From 34c8bac7e35ced21002c388742dcb1844342cf05 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Thu, 15 Nov 2012 15:23:18 -0500
Subject: [PATCH] drop backported fix for clock skew errors

- drop backported fix for avoiding spurious clock skew when a TGT is decrypted long after the KDC sent it to the client which decrypts it
---
krb5-1.10.3-as_rep_skew.patch | 57 -----------------------------------
krb5.spec | 4 +--
2 files changed, 2 insertions(+), 59 deletions(-)
delete mode 100644 krb5-1.10.3-as_rep_skew.patch

diff --git a/krb5-1.10.3-as_rep_skew.patch b/krb5-1.10.3-as_rep_skew.patch
deleted file mode 100644
index d3fbf92..0000000
--- a/krb5-1.10.3-as_rep_skew.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-commit 2626c89efd8019853edab29c52bac951f5ba2794
-Author: ghudson
-Date: Wed Jan 11 21:20:08 2012 +0000
-
- ticket: 7063
-
- Fix spurious clock skew caused by gak_fct delay
-
- In get_in_tkt.c, a time offset is computed between the KDC's auth_time
- and the current system time after the reply is decrypted. Time may
- have elapsed between these events because of a gak_fct invocation
- which blocks on user input. The resulting spurious time offset can
- cause subsequent TGS-REQs to fail and can also cause the end time of
- the next AS request to be in the past (issue #889) in cases where the
- old ccache is opened to find the default principal.
-
- Use the system time, without offset, for the request time of an AS
- request, for more predictable kinit behavior. Use this request time,
- rather than the current time, when computing the clock skew after the
- reply is decrypted.
-
- git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25644 dc483132-0cff-0310-8789-dd5450dbe970
-
-diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
-index 2dd3947..fc8df83 100644
---- a/src/lib/krb5/krb/get_in_tkt.c
-+++ b/src/lib/krb5/krb/get_in_tkt.c
-@@ -154,6 +154,7 @@ verify_as_reply(krb5_context context,
- krb5_error_code retval;
- int canon_req;
- int canon_ok;
-+ krb5_timestamp time_offset;
-
- /* check the contents for sanity: */
- if (!as_reply->enc_part2->times.starttime)
-@@ -216,8 +217,8 @@ verify_as_reply(krb5_context context,
- }
-
- if (context->library_options & KRB5_LIBOPT_SYNC_KDCTIME) {
-- retval = krb5_set_real_time(context,
-- as_reply->enc_part2->times.authtime, -1);
-+ time_offset = as_reply->enc_part2->times.authtime - time_now;
-+ retval = krb5_set_time_offsets(context, time_offset, 0);
- if (retval)
- return retval;
- } else {
-@@ -742,9 +743,7 @@ restart_init_creds_loop(krb5_context context, krb5_init_creds_context ctx,
- if (code != 0)
- goto cleanup;
-
-- code = krb5_timeofday(context, &ctx->request_time);
-- if (code != 0)
-- goto cleanup;
-+ ctx->request_time = time(NULL);
-
- code = krb5int_fast_as_armor(context, ctx->fast_state,
- ctx->opte, ctx->request);
diff --git a/krb5.spec b/krb5.spec
index a4bf276..18f573c 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -71,7 +71,6 @@ Patch71: krb5-1.9-dirsrv-accountlock.patch
 Patch75: krb5-pkinit-debug.patch
 Patch86: krb5-1.9-debuginfo.patch
 Patch105: krb5-kvno-230379.patch
-Patch109: krb5-1.10.3-as_rep_skew.patch
 Patch112: krb5-1.10.3-timeout_over.patch
 License: MIT
@@ -260,7 +259,6 @@ ln -s NOTICE LICENSE
 #%patch75 -p1 -b .pkinit-debug
 %patch86 -p0 -b .debuginfo
 %patch105 -p1 -b .kvno
-%patch109 -p1 -b .as_rep_skew
 %patch112 -p1 -b .timeout_over
 # Take the execute bit off of documentation.
@@ -829,6 +827,8 @@ exit 0
 - drop backported patches to make keytab-based authentication attempts work better when the client tells the KDC that it supports a particular cipher, but doesn't have a key for it in the keytab
+ - drop backported fix for avoiding spurious clock skew when a TGT is
+ decrypted long after the KDC sent it to the client which decrypts it
 * Wed Oct 17 2012 Nalin Dahyabhai 1.10.3-7
 - tag a couple of other patches which we still need to be applied during