krb5 1.21.3-1

- New upstream version (1.21.3) - CVE-2024-37370 CVE-2024-37371 Fix vulnerabilities in GSS message token handling Resolves: RHEL-45387 RHEL-45378 - Fix memory leak in GSSAPI interface Resolves: RHEL-47284 - Fix memory leak in PMAP RPC interface Resolves: RHEL-47287 - Fix memory leak in failing UTF-8 to UTF-16 re-encoding for PAC Resolves: RHEL-47285 - Make TCP waiting time configurable Resolves: RHEL-47278 - Do not include files with "~" termination in krb5-tests Resolves: RHEL-45995 Signed-off-by: Julien Rische <jrische@redhat.com>
2024-07-12 11:45:37 +02:00 · 2024-07-12 11:45:37 +02:00 · 8c423dc9d5
commit 8c423dc9d5
parent 2b58aeee72
26 changed files with 11506 additions and 215 deletions
--- a/.gitignore
+++ b/.gitignore
@ -206,3 +206,5 @@
 /krb5-1.21.tar.gz.asc
 /krb5-1.21.2.tar.gz
 /krb5-1.21.2.tar.gz.asc
 /krb5-1.21.3.tar.gz
 /krb5-1.21.3.tar.gz.asc
--- a/0001-downstream-Revert-Don-t-issue-session-keys-with-depr.patch
+++ b/0001-downstream-Revert-Don-t-issue-session-keys-with-depr.patch
@ -1,7 +1,8 @@
-From 087d150e4afe47a8d269d5e80dcef2204b007ceb Mon Sep 17 00:00:00 2001
+From 6f7fd964539dfe4a885068f43a91db9738661870 Mon Sep 17 00:00:00 2001
 From: Julien Rische <jrische@redhat.com>
-Date: Wed, 16 Aug 2023 10:00:30 +0200
+Date: Tue, 9 Jul 2024 11:15:33 +0200
-Subject: [PATCH] Revert "Don't issue session keys with deprecated enctypes"
+Subject: [PATCH] [downstream] Revert "Don't issue session keys with
 deprecated enctypes"
 This reverts commit 1b57a4d134bbd0e7c52d5885a92eccc815726463.
 ---
@ -305,5 +306,5 @@ index 8e5f5ba8e9..2a86c5cdfc 100644
                     'supported_enctypes': 'arcfour-hmac:normal',
                     'master_key_type': 'arcfour-hmac'}}}),
 -- 
-2.41.0
+2.45.1
--- a/0002-downstream-ksu-pam-integration.patch
+++ b/0002-downstream-ksu-pam-integration.patch
@ -1,4 +1,4 @@
-From 2080ff4c57d29e74466987d673aaf25273160534 Mon Sep 17 00:00:00 2001
+From de4205c45e310ceaaa7cd7958af7293322fa43a6 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 23 Aug 2016 16:29:58 -0400
 Subject: [PATCH] [downstream] ksu pam integration
@ -773,5 +773,5 @@ index 77be7a2025..587221936e 100644
 if test "${localedir+set}" != set; then
     localedir='$(datadir)/locale'
 -- 
-2.41.0
+2.45.1
--- a/0003-downstream-SELinux-integration.patch
+++ b/0003-downstream-SELinux-integration.patch
@ -1,4 +1,4 @@
-From 3efc0e3ce4ccc8a89700f35bef041794982d95ca Mon Sep 17 00:00:00 2001
+From 30ff501e4b519396f5aea25e24919be817863e7c Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 23 Aug 2016 16:30:53 -0400
 Subject: [PATCH] [downstream] SELinux integration
@ -238,10 +238,10 @@ index 0000000000..dfaaa847cb
 +#endif
 +#endif
 diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
-index 9c76780181..dd6430ece8 100644
+index 4e09ed345d..09f800be52 100644
 --- a/src/include/krb5/krb5.hin
 +++ b/src/include/krb5/krb5.hin
-@@ -87,6 +87,12 @@
+@@ -83,6 +83,12 @@
 #define THREEPARAMOPEN(x,y,z) open(x,y,z)
 #endif
@ -1034,5 +1034,5 @@ index 0000000000..807d039da3
 +
 +#endif /* USE_SELINUX */
 -- 
-2.41.0
+2.45.1
--- a/0004-downstream-fix-debuginfo-with-y.tab.c.patch
+++ b/0004-downstream-fix-debuginfo-with-y.tab.c.patch
@ -1,4 +1,4 @@
-From 28677b932c200eba07576358b4e5df2ae22c8ecd Mon Sep 17 00:00:00 2001
+From 393830d96000ed692aa9a99ef87187d6f2863931 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 23 Aug 2016 16:49:25 -0400
 Subject: [PATCH] [downstream] fix debuginfo with y.tab.c
@ -40,5 +40,5 @@ index 8669c2436c..a22f23c02c 100644
 install:
 	$(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG)
 -- 
-2.41.0
+2.45.1
--- a/0005-downstream-Remove-3des-support.patch
+++ b/0005-downstream-Remove-3des-support.patch
@ -1,4 +1,4 @@
-From 6734a067c600ea6ad81d08fcc481609c2bad9fbb Mon Sep 17 00:00:00 2001
+From 7d697742abb370cfc7241c1faa78ba08d7650f6a Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 26 Mar 2019 18:51:10 -0400
 Subject: [PATCH] [downstream] Remove 3des support
@ -259,7 +259,7 @@ index 45fe160d7f..b4b1f3bd93 100644
    CKSUMTYPE_NIST_SHA.rst
    CKSUMTYPE_RSA_MD4.rst
 diff --git a/doc/conf.py b/doc/conf.py
-index cd76f5999f..1e1cfce80c 100644
+index ecf9020a72..db7fa377ef 100644
 --- a/doc/conf.py
 +++ b/doc/conf.py
@@ -281,7 +281,7 @@ else:
@ -326,10 +326,10 @@ index 69be9030f8..2561e917a2 100644
 	lib/krb5 lib/krb5/error_tables lib/krb5/asn.1 lib/krb5/ccache
 diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
-index dd6430ece8..350bcf86f2 100644
+index 09f800be52..c5a625db8f 100644
 --- a/src/include/krb5/krb5.hin
 +++ b/src/include/krb5/krb5.hin
-@@ -426,8 +426,8 @@ typedef struct _krb5_crypto_iov {
+@@ -422,8 +422,8 @@ typedef struct _krb5_crypto_iov {
 #define ENCTYPE_DES_CBC_MD4     0x0002  /**< @deprecated no longer supported */
 #define ENCTYPE_DES_CBC_MD5     0x0003  /**< @deprecated no longer supported */
 #define ENCTYPE_DES_CBC_RAW     0x0004  /**< @deprecated no longer supported */
@ -340,7 +340,7 @@ index dd6430ece8..350bcf86f2 100644
 #define ENCTYPE_DES_HMAC_SHA1   0x0008  /**< @deprecated no longer supported */
 /* PKINIT */
 #define ENCTYPE_DSA_SHA1_CMS    0x0009  /**< DSA with SHA1, CMS signature */
-@@ -436,9 +436,9 @@ typedef struct _krb5_crypto_iov {
+@@ -432,9 +432,9 @@ typedef struct _krb5_crypto_iov {
 #define ENCTYPE_RC2_CBC_ENV     0x000c  /**< RC2 cbc mode, CMS enveloped data */
 #define ENCTYPE_RSA_ENV         0x000d  /**< RSA encryption, CMS enveloped data */
 #define ENCTYPE_RSA_ES_OAEP_ENV 0x000e  /**< RSA w/OEAP encryption, CMS enveloped data */
@ -352,7 +352,7 @@ index dd6430ece8..350bcf86f2 100644
 #define ENCTYPE_AES128_CTS_HMAC_SHA1_96     0x0011 /**< RFC 3962 */
 #define ENCTYPE_AES256_CTS_HMAC_SHA1_96     0x0012 /**< RFC 3962 */
 #define ENCTYPE_AES128_CTS_HMAC_SHA256_128  0x0013 /**< RFC 8009 */
-@@ -463,7 +463,7 @@ typedef struct _krb5_crypto_iov {
+@@ -459,7 +459,7 @@ typedef struct _krb5_crypto_iov {
 #define CKSUMTYPE_RSA_MD5       0x0007
 #define CKSUMTYPE_RSA_MD5_DES   0x0008
 #define CKSUMTYPE_NIST_SHA      0x0009
@ -5491,10 +5491,10 @@ index 9b183bc337..f0cc4a6809 100644
     if (sealalg != 0xffff)
         xfree(plain);
 diff --git a/src/lib/gssapi/krb5/k5unsealiov.c b/src/lib/gssapi/krb5/k5unsealiov.c
-index 85a9574f36..3ce2a90ce9 100644
+index 21b501731e..6a6585d9af 100644
 --- a/src/lib/gssapi/krb5/k5unsealiov.c
 +++ b/src/lib/gssapi/krb5/k5unsealiov.c
-@@ -102,28 +102,21 @@ kg_unseal_v1_iov(krb5_context context,
+@@ -103,28 +103,21 @@ kg_unseal_v1_iov(krb5_context context,
     }
     if ((ctx->sealalg == SEAL_ALG_NONE && signalg > 1) ||
@ -5528,7 +5528,7 @@ index 85a9574f36..3ce2a90ce9 100644
     /* get the token parameters */
     code = kg_get_seq_num(context, ctx->seq, ptr + 14, ptr + 6, &direction,
                           &seqnum);
-@@ -181,16 +174,10 @@ kg_unseal_v1_iov(krb5_context context,
+@@ -182,16 +175,10 @@ kg_unseal_v1_iov(krb5_context context,
     /* initialize the checksum */
@ -5548,7 +5548,7 @@ index 85a9574f36..3ce2a90ce9 100644
     code = krb5_c_checksum_length(context, md5cksum.checksum_type, &sumlen);
     if (code != 0) {
-@@ -209,18 +196,13 @@ kg_unseal_v1_iov(krb5_context context,
+@@ -210,18 +197,13 @@ kg_unseal_v1_iov(krb5_context context,
         goto cleanup;
     }
@ -5917,10 +5917,10 @@ index 7494d7fcdb..2f95d89967 100755
 # because the ticket session key and initiator subkey are
 # non-permitted.  (This is unfortunate if the acceptor's restriction
 diff --git a/src/tests/gssapi/t_invalid.c b/src/tests/gssapi/t_invalid.c
-index 9876a11e67..fb8fe55111 100644
+index 882e163634..8192935099 100644
 --- a/src/tests/gssapi/t_invalid.c
 +++ b/src/tests/gssapi/t_invalid.c
-@@ -84,18 +84,6 @@ struct test {
+@@ -94,18 +94,6 @@ struct test {
     size_t toklen;
     const char *token;
 } tests[] = {
@ -6201,5 +6201,5 @@ index 1aebdd0b4a..c38eefd2bd 100644
      <td>The AES Advanced Encryption Standard
 family, like 3DES, is a symmetric block cipher and was designed
 -- 
-2.41.0
+2.45.1
--- a/0006-downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch
+++ b/0006-downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch
@ -1,4 +1,4 @@
-From dc3fd927ccd5b7b40049145c3fc7c610d72e9502 Mon Sep 17 00:00:00 2001
+From 7b6453903c248a761d3ceb538dfacebbf3d3a9ff Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Fri, 9 Nov 2018 15:12:21 -0500
 Subject: [PATCH] [downstream] FIPS with PRNG and RADIUS and MD4
@ -608,5 +608,5 @@ index 1a772d450f..232e78bc05 100644
     vt->name = "spake";
     vt->pa_type_list = pa_types;
 -- 
-2.41.0
+2.45.1
--- a/0007-downstream-Allow-krad-UDP-TCP-localhost-connection-w.patch
+++ b/0007-downstream-Allow-krad-UDP-TCP-localhost-connection-w.patch
@ -1,7 +1,8 @@
-From 19db7e5b5d13732c2dfd08b35e2ad3f311553d54 Mon Sep 17 00:00:00 2001
+From 707fa7bd2be6327343dc8fc5c20dc77645524518 Mon Sep 17 00:00:00 2001
 From: Julien Rische <jrische@redhat.com>
 Date: Thu, 5 May 2022 17:15:12 +0200
-Subject: [PATCH] [downstream] Allow krad UDP/TCP localhost connection with FIPS
+Subject: [PATCH] [downstream] Allow krad UDP/TCP localhost connection
 with FIPS
 libkrad allows to establish connections only to UNIX socket in FIPS
 mode, because MD5 digest is not considered safe enough to be used for
@ -77,5 +78,5 @@ index 929f1cef67..063f17a613 100644
         retval = ESOCKTNOSUPPORT;
         goto error;
 -- 
-2.41.0
+2.45.1
--- a/0008-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch
+++ b/0008-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch
@ -1,4 +1,4 @@
-From 16d3f9a54d4707ae9de18f108a7b61965e83ceaf Mon Sep 17 00:00:00 2001
+From 1da88bea558348be2974470774aa688f8be634c0 Mon Sep 17 00:00:00 2001
 From: Julien Rische <jrische@redhat.com>
 Date: Wed, 7 Dec 2022 13:22:42 +0100
 Subject: [PATCH] [downstream] Make tests compatible with
@ -37,5 +37,5 @@ index 87bac17929..26bc95a8dc 100644
         fail('URI answers do not match')
     j += 1
 -- 
-2.41.0
+2.45.1
--- a/0009-downstream-Include-missing-OpenSSL-FIPS-header.patch
+++ b/0009-downstream-Include-missing-OpenSSL-FIPS-header.patch
@ -1,4 +1,4 @@
-From 511a6260f0dadc3fe5ebe075f8b548eae026a1cc Mon Sep 17 00:00:00 2001
+From 775ed8588cc21385fb16a4cec4a861f0d578ce04 Mon Sep 17 00:00:00 2001
 From: Julien Rische <jrische@redhat.com>
 Date: Thu, 5 Jan 2023 20:06:47 +0100
 Subject: [PATCH] [downstream] Include missing OpenSSL FIPS header
@ -116,5 +116,5 @@ index 232e78bc05..3394f8a58e 100644
  * The SPAKE kdcpreauth module uses a secure cookie containing the following
  * concatenated fields (all integer fields are big-endian):
 -- 
-2.41.0
+2.45.1
--- a/0010-downstream-Do-not-set-root-as-ksu-file-owner.patch
+++ b/0010-downstream-Do-not-set-root-as-ksu-file-owner.patch
@ -1,4 +1,4 @@
-From 1b0bb0c3e5575559ea9135af5b9a1e91fe0f79f3 Mon Sep 17 00:00:00 2001
+From 4fd20741afcf76085ea62eb015cd589bb9392a7b Mon Sep 17 00:00:00 2001
 From: Julien Rische <jrische@redhat.com>
 Date: Mon, 9 Jan 2023 22:39:52 +0100
 Subject: [PATCH] [downstream] Do not set root as ksu file owner
@ -27,5 +27,5 @@ index 7eaa2f351c..e9ae71471e 100644
 ## ${prefix}.
 prefix=@prefix@
 -- 
-2.41.0
+2.45.1
--- a/0011-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch
+++ b/0011-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch
@ -1,4 +1,4 @@
-From 6e239888cdb938ddda2bf49ec03ad2af3923c381 Mon Sep 17 00:00:00 2001
+From 16f90c007036789d8d9343e8a0cbabfd21853b5a Mon Sep 17 00:00:00 2001
 From: Julien Rische <jrische@redhat.com>
 Date: Thu, 19 Jan 2023 19:22:27 +0100
 Subject: [PATCH] [downstream] Allow KRB5KDF, MD5, and MD4 in FIPS mode
@ -161,5 +161,5 @@ index 5a43c3d9eb..8528ddc4a9 100644
         ret = KRB5_CRYPTO_INTERNAL;
         goto done;
 -- 
-2.41.0
+2.45.1
--- a/0012-downstream-Allow-to-set-PAC-ticket-signature-as-opti.patch
+++ b/0012-downstream-Allow-to-set-PAC-ticket-signature-as-opti.patch
@ -1,7 +1,8 @@
-From 640492ecb4ee42edf33c343c08c01a549ed68a52 Mon Sep 17 00:00:00 2001
+From 23b58199db429603802e338db530677b61561335 Mon Sep 17 00:00:00 2001
 From: Julien Rische <jrische@redhat.com>
 Date: Wed, 15 Mar 2023 15:56:34 +0100
-Subject: [PATCH] [downstream] Allow to set PAC ticket signature as optional
+Subject: [PATCH] [downstream] Allow to set PAC ticket signature as
 optional
 MS-PAC states that "The ticket signature SHOULD be included in tickets
 that are not encrypted to the krbtgt account". However, the
@ -73,10 +74,10 @@ index 745b24f351..6075349e5e 100644
 #if !defined(_WIN32)
 diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
-index 350bcf86f2..17e1b52266 100644
+index c5a625db8f..2d9b64dc85 100644
 --- a/src/include/krb5/krb5.hin
 +++ b/src/include/krb5/krb5.hin
-@@ -8356,6 +8356,46 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt,
+@@ -8329,6 +8329,46 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt,
                        const krb5_keyblock *server,
                        const krb5_keyblock *privsvr, krb5_pac *pac_out);
@ -258,7 +259,7 @@ index 4c50e935a2..d4b0455c8c 100644
 krb5_kt_client_default
 krb5_kt_close
 diff --git a/src/man/kadmin.man b/src/man/kadmin.man
-index 461207021b..e8d78309cb 100644
+index 8413e70ccd..f68eb0569d 100644
 --- a/src/man/kadmin.man
 +++ b/src/man/kadmin.man
@@ -724,6 +724,12 @@ encryption type.  It may be necessary to set this value to
@ -275,5 +276,5 @@ index 461207021b..e8d78309cb 100644
 .sp
 This command requires the \fBmodify\fP privilege.
 -- 
-2.41.0
+2.45.1
--- a/0013-downstream-Make-PKINIT-CMS-SHA-1-signature-verificat.patch
+++ b/0013-downstream-Make-PKINIT-CMS-SHA-1-signature-verificat.patch
@ -1,8 +1,8 @@
-From 1b2f64d66e01c1abeefdb7cbef7b04035c2128c0 Mon Sep 17 00:00:00 2001
+From 31b9debcf2cbd558f8f315fefb69fc8206b115b4 Mon Sep 17 00:00:00 2001
 From: Julien Rische <jrische@redhat.com>
 Date: Tue, 23 May 2023 12:19:54 +0200
-Subject: [PATCH] [downstream] Make PKINIT CMS SHA-1 signature verification
+Subject: [PATCH] [downstream] Make PKINIT CMS SHA-1 signature
- available in FIPS mode
+ verification available in FIPS mode
 We recommend using the SHA1 crypto-module in order to allow the
 verification of SHA-1 signature for CMS messages. However, this module
@ -20,7 +20,7 @@ curve cryptography is implemented for PKINIT in MIT krb5.
 1 file changed, 10 insertions(+), 1 deletion(-)
 diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-index f41328763e..263ef7845e 100644
+index cb9c79626c..17dd18e37d 100644
 --- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
 +++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -1844,8 +1844,17 @@ cms_signeddata_verify(krb5_context context,
@ -43,5 +43,5 @@ index f41328763e..263ef7845e 100644
         goto cleanup;
     }
 -- 
-2.41.0
+2.45.1
--- a/0014-Enable-PKINIT-if-at-least-one-group-is-available.patch
+++ b/0014-Enable-PKINIT-if-at-least-one-group-is-available.patch
@ -1,4 +1,4 @@
-From d2b061bea524012edde2915aa95fc4cb6a6f3ae9 Mon Sep 17 00:00:00 2001
+From c24c9faf859ddc04910a6bc591d8ddb2ada93e80 Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Tue, 30 May 2023 01:21:48 -0400
 Subject: [PATCH] Enable PKINIT if at least one group is available
@ -52,7 +52,7 @@ index 9fa315d7a0..8bdbea8e95 100644
 krb5_error_code pkinit_init_req_crypto(pkinit_req_crypto_context *);
 diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-index 263ef7845e..d646073d55 100644
+index 17dd18e37d..8cdc40bfb4 100644
 --- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
 +++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -47,7 +47,8 @@
@ -139,7 +139,7 @@ index 263ef7845e..d646073d55 100644
 }
 static void
-@@ -2910,11 +2918,11 @@ client_create_dh(krb5_context context,
+@@ -2912,11 +2920,11 @@ client_create_dh(krb5_context context,
     if (cryptoctx->received_params != NULL)
         params = cryptoctx->received_params;
@ -154,7 +154,7 @@ index 263ef7845e..d646073d55 100644
         params = plg_cryptoctx->dh_4096;
     else
         goto cleanup;
-@@ -3210,19 +3218,23 @@ pkinit_create_td_dh_parameters(krb5_context context,
+@@ -3212,19 +3220,23 @@ pkinit_create_td_dh_parameters(krb5_context context,
     krb5_algorithm_identifier alg_4096 = { dh_oid, oakley_4096 };
     krb5_algorithm_identifier *alglist[4];
@ -214,5 +214,5 @@ index 259e95c6c2..5ee39c085c 100644
     TRACE(c, "PKINIT OpenSSL error: {str}", msg)
 -- 
-2.41.0
+2.45.1
--- a/0015-Eliminate-old-style-function-declarations.patch
+++ b/0015-Eliminate-old-style-function-declarations.patch
--- a/0016-Replace-ssl.wrap_socket-for-tests.patch
+++ b/0016-Replace-ssl.wrap_socket-for-tests.patch
@ -1,4 +1,4 @@
-From 42e831da09bd196068aeb7fe6bfe380bb46b846c Mon Sep 17 00:00:00 2001
+From abb95e961f4e6a5482220a64fba843a3adc171df Mon Sep 17 00:00:00 2001
 From: Julien Rische <jrische@redhat.com>
 Date: Wed, 19 Jul 2023 13:43:17 +0200
 Subject: [PATCH] Replace ssl.wrap_socket() for tests
@ -60,5 +60,5 @@ index 58759696b6..d1d10d733c 100755
 os.write(sys.stdout.fileno(), b'proxy server ready\n')
 server.serve_forever()
 -- 
-2.41.0
+2.45.1
--- a/0017-Fix-unimportant-memory-leaks.patch
+++ b/0017-Fix-unimportant-memory-leaks.patch
@ -1,4 +1,4 @@
-From f0414954d79283075d1f627dbb9fe6e4f43c1aae Mon Sep 17 00:00:00 2001
+From 0628ab09deb09b98c171316c0b9718914e18e9f4 Mon Sep 17 00:00:00 2001
 From: Steve Grubb <sgrubb@redhat.com>
 Date: Thu, 13 Jul 2023 16:22:30 -0400
 Subject: [PATCH] Fix unimportant memory leaks
@ -16,10 +16,10 @@ some unused ksu functions; rewrote commit message]
 src/appl/gss-sample/gss-client.c              | 367 ++++++++----------
 src/appl/gss-sample/gss-server.c              |   3 +-
 src/clients/klist/klist.c                     |  59 +--
- src/clients/ksu/authorization.c               | 140 +++----
+ src/clients/ksu/authorization.c               | 134 +++----
- src/clients/ksu/ccache.c                      | 289 +++++---------
+ src/clients/ksu/ccache.c                      | 283 +++++---------
 src/clients/ksu/heuristic.c                   | 128 +++---
- src/clients/ksu/krb_auth_su.c                 | 137 ++-----
+ src/clients/ksu/krb_auth_su.c                 | 134 ++-----
 src/clients/ksu/ksu.h                         |   6 -
 src/clients/ksu/main.c                        |   3 +-
 src/kadmin/cli/keytab.c                       |   6 +-
@ -32,10 +32,10 @@ some unused ksu functions; rewrote commit message]
 src/lib/krb5/ccache/ccfns.c                   |  12 +-
 src/lib/krb5/keytab/kt_file.c                 |   3 +-
 src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c |   8 +-
- 19 files changed, 520 insertions(+), 684 deletions(-)
+ 19 files changed, 517 insertions(+), 672 deletions(-)
 diff --git a/src/appl/gss-sample/gss-client.c b/src/appl/gss-sample/gss-client.c
-index 6e2aa33690..cf94623d63 100644
+index 0722ae196f..2cfcfc6cc5 100644
 --- a/src/appl/gss-sample/gss-client.c
 +++ b/src/appl/gss-sample/gss-client.c
@@ -182,180 +182,148 @@ client_establish_context(int s, char *service_name, OM_uint32 gss_flags,
@ -345,7 +345,7 @@ index 6e2aa33690..cf94623d63 100644
 }
 static void
-@@ -449,11 +417,11 @@ call_server(host, port, oid, service_name, gss_flags, auth_flag,
+@@ -436,11 +404,11 @@ call_server(char *host, u_short port, gss_OID oid, char *service_name,
 {
     gss_ctx_id_t context = GSS_C_NO_CONTEXT;
     gss_buffer_desc in_buf, out_buf;
@ -360,7 +360,7 @@ index 6e2aa33690..cf94623d63 100644
     OM_uint32 lifetime;
     gss_OID mechanism, name_type;
     int     is_local;
-@@ -467,14 +435,13 @@ call_server(host, port, oid, service_name, gss_flags, auth_flag,
+@@ -454,14 +422,13 @@ call_server(char *host, u_short port, gss_OID oid, char *service_name,
     /* Open connection */
     if ((s = connect_to_server(host, port)) < 0)
@ -377,7 +377,7 @@ index 6e2aa33690..cf94623d63 100644
     }
     if (auth_flag && verbose) {
-@@ -488,19 +455,19 @@ call_server(host, port, oid, service_name, gss_flags, auth_flag,
+@@ -475,19 +442,19 @@ call_server(char *host, u_short port, gss_OID oid, char *service_name,
                                        &is_local, &is_open);
         if (maj_stat != GSS_S_COMPLETE) {
             display_status("inquiring context", maj_stat, min_stat);
@ -400,7 +400,7 @@ index 6e2aa33690..cf94623d63 100644
         }
         printf("\"%.*s\" to \"%.*s\", lifetime %d, flags %x, %s, %s\n",
                (int) sname.length, (char *) sname.value,
-@@ -509,15 +476,10 @@ call_server(host, port, oid, service_name, gss_flags, auth_flag,
+@@ -496,15 +463,10 @@ call_server(char *host, u_short port, gss_OID oid, char *service_name,
                (is_local) ? "locally initiated" : "remotely initiated",
                (is_open) ? "open" : "closed");
@ -417,7 +417,7 @@ index 6e2aa33690..cf94623d63 100644
         }
         printf("Name type of source name is %.*s.\n",
                (int) oid_name.length, (char *) oid_name.value);
-@@ -528,13 +490,13 @@ call_server(host, port, oid, service_name, gss_flags, auth_flag,
+@@ -515,13 +477,13 @@ call_server(char *host, u_short port, gss_OID oid, char *service_name,
                                               mechanism, &mech_names);
         if (maj_stat != GSS_S_COMPLETE) {
             display_status("inquiring mech names", maj_stat, min_stat);
@ -433,7 +433,7 @@ index 6e2aa33690..cf94623d63 100644
         }
         printf("Mechanism %.*s supports %d names\n",
                (int) oid_name.length, (char *) oid_name.value,
-@@ -546,7 +508,7 @@ call_server(host, port, oid, service_name, gss_flags, auth_flag,
+@@ -533,7 +495,7 @@ call_server(char *host, u_short port, gss_OID oid, char *service_name,
                                       &mech_names->elements[i], &oid_name);
             if (maj_stat != GSS_S_COMPLETE) {
                 display_status("converting oid->string", maj_stat, min_stat);
@ -442,7 +442,7 @@ index 6e2aa33690..cf94623d63 100644
             }
             printf("  %d: %.*s\n", (int) i,
                    (int) oid_name.length, (char *) oid_name.value);
-@@ -571,10 +533,7 @@ call_server(host, port, oid, service_name, gss_flags, auth_flag,
+@@ -558,10 +520,7 @@ call_server(char *host, u_short port, gss_OID oid, char *service_name,
                          &in_buf, &state, &out_buf);
             if (maj_stat != GSS_S_COMPLETE) {
                 display_status("wrapping message", maj_stat, min_stat);
@ -454,7 +454,7 @@ index 6e2aa33690..cf94623d63 100644
             } else if (encrypt_flag && !state) {
                 fprintf(stderr, "Warning!  Message not encrypted.\n");
             }
-@@ -588,22 +547,15 @@ call_server(host, port, oid, service_name, gss_flags, auth_flag,
+@@ -575,22 +534,15 @@ call_server(char *host, u_short port, gss_OID oid, char *service_name,
                               (wrap_flag ? TOKEN_WRAPPED : 0) |
                               (encrypt_flag ? TOKEN_ENCRYPTED : 0) |
                               (mic_flag ? TOKEN_SEND_MIC : 0))),
@ -482,7 +482,7 @@ index 6e2aa33690..cf94623d63 100644
         if (mic_flag) {
             /* Verify signature block */
-@@ -611,10 +563,7 @@ call_server(host, port, oid, service_name, gss_flags, auth_flag,
+@@ -598,10 +550,7 @@ call_server(char *host, u_short port, gss_OID oid, char *service_name,
                                       &out_buf, &qop_state);
             if (maj_stat != GSS_S_COMPLETE) {
                 display_status("verifying signature", maj_stat, min_stat);
@ -494,7 +494,7 @@ index 6e2aa33690..cf94623d63 100644
             }
             if (verbose)
-@@ -634,23 +583,17 @@ call_server(host, port, oid, service_name, gss_flags, auth_flag,
+@@ -621,23 +570,17 @@ call_server(char *host, u_short port, gss_OID oid, char *service_name,
     if (!v1_format)
         (void) send_token(s, TOKEN_NOOP, empty_token);
@ -529,7 +529,7 @@ index 6e2aa33690..cf94623d63 100644
 static void
 diff --git a/src/appl/gss-sample/gss-server.c b/src/appl/gss-sample/gss-server.c
-index 9b6ce9ffb3..ce25df8b40 100644
+index 0e9c857e56..4ba864d9fb 100644
 --- a/src/appl/gss-sample/gss-server.c
 +++ b/src/appl/gss-sample/gss-server.c
@@ -138,13 +138,12 @@ server_acquire_creds(char *service_name, gss_OID mech,
@ -548,7 +548,7 @@ index 9b6ce9ffb3..ce25df8b40 100644
 }
 diff --git a/src/clients/klist/klist.c b/src/clients/klist/klist.c
-index dcdc5a2d59..43392d2337 100644
+index c797b1698f..b5ae96a843 100644
 --- a/src/clients/klist/klist.c
 +++ b/src/clients/klist/klist.c
@@ -469,20 +469,21 @@ do_ccache()
@ -667,7 +667,7 @@ index dcdc5a2d59..43392d2337 100644
      * current.  Otherwise accept any current cred. */
     if (found_tgt)
 diff --git a/src/clients/ksu/authorization.c b/src/clients/ksu/authorization.c
-index fb9d5d0942..6c6a2d007e 100644
+index 17a8a8f2f0..1f2650c2ab 100644
 --- a/src/clients/ksu/authorization.c
 +++ b/src/clients/ksu/authorization.c
@@ -28,7 +28,17 @@
@ -687,9 +687,9 @@ index fb9d5d0942..6c6a2d007e 100644
 +    free(list);
 +}
- krb5_boolean fowner(fp, uid)
+ krb5_boolean
-     FILE *fp;
+ fowner(FILE *fp, uid_t uid)
-@@ -53,10 +63,10 @@ krb5_boolean fowner(fp, uid)
+@@ -52,10 +62,10 @@ fowner(FILE *fp, uid_t uid)
 /*
  * Given a Kerberos principal "principal", and a local username "luser",
@ -703,9 +703,9 @@ index fb9d5d0942..6c6a2d007e 100644
 + * (regardless of its result), non-zero if it encountered an error.
  */
- krb5_error_code krb5_authorization(context, principal, luser,
+ krb5_error_code
-@@ -71,7 +81,7 @@ krb5_error_code krb5_authorization(context, principal, luser,
+@@ -64,7 +74,7 @@ krb5_authorization(krb5_context context, krb5_principal principal,
-     char **out_fcmd;
+                    char **out_fcmd)
 {
     struct passwd *pwd;
 -    char *princname;
@ -713,7 +713,7 @@ index fb9d5d0942..6c6a2d007e 100644
     int k5login_flag =0;
     int k5users_flag =0;
     krb5_boolean retbool =FALSE;
-@@ -83,7 +93,7 @@ krb5_error_code krb5_authorization(context, principal, luser,
+@@ -76,7 +86,7 @@ krb5_authorization(krb5_context context, krb5_principal principal,
     /* no account => no access */
     if ((pwd = getpwnam(luser)) == NULL)
@ -722,7 +722,7 @@ index fb9d5d0942..6c6a2d007e 100644
     retval = krb5_unparse_name(context, principal, &princname);
     if (retval)
-@@ -100,22 +110,19 @@ krb5_error_code krb5_authorization(context, principal, luser,
+@@ -93,22 +103,19 @@ krb5_authorization(krb5_context context, krb5_principal principal,
     /* k5login and k5users must be owned by target user or root */
     if (!k5login_flag){
@ -755,7 +755,7 @@ index fb9d5d0942..6c6a2d007e 100644
     }
     if (auth_debug){
-@@ -134,10 +141,8 @@ krb5_error_code krb5_authorization(context, principal, luser,
+@@ -127,10 +134,8 @@ krb5_authorization(krb5_context context, krb5_principal principal,
                     princname);
         retval = k5login_lookup(login_fp,  princname, &retbool);
@ -768,7 +768,7 @@ index fb9d5d0942..6c6a2d007e 100644
         if (retbool) {
             if (cmd)
                 *out_fcmd = xstrdup(cmd);
-@@ -147,10 +152,8 @@ krb5_error_code krb5_authorization(context, principal, luser,
+@@ -140,10 +145,8 @@ krb5_authorization(krb5_context context, krb5_principal principal,
     if ((!k5users_flag) && (retbool == FALSE) ){
         retval = k5users_lookup (users_fp, princname,
                                  cmd, &retbool, out_fcmd);
@ -781,7 +781,7 @@ index fb9d5d0942..6c6a2d007e 100644
     }
     if (k5login_flag && k5users_flag){
-@@ -166,8 +169,14 @@ krb5_error_code krb5_authorization(context, principal, luser,
+@@ -159,8 +162,14 @@ krb5_authorization(krb5_context context, krb5_principal principal,
     }
     *ok =retbool;
@ -798,8 +798,8 @@ index fb9d5d0942..6c6a2d007e 100644
 }
 /***********************************************************
-@@ -334,10 +343,11 @@ krb5_boolean fcmd_resolve(fcmd, out_fcmd, out_err)
+@@ -320,10 +329,11 @@ krb5_boolean
-     char **out_err;
+ fcmd_resolve(char *fcmd, char ***out_fcmd, char **out_err)
 {
     char * err;
 -    char ** tmp_fcmd;
@ -811,7 +811,7 @@ index fb9d5d0942..6c6a2d007e 100644
     tmp_fcmd = (char **) xcalloc (MAX_CMD, sizeof(char *));
-@@ -345,7 +355,7 @@ krb5_boolean fcmd_resolve(fcmd, out_fcmd, out_err)
+@@ -331,7 +341,7 @@ fcmd_resolve(char *fcmd, char ***out_fcmd, char **out_err)
         tmp_fcmd[0] = xstrdup(fcmd);
         tmp_fcmd[1] = NULL;
         *out_fcmd = tmp_fcmd;
@ -820,7 +820,7 @@ index fb9d5d0942..6c6a2d007e 100644
     }else{
         /* must be either full path or just the cmd name */
         if (strchr(fcmd, '/')){
-@@ -353,7 +363,7 @@ krb5_boolean fcmd_resolve(fcmd, out_fcmd, out_err)
+@@ -339,7 +349,7 @@ fcmd_resolve(char *fcmd, char ***out_fcmd, char **out_err)
                              "either full path or just the cmd name\n"),
                      fcmd, KRB5_USERS_NAME);
             *out_err = err;
@ -829,7 +829,7 @@ index fb9d5d0942..6c6a2d007e 100644
         }
 #ifndef CMD_PATH
-@@ -361,7 +371,7 @@ krb5_boolean fcmd_resolve(fcmd, out_fcmd, out_err)
+@@ -347,7 +357,7 @@ fcmd_resolve(char *fcmd, char ***out_fcmd, char **out_err)
                          "the cmd name, CMD_PATH must be defined \n"),
                  fcmd, KRB5_USERS_NAME, fcmd);
         *out_err = err;
@ -838,7 +838,7 @@ index fb9d5d0942..6c6a2d007e 100644
 #else
         path = xstrdup (CMD_PATH);
-@@ -375,7 +385,7 @@ krb5_boolean fcmd_resolve(fcmd, out_fcmd, out_err)
+@@ -361,7 +371,7 @@ fcmd_resolve(char *fcmd, char ***out_fcmd, char **out_err)
             asprintf(&err, _("Error: bad entry - %s in %s file, CMD_PATH "
                              "contains no paths \n"), fcmd, KRB5_USERS_NAME);
             *out_err = err;
@ -847,7 +847,7 @@ index fb9d5d0942..6c6a2d007e 100644
         }
         i=0;
-@@ -384,7 +394,7 @@ krb5_boolean fcmd_resolve(fcmd, out_fcmd, out_err)
+@@ -370,7 +380,7 @@ fcmd_resolve(char *fcmd, char ***out_fcmd, char **out_err)
                 asprintf(&err, _("Error: bad path %s in CMD_PATH for %s must "
                                  "start with '/' \n"), tc, KRB5_USERS_NAME );
                 *out_err = err;
@ -856,7 +856,7 @@ index fb9d5d0942..6c6a2d007e 100644
             }
             tmp_fcmd[i] = xasprintf("%s/%s", tc, fcmd);
-@@ -395,10 +405,15 @@ krb5_boolean fcmd_resolve(fcmd, out_fcmd, out_err)
+@@ -381,10 +391,15 @@ fcmd_resolve(char *fcmd, char ***out_fcmd, char **out_err)
         tmp_fcmd[i] = NULL;
         *out_fcmd = tmp_fcmd;
@ -874,9 +874,9 @@ index fb9d5d0942..6c6a2d007e 100644
 }
 /********************************************
-@@ -524,41 +539,42 @@ int match_commands (fcmd, cmd, match, cmd_out, err_out)
+@@ -503,41 +518,42 @@ int
-     char **cmd_out;
+ match_commands(char *fcmd, char *cmd, krb5_boolean *match,
-     char **err_out;
+                char **cmd_out, char **err_out)
 {
 -    char ** fcmd_arr;
 +    char ** fcmd_arr = NULL;
@ -930,7 +930,7 @@ index fb9d5d0942..6c6a2d007e 100644
 }
 /*********************************************************
-@@ -587,10 +603,7 @@ krb5_error_code get_line (fp, out_line)
+@@ -563,10 +579,7 @@ get_line(FILE *fp, char **out_line)
         }
         else {
             chunk_count ++;
@ -942,14 +942,12 @@ index fb9d5d0942..6c6a2d007e 100644
             line_ptr = line + (BUFSIZ -1) *( chunk_count -1) ;
         }
-@@ -677,21 +690,8 @@ char *  get_next_token (lnext)
+@@ -652,17 +665,6 @@ get_next_token (char **lnext)
     return out_ptr;
 }
-static void auth_cleanup(users_fp, login_fp, princname)
+-static void
-    FILE *users_fp;
+-auth_cleanup(FILE *users_fp, FILE *login_fp, char *princname)
 -    FILE *login_fp;
 -    char *princname;
 -{
 -
 -    free (princname);
@ -959,22 +957,17 @@ index fb9d5d0942..6c6a2d007e 100644
 -        fclose(login_fp);
 -}
 -
-void init_auth_names(pw_dir)
+ void
-    char *pw_dir;
+ init_auth_names(char *pw_dir)
 +void
 +init_auth_names(char *pw_dir)
 {
     const char *sep;
     int r1, r2;
 diff --git a/src/clients/ksu/ccache.c b/src/clients/ksu/ccache.c
-index cbb9aa2b85..45667dd24a 100644
+index cca9ce2dfc..76cb1d6aa4 100644
 --- a/src/clients/ksu/ccache.c
 +++ b/src/clients/ksu/ccache.c
-@@ -40,7 +40,19 @@ copies the default cache into the secondary cache,
+@@ -40,6 +40,18 @@ copies the default cache into the secondary cache,
 ************************************************************************/
 -void show_credential();
 +static void
 +free_creds_list(krb5_context context, krb5_creds **list)
 +{
@ -987,13 +980,12 @@ index cbb9aa2b85..45667dd24a 100644
 +    free(list);
 +}
 +
-+void show_credential(krb5_context, krb5_creds *, krb5_ccache);
+ void show_credential(krb5_context, krb5_creds *, krb5_ccache);
 /* modifies only the cc_other, the algorithm may look a bit funny,
-    but I had to do it this way, since remove function did not come
+@@ -53,20 +65,19 @@ krb5_ccache_copy(krb5_context context, krb5_ccache cc_def,
-@@ -59,20 +71,19 @@ krb5_error_code krb5_ccache_copy(context, cc_def, target_principal, cc_target,
+                  krb5_boolean restrict_creds, krb5_principal primary_principal,
-     /* OUT */
+                  krb5_boolean *stored)
     krb5_boolean *stored;
 {
 -    int i=0;
     krb5_error_code retval=0;
@ -1016,7 +1008,7 @@ index cbb9aa2b85..45667dd24a 100644
     if (restrict_creds) {
         retval = krb5_store_some_creds(context, cc_target, cc_def_creds_arr,
-@@ -85,22 +96,9 @@ krb5_error_code krb5_ccache_copy(context, cc_def, target_principal, cc_target,
+@@ -79,22 +90,9 @@ krb5_ccache_copy(krb5_context context, krb5_ccache cc_def,
                                       cc_other_creds_arr);
     }
@ -1042,7 +1034,7 @@ index cbb9aa2b85..45667dd24a 100644
     return retval;
 }
-@@ -198,32 +196,29 @@ krb5_error_code krb5_get_nonexp_tkts(context, cc, creds_array)
+@@ -184,32 +182,29 @@ krb5_get_nonexp_tkts(krb5_context context, krb5_ccache cc,
 {
     krb5_creds creds, temp_tktq, temp_tkt;
@ -1082,7 +1074,7 @@ index cbb9aa2b85..45667dd24a 100644
             }
             if (auth_debug){
                 fprintf(stderr,"krb5_ccache_copy: CREDS EXPIRED:\n");
-@@ -233,19 +228,19 @@ krb5_error_code krb5_get_nonexp_tkts(context, cc, creds_array)
+@@ -219,19 +214,19 @@ krb5_get_nonexp_tkts(krb5_context context, krb5_ccache cc,
             }
         }
         else {   /* these credentials didn't expire */
@ -1111,7 +1103,7 @@ index cbb9aa2b85..45667dd24a 100644
             }
         }
-@@ -253,13 +248,15 @@ krb5_error_code krb5_get_nonexp_tkts(context, cc, creds_array)
+@@ -239,13 +234,15 @@ krb5_get_nonexp_tkts(krb5_context context, krb5_ccache cc,
     temp_creds[count] = NULL;
     *creds_array   = temp_creds;
@ -1127,16 +1119,14 @@ index cbb9aa2b85..45667dd24a 100644
 -
 }
- 
+ krb5_error_code
-@@ -331,97 +328,6 @@ void printtime(krb5_timestamp ts)
+@@ -315,122 +312,33 @@ printtime(krb5_timestamp ts)
         printf("%s", fmtbuf);
 }
 -
 -krb5_error_code
-krb5_get_login_princ(luser, princ_list)
+-krb5_get_login_princ(const char *luser, char ***princ_list)
 -    const char *luser;
 -    char ***princ_list;
 -{
 -    struct stat sbuf;
 -    struct passwd *pwd;
@ -1220,14 +1210,9 @@ index cbb9aa2b85..45667dd24a 100644
 -    fclose(fp);
 -    return 0;
 -}
 -
 -
 -
 void
- show_credential(context, cred, cc)
+ show_credential(krb5_context context, krb5_creds *cred, krb5_ccache cc)
     krb5_context context;
@@ -429,31 +335,29 @@ show_credential(context, cred, cc)
     krb5_ccache cc;
 {
     krb5_error_code retval;
 -    char *name, *sname, *flags;
@ -1264,7 +1249,7 @@ index cbb9aa2b85..45667dd24a 100644
     }
     if (!cred->times.starttime)
-@@ -491,8 +395,12 @@ show_credential(context, cred, cc)
+@@ -468,8 +376,12 @@ show_credential(krb5_context context, krb5_creds *cred, krb5_ccache cc)
         }
     }
     putchar('\n');
@ -1277,8 +1262,8 @@ index cbb9aa2b85..45667dd24a 100644
 }
 /* Create a random string suitable for a filename extension. */
-@@ -526,37 +434,26 @@ krb5_error_code krb5_ccache_overwrite(context, ccs, cct, primary_principal)
+@@ -501,37 +413,26 @@ krb5_ccache_overwrite(krb5_context context, krb5_ccache ccs, krb5_ccache cct,
-     krb5_principal primary_principal;
+                       krb5_principal primary_principal)
 {
     krb5_error_code retval=0;
 -    krb5_principal temp_principal;
@ -1327,8 +1312,8 @@ index cbb9aa2b85..45667dd24a 100644
     return retval;
 }
-@@ -616,45 +513,40 @@ krb5_error_code krb5_ccache_filter (context, cc, prst)
+@@ -585,45 +486,40 @@ krb5_error_code
-     krb5_principal prst;
+ krb5_ccache_filter(krb5_context context, krb5_ccache cc, krb5_principal prst)
 {
 -    int i=0;
@ -1395,10 +1380,10 @@ index cbb9aa2b85..45667dd24a 100644
 +    return retval;
 }
- krb5_boolean  krb5_find_princ_in_cred_list (context, creds_list, princ)
+ krb5_boolean
-@@ -688,17 +580,20 @@ krb5_error_code  krb5_find_princ_in_cache (context, cc, princ, found)
+@@ -654,17 +550,20 @@ krb5_error_code
-     krb5_principal princ;
+ krb5_find_princ_in_cache(krb5_context context, krb5_ccache cc,
-     krb5_boolean *found;
+                          krb5_principal princ, krb5_boolean *found)
 {
 -    krb5_error_code retval;
 +    krb5_error_code retval = 0;
@ -1423,10 +1408,10 @@ index cbb9aa2b85..45667dd24a 100644
 krb5_boolean
 diff --git a/src/clients/ksu/heuristic.c b/src/clients/ksu/heuristic.c
-index 4f7280f4cb..47baa785e5 100644
+index e906de8ef0..6ed94eb887 100644
 --- a/src/clients/ksu/heuristic.c
 +++ b/src/clients/ksu/heuristic.c
-@@ -156,28 +156,31 @@ filter(fp, cmd, k5users_list, k5users_filt_list)
+@@ -149,28 +149,31 @@ filter(FILE *fp, char *cmd, char **k5users_list, char ***k5users_filt_list)
     *k5users_filt_list = NULL;
@ -1464,7 +1449,7 @@ index 4f7280f4cb..47baa785e5 100644
     for(j= 0, k=0; j < i; j++ ) {
         if (k5users_list[j]){
-@@ -191,7 +194,10 @@ filter(fp, cmd, k5users_list, k5users_filt_list)
+@@ -184,7 +187,10 @@ filter(FILE *fp, char *cmd, char **k5users_list, char ***k5users_filt_list)
     free (k5users_list);
     *k5users_filt_list = temp_filt_list;
@ -1476,7 +1461,7 @@ index 4f7280f4cb..47baa785e5 100644
 }
 krb5_error_code
-@@ -335,7 +341,7 @@ krb5_error_code get_closest_principal(context, plist, client, found)
+@@ -318,7 +324,7 @@ get_closest_principal(krb5_context context, char **plist,
         retval = krb5_parse_name(context, plist[i], &temp_client);
         if (retval)
@ -1485,7 +1470,7 @@ index 4f7280f4cb..47baa785e5 100644
         pnelem = krb5_princ_size(context, temp_client);
-@@ -363,6 +369,7 @@ krb5_error_code get_closest_principal(context, plist, client, found)
+@@ -346,6 +352,7 @@ get_closest_principal(krb5_context context, char **plist,
                 if(best_client){
                     if(krb5_princ_size(context, best_client) >
                        krb5_princ_size(context, temp_client)){
@ -1493,7 +1478,7 @@ index 4f7280f4cb..47baa785e5 100644
                         best_client = temp_client;
                     }
                 }else
-@@ -375,9 +382,12 @@ krb5_error_code get_closest_principal(context, plist, client, found)
+@@ -358,9 +365,12 @@ get_closest_principal(krb5_context context, char **plist,
     if (best_client) {
         *found = TRUE;
         *client = best_client;
@ -1507,7 +1492,7 @@ index 4f7280f4cb..47baa785e5 100644
 }
 /****************************************************************
-@@ -499,6 +509,7 @@ krb5_error_code find_princ_in_list (context, princ, plist, found)
+@@ -471,6 +481,7 @@ find_princ_in_list(krb5_context context, krb5_principal princ, char **plist,
         i++;
     }
@ -1515,7 +1500,7 @@ index 4f7280f4cb..47baa785e5 100644
     return 0;
 }
-@@ -534,11 +545,9 @@ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid,
+@@ -498,11 +509,9 @@ get_best_princ_for_target(krb5_context context, uid_t source_uid,
 {
     princ_info princ_trials[10];
@ -1530,7 +1515,7 @@ index 4f7280f4cb..47baa785e5 100644
     krb5_error_code retval;
     char ** aplist =NULL;
     krb5_boolean found = FALSE;
-@@ -555,54 +564,59 @@ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid,
+@@ -519,54 +528,59 @@ get_best_princ_for_target(krb5_context context, uid_t source_uid,
     if (ks_ccache_is_initialized(context, cc_source)) {
         retval = krb5_cc_get_principal(context, cc_source, &cc_def_princ);
         if (retval)
@ -1609,7 +1594,7 @@ index 4f7280f4cb..47baa785e5 100644
         if (cmd)
             *path_out = NOT_AUTHORIZED;
-@@ -610,26 +624,25 @@ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid,
+@@ -574,26 +588,25 @@ get_best_princ_for_target(krb5_context context, uid_t source_uid,
         if (auth_debug)
             printf(" GET_best_princ_for_target: via no auth files path\n");
@ -1640,7 +1625,7 @@ index 4f7280f4cb..47baa785e5 100644
     /* first see if default principal of the source cache
      * can get us in, then the target_user@realm, then the
-@@ -652,7 +665,7 @@ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid,
+@@ -616,7 +629,7 @@ get_best_princ_for_target(krb5_context context, uid_t source_uid,
             retval= find_princ_in_list(context, princ_trials[i].p, aplist,
                                        &found);
             if (retval)
@ -1649,7 +1634,7 @@ index 4f7280f4cb..47baa785e5 100644
             if (found == TRUE){
                 princ_trials[i].found = TRUE;
-@@ -661,12 +674,13 @@ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid,
+@@ -625,12 +638,13 @@ get_best_princ_for_target(krb5_context context, uid_t source_uid,
                                              princ_trials[i].p,
                                              end_server, &found);
                 if (retval)
@ -1666,7 +1651,7 @@ index 4f7280f4cb..47baa785e5 100644
                 }
             }
         }
-@@ -679,21 +693,23 @@ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid,
+@@ -643,21 +657,23 @@ get_best_princ_for_target(krb5_context context, uid_t source_uid,
     while (aplist[i]){
         retval = krb5_parse_name(context, aplist[i], &temp_client);
         if (retval)
@ -1693,7 +1678,7 @@ index 4f7280f4cb..47baa785e5 100644
         i++;
     }
-@@ -704,11 +720,11 @@ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid,
+@@ -668,11 +684,11 @@ get_best_princ_for_target(krb5_context context, uid_t source_uid,
     for (i=0; i < count; i ++){
         if (princ_trials[i].found == TRUE){
@ -1707,7 +1692,7 @@ index 4f7280f4cb..47baa785e5 100644
         }
     }
-@@ -718,7 +734,7 @@ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid,
+@@ -682,7 +698,7 @@ get_best_princ_for_target(krb5_context context, uid_t source_uid,
             retval=krb5_copy_principal(context, princ_trials[i].p,
                                        &temp_client);
             if(retval)
@ -1716,7 +1701,7 @@ index 4f7280f4cb..47baa785e5 100644
             /* get the client name that is the closest
                to the three princ in trials */
-@@ -726,15 +742,15 @@ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid,
+@@ -690,15 +706,15 @@ get_best_princ_for_target(krb5_context context, uid_t source_uid,
             retval=get_closest_principal(context, aplist, &temp_client,
                                          &found);
             if(retval)
@ -1735,7 +1720,7 @@ index 4f7280f4cb..47baa785e5 100644
         }
     }
-@@ -745,5 +761,13 @@ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid,
+@@ -709,5 +725,13 @@ get_best_princ_for_target(krb5_context context, uid_t source_uid,
         printf( "GET_best_princ_for_target: out of luck, can't get appropriate default principal\n");
     *path_out = NOT_AUTHORIZED;
@ -1751,12 +1736,12 @@ index 4f7280f4cb..47baa785e5 100644
 +    return retval;
 }
 diff --git a/src/clients/ksu/krb_auth_su.c b/src/clients/ksu/krb_auth_su.c
-index fb848dcab1..a99c4c826c 100644
+index db10251f95..68cfe6b0ed 100644
 --- a/src/clients/ksu/krb_auth_su.c
 +++ b/src/clients/ksu/krb_auth_su.c
-@@ -42,33 +42,31 @@ krb5_boolean krb5_auth_check(context, client_pname, hostname, options,
+@@ -37,33 +37,31 @@ krb5_auth_check(krb5_context context, krb5_principal client_pname,
-     krb5_ccache cc;
+                 char *target_user, krb5_ccache cc, int *path_passwd,
-     int *path_passwd;
+                 uid_t target_uid)
 {
 -    krb5_principal client;
 +    krb5_principal client = NULL;
@ -1794,7 +1779,7 @@ index fb848dcab1..a99c4c826c 100644
     }
     if (auth_debug){ dump_principal(context, "local tgt principal name", tgtq.server ); }
-@@ -82,7 +80,7 @@ krb5_boolean krb5_auth_check(context, client_pname, hostname, options,
+@@ -77,7 +75,7 @@ krb5_auth_check(krb5_context context, krb5_principal client_pname,
         if ((retval != KRB5_CC_NOTFOUND) &&
             (retval != KRB5KRB_AP_ERR_TKT_EXPIRED)){
             com_err(prog_name, retval, _("while retrieving creds from cache"));
@ -1803,7 +1788,7 @@ index fb848dcab1..a99c4c826c 100644
         }
     } else{
         got_it = 1;
-@@ -93,7 +91,7 @@ krb5_boolean krb5_auth_check(context, client_pname, hostname, options,
+@@ -88,7 +86,7 @@ krb5_auth_check(krb5_context context, krb5_principal client_pname,
 #ifdef GET_TGT_VIA_PASSWD
         if (krb5_seteuid(0)||krb5_seteuid(target_uid)) {
             com_err("ksu", errno, _("while switching to target uid"));
@ -1812,7 +1797,7 @@ index fb848dcab1..a99c4c826c 100644
         }
-@@ -107,19 +105,19 @@ krb5_boolean krb5_auth_check(context, client_pname, hostname, options,
+@@ -102,19 +100,19 @@ krb5_auth_check(krb5_context context, krb5_principal client_pname,
                                    &tgt) == FALSE) {
             krb5_seteuid(0);
@ -1835,7 +1820,7 @@ index fb848dcab1..a99c4c826c 100644
 #endif /* GET_TGT_VIA_PASSWD */
-@@ -131,10 +129,16 @@ krb5_boolean krb5_auth_check(context, client_pname, hostname, options,
+@@ -126,10 +124,16 @@ krb5_auth_check(krb5_context context, krb5_principal client_pname,
                                     &vfy_opts);
     if (retval) {
         com_err(prog_name, retval, _("while verifying ticket for server"));
@ -1853,10 +1838,10 @@ index fb848dcab1..a99c4c826c 100644
 +    return ok;
 }
- krb5_boolean ksu_get_tgt_via_passwd(context, client, options, zero_password,
+ krb5_boolean
-@@ -145,11 +149,12 @@ krb5_boolean ksu_get_tgt_via_passwd(context, client, options, zero_password,
+@@ -137,11 +141,12 @@ ksu_get_tgt_via_passwd(krb5_context context, krb5_principal client,
-     krb5_boolean *zero_password;
+                        krb5_get_init_creds_opt *options,
-     krb5_creds *creds_out;
+                        krb5_boolean *zero_password, krb5_creds *creds_out)
 {
 +    krb5_boolean ok = FALSE;
     krb5_error_code code;
@ -1869,7 +1854,7 @@ index fb848dcab1..a99c4c826c 100644
     int result;
     *zero_password = FALSE;
-@@ -158,14 +163,14 @@ krb5_boolean ksu_get_tgt_via_passwd(context, client, options, zero_password,
+@@ -150,14 +155,14 @@ ksu_get_tgt_via_passwd(krb5_context context, krb5_principal client,
     if ((code = krb5_unparse_name(context, client, &client_name))) {
         com_err (prog_name, code, _("when unparsing name"));
@ -1886,7 +1871,7 @@ index fb848dcab1..a99c4c826c 100644
     }
     result = snprintf(prompt, sizeof(prompt), _("Kerberos password for %s: "),
-@@ -174,7 +179,7 @@ krb5_boolean ksu_get_tgt_via_passwd(context, client, options, zero_password,
+@@ -166,7 +171,7 @@ ksu_get_tgt_via_passwd(krb5_context context, krb5_principal client,
         fprintf(stderr,
                 _("principal name %s too long for internal buffer space\n"),
                 client_name);
@ -1895,7 +1880,7 @@ index fb848dcab1..a99c4c826c 100644
     }
     pwsize = sizeof(password);
-@@ -183,13 +188,13 @@ krb5_boolean ksu_get_tgt_via_passwd(context, client, options, zero_password,
+@@ -175,13 +180,13 @@ ksu_get_tgt_via_passwd(krb5_context context, krb5_principal client,
     if (code ) {
         com_err(prog_name, code, _("while reading password for '%s'\n"),
                 client_name);
@ -1911,7 +1896,7 @@ index fb848dcab1..a99c4c826c 100644
     }
     code = krb5_get_init_creds_password(context, &creds, client, password,
-@@ -203,13 +208,19 @@ krb5_boolean ksu_get_tgt_via_passwd(context, client, options, zero_password,
+@@ -195,13 +200,19 @@ ksu_get_tgt_via_passwd(krb5_context context, krb5_principal client,
             fprintf(stderr, _("%s: Password incorrect\n"), prog_name);
         else
             com_err(prog_name, code, _("while getting initial credentials"));
@ -1935,8 +1920,8 @@ index fb848dcab1..a99c4c826c 100644
 +    return ok;
 }
- 
+ void
-@@ -224,8 +235,10 @@ void dump_principal (context, str, p)
+@@ -213,8 +224,10 @@ dump_principal(krb5_context context, char *str, krb5_principal p)
     if ((retval = krb5_unparse_name(context, p, &stname))) {
         fprintf(stderr, _(" %s while unparsing name\n"),
                 error_message(retval));
@ -1946,8 +1931,8 @@ index fb848dcab1..a99c4c826c 100644
 +    free(stname);
 }
- void plain_dump_principal (context, p)
+ void
-@@ -238,74 +251,8 @@ void plain_dump_principal (context, p)
+@@ -226,71 +239,8 @@ plain_dump_principal (krb5_context context, krb5_principal p)
     if ((retval = krb5_unparse_name(context, p, &stname))) {
         fprintf(stderr, _(" %s while unparsing name\n"),
                 error_message(retval));
@ -1965,11 +1950,8 @@ index fb848dcab1..a99c4c826c 100644
 -
 -**********************************************************************/
 -
-
+-krb5_error_code
-krb5_error_code get_best_principal(context, plist, client)
+-get_best_principal(krb5_context context, char **plist, krb5_principal *client)
 -    krb5_context context;
 -    char **plist;
 -    krb5_principal *client;
 -{
 -    krb5_error_code retval =0;
 -    krb5_principal temp_client, best_client = NULL;
@ -2049,10 +2031,10 @@ index 66fb4bcc6a..32ce11cb85 100644
 (krb5_context, krb5_creds *, krb5_ccache);
 diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
-index 931f054041..a7cb7ed3be 100644
+index 2a351662c8..77703a6a2b 100644
 --- a/src/clients/ksu/main.c
 +++ b/src/clients/ksu/main.c
-@@ -1003,7 +1003,7 @@ resolve_target_cache(krb5_context context, krb5_principal princ,
+@@ -1002,7 +1002,7 @@ resolve_target_cache(krb5_context context, krb5_principal princ,
             if (retval) {
                 com_err(prog_name, retval,
                         _("while generating part of the target ccache name"));
@ -2061,7 +2043,7 @@ index 931f054041..a7cb7ed3be 100644
             }
             if (asprintf(&ccname, "%s.%s", target, sym) < 0) {
                 retval = ENOMEM;
-@@ -1015,6 +1015,7 @@ resolve_target_cache(krb5_context context, krb5_principal princ,
+@@ -1014,6 +1014,7 @@ resolve_target_cache(krb5_context context, krb5_principal princ,
             free(sym);
         } while (ks_ccache_name_is_initialized(context, ccname));
         retval = krb5_cc_resolve(context, ccname, &ccache);
@ -2070,7 +2052,7 @@ index 931f054041..a7cb7ed3be 100644
         /* Look for a cache in the collection that we can reuse. */
         retval = krb5_cc_cache_match(context, princ, &ccache);
 diff --git a/src/kadmin/cli/keytab.c b/src/kadmin/cli/keytab.c
-index b0c8378b40..8a59188216 100644
+index 26f340af31..976c8969e8 100644
 --- a/src/kadmin/cli/keytab.c
 +++ b/src/kadmin/cli/keytab.c
@@ -363,7 +363,7 @@ remove_principal(char *keytab_str, krb5_keytab keytab,
@ -2108,10 +2090,10 @@ index b0c8378b40..8a59188216 100644
 }
 diff --git a/src/kadmin/ktutil/ktutil.c b/src/kadmin/ktutil/ktutil.c
-index 92d7023a4f..782c7289c5 100644
+index 87a69ca145..a1c17d154d 100644
 --- a/src/kadmin/ktutil/ktutil.c
 +++ b/src/kadmin/ktutil/ktutil.c
-@@ -263,6 +263,7 @@ void ktutil_list(argc, argv)
+@@ -254,6 +254,7 @@ ktutil_list(int argc, char *argv[])
                                                buf, sizeof(buf)))) {
                 com_err(argv[0], retval,
                         _("While converting enctype to string"));
@ -2120,7 +2102,7 @@ index 92d7023a4f..782c7289c5 100644
             }
             printf(" (%s) ", buf);
 diff --git a/src/kprop/kpropd.c b/src/kprop/kpropd.c
-index cb9785aaeb..286b3a655e 100644
+index f883ae2df8..9a4826e441 100644
 --- a/src/kprop/kpropd.c
 +++ b/src/kprop/kpropd.c
@@ -1300,19 +1300,20 @@ static krb5_boolean
@ -2187,7 +2169,7 @@ index 96a408c237..bf5cede54a 100644
     if (json_kgcred(context, cred, &jcred))
 diff --git a/src/lib/gssapi/krb5/val_cred.c b/src/lib/gssapi/krb5/val_cred.c
-index cb1cb9393a..87a46cd533 100644
+index 83e7634106..d4b070f8c0 100644
 --- a/src/lib/gssapi/krb5/val_cred.c
 +++ b/src/lib/gssapi/krb5/val_cred.c
@@ -35,6 +35,7 @@ krb5_gss_validate_cred_1(OM_uint32 *minor_status, gss_cred_id_t cred_handle,
@ -2330,5 +2312,5 @@ index 753929b06d..f7fad27867 100644
         }
     }
 -- 
-2.41.0
+2.45.1
--- a/0018-End-connection-on-KDC_ERR_SVC_UNAVAILABLE.patch
+++ b/0018-End-connection-on-KDC_ERR_SVC_UNAVAILABLE.patch
@ -0,0 +1,34 @@
 From 6e898b880a0c752f83decf33d64a7d8706e6d6f8 Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Fri, 27 Oct 2023 00:44:53 -0400
 Subject: [PATCH] End connection on KDC_ERR_SVC_UNAVAILABLE
 In sendto_kdc.c:service_fds(), if a message handler indicates that a
 message should be discarded, kill the connection so we don't continue
 waiting on it for more data.
 ticket: 7899
 (cherry picked from commit ca80f64c786341d5871ae1de18142e62af64f7b9)
 ---
 src/lib/krb5/os/sendto_kdc.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
 diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c
 index 0f4bf23a95..262edf09b4 100644
 --- a/src/lib/krb5/os/sendto_kdc.c
 +++ b/src/lib/krb5/os/sendto_kdc.c
@@ -1440,7 +1440,10 @@ service_fds(krb5_context context, struct select_state *selstate,
                 if (msg_handler != NULL) {
                     krb5_data reply = make_data(state->in.buf, state->in.pos);
 -                    stop = (msg_handler(context, &reply, msg_handler_data) != 0);
 +                    if (!msg_handler(context, &reply, msg_handler_data)) {
 +                        kill_conn(context, state, selstate);
 +                        stop = 0;
 +                    }
                 }
                 if (stop) {
 -- 
 2.45.1
--- a/0019-Add-request_timeout-configuration-parameter.patch
+++ b/0019-Add-request_timeout-configuration-parameter.patch
@ -0,0 +1,226 @@
 From fa711b7cb3b7cbb234bd202bc9d9b9d7ca4defad Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Thu, 26 Oct 2023 14:20:34 -0400
 Subject: [PATCH] Add request_timeout configuration parameter
 Add a parameter to limit the total amount of time taken for a KDC or
 password change request.
 ticket: 9106 (new)
 (cherry picked from commit 802318cda963456b3ed7856c836e89da891483be)
 ---
 doc/admin/conf_files/krb5_conf.rst |  9 ++++++
 src/include/k5-int.h               |  2 ++
 src/lib/krb5/krb/init_ctx.c        | 14 +++++++-
 src/lib/krb5/os/sendto_kdc.c       | 51 ++++++++++++++++++++----------
 4 files changed, 58 insertions(+), 18 deletions(-)
 diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
 index a33711d918..65fb592d98 100644
 --- a/doc/admin/conf_files/krb5_conf.rst
 +++ b/doc/admin/conf_files/krb5_conf.rst
@@ -356,6 +356,15 @@ The libdefaults section may contain any of the following relations:
     (:ref:`duration` string.)  Sets the default renewable lifetime
     for initial ticket requests.  The default value is 0.
 +**request_timeout**
 +    (:ref:`duration` string.)  Sets the maximum total time for KDC or
 +    password change requests.  This timeout does not affect the
 +    intervals between requests, so setting a low timeout may result in
 +    fewer requests being attempted and/or some servers not being
 +    contacted.  A value of 0 indicates no specific maximum, in which
 +    case requests will time out if no server responds after several
 +    tries.  The default value is 0.  (New in release 1.22.)
 +
 **spake_preauth_groups**
     A whitespace or comma-separated list of words which specifies the
     groups allowed for SPAKE preauthentication.  The possible values
 diff --git a/src/include/k5-int.h b/src/include/k5-int.h
 index b3e07945c1..69d6a6f569 100644
 --- a/src/include/k5-int.h
 +++ b/src/include/k5-int.h
@@ -296,6 +296,7 @@ typedef unsigned char   u_char;
 #define KRB5_CONF_SPAKE_PREAUTH_INDICATOR      "spake_preauth_indicator"
 #define KRB5_CONF_SPAKE_PREAUTH_KDC_CHALLENGE  "spake_preauth_kdc_challenge"
 #define KRB5_CONF_SPAKE_PREAUTH_GROUPS         "spake_preauth_groups"
 +#define KRB5_CONF_REQUEST_TIMEOUT              "request_timeout"
 #define KRB5_CONF_TICKET_LIFETIME              "ticket_lifetime"
 #define KRB5_CONF_UDP_PREFERENCE_LIMIT         "udp_preference_limit"
 #define KRB5_CONF_UNLOCKITER                   "unlockiter"
@@ -1200,6 +1201,7 @@ struct _krb5_context {
     kdb5_dal_handle *dal_handle;
     /* allowable clock skew */
     krb5_deltat     clockskew;
 +    krb5_deltat     req_timeout;
     krb5_flags      kdc_default_options;
     krb5_flags      library_options;
     krb5_boolean    profile_secure;
 diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c
 index 2b5abcd817..582a2945ff 100644
 --- a/src/lib/krb5/krb/init_ctx.c
 +++ b/src/lib/krb5/krb/init_ctx.c
@@ -157,7 +157,7 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags,
     krb5_context ctx = 0;
     krb5_error_code retval;
     int tmp;
 -    char *plugin_dir = NULL;
 +    char *plugin_dir = NULL, *timeout_str = NULL;
     /* Verify some assumptions.  If the assumptions hold and the
        compiler is optimizing, this should result in no code being
@@ -240,6 +240,17 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags,
     get_integer(ctx, KRB5_CONF_CLOCKSKEW, DEFAULT_CLOCKSKEW, &tmp);
     ctx->clockskew = tmp;
 +    retval = profile_get_string(ctx->profile, KRB5_CONF_LIBDEFAULTS,
 +                                KRB5_CONF_REQUEST_TIMEOUT, NULL, NULL,
 +                                &timeout_str);
 +    if (retval)
 +        goto cleanup;
 +    if (timeout_str != NULL) {
 +        retval = krb5_string_to_deltat(timeout_str, &ctx->req_timeout);
 +        if (retval)
 +            goto cleanup;
 +    }
 +
     get_integer(ctx, KRB5_CONF_KDC_DEFAULT_OPTIONS, KDC_OPT_RENEWABLE_OK,
                 &tmp);
     ctx->kdc_default_options = tmp;
@@ -281,6 +292,7 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags,
 cleanup:
     profile_release_string(plugin_dir);
 +    profile_release_string(timeout_str);
     krb5_free_context(ctx);
     return retval;
 }
 diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c
 index 262edf09b4..98247a1089 100644
 --- a/src/lib/krb5/os/sendto_kdc.c
 +++ b/src/lib/krb5/os/sendto_kdc.c
@@ -1395,34 +1395,41 @@ get_endtime(time_ms endtime, struct conn_state *conns)
 static krb5_boolean
 service_fds(krb5_context context, struct select_state *selstate,
 -            time_ms interval, struct conn_state *conns,
 +            time_ms interval, time_ms timeout, struct conn_state *conns,
             struct select_state *seltemp, const krb5_data *realm,
             int (*msg_handler)(krb5_context, const krb5_data *, void *),
             void *msg_handler_data, struct conn_state **winner_out)
 {
     int e, selret = 0;
 -    time_ms endtime;
 +    time_ms curtime, interval_end, endtime;
     struct conn_state *state;
     *winner_out = NULL;
 -    e = get_curtime_ms(&endtime);
 +    e = get_curtime_ms(&curtime);
     if (e)
         return TRUE;
 -    endtime += interval;
 +    interval_end = curtime + interval;
     e = 0;
     while (selstate->nfds > 0) {
 -        e = cm_select_or_poll(selstate, get_endtime(endtime, conns),
 -                              seltemp, &selret);
 +        endtime = get_endtime(interval_end, conns);
 +        /* Don't wait longer than the whole request should last. */
 +        if (timeout && endtime > timeout)
 +            endtime = timeout;
 +        e = cm_select_or_poll(selstate, endtime, seltemp, &selret);
         if (e == EINTR)
             continue;
         if (e != 0)
             break;
 -        if (selret == 0)
 -            /* Timeout, return to caller.  */
 +        if (selret == 0) {
 +            /* We timed out.  Stop if we hit the overall request timeout. */
 +            if (timeout && (get_curtime_ms(&curtime) || curtime >= timeout))
 +                return TRUE;
 +            /* Otherwise return to the caller to send the next request. */
             return FALSE;
 +        }
         /* Got something on a socket, process it.  */
         for (state = conns; state != NULL; state = state->next) {
@@ -1495,7 +1502,7 @@ k5_sendto(krb5_context context, const krb5_data *message,
           void *msg_handler_data)
 {
     int pass;
 -    time_ms delay;
 +    time_ms delay, timeout = 0;
     krb5_error_code retval;
     struct conn_state *conns = NULL, *state, **tailptr, *next, *winner;
     size_t s;
@@ -1505,6 +1512,13 @@ k5_sendto(krb5_context context, const krb5_data *message,
     *reply = empty_data();
 +    if (context->req_timeout) {
 +        retval = get_curtime_ms(&timeout);
 +        if (retval)
 +            return retval;
 +        timeout += 1000 * context->req_timeout;
 +    }
 +
     /* One for use here, listing all our fds in use, and one for
      * temporary use in service_fds, for the fds of interest.  */
     sel_state = malloc(2 * sizeof(*sel_state));
@@ -1532,8 +1546,9 @@ k5_sendto(krb5_context context, const krb5_data *message,
             if (maybe_send(context, state, message, sel_state, realm,
                            callback_info))
                 continue;
 -            done = service_fds(context, sel_state, 1000, conns, seltemp,
 -                               realm, msg_handler, msg_handler_data, &winner);
 +            done = service_fds(context, sel_state, 1000, timeout, conns,
 +                               seltemp, realm, msg_handler, msg_handler_data,
 +                               &winner);
         }
     }
@@ -1545,13 +1560,13 @@ k5_sendto(krb5_context context, const krb5_data *message,
         if (maybe_send(context, state, message, sel_state, realm,
                        callback_info))
             continue;
 -        done = service_fds(context, sel_state, 1000, conns, seltemp,
 +        done = service_fds(context, sel_state, 1000, timeout, conns, seltemp,
                            realm, msg_handler, msg_handler_data, &winner);
     }
     /* Wait for two seconds at the end of the first pass. */
     if (!done) {
 -        done = service_fds(context, sel_state, 2000, conns, seltemp,
 +        done = service_fds(context, sel_state, 2000, timeout, conns, seltemp,
                            realm, msg_handler, msg_handler_data, &winner);
     }
@@ -1562,15 +1577,17 @@ k5_sendto(krb5_context context, const krb5_data *message,
             if (maybe_send(context, state, message, sel_state, realm,
                            callback_info))
                 continue;
 -            done = service_fds(context, sel_state, 1000, conns, seltemp,
 -                               realm, msg_handler, msg_handler_data, &winner);
 +            done = service_fds(context, sel_state, 1000, timeout, conns,
 +                               seltemp, realm, msg_handler, msg_handler_data,
 +                               &winner);
             if (sel_state->nfds == 0)
                 break;
         }
         /* Wait for the delay backoff at the end of this pass. */
         if (!done) {
 -            done = service_fds(context, sel_state, delay, conns, seltemp,
 -                               realm, msg_handler, msg_handler_data, &winner);
 +            done = service_fds(context, sel_state, delay, timeout, conns,
 +                               seltemp, realm, msg_handler, msg_handler_data,
 +                               &winner);
         }
         if (sel_state->nfds == 0)
             break;
 -- 
 2.45.1
--- a/0020-Wait-indefinitely-on-KDC-TCP-connections.patch
+++ b/0020-Wait-indefinitely-on-KDC-TCP-connections.patch
@ -0,0 +1,138 @@
 From 58b64df22e22b9b89f9c6af96990276a1fc8e3c6 Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Thu, 26 Oct 2023 16:26:42 -0400
 Subject: [PATCH] Wait indefinitely on KDC TCP connections
 When making a KDC or password change request, wait indefinitely
 (limited only by request_timeout if set) once a KDC has accepted a TCP
 connection.
 ticket: 9105 (new)
 (cherry picked from commit 6436a3808061da787a43c6810f5f0370cdfb6e36)
 ---
 doc/admin/conf_files/krb5_conf.rst |  2 +-
 src/lib/krb5/os/sendto_kdc.c       | 50 ++++++++++++++++--------------
 2 files changed, 27 insertions(+), 25 deletions(-)
 diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
 index 65fb592d98..b7284c47df 100644
 --- a/doc/admin/conf_files/krb5_conf.rst
 +++ b/doc/admin/conf_files/krb5_conf.rst
@@ -357,7 +357,7 @@ The libdefaults section may contain any of the following relations:
     for initial ticket requests.  The default value is 0.
 **request_timeout**
 -    (:ref:`duration` string.)  Sets the maximum total time for KDC or
 +    (:ref:`duration` string.)  Sets the maximum total time for KDC and
     password change requests.  This timeout does not affect the
     intervals between requests, so setting a low timeout may result in
     fewer requests being attempted and/or some servers not being
 diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c
 index 98247a1089..924f5b2d26 100644
 --- a/src/lib/krb5/os/sendto_kdc.c
 +++ b/src/lib/krb5/os/sendto_kdc.c
@@ -134,7 +134,6 @@ struct conn_state {
     krb5_data callback_buffer;
     size_t server_index;
     struct conn_state *next;
 -    time_ms endtime;
     krb5_boolean defer;
     struct {
         const char *uri_path;
@@ -344,15 +343,19 @@ cm_select_or_poll(const struct select_state *in, time_ms endtime,
                   struct select_state *out, int *sret)
 {
 #ifndef USE_POLL
 -    struct timeval tv;
 +    struct timeval tv, *tvp;
 #endif
     krb5_error_code retval;
     time_ms curtime, interval;
 -    retval = get_curtime_ms(&curtime);
 -    if (retval != 0)
 -        return retval;
 -    interval = (curtime < endtime) ? endtime - curtime : 0;
 +    if (endtime != 0) {
 +        retval = get_curtime_ms(&curtime);
 +        if (retval != 0)
 +            return retval;
 +        interval = (curtime < endtime) ? endtime - curtime : 0;
 +    } else {
 +        interval = -1;
 +    }
     /* We don't need a separate copy of the selstate for poll, but use one for
      * consistency with how we use select. */
@@ -361,9 +364,14 @@ cm_select_or_poll(const struct select_state *in, time_ms endtime,
 #ifdef USE_POLL
     *sret = poll(out->fds, out->nfds, interval);
 #else
 -    tv.tv_sec = interval / 1000;
 -    tv.tv_usec = interval % 1000 * 1000;
 -    *sret = select(out->max, &out->rfds, &out->wfds, &out->xfds, &tv);
 +    if (interval != -1) {
 +        tv.tv_sec = interval / 1000;
 +        tv.tv_usec = interval % 1000 * 1000;
 +        tvp = &tv;
 +    } else {
 +        tvp = NULL;
 +    }
 +    *sret = select(out->max, &out->rfds, &out->wfds, &out->xfds, tvp);
 #endif
     return (*sret < 0) ? SOCKET_ERRNO : 0;
@@ -1099,11 +1107,6 @@ service_tcp_connect(krb5_context context, const krb5_data *realm,
     }
     conn->state = WRITING;
 -
 -    /* Record this connection's timeout for service_fds. */
 -    if (get_curtime_ms(&conn->endtime) == 0)
 -        conn->endtime += 10000;
 -
     return conn->service_write(context, realm, conn, selstate);
 }
@@ -1378,19 +1381,18 @@ kill_conn:
     return FALSE;
 }
 -/* Return the maximum of endtime and the endtime fields of all currently active
 - * TCP connections. */
 -static time_ms
 -get_endtime(time_ms endtime, struct conn_state *conns)
 +/* Return true if conns contains any states with connected TCP sockets. */
 +static krb5_boolean
 +any_tcp_connections(struct conn_state *conns)
 {
     struct conn_state *state;
     for (state = conns; state != NULL; state = state->next) {
 -        if ((state->state == READING || state->state == WRITING) &&
 -            state->endtime > endtime)
 -            endtime = state->endtime;
 +        if (state->addr.transport != UDP &&
 +            (state->state == READING || state->state == WRITING))
 +            return TRUE;
     }
 -    return endtime;
 +    return FALSE;
 }
 static krb5_boolean
@@ -1413,9 +1415,9 @@ service_fds(krb5_context context, struct select_state *selstate,
     e = 0;
     while (selstate->nfds > 0) {
 -        endtime = get_endtime(interval_end, conns);
 +        endtime = any_tcp_connections(conns) ? 0 : interval_end;
         /* Don't wait longer than the whole request should last. */
 -        if (timeout && endtime > timeout)
 +        if (timeout && (!endtime || endtime > timeout))
             endtime = timeout;
         e = cm_select_or_poll(selstate, endtime, seltemp, &selret);
         if (e == EINTR)
 -- 
 2.45.1
--- a/0021-Remove-klist-s-defname-global-variable.patch
+++ b/0021-Remove-klist-s-defname-global-variable.patch
@ -1,4 +1,4 @@
-From c5cdf6f71621569c6c389be720937ac97ace988f Mon Sep 17 00:00:00 2001
+From fa9dfdc9d85e88b6880edde5de45333b97a53a11 Mon Sep 17 00:00:00 2001
 From: Julien Rische <jrische@redhat.com>
 Date: Mon, 8 Jan 2024 16:52:27 +0100
 Subject: [PATCH] Remove klist's defname global variable
@ -13,12 +13,14 @@ Convert "defname" to a local variable initialized at the beginning of
 show_ccache().
 [ghudson@mit.edu: edited commit message]
 (cherry picked from commit 5b00197227231943bd2305328c8260dd0b0dbcf0)
 ---
 src/clients/klist/klist.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
 diff --git a/src/clients/klist/klist.c b/src/clients/klist/klist.c
-index 43392d2337..394c75b6b7 100644
+index b5ae96a843..b5808e5c93 100644
 --- a/src/clients/klist/klist.c
 +++ b/src/clients/klist/klist.c
@@ -53,7 +53,6 @@ int show_flags = 0, show_time = 0, status_only = 0, show_keys = 0;
@ -65,5 +67,5 @@ index 43392d2337..394c75b6b7 100644
     krb5_error_code ret;
     krb5_ticket *tkt = NULL;
 -- 
-2.41.0
+2.45.1
--- a/0022-Fix-two-unlikely-memory-leaks.patch
+++ b/0022-Fix-two-unlikely-memory-leaks.patch
@ -0,0 +1,206 @@
 From 313d7b1afdcfca2bc0f6824cfeb25594c2eae176 Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Tue, 5 Mar 2024 19:53:07 -0500
 Subject: [PATCH] Fix two unlikely memory leaks
 In gss_krb5int_make_seal_token_v3(), one of the bounds checks (which
 could probably never be triggered) leaks plain.data.  Fix this leak
 and use current practices for cleanup throughout the function.
 In xmt_rmtcallres() (unused within the tree and likely elsewhere),
 store port_ptr into crp->port_ptr as soon as it is allocated;
 otherwise it could leak if the subsequent xdr_u_int32() operation
 fails.
 (cherry picked from commit c5f9c816107f70139de11b38aa02db2f1774ee0d)
 ---
 src/lib/gssapi/krb5/k5sealv3.c | 56 +++++++++++++++-------------------
 src/lib/rpc/pmap_rmt.c         | 10 +++---
 2 files changed, 29 insertions(+), 37 deletions(-)
 diff --git a/src/lib/gssapi/krb5/k5sealv3.c b/src/lib/gssapi/krb5/k5sealv3.c
 index 1fcbdfbb87..d3210c1107 100644
 --- a/src/lib/gssapi/krb5/k5sealv3.c
 +++ b/src/lib/gssapi/krb5/k5sealv3.c
@@ -65,7 +65,7 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
                                 int conf_req_flag, int toktype)
 {
     size_t bufsize = 16;
 -    unsigned char *outbuf = 0;
 +    unsigned char *outbuf = NULL;
     krb5_error_code err;
     int key_usage;
     unsigned char acceptor_flag;
@@ -75,9 +75,13 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
 #endif
     size_t ec;
     unsigned short tok_id;
 -    krb5_checksum sum;
 +    krb5_checksum sum = { 0 };
     krb5_key key;
     krb5_cksumtype cksumtype;
 +    krb5_data plain = empty_data();
 +
 +    token->value = NULL;
 +    token->length = 0;
     acceptor_flag = ctx->initiate ? 0 : FLAG_SENDER_IS_ACCEPTOR;
     key_usage = (toktype == KG_TOK_WRAP_MSG
@@ -107,14 +111,15 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
 #endif
     if (toktype == KG_TOK_WRAP_MSG && conf_req_flag) {
 -        krb5_data plain;
         krb5_enc_data cipher;
         size_t ec_max;
         size_t encrypt_size;
         /* 300: Adds some slop.  */
 -        if (SIZE_MAX - 300 < message->length)
 -            return ENOMEM;
 +        if (SIZE_MAX - 300 < message->length) {
 +            err = ENOMEM;
 +            goto cleanup;
 +        }
         ec_max = SIZE_MAX - message->length - 300;
         if (ec_max > 0xffff)
             ec_max = 0xffff;
@@ -126,20 +131,20 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
 #endif
         err = alloc_data(&plain, message->length + 16 + ec);
         if (err)
 -            return err;
 +            goto cleanup;
         /* Get size of ciphertext.  */
         encrypt_size = krb5_encrypt_size(plain.length, key->keyblock.enctype);
         if (encrypt_size > SIZE_MAX / 2) {
             err = ENOMEM;
 -            goto error;
 +            goto cleanup;
         }
         bufsize = 16 + encrypt_size;
         /* Allocate space for header plus encrypted data.  */
         outbuf = gssalloc_malloc(bufsize);
         if (outbuf == NULL) {
 -            free(plain.data);
 -            return ENOMEM;
 +            err = ENOMEM;
 +            goto cleanup;
         }
         /* TOK_ID */
@@ -164,11 +169,8 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
         cipher.ciphertext.length = bufsize - 16;
         cipher.enctype = key->keyblock.enctype;
         err = krb5_k_encrypt(context, key, key_usage, 0, &plain, &cipher);
 -        zap(plain.data, plain.length);
 -        free(plain.data);
 -        plain.data = 0;
         if (err)
 -            goto error;
 +            goto cleanup;
         /* Now that we know we're returning a valid token....  */
         ctx->seq_send++;
@@ -181,7 +183,6 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
         /* If the rotate fails, don't worry about it.  */
 #endif
     } else if (toktype == KG_TOK_WRAP_MSG && !conf_req_flag) {
 -        krb5_data plain;
         size_t cksumsize;
         /* Here, message is the application-supplied data; message2 is
@@ -193,21 +194,19 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
     wrap_with_checksum:
         err = alloc_data(&plain, message->length + 16);
         if (err)
 -            return err;
 +            goto cleanup;
         err = krb5_c_checksum_length(context, cksumtype, &cksumsize);
         if (err)
 -            goto error;
 +            goto cleanup;
         assert(cksumsize <= 0xffff);
         bufsize = 16 + message2->length + cksumsize;
         outbuf = gssalloc_malloc(bufsize);
         if (outbuf == NULL) {
 -            free(plain.data);
 -            plain.data = 0;
             err = ENOMEM;
 -            goto error;
 +            goto cleanup;
         }
         /* TOK_ID */
@@ -239,23 +238,15 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
         if (message2->length)
             memcpy(outbuf + 16, message2->value, message2->length);
 -        sum.contents = outbuf + 16 + message2->length;
 -        sum.length = cksumsize;
 -
         err = krb5_k_make_checksum(context, cksumtype, key,
                                    key_usage, &plain, &sum);
 -        zap(plain.data, plain.length);
 -        free(plain.data);
 -        plain.data = 0;
         if (err) {
             zap(outbuf,bufsize);
 -            goto error;
 +            goto cleanup;
         }
         if (sum.length != cksumsize)
             abort();
         memcpy(outbuf + 16 + message2->length, sum.contents, cksumsize);
 -        krb5_free_checksum_contents(context, &sum);
 -        sum.contents = 0;
         /* Now that we know we're actually generating the token...  */
         ctx->seq_send++;
@@ -285,12 +276,13 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
     token->value = outbuf;
     token->length = bufsize;
 -    return 0;
 +    outbuf = NULL;
 +    err = 0;
 -error:
 +cleanup:
 +    krb5_free_checksum_contents(context, &sum);
 +    zapfree(plain.data, plain.length);
     gssalloc_free(outbuf);
 -    token->value = NULL;
 -    token->length = 0;
     return err;
 }
 diff --git a/src/lib/rpc/pmap_rmt.c b/src/lib/rpc/pmap_rmt.c
 index 434e4eea65..f55ca46c60 100644
 --- a/src/lib/rpc/pmap_rmt.c
 +++ b/src/lib/rpc/pmap_rmt.c
@@ -161,12 +161,12 @@ xdr_rmtcallres(
 	caddr_t port_ptr;
 	port_ptr = (caddr_t)(void *)crp->port_ptr;
 -	if (xdr_reference(xdrs, &port_ptr, sizeof (uint32_t),
 -			  (xdrproc_t)xdr_u_int32) &&
 -	    xdr_u_int32(xdrs, &crp->resultslen)) {
 -		crp->port_ptr = (uint32_t *)(void *)port_ptr;
 +	if (!xdr_reference(xdrs, &port_ptr, sizeof (uint32_t),
 +			   (xdrproc_t)xdr_u_int32))
 +		return (FALSE);
 +	crp->port_ptr = (uint32_t *)(void *)port_ptr;
 +	if (xdr_u_int32(xdrs, &crp->resultslen))
 		return ((*(crp->xdr_results))(xdrs, crp->results_ptr));
 -	}
 	return (FALSE);
 }
 -- 
 2.45.1
--- a/krb5.spec
+++ b/krb5.spec
@ -10,7 +10,7 @@
 #
 # baserelease is what we have standardized across Fedora and what
 # rpmdev-bumpspec knows how to handle.
-%global baserelease 7
+%global baserelease 1
 # This should be e.g. beta1 or %%nil
 %global pre_release %nil
@ -24,7 +24,7 @@
 %global krb5_version_major 1
 %global krb5_version_minor 21
 # For a release without a patch number set to %%nil
-%global krb5_version_patch 2
+%global krb5_version_patch 3
 %global krb5_version_major_minor %{krb5_version_major}.%{krb5_version_minor}
 %global krb5_version %{krb5_version_major_minor}
@ -59,7 +59,7 @@ Source13: kadmind.logrotate
 Source14: krb5-krb5kdc.conf
 Source15: %{name}-tests
-Patch0001: 0001-Revert-Don-t-issue-session-keys-with-deprecated-enct.patch
+Patch0001: 0001-downstream-Revert-Don-t-issue-session-keys-with-depr.patch
 Patch0002: 0002-downstream-ksu-pam-integration.patch
 Patch0003: 0003-downstream-SELinux-integration.patch
 Patch0004: 0004-downstream-fix-debuginfo-with-y.tab.c.patch
@ -73,8 +73,14 @@ Patch0011: 0011-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch
 Patch0012: 0012-downstream-Allow-to-set-PAC-ticket-signature-as-opti.patch
 Patch0013: 0013-downstream-Make-PKINIT-CMS-SHA-1-signature-verificat.patch
 Patch0014: 0014-Enable-PKINIT-if-at-least-one-group-is-available.patch
-Patch0015: 0015-Replace-ssl.wrap_socket-for-tests.patch
+Patch0015: 0015-Eliminate-old-style-function-declarations.patch
-Patch0016: 0016-Fix-unimportant-memory-leaks.patch
+Patch0016: 0016-Replace-ssl.wrap_socket-for-tests.patch
 Patch0017: 0017-Fix-unimportant-memory-leaks.patch
 Patch0018: 0018-End-connection-on-KDC_ERR_SVC_UNAVAILABLE.patch
 Patch0019: 0019-Add-request_timeout-configuration-parameter.patch
 Patch0020: 0020-Wait-indefinitely-on-KDC-TCP-connections.patch
 Patch0021: 0021-Remove-klist-s-defname-global-variable.patch
 Patch0022: 0022-Fix-two-unlikely-memory-leaks.patch
 License: Brian-Gladman-2-Clause AND BSD-2-Clause AND (BSD-2-Clause OR GPL-2.0-or-later) AND BSD-2-Clause-first-lines AND BSD-3-Clause AND BSD-4-Clause AND CMU-Mach-nodoc AND FSFULLRWD AND HPND AND HPND-export2-US AND HPND-export-US AND HPND-export-US-acknowledgement AND HPND-export-US-modify AND ISC AND MIT AND MIT-CMU AND OLDAP-2.8 AND OpenVision
 URL: https://web.mit.edu/kerberos/www/
@ -711,6 +717,22 @@ exit 0
 %{_datarootdir}/%{name}-tests/%{_arch}
 %changelog
 * Fri Jul 12 2024 Julien Rische <jrische@redhat.com> - 1.21.3-1
 - New upstream version (1.21.3)
 - CVE-2024-37370 CVE-2024-37371
  Fix vulnerabilities in GSS message token handling
  Resolves: RHEL-45387 RHEL-45378
 - Fix memory leak in GSSAPI interface
  Resolves: RHEL-47284
 - Fix memory leak in PMAP RPC interface
  Resolves: RHEL-47287
 - Fix memory leak in failing UTF-8 to UTF-16 re-encoding for PAC
  Resolves: RHEL-47285
 - Make TCP waiting time configurable
  Resolves: RHEL-47278
 - Do not include files with "~" termination in krb5-tests
  Resolves: RHEL-45995
 * Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 1.21.2-7
 - Bump release for June 2024 mass rebuild
--- a/4
+++ b/4
@ -1,2 +1,2 @@
-SHA512 (krb5-1.21.2.tar.gz) = 4e09296b412383d53872661718dbfaa90201e0d85f69db48e57a8d4bd73c95a90c7ec7b6f0f325f6bc967f8d203b256b071c0191facf080aca0e2caec5d0ac49
+SHA512 (krb5-1.21.3.tar.gz) = 87bc06607f4d95ff604169cea22180703a42d667af05f66f1569b8bd592670c42820b335e5c279e8b4f066d1e7da20f1948a1e4def7c5d295c170cbfc7f49c71
-SHA512 (krb5-1.21.2.tar.gz.asc) = 1cee1ed77047067d7b6fb3620ffa6f5807d4182ae7cfeec6d5cc847c99f30c6dd2a5c1a160d992a13eb6d84754b202895a982111618711f3c14f4aa33c07d9e9
+SHA512 (krb5-1.21.3.tar.gz.asc) = 8992a5f5247315b9846aa73be4ee1ea223c0231a52d5c6c28718b1f3e3b45d62e2dad4aa5543a83163d1369bb79886b6c1c22766f22d8aa2f6b2575c54d0075c
--- a/tests/inplace-upgrade-sanity/runtest.sh
+++ b/tests/inplace-upgrade-sanity/runtest.sh
@ -27,6 +27,7 @@
 # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 # Include Beaker environment
 . /usr/bin/rhts-environment.sh
 . /usr/share/beakerlib/beakerlib.sh || exit 1
 PACKAGE="krb5"
@ -88,17 +89,11 @@ rlJournalStart
        if rlIsRHEL 6; then
            rlRun "sed -i \"s/EXAMPLE.COM/$krb5REALM1/\" $krb5conf"
            rlRun "sed -i \"s/kerberos.example.com/$krb5HostName/\" $krb5conf"
            if [ "$krb5DomainName" ]; then
            rlRun "sed -i \"s/example.com/$krb5DomainName/\" $krb5conf"
            fi
        else
            rlRun "sed -i \"s/\[libdefaults\]/[libdefaults]\n default_realm = $krb5REALM1/\" $krb5conf"
            rlRun "sed -i \"s/\[realms\]/[realms]\n $krb5REALM1 = {\n  kdc = $krb5HostName\n  admin_server = $krb5HostName\n }/\" $krb5conf"
            if [ "$krb5DomainName" ]; then
            rlRun "sed -i \"s/\[domain_realm\]/[domain_realm]\n .$krb5DomainName = $krb5REALM1\n $krb5DomainName = $krb5REALM1/\" $krb5conf"
            else
                rlRun "sed -i \"s/\[domain_realm\]/[domain_realm]\n $krb5HostName = $krb5REALM1/\" $krb5conf"
            fi
        fi
        rlRun "sed -i s/EXAMPLE.COM/$krb5REALM1/ $krb5kdcconf"
        # Configure the kadmin ACL
@ -259,11 +254,7 @@ _EOF
 #The principal related to kadmin are not created with hostname (kadmin/hostname@REALM) during creating krb5 DB
 #RHEL9 constains only kadmin/admin@REALM - this change was intentional - Don't create hostbased principals in new KDBs
 #https://krbdev.mit.edu/rt/Ticket/Display.html?id=8935
        if rlIsRHEL 9 || rlIsFedora '>=33';then
       kadmin_princ="Request: kadm5_init.*root/master@$krb5REALM1.*service=kadmin/admin@$krb5REALM1"
        else
           kadmin_princ="Request: kadm5_init.*root/master@$krb5REALM1.*service=kadmin/.*`hostname`@$krb5REALM1"
        fi
        rlAssertGrep "${kadmin_princ}" kadmind.log.record
        #rlAssertGrep "Request: kadm5_init.*root\/master@$krb5REALM1.*service=kadmin\/(admin|.*`hostname`)@$krb5REALM1" kadmind.log.record -E
        echo "***krb5kdc.log.record***" && cat krb5kdc.log.record
`@ -1,2 +1,2 @@`
	`SHA512 (krb5-1.21.2.tar.gz) = 4e09296b412383d53872661718dbfaa90201e0d85f69db48e57a8d4bd73c95a90c7ec7b6f0f325f6bc967f8d203b256b071c0191facf080aca0e2caec5d0ac49`	`SHA512 (krb5-1.21.3.tar.gz) = 87bc06607f4d95ff604169cea22180703a42d667af05f66f1569b8bd592670c42820b335e5c279e8b4f066d1e7da20f1948a1e4def7c5d295c170cbfc7f49c71`
	`SHA512 (krb5-1.21.2.tar.gz.asc) = 1cee1ed77047067d7b6fb3620ffa6f5807d4182ae7cfeec6d5cc847c99f30c6dd2a5c1a160d992a13eb6d84754b202895a982111618711f3c14f4aa33c07d9e9`	`SHA512 (krb5-1.21.3.tar.gz.asc) = 8992a5f5247315b9846aa73be4ee1ea223c0231a52d5c6c28718b1f3e3b45d62e2dad4aa5543a83163d1369bb79886b6c1c22766f22d8aa2f6b2575c54d0075c`