diff --git a/krb5-1.10.3-as_rep_skew.patch b/krb5-1.10.3-as_rep_skew.patch
index 4ed02a4..d3fbf92 100644
--- a/krb5-1.10.3-as_rep_skew.patch
+++ b/krb5-1.10.3-as_rep_skew.patch
@@ -1,60 +1,57 @@ -Test suite hunks dropped because we didn't previously have a skew test. +commit 2626c89efd8019853edab29c52bac951f5ba2794 +Author: ghudson +Date: Wed Jan 11 21:20:08 2012 +0000 -commit 39629e9df44ce8c4ad72fde951390acc6864407d -Author: Greg Hudson -Date: Fri May 11 18:07:30 2012 +0000 - - Omit start time in common AS requests + ticket: 7063 - MIT and Heimdal KDCs ignore the start time for non-postdated ticket - requests, but AD yields an error if the start time is in the KDC's - future, defeating the kdc_timesync option. Omit the start time if the - caller did not specify a start time offset. + Fix spurious clock skew caused by gak_fct delay - This change reenables the client check for too much clock skew in the - KDC reply in the non-timesync configuration. That check had been - unintentionally suppressed since the introduction of the - get_init_creds interfaces. Adjust the t_skew test script to expect - the new error behavior. + In get_in_tkt.c, a time offset is computed between the KDC's auth_time + and the current system time after the reply is decrypted. Time may + have elapsed between these events because of a gak_fct invocation + which blocks on user input. The resulting spurious time offset can + cause subsequent TGS-REQs to fail and can also cause the end time of + the next AS request to be in the past (issue #889) in cases where the + old ccache is opened to find the default principal. - Code changes from stefw@gnome.org with slight modifications. + Use the system time, without offset, for the request time of an AS + request, for more predictable kinit behavior. Use this request time, + rather than the current time, when computing the clock skew after the + reply is decrypted. - ticket: 7130 - - git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25864 dc483132-0cff-0310-8789-dd5450dbe970 + git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25644 dc483132-0cff-0310-8789-dd5450dbe970 
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c -index 21b92e0..1ae8021 100644 +index 2dd3947..fc8df83 100644 --- a/src/lib/krb5/krb/get_in_tkt.c 
+++ b/src/lib/krb5/krb/get_in_tkt.c -@@ -666,6 +666,8 @@ restart_init_creds_loop(krb5_context context, krb5_init_creds_context ctx, - krb5_error_code code = 0; - unsigned char random_buf[4]; - krb5_data random_data; -+ krb5_timestamp from; -+ - if (ctx->preauth_to_use) { - krb5_free_pa_data(context, ctx->preauth_to_use); - ctx->preauth_to_use = NULL; -@@ -728,14 +730,16 @@ restart_init_creds_loop(krb5_context context, krb5_init_creds_context ctx, - /* give the preauth plugins a chance to prep the request body */ - krb5_preauth_prepare_request(context, ctx->opte, ctx->request); +@@ -154,6 +154,7 @@ verify_as_reply(krb5_context context, + krb5_error_code retval; + int canon_req; + int canon_ok; ++ krb5_timestamp time_offset; -- ctx->request->from = krb5int_addint32(ctx->request_time, -- ctx->start_time); -- ctx->request->till = krb5int_addint32(ctx->request->from, -- ctx->tkt_life); -+ /* Omit request start time in the common case. MIT and Heimdal KDCs will -+ * ignore it for non-postdated tickets anyway. 
*/ -+ from = krb5int_addint32(ctx->request_time, ctx->start_time); -+ if (ctx->start_time != 0) -+ ctx->request->from = from; -+ ctx->request->till = krb5int_addint32(from, ctx->tkt_life); + /* check the contents for sanity: */ + if (!as_reply->enc_part2->times.starttime) +@@ -216,8 +217,8 @@ verify_as_reply(krb5_context context, + } - if (ctx->renew_life > 0) { - ctx->request->rtime = -- krb5int_addint32(ctx->request->from, ctx->renew_life); -+ krb5int_addint32(from, ctx->renew_life); - if (ctx->request->rtime < ctx->request->till) { - /* don't ask for a smaller renewable time than the lifetime */ - ctx->request->rtime = ctx->request->till; + if (context->library_options & KRB5_LIBOPT_SYNC_KDCTIME) { +- retval = krb5_set_real_time(context, +- as_reply->enc_part2->times.authtime, -1); ++ time_offset = as_reply->enc_part2->times.authtime - time_now; ++ retval = krb5_set_time_offsets(context, time_offset, 0); + if (retval) + return retval; + } else { +@@ -742,9 +743,7 @@ restart_init_creds_loop(krb5_context context, krb5_init_creds_context ctx, + if (code != 0) + goto cleanup; + +- code = krb5_timeofday(context, &ctx->request_time); +- if (code != 0) +- goto cleanup; ++ ctx->request_time = time(NULL); + + code = krb5int_fast_as_armor(context, ctx->fast_state, + ctx->opte, ctx->request); diff --git a/krb5.spec b/krb5.spec index a929402..31b4c13 100644 --- a/krb5.spec +++ b/krb5.spec @@ -29,7 +29,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.10.3 -Release: 5%{?dist} +Release: 6%{?dist} # Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.10/krb5-1.10.3-signed.tar Source0: krb5-%{version}.tar.gz 
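Review bot: In the new patch's `@@ -742,9 +743,7 @@` hunk, `ctx->request_time = time(NULL);` narrows a time_t into krb5_timestamp through an implicit conversion and drops the error path the replaced krb5_timeofday() call had, while the reason for bypassing the context's offset-adjusted clock lives only in the commit message. I would make the conversion explicit and keep the rationale beside the code: `/* Deliberately use the raw system clock rather than krb5_timeofday(), so the skew computed in verify_as_reply is measured from the time this request was built, not from after any gak_fct prompt. */` followed by `ctx->request_time = (krb5_timestamp)time(NULL);`. The same hunk set's `@@ -216,8 +217,8 @@` change computes `as_reply->enc_part2->times.authtime - time_now` as a plain subtraction of two krb5_timestamp values; if krb5_timestamp is a signed 32-bit type in this tree, as it presumably is for 1.10, a KDC authtime far from the local clock wraps instead of yielding a large offset, so a one-line comment stating that the reply is already decrypted and the difference is expected to be within normal skew would help the next reader judge that risk. Both restart_init_creds_loop and verify_as_reply begin and end outside these hunks, and the hunk that sets `time_now` from the request time is not part of this patch as shown.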
@@ -852,6 +852,9 @@ exit 0 %{_sbindir}/uuserver %changelog +* Tue Sep 25 2012 Nalin Dahyabhai 1.10.3-6 +- actually pull up the patch for RT#7063, and not some other ticket (#773496) + * Mon Sep 10 2012 Nalin Dahyabhai 1.10.3-5 - add patch based on one from Filip Krska to not call poll() with a negative timeout when the caller's intent is for us to just stop calling it (#838548)