Backport kdc policy plugin, but this time with dependencies

This commit is contained in:
Robbie Harwood 2017-08-21 18:43:49 +00:00
parent 48ad53c66e
commit 95b80fb0b9
11 changed files with 3245 additions and 18 deletions

View File

@ -1,4 +1,4 @@
From 387ac75a30b679d6f0b0408b6c8e46ec2df30088 Mon Sep 17 00:00:00 2001 From 648fa08747a5f2025f47e5b0bc2589f55a65218a Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com> From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 27 Jun 2017 17:15:39 -0400 Date: Tue, 27 Jun 2017 17:15:39 -0400
Subject: [PATCH] Add KDC policy pluggable interface Subject: [PATCH] Add KDC policy pluggable interface
@ -18,8 +18,7 @@ Also authored by Matt Rogers <mrogers@redhat.com>.
ticket: 8606 (new) ticket: 8606 (new)
(cherry picked from commit d0969f6a8170344031ef58fd2a161190f1edfb96) (cherry picked from commit d0969f6a8170344031ef58fd2a161190f1edfb96)
[rharwood@redhat.com: plugin numbering for not having kadmin auth, and [rharwood@redhat.com: mention but do not use kadm_auth]
conflict in tests]
--- ---
doc/plugindev/index.rst | 1 + doc/plugindev/index.rst | 1 +
doc/plugindev/kdcpolicy.rst | 24 +++ doc/plugindev/kdcpolicy.rst | 24 +++
@ -95,7 +94,7 @@ index 000000000..74f21f08f
+explicitly not as stable as other public interfaces, modules which do +explicitly not as stable as other public interfaces, modules which do
+this may not retain compatibility across releases. +this may not retain compatibility across releases.
diff --git a/src/Makefile.in b/src/Makefile.in diff --git a/src/Makefile.in b/src/Makefile.in
index b0249778c..84856debb 100644 index ad8565056..e47bddcb1 100644
--- a/src/Makefile.in --- a/src/Makefile.in
+++ b/src/Makefile.in +++ b/src/Makefile.in
@@ -21,6 +21,7 @@ SUBDIRS=util include lib \ @@ -21,6 +21,7 @@ SUBDIRS=util include lib \
@ -107,10 +106,10 @@ index b0249778c..84856debb 100644
plugins/preauth/pkinit \ plugins/preauth/pkinit \
plugins/preauth/test \ plugins/preauth/test \
diff --git a/src/configure.in b/src/configure.in diff --git a/src/configure.in b/src/configure.in
index 24f653f0d..a3881e93f 100644 index 4ae2c07d5..ee1983043 100644
--- a/src/configure.in --- a/src/configure.in
+++ b/src/configure.in +++ b/src/configure.in
@@ -1467,6 +1467,7 @@ dnl ccapi ccapi/lib ccapi/lib/unix ccapi/server ccapi/server/unix ccapi/test @@ -1470,6 +1470,7 @@ dnl ccapi ccapi/lib ccapi/lib/unix ccapi/server ccapi/server/unix ccapi/test
plugins/kdb/db2/libdb2/recno plugins/kdb/db2/libdb2/recno
plugins/kdb/db2/libdb2/test plugins/kdb/db2/libdb2/test
plugins/kdb/test plugins/kdb/test
@ -131,7 +130,7 @@ index 0239338a1..6a3fa8242 100644
$(INSTALL_DATA) $(srcdir)/krb5/localauth_plugin.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)localauth_plugin.h $(INSTALL_DATA) $(srcdir)/krb5/localauth_plugin.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)localauth_plugin.h
$(INSTALL_DATA) $(srcdir)/krb5/locate_plugin.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)locate_plugin.h $(INSTALL_DATA) $(srcdir)/krb5/locate_plugin.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)locate_plugin.h
diff --git a/src/include/k5-int.h b/src/include/k5-int.h diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 06ca2b66d..a157ff03f 100644 index ed9c7bf75..39ffb9568 100644
--- a/src/include/k5-int.h --- a/src/include/k5-int.h
+++ b/src/include/k5-int.h +++ b/src/include/k5-int.h
@@ -1157,7 +1157,9 @@ struct plugin_interface { @@ -1157,7 +1157,9 @@ struct plugin_interface {
@ -294,7 +293,7 @@ index 000000000..c7592c5db
+ +
+#endif /* KRB5_POLICY_PLUGIN_H */ +#endif /* KRB5_POLICY_PLUGIN_H */
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index a4bf91b1b..7636bfb52 100644 index f85da6da6..f5cf8ad89 100644
--- a/src/kdc/do_as_req.c --- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c +++ b/src/kdc/do_as_req.c
@@ -207,6 +207,13 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode) @@ -207,6 +207,13 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
@ -312,7 +311,7 @@ index a4bf91b1b..7636bfb52 100644
* Find the server key * Find the server key
*/ */
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 339259fd1..b2d5952bf 100644 index ac5864603..0009a9319 100644
--- a/src/kdc/do_tgs_req.c --- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c
@@ -518,6 +518,12 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, @@ -518,6 +518,12 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
@ -329,7 +328,7 @@ index 339259fd1..b2d5952bf 100644
* Set authtime to be the same as header or evidence ticket's * Set authtime to be the same as header or evidence ticket's
*/ */
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 30c501c67..f7212d7a3 100644 index b710aefe4..5455e2a67 100644
--- a/src/kdc/kdc_util.c --- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c +++ b/src/kdc/kdc_util.c
@@ -642,7 +642,6 @@ validate_as_request(kdc_realm_t *kdc_active_realm, @@ -642,7 +642,6 @@ validate_as_request(kdc_realm_t *kdc_active_realm,
@ -354,7 +353,7 @@ index 30c501c67..f7212d7a3 100644
} }
diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h
index bcf05fc27..b499a04e1 100644 index 672f94380..dcedfd538 100644
--- a/src/kdc/kdc_util.h --- a/src/kdc/kdc_util.h
+++ b/src/kdc/kdc_util.h +++ b/src/kdc/kdc_util.h
@@ -166,17 +166,6 @@ kdc_err(krb5_context call_context, errcode_t code, const char *fmt, ...) @@ -166,17 +166,6 @@ kdc_err(krb5_context call_context, errcode_t code, const char *fmt, ...)
@ -735,10 +734,10 @@ index 6b000dc90..2a57b0a01 100644
#endif /* __KRB5_KDC_POLICY__ */ #endif /* __KRB5_KDC_POLICY__ */
diff --git a/src/kdc/tgs_policy.c b/src/kdc/tgs_policy.c diff --git a/src/kdc/tgs_policy.c b/src/kdc/tgs_policy.c
index a30cacc66..ea285376f 100644 index d0f25d1b7..33cfbcd81 100644
--- a/src/kdc/tgs_policy.c --- a/src/kdc/tgs_policy.c
+++ b/src/kdc/tgs_policy.c +++ b/src/kdc/tgs_policy.c
@@ -374,11 +374,5 @@ validate_tgs_request(kdc_realm_t *kdc_active_realm, @@ -375,11 +375,5 @@ validate_tgs_request(kdc_realm_t *kdc_active_realm,
if (ret && ret != KRB5_PLUGIN_OP_NOTSUPP) if (ret && ret != KRB5_PLUGIN_OP_NOTSUPP)
return errcode_to_protocol(ret); return errcode_to_protocol(ret);
@ -919,13 +918,13 @@ index 000000000..9682ec74f
@@ -0,0 +1 @@ @@ -0,0 +1 @@
+kdcpolicy_test_initvt +kdcpolicy_test_initvt
diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
index 0e93d6b59..60e39dd14 100644 index 2b3112537..a2093108b 100644
--- a/src/tests/Makefile.in --- a/src/tests/Makefile.in
+++ b/src/tests/Makefile.in +++ b/src/tests/Makefile.in
@@ -168,6 +168,7 @@ check-pytests: localauth plugorder rdreq responder s2p s4u2proxy unlockiter @@ -169,6 +169,7 @@ check-pytests: localauth plugorder rdreq responder s2p s4u2proxy unlockiter
$(RUNPYTEST) $(srcdir)/t_princflags.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_tabdump.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_tabdump.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_certauth.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_certauth.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_y2038.py $(PYTESTFLAGS)
+ $(RUNPYTEST) $(srcdir)/t_kdcpolicy.py $(PYTESTFLAGS) + $(RUNPYTEST) $(srcdir)/t_kdcpolicy.py $(PYTESTFLAGS)
clean: clean:

View File

@ -0,0 +1,80 @@
From 38b7fbd7ee64a205c4dcfc345c30132e73f5b249 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Sat, 22 Apr 2017 09:49:12 -0400
Subject: [PATCH] Add timestamp helper functions
Add k5-int.h helper functions to manipulate krb5_timestamp values,
avoiding undefined behavior and treating negative timestamp values as
times between 2038 and 2106. Add a doxygen comment for krb5_timestamp
indicating how third-party code should use it safely.
ticket: 8352
(cherry picked from commit 58e9155060cd93b1a7557e37fbc9b077b76465c2)
---
src/include/k5-int.h | 31 +++++++++++++++++++++++++++++++
src/include/krb5/krb5.hin | 9 +++++++++
2 files changed, 40 insertions(+)
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 06ca2b66d..82ee20760 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -2353,6 +2353,37 @@ k5memdup0(const void *in, size_t len, krb5_error_code *code)
return ptr;
}
+/* Convert a krb5_timestamp to a time_t value, treating the negative range of
+ * krb5_timestamp as times between 2038 and 2106 (if time_t is 64-bit). */
+static inline time_t
+ts2tt(krb5_timestamp timestamp)
+{
+ return (time_t)(uint32_t)timestamp;
+}
+
+/* Return the delta between two timestamps (a - b) as a signed 32-bit value,
+ * without relying on undefined behavior. */
+static inline krb5_deltat
+ts_delta(krb5_timestamp a, krb5_timestamp b)
+{
+ return (krb5_deltat)((uint32_t)a - (uint32_t)b);
+}
+
+/* Increment a timestamp by a signed 32-bit interval, without relying on
+ * undefined behavior. */
+static inline krb5_timestamp
+ts_incr(krb5_timestamp ts, krb5_deltat delta)
+{
+ return (krb5_timestamp)((uint32_t)ts + (uint32_t)delta);
+}
+
+/* Return true if a comes after b. */
+static inline krb5_boolean
+ts_after(krb5_timestamp a, krb5_timestamp b)
+{
+ return (uint32_t)a > (uint32_t)b;
+}
+
krb5_error_code KRB5_CALLCONV
krb5_get_credentials_for_user(krb5_context context, krb5_flags options,
krb5_ccache ccache,
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index cf60d6c41..53ad85384 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -187,7 +187,16 @@ typedef krb5_int32 krb5_cryptotype;
typedef krb5_int32 krb5_preauthtype; /* This may change, later on */
typedef krb5_int32 krb5_flags;
+
+/**
+ * Represents a timestamp in seconds since the POSIX epoch. This legacy type
+ * is used frequently in the ABI, but cannot represent timestamps after 2038 as
+ * a positive number. Code which uses this type should cast values of it to
+ * uint32_t so that negative values are treated as timestamps between 2038 and
+ * 2106 on platforms with 64-bit time_t.
+ */
typedef krb5_int32 krb5_timestamp;
+
typedef krb5_int32 krb5_deltat;
/**

599
Add-timestamp-tests.patch Normal file
View File

@ -0,0 +1,599 @@
From 1b351445b4b938f54025728ba786f05ee82c47d1 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Sat, 29 Apr 2017 17:30:36 -0400
Subject: [PATCH] Add timestamp tests
Add a test program for krb5int_validate_times() covering cases before
and across the y2038 boundary. Add a GSSAPI test program to exercise
lifetime queries, and tests using it in t_gssapi.py for ticket end
times after y2038. Add a new test script t_y2038.py which only runs
on platforms with 64-bit time_t to exercise end-user operations across
and after y2038. Add an LDAP test case to test storage of post-y2038
timestamps.
ticket: 8352
(cherry picked from commit 8ca62e54e89e2fbd6a089e8ab20b4e374a486003)
[rharwood@redhat.com: prune gitignore]
---
src/Makefile.in | 1 +
src/config/pre.in | 2 +
src/configure.in | 3 +
src/lib/krb5/krb/Makefile.in | 14 ++--
src/lib/krb5/krb/t_valid_times.c | 109 ++++++++++++++++++++++++++++++
src/tests/Makefile.in | 1 +
src/tests/gssapi/Makefile.in | 27 ++++----
src/tests/gssapi/t_gssapi.py | 32 +++++++++
src/tests/gssapi/t_lifetime.c | 140 +++++++++++++++++++++++++++++++++++++++
src/tests/t_kdb.py | 7 ++
src/tests/t_y2038.py | 75 +++++++++++++++++++++
11 files changed, 395 insertions(+), 16 deletions(-)
create mode 100644 src/lib/krb5/krb/t_valid_times.c
create mode 100644 src/tests/gssapi/t_lifetime.c
create mode 100644 src/tests/t_y2038.py
diff --git a/src/Makefile.in b/src/Makefile.in
index b0249778c..ad8565056 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -521,6 +521,7 @@ pyrunenv.vals: Makefile
done > $@
echo "tls_impl = '$(TLS_IMPL)'" >> $@
echo "have_sasl = '$(HAVE_SASL)'" >> $@
+ echo "sizeof_time_t = $(SIZEOF_TIME_T)" >> $@
runenv.py: pyrunenv.vals
echo 'env = {}' > $@
diff --git a/src/config/pre.in b/src/config/pre.in
index d961b5621..f23c07d9d 100644
--- a/src/config/pre.in
+++ b/src/config/pre.in
@@ -452,6 +452,8 @@ HAVE_SASL = @HAVE_SASL@
# Whether we have libresolv 1.1.5 for URI discovery tests
HAVE_RESOLV_WRAPPER = @HAVE_RESOLV_WRAPPER@
+SIZEOF_TIME_T = @SIZEOF_TIME_T@
+
# error table rules
#
### /* these are invoked as $(...) foo.et, which works, but could be better */
diff --git a/src/configure.in b/src/configure.in
index 24f653f0d..4ae2c07d5 100644
--- a/src/configure.in
+++ b/src/configure.in
@@ -744,6 +744,9 @@ fi
AC_HEADER_TIME
AC_CHECK_TYPE(time_t, long)
+AC_CHECK_SIZEOF(time_t)
+SIZEOF_TIME_T=$ac_cv_sizeof_time_t
+AC_SUBST(SIZEOF_TIME_T)
# Determine where to put the replay cache.
diff --git a/src/lib/krb5/krb/Makefile.in b/src/lib/krb5/krb/Makefile.in
index 0fe02a95d..55f82b147 100644
--- a/src/lib/krb5/krb/Makefile.in
+++ b/src/lib/krb5/krb/Makefile.in
@@ -364,6 +364,7 @@ SRCS= $(srcdir)/addr_comp.c \
$(srcdir)/t_in_ccache.c \
$(srcdir)/t_response_items.c \
$(srcdir)/t_sname_match.c \
+ $(srcdir)/t_valid_times.c \
$(srcdir)/t_vfy_increds.c
# Someday, when we have a "maintainer mode", do this right:
@@ -457,9 +458,12 @@ t_response_items: t_response_items.o response_items.o $(KRB5_BASE_DEPLIBS)
t_sname_match: t_sname_match.o sname_match.o $(KRB5_BASE_DEPLIBS)
$(CC_LINK) -o $@ t_sname_match.o sname_match.o $(KRB5_BASE_LIBS)
+t_valid_times: t_valid_times.o valid_times.o $(KRB5_BASE_DEPLIBS)
+ $(CC_LINK) -o $@ t_valid_times.o valid_times.o $(KRB5_BASE_LIBS)
+
TEST_PROGS= t_walk_rtree t_kerb t_ser t_deltat t_expand t_authdata t_pac \
- t_in_ccache t_cc_config t_copy_context \
- t_princ t_etypes t_vfy_increds t_response_items t_sname_match
+ t_in_ccache t_cc_config t_copy_context t_princ t_etypes t_vfy_increds \
+ t_response_items t_sname_match t_valid_times
check-unix: $(TEST_PROGS)
$(RUN_TEST_LOCAL_CONF) ./t_kerb \
@@ -496,6 +500,7 @@ check-unix: $(TEST_PROGS)
$(RUN_TEST) ./t_response_items
$(RUN_TEST) ./t_copy_context
$(RUN_TEST) ./t_sname_match
+ $(RUN_TEST) ./t_valid_times
check-pytests: t_expire_warn t_vfy_increds
$(RUNPYTEST) $(srcdir)/t_expire_warn.py $(PYTESTFLAGS)
@@ -522,8 +527,9 @@ clean:
$(OUTPRE)t_ad_fx_armor$(EXEEXT) $(OUTPRE)t_ad_fx_armor.$(OBJEXT) \
$(OUTPRE)t_vfy_increds$(EXEEXT) $(OUTPRE)t_vfy_increds.$(OBJEXT) \
$(OUTPRE)t_response_items$(EXEEXT) \
- $(OUTPRE)t_response_items.$(OBJEXT) $(OUTPRE)t_sname_match$(EXEEXT) \
- $(OUTPRE)t_sname_match.$(OBJEXT) \
+ $(OUTPRE)t_response_items.$(OBJEXT) \
+ $(OUTPRE)t_sname_match$(EXEEXT) $(OUTPRE)t_sname_match.$(OBJEXT) \
+ $(OUTPRE)t_valid_times$(EXEEXT) $(OUTPRE)t_valid_times.$(OBJECT) \
$(OUTPRE)t_parse_host_string$(EXEEXT) \
$(OUTPRE)t_parse_host_string.$(OBJEXT)
diff --git a/src/lib/krb5/krb/t_valid_times.c b/src/lib/krb5/krb/t_valid_times.c
new file mode 100644
index 000000000..1b469ffc2
--- /dev/null
+++ b/src/lib/krb5/krb/t_valid_times.c
@@ -0,0 +1,109 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* lib/krb5/krb/t_valid_times.c - test program for krb5int_validate_times() */
+/*
+ * Copyright (C) 2017 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "k5-int.h"
+#include "int-proto.h"
+
+#define BOUNDARY (uint32_t)INT32_MIN
+
+int
+main()
+{
+ krb5_error_code ret;
+ krb5_context context;
+ krb5_ticket_times times = { 0, 0, 0, 0 };
+
+ ret = krb5_init_context(&context);
+ assert(!ret);
+
+ /* Current time is within authtime and end time. */
+ ret = krb5_set_debugging_time(context, 1000, 0);
+ times.authtime = 500;
+ times.endtime = 1500;
+ ret = krb5int_validate_times(context, &times);
+ assert(!ret);
+
+ /* Current time is before starttime, but within clock skew. */
+ times.starttime = 1100;
+ ret = krb5int_validate_times(context, &times);
+ assert(!ret);
+
+ /* Current time is before starttime by more than clock skew. */
+ times.starttime = 1400;
+ ret = krb5int_validate_times(context, &times);
+ assert(ret == KRB5KRB_AP_ERR_TKT_NYV);
+
+ /* Current time is after end time, but within clock skew. */
+ times.starttime = 500;
+ times.endtime = 800;
+ ret = krb5int_validate_times(context, &times);
+ assert(!ret);
+
+ /* Current time is after end time by more than clock skew. */
+ times.endtime = 600;
+ ret = krb5int_validate_times(context, &times);
+ assert(ret == KRB5KRB_AP_ERR_TKT_EXPIRED);
+
+ /* Current time is within starttime and endtime; current time and
+ * endtime are across y2038 boundary. */
+ ret = krb5_set_debugging_time(context, BOUNDARY - 100, 0);
+ assert(!ret);
+ times.starttime = BOUNDARY - 200;
+ times.endtime = BOUNDARY + 500;
+ ret = krb5int_validate_times(context, &times);
+ assert(!ret);
+
+ /* Current time is before starttime, but by less than clock skew. */
+ times.starttime = BOUNDARY + 100;
+ ret = krb5int_validate_times(context, &times);
+ assert(!ret);
+
+ /* Current time is before starttime by more than clock skew. */
+ times.starttime = BOUNDARY + 250;
+ ret = krb5int_validate_times(context, &times);
+ assert(ret == KRB5KRB_AP_ERR_TKT_NYV);
+
+ /* Current time is after endtime, but by less than clock skew. */
+ ret = krb5_set_debugging_time(context, BOUNDARY + 100, 0);
+ assert(!ret);
+ times.starttime = BOUNDARY - 1000;
+ times.endtime = BOUNDARY - 100;
+ ret = krb5int_validate_times(context, &times);
+ assert(!ret);
+
+ /* Current time is after endtime by more than clock skew. */
+ times.endtime = BOUNDARY - 300;
+ ret = krb5int_validate_times(context, &times);
+ assert(ret == KRB5KRB_AP_ERR_TKT_EXPIRED);
+
+ return 0;
+}
diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
index 0e93d6b59..2b3112537 100644
--- a/src/tests/Makefile.in
+++ b/src/tests/Makefile.in
@@ -168,6 +168,7 @@ check-pytests: localauth plugorder rdreq responder s2p s4u2proxy unlockiter
$(RUNPYTEST) $(srcdir)/t_princflags.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_tabdump.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_certauth.py $(PYTESTFLAGS)
+ $(RUNPYTEST) $(srcdir)/t_y2038.py $(PYTESTFLAGS)
clean:
$(RM) adata etinfo forward gcred hist hooks hrealm icred kdbtest
diff --git a/src/tests/gssapi/Makefile.in b/src/tests/gssapi/Makefile.in
index 6c1464297..604f926de 100644
--- a/src/tests/gssapi/Makefile.in
+++ b/src/tests/gssapi/Makefile.in
@@ -15,15 +15,16 @@ SRCS= $(srcdir)/ccinit.c $(srcdir)/ccrefresh.c $(srcdir)/common.c \
$(srcdir)/t_gssexts.c $(srcdir)/t_imp_cred.c $(srcdir)/t_imp_name.c \
$(srcdir)/t_invalid.c $(srcdir)/t_inq_cred.c $(srcdir)/t_inq_ctx.c \
$(srcdir)/t_inq_mechs_name.c $(srcdir)/t_iov.c \
- $(srcdir)/t_namingexts.c $(srcdir)/t_oid.c $(srcdir)/t_pcontok.c \
- $(srcdir)/t_prf.c $(srcdir)/t_s4u.c $(srcdir)/t_s4u2proxy_krb5.c \
- $(srcdir)/t_saslname.c $(srcdir)/t_spnego.c $(srcdir)/t_srcattrs.c
+ $(srcdir)/t_lifetime.c $(srcdir)/t_namingexts.c $(srcdir)/t_oid.c \
+ $(srcdir)/t_pcontok.c $(srcdir)/t_prf.c $(srcdir)/t_s4u.c \
+ $(srcdir)/t_s4u2proxy_krb5.c $(srcdir)/t_saslname.c \
+ $(srcdir)/t_spnego.c $(srcdir)/t_srcattrs.c
OBJS= ccinit.o ccrefresh.o common.o t_accname.o t_ccselect.o t_ciflags.o \
t_credstore.o t_enctypes.o t_err.o t_export_cred.o t_export_name.o \
t_gssexts.o t_imp_cred.o t_imp_name.o t_invalid.o t_inq_cred.o \
- t_inq_ctx.o t_inq_mechs_name.o t_iov.o t_namingexts.o t_oid.o \
- t_pcontok.o t_prf.o t_s4u.o t_s4u2proxy_krb5.o t_saslname.o \
+ t_inq_ctx.o t_inq_mechs_name.o t_iov.o t_lifetime.o t_namingexts.o \
+ t_oid.o t_pcontok.o t_prf.o t_s4u.o t_s4u2proxy_krb5.o t_saslname.o \
t_spnego.o t_srcattrs.o
COMMON_DEPS= common.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS)
@@ -31,9 +32,9 @@ COMMON_LIBS= common.o $(GSS_LIBS) $(KRB5_BASE_LIBS)
all: ccinit ccrefresh t_accname t_ccselect t_ciflags t_credstore t_enctypes \
t_err t_export_cred t_export_name t_gssexts t_imp_cred t_imp_name \
- t_invalid t_inq_cred t_inq_ctx t_inq_mechs_name t_iov t_namingexts \
- t_oid t_pcontok t_prf t_s4u t_s4u2proxy_krb5 t_saslname t_spnego \
- t_srcattrs
+ t_invalid t_inq_cred t_inq_ctx t_inq_mechs_name t_iov t_lifetime \
+ t_namingexts t_oid t_pcontok t_prf t_s4u t_s4u2proxy_krb5 t_saslname \
+ t_spnego t_srcattrs
check-unix: t_oid
$(RUN_TEST) ./t_invalid
@@ -42,8 +43,8 @@ check-unix: t_oid
check-pytests: ccinit ccrefresh t_accname t_ccselect t_ciflags t_credstore \
t_enctypes t_err t_export_cred t_export_name t_imp_cred t_inq_cred \
- t_inq_ctx t_inq_mechs_name t_iov t_pcontok t_s4u t_s4u2proxy_krb5 \
- t_spnego t_srcattrs
+ t_inq_ctx t_inq_mechs_name t_iov t_lifetime t_pcontok t_s4u \
+ t_s4u2proxy_krb5 t_spnego t_srcattrs
$(RUNPYTEST) $(srcdir)/t_gssapi.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_ccselect.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_client_keytab.py $(PYTESTFLAGS)
@@ -88,6 +89,8 @@ t_inq_mechs_name: t_inq_mechs_name.o $(COMMON_DEPS)
$(CC_LINK) -o $@ t_inq_mechs_name.o $(COMMON_LIBS)
t_iov: t_iov.o $(COMMON_DEPS)
$(CC_LINK) -o $@ t_iov.o $(COMMON_LIBS)
+t_lifetime: t_lifetime.o $(COMMON_DEPS)
+ $(CC_LINK) -o $@ t_lifetime.o $(COMMON_LIBS)
t_namingexts: t_namingexts.o $(COMMON_DEPS)
$(CC_LINK) -o $@ t_namingexts.o $(COMMON_LIBS)
t_pcontok: t_pcontok.o $(COMMON_DEPS)
@@ -111,5 +114,5 @@ clean:
$(RM) ccinit ccrefresh t_accname t_ccselect t_ciflags t_credstore
$(RM) t_enctypes t_err t_export_cred t_export_name t_gssexts t_imp_cred
$(RM) t_imp_name t_invalid t_inq_cred t_inq_ctx t_inq_mechs_name t_iov
- $(RM) t_namingexts t_oid t_pcontok t_prf t_s4u t_s4u2proxy_krb5
- $(RM) t_saslname t_spnego t_srcattrs
+ $(RM) t_lifetime t_namingexts t_oid t_pcontok t_prf t_s4u
+ $(RM) t_s4u2proxy_krb5 t_saslname t_spnego t_srcattrs
diff --git a/src/tests/gssapi/t_gssapi.py b/src/tests/gssapi/t_gssapi.py
index 397e58962..98c8df25c 100755
--- a/src/tests/gssapi/t_gssapi.py
+++ b/src/tests/gssapi/t_gssapi.py
@@ -185,4 +185,36 @@ realm.run(['./t_ciflags', 'p:' + realm.host_princ])
# contexts.
realm.run(['./t_inq_ctx', 'user', password('user'), 'p:%s' % realm.host_princ])
+# Test lifetime results, using a realm with a large maximum lifetime
+# so that we can test ticket end dates after y2038. There are no
+# time_t conversions involved, so we can run these tests on platforms
+# with 32-bit time_t.
+realm.stop()
+conf = {'realms': {'$realm': {'max_life': '9000d'}}}
+realm = K5Realm(kdc_conf=conf, get_creds=False)
+
+# Check a lifetime string result against an expected number value (or None).
+# Allow some variance due to time elapsed during the tests.
+def check_lifetime(msg, val, expected):
+ if expected is None and val != 'indefinite':
+ fail('%s: expected indefinite, got %s' % (msg, val))
+ if expected is not None and val == 'indefinite':
+ fail('%s: expected %d, got indefinite' % (msg, expected))
+ if expected is not None and abs(int(val) - expected) > 100:
+ fail('%s: expected %d, got %s' % (msg, expected, val))
+
+realm.kinit(realm.user_princ, password('user'), flags=['-l', '8500d'])
+out = realm.run(['./t_lifetime', 'p:' + realm.host_princ, str(8000 * 86400)])
+ln = out.split('\n')
+check_lifetime('icred gss_acquire_cred', ln[0], 8500 * 86400)
+check_lifetime('icred gss_inquire_cred', ln[1], 8500 * 86400)
+check_lifetime('acred gss_acquire_cred', ln[2], None)
+check_lifetime('acred gss_inquire_cred', ln[3], None)
+check_lifetime('ictx gss_init_sec_context', ln[4], 8000 * 86400)
+check_lifetime('ictx gss_inquire_context', ln[5], 8000 * 86400)
+check_lifetime('ictx gss_context_time', ln[6], 8000 * 86400)
+check_lifetime('actx gss_accept_sec_context', ln[7], 8000 * 86400 + 300)
+check_lifetime('actx gss_inquire_context', ln[8], 8000 * 86400 + 300)
+check_lifetime('actx gss_context_time', ln[9], 8000 * 86400 + 300)
+
success('GSSAPI tests')
diff --git a/src/tests/gssapi/t_lifetime.c b/src/tests/gssapi/t_lifetime.c
new file mode 100644
index 000000000..8dcf18621
--- /dev/null
+++ b/src/tests/gssapi/t_lifetime.c
@@ -0,0 +1,140 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* tests/gssapi/t_lifetime.c - display cred and context lifetimes */
+/*
+ * Copyright (C) 2017 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <assert.h>
+#include "common.h"
+
+/*
+ * Using the default credential, exercise the GSS functions which accept or
+ * produce lifetimes. Display the following results, one per line, as ASCII
+ * integers or the string "indefinite":
+ *
+ * initiator cred lifetime according to gss_acquire_cred()
+ * initiator cred lifetime according to gss_inquire_cred()
+ * acceptor cred lifetime according to gss_acquire_cred()
+ * acceptor cred lifetime according to gss_inquire_cred()
+ * initiator context lifetime according to gss_init_sec_context()
+ * initiator context lifetime according to gss_inquire_context()
+ * initiator context lifetime according to gss_context_time()
+ * acceptor context lifetime according to gss_init_sec_context()
+ * acceptor context lifetime according to gss_inquire_context()
+ * acceptor context lifetime according to gss_context_time()
+ */
+
+static void
+display_time(OM_uint32 tval)
+{
+ if (tval == GSS_C_INDEFINITE)
+ puts("indefinite");
+ else
+ printf("%u\n", (unsigned int)tval);
+}
+
+int
+main(int argc, char *argv[])
+{
+ OM_uint32 minor, major;
+ gss_cred_id_t icred, acred;
+ gss_name_t tname;
+ gss_ctx_id_t ictx = GSS_C_NO_CONTEXT, actx = GSS_C_NO_CONTEXT;
+ gss_buffer_desc itok = GSS_C_EMPTY_BUFFER, atok = GSS_C_EMPTY_BUFFER;
+ OM_uint32 time_req = GSS_C_INDEFINITE, time_rec;
+
+ if (argc < 2 || argc > 3) {
+ fprintf(stderr, "Usage: %s targetname [time_req]\n", argv[0]);
+ return 1;
+ }
+ tname = import_name(argv[1]);
+ if (argc >= 3)
+ time_req = atoll(argv[2]);
+
+ /* Get initiator cred and display its lifetime according to
+ * gss_acquire_cred and gss_inquire_cred. */
+ major = gss_acquire_cred(&minor, GSS_C_NO_NAME, time_req, &mechset_krb5,
+ GSS_C_INITIATE, &icred, NULL, &time_rec);
+ check_gsserr("gss_acquire_cred(initiate)", major, minor);
+ display_time(time_rec);
+ major = gss_inquire_cred(&minor, icred, NULL, &time_rec, NULL, NULL);
+ check_gsserr("gss_inquire_cred(initiate)", major, minor);
+ display_time(time_rec);
+
+ /* Get acceptor cred and display its lifetime according to gss_acquire_cred
+ * and gss_inquire_cred. */
+ major = gss_acquire_cred(&minor, GSS_C_NO_NAME, time_req, &mechset_krb5,
+ GSS_C_ACCEPT, &acred, NULL, &time_rec);
+ check_gsserr("gss_acquire_cred(accept)", major, minor);
+ display_time(time_rec);
+ major = gss_inquire_cred(&minor, acred, NULL, &time_rec, NULL, NULL);
+ check_gsserr("gss_inquire_cred(accept)", major, minor);
+ display_time(time_rec);
+
+ /* Make an initiator context and display its lifetime according to
+ * gss_init_sec_context, gss_inquire_context, and gss_context_time. */
+ major = gss_init_sec_context(&minor, icred, &ictx, tname, &mech_krb5, 0,
+ time_req, GSS_C_NO_CHANNEL_BINDINGS, &atok,
+ NULL, &itok, NULL, &time_rec);
+ check_gsserr("gss_init_sec_context", major, minor);
+ assert(major == GSS_S_COMPLETE);
+ display_time(time_rec);
+ major = gss_inquire_context(&minor, ictx, NULL, NULL, &time_rec, NULL,
+ NULL, NULL, NULL);
+ check_gsserr("gss_inquire_context(initiate)", major, minor);
+ display_time(time_rec);
+ major = gss_context_time(&minor, ictx, &time_rec);
+ check_gsserr("gss_context_time(initiate)", major, minor);
+ display_time(time_rec);
+
+ major = gss_accept_sec_context(&minor, &actx, acred, &itok,
+ GSS_C_NO_CHANNEL_BINDINGS, NULL,
+ NULL, &atok, NULL, &time_rec, NULL);
+ check_gsserr("gss_accept_sec_context", major, minor);
+ assert(major == GSS_S_COMPLETE);
+ display_time(time_rec);
+ major = gss_inquire_context(&minor, actx, NULL, NULL, &time_rec, NULL,
+ NULL, NULL, NULL);
+ check_gsserr("gss_inquire_context(accept)", major, minor);
+ display_time(time_rec);
+ major = gss_context_time(&minor, actx, &time_rec);
+ check_gsserr("gss_context_time(accept)", major, minor);
+ display_time(time_rec);
+
+ (void)gss_release_buffer(&minor, &itok);
+ (void)gss_release_buffer(&minor, &atok);
+ (void)gss_release_name(&minor, &tname);
+ (void)gss_release_cred(&minor, &icred);
+ (void)gss_release_cred(&minor, &acred);
+ (void)gss_delete_sec_context(&minor, &ictx, NULL);
+ (void)gss_delete_sec_context(&minor, &actx, NULL);
+ return 0;
+}
diff --git a/src/tests/t_kdb.py b/src/tests/t_kdb.py
index 44635b089..ffc043709 100755
--- a/src/tests/t_kdb.py
+++ b/src/tests/t_kdb.py
@@ -414,6 +414,13 @@ realm.run([kadminl, 'addprinc', '-policy', 'keepoldpasspol', '-pw', 'aaaa',
for p in ('bbbb', 'cccc', 'aaaa'):
realm.run([kadminl, 'cpw', '-keepold', '-pw', p, 'keepoldpassprinc'])
+if runenv.sizeof_time_t <= 4:
+ skipped('y2038 LDAP test', 'platform has 32-bit time_t')
+else:
+ # Test storage of timestamps after y2038.
+ realm.run([kadminl, 'modprinc', '-pwexpire', '2040-02-03', 'user'])
+ realm.run([kadminl, 'getprinc', 'user'], expected_msg=' 2040\n')
+
realm.stop()
# Briefly test dump and load.
diff --git a/src/tests/t_y2038.py b/src/tests/t_y2038.py
new file mode 100644
index 000000000..02e946df4
--- /dev/null
+++ b/src/tests/t_y2038.py
@@ -0,0 +1,75 @@
+#!/usr/bin/python
+from k5test import *
+
+# These tests will become much less important after the y2038 boundary
+# has elapsed, and may start exhibiting problems around the year 2075.
+
+if runenv.sizeof_time_t <= 4:
+ skip_rest('y2038 timestamp tests', 'platform has 32-bit time_t')
+
+# Start a KDC running roughly 21 years in the future, after the y2038
+# boundary. Set long maximum lifetimes for later tests.
+conf = {'realms': {'$realm': {'max_life': '9000d',
+ 'max_renewable_life': '9000d'}}}
+realm = K5Realm(start_kdc=False, kdc_conf=conf)
+realm.start_kdc(['-T', '662256000'])
+
+# kinit without preauth should succeed with clock skew correction, but
+# will result in an expired ticket, because we sent an absolute end
+# time and didn't get a chance to correct it..
+realm.kinit(realm.user_princ, password('user'))
+realm.run([kvno, realm.host_princ], expected_code=1,
+ expected_msg='Ticket expired')
+
+# kinit with preauth should succeed and result in a valid ticket, as
+# we get a chance to correct the end time based on the KDC time. Try
+# with encrypted timestamp and encrypted challenge.
+realm.run([kadminl, 'modprinc', '+requires_preauth', 'user'])
+realm.kinit(realm.user_princ, password('user'))
+realm.run([kvno, realm.host_princ])
+realm.kinit(realm.user_princ, password('user'), flags=['-T', realm.ccache])
+realm.run([kvno, realm.host_princ])
+
+# Test that expiration warning works after y2038, by setting a
+# password expiration time ten minutes after the KDC time.
+realm.run([kadminl, 'modprinc', '-pwexpire', '662256600 seconds', 'user'])
+out = realm.kinit(realm.user_princ, password('user'))
+if 'will expire in less than one hour' not in out:
+ fail('password expiration message')
+year = int(out.split()[-1])
+if year < 2038 or year > 9999:
+ fail('password expiration year')
+
+realm.stop_kdc()
+realm.start_kdc()
+realm.start_kadmind()
+realm.prep_kadmin()
+
+# Test getdate parsing of absolute timestamps after 2038 and
+# marshalling over the kadmin protocol. The local time zone will
+# affect the display time by a little bit, so just look for the year.
+realm.run_kadmin(['modprinc', '-pwexpire', '2040-02-03', realm.host_princ])
+realm.run_kadmin(['getprinc', realm.host_princ], expected_msg=' 2040\n')
+
+# Get a ticket whose lifetime crosses the y2038 boundary and
+# range-check the expiration year as reported by klist.
+realm.kinit(realm.user_princ, password('user'),
+ flags=['-l', '8000d', '-r', '8500d'])
+realm.run([kvno, realm.host_princ])
+out = realm.run([klist])
+if int(out.split('\n')[4].split()[2].split('/')[2]) < 39:
+ fail('unexpected tgt expiration year')
+if int(out.split('\n')[5].split()[2].split('/')[2]) < 40:
+ fail('unexpected tgt rtill year')
+if int(out.split('\n')[6].split()[2].split('/')[2]) < 39:
+ fail('unexpected service ticket expiration year')
+if int(out.split('\n')[7].split()[2].split('/')[2]) < 40:
+ fail('unexpected service ticket rtill year')
+realm.kinit(realm.user_princ, None, ['-R'])
+out = realm.run([klist])
+if int(out.split('\n')[4].split()[2].split('/')[2]) < 39:
+ fail('unexpected renewed tgt expiration year')
+if int(out.split('\n')[5].split()[2].split('/')[2]) < 40:
+ fail('unexpected renewed tgt rtill year')
+
+success('y2038 tests')

View File

@ -0,0 +1,59 @@
From ebedc35a70f184030c4aab32e782fa2a8610cf73 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Thu, 4 May 2017 17:03:35 -0400
Subject: [PATCH] Add y2038 documentation
ticket: 8352
(cherry picked from commit 85d64c43dbf7a7faa56a1999494cdfa49e8bd2c9)
---
doc/appdev/index.rst | 1 +
doc/appdev/y2038.rst | 28 ++++++++++++++++++++++++++++
2 files changed, 29 insertions(+)
create mode 100644 doc/appdev/y2038.rst
diff --git a/doc/appdev/index.rst b/doc/appdev/index.rst
index 3d62045ca..961bb1e9e 100644
--- a/doc/appdev/index.rst
+++ b/doc/appdev/index.rst
@@ -5,6 +5,7 @@ For application developers
:maxdepth: 1
gssapi.rst
+ y2038.rst
h5l_mit_apidiff.rst
init_creds.rst
princ_handle.rst
diff --git a/doc/appdev/y2038.rst b/doc/appdev/y2038.rst
new file mode 100644
index 000000000..bc4122dad
--- /dev/null
+++ b/doc/appdev/y2038.rst
@@ -0,0 +1,28 @@
+Year 2038 considerations for uses of krb5_timestamp
+===================================================
+
+POSIX time values, which measure the number of seconds since January 1
+1970, will exceed the maximum value representable in a signed 32-bit
+integer in January 2038. This documentation describes considerations
+for consumers of the MIT krb5 libraries.
+
+Applications or libraries which use libkrb5 and consume the timestamps
+included in credentials or other structures make use of the
+:c:type:`krb5_timestamp` type. For historical reasons, krb5_timestamp
+is a signed 32-bit integer, even on platforms where a larger type is
+natively used to represent time values. To behave properly for time
+values after January 2038, calling code should cast krb5_timestamp
+values to uint32_t, and then to time_t::
+
+ (time_t)(uint32_t)timestamp
+
+Used in this way, krb5_timestamp values can represent time values up
+until February 2106, provided that the platform uses a 64-bit or
+larger time_t type. This usage will also remain safe if a later
+version of MIT krb5 changes krb5_timestamp to an unsigned 32-bit
+integer.
+
+The GSSAPI only uses representations of time intervals, not absolute
+times. Callers of the GSSAPI should require no changes to behave
+correctly after January 2038, provided that they use MIT krb5 release
+1.16 or later.

View File

@ -0,0 +1,36 @@
From 2944d7c0fcc8d3a87d0bb6f544b4a04c358df732 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Sat, 22 Apr 2017 16:51:23 -0400
Subject: [PATCH] Allow clock skew in krb5 gss_context_time()
Commit b496ce4095133536e0ace36b74130e4b9ecb5e11 (ticket #8268) adds
the clock skew to krb5 acceptor context lifetimes for
gss_accept_sec_context() and gss_inquire_context(), but not for
gss_context_time(). Add the clock skew in gss_context_time() as well.
ticket: 8581 (new)
target_version: 1.14-next
target_version: 1.15-next
tags: pullup
(cherry picked from commit b0a072e6431261734e7350996a363801f180e8ea)
---
src/lib/gssapi/krb5/context_time.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/lib/gssapi/krb5/context_time.c b/src/lib/gssapi/krb5/context_time.c
index a18cfb05b..450593288 100644
--- a/src/lib/gssapi/krb5/context_time.c
+++ b/src/lib/gssapi/krb5/context_time.c
@@ -51,7 +51,10 @@ krb5_gss_context_time(minor_status, context_handle, time_rec)
return(GSS_S_FAILURE);
}
- if ((lifetime = ctx->krb_times.endtime - now) <= 0) {
+ lifetime = ctx->krb_times.endtime - now;
+ if (!ctx->initiate)
+ lifetime += ctx->k5_context->clockskew;
+ if (lifetime <= 0) {
*time_rec = 0;
*minor_status = 0;
return(GSS_S_CONTEXT_EXPIRED);

View File

@ -0,0 +1,130 @@
From 7ab7253c617364ffe8facd870e286c5876e6c30f Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Sat, 19 Aug 2017 19:09:24 -0400
Subject: [PATCH] Fix bugs in kdcpolicy commit
Commit d0969f6a8170344031ef58fd2a161190f1edfb96 added tests using
"klist ccachname -e", which does not work with a POSIX-conformant
getopt() implementation such as the one in Solaris. Fix
t_kdcpolicy.py to use "klist -e ccachename" instead.
The tests could fail if the clock second rolled over between kinit and
kvno. Divide service ticket maximum lifetimes by 2 in the test module
to correctly exercise TGS policy restrictions and ensure that service
tickets are not constrained by the TGT end time.
Also use the correct trace macro when a kdcpolicy module declines to
initialize (my mistake when revising the commit, noted by rharwood).
ticket: 8606
(cherry picked from commit 09acbd91efc6df54e1572285ffc94c6acb3a9113)
---
src/kdc/policy.c | 2 +-
src/plugins/kdcpolicy/test/main.c | 10 +++++-----
src/tests/t_kdcpolicy.py | 13 +++++++++----
3 files changed, 15 insertions(+), 10 deletions(-)
diff --git a/src/kdc/policy.c b/src/kdc/policy.c
index e49644e06..26c16f97c 100644
--- a/src/kdc/policy.c
+++ b/src/kdc/policy.c
@@ -222,7 +222,7 @@ load_kdcpolicy_plugins(krb5_context context)
if (h->vt.init != NULL) {
ret = h->vt.init(context, &h->moddata);
if (ret == KRB5_PLUGIN_NO_HANDLE) {
- TRACE_KADM5_AUTH_INIT_SKIP(context, h->vt.name);
+ TRACE_KDCPOLICY_INIT_SKIP(context, h->vt.name);
free(h);
continue;
}
diff --git a/src/plugins/kdcpolicy/test/main.c b/src/plugins/kdcpolicy/test/main.c
index eb8fde053..86c808958 100644
--- a/src/plugins/kdcpolicy/test/main.c
+++ b/src/plugins/kdcpolicy/test/main.c
@@ -35,7 +35,7 @@
#include <krb5/kdcpolicy_plugin.h>
static krb5_error_code
-output_from_indicator(const char *const *auth_indicators,
+output_from_indicator(const char *const *auth_indicators, int divisor,
krb5_deltat *lifetime_out,
krb5_deltat *renew_lifetime_out,
const char **status)
@@ -46,11 +46,11 @@ output_from_indicator(const char *const *auth_indicators,
}
if (strcmp(auth_indicators[0], "ONE_HOUR") == 0) {
- *lifetime_out = 3600;
+ *lifetime_out = 3600 / divisor;
*renew_lifetime_out = *lifetime_out * 2;
return 0;
} else if (strcmp(auth_indicators[0], "SEVEN_HOURS") == 0) {
- *lifetime_out = 7 * 3600;
+ *lifetime_out = 7 * 3600 / divisor;
*renew_lifetime_out = *lifetime_out * 2;
return 0;
}
@@ -71,7 +71,7 @@ test_check_as(krb5_context context, krb5_kdcpolicy_moddata moddata,
*status = "LOCAL_POLICY";
return KRB5KDC_ERR_POLICY;
}
- return output_from_indicator(auth_indicators, lifetime_out,
+ return output_from_indicator(auth_indicators, 1, lifetime_out,
renew_lifetime_out, status);
}
@@ -87,7 +87,7 @@ test_check_tgs(krb5_context context, krb5_kdcpolicy_moddata moddata,
*status = "LOCAL_POLICY";
return KRB5KDC_ERR_POLICY;
}
- return output_from_indicator(auth_indicators, lifetime_out,
+ return output_from_indicator(auth_indicators, 2, lifetime_out,
renew_lifetime_out, status);
}
diff --git a/src/tests/t_kdcpolicy.py b/src/tests/t_kdcpolicy.py
index 6a745b959..b5d308461 100644
--- a/src/tests/t_kdcpolicy.py
+++ b/src/tests/t_kdcpolicy.py
@@ -18,16 +18,21 @@ realm.run([kadminl, 'addprinc', '-pw', password('fail'), 'fail'])
def verify_time(out, target_time):
times = re.findall(r'\d\d/\d\d/\d\d \d\d:\d\d:\d\d', out)
times = [datetime.strptime(t, '%m/%d/%y %H:%M:%S') for t in times]
+ divisor = 1
while len(times) > 0:
starttime = times.pop(0)
endtime = times.pop(0)
renewtime = times.pop(0)
- if str(endtime - starttime) != target_time:
+ if str((endtime - starttime) * divisor) != target_time:
fail('unexpected lifetime value')
- if str(renewtime - endtime) != target_time:
+ if str((renewtime - endtime) * divisor) != target_time:
fail('unexpected renewable value')
+ # Service tickets should have half the lifetime of initial
+ # tickets.
+ divisor = 2
+
rflags = ['-r', '1d', '-l', '12h']
# Test AS+TGS success path.
@@ -35,7 +40,7 @@ realm.kinit(realm.user_princ, password('user'),
rflags + ['-X', 'indicators=SEVEN_HOURS'])
realm.run([kvno, realm.host_princ])
realm.run(['./adata', realm.host_princ], expected_msg='+97: [SEVEN_HOURS]')
-out = realm.run([klist, realm.ccache, '-e'])
+out = realm.run([klist, '-e', realm.ccache])
verify_time(out, '7:00:00')
# Test AS+TGS success path with different values.
@@ -43,7 +48,7 @@ realm.kinit(realm.user_princ, password('user'),
rflags + ['-X', 'indicators=ONE_HOUR'])
realm.run([kvno, realm.host_princ])
realm.run(['./adata', realm.host_princ], expected_msg='+97: [ONE_HOUR]')
-out = realm.run([klist, realm.ccache, '-e'])
+out = realm.run([klist, '-e', realm.ccache])
verify_time(out, '1:00:00')
# Test TGS failure path (using previous creds).

View File

@ -0,0 +1,58 @@
From b0351efa57654f06477ab7540e6c0624e3a64f4e Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Mon, 24 Apr 2017 02:02:36 -0400
Subject: [PATCH] Fix in_clock_skew() and use it in AS client code
Add a context parameter to the in_clock_skew() macro so that it isn't
implicitly relying on a local variable. Use it in
get_in_tkt.c:verify_as_reply().
(cherry picked from commit 28a07a6461bb443b7fa75cc5cb859ad0db4cbb5a)
---
src/lib/krb5/krb/gc_via_tkt.c | 2 +-
src/lib/krb5/krb/get_in_tkt.c | 4 ++--
src/lib/krb5/krb/int-proto.h | 3 ++-
3 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/src/lib/krb5/krb/gc_via_tkt.c b/src/lib/krb5/krb/gc_via_tkt.c
index 4c0a1a461..c85d8b8d8 100644
--- a/src/lib/krb5/krb/gc_via_tkt.c
+++ b/src/lib/krb5/krb/gc_via_tkt.c
@@ -305,7 +305,7 @@ krb5int_process_tgs_reply(krb5_context context,
goto cleanup;
if (!in_cred->times.starttime &&
- !in_clock_skew(dec_rep->enc_part2->times.starttime,
+ !in_clock_skew(context, dec_rep->enc_part2->times.starttime,
timestamp)) {
retval = KRB5_KDCREP_SKEW;
goto cleanup;
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index 54badbbc3..a058f5bd7 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -287,8 +287,8 @@ verify_as_reply(krb5_context context,
return retval;
} else {
if ((request->from == 0) &&
- (labs(as_reply->enc_part2->times.starttime - time_now)
- > context->clockskew))
+ !in_clock_skew(context, as_reply->enc_part2->times.starttime,
+ time_now))
return (KRB5_KDCREP_SKEW);
}
return 0;
diff --git a/src/lib/krb5/krb/int-proto.h b/src/lib/krb5/krb/int-proto.h
index 6da74858e..44eca359f 100644
--- a/src/lib/krb5/krb/int-proto.h
+++ b/src/lib/krb5/krb/int-proto.h
@@ -83,7 +83,8 @@ krb5int_construct_matching_creds(krb5_context context, krb5_flags options,
krb5_creds *in_creds, krb5_creds *mcreds,
krb5_flags *fields);
-#define in_clock_skew(date, now) (labs((date)-(now)) < context->clockskew)
+#define in_clock_skew(context, date, now) \
+ (labs((date) - (now)) < (context)->clockskew)
#define IS_TGS_PRINC(p) ((p)->length == 2 && \
data_eq_string((p)->data[0], KRB5_TGS_NAME))

View File

@ -0,0 +1,83 @@
From c9fca85329f4b25509f83837239bf882841caccc Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Wed, 17 May 2017 14:52:09 -0400
Subject: [PATCH] Fix more time manipulations for y2038
Use timestamp helper functions to ensure that more operations are safe
after y2038, and display the current timestamp as unsigned in
krb5int_trace().
ticket: 8352
(cherry picked from commit a60db180211a383bd382afe729e9309acb8dcf53)
---
src/kadmin/server/misc.c | 2 +-
src/kdc/dispatch.c | 2 +-
src/lib/krb5/os/c_ustime.c | 8 ++++----
src/lib/krb5/os/trace.c | 2 +-
4 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/src/kadmin/server/misc.c b/src/kadmin/server/misc.c
index 27a6376af..a75b65a26 100644
--- a/src/kadmin/server/misc.c
+++ b/src/kadmin/server/misc.c
@@ -184,7 +184,7 @@ check_min_life(void *server_handle, krb5_principal principal,
(void) kadm5_free_principal_ent(handle->lhandle, &princ);
return (ret == KADM5_UNK_POLICY) ? 0 : ret;
}
- if((now - princ.last_pwd_change) < pol.pw_min_life &&
+ if(ts_delta(now, princ.last_pwd_change) < pol.pw_min_life &&
!(princ.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
if (msg_ret != NULL) {
time_t until;
diff --git a/src/kdc/dispatch.c b/src/kdc/dispatch.c
index 3a169ebc7..16a35d2be 100644
--- a/src/kdc/dispatch.c
+++ b/src/kdc/dispatch.c
@@ -104,7 +104,7 @@ reseed_random(krb5_context kdc_err_context)
if (last_os_random == 0)
last_os_random = now;
/* Grab random data from OS every hour*/
- if (now-last_os_random >= 60 * 60) {
+ if (ts_delta(now, last_os_random) >= 60 * 60) {
krb5_c_random_os_entropy(kdc_err_context, 0, NULL);
last_os_random = now;
}
diff --git a/src/lib/krb5/os/c_ustime.c b/src/lib/krb5/os/c_ustime.c
index 871d72183..68fb381f4 100644
--- a/src/lib/krb5/os/c_ustime.c
+++ b/src/lib/krb5/os/c_ustime.c
@@ -102,17 +102,17 @@ krb5_crypto_us_timeofday(krb5_int32 *seconds, krb5_int32 *microseconds)
putting now.sec in the past. But don't just use '<' because we
need to properly handle the case where the administrator intentionally
adjusted time backwards. */
- if ((now.sec == last_time.sec-1) ||
- ((now.sec == last_time.sec) && (now.usec <= last_time.usec))) {
+ if (now.sec == ts_incr(last_time.sec, -1) ||
+ (now.sec == last_time.sec && !ts_after(last_time.usec, now.usec))) {
/* Correct 'now' to be exactly one microsecond later than 'last_time'.
Note that _because_ we perform this hack, 'now' may be _earlier_
than 'last_time', even though the system time is monotonically
increasing. */
now.sec = last_time.sec;
- now.usec = ++last_time.usec;
+ now.usec = ts_incr(last_time.usec, 1);
if (now.usec >= 1000000) {
- ++now.sec;
+ now.sec = ts_incr(now.sec, 1);
now.usec = 0;
}
}
diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c
index a19246128..74c315c90 100644
--- a/src/lib/krb5/os/trace.c
+++ b/src/lib/krb5/os/trace.c
@@ -350,7 +350,7 @@ krb5int_trace(krb5_context context, const char *fmt, ...)
goto cleanup;
if (krb5_crypto_us_timeofday(&sec, &usec) != 0)
goto cleanup;
- if (asprintf(&msg, "[%d] %d.%d: %s\n", (int) getpid(), (int) sec,
+ if (asprintf(&msg, "[%d] %u.%d: %s\n", (int) getpid(), (unsigned int) sec,
(int) usec, str) < 0)
goto cleanup;
info.message = msg;

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,327 @@
From f0f0a503f58ed4f6ccf924751b356a70f515dd4b Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Wed, 17 May 2017 15:14:15 -0400
Subject: [PATCH] Use krb5_timestamp where appropriate
Where krb5_int32 is used to hold the number of seconds since the
epoch, use krb5_timestamp instead.
(cherry picked from commit ae25f6ec5558140a546db34fea389412d81c0631)
---
src/clients/klist/klist.c | 2 +-
src/include/k5-int.h | 2 +-
src/kadmin/server/misc.c | 2 +-
src/kdc/dispatch.c | 4 ++--
src/lib/kadm5/srv/server_acl.c | 2 +-
src/lib/kadm5/srv/server_kdb.c | 2 +-
src/lib/kadm5/srv/svr_principal.c | 10 +++++-----
src/lib/krb5/krb/gen_save_subkey.c | 3 ++-
src/lib/krb5/krb/get_in_tkt.c | 2 +-
src/lib/krb5/krb/init_ctx.c | 3 ++-
src/lib/krb5/os/c_ustime.c | 7 +++++--
src/lib/krb5/os/toffset.c | 3 ++-
src/lib/krb5/os/trace.c | 3 ++-
src/lib/krb5/os/ustime.c | 3 ++-
src/lib/krb5/rcache/rc_dfl.c | 10 +++++-----
src/tests/create/kdb5_mkdums.c | 2 +-
16 files changed, 34 insertions(+), 26 deletions(-)
diff --git a/src/clients/klist/klist.c b/src/clients/klist/klist.c
index ffeecc394..4334415be 100644
--- a/src/clients/klist/klist.c
+++ b/src/clients/klist/klist.c
@@ -56,7 +56,7 @@ int show_adtype = 0, show_all = 0, list_all = 0, use_client_keytab = 0;
int show_config = 0;
char *defname;
char *progname;
-krb5_int32 now;
+krb5_timestamp now;
unsigned int timestamp_width;
krb5_context kcontext;
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 82ee20760..ed9c7bf75 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -721,7 +721,7 @@ krb5_error_code krb5int_c_copy_keyblock_contents(krb5_context context,
const krb5_keyblock *from,
krb5_keyblock *to);
-krb5_error_code krb5_crypto_us_timeofday(krb5_int32 *, krb5_int32 *);
+krb5_error_code krb5_crypto_us_timeofday(krb5_timestamp *, krb5_int32 *);
/*
* End "los-proto.h"
diff --git a/src/kadmin/server/misc.c b/src/kadmin/server/misc.c
index a75b65a26..ba672d714 100644
--- a/src/kadmin/server/misc.c
+++ b/src/kadmin/server/misc.c
@@ -159,7 +159,7 @@ kadm5_ret_t
check_min_life(void *server_handle, krb5_principal principal,
char *msg_ret, unsigned int msg_len)
{
- krb5_int32 now;
+ krb5_timestamp now;
kadm5_ret_t ret;
kadm5_policy_ent_rec pol;
kadm5_principal_ent_rec princ;
diff --git a/src/kdc/dispatch.c b/src/kdc/dispatch.c
index 16a35d2be..4ecc23481 100644
--- a/src/kdc/dispatch.c
+++ b/src/kdc/dispatch.c
@@ -94,8 +94,8 @@ static void
reseed_random(krb5_context kdc_err_context)
{
krb5_error_code retval;
- krb5_int32 now, now_usec;
- krb5_int32 usec_difference;
+ krb5_timestamp now;
+ krb5_int32 now_usec, usec_difference;
krb5_data data;
retval = krb5_crypto_us_timeofday(&now, &now_usec);
diff --git a/src/lib/kadm5/srv/server_acl.c b/src/lib/kadm5/srv/server_acl.c
index 656dddff5..c2cf69169 100644
--- a/src/lib/kadm5/srv/server_acl.c
+++ b/src/lib/kadm5/srv/server_acl.c
@@ -375,7 +375,7 @@ kadm5int_acl_impose_restrictions(kcontext, recp, maskp, rp)
restriction_t *rp;
{
krb5_error_code code;
- krb5_int32 now;
+ krb5_timestamp now;
DPRINT(DEBUG_CALLS, acl_debug_level,
("* kadm5int_acl_impose_restrictions(..., *maskp=0x%08x, rp=0x%08x)\n",
diff --git a/src/lib/kadm5/srv/server_kdb.c b/src/lib/kadm5/srv/server_kdb.c
index 612553ba3..f4b8aef2b 100644
--- a/src/lib/kadm5/srv/server_kdb.c
+++ b/src/lib/kadm5/srv/server_kdb.c
@@ -365,7 +365,7 @@ kdb_put_entry(kadm5_server_handle_t handle,
krb5_db_entry *kdb, osa_princ_ent_rec *adb)
{
krb5_error_code ret;
- krb5_int32 now;
+ krb5_timestamp now;
XDR xdrs;
krb5_tl_data tl_data;
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
index f4a9a2ad2..0d4f0a632 100644
--- a/src/lib/kadm5/srv/svr_principal.c
+++ b/src/lib/kadm5/srv/svr_principal.c
@@ -296,7 +296,7 @@ kadm5_create_principal_3(void *server_handle,
osa_princ_ent_rec adb;
kadm5_policy_ent_rec polent;
krb5_boolean have_polent = FALSE;
- krb5_int32 now;
+ krb5_timestamp now;
krb5_tl_data *tl_data_tail;
unsigned int ret;
kadm5_server_handle_t handle = server_handle;
@@ -1322,7 +1322,7 @@ kadm5_chpass_principal_3(void *server_handle,
int n_ks_tuple, krb5_key_salt_tuple *ks_tuple,
char *password)
{
- krb5_int32 now;
+ krb5_timestamp now;
kadm5_policy_ent_rec pol;
osa_princ_ent_rec adb;
krb5_db_entry *kdb;
@@ -1544,7 +1544,7 @@ kadm5_randkey_principal_3(void *server_handle,
{
krb5_db_entry *kdb;
osa_princ_ent_rec adb;
- krb5_int32 now;
+ krb5_timestamp now;
kadm5_policy_ent_rec pol;
int ret, last_pwd, n_new_keys;
krb5_boolean have_pol = FALSE;
@@ -1686,7 +1686,7 @@ kadm5_setv4key_principal(void *server_handle,
{
krb5_db_entry *kdb;
osa_princ_ent_rec adb;
- krb5_int32 now;
+ krb5_timestamp now;
kadm5_policy_ent_rec pol;
krb5_keysalt keysalt;
int i, kvno, ret;
@@ -1888,7 +1888,7 @@ kadm5_setkey_principal_4(void *server_handle, krb5_principal principal,
{
krb5_db_entry *kdb;
osa_princ_ent_rec adb;
- krb5_int32 now;
+ krb5_timestamp now;
kadm5_policy_ent_rec pol;
krb5_key_data *new_key_data = NULL;
int i, j, ret, n_new_key_data = 0;
diff --git a/src/lib/krb5/krb/gen_save_subkey.c b/src/lib/krb5/krb/gen_save_subkey.c
index 61f36aa36..bc2c46d30 100644
--- a/src/lib/krb5/krb/gen_save_subkey.c
+++ b/src/lib/krb5/krb/gen_save_subkey.c
@@ -38,7 +38,8 @@ k5_generate_and_save_subkey(krb5_context context,
to guarantee randomness, but to make it less likely that multiple
sessions could pick the same subkey. */
struct {
- krb5_int32 sec, usec;
+ krb5_timestamp sec;
+ krb5_int32 usec;
} rnd_data;
krb5_data d;
krb5_error_code retval;
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index 40aba1905..7178bd87b 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -1788,7 +1788,7 @@ k5_populate_gic_opt(krb5_context context, krb5_get_init_creds_opt **out,
krb5_creds *creds)
{
int i;
- krb5_int32 starttime;
+ krb5_timestamp starttime;
krb5_deltat lifetime;
krb5_get_init_creds_opt *opt;
krb5_error_code retval;
diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c
index cf226fdba..4246c5dd2 100644
--- a/src/lib/krb5/krb/init_ctx.c
+++ b/src/lib/krb5/krb/init_ctx.c
@@ -139,7 +139,8 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags,
krb5_context ctx = 0;
krb5_error_code retval;
struct {
- krb5_int32 now, now_usec;
+ krb5_timestamp now;
+ krb5_int32 now_usec;
long pid;
} seed_data;
krb5_data seed;
diff --git a/src/lib/krb5/os/c_ustime.c b/src/lib/krb5/os/c_ustime.c
index 68fb381f4..f69f2ea4c 100644
--- a/src/lib/krb5/os/c_ustime.c
+++ b/src/lib/krb5/os/c_ustime.c
@@ -29,7 +29,10 @@
k5_mutex_t krb5int_us_time_mutex = K5_MUTEX_PARTIAL_INITIALIZER;
-struct time_now { krb5_int32 sec, usec; };
+struct time_now {
+ krb5_timestamp sec;
+ krb5_int32 usec;
+};
#if defined(_WIN32)
@@ -73,7 +76,7 @@ get_time_now(struct time_now *n)
static struct time_now last_time;
krb5_error_code
-krb5_crypto_us_timeofday(krb5_int32 *seconds, krb5_int32 *microseconds)
+krb5_crypto_us_timeofday(krb5_timestamp *seconds, krb5_int32 *microseconds)
{
struct time_now now;
krb5_error_code err;
diff --git a/src/lib/krb5/os/toffset.c b/src/lib/krb5/os/toffset.c
index 37bc69f49..4bbcdde52 100644
--- a/src/lib/krb5/os/toffset.c
+++ b/src/lib/krb5/os/toffset.c
@@ -40,7 +40,8 @@ krb5_error_code KRB5_CALLCONV
krb5_set_real_time(krb5_context context, krb5_timestamp seconds, krb5_int32 microseconds)
{
krb5_os_context os_ctx = &context->os_context;
- krb5_int32 sec, usec;
+ krb5_timestamp sec;
+ krb5_int32 usec;
krb5_error_code retval;
retval = krb5_crypto_us_timeofday(&sec, &usec);
diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c
index 74c315c90..8750b7650 100644
--- a/src/lib/krb5/os/trace.c
+++ b/src/lib/krb5/os/trace.c
@@ -340,7 +340,8 @@ krb5int_trace(krb5_context context, const char *fmt, ...)
va_list ap;
krb5_trace_info info;
char *str = NULL, *msg = NULL;
- krb5_int32 sec, usec;
+ krb5_timestamp sec;
+ krb5_int32 usec;
if (context == NULL || context->trace_callback == NULL)
return;
diff --git a/src/lib/krb5/os/ustime.c b/src/lib/krb5/os/ustime.c
index 1c1b571eb..a80fdf68c 100644
--- a/src/lib/krb5/os/ustime.c
+++ b/src/lib/krb5/os/ustime.c
@@ -40,7 +40,8 @@ krb5_error_code
k5_time_with_offset(krb5_timestamp offset, krb5_int32 offset_usec,
krb5_timestamp *time_out, krb5_int32 *usec_out)
{
- krb5_int32 sec, usec;
+ krb5_timestamp sec;
+ krb5_int32 usec;
krb5_error_code retval;
retval = krb5_crypto_us_timeofday(&sec, &usec);
diff --git a/src/lib/krb5/rcache/rc_dfl.c b/src/lib/krb5/rcache/rc_dfl.c
index 6b043844d..41ebf94da 100644
--- a/src/lib/krb5/rcache/rc_dfl.c
+++ b/src/lib/krb5/rcache/rc_dfl.c
@@ -93,7 +93,7 @@ cmp(krb5_donot_replay *old, krb5_donot_replay *new1, krb5_deltat t)
}
static int
-alive(krb5_int32 mytime, krb5_donot_replay *new1, krb5_deltat t)
+alive(krb5_timestamp mytime, krb5_donot_replay *new1, krb5_deltat t)
{
if (mytime == 0)
return CMP_HOHUM; /* who cares? */
@@ -129,7 +129,7 @@ struct authlist
static int
rc_store(krb5_context context, krb5_rcache id, krb5_donot_replay *rep,
- krb5_int32 now, krb5_boolean fromfile)
+ krb5_timestamp now, krb5_boolean fromfile)
{
struct dfl_data *t = (struct dfl_data *)id->data;
unsigned int rephash;
@@ -536,7 +536,7 @@ krb5_rc_dfl_recover_locked(krb5_context context, krb5_rcache id)
krb5_error_code retval;
long max_size;
int expired_entries = 0;
- krb5_int32 now;
+ krb5_timestamp now;
if ((retval = krb5_rc_io_open(context, &t->d, t->name))) {
return retval;
@@ -706,7 +706,7 @@ krb5_rc_dfl_store(krb5_context context, krb5_rcache id, krb5_donot_replay *rep)
{
krb5_error_code ret;
struct dfl_data *t;
- krb5_int32 now;
+ krb5_timestamp now;
ret = krb5_timeofday(context, &now);
if (ret)
@@ -762,7 +762,7 @@ krb5_rc_dfl_expunge_locked(krb5_context context, krb5_rcache id)
struct authlist **qt;
struct authlist *r;
struct authlist *rt;
- krb5_int32 now;
+ krb5_timestamp now;
if (krb5_timestamp(context, &now))
now = 0;
diff --git a/src/tests/create/kdb5_mkdums.c b/src/tests/create/kdb5_mkdums.c
index 622f549f9..7c0666601 100644
--- a/src/tests/create/kdb5_mkdums.c
+++ b/src/tests/create/kdb5_mkdums.c
@@ -247,7 +247,7 @@ add_princ(context, str_newprinc)
{
/* Add mod princ to db entry */
- krb5_int32 now;
+ krb5_timestamp now;
retval = krb5_timeofday(context, &now);
if (retval) {

View File

@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
Name: krb5 Name: krb5
Version: 1.15.1 Version: 1.15.1
# for prerelease, should be e.g., 0.3.beta2%{?dist} # for prerelease, should be e.g., 0.3.beta2%{?dist}
Release: 23%{?dist} Release: 24%{?dist}
# - Maybe we should explode from the now-available-to-everybody tarball instead? # - Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar # http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
# - The sources below are stored in a lookaside cache. Upload with # - The sources below are stored in a lookaside cache. Upload with
@ -81,7 +81,16 @@ Patch52: Fix-leaks-in-gss_inquire_cred_by_oid.patch
Patch53: Add-support-to-query-the-SSF-of-a-GSS-context.patch Patch53: Add-support-to-query-the-SSF-of-a-GSS-context.patch
Patch54: Prevent-KDC-unset-status-assertion-failures.patch Patch54: Prevent-KDC-unset-status-assertion-failures.patch
Patch55: Remove-incomplete-PKINIT-OCSP-support.patch Patch55: Remove-incomplete-PKINIT-OCSP-support.patch
Patch56: Add-KDC-policy-pluggable-interface.patch Patch56: Allow-clock-skew-in-krb5-gss_context_time.patch
Patch57: Fix-in_clock_skew-and-use-it-in-AS-client-code.patch
Patch58: Add-timestamp-helper-functions.patch
Patch59: Make-timestamp-manipulations-y2038-safe.patch
Patch60: Add-timestamp-tests.patch
Patch61: Add-y2038-documentation.patch
Patch62: Fix-more-time-manipulations-for-y2038.patch
Patch63: Use-krb5_timestamp-where-appropriate.patch
Patch64: Add-KDC-policy-pluggable-interface.patch
Patch65: Fix-bugs-in-kdcpolicy-commit.patch
License: MIT License: MIT
URL: http://web.mit.edu/kerberos/www/ URL: http://web.mit.edu/kerberos/www/
@ -733,6 +742,9 @@ exit 0
%{_libdir}/libkadm5srv_mit.so.* %{_libdir}/libkadm5srv_mit.so.*
%changelog %changelog
* Mon Aug 21 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-24
- Backport kdc policy plugin, but this time with dependencies
* Mon Aug 21 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-23 * Mon Aug 21 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-23
- Backport kdcpolicy interface - Backport kdcpolicy interface