diff --git a/krb5-1-8-gss-noexp.patch b/krb5-1-8-gss-noexp.patch
new file mode 100644
index 0000000..42b4fa6
--- /dev/null
+++ b/krb5-1-8-gss-noexp.patch
@@ -0,0 +1,138 @@
+Pending change to not fail wrap/unwrap/seal/unseal after the ticket
+that was used for authentication expires.
+
+Index: src/lib/gssapi/krb5/k5sealiov.c
+===================================================================
+--- src/lib/gssapi/krb5/k5sealiov.c (revision 24129)
++++ src/lib/gssapi/krb5/k5sealiov.c (revision 24130)
+@@ -279,7 +279,6 @@
+ {
+ krb5_gss_ctx_id_rec *ctx;
+ krb5_error_code code;
+- krb5_timestamp now;
+ krb5_context context;
+
+ if (qop_req != 0) {
+@@ -298,19 +297,12 @@
+ return GSS_S_NO_CONTEXT;
+ }
+
+- context = ctx->k5_context;
+- code = krb5_timeofday(context, &now);
+- if (code != 0) {
+- *minor_status = code;
+- save_error_info(*minor_status, context);
+- return GSS_S_FAILURE;
+- }
+-
+ if (conf_req_flag && kg_integ_only_iov(iov, iov_count)) {
+ /* may be more sensible to return an error here */
+ conf_req_flag = FALSE;
+ }
+
++ context = ctx->k5_context;
+ switch (ctx->proto) {
+ case 0:
+ code = make_seal_token_v1_iov(context, ctx, conf_req_flag,
+@@ -333,7 +325,7 @@
+
+ *minor_status = 0;
+
+- return (ctx->krb_times.endtime < now) ? 
GSS_S_CONTEXT_EXPIRED : GSS_S_COMPLETE;
++ return GSS_S_COMPLETE;
+ }
+
+ #define INIT_IOV_DATA(_iov) do { (_iov)->buffer.value = NULL; \
+Index: src/lib/gssapi/krb5/k5unsealiov.c
+===================================================================
+--- src/lib/gssapi/krb5/k5unsealiov.c (revision 24129)
++++ src/lib/gssapi/krb5/k5unsealiov.c (revision 24130)
+@@ -52,7 +52,6 @@
+ int signalg;
+ krb5_checksum cksum;
+ krb5_checksum md5cksum;
+- krb5_timestamp now;
+ size_t cksum_len = 0;
+ size_t conflen = 0;
+ int direction;
+@@ -280,19 +279,6 @@
+ if (qop_state != NULL)
+ *qop_state = GSS_C_QOP_DEFAULT;
+
+- code = krb5_timeofday(context, &now);
+- if (code != 0) {
+- *minor_status = code;
+- retval = GSS_S_FAILURE;
+- goto cleanup;
+- }
+-
+- if (now > ctx->krb_times.endtime) {
+- *minor_status = 0;
+- retval = GSS_S_CONTEXT_EXPIRED;
+- goto cleanup;
+- }
+-
+ if ((ctx->initiate && direction != 0xff) ||
+ (!ctx->initiate && direction != 0)) {
+ *minor_status = (OM_uint32)G_BAD_DIRECTION;
+Index: src/lib/gssapi/krb5/k5seal.c
+===================================================================
+--- src/lib/gssapi/krb5/k5seal.c (revision 24129)
++++ src/lib/gssapi/krb5/k5seal.c (revision 24130)
+@@ -328,7 +328,6 @@
+ {
+ krb5_gss_ctx_id_rec *ctx;
+ krb5_error_code code;
+- krb5_timestamp now;
+ krb5_context context;
+
+ output_message_buffer->length = 0;
+@@ -359,12 +358,6 @@
+ }
+
+ context = ctx->k5_context;
+- if ((code = krb5_timeofday(context, &now))) {
+- *minor_status = code;
+- save_error_info(*minor_status, context);
+- return(GSS_S_FAILURE);
+- }
+-
+ switch (ctx->proto)
+ {
+ case 0:
+@@ -396,5 +389,5 @@
+ *conf_state = conf_req_flag;
+
+ *minor_status = 0;
+- return((ctx->krb_times.endtime < now)?GSS_S_CONTEXT_EXPIRED:GSS_S_COMPLETE);
++ return(GSS_S_COMPLETE);
+ }
+Index: src/lib/gssapi/krb5/k5unseal.c
+===================================================================
+--- src/lib/gssapi/krb5/k5unseal.c (revision 24129)
++++ 
src/lib/gssapi/krb5/k5unseal.c (revision 24130)
+@@ -79,7 +79,6 @@
+ krb5_checksum md5cksum;
+ krb5_data plaind;
+ char *data_ptr;
+- krb5_timestamp now;
+ unsigned char *plain;
+ unsigned int cksum_len = 0;
+ size_t plainlen;
+@@ -441,16 +440,6 @@
+ if (qop_state)
+ *qop_state = GSS_C_QOP_DEFAULT;
+
+- if ((code = krb5_timeofday(context, &now))) {
+- *minor_status = code;
+- return(GSS_S_FAILURE);
+- }
+-
+- if (now > ctx->krb_times.endtime) {
+- *minor_status = 0;
+- return(GSS_S_CONTEXT_EXPIRED);
+- }
+-
+ /* do sequencing checks */
+
+ if ((ctx->initiate && direction != 0xff) ||
diff --git a/krb5.spec b/krb5.spec
index da82b51..590ea70 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -5,7 +5,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.8.2
-Release: 1%{?dist}
+Release: 2%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.8/krb5-1.8.2-signed.tar
 Source0: krb5-%{version}.tar.gz
@@ -46,6 +46,7 @@ Patch63: krb5-1.8-selinux-label.patch
 Patch70: krb5-trunk-kpasswd_tcp2.patch
 Patch71: krb5-1.8-dirsrv-accountlock.patch
 Patch72: krb5-1.7.1-24139.patch
+Patch73: krb5-1-8-gss-noexp.patch
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -182,6 +183,7 @@ ln -s NOTICE LICENSE
 #%patch70 -p0 -b .kpasswd_tcp2
 %patch71 -p1 -b .dirsrv-accountlock
 %patch72 -p1 -b .24139
+%patch73 -p0 -b .gss-noexp
 gzip doc/*.ps
 sed -i -e '1s!\[twoside\]!!;s!%\(\\usepackage{hyperref}\)!\1!' doc/api/library.tex
@@ -623,6 +625,11 @@ exit 0
 %{_sbindir}/uuserver
 %changelog
+* Mon Jun 21 2010 Nalin Dahyabhai 1.8.2-2
+- libgssapi: pull in patch from svn to stop returning context-expired errors
+ when the ticket which was used to set up the context expires (#605366,
+ upstream #6739)
+
 * Mon Jun 21 2010 Nalin Dahyabhai
 - pull up fix for upstream #6745, in which the gssapi library would add the wrong error table but subsequently attempt to unload the right one
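Review bot: Dropping the `ctx->krb_times.endtime` comparison from the wrap/unwrap paths in k5sealiov.c, k5seal.c, k5unsealiov.c and k5unseal.c means per-message calls keep returning GSS_S_COMPLETE for the whole life of the context after the ticket expires, so an application that used GSS_S_CONTEXT_EXPIRED from gss_wrap/gss_unwrap as its cue to re-authenticate silently loses that cue, and the two-line header of the patch file does not say so. A sentence in that header would make the behaviour change visible to whoever carries the patch forward, e.g. `Wrap/unwrap no longer return GSS_S_CONTEXT_EXPIRED; callers that must enforce ticket lifetime have to check it via gss_context_time() or gss_inquire_context().` Recording the origin in the header as well (`Upstream svn r24130, MIT ticket #6739`) would avoid relying on the spec changelog as the only link between the two. With the krb5_timeofday() calls gone, `code` in k5unseal.c and k5unsealiov.c is no longer visibly assigned in these hunks; each function body continues outside the hunk, so this is an unused-variable warning to check for rather than a confirmed defect.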