100644
---- a/src/lib/gssapi/mechglue/g_seal.c
-+++ b/src/lib/gssapi/mechglue/g_seal.c
-@@ -92,6 +92,8 @@ gss_wrap( OM_uint32 *minor_status,
- */
-
- ctx = (gss_union_ctx_id_t) context_handle;
-+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
-+ return (GSS_S_NO_CONTEXT);
- mech = gssint_get_mechanism (ctx->mech_type);
-
- if (mech) {
-@@ -226,6 +228,8 @@ gss_wrap_size_limit(OM_uint32 *minor_status,
- */
-
- ctx = (gss_union_ctx_id_t) context_handle;
-+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
-+ return (GSS_S_NO_CONTEXT);
- mech = gssint_get_mechanism (ctx->mech_type);
-
- if (!mech)
-diff --git a/src/lib/gssapi/mechglue/g_sign.c b/src/lib/gssapi/mechglue/g_sign.c
-index 86d641aa2..03fbd8c01 100644
---- a/src/lib/gssapi/mechglue/g_sign.c
-+++ b/src/lib/gssapi/mechglue/g_sign.c
-@@ -94,6 +94,8 @@ gss_buffer_t msg_token;
- */
-
- ctx = (gss_union_ctx_id_t) context_handle;
-+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
-+ return (GSS_S_NO_CONTEXT);
- mech = gssint_get_mechanism (ctx->mech_type);
-
- if (mech) {
-diff --git a/src/lib/gssapi/mechglue/g_unseal.c b/src/lib/gssapi/mechglue/g_unseal.c
-index 3e8053c6e..c208635b6 100644
---- a/src/lib/gssapi/mechglue/g_unseal.c
-+++ b/src/lib/gssapi/mechglue/g_unseal.c
-@@ -76,6 +76,8 @@ gss_qop_t * qop_state;
- * call it.
- */
- ctx = (gss_union_ctx_id_t) context_handle;
-+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
-+ return (GSS_S_NO_CONTEXT);
- mech = gssint_get_mechanism (ctx->mech_type);
-
- if (mech) {
-diff --git a/src/lib/gssapi/mechglue/g_unwrap_aead.c b/src/lib/gssapi/mechglue/g_unwrap_aead.c
-index e78bff2d3..0682bd899 100644
---- a/src/lib/gssapi/mechglue/g_unwrap_aead.c
-+++ b/src/lib/gssapi/mechglue/g_unwrap_aead.c
-@@ -186,6 +186,8 @@ gss_qop_t *qop_state;
- * call it.
- */
- ctx = (gss_union_ctx_id_t) context_handle;
-+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
-+ return (GSS_S_NO_CONTEXT);
- mech = gssint_get_mechanism (ctx->mech_type);
-
- if (!mech)
-diff --git a/src/lib/gssapi/mechglue/g_unwrap_iov.c b/src/lib/gssapi/mechglue/g_unwrap_iov.c
-index c0dd314b1..599be2c7b 100644
---- a/src/lib/gssapi/mechglue/g_unwrap_iov.c
-+++ b/src/lib/gssapi/mechglue/g_unwrap_iov.c
-@@ -89,6 +89,8 @@ int iov_count;
- */
-
- ctx = (gss_union_ctx_id_t) context_handle;
-+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
-+ return (GSS_S_NO_CONTEXT);
- mech = gssint_get_mechanism (ctx->mech_type);
-
- if (mech) {
-@@ -128,6 +130,8 @@ gss_verify_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
-
- /* Select the approprate underlying mechanism routine and call it. */
- ctx = (gss_union_ctx_id_t)context_handle;
-+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
-+ return GSS_S_NO_CONTEXT;
- mech = gssint_get_mechanism(ctx->mech_type);
- if (mech == NULL)
- return GSS_S_BAD_MECH;
-diff --git a/src/lib/gssapi/mechglue/g_verify.c b/src/lib/gssapi/mechglue/g_verify.c
-index 1578ae111..8996fce8d 100644
---- a/src/lib/gssapi/mechglue/g_verify.c
-+++ b/src/lib/gssapi/mechglue/g_verify.c
-@@ -65,6 +65,8 @@ gss_qop_t * qop_state;
- */
-
- ctx = (gss_union_ctx_id_t) context_handle;
-+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
-+ return (GSS_S_NO_CONTEXT);
- mech = gssint_get_mechanism (ctx->mech_type);
-
- if (mech) {
-diff --git a/src/lib/gssapi/mechglue/g_wrap_aead.c b/src/lib/gssapi/mechglue/g_wrap_aead.c
-index 96cdf3ce6..7fe3b7b35 100644
---- a/src/lib/gssapi/mechglue/g_wrap_aead.c
-+++ b/src/lib/gssapi/mechglue/g_wrap_aead.c
-@@ -256,6 +256,8 @@ gss_buffer_t output_message_buffer;
- * call it.
- */
- ctx = (gss_union_ctx_id_t)context_handle;
-+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
-+ return (GSS_S_NO_CONTEXT);
- mech = gssint_get_mechanism (ctx->mech_type);
- if (!mech)
- return (GSS_S_BAD_MECH);
-diff --git a/src/lib/gssapi/mechglue/g_wrap_iov.c b/src/lib/gssapi/mechglue/g_wrap_iov.c
-index 40cd98fc9..14447c4ee 100644
---- a/src/lib/gssapi/mechglue/g_wrap_iov.c
-+++ b/src/lib/gssapi/mechglue/g_wrap_iov.c
-@@ -93,6 +93,8 @@ int iov_count;
- */
-
- ctx = (gss_union_ctx_id_t) context_handle;
-+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
-+ return (GSS_S_NO_CONTEXT);
- mech = gssint_get_mechanism (ctx->mech_type);
-
- if (mech) {
-@@ -151,6 +153,8 @@ int iov_count;
- */
-
- ctx = (gss_union_ctx_id_t) context_handle;
-+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
-+ return (GSS_S_NO_CONTEXT);
- mech = gssint_get_mechanism (ctx->mech_type);
-
- if (mech) {
-@@ -190,6 +194,8 @@ gss_get_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
-
- /* Select the approprate underlying mechanism routine and call it. */
- ctx = (gss_union_ctx_id_t)context_handle;
-+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
-+ return GSS_S_NO_CONTEXT;
- mech = gssint_get_mechanism(ctx->mech_type);
- if (mech == NULL)
- return GSS_S_BAD_MECH;
-@@ -218,6 +224,8 @@ gss_get_mic_iov_length(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
-
- /* Select the approprate underlying mechanism routine and call it. */
- ctx = (gss_union_ctx_id_t)context_handle;
-+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
-+ return GSS_S_NO_CONTEXT;
- mech = gssint_get_mechanism(ctx->mech_type);
- if (mech == NULL)
- return GSS_S_BAD_MECH;
diff --git a/Prevent-KDC-unset-status-assertion-failures.patch b/Prevent-KDC-unset-status-assertion-failures.patch
deleted file mode 100644
index c259e3f..0000000
--- a/Prevent-KDC-unset-status-assertion-failures.patch
+++ /dev/null
@@ -1,109 +0,0 @@
-From af6570ad6c306fe8e2bf425810236dd8c6271885 Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson@mit.edu>
-Date: Thu, 13 Jul 2017 12:14:20 -0400
-Subject: [PATCH] Prevent KDC unset status assertion failures
-
-Assign status values if S4U2Self padata fails to decode, if an
-S4U2Proxy request uses invalid KDC options, or if an S4U2Proxy request
-uses an evidence ticket which does not match the canonicalized request
-server principal name. Reported by Samuel Cabrero.
-
-If a status value is not assigned during KDC processing, default to
-"UNKNOWN_REASON" rather than failing an assertion. This change will
-prevent future denial of service bugs due to similar mistakes, and
-will allow us to omit assigning status values for unlikely errors such
-as small memory allocation failures.
-
-CVE-2017-11368:
-
-In MIT krb5 1.7 and later, an authenticated attacker can cause an
-assertion failure in krb5kdc by sending an invalid S4U2Self or
-S4U2Proxy request.
-
- CVSSv3 Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
-
-ticket: 8599 (new)
-target_version: 1.15-next
-target_version: 1.14-next
-tags: pullup
-
-(cherry picked from commit a860385dd8fbd239fdb31b347e07f4e6b2fbdcc2)
----
- src/kdc/do_as_req.c | 4 ++--
- src/kdc/do_tgs_req.c | 3 ++-
- src/kdc/kdc_util.c | 10 ++++++++--
- 3 files changed, 12 insertions(+), 5 deletions(-)
-
-diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
-index 712ccb794..a4bf91b1b 100644
---- a/src/kdc/do_as_req.c
-+++ b/src/kdc/do_as_req.c
-@@ -365,8 +365,8 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
- did_log = 1;
-
- egress:
-- if (errcode != 0)
-- assert (state->status != 0);
-+ if (errcode != 0 && state->status == NULL)
-+ state->status = "UNKNOWN_REASON";
-
- au_state->status = state->status;
- au_state->reply = &state->reply;
-diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
-index 547a41441..339259fd1 100644
---- a/src/kdc/do_tgs_req.c
-+++ b/src/kdc/do_tgs_req.c
-@@ -823,7 +823,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
- free(reply.enc_part.ciphertext.data);
-
- cleanup:
-- assert(status != NULL);
-+ if (status == NULL)
-+ status = "UNKNOWN_REASON";
- if (reply_key)
- krb5_free_keyblock(kdc_context, reply_key);
- if (errcode)
-diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
-index 29f9dbbf0..30c501c67 100644
---- a/src/kdc/kdc_util.c
-+++ b/src/kdc/kdc_util.c
-@@ -1220,8 +1220,10 @@ kdc_process_for_user(kdc_realm_t *kdc_active_realm,
- req_data.data = (char *)pa_data->contents;
-
- code = decode_krb5_pa_for_user(&req_data, &for_user);
-- if (code)
-+ if (code) {
-+ *status = "DECODE_PA_FOR_USER";
- return code;
-+ }
-
- code = verify_for_user_checksum(kdc_context, tgs_session, for_user);
- if (code) {
-@@ -1320,8 +1322,10 @@ kdc_process_s4u_x509_user(krb5_context context,
- req_data.data = (char *)pa_data->contents;
-
- code = decode_krb5_pa_s4u_x509_user(&req_data, s4u_x509_user);
-- if (code)
-+ if (code) {
-+ *status = "DECODE_PA_S4U_X509_USER";
- return code;
-+ }
-
- code = verify_s4u_x509_user_checksum(context,
- tgs_subkey ? tgs_subkey :
-@@ -1624,6 +1628,7 @@ kdc_process_s4u2proxy_req(kdc_realm_t *kdc_active_realm,
- * that is validated previously in validate_tgs_request().
- */
- if (request->kdc_options & (NON_TGT_OPTION | KDC_OPT_ENC_TKT_IN_SKEY)) {
-+ *status = "INVALID_S4U2PROXY_OPTIONS";
- return KRB5KDC_ERR_BADOPTION;
- }
-
-@@ -1631,6 +1636,7 @@ kdc_process_s4u2proxy_req(kdc_realm_t *kdc_active_realm,
- if (!krb5_principal_compare(kdc_context,
- server->princ, /* after canon */
- server_princ)) {
-+ *status = "EVIDENCE_TICKET_MISMATCH";
- return KRB5KDC_ERR_SERVER_NOMATCH;
- }
-
diff --git a/Remove-incomplete-PKINIT-OCSP-support.patch b/Remove-incomplete-PKINIT-OCSP-support.patch
index 780353e..2f40965 100644
--- a/Remove-incomplete-PKINIT-OCSP-support.patch
+++ b/Remove-incomplete-PKINIT-OCSP-support.patch
@@ -1,4 +1,4 @@
-From 3a9d6156a57fb17285e238ec0633ea2b24db91d6 Mon Sep 17 00:00:00 2001
+From 466d09c9b2c456d663672cb6d5f661ef86e8536e Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Mon, 31 Jul 2017 16:03:41 -0400
Subject: [PATCH] Remove incomplete PKINIT OCSP support
@@ -19,7 +19,7 @@ ticket: 8603 (new)
5 files changed, 11 insertions(+), 20 deletions(-)
diff --git a/doc/admin/conf_files/kdc_conf.rst b/doc/admin/conf_files/kdc_conf.rst
-index 13077ecf4..a4b2a5432 100644
+index 4e54f7e1d..d00e7926c 100644
--- a/doc/admin/conf_files/kdc_conf.rst
+++ b/doc/admin/conf_files/kdc_conf.rst
@@ -765,9 +765,6 @@ For information about the syntax of some of these options, see
@@ -33,7 +33,7 @@ index 13077ecf4..a4b2a5432 100644
Specifies the location of intermediate certificates which may be
used by the KDC to complete the trust chain between a client's
diff --git a/src/man/kdc.conf.man b/src/man/kdc.conf.man
-index 10b333c38..166e68f9a 100644
+index d207ebd7f..c47da0117 100644
--- a/src/man/kdc.conf.man
+++ b/src/man/kdc.conf.man
@@ -886,9 +886,6 @@ Specifies an authentication indicator to include in the ticket if
diff --git a/Use-GSSAPI-fallback-skiptest.patch b/Use-GSSAPI-fallback-skiptest.patch
index 9071433..118df5a 100644
--- a/Use-GSSAPI-fallback-skiptest.patch
+++ b/Use-GSSAPI-fallback-skiptest.patch
@@ -1,4 +1,4 @@
-From ad17859c5d428be38bb51b6202e1ce256790beb5 Mon Sep 17 00:00:00 2001
+From 6d0b40b26e7fea1cd394618c1ab6d5e366bbc069 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Wed, 1 Mar 2017 17:46:22 -0500
Subject: [PATCH] Use GSSAPI fallback skiptest
diff --git a/Use-expected_msg-in-test-scripts.patch b/Use-expected_msg-in-test-scripts.patch
index 245e2b7..d4dc83e 100644
--- a/Use-expected_msg-in-test-scripts.patch
+++ b/Use-expected_msg-in-test-scripts.patch
@@ -1,4 +1,4 @@
-From 9b2d26cf4cfebdce46430a7ab891e3a7faad5f47 Mon Sep 17 00:00:00 2001
+From 24ac588502b1731a7fd2629804f8d9ed1668297e Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Wed, 18 Jan 2017 11:22:58 -0500
Subject: [PATCH] Use expected_msg in test scripts
diff --git a/Use-expected_trace-in-test-scripts.patch b/Use-expected_trace-in-test-scripts.patch
index 39807c8..74516ea 100644
--- a/Use-expected_trace-in-test-scripts.patch
+++ b/Use-expected_trace-in-test-scripts.patch
@@ -1,4 +1,4 @@
-From 52eeabfdeb9a91c6e4c7124b38fa6915df37f8bf Mon Sep 17 00:00:00 2001
+From 35a00879008457d21ccc6e623835976a21f5000b Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 17 Jan 2017 11:25:22 -0500
Subject: [PATCH] Use expected_trace in test scripts
diff --git a/Use-fallback-realm-for-GSSAPI-ccache-selection.patch b/Use-fallback-realm-for-GSSAPI-ccache-selection.patch
index 21fcb7f..bc0591a 100644
--- a/Use-fallback-realm-for-GSSAPI-ccache-selection.patch
+++ b/Use-fallback-realm-for-GSSAPI-ccache-selection.patch
@@ -1,4 +1,4 @@
-From 4963152dc973e8ff74f257f64b0960a7716b480c Mon Sep 17 00:00:00 2001
+From feee4c633a7db348ef99f1f0c99a5c2e6cb70f92 Mon Sep 17 00:00:00 2001
From: Matt Rogers <mrogers@redhat.com>
Date: Fri, 10 Feb 2017 12:53:42 -0500
Subject: [PATCH] Use fallback realm for GSSAPI ccache selection
diff --git a/Use-krb5_timestamp-where-appropriate.patch b/Use-krb5_timestamp-where-appropriate.patch
index 616ed67..c5b4c25 100644
--- a/Use-krb5_timestamp-where-appropriate.patch
+++ b/Use-krb5_timestamp-where-appropriate.patch
@@ -1,4 +1,4 @@
-From f0f0a503f58ed4f6ccf924751b356a70f515dd4b Mon Sep 17 00:00:00 2001
+From 0ae9141d53a8d9fe048542f89d17760990bd5bc4 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Wed, 17 May 2017 15:14:15 -0400
Subject: [PATCH] Use krb5_timestamp where appropriate
@@ -81,7 +81,7 @@ index 16a35d2be..4ecc23481 100644
retval = krb5_crypto_us_timeofday(&now, &now_usec);
diff --git a/src/lib/kadm5/srv/server_acl.c b/src/lib/kadm5/srv/server_acl.c
-index 656dddff5..c2cf69169 100644
+index c4bb16dc7..679fc7c41 100644
--- a/src/lib/kadm5/srv/server_acl.c
+++ b/src/lib/kadm5/srv/server_acl.c
@@ -375,7 +375,7 @@ kadm5int_acl_impose_restrictions(kcontext, recp, maskp, rp)
@@ -107,7 +107,7 @@ index 612553ba3..f4b8aef2b 100644
krb5_tl_data tl_data;
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
-index f4a9a2ad2..0d4f0a632 100644
+index 137e1fb64..89f34482b 100644
--- a/src/lib/kadm5/srv/svr_principal.c
+++ b/src/lib/kadm5/srv/svr_principal.c
@@ -296,7 +296,7 @@ kadm5_create_principal_3(void *server_handle,
@@ -146,7 +146,7 @@ index f4a9a2ad2..0d4f0a632 100644
kadm5_policy_ent_rec pol;
krb5_keysalt keysalt;
int i, kvno, ret;
-@@ -1888,7 +1888,7 @@ kadm5_setkey_principal_4(void *server_handle, krb5_principal principal,
+@@ -1891,7 +1891,7 @@ kadm5_setkey_principal_4(void *server_handle, krb5_principal principal,
{
krb5_db_entry *kdb;
osa_princ_ent_rec adb;
diff --git a/Use-the-canonical-client-principal-name-for-OTP.patch b/Use-the-canonical-client-principal-name-for-OTP.patch
index eba922a..c96aeb5 100644
--- a/Use-the-canonical-client-principal-name-for-OTP.patch
+++ b/Use-the-canonical-client-principal-name-for-OTP.patch
@@ -1,4 +1,4 @@
-From 1d729e7bd01cd0a5e4db0ba16fc5058b21b4abb2 Mon Sep 17 00:00:00 2001
+From 7998de0b9ccd0c8813159cc3f1d49fe107e3e0ba Mon Sep 17 00:00:00 2001
From: Matt Rogers <mrogers@redhat.com>
Date: Wed, 5 Apr 2017 16:48:55 -0400
Subject: [PATCH] Use the canonical client principal name for OTP
diff --git a/kerberos-adm.portreserve b/kerberos-adm.portreserve
deleted file mode 100644
index eb6080d..0000000
--- a/kerberos-adm.portreserve
+++ /dev/null
@@ -1 +0,0 @@
-kerberos-adm/tcp
diff --git a/krb5-1.11-kpasswdtest.patch b/krb5-1.11-kpasswdtest.patch
index 19fd77b..e68fb05 100644
--- a/krb5-1.11-kpasswdtest.patch
+++ b/krb5-1.11-kpasswdtest.patch
@@ -1,4 +1,4 @@
-From b932cd580f6c78bcec06620770444b480cb7899c Mon Sep 17 00:00:00 2001
+From fb8f32ebdf3293d8a6bdb9478fe1f902a399ba7a Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:52:01 -0400
Subject: [PATCH] krb5-1.11-kpasswdtest.patch
diff --git a/krb5-1.11-run_user_0.patch b/krb5-1.11-run_user_0.patch
index c886713..ad93b8a 100644
--- a/krb5-1.11-run_user_0.patch
+++ b/krb5-1.11-run_user_0.patch
@@ -1,4 +1,4 @@
-From 85c019fe805d801ad3b65cad61fd9b2f1eef8d7f Mon Sep 17 00:00:00 2001
+From 9c45f66fbc6afb472589dbeb5166f46ad266d319 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:49:57 -0400
Subject: [PATCH] krb5-1.11-run_user_0.patch
diff --git a/krb5-1.12-api.patch b/krb5-1.12-api.patch
index 22575e8..c5bc2e5 100644
--- a/krb5-1.12-api.patch
+++ b/krb5-1.12-api.patch
@@ -1,4 +1,4 @@
-From 3bd2daf49b882deeaadd846d138c06d72de589fe Mon Sep 17 00:00:00 2001
+From 107a2b8728f1b76feb16df9201919444482e3981 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:47:00 -0400
Subject: [PATCH] krb5-1.12-api.patch
diff --git a/krb5-1.12-ksu-path.patch b/krb5-1.12-ksu-path.patch
index 53b057b..7f92b1d 100644
--- a/krb5-1.12-ksu-path.patch
+++ b/krb5-1.12-ksu-path.patch
@@ -1,4 +1,4 @@
-From b3b35bbf939f05b9caece64f93c012c2f241f1c7 Mon Sep 17 00:00:00 2001
+From 93b86d94b871aed49b14d7fc1a2a9f23c16cbe0f Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:32:09 -0400
Subject: [PATCH] krb5-1.12-ksu-path.patch
diff --git a/krb5-1.12-ktany.patch b/krb5-1.12-ktany.patch
index fc63d7c..a941082 100644
--- a/krb5-1.12-ktany.patch
+++ b/krb5-1.12-ktany.patch
@@ -1,4 +1,4 @@
-From 259f691fac41a06c238aea1d812b0f3889f06877 Mon Sep 17 00:00:00 2001
+From efee9f8598ba84f2be0983fc1d07a9a72d0ff1b7 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:33:53 -0400
Subject: [PATCH] krb5-1.12-ktany.patch
diff --git a/krb5-1.12.1-pam.patch b/krb5-1.12.1-pam.patch
index f00c797..5372fb4 100644
--- a/krb5-1.12.1-pam.patch
+++ b/krb5-1.12.1-pam.patch
@@ -1,4 +1,4 @@
-From 461ae27581ad3b132b9b2d8c07777102fba015f3 Mon Sep 17 00:00:00 2001
+From e0924e10dd431a898c9c95faa04b51edbe59c5ef Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:29:58 -0400
Subject: [PATCH] krb5-1.12.1-pam.patch
diff --git a/krb5-1.13-dirsrv-accountlock.patch b/krb5-1.13-dirsrv-accountlock.patch
index eb384f0..9b0178c 100644
--- a/krb5-1.13-dirsrv-accountlock.patch
+++ b/krb5-1.13-dirsrv-accountlock.patch
@@ -1,4 +1,4 @@
-From d183995c587fc0f32a76011858703308d751e17c Mon Sep 17 00:00:00 2001
+From f2df0b75dfbc9796bf8e1477f4661dfb7cdcf8d4 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:47:44 -0400
Subject: [PATCH] krb5-1.13-dirsrv-accountlock.patch
diff --git a/krb5-1.15-beta1-buildconf.patch b/krb5-1.15-beta1-buildconf.patch
index ca6723d..276c254 100644
--- a/krb5-1.15-beta1-buildconf.patch
+++ b/krb5-1.15-beta1-buildconf.patch
@@ -1,4 +1,4 @@
-From 35e09ba633eb14cc207b59de7ce60324ea86554f Mon Sep 17 00:00:00 2001
+From ae5bb11c0f06fdf92f51d237e94c1d410c59aa04 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:45:26 -0400
Subject: [PATCH] krb5-1.15-beta1-buildconf.patch
diff --git a/krb5-1.15.1-selinux-label.patch b/krb5-1.15.1-selinux-label.patch
index d0bf8f3..2590f8e 100644
--- a/krb5-1.15.1-selinux-label.patch
+++ b/krb5-1.15.1-selinux-label.patch
@@ -1,4 +1,4 @@
-From a3280e7ec607b9eb7b79cf75cd323fbbdd125b02 Mon Sep 17 00:00:00 2001
+From aaf74b66a51cbda90ba40f73eb8def9b192ab262 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:30:53 -0400
Subject: [PATCH] krb5-1.15.1-selinux-label.patch
diff --git a/krb5-1.3.1-dns.patch b/krb5-1.3.1-dns.patch
index c3a1d07..766226f 100644
--- a/krb5-1.3.1-dns.patch
+++ b/krb5-1.3.1-dns.patch
@@ -1,4 +1,4 @@
-From 2ecbf6ba30520f908188521eb903876bc64905ae Mon Sep 17 00:00:00 2001
+From 1b95f8a488d1e70bf7698c8b49412306a1b8aba0 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:46:21 -0400
Subject: [PATCH] krb5-1.3.1-dns.patch
diff --git a/krb5-1.9-debuginfo.patch b/krb5-1.9-debuginfo.patch
index 2d70bd5..d3d0080 100644
--- a/krb5-1.9-debuginfo.patch
+++ b/krb5-1.9-debuginfo.patch
@@ -1,4 +1,4 @@
-From 06349d595ba0baa72a9d5aabeedee5926419d6bc Mon Sep 17 00:00:00 2001
+From e1d7fcf9713fe322ad5740045650dac86427e6ae Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:49:25 -0400
Subject: [PATCH] krb5-1.9-debuginfo.patch
diff --git a/krb5.spec b/krb5.spec
index dbaa049..3b758ff 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -14,38 +14,38 @@
# Should be in form 5.0, 6.1, etc.
%global kdbversion 6.1
+%global majmin 1.15
+
Summary: The Kerberos network authentication system
Name: krb5
-Version: 1.15.1
-# for prerelease, should be e.g., 0.3.beta2%{?dist}
-Release: 28%{?dist}
-# - Maybe we should explode from the now-available-to-everybody tarball instead?
-# http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
-# - The sources below are stored in a lookaside cache. Upload with
-# $ fedpkg upload krb5-1.13.2.tar.gz krb5-1.13.2.tar.gz.asc # (and don't
-# remove, otherwise you can't go back or branch from a previous point)
-Source0: krb5-%{version}%{prerelease}.tar.gz
-Source1: krb5-%{version}%{prerelease}.tar.gz.asc
+Version: %{majmin}.2
+# for prerelease, should be e.g., 0.3.beta2% { ?dist } (without spaces)
+Release: 1%{?dist}
+
+# lookaside-cached sources; two downloads and a build artifact
+Source0: https://web.mit.edu/kerberos/dist/krb5/%{majmin}/krb5-%{version}%{prerelease}.tar.gz
+# rharwood has trust path to signing key and verifies on check-in
+Source1: https://web.mit.edu/kerberos/dist/krb5/%{majmin}/krb5-%{version}%{prerelease}.tar.gz.asc
+# This source is generated during the build because it is documentation.
+# To override this behavior (e.g., new upstream version), do:
+# tar cfT krb5-1.15.2-pdfs.tar /dev/null
+# or the like. This logic persists due to how slow the stranger Fedora
+# architecture builders are. 5 minutes on my laptop, 45 on koji easy.
Source3: krb5-%{version}%{prerelease}-pdfs.tar
+
+# Numbering is a relic of old init systems etc. It's easiest to just leave.
Source2: kprop.service
Source4: kadmin.service
Source5: krb5kdc.service
Source6: krb5.conf
-#Source7: _kpropd
-#Source8: _kadmind
Source10: kdc.conf
Source11: kadm5.acl
Source19: krb5kdc.sysconfig
Source20: kadmin.sysconfig
Source21: kprop.sysconfig
Source29: ksu.pamd
-Source31: kerberos-adm.portreserve
-Source32: krb5_prop.portreserve
Source33: krb5kdc.logrotate
Source34: kadmind.logrotate
-#Source36: kpropd.init
-#Source37: kadmind.init
-#Source38: krb5kdc.init
Source39: krb5-krb5kdc.conf
# Carry this locally until it's available in a packaged form.
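Review bot: The new comment above `Source1` says the signature is checked by hand at check-in, so nothing visible in this hunk verifies the tarball against the upstream signing key at build time. The SHA512 pinned in `sources` only shows that the lookaside copy has not changed since upload. Consider shipping the upstream public key as an extra source and verifying in `%prep`, for example `gpgv2 --keyring %{SOURCE<N>} %{SOURCE1} %{SOURCE0}`, where `<N>` is a placeholder for the new keyring source number, together with `BuildRequires: gnupg2`. `%prep` is outside this hunk, so if such a check already exists there, only the comment needs to say so.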
@@ -77,11 +77,8 @@ Patch48: Use-the-canonical-client-principal-name-for-OTP.patch
Patch49: Add-certauth-pluggable-interface.patch
Patch50: Correct-error-handling-bug-in-prior-commit.patch
Patch51: Add-k5test-expected_msg-expected_trace.patch
-Patch52: Fix-leaks-in-gss_inquire_cred_by_oid.patch
Patch53: Add-support-to-query-the-SSF-of-a-GSS-context.patch
-Patch54: Prevent-KDC-unset-status-assertion-failures.patch
Patch55: Remove-incomplete-PKINIT-OCSP-support.patch
-Patch56: Allow-clock-skew-in-krb5-gss_context_time.patch
Patch57: Fix-in_clock_skew-and-use-it-in-AS-client-code.patch
Patch58: Add-timestamp-helper-functions.patch
Patch59: Make-timestamp-manipulations-y2038-safe.patch
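Review bot: Dropping `Patch54` here removes the packaged fix for CVE-2017-11368, as named in the deleted Prevent-KDC-unset-status-assertion-failures.patch. The later hunk that drops `Patch71` removes what appears to be the change behind the 1.15.1-28 changelog entry for CVE-2017-11462. The new changelog entry only says "Adjust patches as appropriate". Presumably both fixes are part of the 1.15.2 tarball, but this page does not show that, so it should be confirmed against the upstream release before the patches go. I would record it in `%changelog` so later maintainers and vulnerability tracking can trace the fixes, e.g. `- Drop patches merged upstream (fixes for CVE-2017-11368, CVE-2017-11462)`.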
@@ -96,7 +93,6 @@ Patch67: Fix-certauth-built-in-module-returns.patch
Patch68: Add-test-cert-with-no-extensions.patch
Patch69: Add-PKINIT-test-case-for-generic-client-cert.patch
Patch70: Add-hostname-based-ccselect-module.patch
-Patch71: Preserve-GSS-context-on-init-accept-failure.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
@@ -105,7 +101,7 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: autoconf, bison, cmake, flex, gawk, gettext, pkgconfig, sed
BuildRequires: libcom_err-devel, libedit-devel, libss-devel
BuildRequires: gzip, ncurses-devel
-BuildRequires: python2-sphinx, texlive-pdftex
+BuildRequires: python2-sphinx, texlive-pdftex, latexmk
# For autosetup
BuildRequires: git
@@ -124,7 +120,9 @@ BuildRequires: tex(ifthen.sty)
BuildRequires: tex(inputenc.sty)
BuildRequires: tex(longtable.sty)
BuildRequires: tex(multirow.sty)
+BuildRequires: tex(needspace.sty)
BuildRequires: tex(report.cls)
+BuildRequires: tex(tabulary.sty)
BuildRequires: tex(threeparttable.sty)
BuildRequires: tex(times.sty)
BuildRequires: tex(titlesec.sty)
@@ -748,6 +746,10 @@ exit 0
%{_libdir}/libkadm5srv_mit.so.*
%changelog
+* Mon Sep 25 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.2-1
+- New upstream release - krb5-1.15.2
+- Adjust patches as appropriate
+
* Wed Sep 06 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-28
- Save other programs from worrying about CVE-2017-11462
- Resolves: #1488873
diff --git a/krb5_prop.portreserve b/krb5_prop.portreserve
deleted file mode 100644
index 54eeff2..0000000
--- a/krb5_prop.portreserve
+++ /dev/null
@@ -1 +0,0 @@
-krb5_prop/tcp
diff --git a/sources b/sources
index 81e69c6..a72430d 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-SHA512 (krb5-1.15.1-pdfs.tar) = f014d5da5e4cc74a19d51df658f52c6ae2f6f64663b29342e81f81ddb6e734a44c452b3f0d02f90c43baeb0618438f8b264d4f68424b0d98300a9dbe59a28552
-SHA512 (krb5-1.15.1.tar.gz) = 068b4c012722d8c232049d2a617f7ee28ceeaba6be94a78439e69e37b66cfdc49085641e42cfb03b2fbb72d21517b537e437061ec4dd2bf864f31e55e05fe918
-SHA512 (krb5-1.15.1.tar.gz.asc) = 48d2b1382970d4117340fbfd82a88ecd9342aaddad3e06a26db2b5e4766654e2e4cda03a3af6803e463e6ddcfbfbb32323379d9ccc70561c3f296b406bfee905
+SHA512 (krb5-1.15.2-pdfs.tar) = 5875efde7ed88dcccd6f624a5252c5c70844fe94015ce4acfdf7f6ccabf52c86965c5a661b161c73e37b46e51aa5e9ea19602ab32e8b50682ecb0a450f0553b6
+SHA512 (krb5-1.15.2.tar.gz) = e5814bb66384b13637c37918df694c6b9933c29c2d952da0ed0dcd2e623b269060b4c16b6c02162039dadebdab99ff1085e37e7621ae4748dafb036424e612c2
+SHA512 (krb5-1.15.2.tar.gz.asc) = 37cee442de29229fa821539c3f1724eb4d37fa9ce5eee644869a7311c8fe10218dac36da3a5297d45168d8fb1ad64dbd614f10d3384d54e4070e56e7fe8a1e63