Accepting request 213903 from home:ckornacker:branches:network

- update to version 1.12
  * Add GSSAPI extensions for constructing MIC tokens using IOV lists
  * Add a FAST OTP preauthentication module for the KDC which uses
    RADIUS to validate OTP token values.
  * The AES-based encryption types will use AES-NI instructions
    when possible for improved performance.
- revert dependency on libcom_err-mini-devel since it's not yet
  available
- update and rebase patches

OBS-URL: https://build.opensuse.org/request/show/213903
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=114

krb5-1.11.4.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:1d9ef56b9280c5af103e24310a2bc79fca8de40fd4ebc1edae3d21e59c6afda3
-size 9449691

krb5-1.12-api.patch

@@ -0,0 +1,27 @@
+Reference docs don't define what happens if you call krb5_realm_compare() with
+malformed krb5_principal structures.  Define a behavior which keeps it from
+crashing if applications don't check ahead of time.
+
+--- krb5/src/lib/krb5/krb/princ_comp.c
++++ krb5/src/lib/krb5/krb/princ_comp.c
+@@ -41,6 +41,10 @@ realm_compare_flags(krb5_context context
+     const krb5_data *realm1 = &princ1->realm;
+     const krb5_data *realm2 = &princ2->realm;
+ 
++    if (princ1 == NULL || princ2 == NULL)
++        return FALSE;
++    if (realm1 == NULL || realm2 == NULL)
++        return FALSE;
+     if (realm1->length != realm2->length)
+         return FALSE;
+     if (realm1->length == 0)
+@@ -92,6 +98,9 @@ krb5_principal_compare_flags(krb5_contex
+     krb5_principal upn2 = NULL;
+     krb5_boolean ret = FALSE;
+ 
++    if (princ1 == NULL || princ2 == NULL)
++        return FALSE;
++
+     if (flags & KRB5_PRINCIPAL_COMPARE_ENTERPRISE) {
+         /* Treat UPNs as if they were real principals */
+         if (princ1->type == KRB5_NT_ENTERPRISE_PRINCIPAL) {

krb5-1.12-buildconf.patch

@@ -4,10 +4,8 @@ the -L/usr/lib* and PIE flags where they might leak out and affect
 apps which just want to link with the libraries. FIXME: needs to check and
 not just assume that the compiler supports using these flags.
 
-Index: krb5-1.11/src/config/shlib.conf
-===================================================================
---- krb5-1.11.orig/src/config/shlib.conf
-+++ krb5-1.11/src/config/shlib.conf
+--- krb5/src/config/shlib.conf
++++ krb5/src/config/shlib.conf
 @@ -419,7 +419,7 @@ mips-*-netbsd*)
  	SHLIBEXT=.so
  	# Linux ld doesn't default to stuffing the SONAME field...
@@ -17,7 +15,7 @@ Index: krb5-1.11/src/config/shlib.conf
  	# 
  	LDCOMBINE_TAIL='-Wl,--version-script binutils.versions && $(PERL) -w $(top_srcdir)/util/export-check.pl $(SHLIB_EXPORT_FILE) $@'
  	SHLIB_EXPORT_FILE_DEP=binutils.versions
-@@ -430,7 +430,8 @@ mips-*-netbsd*)
+@@ -430,7 +430,8 @@
  	SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
  	PROFFLAGS=-pg
  	PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
@@ -27,11 +25,9 @@ Index: krb5-1.11/src/config/shlib.conf
  	CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
  	CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
  	CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)'
-Index: krb5-1.11/src/krb5-config.in
-===================================================================
---- krb5-1.11.orig/src/krb5-config.in
-+++ krb5-1.11/src/krb5-config.in
-@@ -221,6 +221,13 @@ if test -n "$do_libs"; then
+--- krb5/src/build-tools/krb5-config.in
++++ krb5/src/build-tools/krb5-config.in
+@@ -189,6 +189,13 @@ if test -n "$do_libs"; then
  	    -e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \
  	    -e 's#\$(CFLAGS)##'`
  
@@ -45,11 +41,9 @@ Index: krb5-1.11/src/krb5-config.in
      if test $library = 'kdb'; then
  	lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB"
  	library=krb5
-Index: krb5-1.11/src/config/pre.in
-===================================================================
---- krb5-1.11.orig/src/config/pre.in
-+++ krb5-1.11/src/config/pre.in
-@@ -185,7 +185,7 @@ INSTALL_PROGRAM=@INSTALL_PROGRAM@ $(INST
+--- krb5/src/config/pre.in
++++ krb5/src/config/pre.in
+@@ -188,7 +188,7 @@
  INSTALL_SCRIPT=@INSTALL_PROGRAM@
  INSTALL_DATA=@INSTALL_DATA@
  INSTALL_SHLIB=@INSTALL_SHLIB@

krb5-1.12-copy_context.patch

@@ -0,0 +1,306 @@
+Adjusted for 1.12, which still had vtbl, locate_fptrs, and (vestigial)
+profile_in_memory fields, and drop the hunk that touched .gitignore.
+
+commit c452644d91d57d8b05ef396a029e34d0c7a48920
+Author: Greg Hudson <ghudson@mit.edu>
+Date:   Wed Dec 18 15:03:03 2013 -0500
+
+    Fix krb5_copy_context
+    
+    krb5_copy_context has been broken since 1.8 (it broke in r22456)
+    because k5_copy_etypes crashes on null enctype lists.  Subsequent
+    additions to the context structure were not reflected in
+    krb5_copy_context, creating double-free bugs.  Make k5_copy_etypes
+    handle null input and account for all new fields in krb5_copy_context.
+    Reported by Arran Cudbard-Bell.
+    
+    ticket: 7807 (new)
+    target_version: 1.12.1
+    tags: pullup
+
+diff --git a/src/lib/krb5/krb/copy_ctx.c b/src/lib/krb5/krb/copy_ctx.c
+index 0bc92f8..4237023 100644
+--- a/src/lib/krb5/krb/copy_ctx.c
++++ b/src/lib/krb5/krb/copy_ctx.c
+@@ -77,13 +77,26 @@ krb5_copy_context(krb5_context ctx, krb5_context *nctx_out)
+     nctx->ser_ctx_count = 0;
+     nctx->ser_ctx = NULL;
+     nctx->prompt_types = NULL;
++    nctx->preauth_context = NULL;
++    nctx->ccselect_handles = NULL;
++    nctx->localauth_handles = NULL;
++    nctx->hostrealm_handles = NULL;
++    nctx->kdblog_context = NULL;
++    nctx->trace_callback = NULL;
++    nctx->trace_callback_data = NULL;
++    nctx->plugin_base_dir = NULL;
+     nctx->os_context.default_ccname = NULL;
+ 
++#ifdef KRB5_DNS_LOOKUP
++    nctx->profile_in_memory = 0;
++#endif /* KRB5_DNS_LOOKUP */
++
+     memset(&nctx->libkrb5_plugins, 0, sizeof(nctx->libkrb5_plugins));
+     nctx->vtbl = NULL;
+     nctx->locate_fptrs = NULL;
+ 
+     memset(&nctx->err, 0, sizeof(nctx->err));
++    memset(&nctx->plugins, 0, sizeof(nctx->plugins));
+ 
+     ret = k5_copy_etypes(ctx->in_tkt_etypes, &nctx->in_tkt_etypes);
+     if (ret)
+@@ -101,6 +109,11 @@ krb5_copy_context(krb5_context ctx, krb5_context *nctx_out)
+     ret = krb5_get_profile(ctx, &nctx->profile);
+     if (ret)
+         goto errout;
++    nctx->plugin_base_dir = strdup(ctx->plugin_base_dir);
++    if (nctx->plugin_base_dir == NULL) {
++        ret = ENOMEM;
++        goto errout;
++    }
+ 
+ errout:
+     if (ret) {
+diff --git a/src/lib/krb5/krb/etype_list.c b/src/lib/krb5/krb/etype_list.c
+index 9efe2e0..71f664f 100644
+--- a/src/lib/krb5/krb/etype_list.c
++++ b/src/lib/krb5/krb/etype_list.c
+@@ -49,6 +49,8 @@ k5_copy_etypes(const krb5_enctype *old_list, krb5_enctype **new_list)
+     krb5_enctype *list;
+ 
+     *new_list = NULL;
++    if (old_list == NULL)
++        return 0;
+     count = k5_count_etypes(old_list);
+     list = malloc(sizeof(krb5_enctype) * (count + 1));
+     if (list == NULL)
+
+commit b78c3c8c5025aec870d20472f80d4a652062f921
+Author: Greg Hudson <ghudson@mit.edu>
+Date:   Wed Dec 18 13:08:25 2013 -0500
+
+    Add a test program for krb5_copy_context
+    
+    This test program isn't completely proof against the kind of mistakes
+    we've made with krb5_copy_context in the past, but it at least
+    exercises krb5_copy_context and can detect some kinds of bugs.
+    
+    ticket: 7807
+
+diff --git a/src/lib/krb5/krb/Makefile.in b/src/lib/krb5/krb/Makefile.in
+index 7d1682d..3b58219 100644
+--- a/src/lib/krb5/krb/Makefile.in
++++ b/src/lib/krb5/krb/Makefile.in
+@@ -349,6 +349,7 @@ SRCS=	$(srcdir)/addr_comp.c	\
+ 	$(srcdir)/t_expire_warn.c \
+ 	$(srcdir)/t_authdata.c	\
+ 	$(srcdir)/t_cc_config.c	\
++	$(srcdir)/t_copy_context.c \
+ 	$(srcdir)/t_in_ccache.c	\
+ 	$(srcdir)/t_response_items.c \
+ 	$(srcdir)/t_vfy_increds.c
+@@ -429,11 +430,14 @@ t_in_ccache: t_in_ccache.o $(KRB5_BASE_DEPLIBS)
+ t_cc_config: t_cc_config.o $(KRB5_BASE_DEPLIBS)
+ 	$(CC_LINK) -o $@ t_cc_config.o $(KRB5_BASE_LIBS)
+ 
++t_copy_context: t_copy_context.o $(KRB5_BASE_DEPLIBS)
++	$(CC_LINK) -o $@ t_copy_context.o $(KRB5_BASE_LIBS)
++
+ t_response_items: t_response_items.o response_items.o $(KRB5_BASE_DEPLIBS)
+ 	$(CC_LINK) -o $@ t_response_items.o response_items.o $(KRB5_BASE_LIBS)
+ 
+ TEST_PROGS= t_walk_rtree t_kerb t_ser t_deltat t_expand t_authdata t_pac \
+-	t_in_ccache t_cc_config \
++	t_in_ccache t_cc_config t_copy_context \
+ 	t_princ t_etypes t_vfy_increds t_response_items
+ 
+ check-unix:: $(TEST_PROGS)
+@@ -473,6 +477,8 @@ check-unix:: $(TEST_PROGS)
+ 	$(RUN_SETUP) $(VALGRIND) ./t_princ
+ 	$(RUN_SETUP) $(VALGRIND) ./t_etypes
+ 	$(RUN_SETUP) $(VALGRIND) ./t_response_items
++	KRB5_CONFIG=$(srcdir)/t_krb5.conf ; export KRB5_CONFIG ;\
++		$(RUN_SETUP) $(VALGRIND) ./t_copy_context
+ 
+ check-pytests:: t_expire_warn t_vfy_increds
+ 	$(RUNPYTEST) $(srcdir)/t_expire_warn.py $(PYTESTFLAGS)
+@@ -491,6 +497,7 @@ clean::
+ 		$(OUTPRE)t_princ$(EXEEXT) $(OUTPRE)t_princ.$(OBJEXT)	\
+ 	$(OUTPRE)t_authdata$(EXEEXT) $(OUTPRE)t_authdata.$(OBJEXT)	\
+ 	$(OUTPRE)t_cc_config$(EXEEXT) $(OUTPRE)t_cc_config.$(OBJEXT)	\
++	$(OUTPRE)t_copy_context(EXEEXT) $(OUTPRE)t_copy_context.$(OBJEXT) \
+ 	$(OUTPRE)t_in_ccache$(EXEEXT) $(OUTPRE)t_in_ccache.$(OBJEXT)	\
+ 	$(OUTPRE)t_ad_fx_armor$(EXEEXT) $(OUTPRE)t_ad_fx_armor.$(OBJEXT) \
+ 	$(OUTPRE)t_vfy_increds$(EXEEXT) $(OUTPRE)t_vfy_increds.$(OBJEXT) \
+diff --git a/src/lib/krb5/krb/t_copy_context.c b/src/lib/krb5/krb/t_copy_context.c
+new file mode 100644
+index 0000000..522fa0c
+--- /dev/null
++++ b/src/lib/krb5/krb/t_copy_context.c
+@@ -0,0 +1,166 @@
++/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
++/* lib/krb5/krb/t_copy_context.C - Test program for krb5_copy_context */
++/*
++ * Copyright (C) 2013 by the Massachusetts Institute of Technology.
++ * All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * * Redistributions of source code must retain the above copyright
++ *   notice, this list of conditions and the following disclaimer.
++ *
++ * * Redistributions in binary form must reproduce the above copyright
++ *   notice, this list of conditions and the following disclaimer in
++ *   the documentation and/or other materials provided with the
++ *   distribution.
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
++ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
++ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
++ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
++ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
++ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ */
++
++#include <k5-int.h>
++
++static void
++trace(krb5_context ctx, const krb5_trace_info *info, void *data)
++{
++}
++
++static void
++check(int cond)
++{
++    if (!cond)
++        abort();
++}
++
++static void
++compare_string(const char *str1, const char *str2)
++{
++    check((str1 == NULL) == (str2 == NULL));
++    if (str1 != NULL)
++        check(strcmp(str1, str2) == 0);
++}
++
++static void
++compare_etypes(krb5_enctype *list1, krb5_enctype *list2)
++{
++    check((list1 == NULL) == (list2 == NULL));
++    if (list1 == NULL)
++        return;
++    while (*list1 != ENCTYPE_NULL && *list1 == *list2)
++        list1++, list2++;
++    check(*list1 == *list2);
++}
++
++/* Check that the context c is a valid copy of the reference context r. */
++static void
++check_context(krb5_context c, krb5_context r)
++{
++    int i;
++
++    /* Check fields which should have been propagated from r. */
++    compare_etypes(c->in_tkt_etypes, r->in_tkt_etypes);
++    compare_etypes(c->tgs_etypes, r->tgs_etypes);
++    check(c->os_context.time_offset == r->os_context.time_offset);
++    check(c->os_context.usec_offset == r->os_context.usec_offset);
++    check(c->os_context.os_flags == r->os_context.os_flags);
++    compare_string(c->os_context.default_ccname, r->os_context.default_ccname);
++    check(c->clockskew == r->clockskew);
++    check(c->kdc_req_sumtype == r->kdc_req_sumtype);
++    check(c->default_ap_req_sumtype == r->default_ap_req_sumtype);
++    check(c->default_safe_sumtype == r->default_safe_sumtype);
++    check(c->kdc_default_options == r->kdc_default_options);
++    check(c->library_options == r->library_options);
++    check(c->profile_secure == r->profile_secure);
++    check(c->fcc_default_format == r->fcc_default_format);
++    check(c->udp_pref_limit == r->udp_pref_limit);
++    check(c->use_conf_ktypes == r->use_conf_ktypes);
++    check(c->allow_weak_crypto == r->allow_weak_crypto);
++    check(c->ignore_acceptor_hostname == r->ignore_acceptor_hostname);
++    check(c->dns_canonicalize_hostname == r->dns_canonicalize_hostname);
++    compare_string(c->plugin_base_dir, r->plugin_base_dir);
++
++    /* Check fields which don't propagate. */
++    check(c->dal_handle == NULL);
++    check(c->ser_ctx_count == 0);
++    check(c->ser_ctx == NULL);
++    check(c->prompt_types == NULL);
++    check(c->libkrb5_plugins.files == NULL);
++    check(c->preauth_context == NULL);
++    check(c->ccselect_handles == NULL);
++    check(c->localauth_handles == NULL);
++    check(c->hostrealm_handles == NULL);
++    check(c->err.code == 0);
++    check(c->err.msg == NULL);
++    check(c->kdblog_context == NULL);
++    check(c->trace_callback == NULL);
++    check(c->trace_callback_data == NULL);
++    for (i = 0; i < PLUGIN_NUM_INTERFACES; i++) {
++        check(c->plugins[i].modules == NULL);
++        check(!c->plugins[i].configured);
++    }
++}
++
++int
++main(int argc, char **argv)
++{
++    krb5_context ctx, ctx2;
++    krb5_plugin_initvt_fn *mods;
++    const krb5_enctype etypes1[] = { ENCTYPE_DES3_CBC_SHA1, 0 };
++    const krb5_enctype etypes2[] = { ENCTYPE_AES128_CTS_HMAC_SHA1_96,
++                                     ENCTYPE_AES256_CTS_HMAC_SHA1_96, 0 };
++    krb5_prompt_type ptypes[] = { KRB5_PROMPT_TYPE_PASSWORD };
++
++    /* Copy a default context and verify the result. */
++    check(krb5_init_context(&ctx) == 0);
++    check(krb5_copy_context(ctx, &ctx2) == 0);
++    check_context(ctx2, ctx);
++    krb5_free_context(ctx2);
++
++    /* Set non-default values for all of the propagated fields in ctx. */
++    ctx->allow_weak_crypto = TRUE;
++    check(krb5_set_default_in_tkt_ktypes(ctx, etypes1) == 0);
++    check(krb5_set_default_tgs_enctypes(ctx, etypes2) == 0);
++    check(krb5_set_debugging_time(ctx, 1234, 5678) == 0);
++    check(krb5_cc_set_default_name(ctx, "defccname") == 0);
++    check(krb5_set_default_realm(ctx, "defrealm") == 0);
++    ctx->clockskew = 18;
++    ctx->kdc_req_sumtype = CKSUMTYPE_NIST_SHA;
++    ctx->default_ap_req_sumtype = CKSUMTYPE_HMAC_SHA1_96_AES128;
++    ctx->default_safe_sumtype = CKSUMTYPE_HMAC_SHA1_96_AES256;
++    ctx->kdc_default_options = KDC_OPT_FORWARDABLE;
++    ctx->library_options = 0;
++    ctx->profile_secure = TRUE;
++    ctx->udp_pref_limit = 2345;
++    ctx->use_conf_ktypes = TRUE;
++    ctx->ignore_acceptor_hostname = TRUE;
++    ctx->dns_canonicalize_hostname = FALSE;
++    free(ctx->plugin_base_dir);
++    check((ctx->plugin_base_dir = strdup("/a/b/c/d")) != NULL);
++
++    /* Also set some of the non-propagated fields. */
++    ctx->prompt_types = ptypes;
++    check(k5_plugin_load_all(ctx, PLUGIN_INTERFACE_PWQUAL, &mods) == 0);
++    k5_plugin_free_modules(ctx, mods);
++    krb5_set_error_message(ctx, ENOMEM, "nooooooooo");
++    krb5_set_trace_callback(ctx, trace, ctx);
++
++    /* Copy the intentionally messy context and verify the result. */
++    check(krb5_copy_context(ctx, &ctx2) == 0);
++    check_context(ctx2, ctx);
++    krb5_free_context(ctx2);
++
++    krb5_free_context(ctx);
++    return 0;
++}

krb5-1.12-enable-NX.patch

@@ -0,0 +1,57 @@
+commit c64e39c69a9a7ee32c00b0cf7918f6274a565544
+Author: Greg Hudson <ghudson@mit.edu>
+Date:   Fri Jan 3 13:50:48 2014 -0500
+
+    Mark AESNI files as not needing executable stacks
+    
+    Some Linux systems now come with facilities to mark the stack as
+    non-executable, making it more difficult to exploit buffer overrun
+    bugs.  For this to work, object files built from assembly need a
+    section added to note whether they require an executable stack.
+    
+    Patch from Dhiru Kholia with comments added.  More information at:
+    https://bugzilla.redhat.com/show_bug.cgi?id=1045699
+    https://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstart
+    
+    ticket: 7813
+    target_version: 1.12.1
+    tags: pullup
+
+diff --git a/src/lib/crypto/builtin/aes/iaesx64.s b/src/lib/crypto/builtin/aes/iaesx64.s
+index 1c091c1..d03c859 100644
+--- a/src/lib/crypto/builtin/aes/iaesx64.s
++++ b/src/lib/crypto/builtin/aes/iaesx64.s
+@@ -834,3 +834,14 @@ lp256encsingle_CBC:
+ 	movdqu [r9],xmm1
+ 	add rsp,16*16+8
+ 	ret
++
++; Mark this file as not needing an executable stack.
++%ifidn __OUTPUT_FORMAT__,elf
++section .note.GNU-stack noalloc noexec nowrite progbits
++%endif
++%ifidn __OUTPUT_FORMAT__,elf32
++section .note.GNU-stack noalloc noexec nowrite progbits
++%endif
++%ifidn __OUTPUT_FORMAT__,elf64
++section .note.GNU-stack noalloc noexec nowrite progbits
++%endif
+diff --git a/src/lib/crypto/builtin/aes/iaesx86.s b/src/lib/crypto/builtin/aes/iaesx86.s
+index b667acd..1aa12e6 100644
+--- a/src/lib/crypto/builtin/aes/iaesx86.s
++++ b/src/lib/crypto/builtin/aes/iaesx86.s
+@@ -871,3 +871,14 @@ lp256encsingle_CBC:
+ 	movdqu	[ecx],xmm1 ; store last iv for chaining
+ 
+ 	ret
++
++; Mark this file as not needing an executable stack.
++%ifidn __OUTPUT_FORMAT__,elf
++section .note.GNU-stack noalloc noexec nowrite progbits
++%endif
++%ifidn __OUTPUT_FORMAT__,elf32
++section .note.GNU-stack noalloc noexec nowrite progbits
++%endif
++%ifidn __OUTPUT_FORMAT__,elf64
++section .note.GNU-stack noalloc noexec nowrite progbits
++%endif

krb5-1.12-ksu-path.patch

@@ -0,0 +1,12 @@
+Set the default PATH to the one set by login.
+
+--- krb5/src/clients/ksu/Makefile.in
++++ krb5/src/clients/ksu/Makefile.in
+@@ -1,6 +1,6 @@
+ mydir=clients$(S)ksu
+ BUILDTOP=$(REL)..$(S)..
+-DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"'
++DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/local/sbin /usr/local/bin /sbin /bin /usr/sbin /usr/bin"'
+ 
+ KSU_LIBS=@KSU_LIBS@
+ PAM_LIBS=@PAM_LIBS@

krb5-1.12-pam.patch

@@ -11,11 +11,10 @@ When enabled, ksu gains a dependency on libpam.
 Originally RT#5939, though it's changed since then to perform the account
 and session management before dropping privileges.
 
-Index: krb5-1.11.1/src/aclocal.m4
-===================================================================
---- krb5-1.11.1.orig/src/aclocal.m4
-+++ krb5-1.11.1/src/aclocal.m4
-@@ -1664,3 +1664,70 @@ AC_DEFUN(KRB5_AC_KEYRING_CCACHE,[
+diff -Naur krb5/src/aclocal.m4 krb5/src/aclocal.m4
+--- krb5/src/aclocal.m4	2014-01-13 17:12:47.509022000 +0100
++++ krb5/src/aclocal.m4	2014-01-13 17:13:24.552689000 +0100
+@@ -1668,3 +1668,70 @@
        ]))
  ])dnl
  dnl
@@ -86,10 +85,9 @@ Index: krb5-1.11.1/src/aclocal.m4
 +AC_SUBST(PAM_MAN)
 +AC_SUBST(NON_PAM_MAN)
 +])dnl
-Index: krb5-1.11.1/src/clients/ksu/main.c
-===================================================================
---- krb5-1.11.1.orig/src/clients/ksu/main.c
-+++ krb5-1.11.1/src/clients/ksu/main.c
+diff -Naur krb5/src/clients/ksu/main.c krb5/src/clients/ksu/main.c
+--- krb5/src/clients/ksu/main.c	2014-01-13 17:12:44.864970000 +0100
++++ krb5/src/clients/ksu/main.c	2014-01-13 17:13:24.563692000 +0100
 @@ -26,6 +26,7 @@
   * KSU was writen by:  Ari Medvinsky, ari@isi.edu
   */
@@ -109,7 +107,7 @@ Index: krb5-1.11.1/src/clients/ksu/main.c
  /* globals */
  char * prog_name;
  int auth_debug =0;
-@@ -40,6 +45,7 @@ char k5login_path[MAXPATHLEN];
+@@ -40,6 +45,7 @@
  char k5users_path[MAXPATHLEN];
  char * gb_err = NULL;
  int quiet = 0;
@@ -117,7 +115,7 @@ Index: krb5-1.11.1/src/clients/ksu/main.c
  /***********/
  
  #define _DEF_CSH "/bin/csh"
-@@ -584,6 +590,25 @@ main (argc, argv)
+@@ -584,6 +590,25 @@
                 prog_name,target_user,client_name,
                 source_user,ontty());
  
@@ -143,7 +141,7 @@ Index: krb5-1.11.1/src/clients/ksu/main.c
          /* Run authorization as target.*/
          if (krb5_seteuid(target_uid)) {
              com_err(prog_name, errno, _("while switching to target for "
-@@ -648,6 +673,26 @@ main (argc, argv)
+@@ -648,6 +673,26 @@
              sweep_up(ksu_context, cc_target);
              exit(1);
          }
@@ -170,7 +168,7 @@ Index: krb5-1.11.1/src/clients/ksu/main.c
      }
  
      if( some_rest_copy){
-@@ -717,6 +762,32 @@ main (argc, argv)
+@@ -717,6 +762,32 @@
          exit(1);
      }
  
@@ -203,7 +201,7 @@ Index: krb5-1.11.1/src/clients/ksu/main.c
      /* set permissions */
      if (setgid(target_pwd->pw_gid) < 0) {
          perror("ksu: setgid");
-@@ -789,7 +860,7 @@ main (argc, argv)
+@@ -789,7 +860,7 @@
          fprintf(stderr, "program to be execed %s\n",params[0]);
      }
  
@@ -212,7 +210,7 @@ Index: krb5-1.11.1/src/clients/ksu/main.c
          execv(params[0], params);
          com_err(prog_name, errno, _("while trying to execv %s"), params[0]);
          sweep_up(ksu_context, cc_target);
-@@ -819,16 +890,35 @@ main (argc, argv)
+@@ -819,16 +890,35 @@
              if (ret_pid == -1) {
                  com_err(prog_name, errno, _("while calling waitpid"));
              }
@@ -249,12 +247,11 @@ Index: krb5-1.11.1/src/clients/ksu/main.c
              exit (1);
          }
      }
-Index: krb5-1.11.1/src/clients/ksu/Makefile.in
-===================================================================
---- krb5-1.11.1.orig/src/clients/ksu/Makefile.in
-+++ krb5-1.11.1/src/clients/ksu/Makefile.in
-@@ -7,12 +7,14 @@ PROG_LIBPATH=-L$(TOPLIBD)
- PROG_RPATH=$(KRB5_LIBDIR)
+diff -Naur krb5/src/clients/ksu/Makefile.in krb5/src/clients/ksu/Makefile.in
+--- krb5/src/clients/ksu/Makefile.in	2014-01-13 17:12:44.868981000 +0100
++++ krb5/src/clients/ksu/Makefile.in	2014-01-13 17:13:24.580690000 +0100
+@@ -3,12 +3,14 @@
+ DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"'
  
  KSU_LIBS=@KSU_LIBS@
 +PAM_LIBS=@PAM_LIBS@
@@ -268,7 +265,7 @@ Index: krb5-1.11.1/src/clients/ksu/Makefile.in
  	$(srcdir)/heuristic.c \
  	$(srcdir)/xmalloc.c \
  	$(srcdir)/setenv.c
-@@ -21,13 +23,17 @@ OBJS = \
+@@ -17,13 +19,17 @@
  	ccache.o \
  	authorization.o \
  	main.o \
@@ -287,10 +284,9 @@ Index: krb5-1.11.1/src/clients/ksu/Makefile.in
  
  clean::
  	$(RM) ksu
-Index: krb5-1.11.1/src/clients/ksu/pam.c
-===================================================================
---- /dev/null
-+++ krb5-1.11.1/src/clients/ksu/pam.c
+diff -Naur krb5/src/clients/ksu/pam.c krb5/src/clients/ksu/pam.c
+--- krb5/src/clients/ksu/pam.c	1970-01-01 01:00:00.000000000 +0100
++++ krb5/src/clients/ksu/pam.c	2014-01-13 17:13:24.589692000 +0100
 @@ -0,0 +1,389 @@
 +/*
 + * src/clients/ksu/pam.c
@@ -681,10 +677,9 @@ Index: krb5-1.11.1/src/clients/ksu/pam.c
 +	return ret;
 +}
 +#endif
-Index: krb5-1.11.1/src/clients/ksu/pam.h
-===================================================================
---- /dev/null
-+++ krb5-1.11.1/src/clients/ksu/pam.h
+diff -Naur krb5/src/clients/ksu/pam.h krb5/src/clients/ksu/pam.h
+--- krb5/src/clients/ksu/pam.h	1970-01-01 01:00:00.000000000 +0100
++++ krb5/src/clients/ksu/pam.h	2014-01-13 17:13:24.595690000 +0100
 @@ -0,0 +1,57 @@
 +/*
 + * src/clients/ksu/pam.h
@@ -743,11 +738,10 @@ Index: krb5-1.11.1/src/clients/ksu/pam.h
 +int appl_pam_cred_init(void);
 +void appl_pam_cleanup(void);
 +#endif
-Index: krb5-1.11.1/src/configure.in
-===================================================================
---- krb5-1.11.1.orig/src/configure.in
-+++ krb5-1.11.1/src/configure.in
-@@ -1244,6 +1244,8 @@ AC_SUBST([VERTO_VERSION])
+diff -Naur krb5/src/configure.in krb5/src/configure.in
+--- krb5/src/configure.in	2014-01-13 17:12:48.401059000 +0100
++++ krb5/src/configure.in	2014-01-13 17:13:24.603693000 +0100
+@@ -1281,6 +1281,8 @@
  
  AC_PATH_PROG(GROFF, groff)
  

krb5-1.12-pic-aes-ni.patch

@@ -0,0 +1,70 @@
+--- krb5-1.12/src/lib/crypto/builtin/aes/iaesx86.s
++++ krb5-1.12/src/lib/crypto/builtin/aes/iaesx86.s
+@@ -256,6 +256,7 @@ DD 0
+ section .text
+ 
+ 
++extern _GLOBAL_OFFSET_TABLE_
+ 
+ align 16
+ key_expansion256:
+@@ -318,12 +319,18 @@ _iEncExpandKey128:
+ 
+ 	mov ecx,[esp-4+8]		;input
+ 	mov edx,[esp-4+12]		;ctx
++	push ebx
+ 
+         movdqu xmm1, [ecx]    ; loading the key
+ 
+         movdqu [edx], xmm1
+ 
+-        movdqa xmm5, [shuffle_mask]
++        call .get_GOT
++.get_GOT:
++        pop ebx
++        add ebx,_GLOBAL_OFFSET_TABLE_+$$-.get_GOT wrt ..gotpc
++
++        movdqa xmm5, [ebx+shuffle_mask wrt ..gotoff]
+ 
+         add edx,16
+ 
+@@ -348,6 +355,8 @@ _iEncExpandKey128:
+         aeskeygenassist xmm2, xmm1, 0x36    ; Generating round key 10
+         call key_expansion128
+ 
++	pop ebx
++
+ 	ret
+ 
+ 
+@@ -412,6 +421,7 @@ global _iEncExpandKey256
+ _iEncExpandKey256:
+ 	mov ecx, [esp-4+8]		;input
+ 	mov edx, [esp-4+12]		;expanded key
++	push ebx
+ 
+ 
+     movdqu xmm1, [ecx]    ; loading the key
+@@ -421,7 +431,12 @@ _iEncExpandKey256:
+ 
+     add edx,32
+ 
+-    movdqa xmm5, [shuffle_mask]  ; this mask is used by key_expansion
++    call .get_GOT
++.get_GOT:
++    pop ebx
++    add ebx,_GLOBAL_OFFSET_TABLE_+$$-.get_GOT wrt ..gotpc
++
++    movdqa xmm5, [ebx+shuffle_mask wrt ..gotoff] ; this mask is used by key_expansion
+ 
+     aeskeygenassist xmm2, xmm3, 0x1     ;
+     call key_expansion256
+@@ -452,6 +467,8 @@ _iEncExpandKey256:
+     movdqu [edx], xmm1
+ 
+ 
++	pop ebx
++
+ 	ret
+ 
+ 

krb5-1.12-selinux-label.patch

@@ -31,11 +31,9 @@ The selabel APIs for looking up the context should be thread-safe (per
 Red Hat #273081), so switching to using them instead of matchpathcon(),
 which we used earlier, is some improvement.
 
-Index: krb5-1.11.1/src/aclocal.m4
-===================================================================
---- krb5-1.11.1.orig/src/aclocal.m4
-+++ krb5-1.11.1/src/aclocal.m4
-@@ -84,6 +84,7 @@ AC_SUBST_FILE(libnodeps_frag)
+--- krb5/src/aclocal.m4
++++ krb5/src/aclocal.m4
+@@ -103,6 +103,7 @@ AC_SUBST_FILE(libnodeps_frag)
  dnl
  KRB5_AC_PRAGMA_WEAK_REF
  WITH_LDAP
@@ -43,7 +41,7 @@ Index: krb5-1.11.1/src/aclocal.m4
  KRB5_LIB_PARAMS
  KRB5_AC_INITFINI
  KRB5_AC_ENABLE_THREADS
-@@ -1731,3 +1732,51 @@ AC_SUBST(PAM_LIBS)
+@@ -1791,3 +1792,51 @@ AC_SUBST(manlocalstatedir)
  AC_SUBST(PAM_MAN)
  AC_SUBST(NON_PAM_MAN)
  ])dnl
@@ -95,19 +93,17 @@ Index: krb5-1.11.1/src/aclocal.m4
 +LIBS="$old_LIBS"
 +AC_SUBST(SELINUX_LIBS)
 +])dnl
-Index: krb5-1.11.1/src/config/pre.in
-===================================================================
---- krb5-1.11.1.orig/src/config/pre.in
-+++ krb5-1.11.1/src/config/pre.in
-@@ -178,6 +178,7 @@ LD_UNRESOLVED_PREFIX = @LD_UNRESOLVED_PR
- LD_SHLIBDIR_PREFIX = @LD_SHLIBDIR_PREFIX@
- LDARGS = @LDARGS@
+--- krb5/src/config/pre.in
++++ krb5/src/config/pre.in
+@@ -180,6 +180,7 @@ LD_UNRESOLVED_PREFIX = @LD_UNRESOLVED_PREFIX@
+ KRB_INCLUDES = -I$(BUILDTOP)/include -I$(top_srcdir)/include
+ LDFLAGS = @LDFLAGS@
  LIBS = @LIBS@
 +SELINUX_LIBS=@SELINUX_LIBS@
  
  INSTALL=@INSTALL@
  INSTALL_STRIP=
-@@ -403,7 +404,7 @@ SUPPORT_LIB			= -l$(SUPPORT_LIBNAME)
+@@ -379,7 +380,7 @@ SUPPORT_LIB			= -l$(SUPPORT_LIBNAME)
  # HESIOD_LIBS is -lhesiod...
  HESIOD_LIBS	= @HESIOD_LIBS@
  
@@ -116,11 +112,9 @@ Index: krb5-1.11.1/src/config/pre.in
  KDB5_LIBS	= $(KDB5_LIB) $(GSSRPC_LIBS)
  GSS_LIBS	= $(GSS_KRB5_LIB)
  # needs fixing if ever used on Mac OS X!
-Index: krb5-1.11.1/src/configure.in
-===================================================================
---- krb5-1.11.1.orig/src/configure.in
-+++ krb5-1.11.1/src/configure.in
-@@ -1246,6 +1246,8 @@ AC_PATH_PROG(GROFF, groff)
+--- krb5/src/configure.in
++++ krb5/src/configure.in
+@@ -1053,6 +1053,8 @@ fi
  
  KRB5_WITH_PAM
  
@@ -129,22 +123,18 @@ Index: krb5-1.11.1/src/configure.in
  # Make localedir work in autoconf 2.5x.
  if test "${localedir+set}" != set; then
      localedir='$(datadir)/locale'
-Index: krb5-1.11.1/src/include/k5-int.h
-===================================================================
---- krb5-1.11.1.orig/src/include/k5-int.h
-+++ krb5-1.11.1/src/include/k5-int.h
+--- krb5/src/include/k5-int.h
++++ krb5/src/include/k5-int.h
 @@ -133,6 +133,7 @@ typedef unsigned char   u_char;
  typedef UINT64_TYPE krb5_ui_8;
  typedef INT64_TYPE krb5_int64;
  
 +#include "k5-label.h"
  
- #define DEFAULT_PWD_STRING1 "Enter password"
- #define DEFAULT_PWD_STRING2 "Re-enter password for verification"
-Index: krb5-1.11.1/src/include/k5-label.h
-===================================================================
---- /dev/null
-+++ krb5-1.11.1/src/include/k5-label.h
+ #define KRB5_KDB_MAX_LIFE       (60*60*24) /* one day */
+ #define KRB5_KDB_MAX_RLIFE      (60*60*24*7) /* one week */
+--- krb5/src/include/k5-label.h
++++ krb5/src/include/k5-label.h
 @@ -0,0 +1,32 @@
 +#ifndef _KRB5_LABEL_H
 +#define _KRB5_LABEL_H
@@ -178,10 +168,8 @@ Index: krb5-1.11.1/src/include/k5-label.h
 +#define THREEPARAMOPEN(x,y,z) open(x,y,z)
 +#endif
 +#endif
-Index: krb5-1.11.1/src/include/krb5/krb5.hin
-===================================================================
---- krb5-1.11.1.orig/src/include/krb5/krb5.hin
-+++ krb5-1.11.1/src/include/krb5/krb5.hin
+--- krb5/src/include/krb5/krb5.hin
++++ krb5/src/include/krb5/krb5.hin
 @@ -87,6 +87,12 @@
  #define THREEPARAMOPEN(x,y,z) open(x,y,z)
  #endif
@@ -195,10 +183,8 @@ Index: krb5-1.11.1/src/include/krb5/krb5.hin
  #define KRB5_OLD_CRYPTO
  
  #include <stdlib.h>
-Index: krb5-1.11.1/src/kadmin/dbutil/dump.c
-===================================================================
---- krb5-1.11.1.orig/src/kadmin/dbutil/dump.c
-+++ krb5-1.11.1/src/kadmin/dbutil/dump.c
+--- krb5/src/kadmin/dbutil/dump.c
++++ krb5/src/kadmin/dbutil/dump.c
 @@ -376,12 +376,21 @@ create_ofile(char *ofile, char **tmpname
  {
      int fd = -1;
@@ -221,7 +207,7 @@ Index: krb5-1.11.1/src/kadmin/dbutil/dump.c
      if (fd == -1)
          goto error;
  
-@@ -505,7 +514,7 @@ prep_ok_file(krb5_context context, char
+@@ -514,7 +514,7 @@ prep_ok_file(krb5_context context, char
          return 0;
      }
  
@@ -230,11 +216,9 @@ Index: krb5-1.11.1/src/kadmin/dbutil/dump.c
      if (*fd == -1) {
          com_err(progname, errno, _("while creating 'ok' file, '%s'"), file_ok);
          exit_status++;
-Index: krb5-1.11.1/src/krb5-config.in
-===================================================================
---- krb5-1.11.1.orig/src/krb5-config.in
-+++ krb5-1.11.1/src/krb5-config.in
-@@ -41,6 +41,7 @@ DL_LIB='@DL_LIB@'
+--- krb5/src/build-tools/krb5-config.in
++++ krb5/src/build-tools/krb5-config.in
+@@ -38,6 +38,7 @@ RPATH_FLAG='@RPATH_FLAG@'
  DEFCCNAME='@DEFCCNAME@'
  DEFKTNAME='@DEFKTNAME@'
  DEFCKTNAME='@DEFCKTNAME@'
@@ -242,7 +226,7 @@ Index: krb5-1.11.1/src/krb5-config.in
  
  LIBS='@LIBS@'
  GEN_LIB=@GEN_LIB@
-@@ -258,7 +259,7 @@ if test -n "$do_libs"; then
+@@ -218,7 +219,7 @@
      fi
  
      # If we ever support a flag to generate output suitable for static
@@ -251,11 +235,9 @@ Index: krb5-1.11.1/src/krb5-config.in
      # here.
  
      echo $lib_flags
-Index: krb5-1.11.1/src/lib/kadm5/logger.c
-===================================================================
---- krb5-1.11.1.orig/src/lib/kadm5/logger.c
-+++ krb5-1.11.1/src/lib/kadm5/logger.c
-@@ -423,7 +423,7 @@ krb5_klog_init(krb5_context kcontext, ch
+--- krb5/src/lib/kadm5/logger.c
++++ krb5/src/lib/kadm5/logger.c
+@@ -425,7 +425,7 @@ krb5_klog_init(krb5_context kcontext, ch
                       * Check for append/overwrite, then open the file.
                       */
                      if (cp[4] == ':' || cp[4] == '=') {
@@ -264,7 +246,7 @@ Index: krb5-1.11.1/src/lib/kadm5/logger.c
                          if (f) {
                              set_cloexec_file(f);
                              log_control.log_entries[i].lfu_filep = f;
-@@ -959,7 +959,7 @@ krb5_klog_reopen(krb5_context kcontext)
+@@ -961,7 +961,7 @@ krb5_klog_reopen(krb5_context kcontext)
               * In case the old logfile did not get moved out of the
               * way, open for append to prevent squashing the old logs.
               */
@@ -273,11 +255,9 @@ Index: krb5-1.11.1/src/lib/kadm5/logger.c
              if (f) {
                  set_cloexec_file(f);
                  log_control.log_entries[lindex].lfu_filep = f;
-Index: krb5-1.11.1/src/lib/krb5/keytab/kt_file.c
-===================================================================
---- krb5-1.11.1.orig/src/lib/krb5/keytab/kt_file.c
-+++ krb5-1.11.1/src/lib/krb5/keytab/kt_file.c
-@@ -1039,7 +1039,7 @@ krb5_ktfileint_open(krb5_context context
+--- krb5/src/lib/krb5/keytab/kt_file.c
++++ krb5/src/lib/krb5/keytab/kt_file.c
+@@ -1050,7 +1050,7 @@ krb5_ktfileint_open(krb5_context context
  
      KTCHECKLOCK(id);
      errno = 0;
@@ -286,20 +266,18 @@ Index: krb5-1.11.1/src/lib/krb5/keytab/kt_file.c
                          (mode == KRB5_LOCKMODE_EXCLUSIVE) ?
                          fopen_mode_rbplus : fopen_mode_rb);
      if (!KTFILEP(id)) {
-@@ -1047,7 +1047,7 @@ krb5_ktfileint_open(krb5_context context
+@@ -1058,7 +1058,7 @@ krb5_ktfileint_open(krb5_context context
              /* try making it first time around */
-             krb5_create_secure_file(context, KTFILENAME(id));
+             k5_create_secure_file(context, KTFILENAME(id));
              errno = 0;
 -            KTFILEP(id) = fopen(KTFILENAME(id), fopen_mode_rbplus);
 +            KTFILEP(id) = WRITABLEFOPEN(KTFILENAME(id), fopen_mode_rbplus);
              if (!KTFILEP(id))
                  goto report_errno;
              writevno = 1;
-Index: krb5-1.11.1/src/plugins/kdb/db2/adb_openclose.c
-===================================================================
---- krb5-1.11.1.orig/src/plugins/kdb/db2/adb_openclose.c
-+++ krb5-1.11.1/src/plugins/kdb/db2/adb_openclose.c
-@@ -147,7 +147,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char
+--- krb5/src/plugins/kdb/db2/adb_openclose.c
++++ krb5/src/plugins/kdb/db2/adb_openclose.c
+@@ -201,7 +201,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char 
           * POSIX systems
           */
          lockp->lockinfo.filename = strdup(lockfilename);
@@ -308,10 +286,8 @@ Index: krb5-1.11.1/src/plugins/kdb/db2/adb_openclose.c
              /*
               * maybe someone took away write permission so we could only
               * get shared locks?
-Index: krb5-1.11.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c
-===================================================================
---- krb5-1.11.1.orig/src/plugins/kdb/db2/libdb2/btree/bt_open.c
-+++ krb5-1.11.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c
+--- krb5/src/plugins/kdb/db2/libdb2/btree/bt_open.c
++++ krb5/src/plugins/kdb/db2/libdb2/btree/bt_open.c
 @@ -60,6 +60,7 @@ static char sccsid[] = "@(#)bt_open.c	8.
  
  #include "k5-platform.h"	/* mkstemp? */
@@ -320,7 +296,7 @@ Index: krb5-1.11.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c
  #include "db-int.h"
  #include "btree.h"
  
-@@ -203,7 +204,7 @@ __bt_open(fname, flags, mode, openinfo,
+@@ -203,7 +204,7 @@ __bt_open(fname, flags, mode, openinfo, 
  			goto einval;
  		}
  
@@ -329,11 +305,9 @@ Index: krb5-1.11.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c
  			goto err;
  
  	} else {
-Index: krb5-1.11.1/src/plugins/kdb/db2/libdb2/hash/hash.c
-===================================================================
---- krb5-1.11.1.orig/src/plugins/kdb/db2/libdb2/hash/hash.c
-+++ krb5-1.11.1/src/plugins/kdb/db2/libdb2/hash/hash.c
-@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c	8.12
+--- krb5/src/plugins/kdb/db2/libdb2/hash/hash.c
++++ krb5/src/plugins/kdb/db2/libdb2/hash/hash.c
+@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c	8.12 
  #include <assert.h>
  #endif
  
@@ -350,24 +324,8 @@ Index: krb5-1.11.1/src/plugins/kdb/db2/libdb2/hash/hash.c
  			RETURN_ERROR(errno, error0);
  		(void)fcntl(hashp->fp, F_SETFD, 1);
  	}
-Index: krb5-1.11.1/src/plugins/kdb/db2/libdb2/test/Makefile.in
-===================================================================
---- krb5-1.11.1.orig/src/plugins/kdb/db2/libdb2/test/Makefile.in
-+++ krb5-1.11.1/src/plugins/kdb/db2/libdb2/test/Makefile.in
-@@ -12,7 +12,8 @@ PROG_RPATH=$(KRB5_LIBDIR)
- 
- KRB5_RUN_ENV= @KRB5_RUN_ENV@
- 
--DB_LIB		= -ldb
-+DB_LIB		= -ldb $(SUPPORT_DEPLIB)
-+
- DB_DEPLIB	= ../libdb$(DEPLIBEXT)
- 
- all::
-Index: krb5-1.11.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
-===================================================================
---- krb5-1.11.1.orig/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
-+++ krb5-1.11.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
+--- krb5/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
++++ krb5/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
 @@ -179,7 +179,7 @@ done:
  
      /* set password in the file */
@@ -401,11 +359,9 @@ Index: krb5-1.11.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
          umask (omask);
          if (newfile == NULL) {
              com_err(me, errno, _("Error creating file %s"), tmp_file);
-Index: krb5-1.11.1/src/slave/kpropd.c
-===================================================================
---- krb5-1.11.1.orig/src/slave/kpropd.c
-+++ krb5-1.11.1/src/slave/kpropd.c
-@@ -459,6 +459,9 @@ void doit(fd)
+--- krb5/src/slave/kpropd.c
++++ krb5/src/slave/kpropd.c
+@@ -437,6 +437,9 @@ void doit(fd)
      krb5_enctype etype;
      int database_fd;
      char host[INET6_ADDRSTRLEN+1];
@@ -415,7 +371,7 @@ Index: krb5-1.11.1/src/slave/kpropd.c
  
      signal_wrapper(SIGALRM, alarm_handler);
      alarm(params.iprop_resync_timeout);
-@@ -516,9 +519,15 @@ void doit(fd)
+@@ -515,9 +518,15 @@ void doit(fd)
          free(name);
          exit(1);
      }
@@ -431,10 +387,8 @@ Index: krb5-1.11.1/src/slave/kpropd.c
      retval = krb5_lock_file(kpropd_context, lock_fd,
                              KRB5_LOCKMODE_EXCLUSIVE|KRB5_LOCKMODE_DONTBLOCK);
      if (retval) {
-Index: krb5-1.11.1/src/util/profile/prof_file.c
-===================================================================
---- krb5-1.11.1.orig/src/util/profile/prof_file.c
-+++ krb5-1.11.1/src/util/profile/prof_file.c
+--- krb5/src/util/profile/prof_file.c
++++ krb5/src/util/profile/prof_file.c
 @@ -30,6 +30,7 @@
  #endif
  
@@ -443,7 +397,7 @@ Index: krb5-1.11.1/src/util/profile/prof_file.c
  
  struct global_shared_profile_data {
      /* This is the head of the global list of shared trees */
-@@ -423,7 +424,7 @@ static errcode_t write_data_to_file(prf_
+@@ -418,7 +419,7 @@ static errcode_t write_data_to_file(prf_
  
      errno = 0;
  
@@ -452,11 +406,9 @@ Index: krb5-1.11.1/src/util/profile/prof_file.c
      if (!f) {
          retval = errno;
          if (retval == 0)
-Index: krb5-1.11.1/src/util/support/Makefile.in
-===================================================================
---- krb5-1.11.1.orig/src/util/support/Makefile.in
-+++ krb5-1.11.1/src/util/support/Makefile.in
-@@ -64,6 +64,7 @@ IPC_SYMS= \
+--- krb5/src/util/support/Makefile.in
++++ krb5/src/util/support/Makefile.in
+@@ -54,6 +54,7 @@ IPC_SYMS= \
  
  STLIBOBJS= \
  	threads.o \
@@ -464,22 +416,20 @@ Index: krb5-1.11.1/src/util/support/Makefile.in
  	init-addrinfo.o \
  	plugins.o \
  	errors.o \
-@@ -135,7 +136,7 @@ SRCS=\
+@@ -108,7 +109,7 @@ SRCS=\
  
  SHLIB_EXPDEPS =
  # Add -lm if dumping thread stats, for sqrt.
 -SHLIB_EXPLIBS= $(LIBS) $(DL_LIB)
 +SHLIB_EXPLIBS= $(LIBS) $(SELINUX_LIBS) $(DL_LIB)
- SHLIB_DIRS=
- SHLIB_RDIRS=$(KRB5_LIBDIR)
  
-Index: krb5-1.11.1/src/util/support/selinux.c
-===================================================================
---- /dev/null
-+++ krb5-1.11.1/src/util/support/selinux.c
-@@ -0,0 +1,405 @@
+ DEPLIBS=
+ 
+--- krb5/src/util/support/selinux.c
++++ krb5/src/util/support/selinux.c
+@@ -0,0 +1,381 @@
 +/*
-+ * Copyright 2007,2008,2009,2011,2012 Red Hat, Inc.  All Rights Reserved.
++ * Copyright 2007,2008,2009,2011,2012,2013 Red Hat, Inc.  All Rights Reserved.
 + *
 + * Redistribution and use in source and binary forms, with or without
 + * modification, are permitted provided that the following conditions are met:
@@ -735,15 +685,12 @@ Index: krb5-1.11.1/src/util/support/selinux.c
 +	struct stat st;
 +	void *retval;
 +	k5_once(&labeled_once, label_mutex_init);
-+	if (k5_mutex_lock(&labeled_mutex) == 0) {
-+		if (stat(pathname, &st) != 0) {
-+			st.st_mode = S_IRUSR | S_IWUSR;
-+		}
-+		retval = push_fscreatecon(pathname, st.st_mode);
-+		return retval ? retval : (void *) -1;
-+	} else {
-+		return NULL;
++	k5_mutex_lock(&labeled_mutex);
++	if (stat(pathname, &st) != 0) {
++		st.st_mode = S_IRUSR | S_IWUSR;
 +	}
++	retval = push_fscreatecon(pathname, st.st_mode);
++	return retval ? retval : (void *) -1;
 +}
 +
 +void
@@ -768,17 +715,13 @@ Index: krb5-1.11.1/src/util/support/selinux.c
 +	}
 +
 +	k5_once(&labeled_once, label_mutex_init);
-+	if (k5_mutex_lock(&labeled_mutex) == 0) {
-+		ctx = push_fscreatecon(path, 0);
-+		fp = fopen(path, mode);
-+		errno_save = errno;
-+		pop_fscreatecon(ctx);
-+		k5_mutex_unlock(&labeled_mutex);
-+		errno = errno_save;
-+	} else {
-+		fp = fopen(path, mode);
-+	}
-+
++	k5_mutex_lock(&labeled_mutex);
++	ctx = push_fscreatecon(path, 0);
++	fp = fopen(path, mode);
++	errno_save = errno;
++	pop_fscreatecon(ctx);
++	k5_mutex_unlock(&labeled_mutex);
++	errno = errno_save;
 +	return fp;
 +}
 +
@@ -790,16 +733,13 @@ Index: krb5-1.11.1/src/util/support/selinux.c
 +	security_context_t ctx;
 +
 +	k5_once(&labeled_once, label_mutex_init);
-+	if (k5_mutex_lock(&labeled_mutex) == 0) {
-+		ctx = push_fscreatecon(path, 0);
-+		fd = creat(path, mode);
-+		errno_save = errno;
-+		pop_fscreatecon(ctx);
-+		k5_mutex_unlock(&labeled_mutex);
-+		errno = errno_save;
-+	} else {
-+		fd = creat(path, mode);
-+	}
++	k5_mutex_lock(&labeled_mutex);
++	ctx = push_fscreatecon(path, 0);
++	fd = creat(path, mode);
++	errno_save = errno;
++	pop_fscreatecon(ctx);
++	k5_mutex_unlock(&labeled_mutex);
++	errno = errno_save;
 +	return fd;
 +}
 +
@@ -811,16 +751,13 @@ Index: krb5-1.11.1/src/util/support/selinux.c
 +	security_context_t ctx;
 +
 +	k5_once(&labeled_once, label_mutex_init);
-+	if (k5_mutex_lock(&labeled_mutex) == 0) {
-+		ctx = push_fscreatecon(path, mode);
-+		ret = mknod(path, mode, dev);
-+		errno_save = errno;
-+		pop_fscreatecon(ctx);
-+		k5_mutex_unlock(&labeled_mutex);
-+		errno = errno_save;
-+	} else {
-+		ret = mknod(path, mode, dev);
-+	}
++	k5_mutex_lock(&labeled_mutex);
++	ctx = push_fscreatecon(path, mode);
++	ret = mknod(path, mode, dev);
++	errno_save = errno;
++	pop_fscreatecon(ctx);
++	k5_mutex_unlock(&labeled_mutex);
++	errno = errno_save;
 +	return ret;
 +}
 +
@@ -832,16 +769,13 @@ Index: krb5-1.11.1/src/util/support/selinux.c
 +	security_context_t ctx;
 +
 +	k5_once(&labeled_once, label_mutex_init);
-+	if (k5_mutex_lock(&labeled_mutex) == 0) {
-+		ctx = push_fscreatecon(path, S_IFDIR);
-+		ret = mkdir(path, mode);
-+		errno_save = errno;
-+		pop_fscreatecon(ctx);
-+		k5_mutex_unlock(&labeled_mutex);
-+		errno = errno_save;
-+	} else {
-+		ret = mkdir(path, mode);
-+	}
++	k5_mutex_lock(&labeled_mutex);
++	ctx = push_fscreatecon(path, S_IFDIR);
++	ret = mkdir(path, mode);
++	errno_save = errno;
++	pop_fscreatecon(ctx);
++	k5_mutex_unlock(&labeled_mutex);
++	errno = errno_save;
 +	return ret;
 +}
 +
@@ -859,35 +793,25 @@ Index: krb5-1.11.1/src/util/support/selinux.c
 +	}
 +
 +	k5_once(&labeled_once, label_mutex_init);
-+	if (k5_mutex_lock(&labeled_mutex) == 0) {
-+		ctx = push_fscreatecon(path, 0);
++	k5_mutex_lock(&labeled_mutex);
++	ctx = push_fscreatecon(path, 0);
 +
-+		va_start(ap, flags);
-+		mode = va_arg(ap, mode_t);
-+		fd = open(path, flags, mode);
-+		va_end(ap);
++	va_start(ap, flags);
++	mode = va_arg(ap, mode_t);
++	fd = open(path, flags, mode);
++	va_end(ap);
 +
-+		errno_save = errno;
-+		pop_fscreatecon(ctx);
-+		k5_mutex_unlock(&labeled_mutex);
-+		errno = errno_save;
-+	} else {
-+		va_start(ap, flags);
-+		mode = va_arg(ap, mode_t);
-+		fd = open(path, flags, mode);
-+		errno_save = errno;
-+		va_end(ap);
-+		errno = errno_save;
-+	}
++	errno_save = errno;
++	pop_fscreatecon(ctx);
++	k5_mutex_unlock(&labeled_mutex);
++	errno = errno_save;
 +	return fd;
 +}
 +
 +#endif
-Index: krb5-1.11.1/src/lib/krb5/rcache/rc_dfl.c
-===================================================================
---- krb5-1.11.1.orig/src/lib/krb5/rcache/rc_dfl.c
-+++ krb5-1.11.1/src/lib/krb5/rcache/rc_dfl.c
-@@ -812,6 +812,9 @@ krb5_rc_dfl_expunge_locked(krb5_context
+--- krb5/src/lib/krb5/rcache/rc_dfl.c
++++ krb5/src/lib/krb5/rcache/rc_dfl.c
+@@ -813,6 +813,9 @@ krb5_rc_dfl_expunge_locked(krb5_context 
      krb5_error_code retval = 0;
      krb5_rcache tmp;
      krb5_deltat lifespan = t->lifespan;  /* save original lifespan */
@@ -897,7 +821,7 @@ Index: krb5-1.11.1/src/lib/krb5/rcache/rc_dfl.c
  
      if (! t->recovering) {
          name = t->name;
-@@ -833,7 +836,17 @@ krb5_rc_dfl_expunge_locked(krb5_context
+@@ -834,7 +837,17 @@ krb5_rc_dfl_expunge_locked(krb5_context 
      retval = krb5_rc_resolve(context, tmp, 0);
      if (retval)
          goto cleanup;
@@ -915,10 +839,8 @@ Index: krb5-1.11.1/src/lib/krb5/rcache/rc_dfl.c
      if (retval)
          goto cleanup;
      for (q = t->a; q; q = q->na) {
-Index: krb5-1.11.1/src/lib/krb5/ccache/cc_dir.c
-===================================================================
---- krb5-1.11.1.orig/src/lib/krb5/ccache/cc_dir.c
-+++ krb5-1.11.1/src/lib/krb5/ccache/cc_dir.c
+--- krb5/src/lib/krb5/ccache/cc_dir.c
++++ krb5/src/lib/krb5/ccache/cc_dir.c
 @@ -185,10 +185,19 @@ write_primary_file(const char *primary_p
      char *newpath = NULL;
      FILE *fp = NULL;
@@ -939,10 +861,34 @@ Index: krb5-1.11.1/src/lib/krb5/ccache/cc_dir.c
      if (fd < 0)
          goto cleanup;
  #ifdef HAVE_CHMOD
-Index: krb5-1.11.1/src/lib/krb5/os/trace.c
-===================================================================
---- krb5-1.11.1.orig/src/lib/krb5/os/trace.c
-+++ krb5-1.11.1/src/lib/krb5/os/trace.c
+@@ -223,10 +232,23 @@
+ verify_dir(krb5_context context, const char *dirname)
+ {
+     struct stat st;
++    int status;
++#ifdef USE_SELINUX
++    void *selabel;
++#endif
+ 
+     if (stat(dirname, &st) < 0) {
+-        if (errno == ENOENT && mkdir(dirname, S_IRWXU) == 0)
+-            return 0;
++        if (errno == ENOENT) {
++#ifdef USE_SELINUX
++            selabel = krb5int_push_fscreatecon_for(dirname);
++#endif
++            status = mkdir(dirname, S_IRWXU);
++#ifdef USE_SELINUX
++            krb5int_pop_fscreatecon(selabel);
++#endif
++            if (status == 0)
++                return 0;
++        }
+         krb5_set_error_message(context, KRB5_FCC_NOFILE,
+                                _("Credential cache directory %s does not "
+                                  "exist"), dirname);
+--- krb5/src/lib/krb5/os/trace.c
++++ krb5/src/lib/krb5/os/trace.c
 @@ -401,7 +401,7 @@ krb5_set_trace_filename(krb5_context con
      fd = malloc(sizeof(*fd));
      if (fd == NULL)
@@ -952,11 +898,9 @@ Index: krb5-1.11.1/src/lib/krb5/os/trace.c
      if (*fd == -1) {
          free(fd);
          return errno;
-Index: krb5-1.11.1/src/plugins/kdb/db2/kdb_db2.c
-===================================================================
---- krb5-1.11.1.orig/src/plugins/kdb/db2/kdb_db2.c
-+++ krb5-1.11.1/src/plugins/kdb/db2/kdb_db2.c
-@@ -681,8 +681,8 @@ ctx_create_db(krb5_context context, krb5
+--- krb5/src/plugins/kdb/db2/kdb_db2.c
++++ krb5/src/plugins/kdb/db2/kdb_db2.c
+@@ -683,8 +683,8 @@
      if (retval)
          return retval;
  
@@ -967,11 +911,9 @@ Index: krb5-1.11.1/src/plugins/kdb/db2/kdb_db2.c
      if (dbc->db_lf_file < 0) {
          retval = errno;
          goto cleanup;
-Index: krb5-1.11.1/src/plugins/kdb/db2/libdb2/recno/rec_open.c
-===================================================================
---- krb5-1.11.1.orig/src/plugins/kdb/db2/libdb2/recno/rec_open.c
-+++ krb5-1.11.1/src/plugins/kdb/db2/libdb2/recno/rec_open.c
-@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)rec_open.c	8
+--- krb5/src/plugins/kdb/db2/libdb2/recno/rec_open.c
++++ krb5/src/plugins/kdb/db2/libdb2/recno/rec_open.c
+@@ -51,6 +51,7 @@
  #include <stdio.h>
  #include <unistd.h>
  
@@ -979,7 +921,7 @@ Index: krb5-1.11.1/src/plugins/kdb/db2/libdb2/recno/rec_open.c
  #include "db-int.h"
  #include "recno.h"
  
-@@ -68,7 +69,8 @@ __rec_open(fname, flags, mode, openinfo,
+@@ -68,7 +69,8 @@
  	int rfd = -1, sverrno;
  
  	/* Open the user's file -- if this fails, we're done. */
@@ -989,11 +931,9 @@ Index: krb5-1.11.1/src/plugins/kdb/db2/libdb2/recno/rec_open.c
  		return (NULL);
  
  	if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) {
-Index: krb5-1.11.1/src/kdc/main.c
-===================================================================
---- krb5-1.11.1.orig/src/kdc/main.c
-+++ krb5-1.11.1/src/kdc/main.c
-@@ -902,7 +902,7 @@ write_pid_file(const char *path)
+--- krb5/src/kdc/main.c
++++ krb5/src/kdc/main.c
+@@ -905,7 +905,7 @@ write_pid_file(const char *path)
      FILE *file;
      unsigned long pid;
  
@@ -1002,24 +942,20 @@ Index: krb5-1.11.1/src/kdc/main.c
      if (file == NULL)
          return errno;
      pid = (unsigned long) getpid();
-Index: krb5-1.11.1/src/lib/kdb/kdb_log.c
-===================================================================
---- krb5-1.11.1.orig/src/lib/kdb/kdb_log.c
-+++ krb5-1.11.1/src/lib/kdb/kdb_log.c
-@@ -604,7 +604,7 @@ ulog_map(krb5_context context, const cha
-             return (errno);
-         }
+--- krb5/src/lib/kdb/kdb_log.c
++++ krb5/src/lib/kdb/kdb_log.c
+@@ -566,7 +566,7 @@ ulog_map(krb5_context context, const cha
+         if (caller == FKPROPLOG)
+             return errno;
  
 -        ulogfd = open(logname, O_RDWR | O_CREAT, 0600);
 +        ulogfd = THREEPARAMOPEN(logname, O_RDWR | O_CREAT, 0600);
-         if (ulogfd == -1) {
-             return (errno);
-         }
-Index: krb5-1.11.1/src/util/gss-kernel-lib/Makefile.in
-===================================================================
---- krb5-1.11.1.orig/src/util/gss-kernel-lib/Makefile.in
-+++ krb5-1.11.1/src/util/gss-kernel-lib/Makefile.in
-@@ -66,6 +66,7 @@ HEADERS= \
+         if (ulogfd == -1)
+             return errno;
+ 
+--- krb5/src/util/gss-kernel-lib/Makefile.in
++++ krb5/src/util/gss-kernel-lib/Makefile.in
+@@ -60,6 +60,7 @@ HEADERS= \
  	gssapi_err_generic.h \
  	k5-int.h \
  	k5-int-pkinit.h \
@@ -1027,7 +963,7 @@ Index: krb5-1.11.1/src/util/gss-kernel-lib/Makefile.in
  	k5-thread.h \
  	k5-platform.h \
  	k5-buf.h \
-@@ -167,10 +168,12 @@ gssapi_generic.h: $(GSS_GENERIC)/gssapi_
+@@ -166,10 +167,12 @@ gssapi_generic.h: $(GSS_GENERIC)/gssapi_
  	$(CP) $(GSS_GENERIC)/gssapi_generic.h $@
  gssapi_err_generic.h: $(GSS_GENERIC_BUILD)/gssapi_err_generic.h
  	$(CP) $(GSS_GENERIC_BUILD)/gssapi_err_generic.h $@

krb5-1.12.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7199ba74bdfd06caf02d1ee189563c33aa0274b809ab511ab0f1fb3e05ccce5a
+size 11925134

krb5-1.8-api.patch

@@ -1,31 +0,0 @@
-Reference docs don't define what happens if you call krb5_realm_compare() with
-malformed krb5_principal structures.  Define a behavior which keeps it from
-crashing if applications don't check ahead of time.
-
-Index: krb5-1.10.2/src/lib/krb5/krb/princ_comp.c
-===================================================================
---- krb5-1.10.2.orig/src/lib/krb5/krb/princ_comp.c
-+++ krb5-1.10.2/src/lib/krb5/krb/princ_comp.c
-@@ -36,6 +36,12 @@ realm_compare_flags(krb5_context context
-     const krb5_data *realm1 = krb5_princ_realm(context, princ1);
-     const krb5_data *realm2 = krb5_princ_realm(context, princ2);
- 
-+    if ((princ1 == NULL) || (princ2 == NULL))
-+        return FALSE;
-+
-+    if ((realm1 == NULL) || (realm2 == NULL))
-+        return FALSE;
-+
-     if (realm1->length != realm2->length)
-         return FALSE;
- 
-@@ -87,6 +93,9 @@ krb5_principal_compare_flags(krb5_contex
-     krb5_principal upn2 = NULL;
-     krb5_boolean ret = FALSE;
- 
-+    if ((princ1 == NULL) || (princ2 == NULL))
-+        return FALSE;
-+
-     if (flags & KRB5_PRINCIPAL_COMPARE_ENTERPRISE) {
-         /* Treat UPNs as if they were real principals */
-         if (krb5_princ_type(context, princ1) == KRB5_NT_ENTERPRISE_PRINCIPAL) {

krb5-1.9-debuginfo.patch

@@ -6,7 +6,7 @@ Index: src/kadmin/cli/Makefile.in
 ===================================================================
 --- src/kadmin/cli/Makefile.in.orig
 +++ src/kadmin/cli/Makefile.in
-@@ -40,3 +40,8 @@ clean-unix::
+@@ -43,3 +43,8 @@ clean-unix::
  # CC_LINK is not meant for compilation and this use may break in the future.
  datetest: getdate.c
  	$(CC_LINK) $(ALL_CFLAGS) -DTEST -o datetest getdate.c

krb5-1.9-kprop-mktemp.patch

@@ -4,7 +4,7 @@ Index: krb5-1.11/src/slave/kprop.c
 ===================================================================
 --- krb5-1.11.orig/src/slave/kprop.c
 +++ krb5-1.11/src/slave/kprop.c
-@@ -187,9 +187,8 @@ void PRS(argc, argv)
+@@ -202,9 +202,8 @@ void PRS(argc, argv)
  void get_tickets(context)
      krb5_context context;
  {
@@ -15,7 +15,7 @@ Index: krb5-1.11/src/slave/kprop.c
      krb5_keytab keytab = NULL;
  
      /*
-@@ -230,11 +229,8 @@ void get_tickets(context)
+@@ -229,11 +228,8 @@ void get_tickets(context)
  #endif
  
      /*

krb5-1.9-ksu-path.patch

@@ -1,13 +0,0 @@
-Set the default PATH to the one set by login.
-
-diff -up krb5-1.9/src/clients/ksu/Makefile.in.ksu-path krb5-1.9/src/clients/ksu/Makefile.in
---- krb5-1.9/src/clients/ksu/Makefile.in.ksu-path	2010-03-05 10:58:25.000000000 -0500
-+++ krb5-1.9/src/clients/ksu/Makefile.in	2010-03-05 10:58:25.000000000 -0500
-@@ -1,6 +1,6 @@
- mydir=clients$(S)ksu
- BUILDTOP=$(REL)..$(S)..
--DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"'
-+DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/local/sbin /usr/local/bin /sbin /usr/sbin /bin /usr/bin"'
- DEFS=
- 
- PROG_LIBPATH=-L$(TOPLIBD)

krb5-kvno-230379.patch

@@ -12,7 +12,7 @@ Index: krb5-1.11.1/src/kadmin/ktutil/ktutil.c
 ===================================================================
 --- krb5-1.11.1.orig/src/kadmin/ktutil/ktutil.c
 +++ krb5-1.11.1/src/kadmin/ktutil/ktutil.c
-@@ -140,7 +140,7 @@ void ktutil_add_entry(argc, argv)
+@@ -155,7 +155,7 @@ void ktutil_add_entry(argc, argv)
      char *princ = NULL;
      char *enctype = NULL;
      krb5_kvno kvno = 0;
@@ -21,7 +21,7 @@ Index: krb5-1.11.1/src/kadmin/ktutil/ktutil.c
  
      for (i = 1; i < argc; i++) {
          if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-p", 2)) {
-@@ -149,6 +149,7 @@ void ktutil_add_entry(argc, argv)
+@@ -164,6 +164,7 @@ void ktutil_add_entry(argc, argv)
          }
          if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-k", 2)) {
              kvno = (krb5_kvno) atoi(argv[++i]);
@@ -29,7 +29,7 @@ Index: krb5-1.11.1/src/kadmin/ktutil/ktutil.c
              continue;
          }
          if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-e", 2)) {
-@@ -165,7 +166,7 @@ void ktutil_add_entry(argc, argv)
+@@ -180,7 +181,7 @@ void ktutil_add_entry(argc, argv)
          }
      }
  
@@ -42,7 +42,7 @@ Index: krb5-1.11.1/src/lib/krb5/keytab/kt_file.c
 ===================================================================
 --- krb5-1.11.1.orig/src/lib/krb5/keytab/kt_file.c
 +++ krb5-1.11.1/src/lib/krb5/keytab/kt_file.c
-@@ -376,7 +376,7 @@ krb5_ktfile_get_entry(krb5_context conte
+@@ -349,7 +349,7 @@ krb5_ktfile_get_entry(krb5_context conte
                 higher than that.  Short-term workaround: only compare
                 the low 8 bits.  */
  

krb5-master-gss_oid_leak.patch

@@ -0,0 +1,28 @@
+commit 1cda48a7ed4069cfc052f974ec3d76a9137c8c5a
+Author: Simo Sorce <simo@redhat.com>
+Date:   Fri Dec 13 12:00:41 2013 -0500
+
+    Fix memory leak in SPNEGO initiator
+    
+    If we eliminate a mechanism from the initiator list because
+    gss_init_sec_context fails, free the memory for that mech OID before
+    removing it from the list.
+    
+    [ghudson@mit.edu: clarified commit message]
+    
+    ticket: 7803 (new)
+    target_version: 1.12.1
+    tags: pullup
+
+diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
+index 818a1b4..06cfab0 100644
+--- a/src/lib/gssapi/spnego/spnego_mech.c
++++ b/src/lib/gssapi/spnego/spnego_mech.c
+@@ -890,6 +890,7 @@ init_ctx_call_init(OM_uint32 *minor_status,
+ 	 * can do this with recursion.  If all mechanisms produce errors, the
+ 	 * caller should get the error from the first mech in the list.
+ 	 */
++	gssalloc_free(sc->mech_set->elements->elements);
+ 	memmove(sc->mech_set->elements, sc->mech_set->elements + 1,
+ 		--sc->mech_set->count * sizeof(*sc->mech_set->elements));
+ 	if (sc->mech_set->count == 0)

krb5-master-ignore-empty-unnecessary-final-token.patch

@@ -0,0 +1,37 @@
+commit 37af638b742dbd642eb70092e4f7781c3f69d86d
+Author: Greg Hudson <ghudson@mit.edu>
+Date:   Tue Dec 10 12:04:18 2013 -0500
+
+    Fix SPNEGO one-hop interop against old IIS
+    
+    IIS 6.0 and similar return a zero length reponse buffer in the last
+    SPNEGO packet when context initiation is performed without mutual
+    authentication.  In this case the underlying Kerberos mechanism has
+    already completed successfully on the first invocation, and SPNEGO
+    does not expect a mech response token in the answer.  If we get an
+    empty mech response token when the mech is complete during
+    negotiation, ignore it.
+    
+    [ghudson@mit.edu: small code style and commit message changes]
+    
+    ticket: 7797 (new)
+    target_version: 1.12.1
+    tags: pullup
+
+diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
+index 3937662..d82934b 100644
+--- a/src/lib/gssapi/spnego/spnego_mech.c
++++ b/src/lib/gssapi/spnego/spnego_mech.c
+@@ -760,6 +760,12 @@ init_ctx_nego(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc,
+ 			map_errcode(minor_status);
+ 			ret = GSS_S_DEFECTIVE_TOKEN;
+ 		}
++	} else if ((*responseToken)->length == 0 && sc->mech_complete) {
++		/* Handle old IIS servers returning empty token instead of
++		 * null tokens in the non-mutual auth case. */
++		*negState = ACCEPT_COMPLETE;
++		*tokflag = NO_TOKEN_SEND;
++		ret = GSS_S_COMPLETE;
+ 	} else if (sc->mech_complete) {
+ 		/* Reject spurious mech token. */
+ 		ret = GSS_S_DEFECTIVE_TOKEN;

krb5-master-keytab_close.patch

@@ -0,0 +1,39 @@
+commit decccbcb5075f8fbc28a535a9b337afc84a15dee
+Author: Greg Hudson <ghudson@mit.edu>
+Date:   Mon Dec 16 15:37:56 2013 -0500
+
+    Fix GSS krb5 acceptor acquire_cred error handling
+    
+    When acquiring acceptor creds with a specified name, if we fail to
+    open a replay cache, we leak the keytab handle.  If there is no
+    specified name and we discover that there is no content in the keytab,
+    we leak the keytab handle and return the wrong major code.  Memory
+    leak reported by Andrea Campi.
+    
+    ticket: 7805
+    target_version: 1.12.1
+    tags: pullup
+
+diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c
+index 0efcad4..9547207 100644
+--- a/src/lib/gssapi/krb5/acquire_cred.c
++++ b/src/lib/gssapi/krb5/acquire_cred.c
+@@ -225,6 +225,7 @@ acquire_accept_cred(krb5_context context,
+         code = krb5_get_server_rcache(context, &cred->name->princ->data[0],
+                                       &cred->rcache);
+         if (code) {
++            krb5_kt_close(context, kt);
+             *minor_status = code;
+             return GSS_S_FAILURE;
+         }
+@@ -232,8 +233,9 @@ acquire_accept_cred(krb5_context context,
+         /* Make sure we have a keytab with keys in it. */
+         code = krb5_kt_have_content(context, kt);
+         if (code) {
++            krb5_kt_close(context, kt);
+             *minor_status = code;
+-            return GSS_S_FAILURE;
++            return GSS_S_CRED_UNAVAIL;
+         }
+     }
+ 

krb5-master-no-malloc0.patch

@@ -0,0 +1,39 @@
+commit 13fd26e1863c79f616653f6a10a58c01f65fceff
+Author: Greg Hudson <ghudson@mit.edu>
+Date:   Fri Dec 6 18:56:56 2013 -0500
+
+    Avoid malloc(0) in SPNEGO get_input_token
+    
+    If we read a zero-length token in spnego_mech.c's get_input_token(),
+    set the value pointer to NULL instead of calling malloc(0).
+    
+    ticket: 7794 (new)
+
+diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
+index 24c3440..3937662 100644
+--- a/src/lib/gssapi/spnego/spnego_mech.c
++++ b/src/lib/gssapi/spnego/spnego_mech.c
+@@ -3140,14 +3140,17 @@ get_input_token(unsigned char **buff_in, unsigned int buff_length)
+ 		return (NULL);
+ 
+ 	input_token->length = len;
+-	input_token->value = gssalloc_malloc(input_token->length);
++	if (input_token->length > 0) {
++		input_token->value = gssalloc_malloc(input_token->length);
++		if (input_token->value == NULL) {
++			free(input_token);
++			return (NULL);
++		}
+ 
+-	if (input_token->value == NULL) {
+-		free(input_token);
+-		return (NULL);
++		memcpy(input_token->value, *buff_in, input_token->length);
++	} else {
++		input_token->value = NULL;
+ 	}
+-
+-	(void) memcpy(input_token->value, *buff_in, input_token->length);
+ 	*buff_in += input_token->length;
+ 	return (input_token);
+ }

krb5-master-spnego_error_messages.patch

@@ -0,0 +1,44 @@
+commit 4faca53e3a8ee213d43da8998f6889e7bfd36248
+Author: Greg Hudson <ghudson@mit.edu>
+Date:   Wed Dec 18 16:03:16 2013 -0500
+
+    Test SPNEGO error message in t_s4u.py
+    
+    Now that #7045 is fixed, we can check for the correct error message
+    from t_s4u2proxy_krb5 with --spnego.
+    
+    ticket: 7045
+
+diff --git a/src/tests/gssapi/t_s4u.py b/src/tests/gssapi/t_s4u.py
+index 67dc810..e4aa259 100644
+--- a/src/tests/gssapi/t_s4u.py
++++ b/src/tests/gssapi/t_s4u.py
+@@ -30,12 +30,12 @@ if ('auth1: ' + realm.user_princ not in output or
+     'NOT_ALLOWED_TO_DELEGATE' not in output):
+     fail('krb5 -> s4u2proxy')
+ 
+-# Again with SPNEGO.  Bug #7045 prevents us from checking the error
+-# message, but we can at least exercise the code.
++# Again with SPNEGO.
+ output = realm.run(['./t_s4u2proxy_krb5', '--spnego', usercache, storagecache,
+                     '-', pservice1, pservice2],
+                    expected_code=1)
+-if ('auth1: ' + realm.user_princ not in output):
++if ('auth1: ' + realm.user_princ not in output or
++    'NOT_ALLOWED_TO_DELEGATE' not in output):
+     fail('krb5 -> s4u2proxy (SPNEGO)')
+ 
+ # Try krb5 -> S4U2Proxy without forwardable user creds.  This should
+@@ -66,10 +66,9 @@ if 'NOT_ALLOWED_TO_DELEGATE' not in output:
+     fail('s4u2self')
+ 
+ # Again with SPNEGO.  This uses SPNEGO for the initial authentication,
+-# but still uses krb5 for S4U2Proxy (the delegated cred is returned as
++# but still uses krb5 for S4U2Proxy--the delegated cred is returned as
+ # a krb5 cred, not a SPNEGO cred, and t_s4u uses the delegated cred
+-# directly rather than saving and reacquiring it) so bug #7045 does
+-# not apply and we can verify the error message.
++# directly rather than saving and reacquiring it.
+ output = realm.run(['./t_s4u', '--spnego', puser, pservice2], expected_code=1)
+ if 'NOT_ALLOWED_TO_DELEGATE' not in output:
+     fail('s4u2self')

krb5-mini.changes

@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Mon Jan 13 15:40:18 UTC 2014 - ckornacker@suse.com
+
+- update to version 1.12
+  * Add GSSAPI extensions for constructing MIC tokens using IOV lists
+  * Add a FAST OTP preauthentication module for the KDC which uses
+    RADIUS to validate OTP token values.
+  * The AES-based encryption types will use AES-NI instructions
+    when possible for improved performance.
+- revert dependency on libcom_err-mini-devel since it's not yet
+  available
+- update and rebase patches
+
 -------------------------------------------------------------------
 Tue Dec 10 02:43:32 UTC 2013 - nfbrown@suse.com
 

krb5-mini.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package krb5-mini
 #
-# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
 
 
 %define build_mini 1
-%define srcRoot krb5-1.11.4
+%define srcRoot krb5-1.12
 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
 %define krb5docdir  %{_defaultdocdir}/krb5
 
@@ -27,14 +27,10 @@ BuildRequires:  autoconf
 BuildRequires:  bison
 BuildRequires:  keyutils
 BuildRequires:  keyutils-devel
-%if 0%{?suse_version} >= 1310
-BuildRequires:  libcom_err-mini-devel
-%else
 BuildRequires:  libcom_err-devel
-%endif
 BuildRequires:  libselinux-devel
 BuildRequires:  ncurses-devel
-Version:        1.11.4
+Version:        1.12
 Release:        0
 Summary:        MIT Kerberos5 Implementation--Libraries
 License:        MIT
@@ -62,25 +58,34 @@ Conflicts:      krb5-client
 Conflicts:      krb5-server
 Conflicts:      krb5-plugin-kdb-ldap
 Conflicts:      krb5-plugin-preauth-pkinit
+Conflicts:      krb5-plugin-preauth-otp
 %endif
-Source:         krb5-%{version}.tar.bz2
+Source:         krb5-%{version}.tar.gz
 Source1:        vendor-files.tar.bz2
 Source2:        baselibs.conf
 Source5:        krb5-rpmlintrc
-Patch1:         krb5-1.11-pam.patch
+Patch1:         krb5-1.12-pam.patch
 Patch2:         krb5-1.9-manpaths.dif
-Patch3:         krb5-1.10-buildconf.patch
+Patch3:         krb5-1.12-buildconf.patch
 Patch4:         krb5-1.6.3-gssapi_improve_errormessages.dif
 Patch5:         krb5-1.10-kpasswd_tcp.patch
 Patch6:         krb5-1.6.3-ktutil-manpage.dif
 Patch7:         krb5-1.7-doublelog.patch
-Patch8:         krb5-1.8-api.patch
+Patch8:         krb5-1.12-api.patch
 Patch9:         krb5-1.9-kprop-mktemp.patch
 Patch10:        krb5-1.10-ksu-access.patch
-Patch11:        krb5-1.9-ksu-path.patch
-Patch12:        krb5-1.11-selinux-label.patch
+Patch11:        krb5-1.12-ksu-path.patch
+Patch12:        krb5-1.12-selinux-label.patch
 Patch13:        krb5-1.9-debuginfo.patch
 Patch14:        krb5-kvno-230379.patch
+Patch15:        krb5-1.12-copy_context.patch
+Patch16:        krb5-1.12-enable-NX.patch
+Patch17:        krb5-1.12-pic-aes-ni.patch
+Patch18:        krb5-master-no-malloc0.patch
+Patch19:        krb5-master-ignore-empty-unnecessary-final-token.patch
+Patch20:        krb5-master-gss_oid_leak.patch
+Patch21:        krb5-master-keytab_close.patch
+Patch22:        krb5-master-spnego_error_messages.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 PreReq:         mktemp, grep, /bin/touch, coreutils
 PreReq:         %insserv_prereq %fillup_prereq 
@@ -138,6 +143,15 @@ Kerberos V5 is a trusted-third-party network authentication system,
 which can improve your network's security by eliminating the insecure
 practice of cleartext passwords. This package includes a PKINIT plugin.
 
+%package plugin-preauth-otp
+Summary:        MIT Kerberos5 Implementation--OTP preauth Plugin
+Group:          Productivity/Networking/Security
+
+%description plugin-preauth-otp
+Kerberos V5 is a trusted-third-party network authentication system,
+which can improve your network's security by eliminating the insecure
+practice of cleartext passwords. This package includes a OTP plugin.
+
 %package doc
 Summary:        MIT Kerberos5 Implementation--Documentation
 Group:          Documentation/Other
@@ -191,6 +205,14 @@ Include Files for Development
 %patch12 -p1
 %patch13 -p0
 %patch14 -p1
+%patch15 -p1
+%patch16 -p1
+%patch17 -p1
+%patch18 -p1
+%patch19 -p1
+%patch20 -p1
+%patch21 -p1
+%patch22 -p1
 
 %build
 # needs to be re-generated
@@ -319,6 +341,11 @@ install -m 644 %{_builddir}/%{srcRoot}/src/plugins/kdb/ldap/libkdb_ldap/kerberos
 rm -f  %{buildroot}/usr/share/man/man1/tmac.doc*
 rm -f  /usr/share/man/man1/tmac.doc*
 rm -rf %{buildroot}/usr/lib/mit/share/examples
+%if %{build_mini}
+# manually remove otp plugin for krb5-mini since configure
+# doesn't support disabling it at build time
+rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/otp.so
+%endif
 
 %find_lang mit-krb5
 
@@ -429,6 +456,15 @@ rm -rf %{buildroot}/usr/lib/mit/share/examples
 %{_libdir}/libkrb5.so
 %{_libdir}/libkrb5support.so
 %{_libdir}/libverto.so
+%{_libdir}/libkrad.so
+%{_libdir}/pkgconfig/gssrpc.pc
+%{_libdir}/pkgconfig/kadm-client.pc
+%{_libdir}/pkgconfig/kadm-server.pc
+%{_libdir}/pkgconfig/kdb.pc
+%{_libdir}/pkgconfig/krb5-gssapi.pc
+%{_libdir}/pkgconfig/krb5.pc
+%{_libdir}/pkgconfig/mit-krb5-gssapi.pc
+%{_libdir}/pkgconfig/mit-krb5.pc
 %{_includedir}/*
 /usr/lib/mit/bin/krb5-config
 /usr/lib/mit/sbin/krb5-send-pr
@@ -480,6 +516,7 @@ rm -rf %{buildroot}/usr/lib/mit/share/examples
 %{_libdir}/libkrb5.so.*
 %{_libdir}/libkrb5support.so.*
 %{_libdir}/libverto.so.*
+%{_libdir}/libkrad.so.*
 %{_libdir}/krb5/plugins/kdb/*
 #/usr/lib/mit/sbin/*
 /usr/lib/mit/sbin/kadmin.local
@@ -551,6 +588,7 @@ rm -rf %{buildroot}/usr/lib/mit/share/examples
 %{_libdir}/libkrb5.so.*
 %{_libdir}/libkrb5support.so.*
 %{_libdir}/libverto.so.*
+%{_libdir}/libkrad.so.*
 
 %files server
 %defattr(-,root,root)
@@ -662,6 +700,13 @@ rm -rf %{buildroot}/usr/lib/mit/share/examples
 %dir %{_libdir}/krb5/plugins/preauth
 %{_libdir}/krb5/plugins/preauth/pkinit.so
 
+%files plugin-preauth-otp
+%defattr(-,root,root)
+%dir %{_libdir}/krb5
+%dir %{_libdir}/krb5/plugins
+%dir %{_libdir}/krb5/plugins/preauth
+%{_libdir}/krb5/plugins/preauth/otp.so
+
 %files doc
 %defattr(-,root,root)
 %doc html doc/CHANGES doc/README

krb5.changes

@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Mon Jan 13 15:37:16 UTC 2014 - ckornacker@suse.com
+
+- update to version 1.12
+  * Add GSSAPI extensions for constructing MIC tokens using IOV lists
+  * Add a FAST OTP preauthentication module for the KDC which uses
+    RADIUS to validate OTP token values.
+  * The AES-based encryption types will use AES-NI instructions
+    when possible for improved performance.
+- revert dependency on libcom_err-mini-devel since it's not yet
+  available
+- update and rebase patches
+
 -------------------------------------------------------------------
 Tue Dec 10 02:43:32 UTC 2013 - nfbrown@suse.com
 

krb5.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package krb5
 #
-# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
 
 
 %define build_mini 0
-%define srcRoot krb5-1.11.4
+%define srcRoot krb5-1.12
 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
 %define krb5docdir  %{_defaultdocdir}/krb5
 
@@ -27,14 +27,10 @@ BuildRequires:  autoconf
 BuildRequires:  bison
 BuildRequires:  keyutils
 BuildRequires:  keyutils-devel
-%if 0%{?suse_version} >= 1310
-BuildRequires:  libcom_err-mini-devel
-%else
-BuildRequires:  libcom_err-mini-devel
-%endif
+BuildRequires:  libcom_err-devel
 BuildRequires:  libselinux-devel
 BuildRequires:  ncurses-devel
-Version:        1.11.4
+Version:        1.12
 Release:        0
 Summary:        MIT Kerberos5 Implementation--Libraries
 License:        MIT
@@ -62,25 +58,34 @@ Conflicts:      krb5-client
 Conflicts:      krb5-server
 Conflicts:      krb5-plugin-kdb-ldap
 Conflicts:      krb5-plugin-preauth-pkinit
+Conflicts:      krb5-plugin-preauth-otp
 %endif
-Source:         krb5-%{version}.tar.bz2
+Source:         krb5-%{version}.tar.gz
 Source1:        vendor-files.tar.bz2
 Source2:        baselibs.conf
 Source5:        krb5-rpmlintrc
-Patch1:         krb5-1.11-pam.patch
+Patch1:         krb5-1.12-pam.patch
 Patch2:         krb5-1.9-manpaths.dif
-Patch3:         krb5-1.10-buildconf.patch
+Patch3:         krb5-1.12-buildconf.patch
 Patch4:         krb5-1.6.3-gssapi_improve_errormessages.dif
 Patch5:         krb5-1.10-kpasswd_tcp.patch
 Patch6:         krb5-1.6.3-ktutil-manpage.dif
 Patch7:         krb5-1.7-doublelog.patch
-Patch8:         krb5-1.8-api.patch
+Patch8:         krb5-1.12-api.patch
 Patch9:         krb5-1.9-kprop-mktemp.patch
 Patch10:        krb5-1.10-ksu-access.patch
-Patch11:        krb5-1.9-ksu-path.patch
-Patch12:        krb5-1.11-selinux-label.patch
+Patch11:        krb5-1.12-ksu-path.patch
+Patch12:        krb5-1.12-selinux-label.patch
 Patch13:        krb5-1.9-debuginfo.patch
 Patch14:        krb5-kvno-230379.patch
+Patch15:        krb5-1.12-copy_context.patch
+Patch16:        krb5-1.12-enable-NX.patch
+Patch17:        krb5-1.12-pic-aes-ni.patch
+Patch18:        krb5-master-no-malloc0.patch
+Patch19:        krb5-master-ignore-empty-unnecessary-final-token.patch
+Patch20:        krb5-master-gss_oid_leak.patch
+Patch21:        krb5-master-keytab_close.patch
+Patch22:        krb5-master-spnego_error_messages.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 PreReq:         mktemp, grep, /bin/touch, coreutils
 PreReq:         %insserv_prereq %fillup_prereq 
@@ -138,6 +143,15 @@ Kerberos V5 is a trusted-third-party network authentication system,
 which can improve your network's security by eliminating the insecure
 practice of cleartext passwords. This package includes a PKINIT plugin.
 
+%package plugin-preauth-otp
+Summary:        MIT Kerberos5 Implementation--OTP preauth Plugin
+Group:          Productivity/Networking/Security
+
+%description plugin-preauth-otp
+Kerberos V5 is a trusted-third-party network authentication system,
+which can improve your network's security by eliminating the insecure
+practice of cleartext passwords. This package includes a OTP plugin.
+
 %package doc
 Summary:        MIT Kerberos5 Implementation--Documentation
 Group:          Documentation/Other
@@ -191,6 +205,14 @@ Include Files for Development
 %patch12 -p1
 %patch13 -p0
 %patch14 -p1
+%patch15 -p1
+%patch16 -p1
+%patch17 -p1
+%patch18 -p1
+%patch19 -p1
+%patch20 -p1
+%patch21 -p1
+%patch22 -p1
 
 %build
 # needs to be re-generated
@@ -319,6 +341,11 @@ install -m 644 %{_builddir}/%{srcRoot}/src/plugins/kdb/ldap/libkdb_ldap/kerberos
 rm -f  %{buildroot}/usr/share/man/man1/tmac.doc*
 rm -f  /usr/share/man/man1/tmac.doc*
 rm -rf %{buildroot}/usr/lib/mit/share/examples
+%if %{build_mini}
+# manually remove otp plugin for krb5-mini since configure
+# doesn't support disabling it at build time
+rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/otp.so
+%endif
 
 %find_lang mit-krb5
 
@@ -429,6 +456,15 @@ rm -rf %{buildroot}/usr/lib/mit/share/examples
 %{_libdir}/libkrb5.so
 %{_libdir}/libkrb5support.so
 %{_libdir}/libverto.so
+%{_libdir}/libkrad.so
+%{_libdir}/pkgconfig/gssrpc.pc
+%{_libdir}/pkgconfig/kadm-client.pc
+%{_libdir}/pkgconfig/kadm-server.pc
+%{_libdir}/pkgconfig/kdb.pc
+%{_libdir}/pkgconfig/krb5-gssapi.pc
+%{_libdir}/pkgconfig/krb5.pc
+%{_libdir}/pkgconfig/mit-krb5-gssapi.pc
+%{_libdir}/pkgconfig/mit-krb5.pc
 %{_includedir}/*
 /usr/lib/mit/bin/krb5-config
 /usr/lib/mit/sbin/krb5-send-pr
@@ -480,6 +516,7 @@ rm -rf %{buildroot}/usr/lib/mit/share/examples
 %{_libdir}/libkrb5.so.*
 %{_libdir}/libkrb5support.so.*
 %{_libdir}/libverto.so.*
+%{_libdir}/libkrad.so.*
 %{_libdir}/krb5/plugins/kdb/*
 #/usr/lib/mit/sbin/*
 /usr/lib/mit/sbin/kadmin.local
@@ -551,6 +588,7 @@ rm -rf %{buildroot}/usr/lib/mit/share/examples
 %{_libdir}/libkrb5.so.*
 %{_libdir}/libkrb5support.so.*
 %{_libdir}/libverto.so.*
+%{_libdir}/libkrad.so.*
 
 %files server
 %defattr(-,root,root)
@@ -662,6 +700,13 @@ rm -rf %{buildroot}/usr/lib/mit/share/examples
 %dir %{_libdir}/krb5/plugins/preauth
 %{_libdir}/krb5/plugins/preauth/pkinit.so
 
+%files plugin-preauth-otp
+%defattr(-,root,root)
+%dir %{_libdir}/krb5
+%dir %{_libdir}/krb5/plugins
+%dir %{_libdir}/krb5/plugins/preauth
+%{_libdir}/krb5/plugins/preauth/otp.so
+
 %files doc
 %defattr(-,root,root)
 %doc html doc/CHANGES doc/README