diff --git a/SOURCES/Add-configure-variable-for-default-PKCS-11-module.patch b/SOURCES/Add-configure-variable-for-default-PKCS-11-module.patch
new file mode 100644
index 0000000..2300bd2
--- /dev/null
+++ b/SOURCES/Add-configure-variable-for-default-PKCS-11-module.patch
@@ -0,0 +1,201 @@
+From 2a6a4568ed1df4ed89604b09fa11785c9ae38c67 Mon Sep 17 00:00:00 2001
+From: Julien Rische <jrische@redhat.com>
+Date: Fri, 22 Apr 2022 14:12:37 +0200
+Subject: [PATCH] Add configure variable for default PKCS#11 module
+
+[ghudson@mit.edu: added documentation of configure variable and doc
+substitution; shortened commit message]
+
+ticket: 9058 (new)
+---
+ doc/admin/conf_files/krb5_conf.rst  |  2 +-
+ doc/build/options2configure.rst     |  3 +++
+ doc/conf.py                         |  3 +++
+ doc/mitK5defaults.rst               | 25 +++++++++++++------------
+ src/configure.ac                    |  8 ++++++++
+ src/doc/Makefile.in                 |  2 ++
+ src/man/Makefile.in                 |  4 +++-
+ src/man/krb5.conf.man               |  2 +-
+ src/plugins/preauth/pkinit/pkinit.h |  1 -
+ 9 files changed, 34 insertions(+), 16 deletions(-)
+
+diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
+index adba8238d..3d25c9a12 100644
+--- a/doc/admin/conf_files/krb5_conf.rst
++++ b/doc/admin/conf_files/krb5_conf.rst
+@@ -1020,7 +1020,7 @@ information for PKINIT is as follows:
+     All keyword/values are optional.  *modname* specifies the location
+     of a library implementing PKCS #11.  If a value is encountered
+     with no keyword, it is assumed to be the *modname*.  If no
+-    module-name is specified, the default is ``opensc-pkcs11.so``.
++    module-name is specified, the default is |pkcs11_modname|.
+     ``slotid=`` and/or ``token=`` may be specified to force the use of
+     a particular smard card reader or token if there is more than one
+     available.  ``certid=`` and/or ``certlabel=`` may be specified to
+diff --git a/doc/build/options2configure.rst b/doc/build/options2configure.rst
+index a8959626d..8f8ac911c 100644
+--- a/doc/build/options2configure.rst
++++ b/doc/build/options2configure.rst
+@@ -143,6 +143,9 @@ Environment variables
+     This option allows one to specify libraries to be passed to the
+     linker (e.g., ``-l<library>``)
+ 
++**PKCS11_MODNAME=**\ *library*
++    Override the built-in default PKCS11 library name.
++
+ **SS_LIB=**\ *libs*...
+     If ``-lss`` is not the correct way to link in your installed ss
+     library, for example if additional support libraries are needed,
+diff --git a/doc/conf.py b/doc/conf.py
+index 4fb6aae14..29fd53375 100644
+--- a/doc/conf.py
++++ b/doc/conf.py
+@@ -235,6 +235,7 @@ if 'mansubs' in tags:
+     ccache = '``@CCNAME@``'
+     keytab = '``@KTNAME@``'
+     ckeytab = '``@CKTNAME@``'
++    pkcs11_modname = '``@PKCS11MOD@``'
+ elif 'pathsubs' in tags:
+     # Read configured paths from a file produced by the build system.
+     exec(open("paths.py").read())
+@@ -248,6 +249,7 @@ else:
+     ccache = ':ref:`DEFCCNAME <paths>`'
+     keytab = ':ref:`DEFKTNAME <paths>`'
+     ckeytab = ':ref:`DEFCKTNAME <paths>`'
++    pkcs11_modname = ':ref:`PKCS11_MODNAME <paths>`'
+ 
+ rst_epilog = '\n'
+ 
+@@ -268,6 +270,7 @@ else:
+     rst_epilog += '.. |ccache| replace:: %s\n' % ccache
+     rst_epilog += '.. |keytab| replace:: %s\n' % keytab
+     rst_epilog += '.. |ckeytab| replace:: %s\n' % ckeytab
++    rst_epilog += '.. |pkcs11_modname| replace:: %s\n' % pkcs11_modname
+     rst_epilog += '''
+ .. |krb5conf| replace:: ``/etc/krb5.conf``
+ .. |defkeysalts| replace:: ``aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal``
+diff --git a/doc/mitK5defaults.rst b/doc/mitK5defaults.rst
+index 74e69f4ad..aea7af3db 100644
+--- a/doc/mitK5defaults.rst
++++ b/doc/mitK5defaults.rst
+@@ -59,18 +59,19 @@ subdirectories of ``/usr/local``.  When MIT krb5 is integrated into an
+ operating system, the paths are generally chosen to match the
+ operating system's filesystem layout.
+ 
+-==========================  =============  ===========================  ===========================
+-Description                 Symbolic name  Custom build path            Typical OS path
+-==========================  =============  ===========================  ===========================
+-User programs               BINDIR         ``/usr/local/bin``           ``/usr/bin``
+-Libraries and plugins       LIBDIR         ``/usr/local/lib``           ``/usr/lib``
+-Parent of KDC state dir     LOCALSTATEDIR  ``/usr/local/var``           ``/var``
+-Parent of KDC runtime dir   RUNSTATEDIR    ``/usr/local/var/run``       ``/run``
+-Administrative programs     SBINDIR        ``/usr/local/sbin``          ``/usr/sbin``
+-Alternate krb5.conf dir     SYSCONFDIR     ``/usr/local/etc``           ``/etc``
+-Default ccache name         DEFCCNAME      ``FILE:/tmp/krb5cc_%{uid}``  ``FILE:/tmp/krb5cc_%{uid}``
+-Default keytab name         DEFKTNAME      ``FILE:/etc/krb5.keytab``    ``FILE:/etc/krb5.keytab``
+-==========================  =============  ===========================  ===========================
++==========================  ==============  ===========================  ===========================
++Description                 Symbolic name   Custom build path            Typical OS path
++==========================  ==============  ===========================  ===========================
++User programs               BINDIR          ``/usr/local/bin``           ``/usr/bin``
++Libraries and plugins       LIBDIR          ``/usr/local/lib``           ``/usr/lib``
++Parent of KDC state dir     LOCALSTATEDIR   ``/usr/local/var``           ``/var``
++Parent of KDC runtime dir   RUNSTATEDIR     ``/usr/local/var/run``       ``/run``
++Administrative programs     SBINDIR         ``/usr/local/sbin``          ``/usr/sbin``
++Alternate krb5.conf dir     SYSCONFDIR      ``/usr/local/etc``           ``/etc``
++Default ccache name         DEFCCNAME       ``FILE:/tmp/krb5cc_%{uid}``  ``FILE:/tmp/krb5cc_%{uid}``
++Default keytab name         DEFKTNAME       ``FILE:/etc/krb5.keytab``    ``FILE:/etc/krb5.keytab``
++Default PKCS11 module       PKCS11_MODNAME  ``opensc-pkcs11.so``         ``opensc-pkcs11.so``
++==========================  ==============  ===========================  ===========================
+ 
+ The default client keytab name (DEFCKTNAME) typically defaults to
+ ``FILE:/usr/local/var/krb5/user/%{euid}/client.keytab`` for a custom
+diff --git a/src/configure.ac b/src/configure.ac
+index 363d5d62d..3a0633177 100644
+--- a/src/configure.ac
++++ b/src/configure.ac
+@@ -1466,6 +1466,14 @@ AC_DEFINE_UNQUOTED(DEFKTNAME, ["$DEFKTNAME"], [Define to default keytab name])
+ AC_DEFINE_UNQUOTED(DEFCKTNAME, ["$DEFCKTNAME"],
+                    [Define to default client keytab name])
+ 
++AC_ARG_VAR(PKCS11_MODNAME, [Default PKCS11 module name])
++if test "${PKCS11_MODNAME+set}" != set; then
++	PKCS11_MODNAME=opensc-pkcs11.so
++fi
++AC_MSG_NOTICE([Default PKCS11 module name: $PKCS11_MODNAME])
++AC_DEFINE_UNQUOTED(PKCS11_MODNAME, ["$PKCS11_MODNAME"],
++                   [Default PKCS11 module name])
++
+ AC_CONFIG_FILES([build-tools/krb5-config], [chmod +x build-tools/krb5-config])
+ AC_CONFIG_FILES([build-tools/kadm-server.pc
+ 	build-tools/kadm-client.pc
+diff --git a/src/doc/Makefile.in b/src/doc/Makefile.in
+index 379bc3651..a1b0cff0a 100644
+--- a/src/doc/Makefile.in
++++ b/src/doc/Makefile.in
+@@ -10,6 +10,7 @@ sysconfdir=@sysconfdir@
+ DEFCCNAME=@DEFCCNAME@
+ DEFKTNAME=@DEFKTNAME@
+ DEFCKTNAME=@DEFCKTNAME@
++PKCS11_MODNAME=@PKCS11_MODNAME@
+ 
+ RST_SOURCES= _static \
+ 	_templates \
+@@ -118,6 +119,7 @@ paths.py:
+ 	echo 'ccache = "``$(DEFCCNAME)``"' >> $@
+ 	echo 'keytab = "``$(DEFKTNAME)``"' >> $@
+ 	echo 'ckeytab = "``$(DEFCKTNAME)``"' >> $@
++	echo 'pkcs11_modname = "``$(PKCS11_MODNAME)``"' >> $@
+ 
+ # Dummy rule that man/Makefile can invoke
+ version.py: $(docsrc)/version.py
+diff --git a/src/man/Makefile.in b/src/man/Makefile.in
+index 00b1b2de0..85cae0914 100644
+--- a/src/man/Makefile.in
++++ b/src/man/Makefile.in
+@@ -8,6 +8,7 @@ sysconfdir=@sysconfdir@
+ DEFCCNAME=@DEFCCNAME@
+ DEFKTNAME=@DEFKTNAME@
+ DEFCKTNAME=@DEFCKTNAME@
++PKCS11_MODNAME=@PKCS11_MODNAME@
+ 
+ MANSUBS=k5identity.sub k5login.sub k5srvutil.sub kadm5.acl.sub kadmin.sub \
+ 	kadmind.sub kdb5_ldap_util.sub kdb5_util.sub kdc.conf.sub \
+@@ -47,7 +48,8 @@ $(docsrc)/version.py: $(top_srcdir)/patchlevel.h
+ 	    -e 's|@SYSCONFDIR@|$(sysconfdir)|g' \
+ 	    -e 's|@CCNAME@|$(DEFCCNAME)|g' \
+ 	    -e 's|@KTNAME@|$(DEFKTNAME)|g' \
+-	    -e 's|@CKTNAME@|$(DEFCKTNAME)|g' $? > $@
++	    -e 's|@CKTNAME@|$(DEFCKTNAME)|g' \
++	    -e 's|@PKCS11MOD@|$(PKCS11_MODNAME)|g' $? > $@
+ 
+ all: $(MANSUBS)
+ 
+diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man
+index 3a702ca8f..e4202723f 100644
+--- a/src/man/krb5.conf.man
++++ b/src/man/krb5.conf.man
+@@ -1151,7 +1151,7 @@ user\(aqs certificate and private key.
+ All keyword/values are optional.  \fImodname\fP specifies the location
+ of a library implementing PKCS #11.  If a value is encountered
+ with no keyword, it is assumed to be the \fImodname\fP\&.  If no
+-module\-name is specified, the default is \fBopensc\-pkcs11.so\fP\&.
++module\-name is specified, the default is \fB@PKCS11MOD@\fP\&.
+ \fBslotid=\fP and/or \fBtoken=\fP may be specified to force the use of
+ a particular smard card reader or token if there is more than one
+ available.  \fBcertid=\fP and/or \fBcertlabel=\fP may be specified to
+diff --git a/src/plugins/preauth/pkinit/pkinit.h b/src/plugins/preauth/pkinit/pkinit.h
+index b437fd53f..a2018cb10 100644
+--- a/src/plugins/preauth/pkinit/pkinit.h
++++ b/src/plugins/preauth/pkinit/pkinit.h
+@@ -42,7 +42,6 @@
+ #ifndef WITHOUT_PKCS11
+ #include "pkcs11.h"
+ 
+-#define PKCS11_MODNAME "opensc-pkcs11.so"
+ #define PK_SIGLEN_GUESS 1000
+ #define PK_NOSLOT 999999
+ #endif
+-- 
+2.35.1
+
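Review bot: The new `PKCS11_MODNAME` value is pasted without any escaping into three generated artefacts: the C string made by `AC_DEFINE_UNQUOTED` in src/configure.ac, the `echo 'pkcs11_modname = ...' >> $@` line in src/doc/Makefile.in, and the `-e 's|@PKCS11MOD@|$(PKCS11_MODNAME)|g'` expression in src/man/Makefile.in. The paths.py file written by that `echo` is the one doc/conf.py runs through `exec(open("paths.py").read())`, so a value containing a double quote, backquote, backslash or `|` would break or alter the generated Python, the sed expression or the C string. The value comes from whoever runs configure, so this is a robustness point rather than an exposure. The entry in doc/build/options2configure.rst should state that the value is a library file name or absolute path and must not contain those characters, or configure should reject such a value before the `AC_DEFINE_UNQUOTED`. The existing DEFCCNAME/DEFKTNAME lines follow the same pattern.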
diff --git a/SOURCES/Set-reasonable-supportedCMSTypes-in-PKINIT.patch b/SOURCES/Set-reasonable-supportedCMSTypes-in-PKINIT.patch
new file mode 100644
index 0000000..6e87e04
--- /dev/null
+++ b/SOURCES/Set-reasonable-supportedCMSTypes-in-PKINIT.patch
@@ -0,0 +1,188 @@
+From dea9421ccdbe5c8f63aae85341a8f091c6019407 Mon Sep 17 00:00:00 2001
+From: Julien Rische <jrische@redhat.com>
+Date: Wed, 1 Jun 2022 18:02:04 +0200
+Subject: [PATCH] Set reasonable supportedCMSTypes in PKINIT
+
+The PKINIT client uses AuthPack.supportedCMSTypes to let the KDC know
+the algorithms it supports for verification of the CMS data signature.
+(The MIT krb5 KDC currently ignores this list, but other
+implementations use it.)
+
+Replace 3DES with sha512WithRSAEncryption and sha256WithRSAEncryption.
+
+[ghudson@mit.edu: simplified code and used appropriate helpers; edited
+commit message]
+
+ticket: 9066 (new)
+---
+ src/plugins/preauth/pkinit/Makefile.in        |  4 +-
+ src/plugins/preauth/pkinit/pkinit_clnt.c      |  8 ++++
+ ...nit_kdf_constants.c => pkinit_constants.c} | 24 ++++++++++++
+ src/plugins/preauth/pkinit/pkinit_crypto.h    | 16 ++++++++
+ .../preauth/pkinit/pkinit_crypto_openssl.c    | 39 +++++++++++++++++++
+ 5 files changed, 89 insertions(+), 2 deletions(-)
+ rename src/plugins/preauth/pkinit/{pkinit_kdf_constants.c => pkinit_constants.c} (76%)
+
+diff --git a/src/plugins/preauth/pkinit/Makefile.in b/src/plugins/preauth/pkinit/Makefile.in
+index d20fb18a8..97aaded03 100644
+--- a/src/plugins/preauth/pkinit/Makefile.in
++++ b/src/plugins/preauth/pkinit/Makefile.in
+@@ -18,7 +18,7 @@ STLIBOBJS= \
+ 	pkinit_srv.o \
+ 	pkinit_lib.o \
+ 	pkinit_clnt.o \
+-	pkinit_kdf_constants.o \
++	pkinit_constants.o \
+ 	pkinit_profile.o \
+ 	pkinit_identity.o \
+ 	pkinit_matching.o \
+@@ -29,7 +29,7 @@ SRCS= \
+ 	$(srcdir)/pkinit_srv.c \
+ 	$(srcdir)/pkinit_lib.c \
+ 	$(srcdir)/pkinit_kdf_test.c \
+-	$(srcdir)/pkinit_kdf_constants.c \
++	$(srcdir)/pkinit_constants.c \
+ 	$(srcdir)/pkinit_clnt.c \
+ 	$(srcdir)/pkinit_profile.c \
+ 	$(srcdir)/pkinit_identity.c \
+diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
+index a385da7c3..2817cc213 100644
+--- a/src/plugins/preauth/pkinit/pkinit_clnt.c
++++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
+@@ -212,6 +212,14 @@ pkinit_as_req_create(krb5_context context,
+     auth_pack.clientPublicValue = &info;
+     auth_pack.supportedKDFs = (krb5_data **)supported_kdf_alg_ids;
+ 
++    /* add List of CMS algorithms */
++    retval = create_krb5_supportedCMSTypes(context, plgctx->cryptoctx,
++                                           reqctx->cryptoctx,
++                                           reqctx->idctx, &cmstypes);
++    auth_pack.supportedCMSTypes = cmstypes;
++    if (retval)
++        goto cleanup;
++
+     switch(protocol) {
+     case DH_PROTOCOL:
+         TRACE_PKINIT_CLIENT_REQ_DH(context);
+diff --git a/src/plugins/preauth/pkinit/pkinit_kdf_constants.c b/src/plugins/preauth/pkinit/pkinit_constants.c
+similarity index 76%
+rename from src/plugins/preauth/pkinit/pkinit_kdf_constants.c
+rename to src/plugins/preauth/pkinit/pkinit_constants.c
+index 1604f1670..1832e8f7b 100644
+--- a/src/plugins/preauth/pkinit/pkinit_kdf_constants.c
++++ b/src/plugins/preauth/pkinit/pkinit_constants.c
+@@ -57,3 +57,27 @@ krb5_data const * const supported_kdf_alg_ids[] = {
+     &sha512_id,
+     NULL
+ };
++
++/* RFC 4055 sha256WithRSAEncryption: iso(1) member-body(2) us(840)
++ * rsadsi(113549) pkcs(1) 1 11 */
++static char sha256WithRSAEncr_oid[9] = {
++    0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b
++};
++/* RFC 4055 sha256WithRSAEncryption: iso(1) member-body(2) us(840)
++ * rsadsi(113549) pkcs(1) 1 13 */
++static char sha512WithRSAEncr_oid[9] = {
++    0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0d
++};
++
++const krb5_data sha256WithRSAEncr_id = {
++    KV5M_DATA, sizeof(sha256WithRSAEncr_oid), sha256WithRSAEncr_oid
++};
++const krb5_data sha512WithRSAEncr_id = {
++    KV5M_DATA, sizeof(sha512WithRSAEncr_oid), sha512WithRSAEncr_oid
++};
++
++krb5_data const * const supported_cms_algs[] = {
++    &sha512WithRSAEncr_id,
++    &sha256WithRSAEncr_id,
++    NULL
++};
+diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h
+index 1f9868351..f38a77093 100644
+--- a/src/plugins/preauth/pkinit/pkinit_crypto.h
++++ b/src/plugins/preauth/pkinit/pkinit_crypto.h
+@@ -380,6 +380,18 @@ krb5_error_code server_process_dh
+ 	unsigned int *server_key_len_out);		/* OUT
+ 		    receives length of DH secret key */
+ 
++/*
++ * this functions takes in crypto specific representation of
++ * supportedCMSTypes and creates a list of
++ * krb5_algorithm_identifier
++ */
++krb5_error_code create_krb5_supportedCMSTypes
++       (krb5_context context,                          /* IN */
++       pkinit_plg_crypto_context plg_cryptoctx,        /* IN */
++       pkinit_req_crypto_context req_cryptoctx,        /* IN */
++       pkinit_identity_crypto_context id_cryptoctx,    /* IN */
++       krb5_algorithm_identifier ***supportedCMSTypes); /* OUT */
++
+ /*
+  * this functions takes in crypto specific representation of
+  * trustedCertifiers and creates a list of
+@@ -617,6 +629,10 @@ extern const size_t  krb5_pkinit_sha512_oid_len;
+  */
+ extern krb5_data const * const supported_kdf_alg_ids[];
+ 
++/* CMS signature algorithms supported by this implementation, in order of
++ * decreasing preference. */
++extern krb5_data const * const supported_cms_algs[];
++
+ krb5_error_code
+ crypto_encode_der_cert(krb5_context context, pkinit_req_crypto_context reqctx,
+ 		       uint8_t **der_out, size_t *der_len);
+diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+index 2a6ef4aaa..41a7464b5 100644
+--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
++++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+@@ -5582,6 +5582,45 @@ cleanup:
+     return retval;
+ }
+ 
++krb5_error_code
++create_krb5_supportedCMSTypes(krb5_context context,
++                              pkinit_plg_crypto_context plg_cryptoctx,
++                              pkinit_req_crypto_context req_cryptoctx,
++                              pkinit_identity_crypto_context id_cryptoctx,
++                              krb5_algorithm_identifier ***algs_out)
++{
++    krb5_error_code ret;
++    krb5_algorithm_identifier **algs = NULL;
++    size_t i, count;
++
++    *algs_out = NULL;
++
++    /* Count supported OIDs and allocate list (including null terminator). */
++    for (count = 0; supported_cms_algs[count] != NULL; count++);
++    algs = k5calloc(count + 1, sizeof(*algs), &ret);
++    if (algs == NULL)
++        goto cleanup;
++
++    /* Add an algorithm identifier for each OID, with no parameters. */
++    for (i = 0; i < count; i++) {
++        algs[i] = k5alloc(sizeof(*algs[i]), &ret);
++        if (algs[i] == NULL)
++            goto cleanup;
++        ret = krb5int_copy_data_contents(context, supported_cms_algs[i],
++                                         &algs[i]->algorithm);
++        if (ret)
++            goto cleanup;
++        algs[i]->parameters = empty_data();
++    }
++
++    *algs_out = algs;
++    algs = NULL;
++
++cleanup:
++    free_krb5_algorithm_identifiers(&algs);
++    return ret;
++}
++
+ krb5_error_code
+ create_krb5_trustedCertifiers(krb5_context context,
+                               pkinit_plg_crypto_context plg_cryptoctx,
+-- 
+2.35.3
+
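Review bot: The comment above `sha512WithRSAEncr_oid` in pkinit_constants.c was copied from the sha256 entry and mislabels the OID. The array ends in `0x0d` (arc 13), so it should read `/* RFC 4055 sha512WithRSAEncryption: iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1 13 */`. The prototype comment in pkinit_crypto.h says the function "takes in crypto specific representation of supportedCMSTypes", but the implementation in pkinit_crypto_openssl.c ignores its three context arguments and copies the static `supported_cms_algs` list. That comment should say so, and should also state that the caller owns `*supportedCMSTypes` on success and receives NULL on failure. In pkinit_clnt.c the declaration and release of `cmstypes` lie outside the hunk, so they could not be checked here.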
diff --git a/SOURCES/Try-harder-to-avoid-password-change-replay-errors.patch b/SOURCES/Try-harder-to-avoid-password-change-replay-errors.patch
new file mode 100644
index 0000000..814043e
--- /dev/null
+++ b/SOURCES/Try-harder-to-avoid-password-change-replay-errors.patch
@@ -0,0 +1,91 @@
+From ad8e02485791023dcf66ef4612616f03895ceeb3 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Fri, 4 Mar 2022 00:45:00 -0500
+Subject: [PATCH] Try harder to avoid password change replay errors
+
+Commit d7b3018d338fc9c989c3fa17505870f23c3759a8 (ticket 7905) changed
+change_set_password() to prefer TCP.  However, because UDP_LAST falls
+back to UDP after one second, we can still get a replay error due to a
+dropped packet, before the TCP layer has a chance to retry.
+
+Instead, try k5_sendto() with NO_UDP, and only fall back to UDP after
+TCP fails completely without reaching a server.  In sendto_kdc.c,
+implement an ONLY_UDP transport strategy to allow the UDP fallback.
+
+ticket: 9037
+---
+ src/lib/krb5/os/changepw.c   |  9 ++++++++-
+ src/lib/krb5/os/os-proto.h   |  1 +
+ src/lib/krb5/os/sendto_kdc.c | 12 ++++++++----
+ 3 files changed, 17 insertions(+), 5 deletions(-)
+
+diff --git a/src/lib/krb5/os/changepw.c b/src/lib/krb5/os/changepw.c
+index 9f968da7f..c59232586 100644
+--- a/src/lib/krb5/os/changepw.c
++++ b/src/lib/krb5/os/changepw.c
+@@ -255,9 +255,16 @@ change_set_password(krb5_context context,
+     callback_info.pfn_cleanup = kpasswd_sendto_msg_cleanup;
+     krb5_free_data_contents(callback_ctx.context, &chpw_rep);
+ 
++    /* UDP retransmits may be seen as replays.  Only try UDP after other
++     * transports fail completely. */
+     code = k5_sendto(callback_ctx.context, NULL, &creds->server->realm,
+-                     &sl, UDP_LAST, &callback_info, &chpw_rep,
++                     &sl, NO_UDP, &callback_info, &chpw_rep,
+                      ss2sa(&remote_addr), &addrlen, NULL, NULL, NULL);
++    if (code == KRB5_KDC_UNREACH) {
++        code = k5_sendto(callback_ctx.context, NULL, &creds->server->realm,
++                         &sl, ONLY_UDP, &callback_info, &chpw_rep,
++                         ss2sa(&remote_addr), &addrlen, NULL, NULL, NULL);
++    }
+     if (code)
+         goto cleanup;
+ 
+diff --git a/src/lib/krb5/os/os-proto.h b/src/lib/krb5/os/os-proto.h
+index a985f2aec..91d2791ce 100644
+--- a/src/lib/krb5/os/os-proto.h
++++ b/src/lib/krb5/os/os-proto.h
+@@ -49,6 +49,7 @@ typedef enum {
+     UDP_FIRST = 0,
+     UDP_LAST,
+     NO_UDP,
++    ONLY_UDP
+ } k5_transport_strategy;
+ 
+ /* A single server hostname or address. */
+diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c
+index 0eedec175..c7f5d861a 100644
+--- a/src/lib/krb5/os/sendto_kdc.c
++++ b/src/lib/krb5/os/sendto_kdc.c
+@@ -802,11 +802,14 @@ resolve_server(krb5_context context, const krb5_data *realm,
+     int err, result;
+     char portbuf[PORT_LENGTH];
+ 
+-    /* Skip UDP entries if we don't want UDP. */
++    /* Skip entries excluded by the strategy. */
+     if (strategy == NO_UDP && entry->transport == UDP)
+         return 0;
++    if (strategy == ONLY_UDP && entry->transport != UDP &&
++        entry->transport != TCP_OR_UDP)
++        return 0;
+ 
+-    transport = (strategy == UDP_FIRST) ? UDP : TCP;
++    transport = (strategy == UDP_FIRST || strategy == ONLY_UDP) ? UDP : TCP;
+     if (entry->hostname == NULL) {
+         /* Added by a module, so transport is either TCP or UDP. */
+         ai.ai_socktype = socktype_for_transport(entry->transport);
+@@ -850,8 +853,9 @@ resolve_server(krb5_context context, const krb5_data *realm,
+     }
+ 
+     /* For TCP_OR_UDP entries, add each address again with the non-preferred
+-     * transport, unless we are avoiding UDP.  Flag these as deferred. */
+-    if (retval == 0 && entry->transport == TCP_OR_UDP && strategy != NO_UDP) {
++     * transport, if there is one.  Flag these as deferred. */
++    if (retval == 0 && entry->transport == TCP_OR_UDP &&
++        (strategy == UDP_FIRST || strategy == UDP_LAST)) {
+         transport = (strategy == UDP_FIRST) ? TCP : UDP;
+         for (a = addrs; a != 0 && retval == 0; a = a->ai_next) {
+             a->ai_socktype = socktype_for_transport(transport);
+-- 
+2.35.1
+
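Review bot: In `change_set_password` the UDP retry reuses `&addrlen` and `&chpw_rep` exactly as the first `k5_sendto` call left them. Whether `k5_sendto` writes either one before returning `KRB5_KDC_UNREACH` is not visible in this hunk, so resetting the length before the retry (for example `addrlen = sizeof(remote_addr);`, assuming that is how it is initialised above the hunk) would make the fallback independent of that behaviour. In os-proto.h the new `ONLY_UDP` enumerator has no description; a short comment such as `/* skip TCP-only entries; use UDP for TCP_OR_UDP entries */` would record what `resolve_server` now does with it. Both functions start and end outside the hunks shown.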
diff --git a/SOURCES/downstream-Allow-krad-UDP-TCP-localhost-connection-with-FIPS.patch b/SOURCES/downstream-Allow-krad-UDP-TCP-localhost-connection-with-FIPS.patch
new file mode 100644
index 0000000..78922f6
--- /dev/null
+++ b/SOURCES/downstream-Allow-krad-UDP-TCP-localhost-connection-with-FIPS.patch
@@ -0,0 +1,82 @@
+From 790f485cf57e4de65351c29c41666db6370ef367 Mon Sep 17 00:00:00 2001
+From: Julien Rische <jrische@redhat.com>
+Date: Thu, 5 May 2022 17:15:12 +0200
+Subject: [PATCH] Allow krad UDP/TCP localhost connection with FIPS
+
+libkrad allows to establish connections only to UNIX socket in FIPS
+mode, because MD5 digest is not considered safe enough to be used for
+network communication. However, FreeRadius requires connection on TCP or
+UDP ports.
+
+This commit allows TCP or UDP connections in FIPS mode if destination is
+localhost.
+
+Resolves: rhbz#2068458
+---
+ src/lib/krad/remote.c | 36 ++++++++++++++++++++++++++++++++++--
+ 1 file changed, 34 insertions(+), 2 deletions(-)
+
+diff --git a/src/lib/krad/remote.c b/src/lib/krad/remote.c
+index eca432424..c8912892c 100644
+--- a/src/lib/krad/remote.c
++++ b/src/lib/krad/remote.c
+@@ -33,6 +33,7 @@
+ 
+ #include <string.h>
+ #include <unistd.h>
++#include <stdbool.h>
+ 
+ #include <sys/un.h>
+ 
+@@ -74,6 +75,36 @@ on_io(verto_ctx *ctx, verto_ev *ev);
+ static void
+ on_timeout(verto_ctx *ctx, verto_ev *ev);
+ 
++static in_addr_t get_in_addr(struct addrinfo *info)
++{ return ((struct sockaddr_in *)(info->ai_addr))->sin_addr.s_addr; }
++
++static struct in6_addr *get_in6_addr(struct addrinfo *info)
++{ return &(((struct sockaddr_in6 *)(info->ai_addr))->sin6_addr); }
++
++static bool is_inet_localhost(struct addrinfo *info)
++{
++    struct addrinfo *p;
++
++    for (p = info; p; p = p->ai_next) {
++        switch (p->ai_family) {
++            case AF_INET:
++                if (IN_LOOPBACKNET != (get_in_addr(p) & IN_CLASSA_NET
++                                                      >> IN_CLASSA_NSHIFT))
++                    return false;
++                break;
++            case AF_INET6:
++                if (!IN6_IS_ADDR_LOOPBACK(get_in6_addr(p)))
++                    return false;
++                break;
++            default:
++                return false;
++        }
++    }
++
++    return true;
++}
++
++
+ /* Iterate over the set of outstanding packets. */
+ static const krad_packet *
+ iterator(request **out)
+@@ -455,8 +486,9 @@ kr_remote_send(krad_remote *rr, krad_code code, krad_attrset *attrs,
+                                      (krad_packet_iter_cb)iterator, &r, &tmp);
+     if (retval != 0)
+         goto error;
+-    else if (tmp->is_fips && rr->info->ai_family != AF_LOCAL &&
+-        rr->info->ai_family != AF_UNIX) {
++    else if (tmp->is_fips && rr->info->ai_family != AF_LOCAL
++                          && rr->info->ai_family != AF_UNIX
++                          && !is_inet_localhost(rr->info)) {
+         /* This would expose cleartext passwords, so abort. */
+         retval = ESOCKTNOSUPPORT;
+         goto error;
+-- 
+2.35.1
+
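Review bot: The IPv4 test in `is_inet_localhost` does not compute what it appears to. `>>` binds tighter than `&`, so `get_in_addr(p) & IN_CLASSA_NET >> IN_CLASSA_NSHIFT` masks the address with `IN_CLASSA_NET >> IN_CLASSA_NSHIFT` instead of shifting the masked address. In addition, `sin_addr.s_addr` is in network byte order while the `IN_*` constants are host-order. The result therefore depends on host endianness, and on a big-endian build the comparison looks at the wrong octet, so a non-loopback address can pass a check whose purpose is to keep MD5-protected RADIUS traffic off the network in FIPS mode. The condition should be `if (IN_LOOPBACKNET != ((ntohl(get_in_addr(p)) & IN_CLASSA_NET) >> IN_CLASSA_NSHIFT))`, with `<arpa/inet.h>` included if it is not already pulled in. The function also returns true for an empty list, which is worth a comment or an explicit `info == NULL` rejection.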
diff --git a/SOURCES/downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch b/SOURCES/downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch
index a1f5629..ba49d8c 100644
--- a/SOURCES/downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch
+++ b/SOURCES/downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch
@@ -1,4 +1,4 @@
-From a7318c3cd6e1f58adb80493c05b59e6c180cd584 Mon Sep 17 00:00:00 2001
+From 4f8cba1780bc167c52de2a791cad6a1817508bbe Mon Sep 17 00:00:00 2001
 From: Julien Rische <jrische@redhat.com>
 Date: Wed, 23 Feb 2022 17:34:33 +0100
 Subject: [PATCH] [downstream] FIPS with PRNG and RADIUS and MD4
@@ -28,24 +28,26 @@ global context.
 Remove EVP_MD_CTX_FLAG_NON_FIPS_ALLOW flag since does not have any
 effect anymore.
 
+post9 load both default and legacy provider into library context
+
 Last-updated: krb5-1.19
 ---
  doc/admin/conf_files/krb5_conf.rst            |  6 ++
  src/lib/crypto/krb/prng.c                     | 11 ++-
  .../crypto/openssl/enc_provider/camellia.c    |  6 ++
- src/lib/crypto/openssl/enc_provider/rc4.c     | 13 +++-
- .../crypto/openssl/hash_provider/hash_evp.c   | 85 ++++++++++++++++++-
+ src/lib/crypto/openssl/enc_provider/rc4.c     | 13 ++-
+ .../crypto/openssl/hash_provider/hash_evp.c   | 93 ++++++++++++++++++-
  src/lib/crypto/openssl/hmac.c                 |  6 +-
- src/lib/krad/attr.c                           | 46 ++++++++---
+ src/lib/krad/attr.c                           | 46 ++++++---
  src/lib/krad/attrset.c                        |  5 +-
- src/lib/krad/internal.h                       | 28 ++++++-
- src/lib/krad/packet.c                         | 22 +++---
- src/lib/krad/remote.c                         | 10 ++-
+ src/lib/krad/internal.h                       | 28 +++++-
+ src/lib/krad/packet.c                         | 22 +++--
+ src/lib/krad/remote.c                         | 10 +-
  src/lib/krad/t_attr.c                         |  3 +-
  src/lib/krad/t_attrset.c                      |  4 +-
  src/plugins/preauth/spake/spake_client.c      |  6 ++
  src/plugins/preauth/spake/spake_kdc.c         |  6 ++
- 15 files changed, 218 insertions(+), 35 deletions(-)
+ 15 files changed, 230 insertions(+), 35 deletions(-)
 
 diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
 index 675175955..adba8238d 100644
@@ -158,10 +160,10 @@ index bc87c6f42..9bf407899 100644
       * The cipher state here is a saved pointer to a struct arcfour_state
       * object, rather than a flat byte array as in most enc providers.  The
 diff --git a/src/lib/crypto/openssl/hash_provider/hash_evp.c b/src/lib/crypto/openssl/hash_provider/hash_evp.c
-index 1e0fb8fc3..4b8e1a6b2 100644
+index 1e0fb8fc3..57bca3fec 100644
 --- a/src/lib/crypto/openssl/hash_provider/hash_evp.c
 +++ b/src/lib/crypto/openssl/hash_provider/hash_evp.c
-@@ -32,6 +32,50 @@
+@@ -32,6 +32,46 @@
  
  #include "crypto_int.h"
  #include <openssl/evp.h>
@@ -170,8 +172,8 @@ index 1e0fb8fc3..4b8e1a6b2 100644
 +
 +typedef struct ossl_lib_md_context {
 +    OSSL_LIB_CTX *libctx;
++    OSSL_PROVIDER *default_provider;
 +    OSSL_PROVIDER *legacy_provider;
-+    EVP_MD *md;
 +} ossl_md_context_t;
 +
 +static thread_local ossl_md_context_t *ossl_md_ctx = NULL;
@@ -183,15 +185,11 @@ index 1e0fb8fc3..4b8e1a6b2 100644
 +    if (!ctx->libctx)
 +        return KRB5_CRYPTO_INTERNAL;
 +
-+    /*
-+     * Load both legacy and default provider as both may be needed.
-+     * If they fail keep going and an error will be raised when we try to
-+     * fetch the cipher later.
-+     */
++    /* Load both legacy and default provider as both may be needed. */
++    ctx->default_provider = OSSL_PROVIDER_load(ctx->libctx, "default");
 +    ctx->legacy_provider = OSSL_PROVIDER_load(ctx->libctx, "legacy");
 +
-+    ctx->md = EVP_MD_fetch(ctx->libctx, algo, NULL);
-+    if (!ctx->md)
++    if (!(ctx->default_provider && ctx->legacy_provider))
 +        return KRB5_CRYPTO_INTERNAL;
 +
 +    return 0;
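Review bot: `init_ossl_md_ctx` can return `KRB5_CRYPTO_INTERNAL` at the `!ctx->libctx` check before `default_provider` and `legacy_provider` are assigned, which may leave them uninitialised. The struct is obtained with plain `malloc(sizeof(ossl_md_context_t))` in `hash_evp_legacy` (visible in a later hunk), so if the error branch there calls `deinit_ossl_ctx` (that branch is not visible in these hunks), the `if (ctx->legacy_provider)` and `if (ctx->default_provider)` tests would read indeterminate pointers. Allocating with `calloc(1, sizeof(*ossl_md_ctx))` removes that dependency and also covers the case where only one of the two providers loads. The `algo` parameter of `init_ossl_md_ctx` is unused now that `EVP_MD_fetch` has moved into `hash_evp_legacy`, and could be dropped from the signature and the call.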
@@ -200,19 +198,19 @@ index 1e0fb8fc3..4b8e1a6b2 100644
 +static void
 +deinit_ossl_ctx(ossl_md_context_t *ctx)
 +{
-+    if (ctx->md)
-+        EVP_MD_free(ctx->md);
-+
 +    if (ctx->legacy_provider)
 +        OSSL_PROVIDER_unload(ctx->legacy_provider);
 +
++    if (ctx->default_provider)
++        OSSL_PROVIDER_unload(ctx->default_provider);
++
 +    if (ctx->libctx)
 +        OSSL_LIB_CTX_free(ctx->libctx);
 +}
  
  static krb5_error_code
  hash_evp(const EVP_MD *type, const krb5_crypto_iov *data, size_t num_data,
-@@ -61,16 +104,53 @@ hash_evp(const EVP_MD *type, const krb5_crypto_iov *data, size_t num_data,
+@@ -61,16 +101,65 @@ hash_evp(const EVP_MD *type, const krb5_crypto_iov *data, size_t num_data,
      return ok ? 0 : KRB5_CRYPTO_INTERNAL;
  }
  
@@ -221,11 +219,14 @@ index 1e0fb8fc3..4b8e1a6b2 100644
 +                krb5_data *output)
 +{
 +    krb5_error_code err;
++    EVP_MD *md = NULL;
 +
 +    if (!ossl_md_ctx) {
 +        ossl_md_ctx = malloc(sizeof(ossl_md_context_t));
-+        if (!ossl_md_ctx)
-+            return ENOMEM;
++        if (!ossl_md_ctx) {
++            err = ENOMEM;
++            goto end;
++        }
 +
 +        err = init_ossl_md_ctx(ossl_md_ctx, algo);
 +        if (err) {
@@ -236,9 +237,18 @@ index 1e0fb8fc3..4b8e1a6b2 100644
 +        }
 +    }
 +
-+    err = hash_evp(ossl_md_ctx->md, data, num_data, output);
++    md = EVP_MD_fetch(ossl_md_ctx->libctx, algo, NULL);
++    if (!md) {
++        err = KRB5_CRYPTO_INTERNAL;
++        goto end;
++    }
++
++    err = hash_evp(md, data, num_data, output);
 +
 +end:
++    if (md)
++        EVP_MD_free(md);
++
 +    return err;
 +}
 +
@@ -684,3 +694,6 @@ index 88c964ce1..c7df0392f 100644
      vt = (krb5_kdcpreauth_vtable)vtable;
      vt->name = "spake";
      vt->pa_type_list = pa_types;
+-- 
+2.35.1
+
diff --git a/SOURCES/downstream-Use-newly-enforced-dejagnu-path-naming-convention.patch b/SOURCES/downstream-Use-newly-enforced-dejagnu-path-naming-convention.patch
new file mode 100644
index 0000000..bdb22f9
--- /dev/null
+++ b/SOURCES/downstream-Use-newly-enforced-dejagnu-path-naming-convention.patch
@@ -0,0 +1,727 @@
+From 20cbbd0b273af56c6d527c8e6b9d96eef49926f2 Mon Sep 17 00:00:00 2001
+From: Julien Rische <jrische@redhat.com>
+Date: Thu, 31 Mar 2022 18:24:39 +0200
+Subject: [PATCH] Use newly enforced dejagnu path naming convention
+
+Since version 1.6.3, dejagnu started to enforce a naming convention that
+was already in place, but not mandatory: dejagnu test directories have
+to be named "testsuite". If they don't implicit relative sub-paths
+resolution (e.g. "lib", "config") is not forking.
+
+This commit renames kadm5 library's unit tests and global tests
+directories to match this requirement.
+
+Resolves: rhbz#2053133
+
+Signed-off-by: Julien Rische <jrische@redhat.com>
+---
+ src/configure.ac                              |   4 +--
+ src/lib/kadm5/Makefile.in                     |   2 +-
+ .../{unit-test => testsuite}/Makefile.in      |  28 +++++++++---------
+ .../api.2/crte-policy.exp                     |   0
+ .../api.2/get-policy.exp                      |   0
+ .../api.2/mod-policy.exp                      |   0
+ .../api.current/chpass-principal-v2.exp       |   0
+ .../api.current/chpass-principal.exp          |   0
+ .../api.current/crte-policy.exp               |   0
+ .../api.current/crte-principal.exp            |   0
+ .../api.current/destroy.exp                   |   0
+ .../api.current/dlte-policy.exp               |   0
+ .../api.current/dlte-principal.exp            |   0
+ .../api.current/get-policy.exp                |   0
+ .../api.current/get-principal-v2.exp          |   0
+ .../api.current/get-principal.exp             |   0
+ .../api.current/init-v2.exp                   |   0
+ .../api.current/init.exp                      |   0
+ .../api.current/mod-policy.exp                |   0
+ .../api.current/mod-principal-v2.exp          |   0
+ .../api.current/mod-principal.exp             |   0
+ .../api.current/randkey-principal-v2.exp      |   0
+ .../api.current/randkey-principal.exp         |   0
+ .../{unit-test => testsuite}/config/unix.exp  |   0
+ src/lib/kadm5/{unit-test => testsuite}/deps   |   0
+ .../{unit-test => testsuite}/destroy-test.c   |   0
+ .../diff-files/destroy-1                      |   0
+ .../diff-files/no-diffs                       |   0
+ .../{unit-test => testsuite}/handle-test.c    |   0
+ .../{unit-test => testsuite}/init-test.c      |   0
+ .../{unit-test => testsuite}/iter-test.c      |   0
+ .../kadm5/{unit-test => testsuite}/lib/lib.t  |   2 +-
+ .../{unit-test => testsuite}/lock-test.c      |   0
+ .../{unit-test => testsuite}/randkey-test.c   |   0
+ .../{unit-test => testsuite}/setkey-test.c    |   0
+ .../kadm5/{unit-test => testsuite}/site.exp   |   0
+ src/tests/Makefile.in                         |   2 +-
+ src/tests/t_authdata.py                       |   2 +-
+ src/tests/t_certauth.py                       |   2 +-
+ src/tests/t_pkinit.py                         |   2 +-
+ src/tests/t_proxy.py                          |  12 ++++----
+ src/tests/{dejagnu => testsuite}/Makefile.in  |   4 +--
+ .../{dejagnu => testsuite}/config/default.exp |   2 +-
+ src/tests/{dejagnu => testsuite}/deps         |   0
+ .../krb-standalone/gssapi.exp                 |   2 +-
+ .../krb-standalone/kprop.exp                  |   0
+ .../krb-standalone/princexpire.exp            |   0
+ .../krb-standalone/sample.exp                 |   2 +-
+ .../krb-standalone/simple.exp                 |   2 +-
+ .../krb-standalone/standalone.exp             |   0
+ .../krb-standalone/tcp.exp                    |   0
+ .../pkinit-certs/ca.pem                       |   0
+ .../pkinit-certs/generic.p12                  | Bin
+ .../pkinit-certs/generic.pem                  |   0
+ .../pkinit-certs/kdc.pem                      |   0
+ .../pkinit-certs/make-certs.sh                |   0
+ .../pkinit-certs/privkey-enc.pem              |   0
+ .../pkinit-certs/privkey.pem                  |   0
+ .../pkinit-certs/user-enc.p12                 | Bin
+ .../pkinit-certs/user-upn.p12                 | Bin
+ .../pkinit-certs/user-upn.pem                 |   0
+ .../pkinit-certs/user-upn2.p12                | Bin
+ .../pkinit-certs/user-upn2.pem                |   0
+ .../pkinit-certs/user-upn3.p12                | Bin
+ .../pkinit-certs/user-upn3.pem                |   0
+ .../pkinit-certs/user.p12                     | Bin
+ .../pkinit-certs/user.pem                     |   0
+ .../{dejagnu => testsuite}/proxy-certs/ca.pem |   0
+ .../proxy-certs/make-certs.sh                 |   0
+ .../proxy-certs/proxy-badsig.pem              |   0
+ .../proxy-certs/proxy-ideal.pem               |   0
+ .../proxy-certs/proxy-no-match.pem            |   0
+ .../proxy-certs/proxy-san.pem                 |   0
+ .../proxy-certs/proxy-subject.pem             |   0
+ src/tests/{dejagnu => testsuite}/t_inetd.c    |   2 +-
+ src/util/k5test.py                            |   2 +-
+ 76 files changed, 36 insertions(+), 36 deletions(-)
+ rename src/lib/kadm5/{unit-test => testsuite}/Makefile.in (86%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.2/crte-policy.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.2/get-policy.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.2/mod-policy.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/chpass-principal-v2.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/chpass-principal.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/crte-policy.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/crte-principal.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/destroy.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/dlte-policy.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/dlte-principal.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/get-policy.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/get-principal-v2.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/get-principal.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/init-v2.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/init.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/mod-policy.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/mod-principal-v2.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/mod-principal.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/randkey-principal-v2.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/randkey-principal.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/config/unix.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/deps (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/destroy-test.c (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/diff-files/destroy-1 (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/diff-files/no-diffs (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/handle-test.c (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/init-test.c (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/iter-test.c (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/lib/lib.t (99%)
+ rename src/lib/kadm5/{unit-test => testsuite}/lock-test.c (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/randkey-test.c (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/setkey-test.c (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/site.exp (100%)
+ rename src/tests/{dejagnu => testsuite}/Makefile.in (92%)
+ rename src/tests/{dejagnu => testsuite}/config/default.exp (99%)
+ rename src/tests/{dejagnu => testsuite}/deps (100%)
+ rename src/tests/{dejagnu => testsuite}/krb-standalone/gssapi.exp (98%)
+ rename src/tests/{dejagnu => testsuite}/krb-standalone/kprop.exp (100%)
+ rename src/tests/{dejagnu => testsuite}/krb-standalone/princexpire.exp (100%)
+ rename src/tests/{dejagnu => testsuite}/krb-standalone/sample.exp (98%)
+ rename src/tests/{dejagnu => testsuite}/krb-standalone/simple.exp (98%)
+ rename src/tests/{dejagnu => testsuite}/krb-standalone/standalone.exp (100%)
+ rename src/tests/{dejagnu => testsuite}/krb-standalone/tcp.exp (100%)
+ rename src/tests/{dejagnu => testsuite}/pkinit-certs/ca.pem (100%)
+ rename src/tests/{dejagnu => testsuite}/pkinit-certs/generic.p12 (100%)
+ rename src/tests/{dejagnu => testsuite}/pkinit-certs/generic.pem (100%)
+ rename src/tests/{dejagnu => testsuite}/pkinit-certs/kdc.pem (100%)
+ rename src/tests/{dejagnu => testsuite}/pkinit-certs/make-certs.sh (100%)
+ rename src/tests/{dejagnu => testsuite}/pkinit-certs/privkey-enc.pem (100%)
+ rename src/tests/{dejagnu => testsuite}/pkinit-certs/privkey.pem (100%)
+ rename src/tests/{dejagnu => testsuite}/pkinit-certs/user-enc.p12 (100%)
+ rename src/tests/{dejagnu => testsuite}/pkinit-certs/user-upn.p12 (100%)
+ rename src/tests/{dejagnu => testsuite}/pkinit-certs/user-upn.pem (100%)
+ rename src/tests/{dejagnu => testsuite}/pkinit-certs/user-upn2.p12 (100%)
+ rename src/tests/{dejagnu => testsuite}/pkinit-certs/user-upn2.pem (100%)
+ rename src/tests/{dejagnu => testsuite}/pkinit-certs/user-upn3.p12 (100%)
+ rename src/tests/{dejagnu => testsuite}/pkinit-certs/user-upn3.pem (100%)
+ rename src/tests/{dejagnu => testsuite}/pkinit-certs/user.p12 (100%)
+ rename src/tests/{dejagnu => testsuite}/pkinit-certs/user.pem (100%)
+ rename src/tests/{dejagnu => testsuite}/proxy-certs/ca.pem (100%)
+ rename src/tests/{dejagnu => testsuite}/proxy-certs/make-certs.sh (100%)
+ rename src/tests/{dejagnu => testsuite}/proxy-certs/proxy-badsig.pem (100%)
+ rename src/tests/{dejagnu => testsuite}/proxy-certs/proxy-ideal.pem (100%)
+ rename src/tests/{dejagnu => testsuite}/proxy-certs/proxy-no-match.pem (100%)
+ rename src/tests/{dejagnu => testsuite}/proxy-certs/proxy-san.pem (100%)
+ rename src/tests/{dejagnu => testsuite}/proxy-certs/proxy-subject.pem (100%)
+ rename src/tests/{dejagnu => testsuite}/t_inetd.c (99%)
+
+diff --git a/src/configure.ac b/src/configure.ac
+index 20066918b..363d5d62d 100644
+--- a/src/configure.ac
++++ b/src/configure.ac
+@@ -1500,7 +1500,7 @@ V5_AC_OUTPUT_MAKEFILE(.
+ 
+ 	lib/rpc lib/rpc/unit-test
+ 
+-	lib/kadm5 lib/kadm5/clnt lib/kadm5/srv lib/kadm5/unit-test
++	lib/kadm5 lib/kadm5/clnt lib/kadm5/srv lib/kadm5/testsuite
+ 	lib/krad
+ 	lib/apputils
+ 
+@@ -1544,5 +1544,5 @@ V5_AC_OUTPUT_MAKEFILE(.
+ 	appl/gss-sample appl/user_user
+ 
+ 	tests tests/asn.1 tests/create tests/hammer tests/verify tests/gssapi
+-	tests/dejagnu tests/threads tests/shlib tests/gss-threads tests/misc
++	tests/testsuite tests/threads tests/shlib tests/gss-threads tests/misc
+ )
+diff --git a/src/lib/kadm5/Makefile.in b/src/lib/kadm5/Makefile.in
+index c4eaad38d..76fc4b548 100644
+--- a/src/lib/kadm5/Makefile.in
++++ b/src/lib/kadm5/Makefile.in
+@@ -1,6 +1,6 @@
+ mydir=lib$(S)kadm5
+ BUILDTOP=$(REL)..$(S)..
+-SUBDIRS = clnt srv unit-test
++SUBDIRS = clnt srv testsuite
+ 
+ ##DOSBUILDTOP = ..\..
+ 
+diff --git a/src/lib/kadm5/unit-test/Makefile.in b/src/lib/kadm5/testsuite/Makefile.in
+similarity index 86%
+rename from src/lib/kadm5/unit-test/Makefile.in
+rename to src/lib/kadm5/testsuite/Makefile.in
+index 68fa097ff..5a55b786b 100644
+--- a/src/lib/kadm5/unit-test/Makefile.in
++++ b/src/lib/kadm5/testsuite/Makefile.in
+@@ -1,4 +1,4 @@
+-mydir=lib$(S)kadm5$(S)unit-test
++mydir=lib$(S)kadm5$(S)testsuite
+ BUILDTOP=$(REL)..$(S)..$(S)..
+ KDB_DEP_LIB=$(DL_LIB) $(THREAD_LINKOPTS)
+ 
+@@ -61,7 +61,7 @@ runenv.exp: Makefile
+ 		eval echo "set env\($$i\) \$$$$i"; done > runenv.exp
+ 
+ #
+-# The unit-test targets
++# The testsuite targets
+ #
+ 
+ check: check-@DO_TEST@
+@@ -72,13 +72,13 @@ check-:
+ 	@echo "+++ Either tcl, runtest, or Perl is unavailable."
+ 	@echo "+++"
+ 
+-check-ok unit-test: unit-test-client unit-test-server
++check-ok testsuite: testsuite-client testsuite-server
+ 
+-unit-test-client: unit-test-client-setup unit-test-client-body \
+-	unit-test-client-cleanup
++testsuite-client: testsuite-client-setup testsuite-client-body \
++	testsuite-client-cleanup
+ 
+-unit-test-server: unit-test-server-setup unit-test-server-body \
+-	unit-test-server-cleanup
++testsuite-server: testsuite-server-setup testsuite-server-body \
++	testsuite-server-cleanup
+ 
+ test-randkey: randkey-test
+ 	$(ENV_SETUP) $(VALGRIND) ./randkey-test
+@@ -98,19 +98,19 @@ test-destroy: destroy-test
+ test-setkey-client: client-setkey-test
+ 	$(ENV_SETUP) $(VALGRIND) ./client-setkey-test testkeys admin admin
+ 
+-unit-test-client-setup: runenv.sh
++testsuite-client-setup: runenv.sh
+ 	$(ENV_SETUP) $(VALGRIND) $(START_SERVERS)
+ 
+-unit-test-client-cleanup:
++testsuite-client-cleanup:
+ 	$(ENV_SETUP) $(STOP_SERVERS)
+ 
+-unit-test-server-setup: runenv.sh
++testsuite-server-setup: runenv.sh
+ 	$(ENV_SETUP) $(VALGRIND) $(START_SERVERS_LOCAL)
+ 
+-unit-test-server-cleanup:
++testsuite-server-cleanup:
+ 	$(ENV_SETUP) $(STOP_SERVERS_LOCAL)
+ 
+-unit-test-client-body: site.exp test-noauth test-destroy test-handle-client \
++testsuite-client-body: site.exp test-noauth test-destroy test-handle-client \
+ 	test-setkey-client runenv.exp
+ 	$(ENV_SETUP) $(RUNTEST) --tool api RPC=1 API=$(CLNTTCL) \
+ 		KINIT=$(BUILDTOP)/clients/kinit/kinit \
+@@ -121,7 +121,7 @@ unit-test-client-body: site.exp test-noauth test-destroy test-handle-client \
+ 	-mv api.log capi.log
+ 	-mv api.sum capi.sum
+ 
+-unit-test-server-body: site.exp test-handle-server lock-test 
++testsuite-server-body: site.exp test-handle-server lock-test 
+ 	$(ENV_SETUP) $(RUNTEST) --tool api RPC=0 API=$(SRVTCL) \
+ 		LOCKTEST=./lock-test \
+ 		KADMIN_LOCAL=$(BUILDTOP)/kadmin/cli/kadmin.local \
+@@ -140,4 +140,4 @@ clean:
+ 	$(RM) lock-test lock-test.o
+ 	$(RM) server-iter-test iter-test.o
+ 	$(RM) server-setkey-test client-setkey-test setkey-test.o
+-	$(RM) *.log *.plog *.sum *.psum unit-test-log.* runenv.exp
++	$(RM) *.log *.plog *.sum *.psum testsuite-log.* runenv.exp
+diff --git a/src/lib/kadm5/unit-test/api.2/crte-policy.exp b/src/lib/kadm5/testsuite/api.2/crte-policy.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.2/crte-policy.exp
+rename to src/lib/kadm5/testsuite/api.2/crte-policy.exp
+diff --git a/src/lib/kadm5/unit-test/api.2/get-policy.exp b/src/lib/kadm5/testsuite/api.2/get-policy.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.2/get-policy.exp
+rename to src/lib/kadm5/testsuite/api.2/get-policy.exp
+diff --git a/src/lib/kadm5/unit-test/api.2/mod-policy.exp b/src/lib/kadm5/testsuite/api.2/mod-policy.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.2/mod-policy.exp
+rename to src/lib/kadm5/testsuite/api.2/mod-policy.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp b/src/lib/kadm5/testsuite/api.current/chpass-principal-v2.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp
+rename to src/lib/kadm5/testsuite/api.current/chpass-principal-v2.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/chpass-principal.exp b/src/lib/kadm5/testsuite/api.current/chpass-principal.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/chpass-principal.exp
+rename to src/lib/kadm5/testsuite/api.current/chpass-principal.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/crte-policy.exp b/src/lib/kadm5/testsuite/api.current/crte-policy.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/crte-policy.exp
+rename to src/lib/kadm5/testsuite/api.current/crte-policy.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/crte-principal.exp b/src/lib/kadm5/testsuite/api.current/crte-principal.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/crte-principal.exp
+rename to src/lib/kadm5/testsuite/api.current/crte-principal.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/destroy.exp b/src/lib/kadm5/testsuite/api.current/destroy.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/destroy.exp
+rename to src/lib/kadm5/testsuite/api.current/destroy.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/dlte-policy.exp b/src/lib/kadm5/testsuite/api.current/dlte-policy.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/dlte-policy.exp
+rename to src/lib/kadm5/testsuite/api.current/dlte-policy.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/dlte-principal.exp b/src/lib/kadm5/testsuite/api.current/dlte-principal.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/dlte-principal.exp
+rename to src/lib/kadm5/testsuite/api.current/dlte-principal.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/get-policy.exp b/src/lib/kadm5/testsuite/api.current/get-policy.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/get-policy.exp
+rename to src/lib/kadm5/testsuite/api.current/get-policy.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/get-principal-v2.exp b/src/lib/kadm5/testsuite/api.current/get-principal-v2.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/get-principal-v2.exp
+rename to src/lib/kadm5/testsuite/api.current/get-principal-v2.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/get-principal.exp b/src/lib/kadm5/testsuite/api.current/get-principal.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/get-principal.exp
+rename to src/lib/kadm5/testsuite/api.current/get-principal.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/init-v2.exp b/src/lib/kadm5/testsuite/api.current/init-v2.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/init-v2.exp
+rename to src/lib/kadm5/testsuite/api.current/init-v2.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/init.exp b/src/lib/kadm5/testsuite/api.current/init.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/init.exp
+rename to src/lib/kadm5/testsuite/api.current/init.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/mod-policy.exp b/src/lib/kadm5/testsuite/api.current/mod-policy.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/mod-policy.exp
+rename to src/lib/kadm5/testsuite/api.current/mod-policy.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/mod-principal-v2.exp b/src/lib/kadm5/testsuite/api.current/mod-principal-v2.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/mod-principal-v2.exp
+rename to src/lib/kadm5/testsuite/api.current/mod-principal-v2.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/mod-principal.exp b/src/lib/kadm5/testsuite/api.current/mod-principal.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/mod-principal.exp
+rename to src/lib/kadm5/testsuite/api.current/mod-principal.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/randkey-principal-v2.exp b/src/lib/kadm5/testsuite/api.current/randkey-principal-v2.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/randkey-principal-v2.exp
+rename to src/lib/kadm5/testsuite/api.current/randkey-principal-v2.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/randkey-principal.exp b/src/lib/kadm5/testsuite/api.current/randkey-principal.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/randkey-principal.exp
+rename to src/lib/kadm5/testsuite/api.current/randkey-principal.exp
+diff --git a/src/lib/kadm5/unit-test/config/unix.exp b/src/lib/kadm5/testsuite/config/unix.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/config/unix.exp
+rename to src/lib/kadm5/testsuite/config/unix.exp
+diff --git a/src/lib/kadm5/unit-test/deps b/src/lib/kadm5/testsuite/deps
+similarity index 100%
+rename from src/lib/kadm5/unit-test/deps
+rename to src/lib/kadm5/testsuite/deps
+diff --git a/src/lib/kadm5/unit-test/destroy-test.c b/src/lib/kadm5/testsuite/destroy-test.c
+similarity index 100%
+rename from src/lib/kadm5/unit-test/destroy-test.c
+rename to src/lib/kadm5/testsuite/destroy-test.c
+diff --git a/src/lib/kadm5/unit-test/diff-files/destroy-1 b/src/lib/kadm5/testsuite/diff-files/destroy-1
+similarity index 100%
+rename from src/lib/kadm5/unit-test/diff-files/destroy-1
+rename to src/lib/kadm5/testsuite/diff-files/destroy-1
+diff --git a/src/lib/kadm5/unit-test/diff-files/no-diffs b/src/lib/kadm5/testsuite/diff-files/no-diffs
+similarity index 100%
+rename from src/lib/kadm5/unit-test/diff-files/no-diffs
+rename to src/lib/kadm5/testsuite/diff-files/no-diffs
+diff --git a/src/lib/kadm5/unit-test/handle-test.c b/src/lib/kadm5/testsuite/handle-test.c
+similarity index 100%
+rename from src/lib/kadm5/unit-test/handle-test.c
+rename to src/lib/kadm5/testsuite/handle-test.c
+diff --git a/src/lib/kadm5/unit-test/init-test.c b/src/lib/kadm5/testsuite/init-test.c
+similarity index 100%
+rename from src/lib/kadm5/unit-test/init-test.c
+rename to src/lib/kadm5/testsuite/init-test.c
+diff --git a/src/lib/kadm5/unit-test/iter-test.c b/src/lib/kadm5/testsuite/iter-test.c
+similarity index 100%
+rename from src/lib/kadm5/unit-test/iter-test.c
+rename to src/lib/kadm5/testsuite/iter-test.c
+diff --git a/src/lib/kadm5/unit-test/lib/lib.t b/src/lib/kadm5/testsuite/lib/lib.t
+similarity index 99%
+rename from src/lib/kadm5/unit-test/lib/lib.t
+rename to src/lib/kadm5/testsuite/lib/lib.t
+index 3444775cf..327946849 100644
+--- a/src/lib/kadm5/unit-test/lib/lib.t
++++ b/src/lib/kadm5/testsuite/lib/lib.t
+@@ -226,7 +226,7 @@ proc end_dump_compare {name} {
+     global  RPC
+ 
+     if { ! $RPC } { 
+-#	set file $TOP/admin/lib/unit-test/diff-files/$name
++#	set file $TOP/admin/lib/testsuite/diff-files/$name
+ #	exec $env(SIMPLE_DUMP) > /tmp/dump.after
+ #	exec $env(COMPARE_DUMP) /tmp/dump.before /tmp/dump.after $file
+     }
+diff --git a/src/lib/kadm5/unit-test/lock-test.c b/src/lib/kadm5/testsuite/lock-test.c
+similarity index 100%
+rename from src/lib/kadm5/unit-test/lock-test.c
+rename to src/lib/kadm5/testsuite/lock-test.c
+diff --git a/src/lib/kadm5/unit-test/randkey-test.c b/src/lib/kadm5/testsuite/randkey-test.c
+similarity index 100%
+rename from src/lib/kadm5/unit-test/randkey-test.c
+rename to src/lib/kadm5/testsuite/randkey-test.c
+diff --git a/src/lib/kadm5/unit-test/setkey-test.c b/src/lib/kadm5/testsuite/setkey-test.c
+similarity index 100%
+rename from src/lib/kadm5/unit-test/setkey-test.c
+rename to src/lib/kadm5/testsuite/setkey-test.c
+diff --git a/src/lib/kadm5/unit-test/site.exp b/src/lib/kadm5/testsuite/site.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/site.exp
+rename to src/lib/kadm5/testsuite/site.exp
+diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
+index 20f27d748..1198dca0c 100644
+--- a/src/tests/Makefile.in
++++ b/src/tests/Makefile.in
+@@ -1,6 +1,6 @@
+ mydir=tests
+ BUILDTOP=$(REL)..
+-SUBDIRS = asn.1 create hammer verify gssapi dejagnu shlib gss-threads misc \
++SUBDIRS = asn.1 create hammer verify gssapi testsuite shlib gss-threads misc \
+ 	threads softpkcs11
+ 
+ RUN_DB_TEST = $(RUN_SETUP) KRB5_KDC_PROFILE=kdc.conf KRB5_CONFIG=krb5.conf \
+diff --git a/src/tests/t_authdata.py b/src/tests/t_authdata.py
+index 2e01f46bc..e5135f435 100644
+--- a/src/tests/t_authdata.py
++++ b/src/tests/t_authdata.py
+@@ -57,7 +57,7 @@ if not os.path.exists(os.path.join(plugins, 'preauth', 'pkinit.so')):
+     skipped('anonymous ticket authdata tests', 'PKINIT not built')
+ else:
+     # Set up a realm with PKINIT support and get anonymous tickets.
+-    certs = os.path.join(srctop, 'tests', 'dejagnu', 'pkinit-certs')
++    certs = os.path.join(srctop, 'tests', 'testsuite', 'pkinit-certs')
+     ca_pem = os.path.join(certs, 'ca.pem')
+     kdc_pem = os.path.join(certs, 'kdc.pem')
+     privkey_pem = os.path.join(certs, 'privkey.pem')
+diff --git a/src/tests/t_certauth.py b/src/tests/t_certauth.py
+index 0fe0fdb4a..bfa5bfc96 100644
+--- a/src/tests/t_certauth.py
++++ b/src/tests/t_certauth.py
+@@ -4,7 +4,7 @@ from k5test import *
+ if not os.path.exists(os.path.join(plugins, 'preauth', 'pkinit.so')):
+     skip_rest('certauth tests', 'PKINIT module not built')
+ 
+-certs = os.path.join(srctop, 'tests', 'dejagnu', 'pkinit-certs')
++certs = os.path.join(srctop, 'tests', 'testsuite', 'pkinit-certs')
+ ca_pem = os.path.join(certs, 'ca.pem')
+ kdc_pem = os.path.join(certs, 'kdc.pem')
+ privkey_pem = os.path.join(certs, 'privkey.pem')
+diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py
+index aee4da2b1..8763ce484 100755
+--- a/src/tests/t_pkinit.py
++++ b/src/tests/t_pkinit.py
+@@ -7,7 +7,7 @@ if not os.path.exists(os.path.join(plugins, 'preauth', 'pkinit.so')):
+ soft_pkcs11 = os.path.join(buildtop, 'tests', 'softpkcs11', 'softpkcs11.so')
+ 
+ # Construct a krb5.conf fragment configuring pkinit.
+-certs = os.path.join(srctop, 'tests', 'dejagnu', 'pkinit-certs')
++certs = os.path.join(srctop, 'tests', 'testsuite', 'pkinit-certs')
+ ca_pem = os.path.join(certs, 'ca.pem')
+ kdc_pem = os.path.join(certs, 'kdc.pem')
+ user_pem = os.path.join(certs, 'user.pem')
+diff --git a/src/tests/t_proxy.py b/src/tests/t_proxy.py
+index 3069eaa8f..6ae5c8c8e 100755
+--- a/src/tests/t_proxy.py
++++ b/src/tests/t_proxy.py
+@@ -10,17 +10,17 @@ except:
+ 
+ # Construct a krb5.conf fragment configuring the client to use a local proxy
+ # server.
+-proxysubjectpem = os.path.join(srctop, 'tests', 'dejagnu', 'proxy-certs',
++proxysubjectpem = os.path.join(srctop, 'tests', 'testsuite', 'proxy-certs',
+                                'proxy-subject.pem')
+-proxysanpem = os.path.join(srctop, 'tests', 'dejagnu', 'proxy-certs',
++proxysanpem = os.path.join(srctop, 'tests', 'testsuite', 'proxy-certs',
+                            'proxy-san.pem')
+-proxyidealpem = os.path.join(srctop, 'tests', 'dejagnu', 'proxy-certs',
++proxyidealpem = os.path.join(srctop, 'tests', 'testsuite', 'proxy-certs',
+                              'proxy-ideal.pem')
+-proxywrongpem = os.path.join(srctop, 'tests', 'dejagnu', 'proxy-certs',
++proxywrongpem = os.path.join(srctop, 'tests', 'testsuite', 'proxy-certs',
+                              'proxy-no-match.pem')
+-proxybadpem = os.path.join(srctop, 'tests', 'dejagnu', 'proxy-certs',
++proxybadpem = os.path.join(srctop, 'tests', 'testsuite', 'proxy-certs',
+                            'proxy-badsig.pem')
+-proxyca = os.path.join(srctop, 'tests', 'dejagnu', 'proxy-certs', 'ca.pem')
++proxyca = os.path.join(srctop, 'tests', 'testsuite', 'proxy-certs', 'ca.pem')
+ proxyurl = 'https://localhost:$port5/KdcProxy'
+ proxyurlupcase = 'https://LocalHost:$port5/KdcProxy'
+ proxyurl4 = 'https://127.0.0.1:$port5/KdcProxy'
+diff --git a/src/tests/dejagnu/Makefile.in b/src/tests/testsuite/Makefile.in
+similarity index 92%
+rename from src/tests/dejagnu/Makefile.in
+rename to src/tests/testsuite/Makefile.in
+index e78e270ed..d3efe3606 100644
+--- a/src/tests/dejagnu/Makefile.in
++++ b/src/tests/testsuite/Makefile.in
+@@ -1,4 +1,4 @@
+-mydir=tests$(S)dejagnu
++mydir=tests$(S)testsuite
+ BUILDTOP=$(REL)..$(S)..
+ RUNTEST = @RUNTEST@ $(DEJAFLAGS)
+ RUNTESTFLAGS =
+@@ -13,7 +13,7 @@ check: check-runtest-@HAVE_RUNTEST@
+ 
+ check-runtest-no:
+ 	@echo "+++"
+-	@echo "+++ WARNING: tests/dejagnu tests not run."
++	@echo "+++ WARNING: tests/testsuite tests not run."
+ 	@echo "+++ runtest is unavailable."
+ 	@echo "+++"
+ 	@echo 'Skipped dejagnu tests: runtest not found' >> $(SKIPTESTS)
+diff --git a/src/tests/dejagnu/config/default.exp b/src/tests/testsuite/config/default.exp
+similarity index 99%
+rename from src/tests/dejagnu/config/default.exp
+rename to src/tests/testsuite/config/default.exp
+index 302dee74c..1492fac32 100644
+--- a/src/tests/dejagnu/config/default.exp
++++ b/src/tests/testsuite/config/default.exp
+@@ -256,7 +256,7 @@ verbose "Test realm is $REALMNAME"
+ 
+ # Find some programs we need.  We use the binaries from the build tree
+ # if they exist.  If they do not, then they must be in PATH.  We
+-# expect $objdir to be ...tests/dejagnu.
++# expect $objdir to be ...tests/testsuite.
+ 
+ foreach i {
+     {KDB5_UTIL $objdir/../../kadmin/dbutil/kdb5_util}
+diff --git a/src/tests/dejagnu/deps b/src/tests/testsuite/deps
+similarity index 100%
+rename from src/tests/dejagnu/deps
+rename to src/tests/testsuite/deps
+diff --git a/src/tests/dejagnu/krb-standalone/gssapi.exp b/src/tests/testsuite/krb-standalone/gssapi.exp
+similarity index 98%
+rename from src/tests/dejagnu/krb-standalone/gssapi.exp
+rename to src/tests/testsuite/krb-standalone/gssapi.exp
+index e3357e769..d176e210c 100644
+--- a/src/tests/dejagnu/krb-standalone/gssapi.exp
++++ b/src/tests/testsuite/krb-standalone/gssapi.exp
+@@ -2,7 +2,7 @@
+ # This is a DejaGnu test script.
+ # This script tests that the GSS-API tester functions correctly.
+ 
+-# This mostly just calls procedures in test/dejagnu/config/default.exp.
++# This mostly just calls procedures in test/testsuite/config/default.exp.
+ 
+ if ![info exists KDESTROY] {
+     set KDESTROY [findfile $objdir/../../clients/kdestroy/kdestroy]
+diff --git a/src/tests/dejagnu/krb-standalone/kprop.exp b/src/tests/testsuite/krb-standalone/kprop.exp
+similarity index 100%
+rename from src/tests/dejagnu/krb-standalone/kprop.exp
+rename to src/tests/testsuite/krb-standalone/kprop.exp
+diff --git a/src/tests/dejagnu/krb-standalone/princexpire.exp b/src/tests/testsuite/krb-standalone/princexpire.exp
+similarity index 100%
+rename from src/tests/dejagnu/krb-standalone/princexpire.exp
+rename to src/tests/testsuite/krb-standalone/princexpire.exp
+diff --git a/src/tests/dejagnu/krb-standalone/sample.exp b/src/tests/testsuite/krb-standalone/sample.exp
+similarity index 98%
+rename from src/tests/dejagnu/krb-standalone/sample.exp
+rename to src/tests/testsuite/krb-standalone/sample.exp
+index 93a75f1d0..009de5ddb 100644
+--- a/src/tests/dejagnu/krb-standalone/sample.exp
++++ b/src/tests/testsuite/krb-standalone/sample.exp
+@@ -2,7 +2,7 @@
+ # This is a DejaGnu test script.
+ # This script tests that sample user-user communication works.
+ 
+-# This mostly just calls procedures in test/dejagnu/config/default.exp.
++# This mostly just calls procedures in test/testsuite/config/default.exp.
+ 
+ if ![info exists KLIST] {
+     set KLIST [findfile $objdir/../../clients/klist/klist]
+diff --git a/src/tests/dejagnu/krb-standalone/simple.exp b/src/tests/testsuite/krb-standalone/simple.exp
+similarity index 98%
+rename from src/tests/dejagnu/krb-standalone/simple.exp
+rename to src/tests/testsuite/krb-standalone/simple.exp
+index d8b218248..92b33066e 100644
+--- a/src/tests/dejagnu/krb-standalone/simple.exp
++++ b/src/tests/testsuite/krb-standalone/simple.exp
+@@ -2,7 +2,7 @@
+ # This is a DejaGnu test script.
+ # This script tests that krb-safe and krb-priv messages work.
+ 
+-# This mostly just calls procedures in test/dejagnu/config/default.exp.
++# This mostly just calls procedures in test/testsuite/config/default.exp.
+ 
+ if ![info exists KLIST] {
+     set KLIST [findfile $objdir/../../clients/klist/klist]
+diff --git a/src/tests/dejagnu/krb-standalone/standalone.exp b/src/tests/testsuite/krb-standalone/standalone.exp
+similarity index 100%
+rename from src/tests/dejagnu/krb-standalone/standalone.exp
+rename to src/tests/testsuite/krb-standalone/standalone.exp
+diff --git a/src/tests/dejagnu/krb-standalone/tcp.exp b/src/tests/testsuite/krb-standalone/tcp.exp
+similarity index 100%
+rename from src/tests/dejagnu/krb-standalone/tcp.exp
+rename to src/tests/testsuite/krb-standalone/tcp.exp
+diff --git a/src/tests/dejagnu/pkinit-certs/ca.pem b/src/tests/testsuite/pkinit-certs/ca.pem
+similarity index 100%
+rename from src/tests/dejagnu/pkinit-certs/ca.pem
+rename to src/tests/testsuite/pkinit-certs/ca.pem
+diff --git a/src/tests/dejagnu/pkinit-certs/generic.p12 b/src/tests/testsuite/pkinit-certs/generic.p12
+similarity index 100%
+rename from src/tests/dejagnu/pkinit-certs/generic.p12
+rename to src/tests/testsuite/pkinit-certs/generic.p12
+diff --git a/src/tests/dejagnu/pkinit-certs/generic.pem b/src/tests/testsuite/pkinit-certs/generic.pem
+similarity index 100%
+rename from src/tests/dejagnu/pkinit-certs/generic.pem
+rename to src/tests/testsuite/pkinit-certs/generic.pem
+diff --git a/src/tests/dejagnu/pkinit-certs/kdc.pem b/src/tests/testsuite/pkinit-certs/kdc.pem
+similarity index 100%
+rename from src/tests/dejagnu/pkinit-certs/kdc.pem
+rename to src/tests/testsuite/pkinit-certs/kdc.pem
+diff --git a/src/tests/dejagnu/pkinit-certs/make-certs.sh b/src/tests/testsuite/pkinit-certs/make-certs.sh
+similarity index 100%
+rename from src/tests/dejagnu/pkinit-certs/make-certs.sh
+rename to src/tests/testsuite/pkinit-certs/make-certs.sh
+diff --git a/src/tests/dejagnu/pkinit-certs/privkey-enc.pem b/src/tests/testsuite/pkinit-certs/privkey-enc.pem
+similarity index 100%
+rename from src/tests/dejagnu/pkinit-certs/privkey-enc.pem
+rename to src/tests/testsuite/pkinit-certs/privkey-enc.pem
+diff --git a/src/tests/dejagnu/pkinit-certs/privkey.pem b/src/tests/testsuite/pkinit-certs/privkey.pem
+similarity index 100%
+rename from src/tests/dejagnu/pkinit-certs/privkey.pem
+rename to src/tests/testsuite/pkinit-certs/privkey.pem
+diff --git a/src/tests/dejagnu/pkinit-certs/user-enc.p12 b/src/tests/testsuite/pkinit-certs/user-enc.p12
+similarity index 100%
+rename from src/tests/dejagnu/pkinit-certs/user-enc.p12
+rename to src/tests/testsuite/pkinit-certs/user-enc.p12
+diff --git a/src/tests/dejagnu/pkinit-certs/user-upn.p12 b/src/tests/testsuite/pkinit-certs/user-upn.p12
+similarity index 100%
+rename from src/tests/dejagnu/pkinit-certs/user-upn.p12
+rename to src/tests/testsuite/pkinit-certs/user-upn.p12
+diff --git a/src/tests/dejagnu/pkinit-certs/user-upn.pem b/src/tests/testsuite/pkinit-certs/user-upn.pem
+similarity index 100%
+rename from src/tests/dejagnu/pkinit-certs/user-upn.pem
+rename to src/tests/testsuite/pkinit-certs/user-upn.pem
+diff --git a/src/tests/dejagnu/pkinit-certs/user-upn2.p12 b/src/tests/testsuite/pkinit-certs/user-upn2.p12
+similarity index 100%
+rename from src/tests/dejagnu/pkinit-certs/user-upn2.p12
+rename to src/tests/testsuite/pkinit-certs/user-upn2.p12
+diff --git a/src/tests/dejagnu/pkinit-certs/user-upn2.pem b/src/tests/testsuite/pkinit-certs/user-upn2.pem
+similarity index 100%
+rename from src/tests/dejagnu/pkinit-certs/user-upn2.pem
+rename to src/tests/testsuite/pkinit-certs/user-upn2.pem
+diff --git a/src/tests/dejagnu/pkinit-certs/user-upn3.p12 b/src/tests/testsuite/pkinit-certs/user-upn3.p12
+similarity index 100%
+rename from src/tests/dejagnu/pkinit-certs/user-upn3.p12
+rename to src/tests/testsuite/pkinit-certs/user-upn3.p12
+diff --git a/src/tests/dejagnu/pkinit-certs/user-upn3.pem b/src/tests/testsuite/pkinit-certs/user-upn3.pem
+similarity index 100%
+rename from src/tests/dejagnu/pkinit-certs/user-upn3.pem
+rename to src/tests/testsuite/pkinit-certs/user-upn3.pem
+diff --git a/src/tests/dejagnu/pkinit-certs/user.p12 b/src/tests/testsuite/pkinit-certs/user.p12
+similarity index 100%
+rename from src/tests/dejagnu/pkinit-certs/user.p12
+rename to src/tests/testsuite/pkinit-certs/user.p12
+diff --git a/src/tests/dejagnu/pkinit-certs/user.pem b/src/tests/testsuite/pkinit-certs/user.pem
+similarity index 100%
+rename from src/tests/dejagnu/pkinit-certs/user.pem
+rename to src/tests/testsuite/pkinit-certs/user.pem
+diff --git a/src/tests/dejagnu/proxy-certs/ca.pem b/src/tests/testsuite/proxy-certs/ca.pem
+similarity index 100%
+rename from src/tests/dejagnu/proxy-certs/ca.pem
+rename to src/tests/testsuite/proxy-certs/ca.pem
+diff --git a/src/tests/dejagnu/proxy-certs/make-certs.sh b/src/tests/testsuite/proxy-certs/make-certs.sh
+similarity index 100%
+rename from src/tests/dejagnu/proxy-certs/make-certs.sh
+rename to src/tests/testsuite/proxy-certs/make-certs.sh
+diff --git a/src/tests/dejagnu/proxy-certs/proxy-badsig.pem b/src/tests/testsuite/proxy-certs/proxy-badsig.pem
+similarity index 100%
+rename from src/tests/dejagnu/proxy-certs/proxy-badsig.pem
+rename to src/tests/testsuite/proxy-certs/proxy-badsig.pem
+diff --git a/src/tests/dejagnu/proxy-certs/proxy-ideal.pem b/src/tests/testsuite/proxy-certs/proxy-ideal.pem
+similarity index 100%
+rename from src/tests/dejagnu/proxy-certs/proxy-ideal.pem
+rename to src/tests/testsuite/proxy-certs/proxy-ideal.pem
+diff --git a/src/tests/dejagnu/proxy-certs/proxy-no-match.pem b/src/tests/testsuite/proxy-certs/proxy-no-match.pem
+similarity index 100%
+rename from src/tests/dejagnu/proxy-certs/proxy-no-match.pem
+rename to src/tests/testsuite/proxy-certs/proxy-no-match.pem
+diff --git a/src/tests/dejagnu/proxy-certs/proxy-san.pem b/src/tests/testsuite/proxy-certs/proxy-san.pem
+similarity index 100%
+rename from src/tests/dejagnu/proxy-certs/proxy-san.pem
+rename to src/tests/testsuite/proxy-certs/proxy-san.pem
+diff --git a/src/tests/dejagnu/proxy-certs/proxy-subject.pem b/src/tests/testsuite/proxy-certs/proxy-subject.pem
+similarity index 100%
+rename from src/tests/dejagnu/proxy-certs/proxy-subject.pem
+rename to src/tests/testsuite/proxy-certs/proxy-subject.pem
+diff --git a/src/tests/dejagnu/t_inetd.c b/src/tests/testsuite/t_inetd.c
+similarity index 99%
+rename from src/tests/dejagnu/t_inetd.c
+rename to src/tests/testsuite/t_inetd.c
+index abcde50fa..2bad2cf65 100644
+--- a/src/tests/dejagnu/t_inetd.c
++++ b/src/tests/testsuite/t_inetd.c
+@@ -1,5 +1,5 @@
+ /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+-/* tests/dejagnu/t_inetd.c */
++/* tests/testsuite/t_inetd.c */
+ /*
+  * Copyright 1991 by the Massachusetts Institute of Technology.
+  * All Rights Reserved.
+diff --git a/src/util/k5test.py b/src/util/k5test.py
+index 251d11a9d..908a1495c 100644
+--- a/src/util/k5test.py
++++ b/src/util/k5test.py
+@@ -1383,7 +1383,7 @@ kswitch = os.path.join(buildtop, 'clients', 'kswitch', 'kswitch')
+ kvno = os.path.join(buildtop, 'clients', 'kvno', 'kvno')
+ kdestroy = os.path.join(buildtop, 'clients', 'kdestroy', 'kdestroy')
+ kpasswd = os.path.join(buildtop, 'clients', 'kpasswd', 'kpasswd')
+-t_inetd = os.path.join(buildtop, 'tests', 'dejagnu', 't_inetd')
++t_inetd = os.path.join(buildtop, 'tests', 'testsuite', 't_inetd')
+ kproplog = os.path.join(buildtop, 'kprop', 'kproplog')
+ kpropd = os.path.join(buildtop, 'kprop', 'kpropd')
+ kprop = os.path.join(buildtop, 'kprop', 'kprop')
+-- 
+2.35.1
+
diff --git a/SOURCES/krb5-krad-larger-attrs.patch b/SOURCES/krb5-krad-larger-attrs.patch
new file mode 100644
index 0000000..ff9a2ad
--- /dev/null
+++ b/SOURCES/krb5-krad-larger-attrs.patch
@@ -0,0 +1,69 @@
+From 0ac0fd2d349e4d5ef7379182f4d7ce480edd8d2b Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Mon, 8 Nov 2021 17:48:50 +0100
+Subject: [PATCH 2/2] Support larger RADIUS attributes in libkrad
+
+In kr_attrset_decode(), explicitly treat the length byte as unsigned.
+Otherwise attributes longer than 125 characters will be rejected with
+EBADMSG.
+
+Add a 253-character-long NAS-Identifier attribute to the tests to make
+sure that attributes with the maximal number of characters are working
+as expected.
+
+[ghudson@mit.edu: used uint8_t cast per current practices; edited
+commit message]
+
+ticket: 9036 (new)
+---
+ src/lib/krad/attrset.c  |  2 +-
+ src/lib/krad/t_packet.c | 13 +++++++++++++
+ 2 files changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/src/lib/krad/attrset.c b/src/lib/krad/attrset.c
+index d89982a13..6ec031e32 100644
+--- a/src/lib/krad/attrset.c
++++ b/src/lib/krad/attrset.c
+@@ -218,7 +218,7 @@ kr_attrset_decode(krb5_context ctx, const krb5_data *in, const char *secret,
+ 
+     for (i = 0; i + 2 < in->length; ) {
+         type = in->data[i++];
+-        tmp = make_data(&in->data[i + 1], in->data[i] - 2);
++        tmp = make_data(&in->data[i + 1], (uint8_t)in->data[i] - 2);
+         i += tmp.length + 1;
+ 
+         retval = (in->length < i) ? EBADMSG : 0;
+diff --git a/src/lib/krad/t_packet.c b/src/lib/krad/t_packet.c
+index 0a92e9cc2..c22489144 100644
+--- a/src/lib/krad/t_packet.c
++++ b/src/lib/krad/t_packet.c
+@@ -57,6 +57,14 @@ make_packet(krb5_context ctx, const krb5_data *username,
+     krb5_error_code retval;
+     const krb5_data *data;
+     int i = 0;
++    krb5_data nas_id;
++
++    nas_id = string2data("12345678901234567890123456789012345678901234567890"
++                         "12345678901234567890123456789012345678901234567890"
++                         "12345678901234567890123456789012345678901234567890"
++                         "12345678901234567890123456789012345678901234567890"
++                         "12345678901234567890123456789012345678901234567890"
++                         "123");
+ 
+     retval = krad_attrset_new(ctx, &set);
+     if (retval != 0)
+@@ -71,6 +79,11 @@ make_packet(krb5_context ctx, const krb5_data *username,
+     if (retval != 0)
+         goto out;
+ 
++    retval = krad_attrset_add(set, krad_attr_name2num("NAS-Identifier"),
++                              &nas_id);
++    if (retval != 0)
++        goto out;
++
+     retval = krad_packet_new_request(ctx, "foo",
+                                      krad_code_name2num("Access-Request"),
+                                      set, iterator, &i, &tmp);
+-- 
+2.35.3
+
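Review bot: In the `kr_attrset_decode()` hunk of this patch, a length byte below 2 is still not rejected before the subtraction, so `(uint8_t)in->data[i] - 2` becomes a negative int. If `make_data()` takes an unsigned length (not visible here), that turns into a very large `tmp.length`. The `in->length < i` test on the next line catches it only if `i += tmp.length + 1` does not wrap, which depends on the width of `i`; its declaration and the rest of the function are outside the hunk. Since these bytes come from a received RADIUS packet, I would add an explicit guard before the `make_data()` call, `if ((uint8_t)in->data[i] < 2)`, failing with EBADMSG through the function's existing error path. The new t_packet.c test covers the 253-character maximum only, so a case with a length byte of 0 or 1 would be worth adding.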
diff --git a/SOURCES/krb5-krad-remote.patch b/SOURCES/krb5-krad-remote.patch
new file mode 100644
index 0000000..b5b071f
--- /dev/null
+++ b/SOURCES/krb5-krad-remote.patch
@@ -0,0 +1,171 @@
+From a8551b609fd50458ca3c06a9dd345b6cdf18689b Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Tue, 9 Nov 2021 13:00:43 -0500
+Subject: [PATCH 1/2] Avoid use after free during libkrad cleanup
+
+libkrad client requests contain a list of references to remotes, with
+no back-references or reference counts.  To prevent accesses to
+dangling references during cleanup, cancel all requests on all remotes
+before freeing any remotes.
+
+Remove the code for aging out unused servers.  This code was fairly
+safe as all requests referencing a remote should have completed or
+timed out during an hour of disuse, but in the current design we have
+no way to guarantee or check that.  The set of addresses we send
+RADIUS requests to will generally be small, so aging out servers is
+unnecessary.
+
+ticket: 9035 (new)
+---
+ src/lib/krad/client.c   | 42 ++++++++++++++---------------------------
+ src/lib/krad/internal.h |  4 ++++
+ src/lib/krad/remote.c   | 11 ++++++++---
+ 3 files changed, 26 insertions(+), 31 deletions(-)
+
+diff --git a/src/lib/krad/client.c b/src/lib/krad/client.c
+index 6365dd1c6..810940afc 100644
+--- a/src/lib/krad/client.c
++++ b/src/lib/krad/client.c
+@@ -64,7 +64,6 @@ struct request_st {
+ 
+ struct server_st {
+     krad_remote *serv;
+-    time_t last;
+     K5_LIST_ENTRY(server_st) list;
+ };
+ 
+@@ -81,15 +80,10 @@ get_server(krad_client *rc, const struct addrinfo *ai, const char *secret,
+            krad_remote **out)
+ {
+     krb5_error_code retval;
+-    time_t currtime;
+     server *srv;
+ 
+-    if (time(&currtime) == (time_t)-1)
+-        return errno;
+-
+     K5_LIST_FOREACH(srv, &rc->servers, list) {
+         if (kr_remote_equals(srv->serv, ai, secret)) {
+-            srv->last = currtime;
+             *out = srv->serv;
+             return 0;
+         }
+@@ -98,7 +92,6 @@ get_server(krad_client *rc, const struct addrinfo *ai, const char *secret,
+     srv = calloc(1, sizeof(server));
+     if (srv == NULL)
+         return ENOMEM;
+-    srv->last = currtime;
+ 
+     retval = kr_remote_new(rc->kctx, rc->vctx, ai, secret, &srv->serv);
+     if (retval != 0) {
+@@ -173,28 +166,12 @@ request_new(krad_client *rc, krad_code code, const krad_attrset *attrs,
+     return 0;
+ }
+ 
+-/* Close remotes that haven't been used in a while. */
+-static void
+-age(struct server_head *head, time_t currtime)
+-{
+-    server *srv, *tmp;
+-
+-    K5_LIST_FOREACH_SAFE(srv, head, list, tmp) {
+-        if (currtime == (time_t)-1 || currtime - srv->last > 60 * 60) {
+-            K5_LIST_REMOVE(srv, list);
+-            kr_remote_free(srv->serv);
+-            free(srv);
+-        }
+-    }
+-}
+-
+ /* Handle a response from a server (or related errors). */
+ static void
+ on_response(krb5_error_code retval, const krad_packet *reqp,
+             const krad_packet *rspp, void *data)
+ {
+     request *req = data;
+-    time_t currtime;
+     size_t i;
+ 
+     /* Do nothing if we are already completed. */
+@@ -221,10 +198,6 @@ on_response(krb5_error_code retval, const krad_packet *reqp,
+     for (i = 0; req->remotes[i].remote != NULL; i++)
+         kr_remote_cancel(req->remotes[i].remote, req->remotes[i].packet);
+ 
+-    /* Age out servers that haven't been used in a while. */
+-    if (time(&currtime) != (time_t)-1)
+-        age(&req->rc->servers, currtime);
+-
+     request_free(req);
+ }
+ 
+@@ -247,10 +220,23 @@ krad_client_new(krb5_context kctx, verto_ctx *vctx, krad_client **out)
+ void
+ krad_client_free(krad_client *rc)
+ {
++    server *srv;
++
+     if (rc == NULL)
+         return;
+ 
+-    age(&rc->servers, -1);
++    /* Cancel all requests before freeing any remotes, since each request's
++     * callback data may contain references to multiple remotes. */
++    K5_LIST_FOREACH(srv, &rc->servers, list)
++        kr_remote_cancel_all(srv->serv);
++
++    while (!K5_LIST_EMPTY(&rc->servers)) {
++        srv = K5_LIST_FIRST(&rc->servers);
++        K5_LIST_REMOVE(srv, list);
++        kr_remote_free(srv->serv);
++        free(srv);
++    }
++
+     free(rc);
+ }
+ 
+diff --git a/src/lib/krad/internal.h b/src/lib/krad/internal.h
+index 223ffd730..fa012db78 100644
+--- a/src/lib/krad/internal.h
++++ b/src/lib/krad/internal.h
+@@ -120,6 +120,10 @@ kr_remote_send(krad_remote *rr, krad_code code, krad_attrset *attrs,
+ void
+ kr_remote_cancel(krad_remote *rr, const krad_packet *pkt);
+ 
++/* Cancel all requests awaiting responses. */
++void
++kr_remote_cancel_all(krad_remote *rr);
++
+ /* Determine if this remote object refers to the remote resource identified
+  * by the addrinfo struct and the secret. */
+ krb5_boolean
+diff --git a/src/lib/krad/remote.c b/src/lib/krad/remote.c
+index c8912892c..01a5fd2a4 100644
+--- a/src/lib/krad/remote.c
++++ b/src/lib/krad/remote.c
+@@ -452,15 +452,20 @@ error:
+     return retval;
+ }
+ 
++void
++kr_remote_cancel_all(krad_remote *rr)
++{
++    while (!K5_TAILQ_EMPTY(&rr->list))
++        request_finish(K5_TAILQ_FIRST(&rr->list), ECANCELED, NULL);
++}
++
+ void
+ kr_remote_free(krad_remote *rr)
+ {
+     if (rr == NULL)
+         return;
+ 
+-    while (!K5_TAILQ_EMPTY(&rr->list))
+-        request_finish(K5_TAILQ_FIRST(&rr->list), ECANCELED, NULL);
+-
++    kr_remote_cancel_all(rr);
+     free(rr->secret);
+     if (rr->info != NULL)
+         free(rr->info->ai_addr);
+-- 
+2.35.3
+
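Review bot: `krad_client_free()` in the client.c part of this patch relies on no completion callback submitting a new request while the first loop runs. `kr_remote_free()` still calls `kr_remote_cancel_all()`, so a request queued during cancellation would be finished only in the second loop, after earlier remotes have been freed, and the cleanup in `on_response()` walks `req->remotes[]`. Whether a caller's callback can re-enter the client is not visible in these hunks, so this is a contract to document rather than a confirmed defect. I would extend the new comment with `/* Callbacks finished with ECANCELED here must not submit new requests on this client. */`. The `kr_remote_cancel_all()` prototype comment in internal.h could also say that each pending request is finished with ECANCELED and that it must be called on every remote before any remote is freed.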
diff --git a/SPECS/krb5.spec b/SPECS/krb5.spec
index 7464cab..ee8f670 100644
--- a/SPECS/krb5.spec
+++ b/SPECS/krb5.spec
@@ -42,7 +42,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.19.1
-Release: %{?zdpd}15%{?dist}
+Release: %{?zdpd}22%{?dist}
 
 # rharwood has trust path to signing key and verifies on check-in
 Source0: https://web.mit.edu/kerberos/dist/krb5/%{version}/krb5-%{version}%{?dashpre}.tar.gz
@@ -91,6 +91,13 @@ Patch26: Fix-kadmin-k-with-fallback-or-referral-realm.patch
 Patch27: Fix-KDC-null-deref-on-bad-encrypted-challenge.patch
 Patch28: Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch
 Patch29: Use-SHA256-instead-of-SHA1-for-PKINIT-CMS-digest.patch
+Patch30: downstream-Use-newly-enforced-dejagnu-path-naming-convention.patch
+Patch31: Try-harder-to-avoid-password-change-replay-errors.patch
+Patch32: Add-configure-variable-for-default-PKCS-11-module.patch
+Patch33: downstream-Allow-krad-UDP-TCP-localhost-connection-with-FIPS.patch
+Patch34: krb5-krad-remote.patch
+Patch35: krb5-krad-larger-attrs.patch
+Patch36: Set-reasonable-supportedCMSTypes-in-PKINIT.patch
 
 License: MIT
 URL: https://web.mit.edu/kerberos/www/
@@ -250,7 +257,7 @@ popd
 # builds going on the same host don't step on each other.
 cfg="src/kadmin/testing/proto/kdc.conf.proto \
      src/kadmin/testing/proto/krb5.conf.proto \
-     src/lib/kadm5/unit-test/api.current/init-v2.exp \
+     src/lib/kadm5/testsuite/api.current/init-v2.exp \
      src/util/k5test.py"
 LONG_BIT=`getconf LONG_BIT`
 PORT=`expr 61000 + $LONG_BIT - 48`
@@ -284,6 +291,7 @@ CPPFLAGS="`echo $DEFINES $INCLUDES`"
     CFLAGS="$CFLAGS" \
     CPPFLAGS="$CPPFLAGS" \
     SS_LIB="-lss" \
+    PKCS11_MODNAME="p11-kit-proxy.so" \
     --enable-shared \
     --runstatedir=/run \
     --localstatedir=%{_var}/kerberos \
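Review bot: The added `PKCS11_MODNAME="p11-kit-proxy.so"` line changes which library PKINIT loads when krb5.conf names no module, and the spec has no comment explaining it. The value is a bare file name, so it is presumably resolved through the dynamic loader's search path. The proxy also exposes every module configured in p11-kit rather than only OpenSC, so the set of tokens consulted by default now follows the system p11-kit configuration. Whether the package declares a runtime dependency on p11-kit is not visible in this hunk and is worth confirming. I would add a comment above the configure call, which starts and ends outside the hunk, such as `# Default PKINIT PKCS#11 module is the p11-kit proxy (rhbz#2030981)`.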
@@ -647,6 +655,29 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*
 
 %changelog
+* Fri Jul 08 2022 Julien Rische <jrische@redhat.com> - 1.19.1-22
+- Restore "supportedCMSTypes" attribute in PKINIT preauth requests
+- Set SHA-512 or SHA-256 with RSA as preferred CMS signature algorithms
+- Resolves: rhbz#2068935
+
+* Thu Jun 23 2022 Julien Rische <jrische@redhat.com> - 1.19.1-21
+- Fix libkrad client cleanup
+- Allow use of larger RADIUS attributes in krad library
+- Resolves: rhbz#2100351
+
+* Thu May 12 2022 Julien Rische <jrische@redhat.com> - 1.19.1-20
+- Fix OpenSSL 3 MD5 encyption in FIPS mode
+- Allow libkrad UDP/TCP connection to localhost in FIPS mode
+- Resolves: rhbz#2068458
+
+* Mon May 02 2022 Julien Rische <jrische@redhat.com> - 1.19.1-19
+- Use p11-kit as default PKCS11 module
+- Resolves: rhbz#2030981
+
+* Tue Apr 26 2022 Julien Rische <jrische@redhat.com> - 1.19.1-18
+- Try harder to avoid password change replay errors
+- Resolves: rhbz#2075186
+
 * Mon Mar 14 2022 Julien Rische <jrische@redhat.com> - 1.19.1-15
 - Use SHA-256 instead of SHA-1 for PKINIT CMS digest