change_set_password() was changed to prefer TCP. However, because
UDP_LAST falls back to UDP after one second, we can still get a replay
error due to a dropped packet, before the TCP layer has a chance to
retry.

Instead, try k5_sendto() with NO_UDP, and only fall back to UDP after
TCP fails completely without reaching a server. In sendto_kdc.c,
implement an ONLY_UDP transport strategy to allow the UDP fallback.

Resolves: rhbz#2076965
Signed-off-by: Julien Rische <jrische@redhat.com>

In kr_attrset_decode(), explicitly treat the length byte as unsigned.
Otherwise attributes longer than 125 characters will be rejected with
EBADMSG.

Add a 253-character-long NAS-Identifier attribute to the tests to make
sure that attributes with the maximal number of characters are working
as expected.

[ghudson@mit.edu: used uint8_t cast per current practices; edited
commit message]

ticket: 9036 (new)

From upstream, needed in preparation for OAuth2 support for FreeIPA and
SSSD.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>

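The kr_attrset_decode() fix described above, shown as an added illustration that is not libkrad's own code: a minimal RADIUS attribute walker (the names walk_attrs and try_nas_identifier and the packet are constructed for this example) in which a length octet read as a signed char rejects values longer than 125 octets, while a uint8_t cast accepts the 253-octet maximum.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Walk RADIUS attributes (type octet, length octet, value); the length
 * octet also counts the two header octets.  Returns 0 and stores the
 * attribute count in *count, or EBADMSG for a malformed set.  A nonzero
 * as_signed models reading the length through a signed char, as happens
 * with plain char on platforms where char is signed. */
static int walk_attrs(const char *buf, size_t len, int as_signed, size_t *count)
{
    size_t i = 0, n = 0;

    while (i < len) {
        int alen;

        if (len - i < 2)
            return EBADMSG;             /* truncated header */
        alen = as_signed ? (signed char)buf[i + 1] : (uint8_t)buf[i + 1];
        if (alen < 2 || (size_t)alen > len - i)
            return EBADMSG;             /* 0x80..0xff read as negative ends up here */
        i += (size_t)alen;
        n++;
    }
    *count = n;
    return 0;
}

/* Constructed sample: one NAS-Identifier (type 32) carrying vlen value octets. */
static int try_nas_identifier(size_t vlen, int as_signed, size_t *count)
{
    char pkt[255];

    if (vlen > 253)
        return EINVAL;                  /* length octet cannot exceed 255 */
    pkt[0] = 32;
    pkt[1] = (char)(uint8_t)(vlen + 2);
    memset(pkt + 2, 'a', vlen);
    return walk_attrs(pkt, vlen + 2, as_signed, count);
}

int main(void)
{
    size_t n = 0;
    printf("253 octets, signed read: %d\n", try_nas_identifier(253, 1, &n));
    printf("253 octets, uint8_t read: %d\n", try_nas_identifier(253, 0, &n));
    return 0;
}
```

The boundary sits at 125 value octets because the length octet is then 127, the largest value a signed char can hold; 126 value octets gives 128, which a signed read turns into -128.
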
The CMS digest and signature algorithm for anonymous PKINIT is changed
from SHA-1 to SHA-256. SHA-1 has not been considered secure for
this kind of purpose for some years already.

Resolves: rhbz#2067121
Signed-off-by: Julien Rische <jrische@redhat.com>

1.15.1 was ~2017, so there is no need to support upgrades from such old
systemd. This allows the dependency on grep to be dropped. grep pulls
in pcre, but most other programs in the core group depend on the newer
pcre2, so it's nicer to avoid pulling in pcre in minimal installations.

Currently the gating file prevents building:

rharwood@eesha:~/krb5.fedora/rawhide$ fedpkg build
Could not execute build: Found a gating.yaml file in your repo with additional Greenwave policies, but it is not valid.
Please fix the file or skip this check using the option --skip-remote-rules-validation.
Error response from Greenwave: YAML Parser Error: mapping values are not allowed here
in "<unicode string>", line 2, column 18:
product_versions:
^
rharwood@eesha:~/krb5.fedora/rawhide$

Patches to add it back will be considered if and only if they don't
break the build.

Because krb5 is auto-synced via DistroBaker, we need to add
downstream gating configuration in Fedora.

Signed-off-by: Miroslav Vadkerti <mvadkert@redhat.com>