From 89ca3e2fde5361bef11bcaa598307da376cd63b1 Mon Sep 17 00:00:00 2001
From: Benjamin Kaduk
Date: Sat, 21 Mar 2020 11:09:00 -0700
Subject: [PATCH] Update patches for 1.8.6pre1

Change-Id: I93d74e43d1354c1752c5c168ebf835595a9d730f
---
 ...t-in-to-enable-single-DES-in-libkrb5.patch | 219 ------------------
 debian/patches/series | 1 -
 2 files changed, 220 deletions(-)
 delete mode 100644 debian/patches/0002-aklog-require-opt-in-to-enable-single-DES-in-libkrb5.patch

diff --git a/debian/patches/0002-aklog-require-opt-in-to-enable-single-DES-in-libkrb5.patch b/debian/patches/0002-aklog-require-opt-in-to-enable-single-DES-in-libkrb5.patch
deleted file mode 100644
index f92a5ca4f..000000000
--- a/debian/patches/0002-aklog-require-opt-in-to-enable-single-DES-in-libkrb5.patch
+++ /dev/null
@@ -1,219 +0,0 @@ -From: Benjamin Kaduk -Date: Thu, 11 Jul 2019 21:07:35 -0700 -Subject: aklog: require opt-in to enable single-DES in libkrb5 - -Since the introduction of rxkad-k5 in response to OPENAFS-SA-2013-003, -it is not strictly necessary to configure libkrb5 to allow weak crypto -in order to obtain an AFS token. A sufficient amount of time has passed -since then that it is safe to assume that the default behavior is the -more-secure one, and require opt-in for the insecure behavior. - -To indicate that the use of single-DES is quite risky, add the -"-insecure_des" argument to both klog and aklog, to gate the -preexisting calls that enable weak crypto/single-DES. -These calls, and the -insecure_des option, may be removed entirely -in a future commit. - -Change-Id: If175d0f95f0ede0f252844086a2a023da5580732 -Reviewed-on: https://gerrit.openafs.org/13689 -Reviewed-by: Michael Meffie -Reviewed-by: Benjamin Kaduk -Tested-by: Benjamin Kaduk -(cherry picked from commit eaae6eba8ca10ba7a5a20ee0d1b5f91bc2bac6c6) ---- - doc/man-pages/pod1/aklog.pod | 9 +++++++-- - doc/man-pages/pod1/klog.krb5.pod | 10 ++++++++-- - src/aklog/aklog.c | 39 +++++++++++++++++++++++++-------------- - src/aklog/klog.c | 13 +++++++++---- - 4 files changed, 49 insertions(+), 22 deletions(-) - -diff --git a/doc/man-pages/pod1/aklog.pod b/doc/man-pages/pod1/aklog.pod -index eb1727b..0d67ea1 100644 ---- a/doc/man-pages/pod1/aklog.pod -+++ b/doc/man-pages/pod1/aklog.pod -@@ -8,11 +8,11 @@ aklog - Obtain tokens for authentication to AFS -
- - B [B<-d>] [B<-hosts>] [B<-zsubs>] [B<-noprdb>] [B<-noauth>] [B<-linked>] -- [B<-force>] [B<-524>] [B<-setpag>] -+ [B<-force>] [B<-524>] [B<-setpag>] [B<-insecure_des>] - S<<< [[B<-cell> | B<-c>] > [B<-k> >]]+ >>> - - B [B<-d>] [B<-hosts>] [B<-zsubs>] [B<-noprdb>] [B<-noauth>] [B<-linked>] -- [B<-force>] [B<-524>] [B<-setpag>] [B<-path> | B<-p>] >+ -+ [B<-force>] [B<-524>] [B<-setpag>] [B<-insecure_des>] [B<-path> | B<-p>] >+ - - =for html -
-@@ -119,6 +119,11 @@ normally won't be necessary. - - If the AFS cell is linked to another AFS cell, get tokens for both. - -+-item B<-insecure_des> -+ -+Configure libkrb5 to allow the use of the (insecure) single-DES encryption -+types. When rxkad-k5 is in use, this is not needed. -+ - =item B<-noauth> - - Don't actually authenticate, just do everything else B does up to -diff --git a/doc/man-pages/pod1/klog.krb5.pod b/doc/man-pages/pod1/klog.krb5.pod -index 023deee..05d671c 100644 ---- a/doc/man-pages/pod1/klog.krb5.pod -+++ b/doc/man-pages/pod1/klog.krb5.pod -@@ -11,14 +11,15 @@ B [B<-x>] S<<< [B<-principal> >] >>> - [-password >] S<<< [B<-cell> >] >>> - S<<< [B<-k> >] >>> [B<-pipe>] [B<-silent>] - S<<< [B<-lifetime> >] >>> -- [B<-setpag>] [B<-tmp>] [B<-noprdb>] [B<-unwrap>] [B<-help>] -+ [B<-setpag>] [B<-tmp>] [B<-noprdb>] [B<-unwrap>] [B<-insecure_des>] -+ [B<-help>] - - B [B<-x>] S<<< [B<-pr> >] >>> - S<<< [B<-pa> >] >>> - S<<< [B<-c> >] >>> - B<<< [B<-k> >] >>> [B<-pi>] [B<-si>] - S<<< [B<-l> >] >>> -- [B<-se>] [B<-t>] [B<-n>] [B<-u>] [B<-h>] -+ [B<-se>] [B<-t>] [B<-n>] [B<-u>] [B<-i>] [B<-h>] - - =for html - -@@ -227,6 +228,11 @@ sizes in conjunction with Active Directory as the Kerberos server, using - B<-unwrap> can shrink the AFS token size so that older software can handle - it more easily. - -+=item B<-insecure_des> -+ -+Configures libkrb5 to allow the use of the (insecure) single-DES encryption -+types. When rxkad-k5 is in use, this is not needed. -+ - =item B<-help> - - Prints the online help for this command. 
All other valid options are -diff --git a/src/aklog/aklog.c b/src/aklog/aklog.c -index 49cb782..8d2ac35 100644 ---- a/src/aklog/aklog.c -+++ b/src/aklog/aklog.c -@@ -1427,7 +1427,7 @@ usage(void) - "[-d] [[-cell | -c] cell [-k krb_realm]] ", - "[[-p | -path] pathname]\n", - " [-zsubs] [-hosts] [-noauth] [-noprdb] [-force] [-setpag] \n" -- " [-linked]" -+ " [-linked] [-insecure_des]" - #ifndef HAVE_NO_KRB5_524 - " [-524]" - #endif -@@ -1446,6 +1446,7 @@ usage(void) - #ifndef HAVE_NO_KRB5_524 - fprintf(stderr, " -524 means use the 524 converter instead of V5 directly\n"); - #endif -+ fprintf(stderr, " -insecure_des enables insecure single-DES for krb5.\n"); - fprintf(stderr, " No commandline arguments means "); - fprintf(stderr, "authenticate to the local cell.\n"); - fprintf(stderr, "\n"); -@@ -1459,6 +1460,7 @@ main(int argc, char *argv[]) - int status = AKLOG_SUCCESS; - int i; - int somethingswrong = FALSE; -+ int insecure_des = 0; - - cellinfo_t cellinfo; - -@@ -1538,19 +1540,6 @@ main(int argc, char *argv[]) - initialize_PT_error_table(); - afs_set_com_err_hook(redirect_errors); - -- /* -- * Enable DES enctypes, which are currently still required for AFS. -- * krb5_allow_weak_crypto is MIT Kerberos 1.8. krb5_enctype_enable is -- * Heimdal. -- */ --#if defined(HAVE_KRB5_ENCTYPE_ENABLE) -- i = krb5_enctype_valid(context, ETYPE_DES_CBC_CRC); -- if (i) -- krb5_enctype_enable(context, ETYPE_DES_CBC_CRC); --#elif defined(HAVE_KRB5_ALLOW_WEAK_CRYPTO) -- krb5_allow_weak_crypto(context, 1); --#endif -- - /* Initialize list of cells to which we have authenticated */ - ll_init(&authedcells); - -@@ -1610,6 +1599,8 @@ main(int argc, char *argv[]) - } - else - usage(); -+ else if (strcmp(argv[i], "-insecure_des") == 0) -+ insecure_des = 1; - else if (argv[i][0] == '-') - usage(); - else if (!pmode && !cmode) { -@@ -1626,6 +1617,26 @@ main(int argc, char *argv[]) - else - usage(); - -+ /* -+ * Enable DES enctypes if requested. 
This is not required when rxkad-k5 -+ * is used, but some sites may not have updated. -+ * krb5_allow_weak_crypto is MIT Kerberos 1.8. krb5_enctype_enable is -+ * Heimdal. -+ */ -+ if (insecure_des) { -+#if defined(HAVE_KRB5_ENCTYPE_ENABLE) -+ i = krb5_enctype_valid(context, ETYPE_DES_CBC_CRC); -+ if (i) -+ krb5_enctype_enable(context, ETYPE_DES_CBC_CRC); -+#elif defined(HAVE_KRB5_ALLOW_WEAK_CRYPTO) -+ krb5_allow_weak_crypto(context, 1); -+#else -+ fprintf(stderr, -+ "%s: -insecure_des is not supported by this libkrb5\n", progname); -+ exit(AKLOG_MISC); -+#endif -+ } -+ - if (cmode) { - if (((i + 1) < argc) && (strcmp(argv[i + 1], "-k") == 0)) { - i+=2; -diff --git a/src/aklog/klog.c b/src/aklog/klog.c -index 9677ffa..edf16e0 100644 ---- a/src/aklog/klog.c -+++ b/src/aklog/klog.c -@@ -116,6 +116,7 @@ main(int argc, char *argv[]) - #define aUNWRAP 11 - #define aK5 12 - #define aK4 13 -+#define aDES 14 - - cmd_AddParm(ts, "-x", CMD_FLAG, CMD_OPTIONAL, "obsolete, noop"); - cmd_Seek(ts, aPRINCIPAL); -@@ -141,6 +142,8 @@ main(int argc, char *argv[]) - ++ts->nParms; /* skip -k5 */ - cmd_AddParm(ts, "-k4", CMD_FLAG, CMD_OPTIONAL|CMD_HIDDEN, 0); - #endif -+ cmd_AddParm(ts, "-insecure_des", CMD_FLAG, CMD_OPTIONAL, -+ "enable insecure single-DES for krb5"); - - code = cmd_Dispatch(argc, argv); - KLOGEXIT(code); -@@ -413,13 +416,15 @@ CommandProc(struct cmd_syndesc *as, void *arock) - * krb5_allow_weak_crypto is MIT Kerberos 1.8. krb5_enctype_enable is - * Heimdal. - */ -+ if (as->parms[aDES].items) { - #if defined(HAVE_KRB5_ENCTYPE_ENABLE) -- i = krb5_enctype_valid(k5context, ETYPE_DES_CBC_CRC); -- if (i) -- krb5_enctype_enable(k5context, ETYPE_DES_CBC_CRC); -+ i = krb5_enctype_valid(k5context, ETYPE_DES_CBC_CRC); -+ if (i) -+ krb5_enctype_enable(k5context, ETYPE_DES_CBC_CRC); - #elif defined(HAVE_KRB5_ALLOW_WEAK_CRYPTO) -- krb5_allow_weak_crypto(k5context, 1); -+ krb5_allow_weak_crypto(k5context, 1); - #endif -+ } - - /* Parse remaining arguments. */ - 
diff --git a/debian/patches/series b/debian/patches/series
index db39d2047..d74aab87a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1 @@
 0003-Catch-up-to-roken-s-rename-of-base64-symbols.patch
-0002-aklog-require-opt-in-to-enable-single-DES-in-libkrb5.patch
--
2.39.5