Backport kdc policy plugin, but this time with dependencies
This commit is contained in:
parent
48ad53c66e
commit
95b80fb0b9
@ -1,4 +1,4 @@
|
||||
From 387ac75a30b679d6f0b0408b6c8e46ec2df30088 Mon Sep 17 00:00:00 2001
|
||||
From 648fa08747a5f2025f47e5b0bc2589f55a65218a Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 27 Jun 2017 17:15:39 -0400
|
||||
Subject: [PATCH] Add KDC policy pluggable interface
|
||||
@ -18,8 +18,7 @@ Also authored by Matt Rogers <mrogers@redhat.com>.
|
||||
|
||||
ticket: 8606 (new)
|
||||
(cherry picked from commit d0969f6a8170344031ef58fd2a161190f1edfb96)
|
||||
[rharwood@redhat.com: plugin numbering for not having kadmin auth, and
|
||||
conflict in tests]
|
||||
[rharwood@redhat.com: mention but do not use kadm_auth]
|
||||
---
|
||||
doc/plugindev/index.rst | 1 +
|
||||
doc/plugindev/kdcpolicy.rst | 24 +++
|
||||
@ -95,7 +94,7 @@ index 000000000..74f21f08f
|
||||
+explicitly not as stable as other public interfaces, modules which do
|
||||
+this may not retain compatibility across releases.
|
||||
diff --git a/src/Makefile.in b/src/Makefile.in
|
||||
index b0249778c..84856debb 100644
|
||||
index ad8565056..e47bddcb1 100644
|
||||
--- a/src/Makefile.in
|
||||
+++ b/src/Makefile.in
|
||||
@@ -21,6 +21,7 @@ SUBDIRS=util include lib \
|
||||
@ -107,10 +106,10 @@ index b0249778c..84856debb 100644
|
||||
plugins/preauth/pkinit \
|
||||
plugins/preauth/test \
|
||||
diff --git a/src/configure.in b/src/configure.in
|
||||
index 24f653f0d..a3881e93f 100644
|
||||
index 4ae2c07d5..ee1983043 100644
|
||||
--- a/src/configure.in
|
||||
+++ b/src/configure.in
|
||||
@@ -1467,6 +1467,7 @@ dnl ccapi ccapi/lib ccapi/lib/unix ccapi/server ccapi/server/unix ccapi/test
|
||||
@@ -1470,6 +1470,7 @@ dnl ccapi ccapi/lib ccapi/lib/unix ccapi/server ccapi/server/unix ccapi/test
|
||||
plugins/kdb/db2/libdb2/recno
|
||||
plugins/kdb/db2/libdb2/test
|
||||
plugins/kdb/test
|
||||
@ -131,7 +130,7 @@ index 0239338a1..6a3fa8242 100644
|
||||
$(INSTALL_DATA) $(srcdir)/krb5/localauth_plugin.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)localauth_plugin.h
|
||||
$(INSTALL_DATA) $(srcdir)/krb5/locate_plugin.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)locate_plugin.h
|
||||
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
|
||||
index 06ca2b66d..a157ff03f 100644
|
||||
index ed9c7bf75..39ffb9568 100644
|
||||
--- a/src/include/k5-int.h
|
||||
+++ b/src/include/k5-int.h
|
||||
@@ -1157,7 +1157,9 @@ struct plugin_interface {
|
||||
@ -294,7 +293,7 @@ index 000000000..c7592c5db
|
||||
+
|
||||
+#endif /* KRB5_POLICY_PLUGIN_H */
|
||||
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
|
||||
index a4bf91b1b..7636bfb52 100644
|
||||
index f85da6da6..f5cf8ad89 100644
|
||||
--- a/src/kdc/do_as_req.c
|
||||
+++ b/src/kdc/do_as_req.c
|
||||
@@ -207,6 +207,13 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
|
||||
@ -312,7 +311,7 @@ index a4bf91b1b..7636bfb52 100644
|
||||
* Find the server key
|
||||
*/
|
||||
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
|
||||
index 339259fd1..b2d5952bf 100644
|
||||
index ac5864603..0009a9319 100644
|
||||
--- a/src/kdc/do_tgs_req.c
|
||||
+++ b/src/kdc/do_tgs_req.c
|
||||
@@ -518,6 +518,12 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
|
||||
@ -329,7 +328,7 @@ index 339259fd1..b2d5952bf 100644
|
||||
* Set authtime to be the same as header or evidence ticket's
|
||||
*/
|
||||
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
|
||||
index 30c501c67..f7212d7a3 100644
|
||||
index b710aefe4..5455e2a67 100644
|
||||
--- a/src/kdc/kdc_util.c
|
||||
+++ b/src/kdc/kdc_util.c
|
||||
@@ -642,7 +642,6 @@ validate_as_request(kdc_realm_t *kdc_active_realm,
|
||||
@ -354,7 +353,7 @@ index 30c501c67..f7212d7a3 100644
|
||||
}
|
||||
|
||||
diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h
|
||||
index bcf05fc27..b499a04e1 100644
|
||||
index 672f94380..dcedfd538 100644
|
||||
--- a/src/kdc/kdc_util.h
|
||||
+++ b/src/kdc/kdc_util.h
|
||||
@@ -166,17 +166,6 @@ kdc_err(krb5_context call_context, errcode_t code, const char *fmt, ...)
|
||||
@ -735,10 +734,10 @@ index 6b000dc90..2a57b0a01 100644
|
||||
|
||||
#endif /* __KRB5_KDC_POLICY__ */
|
||||
diff --git a/src/kdc/tgs_policy.c b/src/kdc/tgs_policy.c
|
||||
index a30cacc66..ea285376f 100644
|
||||
index d0f25d1b7..33cfbcd81 100644
|
||||
--- a/src/kdc/tgs_policy.c
|
||||
+++ b/src/kdc/tgs_policy.c
|
||||
@@ -374,11 +374,5 @@ validate_tgs_request(kdc_realm_t *kdc_active_realm,
|
||||
@@ -375,11 +375,5 @@ validate_tgs_request(kdc_realm_t *kdc_active_realm,
|
||||
if (ret && ret != KRB5_PLUGIN_OP_NOTSUPP)
|
||||
return errcode_to_protocol(ret);
|
||||
|
||||
@ -919,13 +918,13 @@ index 000000000..9682ec74f
|
||||
@@ -0,0 +1 @@
|
||||
+kdcpolicy_test_initvt
|
||||
diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
|
||||
index 0e93d6b59..60e39dd14 100644
|
||||
index 2b3112537..a2093108b 100644
|
||||
--- a/src/tests/Makefile.in
|
||||
+++ b/src/tests/Makefile.in
|
||||
@@ -168,6 +168,7 @@ check-pytests: localauth plugorder rdreq responder s2p s4u2proxy unlockiter
|
||||
$(RUNPYTEST) $(srcdir)/t_princflags.py $(PYTESTFLAGS)
|
||||
@@ -169,6 +169,7 @@ check-pytests: localauth plugorder rdreq responder s2p s4u2proxy unlockiter
|
||||
$(RUNPYTEST) $(srcdir)/t_tabdump.py $(PYTESTFLAGS)
|
||||
$(RUNPYTEST) $(srcdir)/t_certauth.py $(PYTESTFLAGS)
|
||||
$(RUNPYTEST) $(srcdir)/t_y2038.py $(PYTESTFLAGS)
|
||||
+ $(RUNPYTEST) $(srcdir)/t_kdcpolicy.py $(PYTESTFLAGS)
|
||||
|
||||
clean:
|
||||
|
80
Add-timestamp-helper-functions.patch
Normal file
80
Add-timestamp-helper-functions.patch
Normal file
@ -0,0 +1,80 @@
|
||||
From 38b7fbd7ee64a205c4dcfc345c30132e73f5b249 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Sat, 22 Apr 2017 09:49:12 -0400
|
||||
Subject: [PATCH] Add timestamp helper functions
|
||||
|
||||
Add k5-int.h helper functions to manipulate krb5_timestamp values,
|
||||
avoiding undefined behavior and treating negative timestamp values as
|
||||
times between 2038 and 2106. Add a doxygen comment for krb5_timestamp
|
||||
indicating how third-party code should use it safely.
|
||||
|
||||
ticket: 8352
|
||||
(cherry picked from commit 58e9155060cd93b1a7557e37fbc9b077b76465c2)
|
||||
---
|
||||
src/include/k5-int.h | 31 +++++++++++++++++++++++++++++++
|
||||
src/include/krb5/krb5.hin | 9 +++++++++
|
||||
2 files changed, 40 insertions(+)
|
||||
|
||||
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
|
||||
index 06ca2b66d..82ee20760 100644
|
||||
--- a/src/include/k5-int.h
|
||||
+++ b/src/include/k5-int.h
|
||||
@@ -2353,6 +2353,37 @@ k5memdup0(const void *in, size_t len, krb5_error_code *code)
|
||||
return ptr;
|
||||
}
|
||||
|
||||
+/* Convert a krb5_timestamp to a time_t value, treating the negative range of
|
||||
+ * krb5_timestamp as times between 2038 and 2106 (if time_t is 64-bit). */
|
||||
+static inline time_t
|
||||
+ts2tt(krb5_timestamp timestamp)
|
||||
+{
|
||||
+ return (time_t)(uint32_t)timestamp;
|
||||
+}
|
||||
+
|
||||
+/* Return the delta between two timestamps (a - b) as a signed 32-bit value,
|
||||
+ * without relying on undefined behavior. */
|
||||
+static inline krb5_deltat
|
||||
+ts_delta(krb5_timestamp a, krb5_timestamp b)
|
||||
+{
|
||||
+ return (krb5_deltat)((uint32_t)a - (uint32_t)b);
|
||||
+}
|
||||
+
|
||||
+/* Increment a timestamp by a signed 32-bit interval, without relying on
|
||||
+ * undefined behavior. */
|
||||
+static inline krb5_timestamp
|
||||
+ts_incr(krb5_timestamp ts, krb5_deltat delta)
|
||||
+{
|
||||
+ return (krb5_timestamp)((uint32_t)ts + (uint32_t)delta);
|
||||
+}
|
||||
+
|
||||
+/* Return true if a comes after b. */
|
||||
+static inline krb5_boolean
|
||||
+ts_after(krb5_timestamp a, krb5_timestamp b)
|
||||
+{
|
||||
+ return (uint32_t)a > (uint32_t)b;
|
||||
+}
|
||||
+
|
||||
krb5_error_code KRB5_CALLCONV
|
||||
krb5_get_credentials_for_user(krb5_context context, krb5_flags options,
|
||||
krb5_ccache ccache,
|
||||
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
|
||||
index cf60d6c41..53ad85384 100644
|
||||
--- a/src/include/krb5/krb5.hin
|
||||
+++ b/src/include/krb5/krb5.hin
|
||||
@@ -187,7 +187,16 @@ typedef krb5_int32 krb5_cryptotype;
|
||||
|
||||
typedef krb5_int32 krb5_preauthtype; /* This may change, later on */
|
||||
typedef krb5_int32 krb5_flags;
|
||||
+
|
||||
+/**
|
||||
+ * Represents a timestamp in seconds since the POSIX epoch. This legacy type
|
||||
+ * is used frequently in the ABI, but cannot represent timestamps after 2038 as
|
||||
+ * a positive number. Code which uses this type should cast values of it to
|
||||
+ * uint32_t so that negative values are treated as timestamps between 2038 and
|
||||
+ * 2106 on platforms with 64-bit time_t.
|
||||
+ */
|
||||
typedef krb5_int32 krb5_timestamp;
|
||||
+
|
||||
typedef krb5_int32 krb5_deltat;
|
||||
|
||||
/**
|
599
Add-timestamp-tests.patch
Normal file
599
Add-timestamp-tests.patch
Normal file
@ -0,0 +1,599 @@
|
||||
From 1b351445b4b938f54025728ba786f05ee82c47d1 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Sat, 29 Apr 2017 17:30:36 -0400
|
||||
Subject: [PATCH] Add timestamp tests
|
||||
|
||||
Add a test program for krb5int_validate_times() covering cases before
|
||||
and across the y2038 boundary. Add a GSSAPI test program to exercise
|
||||
lifetime queries, and tests using it in t_gssapi.py for ticket end
|
||||
times after y2038. Add a new test script t_y2038.py which only runs
|
||||
on platforms with 64-bit time_t to exercise end-user operations across
|
||||
and after y2038. Add an LDAP test case to test storage of post-y2038
|
||||
timestamps.
|
||||
|
||||
ticket: 8352
|
||||
(cherry picked from commit 8ca62e54e89e2fbd6a089e8ab20b4e374a486003)
|
||||
[rharwood@redhat.com: prune gitignore]
|
||||
---
|
||||
src/Makefile.in | 1 +
|
||||
src/config/pre.in | 2 +
|
||||
src/configure.in | 3 +
|
||||
src/lib/krb5/krb/Makefile.in | 14 ++--
|
||||
src/lib/krb5/krb/t_valid_times.c | 109 ++++++++++++++++++++++++++++++
|
||||
src/tests/Makefile.in | 1 +
|
||||
src/tests/gssapi/Makefile.in | 27 ++++----
|
||||
src/tests/gssapi/t_gssapi.py | 32 +++++++++
|
||||
src/tests/gssapi/t_lifetime.c | 140 +++++++++++++++++++++++++++++++++++++++
|
||||
src/tests/t_kdb.py | 7 ++
|
||||
src/tests/t_y2038.py | 75 +++++++++++++++++++++
|
||||
11 files changed, 395 insertions(+), 16 deletions(-)
|
||||
create mode 100644 src/lib/krb5/krb/t_valid_times.c
|
||||
create mode 100644 src/tests/gssapi/t_lifetime.c
|
||||
create mode 100644 src/tests/t_y2038.py
|
||||
|
||||
diff --git a/src/Makefile.in b/src/Makefile.in
|
||||
index b0249778c..ad8565056 100644
|
||||
--- a/src/Makefile.in
|
||||
+++ b/src/Makefile.in
|
||||
@@ -521,6 +521,7 @@ pyrunenv.vals: Makefile
|
||||
done > $@
|
||||
echo "tls_impl = '$(TLS_IMPL)'" >> $@
|
||||
echo "have_sasl = '$(HAVE_SASL)'" >> $@
|
||||
+ echo "sizeof_time_t = $(SIZEOF_TIME_T)" >> $@
|
||||
|
||||
runenv.py: pyrunenv.vals
|
||||
echo 'env = {}' > $@
|
||||
diff --git a/src/config/pre.in b/src/config/pre.in
|
||||
index d961b5621..f23c07d9d 100644
|
||||
--- a/src/config/pre.in
|
||||
+++ b/src/config/pre.in
|
||||
@@ -452,6 +452,8 @@ HAVE_SASL = @HAVE_SASL@
|
||||
# Whether we have libresolv 1.1.5 for URI discovery tests
|
||||
HAVE_RESOLV_WRAPPER = @HAVE_RESOLV_WRAPPER@
|
||||
|
||||
+SIZEOF_TIME_T = @SIZEOF_TIME_T@
|
||||
+
|
||||
# error table rules
|
||||
#
|
||||
### /* these are invoked as $(...) foo.et, which works, but could be better */
|
||||
diff --git a/src/configure.in b/src/configure.in
|
||||
index 24f653f0d..4ae2c07d5 100644
|
||||
--- a/src/configure.in
|
||||
+++ b/src/configure.in
|
||||
@@ -744,6 +744,9 @@ fi
|
||||
|
||||
AC_HEADER_TIME
|
||||
AC_CHECK_TYPE(time_t, long)
|
||||
+AC_CHECK_SIZEOF(time_t)
|
||||
+SIZEOF_TIME_T=$ac_cv_sizeof_time_t
|
||||
+AC_SUBST(SIZEOF_TIME_T)
|
||||
|
||||
# Determine where to put the replay cache.
|
||||
|
||||
diff --git a/src/lib/krb5/krb/Makefile.in b/src/lib/krb5/krb/Makefile.in
|
||||
index 0fe02a95d..55f82b147 100644
|
||||
--- a/src/lib/krb5/krb/Makefile.in
|
||||
+++ b/src/lib/krb5/krb/Makefile.in
|
||||
@@ -364,6 +364,7 @@ SRCS= $(srcdir)/addr_comp.c \
|
||||
$(srcdir)/t_in_ccache.c \
|
||||
$(srcdir)/t_response_items.c \
|
||||
$(srcdir)/t_sname_match.c \
|
||||
+ $(srcdir)/t_valid_times.c \
|
||||
$(srcdir)/t_vfy_increds.c
|
||||
|
||||
# Someday, when we have a "maintainer mode", do this right:
|
||||
@@ -457,9 +458,12 @@ t_response_items: t_response_items.o response_items.o $(KRB5_BASE_DEPLIBS)
|
||||
t_sname_match: t_sname_match.o sname_match.o $(KRB5_BASE_DEPLIBS)
|
||||
$(CC_LINK) -o $@ t_sname_match.o sname_match.o $(KRB5_BASE_LIBS)
|
||||
|
||||
+t_valid_times: t_valid_times.o valid_times.o $(KRB5_BASE_DEPLIBS)
|
||||
+ $(CC_LINK) -o $@ t_valid_times.o valid_times.o $(KRB5_BASE_LIBS)
|
||||
+
|
||||
TEST_PROGS= t_walk_rtree t_kerb t_ser t_deltat t_expand t_authdata t_pac \
|
||||
- t_in_ccache t_cc_config t_copy_context \
|
||||
- t_princ t_etypes t_vfy_increds t_response_items t_sname_match
|
||||
+ t_in_ccache t_cc_config t_copy_context t_princ t_etypes t_vfy_increds \
|
||||
+ t_response_items t_sname_match t_valid_times
|
||||
|
||||
check-unix: $(TEST_PROGS)
|
||||
$(RUN_TEST_LOCAL_CONF) ./t_kerb \
|
||||
@@ -496,6 +500,7 @@ check-unix: $(TEST_PROGS)
|
||||
$(RUN_TEST) ./t_response_items
|
||||
$(RUN_TEST) ./t_copy_context
|
||||
$(RUN_TEST) ./t_sname_match
|
||||
+ $(RUN_TEST) ./t_valid_times
|
||||
|
||||
check-pytests: t_expire_warn t_vfy_increds
|
||||
$(RUNPYTEST) $(srcdir)/t_expire_warn.py $(PYTESTFLAGS)
|
||||
@@ -522,8 +527,9 @@ clean:
|
||||
$(OUTPRE)t_ad_fx_armor$(EXEEXT) $(OUTPRE)t_ad_fx_armor.$(OBJEXT) \
|
||||
$(OUTPRE)t_vfy_increds$(EXEEXT) $(OUTPRE)t_vfy_increds.$(OBJEXT) \
|
||||
$(OUTPRE)t_response_items$(EXEEXT) \
|
||||
- $(OUTPRE)t_response_items.$(OBJEXT) $(OUTPRE)t_sname_match$(EXEEXT) \
|
||||
- $(OUTPRE)t_sname_match.$(OBJEXT) \
|
||||
+ $(OUTPRE)t_response_items.$(OBJEXT) \
|
||||
+ $(OUTPRE)t_sname_match$(EXEEXT) $(OUTPRE)t_sname_match.$(OBJEXT) \
|
||||
+ $(OUTPRE)t_valid_times$(EXEEXT) $(OUTPRE)t_valid_times.$(OBJECT) \
|
||||
$(OUTPRE)t_parse_host_string$(EXEEXT) \
|
||||
$(OUTPRE)t_parse_host_string.$(OBJEXT)
|
||||
|
||||
diff --git a/src/lib/krb5/krb/t_valid_times.c b/src/lib/krb5/krb/t_valid_times.c
|
||||
new file mode 100644
|
||||
index 000000000..1b469ffc2
|
||||
--- /dev/null
|
||||
+++ b/src/lib/krb5/krb/t_valid_times.c
|
||||
@@ -0,0 +1,109 @@
|
||||
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
|
||||
+/* lib/krb5/krb/t_valid_times.c - test program for krb5int_validate_times() */
|
||||
+/*
|
||||
+ * Copyright (C) 2017 by the Massachusetts Institute of Technology.
|
||||
+ * All rights reserved.
|
||||
+ *
|
||||
+ * Redistribution and use in source and binary forms, with or without
|
||||
+ * modification, are permitted provided that the following conditions
|
||||
+ * are met:
|
||||
+ *
|
||||
+ * * Redistributions of source code must retain the above copyright
|
||||
+ * notice, this list of conditions and the following disclaimer.
|
||||
+ *
|
||||
+ * * Redistributions in binary form must reproduce the above copyright
|
||||
+ * notice, this list of conditions and the following disclaimer in
|
||||
+ * the documentation and/or other materials provided with the
|
||||
+ * distribution.
|
||||
+ *
|
||||
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
|
||||
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
|
||||
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
|
||||
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
||||
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
||||
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
||||
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
||||
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
+ */
|
||||
+
|
||||
+#include "k5-int.h"
|
||||
+#include "int-proto.h"
|
||||
+
|
||||
+#define BOUNDARY (uint32_t)INT32_MIN
|
||||
+
|
||||
+int
|
||||
+main()
|
||||
+{
|
||||
+ krb5_error_code ret;
|
||||
+ krb5_context context;
|
||||
+ krb5_ticket_times times = { 0, 0, 0, 0 };
|
||||
+
|
||||
+ ret = krb5_init_context(&context);
|
||||
+ assert(!ret);
|
||||
+
|
||||
+ /* Current time is within authtime and end time. */
|
||||
+ ret = krb5_set_debugging_time(context, 1000, 0);
|
||||
+ times.authtime = 500;
|
||||
+ times.endtime = 1500;
|
||||
+ ret = krb5int_validate_times(context, ×);
|
||||
+ assert(!ret);
|
||||
+
|
||||
+ /* Current time is before starttime, but within clock skew. */
|
||||
+ times.starttime = 1100;
|
||||
+ ret = krb5int_validate_times(context, ×);
|
||||
+ assert(!ret);
|
||||
+
|
||||
+ /* Current time is before starttime by more than clock skew. */
|
||||
+ times.starttime = 1400;
|
||||
+ ret = krb5int_validate_times(context, ×);
|
||||
+ assert(ret == KRB5KRB_AP_ERR_TKT_NYV);
|
||||
+
|
||||
+ /* Current time is after end time, but within clock skew. */
|
||||
+ times.starttime = 500;
|
||||
+ times.endtime = 800;
|
||||
+ ret = krb5int_validate_times(context, ×);
|
||||
+ assert(!ret);
|
||||
+
|
||||
+ /* Current time is after end time by more than clock skew. */
|
||||
+ times.endtime = 600;
|
||||
+ ret = krb5int_validate_times(context, ×);
|
||||
+ assert(ret == KRB5KRB_AP_ERR_TKT_EXPIRED);
|
||||
+
|
||||
+ /* Current time is within starttime and endtime; current time and
|
||||
+ * endtime are across y2038 boundary. */
|
||||
+ ret = krb5_set_debugging_time(context, BOUNDARY - 100, 0);
|
||||
+ assert(!ret);
|
||||
+ times.starttime = BOUNDARY - 200;
|
||||
+ times.endtime = BOUNDARY + 500;
|
||||
+ ret = krb5int_validate_times(context, ×);
|
||||
+ assert(!ret);
|
||||
+
|
||||
+ /* Current time is before starttime, but by less than clock skew. */
|
||||
+ times.starttime = BOUNDARY + 100;
|
||||
+ ret = krb5int_validate_times(context, ×);
|
||||
+ assert(!ret);
|
||||
+
|
||||
+ /* Current time is before starttime by more than clock skew. */
|
||||
+ times.starttime = BOUNDARY + 250;
|
||||
+ ret = krb5int_validate_times(context, ×);
|
||||
+ assert(ret == KRB5KRB_AP_ERR_TKT_NYV);
|
||||
+
|
||||
+ /* Current time is after endtime, but by less than clock skew. */
|
||||
+ ret = krb5_set_debugging_time(context, BOUNDARY + 100, 0);
|
||||
+ assert(!ret);
|
||||
+ times.starttime = BOUNDARY - 1000;
|
||||
+ times.endtime = BOUNDARY - 100;
|
||||
+ ret = krb5int_validate_times(context, ×);
|
||||
+ assert(!ret);
|
||||
+
|
||||
+ /* Current time is after endtime by more than clock skew. */
|
||||
+ times.endtime = BOUNDARY - 300;
|
||||
+ ret = krb5int_validate_times(context, ×);
|
||||
+ assert(ret == KRB5KRB_AP_ERR_TKT_EXPIRED);
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
|
||||
index 0e93d6b59..2b3112537 100644
|
||||
--- a/src/tests/Makefile.in
|
||||
+++ b/src/tests/Makefile.in
|
||||
@@ -168,6 +168,7 @@ check-pytests: localauth plugorder rdreq responder s2p s4u2proxy unlockiter
|
||||
$(RUNPYTEST) $(srcdir)/t_princflags.py $(PYTESTFLAGS)
|
||||
$(RUNPYTEST) $(srcdir)/t_tabdump.py $(PYTESTFLAGS)
|
||||
$(RUNPYTEST) $(srcdir)/t_certauth.py $(PYTESTFLAGS)
|
||||
+ $(RUNPYTEST) $(srcdir)/t_y2038.py $(PYTESTFLAGS)
|
||||
|
||||
clean:
|
||||
$(RM) adata etinfo forward gcred hist hooks hrealm icred kdbtest
|
||||
diff --git a/src/tests/gssapi/Makefile.in b/src/tests/gssapi/Makefile.in
|
||||
index 6c1464297..604f926de 100644
|
||||
--- a/src/tests/gssapi/Makefile.in
|
||||
+++ b/src/tests/gssapi/Makefile.in
|
||||
@@ -15,15 +15,16 @@ SRCS= $(srcdir)/ccinit.c $(srcdir)/ccrefresh.c $(srcdir)/common.c \
|
||||
$(srcdir)/t_gssexts.c $(srcdir)/t_imp_cred.c $(srcdir)/t_imp_name.c \
|
||||
$(srcdir)/t_invalid.c $(srcdir)/t_inq_cred.c $(srcdir)/t_inq_ctx.c \
|
||||
$(srcdir)/t_inq_mechs_name.c $(srcdir)/t_iov.c \
|
||||
- $(srcdir)/t_namingexts.c $(srcdir)/t_oid.c $(srcdir)/t_pcontok.c \
|
||||
- $(srcdir)/t_prf.c $(srcdir)/t_s4u.c $(srcdir)/t_s4u2proxy_krb5.c \
|
||||
- $(srcdir)/t_saslname.c $(srcdir)/t_spnego.c $(srcdir)/t_srcattrs.c
|
||||
+ $(srcdir)/t_lifetime.c $(srcdir)/t_namingexts.c $(srcdir)/t_oid.c \
|
||||
+ $(srcdir)/t_pcontok.c $(srcdir)/t_prf.c $(srcdir)/t_s4u.c \
|
||||
+ $(srcdir)/t_s4u2proxy_krb5.c $(srcdir)/t_saslname.c \
|
||||
+ $(srcdir)/t_spnego.c $(srcdir)/t_srcattrs.c
|
||||
|
||||
OBJS= ccinit.o ccrefresh.o common.o t_accname.o t_ccselect.o t_ciflags.o \
|
||||
t_credstore.o t_enctypes.o t_err.o t_export_cred.o t_export_name.o \
|
||||
t_gssexts.o t_imp_cred.o t_imp_name.o t_invalid.o t_inq_cred.o \
|
||||
- t_inq_ctx.o t_inq_mechs_name.o t_iov.o t_namingexts.o t_oid.o \
|
||||
- t_pcontok.o t_prf.o t_s4u.o t_s4u2proxy_krb5.o t_saslname.o \
|
||||
+ t_inq_ctx.o t_inq_mechs_name.o t_iov.o t_lifetime.o t_namingexts.o \
|
||||
+ t_oid.o t_pcontok.o t_prf.o t_s4u.o t_s4u2proxy_krb5.o t_saslname.o \
|
||||
t_spnego.o t_srcattrs.o
|
||||
|
||||
COMMON_DEPS= common.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS)
|
||||
@@ -31,9 +32,9 @@ COMMON_LIBS= common.o $(GSS_LIBS) $(KRB5_BASE_LIBS)
|
||||
|
||||
all: ccinit ccrefresh t_accname t_ccselect t_ciflags t_credstore t_enctypes \
|
||||
t_err t_export_cred t_export_name t_gssexts t_imp_cred t_imp_name \
|
||||
- t_invalid t_inq_cred t_inq_ctx t_inq_mechs_name t_iov t_namingexts \
|
||||
- t_oid t_pcontok t_prf t_s4u t_s4u2proxy_krb5 t_saslname t_spnego \
|
||||
- t_srcattrs
|
||||
+ t_invalid t_inq_cred t_inq_ctx t_inq_mechs_name t_iov t_lifetime \
|
||||
+ t_namingexts t_oid t_pcontok t_prf t_s4u t_s4u2proxy_krb5 t_saslname \
|
||||
+ t_spnego t_srcattrs
|
||||
|
||||
check-unix: t_oid
|
||||
$(RUN_TEST) ./t_invalid
|
||||
@@ -42,8 +43,8 @@ check-unix: t_oid
|
||||
|
||||
check-pytests: ccinit ccrefresh t_accname t_ccselect t_ciflags t_credstore \
|
||||
t_enctypes t_err t_export_cred t_export_name t_imp_cred t_inq_cred \
|
||||
- t_inq_ctx t_inq_mechs_name t_iov t_pcontok t_s4u t_s4u2proxy_krb5 \
|
||||
- t_spnego t_srcattrs
|
||||
+ t_inq_ctx t_inq_mechs_name t_iov t_lifetime t_pcontok t_s4u \
|
||||
+ t_s4u2proxy_krb5 t_spnego t_srcattrs
|
||||
$(RUNPYTEST) $(srcdir)/t_gssapi.py $(PYTESTFLAGS)
|
||||
$(RUNPYTEST) $(srcdir)/t_ccselect.py $(PYTESTFLAGS)
|
||||
$(RUNPYTEST) $(srcdir)/t_client_keytab.py $(PYTESTFLAGS)
|
||||
@@ -88,6 +89,8 @@ t_inq_mechs_name: t_inq_mechs_name.o $(COMMON_DEPS)
|
||||
$(CC_LINK) -o $@ t_inq_mechs_name.o $(COMMON_LIBS)
|
||||
t_iov: t_iov.o $(COMMON_DEPS)
|
||||
$(CC_LINK) -o $@ t_iov.o $(COMMON_LIBS)
|
||||
+t_lifetime: t_lifetime.o $(COMMON_DEPS)
|
||||
+ $(CC_LINK) -o $@ t_lifetime.o $(COMMON_LIBS)
|
||||
t_namingexts: t_namingexts.o $(COMMON_DEPS)
|
||||
$(CC_LINK) -o $@ t_namingexts.o $(COMMON_LIBS)
|
||||
t_pcontok: t_pcontok.o $(COMMON_DEPS)
|
||||
@@ -111,5 +114,5 @@ clean:
|
||||
$(RM) ccinit ccrefresh t_accname t_ccselect t_ciflags t_credstore
|
||||
$(RM) t_enctypes t_err t_export_cred t_export_name t_gssexts t_imp_cred
|
||||
$(RM) t_imp_name t_invalid t_inq_cred t_inq_ctx t_inq_mechs_name t_iov
|
||||
- $(RM) t_namingexts t_oid t_pcontok t_prf t_s4u t_s4u2proxy_krb5
|
||||
- $(RM) t_saslname t_spnego t_srcattrs
|
||||
+ $(RM) t_lifetime t_namingexts t_oid t_pcontok t_prf t_s4u
|
||||
+ $(RM) t_s4u2proxy_krb5 t_saslname t_spnego t_srcattrs
|
||||
diff --git a/src/tests/gssapi/t_gssapi.py b/src/tests/gssapi/t_gssapi.py
|
||||
index 397e58962..98c8df25c 100755
|
||||
--- a/src/tests/gssapi/t_gssapi.py
|
||||
+++ b/src/tests/gssapi/t_gssapi.py
|
||||
@@ -185,4 +185,36 @@ realm.run(['./t_ciflags', 'p:' + realm.host_princ])
|
||||
# contexts.
|
||||
realm.run(['./t_inq_ctx', 'user', password('user'), 'p:%s' % realm.host_princ])
|
||||
|
||||
+# Test lifetime results, using a realm with a large maximum lifetime
|
||||
+# so that we can test ticket end dates after y2038. There are no
|
||||
+# time_t conversions involved, so we can run these tests on platforms
|
||||
+# with 32-bit time_t.
|
||||
+realm.stop()
|
||||
+conf = {'realms': {'$realm': {'max_life': '9000d'}}}
|
||||
+realm = K5Realm(kdc_conf=conf, get_creds=False)
|
||||
+
|
||||
+# Check a lifetime string result against an expected number value (or None).
|
||||
+# Allow some variance due to time elapsed during the tests.
|
||||
+def check_lifetime(msg, val, expected):
|
||||
+ if expected is None and val != 'indefinite':
|
||||
+ fail('%s: expected indefinite, got %s' % (msg, val))
|
||||
+ if expected is not None and val == 'indefinite':
|
||||
+ fail('%s: expected %d, got indefinite' % (msg, expected))
|
||||
+ if expected is not None and abs(int(val) - expected) > 100:
|
||||
+ fail('%s: expected %d, got %s' % (msg, expected, val))
|
||||
+
|
||||
+realm.kinit(realm.user_princ, password('user'), flags=['-l', '8500d'])
|
||||
+out = realm.run(['./t_lifetime', 'p:' + realm.host_princ, str(8000 * 86400)])
|
||||
+ln = out.split('\n')
|
||||
+check_lifetime('icred gss_acquire_cred', ln[0], 8500 * 86400)
|
||||
+check_lifetime('icred gss_inquire_cred', ln[1], 8500 * 86400)
|
||||
+check_lifetime('acred gss_acquire_cred', ln[2], None)
|
||||
+check_lifetime('acred gss_inquire_cred', ln[3], None)
|
||||
+check_lifetime('ictx gss_init_sec_context', ln[4], 8000 * 86400)
|
||||
+check_lifetime('ictx gss_inquire_context', ln[5], 8000 * 86400)
|
||||
+check_lifetime('ictx gss_context_time', ln[6], 8000 * 86400)
|
||||
+check_lifetime('actx gss_accept_sec_context', ln[7], 8000 * 86400 + 300)
|
||||
+check_lifetime('actx gss_inquire_context', ln[8], 8000 * 86400 + 300)
|
||||
+check_lifetime('actx gss_context_time', ln[9], 8000 * 86400 + 300)
|
||||
+
|
||||
success('GSSAPI tests')
|
||||
diff --git a/src/tests/gssapi/t_lifetime.c b/src/tests/gssapi/t_lifetime.c
|
||||
new file mode 100644
|
||||
index 000000000..8dcf18621
|
||||
--- /dev/null
|
||||
+++ b/src/tests/gssapi/t_lifetime.c
|
||||
@@ -0,0 +1,140 @@
|
||||
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
|
||||
+/* tests/gssapi/t_lifetime.c - display cred and context lifetimes */
|
||||
+/*
|
||||
+ * Copyright (C) 2017 by the Massachusetts Institute of Technology.
|
||||
+ * All rights reserved.
|
||||
+ *
|
||||
+ * Redistribution and use in source and binary forms, with or without
|
||||
+ * modification, are permitted provided that the following conditions
|
||||
+ * are met:
|
||||
+ *
|
||||
+ * * Redistributions of source code must retain the above copyright
|
||||
+ * notice, this list of conditions and the following disclaimer.
|
||||
+ *
|
||||
+ * * Redistributions in binary form must reproduce the above copyright
|
||||
+ * notice, this list of conditions and the following disclaimer in
|
||||
+ * the documentation and/or other materials provided with the
|
||||
+ * distribution.
|
||||
+ *
|
||||
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
|
||||
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
|
||||
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
|
||||
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
||||
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
||||
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
||||
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
||||
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
+ */
|
||||
+
|
||||
+#include <stdio.h>
|
||||
+#include <stdlib.h>
|
||||
+#include <assert.h>
|
||||
+#include "common.h"
|
||||
+
|
||||
+/*
|
||||
+ * Using the default credential, exercise the GSS functions which accept or
|
||||
+ * produce lifetimes. Display the following results, one per line, as ASCII
|
||||
+ * integers or the string "indefinite":
|
||||
+ *
|
||||
+ * initiator cred lifetime according to gss_acquire_cred()
|
||||
+ * initiator cred lifetime according to gss_inquire_cred()
|
||||
+ * acceptor cred lifetime according to gss_acquire_cred()
|
||||
+ * acceptor cred lifetime according to gss_inquire_cred()
|
||||
+ * initiator context lifetime according to gss_init_sec_context()
|
||||
+ * initiator context lifetime according to gss_inquire_context()
|
||||
+ * initiator context lifetime according to gss_context_time()
|
||||
+ * acceptor context lifetime according to gss_init_sec_context()
|
||||
+ * acceptor context lifetime according to gss_inquire_context()
|
||||
+ * acceptor context lifetime according to gss_context_time()
|
||||
+ */
|
||||
+
|
||||
+static void
|
||||
+display_time(OM_uint32 tval)
|
||||
+{
|
||||
+ if (tval == GSS_C_INDEFINITE)
|
||||
+ puts("indefinite");
|
||||
+ else
|
||||
+ printf("%u\n", (unsigned int)tval);
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+main(int argc, char *argv[])
|
||||
+{
|
||||
+ OM_uint32 minor, major;
|
||||
+ gss_cred_id_t icred, acred;
|
||||
+ gss_name_t tname;
|
||||
+ gss_ctx_id_t ictx = GSS_C_NO_CONTEXT, actx = GSS_C_NO_CONTEXT;
|
||||
+ gss_buffer_desc itok = GSS_C_EMPTY_BUFFER, atok = GSS_C_EMPTY_BUFFER;
|
||||
+ OM_uint32 time_req = GSS_C_INDEFINITE, time_rec;
|
||||
+
|
||||
+ if (argc < 2 || argc > 3) {
|
||||
+ fprintf(stderr, "Usage: %s targetname [time_req]\n", argv[0]);
|
||||
+ return 1;
|
||||
+ }
|
||||
+ tname = import_name(argv[1]);
|
||||
+ if (argc >= 3)
|
||||
+ time_req = atoll(argv[2]);
|
||||
+
|
||||
+ /* Get initiator cred and display its lifetime according to
|
||||
+ * gss_acquire_cred and gss_inquire_cred. */
|
||||
+ major = gss_acquire_cred(&minor, GSS_C_NO_NAME, time_req, &mechset_krb5,
|
||||
+ GSS_C_INITIATE, &icred, NULL, &time_rec);
|
||||
+ check_gsserr("gss_acquire_cred(initiate)", major, minor);
|
||||
+ display_time(time_rec);
|
||||
+ major = gss_inquire_cred(&minor, icred, NULL, &time_rec, NULL, NULL);
|
||||
+ check_gsserr("gss_inquire_cred(initiate)", major, minor);
|
||||
+ display_time(time_rec);
|
||||
+
|
||||
+ /* Get acceptor cred and display its lifetime according to gss_acquire_cred
|
||||
+ * and gss_inquire_cred. */
|
||||
+ major = gss_acquire_cred(&minor, GSS_C_NO_NAME, time_req, &mechset_krb5,
|
||||
+ GSS_C_ACCEPT, &acred, NULL, &time_rec);
|
||||
+ check_gsserr("gss_acquire_cred(accept)", major, minor);
|
||||
+ display_time(time_rec);
|
||||
+ major = gss_inquire_cred(&minor, acred, NULL, &time_rec, NULL, NULL);
|
||||
+ check_gsserr("gss_inquire_cred(accept)", major, minor);
|
||||
+ display_time(time_rec);
|
||||
+
|
||||
+ /* Make an initiator context and display its lifetime according to
|
||||
+ * gss_init_sec_context, gss_inquire_context, and gss_context_time. */
|
||||
+ major = gss_init_sec_context(&minor, icred, &ictx, tname, &mech_krb5, 0,
|
||||
+ time_req, GSS_C_NO_CHANNEL_BINDINGS, &atok,
|
||||
+ NULL, &itok, NULL, &time_rec);
|
||||
+ check_gsserr("gss_init_sec_context", major, minor);
|
||||
+ assert(major == GSS_S_COMPLETE);
|
||||
+ display_time(time_rec);
|
||||
+ major = gss_inquire_context(&minor, ictx, NULL, NULL, &time_rec, NULL,
|
||||
+ NULL, NULL, NULL);
|
||||
+ check_gsserr("gss_inquire_context(initiate)", major, minor);
|
||||
+ display_time(time_rec);
|
||||
+ major = gss_context_time(&minor, ictx, &time_rec);
|
||||
+ check_gsserr("gss_context_time(initiate)", major, minor);
|
||||
+ display_time(time_rec);
|
||||
+
|
||||
+ major = gss_accept_sec_context(&minor, &actx, acred, &itok,
|
||||
+ GSS_C_NO_CHANNEL_BINDINGS, NULL,
|
||||
+ NULL, &atok, NULL, &time_rec, NULL);
|
||||
+ check_gsserr("gss_accept_sec_context", major, minor);
|
||||
+ assert(major == GSS_S_COMPLETE);
|
||||
+ display_time(time_rec);
|
||||
+ major = gss_inquire_context(&minor, actx, NULL, NULL, &time_rec, NULL,
|
||||
+ NULL, NULL, NULL);
|
||||
+ check_gsserr("gss_inquire_context(accept)", major, minor);
|
||||
+ display_time(time_rec);
|
||||
+ major = gss_context_time(&minor, actx, &time_rec);
|
||||
+ check_gsserr("gss_context_time(accept)", major, minor);
|
||||
+ display_time(time_rec);
|
||||
+
|
||||
+ (void)gss_release_buffer(&minor, &itok);
|
||||
+ (void)gss_release_buffer(&minor, &atok);
|
||||
+ (void)gss_release_name(&minor, &tname);
|
||||
+ (void)gss_release_cred(&minor, &icred);
|
||||
+ (void)gss_release_cred(&minor, &acred);
|
||||
+ (void)gss_delete_sec_context(&minor, &ictx, NULL);
|
||||
+ (void)gss_delete_sec_context(&minor, &actx, NULL);
|
||||
+ return 0;
|
||||
+}
|
||||
diff --git a/src/tests/t_kdb.py b/src/tests/t_kdb.py
|
||||
index 44635b089..ffc043709 100755
|
||||
--- a/src/tests/t_kdb.py
|
||||
+++ b/src/tests/t_kdb.py
|
||||
@@ -414,6 +414,13 @@ realm.run([kadminl, 'addprinc', '-policy', 'keepoldpasspol', '-pw', 'aaaa',
|
||||
for p in ('bbbb', 'cccc', 'aaaa'):
|
||||
realm.run([kadminl, 'cpw', '-keepold', '-pw', p, 'keepoldpassprinc'])
|
||||
|
||||
+if runenv.sizeof_time_t <= 4:
|
||||
+ skipped('y2038 LDAP test', 'platform has 32-bit time_t')
|
||||
+else:
|
||||
+ # Test storage of timestamps after y2038.
|
||||
+ realm.run([kadminl, 'modprinc', '-pwexpire', '2040-02-03', 'user'])
|
||||
+ realm.run([kadminl, 'getprinc', 'user'], expected_msg=' 2040\n')
|
||||
+
|
||||
realm.stop()
|
||||
|
||||
# Briefly test dump and load.
|
||||
diff --git a/src/tests/t_y2038.py b/src/tests/t_y2038.py
|
||||
new file mode 100644
|
||||
index 000000000..02e946df4
|
||||
--- /dev/null
|
||||
+++ b/src/tests/t_y2038.py
|
||||
@@ -0,0 +1,75 @@
|
||||
+#!/usr/bin/python
|
||||
+from k5test import *
|
||||
+
|
||||
+# These tests will become much less important after the y2038 boundary
|
||||
+# has elapsed, and may start exhibiting problems around the year 2075.
|
||||
+
|
||||
+if runenv.sizeof_time_t <= 4:
|
||||
+ skip_rest('y2038 timestamp tests', 'platform has 32-bit time_t')
|
||||
+
|
||||
+# Start a KDC running roughly 21 years in the future, after the y2038
|
||||
+# boundary. Set long maximum lifetimes for later tests.
|
||||
+conf = {'realms': {'$realm': {'max_life': '9000d',
|
||||
+ 'max_renewable_life': '9000d'}}}
|
||||
+realm = K5Realm(start_kdc=False, kdc_conf=conf)
|
||||
+realm.start_kdc(['-T', '662256000'])
|
||||
+
|
||||
+# kinit without preauth should succeed with clock skew correction, but
|
||||
+# will result in an expired ticket, because we sent an absolute end
|
||||
+# time and didn't get a chance to correct it..
|
||||
+realm.kinit(realm.user_princ, password('user'))
|
||||
+realm.run([kvno, realm.host_princ], expected_code=1,
|
||||
+ expected_msg='Ticket expired')
|
||||
+
|
||||
+# kinit with preauth should succeed and result in a valid ticket, as
|
||||
+# we get a chance to correct the end time based on the KDC time. Try
|
||||
+# with encrypted timestamp and encrypted challenge.
|
||||
+realm.run([kadminl, 'modprinc', '+requires_preauth', 'user'])
|
||||
+realm.kinit(realm.user_princ, password('user'))
|
||||
+realm.run([kvno, realm.host_princ])
|
||||
+realm.kinit(realm.user_princ, password('user'), flags=['-T', realm.ccache])
|
||||
+realm.run([kvno, realm.host_princ])
|
||||
+
|
||||
+# Test that expiration warning works after y2038, by setting a
|
||||
+# password expiration time ten minutes after the KDC time.
|
||||
+realm.run([kadminl, 'modprinc', '-pwexpire', '662256600 seconds', 'user'])
|
||||
+out = realm.kinit(realm.user_princ, password('user'))
|
||||
+if 'will expire in less than one hour' not in out:
|
||||
+ fail('password expiration message')
|
||||
+year = int(out.split()[-1])
|
||||
+if year < 2038 or year > 9999:
|
||||
+ fail('password expiration year')
|
||||
+
|
||||
+realm.stop_kdc()
|
||||
+realm.start_kdc()
|
||||
+realm.start_kadmind()
|
||||
+realm.prep_kadmin()
|
||||
+
|
||||
+# Test getdate parsing of absolute timestamps after 2038 and
|
||||
+# marshalling over the kadmin protocol. The local time zone will
|
||||
+# affect the display time by a little bit, so just look for the year.
|
||||
+realm.run_kadmin(['modprinc', '-pwexpire', '2040-02-03', realm.host_princ])
|
||||
+realm.run_kadmin(['getprinc', realm.host_princ], expected_msg=' 2040\n')
|
||||
+
|
||||
+# Get a ticket whose lifetime crosses the y2038 boundary and
|
||||
+# range-check the expiration year as reported by klist.
|
||||
+realm.kinit(realm.user_princ, password('user'),
|
||||
+ flags=['-l', '8000d', '-r', '8500d'])
|
||||
+realm.run([kvno, realm.host_princ])
|
||||
+out = realm.run([klist])
|
||||
+if int(out.split('\n')[4].split()[2].split('/')[2]) < 39:
|
||||
+ fail('unexpected tgt expiration year')
|
||||
+if int(out.split('\n')[5].split()[2].split('/')[2]) < 40:
|
||||
+ fail('unexpected tgt rtill year')
|
||||
+if int(out.split('\n')[6].split()[2].split('/')[2]) < 39:
|
||||
+ fail('unexpected service ticket expiration year')
|
||||
+if int(out.split('\n')[7].split()[2].split('/')[2]) < 40:
|
||||
+ fail('unexpected service ticket rtill year')
|
||||
+realm.kinit(realm.user_princ, None, ['-R'])
|
||||
+out = realm.run([klist])
|
||||
+if int(out.split('\n')[4].split()[2].split('/')[2]) < 39:
|
||||
+ fail('unexpected renewed tgt expiration year')
|
||||
+if int(out.split('\n')[5].split()[2].split('/')[2]) < 40:
|
||||
+ fail('unexpected renewed tgt rtill year')
|
||||
+
|
||||
+success('y2038 tests')
|
59
Add-y2038-documentation.patch
Normal file
59
Add-y2038-documentation.patch
Normal file
@ -0,0 +1,59 @@
|
||||
From ebedc35a70f184030c4aab32e782fa2a8610cf73 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Thu, 4 May 2017 17:03:35 -0400
|
||||
Subject: [PATCH] Add y2038 documentation
|
||||
|
||||
ticket: 8352
|
||||
(cherry picked from commit 85d64c43dbf7a7faa56a1999494cdfa49e8bd2c9)
|
||||
---
|
||||
doc/appdev/index.rst | 1 +
|
||||
doc/appdev/y2038.rst | 28 ++++++++++++++++++++++++++++
|
||||
2 files changed, 29 insertions(+)
|
||||
create mode 100644 doc/appdev/y2038.rst
|
||||
|
||||
diff --git a/doc/appdev/index.rst b/doc/appdev/index.rst
|
||||
index 3d62045ca..961bb1e9e 100644
|
||||
--- a/doc/appdev/index.rst
|
||||
+++ b/doc/appdev/index.rst
|
||||
@@ -5,6 +5,7 @@ For application developers
|
||||
:maxdepth: 1
|
||||
|
||||
gssapi.rst
|
||||
+ y2038.rst
|
||||
h5l_mit_apidiff.rst
|
||||
init_creds.rst
|
||||
princ_handle.rst
|
||||
diff --git a/doc/appdev/y2038.rst b/doc/appdev/y2038.rst
|
||||
new file mode 100644
|
||||
index 000000000..bc4122dad
|
||||
--- /dev/null
|
||||
+++ b/doc/appdev/y2038.rst
|
||||
@@ -0,0 +1,28 @@
|
||||
+Year 2038 considerations for uses of krb5_timestamp
|
||||
+===================================================
|
||||
+
|
||||
+POSIX time values, which measure the number of seconds since January 1
|
||||
+1970, will exceed the maximum value representable in a signed 32-bit
|
||||
+integer in January 2038. This documentation describes considerations
|
||||
+for consumers of the MIT krb5 libraries.
|
||||
+
|
||||
+Applications or libraries which use libkrb5 and consume the timestamps
|
||||
+included in credentials or other structures make use of the
|
||||
+:c:type:`krb5_timestamp` type. For historical reasons, krb5_timestamp
|
||||
+is a signed 32-bit integer, even on platforms where a larger type is
|
||||
+natively used to represent time values. To behave properly for time
|
||||
+values after January 2038, calling code should cast krb5_timestamp
|
||||
+values to uint32_t, and then to time_t::
|
||||
+
|
||||
+ (time_t)(uint32_t)timestamp
|
||||
+
|
||||
+Used in this way, krb5_timestamp values can represent time values up
|
||||
+until February 2106, provided that the platform uses a 64-bit or
|
||||
+larger time_t type. This usage will also remain safe if a later
|
||||
+version of MIT krb5 changes krb5_timestamp to an unsigned 32-bit
|
||||
+integer.
|
||||
+
|
||||
+The GSSAPI only uses representations of time intervals, not absolute
|
||||
+times. Callers of the GSSAPI should require no changes to behave
|
||||
+correctly after January 2038, provided that they use MIT krb5 release
|
||||
+1.16 or later.
|
36
Allow-clock-skew-in-krb5-gss_context_time.patch
Normal file
36
Allow-clock-skew-in-krb5-gss_context_time.patch
Normal file
@ -0,0 +1,36 @@
|
||||
From 2944d7c0fcc8d3a87d0bb6f544b4a04c358df732 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Sat, 22 Apr 2017 16:51:23 -0400
|
||||
Subject: [PATCH] Allow clock skew in krb5 gss_context_time()
|
||||
|
||||
Commit b496ce4095133536e0ace36b74130e4b9ecb5e11 (ticket #8268) adds
|
||||
the clock skew to krb5 acceptor context lifetimes for
|
||||
gss_accept_sec_context() and gss_inquire_context(), but not for
|
||||
gss_context_time(). Add the clock skew in gss_context_time() as well.
|
||||
|
||||
ticket: 8581 (new)
|
||||
target_version: 1.14-next
|
||||
target_version: 1.15-next
|
||||
tags: pullup
|
||||
|
||||
(cherry picked from commit b0a072e6431261734e7350996a363801f180e8ea)
|
||||
---
|
||||
src/lib/gssapi/krb5/context_time.c | 5 ++++-
|
||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/lib/gssapi/krb5/context_time.c b/src/lib/gssapi/krb5/context_time.c
|
||||
index a18cfb05b..450593288 100644
|
||||
--- a/src/lib/gssapi/krb5/context_time.c
|
||||
+++ b/src/lib/gssapi/krb5/context_time.c
|
||||
@@ -51,7 +51,10 @@ krb5_gss_context_time(minor_status, context_handle, time_rec)
|
||||
return(GSS_S_FAILURE);
|
||||
}
|
||||
|
||||
- if ((lifetime = ctx->krb_times.endtime - now) <= 0) {
|
||||
+ lifetime = ctx->krb_times.endtime - now;
|
||||
+ if (!ctx->initiate)
|
||||
+ lifetime += ctx->k5_context->clockskew;
|
||||
+ if (lifetime <= 0) {
|
||||
*time_rec = 0;
|
||||
*minor_status = 0;
|
||||
return(GSS_S_CONTEXT_EXPIRED);
|
130
Fix-bugs-in-kdcpolicy-commit.patch
Normal file
130
Fix-bugs-in-kdcpolicy-commit.patch
Normal file
@ -0,0 +1,130 @@
|
||||
From 7ab7253c617364ffe8facd870e286c5876e6c30f Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Sat, 19 Aug 2017 19:09:24 -0400
|
||||
Subject: [PATCH] Fix bugs in kdcpolicy commit
|
||||
|
||||
Commit d0969f6a8170344031ef58fd2a161190f1edfb96 added tests using
|
||||
"klist ccachname -e", which does not work with a POSIX-conformant
|
||||
getopt() implementation such as the one in Solaris. Fix
|
||||
t_kdcpolicy.py to use "klist -e ccachename" instead.
|
||||
|
||||
The tests could fail if the clock second rolled over between kinit and
|
||||
kvno. Divide service ticket maximum lifetimes by 2 in the test module
|
||||
to correctly exercise TGS policy restrictions and ensure that service
|
||||
tickets are not constrained by the TGT end time.
|
||||
|
||||
Also use the correct trace macro when a kdcpolicy module declines to
|
||||
initialize (my mistake when revising the commit, noted by rharwood).
|
||||
|
||||
ticket: 8606
|
||||
(cherry picked from commit 09acbd91efc6df54e1572285ffc94c6acb3a9113)
|
||||
---
|
||||
src/kdc/policy.c | 2 +-
|
||||
src/plugins/kdcpolicy/test/main.c | 10 +++++-----
|
||||
src/tests/t_kdcpolicy.py | 13 +++++++++----
|
||||
3 files changed, 15 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/src/kdc/policy.c b/src/kdc/policy.c
|
||||
index e49644e06..26c16f97c 100644
|
||||
--- a/src/kdc/policy.c
|
||||
+++ b/src/kdc/policy.c
|
||||
@@ -222,7 +222,7 @@ load_kdcpolicy_plugins(krb5_context context)
|
||||
if (h->vt.init != NULL) {
|
||||
ret = h->vt.init(context, &h->moddata);
|
||||
if (ret == KRB5_PLUGIN_NO_HANDLE) {
|
||||
- TRACE_KADM5_AUTH_INIT_SKIP(context, h->vt.name);
|
||||
+ TRACE_KDCPOLICY_INIT_SKIP(context, h->vt.name);
|
||||
free(h);
|
||||
continue;
|
||||
}
|
||||
diff --git a/src/plugins/kdcpolicy/test/main.c b/src/plugins/kdcpolicy/test/main.c
|
||||
index eb8fde053..86c808958 100644
|
||||
--- a/src/plugins/kdcpolicy/test/main.c
|
||||
+++ b/src/plugins/kdcpolicy/test/main.c
|
||||
@@ -35,7 +35,7 @@
|
||||
#include <krb5/kdcpolicy_plugin.h>
|
||||
|
||||
static krb5_error_code
|
||||
-output_from_indicator(const char *const *auth_indicators,
|
||||
+output_from_indicator(const char *const *auth_indicators, int divisor,
|
||||
krb5_deltat *lifetime_out,
|
||||
krb5_deltat *renew_lifetime_out,
|
||||
const char **status)
|
||||
@@ -46,11 +46,11 @@ output_from_indicator(const char *const *auth_indicators,
|
||||
}
|
||||
|
||||
if (strcmp(auth_indicators[0], "ONE_HOUR") == 0) {
|
||||
- *lifetime_out = 3600;
|
||||
+ *lifetime_out = 3600 / divisor;
|
||||
*renew_lifetime_out = *lifetime_out * 2;
|
||||
return 0;
|
||||
} else if (strcmp(auth_indicators[0], "SEVEN_HOURS") == 0) {
|
||||
- *lifetime_out = 7 * 3600;
|
||||
+ *lifetime_out = 7 * 3600 / divisor;
|
||||
*renew_lifetime_out = *lifetime_out * 2;
|
||||
return 0;
|
||||
}
|
||||
@@ -71,7 +71,7 @@ test_check_as(krb5_context context, krb5_kdcpolicy_moddata moddata,
|
||||
*status = "LOCAL_POLICY";
|
||||
return KRB5KDC_ERR_POLICY;
|
||||
}
|
||||
- return output_from_indicator(auth_indicators, lifetime_out,
|
||||
+ return output_from_indicator(auth_indicators, 1, lifetime_out,
|
||||
renew_lifetime_out, status);
|
||||
}
|
||||
|
||||
@@ -87,7 +87,7 @@ test_check_tgs(krb5_context context, krb5_kdcpolicy_moddata moddata,
|
||||
*status = "LOCAL_POLICY";
|
||||
return KRB5KDC_ERR_POLICY;
|
||||
}
|
||||
- return output_from_indicator(auth_indicators, lifetime_out,
|
||||
+ return output_from_indicator(auth_indicators, 2, lifetime_out,
|
||||
renew_lifetime_out, status);
|
||||
}
|
||||
|
||||
diff --git a/src/tests/t_kdcpolicy.py b/src/tests/t_kdcpolicy.py
|
||||
index 6a745b959..b5d308461 100644
|
||||
--- a/src/tests/t_kdcpolicy.py
|
||||
+++ b/src/tests/t_kdcpolicy.py
|
||||
@@ -18,16 +18,21 @@ realm.run([kadminl, 'addprinc', '-pw', password('fail'), 'fail'])
|
||||
def verify_time(out, target_time):
|
||||
times = re.findall(r'\d\d/\d\d/\d\d \d\d:\d\d:\d\d', out)
|
||||
times = [datetime.strptime(t, '%m/%d/%y %H:%M:%S') for t in times]
|
||||
+ divisor = 1
|
||||
while len(times) > 0:
|
||||
starttime = times.pop(0)
|
||||
endtime = times.pop(0)
|
||||
renewtime = times.pop(0)
|
||||
|
||||
- if str(endtime - starttime) != target_time:
|
||||
+ if str((endtime - starttime) * divisor) != target_time:
|
||||
fail('unexpected lifetime value')
|
||||
- if str(renewtime - endtime) != target_time:
|
||||
+ if str((renewtime - endtime) * divisor) != target_time:
|
||||
fail('unexpected renewable value')
|
||||
|
||||
+ # Service tickets should have half the lifetime of initial
|
||||
+ # tickets.
|
||||
+ divisor = 2
|
||||
+
|
||||
rflags = ['-r', '1d', '-l', '12h']
|
||||
|
||||
# Test AS+TGS success path.
|
||||
@@ -35,7 +40,7 @@ realm.kinit(realm.user_princ, password('user'),
|
||||
rflags + ['-X', 'indicators=SEVEN_HOURS'])
|
||||
realm.run([kvno, realm.host_princ])
|
||||
realm.run(['./adata', realm.host_princ], expected_msg='+97: [SEVEN_HOURS]')
|
||||
-out = realm.run([klist, realm.ccache, '-e'])
|
||||
+out = realm.run([klist, '-e', realm.ccache])
|
||||
verify_time(out, '7:00:00')
|
||||
|
||||
# Test AS+TGS success path with different values.
|
||||
@@ -43,7 +48,7 @@ realm.kinit(realm.user_princ, password('user'),
|
||||
rflags + ['-X', 'indicators=ONE_HOUR'])
|
||||
realm.run([kvno, realm.host_princ])
|
||||
realm.run(['./adata', realm.host_princ], expected_msg='+97: [ONE_HOUR]')
|
||||
-out = realm.run([klist, realm.ccache, '-e'])
|
||||
+out = realm.run([klist, '-e', realm.ccache])
|
||||
verify_time(out, '1:00:00')
|
||||
|
||||
# Test TGS failure path (using previous creds).
|
58
Fix-in_clock_skew-and-use-it-in-AS-client-code.patch
Normal file
58
Fix-in_clock_skew-and-use-it-in-AS-client-code.patch
Normal file
@ -0,0 +1,58 @@
|
||||
From b0351efa57654f06477ab7540e6c0624e3a64f4e Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Mon, 24 Apr 2017 02:02:36 -0400
|
||||
Subject: [PATCH] Fix in_clock_skew() and use it in AS client code
|
||||
|
||||
Add a context parameter to the in_clock_skew() macro so that it isn't
|
||||
implicitly relying on a local variable. Use it in
|
||||
get_in_tkt.c:verify_as_reply().
|
||||
|
||||
(cherry picked from commit 28a07a6461bb443b7fa75cc5cb859ad0db4cbb5a)
|
||||
---
|
||||
src/lib/krb5/krb/gc_via_tkt.c | 2 +-
|
||||
src/lib/krb5/krb/get_in_tkt.c | 4 ++--
|
||||
src/lib/krb5/krb/int-proto.h | 3 ++-
|
||||
3 files changed, 5 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/src/lib/krb5/krb/gc_via_tkt.c b/src/lib/krb5/krb/gc_via_tkt.c
|
||||
index 4c0a1a461..c85d8b8d8 100644
|
||||
--- a/src/lib/krb5/krb/gc_via_tkt.c
|
||||
+++ b/src/lib/krb5/krb/gc_via_tkt.c
|
||||
@@ -305,7 +305,7 @@ krb5int_process_tgs_reply(krb5_context context,
|
||||
goto cleanup;
|
||||
|
||||
if (!in_cred->times.starttime &&
|
||||
- !in_clock_skew(dec_rep->enc_part2->times.starttime,
|
||||
+ !in_clock_skew(context, dec_rep->enc_part2->times.starttime,
|
||||
timestamp)) {
|
||||
retval = KRB5_KDCREP_SKEW;
|
||||
goto cleanup;
|
||||
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
|
||||
index 54badbbc3..a058f5bd7 100644
|
||||
--- a/src/lib/krb5/krb/get_in_tkt.c
|
||||
+++ b/src/lib/krb5/krb/get_in_tkt.c
|
||||
@@ -287,8 +287,8 @@ verify_as_reply(krb5_context context,
|
||||
return retval;
|
||||
} else {
|
||||
if ((request->from == 0) &&
|
||||
- (labs(as_reply->enc_part2->times.starttime - time_now)
|
||||
- > context->clockskew))
|
||||
+ !in_clock_skew(context, as_reply->enc_part2->times.starttime,
|
||||
+ time_now))
|
||||
return (KRB5_KDCREP_SKEW);
|
||||
}
|
||||
return 0;
|
||||
diff --git a/src/lib/krb5/krb/int-proto.h b/src/lib/krb5/krb/int-proto.h
|
||||
index 6da74858e..44eca359f 100644
|
||||
--- a/src/lib/krb5/krb/int-proto.h
|
||||
+++ b/src/lib/krb5/krb/int-proto.h
|
||||
@@ -83,7 +83,8 @@ krb5int_construct_matching_creds(krb5_context context, krb5_flags options,
|
||||
krb5_creds *in_creds, krb5_creds *mcreds,
|
||||
krb5_flags *fields);
|
||||
|
||||
-#define in_clock_skew(date, now) (labs((date)-(now)) < context->clockskew)
|
||||
+#define in_clock_skew(context, date, now) \
|
||||
+ (labs((date) - (now)) < (context)->clockskew)
|
||||
|
||||
#define IS_TGS_PRINC(p) ((p)->length == 2 && \
|
||||
data_eq_string((p)->data[0], KRB5_TGS_NAME))
|
83
Fix-more-time-manipulations-for-y2038.patch
Normal file
83
Fix-more-time-manipulations-for-y2038.patch
Normal file
@ -0,0 +1,83 @@
|
||||
From c9fca85329f4b25509f83837239bf882841caccc Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Wed, 17 May 2017 14:52:09 -0400
|
||||
Subject: [PATCH] Fix more time manipulations for y2038
|
||||
|
||||
Use timestamp helper functions to ensure that more operations are safe
|
||||
after y2038, and display the current timestamp as unsigned in
|
||||
krb5int_trace().
|
||||
|
||||
ticket: 8352
|
||||
(cherry picked from commit a60db180211a383bd382afe729e9309acb8dcf53)
|
||||
---
|
||||
src/kadmin/server/misc.c | 2 +-
|
||||
src/kdc/dispatch.c | 2 +-
|
||||
src/lib/krb5/os/c_ustime.c | 8 ++++----
|
||||
src/lib/krb5/os/trace.c | 2 +-
|
||||
4 files changed, 7 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/src/kadmin/server/misc.c b/src/kadmin/server/misc.c
|
||||
index 27a6376af..a75b65a26 100644
|
||||
--- a/src/kadmin/server/misc.c
|
||||
+++ b/src/kadmin/server/misc.c
|
||||
@@ -184,7 +184,7 @@ check_min_life(void *server_handle, krb5_principal principal,
|
||||
(void) kadm5_free_principal_ent(handle->lhandle, &princ);
|
||||
return (ret == KADM5_UNK_POLICY) ? 0 : ret;
|
||||
}
|
||||
- if((now - princ.last_pwd_change) < pol.pw_min_life &&
|
||||
+ if(ts_delta(now, princ.last_pwd_change) < pol.pw_min_life &&
|
||||
!(princ.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
|
||||
if (msg_ret != NULL) {
|
||||
time_t until;
|
||||
diff --git a/src/kdc/dispatch.c b/src/kdc/dispatch.c
|
||||
index 3a169ebc7..16a35d2be 100644
|
||||
--- a/src/kdc/dispatch.c
|
||||
+++ b/src/kdc/dispatch.c
|
||||
@@ -104,7 +104,7 @@ reseed_random(krb5_context kdc_err_context)
|
||||
if (last_os_random == 0)
|
||||
last_os_random = now;
|
||||
/* Grab random data from OS every hour*/
|
||||
- if (now-last_os_random >= 60 * 60) {
|
||||
+ if (ts_delta(now, last_os_random) >= 60 * 60) {
|
||||
krb5_c_random_os_entropy(kdc_err_context, 0, NULL);
|
||||
last_os_random = now;
|
||||
}
|
||||
diff --git a/src/lib/krb5/os/c_ustime.c b/src/lib/krb5/os/c_ustime.c
|
||||
index 871d72183..68fb381f4 100644
|
||||
--- a/src/lib/krb5/os/c_ustime.c
|
||||
+++ b/src/lib/krb5/os/c_ustime.c
|
||||
@@ -102,17 +102,17 @@ krb5_crypto_us_timeofday(krb5_int32 *seconds, krb5_int32 *microseconds)
|
||||
putting now.sec in the past. But don't just use '<' because we
|
||||
need to properly handle the case where the administrator intentionally
|
||||
adjusted time backwards. */
|
||||
- if ((now.sec == last_time.sec-1) ||
|
||||
- ((now.sec == last_time.sec) && (now.usec <= last_time.usec))) {
|
||||
+ if (now.sec == ts_incr(last_time.sec, -1) ||
|
||||
+ (now.sec == last_time.sec && !ts_after(last_time.usec, now.usec))) {
|
||||
/* Correct 'now' to be exactly one microsecond later than 'last_time'.
|
||||
Note that _because_ we perform this hack, 'now' may be _earlier_
|
||||
than 'last_time', even though the system time is monotonically
|
||||
increasing. */
|
||||
|
||||
now.sec = last_time.sec;
|
||||
- now.usec = ++last_time.usec;
|
||||
+ now.usec = ts_incr(last_time.usec, 1);
|
||||
if (now.usec >= 1000000) {
|
||||
- ++now.sec;
|
||||
+ now.sec = ts_incr(now.sec, 1);
|
||||
now.usec = 0;
|
||||
}
|
||||
}
|
||||
diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c
|
||||
index a19246128..74c315c90 100644
|
||||
--- a/src/lib/krb5/os/trace.c
|
||||
+++ b/src/lib/krb5/os/trace.c
|
||||
@@ -350,7 +350,7 @@ krb5int_trace(krb5_context context, const char *fmt, ...)
|
||||
goto cleanup;
|
||||
if (krb5_crypto_us_timeofday(&sec, &usec) != 0)
|
||||
goto cleanup;
|
||||
- if (asprintf(&msg, "[%d] %d.%d: %s\n", (int) getpid(), (int) sec,
|
||||
+ if (asprintf(&msg, "[%d] %u.%d: %s\n", (int) getpid(), (unsigned int) sec,
|
||||
(int) usec, str) < 0)
|
||||
goto cleanup;
|
||||
info.message = msg;
|
1844
Make-timestamp-manipulations-y2038-safe.patch
Normal file
1844
Make-timestamp-manipulations-y2038-safe.patch
Normal file
File diff suppressed because it is too large
Load Diff
327
Use-krb5_timestamp-where-appropriate.patch
Normal file
327
Use-krb5_timestamp-where-appropriate.patch
Normal file
@ -0,0 +1,327 @@
|
||||
From f0f0a503f58ed4f6ccf924751b356a70f515dd4b Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Wed, 17 May 2017 15:14:15 -0400
|
||||
Subject: [PATCH] Use krb5_timestamp where appropriate
|
||||
|
||||
Where krb5_int32 is used to hold the number of seconds since the
|
||||
epoch, use krb5_timestamp instead.
|
||||
|
||||
(cherry picked from commit ae25f6ec5558140a546db34fea389412d81c0631)
|
||||
---
|
||||
src/clients/klist/klist.c | 2 +-
|
||||
src/include/k5-int.h | 2 +-
|
||||
src/kadmin/server/misc.c | 2 +-
|
||||
src/kdc/dispatch.c | 4 ++--
|
||||
src/lib/kadm5/srv/server_acl.c | 2 +-
|
||||
src/lib/kadm5/srv/server_kdb.c | 2 +-
|
||||
src/lib/kadm5/srv/svr_principal.c | 10 +++++-----
|
||||
src/lib/krb5/krb/gen_save_subkey.c | 3 ++-
|
||||
src/lib/krb5/krb/get_in_tkt.c | 2 +-
|
||||
src/lib/krb5/krb/init_ctx.c | 3 ++-
|
||||
src/lib/krb5/os/c_ustime.c | 7 +++++--
|
||||
src/lib/krb5/os/toffset.c | 3 ++-
|
||||
src/lib/krb5/os/trace.c | 3 ++-
|
||||
src/lib/krb5/os/ustime.c | 3 ++-
|
||||
src/lib/krb5/rcache/rc_dfl.c | 10 +++++-----
|
||||
src/tests/create/kdb5_mkdums.c | 2 +-
|
||||
16 files changed, 34 insertions(+), 26 deletions(-)
|
||||
|
||||
diff --git a/src/clients/klist/klist.c b/src/clients/klist/klist.c
|
||||
index ffeecc394..4334415be 100644
|
||||
--- a/src/clients/klist/klist.c
|
||||
+++ b/src/clients/klist/klist.c
|
||||
@@ -56,7 +56,7 @@ int show_adtype = 0, show_all = 0, list_all = 0, use_client_keytab = 0;
|
||||
int show_config = 0;
|
||||
char *defname;
|
||||
char *progname;
|
||||
-krb5_int32 now;
|
||||
+krb5_timestamp now;
|
||||
unsigned int timestamp_width;
|
||||
|
||||
krb5_context kcontext;
|
||||
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
|
||||
index 82ee20760..ed9c7bf75 100644
|
||||
--- a/src/include/k5-int.h
|
||||
+++ b/src/include/k5-int.h
|
||||
@@ -721,7 +721,7 @@ krb5_error_code krb5int_c_copy_keyblock_contents(krb5_context context,
|
||||
const krb5_keyblock *from,
|
||||
krb5_keyblock *to);
|
||||
|
||||
-krb5_error_code krb5_crypto_us_timeofday(krb5_int32 *, krb5_int32 *);
|
||||
+krb5_error_code krb5_crypto_us_timeofday(krb5_timestamp *, krb5_int32 *);
|
||||
|
||||
/*
|
||||
* End "los-proto.h"
|
||||
diff --git a/src/kadmin/server/misc.c b/src/kadmin/server/misc.c
|
||||
index a75b65a26..ba672d714 100644
|
||||
--- a/src/kadmin/server/misc.c
|
||||
+++ b/src/kadmin/server/misc.c
|
||||
@@ -159,7 +159,7 @@ kadm5_ret_t
|
||||
check_min_life(void *server_handle, krb5_principal principal,
|
||||
char *msg_ret, unsigned int msg_len)
|
||||
{
|
||||
- krb5_int32 now;
|
||||
+ krb5_timestamp now;
|
||||
kadm5_ret_t ret;
|
||||
kadm5_policy_ent_rec pol;
|
||||
kadm5_principal_ent_rec princ;
|
||||
diff --git a/src/kdc/dispatch.c b/src/kdc/dispatch.c
|
||||
index 16a35d2be..4ecc23481 100644
|
||||
--- a/src/kdc/dispatch.c
|
||||
+++ b/src/kdc/dispatch.c
|
||||
@@ -94,8 +94,8 @@ static void
|
||||
reseed_random(krb5_context kdc_err_context)
|
||||
{
|
||||
krb5_error_code retval;
|
||||
- krb5_int32 now, now_usec;
|
||||
- krb5_int32 usec_difference;
|
||||
+ krb5_timestamp now;
|
||||
+ krb5_int32 now_usec, usec_difference;
|
||||
krb5_data data;
|
||||
|
||||
retval = krb5_crypto_us_timeofday(&now, &now_usec);
|
||||
diff --git a/src/lib/kadm5/srv/server_acl.c b/src/lib/kadm5/srv/server_acl.c
|
||||
index 656dddff5..c2cf69169 100644
|
||||
--- a/src/lib/kadm5/srv/server_acl.c
|
||||
+++ b/src/lib/kadm5/srv/server_acl.c
|
||||
@@ -375,7 +375,7 @@ kadm5int_acl_impose_restrictions(kcontext, recp, maskp, rp)
|
||||
restriction_t *rp;
|
||||
{
|
||||
krb5_error_code code;
|
||||
- krb5_int32 now;
|
||||
+ krb5_timestamp now;
|
||||
|
||||
DPRINT(DEBUG_CALLS, acl_debug_level,
|
||||
("* kadm5int_acl_impose_restrictions(..., *maskp=0x%08x, rp=0x%08x)\n",
|
||||
diff --git a/src/lib/kadm5/srv/server_kdb.c b/src/lib/kadm5/srv/server_kdb.c
|
||||
index 612553ba3..f4b8aef2b 100644
|
||||
--- a/src/lib/kadm5/srv/server_kdb.c
|
||||
+++ b/src/lib/kadm5/srv/server_kdb.c
|
||||
@@ -365,7 +365,7 @@ kdb_put_entry(kadm5_server_handle_t handle,
|
||||
krb5_db_entry *kdb, osa_princ_ent_rec *adb)
|
||||
{
|
||||
krb5_error_code ret;
|
||||
- krb5_int32 now;
|
||||
+ krb5_timestamp now;
|
||||
XDR xdrs;
|
||||
krb5_tl_data tl_data;
|
||||
|
||||
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
|
||||
index f4a9a2ad2..0d4f0a632 100644
|
||||
--- a/src/lib/kadm5/srv/svr_principal.c
|
||||
+++ b/src/lib/kadm5/srv/svr_principal.c
|
||||
@@ -296,7 +296,7 @@ kadm5_create_principal_3(void *server_handle,
|
||||
osa_princ_ent_rec adb;
|
||||
kadm5_policy_ent_rec polent;
|
||||
krb5_boolean have_polent = FALSE;
|
||||
- krb5_int32 now;
|
||||
+ krb5_timestamp now;
|
||||
krb5_tl_data *tl_data_tail;
|
||||
unsigned int ret;
|
||||
kadm5_server_handle_t handle = server_handle;
|
||||
@@ -1322,7 +1322,7 @@ kadm5_chpass_principal_3(void *server_handle,
|
||||
int n_ks_tuple, krb5_key_salt_tuple *ks_tuple,
|
||||
char *password)
|
||||
{
|
||||
- krb5_int32 now;
|
||||
+ krb5_timestamp now;
|
||||
kadm5_policy_ent_rec pol;
|
||||
osa_princ_ent_rec adb;
|
||||
krb5_db_entry *kdb;
|
||||
@@ -1544,7 +1544,7 @@ kadm5_randkey_principal_3(void *server_handle,
|
||||
{
|
||||
krb5_db_entry *kdb;
|
||||
osa_princ_ent_rec adb;
|
||||
- krb5_int32 now;
|
||||
+ krb5_timestamp now;
|
||||
kadm5_policy_ent_rec pol;
|
||||
int ret, last_pwd, n_new_keys;
|
||||
krb5_boolean have_pol = FALSE;
|
||||
@@ -1686,7 +1686,7 @@ kadm5_setv4key_principal(void *server_handle,
|
||||
{
|
||||
krb5_db_entry *kdb;
|
||||
osa_princ_ent_rec adb;
|
||||
- krb5_int32 now;
|
||||
+ krb5_timestamp now;
|
||||
kadm5_policy_ent_rec pol;
|
||||
krb5_keysalt keysalt;
|
||||
int i, kvno, ret;
|
||||
@@ -1888,7 +1888,7 @@ kadm5_setkey_principal_4(void *server_handle, krb5_principal principal,
|
||||
{
|
||||
krb5_db_entry *kdb;
|
||||
osa_princ_ent_rec adb;
|
||||
- krb5_int32 now;
|
||||
+ krb5_timestamp now;
|
||||
kadm5_policy_ent_rec pol;
|
||||
krb5_key_data *new_key_data = NULL;
|
||||
int i, j, ret, n_new_key_data = 0;
|
||||
diff --git a/src/lib/krb5/krb/gen_save_subkey.c b/src/lib/krb5/krb/gen_save_subkey.c
|
||||
index 61f36aa36..bc2c46d30 100644
|
||||
--- a/src/lib/krb5/krb/gen_save_subkey.c
|
||||
+++ b/src/lib/krb5/krb/gen_save_subkey.c
|
||||
@@ -38,7 +38,8 @@ k5_generate_and_save_subkey(krb5_context context,
|
||||
to guarantee randomness, but to make it less likely that multiple
|
||||
sessions could pick the same subkey. */
|
||||
struct {
|
||||
- krb5_int32 sec, usec;
|
||||
+ krb5_timestamp sec;
|
||||
+ krb5_int32 usec;
|
||||
} rnd_data;
|
||||
krb5_data d;
|
||||
krb5_error_code retval;
|
||||
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
|
||||
index 40aba1905..7178bd87b 100644
|
||||
--- a/src/lib/krb5/krb/get_in_tkt.c
|
||||
+++ b/src/lib/krb5/krb/get_in_tkt.c
|
||||
@@ -1788,7 +1788,7 @@ k5_populate_gic_opt(krb5_context context, krb5_get_init_creds_opt **out,
|
||||
krb5_creds *creds)
|
||||
{
|
||||
int i;
|
||||
- krb5_int32 starttime;
|
||||
+ krb5_timestamp starttime;
|
||||
krb5_deltat lifetime;
|
||||
krb5_get_init_creds_opt *opt;
|
||||
krb5_error_code retval;
|
||||
diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c
|
||||
index cf226fdba..4246c5dd2 100644
|
||||
--- a/src/lib/krb5/krb/init_ctx.c
|
||||
+++ b/src/lib/krb5/krb/init_ctx.c
|
||||
@@ -139,7 +139,8 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags,
|
||||
krb5_context ctx = 0;
|
||||
krb5_error_code retval;
|
||||
struct {
|
||||
- krb5_int32 now, now_usec;
|
||||
+ krb5_timestamp now;
|
||||
+ krb5_int32 now_usec;
|
||||
long pid;
|
||||
} seed_data;
|
||||
krb5_data seed;
|
||||
diff --git a/src/lib/krb5/os/c_ustime.c b/src/lib/krb5/os/c_ustime.c
|
||||
index 68fb381f4..f69f2ea4c 100644
|
||||
--- a/src/lib/krb5/os/c_ustime.c
|
||||
+++ b/src/lib/krb5/os/c_ustime.c
|
||||
@@ -29,7 +29,10 @@
|
||||
|
||||
k5_mutex_t krb5int_us_time_mutex = K5_MUTEX_PARTIAL_INITIALIZER;
|
||||
|
||||
-struct time_now { krb5_int32 sec, usec; };
|
||||
+struct time_now {
|
||||
+ krb5_timestamp sec;
|
||||
+ krb5_int32 usec;
|
||||
+};
|
||||
|
||||
#if defined(_WIN32)
|
||||
|
||||
@@ -73,7 +76,7 @@ get_time_now(struct time_now *n)
|
||||
static struct time_now last_time;
|
||||
|
||||
krb5_error_code
|
||||
-krb5_crypto_us_timeofday(krb5_int32 *seconds, krb5_int32 *microseconds)
|
||||
+krb5_crypto_us_timeofday(krb5_timestamp *seconds, krb5_int32 *microseconds)
|
||||
{
|
||||
struct time_now now;
|
||||
krb5_error_code err;
|
||||
diff --git a/src/lib/krb5/os/toffset.c b/src/lib/krb5/os/toffset.c
|
||||
index 37bc69f49..4bbcdde52 100644
|
||||
--- a/src/lib/krb5/os/toffset.c
|
||||
+++ b/src/lib/krb5/os/toffset.c
|
||||
@@ -40,7 +40,8 @@ krb5_error_code KRB5_CALLCONV
|
||||
krb5_set_real_time(krb5_context context, krb5_timestamp seconds, krb5_int32 microseconds)
|
||||
{
|
||||
krb5_os_context os_ctx = &context->os_context;
|
||||
- krb5_int32 sec, usec;
|
||||
+ krb5_timestamp sec;
|
||||
+ krb5_int32 usec;
|
||||
krb5_error_code retval;
|
||||
|
||||
retval = krb5_crypto_us_timeofday(&sec, &usec);
|
||||
diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c
|
||||
index 74c315c90..8750b7650 100644
|
||||
--- a/src/lib/krb5/os/trace.c
|
||||
+++ b/src/lib/krb5/os/trace.c
|
||||
@@ -340,7 +340,8 @@ krb5int_trace(krb5_context context, const char *fmt, ...)
|
||||
va_list ap;
|
||||
krb5_trace_info info;
|
||||
char *str = NULL, *msg = NULL;
|
||||
- krb5_int32 sec, usec;
|
||||
+ krb5_timestamp sec;
|
||||
+ krb5_int32 usec;
|
||||
|
||||
if (context == NULL || context->trace_callback == NULL)
|
||||
return;
|
||||
diff --git a/src/lib/krb5/os/ustime.c b/src/lib/krb5/os/ustime.c
|
||||
index 1c1b571eb..a80fdf68c 100644
|
||||
--- a/src/lib/krb5/os/ustime.c
|
||||
+++ b/src/lib/krb5/os/ustime.c
|
||||
@@ -40,7 +40,8 @@ krb5_error_code
|
||||
k5_time_with_offset(krb5_timestamp offset, krb5_int32 offset_usec,
|
||||
krb5_timestamp *time_out, krb5_int32 *usec_out)
|
||||
{
|
||||
- krb5_int32 sec, usec;
|
||||
+ krb5_timestamp sec;
|
||||
+ krb5_int32 usec;
|
||||
krb5_error_code retval;
|
||||
|
||||
retval = krb5_crypto_us_timeofday(&sec, &usec);
|
||||
diff --git a/src/lib/krb5/rcache/rc_dfl.c b/src/lib/krb5/rcache/rc_dfl.c
|
||||
index 6b043844d..41ebf94da 100644
|
||||
--- a/src/lib/krb5/rcache/rc_dfl.c
|
||||
+++ b/src/lib/krb5/rcache/rc_dfl.c
|
||||
@@ -93,7 +93,7 @@ cmp(krb5_donot_replay *old, krb5_donot_replay *new1, krb5_deltat t)
|
||||
}
|
||||
|
||||
static int
|
||||
-alive(krb5_int32 mytime, krb5_donot_replay *new1, krb5_deltat t)
|
||||
+alive(krb5_timestamp mytime, krb5_donot_replay *new1, krb5_deltat t)
|
||||
{
|
||||
if (mytime == 0)
|
||||
return CMP_HOHUM; /* who cares? */
|
||||
@@ -129,7 +129,7 @@ struct authlist
|
||||
|
||||
static int
|
||||
rc_store(krb5_context context, krb5_rcache id, krb5_donot_replay *rep,
|
||||
- krb5_int32 now, krb5_boolean fromfile)
|
||||
+ krb5_timestamp now, krb5_boolean fromfile)
|
||||
{
|
||||
struct dfl_data *t = (struct dfl_data *)id->data;
|
||||
unsigned int rephash;
|
||||
@@ -536,7 +536,7 @@ krb5_rc_dfl_recover_locked(krb5_context context, krb5_rcache id)
|
||||
krb5_error_code retval;
|
||||
long max_size;
|
||||
int expired_entries = 0;
|
||||
- krb5_int32 now;
|
||||
+ krb5_timestamp now;
|
||||
|
||||
if ((retval = krb5_rc_io_open(context, &t->d, t->name))) {
|
||||
return retval;
|
||||
@@ -706,7 +706,7 @@ krb5_rc_dfl_store(krb5_context context, krb5_rcache id, krb5_donot_replay *rep)
|
||||
{
|
||||
krb5_error_code ret;
|
||||
struct dfl_data *t;
|
||||
- krb5_int32 now;
|
||||
+ krb5_timestamp now;
|
||||
|
||||
ret = krb5_timeofday(context, &now);
|
||||
if (ret)
|
||||
@@ -762,7 +762,7 @@ krb5_rc_dfl_expunge_locked(krb5_context context, krb5_rcache id)
|
||||
struct authlist **qt;
|
||||
struct authlist *r;
|
||||
struct authlist *rt;
|
||||
- krb5_int32 now;
|
||||
+ krb5_timestamp now;
|
||||
|
||||
if (krb5_timestamp(context, &now))
|
||||
now = 0;
|
||||
diff --git a/src/tests/create/kdb5_mkdums.c b/src/tests/create/kdb5_mkdums.c
|
||||
index 622f549f9..7c0666601 100644
|
||||
--- a/src/tests/create/kdb5_mkdums.c
|
||||
+++ b/src/tests/create/kdb5_mkdums.c
|
||||
@@ -247,7 +247,7 @@ add_princ(context, str_newprinc)
|
||||
|
||||
{
|
||||
/* Add mod princ to db entry */
|
||||
- krb5_int32 now;
|
||||
+ krb5_timestamp now;
|
||||
|
||||
retval = krb5_timeofday(context, &now);
|
||||
if (retval) {
|
16
krb5.spec
16
krb5.spec
@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
|
||||
Name: krb5
|
||||
Version: 1.15.1
|
||||
# for prerelease, should be e.g., 0.3.beta2%{?dist}
|
||||
Release: 23%{?dist}
|
||||
Release: 24%{?dist}
|
||||
# - Maybe we should explode from the now-available-to-everybody tarball instead?
|
||||
# http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
|
||||
# - The sources below are stored in a lookaside cache. Upload with
|
||||
@ -81,7 +81,16 @@ Patch52: Fix-leaks-in-gss_inquire_cred_by_oid.patch
|
||||
Patch53: Add-support-to-query-the-SSF-of-a-GSS-context.patch
|
||||
Patch54: Prevent-KDC-unset-status-assertion-failures.patch
|
||||
Patch55: Remove-incomplete-PKINIT-OCSP-support.patch
|
||||
Patch56: Add-KDC-policy-pluggable-interface.patch
|
||||
Patch56: Allow-clock-skew-in-krb5-gss_context_time.patch
|
||||
Patch57: Fix-in_clock_skew-and-use-it-in-AS-client-code.patch
|
||||
Patch58: Add-timestamp-helper-functions.patch
|
||||
Patch59: Make-timestamp-manipulations-y2038-safe.patch
|
||||
Patch60: Add-timestamp-tests.patch
|
||||
Patch61: Add-y2038-documentation.patch
|
||||
Patch62: Fix-more-time-manipulations-for-y2038.patch
|
||||
Patch63: Use-krb5_timestamp-where-appropriate.patch
|
||||
Patch64: Add-KDC-policy-pluggable-interface.patch
|
||||
Patch65: Fix-bugs-in-kdcpolicy-commit.patch
|
||||
|
||||
License: MIT
|
||||
URL: http://web.mit.edu/kerberos/www/
|
||||
@ -733,6 +742,9 @@ exit 0
|
||||
%{_libdir}/libkadm5srv_mit.so.*
|
||||
|
||||
%changelog
|
||||
* Mon Aug 21 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-24
|
||||
- Backport kdc policy plugin, but this time with dependencies
|
||||
|
||||
* Mon Aug 21 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-23
|
||||
- Backport kdcpolicy interface
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user