Backport fixes for timesync with keyring caches

add patch to always retrieve the KDC time offsets from keyring caches,
so that we don't mistakenly interpret creds as expired before their
time when our clock is ahead of the KDC's (RT#7820, #1030607)
This commit is contained in:
Nalin Dahyabhai 2014-01-17 10:58:19 -05:00
parent 4dec248a05
commit 792d78fa47
2 changed files with 114 additions and 0 deletions

View File

@ -0,0 +1,108 @@
commit 2ac550e648ff88f84cc2da3c573202845f14e655
Author: Greg Hudson <ghudson@mit.edu>
Date: Thu Jan 16 17:48:54 2014 -0500
Get time offsets for all keyring ccaches
Move the time offset lookup from krb5_krcc_resolve to make_cache, so
that we fetch time offsets for caches created by
krb5_krcc_ptcursor_next.
ticket: 7820
target_version: 1.12.2
tags: pullup
diff --git a/src/lib/krb5/ccache/cc_keyring.c b/src/lib/krb5/ccache/cc_keyring.c
index a0c8035..27bad9d 100644
--- a/src/lib/krb5/ccache/cc_keyring.c
+++ b/src/lib/krb5/ccache/cc_keyring.c
@@ -1077,11 +1077,13 @@ krb5_krcc_destroy(krb5_context context, krb5_ccache id)
/* Create a cache handle for a cache ID. */
static krb5_error_code
-make_cache(key_serial_t collection_id, key_serial_t cache_id,
- const char *anchor_name, const char *collection_name,
- const char *subsidiary_name, krb5_ccache *cache_out)
+make_cache(krb5_context context, key_serial_t collection_id,
+ key_serial_t cache_id, const char *anchor_name,
+ const char *collection_name, const char *subsidiary_name,
+ krb5_ccache *cache_out)
{
krb5_error_code ret;
+ krb5_os_context os_ctx = &context->os_context;
krb5_ccache ccache = NULL;
krb5_krcc_data *d;
key_serial_t pkey = 0;
@@ -1108,6 +1110,18 @@ make_cache(key_serial_t collection_id, key_serial_t cache_id,
ccache->data = d;
ccache->magic = KV5M_CCACHE;
*cache_out = ccache;
+
+ /* Lookup time offsets if necessary. */
+ if ((context->library_options & KRB5_LIBOPT_SYNC_KDCTIME) &&
+ !(os_ctx->os_flags & KRB5_OS_TOFFSET_VALID)) {
+ if (krb5_krcc_get_time_offsets(context, ccache,
+ &os_ctx->time_offset,
+ &os_ctx->usec_offset) == 0) {
+ os_ctx->os_flags &= ~KRB5_OS_TOFFSET_TIME;
+ os_ctx->os_flags |= KRB5_OS_TOFFSET_VALID;
+ }
+ }
+
return 0;
}
@@ -1134,7 +1148,6 @@ make_cache(key_serial_t collection_id, key_serial_t cache_id,
static krb5_error_code KRB5_CALLCONV
krb5_krcc_resolve(krb5_context context, krb5_ccache *id, const char *residual)
{
- krb5_os_context os_ctx = &context->os_context;
krb5_error_code ret;
key_serial_t collection_id, cache_id;
char *anchor_name = NULL, *collection_name = NULL, *subsidiary_name = NULL;
@@ -1161,22 +1174,11 @@ krb5_krcc_resolve(krb5_context context, krb5_ccache *id, const char *residual)
if (cache_id < 0)
cache_id = 0;
- ret = make_cache(collection_id, cache_id, anchor_name, collection_name,
- subsidiary_name, id);
+ ret = make_cache(context, collection_id, cache_id, anchor_name,
+ collection_name, subsidiary_name, id);
if (ret)
goto cleanup;
- /* Lookup time offsets if necessary. */
- if ((context->library_options & KRB5_LIBOPT_SYNC_KDCTIME) &&
- !(os_ctx->os_flags & KRB5_OS_TOFFSET_VALID)) {
- if (krb5_krcc_get_time_offsets(context, *id,
- &os_ctx->time_offset,
- &os_ctx->usec_offset) == 0) {
- os_ctx->os_flags &= ~KRB5_OS_TOFFSET_TIME;
- os_ctx->os_flags |= KRB5_OS_TOFFSET_VALID;
- }
- }
-
cleanup:
free(anchor_name);
free(collection_name);
@@ -1928,8 +1930,9 @@ krb5_krcc_ptcursor_next(krb5_context context, krb5_cc_ptcursor cursor,
cache_id = keyctl_search(data->collection_id, KRCC_KEY_TYPE_KEYRING,
first_name, 0);
if (cache_id != -1) {
- return make_cache(data->collection_id, cache_id, data->anchor_name,
- data->collection_name, first_name, cache_out);
+ return make_cache(context, data->collection_id, cache_id,
+ data->anchor_name, data->collection_name,
+ first_name, cache_out);
}
}
@@ -1967,7 +1970,7 @@ krb5_krcc_ptcursor_next(krb5_context context, krb5_cc_ptcursor cursor,
/* We found a valid key */
data->next_key++;
- ret = make_cache(data->collection_id, key, data->anchor_name,
+ ret = make_cache(context, data->collection_id, key, data->anchor_name,
data->collection_name, subsidiary_name, cache_out);
free(description);
return ret;

View File

@ -90,6 +90,7 @@ Patch86: krb5-1.9-debuginfo.patch
Patch105: krb5-kvno-230379.patch
Patch129: krb5-1.11-run_user_0.patch
Patch134: krb5-1.11-kpasswdtest.patch
Patch135: krb5-master-keyring-kdcsync.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
@ -315,6 +316,8 @@ ln -s NOTICE LICENSE
%patch134 -p1 -b .kpasswdtest
%patch135 -p1 -b .keyring-kdcsync
# Take the execute bit off of documentation.
chmod -x doc/krb5-protocol/*.txt
@ -971,6 +974,9 @@ exit 0
- drop patch for RT#7807, included now
- drop patch for RT#7045, included now
- drop patches for RT#7813 and RT#7815, included now
- add patch to always retrieve the KDC time offsets from keyring caches,
so that we don't mistakenly interpret creds as expired before their
time when our clock is ahead of the KDC's (RT#7820, #1030607)
* Mon Jan 13 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.12-11
- update the PIC patch for iaesx86.s to not use ELF relocations to the version