Package: krb5 / 1.17-6

Metadata

Package: krb5
Version: 1.17-6
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
debian local/0001 Add .gitignore.patch

.gitignore | 591 591 + 0 - 0 !
1 file changed, 591 insertions(+)

 add .gitignore


debian local/0001 Debian HURD compatibility.patch

src/clients/ksu/ksu.h | 4 4 + 0 - 0 !
src/include/k5-int.h | 3 3 + 0 - 0 !
src/kadmin/ktutil/ktutil_funcs.c | 4 4 + 0 - 0 !
src/kprop/kprop_util.c | 4 4 + 0 - 0 !
src/lib/gssapi/spnego/spnego_mech.c | 3 3 + 0 - 0 !
src/lib/krb5/os/sn2princ.c | 4 4 + 0 - 0 !
src/plugins/kdb/db2/libdb2/include/db-int.h | 4 4 + 0 - 0 !
src/tests/resolve/resolve.c | 4 4 + 0 - 0 !
8 files changed, 30 insertions(+)

 debian: hurd compatibility

HURD has no MAXPATHLEN or MAXHOSTLEN.

Patch-Category: debian-local

debian local/0002 debian Handle multi arch paths in krb5 config.patch

src/build-tools/krb5-config.in | 17 10 + 7 - 0 !
1 file changed, 10 insertions(+), 7 deletions(-)

 debian: handle multi-arch paths in krb5-config

We cannot use @libdir@ because that will include the
multi-arch prefix in the built krb5-config, but we want krb5-config to
be identical on all arches so that krb5-multidev can be multi-arch:
same.  So, instead, figure out our multi-arch triple by calling CC
directly.

Based on an approach suggested by Hugh McMaster.

Also include --deps in the usage output, since it is a valid argument.

Patch-Category: debian-local

debian local/0003 debian osconf.hin path changes.patch

src/include/osconf.hin | 8 4 + 4 - 0 !
1 file changed, 4 insertions(+), 4 deletions(-)

 debian: osconf.hin path changes

Patch-Category: debian-local

debian local/0004 debian install ldap library in subdirectory.patch

src/plugins/kdb/ldap/Makefile.in | 1 1 + 0 - 0 !
src/plugins/kdb/ldap/ldap_util/Makefile.in | 1 1 + 0 - 0 !
2 files changed, 2 insertions(+)

 debian: install ldap library in subdirectory

Debian received a request to install the internal ldap library not in
the main lib directory.

We are changing SHLIB_DIRS from the default that upstream sets in the
makefile includes; assign unconditionally the full value.

Patch-Category: debian-local

debian local/0005 gssapi never unload mechanisms.patch

src/lib/gssapi/mechglue/g_initialize.c | 2 0 + 2 - 0 !
1 file changed, 2 deletions(-)

 gssapi: never unload mechanisms

It turns out that many GSSAPI mechanisms link to the main gss-api
library creating a circular reference. Depending on how the linker
breaks the cycle at process exit time, the linker may unload the GSS
library after unloading the mechanisms. The explicit dlclose from the
GSS library tends to cause a libdl assertion failure at that
point. So, never unload plugins. They are refcounted, so dlopen
handles will not leak, although obviously the memory from the plugin
is never reclaimed.

ticket: 7135

Patch-Category: debian-local

debian local/0006 Add substpdf target.patch

src/doc/Makefile.in | 15 15 + 0 - 0 !
1 file changed, 15 insertions(+)

 add substpdf target

Akin to substhtml, so that we can build PDF documents without
overwriting the upstream-provided versions and causing debian/rules clean
to not return to the original state.

Patch-Category: debian-local

debian local/0007 Fix pkg config library include paths.patch

src/build-tools/gssrpc.pc.in | 4 2 + 2 - 0 !
src/build-tools/kadm-client.pc.in | 4 2 + 2 - 0 !
src/build-tools/kadm-server.pc.in | 4 2 + 2 - 0 !
src/build-tools/kdb.pc.in | 4 2 + 2 - 0 !
src/build-tools/mit-krb5-gssapi.pc.in | 4 2 + 2 - 0 !
src/build-tools/mit-krb5.pc.in | 4 2 + 2 - 0 !
6 files changed, 12 insertions(+), 12 deletions(-)

 fix pkg-config library/include paths

Include library and include flags in pkg-config files, so they work when the
symlinks provided by libkrb5-dev are not installed.

Patch-Category: debian-local

debian local/0008 Use isystem for include paths.patch

src/build-tools/gssrpc.pc.in | 2 1 + 1 - 0 !
src/build-tools/kadm-client.pc.in | 2 1 + 1 - 0 !
src/build-tools/kadm-server.pc.in | 2 1 + 1 - 0 !
src/build-tools/kdb.pc.in | 2 1 + 1 - 0 !
src/build-tools/krb5-config.in | 2 1 + 1 - 0 !
src/build-tools/mit-krb5-gssapi.pc.in | 2 1 + 1 - 0 !
src/build-tools/mit-krb5.pc.in | 2 1 + 1 - 0 !
7 files changed, 7 insertions(+), 7 deletions(-)

 use -isystem for include paths

 This is necessary so Kerberos header files are classified as "system headers"
 by the compiler, and thus not subject to the same strict warnings as
 other headers (which breaks compilation if -Werror is specified).

 This fixes the build of folks using -Werror and including Kerberos headers
 when the latter are installed in a non-standard location (e.g.
 /usr/include/tuple/mit-krb5, as Debian is doing).
(cherry picked from commit d8520c1d1c218e3c766009abc728b207c0421232)

upstream/0009 Remove erroneous text from kinit man page.patch

doc/user/user_commands/kinit.rst | 3 1 + 2 - 0 !
src/man/kinit.man | 5 2 + 3 - 0 !
2 files changed, 3 insertions(+), 5 deletions(-)

 remove erroneous text from kinit man page

Commit 4c4859fa83295db5c26f47b96c719060cfd9e2b1 changed the kinit man
page to state that kinit -E (enterprise) implies -C (canonicalize).
The client does not automatically set the canonicalize option when
getting tickets for an enterprise principal, and Windows KDCs can
issue tickets for enterprise principals without canonicalizing the
principal (contrary to the implication of RFC 6806 section 5).  Remove
the misleading text.

[ghudson@mit.edu: updated RST man page and regenerated nroff file;
rewrote commit message]

(cherry picked from commit 8e31335a7722a2f7f1722506befe4fd26d3e3f3f)

ticket: 8779
version_fixed: 1.17.1

Patch-Category: upstream

upstream/0010 Fix memory leak in none replay cache type.patch

src/lib/krb5/rcache/rc_none.c | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 fix memory leak in 'none' replay cache type

Commit 0f06098e2ab419d02e89a1ca6bc9f2828f6bdb1e fixed part of a memory
leak in the 'none' replay cache type by freeing the outer container,
but we also need to free the mutex.

[ghudson@mit.edu: wrote commit message]

(cherry picked from commit af2a3115cb8feb5174151b4b40223ae45aa9db17)

ticket: 8783
version_fixed: 1.17.1

Patch-Category: upstream

upstream/0011 Document the double colon behavior of DIR ccaches.patch

doc/basic/ccache_def.rst | 7 7 + 0 - 0 !
1 file changed, 7 insertions(+)

 document the double-colon behavior of dir ccaches

(cherry picked from commit 5ba6e02a7b96ddd15dde01db0f9aff3d65773a8e)

ticket: 8789
version_fixed: 1.17.1

Patch-Category: upstream

upstream/0013 Update test suite to avoid single DES enctypes.patch

src/kadmin/testing/proto/kdc.conf.proto | 2 1 + 1 - 0 !
src/kadmin/testing/util/tcl_kadm5.c | 2 0 + 2 - 0 !
src/lib/crypto/crypto_tests/CRC.pm | 156 0 + 156 - 0 !
src/lib/crypto/crypto_tests/Makefile.in | 31 4 + 27 - 0 !
src/lib/crypto/crypto_tests/crc.pl | 111 0 + 111 - 0 !
src/lib/crypto/crypto_tests/deps | 24 0 + 24 - 0 !
src/lib/crypto/crypto_tests/t_cf2.expected | 1 0 + 1 - 0 !
src/lib/crypto/crypto_tests/t_cf2.in | 5 0 + 5 - 0 !
src/lib/crypto/crypto_tests/t_cksum.c | 160 0 + 160 - 0 !
src/lib/crypto/crypto_tests/t_cksums.c | 8 1 + 7 - 0 !
src/lib/crypto/crypto_tests/t_combine.c | 18 0 + 18 - 0 !
src/lib/crypto/crypto_tests/t_crc.c | 148 0 + 148 - 0 !
src/lib/crypto/crypto_tests/t_decrypt.c | 148 0 + 148 - 0 !
src/lib/crypto/crypto_tests/t_encrypt.c | 3 0 + 3 - 0 !
src/lib/crypto/crypto_tests/t_short.c | 3 0 + 3 - 0 !
src/lib/crypto/crypto_tests/t_str2key.c | 274 0 + 274 - 0 !
src/lib/crypto/crypto_tests/vectors.c | 3 2 + 1 - 0 !
src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp | 10 5 + 5 - 0 !
src/lib/kadm5/unit-test/api.current/get-principal-v2.exp | 5 3 + 2 - 0 !
src/lib/kadm5/unit-test/api.current/randkey-principal-v2.exp | 11 5 + 6 - 0 !
src/lib/kadm5/unit-test/setkey-test.c | 6 3 + 3 - 0 !
src/lib/krb5/keytab/t_keytab.c | 40 21 + 19 - 0 !
src/lib/krb5/krb/t_etypes.c | 67 10 + 57 - 0 !
src/lib/krb5/krb/t_ser.c | 2 1 + 1 - 0 !
src/lib/krb5/os/t_trace.c | 2 1 + 1 - 0 !
src/lib/krb5/os/t_trace.ref | 2 1 + 1 - 0 !
src/tests/asn.1/ktest.c | 2 1 + 1 - 0 !
src/tests/asn.1/pkinit_encode.out | 2 1 + 1 - 0 !
src/tests/asn.1/pkinit_trval.out | 2 1 + 1 - 0 !
src/tests/dejagnu/config/default.exp | 227 18 + 209 - 0 !
src/tests/gssapi/t_ccselect.py | 3 1 + 2 - 0 !
src/tests/gssapi/t_invalid.c | 20 1 + 19 - 0 !
src/tests/gssapi/t_pcontok.c | 16 2 + 14 - 0 !
src/tests/gssapi/t_prf.c | 7 0 + 7 - 0 !
src/tests/t_etype_info.py | 4 2 + 2 - 0 !
src/tests/t_keyrollover.py | 7 4 + 3 - 0 !
src/tests/t_salt.py | 2 1 + 1 - 0 !
src/tests/t_sesskeynego.py | 18 2 + 16 - 0 !
src/util/k5test.py | 12 1 + 11 - 0 !
39 files changed, 93 insertions(+), 1471 deletions(-)

 update test suite to avoid single-des enctypes

Remove the CRC exercise code, since CRC is DES-only.

Updated by Sam Hartman for 1.17.

ticket: 8808
(cherry picked from commit 50588db5d26e81f3d564d1f69435af34ae80d9b2)

upstream/0014 Remove support for single DES and CRC.patch

doc/admin/advanced/retiring-des.rst | 5 5 + 0 - 0 !
doc/admin/conf_files/kdc_conf.rst | 17 2 + 15 - 0 !
doc/admin/conf_files/krb5_conf.rst | 17 4 + 13 - 0 !
doc/admin/enctypes.rst | 38 17 + 21 - 0 !
doc/appdev/refs/macros/index.rst | 1 1 + 0 - 0 !
doc/conf.py | 2 1 + 1 - 0 !
doc/mitK5features.rst | 2 1 + 1 - 0 !
src/include/k5-int.h | 1 0 + 1 - 0 !
src/include/krb5/krb5.hin | 10 5 + 5 - 0 !
src/include/win-mac.h | 12 0 + 12 - 0 !
src/kdc/kdc_util.c | 14 0 + 14 - 0 !
src/kdc/main.c | 6 0 + 6 - 0 !
src/kdc/realm_data.h | 1 0 + 1 - 0 !
src/lib/crypto/builtin/des/des_int.h | 1 0 + 1 - 0 !
src/lib/crypto/builtin/enc_provider/Makefile.in | 3 0 + 3 - 0 !
src/lib/crypto/builtin/enc_provider/deps | 12 0 + 12 - 0 !
src/lib/crypto/builtin/enc_provider/des.c | 120 0 + 120 - 0 !
src/lib/crypto/builtin/hash_provider/Makefile.in | 7 2 + 5 - 0 !
src/lib/crypto/builtin/hash_provider/deps | 13 0 + 13 - 0 !
src/lib/crypto/builtin/hash_provider/hash_crc32.c | 56 0 + 56 - 0 !
src/lib/crypto/krb/Makefile.in | 9 0 + 9 - 0 !
src/lib/crypto/krb/cksumtypes.c | 24 0 + 24 - 0 !
src/lib/crypto/krb/combine_keys.c | 3 0 + 3 - 0 !
src/lib/crypto/krb/crc32.c | 165 0 + 165 - 0 !
src/lib/crypto/krb/crypto_int.h | 16 0 + 16 - 0 !
src/lib/crypto/krb/default_state.c | 4 0 + 4 - 0 !
src/lib/crypto/krb/deps | 36 0 + 36 - 0 !
src/lib/crypto/krb/enc_old.c | 181 0 + 181 - 0 !
src/lib/crypto/krb/etypes.c | 46 0 + 46 - 0 !
src/lib/crypto/krb/s2k_des.c | 691 0 + 691 - 0 !
src/lib/crypto/libk5crypto.exports | 1 0 + 1 - 0 !
src/lib/crypto/openssl/enc_provider/Makefile.in | 3 0 + 3 - 0 !
src/lib/crypto/openssl/enc_provider/deps | 11 0 + 11 - 0 !
src/lib/crypto/openssl/enc_provider/des.c | 218 0 + 218 - 0 !
src/lib/crypto/openssl/hash_provider/Makefile.in | 10 3 + 7 - 0 !
src/lib/crypto/openssl/hash_provider/deps | 12 0 + 12 - 0 !
src/lib/crypto/openssl/hash_provider/hash_crc32.c | 56 0 + 56 - 0 !
src/lib/gssapi/krb5/accept_sec_context.c | 3 0 + 3 - 0 !
src/lib/gssapi/krb5/gssapiP_krb5.h | 20 10 + 10 - 0 !
src/lib/gssapi/krb5/k5seal.c | 28 1 + 27 - 0 !
src/lib/gssapi/krb5/k5sealiov.c | 20 0 + 20 - 0 !
src/lib/gssapi/krb5/k5unseal.c | 112 0 + 112 - 0 !
src/lib/gssapi/krb5/k5unsealiov.c | 34 2 + 32 - 0 !
src/lib/gssapi/krb5/util_crypt.c | 41 0 + 41 - 0 !
src/lib/kadm5/kadm_rpc_xdr.c | 10 0 + 10 - 0 !
src/lib/krb5/ccache/cc_mslsa.c | 11 6 + 5 - 0 !
src/lib/krb5/krb/auth_con.c | 23 3 + 20 - 0 !
src/lib/krb5/krb/gic_keytab.c | 4 0 + 4 - 0 !
src/lib/krb5/krb/init_ctx.c | 9 0 + 9 - 0 !
src/lib/krb5/krb/mk_req_ext.c | 43 4 + 39 - 0 !
src/lib/krb5/krb/s4u_creds.c | 3 0 + 3 - 0 !
src/lib/krb5/krb/ser_ctx.c | 2 1 + 1 - 0 !
src/man/kdc.conf.man | 47 2 + 45 - 0 !
src/man/krb5.conf.man | 6 3 + 3 - 0 !
src/windows/leash/htmlhelp/html/Encryption_Types.htm | 14 1 + 13 - 0 !
55 files changed, 74 insertions(+), 2180 deletions(-)

 remove support for single-des and crc

Single-DES removal brings us closer to compliance with RFC 6649.
Single-DES was disabled by default starting in release 1.8, and
user-visible deprecation warnings were issued starting in release
1.17.

ticket: 8808
(cherry picked from commit fb2dada5eb89c4cd4e39dedd6dbb7dbd5e94f8b8)

debian local/0015 Some more des test failures.patch

src/lib/krb5/krb/t_get_etype_info.py | 6 3 + 3 - 0 !
1 file changed, 3 insertions(+), 3 deletions(-)

 some more des test failures

Fix some more des related test failures.


I have not actually gotten make check working but I've convinced
myself the remaining failures are test failures not code failures.
This will all clean up after the 1.18 release and we don't currently
run make check during the build anyway.

0016 Filter enctypes in gss_set_allowable_enctypes.patch

src/lib/gssapi/krb5/set_allowable_enctypes.c | 29 14 + 15 - 0 !
1 file changed, 14 insertions(+), 15 deletions(-)

 filter enctypes in gss_set_allowable_enctypes()

Instead of erroring out when any invalid enctypes are present in the
caller's list, filter out the invalid ones and only error if no
enctype remains.

ticket: 8819

0017 Don t error on invalid enctypes in keytab.patch

src/lib/krb5/keytab/kt_file.c | 27 5 + 22 - 0 !
1 file changed, 5 insertions(+), 22 deletions(-)

 don't error on invalid enctypes in keytab

krb5_ktfile_get_entry() used krb5_c_enctype_compare() to compare
enctypes, in order to share keys between single-DES enctypes.  As
key-sharing between enctypes is no longer done and single-DES support
has been removed, use a simple equality test to match the enctype.
This fixes a bug where krb5_kt_get_entry() would error out if the
keytab contained any entries with invalid enctypes (including single-DES
entries, after commit fb2dada5eb89c4cd4e39dedd6dbb7dbd5e94f8b8) even
if a matching entry is found.

[ghudson@mit.edu: rewrote commit message]

ticket: 8808