From 792d78fa470f667fca376d5c2c47cf8533ea1131 Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: Fri, 17 Jan 2014 10:58:19 -0500 Subject: [PATCH] Backport fixes for timesync with keyring caches add patch to always retrieve the KDC time offsets from keyring caches, so that we don't mistakenly interpret creds as expired before their time when our clock is ahead of the KDC's (RT#7820, #1030607) --- krb5-master-keyring-kdcsync.patch | 108 ++++++++++++++++++++++++++++++ krb5.spec | 6 ++ 2 files changed, 114 insertions(+) create mode 100644 krb5-master-keyring-kdcsync.patch diff --git a/krb5-master-keyring-kdcsync.patch b/krb5-master-keyring-kdcsync.patch new file mode 100644 index 0000000..d0c9f7c --- /dev/null +++ b/krb5-master-keyring-kdcsync.patch @@ -0,0 +1,108 @@ +commit 2ac550e648ff88f84cc2da3c573202845f14e655 +Author: Greg Hudson +Date: Thu Jan 16 17:48:54 2014 -0500 + + Get time offsets for all keyring ccaches + + Move the time offset lookup from krb5_krcc_resolve to make_cache, so + that we fetch time offsets for caches created by + krb5_krcc_ptcursor_next. + + ticket: 7820 + target_version: 1.12.2 + tags: pullup + +diff --git a/src/lib/krb5/ccache/cc_keyring.c b/src/lib/krb5/ccache/cc_keyring.c +index a0c8035..27bad9d 100644 +--- a/src/lib/krb5/ccache/cc_keyring.c ++++ b/src/lib/krb5/ccache/cc_keyring.c +@@ -1077,11 +1077,13 @@ krb5_krcc_destroy(krb5_context context, krb5_ccache id) + + /* Create a cache handle for a cache ID. */ + static krb5_error_code +-make_cache(key_serial_t collection_id, key_serial_t cache_id, +- const char *anchor_name, const char *collection_name, +- const char *subsidiary_name, krb5_ccache *cache_out) ++make_cache(krb5_context context, key_serial_t collection_id, ++ key_serial_t cache_id, const char *anchor_name, ++ const char *collection_name, const char *subsidiary_name, ++ krb5_ccache *cache_out) + { + krb5_error_code ret; ++ krb5_os_context os_ctx = &context->os_context; + krb5_ccache ccache = NULL; + krb5_krcc_data *d; + key_serial_t pkey = 0; +@@ -1108,6 +1110,18 @@ make_cache(key_serial_t collection_id, key_serial_t cache_id, + ccache->data = d; + ccache->magic = KV5M_CCACHE; + *cache_out = ccache; ++ ++ /* Lookup time offsets if necessary. */ ++ if ((context->library_options & KRB5_LIBOPT_SYNC_KDCTIME) && ++ !(os_ctx->os_flags & KRB5_OS_TOFFSET_VALID)) { ++ if (krb5_krcc_get_time_offsets(context, ccache, ++ &os_ctx->time_offset, ++ &os_ctx->usec_offset) == 0) { ++ os_ctx->os_flags &= ~KRB5_OS_TOFFSET_TIME; ++ os_ctx->os_flags |= KRB5_OS_TOFFSET_VALID; ++ } ++ } ++ + return 0; + } + +@@ -1134,7 +1148,6 @@ make_cache(key_serial_t collection_id, key_serial_t cache_id, + static krb5_error_code KRB5_CALLCONV + krb5_krcc_resolve(krb5_context context, krb5_ccache *id, const char *residual) + { +- krb5_os_context os_ctx = &context->os_context; + krb5_error_code ret; + key_serial_t collection_id, cache_id; + char *anchor_name = NULL, *collection_name = NULL, *subsidiary_name = NULL; +@@ -1161,22 +1174,11 @@ krb5_krcc_resolve(krb5_context context, krb5_ccache *id, const char *residual) + if (cache_id < 0) + cache_id = 0; + +- ret = make_cache(collection_id, cache_id, anchor_name, collection_name, +- subsidiary_name, id); ++ ret = make_cache(context, collection_id, cache_id, anchor_name, ++ collection_name, subsidiary_name, id); + if (ret) + goto cleanup; + +- /* Lookup time offsets if necessary. */ +- if ((context->library_options & KRB5_LIBOPT_SYNC_KDCTIME) && +- !(os_ctx->os_flags & KRB5_OS_TOFFSET_VALID)) { +- if (krb5_krcc_get_time_offsets(context, *id, +- &os_ctx->time_offset, +- &os_ctx->usec_offset) == 0) { +- os_ctx->os_flags &= ~KRB5_OS_TOFFSET_TIME; +- os_ctx->os_flags |= KRB5_OS_TOFFSET_VALID; +- } +- } +- + cleanup: + free(anchor_name); + free(collection_name); +@@ -1928,8 +1930,9 @@ krb5_krcc_ptcursor_next(krb5_context context, krb5_cc_ptcursor cursor, + cache_id = keyctl_search(data->collection_id, KRCC_KEY_TYPE_KEYRING, + first_name, 0); + if (cache_id != -1) { +- return make_cache(data->collection_id, cache_id, data->anchor_name, +- data->collection_name, first_name, cache_out); ++ return make_cache(context, data->collection_id, cache_id, ++ data->anchor_name, data->collection_name, ++ first_name, cache_out); + } + } + +@@ -1967,7 +1970,7 @@ krb5_krcc_ptcursor_next(krb5_context context, krb5_cc_ptcursor cursor, + + /* We found a valid key */ + data->next_key++; +- ret = make_cache(data->collection_id, key, data->anchor_name, ++ ret = make_cache(context, data->collection_id, key, data->anchor_name, + data->collection_name, subsidiary_name, cache_out); + free(description); + return ret; diff --git a/krb5.spec b/krb5.spec index 4680343..db829f6 100644 --- a/krb5.spec +++ b/krb5.spec @@ -90,6 +90,7 @@ Patch86: krb5-1.9-debuginfo.patch Patch105: krb5-kvno-230379.patch Patch129: krb5-1.11-run_user_0.patch Patch134: krb5-1.11-kpasswdtest.patch +Patch135: krb5-master-keyring-kdcsync.patch License: MIT URL: http://web.mit.edu/kerberos/www/ @@ -315,6 +316,8 @@ ln -s NOTICE LICENSE %patch134 -p1 -b .kpasswdtest +%patch135 -p1 -b .keyring-kdcsync + # Take the execute bit off of documentation. chmod -x doc/krb5-protocol/*.txt @@ -971,6 +974,9 @@ exit 0 - drop patch for RT#7807, included now - drop patch for RT#7045, included now - drop patches for RT#7813 and RT#7815, included now + - add patch to always retrieve the KDC time offsets from keyring caches, + so that we don't mistakenly interpret creds as expired before their + time when our clock is ahead of the KDC's (RT#7820, #1030607) * Mon Jan 13 2014 Nalin Dahyabhai - 1.12-11 - update the PIC patch for iaesx86.s to not use ELF relocations to the version