- actually pull up the patch for RT#7063, and not some other ticket (#773496)

This commit is contained in:
Nalin Dahyabhai 2012-09-25 02:02:35 -04:00
parent 3e1f3982d4
commit 51b608140a
2 changed files with 50 additions and 50 deletions

View File

@ -1,60 +1,57 @@
Test suite hunks dropped because we didn't previously have a skew test.
commit 2626c89efd8019853edab29c52bac951f5ba2794
Author: ghudson <ghudson@dc483132-0cff-0310-8789-dd5450dbe970>
Date: Wed Jan 11 21:20:08 2012 +0000
commit 39629e9df44ce8c4ad72fde951390acc6864407d
Author: Greg Hudson <ghudson@mit.edu>
Date: Fri May 11 18:07:30 2012 +0000
Omit start time in common AS requests
ticket: 7063
MIT and Heimdal KDCs ignore the start time for non-postdated ticket
requests, but AD yields an error if the start time is in the KDC's
future, defeating the kdc_timesync option. Omit the start time if the
caller did not specify a start time offset.
Fix spurious clock skew caused by gak_fct delay
This change reenables the client check for too much clock skew in the
KDC reply in the non-timesync configuration. That check had been
unintentionally suppressed since the introduction of the
get_init_creds interfaces. Adjust the t_skew test script to expect
the new error behavior.
In get_in_tkt.c, a time offset is computed between the KDC's auth_time
and the current system time after the reply is decrypted. Time may
have elapsed between these events because of a gak_fct invocation
which blocks on user input. The resulting spurious time offset can
cause subsequent TGS-REQs to fail and can also cause the end time of
the next AS request to be in the past (issue #889) in cases where the
old ccache is opened to find the default principal.
Code changes from stefw@gnome.org with slight modifications.
Use the system time, without offset, for the request time of an AS
request, for more predictable kinit behavior. Use this request time,
rather than the current time, when computing the clock skew after the
reply is decrypted.
ticket: 7130
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25864 dc483132-0cff-0310-8789-dd5450dbe970
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25644 dc483132-0cff-0310-8789-dd5450dbe970
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index 21b92e0..1ae8021 100644
index 2dd3947..fc8df83 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -666,6 +666,8 @@ restart_init_creds_loop(krb5_context context, krb5_init_creds_context ctx,
krb5_error_code code = 0;
unsigned char random_buf[4];
krb5_data random_data;
+ krb5_timestamp from;
+
if (ctx->preauth_to_use) {
krb5_free_pa_data(context, ctx->preauth_to_use);
ctx->preauth_to_use = NULL;
@@ -728,14 +730,16 @@ restart_init_creds_loop(krb5_context context, krb5_init_creds_context ctx,
/* give the preauth plugins a chance to prep the request body */
krb5_preauth_prepare_request(context, ctx->opte, ctx->request);
@@ -154,6 +154,7 @@ verify_as_reply(krb5_context context,
krb5_error_code retval;
int canon_req;
int canon_ok;
+ krb5_timestamp time_offset;
- ctx->request->from = krb5int_addint32(ctx->request_time,
- ctx->start_time);
- ctx->request->till = krb5int_addint32(ctx->request->from,
- ctx->tkt_life);
+ /* Omit request start time in the common case. MIT and Heimdal KDCs will
+ * ignore it for non-postdated tickets anyway. */
+ from = krb5int_addint32(ctx->request_time, ctx->start_time);
+ if (ctx->start_time != 0)
+ ctx->request->from = from;
+ ctx->request->till = krb5int_addint32(from, ctx->tkt_life);
/* check the contents for sanity: */
if (!as_reply->enc_part2->times.starttime)
@@ -216,8 +217,8 @@ verify_as_reply(krb5_context context,
}
if (ctx->renew_life > 0) {
ctx->request->rtime =
- krb5int_addint32(ctx->request->from, ctx->renew_life);
+ krb5int_addint32(from, ctx->renew_life);
if (ctx->request->rtime < ctx->request->till) {
/* don't ask for a smaller renewable time than the lifetime */
ctx->request->rtime = ctx->request->till;
if (context->library_options & KRB5_LIBOPT_SYNC_KDCTIME) {
- retval = krb5_set_real_time(context,
- as_reply->enc_part2->times.authtime, -1);
+ time_offset = as_reply->enc_part2->times.authtime - time_now;
+ retval = krb5_set_time_offsets(context, time_offset, 0);
if (retval)
return retval;
} else {
@@ -742,9 +743,7 @@ restart_init_creds_loop(krb5_context context, krb5_init_creds_context ctx,
if (code != 0)
goto cleanup;
- code = krb5_timeofday(context, &ctx->request_time);
- if (code != 0)
- goto cleanup;
+ ctx->request_time = time(NULL);
code = krb5int_fast_as_armor(context, ctx->fast_state,
ctx->opte, ctx->request);

View File

@ -29,7 +29,7 @@
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.10.3
Release: 5%{?dist}
Release: 6%{?dist}
# Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.10/krb5-1.10.3-signed.tar
Source0: krb5-%{version}.tar.gz
@ -852,6 +852,9 @@ exit 0
%{_sbindir}/uuserver
%changelog
* Tue Sep 25 2012 Nalin Dahyabhai <nalin@redhat.com> 1.10.3-6
- actually pull up the patch for RT#7063, and not some other ticket (#773496)
* Mon Sep 10 2012 Nalin Dahyabhai <nalin@redhat.com> 1.10.3-5
- add patch based on one from Filip Krska to not call poll() with a negative
timeout when the caller's intent is for us to just stop calling it (#838548)